Upgrading ASA5545X

carl_townshend
Spotlight

Hi All,

We are looking at replacing our ASA5545X with a new firewall.

We have already replaced a smaller model with a Firepower managed in cdFMC within CDO, and it's working well.

What are people's thoughts: stay with the ASA code or move to Firepower?

Also, there are 150 or so site-to-site VPNs running on it and quite a bit of config. Does the ASA migration tool in CDO work well?

I want to have the least downtime possible, and we will use all the same IP addresses in the new firewalls. How best is it to migrate? Put a management address on the Firepowers and use that to register to CDO, then build them?

Cheers

5 Replies

wajidhassan
Level 4

Hi Carl,

I'd recommend moving to Firepower for better features and easier management with FMC/CDO. The ASA migration tool works well for VPNs and config, but it might need some manual tweaks.

For minimal downtime, set up the Firepowers first with management IPs, register them in CDO, and build your configs ahead of time. Using the same IPs is fine; just make sure to test routing and failover.

This way, the switch should be smoother and faster.
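Before feeding 150 site-to-site tunnels to the migration tool, it pays to inventory what is actually on the ASA and find the half-configured or weak entries that the "manual tweaks" above will hit. The following is an added example, not code from this thread, from the CDO migration tool, or from Cisco: it parses an ASA running-config excerpt, cross-references each `crypto map ... set peer` entry with its `tunnel-group ... type ipsec-l2l` and `match address` lines, and resolves IKEv1 transform-set names to their algorithms so that DES/3DES/MD5 tunnels are flagged by what they use rather than by what they are called. The sample config is constructed (RFC 5737 documentation addresses), and the finding categories are the author's own; IKEv2 proposals are only recorded, not assessed.

```python
"""Pre-migration inventory of ASA site-to-site (L2L) VPN peers.

Added example; not part of the original thread or of any Cisco tool.
Flags crypto map entries with no matching tunnel-group, no crypto ACL,
or weak IKEv1 transform-sets, and tunnel-groups no crypto map refers to.
"""
import re
from collections import defaultdict

# Constructed sample running-config excerpt (RFC 5737 addresses, keys masked).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set ikev1 transform-set ESP-DES-MD5
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 198.51.100.30
crypto map outside_map 30 set ikev2 ipsec-proposal AES256
crypto map outside_map 40 set peer 192.0.2.40
crypto map outside_map 40 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 192.0.2.40 type ipsec-l2l
tunnel-group 192.0.2.99 type ipsec-l2l
tunnel-group 192.0.2.99 ipsec-attributes
 ikev1 pre-shared-key *****
"""

TRANSFORM_DEF_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
MAP_RE = re.compile(
    r"^crypto map (\S+) (\d+) "
    r"(match address|set peer|set ikev1 transform-set|set ikev2 ipsec-proposal) (.+)$"
)
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")

# ESP algorithms that should not survive a migration untouched (author's list).
WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_config(text):
    """Return (transform_sets, crypto_map, tunnel_groups) from ASA config text."""
    transform_sets = {}                 # name -> set of ESP algorithm keywords
    crypto_map = defaultdict(dict)      # (map name, seq) -> {subcommand: args}
    tunnel_groups = set()               # peers with an ipsec-l2l tunnel-group
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := TRANSFORM_DEF_RE.match(line)):
            transform_sets[m.group(1)] = set(m.group(2).split())
        elif (m := MAP_RE.match(line)):
            crypto_map[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4).strip()
        elif (m := TG_RE.match(line)):
            tunnel_groups.add(m.group(1))
    return transform_sets, dict(crypto_map), tunnel_groups


def audit(text):
    """Classify every static L2L peer; each peer lands in 'ready' or in one or more problem lists."""
    transform_sets, crypto_map, tunnel_groups = parse_config(text)
    findings = {"ready": [], "no_tunnel_group": [], "no_acl": [],
                "weak_crypto": [], "orphan_tunnel_group": []}
    mapped_peers = set()
    for (_name, _seq), fields in sorted(crypto_map.items()):
        if "set peer" not in fields:
            continue                    # dynamic map entries have no static peer
        algs = set()
        for ts in fields.get("set ikev1 transform-set", "").split():
            algs |= transform_sets.get(ts, set())
        for peer in fields["set peer"].split():   # 'set peer' may list several peers
            mapped_peers.add(peer)
            clean = True
            if peer not in tunnel_groups:
                findings["no_tunnel_group"].append(peer); clean = False
            if "match address" not in fields:
                findings["no_acl"].append(peer); clean = False
            if algs & WEAK_ALGS:
                findings["weak_crypto"].append(peer); clean = False
            if clean:
                findings["ready"].append(peer)
    findings["orphan_tunnel_group"] = sorted(tunnel_groups - mapped_peers)
    return findings


if __name__ == "__main__":
    for category, peers in audit(SAMPLE_CONFIG).items():
        print(f"{category:20s} {len(peers):3d}  {' '.join(peers)}")
```

Run it against `show running-config` output saved from the ASA; anything in the problem lists is a tunnel the migration tool will either drop, import incompletely, or carry across with crypto you would not deploy today, so fix or retire those on the ASA side first and keep the "ready" list as the acceptance checklist for the cutover.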

Hi there,

Could I onboard the FTDs using a management interface behind a NAT device? Would the NAT device need a static one-to-one NAT with the management interface on the FTD?

Cheers

You can leverage the NAT ID to register the FTD with the FMC in that case. Please check this post of mine with some more details about the NAT ID, and this Cisco documentation about the different use cases for registering the FTD to the FMC behind NAT devices.

https://bluenetsec.com/add-ftd-to-fmc/

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Device_Management_Basics.html


Probably I would go for the 1140 FTD, which supports up to 400 VPN connections. Regarding management, I would go with FMC or cdFMC, as suggested by @wajidhassan.

For the migration, just onboard the new FTD and migrate the ASA config to it; the key thing here is to keep the data interfaces disconnected while you do this operation, and once you have everything migrated to the FTD you can go through the cutover. Usually what I do for our customers is connect the new firewall(s)' data interfaces to their switches, shut down the switch ports, finish the config migration, and finally shut down the ports of the old firewall(s) and unshut the ports connected to the new one(s). In some cases you might not be able to do this, for instance if you have a single hand-off from the ISP; then you have to move the ISP cable manually from the old to the new firewall(s).

Cisco Firepower 1000 Series Firewall - Cisco

Just to be clear:

Firepower is the hardware device; it is new, and on it you can run either

FTD or ASA.

Sure, FTD is much more advanced than ASA; you get deep inspection, which is not available in ASA.

Use ASA only if you need a VPN gateway; other than that, use FTD.

MHM