Chapter 14: Configuring Basic Firewall Policies on Cisco

ASA
I. The ASA Appliance Family and Features
1. Meet the ASA Family
Table 14-2 ASA Models
Model
Description
ASA 5505

This is the entry-level device. It is relatively small compared to the other

appliances, and is not large enough (that is, not wide enough) to be rack
mounted in a 19-inch-wide rack. It comes with a built-in switch that has 8
ports, and 2 of them support PoE. By default, all the interfaces on the switch
port belong to VLAN 1, and the method used to connect this device to
multiple networks is to assign the switch ports to at least 2 separate VLANs
and then create SVIs, which are logical Layer 3 interfaces just like on a
management interface for a switch, for each logical Layer 3 interface you
want the ASA to use. This is the only ASA 55xx series appliance with a builtin switch and with this behavior. This device has a single slot allowing the
addition of a compatible module

ASA 5510

This firewall has 4 built-in routable interfaces, and a management Ethernet

interface that can be used as a dedicated interface for management only or can
be converted to be a fifth routable interface on the ASA. This firewall has an
option slot that supports a compatible module, such as an IPS module, which
is like having an IPS appliance (if installed) that lives inside the ASA

ASA 5520, 5540, 5550 These firewalls are like the 5510, with the exception that they have more
capacity
ASA 5585

High-performance, high-capacity firewall devices that support multiple addons, such as modules compatible with these appliances. These appliances
take more vertical space in a rack compared to the 5510 to 5550

Firewall Services
Module (FWSM) and
the ASA Services
Module

These are blade firewalls that fit into a compatible switch, such as a 6500.
They support many of the same features of the standalone ASA appliances in
the 55xx family

2. ASA Features and Services

1.

Packet filtering Simple packet filtering normally represents an access list. It is also
true with regard to this feature that the ASA provides. The ASA supports both standard
and extended access lists. The most significant difference between an access list on an
ASA versus an access list on a router is that the ASA never ever uses a wildcard mask.
Instead, if it needs to represent a mask related to a permit or deny statement in an
ACL, it just uses the real mask in the ACL.
2. Stateful filtering By default, the ASA enters stateful tracking information about
packets that have been initially allowed through the firewall. Therefore, if you have an
ACL applied inbound on the outside interface of the firewall that says deny everything,
but a user from the inside makes a request to a server on the outside, the return traffic is
allowed back in through the firewall (in spite of the ACL that stops initial traffic from
the outside) because of the stateful inspection that is done by default on the initial
traffic from the client out to the server, which is now dynamically allowing the return
traffic to come back in. This is probably the most significant and most used feature on

3.

4.

5.

6.
7.

