[c-nsp] ASA vs ISR ZBFW

Matthew Huff mhuff at ox.com
Fri Sep 9 11:33:37 EDT 2011


> ... but still no BGP, which is undoubtedly *the* routing protocol that you want to use if you don't trust your neighbours (due to much better filtering
> support) - and "firewall environment" is usually all about "not trusting".

I prefer to keep my BGP routing and firewall on separate boxes, especially since full routes take quite a bit of CPU and memory. But I can see why it would be nice to keep it on the same box.

> (Can you do firewalling without NAT these days without configuring
> external-to-internal permits as "please do NAT from X to X"?)

Yes, a simple ACL works now.

> Just last week I had a customer call due to weird issues with "passive
> FTP is not working right"... but indeed that might have been an older
> firmware release.

Hmm, would it happen to have included a NetBSD or OpenBSD box? There have been some issues with some of the new FTP verbs (especially EPSV). Some FTP clients use the new EPSV verb without falling back correctly to PASV, even over IPv4 connections (RFC 2428). I've run into this a few times, especially with older Cisco load balancers.



----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-460-4139


> -----Original Message-----
> From: Gert Doering [mailto:gert at greenie.muc.de]
> Sent: Friday, September 09, 2011 11:24 AM
> To: Matthew Huff
> Cc: 'Gert Doering'; 'Jay Nakamura'; 'cisco-nsp'
> Subject: Re: [c-nsp] ASA vs ISR ZBFW
> 
> Hi,
> 
> On Fri, Sep 09, 2011 at 11:17:39AM -0400, Matthew Huff wrote:
> > I understand where this comes from, but the ASA is a bit more modern
> > than the "PIXen".
> >
> > 1) It now does dynamic routing (RIP, OSPF, EIGRP)
> 
> ... but still no BGP, which is undoubtedly *the* routing protocol that
> you want to use if you don't trust your neighbours (due to much better
> filtering support) - and "firewall environment" is usually all about
> "not trusting".
> 
> > 2) Nat (as of 8.3+) is now "normal"
> 
> Hooray :-)
> 
> (Can you do firewalling without NAT these days without configuring
> external-to-internal permits as "please do NAT from X to X"?)
> 
> > 3) The inspect feature still has issues but is necessary for many
> > protocols and is implemented very similarly on the ZBFW in IOS.
> 
> Just last week I had a customer call due to weird issues with "passive
> FTP is not working right"... but indeed that might have been an older
> firmware release.
> 
> OTOH, I never said the PIX/ASAs are *bad*...  there's much worse evil
> on the market :-)
> 
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> 
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
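The "a simple ACL works now" point, as an added configuration example that is not from either poster: on ASA 8.3 and later an inbound permit is written against the host's real address and needs no NAT statement at all, whereas with NAT control enabled on older PIX/ASA code the same host also had to be "translated" to itself (the "NAT from X to X" Gert refers to). The object name, ACL name and the 192.0.2.10 address are assumptions chosen for illustration.

```cisco
! --- ASA 8.3+ : no-NAT firewalling with just an ACL ---
! The ACL matches the real (untranslated) address; no nat/static line is required.
object network SRV_WEB
 host 192.0.2.10
access-list OUTSIDE_IN extended permit tcp any object SRV_WEB eq 443
access-group OUTSIDE_IN in interface outside

! --- Pre-8.3 with nat-control enabled : the identity ("X to X") translation ---
! Without the static, inbound packets to 192.0.2.10 have no translation and are dropped
! even though the ACL permits them.
nat-control
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-group OUTSIDE_IN in interface outside
```

In both cases the access-list is the only policy that decides what is permitted; the 8.3+ form simply removes the translation-table dependency, which is also why 8.3+ ACLs are written in terms of real addresses rather than mapped ones.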
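The EPSV/PASV behaviour discussed above, as an added example that is not code from either poster: a minimal client-side data-channel negotiation that issues EPSV first and falls back to PASV when the server answers with a 5xx reply (the behaviour RFC 2428 expects), with parsers for both the 229 `(|||port|)` and the 227 `(h1,h2,h3,h4,p1,p2)` reply formats. The scripted `FakeServer` and its reply strings are constructed for the example; the `use_epsv` switch models the usual workaround of not sending EPSV on IPv4 at all when a middlebox in the path does not understand it.

```python
"""EPSV -> PASV fallback for an FTP client (RFC 2428 / RFC 959). Example code, not from the thread."""
import re
from typing import Callable, List, Tuple

# 229 Entering Extended Passive Mode (|||52001|)  -- delimiter may be any printable char
EPSV_RE = re.compile(r"\((.)\1\1(\d+)\1\)")
# 227 Entering Passive Mode (192,0,2,10,203,41)
PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_epsv_reply(reply: str) -> int:
    """Return the data port announced in a 229 reply; EPSV never carries an address."""
    if not reply.startswith("229"):
        raise ValueError(f"not a 229 EPSV reply: {reply!r}")
    m = EPSV_RE.search(reply)
    if not m:
        raise ValueError(f"malformed EPSV reply: {reply!r}")
    port = int(m.group(2))
    if not 0 < port <= 65535:
        raise ValueError(f"EPSV port out of range: {port}")
    return port


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (host, port) from a 227 reply; port is p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    octets = [int(m.group(i)) for i in range(1, 7)]
    if any(o > 255 for o in octets):
        raise ValueError(f"PASV field out of range: {reply!r}")
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]


def open_passive(send: Callable[[str], str], control_host: str,
                 use_epsv: bool = True) -> Tuple[str, int, str]:
    """Negotiate a passive data channel. Returns (host, port, mode_used).

    send() writes one command on the control channel and returns the reply line.
    A 5xx answer to EPSV means the server does not implement it, so fall back to PASV.
    """
    if use_epsv:
        reply = send("EPSV")
        if reply.startswith("229"):
            # EPSV has no address field: connect to the same peer as the control channel
            return control_host, parse_epsv_reply(reply), "EPSV"
        if not reply.startswith("5"):
            raise ValueError(f"unexpected EPSV reply: {reply!r}")
    host, port = parse_pasv_reply(send("PASV"))
    return host, port, "PASV"


class FakeServer:
    """Scripted control channel standing in for a socket (constructed for this example)."""

    def __init__(self, epsv_reply: str, pasv_reply: str) -> None:
        self.epsv_reply = epsv_reply
        self.pasv_reply = pasv_reply
        self.log: List[str] = []

    def __call__(self, cmd: str) -> str:
        self.log.append(cmd)
        if cmd == "EPSV":
            return self.epsv_reply
        if cmd == "PASV":
            return self.pasv_reply
        return "500 Syntax error, command unrecognized."


def demo():
    """Run the negotiation against an EPSV-capable and an EPSV-less server."""
    pasv = "227 Entering Passive Mode (192,0,2,10,203,41)"   # 203*256+41 = 52009
    modern = FakeServer("229 Entering Extended Passive Mode (|||52001|)", pasv)
    legacy = FakeServer("502 Command not implemented.", pasv)
    r_modern = open_passive(modern, "192.0.2.10")
    r_legacy = open_passive(legacy, "192.0.2.10")
    r_forced = open_passive(modern, "192.0.2.10", use_epsv=False)  # IPv4 workaround
    return r_modern, r_legacy, r_forced, legacy.log, modern.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The fallback only helps when the server itself rejects EPSV. When the server accepts it but an inspection device in the path does not parse the 229 reply and so never opens the pinhole, the client sees only a data-connection failure later, which is why simply disabling EPSV over IPv4 (the `use_epsv=False` path) is the usual workaround.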


