Ask the Expert: Cisco ASA 1000V Cloud Firewall - Page 2

ciscomoderator · ‎09-21-2012

With Jennifer Halim

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Cisco ASA 1000V Cloud Firewall with Cisco Expert and CCIE Jennifer Halim. The Cisco ASA 1000V Cloud Firewall is one of the newest additions to the Cisco ASA series firewall is an edge cloud firewall that runs on VMware vSphere Hypervisor software, exclusively on Cisco Nexus 1000V. It allows Virtual Machines in Data Center to access the Internet securely, acting as a default gateway for those Virtual Machines and protects against network based attacks. It is not a replacement product to the existing ASA appliances but an addition to the ASA family to fulfil an increasing demands to protect VM environment. ASA 1000V requires ASA version 8.7(1) with ASDM version 6.7(1).

Jennifer Halim is a technical account manager for the Cisco ScanSafe (Cisco Cloud Web Security) solution in the Asia Pacific region. Her work involves implementing the solution within the customer's environment and managing the project. Prior to her current role, she was part of the Australia Security team in the Technical Assistance Center that helps customers configure and troubleshoot Cisco security technologies.She also served as a mentor to other Technical Assistance Center engineers. She has worked in the networking security field for more than 10 years and holds CCIE certification in Security (#16480) as well as CISSP and ITILv3 certifications.

Remember to use the rating system to let Jennifer know if you have received an adequate response.

Jennifer might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through through October 5, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

You can read the interview with Jennifer in the Cisco Support Community.

Jennifer Halim · ‎09-28-2012

Hi Adam,

I will get back to you in regards to question 1 and 2 (getting confirmation from the product team).

3. In ASDM mode, you don't need to have VNMC. However, when you install ASA 1000V, you would need to choose whether to use management in ASDM mode or VNMC mode. If you choose VNMC mode during install, then you can't configure it via ASDM. To change it to ASDM mode, you would need to reinstall ASA 1000V and choose ASDM mode during the reinstallation.

4. In regards to failover, yes, if the first host fails (hardware failure), then it will failover to the second host.

Here is more information on what triggers ASA 1000V failover:

http://www.cisco.com/en/US/docs/security/asa/asa87/configuration/guide/basic_active_standby.html#wp1231294

Jennifer Halim · ‎09-28-2012

Hi Adam,

In regards to your questions 1 and 2, as off today, both dynamic routing and remote access VPN will not be supported in future releases.

However, if you have a good use case for those 2 features, please kindly get in touch with your Cisco Account rep., and he/she will be able to further assist in requesting for those feature addition.

Hope that answers all your questions.

AdamBatey · ‎09-30-2012

HI Jennifer,

Thats a real shame. The dynamic routing we could live without(still would be good to have), but the remote-access VPN is a must have for our customers.

We currently use ASA 5505 & 5510's in our datacenter as a hosted firewall platform (one for each customer). The biggest issues with this is scalability. The ASA1000V would be the perfect solution for multi-tenant firewalling. Unfortunately remote-access VPN's are a key requirement, without which we will not be able to switch to the ASA1000v platform.

I'll get in touch with our Cisco Rep but just thought I'd put my thought up here too. If you are able to feed this back to the ASA1000V team it would be appreciated.

Regards,

Jennifer Halim · ‎09-30-2012

Hi Adam,

Thank you for the input, much appreciated. I have fed this back to the ASA 1000V product team. If you can also get in touch with your Cisco Rep that would be great and I am sure other customers/partners would have the same requirement too. I agree with you that Remote Access VPN would be a huge plus to manage the VMs within the data center.

Regards, Jennifer

AdamBatey · ‎10-02-2012

HI Jennifer,

In my test environment I am running an ASA1000V in ASDM mode, but cannot appear to get any traffic to flow from the inside to the outside.

When i do a packet tracer to test it fails saying "Security-profile not used" I cannot set security profiles as this needs the VNMC.

I found this in the ASA1000V ASDM admin guide: (http://www.cisco.com/en/US/docs/security/asa/quick_start/asa1000V/setup.html#wp1066535

Registering the ASA 1000V Using ASDM

When ASDM is used to manage policies for the ASA 1000V, the Cisco VNMC appliance must be installed because it coordinates the creation and use of security profiles between Cisco Nexus 1000V and the ASA 1000V. For this reason, the ASA 1000V should be configured with a user account that has privileges to create and delete security profiles in Cisco VNMC.

See the Cisco VNMC documentation for information about creating user accounts.

This implies to me that i do need the VNMC irrespective of whether my ASA1000V is in ASDM or VNMC mode. Can you re-confirm the requirement for VNMC if my ASA is in ASDM mode.

Regards,

Jennifer Halim · ‎10-02-2012

Hi Adam,

You would need to register ASA 1000V to VNMC first even though configuration is done via ASDM, in ASDM mode.

