ASA Question

DevilWAH

Hi guys, I see a lot of jobs asking for people who have experince with ASA firewall solutions.

This is something I have never had to use a my work place so I am looking for a way in to them.

The closes I ahve come is working with IOS Zonebased firewalls. Is there much simulrity between this and ASA. I heard some one saying the ZONE based firewalls are simmler in syntax to the ASA model? but I have no idea how true this is.

Also are there any good ASA emulators out there? I know the ASA was updated so what model/version would be a good one to look at for some one comming in to learn about this?

Aaron

ConstantlyLearning

DevilWAH wrote: »

Hi guys, I see a lot of jobs asking for people who have experince with ASA firewall solutions.

This is something I have never had to use a my work place so I am looking for a way in to them.

The closes I ahve come is working with IOS Zonebased firewalls. Is there much simulrity between this and ASA. I heard some one saying the ZONE based firewalls are simmler in syntax to the ASA model? but I have no idea how true this is.

Also are there any good ASA emulators out there? I know the ASA was updated so what model/version would be a good one to look at for some one comming in to learn about this?

Aaron

I'm starting down this road as well.

I believe PIX OS can be emulated in GNS3 and ASA v.7 can be emulated in Qemu but not v.8.

From reading online posts there does seem to be a good bit of messing about to get the ASA emulation working though.

peanutnoggin

DevilWAH wrote: »

Also are there any good ASA emulators out there? I know the ASA was updated so what model/version would be a good one to look at for some one comming in to learn about this?

Aaron

Here's some info from Tiersten: ASA 5505

Maybe this can help you. The ASA 5505 with a 10 user license is fairly reasonable in price on ebay or different reseller's websites. I hope this helps.

-Peanut

tiersten

DevilWAH wrote: »

The closes I ahve come is working with IOS Zonebased firewalls. Is there much simulrity between this and ASA. I heard some one saying the ZONE based firewalls are simmler in syntax to the ASA model? but I have no idea how true this is.

Not really. It is more similar than the old IOS firewall but still enough really enough that you can get past with just a router. The PIX/ASA don't run IOS at all. They just have a CLI that is very IOSlike in later versions.

DevilWAH wrote: »

Also are there any good ASA emulators out there?

PEMU which is a modified QEMU does PIX/ASA emulation. GNS3 works as a GUI frontend to PEMU.

DevilWAH

tiersten wrote: »

PEMU which is a modified QEMU does PIX/ASA emulation. GNS3 works as a GUI frontend to PEMU.

HAve you managed to get version 8 working on this? Also are there major differences between version 7 and 8 ?

tiersten

DevilWAH wrote: »

HAve you managed to get version 8 working on this?

I've not tried recently but yeah, 8.x worked back then. The unpacking tool didn't work properly so I had to unpack it manually. I've not really messed around with it that much lately because I've got ASAs now.

The emulation isn't perfect though. It has some issues (or did last time I looked) with transparent mode and something else I can't remember.

DevilWAH wrote: »

Also are there major differences between version 7 and 8 ?

8.0.2 release notes

DevilWAH

Sorry one last thing, If i was looking for an ASA hardware for my lab, are there any you would recomend ? Ie. Cheap but cover it all?

tiersten

DevilWAH wrote: »

Sorry one last thing, If i was looking for an ASA hardware for my lab, are there any you would recomend ? Ie. Cheap but cover it all?

For the CCSP, you'd probably want 5510s with the Security Plus license if you want to do absolutely everything since that is the cheapest model that comes with Active/Active failover and allows you to plug in SSMs.

The 5505 doesn't do failover at all with the base license and it only does stateless Active/Standby with the Security Plus license. I'm unsure of the limitations of the IPS SSC as well.

DevilWAH

do most compinies expect configuration via CLI or the ASDM?

tiersten

DevilWAH wrote: »

do most compinies expect configuration via CLI or the ASDM?

In all the places I've been it was generally via the CLI but you'll be using both. You'll want ASDM for the monitoring anyway.

mikearama

DevilWAH wrote: »

do most compinies expect configuration via CLI or the ASDM?

