Network Security v1.0 - Module 20

The document discusses the Cisco ASA firewall product line. It compares ASA solutions to other routing firewall technologies and describes the ASA 5506-X deployment scenarios. It also explains how the ASA can operate as an advanced stateful firewall with features like security contexts, failover, identity-based access control, and advanced inspection.

Uploaded by Hussein Kipkoech

Module 20: Introduction to the ASA

Networking Security v1.0 (NETSEC)
Module Objectives
Module Title: Introduction to the ASA

Module Objective: Explain how the ASA operates as an advanced stateful firewall.

Topic Title: ASA Solutions
Topic Objective: Compare ASA solutions to other routing firewall technologies.

Topic Title: The ASA 5506-X with FirePOWER Services
Topic Objective: Describe three ASA deployment scenarios.

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
20.1 ASA Solutions

ASA Solutions
ASA Firewall Models
The Cisco ASA with FirePOWER Services family of products provides dedicated firewall services in one
device. These are next-generation firewall (NGFW) devices that deliver integrated threat defense across
the entire attack continuum. They combine proven ASA firewalls with Sourcefire threat and advanced
malware protection in a single device. These include Cisco Firepower 1000, Cisco Firepower 2100,
Cisco Firepower 4100, Cisco Firepower 9300. All models provide advanced stateful firewall features and
VPN functionality. The biggest difference between the models is the maximum traffic throughput handled
by each model and the number and types of interfaces.

Cisco also supports the virtualization of computing infrastructure by taking advantage of the increased
power availability of modern x86 servers. The Cisco Adaptive Security Virtual Appliance (ASAv) brings
the power of ASA appliances to the virtual domain.

To provide a suitable fit for customer needs, Cisco ASAv is available in five models: Cisco ASAv5, Cisco
ASAv10, Cisco ASAv30, Cisco ASAv50, Cisco ASAv100. The focus of this module will be on the ASA
5506-X which is designed for small business, branch office, and enterprise teleworker implementations.
ASA Solutions
Video - Cisco ASA Next-Generation Firewall Appliances

This video explains the Cisco ASA Next-Generation Firewall Appliances.

ASA Solutions
Advanced ASA Firewall Features

A single ASA can be partitioned into multiple virtual devices, as illustrated here. Each virtual device is called a security context. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.

ASA Solutions
Advanced ASA Firewall Features (Cont.)

As shown here, two identical ASAs can be paired into an active / standby failover configuration to provide device redundancy. Both platforms must be identical in software, licensing, memory, and interfaces, including the Security Services Module (SSM). In the example, ASA-1 is the primary/active forwarding device and traffic leaving PC-1 takes the preferred path using ASA-1. ASA-1 and ASA-2 monitor each other using the LAN failover link. If ASA-1 fails, then ASA-2 would immediately assume the primary role and become active.
ASA Solutions
Advanced ASA Firewall Features (Cont.)

The ASA provides optional, granular access control based on an association of IP addresses to Windows Active Directory login information. For example, in the figure, when a client attempts to access the server resources, it must first be authenticated using the Microsoft Active Directory Identity-based firewall services. These services enhance the existing access control and security policy mechanisms by allowing users, or groups, to be specified in place of source IP addresses. Identity-based security policies can be interleaved without restriction between traditional IP address-based rules.
ASA Solutions
Advanced ASA Firewall Features (Cont.)

The ASA uses the Advanced Inspection and Prevention (AIP) modules. Antimalware capabilities can be deployed by integrating the Content Security and Control (CSC) module. The Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) and Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC) deliver protection against tens of thousands of known exploits.

ASA Solutions
Cisco Firepower Series

Cisco has introduced a new line of next-generation firewalls (NGFW) which combines their
proven firewall technology with Sourcefire advanced threat and malware detection capabilities.

These NGFWs consolidate multiple security layers into a single platform, eliminating the cost of
buying and managing multiple solutions. This integrated approach combines best-in-class
security technology with multilayer protection that is integrated into a single device.

The Cisco ASA 5500-X with FirePOWER Services devices are part of the new Cisco NGFWs.
Designed for small to medium branch offices, the ASA 5500-X with FirePOWER Services
merges the ASA 5500 stateful firewall features with some of the following advanced threat and
malware detection capabilities:
• Next-generation IPS (NGIPS)
• Advanced Malware Protection (AMP)
• Application control and URL filtering

ASA Solutions
Video - Collect Firepower Threat Defense (FTD) Packet Captures with Firepower Management Center (FMC)

This video explains Firepower Threat Defense Packet Captures with Firepower Management Center.

ASA Solutions
Review of Firewalls in Network Design
When discussing networks that are connected to a firewall, there are some general terms to consider:

• Outside network - The network/zone that is outside the protection of the firewall.
• Inside network - The network/zone that is protected and behind the firewall.
• DMZ - The demilitarized zone that allows both inside and outside users access to protected network resources.

Firewalls protect inside networks from unauthorized access by users who are on an outside network. They also
protect inside network users from each other. For example, by creating zones, an administrator can keep the
network that is hosting the accounting servers separate from other networks in an organization.
The figure illustrates how these zones interact for permitted traffic:
• Traffic originating from the inside network going to the outside network is permitted.
• Traffic originating from the inside network going to the DMZ network is permitted.
• Traffic originating from the outside network going to the DMZ network is selectively permitted.
ASA Solutions
Review of Firewalls in Network Design (Cont.)

The figure illustrates how these zones interact for denied traffic:
• Traffic originating from the outside network going to the inside network is denied.
• Traffic originating from the DMZ network going to the inside network is denied.

Cisco ISRs can provide firewall features by using either the Zone-Based Policy Firewall (ZPF) or by using the older context-based access control (CBAC) feature.

ASA Solutions
ASA Firewall Modes of Operation
Routed Mode
There are two firewall interface modes of operation
available on ASA devices: routed mode and
transparent mode.

In routed mode, two or more interfaces separate Layer 3 networks, i.e. domains.

In the figure, the ASA is considered to be a router hop in the network and can perform NAT between connected networks. Routed mode supports multiple interfaces. Each interface is on a different subnet and requires an IP address on that subnet. The ASA applies policies to flows as they transit the firewall.

ASA Solutions
ASA Firewall Modes of Operation (Cont.)
Transparent Mode
An ASA in transparent mode is often
referred to as a “bump in the wire,” or a
“stealth firewall” because the ASA functions
like a Layer 2 device and is not considered
a router hop. In the figure below, the ASA is
only assigned an IP address on the local
network for management purposes. This
mode is useful to simplify a network
configuration, or when the existing IP
addressing cannot be altered. However, the
drawbacks include no support for dynamic
routing protocols, VPNs, QoS, or DHCP
Relay.

ASA Solutions
ASA Licensing Requirements

A license specifies the options that are enabled on a given ASA. Most ASA appliances come pre-installed with either a Base license or a Security Plus license.

To provide more features to the ASA, additional time-based or optional licenses can be purchased.

To verify the license information on an ASA device, use the show activation-key command, as shown below, or the show version command.

20.2 The ASA 5506-X with FirePOWER Services

The ASA 5506-X with FirePOWER Services
Overview of ASA 5506-X
The Cisco ASA 5506-X delivers a high-performance firewall, SSL VPN, IPsec VPN, and rich
networking services in a modular, plug-and-play appliance. The default DRAM memory is 4 GB and
the default internal flash memory is 8 GB. In a failover configuration, the two units must be identical
models with the same hardware configuration, the same number and types of interfaces, and the
same amount of RAM. Failover is available with the Security Plus license.

The figure illustrates the front panel of the ASA 5506-X.

The ASA 5506-X with FirePOWER Services
Overview of ASA 5506-X
The figure illustrates the back panel of the Cisco ASA 5506-X.

The ASA 5506-X with FirePOWER Services
Overview of ASA 5506-X (Cont.)

The figure shows the inside components of the Cisco ASA 5506-X.

Unlike the ASA 5505, the ASA 5506-X does not use switchports. All interfaces are routed and require IP addresses.

The ASA 5506-X with FirePOWER Services
ASA Security Levels
Security levels define the level of trustworthiness of an interface. Each operational interface must have a name and a security level from 0 (lowest) to 100 (highest) assigned.

As shown in the figure, level 100 should be assigned to the most secure network, such as the inside network. Level 0 can be assigned to the outside network, which is connected to the internet. DMZs and other networks can be assigned a security level between 0 and 100.

The ASA 5506-X with FirePOWER Services
ASA Security Levels (Cont.)

Security levels help to control many aspects of network traffic as shown in the table below.

Aspect: Network Access
Effect: By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access hosts on a lower security interface. Multiple interfaces can be assigned the same security level. If communication is enabled for interfaces with the same security level, there is an implicit permit for traffic between the interfaces.

Aspect: Inspection Engines
Effect: Some application inspection engines are dependent on the security level. When interfaces have the same security level, the ASA inspects traffic in either direction.

Aspect: Application Filtering
Effect: HTTPS and FTP filtering applies only for outbound connections that are from a higher level to a lower level. If communication is enabled for interfaces with the same security level, traffic can be filtered in either direction.

The ASA 5506-X with FirePOWER Services
ASA 5506-X Deployment Scenarios
Small Branch
The ASA 5506-X is commonly used as an edge security device. It connects a small business to an ISP device, such as a DSL or cable modem, for access to the internet. It can be deployed to interconnect and protect several workstations, network printers, and IP phones.

In a small branch, a common deployment would include an inside network (VLAN 1) with security level 100 and an outside network (VLAN 2) with security level 0, as shown in the figure.

The ASA 5506-X with FirePOWER Services
ASA 5506-X Deployment Scenarios (Cont.)
Small Business
In the small business, shown here, the
ASA 5505 can be deployed with two
different protected network segments. One
segment is the inside network (VLAN 1),
which connects workstations and IP
phones. The other segment is the DMZ
(VLAN 3), which connects a company web
server. The outside interface (VLAN 2) is
used to connect to the internet.
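The zone rules from "Review of Firewalls in Network Design", the security-level table and the small-business topology above all describe one decision: given the ingress and egress interfaces of a new connection, is it implicitly permitted, implicitly denied, or decided by an access list? The following Python model, an added example and not Cisco code or material from the module, works through that decision for the three-segment small-business design. The interface names, the DMZ level of 50, the addresses, and the single inbound ACL on the outside interface (which is what makes outside-to-DMZ traffic "selectively permitted") are constructed assumptions; NAT, inspection engines and outbound ACLs are deliberately left out.

```python
"""Simplified model of how an ASA decides whether a flow between two named
interfaces is allowed.  Constructed teaching example, not Cisco code: the
interface names, security levels, addresses and the single ACL are
assumptions chosen to match the small-business figure (inside VLAN 1,
DMZ VLAN 3, outside VLAN 2).  NAT, inspection engines and outbound ACLs
are deliberately left out of the model."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# An inbound access control entry: (action, destination network, destination port or None = any)
Ace = Tuple[str, str, Optional[int]]


@dataclass
class Interface:
    nameif: str
    security_level: int            # 0 = least trusted (outside) .. 100 = most trusted (inside)
    inbound_acl: List[Ace] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The module: each operational interface needs a name and a level from 0 to 100.
        if not self.nameif or not 0 <= self.security_level <= 100:
            raise ValueError(f"{self.nameif!r}: security-level must be 0..100")


@dataclass
class Asa:
    interfaces: Dict[str, Interface]
    # Models 'same-security-traffic permit inter-interface'; off by default.
    same_security_inter_interface: bool = False

    def default_policy(self, src_if: str, dst_if: str) -> str:
        """Implicit policy used when no ACL is applied to the ingress interface."""
        s = self.interfaces[src_if].security_level
        d = self.interfaces[dst_if].security_level
        if s > d:
            return "permit"      # higher -> lower (outbound) is implicitly permitted
        if s == d:
            return "permit" if self.same_security_inter_interface else "deny"
        return "deny"            # lower -> higher (inbound) is implicitly denied

    def evaluate(self, src_if: str, dst_if: str, dst_ip: str, dst_port: int) -> str:
        """Decision for a new connection entering src_if and leaving dst_if."""
        ingress = self.interfaces[src_if]
        if ingress.inbound_acl:
            # Once an ACL is applied inbound, it replaces the implicit policy:
            # first match wins and an unmatched packet hits the implicit deny.
            for action, net, port in ingress.inbound_acl:
                if ip_address(dst_ip) in ip_network(net) and port in (None, dst_port):
                    return action
            return "deny"
        return self.default_policy(src_if, dst_if)


def small_business_asa() -> Asa:
    """The three-segment topology from the module, with constructed addressing."""
    web_server = "192.168.3.10/32"   # constructed DMZ web server address
    return Asa(interfaces={
        "inside":  Interface("inside", 100),
        "dmz":     Interface("dmz", 50),
        # 'Selectively permitted': only HTTP to the web server may enter from outside.
        "outside": Interface("outside", 0, inbound_acl=[("permit", web_server, 80)]),
    })


def zone_decisions(asa: Asa) -> Dict[str, str]:
    """The zone interactions listed in the module, evaluated against the model."""
    return {
        "inside->outside":  asa.evaluate("inside", "outside", "203.0.113.5", 443),
        "inside->dmz":      asa.evaluate("inside", "dmz", "192.168.3.10", 80),
        "outside->dmz web": asa.evaluate("outside", "dmz", "192.168.3.10", 80),
        "outside->dmz ssh": asa.evaluate("outside", "dmz", "192.168.3.10", 22),
        "outside->inside":  asa.evaluate("outside", "inside", "192.168.1.20", 445),
        "dmz->inside":      asa.evaluate("dmz", "inside", "192.168.1.20", 445),
    }


if __name__ == "__main__":
    for flow, verdict in zone_decisions(small_business_asa()).items():
        print(f"{flow:18} {verdict}")
```

Running it reproduces the module's figures: inside to outside and inside to DMZ are permitted by level alone, HTTP from outside to the DMZ web server is permitted only because the ACL says so, SSH to the same server and anything from outside to inside fall through to the implicit deny, and DMZ to inside is denied because 50 is lower than 100. Flipping `same_security_inter_interface` shows the same-level behaviour described in the Network Access row of the table.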

The ASA 5506-X with FirePOWER Services
ASA 5506-X Deployment Scenarios (Cont.)
Enterprise
In an enterprise deployment, as shown
here, the ASA 5505 can be used by
telecommuters and home users to connect
to a centralized location using a VPN.

20.3 Introduction to the ASA
Summary

Introduction to the ASA Summary
What Did I Learn in this Module?

• The choice of ASA model depends on an organization’s requirements, such as maximum throughput,
maximum connections per second, and budget.
• When discussing networks connected to a firewall, terms to consider include outside network, inside
network, and the DMZ.
• There are two firewall interface modes of operation available on ASA devices: routed mode and
transparent mode.
• Advanced ASA firewall features include ASA virtualization, high availability with failover, identity firewall,
and threat control and containment services.
• Most ASA appliances come pre-installed with either a Base license or a Security Plus license.
• The Cisco ASA 5506-X delivers a high-performance firewall, SSL VPN, IPsec VPN, and rich networking
services in a plug-and-play appliance.
• The security level numbers range from 0 (untrustworthy) to 100 (very trustworthy).
• The ASA 5506-X is commonly used as an edge security device. It connects a small business to an ISP
device, such as a DSL or cable modem, for access to the internet.
Introduction to the ASA Summary
New Terms and Commands
• Security Services Module (SSM)
• Content Security and Control (CSC) module
• Advanced Inspection and Prevention Security Services Module (AIP-SSM)
• Advanced Inspection and Prevention Security Services Card (AIP-SSC)
• Next-generation IPS (NGIPS)
• Outside network
• Inside network
• context-based access control (CBAC)
• routed mode
• transparent mode
• show activation-key
• inspection engines
• application filtering
