adding ASA for only VPN routes

Started by scottsee, February 15, 2015, 09:58:38 AM


scottsee

I'm planning on replacing a dated inline Sonicwall device with an ASA 5505 to handle only VPN routed traffic. What I mean by this is:


  • Traffic is passed to the ASA only if it has a destination to the IPsec VPN destination
  • 7 IPsec peers
  • Inbound IPsec is handled by an edge device and routed to the ASA for sourced IPsec
  • All other RX/TX traffic is handled and routed normally
  • Single internet circuit with /27 space

Haven't put a lot of thought into the design, but it's something I need to start preparing for. I'm not sure if the 5505 is good for what I want, but it's only for a small amount of routes. I'm redesigning our WAN and have considerations that may include creating IPsec failover routes for failed site traffic to this location over best effort business class circuits that do not include QoS.

2nd Q: If I want to design a failover model for multi-site traffic to traverse this ASA in case our MoE is down (a total of 20-ish VPNs, including voice and data), should I ditch the 5505 and go with the 5510? I think the answer is obvious, but we already own the 5505 and it's collecting dust until I get around to working on this..

sorry if this isn't clear - Eating bacon and typing at the same time =)

Thanks.
scott see

javentre

I realize you already own the 5505, but the 5506 is out, and it has a lot more horsepower than the 5505.  I would consider that over a 5505 and 5510, because of a longer support model, but not a 5512.  They are still reasonably priced.
http://networking.ventrefamily.com

scottsee

Yeah? I guess I'm not up to par on the ASA models. Thanks for the tip; when my design is done and I submit my change requests, I'll include the proposal to return this 5505 to our vendor for credit.

scottsee

I don't see the 5506 listed in their next-gen security product line.. The virtual 1000v firewall looks really cool.. I'm planning on implementing the Nexus 1000v virtual switch on Hyper-V, and I have also already deployed Microsoft VMM, so that's a real possibility.. I like the idea of setting up a virtual ASA to manage these routes.. Thoughts?

javentre

Quote from: scottsee on February 15, 2015, 10:29:00 AM
I don't see the 5506 listed in their next gen security product line..

They must have pulled it, it was there last week.  I was surprised to see it and started the ball rolling to get a few via NFR.  It has 8 x 1GE interfaces + 1 Mgmt interface.  IIRC, the FW throughput was listed at 750 mbps.

http://www.cdw.com/shop/products/CISCO-ASA-5506-X-W-FIREPOWER-SVC/3616643.aspx?enkwrd=ASA5506-K9

javentre

They did a poor job at removing it.  The comparison table here:
http://www.cisco.com/c/en/us/products/security/asa-firepower-services/models-comparison.html

now has the 5505, but the paragraph above it says:
Quote: This table shows the next-generation firewall capabilities and capacities of the Cisco ASA with FirePOWER Services for Cisco ASA 5506-X, 5512-X and 5515-X Models.

deanwebb

5506-X sounds totally cool. That or a 5512-X, but you need to make sure you have the additional security license for the 5512-X so it'll do everything you'll want it to do.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

scottsee

What's the industry consensus on having an ASA as a virtual appliance? If I were to opt to go with a Hyper-V and VMM managed ASA 1000v acting as my IPsec managed device, will it play well with upstream devices, or will I need it on the edge?

wintermute000

It sounds ironic, but if you want the really good dynamic stuff like DMVPN, GETVPN, FlexVPN etc., you need a router. Throughput sucks compared to an equivalent firewall.

javentre

Quote from: wintermute000 on February 15, 2015, 01:37:47 PM
Throughput sucks compared to equivalent firewall

Especially with SSL VPN encryption.

wintermute000

Yeah, LOL. I remember an issue a few years back when a customer asked me "is 1M throughput on my 1841 really normal on SSLVPN?". Half an hour of labbing later.....

Re: placement of the VM - you really want the public IP on the VM natively, so you're going to have to put the VM in your DMZ/public-facing segment regardless. If you don't have a dedicated host in that segment, run a VLAN through to a separate vSwitch, or even a dedicated pNIC to vSwitch, and pray security deems virtual/hypervisor separation to be good enough. I've had success running static IPsec tunnels to/from pfSense VMs before, but I haven't seen anyone deploy vASA in prod.

Dean or the other sec guys, has Cisco released any VPN goodies in the X range that are different from the past? I just recall all the dynamic routing VPN stuff being on ISRs/ASRs only, which was hilariously ironic (aside from EZVPN, which is just a gimped, non-scalable, hub-and-spoke-only version of DMVPN IIRC, though I could be wrong). Just labbed up FlexVPN actually; my god, it's just getting more and more complicated :p

deanwebb

The X range is more for the SourceFire stuff. Nothing new in VPN-land, from what I gather.

And the virtual firewalls in the Nexus are NOT the firewalls you're looking for.

scottsee

Quote from: deanwebb on February 16, 2015, 09:01:12 AM
The X range is more for the SourceFire stuff. Nothing new in VPN-land, from what I gather.

And the virtual firewalls in the Nexus are NOT the firewalls you're looking for.

Cool.. I'll do some research and take my suggestions to leadership and see what they want to do.. I'm seriously considering adding OSPF over our WAN, so I'll need to adjust my proposal to accommodate multi-site resiliency.

wintermute000

I've said this in the other thread, but make sure you can actually run OSPF over your WAN. Typically this means you have a layer 2 WAN, i.e. a VPLS.

If it's a layer 3 WAN, your provider will need to play ball, which (outside of the US anyway) is pretty much no chance. Besides, do you really want your provider integrated into the core of your IGP as a big black "there be dragons" bit where you have no control or visibility?
