mbruno

join:2003-07-03
Fruitland, MD

[Info] Cisco ASA5505

I was wondering if someone could shed some light on the ASA5505 for me, specifically the DMZ feature. I was looking to buy one, but as always Cisco seems to be very vague on details, or I just do not know where to look. To my knowledge the ASA5505 comes in a variety of different feature sets. I know the Security Plus feature set offers the full DMZ, whereas the base model only offers the limited DMZ.

My question is what is limited on the DMZ? Would it be trunking? I am really just looking for something I can practice on since the Pix are end of line.

Thanks all.


WireHead
I drive to fast
Premium
join:2001-05-09
Muncie, IN
You had me thinking so I perused some older posts.

Hope this helps, check this thread.

»ASA5505 help
--
Retired BBR Team Starfire Team Q III Host
Live by chance. Love by choice. Kill by profession.

HELLFIRE
Premium
join:2009-11-25
kudos:19

1 recommendation

reply to mbruno
Base licence gives "DMZ-lite" functionality (I use that term very sarcastically) in that it's not full DMZ communicability -- IIRC the DMZ can communicate to the outside / untrusted interface but CANNOT communicate with the inside, even if you configure it.

Also, BASE cannot do dot1q trunking while SECPLUS can.

If you want REAL DMZ connectivity, budget for the SECPLUS licence. If this is just for practice, you should be able to get away with a BASE licence.

Regards


imanon

@comcast.net
I think this is best explained here:
»www.gomjabbar.com/?p=1624

What HELLFIRE points out is very important:
"BASE cannot do dot1q trunking while SECPLUS can"
...this is where you're going to get frustrated.

mbruno

join:2003-07-03
Fruitland, MD
reply to HELLFIRE
So if I understand this correctly, I can have an Exchange server on the outside DMZ and the clients on the LAN (inside) can talk to the Exchange server, but the Exchange server cannot talk to the LAN clients? Is this correct? Cisco and their weird language, they really like to chop you off at the knees on this stuff. They just give you a little taste of what the device can do, and that's it.

From what I can find out, the ASA5505 security feature costs around $700 if you buy it together, or around $400 to $500 for the license pack alone. I wouldn't mind buying it if it had a 1 gigabit connection, but it's 10/100. I love how ISP providers are advertising speeds of 20 and 50 Mbps down; you will never take full advantage of this while using a 10/100 connection. Who knows, maybe I am wrong here.

HELLFIRE
Premium
join:2009-11-25
kudos:19

1 recommendation

reply to mbruno
Base vs SECPLUS is also compared here as well, but yes, in a nutshell the DMZ "VLAN" can talk with outside OR inside but not both.

I've said it before, and I'll repeat it again -- while ASA was a badly needed upgrade to the PIX line, Cisco SERIOUSLY shot themselves in the foot with the 'everything as a licence' model.

Regards

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
And this is why I buy Cisco less today--it's kind of nuts and I feel like I'm licensing something from Microsoft/need to be a licensing expert just to get expected functionality.

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to HELLFIRE
Yes, they've gotten way overboard with the licensing crap. However, with the ASA base vs. secplus... you pretty much know what you need before you start shopping. For most purposes, the "DMZ-lite" mode is acceptable. So DMZ hosts cannot initiate contact with an inside (or outside) host, just plan ahead.

Also, if you're planning an enterprise network, you likely aren't doing it with a 5505. (and today, would be looking at things not made by Cisco.)

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to mbruno
said by mbruno:

So if I understand this correctly, I can have an Exchange server on the outside DMZ and the clients on the LAN (inside) can talk to the Exchange server, but the Exchange server cannot talk to the LAN clients?

Correct. It's the origin of the connection that matters. In a secure context, the DMZ host(s) should not be allowed to connect to the (secure) inside network anyway. (even on an old pix, it cannot without explicit configuration... lower security to higher security by default is blocked.)

Having used a 5505-base DMZ -- because that's the only way to have dns rewriting to work [censored Cisco] -- it works just fine. Having the DMZ'd web servers not able to mess with inside hosts is actually a Good Thing(tm).

I love it how ISP providers are advertising speed of 20 and 50 Mbps down, you will never take full advantage of this while using a 10/100 connection.

20 and 50 are less than 100, so yes, you can use the full bandwidth with a 100 Mbps connection. (If your link(s) are half-duplex, then you should upgrade out of the internet dark ages.) What's limiting many people's use of all those bits is the cheap little router they've been using for a decade, not the link speed.
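The Base-licence "DMZ-lite" behaviour HELLFIRE describes above and the connection-origin rule cramer explains, modelled as an added Python policy check (not Cisco code and not from the thread); the interface names, security levels and ACL entries are constructed assumptions:

```python
"""Toy model of the ASA 5505 access decision discussed in the thread.

Assumptions (not from the page): interface names, security levels and the
ACL entries are constructed for illustration; only the first packet of a
connection (its origin) is modelled, not NAT, inspection or routing.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    security_level: int                      # 100 = inside ... 0 = outside
    no_forward_to: frozenset = frozenset()   # Base licence: may not initiate to these
    acl_permit_to: frozenset = frozenset()   # explicit permits for traffic entering here


def connection_allowed(src: Interface, dst: Interface) -> tuple[bool, str]:
    """Return (allowed, reason) for a connection initiated on src toward dst.

    Replies of an allowed connection always return: the firewall is stateful,
    so only the origin interface matters (cramer's point in the thread).
    """
    if dst.name in src.no_forward_to:   # licence restriction beats any ACL
        return False, "base licence: 'no forward' blocks initiation from DMZ"
    if src.security_level > dst.security_level:
        return True, "higher-to-lower security: permitted by default"
    if dst.name in src.acl_permit_to:
        return True, "lower-to-higher security: permitted by explicit ACL"
    return False, "lower-to-higher security: denied by default"


def base_licence_topology() -> dict[str, Interface]:
    """Constructed inside/outside/dmz layout of a Base-licence 5505 whose DMZ
    VLAN is restricted toward inside; the ACL on dmz shows it is ignored."""
    return {
        "inside": Interface("inside", 100),
        "outside": Interface("outside", 0, acl_permit_to=frozenset({"dmz"})),
        "dmz": Interface("dmz", 50, no_forward_to=frozenset({"inside"}),
                         acl_permit_to=frozenset({"inside"})),
    }


def reachability(ifaces: dict[str, Interface]) -> dict[tuple[str, str], bool]:
    """Matrix of which interface may *initiate* a connection to which."""
    return {(s.name, d.name): connection_allowed(s, d)[0]
            for s in ifaces.values() for d in ifaces.values() if s is not d}
```

Calling `reachability(base_licence_topology())` yields inside->dmz and dmz->outside allowed, outside->dmz allowed only because of the ACL, and dmz->inside denied despite its ACL, which is the Exchange-in-DMZ situation mbruno asked about.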

mbruno

join:2003-07-03
Fruitland, MD

20 and 50 are less than 100, so yes, you can use the full bandwidth with a 100 Mbps connection. (If your link(s) are half-duplex, then you should upgrade out of the internet dark ages.) What's limiting many people's use of all those bits is the cheap little router they've been using for a decade, not the link speed.

I actually am using full-duplex on my home stuff. I guess I really never thought about 20 and 50 being less than 100. You make a good point about that. I would still like to have a 1 gig Ethernet port from the cable modem to the firewall to the router and then to the switch that feeds the computers. It may be overkill, but at least I know I am not the bottleneck. It may be true that I would never reach the full saturation point of the connection, but I would at least like to be ready for when I do need it.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
ASA 5505 comes in multiple flavors. HELLFIRE mentioned Base vs Security Plus, which is one of the considerations. Another one is the user number license and VPN tunnel number, which comes in 10, 50, and Unlimited. Make sure that whichever model or flavor you choose is the proper one, since the upgrade fee itself may cost more than buying new equipment.

From a different angle, you also can go with a Juniper firewall. An SSG 5 is a dirt-cheap option, though SRX 100 is recommended since Juniper is phasing out ScreenOS-based firewalls. Regardless, SSG and SRX firewalls have only one flavor, which is unlimited features and user number on any model (except the Antivirus and IPS features). Compared to Cisco ASA, Juniper SSG and SRX are a much simpler solution since there is no flavor to choose, and you don't have to since most features companies look for are already included.

HELLFIRE
Premium
join:2009-11-25
kudos:19
SSG does do unlimited users (compared to the ASA), however it does mess with your head about BASE and Advanced licences (doubles the session count from 8K to 16K, and ups your tunnel count). I forget if this also included "advanced" routing features like BGP, but in terms of pure functionality over an ASA the SSG seems much better thought out.

Regards

aryoba
Premium,MVM
join:2002-08-22
kudos:4
All SSG 5 we bought came by default all features most companies need including advanced routing (BGP, OSPF, RIP), unlimited security and user session (IPSec VPN, SSL, inspection, NAT, etc.), virtual routers, trunking, VLAN and Spanning Tree, and security zones. With today's prices, SSG 5 is an obvious deal compared to ASA 5505.

Also, SSG 5 has a wireless model for those who are in need of wireless firewall integration.

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
Makes you wonder about Cisco’s future when the forum regulars stop recommending Cisco…

aryoba
Premium,MVM
join:2002-08-22
kudos:4
said by Bink:

Makes you wonder about Cisco's future when the forum regulars stop recommending Cisco...

Some engineers are vendor-neutral, especially when they are used to a mixed environment where there is not only Cisco but also Juniper, F5, Aruba, Avaya, Riverbed (among other things). When you are forced to get more bang for your buck, some companies are forced to move away from Cisco, or at least to have a mixed environment when your "regular Cisco box" cannot deliver what you are trying to achieve.

I myself still like Cisco switches, routers, and firewalls since they are durable and reliable. I still buy and recommend Cisco for both personal and business needs. However, I think it would be refreshing for one who has been "too long" dealing with Cisco ways to start tinkering with other vendors' solutions. That way, not only do you learn a different way to achieve things, but it also forces you to think outside the box.


HELLFIRE
Premium
join:2009-11-25
kudos:19

1 recommendation

reply to Bink
...No one got fired for suggesting Cisco / IBM / MS / [insert vendor here], didn't you know Bink?

Regards


Da Geek Kid

join:2003-10-11
::1
kudos:1
they should...