Cisco ASA 5515 to Firepower device questions

carl.townshend
Level 1

Hi Guys

I am looking at moving from our Cisco ASA 5515-X, which we use for remote access VPN with DAP policies etc.

We need new hardware, so we are looking at a Firepower 1000 series.

I have a few questions.

1. Should we stick with the ASA software on the new appliance or move to Firepower software?

2. We don't want an FMC and want to manage on the box locally using FDM. If we do that, can we still configure DAP policies etc. on the FDM?

3. Would there be a quick way to migrate our ASA to the Firepower device if using the FDM?

Cheers

6 Replies

balaji.bandi
Hall of Fame

It all depends on your choice.

As of today, Firepower devices still support ASA code, if you are looking at a like-to-like migration.

Moving forward, Cisco is focusing more on Firepower (they may fade out the ASA code); in that case at some point in time you will need to move to Firepower (so make the right decision).

From 7.2 onwards there are good improvements in FDM (not all the features of FMC), but it should work.

Always read the release notes to see whether the features work for you before choosing; if some of the features are still not working in FDM, then I would stick with ASA code.

Note: since you do not want to have FMC (if you would like to go the FMC route then you can migrate right from day one, as an ASA to FTD migration tool is available; if this is not a big configuration I would configure it manually, which helps to clean up any old ACLs not required to carry over to the new kit).

BB

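The manual rebuild suggested in the reply above, dropping ACLs that no longer need to carry over, is easy to get wrong on a config that has accumulated years of changes. The following Python script is an added example (not from this thread and not a Cisco tool) that reads an ASA running-config and reports access-lists that no command references, ACLs that contain only remarks, and commands that reference an ACL that is not defined. The ASA config is a constructed sample, and REFERENCE_PATTERNS is an assumption covering the common commands that name an ACL; extend it for anything else your own config uses.

```python
"""Pre-migration ACL audit for an ASA running-config (added example, not a Cisco tool).

Reports access-lists nothing references, ACLs that contain only remarks, and
commands that reference an ACL that is not defined, so the config can be
trimmed before it is rebuilt on the new firewall.
"""
import re
from collections import defaultdict

# Commands that reference an access-list by name; group 1 captures the name.
# Assumption: these are the common reference points on an ASA; extend for any
# others in your config (for example pre-8.3 'nat ... access-list' syntax).
REFERENCE_PATTERNS = [
    re.compile(r"^access-group (\S+) "),                       # interface or global ACL
    re.compile(r"^\s+match access-list (\S+)"),                # class-map (MPF)
    re.compile(r"^crypto map \S+ \d+ match address (\S+)"),    # site-to-site IPsec
    re.compile(r"^\s+vpn-filter value (\S+)"),                 # group-policy / DAP filter
    re.compile(r"^\s+split-tunnel-network-list value (\S+)"),  # group-policy split tunnel
    re.compile(r"^\s+network-acl (\S+)"),                      # dynamic-access-policy-record
    re.compile(r"^\s+match ip address (\S+)"),                 # route-map
    re.compile(r"^aaa (?:authentication|authorization) match (\S+) "),  # cut-through proxy
]

ACE_LINE = re.compile(r"^access-list (\S+) (.*)")


def parse_acls(config):
    """Return {acl_name: [ace text, ...]} for every access-list defined in the config."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACE_LINE.match(line)
        if m:
            acls[m.group(1)].append(m.group(2))
    return dict(acls)


def find_references(config):
    """Return {acl_name: [referencing command, ...]} for every ACL name some command uses."""
    refs = defaultdict(list)
    for line in config.splitlines():
        if line.startswith("access-list "):
            continue  # definitions are not references
        for pattern in REFERENCE_PATTERNS:
            m = pattern.match(line)
            if m:
                refs[m.group(1)].append(line.strip())
                break
    return dict(refs)


def audit_acls(config):
    """Cross-check definitions against references and return the three finding lists."""
    acls = parse_acls(config)
    refs = find_references(config)
    return {
        "unreferenced": sorted(name for name in acls if name not in refs),
        "remark_only": sorted(name for name, aces in acls.items()
                              if all(ace.startswith("remark") for ace in aces)),
        "dangling": sorted(name for name in refs if name not in acls),
    }


# Constructed sample config: not a real device, addresses are documentation ranges.
SAMPLE_CONFIG = """\
hostname asa-edge
access-list OUTSIDE_IN remark Allow HTTPS to the DMZ web server
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list OLD_VENDOR extended permit tcp 198.51.100.0 255.255.255.0 any eq 22
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list VPN_FILTER extended permit tcp any 10.0.0.0 255.0.0.0 eq 443
access-list LEGACY_NOTES remark entries removed in 2019, name kept by mistake
access-list INSPECT_DNS extended permit udp any any eq domain
access-group OUTSIDE_IN in interface outside
class-map DNS_CLASS
 match access-list INSPECT_DNS
group-policy RA_USERS internal
group-policy RA_USERS attributes
 vpn-filter value VPN_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
dynamic-access-policy-record CONTRACTORS
 network-acl CONTRACTOR_ACL
 priority 10
"""

if __name__ == "__main__":
    findings = audit_acls(SAMPLE_CONFIG)
    for category, names in findings.items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Run it against `show running-config` saved to a file by replacing SAMPLE_CONFIG with the file contents. A "dangling" hit (here CONTRACTOR_ACL, named by a DAP record but never defined) is worth fixing before migration, because a referenced-but-missing ACL behaves differently from an empty one on the destination platform.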

Marvin Rhoads
Hall of Fame

FDM does not support DAP. If you require DAP, then you must either use ASA code or manage your FTD with FMC.

You should consider cloud-delivered (cdFMC), as it can be hosted by Cisco and you don't have to spin up and manage a server.

Hi Marvin

With the cloud-delivered FMC, is this the same price as the on-prem FMC? How is the FMC licensed? Do you just pay for the number of firewalls managed etc.?

Also, what do you think the lifespan of the ASA code is? Do you think it will be phased out within 5 years?

Besides DAP, there is another thing to consider. An FDM-managed FTD can only handle one RA-VPN interface. If you have redundant ISPs and terminate RA-VPNs on both, you need ASA or FMC.

From the Cisco doc:

configuration on FTD devices. If you seek the ASA configuration example, please refer to the document: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100918-asa-sslvpn-00.html

Limitations:

Currently, these features are unsupported on FTD, but still available on ASA devices:

  • Double AAA Authentication (Available on FTD version 6.5)
  • Dynamic Access Policy
  • Host Scan
  • ISE posture
  • RADIUS CoA
  • VPN load-balancer
  • Local authentication (available on Firepower Device Manager 6.3. Cisco bug ID CSCvf92680 )
  • LDAP attribute map (Available via FlexConfig, Cisco bug ID CSCvd64585)
  • AnyConnect customization
  • AnyConnect scripts
  • AnyConnect localization
  • Per-app VPN
  • SCEP proxy
  • WSA integration
  • SAML SSO (Cisco bug ID CSCvq90789)
  • Simultaneous IKEv2 dynamic crypto map for RA and L2L VPN
  • AnyConnect modules (NAM, Hostscan, AMP Enabler, SBL, Umbrella, Web Security, and so on). DART is the only module installed by default on this version.
  • TACACS, Kerberos (KCD Authentication and RSA SDI)
  • Browser Proxy

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215875-configure-anyconnect-vpn-client-on-ftd.html

Hi

You say above that DAP policies are not supported on FTD; do you mean not supported locally, i.e. when configuring with FDM? They are supported if configured on the FMC, right?

Cheers
