Uploaded bykamarulzam
5 views

share.pdf

This document discusses security levels in Cisco ASA firewalls and the order of operations for ACLs and NAT rules. It notes that interfaces with the same security level allow traffic between connected networks by default. It also explains that for ASA versions prior to 8.3, ACLs are evaluated before NAT for outbound traffic but NAT is evaluated before ACLs for inbound traffic, while for versions 8.3 and above ACLs are always evaluated before NAT rules for both inbound and outbound traffic.

Embed presentation

Download to read offline
Knowledge Sharing 1
Security Levels in Cisco ASA 2
CAB Template v18 Security Levels in Cisco ASA Interface having same security level 3
Security Levels in Cisco ASA • PC1 ping PC2: 4
Security Levels in Cisco ASA PC2 ping PC1: 5
Security Levels in Cisco ASA PC2 ping PC1: same security level 6
Security Levels in Cisco ASA • PC1 ping PC2: After enable command below • # same-security-traffic permit inter- interface • Best practice: Keep it disabled by default. Always use access-list to permit traffic 7
Whitelist ip in Firewall -Cisco ASA 8 Via CLI / ASDM Ping /traceroute Network Diagram Search/trace location of ip NAT required? Use Show commands Configure
ACL and NAT order of operation 9 • ACL is evaluated first, then NAT rule applied to the packet for both Inbound and Outbound traffic ASA version prior to 8.3: • Outbound traffic: ACL is evaluated first, then only static NAT takes place • Inbound traffic: NAT rule will be evaluated first, then only ACL takes place ASA version 8.3 and above:
ACL and NAT order of operation An inside host (10.1.1.10) translated to public address (200.200.200.10) for outbound traffic (inside to outside) ACL configuration is same for Cisco ASA version below 8.3 and above 8.3 10 ciscoasa(config)# access-list INSIDE extended permit ip host 10.1.1.10 host 100.100.100.1 ciscoasa(config)# access-group INSIDE in interface inside object network inside-subnet subnet 10.1.1.0 255.255.255.0 nat (inside,outside) dynamic interface
ACL and NAT order of operation Inbound traffic coming from the Internet towards the public address of the Web Server Cisco ASA prior to version 8.3: ACL reference to NAT IP Cisco ASA 8.3 and above: ACL reference to REAL IP 11 Cisco ASA < 8.3 ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 200.200.200.10 eq 80 ciscoasa(config)# access-group OUTSIDE in interface outside object network WEB_SERVER host 10.1.1.10 nat (inside,outside) static 200.200.200.10 Cisco ASA > 8.3 ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 10.1.1.10 eq 80 ciscoasa(config)# access-group OUTSIDE in interface outside object network WEB_SERVER host 10.1.1.10 nat (inside,outside) static 200.200.200.10 Inboun d

More Related Content

PDF
Brkcrt 2214
byMac An
 
DOCX
Asa 8.3 upgrade what you need to know
byIT Tech
 
PPT
Chapter 6 overview
byali raza
 
PPTX
ASA Firewall Interview- Questions & Answers
byNetProtocol Xpert
 
PDF
CCNP Security-Firewall
bymohannadalhanahnah
 
PDF
Chapter 6-Securing the Local Area Network.pdf
byOhmRon
 
PDF
Cisco ASA Full Syllabus Outline
bySagarNetworkingCours
 
DOCX
PIX vs ASA_firewall
byRajesh Porwal
 
Brkcrt 2214
byMac An
 
Asa 8.3 upgrade what you need to know
byIT Tech
 
Chapter 6 overview
byali raza
 
ASA Firewall Interview- Questions & Answers
byNetProtocol Xpert
 
CCNP Security-Firewall
bymohannadalhanahnah
 
Chapter 6-Securing the Local Area Network.pdf
byOhmRon
 
Cisco ASA Full Syllabus Outline
bySagarNetworkingCours
 
PIX vs ASA_firewall
byRajesh Porwal
 

Similar to share.pdf

PPTX
Cisco CCNA Port Security
byHamed Moghaddam
 
PPTX
Basic Cisco ASA 5506-x Configuration (Firepower)
byNetProtocol Xpert
 
PPT
CCNA Discovery 3 - Chapter 8
byIrsandi Hasan
 
PPTX
Firewall basics
bySandeep Yadav
 
PDF
5 ip security ipsec gre
bySagarR24
 
PDF
ASA (Adaptive Security Appliance) firewall Configuration_-1.pdf
byskydon86
 
PPTX
012 2 ccna sv2-instructor_ppt_ch9
byBabaa Naya
 
PPTX
Enterprise Network Design and Deployment
bySandeep Yadav
 
PPTX
Implementing the Cisco Adaptive Security Appliance.pptx
byssuserb1479b
 
PDF
TCP Filtering on ASA
byPratik Bhide
 
PDF
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
bySalem Trabelsi
 
PPTX
FIREWALL ASA concept of basic uses in the Network
byAvikMazumdar3
 
PDF
BRKSEC-2021 Firewall Architectures in the Data Centre and Internet Edge.pdf
byAntonioIsipJr1
 
