353663
1
32
4
Cisco Firepower Threat Defense for the
ASA 5506-X Series Using Firepower
Device Manager Quick Start Guide
First Published: August 10, 2016
Last Updated: June 28, 2017
1. Is This Guide for You?
This guide explains how to complete the initial configuration of your Firepower Threat Defense device using the
Firepower Device Manager web-based device setup wizard included on Firepower Threat Defense devices.
Firepower Device Manager lets you configure the basic features of the software that are most commonly used for
small networks. It is especially designed for networks that include a single device or just a few, where you do not
want to use a high-powered multiple-device manager to control a large network containing many Firepower
Threat Defense devices.
If you are managing large numbers of d evices, or if you want to use the more complex features and configurations
that Firepower Threat Defense allows, use the Firepower Management Center to configure your devices instead
of the integrated Firepower Device Manager.
Use the CLI setup wizard to configure your Firepower Threat Defense device for network connectivity and to
register the device to a Firepower Management Center as described in http://www.cisco.com/go/ftd-asa-quick.
2. Package Contents
This section lists the package contents of the chassis. Note that contents are subject to change, and your exact
contents might contain additional or fewer items.
Figure 1 ASA 5506-X and 5506W-X
Cisco Systems, Inc. www.cisco.com
1
Cisco Firepower Threat Defense for the ASA 5506-X Series Using Firepower Device Manager Quick Start Guide
3. License Requirements
1 ASA 5506-X or ASA 5506W-X chassis 2 USB Console Cable (Type A to Type B)
3 Power cable 4 Power supply
Figure 2 ASA 5506H-X
1
3
2
4
5
403499
1 ASA 5506H-X chassis 2 Blue Console Cable and Serial PC Terminal Adapter
(DB-9 to RJ-45)
3 Power cord retention lock 4 Power cable
5 Power supply
3. License Requirements
Firepower Threat Defense devices require Cisco Smart Licensing. Smart Licensing lets you purchase and manage
a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a
specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.
In addition, Smart Licensing does not prevent you from using product features that you have not yet purchased.
You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager,
and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order
approval.
When you purchase one or more Smart Licenses for Firepower features, you manage them in the Cisco Smart
Software Manager: http://www.cisco.com/web/ordering/smart-software-manager/index.html. The Smart
Software Manager lets you create a master account for your organization. For more information about the Cisco
Smart Software Manager, see the Cisco Smart Software Manager User Guide.
Your purchase of a Firepower Threat Defense device or Firepower Threat Defense Virtual automatically includes a
Base license. All additional licenses (Threat, Malware, or URL Filtering) are optional. For more information about
Firepower Threat Defense licensing, see the “Licensing the System” chapter of the Cisco Firepower Threat
Defense Configuration Guide for Firepower Device Manager.
2
Cisco Firepower Threat Defense for the ASA 5506-X Series Using Firepower Device Manager Quick Start Guide
4. Deploy the Firepower Threat Defense in Your Network
4. Deploy the Firepower Threat Defense in Your Network
Note: The default configuration to use Firepower Device Manager to configure a Firepower Threat Defense device,
which includes the inside address and management address, changed in Version 6.2. See Figure 3 on page 3 for
the default topology for Version 6.2, and Figure 4 on page 4 for the default topology for Version 6.1.
About the Default Configuration (Version 6.2)
Except for the first data interface, and the Wi-Fi interface on an ASA 5506W-X, all other data interfaces on these
device models are structured into the “inside” bridge group and enabled. There is a DHCP server on the inside
bridge group. You can plug endpoints or switches into any bridged interface and endpoints get addresses on the
192.168.1.0/24 network.
For complete information about the default configuration and the options you have to configure bridged interfaces,
see the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
The following figure shows the recommended network deployment for Firepower Threat Defense on the ASA
5506-X series of appliances, including the ASA 5506W-X with the built-in wireless access point.
Figure 3 Suggested Network Deployment - Version 6.2
Firepower
Threat Defense
inside bridge group
GigabitEthernet 1/2-1/8
192.168.1.1
Management Computer
DHCP from inside:192.168.1.x
The example configuration enables the above network deployment with the following behavior.
inside --> outside traffic flow
outside IP address from DHCP
(ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow
DHCP for clients on inside and wifi. There is a DHCP server on the inside bridge group. You can plug
endpoints or switches directly into one of the bridged interfaces and get addresses on the 192.168.1.0/24
network. There is a DHCP server on the wifi interface for the access point itself and all its clients.
HTTPS access is enabled on the inside bridge group, so you can open Firepower Device Manager through any
inside bridge group member interface at the default address, 192.168.1.1.
