Nextelco:ASA

= Cisco ASA 5505 =

General description
Cisco ASA devices are security appliances which include the following features:
 * Firewall
 * IPsec VPN (Layer 3)
 * SSL VPN (Layer 6)
 * Intrusion Prevention System
 * Content Security Inspection
 * Voice & Video security services

Apart from described above, this kind of devices offer some services such as:
 * Access Control: dynamic and granular
 * Threat protection: DoS, protocol fuzzing…
 * Policy enforcement: Whitelists, Blacklists, SIP policies...
 * Service protection: ensure maximum uptime
 * Voice & Video encryption
 * Support for several Voice & Video protocols: SCCP, SIP, H.323, MGCP, RTP/RTCP, CTIQBE.
 * Protection of call control servers: control access to the servers in order to prevent malicious or unauthorized network connections that could impact performance or availability.
 * Remote-access security: SSL and IPsec VPN for remote users.
 * SIP trunk security
 * Trusted/Untrusted boundaries: prevent trusted devices from the impact of untrusted networks.
 * Proxy service: can be used to proxy traffic between voice and data VLANs.
 * DMZ architecture: secure an internal network against external access.

Special version
Cisco offers several versions of ASA 5505 series. The version which corresponds with part number 47-18790-05 refers to Firewall solution, version 11. This type of devices are able to protect all devices located behind them as well as they can be used to create VPN connections with other networks.

Configuration
The ASA 5505 family devices have 8 ethernet ports located in the back side. All of them can be assigned to different VLANs depending on the device license. Usually, the lower ones are used to connect to external or insecure ports while the others are assigned to secure devices. Additionally, some of these ports have an especial purpose which is described below:
 * Ports 6 - 7: power over ethernet, IP telephones or devices that require energy from ethernet cable are supposed to connect to these ports.



After connecting all devices, the next step is to provide ASA with enough power.

ASA comes with the initial configuration which it is more than enough for most applications. However, there is a special graphical tool, ASDM, which allows to configure ASA from any location with the usage of a web browser. These are the parameters that can be configured:
 * Hostname
 * Domain name
 * Administrative passwords
 * Interfaces
 * IP addresses
 * Static routes
 * DHCP server
 * Network Address Translation (NAT) rules

Command Line Interface
Cisco ASA offers a Command Line Interface for its configuration. For more information and available commands please refer to Cisco ASA commands.

Understanding ASA Order of Operation
It is important to know exactly how Cisco ASA verifies and forwards each message. The following Figure shows ASA's order of operation.



Understanding ASA Security Levels
Security levels are used by the ASA to determine the level of trust given to a network that is located behind or directly attached to the respective interface.

The security level is configured as a number in the range 0 to 100 (allowing for 101 possible values), with the higher number being trusted and the lower untrusted. By default, the inside interface on every ASA is the only interface to be configured with a name and security level of 100, and any remaining interfaces that are not configured with a security level explicitly are automatically given the security level of 0 (the lowest security level) regardless of their name. If we were to name one interface Outside and another DMZ, for example, the two would automatically be given the security level 0, even though we might trust our DMZ network more than the Outside network we are connected to.

By default, the ASA allows packets from a higher (trusted) security interface to a lower (untrusted) security interface without the need for an ACL explicitly allowing the packets.

It is common to think of the analogy of a person traveling up and down a hill or the water flowing in a waterfall to remember ASA security level operation. Visualize a waterfall and imagine the top of the waterfall as the higher (trusted) security interface and the bottom of the waterfall as the lower (untrusted) security interface.

Now think of the water traveling through the waterfall as the packets flowing through your firewall. Water naturally flows from the top (trusted) of the waterfall to the bottom (untrusted) freely and without any interruptions. However, when the water tries to travel from the bottom (untrusted) of the waterfall to the top (trusted), it is impossible without help. The help in our ASA’s case is the introduction of an ACL on the untrusted/lower security (bottom of the waterfall) interface.



Understanding ASA NAT
Cisco ASA supports three different NAT configurations (based on NAT Type on ASA):
 * 1) Dynamic PAT: many to one source IP address translation in which multiple computers can share a single IP address by building a private to public table of TCP and UDP ports.
 * 2) Policy NAT: NAT restricted by an access-list. For example traffic originated at 192.168.0.x destined to 10.10.10.0 could be translated to 192.0.2.1 and traffic destined to 20.20.20.0 could be translated to 192.0.2.2.
 * 3) Twice NAT: used for source and destination overlapping IP addresses. Both the source and destination IP addresses are translated. Useful in case a VPN has to be established between two LANs which use the same network address, 192.168.1.0/24.

In the same way Cisco's official documentation defines the following NAT types:
 * Dynamic NAT: translates a group of real addresses to a pool of mapped addresses that are routable on the destination network.
 * PAT: translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket).
 * Static NAT: creates a fixed translation of real address(es) to mapped address(es).
 * Static PAT: it lets you specify the protocol (TCP or UDP) and port for the real and mapped addresses.
 * Bypassing NAT When NAT Control is Enabled
 * Policy NAT: ets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports.

Understanding ASA VPNs
Cisco supports several types of VPN implementations on the ASA but they are generally categorized as either IPSec Based VPNs or SSL Based VPNs. The first category uses the IPSec protocol for secure communications while the second category uses SSL. SSL Based VPNs are also called WebVPN in Cisco terminology. The two general VPN categories supported by Cisco ASA are further divided into the following VPN technologies.

IPSec Based VPNs

 * Lan-to-Lan IPSec VPN: Used to connect remote LAN networks over unsecure media (e.g Internet). It runs between ASA-to-ASA or ASA-to-Cisco Router.
 * Remote Access with IPSec VPN Client: A VPN client software is installed on user’s PC to provide remote access to the central network. Uses the IPSec protocol and provides full network connectivity to the remote user. The users use their applications at the central site as they normally would without a VPN in place.

SSL Based VPNs (WebVPN)

 * Clientless Mode WebVPN: This is the first implementation of SSL WebVPN supported from ASA version 7.0 and later. It lets users establish a secure remote access VPN tunnel using just a Web browser. There is no need for a software or hardware VPN client. However, only limited applications can be accessed remotely.
 * AnyConnect WebVPN: A special Java based client is installed on the user’s computer providing an SSL secure tunnel to the central site. Provides full network connectivity (similar with IPSec remote access client). All applications at the central site can be accessed remotely.

From the description above one can understand that the AnyConnect WebVPN technology combines the best from both IPSec based VPNs and SSL based VPNs. It offers full network connectivity to the remote user without having to install a dedicated VPN software like the IPSec remote access client. The AnyConnect VPN client is a lightweight Java client (around 3MB).

More information at | Comparing VPN technologies. Specially why GRE traffic can not be forwarded through Cisco ASA VPN.

Terminology
ASA 	= Adaptive Security Appliance

Return to Technology description.