Introduction
Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.
RahulGovindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
This document contains the answers provided for the questions asked during the live "Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)" Webcast
You can download the slides of the presentation in PDF format here. The related Ask The Expert sessions is available here. The Complete Recording of this live Webcast can be accessed here.
Q: Is this type of clustering coming for the lower end firewall as well?
A: Presently, this is supported only on 5580 and 5585-x series ASAs. We cannot currently promise if and when the lower end ASAs will support clustering.
Q: Can we virtualize a clustered active active FW, in version 9.0?
A: Yes, clustering can be used along with ASAs in multiple-context mode. At the same time, failover is not supported with ASAs in cluster.
Q: How will management work ? only single management for all devices in a cluster ( like stacking ) or seperate management console for each device ( like nexus ?)
A: You can manage each cluster member separately using a pool of management addresses. More details here: http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1551576. Configuration changes should be made only on the master.
Q: How many ASA modules can be clustered together?
A: You can have upto 8 ASAs in a cluster.
Q: ASA support vpn in 9.x version in multi context mode?
A: yes VPN is supported in 9.x multi context mode.. Here is the list of all features supported. http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/data_sheet_c78-714849.html (although Remote access vpn is not yet supported)
Q: Is the Active Directory integration has been added, because Cyberoam supports Active Directory integration?
A: Yes Active Directory Integration is supported on ASAs (Identity based Firewall) and ASA-CX.
Currently, we support vmware environment but there are plans to include support for microsoft hyper-v as well. For further details, please check in with your Cisco Account Representative.
Q: Is it possible to block https traffic also?
A: Yes, ASACX supports HTTPS filtering as well.
Q: If 9.x version going to run in ASA and ASA-x model, how you will differentiate ASA and ASA-X model I guess all feature going to work on both model
A: Thanks for your question. Could you please elaborate on ASA-X? Did you mean ASA-CX instead?
Q: How cluster is different from failover?
A: Cluster is a method of aggregating multiple ASAs as one where every ASA in a cluster processes some amount of traffic. This also provides redundancy. Failover provides only redundancy.
Q: Was this filtering option not in 8.x versions?
A: Thanks for your question. Are you talking about ASA-CX filtering? If so, no versions 8.3 and before doesn't support ASA-CX. This is supported only beginning version 8.4 in 5585 ASAs and 9.1 in ASA5500-x appliances.
Q: For the client posture, how the cisco ASA knows client's information ? agent ?
A: if you are referring client posture assesment with Anyconnect, then hostscan in CSD will be used to extract client information.. let me know this answers your question.
Q: So is it right that ASA CX can do what ever ASA BOTNET filter does?
A: Though they both have similarities, ASA-CX is capable of doing much more than Botnet traffic filter on ASA. For example, we support HTTPS filtering, micro-app filtering, etc on ASA-CX.
Q: Can you combine CX and IPS on the same ASA (let's say 5525-X) and have them both active?
A: no you can either have CX or IPS modules only. In version 9.2 of CX, basic IPS features have been introduced.
Q: The advanced feature in firewall technology - dynamic inspection by default for all the services rather than limited services using MPF and the other one is 2. SSL Decipher or SSL Proxy services for HTTPS for TS secure traffic?
A:
Q: which algorithm used to check SSL/TLS Decryption?
A:
Q: Its alredy there is palo alto firewalls., when can we expect these features on asa?
A:
Q: is ASA CX = ASA + Ironport web?
A: Hi Arin. ASA-CX uses similar Application visibility and control features as Ironport WSA and works with ASA so in essence, you could say that. But, in working along with ASA, ASA-CX is capable of a few more things.
Q: What about https?
A:
Q: How is nat config in 9.1 version, same as 8.3 or different?
A: Yes, the NAT format remains unchanged though we now have support for IPv6 NAT (yes, I said IPv6 NAT! :)).
Q: Do we need particular license for web reputation, url filetring, http inspection? what comes by default with the box ?
