Author Topic: ASA-Firepower migration path  (Read 9368 times)

Offline misthe

  • Cisco Newbie
  • *
  • Posts: 3
  • Reputation: 0
  • Certification: CCNP
ASA-Firepower migration path
« on: June 18, 2015, 02:16:14 PM »
Hi all,

My company is ready to deploy the new ASA with firepower module.
We proceeded with that purchase as it seems that this acquisition promises a new start for Cisco's strategy in the security market (Gartner, NSS Labs).

Personally, I feel that I'm standing at a crossroads regarding the implementation/migration, which has to do with the deployment of the L3-L4 configuration (ACLs).
As far as I know, there are two ways someone can follow to migrate from the previous ASA to the new one.

1) Copy-paste the ACLs, NAT and VPN from the old ASA to the new one, and keep a separate configuration for IPS and AMP on the sfr module (like in the past with the AIP-SSM).

2) Create all ACLs from scratch on the new FirePOWER platform (leaving the NAT and VPN on the traditional ASA) and control everything through F.P (L3-L7).

I'm sure that there are advantages and disadvantages to each implementation, but I would like to hear your opinion on this critical matter, as you may also have faced this dilemma in your recent implementations.

Kind regards

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 400
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: ASA-Firepower migration path
« Reply #1 on: June 19, 2015, 10:05:50 PM »
Like you said, there are multiple ways to achieve the same result. What I would do is keep the L3/L4 ACL on the ASA as normal and perform application-level filtering on FirePower. That way you do not burden FP with unnecessary traffic, as it already has a lot of traffic processing to do. Of course, there might be situations where you need to use IP/port information in combination with L7 information to build policy on FireSight. ASA FirePower does not support NAT or VPN, so you will definitely need to keep those on the ASA.
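A concrete ASA configuration of the split MC describes, added here as an illustration and not taken from either poster: L3/L4 filtering and NAT stay on the ASA, and only traffic the ASA has already permitted is redirected to the sfr module for L7 inspection. Interface names, addresses and object names are made up for the example.

```cisco
! Interfaces (example names and addresses, not from the thread)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! NAT stays on the ASA: the FirePOWER module has no NAT of its own
object network WEB_SERVER
 host 10.1.1.10
 nat (inside,outside) static 198.51.100.10
!
! L3/L4 policy stays on the ASA. Post-8.3 ACLs reference the real (pre-NAT)
! address, so the object above is used directly. Only the exposed service
! is permitted; everything else is dropped and logged before it ever
! reaches the sfr module, which is what keeps unnecessary load off FP.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Traffic that survives the L3/L4 ACL is handed to the sfr module for
! application filtering, IPS and AMP. fail-open keeps traffic flowing if the
! module is down; fail-close is the stricter alternative.
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_CLASS
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
service-policy global_policy global
```

Appending `monitor-only` to the `sfr` line puts the module in passive mode, which is a useful first step for validating the FireSight policy before it is allowed to drop traffic.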

Offline misthe

  • Cisco Newbie
  • *
  • Posts: 3
  • Reputation: 0
  • Certification: CCNP
Re: ASA-Firepower migration path
« Reply #2 on: June 21, 2015, 11:29:09 AM »

I will start from the end.

I agree that whatever deployment someone eventually follows, one thing won't change (at least for the moment): the NAT, VPN and routing config will remain on the ASA, as these two features are not configurable on F.P.

Despite that, and as Cisco's plan is to merge these two products, I heard that soon enough the L3/L4 will be managed from F.P. This is also based on the fact that on new deployments Cisco's recommendation is to redirect the traffic to F.P and, through this, build the total policy from L3 to L7.

Another thing that confuses me is that soon enough a new management console will arise, and as far as I know it will come from the F.P environment. So at this point the question is: will this console manage rules that previously have been configured on the ASA platform? If not, then there is a problem.

Regarding the performance matter, the only thing that can give you safety is an equivalent purchase; for example, if you had a 5520 before and you are now thinking of changing it for a 5525, the specifications give you the same numbers including IPS and AMP, as the new platforms have better CPUs etc.
