What is ASA - Basics of ASA

 What is ASA?

  • ASA stands for Adaptive Security Appliance; it is a Cisco device.
  • It is a firewall that combines PIX functionality (filtering) with VPN capabilities (VPN concentrator).
  • The ASA is an L3 router by default.
  • It can perform routing functions (RIP, EIGRP, BGP, OSPF).
  • The difference between a router and a firewall is that the router allows all traffic by default, whereas the firewall allows only the traffic permitted by its policies.

ASA interface Parameters

  • A router requires only an IP address to be configured, but the ASA requires two additional parameters on each interface: a security level and an interface name.
  • Interface name: it can be any name of your choice. The name Inside is treated as a keyword (configuring the interface name as Inside has a special effect, described under Security level).
  • Security Level:
    • This expresses the level of trust assigned to the interface.
    • The value ranges from 0 to 100 (100 is the highest security level and marks the most trusted interface).
    • By default every interface is configured with a security level of 0. The one exception is an interface named with the keyword Inside, which is set to security level 100.
    • It controls traffic through the firewall.

Default Traffic Flow

  • Traffic flow through the firewall is based on three scenarios:
    • Higher Security level to Lower Security Level
    • Lower Security level to Higher Security Level
    • Traffic between the same security level

Higher Security level to Lower Security Level

  • By default, all traffic is allowed as long as a route is available.
  • Although all traffic is allowed, the ASA inspects only TCP and UDP packets.
  • Inspection creates an entry in the firewall's connection table, which allows the return traffic to pass through the firewall. This is called “Stateful Inspection”.

Lower Security level to Higher Security Level

  • By default all traffic is blocked.
  • You need to create an explicit ACL entry in the firewall to allow traffic from a lower to a higher security level.
  • When traffic from a lower to a higher security level hits the firewall, it is processed as follows:
    • The firewall first checks for an entry in the connection table.
    • If there is none, it checks whether an ACL permits the traffic.
    • If there is none, it applies the default behavior (the traffic is blocked).

Traffic between the same security level

  • By default, traffic between interfaces with the same security level is blocked.
  • Even if we create an ACL to allow the traffic, it will not work.
  • The only way is to disable the firewall between interfaces with the same security level. This is done with the command “same-security-traffic permit inter-interface”.
  • That command allows traffic between interfaces at the same security level.

To Traffic and Through Traffic

  • To Traffic
    • Traffic whose destination is the firewall itself is called To Traffic.
  • Through Traffic
    • Traffic that passes through the firewall is called Through Traffic.

To Traffic

  • Only ICMP traffic is allowed by default.
  • You need to enable the corresponding service to allow other traffic (e.g. Telnet, SSH).
  • Blocking/allowing ACLs do not affect To traffic.
  • It is configured on a per-interface basis.

Through Traffic

  • Only TCP/UDP connections are maintained in the connection table, so by default only TCP/UDP return traffic is allowed from Low to High.
  • You need to create an ACL to permit all other traffic.
  • Configuration is done on a per-interface basis.
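Putting the interface parameters, the explicit lower-to-higher ACL, the same-security command and the per-interface To-traffic services together, here is an added example ASA configuration (not taken from this post; interface numbers, names and addresses are placeholders):

```cisco
! Constructed example (placeholder names and RFC 5737/1918 addresses)
!
! --- Interface parameters: IP address plus the two extra ASA parameters ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
! "inside" is a keyword: nameif inside already defaults the level to 100
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/3
 nameif dmz2
 security-level 50
 ip address 192.168.51.1 255.255.255.0
 no shutdown
!
! --- Lower to higher (outside -> dmz) is blocked by default, so an explicit
!     ACL is applied inbound on outside. ICMP is not tracked in the connection
!     table, so echo-reply return traffic also needs an ACL entry.
access-list OUTSIDE_IN extended permit tcp any host 192.168.50.10 eq 443
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! --- Same security level (dmz <-> dmz2): an ACL alone does not open this path
same-security-traffic permit inter-interface
!
! --- To traffic: management services are enabled per interface, not via ACL
!     (SSH additionally needs an RSA key pair and a local user / AAA method)
ssh 10.0.0.0 255.255.255.0 inside
icmp permit 10.0.0.0 255.255.255.0 inside
icmp deny any outside
!
! --- Verification: connection table and ACL hit counts
show conn
show access-list OUTSIDE_IN
```

The final deny with log makes blocked lower-to-higher attempts visible in syslog, which is the check to run after applying the ACL.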

For more information, please watch the video tutorial (explained in Tamil):

ASA - To and Through Traffic Explained:

1 Comment

  1. Thanks for this post... crystal clear explanation on the basics...

