  1. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #1

    Default ASA 5510 price really?

    Guys can you help me understand my options?

    You mean in order for me to buy a home lab ASA 5510? I am going to have to fork over 2,000.00 dollars for a security plus version on the low end?

    I have my home ASA 5505 but have been doing reading and I get no contexts?
    Really?.. I want to set up at home our exact configs at work. We have these contexts (or setup, not sure if they are all contexts; when I run the show context command I think only Private, Internet, and admin come up, so does that mean I have the Security Plus license and not the base-only license?):

    Internet
    Private
    System
    admin

    I hear admin is created by default so that leaves only 1 more available if you have the base license right? I am still learning so I could be wrong.

    Can you guys help me? I have seen base license ASA 5510s on eBay but that only gives me 2 contexts? Is that right, so really only 1 left after admin is created, is that right? Like I said, I want to make the above configs like I have at work. Do I need the Security Plus license to make Internet, Private, System, admin?

  3. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #2
    This post claims that you can run multiple contexts through GNS3.

    It would be worth checking out, yes?

    GNS3 • ASA 8.02 - Good old FW, but full tuned : HOWTOs - Page 2

  4. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #3
    Yea those things are expensive man. Do you have partner status with Cisco? You may be able to get some non production ASAs at a significant discount.

  5. Senior Member
    Join Date
    May 2009
    Location
    DMV
    Posts
    2,205

    Certifications
    CCNP, CCNP(V), S+ CCIE V(written)
    #4
    Rack rentals are your friend.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related

  6. lrb
    lrb is offline
    Senior Member
    Join Date
    Aug 2010
    Location
    Australia
    Posts
    522

    Certifications
    CCIEx2 #45527 (RS,SP)
    #5
    Yeah if you are looking to use an ASA 5510 for CCNP Sec studies, this rack rental deal looks pretty decent:

    http://www.gigavelocity.com/rack-1-i...8c21198a5c5629

    Never used these guys, but I've heard good stuff

  7. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #6
    thanks a lot guys, yeah wow. Hey I do have smart net for our network devices at work maybe I can ask them how much a non production ASA 5510 would cost. For labbing things up. I am trying to mimic our setup at work. This guy who set it up made two firewalls Outside and Inside like old school days with the two firewall concept. I think it is cool but very confusing right now..I want to set the same thing up.

    Hey, you guys don't know of any drawings out there that can help me map out these components? Firewall, L3 core switch, DMZ switch and gateway router. We use lots of VLAN interfaces and trunking. Our internet and WAN access go out the same gateway so it is really confusing. I want to map/draw all the interfaces out and where they connect to, and a simple topology map gets really spaghetti-like. Do you guys know of any good drawing structure to map out in Visio multiple VLAN interfaces that again use the above: firewall with outside and inside firewalls, L3 switch, gateway for both internet and WAN access, and DMZ switch:

    L3 Core switch
    Firewall Outside
    Firewall Inside
    gateway for both internet and WAN access
    dmz switch


    I am trying to find a method to map all the interfaces to see the idea of flow and it is hard with your normal topology maps...thought maybe you guys knew of any way to map these components to be able to analyze them better. hope this makes sense..thanks guys will look into GNS3 too.
    I am going to ask how much I can get one for if I have smart net with them already and let you know the deal they give me see you soon.

  8. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #7
    Quote Originally Posted by itdaddy View Post
    thanks a lot guys, yeah wow. Hey I do have smart net for our network devices at work maybe I can ask them how much a non production ASA 5510 would cost. For labbing things up. I am trying to mimic our setup at work. This guy who set it up made two firewalls Outside and Inside like old school days with the two firewall concept. I think it is cool but very confusing right now..I want to set the same thing up.

    Hey, you guys don't know of any drawings out there that can help me map out these components? Firewall, L3 core switch, DMZ switch and gateway router. We use lots of VLAN interfaces and trunking. Our internet and WAN access go out the same gateway so it is really confusing. I want to map/draw all the interfaces out and where they connect to, and a simple topology map gets really spaghetti-like. Do you guys know of any good drawing structure to map out in Visio multiple VLAN interfaces that again use the above: firewall with outside and inside firewalls, L3 switch, gateway for both internet and WAN access, and DMZ switch:

    L3 Core switch
    Firewall Outside
    Firewall Inside
    gateway for both internet and WAN access
    dmz switch


    I am trying to find a method to map all the interfaces to see the idea of flow and it is hard with your normal topology maps...thought maybe you guys knew of any way to map these components to be able to analyze them better. hope this makes sense..thanks guys will look into GNS3 too.
    I am going to ask how much I can get one for if I have smart net with them already and let you know the deal they give me see you soon.
    You can use Visio for diagrams; if you need that software, you can always download the images from vendors such as Cisco, unless you don't really need those.

    I whipped this up using GNS3, in a couple minutes. (see attachment)

  9. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #8
    Thanks instant000, I have Visio. I was looking for some kind of method to list many interfaces on a firewall with the inside and outside fwl contexts, to keep it clean. Yeah, I can make a normal topology map but it is going to get weird with all those VLAN interfaces (subifs) I have on my fwl. Tons! Thanks man.
    I will have to write small haha LOL thanks... I wish all was as easy as GNS3... I guess GNS3 can run multiple contexts huh? I heard this somewhere?

  10. Senior Member Lizano's Avatar
    Join Date
    Jun 2007
    Posts
    221

    Certifications
    CCNP Security
    #9
    I use DIA for diagrams and gigavelocity has gotten me thru 4 of 5 CCSP exams.

  11. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #10
    thanks lizano

  12. Senior Member Ryuksapple84's Avatar
    Join Date
    Sep 2008
    Location
    MD
    Posts
    181

    Certifications
    CCENT, CCNA R&S, Security, Wireless & Data Center, CCNP Data Center
    #11
    I have a 5505 ASA at home that I bought used for around $300... why not use that?

  13. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #12
    Yeah, I have an ASA 5505 too but it doesn't have the Security Plus license.
    I want to practice with multiple contexts. Normally your ASA will create an admin context, so there is one, and then you can make one more context (virtual firewall) and there is 2. The ASA 5505 comes with only 2.

    so I need 3 contexts to practice what we have at work.
    we have

    admin
    Private
    Internet


    contexts, and well, I like to set up an exact system like we have at work to practice labs on, to make sure I understand our network. I change stuff on my lab; if it works great, it should work at work.

  14. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #13
    Are any of you using any type of lab manual for CCNP:S?

  15. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #14
    I am looking for one. I only have an ASA book I am going thru.

  16. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #15
    Are you going to do CCNP first or do CCNP:S?

  17. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #16
    I am torn.. I am going for CCNP first but at the same time for my job
    going to try to master as much as I can the ASA 5510 which we have
    that has 3 contexts and also VPN technology..

  18. Senior Member SteveO86's Avatar
    Join Date
    Oct 2010
    Location
    FL
    Posts
    1,405

    Certifications
    CCNP, CCIP, CCDP, CCNP: Security/Data Center, CCNA Wireless, CWNA, WCNA
    #17
    Quote Originally Posted by itdaddy View Post
    I am torn..I am going for CCNP first but at the same time for my job
    going to try to master as mush as I can ASA5510 which we have
    that has 3 contexts and also vpn technology..
    I'd consider your job requirements a priority. Besides, the more you work with a technology the easier the exam will be whenever you get to it.

    Remember you don't have to get tunnel vision and overly focus on a cert.

  19. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #18
    Just get a good ASA book. Study up on that, and it'll help you a lot at work.

    You can either get the ASA All-in one 2nd edition, or you can get the Richard Deal ASA book, or you can get the Firewall exam guide.

    If you like reading cisco.com, make sure you read all of the ASA technotes that you can. They have a good amount out there, and the technotes are small, bite-sized chunks that you can read in one pass.

    Stuff like packet trace and captures are awesome features to get familiar with, as well as the logging functions. If you ever have to troubleshoot how or why a connection's not working, these are great tools.

    Also, remember the fundamentals of ASA:

    1. ROUTES
    2. statics
    3. ACLS

    make sure you check all three of those, whenever you have any sort of connectivity issue.

    1. ROUTES - kinda self-explanatory. you need a way to route to that network you're connecting to, otherwise the uRPF check will fail. be especially mindful of networks behind a DMZ interface. Also, be careful if you have certain routes that certain traffic takes, that may be particular to an application. For example, some traffic has to go through tunnels, so we send that to VPN devices, while other destinations are reached through default route to internet, so that gets sent there, and if you have many DMZ's, often those DMZ's have networks behind them, so make sure you route appropriately for those
    2. statics - (high, low) low high .... if you're being lax, these mirror your routes. if you're being tight, these mirror exactly what you're giving access to in your ACLs. often when you have issues with a connection you're troubleshooting, a "clear xlate" and/or clear conn can save you
    3. ACLs - if you did CCNA, you pretty much know how to do these. These help you with providing access, making captures, etc. If you work on firewalls any measurable length of time, ACLs will be second nature to you.


    good troubleshooting commands:
    sh conn
    sh xlate
    sh log
    clear xlate
    clear conn
    sh route
    sh cap

    Make sure you run through the packet trace utility a time or two. Quite interesting to see how that thing works, and which ACLs it tries first to compare against. Also, if you run it through against an existing connection, the simulated packet trace will use the fast path, also.

    In my experience, the packet-trace tool doesn't appear to work 100%, but my experience is limited, and I haven't figured out all the quirks of it.

    Also, running captures is a good friend for you, if you need to convince a server admin that you are receiving traffic for a server, and you are sending it to that server.

    If you work in a highly compartmentalized environment, where different levels of switching and routing can be handled by different departments, you need to be able to verify that it's not the firewall's fault on a regular basis, and captures help a lot here.

    Hope this helps!
    Last edited by instant000; 08-26-2011 at 04:21 AM.

  20. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #19
    instant000
    question. on best practices.

    Okay, we have a lot of VPN routers for many vendors coming into our network, including our own ASA 5505 remote access VPN device.
    What is common practice: to have all VPN gateways flow through the firewall
    and get inspected? Or pass to the gateway? Do both public side and LAN side get inspected for vendor VPNs, or what is the best really?

    ROUTES I get
    ACLS I get

    I don't know what statics are

  21. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #20
    Quote Originally Posted by itdaddy View Post
    instant000
    question. on best practices.

    okay we have a lot of vpn routers for many vendors coming into our network including our own ASA 5505 remote access vpn device.
    what is common practice to have all vpn gateways flow thru the firewall
    and get inspected? or pass? to the gateway. Do both public side and LAN side get inspected for vendor vpns or what is the best really?
    Is this your network?
    [remote vpn] - [ internet]- [router]- [firewall] - [local vpn] - <IDS> [local network]

    or is this your network?
    [remote vpn] - [internet] - [router] - [local vpn] - [firewall] - <IDS> - [local network]


    obviously, I prefer the second network. My reasoning is that typically, you put some type of IDS/IPS on your network somewhere before your local network. you can't really "inspect" the VPN traffic using your firewall, as it should all be encrypted, so you're going to need permit statements for ESP/500 to go through your firewall, and whatever they're doing, is getting through to your network, unless the IDS/IPS stops it.

    Whereas in the second network, look how you have the router at the top filtering out a lot of bogus stuff (RFC 1918/RFC 3330), then the VPNs, then even if it does survive to make it to the VPN, it comes out ready to get inspected by the firewall, then, if it survives that, it has to go through IDS/IPS before hitting your local network.

    truth be told, you'd see more firewalls, more ips, and more routers in the standard networks I work with, so as you can imagine, you can probably draw a lot more complex drawings, if you wanted to.... imagine segmenting it off so that all your vpn traffic came in a certain way, and then you sniffed the traffic, just to make sure it was only VPN traffic on the link, for good measure. ... if you have enough money, you can really get carried away with this stuff.

    but, all of this does nothing for you, if you don't educate your users to not click on links in emails and go all over the net clicking on stuff haphazardly.

    This, my friends, is called Defense in Depth. That'll be $1,000 for the consult. Oh wait, you want Cisco DID? In that case, it'll be $2,500 for the consult.


    ROUTES I get
    ACLS I get

    I don't know what statics are
    In some cases, if you don't have the translation specified, the traffic won't pass across the interfaces, even IF you have an access-list configured.

    Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Information About NAT [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

    Make sure to read the stuff about nat control and identity nat.

    And, if you can understand ACLs, and high/low security interfaces, you can understand how to set up the statics. Just lab it up, no big deal

  22. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #21
    [remote vpn] - [internet] - [DMZ] - [IPS iSensor] - [firewall] - <router> - [local vpn gateway] - [local lan]

    Just don't know why the previous engineer would have VPNs get static routed through the firewall if the VPNs cannot be inspected? Isn't that a lot of work? I suppose they could get inspected when they come out on the LAN side.. maybe that is what the ASA is configured for.. inspecting on the LAN side coming out... I am still trying to figure out what it is doing, but it could be inspecting the traffic when it comes out on our LAN side.

    Maybe after all I said above he is just directing it through and inspecting traffic going in and out of the LAN side... then it could inspect it since the VPN tunnel starts on the WAN side, huh? Never thought of that, will be looking more.. thanks man!

  23. Netlurker cisco_trooper's Avatar
    Join Date
    Aug 2007
    Posts
    1,420

    Certifications
    CCNP Security, ASA Specialist, Firewall Security Specialist, IOS Security Specialist, IPS Specialist, VPN Security Specialist
    #22
    Quote Originally Posted by itdaddy View Post
    ROUTES I get
    ACLS I get

    I don't know what statics are

    The static statements are for NAT translation, and if you aren't used to them the syntax seems backwards.
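Putting the three fundamentals from post #18 (routes, statics, ACLs), the nat-control and identity NAT points from post #20, and the "backwards" static syntax from post #22 into one constructed ASA 8.2 lab configuration. This is an added example, not configuration from the thread; the hostname, interface names, every address and the vendor VPN peer are assumptions.

```cisco
! Constructed ASA 8.2 lab config (pre-8.3 NAT syntax); all values are made up.
hostname lab-asa
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! 1. ROUTES: default to the ISP, plus the network that sits *behind* a router in the
!    DMZ. Without the second route, return traffic for 192.168.60.0/24 fails uRPF.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route dmz 192.168.60.0 255.255.255.0 192.168.50.254 1
!
! 2. STATICS: with nat-control on, a flow needs a translation even if an ACL permits it.
nat-control
! Syntax is static (real_ifc,mapped_ifc) MAPPED_ip REAL_ip -- the part that reads
! "backwards": the mapped (outside-visible) address comes first.
static (dmz,outside) 203.0.113.5 192.168.50.10 netmask 255.255.255.255
! Identity NAT: inside hosts reach the DMZ with their real addresses unchanged.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
! PAT for inside hosts going to the internet (high -> low security).
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
! The local VPN gateway lives in the DMZ and is published on its own public IP.
static (dmz,outside) 203.0.113.6 192.168.50.20 netmask 255.255.255.255
!
! 3. ACLS: pre-8.3 ACLs reference the MAPPED address. Publish only the web ports,
!    and let only ESP and ISAKMP from the known vendor peer reach the VPN gateway;
!    the firewall cannot inspect inside that tunnel, so the peer list stays tight.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.5 eq 443
access-list OUTSIDE_IN extended permit esp host 198.51.100.10 host 203.0.113.6
access-list OUTSIDE_IN extended permit udp host 198.51.100.10 host 203.0.113.6 eq isakmp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Logging so that "sh log" actually shows the denies you are troubleshooting.
logging enable
logging buffered informational
!
! Verification, using the commands from post #18:
! packet-tracer input outside tcp 198.51.100.20 40000 203.0.113.5 80
!   -> walks ROUTE-LOOKUP, NAT and ACCESS-LIST phases and reports which one drops
! show route
! show xlate            -> should list 203.0.113.5 <-> 192.168.50.10
! show conn
! show logging | include 106023   -> ACL denies, with the 5-tuple that was dropped
! clear xlate           -> run after changing a static so stale translations go away
```

The `deny ip any any log` line is redundant with the implicit deny but gives you a 106023 syslog line for every dropped packet, which is what makes `show logging` useful when a server admin says the firewall is eating their traffic.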

  24. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #23
    Quote Originally Posted by itdaddy View Post
    just don't know why the preveious engineer would have vpns get static routed thru firewall if the vpns cannot be inspected? isnt that a lot of work? I suppose they could get inspected when they come out on the LAN side..maybe that is what the ASA is configured..inspecting on the LAN side coming out...I am still trying to figure out what it is doing but it could be inspecting the traffice when it comes out on our lan side.

    maybe after all i said above he is just directing it thru and inspecting traffic going in and out of the lan side...then it could inspect it since the vpn tunnel starts on the wan side huh? never thought of that will be looking more..thanks man!
    Umm, no, that traffic's not being inspected by the firewall, as it's encrypted if it's going through the VPN. You most definitely have some type of ESP ACL allowing that traffic through.

    Does your setup look like this link (or similar)

    PIX/ASA (Version 7.x and Later) IPsec VPN Tunnel with Network Address Translation Configuration Example - Cisco Systems

    A lot of orgs want to see your traffic unencrypted, which is why you sometimes end up with extensive proxy setups, and any attempts to use encrypted traffic to unapproved destinations send out red flags when the log review guys look through their logs.

    Anyway, check out this article, where it allows the encrypted traffic through the firewall. You probably have a similar setup.

    If it was my network, I would want them to have to terminate the VPN BEFORE they went through my firewall.

    I can think of one reason why they use the tunnel (the app they are tunneling uses a lot of ports and protocols that are poorly documented, so it may not be a simple matter to get it working through the firewall)

    Even with that said, you need to make sure you communicate to someone higher in your organization that those guys coming in through the VPN tunnel aren't being inspected by the firewall, and represent a greater security risk to you than they do otherwise.
    Let me be clear on the "unencrypted" piece. I'm referring to orgs who set up IDS/IPS/logging whatever, and they want to capture that traffic unencrypted that enters and exits their network.

    With the setup you have above, someone could snatch the data out of your home network, and the Firewall/IDS/IPS wouldn't be there to catch it, as it got encrypted before you could inspect it.
    Last edited by instant000; 09-06-2011 at 02:18 AM.

  25. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #24
    Quote Originally Posted by cisco_trooper View Post
    The static statement are for NAT translation and if you aren't used to them the syntax seems backwards.
    True dat.

  26. Senior Member itdaddy's Avatar
    Join Date
    Jan 2006
    Posts
    2,081

    Certifications
    A+, MCP, CCNA R/S, CCNA-Security, CCNA Collaboration, CCNP R/S
    #25

    If it was my network, I would want them to have to terminate the VPN BEFORE they went through my firewall.
    So you would have it terminate before the firewall and then inspect the LAN
    traffic static routed to and from the terminated VPN end, right?
    So maybe that is what the firewall is doing?
