01-07-2022 03:25 PM
Some questions about the latest ASAs out there. The client is getting ready to replace their aging Cisco firewalls (5525s, no FP).
Is it possible to AnyConnect to new ASAs w/2FA and then redirect user's web session via an SSL rewrite to a backend server?
For clients that already have NGFW services elsewhere, is it possible to run a new ASA without FP active and/or installed?
Current redundancy is Active/Standby and they need fiber/SFP failover redundancy port connections. Do the SFP ports on the new ASAs allow use for failover?
Since there is no hardware upgrade tool online, my best estimate currently is the 2100 line to replace the 5525s, if the SFP ports can be used for back-to-back failover connections.
Thanks
01-08-2022 07:12 PM - edited 01-08-2022 07:13 PM
"SSL rewrite" is not possible with a Firepower appliance by itself - whether running FTD or ASA image.
If you use ISE as the AAA server you can push a redirect ACL as part of the Authorization result.
All Firepower hardware appliances can be ordered with either FTD or ASA software as part of the initial order.
We seldom see them ordered with ASA software though, since that means you will not be able to run any of the NGIPS, Malware or URL Filtering features. You will also have to continue to manage the configuration via ASDM or CLI (or possibly CDO) vs. FMC with its richer analysis and event management features.
01-07-2022 11:46 PM
Is it possible to AnyConnect to new ASAs w/2FA and then redirect user's web session via an SSL rewrite to a backend server?
BB - as I understand, you are looking to redirect to the portal? Why do you want to do this, as the user is already trusted and has completed 2-factor identification as a trusted user?
For clients that already have NGFW services elsewhere, is it possible to run a new ASA without FP active and/or installed?
BB - I do not see any issue, unless I am interpreting this differently from your original requirement.
Current redundancy is Active/Standby and they need fiber/SFP failover redundancy port connections. Do the SFP ports on the new ASAs allow use for failover?
BB - depends on the model here - yes, you can have a sync link using SFP or Ethernet.
Check that the ASA model has SFP ports:
Since there is no hardware upgrade tool online, my best estimate currently is the 2100 line to replace the 5525s if the SFP ports can be used for back to back failover connections.
BB - the 2100 is good to replace the ASA model you mentioned.
The FP2100 does have SFP ports; check the datasheet:
01-08-2022 09:49 AM
Thanks for your reply.
Regarding SSL rewrite requirement, that was specified by the Architect for this project. All I know is this is a requirement, but I still do not see this capability on the newer Cisco firewalls.
Do you know if there is a SKU to order a 2100 w/o FP?
01-08-2022 09:53 AM
Do you know if there is a SKU to order a 2100 w/o FP?
What do you mean w/o FP? By default the 2100 ships with Firepower; if you would like to run ASA on top of it, you need to re-image it with ASA.
The above post provides you the datasheet and ordering guide: (if you have concerns, I would advise contacting a local partner who can assist you better).
I have seen some people buying this product and later it could not be replaced as expected, so I suggest contacting a local partner who can understand your requirements and guide you better.
The FP2100 does have SFP ports; check the datasheet:
01-08-2022 09:59 AM
Sure, I understand; you also need more hands-on information before you talk to your partner.
01-08-2022 01:59 AM - edited 01-19-2022 08:26 PM
Cisco AnyConnect is a uniform security endpoint agent that delivers multiple security services to protect the enterprise. It also provides the visibility and control required to identify who and which devices are accessing the extended enterprise.