Also IMHO if this is the case, he needs a Cisco security
trained/certified IT person to manage it. I was OK dealing with IOS,
but the ASA series I always found very difficult to configure and
maintain; I pretty much wouldn’t touch them. One of my customers who
had ASAs at HQ and every branch office had a big IT company under
contract to do all their ASA maintenance and even though they were
supposedly Cisco experts, they would screw up and mess everything up
trying to do a simple change and end up taking a whole day to get it
working again.
Yeah I think they bought the ASA product line from another company. It's
similar enough to IOS to trick you into thinking you can do something
with it, but has enough subtle syntax differences to frustrate you.
A common approach seems to be start with ASDM to get a basic working
config because you’ll never get there from the command line, but then
SSH in and do the rest of the config manually. Then be sure to save a
copy of the config for when you inevitably break everything trying to
make a change.
I encountered a number of ASAs which were set up for point-to-point
VPNs between offices. The VPN configs were exact duplicates of the
examples on Cisco's website. They had the exact names of the access
lists, and the encryption was something ridiculous like 56-bit DES. It's
what the example did and someone just copied it. The firewall rules
were very basic. I assume those also came from an example. These
people would have gotten more value out of something they knew how to use.
Honestly I think the primary reason to use an ASA was /because it was
hard/. There's almost no chance that you're just going to muddle
through something on an ASA. The config is daunting and arcane, and
therefore the company computer guy is scared to touch it and has to call
the consultant. The consultant then makes $300 to adjust a NAT rule.
If you need firmware you can sign up for smartnet (which Ken correctly
points out is not that easy to do), or call your consultant who already
has smartnet and pay him another $300 to update firmware for you.
If I was an IT consultant this would be a smart business choice.
Anyway yeah, ASA is an IT consultant's best friend and doesn't have much
value to a home user even if that user happens to be a CEO. The answer
is to buy him a simple router at Walmart. If he has to have the ASA for
some reason, call the IT person who put it there or pencil in ample time
to spend dealing with it.
I'll deal with it for you, but it might cost you LOL.
-Adam
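The copied-from-the-docs VPN config described in the thread (single DES, example object names) is easy to catch mechanically. The following is an added example, not code from the thread or from Cisco: a Python 3.9+ script that parses a saved ASA running-config, flags weak IKE/IPsec algorithms and DH groups, and then reports which crypto-map peers actually use the weak objects. The embedded config is constructed for the example; its hostname, peer address, access-list and object names are hypothetical, and the weak-token table is deliberately short rather than an exhaustive crypto policy.

```python
"""Audit a Cisco ASA running-config for weak IKE/IPsec crypto settings.
Added example, not code from the thread; the sample config is constructed and
its hostname, peer address, ACL and object names are hypothetical."""
from collections import namedtuple

# Tokens after normalisation ("esp-des" -> "des", "esp-md5-hmac" -> "md5"); not exhaustive.
WEAK = {"des": ("high", "single DES, 56-bit key, brute-forceable"),
        "3des": ("medium", "3DES, 64-bit block (Sweet32), deprecated"),
        "md5": ("high", "MD5 HMAC, collision-broken hash, deprecated"),
        "sha": ("medium", "SHA-1 HMAC, legacy, prefer SHA-2"),
        "sha-1": ("medium", "SHA-1 HMAC, legacy, prefer SHA-2")}
WEAK_DH = {"1": ("high", "768-bit MODP"), "2": ("high", "1024-bit MODP"), "5": ("medium", "1536-bit MODP")}
Finding = namedtuple("Finding", "severity where setting reason")  # severity: "high" or "medium"

def parse_asa_config(text):
    # Collect IKE policies, IKEv1 transform-sets, IKEv2 proposals and crypto-map entries.
    cfg = {"policies": {}, "transform_sets": {}, "proposals": {}, "crypto_maps": {}}
    ctx = None  # (kind, key) of the block whose indented lines we are reading
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or raw.startswith(("!", ":")):
            continue
        if raw.startswith(" ") and ctx:  # indented line belongs to the last block header
            kind, key = ctx
            if kind == "policy":  # " encryption des", " hash md5", " group 14 5"
                cfg["policies"][key].setdefault(tok[0], []).extend(tok[1:])
            elif kind == "proposal" and tok[:2] == ["protocol", "esp"]:
                cfg["proposals"][key].setdefault(tok[2], []).extend(tok[3:])
            continue
        ctx = None
        if len(tok) > 3 and tok[0] == "crypto" and tok[1] in ("ikev1", "ikev2") and tok[2] == "policy":
            key = f"crypto {tok[1]} policy {tok[3]}"
            cfg["policies"][key] = {}
            ctx = ("policy", key)
        elif tok[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["transform_sets"][tok[4]] = tok[5:]
        elif tok[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            cfg["proposals"][tok[4]] = {}
            ctx = ("proposal", tok[4])
        elif tok[:2] == ["crypto", "map"] and len(tok) > 4 and tok[3].isdigit():
            entry = cfg["crypto_maps"].setdefault(f"crypto map {tok[2]} {tok[3]}", {})
            if tok[4:6] == ["set", "peer"]:
                entry["peer"] = tok[6:]
            elif tok[4:7] in (["set", "ikev1", "transform-set"], ["set", "ikev2", "ipsec-proposal"]):
                entry[tok[6]] = tok[7:]  # keyed "transform-set" or "ipsec-proposal"
    return cfg

def _flag(where, tokens, findings):
    for t in tokens:
        norm = t.lower().removeprefix("esp-").removesuffix("-hmac")
        if norm in WEAK:
            findings.append(Finding(WEAK[norm][0], where, t, WEAK[norm][1]))

def audit_config(text):
    """One Finding per weak setting, plus one per crypto-map entry binding a weak object to a peer."""
    cfg = parse_asa_config(text)
    findings = []
    for name, attrs in cfg["policies"].items():
        for attr, vals in attrs.items():
            if attr == "group":
                for g in [g for g in vals if g in WEAK_DH]:
                    findings.append(Finding(WEAK_DH[g][0], name, f"group {g}", f"DH {WEAK_DH[g][1]}, too small"))
            elif attr in ("encryption", "hash", "integrity", "prf"):
                _flag(name, vals, findings)
    for name, algs in cfg["transform_sets"].items():
        _flag(f"transform-set {name}", algs, findings)
    for name, attrs in cfg["proposals"].items():
        for vals in attrs.values():
            _flag(f"ipsec-proposal {name}", vals, findings)
    weak = {f.where for f in findings}  # objects with at least one weak setting
    for name, entry in cfg["crypto_maps"].items():
        peer = " ".join(entry.get("peer", ["<no peer>"]))
        for kind in ("transform-set", "ipsec-proposal"):
            for obj in [f"{kind} {o}" for o in entry.get(kind, []) if f"{kind} {o}" in weak]:
                sev = "high" if any(f.where == obj and f.severity == "high" for f in findings) else "medium"
                findings.append(Finding(sev, name, obj, f"weak {obj} bound to peer {peer}"))
    return findings

# Constructed sample: an IKEv1 site-to-site VPN as it looks when a vendor example is
# copied verbatim, next to an IKEv2 policy/proposal that is defined but never bound.
CONSTRUCTED_CONFIG = """\
hostname asa-branch1
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-DES-MD5
crypto ikev1 policy 10
 encryption des
 hash md5
 group 2
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
"""

if __name__ == "__main__":
    print(*audit_config(CONSTRUCTED_CONFIG), sep="\n")
```

Feed it the text of `show running-config` saved off the box. The crypto-map findings are the ones to fix first: a weak policy or transform-set that nothing references is inert, while the one bound to a peer is what the tunnel actually negotiates.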
--
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com