Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.
Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
This document contains the answers provided for the questions asked during the live "Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)" Webcast.
You can download the slides of the presentation in PDF format here. The related Ask The Expert session is available here. The complete recording of this live Webcast can be accessed here.
A: Presently, this is supported only on 5580 and 5585-x series ASAs. We cannot currently promise if and when the lower end ASAs will support clustering.
A: Yes, clustering can be used along with ASAs in multiple-context mode. At the same time, failover is not supported with ASAs in cluster.
A: You can manage each cluster member separately using a pool of management addresses. More details here: http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1551576. Configuration changes should be made only on the master.
A: You can have up to 8 ASAs in a cluster.
A: Yes, VPN is supported in 9.x multi-context mode. Here is the list of all features supported: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/data_sheet_c78-714849.html (although remote access VPN is not yet supported).
A: Yes, Active Directory integration is supported on ASAs (Identity-based Firewall) and ASA-CX.
A: Currently, we support the VMware environment, but there are plans to include support for Microsoft Hyper-V as well. For further details, please check in with your Cisco Account Representative.
A: Yes, ASA-CX supports HTTPS filtering as well.
A: Thanks for your question. Could you please elaborate on ASA-X? Did you mean ASA-CX instead?
A: Cluster is a method of aggregating multiple ASAs as one where every ASA in a cluster processes some amount of traffic. This also provides redundancy. Failover provides only redundancy.
A: Thanks for your question. Are you talking about ASA-CX filtering? If so, no, versions 8.3 and earlier don't support ASA-CX. This is supported only beginning with version 8.4 on 5585 ASAs and 9.1 on ASA5500-X appliances.
A: If you are referring to client posture assessment with AnyConnect, then HostScan in CSD will be used to extract client information. Let me know if this answers your question.
A: Though they both have similarities, ASA-CX is capable of doing much more than the Botnet Traffic Filter on ASA. For example, we support HTTPS filtering, micro-app filtering, etc. on ASA-CX.
A: No, you can have either CX or IPS modules only. In version 9.2 of CX, basic IPS features have been introduced.
A: Hi Arin. ASA-CX uses similar application visibility and control features as IronPort WSA and works with ASA, so in essence, you could say that. But, in working along with ASA, ASA-CX is capable of a few more things.
A: Yes, the NAT format remains unchanged though we now have support for IPv6 NAT (yes, I said IPv6 NAT! :)).
A: By default, you get a trial license of 60 days for all features, with an option of a 60-day extension. After this, you will have to purchase and install licenses for the necessary features.
A: The HTTP inspection on ASA-CX is much more optimized than on the ASA, and since it works in conjunction with application visibility and control, we have the capability of micro-application filtering.
A: IPv6 address assignment is supported only for local authentication; with an external AAA server, IPv6 address assignment is not supported.
A: AVC provides visibility into type of protocol and application and the HTTP inspection engine can take decisions based on this information. In essence, they work in conjunction with each other.
A: Yes, Skype can be blocked, but please note that these applications constantly change their modus operandi, in which case you might see behavior otherwise. We try our best to keep up with this.
A: ASACS is a security service in ASA, and with 9.x on ASA you can have VPN (site-to-site, not remote access VPN yet) in multi-context mode. Let me know if this answers your question.
A: Yes, ASA-CX supports User-ID (UID) based filtering working along with Active Directory or LDAP servers.
A: The best thing to do will be to first ensure it is the ASA that is blocking this traffic (using syslogs and/or packet captures). If it is the ASA, then syslogs will give you information about the reason for the block.
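As an added example that is not part of the webcast answer, the following Python pulls the source, destination and block reason out of three common ASA deny syslog IDs (106023 deny by ACL, 106001 inbound connection denied, 106015 deny with no connection) and ignores non-deny messages; the log lines, addresses, ports and ACL name are constructed samples.

```python
import re

# Constructed sample syslog lines (addresses, ports and ACL name are made up)
# in the documented formats of three ASA deny messages, plus one 302013
# "Built ... connection" line that a deny parser should ignore.
SAMPLE_SYSLOGS = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51522 dst inside:10.1.1.25/443 by access-group "outside_access_in" [0x0, 0x0]
%ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/51523 to 10.1.1.25/22 flags SYN  on interface outside
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.25/443 to 198.51.100.7/51522 flags RST  on interface inside
%ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51530 (198.51.100.7/51530) to inside:10.1.1.25/80 (10.1.1.25/80)
"""

# %ASA-<severity>-<message id>: <body>
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)")

# Per-message-ID body patterns; each yields src and dst (address/port) plus
# the fields needed to explain why the ASA dropped the packet.
DENY_PATTERNS = {
    "106023": re.compile(
        r"Deny (?P<proto>\w+) src \S+?:(?P<src>\S+) dst \S+?:(?P<dst>\S+) "
        r'by access-group "(?P<acl>[^"]+)"'),
    "106001": re.compile(
        r"Inbound (?P<proto>\w+) connection denied from (?P<src>\S+) to (?P<dst>\S+) "
        r"flags (?P<flags>.+?) +on interface (?P<iface>\S+)"),
    "106015": re.compile(
        r"Deny (?P<proto>\w+) \(no connection\) from (?P<src>\S+) to (?P<dst>\S+) "
        r"flags (?P<flags>.+?) +on interface (?P<iface>\S+)"),
}

REASONS = {
    "106023": "explicitly denied by ACL {acl}",
    "106001": "inbound {proto} on interface {iface} denied by security policy (flags {flags})",
    "106015": "{proto} packet has no existing connection in the state table (flags {flags})",
}

def parse_denies(text):
    """Return one dict (msgid, src, dst, reason) per recognised ASA deny message."""
    results = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m or m.group("msgid") not in DENY_PATTERNS:
            continue  # not an ASA message, or not a deny ID we classify
        body = DENY_PATTERNS[m.group("msgid")].search(m.group("body"))
        if not body:
            continue  # a variant we do not parse (e.g. ICMP type/code form)
        fields = body.groupdict()
        results.append({"msgid": m.group("msgid"), "src": fields["src"],
                        "dst": fields["dst"],
                        "reason": REASONS[m.group("msgid")].format(**fields)})
    return results
```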
A: Yes the architecture is completely different from SSMs.
A: Yes, ASA-CX will be a physical module inserted in ASA5585 appliances. In ASA5500-X appliances, CX can be installed as a software module.
A: Yes, the majority of the features are common across the two. ASA-CX, though, is supported only in ASA5500-X. For more details, I would recommend talking to your Cisco Account Representative.
A: You are right. That stage only talks about nat-control or an equivalent configuration in 8.3 and above.
A: Yes. If you are using a self-signed certificate, all end users will have to trust the CX-presented certificate. If you are importing a certificate from your local CA server, then users should automatically trust the certificate.
A: Presently, we do not explicitly support clustering across data centers, but there are plans for the same. I cannot promise if and when it will be supported, though.
A: URL filtering is inherently supported on ASA-CX.
A: With 9.x you can configure site-to-site VPN but not Remote Access IPsec VPN with multi-context mode. Here is the list of all other features supported: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/data_sheet_c78-714849.h
A: You can only add CX-SSP-40 in ASA5585-SSP-40.
A: The ASA-CX ensures it does not transmit decrypted packets if it received them encrypted in the first place. The tls_proxy engine takes care of decrypting and re-encrypting traffic as necessary.
CX is used with 5505 ASA v8.3 after upgrading the ASA v 9.x
A: With version 9.2 on CX, you can configure rate-limiting based on layer 7 information as well.
A: You can read up about HTTPS decryption here: http://www.cisco.com/en/US/docs/security/asacx/9.1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_01101.html.
A: With passive authentication, we support SSO inherently. With active authentication as well, you have the ability to transparently authenticate users.
A: You can use usernames or groups (in an AD environment).
A: Yes, it is available for download now. It supports basic IPS signatures currently, and the plan is to include more signatures in the future.
A: ASA doesn't support HTTPS filtering inherently but only using the ASA-CX.
A: Just like you did with an IPS or CSC SSM, you can insert the physical CX-SSP module into ASA5585 chassis slot 1. In ASA5500-X ASAs, CX operates as a software module (no hardware needed apart from an SSD).
A: All models of ASAs support 8.4.2.
A: You do have an additional license for Web Security and Application Visibility, but it comes by default with a 60-day trial with a one-time extension of 60 additional days.
A: RADIUS authentication with ASA as an external AAA server has been supported since older releases (8.x) as well. Are you looking for anything specific with RADIUS authentication?
A: It has been fixed; can you try downloading it again?
A: Packet-tracer is limited to the ASA. There are plans to include a packet-tracer for the ASA-CX separately but we cannot promise when that will be made available.
A: All your configuration should be migrated automatically by the ASA.
A: Yes, you do have the ability to exclude certain categories of web sites from decryption.
A: Legacy ASA5500 series ASAs do not support ASA-CX integration. You should make use of ASA5500-X series ASAs along with an SSD (solid state disk).
A: I am not familiar with Check Point URL filtering capabilities, but the ASA-CX does support micro-application filtering. For example, we can filter on Facebook chat, photos, videos, etc.
A: Yes, ASA5520 supports version 9.
A: You will need solid state disk(s) (SSD) installed in your 5545-x ASA to install ASA-CX.
A: Yes, ASA 9.x supports dynamic routing for EIGRP and OSPFv2 in multi-context mode.
A: No plans as of now for remote access VPN in multi-context mode.
A: Yes, both PFS and QoS should work over VPN in multi-context mode.
A: Details of throughput are available in the data sheet on cisco.com. It will depend on the amount and type of traffic.
A: Unfortunately, CX is not supported on ASA 5510 and 5520 platforms.
A: Yes, with version 9.2, PRSM supports management of ASA as well, but not all the features are presently supported.
A: The change of authorization feature is on the roadmap; currently there is no ETA on which upcoming version will support this.
A: This question has been answered verbally.
A: I remember discussing this with you on a TAC case. ASA-CX does support passive authentication, but challenges exist when multiple users log in simultaneously. Is this what you are referring to?
A: You have highly granular control on policies in your ASA-CX and have full control over what to allow and deny.
A: ASA-CX works as a transparent proxy in essence with the end users not really having knowledge about its presence.
A: That is the good thing: you can control application access based on either username or IP.
A: There is no automatic fallback mechanism from Remote Access IPsec VPN to SSL (AnyConnect).
A: Remote access SSL is not supported in multi-context mode yet.
A: ASA-SM is meant to be the replacement for FWSM modules. It supports much higher throughput and is pretty much on par with the latest ASA features.
A: Please refer to the table in this link that provides the AnyConnect version compatibility for 9.x: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp145440
A: There are no major differences in integrating an ASA with a dual-stack switch, if that is what your question was. Feel free to post on the forum if you need more details.
A: You can assign IPv6 addresses from IP local pools defined on the ASA to remote access VPN users, but the option to assign IPv6 addresses from external DHCP servers (i.e., DHCPv6) is not supported yet.
A: CX can not protect against SQL injection. IPS is integrated in the latest version with a minimal set of signatures but to my knowledge, this is not supported.
A: There are different processes for each of these operations.
A: Some of the supported features are NAT, ACL, and logging. More information should be available online in the release notes and user guides.
A: Yes, websense is still supported.