
firepower 4110 with ASA application

seegomaa
Level 1

Dear Experts,

I'm installing a 4110 for the first time.

My customer wants to have the AnyConnect feature, so I decided to go with ASA on the 4110. The application is installed, but I don't know how I can enable IPS on it. Is it the same as a legacy ASA with SourceFire services? What about traffic flow: do I need to create a policy on the ASA to forward traffic to the IPS engine? Will it be managed from FMC, or do I need to manage the whole 4110 from the FMC?

I have another issue regarding licensing. I went through some documents saying that ASA needs a legacy license, but my 4110 is showing that it needs to be registered for Smart Licensing.

Need your help please.

Thank you

1 Accepted Solution

Accepted Solutions

Sorry but a given 4100 series chassis can only run an ASA or an FTD logical device - never both at the same time.

Basically if you choose to deploy the legacy ASA as a logical device on the new chassis type you are forgoing the ability to use IPS services on that chassis. Any IPS needs to be on a separate external device.

If you switch to the FTD logical device (licensing required) then you can run most (but not all) ASA services along with the full set of IPS features we are used to with FirePOWER.

Notably lacking features on FTD that are in the ASA are remote access VPN (being introduced soon in FTD 6.2.1 but will still have some caveats) and multiple context support. The routing support is not as strong either (even such as it is on the ASA).


3 Replies

Marvin Rhoads
Hall of Fame

A FirePOWER 4110 with an ASA logical device cannot also run the FirePOWER service module.

Any IPS in such a scenario needs to be on a separate device.

To run both NGFW and NGIPS type services on a 4100 series requires use of the FTD logical device type.

ASA on the FirePOWER appliances (4100 and 9300 series - the new 2100 series is FTD-only) requires Smart Licensing. You need to register the chassis in your portal and then assign ASA licenses to it. That includes the 3DES-AES and AnyConnect license types (among others).

Thank you Marvin for your response.

So I need to run both applications (ASA + FTD) on the same 4110, right? In this case I still have some doubts:

1- How will I forward traffic from ASA to FTD to be inspected?

2- How will ASA and FTD integrate? Is there some internal sensor interface that ASA can use to reach FTD?

I would appreciate it if you have any document that explains how to have ASA + IPS on a 4110 so I can follow it.

Thank you 
