Cisco 4110 FTD AND ASA setup

Hello All, 

I'm new to Cisco 4110. We are planning to migrate FWSM to 4110 with Firepower on it. My question is: do I have to install ASA and FTD both in the same 4110 box? Or can FTD itself handle all the FWSM config (object groups, ACLs, NAT, etc.) and the Firepower as well? 

Thanks

Anthonize

ACCEPTED SOLUTION

Hall of Fame Master

You install one or the other

You install one or the other but not both images on a 4110. 

The ASA image will have 100% support of the firewall features.

FTD will not. Especially if you have multiple contexts. 

7 REPLIES

Thanks Marvin, that's what I thought too. 

Hello Marvin, 

What are the best practice(s) when configuring zones? Is it based on the environment functions (data, wireless, video, etc.) or is it based on interfaces like ASA?

I tried to look for good documentation on this but couldn't find any.

Thanks in advance.  

Hall of Fame Master

It's a bit new in the product cycle to say there's a "best practice".

Generally I've seen zones used as a container for multiple interfaces of the same security level, so that it would make sense to use one zone-based policy for multiple interfaces vs. the traditional one interface = one nameif = one ACL / set of NAT rules.

In my deployment I have used the same name for interfaces and their associated security zone; of course, I have just one interface in each security zone.

I don't see any issue with this approach; rather, it is helpful when configuring new security policies, i.e. by seeing the security zone name we can find out which interface it is assigned to.
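The two replies above describe the two layouts (a zone as a container for several interfaces sharing one rule set, versus one zone per interface named after that interface). The script below is an added example, not code from the thread or from Cisco: it models a zone/interface layout as plain Python data and lints it for the things a reviewer would check before migrating policy. The interface names, zone names and rules are constructed for illustration and are not an FMC export; the one-zone-per-interface check follows the FTD constraint that an interface belongs to at most one security zone.

```python
"""Lint an FTD-style security-zone layout (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    interfaces: list[str] = field(default_factory=list)


@dataclass
class Rule:
    name: str
    src_zones: set[str]  # empty set means "any" source zone
    dst_zones: set[str]  # empty set means "any" destination zone
    action: str


def unzoned_interfaces(interfaces, zones):
    """Interfaces assigned to no zone.

    Zone-scoped rules can never match traffic on these interfaces; only
    rules whose zone is 'any' apply, which is rarely what the designer meant.
    """
    assigned = {i for z in zones for i in z.interfaces}
    return sorted(set(interfaces) - assigned)


def multi_zone_interfaces(zones):
    """Interfaces listed in more than one zone (FTD allows one zone per interface)."""
    seen: dict[str, list[str]] = {}
    for z in zones:
        for i in z.interfaces:
            seen.setdefault(i, []).append(z.name)
    return {i: zs for i, zs in seen.items() if len(zs) > 1}


def naming_mismatches(zones):
    """Single-interface zones whose name differs from the interface name.

    Follows the convention from the reply above: when a zone holds exactly
    one interface, name the zone after that interface so the zone name alone
    tells you where the policy applies.
    """
    return [(z.name, z.interfaces[0]) for z in zones
            if len(z.interfaces) == 1 and z.name != z.interfaces[0]]


def rules_for_interface(ifname, zones, rules, direction="src"):
    """Names of rules that can match traffic on ifname, by source or destination zone."""
    zone_names = {z.name for z in zones if ifname in z.interfaces}
    hits = []
    for r in rules:
        scope = r.src_zones if direction == "src" else r.dst_zones
        if not scope or scope & zone_names:  # 'any' zone, or a zone this interface is in
            hits.append(r.name)
    return hits


# Constructed layout: three user-facing interfaces share one zone, the DMZ has
# its own (mis-named) zone, and one interface was added later and never zoned.
INTERFACES = ["data", "wireless", "video", "dmz", "mgmt-oob"]
ZONES = [
    Zone("USERS", ["data", "wireless", "video"]),
    Zone("DMZ_ZONE", ["dmz"]),
]
RULES = [
    Rule("users-to-dmz-web", {"USERS"}, {"DMZ_ZONE"}, "allow"),
    Rule("block-dmz-to-users", {"DMZ_ZONE"}, {"USERS"}, "block"),
    Rule("log-all", set(), set(), "monitor"),
]


def lint(interfaces=INTERFACES, zones=ZONES, rules=RULES):
    """Run every check and return the findings as one dictionary."""
    return {
        "unzoned": unzoned_interfaces(interfaces, zones),
        "multi_zone": multi_zone_interfaces(zones),
        "naming": naming_mismatches(zones),
        "coverage": {i: rules_for_interface(i, zones, rules) for i in interfaces},
    }


if __name__ == "__main__":
    for check, finding in lint().items():
        print(f"{check}: {finding}")
```

On the constructed data the lint reports `mgmt-oob` as unzoned (only the `log-all` rule can ever match it), flags `DMZ_ZONE` for not being named `dmz`, and shows that all three interfaces in `USERS` pick up the same two rules without a per-interface ACL.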

Beginner

Re: in my deployment I have used

I have a need to use context in FTD and I'm thinking of using an ASA appliance + FTD appliance to meet my demand. Has anyone seen it work?

I cannot use only the ASA because I need an NGFW.

Hall of Fame Master

Re: in my deployment I have used

Yes - the current recommendation from Cisco for when you absolutely need multiple contexts is to put an ASA multiple context firewall in series with an FTD appliance.