cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1388
Views
10
Helpful
3
Replies

ASA-5506-x-firepower - End of Support - Security considerations

Dear members,

 

To future proof our ASA 5506-X we would like to know whether it is wise we should upgrade this unit to a newer one or keep using it.

 

https://www.cisco.com/c/nl_nl/support/security/asa-5506-x-firepower-services/model.html

 

- can software upgrades or firmware upgrades still be performed after the end of support at 31-jul-22?

- security issues;  the website lists that this device is out of support for any new security issues that come to light but it is still "supported" until 2024, can software updates regarding security still be applied after 31-jul-22 or does Cisco stop publishing any new security fixes and or updates after this date : 31-JUL-2022 

- compatibility and authentication with Azure;  should we look for another device that supports Azure Authentication (e.g. end users login via VPN on this ASA device and credentials are verified/checked by Azure Active Directory) and for that matter other cloud providers?

 

 

 

2 Accepted Solutions

Accepted Solutions

@Rob Ingram, Thank you for your answers, these were very helpful. Where can I look for information regarding Azure connectivity for a possible new device? I found this article : https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html which I think enables end users to make use of their login credentials as defined in Azure AD.  Is it possible to use this article to support a scenario (new situation) as listed below ?

 

Authentication with Azure AD (new situation)

 

Local on premises domain controller is phased out and this functionality to look up usernames is taken over by Azure AD.

 

Outside office worker -> Cisco Anyconnect client -> ASA Firepower 1000 series with VPN (gets credentials/usernames of outside office worker from Azure AD, validates that the user and password are correct and authenticates the outside office worker) -> outside worker establishes VPN connection to the Office environment.

 

Authentication with on premises Active Directory Domain Controller (old situation)

 

Outside office worker -> Cisco Anyconnect client -> ASA 5506-X with VPN (gets credentials/usernames of outside office worker from local domain controller (Active Directory) validates that the user and password are correct and authenticates the outside office worker) -> outside worker establishes VPN connection to the Office environment.

View solution in original post

@Operations Eleaf the FPR1010 hardware running either ASA or FTD (newer NGFW image) supports SAML, so can authenticate to Azure AD.

View solution in original post

3 Replies 3

@Operations Eleaf the latest software version the 5506-X will support is 9.16, so you will be unable to get the new features from subsequent releases, current latest version is 9.18.

 

You will be able to get support for a few more years, but only if you have a service contract.

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744797.html

 

There is no way to future proof the ASA 5506-X, the hardware is End of Life. You'd be better off purchasing the newer FPR-1010 hardware, this runs the FTD image which supports the NGFW features, such as URL Filtering, IPS, AVC etc....the ASA does not support these features.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html

 

 

 

 

@Rob Ingram, Thank you for your answers, these were very helpful. Where can I look for information regarding Azure connectivity for a possible new device? I found this article : https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html which I think enables end users to make use of their login credentials as defined in Azure AD.  Is it possible to use this article to support a scenario (new situation) as listed below ?

 

Authentication with Azure AD (new situation)

 

Local on premises domain controller is phased out and this functionality to look up usernames is taken over by Azure AD.

 

Outside office worker -> Cisco Anyconnect client -> ASA Firepower 1000 series with VPN (gets credentials/usernames of outside office worker from Azure AD, validates that the user and password are correct and authenticates the outside office worker) -> outside worker establishes VPN connection to the Office environment.

 

Authentication with on premises Active Directory Domain Controller (old situation)

 

Outside office worker -> Cisco Anyconnect client -> ASA 5506-X with VPN (gets credentials/usernames of outside office worker from local domain controller (Active Directory) validates that the user and password are correct and authenticates the outside office worker) -> outside worker establishes VPN connection to the Office environment.

@Operations Eleaf the FPR1010 hardware running either ASA or FTD (newer NGFW image) supports SAML, so can authenticate to Azure AD.

Review Cisco Networking for a $25 gift card