on - edited on by
Kelli Glass
Introduction
Akhil Behl is a Solutions Architect consultant with Cisco Advanced Services, focusing on Cisco collaboration and security architectures. He leads collaboration and security projects worldwideas well as the Collaborative Professional Services portfolio for the commercial segment. Previously at Cisco, he spent 10 years in various roles at Linksys and the Cisco Technical Assistance Center. He holds CCIE (Voice and Security), PMP, ITIL, VMware VCP, and MCP certifications. He has published several research papers in international journals including IEEE Xplore. He has been a speaker at prominent industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Cisco SecCon, IT Expo, and Cisco Networkers. He is the author of 'Securing Cisco IP Telephony Networks' by Cisco Press.
ASA & Firewall Questions
Q. What would be the real-world throughput of ASA 5505 applance?
A. You can find the details on datasheet mentioned below:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
Q. Does Cisco have good feedback regarding 5585x clustering so far? We wanted to implement this earlier this year but got the impression that we were pilot users with this solution due to the questions we got from Cisco's PM team so we abandoned the project?
A: Though you can surely go for the clustering but for detailed analysis with respect to your network, a clarification from PM/SA will be required so as to have a better understanding.
Q. It would be great if I can get a document that shows recommended real-world throughput of each models?
A: As in real it depends on the type of traffic youa re pushing through the firewall. so you can check the multiprotocol field if you are pushing different type of traffic. http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Q. Can we have context configure with cluster?
A: Yes we can have context configure with clustering.
Q. Can you briefly describe how the ASA can link up with an IPS module for next gen intrussion threats?
A: The details available at http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html will help you to know the IPS with ASA.
Q. What is Sub Second failover ?
A: Sub second failover as the failover can happen in under a second. Both the interface and unit polling times can be configured in milliseconds. Be careful setting the failover settings too low though as you may have a quick communnication loss due to congestion.
Q. How can we cap the bandwidth on cisco ASA
A: To check what is the supported thoughput, please refer:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Is there any plans for introducing the clusterin in ASA5500-x for Saleen Series?
A: The complete supported platforms for ASA clustering can be found from:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html.
Q. What applications are supported for "full applications satat sync" does ASA supports SS/IPSec VPN ? Multiprotocol throughput for ASA 5505?
A: Since 5505 is for remote user, you can refer following link for more info on it.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Can you configure site-to-site vpn with asa in multi-context mode?
A: Yes, you can as per shown in:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_site2site.html
Q. Can we have ISP level redundancy or Link Load balancing with CIsco ASA,as I have multiple link to my DC for resundancy?
A: ASA is not designed to do WAN load balancing between ISP links. Though you may refer to a similar setup in lab as shown in
https://supportforums.cisco.com/docs/DOC-15622
Q. Does site-to-site vpn co-exist with remote acces?
A: If using ASA clustering then vpn will not work. If non-cluster environment you can use L2L vpn and can co-exist in standalone version.
Q. You just told about using different Cisco boxes in a multi-tier firewall design.but the good practise is using different vendor firewall in different tier? How would you justify using only cisco firewalls in a multi-tier design?
A: Ease of management with single tool like CSM (Cisco Security Manager), additional security with Trustsec & ISE deployment which integrates seamlessly with Cisco environment.
Q. How should we size the firewall for the data center? Is there any guideline on the sizing?
A: For sizing we need to have the number of connections and type of traffice which we need to push through te firewall, then you can refer the following link for information on which model suits your need. Please refer
http://www.cisco.com/en/US/products/ps99
Q. Can you explain the significance of SGT in the context of ASA?
A: SGT is part of TrustSec.
Q. Can you load balance your outgoing internet connecvitiy with two inter connections hooked to one ASA?
A: Presently it is not possible to load balance traffic between two ISP links on an ASA.
Q. How to ASA 5500-X react on zero day attack?
A: Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available.
