A firewall is a network security system which takes actions on the ingoing or outgoing packets based on the defined rules on the basis of IP address, port numbers. Cisco calls its firewall as Adaptive Security Appliance (ASA).
The Cisco ASA 5500 series has models:
Cisco ASA 5505, Cisco ASA 5510, Cisco ASA 5515-X, Cisco ASA 5520, Cisco ASA 5525-X, Cisco ASA 5540, Cisco ASA 5550, Cisco ASA 5555-X, Cisco ASA 5585-X.
Adaptive Security Appliance (ASA) –
ASA is Cisco security device that can perform basic firewall capabilities with VPN capabilities, antivirus and many other features. Some of the features of ASA are:
- Packet filtering –
Packet filtering is a simple process of filtering the incoming or outgoing packet on the basis of rules defined on the ACL which has been applied to the device. It consists of various permit or deny conditions. If the traffic matches one of the rule, no other rule is matched and the matched rule is executed.
- Stateful filtering –
By default, ASA performs stateful tracking of the packet if the packet is generated from higher security level to lower security level.
By default, if the traffic is initiated by the devices in higher security levels for lower security levels device (as destination), TCP and UDP reply traffic will be allowed and will able to, say, telnet the other device in Lower security level. This is because a stateful database is maintained (in which an entry about the source and destination device information such as IP address, port numbers are maintained) as stateful inspection is enabled by default.
- Routing support –
ASA can perform static routing, Default routing also dynamic routing protocols like EIGRP, OSPF and RIP.
- Transparent firewall –
ASA can operate in two modes:
- Routed mode: In this mode, ASA acts like a layer 3 device (router hop) and needs to have two different IP address (means two different subnets) on its both interface.
- Transparent mode: In this mode, ASA operates at layer 2 and only a single IP address is needed to manage ASA management purpose as both the interfaces (inside and outside) acts like a bridge.
- AAA support –
ASA supports AAA services either using its local database or using a external server like ACS (Access Control Server).
- VPN support –
ASA supports policy-bases VPNs like point-to-point IPsec VPN(site-to-site VPN and remote-access VPN) and SSL based VPNs.
- Supports IPv6 –
ASA (new versions) supports IPv6 routing such as static, dynamic.
- VPN load Balancing –
It is a Cisco proprietary feature of Cisco ASA. Multiple clients can be shared across multiple ASA units at the same time.
- Stateful failover –
ASA supports high availability of pair of Cisco ASA devices.If one of the ASA goes down, the other ASA device will perform the operations without any interruption. When stateful failover is enabled, the active unit continously passes connection state information to the backup device. After the failover occurs, same connection information is available on the new active unit.
- Clustering –
Cisco ASA let’s us configure multiple ASA devices as a single logical device. cluster can consists of maximum 8 cohesive units. This results in high throughput and at the same time, provides redundancy.
- Advance Malware Protection (AMP) –
Cisco ASA provides support for Next-Generation firewall features which can provide protection advanced malware protection in a single device as the classic firewall features are combined with NGFWs features.
- Modular Policy Framework (MPF) –
MPF is used to define policies for different traffic flows. Its used in ASA to utilize advanced firewall features like QOS, Policing, prioritising etc.
For using MPF, we define Class-map for identifying the type of traffic, policy-map for identifying what action should be taken like priortize and service-policy for where it should be applied.
Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.
- Basic configuration of Adaptive Security Appliance (ASA)
- TELNET and SSH on Adaptive Security Appliance (ASA)
- Port Address Translation (PAT) on Adaptive Security Appliance (ASA)
- Difference between Adaptive and Non-Adaptive Routing algorithms
- Default flow of traffic (ASA)
- Cisco ASA Redistribution example
- Static NAT (on ASA)
- Dynamic NAT (on ASA)
- Difference between Cyber Security and Information Security
- Difference between Network Security and Cyber Security
- Difference between Information Security and Network Security
- How Security System Should Evolve to Handle Cyber Security Threats and Vulnerabilities?
- Features of Enhanced Interior Gateway Routing Protocol (EIGRP)
- Difference between BISYNC and HDLC features
- Fundamental Features of MQTT
- Fundamental Features of MQTT | Set 2
- Fundamental Features of MQTT | Set 3
- Fundamental Features of MQTT | Set 4
- What is Information Security?
- Hash Functions in System Security
If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to firstname.lastname@example.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.