ASA 5510 price really?

itdaddy Senior Member Posts: 2,089
Guys can you help me understand my options?

You mean in order for me to buy a home-lab ASA 5510, I am going to have to fork over $2,000.00 for a Security Plus version on the low end?

I have my home ASA 5505, but I have been doing some reading and I get no contexts?
Really? I want to set up at home the exact configs we have at work. We have these contexts (or setup; not sure if they are all contexts). When I run the show context command, I think only Private, Internet, and admin come up, so does that mean I have the Security Plus license and not the base-only license?

Internet
Private
System
admin

I hear admin is created by default, so that leaves only 1 more available if you have the base license, right? I am still learning, so I could be wrong.

Can you guys help me? I have seen base-license ASA 5510s on eBay, but that only gives me 2 contexts? Is that right? So really only 1 is left after admin is created, is that right? Like I said, I want to make the above configs like I have at work. Do I need the Security Plus license to make Internet, Private, System, admin?

Comments

  • instant000 Member Posts: 1,745
    This post claims that you can run multiple contexts through GNS3.

    It would be worth checking out, yes?

    GNS3 • ASA 8.02 - Good old FW, but full tuned : HOWTOs - Page 2
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Yeah, those things are expensive, man. Do you have partner status with Cisco? You may be able to get some non-production ASAs at a significant discount.
  • shodown Member Posts: 2,271
    Rack rentals are your friend.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • lrb Member Posts: 526
    Yeah, if you are looking to use an ASA 5510 for CCNP Sec studies, this rack rental deal looks pretty decent:

    http://www.gigavelocity.com/rack-1-internetwork-expert-security-30-lab-5.html?zenid=dafec3427d9f076ecf8c21198a5c5629

    Never used these guys, but I've heard good stuff.
  • itdaddy Senior Member Posts: 2,089
    Thanks a lot, guys. Yeah, wow. Hey, I do have SmartNet for our network devices at work; maybe I can ask them how much a non-production ASA 5510 would cost, for labbing things up. I am trying to mimic our setup at work. The guy who set it up made two firewalls, Outside and Inside, like the old-school days with the two-firewall concept. I think it is cool but very confusing right now. I want to set the same thing up.

    Hey, do you guys know of any drawings out there that can help me map out these components: firewall, L3 core switch, DMZ switch and gateway router? We use lots of VLAN interfaces and trunking. Our Internet and WAN access go out the same gateway, so it is really confusing. I want to map/draw all the interfaces out and where they connect to, and a simple topology map gets really spaghetti-like. Do you guys know of any good drawing structure to map out in Visio multiple VLAN interfaces that again use the above: firewall with outside and inside firewalls, L3 switch, gateway for both Internet and WAN access, and DMZ switch:

    L3 Core switch
    Firewall Outside
    Firewall Inside
    gateway for both internet and WAN access
    dmz switch


    I am trying to find a method to map all the interfaces to see the idea of flow, and it is hard with your normal topology maps. Thought maybe you guys knew of any way to map these components to be able to analyze them better. Hope this makes sense. Thanks, guys, will look into GNS3 too.
    I am going to ask how much I can get one for if I have SmartNet with them already, and let you know the deal they give me. See you soon. ;)
  • instant000 Member Posts: 1,745
    itdaddy wrote: »
    Thanks a lot, guys. Yeah, wow. Hey, I do have SmartNet for our network devices at work; maybe I can ask them how much a non-production ASA 5510 would cost, for labbing things up. I am trying to mimic our setup at work. The guy who set it up made two firewalls, Outside and Inside, like the old-school days with the two-firewall concept. I think it is cool but very confusing right now. I want to set the same thing up.

    Hey, do you guys know of any drawings out there that can help me map out these components: firewall, L3 core switch, DMZ switch and gateway router? We use lots of VLAN interfaces and trunking. Our Internet and WAN access go out the same gateway, so it is really confusing. I want to map/draw all the interfaces out and where they connect to, and a simple topology map gets really spaghetti-like. Do you guys know of any good drawing structure to map out in Visio multiple VLAN interfaces that again use the above: firewall with outside and inside firewalls, L3 switch, gateway for both Internet and WAN access, and DMZ switch:

    L3 Core switch
    Firewall Outside
    Firewall Inside
    gateway for both internet and WAN access
    dmz switch


    I am trying to find a method to map all the interfaces to see the idea of flow, and it is hard with your normal topology maps. Thought maybe you guys knew of any way to map these components to be able to analyze them better. Hope this makes sense. Thanks, guys, will look into GNS3 too.
    I am going to ask how much I can get one for if I have SmartNet with them already, and let you know the deal they give me. See you soon. ;)

    You can use Visio for diagrams. If you need that software, you can always download the images from vendors such as Cisco, unless you don't really need those.

    I whipped this up using GNS3 in a couple of minutes. (See attachment.)
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • itdaddy Senior Member Posts: 2,089
    Thanks, instant000. I have Visio; I was looking for some kind of method to list many interfaces on a firewall with the inside and outside FWL contexts, to keep it clean. Yeah, I can make a normal topology map, but it is going to get weird with all those VLAN interfaces (subifs) I have on my FWL. Tons! Thanks, man.
    I will have to write small, haha, LOL. Thanks. I wish all was as easy as GNS3. I guess GNS3 can run multiple contexts, huh? I heard this somewhere?
  • Lizano Member Posts: 230
    I use DIA for diagrams, and gigavelocity has gotten me through 4 of 5 CCSP exams.
  • Ryuksapple84 Member Posts: 183
    I have a 5505 ASA at home that I bought used for around $300. Why not use that?
    Eating humble pie.
  • itdaddy Senior Member Posts: 2,089
    Yeah, I have an ASA 5505 too, but it doesn't have the Security Plus license.
    I want to practice with multiple contexts. Normally your ASA will create an admin context, so there is one, and then you can make one more context (virtual firewall), and there are 2; the ASA 5505 comes with only 2.

    So I need 3 contexts to practice what we have at work.
    We have

    admin
    Private
    Internet


    contexts, and well, I like to set up an exact system like we have at work to practice labs on, to make sure I understand our network. I change stuff on my lab; if it works great, it should work at work.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Are any of you using any type of lab manual for CCNP:S?
  • itdaddy Senior Member Posts: 2,089
    I am looking for one. I only have an ASA book I am going through.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Are you going to do CCNP first or do CCNP:S?
  • itdaddy Senior Member Posts: 2,089
    I am torn. I am going for CCNP first, but at the same time, for my job,
    going to try to master as much as I can the ASA 5510 which we have,
    that has 3 contexts and also VPN technology.
  • SteveO86 Member Posts: 1,423
    itdaddy wrote: »
    I am torn. I am going for CCNP first, but at the same time, for my job,
    going to try to master as much as I can the ASA 5510 which we have,
    that has 3 contexts and also VPN technology.

    I'd consider your job requirements a priority. Besides, the more you work with a technology, the easier the exam will be whenever you get to it.

    Remember, you don't have to get tunnel vision and overly focus on a cert.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • instant000 Member Posts: 1,745
    Just get a good ASA book. Study up on that, and it'll help you a lot at work.

    You can either get the ASA All-in-One, 2nd edition, or you can get the Richard Deal ASA book, or you can get the Firewall exam guide.

    If you like reading cisco.com, make sure you read all of the ASA technotes that you can. They have a good amount out there, and the technotes are small, bite-sized chunks that you can read in one pass.

    Stuff like packet-tracer and captures are awesome features to get familiar with, as well as the logging functions. If you ever have to troubleshoot how or why a connection's not working, these are great tools.

    Also, remember the fundamentals of ASA:

    1. ROUTES
    2. statics
    3. ACLS

    make sure you check all three of those, whenever you have any sort of connectivity issue.

    1. ROUTES - kind of self-explanatory. You need a way to route to that network you're connecting to, otherwise the uRPF check will fail. Be especially mindful of networks behind a DMZ interface. Also, be careful if you have certain routes that certain traffic takes that may be particular to an application. For example, some traffic has to go through tunnels, so we send that to VPN devices, while other destinations are reached through the default route to the Internet, so that gets sent there. And if you have many DMZs, often those DMZs have networks behind them, so make sure you route appropriately for those.
    2. statics - (high, low) low high .... If you're being lax, these mirror your routes. If you're being tight, these mirror exactly what you're giving access to in your ACLs. Often when you have issues with a connection you're troubleshooting, a "clear xlate" and/or "clear conn" can save you.
    3. ACLs - if you did CCNA, you pretty much know how to do these. These help you with providing access, making captures, etc. If you work on firewalls for any measurable length of time, ACLs will be second nature to you.


    Good troubleshooting commands:
    sh conn
    sh xlate
    sh log
    clear xlate
    clear conn
    sh route
    sh cap

    Make sure you run through the packet-tracer utility a time or two. Quite interesting to see how that thing works, and which ACLs it tries first to compare against. Also, if you run it against an existing connection, the simulated packet trace will use the fast path.

    In my experience, the packet-tracer tool doesn't appear to work 100%, but my experience is limited, and I haven't figured out all the quirks of it.

    Also, running captures is a good friend for you if you need to convince a server admin that you are receiving traffic for a server and you are sending it to that server.

    If you work in a highly compartmentalized environment, where different levels of switching and routing can be handled by different departments, you need to be able to verify that it's not the firewall's fault on a regular basis, and captures help a lot here.

    Hope this helps!
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
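The routes / statics / ACLs checklist and the troubleshooting commands from the post above, put together as one ASA 8.2 (pre-8.3 NAT) configuration with a worked packet-tracer and capture run. This is an added example for this thread, not configuration from the poster and not from Cisco documentation; the interface names, the RFC 5737 documentation addresses, the DMZ web server and the network behind the DMZ router are assumptions made for the example.

```text
! Added example, ASA 8.2 syntax. Addresses are documentation ranges chosen
! for the example; interface names are assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! 1. ROUTES: default to the ISP, plus the network that sits BEHIND the DMZ
!    router. Without the second line, 172.16.2.0/24 is unreachable no
!    matter what the ACLs say.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route dmz 172.16.2.0 255.255.255.0 172.16.1.254 1
!
! 2. STATICS: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
!    The "backwards" part: the address on the MAPPED side is written first.
!    Inside users leave with PAT on the outside interface address.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
!    DMZ web server 172.16.1.20 is reachable from the Internet as 203.0.113.20.
static (dmz,outside) 203.0.113.20 172.16.1.20 netmask 255.255.255.255
!    Identity static so inside hosts reach the DMZ by its real addresses.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! 3. ACLS: on 8.2 an inbound ACL on the outside interface matches the
!    MAPPED (global) address, not the server's real address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.20 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Troubleshooting: simulate the flow and read which phase drops it
! (ROUTE-LOOKUP, ACCESS-LIST, NAT ... are listed in order).
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.20 443 detailed
!
! Capture both sides of the box to prove the packet arrived and left.
! On outside you match the mapped address, on dmz the real one.
capture CAP_OUT interface outside match tcp any host 203.0.113.20 eq 443
capture CAP_DMZ interface dmz match tcp any host 172.16.1.20 eq 443
show capture CAP_OUT
show capture CAP_DMZ
!
! Existing state can mask a config change: look at it, then clear it.
show xlate | include 172.16.1.20
show conn address 172.16.1.20
clear xlate global 203.0.113.20
```

Two things worth noticing: the static lists the mapped address before the real one, which is what makes the syntax feel backwards, and the inbound ACL is written against that mapped address. The two captures show the same connection with a different destination on each side of the firewall, which is the evidence the post describes handing to a server admin.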
  • itdaddy Senior Member Posts: 2,089
    instant000,
    Question on best practices.

    Okay, we have a lot of VPN routers for many vendors coming into our network, including our own ASA 5505 remote-access VPN device.
    What is common practice: to have all VPN gateways flow through the firewall
    and get inspected, or pass to the gateway? Do both the public side and LAN side get inspected for vendor VPNs, or what is the best really?

    ROUTES I get
    ACLs I get

    I don't know what statics are
  • instant000 Member Posts: 1,745
    itdaddy wrote: »
    instant000,
    Question on best practices.

    Okay, we have a lot of VPN routers for many vendors coming into our network, including our own ASA 5505 remote-access VPN device.
    What is common practice: to have all VPN gateways flow through the firewall
    and get inspected, or pass to the gateway? Do both the public side and LAN side get inspected for vendor VPNs, or what is the best really?

    Is this your network?
    [remote vpn] - [ internet]- [router]- [firewall] - [local vpn] - <IDS> [local network]

    or is this your network?
    [remote vpn] - [internet] - [router] - [local vpn] - [firewall] - <IDS> - [local network]


    Obviously, I prefer the second network. My reasoning is that typically you put some type of IDS/IPS on your network somewhere before your local network. You can't really "inspect" the VPN traffic using your firewall, as it should all be encrypted, so you're going to need permit statements for ESP/500 to go through your firewall, and whatever they're doing is getting through to your network, unless the IDS/IPS stops it.

    Whereas in the second network, look how you have the router at the top filtering out a lot of bogus stuff (RFC 1918/RFC 3330), then the VPNs; then even if it does survive to make it to the VPN, it comes out ready to get inspected by the firewall; then, if it survives that, it has to go through IDS/IPS before hitting your local network.

    Truth be told, you'd see more firewalls, more IPS, and more routers in the standard networks I work with, so as you can imagine, you can probably draw a lot more complex drawings if you wanted to. Imagine segmenting it off so that all your VPN traffic came in a certain way, and then you sniffed the traffic just to make sure it was only VPN traffic on the link, for good measure. If you have enough money, you can really get carried away with this stuff.

    But all of this does nothing for you if you don't educate your users not to click on links in emails and go all over the net clicking on stuff haphazardly.

    This, my friends, is called Defense in Depth. That'll be $1,000 for the consult. :D Oh wait, you want Cisco DiD? In that case, it'll be $2,500 for the consult.

    ROUTES I get
    ACLs I get

    I don't know what statics are
    In some cases, if you don't have the translation specified, the traffic won't pass across the interfaces, even IF you have an access list configured.

    Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Information About NAT [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

    Make sure to read the stuff about NAT control and identity NAT.

    And if you can understand ACLs and high/low security interfaces, you can understand how to set up the statics. Just lab it up, no big deal. :D
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
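The NAT control and identity NAT point in the post above, and the earlier question about vendor VPN routers that terminate behind the firewall, as one ASA 8.2 example. This is added for the thread; it is not the poster's configuration and not taken from the linked Cisco guide. The vendor router on the dmz interface, its Internet peer, the remote LAN 192.168.50.0/24 behind it, the database port it needs, and nat-control being enabled are all assumptions made for the example.

```text
! Added example, ASA 8.2 syntax. A vendor VPN router sits on the dmz
! interface (172.16.1.5) and is published as 203.0.113.5; its peer is
! 198.51.100.9 and the vendor LAN behind the tunnel is 192.168.50.0/24.
! Interface names and addresses are assumed.
!
! nat-control: a packet crossing interfaces MUST match a nat/static rule,
! or it is dropped with "No translation group found" even when an ACL
! permits it. Assumed enabled here, which is the case the post describes.
nat-control
!
! ROUTE for the network behind the DMZ device: the decrypted vendor LAN is
! only reachable through the VPN router, so the ASA needs to be told.
route dmz 192.168.50.0 255.255.255.0 172.16.1.5 1
!
! STATICS (mapped first, then real). The VPN router is reachable from
! the outside as 203.0.113.5.
static (dmz,outside) 203.0.113.5 172.16.1.5 netmask 255.255.255.255
! Identity static: inside and dmz talk with real addresses. This is the
! translation nat-control insists on for inside <-> dmz traffic; remove
! it and the second packet-tracer below fails at phase NAT.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! ACLS, outside: the firewall only sees IKE and ESP and cannot inspect
! the payload. Pin the rule to the one vendor peer rather than "any".
access-list OUTSIDE_IN extended permit udp host 198.51.100.9 host 203.0.113.5 eq isakmp
access-list OUTSIDE_IN extended permit udp host 198.51.100.9 host 203.0.113.5 eq 4500
access-list OUTSIDE_IN extended permit esp host 198.51.100.9 host 203.0.113.5
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! ACLS, dmz: what leaves the tunnel on the dmz side is plaintext and IS
! inspected when it crosses to inside, so permit only what the vendor
! application needs (one database port here).
access-list DMZ_IN extended permit tcp 192.168.50.0 255.255.255.0 host 10.1.1.50 eq 1433
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Checks. Tunnel setup from the peer: expect ACCESS-LIST and NAT to pass.
packet-tracer input outside udp 198.51.100.9 500 203.0.113.5 500
! Decrypted flow from the vendor LAN to the inside host: passes with the
! identity static in place, drops at NAT without it while nat-control is on.
packet-tracer input dmz tcp 192.168.50.10 50000 10.1.1.50 1433
```

The split between the two ACLs is the practical answer to the inspection question in the thread: the outside interface can only admit the encrypted tunnel to one known peer, while the dmz interface is where the firewall actually gets to apply policy to the vendor's traffic, after their router has decrypted it.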
  • itdaddy Senior Member Posts: 2,089
    [remote vpn] - [internet] - [DMZ] - [IPS iSensor] - [firewall] - <router> - [local vpn gateway] - [local LAN]


    I just don't know why the previous engineer would have VPNs get static-routed through the firewall if the VPNs cannot be inspected? Isn't that a lot of work? I suppose they could get inspected when they come out on the LAN side. Maybe that is what the ASA is configured for: inspecting on the LAN side coming out. I am still trying to figure out what it is doing, but it could be inspecting the traffic when it comes out on our LAN side.

    Maybe, after all I said above, he is just directing it through and inspecting traffic going in and out of the LAN side. Then it could inspect it, since the VPN tunnel starts on the WAN side, huh? Never thought of that; will be looking more. Thanks, man!
  • cisco_trooper Too many Member Posts: 1,442
    itdaddy wrote: »
    ROUTES I get
    ACLs I get

    I don't know what statics are


    The static statements are for NAT translation, and if you aren't used to them the syntax seems backwards.
  • instant000 Member Posts: 1,745
    itdaddy wrote: »
    I just don't know why the previous engineer would have VPNs get static-routed through the firewall if the VPNs cannot be inspected? Isn't that a lot of work? I suppose they could get inspected when they come out on the LAN side. Maybe that is what the ASA is configured for: inspecting on the LAN side coming out. I am still trying to figure out what it is doing, but it could be inspecting the traffic when it comes out on our LAN side.

    Maybe, after all I said above, he is just directing it through and inspecting traffic going in and out of the LAN side. Then it could inspect it, since the VPN tunnel starts on the WAN side, huh? Never thought of that; will be looking more. Thanks, man!

    Umm, no, that traffic's not being inspected by the firewall, as it's encrypted if it's going through the VPN. You most definitely have some type of ESP ACL allowing that traffic through.

    Does your setup look like this link (or similar)?

    PIX/ASA (Version 7.x and Later) IPsec VPN Tunnel with Network Address Translation Configuration Example - Cisco Systems

    A lot of orgs want to see your traffic unencrypted, which is why you sometimes end up with extensive proxy setups, and any attempts to use encrypted traffic to unapproved destinations send out red flags when the log review guys look through their logs.

    Anyway, check out this article, where it allows the encrypted traffic through the firewall. You probably have a similar setup.

    If it was my network, I would want them to have to terminate the VPN BEFORE they went through my firewall.

    I can think of one reason why they use the tunnel: the app they are tunneling uses a lot of ports and protocols that are poorly documented, so it may not be a simple matter to get it working through the firewall.

    Even with that said, you need to make sure you communicate to someone higher in your organization that those guys coming in through the VPN tunnel aren't being inspected by the firewall, and represent a greater security risk to you than they would otherwise.
    Let me be clear on the "unencrypted" piece. I'm referring to orgs who set up IDS/IPS/logging whatever, and they want to capture that traffic unencrypted that enters and exits their network.

    With the setup you have above, someone could snatch the data out of your home network, and the Firewall/IDS/IPS wouldn't be there to catch it, as it got encrypted before you could inspect it.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000 Member Posts: 1,745
    The static statements are for NAT translation, and if you aren't used to them the syntax seems backwards.

    True dat.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • itdaddy Senior Member Posts: 2,089

    If it was my network, I would want them to have to terminate the VPN BEFORE they went through my firewall.
    So you would have it terminate before the firewall and then inspect the LAN
    traffic static-routed to and from the terminated VPN end, right?
    So maybe that is what the firewall is doing?
  • powerfool Senior Member Posts: 1,649
    The big thing on contexts is for active/active failover. Essentially, you have two firewalls that you want active, so you set up contexts so you have virtual firewalls. For instance, physical firewalls 1 and 2, and virtual firewalls A (active), a (passive for A), B (active), and b (passive for B). Firewall 1 has virtual firewalls A and b, and firewall 2 has virtual firewalls a and B. So it is like a dual active/passive setup, and while all hardware is active, each unit has only one active virtual firewall. Assuming firewall 2 fails, firewall 1 assumes the active role for both firewalls and will have firewalls A and B.

    I am not sure if I explained that well, but that is really the purpose of the contexts.
    AZ-204 [ ] AZ-400 [X] AZ-500
    2020 Goals: Azure Developer Associate, Azure DevOps Expert, Azure Security Associate
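The contexts and active/active layout powerfool describes, using the three context names from the opening post, as an ASA 8.x system-execution-space configuration. This is an added example for the thread; it is not the work configuration itdaddy describes and not from Cisco's documentation. Interface names, VLAN numbers, failover addresses and config file names are assumptions. One check before buying hardware for this: multiple context mode is not supported on the ASA 5505 at all, and Cisco's 5510 license table lists security contexts only under the Security Plus license, so the first two commands below are worth running on any unit you are offered.

```text
! Added example, ASA 8.x, entered in the system execution space.
! Interface names, VLANs, addresses and file names are assumed.
!
! What does the license allow, and which mode is the box in right now?
show version | include Contexts
show mode
!
! Switching modes reboots the unit and turns the current single-mode
! configuration into the admin context's config.
mode multiple
!
! In multiple mode, physical interfaces and VLAN subinterfaces are created
! here; IP addressing and policy live inside each context.
interface Ethernet0/0
 no shutdown
interface Ethernet0/0.10
 vlan 10
interface Ethernet0/0.20
 vlan 20
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.100
 vlan 100
interface Ethernet0/1.110
 vlan 110
!
! Two contexts will share Ethernet0/1.100 (the "outside firewall" feeds
! the "inside firewall"), so each context needs its own MAC on it.
mac-address auto
!
! Each context is a separate virtual firewall with its own config file.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context Internet
 description Internet-facing: NAT/PAT and the DMZ
 allocate-interface Ethernet0/0.10 outside
 allocate-interface Ethernet0/0.20 dmz
 allocate-interface Ethernet0/1.100 core
 config-url disk0:/Internet.cfg
!
context Private
 description vendor VPN landing zone and internal segments
 allocate-interface Ethernet0/1.110 vpn
 allocate-interface Ethernet0/1.100 core
 config-url disk0:/Private.cfg
!
! Active/active failover is built on the contexts: each context joins one
! of two failover groups, and each group is active on a different physical
! unit until one of them fails and the survivor takes both.
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link FOLINK Ethernet0/3
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
context Internet
 join-failover-group 1
context Private
 join-failover-group 2
failover
!
! Verify, then step into a context and configure it like a standalone ASA.
show context
show failover
changeto context Internet
```

The mapped names on the allocate-interface lines (outside, dmz, core, vpn) are what the context sees, so the person working inside the Internet context never needs to know which VLAN subinterface is behind them; that is also what keeps a diagram of this kind of box readable, one context per sheet with only its mapped interface names.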
  • itdaddy Senior Member Posts: 2,089
    Powerfool,
    What this guy did is he has two contexts apart from the admin context, of course. He created an INTERNET virtual context and a PRIVATE virtual context, and their respective zones. The Internet context has the NATing and DMZ, and the Private deals with, I think, the VPNs coming in off of the DMZ, if that makes sense. It is kind of confusing, but I am having a CCIE,
    whom I am paying, come in and teach me all my questions about our main site and its architecture. Very cool; I get to pay someone to teach me my networks. I am 75 to 80 percent sure of how it works, but that 25 percent I want to make darn sure. I know, LOL! I will let you know what I discovered when I contract a CCIE out.
    Thanks so much, and I have decided to buy another firewall at work as a spare and practice on it vs. using GNS3.
    I have played with the GNS3 ASA firewall and it is very buggy, and for those of you who got it working with no bugs I am glad for you, but I followed all the steps on the forums with the flash issue and the multiple context issue and I got no results. Seems buggy, so I have decided, since I am boss, hahaa, to just buy an extra ASA 5510 with SP license to practice on at work. ;) It is good to be king! Hahaha, LOL. Thanks, guys, for the help.