Ask the Expert: Cisco ASA 1000V Cloud Firewall

ciscomoderator
Community Manager

With Jennifer Halim

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Cisco ASA 1000V Cloud Firewall with Cisco Expert and CCIE Jennifer Halim. The Cisco ASA 1000V Cloud Firewall is one of the newest additions to the Cisco ASA series of firewalls. It is an edge cloud firewall that runs on VMware vSphere Hypervisor software, exclusively on Cisco Nexus 1000V. It allows Virtual Machines in the Data Center to access the Internet securely, acting as a default gateway for those Virtual Machines and protecting them against network-based attacks. It is not a replacement for the existing ASA appliances but an addition to the ASA family to fulfil the increasing demand to protect VM environments. ASA 1000V requires ASA version 8.7(1) with ASDM version 6.7(1).

Jennifer Halim is a technical account manager for the Cisco ScanSafe (Cisco Cloud Web Security) solution in the Asia Pacific region. Her work involves implementing the solution within the customer's environment and managing the project. Prior to her current role, she was part of the Australia Security team in the Technical Assistance Center that helps customers configure and troubleshoot Cisco security technologies. She also served as a mentor to other Technical Assistance Center engineers. She has worked in the networking security field for more than 10 years and holds CCIE certification in Security (#16480) as well as CISSP and ITILv3 certifications.

Remember to use the rating system to let Jennifer know if you have received an adequate response.

Jennifer might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through October 5, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

You can read the interview with Jennifer in the Cisco Support Community.

38 Replies

Hi Jennifer,

I would like to submit some questions regarding the evolution of our data center.

Currently we have an architecture based on two levels of firewall.

The first level creates the DMZ, while the second level is an FWSM in the Catalyst 6509 and creates the internal networks.

The virtual machines reside in the DMZ and in the internal network, and the virtualization technology is VMware.

In a short time, we would like to move to an architecture that allows us to offer private cloud services.

VMware is proposing to us VMware vCloud Director and the vShield firewall.

VMware says that we can dispose of the FWSM, replacing it with vShield.

Let me start by saying that I do not know vShield, but what are the benefits of using Cisco ASA 1000V instead of VMware vShield?

In a post in this thread there is a statement that is unclear to me, when you say:

ASA 1000V only has 2 data interfaces (inside and outside); the inside interface will be the default gateway for the VM servers, and the outside would typically be connected towards the Internet.

Assuming that we maintain the two-tier architecture:

  • Not all virtual machines have the ASA 1000V as a gateway, the DMZ VMs for example.
  • The outside interface is not directly connected towards the Internet; there is another firewall in between.
  • Only 2 data interfaces is a strong limit; the new vShield release has 10 interfaces.

I would like your opinion on these points.

Thanks,

Regards,

Fabrizio

Hi Fabrizio,

Firstly, ASA 1000V is not a replacement for FWSM. If you are looking for a replacement for FWSM, then you should be looking into ASA-SM. ASA-SM can support up to 1000 VLANs (interfaces).

Here is more information on ASA-SM for your reference:

http://www.cisco.com/en/US/products/ps11621/index.html

Further to your 3 points:

  • To pass traffic through ASA 1000V, the virtual machines need to have the ASA 1000V as their default gateway. If the virtual machines don't need to route out to the Internet, then there won't be any issues with not having the ASA 1000V as their default gateway.
  • It is OK for the outside interface to not directly connect to the Internet. Having another layer of firewall in front of ASA 1000V is not a problem at all.
  • The reason why it only has 2 data interfaces is that it is meant to protect traffic from virtual machines towards the Internet and vice versa. As per my statement above, if you are looking for a replacement for FWSM, then you should be looking at ASA-SM.

Hope that answers your questions.

Darren Lynn
Cisco Employee

Hi Jennifer,

I have the task of finding Virtual Firewall solutions for our hosting environment. Currently our hosting environment supports both VMware and Microsoft hypervisors.

Are there any roadmap plans to support any of the 1000V range of products on Hyper-V?

The Hyper-V virtual firewall solution is proving to be a rather difficult topic to find a solution to.

Cheers

Darren

Hi Darren,

Yes, the Nexus 1000V is scheduled to support Hyper-V. You might want to check further with your Cisco Account Rep on its release date and more information on this integration.

Hi Jennifer,

Just to clarify, this is all 1000V products, or just the Nexus 1000V?

Cheers

Darren

Hi Darren,

I can confirm "yes" for VSG and ASA 1000V. For other services supported on Nexus 1000V, it is best if you confirm that with your Cisco Account Rep.

Thank you, Jennifer.

I've contacted my CAM to arrange further discussions.

Cheers

Darren

Hi Jennifer,

I am even more confused by your answer.

You say that ASA 1000V is not a replacement for FWSM, and that they should therefore coexist.

Three considerations:

  1. Implementing ASA 1000V without disposing of the FWSM (or alternatively the ASA-SM) means that I will have three levels of firewall? Currently the VMs in the internal network have the FWSM as their default gateway. From my point of view, if the ASA 1000V becomes the default gateway of the virtual machines, the FWSM is no longer needed.
  2. For network and security programmability, we said that the ASA 1000V will be integrated into vCloud Director. I do not think the ASA-SM will do the same.
  3. From the cost perspective, how do I justify to my management the use of a virtual appliance if I must maintain the physical device?

Regards,

Fabrizio

Hi Fabrizio,

1. No. If you would like to have a 2-tier firewall, then you can either keep your existing FWSM or replace it with ASA-SM, plus implement ASA 1000V. So you would have ASA 1000V as the first-tier firewall, and FWSM/ASA-SM as the second-tier firewall. If you only have a VM environment, then yes, you no longer require the FWSM. However, if you have a mixed environment and you still need to protect other hosts/servers, then you require the FWSM as well.

2. Yes, you are correct. ASA-SM won't be integrated into vCloud Director, as it is a replacement for FWSM and is only supported on the Cisco 6500 switch.

3. I apologize that I don't have an answer for you in regards to cost, as this is meant to be a technical event. I would strongly suggest that you get in touch with your Cisco Account Rep for cost; he/she would be able to provide you with the necessary information.
