
ASA Firewall

00:00:01 - ASA firewall, the Adaptive Security
00:00:04 - Appliance from Cisco Systems.
00:00:06 - In this video, you and I are going to take a look at the
00:00:09 - thought process of how an ASA acts by default, what the
00:00:13 - default behaviors are, what flows are allowed.
00:00:16 - And once we understand the logic of how it thinks, you
00:00:18 - and I are going to take an ASA with a brand new wiped config
00:00:23 - and configure it from zero to functioning firewall,
00:00:26 - including network address translation and policy
00:00:28 - modification in this Nugget.
00:00:30 - We'll get live on the internet.
00:00:31 - Let's jump in.
00:00:33 - We should probably begin our journey in the world of the
00:00:35 - adaptive security appliance by pointing out that that's what
00:00:38 - ASA stands for.
00:00:40 - The ASA is the Adaptive Security Appliance, a
00:00:42 - purpose-built firewall from Cisco.
00:00:45 - And it does lots of really amazing things, which we'll
00:00:48 - talk about.
00:00:48 - But the most primary functional thing it does is
00:00:52 - something called stateful filtering.
00:00:56 - And you're like, Keith, you mean stateful filtering, just
00:00:58 - like a zone-based firewall?
00:00:59 - That's what I'm talking about.
00:01:00 - It does stateful filtering.
00:01:02 - So as an example, and a quick review, if Bob was right here
00:01:06 - and Bob wanted to go out to the internet, Bob would send
00:01:09 - traffic out to the internet.
00:01:11 - The firewall would do stateful remembering, stateful
00:01:13 - filtering, put that information
00:01:15 - in a session table.
00:01:16 - Why?
00:01:17 - So that when the server replied, the ASA could say,
00:01:20 - oh, this matches correctly.
00:01:22 - What Bob sent out is the correct return traffic.
00:01:25 - I will go ahead and dynamically allow that to come
00:01:27 - back to Bob.
00:01:28 - That's it in a nutshell, the primary function of the ASA is
00:01:32 - stateful inspection.
00:01:33 - So how does it do it?
00:01:34 - How does it decide whether or not traffic should be allowed
00:01:38 - in the first place?
00:01:40 - So for this ASA right here, let's give it a name.
00:01:42 - Let's call it ASA-1, make it personal.
00:01:45 - And ASA-1, when he gets Bob's packet that needs to be
00:01:48 - forwarded out to, let's consider what's required
00:01:53 - to make that happen.
00:01:54 - The first thing that's overlooked a lot is something
00:01:58 - called routing.
00:02:00 - If this ASA gets a packet and the packet is destined to
00:02:04 -, and the ASA looks at its routing table and says, I
00:02:07 - have no clue how to forward towards
00:02:10 - I've got no default route.
00:02:11 - I don't have that static route.
00:02:13 - I haven't learned it dynamically.
00:02:14 - The packet is going to be dropped.
00:02:16 - So routing is critical to be in place.
00:02:18 - So let's assume that routing is in place, that we got an IP
00:02:21 - address from our DHCP server on the internet from the
00:02:24 - service provider.
00:02:25 - We have a default route to that service provider.
00:02:28 - How do we decide whether or not Bob's packet is allowed?
00:02:32 - And the secret to understanding this, I kid you
00:02:34 - not, is water.
00:02:36 - I want you to write out with me water.
00:02:38 - And we're going to do a little graphical representation here.
00:02:41 - I want you to imagine that there's a river.
00:02:44 - And this river is going in this direction.
00:02:48 - So we have a river, it's going in this direction, and it
00:02:51 - happens to be at 100 feet elevation.
00:02:57 - So imagine visually, there's water at 100 feet going in
00:03:00 - this river, slightly downhill, and then there's a cliff.
00:03:04 - And I will label that so there's no mistaking that
00:03:06 - there's a cliff right here.
00:03:09 - And the cliff actually goes down until it hits some more
00:03:12 - ground at zero feet.
00:03:15 - And then the river continues.
00:03:17 - Now, my question is, what happens to water as it's going
00:03:20 - down the river and hits this cliff?
00:03:23 - Does it go down or doesn't it?
00:03:26 - I want you to think about that with me.
00:03:27 - Does the water go down the cliff from 100 feet down to 0
00:03:31 - feet, yes or no?
00:03:32 - And the answer is, without some extraterrestrial,
00:03:36 - non-gravity, external force scenario, water's going to go
00:03:40 - from higher to lower.
00:03:42 - And that, my friends, is how the ASA decides whether or not
00:03:46 - it is going to forward traffic, assuming there's
00:03:48 - routing in place.
00:03:50 - Every interface-- and let's take a look at them right now.
00:03:52 - Every interface has associated with it a security level.
00:03:56 - The inside interface here, I've named it INSIDE.
00:03:58 - By the way, on the ASA, we use these really clever names to
00:04:02 - configure the interfaces.
00:04:03 - So when we're configuring details for this interface
00:04:07 - right here, I would refer to its name, which
00:04:09 - I gave it of INSIDE.
00:04:10 - I also gave this interface the name of DMZ, and I gave this
00:04:13 - interface the name of OUTSIDE.
00:04:15 - But besides a name, which every good interface is going
00:04:17 - to have on an ASA that's doing routing, we're also going to
00:04:21 - have this security level.
00:04:22 - So security level of 100 is on the inside.
00:04:25 - A security level of 50 is on the DMZ.
00:04:27 - And a security level of 0.
00:04:29 - So let's get back to Bob's packet.
00:04:31 - Bob's sending a packet.
00:04:32 - It goes to the ASA because that's his default gateway
00:04:35 - very likely in this topology.
00:04:37 - And the ASA says, oh, I've got a default route.
00:04:39 - I know how to get to, not a problem.
00:04:42 - It needs to go out the outside interface
00:04:44 - to the service provider.
00:04:45 - And that's the magic where it gets to compare, am I going to
00:04:49 - forward this initial traffic?
00:04:50 - If the traffic is going from 100 and it's going out an
00:04:54 - interface based on the routing table that has a security
00:04:56 - level of 0, the answer is yes.
00:04:59 - I am willing.
00:05:00 - I am willing to forward the packet, and it will forward
00:05:02 - the packet.
00:05:03 - That's the secret of, does the initial packet, does initial
00:05:07 - flow go through the ASA if it's coming in on an interface
00:05:10 - that's higher security level-wise than the exit
00:05:14 - interface based on the routing table of the ASA, that traffic
00:05:17 - will be allowed.