Q. Clustering up to 8 firewall would be active/active or active/standby?
A: All 8 Units will be active in a cluster
Q. What is Multi protocol troughput ?
A: When different type of traffic going through the firewall, i.e HTTP, FTP, etc.
Q. Can we block https traffic on firewall
A: When you are saying Block, I assume you are saying traffice going through the firewall, then the answer to that would be Yes.
Q. Can Security Manger be a Syslog server as well?
A: CSM is built to be a single point of management and configuration for ASA and other securiyt products. The function of Syslogging is to be offload to external server.
Q. Does Cisco have a UTM box?
A: Yes, Please refer: http://www.cisco.com/en/US/products/ps9932/prod_models_comparison.html
Q. Cluster of 8 FW is supported on all models of ASA?
A: Complete detail is available at
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html
Q. What are the diff HA modes supported
A: You can refer to Cisco ASA datasheet on Cisco.com
Q. Can we mix different models in clustering i.e. Can 5510 be clustered with 5520?
A: No, we can't mix different asa models. And clustering is only supported with 5580, 5585 or 5585X
Q. When we say ASA virtualization, is that the hardware virtualization, IOS or the configurations ?
A: You can use ASA 1000V for virtualized environment and that's what it means. Again, if term virtual is used, it can be a context as many times these two terms are used inter-changeably.
Q. Is access to the scanSafe database a subscription service?
A: Yes, a scansafe subscription will be required.
Q. Can i have multi-context along with clustering?
A: You won't need a context in cluster mode but you can have multi contexts.
Q. Can we block https traffic on firewall
A: Yes, with ACLs you can block HTTPS traffic going though the firewall
Q. Is Clustering possible across geographies or is there any distance limitation ?
A: This can be done through VPNs (Site to site) but never recommended.Such setup in production environment is not recommended.
Q. Are there only 8 ASA in a cluster possible, and can I mix the models?
A: It has to be same model with same hardware configuration like memory etc.
Q. Can we detect NMAP scans with ASA ??
A: You may refer to http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml for nmap scan as attacker example.
Q. How can i block facebook on firewall
A: You can block using scan safe.
Q. What is the best choice for site-2-site vPN, Firewall ASA or Cisco security router?
A: ASA vpn edition will be the best as it supports lot many more features in security compared to router.
Q. Firewall virtualization supported in ASA?
A: Yes, We call it Context in ASA
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html
list all the features supported by ASA with 9.0
Q. Can I have a HA Design with Two ASA5525X in two separate places in Active/Active Mode?
A: In that case you are expanding your cluster, there is no restriction but I do not see any use case of this
Q. What is one of the ASA goes down, will other 7 modules are still deliver 280 GBPS?
A: Only the throughput will drop on overall basis but no impact on traffic.
Total Throughput = N x Single node throughput x Scaling Factor
Q. Hello do we need to have even number of Firewalls to participate in clustering?
A: No, there's no such mandates.
Q. How to ASA 5500-X react on zero day attack
A: Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available. Help in Day 0 Attack
Q. Please, could you explain more about the 'individual' and 'spanned' mode at the clustering.
A: Refer to http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html for complete details on HA cluster configuration and various interface modes.
Q. ASA5585-SSP-10-2units, ASA ver 8.2(5),Old ASDM ver 6.4(5),Current ASDM ver 7.1(3),anny compatibility issue of Java 1.7 with ASDM?Please suggest any stable java version which works with all ASDM versions.
A: You can get in touch with Cisco TAC support for granular information of ASA & ASDM with java.
Q. What will happen if one node fails in ASA cluster. Traffic which was going through failed node will be dropped or it will be processed by some other node in cluster?
A: Processed by other member in cluster
Q. We have IPS module with our ASA. It cannot detect external scans like NMAP OS finger printing. I opened a TAC case also. They confrm that this not possible with Cisco IPS and it only detect it as a normal traffic. Is that true?
