This section lists the package contents of each chassis. Note that contents are subject to change, and your exact contents might contain additional or fewer items.
ASA 5512-X, ASA 5515-X, or ASA 5525-X
ASA 5512-X, ASA 5515-X, or ASA 5525-X Chassis
Blue Console Cable and Serial PC Terminal Adapter (DB-9 to RJ-45)
Power Cord Retainer
4 10-32 Phillips Screws for rack mounting
4 12-24 Phillips Screws for rack mounting
4 M6 Phillips Screws for rack mounting
ASA 5545-X and ASA 5555-X
ASA 5545-X or ASA 5555-X Chassis (one power supply shown)
Blue Console Cable and Serial PC Terminal Adapter (DB-9 to RJ-45)
Power Cord Retainer
Slide Rail Kit
2. License Requirements
The ASA 5500-X includes the Base or Security Plus license, depending on the version you ordered. It also comes pre-installed with the Strong Encryption (3DES/AES) license if you qualify for its use. You can optionally purchase an AnyConnect Plus or Apex license.
If you want to upgrade from the Base license to the Security Plus license, or purchase an AnyConnect license, see http://www.cisco.com/go/ccw. You will then receive an email with a Product Authorization Key (PAK) so you can obtain the license activation key. For the AnyConnect licenses, you receive a multi-use PAK that you can apply to multiple ASAs that use the same pool of user sessions.
To install additional licenses on the ASA, see the ASDM Configuration > Device Management > Licensing Activation Key page.
ASA FirePOWER Licenses
The ASA FirePOWER module uses a separate licensing mechanism from the ASA. No licenses are pre-installed, but the box includes a PAK on a printout that lets you obtain a license activation key for the following licenses:
Control and Protection—Control is also known as “Application Visibility and Control (AVC)” or “Apps”. Protection is also known as “IPS”.
The right to updates for the Control (AVC) feature is included with a Cisco support contract. For the right to use updates for the Protection (IPS) feature, you need to purchase the following subscription from http://www.cisco.com/go/ccw :
IPS—This includes entitlement to Rule, Engine, Vulnerability, and Geolocation updates. Note: This right-to use subscription does not generate a PAK/license activation key for the ASA FirePOWER module.
Other licenses that you can purchase include the following:
To install the Control and Protection licenses and other optional licenses, see Install the Licenses.
3. Power On the ASA
1. Attach the power cable to the ASA and connect it to an electrical outlet.
The power turns on automatically when you plug in the power cable; do not press the power button on the front panel. (For older models, the power does not turn on automatically; check the hardware installation guide for more information).
2. Check the Power LED on the front of the ASA; if it is solid green, the device is powered on.
3. Check the Status LED on the front of the ASA; after it is solid green, the system has passed power-on diagnostics.
4. Modify the Initial Configuration for the ASA FirePOWER Module (Optional)
The ASA ships with a default configuration that enables Adaptive Security Device Manager (ASDM) connectivity to the Management 0/0 interface. When you use a software module such as the ASA FirePOWER module, we recommend that you do not use the default configuration, which can preclude the ASA FirePOWER from reaching the Internet for updates. This section describes how to apply a new configuration so the ASA FirePOWER can access the Internet. This configuration also enables a basic usable configuration for an inside and outside network.
The following figure shows the suggested network deployment for the ASA 5500-X with the ASA FirePOWER module:
Note: If you have an inside router instead of a switch, you can skip this section and instead configure the ASA to route between management and an inside network. In this case, configure the ASA and the ASA FirePOWER Management 0/0 IP addresses to be on the same network. Be sure to configure appropriate routes on the ASA and on the ASA FirePOWER so the management network can reach the inside network, and vice versa.
This procedure lets you connect to the ASA console port and paste in a new configuration that configures the following behavior:
inside --> outside traffic flow
outside IP address from DHCP
DHCP for clients on inside
Management 0/0 belongs to the ASA FirePOWER module. The interface is Up, but otherwise unconfigured on the ASA. The ASA FirePOWER can then use this interface to access the ASA inside network and use the inside interface as the gateway to the Internet.
Note: Do not configure an IP address for this interface in the ASA configuration. Only configure an IP address in the module configuration. You should consider this interface as completely separate from the ASA in terms of routing.
ASDM access on the inside interface
To achieve the above configuration, perform the following steps.
1. Connect your computer to the ASA console port with the supplied console cable. You might need to use a third party serial-to-USB cable to make the connection.
