Comments
With the included Security Plus license, two of the Cisco ASA 5510 interfaces are upgraded to Gigabit Ethernet and integration into switches is enabled through VLAN support. The same upgrade license also enables Active/Active and Active/Standby high-availability services.
The ASA 5510 adaptive security appliance now has the Security Plus license to enable GE (Gigabit Ethernet) on ports 0 and 1. If you upgrade the license from Base to Security Plus, the capacity of the external ports Ethernet0/0 and Ethernet0/1 increases from the original FE (Fast Ethernet, 100 Mbps) to GE (1000 Mbps). The Cisco ASA 5510 Security Bundle, ASA5510-SEC-BUN-K9 (Cisco ASA 5510 Security Plus Firewall Edition), includes 2 Gigabit Ethernet + 3 Fast Ethernet interfaces, 250 IPsec VPN peers, 2 SSL VPN peers, a 3DES/AES license, and console and auxiliary ports. The 5520 and up do not have Security Plus licensing; they come with the Base license and need nothing more to get the most performance out of the unit. Update: as Stojan pointed out in the comments, the 5585-X series does have Security Plus licenses, which enable the 10GB SFP+ slots.
- This post claims that you can run multiple contexts through GNS3.
It would be worth checking out, yes?
GNS3 • ASA 8.02 - Good old FW, but full tuned : HOWTOs - Page 2
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)

- Yeah, those things are expensive, man. Do you have partner status with Cisco? You may be able to get some non-production ASAs at a significant discount.
Currently Reading: CUCM SRND 9x/10, UCCX SRND 10x, QoS SRND, SIP Trunking Guide, anything contact center related

- Yeah, if you are looking to use an ASA 5510 for CCNP Sec studies, this rack rental deal looks pretty decent:
http://www.gigavelocity.com/rack-1-internetwork-expert-security-30-lab-5.html?zenid=dafec3427d9f076ecf8c21198a5c5629
Never used these guys, but I've heard good stuff.

- Thanks a lot guys, yeah wow. Hey, I do have SmartNet for our network devices at work; maybe I can ask them how much a non-production ASA 5510 would cost, for labbing things up. I am trying to mimic our setup at work. This guy who set it up made two firewalls, Outside and Inside, like old-school days with the two-firewall concept. I think it is cool but very confusing right now... I want to set the same thing up.
Hey, you guys don't know of any drawings out there that can help me map out these components? Firewall, L3 core switch, DMZ switch and gateway router. We use lots of VLAN interfaces and trunking. Our internet and WAN access go out the same gateway, so it is really confusing. I want to map/draw all the interfaces out and where they connect to, and a simple topology map gets really spaghetti-like. Do you guys know of any good drawing structure to map out in Visio multiple VLAN interfaces that again use the above? Firewall with outside and inside firewalls, L3 switch, gateway for both internet and WAN access, and DMZ switch:
L3 core switch
Firewall Outside
Firewall Inside
gateway for both internet and WAN access
DMZ switch
I am trying to find a method to map all the interfaces to see the idea of flow, and it is hard with your normal topology maps... thought maybe you guys knew of any way to map these components to be able to analyze them better. Hope this makes sense... thanks guys, will look into GNS3 too.
I am going to ask how much I can get one for if I have SmartNet with them already and let you know the deal they give me. See you soon.
- You can use Visio for diagrams. If you need that software, you can always download the images from vendors such as Cisco, unless you don't really need those.
I whipped this up using GNS3, in a couple minutes. (see attachment)

- Thanks instant000. I have Visio; I was looking for some kind of method to list many interfaces on a firewall with the inside and outside FWL contexts, to keep it clean. Yeah, I can make a normal topology map, but it is going to get weird with all those VLAN interfaces (subifs) I have on my FWL. Tons! Thanks man.
I will have to write small haha LOL, thanks... I wish all was as easy as GNS3... I guess GNS3 can run multiple contexts, huh? I heard this somewhere?

- I use DIA for diagrams, and gigavelocity has gotten me thru 4 of 5 CCSP exams.
- I have a 5505 ASA at home that I bought used for around $300... why not use that?
- Yeah, I have an ASA 5505 too, but it doesn't have the Security Plus license.
I want to practice with multiple contexts. Normally your ASA will create an admin context, so there is one, and then you can make one more context (virtual firewall), and there are 2; the ASA 5505 comes with only 2.
So I need 3 contexts to practice what we have at work.
We have
admin
Private
Internet
contexts, and well, I like to set up an exact system like we have at work to practice labs on, to make sure I understand our network. I change stuff on my lab; if it works great, it should work at work.

- Are any of you using any type of lab manual for CCNP:S?
- I am looking for one. I only have an ASA book I am going thru.
- I am torn... I am going for CCNP first, but at the same time, for my job,
going to try to master as much as I can the ASA 5510 which we have,
that has 3 contexts and also VPN technology...
- I'd consider your job requirements a priority. Besides, the more you work with a technology, the easier the exam will be whenever you get to it.
Remember, you don't have to get tunnel vision and overly focus on a cert.
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS

- Just get a good ASA book. Study up on that, and it'll help you a lot at work.
You can either get the ASA All-in-One, 2nd edition, or the Richard Deal ASA book, or the Firewall exam guide.
If you like reading cisco.com, make sure you read all of the ASA technotes that you can. They have a good amount out there, and the technotes are small, bite-sized chunks that you can read in one pass.
Stuff like packet trace and captures are awesome features to get familiar with, as well as the logging functions. If you ever have to troubleshoot how or why a connection's not working, these are great tools.
Also, remember the fundamentals of ASA:
1. ROUTES
2. statics
3. ACLS
make sure you check all three of those, whenever you have any sort of connectivity issue.
1. ROUTES - kinda self-explanatory. You need a way to route to that network you're connecting to, otherwise the uRPF check will fail. Be especially mindful of networks behind a DMZ interface. Also, be careful if you have certain routes that certain traffic takes, that may be particular to an application. For example, some traffic has to go through tunnels, so we send that to VPN devices, while other destinations are reached through the default route to the internet, so that gets sent there, and if you have many DMZs, often those DMZs have networks behind them, so make sure you route appropriately for those.
2. statics - (high, low) low high .... If you're being lax, these mirror your routes. If you're being tight, these mirror exactly what you're giving access to in your ACLs. Often when you have issues with a connection you're troubleshooting, a 'clear xlate' and/or 'clear conn' can save you.
3. ACLs - if you did CCNA, you pretty much know how to do these. These help you with providing access, making captures, etc. If you work on firewalls any measurable length of time, ACLs will be second nature to you.
good troubleshooting commands:
sh conn
sh xlate
sh log
clear xlate
clear conn
sh route
sh cap
Make sure you run through the packet trace utility a time or two. Quite interesting to see how that thing works, and which ACLs it tries first to compare against. Also, if you run it through against an existing connection, the simulated packet trace will use the fast path, also.
In my experience, the packet-trace tool doesn't appear to work 100%, but my experience is limited, and I haven't figured out all the quirks of it.
Also, running captures is a good friend for you, if you need to convince a server admin that you are receiving traffic for a server, and you are sending it to that server.
If you work in a highly compartmentalized environment, where different levels of switching and routing can be handled by different departments, you need to be able to verify that it's not the firewall's fault on a regular basis, and captures help a lot here.
Hope this helps!
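The three fundamentals above, worked through as an added ASA 8.2 configuration (constructed for this thread, not instant000's own config): one route, one static for a published DMZ server, the ACL that matches it, and the packet-tracer check. The interface names, addresses and the DMZ server are assumptions.

```cisco
! Constructed ASA 8.2 example (pre-8.3 NAT syntax); addresses are documentation ranges.
! Three interfaces: outside (0), dmz (50), inside (100).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! 1. ROUTES: default to the ISP, plus the campus network behind the L3 core switch.
!    Without the second route, replies to 10.2.0.0/16 fail the uRPF check on inside.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.2.0.0 255.255.0.0 10.1.1.254 1
!
! 2. STATICS: the "(high, low) low high" mnemonic from the thread.
!    The interface pair is (real_ifc,mapped_ifc); the addresses are mapped_ip real_ip.
!    Here the DMZ web server 192.168.50.80 is published as 203.0.113.80.
static (dmz,outside) 203.0.113.80 192.168.50.80 netmask 255.255.255.255
!    Inside hosts browse out via PAT on the outside interface address.
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
!    With nat-control on, even permitted DMZ->inside traffic needs a translation;
!    an identity static satisfies that without changing any address.
nat-control
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! 3. ACLs: pre-8.3 ACLs on the outside interface match the MAPPED address.
access-list outside_in extended permit tcp any host 203.0.113.80 eq www
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!    The DMZ may reach one inside host on one port and nothing else.
access-list dmz_in extended permit tcp host 192.168.50.80 host 10.1.1.20 eq 1433
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Verification: walk a simulated SYN through routes, NAT and ACLs.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.80 80 detailed
! After changing a static, flush stale translations so the new one is built.
clear xlate
show xlate
show conn address 192.168.50.80
```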
- instant000, question on best practices.
Okay, we have a lot of VPN routers for many vendors coming into our network, including our own ASA 5505 remote access VPN device.
What is common practice: to have all VPN gateways flow thru the firewall
and get inspected? Or pass to the gateway? Do both the public side and the LAN side get inspected for vendor VPNs, or what is the best really?
ROUTES I get
ACLS I get
I don't know what statics are

- Is this your network?
[remote vpn] - [ internet]- [router]- [firewall] - [local vpn] - <IDS> [local network]
or is this your network?
[remote vpn] - [internet] - [router] - [local vpn] - [firewall] - <IDS> - [local network]
Obviously, I prefer the second network. My reasoning is that typically, you put some type of IDS/IPS on your network somewhere before your local network. You can't really 'inspect' the VPN traffic using your firewall, as it should all be encrypted, so you're going to need permit statements for ESP/500 to go through your firewall, and whatever they're doing is getting through to your network, unless the IDS/IPS stops it.
Whereas in the second network, look how you have the router at the top filtering out a lot of bogus stuff (RFC 1918/RFC 3330), then the VPNs; then, even if it does survive to make it to the VPN, it comes out ready to get inspected by the firewall, then, if it survives that, it has to go through IDS/IPS before hitting your local network.
Truth be told, you'd see more firewalls, more IPS, and more routers in the standard networks I work with, so as you can imagine, you can probably draw a lot more complex drawings, if you wanted to.... Imagine segmenting it off so that all your VPN traffic came in a certain way, and then you sniffed the traffic, just to make sure it was only VPN traffic on the link, for good measure. ... If you have enough money, you can really get carried away with this stuff.
But all of this does nothing for you if you don't educate your users to not click on links in emails and go all over the net clicking on stuff haphazardly.
This, my friends, is called Defense in Depth. That'll be $1,000 for the consult. Oh wait, you want Cisco DID? In that case, it'll be $2,500 for the consult.
In some cases, if you don't have the translation specified, the traffic won't pass across the interfaces, even IF you have an access-list configured.
ROUTES I get
ACLS I get
I don't know what statics are
Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Information About NAT [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
Make sure to read the stuff about nat control and identity nat.
And, if you can understand ACLs, and high/low security interfaces, you can understand how to set up the statics. Just lab it up, no big deal.

- [remote vpn] - [internet] - [DMZ] - [IPS iSensor] - [firewall] - <router> - [local vpn gateway] - [local lan]
Just don't know why the previous engineer would have VPNs get static routed thru the firewall if the VPNs cannot be inspected? Isn't that a lot of work? I suppose they could get inspected when they come out on the LAN side... maybe that is what the ASA is configured for, inspecting on the LAN side coming out... I am still trying to figure out what it is doing, but it could be inspecting the traffic when it comes out on our LAN side.
Maybe, after all I said above, he is just directing it thru and inspecting traffic going in and out of the LAN side... then it could inspect it since the VPN tunnel starts on the WAN side, huh? Never thought of that, will be looking more... thanks man!

- ROUTES I get
ACLS I get
I don't know what statics are
The static statements are for NAT translation, and if you aren't used to them the syntax seems backwards.

- Umm, no, that traffic's not being inspected by the firewall, as it's encrypted if it's going through the VPN. You most definitely have some type of ESP ACL allowing that traffic through.
Does your setup look like this link (or similar)?
PIX/ASA (Version 7.x and Later) IPsec VPN Tunnel with Network Address Translation Configuration Example - Cisco Systems
A lot of orgs want to see your traffic unencrypted, which is why you sometimes end up with extensive proxy setups, and any attempts to use encrypted traffic to unapproved destinations send out red flags when the log review guys look through their logs.
Anyway, check out this article, where it allows the encrypted traffic through the firewall. You probably have a similar setup.
If it was my network, I would want them to have to terminate the VPN BEFORE they went through my firewall.
I can think of one reason why they use the tunnel (the app they are tunneling uses a lot of ports and protocols that are poorly documented, so it may not be a simple matter to get it working through the firewall)
Even with that said, you need to make sure you communicate to someone higher in your organization that those guys coming in through the VPN tunnel aren't being inspected by the firewall, and represent a greater security risk to you than they do otherwise.
Let me be clear on the 'unencrypted' piece. I'm referring to orgs who set up IDS/IPS/logging whatever, and they want to capture that traffic unencrypted that enters and exits their network.
With the setup you have above, someone could snatch the data out of your home network, and the Firewall/IDS/IPS wouldn't be there to catch it, as it got encrypted before you could inspect it.
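As an added example (not instant000's configuration, and not the OP's), here is how the "VPN passes through the firewall" case looks on an ASA 8.2 when the ESP/IKE rule is scoped to one known vendor peer instead of any host. The interface names, addresses and the vpnlan interface are assumptions; the vpnlan part goes beyond the thread's linear sketch to show the decrypted side crossing the firewall, which is the "terminate the VPN BEFORE the firewall" placement recommended above.

```cisco
! Constructed ASA 8.2 example for the thread's "VPN through the firewall" case.
! Topology: [vendor vpn] - [internet] - [ASA outside] - [local vpn gateway] - [LAN]
! Assumed: vendor peer 198.51.100.5; local gateway 10.1.1.10 published as 203.0.113.10.
!
! The ASA cannot inspect what is inside ESP. All it can decide is WHICH peers
! may build tunnels and WHERE they terminate, so the rule names one peer only.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list outside_in extended permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-list outside_in extended permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
access-list outside_in extended permit esp host 198.51.100.5 host 203.0.113.10
! Too broad (do not use): any Internet host could start IKE/ESP with the gateway.
! access-list outside_in extended permit esp any host 203.0.113.10
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! What the ASA CAN inspect is the decrypted side. Instead of plugging the
! gateway's LAN leg straight into the core switch, give it its own ASA
! interface so the cleartext flows are filtered and logged before the LAN.
! nat-control is left at its default (off), so vpnlan->inside needs no static.
interface Ethernet0/2
 nameif vpnlan
 security-level 60
 ip address 10.1.2.1 255.255.255.0
! Vendor users may reach one application server on one port; all else is logged.
access-list vpnlan_in extended permit tcp 10.1.2.0 255.255.255.0 host 10.1.1.50 eq 443
access-list vpnlan_in extended deny ip any any log
access-group vpnlan_in in interface vpnlan
!
! Verification: the outside side shows only the ESP/IKE flows from the vendor
! peer, while the cleartext sessions appear on vpnlan and denies in the log.
show conn address 198.51.100.5
show conn address 10.1.2.0 netmask 255.255.255.0
show logging | include vpnlan_in
```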
- The static statements are for NAT translation, and if you aren't used to them the syntax seems backwards.
True dat.
- So you would have it terminate before the firewall and then inspect the LAN.
If it was my network, I would want them to have to terminate the VPN BEFORE they went through my firewall.
Traffic static routed to and from the terminated VPN end, right?
So maybe that is what the firewall is doing?

- The big thing on contexts is for active/active failover. Essentially, you have two firewalls that you want active... you set up contexts so you have virtual firewalls.... For instance, physical firewalls 1 and 2, and virtual firewalls A (active), a (passive for A), B (active), and b (passive for B). Firewall 1 has virtual firewalls A and b, and firewall 2 has virtual firewalls a and B. So, it is like a dual active/passive setup, and while all hardware is active, each unit has only one active virtual firewall. Assuming firewall 2 fails, firewall 1 assumes the active role for both firewalls and will have firewalls A and B.
I am not sure if I explained that well.... but that is really the purpose of the contexts.

- Powerfool, what this guy did is he has two contexts apart from the admin context, of course. He created an INTERNET virtual context and a PRIVATE virtual context, and their respective zones... the INTERNET context has the NATing and DMZ, and the PRIVATE deals with, I think, the VPNs coming in off of the DMZ? If that makes sense. It is kind of confusing, but I am having a CCIE,
which I am paying to come in and teach me all my questions about our main site and its architecture. Very cool... I get to pay someone to teach me my networks. I am 75 to 80 percent sure of how it works, but that 25 percent I want to make darn sure. I know, LOL! I will let you know what I discovered when I contract a CCIE out...
Thanks so much... and I have decided to buy another firewall at work as a spare and practice on it vs. using GNS3.
I have played with the GNS3 ASA firewall and it is very buggy, and for those of you who got it working with no bugs I am glad for you, but I followed all the steps on the forums with the flash issue and multiple context issue and I got no results. Seems buggy, so I have decided, since I am boss hahaa, to just buy an extra ASA 5510 with SP license to practice on at work. It is good to be king! haahhah LOL. Thanks guys for the help.
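Powerfool's A/a, B/b layout, written out as an added ASA 8.2 configuration for the admin/PRIVATE/INTERNET contexts described in this thread. This is a constructed example, not the OP's work config; the failover interface, VLAN numbers, config file names and the shared-secret placeholder are assumptions.

```cisco
! Constructed example; needs multiple-context mode and two identical units with
! the Security Plus license, which this thread notes is what enables failover
! and VLAN support on a 5510. "mode multiple" is entered once per unit and reloads.
! Group 1 = Powerfool's "A" (active on primary), group 2 = "B" (active on secondary).
failover
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link folink Ethernet0/3
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover key <failover-shared-secret-placeholder>
!
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! VLAN subinterfaces handed to the two data contexts.
interface Ethernet0/0.10
 vlan 10
interface Ethernet0/0.20
 vlan 20
interface Ethernet0/1.10
 vlan 110
interface Ethernet0/1.20
 vlan 120
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
! PRIVATE rides group 1: active on unit 1, its standby copy ("a") on unit 2.
context PRIVATE
 allocate-interface Ethernet0/0.10
 allocate-interface Ethernet0/1.10
 config-url disk0:/private.cfg
 join-failover-group 1
!
! INTERNET rides group 2: active on unit 2, its standby copy ("b") on unit 1.
context INTERNET
 allocate-interface Ethernet0/0.20
 allocate-interface Ethernet0/1.20
 config-url disk0:/internet.cfg
 join-failover-group 2
!
! "show failover" lists the state of group 1 and group 2 on both units; when one
! unit fails, its peer reports both groups Active, which is Powerfool's
! "firewall 1 ... will have firewalls A and B" case. The secondary unit needs
! only "failover lan unit secondary" plus the same folink settings.
show failover
```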
For failover, Cisco ASA 5505, ASA 5510, and ASA 5512-X appliances must have the Security Plus license installed. For clustering, all participating Cisco ASA 5585-X appliances with SSP-10 and SSP-20 must have either the Base license or the Security Plus license.