A: by default you get a trial license of 60 days for all features with an option 60 day extension. After this, you will have too purchase and install licenses for necessary features.
Q: What is the difference between the ASA CX HTTP inspection and HTTP inspection in the regular ASA?
A: The HTTP inspection on ASA-CX is much more optimized than the ASA and since it works in conjucntion with Application visibiluty and control, we have the capability of micro-application filtering.
Q: Does 9.x support AAA IP Address assignment for IPv6?
A: IPv6 address assignemnt is supported only for local authentication, with an external AAA, IPv6 address assignment is not supported.
Q: What's the difference between HTTP inspection and using AVC ?
A: AVC provides visibility into type of protocol and application and the HTTP inspection engine can take decisions based on this information. In essence, they work in conjunction with each other.
Q: Is it possilbe to block Skype?
A: Yes, skype can be blocked but please note that these application constantly change their modus operandi in which case you might see behavior otherwise. We try our best to keep up with this.
Q: Is the ASAcx support vpn connection while it is in context mode?
A: ASACS is a security service in ASA, and with 9.x on ASA you can have VPN (site to site, not remote access vpn yet) in multi-context mode.. let me know if this answers your question.
Q: Does the ASA CX support UID filtering?
A: Yes, ASA-CX supports User-ID (UID) based filtering working along with Active Directory or LDAP servers.
Q: My company is blocking websites. I get a message stating website is blocked "due to website reputation".. i'm assuming Cisco ASA firewall is issue. What is easiest way for me to login to firewall and change restriction for single website?
A: The best thing to do will be to first ensure it is the ASA that is blocking this traffic (using syslogs and/or packet captures). If it is the ASa, then syslogs will give you information about reason for block.
Q: This is the error while trying to download the presentation. "It appears you're not allowed to view what you requested. You might contact your administrator if you think this is a mistake."
A:
Q: Is the architecture different from SSM?
A: Yes the architecture is completely different from SSMs.
Q: Is ASA CX is like SSM where we can inserted into ASA box?
A: Yes ASA-CX will be a physical module inserted in ASA5585 appliances. In Asa5500-x appliances, CX can be installed as a software module.
Q: Do we have any replacement/buback process/facility with existing 5505-5510 with ASA CX next -Generation firewall , ASA5500-x series?
A: Yes majority of the features are common across the two. ASA-CX though is supported only in ASa5500-x. For more details, would recommend talk to you Cisco Accounts Representative for details.
Q: Why to drop if there is no xlate? Nat-control has been deprecated as far as I know.
A: You are right. that stage only talks about nat-control or an equivalent configuration in 8.3 and above.
Q: In case of https scanning, is it required to import https certificate on all of the users?
A: Yes. If you are using a self-signed certificate, all end users will have to trust the CX presented certificate. If you are importing a certificate from your local CA server, then users should automatically trus the certificate.
Q: HA in ASA is possible if I have box in two different datacenter, again single logical device setup also possible between two datacenter?
A: Presently, we do no explicitly support clustering across data centers but there are plans for the same. I can not promise if and when it will be supported though.
Q: Do we need any thirty party server to filter the url? like websense,trend micro, Mcafee?
A: URL filtering is inherently supported on ASA-CX.
Q: Can I configure user VPN while using multi context?
A: With 9.x you can configure site to site VPN but not Remote Access IPSec VPN with multi-context mode. Here is list of all other features supported: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/data_sheet_c78-714849.h
Q: We have a pair of 5585-40s, can I still add the CX 20 module to the units? I don't mind if I lose potential throughput.
A: You can only add CX-SSP-40 in ASA5585-SSp-40.
Q: On the ASA CX packet life slide (21); how is the packet encrypted after decrypted by TLS proxy?
A: The ASA-CX ensures it does not transmit decrypted packets if it received them encrypted in the first place. the tls_proxy engine takes care of decrypting and re-encrypting traffic as necessary.