2. Launch a terminal emulator and connect to the ASA.
3. Press the Enter key to see the following prompt:
4. Access privileged EXEC mode:
The following prompt appears:
5. Press Enter. By default, the password is blank.
6. Access global configuration mode:
7. Clear the configuration:
clear configure all
8. Copy and paste the following configuration at the prompt:
ip address dhcp setroute
ip address 192.168.1.1 255.255.255.0
object network obj_any
subnet 0 0
nat (any,outside) dynamic interface
http server enable
http 192.168.1.0 255.255.255.0 inside
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational
9. Save the new configuration:
1. Cable the following:
a. Cable the following to a Layer 2 Ethernet switch:
–GigabitEthernet 0/1 interface (inside)
–Management 0/0 interface (for the module)
Note: You can connect inside and management on the same network because the management interface acts like a separate device that belongs only to the ASA FirePOWER module.
b. Connect the outside GigabitEthernet 0/0 interface to your upstream router or WAN device.
Note: If the cable modem supplies an outside IP address that is on 192.168.1.0/24 or 192.168.10.0/24, then you must change the ASA configuration to use a different IP address. Interface IP addresses, HTTPS (ASDM) access, and DHCP server settings can all be changed using the Startup Wizard. If you change the IP address to which you are connected to ASDM, you will be disconnected when you finish the wizard. You must reconnect to the new IP address.
This procedure assumes you want to use ASDM to manage the ASA FirePOWER Module. If you want to use the Firepower Management Center, then you need to connect to the module CLI and run the setup script; see the ASA FirePOWER quick start guide.
1. On the computer connected to the ASA, launch a web browser.
3. Click one of the available options: Install ASDM Launcher, Run ASDM, or Run Startup Wizard.
4. Follow the onscreen instructions to launch ASDM according to the option you chose. The Cisco ASDM-IDM Launcher appears.
If you click Install ASDM Launcher, in some cases you need to install an identity certificate for the ASA and a separate certificate for the ASA FirePOWER module according to Install an Identity Certificate for ASDM.
5. Leave the username and password fields empty, and click OK. The main ASDM window appears.
6. If you are prompted to provide the IP address of the installed ASA FirePOWER module, cancel out of the dialog box. You must first set the module IP address to the correct IP address using the Startup Wizard.
ASDM can change the ASA FirePOWER module IP address settings over the ASA backplane; but for ASDM to then manage the module, ASDM must be able to reach the module (and its new IP address) on the Management 0/0 interface over the network. The recommended deployment allows this access because the module IP address is on the inside network. If ASDM cannot reach the module on the network after you set the IP address, then you will see an error.
7. Choose Wizards > Startup Wizard.
8. Configure additional ASA settings as desired, or skip screens until you reach the ASA FirePOWER Basic Configuration screen.
Set the following values to work with the default configuration:
– IP Address —192.168.1.2
– Subnet Mask —255.255.255.0
– Gateway —192.168.1.1
9. Click I accept the agreement, and click Next or Finish to complete the wizard.
10. Quit ASDM, and then relaunch. You should see ASA FirePOWER tabs on the Home page.
6. Run Other ASDM Wizards and Advanced Configuration
ASDM includes many wizards to configure your security policy. See the Wizards menu for all available wizards.
The Control and Protection licenses are provided by default and the Product Authorization Key (PAK) is included on a printout in your box. If you ordered additional licenses, you should have PAKs for those licenses in your email.
1. Obtain the License Key for your chassis by choosing Configuration > ASA FirePOWER Configuration > Licenses and clicking Add New License.
The License Key is near the top; for example, 72:78:DA:6E:D9:93:35.
1. To send traffic to the module, choose Configuration > Firewall > Service Policy Rules.
2. Choose Add > Add Service Policy Rule.
3. Choose whether to apply the policy to a particular interface or apply it globally and click Next.
4. Configure the traffic match. For example, you could match Any Traffic so that all traffic that passes your inbound access rules is redirected to the module. Or, you could define stricter criteria based on ports, ACL (source and destination criteria), or an existing traffic class. The other options are less useful for this policy. After you complete the traffic class definition, click Next.
5. On the Rule Actions page, click the ASA FirePOWER Inspection tab.
6. Check the Enable ASA FirePOWER for this traffic flow check box.
7. In the If ASA FirePOWER Card Fails area, click one of the following:
– Permit traffic —Sets the ASA to allow all traffic through, uninspected, if the module is unavailable.
– Close traffic —Sets the ASA to block all traffic if the module is unavailable.
8. (Optional) Check Monitor-only to send a read-only copy of traffic to the module, i.e. passive mode.
9. Click Finish and then Apply.
Repeat this procedure to configure additional traffic flows as desired.
8. Where to Go Next
For more information about the ASA FirePOWER module and ASA operation, see the “ASA FirePOWER Module” chapter in the ASA/ASDM firewall configuration guide, or the ASDM online help. You can find links to all ASA/ASDM documentation at Navigating the Cisco ASA Series Documentation.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)