05-17-2018 01:33 PM - edited 02-21-2020 07:47 AM
We will be deploying an ASA 5512 + Firepower in an isolated network. We will need to download update files and transfer to the ASA via CD/DVD. I see that the following updates are available for download from the Cisco site: VDB, Rules Updates and GeoDB. Since we would not be able to leverage any subscription services (i.e. not connected to the Internet) and would only be able to download these three updates periodically, what would be the appropriate License(s) for this situation?
Thank you
Tom
06-29-2018 08:16 PM
Hi Thomas-
When running ASAs with Firepower, you can still use the traditional/classic licenses. Those do not require connectivity to the outside world. For the ASA-5512-X those are: L-ASA5512-TAMC. You need this license for each ASA (even in Active/Standby). The license will provide you with IPS, AMP and URL Filtering.
If you decide to run FTD (Firepower Threat Defense) then your only option is Smart Licenses and those require connectivity to the outside world. However, for air-gapped environments, you can utilize the Satellite Server:
https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager-satellite.html
I hope this helps!
Thank you for rating helpful posts!
06-29-2018 08:21 PM
Since the ASA would not have connectivity to the Internet, it seemed that the GeoDB and URL filtering (based on a Reputation database) features would be of limited use. What other features depend on connectivity to the Internet?
Thanks
Tom
06-29-2018 08:41 PM
You can update those offline as well:
https://software.cisco.com/download/home/286271170/type/286271056/release/VDB
Thank you for rating helpful posts!