Migrate multiple context ASA with overlapping subnets to FTD

Chess Norris (Level 4)

Hi,

We are looking to migrate an old ASA 5585-X with multiple contexts to a FTD 4112.

The challenge that we are facing is that the ASA uses the same VLAN IDs and subnet for the outside interface, but on different contexts.

Since we are now moving to a FTD with no context, it's not possible to use the same subnet/VLAN ID and I am looking for a way to solve this. The VLAN ID would not be that difficult to change, but we cannot get more public addresses, so we need to use addresses from the same subnet, but on different interfaces.

Would VRF work in this case or is that just for segregation of routing tables? 

Is there something else we could do to solve this with a single FTD?


Thanks

/Chess

Accepted Solution

@Chess Norris actually since 7.2 you can configure a VTI in a user-defined virtual router.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/720/threat-defense-release-notes-72/features.html


With multi-instance you just carve up resources on the appliance, and run separately managed FTD images. Up to you how you configure it. https://www.cisco.com/c/en/us/products/collateral/security/firewalls/white-paper-c11-744750.html


6 Replies

You can definitely rely on VRF to work around this issue.

balaji.bandi (Hall of Fame)

You need to look at context to instance:


https://community.cisco.com/t5/security-blogs/migrating-asa-multi-context-to-ftd-multi-instance/ba-p/3893465


> Since we are now moving to a FTD with no context, it's not possible to use the same subnet/VLAN ID and I am looking for a way to solve this. The VLAN ID would not be that difficult to change, but we cannot get more public addresses, so we need to use addresses from the same subnet, but on different interfaces.

You need to test some of them offline and do the cutover, if you would like to use the same.


If that is not suitable and you see some limitations, then you need to configure manually and test as per the requirement.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Chess Norris (Level 4)

Thanks for the advice. VRF looks easy, but the problem is the lack of VPN support on VRFs other than the global one. The customer is running L2L tunnels on one of the contexts and RA VPN on another. Multi-instance might be the best solution here, but I have no experience with that. Do you configure failover as active/active or active/standby when running multi-instance?


/Chess


On FTD you can run a cluster for high availability, so the instance will be active/standby.


BB
