Router/Firewall suggestions (commercial)

supergper (Gawd; joined Apr 25, 2005; 766 messages)
I'm sure it's been asked lots, but here it is again. I currently have an ASA 5505 with the security bundle. This is not for my home, but for a rack I have at a local data center. I'm looking to possibly try something else. What else would you guys suggest I take a look at in the sub-$600 range? So far I'm considering the following:

Juniper SRX100
Juniper SSG5
Watchguard XTM330
Another ASA

Any other suggestions? The features I would really like/need are high availability (A/S), 100 Mb+ throughput, and VLAN support (I only need maybe 5 VLANs). I don't care about UTM/VPN/etc.; if it comes with the extras, great, if not I don't care. This will be supporting a small hosting company. The reason I'm starting to look is that my current ASA may or may not have an issue. I recently paid someone to configure it correctly and since then I get random page hangs on customers' sites (and my own). He mentioned he thought the hardware could be going bad, but since I never had these issues before, I question that.

Anyways, any suggestions?
 
Oh, I will also say, since it's in a datacenter, I'd prefer it doesn't even include wireless. If it has it, it will be shut off, so I'd prefer not to pay for it. :)
 
Post up the config, and also set up syslog to see if there are any issues. No point paying out money if it's a config issue.
 
if you need high availability, the 5505 won't cut it (you'd need a 5510 to do A/S).

It appears you don't configure the devices yourself, so make sure whatever you buy you can hire someone to do it; Cisco people are easier to find than Juniper geeks.
 
What exactly happens with the page hangs? Does it seem like the state/session was dropped?
 
> He mentioned he thought the hardware could be going bad but since I never had these issues before, I question that.
>
> Anyways, any suggestions?

Hardware might be going bad? Sounds like smoke to me. Either way, as Jay said, set up syslog and check the logs when you get timeouts. Got SmartNet on the ASA?
 
5515 is what I would get for production, but that is way out of the $600 range. 5505 should work for you, not sure why it wouldn't...
 
I'd normally recommend an ASA, but for your price range, the SRX100 may be the best option. I'd recommend an SRX200 or ASA5510(or better) if you can afford it, but the SRX100 is built like a tank too, so you can't really go wrong. Honestly, your config is probably f'ed up on your current ASA, so maybe you just need that fixed up.
 
Well, I have always configured it myself in the past (and it's always been 100% stable without any issues). I was recently upgrading my service at my DC, moving cabinets, etc., so I figured it would be a good idea to have someone that really knows this stuff come in and set it up properly (I'm sure my setup was mostly hacked together since I've learned my Cisco knowledge on this device). My day job is System Engineer (actually I'm the manager of the team) so I'm not completely clueless, but I stay away from the network side of things; our neteng team handles all that stuff... and we're a Juniper shop, so finding Juniper help wouldn't be too tough. But as said, if I can avoid buying something new for no reason, that would be ideal.

As for the HA on the 5505, that's correct, it doesn't do HA; the way we are handling it is using spanning tree on the upstream switches. I suspected that setup at first, so I disabled one of the two interfaces and left it that way for a couple of days; I continued to see the hangs. The guy that set it up thought maybe one of the firewall rules was causing the hangs, but that didn't make sense to me, because if that were the case I would think it would be consistent. The hangs aren't consistent: if I click a link it may hang, and if it does hang I can usually click the link again and the page will then load fine. Kind of like it's losing packets, but I tried to monitor on the ASA and on my switch (Cisco 2960G) and I'm not seeing packet loss. As a result, he added a permit any any rule to see if they would stop (they haven't). Doing an mtr shows some loss on the internet, but again, before these changes, this same setup, same connections, etc. were hang free.

You can see the hangs for yourself by viewing my main website at http://www.cloud-virt.com (promise, this isn't a shameless promo :D). Click around a bit and you'll eventually see your page just hang; when it does, you can usually click again and it will then load fine.

Here's my config (of course I've changed passwords and usernames):
http://www.cloud-virt.com/tmp/asa.txt

If anyone wants to take a look at it, I'd appreciate it. If you want more info, feel free to ask.
 
Also, due to some connections I have, I could get into a new 5510 with a Security Plus license within my budget, but it would be several weeks (maybe even a couple of months) out.
 
Any thoughts on adding something like a fortigate to the list? Maybe even an NSA series Sonicwall?
 
I've had bad experience with SonicWall in the past...but that was probably 8 or so years ago. I'm keeping an open mind at this point, so anything would be considered.
 
Are you sure it's not your server doing the hangs on that website? I see when it hangs, but if I click the same button right after the hang it works instantly. How about if you boot up ASDM and watch the packets? I would let ASDM log the traffic and then click around on your website... Once you see it hang, press stop and go back and see if you can see anything out of the ordinary like a blocked packet or lost packet.
 
Yeah, I'm 100% sure it's not the server. I have a half dozen bare metal servers, more than a dozen VPSes, and a standalone NAS device in my network, and they all show the same symptoms. When I see hangs, I don't see anything in the logs other than that the request was served. Like I said, nothing was changed but the ASA config between when it was fine and when it was not fine.
 
Ahh, ok. Did you happen to make a backup of the config before he configured it again? Also, did he upgrade the IOS to a new version?
 
> I've had bad experience with SonicWall in the past...but that was probably 8 or so years ago. I'm keeping an open mind at this point, so anything would be considered.

I would have agreed with you had this been 8 years ago. But having worked with their Gen 5 firewalls my opinion has changed. Not saying it's the way you should go, but look in their NSA line and I don't think you'll be disappointed (stay away from their TZ line for your purpose).
 
> ahh ok, did you happen to make a backup of the config before he configured it again? Also did he upgrade the IOS to a new version?

I do. I was going to go over that and see what the differences are. One big change was that a new /24 was added, so I can't just roll back to that config, otherwise I'll drop connectivity for half of my customers.

> I would have agreed with you had this been 8 years ago. But having worked with their Gen 5 firewalls my opinion has changed. Not saying its the way you should go, but look in their NSA line and I don't think you'll be disappointed (stay away from their tz line for your purpose).

Good to know, I'll give them a look. Thanks
 
Yeah, I wouldn't say roll back to that config, just try to find anything that would be different between the two. If you want to upload it I'll take a look and see if I can see anything :) I've been pinging your 87.1 and 84.2 IPs for some time now and only see minimal loss, so I don't think your connection has anything to do with it. The weird thing is I can ping 84.10 and don't see loss either; I'm assuming that's a server? I would think that if the ASA was the problem I would see loss via ping to a server.
 
Yeah, I'll get it uploaded in a few. Yeah, the actual packet loss is quite minimal and most of it is on the carrier's lines; rarely do I see loss at my ASA or at one of my servers. Even when I watch the interfaces on the ASA and on my switch, I don't see packet loss, even when I do a flood ping. The .10 address is one of my VPSes.
 
One thing I see that is weird is your ACLs... He named them cv-outside, but then in your groups he didn't map them to a port.

access-list cv-outside extended permit icmp any any echo-reply
access-list cv-outside extended permit ip any host 209.41.84.2
access-list cv-outside extended permit ip any host 209.41.84.3
access-list cv-outside extended permit ip any host 209.41.84.4
access-list cv-outside extended permit ip any host 209.41.84.5
access-list cv-outside extended permit ip any host 209.41.84.6
access-list cv-outside extended permit ip any host 209.41.84.7
access-list cv-outside extended permit ip any host 209.41.84.8
access-list cv-outside extended permit ip any host 209.41.84.9
access-list cv-outside extended permit ip any host 209.41.84.10
access-list cv-outside extended permit ip any host 209.41.84.11
access-list cv-outside extended permit ip any host 209.41.84.20
access-list cv-outside extended permit ip any host 209.41.84.21
access-list cv-outside extended permit ip any host 209.41.84.22
access-list cv-outside extended permit ip any host 209.41.84.23
access-list cv-outside extended permit ip any host 209.41.84.24
access-list cv-outside extended permit ip any host 209.41.84.25
access-list cv-outside extended permit ip any host 209.41.84.26
access-list cv-outside extended permit ip any host 209.41.84.27
access-list cv-outside extended permit ip any host 209.41.84.28
access-list cv-outside extended permit ip any host 209.41.84.29
access-list cv-outside extended permit ip any host 209.41.84.30
access-list cv-outside extended permit ip any host 209.41.84.31
access-list cv-outside extended permit ip any host 209.41.84.32
access-list cv-outside extended permit ip any host 209.41.84.33
access-list cv-outside extended permit ip any host 209.41.84.34
access-list cv-outside extended permit ip any host 209.41.84.35
access-list cv-outside extended permit ip any host 209.41.84.36
access-list cv-outside extended permit ip any host 209.41.84.37
access-list cv-outside extended permit ip any host 209.41.84.38
access-list cv-outside extended permit ip any host 209.41.84.39
access-list test-cv-in extended permit ip any any

access-group test-cv-in in interface customer-net-1
access-group test-cv-in out interface customer-net-1
access-group test-cv-in in interface outside
access-group test-cv-in out interface outside

I see at the bottom he has access-list test-cv-in extended permit ip any any, which appears to be mapped to the outside port. So that whole ACL list above it looks to be useless. Everything is coming in through that one IP Any Any statement. I don't think I would want to allow everything coming in from the outbound port to your whole network (if it were me), but you know your datacenter, so if that is safe then ignore that. One other thing I saw is you have a NAT statement in your old config and it's not in the new one (nat (inside) 1 0.0.0.0 0.0.0.0). Also, how come he didn't static map anything to an internal IP?
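The two problems called out above (an ACL that is defined but never bound with access-group, and a blanket permit ip any any bound in both directions on the outside interface) are easy to miss by eye in a long running-config. The script below is an added example, not something from the thread or from Cisco; it parses the access-list and access-group lines of an ASA config and reports both conditions. The sample config is a constructed subset of the lines posted above plus one made-up management ACL (mgmt-in) and interface (management) to show what a clean binding looks like. It audits the config's structure only; it does not diagnose the page hangs.

```python
"""Audit Cisco ASA access-list / access-group bindings (added example).

Reports:
  UNBOUND  - an access-list that no access-group applies to any interface
  MISSING  - an access-group that references an access-list not in the config
  BLANKET  - a bound access-list containing a bare 'permit ip any any'
"""
import re
from collections import defaultdict

# access-list NAME extended permit|deny PROTO SRC DST [ports...]
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
# access-group NAME in|out interface IFACE
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")

# ASA 9.x also writes any4 / any6; treat all three as a wildcard.
ANY = {"any", "any4", "any6"}


def parse_acls(config):
    """Return ({acl_name: [ace, ...]}, [binding, ...]) from config text.

    Object-group based ACEs and remarks are ignored: the regex only
    matches the plain 'extended' host/any form used in the posted config.
    """
    acls = defaultdict(list)
    bindings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls[name].append({"action": action, "proto": proto, "rest": rest.split()})
            continue
        m = GROUP_RE.match(line)
        if m:
            name, direction, iface = m.groups()
            bindings.append({"acl": name, "direction": direction, "interface": iface})
    return dict(acls), bindings


def is_blanket_permit(ace):
    """True for 'permit ip any any' with no further qualifiers."""
    rest = ace["rest"]
    return (ace["action"] == "permit" and ace["proto"] == "ip"
            and len(rest) == 2 and rest[0] in ANY and rest[1] in ANY)


def audit(config):
    acls, bindings = parse_acls(config)
    bound = {b["acl"] for b in bindings}
    findings = []
    for name, aces in acls.items():
        if name not in bound:
            findings.append(f"UNBOUND: access-list {name} ({len(aces)} entries) is not applied to any interface")
    for b in bindings:
        if b["acl"] not in acls:
            findings.append(f"MISSING: access-group references undefined access-list {b['acl']}")
            continue
        if any(is_blanket_permit(ace) for ace in acls[b["acl"]]):
            findings.append(f"BLANKET: {b['acl']} bound {b['direction']} on {b['interface']} "
                            f"contains 'permit ip any any'")
    return findings


# Constructed sample: a subset of the posted config plus a made-up mgmt-in ACL
# and 'management' interface (hypothetical, not from the thread).
SAMPLE_CONFIG = """
access-list cv-outside extended permit icmp any any echo-reply
access-list cv-outside extended permit ip any host 209.41.84.2
access-list cv-outside extended permit ip any host 209.41.84.3
access-list test-cv-in extended permit ip any any
access-list mgmt-in extended permit tcp host 203.0.113.10 host 209.41.84.2 eq ssh
access-list mgmt-in extended deny ip any any
!
access-group test-cv-in in interface customer-net-1
access-group test-cv-in out interface customer-net-1
access-group test-cv-in in interface outside
access-group test-cv-in out interface outside
access-group mgmt-in in interface management
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted config, the report should be one UNBOUND line for cv-outside and four BLANKET lines for test-cv-in, one per access-group binding; the constructed mgmt-in ACL is bound and has no wildcard permit, so it produces nothing. Removing the test-cv-in bindings and applying cv-outside in on outside clears both.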
 
You could delete that cv-outside access-list, it's not mapped to any access-groups.
 
Yeah, I mentioned that earlier; he added the permit any any to rule out the access list rules as where it's hanging up. No, it's not ideal and will be removed. The reason the IPs aren't mapped is because the servers are assigned public IPs; this was by design.

As for the NATting, I would assume that's not there because I'm not NATting anything. In my old setup I only had a /28, so I had to make do and share IPs; now that I have that /28 and a /24, I have a few more IPs to play with for my management stuff.
 