1.What are Security levels in ASA ?
The Cisco ASA Firewall uses “security levels” to indicate how trusted an interface is compared to another interface. The higher the security level, the more trusted the interface is. Each interface on the ASA is a security zone so by using these security levels we have different trust levels for our security zones.
An interface with a high security level can access an interface with a low security level but the other way around is not possible unless we configure an access-list that permits this traffic.
Here are a couple of examples of security levels:
- Security level 0: This is the lowest security level there is on the ASA and by default it is assigned to the “outside” interface. Since there is no lower security level this means that traffic from the outside is unable to reach any of our interfaces unless we permit it within an access-list.
- Security level 100: This is the highest security level on our ASA and by default this is assigned to the “inside” interface. Normally we use this for our “LAN”. Since this is the highest security level, by default it can reach all the other interfaces.
- Security level 1 – 99: We can create any other security levels that we want, for example we can use security level 50 for our DMZ. This means that traffic is allowed from our inside network to the DMZ (security level 100 -> 50) and also from the DMZ to the outside (security level 50 -> 0). Traffic from the DMZ however can’t go to the inside (without an access-list) because traffic from security level 50 is not allowed to reach security level 100. You can create as many security levels as you want…
Note: By default, if two interfaces are both at the exact same security level, the traffic will not be allowed between them.
2. Explain failover in ASA.
Failover Types:
a.Regular Failover:-
-All active connections are dropped.Client will have to re-establish connection when the new firewall takes over.
b.Statefull Failover:-
-All active connections are being passed per connection state information to the standby.Below are the details which are being passed :-
- Layer 2 bridge table (Only in Transparent Mode)
- HTTP connection states (If HTTP inspection is enabled)
- ISKMP and IPSEC SA Table
- TCP connection states
- NAT translation table
- UDP Connection table
- ARP table
Failover Interfaces:
a.Failover Link/Interface
- All configs,Unit state,Hello messages,Network link status,Mac address exchange are shared via this interface.
b.State Link/Interface
- All connection states are shared via state interfaces.
- For Cisco ASA 5510 stateful link speed can be 100 Mbps even though data interface can operate at 1 Gigabit due to CPU speed limitation.
- For Cisco ASA 5520/5540/5550 speed should matach the fastest data link
- For Cisco ASA 5580/5585-X it uses only non-management 1 Gigabit ports for the stateful link
Failover Requirements:
- Two units must be of same model,have same number and types of interfaces.
- Two units should have same service module and RAM installed.
- Two units must be of same operating modes (routed or transparent mode ,single or mutiple context mode).
- Two units must have same major and minor software version.
- Two units must have same AnyConnect images.
Failover Modes:
a.Active/Standby Mode
This issupported in Single Context Mode only.
Failover Condition in Active/Standby Mode:
i.Health Monitoring
- If ASA does not receive response on the failover interface for three consecutive Hello messages which is sent on each interface to validate the peer interface response than the ASA fails over.
- The failover link is marked as failed even if one of the monitored interface does not receive response while other does.
ii.Interface Monitoring in Active/Standby Mode:
- ASA can monitor upto 250 interfaces divided between all contexts.
- It performs Link up/down tests
- Network activity tests
- Arp test
- Broadcast ping test
Steps | Primary Unit | Secondary unit |
Step 1 | failover lan unit primary | failover lan unit secondary |
Step 2 | failover lan interface if_name interface_id | failover lan interface |
Step 3 | failover interface ip if_name [ ip_address mask standby ip_address | ipv6_address / prefix standby ipv6_address ] | failover interface ip if_name [ ip_address mask standby ip_address | ipv6_address / prefix standby ipv6_address ] |
Step 4 | interface interface_id | interface interface_id |
no shutdown | no shutdown | |
Step 5 | failover link if_name interface_id | Skip these Steps |
Step 6 | failover interface ip if_name [ ip_address mask standby ip_address | ipv6_address / prefix standby ipv6_address ] | |
Step 7 | interface interface_id | |
no shutdown | ||
Step 8 | failover | failover |
Step 9 | copy running-config startup-config | copy running-config startup-config |
b.Active/Active Mode
- Only available to ASA in multiple context mode
- It divides the security contexts on the ASA into failover groups
- Admin context is always a member of failover group 1
- Any unassigned contexts are also member of failover group 1 by default
- Active/Active failover generates virtual MAC address for the interface in ech failover group
- Failover gets triggered in case unit has a hardware failure,power failure or software failure.
