
ASA 5512x with firepower service to FPR1010 migration

ROBBY HARRELL
Level 1

I was asked to help migrate an ASA 5512x with firepower services that I installed while working with another company about 8 years ago. My current company (a Telco) no longer sells or installs CPE equipment, and the former customer ordered a FPR1010-ASA-k9 through another online hardware vendor. The ASA 5512x that they have at their main office is managed by a FMC virtual appliance, and a remote office ASA 5506 with firepower services is also managed.

The customer wants to replace the 5512x with the FPR 1010. Question is, can the FPR 1010 be set up like the 5512x with the ASA code doing the ACL, NAT, VPN, and then have a Firepower Module controlled by the FMC, or will I have to convert the FPR 1010 that was shipped with ASA code to FTD and use the on-box FTD management?

How would licensing work? The FMC has licensing for 2 devices.

Or could I have the FPR 1010 with FTD be managed by the FMC, but have to upgrade the FMC?

 


balaji.bandi
Hall of Fame

If the ASA is with SFR Module - not Cisco Secure Firewall (NGFW) - it has both Firewall and IPS/IDS features.

If you are looking to migrate from the old ASA to the new FPR1010 - you can migrate the policies and create IPS policies (like you have in SFR).

FMC only manages SFR, not ASA. So moving forward, the 1010 can be managed by FMC also.

Look at the Migration tool:

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool.html

 

 

BB

Marvin Rhoads
Hall of Fame

If the customer ordered FPR1010-ASA-k9, that is the 1010 running ASA code. In that mode, it cannot run a Firepower service module - only base ASA features.

To run NGFW-type features (including IPS) on the 1010, it needs to run FTD code (not ASA). Doing so requires a reimage as well as licensing. Once you have that, you can migrate the old ASA config as @balaji.bandi alluded to.