To register via ASDM:

Configuration --> Device Setup --> Interfaces --> you would need VNMC IP Address, user account, pre-shared key, and unique organization path for this particular ASA 1000V instance.

Then Security Profiles can be configured via ASDM under the same menu: Configuration --> Device Setup --> Interfaces.

parvezahmad90 · ‎09-30-2012

Hi Jennifer,

Could you please provide a Deployment/Configuration scenarios where we can integrate below technologies with ASA1000v?

VSG
vPath
vMotion
Multi Tenant environments
VXLAN
vCloud Director etc.

The objective is to explain the logical traffic flow among these technologies along with all feature sets, in front of the customers.

Regards

Parvez

Jennifer Halim · ‎09-30-2012

Hi Parvez,

1. VSG is deployed in transparent mode to protect traffic flow between VMs, while ASA 1000V is deployed in routed mode to protect traffic flow from VMs outbound to the Internet and vice versa. VSG and ASA 1000V provides tenant edge, intra-tenant, and inter-tenant virtual and cloud security.

2. For outbound connection:

Packet receives by ASA 1000V is encapsulated as being tagged by vPath and policy applied accordingly and packet is sent out to the outside interface without the vPath encapsulation. Return traffic will be re-encapsulated before being sent back towards the VM host.

For inbound connection:

Packet receives by ASA 1000V on the outside interface will not have vPath encapsulation, and after policy is being applied and flow created on ASA 1000V, it will be sent out the inside interface with vPath encapsulation towards the VM host.

vPath also supports service chaining so that multiple virtual network services can be used as part of a single traffic flow.

For example: by specifying the network policy, vPath can direct the traffic to first go through the ASA 1000V, providing tenant edge security, and then go through the VSG, providing zone firewall capabilities.

3. ASA 1000V is vMotion aware, so even though there is movement of VMs across physical servers, inbound and outbound traffic from and to VMs are still protected by ASA 1000V.

4. One ASA 1000V supports 1 tenant (it doesn't support multi context mode). If you have multi tenant environment, you would just need to deploy 1 ASA 1000V per tenant.

5. ASA 1000V acts as a VXLAN gateway to send traffic to and from the VXLAN to a traditional VLAN. VXLAN is terminated on Nexus 1000V port, and can't be terminated on the ASA 1000V.

6. I believe ASA 1000V will be supported on vCloud Director in the future.

shijogeorge · ‎10-01-2012

Hi Jennifer,

Can you please elaborate on below statement from the FAQ

"A single instance of ASA 1000V can support multiple edge profiles, each with distinctly defined security policies attached to different sets of VMs on the same VLAN and subnet".

Does that mean that the same ASA inside interface can be shared between VMs belonging to different tenants which are placed in different 'groups' within a VLAN? How does this work?

TIA

Shijo George

Jennifer Halim · ‎10-01-2012

Hi Shijo,

No, it can't protect VMs belonging to different tenants as ASA 1000V only supports one tenant.

What the FAQ means by "single instance of ASA 1000V can support multiple edge profiles" is:

You can create multiple segments within the inside using a single subnet.

For example:

- Different security profiles can be created for Web servers, Database servers and Application servers.

- On ASA 1000V, you configure multiple interface security-profile with corresponding nameif:

interface security-profile 1

security-profile web-server

nameif web

no ip address

security-level 100

interface security-profile 2

security-profile db-server

nameif db

no ip address

security-level 100

interface security-profile 3

security-profile app-server

nameif app

no ip address

security-level 100

- Then you can configure different policy/access rules for each security-profile above and apply the rule to the security-profile interface.

Hope that answers your question.

shijogeorge · ‎10-01-2012

Hi Jennifer,

Thanks for the clarification.

So the security profile is just a grouping which can be used to define policies for traffic traversing in/out of the subnet only; we would still need VSG to control access between these groups. Am I correct?

Regards,

Shijo George

Jennifer Halim · ‎10-01-2012

Hi Shijo,

Yes, you are absolutely correct. Traffic between groups still need to be controlled/protected by VSG.

ykanemitsu · ‎10-01-2012

Hi Jennifer,

At first, please allow my poor English.

In the future, ASA1000V would be one of the best solutions in Hybrid Cloud Environment?

For example....

ASA1000V would be connected to third-party cloud (ex. Amazon AWS) by IPsec-VPN, and deploy to provide secure access between private cloud and public cloud.

All of them would be managed by vCloud Director.

Does these ideas incorrect?

Please tell me the answer including your personal opinion.

Regards

Yasunori

Jennifer Halim · ‎10-01-2012

Hi Yasunori,

Your English is absolutely fine.

Currently, ASA 1000V already supports IPSec VPN (LAN-to-LAN only) and if third party cloud such as Amazon AWS supports LAN-to-LAN IPSec VPN, then they would be able to provide secure access between the 2 clouds.

vCloud Director will be supported in the future release, you are absolutely correct too.

ykanemitsu · ‎10-01-2012

Thank you for your immediate response.