ASA 5510 price really?

Guys can you help me understand my options?

You mean in order for me to buy a home lab ASA 5510? I am going to have to fork over 2,000.00 dollars for a security plus version on the low end?

I have my home asa 5505 but have been doing reading and I get no contexts?
really?..I want to setup at home our exact configs at work. We have these contexts: or setup not sure if they are alll context when I run the show context command i think only private, internet, and admin come up so does that mean i have the security plus license and not the base only license?

Internet
Private
System
admin

I hear admin is created by default so that leaves only 1 more available if you have the base license right? I am still learning so I could be wrong.

can yu guys help me. I have seen base license asa 5510s on ebay but that only gives me 2 contexts? is that right so really only 1 left after admin is created is that right? like I said I want to make the above configs like I have at work do I need the security plus license? to make Internet, Private, System, admin?

Find more posts tagged with

Comments

instant000

This post claims that you can run multiple context through GNS3.

It would be worth checking out, yes?

GNS3 • ASA 8.02 - Good old FW, but full tuned : HOWTOs - Page 2

Bl8ckr0uter

Yea those things are expensive man. Do you have partner status with Cisco? You may be able to get some non production ASAs at a significant discount.

shodown

rack rentals are you friend.

lrb

Yeah if you are looking to use an ASA 5510 for CCNP Sec studies, this rack rental deal looks pretty decent:

http://www.gigavelocity.com/rack-1-internetwork-expert-security-30-lab-5.html?zenid=dafec3427d9f076ecf8c21198a5c5629

Never used these guys, but I've heard good stuff

itdaddy

thanks a lot guys, yeah wow. Hey I do have smart net for our network devices at work maybe I can ask them how much a non production ASA 5510 would cost. For labbing things up. I am trying to mimic our setup at work. This guy who set it up made two firewalls Outside and Inside like old school days with the two firewall concept. I think it is cool but very confusing right now..I want to set the same thing up.

hey you guys don't know of any drawings out there that can help me map out these components. Firewall, L3 core switch, dmz switch and gateway router. We use lots of vlan interfaces and trunking. Our internet and WAN access go out the same gateway so it is really confusing. I want to map/draw all the interfaces out and and where they connect to. and simple topology map gets really spagetti like. Do you guys know of any good drawing structure to map out on a vision multiple vlan interfaces that again use the above. Firewall with outside and inside firewalls, L3 switch, gateway for both internet and wan access, and dmz switch:

L3 Core switch
Firewall Outside
Firewall Inside
gateway for both internet and WAN access
dmz switch

I am trying to find a method to map all the interfaces to see the idea of flow and it is hard with your normal topology maps...thought maybe you guys knew of any way to map these components to be able to analyze them better. hope this makes sense..thanks guys will look into GNS3 too.
I am going to ask how much I can get one for if I have smart net with them already and let you know the deal they give me see you soon.

instant000

itdaddy wrote: »

thanks a lot guys, yeah wow. Hey I do have smart net for our network devices at work maybe I can ask them how much a non production ASA 5510 would cost. For labbing things up. I am trying to mimic our setup at work. This guy who set it up made two firewalls Outside and Inside like old school days with the two firewall concept. I think it is cool but very confusing right now..I want to set the same thing up.

hey you guys don't know of any drawings out there that can help me map out these components. Firewall, L3 core switch, dmz switch and gateway router. We use lots of vlan interfaces and trunking. Our internet and WAN access go out the same gateway so it is really confusing. I want to map/draw all the interfaces out and and where they connect to. and simple topology map gets really spagetti like. Do you guys know of any good drawing structure to map out on a vision multiple vlan interfaces that again use the above. Firewall with outside and inside firewalls, L3 switch, gateway for both internet and wan access, and dmz switch:

L3 Core switch
Firewall Outside
Firewall Inside
gateway for both internet and WAN access
dmz switch

I am trying to find a method to map all the interfaces to see the idea of flow and it is hard with your normal topology maps...thought maybe you guys knew of any way to map these components to be able to analyze them better. hope this makes sense..thanks guys will look into GNS3 too.
I am going to ask how much I can get one for if I have smart net with them already and let you know the deal they give me see you soon.

