Question about Firewalling & Content Filtering using ASA 5525-X

Hello all,

I'm in the process of purchasing a quantity of 2 for the following:

ASA 5525-X with FirePOWER Svcs. Chassis and Subs. Bundle
Cisco ASA5525 FirePOWER IPS, AMP and URL Licenses
Cisco FireSIGHT Management Center,(VMWare) for 2 devices

These will replace our guest network firewall and content filter which are currently Barracuda devices. I'm not sure if it's worth mentioning but there are 3 networks behind our guest network. The 1st is the main guest network that has the current firewall, Web filter, switches, and guest devices. The 2nd network services a remote network where we used PBR to get its traffic routed to the guest network. The last network is a network created where clients are behind the PacketFence captive portal, so the server has 2 NICs (one on the main network and the other behind the portal that serves clients behind it). Eventually, users on the main network will be moved behind the captive portal.

We're going to run the ASAs in active/standby HA. What I need to know is since this will be a new install/configure from scratch, is there any documentation that will guide me through the process of getting this up and running step-by-step? For instance, do I need to configure my firewall with all required configurations first and then proceed to configure CX for content filtering? We're not going to run, at least for now, FirePOWER services so I don't think the install/configuration of FirePOWER and the FireSIGHT Mgmt Center would be necessary unless it's used for the URL/Content filtering. I just need to be pointed in the right direction as to how to get started. Thanks!

Regards,

Terence

18 Replies

You can configure the FirePOWER module independent of the parent ASA it resides in. Of course the module needs to have been installed - if it's not you have to image it from the ASA cli.

See the Quick Start Guide here for IP addressing:

http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html#pgfId-144598

Basically the FP module requires you to use the ASA management interface. It has its own default gateway independent of the host ASA. (It's basically a Linux VM with FirePOWER software.)

It's optional whether you also want to use that same physical interface (m0/0) for ASA management - most people do not and instead manage the ASA via the inside interface. That's primarily because (prior to ASA 9.5) a single context ASA only has one routing table. So unless you have a true out-of-band management network, using the ASA's m0/0 interface for management is challenging.

Thanks Marvin! I typically use the inside interface to manage the ASA. I checked out some videos from LabMinutes and they put the management interface on the same subnet as their inside interface for their FireSIGHT deployment. I'm looking to use this same method. Is this ok?

Terence

Yes - the labminutes method will work.

It can be confusing for folks who are new to the box to have two physical interfaces in the same subnet. As long as you remember they are being used by two different operating systems (ASA software and FirePOWER software - kind of like VMs on a hypervisor), it makes sense.
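As an added illustration of the arrangement described in the two replies above (ASA managed through its inside interface, Management0/0 handed over to the FirePOWER module, both on the same subnet), here is an annotated configuration sketch. It is not from the original thread or from Cisco's documentation; the 192.0.2.0/24 addresses, the FireSIGHT Management Center address and the registration key are constructed placeholders.

```text
! --- ASA side (ASA software) ---
! The inside interface carries user traffic and ASA management.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
! Management0/0 gets no ASA IP address: the FirePOWER module owns
! this physical port for its own management plane.
interface Management0/0
 management-only
 no ip address
 no shutdown
!
! Limit ASA management access to the inside network only.
http server enable
http 192.0.2.0 255.255.255.0 inside
ssh 192.0.2.0 255.255.255.0 inside
ssh version 2
!
! (Optional, only once FirePOWER services are actually in use.)
! Send traffic to the module; fail-open keeps the ASA forwarding
! if the module is down.
access-list sfr_redirect extended permit ip any any
class-map sfr_class
 match access-list sfr_redirect
policy-map global_policy
 class sfr_class
  sfr fail-open
!
! --- FirePOWER module side (separate Linux-based OS) ---
! Opened from the ASA CLI; log in with the module's admin account.
session sfr console
! The module takes its own address on the same subnet as inside and
! uses the ASA inside address as its gateway (constructed values);
! this is independent of the ASA's own routing table.
configure network ipv4 manual 192.0.2.10 255.255.255.0 192.0.2.1
! Register with the FireSIGHT Management Center (placeholder IP/key).
configure manager add 192.0.2.50 REGKEY_PLACEHOLDER
```

The same registration key entered here must be used when the device is added in the FireSIGHT Management Center.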

That makes perfect sense! Marvin I truly thank you for your help and assistance in this matter as it is very new to me.

Regards,

Terence
