Tuesday, 30 May 2017

Using ASDM to manage a FirePOWER module on ASA

Introduction

A FirePOWER module that is installed on an ASA can be managed by either:
  • Firepower Management Center (FMC) – This is the off-box management solution
  • Adaptive Security Device Manager (ASDM) – This is the on-box management solution
The goal of this document is to explain how the ASDM software communicates with the ASA and with a FirePOWER software module installed on it.

Components used

  • A Windows 7 host
  • ASA5525-X running ASA 9.6.2-3 code
  • ASDM software 7.6.2.150
  • FirePOWER software module 6.1.0-330

Prerequisites

ASA configuration to enable ASDM management:
ASA5525(config)# interface GigabitEthernet0/0
ASA5525(config-if)# nameif INSIDE
ASA5525(config-if)# security-level 100
ASA5525(config-if)# ip address 192.168.75.23 255.255.255.0
ASA5525(config-if)# no shutdown
ASA5525(config)#
ASA5525(config)# http server enable
ASA5525(config)# http 192.168.75.0 255.255.255.0 INSIDE
ASA5525(config)# asdm image disk0:/asdm-762150.bin
ASA5525(config)#
ASA5525(config)# aaa authentication http console LOCAL
ASA5525(config)# username cisco password cisco
Additionally, on ASA the 3DES/AES license should be enabled:
ASA5525# show version | in 3DES
Encryption-3DES-AES               : Enabled        perpetual

Architecture

The ASA has 3 internal interfaces:
  • asa_dataplane = Used to redirect packets from the ASA data path to the FirePOWER software module
  • asa_mgmt_plane = Used to allow the FirePOWER management interface to communicate with the network
  • cplane = Control plane interface used to exchange keepalives between the ASA and the FirePOWER module
You can capture traffic on all of the internal interfaces:
ASA5525# capture CAP interface ?

  asa_dataplane   Capture packets on dataplane interface
  asa_mgmt_plane  Capture packets on managementplane interface
  cplane          Capture packets on controlplane interface
The above can be visualized as follows:


Background operation when a user connects to ASA via ASDM

Consider the following topology.
When a user initiates an ASDM connection to the ASA, the following events occur:


Step 1 – The user initiates the ASDM connection

The user specifies the ASA IP used for HTTP management, enters the credentials and initiates a connection towards the ASA:
In the background an SSL tunnel is established between the ASDM and the ASA:


This can be visualized as follows:

Step 2 – The ASDM discovers the ASA configuration and the FirePOWER module IP

Enabling debug http 255 on the ASA shows all the checks that are done in the background when the ASDM connects to the ASA:
ASA5525# debug http 255
…
HTTP: processing ASDM request [/admin/exec/show+module] with cookie-based authentication 
HTTP: processing GET URL '/admin/exec/show+module' from host 192.168.75.22
HTTP: processing ASDM request [/admin/exec/show+cluster+interface-mode] with cookie-based authentication 
HTTP: processing GET URL '/admin/exec/show+cluster+interface-mode' from host 192.168.75.22
HTTP: processing ASDM request [/admin/exec/show+cluster+info] with cookie-based authentication 
HTTP: processing GET URL '/admin/exec/show+cluster+info' from host 192.168.75.22
HTTP: processing ASDM request [/admin/exec/show+module+sfr+details] with cookie-based authentication 
HTTP: processing GET URL '/admin/exec/show+module+sfr+details' from host 192.168.75.22
  • show module = The ASDM discovers the ASA modules
  • show module sfr details = The ASDM discovers the module details, including the FirePOWER management IP

The above will be seen in the background as a series of SSL connections from the PC towards the ASA IP:

Step 3 – The ASDM initiates communication towards the FirePOWER module

Since the ASDM now knows the FirePOWER management IP, it initiates SSL sessions towards the module:
In the background these are seen as SSL connections from the ASDM host towards the FirePOWER management IP:

This can be visualized as follows:

The ASDM authenticates with the FirePOWER module, and a Security Warning is shown because the FirePOWER certificate is self-signed:

Step 4 – The ASDM retrieves the FirePOWER Menu Items

After successful authentication the ASDM retrieves the Menu Items from the FirePOWER module:
The retrieved tabs:

It also retrieves the ASA FirePOWER Configuration Menu Item:


Troubleshooting

If the ASDM cannot establish an SSL tunnel to the FirePOWER management IP, it loads only the following FirePOWER Menu Item:
The ASA FirePOWER Configuration Item will also be missing:

Recommended actions



Verification 1
Make sure that the ASA management interface is UP and the switchport connected to it is in the proper VLAN:
ASA5525# show interface  ip brief | include Interface|Management0/0
Interface                  IP-Address      OK? Method Status                Protocol
Management0/0              unassigned      YES unset  up                    up


Verification 2
Make sure that the FirePOWER module is fully initialized, UP and running:
ASA5525# show module sfr details
Getting details from the Service Module, please wait...

Card Type:          FirePOWER Services Software Module
Model:              ASA5525
Hardware version:   N/A
Serial Number:      FCH1719J54R
Firmware version:   N/A
Software version:   6.1.0-330
MAC Address Range:  6c41.6aa1.2bf2 to 6c41.6aa1.2bf2
App. name:          ASA FirePOWER
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       6.1.0-330
Data Plane Status:  Up
Console session:    Ready
Status:             Up
DC addr:            No DC Configured
Mgmt IP addr:       192.168.75.123
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.168.75.23
Mgmt web ports:     443
Mgmt TLS enabled:   true
ASA5525# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
> show version
--------------------[ FP5525-3 ]--------------------
Model                     : ASA5525 (72) Version 6.1.0 (Build 330)
UUID                      : 71fd1be4-7641-11e6-87e4-d6ca846264e3
Rules update version      : 2016-03-28-001-vrt
VDB version               : 270
----------------------------------------------------

>


Verification 3
Check basic connectivity between the ASDM host and the FirePOWER module management IP by using tools like ping and tracert/traceroute:


Verification 4
If the ASDM host and the FirePOWER management IP are in the same L3 network, check the ARP table on the ASDM host:


Verification 5
Enable a packet capture on the ASDM host while you are connecting via ASDM, to check whether there is proper TCP communication between the host and the FirePOWER module. At a minimum you should see:
  • TCP 3-way handshake between the ASDM host and the ASA
  • SSL tunnel established between the ASDM host and the ASA
  • TCP 3-way handshake between the ASDM host and the FirePOWER module management IP
  • SSL tunnel established between the ASDM host and the FirePOWER module management IP


Verification 6
To check the traffic to and from the FirePOWER module you can enable a capture on the asa_mgmt_plane interface. In the capture below you can see:
  • ARP request from the ASDM host (packet 42)
  • ARP reply from the FirePOWER module (packet 43)
  • TCP 3-way handshake between the ASDM host and the FirePOWER module (packets 44-46)
ASA5525# capture FP_MGMT interface asa_mgmt_plane
ASA5525# show capture FP_MGMT | i 192.168.75.123
…
  42: 20:27:28.532076  arp who-has 192.168.75.123 tell 192.168.75.22
  43: 20:27:28.532153  arp reply 192.168.75.123 is-at 6c:41:6a:a1:2b:f2
  44: 20:27:28.532473  192.168.75.22.48391 > 192.168.75.123.443: S 2861923942:2861923942(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>
  45: 20:27:28.532549  192.168.75.123.443 > 192.168.75.22.48391: S 1324352332:1324352332(0) ack 2861923943 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7>
  46: 20:27:28.532839  192.168.75.22.48391 > 192.168.75.123.443: . ack 1324352333 win 16695
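As an added example (not from the original post), the following Python script parses show capture output in the format above and reports which stages of the expected exchange between the ASDM host and the module management IP (ARP request, ARP reply, then TCP SYN, SYN-ACK and ACK to port 443) are present, so the first missing stage points at where to start looking. The capture lines embedded in it are constructed in the shape of the sample above.

```python
import re

# Constructed sample, in the shape of the asa_mgmt_plane capture shown above
SAMPLE_CAPTURE = """\
  42: 20:27:28.532076  arp who-has 192.168.75.123 tell 192.168.75.22
  43: 20:27:28.532153  arp reply 192.168.75.123 is-at 6c:41:6a:a1:2b:f2
  44: 20:27:28.532473  192.168.75.22.48391 > 192.168.75.123.443: S 2861923942:2861923942(0) win 8192 <mss 1260,nop,wscale 2,nop,nop,sackOK>
  45: 20:27:28.532549  192.168.75.123.443 > 192.168.75.22.48391: S 1324352332:1324352332(0) ack 2861923943 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7>
  46: 20:27:28.532839  192.168.75.22.48391 > 192.168.75.123.443: . ack 1324352333 win 16695
"""

ARP_REQ = re.compile(r"arp who-has (\S+) tell (\S+)")
ARP_REP = re.compile(r"arp reply (\S+) is-at (\S+)")
TCP = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\S+) (.*)")
ACK = re.compile(r"\back\b")  # word-bounded so the 'sackOK' option does not count as an ACK

STAGES = ("arp_request", "arp_reply", "syn", "syn_ack", "ack")

def check_mgmt_handshake(capture, host, mgmt, port=443):
    """Record which stages of the expected ASDM-host-to-module exchange appear:
    ARP resolution of the management IP, then TCP SYN / SYN-ACK / ACK to mgmt:port."""
    seen = dict.fromkeys(STAGES, False)
    client_port = None
    for line in capture.splitlines():
        req, rep, tcp = ARP_REQ.search(line), ARP_REP.search(line), TCP.search(line)
        if req and req.groups() == (mgmt, host):
            seen["arp_request"] = True
        elif rep and rep.group(1) == mgmt:
            seen["arp_reply"] = True
        elif tcp:
            src, sport, dst, dport, flag, rest = tcp.groups()
            to_mgmt = src == host and dst == mgmt and int(dport) == port
            from_mgmt = src == mgmt and int(sport) == port and dst == host
            acked = bool(ACK.search(rest))
            if to_mgmt and flag == "S" and not acked:
                seen["syn"], client_port = True, sport  # remember the client's ephemeral port
            elif from_mgmt and dport == client_port and flag == "S" and acked:
                seen["syn_ack"] = True
            elif to_mgmt and sport == client_port and flag == "." and acked:
                seen["ack"] = True
    return seen

def missing_stages(capture, host, mgmt, port=443):
    """Stages not found, in expected order; the first entry is where to start troubleshooting."""
    seen = check_mgmt_handshake(capture, host, mgmt, port)
    return [stage for stage in STAGES if not seen[stage]]
```

Run it against the output of show capture FP_MGMT saved to a file, passing the ASDM host IP and the module management IP; an empty result means the full ARP and TCP exchange was seen on asa_mgmt_plane.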

Verification 7
Verify that the ASDM user has privilege level 15. One way to confirm this is to run debug http 255 while connecting via ASDM; the username and privilege lines show the level of the connected user:
ASA5525# debug http 255
debug http enabled at level 255.
HTTP: processing ASDM request [/admin/asdm_banner] with cookie-based authentication (aware_webvpn_conf.re2c:444)
HTTP: check admin session. Cookie index [2][c8a06c50]
HTTP: Admin session cookie [A27614B@20480@78CF@58989AACB80CE5159544A1B3EE62661F99D475DC]
HTTP: Admin session idle-timeout reset
HTTP: admin session verified =  [1]
HTTP: username = [user1], privilege = [14]
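As an added example that is not part of the original post, the following Python script applies the checks from Step 2 and from this verification to saved debug http 255 output: it lists the exec commands the ASDM issued, confirms that the module-discovery commands (show module and show module sfr details) were seen, and flags a user whose privilege level is below 15. The log lines embedded in it are constructed in the shape of the output shown above.

```python
import re

# Constructed sample, modelled on the "debug http 255" lines shown in this post
SAMPLE_DEBUG = """\
debug http enabled at level 255.
HTTP: processing ASDM request [/admin/asdm_banner] with cookie-based authentication (aware_webvpn_conf.re2c:444)
HTTP: admin session verified =  [1]
HTTP: username = [user1], privilege = [14]
HTTP: processing ASDM request [/admin/exec/show+module] with cookie-based authentication
HTTP: processing GET URL '/admin/exec/show+module' from host 192.168.75.22
HTTP: processing ASDM request [/admin/exec/show+module+sfr+details] with cookie-based authentication
HTTP: processing GET URL '/admin/exec/show+module+sfr+details' from host 192.168.75.22
"""

GET_RE = re.compile(r"HTTP: processing GET URL '/admin/exec/([^']+)' from host (\S+)")
USER_RE = re.compile(r"HTTP: username = \[([^\]]*)\], privilege = \[(\d+)\]")

def parse_debug_http(text):
    """Return the exec commands ASDM issued (with '+' decoded to spaces, plus the
    requesting host) and the (username, privilege) pair from the session check."""
    commands, user, priv = [], None, None
    for line in text.splitlines():
        m = GET_RE.search(line)
        if m:
            commands.append((m.group(1).replace("+", " "), m.group(2)))
            continue
        m = USER_RE.search(line)
        if m:
            user, priv = m.group(1), int(m.group(2))
    return {"commands": commands, "username": user, "privilege": priv}

def check_asdm_session(text, required_privilege=15):
    """Apply the checks from Step 2 and Verification 7: both module-discovery
    commands must be present and the user must hold privilege level 15."""
    info = parse_debug_http(text)
    issued = {cmd for cmd, _ in info["commands"]}
    findings = []
    for needed in ("show module", "show module sfr details"):
        if needed not in issued:
            findings.append(f"ASDM never issued '{needed}'; module discovery incomplete")
    if info["privilege"] is None:
        findings.append("no username/privilege line seen; session not verified")
    elif info["privilege"] < required_privilege:
        findings.append(f"user {info['username']} has privilege {info['privilege']}, "
                        f"needs {required_privilege} for FirePOWER management")
    return findings
```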

Verification 8
If there is NAT between the ASDM host and the FirePOWER management IP, you need to specify the NATed IP in ASDM:


Verification 9
Make sure that the FirePOWER module is not already managed by Firepower Management Center (FMC), because in that case the FirePOWER tabs in ASDM will be missing:
ASA5525# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
> show managers
Managed locally.

>
Another way is to check the DC addr field in the output of show module sfr details:
ASA5525# show module sfr details
Getting details from the Service Module, please wait...

Card Type:          FirePOWER Services Software Module
Model:              ASA5525
Hardware version:   N/A
Serial Number:      FCH1719J54R
Firmware version:   N/A
Software version:   6.1.0-330
MAC Address Range:  6c41.6aa1.2bf2 to 6c41.6aa1.2bf2
App. name:          ASA FirePOWER
App. Status:        Up
App. Status Desc:   Normal Operation
App. version:       6.1.0-330
Data Plane Status:  Up
Console session:    Ready
Status:             Up
DC addr:            No DC Configured
Mgmt IP addr:       192.168.75.123
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.168.75.23
Mgmt web ports:     443
Mgmt TLS enabled:   true

Verification 10
Verify in the ASA Compatibility guide that the ASA/ASDM images are compatible:


Verification 11
Verify in the Firepower Compatibility guide that the FirePOWER device is compatible with the ASDM version:
