Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5505 Basic Concept

Hi Guys,

I would like to ask help regarding basic concept of ASA, basic configuration, how routing works, modes, role of ACL and NAT translation. I have the link below and tried to read it but it is too hard/technical for me to understand (knowing I am newbie in Firewall).

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html#wp1102444

Thanks in advance and have a nice day.

regards,

Gagamboy

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: ASA 5505 Basic Concept

gagamboy15 wrote:

Hi Guys,

I would like to ask help regarding basic concept of ASA, basic configuration, how routing works, modes, role of ACL and NAT translation. I have the link below and tried to read it but it is too hard/technical for me to understand (knowing I am newbie in Firewall).

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html#wp1102444

Thanks in advance and have a nice day.

regards,

Gagamboy

Gagamboy

ASA basic function

==============

The ASA is a stateful firewall. What this means is it keep track of connections through the firewall. So it if sees a packet go out from inside to outside it records certain information in that packet. When the return packet arrives on the outside interface the ASA checks it against the information it previously recorded and if there is a match it allows the packet in. That is the essence of a stateful firewall. An example will help

h1 -> (inside) ASA (outside) -> Internet ->   w1

h1 = host inside your network

w1 = web server on internet

h1 IP = 192.168.5.10

w1 IP = 195.17.17.10

h1 wants to look at a web page on w1 so it sends a packet to w1 (note that 192.168.5.10 is not a valid internet address but i'll cover that in the NAT bit)

src IP = 192.168.5.10

src port number = 35776

dst IP = 195.17.17.10

dst port number = 80

the ASA receives the packet and records the above information in the state table. It also records the TCP flag and sequence number in the packet.

the packet arrives at w1. w1 then sends a packet back -

src IP 195.17.17.10

src port = 80

dst IP = 192.168.5.10

dst port = 35776

when the ASA receives the packet it looks at it's state table and sees that there was a corresponding packet sent out. So it knows this packet is valid and it allows it back in.

Now the above example is somewhat simplified because i didn't go into the TCP flags etc, or cover UDP which doesn't have flags, but put simply that is how a stateful firewall works.

If w1 had sent the same packet back but the host 192.168.5.10 has never sent the original packet then the ASA would not have a record in it's state table and therefore it would drop the packet.

ACL function

==========

access-lists (acls) are used to allow or deny traffic. They are applied to interfaces on the ASA and can be applied either inbound or outbound but usually they are applied inbound. Traffic by default on an ASA is automatically allowed from a higher to lower security interface with the inside interface generally having a security level of 100 and the outside interface generally having a security level of 0.

So in the above example you would not have needed an acl because the initial packet originated on the inside interface of the ASA ie. from the host so when the return packet comes back from w1 it is automatically allowed in because it is part of an existing connection.

However lets say you have a DMZ and a web server on it. The security level of the DMZ interface is 50. A client on the internet tries to connect to it. The packet arrives on the outside interface.  Outside security level = 0, DMZ security level = 50. So here you would need an acl on the outside interface that allowed the traffic from the client on the internet to the DMZ web server. Without an acl allowing this the traffic would be dropped by the ASA.

Note that there are other uses for acls on the ASA such as policy NAT but the main use is for allowing/denying traffic.

NAT function

============

Network Address Translation (NAT) changes the IP address in a packet to another IP address. There are many different types of NAT but the principle is the same.

Going back to the initial example, 192.168.5.10 is not a routable address on the Internet. So h1 would not be able to communicate with w1 unless we change h1's address. This is where NAT comes in. You configure the ASA to change h1's IP address to an IP address that is routable on the internet. w1 sees this public address and has no idea that h1's real IP is 192.168.5.10.

Similarly with your DMZ web server. If it has a real address of 192.168.6.11 this is not routable on the internet. So you "present" the web server to the internet as a different address eg. 195.66.10.10. Clients on the internet connect to this address and the ASA translates it back to 192.168.6.11 before sending the packet to the web server.

When the ASA does a NAT translation it keeps a record of this translation in the xlate table.

Routing

=======

Routing is fairly straightforward the only complication being if the address has been translated which is why the xlate table has to be consulted.

Modes

=====

Not sure what you mean. If you mean routed vs transparent then routed means the ASA acts as L3 hop in the network ie. packets are routed through the ASA. Transparent means it acts as L2 device ie. packets are not routed and the same network is seen on both sides of the ASA.

Put simply, if you did a traceroute and the traceroute went through the ASA as part of it's path, in routed mode you would see it as a hop, in transparent mode you wouldn't.

The above is a very general explanation of the functions you listed. I haven't covered inspect which allows the ASA to be a bit more than just a stateful firewall for some protocols/applications and there is certainly a lot more could be said about NAT than i have covered but hopefully this will get you started.

