Cisco Defense Orchestrator

Onboard an ASA Device

Prerequisites

  • Review Connect Cisco Defense Orchestrator to Your Managed Devices.
  • Running Configuration File: The running configuration file of your ASA must be less than 4.5 MB. To confirm the size of your running configuration file, see Confirming ASA Running Configuration Size.
  • IP Addressing: Each ASA, ASAv, or ASA security context must have a unique IP address and the SDC must connect to it on the interface configured to receive management traffic.
  • Device Certificate Prerequisites. If your ASA device does not have a compatible certificate, onboarding the device may fail. Ensure the following requirements are met:
    • The device uses a TLS version equal to or greater than 1.0.
    • The certificate presented by the device is not expired, and its issuance date is in the past (i.e. it is already valid, not scheduled to become valid at a later date). 
    • The certificate must be a SHA-256 certificate. SHA-1 certificates are not accepted.
    • One of these conditions is true:
      • The device uses a self-signed certificate, and it is the same as the most recent one trusted by an authorized user.
      • The device uses a certificate signed by a trusted Certificate Authority (CA), and provides a certificate chain linking the presented leaf certificate to the relevant CA.

See steps for Verifying Device Certificate Prerequisites for Onboarding an ASA.

  • OpenSSL Cipher Prerequisites. If the device does not have a compatible SSL cipher suite, the device cannot successfully communicate with the Secure Device Connector (SDC). Use any of the following cipher suites:
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES256-GCM-SHA384
    • DHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES128-SHA256
    • DHE-RSA-AES128-SHA256
    • ECDHE-RSA-AES256-SHA384
    • DHE-RSA-AES256-SHA384
    • ECDHE-RSA-AES256-SHA256
    • DHE-RSA-AES256-SHA256

If the cipher suite you use on your ASA is not in this list, the SDC does not support it and you will need to update the cipher suite on your ASA.
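The certificate conditions above can be checked before onboarding by inspecting the leaf certificate the ASA presents. The following is an added example, not Cisco's or CDO's code: it walks the DER certificate with the standard library only, reads the signature algorithm OID to confirm a SHA-256 signature, and compares the validity window against the current time. The chain-to-CA and self-signed-trust conditions are not covered here.

```python
import datetime as dt

# DER-encoded signature-algorithm OIDs that satisfy the SHA-256 requirement:
#   1.2.840.113549.1.1.11 sha256WithRSAEncryption, 1.2.840.10045.4.3.2 ecdsa-with-SHA256
SHA256_SIG_OIDS = {bytes.fromhex("2a864886f70d01010b"), bytes.fromhex("2a8648ce3d040302")}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, value):
    """UTCTime (0x17) has a 2-digit year, GeneralizedTime (0x18) a 4-digit one."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def parse_cert(der):
    """Walk Certificate -> tbsCertificate to the signature OID and validity window."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, p = _tlv(tbs, 0)
    p = p if tag == 0xA0 else 0            # [0] version is optional (absent in v1)
    _, _, p = _tlv(tbs, p)                 # serialNumber
    _, sigalg, p = _tlv(tbs, p)            # signature AlgorithmIdentifier
    _, _, p = _tlv(tbs, p)                 # issuer
    _, validity, _ = _tlv(tbs, p)
    t1, nb, q = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, q)
    return {"sig_oid": _tlv(sigalg, 0)[1],  # raw OID bytes of the algorithm
            "not_before": _time(t1, nb), "not_after": _time(t2, na)}

def check_certificate(der, now=None):
    """Return the list of prerequisite violations; an empty list means the cert is acceptable."""
    now = now or dt.datetime.now(dt.timezone.utc)
    info, problems = parse_cert(der), []
    if info["sig_oid"] not in SHA256_SIG_OIDS:
        problems.append("signature is not SHA-256 (algorithm OID %s)" % info["sig_oid"].hex())
    if info["not_before"] > now:
        problems.append("certificate not yet valid (issued in the future)")
    if info["not_after"] < now:
        problems.append("certificate expired")
    return problems
```

Obtain `der` from the device with `ssl.SSLSocket.getpeercert(binary_form=True)` on a connection opened with `verify_mode = ssl.CERT_NONE` (the checks happen in `check_certificate`); the same socket's `version()` and `cipher()[0]` give the negotiated TLS version and cipher name to compare against the lists above.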

Onboarding ASA 

Use this procedure to onboard a single live ASA appliance, virtual ASA, or an ASA security context to CDO. 

Note: If you want to onboard multiple ASAs at once, see Onboard ASAs in Bulk.

Before you begin

By default, the device is onboarded in the new policy view. For more information, see ASA New Access Policy View.

If you want to onboard ASAs in the traditional policy view, enable the Allow opting out of the new ASA policy view when onboarding the device (Settings > General Settings) on the user tenant page before onboarding the ASA device. On enabling this option, the Policy View step appears on the ASA onboarding screen, allowing you to disable the new policy view in the device that is being onboarded. Opting out of the new ASA policy view allows you to use the traditional ASA policy view after onboarding an ASA. You will still have the opportunity to switch to the new policy view from the traditional policy view.

Procedure

  1. Navigate to the Devices & Services page.
  2. Click the blue plus button to onboard an ASA.
  3. Click the ASA tile.
  4. In the Locate Device step, perform the following:
    1. Click the Secure Device Connector button and select a Secure Device Connector installed in your network. If you would rather not use an SDC, CDO can connect to your ASA using the Cloud Connector. Your choice depends on how you connect CDO to your managed devices.
    2. Provide a name to the device.
    3. Enter the location (IP address, FQDN, or URL) of the device or service. The default port is 443.
    4. Click Next. Once the location of the device or service is verified, the next step appears.
  5. In the Policy View step, the Enable support for onboarding large configurations and enhanced user interface option is enabled by default; it allows onboarding large configurations and viewing the new policy view. To onboard the device in the traditional view, disable this option. Click Next. Note: If you don't see the Policy View step, continue onboarding the device in the new policy view.
  6. In the Credentials step, enter the username and password of the ASA administrator, or a similar highest-privilege ASA user, that CDO will use to connect to the device, and click Next.
  7. In the Done step, (optional) enter a label for the device. You will be able to filter your list of devices by this label. See Labels and Label Groups for more information.
  8. After labeling your device or service, you can view it in the Devices & Services list.

Note: Depending on the size of the configuration and the number of other devices or services, it may take some time for the configuration to be analyzed.

About Onboarding ASA Security Contexts

See Onboard ASA Security Contexts.

About Onboarding an ASA that is Part of a High Availability Pair

Only onboard the primary device of the high-availability pair. Do not onboard the secondary device. The primary device of the high availability pair is onboarded like any other ASA.

Troubleshooting

Cannot onboard ASA due to certificate error

Environment: ASA is configured with client-side certificate authentication.

Solution: Disable client-side certificate authentication.

Details: ASAs support credential-based authentication as well as client-side certificate authentication. CDO cannot connect to ASAs that use client-side certificate authentication. Before onboarding your ASA to CDO, make sure it does not have client-certificate authentication enabled by using this procedure:

  1. Open a terminal window and connect to the ASA using SSH.
  2. Enter global configuration mode.
  3. At the hostname (config)# prompt, enter this command: 

no ssl certificate-authentication interface interface-name port 443

The interface name is the name of the interface CDO connects to.
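Two of the prerequisites on this page, the 4.5 MB running-configuration limit and the absence of client-side certificate authentication, can be pre-checked against a saved copy of the running configuration before you start onboarding. The example below is added here and is not Cisco's or CDO's code; the sample configuration lines are constructed, and since the page does not say which interface CDO uses, the check flags every interface that has certificate authentication on the onboarding port.

```python
import re

MAX_RUNNING_CONFIG_BYTES = int(4.5 * 1024 * 1024)   # limit stated in the prerequisites

# ASA command that enables client-side certificate authentication on an interface/port;
# CDO cannot connect to the device while it is active on the interface CDO uses.
CERT_AUTH_RE = re.compile(r"^ssl certificate-authentication interface (\S+) port (\d+)$")

# Constructed sample of a saved running configuration (not output from a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/1
 nameif management
ssl certificate-authentication interface management port 443
"""

def preflight(running_config, onboarding_port=443):
    """Return blocking findings, each with its fix; an empty list means both checks pass."""
    findings = []
    size = len(running_config.encode("utf-8"))
    if size > MAX_RUNNING_CONFIG_BYTES:
        findings.append("running config is %d bytes, above the 4.5 MB limit" % size)
    for raw in running_config.splitlines():
        line = raw.strip()
        m = CERT_AUTH_RE.match(line)
        if m and int(m.group(2)) == onboarding_port:
            findings.append("client-certificate authentication on %s port %s; "
                            "remove it with: no %s" % (m.group(1), m.group(2), line))
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE_CONFIG):
        print(finding)
```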