5.5 Firewall features on the Cisco Adaptive Security Appliance ASA 9.x

5.5.c Configure Cisco ASA interface security levels

Security levels on ASA interfaces define how much you trust traffic arriving on that interface. Level 100 is the most trusted and 0 is the least trusted. Some people use 50 for a DMZ, since you trust it more than internet traffic but less than internal traffic.
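The three-tier layout described above, written out as an added ASA CLI example (this is not configuration from the original post; the interface names and the RFC 5737 and private addresses are assumed). It also spells out the default policy that the levels alone produce, and the command used to verify them:

```cisco
! Added example: three interfaces with the security levels discussed above.
! Interface names and addresses are assumed, not taken from the post.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
! With no access-list applied, the levels alone decide the default policy:
!   inside (100) -> dmz (50) and inside -> outside (0): permitted, return traffic
!     allowed by the stateful connection table
!   dmz (50) -> outside (0): permitted
!   outside (0) -> dmz or inside, and dmz (50) -> inside: denied unless an ACL permits it
! Example ACL opening one DMZ service to the internet (server address assumed):
access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Two interfaces at the same level do not pass traffic to each other unless
! this global command is enabled:
! same-security-traffic permit inter-interface
!
! Verify: lists each interface with its nameif and security level.
show nameif
```

One caveat worth remembering: as soon as an access-group is applied inbound on an interface, the level-based implicit permit for that interface is replaced by the ACL's implicit deny. An ACL applied on inside therefore has to permit the outbound traffic explicitly, even though inside is level 100.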

Modular Policy Framework (MPF)

MPF is used to control which IP protocols are inspected statefully. TCP and UDP inspection is enabled by default and cannot be disabled. ICMP and ESP are not inspected by default.
MPF is also used for other purposes:
Advanced TCP inspection
Deep Packet Inspection (DPI) and Quality of Service (QoS)
Traffic redirection to a software/hardware module (IPS, CX, FirePOWER) for advanced inspection
It inspects application-layer protocols that assign ports dynamically, such as FTP. You cannot use a stateless ACL alone to allow FTP, because the data connection uses a port negotiated inside the control channel (the PORT or PASV command). The FTP inspector reads that negotiation and opens the matching data connection, so MPF is needed.
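An added MPF example for the FTP case described above (not configuration from the original post). It applies FTP inspection to the default ports, adds FTP inspection for a server on a non-standard port, and enables the ICMP and IPsec pass-through inspections the text notes are off by default. The class-map names and the port 2121 are assumed:

```cisco
! Added example: MPF policy inspecting FTP (default and non-standard port),
! ICMP and IPsec pass-through. Class names and port 2121 are assumed.
!
! Built-in class matching the default ports of the inspectable protocols.
class-map inspection_default
 match default-inspection-traffic
!
! Custom class for an FTP server listening on a non-standard port (assumed).
class-map FTP_2121
 match port tcp eq 2121
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect ipsec-pass-thru
 class FTP_2121
  inspect ftp
!
! One global policy applies to every interface; an interface service-policy
! overrides it for that interface only.
service-policy global_policy global
!
! Verify the inspection engine is attached and counting packets.
show service-policy inspect ftp
```

Without the FTP_2121 class, an FTP session on port 2121 would be tracked as plain TCP, the PORT/PASV negotiation would not be read, and the data connection would be dropped unless an ACL opened it statically.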

5.5.e Describe modes of deployment (routed firewall, transparent firewall)

The ASA offers different modes of deployment. The modes are known as routed mode and transparent mode. The mode of deployment that is used will depend upon your network requirements and needs. The modes of deployment have the following characteristics:

Routed mode: The ASA supports RIP (versions 1 and 2), OSPF, EIGRP, and BGP dynamic routing protocols to integrate into existing routing infrastructures. Where dynamic routing is not available, the ASA can use static route tracking to determine neighbor or path health instead. This is the most commonly used mode of deployment.

Transparent (bridged) mode: The ASA includes the ability to operate in a secure bridging mode as a Layer 2 device to provide rich OSI Layers 2 through 7 security services for the protected network. This ability enables businesses to deploy security appliances into existing network environments without requiring readdressing of the network. Although the security appliance can be invisible to devices on both sides of a protected network, you can manage it via a management IP address (which can be hosted on a separate management interface, if required).
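An added example of the transparent-mode deployment described above (not configuration from the original post; interface names and addresses are assumed). It shows where the management IP address lives when the appliance is a Layer 2 bridge:

```cisco
! Added example: switching an ASA to transparent mode (names/addresses assumed).
! Changing the firewall mode clears the running configuration, so do this on a
! fresh unit or after saving a copy of the routed-mode configuration off-box.
firewall transparent
!
! Both data interfaces join one bridge group; they carry no IP addresses.
interface GigabitEthernet0/0
 bridge-group 1
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 bridge-group 1
 nameif inside
 security-level 100
 no shutdown
!
! The management IP address sits on the bridge-group virtual interface and is
! in the same subnet as the hosts on both sides: no readdressing is required.
interface BVI1
 ip address 10.1.1.254 255.255.255.0
!
! Verify which mode the unit is running in (Routed or Transparent).
show firewall
```

Security levels and ACLs still apply per interface in this mode, so the Layer 3 through 7 policy is the same as in routed mode; only the forwarding changes from routing to bridging.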

5.5.f Describe methods of implementing high availability

Active/Standby: only one firewall passes traffic while the other remains in standby. Active/Standby failover can run in single or multiple context mode.
Active/Active: both firewalls pass network traffic. The firewalls must be running in multiple context mode.
With Active/Active stateful failover, IPsec or SSL VPN cannot be enabled. Firewalls must be ASA 5510 (Security Plus) or higher (Base).
Requirements for failover
Firewalls must be the same model, with the same number and types of interfaces.
Firewalls must have the same amount of RAM installed.
Firewalls must have sufficient free space on flash for the ASA image files and configuration files.
Firewalls must be in the same mode (routed or transparent, single or multiple context).
Firewalls must have the same major and minor software version numbers.
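An added Active/Standby failover example (not configuration from the original post). Interface names, the failover link addresses and the shared key are assumed; the key is a placeholder. The verification commands at the end are how the requirements listed above are checked against the peer:

```cisco
! Added example: Active/Standby failover, entered on the primary unit.
! Interface names, addresses and the failover key are assumed.
!
! Data interfaces carry an active and a standby address; the standby unit
! holds the standby address until it takes over.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Dedicated link used for failover hellos, configuration sync and (here,
! because "failover link" names the same interface) state replication.
interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key FAILOVER_KEY_PLACEHOLDER
failover
!
! On the secondary unit only the failover link is configured before enabling;
! the rest of the configuration replicates from the primary:
!   failover lan unit secondary
!   failover lan interface FOLINK GigabitEthernet0/3
!   failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!   failover key FAILOVER_KEY_PLACEHOLDER
!   failover
!
! Verify: shows each unit's role and state, the peer's software version and
! the per-interface monitoring status, so version or interface mismatches
! between the two units are visible here.
show failover
show version
```

The `failover key` protects the failover and state links, which carry the full configuration (including credentials and keys) between the units; leaving it unset sends that data in clear text on the failover link.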

Active/Active failover model:

Both security appliances can actively process user traffic and can tolerate the failure of one device in the failover cluster. Figure 8-5 shows an example of an active/active failover topology.
This example is somewhat more complex and introduces the concept of security contexts. Three security contexts are used. Failover group 1 should contain the admin and ContextB contexts, with the primary ASA normally having the active role. Failover group 2 should contain only ContextA, normally active on the secondary ASA. We will discuss security contexts in the following section.
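The failover-group layout just described, as an added configuration example (not taken from the original post). The context names admin, ContextA and ContextB come from the text; the interface allocations, config-url paths and the use of preempt are assumed. The commands are entered in the system execution space of the primary unit:

```cisco
! Added example: Active/Active failover groups matching the layout above.
! Context names are from the text; interfaces, URLs and preempt are assumed.
mode multiple
!
! Group 1 is normally active on the primary unit, group 2 on the secondary.
! "preempt" returns a group to its preferred unit once that unit recovers.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg
 join-failover-group 1
!
context ContextB
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url disk0:/contextb.cfg
 join-failover-group 1
!
context ContextA
 allocate-interface GigabitEthernet0/4
 allocate-interface GigabitEthernet0/5
 config-url disk0:/contexta.cfg
 join-failover-group 2
!
! The failover link itself is configured exactly as for Active/Standby
! (failover lan unit / failover lan interface / failover interface ip /
! failover key / failover). Verify the role of each group on each unit:
show failover group 1
show failover group 2
```

Because each unit is active for one group and standby for the other, a single unit must be able to carry the load of both groups when its peer fails; sizing for the combined throughput is part of the design, not an afterthought.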


Clustering: This feature lets you group multiple ASAs as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.
These interfaces connect to two different switches, which are connected using a virtual port channel (vPC). TenGigabitEthernet0/6 and 0/7 interfaces on both cluster members bundle into the inside EtherChannel; both members respond to the virtual IP address of on this link. TenGigabitEthernet0/8 and 0/9 interfaces similarly bundle into the outside EtherChannel with the virtual IP address of
