We’re going to be demoing a couple of Firepower 2100s solely for the role of AnyConnect VPN concentrators. We have extensive experience using ASA 55xx-Xs for basic firewalling duties but are a little put off by reading all the bad experiences with Firepower, so some questions upfront:
Is Firepower a good fit when used solely for the role of AnyConnect VPN concentrator?
Is there a good up-to-date overview of any missing AnyConnect features compared to ASA?
It seems it’s also possible to run legacy ASA on the Firepower hardware, but we’re not certain if this is a good choice because we can’t seem to find a roadmap for this. Is this a solid choice future-wise? We’re aiming for a 5 year lifetime and want to avoid a forced migration to Firepower during this period.
This is coming from someone who leverages FirePOWER for all sorts of clients (MSP provider).
If you must upgrade your hardware and the powers that be are dead set on Cisco, use the thing in ASA mode. There is no need for 2100s for AnyConnect. Get a 1100 series or a 5525-X if it’s only pulling RA VPN duties. Unless you are getting hundreds of connections creeping into thousands of concurrent connections, it’s a cheaper way to go. Using the FMC to configure the AnyConnect settings will work, but you can get way more granular with the ASA mode configurations. Monitoring it via the ASDM also works waaaay better and is much more intuitive than the FMC (like wtf cisco?).
You know that the 5525-X hasn’t dropped its EoL yet? I thought it did and checked, but it hasn’t dropped. That workhorse will push along for another 5+ years.
I have a massive client that leverages a massive FirePOWER presence and uses both AnyConnect via a 5525-X and Global Protect via some Palo Altos. They stay away from the FP RA VPN stuff. If cost is an issue, just get a 5525-X and continue along. Or host a VPN solution on a Linux box or something.
We use 2110 Firepowers running ASA code solely for AnyConnect. It’s a bit odd at first, as there’s a Firepower OS still running on the device. We couldn’t figure out why ports wouldn’t come up after configuring them in ASDM or ASA CLI, then realized you have to log into the Firepower side and no shut the ports from there. Other than that bit of quirky behavior, they handle our AnyConnect clients with no issue.
Save yourself the headache and time and just go with Palo Altos and GlobalProtect.
I say this as a huge fan of other Cisco products and a very long time user of AnyConnect. AnyConnect is great, but not good enough to deal with the fustercluck that is the Firepower ecosystem.
(All of this could have changed over the last year with software versions)
The last time I deployed a Firepower to be used as a VPN it was really limited. Most of the features were not supported, and what we ended up doing in one situation was that I just put an ASA off a leg of the Firepower and used it as the VPN. In other situations we would just flash the Firepower to run with ASA firmware and it works great. Again this could have been updated, the last version I used was like 6.3 which was buggy af…
Firepower itself has been a dumpster fire and I would avoid it at all costs.
We haven’t upgraded our AnyConnect VPN ASAs yet, but I am running other Firepower 4100 and 2100 boxes with ASA code on them and they work OK. If you don’t want to deal with FTD then a Firepower running ASA mostly just behaves like a faster ASA, with some exceptions since you have to deal with FXOS underneath.
This was a couple years ago … but last I looked at Firepower for VPN it was incredibly far off from feature parity with ASA for VPN. You couldn’t do multiple connection profiles or group policies. You could not authenticate via RADIUS at all. The dynamic access policies weren’t there. It was just a complete mess. Unless you have super simple VPN access … like everyone connects to one thing and gets the same policies, you’re probably going to have problems. Unless there was some massive feature update in the last couple years… We ended up just buying new ASAs since we only use them for VPN.
If you only wanted to use FTD for AnyConnect (no IPS, L7 filtering etc.), the only benefit I can see is being able to centrally maintain Remote VPN policy across multiple firewalls from FMC.
Otherwise, I’ve noted:
- It takes longer to deploy/migrate. Configuration must be done through GUI and the Firepower Migration Tool can’t be used to migrate ASA AnyConnect related configuration.
- No Clientless VPN
- Local user accounts aren’t supported - you have to use LDAP or RADIUS for authentication
- No control over what AnyConnect modules are loaded and DART gets installed which could impact existing AnyConnect users who don’t have privileges to install software.
- If you have any need to install an intermediate CA certificate (i.e. Cisco phones using AnyConnect), loading them in FTD is a royal pain.
Please seriously consider looking at other vendors like Palo, Fortinet, F5 (if you’re already considering spending mucho dinero), Checkpoint, etc. for your VPN concentrator needs.
You will most likely end up disappointed with the feature to price point comparison Cisco has to offer with Firepower vs other vendors.
We did exactly what you plan to do: replaced our old ASA 55XX boxes with new Firepower 2100 boxes last year.
As others have mentioned, if you want to have a dedicated AnyConnect firewall, do not use FTD but the ASA image on the box.
Please be aware that the datasheet specs for the 2100 series are not even close to reality: we are replacing our 2130 right now with a 4110 as it hits 90% CPU with 1k concurrent clients (datasheet says 7.5k!). We are used to incorrect datasheet specs but this is just ridiculous.
Maybe go with a “try & buy” from Cisco so you are safe if they won’t perform as you expect, we should have done this.
AnyConnect is the last thing that works smoothly in the Cisco firewall product series; everything else will be Palo Alto from now on for us.
How much are you forking over here for a dual set of Firepowers? What is your primary firewall(s)? Independent of client or hardware, dedicated VPN appliances have been a waste of resources for over a decade.
In general, I do not recommend the Firepowers at all.
The problem is there doesn’t seem to be an official Cisco stance or roadmap regarding ASA development and subsequently legacy ASA on Firepower hardware.
That’s the FirePOWER Chassis Manager you are working on. Turn up the ports there, turn up the ports in the ASA CLI. The chassis manager makes upgrades super simple for the ASA code, but be fucking careful. There are massive bugs that can brick your devices if you don’t have the chassis software updated to a certain level to support the upgraded ASA code. And it’s a fucking poop shoot as to which version will do that. Even if the software matrix says that it supports the two versions together, it can still brick. Just make sure you have SMARTnet when you upgrade ’cause downgrading/rollback of the chassis manager sometimes fucks up, also. Last time I saw it happen was just a few months ago over the holiday breaks, so that shit is still happening.
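The two-step port bring-up that the posts above describe (enable the physical port in FXOS first, then configure and no-shut it in ASA) is easy to miss because the ASA side reports the interface as configured while the chassis side still holds it disabled. The following is an added illustration, not a transcript from anyone in this thread: the ASA commands are standard ASA interface configuration, and the FXOS CLI sequence (`scope eth-uplink` / `scope fabric a` / `scope interface` / `set admin-state enabled` / `commit-buffer`) is the assumed appliance-mode syntax for the 2100 and should be checked against the FXOS guide for your version before use. `Ethernet1/1` and the addressing are constructed placeholders.

```text
! --- Step 1: FXOS side (Chassis Manager / FXOS CLI), assumed syntax ---
! Until the port is enabled here, the ASA interface stays down no matter
! what ASDM or the ASA CLI shows as configured.
scope eth-uplink
  scope fabric a
    scope interface Ethernet1/1
      set admin-state enabled
      commit-buffer

! --- Step 2: ASA side (standard ASA CLI) ---
! Placeholder addressing; the interface name and security level are examples.
interface Ethernet1/1
  nameif outside
  security-level 0
  ip address 192.0.2.2 255.255.255.0
  no shutdown

! --- Check: both layers must agree before blaming AnyConnect ---
! On the ASA, "show interface Ethernet1/1" should report the line protocol up.
! If it is "administratively down", step 2 was missed; if it is configured but
! still down/down, go back to step 1 and confirm the FXOS admin-state.
show interface Ethernet1/1
```

The practical takeaway is the check at the end: when an AnyConnect port will not come up on a Firepower running the ASA image, confirm the FXOS admin state before spending time on the ASA configuration, since that is the layer the ASA tools never show.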
I echo what you just said. We ripped out FTD last year in favor of Fortigates; granted, we traded one problem for another, but FTD was a huge PIA operationally in that it didn’t fully do what we had expected in an “enterprise class” NGFW.
To the OP - if you’re looking for AnyConnect, I recommend staying with ASA code for the time being until Cisco figures out what they are going to do with FTD. There are plenty of threads on reddit showing the frustration that people have had with that platform as a whole.
Let’s just say that we’re also looking at this demo to test the waters for any future replacements of our current ASA firewalls but I’m not fooling myself and the reality is that at the moment, for firewalling, Palo Alto is the undisputed king. It’s a pity that AnyConnect is so tied to the troubled future of Cisco’s firewalls because at first sight it really is a very capable VPN solution.
Agreed. We have 35ish sites with dual ASAs and based on everything I have read I do not feel comfortable putting in new FTDs. Bad experience with the one site we ran Firepowers, no feature parity with ASA code, and going to be forced to FTD code at some arbitrary time?
Sitting on ASAs on ASA code and looking at Palo Alto for new deployments.