Transparent mode: often referred to as a "bump in the wire" or a "stealth firewall," because the ASA functions like a Layer 2 device and is not considered a router hop. Transparent mode is useful to simplify a network configuration, or when the existing IP addressing cannot be altered. It has no support for dynamic routing protocols, VPNs, QoS, or DHCP relay.
The choice of ASA model depends on an organization's requirements, such as maximum throughput, maximum connections per second, and budget. The models are positioned by deployment size:
• small office and SOHO
• Internet edge of medium to large businesses
• large enterprises and data centers
Advanced ASA feature: virtualization (multiple context mode)
A single ASA can be partitioned into multiple virtual devices. Each virtual device is called a security context. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
Review of firewall terms: when discussing networks connected to a firewall, there are some general terms to consider: the outside network (untrusted), the inside network (trusted), and the DMZ (a network for hosts that must be reachable from the outside).
Firewalls protect inside networks from unauthorized access by users who are on an outside network. They also protect inside network users from each other. The rules for traffic between these zones are enforced on the ASA through interface security levels (see Security Level Control below).
A Cisco IOS router can be configured as a stateful firewall using either the Zone-Based Policy Firewall (ZPF) or the older context-based access control (CBAC) feature. The ASA is a dedicated firewall appliance, and its configuration differs markedly from the IOS router ZPF configuration. By default, it treats a defined inside interface as the trusted network and any defined outside interfaces as untrusted networks. Each interface has an associated security level; these security levels enable the ASA to implement security policies.

ASA Firewall Modes of Operation
There are two firewall modes of operation available on ASA devices: routed mode (the default, in which the ASA is a Layer 3 hop) and transparent mode (the Layer 2 "bump in the wire" described above).
Setting the Firewall Mode
Note: We recommend that you set the firewall mode before you perform any other configuration, because changing the firewall mode clears the running configuration. You are not prompted to confirm the firewall mode change; the change occurs immediately.

Prerequisites: When you change modes, the ASA clears the running configuration (see the "Guidelines and Limitations" section for more information).
• If you already have a populated configuration, be sure to back up your configuration before changing the mode.
• Use the CLI at the console port to change the mode. If you use any other type of session, including the ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration is cleared, and you will have to reconnect to the ASA using the console port in any case.

Set the ASA to transparent mode:
hostname(config)# firewall transparent
To change the mode back to routed, enter:
hostname(config)# no firewall transparent
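The procedure above as an added worked example (this session transcript is not from the original notes or from Cisco documentation): a console session that backs up the running configuration, changes an ASA from routed to transparent mode, and verifies the result with show firewall. The hostname ciscoasa, the TFTP server 10.0.0.5 and the backup filename are assumptions for illustration.

```text
! Added example, not from the page. Typed at the console port, as the
! prerequisites require; an SSH or ASDM session would be dropped at step 3.

! 1. Back up the running configuration first; the mode change wipes it.
!    (TFTP server 10.0.0.5 and the filename are assumptions.)
ciscoasa# copy running-config tftp://10.0.0.5/ciscoasa-routed.cfg

! 2. Confirm the current mode before changing anything.
ciscoasa# show firewall
Firewall mode: Router

! 3. Change the mode. There is no confirmation prompt; the running
!    configuration is cleared immediately.
ciscoasa# configure terminal
ciscoasa(config)# firewall transparent

! 4. Verify the new mode, then rebuild the configuration from scratch
!    (or restore the parts of the backup that apply in transparent mode).
ciscoasa(config)# show firewall
Firewall mode: Transparent

! To return to routed mode later (this clears the configuration again):
ciscoasa(config)# no firewall transparent
```

The check that matters is step 2: if show firewall already reports the mode you want, stop, because re-issuing the command on a device that is already in that mode still costs you the configuration if the mode actually differs from what you assumed.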
ASA Licensing
A license specifies the options that are enabled on a given ASA. Most ASA appliances come pre-installed with either a Base license or a Security Plus license. For example, the Cisco ASA 5505 model comes with a Base license and the option to upgrade to the Security Plus license. The Security Plus upgrade license enables the Cisco ASA 5505 to scale to support a higher connection capacity and up to 25 IPsec VPN users. It adds full DMZ support and integrates into switched network environments through VLAN trunking support. Furthermore, the Security Plus license enables support for redundant ISP connections and stateless active/standby high-availability services, which helps to ensure business continuity. The permanent license is activated by installing a permanent activation key using the activation-key command. The permanent activation key includes all licensed features in a single key. A product activation key can be purchased from a Cisco account representative.
Note: Only one permanent license key can be installed. After it is installed, it is referred to as the running license. To verify the license information on an ASA device, use the show version command or the show activation-key command.

ASA Basic Configuration
First, the hardware (Cisco ASA 5505).

Front panel:
1. USB 2.0 interface: enables additional services and capabilities.
2. Speed and link activity LEDs: a solid green speed LED indicates 100 Mb/s; if the LED is off, the link is running at 10 Mb/s. When the link activity LED is on, a network link is established; when it is blinking, there is network activity.
3. Power LED: solid green indicates that the appliance is powered on.
4. Status LED: flashing green indicates that the system is booting and power-up tests are running. Solid green indicates that the system tests passed and the system is operational. Solid amber indicates that the system tests have failed.
5. Active LED: green indicates that this Cisco ASA is active.
6. VPN LED: solid green indicates that one or more VPN tunnels are active.
7. Security Services Card (SSC) LED: solid green indicates that an SSC card is present in the SSC slot.

Back panel:
1. Security Services Card (SSC) slot: accepts the Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC). The AIP-SSC provides intrusion prevention services to stop malicious traffic before it can affect a network.
2. Console port: used to initially configure the ASA.
3. Lock slot: attach a security cable to this slot.
4. Power connector: 48 VDC power.
5. Two PoE 10/100 Fast Ethernet switch ports: provide Power over Ethernet (PoE) to simplify the deployment of Cisco IP phones and external wireless access points.
6. Six 10/100 Fast Ethernet switch ports: these can be dynamically grouped to create up to three separate VLANs to support network segmentation and security.
7. Two USB 2.0 ports: enable additional services and capabilities.
8. Reset button: returns the appliance to the factory default configuration.

The default DRAM is 256 MB (upgradable to 512 MB) and the default internal flash memory is 128 MB for the Cisco ASA 5505. In a failover configuration, the two units must be identical models with the same hardware configuration, the same number and types of interfaces, and the same amount of RAM.

ASA Security Levels
The ASA assigns security levels to distinguish between inside and outside networks. Security levels define the level of trustworthiness of an interface: the higher the level, the more trusted the interface. Each operational interface must be assigned a name (nameif) and a security level from 0 (least trusted) to 100 (most trusted).
Security Level Control:
Outbound traffic (from a higher security level to a lower one) is allowed and inspected by default, and the returning traffic is allowed because of stateful packet inspection. For example, internal users on the inside interface can easily access resources on the DMZ. They can also initiate connections to the Internet with no restrictions and without the need for an additional policy or additional commands. However, traffic that is coming from the outside network and going into either the DMZ or the inside network is denied by default. Return traffic for connections that originated on the inside network and come back through the outside interface is allowed, because the ASA matches it against an existing entry in its connection table. Any exception to this default behavior requires configuration of an ACL to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level, for example outside to inside or outside to DMZ. Note also that traffic between two interfaces with the same security level is denied by default unless the same-security-traffic permit inter-interface command is configured.
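The security-level behaviour described above as an added worked example (configuration written for these notes, not taken from the page or from Cisco documentation): a three-interface ASA 5505 in routed mode, where the security levels alone produce the default inside-to-DMZ and inside-to-outside permits, and one ACL provides the lower-to-higher exception for a DMZ web server. All addresses, interface names and the web server 192.168.2.10 are assumptions; the ACL follows ASA 8.3 and later behaviour, in which access lists match the real (untranslated) address, and NAT is left out.

```text
! Added example, not from the page. Assumed addressing and names throughout.

! inside: most trusted (100). Hosts here may initiate connections to dmz (50)
! and outside (0) with no ACL; replies come back via the connection table.
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

! outside: least trusted (0). Nothing originating here reaches a higher-level
! interface unless an ACL permits it.
interface vlan 2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248

! dmz: in between (50). May initiate toward outside, not toward inside.
! On the 5505 Base license the third VLAN needs "no forward interface vlan 1"
! (entered before nameif); it blocks traffic the dmz initiates toward VLAN 1.
interface vlan 3
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0

! Put 5505 switch ports into the VLANs (port-to-VLAN mapping is an assumption).
interface ethernet0/0
 switchport access vlan 2
interface ethernet0/1
 switchport access vlan 1
interface ethernet0/2
 switchport access vlan 3

! The exception to the default: allow outside (0) to reach the DMZ web server
! (50) on TCP/80. Applied inbound on the lower-security interface. Replies to
! these sessions are permitted by stateful inspection; no ACL on dmz is needed.
! The explicit deny duplicates the implicit one but adds logging for visibility.
access-list OUTSIDE-IN extended permit tcp any host 192.168.2.10 eq www
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! Checks after applying:
!   show nameif                       -> each interface, its name and level
!   show running-config access-group  -> which ACL is bound to which interface
!   show access-list OUTSIDE-IN       -> per-entry hit counts while testing
```

Note what is absent: there is no ACL for inside to dmz, inside to outside or dmz to outside, because those flows go from a higher security level to a lower one and are permitted by default. If a later change sets dmz to security-level 100 as well, inside-to-dmz traffic stops until same-security-traffic permit inter-interface is added.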