00:05:18 - Higher to lower goes.
00:05:20 - So that's the secret of deciding whether the packet's
00:05:23 - going to flow.
00:05:23 - Let me do a couple scenarios with you.
00:05:25 - Let's say I have a user on the inside, and that user
00:05:28 - wants to ping 172--
00:05:30 - let's not use ping.
00:05:31 - Let's use web services.
00:05:33 - Let's say the user, Bob, wants to open up in a web browser to
00:05:37 - a DMZ server that's at 0.10.
00:05:40 - So he puts in his browser
00:05:44 - The packet goes to the ASA.
00:05:46 - The ASA does a route lookup that's directly connected to
00:05:48 - these two networks.
00:05:49 - And the ASA says, should I forward this initial
00:05:52 - frame, yes or no?
00:05:53 - The source is 100, the destination, based on the
00:05:57 - routing table of the ASA, is 50.
00:05:59 - So it's going from 100 to 50.
00:06:00 - Does the initial packet and subsequent flow of traffic,
00:06:04 - does it go?
00:06:05 - And the answer is just like water, higher to
00:06:08 - lower goes by default.
00:06:10 - Isn't that fantastic?
00:06:11 - Let's do one more.
00:06:12 - This is a great game.
00:06:13 - And it's an important game too, because these are the
00:06:15 - fundamentals that when you get into CCNP security and CCIE
00:06:20 - security, understanding that basic thought process of the
00:06:24 - ASA is going to be critical for the real world and for
00:06:27 - your certification.
00:06:28 - So let's do a couple more scenarios.
00:06:30 - So we have a user here.
00:06:32 - So we have a user sitting at a web server, for whatever
00:06:35 - reason, and he wants to open up a web
00:06:38 - browser out to
00:06:41 - So he opens up a browser, he forwards the
00:06:44 - packet, it hits the ASA.
00:06:45 - The ASA does a route lookup and says, oh, to get to
00:06:48 -, I don't have a more specific route.
00:06:51 - I'm going to use my default route, which
00:06:52 - is the service provider.
00:06:55 - It now knows the ingress interface, the DMZ.
00:06:58 - It knows the egress interface of the OUTSIDE.
00:07:01 - It compares the security levels and says, this is from
00:07:03 - 50 going to 0.
00:07:05 - Does it go, yes or no?
00:07:08 - And the answer is absolutely yes, higher to lower.
00:07:11 - It's just like water.
00:07:12 - So what have we identified so far?
00:07:13 - You're doing great, by the way.
00:07:15 - Fantastic progress.
00:07:17 - We've identified that these flows will go by default.
00:07:19 - I'll put them in green.
00:07:22 - That would work because it's going from 100 to 50.
00:07:25 - This would work because it's going from 50 to 0.
00:07:28 - And this would work because it's going from 100 to 0.
00:07:32 - Are you with me?
00:07:33 - Those are all the initial flows of traffic that the ASA
00:07:37 - by default, without any additional changes to the
00:07:39 - security policy, would allow to happen.
00:07:41 - Now, what about the reply traffic?
00:07:43 - Oh my gosh, what if these users all initiate these
00:07:46 - connections.
00:07:47 - How in the world is reply traffic going to get back?
00:07:49 - And the answer is stateful inspection.
00:07:52 - Stateful inspection is on by default for TCP and UDP.
00:07:56 - So a lot of the most common applications that ride on top
00:07:59 - of those layer 4 protocols, the sessions will be analyzed,
00:08:03 - inspected, statefully remembered, and return traffic
00:08:05 - is going to be allowed back in.
00:08:07 - Fantastic story, it's just like in zone-based firewalls.
00:08:10 - By default, the ASA is doing a fantastic job of saying no.
00:08:15 - 0 to 50 is a no.
00:08:16 - 0 to 100 is a no.
00:08:18 - And you know what else is a no?
00:08:20 - 50 to 100 is a no.
00:08:21 - So all those reds right there are all no's by default.
00:08:26 - So we have a very, very secure security posture right out of
00:08:29 - the gate with the adaptive security appliance because if
00:08:32 - these are the security levels we're using, the outside world
00:08:35 - can't get to us but we can get to the outside world.
00:08:38 - So the immediate next question normally comes up saying,
00:08:41 - well, Keith, you've got a couple of web servers here on
00:08:44 - the DMZ, or email servers, or other public servers.
00:08:47 - Don't you want, like Jim on the internet to be able to
00:08:50 - access your servers?
00:08:51 - And the answer is yes.
00:08:53 - So what we could do on an outside interface, as an
00:08:56 - example, is we could use an ACL.
00:08:58 - And ACLs will override the default security levels.
00:09:02 - Meaning if we say on the ACL, permit HTTP traffic TCP port
00:09:07 - 80 to these two web servers, then Jim on the internet, as
00:09:11 - he comes into this interface, if the ACL says permit it,
00:09:15 - even though it's trying to go from a 0 to a 50, the ACL
00:09:18 - because it says permit, the traffic would be allowed.
00:09:20 - So ACLs can be exceptions to the rule.
00:09:24 - That could also be a bad thing for Bob over here.
00:09:26 - If we have rules in place where we don't want Bob to be
00:09:30 - able to go out using certain protocols, we could go ahead
00:09:33 - and put an access control list inbound on the INSIDE
00:09:35 - interface and simply tell the ASA, you know what?
00:09:38 - We're not allowing any kind of telnet.
00:09:40 - So even though it would be traffic from higher going to
00:09:43 - some lower interface, because of the ACL that says no telnet
00:09:47 - or no other protocol that you want to deny, the ACL would
00:09:51 - triumph and win over the default security behavior.
00:09:56 - So what else can this little box do for us?
00:09:58 - I say little box.
00:09:59 - This is a 5505.
00:10:01 - It has some bigger brothers that are based on the ability
00:10:04 - to have more capacity.
00:10:06 - So not every size fits all.
00:10:07 - If we're in a larger environment, we'd probably buy
00:10:09 - a bigger model, bigger flavor of the ASA.
00:10:12 - But the basic functionality is the same in all of them.
00:10:15 - So on the 5505, we've got the front here.
00:10:18 - And this was built for a small office/home office.
00:10:21 - And it's got a built-in switch.
00:10:22 - Somebody said, I don't want to have to buy a physical switch
00:10:25 - and a router and a firewall.
00:10:27 - Can I just get all that functionality built into one?
00:10:29 - And Cisco said, absolutely, yes.
