Cisco Adaptive Security Appliance (ASA) Firewalls: Lifeline of Today’s Data Centers: FAQs from Live Webcast
ASA & Firewall Questions
Q. What would be the real-world throughput of the ASA 5505 appliance?
A. You can find the details on the datasheet below:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
Q. Does Cisco have good feedback regarding 5585-X clustering so far? We wanted to implement this earlier this year but got the impression that we were pilot users with this solution, due to the questions we got from Cisco's PM team, so we abandoned the project.
A: You can surely go for clustering, but for a detailed analysis with respect to your network, a clarification from PM/SA will be required so as to have a better understanding.
Q. It would be great if I could get a document that shows the recommended real-world throughput of each model.
A: In reality it depends on the type of traffic you are pushing through the firewall. So you can check the multiprotocol field if you are pushing different types of traffic. http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Q. Can we have contexts configured with a cluster?
A: Yes, we can have contexts configured with clustering.
Q. Can you briefly describe how the ASA can link up with an IPS module for next-gen intrusion threats?
A: The details available at http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html will help you understand IPS with ASA.
Q. What is sub-second failover?
A: Sub-second failover means the failover can happen in under a second. Both the interface and unit polling times can be configured in milliseconds. Be careful setting the failover timers too low, though, as you may have a quick communication loss due to congestion.
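The following configuration is an added example, not text from the webcast or from Cisco's documentation. It shows the failover timer commands the answer above refers to, with the default values noted next to a sub-second setting. The interface names, failover link addresses and the choice of which interfaces to monitor are assumptions made for illustration.

```cisco
! Added example, not from the webcast. Timers for an active/standby pair;
! the interface names and addresses are made up.
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
!
! Defaults when none of the polltime lines below are present: unit hello
! every 1 s with a 15 s hold time, interface hello every 5 s with a 25 s
! hold time.
!
! Sub-second unit failover: hello every 200 ms and declare the peer dead
! after 800 ms without a hello. The hold time must be at least three times
! the poll time, and 800 ms is the smallest hold time the ASA accepts.
failover polltime unit msec 200 holdtime msec 800
!
! Interface monitoring can be tightened too, but its hold time stays in
! whole seconds (5 s minimum).
failover polltime interface msec 500 holdtime 5
!
! The caveat from the answer above: at these values a congested failover
! link can look like a dead peer. Limit interface monitoring to the
! interfaces whose loss should actually trigger a switchover.
monitor-interface inside
monitor-interface outside
no monitor-interface management
```

The unit timers decide how quickly a failed peer is detected; the interface timers decide how quickly a monitored interface is declared failed. Both are worth testing with the real failover link under load before the aggressive values go into production, since a missed hello at 200 ms triggers a switchover that the default 1 s timer would have absorbed.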
Q. How can we cap the bandwidth on Cisco ASA?
A: To check what the supported throughput is, please refer to:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Are there any plans for introducing clustering in the ASA 5500-X for the Saleen Series?
A: The complete list of supported platforms for ASA clustering can be found at:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html
Q. What applications are supported for "full application state sync"? Does ASA support SSL/IPSec VPN? Multiprotocol throughput for ASA 5505?
A: Since the 5505 is for remote users, you can refer to the following link for more info on it.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Can you configure site-to-site VPN with ASA in multi-context mode?
A: Yes, you can, as shown in:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_site2site.html
Q. Can we have ISP-level redundancy or link load balancing with Cisco ASA, as I have multiple links to my DC for redundancy?
A: ASA is not designed to do WAN load balancing between ISP links. Though you may refer to a similar lab setup as shown in
https://supportforums.cisco.com/docs/DOC-15622
Q. Does site-to-site VPN co-exist with remote access?
A: If using ASA clustering then VPN will not work. In a non-cluster environment you can use L2L VPN and it can co-exist in the standalone version.
Q. You just told about using different Cisco boxes in a multi-tier firewall design, but isn't the good practice to use different vendors' firewalls in different tiers? How would you justify using only Cisco firewalls in a multi-tier design?
A: Ease of management with a single tool like CSM (Cisco Security Manager), and additional security with TrustSec & ISE deployment, which integrates seamlessly with a Cisco environment.
Q. How should we size the firewall for the data center? Is there any guideline on the sizing?
A: For sizing we need to have the number of connections and the type of traffic which we need to push through the firewall; then you can refer to the following link for information on which model suits your need. Please refer to
http://www.cisco.com/en/US/products/ps99
Q. Can you explain the significance of SGT in the context of ASA?
A: SGT is part of TrustSec.
Q. Can you load balance your outgoing internet connectivity with two internet connections hooked to one ASA?
A: Presently it is not possible to load balance traffic between two ISP links on an ASA.
Q. How does the ASA 5500-X react to a zero-day attack?
A: Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activity in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available.
Q. Would clustering up to 8 firewalls be active/active or active/standby?
A: All 8 units will be active in a cluster.
Q. What is multiprotocol throughput?
A: When different types of traffic are going through the firewall, i.e. HTTP, FTP, etc.
Q. Can we block HTTPS traffic on the firewall?
A: When you say block, I assume you mean traffic going through the firewall; then the answer to that would be yes.
Q. Can Security Manager be a syslog server as well?
A: CSM is built to be a single point of management and configuration for ASA and other security products. The function of syslogging is to be offloaded to an external server.
Q. Does Cisco have a UTM box?
A: Yes, Please refer:
http://www.cisco.com/en/US/products/ps9932/prod_models_comparison.html
Q. Is a cluster of 8 FWs supported on all models of ASA?
A: Complete details are available at
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html
Q. What are the different HA modes supported?
A: You can refer to the Cisco ASA datasheet on Cisco.com
Q. Can we mix different models in clustering, i.e. can a Cisco 5510 be clustered with a Cisco 5520?
A: No, we can't mix different ASA models. And clustering is only supported with 5580, 5585 or 5585X.
Q. When we say ASA virtualization, is that the hardware virtualization, IOS or the configurations?
A: You can use ASA 1000V for a virtualized environment and that's what it means. Again, if the term virtual is used, it can be a context, as many times these two terms are used interchangeably.
Q. Is access to the ScanSafe database a subscription service?
A: Yes, a ScanSafe subscription will be required.
Q. Can I have multi-context along with clustering?
A: You won't need a context in cluster mode, but you can have multiple contexts.
Q. Can we block HTTPS traffic on the firewall?
A: Yes, with ACLs you can block HTTPS traffic going through the firewall.
Q. Is clustering possible across geographies, or is there any distance limitation?
A: This can be done through VPNs (site to site) but is never recommended. Such a setup in a production environment is not recommended.
Q. Are only 8 ASAs in a cluster possible, and can I mix the models?
A: It has to be the same model with the same hardware configuration, like memory etc.
Q. Can we detect NMAP scans with ASA?
A: You may refer to http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bd3913.shtml for an nmap scan as an attacker example.
Q. How can I block Facebook on the firewall?
A: You can block it using ScanSafe.
Q. What is the best choice for site-to-site VPN, Firewall ASA or Cisco security router?
A: ASA VPN edition will be the best as it supports many more security features compared to a router.
Q. Is firewall virtualization supported in ASA?
A: Yes, we call it Context in ASA.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps12726/qa_c67-712934.html lists all the features supported by ASA with 9.0.
Q. Can I have an HA design with two ASA 5525-X in two separate places in Active/Active mode?
A: In that case you are expanding your cluster; there is no restriction, but I do not see any use case for this.
Q. What if one of the ASAs goes down, will the other 7 modules still deliver 280 Gbps?
A: Only the throughput will drop on an overall basis, but no impact on traffic.
Total Throughput = N x Single node throughput x Scaling Factor
Q. Hello, do we need to have an even number of firewalls to participate in clustering?
A: No, there's no such mandate.
Q. How does the ASA 5500-X react to a zero-day attack?
A: Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activity in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available. It helps in a day-0 attack.
Q. Please, could you explain more about the 'individual' and 'spanned' modes in clustering?
A: Refer to http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html for complete details on HA cluster configuration and the various interface modes.
Q. ASA5585-SSP-10, 2 units, ASA ver 8.2(5), old ASDM ver 6.4(5), current ASDM ver 7.1(3): any compatibility issue of Java 1.7 with ASDM? Please suggest any stable Java version which works with all ASDM versions.
A: You can get in touch with Cisco TAC support for granular information on ASA & ASDM with Java.
Q. What will happen if one node fails in an ASA cluster? Will traffic which was going through the failed node be dropped, or will it be processed by some other node in the cluster?
A: Processed by another member in the cluster.
Q. We have an IPS module with our ASA. It cannot detect external scans like NMAP OS fingerprinting. I opened a TAC case also. They confirm that this is not possible with Cisco IPS and it only detects it as normal traffic. Is that true?
A: That's an extensive topic and this discussion may help
https://supportforums.cisco.com/thread/2152269
Q. Does clustering support IPv6?
A: Yes
Q. So where do we point the route from inside equipment, when ASAs are addressed from a dynamic pool? Is there a VIP address?
A: No, each firewall would get an address from the pool created by the master ASA in a cluster.
Q. Can we create contexts in a cluster?
A: You can have an ASA with multiple contexts as part of a cluster; however, all the ASAs should be in multiple mode in that cluster.
Q. How many context firewalls can we configure on a single ASA?
A: Depends on the model, please refer to
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/asa_poster_revision_r8.pdf
Q. Why do I still have to manually copy XML profiles from the active to the standby?
A: Depends on the version you are using. More detailed info can be obtained from Cisco TAC as it's specific to AnyConnect.
Q. A few years ago threat detection, routing protocols, etc. could not be used if you enabled multiple context mode on the ASA. Was this resolved already in today's software or product line?
A: Virtually not; you can have as many policies, but can be brought down if combined with TrustSec. Still the same: multiple context mode does not support the following features:
- RIP
- OSPFv3 (OSPFv2 is supported.)
- Multicast routing
- Threat detection
- Unified Communications
- QoS
- Remote access VPN (site-to-site VPN is supported.)
Q. Based on active cluster configuration, if a new firewall picks an IP address from the pool, and later the firewall goes down, how will the session failover happen: will the live session be dropped or will it fail over to another active firewall?
A: It will be taken care of by the next-priority firewall in the cluster.
Q. Is there any policy limitation of Cisco ASA?
A: Virtually not; you can have as many policies, but can be brought down if combined with TrustSec.
Q. Can you also have visibility of the SGT at the level of the CX module?
A: Complete details are available at
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
Q. The ASA CLI or ASDM logging feature does not provide the rule number details (unlike Checkpoint FW). We need to know which rule is blocking or allowing the traffic. That will make it easy to troubleshoot any issue.
A: You can use packet tracer under ASDM.
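As an added example (not text from the webcast or from Cisco's documentation), here is the CLI side of the answer above: how to find out which access-list entry a flow is matching, first with packet-tracer for a single simulated flow and then with per-ACE hit counters and the log keyword for ongoing visibility. The access-list name, interface names, addresses and the syslog server are assumptions made for illustration.

```cisco
! Added example, not from the webcast. Access-list and interface names and
! all addresses are made up for illustration.
!
! 1) Simulate a flow from the CLI (the ASDM packet tracer runs the same
!    command). The ACCESS-LIST phase of the output prints the matching ACE
!    under "Config:" together with the ALLOW/DROP result, which is the
!    "rule number" the question asks for.
packet-tracer input inside tcp 10.1.1.10 49152 203.0.113.5 443 detailed
!
! 2) Each ACE in the expanded access-list carries a hit counter (hitcnt)
!    and a hash. Watching hitcnt change while the traffic is reproduced
!    identifies the line the traffic really matches.
show access-list inside_access_in
!
! 3) For ongoing visibility, put the log keyword on the ACEs of interest.
!    The ASA then emits syslog 106100 for that ACE, carrying the same hash
!    shown by "show access-list", so each log line can be tied back to the
!    rule that produced it.
access-list inside_access_in extended deny tcp any host 203.0.113.5 eq 443 log
access-list inside_access_in extended permit ip any any log
access-group inside_access_in in interface inside
!
! 106100 is an informational (level 6) message; send that level to the
! syslog server so the per-ACE lines actually leave the box.
logging enable
logging trap informational
logging host inside 10.1.1.100
```

Logging every ACE at informational level is noisy on a busy firewall, so in practice the log keyword goes on the deny entries and the specific permits being troubleshot rather than on the permit ip any any line; the command form above is the same either way.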
Q. What other features do we have with ASDM 9.0, and also can we configure bridge and routed mode at the same time?
A: No, we cannot have different modes in an ASA cluster. Please refer to the link for new features in OS 9.0:
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp586890
Q. How is the VIP maintained in the cluster?
A: There is no VIP; all firewalls have their own address, so we need load balancing from outside the cluster.
Q. We are using 3 different management servers. We are facing this ASDM loading issue with all of them; how can there be an issue at the OS level?
A: Please get in touch with Cisco TAC for in-depth review & troubleshooting.
Q. Does the load balancing into the cluster need to be "sticky"? Must traffic for a particular connection always hit the same appliance? Or is connection state replicated between all appliances in the cluster?
A: No, the session backup exists on a clustering setup. If an ASA goes down then the session won't be dropped and the next master will handle it. In short, yes, connection replication happens.
Q. Does the CCL have to be in routed mode, or can it be made L2? I believe it's like VSL in VSS, or like stacking?
A: VSS is supported; refer to
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html#wp1559338
Q. Does the ASA support Server Load Balancing?
A: No, ASA doesn't support Server Load Balancing.
Q. Is that also the case with site-to-site VPN when the cluster master fails, or does it work more like Active/Standby VPN state failover?
A: Clustering is analogous to failover, not the same. The VPN sessions will be replicated across the cluster.
Q. Can the IPS in the ASA 5500-X do heuristic detection?
A: Basic heuristics are there; 0-day attacks are identified (now better by ScanSafe, an improvement over the local engine).
Q. Will remote VPN work with clustering mode?
A: RA VPN is not available in clustered mode. The full list of centralized and disabled features can be found at:
http://asapedia.cisco.com/index.php/Clustering
Q. Which is the best module that can block torrent traffic, as it uses any dynamic port available?
A: The IPS module will be the best option as it can look into the payload.
Q. I have about 30+ Cisco ASA firewalls, all of them running Cisco ASA 8.2(5). Is there a document that I can follow to upgrade them to 9.0?
A: Yes, a plan is needed for the upgrade. Refer to https://supportforums.cisco.com/thread/2183482 as a similar request, and do take the help of TAC for such a major upgrade of over 30+ firewalls.
Q. Will remote VPN work with clustering mode?
A: It doesn't work.
Q. Does Easy VPN work with Active/Standby mode in ASA?
A: Yes, it works with failover ASA.
Q. Can we use ASA for web filtering like a proxy?
A: Yes, ASA can be used for web filtering and it has been possible for many years. Now you also have ScanSafe.
Q. And how do I just point to _one_ ASA IP from core routing equipment, when clustering?
A: Addresses configured in the pool are given to the firewalls in the cluster; you can simply push the traffic to any given address assigned to a specific firewall in the cluster.
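The address pool that the answers above keep coming back to (no VIP, each member gets its own address, load balancing done by the routers around the cluster) is configured on the data interface in individual interface mode. The following is an added example, not configuration from the webcast or from Cisco's documentation; the pool name, interface, security level and all addresses are assumptions for illustration.

```cisco
! Added example, not from the webcast. Pool name, interface and addresses
! are made up. Applies to a cluster running in individual interface mode
! (the command below asks for confirmation when it changes the mode).
cluster interface-mode individual
!
! One address per member, handed out by the master as units join. Size the
! pool for the number of units you intend to run (eight here).
ip local pool inside-pool 10.1.1.11-10.1.1.18 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ! 10.1.1.10 is the main cluster address and always belongs to whichever
 ! unit is currently master; each member additionally takes one address
 ! from inside-pool, in the same subnet.
 ip address 10.1.1.10 255.255.255.0 cluster-pool inside-pool
!
! There is no single VIP for data traffic. The adjacent router spreads
! flows across the member addresses 10.1.1.11 through 10.1.1.18 (for
! example with equal-cost routes to each), and the cluster's connection
! replication means a member failure does not drop the flows that were
! landing on it.
```

Because the router, not the cluster, decides which member receives a packet, the routing configuration on the adjacent devices is as much part of the design as the pool itself: a route that points at only one member address funnels everything through that unit and gives up the throughput scaling that the cluster was bought for.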
Q. What will happen if one node fails in an ASA cluster? Will traffic which was going through the failed node be dropped, or will it be processed by some other node in the cluster?
A: Yes, ASA clustering always has a backup node (owner) for every flow through the cluster, so if the node through which traffic is passing goes down, the next owner will process the n+1 traffic (if the previous node was processing the nth packet).
Q. How many "sessions/connections per second" can the 5585-X support? Is there a public document that shows a performance matrix for ASA? Something similar to the Router & Switch performance matrix; there is one available for the Router & Switch product line.
A: You can access the video and regular data sheets for the 5585-X series firewall at
http://www.cisco.com/en/US/products/ps11061/index.html
Q. Any plan for a refresh of the 5505? Right now a lot of our customers are looking elsewhere (Checkpoint, Palo Alto) for a layer 4-7 aware firewall.
A: If you're looking for a replacement of the 5505 you have multiple options, as explained in the Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated), such as the 5512-X and 5515-X next-gen firewalls with better throughput and a host of new features:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
Q. Is clustering supported across all models or not?
A: Clustering is only supported with 5580, 5585 and 5585X models.
Q. If Cisco's marketing of 5500X products stops, does that mean Cisco will slowly stop 5500 models?
A: Not sure where this is coming from, since 5500X is the latest in next-gen firewalls and Cisco intends to continue with both 5500 and 5500X series.
Q. What about a blade system on the Cisco side for ASA?
A: Cisco FWSM is the current generation and Cisco NGFW services module is the solution for the next-gen DC, which supports many new features:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607.html
Q. Can Cisco Security Manager be a netflow collector for ASA devices?
A: CSM is primarily meant for configuring and managing the firewalls. If you wish to
collect netflow data it's better to look at Cisco LMS/Prime solutions.
Q. What is the max throughput at line speed?
A: For information on the throughput and other parameters please consult the respective data sheets of the ASA 5500 and 5500-X series:
Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for Small Offices and Branch Locations Data Sheet (Updated)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701253.html
Cisco ASA 5500 and ASA 5500-X Series Next Generation Firewalls for the Internet Edge Data Sheet
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701808.html
Cisco ASA 5500 Series Adaptive Security Appliances
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html
Q. Can CSM take a backup of the ASA configuration?
A: In CSM, if you would like to see the configurations, there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview Configuration..."
2) In the top bar, go to "Manage > Configuration Archive...". You can then see a history of previous configurations pushed for each device managed by CSM.
CSM-based backups are manual and are not automated.
Q. Can we expect remote access vpn support for contexts anytime soon?
A: As far as I know it's not on the roadmap for next few releases.
Q. Why does the management interface not work when working with an active/standby solution?
A: You can access the video and regular data sheets for the 5585-X series firewall at
http://www.cisco.com/en/US/products/ps11061/index.html
Q. Do you have a recommended scenario or plan for ASA deployment in a Data Center or VMDC?
A: Each network and organization has different requirements for services and security. Hence, putting one size fits all is not a possible solution. You can check the Cisco recommended design and configuration guidelines at the following URLs:
ASA DC deployment guide
http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/February2012/SBA_Mid_DC_DataCenterDeploymentGuideFebruary2012.pdf
Cisco ASA DC config guide
http://docwiki.cisco.com/wiki/Cisco_ASA_Firewall_Configuration_for_Data_Center
Q. Is there road-map to allow VPN functionality with ASA Cluster Deployment?
A: Site to site VPN is already supported in clustering. Remote access VPN is not
supported as of today and is not on roadmap as I know.
Q. Does ASA support stateful sync for SSL or IPSec VPN sessions, meaning if the primary fails then the SSL or IPSec VPN session need not re-establish connectivity with the secondary?
A: Yes, stateful failover is available for IPSec and SSL connections.
Q. Can we configure the Cisco ASA on a distributed architecture?
A: ASA clustering is a distributed architecture for high availability and is compatible with next-gen and current switching infrastructure.
Q. Does packet tracer support FWSM?
A: FWSM doesn't support the packet tracer command.
Q. Is there a concept of inter-context communication in the current ASA? Meaning no need to forward the traffic out of the interface, but instead inside the ASA and between contexts. Saves an interface and is much faster?
A: As of today, inter-context communication has to go out of a physical interface and come in again (same or different interface). Essentially, a trombone of traffic needs to happen out of and into the firewall.
Q. Based on active cluster configuration, if a new firewall picks an IP address from the pool, and later the firewall goes down, how will the session failover happen: will the live session be dropped or will it fail over to another active firewall?
A: You can access the video and regular data sheets for the 5585-X series firewall at
http://www.cisco.com/en/US/products/ps11061/index.html
Q. What about MGCP support?
A: Cisco ASA Clustering does not support any UC protocols including H.323 suite, RTP,
RTCP, SIP, SCCP and MGCP
Q. Is there an option for snapshots for backup purposes, so we can restore the whole configuration very fast, and how many snapshots can it store?
A: If the query is about CSM, and you would like to see the configurations within the CSM interface, there are two ways to do this.
1) From the Device View, right-click on the device and select "Preview Configuration..."
2) In the top bar, go to "Manage > Configuration Archive...". You can then see a history of previous configurations pushed for each device managed by CSM.
Q. What is the monitoring solution in Cisco where we can see what each user is doing from the Cisco TrustSec perspective?
A: You can do this from the ISE dashboard for monitoring the network. Please see
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_mnt.html#wp1226014 for more details.
Q. What is the VPN split in IPv4/IPv6 networks? Is there VPN bypass with ASA?
A: VPN in IPv4 or IPv6 depends on the configuration for the site-to-site or client (remote access) VPN. ASA can do VPN bypass for IPSec and SSL VPN so the clients / remote site can connect with a headend behind the ASA.
Q. What is the CX module in the ASA-X series?
A: ASA NGFW Services (formerly ASA CX) re-imagines the firewall, delivering context-aware security that empowers enterprises to manage applications, devices and the evolving global workforce, while ensuring unprecedented visibility and control. Unlike other next-generation firewalls, only ASA NGFW Services outpaces complexity to address evolving security needs by leveraging local network intelligence via Cisco AnyConnect and TrustSec, and global threat information via Cisco’s Security Intelligence Operations.
Q. Can you please share the packet flow in context mode? And does the mode or context support multicast or unicast?
A: Here's a URL which covers packet classification examples and flows in detail:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1134280. Contexts support both unicast and multicast; however, PIM is only supported in single context.
Q. Packet tracer & traceroute features are also not available in FWSM?
A: The packet tracer feature is not available on FWSM. The traceroute command is supported on FWSM.
General Questions
Q. Recommended tools for monitoring traffic, security events, syslogs? Any Cisco-developed NetFlow analyzers? Is there anything bundled with the IOS or is it an additional package?
A: You can use Cisco Security Manager for such tasks. More info available at http://www.cisco.com/en/US/products/ps6498/index.html
Q. Is it only the SecureX platform that has support for TrustSec?
A: You can have complete details from
http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html.
Q. Can ISE integrate with AD or do we need an AAA/LDAP?
A: Yes, we can integrate ISE directly with AD.
Q. What is the SecureX architecture?
A: The Cisco SecureX Architecture is a context-aware, network-centric approach to security from Cisco. SecureX architecture details can be found at
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-700240.html#wp9000078
Q. Where can we download the presentation?
A: https://supportforums.cisco.com/docs/DOC-35101
Q. Does SecureX support built-in IPS and IDS inline?
A: CX modules for ASA do support inline IPS as they will be on the same chassis as the firewall. The CX services module doesn't support it as of today; it's on the roadmap.
Q. Which authentication types are supported in TrustSec?
A: The following authentication types are supported with TrustSec:
Flexible authentication (FlexAuth) including
- IEEE 802.1X
- Web authentication (WebAuth)
- MAC authentication bypass (MAB)
- IEEE 802.1X-REV MACsec Key Agreement (MKA)
Please see
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/solution_overview_c22-591771.html#wp9000026 for more details.
Reference from: https://supportforums.cisco.com/docs/DOC-35563