Cisco PIX to ASA: not what it seems

I am still behind in getting configs published, but please know that they are coming. This is a hobby for me and, like most hobbies, it is lower in my priority queue than work and family. One of the items that took priority this week was a conversion from a pair of PIX 515s to ASA 5540s with AIP-20s.

I learned a lot about traffic, hardware limitations and marketing with this project. This whole project started shortly after the client upgraded their link to their upstream provider from DSL to a 100 Mbit circuit. Along with the circuit upgrade, the customer also started using a web app provided by their upstream provider that generated a lot of connections but not a lot of bandwidth. To make a long story short, we ended up having sudden outages that would come and go with no explanation… that is, until I checked the connections on their PIX 515. During outages they were running between 148,000 and 160,000 connections, and their PIX was designed to handle 120,000. We could have performed connection tuning on the PIX, but the client was ready to move on to an ASA.

After quite a bit of confusion and jockeying with Cisco, we finally ordered a pair of ASA 5540s with AIP-20 IPS modules. We also ordered a Cisco MARS unit to centralize reporting for the AIP modules as well as our routers and SNORT IDS sensors (at each WAN location), and to simplify attack and network problem mitigation. Initially I had planned to take a week to deploy the new failover pair of ASAs: rebuilding the ACLs from scratch (putting them into object groups), creating the new VPNs (IPsec and SSL), and deploying them in a test environment to work out the bugs. However, life being what it is, problems often dictate deployment rather than planning, and that's where we found ourselves this past Thursday. In the middle of a busy week the client's PIX 515s hit their connection limits and stopped business in its tracks. Three days prior the new ASAs had arrived and were sitting in my office, spun up with the newest IOS and ASDM software. Knowing that, the client made the decision to deploy the ASAs.

It's important to know that I wasn't going into this install cold. We have worked with ASAs off and on for the past 7 months, and all of us have more than 4 years' experience with the PIX IOS (mainly 6.x). On top of that, we had received a demo ASA 5520 from Cisco a few weeks prior. On the demo we had deployed this particular client's config file from their PIX 515s. We did this to test our ability to provide emergency conversion services and to know exactly how much of the old PIX IOS structure (6.x) applied in the new PIX IOS structure (7.x). What our testing showed is as follows:

  1. Interface commands are totally invalid between versions. This is because Cisco made the smart decision to move the ASAs to a configuration similar to that of its routers and switches. For future configuration and design this is great, but when converting configs you have to pull interface parameters from several locations within the PIX 6.x config files.
  2. ACLs seemed to transfer seamlessly, as did their access-group assignments. When we dropped them into the CLI no errors were reported, and when we viewed Security Policy in ASDM they appeared fine. Along with the ACLs, the object and protocol groups also applied correctly and displayed correctly in ASDM. However, this is where the conversion became a bit disingenuous: when we applied our test findings to the real-world situation of this client upgrade, our raw ACLs (non-object-based) were a mess.
  3. VPN Engine: I'll start by saying that if you were terminating VPNs against any of the PIX family, the ASA will be a breath of fresh air. ASDM (the new Java GUI for 7.x) is very similar to the VPN Concentrator 3000 GUI but slimmed down and made easier to manage. I have had some weird issues, such as non-responsive security gateway messages and rather cryptic prompts from the GUI for configuration parameters. Add Cisco's new SSL VPN engine and their best-in-class VPN client software and you have a winner. Just make sure that if you're looking for a unified FW/IDS/VPN unit you size it appropriately.
  4. IDS Feature Set: What was an IDS feature set in the PIX 6 code is now a full-blown IDS if you purchase one of the AIP-XX engines as the expansion module for your ASA. If you look closely at the actual AIP hardware you'll see that it's really just a small computer with a flash drive for its OS and storage. I have yet to fully implement one of these IPS modules, but within the month I'll be able to fill you in on the AIP, its ASDM integration in the newest release, and its interaction with the MARS.
  5. ANTI-X Engine: Honestly, I can't speak to this at all. I have yet to have a client purchase one, and I haven't had time to get to a Cisco demo for hands-on time with it. If you have, and want to post your ideas in the comments, go for it. Most of my clients are using Barracuda Networks devices for both spam and anti-spyware/phishing.
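The interface conversion in item 1 is the mechanical part of the job, and it is exactly where a hand conversion slips: the nameif comes from one place, the speed/duplex keyword from another, the address from a third, and 7.x will not bring a port up without an explicit no shutdown. The script below is an added example, not the author's script or anything from Cisco. It pulls the three PIX 6.x command families for each port into one ASA 7.x-style interface block and flags anything that needs a human look. The 6.x fragment is constructed sample input, the PIX-port-to-ASA-port mapping (ASA_HW_MAP) is a hypothetical stand-in for the real cabling, and only the common 6.x speed keywords are mapped; anything else falls back to auto and is reported.

```python
"""Consolidate PIX 6.x interface settings into ASA 7.x-style interface blocks.

Added example, not the author's script or a Cisco tool. PIX 6.x scatters one
port's settings across 'nameif', 'interface' and 'ip address'; ASA 7.x groups
them under a single 'interface <hardware>' block.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed PIX 6.x running-config fragment (sample input, not from the post).
PIX6_SAMPLE = """\
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.10.1 255.255.255.0
"""

# Hypothetical cabling: PIX 515 port -> port on the replacement chassis.
ASA_HW_MAP = {"ethernet0": "GigabitEthernet0/0",
              "ethernet1": "GigabitEthernet0/1",
              "ethernet2": "GigabitEthernet0/2"}
# 6.x combined speed/duplex keyword -> separate 7.x 'speed' and 'duplex' values.
SPEED_MAP = {"auto": ("auto", "auto"), "10baset": ("10", "half"),
             "10full": ("10", "full"), "100basetx": ("100", "half"),
             "100full": ("100", "full")}
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security(\d+)$", re.I)
INTF_RE = re.compile(r"^interface\s+(\S+)\s+(\S+)(\s+shutdown)?$", re.I)
IPADDR_RE = re.compile(r"^ip\s+address\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)


@dataclass
class Iface:
    hw: str
    name: Optional[str] = None
    security: Optional[int] = None
    speed_kw: str = "auto"        # raw 6.x keyword, kept so odd values get flagged
    shutdown: bool = False
    ip: Optional[str] = None
    mask: Optional[str] = None


def parse_pix6(config: str) -> Dict[str, Iface]:
    """Gather each port's settings from the three 6.x command families."""
    ifaces: Dict[str, Iface] = {}
    lines = [ln.strip() for ln in config.splitlines()]
    for ln in lines:                      # pass 1: commands keyed by hardware name
        m = NAMEIF_RE.match(ln) or INTF_RE.match(ln)
        if not m:
            continue
        i = ifaces.setdefault(m.group(1).lower(), Iface(m.group(1).lower()))
        if m.re is NAMEIF_RE:
            i.name, i.security = m.group(2), int(m.group(3))
        else:
            i.speed_kw, i.shutdown = m.group(2).lower(), m.group(3) is not None
    by_name = {i.name: i for i in ifaces.values() if i.name}
    for ln in lines:                      # pass 2: 'ip address' is keyed by nameif
        m = IPADDR_RE.match(ln)
        if m and m.group(1) in by_name:
            by_name[m.group(1)].ip, by_name[m.group(1)].mask = m.group(2), m.group(3)
    return ifaces


def convert_pix6_to_asa7(config: str, hw_map: Dict[str, str]) -> Tuple[str, List[str]]:
    """Render 7.x interface blocks; return (config_text, warnings_for_review)."""
    out: List[str] = []
    warnings: List[str] = []
    for hw, i in sorted(parse_pix6(config).items()):   # a PIX 515 has <10 ports
        if hw not in hw_map:
            raise KeyError(f"no target hardware name mapped for PIX interface {hw}")
        out.append(f"interface {hw_map[hw]}")
        if i.name is None:                # never named in 6.x: leave it down
            warnings.append(f"{hw}: no nameif in 6.x config, emitted shut down")
            out += [" shutdown", "!"]
            continue
        out += [f" nameif {i.name}", f" security-level {i.security}"]
        if i.ip:
            out.append(f" ip address {i.ip} {i.mask}")
        else:
            out.append(" no ip address")
            if not i.shutdown:
                warnings.append(f"{hw} ({i.name}): up but has no ip address")
        if i.speed_kw not in SPEED_MAP:
            warnings.append(f"{hw}: unknown speed keyword {i.speed_kw!r}, set to auto")
        speed, duplex = SPEED_MAP.get(i.speed_kw, ("auto", "auto"))
        out += [f" speed {speed}", f" duplex {duplex}"]
        # 7.x interfaces default to shutdown, so enabling them must be explicit.
        out += [" shutdown" if i.shutdown else " no shutdown", "!"]
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    text, warns = convert_pix6_to_asa7(PIX6_SAMPLE, ASA_HW_MAP)
    print(text + "".join(f"! REVIEW: {w}\n" for w in warns))
```

After pasting the output into the ASA, diff it against `show running-config interface` rather than trusting the paste. The script covers only the three command families shown; failover interfaces, VLAN subinterfaces and the management port are outside it, and an unmapped PIX port deliberately stops the run instead of guessing a cable.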

There is so much more I could say, both good and bad, about this product. But to sum it all up I'll say this: it does everything it claims. The CLI is a wonderful upgrade, and ASDM does what PDM should have done (it makes changes in actual, manageable CLI code). The feature expansion is mind-blowing, and that's both good and bad. Good from the perspective that you can manage all your security gateway needs in a single box. Bad in that, like the 6500 multi-service chassis, you find yourself continually spread across multiple support brackets on Cisco's site, NetPro and TAC. I'll be posting more as we continue to deploy and unlock the secrets of the ASA series. Specifically, I look forward to writing a thorough post concerning the SSL WebVPN capabilities of the ASA.