00:10:32 - So here's the features that are supported.
00:10:34 - We have stateful inspection for Bob's traffic as it goes
00:10:36 - out to the internet, so the return traffic
00:10:38 - can come back in.
00:10:39 - We have access lists that we can use on the interfaces for
00:10:43 - overriding that policy if we need to let--
00:10:45 - for example, Jim go to a server.
00:10:47 - We have application inspection.
00:10:50 - So if Bob agrees, if Bob says, yes, I won't use any
00:10:53 - peer-to-peer networking software ever, I promise.
00:10:56 - The ASA can analyze all the traffic going through it.
00:11:00 - If it sees peer-to-peer, it can drop it based on policy.
00:11:03 - See, people can hide peer-to-peer
00:11:05 - in different protocols.
00:11:06 - They can hide it under, maybe port 80 or other ports that
00:11:09 - maybe are trying to hide their HTTP, but they're really not.
00:11:13 - With protocol and application inspection, the ASA
00:11:16 - can figure that out.
00:11:17 - It can say, oh my goodness, this is
00:11:19 - not valid HTTP traffic.
00:11:20 - I'm going to go ahead and drop it.
00:11:22 - It also supports a little solution for this problem.
00:11:26 - This is a private IP address space.
00:11:28 - This is a private IP address space.
00:11:29 - The internet doesn't route private IP addresses.
00:11:33 - So we can't use these addresses on the internet, so
00:11:35 - it also supports NAT and PAT and all of its flavors.
00:11:40 - So if we had one IP address here from a DHCP server, we
00:11:43 - could do port address translation and translate,
00:11:46 - maybe not the DMZ devices but our internal
00:11:48 - users to that one address.
00:11:50 - And then we could NAT the servers to other
00:11:52 - globally-reachable addresses so that
00:11:54 - they could be accessed.
00:11:55 - Or, we could actually do port address translation just for
00:11:58 - port 80, and have port 80 redirected to one or both of
00:12:02 - these servers.
00:12:03 - There's also VPN support.
00:12:04 - So Jill, out on the internet, wants to get to the home
00:12:07 - office and she can build a virtual private network from
00:12:11 - her computer on the internet all the way to the ASA.
00:12:14 - Could it use SSL?
00:12:15 - Could it use IPsec?
00:12:16 - And the answer is yes, it supports both of those.
00:12:19 - Even the little 5505, you get two licenses for VPNs.
00:12:23 - And you can purchase additional licensing for
00:12:25 - additional users if you need to.
00:12:28 - What else does it do?
00:12:29 - It supports object groups.
00:12:33 - Very similar to what we have on the router as
00:12:35 - far as object groups.
00:12:36 - So if you wanted to have an access list that identified an
00:12:39 - object group and the object group could then reference 10
00:12:41 - or 20 different servers as far as IP addresses go, very
00:12:45 - capable of doing that right here on the ASA.
00:12:48 - It also has the ability to do something
00:12:49 - called botnet filtering.
00:12:52 - Now, what is a botnet?
00:12:54 - I am a robot.
00:12:54 - I am at your command.
00:12:56 - What if we had 10,000 machines that we had comp-- not we, but
00:13:00 - somebody had compromised, and any time that attacker wanted
00:13:04 - to use those 10,000 machines to launch an attack, it could.
00:13:07 - That would be an example of a botnet.
00:13:09 - There's botnet support.
00:13:11 - And it can even leverage external services.
00:13:14 - So you can actually subscribe and actually get information
00:13:17 - on botnets that are out there, and that way the ASA can
00:13:20 - self-defend your network and say, oh my
00:13:22 - goodness, there's a botnet.
00:13:23 - It's well defined.
00:13:24 - It's attacking across the internet.
00:13:26 - And we can learn that information from an external
00:13:29 - trusted source, like Cisco, and then the botnet filtering
00:13:33 - could protect against that specific type of traffic and
00:13:36 - those addresses that are involved in the botnet.
00:13:40 - A few other features are also supported. For example, if
00:13:43 - we wanted to administer this box and not have to keep all
00:13:45 - our user names and passwords on the ASA
00:13:47 - itself, we can use AAA.
00:13:49 - Very similar to how we did it with our routers, by setting
00:13:52 - up authentication, proving who people are, authorization--
00:13:56 - what are they allowed to do-- and accounting records being
00:13:58 - sent back to a AAA server.
00:13:59 - And finally, we also have high availability.
00:14:02 - High availability means buying two.
00:14:04 - That's what that means.
00:14:05 - Why buy one when you can buy two at twice the price?
00:14:08 - For companies that can't afford to be down, by having
00:14:11 - two adaptive security appliances side by side
00:14:14 - forwarding traffic.
00:14:15 - If one goes belly up, the other keeps going.
00:14:17 - That's an important feature for most commerce and
00:14:20 - real-time network applications because they
00:14:23 - can't tolerate failure.
00:14:24 - It's too expensive or too painful to have the network go
00:14:26 - down, so they buy two.
00:14:27 - They put them in a fault-tolerant or high
00:14:29 - availability failover situation so that they can
00:14:31 - support each other in the event of a failure.
00:14:34 - So let's say we have the ASA up and running, which we will
00:14:37 - here in a moment.
00:14:37 - Together, you and I will configure it from scratch.
00:14:39 - We'll do the whole thing together.
00:14:41 - And it's up for a couple weeks and the boss comes to us and
00:14:45 - says, hey guys, what we want to do is, can we do deep
00:14:48 - packet inspection on HTTP to really analyze whether or not
00:14:52 - valid HTTP commands are being forwarded or not?
00:14:55 - And we look at each other and say, yes, we can do it.
00:14:57 - As soon as the boss leaves, we talk to each other and we say,
00:15:00 - how would we do that?
00:15:01 - Now, the answer to that question, which we're going to
00:15:03 - discover right now, is knowing how the ASA implements its
00:15:07 - policies regarding inspection or policing of traffic or any
00:15:11 - type of data manipulation.
00:15:13 - It does this, I think you'll enjoy it.
00:15:15 - It uses something called a class map.
00:15:20 - Now, what does a class map do for a living?
00:15:22 - Well, Keith, it does the same thing it did for quality of
00:15:24 - service, which is to identify traffic.
00:15:27 - It does the same thing it did in the zone-based firewall in
00:15:29 - IOS, and that is to identify traffic.
00:15:32 - Guess what it's going to do here on the ASA?
00:15:34 - We use it to identify traffic based on IP addresses or layer
00:15:38 - 4 protocols or application layer services.
