Repurposing Cisco ASA 5545-X with FirePOWER Services Hardware

superadmin9
Level 1

Hello, 

We recently upgraded our 5545-X ASAs to 1120 FTDs. I am now left with three 5545-X units that I am unsure how to repurpose. I'd hate to recycle these or keep them in storage since they are still high-end and current.

Does anyone have an idea of how I could repurpose these? Is it possible to put FTD code on these and use them as test units? I'm not sure what options I have.

Thanks!

3 Replies

Marvin Rhoads
Hall of Fame

You can run FTD code on them, although it would have to be licensed to do any of the IPS, URL Filtering or Malware protection things. If you just want to test out access control policies and such, you can do that without any license beyond the free base license.

They could also be useful as VPN-only firewalls (running ASA code).

By the way, the end of sales announcement for the 5545-X was just published in March:

https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/eos-eol-notice-c51-743545.html

Thanks! I found some documentation on loading FTD code on the ASA. Does anyone know if this works well? I'm thinking I could maybe test software updates on these before deploying to the production FTDs, and also test out basic stuff like access control policies. Does anyone have recommendations on the best way to test these policies on a test device before moving to production?

Also, interesting idea to use them as VPN-only firewalls. Is there a big benefit from separating this out from the FTDs? I would think, for simplicity, to just have VPN on the production FTDs, but if someone has a setup where they use different firewalls for VPN, I'd be interested in feedback on this.

Thanks!

We have a heavy site-to-site VPN deployment (300+ tunnels) on ASA 5545s in active/standby mode. Since December last year we started having issues with these units. TAC recommended upgrading the image, but this did not make much difference; we were getting a new bug with each stable release. Long story short, we moved to FTD. Our FTDs are managed by FMC. We have tested site-to-site VPN with pre-shared keys and with certificate-based authentication. The good thing about site-to-site VPN is that as long as you understand the ASA code, you can easily pick up the FTD side of the config. The drawback I felt on FTD is that you can go to the LINA CLI and see the FTD config, which is presented as ASA code, but you can't change the config there; it has to be done from the FMC. You also have very limited options available in the FTD CLI.

The good part is that we are heavily based on certificate VPN. In FTD, importing a certificate and generating a CSR is very easy (version 6.3); it does all the magic behind the GUI.

So far I am happy with FTD. The only downside is that if you have a small change, for example creating an object, you have to deploy the policy, which takes time :(. Also, there is no VTI for VPN in FMC/FTD; VTI in FTD is planned for some time in 6.7.

You can convert your 5545 to FTD code as @Marvin Rhoads suggested. I would strongly suggest taking one 5545 unit, converting it to FTD and playing with it as much as you can; once you have the understanding, deploy in production. I am sure you won't regret this.

please do not forget to rate.