Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
738
Views
30
Helpful
6
Replies

Migrate multiple context ASA with overlaping subnets to FTD

Go to solution
Chess Norris
Level 4
Level 4

‎07-05-2022 06:35 AM - edited ‎07-05-2022 06:35 AM

Hi,

We are looking to migrate an old ASA 5585-X with multiple contexts to a FTD 4112.

The challenge that we are facing is that the ASA use the same VLAN ID's and subnet for the outside interface, but on different contexts.

Since we are now moving to a FTD with no context, it's not possible to use the same subnet/VLAN ID and I am looking for a way to solve this. The VLAN ID would not be that difficult to change, but we cannot get more public addresses, so we need to use addresses from the same subnet, but on different interfaces.

Would VRF work in this case or is that just for segregation of routing tables? 

Is there something else we could do to solve this with a single FTD?

 

Thanks

/Chess

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Chess Norris

‎07-05-2022 08:00 AM - edited ‎07-05-2022 08:03 AM

@Chess Norris actually since 7.2 you can configure a VTI in a user-defined virtual router.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/720/threat-defense-release-notes-72/features.html

 

With multi-instance you just carve up resources on the appliance, and run seperately managed FTD images. Up to you how you configure it. https://www.cisco.com/c/en/us/products/collateral/security/firewalls/white-paper-c11-744750.html

 

 

 

View solution in original post

6 Replies 6

Go to solution
Aref Alsouqi
VIP
VIP

‎07-05-2022 06:42 AM - edited ‎07-05-2022 06:43 AM

You can definitely rely on VRF to work around this issue.

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-05-2022 06:47 AM

You need to look Context to instance :

 

https://community.cisco.com/t5/security-blogs/migrating-asa-multi-context-to-ftd-multi-instance/ba-p/3893465

 

Since we are now moving to a FTD with no context, it's not possible to use the same subnet/VLAN ID and I am looking for a way to solve this. The VLAN ID would not be that difficult to change, but we cannot get more public addresses, so we need to use addresses from the same subnet, but on different interfaces.

You need to test some of them offline, and do the cutover, if you like to use same

 

if that not sutable and see some Limitation, then you need configure manually and test as per the requirement.#

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Chess Norris
Level 4
Level 4

‎07-05-2022 07:50 AM - edited ‎07-05-2022 07:53 AM

Thanks for the advices. VRF looks easy but the problem is the lack of VPN support on other VRF's then the global.  The customer are running L2L tunnels on one of the context and RA VPN on another. Multi-instances might be the best solution here, but I have no experience with that. Do you configure failover as active/active or active/standby when running multi-instance?

 

/Chess

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Chess Norris

‎07-05-2022 08:00 AM - edited ‎07-05-2022 08:03 AM

@Chess Norris actually since 7.2 you can configure a VTI in a user-defined virtual router.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/720/threat-defense-release-notes-72/features.html

 

With multi-instance you just carve up resources on the appliance, and run seperately managed FTD images. Up to you how you configure it. https://www.cisco.com/c/en/us/products/collateral/security/firewalls/white-paper-c11-744750.html

 

 

 

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Chess Norris

‎07-05-2022 08:15 AM

FTD you can run Cluster for high availability, so Instance will be Active/standby.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card