And yet again I got the chance to test a device at home. This time: a Cisco ASA5505. ASA stands for Adaptive Security Appliance, and this product line specializes in security features such as NAT, stateful firewalling, IPS, and VPN. It supports site-to-site VPN, client-based VPN, SSL VPN, and more. Strangely enough, there is no support for DMVPN yet. The full product list can be seen here.
The ASA5505 is the smallest in the series, and the only one that does not come as a rack-mountable unit. It does have almost the same functionality as the other models: the differences between models are mostly in throughput, processing power and the number of concurrent VPN sessions. Port numbering starts at 0, and ports 6 and 7 support PoE.
The lower-end ASA models (5505 and 5510) come with a tiered license model, which can be checked here. Basically, the license costs more depending on the number of users, where users means the number of IPs or devices. The one I’m testing has a Security Plus license, which is the highest for the model, with unlimited users and full functionality. Keep in mind that not everything I’m going to explain in the upcoming series of ASA posts may work on a lower license.
An ASA handles quite differently compared to a standard Cisco IOS device. The ASA runs a custom Linux/Unix version as its operating software (so does the Cisco Nexus series), and the commands differ: ‘show ip route’ becomes ‘show route’ and ‘show ip interfaces brief’ becomes ‘show ip’, for example. Also, you can connect the Adaptive Security Device Manager, or ASDM, to it to configure the ASA through a GUI. Given the complex possibilities of the device, this is quite handy, although the (Java-based) ASDM tool does contain a few minor bugs, and in some configurations it creates extra rules in the background that can be seen from the command line but not in the ASDM.
For firewalling, a modern software release allows a lot of options: rules are defined with objects. Those objects can be source addresses or networks, destination addresses or networks, destination ports or port groups (both UDP and TCP), and time frames. All these rules can be defined in both IPv4 and IPv6. They also show the number of hits, so you can see which rules are used and which ones aren’t. Optionally you can use this information to move the most-used rules to the top to reduce CPU load (rules are examined in the order they are listed, and the first match wins).
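As an added illustration of the object-based rule style described above (constructed for this post, not configuration taken from the tested device), the snippet below defines network and service objects, a time range, and an interface ACL, then checks the per-rule hit counts. All names, addresses and the time window are assumptions.

```text
! Constructed example of object-based ASA rules; names and addresses are assumed.
object network DMZ-WEB
 host 192.168.10.10
 description Web server in the DMZ
object network ADMIN-HOST
 host 203.0.113.5
 description Admin workstation allowed to manage the web server
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 18:00
!
! ACEs are evaluated top-down and the first match wins, so the
! rule expected to take the most traffic is listed first.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB object-group WEB-PORTS
! Management access only from one host and only during business hours.
access-list OUTSIDE-IN extended permit tcp object ADMIN-HOST object DMZ-WEB eq ssh time-range BUSINESS-HOURS
! Explicit final deny with logging so dropped traffic is visible in syslog.
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Per-ACE hit counts; review these before reordering rules.
show access-list OUTSIDE-IN
! Constructed sample output line: each entry ends with its counter, e.g.
! access-list OUTSIDE-IN line 1 extended permit tcp any host 192.168.10.10 eq www (hitcnt=1523)
```

Service object groups are expanded into one line per port in the `show access-list` output, each with its own counter, which is what you compare when deciding whether a rule belongs higher in the list.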
In upcoming blog posts, I’m going to describe basic ASA functions, so stay tuned!
“show interface ip brief” will give you an output very similar to what “show ip interface brief” looks like on an IOS router or switch. I do like seeing the interface name shown on “show ip” though. Thanks for that command, I’ve never used it before.