Service providers offer managed WAN service in their portfolio. The Cisco ASA Firepower platform provides a unified threat management feature set that lets them offer differentiated services. An ASA Firepower device has a separate management interface that connects to a LAN device; however, connecting the management interface to a LAN device creates a dependency on that LAN device.
This document provides a solution that allows you to manage a Cisco ASA Firepower (SFR) module without connecting to a LAN device or using a second interface from the service provider edge device.
ASA 5500-X series platform with Firepower (SFR) services.
Management interface which is shared between the ASA and Firepower module.
Single dedicated internet access handoff from Service Provider edge device to ASA Firepower.
Access to the management interface is necessary in order to change the interface state to up.
The management interface of the ASA should stay up in order to manage the Firepower module.
Management connectivity should not be lost if the customer disconnects the LAN device.
Management architecture should support Active/Backup WAN failover.
The following configuration allows you to manage the SFR module remotely over VPN, without any LAN connectivity as a prerequisite.
Connect the Management 1/1 interface to the GigabitEthernet1/8 interface using an Ethernet cable.
Note: The ASA Firepower module must use the Management 1/x (1/0 or 1/1) interface to send and receive management traffic. Since the Management 1/x interface is not on the data plane, you need to physically cable the management interface to another LAN device in order to pass traffic through the ASA over the control plane.
As part of the one-box solution, you connect the Management 1/1 interface to the GigabitEthernet1/8 interface using an Ethernet cable.
GigabitEthernet 1/8 Interface: 192.168.10.1/24
SFR Management Interface: 192.168.10.2/24
SFR Gateway: 192.168.10.1
Management 1/1 Interface: The management interface does not have any IP address configured. The management-access command should be configured for management (MGMT) purposes.
The local and remote traffic will be on the following subnets:
Local traffic is on the management subnet 192.168.10.0/24.
Remote traffic is on 192.168.11.0/24 subnet.
VPN and NAT
Define the VPN policies.
The NAT command should be configured with the route-lookup keyword, so that the egress interface is determined by a route lookup instead of by the interface specified in the NAT command.
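Putting the addressing above together as one ASA configuration, as an added example that is not the document's own configuration: the interface names (sfr-mgmt, outside), the object names, the VPN peer 203.0.113.2 and the pre-shared-key placeholder are assumptions; the 192.168.10.0/24 and 192.168.11.0/24 addressing comes from the text.

```cisco
! Added example, not the document's configuration. Interface names, object
! names, peer 203.0.113.2 and the PSK placeholder are assumptions.
!
! GigabitEthernet1/8 is the SFR module's gateway (192.168.10.1/24).
interface GigabitEthernet1/8
 nameif sfr-mgmt
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Management1/1 is cabled to GigabitEthernet1/8 and carries no ASA IP address;
! it only needs to be up so the module can reach its gateway.
interface Management1/1
 management-only
 no ip address
 no shutdown
!
! Let management sessions that arrive over the VPN terminate on sfr-mgmt.
management-access sfr-mgmt
!
object network MGMT-LOCAL
 subnet 192.168.10.0 255.255.255.0
object network MGMT-REMOTE
 subnet 192.168.11.0 255.255.255.0
!
! Identity NAT for VPN-bound management traffic. route-lookup makes the ASA
! pick the egress interface from the routing table, not from "(sfr-mgmt,outside)".
nat (sfr-mgmt,outside) source static MGMT-LOCAL MGMT-LOCAL destination static MGMT-REMOTE MGMT-REMOTE no-proxy-arp route-lookup
!
! Site-to-site IKEv2 VPN carrying traffic between the two management subnets.
access-list VPN-MGMT extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map VPN-MAP 10 match address VPN-MGMT
crypto map VPN-MAP 10 set peer 203.0.113.2
crypto map VPN-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map VPN-MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
!
! On the module CLI (session sfr console), set its management address and gateway:
! configure network ipv4 manual 192.168.10.2 255.255.255.0 192.168.10.1
```

The remote side mirrors the crypto ACL with the subnets swapped; once the tunnel is up, the management host on 192.168.11.0/24 reaches the module at 192.168.10.2 through the ASA without any LAN device attached.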