Cisco ASA (Adaptive Security Algorithm)?

Answered Question
Feb 13th, 2014

Hello,


I'm French, so sorry for my English; I will do my best to explain my question.

I'm actually working on a Cisco PIX 501 (for school).

I have to do some tests on it, find out what it is able to do and how to prove it...

My question is about Cisco ASA (Adaptive Security Algorithm): what is it doing? I mean, does it just simply stop all information coming from outside to inside (security 0 to 100), or is it doing more? Is it searching for wrong/good packets or does it just stop everything? And if it's doing that, how is it done?

My question could be: what is Cisco ASA doing more than an ACL?

I hope I'm clear enough in my questions; I searched a lot on the internet but didn't find an answer.


Thank you!

Amaury

Overall Rating: 4.8 (5 ratings)
mvsheik123 Thu, 02/13/2014 - 06:01

Hi,


ASA- Adaptive Security Appliance.


The detailed answer to your question can be very long, as different feature sets of IOS and hardware will provide different/additional functions. Attached is a nice write-up I came across that may help you get a basic idea.


hth

MS

patchack39 Thu, 02/13/2014 - 06:45

You are speaking about ASA - Adaptive Security Appliance, and me about ASA - Adaptive Security Algorithm. That isn't the same thing, right?

ASA (appliance) is for more recent routers/firewalls, not for mine I think; I'm just interested in how the firewall is doing its job (with the ASA algorithm).

Still, I will read the document you attached to your message; it will maybe answer my question. Thanks a lot.

Edit: By the way, my Cisco PIX 501 firewall has 6.3 firmware.

2nd edit: In fact, to be clear, I have the PIX 501 and I have to show what it is doing. I mean, does it drop everything from outside to inside, or more (try to check if it's a good or bad packet)? What is the job of the ASA/algorithm, finally?

Marvin Rhoads Thu, 02/13/2014 - 19:57

Amaury,


There is no Cisco product or technology "Adaptive Security Algorithm". The ASA product is a shorthand common way of referring to the Adaptive Security Appliance (as MS noted above).


All firewalls, including the PIX type and their Cisco successor the ASA, will by default prevent traffic originated from the outside or lower security level to the inside or higher security level.

This is one of many, many things an ASA can do. The configuration guide is 3 volumes long (and that's not including the 1000+ page AnyConnect administration guide for remote access VPN clients). At a very high level it can perform stateful firewalling (i.e., is the traffic part of an established allowed connection?), traffic inspection (what you might refer to as "good or bad packet"), remote access VPN, site-to-site VPN, and network address translation (NAT). It also has high availability and clustering features.

patchack39 Fri, 02/14/2014 - 00:49

Thanks a lot for your answer, it helps me a lot.

OK, so everything originated from outside to inside is dropped. For example, if I want ping to be OK, I have to use an ACL? It's the only way to allow ping to pass, right?

I think I'm starting to understand. In fact, the part I would like to understand is the "traffic inspection": how does it work? Is it too hard to prove it?


Thanks again for your help.

Correct Answer
Marvin Rhoads Fri, 02/14/2014 - 05:30

If you want to ping from outside to inside addresses then, yes you would need an ACL with an entry allowing the icmp traffic. Normally we don't see this done because we are also performing NAT on the firewall and there is not a persistent public IP address for most inside hosts (which in most cases have private IP addresses that are not publicly routable).


Traffic inspection is described in the configuration guide here:


http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/firewall/asdm_71_firewall_config/inspect_overview.html


I'm not sure what you mean by "is it hard to prove it". Do you mean demonstrate it?

patchack39 Mon, 02/17/2014 - 01:49

Yes, by "prove it" I mean "demonstrate it".

I will read your document; if I need more help about that I will come back.

Thanks a lot for your help, I didn't expect so much.

patchack39 Mon, 02/17/2014 - 05:35

About "stateful firewalling": I understand what it is, I'm OK with that. But same question: can we demonstrate it? Or is it just something which is done without any action possible from me? Or can I check what is done by the firewall (concerning stateful firewalling)?

In fact, for me, if we can't demonstrate it, there is no point to me. Because I need to demonstrate to my professor what the firewall is doing, something we can do experiments with... Example: a computer (outside) tries to attack another (inside), then I want to see what the firewall is doing, to show my classmates the possibilities of the PIX 501.

I hope you can understand what I mean, it's not really easy for me.


Thank you !

Correct Answer
Marius Gunnerud Mon, 02/17/2014 - 05:44

ASA is the acronym for Adaptive Security Appliance, as the previous posts have pointed out. The adaptive security algorithm, however, refers to processes that are taken on a packet during stateful inspection.


Those processes are:

- ACL lookup

- Route table lookup

- NAT translation

- creating a session for the traffic in the "fast path"


http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/intro_intro.html#wpmkr1128151


So as you can see, the adaptive security algorithm is not just dropping or allowing traffic. It does quite a bit more.



--
Please remember to rate and select a correct answer

Correct Answer
Marvin Rhoads Mon, 02/17/2014 - 07:02

Marius


Thanks for reminding me that Cisco does use the term "Adaptive Security Algorithm" in some of their materials. As a purist, I would argue that it's not really an algorithm since it's not a mathematical expression like an encoding algorithm or such.


As far as demonstrating the operations, it would be mostly via demonstration and inspection of the behavior. As in:


1. browsing from inside computer to outside resource and showing tcp connections and NAT xlate table entries at the firewall CLI before and after.


2. attempting to browse from outside to inside resource without an access-list entry allowing the communications and with an explicit (vs. the standard implicit) deny any any access list in place. Show the hit count increments when attempting this.


3. Doing #2 with an access-list entry in place and demonstrating the establishment of tcp connection and the increment of the access-list hit count.


One could also use the packet-tracer feature (from ASDM or cli) to demonstrate most of this. The ASDM would be useful in a classroom environment as it presents the result graphically.

Marius Gunnerud Tue, 02/18/2014 - 01:36

Yes, it is a bit misleading, which is why I prefer to call it a process instead of an algorithm.


The packet tracer does give a good indication of what happens to a packet as it passes through the ASA.


--
Please remember to rate and select a correct answer

patchack39 Wed, 02/19/2014 - 02:35

Hi,

Sorry I couldn't answer earlier, I was really busy.

First, thanks for your answers. If I understand well what you mean, the ASA/algorithm is a part of different processes which are part of stateful inspection (by the way, stateful inspection = stateful firewalling, right?).

Thanks again for your example of an experiment, it helps me a lot.

When you said "showing tcp connections and NAT xlate table entries at the firewall CLI before and after", I am OK with that, but what are the commands to check table entries? I can't find them.

As well, I will need the commands to configure (if possible) stateful inspection and traffic inspection, but I will try to search by myself because I didn't start yet.

For ACLs I know how to do it; I have no questions for the moment about that.

Marius Gunnerud Wed, 02/19/2014 - 03:16

> If I understand well what you mean, the ASA/algorithm is a part of different processes which are part of stateful inspection

Not really. I would say that stateful inspection is part of the adaptive security algorithm. The algorithm goes through processes such as ACL check, NAT, etc., and based on these checks makes entries in the state table.

> (by the way, stateful inspection = stateful firewalling, right?)

Kind of. Stateful inspection is what the stateful firewall does and not what it is, if you can understand that. A stateful firewall performs stateful inspection. So stateful inspection is not a firewall.

> When you said "showing tcp connections and NAT xlate table entries at the firewall CLI before and after", I am OK with that, but what are the commands to check table entries? I can't find them.

show conn protocol tcp will show you the TCP connections through the firewall, and show xlate will show you the NAT translations that are currently active.

> As well, I will need the commands to configure (if possible) stateful inspection and traffic inspection, but I will try to search by myself because I didn't start yet.

Again, stateful inspection is not something you configure but is what the ASA does based on configured rules. So all you need to do is configure ACLs, NAT rules and routing, and the ASA does all the stateful inspection stuff on its own.


--
Please remember to rate and select a correct answer
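
The processing order described in this thread (ACL lookup, route lookup, NAT, session creation, then the fast path for later packets), as a simplified Python model added here for illustration. It is not Cisco's implementation and not part of the original posts; the `Firewall` class, the `lab` helper and all addresses are constructed, and routing is reduced to exact-host matches.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    acl: list        # ordered entries: (action, ingress iface, dst ip or "any", dst port or "any")
    routes: dict     # real destination IP -> egress interface
    static: dict     # mapped (public) IP -> real inside IP, for published servers
    pat_ip: str      # address that hides inside hosts on the way out
    conns: set = field(default_factory=set)     # state table (what "show conn" lists)
    xlates: dict = field(default_factory=dict)  # real IP -> mapped IP ("show xlate")
    hits: list = field(default_factory=list)    # per-entry ACL hit counts

    def __post_init__(self):
        self.hits = [0] * len(self.acl)

    def process(self, iface, src, sport, dst, dport):
        # Fast path: the packet, or its reverse, matches an existing session.
        if (src, sport, dst, dport) in self.conns or (dst, dport, src, sport) in self.conns:
            return "fast-path"
        # 1. ACL lookup: first matching entry wins and its hit count increments.
        action = "permit" if iface == "inside" else "deny"  # implicit rule by security level
        for i, (act, a_if, a_dst, a_port) in enumerate(self.acl):
            if a_if == iface and a_dst in ("any", dst) and a_port in ("any", dport):
                self.hits[i] += 1
                action = act
                break
        if action == "deny":
            return "drop-acl"
        # 2. Route lookup on the real (un-translated) destination.
        real_dst = self.static.get(dst, dst)
        if real_dst not in self.routes:
            return "drop-no-route"
        # 3. NAT: hide inside sources behind pat_ip; published servers use their static mapping.
        if iface == "inside":
            self.xlates[src] = self.pat_ip
            other = (self.pat_ip, sport, dst, dport)
        else:
            self.xlates[real_dst] = dst
            other = (src, sport, real_dst, dport)
        # 4. Create the session (both sides of NAT) so later packets take the fast path.
        self.conns.update({(src, sport, dst, dport), other})
        return "session-created"

def lab(acl):
    # Constructed lab addressing (documentation ranges), not taken from the thread.
    return Firewall(acl, {"203.0.113.80": "outside", "10.0.0.10": "inside"},
                    {"198.51.100.10": "10.0.0.10"}, "198.51.100.1")
```

In this model the ACL hit count moves once per new connection, not once per packet, because every later packet of the flow is matched against the session table before the ACL is consulted.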

patchack39 Wed, 02/19/2014 - 05:44

Thanks for those fast answers, it's clear in my mind now (I think).

I will read and use everything you gave me. Then if I need more help or details, I will come back.

Amaury