A: Thats an extensive topic and this discussion may help https://supportforums.cisco.com/thread/2152269
Q. Does clustering support IPv6?
A: Yes
Q. So where to point the route from inside equipment, when ASAs are addressed from a dynamic pool? Is there a VIP address?
A: No, each firewall would get an address from the Pool created by master ASA in a cluster
Q. Can we create context in cluster?
A: You can have ASA with multiple context part of cluster, however all the ASA should be in multiple mode inthat cluster
Q. How many context firewall we have configuration on a single ASA
A: Depends on the model, please refer http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Why do I still have to manually copy xml profiles from the active to the standby ?
A: Depends on the version you are using. More detailed info can be obtained from Cisco TAC as its specific to Anyconnect.
Q. Few years ago threat detection, routing protocols, etc. will not be used if you enable multiple context mode on ASA. Was this resolved already in today's software or product line?
A: Virtually not, you can have as many policies but can be brought down if combined with Trustsec. Still same: Multiple context mode does not support the following features:
- RIP
- OSPFv3. (OSPFv2 is supported.)
- Multicast routing
- Threat Detection
- Unified Communications
- QoS
- Remote access VPN. (Site-to-site VPN is supported.)
Q. Based on active cluster configuration, if new firewall picks a ipaddress from the pool, alter if the firewall goes down how the session failover will happen, the live session will be dropped or it will failover to other active firewall ?
A: It will be taken care by the next priority firewall in the cluster.
Q. Is there any policy limitiation of cisco ASA
A: Virtually not, you can have as many policies but can be brought down if combined with Trustsec.
Q. Can you also have visibility of the SGT at the level of the CX module?
A: Complete details are available at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
Q. ASA CLI or ASDM Logging feature does not provide the rule number details (unlike Checkpoint FW), We need to know which rule is blocking or allowing the traffic.That will be easy for troubleshooting any issue.
A: You can use packet tracer under ASDM.
Q. What other features do we have with ADSM 9.0 and also can we config bridge and routed mode same time
A: No, we cannot have different mode in ASA cluster .Please refer the link for new feature in OS 9.0
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp586890
Q. How does the VIP is maintained in the cluster
A: There is no VIP, all firewalls have there own firewall, we need loadbalancing from outside the cluster
Q. We are using 3 differenet Management servers, We are facing this ASDM Loading issue with all of them, How there can be issue with OS Level?
A: Please get in touch with Cisco TAC for in-depth review & troublshooting.
Q. Does the load balancing into the cluster need to be "sticky"? Must traffic for a particular connection always hit the same appliance? Or is connection state replicated between all appliances in the cluster?
A: No, the sessions backup exists on clustering setup. If a asa goes down then the session wont be dropped and the next master will handle it. In short, yes, connections replication happens.
Q. CCL has to be in routed mode or can be made l2.I believe its like VSL in VSS or like stacking ?
A: VSS is supported and refer to http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1559338
Q. Does the ASA supports Server Load Balancing?
A: No ASA doesn't support Server Load Balancing.
Q. Is that also the fact with Site2site VPN when cluster master fails or does it work more like Active/Standby VPN state failover?
A: Clustering is analogous to failover not the same. The VPN sessions will be replicated across the cluster.
Q. Can the IPS in ASA5500-x do heuristic detection?
A: Basic Heruristics are there, 0day attacks are identified (now better by SacanSafe an improvement over local engine)
Q. Will Remote VPN works with Clustering mode ?
A: RA VPN is not available in clustered mode, Full list of centralized and disabled features can be found at:
http://asapedia.cisco.com/index.php/Clustering
Q. Which is the best module which can block the torrent traffic as it is using any dynamic port available ?
A: IPS Module will be the best option as it can look into the payload .
Q. I have about 30+ Cisco ASA Firewalls, all of them running on Cisco ASA 8.2(5) is there a document that i can follow to upgrade them to 9.0 ?
