CCIE Security: Theory – Section 5.1 – ASA

ASAs now. Looks like I need to break section 5 down into several posts. Still very much in note form. Time is not on my side, so excuse any lack of coherence.

5.1 Cisco Adaptive Security Appliance (ASA)

5.1.a Firewall functionality

Advanced stateful firewall and VPN concentrator. Can have an IPS module (depending on model).
Can do contexts (like tenants), clustering, transparent mode (L2) or routed mode (L3). Has inspection engines, IPsec VPN, SSL VPN and clientless SSL VPN.

5.1.b Routing and multicast capabilities

Supports static routes, OSPF, RIP, EIGRP, BGP (as of 9.1??), multicast and IPv6

Static – single and multiple context, routed and transparent, supports IPv6
OSPF – single context, routed only, not supported in transparent, does not support IPv6
RIP – also supported in multiple context and transparent
Not supported in transparent mode.
Supported in routed mode
Supported in single context mode.

5.1.c Firewall modes

Routed – default – has IP addresses, acts as default gateway (a router hop). Can do NAT. Each interface is on a different subnet. Can share interfaces between contexts.

Transparent mode – bump in the wire. Connects the same network on the inside and outside interfaces. Supports ARP, IP, IPv6 (in 8.4 – not in 7.2).
Does not support (in 8.4):
Dynamic DNS
DHCP relay
Dynamic routing protocols
VPN termination (supported for management traffic only)

Management interface is for management (obviously) – only allows management traffic – can have a static route.
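A minimal 8.4-style transparent-mode configuration, added here as an illustration and not taken from the notes above: both data interfaces join one bridge group on the same subnet, the BVI carries the bridge group's management address, and the dedicated management interface keeps its own address and static route. Interface names, addresses and the gateway are made up for the example.

```cisco
! Changing firewall mode clears the running configuration, so do this first
firewall transparent
!
! Inside and outside are members of the same bridge group and the same IP subnet
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
!
! The BVI holds the single address the bridge group uses for traffic sourced by the ASA
interface BVI1
 ip address 192.168.10.5 255.255.255.0
!
! Management interface is outside the bridge group and only passes management traffic
interface Management0/0
 nameif management
 security-level 100
 ip address 10.0.0.5 255.255.255.0
 management-only
!
! Static route for management traffic (dynamic routing is not available in this mode)
route management 0.0.0.0 0.0.0.0 10.0.0.1
```

Note that there is no NAT, no DHCP relay and no routing protocol in this configuration; those are exactly the features the notes list as unsupported in transparent mode.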

Multiple context mode – partitioning of the ASA into multiple virtual devices. Each context is an individual device with its own security policy, interfaces and administrators. Can have an admin context, allowing control over everything.

If multiple contexts share an interface then the classifier uses the interface MAC address. Each context can have a different MAC address on the same shared interface, so traffic is classified by this destination MAC address along with the destination IP address.

If NAT is in use, traffic arriving on a shared interface is classified by the packet's destination address (looked up in the NAT table) as well as by the destination MAC address.
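An added example of the system-context configuration that sets this up (illustrative, not from the notes): two customer contexts share GigabitEthernet0/0 as their outside interface, and `mac-address auto` gives each context its own MAC on that shared interface so the classifier has something to distinguish them by. Context names, interface allocations and config-url paths are invented.

```cisco
! From the system execution space; switching modes reloads the ASA
mode multiple
!
! Assign a unique MAC address to each context's copy of a shared interface,
! so the classifier can use the destination MAC rather than falling back to NAT lookups
mac-address auto
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context CUST_A
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/cust_a.cfg
!
context CUST_B
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/2
 config-url disk0:/cust_b.cfg
```

Without unique MACs on the shared interface, the classifier has to rely on each context's NAT configuration to decide which context owns a given destination address, which is the case the notes describe above.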

5.1.d NAT (before and after version 8.4)

NAT 8.3 – uses network objects – a host IP address, a range of addresses, a subnet or an FQDN. NAT control is no longer supported: if a connection matches no translation rule it passes through the ASA untranslated.
No more outside NAT versus inside NAT.
NAT rule priority no longer applies.

5.1.e Object definition and ACLs

Can now use an FQDN in ACLs – requires a DNS server to be configured and an FQDN object to be created.
ACL order of operation differs between 8.2 and more recent releases:

ASA 8.2
1. Packet arrives at the ingress interface – interface counter incremented.
2. ASA checks the internal connection table for an existing connection. If the packet matches a current connection, the ACL check is bypassed and the packet is forwarded.
3. Packet processed against the interface ACLs, in sequence – if it matches, it passes.
4. Packet checked against translation rules – if it passes, a connection entry is created and the packet continues.
5. Packet undergoes inspection checks.
6. IP header is translated (per NAT/PAT). Packet forwarded to the Advanced Inspection and Prevention Security Services Module (AIP-SSM) for IPS processing (if IPS is involved).
7. Packet forwarded to the egress interface – route lookup performed.
8. Once the L3 route is found, L2 resolution is performed and the MAC header rewritten.
9. Packet transmitted on the wire, egress interface counter incremented.

ASA 8.3
Can have an interface ACL and a global ACL:
Interface ACL checked first
Global ACL checked next
Default global ACL (implicit deny) checked last
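An added example (not from the notes) putting the two 8.3+ ACL features together: an FQDN object used in an interface ACL, with DNS lookup enabled so the object can resolve, and a global ACL that is only consulted when the interface ACL has no matching entry. The FQDN, DNS server address and ACL names are invented.

```cisco
! DNS resolution must be enabled on an interface for FQDN objects to resolve
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
! FQDN object; the ASA resolves it periodically and matches on the returned addresses
object network UPDATE_SERVER
 fqdn updates.example.com
!
! Interface ACL: evaluated first for traffic entering 'inside'
access-list INSIDE_OUT extended permit tcp any object UPDATE_SERVER eq 443
access-group INSIDE_OUT in interface inside
!
! Global ACL: evaluated only when the interface ACL has no match; applies to every interface
access-list GLOBAL_ACL extended permit udp any any eq domain
access-list GLOBAL_ACL extended deny ip any any log
access-group GLOBAL_ACL global
```

With this in place, a packet from inside to the update server matches the interface ACL and stops there; a DNS query from inside falls through to the global ACL and is permitted; anything else hits the explicit deny in the global ACL (and the implicit deny behind it).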


5.1.f MPF functionality (IPS, QoS, and application awareness)

IPS – the module runs inline or in promiscuous mode.

1. Traffic enters the ASA.
2. Incoming VPN traffic is decrypted.
3. Firewall policies are applied.
4. Traffic is sent to the IPS module over the backplane.
5. The IPS module applies its security policy to the traffic, and takes appropriate actions.
6. Valid traffic is sent back to the adaptive security appliance over the backplane; the IPS module might block some traffic according to its security policy, and that traffic is not passed on.
7. Outgoing VPN traffic is encrypted.
8. Traffic exits the adaptive security appliance.

QoS – single context.

Supports policing, priority queuing and traffic shaping.
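An added MPF example (not from the notes) showing both of the above in one service policy: one class hands traffic to the IPS module inline, failing open if the module is down; a voice class gets strict priority; and everything else is policed on the way out. The ACL, class names, DSCP choice and rates are made up.

```cisco
! Select what the IPS module should see
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Voice traffic identified by DSCP EF
class-map VOICE
 match dscp ef
!
policy-map OUTSIDE_POLICY
 class IPS_CLASS
  ! inline: the module sits in the path; fail-open: pass traffic if the module fails
  ! (promiscuous mode would be 'ips promiscuous fail-open')
  ips inline fail-open
 class VOICE
  ! strict priority queue; requires priority-queue on the interface
  priority
 class class-default
  ! police output: 10 Mbps conform rate, 18750-byte burst
  police output 10000000 18750
!
priority-queue outside
service-policy OUTSIDE_POLICY interface outside
```

Priority and policing cannot be combined within a single class, which is why voice and the rest are split here; traffic shaping, if needed, goes on class-default of a separate shaping policy.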

Application awareness:

Application layer protocol inspection, through inspection engines:
DNS inspection – matches the ID of each reply to the ID of the query. Enforces a maximum DNS message length (default 512 bytes, maximum 65535 bytes) – drops messages that exceed the configured maximum. Enforces a domain-name length of 255 bytes and a label length of 63 bytes. Uses DNS rewrite.
FTP inspection – tracks PORT/PASV. If disabled (no inspect ftp), outbound users can only start connections in passive mode and all inbound FTP is disabled.
HTTP inspection – enhanced HTTP inspection, URL screening (Websense), Java and ActiveX filtering
ICMP inspection – ensures only one response for each request and that the sequence number is correct
IM inspection
IP options inspection – can clear specified options and pass the packet
PPTP inspection – creates GRE connections and xlates – version 1 only.
SMTP inspection – Supports:
Does not support:
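An added example (not from the notes) of tuning two of the inspection engines above through MPF: a DNS inspection policy that raises the message-length limit from the 512-byte default, logs query/response ID mismatches and enforces protocol sanity, plus strict FTP inspection that also masks the server banner. The policy-map names and the 4096-byte limit are choices made for the example.

```cisco
! DNS inspection parameters
policy-map type inspect dns DNS_POLICY
 parameters
  ! default is 512 bytes; raise it for larger responses, still well under 65535
  message-length maximum 4096
  ! log when reply IDs do not match the outstanding query (10 mismatches in 3 seconds)
  id-mismatch count 10 duration 3 action log
  ! tear down the DNS connection after the first reply instead of waiting for the UDP timeout
  dns-guard
  ! enforce well-formed DNS, including domain-name and label length limits
  protocol-enforcement
!
! FTP inspection parameters
policy-map type inspect ftp FTP_POLICY
 parameters
  mask-banner
!
! Attach both to the default global policy
policy-map global_policy
 class inspection_default
  inspect dns DNS_POLICY
  inspect ftp strict FTP_POLICY
!
service-policy global_policy global
```

Removing `inspect ftp` from the class is what produces the behaviour noted above (passive-only outbound, no inbound FTP), since the ASA then never opens the secondary data channel.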

5.1.g Context-aware firewall

Who, what, when, where, how
Active/passive authentication
AD – one realm; ASA joins the domain; AD Agent, Kerberos, NTLM or Basic for active authentication
LDAP – multiple realms, basic authentication only

5.1.h Identity-based services

Uses Microsoft AD. IDFW requires 8.4.2.
AD Agent is installed on a Windows server and communicates with AD and the ASA.
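An added identity-firewall example (not from the notes) wiring together the three parties just mentioned: the AD Agent is defined as a RADIUS server in ad-agent mode, an LDAP server group points at AD for group membership, and an ACL then matches on an AD group instead of an address. Server addresses, the domain name, DNs and the group name are invented; secrets are placeholders. The `user-group` ACL syntax with a doubled backslash is as I recall it and is worth checking against the command reference for your release.

```cisco
! AD Agent, reached over RADIUS; ad-agent-mode marks this group as an agent, not an AAA server
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (inside) host 192.168.1.20
 key <shared-secret-placeholder>
!
! LDAP server group the ASA uses to query AD for user-to-group mappings
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.168.1.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-login-dn cn=asa,cn=users,dc=example,dc=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
!
! Tie the domain to the LDAP group, and the agent to its server group
user-identity domain EXAMPLE aaa-server AD_LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server ADAGENT
user-identity enable
!
! Identity-based rule: members of EXAMPLE\Engineering may browse outbound on port 80
access-list INSIDE_OUT extended permit tcp user-group EXAMPLE\\Engineering any any eq 80
access-group INSIDE_OUT in interface inside
```

The ASA itself never sees a logon; the agent learns IP-to-user mappings from the domain controllers' security logs and pushes them to the ASA, which is why the agent needs reachability to both.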

5.1.i Failover options

Active/Active and Active/Standby.
Failover link – exchanges unit state, keepalives, network link status, MAC address changes and configuration replication.

Stateful failover passes:
Dynamic routing tables (as of 8.4)
NAT translation table
TCP connection states
UDP connection states
ICMP connection states
ARP table
L2 bridge table (in transparent mode)
HTTP connection states (if HTTP replication enabled)
ISAKMP and IPSec SA table
GTP PDP connection database
SIP signalling sessions

Interfaces are monitored. Can monitor up to 250 interfaces divided between all contexts. Should monitor the important interfaces.

If a unit does not receive a hello on a monitored interface it runs these tests in order:

Link up/down test – if the link is operational, the unit performs the network tests. At the start of each test each unit clears the received packet count for its interfaces, to see whether it receives any traffic. If neither unit receives traffic it runs:
Network activity test – the unit counts received packets for up to 5 seconds. If no traffic is received it runs the ARP test.
ARP test – reads the ARP cache for the 2 most recently acquired entries. The unit sends ARP requests to those entries, attempting to stimulate network traffic. If both fail, it runs the ping test.
Broadcast ping test – sends a broadcast ping and counts all received packets for up to 5 seconds.
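An added Active/Standby failover example for the primary unit (not from the notes): one interface doubles as failover and stateful link, interface hello timing is set explicitly (the missed-hello holdtime is what kicks off the test sequence above), only the interfaces that matter are monitored, and HTTP connection replication is switched on since it is off by default. Interface names, addresses and the key are invented; the secondary unit needs the same failover lan/link/interface ip lines with `failover lan unit secondary`.

```cisco
! Identify this unit and the failover link (also used as the stateful link here)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-key-placeholder>
!
! Interface hellos every 5 s; 25 s without one starts the link/activity/ARP/ping tests
failover polltime interface 5 holdtime 25
! Unit keepalives over the failover link
failover polltime unit 1 holdtime 15
!
! Monitor only the interfaces whose loss should cause a failover
monitor-interface outside
monitor-interface inside
no monitor-interface management
!
! HTTP connection states are not replicated unless this is enabled
failover replication http
!
! Each data interface needs a standby address so the standby unit can be reached and tested
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Finally, turn failover on
failover
```

Holdtime must be at least five times the interface polltime, so shortening detection means lowering both together; the budget of 250 monitored interfaces across all contexts is the reason for being selective with `monitor-interface`.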