00:15:41 - So class maps identify the traffic that we want to
00:15:44 - manipulate.
00:15:45 - Then, as we want to manipulate that traffic, maybe we want to
00:15:47 - turn on inspection for our specific application.
00:15:51 - Or maybe we want to drop traffic.
00:15:53 - Or maybe we want to prioritize traffic.
00:15:55 - How do we specify the action?
00:15:57 - And the action is identified by using something called a
00:16:00 - policy map.
00:16:02 - And here's how they flow together.
00:16:03 - And it's not a coincidence, this is exactly how it
00:16:06 - functions with modular quality of service command line
00:16:09 - interface for QoS on routers.
00:16:11 - This is how it works with zone-based firewalls.
00:16:13 - The class map identifies the traffic.
00:16:15 - The policy map says, hey, if this class map's traffic is
00:16:18 - matched, I want to take an action.
00:16:20 - And that action could be policing the traffic,
00:16:23 - prioritizing the traffic, inspecting the traffic.
00:16:26 - And how do we apply the policy?
00:16:28 - The way we apply a policy is something
00:16:30 - called a service policy.
00:16:35 - And we can apply the service policy globally, which means
00:16:38 - traffic on all interfaces, or we can apply a policy to a
00:16:42 - specific interface in a specific direction, if we only
00:16:45 - want to have the policy based on traffic
00:16:47 - on that single interface.
00:16:48 - So class maps identify traffic.
00:16:50 - Policy maps specify the action to take, and service policy is
00:16:53 - how we apply it.
00:16:54 - We'll take a look at modifying the default policy here as we
00:16:57 - bring up the system.
00:16:58 - Having said that, let's bring up this device from scratch.
00:17:02 - I just wiped this guy out.
00:17:03 - This is in my home office.
00:17:05 - It's a 5505.
00:17:06 - I just erased the configuration, the whole
00:17:08 - thing, and I've got console access.
00:17:10 - So I've got a PC that has a console
00:17:14 - connection right there.
00:17:16 - And what we're going to do is this.
00:17:18 - Here's our game plan.
00:17:19 - These are ports.
00:17:20 - They call them ethernet.
00:17:21 - They're really fast ethernet, but they're labeled E0/--
00:17:24 - this is 0/0, 0/1, 2, 3, 4, 5, 6, and 7.
00:17:31 - These two here have power over ethernet.
00:17:33 - So if you had a webcam or access point, or something
00:17:36 - else that needs power over ethernet, you
00:17:37 - got those two ports.
00:17:38 - It's great.
00:17:39 - My PC has an ethernet cable connected right here.
00:17:43 - So our mission, should we choose to accept it, is to
00:17:46 - take this completely default configuration ASA and get it
00:17:51 - up and working.
00:17:52 - So the first things-- and this is true with a lot of devices.
00:17:55 - The very first thing we need to do is make sure we give it
00:17:57 - enough information, so that we can manage it with our
00:18:00 - management tools, such as SSH.
00:18:02 - Or, we could use ASDM.
00:18:04 - What is ASDM?
00:18:06 - Glad you asked.
00:18:06 - ASDM, the ASA Security Device Manager.
00:18:11 - So ASDM.
00:18:12 - It's the GUI.
00:18:14 - What the Cisco configuration professional is to a router,
00:18:18 - the ASDM is to the firewall.
00:18:20 - And it's a great tool.
00:18:21 - There's a lot of really cool things that we
00:18:23 - could do with it.
00:18:24 - However, I also encourage you, if you're going to practice
00:18:26 - with this, to also use the option to see the commands at
00:18:30 - the CLI before it pushes them out.
00:18:32 - That way you can see the commands from the CLI
00:18:34 - perspective as well as knowing how to navigate the graphical
00:18:37 - user interface.
00:18:38 - So to get ASDM from my PC working, and I'm connected to
00:18:42 - this port right here, we need to first of
00:18:44 - all enable this port.
00:18:46 - Now, these are all switch ports.
00:18:47 - And by default, all those ports are members of VLAN 1
00:18:51 - from a Layer 2 perspective.
00:18:53 - So we're going to need to take this port,
00:18:55 - and that's port 0/5.
00:18:57 - We're going to need to do a no shut on it.
00:19:00 - We would want to assign it to VLAN 1, which is a default.
00:19:03 - You don't have to do that, but I wanted to show it to you.
00:19:05 - And I will because I want you to be
00:19:06 - aware of what's happening.
00:19:08 - And then once we no shut that interface and make sure it's
00:19:10 - an access port in VLAN 1, we're then going to go to
00:19:13 - interface VLAN 1.
00:19:18 - Now, interface VLAN 1, this is just like an SVI on a switch.
00:19:23 - On a switch, a Layer 2 switch that's manageable, if you want
00:19:26 - to manage it, it has to have an IP address.
00:19:28 - So where do you get an IP address?
00:19:30 - You pop in a switched virtual interface, interface VLAN 1.
00:19:34 - Enter.
00:19:35 - You're now in interface configuration mode.
00:19:37 - And then you can give it an IP address.
00:19:38 - On the ASA, we're going to do three basic things.
00:19:42 - Besides just giving it an IP address, which
00:19:44 - is one of the things.
00:19:45 - So we'll give an IP address.
00:19:47 - We're also going to give it a name and we're going to call
00:19:50 - ours INSIDE, because on the ASA, all the interfaces like
00:19:54 - to have names.
00:19:55 - And we refer to those names for the interface.
00:19:57 - And then the last thing we're going to do is set up a
00:19:59 - security level.
00:20:04 - Now, these elements are just to bootstrap the device so
00:20:07 - that we can connect to it with either SSH or a graphical
00:20:11 - tool, like ASDM so we can manage it.
00:20:13 - If we do want to manage it, we also need to enable HTTP so
00:20:18 - the box will respond when we make our HTTP request.
00:20:21 - And on an ASA, even though it says HTTP when we configure
00:20:25 - it, it's really referring to HTTPS.
00:20:28 - It's not going to allow HTTP connections to the box, even
00:20:32 - though the command to enable HTTP is HTTP.
00:20:35 - So we'll enable it, and we're also going to set up an ACL
00:20:38 - that tells me the ASA, hey, listen.
00:20:40 - It's OK if anybody on the 10 network, at least initially,
00:20:44 - go ahead and connects to you.
00:20:46 - And then we can lock it down after that point.
00:20:48 - So that's the bootstrap process of the ASA.
