I haven’t worked directly with these two devices, but having done some research, I find that both of them run the fundamental FirePower Threat Defence (FTD) OS. The 9300 runs it on top of the FXOS modular OS, while the 8350 runs it as part of the FirePower Management Center (FMC). Fundamentally, the CLI for both devices is similar, but differs only in the additional features that the 9300 offers.
You can find more information at the following links:
When you refer to path selection, I assume you mean routing in general. As far as routing goes, an ASA will function much the same as a router, using either static or dynamic routing. Things get a little more complicated when NAT is involved. Take a look at this post, which describes this further. This post also includes information about order of operations, something that is intricately connected to routing decisions on ASAs.
If you have any additional questions, feel free to ask!
Enterprise networks that host their own Internet-facing services, such as web servers, will typically use a DMZ. This is because the security features required to protect internal hosts are generally different from those required to protect Internet-facing servers. Because of this difference, it is generally more convenient to separate these types of hosts into two different regions, specifically, the inside network and the DMZ.
Specifically, the internal network contains hosts that:
are end-user devices (PCs, laptops, IP phones, tablets, smartphones etc…)
require access to the internet
have extensive filtering to regulate what content from the internet is accessible by the hosts
block all access from the internet to the inside hosts
Conversely, devices in the DMZ are hosts that:
must be accessible from the internet
have far fewer filtering rules, but still maintain some level of filtering for security
Because of these differences, it is much more convenient to apply these rules to whole subnets/network segments (inside and DMZ) and segregate them, rather than applying these rules on an IP-address-by-IP-address basis.
In addition, if a server in the DMZ does become compromised by an attack, any such attack will be confined to the DMZ and will not affect the Internal network. If the servers were on the same subnet as the end-users, then any attack may also affect other devices on the subnet.
Although it is possible to have all devices be on the inside network, for the reasons mentioned, it is best practice to segregate your network into the DMZ and the internal network. It is easier to manage and more secure.
Yes, it is possible to set up more than one OUTSIDE interface, and it is possible to set up more than one INSIDE interface as well. This can be done on any ASA firewall, regardless of its location in the network topology.
Whether you set this up on a firewall on the edge of your network, or on a firewall within your network, the results are the same. There are no specialized configurations necessary. If your network topology needs a firewall to have two or more outside interfaces, simply create them. Is there a more specific scenario that you had in mind about which you’d like to ask a more specific question? Let us know!
If an interface goes down on a router running OSPF, and the network on that interface was being advertised using OSPF, then yes, OSPF must reconverge. This is because:
The network on that interface is removed from the OSPF database within the local router
Advertising updates are sent to all neighboring routers stating that this network is no longer reachable
In addition, any networks that were reachable via that interface are also removed, and update requests are sent to other neighboring OSPF routers to find alternative paths to those destinations.
Now, by default, route summarization between OSPF areas on ABRs is not employed. If that is the case, then each prefix within an OSPF area will have an LSA reach the ABR and be advertised into the neighboring area. This means that any changes to the OSPF area that take place will also update routing information in neighboring areas. If route summarization is employed at the ABR, then such updates into other areas can be avoided, thus reducing OSPF convergence time. For more info about OSPF summarization, take a look at this lesson:
What effect will this have on a firewall configuration? Well, to be honest, not much. If a firewall is participating in OSPF, it is subject to the same rules as a router would be in the same situation. There are no direct security implications for firewalls that I can think of that arise from such a scenario.
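As an added illustration of the summarization point made in the reply above (this is example configuration written for this page, not the lesson's own lab), here is an ASA acting as an ABR between area 0 and area 1 that advertises one summary for area 1 instead of one LSA per prefix. The process ID, router ID, addresses and area numbers are assumptions.

```text
! Added example, not from the original reply. Addresses and area numbers are
! assumptions; the inside links 10.10.0.0/16 sit in area 1, the backbone link
! in area 0.
router ospf 1
 router-id 192.0.2.1
 network 10.10.0.0 255.255.0.0 area 1
 network 192.168.50.0 255.255.255.0 area 0
 ! Advertise a single type-3 summary LSA for area 1 into area 0. A single
 ! interface flapping inside area 1 then only changes the area 1 database;
 ! the summary is withdrawn from area 0 only when the last component prefix
 ! disappears.
 area 1 range 10.10.0.0 255.255.0.0
 log-adj-changes

! Verification on the ASA:
ciscoasa# show ospf neighbor
ciscoasa# show ospf database summary
ciscoasa# show route ospf
```

In `show ospf database summary` you should see one summary LSA for 10.10.0.0/16 originated by the ABR's router ID rather than one per inside subnet; `show route ospf` on a backbone neighbour shows the corresponding single inter-area route. As the reply notes, none of this changes the firewall's own policy; it only limits how far a topology change in area 1 propagates.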
I used to use the ASA in my GNS3 lab, as I have licenses via VIRL and my job. However, this last time I installed GNS3 and installed the ASA, it does not seem to load up. I even got my Palo Alto to work, but not the ASA, which is annoying. Have you come across any information on this? My wife is not very fond of the 32U rack I have, so it's already been taken apart and moved to the garage with a pile of Cisco equipment.
I’m not sure what the problem may be without more details. However, I think your best bet is to search the GNS3 forum for others that have faced similar situations. One thread that you may find useful is this one:
After everything upgraded I went in and loaded up my CiscoASA992.qcow2-1 image
I then followed instructions I found:
The appliance is available in the firewall category.
There is no default password and enable password. A default configuration is present. ASAv goes through a double-boot before becoming active. This is normal and expected.
Remember, on the ASA you boot it up, let it reboot, and then once it's up you shut down VNC and turn off the firewall; then you right-click, go to Configure, and change the console type from VNC to Telnet.
Then you go back and start the ASA up again.
This seemed to fix it. The fact is, I am not sure if upgrading the firmware fixed it or if I didn't read the directions closely enough to see that it has to reboot twice, and then you have to shut down, right-click, and configure it to use Telnet instead of VNC. I cannot remember now, but the good news is that it is working, and if someone has trouble and the directions do not work, perhaps they could upgrade or reinstall and it would resolve the issue!
On my job, the security teams and data center teams (not really me, as I am on a WAN team) will use ASAs to create IPsec VPNs to customer sites, and then my company NATs our private IPs (which are used for monitoring devices like SevOne etc.) to a subnet we choose for the NAT, and it reaches the client's subnets over the VPN so we can reach their servers and networking equipment from what we call bastions (jump boxes).
However, I get annoyed because I don't do this stuff just for a paycheck; I want to learn it all and how to do it!!! I consider myself more of a scientist, just passionate about learning and knowledge. So I want to be able to do the data center and security teams' parts as well, dang it.
So anyway, now I can maybe figure out a template to do just that. Maybe a router, then a Cisco ASA, and then another firewall, a Cisco ASA or maybe a Palo Alto, which I have an image for as well (I still need to get a FortiGate image, as those are popular with my company, as well as the other two), and then back into a router: (router)—(ASA)—IPsec VPN—(ASA)—(router)–(switches). That should be easy enough to do in GNS3, and then I can still learn all the parts, as I don't like to be siloed into just LAN and WAN routing and switching.
Thanks for sharing the steps you took and the resulting success of your actions. It doesn’t really matter which action actually resolved the issue, as GNS3 can get fidgety with various issues. In any case, the steps you took should/would have been done eventually as new updates are available for the various components of the system. This info can be helpful for those facing similar issues.
It’s really refreshing to see networking professionals like yourself be interested in much more than just a paycheck. That’s what makes a career fulfilling, when you love what you do, and when you share that love with other like-minded people as you do on this forum. Keep loving it, and you’ll learn quickly and enjoyably! Putting together such templates and playing around with them in an emulator will go a long way in helping you learn quickly and effectively.
Thank you, Rene, for this course, but I have a problem: you mentioned in the course that only data from the safe zone can be accepted into the unsafe zone, so I would like to know how we can access data from a network of this kind when we are foreign to the local network. Please give me a clear and practical example from daily life.
When creating various security zones, such as INSIDE, OUTSIDE, and DMZ as shown in the lesson, the default behavior is the following:
Traffic from a “high” security level to a “lower” security level is permitted.
Traffic from a “low” security level to a “higher” security level is denied.
However, in order to make a network function correctly, there must be cases where there are exceptions to this default rule. You can create exceptions using access lists. In the lesson, Rene mentions that:
To ensure traffic from the OUTSIDE is able to reach the servers in the DMZ, we will use an access-list that only permits traffic to the IP address (and port numbers) that the servers in the DMZ use. This setup is very secure, if one of your servers in the DMZ gets hacked, your INSIDE network will still be secure.
For more information on how you can create “exceptions” to the default rule, take a look at these lessons:
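To make the two replies above concrete (the DMZ reasoning earlier on the page and the security-level default plus access-list exception just described), here is an added example configuration for a three-interface ASA. It is written for this page and is not the lesson's own configuration; the interface names, the RFC 5737/RFC 1918 addresses, and the single DMZ web server are assumptions.

```text
! Added example, not from the lesson. Addresses, interface names and the
! DMZ web server (192.168.50.10, public 203.0.113.3) are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Default behaviour with only the above: inside(100) -> dmz(50) and
! inside -> outside(0) are permitted, dmz -> inside and outside -> dmz are
! denied, dmz -> outside is permitted.
!
! The one server that must be reachable from the Internet.
object network DMZ-WEB
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.3
!
! Inside hosts reach the Internet through PAT on the outside address.
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Exception to "low -> high is denied": outside may reach the DMZ server,
! but only on the two ports it serves. On ASA 8.3 and later the ACL matches
! the real (untranslated) address, hence the object, not 203.0.113.3.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 80
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! dmz -> inside is already denied by default, so a compromised web server
! cannot open connections into the inside network. dmz -> outside would be
! permitted by default; restrict what the server may originate so it cannot
! be used freely for callbacks or scanning from the DMZ.
access-list DMZ-OUT extended permit udp object DMZ-WEB any eq 53
access-list DMZ-OUT extended deny ip any any log
access-group DMZ-OUT in interface dmz
```

Return traffic for connections the ASA has already allowed (for example the server's replies to an inside browser, or the Internet's replies to the server's DNS query) is matched by the stateful connection table and does not need its own ACL line. After applying this, `show access-list OUTSIDE-IN` shows hit counts per line, which is the quickest way to confirm that the exception is actually being used and that everything else is falling through to the logged deny.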
First of all, for reference for our other readers, you are talking about the command included as part of the following lesson:
I went into the CML 2.5 lab, and I tried this command out and it seems to work fine. I’m using the following ASAv version:
Cisco Adaptive Security Appliance Software Version 9.18(2)
SSP Operating System Version 2.12(0.438)
Device Manager Version 7.18(1)152
In any case, even if it doesn’t work out for you, this is just one command, and it’s a command that you can actually skip safely, or simply make the changes you need to the device manually. The vast majority of other commands for the ASA will be available to you, so using your ASAv should be more than enough for all of the lessons from here on. If there are any commands that are not available, just let us know so that we can make a note and see if we can inform users in the future.
I have a server in my dmz and a laptop in my inside network. I can ping the server, but I cannot access it via vmware vsphere client as I would do if directly connected. Not sure how to check the rules. Can anyone point me in the right direction? Thanks. I have ASA version 9.1.2, ASDM version 7.1.3.
I’m not completely clear on where your VMware vSphere client is within the topology you describe, so I don’t have an informed suggestion as to why you see this behavior. However, an excellent tool that will help you determine why packets are being dropped, and where, is the Packet Tracer feature of the ASA. This is not to be confused with Cisco’s Packet Tracer network emulator, which is a whole different thing.
You can find out more about the packet tracer feature on a Cisco ASA at the following lesson, in the Packet Tracer section:
Using it you will be able to see your packet enter the ASA and also you will see what actions the ASA applies to the packet, and which action in particular actually drops the packet. Using this you should be able to determine why you’re not seeing connectivity. Let us know how you get along.
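As an added example for the inside-to-DMZ problem described above (these commands are written for this page, not taken from the original thread), here is how the packet-tracer check would be run for that case. The laptop and server addresses are assumptions, and the ports are the ones the vSphere client typically uses (TCP 443, and TCP/UDP 902 for the VMRC console).

```text
! Added example, not from the original thread. Assumed addresses:
! laptop 10.10.10.50 on "inside", ESXi/vSphere host 192.168.50.20 on "dmz".

! 1. Simulate the connections the vSphere client opens. "detailed" prints
!    every phase (route lookup, access-list, NAT, inspection, flow creation)
!    and, on a drop, the phase and Drop-reason that rejected the packet.
ciscoasa# packet-tracer input inside tcp 10.10.10.50 40000 192.168.50.20 443 detailed
ciscoasa# packet-tracer input inside tcp 10.10.10.50 40001 192.168.50.20 902 detailed

! 2. Run the same check for the traffic that does work. If ICMP is allowed
!    through and TCP is not, the problem is a rule, not routing.
ciscoasa# packet-tracer input inside icmp 10.10.10.50 8 0 192.168.50.20

! 3. If the drop phase is ACCESS-LIST: inside(100) -> dmz(50) is permitted by
!    default, so an explicit ACL bound to "inside" or "dmz" must be denying
!    it. List what is bound where and look at the hit counts.
ciscoasa# show running-config access-group
ciscoasa# show access-list | include 192.168.50.20

! 4. If the drop phase is NAT: check which translation the flow matches.
ciscoasa# show nat detail

! 5. Retry the client and watch the log; syslog ID 106023 is an ACL deny
!    and names the access-group that dropped the packet.
ciscoasa# show logging | include 192.168.50.20
```

The first line of the `packet-tracer` output that reads `Result: drop` is followed by the phase name and a `Drop-reason`, so you do not need to read the whole trace; start from there and work back to the matching `access-list` or `nat` line. If packet-tracer shows `allow` for 443 and 902 but the client still fails, the ASA is not the cause and the check moves to the server side (its own firewall or the service not listening).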