module. Once it is complete, you can escape out of the SFR module CLI and back into the
ASA by pressing CTRL + SHIFT + 6 +X (CTRL ^ X)
If the ASA is NOT connected to an inside switch:
An inside switch may not exist in some small deployments. In this type of topology, clients would
generally connect to the ASA via the WiFi interface. In this scenario, it is possible eliminate the
need for an external switch and access the SFR module via a separate ASA interface by cross-
connecting the Management1/1 interface to another physical ASA interface.
In this example, a physical ethernet connection must exist between the ASA GigabitEthernet1/3
interface and the Management1/1 interface. Next, you configure the ASA and SFR module to be
on a separate subnet and then you are able to access the SFR from both the ASA as well as
clients located on the inside or wifi interfaces.
ASA Interface Configuration:
asa(config)# interface gigabitEthernet 1/3
asa(config-if)# ip address 10.2.0.1 255.255.255.0
asa(config-if)# nameif sfr
INFO: Security level for "sfr" set to 0 by default.
asa(config-if)# security-level 100
asa(config-if)# no shut
SFR Module Configuration:
asa# session sfr console
Opening console session with module sfr.
Connected to module sfr. Escape character sequence is 'CTRL-^X'.
Cisco ASA5506W v5.4.1 (build 211)
Sourcefire3D login: admin
Password: Sourcefire
<<Output Truncated - you will see a large EULA>>
Please enter 'YES' or press <ENTER> to AGREE to the EULA: YES
System initialization in progress.
You must change the password for 'admin' to continue.
Enter new password:
Confirm new password:
You must configure the network to continue.
You must configure at least one of IPv4 or IPv6.
Do you want to configure IPv4? (y/n) [y]: y
Do you want to configure IPv6? (y/n) [n]: n
Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:
Enter an IPv4 address for the management interface [192.168.45.45]: 10.2.0.254
Enter an IPv4 netmask for the management interface [255.255.255.0]: 255.255.255.0
Enter the IPv4 default gateway for the management interface []: 10.2.0.1
Enter a fully qualified hostname for this system [Sourcefire3D]: Cisco_SFR Enter a comma-
separated list of DNS servers or 'none' []: 10.0.0.250 Enter a comma-separated list of search
domains or 'none' [example.net]: example.net If your networking information has changed, you
will need to reconnect. For HTTP Proxy configuration, run 'configure network http-proxy'
Applying 'Default Allow All Traffic' access control policy.
Note: It may take a couple minutes for the default access control policy to apply on the SFR
module. Once it is complete, you can escape out of the SFR module CLI and back into the
Please stand by.