Cisco ASA for the ISA 3000 Series Quick Start Guide

The Cisco ISA 3000 is a powerful rack-mountable, hardened firewall that runs the ASA software and also includes the integrated FirePOWER software module. The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation Intrusion Prevention System (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP).

Package Contents

This section lists the package contents of the chassis. Note that contents are subject to change, and your exact contents might contain additional or fewer items.

Figure 1. ISA 3000 Package Contents

  1  ISA 3000 chassis
  2  2 DC Power connectors
  3  Alarm connector (not shown)

License Requirements

Licenses are required to enable special features.

ASA Licenses

The ISA 3000 includes the Base or Security Plus license, depending on the version you ordered. The Security Plus license provides more firewall connections, VPN connections, failover capability, and VLANs.

It also comes pre-installed with the Strong Encryption (3DES/AES) license if you qualify for its use; this license is not available for some countries depending on United States export control policy. The Strong Encryption license allows traffic with strong encryption, such as VPN traffic. If you need to manually request the Strong Encryption license (which is free), see https://www.cisco.com/go/license.

You can optionally purchase an AnyConnect Plus or Apex license, which allows AnyConnect VPN client connections.

If you want to upgrade from the Base license to the Security Plus license, or purchase an AnyConnect license, see http://www.cisco.com/go/ccw. See also the Cisco AnyConnect Ordering Guide and the AnyConnect Licensing Frequently Asked Questions (FAQ). You will then receive an email with a Product Authorization Key (PAK) so you can obtain the license activation key. For the AnyConnect licenses, you receive a multi-use PAK that you can apply to multiple ASAs that use the same pool of user sessions.


Note

The serial number used for licensing is different from the chassis serial number printed on the outside of your hardware. The chassis serial number is used for technical support, but not for licensing. To view the licensing serial number, enter the show version | grep Serial command or see the ASDM Configuration > Device Management > Licensing Activation Key page.


ASA FirePOWER Licenses

The ASA FirePOWER module uses a separate licensing mechanism from the ASA. No licenses are pre-installed, but the box includes a PAK on a printout that lets you obtain a license activation key for the following licenses:

  • Control and Protection—Control is also known as “Application Visibility and Control (AVC)” or “Apps”. Protection is also known as “IPS”. In addition to the activation key for these licenses, you also need “right-to-use” subscriptions for automated updates for these features.

    The Control (AVC) updates are included with a Cisco support contract.

    The Protection (IPS) updates require you to purchase the IPS subscription from http://www.cisco.com/go/ccw. This subscription includes entitlement to Rule, Engine, Vulnerability, and Geolocation updates. Note: This right-to-use subscription does not generate or require a PAK/license activation key for the ASA FirePOWER module; it just provides the right to use the updates.

Other licenses that you can purchase include the following:

  • Advanced Malware Protection (AMP)

  • URL Filtering

These licenses do generate a PAK/license activation key for the ASA FirePOWER module. See the Cisco Firepower System Feature Licenses for more information.

To install the Control and Protection licenses and other optional licenses, see Install the Licenses.

Deploy the ISA 3000 in Your Network

The following figure shows the recommended network deployment for the ISA 3000 with the ASA FirePOWER module:

Figure 2. ISA 3000 Network

The default factory configuration for the ISA 3000 configures the following:

  • Transparent firewall mode—A transparent firewall is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.

  • 1 Bridge Virtual Interface—All bridge group member interfaces are in the same network (the IP address is not pre-configured; you must set it to match your network): GigabitEthernet 1/1 (outside1), GigabitEthernet 1/2 (inside1), GigabitEthernet 1/3 (outside2), GigabitEthernet 1/4 (inside2).

  • All inside and outside interfaces can communicate with each other.

  • Management 1/1 interface—192.168.1.1/24 for Adaptive Security Device Manager (ASDM) HTTPS access.

  • DHCP for clients on management.

  • ASDM clients—Management hosts allowed.

  • Hardware bypass is enabled for the following interface pairs: GigabitEthernet 1/1 & 1/2; GigabitEthernet 1/3 & 1/4.


    Note

    When the ISA 3000 loses power and goes into hardware bypass mode, only the above interface pairs can communicate; inside1 and inside2, and outside1 and outside2 can no longer communicate. Any existing connections between these interfaces will be lost. When the power comes back on, there is a brief connection interruption as the ASA takes over the flows.


  • ASA FirePOWER module—All traffic is sent to the module in Inline Tap Monitor-Only Mode. This mode sends a duplicate stream of traffic to the ASA FirePOWER module for monitoring purposes only.

  • Precision Time Protocol—PTP traffic is not sent to the FirePOWER module.
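The interface and management part of the default layout above, written out as ASA CLI configuration. This is an added example, not the factory configuration file; the BVI address 10.1.1.5/24, the DHCP pool range and the security levels are assumptions you replace with your own values, and the access rules that let the inside and outside segments talk to each other are omitted.

```cisco
! Added example (not the factory configuration): ASA CLI equivalent of the
! default ISA 3000 layout. Values marked "assumed" are constructed.
firewall transparent
!
! Four data interfaces in one bridge group; the ASA is not a router hop between them.
interface GigabitEthernet1/1
 bridge-group 1
 nameif outside1
 security-level 0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif outside2
 security-level 0
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside2
 security-level 100
!
! In transparent mode the IP address lives on the BVI, not on the member interfaces.
! 10.1.1.5/24 is assumed; it must be on the same subnet as the inside and outside routers.
interface BVI1
 ip address 10.1.1.5 255.255.255.0
!
! Hardware bypass on both port pairs (the pairs that keep passing traffic on power loss).
hardware-bypass GigabitEthernet 1/1-1/2
hardware-bypass GigabitEthernet 1/3-1/4
!
! Management 1/1: 192.168.1.1/24, ASDM over HTTPS, DHCP for management hosts.
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.5-192.168.1.254 management
dhcpd enable management
```

Compare against `show running-config` on a factory unit before relying on any of the assumed values.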

Perform the following steps to cable your network.

Figure 3. Cabling

Procedure


Step 1

Connect GigabitEthernet 1/1 to an outside router, and GigabitEthernet 1/2 to an inside router.

These interfaces form a hardware bypass pair.

Step 2

Connect GigabitEthernet 1/3 to a redundant outside router, and GigabitEthernet 1/4 to a redundant inside router.

These interfaces form a hardware bypass pair. These interfaces provide a redundant network path if the other pair fails. All 4 of these data interfaces are on the same network of your choice. You will need to configure the BVI 1 IP address to be on the same network as the inside and outside routers.

Step 3

Connect Management 1/1 to your management PC (or network).

You will need to configure the FirePOWER module IP address to be on the same network so your PC can manage both the ASA and the FirePOWER module.


Power On the ISA 3000

Power on the ISA 3000, and check the power up progress.

Procedure


Step 1

Refer to the instructions for proper wiring of the power plug in the hardware installation guide.

Step 2

Attach the power plug to the ISA 3000 after wiring it to the DC power source.

Step 3

Check the Status LEDs. If the DC_A and DC_B LEDs show green, then power is on.


Launch ASDM

This procedure assumes you want to use ASDM to manage the ASA FirePOWER Module. If you want to use the Firepower Management Center, then you need to connect to the module CLI and run the setup script; see the ASA FirePOWER quick start guide.

Before you begin

See the ASDM release notes on Cisco.com for the requirements to run ASDM.

Procedure


Step 1

On the computer connected to the ISA 3000, launch a web browser.

Step 2

In the Address field, enter the following URL: https://192.168.1.1/admin. The Cisco ASDM web page appears.

Step 3

Click one of the available options: Install ASDM Launcher, Run ASDM, or Run Startup Wizard.

Step 4

Follow the onscreen instructions to launch ASDM according to the option you chose. The Cisco ASDM-IDM Launcher appears.

Step 5

Leave the username and password fields empty, and click OK. The main ASDM window appears.

Step 6

If you are prompted to provide the IP address of the installed ASA FirePOWER module, cancel out of the dialog box. You must first set the module IP address to the correct IP address using the Startup Wizard.

Step 7

Choose Wizards > Startup Wizard.

Step 8

Configure ASA settings, or skip screens until you reach the Management IP Address Configuration screen.

Ensure that the BVI has an IP address on the same subnet as the local network connected to the data interfaces (GigabitEthernet 1/1-1/4).

Figure 4. BVI IP Address Screen

Step 9

Configure additional ASA settings, or skip screens until you reach the ASA FirePOWER Basic Configuration screen.

Set the following values to work with the default configuration:

  • IP Address—192.168.1.2

  • Subnet Mask—255.255.255.0

  • Gateway—192.168.1.1

Figure 5. ASDM Startup Wizard

Step 10

Click I accept the agreement, and click Next or Finish to complete the wizard.

Step 11

Quit ASDM, and then relaunch. You should see ASA FirePOWER tabs on the Home page.


Run Other ASDM Wizards and Advanced Configuration

ASDM includes many wizards to configure your security policy. See the Wizards menu for all available wizards.

To continue configuring your ISA 3000, see the documents available for your software version at Navigating the Cisco ASA Series Documentation.

Configure the ASA FirePOWER Module

Use ASDM to install licenses, configure the module security policy, and send traffic to the module.


Note

You can alternatively use the Firepower Management Center to manage the ASA FirePOWER module. See the ASA FirePOWER Module Quick Start Guide for more information.


Procedure


Step 1

Install the Licenses.

Step 2

Configure the ASA FirePOWER Security Policy.

Step 3

Change the ASA FirePOWER Module to Inline Mode.


Install the Licenses

The Control and Protection licenses are provided by default and the Product Authorization Key (PAK) is included on a printout in your box. If you ordered additional licenses, you should have PAKs for those licenses in your email.

Procedure


Step 1

Obtain the License Key for your chassis by choosing Configuration > ASA FirePOWER Configuration > Licenses and clicking Add New License.

The License Key is near the top; for example, 72:78:DA:6E:D9:93:35.

Step 2

Click Get License to launch the licensing portal. Alternatively, in your browser go to https://www.cisco.com/go/license.

Step 3

Enter the PAKs separated by commas in the Get New Licenses field, and click Fulfill.

Step 4

Provide the License Key and email address and other fields.

Step 5

Copy the resulting license activation key from either the website display or from the zip file attached to the licensing email that the system automatically delivers.

Step 6

Return to the ASDM Configuration > ASA FirePOWER Configuration > Licenses > Add New License screen.

Step 7

Paste the license activation key into the License box.

Step 8

Click Verify License to ensure that you copied the text correctly, and then click Submit License after verification.

Step 9

Click Return to License Page.


Configure the ASA FirePOWER Security Policy

Configure the security policy for traffic that you send from the ISA 3000 to the ASA FirePOWER module.

Procedure


Choose Configuration > ASA FirePOWER Configuration to configure the ASA FirePOWER security policy.

Use the ASA FirePOWER pages in ASDM to learn about the ASA FirePOWER security policy. You can click Help in any page, or choose Help > ASA FirePOWER Help Topics, to learn more about how to configure policies.

See also the ASA FirePOWER module configuration guide.


Change the ASA FirePOWER Module to Inline Mode

The default ISA 3000 configuration sends all traffic to the ASA FirePOWER module in Inline Tap Monitor-Only Mode. This mode sends a duplicate stream of traffic to the module for monitoring purposes only. If you want to change to inline mode, where the module policy affects traffic, or to change which traffic is sent to the module, perform the following steps.

Procedure


Step 1

Choose Configuration > Firewall > Service Policy Rules.

Step 2

Under Global; Policy: global_policy, select sfrclass, and click Edit.

Figure 6. sfrclass Rule

Step 3

(Optional) Click the ACL tab to change the traffic to send to the module.

By default, the ASA sends all incoming traffic to the module.

Step 4

Click the Rule Actions tab, and then click the ASA FirePOWER Inspection tab.

Step 5

Uncheck the Enable Monitor Only check box to set it to inline mode.

Figure 7. Uncheck Monitor Only

Step 6

(Optional) In the If ASA FirePOWER Card Fails area, click one of the following:

  • Permit traffic—(Default) Sets the ASA to allow all traffic through, uninspected, if the module is unavailable.

  • Close traffic—Sets the ASA to block all traffic if the module is unavailable.

Step 7

Click OK and then Apply.
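The CLI form of Steps 2 through 7, as an added example that is not from this guide. The access-list name sfrAcl is assumed, and the PTP exclusion (UDP ports 319 and 320) is one way to keep PTP out of inspection; the guide does not show how the factory configuration names its ACL or excludes PTP.

```cisco
! Added example (not from this guide): CLI equivalent of the ASDM steps above.
! Access-list name "sfrAcl" is assumed; the factory configuration may use another name.
!
! ACL tab (Step 3): choose which traffic reaches the module. PTP over UDP
! (event port 319, general port 320) is kept out; everything else is redirected.
access-list sfrAcl extended deny udp any any eq 319
access-list sfrAcl extended deny udp any any eq 320
access-list sfrAcl extended permit ip any any
!
class-map sfrclass
 match access-list sfrAcl
!
! Factory default: monitor-only. A copy of the traffic is sent; the module cannot block.
policy-map global_policy
 class sfrclass
  sfr fail-open monitor-only
!
! Steps 5-6: inline mode, so the module policy enforces. Pick the failure behaviour:
!   fail-open  = "Permit traffic": a module outage lets matched traffic through uninspected (default)
!   fail-close = "Close traffic": a module outage blocks all matched traffic
policy-map global_policy
 class sfrclass
  no sfr fail-open monitor-only
  sfr fail-close
!
service-policy global_policy global
```

After applying, `show service-policy sfr` reports the current mode and whether the module is up.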