Cisco ASA 5508-X, ASA 5516-X Quick Start Manual

Cisco Firepower Threat Defense for the ASA 5508-X and ASA 5516-X Using Firepower Management Center Quick Start Guide
First Published: August 10, 2016
Warning: You cannot install Firepower Threat Defense 6.3 or subsequent releases on the ASA 5508-X and 5516-X. The final supported Firepower Threat Defense release for these platforms is 6.2.3.
1. Is This Guide for You?
This guide explains how to complete the initial configuration of your Firepower Threat Defense device and how to register the device to a Firepower Management Center. In a typical deployment on a large network, multiple managed devices are installed on network segments, monitor traffic for analysis, and report to a managing Firepower Management Center. The Firepower Management Center provides a centralized management console with a web interface that you can use to perform administrative, management, analysis, and reporting tasks.
For networks that include only a single device or just a few, where you do not need to use a high-powered multiple-device manager like the Firepower Management Center, you can use the integrated Firepower Device Manager. Use the Firepower Device Manager web-based device setup wizard to configure the basic features of the software that are most commonly used for small network deployments as described in http://www.cisco.com/go/fdm-quick.
2. Package Contents
This section lists the package contents of the chassis. Note that contents are subject to change, and your exact contents might contain additional or fewer items.
Cisco Systems, Inc. www.cisco.com
(1) ASA 5508-X or ASA 5516-X chassis
(2) Blue Console Cable and Serial PC Terminal Adapter (DB-9 to RJ-45)
(3) Power cable
(4) 4 10-32 Phillips Screws for rack mounting
(5) 4 12-24 Phillips Screws for rack mounting
(6) 4 M6 Phillips Screws for rack mounting
(7) 4 M4 Phillips Screws for rack mounting
3. License Requirements
Firepower Threat Defense devices require Cisco Smart Licensing. Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.
In addition, Smart Licensing does not prevent you from using product features that you have not yet purchased. You can start using a license immediately, as long as you are registered with the Cisco Smart Software Manager, and purchase the license later. This allows you to deploy and use a feature, and avoid delays due to purchase order approval.
When you purchase one or more Smart Licenses for Firepower features, you manage them in the Cisco Smart Software Manager: http://www.cisco.com/web/ordering/smart-software-manager/index.html. The Smart Software Manager lets you create a master account for your organization. For more information about the Cisco Smart Software Manager, see the Cisco Smart Software Manager User Guide.
Your purchase of a Firepower Threat Defense device or Firepower Threat Defense Virtual automatically includes a Base license. All additional licenses (Threat, Malware, or URL Filtering) are optional. For more information about Firepower Threat Defense licensing, see the “Licensing the System” chapter of the Cisco Firepower Management Center Configuration Guide.
4. Deploy the Firepower Threat Defense in Your Network
The following figure shows the recommended network deployment for Firepower Threat Defense on the ASA 5508-X or ASA 5516-X.
[Figure: recommended network deployment. Labels: Management Computer (192.168.45.2); Layer 2 Switch; Firepower Threat Defense with inside, outside, and Management 1/1 (IP Address: 192.168.45.45); Management Gateway, GigabitEthernet 1/2 (192.168.45.1); GigabitEthernet 1/1; Internet; Firepower Management Center (192.168.45.44).]
Note: You must use a separate inside switch in your deployment.
The example configuration enables the above network deployment with the following behavior.
- inside --> outside traffic flow
- outside IP address from DHCP
- DHCP for clients on inside.
- Management 1/1 is used to set up and register the Firepower Threat Defense device to the Firepower Management Center.
  The Management interface requires Internet access for updates. When you put Management on the same network as an inside interface, you can deploy the Firepower Threat Defense device with only a switch on the inside and point to the inside interface as its gateway.
  The physical management interface is shared between the Management logical interface and the Diagnostic logical interface; see the Interfaces for Firepower Threat Defense chapter of the Firepower Management Center Configuration Guide.
- Firepower Management Center access on the inside interface
Note: If you want to deploy a separate router on the inside network, then you can route between management and inside; see the Interfaces for Firepower Threat Defense chapter of the Firepower Management Center Configuration Guide for examples of alternate deployment configurations.
To cable the above scenario on the ASA 5508-X or ASA 5516-X, see the following illustration.
Note: The following illustration shows a simple topology using a Layer 2 switch. Other topologies can be used and your deployment will vary depending on your basic logical network connectivity, ports, addressing, and configuration requirements.