© 2011 Cisco and/or its affiliates. All rights reserved. 1 Cisco Support Community Expert Series Webcast: Introduction to Cisco Adaptive Security Appliance

© 2011 Cisco and/or its affiliates. All rights reserved. 1

Cisco Support Community Expert Series Webcast:

Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

Namit Agarwal, Engineer Technical Services

Rahul Govindan, Engineer Technical Services

October 22nd 2013

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Cisco Support Community – Expert Series Webcast

• Today’s featured experts are Cisco Engineers Namit and Rahul

• Ask them questions now about the ASA 9.x features

Rahul Govindan

2

Namit Agarwal


Thank You for Joining Us Today Today’s presentation will include audience polling

questions

We encourage you to participate!


Thank You for Joining Us Today

If you would like a copy of the presentation slides, click the PDF link in the chat box on the right or go to the following url:

https://supportforums.cisco.com/docs/DOC-37105

https://supportforums.cisco.com/docs/DOC-37105


Polling Question 1

a) I have never heard ASA 9.x version before

b) I have heard of the ASA 9.x version but not used it so far.

c) I have used the ASA 9.x version but not the new features

d) I am using the new features from ASA 9.x.

What is your level of experience with ASA 9.x software?

6© 2011 Cisco and/or its affiliates. All rights reserved.

Submit Your Questions Now!Use the Q&A panel to submit your questions. Experts will start responding those


Namit Agarwal and Rahul Govindan

Technical Services Engineers

Cisco Support Community Expert Series Webcast:

Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)


Agenda• Introduction into ASA 9.x

• Overview of new Firewall features

• Overview of ASA CX

• Overview of new VPN features

• Upgrading to ASA 9.x

• Q&A


Introduction to ASA 9.x

• Different software releases per hardware prior to 9.x

• Need for a unified software release compatible for all platforms

• First release in October 2012

Hardware Software versions

ASA 5505,10,20,50,80,85 8.0-8.4

ASA SM 8.5

ASA 5500-X 8.6


Overview of Firewall features

• Cisco Cloud Web Security (ScanSafe)

Cisco Cloud Web Security provides content scanning and other malware protection service for web traffic. It can also redirect and report about web traffic based on user identity.

• ASA Clustering for the ASA 5580 and 5585-X

ASA Clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. ASA clustering is supported for the ASA 5580 and the ASA 5585-X; all units in a cluster must be the same model with the same hardware specifications.


Overview of Firewall features (contd.)

• Dynamic routing in Security Contexts

EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3,RIP, and multicast routing are not supported.

• Mixed firewall mode support in multiple context mode

You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode.


Overview of Firewall features (contd.)• Ability to view top 10 memory users – show memory top-usage

You can now view the top bin sizes allocated and the top 10 PCs for each allocated bin size. Previously, you had to enter multiple commands to see this information (the show memory detail command and the show memory binsize command); the new command provides for quicker analysis of memory issues.

• Support for administrator password policy when using the local database

• Support for a maximum number of management sessions

• Support for image verification - Support for SHA-512 image integrity checking was added.

• CPU profile enhancements

• Decreased the half-closed timeout minimum value to 30 seconds


Introduction to ASA CX

• Context Aware Firewall -> CX

• The ASA CX filtering capacity is beyond the 5 tuple packet information

- Identify Users based on Usernames and Groups

- Can block Application/specific URL/URL of a specific category

- Can make decisions based on client information/ posture


ASA CX Features• User ID Active/Passive Authentication

• AVC – Broad and Web

• SSL/TLS decryption

• HTTP inspection

• URL Filtering

• Web Reputation

• Reporting/Eventing

• Layer 3/7 access control


Configure Traffic Forwarding• Use the ASA Modular Policy Framework (MPF) to direct traffic to

the CX :

policy-map global_policy

class class-default cxsc fail-open auth-proxy

service-policy global_policy global

ASA CLI

PRSM


CX Management Structure

• On-Box

- Configuration

- Eventing/Reporting

• Off-Box

- Configuration

- Eventing/Reporting

- Multi-Device Manager for ASA CX

- Role Based Access Control

- VM or UCS appliance


ASA CX Architecture


Packet Flow


Packet flow between ASA and CX


Internal Software modules in the CX


Packet Life


CX – Functional Overview• Identity

• Decryption

• Access


CX – Types of Authentication• Active authentication – Intercept user traffic (http(s)) and authenticate

proxy - Similar to auth-proxy functionality on ASA.

