Cisco ASA for Firepower 4100 Quick Start Guide

First Published: March 21, 2016
Last Updated: May 9, 2016

1. About the ASA for Firepower 4100

The Firepower 4100 security appliance includes a single security engine that can run the ASA application.

How the ASA Works with the Firepower 4100

The Firepower 4100 security appliance runs its own operating system called the Firepower eXtensible Operating System (FXOS). You can configure hardware interface settings, smart licensing, and other basic operating parameters using the Firepower Chassis Manager web interface or CLI.

All physical interface operations are owned by the Firepower 4100, including establishing external EtherChannels. You can create two types of interfaces: Data and Management. You can assign interfaces to the ASA either at the time of deployment or later as needed. These interfaces use the same IDs on the Firepower 4100 as in the ASA configuration. The Firepower 4100 delivers network traffic to the ASA over internal backplane EtherChannels.

When you deploy the ASA, the Firepower 4100 downloads an ASA image of your choice and establishes a default configuration. You can deploy the ASA as either a standalone logical device, or as a cluster of ASAs on up to six chassis.

ASA Management

When you deploy the ASA, you can pre-configure a management interface and management client information, so that the deployed ASA allows ASDM access from that client.

You can also access the ASA CLI from the Firepower 4100 CLI using an internal Telnet connection. From within the ASA, you can later configure SSH or Telnet access over any of its management or data interfaces.

Note: See Licensing Requirements for the ASA for Firepower 4100 for licensing requirements for ASDM access.

Licensing Requirements for the ASA for Firepower 4100

On the ASA for Firepower 4100, Smart Software Licensing configuration is split between the Firepower 4100 and the ASA.
- Firepower 4100: Configure all Smart Software Licensing infrastructure on the Firepower 4100, including parameters for communicating with the License Authority. The Firepower 4100 itself does not require any licenses to operate.
- ASA: Configure all license entitlements in the ASA, including the required Standard tier license. Other optional licenses are also available. The Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 4100, so no additional action is required.

Note: For Smart Software Manager satellite deployments, before you can use ASDM (and features such as VPN) you must enable the Strong Encryption (3DES/AES) license by requesting the entitlement within the ASA software. You must perform this task from the ASA CLI, which is accessible from the FXOS CLI. For an evaluation license, you cannot receive a Strong Encryption license.

2. Deploy the ASA

You can deploy a standalone ASA or a cluster of ASAs using the Firepower Chassis Manager. For CLI procedures, see the FXOS Configuration Guide.

Configure Interfaces

Configure a Management-type interface on the Firepower 4100 that you can include in the deployment configuration for the ASA. You must also configure at least one Data-type interface. For a cluster, you need to add at least one member interface to the Port-Channel 48 Cluster-type interface that acts as the cluster control link between chassis.

Procedure

1. In the Firepower Chassis Manager, choose Interfaces to open the Interfaces page.
2. To add an EtherChannel:
   a. Click Add Port Channel.
   b. For the Port Channel ID, enter a value between 1 and 47.
   c. Leave Enable checked.
   d. For the Type, choose Management or Data. You can only include one management interface. Do not choose Cluster.
   e. Add member interfaces as needed.
   f. Click OK.
3. To add a single interface:
   a. Click the Edit icon in the interface row to open the Edit Interface dialog box.
   b. Check Enable.
   c. For the Type, click Management or Data. You can only include one management interface.
   d. Click OK.
4. To add a member to Port-Channel 48 for the cluster control link:
   a. Click the Edit icon in the interface row to open the Edit Interface dialog box.
   b. Select an interface from the Available Interface window, and click Add Interface. Repeat for additional interfaces if needed; you need a minimum of one interface.
   c. Click OK.

Deploy a Standalone ASA

Procedure

1. Choose Logical Devices to open the Logical Devices page.
2. Click Add Device to open the Add Device dialog box.
3. For the Device Name, provide a name for the logical device. This name is used by the Firepower 4100 to configure management settings and assign interfaces; it is not the device name used in the ASA configuration.
4. For the Template, choose asa.
5. For the Image Version, choose the ASA software version.
6. For the Device Mode, click the Standalone radio button.
7. Click OK. You see the Provisioning - device name window.
8. Expand the Data Ports area, and ensure all of the interfaces are assigned to the ASA.
9. Click the device icon in the center of the screen. The ASA Configuration dialog box appears.
10. Configure the deployment options as prompted.
11. Click OK to close the ASA Configuration dialog box.
12. Click Save. The Firepower 4100 deploys the logical device by downloading the specified software version and pushing the bootstrap configuration and management interface settings to the security engine.

Deploy an ASA Cluster

Procedure

1. Choose Logical Devices to open the Logical Devices page.
2. Click Add Device to open the Add Device dialog box.
3. For the Device Name, provide a name for the logical device. This name is used by the Firepower 4100 to configure clustering/management settings and assign interfaces; it is not the cluster or device name used in the ASA configuration.
4. For the Template, choose asa.
5. For the Image Version, choose the ASA software version.
6. For the Device Mode, click the Cluster radio button.
7. Click the Create New Cluster radio button.
8. Click OK. You see the Provisioning - device name window.
9. Expand the Data Ports area, and ensure all of the interfaces are assigned to the ASA.
10. Click the device icon in the center of the screen. The ASA Configuration dialog box appears.
11. Configure the deployment options as prompted.
    Note: In the Management IP Pool field, configure a pool of Local IP addresses, one of which will be assigned to each cluster unit for the interface, by entering the starting and ending addresses separated by a hyphen. Include at least as many addresses as there are units in the cluster. If you plan to expand the cluster, include additional addresses. The Virtual IP address (known as the Main cluster IP address) that belongs to the current primary unit is not a part of this pool; be sure to reserve an IP address on the same network for the virtual IP address. You can use IPv4 and/or IPv6 addresses.
12. Click OK to close the ASA Configuration dialog box.
13. Click Save. The Firepower 4100 deploys the logical device by downloading the specified software version and pushing the bootstrap configuration and management interface settings to the security engine.
14. Add the next chassis to the cluster:
    a. On the first chassis Firepower Chassis Manager, click the Show Cluster Details icon at the top right.
    b. Select and copy the displayed cluster configuration text.
    c. Connect to the Firepower Chassis Manager on the next chassis, and add a logical device according to this procedure.
    d. Choose Join an Existing Cluster.
    e. Click the Copy config check box, and click OK. If you uncheck this check box, you must manually enter the settings to match the first chassis configuration.
    f. In the Copy Cluster Details box, paste in the cluster configuration from the first chassis, and click OK.
    g. Click the device icon in the center of the screen. The cluster information is pre-filled, except for the Chassis ID; enter a unique chassis ID, and click OK.
    h. Click Save.

3. Access the ASA CLI

For initial configuration or for troubleshooting, you may need to access the ASA CLI from the Firepower 4100 CLI.

Procedure

1. Connect to the primary Firepower 4100 CLI; for example, connect to the console port or use SSH to the Firepower Management interface.
2. Connect to the ASA:

       connect module 1 console

   Example:

       Firepower> connect module 1 console
       Firepower-module1>

3. The first time you connect to the security engine, you enter the FXOS security engine CLI. You must then connect to the ASA application:

       connect asa

   Example:

       Firepower-module1> connect asa
       asa>

   Subsequent connections place you directly in the ASA application.
4. Enter privileged EXEC (enable) mode, and then global configuration mode. By default, the enable password is blank.

       enable
       configure terminal

   Example:

       asa> enable
       Password:
       asa# configure terminal
       asa(config)#

5. If required, for an ASA cluster confirm that this unit is the primary unit:

       show cluster info

   Example:

       asa(config)# show cluster info
       Cluster cluster1: On
           Interface mode: spanned
           This is "unit-1-1" in state MASTER
               ID        : 2
               Version   : 9.6(1)
               Serial No.: FCH183770GD
               CCL IP    : 127.2.1.1
               CCL MAC   : 0015.c500.019f
               Last join : 01:18:34 UTC Nov 4 2015
               Last leave: N/A
       Other members in the cluster:
           Unit "unit-2-1" in state SLAVE
               ID        : 4
               Version   : 9.6(1)
               Serial No.: FCH19057ML0
               CCL IP    : 127.2.2.1
               CCL MAC   : 0015.c500.018f
               Last join : 20:29:57 UTC Nov 4 2015
               Last leave: 20:24:55 UTC Nov 4 2015
           Unit "unit-3-1" in state SLAVE
               ID        : 1
               Version   : 9.6(1)
               Serial No.: FCH19057ML0
               CCL IP    : 127.2.3.1
               CCL MAC   : 0015.c500.017f
               Last join : 20:20:53 UTC Nov 4 2015
               Last leave: 20:18:15 UTC Nov 4 2015
           Unit "unit-4-1" in state SLAVE
               ID        : 3
               Version   : 9.6(1)
               Serial No.: FCH19057ML0
               CCL IP    : 127.2.4.1
               CCL MAC   : 0015.c500.020f
               Last join : 20:19:57 UTC Nov 4 2015
               Last leave: 20:24:55 UTC Nov 4 2015

   If a different chassis is the primary unit, exit the connection and connect to the correct chassis. See below for information about exiting the connection.

4. Smart Software Manager Satellite: Request the Strong Encryption (3DES/AES) License

To run ASDM and other features such as VPN, you must have a Strong Encryption (3DES/AES) license. When you use the Smart Software Manager satellite, you must request this license in the ASA configuration using the CLI.

Before You Begin

You must configure Cisco Smart Software Licensing on the Firepower 4100 before you configure license entitlements on the ASA.

For an ASA cluster, you need to access the primary unit for configuration. Check the Firepower Chassis Manager to see which unit is the primary. You can also check from the ASA CLI.

Procedure

1. Access the ASA CLI. See 3. Access the ASA CLI.
2. Enter license smart configuration mode:

       license smart

   Example:

       ciscoasa(config)# license smart
       ciscoasa(config-smart-lic)#

3. Set the feature tier:

       feature tier standard

   Only the standard tier is available. A tier license is a prerequisite for adding other feature licenses.
4. Request the Strong Encryption license, and optionally other features:
   - Strong Encryption (3DES/AES)

         feature strong-encryption

   - Carrier (Diameter, GTP/GPRS, SCTP)

         feature carrier

   - Security Contexts

         feature context <1-248>

5. Save the configuration:

       write memory

6. Exit the console connection by typing ~. You exit to the Telnet application. Enter quit to exit to the Firepower 4100 CLI.

5. Launch ASDM

ASDM includes many easy-to-use Wizards as well as a complete suite of individual ASA feature configuration tools.

Before You Begin

See the ASDM release notes on Cisco.com for the requirements to run ASDM.

You must configure Cisco Smart Software Licensing on the Firepower 4100 before you can connect to ASDM; the Strong Encryption (3DES/AES) license is required to use ASDM. The Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300. For Smart Software Manager satellite deployments, see 4. Smart Software Manager Satellite: Request the Strong Encryption (3DES/AES) License.

Procedure

1. On the computer connected to the management interface that you assigned to the ASA, launch a web browser.
2. In the Address field, enter the following URL: https://ip_address/admin. The ip_address is the one you set for the management interface when you deployed the ASA. The Cisco ASDM web page appears.
3. Click one of the available options: Install ASDM Launcher, Run ASDM, or Run Startup Wizard.
4. Follow the onscreen instructions to launch ASDM according to the option you chose. The Cisco ASDM-IDM Launcher appears.
   Note: If you click Install ASDM Launcher, for some Java 7 versions you need to install an identity certificate for the ASA according to Install an Identity Certificate for ASDM.
5. Leave the username and password fields empty, and click OK. The main ASDM window appears.

6. Where to Go Next

You can find links to all ASA/ASDM documentation at Navigating the Cisco ASA Series Documentation.

See all FXOS Chassis documentation.

Cisco Systems, Inc.
www.cisco.com

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2016 Cisco Systems, Inc. All rights reserved.
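
The Management IP Pool note in "Deploy an ASA Cluster" sets out rules that can be checked before the values are typed into the ASA Configuration dialog box. The Python below is an added example, not part of the Cisco guide or any Cisco tool. The function name check_mgmt_pool, the CIDR network argument, the IPv4 network/broadcast check and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def check_mgmt_pool(pool, virtual_ip, network, units):
    """Return a list of problems; an empty list means the plan is usable.
    pool is the "start-end" text for the Management IP Pool field, virtual_ip
    the planned Main cluster IP, network the management subnet in CIDR form
    (an assumed input), units the cluster size including planned expansion.
    """
    try:
        start_s, end_s = (part.strip() for part in pool.split("-"))
        start = ipaddress.ip_address(start_s)
        end = ipaddress.ip_address(end_s)
        vip = ipaddress.ip_address(virtual_ip)
        net = ipaddress.ip_network(network, strict=False)
    except ValueError as exc:
        return [f"unparseable input: {exc}"]

    if len({start.version, end.version, vip.version, net.version}) != 1:
        return ["pool, virtual IP and network must use one address family"]
    if start > end:
        return ["pool start address is higher than pool end address"]

    problems = []
    size = int(end) - int(start) + 1
    if size < units:
        problems.append(f"pool has {size} addresses for {units} units")
    if start not in net or end not in net:
        problems.append("pool extends outside the management network")
    if vip not in net:
        problems.append("virtual IP is not on the management network")
    if start <= vip <= end:
        problems.append("virtual IP falls inside the pool")
    # IPv4 subnets larger than /31 reserve the network and broadcast addresses.
    if net.version == 4 and net.prefixlen < 31:
        for reserved in (net.network_address, net.broadcast_address):
            if start <= reserved <= end:
                problems.append(f"pool includes reserved address {reserved}")
    return problems


if __name__ == "__main__":
    # Constructed sample plans using documentation address ranges.
    plans = [
        ("192.0.2.11-192.0.2.16", "192.0.2.10", "192.0.2.0/24", 6),
        ("192.0.2.11-192.0.2.13", "192.0.2.12", "192.0.2.0/24", 6),
    ]
    for plan in plans:
        print(plan[0], "->", check_mgmt_pool(*plan) or "OK")
```

Run one check per address family when the cluster uses both IPv4 and IPv6 pools.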