1. Overview and Traffic Flow

The document provides an overview of traffic flow in the Cisco ASA firewall by default. It discusses the interface configuration parameters needed and how traffic is allowed based on the security levels of interfaces. Same security level interfaces block all traffic by default unless configured otherwise. Traffic destined for the firewall interfaces is controlled by enabled services on that interface.

ASA Overview and Traffic Flow
KHAWAR BUTT
CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]
Overview
 ASA Firewall Overview
 Default Traffic Flow
 “TO” Traffic versus “THRU” Traffic
ASA Firewall Overview
 The Cisco ASA Firewall evolved from Cisco's first physical firewall appliance, the Cisco PIX
Firewall.

 The PIX Firewall was a firewall with limited VPN capabilities.

 Web-based VPNs (SSL VPNs) were becoming popular. The PIX Firewall could only provide
Remote Access VPN capabilities using basic IPsec and PPTP type VPNs.

 Cisco acquired a company called Altiga. Altiga had a product known for its VPN capabilities.
The product was called the VPN Concentrator. It was known for its Web VPN capability.

 Initially Cisco sold the VPN Concentrator as a stand-alone device.

 The Web VPN capability along with the Firewall capability of the PIX were ported into a new
device called the ASA Firewall.

 The ASA Firewall is a combination of the Firewalling of the PIX with the Web VPN capability of
the VPN Concentrator.
ASA Firewall Overview
 ASA Firewall is a L3 Router by default.
 It has all the routing functionalities that a normal router would have.
 It can run the RIP, EIGRP, OSPF and BGP routing protocols.
 The difference between a regular router and an ASA Firewall is that the router
forwards all traffic by default, whereas the ASA allows traffic only based on certain
policies, which will be discussed in this video.
 Besides assigning the IP Address to an Interface, the ASA requires 2 additional
parameters on the Interface.
 Let’s discuss the Interface configuration, as it controls the default traffic flow thru
the Firewall.
Interface Configuration Parameters
 To initialize an ASA Interface, you need the following parameters:
 Nameif:
o The name of the Interface is not case-sensitive.
o Although it is not case-sensitive, it does preserve the case.
o It is a required parameter.
o All commands reference the Interface using the Name not the Physical ID.
 Security Level:
o It is a number between 0 and 100.
o It controls the default traffic flow thru the firewall.
o When you configure a blank interface with a Name, the security level is set automatically to 0, except
when the name of the interface is Inside.
 IP Address:
o You configure it just like you would on a router.
o You do have the ability to skip the mask if the IP address is using the default class mask.
Default Traffic Flow
 High Security Level to Low Security Level
 By default, all traffic is allowed to flow from a High Security Interface towards a Low Security Interface, as long as
the routing information is in place.
 Although all traffic is allowed to flow from High Security Level to Low Security Level, only TCP and UDP
traffic is inspected.
 Inspection creates a return entry in the Connection Table on the Firewall. This allows the return traffic to
come back. This is known as Stateful Inspection.

 Low Security Level to High Security Level
 By default, all traffic is blocked from coming in from a Low Security Interface towards a High Security
Interface.
 If you want this traffic to work, you would need to create an explicit policy on the Low Interface to allow
this traffic. This is done by creating an ACL.
 When a packet hits a low security interface going towards a high security interface, the firewall checks the
connection table first; if there is no entry in the connection table, it checks the ACL for a permit; if
there is no permit in the ACL, it falls back to the default behavior.
Default Traffic Flow Contd.
 Same Security Level Interfaces
 By default, any traffic going from an interface that has the same security level as
the destination interface is blocked.
 Even an explicit ACL will not help in allowing this traffic.
 A typical example of this type of setup is when you have 2 partner networks
connecting into your network but you don’t want them to traverse to each other
thru your firewall.
 You have an option to disable the firewall between 2 interfaces with the same security
level by using the “same-security-traffic permit inter-interface” command.
 If you use the above command, it allows all traffic between 2 interfaces with the
same security level.
Traffic Destined to the Firewall
 “TO” traffic is traffic destined to an interface on the Firewall.
 It is controlled by the services running on the Firewall. ACLs have no effect
on this traffic flow.

 By default, the only service that is running on the Firewall is ICMP.
 The only traffic that is allowed to successfully reach the firewall is ICMP.
 No other traffic is allowed TO the firewall.
 Enabling or disabling of a service on the Firewall is a "Per Interface"
characteristic.
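An added configuration example (not from the original slides) that ties together the interface parameters, the explicit ACL needed for low-to-high traffic, the same-security partner case and the per-interface services that govern “TO” traffic. Interface names, addresses and the 10.1.1.10 server are assumed values chosen for illustration.

```cisco
! Interface parameters: nameif, security-level, ip address (assumed addressing)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
! Two partner networks at the same security level (blocked from each other by default)
interface GigabitEthernet0/2
 nameif partner1
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/3
 nameif partner2
 security-level 50
 ip address 172.16.2.1 255.255.255.0
 no shutdown
!
! High -> Low (inside -> outside) needs no ACL; return traffic is allowed by the
! stateful connection table. Low -> High needs an explicit permit on the low interface:
! only HTTPS to the assumed server 10.1.1.10 is allowed in, everything else is logged and denied.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! partner1 <-> partner2 stays blocked (even with an ACL) unless this is enabled.
! Leave it commented out to keep the partners isolated; uncomment to allow all
! traffic between same-security interfaces.
! same-security-traffic permit inter-interface
!
! "TO" traffic is governed by per-interface services, not ACLs:
! allow SSH and ICMP to the firewall only from the inside network,
! and refuse ICMP to the outside interface.
ssh 10.1.1.0 255.255.255.0 inside
icmp permit 10.1.1.0 255.255.255.0 inside
icmp deny any outside
```

Verify the resulting behaviour with `show conn` (connection table entries for inside-initiated flows) and `show access-list OUTSIDE_IN` (hit counts on the permit and deny lines).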
Whiteboard