00:20:51 - Let's just make sure we have our quick checklist, and then
00:20:53 - we'll do it together.
00:20:54 - Number one, we're going to take that port
00:20:55 - out of shutdown state.
00:20:57 - We're going to make sure it's in VLAN 1.
00:20:59 - We're going to go to the logical interface for VLAN 1.
00:21:01 - We're going to give it a name.
00:21:04 - We're going to give it an IP.
00:21:05 - We're going to give it a security level.
00:21:07 - And we're going to enable HTTP globally on the box so it will
00:21:11 - respond to our HTTPS request.
00:21:14 - And we're going to set the ACL that allows people to connect.
00:21:17 - So that's the bootstrapping we're going to do.
00:21:20 - Let's bring in the interface and we'll
00:21:22 - do it all from scratch.
00:21:24 - So let's bring in the ASA.
00:21:25 - It's been recently rebooted, less than three minutes old.
00:21:28 - It just finished on powering up.
00:21:30 - It asked me if I wanted to run the setup script.
00:21:32 - I said no.
00:21:32 - I pressed Enter a few times to clear the screen.
00:21:34 - Let's go ahead and do our basic bootstrap right here.
00:21:37 - The very first thing we're going to do is to go
00:21:38 - into privileged mode, just like on an IOS router,
00:21:41 - by typing in Enable.
00:21:42 - The tricky part is there's no password by default.
00:21:45 - But you do have to press Enter.
00:21:47 - So when it asks you your password, press Enter, and
00:21:49 - you're good to go.
00:21:50 - Next, we're going to go into configuration mode, very much
00:21:52 - like on an IOS router.
00:21:54 - And from configuration mode, we can then
00:21:56 - configure the device.
00:21:57 - Let's go into interface e0/5.
00:22:00 - Tell it that we want it to be assigned to VLAN 1, just like
00:22:03 - a normal switch port layer 2.
00:22:05 - And we'll also do a no shut.
00:22:06 - Now, that's a little bit different.
00:22:08 - On traditional 3560s and so forth, and switches, they are
00:22:12 - up by default-- the interfaces.
00:22:13 - On the ASA, the switch ports are shut down by default.
00:22:16 - So it's up.
00:22:17 - It's assigned to VLAN 1.
00:22:18 - And now, let's carve out the logical VLAN 1 interface.
00:22:23 - This is the interface that's going to get the name command,
00:22:26 - the security level, and also the IP address.
00:22:28 - So we're going to call it INSIDE.
00:22:30 - I'm going to use uppercase.
00:22:31 - It doesn't have to be.
00:22:32 - But you want to make sure you follow the same case
00:22:34 - sensitivity throughout the config because the interface
00:22:37 - name is going to be used to refer to that interface.
00:22:40 - So security level's 100, nameif INSIDE, and the IP address.
00:22:45 - So again, we're just bootstrapping this router with
00:22:47 - enough information so we can communicate with it.
00:22:50 - We also need to enable HTTPS, so we'll use the HTTP server
00:22:54 - enable command.
00:22:55 - And we're going to specify where HTTPS sessions are
00:22:58 - allowed to come in from.
00:23:00 - And that's going to be, I'm going to say, anywhere on the
00:23:01 - 10 network.
00:23:02 - Wild card masks are a thing of the past with ASA.
00:23:06 - There's no such thing as a wild card mask.
00:23:09 - So access lists or network statements or anything else,
00:23:12 - if you ever need to identify an IP subnet, you're going to
00:23:15 - use a normal mask.
00:23:17 - No wild card masks anywhere.
00:23:19 - So the HTTP is allowed from the 10.0.0 network if it's
00:23:23 - coming in from the INSIDE, and then we have a
00:23:26 - show command for IP--
00:23:27 - show interface IP brief.
00:23:29 - And I wanted to point out here that we can use our show
00:23:32 - commands right from configuration mode.
00:23:34 - You don't have to put a do in there.
00:23:35 - You can just stay in configuration and do your show
00:23:38 - commands as much as you'd like.
00:23:39 - Also, they couldn't use this--
00:23:41 - they could have, but they didn't.
00:23:43 - They didn't use the same exact command set.
00:23:45 - So on a Cisco router to show IP interface brief, on an ASA
00:23:48 - you can do show interface IP brief.
00:23:51 - We can also do a show IP and it's going to show us some
00:23:54 - details regarding the address.
00:23:56 - So here it's showing us the VLAN 1 interface.
00:23:58 - The name is INSIDE.
00:23:59 - Its IP address is this.
00:24:00 - The mask is that.
00:24:02 - And we can also see that we have these other interfaces
00:24:04 - that are all switch ports.
00:24:06 - This is the one port that's up, and it's currently
00:24:08 - assigned to VLAN 1, which they're all assigned to VLAN 1
00:24:11 - by default.
00:24:12 - So now it's strapped.
00:24:13 - What do we do next?
00:24:15 - Well, the next thing is to get ourselves an IP address on
00:24:18 - that 10 network.
00:24:19 - So I'm going to move this out of way.
00:24:21 - And let's say that this PC here, one of
00:24:25 - those PCs, is ours.
00:24:26 - And let's give ourselves the address of
00:24:31 - I'm going to have to manually configure that because right
00:24:34 - now I'm on a different network.
00:24:35 - So I'm going to physically take my PC.
00:24:38 - I'm going to plug it into this port right here, so
00:24:40 - it'll look like that.
00:24:41 - I'll be at, and then we can open up ASDM to go
00:24:46 - ahead and manage this through a graphical user interface.
00:24:50 - So let's take a look at my IP address, make
00:24:51 - sure I got that right.
00:24:53 - You can be the eyes over my shoulder
00:24:54 - here as we do it together.
00:24:56 - If we go to Properties of that interface and
00:24:58 - TCP/IP, there's
00:25:01 - My default gateway was
00:25:03 - And I'm using DNS of
00:25:06 - So right now, the ASA doesn't have access out to the
00:25:08 - internet yet because we don't have the OUTSIDE interface
00:25:11 - configured.
00:25:12 - And certainly, the DMZ isn't up yet either.
00:25:14 - So from our PC perspective though, I'll click OK.
00:25:16 - Click OK.
00:25:17 - Close that.
00:25:18 - And let's just verify that we can ping the device before we
00:25:21 - try to open an HTTPS session.
00:25:23 - So bring up command and ping it from here.
00:25:30 - And OK, that looks promising.
00:25:32 - That means at least we're on the same broadcast domain and
00:25:34 - our IP addresses are responding to each other.
