14/22 Configuring Basic Firewall Policies on Cisco ASA (CCNA Security 640-554 Exam Cram)

14.1 Key Terms

stateful filtering = More than just a simple packet filter check, stateful inspection can determine whether a network flow exists and can look at information up to the application layer. A stateful filtering firewall dynamically allows the return traffic to the user, from the server they were accessing on the other side of the firewall. This is implemented in the ASA firewall and in the Zone-Based Firewall feature on an IOS router.

security levels = Numeric levels used in the ASA to define a relationship of more secure or less secure.

SVI = Switched virtual interface, or “interface VLAN,” on a switch

Modular Policy Framework (MPF) = Modular policy framework. A newer technique using the class map and policy map framework to bring about all sorts of manipulations or additional functions to a router. This is what the ASA refers to when using class maps, policy maps, and the service policy commands. On an IOS router, these are referred to as C3PL components.

class map = The portion of modular policy framework (MPF) in the ASA, or C3PL on routers and switches, that defines what types of traffic belong to a certain class. Policy maps rely on class maps for the classification of traffic.

policy map = The portion of MPF or C3PL that defines what actions occur to traffic belonging to each class.

service policy = Just like in MQC for quality of service (QoS), this is the device that ties a policy to an interface (QoS) or to a zone pair (ZBF). On an ASA, this is the command element that links a policy to one or more interfaces.

14.2 Things to Remember

14.2.1 ASA Models

Model > Description

ASA 5505 > This is the entry-level device. It is relatively small compared to the other appliances, and is not large enough (that is, not wide enough) to be rack mounted in a 19-inch-wide rack. It comes with a built-in switch that has 8 ports, and 2 of those provide support for Power over Ethernet. By default, all the interfaces on the switch port belong to VLAN 1, and the method used to connect this device to multiple networks is to assign the switch ports to at least 2 separate VLANs and then create switched virtual interfaces (SVI), which are logical Layer 3 interfaces just like on a management interface for a switch, for each logical Layer 3 interface you want the ASA to use. This is the only ASA 55xx series appliance with a built-in switch and with this behaviour. This device has a single slot allowing the addition of a compatible module.

ASA 5510 > This firewall has 4 built-in routable interfaces, and a management Ethernet interface that can be used as a dedicated interface for management only or can be converted to be a fifth routable interface on the ASA. This firewall has an option slot that supports a compatible module, such as an intrusion prevention system (IPS) module, which is like having an IPS appliance (if installed) that lives inside the ASA.

ASA 5520, 5540, 5550 > These firewalls are like the 5510, with the exception that they have more capacity.

ASA 5585 > High-performance, high-capacity firewall devices that support multiple add-ons – such as modules compatible with these appliances. These appliances take a more vertical space in a rack compared the 5510 to 5550.

Firewall Services Module (FWSM) and the ASA Services Module > These are blade firewalls that fit into a compatible switch, such as a 6500. They support many of the same features of the standalone ASA appliances in the 55xx family.

14.3 Command References

Command > Description

nameif bubba > Assign a name bubba to a Layer 3 interface, done from interface configuration mode

security-level 50 > Assign a security level to an interface, done from interface configuration mode

no shutdown > Bring an interface up out of shutdown mode

14.4 Command Examples

Initial Boot of the 5505 ASA

Running the Initial Setup Script on the ASA

Issuing an ICMP Echo Request (Ping) from the ASA

KI-ASA# ping 192.168.1.100

Implementing Additional Firewall Interfaces

KI-ASA (config)# configure terminal

KI-ASA (config)#

KI-ASA (config)# interface Vlan1

KI-ASA (config-if)# no shutdown

KI-ASA (config-if)# description connect to the dmz

KI-ASA (config-if)# nameif dmz

KI-ASA (config-if)# security-level 50

KI-ASA (config-if)# ip address 192.168.1.254 255.255.255.0

KI-ASA (config-if)# exit

KI-ASA (config)# interface Vlan2

KI-ASA (config-if)# no shutdown

KI-ASA (config-if)# description connects to my private network

KI-ASA (config-if)# nameif inside

KI-ASA (config-if)# security-level 100

KI-ASA (config-if)# ip address 10.0.0.1 255.255.255.0

KI-ASA (config-if)# exit

KI-ASA (config)#

KI-ASA (config)# interface Vlan4

KI-ASA (config-if)# no shutdown

KI-ASA (config-if)# description connects to the internet

KI-ASA (config-if)# no forward interface Vlan2

KI-ASA (config-if)# nameif outside

KI-ASA (config-if)# security-level 0

KI-ASA (config-if)# ip address 23.1.2.3 255.255.255.240

KI-ASA (config-if)# exit

KI-ASA (config)#

KI-ASA (config)# interface Ethernet0/1

KI-ASA (config-if)# switchport access vlan 4

KI-ASA (config-if)# exit

KI-ASA (config)#

KI-ASA (config)# interface Ethernet0/2