Cisco Firepower 1140 Security Appliance Configuration Guide

ASDM Book 1: Cisco ASA Series General Operations ASDM Configuration Guide, 7.15
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright ©1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
©2021 Cisco Systems, Inc. All rights reserved.
CONTENTS
PREFACE: About This Guide xlix
Document Objectives xlix
Related Documentation xlix
Document Conventions xlix
Communications, Services, and Additional Information li
PART I: Getting Started with the ASA 53
CHAPTER 1: Introduction to the Cisco ASA 1
ASDM Requirements 1
ASDM Java Requirements 1
ASDM Compatibility Notes 2
Hardware and Software Compatibility 5
VPN Compatibility 6
New Features 6
New Features in ASA 9.14(2) 6
New Features in ASA 9.14(1.30) 6
New Features in ASDM 7.14(1.48) 6
New Features in ASAv 9.14(1.6) 7
New Features in ASA 9.14(1)/ASDM 7.14(1) 7
Firewall Functional Overview 10
Security Policy Overview 11
Permitting or Denying Traffic with Access Rules 11
Applying NAT 11
Protecting from IP Fragments 11
Applying HTTP, HTTPS, or FTP Filtering 11
Applying Application Inspection 12
Sending Traffic to Supported Hardware or Software Modules 12
Applying QoS Policies 12
Applying Connection Limits and TCP Normalization 12
Enabling Threat Detection 12
Firewall Mode Overview 12
Stateful Inspection Overview 13
VPN Functional Overview 14
Security Context Overview 15
ASA Clustering Overview 15
Special, Deprecated, and Legacy Services 15
CHAPTER 2: Getting Started 17
Access the Console for the Command-Line Interface 17
Access the Appliance Console 17
Access the Firepower 2100 Platform Mode Console 18
Access the Firepower 1000 and 2100 Appliance Mode Console 20
Access the ASA Console on the Firepower 4100/9300 Chassis 22
Access the Software Module Console 23
Access the ASA 5506W-X Wireless Access Point Console 24
Configure ASDM Access 24
Use the Factory Default Configuration for ASDM Access (Appliances, ASAv) 24
Customize ASDM Access 25
Start ASDM 27
Customize ASDM Operation 29
Install an Identity Certificate for ASDM 29
Increase the ASDM Configuration Memory 29
Increase the ASDM Configuration Memory in Windows 29
Increase the ASDM Configuration Memory in Mac OS 30
Factory Default Configurations 30
Restore the Factory Default Configuration 32
Restore the ASAv Deployment Configuration 34
ASA 5506-X Series Default Configuration 35
ASA 5508-X and 5516-X Default Configuration 37
ASA 5525-X through ASA 5555-X Default Configuration 38
Firepower 1010 Default Configuration 38
Firepower 1100 Default Configuration 40
Firepower 2100 Platform Mode Default Configuration 41
Firepower 2100 Appliance Mode Default Configuration 43
Firepower 4100/9300 Chassis Default Configuration 44
ISA 3000 Default Configuration 45
ASAv Deployment Configuration 46
Set the Firepower 2100 to Appliance or Platform Mode 48
Get Started with the Configuration 50
Use the Command Line Interface Tool in ASDM 50
Use the Command Line Interface Tool 50
Show Commands Ignored by ASDM on the Device 51
Apply Configuration Changes to Connections 52
CHAPTER 3: ASDM Graphical User Interface 53
About the ASDM User Interface 53
Navigate the ASDM User Interface 56
Menus 57
File Menu 57
View Menu 58
Tools Menu 59
Wizards Menu 61
Window Menu 61
Help Menu 61
Toolbar 62
ASDM Assistant 63
Status Bar 64
Connection to Device 64
Device List 64
Common Buttons 65
Keyboard Shortcuts 66
Find Function in ASDM Panes 68
Find Function in Rule Lists 68
Enable Extended Screen Reader Support 69
Organizational Folder 69
Home Pane (Single Mode and Context) 70
Device Dashboard Tab 70
Device Information Pane 71
Interface Status Pane 72
VPN Sessions Pane 72
Failover Status Pane 72
