
Thread: ASA Question

  1. The Bringer of Light DevilWAH's Avatar
    Join Date
    Jan 2010
    Location
    UK
    Posts
    2,967

    Certifications
    CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH,ROUTE, Zoology BSc,
    #1

    ASA Question

    Hi guys, I see a lot of jobs asking for people who have experience with ASA firewall solutions.

    This is something I have never had to use at my workplace so I am looking for a way in to them.

    The closest I have come is working with IOS zone-based firewalls. Is there much similarity between this and ASA? I heard someone saying the zone-based firewalls are similar in syntax to the ASA model, but I have no idea how true this is.

    Also are there any good ASA emulators out there? I know the ASA was updated so what model/version would be a good one to look at for someone coming in to learn about this?

    Aaron
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.

  3. Senior Member ConstantlyLearning's Avatar
    Join Date
    Dec 2006
    Location
    Dublin, Ireland
    Posts
    444

    Certifications
    JNCIA-JunOS, CCNP, CCNA-Security, CCNA, CCENT, CWNA, JNCIA-FWV, Security+, Network+, A+, MCP, MCSA, ITIL Foundation V3
    #2
    Quote Originally Posted by DevilWAH View Post
    Hi guys, I see a lot of jobs asking for people who have experience with ASA firewall solutions.

    This is something I have never had to use at my workplace so I am looking for a way in to them.

    The closest I have come is working with IOS zone-based firewalls. Is there much similarity between this and ASA? I heard someone saying the zone-based firewalls are similar in syntax to the ASA model, but I have no idea how true this is.

    Also are there any good ASA emulators out there? I know the ASA was updated so what model/version would be a good one to look at for someone coming in to learn about this?

    Aaron
    I'm starting down this road as well.

    I believe PIX OS can be emulated in GNS3 and ASA v.7 can be emulated in Qemu but not v.8.

    From reading online posts there does seem to be a good bit of messing about to get the ASA emulation working though.

  4. Senior Member
    Join Date
    Apr 2008
    Location
    Tampa, Fl
    Posts
    1,097

    Certifications
    A Few....
    #3
    Quote Originally Posted by DevilWAH View Post
    Also are there any good ASA emulators out there? I know the ASA was updated so what model/version would be a good one to look at for someone coming in to learn about this?

    Aaron
    Here's some info from Tiersten: ASA 5505

    Maybe this can help you. The ASA 5505 with a 10 user license is fairly reasonable in price on eBay or different resellers' websites. I hope this helps.

    -Peanut

  5. was here.
    Join Date
    Apr 2008
    Posts
    4,504
    #4
    Quote Originally Posted by DevilWAH View Post
    The closest I have come is working with IOS zone-based firewalls. Is there much similarity between this and ASA? I heard someone saying the zone-based firewalls are similar in syntax to the ASA model, but I have no idea how true this is.
    Not really. It is more similar than the old IOS firewall but still enough really enough that you can get past with just a router. The PIX/ASA don't run IOS at all. They just have a CLI that is very IOS-like in later versions.

    Quote Originally Posted by DevilWAH View Post
    Also are there any good ASA emulators out there?
    PEMU which is a modified QEMU does PIX/ASA emulation. GNS3 works as a GUI frontend to PEMU.

  6. The Bringer of Light DevilWAH's Avatar
    Join Date
    Jan 2010
    Location
    UK
    Posts
    2,967

    Certifications
    CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH,ROUTE, Zoology BSc,
    #5
    Quote Originally Posted by tiersten View Post
    PEMU which is a modified QEMU does PIX/ASA emulation. GNS3 works as a GUI frontend to PEMU.
    Have you managed to get version 8 working on this? Also are there major differences between version 7 and 8?

  7. was here.
    Join Date
    Apr 2008
    Posts
    4,504
    #6
    Quote Originally Posted by DevilWAH View Post
    Have you managed to get version 8 working on this?
    I've not tried recently but yeah, 8.x worked back then. The unpacking tool didn't work properly so I had to unpack it manually. I've not really messed around with it that much lately because I've got ASAs now.

    The emulation isn't perfect though. It has some issues (or did last time I looked) with transparent mode and something else I can't remember.

    Quote Originally Posted by DevilWAH View Post
    Also are there major differences between version 7 and 8?
    8.0.2 release notes

  8. The Bringer of Light DevilWAH's Avatar
    Join Date
    Jan 2010
    Location
    UK
    Posts
    2,967

    Certifications
    CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH,ROUTE, Zoology BSc,
    #7
    Sorry, one last thing: if I was looking for ASA hardware for my lab, are there any you would recommend? I.e. cheap but cover it all?

