Cisco introduced the Cisco Firepower 9300 Integrated Security Platform at Cisco Live last year. Do you know how to start the Cisco Firepower 9300 ASA Security Module? How does the Cisco ASA work with the Firepower 9300? Cisco has updated its Quick Start Guide for the Cisco Firepower 9300 ASA Security Module. Below we share the main details of the Firepower 9300 security appliance and how it works.
The Firepower 9300 security appliance can include up to three ASA security modules.
In Firepower eXtensible Operating System (FXOS) 1.1.3 and later, you can create an inter-chassis cluster to include up to six ASA security modules across multiple chassis.
How the ASA Works with the Firepower 9300
The Firepower 9300 security appliance runs its own operating system on the supervisor called the Firepower Chassis Manager, which runs on top of the Firepower eXtensible Operating System (FXOS). You can configure hardware interface settings, smart licensing, and other basic operating parameters on the supervisor using the Firepower Chassis Manager web interface or CLI.
All physical interface operations are owned by the supervisor, including establishing external EtherChannels. You can create two types of interfaces: Data and Management. Only Management interfaces can be shared across modules. You can assign interfaces to the ASA either at the time of deployment or later as needed. These interfaces use the same names in the supervisor as in the ASA configuration. The Firepower 9300 delivers network traffic to the ASA over internal backplane EtherChannels.
When you deploy the ASA, the supervisor downloads an ASA image of your choice, and establishes a default configuration. You can deploy the ASA as either a standalone logical device, or as a cluster of ASAs. When you use clustering, all modules in the chassis must belong to the cluster. For FXOS 1.1.2 and earlier, only intra-chassis clustering is supported. FXOS 1.1.3 supports inter-chassis clustering.
You must install the ASA software on all modules in the chassis; different software types are not supported at this time.
ASA Management
When you deploy the ASA, you can specify a management interface and management client information, so the deployment configuration allows ASDM access from that client.
Note: For FXOS 1.1.2 and earlier, and for 1.1.3 Smart Software Manager satellite deployments, before you can use ASDM, you must enable the Strong Encryption (3DES) license by requesting the entitlement within the ASA software. You must do this task from the ASA CLI, which is accessible from the Firepower 9300 CLI. For FXOS 1.1.3, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300. For an evaluation license, you cannot receive a Strong Encryption license.
You can also access the ASA CLI from the Firepower 9300 CLI using an internal Telnet connection. From within the ASA, you can later configure SSH or Telnet access over any of its management or data interfaces.
Licensing Requirements for the Firepower 9300 ASA Security Module
For the ASA on the Firepower 9300, Smart Software Licensing configuration is split between the Firepower 9300 supervisor and the ASA.
- Firepower 9300—Configure all Smart Software Licensing infrastructure in the supervisor, including parameters for communicating with the License Authority. The Firepower 9300 itself does not require any licenses to operate.
- ASA—Configure all license entitlements in the ASA. The deployment configuration automatically enables the standard licensing tier (the only tier available). Other add-on entitlements must be enabled within the ASA.
Note: For FXOS 1.1.2 and earlier, and for 1.1.3 Smart Software Manager satellite deployments, you must enable the Strong Encryption (3DES) license by requesting the entitlement within the ASA software. For FXOS 1.1.3, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300. For an evaluation license, you cannot receive a Strong Encryption license.
You can deploy a standalone ASA or a cluster of ASAs using the Firepower Chassis Manager. For CLI procedures, see the FXOS Configuration Guide.
Configure a Management Interface and Data Interfaces
Configure a Management type interface on the supervisor that you can include in the deployment configuration for the ASA. You must also configure at least one Data type interface.
Procedure to Configure a Management Interface and Data Interfaces
1. Choose Interfaces to open the Interfaces page.
2. To add an EtherChannel:
- a. Click Add Port Channel.
- b. For the Port Channel ID, enter a value between 1 and 47.
- c. Leave Enable checked.
- d. For the Type, choose Management or Data. You can only include one management interface per logical device. Do not choose Cluster.
- e. Add member interfaces as desired.
- f. Click OK.
3. For a single interface:
- a. Click the Edit icon in the interface row to open the Edit Interface dialog box.
- b. Check Enable.
- c. For the Type, click Management or Data. You can only include one management interface per logical device.
- d. Click OK.
Deploy a Standalone ASA or ASA Cluster
1. Choose Logical Devices to open the Logical Devices page.
2. Click Add Device to open the Add Device dialog box.
3. For the Device Name, provide a name for the logical device. This name is used by the Firepower 9300 supervisor to configure clustering/management settings and assign interfaces; it is not the cluster or device name used in the security module configuration.
4. For the Template, choose asa.
5. For the Image Version, choose the ASA software version.
6. For the Device Mode, click the Standalone or Cluster radio button.
7. Click OK. You see the Provisioning – device name window.
8. Expand the Data Ports area, and click each interface that you want to assign to the ASA.
9. Click the device icon in the center of the screen. The ASA Configuration dialog box appears.
10. Configure the deployment options as prompted.
11. Click OK to close the ASA Configuration dialog box.
12. Click Save. The Firepower 9300 supervisor deploys the logical device by downloading the specified software version and pushing the bootstrap configuration and management interface settings to the specified security module(s).
13. For inter-chassis clustering, see the Firepower Chassis Manager configuration guide.
For initial configuration or for troubleshooting, you may need to access the ASA CLI from the Firepower 9300 supervisor.
How to Access the ASA CLI from the Firepower 9300 Supervisor
1. Connect to the Firepower 9300 supervisor CLI, either from the console port or using SSH, for example.
2. Connect to the ASA.
connect module slot console
Example:
Firepower# connect module 1 console
Firepower-module1#
For an ASA cluster, you need to access the master unit for configuration. Typically, the master unit is in slot 1 on chassis 1, so you should connect to that module to check which unit is the master.
3. The first time you connect to the module, you enter the Firepower Chassis Manager module CLI. You must then connect to the ASA OS:
connect asa
Example:
Firepower-module1# connect asa
asa>
Subsequent connections place you directly in the ASA OS.
4. Enter privileged EXEC (enable) mode, and then global configuration mode. By default, the enable password is blank.
enable
configure terminal
Example:
asa> enable
Password:
asa# configure terminal
asa(config)#
5. For an ASA cluster, confirm that this module is the master unit:
show cluster info
Example:
asa(config)# show cluster info
Cluster cluster1: On
Interface mode: spanned
This is "unit-1-2" in state MASTER
ID : 2
Version : 9.5(2)
Serial No.: FCH183770GD
CCL IP : 127.2.1.2
CCL MAC : 0015.c500.019f
Last join : 01:18:34 UTC Nov 4 2015
Last leave: N/A
Other members in the cluster:
Unit "unit-1-3" in state SLAVE
ID : 4
Version : 9.5(2)
Serial No.: FCH19057ML0
CCL IP : 127.2.1.3
CCL MAC : 0015.c500.018f
Last join : 20:29:57 UTC Nov 4 2015
Last leave: 20:24:55 UTC Nov 4 2015
Unit "unit-1-1" in state SLAVE
ID : 1
Version : 9.5(2)
Serial No.: FCH19057ML0
CCL IP : 127.2.1.1
CCL MAC : 0015.c500.017f
Last join : 20:20:53 UTC Nov 4 2015
Last leave: 20:18:15 UTC Nov 4 2015
Unit "unit-2-1" in state SLAVE
ID : 3
Version : 9.5(2)
Serial No.: FCH19057ML0
CCL IP : 127.2.2.1
CCL MAC : 0015.c500.020f
Last join : 20:19:57 UTC Nov 4 2015
Last leave: 20:24:55 UTC Nov 4 2015
If a different module is the master unit, exit the connection and connect to the correct slot number. See below for information about exiting the connection.
6. To exit the console connection, type ~. You exit to the Telnet application. Enter quit to exit to the supervisor CLI.
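The master check in step 5 can be scripted when the output is captured from several sessions. The following is an added example, not part of the Cisco guide: it parses `show cluster info` text in the format shown above, reports which unit is the master and whether the current session is on it, and goes slightly beyond the step by grouping units by reported version. The function names and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown above (trimmed). The local unit is a
# SLAVE and unit-2-1 reports a different version, both on purpose for the demo.
SAMPLE = """\
Cluster cluster1: On
Interface mode: spanned
This is "unit-1-3" in state SLAVE
ID : 4
Version : 9.5(2)
CCL IP : 127.2.1.3
Other members in the cluster:
Unit "unit-1-2" in state MASTER
ID : 2
Version : 9.5(2)
CCL IP : 127.2.1.2
Unit "unit-2-1" in state SLAVE
ID : 3
Version : 9.5(1)
CCL IP : 127.2.2.1
"""

UNIT_RE = re.compile(r'^(This is|Unit) "([^"]+)" in state (\S+)')
FIELD_RE = re.compile(r'^([A-Za-z][A-Za-z .]*?)\s*:\s*(.+)$')

def parse_cluster_info(text):
    """Parse the output into one dict per unit; local=True marks this session's unit."""
    units = []
    for raw in text.splitlines():
        line = raw.strip()
        unit = UNIT_RE.match(line)
        if unit:
            units.append({"name": unit.group(2), "state": unit.group(3),
                          "local": unit.group(1) == "This is"})
        elif units and (field := FIELD_RE.match(line)):
            units[-1][field.group(1)] = field.group(2).strip()
    return units

def summarize(units):
    """Report the master, whether we are connected to it, and units per version."""
    masters = [u for u in units if u["state"] == "MASTER"]
    by_version = defaultdict(list)
    for u in units:
        by_version[u.get("Version", "unknown")].append(u["name"])
    return {"master": masters[0]["name"] if len(masters) == 1 else None,
            "on_master": any(u["local"] for u in masters),
            "versions": dict(by_version)}

if __name__ == "__main__":
    print(summarize(parse_cluster_info(SAMPLE)))
```

A `master` of `None` means the output showed zero or more than one unit in state MASTER, which is worth investigating before making configuration changes.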
Configure ASA License Entitlements
FXOS 1.1.2 and earlier; FXOS 1.1.3 with Smart Software Manager satellite
To run ASDM and other features such as VPN, you must have a Strong Encryption (3DES) license. You must request this license in the ASA configuration using the CLI.
Before You Begin
You must configure Cisco Smart Software Licensing on the Firepower 9300 supervisor before you configure license entitlements on the ASA.
How to Configure ASA License Entitlements?
1. Access the ASA CLI. See How to Access the ASA CLI from the Firepower 9300 Supervisor.
2. Enter license smart configuration mode:
license smart
Example:
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)#
3. Set the feature tier:
feature tier standard
Only the standard tier is available, and it is enabled by default. A tier license is a prerequisite for adding other feature licenses.
4. Request one or more of the following features:
- Strong Encryption (3DES)
feature strong-encryption
- ASA 9.5(1) and earlier: Mobile SP (GTP/GPRS)
feature mobile-sp
- ASA 9.5(2) and later: Carrier (Diameter, GTP/GPRS, SCTP)
feature carrier
- Security Contexts
feature context <1-248>
5. Save the configuration:
write memory
Launch ASDM
ASDM includes many easy-to-use Wizards as well as a complete suite of individual ASA feature configuration tools.
Before You Begin
See the ASDM release notes on Cisco.com for the requirements to run ASDM.
Procedure
1. On the computer connected to the ASA, launch a web browser.
2. In the Address field, enter the following URL: https://ip_address/admin. The ip_address is the one you set for the management interface when you deployed the ASA. The Cisco ASDM web page appears.
3. Click one of the available options: Install ASDM Launcher, Run ASDM, or Run Startup Wizard.
4. Follow the onscreen instructions to launch ASDM according to the option you chose. The Cisco ASDM-IDM Launcher appears.
Note: If you click Install ASDM Launcher, for some Java 7 versions you need to install an identity certificate for the ASA according to Install an Identity Certificate for ASDM.
5. Leave the username and password fields empty, and click OK. The main ASDM window appears.
…More info from https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/fp9300/asa-firepower9300-qsg.html