Cisco ASA for Firepower 9300
Quick Start Guide
First Published: July 16, 2015
Last Updated: May 9, 2016
1. About the ASA for Firepower 9300
The Firepower 9300 security appliance can include up to three security modules running the ASA application.
In Firepower eXtensible Operating System (FXOS) 1.1.3 and later, you can create an inter-chassis cluster to
include up to six ASAs across multiple chassis.
How the ASA Works with the Firepower 9300
The Firepower 9300 security appliance runs its own operating system on the supervisor called the Firepower
eXtensible Operating System (FXOS). You can configure hardware interface settings, smart licensing, and other
basic operating parameters on the supervisor using the Firepower Chassis Manager web interface or CLI.
All physical interface operations are owned by the supervisor, including establishing external EtherChannels. You
can create two types of interfaces: Data and Management. Only Management interfaces can be shared across
modules. You can assign interfaces to the ASA either at the time of deployment or later as needed. These
interfaces use the same IDs in the supervisor as in the ASA configuration. The Firepower 9300 delivers network
traffic to the ASA over internal backplane EtherChannels.
When you deploy the ASA, the supervisor downloads an ASA image of your choice, and establishes a default
configuration. You can deploy the ASA as either a standalone logical device, or as a cluster of ASAs. When you
use clustering, all modules in the chassis must belong to the cluster. For FXOS 1.1.2 and earlier, only intra-chassis
clustering is supported. FXOS 1.1.3 supports inter-chassis clustering.
You must install the ASA software on all modules in the chassis; different software types are not supported at this
time.
ASA Management
When you deploy the ASA, you can pre-configure a management interface and management client information,
so the deployed ASA allows ASDM access from that client.
You can also access the ASA CLI from the Firepower 9300 CLI using an internal Telnet connection. From within
the ASA, you can later configure SSH or Telnet access over any of its management or data interfaces.
Note: See Licensing Requirements for the Firepower 9300 ASA Security Module for licensing
requirements for ASDM access.
Cisco Systems, Inc.
www.cisco.com
Licensing Requirements for the Firepower 9300 ASA Security Module
For the ASA on the Firepower 9300, Smart Software Licensing configuration is split between the Firepower 9300
supervisor and the ASA.

Firepower 9300—Configure all Smart Software Licensing infrastructure in the supervisor, including parameters
for communicating with the License Authority. The Firepower 9300 itself does not require any licenses to
operate.

ASA—Configure all license entitlements in the ASA, including the required Standard tier license. Other optional
licenses are also available. (FXOS 1.1.3 and later) The Strong Encryption license is automatically enabled for
qualified customers when you apply the registration token on the Firepower 9300, so no additional action is
required.
Note: For FXOS 1.1.2 and earlier, and for 1.1.3 and later Smart Software Manager satellite deployments, before
you can use ASDM (and features such as VPN) you must enable the Strong Encryption (3DES/AES) license by
requesting the entitlement within the ASA software. You must perform this task from the ASA CLI, which is
accessible from the FXOS CLI. For an evaluation license, you cannot receive a Strong Encryption license.
2. Deploy the ASA
You can deploy a standalone ASA or a cluster of ASAs using the Firepower Chassis Manager. For CLI procedures,
see the FXOS Configuration Guide.
Configure a Management Interface and Data Interfaces
Configure a Management type interface on the supervisor that you can include in the deployment configuration for
the ASA. You must also configure at least one Data type interface.
Procedure
1. Choose Interfaces to open the Interfaces page.
2. To add an EtherChannel:
a. Click Add Port Channel.
b. For the Port Channel ID, enter a value between 1 and 47.
c. Leave Enable checked.
d. For the Type, choose Management or Data. You can only include one management interface per logical
device. Do not choose Cluster.
e. Add member interfaces as desired.
f. Click OK.
3. For a single interface:
a. Click the Edit icon in the interface row to open the Edit Interface dialog box.
b. Check Enable.
c. For the Type, click Management or Data. You can only include one management interface per logical
device.
d. Click OK.
Deploy a Standalone ASA
Procedure
1. Choose Logical Devices to open the Logical Devices page.
2. Click Add Device to open the Add Device dialog box.
3. For the Device Name, provide a name for the logical device. This name is used by the Firepower 9300 to
configure management settings and assign interfaces; it is not the device name used in the ASA configuration.
4. For the Template, choose asa.
5. For the Image Version, choose the ASA software version.
6. For the Device Mode, click the Standalone radio button.
7. Click OK. You see the Provisioning - device name window.
8. Expand the Data Ports area, and ensure all of the interfaces are assigned to the ASA.
9. Click the device icon in the center of the screen. The ASA Configuration dialog box appears.
10. Configure the deployment options as prompted.
11. Click OK to close the ASA Configuration dialog box.
12. Click Save. The Firepower 9300 deploys the logical device by downloading the specified software version and
pushing the bootstrap configuration and management interface settings to the security engine.
Deploy an ASA Cluster
Procedure
1. Choose Logical Devices to open the Logical Devices page.
2. Click Add Device to open the Add Device dialog box.
3. For the Device Name, provide a name for the logical device. This name is used by the Firepower 9300
supervisor to configure clustering/management settings and assign interfaces; it is not the cluster or device
name used in the ASA configuration.
4. For the Template, choose asa.
5. For the Image Version, choose the ASA software version.
6. For the Device Mode, click the Cluster radio button.
7. Click OK. You see the Provisioning - device name window.
8. Expand the Data Ports area, and ensure all of the interfaces are assigned to the ASA.
9. Click the device icon in the center of the screen. The ASA Configuration dialog box appears.
10. Configure the deployment options as prompted.
Note: In the Management IP Pool field, configure a pool of Local IP addresses, one of which will be assigned
to each cluster unit for the interface, by entering the starting and ending addresses separated by a hyphen.
Include at least as many addresses as there are units in the cluster. If you plan to expand the cluster, include
additional addresses. The Virtual IP address (known as the Main cluster IP address) that belongs to the
current primary unit is not a part of this pool; be sure to reserve an IP address on the same network for the
virtual IP address. You can use IPv4 and/or IPv6 addresses.
11. Click OK to close the ASA Configuration dialog box.
12. Click Save. The Firepower 9300 supervisor deploys the logical device by downloading the specified software
version and pushing the bootstrap configuration and management interface settings to the specified security
module(s).
13. For inter-chassis clustering, add the next chassis to the cluster:
a. On the first chassis Firepower Chassis Manager, click the Show Cluster Details icon at the top right.
b. Select and copy the displayed cluster configuration text.
c. Connect to the Firepower Chassis Manager on the next chassis, and add a logical device according to this
procedure.
d. Choose Join an Existing Cluster.
e. Click the Copy config check box, and click OK. If you uncheck this check box, you must manually enter
the settings to match the first chassis configuration.
f. In the Copy Cluster Details box, paste in the cluster configuration from the first chassis, and click OK.
g. Click the device icon in the center of the screen. The cluster information is pre-filled, except for the Chassis
ID; enter a unique chassis ID, and click OK.
h. Click Save.
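A pre-deployment check for the Management IP Pool note in step 10, as an added example that is not part of Cisco's guide: it verifies that the hyphen-separated pool holds enough addresses for the cluster units and that the virtual IP is on the same network but outside the pool. The function name, the CIDR network argument and any addresses passed to it are assumptions made for illustration.

```python
import ipaddress

def check_mgmt_pool(pool, virtual_ip, network, units, planned_growth=0):
    """Return a list of problems with a cluster Management IP Pool plan.

    pool           -- "start-end", the hyphen-separated form the note describes
    virtual_ip     -- Main cluster IP address (must sit outside the pool)
    network        -- management network in CIDR form (assumed input)
    units          -- number of cluster units today
    planned_growth -- extra units expected if the cluster is expanded
    """
    start_s, sep, end_s = pool.partition("-")
    if not sep:
        return ["pool must be 'start-end' separated by a hyphen"]
    try:
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        vip = ipaddress.ip_address(virtual_ip)
        net = ipaddress.ip_network(network, strict=False)
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    # IPv4 and IPv6 are both allowed, but one pool cannot mix them.
    if len({start.version, end.version, vip.version, net.version}) != 1:
        return ["pool, virtual IP and network must be the same IP version"]
    if int(end) < int(start):
        return ["pool end precedes pool start"]

    problems = []
    size = int(end) - int(start) + 1
    needed = units + planned_growth
    if size < needed:
        problems.append(f"pool has {size} addresses, {needed} needed")
    if start not in net or end not in net:
        problems.append("pool is not inside the management network")
    if vip not in net:
        problems.append("virtual IP is not on the management network")
    if int(start) <= int(vip) <= int(end):
        problems.append("virtual IP falls inside the pool")
    return problems
```

An empty list means the plan satisfies every condition in the note; each string names one condition that fails.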
3. Access the ASA CLI
For initial configuration or for troubleshooting, you may need to access the ASA CLI from the Firepower 9300
supervisor.
Procedure
1. Connect to the Firepower 9300 supervisor CLI, for example from the console port or using SSH.
2. Connect to the ASA.
connect module slot console
Example:
Firepower> connect module 1 console
Firepower-module1>
For an ASA cluster, you need to access the primary unit for configuration. Refer to the Firepower Chassis
Manager Logical Devices screen to see which module is the primary unit, or use the ASA CLI to check.
3. The first time you connect to the module, you enter the FXOS module CLI. You must then connect to the
ASA application:
connect asa
Example:
Firepower-module1> connect asa
asa>
Subsequent connections place you directly in the ASA application.
4. Enter privileged EXEC (enable) mode, and then global configuration mode. By default, the enable password is
blank.
enable
configure terminal
Example:
asa> enable
Password:
asa# configure terminal
asa(config)#
5. If required, for an ASA cluster confirm that this module is the primary unit:
show cluster info
Example:
asa(config)# show cluster info
Cluster cluster1: On
    Interface mode: spanned
    This is "unit-1-2" in state MASTER
        ID        : 2
        Version   : 9.5(2)
        Serial No.: FCH183770GD
        CCL IP    : 127.2.1.2
        CCL MAC   : 0015.c500.019f
        Last join : 01:18:34 UTC Nov 4 2015
        Last leave: N/A
Other members in the cluster:
    Unit "unit-1-3" in state SLAVE
        ID        : 4
        Version   : 9.5(2)
        Serial No.: FCH19057ML0
        CCL IP    : 127.2.1.3
        CCL MAC   : 0015.c500.018f
        Last join : 20:29:57 UTC Nov 4 2015
        Last leave: 20:24:55 UTC Nov 4 2015
    Unit "unit-1-1" in state SLAVE
        ID        : 1
        Version   : 9.5(2)
        Serial No.: FCH19057ML0
        CCL IP    : 127.2.1.1
        CCL MAC   : 0015.c500.017f
        Last join : 20:20:53 UTC Nov 4 2015
        Last leave: 20:18:15 UTC Nov 4 2015
    Unit "unit-2-1" in state SLAVE
        ID        : 3
        Version   : 9.5(2)
        Serial No.: FCH19057ML0
        CCL IP    : 127.2.2.1
        CCL MAC   : 0015.c500.020f
        Last join : 20:19:57 UTC Nov 4 2015
        Last leave: 20:24:55 UTC Nov 4 2015
If a different module is the primary unit, exit the connection and connect to the correct slot number. See below
for information about exiting the connection.
6. To exit the console connection, type ~. You exit to the Telnet application. Enter quit to exit to the supervisor
CLI.
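A parser for the show cluster info output in step 5, as an added example that is not part of Cisco's guide: it reports whether the current session is on the primary unit and, if not, which module to connect to instead. The sample is trimmed from the example on this page; reading unit names as unit-<chassis>-<slot> is an assumption drawn from that sample, and the function names are hypothetical.

```python
import re

# Trimmed from the "show cluster info" example on this page (two of four units).
SAMPLE = '''\
Cluster cluster1: On
    Interface mode: spanned
    This is "unit-1-2" in state MASTER
        ID        : 2
        Version   : 9.5(2)
        CCL IP    : 127.2.1.2
        Last join : 01:18:34 UTC Nov 4 2015
        Last leave: N/A
Other members in the cluster:
    Unit "unit-2-1" in state SLAVE
        ID        : 3
        Version   : 9.5(2)
        CCL IP    : 127.2.2.1
        Last join : 20:19:57 UTC Nov 4 2015
        Last leave: 20:24:55 UTC Nov 4 2015
'''

UNIT_RE = re.compile(r'(This is|Unit) "([^"]+)" in state (\S+)')
FIELD_RE = re.compile(
    r'^\s*(ID|Version|Serial No\.|CCL IP|CCL MAC|Last join|Last leave)\s*:\s*(.*)$')

def parse_cluster_info(text):
    """Return one dict per unit; 'local' marks the unit this CLI session is on."""
    units = []
    for line in text.splitlines():
        unit = UNIT_RE.search(line)
        field = FIELD_RE.match(line)
        if unit:
            units.append({"name": unit[2], "state": unit[3],
                          "local": unit[1] == "This is"})
        elif field and units:
            units[-1][field[1]] = field[2].strip()
    return units

def where_to_connect(units):
    """Return (on_primary, chassis, slot) for the single MASTER unit."""
    masters = [u for u in units if u["state"] == "MASTER"]
    if len(masters) != 1:
        raise ValueError(f"expected exactly one MASTER, found {len(masters)}")
    # Assumption: unit names follow unit-<chassis>-<slot>, as in the sample.
    m = re.fullmatch(r"unit-(\d+)-(\d+)", masters[0]["name"])
    if not m:
        raise ValueError("unit name does not follow unit-<chassis>-<slot>")
    return masters[0]["local"], int(m[1]), int(m[2])
```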
4. Configure ASA License Entitlements
FXOS 1.1.2 and earlier; FXOS 1.1.3 with Smart Software Manager satellite
To run ASDM and other features such as VPN, you must have a Strong Encryption (3DES/AES) license. You must
request this license in the ASA configuration using the CLI.
Before You Begin
You must configure Cisco Smart Software Licensing on the Firepower 9300 supervisor before you configure
license entitlements on the ASA.
Procedure
1. Access the ASA CLI. See 3. Access the ASA CLI.
2. Enter license smart configuration mode:
license smart
Example:
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)#
3. Set the feature tier:
feature tier standard
Only the standard tier is available. A tier license is a prerequisite for adding other feature licenses.
4. Request one or more of the following features:
— Strong Encryption (3DES)
feature strong-encryption
— ASA 9.5(1) and earlier: Mobile SP (GTP/GPRS)
feature mobile-sp
— ASA 9.5(2) and later: Carrier (Diameter, GTP/GPRS, SCTP)
feature carrier
— Security Contexts
feature context <1-248>
5. Save the configuration:
write memory
5. Launch ASDM
ASDM includes many easy-to-use Wizards as well as a complete suite of individual ASA feature configuration
tools.
Before You Begin

See the ASDM release notes on Cisco.com for the requirements to run ASDM.

You must configure Cisco Smart Software Licensing on the Firepower 9300 supervisor before you can connect
to ASDM; the Strong Encryption (3DES/AES) license is required to use ASDM. For FXOS 1.1.3 and later, the Strong
Encryption license is automatically enabled for qualified customers when you apply the registration token on
the Firepower 9300. For FXOS 1.1.2 and earlier, and for 1.1.3 and later Smart Software Manager satellite
deployments, see 4. Configure ASA License Entitlements.
Procedure
1. On the computer connected to the ASA, launch a web browser.
2. In the Address field, enter the following URL: https://ip_address/admin. The ip_address is the one you set for
the management interface when you deployed the ASA. The Cisco ASDM web page appears.
3. Click one of the available options: Install ASDM Launcher, Run ASDM, or Run Startup Wizard.
4. Follow the onscreen instructions to launch ASDM according to the option you chose. The Cisco ASDM-IDM
Launcher appears.
Note: If you click Install ASDM Launcher, for some Java 7 versions you need to install an identity certificate
for the ASA according to Install an Identity Certificate for ASDM.
5. Leave the username and password fields empty, and click OK. The main ASDM window appears.
6. Where to Go Next

You can find links to all ASA/ASDM documentation at Navigating the Cisco ASA Series Documentation.

See all Firepower 9300 documentation.
© 2016 Cisco Systems, Inc. All rights reserved.