Cisco Firepower 9300 Series Configuration Guide

ASDM Book 1: Cisco ASA Series General Operations ASDM Configuration Guide, 7.16
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright ©1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
©2021 Cisco Systems, Inc. All rights reserved.
CONTENTS
PREFACE
About This Guide xlix
Document Objectives xlix
Related Documentation xlix
Document Conventions xlix
Communications, Services, and Additional Information li
PART I
Getting Started with the ASA 53
CHAPTER 1
Introduction to the Cisco ASA 1
ASDM Requirements 1
ASDM Java Requirements 1
ASDM Compatibility Notes 2
Hardware and Software Compatibility 5
VPN Compatibility 6
New Features 6
New Features in ASA 9.16(1)/ASDM 7.16(1) 6
Firewall Functional Overview 9
Security Policy Overview 10
Permitting or Denying Traffic with Access Rules 10
Applying NAT 10
Protecting from IP Fragments 10
Applying HTTP, HTTPS, or FTP Filtering 10
Applying Application Inspection 10
Sending Traffic to Supported Hardware or Software Modules 10
Applying QoS Policies 11
Applying Connection Limits and TCP Normalization 11
Enabling Threat Detection 11
Firewall Mode Overview 11
Stateful Inspection Overview 12
VPN Functional Overview 13
Security Context Overview 13
ASA Clustering Overview 14
Special, Deprecated, and Legacy Services 14
CHAPTER 2
Getting Started 17
Access the Console for the Command-Line Interface 17
Access the Appliance Console 17
Access the Firepower 2100 Platform Mode Console 18
Access the Firepower 1000 and 2100 Appliance Mode Console 20
Access the ASA Console on the Firepower 4100/9300 Chassis 22
Access the Software Module Console 23
Access the ASA 5506W-X Wireless Access Point Console 24
Configure ASDM Access 24
Use the Factory Default Configuration for ASDM Access (Appliances, ASAv) 24
Customize ASDM Access 25
Start ASDM 27
Customize ASDM Operation 29
Install an Identity Certificate for ASDM 29
Increase the ASDM Configuration Memory 29
Increase the ASDM Configuration Memory in Windows 29
Increase the ASDM Configuration Memory in Mac OS 29
Factory Default Configurations 30
Restore the Factory Default Configuration 31
Restore the ASAv Deployment Configuration 34
ASA 5506-X Series Default Configuration 35
ASA 5508-X and 5516-X Default Configuration 37
Firepower 1010 Default Configuration 38
Firepower 1100 Default Configuration 39
Firepower 2100 Platform Mode Default Configuration 40
Firepower 2100 Appliance Mode Default Configuration 42
Firepower 4100/9300 Chassis Default Configuration 43
ISA 3000 Default Configuration 44
ASAv Deployment Configuration 45
Set the Firepower 2100 to Appliance or Platform Mode 47
Get Started with the Configuration 49
Use the Command Line Interface Tool in ASDM 50
Use the Command Line Interface Tool 50
Show Commands Ignored by ASDM on the Device 51
Apply Configuration Changes to Connections 51
CHAPTER 3
ASDM Graphical User Interface 53
About the ASDM User Interface 53
Navigate the ASDM User Interface 56
Menus 57
File Menu 57
View Menu 58
Tools Menu 59
Wizards Menu 61
Window Menu 61
Help Menu 61
Toolbar 62
ASDM Assistant 63
Status Bar 64
Connection to Device 64
Device List 64
Common Buttons 65
Keyboard Shortcuts 66
Find Function in ASDM Panes 68
Find Function in Rule Lists 68
Enable Extended Screen Reader Support 69
Organizational Folder 69
Home Pane (Single Mode and Context) 70
Device Dashboard Tab 70
Device Information Pane 71
Interface Status Pane 72
VPN Sessions Pane 72
Failover Status Pane 72
System Resources Status Pane 72
Traffic Status Pane 73
Latest ASDM Syslog Messages Pane 73
Firewall Dashboard Tab 74
Traffic Overview Pane 75
Top 10 Access Rules Pane 75
Top Usage Status Pane 75
