Terms of Reference (ASA) - ctbto.org · Current VPN Concentrator 3015 version ... Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.B Oct 04 2005 02:50:52 Number …
Terms of Reference (ASA) Version 2010-05-07

1/12

ANNEX C

Terms of Reference (ASA)

Project Name: CISCO ASA GCI (Cisco Adaptive Security Appliances as replacement for GCI VPN Concentrators 3015)

Date: 2010-05-07 Release: Final and reviewed

Overview

1. BACKGROUND ....................................................................................... 2
2. SPECIFICATION OF THE REPLACEMENT SYSTEM ........................ 4
3. SCOPE OF WORK .................................................................................... 4
4. REQUIREMENTS AND CONDITIONS ................................................. 7
5. Current VPN Concentrator 3015 version .................................................. 8
6. Memory status (Primary 3015) .................................................................. 9
7. Interfaces (Primary 3015) ........................................................................ 10
8. Redundancy (Primary 3015) .................................................................... 10
9. Routing Table (Primary 3015) ................................................................. 11
10. 24 Hour IPSec statistics (Primary 3015) ................................................. 12


1. BACKGROUND

For more than five years the Preparatory Commission for the Comprehensive Nuclear-Test-Ban Treaty Organization (hereinafter referred to as the “Commission”) has owned and operated, on its Global Communications Infrastructure (hereinafter referred to as the “GCI”), Virtual Private Network (hereinafter referred to as the “VPN”) concentrators comprising two (2) Cisco 3015s in a redundant configuration. The 3015 concentrators allow remote users of the Cisco IPSec VPN Client to connect to a variety of services within the Commission infrastructure and the GCI, including the GCI Network Management Systems (hereinafter referred to as the “NMS”), Mail Systems, Uniform Reporting Interfaces (hereinafter referred to as the “URI”) and Incident Tracking Systems (hereinafter referred to as the “ITS”). With Cisco's announcement of End-of-Life for the 3015 series, with Last Day of Support in August 2012, the Commission has determined to replace the 3015s with two (2) ASA 5540 devices. This replacement should be implemented without losing or modifying any vital aspect of the current Client VPN functionality.

The operation of this infrastructure is critical to the operation of the Commission. Any failure will result in a switchover to the redundant system. A loss of the backup system or a misconfiguration of the entire system could result in the complete loss of Client VPN network connections to Vienna.

The following network diagram gives a general view of the 3015 VPN concentrator infrastructure in Vienna. Each 3015 has three interfaces: one interface connects to a public subnet, the other two interfaces connect to private subnets. The main traffic flows associated with the 3015s are also shown (both IPSec traffic and non-IPSec, out-of-tunnel traffic), together with the principal routers used to carry this traffic. Also shown is the path for the authentication of Client VPN users against an ACS infrastructure running the RADIUS protocol.


2. SPECIFICATION OF THE REPLACEMENT SYSTEM

The ASA configuration as replacement for the 3015 cluster has to consist of two (2) Cisco Adaptive Security Appliances model 5540 in a redundant active/standby configuration. Each of these appliances is to be delivered with the following configuration and services:

Product / part number   Description                                                                        Quantity
ASA5540-BUN--K9         Cisco ASA 5540 Appliance with SW, HA, 4GE+1FE, 3DES/AES                           1
SF-ASA-7.2-K8           ASA 5500 Series Firmware v7.2 (or higher)                                         1
ASA5540-VPN-PR          ASA 5540 VPN Premium 5000 IPSec User License                                      1
ASA5500-ENCR-K9         ASA 5500 Strong Encryption License 3DES/AES                                       1
ASA-VPN-CLNT-K9         Cisco VPN Client Software (Windows, Solaris, Linux, Mac)                          1
SSM-BLANK               ASA/IPS SSM Slot Cover                                                            1
ASA-180W-PWR-AC         ASA 180W AC Power Supply                                                          1
CAB-ACE                 AC Power Cord (Europe), C13, CEE 7, 1.5M                                          1
CON-OSE-AS4BUNK9        SMARTnet ONSITE 8X5X4 ASA 5540 with HA, 3DES/AES hardware maintenance (1 year)    1
                        Installation on-site (as specified below)                                         1

3. SCOPE OF WORK

a) The Contractor shall elaborate and provide a detailed migration, implementation and testing plan for the whole replacement procedure. This plan shall describe exactly how the replacement of the 3015 cluster configuration is proposed with as little disruption of connectivity as possible. Any additional and temporary equipment (switches, routers, cables, etc.) which is required for the implementation of this plan shall be provided by the Contractor.


b) The Contractor shall deliver a complete configuration file for each of the two ASA devices which fully reflects the configuration and functionality of the respective 3015 concentrator to be replaced. Configuration files of the existing 3015s in their most current version will be made available to the Contractor without restriction as soon as the Contract is awarded.

c) The 3015 configuration files will be in the form of unencrypted XML files which the Contractor can forward to Cisco to request a conversion to ASA configuration files, using Cisco’s conversion tool. The Commission expects that the production of the ASA configuration file using Cisco’s conversion tool will not be a perfect conversion and that the Contractor will therefore need to further ensure that the ASA final configurations will fully reflect the configuration and functionality of the respective 3015s to be replaced.

d) The Contractor shall carry out the replacement in a way that has no or minimal impact on Cisco VPN client users, including, if possible, no change to the Cisco VPN client software currently deployed to users. The approved implementation and testing plan needs to detail how this will be achieved.

The currently deployed Cisco VPN Client software dates from the following releases:

I. CISCO VPN Client for Windows vpnclient-win-msi-4.0.4.B-k9
II. CISCO VPN Client for Solaris vpnclient-solaris-4.0-Rel-k9.tar
III. CISCO VPN Client for Linux vpnclient-linux-4.0.4.B-k9.tar

e) The Contractor shall design a two-phase deployment for the ASAs. Phase 1 (one) shall consist of the actual installation and testing of the ASA 5540 devices using the currently deployed Cisco VPN client software. Phase 2 (two) shall consist of the final cutover of VPN services from the 3015s to the ASAs. Consideration shall be given to the possibility that Phase 1 (one) identifies incompatibility issues between the currently deployed Cisco VPN clients and the ASAs.

f) The Contractor shall deliver two (2) ASA 5540 devices as described by the specifications above to the Commission Computer Centre at floor C-1 in the Vienna International Centre (VIC) via the VIC Receiving Area. Prior to the actual hardware installation the new ASAs shall be loaded by the Contractor with the configuration files as accepted by the Commission.


g) The Contractor shall conduct on-site de-installation of the existing two 3015 devices (including all temporary re-cabling as required) and on-site hardware installation of the two new ASA 5540 devices according to the detailed implementation plan as referred to above.

h) The Commission will allocate cabinet space for the ASAs and allocate redundant power feeds. The Commission will update rack layout diagrams to reflect the new infrastructure. The Commission will label and record all new cable runs in their cable records. The Contractor shall label the ASAs and ASA interfaces.

i) Under close supervision of the Commission the Contractor shall conduct extensive functional testing according to the approved implementation and testing plan. The respective test procedures shall cover all relevant aspects of the configuration files.

j) If any additional equipment or additional interfaces (temporary or permanent) are required on the new ASAs to facilitate the replacement of the 3015s, then these shall be configured using IP address range allocations and net masks provided by the Commission. The IP addresses will be recorded in the Station Interconnection Worksheet by the Commission and managed under the Commission Configuration Control Procedures if necessary.

k) The Contractor shall ensure that the ASAs can be fully monitored on the GCI NMS using SNMP and that SNMP polling of the ASAs from other monitoring devices is possible.

l) Cisco ASA Firewall configuration: The appliance shall be configured as a transparent firewall, i.e. a Layer 2 firewall that acts as a stealth firewall and is not seen as a router hop by connected devices.

m) The Contractor shall provide a three-day training course on the configuration and operation of the ASA 5540 for up to four (4) people on-site at the PTS premises. The course contents shall be tailored to the functionality provided by the ASAs as deployed at the PTS. Course content covering configuration and maintenance of ASA security and access list features is expected to be a minor component.


4. REQUIREMENTS AND CONDITIONS

a) The actual cut-over from the current 3015 VPN concentrator cluster to the two new CISCO ASA 5540s shall be performed with as little disruption as possible. Details of the proposed procedure shall be specified in advance in the migration, implementation and testing plan.

b) All necessary temporary equipment shall be provided by the Contractor.

c) On-site hardware de-installation and hardware installation, as well as the subsequent testing, shall take place on a working day (Tuesday, Wednesday or Thursday) during regular office hours.

d) The Contractor shall deliver a solution based on a “turn-key” approach.

e) The Commission estimates that the work to be performed under the contract, in addition to the on-site training specified above, will require a minimum Contractor effort of between 64 and 80 working hours (8-10 man-days). The Commission shall have the option to use any surplus hours for additional training and consulting in the event that the working hours required to complete the project turn out to be lower than the expected 64 working hours (8 man-days).

f) It is nevertheless the sole responsibility of the Contractor to fulfil and complete the scope of work as specified above independent of the expected time frame of 64 to 80 working hours (8-10 man-days).

g) In the proposal, the actual amount of man-days/hours and their respective allocation to different work-phases shall be clearly specified. Independent of this calculation it will nevertheless be the sole responsibility of the Contractor to fulfil and complete the scope of work as specified.


5. Current VPN Concentrator 3015 version

Current Software Revision: Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.B Oct 04 2005 02:50:52

Number of Groups configured in each 3015: 20

System Status (Primary 3015):


6. Memory status (Primary 3015)


7. Interfaces (Primary 3015)

8. Redundancy (Primary 3015)


9. Routing Table (Primary 3015)

Address           Mask              Next Hop          Interface  Protocol  Age  Metric
0.0.0.0           0.0.0.0           193.218.117.134   2          Default   0    1
10.0.0.0          255.0.0.0         172.22.247.1      1          Static    0    1
10.0.170.0        255.255.255.0     0.0.0.0           2          Static    0    1
10.0.176.0        255.255.255.0     0.0.0.0           2          Static    0    1
10.0.177.0        255.255.255.0     0.0.0.0           2          Static    0    1
10.0.178.11       255.255.255.255   0.0.0.0           2          Static    0    1
10.33.3.0         255.255.255.0     172.22.247.6      1          Static    0    1
10.85.0.0         255.255.255.0     172.22.247.6      1          Static    0    1
10.86.3.0         255.255.255.0     172.22.247.6      1          Static    0    1
10.86.5.0         255.255.255.0     172.22.247.6      1          Static    0    1
10.86.6.0         255.255.255.0     172.22.247.6      1          Static    0    1
10.86.7.0         255.255.255.0     172.22.247.6      1          Static    0    1
10.86.254.0       255.255.255.0     172.22.247.6      1          Static    0    1
172.22.0.0        255.255.0.0       172.22.247.1      1          Static    0    1
172.22.55.80      255.255.255.240   172.22.247.6      1          Static    0    1
172.22.241.0      255.255.255.0     172.22.248.6      3          Static    0    1
172.22.242.0      255.255.255.0     172.22.248.6      3          Static    0    1
172.22.247.0      255.255.255.0     0.0.0.0           1          Local     0    1
172.22.248.0      255.255.255.0     0.0.0.0           3          Local     0    1
172.27.0.0        255.255.0.0       172.22.248.6      3          Static    0    1
172.27.33.0       255.255.255.0     0.0.0.0           2          Static    0    1
192.168.16.0      255.255.255.0     172.22.248.6      3          Static    0    1
192.168.17.0      255.255.255.0     172.22.248.6      3          Static    0    1
192.168.18.0      255.255.255.0     172.22.248.6      3          Static    0    1
192.168.19.0      255.255.255.0     172.22.248.6      3          Static    0    1
192.168.20.0      255.255.255.0     172.22.248.6      3          Static    0    1
192.168.27.0      255.255.255.0     172.22.248.6      3          Static    0    1
193.218.117.80    255.255.255.240   172.22.248.6      3          Static    0    1
193.218.117.96    255.255.255.224   172.22.248.6      3          Static    0    1
193.218.117.128   255.255.255.240   0.0.0.0           2          Local     0    1
193.218.117.160   255.255.255.240   172.22.247.1      1          Static    0    1
193.218.117.211   255.255.255.255   172.22.248.6      3          Static    0    1
193.218.117.212   255.255.255.255   172.22.248.6      3          Static    0    1
193.218.117.213   255.255.255.255   172.22.248.6      3          Static    0    1
198.212.41.0      255.255.255.0     193.218.117.138   2          Static    0    1
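Section 3(c) expects that Cisco's conversion tool will not carry the 3015 configuration over perfectly, and the routing table above is one of the parts that has to be verified by hand. The following script is an added example, not part of the Terms of Reference or of any Cisco tool: it parses the table in the column order the concentrator prints it, resolves a destination by longest-prefix match (so the more specific 10.33.3.0/24 wins over 10.0.0.0/8), checks that every static next hop lies on a connected (Local) network of the same interface, and emits equivalent ASA `route` commands. The sample table is a constructed subset of the rows listed above, and the mapping of 3015 interface numbers to ASA interface names (`IFACE_NAMES`) is an assumption; the ToR only states that one interface is public and two are private.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the Primary 3015 routing table from section 9,
# in the column order the concentrator prints it (header line first).
SAMPLE_TABLE = """\
Address Mask Next Hop Interface Protocol Age Metric
0.0.0.0 0.0.0.0 193.218.117.134 2 Default 0 1
10.0.0.0 255.0.0.0 172.22.247.1 1 Static 0 1
10.0.170.0 255.255.255.0 0.0.0.0 2 Static 0 1
10.33.3.0 255.255.255.0 172.22.247.6 1 Static 0 1
172.22.247.0 255.255.255.0 0.0.0.0 1 Local 0 1
172.22.241.0 255.255.255.0 172.22.248.6 3 Static 0 1
172.22.248.0 255.255.255.0 0.0.0.0 3 Local 0 1
193.218.117.128 255.255.255.240 0.0.0.0 2 Local 0 1
198.212.41.0 255.255.255.0 193.218.117.138 2 Static 0 1
"""

# Assumed mapping from 3015 interface numbers to ASA nameif values: the
# default route and the public /28 sit on interface 2, so that one is "outside".
IFACE_NAMES = {1: "inside", 2: "outside", 3: "inside2"}

NO_NEXT_HOP = ipaddress.IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    interface: int
    protocol: str
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Parse the whitespace-separated table; the first line is the header."""
    routes: List[Route] = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"unexpected row: {line!r}")
        addr, mask, nh, iface, proto, _age, metric = fields
        routes.append(Route(ipaddress.IPv4Network(f"{addr}/{mask}"),
                            ipaddress.IPv4Address(nh), int(iface), proto, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the route the concentrator would actually use."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def check_next_hops(routes: List[Route]) -> List[Route]:
    """Routes whose next hop is not on a connected network of the same interface;
    such a route would be rejected or black-holed once converted."""
    connected = [r for r in routes if r.protocol == "Local"]
    return [r for r in routes
            if r.next_hop != NO_NEXT_HOP
            and not any(c.interface == r.interface and r.next_hop in c.network
                        for c in connected)]


def to_asa_routes(routes: List[Route], iface_names=IFACE_NAMES) -> Tuple[List[str], List[Route]]:
    """Emit 'route <nameif> <net> <mask> <gateway> <metric>' lines for routes that
    carry a gateway. Connected routes are skipped (they come from the interface IP
    configuration); statics with next hop 0.0.0.0 are returned for manual review."""
    cmds: List[str] = []
    review: List[Route] = []
    for r in routes:
        if r.protocol == "Local":
            continue
        if r.next_hop == NO_NEXT_HOP:
            review.append(r)
            continue
        cmds.append(f"route {iface_names[r.interface]} {r.network.network_address} "
                    f"{r.network.netmask} {r.next_hop} {r.metric}")
    return cmds, review


if __name__ == "__main__":
    table = parse_routes(SAMPLE_TABLE)
    for bad in check_next_hops(table):
        print("unreachable next hop:", bad)
    commands, needs_review = to_asa_routes(table)
    print("\n".join(commands))
    for r in needs_review:
        print("review manually (no gateway):", r.network)
```

Running the script against the full table above (paste it into `SAMPLE_TABLE`) gives a command list that can be diffed against the converted ASA configuration, and the review list collects the interface-only statics (10.0.170.0/24 and its neighbours) whose intent has to be confirmed with the Commission rather than copied blindly.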


10. 24 Hour IPSec statistics (Primary 3015)

IKE (Phase 1) Statistics
Active Tunnels 16
Total Tunnels 26172
Received Bytes 3661367208
Sent Bytes 176195288
Received Packets 19475009
Sent Packets 1834700
Received Packets Dropped 37602
Sent Packets Dropped 0
Received Notifies 19199599
Sent Notifies 3205706
Received Phase-2 Exchanges 37929
Sent Phase-2 Exchanges 181
Invalid Phase-2 Exchanges Received 0
Invalid Phase-2 Exchanges Sent 0
Rejected Received Phase-2 Exchanges 1
Rejected Sent Phase-2 Exchanges 0
Phase-2 SA Delete Requests Received 18175
Phase-2 SA Delete Requests Sent 19844
Initiated Tunnels 0
Failed Initiated Tunnels 2
Failed Remote Tunnels 5043
Authentication Failures 205
Decryption Failures 0
Hash Validation Failures 0
System Capability Failures 0
No-SA Failures 21

IPSec (Phase 2) Statistics
Active Tunnels 8
Total Tunnels 26318
Received Bytes 1012804224
Sent Bytes 641621648
Received Packets 919564265
Sent Packets 1173542337
Received Packets Dropped 42230
Received Packets Dropped (Anti-Replay) 32141
Sent Packets Dropped 62358
Inbound Authentications 919534189
Failed Inbound Authentications 11219
Outbound Authentications 1173542337
Failed Outbound Authentications 0
Decryptions 919534189
Failed Decryptions 0
Encryptions 1173542337
Failed Encryptions 0
System Capability Failures 0
No-SA Failures 0
Protocol Use Failures 0
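The 24-hour counters above are the natural baseline for the functional testing required in section 3(i): the same figures read from the ASAs after cutover should show comparable ratios, and a jump in authentication failures or dropped packets is the first sign of a client incompatibility or a broken transform. The script below is an added example and not part of the Terms of Reference. It parses the counters in the form they arrive from the 3015 (a label that does not fit on one line continues on the next line, with only the last line carrying the number), derives a few ratios that are comparable across devices, and flags those above assumed thresholds. The sample text is a constructed excerpt of the section 10 counters, the indicator names and the thresholds in `THRESHOLDS` are assumptions, and the ratios are proportions of the listed totals rather than any figure the concentrator itself reports.

```python
import re
from typing import Dict, List

# Constructed sample: an excerpt of the section 10 counters in the wrapped
# form the concentrator output arrives in.
SAMPLE_STATS = """\
IKE (Phase 1) Statistics
Active Tunnels 16
Total Tunnels 26172
Received Packets
Dropped 37602
Failed Remote Tunnels 5043
Authentication Failures 205
IPSec (Phase 2) Statistics
Active Tunnels 8
Total Tunnels 26318
Received Packets Dropped 42230
Received Packets Dropped
(Anti-Replay) 32141
Inbound Authentications 919534189
Failed Inbound
Authentications 11219
"""

IKE = "IKE (Phase 1) Statistics"
IPSEC = "IPSec (Phase 2) Statistics"

# A complete counter line ends in an integer; anything else is a label fragment.
_VALUE_LINE = re.compile(r"^(?P<label>.*\S)\s+(?P<value>\d+)$")

# Assumed thresholds for flagging; tune them against the device's own history.
THRESHOLDS = {
    "ike_failed_remote_per_tunnel": 0.10,
    "ike_auth_failure_rate": 0.05,
    "ipsec_anti_replay_share_of_drops": 0.50,
    "ipsec_failed_inbound_auth_rate": 1e-3,
}


def parse_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {section: {label: value}}, re-joining labels wrapped over two lines."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    pending = ""  # label fragment carried over from a line without a value
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Statistics"):
            current = line
            sections[current] = {}
            pending = ""
            continue
        if current is None:
            raise ValueError(f"counter before any section header: {line!r}")
        m = _VALUE_LINE.match(line)
        if m is None:
            pending = f"{pending} {line}".strip()
            continue
        label = f"{pending} {m['label']}".strip()
        sections[current][label] = int(m["value"])
        pending = ""
    if pending:
        raise ValueError(f"dangling label without a value: {pending!r}")
    return sections


def _ratio(numerator: int, denominator: int) -> float:
    return numerator / denominator if denominator else 0.0


def health_indicators(stats: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Ratios that stay comparable between the 3015 baseline and the new ASAs."""
    ike, ipsec = stats[IKE], stats[IPSEC]
    return {
        "ike_failed_remote_per_tunnel":
            _ratio(ike["Failed Remote Tunnels"], ike["Total Tunnels"]),
        "ike_auth_failure_rate":
            _ratio(ike["Authentication Failures"], ike["Total Tunnels"]),
        "ipsec_anti_replay_share_of_drops":
            _ratio(ipsec["Received Packets Dropped (Anti-Replay)"],
                   ipsec["Received Packets Dropped"]),
        "ipsec_failed_inbound_auth_rate":
            _ratio(ipsec["Failed Inbound Authentications"],
                   ipsec["Inbound Authentications"]),
    }


def flag_anomalies(indicators: Dict[str, float],
                   thresholds: Dict[str, float] = THRESHOLDS) -> List[str]:
    """Names of indicators that exceed their threshold."""
    return [name for name, value in indicators.items()
            if value > thresholds.get(name, float("inf"))]


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE_STATS)
    ind = health_indicators(parsed)
    for name, value in ind.items():
        print(f"{name:36s} {value:.5f}")
    print("flagged:", flag_anomalies(ind))
```

On the sample, roughly one in five remote IKE negotiations fails and three quarters of the dropped IPSec packets are anti-replay drops, so both are flagged; anti-replay drops on a client VPN are more often a sign of packet reordering on the path than of replay, which is exactly why a pre-cutover baseline is worth keeping before the same counters are read from the ASAs.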