Jon

2 REPLIES
Hall of Fame Super Blue

Re: ASA 5505 Basic Concept

gagamboy15 wrote:

Hi Guys,

I would like to ask help regarding basic concept of ASA, basic configuration, how routing works, modes, role of ACL and NAT translation. I have the link below and tried to read it but it is too hard/technical for me to understand (knowing I am newbie in Firewall).

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html#wp1102444

Thanks in advance and have a nice day.

regards,

Gagamboy

Gagamboy

ASA basic function

==============

The ASA is a stateful firewall. What this means is it keep track of connections through the firewall. So it if sees a packet go out from inside to outside it records certain information in that packet. When the return packet arrives on the outside interface the ASA checks it against the information it previously recorded and if there is a match it allows the packet in. That is the essence of a stateful firewall. An example will help

h1 -> (inside) ASA (outside) -> Internet ->   w1

h1 = host inside your network

w1 = web server on internet

h1 IP = 192.168.5.10

w1 IP = 195.17.17.10

h1 wants to look at a web page on w1 so it sends a packet to w1 (note that 192.168.5.10 is not a valid internet address but i'll cover that in the NAT bit)

src IP = 192.168.5.10

src port number = 35776

dst IP = 195.17.17.10

dst port number = 80

the ASA receives the packet and records the above information in the state table. It also records the TCP flag and sequence number in the packet.

the packet arrives at w1. w1 then sends a packet back -

src IP 195.17.17.10

src port = 80

dst IP = 192.168.5.10

dst port = 35776

when the ASA receives the packet it looks at it's state table and sees that there was a corresponding packet sent out. So it knows this packet is valid and it allows it back in.

Now the above example is somewhat simplified because i didn't go into the TCP flags etc, or cover UDP which doesn't have flags, but put simply that is how a stateful firewall works.

If w1 had sent the same packet back but the host 192.168.5.10 has never sent the original packet then the ASA would not have a record in it's state table and therefore it would drop the packet.

ACL function

==========

access-lists (acls) are used to allow or deny traffic. They are applied to interfaces on the ASA and can be applied either inbound or outbound but usually they are applied inbound. Traffic by default on an ASA is automatically allowed from a higher to lower security interface with the inside interface generally having a security level of 100 and the outside interface generally having a security level of 0.

So in the above example you would not have needed an acl because the initial packet originated on the inside interface of the ASA ie. from the host so when the return packet comes back from w1 it is automatically allowed in because it is part of an existing connection.

However lets say you have a DMZ and a web server on it. The security level of the DMZ interface is 50. A client on the internet tries to connect to it. The packet arrives on the outside interface.  Outside security level = 0, DMZ security level = 50. So here you would need an acl on the outside interface that allowed the traffic from the client on the internet to the DMZ web server. Without an acl allowing this the traffic would be dropped by the ASA.

Note that there are other uses for acls on the ASA such as policy NAT but the main use is for allowing/denying traffic.

NAT function

============

Network Address Translation (NAT) changes the IP address in a packet to another IP address. There are many different types of NAT but the principle is the same.

Going back to the initial example, 192.168.5.10 is not a routable address on the Internet. So h1 would not be able to communicate with w1 unless we change h1's address. This is where NAT comes in. You configure the ASA to change h1's IP address to an IP address that is routable on the internet. w1 sees this public address and has no idea that h1's real IP is 192.168.5.10.

Similarly with your DMZ web server. If it has a real address of 192.168.6.11 this is not routable on the internet. So you "present" the web server to the internet as a different address eg. 195.66.10.10. Clients on the internet connect to this address and the ASA translates it back to 192.168.6.11 before sending the packet to the web server.

When the ASA does a NAT translation it keeps a record of this translation in the xlate table.

Routing

=======

Routing is fairly straightforward the only complication being if the address has been translated which is why the xlate table has to be consulted.

Modes

=====

Not sure what you mean. If you mean routed vs transparent then routed means the ASA acts as L3 hop in the network ie. packets are routed through the ASA. Transparent means it acts as L2 device ie. packets are not routed and the same network is seen on both sides of the ASA.

Put simply, if you did a traceroute and the traceroute went through the ASA as part of it's path, in routed mode you would see it as a hop, in transparent mode you wouldn't.

The above is a very general explanation of the functions you listed. I haven't covered inspect which allows the ASA to be a bit more than just a stateful firewall for some protocols/applications and there is certainly a lot more could be said about NAT than i have covered but hopefully this will get you started.

Jon

New Member

Re: ASA 5505 Basic Concept

Wow! That was a very clear and straight forward explanation Jon, I was very impressed.

Thanks a lot to you, it sure help me understand the Firewall concept.

After this I may have another advance Firewall inquiry, I think.

3752
Views
0
Helpful
2
Replies