TOPIC: ASA 101

ASA 101 9 years 4 months ago #21813

  • skepticals
  • skepticals's Avatar
  • Offline
  • Expert Member
  • Posts: 783
  • Karma: 0
I wanted to clear up a few basic concepts of the ASA:

It has been said (in my ASA book) that:
Before connections can form between firewall interfaces, two conditions must be met: 1) An address translation policy MUST be configured between a pair of interfaces. 2) A security policy must be configured to allow the connection to initiate toward the destination, usually in the form of an access list applied to a firewall interface.

It has also been said that:
1) Outbound connections from a higher security interface to a lower one are allowed, provided that they are permitted by any access lists that are applied to the firewall interfaces. 2) All inbound connections from a lower security interface to a higher one are blocked.

Questions:
1) Why do I need an ACL permitting traffic from a high-security interface to a lower one if the traffic is permitted (as previously stated)? How is this any different from a low-security interface to a high-security interface? Wouldn't I need an ACL in either case?

2) In order to communicate between interfaces, do I always need an address translation policy? If so, is the book speaking of NAT and PAT?

3) In summation, for any communication, I need a NAT/PAT statement and an ACL allowing the flow of traffic?

4) When do I not need an ACL or an address translation policy?

5) If traffic is permitted from a higher-security interface to a lower-security interface, does this include return traffic? (because this is a stateful firewall.)

I think I am confusing some of the basic concepts. Please shed some light. Thanks!

Re: ASA 101 9 years 4 months ago #21825

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Hi there,

I will try and shed some light (well, this is my understanding):

You don't need an access-list from a high to low; this is allowed by default. You will need an access list from low to high, however. This is one of the PIX/ASA security mechanisms to try and secure them. Also, you don't necessarily need to configure NAT. If you are using nat-control then you obviously do need to configure NAT (and from a low to high you need to configure a static translation), but if you turn off nat-control then NATting isn't required.

In summary:

High to Low - Traffic will flow (if NAT is configured correctly, if you are using Nat)
Low to High - Will need an access-list (and a Static if you are using Nat)
Nat - Only if you are using Nat-Control
Routing - If you are not using Nat-Control then the appliance will route the traffic.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
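A constructed configuration to illustrate the summary above. This is an added example, not taken from the thread or from either poster: it uses pre-8.3 ASA syntax (the version family in which the nat-control command exists), documentation address ranges, and interface and ACL names chosen for this example only.

```text
! Constructed example (not from the thread): pre-8.3 ASA syntax.
! Outside is the low-security side, inside the high-security side.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! With nat-control on, every flow between interfaces must match a translation.
nat-control
!
! High -> low (inside -> outside): no ACL is needed, but under nat-control a
! translation is. Dynamic PAT of the inside subnet to the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Low -> high (outside -> inside): needs BOTH a static translation and an ACL.
! One-to-one static: 203.0.113.10 on the outside maps to the web server 10.1.1.10.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Pre-8.3 ACLs match the address as seen on the interface they are applied to,
! i.e. the translated (outside) address, not the real inside address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Return traffic in either direction needs no ACL entry: the stateful
! connection table (show conn) matches it to the existing session.
```

If nat-control is off (the ASA default), the nat/global and static lines are not required for these flows to pass and the appliance simply routes between the interfaces; the access-list on the outside interface is still required for the low-to-high flow. To confirm how a given flow is handled, packet-tracer walks the decision for you and reports which ACL and NAT rules it hit, for example `packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 80` for the inbound web connection above.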