1285 Views, 10 Helpful, 8 Replies

SSL rewrite on ASA platform

lcaruso (Level 6)

Some questions about the latest ASAs out there. A client is getting ready to replace their aging Cisco firewalls (5525s, no FP).

Is it possible to AnyConnect to the new ASAs with 2FA and then redirect the user's web session via an SSL rewrite to a backend server?

For clients that already have NGFW services elsewhere, is it possible to run a new ASA without FP active and/or installed?

Current redundancy is Active/Standby and they need fiber/SFP failover redundancy port connections. Do the SFP ports on the new ASAs allow use for failover?

Since there is no hardware upgrade tool online, my best estimate currently is the 2100 line to replace the 5525s, if the SFP ports can be used for back-to-back failover connections.

Thanks

8 Replies

balaji.bandi (Hall of Fame)

Is it possible to AnyConnect to new ASAs w/2FA and then redirect user's web session via an SSL rewrite to a backend server?

BB - As I understand it, you are looking to redirect to the portal? Why would you want to do this, as the user is already trusted and has completed two-factor authentication as a trusted user?

For clients that already have NGFW services elsewhere, is it possible to run a new ASA without FP active and/or installed?

BB - I do not see any issue, unless I am interpreting this differently from your original requirement.

Current redundancy is Active/Standby and they need fiber/SFP failover redundancy port connections. Do the SFP ports on the new ASAs allow use for failover?

BB - Depends on the model here. Yes, you can have a sync link using SFP or Ethernet.

Check whether the ASA model has SFP ports:

https://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/data_sheet_c78-345385.html

Since there is no hardware upgrade tool online, my best estimate currently is the 2100 line to replace the 5525s if the SFP ports can be used for back to back failover connections.

BB - The 2100 is a good replacement for the ASA model you mentioned.

The FP2100 does have SFP ports; check the datasheet:

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
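An added example of the Active/Standby failover link the reply above describes, using an SFP port on a Firepower 2100 running the ASA image. This is not configuration from the thread or from a Cisco document; the interface name Ethernet1/13, the FOLINK label, the 192.168.254.0/30 addresses and the key value are assumptions. Which Ethernet1/x ports are the SFP cages on a given 2100 model must be confirmed against the datasheet linked above.

```cisco
! --- Primary unit (assumed names and addresses; added example) ---
! Bring up the SFP port that will carry the dedicated back-to-back
! failover link. The same port is used for both the LAN (hello/config
! sync) and the stateful link, which is allowed on a single interface.
interface Ethernet1/13
 no shutdown

failover lan unit primary
failover lan interface FOLINK Ethernet1/13
failover link FOLINK Ethernet1/13
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Shared key so failover traffic (config sync, connection state) is
! authenticated and encrypted rather than sent in the clear.
failover key FoSharedSecret
failover

! --- Secondary unit: identical, except for the unit role ---
interface Ethernet1/13
 no shutdown

failover lan unit secondary
failover lan interface FOLINK Ethernet1/13
failover link FOLINK Ethernet1/13
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key FoSharedSecret
failover

! Check on either unit: "show failover" should report one unit as
! Active and the other as Standby Ready, with the FOLINK interface up.
```

Because the state link carries the active unit's connection table and the primary pushes its running configuration (including keys) to the standby, keep the link on a direct SFP-to-SFP cable or an isolated VLAN rather than a shared segment, and always set a failover key.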

Thanks for your reply.

Regarding the SSL rewrite requirement, that was specified by the architect for this project. All I know is that this is a requirement, but I still do not see this capability on the newer Cisco firewalls.

Do you know if there is a SKU to order a 2100 w/o FP?

Do you know if there is a SKU to order a 2100 w/o FP?

What do you mean by w/o FP? By default, the 2100 ships with Firepower; if you would like ASA on top of it, you need to re-image with ASA.

The above post provides you the datasheet and ordering guide (if you have concerns, I would advise contacting a local partner who can assist you better).

I have seen some people buy this product and later find it cannot be replaced as expected, so I suggest contacting a local partner who can understand the requirement and guide you better.

The FP2100 does have SFP ports; check the datasheet:

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

BB


Working with a partner next week, thanks; just trying to get started on the weekend.

Sure, I understand; you also need more hands-on information before you talk to your partner.

BB


Accepted Solution

"SSL rewrite" is not possible with a Firepower appliance by itself - whether running FTD or ASA image.

If you use ISE as the AAA server you can push a redirect ACL as part of the Authorization result.

All Firepower hardware appliances can be ordered with either FTD or ASA software as part of the initial order.

We seldom see them ordered with ASA software though since that means you will not be able to run any of the NGIPS, Malware or URL Filtering features. You will also have to continue to manage the configuration via ASDM or cli (or possibly CDO) vs. FMC with its richer analysis and event management features.
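The ISE redirect-ACL mechanism the accepted solution refers to, shown as an added example rather than configuration from this thread or from Cisco documentation. The ACL lives on the ASA; ISE only names it and supplies the target URL in the RADIUS authorization result. The server group name ISE, the address 10.0.0.10, the ACL name ISE-REDIRECT, the tunnel group and pool names, the shared secret and the portal URL are all assumptions.

```cisco
! --- ASA side (assumed names and addresses; added example) ---
! ISE as RADIUS server. dynamic-authorization lets ISE push or change
! the authorization result (CoA) after the AnyConnect session is up;
! periodic interim accounting keeps the session visible to ISE.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 10.0.0.10
 key RadiusSharedSecret
 authentication-port 1812
 accounting-port 1813

! Redirect ACL semantics are inverted relative to a filtering ACL:
!   deny   = traffic that passes straight through (never redirected)
!   permit = traffic the ASA intercepts and answers with an HTTP redirect
! DNS, ICMP and traffic to ISE itself must be excluded or the client
! can never reach the portal it is being sent to.
access-list ISE-REDIRECT extended deny udp any any eq domain
access-list ISE-REDIRECT extended deny ip any host 10.0.0.10
access-list ISE-REDIRECT extended deny icmp any any
access-list ISE-REDIRECT extended permit tcp any any eq www

! AnyConnect tunnel group authenticating and accounting against ISE.
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy RA-GP

! --- ISE side: what the Authorization Profile returns to the ASA ---
! Two cisco-av-pair RADIUS attributes (the sessionId value is filled
! in by ISE; the portal path is an assumption):
!   cisco-av-pair = url-redirect-acl=ISE-REDIRECT
!   cisco-av-pair = url-redirect=https://ise.example.com:8443/portal/gateway?sessionId=SessionIdValue&portal=PortalId&action=cpp

! Check on the ASA that the session actually received both values:
!   show vpn-sessiondb detail anyconnect
! and look for the Redirect URL and Redirect ACL lines for the user.
```

The result is an HTTP 302 to the ISE-supplied URL for flows matching the permit entries, which is the only form of "redirect" the ASA offers here. It does not rewrite page content or proxy the session to a backend server, so the "SSL rewrite to a backend" requirement in the original question would still need a reverse proxy or WAF in front of that backend. This example intercepts HTTP on TCP/80 only; whether a given ASA release will also intercept HTTPS should be confirmed in that release's configuration guide rather than assumed.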

Thank you for your reply. I'm not the architect of this design, otherwise even if they were redundant/overlapping, I'd have NGFW services on the ASA and in the cloud where they currently exist.

alirafaleiro (Level 1)

Cisco AnyConnect is a uniform security endpoint agent which delivers multiple security services to protect the enterprise. It also provides the visibility and control you need to identify who, and which devices, are accessing the extended enterprise.
