11/4/2016 ASA Firewall Interview Questions and Answers [CCIE] | Networker Interview

Networker Interview
Prepare for CCNA, CCNP, CCIE Interview!

ASA Firewall Interview Questions and Answers [CCIE]
What is a Firewall?

A firewall is a device placed between a trusted and an untrusted network. It permits or denies traffic that enters or leaves the network based on pre-configured policies. Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example by keeping a management network separate from a user network.

What is the difference between Gateway and Firewall?

A gateway joins two networks together, while a network firewall protects a network against unauthorized incoming or outgoing access. Network firewalls may be hardware devices or software programs.

Firewalls work at which Layers?

Firewalls work at Layers 3, 4 and 7 (network, transport and application). A transparent-mode ASA additionally bridges frames at Layer 2, but still applies its policy at Layers 3 to 7.

What is the difference between Stateful & Stateless Firewall?

Stateful firewall - A stateful firewall is aware of the connections that pass through it. It adds and maintains information about users' connections in a state table, referred to as a connection table. It then uses this connection table to implement the security policies for users' connections: return traffic is allowed because it matches an existing entry, not because a rule explicitly permits it. Examples of stateful firewalls are PIX, ASA and Checkpoint.
Stateless firewalls - (Packet Filtering) Stateless firewalls, on the other hand, do not look at the state of connections but only at the packets themselves, so return traffic must be permitted by a rule of its own.
An example of a packet filtering firewall is the Extended Access Control List on Cisco IOS routers.
Intervi

What information does a Stateful Firewall maintain?

A stateful firewall maintains the following information in its state table:
1. Source IP address.
2. Destination IP address.
3. IP protocol, such as TCP or UDP.
4. Protocol information such as TCP/UDP port numbers, TCP sequence numbers and TCP flags.

What are the security-levels in Cisco ASA?

ASA uses security levels to determine the trustworthiness of the network attached to each interface. The security level can be configured between 0 and 100, where higher numbers are more trusted than lower ones. By default, the ASA allows new connections only from a higher security level to a lower security level; the return traffic of those connections is allowed back because it matches the connection table, not because of the security levels.

How can we allow packets from lower security level to higher security level (Override Security Levels)?

We use an ACL that permits the traffic, applied inbound on the lower-security interface. Note that once an ACL is applied to an interface, the ACL (with its implicit deny at the end) replaces the implicit security-level rule for that interface.

Same Security level traffic is allowed or denied in ASA?

By default traffic between interfaces with the same security level is not allowed. To allow it we use the command:
ASA(config)# same-security-traffic permit inter-interface

What is the security level of Inside and Outside Interface by default?

The security level of an interface named "inside" is 100 by default. The security level of the outside interface, and of any interface given another name, is 0 by default.
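The security-level rules from the last few questions, as an added Python model (this is example code written for this page, not ASA code or anything from Cisco). It encodes the rules stated above plus the ASA behaviour that an inbound ACL replaces the implicit rule with first-match semantics and an implicit deny; the interface names, levels, addresses and ACL entries in demo() are constructed for the demonstration.

```python
"""Model of the ASA security-level policy for new connections.

Added example, not ASA code. It encodes the rules stated above: higher to
lower is permitted implicitly, lower to higher needs an ACL, equal levels need
'same-security-traffic permit inter-interface', and an inbound ACL replaces
the implicit rule with first-match semantics and an implicit deny at the end.
Interface names, levels, addresses and ACL entries are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One access-control entry: action, protocol, source, destination, dest port."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any)
    src: str                      # CIDR
    dst: str                      # CIDR
    dport: Optional[int] = None   # None means any port

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Interface:
    name: str
    level: int
    inbound_acl: Optional[list] = None   # None: no access-group applied


class AsaPolicy:
    def __init__(self, same_security_inter_interface=False):
        self.ifaces = {}
        self.same_security_inter_interface = same_security_inter_interface

    def nameif(self, name, level=None):
        """Name an interface; the ASA default is 100 for 'inside' and 0 for any other name."""
        if level is None:
            level = 100 if name == "inside" else 0
        self.ifaces[name] = Interface(name, level)

    def access_group(self, acl, iface):
        """Apply an ACL (list of Ace, first match wins) inbound on an interface."""
        self.ifaces[iface].inbound_acl = list(acl)

    def new_connection(self, ingress, egress, proto, src, dst, dport=None):
        """Return (allowed, reason) for the first packet of a flow."""
        i, e = self.ifaces[ingress], self.ifaces[egress]
        # Equal levels are blocked outright unless inter-interface traffic is enabled.
        if i.level == e.level and not self.same_security_inter_interface:
            return False, "same security level: needs same-security-traffic permit inter-interface"
        # An inbound ACL replaces the implicit rule: first match, implicit deny at the end.
        if i.inbound_acl is not None:
            for ace in i.inbound_acl:
                if ace.matches(proto, src, dst, dport):
                    return ace.action == "permit", f"ACL {ace.action} by {ace}"
            return False, "ACL implicit deny"
        # No ACL: only higher (or, if enabled, equal) to lower is permitted implicitly.
        if i.level >= e.level:
            return True, f"implicit permit {i.level} -> {e.level}"
        return False, f"implicit deny {i.level} -> {e.level}: lower to higher needs an ACL"


def demo():
    """Constructed three-interface deployment; returns the verdict for each test flow."""
    asa = AsaPolicy()
    asa.nameif("inside")        # defaults to 100
    asa.nameif("outside")       # defaults to 0
    asa.nameif("dmz", 50)
    asa.nameif("dmz2", 50)
    web = "192.0.2.10"
    # Let the Internet reach the DMZ web server on port 80 only.
    asa.access_group([Ace("permit", "tcp", "0.0.0.0/0", f"{web}/32", 80)], "outside")
    verdicts = {
        "inside_to_outside": asa.new_connection("inside", "outside", "tcp", "10.0.0.5", "198.51.100.1", 443),
        "outside_to_dmz_web": asa.new_connection("outside", "dmz", "tcp", "198.51.100.1", web, 80),
        "outside_to_dmz_ssh": asa.new_connection("outside", "dmz", "tcp", "198.51.100.1", web, 22),
        "dmz_to_inside": asa.new_connection("dmz", "inside", "tcp", web, "10.0.0.5", 445),
        "dmz_to_dmz2": asa.new_connection("dmz", "dmz2", "tcp", web, "192.0.3.7", 80),
    }
    # Gotcha: an inbound ACL on inside that only permits DNS silently removes the
    # implicit permit for everything else coming from inside.
    asa.access_group([Ace("permit", "udp", "10.0.0.0/8", "0.0.0.0/0", 53)], "inside")
    verdicts["inside_to_outside_after_acl"] = asa.new_connection("inside", "outside", "tcp", "10.0.0.5", "198.51.100.1", 443)
    verdicts["inside_dns_after_acl"] = asa.new_connection("inside", "outside", "udp", "10.0.0.5", "198.51.100.1", 53)
    return {k: v[0] for k, v in verdicts.items()}


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:30s} {'PERMIT' if allowed else 'DENY'}")
```

The last two flows in demo() are the part worth remembering for the interview: applying any ACL inbound on inside turns the implicit "100 to 0 is permitted" rule into an implicit deny, so the ACL must list everything inside is still supposed to reach.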

What protocols are inspected by ASA?

By default, TCP and UDP are tracked statefully by the ASA; application-layer inspection of specific protocols (DNS, FTP and others) is controlled by the inspection policy.

Does ASA inspect ICMP?

No, the ASA does not inspect ICMP by default, so no connection entry is created for an echo request, and the echo reply coming back from a lower-security interface is dropped unless an ACL permits it. Enabling ICMP inspection makes the ASA track echo request and reply as a connection.

Explain DMZ (Demilitarized Zone) Server?

If we need some network resources such as a web server or FTP server to be available to outside users, we place these resources on a separate network behind the firewall called a demilitarized zone (DMZ), on an interface with a security level between inside and outside. The firewall allows limited access to the DMZ, but because the DMZ only contains the public servers, an attack there affects only those servers and not the inside network, provided the policy from the DMZ toward the inside network stays restrictive.
How does a firewall process a packet?

When a packet is received on the ingress interface, the ASA checks whether it matches an existing entry in the connection table. If it does, protocol inspection is carried out on that packet and it is forwarded without a new ACL check.
----------------------------------------------------------------------------------------------------------------------
If it does not match an existing connection and the packet is either a TCP SYN packet or a UDP packet, the packet is subjected to ACL checks. The reason it needs to be a TCP SYN packet is that a SYN packet is the first packet in the TCP 3-way handshake. Any other TCP packet that isn't part of an existing connection is likely an attack and is dropped.
----------------------------------------------------------------------------------------------------------------------
If the packet is allowed by the ACLs and is also verified by the translation (NAT) rules, the packet goes through protocol inspection.
----------------------------------------------------------------------------------------------------------------------
Then the IP header is translated if NAT is used, and if the NAT rule specifies an egress interface, the ASA will virtually forward the packet to this egress interface and then perform a route lookup.
----------------------------------------------------------------------------------------------------------------------
If a route is found that specifies the egress interface, then the Layer 2 header of the packet is rewritten and the packet is forwarded out the egress interface. A connection entry is created so that the rest of the flow, including the return traffic, matches at the first step.

What are the values for timeout of TCP session, UDP session, ICMP session?

These are the default idle timeouts; an entry is removed from the connection table when no packet has matched it for this long:
TCP session - 60 minutes
UDP session - 2 minutes
ICMP session - 2 seconds
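The packet path and the idle timeouts above, as an added Python simulation (example code written for this page, not ASA code). It walks the steps in the order the page gives them and uses the three default timeouts quoted; the ACL, NAT and route decisions are caller-supplied callables, the FakeClock and every address and flow in demo() are constructed, and the ICMP handling shows why the "ASA does not inspect ICMP" answer matters in practice.

```python
"""Simulation of the ASA packet path described above (added example, not ASA
code): existing-connection lookup, the TCP-SYN/UDP rule for new flows, the
ingress ACL, NAT, route lookup, then creation of the connection entry. Idle
timeouts use the page's defaults (TCP 60 min, UDP 2 min, ICMP 2 s). ACL, NAT
and routing are caller-supplied callables; all addresses and flows are constructed."""
from dataclasses import dataclass

IDLE_TIMEOUT = {"tcp": 60 * 60, "udp": 2 * 60, "icmp": 2}   # seconds, page defaults


@dataclass
class FakeClock:
    """Deterministic clock so idle timeouts can be exercised without sleeping."""
    now: float = 0.0

    def advance(self, seconds):
        self.now += seconds


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str
    syn: bool = False   # TCP SYN without ACK: the first packet of a handshake


class ConnTable:
    def __init__(self, clock, acl_permits, translate, route, inspect_icmp=False):
        self.clock = clock
        self.acl_permits = acl_permits   # Packet -> bool (ingress interface policy)
        self.translate = translate       # Packet -> (mapped dst ip, egress or None)
        self.route = route               # dst ip -> egress interface or None
        self.inspect_icmp = inspect_icmp
        self.conns = {}                  # key -> {"proto", "last_seen", "egress"}

    @staticmethod
    def _key(pkt):
        # Direction-independent 5-tuple so the reply hits the same entry.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def _expire(self):
        now = self.clock.now
        for k in [k for k, c in self.conns.items() if now - c["last_seen"] > IDLE_TIMEOUT[c["proto"]]]:
            del self.conns[k]

    def process(self, pkt):
        """Return (verdict, reason); verdict is 'forward' or 'drop'."""
        self._expire()
        key = self._key(pkt)
        conn = self.conns.get(key)
        if conn is not None:                       # step 1: existing connection, no ACL re-check
            conn["last_seen"] = self.clock.now
            return "forward", f"existing connection via {conn['egress']}"
        if pkt.proto == "tcp" and not pkt.syn:     # step 2: only SYN/UDP may open a flow
            return "drop", "TCP packet without SYN and no matching connection"
        if not self.acl_permits(pkt):              # step 3: ingress ACL
            return "drop", "denied by ingress ACL"
        mapped_dst, egress = self.translate(pkt)   # step 4: NAT may name the egress
        egress = egress or self.route(mapped_dst)  # step 5: otherwise route lookup
        if egress is None:
            return "drop", f"no route to {mapped_dst}"
        if pkt.proto == "icmp" and not self.inspect_icmp:
            # No ICMP inspection: forwarded by ACL alone, so the reply gets no free pass.
            return "forward", f"ICMP not inspected: forwarded via {egress} without state"
        self.conns[key] = {"proto": pkt.proto, "last_seen": self.clock.now, "egress": egress}
        return "forward", f"new connection via {egress}"   # step 6: entry created


def demo():
    """Run constructed flows through the table and return each verdict."""
    clock = FakeClock()
    asa = ConnTable(clock,
                    acl_permits=lambda p: p.ingress == "inside",   # outside may open nothing
                    translate=lambda p: (p.dst, None),             # identity NAT, no egress hint
                    route=lambda ip: "outside" if ip.startswith("198.51.100.") else "inside")
    syn = Packet("tcp", "10.0.0.5", 40000, "198.51.100.1", 443, "inside", syn=True)
    synack = Packet("tcp", "198.51.100.1", 443, "10.0.0.5", 40000, "outside")
    stray_ack = Packet("tcp", "198.51.100.9", 443, "10.0.0.5", 40001, "outside")
    dns_q = Packet("udp", "10.0.0.5", 5353, "198.51.100.53", 53, "inside")
    dns_r = Packet("udp", "198.51.100.53", 53, "10.0.0.5", 5353, "outside")
    echo = Packet("icmp", "10.0.0.5", 0, "198.51.100.1", 0, "inside")
    reply = Packet("icmp", "198.51.100.1", 0, "10.0.0.5", 0, "outside")
    out = {"syn": asa.process(syn)[0],                 # opens a TCP connection
           "synack": asa.process(synack)[0],           # matches it, no ACL needed
           "stray_ack": asa.process(stray_ack)[0],     # no SYN, no entry: dropped
           "dns_q": asa.process(dns_q)[0],
           "dns_r": asa.process(dns_r)[0]}
    clock.advance(121)                                 # past the 2-minute UDP idle timeout
    out["dns_r_late"] = asa.process(dns_r)[0]          # entry expired, outside ACL denies
    out["tcp_after_2min"] = asa.process(synack)[0]     # TCP entry still open (60 min)
    out["echo"] = asa.process(echo)[0]
    out["echo_reply_no_inspect"] = asa.process(reply)[0]   # no state: outside ACL drops
    asa.inspect_icmp = True
    asa.process(echo)
    out["echo_reply_inspected"] = asa.process(reply)[0]    # now matched as a connection
    return out
```

The stray ACK and the late DNS reply are the two cases that usually come up when troubleshooting with the connection table: a TCP segment that arrives with no matching entry is dropped even if an ACL would permit it, and a UDP reply that arrives after the 2-minute idle timeout is treated as a brand-new flow and has to pass the outside ACL on its own.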


Explain TCP Flags?

While troubleshooting TCP connections through the ASA, the connection flags shown for each TCP connection in the output of show conn describe the state of that connection from the ASA's point of view. For example, a freshly opened outbound connection shows saA until the handshake completes, U means the handshake is complete (up), I and O mean inbound and outbound data have been seen, B marks a connection whose initial SYN came from the outside, and f/F and r/R show that a FIN has been seen and acknowledged from the inside/outside respectively.

What is the command to see timeout timers?


# sh run timeout

What is the difference between ports in ASA 8.4 and ASA 8.2?

Port speed is a property of the hardware model, not of the software version, so the question conflates the two: the 5510-class appliances that commonly run 8.2 have ports named Ethernet0/x (10/100), while the newer models shipped with 8.4 and later have GigabitEthernet0/x ports.

What is the command to check connection table?


# sh conn

How ASA works in reference to Traceroute?

By default the ASA does not decrement the TTL of packets it forwards, so it never generates an ICMP time-exceeded message and does not appear as a hop in a traceroute; it hides itself for security reasons. It can be made visible by enabling TTL decrement in the connection settings of the service policy.

What if we apply ACL as global in ASA?

It will be applied inbound on all interfaces. Interface-specific ACLs are evaluated first, and the global ACL only for traffic not matched by them. The global option exists from ASA 8.3 onward and not in ASA 8.2.

What is the difference in ACL on ASA than on Router?

On a router, if we delete one entry of a classic numbered ACL the whole ACL is deleted. On the ASA, deleting one access-control entry removes only that entry and the rest of the ACL stays. In addition, ASA ACLs use normal subnet masks rather than wildcard masks.

Name some concepts that cannot be configured on ASA?

Line VTY cannot be configured on ASA; remote access is controlled with the ssh and telnet commands instead.
The wildcard mask concept is not present in ASA; ACLs use subnet masks.
Loopback interfaces cannot be configured on the ASA releases covered here (8.x).

What is the command to capture packets in ASA?

To capture packets on the inside interface:
# capture abc interface inside
To see it:
# sh capture abc

What is the command to enable HTTP on ASA?

# http server enable
This enables HTTPS (ASDM) management; the management hosts allowed to connect must still be listed explicitly.

How to give static route on ASA?


# route outside <Destination IP> <Subnet Mask> < Next Hop>


How to give default route on ASA?

# route outside 0 0 <Next Hop>
(0 0 is shorthand for 0.0.0.0 0.0.0.0.)

What are the different types of ACL in Firewall?

1. Standard ACL
2. Extended ACL
3. EtherType ACL (Transparent Firewall)
4. Webtype ACL (SSL VPN)

What is Transparent Firewall?

In transparent mode, the ASA acts as a Layer 2 device like a bridge or switch and forwards Ethernet frames based on the destination MAC address, while still applying its ACLs and stateful inspection to the IP traffic it bridges.

What is the need of Transparent Firewall?

Deploying a new firewall into an existing network can be a complicated process because of issues like IP address reconfiguration, network topology changes, the existing firewall, etc. We can easily insert a transparent firewall into an existing segment and control traffic between the two sides without having to readdress or reconfigure the devices.

What are the similarities between switch and ASA (in Transparent mode)?

Both learn which MAC addresses are associated with which interface and store them in a local MAC address table.

What are the differences between switch and ASA (in Transparent mode)?

The ASA does not flood unknown unicast frames that are not found in its MAC address table.
The ASA does not participate in STP.
A switch processes traffic at Layers 1 and 2, while the ASA can process traffic from Layer 1 to Layer 7.

What are the features that are not supported in Transparent mode?

1. Dynamic routing.
2. Multicast routing.
3. QoS.
4. VPNs like IPsec and WebVPN cannot be terminated.
5. The ASA cannot act as a DHCP relay agent.

Explain EtherType ACL?

In transparent mode, IP traffic is permitted or denied by the security levels and extended ACLs as in routed mode, but all non-IP traffic is denied by default. We create an EtherType ACL to allow non-IP traffic, and can control traffic like BPDUs, IPX, etc. with it. ARP is handled separately and passes without an EtherType ACL.

What is the command to convert ASA into Transparent mode?

# firewall transparent

What is the command to see mode (routed or transparent)?

# sh firewall


Explain Failover?

Failover is a Cisco proprietary feature used to provide redundancy. It requires two identical ASAs connected to each other through a dedicated failover link. The health of the active unit and of its interfaces is monitored to determine whether a failover should occur.

What are the types of Failover?

1. Active/Standby failover.
2. Active/Active failover.

What information is exchanged between ASAs over a Failover link?

1. State - active or standby.
2. Hello messages.
3. Network link status.
4. MAC addresses.
5. Configuration replication and synchronization.

What is the difference between Stateful failover and Stateless failover?

Stateless failover - When failover occurs, all active connections are dropped. Clients need to re-establish connections when the new active unit takes over.
Stateful failover - The active unit continually passes per-connection state information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Clients are not required to reconnect to keep the same communication session.

What information does the active unit pass to the standby unit in Stateful Failover?

The NAT translation table, TCP connection states, the ARP table, the Layer 2 bridge table (when running in transparent firewall mode), ICMP connection state, etc. Note that HTTP connections are not replicated unless HTTP replication is explicitly enabled, because they are short-lived and numerous.

What are the Failover Requirements between two devices?

Hardware requirements - The two units in a failover configuration must be the same model and have the same number and types of interfaces.
Software requirements - The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same software version.

Explain Active/Standby Failover?

In Active/Standby failover, one unit is the active unit and passes traffic. The standby unit does not actively pass traffic. When failover occurs, the active unit fails over to the standby unit, which then becomes active. We can use Active/Standby failover for ASAs in both single and multiple context mode.

Explain Active/Active Failover?

It is only available for ASAs in multiple context mode. In an Active/Active failover configuration, both ASAs can pass network traffic. We divide the security contexts on the ASA into failover groups. A failover group is simply a logical group of one or more security contexts. Each group is assigned to be active on a specific ASA in the failover pair. When failover occurs, it occurs at the failover group level.


What is the command to enable Failover?

# failover

What is the command to see Failover?


# sh failover

Explain Unit Health Monitoring in Failover? How does Failover occur?

Each ASA unit determines the health of the other unit by monitoring the failover link. When a unit does not receive three consecutive hello messages on the failover link, it sends hello messages on each interface, including the failover interface, to find out whether or not the other unit is responsive.
Based upon the response from the other unit it takes the following actions:
1. If the ASA receives a response on the failover interface, then it does not fail over.
2. If the ASA does not receive a response on the failover link, but it does receive a response on another interface, then the unit does not fail over. The failover link is marked as failed.
3. If the ASA does not receive a response on any interface, then the standby unit switches to active mode and classifies the other unit as failed.

How is the active unit determined in Active/Standby Failover?

1. If a unit boots and detects another unit already running as active, it becomes the standby unit.
2. If a unit boots and does not detect an active unit, it becomes the active unit.
3. If both units boot simultaneously, then the primary unit becomes the active unit and the secondary unit becomes the standby unit.

Name some commands replicated to the standby unit?

All configuration commands except for mode, firewall, and failover lan unit are replicated to the standby unit, along with:
# copy running-config startup-config
# write memory

Name some commands that are not replicated to the standby unit?

All forms of the copy command except # copy running-config startup-config
All forms of the write command except # write memory

Explain Active/Standby Failover & Active/Active Failover in terms of preemption?

In Active/Standby failover there is no preemption.
In Active/Active failover preemption is optional.

Explain Security Context?

We can partition a single ASA into multiple virtual devices, known as security contexts. Each context acts as an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices.

What features are supported in multiple context mode?

Routing tables, firewall features, IPS, and management.

What features are not supported in multiple context mode?

VPN and dynamic routing protocols (in the 8.x releases covered here).


Explain System area?

When we boot up in multiple mode, the CLI puts us into the system area (system execution space). The system area is used to create and manage the contexts, configure the physical properties of the interfaces, create VLAN subinterfaces for trunking, and create resource classes to restrict each context's system resource usage.

What is the admin context?

When the appliance boots up in multiple mode, one context is automatically created, called the admin context, which defaults to being the administrative context. Any context can be made the administrative context, but one of the contexts on the appliance must be the administrative context. An "*" beside a context name in the context listing indicates that it is the administrative context.

How does ASA classify packets?

The ASA decides which context should process an incoming packet as follows:
1. Unique interfaces - If only one context is associated with the ingress interface, the ASA classifies the packet into that context.
2. Unique MAC addresses - If multiple contexts share an interface, then the destination MAC address is used as the classifier. The ASA lets us assign a different MAC address in each context to the same shared interface. By default, shared interfaces do not have unique MAC addresses. We can set the MAC addresses manually or generate them automatically with the mac-address auto command.
3. NAT configuration - If we do not use unique MAC addresses, then the mapped addresses in our NAT configuration are used to classify packets: the packet goes to the context whose NAT defines the destination address as a mapped address on that interface. A packet on a shared interface that none of these steps can assign is dropped.
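The three-step classification above, as an added Python model (example code written for this page, not ASA code). The context names, interface allocations, MAC addresses and NAT mapped addresses in demo() are constructed, and the MAC numbering in mac_address_auto() is an assumption standing in for the ASA's own prefix-based scheme.

```python
"""Packet classifier for multiple-context mode (added example modelling the
three-step order above; not ASA code). Context names, interface allocations,
MAC addresses and NAT mapped addresses are constructed for the demo, and the
MAC numbering in mac_address_auto() is an assumption, not the ASA's scheme."""
from dataclasses import dataclass, field


@dataclass
class Context:
    name: str
    interfaces: set                               # interfaces allocated to the context
    macs: dict = field(default_factory=dict)      # interface -> MAC used by this context
    mapped: dict = field(default_factory=dict)    # interface -> set of NAT mapped IPs


class Classifier:
    def __init__(self, contexts):
        self.contexts = contexts

    def classify(self, ingress, dst_mac, dst_ip):
        """Return (context name or None, reason) for a packet arriving on ingress."""
        owners = [c for c in self.contexts if ingress in c.interfaces]
        if not owners:
            return None, "interface not allocated to any context"
        if len(owners) == 1:                                    # 1. unique interface
            return owners[0].name, "unique interface"
        by_mac = [c for c in owners if c.macs.get(ingress) == dst_mac]
        if by_mac:                                              # 2. unique MAC address
            return by_mac[0].name, "unique MAC address"
        by_nat = [c for c in owners if dst_ip in c.mapped.get(ingress, set())]
        if len(by_nat) == 1:                                    # 3. NAT mapped address
            return by_nat[0].name, "NAT mapped address"
        return None, "shared interface, no MAC or NAT match: dropped"


def mac_address_auto(contexts, prefix="a2:00"):
    """Stand-in for 'mac-address auto': give each context its own MAC on every shared
    interface. The ASA derives real values from a prefix plus interface and context
    indexes; here they are simply numbered (assumption for the demo)."""
    shared = {}
    for c in contexts:
        for iface in c.interfaces:
            shared.setdefault(iface, []).append(c)
    for n_if, (iface, owners) in enumerate(sorted(shared.items(), key=lambda kv: kv[0])):
        if len(owners) > 1:
            for n_ctx, c in enumerate(owners, start=1):
                c.macs[iface] = f"{prefix}:00:{n_if:02x}:00:{n_ctx:02x}"


def demo():
    """Two customer contexts sharing 'outside'; each has its own inside interface."""
    cust_a = Context("custA", {"outside", "insideA"}, mapped={"outside": {"203.0.113.10"}})
    cust_b = Context("custB", {"outside", "insideB"}, mapped={"outside": {"203.0.113.20"}})
    contexts = [cust_a, cust_b]
    clf = Classifier(contexts)
    out = {"from_insideA": clf.classify("insideA", "ff:ff:ff:ff:ff:ff", "10.1.1.1")[0]}
    # Before mac-address auto both contexts answer to the same MAC on outside,
    # so only the NAT configuration can tell them apart.
    out["to_a_by_nat"] = clf.classify("outside", "00:11:22:33:44:55", "203.0.113.10")[0]
    out["unmapped"] = clf.classify("outside", "00:11:22:33:44:55", "203.0.113.99")[0]
    mac_address_auto(contexts)
    out["to_b_by_mac"] = clf.classify("outside", cust_b.macs["outside"], "203.0.113.99")[0]
    return out
```

The "unmapped" case is the one to watch on a shared interface: a packet whose destination is neither a context-specific MAC nor a NAT mapped address of exactly one context cannot be classified and is dropped, which is why unique MAC addresses are the recommended way to share an interface.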

What is the command to switch to multiple context mode?

# mode multiple
After entering this command the appliance will reboot itself, and our current configuration is automatically backed up to flash in case we want to switch back to single mode. The file is called "old_running.cfg".

What is the command to switch back to single mode?

# mode single

What are the different types of NAT in ASA?

Static NAT - A consistent one-to-one mapping between a real and a mapped IP address. It allows bidirectional traffic initiation.
Dynamic NAT - A group of real IP addresses is mapped to a (usually smaller) group of mapped IP addresses on a first come, first served basis. It allows only unidirectional traffic initiation (from the real side).
Dynamic Port Address Translation (PAT) - A group of real IP addresses is mapped to a single IP address, each flow distinguished by a unique source port of that IP address.
Identity NAT - A real address is statically translated to itself, essentially bypassing NAT.

What is Policy NAT?

Policy NAT allows us to NAT by specifying both the source and destination addresses in an extended access list. We can also optionally specify the source and destination ports. Regular NAT can only consider the source address, not the destination address.
In static NAT it is called static policy NAT.
In dynamic NAT it is called dynamic policy NAT.


Give the order of preference between different types of NAT?

This is the order of the pre-8.3 NAT model (the nat, global and static commands); 8.3 and later use the three-section order described under Auto NAT and Manual NAT below.
1. NAT exemption.
2. Existing translation in the xlate table.
3. Static NAT
- Static identity NAT
- Static policy NAT
- Static NAT
- Static PAT

4. Dynamic NAT
- NAT zero
- Dynamic policy NAT
- Dynamic NAT
- Dynamic PAT

What is the difference between Auto NAT & Manual NAT?

Auto NAT (Network Object NAT) - It only considers the source address while performing NAT, so auto NAT is only used for plain static or dynamic NAT. Auto NAT is configured within a network object.
Manual NAT (Twice NAT) - Manual NAT considers either only the source address or both the source and destination address while performing NAT. It can be used for almost all types of NAT, like NAT exemption, policy NAT, etc.
Unlike auto NAT, which is configured within an object, manual NAT is configured directly from global configuration mode.

Give NAT Order in terms of Auto NAT & Manual NAT?

NAT is ordered in 3 sections and the first matching rule wins:
Section 1 - Manual NAT, in the order configured.
Section 2 - Auto NAT, ordered automatically: static rules before dynamic rules, then fewer real addresses first, then lowest real IP address first.
Section 3 - Manual NAT after-auto, in the order configured.
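The three-section ordering above, as an added Python model of the 8.3+ NAT table (example code written for this page, not ASA code). The rule names, objects and addresses in demo() are constructed; the demo shows the case interviewers usually ask about, a manual identity rule for VPN traffic that is configured after the auto NAT PAT yet still wins because it lives in section 1.

```python
"""Model of the three-section NAT table of ASA 8.3+ (added example, not ASA
code). Manual NAT rules keep configuration order in sections 1 and 3; auto NAT
rules in section 2 are sorted the way the ASA sorts them: static before dynamic,
then fewer real addresses first, then lowest real address first. The first
matching rule across sections 1, 2, 3 wins. Objects and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NatRule:
    kind: str                   # "static" or "dynamic" (PAT is modelled as dynamic)
    real: str                   # real source network (CIDR)
    mapped: str                 # mapped network; equal to real means identity NAT
    dst: Optional[str] = None   # manual NAT only: destination the rule is limited to
    after_auto: bool = False    # manual NAT placed in section 3
    name: str = ""

    def matches(self, src, dst):
        return (ip_address(src) in ip_network(self.real)
                and (self.dst is None or ip_address(dst) in ip_network(self.dst)))

    def apply(self, src):
        """Return the mapped source address for a packet from src."""
        if self.mapped == self.real:
            return src                                     # identity NAT: bypass
        mapped_net = ip_network(self.mapped)
        if self.kind == "static":                          # one-to-one by offset
            offset = int(ip_address(src)) - int(ip_network(self.real).network_address)
            return str(mapped_net.network_address + offset)
        return str(mapped_net[0])                          # dynamic/PAT: first mapped IP


class NatTable:
    def __init__(self):
        self.manual, self.auto = [], []

    def add_manual(self, rule):   # manual NAT entered in global configuration
        self.manual.append(rule)

    def add_auto(self, rule):     # auto NAT entered inside a network object
        self.auto.append(rule)

    def ordered(self):
        sec1 = [r for r in self.manual if not r.after_auto]
        sec2 = sorted(self.auto, key=lambda r: (r.kind != "static",
                                               ip_network(r.real).num_addresses,
                                               int(ip_network(r.real).network_address)))
        sec3 = [r for r in self.manual if r.after_auto]
        return sec1 + sec2 + sec3

    def translate(self, src, dst):
        """Return (rule name, mapped source) for the first matching rule."""
        for rule in self.ordered():
            if rule.matches(src, dst):
                return rule.name, rule.apply(src)
        return "no-nat", src


def demo():
    nat = NatTable()
    # Section 2 (auto NAT): a PAT for the whole inside range and a static for one server.
    nat.add_auto(NatRule("dynamic", "10.0.0.0/8", "203.0.113.1/32", name="obj-inside-PAT"))
    nat.add_auto(NatRule("static", "10.1.1.10/32", "203.0.113.10/32", name="obj-web-static"))
    # Section 1 (manual NAT): identity rule for the VPN subnet, configured after the auto
    # rules yet evaluated first, which is what keeps VPN traffic out of the PAT.
    nat.add_manual(NatRule("static", "10.0.0.0/8", "10.0.0.0/8", dst="192.168.50.0/24", name="vpn-exempt"))
    # Section 3 (manual after-auto): catch-all PAT that only applies if nothing above matched.
    nat.add_manual(NatRule("dynamic", "0.0.0.0/0", "203.0.113.2/32", after_auto=True, name="catch-all"))
    return {
        "order": [r.name for r in nat.ordered()],
        "web_to_internet": nat.translate("10.1.1.10", "198.51.100.7"),
        "client_to_internet": nat.translate("10.2.2.2", "198.51.100.7"),
        "client_to_vpn": nat.translate("10.2.2.2", "192.168.50.9"),
        "guest_to_internet": nat.translate("172.16.0.4", "198.51.100.7"),
    }
```

Note the order that ordered() produces: the static server rule is placed before the PAT in section 2 regardless of the order they were entered, because the ASA sorts section 2 by static-before-dynamic and then by the number of real addresses, so the one-host static always shadows the /8 PAT for that host.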

What are the commands to see NAT translations?

# sh xlate
# sh nat

What is the command to see both NAT Table and Connection Table?

# sh local-host


Tags: cisco asa firewall, nameif, asa failover, transparent firewall, dmz server, asa firewall nat, stateful firewall, asa tcp flags, asa security context, asa active/standby failover, asa active/active failover, asa stateful failover, asa manual nat, asa auto nat, asa firewall notes

6 comments


Jitendra Yadav
It's a really amazing website, please keep posting good things on this portal.

mandeep kumar
It is awesome!!!

shim
for study

Janardan
Very good site....

Please post for Check Point & Juniper as well.

sujeet
Awesome... thanks for sharing

Dilip
Awesome book. Thanks for sharing


Copyright © Networker Interview. All rights reserved.
