
ASA 5555-X with FTD Transparent Mode Configuration

alsayegh
Level 1

Hello,

 

I added an ASA 5555-X with FTD appliance to an existing network in transparent mode. The device cannot be configured with FDM because it is in transparent mode which is not supported by FDM. I currently don't have FMC. So the only option I have is to configure the interfaces via CLI. So I got into diagnostic-cli. However, I can't find the configuration terminal command as was the case in ASA. So how can I configure outside and inside interfaces from there?

 

Thank you

 

 

-ammar


12 Replies

@alsayegh 

That's not possible, you need an FMC to manage a device running the FTD image if you want to use transparent mode, as even FDM version 7.0 still doesn't support transparent mode.

 

You cannot configure transparent mode from the CLI if you are running the FTD image.

 

If you cannot purchase an FMC, then you could reimage the device to use the ASA image and then you configure transparent mode.

Rob,

 

I actually had it as a transparent ASA for two years. Was working fine with ASDM manager. However, I needed to have trunked traffic between my switch and the DC core switch. The ASA doesn't support VLAN trunks, so I reimaged it yesterday to FTD to check if FTD will support it. However, it just got worse now without means of managing it. I don't think that I will reimage back to ASA. I will switch FTD to routed and reconfigure my network.

 

Does FTD routed support VLAN trunks?

 

-ammar

Yes, FTD routed mode supports the trunk VLAN function.

please do not forget to rate.

Transparent mode deployment requires the FMC; it cannot be managed locally.

please do not forget to rate.

Sheraz,

 

I am switching to FTD routed mode as I don't want to go back to ASA. I used to have one outside interface and the remaining are set as inside interfaces connected directly to my devices without changing their global IPs using BVI, so I didn't have to do much configuration on the devices when I first introduced the firewall. Is there a step-by-step guide to migrate from transparent to routed mode? I guess I have to create a local subnet for all my devices which were directly connected to the Internet and have local IP on the inside and global IP on the outside of each of the firewall interfaces now, right?

 

Thank you.

 

 

-ammar

Migration from transparent firewall to routed firewall mode depends on the network requirements and on your knowledge, as you have more understanding of your network. We can only give you advice. Remember, once you change the mode from transparent to routed or vice versa, the configuration on the box will be wiped.

Here:

https://www.cisco.com/c/en/us/support/docs/security/firepower-2100-series/213519-configure-fdm-firepower-device-manageme.html

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html#anc9

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKSEC-2112.pdf

please do not forget to rate.

I haven't used transparent mode for years because on the FTD in routed mode, you can have inline interfaces, which very often give exactly the functionality that transparent mode was used for. I would evaluate if you can work with them in your scenario.

 

EDIT: Oh, wait ... no FMC? I missed that essential part. Inline sets are also not available on FDM managed FTDs!

Karsten,

 

Can't you configure inline interfaces using CLI?

 

Regards.

 

 

-ammar

I am afraid the NGFWs are GUI-based. Not like us old school, who get things done by CLI faster.

Sorry, did not mean to hijack Karsten's question.

please do not forget to rate.

Ok, I'm convinced to buy FMC. However, I need a temporary FMC in order to start configuring the firewall with inline interfaces and be able to set up the servers so I can install FMC permanently. Are there open FMC servers, or ones available as SaaS, that I can subscribe to for a month or so? Does Cisco offer a 30-day trial on their FMCs?

In order to download vFMC you need a Cisco service contract in place. Or you can reach your local Cisco representative or your gold partner.

Normally vFMC comes with a 90-day evaluation pack. However, as you are using a firewall, you need a smart license with your FMC.

FMC is available as SaaS at the moment on Azure.

please do not forget to rate.