12-13-2018 03:17 PM - edited 03-12-2019 07:10 AM
Hi,
Have been trying to find a replacement for a client's 5510. I found the 5506-X and, based on the data sheet, I think that will do the job just fine. There is one location only and the device will be used as a firewall and VPN device for remote users. I was thinking of the FTD bundle rather than the FPWR one, as there is actually no need for FMC and it would be managed by FDM.
My choice was:
ASA5506-FTD-K9=
L-ASA5506T-T= (one year, just threat defense/protection, no URL or malware)
In case there is a need for FMC in the future (potential second location coming), would the L-ASA5506T-T= license need to be changed/migrated to the FMC one, L-ASA5506-TA= ?
In terms of AnyConnect, I guess I don't need any if VPN clients will keep using the Windows native VPN client?
Still to make a decision on whether the 5508-X wouldn't be a better option long term (5506-X not supported with 6.3), but the above applies to both.
Any comments appreciated.
Regards
12-13-2018 08:11 PM
12-13-2018 09:16 PM
Thank you for your comments.
You're right about the remote VPN licensing, as I have just found the following statement in the FTD config guide with FDM:
In addition, you need to purchase and enable a remote access VPN license, any of the following: AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only. These licenses are treated the same for Firepower Threat Defense devices, even though they are designed to allow different feature sets when used with ASA Software-based headends.
Do you know if that's still required if managed by FMC? I have been looking for it in FTD config guide with FMC but haven't found the clear answer yet.
I have been looking at the 5508-X as well for the reason of better throughput, plus 50 VLANs and 50 VPN users compared to 5 or 30 with the Security Plus license.
Also, in the meantime I found what the difference is between the FTD and FPWR bundles. The former comes with FTD software, whereas the latter comes with ASA with FirePOWER Services, so definitely the FTD bundle is the way to go.
Thank you.
12-14-2018 05:45 AM
12-14-2018 08:38 AM - edited 12-14-2018 08:38 AM
So I understand you can use LDAP authentication with FDM but for FMC you can use LDAP or RADIUS?
Still digging on AnyConnect licenses, as on the current 5510 there seem to be no AnyConnect licenses and logging into the VPN with the native OS client works fine. Did it change from 5500 to 5500-X? I guess it did, and now on the newer boxes an AnyConnect license is required for remote access VPN.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
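As an added example (not part of the original post, nor Cisco's own tooling), the license block pasted above can be parsed and checked mechanically before deciding what a replacement box must be licensed for. The script below reads the "Feature : value" pairs that `show version` prints, converts them into a dictionary, and flags anything that does not fit a planned remote-access deployment. The sample input is the poster's own output, reconstructed here as a single flattened string the way it appeared on the page; the planned user count passed to `findings()` and the finding texts are assumptions for illustration.

```python
import re

# Constructed sample: the "Licensed features" section of `show version` from
# the post above, flattened onto one line by copy/paste. A real device prints
# one feature per line; the parser below accepts either form.
SAMPLE_LICENSE_OUTPUT = (
    "Licensed features for this platform: Maximum Physical Interfaces : Unlimited "
    "Maximum VLANs : 50 Inside Hosts : Unlimited Failover : Disabled VPN-DES : Enabled "
    "VPN-3DES-AES : Enabled Security Contexts : 0 GTP/GPRS : Disabled SSL VPN Peers : 2 "
    "Total VPN Peers : 250 Shared License : Disabled AnyConnect for Mobile : Disabled "
    "AnyConnect for Cisco VPN Phone : Disabled AnyConnect Essentials : Disabled "
    "Advanced Endpoint Assessment : Disabled UC Phone Proxy Sessions : 2 "
    "Total UC Proxy Sessions : 2 Botnet Traffic Filter : Disabled "
    "This platform has a Base license."
)

# One "Feature name : value" pair. Feature names contain spaces, slashes and
# hyphens, so they are matched non-greedily up to the colon; the value is a
# number or one of the fixed keywords the ASA prints. The leading
# "Licensed features for this platform:" header never matches because the
# text after its colon is not a value.
_PAIR = re.compile(
    r"([A-Za-z][A-Za-z0-9/\- ]*?)\s*:\s*(Unlimited|Enabled|Disabled|\d+)\b"
)


def parse_license_features(text):
    """Return {feature_name: value}; counts become int, Enabled/Disabled
    become bool, and 'Unlimited' is kept as a string."""
    features = {}
    for name, value in _PAIR.findall(text):
        if value.isdigit():
            features[name] = int(value)
        elif value in ("Enabled", "Disabled"):
            features[name] = value == "Enabled"
        else:
            features[name] = value
    return features


def platform_license_level(text):
    """Extract the license level from the trailing 'This platform has a ... license.' line."""
    m = re.search(r"This platform has an? (.+?) license", text)
    return m.group(1) if m else None


def vpn_summary(features):
    """Pull out the entries that decide remote-access VPN capacity.
    Reports only what the output itself states."""
    return {
        "strong_crypto": bool(features.get("VPN-3DES-AES", False)),
        "ssl_vpn_peers": features.get("SSL VPN Peers"),
        "total_vpn_peers": features.get("Total VPN Peers"),
        "anyconnect_essentials": bool(features.get("AnyConnect Essentials", False)),
    }


def findings(features, planned_ssl_vpn_users):
    """Compare a planned deployment against the license block. The planned
    SSL/AnyConnect user count is an assumed input, not taken from the post."""
    out = []
    s = vpn_summary(features)
    if not s["strong_crypto"]:
        out.append("VPN-3DES-AES is disabled: only DES is licensed, which is "
                   "not acceptable for a production VPN")
    if isinstance(s["ssl_vpn_peers"], int) and planned_ssl_vpn_users > s["ssl_vpn_peers"]:
        out.append(f"SSL VPN Peers is {s['ssl_vpn_peers']}, below the planned "
                   f"{planned_ssl_vpn_users} SSL/AnyConnect users")
    if not s["anyconnect_essentials"]:
        out.append("no AnyConnect Essentials license is enabled on this box")
    return out


if __name__ == "__main__":
    feats = parse_license_features(SAMPLE_LICENSE_OUTPUT)
    print("license level:", platform_license_level(SAMPLE_LICENSE_OUTPUT))
    print("vpn summary:", vpn_summary(feats))
    for line in findings(feats, planned_ssl_vpn_users=10):
        print("-", line)
```

Feed it the raw `show version` text from any ASA (multi-line output works the same way) to get a quick read of whether a box is licensed for the remote-access load you intend to put on it; the numbers that matter for this thread are the SSL VPN peer count versus the total VPN peer count.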
12-15-2018 06:57 AM