Choosing the right firewall, 5506-X bundle and licensing

Mikolaj Moryto
Level 1

Hi,

 

I have been trying to find a replacement for a client's 5510. I found the 5506-X and, based on the data sheet, I think it will do the job just fine. There is one location only and the device will be used as a firewall and VPN device for remote users. I was thinking of the FTD bundle rather than the FPWR one, as there is actually no need for FMC and it would be managed by FDM.

 

My choice was:

ASA5506-FTD-K9=

L-ASA5506T-T= (one year, just threat defense/protection, no URL or malware)

 

In case there is a need for FMC in the future (potential second location coming), would the L-ASA5506T-T= license need to be changed/migrated to the FMC one, L-ASA5506-TA= ?

 

In terms of AnyConnect, I guess I don't need any if the VPN clients will keep using the Windows native VPN client?

 

Still to decide whether the 5508-X wouldn't be a better option long term (the 5506-X is not supported with 6.3), but the above applies to both.

 

Any comments appreciated.

 

Regards

5 Replies

Francesco Molino
VIP Alumni
Hi

FTD supports SSL and IKEv2 VPN with LDAP and RADIUS authentication, at least when managed by FMC. With FDM, I believe it's the same except you can only have LDAP authentication (not deployed a lot without FMC because there are limitations and, honestly, even for small designs FMC isn't too expensive for 2 managed devices).

With version 6.3, you can now have local accounts as well.

If I recall correctly, with FDM you can't configure remote access VPN if you don't have AnyConnect licenses attached, which means you will need to go with it.

If you have a 5510, I would recommend the ASA5508-X. Also because the 5506 isn't a compatible device for 6.3.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for your comments.

 

You're right about the remote VPN licensing, as I have just found the following statement in the FTD config guide for FDM:

 

In addition, you need to purchase and enable a remote access VPN license, any of the following: AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only. These licenses are treated the same for Firepower Threat Defense devices, even though they are designed to allow different feature sets when used with ASA Software-based headends.

 

Do you know if that's still required when managed by FMC? I have been looking for it in the FTD config guide for FMC but haven't found a clear answer yet.

 

I have been looking at the 5508-X as well, for the better throughput plus 50 VLANs and 50 VPN users, compared to 5 or 30 with the Security Plus license.

 

Also, in the meantime I found out what the difference is between the FTD and FPWR bundles. The former comes with FTD software whereas the latter comes with ASA with FirePOWER services, so the FTD bundle is definitely the way to go.

 

Thank you.

It's something I do so often with FMC that, now you're asking the question, I have a doubt 😂
Yes, I believe it's required as well. I can't test because the ones I have in my lab have licenses.
I heard about new boxes coming out soon (FP 1000 series). Talk with your Cisco representative to see when they'll be released and what the list price is. FP boxes are more powerful.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

So I understand you can use LDAP authentication with FDM, but with FMC you can use LDAP or RADIUS?

 

Still digging on AnyConnect licenses, as on the current 5510 there seem to be no AnyConnect licenses and logging into the VPN with the native OS client works fine. Did it change from 5500 to 5500-X? I guess it did, and now on the newer boxes an AnyConnect license is required for remote access VPN.

 

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 50
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 0
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled
 
This platform has a Base license.
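Added example (editor's code, not from any poster in this thread or from Cisco): a small parser for the `show version` licensed-features block quoted above, plus an audit of the entries that decide whether remote-access VPN will work as planned. The sample text is the 5510 output from the post, embedded as a constructed string; the finding codes and the `min_ssl_peers` threshold are assumptions chosen for this example. The audit relies on two ASA facts: SSL/AnyConnect sessions are capped by "SSL VPN Peers", while IPsec sessions (IKEv1, which is what the Windows native L2TP/IPsec client uses) are capped by "Total VPN Peers".

```python
"""Parse an ASA `show version` licensed-features block and audit the VPN-relevant entries."""
import re
from typing import Dict, List, Tuple, Union

Value = Union[int, str]

# Constructed sample: the licensed-features output from the 5510 quoted in this thread.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 50
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 0
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.
"""


def parse_license_block(text: str) -> Dict[str, Value]:
    """Return {feature: value}; purely numeric values become int, everything else stays a string."""
    features: Dict[str, Value] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # e.g. "This platform has a Base license."
        key, value = (part.strip() for part in line.split(":", 1))
        if not key or not value:
            continue  # the "Licensed features for this platform:" header has no value
        features[key] = int(value) if value.isdigit() else value
    return features


def platform_license(text: str) -> str:
    """Extract the license tier from the trailing 'This platform has a ... license.' line."""
    m = re.search(r"This platform has an? (.+?) license\.", text)
    return m.group(1) if m else "unknown"


def audit_vpn_licensing(features: Dict[str, Value], min_ssl_peers: int = 10) -> List[Tuple[str, str]]:
    """Return (code, message) findings about remote-access VPN capacity and crypto licensing.

    min_ssl_peers is an assumed planning threshold for this example: how many
    concurrent SSL/AnyConnect users the deployment needs.
    """
    findings: List[Tuple[str, str]] = []
    ssl_peers = features.get("SSL VPN Peers", 0)
    total_peers = features.get("Total VPN Peers", 0)
    if isinstance(ssl_peers, int) and ssl_peers < min_ssl_peers:
        findings.append(("SSL_VPN_CAP_LOW",
                         f"only {ssl_peers} concurrent SSL/AnyConnect peers licensed "
                         f"(IPsec peers, incl. native L2TP/IPsec clients, are capped at {total_peers})"))
    if features.get("AnyConnect Essentials") != "Enabled":
        findings.append(("ANYCONNECT_NOT_LICENSED",
                         "AnyConnect Essentials is not enabled; SSL clients are limited to the "
                         "'SSL VPN Peers' count"))
    if features.get("VPN-DES") == "Enabled":
        findings.append(("WEAK_CRYPTO_LICENSED",
                         "single DES is licensed; verify no IKE/IPsec proposal actually offers it"))
    if features.get("Failover") != "Enabled":
        findings.append(("NO_FAILOVER", "failover is not licensed on this unit"))
    return findings


if __name__ == "__main__":
    feats = parse_license_block(SAMPLE_SHOW_VERSION)
    print(f"License tier: {platform_license(SAMPLE_SHOW_VERSION)}")
    for code, message in audit_vpn_licensing(feats):
        print(f"[{code}] {message}")
```

Paste the licensed-features section of `show version` from your own unit into `SAMPLE_SHOW_VERSION` (or read it from a file) and lower `min_ssl_peers` to the number of concurrent SSL users you actually need; the `SSL_VPN_CAP_LOW` finding disappears once the licensed count meets it.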

 

 

With FMC you can authenticate using LDAP and RADIUS.

I'm quite sure you need AnyConnect licenses now.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question