cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1064
Views
1
Helpful
1
Replies

Migrating from ASA5525-X w/ Sourcefire to FPR2110 w/ Firepower Threat Defense unified code

bill.whelan
Level 1
Level 1

Hello,

 

A client recently purchased a Firepower 2110 to replace an ASA5525-X w/ Sourcefire at one of their locations due to a circuit upgrade and need for more aggregate throughput. They currently utilize Sourcefire for Malware, Intrusion, Geolocation, URL filtering, etc., all managed on the FMC through a single Access Control Policy. Basic filtering, NAT's etc. are maintained on the individual ASA's according to needs for that specific location.

 

It was a bit shocking to find out the 2110 cannot support Firepower services while also running the ASA code, to do this we need to migrate to FTD code. I've already stood up an FMC with the migration tool and converted configs which produced an output containing a prefilter, NAT and access policy along with associated network, port and interface objects. Hopefully that's enough information to answer some questions:

 

The goal is to maintain the customers existing experience when using the FMC. Ideally the existing access policy can be nested with the migrated access policy so that any changes the customer makes that are common to all sites would be inherited and pushed globally. Basic filtering, NAT's and other items which are unique per site and previously configured using ASDM would now be made to prefilter and NAT policies in the FMC. My thought was to select the customer's access policy as a "Default Action" for the migrated access policy but when set it throws a warning. So is this the best way to achieve what we're looking for or is there some other way?

 

2017-11-21 11_48_32-Cisco Firepower Management Center for VMWare 6.2.0.3 Build 108 (firepower.gsn.co.png

2017-11-21 11_55_12-Cisco Firepower Management Center for VMWare 6.2.0.3 Build 108 (firepower.gsn.co.png

 

 

 

1 Reply 1

Greg Smalley
Level 1
Level 1

For FTD your Access Control Policy default action should be set to "Block All Traffic", this way if no allows are hit in your rule set, the implicit deny action will be completed.  If you want to nest policies you should use the the "Inheritance Settings" function (See top right of the ACP page). 

 

-Greg Smalley

Review Cisco Networking for a $25 gift card