PDF
4.1.1.10 packet tracer configuring extended ac ls scenario 1
bymps125
 
PDF
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1.pdf
byssuserf7cd2b
 
PDF
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf
byZahraElhaddi
 
DOC
Deploying cisco asa firewall features
bybestip
 
PPT
Understanding and Troubleshooting ASA NAT
byCisco Russia
 
PDF
5 ip security dataplace security
bySagarR24
 
PDF
5 ip security copp-mpp
bySagarR24
 
Cisco CCNA Port Security
byHamed Moghaddam
 
Basic Cisco ASA 5506-x Configuration (Firepower)
byNetProtocol Xpert
 
CCNA Discovery 3 - Chapter 8
byIrsandi Hasan
 
Firewall basics
bySandeep Yadav
 
5 ip security ipsec gre
bySagarR24
 
ASA (Adaptive Security Appliance) firewall Configuration_-1.pdf
byskydon86
 
012 2 ccna sv2-instructor_ppt_ch9
byBabaa Naya
 
Enterprise Network Design and Deployment
bySandeep Yadav
 
Implementing the Cisco Adaptive Security Appliance.pptx
byssuserb1479b
 
TCP Filtering on ASA
byPratik Bhide
 
4.4.1.2 packet tracer configure ip ac ls to mitigate attacks-instructor
bySalem Trabelsi
 
FIREWALL ASA concept of basic uses in the Network
byAvikMazumdar3
 
BRKSEC-2021 Firewall Architectures in the Data Centre and Internet Edge.pdf
byAntonioIsipJr1
 
4.1.1.10 packet tracer configuring extended ac ls scenario 1
bymps125
 
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1.pdf
byssuserf7cd2b
 
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf
byZahraElhaddi
 
Deploying cisco asa firewall features
bybestip
 
Understanding and Troubleshooting ASA NAT
byCisco Russia
 
5 ip security dataplace security
bySagarR24
 
5 ip security copp-mpp
bySagarR24
 

Recently uploaded

PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
final.pdf
byomarbishtawi04
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
final.pdf
byomarbishtawi04
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
Workflow and decision Automation with Flowable
bychakib ch
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 

share.pdf

  • 1.
  • 2.
    Security Levels inCisco ASA 2
  • 3.
    CAB Template v18 SecurityLevels in Cisco ASA Interface having same security level 3
  • 4.
  • 5.
    Security Levels inCisco ASA PC2 ping PC1: 5
  • 6.
    Security Levels inCisco ASA PC2 ping PC1: same security level 6
  • 7.
    Security Levels in CiscoASA • PC1 ping PC2: After enable command below • # same-security-traffic permit inter- interface • Best practice: Keep it disabled by default. Always use access-list to permit traffic 7
  • 8.
    Whitelist ip inFirewall -Cisco ASA 8 Via CLI / ASDM Ping /traceroute Network Diagram Search/trace location of ip NAT required? Use Show commands Configure
  • 9.
    ACL and NATorder of operation 9 • ACL is evaluated first, then NAT rule applied to the packet for both Inbound and Outbound traffic ASA version prior to 8.3: • Outbound traffic: ACL is evaluated first, then only static NAT takes place • Inbound traffic: NAT rule will be evaluated first, then only ACL takes place ASA version 8.3 and above:
  • 10.
    ACL and NATorder of operation An inside host (10.1.1.10) translated to public address (200.200.200.10) for outbound traffic (inside to outside) ACL configuration is same for Cisco ASA version below 8.3 and above 8.3 10 ciscoasa(config)# access-list INSIDE extended permit ip host 10.1.1.10 host 100.100.100.1 ciscoasa(config)# access-group INSIDE in interface inside object network inside-subnet subnet 10.1.1.0 255.255.255.0 nat (inside,outside) dynamic interface
  • 11.
    ACL and NATorder of operation Inbound traffic coming from the Internet towards the public address of the Web Server Cisco ASA prior to version 8.3: ACL reference to NAT IP Cisco ASA 8.3 and above: ACL reference to REAL IP 11 Cisco ASA < 8.3 ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 200.200.200.10 eq 80 ciscoasa(config)# access-group OUTSIDE in interface outside object network WEB_SERVER host 10.1.1.10 nat (inside,outside) static 200.200.200.10 Cisco ASA > 8.3 ciscoasa(config)# access-list OUTSIDE extended permit tcp any host 10.1.1.10 eq 80 ciscoasa(config)# access-group OUTSIDE in interface outside object network WEB_SERVER host 10.1.1.10 nat (inside,outside) static 200.200.200.10 Inboun d