topic Re: Which interface is used by an ASA to access Licensing services? in Network Security

Which interface is used by an ASA to access Licensing services?

REJR77 — Fri, 27 Aug 2021 15:10:23 GMT

Hi,

We have a Active/Standby HA ASA with 2 Firepower 2130 in appliance mode.

We use the Management interface as management-only and several interfaces.

We have a default route on the management interface and a default route on an external interface.

Which interface is used by the ASA to connect to the Cisco licensing services?

Thanks for the help

Re: Which interface is used by an ASA to access Licensing services?

Sheraz.Salim — Fri, 27 Aug 2021 18:25:34 GMT

The ASA uses Cisco Smart Software Licensing. here is the Guide how to implement it

On 2100 the ASA communicates with the Cisco Smart Licensing portal (cloud) using the ASA interfaces, not the FXOS management.

n this case, HTTP local authentication is used on outside interface:

ciscoasa(config)# show run http
http server enable
http 0.0.0.0 0.0.0.0 outside
ciscoasa(config)# show run aaa
aaa authentication http console LOCAL
ciscoasa(config)# show run username
username cisco password ***** pbkdf2

You can only connect to the ASA via ASDM if there is a 3DES/AES license enabled. For an ASA that is not already registered this is possible only on an interface that is management-only. Per configuration guide: "Strong Encryption (3DES/AES) is available for management connections before you connect to the License Authority or Satellite server so you can launch ASDM. Note that ASDM access is only available on management-only interfaces with the default encryption. Through the box traffic is not allowed until you connect and obtain the Strong Encryption license". In different case you get:

ciscoasa(config)# debug ssl 255
debug ssl enabled at level 255.
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

To overcome the ASA has management-only configured on the Internet-facing interface and thus ASDM connection is possible:

interface Ethernet1/2
management-only
nameif outside
security-level 100
ip address 192.168.123.111 255.255.255.0 standby 192.168.123.112

Reference from:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215920-asa-smart-license-registration-and-troub.html

Re: Which interface is used by an ASA to access Licensing services?

Peter Koltl — Wed, 12 Jan 2022 16:08:10 GMT

Which interface is used by the ASA to connect to the Cisco licensing services?

Re: Which interface is used by an ASA to access Licensing services?

Sheraz.Salim — Wed, 12 Jan 2022 21:23:19 GMT

For an ASA that is not already registered this is possible only on an interface that is management-only.

Let me explain. let say your ASA is not registered to Cisco licensing services. In order for you to get it connected to Cisco licensing services is using the following configuration.

interface Ethernet1/2
management-only
nameif outside
security-level 100
ip address XX.XX.XX.XY 255.255.255.0

here in the above example ASA has management-only configured on the Internet-facing interface. this will get your connected to licience server at cisco.

Re: Which interface is used by an ASA to access Licensing services?

REJR77 — Thu, 13 Jan 2022 07:21:23 GMT

You can use the Management interface

In our case this is what was done finally