The Cisco ASA has been around for a long time, and one of its features that I believe is highly under-utilized is the Modular Policy Framework (MPF) for L3-7 inspection. Granted, some inspections are enabled by default, but those either only inspect traffic at L3 and L4, or they do so little at the application layer that all you get out of them is what would be considered “expected” functionality. But there’s a lot more you can do with an ASA than write ACLs and configure NAT. The ASA can inspect application layer traffic for many popular protocols, like HTTP.
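As an added illustration (my own example configuration, not taken from the course or from Cisco documentation), here is what a minimal MPF HTTP inspection policy looks like. It ties a regex to the HTTP Host header and drops connections whose Host matches, which is the building block behind using the ASA as a simple web filter. The regex, class-map and policy-map names, and the host `blocked.example.com`, are placeholder values I chose for the example.

```cisco
! Regular expression matched against the HTTP Host request header.
! The host name here is a placeholder chosen for this example.
regex BLOCKED_HOST_1 "blocked\.example\.com"

! Group one or more regexes so the list can grow without touching the policy.
class-map type regex match-any BLOCKED_HOSTS
 match regex BLOCKED_HOST_1

! Layer 7 class: match HTTP requests whose Host header hits the regex class.
class-map type inspect http match-all BLOCKED_HTTP_REQUESTS
 match request header host regex class BLOCKED_HOSTS

! Layer 7 policy: define what the inspection engine does with matches.
policy-map type inspect http HTTP_FILTER
 parameters
  protocol-violation action drop-connection log
 class BLOCKED_HTTP_REQUESTS
  drop-connection log

! Layer 3/4 class: select the traffic that will be handed to the HTTP engine.
class-map HTTP_TRAFFIC
 match port tcp eq www

! Attach the L7 policy to the L3/4 class inside the global policy.
policy-map global_policy
 class HTTP_TRAFFIC
  inspect http HTTP_FILTER

! Apply the policy on all interfaces (a per-interface service-policy also works).
service-policy global_policy global
```

Two practical notes: the `log` keyword on `drop-connection` is what gives you syslog visibility into what the filter is blocking, so keep it on while tuning the regex list; and because the match is on the plaintext Host header, this only covers HTTP on the port you select in the L3/4 class, not HTTPS, where the header is inside the TLS session.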
Certainly, the more you do with the ASA the more impact you have on CPU. That’s to be expected, and that’s what the ASA is purpose-built for. So why not make use of these application layer policies? Many feel that it’s too difficult to configure. We’ve gotten into a pattern of expecting a nice GUI interface designed in HTML5 and filled with wizards that we can click through, driving us through the entire process without knowing what’s under the hood. While the ASA does have ASDM, a Java-based management tool (yuck), you still need to do quite a bit of configuration to bring application layer policies together.
I’m happy to announce that another Pluralsight course has been published today, ASA Threat Control for CCNP Security (300-206) SENSS.
In this course I cover how to configure the ASA for application layer policy, turning your ASA into a web filter with the ability to block websites that you specify. It’s a fast-paced course and was a lot of fun to develop. Head on over to Pluralsight and check it out. If you’re not a member at Pluralsight, use the contact form and I’ll send you a code for a 30-day trial.
If video training isn’t your thing, this topic is also covered in the Cisco SENSS course, which we offer live online or in a classroom environment. We accept Cisco Learning Credits!
There’s so much you can do with an ASA, but you gotta take the time to figure it out. Once you wrap your mind around the ASA’s capabilities, you’ll be able to impress the boss when he says we need to buy a new appliance to protect against XYZ, and you reply… “Uh, I can do that with our ASA right now!”