The ASA alone can't run NGIPS

yeruel77 · ‎07-05-2017

Hi, Team, I am looking your confirmation regarding about licensing for web security and ASA NGFW redundant appliance. We have two ASA NGFW and two Web security. and we have single license for ASA NGFW and Web security. Is single license works for two ASA NGFW and Two Web appliance as failover deployment?

ASA NGFW and Web Security- BoM
No.	Part Number	Serial Number	Qty.
1	ASA 5525 NGFW (Qty 2)
	ASA5525-FPWR-BUN	ASA 5525-X with FirePOWER Svcs. Chassis and Subs. Bundle	1
	ASA5525-FPWR-K9	ASA 5525-X with FirePOWER Services, 8GE, AC, 3DES/AES, SSD	2
	CON-3SNT-A25FPK9	3YR SNTC 8X5XNBD ASA 5525-X with FirePOWER Services, 8GE	2
	CAB-ACE	AC Power Cord (Europe), C13, CEE 7, 1.5M	2
	SF-ASA-X-9.2.2-K8	ASA 9.2.2 Software image for ASA 5500-X Series,5585-X,ASA-SM	2
	SF-ASA-FP5.4-K9	Cisco FirePOWER Software v5.4 for ASA 5500-X	2
	ASA5525-CTRL-LIC	Cisco ASA5525 Control License	2
	ASA5500X-SSD120INC	ASA 5512-X through 5555-X 120GB MLC SED SSD (Incl.)	2
	ASA5525-MB	ASA 5525 IPS Part Number with which PCB Serial is associated	2
	ASA5500-ENCR-K9	ASA 5500 Strong Encryption License (3DES/AES)	2
	L-ASA5525-TA=	Cisco ASA5525 FirePOWER IPS License	1
	L-ASA5525-TA-3Y	Cisco ASA5525 FirePOWER IPS 3YR Subscription	1
2	Web Security (Qty 2)
	WSA-S190-K9	WSA S190 Web Security Appliance with Software	2
	CON-SNT-S190	SMARTNET 8X5XNBD WSA S190 Web Security Appliance with Sof	2
	CCS-PWR-AC-770W	Cisco Content Sec AC Power Supply 770W for x90 appliance	2
	CAB-9K10A-EU	Power Cord, 250VAC 10A CEE 7/7 Plug, EU	2
	SF-WSA-9.1.0-K9	WSA Async OS v9.1.0	2
	CCS-HDD-BLNK	Content Sec 2.5 inch HDD blanking panel	12
	CCS-PWR-BLNK	Cisco Content Sec Power Supply Blanking Panel	2
	CCS-MEM-8GB	Content Sec 8GB DDR4-2133-MHz RDIMM/PC4-17000	2
	CCS-HDD-600GB	Content Sec 600GB 12G SAS 10K RPM SFF HDD (4K)	4
	CCS-MLOM-I-RJ45	Cisco Content Sec i350 MLOM NIC	2
	CCS-MRAID-12G	Cisco Content Sec 12G SAS Modular Raid Controller	2
	CCS-CPU-E5-2609D	Content Sec 1.90 GHz E5-2609 v3/85W 6C/15MB Cache	2
	WSA-L4TM-LIC	WSA L4 Traffic Monitoring License	2
	WSA-CASM-LIC	WSA Cisco AnyConnect Secure Mobility License	2
	WSA-HTTPS-LIC	WSA HTTPS Inspection License	2
	WSA-PROXY-LIC	WSA Proxy and Dynamic Vectoring and Scanning License	2
	WSA-WSP-LIC=	Web Premium SW Bundle (WREP+WUC+AMAL) Licenses	250
	WSA-WSP-3Y-S2	Web Premium SW Bundle (WREP+WUC+AMAL) 3YR, 200-499 Users	250

Karsten Iwen · ‎07-05-2017

1) In the first line you only have 1*ASA5525-FPWR-BUN, that should be two times.

2) The IPS-licenses have to be bought twice. For the security-module there is no license-sharing as it's done with the base-ASA. Both modules need their own licenses.

3) You need something to manage the devices. Add the Firepower Management-Center to your BOM. There are both virtual and physical appliances available.

4) Should this device also be used for remote-access-VPNs? Then you have to add AnyConnect licenses.

yeruel77 · ‎07-05-2017

Okay Thanks,

is it possible to run NGIPS on ASA image ? or have to migrate ASA image to FTD image to running Basic NGIPS?

Karsten Iwen · ‎07-06-2017

The ASA alone can't run NGIPS. You need the Firepower service for that. You have the choice to use it as

ASA with Firepower service module
as Firepower Thread Defense (FTD)

The first option gives you more features (flexible remote-access-VPN), the second is a more integrated approach.

Cisco 5525 ASA NGFW and Web security Appliance Licensing