the ASA. One way of thinking about stateful filtering is to imagine that the ASA is
going to build a dynamic permit entry in a virtual ACL that will permit the return
traffic. Suppose that you are sending a packet to a web server. Your source address is
4.4.4.4, and your source TCP port is 4444. The destination IP address of the server is
5.5.5.5, and the destination port is TCP 60 (web/http). The ASA will (virtually, as this
is just a way to consider it) remember this outbound session and expect to see a return
packet from 5.5.5.5 destined to 4.4.4.4 (the client), and the source port is TCP:80 (for
the return packet), and the destination port is TCP:4444 (again going back to the
client). The virtual ACL, or state table, that is dynamically created by the ASA
would say please permit this packet (the return one) from the outside network to the
inside network where the client is waiting for this reply.
Application inspection/awareness The ASA can listen in on conversations between
devices on one side and devices on the other side of the firewall. The benefit of
listening in is so that the firewall can pay attention to application layer information. An
example of this is a client on the inside of our network going to an FTP server on the
outside. The client may open a connection from a source port of 6783 to the wellknown FTP port of TCP:21. During the conversation between the client and the server,
stateful inspection is inspecting traffic (and allowing reply traffic inbound from the
outside networks) as long as the source IP address is the server and the source port is
21 (coming from the server back to the client) and the destination port is 6783. That is
how stateful inspection works. Unfortunately, some applications, such as FTP,
dynamically use additional ports. In the case of standard FTP, the client and the server
negotiate the data connection, which is sourced from port 20 at the server and destined
for whatever port number was agreed to by the client. The challenge is this is that the
initial packets for this data connection are initiated from the server on the outside. As a
result, normal stateful filtering denies it (either by default rules or an ACL that is
denying initial traffic from the outside). With application layer inspection, the ASA
learns about the dynamic ports that were agreed to and dynamically allows the data
connection to be initiated from the server who is on the outside going to the client on
the inside
NAT You learned about the benefits of NAT and PAT earlier in this book, and it
comes as no surprise that the ASA supports both of these. It supports inside and
outside NAT, and both static and dynamic NAT and PAT, including policy NAT, which
is only triggered based on specific matches of IP addresses or ports. There is also the
ability to perform NAT exemption (for example, specifying that certain traffic should
not be translated). This comes in handy if you have NAT rules that say everybody who
is going from the inside networks out to the Internet should be translated, but at the
same time you have a VPN tunnel to either a remote user or a remote network. Any
traffic from the inside network going over the VPN tunnel in most cases should not be
translated, so you set up exemption rule that says traffic from the inside networks to the
destinations that are reachable via the VPN tunnels should not be translated. The
policy that indicates that traffic should not be translated is often referred to as NAT
zero.
DHCP The ASA can act as a DHCP server or client or both. This is a handy feature
when implementing a firewall at a smaller office that might require getting a globally
routable address from our service provider through DHCP and at the same time the
ability to hand out addresses to the internal DHCP clients at that location.
Routing The ASA supports most of the interior gateway routing protocols, including
RIP, EIGRP, and OSPF. It also supports static routing
Layer 3 or Layer 2 implementation The ASA can be implemented as a traditional
Layer 3 firewall, which has IP addresses assigned to each of its routable interfaces.
The other option is to implement a firewall as a transparent firewall, in which the actual
physical interfaces receive individual IP addresses, but a pair of interfaces operate like
a bridge. Traffic that is going across this two-port bridge is still subject to the rules and
inspection that can be implemented by the ASA. The ASA can still perform application

layer inspection and stateful filtering.

VPN support The ASA can operate as either the head-end or remote-end device for
VPN tunnels. When using IPsec, the ASA can support remote-access VPN users and
site-to-site VPN tunnels. When supporting SSL, it can support the clientless SSL VPN
and the full AnyConnect SSL VPN tunnels (which hand out IP addresses to remote
VPN users, similar to the IPsec remote VPN users). SSL is a very upcoming and
popular option for VPNs and is only used for remote access, not for site-to-site VPNs.
9. Object groups An object group is a configuration item on the ASA that refers to one
or more items. In the case of a network object group, it refers to one or more IP
addresses or network address ranges. The benefit of an object group is that a single
entry in an access list could refer to an object group as the source IP or destination IP
address in an individual ACE, and the ASA logically applies that entry against all the IP
addresses that are currently in the object group. If an object group has four IP
addresses in it, and we use that object group in a single entry of an ACL that permits
TCP traffic to the object group, in effect we are allowing TCP traffic to each of those
four IP addresses that are in the group. If we change the contents of the group, the
dynamics of what that ACL permits or denies also change.
10. Botnet traffic filtering A botnet is a collection of computers that have been
compromised and are willing to follow the instructions of someone who is attempting
to centrally control them (for example, 10,000 machines all willing [or so commanded]
to send a flood of ping requests to the IP address dictated by the person controlling
these devices). Often, users of these computers have no idea that their computers are
participating in this coordinated attack. The ASA works with an external system at
Cisco that provides information about the Botnet Traffic Filter Database and so can
protect against this.
11. High availability By using two firewalls in a high-availability failover combination,
you can implement protection against a single system failure.
12. AAA support The use of AAA services, either locally or from an external server
such as ACS, is supported.
8.

II. ASA Firewall Fundamentals

1. ASA Security Levels
1. ASA has security levels 0 to 100. The higher the number the more it's trusted. The
inside interface will most likely be assigned a security level of 100 while the outside
interface should be assigned 0.
2. Making ASA interfaces operational:
a. Assign a security level to the interface
b. Assign a name to the interface
c. Bring up the interface with the no shutdown command
3. Common to have an interface in the middle to allow outside connection to a server for
example; this is called a DMZ

2. The Default Flow of Traffic

1. Higher security interfaces (for example, inside security 100) that source traffic destined
to a lower security level interface is by default allowed. Return traffic will be allowed
do to stateful inspection

2. Default behavior of traffic source and destined between interfaces of the same security
level is denied, but this can be changed
3. Default behavior of traffic source and destined on the same interface is also not
permitted, but this can be changed as well. (This is called a hairpin turn)

3. Tools to Manage the ASA

1.
2.
3.

