
ASA as it is. Introduction: what it cannot do

Preface: I have been teaching Cisco security courses for seven years now (quite a few of them :)), and I keep running into the same questions. I have long wanted to put the answers down on paper, because repeating the same thing over and over is no longer possible :) So I will try to describe briefly the main features of the Cisco ASA, the configuration of the basic technologies via the CLI (once you understand the technology, configuring it through the web interface is not hard), and a few design points. Unless explicitly stated otherwise, we are talking about OS version 8 and later.


So let me begin with a topic that is very important for designers, architects and presales engineers: what the ASA cannot do.

I often come across a situation where the hardware has already been bought, "thanks to" the efforts of the sales people, and only then does it turn out that the required technology is not supported. These critical points include:
1. Load sharing across parallel paths (routes with equal metrics). Although the ASA is a Layer 3 device and works reliably with RIPv1/v2, OSPF and EIGRP, it does not support redundant routes, i.e. only one route to a given destination ever gets into the routing table. If there is more than one route with the same metric (for example, learned via OSPF), whichever is selected first is used :) When it disappears, the second one appears immediately. In particular, this is why you cannot configure two default routes ( route [int] 0 0 [next-hop] ).
2. The ASA does not support Policy Based Routing (PBR), i.e. you cannot force a packet out of a specific interface based on its source address (recall that on routers this is done with a route-map applied inbound on the internal interface). A cruel joke has been played on many router administrators meeting the ASA for the first time by the fact that the ASA does have a route-map! Only it is used exclusively for route redistribution.
3. The ASA has no virtual interfaces (tunnel, loopback). Therefore it does not support GRE tunnels (a great pity!), and consequently the very convenient DMVPN technology.
Those are perhaps the main points. There are a number of further inconveniences, but as a rule they are not critical in projects. These include:
1. The ASA has no telnet or ssh client, i.e. you cannot go anywhere from the ASA.
2. The ASA has no "internal" routing, that is, routing within itself: getting from the inside zone to the outside interface will fail. However, with the move to the Linux-based OS some progress has appeared in this direction: for example, you can "see" the address of the internal interface through an IPSec tunnel, and you can allow the ASA to be managed through the tunnel by connecting to the address of the internal interface (you must give the command management-access [int] ). This is also why, on the ASA, you must explicitly specify the interface through which a given address is reachable, for example the next-hop address when defining a static route

route outside 0 0 192.168.1.1

or when setting the authentication server

aaa-server TAC (inside) host 10.1.1.100

3. It is not possible to log into the ASA directly at privilege level 15 without an additional enable prompt.
4. On the ASA you cannot see the startup configuration as a file in any file system (on a router this file lives in nvram :). The running-config, however, you can view with:
more system:/running-config
5. On the ASA you cannot simply upload a new OS image to get new functionality. All the functionality is already "sewn into" the OS, and features are enabled with a license (activation key).
6. The ASA cannot act as a PPTP server, nor can it be used as a PPTP client.
7. Prior to version 8.2, a much-needed feature was missing: statistics collection using NetFlow.
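Two of the points above can be shown in a single configuration fragment: the single-default-route behaviour from item 1 of the critical list (only one default route is installed at a time, and a second one with the same metric cannot be added), and the interface-qualified addressing from item 2 of this list (static route next-hop, AAA server, management access to the inside interface over the tunnel). This is an added example, not a fragment from the original post. The interface names (outside, backup, inside), addresses and the server name TAC are made up, and the backup route uses the common workaround of a floating static route with a higher metric plus SLA tracking, which the post itself does not describe.

```cisco
! Added example (not from the original post): interface names, addresses and
! the server name are made up.
!
! Tracking object: ping the primary next-hop every 10 s through "outside".
sla monitor 1
 type echo protocol ipIcmpEcho 192.168.1.1 interface outside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route. The next-hop is always qualified with the interface
! behind which it lives; the ASA will not work that out by itself.
! Metric 1 + "track 1": the route is withdrawn when the pings fail.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
!
! Floating backup default route: the higher metric (254) keeps it out of the
! routing table until the primary is withdrawn. A second default route with
! the same metric as the primary is not accepted (see item 1 above).
route backup 0.0.0.0 0.0.0.0 10.0.0.1 254
!
! The same rule applies to the AAA server: the interface in parentheses is
! mandatory, otherwise the ASA does not know where 10.1.1.100 is reachable.
aaa-server TAC protocol tacacs+
aaa-server TAC (inside) host 10.1.1.100
 key PLACEHOLDER-SHARED-SECRET
!
! Allow the inside interface address to be reached (and the ASA to be managed)
! through the VPN tunnel terminating on "outside".
management-access inside
!
! Verification: which default route is currently installed, and the running
! configuration as a "file".
show route | include 0.0.0.0
show track 1
more system:/running-config
```

Only one of the two default routes appears in the routing table at any moment; when the primary next-hop stops answering the SLA probe, the metric-254 route takes its place, and the reverse happens when the probe succeeds again.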

Keeping this short list in mind, I hope you can avoid disappointment when working with this reliable and convenient piece of hardware.
Now let's talk about what the ASA can do:
1. Routing, including dynamic
2. NAT in all forms that can be imagined
3. Dynamic firewall
4. Modular Policy Framework (MPF, a construct for sorting packets into classes and applying various actions to them, for example prioritization and bandwidth limiting)
5. Deep inspection of "complex" protocols (FTP, H.323, SIP, TFTP, IPSec, etc.)
6. AAA, including cut-through (intercepting) authentication
7. IPSec site-to-site, Easy VPN server (the ASA 5505 can be a hardware client)
8. SSL VPN gateway
9. Virtual Firewalls (Context)
10. Failover (Active / Standby and Active / Active)
11. Transparent Firewall

We will talk about these technologies in more detail later, as I find the time and energy :)
(To be continued)

P.S. If you remember anything else that the ASA cannot do compared to a router, don't keep it to yourself, write :) If you cannot here, write to me on the anticisco.ru forum in "The Rest".

Source: https://habr.com/ru/post/79029/
