
Cisco Defense Orchestrator

Connect Cisco Defense Orchestrator to Your Managed Devices

CDO connects to the devices it manages through the Cloud Connector or through a Secure Device Connector (SDC). 

If your device can be accessed directly from the internet, you should use the Cloud Connector to connect to it. If the device supports it, configure it to allow inbound access on port 443 from the CDO IP addresses for your cloud region.

If your device is not accessible from the internet, you can deploy an on-premises SDC in your network so that CDO can communicate with your devices. If the device supports it, configure it to allow full inbound access on port 443 (or whichever port you have configured for device management).

An FTD can be onboarded to CDO using its device credentials, a registration key, or its serial number, whether or not it is directly accessible from the internet. If the FTD does not have direct access to the internet but resides on a network that does, the Cisco Security Services Exchange (SSE) connector delivered as part of the FTD can reach the SSE cloud, allowing the FTD to be onboarded. See Onboard an FTD for specifics about the different onboarding methods.

Table: Best Practices for Connecting CDO to your Device or Service

Device Type or Cloud Service                        | Onboarding Method              | Cloud Connector | Secure Device Connector (SDC)
----------------------------------------------------|--------------------------------|-----------------|------------------------------
Adaptive Security Appliance (ASA)                   | Credentials                    |                 | X
Firepower Threat Defense (FTD)                      | Credentials                    |                 | X
Firepower Threat Defense (FTD)                      | Registration token             | X               |
Firepower Threat Defense (FTD) version 6.7 or later | Serial Number                  | X               |
Firepower Management Center (FMC)                   | Credentials                    |                 | X
Cisco IOS device                                    | Credentials                    |                 | X
Device with SSH access                              | Credentials                    |                 | X
Meraki organizations                                | Cloud service to Cloud Service | X               |
Amazon Web Services (AWS) services or devices       | Cloud service to Cloud Service | X               |

Connecting Devices to CDO Through the Cloud Connector

When connecting CDO directly to your device through the Cloud Connector, allow inbound access on port 443 (or whichever port you have configured for device management) from the CDO IP addresses for your region (EMEA, United States, or APJC), listed below.

If you are a customer in Europe, the Middle East, or Africa (EMEA), and you connect to Defense Orchestrator at https://defenseorchestrator.eu, allow inbound access from the following IP addresses:

  • 35.157.12.126
  • 35.157.12.15

If you are a customer in the United States, and you connect to Defense Orchestrator at https://defenseorchestrator.com, allow inbound access from the following IP addresses:

  • 52.34.234.2
  • 52.36.70.147

If you are a customer in the Asia-Pacific-Japan-China (APJC) region, and you connect to Defense Orchestrator at https://www.apj.cdo.cisco.com, allow inbound access from the following IP addresses:

  • 54.199.195.111
  • 52.199.243.0

Connecting Devices to CDO Using an SDC

When connecting CDO to your device through an SDC, the devices you want CDO to manage must allow full inbound access on port 443 (or whichever port you have configured for your device management). This is configured using a management access control rule. 

You must also ensure that the virtual machine on which the SDC is deployed has network connectivity to the management interface of the managed device.

Special Considerations for Connecting an ASA to an SDC

Specifically, for ASA, the SDC uses the same secure communications channel used by ASDM.

If the ASA under management is also configured to accept AnyConnect VPN Client connections, the ASDM HTTP server port must be changed to a value of 1024 or higher.

Note: This port number is also the port number you specify when onboarding the ASA device to CDO.

Example ASA Commands

The following examples assume that the ASA outside interface is named 'outside' and that an AnyConnect client is configured on the ASA, so the ASDM HTTP server listens on port 8443.

To permit ASDM (HTTPS) management connections to the outside interface from the CDO IP addresses for your region, enter these commands. The 255.255.255.255 mask limits each rule to a single CDO host.

EMEA:

http 35.157.12.126 255.255.255.255 outside
http 35.157.12.15 255.255.255.255 outside

United States:

http 52.34.234.2 255.255.255.255 outside
http 52.36.70.147 255.255.255.255 outside

Asia-Pacific-Japan-China (APJC):

http 54.199.195.111 255.255.255.255 outside
http 52.199.243.0 255.255.255.255 outside

To move the ASDM HTTP server to port 8443, as required when the AnyConnect VPN Client is in use, enter this command:

http server enable 8443
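As an added example (not part of the Cisco documentation), the following Python script audits an ASA configuration fragment against the guidance above: it checks that every 'http' rule on the outside interface is host-specific (a /32 mask) and matches a CDO address for the selected region, flags any other or wider source, and checks that the ASDM HTTP server port is 1024 or higher whenever 'anyconnect enable' is present. The sample configuration is constructed, and the function and constant names are the example's own.

```python
import ipaddress
import re

# CDO source addresses per cloud region, as listed on this page.
CDO_ADDRESSES = {
    "emea": {"35.157.12.126", "35.157.12.15"},
    "us": {"52.34.234.2", "52.36.70.147"},
    "apjc": {"54.199.195.111", "52.199.243.0"},
}
HTTP_RULE = re.compile(r"^\s*http\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s*$")
HTTP_SERVER = re.compile(r"^\s*http server enable(?:\s+(\d+))?\s*$")

def audit_asa_http_access(config, region, interface="outside"):
    expected = CDO_ADDRESSES[region]  # addresses that must be allowed, and nothing else
    findings, seen, server_port, anyconnect = [], set(), None, False
    for line in config.splitlines():
        rule = HTTP_RULE.match(line)
        if rule:
            ip, mask, iface = rule.groups()
            if iface != interface:
                continue  # rules on other interfaces are out of scope here
            net = ipaddress.IPv4Network((ip, mask), strict=False)
            if net.prefixlen < 32:  # anything wider than one host is too broad
                findings.append(f"over-permissive http rule {net} on {iface}")
            elif ip in expected:
                seen.add(ip)
            else:
                findings.append(f"unexpected http source {ip} on {iface}")
        elif HTTP_SERVER.match(line):
            server_port = int(HTTP_SERVER.match(line).group(1) or 443)  # 443 is the ASA default
        elif line.strip() == "anyconnect enable":  # appears under the 'webvpn' block
            anyconnect = True
    missing = expected - seen
    if missing:
        findings.append(f"missing http rule for CDO address(es): {sorted(missing)}")
    if server_port is None:
        findings.append("http server is not enabled")
    elif anyconnect and server_port < 1024:
        findings.append(f"AnyConnect is enabled but ASDM listens on port {server_port}; use 1024 or higher")
    return findings

# Constructed sample ASA configuration fragment (not taken from any real device).
SAMPLE_CONFIG = """\
http server enable 8443
http 35.157.12.126 255.255.255.255 outside
http 35.157.12.15 255.255.255.255 outside
http 192.0.2.0 255.255.255.0 outside
webvpn
 anyconnect enable
"""
```

Run audit_asa_http_access(SAMPLE_CONFIG, "emea") to see the single finding for the /24 rule; an empty list means the fragment matches the guidance.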