
This is the introduction to the cisco ASA firewall, where you will learn about the different model and physical appearance of ASA.
you will learn about the default behavior of ASA, about security zones and configuration to create them, also naming interfaces with security zones
By default no zone can communicate with each other, in order to allow traffic to communicate with different zones we create ACLs.
You will learn to configure Routing protocol OSPF on cisco ASA via CLI
You will learn to configure Routing protocol BGP on cisco ASA via CLI
You will learn to configure Routing protocol EIGRP on cisco ASA via CLI
You will learn to configure Routing protocol RIP on cisco ASA via CLI
You will learn to configure redistribution between OSPF and BGP on cisco ASA via CLI. At the end of the lab you will see routes redistribution in respective protocols.
NAT is important as we dont have many IPV4 address that can be provided to each machine. To overcome this problem we configure NAT such that our internal network stays secure and hidden from the internet.
We will explore the ASDM application and options to get started to configure ASA with ASDM. Its good to familiarize ourselves with the application and options in it for faster access in GUI
Its good to know about configuring the ASA using the ASDM application as some people like to configure via GUI.
CLI would be much better if you are CLI person otherwise its not different on the GUI to configure OSPF
CLI would be much better if you are CLI person otherwise its not different on the GUI to configure RIP
CLI would be much better if you are CLI person otherwise its not different on the GUI to configure BGP
Availability is the crucial aspect of the network as many business critical services needs to available 24/7. In this video you know about the different types of HA which you can configure in ASA
One of the easiest configuration but the standby device resources are not utilized as the device wait for the primary to fail which the probability of failure is low.
We have learned to configure HA Active Stanby using CLI its also best to know the alternative method to configure HA using ASDM
Security context allow us create virtual firewalls within firewall, its also provide the way to handle the traffic and utilizing the both the firewall unlike Active standby setup.
One of the best and robust HA in cisco ASA, as it provides HA as well as load balance the traffic for higher throughput and bandwidth.
This video will be the introduction to VPNs and different types of VPNs which you can configure in cisco ASA.
Site-to-site VPNs is secure but its good to learn to configure using ASDM
As we saw with CLI most of the things works but with ASDM not every time things work. Its better to learn in more than one way to configure VPNs.
learn to configure cisco Anyconnect VPN via ASDM application.
Cisco ASA has become one of the most widely used firewall/VPN solutions for small to medium businesses.
The firewall is the barrier between a trusted and untrusted network, often used between your LAN and WAN. It’s typically placed in the forwarding path so that all packets have to be checked by the firewall, where we can drop or permit them.
Architecture
The ASA software is based on Linux. It runs a single Executable and Linkable Format program called lina. This schedules processes internally rather than using the Linux facilities. In the boot sequence a boot loader called ROMMON (ROM monitor) starts, loads a Linux kernel, which then loads the lina_monitor, which then loads lina. The ROMMON also has a command line that can be used to load or select other software images and configurations. The names of firmware files includes a version indicator, -smp means it is for a symmetrical multiprocessor (and 64 bit architecture), and different parts also indicate if 3DES or AES is supported or not.
The ASA software has a similar interface to the Cisco IOS software on routers. There is a command line interface (CLI) that can be used to query operate or configure the device. In config mode the configuration statements are entered. The configuration is initially in memory as a running-config but would normally be saved to flash memory.
Options
The 5512-X, 5515-X, 5525-X, 5545-X and 5555-X can have an extra interface card added
The 5585-X has options for SSP. SSP stands for security services processor. These range in processing power by a factor of 10, from SSP-10 SSP-20, SSP-40 and SSP-60. The ASA 5585-X has a slot for an I/O module. This slot can be subdivided into two half width modules.
On the low end models, some features are limited, and uncrippling happens with installation of a Security Plus License. This enables more VLANs, or VPN peers, and also high availability. Cisco AnyConnect is an extra licensable feature which operates IPSec or SSL tunnels to clients on PCs, iPhones or iPads.
Stateful filtering
Firewalls, like routers can use access-lists to check for the source and/or destination address or port numbers. Most routers however, don’t spend much time at filtering…when they receive a packet, they check if it matches an entry in the access-list and if so, they permit or drop the packet. That’s it.
No matter if they receive a single packet or thousands, each packet is treated individually and we don’t keep track of packets we have seen before or not. This is called stateless filtering.
Firewalls, on the other hand, use stateful filtering. They keep track of all incoming and outgoing connections. Here are some examples:
A computer on the LAN uses its email client to connect to a mail server on the Internet. The client will start the connection with a TCP three-way handshake, which the firewall sees. The firewall will keep track of this connection and when the mail server responds, the firewall will automatically permit this traffic to return to the client.
A web server is sitting behind a firewall, it’s a busy server that accepts an average of 20 new TCP connections per second from different IP addresses. The firewall keeps track of all connections, once it sees a source IP address that is requesting more than 10 new TCP connections per second, it will drop all traffic from this source IP address, preventing a DoS (Denial of Service).