• Passive authentication – Obtain user authentication from other sources (AD Agent, CDA, ASA VPN information).


CX – TLS proxy limitations

Requirements :

• CX needs CA Certificate and private key.

• Needs to be something the end users trust.

• Can be self-signed certificate.

• Can be a CA certificate that users already trust.

Things not supported:

• SSH decryption.

• Client side authentication with TLS.


CLI commands available in CX• delete – delete files (cores and package captures)

• setup – configure the IP addresses, hostname, domain, DNS, NTP

• system (reload | shutdown) – reboot or stop the blade

• system (upgrade | revert) – upgrade or downgrade the OS

• services (start | stop) – turn on and off the services including packet inspectors

• ping, nslookup, traceroute – management interface connectivity troubleshooting

• show interface – statistics for management interface

• show opdata – show operational data from the data plane

• show tech-support – outputs for Cisco support troubleshooting

• support tail log – watch the logs on the CLI

• support diagnostics – package and upload a collection of logs and debug info (including packet captures)

• config (backup | restore) – backup or restore the configuration. Backup requires FTP. Restore requires FTP or HTTP


New CX features• Support for the ASA CX module in multiple context mode ( requires

CX 9.2(1) and above )

• ASA 5585-X with SSP-40 and -60 support for the ASA CX SSP-40 and -60 ( requires CX 9.2(1) and above )

• Filtering packets captured on the ASA CX backplane

• Support for ASA CX monitor-only mode for demonstration purposes

• Support for the ASA CX module and NAT 64

• Support for the ASA CX SSP for the ASA 5512-X through ASA 5555-X

• ASA 5585-X support for the ASA CX SSP-10 and -20

•


Polling Question 2

a) Granular URL control

b) Granular app access control

c) Zero day attack protection

d) Detailed event reporting

Which among these is the best feature you like on the ASA CX?


Highlights of new VPN features in 9.x

• VPN support in Multi-context mode

• ASA IPv6 support for Anyconnect and Clientless SSLVPN

• Next Gen Encryption (NGE) support

• Citrix Mobile Receiver feature


Introducing VPN in Multi-Context Mode

• Site-to-Site VPN : • IKEv1 IPSec • IKEv2 IPSec• Both V4 and V6• Next Generation Encryption / Suite B• Failover

• Active / Standby mode• Active / Active mode

• NO support for Remote Access VPN.

• ASA 5505 doesn’t support Multi-Context mode

• Supports all the available single context mode Site-to-Site VPN feature set

• Configuration similar to single context mode.

• VPN configuration commands executed in user/admin contexts


License Provisioning

• Configured from system context using resource classes

• Licenses for each context MUST be explicitly assigned using resource classes in resource manager

• Two new resource types added to resource manager for this

Other VPN license – Guaranteed licenses assigned to each context

Other VPN license Burst limit – Based on availability in the system

• Burst:

Allows over subscription of licenses than allocated to this context if available on the system.

Best Effort. No Guarantees.


License Provisioning


ASA IPv6 VPN Overview• ASA previously limited IPv6 support with AnyConnect Client

• Feature adds extended IPv6 support with AnyConnect client including

- Tunnel establishment using IPv6 between peers for both SSL and IKEv2 protocols

- IPv6 support for various attributes configured on the ASA and sent down to the client

Unsupported functionality – IPv6 tunneled traffic in tunnels established using IKEv2


Supported IPv4/IPv6 combinations

Client IP Assigned IP ASA Headend SSL/DTLS IKEV2 (IPSec)

IPV4 IPV4 IPV4 YES YES

IPV4 IPV6 IPV4 YES NO

IPV6 & IPV4 IPV4 IPV6 & IPV4 YES YES

IPV6 & IPV4 IPV6 IPV6 & IPV4 YES NO

IPV6 & IPV4 IPV6 & IPV4 IPV6 & IPV4 YES NO

IPV6 IPV4 IPV6 YES YES

IPV6 IPV6 IPV6 YES NO

** ASA Must have IPV4 Interface Address to support LB Inter-Device Communication **** Client must have dual stack for combinations where assigned IP type is different from outer IP **


ASA 9.x NGE Overview• What is ASA 9.x NGE?

