Want to upgrade existing ASA to NGFW ASA, want IPS and load balancing

Gordon Fecyk
Level 1

I'm researching the new ASA firewalls to replace an existing one. I'm using the installed ASA primarily as a basic firewall and NAT router, but it has more than one internet connection and the device has previously been used as a VPN server.

I'm phasing out the VPN functionality in favour of DirectAccess so I won't need so much support there anymore, but I really like the idea of load balancing between the two internet connections as opposed to just using one connection as a failover for the other.

The existing ASA also has an IPS module that has never really been used, and I want to properly use this on the new devices.

So just some high-level questions: What ASA functionality would I need to take advantage of two internet connections? I know I can do failover with just one device, but I'd like to do load balancing, outbound at least. Is one device capable of that, or would I need two working together? Inbound, I'd love to do load balancing or at least have redundancy available for things like SMTP and maybe HTTPS.

Then what do I need to properly enable intrusion prevention on the new ASAs? Is there a license, or a separate module, to purchase?

We do have some edge services, but I'd only need redundancy for SMTP and HTTPS. I already do a DMZ for my edge servers using virtual machine routers.

--

Accepted Solution

Collin Clark
VIP Alumni

What ASA functionality would I need to take advantage of two internet connections? The zone feature (9.3) will allow for Equal Cost Multi Path load balancing.

I know I can do failover with just one device, but I'd like to do load balancing, outbound at least. Yep, no problem, see above answer.

Is one device capable of that, or would I need two working together? You can do it with just one device.

Inbound, I'd love to do load balancing or at least have redundancy available for things like SMTP and maybe HTTPS. You won't be able to load balance, but you could split your services between the two connections. You could also use round-robin DNS, but if you have an outage you need to remove one of the records. For SMTP, just create two MX records and weight them.

Then what do I need to properly enable intrusion prevention on the new ASAs? Firepower has replaced the IPS module.

Is there a license, or a separate module, to purchase? There is a bundle you can purchase that has the ASA and firepower. Your VAR or local Cisco team can help with the bill of materials.

HTH
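The outbound setup Collin describes, shown as an added illustration that is not part of the original thread: two ISP-facing interfaces placed in one traffic zone (ASA 9.3 or later), each with an equal-cost default route. Interface names, addresses and the inside subnet are constructed; the per-interface PAT lines assume the manual NAT form and should be checked against the zone documentation for the release in use.

```text
! Added example (not from the thread): ASA 9.3+ traffic zone for outbound ECMP
! Addresses are RFC 5737 documentation ranges, constructed for illustration.
zone isp-zone
!
interface GigabitEthernet0/0
 nameif isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 zone-member isp-zone
!
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 ip address 198.51.100.2 255.255.255.0
 zone-member isp-zone
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Two default routes with the same metric: because both egress interfaces are
! members of the same zone, the ASA load-shares flows across them and accepts
! return traffic arriving on either member interface.
route isp1 0.0.0.0 0.0.0.0 203.0.113.1 1
route isp2 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Per-egress PAT (assumption: manual NAT syntax) so each flow is translated to
! the address of the ISP interface it actually leaves on.
object network inside-net
 subnet 192.168.10.0 255.255.255.0
nat (inside,isp1) source dynamic inside-net interface
nat (inside,isp2) source dynamic inside-net interface
```

Verify the result with the show commands for the routing table and connections after a few outbound sessions: flows should appear translated to both ISP interface addresses, not only the first route.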


3 Replies

shivdube
Level 1

Hi,

Here are the suggestions I would like to provide.

If you are looking for a new ASA firewall, go for the new X series firewalls such as the 5515, 5525, 5555 or the high-end 5585, and go for "sourcefire (sfr)", which is a next-gen IPS with a high amount of functionality compared to the IPS.

Except for the 5585, which has a separate dedicated h/w module for "sfr", all of them have a s/w module for sfr.

Now which ASA you have to select depends upon your traffic requirements.

Now coming to the part of Load balancing with dual ISP connection.

Please elaborate on what exactly you want to achieve: do you want to make use of two ISP connections for outbound traffic?

If yes, we can achieve this by policy based routing on the ASA; however, the ASA must be running a minimum of 9.4.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/ge...

Dubey,Shivam

Please elaborate on what exactly you want to achieve: do you want to make use of two ISP connections for outbound traffic?

I'd like to split the outbound traffic to take advantage of the additional bandwidth. I'd also like to have redundant connections inbound for SMTP and HTTPS.

I have SMTP services here. Normally I'd have two MX resource records in DNS for this, though I'm subscribed to a cloud-based filtering solution for that and they do support more than one receiving server IPv4 address. So as long as both connections would accept and forward TCP port 25 this would work.

As for HTTPS, I have a Forefront TMG server that I'll replace with a Web Application Proxy server. Both would do the same thing: proxy inbound traffic to the correct internal server based on the external host name requested. I'd do something similar to that with SMTP, in that I'd have two A resource records for 'webgate.example.com', for instance, and it would be up to the client application to choose one of them, or I'd enable round-robin in DNS. So, like SMTP, it would be great if both inbound connections accepted and forwarded TCP 443 for this.

So I can deal with having inbound clients choose one connection or the other; I'd just have to make sure both connections worked.

From Collin's answer, I'd enable the zone feature to do outbound load balancing, and I'd take care of MX weighting for SMTP. As for HTTPS, I'd have to hope client applications would be smart enough to try the second address if the first didn't respond.

Thanks for the responses. Am I allowed to select more than one correct answer in a post?

--
