Cisco ASAv: The “v” Makes It Better

ByFebruary 1, 2016

software networkingWhen companies move to the cloud, one of the biggest topics is getting rid of all the hardware servers and how freeing it is to no longer have to monitor and maintain servers. However, something a lot of people don’t realize is that this plan gives network engineers pause. 

I talk to a lot of network engineers during their migration to iland’s cloud environment, and there is an overwhelming opinion that software networking can’t compete with tried and true network hardware. The common misconception is that they’ll have to toss their hardware firewall in the trash and are going to get a junky virtual machine running an “out of the box” service as their corporate firewall replacement.

Before I explain why – first, a bit about me.  I joined iland with a general desire to be at the front of the pack when it came to learning new technologies. I wanted to be the guy that was playing around with new technology the minute it was released; no “too long, didn’t read” guides by users, no “copy and paste someone else’s code”. I wanted to be the guy to discover all of this information on my own and come up with creative ways to implement the technology. I got lucky and iland just so happened to be the perfect place for me to do that. iland adopts new technologies and provides its employees with all the right tools to test and implement these technologies at lightning speed.

One of these new technologies came out in 2014 and is called Cisco ASAv. The Cisco ASAv is the first virtual version of Cisco’s famous ASA firewall. Almost everyone I’ve come into contact with is familiar with the Cisco ASA, and most of those people have used them in some shape or form before. When the Cisco ASAv came out, iland immediately jumped on it and gave it to me and said, “Here. Make this work.” This is what network engineers’ dreams are made of. Like they say, the rest is history.

Today, iland not only takes company servers and makes them virtual, but it also takes company networking and makes it virtual… all without losing any functionality. The Cisco ASAv gets deployed from a template in our environment and goes from non-existent to powered on and running in 5 minutes. By the end of the day, we have the ASAv attached to a public network and our customer has an SSH connection open to it and we’re working together on the phone to finalize their configuration. I always get something along the lines of, “Man this is awesome. I had no idea this was a thing” from the customer.

Sure, it’s a cool idea; a virtual Cisco ASA is a shiny new toy. But what’s the big deal if it just does what the hardware ASA does? Well, it doesn’t just do what a hardware ASA does; it provides so much more. The ASAv allows us to deploy a high-availability pair that is setup for failover events, and then we utilize VMware host rules to keep the ASAv firewalls on separate hosts: 

  • In the event a VMware host goes down, the ASAv fails over to the backup ASAv. 
  • In the event where the ASAv itself goes down, it fails over to the backup ASAv. 
  • In the event that you accidentally wipe your entire config, we’ll pull a backup of your config from our monitoring system. 
  • In the event that you delete the ASAv pair, we’ll pull a backup of your ASAv itself. 

Let’s look at the hardware ASA real quick… In the event the ISP at your data center goes down, you’re gonna have a bad time. In the event that your power at the datacenter goes out, you’re gonna have a bad time. In the event that the ASA is old and finally croaks in the middle of the night, you’re gonna have a bad time. This could go on forever.

So we have a high-availability pair of virtual ASA firewalls on flexible, redundant hosts. It can’t get any better, right? Enter Cisco REST API. Welcome to automated configurations and error checking, advanced monitoring, and so much more. Imagine deploying a server and having your ASAv automatically add firewall rules based on your server’s role in your network. For me, this means deploying an entire customer network in a few minutes; everything from the base network to an SSL VPN for remote management to multiple IPSEC VPN tunnels for securing WAN traffic.

At this point, you’re looking at your hardware firewall and wondering what you’re doing with your life. The Cisco ASAv is a game changer in the software-defined networking world, and iland is a seasoned veteran when it comes to migrating customers off of hardware networking devices. The reliability, redundancy, speed, and ease is what we’ve all wanted in our networking job, and iland has found a way to turn that pipe dream into reality.

Garret Nowak

Garret Nowak

Garrett Nowak is a network engineer at iland, where he's worked for 4 years. He loves working with our customers on network designs and spends a lot of his time with other network engineers on iland infrastructure projects. Outside of work, he enjoys watching college football, gaming, and eating everything in sight.