CCNA Security Chapter 9: Cisco ASA Implementation
19 Questions

Questions and Answers

What is the maximum number of physical interfaces that an ASA 5505 can support?

8

What are the three modes of operation for the ASA?

  • Transparent Mode (correct)
  • Routed Mode (correct)
  • Bridge Mode
  • Stateful Mode (correct)

The ASA uses a wildcard mask for network addresses.

False (B)

What is the command used to configure an extended access list?

access-list

What is the name of the command that configures the ASA to provide NAT services?

nat

What is the maximum number of concurrent firewall connections supported by the ASA with a base license?

10,000 (B)

What is the default security level for the "outside" interface?

0 (A)

What is the name of the command used to assign an IP address to a VLAN interface?

ip address

What is the command used to configure a default static route on the ASA?

route outside (C)

What are the three components of the Cisco Modular Policy Framework (MPF)?

Class maps, Policy maps, and Service policies

What is the command used to apply an ACL to an interface?

access-group (A)

The ASA supports IPv6 ACLs.

True (A)

What are the two main types of NAT deployments?

Inside NAT (A), Outside NAT (C)

What is the key word used to activate a service policy on the ASA?

service-policy (D)

The ASA only supports traditional ACLs and not object groups.

False (B)

The ASA operates in a stateless mode by default.

False (B)

What is the name of the ASA configuration mode that is used to configure ACLs?

access-list

What is the name of the ASA configuration mode that is used to configure object groups?

object-group (D)

What is the command used to configure the ASA to enable SSH?

ssh

Flashcards

What is an ASA?

The Cisco Adaptive Security Appliance (ASA) is a firewall that provides advanced security features, like stateful inspection and access control, to protect networks from unauthorized access and threats. It can be deployed in various configurations to suit different network sizes and needs.

What is the ASA 5505?

The ASA 5505 is a popular model designed for small offices and branch offices. It combines firewalling with routing functionality to protect and connect these environments.

What are the ASA's Operating Modes?

The ASA operates in two main modes: Routed and Transparent.

  • Routed Mode: The ASA acts as a traditional router, directing traffic between networks based on configured rules.
  • Transparent Mode: The ASA operates like a transparent bridge, forwarding traffic without altering the network layer information.

How do security levels work on an ASA?

The ASA uses security levels to enforce access control policies. This helps prevent unauthorized access from lower-security networks to higher-security zones. Think of it like a tiered security system: level 1 is the least secure, level 100 is the most secure.

What are the default configurations for an ASA?

The ASA's default configuration provides basic security features like access control lists (ACLs) and stateful inspection. It's a good starting point for basic security, but may need customized configuration based on network requirements.

What are object groups?

Object groups allow you to group network objects with similar characteristics. This simplifies firewall rule creation and management.

What are ACLs?

Access Control Lists (ACLs) define which traffic is allowed or denied based on source, destination, and other criteria. They act as rules to control network access.

What is an ASA's NAT functionality?

An ASA provides various NAT (Network Address Translation) services to modify network addresses for purposes like hiding internal IP addresses from external users and conserving public IP addresses.

What is AAA?

AAA (Authentication, Authorization, and Accounting) is a framework that combines centralized authentication, authorization, and accounting processes in a network. This helps control user access and track their actions on the network.

What is MPF?

The Cisco Modular Policy Framework (MPF) offers a flexible and scalable way of configuring security policies on an ASA. You can define policies based on specific criteria, like traffic type or user identity, and apply them to various network interfaces.

What is the Base License?

The Base License provides basic firewall functionality such as access control and basic security features. Think of it as the foundation for your ASA.

What is the Security Plus License?

The Security Plus License expands the base functionality with additional features like advanced security features and IPS. It adds more layers of security to your ASA.

What is Dynamic NAT?

Dynamic NAT dynamically translates private IP addresses to public IP addresses using a pool of available public addresses. It allows multiple devices on a private network to share a limited number of public IP addresses.

What is Dynamic PAT?

Dynamic PAT (Port Address Translation) is a form of dynamic NAT that uses a single public IP address and translates multiple private IP addresses to different ports on that public address.

What is Static NAT?

Static NAT permanently maps a private IP address to a specific public IP address. This is useful for applications with known public addresses, such as web servers.

What is the local database on an ASA?

The ASA can be configured to use a local database to store username and password information for authentication purposes. This local database allows for local user authentication without relying on external servers.

What is the 'show version' command?

The show version command displays information about the ASA's software version, hardware, and installed licenses. It's a valuable command for understanding the current state of the device.

How do ASA interfaces work?

The ASA uses a variety of interfaces, like the GigabitEthernet interfaces, to connect to different networks. These interfaces can be configured to operate in different VLANs for segmentation and security purposes.

What is DHCP on an ASA?

The ASA can act as a DHCP server, providing IP addresses to devices on the network. This simplifies network management and eliminates the need for manual IP address configuration.

How do Telnet and SSH work on an ASA?

The ASA can provide secure Telnet and SSH access to allow remote management of the device. This provides a secure way to manage the ASA from a remote location.

What is NTP on an ASA?

The ASA can be configured to use NTP (Network Time Protocol) to synchronize the clock with reliable time sources. This ensures accurate time stamping for logs and security events.

How do ASA ACLs work?

The ASA ACLs are applied to interfaces to control traffic flow. This helps enforce security policies and prevent unauthorized access to network resources.

What is the default policy on an ASA?

The ASA's default policy is a set of predefined rules that govern network traffic. It acts as a base for your security policies and ensures basic security controls are in place.

What is Inside NAT?

Inside NAT translates private IP addresses to public IP addresses for outbound traffic from a private network to the internet.