Steps | Primary Unit | Secondary unit |
Step 1 | failover lan unit primary | failover lan unit secondary |
Step 2 | failover lan interface if_name phy_if | failover lan interface if_name phy_if |
Step 3 | failover interface ip if_name [ ip_address mask standby ip_address | ipv6_address / prefix standby ipv6_address ] | failover interface ip if_name [ ip_address mask standby ip_address | ipv6_address / prefix standby ipv6_address ] |
Step 4 | failover link if_name phy_if | |
Step 5 | failover interface ip if_name [ ip_address mask standby ip_address | ipv6_address / prefix standby ipv6_address ] | |
Step 6 | interface phy_if | interface phy_if |
no shutdown | no shutdown | |
Step 7 | failover group { 1 | 2 } | no failover active group group_id |
primary | secondary | ||
Step 8 | context name | |
join-failover-group {1 | 2} | ||
Step 9 | failover | failover |
Step 10 | copy running-config startup-config | copy running-config startup-config |
3.What is difference between Routed and Transparent Firewall ?
Routed:
- Default firewall mode in ASA and works at Layer 3
- Supports everything like routing protocols,vpn’s etc
- ASA is considered to be a router hop in the network.It acts as a default gateway for hosts that connects to one of its screened subnets.
- Only IP traffic is allowed.Non-IP Traffic such as AppleTalk,IPX,BPDUs are not allowed.
Transparent:
- It is a layer 2 firewall that acts “bump in the wire” or a “stealth firewall”
- Layer 2 connectivity is achieved by “Bridge Group” where the inside and outside interfaces are grouped together
- Each bridge group consists of bridge virtual interface BVI to which ip address is assigned
- Bridge groups cannot communicate with each other
- All bridge groups can share same syslog or AAA Server
- IP traffic from higher to lower security is allowed
- Arps are allowed both ways
- Broadcast and multicast traffic are not allowed and need to be allowed by access rules
- BPDUs are not allowed by default
- For traffic forwarding mac address lookup is done instead of route lookup
- Dynamic routing protocols and VPNs are not supported
- Supports 250 bridge groups with 4 interfaces/group
Few commands in transparent mode:
firewall transparent — Making firewall as transparent
int bvi 1 –Creation of Bridge group interface and assigning IP
bridge-group 1 — Adding interface to Bridge Group
Show firewall —To check whether firewall is in routed or transparent mode
4.Order of NAT in ASA ?
- NAT Exmept
- Static NAT or PAT
- Policy Dynamic NAT
- Regular Dynamic NAT
5.What are the different licences used in an ASA ?
Base license,security ,security +
6.ASA packet flow
7.Explain Pre and Post NAT after 8.3
working of nat
8.How does site to site VPN works
9.How wwould you troubleshoot site to site VPN
10.Explain difference between Main mode and aggressive mode.
11.Are packets of aggressive mode encrypted or in clear text compared to main mode?
Clear text.
12.What is re-transmission limit reached in L2L VPN.
13.Explain TCP/IP and TCP/IP flags.
14.What is Data offset and padding.
15.How to permit traffic from lower to higher security level without using an ACL.
16. NAT exempt vs NAT-0
17.What is NAT-Traversal.
18.IPSec sa is showing incrementing errors and one – way encaps/decaps. How would you troubleshoot this?