topic Re: CISCO ISR 4000 with FTD in Network Security

CISCO ISR 4000 with FTD

dpsw120 — Fri, 21 Feb 2020 17:37:20 GMT

Hello All.

I have Cisco 4321 as NAT and GW device for my server. I need and IDS/IPS for security and i need some suggestion for this, can anyone help me please. I'm thinking about buying ASA5516-FTD-K9 or buying UCS E-Series Server Blade and run UTD on that.

Please help thank you.

Re: CISCO ISR 4000 with FTD

Rob Ingram — Wed, 23 Oct 2019 12:15:29 GMT

Hi,
I'd personally run the FTD on a dedicated appliance rather than a module on the router, so you would implement the FTD between the router and your network. Ideally you should look at the new Firepower 1000 series appliances, as the ASA hardware is older and probably EOL sooner rather than later.

How much throughput are you going to put through the appliance? You would need to ensure the 5516-X or whatever hardware you purchase can cope with your requirements.

HTH

Re: CISCO ISR 4000 with FTD

dpsw120 — Wed, 23 Oct 2019 12:49:12 GMT

I'd personally run the FTD on a dedicated appliance rather than a module on the router, so you would implement the FTD between the router and your network.

Can i implement FTD before Router? I mean in the edge and router still have wan ip because that way i wouldn't have to change configuration on running Router. And it already had nat forwarding to internet and dmpvn configured to office, it will be a mess if i should reconfigure my running Router.

Ideally you should look at the new Firepower 1000 series appliances, as the ASA hardware is older and probably EOL sooner rather than later.

Firepower 1000 and 2000 is not ready product and it take long to deliver to my country.

How much throughput are you going to put through the appliance? You would need to ensure the 5516-X or whatever hardware you purchase can cope with your requirements.

I already check that and ASA5516-X comply with our throughput.

Re: CISCO ISR 4000 with FTD

Rob Ingram — Wed, 23 Oct 2019 13:06:06 GMT

If you put the FTD in front of the router then the FTD would need the WAN IP address, so therefore you would have to change the router configuration. Place the FTD behind the router, such as ISP <> Router <> FTD <> internal network. You'd need to configure NAT on the router to the FTD's outside interface, unless you had additional public IP address range.

Alternatively you could implement FTD in transparent mode, link here.

Re: CISCO ISR 4000 with FTD

dpsw120 — Wed, 23 Oct 2019 13:37:59 GMT

If you put the FTD in front of the router then the FTD would need the WAN IP address, so therefore you would have to change the router configuration.

- It would be a mess right?

Place the FTD behind the router, such as ISP <> Router <> FTD <> internal network.

- Is it safe for a router running after ftd?

You'd need to configure NAT on the router to the FTD's outside interface, unless you had additional public IP address range.

- Yes i have additional public ip address range. this is my topology as right now, can you suggest me something.

I forgot to add my router run dmvpn for drc and office