Slide 1: Implementing the Cisco Adaptive Security Appliance (ASA)

Slide 2: IOS Firewall Solution
An IOS router firewall solution is appropriate for small branch deployments and for administrators who are experienced with Cisco IOS. However, an IOS firewall solution does not scale well and typically cannot meet the needs of a large enterprise.

Slide 3: Firewall Solution
The ASA 5500 firewall appliance is a multi-service standalone appliance that is a primary component of the Cisco SecureX architecture. ASA 5500 appliances incorporate:
- Proven firewall technology.
- High-performance VPNs and always-on remote access.
- Comprehensive, highly effective intrusion prevention system (IPS) with Cisco Global Correlation and guaranteed coverage.
- Failover feature for fault tolerance.

Slide 4: ASA Models
Cisco ASA devices scale to meet a range of requirements and network sizes. There are six ASA models, ranging from the basic 5505 branch office model to the 5585 data center version. All provide advanced stateful firewall features and VPN functionality.
The biggest difference between models is the:
- Maximum traffic throughput handled by the device.
- Types and number of interfaces on the device.
The choice of ASA model will depend on an organization's requirements, such as:
- Maximum throughput
- Maximum connections per second
- Available budget

Slide 5: ASA Models
[Figure: ASA models positioned by performance and scalability, from SOHO through Branch Office, Internet Edge and Campus to Data Center; the 5585 models are marked Multi-Service (Firewall/VPN and IPS).]
- ASA 5585 SSP-60 (40 Gbps, 350K cps)
- ASA 5585 SSP-40 (20 Gbps, 240K cps)
- ASA SM (16 Gbps, 300K cps)
- ASA 5585 SSP-20 (10 Gbps, 140K cps)
- ASA 5585 SSP-10 (4 Gbps, 65K cps)
- ASA (1.2 Gbps, 36K cps)
- ASA (650 Mbps, 25K cps)
- ASA (450 Mbps, 12K cps)
- ASA (300 Mbps, 9K cps)
- ASA (150 Mbps, 4000 cps)
* Mbps and Gbps = maximum throughput
* cps = maximum connections per second

Slide 6: ASA Features
Feature / Description
- Stateful firewall: An ASA provides stateful firewall services, tracking the TCP or UDP network connections traversing it. Only packets matching a known active connection will be allowed by the firewall; others will be rejected.
- VPN concentrator: The ASA supports IPsec and SSL remote access and IPsec site-to-site VPN features.
- Intrusion prevention: All ASA models support basic IPS features. Advanced threat control is provided by adding the Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) and Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC).

Slide 7: Advanced ASA Features
Feature / Description
- Virtualization: A single ASA can be partitioned into multiple virtual devices called security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Most IPS features are supported except VPN and dynamic routing protocols.
- High availability: Two ASAs can be paired into an active/standby failover configuration to provide device redundancy. One ASA is the primary (active) device while the other is the secondary (standby) device. Both ASAs must have identical software, licensing, memory, and interfaces.
- Identity firewall: The ASA can provide access control using Windows Active Directory login information. Identity-based firewall services allow users or groups to be specified instead of being restricted by traditional IP address-based rules.
- Threat control: Along with integrated IPS features, additional anti-malware threat control capabilities are provided by adding the Content Security and Control (CSC) module.

Slide 8: Advanced ASA Feature (figure)
[Figure: a single ASA device connected to the Internet and partitioned into Security Context A, Security Context B and Security Context C, serving Customer A, Customer B and Customer C respectively.]
One single ASA device is divided into three virtual ASA devices (security contexts) serving the needs of three separate customers.

Slide 9: Advanced ASA Feature: High Availability
ASA-1 and ASA-2 are identical ASA devices configured for failover, and each device monitors the other over the LAN failover link. Traffic leaving PC-A takes the preferred path through ASA-1. If ASA-2 detects that ASA-1 has failed, ASA-2 becomes the primary/active firewall gateway and traffic from PC-A takes the preferred path through ASA-2.
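The stateful firewall behaviour described in the ASA Features slide (inside hosts open connections, outside packets pass only when they match a known active connection) can be modelled in a few lines. The following Python is an added example written for this page, not Cisco code; the addresses, the idle-timeout value and the class and function names are constructed assumptions, and the model ignores ACL- or NAT-permitted inbound traffic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A", "R"


class StatefulFirewall:
    """Toy model of ASA stateful inspection: a connection entry is created only
    by a SYN arriving on the higher-security 'inside' interface; any later
    packet in either direction must match an entry. Entries are removed on a
    reset and after an idle timeout (3600 s is an assumed default)."""

    def __init__(self, idle_timeout=3600):
        self.idle_timeout = idle_timeout
        self.conns = {}  # (src, sport, dst, dport) -> time last seen

    def _expire(self, now):
        for key, seen in list(self.conns.items()):
            if now - seen > self.idle_timeout:
                del self.conns[key]

    def check(self, pkt, now=0):
        self._expire(now)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        key = fwd if fwd in self.conns else rev if rev in self.conns else None
        if key is not None:
            if "R" in pkt.flags:        # RST tears the connection down
                del self.conns[key]
            else:
                self.conns[key] = now   # refresh the idle timer
            return "permit"
        if pkt.iface == "inside" and pkt.flags == "S":
            self.conns[fwd] = now       # new inside-originated connection
            return "permit"
        return "deny"  # unsolicited packet, e.g. an outside SYN to an inside host


def demo():
    """Constructed packet sequence; returns the verdict for each packet."""
    fw = StatefulFirewall()
    pc, srv = "192.0.2.10", "198.51.100.5"  # constructed RFC 5737 addresses
    return [
        fw.check(Packet("inside", pc, 40000, srv, 443, "S"), now=0),      # permit
        fw.check(Packet("outside", srv, 443, pc, 40000, "SA"), now=1),    # permit
        fw.check(Packet("outside", srv, 443, pc, 40001, "S"), now=2),     # deny
        fw.check(Packet("outside", srv, 443, pc, 40000, "A"), now=100),   # permit
        fw.check(Packet("outside", srv, 443, pc, 40000, "R"), now=101),   # permit
        fw.check(Packet("outside", srv, 443, pc, 40000, "A"), now=102),   # deny
        fw.check(Packet("inside", pc, 40002, srv, 443, "S"), now=200),    # permit
        fw.check(Packet("outside", srv, 443, pc, 40002, "A"), now=3801),  # deny
    ]
```

The last verdict shows the idle timeout: the entry created at t=200 is gone by t=3801, so the late outside packet no longer matches anything.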