
Should I go with Cisco FTD or Cisco ASR in this scenario?

Firewall or no Firewall? Is a router good enough?

I am going through a network redesign for my company. This is my environment:

- 2,000 total users. About 1,500 users at the HQ and another 5000 remote users,
- One Data Center in Virginia, and Azure cloud in Virginia and California,
- Cameras and Audio/Video at HQ,
- All users, HQ or remote, have ZScaler Client Connector (ZCC) with 100% ZTA implementation,

Users at HQ communicate directly with the ZScaler cloud infrastructure. Cameras/Audio/Video
devices that are not ZCC capable access the Internet over the IPsec tunnel between our
Data Center in Virginia and the ZScaler infrastructure. The Data Center Internet firewall
(Cisco Firepower Threat Defense [FTD]) is also used for the VPN between our Data Center and
ZScaler in the cloud.

In March 2026, we're going to shut down the Data Center in Virginia. We're going to set up
a site-2-site VPN between the HQ and the Azure cloud in Virginia and California. We're going
to set up a VPN between HQ and the ZScaler cloud so that Cameras/Audio/Video can leverage the
ZScaler infrastructure for DLP, malware, etc. There will be NO inbound access from the Internet
to HQ, other than the site-2-site VPNs with the Azure and ZScaler infrastructure.

I am debating whether I should just go with a Cisco ASR router that will do the VPN termination
and dynamic PAT, instead of another Cisco FTD. What is the downside of NOT using Cisco FTD in
this scenario? We will harden the Cisco ASR and block everything inbound, so I don't see any
issues with this. However, I am looking for a counter-argument for going with FTD instead
of a Cisco ASR in this scenario.

Thoughts?

Accepted Solution (from @Rob Ingram)

@adamscottmaster2013 so the device (router or firewall) is just used to terminate the VPNs, no other inbound or DIA traffic? In which case you don't necessarily need the L4-L7 functionality the firewall would provide; personally I'd be fine running those VPNs on a Cisco router. Just create an inbound ACL to allow VPN traffic (udp/500, ESP and maybe udp/4500 if NAT-T) from the VPN peers and restrict the rest.

The benefits of using a firewall: if you have ISE you could integrate it with the firewall to provide some user/device identity in the logs, or use ISE ANC to quarantine traffic. You get a better GUI to configure and troubleshoot compared to a router, IMO.

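As an added illustration of the "allow IKE/ESP from the peers and restrict the rest" advice above (this is example configuration written for this page, not something from the original post or from Cisco), here is how that looks on an IOS-XE ASR using the zone-based firewall. Interface names, zone names and every address are placeholders (RFC 5737 documentation ranges), and the IKEv2 proposal, keyring and IPsec profile that sit behind the tunnel interface are not shown. One caveat worth building in from the start: because the router also does dynamic PAT for HQ users, a plain stateless ACL on the Internet interface that only permits IKE/ESP would also drop the return traffic of those PAT'd sessions. The example therefore puts the IKE/ESP restriction in a self-zone policy and uses stateful inspection for the inside-to-Internet direction.

```cisco
! Added example, not from the original post: IOS-XE zone-based firewall on the ASR.
! All interface names and addresses are placeholders (RFC 5737 documentation ranges).
! IKEv2/IPsec proposal, keyring and profile for the tunnel interfaces are not shown.
!
! Gateways the router is allowed to speak IKE/ESP with (placeholders)
object-group network VPN-PEERS
 description Azure VPN gateways (VA, CA) and Zscaler IPsec endpoint
 host 198.51.100.20
 host 198.51.100.21
 host 192.0.2.30
!
! IKE (udp/500), NAT-T (udp/4500) and ESP from those peers to the router's own public address
ip access-list extended IPSEC-FROM-PEERS
 permit udp object-group VPN-PEERS host 203.0.113.10 eq isakmp
 permit udp object-group VPN-PEERS host 203.0.113.10 eq non500-isakmp
 permit esp object-group VPN-PEERS host 203.0.113.10
!
! Internal addresses that are PAT'd to the Internet (ZCC traffic to the Zscaler cloud)
ip access-list standard NAT-INSIDE
 permit 10.10.0.0 0.0.255.255
!
class-map type inspect match-any CM-IPSEC-CTRL
 match access-group name IPSEC-FROM-PEERS
class-map type inspect match-any CM-USER-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
zone security INSIDE
zone security OUTSIDE
zone security VPN
!
! Internet -> the router itself: only IPsec from known peers, everything else dropped and logged.
! This policy is required because traffic to the self zone is allowed by default.
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-IPSEC-CTRL
  pass
 class class-default
  drop log
!
! HQ -> Internet: stateful inspection so replies to PAT'd sessions are let back in
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-USER-OUT
  inspect
 class class-default
  drop log
!
! HQ <-> Azure/Zscaler inside the tunnels: pass (tighten per internal policy if desired)
policy-map type inspect PM-PASS-ALL
 class class-default
  pass
!
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security IN-TO-VPN source INSIDE destination VPN
 service-policy type inspect PM-PASS-ALL
zone-pair security VPN-TO-IN source VPN destination INSIDE
 service-policy type inspect PM-PASS-ALL
! There is deliberately no OUTSIDE -> INSIDE zone-pair: unsolicited Internet traffic toward HQ is dropped.
!
interface GigabitEthernet0/0/0
 description Internet uplink
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 zone-member security OUTSIDE
!
interface GigabitEthernet0/0/1
 description HQ core
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface Tunnel100
 description VTI to Azure Virginia (IKEv2/IPsec profile not shown)
 ip unnumbered GigabitEthernet0/0/1
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
 zone-member security VPN
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0/0 overload
```

The encrypted IKE/ESP packets arrive on the OUTSIDE interface destined to the router and are matched by the self-zone policy; the decrypted payload then appears on the Tunnel interface in the VPN zone, which is why the tunnel interfaces need a zone of their own. Traffic to Azure is routed through the VTI rather than the NAT outside interface, so it is not PAT'd. A second tunnel for Azure California and one for Zscaler would be added the same way.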



Hi @Rob Ingram

Thank you very much for your response. 

We do have ISE for 802.1x wired and wireless. Traffic quarantine will be done via the ZScaler Client Connector (ZCC). I agree that the FTD does not add any value in this scenario. Btw, real engineers do not use GUI :-).
