Re: ASA failover [bcc][faked-from]

From: Brad Ellis (brad@ccbootcamp.com)
Date: Tue Mar 28 2006 - 16:24:06 GMT-3


I agree John. I'd be looking at the ADSL connection as the biggest possible
failure point... I think the ASA is going to be the last thing to worry
about in this situation!

Stefan, like John said, make sure you put the unsecure/untrusted interfaces
in a separate VLAN and the IP address you use to access your switch on an
internal and trusted VLAN. :) In addition, I would config the ports that
you are connecting the untrusted interfaces to ONLY allow access to that
specific untrusted VLAN (i.e., the switchport access command on the interfaces).

thanks,
Brad Ellis
CCIE#5796 (R&S / Security)
CCSI#30482
Network Learning Inc - A Cisco Learning Partner (CLP)
YES! We take Cisco Learning credits!
brad@ccbootcamp.com
www.ccbootcamp.com (Cisco Training and Advanced Technology Rental Racks)
Voice: 702-968-5100
FAX: 702-446-8012

----- Original Message -----
From: "Sheahan, John" <John.Sheahan@priceline.com>
To: "Stefan Grey" <examplebrain@hotmail.com>; <ccielab@groupstudy.com>
Sent: Tuesday, March 28, 2006 11:06 AM
Subject: RE: ASA failover [bcc][faked-from]

> In my opinion and from what I have been told by our Cisco reps, it is
> not insecure to configure it this way. In fact, it would not be
> considered insecure to run one VLAN on a switch as the external VLAN and
> one VLAN on the same switch as the INTERNAL VLAN.
>
> My only other observation is that you are only using one switch on the
> external side and only have one connection to your ISP....not really
> sure why you would want to burn two ASA's (one in active and one in
> standby mode) when the rest of your design is full of single points of
> failure?
>
> john
>
> -----Original Message-----
> From: Stefan Grey [mailto:examplebrain@hotmail.com]
> Sent: Tuesday, March 28, 2006 2:00 PM
> To: Sheahan, John; ccielab@groupstudy.com
> Subject: RE: ASA failover
>
> Ok, another question. Is it very insecure to have a switch on the
> client's perimeter??
> What would you say if I put the switch on the perimeter. From the
> provider I have Ethernet (ADSL modem) connected to the switch. Two ASAs are
> connected to this switch and between them Active/Standby failover is configured.
>
> Is it insecure?? What do you think.... I have heard critique about such a
> design and never heard that the switch could be on the client's perimeter
> but.... I don't know or understand why it could be bad indeed :( what do you
> think??
>
>>From: "Sheahan, John" <John.Sheahan@priceline.com>
>>Reply-To: "Sheahan, John" <John.Sheahan@priceline.com>
>>To: "Stefan Grey" <examplebrain@hotmail.com>, <ccielab@groupstudy.com>
>>Subject: RE: ASA failover
>>Date: Tue, 28 Mar 2006 12:21:17 -0500
>>
>>Yes. Here is the quote from the Cisco's site:
>>
>>http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/failover.htm#wp1051178
>>
>>
>>Interface Monitoring
>>You can monitor up to 250 interfaces divided between all contexts. You
>>should monitor important interfaces, for example, you might configure
>>one context to monitor a shared interface (because the interface is
>>shared, all contexts benefit from the monitoring).
>>
>>When a unit does not receive hello messages on a monitored interface, it
>>runs the following tests:
>>
>>1. Link Up/Down test-A test of the interface status. If the Link Up/Down
>>test indicates that the interface is operational, then the security
>>appliance performs network tests. The purpose of these tests is to
>>generate network traffic to determine which (if either) unit has failed.
>>At the start of each test, each unit clears its received packet count
>>for its interfaces. At the conclusion of each test, each unit looks to
>>see if it has received any traffic. If it has, the interface is
>>considered operational. If one unit receives traffic for a test and the
>>other unit does not, the unit that received no traffic is considered
>>failed. If neither unit has received traffic, then the next test is
>>used.
>>
>>2. Network Activity test-A received network activity test. The unit
>>counts all received packets for up to 5 seconds. If any packets are
>>received at any time during this interval, the interface is considered
>>operational and testing stops. If no traffic is received, the ARP test
>>begins.
>>
>>3. ARP test-A reading of the unit ARP cache for the 2 most recently
>>acquired entries. One at a time, the unit sends ARP requests to these
>>machines, attempting to stimulate network traffic. After each request,
>>the unit counts all received traffic for up to 5 seconds. If traffic is
>>received, the interface is considered operational. If no traffic is
>>received, an ARP request is sent to the next machine. If at the end of
>>the list no traffic has been received, the ping test begins.
>>
>>4. Broadcast Ping test-A ping test that consists of sending out a
>>broadcast ping request. The unit then counts all received packets for up
>>to 5 seconds. If any packets are received at any time during this
>>interval, the interface is considered operational and testing stops.
>>
>>If all network tests fail for an interface, but this interface on the
>>other unit continues to successfully pass traffic, then the interface is
>>considered to be failed. If the threshold for failed interfaces is met,
>>then a failover occurs. If the other unit interface also fails all the
>>network tests, then both interfaces go into the "Unknown" state and do
>>not count towards the failover limit.
>>
>>An interface becomes operational again if it receives any traffic. A
>>failed security appliance returns to standby mode if the interface
>>failure threshold is no longer met.
>>
>>
>>
>>--------------------------------------------------------------------------------
>>
>>Note If a failed unit does not recover and you believe it should not be
>>failed, you can reset the state by entering the failover reset command.
>>If the failover condition persists, however, the unit will fail again.
>>
>>
>>--------------------------------------------------------------------------------
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>Stefan Grey
>>Sent: Tuesday, March 28, 2006 12:00 PM
>>To: ccielab@groupstudy.com
>>Subject: ASA failover
>>
>>Hi,
>>Does ASA support failover of multiple interfaces??
>>Say ASA1 and ASA2 are connected by multiple interfaces to the 3 routers.
>>
>>ASA1 is active and is connected to the 3 routers. If it fails then ASA2
>>will be active and its 3 connections to these 3 routers will become active???
>>
>>I just couldn't find it anywhere :(
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html

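The interface monitoring sequence quoted from the Cisco document above, modelled as a small simulation so the "failed" versus "Unknown" outcomes can be checked. This is an added example, not Cisco's code or anything written by the thread's participants; the UnitProbe inputs are constructed, and treating a link-down result as a failed interface is an assumption the quoted text does not spell out.

```python
from dataclasses import dataclass, field

# Order of the tests in the quoted Cisco text; "link" is the status check,
# the other three are the network tests that look for received traffic.
TESTS = ("link", "activity", "arp", "ping")

@dataclass
class UnitProbe:
    """Constructed observations for one unit's monitored interface:
    link state, plus whether any packet was received during each
    network test's window (up to 5 seconds per test in the doc)."""
    link_up: bool
    rx_seen: dict = field(default_factory=dict)  # test name -> bool

def run_tests(probe):
    """Return the name of the first test this unit passes, or None if it
    fails them all (the doc's 'all network tests fail' case).
    Assumption: a link-down result is treated as a failed interface."""
    if not probe.link_up:
        return None
    for test in TESTS[1:]:
        if probe.rx_seen.get(test, False):
            return test  # traffic received: operational, testing stops
    return None

def judge_interface(active, standby):
    """Apply the quoted rule to one interface pair: the unit that fails
    every test while its peer still passes traffic is 'failed'; if both
    fail, both are 'unknown' and do not count toward the threshold."""
    a_ok = run_tests(active) is not None
    s_ok = run_tests(standby) is not None
    if a_ok == s_ok:
        return ("ok", "ok") if a_ok else ("unknown", "unknown")
    return ("ok" if a_ok else "failed", "ok" if s_ok else "failed")

def failover_needed(results, threshold):
    """True when the active unit's count of 'failed' interfaces reaches
    the configured failed-interface threshold."""
    failed = sum(1 for active_state, _ in results if active_state == "failed")
    return failed >= threshold

if __name__ == "__main__":
    # Constructed scenario: the active unit hears nothing on the outside
    # interface, while the standby still sees broadcast ping replies.
    pair = judge_interface(UnitProbe(True, {}), UnitProbe(True, {"ping": True}))
    print(pair, failover_needed([pair], 1))
```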


This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:40 GMT-3