You can use visio for diagrams, if you need that software, you can always download the images from vendors such as Cisco, unless you don't really need those.

I whipped this up using GNS3, in a couple minutes. (see attachment)

lab1.jpg

itdaddy

thanks instant000 I have visio I was looking for some kind of method to list many interfaces on a firwall with the inside and outside fwl contexts. to keep it clean. yeah I can make a normal topology map but it is going to get weird with all those vlan interfaces (subifs) I have on my fwl. Tons! thanks man
I willl have to write small haha LOL thanks...I wish all was as easy as GNS3...I guess GNS3 can run multiple contexts huh? I heard this some where?

Lizano

I use DIA for diagrams and gigavelocity has gotten me thru 4 of 5 CCSP exams.

itdaddy

thanks lizano

Ryuksapple84

I have a 5505 ASA at home that I bought used for around $300... why not use that?

itdaddy

yeah I have an ASA 5505 too but it doesnt have the security plus license.
I want to practice with multiple contexts. Normally your ASA will create an admin context so there is one. and then you can make one more context(virtual firewall) and there is 2 the ASA 5505 comes with only 2 .

so I need 3 contexts to practice what we have at work.
we have

admin
Private
Internet

contexts and well I like to setup an exact systems like we have at work to practice labs on to make sure I understand our network. I change stuff on my lab if it works great it should work at work.

Bl8ckr0uter

Are any of you using any type of lab manual for CCNP:S?

itdaddy

I am looking for one. I only have an ASA book I am going thru.

Bl8ckr0uter

Are you going to do CCNP first or do CCNP:S?

itdaddy

I am torn..I am going for CCNP first but at the same time for my job
going to try to master as mush as I can ASA5510 which we have
that has 3 contexts and also vpn technology..

SteveO86

itdaddy wrote: »

I am torn..I am going for CCNP first but at the same time for my job
going to try to master as mush as I can ASA5510 which we have
that has 3 contexts and also vpn technology..

I'd consider your job requirements a priority, Besides the more you work with a technology the easier the exam will whenever you get to it.

Remember you don't have to get tunnel vision and overly focus on a cert

instant000

Just get a good ASA book. Study up on that, and it'll help you a lot at work.

You can either get the ASA All-in one 2nd edition, or you can get the Richard Deal ASA book, or you can get the Firewall exam guide.

If you like reading cisco.com, make sure you read all of the ASA technotes that you can. They have a good amount out there, and the technotes are small, bite-sized chunks that you can read in one pass.

Stuff like packet trace and captures are awesome features to get familiar with, as well as the logging functions. If you ever have to troubleshoot how or why a connection's not working, these are great tools.

Also, remember the fundamentals of ASA:

1. ROUTES
2. statics
3. ACLS

make sure you check all three of those, whenever you have any sort of connectivity issue.

1. ROUTES - kinda self-explanatory. you need a way to route to that network you're connecting to, otherwise the uRPF check will fail. be especially mindful of networks behind a DMZ interface. Also, be careful if you have certain routes that certain traffic takes, that may be particular to an application. For example, some traffic has to go through tunnels, so we send that to VPN devices, while other destinations are reached through default route to internet, so that gets sent there, and if you have many DMZ's, often those DMZ's have networks behind them, so make sure you route appropriately for those
2. statics - (high, low) low high .... if you're being lax, these mirror your routes. if you're being tight, these mirror exactly what you're giving access to in your ACLs. often when you have issues with a connection you're troubleshooting, a "clear xlate" and/or clear conn can save you
3. ACLs - if you did CCNA, you pretty much know how to do these these help you with providing access, making captures, etc. If you work on firewalls any measurable length of time, ACLs will be second nature to you.

good troubleshooting commands:
sh conn
sh xlate
sh log
clear xlate
clear conn
sh route
sh cap

Make sure you run through the packet trace utility a time or two. Quite interesting to see how that thing works, and which ACLs it tries first to compare against. Also, if you run it through against an existing connection, the simulated packet trace will use the fast path, also.

