Professional Documents
Culture Documents
Implementing Cisco
Adaptive Security
Appliance
CCNA Security
Presentation_ID
Cisco Confidential
Chapter 9
9.0 Introduction
9.1 Introduction to the ASA
9.2 ASA Firewall Configuration
9.3 ASA VPN Configuration
9.4 Summary
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
ASA Models
There are six ASA models, ranging from the basic 5505
branch office model to the 5585 data center version.
Maximum throughput
Available budget
Presentation_ID
Cisco Confidential
ASA Models
Multi-Service
(Firewall/VPN and IPS)
ASA 5540
(650 Mbps,25K cps)
ASA 5520
(450 Mbps,12K cps)
ASA 5510
ASA 5505
ASA 5550
(1.2 Gbps, 36K cps)
SOHO
Branch Office
Internet Edge
Presentation_ID
ASA SM
(16 Gbps, 300K cps)
Campus
Data Center
Cisco Confidential
ASA Features
Feature
Description
Stateful firewall
An ASA provides stateful firewall services tracking the TCP or UDP network
connections traversing it.
Only packets matching a known active connection will be allowed by the firewall;
others will be rejected.
VPN
concentrator
The ASA supports IPsec and SSL remote access and IPsec site-to-site VPN
features.
Intrusion
Prevention
Presentation_ID
Cisco Confidential
Description
Virtualization
A single ASA can be partitioned into multiple virtual devices called security
contexts.
Each context is an independent device, with its own security policy, interfaces,
and administrators.
Most IPS features are supported, except VPN and dynamic routing protocols.
High availability
Identity firewall
The ASA can provide access control using Windows Active Directory login
information.
Identity-based firewall services allow users or groups to be specified instead of
being restricted by traditional IP address-based rules.
Threat control
Presentation_ID
Cisco Confidential
Customer A
Security Context B
Customer B
Security Context C
Customer C
Internet
Presentation_ID
Cisco Confidential
10
.1
192.168.1.0/24
.1
.1
Internet
.3
10.2.2.0/30
.2
.2
PC-A
.2
ASA-2
Secondary/Standby
Presentation_ID
Cisco Confidential
11
Server
Client
Microsoft
Active Directory
Presentation_ID
AD Agent
Cisco Confidential
12
Presentation_ID
Cisco Confidential
13
Networks on a Firewall
Inside network - Network that is protected and behind the
firewall.
DMZ - Demilitarized zone, while protected by the firewall,
limited access is allowed to outside users.
Outside network - Network that is outside the protection of
the firewall.
Presentation_ID
Cisco Confidential
14
Presentation_ID
Cisco Confidential
15
Presentation_ID
Cisco Confidential
16
Cisco Confidential
17
ASA Licenses
ASA appliances come pre-installed with either a:
Base license
Only one permanent license key can be installed and once it is installed, it is
referred to as the running license.
show version
show activation-key
Presentation_ID
Cisco Confidential
18
Presentation_ID
Cisco Confidential
19
perpetual
DMZ Restricted
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
perpetual
20
ASA 5505
The Cisco ASA 5505 is a full-featured security appliance for
small businesses, branch offices, and enterprise teleworker
environments.
It delivers a high-performance firewall, SSL VPN, IPsec VPN,
and rich networking services in a modular, plug-and-play
appliance.
Presentation_ID
Cisco Confidential
21
Presentation_ID
Active LED
VPN LED
Power LED
Status LED
Cisco Confidential
22
4 Status LED
Solid green indicates that the system tests passed and the system
is operational.
Active LED
VPN LED
Solid green LED indicates that this Cisco ASA is configured for
failover.
Solid green indicates that one or more VPN tunnels are active.
Presentation_ID
Solid green indicates that an SSC card is present in the SSC slot.
2008 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
23
Presentation_ID
Reset button
SSC slot
Lock slot
Cisco Confidential
24
USB ports (front and back) can be used to enable additional services and
6
capabilities.
Consists of an 8-port 10/100 Fast Ethernet switch. Each port can be dynamically
7 grouped to create up to three separate VLANs or zones to support network segmentation
and security.
8 Ports 6 and 7 are Power over Ethernet (PoE) ports to simplify the deployment of
Cisco IP phones and external wireless access points.
