on 08-08-2013 01:33 AM - edited on 02-13-2020 12:37 PM by Kelli Glass
Akhil Behl is a Solutions Architect consultant with Cisco Advanced Services, focusing on Cisco collaboration and security architectures. He leads collaboration and security projects worldwide as well as the Collaborative Professional Services portfolio for the commercial segment. Previously at Cisco, he spent 10 years in various roles at Linksys and the Cisco Technical Assistance Center. He holds CCIE (Voice and Security), PMP, ITIL, VMware VCP, and MCP certifications. He has published several research papers in international journals including IEEE Xplore. He has been a speaker at prominent industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Cisco SecCon, IT Expo, and Cisco Networkers. He is the author of 'Securing Cisco IP Telephony Networks' by Cisco Press.
A: You can find the details on the datasheet mentioned below:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
A: Though you can surely go for clustering, for a detailed analysis with respect to your network a clarification from PM/SA will be required so as to have a better understanding.
A: In reality it depends on the type of traffic you are pushing through the firewall, so you can check the multiprotocol field if you are pushing different types of traffic. http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
A: Yes, we can have contexts configured with clustering.
A: The details available at http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html will help you understand IPS with ASA.
A: Sub-second failover, as the failover can happen in under a second. Both the interface and unit polling times can be configured in milliseconds. Be careful about setting the failover timers too low, though, as you may get a quick communication loss due to congestion.
A: To check the supported throughput, please refer to:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
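The sub-second failover answer above mentions millisecond polling for both the unit and the interfaces. The following is an added configuration example, not part of the expert's answer, showing what those timers look like on an ASA active/standby pair. It assumes failover is already configured on the pair and that "outside" and "inside" are the interface names; the timer values are illustrative only and should be tuned for the specific links, per the congestion caveat in the answer.

```cisco
! Added example, not from the original answer. Assumes an active/standby
! failover pair that is already configured; interface names and timer
! values are assumptions.
!
! Unit (hello) polling: send a hello to the peer every 200 ms and declare
! the peer failed after 800 ms without a hello. The hold time must be at
! least three times the poll time, and 800 ms is the minimum hold time.
failover polltime unit msec 200 holdtime msec 800
!
! Interface polling: test monitored interfaces every 500 ms (500-999 ms
! is the allowed sub-second range) and hold for 5 s before declaring the
! interface failed. Lower values make a congested link look "down".
failover polltime interface msec 500 holdtime 5
!
! Only monitor the interfaces whose loss should trigger a failover; an
! interface that is not monitored never causes a switchover.
monitor-interface outside
monitor-interface inside
!
! Confirm the timers that are actually in effect before relying on them.
show failover
```

The unit timers decide how fast the standby takes over when the active unit dies; the interface timers decide how fast a link failure on the active unit triggers a switchover. If either hold time is set so low that a short burst of congestion drops the hellos, the pair can flap, which is the "quick communication loss" the answer warns about.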
A: The complete supported platforms for ASA clustering can be found from:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html.
A: Since the 5505 is for remote users, you can refer to the following link for more info on it.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
A: Yes, you can, as shown in:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_site2site.html
A: ASA is not designed to do WAN load balancing between ISP links. Though you may refer to a similar lab setup as shown in
https://supportforums.cisco.com/docs/DOC-15622
A: If using ASA clustering then VPN will not work. In a non-cluster environment you can use L2L VPN and it can co-exist in the standalone version.
A: Ease of management with a single tool like CSM (Cisco Security Manager), and additional security with a TrustSec & ISE deployment, which integrates seamlessly with a Cisco environment.
A: For sizing we need to have the number of connections and the type of traffic which we need to push through the firewall; then you can refer to the following link for information on which model suits your needs. Please refer to
http://www.cisco.com/en/US/products/ps99
A: SGT is part of TrustSec.
A: Presently it is not possible to load balance traffic between two ISP links on an ASA.
A: Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available.
A: All 8 Units will be active in a cluster
A: When different types of traffic are going through the firewall, i.e. HTTP, FTP, etc.
A: When you say Block, I assume you mean traffic going through the firewall; then the answer to that would be Yes.
A: CSM is built to be a single point of management and configuration for ASA and other security products. The function of syslogging is to be offloaded to an external server.
A: Yes, Please refer: http://www.cisco.com/en/US/products/ps9932/prod_models_comparison.html
A: Complete detail is available at
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html
A: You can refer to Cisco ASA datasheet on Cisco.com
A: No, we can't mix different ASA models. And clustering is only supported with the 5580, 5585 or 5585-X.
A: You can use the ASA 1000V for a virtualized environment and that's what it means. Again, if the term virtual is used, it can be a context, as many times these two terms are used interchangeably.
A: Yes, a ScanSafe subscription will be required.
A: You won't need a context in cluster mode but you can have multiple contexts.
A: Yes, with ACLs you can block HTTPS traffic going through the firewall.
A: This can be done through VPNs (site to site) but it is never recommended. Such a setup in a production environment is not recommended.
A: It has to be the same model with the same hardware configuration, like memory, etc.
A: You may refer to http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml for an nmap scan as an attacker example.
A: You can block it using ScanSafe.
A: The ASA VPN edition will be the best as it supports many more security features compared to a router.
A: Yes, we call it a Context in ASA.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html lists all the features supported by ASA with 9.0.
A: In that case you are expanding your cluster; there is no restriction, but I do not see any use case for this.
A: Only the throughput will drop on overall basis but no impact on traffic.
Total Throughput = N x Single node throughput x Scaling Factor
A: No, there are no such mandates.
A: Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available. It helps with Day 0 attacks.
A: Refer to http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html for complete details on HA cluster configuration and various interface modes.
A: You can get in touch with Cisco TAC support for granular information on ASA & ASDM with Java.
A: Processed by another member in the cluster.
A: That's an extensive topic and this discussion may help: https://supportforums.cisco.com/thread/2152269
A: Yes
A: No, each firewall would get an address from the pool created by the master ASA in a cluster.
A: You can have an ASA with multiple contexts as part of a cluster; however, all the ASAs should be in multiple mode in that cluster.
A: Depends on the model, please refer http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
A: Depends on the version you are using. More detailed info can be obtained from Cisco TAC as it's specific to AnyConnect.
A: Virtually not; you can have as many policies, but they can be brought down if combined with TrustSec. Still the same: Multiple context mode does not support the following features:
A: It will be taken care of by the next-priority firewall in the cluster.
A: Virtually not; you can have as many policies, but they can be brought down if combined with TrustSec.
A: Complete details are available at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
A: You can use Packet Tracer under ASDM.
A: No, we cannot have different modes in an ASA cluster. Please refer to the link for the new features in OS 9.0:
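Two answers above, the one on blocking HTTPS with ACLs and this one on Packet Tracer, fit together in practice: you apply the ACL and then use Packet Tracer to confirm the firewall actually drops the flow before anyone relies on it. The following is an added example, not part of the expert's answers, in ASA CLI form (the same tool is available in ASDM under Tools > Packet Tracer). The interface names, ACL name, inside network 10.1.1.0/24 and the outside server 203.0.113.50 are assumptions.

```cisco
! Added example, not from the original answers. Interface names, ACL name
! and addresses are assumptions; 203.0.113.0/24 is documentation space.
!
! 1. Block HTTPS (TCP/443) from the inside network and allow everything
!    else. Order matters: the ASA stops at the first matching entry, so
!    the deny must come before the broad permit.
access-list INSIDE_IN extended deny tcp 10.1.1.0 255.255.255.0 any eq https
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! 2. Verify with packet-tracer: simulate a TCP SYN from an inside host
!    (ephemeral source port) to port 443 on an outside server.
packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.50 443 detailed
!    Expected: the ACCESS-LIST phase reports DROP against the deny entry
!    above, ending in "Action: drop" with
!    "Drop-reason: (acl-drop) Flow is denied by configured rule".
!
! 3. Confirm the permit still works for a port-80 flow from the same host.
packet-tracer input inside tcp 10.1.1.10 40001 203.0.113.50 80
!    Expected: "Action: allow".
```

Two caveats a practitioner should keep in mind: this ACL only governs traffic passing through the firewall (the distinction made in the earlier "Block" answer), not connections to the ASA itself, and it matches on port 443 only, so TLS on a non-standard port is not caught by this rule.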
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp586890
A: There is no VIP; all firewalls have their own firewall, and we need load balancing from outside the cluster.
A: Please get in touch with Cisco TAC for an in-depth review & troubleshooting.
A: No, the session backup exists in a clustering setup. If an ASA goes down then the session won't be dropped and the next master will handle it. In short, yes, connection replication happens.
A: VSS is supported; refer to http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1559338
A: No, ASA doesn't support Server Load Balancing.
A: Clustering is analogous to failover, not the same. The VPN sessions will be replicated across the cluster.
A: Basic heuristics are there; 0-day attacks are identified (now better by ScanSafe, an improvement over the local engine).
A: RA VPN is not available in clustered mode. The full list of centralized and disabled features can be found at:
http://asapedia.cisco.com/index.php/Clustering
A: The IPS module will be the best option as it can look into the payload.
A: Yes, a plan is needed for the upgrade. Refer to https://supportforums.cisco.com/thread/2183482 as a similar request, and do take the help of TAC for such a major upgrade of 30+ firewalls.
A: It doesn't work.
A: Yes, it works with failover ASA.
A: Yes, ASA can be used for web filtering and it has been possible for many years. Now you also have ScanSafe.
A: Addresses configured in the pool are given to the firewalls in the cluster; you can simply push the traffic to any given address assigned to a specific firewall in the cluster.
A: Yes, ASA clustering always has a backup node (owner) for every flow through the cluster, so if the node through which traffic is passing goes down, the next owner will process the n+1 traffic (if the previous node was processing the nth packet).
A: You can access the video and regular data sheets for 5585-X series firewall at http://www.cisco.com/en/US/products/ps11061/index.html
A: If you're looking for a replacement for the 5505 you have multiple options, as explained in the Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated), such as the 5512-X and 5515-X next-gen firewalls with better throughput and a host of new features: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
A: Clustering is only supported with the 5580, 5585 and 5585-X models.
A: Not sure where this is coming from, since 5500-X is the latest in next-gen firewalls and Cisco intends to continue with both the 5500 and 5500-X series.
A: Cisco FWSM is the current generation and the Cisco NGFW services module is the solution for the next-gen DC, which supports many new features.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
A: CSM is primarily meant for configuring and managing the firewalls. If you wish to collect NetFlow data it's better to look at the Cisco LMS/Prime solutions.
A: For information on the throughput and other parameters please consult the respective data sheets of the ASA 5500 and 5500-X series:
Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet Edge Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html
Cisco ASA 5500 Series Adaptive Security Appliances
A: In CSM if you would like to see the configurations there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview Configuration..."
2) In the top bar, Go to "Manage > Configuration Archive..." You can then see a history of previous configurations pushed for each device managed by CSM
CSM based backups are manual and are not automated.
A: As far as I know it's not on the roadmap for next few releases.
A: You can access the video and regular data sheets for 5585-X series firewall at http://www.cisco.com/en/US/products/ps11061/index.html
A: Each network and organization has different requirements for services and security. Hence, one size fits all is not a possible solution. You can check the Cisco recommended design and configuration guidelines at the following URLs:
ASA DC deployment guide
Cisco ASA DC config guide
http://docwiki.cisco.com/wiki/Cisco_ASA_Firewall_Configuration_for_Data_Center
A: Site to site VPN is already supported in clustering. Remote access VPN is not supported as of today and is not on roadmap as I know.
A: Yes, stateful failover is available for IPSec and SSL connections.
A: ASA clustering is a distributed architecture for High Availability and is compatible with next-gen and current switching infrastructure.
A: FWSM doesn't support the packet-tracer command.
A: As of today, inter-context communication has to go out of a physical interface and come in again (same or different interface). Essentially, a trombone of traffic needs to happen out of and back into the firewall.
A: You can access the video and regular data sheets for 5585-X series firewall at http://www.cisco.com/en/US/products/ps11061/index.html
A: Cisco ASA Clustering does not support any UC protocols, including the H.323 suite, RTP, RTCP, SIP, SCCP and MGCP.
A: If the query is about CSM, and you would like to see the configurations within the CSM interface there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview Configuration..."
2) In the top bar, Go to "Manage > Configuration Archive..." You can then see a history of previous configurations pushed for each device managed by CSM
A: You can do this from ISE dashboard for monitoring the network. Please see
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1226014 for more details
A: VPN in IPv4 or IPv6 depends on the configuration for the site-to-site or client (remote access) VPN. ASA can do VPN bypass for IPsec and SSL VPN so the clients / remote sites can connect with a headend behind the ASA.
A: ASA NGFW Services(formerly ASA CX) re-imagines the firewall, delivering context-aware security that empowers enterprises to manage applications, devices and the evolving global workforce, while ensuring unprecedented visibility and control. Unlike other next-generation firewalls, only ASA NGFW Services outpaces complexity to address evolving security needs by leveraging local network intelligence via Cisco AnyConnect and TrustSec, and global threat information via Cisco’s Security Intelligence Operation.
A: Here's a URL which covers packet classification examples and flows in detail:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1134280. Contexts support both unicast and multicast; however, PIM is only supported in single context mode.
A: The Packet Tracer feature is not available on FWSM. The traceroute command is supported on FWSM.
A: You can use Cisco Security Manager for such task. More info available at http://www.cisco.com/en/US/products/ps6498/index.html
A: Yes, we can integrate ISE directly with AD
A: https://supportforums.cisco.com/docs/DOC-35101
A: The following authentication types are supported with TrustSec:
Flexible authentication (FlexAuth), including
- IEEE 802.1X
- Web authentication (WebAuth)
- MAC authentication bypass (MAB)
- IEEE 802.1X-REV MACsec Key Agreement (MKA)
Please see
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/solution_overview_c22-591771.html#wp9000026 for more details