Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1121
Views
10
Helpful
3
Replies

ASA-5506-x-firepower - End of Support - Security considerations

Go to solution
Operations Eleaf
Level 1
Level 1

‎07-05-2022 08:18 AM

Dear members,

 

To future proof our ASA 5506-X we would like to know whether it is wise we should upgrade this unit to a newer one or keep using it.

 

https://www.cisco.com/c/nl_nl/support/security/asa-5506-x-firepower-services/model.html

 

- can software upgrades or firmware upgrades still be performed after the end of support at 31-jul-22?

- security issues;  the website lists that this device is out of support for any new security issues that come to light but it is still "supported" until 2024, can software updates regarding security still be applied after 31-jul-22 or does Cisco stop publishing any new security fixes and or updates after this date : 31-JUL-2022 

- compatibility and authentication with Azure;  should we look for another device that supports Azure Authentication (e.g. end users login via VPN on this ASA device and credentials are verified/checked by Azure Active Directory) and for that matter other cloud providers?

 

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Operations Eleaf
Level 1
Level 1
In response to Rob Ingram

‎07-06-2022 01:11 AM

@Rob Ingram, Thank you for your answers, these were very helpful. Where can I look for information regarding Azure connectivity for a possible new device? I found this article : https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html which I think enables end users to make use of their login credentials as defined in Azure AD.  Is it possible to use this article to support a scenario (new situation) as listed below ?

 

Authentication with Azure AD (new situation)

 

Local on premises domain controller is phased out and this functionality to look up usernames is taken over by Azure AD.

 

Outside office worker -> Cisco Anyconnect client -> ASA Firepower 1000 series with VPN (gets credentials/usernames of outside office worker from Azure AD, validates that the user and password are correct and authenticates the outside office worker) -> outside worker establishes VPN connection to the Office environment.

 

Authentication with on premises Active Directory Domain Controller (old situation)

 

Outside office worker -> Cisco Anyconnect client -> ASA 5506-X with VPN (gets credentials/usernames of outside office worker from local domain controller (Active Directory) validates that the user and password are correct and authenticates the outside office worker) -> outside worker establishes VPN connection to the Office environment.

View solution in original post

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Operations Eleaf

‎07-06-2022 01:24 AM

@Operations Eleaf the FPR1010 hardware running either ASA or FTD (newer NGFW image) supports SAML, so can authenticate to Azure AD.

View solution in original post

3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎07-05-2022 12:20 PM

@Operations Eleaf the latest software version the 5506-X will support is 9.16, so you will be unable to get the new features from subsequent releases, current latest version is 9.18.

 

You will be able to get support for a few more years, but only if you have a service contract.

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744797.html

 

There is no way to future proof the ASA 5506-X, the hardware is End of Life. You'd be better off purchasing the newer FPR-1010 hardware, this runs the FTD image which supports the NGFW features, such as URL Filtering, IPS, AVC etc....the ASA does not support these features.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html

 

 

 

 

Go to solution
Operations Eleaf
Level 1
Level 1
In response to Rob Ingram

‎07-06-2022 01:11 AM

@Rob Ingram, Thank you for your answers, these were very helpful. Where can I look for information regarding Azure connectivity for a possible new device? I found this article : https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215935-configure-asa-anyconnect-vpn-with-micros.html which I think enables end users to make use of their login credentials as defined in Azure AD.  Is it possible to use this article to support a scenario (new situation) as listed below ?

 

Authentication with Azure AD (new situation)

 

Local on premises domain controller is phased out and this functionality to look up usernames is taken over by Azure AD.

 

Outside office worker -> Cisco Anyconnect client -> ASA Firepower 1000 series with VPN (gets credentials/usernames of outside office worker from Azure AD, validates that the user and password are correct and authenticates the outside office worker) -> outside worker establishes VPN connection to the Office environment.

 

Authentication with on premises Active Directory Domain Controller (old situation)

 

Outside office worker -> Cisco Anyconnect client -> ASA 5506-X with VPN (gets credentials/usernames of outside office worker from local domain controller (Active Directory) validates that the user and password are correct and authenticates the outside office worker) -> outside worker establishes VPN connection to the Office environment.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Operations Eleaf

‎07-06-2022 01:24 AM

@Operations Eleaf the FPR1010 hardware running either ASA or FTD (newer NGFW image) supports SAML, so can authenticate to Azure AD.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card