Need help - Cisco ASA with FirePOWER

Hi,

Currently we are using an ASA 5510 without the FirePOWER feature. Our aim is to publish web servers and Microsoft Lync with the reverse proxy method, control internet traffic, block particular file extensions from being downloaded, do bandwidth management, etc.

Is this possible when we add FirePOWER on the ASA 5510? Please guide me. Thanks.


3 Replies

bturner
Level 1

Firepower has to be installed on the new ASA X series: 5512x, 5515x, 5525x, etc.

If you have a 5510, then you would probably want a 5512x with an SSD drive. Cisco has Firepower bundles which include the ASA-X with SSD and the Firepower license.

Add to that, you also need the FireSIGHT Management software, and there is a 2-device bundle license for under $500 that you can install on VMware.

Firepower doesn't do reverse proxy; it does transparent in-line packet inspection, analysis, and filtering by URL/application, and threat mitigation.

If you want a reverse proxy, you should look into Microsoft ISA Server or a dedicated web reverse proxy server. Cisco discontinued their Web Director product, which did this function.

You can host websites behind the ASA firewall without a reverse proxy. And the ASA does have an application inspection for HTTP traffic, which will monitor the HTTP requests. The Firepower system in the ASA also has specific signatures that monitor traffic to web servers and prevent specific vulnerabilities that are known on those servers, so if that is what you want the reverse proxy for, then the Firepower module would likely cover your needs.

Keep in mind that until next quarter the Firepower system does not have on-box decryption, and you may want to wait until that feature is released and established, so you know what size firewall you need to protect your network with the SSL decryption. I believe the ASA5512x is currently testing at 75 Mbps of decrypted flows through the Firepower module, which is about half of what the CX was doing before, so you could use the CX sizing numbers and extrapolate until Cisco releases official decryption numbers.

Brian S. Turner
CCIE 6145
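The reply above mentions that the ASA itself (without the Firepower module) has HTTP application inspection, and the original question asked about stopping downloads of particular file extensions. The configuration below is an added example of that ASA HTTP inspection policy, written for this thread and not taken from the post or from Cisco documentation; the names (BLOCKED_EXT_RE, BLOCKED_EXT, HTTP_BLOCK_DOWNLOADS, HTTP_INSPECT_POLICY) and the list of extensions are assumptions chosen for illustration.

```cisco
! Added example (not from the post): ASA HTTP inspection that drops
! and logs plain-HTTP requests whose URI ends in a blocked extension.
! All object names below are hypothetical.

! Regexes on the request URI. ASA regexes are case-sensitive, so the
! character classes cover upper/lower-case spellings.
regex BLOCKED_EXT_RE "\.([Ee][Xx][Ee]|[Mm][Ss][Ii]|[Ss][Cc][Rr]|[Bb][Aa][Tt])$"

! Group the regexes so more can be added without touching the policy.
class-map type regex match-any BLOCKED_EXT
 match regex BLOCKED_EXT_RE

! Match HTTP requests whose URI hits one of the blocked extensions.
class-map type inspect http match-all HTTP_BLOCK_DOWNLOADS
 match request uri regex class BLOCKED_EXT

! HTTP inspection policy: drop protocol violations, and drop + log
! any request for a blocked extension.
policy-map type inspect http HTTP_INSPECT_POLICY
 parameters
  protocol-violation action drop-connection log
 class HTTP_BLOCK_DOWNLOADS
  drop-connection log

! Attach the HTTP inspection to the default global service policy.
policy-map global_policy
 class inspection_default
  inspect http HTTP_INSPECT_POLICY
```

Two caveats worth keeping in mind when reading this against the thread: the inspection only sees cleartext HTTP on the ports that the inspection_default class matches (port 80 by default), so an HTTPS download is invisible to it, which is exactly the on-box decryption gap the reply describes; and matching on the URI suffix only catches downloads whose URL names the file, not a download served from a path without an extension. The log action on the drop lets you confirm in syslog that the policy is matching what you expect before you rely on it.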

Thanks for your detailed reply, brother. Actually we have deployed Lync Server 2013 with reverse proxy, so it is a must. See the comparison. Should I go with the Sophos UTM firewall? What do you advise me?

 

Comparison table (columns: Feature, Cisco Firepower, Fortinet, Sophos UTM). The per-product checkmark cells were images and did not survive; only the text cells are listed after each feature.

Firewall
IPS
Antivirus Gateway
AntiMalware* (*)
Antispam
HTTP Proxy
Reverse Proxy: Partially
Web Filtering
Email Protection
Wireless Controller
Bandwidth Control: Expected in Next Year; Limited
Application Visibility and Control
Data Loss Prevention
Advanced Threat Prevention
On-box Reporting: Limited
External Reporting
Web Reputation Defence
Failover

 

Okay, let me clarify.

If this is for internal users, you have two options on the ASA:

Option 1: AnyConnect VPN, which would be a VPN client that installs itself on their system and provides access to whatever internal server you want to give them access to.

Option 2: Clientless VPN. You can create a portal page, add bookmarks to internal servers, and even pass through authentication from an SSO server to a back-end system. Or, if they are internal, you can just use LDAP to authenticate them.

If these users of the web server are external to your company and you are trying to protect the server from non-authenticated users, or from web server vulnerabilities from botnet scanning engines and outside hackers, then you should go with something other than the ASA.

I would suggest you could put the Sophos UTM in the ASA's DMZ and reverse proxy the websites there. You don't want to get rid of the ASA or remove it from the picture, as it is very good at VPN and complex networking, on which I'm sure the Sophos device will fall short. However, it is not as good at providing a reverse proxy function for unauthenticated users.

Brian S. Turner
CCIE 6145