To enable communication between AUS and devices, you must configure transport settings on the devices before you add them to AUS or the Security Manager inventory. You configure devices according to the functionality you need.
Before you can manage a PIX firewall or an ASA device using AUS, you must set up the device with a minimum configuration that provides basic connectivity. See the User Guide for Cisco Security Manager for details about setting up basic connectivity.
In addition to basic connectivity, you need to configure some settings specific to AUS. The following procedures describe how to configure and verify these settings using the command line interface on the device. You can also use the PIX Firewall Device Manager (PDM) Setup wizard to configure a PIX version 6.3 device, or the Adaptive Security Device Manager (ASDM) Startup Wizard to configure PIX 7.0+ or ASA devices. See the ASA, ASDM, and PDM documentation for more information.
Note: ASA devices must be bootstrapped with the asdm image and boot system commands to manage ASDM and ASA software images using AUS. For more information, see Configuring the Software Image and ASDM Image to Boot.
To bootstrap a PIX or ASA device to operate with AUS, follow these steps from the console terminal connected to the device console port:
By default, the security appliance boots the first software image it finds in internal Flash memory. It also boots the first ASDM image it finds in internal Flash memory, or if none exists there, then in external Flash memory. If you have more than one image, you should specify the image you want to boot. In the case of the ASDM image, if you do not specify the image to boot, even if you have only one image installed, then the security appliance inserts the asdm image command into the running configuration. To avoid problems with auto update (if configured), and to avoid the image search at each startup, you should specify the ASDM image you want to boot in the startup configuration.
You must use the boot system and asdm image commands on your security appliance to point to the versions of the images in Flash memory that are downloaded to the device using AUS. Otherwise, the existing image on the security appliance is overwritten with the latest version being downloaded from AUS and the update of the ASDM image might fail.
Also, the configuration file that is assigned to a security appliance must point to the same boot software image and ASDM image that are configured on the device. Otherwise, the existing image on the security appliance is overwritten with the latest version being downloaded from AUS.
If you see the following messages on the security appliance, make sure that the ASDM image on the security appliance is compatible with the current version. You can verify this condition by viewing the output of the show run command on the device.
The following explains how to configure these settings using the device command line. You can also configure these settings in Security Manager using the Platform > Device Admin > Boot Image/Configuration policy.
where url is one of the following:
– {flash:/ | disk0:/ | disk1:/}[path/]filename
The flash:/ keyword represents the internal Flash memory on the PIX 500 series security appliance. You can enter flash:/ or disk0:/ for the internal Flash memory on the ASA 5500 series adaptive security appliance. The disk1:/ keyword represents the external Flash memory on the ASA.
– tftp://[user[:password]@]server[:port]/[path/]filename
This option is only supported for the ASA 5500 series adaptive security appliance.
You can enter up to four boot system command entries to specify different images to boot from in order; the security appliance boots the first image it finds. Only one boot system tftp: command can be configured, and it must be the first one configured.
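The rules above (at most four boot system entries, a single tftp entry that must be configured first, and an explicit asdm image command) can be checked offline against saved show run output. The following Python check is an added example, not Cisco code; the function name, finding codes and sample configuration are constructed for illustration, and the URL_PASSWORD finding is an added hygiene check that this page does not itself require.

```python
import re

# Constructed running-config excerpt; addresses and filenames are placeholders.
SAMPLE_CONFIG = """\
hostname edge-fw
boot system disk0:/asa-image-a.bin
boot system tftp://backup:secret@192.0.2.10/images/asa-image-b.bin
boot system disk1:/asa-image-c.bin
"""

# URL forms taken from the syntax listed on this page.
LOCAL_RE = re.compile(r"^(?:flash|disk0|disk1):/\S+$")
TFTP_RE = re.compile(
    r"^tftp://(?:[^:@/]+(?::(?P<pw>[^@/]*))?@)?[^/@:]+(?::\d+)?/\S+$")


def audit_boot_config(config_text):
    """Return finding codes for the boot system / asdm image rules above."""
    boot, asdm, findings = [], [], []
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:2] == ["boot", "system"] and len(words) == 3:
            boot.append(words[2])
        elif words[:2] == ["asdm", "image"] and len(words) == 3:
            asdm.append(words[2])

    if not boot:
        findings.append("NO_BOOT_SYSTEM")      # first image found gets booted
    if len(boot) > 4:
        findings.append("TOO_MANY_BOOT")       # at most four entries
    tftp_positions = []
    for index, url in enumerate(boot):
        match = TFTP_RE.match(url)
        if match:
            tftp_positions.append(index)
            if match.group("pw"):
                findings.append("URL_PASSWORD")  # password stored in config
        elif not LOCAL_RE.match(url):
            findings.append("BAD_URL")         # not a form listed on this page
    if len(tftp_positions) > 1:
        findings.append("MULTIPLE_TFTP")       # only one tftp entry allowed
    if tftp_positions and tftp_positions[0] != 0:
        findings.append("TFTP_NOT_FIRST")      # tftp entry must come first
    if not asdm:
        findings.append("NO_ASDM_IMAGE")       # appliance would insert its own
    return findings


if __name__ == "__main__":
    print(audit_boot_config(SAMPLE_CONFIG))
```

An empty list means the excerpt satisfies every rule checked here; the check does not compare the configured filenames against the images AUS is assigned to deliver.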