Cisco ASA 5506-X Configuration Manual page 350

Chapter 16 ASA FirePOWER (SFR) Module
Configure the ASA FirePOWER Module
If you have an inside router
If you have an inside router, you can route between the Management 0/0 or 1/1 network, which includes
both the ASA and ASA FirePOWER management IP addresses, and the inside network for Internet
access. Be sure to also add a route on the ASA to reach the Management network through the inside
router.
Proxy or DNS Server (for example)
ASA gateway for Management
ASA
Router
Outside
Inside
Internet
ASA FirePOWER
Default Gateway
FP
Management
Management 0/0
Management PC
If you do not have an inside router
If you have only one inside network, then you cannot also have a separate management network. In this
case, you can manage the ASA from the inside interface instead of the Management 0/0 or 1/1 interface.
If you remove the ASA-configured name from the Management 0/0 or 1/1 interface, you can still
configure the ASA FirePOWER IP address for that interface. Because the ASA FirePOWER module is
essentially a separate device from the ASA, you can configure the ASA FirePOWER management
address to be on the same network as the inside interface.
ASA FirePOWER Default Gateway
Layer 2
Switch
ASA
Management PC
Inside Outside
Internet
FP
Management 0/0
Proxy or DNS Server
(ASA FirePOWER only)
(for example)
Note You must remove the ASA-configured name for Management 0/0 or 1/1; if it is configured on the ASA,
then the ASA FirePOWER address must be on the same network as the ASA, and that excludes any
networks already configured on other ASA interfaces. If the name is not configured, then the ASA
FirePOWER address can be on any network, for example, the ASA inside network.
Cisco ASA Series Firewall CLI Configuration Guide
16-10