2.1.3 Cisco ASA and Firepower (ASA Mode) - BlueCat Infrastructure Assurance - 25.2.0

BlueCat LiveAssurance User Guide

Product name: BlueCat Infrastructure Assurance
Version: 25.2.0

Starting in v25.2.0, LiveAssurance supports Cisco Firepower appliances operating in ASA mode, in addition to the existing support for ASA.

Note: BlueCat always recommends that a system administrator defer to the vendor’s official documentation on credential creation. Follow the vendor’s instructions for configuring the device for access with an SSH key, and then use the LiveAssurance WebGUI to store the private key in the relevant Credential Profile.

In order for LiveAssurance to run its full set of interrogation and monitoring scripts, an SSH user and an SNMP user with the administrator role must be used to connect to your device. It is highly recommended that a dedicated, generic username is created for auditing and security purposes. Before adding any ASA or Firepower device, make sure both SSH and SNMP credentials are provided in the Credential Set.

Note: The following procedure covers ASA devices but is also applicable to Firepower appliances operating in ASA mode.

Creating an SSH User in the local database via CLI

  1. Log in to the Cisco ASA device via SSH.

  2. Enter the privileged EXEC mode by running the following command:
    # enable
  3. Enter the global configuration mode by running the following command:
    # conf t
  4. Create a new admin user with privilege level 15 by running the following command:
    # username <username> password <password> privilege 15
  5. After the admin user is created, run the following command to allow local admin users to enter enable mode by default. This step is required for all the scripts to run successfully:
    # aaa authorization exec LOCAL auto-enable

Note: The ASA supports two Diffie-Hellman key exchange methods: DH Group 1 (768-bit) and DH Group 14 (2048-bit). By default, the ASA uses Diffie-Hellman Group 1. It is recommended that dh-group14-sha1 be used. The command ssh key-exchange group dh-group14-sha1 was introduced in 8.4(4.1) and 9.1(2) and sets the default SSH key exchange method to dh-group14-sha1.

Creating an SSH User in the local database via ASDM

Creating an SNMPv3 User via CLI

The following example creates an SNMPv3 user with authentication and privacy passwords and limits SNMP access to a range of IPs. Make sure the LiveAssurance server IP is included in the IP range configured on the device, otherwise LiveAssurance will NOT be able to interrogate the device.

  1. Log in to the Cisco ASA device via SSH.

  2. Enter the privileged EXEC mode by running the following command:
    # enable
  3. Enter the global configuration mode by running the following command:
    # conf t
  4. Create a network object with the object name indeni-server by running the following command:
    # object network indeni-server
  5. Specify the IP address range for the network object:
    # range 192.168.250.0 192.168.250.255
  6. Exit to global configuration mode by running the following command:
    # exit
  7. Create an SNMPv3 group with authentication and privacy passwords by running the following command:
    # snmp-server group SNMPv3Group v3 priv
  8. Create an SNMPv3 user by running the following command:
    # snmp-server user indeni SNMPv3Group v3 auth SHA <AuthPassword> priv AES 128 <PrivPassword>
  9. Specify the SNMP host group and user that can query the ASA:
    # snmp-server host-group management indeni-server version 3 indeni
  10. Exit to Privileged EXEC mode by running the following command:
    # exit
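The SSH and SNMPv3 procedures above each leave a footprint in the ASA running configuration. The following added example (not BlueCat's or Cisco's code) reads a constructed running-config excerpt and verifies the settings this guide requires: a privilege 15 user, LOCAL auto-enable, the dh-group14-sha1 key exchange, an SNMPv3 priv group, and that the LiveAssurance server address actually falls inside the network object referenced by the snmp-server host-group. The object name indeni-server, the user indeni and the server IP 192.168.250.10 are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of a 'show running-config' excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
username indeni password ***** privilege 15
aaa authorization exec LOCAL auto-enable
ssh key-exchange group dh-group14-sha1
object network indeni-server
 range 192.168.250.0 192.168.250.255
snmp-server group SNMPv3Group v3 priv
snmp-server user indeni SNMPv3Group v3 auth SHA ***** priv AES 128 *****
snmp-server host-group management indeni-server version 3 indeni
"""

def parse_network_objects(config):
    """Return {object_name: (first_ip, last_ip)} for 'object network' blocks that define a range."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+range (\S+) (\S+)$", line)
        if m and current:
            objects[current] = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    return objects

def check_liveassurance_readiness(config, server_ip, username):
    """Return {check_name: bool} mirroring the steps of this guide; every value must be True."""
    lines = config.splitlines()
    objects = parse_network_objects(config)
    f = {}
    f["admin_priv15"] = re.search(rf"^username {re.escape(username)} .*privilege 15$", config, re.M) is not None
    f["auto_enable"] = "aaa authorization exec LOCAL auto-enable" in lines
    f["dh_group14"] = "ssh key-exchange group dh-group14-sha1" in lines   # absent means the weak Group 1 default
    f["snmpv3_priv_group"] = re.search(r"^snmp-server group \S+ v3 priv$", config, re.M) is not None
    # host-group line: which network object may poll, and which SNMPv3 user it is bound to
    hg = re.search(r"^snmp-server host-group \S+ (\S+) version 3 (\S+)$", config, re.M)
    f["snmp_host_group_v3"] = hg is not None
    ip = ipaddress.ip_address(server_ip)
    f["server_in_range"] = False
    if hg and hg.group(1) in objects:
        first, last = objects[hg.group(1)]
        f["server_in_range"] = first <= ip <= last
    f["snmp_user_bound"] = hg is not None and re.search(
        rf"^snmp-server user {re.escape(hg.group(2))} \S+ v3 auth SHA", config, re.M) is not None
    return f
```

Any False value points at the exact step to revisit; server_in_range is the check that catches the silent failure described above, where the device is configured correctly but the LiveAssurance server sits outside the permitted range.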