Top Ten Protected Servers Under SYN Attack Pane 76
Top 200 Hosts Pane 76
Top Botnet Traffic Filter Hits Pane 76
Cluster Dashboard Tab 77
Cluster Firewall Dashboard Tab 78
Content Security Tab 79
Intrusion Prevention Tab 80
ASA CX Status Tab 82
ASA FirePower Status Tabs 82
Home Pane (System) 83
Define ASDM Preferences 84
Search with the ASDM Assistant 86
Enable History Metrics 87
Unsupported Commands 87
Ignored and View-Only Commands 87
Effects of Unsupported Commands 88
Discontinuous Subnet Masks Not Supported 88
Interactive User Commands Not Supported by the ASDM CLI Tool 89
CHAPTER 4
Licenses: Product Authorization Key Licensing 91
About PAK Licenses 91
Preinstalled License 91
Permanent License 91
Time-Based Licenses 92
Time-Based License Activation Guidelines 92
How the Time-Based License Timer Works 92
How Permanent and Time-Based Licenses Combine 92
Stacking Time-Based Licenses 93
Time-Based License Expiration 94
License Notes 94
AnyConnect Plus and Apex Licenses 94
Other VPN License 95
Total VPN Sessions Combined, All Types 95
VPN Load Balancing 95
Legacy VPN Licenses 95
Encryption License 95
Carrier License 96
Total TLS Proxy Sessions 96
VLANs, Maximum 97
Botnet Traffic Filter License 97
IPS Module License 97
Shared AnyConnect Premium Licenses (AnyConnect 3 and Earlier) 97
Failover or ASA Cluster Licenses 97
Failover License Requirements and Exceptions 97
ASA Cluster License Requirements and Exceptions 98
How Failover or ASA Cluster Licenses Combine 99
Loss of Communication Between Failover or ASA Cluster Units 99
Upgrading Failover Pairs 100
No Payload Encryption Models 100
Licenses FAQ 101
Guidelines for PAK Licenses 101
Configure PAK Licenses 103
Order License PAKs and Obtain an Activation Key 103
Obtain a Strong Encryption License 104
Activate or Deactivate Keys 106
Configure a Shared License (AnyConnect 3 and Earlier) 107
About Shared Licenses 108
About the Shared Licensing Server and Participants 108
Communication Issues Between Participant and Server 109
About the Shared Licensing Backup Server 109
Failover and Shared Licenses 110
Maximum Number of Participants 111
Configure the Shared Licensing Server 112
Configure the Shared Licensing Participant and the Optional Backup Server 112
Supported Feature Licenses Per Model 113
Licenses Per Model 113
ASA 5506-X and ASA 5506W-X License Features 113
ASA 5506H-X License Features 114
ASA 5508-X License Features 115
ASA 5516-X License Features 116
ISA 3000 License Features 117
Monitoring PAK Licenses 118
Viewing Your Current License 118
Monitoring the Shared License 119
History for PAK Licenses 119
CHAPTER 5
Licenses: Smart Software Licensing (ASAv, ASA on Firepower) 129
About Smart Software Licensing 129
Smart Software Licensing for the ASA on the Firepower 4100/9300 Chassis 129
Smart Software Manager and Accounts 130
Offline Management 130
Permanent License Reservation 130
Satellite Server (Smart Software Manager On-Prem) 132
Licenses and Devices Managed per Virtual Account 132
Evaluation License 132
About Licenses by Type 133
AnyConnect Plus, AnyConnect Apex, And VPN Only Licenses 133
Other VPN License 133
Total VPN Sessions Combined, All Types 134
Encryption License 134
Carrier License 136
Total TLS Proxy Sessions 136
VLANs, Maximum 137
Botnet Traffic Filter License 137
Failover or ASA Cluster Licenses 137
Failover Licenses for the ASAv 137
Failover Licenses for the Firepower 1010 137
Failover Licenses for the Firepower 1100 138
Failover Licenses for the Firepower 2100 139
Failover Licenses for the ASA on the Firepower 4100/9300 Chassis 141
ASA Cluster Licenses for the ASA on the Firepower 4100/9300 Chassis 142
Prerequisites for Smart Software Licensing 143
