Scribd
Upload
370 views12 pages

Using ASDM To Manage A FirePOWER Module

The document describes how the Adaptive Security Device Manager (ASDM) communicates with an ASA firewall and FirePOWER module installed on the ASA to provide on-box management. When a user connects to ASDM, it discovers the ASA configuration and FirePOWER IP address, then initiates secure communication with the FirePOWER module. ASDM retrieves menu items from the FirePOWER module to display FirePOWER management options within ASDM. Troubleshooting steps are provided to verify the communication and management connectivity between ASDM, ASA, and FirePOWER module.

Uploaded by

Huy Meng
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
370 views12 pages

Using ASDM To Manage A FirePOWER Module

The document describes how the Adaptive Security Device Manager (ASDM) communicates with an ASA firewall and FirePOWER module installed on the ASA to provide on-box management. When a user connects to ASDM, it discovers the ASA configuration and FirePOWER IP address, then initiates secure communication with the FirePOWER module. ASDM retrieves menu items from the FirePOWER module to display FirePOWER management options within ASDM. Troubleshooting steps are provided to verify the communication and management connectivity between ASDM, ASA, and FirePOWER module.

Uploaded by

Huy Meng
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 12

Using ASDM to manage a FirePOWER

module on ASA
Contents
Introduction
Components used
Prerequisites
Architecture
Background operation when a user connects to ASA via ASDM
Step 1 The user initiates the ASDM connection
Step 2 The ASDM discovers the ASA configuration and the FirePOWER module IP
Step 3 The ASDM initiates communication towards the FirePOWER module
Step 4 The ASDM retrieves the FirePOWER Menu Items
Troubleshooting
Recommended actions
Related Documents

Introduction
A FirePOWER module that is installed on ASA can be managed by either:

Firepower Management Center (FMC) This is the off-box management solution


Adaptive Security Device Manager (ADSM) This is the on-box management solution
The goal of this document is to explain how ASDM software communicates with the ASA and a
FirePOWER software module installed on it.

Components used

A Windows 7 host
ASA5525-X running ASA 9.6.2-3 code
ASDM software 7.6.2.150
FirePOWER software module 6.1.0-330

Prerequisites

ASA configuration to enable ASDM management:

ASA5525(config)# interface GigabitEthernet0/0 ASA5525(config-if)# nameif INSIDE ASA5525(config-


if)# security-level 100 ASA5525(config-if)# ip address 192.168.75.23 255.255.255.0
ASA5525(config-if)# no shutdown ASA5525(config)# ASA5525(config)# http server enable
ASA5525(config)# http 192.168.75.0 255.255.255.0 INSIDE ASA5525(config)# asdm image disk0:/asdm-
762150.bin ASA5525(config)# ASA5525(config)# aaa authentication http console LOCAL
ASA5525(config)# username cisco password cisco
Additionally, on ASA the 3DES/AES license should be enabled:
ASA5525# show version | in 3DES Encryption-3DES-AES : Enabled perpetual

Architecture
The ASA has 3 internal interfaces:

asa_dataplane = It is used to redirect packets from the ASA Data Path to the FirePOWER
software module
asa_mgmt_plane = It is used to allow the FirePOWER management interface to
communicate with the network
cplane = Control Plane interface that is used to transfer keepalives between the ASA and the
FirePOWER module
You can capture traffic in all internal interfaces:

ASA5525# capture CAP interface ? asa_dataplane Capture packets on dataplane interface


asa_mgmt_plane Capture packets on managementplane interface cplane Capture packets on
controlplane interface
The above can be visualized as follows:

Background operation when a user connects to ASA via


ASDM
Consider the following topology
When a user initiates an ASDM connection to the ASA the following events will occur:

Step 1 The user initiates the ASDM connection

The user specifies the ASA IP used for HTTP management, enters the credentials and initiates a
connection towards the ASA:

In the background an SSL tunnel between the ASDM and the ASA is established:

This can be visualized as follows:


