PIX Deployment Scenarios
The Cisco PIX and ASA VPN capabilities have their roots in Cisco IOS VPN technologies. VPNs were first introduced in the Cisco IOS router product line and then added to the PIXs in an early 5.x release. Like the routers and the concentrators, Cisco PIXs support many VPN solutions including IPsec, PPTP, and L2TP. Because of their flexibility, they can be used in many different situations. The ASA was introduced in the spring of 2005. The ASA is a unique hybrid security appliance, having abilities from the PIX, VPN 3000, and IDS 4200 sensors. This section will focus on how PIX and ASA security appliances can be used to enhance a VPN solution in your network.
Specifically, the section will cover the following:
- L2L and Remote Access Connections
- Special Capabilities of PIXs and ASAs
L2L and Remote Access Connections
PIXs and ASAs support L2L and remote access connections. For remote access solutions, the PIXs and ASAs can be Easy VPN Servers, and the PIX 501 and 506E can be Easy VPN Remotes (clients). As I mentioned in Chapter 9, "Concentrator Site-to-Site Connections," I prefer to use Cisco routers for L2L sessions and concentrators for remote access connections. The ASA security appliances also can terminate SSL VPNs, with SSL capabilities similar to those of the VPN 3000 concentrators.
Routers support enhanced routing and QoS capabilities over Cisco PIX and ASA security appliances and VPN 3000 concentrators. Plus, VPN 3000 concentrators scale better for remote access connections and are easy to set up. However, the Cisco PIX and ASA security appliances, first and foremost, provide better-integrated and more comprehensive security services than routers and concentrators. Therefore, if you need to enhance your VPN solution with security and firewall functions and place it in one box, or if you need enhanced address translation services for VPNs that terminate on a VPN device, the PIX or ASA is a much better choice than a router or a concentrator.
Special Capabilities of PIXs and ASAs
As I mentioned in Chapter 6, I prefer to use PIXs or ASAs in a VPN solution when I need advanced address translation capabilities in addition to advanced firewall and security services. There are three main features the PIX and ASA security appliances have over Cisco VPN 3000 concentrators and IOS-based routers when it comes to VPN implementations: address translation, stateful firewall services, and redundancy.
Address Translation
The PIX was originally developed by Network Translation as an address translation device back in 1994. From the beginning, the PIX has had its roots in address translation. The concentrator's address translation capabilities are very minimal, and Cisco routers' capabilities are based primarily on address translation involving two logical locations: inside and outside. However, the PIX's address translation capabilities can handle multiple interfaces easily, with different translation policies for different interfaces. Policy address translation is one of its main strengths. Many times I have attempted to configure complex address translation policies, such as bidirectional NAT on a multi-interface router, given up shortly afterward, and then easily configured the same policies on a PIX.
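The following configuration is an added example, not taken from the book, showing what per-interface translation policies look like on a three-interface PIX running FOS 7.0. The interface names, NAT IDs, access-list names, and all addresses (RFC 1918 and RFC 5737 documentation ranges) are constructed for illustration; it assumes an L2L tunnel to a peer whose private network is 192.168.10.0/24.

```cisco
! Constructed example (not from the book): per-interface policy NAT on FOS 7.0.
! All addresses are documentation/private ranges chosen for this example.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
! Policy 1 (inside -> VPN peer): identity NAT via nat 0, so inside hosts keep
! their real addresses and the crypto ACL for the L2L tunnel still matches.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Policy 2 (inside -> dmz): only traffic matching this ACL is translated,
! and it is mapped into a pool that lives on the dmz interface.
access-list INSIDE_TO_DMZ extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 2 access-list INSIDE_TO_DMZ
global (dmz) 2 172.16.1.100-172.16.1.200 netmask 255.255.255.0
!
! Policy 3 (inside -> everything else): PAT to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Policy 4 (dmz -> outside): a separate PAT address for the dmz segment,
! so Internet-facing logs distinguish dmz servers from inside users.
nat (dmz) 3 172.16.1.0 255.255.255.0
global (outside) 3 203.0.113.10
!
! Policy 5 (bidirectional/outside NAT): the peer's 192.168.10.0/24 network is
! translated into a local range as it enters on outside, which is what the
! "outside" keyword enables; inside hosts then address the peer as 10.1.200.x.
nat (outside) 4 192.168.10.0 255.255.255.0 outside
global (inside) 4 10.1.200.1-10.1.200.254 netmask 255.255.255.0
```

Each `nat` statement names the interface where the real addresses live and a NAT ID; the matching `global` names the interface where the translated addresses appear. Because each interface pair can carry its own policy, the same real network can be left untranslated toward the VPN peer, pooled toward the dmz, and PATed toward the Internet without any of the three rules interfering with the others.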
Stateful Firewall Services
With the introduction of FOS 6.x and 7.0, the PIX and ASA security appliances provide one of the best, if not the best, integrated stateful firewall services on the market, including support for both IPv4 and IPv6. Besides performing stateful firewall functions, they support superb application layer inspection and filtering capabilities, including detailed inspection of application layer information such as HTTP, FTP, SMTP, ESMTP, multimedia applications, voice, and many others. They support advanced guard and detection features to protect against TCP flood attacks, DNS spoofing, fragmentation attacks, web server attacks, and e-mail attacks. The PIX and ASA also can be used to detect and block instant messaging applications, peer-to-peer file sharing programs, and other applications that tunnel traffic through web services, such as AOL's Instant Messenger, KaZaA, and GoToMyPC.
Redundancy
Cisco PIXs support stateful failover for redundancy of connections. Before FOS 7.0, though, this did not include redundancy for VPN sessions; nor did it allow both PIXs, in a failover configuration, to process traffic. With the introduction of FOS 7.0, both PIXs or ASAs in a failover configuration can actively process traffic; this is referred to as Active/Active failover. Cisco routers don't support this type of redundancy, but the VPN 3000 concentrators do with VCA. However, with VCA, any remote access connections dropped by a failed concentrator must be rebuilt by the remote access clients via the master of the cluster, so temporary loss of connectivity will occur.
With FOS 7.0, if one of the PIXs (or ASAs) in a failover configuration fails, all of the necessary VPN information already exists on the other, redundant PIX, and the redundant PIX can immediately begin processing the VPN traffic. This solution provides a true stateful failover configuration not only for VPN traffic, but for any traffic flowing through the PIXs.
Note
Active/Active failover provides load balancing based on the VCA code from the VPN 3000 concentrators; Active/Standby failover provides stateful failover for VPN sessions.
Failover times between PIXs or ASAs have been reduced to subsecond times when serial-based failover is used and three seconds when LAN-based failover is used. Another great feature in FOS 7.0 is zero-downtime software upgrades. You can upgrade the PIX or ASA without having to reboot it, which can be very important for mission-critical VPN applications.
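The following configuration is an added example, not taken from the book, showing the primary unit of a FOS 7.0 stateful LAN-based failover pair that terminates an L2L tunnel. It is written as Active/Standby because in 7.0 Active/Active requires multiple-context mode, and VPN features are not available in that mode; the failover interface names, the peer address 198.51.100.1, the pre-shared key placeholder, and all other addresses are constructed for this example.

```cisco
! Constructed example (not from the book): FOS 7.0 Active/Standby, LAN-based
! stateful failover for a PIX/ASA terminating an L2L IPsec tunnel.
! Addresses are documentation/private ranges; the key is a placeholder.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
 no shutdown
interface Ethernet2
 description LAN-based failover control link
 no shutdown
interface Ethernet3
 description Stateful failover link (connection and IPsec SA replication)
 no shutdown
!
! Failover control: hello/role negotiation and config sync run over FOLINK.
failover lan unit primary
failover lan interface FOLINK Ethernet2
failover interface ip FOLINK 10.255.1.1 255.255.255.0 standby 10.255.1.2
! Stateful link: connection table and VPN state are replicated over STATELINK,
! which is what lets the standby take over sessions without a rekey.
failover link STATELINK Ethernet3
failover interface ip STATELINK 10.255.2.1 255.255.255.0 standby 10.255.2.2
! Shared secret authenticates and encrypts failover messages on the wire;
! without it, the control link carries configuration and state in the clear.
failover key REPLACE-WITH-SHARED-SECRET
! HTTP connections are not replicated by default; enable if needed.
failover replication http
!
! The L2L tunnel is configured once; failover replicates it to the standby.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-PSK
access-list L2L extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 match address L2L
crypto map VPNMAP 10 set peer 198.51.100.1
crypto map VPNMAP 10 set transform-set AES-SHA
crypto map VPNMAP interface outside
!
! Enable failover last, after both links and the standby addresses exist.
failover
```

The standby unit needs only the `failover lan unit secondary` line plus the same `failover lan interface`, `failover link`, and `failover interface ip` commands; the rest of the configuration, including the tunnel group and crypto map, is copied from the primary during synchronization. Because the tunnel's peer address is the active unit's outside address, the standby inherits 203.0.113.2 on takeover and the remote peer continues sending to the same endpoint, which is why the stateful design holds up for VPN traffic.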