CLI Functions similar to IOS

ASA Security Device Manager (ASDM) GUI included with the ASA
Cisco Security Manager (CSM) An enterprise (commercial grade) GUI tool that
can manage most of your network devices, including routers, switches, and security
appliances such as the ASA

4. Initial Access
1. Factory default allows console access / full access
2. ASDM is included with ASAs. Uses SSL to connect. Connect up to five separate
firewalls and switch between them conveniently from ASDM.

5. Packet Filtering on the ASA

1. If outside users require access to the webserver on the DMZ, this will be denied by
default do to traffic source from a lower security level attempting to move to a higher
security level. However you can apply standard and extended ACLs to interfaces, for
example the outside interface, to allow specific traffic to the DMZ.
2. Traffic directions:
a. Inbound to an interface Traffic that is going into an interface (any interface).
This is also referred to as ingress traffic (from an interface perspective).
b. Inbound from a security level perspective Traffic that is being routed by the
ASA from a lower-security interface to a higher-security interface, such as from the
outside to the DMZ, from the outside to the inside, from the DMZ to the inside.
This is from a high-level perspective of the firewall as a whole device.
c. Outbound from an interface Traffic that is exiting an interface (any interface)
is also referred to as egress traffic (from an interface perspective).
d. Outbound from a security level perspective Traffic that is being routed by the
ASA from a high-security interface to a lower-security interface, such as inside to
DMZ, inside to outside, or DMZ to outside. This is from a high-level perspective
of the firewall as a whole device

6. Implementing a Packet-Filtering ACL

1. To allow Internet traffic to the DMZ server, you would want to create an ACL inbound
on the outside interface allowing any source but only to the DMZ server ip address and
any ports that the DMZ server is servicing of which you want to allow through the
firewall.

7. Modular Policy Framework

1. IOS uses the inspect option to differentiate between regular class/policy/service policy
maps.
2. IOS uses class maps to classify traffic while policy maps take action and service
policies apply the policy maps to an interface
3. Modular Policy Framework (MPF) ASA Does the same thing as IOS but can also
implement a service-policy globally.
a. Can use MPF to forward traffic to an IPS
b. Give priority to voice packets etc...
c. Class maps identify based on Layer 3 and Layer 4, and also application specific
class maps for layers 5 to 7.
d. Layer 3 and 4 class maps can identify traffic via the following methods:
a. Referring to an ACL
b. Looking at the DSCP and/or IP Precedence fields of a packet
c. TCP or UDP ports
d. IP Precedence
e. Real-time Transport Protocol (RTP) port numbers
f. VPN tunnel groups
e. Policy maps use class maps to identify traffic and specify the actions to take on
them
a. Reroute the traffic to a hardware module such as the IPS module that is inside
the ASA
b. Perform inspection on that traffic (related to stateful filtering or application
layer inspection/filtering)
c. Give priority treatment to the forwarding of that traffic
d. Rate-limit or police that traffic
e. Perform advanced handling of the traffic

8. Where to Apply a Policy

1. Can apply a policy map to an interface. Each interface can only have one policy
applied to it. Global policy map applies to all interfaces. If you have a policy map
applied to an interface, both the interface policy map and the global policy map are
used.

III. Configuring the ASA

1. Beginning the Configuration

1. Booting up the ASA, shown below:

2. Use the setup script, or not and you can run it later. Using the setup script should get
you enough configuration done to allow ASDM and remote access.

3. Below is showing a ping from the ASA to ensure it has IP connectivity.

2. Getting to the ASDM GUI

1. When connecting to the ASA via ASDM, you are prompted to use the applet directly
from the ASA or install it on your PC. You are prompted to accept an untrusted ASA
self-signed certificate, you must accept it. Later you can implement a public key
infrastructure (PKI) self signed certificate. ASDM prompts for a user and password,
however you have not configured one yet. Leave the user field blank and use the
enable secret password you configured during the setup script. Your in!