00:25:37 - So let's open up the ASDM.
00:25:38 - Now, how would we do this in a brand new environment?
00:25:40 - We would launch a browser, HTTPS to the IP address of the
00:25:45 - ASA at and it would prompt us to download the
00:25:50 - adaptive security device manager ASDM.
00:25:53 - We could actually run it right there through Java, or we
00:25:56 - could download the app, install it locally, and run it
00:25:59 - from our computer.
00:25:59 - Either way, we're conversing and communicating with the
00:26:02 - actual ASA.
00:26:03 - I've already installed the software ASDM, so I don't need
00:26:06 - to go through the install process again.
00:26:08 - It's asking me, who do I want to connect to?
00:26:09 - Now, this is challenging.
00:26:11 - We just configured this ASA together.
00:26:12 - We didn't configure any user name.
00:26:15 - We didn't configure any passwords.
00:26:16 - So how do we log in with ASDM?
00:26:18 - The answer is you simply click on OK.
00:26:21 - That's definitely something we'd want to fix by setting up
00:26:23 - authentication for people trying to access via HTTPS.
00:26:27 - But for now, we can say, yeah, sure.
00:26:29 - I'll accept the certificate.
00:26:30 - It's not signed by a CA server that my browser trusts, and
00:26:34 - that would be expected because it's a self-signed certificate
00:26:37 - that the ASA just generated for the SSL session.
00:26:40 - So we'll click on Yes.
00:26:41 - It's going to open up ASDM.
00:26:43 - I'll size it, and then we can take a look at it together.
00:26:46 - There's the dashboard of everything
00:26:48 - that's going on here.
00:26:49 - We have the host name, which is Cisco ASA by default.
00:26:53 - The version of software it's running.
00:26:55 - So how do we configure this?
00:26:56 - Really simple.
00:26:57 - There's a Configuration tab.
00:26:58 - And if we want to start with interfaces that would be a
00:27:00 - good thing to do.
00:27:02 - And it's saying, OK, you've got one interface named INSIDE
00:27:04 - and all the switchports are currently assigned
00:27:07 - to that same VLAN.
00:27:08 - So let's create a second interface.
00:27:11 - If we take a look at our topology here, we've got the
00:27:13 - OUTSIDE interface that we need.
00:27:14 - And it's going to be security level 0 and it's going to have
00:27:17 - a DHCP-assigned IP address.
00:27:19 - Now, what VLAN should we use for this?
00:27:21 - Now by default, all these ports are currently in VLAN 1.
00:27:25 - So it doesn't really matter what VLAN we use, as long as
00:27:28 - we use a different VLAN for the connection
00:27:30 - going to the outside.
00:27:31 - So what we could do is we could take this port here,
00:27:33 - which is physically connected to the outside world going to
00:27:36 - a cable modem in my home office here, and we can make
00:27:39 - that port a member of VLAN 2.
00:27:41 - We create a VLAN 2 interface.
00:27:44 - We name it OUTSIDE.
00:27:46 - We give it a security level of 0, and we tell it we want it
00:27:48 - to have a DHCP-assigned IP address.
00:27:51 - So let's do that right now.
00:27:52 - We'll bring our GUI interface back in, ASDM.
00:27:55 - There it is in all its wonder.
00:27:56 - We'll click on Add.
00:27:58 - And let me get this so it's readable by everybody.
00:28:02 - And let's go ahead and click on that we want the interface
00:28:05 - named OUTSIDE.
00:28:07 - We want the security level to be 0.
00:28:09 - Now, the 0 is just subjective.
00:28:12 - If we had two interfaces, the INSIDE had 100 and the OUTSIDE
00:28:15 - at 99, with just two interfaces, the security
00:28:19 - policy would be the same.
00:28:20 - Traffic would flow from higher to lower.
00:28:23 - Return traffic would make it-- if it was inspected on the way
00:28:26 - out, the reply traffic would be allowed.
00:28:27 - Initial traffic coming from the outside, if it started at
00:28:30 - 99, wouldn't make it to interface of 100.
00:28:34 - We often use 0 for the OUTSIDE and 100 for the INSIDE, but
00:28:37 - they're just numbers for a comparison purpose for the
00:28:39 - initial policy.
00:28:41 - So we say it's 0.
00:28:42 - It's outside.
00:28:43 - The IP address is going to be via DHCP.
00:28:46 - And we want to add this interface 0/0, which currently
00:28:49 - is associated with VLAN 1 on the INSIDE.
00:28:51 - And if we go to Advanced, we can actually
00:28:54 - choose our VLAN number.
00:28:56 - So we're going to use VLAN 2, just because we can.
00:28:58 - And in the background, it's assigning that port as an
00:29:01 - access port for VLAN 2.
00:29:03 - It will also create a new logical VLAN 2 interface and
00:29:06 - name it OUTSIDE and try to get an IP address via DHCP.
00:29:10 - So if that looks OK, which it does.
00:29:11 - I'll click on Okey-doke and apply it.
00:29:16 - So there's the actual syntax that it's going to push out.
00:29:19 - It's going to Interface Configuration Mode and it's
00:29:20 - saying, OK, switch port access VLAN 2.
00:29:23 - You're in access port VLAN 2.
00:29:24 - For the logical interface VLAN 2, it's going to bring it out
00:29:27 - of shut down.
00:29:28 - It's going to go ahead and give it a security level of 0,
00:29:30 - name it OUTSIDE, and do an IP address via DHCP.
00:29:34 - And we'll set our default route based on what we
00:29:37 - learned from DHCP.
00:29:38 - Check this out, though.
00:29:39 - You know what's missing here?
00:29:41 - I'm looking at this syntax.
00:29:43 - That interface is currently shut down.
00:29:46 - Ethernet 0/0 is currently shut down.
00:29:48 - And as a result, just assigning it to access VLAN 2
00:29:51 - is not going to cut it.
00:29:52 - But we can fix that.
00:29:54 - Let's apply this.
00:29:55 - We'll send it out.
00:29:58 - And it's pushing the
00:29:59 - configuration. That's fantastic.
00:30:01 - And it says it's enabled.
00:30:04 - Let's go to switchports 0/0.
00:30:07 - It says No here.
00:30:10 - So the logical interface is enabled, the OUTSIDE
00:30:13 - interface, the interface VLAN 2.
00:30:16 - However, the physical switchport is not enabled.
00:30:18 - It says so right there.
00:30:19 - So let's edit that, and let's go ahead and say Enable
00:30:22 - SwitchPort and apply it.