System Resources Status Pane 72
Traffic Status Pane 73
Latest ASDM Syslog Messages Pane 73
Firewall Dashboard Tab 74
Traffic Overview Pane 75
Top 10 Access Rules Pane 75
Top Usage Status Pane 75
Top Ten Protected Servers Under SYN Attack Pane 76
Top 200 Hosts Pane 76
Top Botnet Traffic Filter Hits Pane 76
Cluster Dashboard Tab 77
Cluster Firewall Dashboard Tab 78
Content Security Tab 79
Intrusion Prevention Tab 80
ASA CX Status Tab 82
ASA FirePower Status Tabs 82
Home Pane (System) 83
Define ASDM Preferences 84
Search with the ASDM Assistant 86
Enable History Metrics 87
Unsupported Commands 87
Ignored and View-Only Commands 87
Effects of Unsupported Commands 88
Discontinuous Subnet Masks Not Supported 88
Interactive User Commands Not Supported by the ASDM CLI Tool 89
CHAPTER 4: Licenses: Product Authorization Key Licensing 91
About PAK Licenses 91
Preinstalled License 91
Permanent License 91
Time-Based Licenses 92
Time-Based License Activation Guidelines 92
How the Time-Based License Timer Works 92
How Permanent and Time-Based Licenses Combine 92
Stacking Time-Based Licenses 93
Time-Based License Expiration 94
License Notes 94
AnyConnect Plus and Apex Licenses 94
Other VPN License 95
Total VPN Sessions Combined, All Types 95
VPN Load Balancing 95
Legacy VPN Licenses 95
Encryption License 95
Carrier License 96
Total TLS Proxy Sessions 96
VLANs, Maximum 97
Botnet Traffic Filter License 97
IPS Module License 97
Shared AnyConnect Premium Licenses (AnyConnect 3 and Earlier) 97
Failover or ASA Cluster Licenses 97
Failover License Requirements and Exceptions 97
ASA Cluster License Requirements and Exceptions 99
How Failover or ASA Cluster Licenses Combine 99
Loss of Communication Between Failover or ASA Cluster Units 100
Upgrading Failover Pairs 101
No Payload Encryption Models 101
Licenses FAQ 101
Guidelines for PAK Licenses 102
Configure PAK Licenses 104
Order License PAKs and Obtain an Activation Key 104
Obtain a Strong Encryption License 105
Activate or Deactivate Keys 107
Configure a Shared License (AnyConnect 3 and Earlier) 108
About Shared Licenses 109
About the Shared Licensing Server and Participants 109
Communication Issues Between Participant and Server 110
About the Shared Licensing Backup Server 110
Failover and Shared Licenses 111
Maximum Number of Participants 112
Configure the Shared Licensing Server 113
Configure the Shared Licensing Participant and the Optional Backup Server 113
Supported Feature Licenses Per Model 114
Licenses Per Model 114
ASA 5506-X and ASA 5506W-X License Features 114
ASA 5506H-X License Features 115
ASA 5508-X License Features 116
ASA 5516-X License Features 117
ASA 5525-X License Features 118
ASA 5545-X License Features 119
ASA 5555-X License Features 120
ISA 3000 License Features 122
Monitoring PAK Licenses 123
Viewing Your Current License 123
Monitoring the Shared License 123
History for PAK Licenses 124
CHAPTER 5: Licenses: Smart Software Licensing (ASAv, ASA on Firepower) 133
About Smart Software Licensing 133
Smart Software Licensing for the ASA on the Firepower 4100/9300 Chassis 133
Smart Software Manager and Accounts 134
Offline Management 134
Permanent License Reservation 134
Satellite Server (Smart Software Manager On-Prem) 136
Licenses and Devices Managed per Virtual Account 136
Evaluation License 136
About Licenses by Type 137
AnyConnect Plus, AnyConnect Apex, And VPN Only Licenses 137
Other VPN License 137
Total VPN Sessions Combined, All Types 138
Encryption License 138
Carrier License 140
Total TLS Proxy Sessions 140
VLANs, Maximum 141
Botnet Traffic Filter License 141
Failover or ASA Cluster Licenses 141
Failover Licenses for the ASAv 141
