Cisco 5525 ASA Image to FTD Image

yeruel77 · ‎07-05-2017

Hi support,

I am going to deploy Cisco ASA 5525,

I need your help on the following points.

1. How to Migrate Cisco ASA image to FTD image?

2. After migrated to FTD image, is it possible to manage it by just browsing IP since there is no Fire managment center?

This is BoM,

ASA 5525 NGFW (Qty 2)
ASA5525-FPWR-BUN	ASA 5525-X with FirePOWER Svcs. Chassis and Subs. Bundle	1
ASA5525-FPWR-K9	ASA 5525-X with FirePOWER Services, 8GE, AC, 3DES/AES, SSD	2
CON-3SNT-A25FPK9	3YR SNTC 8X5XNBD ASA 5525-X with FirePOWER Services, 8GE	2
CAB-ACE	AC Power Cord (Europe), C13, CEE 7, 1.5M	2
SF-ASA-X-9.2.2-K8	ASA 9.2.2 Software image for ASA 5500-X Series,5585-X,ASA-SM	2
SF-ASA-FP5.4-K9	Cisco FirePOWER Software v5.4 for ASA 5500-X	2
ASA5525-CTRL-LIC	Cisco ASA5525 Control License	2
ASA5500X-SSD120INC	ASA 5512-X through 5555-X 120GB MLC SED SSD (Incl.)	2
ASA5525-MB	ASA 5525 IPS Part Number with which PCB Serial is associated	2
ASA5500-ENCR-K9	ASA 5500 Strong Encryption License (3DES/AES)	2
L-ASA5525-TA=	Cisco ASA5525 FirePOWER IPS License	1
L-ASA5525-TA-3Y	Cisco ASA5525 FirePOWER IPS 3YR Subscription	1

Marvin Rhoads · ‎07-05-2017

Before re-imaging make sure you understand what features you need to use.

For instance, there is currently no SSL VPN (AnyConnect) availalbe on an ASA with FTD. Even when it is released, it will not be as full-featured as the version running on ASA software.

While you can manage an ASA with FTD using the Firepower Device manager (FDM) built-in web GUI, if has some limitations (cannot configure advanced features, limited reporting and logging etc.).

So, if you need just a basic NGIPS, yes you can run FTD on the ASA with the built-in management.

You will need to license it for FTD. The Control and IPS licenses that you have will not work with FTD. FTD would require the equivalent "Threat Defense" license and term subscription. The part numbers would be L-ASA5525T-T= and L-ASA5525T-TP-3Y (Cisco ASA5525 Threat Defense Threat Protection 3YR Subscription).

Step-by-step instructions for re-imaging can be found here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#id_51368

yeruel77 · ‎07-05-2017

Hi Marvin,

Thanks A lot,

Yes, for now I want to go with Basic NGIPS.

We are about to ordering below License,

So, is L-ASA5525T-T= not equivalent with -ASA5525-TA= regarding to control and IPS licenses to support FTD ?

L-ASA5525-TA=	Cisco ASA5525 FirePOWER IPS License
L-ASA5525-TA-3Y	Cisco ASA5525 FirePOWER IPS 3YR Subscription

Marvin Rhoads · ‎07-05-2017

You're welcome.

The licenses are functionally equivalent (and cost the same) but they are for different platforms.

The "TA" one is a traditional PAK-based license for the ASA FirePOWER service module. It cannot be used with FTD.

The "T" one is a Smart License for the ASA running FTD. It cannot be used with a FirePOWER service module. It will require you to setup a Smart account if you don't have one already.

Also FTD does not require nor can it use the (no-cost) Control license.

yeruel77 · ‎07-05-2017

Hi Marvin,

Can you confirm the below BoM for platform, I thought it was ASA FirePOWER service module!

1. is it ASA FirePOWER service module or ASA? if not ASA FirePOWER service module I will order with "T" instead of "TA".

2. If not ASA firePower service, is it possible to migrate to FTD?

ASA5525-FPWR-BUN	ASA 5525-X with FirePOWER Svcs. Chassis and Subs. Bundle	1
ASA5525-FPWR-K9	ASA 5525-X with FirePOWER Services, 8GE, AC, 3DES/AES, SSD	2
CON-3SNT-A25FPK9	3YR SNTC 8X5XNBD ASA 5525-X with FirePOWER Services, 8GE	2
CAB-ACE	AC Power Cord (Europe), C13, CEE 7, 1.5M	2
SF-ASA-X-9.2.2-K8	ASA 9.2.2 Software image for ASA 5500-X Series,5585-X,ASA-SM	2
SF-ASA-FP5.4-K9	Cisco FirePOWER Software v5.4 for ASA 5500-X	2
ASA5525-CTRL-LIC	Cisco ASA5525 Control License	2
ASA5500X-SSD120INC	ASA 5512-X through 5555-X 120GB MLC SED SSD (Incl.)	2
ASA5525-MB	ASA 5525 IPS Part Number with which PCB Serial is associated	2
ASA5500-ENCR-K9	ASA 5500 Strong Encryption License (3DES/AES)	2
L-ASA5525-TA=	Cisco ASA5525 FirePOWER IPS License	1
L-ASA5525-TA-3Y	Cisco ASA5525 FirePOWER IPS 3YR Subscription	1

Marvin Rhoads · ‎07-05-2017

That BOM would not be correct for a new ASA with FTD image. If you bought that, the customer would have to do all of the re-imaging work, making the initial experience much more burdensome than it need be.

If you are a partner, please refer to the Cisco Security Products Ordering Guide. It will suggest you use the master SKU "ASA5525-FTD-BUN".

If you do that, then within the Cisco Commerce Workspace (CCW) ordering tool you will then be prompted to validate the configuration and, in doing so, select the correct country (for power cord) and licenses with associated subscription terms.

yeruel77 · ‎07-05-2017

Thank you very much!

Marvin Rhoads · ‎07-05-2017

You're welcome. Please mark your question if answered if it has been and rate helpful replies.

gladcube123 · ‎07-07-2017

Hi Marvin,

Seeking for your help and advise on how to size a NGFW also NGIPS.

What are the things to consider for the sizing with these given requirements.

Firewall Modes (routed, transparent, virtual firewall)

Management Options(telnet, ssh,ftp, scp,snmp,netflow,Central web management/GUI), packet capture capability

High Availability with session persistence

User and Application Visibility Control

Integration with Active Directory

Microsegmentation

APT Protection

DOS/DDOS protection along with Antimalware and Antivirus capabilities

Dynamic/Static Routes support along with Policy Based Routing

IPS support

Deep Packet inspection including SSL inspection

Historical Reporting and logging

10G ports, SFP support, along with interface expansion card option

QOS, traffic shaping

Dual Power Supply

Thanks in advance

Marvin Rhoads · ‎07-07-2017

gladcube123

Please start a new discussion. Your question is unrelated to this thread.