Anda di halaman 1dari 2


-> Stateful Firewall Filtering

- Supports application level inspection (non standard)
-> Supports both IPsec and SSL VPNs
-> Supports IPS
-> Content Filtering (virus, spyware,spam,etc)
-- Stateful Firewall-o Track traffic (trust to untrust)
o Create an entry in state table
o Track Traffic from untrested to trusted
- Permit, if an entry exists in the state table
- Deny, if no entry exists in the state tabel
--ASA Traffic Inspection-o Modular Policy Framework (MPF) uses inspection engine
o Configuration using 3 steps :
- Class Map, Policy Map, Service Policy
o MPF controls...
- What traffic is inspected (Class Map)
1. Basic layer 3 or 4 inspection (Std Apps)
2. App layer inspection (non-std), HTTP SMPT,DNS, SIP,etc
- Different for each appliacation
- How traffic is inspected (Policy Map)
1. Connection limits, QoS paramters,etc.
- Direction of Inspection
1. Inside, Outside, DMZ
ps. Uses ACLs as exceptions to MPF Inspection (no engine)
ASA MPF vs IOS Zone Base Policy FW
1. ASA is less flexible
2. But, better inspection and performance
3. Not a promblem, but need to take to the account
--Mode of Operation--

o Routed Firewall
- Different subnets and VLANs
o Transparent Firewall
- Same subnet but different VLANs
- Traffic is bridged between interfaces
- Using CAM table
- no VPN termination, same as Multiple context ASA
p.s. Multiple Context and Transparent FW stops dynamic routing and VPN
--ASA VPN Termination-o Support both IPsec and SSL VPN Termination