Regular and Satellite Smart License Prerequisites 143
Permanent License Reservation Prerequisites 143
License PIDs 144
Guidelines for Smart Software Licensing 147
Defaults for Smart Software Licensing 148
ASAv: Configure Smart Software Licensing 148
ASAv: Configure Regular Smart Software Licensing 148
ASAv: Configure Satellite Smart Software Licensing 151
ASAv: Configure Utility Mode and MSLA Smart Software Licensing 152
ASAv: Configure Permanent License Reservation 152
Install the ASAv Permanent License 153
(Optional) Return the ASAv Permanent License 155
(Optional) Deregister the ASAv (Regular and Satellite) 155
(Optional) Renew the ASAv ID Certificate or License Entitlement (Regular and Satellite) 156
Firepower 1000 and 2100: Configure Smart Software Licensing 156
Firepower 1000 or 2100: Configure Regular Smart Software Licensing 157
Firepower 1000 or 2100: Configure Satellite Smart Software Licensing 160
Firepower 1000 or 2100: Configure Permanent License Reservation 161
Install the Firepower 1000 or 2100 Permanent License 162
(Optional) Return the Firepower 1000 or 2100 Permanent License 164
(Optional) Deregister the Firepower 1000 or 2100 (Regular and Satellite) 165
(Optional) Renew the Firepower 1000 or 2100 ID Certificate or License Entitlement (Regular and Satellite) 165
Firepower 4100/9300: Configure Smart Software Licensing 166
Firepower 4100/9300: Configure Pre-2.3.0 Satellite Smart Software Licensing 166
Firepower 4100/9300: Configure Smart Software Licensing 168
Licenses Per Model 169
ASAv 169
Firepower 1010 172
Firepower 1100 Series 173
Firepower 2100 Series 174
Firepower 4100 Series ASA Application 176
Firepower 9300 ASA Application 177
Monitoring Smart Software Licensing 178
Viewing Your Current License 178
Viewing Smart License Status 178
Viewing the UDI 178
Smart Software Manager Communication 179
Device Registration and Tokens 179
Periodic Communication with the License Authority 179
Out-of-Compliance State 180
Smart Call Home Infrastructure 181
Smart License Certificate Management 181
History for Smart Software Licensing 181
CHAPTER 6
Logical Devices for the Firepower 4100/9300 185
About Firepower Interfaces 185
Chassis Management Interface 185
Interface Types 186
FXOS Interfaces vs. Application Interfaces 187
About Logical Devices 188
Standalone and Clustered Logical Devices 188
Requirements and Prerequisites for Hardware and Software Combinations 188
Guidelines and Limitations for Logical Devices 189
Guidelines and Limitations for Firepower Interfaces 189
General Guidelines and Limitations 190
Requirements and Prerequisites for High Availability 190
Configure Interfaces 190
Enable or Disable an Interface 191
Configure a Physical Interface 191
Add an EtherChannel (Port Channel) 192
Configure Logical Devices 194
Add a Standalone ASA 194
Add a High Availability Pair 196
Change an Interface on an ASA Logical Device 197
Connect to the Console of the Application 198
History for Logical Devices 200
CHAPTER 7
Transparent or Routed Firewall Mode 203
About the Firewall Mode 203
About Routed Firewall Mode 203
About Transparent Firewall Mode 203
Using the Transparent Firewall in Your Network 204
Management Interface 204
Passing Traffic For Routed-Mode Features 204
About Bridge Groups 205
Bridge Virtual Interface (BVI) 205
Bridge Groups in Transparent Firewall Mode 205
Bridge Groups in Routed Firewall Mode 206
Passing Traffic Not Allowed in Routed Mode 207
Allowing Layer 3 Traffic 207
Allowed MAC Addresses 208
BPDU Handling 208
MAC Address vs. Route Lookups 208
Unsupported Features for Bridge Groups in Transparent Mode 210
Unsupported Features for Bridge Groups in Routed Mode 210
