ASA5555x - FirePower - Anyconnect Question

ttnstc3477
Level 1

Hello,

I am about to upgrade an ASA5555x.  However, I have been reading on some blogs that there is an issue with AnyConnect VPN clients.  I have not seen it on any of the release notes for FirePower and the 5500X, and the data sheet clearly indicates that it is supported.  I also have a Virtual FMC license, and I have read that for the 5555x an FMC is required - and I have read in other areas that it is not required.  I would really appreciate it if somebody could give me the real scoop on this before I venture down this dark-looking path.

Thanks,

Tc

4 Replies

Marvin Rhoads
Hall of Fame

It's a shifting landscape, thus some of the confusion out there.

The ASA with FirePOWER service module fully supports AnyConnect (client-based or clientless) remote access VPN. 

There is a new image type known as FirePOWER Threat Defense or FTD. FTD can run on an ASA appliance or one of the new FirePOWER appliances (2100, 4100 or 9300 series). It integrates the two code bases into one image and does not yet have full support for the legacy ASA features (as of the current 6.2.0.1 release). Unsupported features notably include AnyConnect remote access VPN. A 6.2.1 release will be out very soon with initial AnyConnect support. It will be limited though and lack several features (no clientless, no 2-factor authentication, etc.).

Regarding FMC, the initial release (version 5.3) of FirePOWER on the 5555-X required it. FirePOWER 6.0 added ASDM management support for managing the FirePOWER module on that platform, but you are much better served with FMC as ASDM has some constraints that make it unsuitable for all but the smallest deployments.

Thank you Marvin.

I have read a plethora of your and others' responses to questions on this subject.  While it is time consuming, it has been very helpful and insightful.  I appreciate your response, as it confirmed what I suspected.  I host several websites, with HA routers, BGP, Outside, DMZ, and Inside interfaces.  So, I have some decisions to make, or at least recommend to management.  I do have one other quick question, if you can answer it that would be great: if I was to decide to go with FTD on the ASA to start, can I still use the conversion tool with a lab FMC and use the output on the FTD, or would that only be if I went ahead and went full blown with an ASA5555x re-image for management by an FMC?  I am also wondering if there is an issue in breaking the HA redundancy on my ASA5555x's and only upgrading one, while the redundant one continues to perform its duties; then, when satisfied I am ready (and the FTD is), bring it online and then convert the other.  Is that possible?  Seems like the way to do it to me.

Sorry, that was an extra question.  Thank you in advance and once again I appreciate your response.

Tony

You're welcome. 

If you're asking about exporting the conversion-tool-only FMC output for an FTD device that's locally managed, that's not supported.

Local management on an FTD device is done with FirePOWER Device Manager (FDM). I can't say I've tried it, but I don't believe FDM supports importing externally generated configuration files. Similar to ASDM vs. FMC management of the FirePOWER service module, FDM doesn't expose 100% of the functions of the FTD device.

Jumping into FTD for your production setup should be approached with care as of now. I haven't done such a conversion in the wild just yet, and those who have are reporting back a number of issues. If you have anything but a basic ASA setup, I'd advise waiting for now. The guys over at firewall.cx are saying the same in their recent blog post.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/1197-cisco-asa-firepower-threat-defense-ftd-installation-management.html

I inquired, and they've promised a follow-up posting with details on the issues they encountered.

Thanks again Marvin.  I understand and appreciate the answer.

Thanks,

Tony
