Implementing Network Security ( Version 2.0) – CCNAS Chapter 9 Exam Online

Hint

ASA protects Network/Zone C (Inside) from unauthorized access by users on a Network/Zone B (Outside). It also denies traffic from Network/Zone A (DMZ) to access the Network/Zone C (Inside).

Hint

In transparent mode the ASA functions like a Layer 2 device. An ASA device can have an IP address assigned on the local network for management purposes. The drawbacks to using transparent mode include no support for dynamic routing protocols, VPNs, QoS, or DHCP Relay.

Hint

The ASA assigns security levels to distinguish between inside and outside networks. The higher the level, the more trusted the interface. The security level numbers range between 0 to 100. When traffic moves from an interface with a higher security level to an interface with a lower security level, it is considered outbound traffic.

Hint

An ASA 5505 with a Base license does not allow three fully functioning VLAN interfaces to be created, but a third “limited” VLAN interface can be created if it is first configured with the no forward interface vlan command. When the inside and outside VLAN interfaces are configured, the no forward interface vlan number command must be entered before the nameif command is entered on the third interface. The Security Plus license is required to achieve full functionality.

Hint

The ASA 5505 Base license is a 10-user license and therefore the maximum number of DHCP clients supported is 32. The only pool that contains 32 addresses is the pool with range 192.168.1.25-192.168.1.56

Hint

ASA standard ACLs are used to identify the destination IP addresses, unlike IOS ACLs where a standard ACL identifies the source host/network. They are typically only used for OSPF routes and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic.

Hint

The Cisco ASA assigns security levels to distinguish among different networks it connects. Security levels define the level of trustworthiness of an interface. The higher the level, the more trusted the interface. The security level numbers range between 0 (untrustworthy) to 100 (very trustworthy). Therefore, the interface connecting to the Internet should be assigned the lowest level. The interface connecting to the internal network should be assigned the highest level. The interface connecting to the DMZ network should be assigned a level between them.

Hint

Hint

There are many similarities between ASA ACLs and IOS ACLs, including:

• In both, there is an implicit deny any
• Only one ACL per interface, per protocol, per direction still applies.
• Both use deny and permit ACEs.
• ACLs can be either named or numbered.

ASA ACLs differ from IOS ACLs in that they use a network mask (e.g., 255.255.255.0) instead of a wildcard mask (e.g. 0.0.0.255). Although most ASA ACLs are named, they can also be numbered.

Hint

The webtype ACLs are used in a configuration that supports filtering for clientless SSL VPN users.

Hint

NAT can be deployed on an ASA using one of these methods:

• inside NAT – when a host from a higher-security interface has traffic destined for a lower-security interface and the ASA translates the internal host address to a global address
• outside NAT – when traffic from a lower-security interface destined for a host on the higher-security interface is translated
• bidirectional NAT – when both inside NAT and outside NAT are used together

Because the nat command is applied so that the inside interface is mapped to the outside interface, the NAT type is inside. Also, the dynamic keyword in the nat command indicates that it is a dynamic mapping.

Hint

Hint

On an ASA, both the pool of addresses that will be used as inside global address and the range of internal private addresses that should be translated are configured through network objects.

Hint

There are three configuration objects in the MPF; class maps, policy maps, and service policy. The class maps configuration object uses match criteria to identify interesting traffic.

Hint

ASA devices have security levels assigned to each interface that are not part of a configured ACL. These security levels allow traffic from more secure interfaces, such as security level 100, to access less secure interfaces, such as level 0. By default, they allow traffic from more secure interfaces (higher security level) to access less secure interfaces (lower security level). Traffic from the less secure interfaces is blocked from accessing more secure interfaces.

Hint

Routed mode is the traditional mode for deploying a firewall where there are two or more interfaces that separate Layer 3 networks. The ASA is considered to be a router hop in the network and can perform NAT between connected networks. Routed mode supports multiple interfaces. Each interface is on a different subnet and requires an IP address on that subnet.

Hint

VLAN 1 and VLAN 2 have been configured correctly. Neither e0/0 nor e0/1 have been activated. For an inside host to ping the inside interface would require activating the e0/1 interface.

Hint

Hint

An ASA can be configured to authenticate by using a local user database or an external server, or both. Local authentication on a Cisco ASA requires the configuration of AAA on the ASA.

Hint

The ASA CLI is a proprietary OS which has a similar look and feel to the Cisco router IOS. Although it shares some common features with the router IOS, it has its unique features. For example, an ASA CLI command can be executed regardless of the current configuration mode prompt. The IOS do command is not required or recognized. Both the ASA CLI and the router CLI use the # symbol to indicate the EXEC mode. Both CLIs use the Tab key to complete a partially typed command. Different from the router IOS, the ASA provides a help command that provides a brief command description and syntax for certain commands.

Hint

The ASA 5505 ships with a default configuration that includes the following:

• VLAN 1 – for the inside network with security level 100.
• VLAN 2 – for the outside network with security level 0 and it should acquire its IP address and default route from an upstream device.
• PAT is configured so that inside host addresses are translated using the outside interface IP address.
• HTTP access for ASDM is enabled.
• DHCP services are provided to the inside hosts.

Hint

Policy NAT is based on rules that determine when specific source addresses will get translated. Those source addresses are intended for specific destination addresses or for specific ports or for both a destination address and a specific port.

Hint

AAA services (authentication, authorization, and accounting) are disabled by default. Authentication can be used alone or with authorization and accounting. Authorization always requires a user to be authenticated first. Accounting can be used alone, or with authentication and authorization. Authorization controls the services and commands that are available to each authenticated user. If authorization is not enabled, authentication would provide the same access to services for all authenticated users.

Hint

Hint

In order to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level, an ACL must be configured. By default, traffic will only flow from a higher security level to a lower.

Hint

The default DRAM memory is 4 GB in a Cisco ASA 5506-X device. The default DRAM memory in a Cisco ASA 5505 device is 256 MB. Both devices have 8 Ethernet ports in the backplane.However, Ethernet ports in ASA 5505 are switch ports and Ethernet ports in ASA 5506-X are routed ports. Both devices support remote access VPN functions, security level settings, and SSL VPN.

Hint

On the backplane of an ASA 5506-X device, there is a RESET pin at the lower right side. If pressed for longer than three seconds, it resets the ASA to its default “as-shipped” state following the next reboot.