Cisco Firepower 2100 User Manual

232 pages
If the registration succeeds, the device is added to the list. If it fails, you will see an error message. If the threat defense fails to register, check the following items:

• Ping—Access the threat defense CLI, and ping the management center IP address using the following command:

    ping system ip_address

  If the ping is not successful, check your network settings using the show network command. If you need to change the threat defense Management IP address, use the configure network management-data-interface command.

• Registration key, NAT ID, and management center IP address—Make sure you are using the same registration key, and if used, NAT ID, on both devices. You can set the registration key and NAT ID on the threat defense using the configure manager add command.

For more troubleshooting information, see https://cisco.com/go/fmc-reg-error.

Configure a Basic Security Policy

This section describes how to configure a basic security policy with the following settings:

• Inside and outside interfaces—Assign a static IP address to the inside interface. You configured basic settings for the outside interface as part of the manager access setup, but you still need to assign it to a security zone.
• DHCP server—Use a DHCP server on the inside interface for clients.
• NAT—Use interface PAT on the outside interface.
• Access control—Allow traffic from inside to outside.
• SSH—Enable SSH on the manager access interface.

Configure Interfaces

Enable the threat defense interfaces, assign them to security zones, and set the IP addresses. Typically, you must configure at least two interfaces to have a system that passes meaningful traffic. Normally, you would have an outside interface that faces the upstream router or internet, and one or more inside interfaces for your organization’s networks. Some of these interfaces might be “demilitarized zones” (DMZs), where you place publicly accessible assets such as your web server.

A typical edge-routing situation is to obtain the outside interface address through DHCP from your ISP, while you define static addresses on the inside interfaces.

The following example configures a routed mode inside interface with a static address and a routed mode outside interface using DHCP.

Procedure
Step 1 Choose Devices > Device Management, and click Edit for the firewall.

Cisco Firepower 2100 Getting Started Guide
Threat Defense Deployment with a Remote Management Center
