- ASA
- Multicontext mode
- Routed mode
- Transparent mode
- NAT
- ICMP
- LINA processing
- ASA license
- QoS
- SGT
- AAA
- Dead connection detection (DCD)
- Etherchannel
- Redundant interfaces
- VPN
- Active/Standby
- Active/active
- Cluster
- BGP through ASA
- Identity policy
ASA
- stateful firewall
- supports WebSSL VPN (FTD does not), VTI (starting from 9.7)
- up to 16 nodes in a cluster
- up to 8 ports in an asymmetric routing group (ASR)
- by default return TCP/UDP traffic is permitted (same when an ACL is applied on outside)
- mgmt access only via the address of the interface the traffic arrives on (e.g. impossible to connect from inside to the dmz interface address)
- by default traffic between interfaces with the same security-level is denied even if permitted by ACL
- by default routing traffic back via the ingress interface is denied (~ split-horizon on the data plane)
- ACL
  - global: on ingress, one per ASA, replaces the implicit deny in interface ACLs
  - BVI: ≈ VACL, applied after the interface ACL and before the global ACL
- service-policy
  - global: ingress only (except police, shape, prioritize)
  - interface: ingress+egress
- does not decrement TTL by default
- for dynamic protocols (e.g. FTP, RTP) – inspection and permit of the first packet
- authC + authZ: local DB, LDAP, RADIUS, TACACS+
- by default the self-signed certificate is recreated after every reboot
- does not support telnet on interfaces with security-level 0-50
- L7 policy-map (type ...) is applied only from within an L3/4 policy-map (no type)
- time-based ACL has no effect on existing connections
- tunneled default route:
  - priority for traffic from VPN only
  - AD = 255
  - no effect on non-default (more specific) routes
- ECMP
  - only across different next-hops on a single interface
  - cannot balance across different interfaces
; permit traffic between interfaces with same security-level
(config)# same-security-traffic permit inter-interface
; permit forwarding traffic back via ingress interface
(config)# same-security-traffic permit intra-interface
; lower priority than mgmt-protocol settings (e.g. ssh <PREFIX> <INTF>)
(config)# access-group <ACL> in interface <INTF> control-plane
(config)# route <INTF> 0.0.0.0 0.0.0.0 <NEXTHOP> tunneled
; does not support control-plane ACL, permits receiving mgmt traffic from VPN
(config-if)# management-only
Multicontext mode
- process level
- Security Plus license (2 contexts, more – optional license) for 5508 and 5512
- no support for OSPFv3, RIP, mcast, threat detection, Unified Communications, QoS
- not supported on ASAv
- no CPU/RAM throttling – one context may starve the others
- transparent
  - requires interfaces to be dedicated to a context
- routed
  - permits sharing an L3 interface between contexts
  - by default all contexts sharing an L3 interface also share the same MAC
  - different MACs are required for routing
    - manual assignment
    - auto-generated
    - not required with NAT
- configs
  - system: startup, context and physical interface settings
  - admin context
  - context
- context classification
  - priority
    - by interface
    - by MAC
    - by NAT
  - inbound
    - bcast/mcast is replicated to all contexts
- default class resources: 5 telnet, 5 SSH, 5 IPsec, 65535 MAC
(config)# mode multiple
(config)# admin-context <NAME>
(config)# context <NAME>
(config-ctx)# allocate-interface <INTF>
(config-ctx)# config-url <PATH>
(config-ctx)# member <CLASS>
(config)# class <CLASS>
(config-class)# limit-resource <RESOURCE> <LIMIT>
Routed mode
- default
- context-level
- standard ACL support (not used for traffic filtering)
- webtype ACL: SSLVPN traffic filtering (if not applied – permit all)
Transparent mode
- unknown unicast
  - if dst is a local address ⇒ ARP for dst IP
  - if dst is a remote address
    - ping dst IP from BVI with TTL=1, L2 dst MAC copied from the initial packet
    - GW MAC is copied from the ICMP TTL-expired reply
  - first packet is dropped; if no MAC entry appears in CAM – drop all
- BVI required, no routing
- no RA or L2L VPN (VPN only for mgmt)
- no support for QoS, IPv6, IGP, ERSPAN
- EtherType ACL support (implicit deny does not block IP, explicit deny does)
(config)# firewall transparent
(config)# interface bvi <n>
(config-if)# bridge-group <n>
NAT
- no support for FQDN object, IPv4 object-group, IPv6 object-group
- auto NAT ≡ NAT within the object definition
- twice NAT ≡ manual NAT
- NAT order
  - between types:
    - manual NAT, sequential
    - static auto NAT
    - dynamic auto NAT
    - manual NAT after-auto, sequential
  - within type:
    - more specific real IP (/32 has priority over /24)
    - lower IP (10.1.1.0 before 11.1.1.0)
    - lower object name (abcd before cat)
- manual NAT is required for policy-based NAT: the NAT pool depends on the source/destination pair
- by default entry timeout – 30s
- by default no ALG for DNS, contents are not rewritten
; outside NAT
(config)# nat (Outside, Inside) source dynamic any <OLA> destination static <IGA> <ILA>
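The NAT lookup order above, as an added example in Python (not from the page): the rules are constructed, manual NAT sections keep their configured order, and the auto NAT section is sorted with the page's tie-breakers (static before dynamic, more specific real prefix, lower IP, lower object name). Manual rules are matched on the real source prefix only, a simplification.

```python
import ipaddress

# Added example: predicts which NAT rule the ASA evaluates first, following the
# order described above. Rules below are constructed, not from a real configuration.
# Each rule: section ("manual", "auto", "manual-after-auto"), kind ("static"/"dynamic"),
# real (the real/pre-NAT prefix) and object (object name used for auto NAT tie-breaks).
RULES = [
    {"section": "auto", "kind": "dynamic", "real": "10.1.1.0/24", "object": "cat"},
    {"section": "auto", "kind": "static", "real": "10.1.1.0/24", "object": "zz"},
    {"section": "auto", "kind": "static", "real": "10.1.1.0/24", "object": "abcd"},
    {"section": "auto", "kind": "static", "real": "10.1.1.5/32", "object": "host"},
    {"section": "auto", "kind": "static", "real": "11.1.1.0/24", "object": "b"},
    {"section": "manual-after-auto", "kind": "dynamic", "real": "10.0.0.0/8", "object": "after"},
    {"section": "manual", "kind": "static", "real": "10.1.1.9/32", "object": "man"},
]

def auto_nat_key(rule):
    """Auto NAT tie-breakers: static before dynamic, longer prefix first,
    lower real IP first, then lower object name (plain string order)."""
    net = ipaddress.ip_network(rule["real"], strict=False)
    return (0 if rule["kind"] == "static" else 1,
            -net.prefixlen,
            int(net.network_address),
            rule["object"])

def nat_order(rules):
    """Section 1 (manual) and section 3 (manual after-auto) keep their configured
    order; section 2 (auto NAT) is sorted with auto_nat_key."""
    manual = [r for r in rules if r["section"] == "manual"]
    auto = sorted((r for r in rules if r["section"] == "auto"), key=auto_nat_key)
    after = [r for r in rules if r["section"] == "manual-after-auto"]
    return manual + auto + after

def first_match(rules, real_ip):
    """Object name of the first rule whose real prefix contains real_ip, or None.
    Simplification: manual rules are matched on the real source prefix only."""
    ip = ipaddress.ip_address(real_ip)
    for rule in nat_order(rules):
        if ip in ipaddress.ip_network(rule["real"], strict=False):
            return rule["object"]
    return None

if __name__ == "__main__":
    print([r["object"] for r in nat_order(RULES)])
    print(first_match(RULES, "10.1.1.5"), first_match(RULES, "10.1.1.7"))
```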
ICMP
- stateful ICMP inspection is not enabled by default ⇒ no ping reply because no connection state is created
- ICMP error inspection
  - rewrites ICMP reply contents based on NAT
  - does not change the ICMP and IP headers
  - preserves the addresses of transit nodes in traceroute (by default all transit IPs are translated to the outer IP of the node targeted by traceroute)
(config)# icmp unreachable rate-limit <pps> burst <n>
; ICMP handled by the ASA itself (does not fall under interface ACLs), higher priority than the control-plane ACL
(config)# icmp permit|deny <SRC> <TYPE> <INTF>
LINA processing
- flow lookup
- route lookup
- ingress ACL
- QoS, embryonic limits
- VPN crypto match
- NAT translation (100→0), NAT RPF (0→100)
- NAT host limit
- NAT lookup (0→100)
- flow creation (100→0)
ASA license
- time-based license – only 1 is active
- time-based + permanent:
  - UC proxy: combine
  - security contexts: combine
  - botnet traffic filter: time-based only
  - rest: higher limit
- shared SSL VPN: the central ASA allocates chunks of 50 licenses to other ASAs from the central pool
QoS
- police: no support for SSLVPN
- shape: class-default only
- has LLQ
SGT
- only local, cannot download SGACL from ISE
(config)# aaa-server <ISE> protocol radius
(config)# aaa-server <ISE> (INTF) host <IP>
(config)# cts server-group <ISE>
(config)# cts sxp connection peer <IP> password default mode local listener
(config)# cts sxp enable
# cts import-pac <PATH> password <PASS>
AAA
- if servers in a group are unreachable – fallback method for 10 mins
- if no fallback is defined – reactivate the group immediately
; privilege 15 taken from AV attributes; otherwise they are ignored and enable is needed
(config)# aaa authorization exec authentication-server auto-enable
Dead connection detection (DCD)
- preserves open but silent sessions
- sends TCP keepalives to the TCP peers
  - no data
  - seq.n is 1 lower than expected by the peer ⇒ looks like a retransmit, triggers an ACK
  - if one of the peers does not respond – close the session
  - peer response is also forwarded to the other peer
- TCP state bypass: passes TCP traffic even if no state is available (for asymmetric routing)
(config-pmap-c)# set connection timeout dcd
; TCP intercept
(config-pmap-c)# set connection embryonic-conn-max <n>
; TCP intercept
(config-pmap-c)# set connection per-client-embryonic-max <n>
(config-pmap-c)# set connection advanced-options tcp-state-bypass
Etherchannel
- up to 48 per appliance
- 16 active links (starting from 9.2(1), before – 8)
- static, LACP
- member interface cannot be a named interface
Redundant interfaces
- ~ FlexLink
- active/standby, into same L2 segment
- does not support inline set
VPN
- VTI starting from 9.7
- reverse route injection (RRI)
  - static routes on the peer for prefixes from the SA, next-hop = peer IP
  - for dynamic crypto-map
- OSPF over crypto-map = static unicast neighbour
- BGP over VTI
- by default VPN traffic is permitted
- NAT is done before encryption ⇒ NAT exemption needed
- container configuration: connection profile in ASDM (DefaultL2LGroup by default)
- no support for IKEv1 XAuth for L2L (RA only)
- tunnel-group selection for a connection:
  - certificate OU
  - IKE ID ≡ FQDN
  - IP
; on by default, permits all traffic from VPN
(config)# sysopt connection permit-vpn
(config)# crypto ikev1|ikev2 enable <INTF>
(config)# crypto ikev1|ikev2 policy <n>
(config)# crypto ipsec ikev1|ikev2 ipsec-proposal <PROPOSAL>
(config)# crypto map <MAP> <n> match address <ACL>
(config)# crypto map <MAP> <n> set peer <IP>
(config)# crypto map <MAP> <n> set ikev1|ikev2 proposal <PROPOSAL>
(config)# crypto map <MAP> <n> interface <INTF>
(config)# tunnel-group <IP> type ipsec-l2l
(config)# tunnel-group <IP> ipsec-attributes
Active/Standby
- no preempt
- LAN failover interface
  - synchronizes config from active to standby
  - IP protocol 105
  - can be encrypted with a PSK
- stateful failover interface
  - synchronizes state, RIB, ARP
  - ~ NSF
- interfaces in the same L2 segment, different addresses
- failover
  - standby takes over the active MAC/IP
  - standby initiates IGP resync (DBD, Update)
- requirements:
  - same HW, model, number/type of interfaces
  - same RAM, mode, OS version (except during upgrade), license
  - same NTP settings
  - no DHCP, PPPoE
- upgrade:
  - maintenance: any (8.0(1) → 8.0(5))
  - minor: sequential (8.0 → 8.1 → 8.2)
  - major: from the latest minor (7.9 → 8.0)
- vMAC instead of BIA keeps connections (e.g. ARP entries) valid after the pair reboots
- does not synchronize XML: DAP, SSLVPN bookmarks
(config)# failover
(config)# failover lan unit primary|secondary
; LAN failover interface
(config)# failover lan interface <NAME> <INTF>
; stateful failover interface
(config)# failover link <NAME> <INTF>
; addresses for LAN failover link
(config)# failover interface ip <ADDR> <MASK> standby <STANDBY_ADDR>
; number of failed interfaces that triggers failover (default 1)
(config)# failover interface-policy <n>
(config)# failover mac address <INTF> <ACTIVE_VMAC> <STANDBY_VMAC>
; conceals passwords, logins, keys
(config)# failover key <PASS>
; includes "active/standby" in CLI prompt
(config)# prompt hostname state
Active/active
- multi-context only, ASA only
- 2 failover groups, only 1 context is active in pair
- no VPN support
(config)# failover group 1|2
(config-fover-group)# preempt
(config-fover-group)# primary|secondary
(config)# context <NAME>
(config-ctx)# join-failover-group 1|2
Cluster
- cluster control link (CCL)
  - attached to an OOB switch (back-to-back not supported)
  - physical, redundant, EtherChannel
  - PortChannel48 by default
- master unit
  - election
    - priority: 1 = best
    - name
    - serial number
  - no preempt: waits 45s for a master response, then becomes master itself
- state is copied only to one other device in the cluster
- interface modes
  - L2 LACP: one MAC/IP for all (anycast), spanned
  - L3 links: different MAC/IP, ECMP-based, individual, ASA only
- roles
  - owner
    - receives the first packet of the flow
    - creates a TCP SYN cookie for identification in SYN+ACK
  - director
    - backup of the owner's state
    - elected by 5-tuple hash of the flow
    - returns info on who the owner is
  - backup director
    - elected if owner ≡ director
    - uses a different hash algorithm
  - forwarder
    - passes packets of the flow to the owner over the CCL
    - learns the owner from the TCP cookie or from the director
- performance
  - 70% throughput
  - 60% max connections
  - 50% max connections per second
- 16 devices max
- not supported on ASAv
; L2 LACP
(config)# cluster interface-mode spanned
(config)# cluster group <CLUSTER>
(cfg-cluster)# local-unit <LOCAL_NAME>
(cfg-cluster)# cluster-interface <PO> ip <ADDR> <MASK>
(cfg-cluster)# priority <n>
(cfg-cluster)# enable
; physical
(config-if)# channel-group <n> mode active vss-id <m>
; PortChannel
(config-if)# port-channel span-cluster vss-load-balance
BGP through ASA
- TCP seq.n randomization must be disabled (on by default), otherwise MD5 authC fails (the MD5 digest covers the seq.n)
- TCP option 19 (MD5 authC) must be allowed, otherwise the ASA clears the MD5 value
- TCP 179 permitted
(config)# tcp-map <MAP>
(config-tcp-map)# tcp-options range <n> <m> allow
(config-pmap-c)# set connection random-sequence-number disable
(config-pmap-c)# set connection advanced-options <MAP>
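Why the two points above matter, as an added Python example (not from the page): an RFC 2385 TCP MD5 (option 19) digest is computed and verified over a constructed BGP KEEPALIVE segment; rewriting the sequence number (what seq.n randomization does) or zeroing the option value (what the ASA does when the tcp-map does not allow option 19) makes the peer's check fail. Addresses, ports, key and payload are constructed.

```python
import hashlib
import socket
import struct

# Added example (not from the page): RFC 2385 TCP MD5 (option 19) signing and
# verification, showing why ASA sequence-number randomization breaks BGP MD5.
# Addresses, ports, key and payload are constructed for the demonstration.
SRC, DST, KEY = "192.0.2.1", "192.0.2.2", b"bgp-secret"
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # marker, length 19, type 4

def build_tcp_header(sport, dport, seq, ack, flags=0x18, window=65535):
    """20-byte fixed TCP header; data offset 10 => 40-byte header incl. 20 bytes of options."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (10 << 12) | flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 digest: pseudo-header, fixed TCP header with checksum zeroed and
    options excluded, TCP payload, then the shared key. The sequence number
    (bytes 4..8 of the header) is covered, so rewriting it invalidates the digest."""
    data_offset = (segment[12] >> 4) * 4
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(fixed) + segment[data_offset:] + key).digest()

def sign_segment(src_ip, dst_ip, header, payload, key):
    """Append option 19 (kind 19, length 18, 16-byte digest) plus two NOPs, then fill the digest."""
    segment = header + bytes([19, 18]) + b"\x00" * 16 + b"\x01\x01" + payload
    return segment[:22] + tcp_md5_digest(src_ip, dst_ip, segment, key) + segment[38:]

def verify_segment(src_ip, dst_ip, segment, key):
    """What the BGP peer does: recompute the digest and compare it with option 19."""
    if segment[20:22] != bytes([19, 18]):
        return False
    return segment[22:38] == tcp_md5_digest(src_ip, dst_ip, segment, key)

def randomize_seq(segment, offset):
    """Model of ASA sequence-number randomization: seq is rewritten, option 19 is not."""
    seq = struct.unpack("!I", segment[4:8])[0]
    return segment[:4] + struct.pack("!I", (seq + offset) & 0xFFFFFFFF) + segment[8:]

def clear_md5_option(segment):
    """Model of the ASA clearing the option 19 value when the tcp-map does not allow it."""
    return segment[:22] + b"\x00" * 16 + segment[38:]

if __name__ == "__main__":
    seg = sign_segment(SRC, DST, build_tcp_header(179, 40000, 1000, 2000), BGP_KEEPALIVE, KEY)
    print(verify_segment(SRC, DST, seg, KEY), verify_segment(SRC, DST, randomize_seq(seg, 0x1A2B), KEY))
```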
Identity policy
- integration with AD (e.g. ACL on AD groups, usernames)
- ASA requests information directly
- requires agent on AD for IP-to-ID mapping
- RADIUS between agent and ASA
(config)# aaa-server <AGENT> protocol radius
(config-aaa-server-group)# ad-agent-mode
(config)# aaa-server <AGENT> (INTF) host <IP>
(config-aaa-server-host)# key <KEY>
(config)# user-identity ad-agent aaa-server <AGENT>
(config)# user-identity enable