These models run the ASA FirePOWER module as a software module, and the ASA
FirePOWER module shares the Management 0/0 or Management 1/1 interface
(depending on your model) with

All management traffic to and from the ASA FirePOWER module must enter and exit
the Management interface. The ASA FirePOWER module also needs Internet access.
Management traffic cannot pass through the ASA over the backplane; therefore you
need to physically cable the management interface to an ASA interface to reach
the

If you do not configure a name and IP address in the ASA configuration for
Management, then the interface belongs exclusively to the module. In this case,
the Management interface is not a regular ASA interface, and you can:
Configure the ASA FirePOWER IP address to be on the same network as a regular ASA data interface.
Specify the data interface as the ASA FirePOWER gateway.
the Management interface to the data interface (using a Layer2 switch).

See the following typical cabling setup to allow ASA FirePOWER access to the
Internet through the ASA inside interface.

For the ASA 5508-X, and 5516-X, the default configuration enables the above
network deployment; the only change you need to make is to set the module IP
address to be on the same network as the ASA inside interface and to configure
the module gateway IP address.

For other models, you must remove the ASA-configured name and IP address for
Management 0/0 or 1/1, and then configure the other interfaces as indicated
above.

If you want to deploy a separate router on the inside network, then you can
route between management and inside. In this case, you can manage both the ASA
and ASA FirePOWER module on the Management interface with the appropriate
configuration changes, including configuring the ASA name and IP address for the
Management interface (on the same network as the ASA FirePOWER module address).
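
The addressing rules above can be checked before you cable and configure the device. The following Python sketch is an added example, not Cisco code; the function name and all addresses are constructed for illustration, and the requirement that the module gateway in the routed layout sits on the management network is an assumption.

```python
import ipaddress

def check_module_addressing(inside_if, module_ip, module_gw, asa_mgmt_if=None):
    """Return a list of problems; an empty list means the plan fits the layout.

    inside_if   -- ASA inside interface as 'address/prefix'
    module_ip   -- ASA FirePOWER module management address
    module_gw   -- gateway configured on the module
    asa_mgmt_if -- ASA-configured Management 'address/prefix', or None when
                   the interface belongs exclusively to the module
    """
    problems = []
    inside = ipaddress.ip_interface(inside_if)
    mod = ipaddress.ip_address(module_ip)
    gw = ipaddress.ip_address(module_gw)

    if asa_mgmt_if is None:
        # Switched layout: module sits on the inside network and uses the
        # ASA inside interface as its gateway.
        net = inside.network
        if mod not in net:
            problems.append(f"module {mod} is not on inside network {net}")
        if gw != inside.ip:
            problems.append(f"module gateway {gw} is not the inside interface {inside.ip}")
        if mod == inside.ip:
            problems.append("module address duplicates the inside interface address")
    else:
        # Routed layout: ASA Management address and module address share one
        # network, and a separate router routes between it and inside.
        mgmt = ipaddress.ip_interface(asa_mgmt_if)
        net = mgmt.network
        if net.overlaps(inside.network):
            problems.append(f"management network {net} overlaps inside {inside.network}")
        if mod not in net:
            problems.append(f"module {mod} is not on ASA Management network {net}")
        if mod == mgmt.ip:
            problems.append("module address duplicates the ASA Management address")
        if gw not in net or gw == mod:  # assumption: gateway is a router on this network
            problems.append(f"module gateway {gw} is not a usable next hop on {net}")

    # Reject the network and broadcast addresses on ordinary subnets.
    if net.prefixlen < net.max_prefixlen - 1 and mod in (net.network_address, net.broadcast_address):
        problems.append(f"module {mod} is the network or broadcast address of {net}")
    return problems

if __name__ == "__main__":
    # Constructed sample plan: module left on a different network than inside.
    for p in check_module_addressing("192.168.1.1/24", "192.168.45.45", "192.168.45.1"):
        print("FAIL:", p)
```
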