ASA Firewall Interview Questions and Answers Vol 1.0
A network firewall may be a hardware or a software device that protects a computer network from
unauthorized access. Network firewalls guard an internal LAN from malicious access originating in
the outside/unsecured zone, such as malware-infested websites or exposed vulnerable ports. The main
purpose of a firewall is to separate a secured area (higher security zone / inside network) from a
less secure area (lower security zone / outside network) and to control communication between
the two. A firewall also controls inbound and outbound communications across devices.
Transparent mode is one of the modes in which an ASA firewall may be configured. In transparent
mode the firewall acts as a layer 2 hop and does not function as a layer 3 hop: lookup and
forwarding are done on the destination MAC address. The outside and inside interfaces in transparent
mode sit in the same network.
“Security level” signifies the trustworthiness of an interface compared to the other interfaces on
the same device. In simple terms, a higher security level means a more trusted interface and a lower
security level a less trusted one. Each interface on the ASA is a security zone. A Cisco ASA can be
configured with multiple security levels between 0 and 100. The security levels are described
below –
Security level 100 – This is the highest and most trusted security level. By default, the “inside”
interface is assigned security level 100. LAN subnets usually fall in this category. Traffic from
security level 100 can reach any of the lower security levels configured on the same firewall.
Security level 0 – This is the lowest and least trusted security level on the ASA firewall. The
“outside” interface of the ASA firewall is assigned security level 0; the Internet is the most common
example of a security level 0 zone. The default firewall behaviour is to block any traffic from the
untrusted zone (security level 0) trying to reach a destination at any other security level.
Security levels 1 to 99 – Security levels from 1 to 99 can be assigned to multiple zones such as a
DMZ (a DMZ is assigned security level 50). Another example is an extranet zone, which may be
assigned a customised security level of 50.
Ques 6. In which 2 modes does ASA work? How are the 2 modes different?
The 2 modes in which an ASA can work are –
Routed Mode
Transparent mode
The differences between the two modes are illustrated in the table below -
Ques 8. How to allow packets from a lower security level to a higher security level?
An ACL needs to be applied to allow traffic from a lower security level towards a higher security
level.
Ques 9. How to allow packets between VLANs/interfaces at the same security level?
If two interfaces have the same security level, traffic between them is not permitted unless the
“same-security-traffic” global configuration command is used.
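The security levels, Ques 8 and Ques 9 put together in one ASA configuration. This is an added example, not part of the original document; the interface names, addresses and the published server 192.0.2.10 are constructed for illustration.

```cisco
! Added example (not from the original document): interface security levels
! and the two ways of lifting the default restrictions. Interface names,
! addresses and the server 192.0.2.10 are constructed for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.128
!
interface GigabitEthernet0/3
 nameif extranet
 security-level 50
 ip address 192.0.2.129 255.255.255.128
!
! inside (100) can already reach dmz (50) and outside (0); nothing to add.
! outside (0) -> dmz (50) is blocked by default, so an extended ACL applied
! inbound on outside is required (Ques 8). Permit only HTTPS to one server
! and log everything else that is dropped, which is what the SOC wants to see.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! dmz and extranet both sit at level 50; by default they cannot exchange
! traffic at all. This global command lifts that restriction (Ques 9).
! Interface ACLs still apply, so it does not open the zones unconditionally.
same-security-traffic permit inter-interface
```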
Ques 12. Can we mix different models in clustering, i.e. can a 5510 be clustered with a 5520?
No, we can't mix different ASA models.
Ques 14. Can we use ASA for web filtering like a proxy?
Yes, ASA can be used for web filtering.
Ques 15. At which layer does a firewall work?
A firewall works at Layer 4 of the OSI model. Some firewalls work up to the application layer (HTTP,
HTTPS, etc.).
Ques 19. What are the timeout values in the ASA firewall for TCP, UDP and ICMP sessions?
The default timeout values are -
timeout conn - The idle time after which a connection closes. The default is 1 hour.
timeout half-closed - The idle time until a TCP half-closed connection closes. The default is 10
minutes.
timeout udp - The idle time until a UDP connection closes. The default is 2 minutes.
timeout icmp - The idle time for ICMP. The default is 2 seconds.
In passive FTP mode, the server opens a port and passively listens; the client uses the control
connection to send a PASV command to the server and receives back the server IP address and port
number to which the client then connects. Passive mode is generally used where the client is behind
a firewall and unable to accept incoming TCP connections. From an overall security perspective,
passive FTP mode is the preferred safety measure.
System context – This context allows an administrator to add and manage other contexts by
configuring each context's configuration location, allocated interfaces and other operational
parameters. Only a management IP address can be assigned in this context; no other IP can be given.
Another key feature of the system context is the ability to upgrade or downgrade the ASA software.
Admin context – The admin context gives the user system administrator rights and access to the
system and all other contexts. During conversion from single mode to multiple context mode, the
admin context is created automatically and its configuration file is created on the flash memory.
The admin context is not counted in the context license.
Normal context – This is the actual partitioned firewall. A normal context can be accessed via
console, Telnet, SSH and ASDM. If we log in to a normal (non-admin) context, we can only access the
configuration for that context.
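How the three context types fit together when an ASA is converted to multiple context mode. This is an added example, not part of the original document; the interface names, context names, file paths and addresses are constructed.

```cisco
! Added example (not from the original document): system, admin and normal
! contexts in multiple context mode. Interface and context names, file
! paths and addresses are constructed.
!
! --- System execution space (system context) ---
mode multiple
!
! Physical interfaces and VLAN subinterfaces are defined here; data-plane
! addressing is not, it belongs to the contexts. Interfaces shared by
! several contexts need a distinct MAC per context.
mac-address auto
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
interface GigabitEthernet0/1.20
 vlan 20
!
! The admin context is created first and is the one used for management.
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 config-url disk0:/admin.cfg
!
! Two normal contexts: separately administered virtual firewalls that
! share the outside interface but each get their own inside VLAN.
context CUSTOMER_A
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.10
 config-url disk0:/customer_a.cfg
context CUSTOMER_B
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.20
 config-url disk0:/customer_b.cfg
!
! --- Inside context CUSTOMER_A (reached with: changeto context CUSTOMER_A) ---
! nameif, security-level and IP addressing are configured per context, and
! an admin logged in here sees nothing of CUSTOMER_B.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
interface GigabitEthernet0/1.10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
```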
Ques 29. What are the hardware and software requirements for 2 ASAs in HA?
Hardware requirements for 2 ASAs in HA (cluster) –
Both units in a failover configuration must have:
Same model
Same number and types of interfaces
Same modules installed
Same RAM installed
Ques 30. Which command will forcefully activate the secondary firewall to become the active
firewall?
When the primary firewall is issued the command “no failover active”, it forcefully activates the
secondary firewall to become active.
The “failover active” command will trigger fail-back to the original active firewall.
Antispoofing is a technique for identifying and dropping packets that have a false source address.
Spoofed packets can be detected by setting up rules on a firewall, router or network gateway, or
even at the ISP end.
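Two complementary anti-spoofing controls on an ASA outside interface: unicast reverse-path checking plus explicit deny rules for source addresses that can never legitimately arrive from the Internet. This is an added example, not part of the original document; the internal prefix 10.0.0.0/8, the ACL name and the server address are constructed.

```cisco
! Added example (not from the original document): anti-spoofing on the
! outside interface. The internal prefix 10.0.0.0/8, the ACL name and the
! published server 192.0.2.10 are constructed.
!
! Unicast RPF: drop any packet whose source address the routing table would
! not reach via the interface it arrived on (an inside address on outside).
ip verify reverse-path interface outside
!
! Explicit rules as a second layer, with logging so the drops are visible
! to monitoring. Denies go before the permit because ACLs are first-match.
access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any log
access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any log
access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any log
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```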
A Distributed Denial of Service (DDoS) attack is an attack from more than one source or from more
than one location. Most of the time, the hosts taking part in a DDoS are not aware that they are part
of a DoS attack against a site and have been duped into joining the attack by a third party. In a
DDoS, the attack generation is distributed across multiple computers.
Active-Active failover is the scenario in a Cisco ASA configuration where both ASAs pass network
traffic, with the traffic split into groups. This type of flow is only possible in multiple context
mode. The two ASA units are divided into failover groups: the 1st unit is active for one failover
group while the 2nd unit performs the active role for the second failover group. The other unit takes
over in the event of the active unit going down. Active-Active setups are generally done to allow
more traffic to pass through the firewalls than a single unit can handle.
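An Active-Active failover configuration built from two failover groups, showing how each context is tied to a group and how a group is switched over by hand (the Active-Active counterpart of the commands in Ques 30). This is an added example, not part of the original document; it assumes multiple context mode with two existing contexts CTX_A and CTX_B, and the FOLINK interface and addresses are constructed.

```cisco
! Added example (not from the original document): Active/Active failover
! built from two failover groups. Requires multiple context mode; the
! contexts CTX_A and CTX_B, the FOLINK interface and addresses are
! constructed. Entered on the primary unit in the system execution space.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK
failover interface ip FOLINK 172.16.0.1 255.255.255.252 standby 172.16.0.2
!
! Group 1 prefers the primary unit and group 2 the secondary, so each unit
! is active for part of the traffic. "preempt" moves a group back to its
! preferred unit once that unit recovers.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
! Each context joins exactly one group; if a unit fails, its peer becomes
! active for both groups and carries all the traffic.
context CTX_A
 join-failover-group 1
context CTX_B
 join-failover-group 2
!
! Enable failover last; the secondary unit needs "failover lan unit
! secondary" and the same FOLINK settings before its own "failover".
failover
!
! Manual switchover is per group here, the counterpart of "no failover
! active" in Ques 30: on the unit currently active for group 1,
! "no failover active group 1" hands that group to the peer, and
! "failover active group 1" on the peer pulls it back.
```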
Extended ACLs - These ACLs are used as access rules to control (permit and deny) traffic flow
through the device. They are also used as matching criteria for many features, including –
Service Policies
AAA rules
WCCP
Botnet Traffic Filter
VPN group
DAP policies.
EtherType ACLs – This type of ACL applies to non-IP layer-2 traffic on bridge group member
interfaces only. These rules can be used to control (permit or drop) traffic based on the EtherType
value in the layer-2 packet.
Webtype ACLs - Webtype ACLs are used to filter clientless SSL VPN traffic. These ACLs can deny
access based on URLs or destination addresses.
Standard ACLs - Standard ACLs identify traffic by destination address only. They are used by only a
few features, such as –
Route maps
VPN filters
Since extended access lists also work for VPN filters, standard ACLs are in practice limited to
route maps.
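One ACL of each of the four types above, each attached where the ASA actually consumes it. This is an added example, not part of the original document; the ACL names, addresses, group policy and URL are constructed.

```cisco
! Added example (not from the original document): one ACL of each type
! listed above. Names, addresses, the group policy and the URL are
! constructed.
!
! Extended ACL: an access rule applied to an interface (the same kind of
! list is reused as match criteria in service policies, VPN filters, etc.).
access-list DMZ_IN extended permit tcp 192.0.2.0 255.255.255.0 any eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! EtherType ACL: non-IP layer-2 traffic on a bridge-group member interface
! (transparent mode). Let spanning-tree BPDUs through, drop other non-IP.
access-list L2_NONIP ethertype permit bpdu
access-list L2_NONIP ethertype deny any
access-group L2_NONIP in interface inside
!
! Webtype ACL: URL filtering for clientless SSL VPN users, attached to the
! group policy their session inherits. Denied requests are logged.
access-list PORTAL_FILTER webtype permit url https://intranet.example.com/*
access-list PORTAL_FILTER webtype deny url any log
group-policy GP_PORTAL internal
group-policy GP_PORTAL attributes
 webvpn
  filter value PORTAL_FILTER
!
! Standard ACL: destination network only, used here to select routes in a
! route map.
access-list REDIST_NETS standard permit 10.20.0.0 255.255.0.0
route-map RM_REDIST permit 10
 match ip address REDIST_NETS
```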
Ques 44. Which commands are used to convert routed mode to transparent mode and vice
versa?
Routed mode to transparent mode –
ciscoasa(config)# firewall transparent
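The mode change together with the bridge-group configuration transparent mode needs (see the description of transparent mode at the top of this document), and the command for the reverse direction. This is an added example, not part of the original document; the interface names and addresses are constructed.

```cisco
! Added example (not from the original document): switching to transparent
! mode and the bridge group it requires. Interface names and addresses are
! constructed. Changing the mode clears the running configuration, so keep
! a saved copy before issuing either mode command.
firewall transparent
!
! A bridge group joins the layer-2 member interfaces; inside and outside
! sit in the same IP subnet, and forwarding is by destination MAC address.
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
! The management address lives on the bridge virtual interface, not on
! the member interfaces. Security levels still apply across the bridge.
interface BVI1
 ip address 10.1.1.254 255.255.255.0
!
! Back to routed mode (the "vice versa" of Ques 44); this clears the
! running configuration again.
! no firewall transparent
```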
Ques 45. Which features are not supported in multiple context mode?
Multiple context mode does not support the following features -
Dynamic Routing
Multicast routing
Threat Detection
Unified Communications
QoS
Remote access VPN
Ques 50. Which command is used to check the traffic on interfaces, i.e. the packet and byte
counters?
show interface <interface number>