Introduction to ASA Firewall

--> ASA is an application-aware, stateful packet-filtering firewall.

--> It inspects every packet that passes through it and keeps track of the state of each connection, so return traffic is matched to the connection that created it.

--> Each interface on the ASA requires configuration of the following three things,

1) Interface Name

2) Security-level

3) IP Address

--> By default, a security level is assigned automatically as soon as the interface is given a name with the nameif command.

--> ASA assigns security-level 100 to an interface named "inside" and 0 to an interface with any other name, including "outside".

--> To assign a security level other than 100 or 0 (for example 50 for a DMZ), use the security-level command on the interface.

--> The relative security levels of the two interfaces decide whether a connection through the ASA is treated as outbound or inbound.

--> An outbound connection is one initiated from a higher security level to a lower one (typically internal networks to the Internet); an inbound connection is one initiated from a lower security level to a higher one (typically Internet to internal networks).

--> By default, only connections initiated from a higher security level to a lower security level are allowed; they are inspected, and their return traffic is permitted by the stateful inspection. All other traffic is blocked unless an access-list permits it.

--> That is why the inside interface (where the internal networks are connected) is configured with security level 100 and the interface facing the Internet with security level 0.
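The three items above, as an added configuration example (not from the original post or from Cisco): a three-interface ASA where the security level of inside and outside comes from the name alone, and the DMZ needs an explicit security-level. The interface numbers, names and addresses are assumptions.

```text
! Added example: basic ASA interface setup (interface numbers, names and
! addresses are assumptions)
interface GigabitEthernet0/0
 nameif outside
 ! "outside" is not "inside", so security-level 0 is assigned automatically
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 ! the name "inside" receives security-level 100 automatically
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 ! any other name defaults to 0; override it so the DMZ sits between
 ! inside (100) and outside (0)
 security-level 50
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! Verification: name, security level and address of every interface
show nameif
show interface ip brief
```

With this configuration and no access-lists, hosts on inside can initiate connections to dmz and outside, dmz hosts can initiate connections to outside only, and nothing can initiate a connection towards inside. Check `show nameif` after configuring `nameif` and before adding `security-level`: a DMZ left at the default of 0 would be treated exactly like the Internet.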

--> Each connection that passes through the firewall from one interface to another is tracked in two tables,

1) Connection table: 

--> Stores every connection that was permitted by the firewall policy.

--> Each entry is updated as traffic for that connection flows through the firewall.

--> The connection table contains the following for each entry,

i) Source IP address

ii) Destination IP address

iii) Source port (TCP or UDP)

iv) Destination port (TCP or UDP)

v) TCP sequence number

vi) TCP flags

vii) Idle timer

--> # show conn displays the connection table on the ASA.

--> # clear conn removes all the entries from the connection table; the affected connections are dropped and must be re-established by the hosts.

--> # show conn detail displays the connection table with the connection flags and timeouts of each entry.

--> # show conn port < Port number > detail shows only the connections that use the selected TCP or UDP port.
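An added example of reading the connection table (not from the original post; the output below is constructed for illustration, and the addresses are assumptions). The flags tell you the direction in which the connection was opened, which is the quickest way to confirm whether a flow is outbound or inbound.

```text
! Added example: inspecting the connection table (output is constructed,
! addresses are assumptions)
asa# show conn
2 in use, 5 most used
TCP outside 198.51.100.20:443 inside 10.1.1.25:52144, idle 0:00:03, bytes 18422, flags UIO
UDP outside 198.51.100.53:53 inside 10.1.1.25:60231, idle 0:00:01, bytes 212, flags -
!
! Flags on the TCP entry: U = connection is up, I = inbound data seen,
! O = outbound data seen. No B flag means the initial SYN came from inside,
! i.e. this is an outbound connection. A B flag would show the SYN arrived
! on outside, i.e. an inbound connection that an access-list must have permitted.
!
! Restrict the view to one port, with flags and timeouts
asa# show conn port 443 detail
!
! Drop only the connections of one host instead of the whole table
asa# clear conn address 10.1.1.25
```

Prefer `clear conn address <ip>` (or `clear conn port <port>`) over a bare `clear conn` on a production firewall: the bare form drops every tracked connection, including management sessions and VPN traffic, and each one has to be re-established.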
2) Local Host Table

--> The ASA keeps the connections or sessions of each host (per IP address) in this table.

--> It is used by the ASA for per-host statistics and for enforcing per-host connection limits.

--> # show local-host displays the local host table on the ASA.

--> # clear local-host all removes all the entries from the local host table, together with the connections that belong to them.

--> # show local-host < IP Address > shows the entry for the selected IP address in the host table.

--> By default, traffic initiated from a higher security level to a lower security level is allowed (outbound traffic).

--> By default, traffic is blocked between interfaces with the same security level (for example, two Internet connections both at security level 0, or two DMZ interfaces both at security level 50).

--> # same-security-traffic permit inter-interface allows traffic between different interfaces that share the same security level.

--> # same-security-traffic permit intra-interface allows traffic to enter and leave the ASA through the same interface (hairpinning), for example between two VPN spokes that both terminate on the outside interface.
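The same-security case as an added configuration example (not from the original post or from Cisco): two DMZ interfaces at security level 50 that cannot talk to each other until the inter-interface permit is added. Interface numbers, names and addresses are assumptions.

```text
! Added example: two DMZ interfaces at the same security level (interface
! numbers, names and addresses are assumptions)
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
 ip address 192.0.2.1 255.255.255.128
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
 ip address 192.0.2.129 255.255.255.128
!
! Without the next line a host in dmz1 cannot reach a host in dmz2 at all,
! even though both interfaces are at level 50
same-security-traffic permit inter-interface
!
! Separate, independent option: allow a flow to enter and leave through the
! same interface (hairpinning), e.g. spoke-to-spoke VPN traffic on outside
same-security-traffic permit intra-interface
!
! Verification: simulate a dmz1 host opening TCP/80 to a dmz2 host and read
! the final "Action" line of the trace
packet-tracer input dmz1 tcp 192.0.2.10 12345 192.0.2.140 80
```

Run the packet-tracer before and after adding the `same-security-traffic permit inter-interface` line: before it, the trace ends with a drop; after it, the flow is allowed and the connection is created. Note that the inter-interface permit opens traffic in both directions between all interfaces at that level, so if the two DMZs are meant to be isolated from each other, keep the default and permit only the specific flows with access-lists instead.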

--> By default, traffic initiated from a lower security level to a higher security level is blocked (inbound traffic) unless an access-list applied to the lower-security interface permits it.

--> By default, management traffic destined to the ASA's own interfaces (Telnet, SSH, HTTPS/ASDM) is also blocked until it is explicitly enabled for that interface and source network.

--> By default, the ASA inspects only TCP and UDP connections statefully, and this behaviour cannot be disabled.

--> ICMP is not tracked statefully by default, so an echo-request from inside is allowed out but the echo-reply is dropped on its way back. ICMP inspection has to be configured manually, using one of two methods,

1) Configure ICMP inspection globally, so that an echo-reply is matched to the echo-request that caused it.

2) Configure an inbound ACL on the interface with the lower security level that permits icmp echo-reply (and, for traceroute, time-exceeded and unreachable).
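Both methods as an added configuration example (not from the original post or from Cisco). The policy-map and class names are the ASA defaults; the access-list name and the interface name outside are assumptions.

```text
! Added example: the two ways to get ping replies back through the ASA
! (access-list name and interface name are assumptions)
!
! Method 1: stateful ICMP inspection in the default global policy. A reply
! is allowed only if a matching request left through the ASA first.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Method 2: permit the reply types explicitly on the lower-security
! interface. This is stateless: the ACL accepts these ICMP types from any
! source at any time, whether or not a request went out.
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-group OUTSIDE_IN in interface outside
!
! Verification: with method 1 an inside ping creates an ICMP entry in the
! connection table while it is in flight; with method 2 it does not, and the
! ACL hit counters increase instead
show conn protocol icmp
show access-list OUTSIDE_IN
```

Use method 1 unless there is a reason not to: it gives the same stateful behaviour that TCP and UDP already get, and `inspect icmp error` lets the ASA match ICMP error messages (such as time-exceeded) to the connection that triggered them. Method 2 is simpler, but it leaves the permitted ICMP types open from any source, and if an existing inbound access-list is already applied to the interface, the new lines have to be added to that access-list rather than to a second one.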


Ref: Cisco.com

Md.Kareemoddin

CCIE # 54759