Failover Licenses for the Firepower 1010 141
Failover Licenses for the Firepower 1100 142
Failover Licenses for the Firepower 2100 143
Failover Licenses for the ASA on the Firepower 4100/9300 Chassis 145
ASA Cluster Licenses for the ASA on the Firepower 4100/9300 Chassis 146
Prerequisites for Smart Software Licensing 147
Regular and Satellite Smart License Prerequisites 147
Permanent License Reservation Prerequisites 147
License PIDs 148
Guidelines for Smart Software Licensing 151
Defaults for Smart Software Licensing 152
ASAv: Configure Smart Software Licensing 152
ASAv: Configure Regular Smart Software Licensing 152
ASAv: Configure Satellite Smart Software Licensing 155
ASAv: Configure Utility Mode and MSLA Smart Software Licensing 156
ASAv: Configure Permanent License Reservation 156
Install the ASAv Permanent License 157
(Optional) Return the ASAv Permanent License 159
(Optional) Deregister the ASAv (Regular and Satellite) 159
(Optional) Renew the ASAv ID Certificate or License Entitlement (Regular and Satellite) 160
Firepower 1000 and 2100: Configure Smart Software Licensing 160
Firepower 1000 or 2100: Configure Regular Smart Software Licensing 161
Firepower 1000 or 2100: Configure Satellite Smart Software Licensing 164
Firepower 1000 or 2100: Configure Permanent License Reservation 165
Install the Firepower 1000 or 2100 Permanent License 166
(Optional) Return the Firepower 1000 or 2100 Permanent License 168
(Optional) Deregister the Firepower 1000 or 2100 (Regular and Satellite) 169
(Optional) Renew the Firepower 1000 or 2100 ID Certificate or License Entitlement (Regular and Satellite) 169
Firepower 4100/9300: Configure Smart Software Licensing 170
Firepower 4100/9300: Configure Pre-2.3.0 Satellite Smart Software Licensing 170
Firepower 4100/9300: Configure Smart Software Licensing 172
Licenses Per Model 173
ASAv 173
Firepower 1010 176
Firepower 1100 Series 177
Firepower 2100 Series 178
Firepower 4100 Series ASA Application 180
Firepower 9300 ASA Application 181
Monitoring Smart Software Licensing 182
Viewing Your Current License 182
Viewing Smart License Status 182
Viewing the UDI 182
Smart Software Manager Communication 183
Device Registration and Tokens 183
Periodic Communication with the License Authority 183
Out-of-Compliance State 184
Smart Call Home Infrastructure 185
Smart License Certificate Management 185
History for Smart Software Licensing 185
CHAPTER 6: Logical Devices for the Firepower 4100/9300 189
About Firepower Interfaces 189
Chassis Management Interface 189
Interface Types 190
FXOS Interfaces vs. Application Interfaces 191
About Logical Devices 192
Standalone and Clustered Logical Devices 192
Requirements and Prerequisites for Hardware and Software Combinations 192
Guidelines and Limitations for Logical Devices 193
Guidelines and Limitations for Firepower Interfaces 193
General Guidelines and Limitations 194
Requirements and Prerequisites for High Availability 194
Configure Interfaces 194
Enable or Disable an Interface 195
Configure a Physical Interface 195
Add an EtherChannel (Port Channel) 196
Configure Logical Devices 198
Add a Standalone ASA 198
Add a High Availability Pair 200
Change an Interface on an ASA Logical Device 201
Connect to the Console of the Application 202
History for Logical Devices 204
CHAPTER 7: Transparent or Routed Firewall Mode 207
About the Firewall Mode 207
About Routed Firewall Mode 207
About Transparent Firewall Mode 207
Using the Transparent Firewall in Your Network 208
Management Interface 208
Passing Traffic For Routed-Mode Features 208
About Bridge Groups 209
Bridge Virtual Interface (BVI) 209
Bridge Groups in Transparent Firewall Mode 209
