With Jennifer Halim
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Cisco ASA 1000V Cloud Firewall with Cisco Expert and CCIE Jennifer Halim. The Cisco ASA 1000V Cloud Firewall is one of the newest additions to the Cisco ASA series firewall is an edge cloud firewall that runs on VMware vSphere Hypervisor software, exclusively on Cisco Nexus 1000V. It allows Virtual Machines in Data Center to access the Internet securely, acting as a default gateway for those Virtual Machines and protects against network based attacks. It is not a replacement product to the existing ASA appliances but an addition to the ASA family to fulfil an increasing demands to protect VM environment. ASA 1000V requires ASA version 8.7(1) with ASDM version 6.7(1).
Jennifer Halim is a technical account manager for the Cisco ScanSafe (Cisco Cloud Web Security) solution in the Asia Pacific region. Her work involves implementing the solution within the customer's environment and managing the project. Prior to her current role, she was part of the Australia Security team in the Technical Assistance Center that helps customers configure and troubleshoot Cisco security technologies.She also served as a mentor to other Technical Assistance Center engineers. She has worked in the networking security field for more than 10 years and holds CCIE certification in Security (#16480) as well as CISSP and ITILv3 certifications.
Remember to use the rating system to let Jennifer know if you have received an adequate response.
Jennifer might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through through October 5, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
You can read the interview with Jennifer in the Cisco Support Community.
Will there be an IDS/IPS solution in the ASA1000v ?
does the firewall work intergrated like the 6500 firewall blade ? or like an "stand alone" asa connected to a stand alone switch ?
Does Ipsec VPN work ?
How is failover within the vmware clustering handled ?
1) No, there won't be IDS/IPS feature within ASA1000v.
2) ASA1000v works slightly differently to the FWSM or the standalone ASA. It has 4 interfaces (inside,outside,failover and management) and they are fixed interfaces and can't be added. It protects traffic from VMs outbound to the Internet and vice versa.
3) Yes, IPSec LAN-to-LAN VPN works on ASA1000v.
4) ASA1000v has its own failover features which works exactly the same as the ASA appliance and FWSM. ASA1000V is configured to run on different hypervisors and when it detects one of the hypervisors fail, it will failover to the other one.
ASA1000v does not failover using the VMWare HA feature.
Hope that answers your questions.
Thank you for your answers it helps a lot when one tries to wrap ones head around how things work
but as always with good answers it also raises more questions.
Since there is normally a number of hardware servers in a vmware cluster and this firewall does not utilize vmware failover the question becomes does it support more than 2 firewalls in the failover cluster like one for each physical ?
One of the things that is a problem with virtualization (in my view) is that there is no good way to separate the servers from eachother, am I correct that this firewall does not support transparent mode ?
No, unfortunately it only supports 2 firewalls in ASA1000v failover, and each ASA1000v needs to be installed on separate Nexus1000V.
Yes, you are right. ASA1000v does not support transparent mode. Only supported in L3 (routed mode). If you would like to separate the VM servers from each other, then you should be using VSG (Virtual Security Gateway) instead as it is a L2 device and can secure VM to VM traffic.
ASA 1000V can be managed by either ASDM or VNMC, and you would need to decide on which management mode you are going to use prior to installation. If you change your mind after the install and would like to switch to the other management mode, you have to reinstall the ASA 1000V.
VNMC provides no monitoring capabilities. ASA 1000V can be monitored via:
- Command Line Interface (CLI): SSH, Telnet or Serial
- ASDM (when ASA 1000V is installed in VNMC mode, ASDM can be cross-launched from VNMC but exclusively for Monitoring only)
I just want to know that i have cisco ASA 5520 and also we have more then 100 vm servers.
Currently we are using cisco asa with IPS module to protect these servers.(All the servers are in DMZ Zone)
So how this New ASA 1000V is good over cisco ASA 5520.
The new ASA 1000V is only supported on Nexus 1000V switch, and can only protects the VM servers on Nexus 1000V. It is by no means a replacement to the existing ASA 5520. ASA 1000V only has 2 data interfaces (inside and outside), inside interface will be the default gateway for the VM servers, and outside would typically be connected towards the internet. It protects traffic from VM servers outbound towards the internet and vice versa.
ASA 5520 is more an edge firewall appliance and supports multiple data interfaces, IPS/CSC/additional interface module, VPN (IPSec and SSL), and many more other features. While the main purpose of ASA 1000V is to protect VM servers, the ASA 5520 can protect your network which may span multiple interfaces (eg: inside, dmz, outside, etc).
The 2 products are used in different use case.
Hope that answers your question.
Please let us know the below facts.
1. How you will diffrenciate VSG and ASA1000v?
2. Does it support all type of VPNs as ASA?
3. Can we do vMotion and vPath for ASA1000v?
4. Layer 7 inspection is possible?
5. Spoofing,Fragments and threat detection features?
6. How about DOS/DDOS attack prevention strategy?
7. What is connection processing rate per second?
8. What is the maximum connection limit for the ASA1000v?
9. Can we configure ASA1000v as Active/Active state?
10. If there is only two interface inside or outside, do we still need security level on the interface.
Kindly provide the valuable links to understand ASA1000v technologies in defence in depth point of view.
1. Here are a few differentiation between VSG and ASA 1000V:
- Layer 2 firewall.
- Handles security between VM-to-VM
- Out-of-band device, meaning only the first packet in flow is redirected to VSG data interface, remaining packets in flow are processed by Nexus 1000V VEM
- Zone Based FW
- Some L7 protocol inspections
- ACLs use 5-tuple and/or VM Attributes
- Supports 3 interfaces, ie: data, management and failover
- Layer 3 Firewall (Routed mode only)
- Handles security from VM to Internet and vice versa
- Inline device (all packets in a flow must traverse the ASA 1000V)
- Acts as default gateway of VM
- IPSec LAN-to-LAN VPN
- L7 Protocol Inspections
- ACLs use 5-tuple for policy enforcement
- Support 4 Interfaces, ie: data (inside and outside), management and failover
Here is the link for the 2 product comparison:
2. ASA 1000V supports only IPSec LAN-to-LAN VPN.
3. Yes, it supports vMotion and vPath:
4. Yes, ASA 1000V supports Layer 7 inspection:
5. Yes, here is the protection tools:
6. Basic DOS prevention:
However, it is not a DDOS prevention device.
7. 10,000 connections per second. Table 4 from the following URL:
8. 200,000 concurrent sessions. Table 4 from the following URL:
9. No, it only supports Active/Standby failover:
10. Yes, security level is still required on the interface:
Hope that answers all your questions.
I'm just running a POC for the ASA1000v for our cloud environmen and I have a few questions
1. Will dynamic routing be supported in future releases
2. Will remote access VPN's be support in future releases.
3. In ASDM mode do you still need to have VNMC ( I would prefer to manage & configure each ASA1000V instance via the ASDM rather than VNMC). It appears that even in ASDM mode i still need to create policies via the VNMC
Can i also ask for clarification on failover discussion above. If i am running a 2 host vmware environment, and my 1st host fails, are you saying that the ASA1000v appliances that were runing on this host will not start up on the 2nd host?