In this example, we’ll step through Cisco ASA 5506-X FirePOWER configuration example and activate the FirePOWER module in a typical network. We used ASA 5506-X running code 9.5(2) and ASDM version 7.5(2).

Before proceeding, please make sure the following points have been taken into consideration. If you are configuring a brand new ASA 5506-X, you may skip to Step 1.

  • It is not recommended to configure and run Cloud Web Security (ScanSafe) at the same time as FirePOWER. Technically it is possible to split traffic so that each flow is inspected by only one of the two methods, but this is not recommended.
  • Do not enable the ASA’s HTTP inspection features, since FirePOWER provides more advanced HTTP inspection than the ASA.
  • Cisco Mobile User Security (MUS) is not compatible with FirePOWER.

Cisco ASA 5506-X FirePOWER Configuration Example Part 2

Step 1: Update ASA software and ASDM code

Download the latest stable release from Cisco.com and transfer the ASA and ASDM images to the ASA.

[Figure: ASA FirePOWER SourceFire Configuration (2)]

Set the system to boot the new image, and configure the ASDM image to be used.

ASA1(config)# boot system disk0:/asa952-lfbff-k8.SPA
ASA1(config)# asdm image disk0:/asdm-752.bin 

Save the configuration with write memory and verify that the boot variable points to the new image. Reboot the system to load it.

[Figure: ASA FirePOWER SourceFire Configuration (3)]

Step 2: Verifying FirePOWER module status

Using “show module”, you can verify that the FirePOWER module is online and healthy.

ASA1# sho module

Mod Card Type                                  Model             Serial No.
---- -------------------------------------------- ------------------ -----------
ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506           JAD19280XXX
sfr FirePOWER Services Software Module          ASA5506           JAD19280XXX
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 5897.bd27.58d6 to 5897.bd27.58df 1.0         1.1.1       9.5(2)
sfr 5897.bd27.58d5 to 5897.bd27.58d5 N/A         N/A         5.4.1-211
Mod SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER                 Up               5.4.1-211
Mod Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
1 Up Sys             Not Applicable
sfr Up                 Up

Step 3: Physical cabling

On the ASA 5506-X through ASA 5555-X platforms, the ASA itself and the FirePOWER module share the same physical management interface (the ASA 5585-X has a dedicated management interface for each). For the shared management interface, you have two options.

Option 1: Dedicate the management interface to FirePOWER, and manage the ASA through its inside or outside interface.

To run in this mode, you must not configure a name (nameif) on the management interface. You need to configure a FirePOWER management IP on the same network as the ASA’s inside interface. In our example, we have 192.168.0.1 on the inside interface and 192.168.0.2 on the FirePOWER management interface.

Keep in mind that the FirePOWER management interface must have Internet access for signature updates and for communication with the Management Center. This traffic cannot pass through the ASA’s backplane; instead, management traffic must enter and exit through the same physical port. Illustrated below is a typical cabling setup where the management interface is connected to the same layer 2 switch as the inside network.

[Figure: ASA FirePOWER SourceFire Configuration (4)]

Option 2: Share management interface between ASA and FirePOWER

If you have a layer 3 device, such as a layer 3 switch, on your network, this method is recommended. The ASA and the FirePOWER module share the same physical management interface but use different IP addresses. The management IP addresses are on a separate network or VLAN dedicated to management traffic. Internet-bound traffic initiated from the management IP is routed through the layer 3 device to the inside interface of the ASA.

[Figure: ASA FirePOWER SourceFire Configuration (5)]

In our example, we assigned 192.168.1.1 for ASA management and 192.168.1.2 for FirePOWER management. Note that the IP address under the management interface configuration reflects only the ASA management IP; the FirePOWER management IP is not shown in “show running-config”.

interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
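The two checks above (the sfr module reports Up in “show module”, and the FirePOWER management address fits the cabling option chosen in Step 3) are easy to get wrong by eye, so here is an added example that automates them. It is not part of the original article or Cisco’s tooling; it parses the “show module” output and the Management1/1 interface block quoted above (both embedded as constructed samples) and applies the rules the article states: Option 1 means no nameif on the management interface and the FirePOWER IP on the inside subnet, Option 2 means both management IPs on their own subnet, distinct from each other and from the inside network. The inside address is passed in as a parameter because it does not appear in the blocks being parsed.

```python
"""Pre-flight checks for an ASA 5506-X FirePOWER (sfr) module.

Added example, not from the original article. Parses plain text captured
from `show module` and from the Management1/1 interface block, and checks
the conditions the procedure relies on.
"""
import ipaddress
import re

# Constructed sample: the `show module` output quoted in the article.
SHOW_MODULE = """\
Mod Card Type                                  Model             Serial No.
---- -------------------------------------------- ------------------ -----------
ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506           JAD19280XXX
sfr FirePOWER Services Software Module          ASA5506           JAD19280XXX
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
1 5897.bd27.58d6 to 5897.bd27.58df 1.0         1.1.1       9.5(2)
sfr 5897.bd27.58d5 to 5897.bd27.58d5 N/A         N/A         5.4.1-211
Mod SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
sfr ASA FirePOWER                 Up               5.4.1-211
Mod Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
1 Up Sys             Not Applicable
sfr Up                 Up
"""

# Constructed sample: Option 2 management block (shared, named interface).
MGMT_OPTION2 = """\
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
"""

# Constructed sample: Option 1, management port left unnamed for FirePOWER.
MGMT_OPTION1 = """\
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
"""


def parse_sfr(show_module: str) -> dict:
    """Collect the sfr row from each table of `show module`.

    Each table starts with a 'Mod ...' header; the key is the header's
    second word ('Card', 'MAC', 'SSM', 'Status') and the value is the
    sfr row split into tokens, without the leading 'sfr'.
    """
    tables, header = {}, None
    for line in show_module.splitlines():
        if line.startswith("Mod "):
            header = line.split()[1]
        elif line.startswith("sfr ") and header:
            tables[header] = line.split()[1:]
    return tables


def sfr_is_healthy(show_module: str) -> bool:
    """True when the application, module and data plane all report Up."""
    t = parse_sfr(show_module)
    if "SSM" not in t or len(t.get("Status", [])) < 2:
        return False
    app_status = t["SSM"][-2]          # ['ASA', 'FirePOWER', 'Up', '5.4.1-211']
    status, data_plane = t["Status"][0], t["Status"][1]
    return app_status == "Up" and status == "Up" and data_plane == "Up"


def sfr_version(show_module: str) -> str:
    """Software version of the FirePOWER application, e.g. '5.4.1-211'."""
    return parse_sfr(show_module)["SSM"][-1]


def mgmt_option(interface_block: str, inside_ip: str, firepower_ip: str) -> tuple:
    """Classify the cabling option from the Management1/1 block and check the
    FirePOWER management address against it. Returns (option, ok).

    inside_ip is given as 'address/prefix' (e.g. '192.168.0.1/24') because
    the inside interface is not part of the parsed block.
    """
    named = re.search(r"^\s*nameif\s+\S+", interface_block, re.M) is not None
    fp = ipaddress.ip_address(firepower_ip)
    inside_net = ipaddress.ip_interface(inside_ip).network
    if not named:
        # Option 1: unnamed management port; FirePOWER sits on the inside subnet.
        return 1, fp in inside_net
    m = re.search(r"^\s*ip address (\S+) (\S+)", interface_block, re.M)
    if m is None:
        return 2, False                # named but unaddressed: misconfigured
    asa_mgmt = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    # Option 2: both addresses on the dedicated management subnet, distinct,
    # and that subnet separate from the inside network.
    ok = (fp in asa_mgmt.network and fp != asa_mgmt.ip
          and not asa_mgmt.network.overlaps(inside_net))
    return 2, ok


if __name__ == "__main__":
    print("sfr healthy:", sfr_is_healthy(SHOW_MODULE), sfr_version(SHOW_MODULE))
    print("option 2:", mgmt_option(MGMT_OPTION2, "192.168.0.1/24", "192.168.1.2"))
    print("option 1:", mgmt_option(MGMT_OPTION1, "192.168.0.1/24", "192.168.0.2"))
```

Feed it the text of “show module” and “show running-config interface Management1/1” captured from the box (for example through a terminal log or a Netmiko session) instead of the embedded samples, and treat a False from either function as a reason to stop before Step 4.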

Step 4: Initial configuration of FirePOWER module

On the ASA console CLI, enter the FirePOWER module with the session command:

ASA1# session sfr

The default username / password is admin / Sourcefire. The first time you access the FirePOWER module, you are prompted for basic configuration parameters:

System initialization in progress. Please stand by.
You must change the password for 'admin' to continue.
Enter new password:
Confirm new password:
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]:
Do you want to configure IPv6? (y/n) [n]:
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.1.2
Enter an IPv4 netmask for the management interface [255.255.255.0]:
Enter the IPv4 default gateway for the management interface []: 192.168.1.1
Enter a fully qualified hostname for this system [Sourcefire3D]:
Enter a comma-separated list of DNS servers or 'none' []:
Enter a comma-separated list of DNS servers or 'none' []:
Enter a comma-separated list of DNS servers or 'none' []: 4.2.2.2
Enter a comma-separated list of search domains or 'none' [example.net]:
If your networking information has changed, you will need to reconnect.
For HTTP Proxy configuration, run 'configure network http-proxy'
Applying 'Default Allow All Traffic' access control policy.

At the end of this step, we have completed the initial setup of the ASA and the FirePOWER module. A “Default Allow All Traffic” policy is active on the FirePOWER module: it inspects and monitors all traffic sent to the module, but it does not drop any traffic.

Now you may proceed to Configure and Manage ASA FirePOWER Module using ASDM or Configure and Manage ASA FirePOWER Module using FirePOWER Management Center.

If you are looking for a best-practice baseline configuration of the ASA 5506-X before moving on to setting up the FirePOWER module, please read: Basic Cisco ASA 5506-x Configuration Example, or download the configuration template for FREE.

Continue reading:

Cisco ASA 5506-X FirePOWER Configuration Example Part 1

Configure and Manage ASA FirePOWER Module using ASDM Part 3

Configure and Manage ASA FirePOWER Module using Management Center Part 4