Note: The default DRAM memory is 256 MB (upgradable to 512 MB) and the default internal
flash memory is 128 MB for the Cisco ASA 5505.
Presentation_ID
Cisco Confidential
25
Security Levels
The ASA assigns security levels to distinguish between Inside
and Outside networks.
Security levels define the level of trustworthiness of an
interface.
A name
Presentation_ID
Cisco Confidential
26
Presentation_ID
Cisco Confidential
27
Presentation_ID
Cisco Confidential
28
Cisco Confidential
29
Presentation_ID
Cisco Confidential
30
Presentation_ID
Cisco Confidential
31
Using the help key (?) after a command to view additional syntax.
Can execute any ASA CLI command regardless of the current configuration
mode prompt and does not require or recognize the do IOS CLI command.
Can provide additional help listing a brief command description and syntax
by using the help EXEC mode command, followed by the CLI command.
(e.g., help reload).
Interrupts show command output by simply using the letter Q (unlike the
Ctrl+C (^C) IOS CLI key sequence.).
Presentation_ID
Cisco Confidential
32
erase startup-config
write erase
line con 0
password password
login
passwd password
ip route
route outside
show ip route
show route
show vlan
show xlate
write [memory]
Presentation_ID
Cisco Confidential
33
The default factory configuration for the ASA 5505 adaptive security
appliance configures the following:
Presentation_ID
Cisco Confidential
34
<Output omitted>
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
<Output Omitted>
object network obj_any
nat (inside,outside) dynamic interface
<Output Omitted>
http server enable
http 192.168.1.0 255.255.255.0 inside
<Output Omitted>
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
<Output Omitted>
Presentation_ID
Cisco Confidential
35
Presentation_ID
Cisco Confidential
36
Presentation_ID
Cisco Confidential
37
Presentation_ID
Cisco Confidential
38
Presentation_ID
Cisco Confidential
39
Presentation_ID
Cisco Confidential
40
Presentation_ID
Cisco Confidential
41
Presentation_ID
Cisco Confidential
42
Cisco Confidential
43
Cisco Confidential
44
Presentation_ID
Cisco Confidential
45
Cisco Confidential
46
Presentation_ID
Cisco Confidential
47
Presentation_ID
Cisco Confidential
48
Cisco Confidential
49
Cisco Confidential
50
Presentation_ID
Cisco Confidential
51
Presentation_ID
Cisco Confidential
52
To verify the NTP configuration and status, use the show ntp status
and show ntp associations commands.
CCNAS-ASA(config)#
CCNAS-ASA(config)#
CCNAS-ASA(config)#
CCNAS-ASA(config)#
CCNAS-ASA(config)#
Presentation_ID
ntp
ntp
ntp
ntp
server 10.10.10.1
authentication-key 1 md5 cisco123
trusted-key 1
authenticate
Cisco Confidential
53
Cisco Confidential
54
Presentation_ID
Cisco Confidential
55
Cisco Confidential
56
Client Identifier
Lease expiration
Type
1
0
0
0
Message
BOOTREQUEST
DHCPDISCOVER
DHCPREQUEST
DHCPDECLINE
DHCPRELEASE
DHCPINFORM
Received
0
0
0
0
0
0
Message
BOOTREPLY
DHCPOFFER
DHCPACK
DHCPNAK
Sent
0
0
0
0
Presentation_ID
Cisco Confidential
57
Presentation_ID
Cisco Confidential
58
Fa0/1
4
6
5
24
24
Presentation_ID
Cisco Confidential
59
Object Groups
Presentation_ID
Cisco Confidential
94
Object Groups
Objects
The ASA supports two types of objects.
Network object:
Contains a single IP address/mask pair.
Service object:
Contains a protocol and optional source and/or destination port.
Note: A network object is required to configure NAT.
CCNAS-ASA(config)# object ?
configure mode commands/options:
network Specifies a host, subnet or range IP addresses
service Specifies a protocol/port
CCNAS-ASA(config)#
Presentation_ID
Cisco Confidential
95
Object Groups
A network object can contain only one IP address and mask pair. Entering
a second IP address/mask pair replaces the existing configuration.
