Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

firewall assessment document

Unanswered Question
Aug 28th, 2008
User Badges:

My company requires to perform a security assessment on our PIX\ASA firewalls. I have about 20+ points that I am currently reviewing on the firewall, but I was wondering if anyone has a document with a checklist of :

-best practice



If you don't have one, can you please point me to such a document online.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JORGE RODRIGUEZ Thu, 08/28/2008 - 11:43
User Badges:
  • Green, 3000 points or more

You can use cisco output interpreter, you can place PIX/ASA config, it will provide various recommendations based on your configs.

output interpreter


Also Check this very good article




cisco24x7 Thu, 08/28/2008 - 18:50
User Badges:
  • Silver, 250 points or more

If you read the article carefully then Cisco ASA

firewalls fails this test miserably. According

to the article:

"Deny all traffic by default, and only enable those services that are needed."

Isn't the ASA, by default, allow traffics from

high security level interface to low security

security interface?

At least with version 6.x, this is not

possible due to the NAT nature of the code.

In version 7.x and 8.x, "no nat-control" is

enable by default on the ASA. Therefore,

infected hosts on the high security level

interface can infect hosts on the lower level

security interface.

Some security device.

ronshuster Fri, 08/29/2008 - 04:21
User Badges:

cisco24x7 : that is a very good point, how would you resolve this issue? Would you for example create ACL's to restrict traffic from the inside interface to the DMZ (low security to high?)

Also in reference to this document :


Should some of the ACL's in section titled "Specific Recommendations: Access Lists" also get applied for traffic going from a higher security to a lower security such as INSIDE to DMZ?

If you have some examples of a hardened config that would be very beneficial. We are trying to avoid hacks from the OUTSIDE and INSIDE as well and ensure the ASA is fully protected.


This Discussion