ASA
I. The ASA Appliance Family and Features
1. Meet the ASA Family
Table 14-2 ASA Models (Model: Description)
ASA 5505
ASA 5510
ASA 5520, 5540, 5550: Like the 5510, except that they have more capacity.
ASA 5585: High-performance, high-capacity firewall devices that support multiple add-ons, such as modules compatible with these appliances. These appliances take more vertical space in a rack than the 5510 to 5550.
Firewall Services Module (FWSM) and the ASA Services Module: Blade firewalls that fit into a compatible switch, such as a Catalyst 6500. They support many of the same features as the standalone ASA appliances in the 55xx family.
1. Packet filtering: Simple packet filtering is normally done with an access list, and that is true of this feature on the ASA as well. The ASA supports both standard and extended access lists. The most significant difference between an access list on an ASA and one on a router is that the ASA never uses a wildcard mask. Where a permit or deny statement needs a mask, the ASA ACL uses the real subnet mask (for example, 255.255.255.0 where a router ACL would write 0.0.0.255).
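The mask difference is the one that bites when router ACLs are copied onto an ASA. The following is an added example for these notes (not code from the original page or from Cisco) that rewrites IOS-style entries into ASA extended ACL syntax, inverting the wildcard into a real mask and refusing wildcards that have no contiguous-mask equivalent. The ACL name OUTSIDE_IN and the sample entries are constructed.

```python
"""Translate IOS access-list entries (wildcard masks) into ASA extended ACL syntax
(real subnet masks). Added example for these notes; it is not code from the original
page or from Cisco. The ACL name OUTSIDE_IN and the sample entries are constructed.
"""
import ipaddress

# IOS port operators and how many operands each takes; they are spelled the same on the ASA.
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}


def wildcard_to_mask(wildcard: str) -> str:
    """Invert an IOS wildcard (0 = must match, 1 = don't care) into the real mask the ASA uses.

    A wildcard only has an ASA equivalent if it is a run of zeros followed by a run of
    ones (so the inverted mask is contiguous). Anything else is rejected rather than
    silently producing a rule that matches different hosts than the original did.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:   # wc has the form 2**k - 1 exactly when wc+1 clears every bit of wc
        raise ValueError(f"wildcard {wildcard} is not contiguous; no equivalent ASA mask")
    return str(ipaddress.IPv4Address(wc ^ 0xFFFFFFFF))


def _take_address(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]; return (asa_text, next)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {wildcard_to_mask(tokens[i + 1])}", i + 2


def _take_port(tokens, i):
    """Consume an optional port qualifier (eq 80, range 1024 65535, ...) at tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]] + 1
        return " ".join(tokens[i:i + n]), i + n
    return "", i


def ios_to_asa(ace: str, acl_name: str = "OUTSIDE_IN") -> str:
    """Rewrite one IOS ACE as an ASA 'access-list <name> extended ...' line."""
    tokens = ace.split()
    if tokens[:1] == ["access-list"]:   # drop the IOS 'access-list <number>' prefix
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action {action!r}")
    src, i = _take_address(tokens, 2)
    sport, i = _take_port(tokens, i)
    dst, i = _take_address(tokens, i)
    dport, i = _take_port(tokens, i)
    trailer = " ".join(tokens[i:])
    if trailer not in ("", "log"):
        raise ValueError(f"unsupported trailing tokens: {trailer!r}")
    parts = ["access-list", acl_name, "extended", action, proto, src, sport, dst, dport, trailer]
    return " ".join(p for p in parts if p)


if __name__ == "__main__":
    for line in (
        "access-list 100 permit tcp 10.1.1.0 0.0.0.255 host 5.5.5.5 eq 80",
        "permit ip any 192.168.0.0 0.0.255.255",
        "deny udp host 4.4.4.4 any range 33434 33534 log",
    ):
        print(ios_to_asa(line))
```

The contiguity check is the important part: a non-contiguous wildcard such as 0.0.0.254 (match every other host) is legal on a router but has no ASA mask, so the converter fails loudly instead of emitting a rule with a different meaning.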
2. Stateful filtering: By default, the ASA records stateful tracking information about packets that have been initially allowed through the firewall. Therefore, if you have an ACL applied inbound on the outside interface that denies everything, but a user on the inside makes a request to a server on the outside, the return traffic is allowed back in (in spite of the ACL that stops traffic initiated from the outside), because the stateful inspection done by default on the initial client-to-server traffic now dynamically allows the return traffic. This is probably the most significant and most used feature on the ASA. One way to think about stateful filtering is to imagine that the ASA builds a dynamic permit entry in a virtual ACL that permits the return traffic. Suppose that you are sending a packet to a web server. Your source address is 4.4.4.4 and your source TCP port is 4444. The destination IP address of the server is 5.5.5.5, and the destination port is TCP 80 (web/HTTP). The ASA (virtually, as this is just a way to think about it) remembers this outbound session and expects to see a return packet from 5.5.5.5 to 4.4.4.4 (the client) with source port TCP 80 and destination port TCP 4444 (back to the client). The virtual ACL, or state table, that the ASA creates dynamically says: permit this return packet from the outside network to the inside network, where the client is waiting for the reply.
3. Application inspection/awareness: The ASA can listen in on conversations between devices on one side of the firewall and devices on the other. The benefit of listening in is that the firewall can pay attention to application layer information. An example is a client on the inside of our network going to an FTP server on the outside. The client may open a connection from source port 6783 to the well-known FTP control port TCP 21. During the conversation between the client and the server, stateful inspection inspects the traffic (and allows reply traffic inbound from the outside) as long as the source IP address is the server, the source port is 21 (server back to client), and the destination port is 6783. That is how stateful inspection works. Unfortunately, some applications, such as FTP, dynamically use additional ports. In the case of standard (active-mode) FTP, the client and the server negotiate the data connection, which is sourced from port 20 at the server and destined for whatever port number the client announced. The challenge is that the initial packets for this data connection are initiated from the server on the outside. As a result, normal stateful filtering denies it (either by the default rules or by an ACL that denies traffic initiated from the outside). With application layer inspection, the ASA learns the dynamically negotiated ports and allows the data connection to be initiated from the server on the outside to the client on the inside.
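Both walkthroughs above (the HTTP reply that a stateful entry lets back in, and the active-mode FTP data connection that only inspection can let in) are modelled in the following added example. It is not code from the original page or from Cisco: the addresses, ports and the FTP PORT command are constructed sample traffic, and the state table is a bare set of 5-tuples with no TCP flag or timeout tracking.

```python
"""Toy model of ASA stateful filtering and FTP application inspection. Added example
for these notes, not code from the original page or from Cisco; addresses, ports and
the FTP PORT command are constructed, and the state table is a set of 5-tuples only.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    payload: str = ""          # only FTP control-channel commands are looked at


class StatefulFirewall:
    """Inside->outside is allowed and recorded; outside->inside is allowed only as the
    reply to a recorded connection or through a pinhole opened by application inspection."""

    # RFC 959 active-mode command: PORT h1,h2,h3,h4,p1,p2 -> connect to h1.h2.h3.h4 : p1*256+p2
    PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

    def __init__(self, inspect_ftp: bool = True):
        self.inspect_ftp = inspect_ftp
        # Both tables are keyed from the inside host's point of view:
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.conns = set()
        self.pinholes = set()

    def outbound(self, pkt: Packet) -> bool:
        """Packet from inside toward outside: permitted, and a state entry is built so the
        reply is accepted even though the outside interface denies new traffic."""
        self.conns.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if self.inspect_ftp and pkt.proto == "tcp" and pkt.dst_port == 21:
            self._inspect_ftp_control(pkt)
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Packet from outside toward inside: look up the mirrored 5-tuple."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.conns:
            return True                   # return traffic for a connection we saw leave
        if key in self.pinholes:
            self.pinholes.remove(key)     # a pinhole admits exactly one data connection...
            self.conns.add(key)           # ...which is then tracked like any other connection
            return True
        return False                      # new traffic initiated from the outside: denied

    def _inspect_ftp_control(self, pkt: Packet) -> None:
        """Application inspection: when the client announces its data port with PORT,
        pre-authorize the server's connection from port 20 to that address and port."""
        m = self.PORT_RE.match(pkt.payload)
        if not m:
            return
        data_ip = ".".join(m.group(1, 2, 3, 4))
        data_port = int(m.group(5)) * 256 + int(m.group(6))
        # Only open a hole back to the client that asked. A PORT naming some other host
        # (an FTP bounce) must not be turned into an inbound permit for that host.
        if data_ip != pkt.src_ip:
            return
        self.pinholes.add((pkt.proto, data_ip, data_port, pkt.dst_ip, 20))


def demo() -> dict:
    """Run the two scenarios from the notes and return what the firewall decided."""
    results = {}
    fw = StatefulFirewall()

    # Stateful filtering: 4.4.4.4:4444 -> 5.5.5.5:80, then the reply and an unsolicited packet.
    fw.outbound(Packet("4.4.4.4", 4444, "5.5.5.5", 80))
    results["http_reply"] = fw.inbound(Packet("5.5.5.5", 80, "4.4.4.4", 4444))
    results["unsolicited_from_outside"] = fw.inbound(Packet("5.5.5.5", 80, "4.4.4.4", 5555))

    # Active FTP: control channel 4.4.4.4:6783 -> 6.6.6.6:21; the client announces data
    # port 200*256+10 = 51210, and the server then opens 6.6.6.6:20 -> 4.4.4.4:51210.
    control = Packet("4.4.4.4", 6783, "6.6.6.6", 21, payload="PORT 4,4,4,4,200,10")
    data = Packet("6.6.6.6", 20, "4.4.4.4", 51210)

    plain = StatefulFirewall(inspect_ftp=False)
    plain.outbound(control)
    results["ftp_control_reply"] = plain.inbound(Packet("6.6.6.6", 21, "4.4.4.4", 6783))
    results["ftp_data_without_inspection"] = plain.inbound(data)

    fw.outbound(control)
    results["ftp_data_with_inspection"] = fw.inbound(data)
    results["ftp_data_second_attempt"] = fw.inbound(data)   # now a tracked connection, still allowed
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:30} {'permit' if allowed else 'deny'}")
```

Without inspection the server-initiated data connection is indistinguishable from any other unsolicited packet from the outside and is dropped; with inspection the PORT command on the control channel becomes a one-shot pinhole for exactly that 5-tuple. The check that the announced address equals the client's own address is the kind of sanity check an inspection engine needs, since otherwise a client could use PORT to open the firewall to an arbitrary third host.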
4. NAT: You learned about the benefits of NAT and PAT earlier in this book, and it comes as no surprise that the ASA supports both. It supports inside and outside NAT, both static and dynamic NAT and PAT, and policy NAT, which is triggered only by specific matches of IP addresses or ports. There is also NAT exemption (specifying that certain traffic should not be translated). This comes in handy if you have a NAT rule saying that everybody going from the inside networks out to the Internet should be translated, but at the same time you have a VPN tunnel to a remote user or a remote network. In most cases traffic from the inside network going over the VPN tunnel should not be translated, so you set up an exemption rule saying that traffic from the inside networks to the destinations reachable via the VPN tunnels is not translated. A policy that says traffic should not be translated is often referred to as NAT 0 (identity NAT).
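The exemption only works if it is matched before the general translation rule. The following added example (not code from the original page or from Cisco) models the two-rule table just described as a first-match list: a NAT 0 exemption for VPN-bound traffic followed by dynamic PAT to the outside interface address, and then the same two rules in the wrong order. The addresses and networks are constructed; 203.0.113.2 is taken from the RFC 5737 documentation range.

```python
"""Simplified first-match model of a NAT rule table with a NAT 0 exemption for
VPN-bound traffic and dynamic PAT for everything else. Added example for these notes,
not code from the original page or from Cisco; all addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatRule:
    kind: str                        # "exempt" = forward untranslated, "pat" = translate source to mapped_ip
    src_net: str                     # original (real) source network
    dst_net: str                     # destinations this rule applies to ("0.0.0.0/0" = anywhere)
    mapped_ip: Optional[str] = None  # PAT address, i.e. the ASA's outside interface IP

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net))


def translated_source(rules, src_ip: str, dst_ip: str) -> str:
    """Source address the destination will see, decided by the first rule that matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return src_ip if rule.kind == "exempt" else rule.mapped_ip
    return src_ip   # model assumption: no matching rule means no translation


INSIDE_NET = "10.0.1.0/24"        # constructed inside network
VPN_REMOTE_NET = "10.0.2.0/24"    # constructed remote network reachable through the site-to-site tunnel
OUTSIDE_IP = "203.0.113.2"        # constructed outside interface address


def exemption_first():
    """Exemption ahead of the catch-all PAT: VPN-bound traffic keeps its real address."""
    return [NatRule("exempt", INSIDE_NET, VPN_REMOTE_NET),
            NatRule("pat", INSIDE_NET, "0.0.0.0/0", OUTSIDE_IP)]


def exemption_shadowed():
    """Same two rules in the wrong order: the catch-all PAT matches first and the exemption never fires."""
    return [NatRule("pat", INSIDE_NET, "0.0.0.0/0", OUTSIDE_IP),
            NatRule("exempt", INSIDE_NET, VPN_REMOTE_NET)]


def demo() -> dict:
    """What an Internet host and the VPN peer see as the source of traffic from 10.0.1.20."""
    r = {}
    r["internet_host_sees"] = translated_source(exemption_first(), "10.0.1.20", "5.5.5.5")
    r["vpn_peer_sees"] = translated_source(exemption_first(), "10.0.1.20", "10.0.2.30")
    r["vpn_peer_sees_shadowed"] = translated_source(exemption_shadowed(), "10.0.1.20", "10.0.2.30")
    return r


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:24} {addr}")
```

With the exemption shadowed, the remote site receives packets sourced from the outside interface address instead of the inside network, so they no longer match the networks the tunnel was built for. The model also shows the answer to the PAT question later in these notes: Internet hosts see inside users as the ASA's outside address.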
5. DHCP: The ASA can act as a DHCP server, a DHCP client, or both. This is a handy feature when implementing a firewall at a smaller office that needs to obtain a globally routable address from the service provider through DHCP while also handing out addresses to the internal DHCP clients at that location.
6. Routing: The ASA supports most of the interior gateway routing protocols, including RIP, EIGRP, and OSPF. It also supports static routing.
7. Layer 3 or Layer 2 implementation: The ASA can be implemented as a traditional Layer 3 (routed) firewall, with an IP address assigned to each of its routable interfaces. The other option is a transparent firewall, in which the physical interfaces do not receive individual IP addresses; instead a pair of interfaces operates like a bridge, and a single management IP address is assigned on the bridged network. Traffic crossing this two-port bridge is still subject to the rules and inspection the ASA implements. The ASA can still perform application
2. Default behavior: traffic sourced from and destined to interfaces of the same security level is denied, but this can be changed (same-security-traffic permit inter-interface).
3. Default behavior: traffic that enters and exits the same interface is also not permitted, but this can be changed as well (same-security-traffic permit intra-interface). This is called a hairpin turn.
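The following added example (not code from the original page or from Cisco) models the interface-level decision these default behaviors describe: the state table is consulted first, then the hairpin and same-security-level rules, then either the ACL applied inbound on the ingress interface, with its implicit deny, or, when no ACL is applied, the default higher-to-lower security rule. It uses the inside 100 / DMZ 50 / outside 0 design from the interface-configuration notes below plus a second DMZ at level 50; interface names, levels, addresses and the ACL are constructed, and the phase order is simplified relative to a real ASA. Each decision returns a trace of the checks applied, in the spirit of the Packet Tracer tool described later.

```python
"""Model of the ASA forwarding decision between interfaces: flow lookup, hairpin and
same-security checks, then ingress ACL (implicit deny) or the default security-level
rule. Added example for these notes, not code from the original page or from Cisco;
names, levels, addresses and the ACL are constructed, and the order is simplified.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Ace:
    """One access-list entry; matching on protocol and destination is enough for the model."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    dst_ip: str = "any"
    dst_port: Optional[int] = None   # None = any port


@dataclass
class Asa:
    levels: dict                                # nameif -> security-level
    acls: dict = field(default_factory=dict)    # nameif -> ACL applied inbound on that interface
    inter_interface: bool = False               # same-security-traffic permit inter-interface
    intra_interface: bool = False               # same-security-traffic permit intra-interface
    conns: set = field(default_factory=set)     # 5-tuples of connections already allowed through

    def _acl_verdict(self, iface: str, pkt: Packet):
        """True/False from the ACL on iface, or None when no ACL is applied there."""
        if iface not in self.acls:
            return None
        for ace in self.acls[iface]:
            if ace.proto not in ("ip", pkt.proto) or ace.dst_ip not in ("any", pkt.dst_ip):
                continue
            if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
                continue
            return ace.action == "permit"
        return False   # every ACL ends with an implicit deny

    def forward(self, ingress: str, egress: str, pkt: Packet):
        """Return (permitted, trace); the trace lists the checks in the order applied."""
        trace = []
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.conns or reverse in self.conns:
            trace.append("FLOW-LOOKUP: existing connection, ACL and security-level checks skipped")
            return True, trace
        if ingress == egress:
            trace.append(f"HAIRPIN: same interface, intra-interface permit={self.intra_interface}")
            if not self.intra_interface:
                return False, trace
        elif self.levels[ingress] == self.levels[egress]:
            trace.append(f"SAME-SECURITY: level {self.levels[ingress]}, inter-interface permit={self.inter_interface}")
            if not self.inter_interface:
                return False, trace
        verdict = self._acl_verdict(ingress, pkt)
        if verdict is None:   # no ACL: only higher-to-lower (or permitted equal-level) traffic passes
            verdict = self.levels[ingress] >= self.levels[egress]
            trace.append(f"SECURITY-LEVEL: {self.levels[ingress]} -> {self.levels[egress]}: " + ("permit" if verdict else "deny"))
        else:
            trace.append(f"ACCESS-LIST on {ingress}: " + ("permit" if verdict else "deny"))
        if verdict:
            self.conns.add(key)   # allowed through: build state so the reply is permitted on the way back
        return verdict, trace


def demo() -> dict:
    """Inside 100 / DMZ 50 / DMZ2 50 / outside 0, run through the decision for constructed flows."""
    asa = Asa(levels={"inside": 100, "dmz": 50, "dmz2": 50, "outside": 0})
    asa.acls["outside"] = [Ace("permit", "tcp", "10.0.50.10", 80)]   # only web to the DMZ server
    r = {}
    r["inside_to_outside"], _ = asa.forward("inside", "outside", Packet("10.0.1.20", 40000, "5.5.5.5", 80))
    r["reply_to_inside"], _ = asa.forward("outside", "inside", Packet("5.5.5.5", 80, "10.0.1.20", 40000))
    r["outside_to_dmz_web"], _ = asa.forward("outside", "dmz", Packet("7.7.7.7", 5000, "10.0.50.10", 80))
    r["outside_to_dmz_ssh"], _ = asa.forward("outside", "dmz", Packet("7.7.7.7", 5001, "10.0.50.10", 22))
    r["outside_to_inside_new"], _ = asa.forward("outside", "inside", Packet("7.7.7.7", 5002, "10.0.1.20", 445))
    r["dmz_to_inside"], _ = asa.forward("dmz", "inside", Packet("10.0.50.10", 5003, "10.0.1.20", 445))
    r["dmz_to_dmz2_default"], _ = asa.forward("dmz", "dmz2", Packet("10.0.50.10", 5004, "10.0.51.10", 80))
    asa.inter_interface = True
    r["dmz_to_dmz2_permitted"], _ = asa.forward("dmz", "dmz2", Packet("10.0.50.10", 5005, "10.0.51.10", 80))
    r["hairpin_default"], _ = asa.forward("outside", "outside", Packet("7.7.7.7", 5006, "8.8.8.8", 443))
    # Pitfall: an ACL applied on inside that only permits web replaces the default 100 -> 0 rule,
    # so DNS from the inside is now caught by the implicit deny.
    asa.acls["inside"] = [Ace("permit", "tcp", dst_port=80)]
    r["inside_web_with_acl"], _ = asa.forward("inside", "outside", Packet("10.0.1.21", 40001, "5.5.5.5", 80))
    r["inside_dns_with_acl"], _ = asa.forward("inside", "outside", Packet("10.0.1.21", 40002, "9.9.9.9", 53, "udp"))
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26} {'permit' if allowed else 'deny'}")
```

The last two flows are the case to remember when applying access rules: once an ACL is applied on an interface, it decides for all new traffic entering that interface, and anything the ACL does not explicitly permit is dropped by the implicit deny regardless of the security levels.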
4. Initial Access
1. The factory default allows console access with full access.
2. ASDM is included with the ASA. It uses SSL to connect, and you can connect to up to five separate firewalls and switch between them conveniently from ASDM.
3. Use the setup script, or skip it and run it later. Using the setup script should get enough configuration done to allow ASDM and remote access.
4. Creating a new SVI in ASDM: click the Add button. The VLAN number is assigned automatically, or click the Advanced tab to choose it yourself.
5. Associate the physical interfaces with it.
6. Configure the IP address (static, DHCP, or PPPoE).
7. Enable the interface.
8. Set the security level.
9. Set the interface name.
10. In this example we want an inside interface, an outside interface, and a DMZ, so we must change the management interface to DMZ. The security level does not change when the name changes, so we change it manually to 50: higher than the outside interface but lower than the inside interface.
11. The problem here is that with the Base license only two named interfaces can be functioning at the same time. To have all interfaces functioning you need to upgrade the ASA to the Security Plus license.
5. Access Rules (ASDM)
1. Navigate to Access Rules and click the Add button to add an ACL entry.
2. Remember that an ACL applied to an interface ends with an implicit deny and replaces the default security-level behavior for that interface, so add an explicit permit for the traffic you still want (for example, a permit-all entry at the end); otherwise all unmatched traffic will be denied.
3. Click Apply to push the configuration to the ASA.
4. ASDM assumes the rule applies to traffic entering (ingress on) the specified interface.
6. Packet Tracer
1. The source and destination information does not have to be IP addresses that are actually assigned anywhere; the test is purely from the perspective of the firewall configuration.
2. It shows each step and each check the firewall performs, and whether the simulated traffic was permitted or denied, and why.
1. Which of the following features does the Cisco ASA provide? (Choose all that apply.)
a. Simple packet filtering using standard or extended access lists
b. Layer 2 transparent implementation
c. Support for remote-access SSL VPN connections
d. Support for site-to-site SSL VPN connections
2. Which of the following has an option slot that can support a hardware module?
(Choose all that apply.)
a. 5505
b. 5510
c. 5540
d. FWSM
3. When used in an access policy, which component could identify multiple servers?
a. Stateful filtering
b. Application awareness
c. Object groups
d. DHCP services
4. Which of the following is an accurate description of the word inbound as it relates to
an ASA? (Choose all that apply.)
a. Traffic from a device that is located on a high-security interface
b. Traffic from a device that is located on a low-security interface
c. Traffic that is entering any interface
d. Traffic that is exiting any interface
5. When is traffic allowed to be routed and forwarded if the source of the traffic is from a
device located off of a low-security interface if the destination device is located off of a
high-security interface? (Choose all that apply.)
a. This traffic is never allowed
b. This traffic is allowed if the initial traffic was inspected and this traffic is the return
traffic
c. If there is an access list that is permitting this traffic
d. This traffic is always allowed by default
6. Which of the following tools could be used to configure or manage an ASA? (Choose
all that apply.)
a. Cisco Security Manager (CSM)
b. Adaptive Security Device Manager (ASDM)
c. Cisco Configuration Professional (CCP)
d. The command-line interface (CLI)
7. Which of the following elements, which are part of the Modular Policy Framework on
the ASA, are used to classify traffic?
a. Class maps
b. Policy maps
c. Service policies
d. Stateful filtering
8. When configuring the ASA as a DHCP server for a small office, what default gateway
will be assigned for the DHCP clients to use?
a. The service provider's next-hop IP address
b. The ASA's outside IP address
c. The ASA's inside IP address
d. Clients need to locally configure a default gateway value
9. When configuring network address translation for a small office, devices on the
Internet will see the ASA inside users as coming from which IP address?
a. The inside address of the ASA
b. The outside address of the ASA
c. The DMZ address of the ASA
d. Clients will each be assigned a unique global address, one for each user
10. You are interested in verifying whether the security policy you implemented is having
the desired effect. How can you verify this policy without involving end users or their
computers?
a. Run the policy check tool which is built in to the ASA
b. The ASA automatically verifies that policy matches intended rules
c. Use the Packet Tracer tool
d. You must manually generate the traffic from an end-user device to verify that the
firewall will forward it or deny it based on policy
VPN redundancy options: VPN load balancing (clustering), load balancing using an external load balancer, or redundant VPN servers.
VPN load-balancing cluster settings (ASDM):
Cluster IP Address: Enter the virtual cluster IP address to be used by this cluster. All members of the cluster must have the same address configured.
UDP Port: Enter the UDP port used for cluster member communication. This port must be unused on the network (default 9023).
Verify Secret
Public Interface: Select from the drop-down list your public/external-facing interface. Cluster member interfaces must be on the same network.
Priority
Private Interface: Select from the drop-down list your private/internal-facing interface. Cluster member interfaces must be on the same network.
Send FQDN to Client Instead of an IP Address When Redirecting: By default, the cluster master sends the IP address of a cluster member to a connecting user/client when redirecting. However, if using certificates, the master can be configured to send the FQDN after performing a reverse Domain Name System (DNS) lookup of the cluster member it is redirecting to.
Key terms: stateful filtering, security levels, SVI, Modular Policy Framework, class map, policy map, service policy.
CLI equivalents (interface configuration mode):
nameif bubba: Assign the name bubba to a Layer 3 interface.
security-level 50: Assign a security level of 50 to the interface.
no shutdown: Enable the interface.