The following prerequisites must be met in order for the ASA integration to work successfully.


  • A valid Cisco Umbrella subscription
  • The ASA must have a 3DES license. If you are using Smart Licensing, your account must allow export-controlled functionality.

Hardware and Software

  • Administrative access to an ASA on version 9.10.1 or newer. This includes ASAv, ASA 5500-X, and Firepower 2100/4100/9300. FTD software is not supported.
  • Full Admin access to the Umbrella dashboard.

Network Access

  • The ASA must have a name server configured and DNS lookup enabled on its interfaces. You can use your own servers, or configure the Umbrella servers. DNS inspection automatically redirects to the Umbrella resolvers even if you configure different servers. Example:
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# dns domain-lookup inside
ciscoasa(config)# dns name-server
  • The name server you set must be able to resolve, and there must be a route configured to reach it.
  • The ASA registers itself with your Umbrella dashboard over HTTPS, so the ASA must be able to communicate with over TCP port 443.
  • The root certificate must be present on the ASA in order for registration to complete successfully. See Import the Root Certificate.

The following access must be allowed:

53TCP, UDP208.67.222.222,

Integration for ASA Overview < Prerequisites > Import the Digicert Certificate Authority