Alternatively, you can connect to Management 1/1 to set up and manage the device using the Firepower
Device Manager. There is a DHCP server on the management interface. You can plug your management
computer directly into this interface and get an address on the 192.168.45.0/24 network.
Management
Management 1/1
IP Address:
192.168.45.45
outside
GigabitEthernet 1/1
Internet
AP
wifi
GigabitEthernet 1/9 (internal)
192.168.10.1
Access Point IP address: 192.168.10.2
HTTPS access is enabled on the management interface, so you can open Firepower Device Manager through
the management interface at the default address, 192.168.45.45.
The default gateway for the management IP address is to use the data interfaces to route to the Internet. Thus,
you do not need to wire the Management physical interface to a network.
3
Cisco Firepower Threat Defense for the ASA 5506-X Series Using Firepower Device Manager Quick Start Guide
Management Computer
DHCP from inside:192.168.45.x
Layer 2
Switch
Firepower
Threat Defense
inside
Management 1/1
IP Address:
192.168.45.45
outside
Gateway
GigabitEthernet 1/2
192.168.45.1
GigabitEthernet 1/1
wifi
GigabitEthernet 1/9 (internal)
192.168.10.1
Access Point IP address: 192.168.10.2
Management
AP
Internet
4. Deploy the Firepower Threat Defense in Your Network
Note: The physical management interface is shared between the Management logical interface and the
Diagnostic logical interface; see the “Interfaces” chapter of the Cisco Firepower Threat Defense Configuration
Guide for Firepower Device Manager.
The Firepower Threat Defense system requires Internet access for licensing and updates. The system can
obtain system database updates through the gateway for the outside interface. You do not need to have an
explicit route from the management port or network to the Internet. The default is to use internal routes
through the data interfaces.
About the Default Configuration (Version 6.1)
The default configuration assumes that you will connect the management and inside interfaces to the same
network using a switch. The inside interface is configured as a DHCP server, so you can attach your management
workstation to the same switch and get an address through DHCP on the same network. Then you can open the
Firepower Device Manager web interface.
For complete information about the default configuration, see the Cisco Firepower Threat Defense Configuration
Guide for Firepower Device Manager.
The following figure shows the recommended network deployment for Firepower Threat Defense on the ASA
5506-X series of appliances, including the ASA 5506W-X with the built-in wireless access point.
Figure 4 Suggested Network Deployment - Version 6.1
Note: You must use a separate inside switch in your deployment.
The example configuration enables the above network deployment with the following behavior.
inside --> outside traffic flow
outside IP address from DHCP
(ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow
DHCP for clients on inside and wifi. The access point itself and all its clients use the ASA as the DHCP server.
Management 1/1 is used to set up and manage the device using the Firepower Device Manager, a simplified
single-device manager included on the box.
The Management interface requires Internet access for updates. When you put Management on the same
network as an inside interface, you can deploy the Firepower Threat Defense device with only a switch on the
inside and point to the inside interface as its gateway.
The physical management interface is shared between the Management logical interface and the Diagnostic
logical interface; see the “Interfaces” chapter of the Cisco Firepower Threat Defense Configuration Guide for
Firepower Device Manager.
4
Cisco Firepower Threat Defense for the ASA 5506-X Series Using Firepower Device Manager Quick Start Guide
USB
RESET
GE MGMT
LS
SLSLS LSLS LS LS LS L
Status
Power Active
Power
12VDC, 5A
12345678
wLAN
CONSOLE
GigabitEthernet 1/1
outside, DHCP from Modem
Wifi: See
quick start guide
Internet
WAN Modem
GigabitEthernet 1/2-1/8 Bridge Group
inside, 192.168.1.1
Management Computer
DHCP from inside: 192.168.1.x
Power
12VDC, 5A
Power
Status
Active
USB
RESET
GE MGMT
LS
CONSOLE
4
3
2
1
GigabitEthernet 1/1
outside, DHCP from Modem
GigabitEthernet 1/2-1/4 Bridge Group
inside, 192.168.1.1
Management Computer
DHCP from inside: 192.168.1.x
Internet
WAN Modem
4. Deploy the Firepower Threat Defense in Your Network
Connect the Interfaces
The default configuration assumes that certain interfaces are used for the inside and outside networks. Initial
configuration will be easier to complete if you connect network cables to the interfaces based on these
expectations. To cable the above scenario on the ASA 5506-X series, see the following illustrations.
Note: The following illustrations show a simple topology using a management computer connected to the inside
network. Other topologies can be used and your deployment will vary depending on your basic logical network
connectivity, ports, addressing, and configuration requirements.
Version 6.2
Figure 5 ASA 5506W-X (with Wi-Fi), 5506-X (without Wi-Fi) for Version 6.2.
Figure 6 ASA 5506H-X for Version 6.2.
5
Loading...