• Two main parts• NSA Suite B

• Set of algorithms defined in RFC 4869

• AES-GCM/GMAC Encryption/Authentication

• Elliptic Curve Diffie-Hellman (ECDH) Key Exchange – Groups 19, 20, and 21

• Elliptic Curve Digital Signature Algorithm (ECDSA) Signature/Verification – Curves P256, P384, and P521

• ESP with SHA-256, SHA-384, and SHA-512 packet authentication

• IPsecV3

• ESPv3 (RFC 4303)

• 4096-bit RSA key support

• Diffie-Hellman Group 24

• ASA 9.x NGE only applies to IKEv2/IPsec VPN connections


Overview (Cont’d)• Platform Support

Feature Single-Core Platforms Multi-Core Platforms

AES-GCM/GMAC Not Supported Hardware*

ESP/SHA-2 Not Supported Hardware & Software

ECDH Software Software**

ECDSA Software Software**

ESPv3 Supported Supported

4096-bit RSA Not Supported Hardware

DH 24 Software Hardware & Software

* Software support will be introduced in a future release** Hardware support will be introduced in a future release


IPSecV3• ESPv3 features

ICMP error validation – This feature allows the administrator to enable validation of specific ICMP error messages before they are forwarded. The error validation will ensure that the ICMP errors are in response to a previously transmitted packet and not part of an attack.

Fragmentation policy per tunnel – This feature allows the DF bit policy (copy, clear, or set) to be set for individual tunnels. This setting was only available at the interface level previously.

Dummy packet generation for Traffic Flow Confidentiality (TFC) – This feature allows the administrator to inject dummy packets into the IPsec packet stream. These packets can be used to prevent traffic analysis of the IPsec data.

PMTU Aging – This feature allows the administrator to control the effective time of PMTU updates. In the current releases, a PMTU update will last for the remaining life of the IPsec tunnel. This option provides a timeout for the PMTU updates.


Citrix Mobile Receiver Overview• Previously, to remotely access XenApp /XenDesktop resources from mobile

devices, Citrix Access Gateway (CAG) is required.


Citrix Mobile Receiver Overview• With this feature, ASA can replace CAG while the rest of infrastructure kept

intact


Citrix Mobile Receiver Overview

Device OS version Citrix Receiverversion

iPad 4.x and higher 4.x or later

iPhone/iTouch

4.x and higher 4.x or later

Android Phone 2.x 2.x or later

Android Tablet 3.x 2.x or later


End user experience (iPad)

Instead of Citrix Access Gateway,

enter ASA address.


End User Experience (iPad)


Upgrading to to 9.x

• You cannot upgrade directly to 9.0 or later for pre-8.3 releases. You must first upgrade to Version 8.3 or 8.4 for a successful migration.

• Backup entire configuration before any upgrade as downgrade will not revert back all changes. ASDM Backup/Restore tool is preferred.

• Use Zero downtime upgrade for failover pair. Please follow the upgrade instructions carefully as provided in Cisco Documentation.


Further Reading & References• ASA 9.x release notes

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html

• ASA Failover upgrade procedure http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html#wp724721

• ASA CX White Paper http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-700240.html




http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html%23wp724721



http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/white_paper_c11-700240.html




Polling Question 3

a) More in-depth ASA Security features

b) IPv6 security

c) IKEv2 and Next Gen security protocols

d) Troubleshooting Next Gen Firewalls

What would you like to see in the further sessions?


Submit Your Questions Now!

Use the Q&A panel to submit your questions. Experts will start responding those

46© 2011 Cisco and/or its affiliates. All rights reserved.

