Onboard ASA Device to CDO

Use this procedure to onboard a single live ASA device, not an ASA model, to CDO. If you want to onboard multiple ASAs at once, see Onboard ASAs in Bulk.

Before you begin

Device Prerequisites
  • Review Connect Cisco Defense Orchestrator to your Managed Devices.

  • Device must be running version 8.4 or later.

    Note

    TLS 1.2 was not available for the ASA management-plane until version 9.3(2). With version 9.3(2), a local SDC is required to onboard to CDO.

  • The running configuration file of your ASA must be less than 4.5 MB. To confirm the size of your running configuration file, see Confirming ASA Running Configuration Size.

  • IP addressing: Each ASA, ASAv, or ASA security context must have a unique IP address and the SDC must connect to it on the interface configured to receive management traffic.

Certificate Prerequisites

If your ASA device does not have a compatible certificate, onboarding the device may fail. Ensure the following requirements are met:

  • The device uses a TLS version equal to or greater than 1.0.

  • The certificate presented by the device is not expired, and its issuance date is in the past (i.e. it is already valid, not scheduled to become valid at a later date).

  • The certificate must be signed with SHA-256. SHA-1 certificates are not accepted.

  • One of these conditions is true:

    • The device uses a self-signed certificate, and it is the same as the most recent one trusted by an authorized user.

    • The device uses a certificate signed by a trusted Certificate Authority (CA), and provides a certificate chain linking the presented leaf certificate to the relevant CA.

If you experience certificate errors during the onboarding process, see Cannot onboard ASA due to certificate error for more information.

OpenSSL Cipher Prerequisites

If the device does not have a compatible SSL cipher suite, it cannot communicate with the Secure Device Connector (SDC). Use any of the following cipher suites:

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • DHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-SHA256

  • DHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-SHA384

  • DHE-RSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA256

  • DHE-RSA-AES256-SHA256

If the cipher suite you use on your ASA is not in this list, the SDC does not support it and you will need to update the cipher suite on your ASA.
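The certificate and cipher prerequisites above can be checked before you start onboarding, so that a failure is found on your side rather than as an opaque onboarding error. The following is an added example, not Cisco's or CDO's own code: it takes the TLS version, negotiated cipher name and a hypothetical certificate summary dict (the field names notBefore/notAfter follow the Python ssl module's getpeercert() format; signature_hash, self_signed, chain_complete, fingerprint and the trusted_fingerprint argument are assumptions of this example) and reports every prerequisite the device fails.

```python
import ssl
from datetime import datetime, timezone

# Cipher suites the SDC supports, exactly as listed on this page (OpenSSL names).
SUPPORTED_CIPHERS = {
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA256",
    "DHE-RSA-AES256-SHA256",
}

def check_onboarding_prereqs(tls_version, cipher, cert, trusted_fingerprint, now):
    """Return the list of failed prerequisites; an empty list means the device passes.

    tls_version / cipher: as reported by ssl.SSLSocket.version() and .cipher()[0].
    cert: hypothetical summary dict with notBefore/notAfter (getpeercert() format),
          signature_hash ("sha256", "sha1"), self_signed, chain_complete, fingerprint.
    trusted_fingerprint: the self-signed certificate an authorized user last trusted.
    """
    failures = []
    if not tls_version.startswith("TLSv1"):   # SSLv3 and older are below TLS 1.0
        failures.append(f"TLS version {tls_version} is below 1.0")
    ts = now.timestamp()
    if ssl.cert_time_to_seconds(cert["notBefore"]) > ts:
        failures.append("certificate is not yet valid (notBefore is in the future)")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < ts:
        failures.append("certificate has expired")
    if cert["signature_hash"].lower() != "sha256":
        failures.append(f"certificate signed with {cert['signature_hash']}; SHA-256 is required")
    if cert["self_signed"]:
        if cert["fingerprint"] != trusted_fingerprint:
            failures.append("self-signed certificate differs from the one last trusted by a user")
    elif not cert["chain_complete"]:
        failures.append("CA-signed certificate presented without a chain to the CA")
    if cipher not in SUPPORTED_CIPHERS:
        failures.append(f"cipher suite {cipher} is not supported by the SDC")
    return failures

# Constructed sample input: what a healthy ASA management interface would present.
GOOD_CERT = {
    "notBefore": "Jan 15 00:00:00 2024 GMT", "notAfter": "Jan 15 00:00:00 2030 GMT",
    "signature_hash": "sha256", "self_signed": True, "chain_complete": False,
    "fingerprint": "AA:BB:CC:DD",  # placeholder fingerprint, not a real value
}
CHECK_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for problem in check_onboarding_prereqs("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384",
                                            GOOD_CERT, "AA:BB:CC:DD", CHECK_TIME):
        print("FAIL:", problem)
```

On a live device the same values come from an ssl-wrapped socket to the management interface (version(), cipher() and getpeercert()), with the signature hash and chain read from the DER certificate by a library of your choice.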

Procedure

Step 1

In the navigation bar, click Inventory.

Step 2

Click the blue plus button to onboard an ASA.

Step 3

Click the ASA tile.

Step 4

In the Locate Device step, perform the following:

  1. Click the Secure Device Connector button and select a Secure Device Connector installed in your network. If you would rather not use an SDC, CDO can connect to your ASA using the Cloud Connector. Your choice depends on how you connect CDO to your managed devices.

  2. Give the device a name.

  3. Enter the location (IP address, FQDN, or URL) of the device or service. The default port is 443.

  4. Click Next.

Step 5

In the Credentials step, enter the username and password of the ASA administrator, or similar highest-privilege ASA user, that CDO will use to connect to the device and click Next.

Step 6

(Optional) In the Done step, enter a label for the device. You will be able to filter your list of devices by this label. See Labels and Label Groups for more information.

Step 7

After labeling your device or service, you can view it in the Inventory list.

Note

Depending on the size of the configuration and the number of other devices or services, it may take some time for the configuration to be analyzed.