Step 2 The ASDM discovers the ASA configuration and the FirePOWER
module IP

Enabling debug http 255 on ASA will show all the checks that are done in the background when
the ASDM connects to the ASA:

ASA5525# debug http 255 HTTP: processing ASDM request [/admin/exec/show+module] with cookie-
based authentication HTTP: processing GET URL '/admin/exec/show+module' from host 192.168.75.22
HTTP: processing ASDM request [/admin/exec/show+cluster+interface-mode] with cookie-based
authentication HTTP: processing GET URL '/admin/exec/show+cluster+interface-mode' from host
192.168.75.22 HTTP: processing ASDM request [/admin/exec/show+cluster+info] with cookie-based
authentication HTTP: processing GET URL '/admin/exec/show+cluster+info' from host 192.168.75.22
HTTP: processing ASDM request [/admin/exec/show+module+sfr+details] with cookie-based
authentication HTTP: processing GET URL '/admin/exec/show+module+sfr+details' from host
192.168.75.22
show module = The ASDM discovers the ASA modules
show module sfr details = The ASDM discovers the module details including the FirePOWER
management IP

The above will be seen in the background as a series of SSL connections from the PC towards the
ASA IP:

Step 3 The ASDM initiates communication towards the FirePOWER module

Since the ASDM knows the FirePOWER management IP it initiates SSL sessions towards the
module:

The above will be seen in the background as SSL connections from the ASDM host towards the
FirePOWER management IP:

This can be visualized as follows:

The ASDM authenticates the FirePOWER and a Security Warning is shown since FirePOWER
Certificate is self-signed:
Step 4 The ASDM retrieves the FirePOWER Menu Items

After the successful authentication the ASDM retrieves from the FirePOWER the Menu Items:
The retrieved tabs:

It also retrieves the ASA FirePOWER Configuration Menu Item:

Troubleshooting
In case ASDM cannot establish an SSL tunnel with the FP Management IP then it will only load
the following FirePOWER Menu Item:
The ASA FirePOWER Configuration Item will be missing as well:

Recommended actions

Verification 1

Make sure that the ASA management interface is UP and the switchport connected to it is in the
proper VLAN:

ASA5525# show interface ip brief | include Interface|Management0/0 Interface IP-Address OK?


Method Status Protocol Management0/0 unassigned YES unset up up

Verification 2

Make sure that the FirePOWER module is fully initialized, UP and running:
ASA5525# show module sfr details Getting details from the Service Module, please wait... Card
Type: FirePOWER Services Software Module Model: ASA5525 Hardware version: N/A Serial Number:
FCH1719J54R Firmware version: N/A Software version: 6.1.0-330 MAC Address Range: 6c41.6aa1.2bf2
to 6c41.6aa1.2bf2 App. name: ASA FirePOWER App. Status: Up App. Status Desc: Normal Operation
App. version: 6.1.0-330 Data Plane Status: Up Console session: Ready Status: Up DC addr: No DC
Configured Mgmt IP addr: 192.168.75.123 Mgmt Network mask: 255.255.255.0 Mgmt Gateway:
192.168.75.23 Mgmt web ports: 443 Mgmt TLS enabled: true A5525# session sfr console Opening
console session with module sfr. Connected to module sfr. Escape character sequence is 'CTRL-
^X'. > show version --------------------[ FP5525-3 ]-------------------- Model : ASA5525 (72)
Version 6.1.0 (Build 330) UUID : 71fd1be4-7641-11e6-87e4-d6ca846264e3 Rules update version :
2016-03-28-001-vrt VDB version : 270 ---------------------------------------------------- >

Verification 3

Check basic connectivity between the ASDM host and the FirePOWER module management IP
by using tools like ping and tracert/traceroute:

Verification 4

If the ASDM host and the FirePOWER management IP are in the same L3 network check the ARP
table on the ASDM host:
Verification 5