A: Yes, a plan is needed for upgrade. Refer to https://supportforums.cisco.com/thread/2183482 as a similar request and do take the help of TAC for such major upgradation of over 30+ firewalls.
Q. Will Remote VPN works with Clustering mode ?
A: It doesn't work.
Q. Do easy VPN works with Active/standby mode in ASA ?
A: Yes it works with failover ASA
Q. Can we use ASA for web filtering like PROXY?
A: Yes ASA can be used for Web Filtering and it has been possible for many years. Now, you also have ScanSafe
Q. And how do I just point to _one_ ASA IP from core routing equipment, when clustering?
A: Adresses configured in pool is given to firewalls in cluster, you can simply push the traffice any given address assigned to specific firewall in cluster
Q. What will happen if one node fails in ASA cluster. Traffic which was going through failed node will be dropped or it will be processed by some other node in cluster?
A: Yes, ASA clustering always has a backup node (owner) for every flow through the clsuter so, if the node through which traffic is passing is down, the next owner will process the n+1 traffic (if previous node was processing nth packet.
Q. How many "sessions/connection per second" does 5585-X can support? Is there a public document that shows performance matrix for ASA? Something similar with Router & Switch performance matrix, there is one available for Router & Switch product line?
A: You can access the video and regular data sheets for 5585-X series firewall at http://www.cisco.com/en/US/products/ps11061/index.html
Q. Any plan for a refresh of the 5505 ? Right now alot of our customers are looking elsewhere (Checkpoint, Palo Alto) for a layer 4-7 aware firewall.
A: If you're looking for a replacement of 5505 you have multiple options as explained at Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated) such as 5512-X and 5515-X next gen firewalls with better throughput and a host of new features http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
Q. Is Clustering supported across all models or not ?
A: Clustering is only supported with 5580, 5585 and 5585X models
Q. If cisco marketing 5500X products stops, does that means slowly cisco will stop 5500 models?
A: Not sure where this is coming from since, 5500X is the latest in next gen firewalls and Cisco intends to continue with both 5500 and 5500X series
Q. Whats about a blade system on cisco side für ASA ?
A: Cisco FWSM is the current generation and Cisco NGFW services module is the solution for next gen DC which supports many new features
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
Q. Can Cisco Security Manager be a netflow collector for ASA devices?
A: CSM is primarily meant for configuring and managing the firewalls. If you wish to collect netflow data it's better to look at Cisco LMS/Prime solutions.
Q. What is the max throughput at line speed?
A: For information on the throughput and other parameter splease consult the respective data sheets of ASA 5500 and 5500 X series
Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.htmlCisco ASA 5500 and ASA 5500-X Series Next Generation Firewalls for the Internet Edge Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html
Cisco ASA 5500 Series Adaptive Security Appliances
Q. Can CSM take backup of ASA configuration ?
A: In CSM if you would like to see the configurations there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview Configuration..."
2) In the top bar, Go to "Manage > Configuration Archive..." You can then see a history of previous configurations pushed for each device managed by CSM
CSM based backups are manual and are not automated.
Q. Can we expect remote access vpn support for contexts anytime soon?
A: As far as I know it's not on the roadmap for next few releases.
Q. Why does the management interface not work when working with an active/standby solution ?
A: You can access the video and regular data sheets for 5585-X series firewall at http://www.cisco.com/en/US/products/ps11061/index.html
Q. Do you have a recommended scenario or plan for ASA deployment in Data Center or VMDC?
A: Each network and organization has different requirement for services and security. Hence, putting one size fits all is not a possible solution. You can check the Cisco recommended design and configuration guidelines at following URLs
ASA DC deployment guide
Cisco ASA DC config guide
http://docwiki.cisco.com/wiki/Cisco_ASA_Firewall_Configuration_for_Data_Center
Q. Is there road-map to allow VPN functionality with ASA Cluster Deployment?
A: Site to site VPN is already supported in clustering. Remote access VPN is not supported as of today and is not on roadmap as I know.