What is Outside NAT?

Outside NAT translates public IP addresses to private IP addresses for inbound traffic from the internet to a private network. It helps protect internal IP addresses behind the firewall.

What is Bidirectional NAT?

Bidirectional NAT combines the benefits of both Inside and Outside NAT, allowing translation in both directions. It allows for flexible communication between networks.

What is a RADIUS server?

A RADIUS server can be configured on the ASA to authenticate, authorize, and account for network users. It provides a centralized authentication service for the network.

What is a TACACS+ server?

A TACACS+ server can be configured on the ASA to provide centralized authentication, authorization, and accounting services for network devices and users.

Study Notes

Chapter 9: Implementing the Cisco Adaptive Security Appliance

  • This chapter covers the implementation of the Cisco Adaptive Security Appliance (ASA).
  • The CCNA Security v2.0 curriculum is referenced.

Chapter Outline

  • Introduction to the ASA
  • ASA Firewall Configuration
  • Summary

Section 9.1: Introduction to the ASA

  • Upon completion of this section, students will be able to compare ASA solutions to other routing firewall technologies.
  • Students will also be able to explain ASA 5505 operation with the default configuration.

Topic 9.1.1: ASA Solutions

  • Various ASA firewall models are available
    • ASA 5505 / Security Plus: Up to 150 Mbps
    • ASA 5506-X/Security Plus: 750 Mbps
    • ASA 5512-X/Security Plus: 1 Gbps
    • ASA 5515-X: 1.2 Gbps
    • ASA 5525-X: 2 Gbps
    • ASA 5545-X: 3 Gbps
    • ASA 5555-X: 4 Gbps
    • ASA 5585-X SSP10: 4 Gbps
    • ASA 5585-X SSP20: 10 Gbps
    • ASA 5585-X SSP40: 20 Gbps
    • ASA 5585-X SSP60: 40 Gbps
    • ASA Service Module: 20 Gbps
  • These include small office, branch office, and internet edge models.
  • Enterprise data center models are also covered.

Advanced ASA Firewall Features

  • ASA Virtualization: A single ASA device can support multiple security contexts.
  • High Availability: The ASA supports high availability through failover links.
  • Identity Firewall: The ASA can use the Microsoft Active Directory for identity checking.
  • ASA Threat Control: The ASA incorporates advanced threat control measures.

Review of Firewalls in Network Design

  • Diagrams show firewall placements for permitted and denied traffic.

ASA Firewall Modes of Operation

  • Routed Mode
    • 10.2.1.0/24
  • Transparent Mode
    • 10.1.1.3
    • 10.1.1.0/24
    • Connection between two networks

ASA Licensing Requirements

  • Various licenses are available; some are time-based or permanent, and others are disabled.
    • Firewall licenses (Botnet traffic filter, firewall connections, concurrent, GTP/GPRS, Intercompany Media Engine, Unified Comm Sessions)
    • VPN licenses (Various AnyConnect, combined VPN sessions, and other VPNs)
    • Encryption and Failover
    • Security contexts, users, concurrent, VLANs, maximum VLAN trunks.
    • Routed/transparent modes and limitations

Topic 9.1.2: Basic ASA Configuration

  • ASA 5505 Deployment in a small branch
  • ASA 5505, network printer, workstations, IP Phones (diagram)
  • ASA deployment in a small business (diagram)
  • Deployment scenarios for an enterprise (diagram)

ASA 5505 Deployment Scenarios (cont.)

  • ASA deployment in an enterprise (diagram of corporate headquarters with multiple ASAs and telecommuters using IPsec VPN)

Section 9.2: ASA Firewall Configuration

  • Upon completion of this section, students will be able to:
    • Explain what ASA firewall services are enabled with default configuration
    • Configure ASA firewalls with basic services
    • Configure object groups
    • Configure access lists with object groups
    • Configure ASA for NAT services
    • Configure access control using the local database and AAA server
    • Explain how Cisco Modular Policy Framework (MPF) is used to configure ASA policies

Topic 9.2.1: The ASA Firewall Configuration

  • Introduce basic ASA settings
  • Provide IOS router commands and their ASA equivalents for enabling, passwords, interfaces (e.g., e0/0), exiting configuration mode, etc.

Topic 9.2.2: Configuring Management Settings and Services

  • Provides methods for entering global configuration mode and additional configuration steps

Topic 9.2.3: Object Groups

Topic 9.2.4: ACLs

  • How ACLs operate. ACLs are comprised of ACEs and are hierarchical.
  • Similarities between ASA ACLs and IOS ACLs
  • Overview of various types of ASA ACL filtering and examples

Topic 9.2.5: NAT Services on an ASA

  • Overview of Inside NAT, Outside NAT, and Bidirectional NAT
  • Configuring Dynamic NAT
  • The dynamic NAT configuration example includes the enabling of return traffic.

Topic 9.2.6: AAA

  • Overview of AAA features
  • Local database and servers
    • RADIUS and TACACS+ server commands
  • AAA Configuration example for TACACS+ Servers

Topic 9.2.7: Service Policies on an ASA

  • Overview of MPF
  • Configuring Class Maps
  • Define and Activate a Policy
  • ASA Default Policy

Section 9.3: Summary

  • Chapter Objectives
    • Explain how the ASA operates
    • Implement an ASA firewall configuration

Description

This quiz focuses on Chapter 9 of the CCNA Security v2.0 curriculum, specifically addressing the implementation of Cisco Adaptive Security Appliances (ASA). Students will learn about various ASA models and their capabilities, as well as how to compare ASA technologies to other firewall solutions. Understanding the configuration of ASA firewalls is essential for networking professionals.
