Cisco Support Community
firewall assessment document

My company requires us to perform a security assessment on our PIX/ASA firewalls. I have about 20+ points that I am currently reviewing on the firewall, but I was wondering if anyone has a document with a checklist of:

- best practices



If you don't have one, can you please point me to such a document online.



Re: firewall assessment document

You can use the Cisco Output Interpreter: paste in your PIX/ASA config and it will provide various recommendations based on your configuration.

output interpreter

Also check this very good article,289142,sid14_gci838230,00.html




Re: firewall assessment document

If you read the article carefully, then Cisco ASA firewalls fail this test miserably. According to the article:

"Deny all traffic by default, and only enable those services that are needed."

Doesn't the ASA, by default, allow traffic from a high security level interface to a low security level interface?

At least with version 6.x, this is not possible due to the NAT nature of the code. In version 7.x and 8.x, "no nat-control" is enabled by default on the ASA. Therefore, infected hosts on the high security level interface can infect hosts on the lower security level interface.

Some security device.


Re: firewall assessment document

cisco24x7: that is a very good point, how would you resolve this issue? Would you for example create ACLs to restrict traffic from the inside interface to the DMZ (low security to high?)

Also in reference to this document:

Should some of the ACLs in the section titled "Specific Recommendations: Access Lists" also get applied for traffic going from a higher security to a lower security interface, such as INSIDE to DMZ?

If you have some examples of a hardened config that would be very beneficial. We are trying to avoid hacks from the OUTSIDE and INSIDE as well and ensure the ASA is fully protected.
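The point raised in the thread, that an ASA with no inbound access-group on a higher-security interface implicitly permits everything toward lower-security interfaces, is the kind of check an assessment script can flag mechanically. The following is an added example written for this page, not code from Cisco or from any poster. It embeds two constructed configurations in ASA 7.x/8.x syntax: one that leaves the inside and dmz interfaces without an inbound ACL, and a hardened variant that applies explicit INSIDE_IN and DMZ_IN access-lists (the interface names, addresses and ACL names are made up for illustration). The assessment reports every interface whose traffic toward lower security levels is governed only by the implicit permit, and notes whether nat-control is enabled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample configs (not taken from any real device). The first one
# binds an ACL only on outside, so inside and dmz rely on the implicit
# high-to-low permit the thread describes.
PERMISSIVE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
no nat-control
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.10 eq 80
access-group OUTSIDE_IN in interface outside
"""

# Hardened variant: inside may reach only the DMZ web server (then anything
# that is not the DMZ), and the DMZ host may only initiate HTTPS outbound.
# Once an ACL is bound inbound, the ASA applies an implicit deny at its end.
HARDENED_CONFIG = PERMISSIVE_CONFIG + """\
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.10 eq 80
access-list INSIDE_IN extended deny ip any 192.168.10.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
access-list DMZ_IN extended permit tcp host 192.168.10.10 any eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
"""

INTERFACE_BLOCK = re.compile(r"^interface \S+\n((?:[ \t].*\n?)*)", re.M)
ACCESS_GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)", re.M)


@dataclass
class Interface:
    name: str
    security_level: int


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Map each nameif to its security level, parsed from interface blocks."""
    interfaces: Dict[str, Interface] = {}
    for match in INTERFACE_BLOCK.finditer(config):
        block = match.group(1)
        nameif = re.search(r"^\s*nameif (\S+)", block, re.M)
        level = re.search(r"^\s*security-level (\d+)", block, re.M)
        if nameif and level:
            interfaces[nameif.group(1)] = Interface(nameif.group(1), int(level.group(1)))
    return interfaces


def inbound_acls(config: str) -> Dict[str, str]:
    """Map interface name -> ACL name for every inbound access-group binding."""
    return {iface: acl for acl, direction, iface in ACCESS_GROUP.findall(config)
            if direction == "in"}


def assess(config: str) -> List[str]:
    """Return human-readable findings for the implicit-permit and NAT checks."""
    interfaces = parse_interfaces(config)
    acls = inbound_acls(config)
    findings: List[str] = []
    # A bare "nat-control" line means NAT rules also gate traffic; "no nat-control"
    # (the 7.x/8.x default) means only ACLs decide what passes.
    if not re.search(r"^nat-control\s*$", config, re.M):
        findings.append("nat-control disabled: NAT rules do not gate traffic, only ACLs do")
    for iface in interfaces.values():
        lower = sorted(o.name for o in interfaces.values()
                       if o.security_level < iface.security_level)
        if lower and iface.name not in acls:
            findings.append(f"{iface.name}: no inbound access-group, "
                            f"implicit permit to {', '.join(lower)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("permissive", PERMISSIVE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in assess(cfg) or ["no findings"]:
            print("  " + finding)
```

Against the permissive config the script reports both inside and dmz as relying on the implicit permit; against the hardened config only the nat-control note remains, which is informational since on 7.x/8.x the ACLs are the intended control. A real assessment would extend the same parse to check for overly broad `permit ip any any` entries and for `log` on the deny lines.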
