Cisco ASA 5500 series

November 5, 2007 in networking

After upgrading the firewalls in our organisation, I have got to grips with the new Cisco Adaptive Security Appliances quite well. Here are my thoughts on the new kit.

Well, I say new – they’ve been out for a couple of years now, but since the PIX reached end of life last year, the ASA has only been a must-have upgrade for me since the start of the year.

The first ASA I came across was a 5510 for the office. When compared to the PIX 515 it replaced, the figures stacked up very well – it handled twice the traffic, had an extra interface and increased VPN encrypted throughput by a multiple of 7! However, my initial impressions were not good. The ASDM (Adaptive Security Device Manager – a web based GUI) shared the same practically unusable interface as the PDM (PIX Device Manager) of old, and there seemed little difference in the configuration method or reporting on the device.

I decided to find the latest software (version 8), which wasn’t easy to find even with a SMARTnet support agreement. Upgrading is a fairly simple process, as long as you either know your way around the command line (and have a TFTP server) or have access to the ASDM. Article re: upgrading.

Once the upgrade was complete and I opened up the new asdm version 6 interface – what a contrast!

I can now get decent reporting on what the device is doing, in real time, without any additional tools (see ASDM Interface Screenshot 1 and ASDM Interface Screenshot 2). This makes high-level troubleshooting really simple and allows me to instantly see any resource that is in high demand. If I need more detailed logs, then I can see syslogs in a real-time window and filter the results for a specific string (see Real Time Log Viewer Screenshot 1) – this filters incoming logs on the fly, meaning you can debug connectivity issues (especially config-related ones) much more quickly.

While talking about troubleshooting, it’s also worth mentioning the fantastic packet tracer tool, which helped me set up some fairly complicated NAT and access rules without having to “test in live” – the packet tracer allows you to input a source IP & port and a destination IP & port on a certain interface, then see how that packet would be handled in the current configuration. Each step is linked to the rule that was applied, which allows you to go and fix any issues directly. (See ASDM Packet Trace Interface.)
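To make the idea behind the packet tracer concrete, here is an added example (not Cisco’s code, and a deliberately simplified model rather than the ASA’s real processing order) that walks a constructed packet through an ingress access list and then a static NAT table, recording for each phase which rule produced the verdict. The rule format, the `AclRule` class and the sample addresses are all assumptions made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class AclRule:
    name: str                     # label so a verdict can be traced back to its rule
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (any protocol)
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    dport: Optional[int] = None   # None matches any destination port

def _rule_matches(rule, proto, src, dst, dport):
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == dport

def trace_packet(acls, static_nat, iface, proto, src, sport, dst, dport):
    """Walk a packet through the ingress interface ACL, then static NAT.
    Returns a list of (phase, result, rule) tuples, one per phase reached,
    so that every verdict points at the rule that produced it."""
    phases = []
    for rule in acls.get(iface, []):          # first match wins
        if _rule_matches(rule, proto, src, dst, dport):
            result = "ALLOW" if rule.action == "permit" else "DROP"
            phases.append(("ACCESS-LIST", result, rule.name))
            break
    else:                                     # no match: implicit deny at end of the ACL
        phases.append(("ACCESS-LIST", "DROP", "implicit deny"))
    if phases[-1][1] == "DROP":
        return phases                         # later phases are never reached
    real = static_nat.get(dst)
    if real:
        phases.append(("NAT", "ALLOW", f"{dst} -> {real}"))
    else:
        phases.append(("NAT", "ALLOW", "no translation"))
    return phases

# Constructed sample config: one published HTTPS server behind a static NAT.
ACLS = {"outside": [AclRule("outside_in_https", "permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443)]}
STATIC_NAT = {"203.0.113.10": "10.0.0.5"}

if __name__ == "__main__":
    for dport in (443, 22):   # 443 is permitted; 22 falls through to the implicit deny
        print(dport, trace_packet(ACLS, STATIC_NAT, "outside", "tcp", "198.51.100.7", 40000, "203.0.113.10", dport))
```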

I’ve since set up a 5505 (branch office) and a 5520 (data centre), and within the company we have 3 more 5510s – all immediately upgraded to ASA version 8 and ASDM version 6. Now we have a standard across the world that allows us to use a combination of CLI commands and GUI management tools and wizards. Having suffered with various firewalls for several years, the impact of such a user-friendly interface is simple – easier diagnostics, therefore fewer problems, therefore more uptime.

Thank-You Cisco.
