Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Omar Santos how to deploy firewall, VPN, and IPS solutions with the Cisco ASA. Omar is a senior network security engineer in the worldwide security service practice of Cisco's advanced services for network security. He has more than ten years of experience in secure data communications. He has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. Government. Omar has lead several secure data communications implementations with the United States Marine Corps (USMC) and Department of Defense (DoD).
Remember to use the rating system to let Omar know if you have received an adequate response.
Omar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 8, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
hi omar nice to have in the forum. let me post the first query in this topic.
in security contecxt vpns are not allowed routing protocols are not allowed. then what is the use of this security context. it only does the stupid natting and nothing more.
is there any chance in the newer ios that vpns will be allowed in multiple context mode. caue other products like netscreen, checkpoint,fortinet. when will the asa come at par with the other products. cause even for active/active we are forced to run context and in context actually it;s active/standy just like per vlan hsrp.
in failover also asa doesn;t pass on the ipsec sa to the standby one nor even the routing updates which netscreen supports.
will this features will ever be supported in cisco asa.
i am not against cisco by any means. just expressed my concerns abt asa.
agree to that - i got the ASA 5520 with the IPS module and wanted to use the security context and was very disappointed i cant use the ASA as VPN device and activate OSPF when running the ASA a mutiple security context mode.
Thank you for your comments. This is also a concern from other customers as well. The ASA with security contexts still support all the other features within the ASA. NAT like you mentioned, deep packet inspection, access control, active/active and active/standby failover,etc. The ASA development team is working very hard to integrate the other features (like VPN and routing protocols) with the use of security contexts, although there is no an estimated completion date.
hi omar thanks a lot for ur reply. we really hope cisco asa stands in the market at par with other products.
hi omar right now i am trying to implement shell command authorization locally on asa.
i have 2 users cisco and admin
admin user is at level 5 and cisco user at level 7
i have issued this commands
privilege clear level 5 command access-list
privilege show level 5 command access-list
privilege cmd level 7 mode exec command configure
here if u see level 7 inherits the level 5 commands for show access-list and clear access-list. but when level 7 user logs in the configure mode he can do clear configure access-list command also. how do i stop it then. cause i have only permitted level 7 user to access configure mode. now he can delete the access-list done by some other user.
why the asa is functioning this way or is my config wrong.
pls reply back at ur earnest.
thanks a lot .
You are in the correct path; however, you may be overlooking a couple of things. Just out of curiousity, when you login as "cisco" (the level 7 user) you are not typing enable and then entering into enable (level 15 mode), right?
If you are doing so, then you will have level 15 anyways, since by entering the enable password/secret you are now put into level 15; so technically you should be able to execute any other commands, not just only the clear configure access-list command.
hi omar no i have created 2 seperate enable passwords at level 5 and level 7 . and i doing enable 7 and typing in ebale 7 password and loggin in . show curpriv i can see my privilege level as 7 only. and like i said level 7 user doesn;t get access to all the commands.he cannot create access-list but he can delete access-list with the clear configure access-list.the clear commands were enabled for level 5 user which the level 7 user has inherited.
the level 7 user could only go into the configure mode. but why is he allowed with the clear configure command. can u pls help
why is it this way.
Just update from pix 515 to ASA 5520 and interested in blocking Im and file sharing programs. It was a beast with the 515e, I heard its a little easier with the new code (7.2(1). Can you point me to some documentation in doign this?
Is it possible to use antivirus and ips module in same ASA box.
in 5510 we cannot, but in higher models like 5520 or 5540 is it possible to integrate these 2 modules.
is there any issues like if i use IPs module in ASA i cant use the ASA as VPN box or cant use VPN services?
and if a remote user is connecting using VPN soft client how much band width will it take ?