  9. was here.
    Join Date
    Apr 2008
    Posts
    4,504
    #8
    Quote Originally Posted by DevilWAH View Post
    Sorry, one last thing: if I was looking for ASA hardware for my lab, are there any you would recommend? I.e. cheap but cover it all?
    For the CCSP, you'd probably want 5510s with the Security Plus license if you want to do absolutely everything since that is the cheapest model that comes with Active/Active failover and allows you to plug in SSMs.

    The 5505 doesn't do failover at all with the base license and it only does stateless Active/Standby with the Security Plus license. I'm unsure of the limitations of the IPS SSC as well.

  10. The Bringer of Light DevilWAH's Avatar
    Join Date
    Jan 2010
    Location
    UK
    Posts
    2,967

    Certifications
    CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH,ROUTE, Zoology BSc,
    #9
    Do most companies expect configuration via CLI or the ASDM?

  11. was here.
    Join Date
    Apr 2008
    Posts
    4,504
    #10
    Quote Originally Posted by DevilWAH View Post
    Do most companies expect configuration via CLI or the ASDM?
    In all the places I've been it was generally via the CLI but you'll be using both. You'll want ASDM for the monitoring anyway.

  12. Senior Member mikearama's Avatar
    Join Date
    May 2007
    Location
    Oshawa, Ontario
    Posts
    757

    Certifications
    CCNP, CCSP, CISSP, MCSE
    #11
    Quote Originally Posted by DevilWAH View Post
    Do most companies expect configuration via CLI or the ASDM?
    I've worked at two companies that employed ASAs, and both were fine with config work done via the ASDM. Businesses want the job done... I haven't seen any indication that they give a rat's ass how it's done, as long as it's done.

    Having said that, the engineer where I am now is old school, and laughs when I do a rule or NAT with the ASDM. Whatever.

  13. CCIE R&S Lab next up accely's Avatar
    Join Date
    Mar 2009
    Location
    Bettendorf, IA
    Posts
    101

    Certifications
    CCNP R&S & Security | CCIE R&S Written Passed on 8/18/2010
    #12
    I purchased an ASA 5505 for my home network, replaced the stupid Linksys with it and it was a great move. Not only was I forced to make sure it works since it's in my live network, but I always have access to it to test stuff or to play around with it. Was only $350 brand new. I mainly bought it for the CCSP track which I just finished. It was a must for the SNAF and SNAA exams.
    Just passed my IPS test today and fully CCSP now.

    cya!

  14. The Bringer of Light DevilWAH's Avatar
    Join Date
    Jan 2010
    Location
    UK
    Posts
    2,967

    Certifications
    CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH,ROUTE, Zoology BSc,
    #13
    Just finally got round to getting ASA 8 to run in GNS3.

    Now got to work out how to get ASDM working.

    I was thinking I will get hold of the CBT CCSP nuggets before I really get in to this as I can see there is a lot here to learn.

    Too many things I want to learn! I really must finish my CCNP before getting sidetracked!

  15. wino burbankmarc's Avatar
    Join Date
    Oct 2009
    Location
    Virginia
    Posts
    455

    Certifications
    LPIC, NCLA, CCNA, CCNP, CCIP
    #14
    Quote Originally Posted by DevilWAH View Post
    Just finally got round to getting ASA 8 to run in GNS3.

    Now got to work out how to get ASDM working.

    I was thinking I will get hold of the CBT CCSP nuggets before I really get in to this as I can see there is a lot here to learn.

    Too many things I want to learn! I really must finish my CCNP before getting sidetracked!

    The 802 IOS works fine in GNS3 .7. But in order to interface it with your PC NIC card you need the dev version of GNS3. I'm pretty sure anyways. You'll need to hook it to your real network so you can upload the ASDM and stuff into it.

  16. The Bringer of Light DevilWAH's Avatar
    Join Date
    Jan 2010
    Location
    UK
    Posts
    2,967

    Certifications
    CCENT, CCNA, CCNA Security, ITIL Foundation, CCNP SWITCH,ROUTE, Zoology BSc,
    #15
    Quote Originally Posted by burbankmarc View Post
    The 802 IOS works fine in GNS3 .7. But in order to interface it with your PC NIC card you need the dev version of GNS3. I'm pretty sure anyways. You'll need to hook it to your real network so you can upload the ASDM and stuff into it.

    The latest version of GNS, 7.02 I think, seems to work fine. I can get an IP address and see it from my VM machines.

