
Cisco 4110 FTD AND ASA setup

Hello All, 

I'm new to Cisco 4110. We are planning to migrate FWSM to 4110 with Firepower on it. My question is: do I have to install both ASA and FTD in the same 4110 box, or can FTD itself handle all the FWSM config (object groups, ACLs, NAT, etc.) and the Firepower as well?

Thanks

Anthonize

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

You install one or the other but not both images on a 4110. 

The ASA image will have 100% support of the firewall features.

FTD will not. Especially if you have multiple contexts. 


Thanks Marvin, that's what I thought too.

Hello Marvin, 

What is the best practice(s) when you are configuring zones? Is it based on the environment functions (data, wireless, video, etc.) or is it based on interface like ASA?

I tried to look for good documentation on this but couldn't find any.

Thanks in advance.  

It's a bit new in the product cycle to say there's a "best practice".

Generally I've seen zones used as a container for multiple interfaces of the same security level, where it would make sense to use one zone-based policy for multiple interfaces vs. the traditional one interface = one nameif = one ACL / set of NAT rules.

In my deployment I have used the same name for each interface and its associated security zone; of course, I have just one interface in the same security zone.

I don't see any issue in this approach; rather, it is further helpful when configuring new security policies, i.e. by seeing the security zone name we can find out which interface it is assigned to.

I have a need to use context in FTD and I'm thinking of using an ASA appliance + FTD appliance to meet my demand. Has anyone seen it work?

I cannot use only the ASA because I need an NGFW.

Yes - the current recommendation from Cisco for when you absolutely need multiple contexts is to put an ASA multiple context firewall in series with an FTD appliance.