I've worked at two companies that employed ASA's, and both were fine with config work done via the ASDM. Businesses want the job done... I haven't seen any indication that they give a rat's ass how it's done, as long as it's done.

Having said that, the engineer where I am now is old school, and laughs when I do a rule or nat with the ASDM. Whatever.

accely

I purchased an ASA 5505 for my home network, replaced the stupid linksys with it and it was a great move. Not only was I forced to make sure it works since it's in my live network, but I always have access to it to test stuff or to play around with it. Was only 350$ brand new. I mainly bought it for the CCSP track which I Just finished. It was a must for the SNAF and SNAA exams
Just passed my IPS test today and fully CCSP now

cya!

DevilWAH

Just finaly got round to getting ASA 8 to run in GNS3

now got to work out how to get ASDM working.

I was thinking I will get hold of the CBT CCSP nuggets before I really get in to this as I can see there is a lot here to learn.

To many things I want to learn! I really must finish my CCNP before getting side tracked!

burbankmarc

DevilWAH wrote: »

Just finaly got round to getting ASA 8 to run in GNS3

now got to work out how to get ASDM working.

I was thinking I will get hold of the CBT CCSP nuggets before I really get in to this as I can see there is a lot here to learn.

To many things I want to learn! I really must finish my CCNP before getting side tracked!

The 802 IOS works fine in GNS3 .7. But in order to interface it with your PC nic card you need the dev version of GNS3. I'm pretty sure anyways. You'll need to hook it to your real network so you can upload the ASDM and stuff into it.

DevilWAH

burbankmarc wrote: »

The 802 IOS works fine in GNS3 .7. But in order to interface it with your PC nic card you need the dev version of GNS3. I'm pretty sure anyways. You'll need to hook it to your real network so you can upload the ASDM and stuff into it.

The latest version of GNS 7.02 i think seems to work fine. I can get an ip address and see it from my vm machines.

Starting to build up a nice lab on GNS now, At the monent is mostly GNS3 running inside VM machines, but just got a few Servers, so going to have some with VMware exi running and some with GNS3 / Dynips running so I can set up a full blow lab.

johnwest43

old school question of the day. without googling does anyone know the name of the original operating system on a pix firewall?

mikej412

johnwest43 wrote: »

old school question of the day. without googling does anyone know the name of the original operating system on a pix firewall?

Yes.

Finesse (<--- highlight my post to see my answer).

johnwest43

mikej412 wins!!! now for the lighting bonus round what does it stand for? Remember no googling.

And for the super secret question of the day what does PIX stand for?

mikej412

johnwest43 wrote: »

mikej412 wins!!! now for the lighting bonus round what does it stand for? Remember no googling.

And for the super secret question of the day what does PIX stand for?

Fast something something something or other
and
something like Private Internet eXchange which I always wondered about

peanutnoggin

johnwest43 wrote: »

mikej412 wins!!! now for the lighting bonus round what does it stand for? Remember no googling.

And for the super secret question of the day what does PIX stand for?

Okay... I had to google the answer so I'd know!!

johnwest43

Mike is on a roll!!!
fast internet server executive
Private internet exchange kind of like the ip version of pbx.

TesseracT

I've been using an 800 router for my home connection but I'm thinking of setting it into bridge mode and getting an ASA 5505 (Expensive bridged modem I know).

Is the clustering/failover stuff really that hard with the ASAs? To get the 5510 with the proper license is way too much for a home network, and honestly GNS3 seems like a lot of stuffing around while I could be actually learning something...

Could I just learn the theory and configs for the advanced features and be done with it?

Nobylspoon

I picked up an ASA 5505 with a 10 user base license earlier this week for $250. I work next door to Cisco, bought it from one of their security guys. Definatly a heck of a deal, usually a used one with the same license is closer to $300-350 but keep shopping around and you mind find a good deal. I came across this one on Craigslist.

With work and school I haven't had a lot of time to dive deep into the ASA yet. I am currently working with a PIX 506E in school and that knowledge has made it pretty easy for me to start configuring my ASA.

I should have it fully configured and my home network migrated over to it by the end of the weekend. I am even considering throwing a honeypot on a seperate vlan since my license comes with 3 (two of which can't talk to each other)