Presentation_ID
Cisco Confidential
96
Object Groups
Presentation_ID
Cisco Confidential
98
Object Groups
Service Objects
There are five service options:
service protocol [source [operator port]] [destination
[operator port]]
Specifies an IP protocol name or number.
service tcp [source [operator port]] [destination
[operator port]]
Specifies that the service object is for TCP.
service udp [source [operator port]] [destination
[operator port]]
Specifies that the service object is for UDP.
service icmp icmp-type
Specifies that the service object is for ICMP.
service icmp6 icmp6-type
Specifies that the service object is for ICMPv6.
Presentation_ID
Cisco Confidential
99
Object Groups
Object Groups
Object groups are used to group objects. Objects can be
attached or detached from multiple object groups.
Objects can be attached or detached from one or more object
groups when needed, ensuring that the objects are not
duplicated but can be re-used wherever needed.
You can create network, protocol, and ICMP-type objects
groups created using the object-group {network |
protocol | icmp-type} group-name command.
You can also create service objects groups by using
object-group service group-name [tcp | udp |
tcp-udp].
Presentation_ID
Cisco Confidential
101
Object Groups
Description
Specifies a list of IP host, subnet, or network addresses.
Combines IP protocols (such as TCP, UDP, and ICMP) into one object.
Protocol
ICMP
For example, to add both TCP and UDP services of DNS, create an object group and add TCP and
UDP protocols into that group.
ICMP uses unique types to send control messages (RFC 792).
The ICMP-type object group can group the necessary types for security needs.
Used to group TCP, UDP, or TCP and UDP ports into an object.
Service
It can contain a mix of TCP services, UDP services, ICMP-type services, and any protocol such as
ESP, GRE, and TCP.
CCNAS-ASA(config)# object-group ?
configure mode commands/options:
icmp-type Specifies a group of ICMP types, such as echo
network
Specifies a group of host or subnet IP addresses
protocol
Specifies a group of protocols, such as TCP, etc
service
Specifies a group of TCP/UDP ports/services
user
Specifies single user, local or import user group
CCNAS-ASA(config)# object-group
Presentation_ID
Cisco Confidential
102
Object Groups
Cisco Confidential
103
Object Groups
Cisco Confidential
105
Object Groups
Presentation_ID
Cisco Confidential
106
Object Groups
SERVICES-1
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq ntp
exit
SERVICES-2 tcp
port-object eq pop3
port-object eq smtp
exit
SERVICES-3 tcp
group-object SERVICES-2
port-object eq ftp
port-object range 2000 2005
exit
Cisco Confidential
107
ACLs
Presentation_ID
Cisco Confidential
109
ACLs
Presentation_ID
Cisco Confidential
110
ACLs
ACL Function
ACLs on a security appliance can be used:
Through-traffic packet filtering:
Presentation_ID
Cisco Confidential
111
ACLs
Description
Extended
Standard
IPv6
Presentation_ID
Webtype
Ethertype
Cisco Confidential
112
ACLs
ACL Applications
ACL Use
ACL Type
Description
Provide through-traffic
network access
Extended
Extended
Extended
Extended
Extended
Standard
IPv6
Cisco Confidential
113
ACLs
Cisco Confidential
114
ACLs
Condensed ACL
ACL name.
It could also be a number.
Presentation_ID
Cisco Confidential
115
ACLs
Access-group Syntax
To provide through-traffic network access, the ACL must be applied to an
interface.
access-group acl-id {in | out} interface interface-name
[per-user-override | control-plane]
Syntax
access-group
acl-id
in
out
interface
interface-name
per-user-override
control-plane
Presentation_ID
Description
Optional. Allows downloadable ACLs to override the entries on the interface ACL.
Optional. Specifies if the rule is for to-the-box traffic.
Cisco Confidential
116
ACLs
ACL Examples
ACL Examples
access-list ACL-IN-1 extended permit ip any any
access-group ACL-IN-1 in interface inside
ACL allows all hosts on the inside network to go through the ASA.
By default, all other traffic is denied.
Presentation_ID
Cisco Confidential
117
ACLs
Useful for VPN traffic that enters an interface, but is then routed out
the same interface.
Use the same-security-traffic permit interinterface command to enable interfaces on the same
security level so that they can communicate with each other.
Use the same-security-traffic permit intrainterface command to enable communication between
hosts connected to the same interface.
Presentation_ID
Cisco Confidential
118
ACLs
Verifying ACLs
To verify the ACL syntax, use the following commands:
show running-config access-list
show access-list
Presentation_ID
Cisco Confidential
119
ACLs
ACL - Example 1
PC-A and PC-B are external hosts that require access to the two internal
servers.
