In the book Cisco Next-Generation Security Solutions: All-in-one Cisco ASA Firepower Services, NGIPS, and AMP, written by Omar Santos, the author covers the design of Cisco ASA with FirePOWER Services in depth.
The following excerpt is taken from the chapter on Cisco ASA FirePOWER Management Options.
There are several options available for network security administrators to manage the Cisco ASA FirePOWER module. The Cisco ASA FirePOWER module provides a basic command-line interface (CLI) for initial configuration and troubleshooting only. Network security administrators can configure security policies on the Cisco ASA FirePOWER module using either of these methods:
- Administrators can configure the Cisco Firepower Management Center hosted on a separate appliance or deployed as a virtual machine (VM).
- Administrators can configure the Cisco ASA FirePOWER module deployed on Cisco ASA 5506-X, 5508-X, and 5516-X using Cisco’s Adaptive Security Device Manager (ASDM).
Figure 1 shows a Cisco ASA with FirePOWER Services being managed by a Cisco Firepower Management Center (FMC) in a VM.
Figure 1: Cisco ASA with FirePOWER Services Managed by a Cisco Firepower Management Center
In Figure 1 the Cisco Firepower Management Center manages the Cisco ASA FirePOWER module via its management interface. The following section provides important information about configuring and accessing the Cisco ASA FirePOWER module management interface.
Accessing the Cisco ASA FirePOWER Module Management Interface in Cisco ASA 5585-X Appliances
In the Cisco ASA 5585-X, the Cisco ASA FirePOWER module includes a separate management interface. All management traffic to and from the Cisco ASA FirePOWER module must enter and exit this management interface, and the management interface cannot be used as a data interface.
The Cisco ASA FirePOWER module needs Internet access to perform several operations, such as automated system software updates and threat intelligence updates. If the module is managed by the Firepower Management Center, the FMC is the one that needs to have Internet access to perform those tasks.
Figure 2 shows an example of how you can physically connect the Cisco ASA FirePOWER module management interface to be able to reach the Internet via the Cisco ASA interface.
Figure 2: Cisco ASA 5585-X FirePOWER Module Management Interface
In Figure 2, the Cisco ASA 5585-X has two modules:
- A module running Cisco ASA software
- A module running FirePOWER Services
The Cisco ASA is managed via the interface named management 0/0 in this example. This interface is configured with the IP address 192.168.1.1. The Cisco ASA FirePOWER module is managed via the interface named management 1/0, configured with the IP address 192.168.1.2. The Cisco ASA FirePOWER module is being managed by a virtual Cisco Firepower Management Center. Both interfaces are connected to a Layer 2 switch in this example.
NOTE: You can use other cabling options with the Cisco ASA FirePOWER module management interface to reach the Internet, depending on how you want to connect your network. However, the example illustrated in Figure 2 is one of the most common scenarios.
In order for the Cisco ASA FirePOWER module management interface to have an Internet connection, the default gateway of the Cisco ASA FirePOWER module is set to the Cisco ASA management interface IP address (192.168.1.1 in this example). Figure 3 illustrates the logical connection between the Cisco ASA FirePOWER module management interface and the Cisco ASA management interface.
Figure 3: Cisco ASA FirePOWER Module Management Interface
Accessing the Cisco ASA FirePOWER Module Management Interface in Cisco ASA 5500-X Appliances
In the rest of the Cisco 5500-X appliances, the management interface is shared by the Cisco ASA FirePOWER module and the classic Cisco ASA software. These appliances include the Cisco ASA 5506-X, 5506W-X, 5506H-X, 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X, and 5555-X appliances.
Figure 4 shows a Cisco ASA 5516-X running Cisco ASA FirePOWER Services.
Figure 4: Cisco ASA 5500-X FirePOWER Module Management Interface
In Figure 4, the management interface is used by the Cisco ASA FirePOWER module. The management interface is configured with the IP address 10.1.2.2. You cannot configure an IP address for this interface in the Cisco ASA configuration. For the ASA 5506-X, 5508-X, and 5516-X, the default configuration enables the preceding network deployment; the only change you need to make is to set the module IP address to be on the same network as the ASA inside interface and to configure the module gateway IP address. For other models, you must remove the ASA-configured name and IP address for management 0/0 or 1/1 and then configure the other interfaces as shown in Figure 5.
NOTE: The management interface is considered completely separate from the Cisco ASA, and routing must be configured accordingly.
The Cisco ASA FirePOWER module default gateway is configured to be the inside interface of the Cisco ASA (10.1.2.1), as illustrated in Figure 5.
Figure 5: Cisco ASA 5500-X FirePOWER Module Default Gateway
If you must configure the management interface separately from the inside interface, you can deploy a router or a Layer 3 switch between both interfaces, as shown in Figure 6. This option is less common, as you still need to manage the ASA via the inside interface.
Figure 6: Cisco ASA 5500-X FirePOWER Module Management Interface Connected to a Router
In Figure 6, the Cisco ASA FirePOWER module default gateway is the router labeled R1, with the IP address 10.1.2.1. The Cisco ASA’s inside interface is configured with the IP address 10.1.1.1. The Cisco ASA FirePOWER module must have a way to reach the inside interface of the ASA to allow for on-box ASDM management. On the other hand, if you are using FMC, the Cisco ASA FirePOWER module needs to have a way to reach the FMC.
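The following CLI session shows how the module-side addressing described above is actually entered for the Figure 4/5 topology (module management IP 10.1.2.2, default gateway set to the ASA inside interface 10.1.2.1). It is an added example, not taken from the book or from Cisco documentation: the /24 mask, the DNS server address, the hostname, and the FMC_IP and REG_KEY values are placeholders chosen here, and lines beginning with `!` are annotations rather than commands.

```text
! --- On the ASA: open a console session to the FirePOWER (sfr) module ---
asa# session sfr console
! log in with the module's admin credentials

! --- On the module: set the management IP, mask and gateway.
!     The gateway is the ASA inside interface (10.1.2.1), as in Figure 5.
!     The /24 mask and the DNS server are assumptions for this example. ---
> configure network ipv4 manual 10.1.2.2 255.255.255.0 10.1.2.1
> configure network dns servers 10.1.2.53
> configure network hostname asa-sfr-module

! --- Only when the module is managed by FMC: register it with the
!     Management Center. FMC_IP and REG_KEY are placeholders; the same
!     one-time key is entered on the FMC when the device is added. ---
> configure manager add FMC_IP REG_KEY

! --- Verify: module-side addressing and manager state, then the
!     ASA-side view of the module ---
> show network
> show managers
asa# show module sfr details
```

Because the module's management plane is routed independently of the ASA (see the NOTE above), `show network` confirming the gateway is not enough on its own: the host that provides Internet access for updates (the module itself in the ASDM case, or the FMC when one is used) must also be able to reach the module's management address, which `show module sfr details` on the ASA helps confirm once registration completes.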
The Cisco IP Phone 8800 Series comprises 11 models.
Models in this Series
- IP Phone 8800 Key Expansion Module
- IP Phone 8811
- IP Phone 8841
- IP Phone 8845
- IP Phone 8851
- IP Phone 8861
- IP Phone 8865
- IP Phone 8865NR
- Unified IP Conference Phone 8831
- Wireless IP Phone 8821
- Wireless IP Phone 8821-EX
The Cisco Wireless IP Phone 8821 is a new member of the 8800 Series. It is a ruggedized, resilient, and secure 802.11 wireless LAN handset that delivers cost-effective, on-premises, comprehensive voice over wireless LAN (VoWLAN) communications for the highly mobile in-campus worker.
There is also the 8821-EX. The EX model is additionally compliant with non-sparking standards, even when temporarily exposed to hazardous atmospheric environments (ATEX Zone 1/Class 2 and CSA Zone 1/Division II compliant).
- The 8821 is specifically designed for workers whose roles are in more rigorous, industrial settings. Examples of ideal use cases include nurses and doctors in healthcare, operations and engineering staff in manufacturing, customer service representatives in retail, service staff such as maids in hospitality, and workers on rigs in the oil and chemical industries.
- While the 8821 is sleek and lightweight, the design is hardened for users. It is Ingress Protection standard (IP67) rated and is sealed for protection against dust, splash and water. The device is also MIL-STD-810G tested, with a dozen drops onto concrete from heights of up to 6 feet (1.8 m), to help ensure shock resistance and avoid breakage if dropped.
- The 8821 enhances security and simplifies configuration management. Stronger encryption is supported for certificate management and policy enablement with the support of Secure Hash Algorithm 2 (SHA-2). Simple Certificate Enrollment Protocol (SCEP) eases IT administration by enabling automatic certificate management on the device.
- End users will enjoy a larger, higher-resolution color display and a user experience that is common with Cisco IP Phone 8800 Series desk phones. In addition, roaming between access points within the campus will support more seamless voice communications with the 8821’s support of Fast Transition (802.11r). This protocol was specifically designed for mobile voice over IP (VoIP) communications devices within Wi-Fi networks. Bluetooth is supported for the user’s choice of third-party wireless headsets and adds freedom by untethering the user from the handset.
- The 8821 supports Cisco and/or third-party XML applications such as push-to-talk.
A full suite of accessories, including desktop chargers, cases, holsters, and multichargers, is available from Cisco to support deployments.
Cisco Wireless IP Phone 8821 Features
The Cisco Wireless IP Phone 8821 is designed for users in rigorous workspaces as well as general office environments. It supports a wide range of features for enhanced voice communications, quality of service (QoS), and security. Some of the main benefits and highlights are listed here:
● IEEE 802.11a/b/g/n/ac radio for VoWLAN communications support
● The large 2.4-inch (6 cm) color (240 x 320 pixels) display makes viewing easy
● IP67 rated for protection against dust, splash, and water
● MIL-STD-810G standard for shock resistance
● The phone offers exceptional voice quality with high-definition (HD) voice
● A built-in full-duplex speakerphone offers high-quality hands-free communications
● The phone supports third-party Bluetooth 3.0 headsets and a 3.5-mm headphone jack for added freedom
● The Applications key provides direct access to XML applications such as push-to-talk and Lone Worker
● Battery life delivers a minimum of 13 hours of talk time
● Enhanced encryption support for SHA-1 and SHA-2 signatures
● Fast, secure roaming using 802.11r and Cisco Centralized Key Management roaming
● Automatic certificate renewal (SCEP support)
Specifications of Cisco Wireless IP Phone 8821 at a Glance
- Display: 2.4-in (6 cm) color graphical TFT
- Speakerphone: Yes; full duplex
- WLAN networking protocols: 802.11a, b, g, n, ac
- Battery rechargeable / talk time: Yes; talk time: 13 hours; standby: 240 hours
- Application interface: Extensible Markup Language (XML)
- Accessories: Desktop and multi-chargers, belt clips, handset cases, lanyards, holsters
The Main Cisco IP Phone 8800 Models: Major Features (feature table not reproduced; Cisco Intelligent Proximity is among the features listed)
To use the phone, it must be connected to a network and configured to connect to a call control system. The phones support many functions and features, depending on the call control system. Your phone might not have all functions available, depending on how your administrator has set it up.
The Cisco industrial router portfolio includes a range of compact, ruggedized modular products to build a highly secure, reliable, and scalable IoT infrastructure. These products are certified to meet harsh environmental standards. They support a variety of communications interfaces, such as Ethernet, serial, fiber, cellular, Wi-Fi, Wi-SUN RF mesh, and others.
The Cisco Industrial Router Portfolio
The complete line of industrial routers includes:
Cisco 1000 Series Connected Grid Routers: Rugged routers designed for harsh environments, like those found in the utilities industry. Ideal for integrating multiple applications, such as advanced metering infrastructure (AMI), distribution automation, distributed energy resources (DER), street lighting, and remote workforce automation within a multi-service network.
Cisco 2000 Series Connected Grid Routers: Highly secure, reliable routers for the energy and utilities industries ideal for SCADA monitoring of transmission and distribution systems.
Cisco ASR 903 Aggregation Services Routers: Full-featured, modular, small-footprint, and fully redundant aggregation routers. They offer service flexibility and deliver Layer 2, IP, and Multiprotocol Label Switching (MPLS) transport for advanced Layer 2 VPN, Layer 3 VPN, and multicast services.
Cisco 500 Series WPAN Industrial Routers: Wi-SUN RF Mesh ruggedized routers that provide unlicensed 915-MHz, ISM-band wireless personal-area network (WPAN) communications, enabling IoT applications including smart metering, distribution automation, street lighting, and remote supervisory control and data acquisition (SCADA) monitoring.
Cisco 809 Industrial Integrated Services Routers: Very compact cellular (3G and 4G/LTE) industrial routers for remote deployment in various industries. They enable reliable and secure cellular connectivity for remote asset monitoring and machine-to-machine (M2M) applications such as distribution automation, pipeline monitoring, and roadside infrastructure monitoring.
Cisco 819 Integrated Services Routers: Compact, hardened form factor, cellular (3G, WLAN, or 4G options) routers that allow businesses to deploy secure 3G WWAN IoT applications, like ATMs, wireless kiosks, digital signage, and more.
Cisco 829 Industrial Integrated Services Routers: Highly ruggedized compact cellular (3G and 4G LTE with GPS and dual SIM) and WLAN (2.4/5 GHz) industrial routers supporting scalable, reliable, and secure management of IoT applications requiring mobile connectivity, such as fleet vehicles and mass transit.
The Cisco IR 829 dual LTE offers multipath LTE and/or WAN backhaul for mission-critical IoT initiatives requiring highly secure data delivery, edge application execution and redundant connectivity.
Cisco 910 Industrial Router: Highly adaptable routers that you can easily integrate with third-party solutions to deliver smart city applications, such as environmental monitoring, smart parking, smart metering, and more.
Capabilities for Rugged, Industrial Settings
We designed the Cisco industrial routers to withstand harsh operating environments and to offer high-performance, secure connectivity at scale. Key features include:
• Designed for industrial applications, including extended environmental, shock, vibration, and surge ratings; a complete set of power input options; convection cooling; and DIN rail, 19-inch rack, or wall mounting.
• Advanced security such as Dynamic Multipoint VPN, stateful firewall, and access control lists to provide multi-layered security architecture.
• Diverse modular interfaces (Ethernet, T1/E1, 3G and 4G LTE cellular, async/sync serial, and others) for diverse infrastructure needs.
• Advanced quality-of-service (QoS) capabilities to support mission-critical communications, such as command and control.
• Cisco IOx, an open, extensible environment for executing IoT applications at the network edge.
• Simple management and operation using network management tools such as IoT Field Network Director and Industrial Operations Kit.