I'm planning on replacing a dated inline Sonicwall device with an ASA 5505 to handle only VPN routed traffic. What I mean by this is:
- Traffic is passed to the ASA only if it has a destination to the IPsec VPN destination
- 7 IPsec peers
- Inbound IPsec is handled by an edge device and routed to the ASA for sourced IPsec
- All other RX/TX traffic is handled and routed normally
- Single internet circuit with /27 space
Haven't put a lot of thought into the design, but it's something I need to start preparing for. I'm not sure if the 5505 is good for what I want, but it's only for a small amount of routes. I'm redesigning our WAN and have considerations that may include creating IPsec failover routes for failed site traffic to this location over best effort business class circuits that do not include QoS.
2nd Q: If I want to design a failover model for multi-site traffic to traverse this ASA in case of our MoE being down - total of 20ish VPNs, including voice and data - should I ditch the 5505 and go with the 5510? I think the answer is obvious, but we already own the 5505 and it's collecting dust until I get around to working on this..
sorry if this isn't clear - Eating bacon and typing at the same time =)
Thanks.
I realize you already own the 5505, but the 5506 is out, and it has a lot more horsepower than the 5505. I would consider that over a 5505 and 5510, because of a longer support model, but not a 5512. They are still reasonably priced.
Yea? I guess I'm not up to par on the ASA models. Thanks for the tip; when my design is done and I submit my change requests I'll include the proposal to return this 5505 to our vendor for credit.
I don't see the 5506 listed in their next gen security product line.. The virtual 1000v firewall looks really cool.. I'm planning on implementing the Nexus 1000v virtual switch on Hyper-V - I also already deployed Microsoft VMM. So that's a real possibility.. I like the idea of setting up a virtual ASA to manage these routes.. Thoughts?
Quote from: scottsee on February 15, 2015, 10:29:00 AM
I don't see the 5506 listed in their next gen security product line..
They must have pulled it, it was there last week. I was surprised to see it and started the ball rolling to get a few via NFR. It has 8 x 1GE interfaces + 1 Mgmt interface. IIRC, the FW throughput was listed at 750 mbps.
http://www.cdw.com/shop/products/CISCO-ASA-5506-X-W-FIREPOWER-SVC/3616643.aspx?enkwrd=ASA5506-K9
They did a poor job at removing it. The comparison table here:
http://www.cisco.com/c/en/us/products/security/asa-firepower-services/models-comparison.html
now has the 5505, but the paragraph above it says:
Quote: This table shows the next-generation firewall capabilities and capacities of the Cisco ASA with FirePOWER Services for Cisco ASA 5506-X, 5512-X and 5515-X Models.
5506-X sounds totally cool. That or a 5512-X, but you need to make sure you have the additional security license for the 5512-X so it'll do everything you'll want it to do.
What's the industry consensus on having an ASA as a virtual appliance? If I were to opt to go with a Hyper-V and VMM managed ASA 1000v acting as my IPsec managed device, will it play well with upstream devices? Or will I need it on the edge?
It sounds ironic, but if you want the really good dynamic stuff like DMVPN, GETVPN, FlexVPN etc. you need a router. Throughput sucks compared to an equivalent firewall.
Quote from: wintermute000 on February 15, 2015, 01:37:47 PM
Throughput sucks compared to an equivalent firewall
Especially with SSL VPN encryption.
Yeah LOL. I remember an issue a few years back when a customer asked me "is 1M throughput on my 1841 really normal on SSLVPN?". Half an hour of labbing later.....
Re: placement of the VM - you really want the public IP on the VM natively, so you're going to have to put the VM in your DMZ/public facing segment regardless. If you don't have a dedicated host in that segment, run a VLAN through to a separate vSwitch, or even a dedicated pNIC to vSwitch, and pray security deems virtual/hypervisor separation to be good enough. I've had success running static IPsec tunnels to/from pfSense VMs before, but I haven't seen anyone deploy vASA in prod.
Dean or the other sec guys, has Cisco released any VPN goodies in the X range that are different from the past? I just recall all the dynamic routing VPN stuff being on ISRs/ASRs only, which was hilariously ironic (aside from EZVPN, which is just a gimped, non-scalable, hub and spoke only version of DMVPN IIRC, though I could be wrong). Just labbed up FlexVPN actually, my god it's just getting more and more complicated :p
The X range is more for the SourceFire stuff. Nothing new in VPN-land, from what I gather.
And the virtual firewalls in the Nexus are NOT the firewalls you're looking for.
Quote from: deanwebb on February 16, 2015, 09:01:12 AM
The X range is more for the SourceFire stuff. Nothing new in VPN-land, from what I gather.
And the virtual firewalls in the Nexus are NOT the firewalls you're looking for.
Cool.. I'll do some research and take my suggestions to leadership and see what they want to do.. I'm seriously considering adding OSPF over our WAN, so I'll need to adjust my proposal to accommodate multi-site resiliency.
I've said this in the other thread, but make sure you can actually run OSPF over your WAN. Typically this means you have a layer 2 WAN, i.e. a VPLS.
If it's a layer 3 WAN your provider will need to play ball, which (outside of the US anyway) is pretty much no chance. Besides, do you really want your provider integrated into the core of your IGP as a big black "there be dragons" bit where you have no control or visibility?
The 5506 specs are here:
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html
Noice. Thanks for the link, javentre.
I pulled the trigger today and bought 2 x ASA 5525-X to put into Active/Active ... Should get them tomorrow.. :eek:
I hate to tell you this but you can't route over an ASA IPSEC VPN because for some retarded reason Cisco decided that GRE is no good on an ASA.
Hence no encapsulation, hence no VTIs, hence no routing protocols over your VPNs.
Throughput will beat the pants off a router, but for routing failover purposes you're going to have to find another way, e.g. IP SLA and/or duct tape aka route-maps somewhere else.
Whereas if you ran IPsec tunnels from VTI interfaces or DMVPN on an ISR, you could have run any IGP or BGP over the top.
Dean or another guru may come in and stomp me with new knowledge, but that was the case when I was heavily ASA-ing a couple of years back and I haven't seen anything new in this regard.
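The two options wintermute000 contrasts above, written out as an added IOS configuration example that is not from this thread and not Cisco's own documentation. The first part is the "duct tape" approach for a router sitting in front of a policy-based ASA tunnel: an IP SLA probe tracks reachability through the tunnel and a tracked static route falls back to the MoE path when the probe fails. The second part is the ISR alternative with an IPsec VTI so OSPF can run over the tunnel. All addresses (RFC 5737 and RFC 1918 ranges), interface names, SLA/track numbers, profile names and the pre-shared key placeholder are constructed assumptions; the assumed topology is 10.0.0.2 for the ASA inside interface, 10.0.0.3 for the MoE router, 10.20.0.0/16 as the remote site LAN and 10.20.0.1 as a host there that answers ICMP.

```cisco
! ===== Part 1: router in front of the ASA, tracked static route failover =====
! Constructed addressing (assumed, not from the thread):
!   10.0.0.1      this router's inside address
!   10.0.0.2      ASA inside interface (primary path, IPsec to remote site)
!   10.0.0.3      MoE/WAN router (backup path)
!   10.20.0.0/16  remote site LAN reached over the tunnel
!   10.20.0.1     a host at the remote site that answers ICMP (probe target)
!
! Pin the probe target to the ASA path with an untracked /32. Without this,
! once the tracked route is withdrawn the probe would go out the backup path,
! succeed, re-install the primary route, and the route would flap.
! Pick a probe target that users do not depend on: this /32 stays blackholed
! while the tunnel is down.
ip route 10.20.0.1 255.255.255.255 10.0.0.2
!
ip sla 10
 icmp-echo 10.20.0.1 source-ip 10.0.0.1
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Track reachability and damp transitions so a single lost echo does not fail over.
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Primary: remote LAN via the ASA, withdrawn from the RIB when track 10 is down.
ip route 10.20.0.0 255.255.0.0 10.0.0.2 track 10
! Backup: same prefix via the MoE router at a worse administrative distance.
ip route 10.20.0.0 255.255.0.0 10.0.0.3 200
!
! ===== Part 2: ISR alternative, IPsec VTI with OSPF over the top =====
! 198.51.100.1 is the assumed remote tunnel endpoint; 172.16.255.0/30 is the
! assumed tunnel link; 10.10.0.0/16 is the assumed local LAN.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
! Routed tunnel interface: the VTI is a real interface, so routing protocols
! see it as a link and converge on tunnel state instead of on an external probe.
interface Tunnel0
 ip address 172.16.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router ospf 1
 network 172.16.255.0 0.0.0.3 area 0
 network 10.10.0.0 0.0.255.255 area 0
```

Part 1 scales poorly: every remote prefix needs its own probe, track and route pair, and a probe can only report that its one target answers, not that the tunnel as a whole is healthy. For the 20-site failover design discussed earlier in the thread, Part 2 is the shape that lets the IGP do the work, which is the point wintermute000 is making about VTIs on a router versus a policy-based tunnel on the ASA.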
This is why we're looking at Juniper and Checkpoint as VPN solutions.