Enable capture on the ASDM device while you are connecting via ASDM to see if there is proper
TCP communication between the host and the FirePOWER module. At minimum you should see:

TCP 3-way handshake between the ASDM host and the ASA
SSL tunnel established between the ASDM host and the ASA
TCP 3-way handshake between the ASDM host and the FirePOWER module management IP
SSL tunnel established between the ASDM host and the FirePOWER module management IP

Verification 6

To check the traffic to and from the FirePOWER module you can enable capture on the
asa_mgmt_plane interface. In the capture below it can be seen:

ARP request from the ASDM host (packet 42)


ARP reply from the FirePOWER module (packet 43)
TCP 3-way handshake between the ASDM host and the FirePOWER module (packets 44-46)

ASA5525# capture FP_MGMT interface asa_mgmt_plane ASA5525# show capture FP_MGMT | i


192.168.75.123 42: 20:27:28.532076 arp who-has 192.168.75.123 tell 192.168.75.22 43:
20:27:28.532153 arp reply 192.168.75.123 is-at 6c:41:6a:a1:2b:f2 44: 20:27:28.532473
192.168.75.22.48391 > 192.168.75.123.443: S 2861923942:2861923942(0) win 8192 <mss
1260,nop,wscale 2,nop,nop,sackOK> 45: 20:27:28.532549 192.168.75.123.443 > 192.168.75.22.48391:
S 1324352332:1324352332(0) ack 2861923943 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7> 46:
20:27:28.532839 192.168.75.22.48391 > 192.168.75.123.443: . ack 1324352333 win 16695

Verification 7

Verify that the ASDM user has privilege level 15. One way to confirm this is by running debug http
255 while connecting via ASDM:

ASA5525# debug http 255 debug http enabled at level 255. HTTP: processing ASDM request
[/admin/asdm_banner] with cookie-based authentication (aware_webvpn_conf.re2c:444) HTTP: check
admin session. Cookie index [2][c8a06c50] HTTP: Admin session cookie
[A27614B@20480@78CF@58989AACB80CE5159544A1B3EE62661F99D475DC] HTTP: Admin session idle-timeout
reset HTTP: admin session verified = [1] HTTP: username = [user1], privilege = [14]

Verification 8

If between the ASDM host and the FirePOWER module there is NAT for the Firepower
Management IP then you need to specify the NATed IP:

Verification 9

Make sure that the FirePOWER module is not already managed by Firepower Management
Center (FMC) because in that case the FirePOWER tabs in ASDM will be missing:

ASA5525# session sfr console Opening console session with module sfr. Connected to module sfr.
Escape character sequence is 'CTRL-^X'. > show managers Managed locally. >
Another way:

ASA5525# show module sfr details Getting details from the Service Module, please wait... Card
Type: FirePOWER Services Software Module Model: ASA5525 Hardware version: N/A Serial Number:
FCH1719J54R Firmware version: N/A Software version: 6.1.0-330 MAC Address Range: 6c41.6aa1.2bf2
to 6c41.6aa1.2bf2 App. name: ASA FirePOWER App. Status: Up App. Status Desc: Normal Operation
App. version: 6.1.0-330 Data Plane Status: Up Console session: Ready Status: Up DC addr: No DC
Configured Mgmt IP addr: 192.168.75.123 Mgmt Network mask: 255.255.255.0 Mgmt Gateway:
192.168.75.23 Mgmt web ports: 443 Mgmt TLS enabled: true

Verification 10

Verify in the ASA Compatibility guide that the ASA/ASDM images are compatible:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
Verification 11

Verify in the Firepower Compatibility guide that the FirePOWER device is compatible with the
ASDM version:

http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html

Related Documents
Cisco ASA FirePOWER Module Quick Start Guide

ASA with FirePOWER Services Local Management Configuration Guide, Version 6.1.0

ASA FirePOWER Module User Guide for the ASA5506-X, ASA5506H-X, ASA5506W-X,
ASA5508-X, and ASA5516-X, Version 5.4.1

You might also like