Each server provides web and email services.
Presentation_ID
Cisco Confidential
120
ACLs
ACL - Example 1
CCNAS-ASA(config)# access-list ACL-IN remark Permit PC-A -> Server A for HTTP / SMTP
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host
209.165.202.131 eq http
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host
209.165.202.131 eq smtp
CCNAS-ASA(config)# access-list ACL-IN remark Permit PC-A -> Server B for HTTP / SMTP
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host
209.165.202.132 eq http
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host
209.165.202.132 eq smtp
CCNAS-ASA(config)# access-list ACL-IN remark Permit PC-B -> Server A for HTTP / SMTP
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host
209.165.202.131 eq http
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host
209.165.202.131 eq smtp
CCNAS-ASA(config)# access-list ACL-IN remark Permit PC-B -> Server B for HTTP / SMTP
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host
209.165.202.132 eq http
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host
209.165.202.132 eq smtp
CCNAS-ASA(config)# access-list ACL-IN extended deny ip any any log
CCNAS-ASA(config)#
CCNAS-ASA(config)# access-group ACL-IN in interface outside
CCNAS-ASA(config)#
Presentation_ID
Cisco Confidential
121
ACLs
ACL - Example 1
Verify the configuration.
Notice that there are nine elements (nine ACEs), excluding the remarks,
that must be processed by the ASA.
CCNAS-ASA(config)# show running-config access-list
access-list ACL-IN remark Permit PC-A -> Server A for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131
access-list ACL-IN remark Permit PC-A -> Server B for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132
access-list ACL-IN remark Permit PC-B -> Server A for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131
access-list ACL-IN remark Permit PC-B -> Server B for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132
access-list ACL-IN extended deny ip any any log
CCNAS-ASA(config)#
CCNAS-ASA(config)# show access-list ACL-IN brief
access-list ACL-IN; 9 elements; name hash: 0x44d1c580
CCNAS-ASA(config)#
Presentation_ID
eq www
eq smtp
eq www
eq smtp
eq www
eq smtp
eq www
eq smtp
Cisco Confidential
122
ACLs
Cisco Confidential
123
ACLs
Presentation_ID
Cisco Confidential
124
ACLs
Presentation_ID
Cisco Confidential
125
ACLs
Cisco Confidential
eq
eq
eq
eq
eq
eq
eq
eq
126
Inside NAT
Typical NAT deployment method when the ASA translates the internal
host address to a global address.
The ASA restores return traffic the original inside IP address.
Outside NAT
Bidirectional NAT
Presentation_ID
Cisco Confidential
130
Presentation_ID
Cisco Confidential
131
Auto NAT
Introduced in ASA version 8.3, the Auto NAT feature has
simplified the NAT configuration as follows:
1. Create a network object.
2. Identify hosts network to be translated.
3. Define the nat command parameters.
Notes:
. Prior to ASA version 8.3, NAT was configured using the nat,
global, and static commands.
. The global and static commands are no longer recognized.
Presentation_ID
Cisco Confidential
132
Configuring NAT
The ASA divides the NAT configuration into two sections:
The first section defines the network to be translated using a network object.
The second section defines the actual nat command parameters.
Cisco Confidential
133
Many-to-many translation.
Dynamic PAT
Many-to-one translation.
Static NAT
A one-to-one translation.
Twice-NAT
ASA version 8.3 NAT feature that identifies both the source and destination address in
a single rule (nat command).
Presentation_ID
Cisco Confidential
134
Presentation_ID
Cisco Confidential
135
Presentation_ID
PUBLIC-IP
range 209.165.200.240 255.255.255.240
exit
INSIDE-NET
subnet 192.168.1.0 255.255.255.224
nat (inside,outside) dynamic PUBLIC-IP
end
Cisco Confidential
136
Presentation_ID
Cisco Confidential
137
Presentation_ID
INSIDE-NET
subnet 192.168.1.0 255.255.255.224
nat (inside,outside) dynamic interface
end
Cisco Confidential
138
INSIDE-NET
subnet 192.168.1.0 255.255.255.224
nat (inside,outside) dynamic 209.165.200.229
end
Presentation_ID
Cisco Confidential
139
host ip-addr
Identifies the inside host IP address.