    Starting to build up a nice lab on GNS now. At the moment it is mostly GNS3 running inside VM machines, but I just got a few servers, so going to have some with VMware ESXi running and some with GNS3 / Dynamips running so I can set up a full-blown lab.


  17. I'd rather be fly fishing johnwest43's Avatar
    Join Date
    Dec 2009
    Location
    Grand Blanc, MI
    Posts
    295

    Certifications
    CCNP, CCNA: Voice, Network+, A+
    #16
    Old school question of the day. Without googling, does anyone know the name of the original operating system on a PIX firewall?

  18. Cisco Moderator mikej412's Avatar
    Join Date
    May 2005
    Location
    Chicago
    Posts
    10,190

    Certifications
    CCNP CCIP CCSP CCVP CCDP CCDA CCNA CS-CIPSS CS-CIPTDS CS-CIPTOS CS-CIPCSS CS-CFWS CS-CVPNS CS-CISecS ISSP 4013 4011
    #17
    Quote Originally Posted by johnwest43 View Post
    Old school question of the day. Without googling, does anyone know the name of the original operating system on a PIX firewall?
    Yes.

    Finesse (<--- highlight my post to see my answer).

  19. I'd rather be fly fishing johnwest43's Avatar
    Join Date
    Dec 2009
    Location
    Grand Blanc, MI
    Posts
    295

    Certifications
    CCNP, CCNA: Voice, Network+, A+
    #18
    mikej412 wins!!! Now for the lightning bonus round: what does it stand for? Remember no googling.

    And for the super secret question of the day what does PIX stand for?
    Last edited by johnwest43; 06-25-2010 at 08:44 PM.

  20. Cisco Moderator mikej412's Avatar
    Join Date
    May 2005
    Location
    Chicago
    Posts
    10,190

    Certifications
    CCNP CCIP CCSP CCVP CCDP CCDA CCNA CS-CIPSS CS-CIPTDS CS-CIPTOS CS-CIPCSS CS-CFWS CS-CVPNS CS-CISecS ISSP 4013 4011
    #19
    Quote Originally Posted by johnwest43 View Post
    mikej412 wins!!! Now for the lightning bonus round: what does it stand for? Remember no googling.

    And for the super secret question of the day what does PIX stand for?
    Fast something something something or other
    and
    something like Private Internet eXchange which I always wondered about

  21. Senior Member
    Join Date
    Apr 2008
    Location
    Tampa, Fl
    Posts
    1,097

    Certifications
    A Few....
    #20
    Quote Originally Posted by johnwest43 View Post
    mikej412 wins!!! Now for the lightning bonus round: what does it stand for? Remember no googling.

    And for the super secret question of the day what does PIX stand for?
    Okay... I had to google the answer so I'd know!!

  22. I'd rather be fly fishing johnwest43's Avatar
    Join Date
    Dec 2009
    Location
    Grand Blanc, MI
    Posts
    295

    Certifications
    CCNP, CCNA: Voice, Network+, A+
    #21
    Mike is on a roll!!!
    Fast Internet Server Executive
    Private Internet eXchange, kind of like the IP version of PBX.

  23. Surprised Badger TesseracT's Avatar
    Join Date
    Jul 2010
    Posts
    166

    Certifications
    BSc, CCNP, MCSA, MCTS Exchange. CCIE Written
    #22
    I've been using an 800 router for my home connection but I'm thinking of setting it into bridge mode and getting an ASA 5505 (Expensive bridged modem I know).

    Is the clustering/failover stuff really that hard with the ASAs? To get the 5510 with the proper license is way too much for a home network, and honestly GNS3 seems like a lot of stuffing around while I could be actually learning something...

    Could I just learn the theory and configs for the advanced features and be done with it?

  24. Senior Member Nobylspoon's Avatar
    Join Date
    Sep 2008
    Location
    Ashburn, VA
    Posts
    609

    Certifications
    WGU BS:IT, MCITP:EA, MCSA:2008, Security+, Project+, JavaScript Specialist, Web Foundations
    #23
    I picked up an ASA 5505 with a 10 user base license earlier this week for $250. I work next door to Cisco, bought it from one of their security guys. Definitely a heck of a deal, usually a used one with the same license is closer to $300-350 but keep shopping around and you might find a good deal. I came across this one on Craigslist.

    With work and school I haven't had a lot of time to dive deep into the ASA yet. I am currently working with a PIX 506E in school and that knowledge has made it pretty easy for me to start configuring my ASA.

    I should have it fully configured and my home network migrated over to it by the end of the weekend. I am even considering throwing a honeypot on a separate VLAN since my license comes with 3 (two of which can't talk to each other).