12-03-2019 07:17 PM - edited 02-21-2020 09:44 AM
I am migrating a customer from an ASA 5505 to a FirePower 1120 with IPS and AMP services. I have a few questions about the onboard device manager vs the management center. The ASA config is not terribly complicated - it has a single static route for Internet access, a couple static translations from the outside for the email server and such, a client access VPN and a single site-to-site VPN. I don't think there's too much more to it. Here's what I'd like to know; any insight would be greatly appreciated:
1 - I'd like to migrate the existing ASA config using the migration tool, but I understand that will only work with FMC. But I've seen some information that leads me to believe FMC won't support the 1120 - is this correct? Can I only use FDM with the 1120?
2 - I have also seen some info referencing limitations with FDM, such as not supporting site-to-site VPNs or QoS, which would be a problem for me. Is this correct, or does FDM support those things?
What would be your suggestions for the best way to get the new device configured? Thanks in advance,
Chris
12-03-2019 11:15 PM
If you use the downloadable migration tool then, yes, it requires FMC.
However you can manage locally with FDM and add Cisco Defense Orchestrator (CDO) the cloud-based management tool. It has an ASA-FTD migration tool built-in. You could even use it on a trial only basis and do only the migration. If you like it, keep the service active and pay for it (not very costly for a single device).
Both FMC and FDM will manage the Firepower 1120. FMC would need to be at least release 6.4.0.3. Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#id_60525
FDM (and CDO) can do site-site VPNs just fine (see below). QoS isn't supported in the FDM (or CDO) GUI but you should be able to do a Flexconfig for your QoS policy and deploy that way.
12-04-2019 03:01 PM
Thanks Marvin, the CDO definitely looks interesting. I can try to get a trial set up, but even if that doesn't work it looks to be about $150/yr - that's certainly not a huge cost. So if I'm reading this migration document correctly (Migrating ASA to Firepower Threat Defense Using Cisco Defense Orchestrator - Getting Started [Cisco Adaptive Security Appliance (ASA) Software] - Cisco), CDO should be used to migrate the ASA if I want to manage the 1120 via FDM, and the Firepower Migration Tool should be used if I want to manage it via FMC. I think, since it's a single firewall site without a terribly complex config, and since you showed I can still recreate my site-to-site VPN, that I'd be better off managing it with the device manager - do you agree? Or is there a compelling reason I would use FMC instead?
Also, if I use CDO to migrate the config and manage the 1120 with FDM, can I assume there won't be any difficulties down the road should I stop using CDO? I can just let it go and manage the 1120 full time with the device manager?
Thanks
Chris
12-04-2019 09:25 PM
Correct.
CDO/FDM is more netops-oriented. FMC is more secops/ SOC-oriented.
FMC does have more advanced security analysis features and a few advanced configuration can only be done with it (but that list is shrinking with every release).
CDO can co-exist with or be entirely replaced by FDM without any loss of configuration.
12-05-2019 07:37 PM
Sounds good, I'm going to start playing around with device manager while I wait for a CDO trial. Thanks Marvin, you've been a great help!
Chris
06-21-2020 03:25 AM
Hi Marvin,
Can we configure sub-interfaces, port-channels and HA using FDM?
06-21-2020 04:13 AM
Yes, EtherChannel, sub-interfaces and HA are supported using FDM. Here are the 6.5 guides:
HTH
06-22-2020 12:01 AM
Thanks Rob,
I have 6.4 firmware on the box. Will it work, or do I have to upgrade to 6.5?
Thanks
Ajay
06-22-2020 12:16 AM
Etherchannel is not supported on FDM 6.4, it was first introduced in 6.5.
So if you require that feature you will need to upgrade
06-24-2020 12:24 AM
Thanks Rob, got that.
I was not able to find the upgrade steps for FDM.
I found many docs on upgrading the FMC and the checks to run before the upgrade.
It seems easy in FDM to go to the update section, upload the image and upgrade, but I fear the device might not come back up.
06-24-2020 12:38 AM
The upgrade is indeed that easy. If the image is bad or incompatible it will tell you and abandon the upgrade before starting.
If the failure is more subtle and happens along the way, it will have the same log files in /var/log/sf that it would if it were FMC-managed and upgraded from the FMC.
06-25-2020 10:30 AM
Thanks Marvin,
That was helpful.
I have a management network, but it was an inside port of the ASA acting as the gateway for all management addresses of the inside network devices. Basically it was just a data interface acting as the gateway for the management network.
In FDM, I have configured the management IP under Device > System Settings > Management Interface and have connected the management port to the management VLAN. How can I move this management interface to a data port, where the same management IP will be used for licensing and updates from the cloud and will also serve as the gateway for the internal management network?
Also I am not able to see the add subinterface button under interface.
Also do we have any CLI reference for basic configurations.
Thanks in advance.
07-09-2020 07:26 PM
Hi Team,
Thanks for your inputs; I was able to do the setup. Now only one thing remains: the remote network at the peer end of the site-to-site tunnel is not able to communicate with my local network. The other direction is working after I created the NAT rules keeping source and destination the same in the original and translated packet configs.
The access rules defined for the access are from the inside interfaces to the outside interfaces.
In Palo Alto we also define access rules for incoming traffic, with the source as the VPN zone.
Here I tried reverse NAT rules and reverse access rules too, with the source as outside and the destination zone as inside, and it is still not working.
Any expert comment for this?
07-09-2020 11:25 PM
Hi,
You would need to define access rules from inside to outside AND from outside to inside to permit traffic over the VPN tunnel.
You would normally configure your NAT Exemption rule as such:
nat (INSIDE,OUTSIDE) source static LAN LAN destination static REMOTE-NETWORK REMOTE-NETWORK no-proxy-arp
If that is what you had configured please provide screenshots and run packet-tracer from the CLI and provide the output.
HTH
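An added example, not part of the thread, showing what the NAT exemption and the verification steps look like on the FTD CLI for the topology described above. The object names, addresses and interface names are assumptions: a local LAN of 10.10.0.0/24 behind INSIDE and a remote site of 10.20.0.0/24 reached through OUTSIDE. On an FDM-managed device the objects, the NAT rule and the access rules are created in the GUI and deployed; the configuration lines below show what that deployment produces, and the two packet-tracer runs check each direction of the tunnel separately, which is the check the reply asks for.

```text
! Network objects as deployed by FDM (assumed names and addresses)
object network LAN
 subnet 10.10.0.0 255.255.255.0
object network REMOTE-NETWORK
 subnet 10.20.0.0 255.255.255.0

! NAT exemption: an identity translation in both directions. As a manual
! (section 1) rule it is evaluated before the interface PAT rule used for
! Internet access, so VPN traffic is never translated to the outside address.
nat (INSIDE,OUTSIDE) source static LAN LAN destination static REMOTE-NETWORK REMOTE-NETWORK no-proxy-arp

! Direction that is failing: a remote host reaching a local server on SMB.
! The NAT phase must show the identity rule above (not the outside PAT),
! the access-control phase must match an outside-to-inside rule, and the
! final line must read "Action: allow".
packet-tracer input OUTSIDE tcp 10.20.0.5 40000 10.10.0.10 445 detailed

! Direction already working, for comparison
packet-tracer input INSIDE tcp 10.10.0.10 40000 10.20.0.5 445 detailed

! Confirm the exemption is actually being hit in both directions:
! translate_hits counts inside-to-outside matches, untranslate_hits the reverse.
show nat detail

! Confirm traffic is leaving and arriving encrypted: both #pkts encaps and
! #pkts decaps should increase while the remote host is sending.
show crypto ipsec sa
```

If packet-tracer drops the outside-to-inside flow in the NAT phase, the exemption is ordered after the PAT rule or does not match the remote subnet; if it drops in the access-control phase, the outside-to-inside access rule is missing, which matches the symptom described earlier in the thread.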