CX is used with 5505 ASA v8.3 after upgrading the ASA v 9.x
Q: Can you apply QoS to L7 applications or only allow/deny?
A: With version 9.2 on CX, you can configure rate-limiting based on layer 7 information as well.
Q: Can u give some example about inspection traffic decryption mechanism?
A: You can read up about HTTPS decryption here: http://www.cisco.com/en/US/docs/security/asacx/9.1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_01101.html.
Q: Does CX authentication support SSO ?
A: With pasive authentication, we support SSO inherently. With active authentication as well you have the ability to transparently authenticate users.
Q: Identify users – another indent I can use to authentication other then user’s name?
A: You can use usernames or groups (in an AD environment).
Q: if we used the ASA CX with 9.x versin do we still need to have an hardware appliance for proxy or this ASA CX we can use. Could you please elaborate on this question with more details?
A:
Q: Identify users – any other identify I can use to authentication other then user’s name.
A:
Q: Is 9.2 CX already available in CCO? And what do you mean by basic IPS features?
A: Yes it is available for download now. It supports basic IPS signatures currently and plan is to include more signatures in future.
Q: What abt SSL and TLS decryption via ASA?
A: ASA doesn't support HTTPS filtering inherently but only using the ASA-CX.
Q: When CX is running on a blade server, how do we connect the ASA and CX?
A: Just like you did with an IPS or CSC SSM, you can insert the physical CX-SSP module into Asa5585 chassis slot 1. In ASA5500-x ASA, CX operates as a software module (no hardware needed apart from an SSD).
Q: When i was studying for firewall i studied on GNS3 with 8.4.2 version, is that version only supported on 5585 ASA's?
A: All models of ASAs support 8.4.2.
Q: Do we need any feature keys or licence for any specific policy or features in asa cx or the base license support all features ?
A: You do have additional license for Web Security and Application visibilty but it comes by default wit a 60 day trial with a one time extension of 60 additional days.
Q: Is the radius authentication supported?
A: Radius authentication with ASA as external AAA servers has been supported since older releases (8.x) as well.. are you looking for anything specific with Radius authentication..
Q: I am unale to download PDF persentation, it says It appears you're not allowed to view what you requested. You might contact your administrator if you think this is a mistake.
A: it has been fixed, can you try downloading it again..
Q: Are the CX features integrated into packet-tracer command? Is there possibility to see invidividual steps that are being processed by the ASA/CX?
A: Packet-tracer is limited to the ASA. There are plans to include a packet-tracer for the ASA-CX separately but we cannot promise when that will be made available.
Q: Migrating 8.6 to 9.0 what abt natting and MPF config.. Is it needed to modify or will it migrate automatically?
A: All your configuration should be migrated automatically by the ASA.
Q: I have a question on url control and app control. Is it possible to exclude few of categoriess from https scanning (Banking, governance etc)?
A: Yes you do have the ability to exclude certain category of web sites from decryption.
Q: How CX blades can be enabled on legacy ASA firewall hardware like ASA 5510/5520 ?
A: Legacy ASA5500 series ASAs do not support ASA-CX integration. You should make use fo ASa5500-x series ASAs along with an SSD (solid state disk)
Q: Does it give the contol like checkpoint URL filtering and application control blade?
A: I am not a familiar with checkpoint URL filering capabilities but the ASa-CX does support micro-application filtering. For example, we can filter on Facbook chat, photos, videos, etc.
Q: I am using asa 5520, can I rollout ver 9.0?
A: Yes, ASA5520 supports version 9.
Q: Does the ASA CX require additional HW in e.g. a ASA 5545-X appliance?
A: You will need solid state disk(s) (SSD) installed in your 5545-x ASA to install ASA-CX.
Q: Does ASA 9.x support dynamic routing with multi context?
A: Yes, ASA 9.x supports dynamic routing for EIGRP and OSPFv2 for multi context mode
Q: When ASA will support change of Authorization to over come IPEP?
