What is Cisco ASA Firewall – All you need to Know

Written By Harris Andrea

The ASA (Adaptive Security Appliance) is a network security product that is a part of Cisco’s Advanced Network Firewall portfolio.


A network firewall is a hardware or software device that usually sits at the edge of a network and provides security by allowing or denying traffic based on a set of pre-configured rules.

In large corporate network environments, you can also place a network firewall within your internal LAN in order to segment private LAN IP subnets (e.g. isolating a servers LAN from a users LAN).

The Cisco ASA was the replacement for the Cisco PIX firewall and is an advanced firewall capable of carrying out more services than the older PIX was capable of.

Table of Contents

  • How Does the ASA Firewall Work
  • Cisco ASA Main Core Security Features
    • Packet Filtering
    • NAT / PAT
    • SSL / IPSec VPN
  • Cisco Firepower Main Security Features
    • Intrusion Prevention
    • Content Filtering
    • Application Filtering
    • Anti-Malware (AMP)
    • Anti-Virus
    • Security Intelligence
  • What is Adaptive Security Device Manager (ASDM)
  • Current Cisco ASA models
  • Competitors to Cisco ASA
    • Palo Alto
    • Fortinet
    • Checkpoint

How Does the ASA Firewall Work

Let’s explain briefly what the core network firewall functionality of the Cisco ASA is. A network firewall is based on stateful packet inspection, which I will explain below.

A stateful network firewall, such as the Cisco ASA, typically uses stateful packet inspection to prevent unauthorised traffic from entering the network from the outside or prevent unauthorised traffic from being passed between security zones internally within a network.

A stateful firewall keeps track of all the sessions that have been initiated from user devices inside the network and allows the responding traffic from outside the network to pass through to the initiating device.

Stateful packet inspection checks an access control list to see if the source or destination IP address (and/or ports) of the incoming packet is allowed access to the network or not.

The Cisco ASA has many physical interfaces which can be further divided into “sub-interfaces” using VLANs.

Each one of these firewall interfaces is connected to a “security zone”, which is basically a Layer 3 subnet. All hosts inside this security zone (subnet) use the IP address configured on the ASA firewall interface as their default gateway.

This means that all traffic from the specific security zone going out to other networks (zones) will pass through the ASA which will impose its firewall controls to the traffic.
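To make the mechanism above concrete, here is an added Python model of stateful inspection (example code written for this article, not Cisco's code and not an ASA configuration). It assumes three interfaces with ASA-style security levels (inside 100, dmz 50, outside 0), one subnet per zone, an interface ACL that publishes a DMZ web server, and a connection table keyed by the five-tuple of each permitted session; all names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed model of the stateful inspection behaviour described above:
# interfaces carry ASA-style security levels (0..100), each interface fronts
# one subnet (security zone), the firewall records the five-tuple of every
# session it permits, and only return traffic of a recorded session or traffic
# explicitly permitted by an interface ACL may enter from a less trusted zone.
# Interface names, levels and addresses are assumptions made for the example.

FlowKey = Tuple[str, str, int, str, int]   # proto, src_ip, src_port, dst_ip, dst_port

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    in_iface: str            # interface the packet arrived on

@dataclass
class Interface:
    security_level: int
    network: ipaddress.IPv4Network

class StatefulFirewall:
    def __init__(self, interfaces: Dict[str, Interface]):
        self.interfaces = interfaces
        # per-interface inbound ACL: explicitly permitted (proto, dst_ip, dst_port)
        self.acl: Dict[str, Set[Tuple[str, str, int]]] = {n: set() for n in interfaces}
        self.conns: Set[FlowKey] = set()     # connection (state) table

    def permit(self, iface: str, proto: str, dst_ip: str, dst_port: int) -> None:
        """Add an ACL entry applied inbound on iface."""
        self.acl[iface].add((proto, dst_ip, dst_port))

    def egress_iface(self, dst_ip: str) -> str:
        """Pick the interface whose subnet is the most specific match for dst_ip."""
        addr = ipaddress.ip_address(dst_ip)
        candidates = [(i.network.prefixlen, n) for n, i in self.interfaces.items()
                      if addr in i.network]
        return max(candidates)[1]

    def process(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse: FlowKey = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # 1. Reply to a session already in the state table: allowed.
        if reverse in self.conns:
            return "ALLOW (return traffic of tracked session)"
        # 2. New session explicitly permitted by the ingress interface ACL.
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) in self.acl[pkt.in_iface]:
            self.conns.add(key)
            return "ALLOW (ACL permit, session recorded)"
        # 3. New session from a higher to a lower security level (e.g. inside->outside)
        #    is allowed by default and recorded so that its replies can come back.
        src_level = self.interfaces[pkt.in_iface].security_level
        dst_level = self.interfaces[self.egress_iface(pkt.dst_ip)].security_level
        if src_level > dst_level:
            self.conns.add(key)
            return "ALLOW (higher to lower security level, session recorded)"
        # 4. Anything else, e.g. an unsolicited connection from outside, is dropped.
        return "DENY"

def build_firewall() -> StatefulFirewall:
    fw = StatefulFirewall({
        "inside":  Interface(100, ipaddress.ip_network("10.1.1.0/24")),
        "dmz":     Interface(50,  ipaddress.ip_network("192.168.10.0/24")),
        "outside": Interface(0,   ipaddress.ip_network("0.0.0.0/0")),
    })
    fw.permit("outside", "tcp", "192.168.10.20", 80)   # publish the DMZ web server
    return fw

def run_scenario() -> List[str]:
    """Constructed packet sequence; returns the verdict for each packet in order."""
    fw = build_firewall()
    packets = [
        Packet("tcp", "10.1.1.5", 51000, "203.0.113.10", 443, "inside"),     # user browses out
        Packet("tcp", "203.0.113.10", 443, "10.1.1.5", 51000, "outside"),    # server replies
        Packet("tcp", "198.51.100.7", 4444, "10.1.1.5", 22, "outside"),      # unsolicited SSH
        Packet("tcp", "198.51.100.7", 40000, "192.168.10.20", 80, "outside"), # DMZ web, permitted
        Packet("tcp", "198.51.100.7", 40001, "192.168.10.20", 22, "outside"), # DMZ SSH, no ACL
    ]
    return [fw.process(p) for p in packets]

if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The order of the checks is the point: the reply from 203.0.113.10 is accepted only because the inside host's outbound session was recorded first, while the unsolicited SSH attempt to the same host, arriving on the lowest security level with no ACL entry, is dropped. A real ASA also validates TCP flags and sequence numbers per connection; this model tracks the five-tuple only.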

A Cisco ASA is able to carry out the following services in addition to the core Stateful Packet Inspection functionality:

Cisco ASA Main Core Security Features

Packet Filtering

Packet filtering, also known as deep packet inspection, goes much further than simply matching IP addresses to an allowed list.

Packet filtering is able to determine which protocol is being used (such as TCP, UDP or RTP) and which application is sending the traffic.

This enables much more complex rules to be created: instead of only being able to block traffic based on source or destination IP addresses, rules can now be created to block traffic based on the protocol being used or to block a particular application.

NAT / PAT

Network Address Translation and Port Address Translation are used to translate the IP address of the source device from a private IP address range to a public IP address range.

This has a number of benefits. Firstly, the actual IP address of the sending device is disguised because all the destination machine ever sees is the public IP address that has been substituted at the firewall and not the original private address.

The second benefit is that many devices can access the internet using the single public IP address which saves on Public IP address use.

Port Address Translation (PAT) allows the firewall to assign each outbound session a different source port number. These port mappings are recorded so that, when the destination server responds to the public IP address, the firewall knows which internal IP address originally sent the request and can forward the packet to it.
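The following added Python example (written for this article, not Cisco's implementation) models the PAT mechanism just described: two inside hosts using the same source port share one public IP, each session gets its own public port, replies are mapped back through the translation table, and a packet with no matching translation gets no inside destination at all. The public IP, the port pool and the sequential port allocation are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed PAT model for the mechanism described above: many private hosts
# share one public IP, the firewall picks a distinct public source port for each
# outbound session and keeps a translation table so that replies to that port
# can be mapped back to the original private address and port. Addresses and
# the port range below are assumptions for the example, not values from an ASA.

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PortAddressTranslator:
    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self._ports = iter(range(first_port, last_port + 1))   # simple sequential pool
        # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, dst_ip, dst_port) -> (private_ip, private_port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, f: Flow) -> Flow:
        """Rewrite the private source of an outbound packet to public_ip:public_port."""
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key not in self.outbound:
            # An existing session keeps its port; a new session gets the next free one.
            try:
                port = next(self._ports)
            except StopIteration:
                raise RuntimeError("PAT port pool exhausted")
            self.outbound[key] = port
            self.inbound[(port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(self.public_ip, self.outbound[key], f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Map a reply sent to public_ip:port back to the private host, or return
        None when nothing in the table matches (an unsolicited packet has no translation)."""
        if f.dst_ip != self.public_ip:
            return None
        hit = self.inbound.get((f.dst_port, f.src_ip, f.src_port))
        if hit is None:
            return None
        private_ip, private_port = hit
        return Flow(f.src_ip, f.src_port, private_ip, private_port)

def demo() -> dict:
    """Constructed traffic: two inside hosts, one public IP, replies and a stray packet."""
    pat = PortAddressTranslator("198.51.100.1")
    # Two inside hosts that happen to use the same source port to the same server.
    a = pat.translate_outbound(Flow("10.1.1.5", 50000, "203.0.113.10", 443))
    b = pat.translate_outbound(Flow("10.1.1.6", 50000, "203.0.113.10", 443))
    # The same session again reuses the existing mapping instead of consuming a port.
    a_again = pat.translate_outbound(Flow("10.1.1.5", 50000, "203.0.113.10", 443))
    # The server replies to the two public ports.
    reply_a = pat.translate_inbound(Flow("203.0.113.10", 443, "198.51.100.1", a.src_port))
    reply_b = pat.translate_inbound(Flow("203.0.113.10", 443, "198.51.100.1", b.src_port))
    # An unsolicited packet to the public IP has no translation, so it cannot reach inside.
    stray = pat.translate_inbound(Flow("192.0.2.9", 4444, "198.51.100.1", 22))
    return {"a": a, "b": b, "a_again": a_again,
            "reply_a": reply_a, "reply_b": reply_b, "stray": stray}

if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name}: {flow}")
```

Both benefits from the text are visible in the result: the server only ever sees 198.51.100.1, and a single public address carries both hosts because the public port, not the address, disambiguates the sessions. The sequential port allocation is a simplification of this example; a real appliance chooses ports differently, but the per-session uniqueness and the reverse lookup are what make PAT work.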


SSL / IPSec VPN

An ASA firewall is able to create an encrypted channel between the corporate network and another device located on a different network.

The Virtual Private Network (VPN) tunnel protects all the traffic that is flowing from external devices to the corporate network over the public internet.

This allows remote users to securely access data from outside of the corporate network using IPSec or SSL encryption protocols.

Moreover, a site-to-site IPSec VPN can create a secured and encrypted connection between two distant private LAN networks over the Internet.

This allows for a cheap and secure connectivity solution between two or more LAN networks without leasing expensive dedicated WAN links between the two sites.

Cisco Firepower Main Security Features

Cisco Firepower is a separate product line, acquired by Cisco, that provides many additional cybersecurity services such as Intrusion Prevention, DDoS prevention, Anti-malware, Anti-virus, mail scanning, URL filtering and dynamic security intelligence through Cisco Talos, a cybersecurity community created by Cisco.

A Firepower appliance is known as a Next Generation Security product and can be added to a network as a dedicated Firepower appliance or as a hardware module installed within a Cisco ASA.

An ASA with Firepower is able to provide the standard firewall services and also the enhanced security services of a Firepower device, which makes these ASAs Next Generation Firewalls.

Many of the security features offered by the Firepower module are activated by purchasing different levels of licensing which are available as a subscription service that is renewed on a yearly basis.

Subscription You Purchase    Smart Licenses You Assign in Firepower System
T                            Threat
TC                           Threat + URL Filtering
TM                           Threat + Malware
TMC                          Threat + URL Filtering + Malware
URL                          URL Filtering (can be added to Threat or used without Threat)
AMP                          Malware (can be added to Threat or used without Threat)

An ASA device that is running Firepower services is not managed by ASDM software. A Firepower device or cluster of Firepower devices is managed by another piece of software which is called the Cisco Secure Firewall Management Centre or SFMC (Formerly Firepower Management Centre or FMC).

The SFMC is a web-based security administration centre that is used for applying network security policies and configuration of the Firepower Threat Device (FTD) sensors or Firepower modules that are spread throughout a network.

Unlike ASDM, the FMC is not installed on a standard Windows or Mac OSX computer but is added to the network as a dedicated appliance or as a Virtual machine on a Hypervisor such as VMware ESXi.

The software can then be accessed from any device which has a web browser by navigating to the URL of the SFMC.

The following additional services are provided by the Firepower Module installed in a Cisco ASA or as a dedicated device:

Intrusion Prevention

An Intrusion Prevention System (IPS) works by scanning the incoming and outgoing traffic and comparing the traffic patterns to a baseline or against a signature database of known attack vectors.

A baseline is the normal amount of traffic that flows in and out of the network from all the different network sources.

When there is a deviation from this normal baseline, such as an unusually large amount of data being uploaded from an internal system, an alert can be raised in SFMC to make the security team aware of a potential network breach. The ASA can also take automatic action to block this traffic.
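As an added illustration of the baseline check described above (example code written for this article, not Firepower's detection engine), the following Python builds a per-host upload baseline from constructed hourly byte counts and flags a host whose upload in the current hour is far above it, as well as a host that has no history at all. The data, the "mean plus three standard deviations" rule and the absolute floor are all assumptions made for the example.

```python
import statistics
from typing import Dict, List, Tuple

# Constructed example of the baseline check described above: bytes uploaded by
# each inside host to external addresses, aggregated per hour. The history is
# invented sample data and the threshold rule (mean + 3 standard deviations,
# with an absolute floor) is this example's own choice, not an IPS setting.

MIN_ALERT_BYTES = 50_000_000   # ignore tiny absolute volumes even if statistically "unusual"

def build_baseline(history: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """Mean and population standard deviation of each host's past hourly upload volume."""
    return {host: (statistics.mean(v), statistics.pstdev(v)) for host, v in history.items()}

def check_interval(baseline: Dict[str, Tuple[float, float]],
                   current: Dict[str, int]) -> List[dict]:
    """Return one alert per host whose upload this hour is far above its baseline,
    or which has no baseline at all (a host that has never uploaded before)."""
    alerts = []
    for host, uploaded in current.items():
        if host not in baseline:
            if uploaded >= MIN_ALERT_BYTES:
                alerts.append({"host": host, "bytes": uploaded, "reason": "no baseline"})
            continue
        mean, stdev = baseline[host]
        threshold = max(mean + 3 * stdev, MIN_ALERT_BYTES)
        if uploaded > threshold:
            alerts.append({"host": host, "bytes": uploaded,
                           "reason": f"{uploaded / mean:.1f}x baseline"})
    return alerts

def run_demo() -> List[dict]:
    """Constructed history (six previous hours) and one current hour of upload volumes."""
    history = {
        "10.1.1.5": [2_000_000, 2_500_000, 1_800_000, 2_200_000, 2_100_000, 1_900_000],
        "10.1.1.7": [5_000_000, 4_500_000, 5_500_000, 6_000_000, 4_000_000, 5_000_000],
        "10.1.1.8": [300_000, 250_000, 400_000, 350_000, 300_000, 200_000],
    }
    current = {
        "10.1.1.5": 2_300_000,       # normal
        "10.1.1.7": 1_200_000_000,   # 1.2 GB out in one hour: far above its baseline
        "10.1.1.8": 3_000_000,       # up, but below the absolute floor
        "10.1.1.9": 80_000_000,      # never seen uploading before
    }
    return check_interval(build_baseline(history), current)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The absolute floor matters in practice: a host whose baseline is a few hundred kilobytes would otherwise trip the statistical test on a single large email attachment. What a sensor does with such an alert (notify the security team in the management centre, or block the flow) is the policy decision the article describes; this example only produces the detection.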

Content Filtering

Content filtering or URL filtering is performed by the ASA to block web content that is deemed inappropriate by the company’s security policy.

This web filtering is very CPU intensive, so it's important to ensure that an ASA model with the correct hardware specifications is chosen for filtering traffic on a large network.

Application Filtering

Many applications produce traffic signatures that can be recognized by the Firepower ASA and filtered as required.


It is even possible for the ASA to block specific parts of an application but not the entire application. For example, it is possible to block Facebook games but not the entire Facebook application.

Anti-Malware (AMP)

The ASA filters the incoming traffic and checks for a match to known malware signatures. If a match is found the traffic flow can be blocked preventing the malware from spreading throughout the network. Anti-malware filtering can be crucial in preventing the spread of ransomware.

Anti-Virus

An anti-virus mechanism is another service that the Firepower ASA employs to prevent malicious traffic from reaching internal users.

Like the anti-malware process the traffic is filtered and matched against known virus signatures and blocked before the virus is able to spread.

Security Intelligence

The Cisco ASA is able to use the power of the cybersecurity community to better protect enterprise networks. The ASA is able to prevent outgoing connections to a blacklist of known malicious domains that is constantly updated from the intelligence gathered by Cisco Talos.

As soon as a new malicious domain is confirmed the ASA blacklist is updated which helps to prevent Zero-day attacks.

What is Adaptive Security Device Manager (ASDM)

Traditional PIX firewalls could only be configured via the command line, which meant that only engineers experienced with command line configuration could set up or make changes to the firewall.

The Cisco ASA can be configured by the command line or through a graphical user interface called the Adaptive Security Device Manager or ASDM.

The ASDM software is a Java based application which needs to be installed on a Windows or Mac OSX computer, from which it can be used to remotely manage multiple ASA devices. The ASDM software image is also stored on the Cisco ASA flash drive.

ASDM makes the day-to-day maintenance of the firewall easier, as you are able to make configuration changes, view and filter connections, view charts and statistics or perform upgrades of the operating system remotely with the click of a mouse rather than by connecting through the CLI.

Current Cisco ASA models

  • ASA-5505 – End of Sale
  • ASA-5510 – End of Sale
  • ASA-5506-X – Desktop / Rack Mountable Unit
  • ASA-5506H-X – Desktop / Rack Mountable Unit
  • ASA-5508-X – 1 RU Rack Mountable Unit
  • ASA-5516-X – 1 RU Rack Mountable Unit
  • ASA-5525-X – 1 RU Rack Mountable Unit
  • ASA-5545-X – 1 RU Rack Mountable Unit
  • ASA-5555-X – 1 RU Rack Mountable Unit
  • ASA-5585-X – 2 RU Rack Mountable Unit
  • ASAv – Virtual machine software which is installed on a VMware server.

The standard ASA without Firepower services has now become end of sale, and the ASA is now sold with Firepower installed as standard. The X in the model’s name denotes that the model has a Firepower Module installed.

Competitors to Cisco ASA

Cisco ASA with Firepower services is a premium security product for Enterprise Networks and according to gartner.com there are only three direct competitors to these Cisco products. They are Palo Alto, Fortinet and Checkpoint.

Palo Alto

Palo Alto next generation firewalls provide similar features to Cisco ASA firewalls through their PAN-OS operating system.

The Palo Alto firewalls, and firewall clusters can be managed by their Firewall management system known as Panorama.

Fortinet

Fortinet has a very large range of firewall models aimed at every size of network, from entry level to cloud datacentres. These firewalls run the Fortigate operating system.

Fortinet is one of the fastest-growing security firms worldwide, and they manufacture all kinds of security products, such as firewalls, antivirus, email security, SIEM, WiFi etc.

Checkpoint

Checkpoint has taken a unified approach to network security through a suite of products, including Next Generation Firewalls, known as the Infinity architecture.

This architecture is made up of five sections which are Quantum, Cloudguard, Harmony and Infinity Vision which surrounds their Security Intelligence center known as Infinity Threat Cloud. Checkpoint has a large offering of 15 different Firewall models.


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. SUR says

    March 7, 2022 at 7:51 am

    How do Zone and CONTEXT differ?

  2. Harris Andrea says

    March 7, 2022 at 7:59 am

    A security Zone is a network subnet protected by the Firewall.

    A “Security Context” is a different virtual firewall entity.

  3. sur says

    March 7, 2022 at 11:13 am

    Andrea

    How to migrate a FW with 10,000 rules to a new vendor FW?

    Are any special tools required?

    Is it possible to manually migrate all rules in, say, 4 weeks with one very good resource?

    thanks in advance

  4. Harris Andrea says

    March 7, 2022 at 4:26 pm

    sur, it depends on the new firewall vendor. Some vendors (for example Fortinet) have tools that help you migrate Cisco rules to Fortigate rules.

    Harris

  5. sur says

    March 8, 2022 at 12:34 pm

    Palo Alto and Checkpoint new Firewalls

  6. sur says

    March 8, 2022 at 12:57 pm

    Harris

    The New FW are Checkpoint and Palo Alto
