09-21-2012 12:09 PM - edited 03-11-2019 04:57 PM
With Jennifer Halim
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Cisco ASA 1000V Cloud Firewall with Cisco Expert and CCIE Jennifer Halim. The Cisco ASA 1000V Cloud Firewall, one of the newest additions to the Cisco ASA series of firewalls, is an edge cloud firewall that runs on VMware vSphere Hypervisor software, exclusively on Cisco Nexus 1000V. It allows virtual machines in the data center to access the Internet securely, acting as a default gateway for those virtual machines, and protects against network-based attacks. It is not a replacement for the existing ASA appliances but an addition to the ASA family to fulfil the increasing demand to protect VM environments. ASA 1000V requires ASA version 8.7(1) with ASDM version 6.7(1).
Jennifer Halim is a technical account manager for the Cisco ScanSafe (Cisco Cloud Web Security) solution in the Asia Pacific region. Her work involves implementing the solution within the customer's environment and managing the project. Prior to her current role, she was part of the Australia Security team in the Technical Assistance Center that helps customers configure and troubleshoot Cisco security technologies. She also served as a mentor to other Technical Assistance Center engineers. She has worked in the networking security field for more than 10 years and holds CCIE certification in Security (#16480) as well as CISSP and ITILv3 certifications.
Remember to use the rating system to let Jennifer know if you have received an adequate response.
Jennifer might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through October 5, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
You can read the interview with Jennifer in the Cisco Support Community.
10-02-2012 07:59 AM
Hi Jennifer,
I would like to submit some questions regarding the evolution of our data center.
Currently we have an architecture based on two levels of firewall.
The first level generates the DMZ, while the second level is a FWSM in the Catalyst 6509 and generates the internal networks.
The virtual machines reside in the DMZ and in the internal network, and the virtualization technology is VMware.
In a short time, we would like to move to an architecture that allows us to offer private cloud services.
VMware is proposing VMware vCloud Director and the vShield firewall to us.
VMware says that we can dispose of the FWSM, replacing it with vShield.
I should start by saying that I do not know vShield, but what are the benefits of using Cisco ASA 1000V instead of VMware vShield?
Following this post, there is a statement that is unclear to me, when you say:
ASA 1000V only has 2 data interfaces (inside and outside), inside interface will be the default gateway for the VM servers, and outside would typically be connected towards the internet.
Assuming that we maintain the two-tier architecture,
I would like your opinion on these points
thanks,
Regards,
Fabrizio
10-02-2012 08:41 PM
Hi Fabrizio,
Firstly, ASA 1000V is not a replacement for FWSM. If you are looking for a replacement of FWSM, then you should be looking into ASA-SM. ASA-SM can support up to 1000 VLANs (interfaces).
Here is more information on ASA-SM for your reference:
http://www.cisco.com/en/US/products/ps11621/index.html
Further to your 3 points:
Hope that answers your questions.
10-02-2012 04:23 PM
Hi Jennifer,
I have the task of finding Virtual Firewall solutions for our hosting environment. Currently our hosting environment supports both VMware and Microsoft hypervisors.
Are there any roadmap plans to support any of the 1000V range of products on Hyper-V?
The Hyper-V virtual firewall solution is proving to be a rather difficult topic to find a solution to.
Cheers
Darren
10-02-2012 09:03 PM
Hi Darren,
Yes, the Nexus 1000V is scheduled to support Hyper-V. You might want to check further with your Cisco Account Rep on its release date and more information on this integration.
10-02-2012 09:52 PM
Hi Jennifer,
Just to clarify, this is all 1000V products, or just the Nexus 1000V?
Cheers
Darren
10-02-2012 10:10 PM
Hi Darren,
I can confirm "yes" for VSG and ASA 1000V. For other services supported on Nexus 1000V, it is best if you confirm that with your Cisco Account Rep.
10-02-2012 10:16 PM
Thank you, Jennifer.
I've contacted my CAM to arrange further discussions.
Cheers
Darren
10-03-2012 02:36 AM
Hi Jennifer,
I am even more confused by your answer.
You say that ASA 1000V is not a replacement for FWSM, and therefore should coexist.
Three considerations:
Regards,
Fabrizio
10-03-2012 04:13 AM
Hi Fabrizio,
1. No, if you would like to have 2 tier firewall, then you can either keep your existing FWSM, or replace it with ASA-SM, plus implement ASA 1000V. So you would have ASA 1000V as 1 tier firewall, and FWSM/ASA-SM as the second tier firewall. If you only have VM environment, then yes, you no longer require the FWSM. However, if you have mixed environment, and you still need to protect other hosts/servers, then you require the FWSM as well.
2. Yes, you are correct. ASA-SM won't be integrated into vCloud Director, as it is a replacement for FWSM, and only supported on Cisco 6500 switch.
3. I apologize that I don't have an answer for you in regards to cost, as this is meant to be a technical event. I would strongly suggest that you get in touch with your Cisco Account Rep for cost. He/she would be able to provide you with the necessary information on cost.