Note that the any keyword could be used instead of the interface names to allow
the translation of an object between multiple interfaces using one CLI command.
Note: Static NAT also requires that an ACE be added to the outside interface ACL.
Presentation_ID
Cisco Confidential
140
Presentation_ID
Cisco Confidential
141
Presentation_ID
Cisco Confidential
142
ASA in ASDM
Presentation_ID
Cisco Confidential
147
ASA in ASDM
ASA AAA
Unlike the ISR, ASA devices do not support local
authentication without using AAA.
Cisco ASA can be configured to authenticate using:
Both
Presentation_ID
Cisco Confidential
148
ASA in ASDM
Local AAA is ideal for small networks that do not need a dedicated server.
CCNAS-ASA(config)#
CCNAS-ASA(config)#
CCNAS-ASA(config)#
CCNAS-ASA(config)#
CCNAS-ASA(config)#
CCNAS-ASA(config)#
CCNAS-ASA(config)#
Presentation_ID
authentication
authentication
authentication
authentication
Cisco Confidential
149
ASA in ASDM
Presentation_ID
Cisco Confidential
150
ASA in ASDM
Cisco Confidential
151
ASA in ASDM
Logoff
Username: admin
Password: *****
Type help or '?' for a list of available commands.
CCNAS-ASA>
Presentation_ID
Cisco Confidential
152
Cisco MPF uses these three configuration objects to define modular, objectoriented, hierarchical policies:
Class maps:
Define match criterion by using the class-map global configuration mode
command.
Policy maps:
Associate actions to the class map match criteria by using the policy-map
global configuration mode command.
Service policies:
Enable the policy by attaching it to an interface, or globally to all interfaces using
the service-policy interface configuration mode command.
Presentation_ID
Cisco Confidential
159
Presentation_ID
Cisco Confidential
160
Cisco Confidential
161
Class Maps
Class maps are configured to identify Layer 3/4 traffic.
To create a class map and enter class-map configuration mode, use the
class-map class-map-name global configuration mode command.
The class-default names and any name that begins with _internal or
_default are reserved.
The class map name must be unique and can be up to 40 characters in
length.
The name should also be descriptive.
Note: For management traffic destined to the ASA, configure the classmap type management class-map-name command.
Presentation_ID
Cisco Confidential
162
Presentation_ID
Cisco Confidential
163
Policy Maps
Policy maps are used to bind class maps with these steps :
1. Use the policy-map policy-map-name global configuration mode
command.
The policy map name must be unique and up to 40 characters in length.
Cisco Confidential
164
Presentation_ID
Cisco Confidential
165
Service Policy
To activate a policy map globally on all interfaces or on a
targeted interface, use the service-policy global
configuration mode command.
service-policy policy-map-name [global | interface intf]
Presentation_ID
Cisco Confidential
166
Presentation_ID
Cisco Confidential
167
Presentation_ID
Cisco Confidential
168
Presentation_ID
Cisco Confidential
169
class-map inspection_default
match default-inspection-traffic
Presentation_ID
Cisco Confidential
170
Presentation_ID
Cisco Confidential
171
Presentation_ID
Cisco Confidential
172
Presentation_ID
Cisco Confidential
173
Presentation_ID
Cisco Confidential
175
Presentation_ID
Cisco Confidential
176
Presentation_ID
Cisco Confidential
177
Presentation_ID
Cisco Confidential
178
After authentication, users access a portal page and can access specific,
supported internal resources.
Provides full tunnel SSL VPN connection but requires a VPN client
application to be installed on the remote host.
Presentation_ID
Cisco Confidential
179
Presentation_ID
Cisco Confidential
180
Presentation_ID
Cisco Confidential
181
Consumerization
To support IT consumerization, the Cisco AnyConnect client is available for
free for:
iOS devices (iPhone, iPad, and iPod Touch)
Android OS (select models)
BlackBerry
Windows Mobile 6.1
HP webOS
Nokia Symbian
Presentation_ID
Cisco Confidential
182
ASDM Assistant
Clientless SSL VPN can be configured using the ASDM Assistant to guide
an administrator through the SSL VPN configuration.