Bridge Groups in Routed Firewall Mode 210
Passing Traffic Not Allowed in Routed Mode 211
Allowing Layer 3 Traffic 211
Allowed MAC Addresses 212
BPDU Handling 212
MAC Address vs. Route Lookups 212
Unsupported Features for Bridge Groups in Transparent Mode 214
Unsupported Features for Bridge Groups in Routed Mode 214
Default Settings 216
Guidelines for Firewall Mode 216
Set the Firewall Mode (Single Mode) 217
Examples for Firewall Mode 218
How Data Moves Through the ASA in Routed Firewall Mode 218
An Inside User Visits a Web Server 218
An Outside User Visits a Web Server on the DMZ 219
An Inside User Visits a Web Server on the DMZ 220
An Outside User Attempts to Access an Inside Host 221
A DMZ User Attempts to Access an Inside Host 222
How Data Moves Through the Transparent Firewall 223
An Inside User Visits a Web Server 224
An Inside User Visits a Web Server Using NAT 225
An Outside User Visits a Web Server on the Inside Network 227
An Outside User Attempts to Access an Inside Host 228
History for the Firewall Mode 229
CHAPTER 8: Startup Wizard 233
Access the Startup Wizard 233
Guidelines for the Startup Wizard 233
Startup Wizard Screens 233
Starting Point or Welcome 233
Basic Configuration 234
Interface Screens 234
Outside Interface Configuration (Routed Mode) 234
Outside Interface Configuration - PPPoE (Routed Mode, Single Mode) 234
Management IP Address Configuration (Transparent Mode) 234
Other Interfaces Configuration 234
Static Routes 234
DHCP Server 234
Address Translation (NAT/PAT) 235
Administrative Access 235
IPS Basic Configuration 235
ASA CX Basic Configuration (ASA 5585-X) 235
ASA FirePOWER Basic Configuration 235
Time Zone and Clock Configuration 235
Auto Update Server (Single Mode) 235
Startup Wizard Summary 236
History for the Startup Wizard 236
PART II: High Availability and Scalability 239
CHAPTER 9: Multiple Context Mode 241
About Security Contexts 241
Common Uses for Security Contexts 241
Context Configuration Files 242
Context Configurations 242
System Configuration 242
Admin Context Configuration 242
How the ASA Classifies Packets 242
Valid Classifier Criteria 242
Classification Examples 243
Cascading Security Contexts 245
Management Access to Security Contexts 246
System Administrator Access 246
Context Administrator Access 246
Management Interface Usage 246
About Resource Management 247
Resource Classes 247
Resource Limits 247
Default Class 248
Use Oversubscribed Resources 249
Use Unlimited Resources 249
About MAC Addresses 250
MAC Addresses in Multiple Context Mode 250
Automatic MAC Addresses 250
VPN Support 251
Licensing for Multiple Context Mode 251
Prerequisites for Multiple Context Mode 252
Guidelines for Multiple Context Mode 253
Defaults for Multiple Context Mode 254
Configure Multiple Contexts 254
Enable or Disable Multiple Context Mode 254
Enable Multiple Context Mode 255
Restore Single Context Mode 256
Configure a Class for Resource Management 256
Configure a Security Context 260
Assign MAC Addresses to Context Interfaces Automatically 262
Change Between Contexts and the System Execution Space 262
Manage Security Contexts 263
Remove a Security Context 263
Change the Admin Context 264
Change the Security Context URL 264
Reload a Security Context 265
Reload by Clearing the Configuration 266
Reload by Removing and Re-adding the Context 266
Monitoring Security Contexts 266
Monitor Context Resource Usage 267
View Assigned MAC Addresses 268
View MAC Addresses in the System Configuration 268
View MAC Addresses Within a Context 269
History for Multiple Context Mode 269
CHAPTER 10: Failover for High Availability 275
About Failover 275
Failover Modes 275
Failover System Requirements 276
