Saturday, April 18, 2009

ASA: Lessons learned

Inter Vlan Routing:

This was harder to figure out than I expected it to be:

1) With a trunk / ROS setup I believe both of these are needed. inter-interface should be enough for separate physical links.

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

2) Create a NAT exempt rule on both networks.

Source: Any Dest: Other same-security interfaces you want access to.

So if you had two local subnets you would need a nat exemption rule on both.

3) Create your dynamic NAT rule -- any/any.

This will allow all traffic between the subnets to flow freely but any traffic heading upstream will be caught by the dynamic NAT rule. This may or may not be the best or proper way to do it but it works never the less.

General thoughts on the ASA platform:

1) ASDM is more of a hindrance than a benefit. Maybe it's just my CLI bias but it's really difficult to do anything remotely complex using checkmarks and buttons. There's something about writing a carefully crafted command that has its own inherent procedural logic that allows you to understand things on a deeper level. I would encourage anyone using these devices to force themselves not to use ASDM at first. It's fine for quick changes once you have a better understanding of the platform but at first it makes things much harder than it needs to be.

2) I wish the command syntax was more IOS like. I feel like if they didn't want to completely replicate IOS 100% they should have gone a totally different direction. Having them be 90% similar is very confusing to me. Too often I am retyping commands simply because the order of arguments is slightly different.

3) Where the fuck is the "do" command? (see above point)

4) The packet trace command is a tool you should learn to use right away. This is something I would like to see folded back into IOS.

I still have a number of things to figure out -- security contexts, fall over, etc. I'll try to update this if I come to any other great revelations that might be helpful to someone else starting out with this platform.

No comments: