
Onboarding an ASA on FTD Device

Hello, 

 

I have a couple of questions about onboarding on CDO.

I have FTD 2120 and the OS is ASA 9.12. 

 

When I onboard it, should I choose FTD or ASA on CDO?

 

In order for CDO to find the device, I will have to assign a public IP to it, right?

 

Regards, 

Konstantinos

6 Replies

Hi @kostasthedelegate 

You'd onboard the device as an ASA.

 

What Service Device Connector do you have? Cloud or On-Premise?

 

https://docs.defenseorchestrator.com/Welcome_to_Cisco_Defense_Orchestrator/Basics_of_Cisco_Defense_Orchestrator/0025_Secure_Connectors

For desired CDO-managed devices that are non-perimeter based, do not have a public IP address, or an open port to the outside interface, we recommend you use the on-premises SDC which enables onboarding, accessing, reading, and writing to those devices using internal IP addresses.

Hello Rob, 

 

Thank you for the answer!
Actually, just a little while ago I read about the connectors.

I have the default for now. 

These first appliances have a public IP because they are used for VPN, so I think I will stick to that. 

 

Regards

So if I use the public IP of the device I see that CDO uses port 443. 

If I have the VPN on the same port will I have any problems?

@kostasthedelegate 

ASDM and SSL-VPN/WebVPN both listen on port 443; CDO would be connecting to the ASDM service when using CDO. You could change the port used for ASDM using the command from the ASA CLI http server enable <port>; when you onboard the device in CDO you can specify the custom port. Bear in mind that when you connect to ASDM again you'd now need to use the custom port. Connections to the SSL-VPN would not be affected.

Ok great 

And of course every device needs a separate public IP.

What about the certificate used? Could I use one certificate for both appliances bearing in mind that this will be used for VPN also?

@kostasthedelegate The certificates can be unique; you can use the ASA's self-signed certificate or the public certificate. Check out this link for certificate pre-reqs.

 

https://docs.defenseorchestrator.com/Configuration_Guides/Onboard_Devices_and_Services/0010_Onboard_an_ASA_Device