00:30:25 - And we're good to go.
00:30:28 - So no shut down.
00:30:29 - That's going to be really important for that to work.
00:30:32 - OK, so now having done that, what should happen is, if my
00:30:35 - connection is in place, which I believe it is, going out to
00:30:38 - the internet on this port right here, the pieces in
00:30:41 - place are that port is an access port on VLAN 2.
00:30:44 - We have a logical VLAN 2 interface that wants to be a
00:30:47 - DHCP client, and that goes out to the internet via cable
00:30:50 - modem who should be supplying an IP address via DHCP.
00:30:53 - That's the theory, anyway.
00:30:55 - Let's see if that all works out.
00:30:56 - So we'll bring back this guy right here.
00:30:59 - And let's refresh this with the big Refresh button.
00:31:03 - Oh, look at that.
00:31:05 - Perfect.
00:31:06 - So under Configuration Interfaces, this is showing me
00:31:09 - the DHCP-assigned IP address--
00:31:11 - temporarily, I might add.
00:31:14 - So please don't attack this IP address in the near future
00:31:18 - because it won't be mine after this demonstration is done.
00:31:21 - So that's the IP address on the OUTSIDE interface.
00:31:23 - Now, can my customers get out to the internet?
00:31:25 - Let's take a look at this together.
00:31:26 - This is real world here.
00:31:28 - I've got my PC literally right here.
00:31:31 - I'm on the 10 network.
00:31:32 - My IP address is 0.2.
00:31:34 - My default gateway is 0.1.
00:31:36 - It's the ASA.
00:31:37 - And the IP address has been assigned
00:31:40 - on the OUTSIDE interface.
00:31:41 - Can I get out to the internet, yes or no?
00:31:43 - We could try it.
00:31:45 - But the answer is it's not going to be too happy yet.
00:31:48 - Because there's no network address translation involved.
00:31:51 - NAT has to be put in place because my ASA has a valid IP
00:31:55 - address on the internet, but my PC doesn't.
00:31:58 - So I need to do network address translation to-- and
00:32:01 - we could do PAT on this interface so that my client
00:32:04 - could go out to the internet.
00:32:05 - So how do you configure the basics?
00:32:07 - And again, in CCNA my friend, we're talking about just some
00:32:11 - basic foundation components here.
00:32:14 - Basic IP addressing, getting the ASA bootstrapped and
00:32:19 - getting a NAT configured so that we can have a client go
00:32:22 - out to the internet.
00:32:23 - So to configure the ASA for network address translation,
00:32:27 - where would we do that?
00:32:29 - Well, under Interfaces there are no options here.
00:32:31 - But if we go down to-- under configuration, if we go down
00:32:34 - to Firewall, most of the policies that we can implement
00:32:38 - on the ASA are done right here.
00:32:41 - So Access Rules.
00:32:42 - I'm going to go ahead and say take off the IPv6 just to
00:32:45 - clean it up a little bit.
00:32:46 - The access rules apply to access control lists.
00:32:49 - The NAT rules apply to NAT, and that's what we need to do.
00:32:52 - So let's go ahead and set up a NAT rule that takes all
00:32:56 - the clients on the INSIDE and allows them to be translated to
00:32:59 - the global address that the ASA has on the outside.
00:33:02 - So to do that, it's really simple to set up a NAT rule.
00:33:05 - You simply click on Add.
00:33:07 - You specify the details for your NAT.
00:33:08 - You say, well if any traffic is coming in on the INSIDE
00:33:12 - interface, regardless of its source address, we could also
00:33:15 - limit it to one subnet that we want to do translation for.
00:33:18 - And the destination interface is the OUTSIDE.
00:33:20 - Regardless of destination IP address we're going to, we
00:33:24 - want to go ahead and do dynamic translation.
00:33:26 - We're going to do PAT where we're going to
00:33:27 - overload on the interface.
00:33:29 - And we're going to specify the new source address should be
00:33:32 - whatever the IP address is on the OUTSIDE interface.
00:33:35 - That's it.
00:33:36 - That's NAT in a nutshell.
00:33:38 - So we'll click on OK.
00:33:40 - And then we'll click on-- actually, let's look at it
00:33:41 - first, then we'll click on Apply.
00:33:43 - So this is saying traffic from the inside going to the
00:33:46 - outside from any IP address going to any IP address,
00:33:49 - regardless of service, we want the translated packet to have
00:33:52 - the OUTSIDE IP address.
00:33:54 - And the destination we're not changing that.
00:33:56 - If you're going to Google, you're still going to Google.
00:33:59 - And we're set, so apply it.
00:34:01 - And it's showing us the syntax that we could use at the
00:34:03 - command line to implement this network address translation.
00:34:06 - We'll send that off on its way, and now
00:34:08 - our NAT is in place.
00:34:10 - So the question now is, should we be able to go out to the
00:34:14 - internet as a client?
00:34:15 - Let's go back and take a peek.
00:34:17 - So here's our PC.
00:34:18 - We haven't changed.
00:34:19 - We're at
00:34:22 - Our default gateway is
00:34:24 - We have DNS of and we have NAT going on.
00:34:29 - So any traffic sourced from the inside going to the outside
00:34:32 - should be NATed and it should be allowed because we're going
00:34:35 - from higher to lower security levels.
00:34:37 - And because of the stateful inspection that happens by
00:34:39 - default, return traffic should be allowed back in.
00:34:42 - So I'm thinking we have a strong
00:34:43 - possibility of it working.
00:34:45 - So let's go ahead and test it.
00:34:47 - Let's bring up a command prompt.
00:34:49 - And here's a command prompt.
00:34:51 - And let's do an nslookup for
00:34:58 - Well, that's a very good sign.
00:35:01 - That means that UDP is working because we just got a response
00:35:04 - regarding the IP addresses we can use to reach
00:35:07 -
00:35:08 - And we could probably ping I guess as well to
00:35:13 - That's an IP address of a DNS server provided.
00:35:16 - Oh, and ping is not working.
00:35:17 - I wonder why that is.
00:35:19 - UDP works, but ICMP doesn't work.
00:35:22 - What could that be?
00:35:22 - Well, let's go ahead and look at the policy to understand
00:35:26 - why that's not working and how to change the policy
00:35:29 - if we wanted to.
00:35:31 - So to take a look at why that might not be working, let's
00:35:33 - take a look at our access rules.