2. This is the dashboard, above.

3. Dashboard shows the following:
a. Version of software
b. Model
c. Mode it is running in
d. Memory size of flash and RAM
e. License tab shows general license info
f. Graphically shows VPN sessions and traffic status
g. Can run a setup wizard by going to the Wizards menu
a. See below for the wizard menu

3. Configuring the Interfaces

1.

Configuration > Device Setup > Interfaces (as shown below)

2. The below shows how to create a new SVI. You click the Add button. The VLAN
number is dynamically used, or you can click the Advanced tab to choose it yourself.
3. Associate interfaces
4. Configure IP address (static, dhcp, pppoe)
5. Enable interface
6. Security level
7. Interface name

8. Advanced tab, configure VLAN ID and MTU.

a. MAC address cloning used for high availability
b. Block traffic
c. Base license only supports up to 3 named interfaces

9. Summary page below:

a. name of interface
b. switch ports associated with logical interface
c. security level
d. ip address
e. VLAN number and more
f. HERE you can also change the default of traffic being denied between two
interfaces of the same security level and also traffic two or more hosts of the same
interface (intra interface)
a. Check the boxes below the summary window.

10. In this example we want an inside interface, outside, and DMZ. So we must change
the management interface to DMZ. The security level does not change after changing
the name, but we will change it manually to 50 to be higher than the outside interface
but lower than the inside interface.
11. Problem here is that you can only have two named interfaces functioning at the same
time with the base license. Therefore you need to upgrade the ASA to have all
interfaces functioning. Upgrade to Plus license.

12. CLI configuration of what we went over using ASDM

4. IP Addresses for Clients

1. Configure DHCP server
a. Configuration > Device Management > DHCP > DHCP Server (shown below)
b. Timeouts and lengths are set to a default if not configured

2. CLI dhcp configuration

5. Basic Routing to the Internet

1. Can use IGPs, not BGP
2. Modify Routing Table:
a. Configuration > Device setup > Routing
a. Modify static and dynamic routing
1. Static Route Click on the Static Routes link and click Add (shown
below)

3. CLI static route

6. NAT and PAT

1.

Configuration > Firewall > NAT Rules click Add

a. Top half is the source interface, and source address of which you can use an object
group, and even create an object group here using the ... button.
b. Bottom half configures the exit interface and what kind of NAT or PAT. In this
case it's Dynamic PAT (Hide) mode.
c. Click OK and Apply

2. CLI NAT/PAT config

3. NAT rules shown below.

4. Hover over object to see details, or navigate to Network Objects/Groups
5. Navigate to Interfaces to see the IP addressing details of the outside interface

7. Permitting Additional Access Through the Firewall

1. Create packet filter to control traffic from the inside to another interface or even allow
outside traffic in to the DMZ server
a. Configuration > Firewall > Access Rules
a. Default policy is to allow all traffic (because it's not security 0) from the inside
or DMZ to less secured interfaces, particularly the outside interface
b. Default policy for security 0 (the outside) is to deny all except for reply traffic
done by stateful inspection.
c. Diagram button shows a visual representation of the NAT rules, and you can
view IPv4 or IPv6, or both.

2. Deny TCP/Telnet no matter the IP address (source or destination)

3.
4.
5.
6.

Navigate to Access Rules and click the Add button to add an ACL
Make sure you add an explicit permit all otherwise all traffic will be denied
Click Apply to add to the router.
ASDM assumes ingress of the specified interface.

7. CLI ACL config

8. Using Packet Tracer to Verify Which Packets Are Allowed

1. Use Packet Tracer to see whether any particular traffic is allowed in any particular path
a. Enter the source IP and port information and destination port and IP address and the
interface and packet type that the packet will be using as it leaves the user and
enters the firewall.

2. Source and destination information does not have to be ip addresses that are even
assigned as this is just from the perspective of the firewall configuration.
3. Shows each step and each check that the firewall does and will show whether the
simulated traffic was permitted or denied and why.

