topic Re: SSL rewrite on ASA platform in Network Security

SSL rewrite on ASA platform

lcaruso — Fri, 07 Jan 2022 23:25:59 GMT

Some questions about the latest ASAs out there. Client is getting ready to replace their aging Cisco firewalls (5525s, no FP)

Is it possible to AnyConnect to new ASAs w/2FA and then redirect user's web session via an SSL rewrite to a backend server?

For clients that already have NGFW services elsewhere, is it possible to run a new ASA without FP active and/or installed?

Current redundancy is Active/Standby and they need fiber/SFP failover redundancy port connections. Do the SFP ports on the new ASAs allow use for failover?

Since there is no hardware upgrade tool online, my best estimate currently is the 2100 line to replace the 5525s if the SFP ports can be used for back to back failover connections.

Thanks

Re: SSL rewrite on ASA platform

balaji.bandi — Sat, 08 Jan 2022 07:46:31 GMT

s it possible to AnyConnect to new ASAs w/2FA and then redirect user's web session via an SSL rewrite to a backend server?

BB - as i understand you looking to redirect to the portal? why do you like to do this, as the user already trusted and made 2 facto identify as trust user?

For clients that already have NGFW services elsewhere, is it possible to run a new ASA without FP active and/or installed?

BB - i do not see any issue until i interpret this as different from your original requirement.

Current redundancy is Active/Standby and they need fiber/SFP failover redundancy port connections. Do the SFP ports on the new ASAs allow use for failover?

BB - depends on the Model here - yes you can have a sync link using SFP or Ethernet.

check ASA Model has SFP port :

https://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-345385.html

Since there is no hardware upgrade tool online, my best estimate currently is the 2100 line to replace the 5525s if the SFP ports can be used for back to back failover connections.

BB - 2100 is good to replace the model you mentioned ASA.

FP2100 do have SFP ports check datasheet :

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

Re: SSL rewrite on ASA platform

alirafaleiro — Thu, 20 Jan 2022 04:26:32 GMT

Cisco AnyConnect is a uniform security endpoint agent which deliver multiple security services to protect the enterprise. Also, it provides visibility along with the control which is required you to identify who and which devices are accessing the extended enterprise.

Re: SSL rewrite on ASA platform

lcaruso — Sat, 08 Jan 2022 17:49:11 GMT

Thanks for your reply.

Regarding SSL rewrite requirement, that was specified by the Architect for this project. All I know is this is a requirement, but I still do not see this capability on the newer Cisco firewalls.

Do you know if there is a SKU to order a 2100 w/o FP?

Re: SSL rewrite on ASA platform

balaji.bandi — Sat, 08 Jan 2022 17:53:53 GMT

Do you know if there is a SKU to order a 2100 w/o FP?

what do you mean W/o FP, by Default 2100 ship with Firepower, if you like to with ASA on top of it, you need to re-image with ASA.

the above post provides you datasheet to ordering guide : (if you have concerns, i would advise to a local partner who can assist you better).

Have seen some people buying this product later it can not be replaced as expected. so suggest to contact local partner and understand requirement and guide you better.

FP2100 do have SFP ports check datasheet :

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

Re: SSL rewrite on ASA platform

lcaruso — Sat, 08 Jan 2022 17:56:30 GMT

working with a partner next week thanks just trying to get started on the weekend.

Re: SSL rewrite on ASA platform

balaji.bandi — Sat, 08 Jan 2022 17:59:55 GMT

Sure i understand, you also need more hands-on information before you talk to your partner.

Re: SSL rewrite on ASA platform

Marvin Rhoads — Sun, 09 Jan 2022 03:13:16 GMT

"SSL rewrite" is not possible with a Firepower appliance by itself - whether running FTD or ASA image.

If you use ISE as the AAA server you can push a redirect ACL as part of the Authorization result.

All Firepower hardware appliances can be ordered with either FTD or ASA software as part of the initial order.

We seldom see them ordered with ASA software though since that means you will not be able to run any of the NGIPS, Malware or URL Filtering features. You will also have to continue to manage the configuration via ASDM or cli (or possibly CDO) vs. FMC with its richer analysis and event management features.

Re: SSL rewrite on ASA platform

lcaruso — Fri, 14 Jan 2022 19:20:27 GMT

Thank you for your reply. I'm not the architect of this design, otherwise even if they were redundant/overlapping, I'd have NGFW services on the ASA and in the cloud where they currently exist.