This article summarizes some of the key features of the Cisco ASA firewalls. The Cisco ASA (Adaptive Security Appliance) Firewall provides advanced stateful firewall and VPN concentrator functionality in one device, and for some models, integrated services modules such as IPS. Here are some of the key features.
Stateful Firewall
- As a stateful firewall, the ASA records the state of each connection in its connection table as the packet travels through the firewall. Once the connection table entry has been added, the packet is forwarded to its destination.
- Forward traffic is permitted or denied by an access-list on the Cisco ASA, while return traffic is permitted or denied based on the connection table entry, because of the stateful firewall behavior.
- The ASA runs in two different firewall modes: Routed and Transparent.
- In routed mode, the ASA is considered to be a router hop in the network.
- In transparent mode, the ASA acts like a “bump in the wire,” or a “stealth firewall,” and is not considered a router hop. The ASA connects to the same network on its inside and outside interfaces.
User-Based Authentication
- Using an AAA server, the Cisco ASA provides authentication support for protocols such as HTTP, HTTPS, FTP, SSH, etc., both inbound and outbound.
Modular Policy Framework
- The ASA provides deep packet inspection for protocols such as HTTP, DNS, ICMP, FTP, H.323, etc. using MPF (Modular Policy Framework).
- The ASA also supports some QoS functionality, such as traffic policing, traffic shaping, and connection limits, using MPF.
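The two behaviors described above, the stateful connection table with per-interface access-lists and an MPF-style connection limit, as an added illustration that is not Cisco's code and not part of the original article. It is a toy model: the interface names, addresses, the prefix-match rule syntax, and the traffic sample are all constructed for the example, and a real ASA applies these checks in its own order and with many more criteria.

```python
"""Toy model of two ASA behaviours: the stateful connection table with per-interface
access-lists, and an MPF-style per-destination connection limit.
Illustration only (not Cisco code); addresses, interface names and the prefix-match
rule syntax are constructed for this example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Packet":
        """The 5-tuple of the reply packet belonging to this flow."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src_prefix: str                 # hypothetical string-prefix match on the source address; "" = any
    dst_port: Optional[int] = None  # None = any destination port


class StatefulFirewall:
    def __init__(self, acls: dict, conn_max: Optional[int] = None):
        self.acls = acls              # ingress interface name -> ordered access-list
        self.conn_max = conn_max      # max open connections per destination host (analogue of an MPF conn-max)
        self.conn_table: set = set()  # established flows, keyed by the initiating packet's 5-tuple

    def _acl_permits(self, iface: str, pkt: Packet) -> bool:
        """First matching rule wins; an unmatched packet hits the implicit deny."""
        for rule in self.acls.get(iface, []):
            if pkt.src_ip.startswith(rule.src_prefix) and rule.dst_port in (None, pkt.dst_port):
                return rule.action == "permit"
        return False

    def _open_connections_to(self, dst_ip: str) -> int:
        return sum(1 for flow in self.conn_table if flow.dst_ip == dst_ip)

    def process(self, iface: str, pkt: Packet) -> str:
        # 1. Return (or repeated) traffic of a known flow is permitted by the connection
        #    table alone; the ingress interface's access-list is never consulted for it.
        if pkt in self.conn_table or pkt.reverse() in self.conn_table:
            return "permit:connection-table"
        # 2. A new flow must pass the access-list applied to the interface it enters on.
        if not self._acl_permits(iface, pkt):
            return "deny:access-list"
        # 3. MPF-style connection limit: refuse new flows once the destination is at its cap.
        if self.conn_max is not None and self._open_connections_to(pkt.dst_ip) >= self.conn_max:
            return "deny:conn-limit"
        self.conn_table.add(pkt)
        return "permit:access-list"


def demo() -> list:
    """Constructed traffic sample: one outbound flow with its reply, an unsolicited inbound
    packet, and a burst of new connections against the connection limit."""
    fw = StatefulFirewall(
        acls={
            "inside": [Rule("permit", "10.1.")],   # inside hosts may initiate anything
            "outside": [Rule("permit", "", 443)],  # from outside, only HTTPS to the DMZ web server
        },
        conn_max=2,
    )
    client = Packet("tcp", "10.1.1.10", 51000, "203.0.113.5", 80)
    web = "10.1.2.20"
    return [
        fw.process("inside", client),             # new outbound flow: inside ACL permits, entry created
        fw.process("outside", client.reverse()),  # reply: connection table permits (outside ACL would not)
        fw.process("outside", Packet("tcp", "198.51.100.7", 40000, "10.1.1.10", 22)),  # unsolicited SSH: denied
        fw.process("outside", Packet("tcp", "198.51.100.7", 40001, web, 443)),         # HTTPS: permitted
        fw.process("outside", Packet("tcp", "198.51.100.8", 40002, web, 443)),         # HTTPS: permitted
        fw.process("outside", Packet("tcp", "198.51.100.9", 40003, web, 443)),         # third flow: over conn-max
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The reply to the outbound request is permitted even though the outside access-list would never allow a packet to port 51000, and the unsolicited SSH packet is dropped because it has no connection entry and no permitting rule; the last packet shows a connection limit refusing a new flow before it ever reaches the connection table.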
VPN Support
- The Cisco ASA supports point-to-point IPsec-based (site-to-site and remote-access) VPNs, SSL-based (clientless and client-based) VPNs, and L2TP-based VPNs.
- As of now, the Cisco ASA supports only policy-based VPNs and cannot support route-based VPNs such as point-to-multipoint tunnels, DMVPN, etc.
VPN Load Balancing
- Using VPN load balancing, Cisco VPN clients can be shared across multiple ASA units without user intervention.
- This is a Cisco proprietary feature of Cisco ASA firewalls.
Virtualization (Security Contexts)
- Using this feature, a physical firewall can be configured as multiple virtual firewalls, all in one box.
- Each context maintains its own configuration and acts as a separate firewall.
Web-Based Management
- The Cisco ASA can be configured using the CLI, and it can also be managed via a GUI using ASDM.
High Availability
- The Cisco ASA supports active/standby and active/active failover for high availability between a pair of Cisco ASAs.
IPv6 Support
- The Cisco ASA also supports IPv6 routing, both static and dynamic.
Clustering
- ASA clustering lets you group multiple ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.
Dynamic Routing protocol support
- As of version 9.x, the Cisco ASA supports dynamic routing protocols such as RIP, EIGRP, and OSPFv2.
Next-Generation Firewall
- Cisco's new next-generation firewall includes intrusion prevention, advanced malware protection, URL filtering, and application visibility and control, all together in one consolidated appliance.
I hope you enjoyed this article. Please feel free to leave a comment or feedback.