12-07-2015 02:29 AM - last edited on 03-25-2019 05:21 PM by ciscomoderator
Can someone tell me the missing parts for using three ASA5525-FPWR-K9
with L-ASA5525-TA-1Y IPS licenses?
Every ASA has a separate ASA5525-CTRL-LIC with PAK in the box.
At the moment, the ASA 5525-X units are running ASDM 7.2 with the sfr FirePOWER Services
Software Module version 5.3.1
# show module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5525-X with SW, 8 GE Data, 1 GE Mgmt, AC ASA5525
ips Unknown N/A
cxsc Unknown N/A
sfr FirePOWER Services Software Module ASA5525
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
sfr ASA FirePOWER Up 5.3.1-152
# show flash:
--#-- --length-- -----date/time------ path
10 4096 Jul 29 2015 15:26:20 log
20 4096 Jul 29 2015 15:27:00 crypto_archive
21 4096 Jul 29 2015 15:27:12 coredumpinfo
22 59 Jul 29 2015 15:27:12 coredumpinfo/coredump.cfg
114 52457472 Jul 29 2015 15:31:36 asa922-4-smp-k8.bin
115 41601024 Jul 29 2015 15:33:14 asasfr-5500x-boot-5.3.1-152.img
116 24070880 Jul 29 2015 15:58:58 asdm-7221.bin
117 12998641 Jul 29 2015 16:02:56 csd_3.5.2008-k9.pkg
118 4096 Jul 29 2015 16:02:56 sdesktop
122 1462 Jul 29 2015 16:02:56 sdesktop/data.xml
119 6487517 Jul 29 2015 16:02:58 anyconnect-macosx-i386-2.5.2014-k9.pkg
120 6689498 Jul 29 2015 16:02:58 anyconnect-linux-2.5.2014-k9.pkg
121 4678691 Jul 29 2015 16:02:58 anyconnect-win-2.5.2014-k9.pkg
8238202880 bytes total (4867211264 bytes free)
ciscoasa#
I read this discussion earlier: https://supportforums.cisco.com/discussion/12393861/firesight-management-virtual-machine-download
The SFR boards need the FireSIGHT Management Center and all licensing is done with the Center.
PAK registration needs the created license key of the Center.
The FS-VMW-SW-K9 is the Center software, and a CON-SAU-VMWSW2 is necessary for upgrades.
Is it recommended to update the ASA base software and the versions of the SFR modules?
Do the SFR modules get the new firmware from the Center? Does the CON-SAU-VMWSW2 cover this?
Summarized:
We have 3x ASA5525-FPWR-K9 units with the software versions printed above, 3x ASA5525-CTRL-LIC, 3x L-ASA5525-TA=
After reading the linked discussion, we need a further 2x FS-VMW-2SW-K9 and 2x CON-SAU-VMWSW2?
Is this enough?
Any help is much appreciated...
thanks, and rgds
12-07-2015 07:50 PM
Deploying FirePOWER Management Center (new name as of 6.0) would be recommended. You would need the 10 device license as the 2 device licenses are not additive (i.e., buying two each doesn't give you a 4-device license).
Alternatively, you could upgrade each ASA and FirePOWER module to versions 9.5.2 and 6.0 respectively and manage each totally separately using ASDM. Not generally recommended due to the headache of keeping the policies in sync and not having one place to look at all events and logs.
12-08-2015 12:34 AM
Ok Marvin,
Very helpful answer. Great to hear of this possibility now to do it without a management center.
I think we prefer this. Can you tell me the part numbers we need for covering all ASA5525-FPWR-K9
with a contract, so that we get all necessary files for upgrading?
Is it possible to buy a contract without hardware support?
Due to this discussion:
https://supportforums.cisco.com/discussion/12547496/how-upgrade-firepower-5525-x-cli-or-virtual defense-center
I believed that it is still up to date that only the entry-level ASAs can manage their firesourcemodule with ASDM. I have a last question about using ASDM instead of FirePOWER Management Center:
Is the management, controlling and reporting of the basic IPS functions the same? And can you give me a link to the data sheet and user guide of the new version, please?
thanks for your help,
rgds,
I
12-08-2015 05:52 AM
The capability with FirePOWER 6.0 was just introduced in November 2015 with ASA 9.5(1)5 and FirePOWER 6.0.
ASA Release notes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html#pgfId-149508
ASDM User Guide: http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/asdm75/firewall/asdm-75-firewall-config/access-sfr.html#ID-2123-0000034e
The ASDM User Guide mostly refers you to the FirePOWER 6.0 User Guide: http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60.html
The data sheet doesn't make a big deal of it but it is noted in table 2 here: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html (See the row labeled "On-Device Management".)
The big differences are you will have to create each policy for every ASA separately on its respective ASDM instance. Events and reporting will not be available in a centralized location and are only stored on the ASA and retrievable from ASDM.
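A pre-upgrade check for the minimum versions named in this answer (ASA 9.5(1)5 and FirePOWER 6.0), added here as an example and not part of the original thread or any Cisco tool. The function names are hypothetical, the sample input is constructed from the output posted in the question, and the image-name parsing assumes the three-digit `asaXYZ-N-smp` naming seen in that post.

```python
import re

# Minimums for ASDM (on-box) management, as stated in the thread.
MIN_ASA = (9, 5, 1, 5)   # ASA 9.5(1)5
MIN_SFR = (6, 0)         # FirePOWER 6.0

# Constructed sample, trimmed from the "show module" output in the question.
SAMPLE_SHOW_MODULE = """\
Mod SSM Application Name Status SSM Application Version
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
sfr ASA FirePOWER Up 5.3.1-152
"""
SAMPLE_ASA_IMAGE = "asa922-4-smp-k8.bin"  # from the "show flash:" listing

def parse_sfr(show_module):
    """Return (status, version tuple) for the sfr module, or None if absent."""
    m = re.search(r"^sfr\s+ASA FirePOWER\s+(.+?)\s+(\d+(?:\.\d+)+)(?:-\d+)?\s*$",
                  show_module, re.MULTILINE)
    if not m:
        return None
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def parse_asa_image(name):
    """Map e.g. asa922-4-smp-k8.bin to (9, 2, 2, 4); None if unrecognised."""
    m = re.match(r"asa(\d)(\d)(\d)(?:-(\d+))?-smp", name)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def asdm_management_gaps(show_module, asa_image):
    """List what blocks managing the module from ASDM; empty list = ready."""
    gaps = []
    asa = parse_asa_image(asa_image)
    if asa is None:
        gaps.append("ASA image name not recognised: %s" % asa_image)
    elif asa < MIN_ASA:
        gaps.append("ASA %d.%d(%d)%d is below 9.5(1)5" % asa)
    sfr = parse_sfr(show_module)
    if sfr is None:
        gaps.append("no running sfr module found in show module output")
    else:
        status, version = sfr
        if status != "Up":
            gaps.append("sfr module status is %s, not Up" % status)
        if version < MIN_SFR:
            gaps.append("FirePOWER %s is below 6.0" % ".".join(map(str, version)))
    return gaps

if __name__ == "__main__":
    for gap in asdm_management_gaps(SAMPLE_SHOW_MODULE, SAMPLE_ASA_IMAGE):
        print(gap)
```

Run against each unit's saved output before and after the upgrade; an empty result means both version thresholds from the answer are met and the module reports Up.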
12-17-2015 07:21 AM
Hi Marvin,
thank you for your great support,
the units and modules are now updated to the latest versions,
all firepower controlling tabs are now available in ASDM ! :-)
12-17-2015 07:23 AM
Great - you're welcome.
Thanks for marking the answer correct.