
ASA as it is. Introduction. What it cannot do
Preface: teaching Cisco security courses (seven years now, and counting :)) I keep running into the same questions. For a long time I have wanted to put the answers down on paper so that I don't have to repeat the same things over and over :) So I will try to summarize the main features of the Cisco ASA, how to configure the main technologies from the CLI (configuring through the web interface is not hard once you understand the technology), and a few design points. Unless stated otherwise, I am talking about OS version 8 and later.
So I will start with a topic that matters a great deal to the people who configure, design and pre-sell these boxes: what the ASA cannot do.
I often run into a situation where the hardware has already been bought, "thanks" to the efforts of the salespeople, and only then does it turn out that it cannot do what the project requires. The critical points are:
1. Load sharing across parallel paths (equal-cost multipath). Although the ASA is a layer 3 device and works reliably with RIPv1/v2, OSPF and EIGRP, it does not support equal-cost routes: only one route per destination ever makes it into the routing table. If there are several routes with the same metric (sent by OSPF, for example), the first one is chosen :) If it disappears, the second one is installed immediately. In particular, this is why you cannot configure two default routes out of different interfaces ( route [int] 0 0 [next-hop] ).
2. The ASA does not support Policy Based Routing (PBR), i.e. you cannot force a packet out of a specific interface based on its source address (as a reminder, on a router this is done with a route-map applied to the inbound internal interface). A cruel joke is played on many router people meeting the ASA for the first time by the fact that there IS a route-map on the ASA! It is used exclusively for route redistribution.
3. There are no virtual interfaces (Tunnel, Loopback) on the ASA. Consequently it does not support GRE tunnels (a great pity!), and therefore not the convenient DMVPN technology either.
These are probably the main points. There are a number of other inconveniences, but as a rule they are not critical in projects. Among them:
1. There is no telnet or SSH client on the ASA, so you cannot hop from the ASA to another device.
2. The ASA has no "internal" routing, i.e. routing between its own interfaces. It is impossible to reach the outside interface address from the inside zone. With the move to the Linux-based OS there were some shifts in this direction, though: for example, the address of the inside interface can be "seen" through an IPsec tunnel, and you can manage the ASA through the tunnel by connecting to the address of the inside interface (you have to give the command management-access [int] ). For the same reason, the interface through which a given address is reachable must be stated explicitly on the ASA, for example the next-hop address of a static route:
route outside 0 0 192.168.1.1
or the address of an authentication server:
aaa-server TAC (inside) host 10.1.1.100
3. On the ASA you cannot land directly at privilege level 15: you are always asked to enter enable first.
4. On the ASA you cannot see the startup configuration as a file in any file system (on a router that file lives in nvram :). The running-config, on the other hand, can be viewed as a file:
more system:running-config
5. On the ASA you cannot simply load a new OS image to get new functionality. All the functionality is already "wired" into the OS, and features are unlocked by the license (activation key).
6. The ASA cannot act as a PPTP server, nor as a PPTP client.
7. Prior to version 8.2 a much-needed feature was missing: statistics collection via NetFlow.
Keeping this short list in mind, I hope you can avoid disappointment when working with this reliable and convenient piece of hardware.
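The list above is exactly what you want to check before a router configuration is "ported" to an ASA. The following script is an added illustration, not code from the original article or from Cisco: it parses an IOS-style config and flags the features the article says the ASA 8.x cannot take over (equal-cost routes, PBR, Tunnel/Loopback interfaces, PPTP, and NetFlow export before 8.2). The sample configuration, rule names and the `lint_for_asa` function are assumptions made up for the example.

```python
"""Lint an IOS-style config for router features a Cisco ASA 8.x cannot offer.

Added illustration; the rules encode the article's list of ASA limitations.
The sample config, rule ids and function names are constructed for the example.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample of a router config that someone wants to move to an ASA.
SAMPLE_IOS_CONFIG = """\
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map PBR-INSIDE
route-map PBR-INSIDE permit 10
 match ip address 101
 set ip next-hop 192.168.2.1
route-map OSPF-TO-EIGRP permit 10
 match ip address prefix-list CORE
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.20.0.0 255.255.0.0 10.1.1.254
ip flow-export destination 10.1.1.50 9996
vpdn-group PPTP
 accept-dialin
  protocol pptp
"""


class Finding(NamedTuple):
    rule: str    # short rule id
    detail: str  # what was found and why the ASA cannot take it over


def _parse_blocks(config_text):
    """Return [(header, [sub-command lines])] for each top-level stanza.

    IOS-style configs indent sub-commands; an unindented line opens a new stanza.
    Nested indentation (e.g. under vpdn-group) is flattened into the same list."""
    blocks, header, children = [], None, []
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            if header is not None:
                blocks.append((header, children))
            header, children = raw.strip(), []
        else:
            children.append(raw.strip())
    if header is not None:
        blocks.append((header, children))
    return blocks


def lint_for_asa(config_text, asa_version=(8, 0)):
    """Return a list of Finding for features an ASA of the given version lacks."""
    findings = []
    routes = defaultdict(list)  # (prefix, mask) -> [next hops]

    for header, children in _parse_blocks(config_text):
        m = re.match(r"interface (\S+)", header)
        if m:
            name = m.group(1)
            if re.match(r"(Tunnel|Loopback)\d", name):
                findings.append(Finding("no-virtual-interface",
                    f"{name}: the ASA has no Tunnel/Loopback interfaces (no GRE, no DMVPN)"))
            for line in children:
                pm = re.match(r"ip policy route-map (\S+)", line)
                if pm:
                    findings.append(Finding("no-pbr",
                        f"{name}: 'ip policy route-map {pm.group(1)}': "
                        "ASA route-maps only work for redistribution"))
            continue
        rm = re.match(r"ip route (\S+) (\S+) (\S+)", header)
        if rm:
            routes[(rm.group(1), rm.group(2))].append(rm.group(3))
            continue
        if header.startswith("ip flow-export") and asa_version < (8, 2):
            findings.append(Finding("no-netflow-before-8.2",
                f"'{header}': NetFlow export needs ASA 8.2 or later"))
            continue
        if header.startswith("vpdn-group") and any("protocol pptp" in c for c in children):
            findings.append(Finding("no-pptp",
                f"'{header}': the ASA is neither a PPTP server nor a PPTP client"))

    # Equal-cost routes: the ASA installs only one route per destination.
    for (prefix, mask), hops in routes.items():
        if len(hops) > 1:
            what = "default route" if prefix == "0.0.0.0" else f"route to {prefix} {mask}"
            findings.append(Finding("no-ecmp",
                f"{len(hops)} next hops for the {what} ({', '.join(hops)}): "
                "the ASA will install only one"))
    return findings


if __name__ == "__main__":
    for f in lint_for_asa(SAMPLE_IOS_CONFIG):
        print(f"[{f.rule}] {f.detail}")
```

Run against the sample it reports six findings; passing `asa_version=(8, 2)` drops the NetFlow one. The checks are deliberately string-based so they can be run on a config dump before the hardware is ordered.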
Now let's talk about what you can do with the ASA:
1. Routing, including dynamic routing
2. NAT in every form you can imagine
3. Stateful firewall
4. Modular Policy Framework (MPF, a design for sorting packets into classes and applying various actions to them, for example prioritization and bandwidth limiting)
5. Deep inspection of "complex" protocols (FTP, H.323, SIP, TFTP, IPsec, etc.)
6. AAA, including cut-through (intercept) authentication
7. IPsec site-to-site, Easy VPN server (the ASA 5505 can also be a hardware client)
8. SSL VPN gateway
9. Virtual firewalls (contexts)
10. Failover (Active/Standby and Active/Active)
11. Transparent firewall (layer 2 "transparent" mode)
I will talk about these technologies in more detail later, as I find the time and energy :)
(To be continued)
PS If you remember something else the ASA cannot do compared with a router, don't keep it to yourself, write :) If you cannot do it here, write to me on the anticisco.ru forum, in the "The rest" section.