03-22-2017 10:51 AM - edited 03-12-2019 02:06 AM
Dear Experts,
I'm installing 4110 for the first time.
My customer wants to have the AnyConnect feature, so we decided to go with ASA on the 4110. The application is installed, but I don't know how I can enable IPS on it. Is it the same as the legacy ASA with SourceFire services? What about traffic flow: do I need to create a policy on the ASA to forward traffic to the IPS engine? Will it be managed from FMC, or do I need to manage the whole 4110 from the FMC?
I have another issue regarding licensing: I went through some documents saying that the ASA needs a legacy license, but my 4110 is showing that it needs to be registered for Smart Licensing.
Need your help please.
Thank you
03-22-2017 07:32 PM
A FirePOWER 4110 with an ASA logical device cannot also run the FirePOWER service module.
Any IPS in such a scenario needs to be on a separate device.
To run both NGFW and NGIPS type services on a 4100 series requires use of the FTD logical device type.
ASA on the FirePOWER appliances (4100 and 9300 series - the new 2100 series is FTD-only) requires Smart Licensing. You need to register the chassis in your portal and then assign ASA licenses to it. That includes the 3DES-AES and AnyConnect license types (among others).
03-22-2017 07:37 PM
Thank you Marvin for your response.
So I need to run both applications (ASA + FTD) on the same 4110, right? In this case I still have some doubts:
1- How will I forward traffic from the ASA to FTD to be inspected?
2- How will the ASA and FTD integrate? Is there some internal sensor interface the ASA can use to reach FTD?
I would appreciate it if you have any document that explains how to have ASA + IPS on the 4110 so I can follow it.
Thank you
03-22-2017 08:05 PM
Sorry but a given 4100 series chassis can only run an ASA or an FTD logical device - never both at the same time.
Basically if you choose to deploy the legacy ASA as a logical device on the new chassis type you are forgoing the ability to use IPS services on that chassis. Any IPS needs to be on a separate external device.
If you switch to the FTD logical device (licensing required) then you can run most (but not all) ASA services along with the full set of IPS features we are used to with FirePOWER.
Notably lacking features on FTD that are in the ASA are remote access VPN (being introduced soon in FTD 6.2.1 but will still have some caveats) and multiple context support. The routing support is not as strong either (even such as it is on the ASA).