Q. Does ASA supports statefull sync for SSL or IPSec VPN sessions, means suppose primary fails then SSL or IPSec VPN session need not to re-established connectivity with Secondary?
A: Yes, stateful failover is available for IPSec and SSL connections.
Q. Can we confgiurion the cisco ASA on distrubuter artechtue?
A: ASA clustering is distributed architecture for High Availability and is compatible with next gen and current switching infrastructure.
Q. Does packet tracer supports FWSM ?
A: FWSM doesn't support packet tracer command.
Q. Is there a concept of Inter-Context communication in current ASA? Meaning no need to forward the traffic out of the interface but instead inside ASA and between context. Saves interface and much faster?
A: As of today, inter context communication has to go out of a physical interface and come in again (same or different interface). Essentially trombone of traffic needs to happen out and in to the firewall.
Q. Based on active cluster configuration, if new firewall picks a ipaddress from the pool, alter if the firewall goes down how the session failover will happen, the live session will be dropped or it will failover to other active firewall ?
A: You can access the video and regular data sheets for 5585-X series firewall at http://www.cisco.com/en/US/products/ps11061/index.html
Q. What about MGCP support?
A: Cisco ASA Clustering doe snot support any UC protocols including H.323 suite, RTP, RTCP, SIP, SCCP and MGCP
Q. Does it option for snap sort for backup purpose so we can restore the all configuration very fast. and how many snapshot it can store?
A: If the query is about CSM, and you would like to see the configurations within the CSM interface there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview Configuration..."
2) In the top bar, Go to "Manage > Configuration Archive..." You can then see a history of previous configurations pushed for each device managed by CSM
Q. What is the monitoring solution in cisco where we can see what each user is doing from the cisco trustsec perspective?
A: You can do this from ISE dashboard for monitoring the network. Please see
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1226014 for more details
Q. What is the VPN split in IPv4/IPv6 network? Is there VPN bypass with ASA?
A: VPN in IPv4 or IPv6 depends on the configuration for the VPN site to site or client (remote access) VPN. ASA can do VPN bypass for IPSec and SSL VPN so the client's / remote site can connect with a headend behind ASA.
Q. What is the CX module in ASA- X series?
A: ASA NGFW Services(formerly ASA CX) re-imagines the firewall, delivering context-aware security that empowers enterprises to manage applications, devices and the evolving global workforce, while ensuring unprecedented visibility and control. Unlike other next-generation firewalls, only ASA NGFW Services outpaces complexity to address evolving security needs by leveraging local network intelligence via Cisco AnyConnect and TrustSec, and global threat information via Cisco’s Security Intelligence Operation.
Q. Can you please share the Packet flow in context mode? and the mode or context is it support multicast or unicast?
A: Here's a URL which covers packet classification examples and flows in detail
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1134280. Contexts support both unicast and multicast howevr, PIM is only support in single context.
Q. Packet tracer & Traceroute feature is also not available in FWSM?
A: Packet Tracer feature is not available on FWSM. Traceroute command is supported on FWSM.
General Questions
Q. Recommended tools for monitoring traffic, security events, syslogs ? Any cisco developed Netflow analyzers ? Is there anything budled with the IOS or is it an additional package ?
A: You can use Cisco Security Manager for such task. More info available at http://www.cisco.com/en/US/products/ps6498/index.html
Q. Can ISE integrate with AD or do we need a AAA/LDAP
A: Yes, we can integrate ISE directly with AD
Q. Where can we download the presentation?
A: https://supportforums.cisco.com/docs/DOC-35101
Q. Which all are Authentication support in trustsec?
A: The following authentication types are support with TrustSec
Flexible authentication (FlexAuth) including
- IEEE 802.1X
- Web authentication (WebAuth)
- MAC authentication bypass (MAB)
- IEEE 802.1X-REV MACsec Key Agreement (MKA)
Please see
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/solution_overview_c22-591771.html#wp9000026 for more details
Webcast related links: