Tuesday 11 August 2015

Cisco ASA's Part 1: Introduction to the Cisco ASA Firewall, Stateful Filtering, Security Levels and Interface Names.

Cisco ASA 5505's are excellent hardware firewalls for home and small office environments. They offer most of the features that are available in enterprise-level Cisco Adaptive Appliances. I had to get this one setup in my home lab network so that I could establish a dedicated site-to-site VPN with Microsoft Azure for testing purposes.

The interfaces on an ASA 5505 are numbered from 0-7 (right to left), the last interfaces (6 + 7) are actually Power over Ethernet capable interfaces. My interfaces are configured in the following way.
  • Interface 0 - "inside" with Security Level 100
  • Interface 1 - "outside" with Security Level 0
  • Interface 2 - "dmz" with Security Level 50
Each of the physical interfaces are assigned a name, either "inside", "outside", or "dmz" you can call these anything you like but more often than not you will see them names something similar to the above. 

Security Levels are assigned to interfaces to determine how "trusted" a particular network is. In this example the "inside" network (which is the internal LAN) is configured with the level of 100, then DMZ 50 and the outside (internet facing) 0. By default traffic can flow from higher to lower but not lower to higher. The best analogy I have heard for this is to think of a waterfall, water flows down but cannot flow upwards.

That being said, State-full Filtering is used to ensure that network connectivity can be established through a firewall. For example if you are on the "inside" network on a PC with the address and you visit a website on the internet at, there is packets leaving the "inside" network flowing down to the "outside" interface. Most network communications would not work if the session could not be established between the PC and the Web Server, this is because the return traffic back from the Web Server to the PC would be hitting a Security Zone (or Level) with a lower value than the internal network. As we said previously, traffic can flow down from higher to lower, but not lower to higher. Static Filtering makes this possible, a state table is maintained by the Cisco ASA firewall to ensure return traffic is dynamically allowed back to the clients even if they reside in a Security Zone with a higher value that the "outside" interface. 

It is also worth noting that the values used are irrelevant, instead of using 100, 50 and 0 you can use 3,2 and 1 and the effect would be the same.