Cisco ASA

Posted on 2011-02-27
Last Modified: 2012-05-11
In a previous closed post I was told my Cisco 2651xm is running at times reaching 100% utilization.

It was suggested to me to buy an ASA 5505 from eBay. Does the ASA do routing too, or is it just a security appliance? Sorry if this is a stupid question, but before I spend $400 - $900 on a used appliance I want to be sure what I am getting is all in one.


Thanks
Question by:mxrider_420
15 Comments
 
LVL 1

Author Comment

by:mxrider_420
ID: 34993002
Also, when it says licensed for 10 users, does that mean 10 IP addresses on the network? I only have, say, 12 users at the office, but we have about 40 IP addresses due to some computers using multiple VLANs, i.e. guest access etc.

For example, when it says
"Cisco ASA 5505 Firewall Edition Bundle - 50 User" <--- what does this mean?
0
 
LVL 17

Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 34993029
Yes, it indeed does routing. It is by design a router, and if needed you can run OSPF and EIGRP on the ASA.

50 or 10 means the maximum number of users/IP addresses on the inside of the firewall that are allowed to communicate through the firewall.

/kvistofta
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 34993055
Hmm, so if I have, say, 23 now, should I buy a 50 or more to start, to be safe?

How has your experience been with these devices vs a SonicWall NSA240 or TZ210, for example?
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 34993106
If I am running NAT and use private IPs and have only 1 outside IP, does that mean I only have 1 IP that communicates through the firewall? I mean the rest are all internal IPs that do use the internet etc., but you get the gist of my question. Thanks
0
 
LVL 17

Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 34993114
If you have 23, you should buy a 50-user ASA. I have no knowledge of SonicWalls, but I know perfectly well how the Cisco ASA works. :-)

/Kvistofta
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 34993153
Finally,

I find that on my Cisco 2651xm router SDM is weak. It doesn't really work as well as the command line. Does the same go for the ASA? Also, I am curious because I see on the Cisco spec page that the ASA 5505 only supports 3 VLANs. I use 3 now, so there is no room to grow; can that be upgraded?
0
 
LVL 1

Expert Comment

by:orbistechnology
ID: 34993797
Just a caveat - the ASA does *not* do routing in a broad sense. Using it as a "NAT router" - as you would to share a single Internet connection and public IP with a small internal network - it does indeed "route."

However, if you had multiple internal networks, or private links, or even a more elaborate VPN setup, the ASA would *not* allow you to route packets from your internal network to another gateway or interface to another network. The ASA is *not* a true router in the strict sense of a standard IOS router.

The Security Plus license on the ASA 5505 allows up to 20 VLANs.  The chassis with licenses for the sec-plus is around $1000.

ASDM on the ASA is *okay* - you can do most things with it. Command line on the ASA is pretty strong - good management and diagnostic flexibility.

The limit is on MAC addresses. Most devices on your network will have a one-to-one correlation of MAC to IP address, so you can think in terms of IP addresses. However, you could have multiple IPs assigned to a single computer. That would not count against the license. The first 50 MAC addresses seen by the 5505 will be "routed" and have Internet access. Device 51 will simply be ignored by the 5505. Device 51 could communicate with all local resources, but not traverse the 5505 and reach the Internet. The assignment is arbitrary: the first 50 devices to be "seen" via the ARP protocol on the 5505 will "pass" while any others will not.

0
 
LVL 17

Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 34994627
In what sense is the ASA not a router? A router has interfaces in multiple IP networks and forwards packets based on a routing table. The ASA does that, with or without NAT. I suggest that you remove all the "*not*"s in your statements above.

Furthermore, the license model of the ASA has nothing to do with its ARP table. Of course communicating devices must show up in the ARP table, but it is not this table that is limited; it is the local-host table.

mxrider_420: Yes, your license can be upgraded from "base" to "security plus".

Best regards
Kvistofta

0
 
LVL 1

Author Comment

by:mxrider_420
ID: 34994697
So if I'm looking for one used on eBay, I should look for one with, say, 50 users and preferably more VLAN capability?

One question, or clarification rather.

Currently I have 3 sub-interfaces on my 2651xm that are VLANed with 802.1Q. I use HP ProLiant switches to trunk etc. All I need the router, or if you assume the upgrade (ASA), to do is exactly what I have below. Would the configuration below count as 1 strike against the 3 allowed VLANs the 'BASE' config allows? I guess in essence, since the router I have now has 2 WICs, EVERYTHING is plugged into the switch, and the internet (ISP) is in 1 and the uplink to the 24-port HP switch is the other WIC. I'd assume the same physical config with the ASA for ease of implementation rather than use any more of the 8 offered ports.

e.g.:
 interface FastEthernet0/0.5
 description $FW_INSIDE$$ETH-LAN$
 encapsulation dot1Q 90
 ip address 172.17.17.20 255.255.255.0
 ip access-group 106 in
 ip helper-address 192.168.1.58
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect VLAN90-interneal in
 ip inspect VLAN90-interneal out
 ip virtual-reassembly
 no cdp enable
0
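Added example (not part of the thread or of any poster's configuration): how the IOS sub-interface above maps onto an ASA 5505 running a Base license, to make the three-VLAN restriction discussed in this thread concrete. The VLAN 90 address and the DHCP helper address are taken from the poster's snippet; the inside/outside addressing, interface names, security levels and port assignments are assumed placeholders. The NAT statements use the pre-8.3 syntax that was current when the thread was written.

```text
! ASA 5505, Base license. VLAN 1 = inside, VLAN 2 = outside, VLAN 90 = third VLAN.
! Under the Base license the third VLAN is only accepted if it is restricted with
! "no forward interface", which must be entered before "nameif". The restricted
! VLAN cannot initiate traffic to the named VLAN; Security Plus removes this
! restriction and raises the cap to 20 VLANs.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan90
 no forward interface Vlan1
 nameif vlan90
 security-level 50
 ip address 172.17.17.20 255.255.255.0
!
! Base license switch ports are access ports only; the 802.1Q trunk to the HP
! switch that the poster relies on requires the Security Plus license
! (switchport mode trunk / switchport trunk allowed vlan ...).
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 90
!
! ASA equivalent of the IOS "ip helper-address 192.168.1.58" on the VLAN 90 interface
dhcprelay server 192.168.1.58 inside
dhcprelay enable vlan90
!
! Overload NAT (pre-8.3 syntax): inside and vlan90 hosts share the outside address,
! the same role "ip nat inside" plays on the IOS sub-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (vlan90) 1 0.0.0.0 0.0.0.0
```

Because the poster's design has one physical uplink carrying all VLANs as an 802.1Q trunk, the access-port layout shown here would need one ASA switch port per VLAN on a Base license; the Security Plus license is what allows a single trunk port to replace the router's sub-interfaces one-for-one.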
 
LVL 17

Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 34994723
You need to go for the unlimited ASA in order to have 3 or more interfaces without limitations. And the unlimited ASA (Security Plus) doesn't exist in a 10- or 50-user version.

/Kvistofta
0
 
LVL 4

Expert Comment

by:piersonm
ID: 34996936
While you're shopping eBay, consider looking for an ASA 5510. This may offer a little more scalability for your office.
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 34998763
The 5510 is out of our budget, and we can get similar functionality from other vendors for cheaper. The 5505 seems great, but to clarify, can the ASA 5505 with the Plus allow unlimited users by default? If so I will proceed with the ASA.

Thanks
0
 
LVL 17

Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 34998820
Yes, the "Security Plus" allows an unlimited number of users.

/kvistofta
0
 
LVL 1

Author Comment

by:mxrider_420
ID: 34999393
Thanks for your patience with me; I know I am asking a lot here. I just want to be well informed before I spend money. So thanks in advance.

My FINAL question is: with the Security Plus, by default how many VLANs are enabled?
0
 
LVL 17

Accepted Solution

by:
Jimmy Larsson, CISSP, CEH earned 1000 total points
ID: 34999453
0