4. CLI Equivalent

9. Verifying the Policy of No Telnet

1. Testing telnet now to ensure it's denied

IV.Do I Know This Already? Quiz

Table 14-1 Do I Know This Already? Section-to-Question Mapping
Foundation Topics Section
Questions
The ASA Appliance Family and Features

1-3

ASA Firewall Fundamentals

4-7

Configuring the ASA

8-10

1. Which of the following features does the Cisco ASA provide? (Choose all that apply.)
a. Simple packet filtering using standard or extended access lists
b. Layer 2 transparent implementation
c. Support for remote-access SSL VPN connections
d. Support for site-to-site SSL VPN connections
2. Which of the following has an option slot that can support a hardware module?
(Choose all that apply.)
a. 5505
b. 5510
c. 5540
d. FWSM
3. When used in an access policy, which component could identify multiple servers?
a. Stateful filtering
b. Application awareness
c. Object groups
d. DHCP services
4. Which of the following is an accurate description of the word inbound as it relates to
an ASA? (Choose all that apply.)
a. Traffic from a device that is located on a high-security interface
b. Traffic from a device that is located on a low-security interface
c. Traffic that is entering any interface
d. Traffic that is existing any interface
5. When is traffic allowed to be routed and forwarded if the source of the traffic is from a
device located off of a low-security interface if the destination device is located off of a
high-security interface? (Choose all that apply.)
a. This traffic is never allowed
b. This traffic is allowed if the initial traffic was inspected and this traffic is the return
traffic
c. If there is an access list that is permitting this traffic
d. This traffic is always allowed by default
6. Which of the following tools could be used to configure or manage an ASA? (Choose
all that apply.)
a. Cisco Security Manager (CSM)
b. ASA Security Device Manager (ASDM)
c. Cisco Configuration Professional (CCP)
d. The command-line interface (CLI)
7. Which of the following elements, which are part of the Modular Policy Framework on
the ASA, are used to classify traffic?
a. Class maps
b. Policy maps
c. Service policies
d. Stateful filtering

8. When configuring the ASA as a DHCP server for a small office, what default gateway
will be assigned for the DHCP clients to use?
a. The service provider's next-hop IP address
b. The ASA's outside IP address
c. The ASA's inside IP address
d. Clients need to locally configure a default gateway value
9. When configuring network address translation for a small office, devices on the
Internet will see the ASA inside users as coming from which IP address?
a. The inside address of the ASA
b. The outside address of the ASA
c. The DMZ address of the ASA
d. Clients will each be assigned a unique global address, one for each user
10. You are interested in verifying whether the security policy you implemented is having
the desired effect. How can you verify this policy without involving end users or their
computers?
a. Run the policy check tool which is built in to the ASA
b. The ASA automatically verifies that policy matches intended rules
c. Use the Packet Tracer tool
d. You must manually generate the traffic from an end-user device to verify that the
firewall will forward it or deny it based on policy

V. Review All the Key Topics

Table 14-3 Key Topics
Key Topic
Description
Element

Page
Number

Text

Meet the ASA family -

330

Text

ASA features and services -

331

Text

ASA security levels -

333

Text

The default flow of traffic -

335

Figure 14-2

Default permissions and return traffic due to stateful filtering -

336

Text

Packet filtering on the ASA -

337

Text

Modular Policy Framework -

338

Text

Configuring the interfaces -

347

Example 14-4 Using the CLI to implement additional firewall interfaces -

352

Text

IP addresses for clients -

355

Text

Basic routing to the Internet -

356

Text

NAT and PAT -

357

Text

Permitting additional access through the firewall -

359

Text

Verifying which packets are allowed with ASA Packet Tracer -

362

VI. Complete the Tables and Lists from Memory

Table 14-2 Advantages and Limitations of Available HA Methods
Method
Advantages
Limitations
Active/standby Can offer stateful or stateless
failover
methods. Stateful operation is required to prevent session reestablishment during or after a failover.

No load sharing or balancing occurs

between devices. Only one device is
active at a time. Lack of support for
clientless SSL VPN applications.

VPN load
balancing
(clustering)

Allows for the load between devices to be shared among them

based on the least used device
receiving the latest connection attempt.
Differing hardware and software
revisions can be used.
Native, built-in ASA feature.

