Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Michael K. Jones the Cisco ASA 5500 Series, a multi-function security/VPN device that delivers a suite of rich, market-proven security and VPN services without compromising features or performance. Michael is the senior product line manager for the Cisco Adaptive Security Appliance (ASA) 5500 and Cisco PIX Security Appliance families.
Remember to use the rating system to let Michael know if you have received an adequate response.
Michael might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 1. Visit this forum often to view responses to your questions and the questions of other community members.
Yes, the Cisco ASA 5500 Series supports integration with market-leading URL filtering solutions from both Websense and Secure Computing/N2H2. Both of our partners' solutions provide a broad range of advanced services for managing and monitoring Internet access. I know for certain that Websense allows you to create per-user bandwidth usage policies using their "Websense Enterprise Bandwidth Optimizer" add-on. I'm not sure about Secure Computing/N2H2 - you may need to check with them on that. Yes, you can create access control lists on the Cisco ASA 5500 Series that are based on time of day.
Hope this helps.
So the web filtering is from third-party software as on the PIX before. It is not built in to the ASA??? So the ASA itself has the URL-filtering capability.
Sorry for any confusion on this topic. Today we do not offer URL filtering services within the Cisco ASA 5500 Series itself. However, we do support integrating with leading URL filtering solutions from Websense and Secure Computing/N2H2, when those solutions are hosted on a separate server. Customers can configure their Cisco ASA 5500 Series appliance to hand URLs to the Websense or Secure Computing/N2H2 server (along with relevant user information, etc.), and then the ASA will enforce whatever answer the URL filtering solution sends back (permit or deny). Customers can use the URL filtering solution's GUI to create user/group-based URL filtering policies such as categories of sites their users can view, daily browsing limits, etc. These solutions also provide comprehensive reporting capabilities that give detailed insight into users' browsing habits and a wide range of statistics (top sites visited, etc.).
I hope this further clarifies things for you.
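The hand-off described above, as an added configuration example that is not from the original thread or from Cisco documentation; it uses ASA 7.x/8.x CLI syntax and assumes a Websense server on the inside interface at 10.1.1.5 and clients on 10.1.0.0/16 (constructed addresses), plus a hypothetical exempt host 10.1.2.50. The point a practitioner should check is the `allow` keyword, which decides whether web traffic fails open or fails closed when the filtering server is unreachable.

```cisco
! Added example (not from the original thread). ASA 7.x/8.x syntax.
! Assumes: Websense server 10.1.1.5 on the inside interface, clients in
! 10.1.0.0/16, and one exempt host 10.1.2.50 (all constructed values).

! Point the ASA at the external filtering server (Websense protocol v4 over TCP).
! The ASA sends each URL plus user info here and enforces the returned verdict.
url-server (inside) vendor websense host 10.1.1.5 timeout 30 protocol TCP version 4

! Send HTTP requests from inside clients to the server for a permit/deny verdict.
! CAVEAT: the trailing "allow" keyword means that if the Websense server is
! down or the lookup times out, the ASA lets the request through (fail-open).
! Omit "allow" to block web traffic while the server is unreachable (fail-closed).
! Decide this deliberately; fail-open silently disables the policy on an outage.
filter url http 10.1.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow

! Exempt one internal host from filtering (e.g. a monitoring workstation).
filter url except 10.1.2.50 255.255.255.255 0.0.0.0 0.0.0.0

! Cache verdicts by destination (size in KB, max 128) to cut round-trips.
url-cache dst 128

! Verification: server reachability, lookup counts, and cache hit/miss ratio.
show url-server
show url-server statistics
show url-cache statistics
```

Watch `show url-server statistics` for rising timeouts: with `allow` set, a timing-out server means policy is not being enforced even though traffic is flowing normally.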
Regarding the Administration and Monitoring tools for the Cisco ASA Series, can they be monitored using CiscoWorks VMS? I haven't found a patch for the VMS in order to support the ASA 5500 Series.
I have heard that the ASA needs two separate administrative IP addresses, one for IPS functionality and another for FW/VPN. Is that correct?
Good questions. Cisco and our AVVID partners offer a variety of applications to manage and monitor the Cisco ASA 5500 Series. One can look at this as four different categories of solutions: single device management, multi-device management, centralized monitoring, and auditing.
First of all, from a single device management standpoint, we provide an integrated web user interface called Cisco Adaptive Security Device Manager (ASDM for short). It provides comprehensive management and monitoring of a single Cisco ASA 5500 Series appliance (including services such as IPS that are delivered via an AIP SSM module - all from a single GUI). Of course you can also manage the system via CLI (which is nearly identical to the Cisco PIX CLI, just extended to support all of the additional services ASA offers). As you point out, the AIP-SSM module has its own CLI, but that is completely abstracted when you are using the web-based device manager. Other remote management features include SSH, telnet, and console/AUX access to the system. We also support the concept of an out-of-band management port, where all management traffic is required to go through. We support many methods for transferring files, like SCP, HTTP, HTTPS, FTP, and TFTP. Of course we also support SNMP, syslog, and SDEE for monitoring purposes.
Secondly, from a multi-device management standpoint there are at least two different solutions that I am aware of. We are in the process of updating CiscoWorks VMS to have full support for all the different services offered by the Cisco ASA 5500 Series. As you point out, this has not been released yet. We will be entering beta soon with this solution - if you are interested in beta testing, please contact your Cisco account team and let them know. Solsoft, one of our AVVID program partners, has updated their Policy Server product to manage the firewall, IPSec VPN, and IPS services of the Cisco ASA 5500 Series. So that is another alternative you could consider.
From a monitoring perspective, there are many solutions available. Cisco offers at least two solutions, the primary being our Cisco MARS solution. This is a great monitoring solution that takes events in from all of our different security and networking products, as well as events from third-party firewall, IPS, etc products. There are also over 10 different monitoring solutions from our different AVVID partner program members as well. So plenty of options here, and I'm sure at least one of these will fit your needs.
From an auditing standpoint, the new Cisco Security Auditor product also fully supports the Cisco ASA 5500 Series. This product can help customers deal with regulatory compliance and ensure that devices throughout their network are following corporate security policies and industry best-practices. It can perform audits either online or offline, and will basically look at device configurations and compare them to policies that you have set or compare them to industry best practices. It has a variety of reporting capabilities as well to roll-up the audit results.
So I think this sums up management of the Cisco ASA 5500 Series. I hope this clarifies things for you.
Sorry to hear you are having problems with password recovery. From the small amount of information you have provided, my guess would be that the configuration of your Cisco ASA 5500 appliance had the "no password recovery" command in it prior to you performing the procedure. If this command is present when someone performs a password recovery procedure, we will wipe out the configs stored on flash as well as any encryption keys/certificates stored on the device. This is a security feature designed to protect the configuration and encryption keys from unauthorized use. So when you reboot after performing the password recovery procedure, in this scenario, no interfaces will be defined. You can connect via the console cable to get the system going, and can copy a backup of your config to the device or re-create your config as needed. You can use the "configure factory-default" command to reset the configuration back to the defaults we ship the product with.
I hope this helps. If you still have questions, please contact the TAC.
I wanted to take a minute and thank all of you for the great questions you asked during this Ask the Expert session for the Cisco ASA 5500 Series. I think we covered a lot of ground, and I hope this helped you better understand this exciting new product family. Please let your Cisco account team or Cisco partner know if you have any further follow-up questions.
I am about to recommend an ASA appliance for my customer. I am considering ASA5510-SEC-BUN-K9 or ASA5520
· Firewall / NAT
· Multi-Link Management (i.e. ability to have multiple ISP links into the same device)
· Authentication (user, IP, and mac address)
I will really be grateful if I could get answers to these questions as soon as possible because it is very urgent. Thank you in advance.
I recently purchased the license for AnyConnect Mobile for my ASA5510 which has an existing SSL VPN license for 10 concurrent users. When I activated the key for the AnyConnect Mobile license on the ASA5510, it disabled the SSL VPN license and reduced the concurrent users to the default 2. Is this a bug in ASA5510 or did I get the wrong license key from Cisco?
Can you give me the live log format for the below IDs for Cisco ASA 5500 Version 8.3(X)?
These are the few log IDs which are added in the new version. As we are planning to upgrade
our older version, we need a clear idea about the logs and their exposure.
I have the synthetic log format for the above IDs.