Cisco Defense Orchestrator

Before You Install or Onboard an ASA FirePOWER Module

Make sure that your ASA FirePOWER module meets these requirements before onboarding it to CDO:

  1. Hardware and Software Requirements

CDO can manage an ASA FirePOWER module that meets these requirements:

  • ASA Hardware: CDO supports the ASA FirePOWER module only when it is installed on an ASA 5506, 5508, 5512, 5515, 5516, 5525, 5545, or 5555. CDO does not support the FirePOWER services module on the ASA 5585.

  • ASA FirePOWER module version: 5.4 and higher

  • ASA version and ASDM Versions: Those that support FirePOWER services version 5.4 and higher on the stated hardware devices. See the Cisco ASA Compatibility Guide for more information. 

  • Replace the certificate on ASA FirePOWER modules and Firepower Threat Defense (FTD) devices running FTD version 6.2.2 or above: You must replace the certificate on the ASA FirePOWER or FTD device only if it's an auto-generated self-signed certificate in version 6.2.2 and above. To replace the certificate, see Replacing the Certificate on the ASA FirePOWER module 6.2.2 and Firepower Threat Defense 6.2.2 for instructions.

  2. Licensing Requirements

You will need to install the Control and Protection Firepower license for the ASA FirePOWER module to be managed by CDO.

  3. Disable and uninstall any pre-existing ips or cxsc modules before you install the ASA FirePOWER module. To do so, follow these instructions:
    a. From the user EXEC mode prompt, run the show module command to determine what modules are installed on the ASA.

Note: If you do not have an ips or cxsc module installed, or their status is "Unresponsive" and their Data Plane Status is "Not Applicable", then skip to step 4.

    b. Use the sw-module module <module_name> shutdown command to disable the ips or cxsc module.
    c. Use the sw-module module <module_name> uninstall command to uninstall the module.
    d. Reload the ASA.

For example: 

ciscoasa# sw-module module cxsc shutdown
ciscoasa# sw-module module cxsc uninstall
ciscoasa# reload
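
A pre-check for the step above, as an added example that is not part of the original Cisco page: it parses the status table from show module output and returns the commands still needed, applying the note's skip condition. The sample output and its column layout are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample of the status table printed by `show module`
# (column layout is an assumption; adjust the parser to your ASA's output).
SAMPLE_SHOW_MODULE = """\
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Unresponsive       Not Applicable
cxsc Up                 Up
"""

LEGACY_MODULES = ("ips", "cxsc")  # modules the page says must be removed first


def parse_status_table(output):
    """Return {module: (status, data_plane_status)} from the status table."""
    rows, in_table = {}, False
    for line in output.splitlines():
        if re.match(r"\s*Mod\s+Status\s+Data Plane Status", line):
            in_table = True
            continue
        if not line.strip():
            in_table = False  # a blank line ends the table
            continue
        if not in_table or set(line.strip()) <= {"-", " "}:
            continue  # outside the table, or the dashed separator row
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        # Remaining columns are separated by runs of two or more spaces.
        cols = re.split(r"\s{2,}", parts[1].strip())
        rows[parts[0]] = (cols[0], cols[1] if len(cols) > 1 else "")
    return rows


def removal_commands(output):
    """CLI commands still needed for ips/cxsc, or [] if the step can be skipped."""
    cmds = []
    for name, (status, data_plane) in parse_status_table(output).items():
        if name not in LEGACY_MODULES:
            continue
        # The page's skip condition: Unresponsive + Not Applicable.
        if status == "Unresponsive" and data_plane == "Not Applicable":
            continue
        cmds += [f"sw-module module {name} shutdown",
                 f"sw-module module {name} uninstall"]
    return cmds + ["reload"] if cmds else cmds
```

For the constructed sample, removal_commands(SAMPLE_SHOW_MODULE) returns the same three commands as the cxsc example above, because ips already meets the skip condition.
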
  4. The ASA FirePOWER module must be managed by ASDM, not a Firepower Management Center. If you have an existing FirePOWER module, and it is already installed and managed by FMC, follow these procedures:
    a. Determine if the ASA FirePOWER module is already installed on your ASA. Open ASDM and connect to your ASA. If you see the ASA FirePOWER Status tab and no other FirePOWER tabs, the boot and system images are loaded on the ASA but the FirePOWER module may not be configured.

[Figure: FirePOWER status tab]

If this is the state of your environment, skip to Installing an ASA FirePOWER module and perform the Configure the ASA FirePOWER boot image procedure and the following procedures on that page.

If you see several ASA FirePOWER tabs, the ASA FirePOWER module is installed and managed by ASDM; however, you may still need to redirect traffic to the module.

[Figure: FirePOWER tabs in ASDM]

If this is the state of your environment, skip to Installing an ASA FirePOWER module and perform the Direct Traffic to the ASA FirePOWER module procedure and the following procedures on that page.

  5. Choose an IP address for the ASA FirePOWER module. It is easier to onboard your ASA FirePOWER module to CDO when you do not need to create a NAT rule connecting the ASA FirePOWER module IP address and the ASA management interface IP address. Whether the IP addresses are public or private and whether your Secure Device Connector is "On-prem" or "in the cloud" determine if you need to create a NAT rule to connect the ASA FirePOWER module IP address and the ASA management interface IP address.

Use this table to determine when a NAT rule is required, and try to reserve an IP address for your ASA FirePOWER module that does not require a NAT rule.

Possible values for each column:

  • ASA FirePOWER Module IP Address: Public (outside) address or Private (inside) address
  • ASA MGMT Interface IP Address: Public (outside) address or Private (inside) address
  • Secure Device Connector: Cloud connector or On-premises Connector

Is a NAT rule required to connect the ASA FirePOWER module IP address to the ASA management interface IP address?

ASA FirePOWER Module IP Address   ASA MGMT Interface IP Address   Secure Device Connector   NAT rule required?
Private                           Public                          Cloud                     NAT rule is required
Public                            Public                          Cloud                     No NAT rule required
Private                           Public                          On-premises               No NAT rule required
Private                           Private                         On-premises               No NAT rule required

 

Next Steps

Proceed with Installing an ASA FirePOWER Module.
