Re: ASA 5515-x with Firepower (fmc NAT)

bondandrey · ‎05-08-2018

Hello!

I have ASA 5515-x with sfr module installed.

I have a couple Firepower Access Control Policy rules configured through FMC.

And I have some Access rules and NAT rules (internet assess, internal servers publishing etc.) configured through ASDM.

And I wonder is it possible to replace all Access/Nat configuration from ASDM with Access Policy / NAT policy in FCM?

I tried to replace one NAT rule but with no luck, please tell me is it possible?

Thanks!

Florin Barhala · ‎05-08-2018

I think you need FTD appliances to accomplish this config migration.

Mohammed al Baqari · ‎05-08-2018

SFR module won't be doing what you are looking for. L3/L4 operations are
handled by ASA and Inspection in handled by SFR. If you want both functions
to be combined you have to convert to FTD assuming that you fulfill the
prerequisites

bondandrey · ‎05-09-2018

Thanks for your reply, Mohammed!

Can you tell me why I can assign NAT policy to my ASA device if it will not work anyway?

Is it a bug or there is some purpose?

Am I right that NAT policy don't work on SFR module, but work on 7000 and 8000 series devices?

Because there is description of NAT configuration in official guide for 7000 and 8000 series devices.

And I can't find any docs specifically for SFR configuration.

What is more Access policies works well on my ASA device. Where I can find information about which feature will work on SFR and which will not? I am really confused.

Thanks in advance!

Florin Barhala · ‎05-10-2018

SFR will only take care of UTM also known as: Antivirus, IPS, WebFiltering
If you want both Firewall, NAT and UTM you need a FTD appliance. That's why only on FTD appliance you will find a NAT guide.