Cisco Firepower Threat Defense for the ASA 5506-X Series Using Firepower Device Manager Quick Start Guide
4. Deploy the Firepower Threat Defense in Your Network
Note: The physical management interface is shared between the Management logical interface and the Diagnostic logical interface; see the “Interfaces” chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
The Firepower Threat Defense system requires Internet access for licensing and updates. The system can obtain system database updates through the gateway for the outside interface. You do not need to have an explicit route from the management port or network to the Internet. The default is to use internal routes through the data interfaces.
About the Default Configuration (Version 6.1)
The default configuration assumes that you will connect the management and inside interfaces to the same network using a switch. The inside interface is configured as a DHCP server, so you can attach your management workstation to the same switch and get an address through DHCP on the same network. Then you can open the Firepower Device Manager web interface.
For complete information about the default configuration, see the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
The following figure shows the recommended network deployment for Firepower Threat Defense on the ASA 5506-X series of appliances, including the ASA 5506W-X with the built-in wireless access point.
Figure 4: Suggested Network Deployment - Version 6.1
Note: You must use a separate inside switch in your deployment.
The example configuration enables the above network deployment with the following behavior.
• inside --> outside traffic flow
• outside IP address from DHCP
• (ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow
• DHCP for clients on inside and wifi. The access point itself and all its clients use the ASA as the DHCP server.
• Management 1/1 is used to set up and manage the device using the Firepower Device Manager, a simplified single-device manager included on the box.
• The Management interface requires Internet access for updates. When you put Management on the same network as an inside interface, you can deploy the Firepower Threat Defense device with only a switch on the inside and point to the inside interface as its gateway.
• The physical management interface is shared between the Management logical interface and the Diagnostic logical interface; see the “Interfaces” chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.
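As an added example that is not part of the Cisco guide, the Python model below encodes the default deployment described above (the subnets and interface addresses shown in Figure 4) and checks a set of connection records against the documented default flows, so a practitioner can tell whether an observed connection is one the default configuration accounts for. It assumes that flows the guide does not list are not expected by default; the sample connection records are constructed.

```python
from ipaddress import ip_address, ip_network

# Directly connected networks and the FTD address on each, taken from Figure 4.
INTERFACES = {
    "inside": (ip_network("192.168.45.0/24"), ip_address("192.168.45.1")),
    "wifi": (ip_network("192.168.10.0/24"), ip_address("192.168.10.1")),
}
MANAGEMENT_IP = ip_address("192.168.45.45")  # Management 1/1 shares the inside network

# Traffic flows the default configuration enables, as (source zone, destination zone).
# Assumption of this model: any flow not listed here is not expected by default.
ALLOWED_FLOWS = {
    ("inside", "outside"),
    ("wifi", "inside"), ("inside", "wifi"),  # wifi <--> inside
    ("wifi", "outside"),
}

def zone_for(ip):
    """Zone whose subnet contains ip; anything not directly connected is 'outside'."""
    addr = ip_address(ip)
    for name, (net, _) in INTERFACES.items():
        if addr in net:
            return name
    return "outside"

def dhcp_server_for(ip):
    """FTD interface address that serves DHCP to a client at ip (None if not a client network)."""
    zone = zone_for(ip)
    return INTERFACES[zone][1] if zone in INTERFACES else None

def unexpected_flows(records):
    """Keep only the (src, dst) records that do not match a documented default flow."""
    return [(s, d) for s, d in records
            if (zone_for(s), zone_for(d)) not in ALLOWED_FLOWS]

def management_gateway_ok(gateway="192.168.45.1"):
    """Management uses the inside interface as its gateway, so both must share a network."""
    gw = ip_address(gateway)
    inside_net, inside_ip = INTERFACES["inside"]
    return gw == inside_ip and MANAGEMENT_IP in inside_net

# Constructed sample connection records (not from the guide).
SAMPLE_FLOWS = [
    ("192.168.45.100", "203.0.113.10"),   # inside -> outside: documented
    ("192.168.10.50", "192.168.45.100"),  # wifi -> inside: documented
    ("192.168.10.50", "198.51.100.5"),    # wifi -> outside: documented
    ("203.0.113.10", "192.168.45.45"),    # outside -> Management: not a default flow
]
```

Running `unexpected_flows(SAMPLE_FLOWS)` returns only the outside-to-Management record, which is the connection a defender would want to investigate in this topology.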
[Figure 4 diagram: the Management Computer (DHCP from inside, 192.168.45.x) and Management 1/1 (IP address 192.168.45.45) connect to a Layer 2 switch on the inside network; inside is GigabitEthernet 1/2 (192.168.45.1); outside is GigabitEthernet 1/1 toward the gateway and the Internet; wifi is GigabitEthernet 1/9 (internal), 192.168.10.1, with the access point (AP) at 192.168.10.2.]