Cisco ASA Firewalls
•Download as PPTX, PDF•
2 likes•7,289 views
Cisco's ASA55xx series are adaptive security appliances that provide firewall, IPSec and SSL VPN capabilities. The appliances range from small office/home office models like the ASA550x to data center models like the ASA558x. All models support stateful packet inspection firewalls and VPN endpoints. Optional modules allow for intrusion prevention, content filtering, and additional network interfaces. Licenses determine the number of supported VPN connections and interfaces/VLANs.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Cisco ASA Firewalls
Similar to Cisco ASA Firewalls (20)
Recently uploaded
Recently uploaded (20)
Cisco ASA Firewalls
- 1. ASA55xx Series Cisco’s series of Adaptive Security Appliances Bryley Systems Inc. Business Technology Solutions Since 1987
- 2. Agenda • Default Capabilities • Models • Optional Capabilities
- 3. ASA Capabilities • Stateful/Deep Packet Inspection Firewall • IPSec VPN Endpoint • SSL VPN Endpoint • Virtualization • Anti-X • Intrusion Prevention
- 4. Firewall • Default firewall rules – Outbound traffic is allowed unless otherwise specified – Inbound traffic is denied unless otherwise specified • Stateful packet inspection ensures that responses to outbound traffic match outgoing requests
- 5. ASA Firewall • ASA assigns a security level to each interface – inside is 100, outside (Interent) is 0, DMZ is typically assigned 50 – Default rules allow free flow from higher security level to lower security 0 level • NAT/PAT – Allows for more servers with fewer public Ips • Deep packet inspection
- 6. IPSec VPN • Used for LAN-to-LAN connections • Workstation clients for Windows, Macintosh, Linux • Maximum connections depends on model • No additional licenses required • EasyVPN – Simplified configuration – Inbound connections only
- 7. SSL VPN • No pre-installed client – connect with web browser • Licensed by simultaneous connections (2 connections permitted for testing) • Clientless connection – Simplest configuration – Limited to web applications – Some client-server applications are SSL VPN aware
- 8. SSL VPN • Cisco AnyConnect VPN client • Downloaded on-the-fly • Full network access (if desired) • Windows/Macintosh/Linux • May not function of user rights on client computer limited
- 9. IPSec vs SSL IPSec • Workstation configuration required • Administrator can configure VPN then restrict user access • Access as if client machine on LAN • Has pre-shared key in addition to user password • No additional cost SSL • Browser-based from any computer • Limited access if user does not have right to install applications • Need to use web applictions to ensure access • Vulnerable to password compromise • Extra cost feature
- 10. ASA Models • ASA550x - SOHO/Telecommuter • ASA551x • ASA552x • ASA554x • ASA555x - Large enterprise • ASA558x - Datacenter/ISP Main Office, Integrated Protection http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
- 11. ASA550x – Base License • 10/50/Unlimited internal devices • 10 Simultaneous VPNs • 8 10/100 Ethernet ports – assigned to VLANs • 2 Power over Ethernet • 3 VLANs • One VLAN must be isolated from communicating with one of the others.
- 12. ASA550x – Telecommuter setup
- 13. ASA550x – Security Plus • 25 Simultaneous VPNs • Ports must be assigned to one of three interfaces, up to 20 trunked VLANs permitted • Communications between interfaces restriced by standard firewall rules • Failover to backup ISP for outbound access
- 14. ASA551x – Base License • 250 Simultaneous VPNs • 3 – 10/100 Ethernet ports – Firewall interfaces • 1 – 10/100 Ethernet port – Management only • Up to 50 Trunked VLANs • SSM Slot for Content Filter or Intrusion Prevention Module
- 15. ASA551x – Security Plus License • 250 Simultaneous VPNs • 3 – 10/100 Ethernet ports • 2 – 10/100/1000 Ethernet ports • Up to 100 Trunked VLANs • SSM Slot for Content Filter, Intrusion Prevention Module, or 4 x 10/100/1000 Ethernet Port module • 2 included/5 maximum Security Contexts
- 16. ASA552x • 750 Simultaneous VPNs • 1 – 10/100 Ethernet port • 4 – 10/100/1000 Ethernet ports • Up to 150 Trunked VLANs • SSM Slot for Content Filter, Intrusion Prevention Module, or 4 x 10/100/1000 Ethernet Port module • 2 included/20 maximum Security Contexts
- 17. ASA554x • 5000 Simultaneous VPNs (2500 SSL) • 1 – 10/100 Ethernet port • 4 – 10/100/1000 Ethernet ports • Up to 200 Trunked VLANs • SSM Slot for Content Filter, Intrusion Prevention Module, or 4 x 10/100/1000 Ethernet Port module • 2 included/50 maximum Security Contexts
- 18. ASA555x • 5000 Simultaneous VPNs • 1 – 10/100 Ethernet port • 4 – 10/100/1000 Ethernet ports • 4 ports selectable 1000T/SFP Fiber ports • Up to 250 Trunked VLANs • No SSM Slot • 2 included/50 maximum Security Contexts
- 19. Content Security and Control Module • Standard License – Anti-virus – Anti-Spyware – File blocking • Plus License adds – Anti-SPAM – URL Filter – E-mail content control
- 20. Content Security and Control Module • CSC-SSM-10 – 50/100/250/500 users – ASA5510 and ASA5520 • CSC-SSM-20 – 750/1000 users – ASA5510 , ASA5520, ASA5540 • Subscription required for updates
- 21. Advanced Intrusion Prevention • Compares every packet against a signature database • Alerting or automatic blocking • Update subscription required
Editor's Notes
- ASA is a stateful packet inspection firewall. Some protocols are inspected at a other layers Anti-X – anti-virus, anti-spy, file filter, anti-spam, url filter
- Stateful packet inspection has been standard for ALMOST 10 years, some early low-cost NAT devices lacked it.
- Typical firewalls allow for one of each type of server on a single pubic IP. Multiple Ips must be assigned one to one to internal servers. PAT allows for one server per protocol per public IP. Not exclusive to Cisco, but not typically found on low end fuirewalls. Deep packet inspection performs basic checks for validity on some protocols.