A:
Q: Any plans for remote access in multi context mode?
A: No plans as of now for remote access vpn in multi-context mode..
Q: Does ASA multi context support PFS and QOS over the VPN?
A: Yes, both PFS and QoS should work over VPN in multi-context..
Q: If we used this firewall, do we need to have another hardware for proxy or this can be enough for mediam level of comapanies like up 300 users
A: Details of amount of throughput is available in the data sheet on cisco.com. It will depend on the amount and type of traffic.
Q: How CX blades can be enabled on legacy ASA firewall hardware like ASA 5510/5520 ?
A: Unfortunately, CX is not supported on ASA 5510,5520 platforms
Q: Will the Prime Security Manager be available for the ASA (replace ASDM)?
A: Yes with version 9.2, PRSM supports management of ASA as well but not all the features are presently supported.
Q: Change of authorization feature any idea from which version or from when it will be supported
A: change of authorization feature is in the roadmap, currently no ETA on which upcoming version will support this..
Q: Either IPS SSP or CX SSP can be used per ASA chassis?
A: This question has been answered verbally.
Q: When will there be a support for passive authentication for Windows Terminal Server?
A: I remember discussing this with you on a TAC case. ASA-CX does support passive authentication but challenges exist when multiple users login simultaneously. Is this what you are referring to?
Q: How ASACX Module help Inspect HTTP traffic and other traffic and Prevent Trojans
A: You have highly granular control on policies in your ASA-CX and have full control over what to allow and deny.
Q: If we used ASA CX firewall can it works as Firewall and Proxy?
A: ASA-CX works as a transparent proxy in essence with the end users not really having knowledge about its presence.
Q: OK, i wanted to know whether a application can be controlled per user IP or username.
A: That is the good thing .. you can control application access based on both username or IP
Q: Is Demo is available for CX ?
A:
Q: When using remote access VPN, is automatic fallback from IPSec to SSL VPN supported ?
A: There is no automatic fallback mechanism from Remote Acess IPsec vpn to SSL (Anyconnect)..
Q: do you know if remote access vpn (SSL) will be support for multi-context mode ?
A: Remote access - SSL is not supported in multi-context mode yet..
Q: so its prefeferable to use another hardware for proxy?
A:
Q: What hardware would you suggest to datacenter? We are considering to replace old FWSM modules.
A: ASA-SM is meant to be the replacement for FWSM modules. It supports miuch higher throughput and is pretty much on-par with latest ASa features.
Q: Is EIGRP IPv6 support available now?
A:
Q: Any connect client version compatibility for 9.x version any restriction ?
A: Please refer the table in this link that provides the Anyconnect version compatibility for 9.x: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp145440
Q: We will be installing Cisco ASA5520X (ver9.x) within next 3-months. Along with this, we will be installing Dual-stack. can you advise if any important items we should take note (i.e. license type, etc) or this is quite similar to version 8.x?
A: There are no major differneces in integratin an ASA wit a dual-stack switch if that is what your question was. Feel free to post on forum if you ened more details.
Q: can we use IPv6 for remote access VPN users
A: You can assign ipv6 addresses from ip local pools defined ASA to remote access VPN users, but option to assign ipv6 from external DHCP servers (i.e DHCPv6) is not supported yet..
Q: is SQL injection attack protection provided?
A: CX can not protect against SQL injection. IPS is integrated in the latest version with a minimal set of signatures but to my knowledge, this is not supported.
Q: Do you have multiple CPU for various proecsses , like different CPUs for data plane , cx
A: There are different processes for each of these opeariotns.
Q: Which ASA features are supported on PRSM at the moment?
A: Some of the suppported fatures are NAT, ACL, Logging. more ifnormation should be available online in the release notes and user guides.
Q: Will VPN be supported in Active-Active Context ?
A:
Q: Is third party vendor supported on 9.x like websense ?
A: Yes, websense is still supported.
Q: Will VPN be supported in Active-Active Context ?
A:
Related Information