Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about how to deploy Cisco ASA and PIX security appliances with Cisco expert Tom Hunter. Tom is a technical marketing engineer for the Cisco Security Technology Group. In his 15-year career at Cisco, Tom has provided technical marketing support for the Cisco PIX and ASA family of products, starting with release 1.7. From hands-on network operations to supporting deployment of multisite topologies, Tom brings a wealth of experience to his role. He has been a network security specialist for his entire professional career, beginning with cryptographic communications in the military. You will find him regularly contributing to the Security VT program as well as presenting the latest Cisco security product solutions in the Executive Briefing Center and at Networkers symposiums.
Remember to use the rating system to let Tom know if you have received an adequate response.
Tom might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 22, 2008. Visit this forum often to view responses to your questions and the questions of other community members.
Thanks for coming out and answering our questions. Is there any chance Netflow will be supported on any other platform besides the 5580?
Netflow logging is a high-speed alternative to syslog. The 5580 will make good use of its features due to its performance levels. The development team will be watching customer reaction to this feature to determine what the next steps should be. Let your Cisco contacts know your interest.
Sorry for not RTFM'ing the docs on the 5580, but does ASA Netflow send flows -only- for flows that are actually permitted through the ASA, or does it flow for everything (incl. denied traffic).
My guess is the former, but I wanted to be sure.
Just for the record, we're heavily leveraging Netflow off of the routers and I'd be extremely interested in seeing it on the 5510/5520 platforms.
Watch the ASA Product page http://www.cisco.com/en/US/products/ps6120/prod_white_papers_list.html for a paper on ASA Netflow. It's still a bit of time from being published, so it may be located on a different link. The netflow messaging grabs about 8 common messages around flows and packages them as two netflow messages. It helps considerably in the area of auditing traffic, as the syslog messages typically collected for this are now together.
How nice to see you in here, thanks for coming and for your time.
There are some questions that I have searched for answers that will unlock the question marks in my head, read comments from other experts in forums, read Cisco articles etc., but never been able to get the answer which would make me say "Aha!". I am sure your experience will be the key.
Access-list inside_access_in permit tcp 192.168.1.0 255.255.255.0 any eq www
Access-group inside_access_in inbound interface inside
Above access-list permits inside hosts to browse the internet. Question is, this is an outbound process, but why is it grouped to the inside interface as "inside_access_in inbound"? What does the outbound option in access-group stand for, and in what kind of a scenario can we implement "access-group inside_access_out outbound inside"? Can you please describe with an example according to your experiences?
I read about nat-control articles in Cisco etc., comments by other experts, but could not find a good explanation and configuration in production. What happens if I issue no nat-control? Does the appliance start acting like a router and work between interfaces and route without any NAT, exempt NAT or static entries? If yes, how would ACLs work in this case? No ACLs for traffic from a higher security interface to a lower security interface, and permit ACLs for traffic from a lower security interface to a higher security interface?
What is static (inside,inside) or static (dmz,dmz) used for? Can I use this when I want to NAT my inside host to a desired IP in the inside interface (not in a different interface)? It would be useful for overlapping networks between L2L peers or etc. Or is this only for DNS doctoring?
I have heard that we can assign user specific ACLs to VPN users if we use a RADIUS server (Windows IAS for example) by setting an attribute in IAS (attribute 25 or something like this). Do you have a link for a document for this?
Is it possible to make IP reservation for a VPN client which acquires IP from specified DHCP server? Does a VPN client have a static MAC address for making IP reservations?
Do you know a book (maybe a Cisco release) about intermediate and advanced debugging levels, how to analyze debugs?
Is it possible to add policy routes just like policy NATs? If not, would it be in further IOS?
Thanks a lot for your time!
Hi Tom, glad to have you in the forum.
Can you please tell whether Cisco is planning to target the MSSP market with the ASAs? Because for that the ASA is really not competent like other vendors like Juniper, Fortinet and Checkpoint.
The security context in ASA is not at all useful.
For basic active/active configuration we have to use contexts, which is not the case with other vendors.
And from a real point of view, you know it's not real active/active: at any point in time on a single firewall only one context is active. Just for getting active/active we have to segment our network.
Going to active/active disables routing, and the most important thing, VPNs.
Will ASA ever support having separate routing domains like virtual routers in NetScreen and separate VPN tables for each context?
Ok, you have 6 questions here ...
1 - Consider the PIX/ASA as the center of the world ... on any particular interface traffic comes in (inbound) and traffic departs (outbound). You can save capacity by blocking inbound traffic you don't want. The access list statement indicates ONLY www users can pass inbound. No other protocol overheads are incurred. Outbound blocks traffic outbound on an interface ... what if your PIX/ASA has 5 interfaces, the inbound limits traffic to only www ... but if you want ONLY one interface to permit www outbound then you would want to block www inbound on the others. Of course all of this is selectable by address space.
2 - Your PIX/ASA is configured NAT-CONTROL so you understand how all the NAT and ACL features work ... You also understand that any traffic not described by NAT does not get out. So what about NO NAT-CONTROL? It impacts traffic _not described in NAT statements_. All the NAT features still work as described ... the impact is to the address space not described by NAT ... it is no longer blocked. All ACLs, security level rules, statefulness, etc. now can traverse the PIX/ASA. Lower level interfaces cannot initiate inbound connections without ACLs ... etc.
3 - This kind of a static is a method to direct an inside client to an inside server when an external DNS returns an external address. An external static (I,O) will define the relation to an inside server. The DNS query of an inside client will return the external address. The client will try to build that connection ... the inside static (I,I) will redirect the inside client back to the inside server following the DNS lookup.
4 - From the Config guide 8.0 Firewall sect. http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html#wp1056570
5 - Not currently possible to make a DHCP reservation.
6 - I have no recommendations on books, there are a variety of good ones ... and I do tend to lean to Cisco Press. If you need policy routing check IOS and let your Cisco contact know.
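A configuration sketch for answers 1 and 3 above, added here as an illustration and not part of Tom's reply or any Cisco document. It uses the pre-8.3 static/global/nat syntax current at the time of this thread (the access-group direction keywords are in and out), and the server and public addresses are made up:

```cisco
! --- Answer 1: direction is relative to the interface the ACL is bound to ---
! "in" on inside = packets arriving from inside hosts; only www is allowed.
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-group inside_access_in in interface inside
! "out" on outside = packets leaving the ASA toward the Internet. With several
! inside-facing interfaces this caps what exits in one place instead of
! repeating the same restriction in every inbound ACL.
access-list outside_access_out extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-group outside_access_out out interface outside

! --- Answer 3: static (inside,inside) for a server published on the outside ---
! Constructed addresses: web server 192.168.1.10 is published as 203.0.113.10.
! External clients reach it through the ordinary (inside,outside) static.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! An inside client whose DNS answer is 203.0.113.10 sends that packet into the
! inside interface. The (inside,inside) static rewrites the destination to
! 192.168.1.10 and the session is hairpinned back out the same interface.
same-security-traffic permit intra-interface
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! The client source must also be translated (to the inside interface address),
! otherwise the server answers the client directly and the ASA never sees the
! return half of the flow. global (outside) keeps normal outbound NAT working.
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
! Alternative when the ASA can inspect the DNS reply: rewrite the A record
! (DNS doctoring) so the client connects to 192.168.1.10 directly and no
! (inside,inside) static is needed.
! static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 dns
```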
Hello, I'm deploying ASA SSL VPN in my enterprise and I have a problem. I have installed the RDP plugin and published some terminal servers with the link "rdp://
I have tried the French keymap and it has written accents. I have downloaded the rdp-plugin.jar file to my PC and it has a keymap directory; if you edit the "es" file, exactly it hasn't got the written accents (á, é, í, ó, ú, à, è, ò, ù).
Can Cisco resolve this issue?
Can I edit this file and import it to the ASA?
How can I edit this file?
I was checking around on this question. The best thing for this is a TAC case. This will get visibility into Development for the missing characters. Spanish is widely used so it will get attention. Regards, Tom
Hello Tom. My name is Carlos Sousa and I work in the city hall of Vila Nova de Gaia, and recently we bought a Cisco ASA 5520 firewall with a Trend Micro module which includes anti-X and anti-spam.
After installing and configuring the firewall ASA with NAT for 4 external IPs, everything was OK with our internet link, but after configuring the Trend Micro module our internet connection became very slow. Then, after trying a few different configurations on the Trend Micro module, we noticed that if we disable the URL Blocking, URL filtering option, file blocking and HTTP Scanning options, the internet connection works fine, with fast communication.
We have about 450 users on our network, and I would like to know if there is a problem having such a number of users accessing the internet through the Trend Micro "filter", and how to configure the ASA 5520 with the full anti-X options working on Trend Micro so that we can have a normal internet connection speed.
Which version of CSC software are you running?
It is very possible that you're being hit by CSCsh35086
This bug has been resolved in 6.2.1599.0
See Bug Toolkit link below for more details:
I would recommend upgrading CSC-SSM software to 6.2.1599.0. If the issue persisted, go ahead and open a TAC case to close the loop on this one.
Thanks for your post, but that is precisely the version of CSC that we are using (the version that comes with CSC SSM is 6.2.1599.0)
Pretty sure there's a 6.2.1599.1 patch we had to apply late last year under TAC direction. Not sure of its bug fixes though; hopefully there are associated release notes.
The best thing to do at this point is open a TAC case and provide feedback directly into Cisco. Regards, Tom (and Binh)
Is the ASA going to replace the PIX? By this I mean will Cisco stop making/selling/supporting the PIX because they expect everyone to be on ASAs? How soon?
The PIX product line has just gone End-of-Life, as the following bulletin shows:
Support will continue up to July 2013 when the product line becomes officially obsolete.
I'm thrilled to 'meet' you, heh. I have a somewhat esoteric problem and can find no assistance anywhere (including TAC, and two friends who are CCIEs). We have an ASA-5520 in our main office, and a VPN 3000 Concentrator in a secondary office. We have a bunch of PIX 501s in our satellite offices. What we want to do is set up site-to-site VPNs from those PIXs to both the ASA and the VPN 3000 in such a way that the ASA is the primary VPN and if it fails, the VPNs will all switch over to the Concentrator. I can connect the PIXs to either the Concentrator or the ASA one at a time, but not together. Have you heard of any way to do this? If it can't be done, can you recommend a relatively low cost alternative? Thanks ahead of time.
You are limited by the interfaces and OS on the PIX501. Also the PIX line is identified as EOS now. Relatively low cost would point me to the ASA5505 product as a replacement, that would give you the "dual ISP" feature to work with. Keeping the PIX501's in service with an upstream device would probably be close to the same cost as replacement.
We use ASA 5540 as VPN concentrator and firewall. I was wondering if there is a utility similar to Get Pass that checks the encrypted password for the ASAs.
You can "probably" do this by adding a second IP in your VPN peer config. At the main site and concentrator, set them to answer-only. I did a similar thing using an ASA 5505 with Dual ISPs back to a main branch. I set it up so that a failure on one ISP would bring up the VPN on the other. Theoretically it should work the same. This is assuming that 6.3(X) can support multiple peers....
You can support multiple peers, the only issue left is trying to control which path is used. The dual isp mechanism in ASA code will do the connectivity failover and failback for link selection. In 6.x code that control isn't there. Regards, Tom
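The multiple-peer arrangement discussed above, written out as an added example (not Tom's or the poster's configuration): a PIX 501 spoke on 6.3 lists the ASA first and the concentrator second, and the ASA hub is set to answer-only so that only the spoke originates. All addresses and the pre-shared key are placeholders, and the VPN 3000 side is not shown:

```cisco
! --- Spoke PIX 501 (6.3 syntax) ---
! Two peers in one crypto map entry: the PIX negotiates with the first peer
! listed (the ASA) and falls back to the second (the concentrator) when the
! first does not respond. Both hubs must accept the same proxy identities.
access-list vpn_traffic permit ip 10.10.1.0 255.255.255.0 10.0.0.0 255.255.0.0
sysopt connection permit-ipsec
crypto ipsec transform-set spoke_set esp-aes esp-sha-hmac
crypto map spoke_map 10 ipsec-isakmp
crypto map spoke_map 10 match address vpn_traffic
crypto map spoke_map 10 set peer 203.0.113.1 198.51.100.1
crypto map spoke_map 10 set transform-set spoke_set
crypto map spoke_map interface outside
isakmp enable outside
isakmp key EXAMPLE-PSK address 203.0.113.1 netmask 255.255.255.255
isakmp key EXAMPLE-PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2

! --- Hub ASA 5520 (8.0 syntax), outside address 203.0.113.1 ---
! answer-only: the hub never originates, so the spoke alone decides which
! hub it talks to and the primary does not re-pull a tunnel that the spoke
! has moved to the backup.
access-list vpn_traffic_rev extended permit ip 10.0.0.0 255.255.0.0 10.10.1.0 255.255.255.0
crypto ipsec transform-set hub_set esp-aes esp-sha-hmac
crypto map hub_map 10 match address vpn_traffic_rev
crypto map hub_map 10 set peer 192.0.2.10
crypto map hub_map 10 set transform-set hub_set
crypto map hub_map 10 set connection-type answer-only
crypto map hub_map interface outside
crypto isakmp enable outside
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key EXAMPLE-PSK
```

The spoke's DPD/keepalive timers decide how quickly it gives up on the first peer, so they bound the failover time; check them against each release's command reference.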
Would it be possible to use a routing protocol, like RIPv2 or OSPF as the control to decide which path to take?
Hello Tom. I have a question about routing and NAT on the ASA
Will OSPF on the ASA advertise mapped NAT addresses that are in a unique network, i.e. not associated with an interface on the ASA? This is so I don't need to have a static on my upstream internet perimeter router for these NAT'd public addresses. If not OSPF, will any of the supported routing protocols advertise these NATs?
thanks in advance
Unfortunately, this is not supported. You need to use static routes on the neighboring router(s) and redistribute them via OSPF process on the router itself.
Regarding OSPF advertising mapped NAT addresses: I have been looking into this a little more, and I have found in the OSPF Overview of the Config Guide ( http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1057742 ) one of the OSPF features listed as:
- Advertisement of static and global address translations.
This sounds like what I want. If not, what is this feature?
Thanks for bringing this to our attention. This is apparently a documentation bug. It is indeed not supported as I previously stated.
I have notified the documentation team to get this corrected soon.