Setup Tasks Covered in this Guide

This guide uses sample values to tell you step by step how to:

• Configure a Firepower Management Center on the network.

• Configure a Firepower Threat Defense on the network.

• License the Firepower Management Center.

• Manage the Firepower Threat Defense device using Firepower Management Center.

• Configure a NAT policy and a static route.

• Set up an initial access control rule that allows all traffic so you can test internet access from a client connected to the inside network and make sure the managed device is filtering the traffic.

Who Should Use This Guide

Anyone who wants to configure the Firepower System, including administrators and integrators.

What You'll Need

To complete the tasks discussed in this guide, you'll need:

• Firepower Management Center (any model, physical or virtual) running version 6.2.3

• Firepower Threat Defense (any model, physical or virtual) running version 6.2.3

  For information about upgrading a Firepower Management Center or Firepower Threat Defense device, see the Firepower Management Center Upgrade Guide.

  Note	You can use another version of the Firepower System software but additional tasks, or different tasks, might be required. Consult the appropriate configuration or quick start guide for the version you're using for details.

• For virtual devices, a hypervisor manager and client.

• A private network so the IP addresses used in this system don't conflict with IP addresses used in your network. For example, you can set up a Virtual LAN (VLAN). Explaining how to isolate this system from the rest of your network is beyond the scope of this guide.

• (Optional.) Cisco Smart License. If you don't have a Smart License, you can use a 90-day evaluation license.

  For more information about Smart Licenses in version 6.2.3, see Smart Licensing for the Firepower System.

Firepower Threat Defense Interfaces

In this example network, the Firepower Threat Defense device has three interfaces: management, inside, and outside. The outside interface connects directly to the internet. Using an allow access control rule, clients attached to the inside network can connect to the internet through the Firepower Threat Defense device. This type of configuration is sometimes referred to as a bootstrap because this is the minimum amount of configuration you need to connect to the internet.

Management (1 / 1)

IP address 10.10.2.45. Used only to communicate with the Firepower Management Center. The management IP address must be on the same subnet as the Firepower Management Center.

Inside (GigabitEthernet 1 / 2)

IP address 10.10.2.1. Computers attached to the inside interface can have access control and intrusion prevention policies applied to them. The default gateway for the inside network is 10.10.2.254.

Outside (GigabitEthernet 1 / 1)

IP address 209.165.200.255. Used to connect to the internet. The default gateway for the outside network is 209.165.200.254.

Note

This guide has sample IP addresses that you can use in your system, provided they do not conflict with addresses in your network. You can either use the same IP addresses described in this guide or you can use IP addresses that are compatible with your network. If you change IP addresses to conform with your network, make sure that the Firepower Threat Defense management interface and the Firepower Management Center interface are on the same subnet.

Note

Depending on what type of device you're managing, the interfaces might be identified differently than the preceding. For example, a virtual managed device has interfaces numbered GigabitEthernet0/0, GigabitEthernet0/1, and so on. A Firepower Threat Defense 4100 or 9300 series device has interfaces numbered Ethernet1/1, Ethernet2/1, Ethernet3/1, and so on.

Firepower Management Center

The Firepower Management Center has one interface with an IP address of 10.10.2.2. This interface is used to manage Firepower Threat Defense devices, each of which must all have a management IP address on the same subnet.