Make sure that your ASA FirePOWER module meets these requirements before onboarding it to CDO:
- Hardware and Software Requirements
CDO can manage an ASA FirePOWER module that meets these requirements:
ASA Hardware: The ASA FirePOWER module must be installed on an ASA 5506, 5508, 5512, 5515, 5516, 5525, 5545, or 5555. CDO does not support the FirePOWER services module on the ASA 5585.
ASA FirePOWER module version: 5.4 and higher
ASA version and ASDM Versions: Those that support FirePOWER services version 5.4 and higher on the stated hardware devices. See the Cisco ASA Compatibility Guide for more information.
Replace the certificate on an ASA FirePOWER module or Firepower Threat Defense (FTD) device running version 6.2.2 or above: You must replace the certificate on the ASA FirePOWER module or FTD device only if it is an auto-generated self-signed certificate in version 6.2.2 and above. To replace the certificate, see Replacing the Certificate on the ASA FirePOWER module 6.2.2 and Firepower Threat Defense 6.2.2 for instructions.
- Licensing Requirements
You will need to install the Control and Protection Firepower license for the ASA FirePOWER module to be managed by CDO.
- Disable and uninstall any pre-existing ips or cxsc modules before you install the ASA FirePOWER module. To do so, follow these instructions:
- From the user EXEC mode prompt, run the show module command to determine what modules are installed on the ASA.
Note: If you do not have an ips or cxsc module installed, or their status is "Unresponsive" and their Data Plane Status is "Not Applicable", then skip to step 4.
- Use the sw-module module <module_name> shutdown command to disable the ips or cxsc module.
- Use the sw-module module <module_name> uninstall command to uninstall the module.
- Reload the ASA.
ciscoasa# sw-module module cxsc shutdown
ciscoasa# sw-module module cxsc uninstall
ciscoasa# reload
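The module check and its note can be scripted against saved `show module` output before any change is made. This is an added example, not part of the original page or of Cisco's tooling; the sample output is constructed, and its column layout and the function names are assumptions.

```python
import re

# Constructed sample of the status table from `show module`; the column
# layout is an assumption for illustration, not captured from a device.
SAMPLE = """\
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Unresponsive       Not Applicable
cxsc Up                 Up
 sfr Unresponsive       Not Applicable
"""

LEGACY = ("ips", "cxsc")  # modules the page says must be removed first


def parse_status(output):
    """Return {module: (status, data_plane_status)} from the status table."""
    lines = output.splitlines()
    # Locate the header that carries the "Data Plane Status" column.
    for i, line in enumerate(lines):
        if "Data Plane Status" in line:
            break
    else:
        raise ValueError("status table not found in show module output")
    # Column boundaries come from the dashed ruler under the header, so
    # multi-word values such as "Not Applicable" stay in one field.
    spans = [m.span() for m in re.finditer(r"-+", lines[i + 1])]
    table = {}
    for row in lines[i + 2:]:
        if not row.strip():
            break  # a blank line ends the table
        cells = [row[a:b].strip() for a, b in spans]
        table[cells[0].lower()] = (cells[1], cells[2])
    return table


def modules_to_remove(output):
    """Legacy modules that still need shutdown and uninstall."""
    idle = ("Unresponsive", "Not Applicable")  # state the note says to skip
    status = parse_status(output)
    return [m for m in LEGACY if m in status and status[m] != idle]


if __name__ == "__main__":
    for name in modules_to_remove(SAMPLE):
        print(f"sw-module module {name} shutdown")
        print(f"sw-module module {name} uninstall")
```
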
- The ASA FirePOWER module must be managed by ASDM, not a Firepower Management Center (FMC). If you have an existing FirePOWER module, and it is already installed and managed by FMC, follow these procedures:
- Determine if the ASA FirePOWER module is already installed on your ASA. Open ASDM and connect to your ASA. If you see the ASA FirePOWER Status tab and no other FirePOWER tabs, the boot and system images are loaded on the ASA but the FirePOWER module may not be configured.
If this is the state of your environment, skip to Installing an ASA FirePOWER module and perform the Configure the ASA FirePOWER boot image procedure and the following procedures on that page.
If you see several ASA FirePOWER tabs, the ASA FirePOWER module is installed and managed by ASDM; however, you may still need to redirect traffic to the module.
If this is the state of your environment, skip to Installing an ASA FirePOWER module and perform the Direct Traffic to the ASA FirePOWER module and the following procedures on that page.
- Choose an IP address for the ASA FirePOWER module. It is easier to onboard your ASA FirePOWER module to CDO when you do not need to create a NAT rule connecting the ASA FirePOWER module IP address and the ASA management interface IP address. Whether the IP addresses are public or private and whether your Secure Device Connector is "On-prem" or "in the cloud" determine if you need to create a NAT rule to connect the ASA FirePOWER module IP address and the ASA management interface IP address.
Use this table to determine when a NAT rule is required and try to reserve an IP address for your ASA FirePOWER module which would not require a NAT rule.
|ASA FirePOWER Module IP Address|ASA MGMT Interface IP Address|Secure Device Connector|Is a NAT rule required to connect the ASA FirePOWER module IP address to the ASA management interface IP address?|
|---|---|---|---|
|Private|Public|Cloud|NAT rule is required|
|Public|Public|Cloud|No NAT rule required|
|Private|Public|On-premises|No NAT rule required|
|Private|Private|On-premises|No NAT rule required|
Proceed with Installing an ASA FirePOWER Module.