
Ask the Expert: Cisco Adaptive Security Appliance (ASA) Firewalls: Lifeline of Today’s Data Centers

Jul 29th, 2013

With Akhil Behl

 

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions from Cisco expert Akhil Behl about the Cisco Adaptive Security Appliance (ASA) Firewalls: Lifeline of Today’s Data Centers including various new features of the Cisco ASA firewall as a next-generation data center firewall in terms of its capability, scalability, and performance. He can also answer questions on Cisco ASA as a next-generation data center firewall, providing clustering and intelligent threat defense using Cisco ScanSafe technology and access control based on Cisco TrustSec.

 

Akhil Behl is a solutions architect with Cisco Advanced Services, focusing on Cisco collaboration and security architectures. He leads collaboration and security projects worldwide for the enterprise segment as well as the collaborative professional services portfolio for the commercial segment. Previously at Cisco, he spent 10 years in various roles at Linksys and the Cisco Technical Assistance Center. He holds CCIE (Voice and Security), PMP, ITIL, VMware VCP, and MCP certifications. He has published several research papers in international journals, including IEEE Xplore. He has been a speaker at prominent industry forums such as Interop, Enterprise Connect, Cloud Connect, Cloud Summit, Cisco SecCon, IT Expo, and Cisco Networkers. He is the author of Securing Cisco IP Telephony Networks by Cisco Press. 

 

This event is a continuation of the live Webcast, and the panelists were Sumanta Bhattacharya and Parminder Pal Singh.

 


Sumanta Bhattacharya is a Network Consultant with Cisco Advanced Services and has more than 12 years of networking experience, specializing in Security topics that include Firewall / IPS / VPN, Wireless, Network Optimization, Audits, and Security assessments. He holds CCNP, CCSP, VCP & ISO 27001 Lead Auditor certifications.

 

Parminder Pal Singh is a Datacenter Specialist for Cisco Presales in Data Center and has more than 9 years of experience. Prior to this role he worked at companies such as VCustomer, Convergys and Aricent Technology Holdings. He is an active instructor for both Data Center & Network Security Technologies. He holds a CCIE certification (#19972) in the Security domain.

 

 

Remember to use the rating system to let Akhil and team know if you have received an adequate response. 

 

Akhil might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through August 9, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

 

Webcast related links:

 

 
ciscomoderator Tue, 07/30/2013 - 22:49

Hello Akhil, Sumanta and Parminder,

Here are a few questions picked from the many that attendees asked during the live webcast; can you please provide your responses to each of them individually?

  • What are the different modes in which ASA clustering can be achieved?
  • Is there a specific license required for ASA clustering? If yes, is it per firewall or only for Master?
  • Can I have different models of firewalls in an ASA cluster?
  • What models of Cisco ASA family support clustering?

Thanks!

akbehl Wed, 07/31/2013 - 05:19

Dear Cisco Moderator,

Please find the answers to the questions as follows:

  • What are the different modes in which ASA clustering can be achieved?

Cisco ASA Clustering is supported in 2 modes - Spanned and Individual interface. In spanned mode, the firewall's interfaces are bound into port channel(s) and LACP may be used to send the traffic to the firewalls in the cluster. In individual interface mode, the traffic is to be load balanced by a layer 3 device before the firewall (Router, ACE etc.) and the firewall has its interfaces with routable IP addresses.

  • Is there a specific license required for ASA clustering? If yes, is it per firewall or only for Master?

Yes, Cisco ASA requires a clustering license. This license is required for each node which will be a part of the cluster.

  • Can I have different models of firewalls in an ASA cluster?

No, the firewalls in a cluster should be the same platform - either 5580 or 5585(X).

  • What models of Cisco ASA family support clustering?

Cisco ASA clustering is supported only on ASA 5580, 5585 and 5585-X platforms as of today.


Akhil Behl
Solutions Architect


Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
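To make the two clustering modes described above concrete, here is an added configuration skeleton for the spanned EtherChannel mode (it is an illustrative example written for this thread, not configuration taken from the original post or from Cisco documentation). The cluster name, unit name, interface numbers, the CCL subnet and the outside addressing are assumed values; the cluster key is a placeholder. In spanned mode the cluster control link (CCL) and the data interfaces are both port channels, which is what lets the upstream Nexus vPC or VSS pair treat the whole cluster as one LACP neighbour.

```cisco
! --- Cluster Control Link (CCL): a dedicated port channel on every unit ---
interface TenGigabitEthernet0/6
 channel-group 1 mode on
 no shutdown
interface TenGigabitEthernet0/7
 channel-group 1 mode on
 no shutdown
interface Port-channel1
 description Cluster Control Link (assumed CCL bundle)
!
! --- Select spanned EtherChannel interface mode (requires a reload) ---
cluster interface-mode spanned force
!
! --- Cluster group: local-unit and the CCL IP are unique per unit ---
cluster group dc-cluster
 local-unit unit-1
 cluster-interface Port-channel1 ip 192.168.254.1 255.255.255.0
 priority 1
 key CLUSTER_KEY_PLACEHOLDER
 health-check holdtime 3
 enable
!
! --- Spanned data interface: one port channel shared by all members ---
! vss-id 1 / 2 tells the ASA which switch of the vPC/VSS pair each member link goes to.
interface TenGigabitEthernet0/8
 channel-group 10 mode active vss-id 1
 no shutdown
interface TenGigabitEthernet0/9
 channel-group 10 mode active vss-id 2
 no shutdown
interface Port-channel10
 port-channel span-cluster
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Default route towards the upstream Nexus pair (assumed next hop)
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

In individual interface mode the same data interface would instead carry its own routable IP on each unit (no `port-channel span-cluster`), and the upstream router would spread flows across the members; the CCL and `cluster group` section stay the same. Before using this on a real 5580/5585-X pair, the per-unit values (`local-unit`, the CCL IP, `priority`) must differ on every member, and the switch side needs a single vPC/VSS EtherChannel facing the spanned Port-channel10.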

vmuthumani Wed, 07/31/2013 - 22:26

Hi Akhil

I would like to know what the advantage is of using ISE with ASA firewalls. I am planning to have VPN users who will use AnyConnect and connect through ASA, and I am trying to understand what ASA can't do that ISE can do for VPN users when integrated with ASA.

Thanks

V.Muthu

akbehl Thu, 08/01/2013 - 10:17

Hello Muthu,

You asked a great question!

While ASA can act as a VPN termination point, it can only filter traffic or inspect the content passing through it. ISE can do much more in conjunction with ASA.

As I also illustrated in my presentation during the Webcast, ISE allows ASA to apply granular security rules based on posture assessment, posture remediation, and Security Group Tagging (SGT). This allows the administrator to allow or block access for a user to corporate resources based on certain attributes.

For example, upon connecting to ASA from IPsec or AnyConnect VPN, ISE can tell ASA if the user's antivirus is turned off and therefore allow only limited access to the network. This is much more than doing user authentication and authorization. You are actually limiting the user's access based on AV, Windows patches etc.

Hope this clarifies the difference between simple ASA based VPN and the SGT based features including posture validation of ISE.


Regards,

Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

exchangeit Thu, 08/01/2013 - 14:34

Does the Cisco ASA 5512-X support Traffic Shaping? I am installing one of these and I cannot find the command to enable traffic shaping under 8.6 and 9.1 firmware.

Running the following command does not work, because the shape option is not available.

policy-map outside-policy
 class class-default
  shape average 5000000

Is this because it is SMP firmware? Is shape not an option with SMP, and if so, why?

Thanks

--Blake

akbehl Fri, 08/02/2013 - 03:32

Hi Blake,

As of today, Cisco ASA multiprocessor / multicore units like the 5512-X do not support traffic shaping. Rather than being a firmware-specific restriction, it's a hardware-based restriction.

Please see the following URL (see model guidelines)

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/conns_qos.html#wp1112081

Hope the information provided is helpful!

Regards,

Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

exchangeit Fri, 08/02/2013 - 11:21

Thanks for the follow up, and confirming that I am not going mad.

Do you know if shaping will ever be supported?

Is it not a concern now, since the hardware is handling it implicitly?

Should priority queuing be used instead?

Thanks!

--Blake

akbehl Fri, 08/02/2013 - 12:25

Hello Blake,

I know where you are coming from and no worries.

As of today, shaping is not on the roadmap for multiprocessor or multicore firewalls. I know it's not something you'd like to hear.

You can use priority queuing on the outside interface to put the traffic into different queues and prioritize delay-sensitive traffic like RTP.

Regards,


Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953
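As an added illustration of the priority-queuing alternative suggested above for a multicore unit such as the 5512-X (this is example configuration written for this thread, not from the original posts or from Cisco documentation), the following enables the hardware priority queue on the outside interface, gives DSCP EF traffic strict priority, and polices the remaining traffic. The interface name `outside`, the class and policy names, the queue sizes and the 5 Mbps / 250 KB police values are assumed; the DSCP EF marking is assumed to be set by the voice endpoints.

```cisco
! Turn on the priority queue for the outside interface (one per interface)
priority-queue outside
 queue-limit 2048
 tx-ring-limit 256
!
! Classify delay-sensitive RTP by its DSCP marking (assumed EF from the phones)
class-map voice-rtp
 match dscp ef
!
! Strict priority for voice; police everything else instead of shaping it,
! because 'shape' is not available on the multicore platforms.
policy-map outside-policy
 class voice-rtp
  priority
 class class-default
  police output 5000000 250000
!
! Attach the policy to the outside interface
service-policy outside-policy interface outside
```

The practical difference from the `shape average 5000000` Blake tried is that policing drops traffic above the configured rate rather than buffering it, so TCP sessions see loss instead of added delay; the priority class is exempt from that and is serviced first from the tx ring. Check the result with `show service-policy interface outside` and `show priority-queue statistics outside`, which report per-class matches and priority-queue drops.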

r-godden Thu, 08/01/2013 - 14:44

Are there any Plans to support PIM BSR ?

akbehl Fri, 08/02/2013 - 03:43

Hi R-Godden,

As of today, there's no support for PIM-BSR through ASA firewall. Also, it's not seen as of yet on the roadmap.


Regards,


Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

syedumairali Fri, 08/02/2013 - 01:48

Hi Akhil,

This is regarding ASA placement in our datacenter network. My questions are below.

The Data Center comprises two Nexus 7Ks at the spine, connected to 6 Nexus 5Ks at the access layer. They run FabricPath in between.

We have a couple of firewalls (ASA 5585) which we plan to use for filtering+IPS+NAT (No VPN). We planned to connect them like this (sorry for my bad drawing):

-----------------------------Core Network----------------------------------------

|  /                                                                                          \   |

| /                                                                                            \  |

N7K01   ----inside/outside----- ASA01--------inside/outside --------- N7K02

  |                                         |CCL|                                              |

  \----------inside/outside----- ASA02--------inside/outside -------------/

Both N7Ks are in the same vPC domain, so they are running in Active-Active mode.

  1. Do we have support for the vPC feature on the firewall, or any plan for the vPC feature in the future?
  2. Does the clustering feature support Active-Active mode in the same context? Is it at the session level or the packet level?
  3. In the figure above, how do we make sure the routing is correct? Should we use Policy-based routing on the Nexus to force datacenter traffic towards the firewall?
  4. Is there any best practice document for ASA deployment in the data center?

Do you think that the following design is better?

-------------------------Core Network-------------------------------------------

|  /                                                                                          \   |

| /                                                                                            \  |

N7K01 ------inside/outside----- ASA01                                    N7K02

                                              |                                                 |

                                        ASA02--------inside/outside -------------/

Regards,

Umair

akbehl Fri, 08/02/2013 - 03:58

Hi Umair,

Your drawing looks just fine!

Here are the answers to your queries:

1. Do we have support for the vPC feature on the firewall, or any plan for the vPC feature in the future?

vPC is supported for the Cluster Control Link (CCL); please see the following URLs:

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1559338

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1595624

2. Does the clustering feature support Active-Active mode in the same context? Is it at the session level or the packet level?

Clustering is supported in single or multiple context mode. By default clustering is active/active. Clustering can be at Layer 2 (spanned, EtherChannel, vPC) or at Layer 3 (individual mode).

3. In the figure above, how do we make sure the routing is correct? Should we use Policy-based routing on the Nexus to force datacenter traffic towards the firewall?

If you have spanned interfaces with a port channel or routed interfaces, you have an IP address to route traffic to as the next hop. You can use this IP address as the gateway of last resort for everything going out of the DC. See the following topologies:

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1669969

4. Is there any best practice document for ASA deployment in the data center?

There are a few documents around ASA as a DC firewall detailing best practices. I've listed the ones I refer to most often:

ASA DC design guide for 550-X series

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/design_guide_c22-624431.html

ASA DC deployment guide

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Mid_DC_DataCenterDeploymentGuide-February2012.pdf

Cisco ASA DC config guide

http://docwiki.cisco.com/wiki/Cisco_ASA_Firewall_Configuration_for_Data_Center

Hope this information is helpful!

Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

shillings Fri, 08/02/2013 - 04:27

Hi Akhil,

Hope you can help with a couple of pre-sales/design queries.

  1. Any dates as to when Cisco will support both CX and IPS in the same box?
  2. Online Cisco documentation says it will implement IPS functionality into CX in future. Does this mean Cisco will simply fix the above interoperability issue, or will it develop an entirely new IPS solution that is embedded within CX?
  3. Any idea when Cisco will fix the EtherChannel restriction for ASA cross-stack connectivity (VSS is fine)? I appreciate there is a workaround and it's not exactly data centre, but would like to see it supported and working straight out of the box for the SME customer.
  4. Will ASDM be migrated to Prime Security Manager, like CX? If so, when?
  5. A brief scenario. You need to connect an active/standby HA pair. There are three spare interfaces on each firewall. Normally, I'd assign one interface for the failover link and one for the replication link. I'd also follow Cisco best practice and place a switch between each failover interface. However, could we negate the requirement for the switch by bundling two interfaces into a single EtherChannel (or use a Redundant interface)? I appreciate only one channel in the EtherChannel bundle is ever used at any one time, but that shouldn't be an issue. The point is that if one of the two failover ports fails on the active firewall, then connectivity is not lost. I think the chances of both failing are slim. The downside is that it requires a total of 3 interfaces, instead of just 2. Perhaps it's not a great idea, but would appreciate your thoughts (or those of any forum members).

Many Thanks!

akbehl Fri, 08/02/2013 - 13:26

Hi Shillings,

I'll try to answer your queries based on my know-how about the roadmap and feature sets.

1. Any dates as to when Cisco will support both CX and IPS in the same box?

First release of CX was planned without IPS support, though future release(s) do have IPS support for NGFW service module on the roadmap.

To your point, statistically, in many organizations it is not common to have all firewall and related services on the same network device, from performance and separation-of-duties perspectives. For those that need IPS functionality in the same physical chassis as a Firewall, ASA 5585-X supports a hardware (SSP) based IPS solution. I know this is not really in line with your query; however, I am trying to provide a perspective of how the larger community thinks.

2. Online Cisco documentation says it will implement IPS functionality into CX in future. Does this mean Cisco will simply fix the above interoperability issue, or will it develop an entirely new IPS solution that is embedded within CX?

As I mentioned earlier, I don't see an interoperability issue here since the FCS release never had IPS planned into it. IPS functionality for the CX NGFW services module is on the roadmap and will support full IPS capabilities.

3. Any idea when Cisco will fix the EtherChannel restriction for ASA cross-stack connectivity (VSS is fine)? I appreciate there is a workaround and it's not exactly data centre, but would like to see it supported and working straight out of the box for the SME customer.

This restriction still applies in the 9.x release and, from where I see it, it's there till defined on the roadmap. If you have a strong business case to have this feature, please approach your account manager to have your case shared with the BU (if not already done) so they can work on the same for future releases.

4. Will ASDM be migrated to Prime Security Manager, like CX? If so, when?

For now ASDM will continue to be the management interface for ASA and PRSM for NGFW CX. On the roadmap, the future plan is to manage ASA firewall features through PRSM, so that customers get a single management pane for ASA and NGFW Services.

5. A brief scenario. You need to connect an active/standby HA pair. There are three spare interfaces on each firewall. Normally, I'd assign one interface for the failover link and one for the replication link. I'd also follow Cisco best practice and place a switch between each failover interface. However, could we negate the requirement for the switch by bundling two interfaces into a single EtherChannel (or use a Redundant interface)? I appreciate only one channel in the EtherChannel bundle is ever used at any one time, but that shouldn't be an issue. The point is that if one of the two failover ports fails on the active firewall, then connectivity is not lost. I think the chances of both failing are slim. The downside is that it requires a total of 3 interfaces, instead of just 2. Perhaps it's not a great idea, but would appreciate your thoughts (or those of any forum members).

In my honest opinion, using a port channel with ASA failover is not the best of designs. The major reason is that you lose 2 interfaces for something which could have been handled by one and hence lose a good ZONE. Moreover, for ASA in an Active/Standby failover deployment, you need to create separate EtherChannels on the switches in the VSS, one for each ASA, which is an overhead.


Hope the information provided is useful!

Regards,

Akhil Behl
Solutions Architect

Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

shillings Sat, 08/03/2013 - 01:44

Thanks for taking the time to respond in full Akhil.

1. Any dates as to when Cisco will support both CX and IPS in the same box?

First release of CX was planned without IPS support, though future release(s) do have IPS support for NGFW service module on the roadmap.

To your point, statistically, in many organizations it is not common to have all firewall and related services on the same network device, from performance and separation-of-duties perspectives. For those that need IPS functionality in the same physical chassis as a Firewall, ASA 5585-X supports a hardware (SSP) based IPS solution. I know this is not really in line with your query; however, I am trying to provide a perspective of how the larger community thinks.

I can understand that from a data centre perspective. However, many small/medium businesses are not willing to spend on dedicated IPS sensors, 5585-Xs, or additional midrange firewall pairs, at least not in the UK in the current financial climate.

Also, if Cisco has concluded that IPS and CX features should not be combined in the same small/midrange appliance, then why is it not sticking to this decision? I do appreciate this is more of a product marketing topic, and not exactly data centre either, but thank you for being open to the questions. Hope I'm not getting you into hot water! It certainly adds value to the forum.

2. Online Cisco documentation says it will implement IPS functionality into CX in future. Does this mean Cisco will simply fix the above interoperability issue, or will it develop an entirely new IPS solution that is embedded within CX?

As I mentioned earlier, I don't see an interoperability issue here since the FCS release never had IPS planned into it. IPS functionality for the CX NGFW services module is on the roadmap and will support full IPS capabilities.

Good news.

In my honest opinion, using a port channel with ASA failover is not the best of designs. The major reason is that you lose 2 interfaces for something which could have been handled by one and hence lose a good ZONE. Moreover, for ASA in an Active/Standby failover deployment, you need to create separate EtherChannels on the switches in the VSS, one for each ASA, which is an overhead.

OK, thanks for your feedback on this.

akbehl Sat, 08/03/2013 - 08:02

Hi Shillings,

I understand your point here and agree with the same. However, what I said about the CX's IPS capabilities was a perspective based on what my colleagues have seen in today's Data Centers.

It goes without saying (and is the same as what you mentioned) that it's on a need-by-need basis, and as per the requirements of the network as well as organizational security requirements / regulatory requirements, one may or may not want the same platform to do multiple things. Cost also drives many things, and I agree that many organizations want to have an all-in-one security appliance or blade.

Again, Cisco isn't taking IPS away from CX; it is coming up with an option for it, as it is on the roadmap. So, you stay empowered in the next releases!

Regards,


Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

shillings Mon, 08/05/2013 - 06:54
I understand your point here and agree with the same. However, what I said about the CX's IPS capabilities was a perspective based on what my colleagues have seen in today's Data Centers.

It goes without saying (and is the same as what you mentioned) that it's on a need-by-need basis, and as per the requirements of the network as well as organizational security requirements / regulatory requirements, one may or may not want the same platform to do multiple things. Cost also drives many things, and I agree that many organizations want to have an all-in-one security appliance or blade.

Again, Cisco isn't taking IPS away from CX; it is coming up with an option for it, as it is on the roadmap. So, you stay empowered in the next releases!

Thanks Akhil.

On an IPS/CX related topic, and apologies that my CX understanding is not very good yet, but would CX benefit from using the integrated IPS to inspect SSL traffic? Put another way, my understanding is that CX can already decrypt, inspect, and then re-encrypt SSL traffic, but is there any value in sending the decrypted HTTP traffic to the IPS engine as well, or does CX already perform the same tasks that IPS does, in this particular scenario?

akbehl Wed, 08/07/2013 - 08:52

Hello Shillings,

Your understanding on CX is as good as mine : )

So, the basic difference in a firewall inspecting a packet and an IPS inspecting a packet is as follows:

Firewall inspection - is mainly geared towards UPnP-style protocols, e.g. FTP, SCCP, H.225 etc., to open ports dynamically and also to look at the content inside the packet and match it against one or another policy. Essentially the firewall does filtering based on static rules.

IPS inspection - is mainly required to drill down into the payload / header and, based upon signatures or attack profiles, take an action (depending on whether the IPS is inline or promiscuous). IPS can also perform heuristic analysis for 0-day signatures, which a firewall is not designed to do. So say there's a malicious payload being tunneled in an HTTP packet: while the firewall may not be able to look into the content and segregate it as malicious traffic, IPS can do it based on signatures, profiles, pattern matching or heuristics.

Hope this gives a perspective on CX vs. CX + IPS.

Regards,

Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

shillings Wed, 08/07/2013 - 11:32

OK, it was just a thought that there might be some direct co-operation between the two.

Thanks for all your responses.

S25012010 Sat, 08/03/2013 - 03:22

Dear team,

My Cisco 1841 router is not taking the clear counters command. Why?

akbehl Sun, 08/04/2013 - 12:47

Hello Sandeep,

This topic is dedicated to Cisco ASA's next gen security features.

Although your query is not in line with the topic, here are a few things you can try:

1. Since you have not provided a screenshot or the error, are you trying the command in privileged EXEC mode? See

http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfacces.html#wp1120161

2. If yes, do you have the right privilege to issue the command (if there's AAA local or server-based authorization)?

3. Are you able to issue any other clear counter commands, e.g. clear counters?

Try these. If you're not able to run any clear counters command, it's most probably AAA.

Regards,

Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

vmuthumani Sun, 08/04/2013 - 17:09

Hi Akhil

Thanks for the clarification, and some more questions:

1. For VPN users, is profiling not possible? If yes, do profiling and posture have any dependence? And any idea when ASA will start supporting profiling? Because I am planning to use iPads as VPN clients through ASA, authenticated by ISE.

2. Is MAC Authentication Bypass (MAB) also possible for AnyConnect VPN clients through ASA and controlled by ISE?

Thanks

V.Muthu


akbehl Sun, 08/04/2013 - 23:37

Hello V.Muthu,

As of today, ISE does not support VPN user profiling; however, this is on the roadmap. The major reason is that Cisco ASA does not currently forward the MAC address in the Calling-Station-Id of the RADIUS request, and the IP address alone cannot be used as a basis for profiling. For MAC bypass, you can try MAC Exempt in the VPN client pool. In your case, you can terminate (for the time being) the VPN on a headend device other than ASA and then authenticate the user via ISE. Again, this is a workaround till the support for VPN user profiling via ASA is out.

I hope this answers your query.

Regards,


Akhil Behl
Solutions Architect
Cisco Systems

Author of “Securing Cisco IP Telephony Networks”
http://www.ciscopress.com/title/1587142953

miller_mark Wed, 08/07/2013 - 23:05

Hello! Could you help me download ciscovusb.zip? I get a 502 Bad Gateway error.