Hardware Requirements 276
Software Requirements 276
License Requirements 277
Failover and Stateful Failover Links 277
Failover Link 277
Stateful Failover Link 278
Avoiding Interrupted Failover and Data Links 279
MAC Addresses and IP Addresses in Failover 281
Stateless and Stateful Failover 283
Stateless Failover 283
Stateful Failover 283
Bridge Group Requirements for Failover 285
Bridge Group Requirements for Appliances, ASAv 285
Failover Health Monitoring 286
Unit Health Monitoring 286
Interface Monitoring 286
Failover Times 288
Configuration Synchronization 289
Running Configuration Replication 289
File Replication 290
Command Replication 290
About Active/Standby Failover 291
Primary/Secondary Roles and Active/Standby Status 291
Active Unit Determination at Startup 291
Failover Events 291
About Active/Active Failover 292
Active/Active Failover Overview 293
Primary/Secondary Roles and Active/Standby Status for a Failover Group 293
Active Unit Determination for Failover Groups at Startup 293
Failover Events 294
Licensing for Failover 295
Guidelines for Failover 297
Defaults for Failover 299
Configure Active/Standby Failover 299
Configure Active/Active Failover 300
Configure Optional Failover Parameters 301
Configure Failover Criteria and Other Settings 301
Configure Interface Monitoring and Standby Addresses 304
Configure Support for Asymmetrically Routed Packets (Active/Active Mode) 305
Manage Failover 307
Modify the Failover Setup 307
Force Failover 309
Disable Failover 310
Restore a Failed Unit 311
Re-Sync the Configuration 311
Monitoring Failover 312
Failover Messages 312
Failover Syslog Messages 312
Failover Debug Messages 312
SNMP Failover Traps 312
Monitoring Failover Status 312
System 313
Failover Group 1 and Failover Group 2 313
History for Failover 314
CHAPTER 11: Failover for High Availability in the Public Cloud 317
About Failover in the Public Cloud 317
About Active/Backup Failover 318
Primary/Secondary Roles and Active/Backup Status 318
Failover Connection 318
Polling and Hello Messages 318
Active Unit Determination at Startup 319
Failover Events 319
Guidelines and Limitations 321
Licensing for Failover in the Public Cloud 322
Defaults for Failover in the Public Cloud 322
About ASAv High Availability in Microsoft Azure 322
About the Azure Service Principal 323
Configuration Requirements for ASAv High Availability in Azure 324
Configure Active/Backup Failover 325
Configure Optional Failover Parameters 327
Configure Azure Route Tables 327
Manage Failover in the Public Cloud 328
Force Failover 328
Update Routes 328
Validate Azure Authentication 329
Monitor Failover in the Public Cloud 329
Failover Status 330
Failover Messages 330
History for Failover in the Public Cloud 331
CHAPTER 12: ASA Cluster 333
About ASA Clustering 333
How the ASA Cluster Fits into Your Network 333
Cluster Members 334
Bootstrap Configuration 334
Control and Data Unit Roles 334
Cluster Interfaces 334
Cluster Control Link 334
Configuration Replication 335
ASA Cluster Management 335
Management Network 335
Management Interface 335
Control Unit Management Vs. Data Unit Management 335
RSA Key Replication 336
ASDM Connection Certificate IP Address Mismatch 336
Inter-Site Clustering 336
Licenses for ASA Clustering 337
Requirements and Prerequisites for ASA Clustering 337
Guidelines for ASA Clustering 339
Configure ASA Clustering 344
Back Up Your Configurations (Recommended) 345
Cable the Units and Configure Interfaces 345
About Cluster Interfaces 345
Cable the Cluster Units and Configure Upstream and Downstream Equipment 354
Configure the Cluster Interface Mode on the Control Unit 354