In my experience, the packet-trace tool doesn't appear to work 100%, but my experience is limited, and I haven't figured out all the quirks of it.

Also, running captures is a good friend for you, if you need to convince a server admin that you are receiving traffic for a server, and you are sending it to that server.

If you work in a highly compartmentalized environment, where different levels of switching and routing can be handled by different departments, you need to be able to verify that it's not the firewall's fault on a regular basis, and captures help a lot here.

Hope this helps!

itdaddy

instant000
question. on best practices.

okay we have a lot of vpn routers for many vendors coming into our network including our own ASA 5505 remote access vpn device.
what is common practice to have all vpn gateways flow thru the firewall
and get inspected? or pass? to the gateway. Do both public side and LAN side get inspected for vendor vpns or what is the best really?

ROUTES I get
ACLS I get

I don't know what statics are

instant000

itdaddy wrote: »

instant000
question. on best practices.

okay we have a lot of vpn routers for many vendors coming into our network including our own ASA 5505 remote access vpn device.
what is common practice to have all vpn gateways flow thru the firewall
and get inspected? or pass? to the gateway. Do both public side and LAN side get inspected for vendor vpns or what is the best really?

Is this your network?
[remote vpn] - [ internet]- [router]- [firewall] - [local vpn] - <IDS> [local network]

or is this your network?
[remote vpn] - [internet] - [router] - [local vpn] - [firewall] - <IDS> - [local network]

obviously, I prefer the second network. My reasoning is that typically, you put some type of IDS/IPS on your network somewhere before your local network. you can't really "inspect" the VPN traffic using your firewall, as it should all be encrypted, so you're going to need permit statements for ESP/500 to go through your firewall, and whatever they're doing, is getting through to your network, unless the IDS/IPS stops it.

Whereas in the second network, look how you have the router at the top filtering out a lot of bogus stuff (RFC 1918/RFC 3330), then the VPNs, then even if it does survive to make it to the VPN, it comes out ready to get inspected by the firewall, then, if it survives that, it has to go through IDS/IPS before hitting your local network.

truth be told, you'd see more firewalls, more ips, and more routers in the standard networks I work with, so as you can imagine, you can probably draw a lot more complex drawings, if you wanted to.... imagine segmenting it off so that all your vpn traffic came in a certain way, and then you sniffed the traffic, just to make sure it was only VPN traffic on the link, for good measure. ... if you have enough money, you can really get carried away with this stuff.

but, all of this does nothing for you, if you don't educate your users to not click on links in emails and go all over the net clicking on stuff haphazardly.

This, my friends, is called Defense in Depth. That'll be $1,000 for the consult

Oh wait, you want Cisco DID? in that case, it'll be $2,500 for the consult.

ROUTES I get
ACLS I get

I don't know what statics are

In some cases, if you don't have the translation specified, the traffic won't pass across the interfaces, even IF you have an access-list configured.

Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Information About NAT [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

Make sure to read the stuff about nat control and identity nat.

And, if you can understand ACLs, and high/low security interfaces, you can understand how to set up the statics. Just lab it up, no big deal

itdaddy

[remote vpn] - [internet] - [DMZ] - [IPS iSensor] - [firewall] - <router> - [local vpn gateway] - [locan lan]

just don't know why the preveious engineer would have vpns get static routed thru firewall if the vpns cannot be inspected? isnt that a lot of work? I suppose they could get inspected when they come out on the LAN side..maybe that is what the ASA is configured..inspecting on the LAN side coming out...I am still trying to figure out what it is doing but it could be inspecting the traffice when it comes out on our lan side.

maybe after all i said above he is just directing it thru and inspecting traffic going in and out of the lan side...then it could inspect it since the vpn tunnel starts on the wan side huh? never thought of that will be looking more..thanks man!

cisco_trooper

itdaddy wrote: »

ROUTES I get
ACLS I get

I don't know what statics are

The static statement are for NAT translation and if you aren't used to them the syntax seems backwards.

instant000

itdaddy wrote: »

just don't know why the preveious engineer would have vpns get static routed thru firewall if the vpns cannot be inspected? isnt that a lot of work? I suppose they could get inspected when they come out on the LAN side..maybe that is what the ASA is configured..inspecting on the LAN side coming out...I am still trying to figure out what it is doing but it could be inspecting the traffice when it comes out on our lan side.

maybe after all i said above he is just directing it thru and inspecting traffic going in and out of the lan side...then it could inspect it since the vpn tunnel starts on the wan side huh? never thought of that will be looking more..thanks man!

