ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANCES (ASA)

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Omar Santos on how to deploy firewall, VPN, and IPS solutions with the Cisco ASA. Omar is a senior network security engineer in the WW Security Service Practice of Cisco’s Advanced Services for Network Security. He has more than ten years of experience in secure data communications. He has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. Government.

Remember to use the rating system to let Omar know if you have received an adequate response.

Omar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 22, 2005. Visit this forum often to view responses to your questions and the questions of other community members.

52 REPLIES
New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

A duplicate message entered by mistake ..

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Omar

1) I want to know more about the underlying architecture of the ASA. When you are configuring VPNs on the ASA using ASDM, does each action of yours result in a command entered in the CLI config? Is the VPN part of the CLI integrated with the PIX CLI itself, or do you have to access it using a 'session' command like you would with the AIP-SSM?

2) Your answer to the above may answer this one too, but I am asking it anyway. Since the concentrator and the PIX come together in one box, is there any duplication in VPN functionality with the ASA? The PIX has also been able to create VPNs in the past, and hence I'm wondering if, on one box, you can create VPNs using two components.

Thank you

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi,

The following are the answers to your questions:

1. When you configure the ASA via ASDM, each action can result in one or more commands that are appended to the configuration. The VPN configuration is part of the main CLI. You do not have to use the session command as you do with the AIP-SSM, which runs the IPS software.

2. The VPN capabilities of the Cisco ASA are combined features from VPN 3000 concentrator and the old PIX software. Consequently, you will see the combination of PIX-like crypto maps and configuration parameters like tunnel groups that were adopted from the VPN 3000 concentrators. You can see several configuration examples at:

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/index.htm

(part 3 configuring VPN)

and the ASA book at http://www.ciscopress.com/title/1587052091

There is also a document titled "Migrating to ASA for VPN 3000 Concentrator Series Administrators" posted at:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/migr_vpn/index.htm

Hope this information helps.

Best regards,

Omar Santos

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

I just found out, after configuring and setting up 1/2 dozen VPN tunnels, that ASA/PIX ver. 7 code sets the default 'isakmp identity' to 'hostname' instead of 'address', which was the default in previous versions of PIX code.

I've run into an issue with a VPN tunnel with a Nortel Contivity. Nortel has suggested that we change the 'isakmp identity' to 'address' because of Nortel's devices not using 'hostname' to identify a peer. As of right now, Phase 1 completion is not being recognized on the Nortel device, but IS being recognized by the ASA, running 7.04 code.

My question through all this is:

If I change the global ISAKMP identity parameter from 'hostname' to 'address', will this reset my current ISAKMP SAs? This is a medical environment that cannot be disrupted without notice.

Thanks in advance for any response...

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi,

By changing the ISAKMP identity parameter from 'hostname' to 'address', the ASA/PIX should not reset your current ISAKMP SAs... On the other hand, once the SAs expire and renegotiate IKE, the new parameters will take effect. As a side note, we have introduced the "auto" keyword on the isakmp identity command (i.e., isakmp identity auto)... with this the ASA determines the ISAKMP identity by connection type: IP address for preshared key or cert DN for certificate authentication.

Hope this helps,

Omar
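The two answers above (PIX-style crypto maps combined with VPN 3000-style tunnel groups, and the ISAKMP identity setting) fit together in one site-to-site configuration. The following is an added example and not configuration from the original posts; peer addresses, subnets, object names and the pre-shared key are placeholders, and the syntax is ASA 7.0 (7.2 and later prefix the isakmp commands with crypto).

```cisco
! Added example (not from the original posts): ASA 7.0 site-to-site IPsec.
! Addresses, names and the pre-shared key are assumptions.

! Phase 1: ISAKMP policy. AES-256/SHA/DH group 2 are assumed choices.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! 7.0 defaults to "isakmp identity hostname". A peer that matches only on
! IP address (the Nortel case above) needs "address" or "auto". With "auto"
! the ASA sends the IP address for pre-shared keys and the certificate DN
! for certificate authentication.
isakmp identity address

! Interesting traffic, and NAT exemption so VPN traffic is never translated
access-list L2L_VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list L2L_VPN

! Phase 2: transform set and the PIX-style crypto map
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside

! Tunnel group (inherited from the VPN 3000): for a site-to-site tunnel the
! group name is the peer address, which is also why identity "address"
! matters: the pre-shared key is looked up by the IP the peer presents.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
```

To confirm that changing the identity does not tear anything down, record "show isakmp sa" and "show crypto ipsec sa" before and after the change; the existing SAs stay up and the new identity is used at the next rekey. Only "clear isakmp sa" or "clear crypto ipsec sa" forces an immediate renegotiation, so keep those for a maintenance window.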

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

What is the best way of handling PDA/Phone devices that require Outlook Web Access from the Internet to an internal server? We are using WebVPN through an ASA appliance for PC access to OWA.

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi,

I have personally not tested PDA/Phones using OWA through WebVPN; however, here are some of the major guidelines... We support MS Outlook Web Access for Exchange 2000, Exchange 5.5, and Exchange 2003. It requires an MS Outlook Exchange Server at the central site (of course).

The "Configuring Email" section in the Cisco Security Appliance Command Line Configuration Guide has an example of how to configure the ASA parameters.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080334071.html#wp1042419

Regards,

Omar

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Omar:

How are you? I hope you are fine...

I have a question for you. I work in a company where we have a Cisco PIX 515E as the FW (it has just 3 FE interfaces). We want to replace it with one Cisco ASA 5510 (but we need it with 5 interfaces), and we want the AIP-SSM-10 module on it. Is that possible?

I checked on Cisco's webpage and they state that they have one ASA5510-SEC-BUN-K9 that has those 5 interfaces that I need but does not have the AIP-SSM-10 module; on the other hand, they are selling one ASA5510-AIP10-K9 that has that AIP-SSM-10 module BUT with 3 interfaces.

The bottom line is this... Can I buy one ASA5510-SEC-BUN-K9 with those 5 interfaces enabled, get one AIP-SSM-10 and stick it in the ASA5510, having all those 5 interfaces enabled?

If that is not possible, What do you recommend? Can I get the ASA5510-SEC-BUN-K9 without the AIP-SSM-10 and install one IDS-4215-4FE-K9 to monitor all my subnets?

I really hope you can help me because I already spoke to Cisco's Pre-Sales representatives, but they couldn't give me a clue.

Thank you very much!!!

Heriberto

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi Heriberto,

The 5510 has 5 FastEthernet interfaces. By default, only 3 are enabled for firewall/VPN traffic and 1 is enabled for out-of-band management traffic. However, with the "Security Plus" license you can enable all 5 interfaces for firewall/vpn traffic. The following link has a table/matrix that outlines this...

http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html

Hope this helps,

Omar

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi Omar,

I already took a look at that table, but it didn't answer my question...

If I get the ASA 5510 with the Security Plus license (so I can have those 5 interfaces working) can I add one AIP-SSM-10 Module to the appliance and continue to have those 5 interfaces working?

In other words, Is it possible to have the ASA 5510 Security Plus working with 5 interfaces and have the AIP-SSM-10 module working on that same appliance at the same time?

Thank you very much!!!

Heriberto

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi Heriberto,

Yes. It is possible to have the ASA 5510 working with 5 interfaces (with the Security Plus license) and have the AIP-SSM-10 module working on that same appliance at the same time. What you can't do is have the AIP-SSM and the new 4GE SSM on the same chassis (since the appliance has only one expansion slot).

Regards,

Omar

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi Omar,

I am a last-year student at a Finnish polytechnic and I'm (hopefully) graduating soon with a bachelor's degree in business and administration. I'm doing my thesis work for the school in relation to a Cisco Systems ASA 5510 and adapting it to manage user access to a laboratory network from the Internet.

I've been lucky enough to see Cisco Systems' Netlab environment at work at another polytechnic here in Helsinki, and this is the sort of functionality I'm interested in, though on a much smaller scale.

Prior to this I'd already constructed a small scale PHP/MySQL website/database for users to log in and to make reservations to use the class at certain times.

The website currently resides behind a DMZ interface of the Cisco Systems ASA 5510.

My questions are all related to this:

How would you go about creating the most secure possible way of transmitting user/timelists from a web database on to the Cisco Systems ASA 5510? Is this feasible? What in your mind are the main risks involved and how to avoid them?

Thank you!

Wishing a merry christmas to you,

Julius Tuomisto

Student

Helsinki, Finland

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi Julius,

The most secure way in your case will be to create an IPSec VPN tunnel to the Cisco ASA with the strongest supported encryption and hashing protocols (i.e., AES-256 and SHA). Creating this VPN tunnel will provide you with the communication mechanism to transfer your user information to the protected network.

The following link includes the configuration guidelines for IPSec VPNs (Part 3):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_70/cfg_gd/index.htm

Regards,

Omar

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

1) Does Active/Active on the ASA/PIX simply mean that one context can be active on an ASA while another context is in standby?

2) If I only need a single context in my environment (rather small network), I presume my only option is Active/Standby? Right?

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi,

1. In Active/Active ASA/PIX failover you configure two contexts per box... One context will be active and the other will be standby (and vice versa). There is a sample configuration at http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1046980

2. You can still configure Act/Act failover for small environments...

In Active/Active failover, you divide the security contexts on the security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups on the security appliance. The admin context is always a member of failover group 1, and any unassigned security contexts are also members of failover group 1 by default.

The failover group forms the base unit for failover in Active/Active failover. Interface failure monitoring, failover, and active/standby status are all attributes of a failover group, rather than the unit. When an active failover group fails, it changes to the standby state while the standby failover group becomes active. The interfaces in the failover group that becomes active assume the MAC and IP addresses of the interfaces in the failover group that failed. The interfaces in the failover group that is now in the standby state take over the standby MAC and IP addresses.

Regards,

Omar
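The failover-group description above maps onto a short system-context configuration. What follows is an added example, not configuration from the original post or the linked document; the interface names, context names, addresses and the failover key are assumptions, and both units must already be in multiple-context mode.

```cisco
! Added example (not from the original post): Active/Active failover,
! system execution space of the primary unit. Names/addresses are assumed.
! The subinterfaces Gi0/0.10, Gi0/1.10, Gi0/0.20 and Gi0/1.20 are assumed
! to exist already with their VLAN tags.
mode multiple

! Dedicated failover LAN link and stateful link. "failover key"
! authenticates and encrypts the failover/state traffic, which otherwise
! carries connection and translation tables in the clear across the link.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.1.1 255.255.255.252 standby 10.255.1.2
failover key REPLACE-WITH-A-SHARED-SECRET

! Two failover groups: group 1 prefers the primary unit, group 2 the
! secondary. "preempt" moves a group back once its preferred unit returns.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt

! Contexts are assigned to a group. The admin context and anything left
! unassigned end up in group 1, so only the contexts meant to run on the
! secondary unit need an explicit "join-failover-group 2".
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
 join-failover-group 1
context ctxA
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/ctxA.cfg
 join-failover-group 1
context ctxB
 allocate-interface GigabitEthernet0/0.20
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/ctxB.cfg
 join-failover-group 2

failover
```

The secondary unit needs only "failover lan unit secondary", the same link, interface-ip and key lines, and "failover"; the rest of the configuration is replicated from the primary. "show failover" then lists each group with its active/standby state per unit, which is the quickest way to see that group 2 really is active on the secondary and not simply standby everywhere. Put the two failover links on isolated segments: whoever can inject on them can influence which unit considers itself active.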

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

NAT-CONTROL

I am a little confused about this. Some say that if you are deploying a firewall at the edge which requires PAT for the inside users to reach the Internet, use nat-control.

However, can't I disable nat-control and still specify a nat/global pair? This way, I don't have to create additional NAT exemption statements for remote access VPN's, etc and also can let my inside users talk to DMZ servers freely if they abide by the ACL rules.

I would appreciate if you could give me two answers from you for the above.

Answer1 - technical (if it's possible or not)

Answer2 - best-practice (should I do what I am trying to)

Thank you very much Omar

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi,

The following are the answers to your question(s):

Answer1 - technical (if it's possible or not)

Yes. When you do "no nat-control" you can still translate (use NAT/PAT)... and all "untranslated packets" will still go through the ASA/PIX.

Answer2 - best-practice (should I do what I am trying to)

This all depends on your security practice and environment. A traditional "best practice" is to hide your internal/protected network from untrusted segments. But this all depends on your organization's security policy and technical requirements (i.e., some applications do not play well with NAT).

Hope this helps,

Omar
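The technical answer above is easiest to see with the same rule set under both settings. This is an added example, not configuration from the original post; interface names, subnets and the VPN pool are assumptions. The inside interface is given two subnets on purpose: one covered by a nat rule and one that is not.

```cisco
! Added example (not from the original post): nat-control on versus off,
! ASA 7.0 syntax. Interface names and addresses are assumptions.

! Rules common to both variants
! Dynamic PAT to the outside interface address for 10.1.1.0/24
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
! NAT exemption toward the DMZ and the remote-access pool: inside->DMZ is
! then governed by the interface ACLs alone and the VPN sees real addresses
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Variant 1: nat-control (PIX 6.x behaviour). A host in 10.1.2.0/24 matches
! no nat rule, so its packets to outside or DMZ are dropped and logged as
! syslog 305005 "No translation group found" until a rule is written.
nat-control

! Variant 2: no nat-control (the ASA 7.x default). The same 10.1.2.0/24
! host passes untranslated, subject only to the interface ACLs; PAT and
! the exemptions above behave exactly as before.
no nat-control
```

The practical difference is the safety net. With nat-control, a subnet or interface that nobody wrote a translation for cannot reach a lower-security interface at all; with no nat-control, the ACLs are the only control in that direction. If you choose the second variant, make the inside and DMZ interface ACLs explicit, because "no rule" now means "permitted by default", not "dropped".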

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi,

Is there any email feature in ASA (with SSM) that can be used to send email alert, e.g alert on detected intrusion attempt, directly to network admin without using any management server, e.g VMS server?

Thank you.

AK

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

You can configure an email (SMTP) server and Email Logging Level on the ASA for Firewall and VPN related messages. For IPS (SSM) messages you will need to use a management server (i.e., VMS or MARS).

For the FW/VPN Logging Email you can use the following commands:

ciscoasa(config)# logging recipient-address test@testemail.com

then select the syslog level of messages that will be sent via email...

ciscoasa(config)# logging mail ?

configure mode commands/options:
  <0-7>          Enter syslog level (0 - 7)
  WORD           Specify the name of logging list
  alerts
  critical
  debugging
  emergencies
  errors
  informational
  notifications
  warnings

and configure the smtp server:

ciscoasa(config)# smtp-server 1.1.1.1

Hope this helps.

Regards,

Omar
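The three commands above are the core of it; the following added example (not configuration from the original post) shows them in a complete, working set, including the sender address the ASA needs and a named logging list that narrows the mail to VPN messages. Addresses, mailbox names and the list name are assumptions.

```cisco
! Added example (not from the original post): e-mail alerting for
! firewall/VPN syslog messages, ASA 7.0 syntax. Addresses are assumptions.
! AIP-SSM (IPS) events do not flow through this path.
logging enable
logging timestamp
smtp-server 10.1.1.25
logging from-address asa01@example.com
logging recipient-address secops@example.com level critical

! Option A: everything at severity critical (2) and above goes by mail
logging mail critical

! Option B: a named list. Only the IKE/IPsec message class at severity
! errors (3) and above is mailed, so routine notices do not flood the inbox.
logging list VPN_ALERTS level errors class vpn
logging mail VPN_ALERTS

! Keep the complete stream on a syslog server; the e-mail filter is for
! paging people, not for the record
logging host inside 10.1.1.50
logging trap informational
```

Two cautions: the ASA hands the message to the SMTP server in cleartext and without authentication, so the relay belongs on a trusted inside segment, not across the Internet; and a mail level of notifications or informational will generate a message per connection and effectively mail-bomb the recipient, so start at errors or critical and widen only through a named list.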

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

I bought a failover PIX unit (2 PIXs, one active and one standby) for our project 6 months back. Circumstances made me use these two PIXs for 2 different projects. Both PIXs are in active configuration.

Now the problem is that the standby PIX, which is in the active role, is getting restarted every 8 hours and not functioning as expected. Every time I need to restart it and give the "failover active" command specifically to bring the PIX up.

I am aware that the separate usage of the standby PIX in the failover unit is not recommended by Cisco.

Please give me a resolution if any…

Thanks in advance…

Sumesh T

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi,

This is expected. The PIX Firewall with the FO license is intended to be used solely for failover and not in standalone mode. If a failover unit is used in standalone mode, the unit will reboot at least once every 24 hours until the unit is returned to failover duty. When the unit reboots, the following message displays on the console:

  =========================NOTICE=========================
  This machine is running in secondary mode without
  a connection to an active primary PIX. Please
  check your connection to the primary system.
  REBOOTING....
  ========================================================

You can refer to this disclosure at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/failover.htm

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Is there any workaround solution for the same,

like a licence upgrade or a command to increase the restart duration?

please reply..

--sumesh T

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi Sumesh,

Yes. You can upgrade your license. Your local account team will be able to help you/guide you on how to obtain such upgrade.

Regards,

Omar

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi Omar,

Can you tell me if it's possible to do stateful failover of VPN sessions with a pair of 5540s? We have them running Active/Standby with both a failover and a stateful failover link. The 5540 is terminating VPNs from clients. I have tried to read the documentation but this failover is unclear: is it just firewall information being exchanged on the stateful link, or is it also VPN information?

Thanks

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi,

The ISAKMP and IPSec SA tables are transferred during a failover. The state information passed to the standby unit includes the following:

•NAT translation table.

•TCP connection states.

•UDP connection states.

•The ARP table.

•The Layer 2 bridge table (when running in transparent firewall mode).

•The HTTP connection states (if HTTP replication is enabled).

•The ISAKMP and IPSec SA table.

•GTP PDP connection database.

The information that is not passed to the standby unit when Stateful Failover is enabled includes the following:

•The HTTP connection table (unless HTTP replication is enabled).

•The user authentication (uauth) table.

•The routing tables.

•State information for Security Service Cards.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1052476

Regards,

Omar

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

I have questions about security contexts in an ASA 5520 when implementing transparent firewall, multiple mode (I also have an activation key for more security contexts).

1. I have 4 security contexts and 1 admin context. Does the admin context only need a MGMT IP so I can access the ASDM GUI? And will I only need to specify interfaces in the admin context if I'm using a SYSLOG/MGMT server?

2. I also have an SSM-10 module. I want to send all data traffic from those 4 security contexts to the SSM. Will I only need to implement the MPF commands in the admin context?

3. I'm setting up 2 ASAs to Active/Active, each box with 4 security contexts. Should I put all 4 contexts into failover group 1? Even after reading some of your posts, I'm not clear why I might need 2 failover groups.

Thanks in advance for your help.

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi,

The following are the answers to your questions:

1. I have 4 security contexts and 1 admin context. Does admin context only need a MGMT IP so I can access the ASDM GUI? And will I only need to specify interfaces in the admin context if I'm using a SYSLOG/MGMT server?

In multiple-context transparent mode you must specify an IP address for management purposes (i.e., connecting via ASDM, SSH, Telnet, Syslog, AAA, etc.).

The transparent firewall configuration requires a management IP address on each of the contexts, since they are "independent virtual firewalls" (think about them as separate entities). The security appliance uses this IP address as the source address for packets originating on the security appliance. The management IP address must be on the same subnet as the connected network.

In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

-- If multiple contexts are associated with the ingress interface, then the security appliance classifies the packet into a context by matching the destination address to one of the following context configurations:

- Interface IP address (the ip address command)

The classifier looks at the interface IP address for traffic destined to an interface, such as management traffic.

2. I also have an SSM-10 module. I want to send all data traffic from those 4 security contexts to the SSM. Will I only need to implement the MPF commands in the admin context?

You will configure MPF commands on each context.

3. I'm setting up 2 ASAs to Active/Active, each box with 4 security contexts, should I putting all 4 contexts into failover group 1? Even after reading some of your posts, I'm not clear why I might need 2 failover groups.

You need two failover groups for Active/Active failover. Failover group 1 is commonly used for the active context(s) and failover group 2 is configured to be in standby mode... More info and sample configs are located at:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1096075

Regards,

Omar
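Answers 1 and 2 above come down to "each context carries its own management address and its own MPF policy". The following added example (not configuration from the original post) shows one of the four data contexts in transparent mode with its management IP, its management and syslog settings, and the inline IPS policy that has to be repeated in every context. Context, interface and VLAN names and the addresses are assumptions.

```cisco
! Added example (not from the original post): one data context, "ctxA",
! on a transparent-mode, multiple-context ASA 5520 with an AIP-SSM.
! Names, VLANs and addresses are assumptions.

! ---- system execution space (firewall mode is set once for all contexts)
mode multiple
firewall transparent
context ctxA
 allocate-interface GigabitEthernet0/0.10 inside_if
 allocate-interface GigabitEthernet0/1.10 outside_if
 config-url disk0:/ctxA.cfg
 join-failover-group 1

! ---- inside context ctxA ("changeto context ctxA")
! A transparent context bridges exactly two interfaces and has one global
! management IP on the bridged subnet. The ASA sources syslog, AAA and
! management replies from this address, so every data context needs one,
! not just the admin context.
interface inside_if
 nameif inside
 security-level 100
interface outside_if
 nameif outside
 security-level 0
ip address 192.168.10.5 255.255.255.0

! Management access and logging are per context as well
ssh 192.168.10.0 255.255.255.0 inside
logging enable
logging host inside 192.168.10.50

! MPF: this context's traffic is handed to the AIP-SSM inline. The admin
! context's policy does not cover the data contexts; repeat this in each.
! fail-close drops traffic if the SSM fails; fail-open lets it bypass.
class-map IPS_TRAFFIC
 match any
policy-map global_policy
 class IPS_TRAFFIC
  ips inline fail-close
service-policy global_policy global
```

The fail-close versus fail-open choice is the one security decision in that block: fail-close keeps the inspection guarantee at the cost of an outage when the module reboots or is upgraded, fail-open keeps the network up while the module is down. Decide per context, because the contexts may protect segments with different tolerances.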

New Member

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Omar,

I am maybe asking a question that shouldn't be a part of this conversation considering that it has more to do with troubleshooting, but I am wondering if you have ever seen a situation where a user wants to access a shared folder on a domain controller via webvpn and gets "access denied"? This however works using a Cisco VPN client. I know that it has nothing to do with the ASA 5510 and its configuration, because we can get through with no problems and I see the link in my browser pointing to the shared drive. The ACS server shows the user successfully authenticated (RADIUS).

Thanks,

\Dragi

Bronze

Re: ASK THE EXPERT – DEPLOYING CISCO ADAPTIVE SECURITY APPLIANC

Hi Dragi,

Can the user access other CIFS shared folders within the WebVPN connection or is this the only one that you are initially testing? If no other shares are accessible check the following:

1. make sure that the concentrator has a name server configured and that its private IP address is allowed to resolve the name of the internal share

2. After checking the above enable the CIFS and CIFSDBG with sev to log 1-9 under Configuration | System | Events | Classes and collect the logs when the user attempts to connect to the share. This will give us more information about what exactly is happening.

Regards,

Omar
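Point 1 above (the appliance must be able to resolve the file server's name) corresponds to a few lines of ASA-side WebVPN configuration. The following is an added example, not configuration from the original post; the DNS/WINS addresses, share names, group-policy name and RADIUS server group are assumptions, and the syntax follows ASA 7.0 (7.1 and later rename the functions keyword to separate file-browsing and file-entry commands).

```cisco
! Added example (not from the original post): WebVPN CIFS file access on
! ASA 7.0. Names and addresses are assumptions.

! Name resolution from the ASA itself: the portal reaches "dc01" through
! these servers, not through the client's resolver
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.1.10
 domain-name corp.example.com

webvpn
 enable outside
 ! NetBIOS name server for CIFS browsing; "master" marks the primary WINS
 nbns-server 10.1.1.10 master
 ! Pre-defined link on the portal: list name, display name, URL, index
 url-list SHARES "DC01 share" cifs://dc01.corp.example.com/share 1

! Group policy that allows file browsing and entry of share paths
group-policy WEBVPN_USERS internal
group-policy WEBVPN_USERS attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions url-entry file-access file-browsing file-entry
  url-list value SHARES

! RADIUS (ACS) authentication for the portal, as in the question above
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ACS_RADIUS
 default-group-policy WEBVPN_USERS
```

If the share still returns "access denied" after names resolve, "debug webvpn cifs" on the ASA shows the SMB exchange with the server and separates a name-resolution or connectivity problem (no session at all) from a permissions problem (session established, server refuses the path), which is the distinction the troubleshooting steps above are aiming at.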
