07-05-2017 12:14 AM - edited 03-10-2019 06:52 AM
Hi support,
I am going to deploy Cisco ASA 5525,
I need your help on the following points.
1. How to migrate a Cisco ASA image to an FTD image?
2. After migrating to the FTD image, is it possible to manage it by just browsing to its IP, since there is no Fire management center?
This is BoM,
ASA 5525 NGFW (Qty 2)
ASA5525-FPWR-BUN | ASA 5525-X with FirePOWER Svcs. Chassis and Subs. Bundle | 1 |
ASA5525-FPWR-K9 | ASA 5525-X with FirePOWER Services, 8GE, AC, 3DES/AES, SSD | 2 |
CON-3SNT-A25FPK9 | 3YR SNTC 8X5XNBD ASA 5525-X with FirePOWER Services, 8GE | 2 |
CAB-ACE | AC Power Cord (Europe), C13, CEE 7, 1.5M | 2 |
SF-ASA-X-9.2.2-K8 | ASA 9.2.2 Software image for ASA 5500-X Series,5585-X,ASA-SM | 2 |
SF-ASA-FP5.4-K9 | Cisco FirePOWER Software v5.4 for ASA 5500-X | 2 |
ASA5525-CTRL-LIC | Cisco ASA5525 Control License | 2 |
ASA5500X-SSD120INC | ASA 5512-X through 5555-X 120GB MLC SED SSD (Incl.) | 2 |
ASA5525-MB | ASA 5525 IPS Part Number with which PCB Serial is associated | 2 |
ASA5500-ENCR-K9 | ASA 5500 Strong Encryption License (3DES/AES) | 2 |
L-ASA5525-TA= | Cisco ASA5525 FirePOWER IPS License | 1 |
L-ASA5525-TA-3Y | Cisco ASA5525 FirePOWER IPS 3YR Subscription | 1 |
07-05-2017 01:03 AM
Before re-imaging make sure you understand what features you need to use.
For instance, there is currently no SSL VPN (AnyConnect) available on an ASA with FTD. Even when it is released, it will not be as full-featured as the version running on ASA software.
While you can manage an ASA with FTD using the Firepower Device Manager (FDM) built-in web GUI, it has some limitations (cannot configure advanced features, limited reporting and logging, etc.).
So, if you need just a basic NGIPS, yes you can run FTD on the ASA with the built-in management.
You will need to license it for FTD. The Control and IPS licenses that you have will not work with FTD. FTD would require the equivalent "Threat Defense" license and term subscription. The part numbers would be L-ASA5525T-T= and L-ASA5525T-TP-3Y (Cisco ASA5525 Threat Defense Threat Protection 3YR Subscription).
Step-by-step instructions for re-imaging can be found here:
http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#id_51368
07-05-2017 01:20 AM
Hi Marvin,
Thanks a lot,
Yes, for now I want to go with basic NGIPS.
We are about to order the licenses below.
So, is L-ASA5525T-T= not equivalent to L-ASA5525-TA= with regard to the Control and IPS licenses to support FTD?
L-ASA5525-TA= | Cisco ASA5525 FirePOWER IPS License |
L-ASA5525-TA-3Y | Cisco ASA5525 FirePOWER IPS 3YR Subscription |
07-05-2017 01:27 AM
You're welcome.
The licenses are functionally equivalent (and cost the same) but they are for different platforms.
The "TA" one is a traditional PAK-based license for the ASA FirePOWER service module. It cannot be used with FTD.
The "T" one is a Smart License for the ASA running FTD. It cannot be used with a FirePOWER service module. It will require you to set up a Smart account if you don't have one already.
Also FTD does not require nor can it use the (no-cost) Control license.
07-05-2017 02:19 AM
Hi Marvin,
Can you confirm the platform for the BoM below? I thought it was the ASA FirePOWER service module!
1. Is it the ASA FirePOWER service module or ASA? If it is not the ASA FirePOWER service module, I will order with "T" instead of "TA".
2. If it is not the ASA FirePOWER service module, is it possible to migrate to FTD?
ASA5525-FPWR-BUN | ASA 5525-X with FirePOWER Svcs. Chassis and Subs. Bundle | 1 |
ASA5525-FPWR-K9 | ASA 5525-X with FirePOWER Services, 8GE, AC, 3DES/AES, SSD | 2 |
CON-3SNT-A25FPK9 | 3YR SNTC 8X5XNBD ASA 5525-X with FirePOWER Services, 8GE | 2 |
CAB-ACE | AC Power Cord (Europe), C13, CEE 7, 1.5M | 2 |
SF-ASA-X-9.2.2-K8 | ASA 9.2.2 Software image for ASA 5500-X Series,5585-X,ASA-SM | 2 |
SF-ASA-FP5.4-K9 | Cisco FirePOWER Software v5.4 for ASA 5500-X | 2 |
ASA5525-CTRL-LIC | Cisco ASA5525 Control License | 2 |
ASA5500X-SSD120INC | ASA 5512-X through 5555-X 120GB MLC SED SSD (Incl.) | 2 |
ASA5525-MB | ASA 5525 IPS Part Number with which PCB Serial is associated | 2 |
ASA5500-ENCR-K9 | ASA 5500 Strong Encryption License (3DES/AES) | 2 |
L-ASA5525-TA= | Cisco ASA5525 FirePOWER IPS License | 1 |
L-ASA5525-TA-3Y | Cisco ASA5525 FirePOWER IPS 3YR Subscription | 1 |
07-05-2017 06:22 AM
That BOM would not be correct for a new ASA with FTD image. If you bought that, the customer would have to do all of the re-imaging work, making the initial experience much more burdensome than it need be.
If you are a partner, please refer to the Cisco Security Products Ordering Guide. It will suggest you use the master SKU "ASA5525-FTD-BUN".
If you do that, then within the Cisco Commerce Workspace (CCW) ordering tool you will then be prompted to validate the configuration and, in doing so, select the correct country (for power cord) and licenses with associated subscription terms.
07-05-2017 06:22 AM
Thank you very much!
07-05-2017 06:36 AM
You're welcome. Please mark your question as answered if it has been, and rate helpful replies.
07-07-2017 12:01 AM
Hi Marvin,
Seeking your help and advice on how to size an NGFW and also NGIPS.
What are the things to consider for the sizing with these given requirements?
- Firewall modes (routed, transparent, virtual firewall)
- Management options (telnet, ssh, ftp, scp, snmp, netflow, central web management/GUI), packet capture capability
- High availability with session persistence
- User and application visibility control
- Integration with Active Directory
- Microsegmentation
- APT protection
- DoS/DDoS protection along with antimalware and antivirus capabilities
- Dynamic/static routes support along with policy-based routing
- IPS support
- Deep packet inspection including SSL inspection
- Historical reporting and logging
- 10G ports, SFP support, along with interface expansion card option
- QoS, traffic shaping
- Dual power supply
Thanks in advance
07-07-2017 12:31 AM
Please start a new discussion. Your question is unrelated to this thread.