Default Settings 212
Guidelines for Firewall Mode 212
Set the Firewall Mode (Single Mode) 213
Examples for Firewall Mode 214
How Data Moves Through the ASA in Routed Firewall Mode 214
An Inside User Visits a Web Server 214
An Outside User Visits a Web Server on the DMZ 215
An Inside User Visits a Web Server on the DMZ 216
An Outside User Attempts to Access an Inside Host 217
A DMZ User Attempts to Access an Inside Host 218
How Data Moves Through the Transparent Firewall 219
An Inside User Visits a Web Server 220
An Inside User Visits a Web Server Using NAT 221
An Outside User Visits a Web Server on the Inside Network 223
An Outside User Attempts to Access an Inside Host 224
History for the Firewall Mode 225
CHAPTER 8
Startup Wizard 229
Access the Startup Wizard 229
Guidelines for the Startup Wizard 229
Startup Wizard Screens 229
Starting Point or Welcome 229
Basic Configuration 230
Interface Screens 230
Outside Interface Configuration (Routed Mode) 230
Outside Interface Configuration - PPPoE (Routed Mode, Single Mode) 230
Management IP Address Configuration (Transparent Mode) 230
Other Interfaces Configuration 230
Static Routes 230
DHCP Server 230
Address Translation (NAT/PAT) 231
Administrative Access 231
IPS Basic Configuration 231
ASA CX Basic Configuration (ASA 5585-X) 231
ASA FirePOWER Basic Configuration 231
Time Zone and Clock Configuration 231
Auto Update Server (Single Mode) 231
Startup Wizard Summary 232
History for the Startup Wizard 232
PART II
High Availability and Scalability 235
CHAPTER 9
Multiple Context Mode 237
About Security Contexts 237
Common Uses for Security Contexts 237
Context Configuration Files 238
Context Configurations 238
System Configuration 238
Admin Context Configuration 238
How the ASA Classifies Packets 238
Valid Classifier Criteria 238
Classification Examples 239
Cascading Security Contexts 241
Management Access to Security Contexts 242
System Administrator Access 242
Context Administrator Access 242
Management Interface Usage 242
About Resource Management 243
Resource Classes 243
Resource Limits 243
Default Class 244
Use Oversubscribed Resources 245
Use Unlimited Resources 245
About MAC Addresses 246
MAC Addresses in Multiple Context Mode 246
Automatic MAC Addresses 246
VPN Support 247
Licensing for Multiple Context Mode 247
Prerequisites for Multiple Context Mode 248
Guidelines for Multiple Context Mode 248
Defaults for Multiple Context Mode 249
Configure Multiple Contexts 250
Enable or Disable Multiple Context Mode 250
Enable Multiple Context Mode 250
Restore Single Context Mode 252
Configure a Class for Resource Management 252
Configure a Security Context 256
Assign MAC Addresses to Context Interfaces Automatically 258
Change Between Contexts and the System Execution Space 258
Manage Security Contexts 259
Remove a Security Context 259
Change the Admin Context 260
Change the Security Context URL 260
Reload a Security Context 261
Reload by Clearing the Configuration 262
Reload by Removing and Re-adding the Context 262
Monitoring Security Contexts 262
Monitor Context Resource Usage 263
View Assigned MAC Addresses 264
View MAC Addresses in the System Configuration 264
View MAC Addresses Within a Context 265
History for Multiple Context Mode 265
CHAPTER 10
Failover for High Availability 271
About Failover 271
Failover Modes 271
Failover System Requirements 272
Hardware Requirements 272
Software Requirements 272
License Requirements 273
Failover and Stateful Failover Links 273
Failover Link 273
Stateful Failover Link 274
Avoiding Interrupted Failover and Data Links 275
MAC Addresses and IP Addresses in Failover 277
Stateless and Stateful Failover 279
Stateless Failover 279
