ASDM archives - The musings of an IT Consultant


Sep 30 2009   8:59PM GMT

Differences between Cisco ASA 5505 base and security plus versions



Posted by: Raj Perumal
ASA 5505, security plus, base, K8, K9, ASDM, features, differences between base and security plus

Hello folks! One of the common questions I’ve been getting as of late is what are the differences between all the models of Cisco ASA 5505 firewalls available. This question has been asked of me numerous times, and it’s actually quite easy.

Here are the differences between the base model and the security plus version (base model first, then security plus):

  • 10,000 maximum firewall connections, instead of 25,000
  • 10 site-to-site VPN tunnels, instead of 25
  • 3 VLANs total allowed, instead of 20
  • No VLAN trunking, vs. trunking supported
  • No high availability, vs. stateless active/standby failover
  • The security plus version allows for unlimited users on the LAN accessing the Internet through the ASA

If you need more SSL VPN licenses you would need to purchase those separately. Also, if you want to use the ASDM GUI to manage the device, then you want to make sure you purchase the version with “K9” in the SKU, not “K8”.

-RP

Apr 29 2009   3:52PM GMT

Cisco ASA Firewall dropping packets sporadically



Posted by: Raj Perumal
faulty switch, using switch to split Internet, Cisco ASA, dropped packets through firewall, ASDM, Adaptive Security Appliance

So here’s an interesting issue I ran into with my Cisco ASA at home. It had been working fine for quite some time, and then one day my wife told me that our Internet “was down”. I was on my wireless connection via my laptop at the time, and my wife was using one of our desktop computers. My Internet access was working perfectly, but my connection went out through a different firewall on my network. My wife was browsing through the Cisco ASA.

I went over to my wife’s desktop computer and did all the normal Internet connectivity tests. I could communicate with the Cisco ASA fine, but I couldn’t ping anything outside my network past the Cisco ASA device. I then ran a continuous ping and found that every few pings I would get a successful reply, but the rest would time out. To me that said something was wrong on the external interface.

I went into my server room and checked on the connections because I have multiple firewalls hitting a switch which splits my Internet between them. Turns out the port the Cisco ASA was plugged into was faulty and dropping lots of packets. Bingo, problem solved!

-RP


Apr 29 2009   3:07PM GMT

Rules not working in Cisco ASA as you thought they should



Posted by: Raj Perumal
Cisco ASA, implicit rules, outside interface outgoing, inside interface outgoing, outside access out, inside access out, common Cisco ASA issues, ASDM, Adaptive Security Appliance

Hi folks, as you know I’ve been doing a lot of work with the Cisco ASA firewall products lately and I wanted to address an issue I’ve seen a few administrators run into when setting up a new ASA.

Often when you set up an ASA you are not just setting up outbound access from the inside to the outside; you might also want to set some incoming rules for some of your servers, such as web servers or mail servers. The problem I see administrators run into is that after they set up these rules they still can’t get access to the servers from the outside world.

If you take a close look at the rules, at first glance it seems like everything was configured OK and everything should be working. What I’ve found in these situations is that someone specified an inside interface outgoing rule, or an outside interface outgoing rule. By doing that you’re explicitly allowing that one rule and implicitly denying everything else. To fix this, either create a specific rule for the device to allow it out, or remove all the outgoing rules altogether, in which case the Cisco ASA will allow it by default. Which way you choose will depend on how you want to secure your network, of course. Hope this helps!
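To make the mechanic concrete, here is an added ASA CLI example (my own illustration, not configuration from the post). It assumes an inside network of 192.0.2.0/24, a host 192.0.2.10 that an administrator wanted to allow out, and the ACL name inside_access_in, which is the kind of name ASDM generates for an “inside interface, outgoing” rule; all addresses are constructed. The point is the one the post makes: the moment any ACL is bound to an interface, the ASA’s default permit for higher-to-lower security traffic is replaced by an implicit deny at the end of that ACL.

```cisco
! --- Before (the mistake) ---
! One "inside interface, outgoing" rule created in ASDM. Binding this ACL to the
! inside interface appends an implicit deny, so every other inside host is now
! blocked on its way out, even though no deny line is visible in the rule table.
access-list inside_access_in extended permit tcp host 192.0.2.10 any eq www
access-group inside_access_in in interface inside

! --- Fix, option 1: keep the ACL and make the intended permits explicit ---
! Other inside hosts are allowed out by a second line; nothing else changes.
access-list inside_access_in extended permit tcp host 192.0.2.10 any eq www
access-list inside_access_in extended permit ip 192.0.2.0 255.255.255.0 any
access-group inside_access_in in interface inside

! --- Fix, option 2: remove the outgoing ACL binding entirely ---
! With no ACL bound to the interface, the ASA returns to its default of allowing
! traffic from the higher-security inside interface to the lower-security outside.
no access-group inside_access_in in interface inside

! --- Checks ---
! Which ACLs are bound to which interfaces and in which direction:
show running-config access-group
! Per-line hit counts; an unexpectedly high count on the implicit deny line
! (shown at the end of the output) is the telltale sign of this problem:
show access-list inside_access_in
! Trace a flow from an inside host that is NOT in the rule (198.51.100.1 is a
! constructed destination) and see which ACL line drops or permits it:
packet-tracer input inside tcp 192.0.2.20 12345 198.51.100.1 80
```

Option 1 is the tighter choice because it keeps an explicit list of what may leave the network; option 2 is the quickest way to confirm the diagnosis, since the symptom disappears as soon as the binding is removed. Either way, run the packet-tracer check both before and after the change so the difference is recorded rather than assumed.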

-Cheers, RP