Cisco Support Community Expert Series Webcast: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

Namit Agarwal, Engineer Technical Services

Rahul Govindan, Engineer Technical Services

October 22nd 2013

© 2011 Cisco and/or its affiliates. All rights reserved.


•  Today’s featured experts are Cisco Engineers Namit and Rahul

•  Ask them questions now about the ASA 9.x features


Today’s presentation will include audience polling questions

We encourage you to participate!


If you would like a copy of the presentation slides, click the PDF link in the chat box on the right or go to the following url:

https://supportforums.cisco.com/docs/DOC-37105


What is your level of experience with ASA 9.x software?

a)  I have never heard of the ASA 9.x version before

b)  I have heard of the ASA 9.x version but not used it so far.

c)  I have used the ASA 9.x version but not the new features

d)  I am using the new features from ASA 9.x.


Use the Q&A panel to submit your questions. Experts will start responding those


Namit Agarwal and Rahul Govindan

Technical Services Engineers


•  Introduction to ASA 9.x

•  Overview of new Firewall features

•  Overview of ASA CX

•  Overview of new VPN features

•  Upgrading to ASA 9.x

•  Q&A


•  Different software releases per hardware prior to 9.x

•  Need for a unified software release compatible for all platforms

•  First release in October 2012

| Hardware | Software versions |
|---|---|
| ASA 5505,10,20,50,80,85 | 8.0-8.4 |
| ASA SM | 8.5 |
| ASA 5500-X | 8.6 |


•  Cisco Cloud Web Security (ScanSafe)

Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic. It can also redirect and report about web traffic based on user identity.

•  ASA Clustering for the ASA 5580 and 5585-X

ASA Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. ASA clustering is supported for the ASA 5580 and the ASA 5585-X; all units in a cluster must be the same model with the same hardware specifications.


•  Dynamic routing in Security Contexts

EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.

•  Mixed firewall mode support in multiple context mode

You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode.


•  Ability to view top 10 memory users – show memory top-usage

You can now view the top bin sizes allocated and the top 10 PCs for each allocated bin size. Previously, you had to enter multiple commands to see this information (the show memory detail command and the show memory binsize command); the new command provides for quicker analysis of memory issues.

•  Support for administrator password policy when using the local database

•  Support for a maximum number of management sessions

•  Support for image verification - Support for SHA-512 image integrity checking was added.

•  CPU profile enhancements

•  Decreased the half-closed timeout minimum value to 30 seconds


•  Context Aware Firewall -> CX

•  ASA CX filtering goes beyond the 5-tuple packet information

-  Identify Users based on Usernames and Groups

-  Can block Application/specific URL/URL of a specific category

-  Can make decisions based on client information/ posture


•  User ID Active/Passive Authentication

•  AVC – Broad and Web

•  SSL/TLS decryption

•  HTTP inspection

•  URL Filtering

•  Web Reputation

•  Reporting/Eventing

•  Layer 3/7 access control


•  Use the ASA Modular Policy Framework (MPF) to direct traffic to the CX:

policy-map global_policy
 class class-default
  cxsc fail-open auth-proxy
service-policy global_policy global

ASA CLI

PRSM
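An added example, not part of the original slides: a Python sketch that reads an ASA running-config excerpt and reports how each cxsc redirect under the MPF is set up. The sample configuration, the class name guest_web and the function names are constructed for illustration; the fail-close and monitor-only keywords are ASA CLI options that this slide does not show.

```python
# Constructed sample running-config excerpt (not from the original slides).
SAMPLE_CONFIG = """\
class-map guest_web
 match port tcp eq 80
policy-map global_policy
 class inspection_default
  inspect dns
 class guest_web
  cxsc fail-close monitor-only
 class class-default
  cxsc fail-open auth-proxy
service-policy global_policy global
"""


def cxsc_redirects(config):
    """Return one dict per 'cxsc' action found under a policy-map class."""
    results = []
    policy = cls = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            # Any top-level command ends the previous policy-map block.
            is_pmap = words[0] == "policy-map" and len(words) > 1
            policy = words[-1] if is_pmap else None
            cls = None
        elif policy and indent == 1 and words[0] == "class" and len(words) > 1:
            cls = words[1]
        elif policy and cls and words[0] == "cxsc" and len(words) > 1:
            options = words[2:]
            results.append({
                "policy": policy,
                "class": cls,
                "fail_mode": words[1],
                "auth_proxy": "auth-proxy" in options,
                "monitor_only": "monitor-only" in options,
            })
    return results


def findings(config):
    """Turn the parsed redirects into review notes for the operator."""
    notes = []
    for r in cxsc_redirects(config):
        where = f"{r['policy']}/{r['class']}"
        if r["fail_mode"] == "fail-open":
            notes.append(f"{where}: fail-open, traffic passes uninspected "
                         "if the CX module is unavailable")
        if r["monitor_only"]:
            notes.append(f"{where}: monitor-only, CX sees a copy of the "
                         "traffic and does not enforce policy")
        elif not r["auth_proxy"]:
            notes.append(f"{where}: no auth-proxy, active authentication "
                         "cannot prompt users")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_CONFIG):
        print(note)
```

The fail-open setting on the slide favours availability: if the CX module stops responding, the ASA keeps forwarding the matched traffic without CX inspection.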


•  On-Box

-  Configuration

-  Eventing/Reporting

•  Off-Box

-  Configuration

-  Eventing/Reporting

-  Multi-Device Manager for ASA CX

-  Role Based Access Control

-  VM or UCS appliance


•  Identity

•  Decryption

•  Access


•  Active authentication – Intercept user traffic (http(s)) and authenticate proxy - Similar to auth-proxy functionality on ASA.

•  Passive authentication – Obtain user authentication from other sources (AD Agent, CDA, ASA VPN information).


Requirements :

•  CX needs CA Certificate and private key.

•  Needs to be something the end users trust.

•  Can be self-signed certificate.

•  Can be a CA certificate that users already trust.

Things not supported:

•  SSH decryption.

•  Client side authentication with TLS.


•  delete – delete files (cores and packet captures)

•  setup – configure the IP addresses, hostname, domain, DNS, NTP

•  system (reload | shutdown) – reboot or stop the blade

•  system (upgrade | revert) – upgrade or downgrade the OS

•  services (start | stop) – turn on and off the services including packet inspectors

•  ping, nslookup, traceroute – management interface connectivity troubleshooting

•  show interface – statistics for management interface

•  show opdata – show operational data from the data plane

•  show tech-support – outputs for Cisco support troubleshooting

•  support tail log – watch the logs on the CLI

•  support diagnostics – package and upload a collection of logs and debug info (including packet captures)

•  config (backup | restore) – backup or restore the configuration. Backup requires FTP. Restore requires FTP or HTTP


•  Support for the ASA CX module in multiple context mode ( requires CX 9.2(1) and above )

•  ASA 5585-X with SSP-40 and -60 support for the ASA CX SSP-40 and -60 ( requires CX 9.2(1) and above )

•  Filtering packets captured on the ASA CX backplane

•  Support for ASA CX monitor-only mode for demonstration purposes

•  Support for the ASA CX module and NAT 64

•  Support for the ASA CX SSP for the ASA 5512-X through ASA 5555-X

•  ASA 5585-X support for the ASA CX SSP-10 and -20


Which among these is the best feature you like on the ASA CX?

a)  Granular URL control

b)  Granular app access control

c)  Zero day attack protection

d)  Detailed event reporting


•  VPN support in Multi-context mode

•  ASA IPv6 support for AnyConnect and Clientless SSL VPN

•  Next Gen Encryption (NGE) support

•  Citrix Mobile Receiver feature


•  Site-to-Site VPN:

-  IKEv1 IPSec

-  IKEv2 IPSec

-  Both V4 and V6

-  Next Generation Encryption / Suite B

•  Failover

-  Active / Standby mode

-  Active / Active mode

•  NO support for Remote Access VPN.

•  ASA 5505 doesn’t support Multi-Context mode

•  Supports all the available single context mode Site-to-Site VPN feature set

•  Configuration similar to single context mode.

•  VPN configuration commands executed in user/admin contexts


•  Configured from system context using resource classes

•  Licenses for each context MUST be explicitly assigned using resource classes in resource manager

•  Two new resource types added to resource manager for this:

-  Other VPN license – Guaranteed licenses assigned to each context

-  Other VPN license Burst limit – Based on availability in the system

•  Burst: Allows oversubscription of licenses beyond those allocated to this context, if available on the system. Best Effort. No Guarantees.


•  ASA previously had limited IPv6 support with the AnyConnect client

•  Feature adds extended IPv6 support with AnyConnect client including

- Tunnel establishment using IPv6 between peers for both SSL and IKEv2 protocols

- IPv6 support for various attributes configured on the ASA and sent down to the client

Unsupported functionality – IPv6 tunneled traffic in tunnels established using IKEv2


| Client IP | Assigned IP | ASA Headend | SSL/DTLS | IKEV2 (IPSec) |
|---|---|---|---|---|
| IPV4 | IPV4 | IPV4 | YES | YES |
| IPV4 | IPV6 | IPV4 | YES | NO |
| IPV6 & IPV4 | IPV4 | IPV6 & IPV4 | YES | YES |
| IPV6 & IPV4 | IPV6 | IPV6 & IPV4 | YES | NO |
| IPV6 & IPV4 | IPV6 & IPV4 | IPV6 & IPV4 | YES | NO |
| IPV6 | IPV4 | IPV6 | YES | YES |
| IPV6 | IPV6 | IPV6 | YES | NO |

** ASA Must have IPV4 Interface Address to support LB Inter-Device Communication **

** Client must have dual stack for combinations where assigned IP type is different from outer IP **


•  What is ASA 9.x NGE?

•  Two main parts

•  NSA Suite B

•  Set of algorithms defined in RFC 4869

•  AES-GCM/GMAC Encryption/Authentication

•  Elliptic Curve Diffie-Hellman (ECDH) Key Exchange – Groups 19, 20, and 21

•  Elliptic Curve Digital Signature Algorithm (ECDSA) Signature/Verification – Curves P256, P384, and P521

•  ESP with SHA-256, SHA-384, and SHA-512 packet authentication

•  IPsecV3

•  ESPv3 (RFC 4303)

•  4096-bit RSA key support

•  Diffie-Hellman Group 24

•  ASA 9.x NGE only applies to IKEv2/IPsec VPN connections
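An added example, not part of the original slides: a Python sketch that audits the IKE and IPsec sections of an ASA running-config against the NGE algorithm list above. The sample configuration is constructed, the function names are hypothetical, and the mapping of the slide's algorithm names onto CLI keywords (including SHA-2 for IKEv2 integrity and PRF) is an assumption of this example.

```python
# Slide's NGE list mapped onto ASA CLI keywords (spellings are assumptions).
NGE_IKEV2 = {
    "encryption": {"aes-gcm", "aes-gcm-192", "aes-gcm-256"},
    "integrity": {"sha256", "sha384", "sha512", "null"},  # null pairs with AES-GCM
    "prf": {"sha256", "sha384", "sha512"},
    "group": {"19", "20", "21", "24"},
}
NGE_ESP = {
    "encryption": {"aes-gcm", "aes-gcm-192", "aes-gcm-256",
                   "aes-gmac", "aes-gmac-192", "aes-gmac-256"},
    "integrity": {"sha-256", "sha-384", "sha-512", "null"},
}

# Constructed sample running-config excerpt (not from the original slides).
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 encryption aes-256
 hash sha
 group 5
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 20
 prf sha384
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-256 3des
 integrity sha
 group 5 2
 prf sha
crypto ipsec ikev2 ipsec-proposal NGE
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal LEGACY
 protocol esp encryption aes-256
 protocol esp integrity sha-1
"""


def parse_crypto_blocks(config):
    """Return [(header, [child_words, ...])] for each top-level crypto block."""
    blocks, current = [], None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = None
            if line.startswith("crypto "):
                current = (line.strip(), [])
                blocks.append(current)
        elif current is not None:
            current[1].append(line.split())
    return blocks


def _check(header, keyword, values, allowed_sets, findings):
    # Lines such as 'lifetime' have no NGE requirement and are skipped.
    allowed = allowed_sets.get(keyword)
    if allowed is None:
        return
    outside = [v for v in values if v not in allowed]
    if outside:
        findings.append(
            (header, f"{keyword} {' '.join(outside)} is outside the NGE set"))


def audit(config):
    """List (block header, note) pairs for settings that are not NGE."""
    findings = []
    for header, children in parse_crypto_blocks(config):
        if header.startswith("crypto ikev1 policy"):
            findings.append(
                (header, "IKEv1 policy; NGE applies to IKEv2/IPsec only"))
        elif header.startswith("crypto ikev2 policy"):
            for words in children:
                _check(header, words[0], words[1:], NGE_IKEV2, findings)
        elif header.startswith("crypto ipsec ikev2 ipsec-proposal"):
            for words in children:
                # Child lines look like: protocol esp encryption aes-gcm-256
                if words[:2] == ["protocol", "esp"] and len(words) > 3:
                    _check(header, words[2], words[3:], NGE_ESP, findings)
    return findings


if __name__ == "__main__":
    for header, note in audit(SAMPLE_CONFIG):
        print(f"{header}: {note}")
```

A policy that lists several values on one line, such as the constructed policy 20, is reported once per keyword with every non-NGE value named, since the peer may negotiate any of them.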


•  Platform Support

| Feature | Single-Core Platforms | Multi-Core Platforms |
|---|---|---|
| AES-GCM/GMAC | Not Supported | Hardware* |
| ESP/SHA-2 | Not Supported | Hardware & Software |
| ECDH | Software | Software** |
| ECDSA | Software | Software** |
| ESPv3 | Supported | Supported |
| 4096-bit RSA | Not Supported | Hardware |
| DH 24 | Software | Hardware & Software |

* Software support will be introduced in a future release

** Hardware support will be introduced in a future release


•  ESPv3 features

ICMP error validation – This feature allows the administrator to enable validation of specific ICMP error messages before they are forwarded. The error validation will ensure that the ICMP errors are in response to a previously transmitted packet and not part of an attack.

Fragmentation policy per tunnel – This feature allows the DF bit policy (copy, clear, or set) to be set for individual tunnels. This setting was only available at the interface level previously.

Dummy packet generation for Traffic Flow Confidentiality (TFC) – This feature allows the administrator to inject dummy packets into the IPsec packet stream. These packets can be used to prevent traffic analysis of the IPsec data.

PMTU Aging – This feature allows the administrator to control the effective time of PMTU updates. In the current releases, a PMTU update will last for the remaining life of the IPsec tunnel. This option provides a timeout for the PMTU updates.


•  Previously, to remotely access XenApp/XenDesktop resources from mobile devices, Citrix Access Gateway (CAG) was required.

•  With this feature, ASA can replace CAG while the rest of the infrastructure is kept intact


| Device | OS version | Citrix Receiver version |
|---|---|---|
| iPad | 4.x and higher | 4.x or later |
| iPhone/iTouch | 4.x and higher | 4.x or later |
| Android Phone | 2.x | 2.x or later |
| Android Tablet | 3.x | 2.x or later |


Instead of Citrix Access Gateway, enter ASA address.


•  You cannot upgrade directly to 9.0 or later from pre-8.3 releases. You must first upgrade to Version 8.3 or 8.4 for a successful migration.

•  Back up the entire configuration before any upgrade, as a downgrade will not revert all changes. ASDM Backup/Restore tool is preferred.

•  Use Zero downtime upgrade for failover pair. Please follow the upgrade instructions carefully as provided in Cisco Documentation.


If you have additional questions, you can ask Haseeb and Chris. They will be answering from October 22 – November 1, 2013 https://supportforums.cisco.com/thread/2246756 You can watch the video or read the Q&A 5 business days after the event at https://supportforums.cisco.com/community/netpro/ask-the-expert/webcasts


What do the year 1997, Security and Cisco all have in common?

A. In 1997, Cisco first released Adaptive Security Appliance

B. In 1997, Cisco Systems, Inc. announced the industry’s first enterprise-wide security initiative which was just the start of things to come in the enterprise security space for Cisco including Cisco Adaptive Security Appliance, VPN, Firewalls and the current ASA 9x.

C. In 1997, Cisco earned a patent for the Adaptive Security Appliance


Those who fill out the Evaluation Survey will be entered into a raffle to win:

$50 Amazon Gift Card

To complete the evaluation, please click on link provided in the chat or in the pop-up once the event is closed.


Tuesday, November 5, 2013

10:00 a.m. JST Tokyo (Monday, November 4, 5 p.m. PDT San Francisco)

Join Cisco Expert:

Ryota Takao

During this live event, the expert Ryota Takao will focus on the behavior of Cisco IOS Router memory and buffers, introducing the troubleshooting methods of log checkpoints, cautions, and case studies.

Register for this live Webcast at:

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=J&SEMINAR_CODE=S19095&PRIORITY_CODE=

Topic: Cisco IOS Routers Memory/Buffer Troubleshooting


Wednesday, November 6, 2013

11:00 a.m. Brasilia City 1:00 p.m. WEST Lisbon 5:00 a.m. San Francisco 8:00 a.m. New York City

Join Expert:

Top Contributor Bruno Rangel of Capgemini Brazil

During this live event, expert Bruno Rangel of Capgemini Brazil will cover important topics such as call control for Cisco TelePresence, media resources, network requirements for Cisco TelePresence, and Cisco TelePresence Management Suite (TMS).

Register for this live Webcast at:

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=P&SEMINAR_CODE=S19206&PRIORITY_CODE=

Topic: Cisco TelePresence: Fundamentals, Configuration, and Support


Tuesday, November 12, 2013

9:00 a.m. PDT San Francisco 12:00 p.m. EDT New York 5:00 p.m. BST London 6:00 p.m. CEST Paris

Join Expert:

Vinayak Sudame

During this live event, expert Vinayak Sudame will cover important caveats and best practices for the Cisco Nexus switches, including configuring and troubleshooting Cisco Nexus 5000 and 6000 Series switches as well as Fibre Channel over Ethernet (FCoE). Additionally, Vinayak will provide best practices for working with the Technical Assistance Center (TAC).

Register for this live Webcast at:

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=E&SEMINAR_CODE=S19254&PRIORITY_CODE#

Topic: Cisco Nexus 5000 and 6000 Fibre Channel over Ethernet Important Caveats and Best Practices


Tuesday, November 19, 2013

12:00 p.m. Moscow Time 10:00 a.m. Brussels Time

Join Expert:

Irina Ilyina-Sidorova

During this live event, expert Irina Ilyina-Sidorova will cover a typical ISE installation process – in the case of a multi-node deployment. Irina will also cover HW and network infrastructure requirements.

Register for this live Webcast at:

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=R&SEMINAR_CODE=S19170&PRIORITY_CODE=

Topic: Identity Service Engine – typical setup in a multi-node deployment


Topic: Packet Capture Capabilities of Cisco Routers and Switches

Join Cisco Experts: Hitesh Kumar and Rahul Rammanohar Learn and ask questions about packet capture capabilities of Cisco routers and switches.

Ends November 1

Join the discussion for these Ask The Expert Events at: https://supportforums.cisco.com/community/netpro/expert-corner#view=ask-the-experts

Topic: Layer 2 Security on Cisco Catalyst Platforms

Join Cisco Expert: Wilson Bonilla Learn and ask questions about issues in designing, planning and implementing Layer 2 security in your LAN network.

Ends November 1


Topic: Integrating Cisco Identity Services Engine 1.2 for BYOD Join Cisco Experts: Eric Yu and Todd Pula Learn and ask questions about integrating Cisco ISE 1.2 for BYOD.

Starts November 4

Join the discussion for these Ask The Expert Events at: https://supportforums.cisco.com/community/netpro/expert-corner#view=ask-the-experts

Topic: IPv6 Routing Protocols Join Cisco Designated VIP Peter Palúch Learn and ask questions about how to manage controllers with Cisco Prime™

Starts November 4


https://supportforms.cisco.com http://www.facebook.com/CiscoSupportCommunity

http://twitter.com/#!/cisco_support

http://www.youtube.com/user/ciscosupportchannel

http://tinyurl.com/cscgoogleplus

http://tinyurl.com/csclinked

Newsletter Subscription: http://tinyurl.com/csc-newsletters

http://tinyurl.com/cscitunesapp

http://tinyurl.com/cscandroidapp


If you speak Spanish, Portuguese, Japanese, Polish or Russian, we invite you to ask your questions and collaborate in your language:

•  Spanish → https://supportforums.cisco.com/community/spanish

•  Portuguese → https://supportforums.cisco.com/community/portuguese

•  Japanese → https://supportforums.cisco.com/community/csc-japan

•  Polish → https://supportforums.cisco.com/community/etc/netpro-polska

•  Russian → https://supportforums.cisco.com/community/russian


https://supportforums.cisco.com


Now your ratings on documents, videos and blogs count and give points to the authors!

So, when you contribute and get ratings, you now get the points in your profile.

Help us recognize the good quality content in the community and make your searches easier. Rate content in the community.

https://supportforums.cisco.com/community/netpro/idea-center/cafe/blog/2013/06/07/ratings-extended-to-documents-blogs-and-videos


Global community members can collaborate with colleagues and other support professionals with easy, on-the-go access to the community’s breadth of technical resources in their local language.

With the latest version of the mobile app, you can now access the Spanish, Portuguese, Japanese and Russian communities.

https://supportforums.cisco.com/community/netpro/online-tools/mobile-technical-support


Thank You for Your Time

Please Take a Moment to Complete the Evaluation


Thank you.