Cannot provide stateful failover.

Load balancing
using an
external load
balancer

Allows for the load between devices to be shared among them.

We have greater flexibility in
choosing load-balancing algorithms than clustering.
Differing hardware and software
revisions can be used.

Cannot provide stateful failover.

No active failover between devices.
Clients must reconnect to the next
available device after being disconnected.

Redundant
VPN Servers

Allows for connections to be

shared among available devices
based on clients using different
VPN server addresses.
Differing hardware and software
revisions can be used.

No active failover detection. Clients

must use DPD for peer detection.
Connections are not stateful.
Clientless SSL VPN cannot use this
method.

Table 14-4 ASDM VPN Cluster Configurable Fields and Values

Field
Value
Participate in Load Balancing Disabled by default. Before this device can join an active cluster or
Cluster
become the master of a new one, you must select this option.
Cluster IP Address

Enter the virtual cluster IP address to be used by this cluster. All members of the cluster must have the same address
configured.

UDP Port

Enter the UDP port used for cluster member communication. This port must be unused on the network (default
9023).

Enable IPsec Encryption

For messages between cluster members to be encrypted

instead of sent in plain text, select this option.

IPsec Shared Secret

Enter the shared secret that will be used by each cluster

member to encrypt the messages between them.

Verify Secret

Enter the secret from the preceding step again to confirm

your entry.

Public Interface

Select from the drop-down list your public/external-facing

interface. Cluster member interfaces must be on the same

network.
Priority

Enter the priority value 1 to 10 for this device used for

master negotiations. The higher value wins (default 10).

Private Interface

Select from the drop-down list your private/internal-facing interface. Cluster member interfaces must be on the
same network.

NAT Assigned IP Address

Enter the IP address the device is being NAT-ed to. If you

are not using a NAT on your network, leave this field
blank.

Send FQDN to Client Instead By default, the cluster master sends the IP address of a
of an IP Address When
cluster member to a connecting user/client when redirectRedirecting
ing. However, if using certificates, the master can be configured to send the FQDN after performing a reverse
Domain Name System (DNS) lookup of the cluster member it is redirecting to.
Table 14-2 ASA Models
Model
Description
ASA 5505

This is the entry-level device. It is relatively small compared to the other

appliances, and is not large enough (that is, not wide enough) to be rack
mounted in a 19-inch-wide rack. It comes with a built-in switch that has
8 ports, and 2 of those provide support for Power over Ethernet. By
default, all the interfaces on the switch port belong to VLAN 1, and the
method used to connect this device to multiple networks is to assign
the switch ports to at least 2 separate VLANs and then create switched
virtual interfaces (SVI), which are logical Layer 3 interfaces just like on
a management interface for a switch, for each logical Layer 3 interface
you want the ASA to use. This is the only ASA 55xx series appliance
with a built-in switch and with this behavior. This device has a single slot
allowing the addition of a compatible module.

ASA 5510

This firewall has 4 built-in routable interfaces, and a management

Ethernet interface that can be used as a dedicated interface for
management only or can be converted to be a fifth routable interface
on the ASA. This firewall has an option slot that supports a compatible
module, such as an intrusion prevention system (IPS) module, which is
like having an IPS appliance (if installed) that lives inside the ASA.

ASA 5520,
5540, 5550

These firewalls are like the 5510, with the exception that they have
more capacity.

ASA 5585

High-performance, high-capacity firewall devices that support multiple

add-ons, such as modules compatible with these appliances. These
appliances take a more vertical space in a rack compared the 5510 to
5550.

Firewall
Services
Module
(FWSM) and
the ASA
Services
Module

These are blade firewalls that fit into a compatible switch, such as a
6500. They support many of the same features of the standalone ASA
appliances in the 55xx family.

VII. Define Key Terms

1.
2.
3.
4.
5.
6.
7.

stateful filtering security levels SVI Modular Policy Framework class map policy map service policy -

VIII. Command Reference to Check Your Memory

Table 14-4 Command Reference
Command
Description
Nameif bubba

Assign a name bubba to a Layer 3 interface, done from interface configuration mode

Security-level 50 Assign a security level to an interface, done from interface configuration mode
No shutdown

Bring an interface up out of shutdown mode