Stateful Failover 279
Bridge Group Requirements for Failover 281
Bridge Group Requirements for Appliances, ASAv 281
Failover Health Monitoring 282
Unit Health Monitoring 282
Interface Monitoring 282
Failover Times 284
Configuration Synchronization 285
Running Configuration Replication 285
File Replication 286
Command Replication 286
About Active/Standby Failover 287
Primary/Secondary Roles and Active/Standby Status 287
Active Unit Determination at Startup 287
Failover Events 287
About Active/Active Failover 288
Active/Active Failover Overview 289
Primary/Secondary Roles and Active/Standby Status for a Failover Group 289
Active Unit Determination for Failover Groups at Startup 289
Failover Events 290
Licensing for Failover 291
Guidelines for Failover 292
Defaults for Failover 294
Configure Active/Standby Failover 294
Configure Active/Active Failover 295
Configure Optional Failover Parameters 296
Configure Failover Criteria and Other Settings 296
Configure Interface Monitoring and Standby Addresses 299
Configure Support for Asymmetrically Routed Packets (Active/Active Mode) 300
Manage Failover 302
Modify the Failover Setup 302
Force Failover 304
Disable Failover 305
Restore a Failed Unit 306
Re-Sync the Configuration 306
Monitoring Failover 307
Failover Messages 307
Failover Syslog Messages 307
Failover Debug Messages 307
SNMP Failover Traps 307
Monitoring Failover Status 307
System 308
Failover Group 1 and Failover Group 2 308
History for Failover 309
CHAPTER 11
Failover for High Availability in the Public Cloud 313
About Failover in the Public Cloud 313
About Active/Backup Failover 314
Primary/Secondary Roles and Active/Backup Status 314
Failover Connection 314
Polling and Hello Messages 314
Active Unit Determination at Startup 315
Failover Events 315
Guidelines and Limitations 317
Licensing for Failover in the Public Cloud 318
Defaults for Failover in the Public Cloud 318
About ASAv High Availability in Microsoft Azure 318
About the Azure Service Principal 319
Configuration Requirements for ASAv High Availability in Azure 320
Configure Active/Backup Failover 321
Configure Optional Failover Parameters 323
Configure Azure Route Tables 323
Manage Failover in the Public Cloud 324
Force Failover 324
Update Routes 324
Validate Azure Authentication 325
Monitor Failover in the Public Cloud 325
Failover Status 326
Failover Messages 326
History for Failover in the Public Cloud 327
CHAPTER 12
ASA Cluster 329
About ASA Clustering 329
How the ASA Cluster Fits into Your Network 329
Cluster Members 330
Bootstrap Configuration 330
Control and Data Unit Roles 330
Cluster Interfaces 330
Cluster Control Link 330
Configuration Replication 331
ASA Cluster Management 331
Management Network 331
Management Interface 331
Control Unit Management Vs. Data Unit Management 331
RSA Key Replication 332
ASDM Connection Certificate IP Address Mismatch 332
Inter-Site Clustering 332
Licenses for ASA Clustering 333
Requirements and Prerequisites for ASA Clustering 333
Guidelines for ASA Clustering 335
Configure ASA Clustering 340
Back Up Your Configurations (Recommended) 341
Cable the Units and Configure Interfaces 341
About Cluster Interfaces 341
Cable the Cluster Units and Configure Upstream and Downstream Equipment 350
Configure the Cluster Interface Mode on the Control Unit 350
(Recommended; Required in Multiple Context Mode) Configure Interfaces on the Control Unit 353
Create or Join an ASA Cluster 358
Run the High Availability Wizard 358
Customize the Clustering Operation 362
Configure Basic ASA Cluster Parameters 362
Configure Interface Health Monitoring and Auto-Rejoin Settings 366
Configure the Cluster TCP Replication Delay 367