(Recommended; Required in Multiple Context Mode) Configure Interfaces on the Control Unit 357
Create or Join an ASA Cluster 362
Run the High Availability Wizard 362
Customize the Clustering Operation 366
Configure Basic ASA Cluster Parameters 366
Configure Interface Health Monitoring and Auto-Rejoin Settings 370
Configure the Cluster TCP Replication Delay 371
Configure Inter-Site Features 372
Manage Cluster Members 375
Add a New Data Unit from the Control Unit 375
Become an Inactive Member 376
Deactivate a Data Unit from the Control Unit 377
Rejoin the Cluster 377
Leave the Cluster 378
Change the Control Unit 379
Execute a Command Cluster-Wide 380
Monitoring the ASA Cluster 381
Monitoring Cluster Status 381
Capturing Packets Cluster-Wide 381
Monitoring Cluster Resources 381
Monitoring Cluster Traffic 381
Monitoring the Cluster Control Link 382
Monitoring Cluster Routing 382
Configuring Logging for Clustering 382
Examples for ASA Clustering 382
Sample ASA and Switch Configuration 382
ASA Configuration 383
Cisco IOS Switch Configuration 384
Firewall on a Stick 385
Traffic Segregation 388
Spanned EtherChannel with Backup Links (Traditional 8 Active/8 Standby) 390
OTV Configuration for Routed Mode Inter-Site Clustering 397
Examples for Inter-Site Clustering 399
Individual Interface Routed Mode North-South Inter-Site Example 399
Spanned EtherChannel Routed Mode Example with Site-Specific MAC and IP Addresses 400
Spanned EtherChannel Transparent Mode North-South Inter-Site Example 401
Spanned EtherChannel Transparent Mode East-West Inter-Site Example 402
Reference for Clustering 403
ASA Features and Clustering 403
Unsupported Features with Clustering 403
Centralized Features for Clustering 404
Features Applied to Individual Units 405
AAA for Network Access and Clustering 406
Connection Settings 406
FTP and Clustering 406
Identity Firewall and Clustering 406
Multicast Routing and Clustering 407
NAT and Clustering 407
Dynamic Routing and Clustering 409
SCTP and Clustering 410
SIP Inspection and Clustering 411
SNMP and Clustering 411
STUN and Clustering 411
Syslog and NetFlow and Clustering 411
Cisco TrustSec and Clustering 411
VPN and Clustering 411
Performance Scaling Factor 412
Control Unit Election 412
High Availability Within the ASA Cluster 413
Unit Health Monitoring 413
Interface Monitoring 413
Status After Failure 413
Rejoining the Cluster 414
Data Path Connection State Replication 414
How the ASA Cluster Manages Connections 415
Connection Roles 415
New Connection Ownership 417
Sample Data Flow 417
Rebalancing New TCP Connections Across the Cluster 418
History for ASA Clustering 418
CHAPTER 13: ASA Cluster for the Firepower 4100/9300 Chassis 425
About Clustering on the Firepower 4100/9300 Chassis 425
Bootstrap Configuration 426
Cluster Members 426
Master and Slave Unit Roles 426
Cluster Control Link 427
Size the Cluster Control Link 427
Cluster Control Link Redundancy 428
Cluster Control Link Reliability 428
Cluster Control Link Network 428
Cluster Interfaces 429
Connecting to a VSS or vPC 429
Configuration Replication 429
ASA Cluster Management 429
Management Network 429
Management Interface 429
Control Unit Management Vs. Data Unit Management 430
RSA Key Replication 430
ASDM Connection Certificate IP Address Mismatch 430
Spanned EtherChannels (Recommended) 430
Inter-Site Clustering 431
Requirements and Prerequisites for Clustering on the Firepower 4100/9300 Chassis 432
Licenses for Clustering on the Firepower 4100/9300 Chassis 433
Licenses for Distributed S2S VPN 434
Clustering Guidelines and Limitations 435
Configure Clustering on the Firepower 4100/9300 Chassis 439
FXOS: Add an ASA Cluster 440
Create an ASA Cluster 440