I'm French, so sorry for my English; I will do my best to explain my question.
I'm actually working on a Cisco PIX 501 (for school).
I have to do some tests on it, find out what it is able to do and how to prove it...
My question is about the Cisco ASA (Adaptive Security Algorithm): what is it doing? I mean, does it just simply stop every piece of information coming from outside to inside (security 0 to 100), or is it doing more? Is it searching for wrong/good packets or just stopping everything? And if it's doing that, how is it done?
My question could be: what does the Cisco ASA do more than an ACL?
I hope I'm clear enough in my questions; I searched a lot on the internet but didn't find an answer.
Thanks for reminding me that Cisco does use the term "Adaptive Security Algorithm" in some of their materials. As a purist, I would argue that it's not really an algorithm, since it's not a mathematical expression like an encoding algorithm or such.
As far as demonstrating the operations, it would be mostly via demonstration and inspection of the behavior. As in:
1. Browsing from an inside computer to an outside resource and showing the TCP connections and NAT xlate table entries at the firewall CLI before and after.
2. Attempting to browse from outside to an inside resource without an access-list entry allowing the communications and with an explicit (vs. the standard implicit) deny any any access list in place. Show the hit count increments when attempting this.
3. Doing #2 with an access-list entry in place and demonstrating the establishment of the TCP connection and the increment of the access-list hit count.
One could also use the packet-tracer feature (from ASDM or the CLI) to demonstrate most of this. ASDM would be useful in a classroom environment as it presents the result graphically.
ASA is the acronym for Adaptive Security Appliance, as the previous posts have pointed out. The adaptive security algorithm, however, refers to the processes that are carried out on a packet during stateful inspection.
Those processes are:
- ACL lookup
- Route table lookup
- NAT translation
- Creating a session for the traffic in the "fast path"
So as you can see, the adaptive security algorithm is not just dropping or allowing traffic. It does quite a bit more.
Please remember to rate and select a correct answer.
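A toy model of the four stages listed above, added here as an illustration (it is not code from any poster or from Cisco), exercised with the three demonstrations from the earlier reply: an outbound browse that creates an xlate and a session, the reply that rides the session without any ACE, an unsolicited inbound packet that increments the implicit deny, and the same packet permitted once an ACE is added. All addresses, the static NAT mapping and the ACE are constructed sample values, and the class and function names are hypothetical.

```python
import ipaddress
from collections import Counter, namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport")

class ToyASA:  # hypothetical toy model of the post's four stages, not Cisco's implementation
    def __init__(self):
        self.level = {"inside": 100, "outside": 0}             # interface security levels
        self.routes = [("192.168.1.0/24", "inside"), ("0.0.0.0/0", "outside")]
        self.acl = {"outside": []}                             # iface -> permit ACEs (proto, dst, dport)
        self.static = {"203.0.113.20": "192.168.1.20"}         # constructed static NAT: mapped -> real
        self.pat_ip, self.next_port = "203.0.113.2", 1024      # dynamic PAT to the outside address
        self.hits, self.conns, self.xlate = Counter(), {}, {}  # ACE hit counts, conn table, xlate table

    def route(self, ip):
        return next(i for n, i in self.routes if ipaddress.ip_address(ip) in ipaddress.ip_network(n))

    def acl_lookup(self, pkt, ingress):
        for ace in self.acl.get(ingress, []):
            if ace == (pkt.proto, pkt.dst, pkt.dport):
                self.hits[ace] += 1
                return True
        if ingress in self.acl:                                # ACL applied: implicit deny any any
            self.hits["deny"] += 1
            return False
        return self.level[ingress] > self.level[self.route(pkt.dst)]  # no ACL: higher -> lower only

    def process(self, pkt, ingress):
        if tuple(pkt) in self.conns:                           # known session: fast path, no ACL lookup
            return "fast-path"
        if not self.acl_lookup(pkt, ingress):                  # 1. ACL lookup (hit counts increment)
            return "denied"
        dst, src, sport = self.static.get(pkt.dst, pkt.dst), pkt.src, pkt.sport  # 3a. untranslate
        egress = self.route(dst)                               # 2. route lookup picks the egress iface
        if ingress == "inside" and egress == "outside":        # 3b. dynamic PAT on the way out
            src, sport = self.pat_ip, self.next_port
            self.next_port += 1
            self.xlate[(pkt.src, pkt.sport)] = (src, sport)
        self.conns[tuple(pkt)] = egress                        # 4. session in both directions, so
        self.conns[(pkt.proto, dst, pkt.dport, src, sport)] = ingress  # the reply needs no ACE
        return "new-session"

def demo():
    asa = ToyASA()
    r1 = asa.process(Pkt("tcp", "192.168.1.10", 40000, "198.51.100.5", 80), "inside")    # step 1
    r2 = asa.process(Pkt("tcp", "198.51.100.5", 80, "203.0.113.2", 1024), "outside")     # the reply
    probe = Pkt("tcp", "198.51.100.9", 5555, "203.0.113.20", 22)
    r3 = asa.process(probe, "outside")                         # step 2: unsolicited, implicit deny hit
    asa.acl["outside"].append(("tcp", "203.0.113.20", 22))     # step 3: permit ACE added
    r4 = asa.process(probe, "outside")
    return r1, r2, r3, r4, dict(asa.xlate), dict(asa.hits)
```

The point the model makes is the difference from a plain ACL: the reply from 198.51.100.5 is accepted on the fast path because the outbound session exists, while the same outside interface drops an unsolicited SYN and counts it against the deny.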
If you want to ping from outside to inside addresses, then yes, you would need an ACL with an entry allowing the ICMP traffic. Normally we don't see this done because we are also performing NAT on the firewall and there is not a persistent public IP address for most inside hosts (which in most cases have private IP addresses that are not publicly routable).
Traffic inspection is described in the configuration guide here:
I'm not sure what you mean by "is it hard to prove it". Do you mean demonstrate it?