Configure Inter-Site Features 368
Manage Cluster Members 371
Add a New Data Unit from the Control Unit 371
Become an Inactive Member 372
Deactivate a Data Unit from the Control Unit 373
Rejoin the Cluster 373
Leave the Cluster 374
Change the Control Unit 375
Execute a Command Cluster-Wide 376
Monitoring the ASA Cluster 377
Monitoring Cluster Status 377
Capturing Packets Cluster-Wide 377
Monitoring Cluster Resources 377
Monitoring Cluster Traffic 377
Monitoring the Cluster Control Link 378
Monitoring Cluster Routing 378
Configuring Logging for Clustering 378
Examples for ASA Clustering 378
Sample ASA and Switch Configuration 378
ASA Configuration 379
Cisco IOS Switch Configuration 380
Firewall on a Stick 381
Traffic Segregation 384
Spanned EtherChannel with Backup Links (Traditional 8 Active/8 Standby) 386
OTV Configuration for Routed Mode Inter-Site Clustering 393
Examples for Inter-Site Clustering 395
Individual Interface Routed Mode North-South Inter-Site Example 395
Spanned EtherChannel Routed Mode Example with Site-Specific MAC and IP Addresses 396
Spanned EtherChannel Transparent Mode North-South Inter-Site Example 397
Spanned EtherChannel Transparent Mode East-West Inter-Site Example 398
Reference for Clustering 399
ASA Features and Clustering 399
Unsupported Features with Clustering 399
Centralized Features for Clustering 400
Features Applied to Individual Units 401
AAA for Network Access and Clustering 402
Connection Settings 402
FTP and Clustering 402
Identity Firewall and Clustering 402
Multicast Routing and Clustering 403
NAT and Clustering 403
Dynamic Routing and Clustering 405
SCTP and Clustering 407
SIP Inspection and Clustering 407
SNMP and Clustering 407
STUN and Clustering 407
Syslog and NetFlow and Clustering 407
Cisco TrustSec and Clustering 407
VPN and Clustering 407
Performance Scaling Factor 408
Control Unit Election 408
High Availability Within the ASA Cluster 409
Unit Health Monitoring 409
Interface Monitoring 409
Status After Failure 410
Rejoining the Cluster 410
Data Path Connection State Replication 410
How the ASA Cluster Manages Connections 411
Connection Roles 411
New Connection Ownership 413
Sample Data Flow 413
Rebalancing New TCP Connections Across the Cluster 414
History for ASA Clustering 414
CHAPTER 13
ASA Cluster for the Firepower 4100/9300 Chassis 423
About Clustering on the Firepower 4100/9300 Chassis 423
Bootstrap Configuration 424
Cluster Members 424
Master and Slave Unit Roles 424
Cluster Control Link 425
Size the Cluster Control Link 425
Cluster Control Link Redundancy 426
Cluster Control Link Reliability 426
Cluster Control Link Network 426
Cluster Interfaces 427
Connecting to a VSS or vPC 427
Configuration Replication 427
ASA Cluster Management 427
Management Network 427
Management Interface 427
Control Unit Management Vs. Data Unit Management 428
RSA Key Replication 428
ASDM Connection Certificate IP Address Mismatch 428
Spanned EtherChannels (Recommended) 428
Inter-Site Clustering 429
Requirements and Prerequisites for Clustering on the Firepower 4100/9300 Chassis 430
Licenses for Clustering on the Firepower 4100/9300 Chassis 431
Licenses for Distributed S2S VPN 432
Clustering Guidelines and Limitations 433
Configure Clustering on the Firepower 4100/9300 Chassis 437
FXOS: Add an ASA Cluster 438
Create an ASA Cluster 438
Add More Cluster Members 444
ASA: Change the Firewall Mode and Context Mode 446
ASA: Configure Data Interfaces 446
ASA: Customize the Cluster Configuration 448
Configure Basic ASA Cluster Parameters 448
Configure Interface Health Monitoring and Auto-Rejoin Settings 451
Configure the Cluster TCP Replication Delay 452
Configure Inter-Site Features 453