Umm, no, that traffic's not being inspected by the firewall, as it's encrypted if its going through the VPN. You most definitely have some type of ESP ACL allowing that traffic through.

Does your setup look like this link (or similar)

PIX/ASA (Version 7.x and Later) IPsec VPN Tunnel with Network Address Translation Configuration Example - Cisco Systems

A lot of orgs want to see your traffic unencrypted, which is why you sometimes end up with extensive proxy setups, and any attempts to use encrypted traffic to unapproved destinations send out red flags when the log review guys look through their logs.

Anyway, check out this article, where it allows the encrypted traffic through the firewall. You probably have a similar setup.

If it was my network, I would want them to have to terminate the VPN BEFORE they went through my firewall.

I can think of one reason why they use the tunnel (the app they are tunneling uses a lot of ports and protocols that are poorly documented, so it may not be a simple matter to get it working through the firewall)

Even with that said, you need to make sure you communicate to someone higher in your organization that those guys coming in through the VPN tunnel aren't being inspected by the firewall, and represent a greater security risk to you than they do otherwise.
Let me be clear on the "unencrypted" piece. I'm referring to orgs who set up IDS/IPS/logging whatever, and they want to capture that traffic unencrypted that enters and exits their network.

With the setup you have above, someone could snatch the data out of your home network, and the Firewall/IDS/IPS wouldn't be there to catch it, as it got encrypted before you could inspect it.

instant000

cisco_trooper wrote: »

The static statement are for NAT translation and if you aren't used to them the syntax seems backwards.

True dat.

itdaddy

If it was my network, I would want them to have to terminate the VPN BEFORE they went through my firewall.

so you would have it terminate before firwall and the inspect the lan
traffic static routed to and from the terminated vpn end right?
so maybe that is what the firewall is doing?

powerfool

The big thing on contexts is for active/active failover. Essentially, you have two firewalls that you want active... you setup contexts so you have virtual firewalls.... For instance, physical firewalls 1 and 2, and virtual firewalls A (active), a (passive for A), B (Active), and b (passive for

. Firewall 1 has virtual firewalls A and b and firewall 2 has virtual firewalls a and B. So, it is like a dual active/passive setup and while all hardware is active, each unit has only one active virtual firewall. Assuming firewall 2 fails, firewall 1 assumes the active role for both firewalls and will have firewalls A and B.

I am not sure if I explained that well.... but that is really the purpose of the contexts.

itdaddy

Powerfool.
what this guy did is he has two contexts apart from admin context of course. he create INTERNET virtual context and PRIVATE virtual context...and their repsective zones...the Internet context has the NATng and DMZ and the Private deals with I think the vpns coming in off of the DMZ? if that makes sense It is kind of confusing but I am having a CCIE
which I am paying to come in and teach me all my questions about our main site and its architecture. very cool..I get to pay someone to teach my my networks. I am 75 to 80 percent sure of how it works but that 25 percent I want to make darn sure. I know LOL! I will let you know what I discovered when I contract a CCIE out...
thanks so much..and I have decided to buy another firewall at work as a spare and practice on it vs using GNS3.."
I have played with the GNS3 ASA firwall and it is very buggy and for those of you who got it working with no bugs I am glad for you but I followed all the steps on the forums with the flash issue and multiple context issue and I got no results seems buggie so I have decided since I am boss hahaa to just buy a extra ASA5510 with SP license to practice on at work

It is good to be king! haahhah LOL thanks guys for the help..