cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ASA Webcast

388
Views
0
Helpful
0
Comments

 

 

Introduction

akbehl.jpg Akhil Behl is a Solutions Architect consultant with Cisco Advanced Services, focusing on Cisco collaboration and security architectures. He leads collaboration and security projects worldwideas well as the Collaborative Professional Services portfolio for the commercial segment. Previously at Cisco, he spent 10 years in various roles at Linksys and the Cisco Technical Assistance Center. He holds CCIE (Voice and Security), PMP, ITIL, VMware VCP, and MCP certifications. He has published several research papers in international journals including IEEE Xplore. He has been a speaker at prominent industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Cisco SecCon, IT Expo, and Cisco Networkers. He is the author of 'Securing Cisco IP Telephony Networks' by Cisco Press.

 

Cisco ASA 5500 and ASA 5500-X Series Next Generation Firewalls for the Internet Edge Data Sheet

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html

 

Cisco ASA 5500 Series Adaptive Security Appliances

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html


 

Q. Can CSM take backup of ASA configuration ?

A:   In CSM if you would like to see the configurations there are two ways to do this.

 

1) From the Device View, right-click on the device and select "Preview Configuration..."

 

2) In the top bar, Go to "Manage > Configuration Archive..." You  can then see a history of previous configurations pushed for each device  managed by CSM


CSM based backups are manual and are not automated.

 

Q. Can we expect remote access vpn support for contexts anytime soon?

A:   As far as I know it's not on the roadmap for next few releases.

 

Q. Why does the management interface not work when working with an active/standby solution ?

A:   You can access the video and regular data sheets for 5585-X series  firewall at http://www.cisco.com/en/US/products/ps11061/index.html

 

Q. Do you have a recommended scenario or plan for ASA deployment in Data Center or VMDC?

A:   Each network and organization has different requirement for services and security. Hence, putting one size fits all is not a possible solution. You can check the Cisco recommended design and configuration guidelines at following URLs

 

ASA DC deployment guide

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Mid_DC_DataCenterDeploymentGuide-February2012.pdf

 

Cisco ASA DC config guide

http://docwiki.cisco.com/wiki/Cisco_ASA_Firewall_Configuration_for_Data_Center


 

Q. Is there road-map to allow VPN functionality with ASA Cluster Deployment?

A:   Site to site VPN is already supported in clustering. Remote access VPN is not supported as of today and is not on roadmap as I know.

 

Q. Does ASA supports statefull sync for SSL or IPSec VPN sessions, means suppose primary fails then SSL or IPSec VPN session need not to re-established connectivity with Secondary?        

A:   Yes, stateful failover is available for IPSec and SSL connections.

 

Q. Can we confgiurion the cisco ASA on distrubuter artechtue?

A:   ASA clustering is distributed architecture for High Availability and is compatible with next gen and current switching infrastructure.

 

 

Q. Does packet tracer supports FWSM ?

A:  FWSM doesn't support packet tracer command.

 

Q. Is there a concept of Inter-Context communication in current ASA? Meaning no need to forward the traffic out of the interface but instead inside ASA and between context. Saves interface and much faster?

A:   As of today, inter context communication has to go out of a physical interface and come in again (same or different interface). Essentially trombone of traffic needs to happen out and in to the firewall.

 

Q. Based on active cluster configuration, if new firewall picks a ipaddress from the pool, alter if the firewall goes down how the session failover will happen, the live session will be dropped or it will failover to other active firewall ?

A:   You can access the video and regular data sheets for 5585-X series  firewall at http://www.cisco.com/en/US/products/ps11061/index.html

 

Q. What about MGCP support?

A:   Cisco ASA Clustering doe snot support any UC protocols including H.323 suite, RTP, RTCP, SIP, SCCP and MGCP

 

Q. Does it option for snap sort for backup purpose so we can restore the all configuration very fast. and how many snapshot it  can store?

A:   If the query is about CSM, and you would like to see the configurations within the CSM interface there are two ways to do this.

 

1) From the Device View, right-click on the device and select "Preview Configuration..."

 

2) In the top bar, Go to "Manage > Configuration Archive..." You can then see a history of previous configurations pushed for each device managed by CSM

 

Q. What is the monitoring solution in cisco where we can see what each user is doing from the cisco trustsec perspective?

 

A:  You can do this from ISE dashboard for monitoring the network. Please see

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1226014 for more details

 

Q. What is the VPN split in IPv4/IPv6 network?  Is there VPN bypass with ASA?

A:   VPN in IPv4 or IPv6 depends on the configuration for the VPN site to site or client (remote access) VPN. ASA can do VPN bypass for IPSec and SSL VPN so the client's / remote site can connect with a headend behind ASA.

 

Q. What is the CX module in ASA- X series?

A:   ASA NGFW Services(formerly ASA CX) re-imagines  the firewall, delivering context-aware security that empowers  enterprises to manage applications, devices and the evolving  global workforce, while ensuring unprecedented visibility and control. Unlike other next-generation firewalls, only ASA NGFW Services  outpaces complexity to address evolving security needs by leveraging  local network intelligence via Cisco AnyConnect and TrustSec, and global  threat information via Cisco’s Security Intelligence Operation.

 

Q.  Can you please share the Packet flow in context mode? and the mode or context is it support multicast or unicast?

A:   Here's a URL which covers packet classification examples and flows in detail

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1134280. Contexts support both unicast and multicast howevr, PIM is only support in single context.

 

Q.  Packet tracer & Traceroute feature is also not available in FWSM?

A:   Packet Tracer feature is not available on FWSM. Traceroute command is supported on FWSM.

 

 

General Questions

Q. Recommended tools for monitoring traffic, security events, syslogs ? Any cisco developed Netflow analyzers ? Is there anything budled with the IOS or is it an additional package ?    

A: You can use Cisco Security Manager for such task. More info available at http://www.cisco.com/en/US/products/ps6498/index.html

Q. Is that only Secure X platform has support for Trust sec?                    

A:  You can have complete detail from http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html.

Q.  Can ISE integrate with AD or do we need a AAA/LDAP                    

A:   Yes, we can integrate ISE directly with AD  

Q.  What is the secure x architecture    

A:  The Cisco SecureX Architecture is a context-aware, network-centric approach to security from cisco.  Secure X architechture detail can be found on

     http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-700240.html#wp9000078

Q. Where can we download the presentation?                

A:   https://supportforums.cisco.com/docs/DOC-35101

 

Q. Does Secure X supports built in IPS and IDS inline ?

A: CX modules for ASA do support inline IPS as they will be on same chassis as the firewall. CX services module doesn't support it as of today, its on roadmap.

 

Q. Which all are Authentication support in trustsec?

A: The following authentication types are support with TrustSec

 

Flexible authentication (FlexAuth) including

- IEEE 802.1X

- Web authentication (WebAuth)

- MAC  authentication bypass (MAB)

- IEEE 802.1X-REV MACsec Key Agreement (MKA)

 

Please see

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/solution_overview_c22-591771.html#wp9000026 for more details

 

 

 

Webcast  related links: