CISCO ASA Interview Questions
Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. It provides proactive threat defense that stops attacks before they spread through the network.
 
An ASA is valuable and flexible in that it can be used as a security solution for both small and large networks.
 
The Cisco ASA 5500 series is Cisco's follow-up to the Cisco PIX 500 series firewall. However, the ASA is not just a pure hardware firewall: as described above, it combines firewall, antivirus, intrusion prevention and VPN capabilities with proactive threat defense in one appliance.
Features and Capabilities : Cisco Adaptive Security Appliance (ASA) Software is the core operating system for the Cisco ASA Family. It delivers enterprise-class firewall capabilities for ASA devices in an array of form factors - standalone appliances, blades, and virtual appliances - for any distributed network environment. ASA Software also integrates with other critical security technologies to deliver comprehensive solutions that meet continuously evolving security needs.
 
Among its benefits, Cisco ASA Software :
 
* Offers integrated IPS, VPN, and Unified Communications capabilities
* Helps organizations increase capacity and improve performance through high-performance, multi-site, multi-node clustering
* Delivers high availability for high resiliency applications
* Provides collaboration between physical and virtual devices
* Meets the unique needs of both the network and the data center
* Provides context awareness with Cisco TrustSec security group tags and identity-based firewall technology
* Facilitates dynamic routing and site-to-site VPN on a per-context basis
 
Cisco ASA software also supports next-generation encryption standards, including the Suite B set of cryptographic algorithms. It also integrates with the Cisco Cloud Web Security solution to provide world-class, web-based threat protection.
A security level is assigned to every firewall interface and can be any value from 0 to 100. 100 is the highest security level on the ASA and marks the most trusted zone; by default it is assigned to the inside interface. 0 is the lowest security level and marks the untrusted zone; by default it is assigned to the outside interface.
 
By default, traffic is allowed from a higher security level to a lower security level, and traffic from a lower security level to a higher security level is denied unless an access list explicitly permits it. Traffic between two interfaces with the same security level is also denied unless same-security-traffic permit inter-interface is configured.
An Adaptive Security Appliance, or ASA, is a piece of cybersecurity hardware sold by Cisco. ASAs are multi-purpose security devices that provide firewall, antivirus, intrusion prevention and VPN capabilities.
When internal users make requests to the internet, an ASA saves session information so that when a valid response comes back, it can recognize and permit that traffic through. Stateful inspection is the mechanism that allows the ASA to do so.
 
Imagine a user on our internal network named Bob. Bob wants to go out to the internet, so he makes his request.
 
The traffic from that request goes out to the internet. Clearly, if Bob's ASA stopped all traffic from making it back into the network, it wouldn't be much more useful than never being plugged into the internet in the first place.
 
When Bob goes out to the internet, he is not just sending requests with no expectation of a response. For his internet connection to be useful, he needs a reply: Bob is expecting a response back from an external server.
 
Remember, the default operation of an ASA is to deny traffic initiated from the outside before it reaches the inside network. So if the firewall did not allow the reply to Bob's request back in, there would be no internet. But when Bob's request leaves the network, the firewall does something useful: in the background, it looks at Bob's session and records it.
 
It records the source IP address, destination IP address, Layer 4 protocol and the ports involved, and puts all of that into the stateful session (connection) table. When the reply comes back, the firewall compares it against that table: the reply matches exactly what Bob is expecting, so the ASA dynamically makes an exception and lets that return traffic back in.
 
With stateful inspection, you can have thousands of users all going out to the internet dynamically and allow all the return traffic while simultaneously stopping any traffic that's initiated on the outside from coming in.
In Active/Active failover, both ASAs in the pair can pass network traffic. The security contexts are divided into failover groups.
 
A failover group is a logical group of one or more security contexts. Each group is assigned to be active on one of the ASAs in the failover pair, and when a failure occurs, failover happens at the failover-group level.
There are 2 requirements for failover devices
 
1. Software Requirement 
 
* Both the active and standby units must run in the same operating mode (routed or transparent, single context or multiple context).
* Both units must run the same software version.
 
2. Hardware Requirements
 
* The active and standby units must be the same model, with the same number and type of interfaces.
In Active/Standby failover, the active unit passes all the traffic and the standby unit passes none. When a failover occurs, the active unit fails over to the standby unit, which then becomes the active unit.
 
We can use failover on ASA for both for Single context as well as multiple contexts.
One of the longer-running firewall lines, the Cisco Adaptive Security Appliance (ASA), has been around since Cisco introduced it in May 2005. It replaced three distinct lines of Cisco devices: the Cisco PIX, the Cisco IPS 4200 series and the Cisco VPN 3000 Concentrator. Over the following years, Cisco addressed the concern that the ASA lacked some of the more advanced features by releasing the next-generation ASA firewall line, and the Cisco ASA cemented itself as a mainstay in many small to medium business environments across the globe.
 
Cisco developed the Firepower appliance as the heir apparent and replacement for the ASA. Firepower ran two different software images: the ASA code and the FTD (Firepower Threat Defense) code. The ASA image provided the basic firewall but lacked the advanced next-generation and IPS functionality; the next-generation ASA instead ran a Firepower module inline on top of the existing ASA architecture, and that module provided IPS, malware protection and URL filtering. The Cisco Firepower appliance now integrates the firewall capabilities and the Firepower module capabilities into one solution, which falls under the newly branded Cisco Secure Firewall product line.
 
The Secure Firewall product line touts major advanced capabilities. All under one roof, Secure Firewall Management Center provides :
 
* Unified management of firewalls
* Application control
* IPS
* URL filtering
* Malware defense policies
Cisco Firepower Threat Defense (FTD) is a unified software image, which is a combination of Cisco ASA and Cisco FirePOWER services features that can be deployed on Cisco Firepower 4100 and the Firepower 9300 Series appliances as well as on the ASA 5506-X,ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. However, at the time of writing, the Cisco Firepower Threat Defense (FTD) unified software cannot be deployed on Cisco ASA 5505 and 5585-X Series appliances.

The Cisco Firepower Threat Defense is continually expanding the Next-Generation Firewall services it supports, which currently include :
 
* Stateful Firewall Capabilities
* Static and Dynamic Routing. Supports RIP, OSPF, BGP, Static Routing
* Next-Generation Intrusion Prevention Systems (NGIPS)
* URL Filtering
* Application Visibility and Control (AVC)
* Advance Malware Protection (AMP)
* Cisco Identity Service Engine (Cisco ISE) Integration
* SSL Decryption
* Captive Portal (Guest Web Portal)
* Multi-Domain Management
* Rate Limiting
* Tunnelled Traffic Policies
* Site-to-Site VPN. Only supports Site-to-Site VPN between FTD appliances and FTD to ASA
* Multicast Routing
* Shared NAT
* Limited Configuration Migration (ASA to Firepower TD)
 
While the Cisco Firepower Threat Defense is being actively developed and populated with some great features, we feel that it’s too early to place it in a production environment.
Although the Cisco ASA appliance is not a general-purpose router, it still has a routing table, and static or dynamic routing must be configured so that the appliance knows where (out of which interface and to which next hop) to send packets.
 
When a packet arrives at a network interface on the ASA firewall, the packet undergoes several security controls, such as ACL filtering, NAT and deep-packet inspection.
As the ASA product line winds down and the Firepower appliance line continues to gain traction, it is worth seeing how the Firepower line can best help you. There are multiple options to deploy, and the Firepower line is a stable and solid option not only for a data center but for small and medium-sized businesses as well.
When traceroute probes pass through the ASA, the ASA does not decrement the TTL of transit packets by default, for security reasons: it does not want to reveal its presence as a hop. The packet is forwarded with its TTL unchanged, so the ASA is invisible to traceroute. (If the ASA should appear as a hop, this default can be changed with set connection decrement-ttl in a Modular Policy Framework class.)
The following cannot be configured on the ASA:
 
* Loopback (logical) interfaces (not available on classic ASA releases)
* Wildcard masks (ASA access lists use ordinary subnet masks instead)
* line vty (remote management access is controlled with the ssh and telnet commands instead)
A gateway is what lets your network/segment/VLAN communicate with outside networks: Layer 3 devices (routers) do not forward broadcasts, so every host needs a default gateway for unicast communication through the router to destinations outside its own subnet.  
 
A firewall on a network secures networks from unauthorized access, either outgoing or incoming.  
 
Network firewalls could comprise hardware components or virtual machines, e.g., Cisco ASA, Checkpoint. 
A firewall is a device placed between a trusted network (higher security zone / inside network) and an untrusted network (lower security zone / outside network) to protect users, servers and the internal network. It allows or denies traffic entering or leaving the network according to pre-configured rules. 
 
Network firewalls guard an internal LAN network from malicious access from the outside/unsecured zone, such as malware-infested websites or vulnerable ports. A Firewall also regulates inbound and outbound communications between devices. 
 
It works at the Network (Layer 3), Transport (Layer 4), and Application layers (Layer 7) of the OSI Model.
Stateful Firewall : Stateful firewalls monitor and track the state of all traffic passing through them. They can track and enforce policy based on traffic flows, and a stateful firewall is aware of the connections that pass through it. 
 
It records details about each user connection in a state table, also called the connection table, and then uses that table to apply security policy to those connections (for example, to admit return traffic only for connections it has seen). Examples of stateful firewalls are Juniper, Cisco ASA and Check Point.
 
Stateless Firewalls : Stateless firewalls look at individual packets and use preset rules to filter traffic. They do not examine the state of connections, only the packets themselves. A good example of a stateless packet filter is the extended access control list on a Cisco IOS router.
The following are the primary security levels created and used on the PIX firewall:
 
Security level 100 : The highest possible level, it is used by the inside interface by default. Using the trusted-untrusted terminology, this level is considered the most trusted.
 
Security level 0 : The lowest possible level, it's used by the outside interface by default, making it the most untrusted interface. Traffic can pass from this interface to other interfaces only if manually configured to do so.
 
Security levels 1–99 : Can be assigned to any other interface on the PIX. On a three-pronged PIX firewall, the inside is typically 100, the outside is 0, and the third interface could be 50. By default, traffic from interfaces with levels 1 to 99 can pass to the outside (0), but it is prevented from passing to the inside (100), because those interfaces have a lower security level than the inside.
Layer 4 load balancing works at the transport layer and makes its decisions without regard to message content.

Transmission Control Protocol (TCP) is the Layer 4 protocol that carries HTTP.

These load balancers forward packets based only on the packet headers (addresses and ports), without regard for what is in the payload. By looking at the first few TCP packets they can make only rudimentary routing decisions.

Layer 7 load balancing works at the application layer and deals with the real content of each message. For website traffic, HTTP is the protocol in play at Layer 7.

For TCP-based traffic, Layer 7 load balancers distribute flows significantly more intelligently than Layer 4 devices.

A Layer 7 load balancer terminates the client's connection and reads the message, so it can make a load-balancing choice based on the message's content (the URL and cookies, for example).

It then opens a new TCP connection to the chosen downstream server (or reuses an existing one via HTTP keep-alives) and forwards the request to that server...
The first one is a firewall that operates at the application level. As an HTTP(S) proxy, it probably sends the entire request to the proxy, which filters them all before sending them to your website. Your server's IP will be completely concealed from the internet if the business you're considering buying from uses an HTTP proxy. It's the simplest option for protecting your websites that "simply works."

Their base plan includes a Layer 7 barrier (which I understand to be HTTP, HTTPs, etc.), but their advance plan also includes layer 4 coverage (which I understand to be IP and TCP/UDP).

1. Layer 4 firewalls provide the aforementioned functions, as well as the capacity to monitor current internet connections or allow/refuse traffic based on the condition of those connections (i.e. stateful packet investigation).

2. Layer 7 firewalls (also known as application gateways) can perform all of the aforementioned functions, as well as analyze the network packets' contents intelligently. For example, all HTTP POST queries from Chinese IPs could be denied by a Layer 7 firewall. However, the finer the granularity, the slower the system will be.
Since their pricing scheme doesn't match their definitions, I believe they're referring to your VPS's software firewall as "Layer 7," which is technically inaccurate. Consider iptables and Windows Firewall as examples. By paying a little bit more, you can have your VPS behind such a real network firewall. Maybe.
This raises doubts about their expertise across the board if they can't even be bothered to describe their VPS solution using suitable terms to potential clients.
An SGT static mapping will be defined for each DC server or network device that will later be used in an ACL on the ASA to permit/deny traffic as required. These SGT mappings will be pushed from ISE to the ASA via the SXP peering.
 
For testing we will define two IP addresses, mapped to two unique SGTs (as created previously); these will be sent via SXP to the ASA.
 
* Navigate to Work Centers > TrustSec > Components > IP SGT Static Mappings
* Click Add to create a new IP SGT static mapping
* Enter the IP address of a server to define mappings

IP address/host    SGT                   Deploy via
2.2.2.1            ROUTER (1002/03EA)    default
2.2.2.10           WEBSVR (1001/03E9)    default
A firewall is a network security system that takes actions on incoming or outgoing packets according to rules defined on criteria such as IP addresses and port numbers. Cisco calls its firewall the Adaptive Security Appliance (ASA). 
 
The Cisco ASA 5500 series has models : 
Cisco ASA 5505, Cisco ASA 5510, Cisco ASA 5515-X, Cisco ASA 5520, Cisco ASA 5525-X, Cisco ASA 5540, Cisco ASA 5550, Cisco ASA 5555-X, Cisco ASA 5585-X. 
 
The Cisco ASA is a security device with many features.
 
* Adaptive Security Appliance (ASA) : ASA is a Cisco security device that can perform basic firewall capabilities with VPN capabilities, antivirus, and many other features. Some of the features of ASA are: 
 
* Packet filtering : Packet filtering is a simple process of filtering incoming or outgoing packets on the basis of rules defined in the ACL applied to the interface. The ACL consists of permit and deny entries evaluated in order: the first entry the traffic matches is applied and no further entries are evaluated (with an implicit deny if nothing matches). 
 
* Stateful filtering : By default, the ASA performs stateful tracking of connections initiated from a higher security level to a lower security level. 
If a device on a higher-security interface initiates a connection to a device on a lower-security interface (for example, a telnet session), the TCP or UDP reply traffic is allowed back because an entry for the connection (source and destination IP addresses and port numbers) is kept in the stateful connection table; stateful inspection is enabled by default. 

* Routing support : ASA supports static and default routing as well as dynamic routing protocols such as EIGRP, OSPF, RIP and (in newer releases) BGP. 
 
 
Transparent firewall : 
ASA can operate in two modes: 
* Routed mode : In this mode, the ASA acts like a Layer 3 device (a router hop); each of its interfaces has its own IP address in a different subnet.
* Transparent mode : In this mode, the ASA operates at Layer 2 as a bridge between its inside and outside interfaces, so only a single IP address (in the bridged subnet) is needed, purely for management.

* AAA support : ASA supports AAA services either using its local database or using an external server like ACS (Access Control Server). 
 
* VPN support : ASA supports IPsec VPNs (site-to-site and remote-access) and SSL-based VPNs. 
 
* Supports IPv6 : ASA (new versions) supports IPv6 routing such as static, dynamic. 
 
* VPN load balancing : A Cisco proprietary feature of the ASA in which remote-access VPN clients are distributed across multiple ASA units at the same time. 
 
* Stateful failover : ASA supports the high availability of pair of Cisco ASA devices. If one of the ASA goes down, the other ASA device will perform the operations without any interruption. When stateful failover is enabled, the active unit continuously passes connection state information to the backup device. After the failover occurs, the same connection information is available on the new active unit. 
 
* Clustering : Cisco ASA lets us configure multiple ASA devices as a single logical device. A cluster can consist of up to 8 units. This results in higher throughput and at the same time provides redundancy. 
 
* Advanced Malware Protection (AMP) : With the FirePOWER services module, the ASA supports next-generation firewall features such as advanced malware protection alongside the classic firewall features in a single device. 
 
* Modular Policy Framework (MPF) : MPF is used to define policies for different traffic flows. It is used in ASA to utilize advanced firewall features like QoS, Policing, prioritizing, etc. 
For using MPF, we define Class-map for identifying the type of traffic, policy-map for identifying what action should be taken like prioritize, and service-policy for where it should be applied. 
DNS Inspection : DNS inspection on the ASA is enabled by default and performs a number of different functions that many people might not even recognize. When enabled, DNS inspection makes the life of the ASA administrator much easier and keeps the relationship with the DNS administrators and the internal user base much happier. Functions that it provides include the following:
 
* Translates DNS record information based on the configuration of the NAT commands alias, static, and nat; this is referred to often as DNS rewrite. This translation affects only DNS A records and does not affect DNS PTR records.
* Enforces a maximum DNS message length. (The default is 512 bytes.)
* Enforces the domain name length of 255 bytes.

DNS inspection can also be used to control the behavior of the ASA based on a number of different traffic-matching criteria.
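The DNS rewrite described above, as an added example in Python that is not part of the original page or of ASA code. It models what DNS inspection does to a reply entering the inside interface when the NAT rule for a host carries the dns keyword (on a modern ASA, nat (inside,outside) static ... dns): A records whose rdata matches the NAT table are rewritten, PTR records are left untouched, and a reply longer than the maximum DNS message length (512 bytes by default) is dropped. The names, addresses and the mapping 200.200.200.200 -> 192.168.100.100 are constructed for the example, and the builder compresses answer names with a pointer to the question so the parser exercises both label and pointer forms.

```python
"""Model of ASA DNS-inspection rewrite (added example, not ASA code).
Names, addresses and the NAT mapping below are constructed for illustration."""
import socket
import struct

A, PTR = 1, 12


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def decode_name(raw):
    labels, off = [], 0
    while raw[off]:
        labels.append(raw[off + 1:off + 1 + raw[off]].decode())
        off += 1 + raw[off]
    return ".".join(labels)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_reply(qname, answers, txn_id=0x1234):
    """One question plus the given (type, rdata-as-text) answers, names compressed to the question."""
    qtype = answers[0][0] if answers else A
    msg = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        raw = socket.inet_aton(rdata) if rtype == A else encode_name(rdata)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(raw)) + raw
    return msg


def iter_answers(msg):
    """Yield (rtype, rdata_offset, rdlen) for each answer RR, skipping the question section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def dns_rewrite(msg, nat, max_len=512):
    """Rewrite A-record rdata per nat (address -> address); return None to drop an oversize message."""
    if len(msg) > max_len:                   # enforced maximum DNS message length
        return None
    buf = bytearray(msg)
    for rtype, off, rdlen in iter_answers(buf):
        if rtype == A and rdlen == 4:        # only A records are doctored; PTR etc. pass untouched
            addr = socket.inet_ntoa(bytes(buf[off:off + 4]))
            if addr in nat:
                buf[off:off + 4] = socket.inet_aton(nat[addr])
    return bytes(buf)


def answers(msg):
    """Decode (type, rdata) pairs from a reply, i.e. what the client will see."""
    out = []
    for rtype, off, rdlen in iter_answers(msg):
        rdata = msg[off:off + rdlen]
        out.append((rtype, socket.inet_ntoa(rdata) if rtype == A else decode_name(rdata)))
    return out


def inside_client_view():
    """An outside DNS server answers with the public (mapped) address; the ASA rewrites it to the
    real inside address for an inside client. Returns (rewritten A answers, PTR answers, oversize)."""
    nat = {"200.200.200.200": "192.168.100.100"}      # mapped -> real, for replies entering inside
    reply = build_reply("www.example.com", [(A, "200.200.200.200"), (A, "198.51.100.7")])
    ptr = build_reply("200.200.200.200.in-addr.arpa", [(PTR, "www.example.com")])
    oversized = build_reply("www.example.com", [(A, "200.200.200.200")] * 40)   # 673 bytes
    return answers(dns_rewrite(reply, nat)), answers(dns_rewrite(ptr, nat)), dns_rewrite(oversized, nat)
```

The inside client sees 192.168.100.100 for www.example.com and so reaches the server directly rather than hairpinning through its public address, while the unrelated 198.51.100.7 answer and the PTR record are left alone; the 40-answer reply exceeds 512 bytes and is dropped, which is the failure mode to keep in mind when large replies start disappearing behind an ASA with the default message-length limit.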
 
FTP Inspection : Like DNS inspection, FTP inspection is also enabled by default and provides a number of different functions. FTP can be a little bit interesting to work with when dealing with firewalls or NAT; this is because it can use different ports for control and data traffic and can use dynamic/well-known ports. The FTP inspection engine performs four main duties:
 
* Prepares dynamic secondary data connections
* Tracks the FTP command-response sequence
* Generates an audit trail
* Translates the embedded IP address

FTP inspection can also be used to control the behavior of the ASA based on a number of different traffic-matching criteria.
 
IP Options Inspection : The Options field within the IP header, commonly referred to as IP Options, provides some additional control of traffic. IP Options inspection is enabled by default. Although this field is typically not needed for most “normal” communications, in some situations the information is required (including for Integrated Services [IntServ]). The IP Options inspection engine enables you to check three different IP options in the packet:
 
* The End of Options List (EOOL): This marks the end of the IP options list.
* The No Operation (NOP): This is used to provide internal padding to align with the 32-bit IP header boundary.
* The Router Alert (RTRALT): This option is used to notify transit providers to inspect the contents of the packet even when the packet is not destined for that router. This is important when implementing protocols that require complex processing along the delivery path (This includes Resource Reservation Protocol [RSVP], which is used by IntServ implementations.)

HTTP Inspection : HTTP inspection is not enabled by default, but if any HTTP traffic is passing through the ASA it can be an important addition to the configuration. The HTTP inspection engine performs the following functions:
 
* Enhanced HTTP inspection
* URL screening through N2H2 or Websense
* Java and ActiveX filtering

The HTTP inspection engine can (like both the DNS and FTP inspection engines) control the behavior of the ASA based on different traffic-matching criteria. For the HTTP inspection engine, these criteria include conformance checks against published Request For Comments (RFC) and control based on most of the fields contained within the HTTP portion of the traffic (for example, HTTP header, body, method, URI).
 
ICMP Inspection : ICMP inspection is not enabled by default. Without it, the ASA does not track ICMP as a session, so the replies to pings sent from the inside are dropped on the way back unless an access policy explicitly permits ICMP from the outside; Cisco recommends enabling ICMP inspection rather than opening ICMP broadly with an access policy. The ICMP inspection engine creates “sessions” out of ICMP traffic and inspects it like TCP or UDP, so that only replies to tracked requests are allowed back and ICMP cannot be used to attack the internal network. The ICMP inspection engine also alters the way that the ASA treats ICMP error messages. These alterations include the following:
 
* The mapped IP is changed to the real IP, and the IP checksum is modified (in the IP header).
* The ICMP checksum is modified because of the changes in the ICMP packet (in the ICMP header).
* The original packet mapped IP is changed to the real IP (in the payload).
* The original packet mapped port is changed to the real port (in the payload).
* The original packet IP checksum is recalculated (in the payload).
For many protocols, protocol inspection is used purely as a security technique, because the protocol itself uses only a single well-known port. Protocols that do not just use well-known ports, however, can be quite interesting to work with when configuring a firewall or Network Address Translation (NAT) device, because many of them embed their dynamic port assignments within the user data portion of the traffic or open new secondary channels altogether. In these situations some amount of packet inspection is required for the protocol to work as expected, so that the ASA can keep track of which ports are allowed through the firewall because they belong to a primary channel that is permitted.
 
Protocol inspection also enables the ASA administrator to control traffic based on a number of different parameters within the traffic, including the information contained in its data portion. Because of its limited scope, this article cannot cover all the possible combinations.
ICMP’s primary functions are error reporting at layer-3, and troubleshooting. In fact, two of the most useful networking tools, ping and traceroute, rely upon it. However, it is tightly bound to the IP stack at layer-3, so it’s no surprise that the ASA firewall treats it differently to other protocols like TCP or UDP.
 
The ASA can track an ICMP session by inspecting ICMP packets. Once the session is tracked, the corresponding response packets are allowed back through.
 
ACL Evaluation : Please note that ICMP inspection does not bypass all ACLs. An ICMP packet will be allowed through the ASA without an ACL evaluation, only if it is part of an already established session. Like TCP or UDP, the first packet in the ICMP flow must still be evaluated against security policies, and allowed, in order for the flow to be established.
 
Inspect ICMP : Consider the topology below. R1 and R2 are separated by an ASA with default security configuration. The inside interface has security-level 100, and the outside interface has a security level of 0. All devices have appropriate IP addressing and routes.

[Figure: ICMP inspect topology: R1 - inside (security-level 100) - ASA - outside (security-level 0) - R2]
With this configuration, consider the traffic flow when R1 tries to ping R2:
 
* R1 creates an ICMP echo packet, and forwards it to the next-hop, the ASA
* The ASA determines that the inside interface is the ingress, and the outside interface is the egress
* As the inside interface has a higher security level than the outside, the packet is allowed to pass
* R2 receives the echo packet, and creates an echo-reply, which it sends to the next-hop (the ASA)
* The ASA determines the ingress and egress interfaces
* The packet is trying to travel from a lower security-level interface to a higher one, so the packet is dropped
 
Now, turn on ICMP inspection :

Enable ICMP Inspection
policy-map global_policy
  class inspection_default
    inspect icmp
The process now behaves a little differently :
 
* R1 creates an ICMP echo packet, and forwards it to the next-hop, the ASA
* The ASA determines that the inside interface is the ingress, and the outside interface is the egress
* As the inside interface has a higher security level than the outside, the packet is allowed to pass
* The ASA begins to track this ICMP session
* R2 receives the echo packet, and creates an echo-reply, which it sends to its next-hop (the ASA)
* The ASA determines that this is part of an existing session, and allows the echo-reply through
 
What if R2 tries to ping R1 now? When R2 sends the echo packet to the ASA, the ASA will still drop the packet (due to the security-level configuration), and will not begin to track the session.
 
If ICMP is required from the outside interface, an ACL needs to be configured to allow it through.
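The decision logic walked through above (and in the earlier sections on security levels, first-match packet filtering and stateful inspection), as an added example in Python that is not part of the original page or of ASA code. It models an ASA with inside (100), dmz (50) and outside (0) interfaces: return traffic of a tracked connection is admitted without an ACL or security-level check, a new flow is judged by the first matching ACL entry (implicit deny) when an ACL is applied and by the security levels otherwise, and ICMP is only entered into the connection table when inspect icmp is on. The subnets, addresses and ACL entries are constructed for the example, and the model ignores NAT and TCP state tracking.

```python
"""Toy model of the ASA forwarding decision (added example, not ASA code).
Interface names, subnets, addresses and ACL entries are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # TCP/UDP source port; for ICMP the echo identifier
    dport: int = 0   # TCP/UDP destination port; for ICMP the message type (8 echo, 0 echo-reply)


@dataclass
class Interface:
    name: str
    security_level: int
    network: str       # directly connected subnet, doubling as the routing table here
    acl: list = None   # inbound ACL entries (action, proto, src, dst, dport); None = no ACL applied


class Asa:
    def __init__(self, inspect_icmp=False):
        self.ifaces = {}
        self.conns = set()              # the stateful connection table
        self.inspect_icmp = inspect_icmp

    def add_interface(self, iface):
        self.ifaces[iface.name] = iface

    def _egress(self, dst):
        for iface in self.ifaces.values():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(iface.network):
                return iface
        raise ValueError("no route to " + dst)

    @staticmethod
    def _acl_matches(entry, pkt):
        _, proto, src, dst, dport = entry
        return (proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst)
                and dport in (None, pkt.dport))

    def forward(self, ingress_name, pkt):
        """Return (verdict, reason) for a packet arriving on the named interface."""
        ingress, egress = self.ifaces[ingress_name], self._egress(pkt.dst)
        if pkt.proto == "icmp":         # echo and echo-reply are matched on addresses + identifier
            key = ("icmp", pkt.src, pkt.dst, pkt.sport)
            reverse = ("icmp", pkt.dst, pkt.src, pkt.sport)
        else:
            key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
            reverse = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        # 1. return traffic of a tracked connection bypasses ACL and security-level checks
        if reverse in self.conns:
            return "permit", "existing connection"
        # 2. new flow: first matching ACL entry wins, implicit deny at the end;
        #    without an ACL only higher-to-lower security level is allowed
        if ingress.acl is not None:
            verdict = next((e[0] for e in ingress.acl if self._acl_matches(e, pkt)), "deny")
            reason = "acl"
        elif ingress.security_level > egress.security_level:
            verdict, reason = "permit", "higher to lower security level"
        else:
            verdict, reason = "deny", "not from a higher security level and no ACL"
        # 3. permitted TCP/UDP flows are always tracked; ICMP only with 'inspect icmp'
        if verdict == "permit" and (pkt.proto != "icmp" or self.inspect_icmp):
            self.conns.add(key)
        return verdict, reason


def build_asa(inspect_icmp=False, outside_acl=None):
    asa = Asa(inspect_icmp)
    asa.add_interface(Interface("inside", 100, "192.168.1.0/24"))
    asa.add_interface(Interface("dmz", 50, "172.16.0.0/24"))
    asa.add_interface(Interface("outside", 0, "203.0.113.0/24", outside_acl))
    return asa


def ping_scenario(inspect_icmp):
    """R1 (inside) pings R2 (outside); its reply comes back; then R2 tries to ping R1."""
    asa = build_asa(inspect_icmp)
    echo = Packet("icmp", "192.168.1.1", "203.0.113.2", sport=7, dport=8)
    reply = Packet("icmp", "203.0.113.2", "192.168.1.1", sport=7, dport=0)
    unsolicited = Packet("icmp", "203.0.113.2", "192.168.1.1", sport=9, dport=8)
    return (asa.forward("inside", echo)[0], asa.forward("outside", reply)[0],
            asa.forward("outside", unsolicited)[0])


def dmz_scenario():
    """A DMZ host (level 50) reaching outside (0) and inside (100) with no ACLs applied."""
    asa = build_asa()
    return (asa.forward("dmz", Packet("tcp", "172.16.0.10", "203.0.113.2", 40000, 443))[0],
            asa.forward("dmz", Packet("tcp", "172.16.0.10", "192.168.1.1", 40001, 22))[0])


def acl_scenario():
    """Outside ACL permits only HTTP to the DMZ web server; the server's reply rides the connection table."""
    acl = [("permit", "tcp", "0.0.0.0/0", "172.16.0.10/32", 80),
           ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None)]
    asa = build_asa(outside_acl=acl)
    http = Packet("tcp", "203.0.113.2", "172.16.0.10", 51000, 80)
    ssh = Packet("tcp", "203.0.113.2", "172.16.0.10", 51001, 22)
    syn_ack = Packet("tcp", "172.16.0.10", "203.0.113.2", 80, 51000)
    return (asa.forward("outside", http)[0], asa.forward("outside", ssh)[0],
            asa.forward("dmz", syn_ack)[0])
```

Running ping_scenario(False) gives permit/deny/deny (the echo leaves, its reply is dropped, an outside-initiated ping is dropped), while ping_scenario(True) gives permit/permit/deny: inspection admits the reply but still not the unsolicited echo from outside, which is exactly the difference the two walkthroughs above describe.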
Think of this scenario; There is a device outside the ASA that needs to run a traceroute to something inside the ASA, as shown in the diagram below.
 
The ASA is configured with ICMP inspection, and allows traceroute (ICMP and UDP) from the outside. Additionally, the host that R2 wants to traceroute to (192.168.100.100) has an object NAT applied, translating its IP to 200.200.200.200
[Figure: ICMP error inspection topology: R2 (outside) - ASA - inside hops - 192.168.100.100, translated by object NAT to 200.200.200.200]
When R2 starts a traceroute to 200.200.200.200, the output looks like this:
 
R2 Traceroute
R2#trace 200.200.200.200
Type escape sequence to abort.
Tracing the route to 200.200.200.200
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.20.10 4 msec *  4 msec
  2 200.200.200.200 9 msec 8 msec 8 msec
  3 200.200.200.200 9 msec 8 msec 10 msec
  4 200.200.200.200 9 msec 8 msec  12 msec
  5 200.200.200.200 9 msec *  12 msec
In this scenario, each hop along the path is showing as the translated IP of the end host. When traceroute runs, each hop along the path sends an ICMP time-exceeded error message back to the host that started the traceroute. This is how the original host builds a list of hops in the path.
 
But if this is the case, why don't the real IP addresses of the hops show in the traceroute? After all, they don't have NAT applied to them.
 
 
The answer is in the way the ASA handles the time-exceeded packets. When the ASA receives one of these packets, it looks into the ICMP payload. All ICMP error messages include part of the original packet that caused the error in the payload.
 
So when the ASA examines the ICMP error packet, it takes the original destination from the payload. In this case it sees 192.168.100.100, because the embedded packet was captured on the inside, where NAT had already been applied to it. The ASA then sets the source IP of the time-exceeded packet to 192.168.100.100, which is subsequently translated to 200.200.200.200 like any packet from that host.
 
This happens for each time-exceeded message from every hop in the path. The purpose is to save resources: the ASA does not have to allocate an additional NAT translation for each hop that sends an error.
 
This is the default ASA behaviour, and can be changed like this:
policy-map global_policy
  class inspection_default
    inspect icmp error
This enables the ASA to inspect ICMP error messages, such as time-exceeded, so that the source IP of the error is left as the hop's own address.
 
The result of this configuration is for the ASA to allocate NAT resources to each of the time-exceeded packets, which allows traceroute to show each hop correctly:
 
R2 Traceroute
R2#traceroute 200.200.200.200
Type escape sequence to abort.
Tracing the route to 200.200.200.200
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.20.10 5 msec *  3 msec
  2 10.10.10.10 8 msec 8 msec 7 msec
  3 10.10.101.10 8 msec 11 msec 8 msec
  4 10.10.100.10 10 msec 8 msec  13 msec
  5 200.200.200.200 10 msec *  13 msec
The Exception : There is an exception to the behaviour above, and that is when port overloading is used. Port overloading is dynamic PAT, where many inside addresses are ‘overloaded’ onto a single translated IP or a pool of them. This is often done to let inside hosts with private RFC 1918 addressing browse the internet without requiring a public IP for each one. Expressed as twice NAT, it could be configured something like this:
 
Port-overload Configuration
object network Overload
  host 1.2.3.4
nat (inside,outside) after-auto source dynamic any Overload
When this happens, even if inspect icmp error is enabled, a traceroute will once again show every hop as the translated IP of the destination host.
 
Note, each hop shows as the destination host’s translated IP, not the IP in the port-overload rule. So in the example above, the hops show as 200.200.200.200, not 1.2.3.4.
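The rewrite of a time-exceeded message described in this section, as an added byte-level example in Python that is not part of the original page or of ASA code. It builds a real IPv4 + ICMP type 11 packet from an inside hop (carrying the original IP header and the first 8 bytes of the UDP probe, as RFC 792 requires), then applies the rules the page describes: the embedded original destination is always translated back from the real 192.168.100.100 to the mapped 200.200.200.200 that R2 sent to (with the payload IP, ICMP and outer IP checksums recomputed, as listed under ICMP Inspection above), while the outer source keeps the hop's own address only when inspect icmp error is on and the hop is not caught by a dynamic PAT (port-overload) rule. The hop and host addresses are the ones in the traceroute output above; R2's own address (10.10.20.2) and the probe contents are constructed for the example.

```python
"""Byte-level model of ASA ICMP-error untranslation (added example, not ASA code).
Addresses follow the traceroute above; R2's address and the probe are constructed."""
import socket
import struct


def checksum(data):
    """RFC 1071 one's-complement checksum over data (returns 0 for a correctly checksummed buffer)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_checksum(buf, offset, start, end):
    """Zero the 16-bit field at offset, then store the checksum of buf[start:end] there."""
    buf[offset:offset + 2] = b"\x00\x00"
    buf[offset:offset + 2] = struct.pack("!H", checksum(bytes(buf[start:end])))


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    set_checksum(hdr, 10, 0, 20)
    return bytes(hdr)


def time_exceeded(hop, tracer, orig_src, orig_dst):
    """ICMP type 11 from hop to tracer, carrying the original IP header + 8 bytes of its UDP probe."""
    probe = ipv4_header(orig_src, orig_dst, 17, 8, ttl=1) + struct.pack("!HHHH", 33434, 33434, 8, 0)
    icmp = bytearray(struct.pack("!BBHI", 11, 0, 0, 0) + probe)
    set_checksum(icmp, 2, 0, len(icmp))
    return ipv4_header(hop, tracer, 1, len(icmp)) + bytes(icmp)


def asa_rewrite_error(pkt, static_nat, inspect_icmp_error=False, pat_covers_hop=False):
    """The page's rules: embedded destination real -> mapped; outer source = hop only with
    'inspect icmp error' and no port-overload rule covering the hop, else the borrowed mapped IP."""
    outer, icmp = bytearray(pkt[:20]), bytearray(pkt[20:])
    inner = icmp[8:28]                                   # original IP header inside the payload
    real_dst = socket.inet_ntoa(bytes(inner[16:20]))
    mapped_dst = static_nat.get(real_dst, real_dst)
    hop = socket.inet_ntoa(bytes(outer[12:16]))
    new_src = static_nat.get(hop, hop) if inspect_icmp_error and not pat_covers_hop else mapped_dst
    inner[16:20] = socket.inet_aton(mapped_dst)          # payload: real IP -> mapped IP
    set_checksum(inner, 10, 0, 20)                       # payload IP checksum recalculated
    icmp[8:28] = inner
    set_checksum(icmp, 2, 0, len(icmp))                  # ICMP checksum follows the payload change
    outer[12:16] = socket.inet_aton(new_src)             # outer source: hop or borrowed mapped IP
    set_checksum(outer, 10, 0, 20)                       # outer IP checksum
    return bytes(outer + icmp)


def checksums_ok(pkt):
    return checksum(pkt[:20]) == 0 and checksum(pkt[20:]) == 0


def embedded_destination(pkt):
    """Destination address of the original packet quoted in the ICMP error payload."""
    return socket.inet_ntoa(pkt[44:48])


def traceroute_view(**asa_opts):
    """Hop addresses R2 would print for the path above; the first hop sits outside the ASA."""
    nat = {"192.168.100.100": "200.200.200.200"}
    seen = ["10.10.20.10"]                               # reached before the ASA: never rewritten
    for hop in ("10.10.10.10", "10.10.101.10", "10.10.100.10"):
        err = time_exceeded(hop, "10.10.20.2", "10.10.20.2", "192.168.100.100")
        out = asa_rewrite_error(err, nat, **asa_opts)
        assert checksums_ok(out)
        seen.append(socket.inet_ntoa(out[12:16]))
    return seen + ["200.200.200.200"]                    # final reply from the NATed host itself
```

traceroute_view() reproduces the first output on this page (every hop behind the ASA shows as 200.200.200.200), traceroute_view(inspect_icmp_error=True) reproduces the second (10.10.10.10, 10.10.101.10, 10.10.100.10), and traceroute_view(inspect_icmp_error=True, pat_covers_hop=True) shows the port-overload exception. When debugging a traceroute through an ASA, checking which of these three cases you are in is faster than chasing the hop addresses themselves.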
There are 3 types of Contexts in the ASA Firewall. Following are the types.
 
1. SES Context (System Execution Space)
2. Admin Context
3. User Context
 
System Execution Space (SES) Context : 
* It is created by default and cannot be modified or deleted.
* There can only be one SES context, never more.
* It does not participate in the control or data plane.
* Whenever we take the console of a multi-context ASA, we always log in to the SES context by default.
* From the SES context, we create the other contexts and allocate physical resources to them.
* Creation, deletion and suspension of all contexts is done from the SES context.
* Any configuration done in the SES context is saved in NVRAM.
 
Admin Context :
* It is also created by default when the ASA is switched to multiple-context mode.
* The Admin context can be created, suspended and deleted from the SES context.
* The Admin context is a prerequisite for User contexts; without an Admin context, User contexts cannot be created.
* Any configuration done in the Admin context is saved in flash.
* The purpose of this context is generally management: remote access (SSH, Telnet), NTP, DNS, etc.
* There can be only one Admin context in the ASA firewall.
 
User Context :
* It does not exist by default; we create User contexts as our requirements and licenses allow.
* It can be created and deleted from the SES context only.
* We allocate interfaces and/or sub-interfaces to the User context as required, and the User context takes an active part in the control and data plane.
* Every User context has its own separate RIB, FIB, connection table, NAT table, configuration, etc.
* Any configuration done in a User context is saved in flash.
A Denial-of-Service attack (DoS attack) is an attack that attempts to disable a computer or network so that it is not accessible to its intended users. DoS attacks do this either by flooding the target with traffic or by sending it information that causes a crash. Both methods deprive legitimate users (i.e., employees, members, or account holders) of the service or resource they expect.
 
A Denial of Service (DoS) attack is made from a single machine, and may be directed at a specific server, a specific port, or a service on the target. It may also be aimed at the network or any of its components, at a firewall, or at any other system.
 
DoS attacks often target high-profile websites such as media, commerce, government, and trade organizations. While DoS attacks are not usually associated with the theft or loss of significant information or other assets, they can be costly to the victim in both money and time.
A distributed denial of service (DDoS) is an attack that attempts to interrupt the regular traffic of a target server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
 
This kind of attack comes from more than one source or location. The machines taking part in a DDoS attack are mostly unaware of their participation; in fact, they have been tricked by a third party into joining the attack. The generation of the attack traffic is distributed among multiple computers.
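As an added example that is not from the page, here is a small Python detector written from the defender's side that tells the two cases apart in connection logs: a flood of connections to one destination from a single source points to DoS, while the same volume spread across many sources points to DDoS. The log line format, the thresholds and the sample log are all constructed for the example and would need tuning against a real baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example; tune them to the real baseline.
WINDOW = timedelta(seconds=10)   # sliding window length
RATE_THRESHOLD = 50              # connections per window that counts as a flood
DISTRIBUTED_SOURCES = 20         # distinct sources at or above which a flood is called DDoS


def parse_line(line):
    """Parse one constructed log line of the form
    '<ISO timestamp> src=<ip> dst=<ip> dport=<port>' into a dict."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def classify_flood(lines):
    """Group connections by destination and report, per destination, the
    busiest sliding window: connection count, distinct sources and a
    verdict of 'dos', 'ddos' or 'normal'."""
    by_dst = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_dst[rec["dst"]].append((rec["ts"], rec["src"]))

    verdicts = {}
    for dst, events in by_dst.items():
        events.sort()
        best_count, best_distinct = 0, 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            if len(window) > best_count:
                best_count = len(window)
                best_distinct = len({src for _, src in window})
        if best_count < RATE_THRESHOLD:
            verdict = "normal"
        elif best_distinct >= DISTRIBUTED_SOURCES:
            verdict = "ddos"          # many sources sharing the flood
        else:
            verdict = "dos"           # one (or a handful of) sources
        verdicts[dst] = {
            "peak_connections": best_count,
            "distinct_sources": best_distinct,
            "verdict": verdict,
        }
    return verdicts


def make_sample_log():
    """Constructed sample: one host flooded by a single source, one flooded
    by 40 sources, and one seeing ordinary traffic."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(60):   # single-source flood on 10.1.1.10
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} src=203.0.113.7 dst=10.1.1.10 dport=80")
    for i in range(80):   # distributed flood on 10.1.1.20 from 40 sources
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} src=198.51.100.{i % 40 + 1} dst=10.1.1.20 dport=443")
    for i in range(5):    # ordinary traffic on 10.1.1.30
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} src=192.0.2.{i + 1} dst=10.1.1.30 dport=22")
    return lines


if __name__ == "__main__":
    for dst, result in sorted(classify_flood(make_sample_log()).items()):
        print(dst, result)
```

The distinct-source count is the important signal: volume alone looks the same in both cases, and it is the spread of sources that decides whether a single-source block or an upstream scrubbing response is the right mitigation.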
An EtherType ACL consists of one or more Access Control Entries (ACEs), each specifying an EtherType. An EtherType rule controls traffic by its EtherType, which is identified by a 16-bit hexadecimal number, as well as a few other layer-2 traffic types.
 
Only non-IP layer-2 traffic is subject to the EtherType ACL, and this applies only to bridge group member interfaces. These rules can be used for traffic control (permit/drop) based on the EtherType value contained in the layer-2 packet.
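To make the rule concrete, here is an added Python model (not Cisco's code) of how an EtherType ACL is evaluated against layer-2 frames: it extracts the EtherType from a constructed Ethernet frame, steps past an 802.1Q VLAN tag when one is present, reports IP frames as not governed by the EtherType ACL, and walks the entries in order with an implicit deny at the end. The ACE text format, the frame bytes, the keyword-to-EtherType mapping and the implicit deny are assumptions of the example; the ASA's full syntax (for instance the bpdu keyword) is not modelled.

```python
import struct

ETHERTYPE_VLAN = 0x8100
IP_ETHERTYPES = {0x0800, 0x86DD}   # IPv4 and IPv6 are not governed by an EtherType ACL

# Well-known EtherTypes for the keywords this example accepts (assumed mapping).
KEYWORDS = {"ipx": 0x8137, "mpls-unicast": 0x8847, "mpls-multicast": 0x8848}


def build_frame(dst_mac, src_mac, ethertype, payload=b"", vlan=None):
    """Construct an Ethernet II frame, optionally carrying one 802.1Q tag."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def frame_ethertype(frame):
    """Return the EtherType of a frame, looking past a single 802.1Q tag
    (stacked QinQ tags are not handled)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (ethertype,) = struct.unpack_from("!H", frame, 16)
    return ethertype


def parse_ace(text):
    """Parse an entry such as 'permit 0x8847', 'deny any' or 'permit ipx'
    into (action, matcher), where matcher is an int EtherType or 'any'."""
    action, value = text.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    if value == "any":
        return action, "any"
    if value in KEYWORDS:
        return action, KEYWORDS[value]
    return action, int(value, 16)   # 16-bit hexadecimal EtherType


def evaluate(acl, frame):
    """Return 'permit', 'deny' or 'not-applicable' (IP traffic, which the
    EtherType ACL does not control). Entries are checked in order; a frame
    that matches no entry falls through to the implicit deny."""
    ethertype = frame_ethertype(frame)
    if ethertype in IP_ETHERTYPES:
        return "not-applicable"
    for action, matcher in (parse_ace(entry) for entry in acl):
        if matcher == "any" or matcher == ethertype:
            return action
    return "deny"


if __name__ == "__main__":
    acl = ["deny ipx", "permit mpls-unicast", "permit 0x88cc"]
    bcast, host = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"
    for label, frame in [
        ("MPLS unicast", build_frame(bcast, host, 0x8847)),
        ("IPX in VLAN 10", build_frame(bcast, host, 0x8137, vlan=10)),
        ("LLDP", build_frame(bcast, host, 0x88CC)),
        ("IPv4", build_frame(bcast, host, 0x0800)),
        ("unlisted 0x9000", build_frame(bcast, host, 0x9000)),
    ]:
        print(f"{label:16} -> {evaluate(acl, frame)}")
```

The VLAN-tag handling is the edge case worth noticing: a classifier that reads only bytes 12-13 would see 0x8100 for every tagged frame and never match the real protocol, which is how a poorly written filter lets tagged non-IP traffic slip past.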
Webtype ACLs can be used to filter clientless SSL VPN traffic. These ACLs can deny access based on URLs and destination addresses; URL-based ACLs and TCP-based ACLs are the two types of webtype ACL.
 
* URLs of the form protocol://ip-address/path are allowed or denied using URL-based ACLs; these ACLs are for filtering based on clientless features.
* To allow or deny by port and IP address, TCP-based ACLs are used.
We have different types of ACL:
 
* Standard ACL
* Extended ACL
* EtherType ACL (Transparent Firewall)
* Webtype ACL
Failover is the Cisco proprietary feature used to provide redundancy. For failover we require two identical ASAs connected to each other over a dedicated failover link. We can monitor the health of the active interfaces and units to find out whether a failover has occurred.
 
In failover we have two types:
 
* Active/Standby Failover
* Active/Active Failover
Such web filtering engines can provide much more robust filtering based on classes of sites. URL filtering directly on the ASA using regex should be used only sparingly, where broad classifications can be applied with a limited number of regex patterns. The ASA will not scale when used in an enterprise with large regex matches and large volumes of HTTP traffic.

Sources : Cisco, and more..