Cisco ASA 5515-X IPS Licensing

nethack009
Level 1

We have a Cisco ASA 5515-X and would like to configure IPS on this firewall.

  1. Which license do I need to purchase?
  2. Do I need to upgrade or purchase any hardware for this (the device has 4 GB RAM)?
  3. Will enabling IPS cause any slowness in the traffic flow?

Marvin Rhoads
Hall of Fame

License SKUs depend on what features you want - IPS only, URL filtering and/or Malware protection and for how long (1, 3 or 5 years term).

 

Please share "show version", "show module" and "show inventory" output. You can remove serial numbers for privacy. I ask for that because you may need to upgrade the software and add an SSD if one is not installed.

 

Adding the Firepower service module into the traffic path does take computing resources on the appliance and reduce the overall throughput. However if you are not pushing it to its limit without the module then you may be fine.

Please find the details below.

The device part number is ASA5515-K9 and the IPS part number shown is ASA5515-IPS-K9. How can I upgrade the current device so that it supports IPS?

 

FW# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V05 ,


FW# show module

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515
ips Unknown N/A
cxsc Unknown N/A
sfr Unknown N/A

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 843d.c64d.8b74 to 843d.c64d.8b7b 1.0 2.1(9)8 9.2(2)4
ips 843d.c64d.8b72 to 843d.c64d.8b72 N/A N/A
cxsc 843d.c64d.8b72 to 843d.c64d.8b72 N/A N/A
sfr 843d.c64d.8b72 to 843d.c64d.8b72 N/A N/A

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc Unknown No Image Present Not Applicable
sfr Unknown No Image Present Not Applicable

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Unresponsive Not Applicable
sfr Unresponsive Not Applicable

Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual

FW# show version

Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 7.2(2)1

Compiled on Tue 29-Jul-14 23:41 PDT by builders
System image file is "disk0:/asa922-4-smp-k8.bin"
Config file at boot was "startup-config"

FW up 40 mins 31 secs

Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-PLUS-T020
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


0: Int: Internal-Data0/0 : address is 843d.c64d.8b74, irq 11
1: Ext: GigabitEthernet0/0 : address is 843d.c64d.8b78, irq 10
2: Ext: GigabitEthernet0/1 : address is 843d.c64d.8b75, irq 10
3: Ext: GigabitEthernet0/2 : address is 843d.c64d.8b79, irq 5
4: Ext: GigabitEthernet0/3 : address is 843d.c64d.8b76, irq 5
5: Ext: GigabitEthernet0/4 : address is 843d.c64d.8b7a, irq 10
6: Ext: GigabitEthernet0/5 : address is 843d.c64d.8b77, irq 10
7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
10: Ext: Management0/0 : address is 843d.c64d.8b74, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

This platform has an ASA 5515 Security Plus license.

Serial Number:
Running Permanent Activation Key:
Configuration register is 0x1
Configuration has not been modified since last system restart.

Your ASA is running software that is a couple of years old, plus it does not have the SSD (solid state drive) that is required for the currently supported IPS module type (the Firepower service module, also known as "sfr" in the "show module" output).

To upgrade it to support the Firepower service module, you would need to purchase the SSD (with associated Smartnet), a no-cost Control license and an IPS term subscription (1, 3 or 5 years). A sample parts list would look like this:

ASA5500X-SSD120= with CON-SNT-ASD120

ASA5515-CTRL-LIC=

L-ASA5515-TA= with L-ASA5515-TA-1Y

You would also upgrade your ASA software to the current recommended release 9.6(3). Then follow the Quick Start Guide here for setup:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html
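The readiness checks in that answer (software release, SSD, and the "sfr" row of "show module") can be scripted against the pasted CLI output. This is an added example, not code from the thread or from Cisco; it assumes an installed SSD appears as a "Storage Device" entry in "show inventory", and the "ready" sample it includes is constructed, not taken from the thread.

```python
import re
# Constructed sample, excerpted from the output pasted in the thread.
SAMPLE_NOT_READY = """\
FW# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
FW# show module
ips Unknown No Image Present Not Applicable
sfr Unknown No Image Present Not Applicable
FW# show version
Cisco Adaptive Security Appliance Software Version 9.2(2)4
"""
# Constructed sample of a prepared unit; the SSD and sfr lines are assumed, not from the thread.
SAMPLE_READY = """\
FW# show inventory
Name: "Storage Device 1", DESCR: "SSD (placeholder description)"
FW# show module
sfr ASA FirePOWER Up 6.2.0
FW# show version
Cisco Adaptive Security Appliance Software Version 9.6(3)
"""
RECOMMENDED = (9, 6, 3)  # the 9.6(3) release the accepted answer recommends

def parse_asa_version(text):
    """Turn '... Software Version 9.2(2)4' into (9, 2, 2, 4); a missing interim number is 0."""
    m = re.search(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d*)", text)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))
def has_ssd(text):
    """Assumption: an installed SSD shows up as a 'Storage Device' entry in 'show inventory'."""
    return re.search(r'^Name: "Storage Device', text, re.M) is not None
def sfr_image_present(text):
    """True when every 'sfr' row of 'show module' reports something other than 'No Image Present'."""
    rows = re.findall(r"^sfr\b.*$", text, re.M)
    return bool(rows) and not any("No Image Present" in r for r in rows)
def firepower_readiness(text):
    """Return the list of things still blocking the Firepower (sfr) module on this chassis."""
    blockers = []
    ver = parse_asa_version(text)
    if ver is None:
        blockers.append("ASA software version not found in output")
    elif ver[:3] < RECOMMENDED:
        blockers.append("ASA software %d.%d(%d)%d is below the recommended 9.6(3)" % ver)
    if not has_ssd(text):
        blockers.append("no SSD listed in show inventory (ASA5500X-SSD120= required)")
    if not sfr_image_present(text):
        blockers.append("sfr module has no image loaded (Firepower software not installed)")
    return blockers
```

Running firepower_readiness over the thread's own output reports all three blockers; an empty list means the chassis only still needs the licenses applied.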

I want to make my new firewall (ASA5515-K9) the same as my old one (ASA5515-IPS-K9). Below are both configurations.

Please let me know how I can get this. Please help.

OLD

FW# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V02 ,


FW# show module

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515
ips ASA 5515-X IPS Security Services Processor ASA5515-IPS
cxsc Unknown N/A
sfr Unknown N/A

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 5087.89b7.bb71 to 5087.89b7.bb78 1.0 2.1(9)8 9.4(2)11
ips 5087.89b7.bb6f to 5087.89b7.bb6f N/A N/A 7.1(8p1)E4
cxsc 5087.89b7.bb6f to 5087.89b7.bb6f N/A N/A
sfr 5087.89b7.bb6f to 5087.89b7.bb6f N/A N/A

NEW

FW# show inventory
Name: "Chassis", DESCR: "ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC"
PID: ASA5515 , VID: V05 ,


FW# show module

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515
ips Unknown N/A
cxsc Unknown N/A
sfr Unknown N/A

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 843d.c64d.8b74 to 843d.c64d.8b7b 1.0 2.1(9)8 9.2(2)4
ips 843d.c64d.8b72 to 843d.c64d.8b72 N/A N/A
cxsc 843d.c64d.8b72 to 843d.c64d.8b72 N/A N/A
sfr 843d.c64d.8b72 to 843d.c64d.8b72 N/A N/A

Just buy 2 each of the part numbers I listed earlier.

The old style IPS that's reflected in your "ASA5515-IPS-K9" part number is long past end of sale. You need to move to the current style which uses the Firepower service modules.

If you have 2 or more, we usually recommend also purchasing a separate Firepower Management Center to keep their Firepower module configurations synced. It is available for VMware or KVM in 2, 5 or 25 device license levels. To manage 2 Firepower modules using the VMware-based product you would need:

SF-FMC-VMW-2-K9 with CON-ECMU-SFMMCVWK

(plus your own ESXi host of course).