ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIANCES

Feb 8th, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about how to deploy Cisco ASA and PIX security appliances with Cisco expert Tom Hunter. Tom is a technical marketing engineer for the Cisco Security Technology Group. In his 15-year career at Cisco, Tom has provided technical marketing support for the Cisco PIX and ASA family of products, starting with release 1.7. From hands-on network operations to supporting deployment of multisite topologies, Tom brings a wealth of experience to his role. He has been a network security specialist for his entire professional career, beginning with cryptographic communications in the military. You will find him regularly contributing to the Security VT program as well as presenting the latest Cisco security product solutions in the Executive Briefing Center and at Networkers symposiums.

Remember to use the rating system to let Tom know if you have received an adequate response.

Tom might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 22, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

Collin Clark Fri, 02/08/2008 - 10:47

Hi Tom,

Thanks for coming out and answering our questions. Is there any chance Netflow will be supported on any other platform besides the 5580?

Hunter Mon, 02/11/2008 - 11:05

Netflow logging is a high speed alternative to syslog. The 5580 will make good use of its features due to its performance levels. The development team will be watching customer reaction to this feature to determine what the next steps should be. Let your Cisco contacts know your interest.

clausonna Tue, 02/12/2008 - 12:20

Sorry for not RTFM'ing the docs on the 5580, but does ASA Netflow send flows -only- for flows that are actually permitted through the ASA, or does it flow for everything (incl. denied traffic).

My guess is the former, but I wanted to be sure.

Just for the record, we're heavily leveraging Netflow off of the routers and I'd be extremely interested in seeing in on the 5510/5520 platforms.

Hunter Tue, 02/12/2008 - 12:54

Watch the ASA Product page http://www.cisco.com/en/US/products/ps6120/prod_white_papers_list.html for a paper on ASA Netflow. It's still a bit of time from being published so it may be located on a different link. The netflow messaging grabs about 8 common messages around flows and packages them as two netflow messages. It helps considerably in the area of auditing traffic as the syslog messages typically collected for this are now together.
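To make the "syslog messages are now together" point concrete, here is an added Python example (not Cisco's NetFlow implementation and not part of the original thread) that folds the build and teardown syslog messages for one connection id into a single flow record, which is the shape a flow export carries. The sample lines are constructed in the format of ASA message IDs 302013 and 302014; the hostname, addresses and connection ids are made up.

```python
"""Aggregate ASA connection syslog (302013 build / 302014 teardown) into
per-connection flow records. Added illustration; the log lines below are
constructed, not captured from a real appliance."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_SYSLOG = """\
Feb 12 2008 12:54:01 fw01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.1.10/51234 (198.51.100.2/51234)
Feb 12 2008 12:54:01 fw01 %ASA-6-302013: Built outbound TCP connection 4712 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:192.168.1.11/51235 (198.51.100.2/51235)
Feb 12 2008 12:54:06 fw01 %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/80 to inside:192.168.1.10/51234 duration 0:00:05 bytes 18344 TCP FINs
Feb 12 2008 12:54:20 fw01 %ASA-6-302014: Teardown TCP connection 4690 for outside:203.0.113.9/25 to dmz:10.2.1.20/42000 duration 1:02:03 bytes 9000 TCP Reset-O
"""

# "Built {inbound|outbound} TCP connection ID for IF:addr/port (mapped) to IF:addr/port (mapped)"
BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<if1>\w+):(?P<a1>[\d.]+)/(?P<p1>\d+) \([\d.]+/\d+\) "
    r"to (?P<if2>\w+):(?P<a2>[\d.]+)/(?P<p2>\d+) \([\d.]+/\d+\)")
# "Teardown TCP connection ID for IF:addr/port to IF:addr/port duration h:mm:ss bytes N [reason]"
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<if1>\w+):(?P<a1>[\d.]+)/(?P<p1>\d+) "
    r"to (?P<if2>\w+):(?P<a2>[\d.]+)/(?P<p2>\d+) "
    r"duration (?P<hrs>\d+):(?P<min>\d{2}):(?P<sec>\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$")


@dataclass
class Flow:
    conn_id: int
    endpoint_a: str                  # e.g. 'outside:203.0.113.5/80'
    endpoint_b: str                  # e.g. 'inside:192.168.1.10/51234'
    direction: Optional[str] = None  # only the build message carries this
    duration_s: Optional[int] = None
    bytes: Optional[int] = None
    reason: Optional[str] = None
    complete: bool = False           # both build and teardown were seen


def aggregate(text):
    """Return {conn_id: Flow}, merging the two messages of each connection."""
    flows = {}
    for line in text.splitlines():
        m = BUILT.search(line)
        if m:
            cid = int(m["id"])
            flows[cid] = Flow(cid, f"{m['if1']}:{m['a1']}/{m['p1']}",
                              f"{m['if2']}:{m['a2']}/{m['p2']}", direction=m["dir"])
            continue
        m = TEARDOWN.search(line)
        if m:
            cid = int(m["id"])
            flow = flows.get(cid)
            if flow is None:
                # teardown whose build fell outside this log window (e.g. rotated away)
                flow = flows[cid] = Flow(cid, f"{m['if1']}:{m['a1']}/{m['p1']}",
                                         f"{m['if2']}:{m['a2']}/{m['p2']}")
            flow.duration_s = int(m["hrs"]) * 3600 + int(m["min"]) * 60 + int(m["sec"])
            flow.bytes = int(m["bytes"])
            flow.reason = m["reason"]
            flow.complete = flow.direction is not None
    return flows


def open_flows(flows):
    """Connection ids that were built but not torn down within the window."""
    return sorted(cid for cid, f in flows.items() if f.bytes is None)


if __name__ == "__main__":
    for f in aggregate(SAMPLE_SYSLOG).values():
        print(f)
```

A flow record that is still open (built, no teardown yet) and a teardown whose build message was rotated away are both kept, because an auditor wants to see them; the `complete` flag tells the two cases apart from a fully reconstructed flow.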

husycisco Fri, 02/08/2008 - 12:33

Hi Tom

How nice to see you in here, thanks for coming and for your time.

There are some questions that I have searched for answers that will unlock the questionmarks in my head, read comments from other experts in forums, read cisco articles etc but never been able to get the answer which would make me say “Aha!” . I am sure your experience will be the key.

Inside network=192.168.1.0

Access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www

Access-group inside_access_in inbound interface inside

Above Access-list permits inside hosts to browse the internet. Question is, this is an outbound process, but why is it grouped to inside interface as “inside_access_in inbound” ? What does the outbound option in Access-group stand for and in what kind of a scenario can we implement “Access-group inside_access_out outbound inside” . Can you please describe with an example according to your experiences?

I read about nat-control articles in cisco etc, comments by other experts, but could not find a good explanation and configuration in production . What happens if I issue no nat-control ? Does appliance start acting like a router and works between interfaces and routes without any NAT, exempt NAT or static entries? If yes, how would ACLs work in this case. No ACLs for traffic from higher security interface to lower security interface and permit acls for traffic from lower sec interface to higher sec interface?

What is static (inside,inside) or static (dmz,dmz) used for? Can I use this when I want to NAT my inside host to a desired IP in inside interface? (not in a different interface)? Would be useful for overlapping networks between L2L peers or etc. Or this is only for DNS doctoring?

I have heard that we can assign user specific ACLs to VPN users if we use a RADIUS server (Windows IAS for example) by setting an attribute in IAS (attribute 25 or something like this). Do you have a link for a document for this?

Is it possible to make IP reservation for a VPN client which acquires IP from specified DHCP server? Does a VPN client have a static MAC address for making IP reservations?

Do you know a book (maybe a Cisco release) about intermediate and advanced debugging levels, how to analyze debugs

Is it possible to add policy routes just like policy NATs? If not, would it be in further IOS?

Thanks a lot for your time!

Regards
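The static (inside,inside) question above, worked through as an added Python model (not Cisco code and not from the thread): it follows the redirect behaviour Tom Hunter describes in his reply and adds the DNS-rewrite alternative the questioner calls DNS doctoring. The rule semantics assumed are that `static (real_if,mapped_if) MAPPED REAL` rewrites a packet arriving on mapped_if for MAPPED to REAL and forwards it out real_if, and that the same rule with the `dns` keyword instead rewrites the A record in a DNS reply heading to a client on real_if. Server, client and addresses are constructed.

```python
"""Model of 'static (inside,inside)' redirect versus DNS rewrite.
Added illustration; interface names and addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped: str        # address seen on mapped_if
    real: str          # address seen on real_if
    dns: bool = False  # 'dns' keyword: also rewrite DNS replies


def forward_packet(statics, in_if, dst):
    """Where does a packet arriving on in_if for dst go, and with which
    destination? Returns (egress_interface, translated_dst, hairpin)."""
    for s in statics:
        if s.mapped_if == in_if and s.mapped == dst:
            # hairpin: the packet leaves on the interface it arrived on; an ASA
            # needs 'same-security-traffic permit intra-interface' for that
            return s.real_if, s.real, s.real_if == in_if
    # no static applies: assume the default route points at 'outside'
    return "outside", dst, in_if == "outside"


def doctor_dns_reply(statics, client_if, answer):
    """Rewrite an A record in a DNS reply on its way to a client on client_if."""
    for s in statics:
        if s.dns and s.mapped == answer and s.real_if == client_if:
            return s.real
    return answer


# Constructed scenario: web server 192.168.1.20 on inside is published as
# 198.51.100.10 on outside, and the external DNS returns the public address.
PUBLIC, PRIVATE = "198.51.100.10", "192.168.1.20"
ONLY_OUTSIDE = [Static("inside", "outside", PUBLIC, PRIVATE)]
WITH_INSIDE_STATIC = ONLY_OUTSIDE + [Static("inside", "inside", PUBLIC, PRIVATE)]
WITH_DNS_KEYWORD = [Static("inside", "outside", PUBLIC, PRIVATE, dns=True)]

if __name__ == "__main__":
    # inside client sends to the public address: without the (inside,inside)
    # static it heads out to the Internet where the server is not
    print(forward_packet(ONLY_OUTSIDE, "inside", PUBLIC))
    # with it, the packet is turned back onto inside with the private address
    print(forward_packet(WITH_INSIDE_STATIC, "inside", PUBLIC))
    # the ordinary inbound case from the Internet is unchanged
    print(forward_packet(WITH_INSIDE_STATIC, "outside", PUBLIC))
    # DNS rewrite: the client never sends to the public address at all
    print(doctor_dns_reply(WITH_DNS_KEYWORD, "inside", PUBLIC))
```

The two approaches differ in where the fix lives: the (inside,inside) static corrects the packet after the client has already been given the public address, so every such connection hairpins on the inside interface, whereas the dns keyword corrects the answer so the client talks to the private address directly and the firewall never sees the flow.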

sushilmenon Sun, 02/10/2008 - 22:08

hi tom glad to have u in the forum.

can u pls tell whether cisco is planning to target the mssp market with the ASAs. cause for that the asa is really not competent like other vendors like juniper, fortinet and checkpoint.

the security context in asa is not at all useful.

for basic active active configuration we have to use contexts which is not in other vendors.

and from real point of view u know it's not real active active; at any point in time on a single firewall only one context is active. just for getting active active we have to segment our network.

going to active/active disable routing,and the most important thing vpns.

will asa ever support having separate routing domains like virtual routers in netscreen and separate vpn tables for each context.

regards

sushil

Hunter Wed, 02/13/2008 - 08:55

I cannot comment on future product directions. Your comments are noted. Thanks

Hunter Mon, 02/11/2008 - 13:03

Ok, you have 6 questions here ...

1 - Consider the PIX/ASA as the center of the world ... on any particular interface traffic comes in (inbound) and traffic departs (outbound). You can save capacity by blocking inbound traffic you don't want. The access list statement indicates ONLY www users can pass inbound. No other protocol overheads are incurred. Outbound blocks traffic outbound on an interface ... what if your PIX/ASA has 5 interfaces, the inbound limits traffic to only www ... but if you want ONLY one interface to permit www outbound then you would want to block www inbound on the others. Of course all of this is selectable by address space.

2 - your PIX/ASA is configured NAT-CONTROL so you understand how all the NAT and ACL features work ... You also understand that any traffic not described by NAT does not get out. So what about NO NAT-CONTROL? It impacts traffic _not described in NAT statements_ All the NAT features still work as described ... the impact is to the address space not described by NAT ... it is no longer blocked. All ACL's, security level rules, statefulness, etc. now can traverse the PIX/ASA. Lower level interfaces cannot initiate inbound connections without acls ... etc.

3 - This kind of a static is a method to direct an inside client to inside server when an external DNS returns an external address. An external static (I,O) will define the relation to an inside server. The dns query of an inside client will return the external address . the client will try to build that connection ... the inside static (I,I) will redirect the inside client back to the inside server following the dns lookup.

4 - From the Config guide 8.0 Firewall sect. http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html#wp1056570

5 - Not currently possible to make a DHCP reservation.

6 - I have no recommendations on books, there are a variety of good ones ... and I do tend to lean to Cisco Press. If you need policy routing check IOS and let your Cisco contact know.
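The interface-direction and security-level behaviour in the first two answers above, as an added Python model (not Cisco code and not from the thread). Assumptions: an ACL bound `in` on an interface is checked on packets arriving there and one bound `out` on packets leaving it; ACLs are first-match with an implicit deny; when no inbound ACL is bound, the security-level rule decides (higher to lower passes, lower to higher does not); reply packets of an allowed connection pass on state. Interface names, security levels, addresses and the ACL contents are constructed.

```python
"""Simplified model of ASA access-group direction and security levels.
Added illustration; the topology and ACLs below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit tcp 192.168.1.0/24 any eq 80'."""
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip' matches every protocol
    src: str                     # CIDR; '0.0.0.0/0' stands for 'any'
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[list] = None   # access-group NAME in interface ...
    acl_out: Optional[list] = None  # access-group NAME out interface ...


def evaluate(acl, proto, src, dst, dport):
    """First match wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action == "permit"
    return False


class Asa:
    def __init__(self, interfaces):
        self.ifaces = {i.name: i for i in interfaces}
        self.conns = set()  # state table: (proto, src, sport, dst, dport)

    def forward(self, in_if, out_if, proto, src, sport, dst, dport):
        """True if a packet arriving on in_if is passed out of out_if."""
        if (proto, dst, dport, src, sport) in self.conns:
            return True  # reply packet of an established connection
        ingress, egress = self.ifaces[in_if], self.ifaces[out_if]
        if ingress.acl_in is not None:
            # an inbound ACL replaces the security-level default entirely
            allowed = evaluate(ingress.acl_in, proto, src, dst, dport)
        else:
            allowed = ingress.security_level > egress.security_level
        if allowed and egress.acl_out is not None:
            # the outbound ACL on the egress interface is an additional gate
            allowed = evaluate(egress.acl_out, proto, src, dst, dport)
        if allowed:
            self.conns.add((proto, src, sport, dst, dport))
        return allowed


def build_example():
    """Three-interface box: inside filters what it lets in (only www from
    192.168.1.0/24); outside filters what may leave toward the Internet, so
    the dmz, which has no ACL of its own, still cannot send www out."""
    any_net = "0.0.0.0/0"
    inside_in = [Ace("permit", "tcp", "192.168.1.0/24", any_net, 80)]
    outside_out = [Ace("permit", "tcp", "192.168.1.0/24", any_net, 80),
                   Ace("permit", "tcp", "10.2.0.0/16", any_net, 443)]
    return Asa([Interface("inside", 100, acl_in=inside_in),
                Interface("dmz", 50),
                Interface("outside", 0, acl_out=outside_out)])


if __name__ == "__main__":
    asa = build_example()
    print(asa.forward("inside", "outside", "tcp", "192.168.1.10", 51000, "203.0.113.5", 80))
    print(asa.forward("outside", "inside", "tcp", "203.0.113.5", 80, "192.168.1.10", 51000))
    print(asa.forward("dmz", "outside", "tcp", "10.2.1.5", 5001, "203.0.113.5", 80))
```

Running the scenario shows both halves of the answer: the inside `in` ACL is what limits inside users to www (anything else from inside hits the implicit deny), and the `out` ACL on outside is how one interface is allowed www toward the Internet while another is not, without touching the other interface's inbound policy.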

jmprats Mon, 02/11/2008 - 01:20

Hello, I'm deploying ASA SSL VPN in my enterprise and I have a problem. I have installed the RDP plugin and published some terminal server with the link “rdp:///?Keymap=es” to have the Spanish keyboard in the terminal server session. But the problem is that this keymap haven't got written accents, which is basic to write in Spanish. For me, it's a big problem because I can't use ASA with SSL with this problem, because my users can't write without written accents.

I have tried the French keymap and it has written accents. I have downloaded the rdp-pugin.jar file to my PC and it has a keymap directory, if you edit the “es” file exactly it hasn't got the written accents (á,é, í, ó, ú, à, è, ò, ù).

Some help?

Can Cisco resolve this issue?

Can I edit this file and import it to the ASA?

How can I edit this file?

Thanks

Hunter Thu, 02/14/2008 - 14:08

I was checking around on this question. The best thing for this is a TAC case. This will get visibility into Development for the missing characters. Spanish is widely used so it will get attention. Regards, Tom

sousa-carlos Mon, 02/11/2008 - 06:45

Hello Tom My name is Carlos Sousa and I work in the city hall of Vila Nova de Gaia, and recently we bought a cisco ASA 5520 firewall with a trend micro module which includes anti X and anti spam .

After installing and configuring the firewall ASA with NAT for 4 external IP's, everything was OK with our internet link, but after configuring the Trend Micro module our internet connection becomes very slow then after trying a few different configurations on the Trend Micro module, we noticed that if we disable the URL Blocking, URL filtering option, file blocking and HTTP Scanning options the internet connection works fine, with a fast communication.

We have about 450 users on our network, and I would like to know if there is a problem having such a number of users accessing the internet through the trend micro "filter" and how to configure the ASA 5520 with the full anti X options working on Trend Micro so that we can have a normal internet connection speed.

bphan Mon, 02/11/2008 - 15:45

Carlos,

Which version of CSC software are you running?

It is very possible that you're being hit by CSCsh35086

This bug has been resolved in 6.2.1599.0

See Bug Toolkit link below for more details:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh35086

I would recommend upgrading CSC-SSM software to 6.2.1599.0. If the issue persists, go ahead and open a TAC case to close the loop on this one.

Regards,

Binh

sousa-carlos Tue, 02/12/2008 - 03:52

Binh,

Thanks for your post, but that is precisely the version of CSC that we are using (the version that comes with CSC SSM is 6.2.1599.0)

Regards,

Carlos

GRAEME DANIELSON Wed, 02/13/2008 - 09:10

Pretty sure there's a 6.2.1599.1 patch we had to apply late last year under TAC direction. Not sure of its bug fixes though, hopefully there's associated release notes.

Hunter Wed, 02/13/2008 - 10:19

The best thing to do at this point is open a TAC case and provide feedback directly into Cisco. Regards, Tom (and Binh)

slug420 Mon, 02/11/2008 - 07:19

Is the ASA going to replace the PIX? By this I mean will Cisco stop making/selling/supporting the PIX because they expect everyone to be on ASAs? How soon?

i-appleman Mon, 02/11/2008 - 11:45

Hi Tom,

I'm thrilled to 'meet' you, heh. I have a somewhat esoteric problem and can find no assistance anywhere (including TAC, and two friends who are CCIEs). We have an ASA-5520 in our main office, and a VPN 3000 Concentrator in a secondary office. We have a bunch of PIX 501's in our satellite offices. What we want to do is setup site-to-site VPNs from those PIXs to both the ASA and the VPN 3000 in such a way that the ASA is the primary VPN and if it fails, the VPNs will all switch over to the Concentrator. I can connect the PIX's to either the Concentrator or the ASA one at a time, but not together. Have you heard of any way to do this? If it can't be done, can you recommend a relatively low cost alternative? Thanks ahead of time.

Hunter Mon, 02/11/2008 - 16:18

You are limited by the interfaces and OS on the PIX501. Also the PIX line is identified as EOS now. Relatively low cost would point me to the ASA5505 product as a replacement, that would give you the "dual ISP" feature to work with. Keeping the PIX501's in service with an upstream device would probably be close to the same cost as replacement.

SpeedCisco Thu, 02/14/2008 - 00:37

Hi Tom,

We use ASA 5540 as vpn concentrator and firewalling. I was wondering if there is a utility similar to Get Pass that checks the encrypted password for the ASA's.

Thanks.

Hunter Thu, 02/14/2008 - 14:48

The password alg's on ASA are very tight. No analysis tools I know of touch them. Regards, TomH

You can "probably" do this by adding a second IP in your VPN peer config. At the main site and concentrator, set them to answer-only. I did a similar thing using an ASA 5505 with Dual ISPs back to a main branch. I set it up so that a failure on one ISP would bring up the VPN on the other. Theoretically it should work the same. This is assuming that 6.3(X) can support multiple peers....

Jay

Hunter Wed, 02/13/2008 - 10:25

You can support multiple peers, the only issue left is trying to control which path is used. The dual isp mechanism in ASA code will do the connectivity failover and failback for link selection. In 6.x code that control isn't there. Regards, Tom

i-appleman Thu, 02/14/2008 - 07:38

Would it be possible to use a routing protocol, like RIPv2 or OSPF as the control to decide which path to take?

GRAEME DANIELSON Mon, 02/11/2008 - 17:48

Hello Tom. I have a question about routing and NAT on the ASA

Will OSPF on the ASA advertise mapped NAT addresses that are in a unique network, i.e. not associated with an interface on the ASA? This is so I don't need to have a static on my upstream internet perimeter router for these NAT'd public addresses. If not OSPF, will any of the supported routing protocols advertise these NATs?

thanks in advance

bphan Mon, 02/11/2008 - 20:17

Unfortunately, this is not supported. You need to use static routes on the neighboring router(s) and redistribute them via OSPF process on the router itself.

GRAEME DANIELSON Tue, 02/12/2008 - 08:39

regarding OSPF advertising mapped NAT addresses. I have been looking into this a little more, I have found in the OSPF Overview of the Config Guide ( http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1057742 ) one of the OSPF features listed as:

•- Advertisement of static and global address translations.

This sounds like what I want. If not, what is this feature?

thanks

bphan Tue, 02/12/2008 - 13:10

Thanks for bringing this to our attention. This is apparently a documentation bug. It is indeed not supported as I previously stated.

I have notified the documentation team to get this corrected soon.

Regards,

Binh

marcohernandez Mon, 02/11/2008 - 20:56

Hi Tom,

Sometimes when trying to implement HTTP cut-through proxy there is a message: "Error 501 Not Implemented". The authentication is successful but this message is displayed in the browser. I have researched and found that "some method" sent to the web server is not supported by the Web Server (in this case the Appliance). Have you faced this?

Hunter Tue, 02/12/2008 - 20:22

I have not seen this one but I will research it and let you know. Can you provide any details around what the user is doing or load on the system (time of day?)

Hunter Wed, 02/13/2008 - 10:33

virtual http ip_address [warning] is the command used to implement this feature. The selection of the IP Address needs to be one that's vacant. The information found indicates the 500 message is returned if the address chosen is not vacant. Since the virtual auth-proxy IP address is only used for authentication purposes and it does not have an HTTP listener/daemon it will return such error. Regards, TomH

7dpursel Mon, 02/11/2008 - 21:55

Hi Tom, Great timing. I see you have 15 years experience. I would like to test your memory on some of the older FOS's. Thanks to David Chapman and Andy Fox's Cisco Press book, Cisco Secure Pix Firewalls, I have turned my Pix520 into a boat anchor. If it ain't broke, don't fix it. I was experimenting with upgrading to 6.3.5 from 5.1.4 when I discovered I didn't learn enough about memory requirements. Now I'm in a boot loop. I've yet to see a monitor prompt no matter how hard I try to interrupt it. I've been searching nearly all day since Saturday for a method that would allow me to get back to the pix514.bin file I have. Do you remember how?

Hunter Tue, 02/12/2008 - 11:03

Officially this is not supported or recommended. But may save your doorstop. Depending on the Flash you have, you can swap two of the eproms to force a Flash failure. Then it will drop to monitor mode, you can reformat and reload.

7dpursel Thu, 02/14/2008 - 08:07

Tx for the reply. I realize it's unsupported and EOL so I appreciate you applying your knowledge to my problem. I did swap the left pair, then the right pair, but still can't break into monitor mode. A couple more questions if I may. I've tried different boot helpers with no luck (with exception of the bh514.bin which I can't locate). Is a boot helper diskette supposed to put me into monitor mode such that I can do a tftp to reload version x.x.x? Is a particular version of boot helper flash dependent? Is there any documentation you're aware of on the flash card itself, i.e. dip switch settings, etc? Do I have to worry about using boot helpers with the ASA5520? Looking at Cisco Press - David Hucaby's book, there's no mention they are applicable, so I can't help but wonder if I could be in the same situation with our new box, hence maybe we should play and learn before it's in production. Tx for your answers and assistance.

algort Tue, 02/12/2008 - 02:36

On ASA can we configure a vlan interface as an inside port?

rstraube Tue, 02/12/2008 - 03:01

It is definitely possible to configure a VLAN interface as the "inside" one. Please consult the documentation using the following links:

Configuring VLAN Subinterfaces and 802.1Q Trunking

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1044006

Configuring Interface Parameters

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wpxref44915

regards

rene

Hunter Wed, 02/13/2008 - 18:13

I'll give you my best at this ... engineers usually don't choose part numbers. The ASA5510-BUN-K9 is an ASA 5510 Appliance with SW, 5FE, 3DES/AES. You probably should choose a ASA5510-CSC10-K9 (ASA 5510 Appl w/ CSC10, SW, 50 Usr AV/Spy, 1 YR Subscript) or ASA5510-CSC20-K9 (ASA 5510 Appl w/ CSC20, SW, 500 Usr AV/Spy, 1 YR Subscript) and the appropriate Feature license (more later). Which of these is right is up to your customer needs. The feature license will be ASA-CSC10-PLUS (ASA 5500 CSC SSM10 Plus Lic. (Spam/URL/Phish, 1Yr Subscript)) or ASA-CSC20-PLUS (ASA 5500 CSC SSM20 Plus Lic. (Spam/URL/Phish, 1Yr Subscript)) depending on what you choose in the hardware. Regards, Tom

I have the IPS set to promiscuous mode.

I get no reports or logs, I see no traffic on it. How do you know what it's doing? or get it to do something?

access-list IPS extended permit ip any any
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 xx.xx.xxx.1 1
route Inside 10.0.0.0 255.0.0.0 10.1.7.50 1
class-map IPS-CLASS
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
 class IPS-CLASS
  ips promiscuous fail-open

Hunter Wed, 02/13/2008 - 19:40

If you have TAC accessible turn around is faster than the forum. The configuration looks good ... so the problem is the sensor. Is ASDM showing the IPS icons for management? if yes - good. If no then the sensor is not configured and may be shutdown. At CLI level do a show module and check the output for the status of module 1. sho module 1 ... If it's up then login with user/pass you expect or the defaults ... if it's not up bring it up with the hw-module reset command. Check the ASA command reference guide for the hw-module commands.

After you login to the AIP then do a setup and check/change the parameters as necessary. Once that's done, logout of the AIP and go back to ASDM and the configuration tab for the IPS and login again to the AIP via the configuration screen and check the interfaces. If they are not what you have planned then configure as required.

At this point you should go to the IPS Netpro forum and browse the conversations there for information. The next step will be detailed at the AIP interface level and best followed from the doc's.

clausonna Tue, 02/12/2008 - 12:17

Hi Tom.

Could you please elaborate on ASA 8.0 and Dynamic Access Policies (DAP) with regards to Network/Web ACLs?

I'm specifically interested in the restriction that a DAP ACL's must be "all permit" or "all deny". Why is that so?

And, as a follow-up question:

I'm going to be doing SSLVPN via AnyConnect to the ASA, with authentication via RADIUS up to an ACS 4.1 appliance. I have one Tunnel Group and currently one - soon to be two - group policies. group-policy-employee will get full rights with no restrictions***, but group-policy-contractor should be significantly restricted (hence my ACL question.)

What's better: having both groups get assigned IP addresses from the same DHCP scope, but have the contractor policy have DAP ACLs, downloadable ACLs from the ACS, or should I assign the contractors from a totally different IP pool? I like the idea of having separate IP ranges based on policy, but want ACLs to be reasonably logical and manageable.

I've read everything I could on both the ASA and ACS sides, but the whole concept isn't well documented (but maybe I'm coming at it from the wrong angle.)

*** = I restrict internal users' access to the Internet with an "inside-to-external" ACL (explicitly deny a few things, allow 80, 443, 53, etc, deny everything else) and do the same for DMZ servers with a "dmz-to-external" ACL that is similar but different than the "inside-to-external" ACL. VPN users are "on" the outside interface, right? How can I ensure that the same rules apply to users whether they're VPN'ing into the network or are actually onsite? (note: NO split-tunneling allowed.)

PS - Yes, I know a NAC appliance is probably a better way to go for contractor/guest access. We're not quite there yet though! :-)

Thanks in advance!!!!

Hunter Thu, 02/14/2008 - 15:35

[this was provided by one of our SSL VPN experts]

Could you please elaborate on ASA 8.0 and Dynamic Access Policies (DAP) with regards to Network/Web ACLs?

I'm specifically interested in the restriction that a DAP ACL's must be "all permit" or "all deny". Why is that so?

--, In case of aggregating multiple DAP policies, it needs to be either all permit or all deny to easily prioritize the order of ACLs.

And, as a follow-up question:

I'm going to be doing SSLVPN via AnyConnect to the ASA, with authentication via RADIUS up to an ACS 4.1 appliance. I have one Tunnel Group and currently one - soon to be two - group policies. group-policy-employee will get full rights with no restrictions***, but group-policy-contractor should be significantly restricted (hence my ACL question.)

What's better: having both groups get assigned IP addresses from the same DHCP scope, but have the contractor policy have DAP ACLs, downloadable ACLs from the ACS, or should I assign the contractors from a totally different IP pool? I like the idea of having separate IP ranges based on policy, but want ACLs to be reasonably logical and manageable.

--, Assigning different IP pools makes better sense for management purposes. Not sure how you are planning to set the criteria for this separation (src IP? Or LDAP attribute etc..) but I have seen customers separate ip pools.

I've read everything I could on both the ASA and ACS sides, but the whole concept isn't well documented (but maybe I'm coming at it from the wrong angle.)

*** = I restrict internal users' access to the Internet with an "inside-to-external" ACL (explicitly deny a few things, allow 80, 443, 53, etc, deny everything else) and do the same for DMZ servers with a "dmz-to-external" ACL that is similar but different than the "inside-to-external" ACL. VPN users are "on" the outside interface, right? How can I ensure that the same rules apply to users whether they're VPN'ing into the network or are actually onsite? (note: NO split-tunneling allowed.)

--, We probably need more info on your setup. Are you planning to deploy Clientless? Or Client SSLVPN? A network ACL is useful for Client SSLVPN and the web ACL is useful for Clientless SSL VPN. If this is clientless VPN then you can also show limited Hyper Links on the Portal web site.

Regards, Tom

I have been looking at the netpro forums and one question seems to be asked a lot and never answered. How do you upgrade code on an asa from (through) the tunnel. I am holding off deployment until I get a usable solution.

(Remote) -vpn-> internet <-vpn- (HUB) - tftp server

When I issue:

copy tftp://x.x.x.x/asa803-k8.bin flash
Address or name of remote host [x.x.x.x]?
Source filename [asa803-k8.bin]?
Destination filename [asa803-k8.bin]?
Accessing tftp://x.x.x.x/asa803-k8.bin...
WARNING: TFTP download incomplete!
%Error reading tftp://x.x.x.x/asa803-k8.bin (Unspecified Error)

The TFTP server is working correctly. It sends and receives other jobs. It appears that the tftp command is only sending the request to the external interface. How do I get this to work?

I find it absurd I have to have a local machine in the remote site to update the ASA, what a waste. (Solution provided by Cisco TAC) I should be able to upgrade these boxes from my hub location.

Hunter Tue, 02/12/2008 - 20:48

The use of CLI implies that no GUI type management tools are in use. To push this code easily I would enable ASDM on the outside interface and use it (File Management on the menu bar at the top) to download the new images for ASDM and ASA to flash. Then you can change the "boot system" command line and the asdm image command line to load the new images the next time a reload occurs. This is safe from a security point of view since the connection is encrypted and authenticated ...

GRAEME DANIELSON Wed, 02/13/2008 - 09:30

For me the discovery of scp on the ASA (and IOS I think?) has been a godsend; no more tftp ugliness. If you already ssh in you're 99% there. Granted, it's still from the remote site but it's solid, simple and secure.

Configure "ssh scopy enable" then use your scp client to copy the image - I use PuTTY's pscp command line. I would presume you can get an image to wherever you ssh from?

qatarpetroleum Tue, 02/12/2008 - 20:20

Hello Tom,

Glad that you will address our design issue. We will be deploying FWSM with Inter-Chassis failover in the ServerFarm domain in our Data-Center.

The Data Center Topology is as follows. We have 3 server farm switches (2 x 6509s and 1 x 6513), SS-1, 2 and 3 which are connected to each other via L-2 port-channels. All the switches are in the same VTP domain and are in transparent mode. The vlans are defined in all the 3 switches uniformly.

These switches connect to a CORE-1 switch via L-3 port-channel. The clients connect through the CORE-1 switch.

We have FWSM module only on SS-1. The failover FWSM (Standby) will be in SS-2 and there is no FWSM in SS-3. However, the Server-Farm Vlans span to all the 3 switches, viz. SS-1, 2 and 3.

What I plan to do is move some of the production Server-Farm Vlans to behind the FWSM for protection. The MSFC interface VLAN will now move to the FWSM DMZ interface. The default gw. for each server will be the FWSM DMZ interface. Is this Ok. That is, the Firewall-DMZ will have vlans whose members are spread to all the 3 server farm switches. Note that SS-2 has a FWSM on standby and SS-3 has no FWSM module at all. The FWSM in SS-1 will be in Router mode and single context. That is, the MSFC in SS-1 will treat the FWSM as a next hop.

Please advise. If further clarification is needed, let me know.

rgds.,

Vasu Chari

bapatsubodh Tue, 02/12/2008 - 23:02

Hello,

We are having Cisco ASA 5520 series and we have configured IPS on that. But our consultant ( one reputed auditor MNC ) has objected and asked us to have dedicated separate IPS and IDS apart from ASA. Is it recommended investing again in separate appliances?

Please suggest or can have a link on cisco.com to have best possible ips or ids configured on existing ASA. And how to test this ?

Any link on cisco.com or experience is highly appreciable.

Thanks

Subodh
