Moving from ASA to Firepower for remote access VPN

carl.townshend
Level 1

Hi All

I am looking at moving from ASA to Firepower for remote access VPN.

Does the Firepower support Dynamic Access Policies, i.e. access lists applied to different user groups? If it doesn't, then what are the options? We do not use ISE.

Also, what is the support for the ASA? Will they discontinue them soon?

What are most people using for RA VPN?

3 Replies

rschlayer
Level 4

Hello @carl.townshend 

Dynamic Access Policies are currently only supported on Firepower version 7.0. See here: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/firepower_threat_defense_dynamic_access_policies.html

If you rely on this feature and do not use ISE, I would recommend running ASA software on your VPN gateway.

EDIT: The reason I am saying this is because 7.0 is not even out for one week.

I believe ASA will stick until all features from ASA are available in Firepower.

BR
Rick

Do you really need DAPs? You can assign a Class attribute with any RADIUS server. It does not have to be the ISE. This Class attribute applies a group-policy with a VPN filter to the VPN session.

And no, I would not expect the ASA (the OS, not the hardware platform) to be discontinued anytime soon.
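The mechanism described in that reply, as an added example (not configuration posted in the thread): an ASA group policy carrying a vpn-filter, selected per user by the RADIUS Class attribute (IETF attribute 25, value `OU=<group-policy-name>;`) that any RADIUS server can return. The ACL and group-policy names, the 10.10.20.0/24 lab subnet and the 192.0.2.10 server address are assumed; the default policy with zero simultaneous logins is the check that keeps users without a matching Class value off the VPN.

```cisco
! Per-group VPN filter: engineering sessions may reach only the lab subnet on SSH and HTTPS.
! The ASA evaluates a vpn-filter ACL with the VPN client address as the source and
! applies it to both directions of the session.
access-list VPN-FILTER-ENG extended permit tcp any 10.10.20.0 255.255.255.0 eq 22
access-list VPN-FILTER-ENG extended permit tcp any 10.10.20.0 255.255.255.0 eq 443
access-list VPN-FILTER-ENG extended deny ip any any

! Group policy for engineering users; vpn-filter binds the ACL to every session that lands here.
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-filter value VPN-FILTER-ENG
 vpn-simultaneous-logins 3

! Fallback for authenticated users whose RADIUS reply carries no recognised Class value:
! zero simultaneous logins means they cannot establish a session at all.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! Any RADIUS server, not only ISE (192.0.2.10 is an assumed address). For an engineering
! user it must return IETF attribute 25 (Class) = "OU=GP-ENGINEERING;" which the ASA maps
! to the group policy of that name (the match is case-sensitive).
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.0.2.10
 key <shared-secret-placeholder>

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy GP-NOACCESS
```

Verify the mapping on a live session with `show vpn-sessiondb anyconnect filter name <user>`, which lists the group policy and filter name the session actually received.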

Oliver Kaiser
Level 7

ASA will be available for a long time since its codebase is also used within Firepower Threat Defense, so for the foreseeable future (5-10Y) you should be fine in my opinion. As for DAP, you will need to upgrade to FTD 7.0, which was released this week and includes a lot of new AnyConnect features. From a feature parity standpoint FTD can now do nearly everything that ASA can do with AnyConnect, except for some niche use cases.

If you only want to use Remote Access and nothing else (basically just have an AnyConnect VPN server), I'd still recommend ASA since the resource footprint is lower, updates are quicker and you do not have to run a central manager like FMC. However, if you want to utilize features like IPS, AMP, URL Filtering, TLS Decryption, etc., go with FTD; some new networking features (like VRFs) are only available on FTD and not ASA. Don't get me wrong, ASA is there to stay, but do not expect any groundbreaking innovations for ASA.
