Re: OT - Dynamic Routing on a Firewall?

From: CCIEin2006 (ciscocciein2006@gmail.com)
Date: Tue Sep 09 2008 - 11:29:55 ART


Absolutely! These are the types of roadblocks your customers will throw at
you when you walk in there as a consultant, so it's good to discuss in this
forum; then you have the ammo to WOW your customer with all your
rebuttals!

On Tue, Sep 9, 2008 at 10:27 AM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:

> No friend, you cannot create GRE or any logical interface on ASA.
>
> So for sure now ASA will not fulfill your requirements.
>
> Hey, we are not getting crazy, we are learning here. I love to get involved in
> REAL-time scenario discussions; this is really helping me move towards being a
> good network Engineer : )
>
>
>
>
> 2008/9/9 CCIEin2006 <ciscocciein2006@gmail.com>
>
>> Whoa, let's not get crazy here...no fancy virtual firewalls or VRFs or
>> anything.
>>
>> I simply want the branches to have a VPN tunnel backing up their P2P circuits.
>> I want to run OSPF over the VPN tunnel for dynamic failover, so this may or
>> may not require the use of a GRE tunnel depending on what you use.
>>
>> I also want to treat the tunnel as a logical interface so that if the
>> tunnel goes down my SNMP monitoring tool will get a link down alert,
>> whereas a plain IPSEC tunnel will not alert (correct me if I'm wrong here).
>>
>> I also want to be able to poll the tunnel interface for utilization stats,
>> which I don't think you can do with a plain IPSEC tunnel.
>>
>> Since the ASA cannot do GRE I don't think you have the option of creating
>> a logical interface, can you?
>>
>> On Tue, Sep 9, 2008 at 10:10 AM, Joseph Brunner <joe@affirmedsystems.com> wrote:
>>
>>> Actually IOS has better VPN routing over tunnels than either of those
>>> "firewalls that route".
>>>
>>> Can an SSG do DMVPN? How about 2547/o/dmvpn? VRF doorstep routing?
>>>
>>> LOL
>>>
>>> NICE TRY
>>>
>>> -----Original Message-----
>>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> Muhammad Nasim
>>> Sent: Tuesday, September 09, 2008 10:08 AM
>>> To: CCIEin2006
>>> Cc: smorris@internetworkexpert.com; Wes Stevens; ccielab@groupstudy.com
>>> Subject: Re: OT - Dynamic Routing on a Firewall?
>>>
>>> Yes, I still can switch you back to Cisco ASA (I think this should be the
>>> primary responsibility of a Consultant) : )
>>>
>>> What routing and VPN tunnels are you looking for, what exact protocol will
>>> you be running, and so on.
>>>
>>> You can contact me offline if you want : )
>>>
>>>
>>>
>>> 2008/9/9 CCIEin2006 <ciscocciein2006@gmail.com>
>>>
>>> > Thanks guys.
>>> >
>>> > Since these branches have less than 100 people it sounds like an all-in-one
>>> > appliance would suffice.
>>> >
>>> > Unfortunately it looks like I'll have to go with...gulp...a Juniper
>>> > SSG, which seems to have a better grip on VPN tunnels and routing than the
>>> > ASA.
>>> >
>>> > Unless you guys can recommend a Cisco product?
>>> >
>>> > Thanks,
>>> > Nick
>>> >
>>> > On Mon, Sep 8, 2008 at 10:31 AM, Scott Morris <smorris@internetworkexpert.com> wrote:
>>> >
>>> >> In CERTAIN situations (e.g. small office/small routing table) I don't
>>> >> see anything wrong with it. In larger deployments, I'm a firm believer in
>>> >> everything has its place in life. Firewalls were designed to be
>>> >> firewalls. Routers were designed to be routers.
>>> >>
>>> >> My best example of it is the DHCP and DNS server capabilities within IOS.
>>> >>
>>> >> A Cisco router CAN be damn-near everything to your network, but the
>>> >> question is SHOULD it? :) Small, not-too-many-request deployments, sure,
>>> >> you can get away with it. Don't get used to it though, because you'll start
>>> >> having processing problems in heavier deployments. It's the same kind of
>>> >> logic though where people deploy a single server to be their Win2k AD
>>> >> controller/PDC plus the SQL server plus the Exchange server, and wonder why
>>> >> things suck.
>>> >>
>>> >> Just my two cents. Even after caffeine. :)
>>> >>
>>> >> Scott
>>> >>
>>> >> ------------------------------
>>> >> *From:* CCIEin2006 [mailto:ciscocciein2006@gmail.com]
>>> >> *Sent:* Monday, September 08, 2008 9:23 AM
>>> >> *To:* Scott Morris
>>> >> *Cc:* Muhammad Nasim; Wes Stevens; ccielab@groupstudy.com
>>> >>
>>> >> *Subject:* Re: OT - Dynamic Routing on a Firewall?
>>> >>
>>> >> Hi Scott,
>>> >>
>>> >> So what are your thoughts regarding doing the routing on your firewall?
>>> >> Is it a bad idea?
>>> >>
>>> >> Thanks
>>> >>
>>> >> On Mon, Sep 8, 2008 at 8:30 AM, Scott Morris <smorris@internetworkexpert.com> wrote:
>>> >>
>>> >>> Ohhh... Now the lightbulb is going on. After having read a series of
>>> >>> e-mails about PEMU and Dynamips, I thought the original post was about
>>> >>> running Netscreen/Juniper firewalls in a virtual environment (e.g. not
>>> >>> real equipment).
>>> >>>
>>> >>> Duh... I'm off to seek more caffeine now. :)
>>> >>>
>>> >>>
>>> >>> Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
>>> >>> CCSI/JNCI-M/JNCI-ER
>>> >>> Senior CCIE Instructor
>>> >>>
>>> >>> smorris@internetworkexpert.com
>>> >>>
>>> >>>
>>> >>>
>>> >>> Internetwork Expert, Inc.
>>> >>> http://www.internetworkexpert.com/
>>> >>> Toll Free: 877-224-8987
>>> >>> Outside US: 775-826-4344
>>> >>> Online Community: Seek it out, well worth the find!
>>> >>> CCIE Blog: Read the blogs... Learn the good stuff....
>>> >>>
>>> >>> Knowledge is power.
>>> >>> Power corrupts.
>>> >>> Study hard and be Eeeeviiiil......
>>> >>>
>>> >>> _____
>>> >>>
>>> >>> From: Muhammad Nasim [mailto:muhammad.nasim@gmail.com]
>>> >>> Sent: Monday, September 08, 2008 7:30 AM
>>> >>> To: Wes Stevens
>>> >>> Cc: Scott Morris; ccielab@groupstudy.com
>>> >>> Subject: Re: OT - Dynamic Routing on a Firewall?
>>> >>>
>>> >>>
>>> >>> Shahid,
>>> >>>
>>> >>> The virtualization support in Juniper is far better than Cisco ASA.
>>> >>> Cisco's highest model supports a maximum of 50 contexts where Juniper
>>> >>> supports 500.
>>> >>>
>>> >>> Following Juniper firewalls support virtualization (Virtual Firewalls):
>>> >>>
>>> >>> 1- ISG 1000
>>> >>> 2- ISG 2000
>>> >>> 3- Netscreen 500 (EOS now)
>>> >>> 4- Netscreen 5200
>>> >>> 5- Netscreen 5400
>>> >>>
>>> >>> In terms of features and other things the virtual firewall of Juniper is
>>> >>> better than Contexts of Cisco.
>>> >>>
>>> >>> But hey I should favour Cisco as I am Cisco Certified : )
>>> >>>
>>> >>> HTH
>>> >>>
>>> >>>
>>> >>>
>>> >>> 2008/9/7 Wes Stevens <wrsteve33-gsccie@yahoo.com>
>>> >>>
>>> >>>
>>> >>> The QuantumFlow processors in the new ASR are capable of doing firewall
>>> >>> functions (and a lot more) in hardware. The ASR will function as a
>>> >>> firewall with 4.5 Gbps of throughput. This chip reminds me of the early
>>> >>> days of IBM and the PowerPC chip. It was basically a mainframe on a chip.
>>> >>> It started in the PC and AS400 lines and eventually expanded to run
>>> >>> everything.
>>> >>>
>>> >>> This chip will probably do the same in Cisco. It will be the basis of the
>>> >>> switch processor engine from the ISR all the way up to the CSR.
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>> ----- Original Message ----
>>> >>> From: Scott Morris <smorris@internetworkexpert.com>
>>> >>> To: Shahid Ansari <shahid1357@gmail.com>; Muhammad Nasim
>>> >>> <muhammad.nasim@gmail.com>
>>> >>> Cc: CCIEin2006 <ciscocciein2006@gmail.com>; Cisco certification
>>> >>> <ccielab@groupstudy.com>
>>> >>> Sent: Sunday, September 7, 2008 9:01:43 AM
>>> >>> Subject: RE: OT - Dynamic Routing on a Firewall?
>>> >>>
>>> >>> Kinda hard to virtualize an ASIC-driven operation....
>>> >>>
>>> >>> AFAIK, no. Not for the Netscreen firewalls.
>>> >>>
>>> >>> Scott
>>> >>>
>>> >>> -----Original Message-----
>>> >>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> >>> Shahid Ansari
>>> >>> Sent: Sunday, September 07, 2008 4:36 AM
>>> >>> To: Muhammad Nasim
>>> >>> Cc: CCIEin2006; Cisco certification
>>> >>> Subject: Re: OT - Dynamic Routing on a Firewall?
>>> >>>
>>> >>> Cisco made ASA for pure firewalling, IPS and content security
>>> >>> technologies with Multiple vulnerabilities. : )
>>> >>>
>>> >>> Can We do Virtualization for Juniper`s Firewall ? : ) ;)
>>> >>>
>>> >>> Thanks
>>> >>> Shahid
>>> >>>
>>> >>>
>>> >>>
>>> >>> On Sun, Sep 7, 2008 at 9:53 AM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>>> >>>
>>> >>> > BGP is not supported on ASA until now.
>>> >>> >
>>> >>> > Juniper supports it.
>>> >>> >
>>> >>> > Nowadays memory is not an issue in firewalls. RAM is in GB nowadays.
>>> >>> >
>>> >>> >
>>> >>> >
>>> >>> >
>>> >>> > 2008/9/7 Shahid Ansari <shahid1357@gmail.com>
>>> >>> >
>>> >>> >
>>> >>> >> If you are receiving a default route in BGP, no problem, let the firewall
>>> >>> >> do both functions (Routing and Firewalling),
>>> >>> >> but if you are receiving the full BGP table then keep enough memory to
>>> >>> >> support routing and Firewalling.
>>> >>> >>
>>> >>> >> Maybe Juniper has some higher-end products which can support both
>>> >>> >> Routing and Firewall in large networks.
>>> >>> >>
>>> >>> >> Thanks
>>> >>> >> Shahid
>>> >>> >>
>>> >>> >> On Sun, Sep 7, 2008 at 5:10 AM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>>> >>> >>
>>> >>> >>> I don't think that one should avoid running a routing protocol due
>>> >>> >>> to the fear of BUGS and other things. If we think like that, trust me,
>>> >>> >>> then we will not be able to run most of the feature set of the
>>> >>> >>> firewall.
>>> >>> >>>
>>> >>> >>> For example, ASA supports S2S, Remote Access and SSL VPNs, so should I
>>> >>> >>> avoid running two or more types of VPN together? The answer is
>>> >>> >>> simply NO. Yes, if some error or bug occurs I will try to solve it or
>>> >>> >>> work around it; otherwise calling TAC is the last step.
>>> >>> >>>
>>> >>> >>> I don't think a firewall becomes more vulnerable by running a routing
>>> >>> >>> protocol. If we think like that then we will also be avoiding
>>> >>> >>> running VPN and CBAC (application firewall) on the routers, and also
>>> >>> >>> then we will be avoiding running CME on the Routers as well.
>>> >>> >>>
>>> >>> >>>
>>> >>> >>> So no need to worries : )
>>> >>> >>>
>>> >>> >>> HTH
>>> >>> >>>
>>> >>> >>>
>>> >>> >>> 2008/9/7 CCIEin2006 <ciscocciein2006@gmail.com>
>>> >>> >>>
>>> >>> >>> > Thanks for the reply Muhammad.
>>> >>> >>> >
>>> >>> >>> > From a security perspective, do you think running routing
>>> >>> >>> > protocols on a firewall makes the firewall more vulnerable? If so
>>> >>> >>> > how?
>>> >>> >>> >
>>> >>> >>> > I am thinking that extra processes running on the firewall lead to
>>> >>> >>> > more bugs and more likelihood of exploitation. What do you think?
>>> >>> >>> >
>>> >>> >>> > No one else wants to chime in here?
>>> >>> >>> >
>>> >>> >>> > On Sat, Sep 6, 2008 at 12:09 PM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>>> >>> >>> >
>>> >>> >>> >> Ok lets have a debate on it.
>>> >>> >>> >>
>>> >>> >>> >> It depends what exactly the design you have on your network is. For
>>> >>> >>> >> example, the standard is to have a router for ROUTING and a Firewall
>>> >>> >>> >> for firewalling and IPS and other things.
>>> >>> >>> >>
>>> >>> >>> >> Now if u already have a router and firewall in place then it is
>>> >>> >>> >> good to keep the routing on the routers, BUT if u really want to
>>> >>> >>> >> save money then just purchase a firewall which supports good routing,
>>> >>> >>> >> and again Juniper takes the edge.
>>> >>> >>> >>
>>> >>> >>> >>
>>> >>> >>> >> The Juniper SSG series has very strong support of routing; not only
>>> >>> >>> >> that, it also supports WAN, DSL and other interfaces, so in short u
>>> >>> >>> >> can buy only an SSG and do routing and firewalling. Not only that,
>>> >>> >>> >> from version 6.1.0 the Juniper firewall supports DMVPN as well, which
>>> >>> >>> >> unfortunately Cisco is lagging behind on.
>>> >>> >>> >>
>>> >>> >>> >> There is no hard and fast rule for it. It really depends on your
>>> >>> >>> >> scenario.
>>> >>> >>> >>
>>> >>> >>> >> For example, if I am going to design a network for 10 branches, now I
>>> >>> >>> >> will first look into the budget of my customer; if it permits I will
>>> >>> >>> >> surely go for one router and one firewall.
>>> >>> >>> >>
>>> >>> >>> >>
>>> >>> >>> >> If the budget does not permit I will go for a firewall which supports
>>> >>> >>> >> good routing as well.
>>> >>> >>> >>
>>> >>> >>> >> Hope this helps
>>> >>> >>> >>
>>> >>> >>> >> 2008/9/6 CCIEin2006 <ciscocciein2006@gmail.com>
>>> >>> >>> >>
>>> >>> >>> >>> No brave ones want to tackle this one?
>>> >>> >>> >>>
>>> >>> >>> >>> On Fri, Sep 5, 2008 at 10:09 AM, CCIEin2006 <ciscocciein2006@gmail.com> wrote:
>>> >>> >>> >>>
>>> >>> >>> >>> > Hiya folks,
>>> >>> >>> >>> >
>>> >>> >>> >>> > I was wondering if the group could share some pros/cons of
>>> >>> >>> >>> > running dynamic routing protocols on a firewall?
>>> >>> >>> >>> > Can anyone share their experience with this?
>>> >>> >>> >>> >
>>> >>> >>> >>> > I have a few branch offices connected to HQ in a hub and spoke
>>> >>> >>> >>> > fashion via metro ethernet links. I am looking to add VPN as a
>>> >>> >>> >>> > backup (each branch has local internet access). The routers are
>>> >>> >>> >>> > currently running OSPF.
>>> >>> >>> >>> >
>>> >>> >>> >>> > I am thinking of doing it all on the ASA platform to save money,
>>> >>> >>> >>> > but something in my gut tells me to leave the routing up to
>>> >>> >>> >>> > routers. So I am thinking I might need to bite the bullet and buy
>>> >>> >>> >>> > some routers too.
>>> >>> >>> >>> >
>>> >>> >>> >>> > What do you think?
>>> >>> >>> >>>
>>> >>> >>> >>>
>>> >>> >>> >>> Blogs and organic groups at http://www.ccie.net
>>> >>> >>> >>>
>>> >>> >>> >>> _______________________________________________________________________
>>> >>> >>> >>> Subscription information may be found at:
>>> >>> >>> >>> http://www.groupstudy.com/list/CCIELab.html
>>> >>> >>> >>>
>>> >>> >>> >>
>>> >>> >>> >>
>>> >>> >>> >> --
>>> >>> >>> >> Muhammad Nasim
>>> >>> >>> >> Network Engineer
>>> >>> >>> >> Saudi Arabia
>>> >>> >>> >>
>>> >>> >>> >
>>> >>> >>> >
>>> >>> >>>
>>> >>> >>>
>>> >>> >>> --
>>> >>> >>> Muhammad Nasim
>>> >>> >>> Network Engineer
>>> >>> >>> Saudi Arabia
>>> >>> >>>
>>> >>> >>>
>>> >>> >>
>>> >>> >>
>>> >>> >> --
>>> >>> >> Regards,
>>> >>> >>
>>> >>> >> Shahid
>>> >>> >>
>>> >>> >
>>> >>> >
>>> >>> >
>>> >>> > --
>>> >>> > Muhammad Nasim
>>> >>> > Network Engineer
>>> >>> > Saudi Arabia
>>> >>> >
>>> >>>
>>> >>>
>>> >>>
>>> >>> --
>>> >>> Regards,
>>> >>>
>>> >>> Shahid
>>> >>>
>>> >>>
>>> >>> --
>>> >>> Muhammad Nasim
>>> >>> Network Engineer
>>> >>> Saudi Arabia
>>> >>>
>>> >>>
>>> >>
>>> >
>>>
>>>
>>> --
>>> Muhammad Nasim
>>> Network Engineer
>>> Saudi Arabia
>>>
>>>
>>
>
>
> --
> Muhammad Nasim
> Network Engineer
> Saudi Arabia
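Taking the design the original poster describes (OSPF over a VPN tunnel as a backup to the metro Ethernet link, with the tunnel treated as a logical interface the SNMP tool can alert on and poll), together with the question raised further down the thread about whether a routing process widens the box's attack surface, here is an added example of how that looks on an IOS branch router. This is editor-supplied example configuration, not anything posted in the thread and not taken from Cisco documentation; every address, interface name, OSPF cost, SNMP host and key string below is an assumed placeholder.

```cisco
! Branch router (hypothetical) - GRE over IPsec tunnel to HQ as the OSPF backup path.
! All addresses, names and keys are placeholders for illustration, not values from the thread.
!
! IKE phase 1 and IPsec phase 2 used to protect the GRE tunnel.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 198.51.100.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC-HQ
 set transform-set TS-AES
!
! The GRE tunnel is a real interface: it has line protocol, counters and an ifIndex,
! so it generates linkDown/linkUp traps and can be polled like any other interface.
interface Tunnel0
 description Backup GRE/IPsec tunnel to HQ over local Internet
 ip address 10.255.0.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <REPLACE-WITH-OSPF-KEY>
 ip ospf cost 1000
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-HQ
!
! Primary path: lower OSPF cost so it is always preferred while it is up.
interface GigabitEthernet0/0
 description Primary metro Ethernet to HQ
 ip address 10.1.0.2 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <REPLACE-WITH-OSPF-KEY>
 ip ospf cost 10
!
interface GigabitEthernet0/1
 description Local Internet (tunnel source)
 ip address 203.0.113.2 255.255.255.0
!
! OSPF only speaks on the two links that need it; everything else is passive.
router ospf 1
 router-id 10.255.255.2
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface Tunnel0
 network 10.0.0.0 0.255.255.255 area 0
!
! Host route to the HQ tunnel endpoint via the ISP, so the tunnel destination is
! never learned through the tunnel itself (recursive routing would flap Tunnel0).
ip route 198.51.100.1 255.255.255.255 203.0.113.1
!
! Read-only SNMP with linkDown/linkUp traps to the monitoring host.
snmp-server community <REPLACE-WITH-RO-STRING> RO
snmp-server host 10.1.10.50 version 2c <REPLACE-WITH-RO-STRING>
snmp-server enable traps snmp linkdown linkup
```

The `keepalive 10 3` line is what makes the tunnel behave like the logical interface the poster asks for: after three missed keepalives (30 seconds) IOS marks Tunnel0 line protocol down, the OSPF adjacency over it drops, and a standard linkDown trap goes to the monitoring host, which can also poll the tunnel's IF-MIB counters (ifInOctets/ifOutOctets) for utilization in the meantime. The higher `ip ospf cost` on the tunnel keeps it a backup path only; the HQ side mirrors the same costs on its interfaces. On the attack-surface question raised in the thread, `passive-interface default` limits the routing process to the two links where it must listen, and MD5 authentication on those links rejects hellos from anything that does not hold the key; those two settings are the practical mitigation whichever box ends up running OSPF.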




This archive was generated by hypermail 2.1.4 : Sat Oct 04 2008 - 09:26:17 ART