Cisco Defense Orchestrator

Enable the ASA FirePOWER Module on Your ASA

Cisco Defense Orchestrator (CDO) automatically determines if your ASA device has an ASA FirePOWER module installed. If an ASA FirePOWER module is installed on your ASA, then the Enable FirePOWER button appears in the details pane after you select your ASA. Clicking this button begins an onboarding process to bring the ASA FirePOWER module under the management of CDO.

This article assumes that your ASA and ASA FirePOWER module are installed and that you have followed the procedures in Before Installing or Onboarding an ASA FirePOWER Module.

The article also assumes that your ASA FirePOWER module IP address is private, the ASA management interface IP address is public, and you are using a cloud-based Secure Device Connector (SDC).

Benefits

After completing these steps you will be able to manage the following on your ASA FirePOWER module:

  • Manage explicit network policies
  • Select default action for all other traffic
  • Enable/disable device reporting
  • Enable/disable recurring IPS updates

Before You Start

Make sure:

  • You already have connectivity from CDO to the ASA that is hosting the FirePOWER module.
  • The ASA FirePOWER module has already been bootstrapped with an IP address that is available on your local network.
  • You're able to route to the ASA FirePOWER module from your ASA that is hosting the FirePOWER module.
  • The interface that connects to your inside network is named “inside” and the interface that connects to the outside network (the internet) is named “outside.” If these are not the names that you used, just replace the example names with the actual interface names for your device.

This document will walk you through the steps of creating two object groups, a NAT statement (port forwarding), and an Access List entry. If no Access-Group exists yet for external access into your network, we also show how to create one. You can perform all of these steps from CDO.

Obtain an ASA FirePOWER Module IP Address

An important piece of information that you need is the IP address of your ASA FirePOWER module. Retrieve that address by following these steps:

  1. In the Devices & Services table, select the ASA which is hosting the FirePOWER module.
  2. Once the ASA is selected, you will see options appear in the right hand panel.
  3. Choose >_ Command Line Interface.
  4. This brings up the Command Line Interface view. If there are already commands in your view, remove them by clicking Clear.
  5. Then, enter show module sfr details | inc IP in the window and click Send.
  6. In the Response view, you will see a line that says “Mgmt IP addresses: {YourIP}”.
  7. Write down the IP address that is returned. This is the IP address of your ASA FirePOWER module.
  8. If no IP address is returned, first check that you entered the command properly. If, after double-checking your syntax, there is still no IP address returned, then your FirePOWER module is likely not properly preconfigured to be managed by CDO. Refer to Before Installing or Onboarding an ASA FirePOWER Module to ensure that you have followed all the proper steps.
  9. While still in the Command Line view, click Clear to clear the previous command.
  10. Now you are going to test that the ASA can communicate with the FirePOWER module over the network.
  11. Enter ping x.x.x.x, where x.x.x.x is your FirePOWER module address, and then click Send.
  12. If the response comes back and shows success, continue with the Create a NAT Statement procedure.

Create a NAT Statement

  1. In the Devices & Services page, select the ASA device which is hosting the ASA FirePOWER module.
  2. Once the ASA is selected, you will see options appear on the right hand panel.
  3. Click View NAT Rules. This will bring up the NAT page for this ASA.
  4. Click Create NAT Rule.
  5. Choose Static for the NAT rule type and click Continue.
  6. Specify the Source Interface as inside.
  7. Specify the Destination Interface as outside.
  8. Configure the packet flow.
    1. Configure the Original Address:  
      1. Expand the Original Address field. Click +Create to create a network object with the IP address of the ASA FirePOWER module. 
      2. Object Name:  We recommend naming the Object the {ASAHostname}-FirePOWER.  For example, if the name of the ASA is Boston, then name this object Boston-FirePOWER
      3. Value: Set the value equal to the IP address of the ASA FirePOWER module. 
      4. Click Add.
    2. Configure the Translated Address: 
      1. Select the Translated Address of Interface if you're using NAT overload or PAT.
      2. Check Use Port Translation.
      3. Map the TCP port that is on the ASA FirePOWER module to a different port that will be used on the outside interface of the ASA. 


  9. Leave the Advanced Options in Section 4 unchecked.
  10. Click Save.

Note: Verify that no other Twice NAT rule precedes the NAT statement you just created and shadows it; a broader rule earlier in the NAT table would match the traffic first and your new rule would never be used.

Create an Access-List

The last thing you need to do is create an Access-List to allow the traffic in from your Outside interface. There are two different ways to create an Access-List. If you already have an Outside_Access_In (or equivalent) Access-Group in use, choose Option 1; otherwise, choose Option 2. 

Option 1

Use this option if you already have an Outside_Access_In network policy configured on your ASA device.

  1. In CDO, select Policies > Network.
  2. Expand the Outside_Access_In access group for your device
  3. Click Edit Policy.  
  4. Select the first ACL, and Choose “+” in the Edit Tools bar in the right side panel.
  5. A new line appears. Configure the network policy with these settings:
  • ACTION: Permit
  • PROTOCOL: IP
  • SOURCE = Create a network object group here containing the CDO Secure Device Connectors for your geography:
    • Expand the source button.
    • Click + Create Object.
    • Object Name: Name the object, CDO-SDC.
    • If you are in the United States, enter two IP address values that equal the IP addresses of the U.S.-based SDCs:
      • Enter 52.36.70.147/32 in the Values field. 
      • Click Add Another Value.
      • Enter 52.34.234.2/32 in the Values field.
      • Click Add
    • If you are in Europe, the Middle East and Africa, enter two IP address values that equal the IP addresses of the EMEA-based SDCs:
      • Enter 35.157.12.126/32 in the Values field. 
      • Click Add Another Value.
      • Enter 35.157.12.15/32 in the Values field.
      • Click Add. 
  • DESTINATION = Select the destination network object {ASAHostname}-FirePOWER.  (We called it Boston-FirePOWER in our earlier example)
    • Expand the Network Object list box and select Replace any. 
    • Select Network Object.
    • Select {ASAHostname}-FirePOWER
  6. Click Save.
  7. Confirm.
  8. Open the Devices & Services page and select the ASA that is hosting the FirePOWER services module.
  9. Once the ASA is selected, you will see options appear on the right hand panel.
  10. Click Write Changes.

You are now ready to ENABLE FIREPOWER from CDO. 

Option 2

Choose this option if you do not have an Outside_Access_In Access-List (and Access-Group) defined yet on your device.

First, you will need to create an object that will contain the IP addresses of the CDO Secure Device Connector (SDC), and then you will create the Access-List and Access Group that you need to make the connection to CDO available.

  1. From the Devices & Services page, select the ASA device which is hosting the ASA FirePOWER module.
  2. In the Actions panel on the right hand side, click >_ Command Line Interface.
  3. This brings up the Command Line Interface page. If there are already commands in your view, remove them by clicking Clear.
  4. Create a network object group for either the United States or the EMEA geography. To create the object group, copy the appropriate set of commands into the command line interface and click Send.
    • If you are in the United States:

      object-group network CDO-SDC
      network-object host 52.36.70.147
      network-object host 52.34.234.2

    • If you are in Europe, the Middle East and Africa (EMEA):

      object-group network CDO-SDC
      network-object host 35.157.12.126
      network-object host 35.157.12.15

You should receive a Response of “Done!”

  5. Click Clear and type the following lines. In the commands below, {ASAHostname}-FirePOWER is the name of the object you defined when creating the NAT statement above.

    access-list outside_access_in extended permit ip object-group CDO-SDC object {ASAHostname}-FirePOWER
    access-group outside_access_in in interface outside

  6. Click Send. You should receive a Response of “Done!”
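After the NAT statement (Create a NAT Statement) and the access list (Option 1 or Option 2) are written, it is worth confirming from the running configuration that the FirePOWER module is exposed only to the CDO SDC addresses. The following check is an added example, not part of this article or of CDO; it runs over a constructed excerpt of what show running-config would contain after these steps, using assumed sample values (module address 192.0.2.10, TCP 443 mapped to 8443, object name Boston-FirePOWER).

```python
import re

# Constructed excerpt of an ASA running-config after the NAT, object-group and
# access-list steps above. Sample values: module at 192.0.2.10, TCP 443 on the
# module mapped to 8443 on the outside interface, object named Boston-FirePOWER.
SAMPLE_CONFIG = """\
object network Boston-FirePOWER
 host 192.0.2.10
 nat (inside,outside) static interface service tcp 443 8443
object-group network CDO-SDC
 network-object host 52.36.70.147
 network-object host 52.34.234.2
access-list outside_access_in extended permit ip object-group CDO-SDC object Boston-FirePOWER
access-group outside_access_in in interface outside
"""

# SDC addresses from the article, one set per geography.
US_SDC = {"52.36.70.147", "52.34.234.2"}
EMEA_SDC = {"35.157.12.126", "35.157.12.15"}


def check_firepower_exposure(config, fp_object, sdc_group="CDO-SDC", acl="outside_access_in"):
    """Return a list of findings; an empty list means the config matches the article."""
    findings = []
    # 1. The module's network object carries a static NAT with port translation to 'interface'.
    obj = re.search(rf"^object network {re.escape(fp_object)}\n((?: .*\n)+)", config, re.M)
    if not obj or not re.search(r"^ nat \(inside,outside\) static interface service tcp \d+ \d+$",
                                obj.group(1), re.M):
        findings.append(f"no static port-translation NAT on object {fp_object}")
    # 2. The SDC object-group holds exactly one geography's SDC addresses and nothing else.
    grp = re.search(rf"^object-group network {re.escape(sdc_group)}\n((?: .*\n)+)", config, re.M)
    hosts = set(re.findall(r"^ network-object host (\S+)$", grp.group(1), re.M)) if grp else set()
    if hosts not in (US_SDC, EMEA_SDC):
        findings.append(f"object-group {sdc_group} is {sorted(hosts)}, expected only the US or EMEA SDC addresses")
    # 3. The ACE permits only the SDC group to reach the module object; a 'permit ip any' would open it to everyone.
    ace = rf"^access-list {re.escape(acl)} extended permit ip object-group {re.escape(sdc_group)} object {re.escape(fp_object)}$"
    if not re.search(ace, config, re.M):
        findings.append(f"no ACE permitting object-group {sdc_group} to object {fp_object} in {acl}")
    if re.search(rf"^access-list {re.escape(acl)} extended permit ip any ", config, re.M):
        findings.append(f"{acl} contains a permit from any; the module would be reachable from anywhere")
    # 4. The ACL must actually be applied inbound on the outside interface.
    if not re.search(rf"^access-group {re.escape(acl)} in interface outside$", config, re.M):
        findings.append(f"{acl} is not applied inbound on interface outside")
    return findings


if __name__ == "__main__":
    for finding in check_firepower_exposure(SAMPLE_CONFIG, "Boston-FirePOWER") or ["OK: FirePOWER module exposed only to the SDC addresses"]:
        print(finding)
```

Paste the real output of show running-config from the CDO command line interface in place of SAMPLE_CONFIG to run the same check against your own ASA.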