Facebook Forum - Firewall Security and Troubleshooting VPN for Adaptive Security Appliance(ASA)

ciscomoderator
Community Manager

Live chat with Cisco Expert Bhavik Joshi

January 29, 2013


Learn and ask questions regarding Firewall Security and Troubleshooting VPN for Adaptive Security Appliance (ASA). This event will be a continuation of the live Facebook Forum.

Bhavik Joshi is a Network Consulting Engineer with the Service Provider Delivery team in Bangalore and has more than 3 years of experience working with security solutions implementation and troubleshooting network issues.

He has been actively working on multi-vendor security devices and on the migration of multi-vendor security devices to Cisco security solutions. He also holds CCIE Security certification #26263.

Where:

Please go to Cisco Support Facebook Page on the event day: http://www.facebook.com/CiscoSupportCommunity

When:

8:00 AM PST (San Francisco; UTC -7 hrs)

This corresponds to:

5:00 PM CET(Paris; UTC +1 hr)

9:00 PM PKT (Pakistan, UTC +5 hrs)

9:30 PM IST (India; UTC +5:30 hrs)

11:00 PM (Indonesia; UTC +7 hrs)

What is a Facebook Forum?

Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. They give you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.

How do I participate?

On the day of the event, go to our Facebook page http://www.facebook.com/CiscoSupportCommunity.



ciscomoderator
Community Manager

Here's a condensed summary of this forum in a Q&A format.

ASA for VPN traffic: what is the significance of "no sysopt connection permit-vpn"?

"No sysopt connection permit-vpn" tells the ASA to deny the VPN traffic regardless of access-lists.

In ASA can we run BGP? In most of the scenarios in my case it is used as a VPN and security box only, but BGP is not there. Any specific reason for this?

No, BGP cannot be configured up to IOS version 8.2/3.

What is the implication of applying an ACL on the global interface rather than applying it on every interface?

There is no global interface in ASA; rather, "global" is a service policy used with MPF to do deep-level inspection.

In ASA, how do I find out whether a specific IP belongs to a specific object group? I mean, if a large number of object groups have been created, how can I know which IP belongs to which object group in CLI mode?

To find an IP in an object group you have to give "sh run | beg IP address", and to verify the same, "sh run object-group id".

Do you mean that we cannot run BGP in ASA? Or other routing protocols also? I didn't understand.

No, BGP cannot be configured up to IOS version 8.2/3.

I mean to say the global service policy in MPF/modular policy framework?

There is no global interface in ASA; rather, "global" is a service policy used with MPF to do deep-level inspection.

Do captures in ASA stress the CPU? Any limitations of this?

Captures are CPU-intensive, but can be applied using an ACL and a circular buffer to save CPU utilization.

Here is some bonus information prepared by our expert on this topic in a Q&A format.

Can a Security Appliance with a failover license be part of an active-active failover?

Security Appliance failover units can be used in an active/active failover pair once they have a new failover active/active license upgrade installed (active/active requires one UR model and one "FO active/active" model). Refer to Feature Licenses and Specifications for more information on licensing.

Can I use ASA 5510 as an Easy VPN Client?

No. Easy VPN client configuration is only supported on ASA 5505.

Does ASA support asymmetric routing?

ASA supports Asymmetric routing in version 8.2(1) and later. It is not supported in ASA versions before 8.2(1).

Does the PIX support WebVPN/SSL VPN?

No, but it is supported in the Cisco 5500 Series Adaptive Security Appliance (ASA).

Does ASA support ISP load balancing?

No. Load balancing must be handled by a router that passes traffic to the security appliance.

To visit the actual forum that took place on Facebook, go here:

https://www.facebook.com/events/540778652614087/permalink/543528695672416/

To see the archive on Facebook, visit:

https://www.facebook.com/notes/cisco-online-support-community-netpro/facebook-forum-summary-firewall-security-troubleshooting-vpn-for-adaptive-securi/517066601665281

Yo, can I try to answer some of the same questions?

*long and affirmative silence*

Thanks a lot!

Here I go.

In ASA can we run BGP? In most of the scenarios in my case it is used as a VPN and security box only, but BGP is not there. Any specific reason for this?

Do you mean that we cannot run BGP in ASA? Or other routing protocols also? I didn't understand.

No, it only supports RIP, EIGRP & OSPF.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_overview.html#wp1091638

What is the implication of applying acl on global interface rather than applying on every interface?

There is no global interface on the ASA, but on versions after 8.3 you can configure access-lists globally on the ASA.

[I assume this is what you are talking about.]

The idea is the same: you can apply access-lists globally [to save time and config] and on an interface.

Interface Access-lists take precedence over globally applied rules.

In ASA, how do I find out whether a specific IP belongs to a specific object group? I mean, if a large number of object groups have been created, how can I know which IP belongs to which object group in CLI mode?

This is how I would do it.

I would run a "show access-list | i " (note the lack of the "run" keyword).

In the output we are going to obtain the line number.

i.e.

access-list EXAMPLE line 10 extended permit ip....

Then run a "show run access-list EXAMPLE" and try to locate that line by its number. It isn't a perfect solution, but it will save you time and work.

Does ASA support asymmetric routing?

No, but it can handle it. It has some side-effects though.

Asymmetric routing is not a good thing to have in a network, so, no device should support something like this.
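A scripted version of the object-group lookup discussed in both replies above, added here as an example and not part of the forum thread: it parses "show run object-group" output and reports which network object-groups contain a given IP, including subnet membership and group-object nesting, which a plain text search for the address (the "sh run | beg" approach) cannot find. The sample configuration and group names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of "show run object-group" output (not from the forum).
SAMPLE_CONFIG = """\
object-group network DMZ_SERVERS
 network-object host 10.1.1.10
 network-object 10.1.2.0 255.255.255.0
object-group network BRANCH_OFFICES
 network-object 192.168.10.0 255.255.255.0
object-group network ALL_INTERNAL
 network-object host 10.9.9.9
 group-object DMZ_SERVERS
 group-object BRANCH_OFFICES
object-group service WEB_PORTS tcp
"""

def parse_object_groups(config):
    """Map each network object-group name to ([networks], [nested group names])."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = ([], [])
        elif not line.startswith(" "):
            current = None          # a service/protocol group or other section: skip
        elif current is not None:
            parts = line.split()
            if parts[0] == "network-object" and parts[1] == "host":
                groups[current][0].append(ipaddress.ip_network(parts[2]))
            elif parts[0] == "network-object" and parts[1] != "object":
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
                groups[current][0].append(net)
            elif parts[0] == "group-object":
                groups[current][1].append(parts[1])
    return groups

def groups_containing(ip, groups):
    """Names of groups holding ip directly (host or subnet) or via group-object nesting."""
    addr = ipaddress.ip_address(ip)
    found = {name for name, (nets, _) in groups.items() if any(addr in n for n in nets)}
    changed = True
    while changed:                  # add parents of matched groups until stable
        changed = False
        for name, (_, nested) in groups.items():
            if name not in found and found.intersection(nested):
                found.add(name)
                changed = True
    return sorted(found)
```

Feed it the real output of "show run object-group" instead of SAMPLE_CONFIG; groups_containing("10.1.2.77", parse_object_groups(SAMPLE_CONFIG)) returns the subnet match and its parent group.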
