Cisco Support Community

ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIANCES

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about how to deploy Cisco ASA and PIX security appliances with Cisco expert Tom Hunter. Tom is a technical marketing engineer for the Cisco Security Technology Group. In his 15-year career at Cisco, Tom has provided technical marketing support for the Cisco PIX and ASA family of products, starting with release 1.7. From hands-on network operations to supporting deployment of multisite topologies, Tom brings a wealth of experience to his role. He has been a network security specialist for his entire professional career, beginning with cryptographic communications in the military. You will find him regularly contributing to the Security VT program as well as presenting the latest Cisco security product solutions in the Executive Briefing Center and at Networkers symposiums.

Remember to use the rating system to let Tom know if you have received an adequate response.

Tom might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 22, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

113 REPLIES

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Hi Tom,

Thanks for coming out and answering our questions. Is there any chance Netflow will be supported on any other platform besides the 5580?

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Netflow logging is a high speed alternative to syslog. The 5580 will make good use of its features due to its performance levels. The development team will be watching customer reaction to this feature to determine what the next steps should be. Let your Cisco contacts know your interest.

Bronze

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Sorry for not RTFM'ing the docs on the 5580, but does ASA Netflow send flows -only- for flows that are actually permitted through the ASA, or does it flow for everything (incl. denied traffic)?

My guess is the former, but I wanted to be sure.

Just for the record, we're heavily leveraging Netflow off of the routers and I'd be extremely interested in seeing it on the 5510/5520 platforms.

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Watch the ASA Product page http://www.cisco.com/en/US/products/ps6120/prod_white_papers_list.html for a paper on ASA Netflow. It's still a bit of time from being published, so it may be located on a different link. The Netflow messaging grabs about 8 common messages around flows and packages them as two Netflow messages. It helps considerably in the area of auditing traffic, as the syslog messages typically collected for this are now together.

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Hi Tom

How nice to see you in here, thanks for coming and for your time.

There are some questions that I have searched for answers to that would unlock the question marks in my head; I have read comments from other experts in forums, read Cisco articles etc., but never been able to get the answer which would make me say “Aha!”. I am sure your experience will be the key.

Inside network=192.168.1.0

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www

access-group inside_access_in in interface inside

The above access-list permits inside hosts to browse the internet. The question is, this is an outbound process, but why is it grouped to the inside interface as “inside_access_in inbound”? What does the outbound option in access-group stand for, and in what kind of scenario can we implement “access-group inside_access_out outbound inside”? Can you please describe with an example according to your experiences?

I read about nat-control in Cisco articles etc. and comments by other experts, but could not find a good explanation and production configuration. What happens if I issue no nat-control? Does the appliance start acting like a router and work between interfaces and route without any NAT, exempt NAT or static entries? If yes, how would ACLs work in this case? No ACLs for traffic from a higher security interface to a lower security interface, and permit ACLs for traffic from a lower security interface to a higher security interface?

What is static (inside,inside) or static (dmz,dmz) used for? Can I use this when I want to NAT my inside host to a desired IP on the inside interface (not on a different interface)? It would be useful for overlapping networks between L2L peers etc. Or is this only for DNS doctoring?

I have heard that we can assign user specific ACLs to VPN users if we use a RADIUS server (Windows IAS for example) by setting an attribute in IAS (attribute 25 or something like this). Do you have a link for a document for this?

Is it possible to make IP reservation for a VPN client which acquires IP from specified DHCP server? Does a VPN client have a static MAC address for making IP reservations?

Do you know a book (maybe a Cisco release) about intermediate and advanced debugging levels and how to analyze debugs?

Is it possible to add policy routes just like policy NATs? If not, would it be in further IOS?

Thanks a lot for your time!

Regards

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Hi Tom, glad to have you in the forum.

Can you please tell whether Cisco is planning to target the MSSP market with the ASAs? Because for that the ASA is really not competent like other vendors like Juniper, Fortinet and Checkpoint.

The security context in ASA is not at all useful.

For basic active/active configuration we have to use contexts, which is not so with other vendors.

And from a real point of view, you know it's not real active/active: at any point in time on a single firewall only one context is active. Just for getting active/active we have to segment our network.

Going to active/active disables routing, and the most important thing, VPNs.

Will ASA ever support having separate routing domains like virtual routers in NetScreen and separate VPN tables for each context?

regards

sushil

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

I cannot comment on future product directions. Your comments are noted. Thanks.

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Ok, you have 6 questions here ...

1 - Consider the PIX/ASA as the center of the world ... on any particular interface traffic comes in (inbound) and traffic departs (outbound). You can save capacity by blocking inbound traffic you don't want. The access list statement indicates ONLY www users can pass inbound. No other protocol overheads are incurred. Outbound blocks traffic outbound on an interface ... what if your PIX/ASA has 5 interfaces? The inbound limits traffic to only www ... but if you want ONLY one interface to permit www outbound then you would want to block www inbound on the others. Of course all of this is selectable by address space.

2 - Your PIX/ASA is configured NAT-CONTROL so you understand how all the NAT and ACL features work ... You also understand that any traffic not described by NAT does not get out. So what about NO NAT-CONTROL? It impacts traffic _not described in NAT statements_. All the NAT features still work as described ... the impact is to the address space not described by NAT ... it is no longer blocked. All ACLs, security level rules, statefulness, etc. apply, and it now can traverse the PIX/ASA. Lower level interfaces cannot initiate inbound connections without ACLs ... etc.

3 - This kind of static is a method to direct an inside client to an inside server when an external DNS returns an external address. An external static (I,O) will define the relation to an inside server. The DNS query of an inside client will return the external address. The client will try to build that connection ... the inside static (I,I) will redirect the inside client back to the inside server following the DNS lookup.

4 - From the Config Guide 8.0 Firewall section: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html#wp1056570

5 - Not currently possible to make a DHCP reservation.

6 - I have no recommendations on books, there are a variety of good ones ... and I do tend to lean to Cisco Press. If you need policy routing check IOS and let your Cisco contact know.
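The following configuration is an added illustration of points 1 to 3 above (interface ACL direction, nat-control, and the static-based DNS fix); it is not from the thread and not Cisco's own documentation. It uses the pre-8.3 ASA syntax of the time, and the interface names, security levels, addresses (RFC 5737 ranges) and the 192.168.2.0/24 second subnet are constructed assumptions.

```cisco
! Constructed example, ASA 7.x/8.0-era syntax. Addresses and interfaces are assumed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! (1) Direction is relative to the interface, not to "the Internet".
!     "in" filters what arrives on the interface from its attached network;
!     browsing by inside hosts arrives on 'inside', so the ACL goes "in" there.
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 host 192.0.2.53 eq domain
access-group inside_access_in in interface inside
!
!     "out" filters what leaves the interface toward its attached network,
!     whichever interface it came in on. Here only web traffic may leave
!     toward the Internet, regardless of which inside/DMZ ACL admitted it.
access-list outside_access_out extended permit tcp any any eq www
access-list outside_access_out extended permit tcp any any eq https
access-group outside_access_out out interface outside
!
!     Lower-to-higher security (outside -> inside) is denied by default;
!     an "in" ACL on 'outside' is what opens the published server.
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-group outside_access_in in interface outside
!
! (2) nat-control: with it on, a flow whose source has no nat/static entry is
!     dropped even if the ACLs permit it. 192.168.1.0/24 is covered below;
!     a host in 192.168.2.0/24 (assumed second inside subnet) is not, so it
!     cannot reach 'outside' until a nat rule covers it or nat-control is off.
nat-control
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! no nat-control      <- alternative: untranslated address space is forwarded, ACLs still apply
!
! (3) Inside clients resolving the public name of an inside server.
!     Option A: the "dns" keyword rewrites the A-record reply so inside
!     clients connect to 192.168.1.10 directly.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 dns
!
!     Option B (the static (I,I) Tom describes): keep the public address in
!     the reply and hairpin the inside client back through the inside
!     interface to the server. Needs intra-interface traffic enabled, and,
!     with nat-control on, a translation for the client's inside->inside
!     flow (assumed here as a PAT to the inside interface address).
same-security-traffic permit intra-interface
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
global (inside) 1 interface
```

Use either option A or option B for a given server, not both. To confirm which path a flow takes, `show xlate` and `show conn` on the ASA show the translation and connection actually built; an ACL hit count from `show access-list` tells you which direction's ACL the packet was evaluated against.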

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Thanks Tom!

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Hello, I'm deploying ASA SSL VPN in my enterprise and I have a problem. I have installed the RDP plugin and published some terminal servers with the link “rdp:///?Keymap=es” to have the Spanish keyboard in the terminal server session. But the problem is that this keymap hasn't got written accents, which are basic to writing in Spanish. For me it's a big problem, because I can't use ASA SSL VPN with this problem, as my users can't write without written accents.

I have tried the French keymap and it has written accents. I have downloaded the rdp-pugin.jar file to my PC and it has a keymap directory; if you edit the “es” file, it indeed hasn't got the written accents (á, é, í, ó, ú, à, è, ò, ù).

Some help?

Can Cisco resolve this issue?

Can I edit this file and import it to the ASA?

How can I edit this file?

Thanks

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

I was checking around on this question. The best thing for this is a TAC case. This will get visibility into Development for the missing characters. Spanish is widely used so it will get attention. Regards, Tom

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Hello Tom, my name is Carlos Sousa and I work in the city hall of Vila Nova de Gaia. Recently we bought a Cisco ASA 5520 firewall with a Trend Micro module which includes anti-X and anti-spam.

After installing and configuring the firewall ASA with NAT for 4 external IPs, everything was OK with our internet link, but after configuring the Trend Micro module our internet connection became very slow. After trying a few different configurations on the Trend Micro module, we noticed that if we disable the URL blocking, URL filtering, file blocking and HTTP scanning options the internet connection works fine, with fast communication.

We have about 450 users on our network, and I would like to know if there is a problem having such a number of users accessing the internet through the Trend Micro "filter", and how to configure the ASA 5520 with the full anti-X options working on Trend Micro so that we can have a normal internet connection speed.

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Carlos,

Which version of CSC software are you running?

It is very possible that you're being hit by CSCsh35086.

This bug has been resolved in 6.2.1599.0.

See Bug Toolkit link below for more details:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh35086

I would recommend upgrading the CSC-SSM software to 6.2.1599.0. If the issue persists, go ahead and open a TAC case to close the loop on this one.

Regards,

Binh

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Binh,

Thanks for your post, but that is precisely the version of CSC that we are using (the version that comes with CSC SSM is 6.2.1599.0)

Regards,

Carlos

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Pretty sure there's a 6.2.1599.1 patch we had to apply late last year under TAC direction. Not sure of its bug fixes though; hopefully there are associated release notes.

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

The best thing to do at this point is open a TAC case and provide feedback directly into Cisco. Regards, Tom (and Binh)

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Is the ASA going to replace the PIX? By this I mean will Cisco stop making/selling/supporting the PIX because they expect everyone to be on ASAs? How soon?

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Hi,

The PIX product line has just gone End-of-Life, as the following bulletin shows:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notices_list.html

Support will continue up to July 2013 when the product line becomes officially obsolete.

HTH

Andrew.

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Hi Tom,

I'm thrilled to 'meet' you, heh. I have a somewhat esoteric problem and can find no assistance anywhere (including TAC, and two friends who are CCIEs). We have an ASA-5520 in our main office, and a VPN 3000 Concentrator in a secondary office. We have a bunch of PIX 501s in our satellite offices. What we want to do is set up site-to-site VPNs from those PIXs to both the ASA and the VPN 3000 in such a way that the ASA is the primary VPN and, if it fails, the VPNs will all switch over to the Concentrator. I can connect the PIXs to either the Concentrator or the ASA one at a time, but not together. Have you heard of any way to do this? If it can't be done, can you recommend a relatively low cost alternative? Thanks ahead of time.

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

You are limited by the interfaces and OS on the PIX 501. Also the PIX line is identified as EOS now. Relatively low cost would point me to the ASA 5505 product as a replacement; that would give you the "dual ISP" feature to work with. Keeping the PIX 501s in service with an upstream device would probably be close to the same cost as replacement.

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Hi Tom,

We use an ASA 5540 as VPN concentrator and for firewalling. I was wondering if there is any utility similar to Get Pass that checks the encrypted passwords for the ASAs.

Thanks.

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

The password algorithms on ASA are very tight. No analysis tools I know of touch them. Regards, TomH

Silver

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

You can "probably" do this by adding a second IP in your VPN peer config. At the main site and concentrator, set them to answer-only. I did a similar thing using an ASA 5505 with Dual ISPs back to a main branch. I set it up so that a failure on one ISP would bring up the VPN on the other. Theoretically it should work the same. This is assuming that 6.3(X) can support multiple peers....

Jay

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

You can support multiple peers; the only issue left is trying to control which path is used. The dual ISP mechanism in ASA code will do the connectivity failover and failback for link selection. In 6.x code that control isn't there. Regards, Tom

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Would it be possible to use a routing protocol, like RIPv2 or OSPF as the control to decide which path to take?

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Hello Tom. I have a question about routing and NAT on the ASA

Will OSPF on the ASA advertise mapped NAT addresses that are in a unique network, i.e. not associated with an interface on the ASA? This is so I don't need to have a static on my upstream internet perimeter router for these NAT'd public addresses. If not OSPF, will any of the supported routing protocols advertise these NATs?

thanks in advance

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Unfortunately, this is not supported. You need to use static routes on the neighboring router(s) and redistribute them via OSPF process on the router itself.

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Regarding OSPF advertising mapped NAT addresses: I have been looking into this a little more. I have found in the OSPF Overview of the Config Guide (http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1057742) one of the OSPF features listed as:

• Advertisement of static and global address translations.

This sounds like what I want. If not, what is this feature?

thanks

New Member

Re: ASK THE EXPERT - DEPLOYING CISCO ASA AND PIX SECURITY APPLIA

Thanks for bringing this to our attention. This is apparently a documentation bug. It is indeed not supported as I previously stated.

I have notified the documentation team to get this corrected soon.

Regards,

Binh
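As an added illustration of the workaround Binh gives in the two answers above (a static route on the neighbouring router, redistributed into OSPF there, because the ASA does not advertise a NAT pool that is not an interface network), here is a constructed configuration pair. It is not from the thread or from Cisco documentation; the addresses, the pool 203.0.113.64/27, the OSPF process number and the route-map/prefix-list names are assumptions.

```cisco
! --- ASA (pre-8.3 syntax, constructed). The PAT/NAT pool lives in
!     203.0.113.64/27, which is not any ASA interface network, so the ASA's
!     OSPF process will not originate a route for it.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.65-203.0.113.94 netmask 255.255.255.224
!
! --- Upstream perimeter router (IOS syntax, constructed). Its OSPF-facing
!     side must learn that the pool is reachable via the ASA outside address.
ip route 203.0.113.64 255.255.255.224 203.0.113.2
!
! Redistribute only that prefix, not every static route the router holds;
! an unfiltered "redistribute static" would leak any other statics into OSPF.
ip prefix-list NAT-POOL seq 10 permit 203.0.113.64/27
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list NAT-POOL
route-map STATIC-TO-OSPF deny 20
!
router ospf 1
 redistribute static subnets route-map STATIC-TO-OSPF
```

On the router, `show ip ospf database external` should list 203.0.113.64/27 as an external LSA it originates, and a downstream OSPF neighbour should show it in `show ip route ospf`; if the prefix is missing, check that the static route is in the router's routing table (`show ip route static`) before suspecting the redistribution filter.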
