ASA for learning and (eventual) use for certification lab.

bermovick Member Posts: 1,135
So, we have an ASA at work and as the main network person I get the task of deciphering its current configuration and eventual modifications and troubleshooting. Everyone is new and as far as I know the device had its current configuration applied elsewhere and shipped here so I'm pretty much on my own. I'm not complaining as gaining firewall exposure and experience is high on my list of skills to have.

But since I don't have anyone else to learn from and the device (and access to the device) is in a room I don't have access to without an escort, there's no way to regularly review and parse its configurations. Plus a production device is not a good device to learn on as we all know!

I had planned on (eventually) getting the NP:Security (and IE:Security) but had held off on choosing hardware/emulation until that time came for obvious reasons, but with the need to learn now I need to consider what options I have. These things are EXPENSIVE though. 5510s on eBay are about $250 if I remember correctly (and are EoL), and 5506s are around $400. I looked into the ASR1000v but unfortunately it looks like that requires a service contract for download. Finally, I remember GNS3 is able to load an ASA image, but last time I did it (several years ago) it was a bit problematic, as you had to run a cpu-limiter and spend several minutes each boot to apply a license I believe. Are there any other options that are cheaper and/or easier to work with? The most expensive piece of lab equipment I've purchased so far has been about $70-80 so dishing out 3-5x that amount makes me cringe.

For books, the ASA All-in-One book has received high recommendations, so barring replies suggesting better material, I'll be using that along with whatever "hardware" I get.
Latest Completed: CISSP

Current goal: Dunno

Comments

  • JoJoCal19 Mod Posts: 2,835
    I picked up the Cisco ASA All-in-One 3e a few weeks ago during the CiscoPress 50% off sale. I've been flipping through it and it seems really good for someone who has been thrown the task of dealing with an ASA for the first time.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • bermovick Member Posts: 1,135
    I found a 5540 on eBay for only $102. From my perspective it looks like a good buy, but I don't know if there's anything I don't know to look for that might make it a bad deal. It's running 8.4 and looks to have a premium license:

    Link

    Update: Googling & Cisco's website suggests there's no such thing as a "premium license" or "VPN Premium license" (despite the output of the bootup listing that). As far as I can tell from the licensed features, the only thing this has over the base license is the $0 cost license that adds 3DES and AES capabilities. Am I correct? Although looking through the list of things that CAN be licensed, I don't even think I'd require most of them (although having additional AnyConnect peers MIGHT be useful).
    Latest Completed: CISSP

    Current goal: Dunno
  • Mike-Mike Member Posts: 1,860
    I was thinking about getting an ASA for home use, didn't realize they were so expensive on eBay.
    Currently Working On: CWTS, then WireShark
  • viper75 Member Posts: 726
    bermovick wrote: »
    I found a 5540 on eBay for only $102. From my perspective it looks like a good buy, but I don't know if there's anything I don't know to look for that might make it a bad deal. It's running 8.4 and looks to have a premium license:

    Link

    Update: Googling & cisco's website suggests there's no such thing as a "premium license" or "VPN Premium license" (despite the output of the bootup listing that). As far as I can tell from the licensed features, the only thing this has over the base license is the $0 cost license that adds 3DES and AES capabilities. Am I correct? Although looking through the list of things that CAN be licensed, I don't even think I'd require most of them (although having additional anyconnect peers MIGHT be useful)


    My friend....

    Here's my suggestion, coming from someone that eats, sleeps, dreams, and works on ASAs every day since the beginning of time!

    You do not need an ASA5510 and up. It's a waste and they are too loud for home use.

    Go on eBay and get yourself an ASA5505 with Security Plus License, or 50 User License. Yes, you will pay no more than $400 for it. My suggestion is get this one:

    New Cisco ASA 5505 Security Plus ASA5505 Sec Bun K9 V13 25 SSL VPN Users | eBay

    I purchased that one last year. It's a great price for what it comes with. Look at the Sh Ver output.

    Has Botnet License, 25 AnyConnect Premium Peers which includes clientless VPNs, Mobile VPN for Android phones and tablets as well as iphones and ipads which use AnyConnect.

    This firewall will pay for itself with the wealth of knowledge you will get from it.

    I can tell you this, I use this ASA5505 as my connection to my home ISP. I have all sorts of VPNs, client and L2L. Lots of stuff configured in it. I have deployed large sites and labbed client scenarios on my ASA5505 as a proof of concept and it has helped me out A LOT!!! I do not know where I would be to this day without it.

    I know that if I have to do something for a client and I am not sure of what the outcome will be I lab it on my 5505. If it breaks something or does not work, I know that there's a good chance it will not work on the bigger ASAs.

    The ASA5505 has helped me throughout my CCNP Security journey which I just completed earlier this month.

    Do yourself a favor and get this ASA. You will not regret it! Also remember that once you start to get involved more with the ASAs you will want to lab more advanced things like failover. Of course, you will need a 2nd ASA for that, but what I am trying to get at is to make sure you get the one with the Security Plus License. This will give you Active\Standby Failover capabilities. If you go the cheap route and get the basic ASA with Base License you will NOT have the option to do failover at all down the road. Of course you can buy a License but the License will cost you more than the ASA. So it's not worth it!

    Go to the link I posted and go for that ASA. If you have any questions PM or post on this here. I can help you figure out what you need.

    Btw...
    That Cisco Press ASA book 3rd Edition is the bible for the ASAs. I have the 2nd and 3rd editions...great books!

    Also the ASA5506s that you see on eBay for around $400 come bare bones. Base License, which will put a lot of limitations on it. To me it's not worth it. For less than $400 you get a FULLY LOADED ASA5505.

    Good Luck!
    pm with any questions...
    CCNP Security - DONE!
    CCNP R&S - In Progress...
    CCIE Security - Future...
  • bermovick Member Posts: 1,135
    Viper;

    The only concern I had regarding 5505s was that I thought I had read that you had to assign each port to an SVI, while the higher 55xx models had layer 3 ports. The ASA at work has most of its ports configured into a port-channel with sub-interfaces trunked to the core switch, and I was going to try to mimic that (although on a smaller scale of course).
    Latest Completed: CISSP

    Current goal: Dunno
  • viper75 Member Posts: 726
    bermovick wrote: »
    Viper;

    The only concern I had regarding 5505's was that I thought I had read that you had to assign each port to an SVI, while the higher 55xx models had layer 3 ports. The ASA at work has most of its ports configured into a port-channel with sub-interfaces trunked to the core switch, and I was going to try to mimic that (although on a smaller scale of course)

    Yes, you are correct. The ASA5505s use VLANs; the other ASAs all have L3 ports. However, once you get past that difference the rest is all the same, with the exception of the horsepower behind the ASA. For a home lab and just to learn, the ASA5505 is more than enough. There are no fans in the 5505 which makes it quiet. No sound! The other ASAs, 5510 and above, have multiple fans which makes them very loud.

    With the ASA5505, you will not be able to do port-channels, but again, that's not going to make or break you, believe me!

    Since you're new to the ASAs, the 5505 will work well for you. At this point you may want to learn how to work the ASA. Mimicking your job may be a little too advanced right now. Learn to read the ASA's config like a book. Understand how it works and how traffic flow works. Once you're at that point mimicking your job will make more sense to you. Trust me...I have been there. I started with PIX firewalls and the very 1st ASAs. The 1st firewall I touched was back in 1999. Pix 501...I was hooked then. Then the ASAs came out and they work like crack to me.

    I was fortunate enough that I was given ASAs by my jobs so I could play with them and learn. It was cheaper for them to give me an ASA to take home and play with than to send me for training. The only ASA I have ever purchased was the one I mentioned earlier. The only reason was because it was fully loaded for under $400. Usually that firewall with all the features can be close to $2,000.

    I would say, don't worry about the port-channels, or L3 ports. I see that you have your CCNP in R&S so creating VLANs should be nothing new to you.

    If you want to go for a 5510 or above then go for it. Not really needed though to start off with unless you're getting them for free.

    It will take time to understand all the different protocols and how Cisco wants you to think.
    CCNP Security - DONE!
    CCNP R&S - In Progress...
    CCIE Security - Future...
  • bermovick Member Posts: 1,135
    Cool; thanks for the reply (+rep). And yeah, having an L3 port vs an L2 port to an SVI isn't terribly different when you get around to it. I just have to convince the missus that a near $400 investment is worth it :D


    (although since she's wanting to get involved in security as well, it might be an easy sell)
    Latest Completed: CISSP

    Current goal: Dunno
  • viper75 Member Posts: 726
    bermovick wrote: »
    Cool; thanks for the reply (+rep). And yeah, having an L3 port vs an L2 port to an SVI isn't terribly different when you get around to it. I just have to convince the missus that a near $400 investment is worth it :D

    Consider the $400 a career investment. It will be worth it. I have purchased home lab gear to lab different scenarios. It has all paid off at the end. You have to invest to get returns in life. If you can fork over the $$$ for that ASA or any ASA then I would suggest you go for it. It will make you a better engineer at the end of the day, which will pay off during your career.

    Just tell the Lady that it's a career investment. Sounds like she's in the same field so she should understand. I think that's pretty cool though.

    Women in networking is hot in my eyes. I have worked with some bright talented women in networking during my career. man man.....
    CCNP Security - DONE!
    CCNP R&S - In Progress...
    CCIE Security - Future...
  • JoJoCal19 Mod Posts: 2,835
    To add, I've found 5506s on eBay with Security Plus licenses for $650, so not too much more than a 5505.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • bermovick Member Posts: 1,135
    To be honest, I'm kinda scared to purchase these things. People list them as having a security plus license, but the log display doesn't show it, and I don't know enough to understand! Take a look at this one:

    <LINK>
    Latest Completed: CISSP

    Current goal: Dunno
  • viper75 Member Posts: 726
    I see your concern which is valid. Always make sure you request a show version from the seller. Confirm that you are purchasing the firewall with the Security Plus license.

    The link that I posted a few posts back shows the sho version so I knew what I was getting.
    CCNP Security - DONE!
    CCNP R&S - In Progress...
    CCIE Security - Future...
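A scripted version of the check viper75 recommends (ask the seller for `show version`, then confirm Security Plus, failover and 3DES/AES before paying), as an added Python example that is not from any post in this thread; the sample output is constructed and its layout is an assumption modelled on 8.x `show version`:

```python
import re

# Constructed sample of the "Licensed features" block an ASA prints in
# `show version`; layout is an assumption modelled on 8.x output, not a real listing.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Failover                          : Active/Standby perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 25             perpetual

This platform has an ASA 5505 Security Plus license.
"""

# The same listing as it would look with only a Base license (constructed).
BASE_SAMPLE = (SAMPLE_SHOW_VERSION
               .replace("Active/Standby", "Disabled      ")
               .replace("ASA 5505 Security Plus license", "Base license"))

FEATURE_RE = re.compile(r"^(?P<name>[A-Za-z0-9 /()._-]+?)\s*:\s*(?P<value>\S+)")

def parse_licensed_features(text):
    """Return {feature: first value token} from the 'Licensed features' table."""
    parts = text.split("Licensed features for this platform:", 1)
    if len(parts) < 2:
        return {}
    features = {}
    for line in parts[1].splitlines():
        if not line.strip():
            if features:          # first blank line after the table ends it
                break
            continue
        m = FEATURE_RE.match(line)
        if m:
            features[m.group("name").strip()] = m.group("value")
    return features

def license_check(text):
    """Summarise what a buyer should confirm before paying for a used ASA."""
    feats = parse_licensed_features(text)
    failover = feats.get("Failover", "Disabled")
    peers = feats.get("AnyConnect Premium Peers", "0")
    return {
        "security_plus": "Security Plus license" in text,
        "failover": None if failover == "Disabled" else failover,
        "strong_crypto": feats.get("VPN-3DES-AES") == "Enabled",
        "anyconnect_peers": int(peers) if peers.isdigit() else 0,
    }
```

Paste the seller's real output in place of the constructed sample; a listing that claims Security Plus but reports `Failover : Disabled` is the mismatch bermovick was worried about.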