ASA/Firepower interfaces question

robbo79871
Level 1

Hi, I have a few questions regarding the different setups with the different boxes Cisco's Firepower platform comes on. Having used the software now a bit I can say that I really like it and find it a very good piece of kit. I've acquired an FTD and FMC image and I plan on setting up a lab and creating a topology in GNS3 to use them.

I do believe I have a decent understanding of how the whole process works, but there are a few things that do confuse me still.

Can someone take me through the different Firepower platforms and explain how they're different? For example, you've the ASA 5500-X series along with the normal Firepower Series 2100, 9000 that seem to be standalone devices without the inclusion of the ASA hardware/software.

Hopefully I'm also correct in saying that the management interfaces on the ASA 5500-X series have one for the ASA module and one for the Firepower module; you can have them either on the same subnet or different subnets and have their default gateway address as an L3 switch potentially. The traffic will come into an ASA data interface and the service policy on it will dictate to send the traffic to the Firepower management interface for traffic inspection, and it is then sent back to the ASA management interface to either be sent along or dropped.

What is the process for the standalone Firepower series devices that don't have an ASA setup inside them? Do you just manage the firewall and IPS from the one GUI, as opposed to the ASA 5500-X devices where you've to use both ASDM and FMC to manage both modules, right?

Do you also have to set up the same interfaces on the ASA and Firepower modules with the same IP addresses etc.? For example, if I have an outside IP on the ASA of 1.1.1.1 and nameif outside etc., do I have to set up an interface on the Firepower module with the same config?

Thanks for all the help; these little things are the ones that are confusing me the most and I haven't been able to find definite answers for myself.

11 Replies

Abheesh Kumar
VIP Alumni

Hi,

Firepower is the new Next Generation ASA, and FTD is the unified software that runs on it; the image consists of 2 main engines:

  • LINA engine ( ASA)
  • Snort engine (Sourcefire/Firepower)

This figure shows how the 2 engines interact:

  • A packet enters the ingress interface and it is handled by the LINA engine
  • If it is required by the FTD policy the packet is inspected by the Snort engine
  • The Snort engine returns a verdict (whitelist or blacklist) for the packet
  • The LINA engine drops or forwards the packet based on Snort’s verdict

FTD provides two deployment modes and six interface modes, as shown in the image:

So you can choose the deployment scenario and interface type that suits your network architecture.

Go through the documents below for more details.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/datasheet-c78-736661.html

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html


HTH

Abheesh

Hi, thanks for the reply. The example you provided, while it is appreciated, was not quite what I was wondering about; it is a pretty low-level explanation of how traffic flows while entering the ASA and travelling to the Firepower module. I'm still curious about pretty much all of the questions I asked in my original post.

k.nandakumar
Level 1

Are you asking only about FTD software, or asking about ASA w/ FirePOWER service also?

FTD running on either the ASA 55xx platform or the Firepower 21xx, 41xx, 9300 is the same, except the new FP21xx, 41xx, 9300 platforms have come with advanced features like Cluster, Intelligent Application Bypass etc.

Let me take one question at a time...

Marvin Rhoads
Hall of Fame

@robbo79871 wrote:

Can someone take me through the different Firepower platforms and explain how they're different? For example, you've the ASA 5500-X series along with the normal Firepower Series 2100, 9000 that seem to be standalone devices without the inclusion of the ASA hardware/software.

A: ASA appliances can run ASA software (with or without Firepower service module) or FTD unified software. Firepower 2100, 4100 and 9300 series can run ASA software (WITHOUT Firepower service module) or FTD unified software.

Hopefully I'm also correct in saying that the management interfaces on the ASA 5500-X series have one for the ASA module and one for the Firepower module; you can have them either on the same subnet or different subnets and have their default gateway address as an L3 switch potentially. The traffic will come into an ASA data interface and the service policy on it will dictate to send the traffic to the Firepower management interface for traffic inspection, and it is then sent back to the ASA management interface to either be sent along or dropped.

A: The Firepower service module and ASA share the physical management interface. It's mandatory to use it for Firepower management. The ASA can optionally use that interface or any other interface on the appliance. The management interface is never involved for data plane traffic. When you have a Firepower service module the transfer between the ASA and it is via an internal-only dataplane interface.

What is the process for the standalone Firepower series devices that don't have an ASA setup inside them? Do you just manage the firewall and IPS from the one GUI, as opposed to the ASA 5500-X devices where you've to use both ASDM and FMC to manage both modules, right?

A: Yes, you manage them either on-box (2100 series or ASA running FTD) with the built-in Firepower Device Manager GUI or remotely with Firepower Management Center. One or the other but never both.

Do you also have to set up the same interfaces on the ASA and Firepower modules with the same IP addresses etc.? For example, if I have an outside IP on the ASA of 1.1.1.1 and nameif outside etc., do I have to set up an interface on the Firepower module with the same config?

A: ASA has all the data plane interfaces and associated IP addresses when you are using an ASA with Firepower service module. The module has an address used only for management (and eventing when there's an FMC managing it).

For further information, please check out some of the free Cisco Live presentations or the Cisco Press book on Firepower Threat Defense.

A: The Firepower service module and ASA share the physical management interface. It's mandatory to use it for Firepower management. The ASA can optionally use that interface or any other interface on the appliance. The management interface is never involved for data plane traffic. When you have a Firepower service module the transfer between the ASA and it is via an internal-only dataplane interface.....

So there is only one management interface with one IP address and it can be used for both FMC and ASDM management?

A: ASA has all the data plane interfaces and associated IP addresses when you are using an ASA with Firepower service module. The module has an address used only for management (and eventing when there's an FMC managing it).....

So do you set up the IP addresses on the interfaces on the ASA or FMC when you configure them? What I got from your answer above is that the data plane interfaces (non-management) are only set up on the ASA side and not the FMC. Sorry, I'm still a bit confused by your answer.

Thanks for the help so far though, it is much appreciated.

All ASAs (except the ASAv VM) have at least one physical management interface. However, use of it is optional for the ASA itself, as they can always be managed by one or more of the other physical interfaces (as long as you allow it in your configuration). When you have an ASA with Firepower service module, you MUST use the management interface to manage the module (whether you manage it via ASDM or via FMC).

Interfaces that handle traffic through the box (e.g. data plane) are always configured in the ASA, not in the Firepower module. Traffic through the ASA has no interaction with the IP address of the Firepower service module. It arrives on an ingress interface on the ASA and exits via an egress interface.

You set up the Firepower module's address during the initial installation of the module (from the CLI via session into the module from the ASA to which it belongs).
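To make the split described in this reply concrete (data-plane interfaces and their addresses live on the ASA; the module gets only a management address, set from inside the module; the ASA service policy decides which through-traffic is handed to the module), here is a constructed ASA configuration fragment. It is an added example, not taken from this thread or from Cisco documentation; the interface names, subnets, FMC address and registration key are placeholders, and comment lines (prefixed with `!`) are explanation only.

```text
! --- ASA side: data-plane interfaces belong to the ASA, not the module ---
! (placeholder addresses from the RFC 5737 / RFC 1918 ranges)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Management0/0 is the physical port the module shares with the ASA.
! The module's own IP is set from inside the module (further down), not here.
! Giving the ASA an address on it is optional; it is never used for through-traffic.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! --- Service policy that hands through-traffic to the sfr module ---
! The ACL selects what gets inspected; "any any" sends everything.
access-list sfr_redirect extended permit ip any any
class-map sfr_class
 match access-list sfr_redirect
policy-map global_policy
 class sfr_class
! fail-close: if the module is down, not yet booted, or unresponsive, matching
! traffic is dropped rather than passed uninspected. "sfr fail-open" is the
! alternative; pick it deliberately, since it trades inspection for availability.
  sfr fail-close
service-policy global_policy global
!
! --- Module side: set the management address by sessioning into the module ---
! (typed on the ASA, then at the module's own prompt after logging in)
session sfr console
configure network ipv4 manual 192.168.100.2 255.255.255.0 192.168.100.254
configure manager add 192.168.100.50 PLACEHOLDER-REGISTRATION-KEY
!
! --- Checks from the ASA CLI ---
! Module status should read Up, and the module's management IP is listed here.
show module sfr details
! Confirms the class is matching and packets are actually being redirected,
! and shows whether the policy is in fail-open or fail-close mode.
show service-policy sfr
```

The point to take from the fragment is that nothing about `outside` or `inside` is repeated on the module: the only address the module ever has is the one set with `configure network`, and that address is used for management and event reporting, not for the traffic path. The fail-open/fail-close choice is the one setting in this block worth reviewing in a change: with fail-open, a module outage silently turns the ASA back into a plain stateful firewall for the redirected traffic.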

So can you run an FTD image on an ASA/Firepower device and control everything on there (both the ASA and Firepower device)?

From what you've said it sounds like you can pretty much do any combination on either device (Firepower series and ASA/Firepower module). If that is the case, then it sounds like it would be a lot easier to just manage an ASA/Firepower or Firepower series device via FMC using FTD on the device, as opposed to hopping between ASDM and FMC?

When you run FTD it is instead of ASA (or ASA + Firepower). You get most (but not all) of the features of the ASA and all of the Firepower features. For instance, local authentication of remote access VPN users is not supported. Authorization of VPN users based on AD group membership is not supported. Configuring EIGRP requires you use FlexConfig text objects and cannot be done directly via the GUI. etc.

Yes unified management is cleaner visually. However it still has some kinks. For instance, making changes on FMC and then deploying to FTD is not instantaneous - it takes 5-8 minutes (even for single line changes). Migration is an imperfect process (although it has improved) as it relies on the features being configured being supported by the system API and that's not 100% of all features.

Thanks, I think I've 99% got it now; one last thing though. Are the new Firepower series 2100 etc. all managed via an FTD image and nothing else?

2100 supports both FTD and ASA.

2100, 4100 and 9300 series all support ASA image as an alternative to FTD. However you cannot have Firepower service module on those platforms. 
