topic It's a bit new in the product in Network Security

Cisco 4110 FTD AND ASA setup

Anthonize Rajaratne — Tue, 12 Mar 2019 08:56:21 GMT

Hello All,

I'm new to Cisco 4110. We are planning to migrate FWSM to 4110 with Firepower on it. My question is do have to install ASA and FTD both in the same 4110box? or FTD itself can handle all the FWSM config (object groups, ACLs,NAT .. etc ) and the firepower as well?

Thanks

Anthonize

You install one or the other

Marvin Rhoads — Wed, 15 Feb 2017 16:32:00 GMT

You install one or the other but not both images on a 4110.

The ASA image will have 100% support of the firewall features.

FTD will not. Especially if you have multiple contexts.

Thanks Marvin,that's what I

Anthonize Rajaratne — Wed, 15 Feb 2017 20:27:07 GMT

Thanks Marvin,that's what I thought too.

Hello Marvin,

Anthonize Rajaratne — Thu, 23 Feb 2017 01:24:21 GMT

Hello Marvin,

What is the best practice(s) when you configuring zones? is it based on the environment functions (data,wireless,video,,etc) or is it based on Interface like ASA?

I tried look for a good documentation on this but, couldn't find any.

Thanks in advance.

It's a bit new in the product

Marvin Rhoads — Thu, 23 Feb 2017 02:37:09 GMT

It's a bit new in the product cycle to say there's a "best practice".

Generally I've seen zones used as a container for multiple interfaces of the same security level that it would make sense to use one zone-based policy for multiple interfaces vs. the traditional one interface = one nameif = one ACL / set of NAT rules.

in my deployment I have used

prashant dwivedi — Tue, 20 Jun 2017 07:01:10 GMT

in my deployment I have used same name for interface and their associated security zone, of-course I have just one interface in the same security zone.

I don't see any issue in this approach , rather it is helpful further to configure a new security policies i.e. by seeing the security zone name we can find out this is assigned to which interface

Re: in my deployment I have used

FFALVES — Tue, 30 Jan 2018 13:27:20 GMT

I have a need to use context in FTD and I'm thinking of using an ASA appliance + FTD appliance to meet my demand. Has anyone seen it work?

I can not use only the ASA because I need an NGFW.

Re: in my deployment I have used

Marvin Rhoads — Tue, 30 Jan 2018 13:57:10 GMT

Yes - the current recommendation from Cisco for when you absolutely need multiple contexts is to put an ASA multiple context firewall in series with an FTD appliance.