07-29-2013 09:16 PM - edited 03-11-2019 07:18 PM
With Akhil Behl
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from and ask questions of Cisco expert Akhil Behl about the Cisco Adaptive Security Appliance (ASA) Firewalls: Lifeline of Today's Data Centers webcast, including the various new features of the Cisco ASA firewall as a next-generation data center firewall in terms of its capability, scalability, and performance. He can also answer questions on the Cisco ASA as a next-generation data center firewall providing clustering, intelligent threat defense using Cisco ScanSafe technology, and access control based on Cisco TrustSec.
Akhil Behl is a solutions architect with Cisco Advanced Services, focusing on Cisco collaboration and security architectures. He leads collaboration and security projects worldwide for the enterprise segment as well as the collaborative professional services portfolio for the commercial segment. Previously at Cisco, he spent 10 years in various roles at Linksys and the Cisco Technical Assistance Center. He holds CCIE (Voice and Security), PMP, ITIL, VMware VCP, and MCP certifications. He has published several research papers in international journals, including IEEE Xplore. He has been a speaker at prominent industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Cisco SecCon, IT Expo, and Cisco Networkers. He is the author of Securing Cisco IP Telephony Networks by Cisco Press.
This event is a continuation of the live webcast, and the panelists were Sumanta Bhattacharya and Parminder Pal Singh.
Sumanta Bhattacharya is a Network Consultant with Cisco Advanced Services and has more than 12 years of networking experience with specialization in security topics that include Firewall / IPS / VPN, Wireless, Network Optimization, Audits, and Security assessments. He holds CCNP, CCSP, VCP and ISO 27001 Lead Auditor certifications.
Parminder Pal Singh is a Data Center Specialist for Cisco Presales in Data Center and has more than 9 years of experience. Prior to this role he worked in companies such as VCustomer, Convergys and Aricent Technology Holdings. He is an active instructor for both Data Center and Network Security technologies. He holds a CCIE certification (#19972) in the Security domain.
Remember to use the rating system to let Akhil and team know if you have received an adequate response.
Akhil might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through August 9, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
Webcast related links:
07-30-2013 10:49 PM
Hello Akhil, Sumanta and Parminder,
Here are a few questions picked from the bunch of questions that attendees asked during the live webcast; can you please provide your responses to each one of them individually.
Thanks!
07-31-2013 05:19 AM
Dear Cisco Moderator,
Please find the answers to the questions as follows:
Cisco ASA Clustering is supported in 2 modes - Spanned and Individual interface. In spanned mode, the firewall's interfaces are bound into port channel(s), and LACP may be used to send the traffic to the firewalls in the cluster. In individual interface mode, the traffic has to be load balanced by a layer 3 device in front of the firewall (Router, ACE, etc.), and each firewall has interfaces with routable IP addresses.
Yes, Cisco ASA requires clustering license. This license is required for each node which will be a part of the cluster.
No, the firewalls in a cluster should be the same platform - either 5580 or 5585(X).
Cisco ASA clustering is supported only on ASA 5580, 5585 and 5585-X platforms as of today.
Akhil Behl
Solutions Architect
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
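To make the spanned-interface mode described in the answer above concrete, here is an added configuration example for one unit of a two-unit ASA cluster. It is not from the original post or the webcast; the unit name, interface numbers, VLAN IDs, IP addresses, cluster name and shared secret are all assumed, and the exact command set should be checked against the configuration guide for the ASA release in use.

```text
! ASA unit 1 of a spanned EtherChannel cluster (ASA 9.x). All assumed values.
! Assumed: Te0/6-0/7 form the cluster control link (CCL), Te0/8-0/9 carry data,
! the upstream switches are a vPC/VSS pair (vss-id 1 and 2).

! Interface mode must be set before the cluster group is configured.
cluster interface-mode spanned force

! Cluster control link: a port-channel dedicated to CCL traffic, never a data interface.
interface TenGigabitEthernet0/6
 channel-group 1 mode on
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description cluster control link (CCL)

! Data interfaces: one spanned port-channel shared by every unit in the cluster;
! the vPC/VSS pair load-balances flows to the cluster members with LACP (cLACP).
interface TenGigabitEthernet0/8
 channel-group 2 mode active vss-id 1
 no shutdown
interface TenGigabitEthernet0/9
 channel-group 2 mode active vss-id 2
 no shutdown
interface Port-channel2
 port-channel span-cluster
 no shutdown
interface Port-channel2.10
 vlan 10
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Port-channel2.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

! Cluster group: only local-unit, the CCL address and priority differ between units.
! 'key' authenticates control traffic on the CCL; forwarded data packets and
! connection-state updates cross the CCL in the clear, so keep the CCL on an
! isolated VLAN that carries nothing else.
cluster group dc-cluster
 local-unit asa1
 cluster-interface Port-channel1 ip 127.2.1.1 255.255.255.0
 priority 1
 key <cluster-shared-secret>
 enable
```

The second unit repeats the same configuration with its own `local-unit` name, a different `cluster-interface` address on the 127.2.1.0/24 CCL subnet and a lower priority; the data-interface configuration, including the IP addresses on Port-channel2, is replicated from the master unit and must not be entered separately. Note the security-relevant point: the cluster key protects control messages only, so the confidentiality of state replicated over the CCL depends entirely on the CCL VLAN being isolated.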
07-31-2013 10:26 PM
Hi Akhil
I would like to know why, or what is the advantage of, using ISE with ASA firewalls. I am planning to have VPN users who will use AnyConnect and connect through ASA, and I am trying to understand what ASA can't do that ISE can do for VPN users when integrating with ASA.
Thanks
V.Muthu
08-01-2013 10:17 AM
Hello Muthu,
You asked a great question!
While ASA can act as a VPN termination point, it can only filter traffic or inspect the content passing through it. ISE can do much more in conjunction with ASA.
As I also illustrated in my presentation during the Webcast, ISE allows ASA to apply granular security rules based on posture assessment, posture remediation, Security Group Tagging (SGT). This allows the administrator to allow or block access for a user to corporate resources based on certain attributes.
For example, upon connecting to ASA from IPsec or AnyConnect VPN, ISE can tell ASA if the user's Anti-Virus is turned off and therefore allow limited access to the network. This is much more than doing user authentication and authorization. You are actually limiting the user access based on AV, Windows patches, etc.
Hope this clarifies the difference between simple ASA based VPN and the SGT based features including posture validation of ISE.
Regards,
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
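As an added illustration of the ASA-to-ISE posture flow described in the answer above (this is example configuration, not from the original post or the webcast): the ASA sends AnyConnect authentication and accounting to ISE over RADIUS, ISE returns an authorization with a redirect ACL for endpoints whose posture is still unknown, and after the endpoint reports compliant, ISE pushes the final authorization with a RADIUS Change of Authorization (CoA). The CoA-based flow needs ASA 9.2(1) or later; the ISE address, interface names, pool, ACL name, group names and shared secret below are assumed.

```text
! Assumed: ISE policy node at 10.10.10.5 reachable on 'inside',
! AnyConnect address pool 10.20.0.0/24. ASA 9.2(1)+ for 'dynamic-authorization'.

aaa-server ISE protocol radius
 ! periodic interim accounting keeps the ISE session (and its IP) current
 interim-accounting-update periodic 1
 ! accept RADIUS CoA from ISE so the posture result can change the session's access
 dynamic-authorization
aaa-server ISE (inside) host 10.10.10.5
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813

ip local pool vpn-pool 10.20.0.1-10.20.0.254 mask 255.255.255.0

! Redirect ACL named in the ISE authorization profile for 'posture unknown'.
! On the ASA, 'deny' lines are NOT redirected (ISE itself, DNS), while 'permit'
! lines are redirected to the ISE client-provisioning portal until the endpoint
! posts a compliant posture; everything else is controlled by the dACL ISE sends.
access-list ISE-POSTURE-REDIRECT extended deny ip any host 10.10.10.5
access-list ISE-POSTURE-REDIRECT extended deny udp any any eq domain
access-list ISE-POSTURE-REDIRECT extended permit tcp any any eq www
access-list ISE-POSTURE-REDIRECT extended permit tcp any any eq https

tunnel-group anyconnect-tg type remote-access
tunnel-group anyconnect-tg general-attributes
 address-pool vpn-pool
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy anyconnect-gp
```

The practical check after bringing this up is `show vpn-sessiondb anyconnect` on the ASA: a session that is still in the unknown-posture state shows the redirect ACL applied, and after ISE's CoA the same session shows the compliant dACL instead. Because CoA lets ISE change a live session's access, restrict `dynamic-authorization` to traffic from the ISE nodes only and use a strong, unique RADIUS shared secret per ASA.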
08-01-2013 02:34 PM
Does the Cisco ASA 5512-X support traffic shaping? I am installing one of these and I cannot find the command to enable traffic shaping under the 8.6 and 9.1 firmware.
Running the following command does not work, because the shape option is not available.
policy-map outside-policy
class class-default
shape average 5000000
Is this because it is SMP firmware? Is shape not an option with SMP, and if so, why?
Thanks
--Blake
08-02-2013 03:32 AM
Hi Blake,
As of today, Cisco ASA multiprocessor / multicore units like the 5512-X do not support traffic shaping. Rather than being a firmware-specific restriction, it's a hardware-based restriction.
Please see the following URL (see model guidelines)
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/conns_qos.html#wp1112081
Hope the information provided is helpful!
Regards,
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
08-02-2013 11:21 AM
Thanks for the follow up, and confirming that I am not going mad.
Do you know if shaping will ever be supported?
Is it not a concern now, since the hardware is handling it implicitly?
Should priority queuing be used instead?
Thanks!
--Blake
08-02-2013 12:25 PM
Hello Blake,
I know where you are coming from and no worries.
As of today, shaping is not on the roadmap for multiprocessor or multicore firewalls. I know it's not something you'd like to hear.
You can use priority queuing on the outside interface to put the traffic into different queues, prioritizing delay-sensitive traffic like RTP.
Regards,
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
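An added example of the priority-queuing alternative suggested above, written for an ASA 5512-X class platform where `shape` is unavailable; it is not from the original post or the webcast. The interface name, class and policy names, DSCP value and rates are assumed. It also goes slightly beyond the answer by adding an output policer for the remaining traffic, which is supported on the multicore models and is the closest available substitute for the 5 Mbps `shape average` the question tried to configure, with the caveat that a policer drops excess traffic instead of buffering it.

```text
! Assumed interface name 'outside'; RTP is identified by DSCP EF. All values assumed.

! Enable the strict-priority (LLQ) queue on the interface. queue-limit and
! tx-ring-limit are starting points and should be tuned for the link.
priority-queue outside
 queue-limit 2048
 tx-ring-limit 256

! Match delay-sensitive voice/RTP traffic by its DSCP marking.
class-map VOICE-RTP
 match dscp ef

! Priority and policing may coexist in one policy map but not in the same class:
! voice goes to the priority queue, everything else is policed at 5 Mbps
! (conform-rate in bps, conform-burst in bytes). Unlike shaping, excess is dropped.
policy-map outside-policy
 class VOICE-RTP
  priority
 class class-default
  police output 5000000 1500000

service-policy outside-policy interface outside
```

Verify with `show service-policy interface outside priority` and `show priority-queue statistics outside`: a non-zero drop counter on the priority queue means the queue-limit is too small for the voice load, and rising policer drop counts on class-default show where the 5 Mbps ceiling is being hit.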
08-04-2013 05:09 PM
Hi Akhil
Thanks for the clarification, and some more questions:
1. For VPN users, is profiling not possible? If yes, do profiling and posture have any dependence? And any idea when ASA will start supporting profiling? Because I am planning to use iPads as VPN clients through ASA, authenticated by ISE.
2. Is MAC Authentication Bypass (MAB) also possible for AnyConnect VPN clients through ASA and controlled by ISE?
Thanks
V.Muthu
08-04-2013 11:37 PM
Hello V.Muthu,
As of today, ISE does not support VPN user profiling; however, this is on the roadmap. The major reason is that Cisco ASA does not currently forward the MAC address in the Calling ID of the RADIUS request, and the IP address alone cannot be used as the basis for profiling. For MAC bypass, you can try MAC Exempt in the VPN client pool. In your case, you can terminate (for the time being) VPN on a headend device other than ASA and then authenticate the user via ISE. Again, this is a workaround until support for VPN user profiling via ASA is out.
I hope this answers your query.
Regards,
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
08-01-2013 02:44 PM
Are there any Plans to support PIM BSR ?
08-02-2013 03:43 AM
Hi R-Godden,
As of today, there's no support for PIM-BSR through ASA firewall. Also, it's not seen as of yet on the roadmap.
Regards,
Akhil Behl
Solutions Architect
Cisco Systems
Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
08-02-2013 01:48 AM
Hi Akhil,
This is regarding ASA placement in our datacenter network. My question below
The data center comprises two Nexus 7Ks at the spine, connected to six Nexus 5Ks at the access layer. They run FabricPath in between.
We have a couple of firewalls (ASA 5585) which we plan to use for filtering + IPS + NAT (no VPN). We planned to connect them like this (sorry for my bad drawing):
-----------------------------Core Network----------------------------------------
| / \ |
| / \ |
N7K01 ----inside/outside----- ASA01--------inside/outside --------- N7K02
| |CCL| |
\----------inside/outside----- ASA02--------inside/outside -------------/
Both N7Ks are in the same vPC domain, so they are running in Active-Active mode.
Do you think that the following design is better?
-------------------------Core Network-------------------------------------------
| / \ |
| / \ |
N7K01 ------inside/outside----- ASA01 N7K02
| |
ASA02--------inside/outside -------------/
Regards,
Umair