
    Firewall Options

    • Son of Jor-El

      Right now, everything works fine. Was told that in order to have a site-to-site connection, I need to be on 8.3 firmware. I think I'm on 8.1.

      To be honest, I haven't looked at alternatives yet. The past 3 jobs have all had 5510's, so that's all I've known for like the past 10 years or whatever LOL.

      Alternative ideas are welcome!!

      • scottalanmiller

        5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.

        • Son of Jor-El @scottalanmiller

          @scottalanmiller said in Firewall Options:

          5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.

          I understand and didn't say you were implying anything.

          That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.

          • scottalanmiller @Son of Jor-El

            @Son-of-Jor-El said in Firewall Options:

            @scottalanmiller said in Firewall Options:

            5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.

            I understand and didn't say you were implying anything.

            That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.

            VPN tech is "always" free 🙂 There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.

            • scottalanmiller

              https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#additionaldevices

              • Son of Jor-El @scottalanmiller

                @scottalanmiller said in Firewall Options:

                @Son-of-Jor-El said in Firewall Options:

                @scottalanmiller said in Firewall Options:

                5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.

                I understand and didn't say you were implying anything.

                That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.

                VPN tech is "always" free 🙂 There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.

                So, is it possible that the firmware update isn't needed and they are blowing smoke up my ass?

                • Dashrender @Son of Jor-El

                  @Son-of-Jor-El said in Firewall Options:

                  @scottalanmiller said in Firewall Options:

                  @Son-of-Jor-El said in Firewall Options:

                  @scottalanmiller said in Firewall Options:

                  5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.

                  I understand and didn't say you were implying anything.

                  That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.

                  VPN tech is "always" free 🙂 There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.

                  So, is it possible that the firmware update isn't needed and they are blowing smoke up my ass?

                  Unless there is a known bug in the ASA firmware that causes issues with Azure, sure sounds like it.

                  • Dashrender

                    In any case - a Ubiquiti Edge Router is approximately $100 - what's the issue in buying one of these?

                    • Son of Jor-El @Dashrender

                      @Dashrender said in Firewall Options:

                      @Son-of-Jor-El said in Firewall Options:

                      @scottalanmiller said in Firewall Options:

                      @Son-of-Jor-El said in Firewall Options:

                      @scottalanmiller said in Firewall Options:

                      5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.

                      I understand and didn't say you were implying anything.

                      That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.

                      VPN tech is "always" free 🙂 There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.

                      So, is it possible that the firmware update isn't needed and they are blowing smoke up my ass?

                      Unless there is a known bug in the ASA firmware that causes issues with Azure, sure sounds like it.

                      Interesting!

                      • scottalanmiller @Son of Jor-El

                        @Son-of-Jor-El said in Firewall Options:

                        @scottalanmiller said in Firewall Options:

                        @Son-of-Jor-El said in Firewall Options:

                        @scottalanmiller said in Firewall Options:

                        5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.

                        I understand and didn't say you were implying anything.

                        That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.

                        VPN tech is "always" free 🙂 There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.

                        So, is it possible that the firmware update isn't needed and they are blowing smoke up my ass?

                        Possible, but more likely Cisco lacks some flexibility and you need something more robust. They probably only added the needed power with that update. Just a guess.

                        • Son of Jor-El @Dashrender

                          @Dashrender said in Firewall Options:

                          In any case - a Ubiquiti Edge Router is approximately $100 - what's the issue in buying one of these?

                          Just a lack of knowledge on them, that's all.

                          • scottalanmiller @Dashrender

                            @Dashrender said in Firewall Options:

                            @Son-of-Jor-El said in Firewall Options:

                            @scottalanmiller said in Firewall Options:

                            @Son-of-Jor-El said in Firewall Options:

                            @scottalanmiller said in Firewall Options:

                            5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.

                            I understand and didn't say you were implying anything.

                            That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.

                            VPN tech is "always" free 🙂 There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.

                            So, is it possible that the firmware update isn't needed and they are blowing smoke up my ass?

                            Unless there is a known bug in the ASA firmware that causes issues with Azure, sure sounds like it.

                            I would guess more of a limitation on settings. Like not having a way to configure an uncommon option that is necessary.

                            • Son of Jor-El

                              I am asking the person who said I needed the update what SPECIFIC issue causes us to do the update. Let's see what they say.

                              • Dashrender

                                You should look at what's been patched in that newer version of the firmware - that to me is a bigger reason to either purchase SmartNet or move away from the ASA.

                                • Kelly

                                  End of support is coming up fast on the 5510 - http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eol_C51-727283.html.

                                  • Son of Jor-El

                                    So, I got the following response on why I need 8.3: Based on the debugging information, lack of proper IKEv2 support appears to be involved in the connectivity failures. Unless the device is upgraded to firmware version 8.3 or later, you cannot use it to establish a site-to-site tunnel to Azure.

                                    • scottalanmiller @Son of Jor-El

                                      @Son-of-Jor-El said in Firewall Options:

                                      So, I got the following response on why I need 8.3: Based on the debugging information, lack of proper IKEv2 support appears to be involved in the connectivity failures. Unless the device is upgraded to firmware version 8.3 or later, you cannot use it to establish a site-to-site tunnel to Azure.

                                      So the answer is... the 5510 doesn't have proper IKEv2 support. What year is this?

                                      • scottalanmiller

                                        Cisco, only 12 years behind. Just great.

                                        • JaredBusch @scottalanmiller

                                          @scottalanmiller said in Firewall Options:

                                          Cisco, only 12 years behind. Just great.

                                          Umm, these units were EoL'd almost 4 years ago. And lack of proper support does not mean lack of support. It could simply be a bug that was never patched because it has been EoL'd since 2013.

                                          • scottalanmiller @JaredBusch

                                            @JaredBusch said in Firewall Options:

                                            @scottalanmiller said in Firewall Options:

                                            Cisco, only 12 years behind. Just great.

                                            Umm, these units were EoL'd almost 4 years ago. And lack of proper support does not mean lack of support. It could simply be a bug that was never patched because it has been EoL'd since 2013.

                                            Definitely an old unit, but we'd hope that they would have had that working before 2010.