Ask The Experts Event (with Namit Agarwal and Rahul Govindan)

If you have additional questions, you can ask Haseeb and Chris. They will be answering from October 22 – November 1, 2013https://supportforums.cisco.com/thread/2246756 You can watch the video or read the Q&A 5 business days after the event athttps://supportforums.cisco.com/community/netpro/ask-the-expert/webcasts

https://supportforums.cisco.com/thread/2246756

https://supportforums.cisco.com/thread/2246756

https://supportforums.cisco.com/community/netpro/ask-the-expert/webcasts

https://supportforums.cisco.com/community/netpro/ask-the-expert/webcasts

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 47© 2013 Cisco and/or its affiliates. All rights reserved.

Trivia Question (select the correct answer)

A. In 1997, Cisco first released Adaptive Security Appliance

B. In 1997, Cisco Systems, Inc. announced the industry’s first enterprise-wide security initiative which was just the start of things to come in the enterprise security space for Cisco including Cisco Adaptive Security Appliance, VPN, Firewalls and the current ASA 9x.

C. In 1997, Cisco earned a patent for the Adaptive Security Appliance

What does the year 1997, Security and Cisco all have in common?


We Appreciate Your Feedback!

Those who fill out the Evaluation Survey will be entered into a raffle to win:

$50 Amazon Gift Card

To complete the evaluation, please click on link provided in the chat or in the pop-up once the event is closed.


October Expert Series Webcast - Japanese

Tuesday, November 5, 201310:00 a.m. JST Tokyo (Monday, November 4, 5 p.m. PDT San Francisco)

Join Cisco Expert:

Ryota Takao

During this live event, the expert Ryota Takao will focus on the behavior of Cisco IO Router memory and buffers, introducing the troubleshooting methods of log checkpoints, cautions, and case studies.

Register for this live Webcast at:

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=J&SEMINAR_CODE=S19095&PRIORITY_CODE=

Topic: Cisco IOS Routers Memory/Buffer Troubleshooting

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=J&SEMINAR_CODE=S19095&PRIORITY_CODE

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=J&SEMINAR_CODE=S19095&PRIORITY_CODE


October Expert Series Webcast - Portuguese

Wednesday, November 6, 201311:00 a.m. Brasilia City

1:00 p.m. WEST Lisbon

5:00 a.m. San Francisco

8:00 a.m. New York City

Join Expert:

Top Contributor Bruno Rangel of Capgemini Brazil

During this live event, expert Bruno Rangel of Capgemini Brazil will cover important topics such as call control for Cisco TelePresence, media resources, network requirements for Cisco TelePresence, and Cisco TelePresence Management Suite (TMS).


http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=P&SEMINAR_CODE=S19206&PRIORITY_CODE=

Topic: Cisco TelePresence: Fundamentals, Configuration, and Support




October Expert Series Webcast – English

Tuesday, November 12, 2013 9:00 a.m. PDT San Francisco

12:00 p.m. EDT New York

5:00 p.m. BST London

6:00 p.m. CEST Paris

Join Expert:

Vinayak Sudame

During this live event, expert Vinayak Sudame will cover important caveats and best practices for the Cisco Nexus switches, including configuring and troubleshooting Cisco Nexus 5000 and 6000 Series switches as well as Fibre Channel over Ethernet (FCoE). Additionally, Vinayak will provide best practices for working with the Technical Assistance Center (TAC).


http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=E&SEMINAR_CODE=S19254&PRIORITY_CODE#

Topic: Cisco Nexus 5000 and 6000 Fibre Channel over Ethernet Important Caveats and Best Practices

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=E&SEMINAR_CODE=S19254&PRIORITY_CODE




October Expert Series Webcast – Russian

Tuesday, November 19, 2013

12:00 p.m. Moscow Time

10:00 a.m. Brussels Time

Join Expert:

Irina Ilyina-Sidorova

During this live event, expert Irina llyina-Sidorova will cover a typical ISE installation process – in the case of a multi-node deployment. Irina will also cover HW and network infrastructure requirements.


http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=R&SEMINAR_CODE=S19170&PRIORITY_CODE=

Topic: Identity Service Engine – typical setup in a multi-node deployment

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=R&SEMINAR_CODE=S19170&PRIORITY_CODE

http://tools.cisco.com/gems/cust/customerSite.do?METHOD=E&LANGUAGE_ID=R&SEMINAR_CODE=S19170&PRIORITY_CODE


Ask the Expert Events – Current English

Topic: Packet Capture Capabilities of Cisco Routers and Switches

Join Cisco Experts: Hitesh Kumar and Rahul Rammanohar

Learn and ask questions about packet capture capabilities of Cisco routers and switches.

