1. Package Contents
This section lists the package contents of the chassis. Note that contents are subject to change, and your package might include additional or fewer items.
2. License Requirements
The ASA 5506-X includes the Base or Security Plus license, depending on the version you ordered. It also comes pre-installed with the Strong Encryption (3DES/AES) license if you qualify for its use. You can optionally purchase an AnyConnect Plus or Apex license.
If you need to manually request the Strong Encryption license (which is free), see http://www.cisco.com/go/license.
If you want to upgrade from the Base license to the Security Plus license, or purchase an AnyConnect license, see http://www.cisco.com/go/ccw. See also the Cisco AnyConnect Ordering Guide and the AnyConnect Licensing Frequently Asked Questions (FAQ). You will then receive an email with a Product Authorization Key (PAK) so you can obtain the license activation key. For the AnyConnect licenses, you receive a multi-use PAK that you can apply to multiple ASAs that use the same pool of user sessions.
Note: The serial number used for licensing is different from the chassis serial number printed on the outside of your hardware. The chassis serial number is used for technical support, but not for licensing. To view the licensing serial number, enter the show version | grep Serial command or see the ASDM Configuration > Device Management > Licensing Activation Key page.
The ASA FirePOWER module uses a separate licensing mechanism from the ASA. No licenses are pre-installed, but the box includes a PAK on a printout that lets you obtain a license activation key for the following licenses:
- Control and Protection — Control is also known as “Application Visibility and Control (AVC)” or “Apps”. Protection is also known as “IPS”. In addition to the activation key for these licenses, you also need “right-to-use” subscriptions for automated updates for these features.
The Protection (IPS) updates require you to purchase the IPS subscription from http://www.cisco.com/go/ccw. This subscription includes entitlement to Rule, Engine, Vulnerability, and Geolocation updates. Note: This right-to-use subscription does not generate or require a PAK/license activation key for the ASA FirePOWER module; it just provides the right to use the updates.
The other optional ASA FirePOWER licenses, by contrast, do generate a PAK/license activation key for the ASA FirePOWER module. See the Cisco Firepower System Feature Licenses for more information.
To install the Control and Protection licenses and other optional licenses, see Install the Licenses.
3. ASA 5506W-X Wireless Access Point
The ASA 5506W-X includes a Cisco Aironet 702i wireless access point integrated into the ASA. The access point connects to the ASA internally over the GigabitEthernet 1/9 interface. All wifi clients belong to the GigabitEthernet 1/9 network. The ASA security policy determines how the wifi network can access any networks on other interfaces. The access point does not contain any external interfaces or switch ports.
The access point includes an autonomous Cisco IOS image, which enables individual device management. You can install the lightweight image if you want to add the ASA 5506W-X to a Cisco Unified Wireless Network and use a wireless LAN controller. See the Converting Autonomous Access Points to Lightweight Mode chapter in the Cisco Wireless Control Configuration Guide for more information about using the lightweight image in unified mode.
- For supported access point software, see Cisco ASA Compatibility.
- For details about using the wireless LAN controller, see the Cisco Wireless LAN Controller Software documentation.
- For details about the wireless access point hardware and software, see the Cisco Aironet 700 Series documentation.
4. Deploy the ASA 5506-X in Your Network
ASA 9.7 and Later
The following figure shows the recommended network deployment for the ASA 5506-X with the ASA FirePOWER module and the built-in wireless access point (ASA 5506W-X). This deployment includes an inside bridge group that includes all but the outside and wifi interfaces so you can use these interfaces as an alternative to an external switch.
- outside GigabitEthernet 1/1, IP address from DHCP
- inside bridge group with GigabitEthernet 1/2 through 1/8 member interfaces (GigabitEthernet 1/2 through 1/4 for the ASA 5506H-X), 192.168.1.1
- (ASA 5506W-X) wifi GigabitEthernet 1/9, 192.168.10.1
- inside --> outside traffic flow
- inside --> inside traffic flow for member interfaces
- (ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow
- DHCP for clients on inside and wifi. The access point itself and all its clients use the ASA as the DHCP server.
- Management 1/1 belongs to the ASA FirePOWER module. The interface is Up, but otherwise unconfigured on the ASA. The ASA FirePOWER module can then use this interface to access the ASA inside network and use the inside interface as the gateway to the Internet.
Note: Do not configure an IP address for this interface in the ASA configuration. Only configure an IP address in the FirePOWER configuration. You should consider this interface as completely separate from the ASA in terms of routing.
- ASDM access on the inside interface and the wifi interface
- NAT : Interface PAT for all traffic from inside, wifi, and management to outside.
Note: If you want to deploy a separate router on the inside network, then you can route between management and inside. In this case, you can manage both the ASA and ASA FirePOWER module on Management 1/1 with the appropriate configuration changes.
1. Cable Management 1/1 (for the ASA FirePOWER module) directly to one of the inside bridge group member ports, GigabitEthernet 1/2 through GigabitEthernet 1/8 (GigabitEthernet 1/2 through 1/4 on the ASA 5506H-X).
Note: You can connect inside and management on the same network because the management interface acts like a separate device that belongs only to the ASA FirePOWER module.
Note: If the cable modem supplies an outside IP address that is on 192.168.1.0/24 or 192.168.10.0/24, then you must change the ASA configuration to use a different IP address. Interface IP addresses, HTTPS (ASDM) access, and DHCP server settings can all be changed using the Startup Wizard. If you change the IP address to which you are connected to ASDM, you will be disconnected when you finish the wizard. You must reconnect to the new IP address.
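The 9.7 deployment listed above, written out as the equivalent ASA CLI configuration. This is an added illustration for this page, not the factory configuration shipped on the unit or Cisco's own text: the inside_1 through inside_7 member names, the DHCP pool ranges, and the use of same-security-traffic and object NAT to produce the listed flows are assumptions to compare against the running configuration (show running-config) on your own ASA.

```text
! Outside: address and default route come from the ISP DHCP server
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Inside bridge group: GigabitEthernet1/2 through 1/8 are members of BVI 1
! (only 1/2 through 1/4 on the ASA 5506H-X). The member names are assumptions.
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
! The bridge group itself carries the inside IP address
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! (ASA 5506W-X) wifi: internal link to the Aironet 702i access point
interface GigabitEthernet1/9
 nameif wifi
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Management1/1 belongs to the ASA FirePOWER module: no name, no address on the ASA
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
! inside --> inside (between members) and wifi <--> inside are same-security flows
same-security-traffic permit inter-interface
!
! Interface PAT to outside for everything, including the module's traffic,
! which enters the ASA on an inside member port
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
!
! ASDM (HTTPS) from the inside and wifi networks. To-the-box traffic on a
! bridge group is matched per member interface, not on the BVI name (an
! assumption to verify against your running configuration)
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
http 192.168.10.0 255.255.255.0 wifi
!
! DHCP for inside and wifi clients (and for the access point itself);
! DNS and domain settings are copied from the outside DHCP lease
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
dhcpd address 192.168.10.2-192.168.10.254 wifi
dhcpd enable wifi
```

Two places are worth auditing before the unit goes into production. The http statements decide which hosts can reach ASDM; the defaults admit every address on the inside and wifi networks, so narrow them to your management hosts. The Management1/1 stanza must stay without nameif or IP address on the ASA side, so that the module's management traffic is routed only through the inside network as the notes above describe.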
ASA 9.6 and Earlier
The following figure shows the recommended network deployment for the ASA 5506-X with the ASA FirePOWER module and the built-in wireless access point (ASA 5506W-X):
- outside GigabitEthernet 1/1, IP address from DHCP
- inside GigabitEthernet 1/2, 192.168.1.1
- (ASA 5506W-X) wifi GigabitEthernet 1/9, 192.168.10.1
- inside --> outside traffic flow
- (ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow
- DHCP for clients on inside and wifi. The access point itself and all its clients use the ASA as the DHCP server.
- Management 1/1 belongs to the ASA FirePOWER module. The interface is Up, but otherwise unconfigured on the ASA. The ASA FirePOWER module can then use this interface to access the ASA inside network and use the inside interface as the gateway to the Internet.
Note: Do not configure an IP address for this interface in the ASA configuration. Only configure an IP address in the FirePOWER configuration. You should consider this interface as completely separate from the ASA in terms of routing.
- ASDM access on the inside interface and the wifi interface
- NAT : Interface PAT for all traffic from inside, wifi, and management to outside.
Note: If you want to deploy a separate router on the inside network, then you can route between management and inside. In this case, you can manage both the ASA and ASA FirePOWER module on Management 1/1 with the appropriate configuration changes.
Note: You can connect inside and management on the same network because the management interface acts like a separate device that belongs only to the ASA FirePOWER module.
Note: If the cable modem supplies an outside IP address that is on 192.168.1.0/24 or 192.168.10.0/24, then you must change the ASA configuration to use a different IP address. Interface IP addresses, HTTPS (ASDM) access, and DHCP server settings can all be changed using the Startup Wizard. If you change the IP address to which you are connected to ASDM, you will be disconnected when you finish the wizard. You must reconnect to the new IP address.
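The collision that this note (and the same note in the ASA 9.7 section) warns about, a cable modem handing out a lease on 192.168.1.0/24 or 192.168.10.0/24, can be checked from a saved show interface dump before the Startup Wizard is run. The following Python script is an added example written for this page, not a Cisco tool. The show interface output it parses is a constructed sample whose layout is reconstructed from memory and may differ between releases, so verify the two regular expressions against real output before relying on them.

```python
import re
import ipaddress

# Networks the recommended deployment already uses internally (BVI 1 and wifi).
INTERNAL_NETWORKS = {
    "inside": ipaddress.ip_network("192.168.1.0/24"),
    "wifi": ipaddress.ip_network("192.168.10.0/24"),
}

# Lines of interest in ASA 'show interface' output. The layout assumed here is
# reconstructed from memory for this example; check it against a real unit.
_HEADER = re.compile(r'^Interface (\S+) "([^"]*)", is (\S+)')
_ADDR = re.compile(r"IP address (\d+\.\d+\.\d+\.\d+), subnet mask (\d+\.\d+\.\d+\.\d+)")


def parse_show_interface(text):
    """Map nameif -> IPv4Interface for every named interface that has an address."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _HEADER.match(line)
        if m:
            # Interfaces without a nameif (Management1/1 on the ASA side) are skipped.
            current = m.group(2) or None
            continue
        m = _ADDR.search(line)
        if m and current:
            addr, mask = m.groups()
            # ipaddress accepts a dotted-decimal netmask after the slash.
            result[current] = ipaddress.ip_interface(f"{addr}/{mask}")
    return result


def overlapping_internal(outside_iface, internal=INTERNAL_NETWORKS):
    """Names of internal networks whose address space collides with the outside lease."""
    net = outside_iface.network
    return sorted(name for name, inner in internal.items() if net.overlaps(inner))


def check_outside(text, outside_name="outside"):
    """Return the internal networks that must be readdressed; an empty list means
    the default 192.168.1.0/24 and 192.168.10.0/24 addressing is safe to keep."""
    ifaces = parse_show_interface(text)
    if outside_name not in ifaces:
        raise ValueError(f"no address found for interface {outside_name!r}")
    return overlapping_internal(ifaces[outside_name])


# Constructed sample: a cable modem handing out a 192.168.1.0/24 lease.
SAMPLE_COLLISION = """\
Interface GigabitEthernet1/1 "outside", is up, line protocol is up
  Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        IP address 192.168.1.37, subnet mask 255.255.255.0
Interface GigabitEthernet1/9 "wifi", is up, line protocol is up
        IP address 192.168.10.1, subnet mask 255.255.255.0
Interface Management1/1 "", is up, line protocol is up
        Available but not configured via nameif
Interface BVI1 "inside", is up, line protocol is up
        IP address 192.168.1.1, subnet mask 255.255.255.0
"""

# Constructed sample: a public lease that does not collide with anything.
SAMPLE_OK = SAMPLE_COLLISION.replace(
    "IP address 192.168.1.37, subnet mask 255.255.255.0",
    "IP address 203.0.113.37, subnet mask 255.255.255.248",
)

if __name__ == "__main__":
    for label, sample in (("collision", SAMPLE_COLLISION), ("ok", SAMPLE_OK)):
        hits = check_outside(sample)
        print(label, "->", "readdress " + ", ".join(hits) if hits else "no overlap")
```

The overlap test is done on networks rather than single addresses, so a lease that is wider than /24 (for example a 192.168.0.0/16 lease) is reported as colliding with both inside and wifi, and a lease that is narrower than /24 but still inside one of those ranges is reported too.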
6. Enable the Wireless Access Point (ASA 5506W-X)
The ASA 5506W-X wireless access point is disabled by default. Connect to the access point GUI so you can enable the wireless radios and configure the SSID and security settings.
Note: If you are unable to reach the access point, and the ASA has the default configuration and other networking issues are not found, then you may want to restore the access point default configuration. You must access the ASA CLI (connect to the ASA console port, or configure Telnet or SSH access using ASDM). From the ASA CLI, enter hw-module module wlan recover configuration. If you need to troubleshoot the access point further, connect to the access point CLI using the session wlan console command.
- For details about using the wireless LAN controller, see the Cisco Wireless LAN Controller Software documentation.
- For details about the wireless access point hardware and software, see the Cisco Aironet 700 Series documentation.
7. Launch ASDM
See the ASDM release notes on Cisco.com for the requirements to run ASDM.
This procedure assumes you want to use ASDM to manage the ASA FirePOWER Module. If you want to use the Firepower Management Center, then you need to connect to the module CLI and run the setup script; see the ASA FirePOWER quick start guide.
If you connected your management computer to the ASA as a wireless client, you can access ASDM at https://192.168.10.1/admin.
If you click Install ASDM Launcher, in some cases you need to install an identity certificate for the ASA and a separate certificate for the ASA FirePOWER module according to Install an Identity Certificate for ASDM.
ASDM can change the ASA FirePOWER module IP address settings over the ASA backplane; but for ASDM to then manage the module, ASDM must be able to reach the module (and its new IP address) on the Management 1/1 interface over the network. The recommended deployment allows this access because the module IP address is on the inside network. If ASDM cannot reach the module on the network after you set the IP address, then you will see an error.
8. Run Other ASDM Wizards and Advanced Configuration
ASDM includes many wizards to configure your security policy. See the Wizards menu for all available wizards.
To continue configuring your ASA, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.
9. Configure the ASA FirePOWER Module
Note: You can alternatively use the Firepower Management Center to manage the ASA FirePOWER module. See the ASA FirePOWER Module Quick Start Guide for more information.
Install the Licenses
The Control and Protection licenses are provided by default and the Product Authorization Key (PAK) is included on a printout in your box. If you ordered additional licenses, you should have PAKs for those licenses in your email.
Configure the ASA FirePOWER Security Policy
1. Choose Configuration > ASA FirePOWER Configuration to configure the ASA FirePOWER security policy.
Use the ASA FirePOWER pages in ASDM for information. You can click Help in any page, or choose Help > ASA FirePOWER Help Topics, to learn more about how to configure policies.
See also the ASA FirePOWER module configuration guide.
10. Where to Go Next
- For more information about the ASA FirePOWER module and ASA operation, see the “ASA FirePOWER Module” chapter in the ASA/ASDM firewall configuration guide, or the ASDM online help. You can find links to all ASA/ASDM documentation at Navigating the Cisco ASA Series Documentation.
- For more information about ASA FirePOWER configuration, see the online help or the ASA FirePOWER module configuration guide or the Firepower Management Center configuration guide for your version.