Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Need help - Cisco ASA with FirePOWER

hi 

 

currently we are using asa 5510 without firepower feature. our aim is to publish web servers and microsoft lync with reverse proxy method. control internet traffic , apply particular extensions file not to download , bandwidth management etc.

 

Is it possible when we add firepower on asa 5510 ..... please guide me.... thanks

2 ACCEPTED SOLUTIONS

Accepted Solutions
New Member

Firepower has to be installed

Firepower has to be installed on the new ASA X series.  5512x, 5515x, 5525x, etc.

 

If you have a 5510, then you would probably want a 5512x with a SSD drive.  Cisco has firepower bundles which include the ASAx with SSD and the Firepower license.

Add to that you also need the Firesight Management Software, and there is a 2 device bundle license for under $500 that you can install on VMWare.

 

Firepower doesn't do reverse proxy, it does transparent in-line packet inspection, analysis, and filtering by URL / Application / and Threat mitigation.  

 

If you want a reverse proxy, you should look into Microsoft ISA server, or a dedicated Web Reverse Proxy Server.  Cisco discontinued their Web Director product, which did this function. 

 

You can host websites behind the ASA Firewall without a reverse proxy.  And the ASA does have an application inspection for HTTP traffic, which will monitor the HTTP requests.  The Firepower System in the ASA also has specific signatures that monitor traffic to web servers and prevent specific vulnerabilities that are known on those servers, so if that is what you want the Reverse Proxy for, then the Firepower module would likely cover your needs.

 

Keep in mind that until next Quarter the Firepower system does not have on-box decryption, and you may want to wait until that feature is released and established, so you know what size firewall you need to protect your network with the SSL decryption.  I believe the ASA5512x is currently testing at 75 mbps of decrypted flows through the Firepower module, which is about half of what the CX was doing before, so you could use the CX sizing numbers and extrapolate until Cisco releases official decryption numbers.

New Member

Yep, looks like you need a

Okay let me clarify. 

If this is for internal users, you have two options on the ASA :

Option1:    Anyconnect VPN which would be a VPN client that installs itself on their system and provides access to whatever internal server you want to give them access too.

Option2:   Clientless VPN  you can create a portal page, add bookmarks to internal servers, and even pass through authentication from an SSO server to a back end system.  Or if they are internal you can just use LDAP to authenticate them.

 

If these users of the Web Server are external to your company and you are trying to protect the server from non-authenticated users, or web server vulnerabilities from botnet scanning engines and outside hackers, then you should go with something other than the ASA.

 

I would suggest you could put the Sophos UTM in the ASA's DMZ, and reverse proxy the websites there.  You don't want to get rid of the ASA or remove it from the picture, as it is very good at VPN and complex networking, which I'm sure the Sophos device will fall short.  However it is not as good at providing a reverse proxy function, for unauthenticated users.

3 REPLIES
New Member

Firepower has to be installed

Firepower has to be installed on the new ASA X series.  5512x, 5515x, 5525x, etc.

 

If you have a 5510, then you would probably want a 5512x with a SSD drive.  Cisco has firepower bundles which include the ASAx with SSD and the Firepower license.

Add to that you also need the Firesight Management Software, and there is a 2 device bundle license for under $500 that you can install on VMWare.

 

Firepower doesn't do reverse proxy, it does transparent in-line packet inspection, analysis, and filtering by URL / Application / and Threat mitigation.  

 

If you want a reverse proxy, you should look into Microsoft ISA server, or a dedicated Web Reverse Proxy Server.  Cisco discontinued their Web Director product, which did this function. 

 

You can host websites behind the ASA Firewall without a reverse proxy.  And the ASA does have an application inspection for HTTP traffic, which will monitor the HTTP requests.  The Firepower System in the ASA also has specific signatures that monitor traffic to web servers and prevent specific vulnerabilities that are known on those servers, so if that is what you want the Reverse Proxy for, then the Firepower module would likely cover your needs.

 

Keep in mind that until next Quarter the Firepower system does not have on-box decryption, and you may want to wait until that feature is released and established, so you know what size firewall you need to protect your network with the SSL decryption.  I believe the ASA5512x is currently testing at 75 mbps of decrypted flows through the Firepower module, which is about half of what the CX was doing before, so you could use the CX sizing numbers and extrapolate until Cisco releases official decryption numbers.

New Member

Thanks for your detailed

Thanks for your detailed reply brother. actually we have deployed lync server 2013 with reverse proxy so it is must.  see the comparison . i should go with Sophos UTM Firewall what you advice me...

 

Feature

Cisco Firepower

Fortinet

Sophos Utm

Firewall 

IPS

Antivirus Gateway

 

AntiMalware*

 *

Antispam

 

HTTP Proxy

 

Reverse Proxy

Partially

Web Filtering

Email Protection

 

Wireless Controller

 

 

Bandwidth Control

Expected in Next Year

Limited

Application Visibility and control

Data Loss Prevention

 

Advance Threat Prevention

On BOX reporting

 

Limited

External Reporting

Web Reputation defence

Failover

 

New Member

Yep, looks like you need a

Okay let me clarify. 

If this is for internal users, you have two options on the ASA :

Option1:    Anyconnect VPN which would be a VPN client that installs itself on their system and provides access to whatever internal server you want to give them access too.

Option2:   Clientless VPN  you can create a portal page, add bookmarks to internal servers, and even pass through authentication from an SSO server to a back end system.  Or if they are internal you can just use LDAP to authenticate them.

 

If these users of the Web Server are external to your company and you are trying to protect the server from non-authenticated users, or web server vulnerabilities from botnet scanning engines and outside hackers, then you should go with something other than the ASA.

 

I would suggest you could put the Sophos UTM in the ASA's DMZ, and reverse proxy the websites there.  You don't want to get rid of the ASA or remove it from the picture, as it is very good at VPN and complex networking, which I'm sure the Sophos device will fall short.  However it is not as good at providing a reverse proxy function, for unauthenticated users.

2707
Views
0
Helpful
3
Replies