Ends November 1

Join the discussion for these Ask The Expert Events at:https://supportforums.cisco.com/community/netpro/expert-corner#view=ask-the-experts

Topic: Layer 2 Security on Cisco Catalyst Platforms

Join Cisco Expert: Wilson Bonilla

Learn and ask questions about issues in designing, planning and implementing Layer 2 security in your LAN network.

Ends November 1

https://supportforums.cisco.com/community/netpro/expert-corner


Ask the Expert Events – Upcoming English

Topic: Integrating Cisco Identity Services Engine 1.2 for BYOD

Join Cisco Experts: Eric Yu and Todd Pula

Learn and ask questions about integrating Cisco ISE 1.2 for BYOD.

Starts November 4

Join the discussion for these Ask The Expert Events at:https://supportforums.cisco.com/community/netpro/expert-corner#view=ask-the-experts

Topic: IPv6 Routing Protocols

Join Cisco Designated VIP Peter Palúch

Learn and ask questions about how to manage controllers with Cisco Prime™

Starts November 4

https://supportforums.cisco.com/community/netpro/expert-corner

Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 55

We invite you to actively collaborate in the Cisco Support Community and social media

https://supportforms.cisco.comhttp://www.facebook.com/CiscoSupportCommunity

http://twitter.com/#!/cisco_support

http://www.youtube.com/user/ciscosupportchannel

http://tinyurl.com/cscgoogleplus

http://tinyurl.com/csclinked

Newsletter Subscription: http://tinyurl.com/csc-newsletters

http://tinyurl.com/cscitunesapp

http://tinyurl.com/cscandroidapp

https://supportforms.cisco.com/

Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 56

We have communities in other languages

If you speak Spanish, Portuguese, Japanese, Polish or Russian, we invite you to ask your questions and collaborate in your

language:

• Spanish https://supportforums.cisco.com/community/spanish

• Portuguese https://supportforums.cisco.com/community/portuguese

• Japanese https://supportforums.cisco.com/community/csc-japan

• Polish https://supportforums.cisco.com/community/etc/netpro-polska

• Russian https://supportforums.cisco.com/community/russian

https://supportforums.cisco.com/community/spanish

https://supportforums.cisco.com/community/portuguese

https://supportforums.cisco.com/community/csc-japan

https://supportforums.cisco.com/community/etc/netpro-polska

https://supportforums.cisco.com/community/russian


Join the Cisco Support Community

https://supportforums.cisco.com


Rate Support Community’s Content

Now your ratings on documents videos and blogs count give points to the authors!!!

So, when you contribute and get ratings you now get the points in your profile.

Help us recognize the good quality content in the community and make your searches

easier. Rate content in the community.

https://supportforums.cisco.com/community/netpro/idea-center/cafe/blog/2013/06/07/ratings-extended-to-documents-blogs-and-videos


Cisco Technical Support Mobile App

Global community members can collaborate with colleagues and other support professionals with easy, on-the-go access to the community’s breadth of technical resources in their local language.

With the latest version of the mobile app, you can now access the Spanish, Portuguese, Japanese and Russians communities.

https://supportforums.cisco.com/community/netpro/online-tools/mobile-technical-support




Trivia Question (select the correct answer)

A. In 1997, Cisco first released Adaptive Security Appliance

B. In 1997, Cisco Systems, Inc. announced the industry’s first enterprise-wide security initiative which was just the start of things to come in the enterprise security space for Cisco including Cisco Adaptive Security Appliance, VPN, Firewalls and the current ASA 9x.

C. In 1997, Cisco earned a patent for the Adaptive Security Appliance

What does the year 1997, Security and Cisco all have in common?

Thank You for Your Time

Please Take a Moment to Complete the Evaluation

Thank you.

Documents

© 2011 Cisco and/or its affiliates. All rights reserved. 1 Cisco Support Community Expert Series Webcast: Introduction to Cisco Adaptive Security Appliance