Presentation_ID
Cisco Confidential
183
Presentation_ID
Cisco Confidential
184
Presentation_ID
Cisco Confidential
185
Presentation_ID
Cisco Confidential
186
Presentation_ID
Cisco Confidential
195
Presentation_ID
Cisco Confidential
196
Presentation_ID
Cisco Confidential
197
Presentation_ID
Cisco Confidential
198
ASDM Assistant
Presentation_ID
Cisco Confidential
199
Presentation_ID
Cisco Confidential
200
Presentation_ID
Cisco Confidential
201
Presentation_ID
Cisco Confidential
202
Presentation_ID
Cisco Confidential
215
Presentation_ID
Cisco Confidential
216
Platform Detection
The ASA performs a series of compliance checks, platform detection, finally
selects or downloads the software package.
Presentation_ID
Cisco Confidential
217
Installing AnyConnect
A security warning displays if AnyConnect must be installed.
Presentation_ID
Cisco Confidential
218
Presentation_ID
Cisco Confidential
219
Presentation_ID
Cisco Confidential
220
Auto-Download Complete
After the client completes the auto-download, the web session automatically
launches the Cisco AnyConnect SSL VPN Client.
Presentation_ID
Cisco Confidential
221
Confirming Connectivity
Presentation_ID
Cisco Confidential
222
Presentation_ID
Cisco Confidential
223
Presentation_ID
Cisco Confidential
224
Presentation_ID
Cisco Confidential
225
Presentation_ID
Cisco Confidential
226
Presentation_ID
Cisco Confidential
227
9.4 Summary
Presentation_ID
Cisco Confidential
228
Summary
Summary
The Adaptive Security Appliance (ASA) is a standalone firewall device
that is a primary component of the Cisco SecureX technology.
The ASA protects Inside networks from unauthorized outside access by
combining firewall, VPN concentrator, and intrusion prevention
functionality into one device.
The ASA can also support advanced features, such as virtualization, high
availability with failover, identity firewall, and advanced threat control and
can be configured in routed mode or in transparent mode.
The ASA assigns security levels to distinguish between Inside and
Outside networks.
Security levels define the level of trustworthiness of an interface; the
higher the level, the more trusted the interface.
The security level numbers range from 0 (untrustworthy) to 100 (very
trustworthy). Each operational interface must have a name and a security
level from 0 (lowest) to 100 (highest) assigned.
Presentation_ID
Cisco Confidential
229
Summary
Summary Cont.
ASA devices can be configured and managed using either the CLI or the
Adaptive Security Device Manager (ASDM) GUI.
The ASA CLI is a proprietary OS which has a similar look and feel to the
router IOS.
The ASA 5505 ships with a default configuration that is sufficient for
SOHO deployments. The configuration includes:
Two preconfigured VLAN networks
DHCP enabled for inside hosts
NAT for outside access
The Cisco ASDM facilitates the setup, configuration, monitoring, and
troubleshooting of Cisco ASAs.
ASDM provides several wizards to help simplify the configuration.
The Startup Wizard guides the administrator through the initial
configuration of the ASA.
Presentation_ID
Cisco Confidential
230
Summary
Summary Cont.
The VPN wizards allow an administrator to configure basic site-to-site and
remote access VPNs. ASDM also provides a High Availability and
Scalability Wizard, Unified Communication Wizard, and a Packet Capture
Wizard.
The ASA supports objects and object groups making it easier to maintain
configurations.
The ASA provides basic traffic filtering capabilities with ACLs.
It supports NAT and PAT, which can be static or dynamic.
The ASA can be configured to authenticate using a local user database or
an external server.
The ASA uses the MPF to define sets of rules for applying firewall
features.
Presentation_ID
Cisco Confidential
231
Summary
Summary Cont.
The ASA provides support for site-to-site IPsec VPNs. It can also support
the following remote access VPNs:
Clientless SSL VPN Remote Access (using a web browser)
SSL or IPsec (IKEv2) VPN Remote Access (using Cisco AnyConnect
client)
IPsec (IKEv1) VPN Remote Access (using Cisco VPN client)
With a clientless SSL VPN deployment, remote clients use an SSL web
portal interface. A client-based SSL VPN requires a client, such as the
Cisco AnyConnect VPN client, to be pre-installed on the host, or
downloaded on-demand via a browser.
Presentation_ID
Cisco Confidential
232
Presentation_ID
Cisco Confidential
233