Cisco ASA Firewall Overview and Traffic Flow
Cisco ASA Firewall
Essentially, Cisco ASA Firewall evolved from Cisco first physical appliance called the Cisco PIX Firewall which had limited VPN capabilities. Also, these firewalls had the ability to provide Remote Access VPN capabilities using basic IPSec and PPTP type VPNs.
Later, as Web-based VPNs (SSL VPNs) were becoming more popular, Cisco acquired a company called Altiga which was known for its Web VPN capabilities. The Web VPN capability along with the Firewall feature of the PIX were ported into a new device called the ASA Firewall. Moreover, Cisco ASA firewall can operate as a L3 router by default and all routing functionalities that a normal router would have. It also can run RIP, EIGRP, OSPF and BGP routing protocols.
The difference between a regular router and a ASA firewall is that the router forwards all traffic by default whereas the ASA will allow traffic based on certain policies.
Cisco ASA Firewall Initial Configuration
To initialize an ASA interface, you need the following parameters first:
- Nameif: this mandatory parameter defines the name of the interface and is not case-sensitive. Although, it does preserve the case. Note that all commands reference the interface using the Name not the Physical ID.
- Security Level: it is a number between 0-100 and controls the default traffic flow thru the firewall. When you configured a blank interface with a Name, it sets the security kevel automatically to 0 except if the name of the interface is Inside which is 100.
- IP Address: it could be configured same as the Cisco routers and you do not have the ability to skip the mask if the IP address is using the default class mask.
Cisco ASA Firewalls Default Traffic Flow
By default, all traffic is allowed to flow from high security interface towards a low security as long as the routing information is in place. Although, all traffic is allowed to flow from high security level to low security level, only TCP and UDP traffic is inspected. This inspection creates a return entry in the connection table on the firewall. This allows the return traffic to come back afterward. This is known as Stateful inspection.
In the other hand, all traffic is blocked from coming in from low security interface towards a high security interface. If you want this traffic to work, you would need to create an explicit policy on the low interface to allow this traffic using an ACL. When a packet hits a low security interface going towards a high security interface, it will check the connection table first, if there is no entry in the connection table, it will check the ACL for a Permit, if there is no permit in the ACL, it will check the default behavior.
Finally, any traffic going from an interface that has the same security level as the destination interface will be blocked. Note that even an explicit ACL will not help in allowing this traffic. A typical example of this setup is when you have 2 partner networks connection into your network but you don’t want them to traverse to each other thru firewall. Also, you have an option to disable firewall between 2 interfaces with the same security level by using the “Same-security-traffic permit inter interface” command. If you use the above command, it allows all traffic between 2 interfaces with same security level.
Cisco ASA Firewall Traffic Types
Essentially, there are two types of traffic reaching ASA firewall, TO and THRU traffic. TO traffic is destined to an interface on the firewall and it is controlled by the service running on the firewall. Plus, ACLs have no effect on the traffic flow. By default, the only service that us running on the firewall is ICMP and these traffic are only allowed to reach the ASA and no other traffic is allowed TO the firewall. Enabling or disabling of a service on the firewall is a “Per Interface Characteristic”. Although, the THROU traffic is a traffic that is destined to the network passing the firewall. This traffics can be controlled or limited using ACLs.
Cisco ASA Firewall Verification Commands
By using the following commands, you can verify your configurations:
ASA# Show run interface: Displays the running config for an interface.
ASA# Show interface ip brief: Equivalent to the show IP interface brief which displays the interface IP address and status.
ASA# show nameif: Displays the interfaces, their names and their security levels.