Friday, May 04, 2007

firewall-wizards Digest, Vol 13, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Cisco ASA and FWSM (Timo Schoeler)
2. Re: ASA 5510 problem (Skough Axel U/IT-S)
3. Re: ASA 5510 problem (Chris Wargaski)


----------------------------------------------------------------------

Message: 1
Date: Mon, 30 Apr 2007 15:34:51 +0200
From: Timo Schoeler <timo.schoeler@riscworks.net>
Subject: Re: [fw-wiz] Cisco ASA and FWSM
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: drsharp@pacbell.net
Message-ID: <20070430153451.24c27006.timo.schoeler@riscworks.net>
Content-Type: text/plain; charset="us-ascii"

On Sat, 28 Apr 2007 14:23:43 -0700
D Sharp <drsharp@pacbell.net> wrote:

> Hi;
>
> We have an Internet Portal in place for some 2+ years based on a
> redundant set of 6500 switches with sup720s, IDS-SM, NAM, FWSM,
> switch blades. We also use the FWSM to create isolated non-production
> development/test/QA areas. We also have PIX and ASA firewalls.
>
> Would we use FWSM again? Not likely. We spent a great deal of time
> finding a stable version of software for both SUP720 and FWSM. The
> problems we have experienced may no longer exist in current code
> releases.
>
> But the FWSM is very compelling, yet it has to meet your
> requirements. You asked for a comparison, and others have
> responded with some points. These are more on the design.
>
> Chassis versus standalone:
> FWSM 'interface' is a set of virtual gigabit intfs. bound into a
> single GEC (gigabit ether channel). Packets are 'load balanced' over
> these. You work with vlans, not interfaces.
> ASA top model supports (8) gig interfaces, but ether channel
> still does not appear to be supported. Not a big deal as the top ASA
> only supports up to 1.2gbs throughput.

yeah, and for the ASA-5520 (e.g.) they share one single interrupt.
worst hardware design ever.

> FWSM uses the shared bus of the chassis, not the switched bus.
> Thus the SUP32 and SUP720 modules are supported.
> Or less desirable, as your switched bus cards still have to send
> traffic over the shared bus for the FWSM.
> With externally connected firewalls, you save a chassis slot for
> another (48) port switch card, or some other special purpose module.
>
> There is another interesting design "feature" of the FWSM, it
> uses ONE MAC address per module. Thus all interfaces, layer 3, across
> all virtual firewalls share this MAC. This precludes some designs
> that would share a vlan.
>
> Capabilities, there are dozens of comparison points, my top 5 are:
> FWSM vs ASA5500
> 1: FWSM 5gbs over ASA 1.2gbs
> 2: flexible vlans, FWSM over ASA.
> 3: FWSM support for more ACLs, vlans, connections over ASA.
> 4: ASA for VPNs, not possible with FWSM.
> 5: ASA uses (8) network ports versus the FWSM usage of a slot.
>
> Hope this helps.
>
> Yours,
> Duncan Sharp
>
> Security Guy wrote:
>
> >As Avishai said, the FWSM is just a firewall, no VPN or IDS support
> >at all (those are different modules ;)
> >
> >If you can do without the features, you still have to consider cost:
> >the last time I looked at FWSMs they were in the 20k USD range..
> >
> >The main thing you get with FWSM is performance (supposedly about
> >6gb/s limited by the 6-gb etherchannel it takes from the backplane)
> >tied directly to your core switch/router, if that's what you're
> >looking for.
> >
> >
> >On 4/12/07, Kimberly Fields <kimberlymfields@gmail.com> wrote:
> >
> >
> >>Can anyone tell me what, if any, are the differences between the
> >>Cisco ASA firewall features and the Cisco FWSM firewall features?
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 2
Date: Wed, 2 May 2007 21:58:01 +0200
From: "Skough Axel U/IT-S" <axel.skough@scb.se>
Subject: Re: [fw-wiz] ASA 5510 problem
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <7D5607434F895540B2A717820399633D14B090@exs13.scb.intra>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

Have you specified the VPN Pool range properly? It should be for example 10.10.10.0/24.

/ Axel

________________________________

From: firewall-wizards-bounces@listserv.icsalabs.com on behalf of Dehnert James Sr
Sent: Tue 2007-05-01 02:04
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] ASA 5510 problem

I have a Cisco ASA 5510 with External, Internal, and DMZ
interfaces. I have a mail server in the DMZ and I have configured
the ASA so that I can get to it internally and externally; however,
when I log in using the IPSEC VPN I cannot connect.

The internal address range is 192.168.100.0/24
The dmz address range is 192.168.200.0/24
The VPN pool range is 10.10.10.10/24

I have mappings internally so that any 192.168.100 host can
connect to the mail server at 192.168.200.25, but the VPN access
issue has me flummoxed.

Cisco has examples of VPN or DMZ, but nothing with info on both.

Any pointers would be greatly appreciated.

Thanks,
Zeke

--
James "Zeke" Dehnert
mailto:jdehnert@norcalnetworks.com
Phone: +1 707.546.6620 x602 Fax: +1 707.324.8043
"Life is racing, everything else is just waiting"


_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
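The pool mismatch Axel points at can be caught before anyone starts debugging the tunnel. The following is an added example, not code from either poster: a Python check over the addressing given in Zeke's post (pool, internal and DMZ ranges, mail server) that flags a pool written with host bits set, any overlap between the pool and a protected range, and a target host that lies outside every protected range. The sample values are constructed from the thread.

```python
import ipaddress

# Addressing as given in the post (constructed input for this example).
INTERNAL = "192.168.100.0/24"
DMZ = "192.168.200.0/24"
MAIL_SERVER = "192.168.200.25"
POOL_AS_POSTED = "10.10.10.10/24"   # host bits set: names a host, not a network
POOL_CORRECTED = "10.10.10.0/24"    # the form Axel suggests


def check_vpn_addressing(pool, protected_nets, hosts=()):
    """Sanity-check a VPN address pool against the networks it must reach.

    Returns a list of (kind, detail) findings; an empty list means the
    addressing plan is internally consistent.
    """
    findings = []
    try:
        pool_net = ipaddress.ip_network(pool, strict=True)
    except ValueError:
        # strict=True rejects '10.10.10.10/24'; strict=False tells us which
        # network the operator most likely meant.
        pool_net = ipaddress.ip_network(pool, strict=False)
        findings.append(("host-bits",
                         f"{pool} has host bits set; did you mean {pool_net}?"))

    nets = [ipaddress.ip_network(n) for n in protected_nets]
    for net in nets:
        # A pool overlapping a protected range breaks routing for VPN clients:
        # the client's own address collides with the destination network.
        if pool_net.overlaps(net):
            findings.append(("overlap", f"pool {pool_net} overlaps {net}"))

    for host in hosts:
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in nets):
            findings.append(("host-outside",
                             f"{host} is not in any protected network"))
    return findings


if __name__ == "__main__":
    for pool in (POOL_AS_POSTED, POOL_CORRECTED):
        result = check_vpn_addressing(pool, [INTERNAL, DMZ], [MAIL_SERVER])
        print(pool, result or "ok")
```

An empty result only says the address plan is consistent; the VPN-to-DMZ access policy on the ASA still has to allow the pool through, which is what Chris's request for the group-policy and crypto lines is about.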



------------------------------

Message: 3
Date: Thu, 3 May 2007 01:00:10 -0500
From: "Chris Wargaski" <cwargaski@rmstsi.com>
Subject: Re: [fw-wiz] ASA 5510 problem
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <F7B8D9BB39700E48AAFAAC978C7ABB731DBD24@cliff.rmsbg.com>
Content-Type: text/plain; charset="iso-8859-1"

Zeke--

Are you able to access anything when you establish the VPN tunnel? How are you trying to access? (ping, email client?) Also, when you connect, is your connecting workstation directly connected to a public network, or are you behind a device performing NAT (like a home firewall)?

Can you post snippets of the configuration? (group-policy block, and any line beginning with the word crypto).

cjw

Christopher J. Wargaski
RMS Technology Solutions, Inc.
cwargaski@rmstsi.com
(847) 215-1661 x223

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com on behalf of Dehnert James Sr
Sent: Mon 4/30/2007 7:04 PM
To: firewall-wizards@listserv.icsalabs.com
Subject: [fw-wiz] ASA 5510 problem


------------------------------


End of firewall-wizards Digest, Vol 13, Issue 2
***********************************************