The document provides an overview of implementing the Cisco Adaptive Security Appliance (ASA), including comparing ASA solutions to other routing firewall technologies, explaining ASA operation and models for various use cases. It outlines objectives for configuring basic ASA firewall services like access lists, network address translation, and authentication. The document also covers advanced ASA policies using the modular policy framework.

1. CCNA Security v2.0
Chapter 9:
Implementing the Cisco Adaptive
Security Appliance

2. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
9.0 Introduction
9.1 Introduction to the ASA
9.2 ASA Firewall Configuration
9.3 Summary

3. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Upon completion of this section, you should be able to:
• Compare ASA solutions to other routing firewall technologies.
• Explain ASA 5505 operation with the default configuration.

4. Cisco Public© 2013 Cisco and/or its affiliates. All rights reserved. 4

5. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Small Office and Branch Office ASA Models

6. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Internet Edge Models

7. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Enterprise Data Center Models

8. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
ASA Virtualization

9. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
High Availability

10. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Identity Firewall

11. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
ASA Threat Control

12. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Permitted Traffic
DeniedTraffic

13. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Routed Mode Transparent Mode

14. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Base License Specifics

15. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
Security Plus License
Specifics

16. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
show version Command Output

17. Cisco Public© 2013 Cisco and/or its affiliates. All rights reserved. 17

18. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
ASA 5505 Back
Panel
ASA 5505 Front
Panel

19. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
Security Level Control:
• Network Access
• Inspection Engines
• Application Filtering

20. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
ASA Deployment in a Small Branch
ASA Deployment in a Small
Business

21. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
ASA Deployment in an Enterprise

22. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Upon completion of this section, you should be able to:
• Explain what ASA firewall services are enabled using the default configuration.
• Configure an ASA to provide basic firewall services.
• Configure object groups on an ASA.
• Configure access lists with object groups on an ASA.
• Configure an ASA to provide NAT services.
• Configure access control using the local database and AAA server.
• Explain how the Cisco Modular Framework (MPF) is used to configure ASA policies.

23. Cisco Public© 2013 Cisco and/or its affiliates. All rights reserved. 23

24. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Base License
Specifics
Security Plus
License Specifics

25. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
show version Command Output

26. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
ASA 5505 Default
Configuration Overview.

27. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Entering the ASA 5505 Setup Initialization Wizard

28. Cisco Public© 2013 Cisco and/or its affiliates. All rights reserved. 28

29. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Entering Global Configuration Mode Example

30. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
ASA Basic Configuration Commands

31. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Configuring Basic Settings
Enabling AES Encryption
Example

32. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Configuring IP Addresses
on VLAN Interfaces
Local VLAN Interface
Commands

33. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Configuring VLAN Interfaces Example

34. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Configuring Layer 2
Ports Example
Verifying VLAN Port
Assignment Example

35. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Verifying IP
Addresses Example
Verifying Interfaces
Example

36. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
Telnet Configuration Commands Example
Telnet Configuration Commands

38. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
SSH Configuration Commands
Configuring SSH Access Example

39. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
NTP Authentication Commands
Configuring NTP Example

40. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
DHCP Server Commands
Configuring DHCP Server Example

41. Cisco Public© 2013 Cisco and/or its affiliates. All rights reserved. 41

42. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Network Object Commands
Configuring a Network Object Example

44. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Service Object Options Example

45. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Common Service Object Commands
Configuring a Service Object Example

46. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Network Object Group
Example
ICMP-type Object Group
Example

48. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Services Object Group Example

49. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Services Object Group Example

50. Cisco Public© 2013 Cisco and/or its affiliates. All rights reserved. 50

51. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
ASA ACL and IOS ACL
Similarities
ASA ACL and IOS ACL
Similarities

52. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
Lower Levels Denied To
Higher Levels
Higher Levels Allowed
To Lower Levels

53. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Standard ACL
Example
IPv6 ACL Example
Extended ACL Examples

54. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
ACL Command Parameters

55. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Condensed Extended ACL Syntax

56. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
ASA ACL Elements

57. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
access-group Command Syntax

58. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
ACL Reference Topology

59. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Extended ACL
Configuration
Example
Verifying the ACL

60. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Condensed Extended ACL Syntax with Object Groups
ACL Reference Topology

61. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
ACL and Object
Group
Configuration
Example
Verifying the ACL and Object Group Configuration Example

62. Cisco Public© 2013 Cisco and/or its affiliates. All rights reserved. 62

63. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Types of NAT Deployments:
• Inside NAT
• Outside NAT
• Bidirectional NAT

64. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Dynamic NAT Reference Topology

65. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Dynamic NAT Configuration
Example
Enable Return
Traffic Example
Verifying the Dynamic
NAT Configuration
Example

66. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Dynamic PAT Configuration Example
Verifying the Dynamic PAT Configuration Example

67. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Configure the DMZ
Interface Example
Static NAT
Configuration
Example

68. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Verifying the Static NAT Configuration Example

69. Cisco Public© 2013 Cisco and/or its affiliates. All rights reserved. 69

70. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 70

71. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
RADIUS and TACACS+ Server Commands
Sample AAA TACACS+ Server Configuration

72. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 72

73. Cisco Public© 2013 Cisco and/or its affiliates. All rights reserved. 73

74. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 74

75. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 75

76. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Implementing Modular Policy Framework

77. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Default Service Policy Configuration

78. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Chapter Objectives:
• Explain how the ASA operates as an advanced stateful firewall.
• Implement an ASA firewall configuration.

79. Thank you.

80. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
• Remember, there are
helpful tutorials and user
guides available via your
NetSpace home page.
(https://www.netacad.com)
• These resources cover a
variety of topics including
navigation, assessments,
and assignments.
• A screenshot has been
provided here highlighting
the tutorials related to
activating exams, managing
assessments, and creating
quizzes.
1
2