00:35:35 - And by default, we have the implicit rules where traffic
00:35:38 - from higher security interfaces is allowed to be
00:35:41 - initiated to lower security interfaces.
00:35:43 - And we know that UDP works, so that isn't the issue here.
00:35:45 - And there's no manual access list configured by default.
00:35:49 - So let's go ahead and take a look at service policy rules.
00:35:51 - Service policy is all about the class maps and policy maps
00:35:55 - being applied by a service policy to the traffic.
00:35:58 - And here's our default global policy that's in place.
00:36:01 - And it's saying that it wants to go ahead and do inspection
00:36:04 - of these protocols.
00:36:06 - Take a look.
00:36:06 - We have DNS.
00:36:08 - And also what it doesn't mention here is we also have
00:36:10 - TCP and UDP generic inspection happening.
00:36:13 - But if you'll notice if we take a look at this list, it
00:36:15 - does not include any ICMP inspection.
00:36:19 - So ICMP, because it's not being inspected, that's the
00:36:22 - reason it's not being allowed.
00:36:23 - We could also use another tool to verify it.
00:36:25 - This is really an awesome tool as well.
00:36:27 - It's called Packet Tracer.
00:36:29 - And we could actually do the Packet Tracer from right here.
00:36:31 - They have an icon for it.
00:36:32 - You can launch it from the menu.
00:36:33 - You can launch it from an icon.
00:36:35 - And we could say, well, let's see why a ping doesn't work.
00:36:38 - So with Packet Tracer, if we wanted to simulate what the
00:36:41 - firewall would do with a specific packet, we could say,
00:36:44 - we want to take traffic from the inside.
00:36:46 - If it's coming from IP address going to and
00:36:55 - it's an echo request.
00:36:56 - And we could go ahead and Start and it would run that
00:36:58 - cycle and say, you know what?
00:37:00 - This packet would make it or it wouldn't make it.
00:37:02 - Now, for marketing purposes perhaps, they actually show it
00:37:05 - to you in slow motion with every step along the way the
00:37:08 - process it's going through.
00:37:09 - But we could also de-select Show Animation and it would
00:37:12 - just show us the final result without the fanfare.
00:37:14 - So this implies that from route lookups, checking access
00:37:18 - lists, checking NAT all the way through, that this packet
00:37:20 - is allowed.
00:37:22 - So the ASA is saying, I've got no problem forwarding this
00:37:24 - ping request from the client out to
00:37:28 - Well, why didn't it work?
00:37:30 - The reason it didn't work is because by default, the ASA
00:37:33 - doesn't inspect ICMP.
00:37:36 - It inspects TCP generic, UDP generic.
00:37:39 - It inspects these applications that I have right here, but it
00:37:42 - doesn't inspect ICMP.
00:37:44 - If we wanted to change that behavior, or any of the other
00:37:47 - inspections that are on or off, or we want to manipulate
00:37:49 - it, here's how we do it.
00:37:51 - We'd go to Service Policy Rules.
00:37:53 - On the Default Policy, click on Edit.
00:37:56 - And here we have the rule actions.
00:37:59 - And this is specifying the applications that we're going
00:38:01 - to inspect.
00:38:02 - And check it out, ICMP is not inspected by default.
00:38:06 - That's why the ping didn't work.
00:38:08 - So if we did this side by side, we bring over the PC
00:38:12 - that didn't work.
00:38:13 - So we'll try our ping again.
00:38:14 - It's not flying.
00:38:15 - We go back here to the policy.
00:38:17 - We say, yep, I want to inspect ICMP as well.
00:38:20 - Click OK.
00:38:21 - Apply it.
00:38:22 - It's going to modify the policy map to say for class
00:38:26 - inspection default, we want to go ahead and inspect the ICMP.
00:38:29 - So that when the return traffic comes
00:38:31 - back, the echo replies.
00:38:33 - Because there's going to be a session entry for that
00:38:35 - session, the reply will be allowed.
00:38:38 - So we'll send that over.
00:38:39 - We'll go back to the command prompt.
00:38:41 - We'll try our ping again.
00:38:42 - And now the ping's working.
00:38:44 - Why is it working?
00:38:45 - It's because we're doing inspection.
00:38:47 - And one step further if we wanted to, if we wanted to go
00:38:49 - take a look at deeper packet inspection, for many of these
00:38:52 - applications we can actually configure specific application
00:38:56 - policy maps to get very deep into application layer
00:39:00 - protocols looking for specific protocol compliance or other
00:39:04 - details up in the application layer.
00:39:07 - That's why each of these have the additional Configure
00:39:09 - option next to them.
00:39:11 - So one more thing I wanted to discuss with you before we
00:39:13 - close on the ASA is the concept of access control list
00:39:17 - and how they override policy.
00:39:19 - Currently as we have it configured, our customer is
00:39:22 - allowed to go out to the internet with TCP and UDP and
00:39:25 - a whole bunch of other applications.
00:39:27 - And it can do ICMP.
00:39:29 - Why is that?
00:39:30 - Because the inspection rule said inspect ICMP so that
00:39:34 - reply traffic could come back.
00:39:36 - And that's still working.
00:39:37 - We could verify real quick that nothing's changed
00:39:39 - by doing the ping we did just a few moments ago to
00:39:44 - And it indeed, is working.
00:39:45 - Fantastic.
00:39:46 - If we wanted to override the policy of traffic being able
00:39:51 - to go out, we could implement an access list.
00:39:53 - And access lists are important to see at least once.
00:39:56 - So let's take a look at the ASA and how an access list
00:39:59 - could be applied.
00:40:00 - From a planning perspective, let's apply the access list to
00:40:04 - block ICMP traffic if it's destined to and if
00:40:12 - it's sourced from the 10.0.0 subnet.
00:40:15 - Now, here's a big difference.
00:40:17 - On the IOS routers, we use wild card masks to indicate we
00:40:21 - don't care about the last octet.
00:40:22 - We could use
00:40:25 - On the ASA, there's never, ever, ever, never, never, ever
00:40:29 - the use of a wild card mask.
00:40:31 - It's always just normal masks.
00:40:33 - So we can have standard ACLs, which filter only on the
00:40:36 - source IP address, both in the router and on the ASA.
00:40:39 - We can have extended access lists, which can filter on
00:40:42 - virtually anything at layer 3 or 4, source or destination.
00:40:45 - But the difference is when we apply an access list or create
00:40:48 - one, we don't use the wild card masks.
00:40:50 - So let's go ahead and create one.
00:40:52 - Let me clear off the screen.
00:40:53 - Let's bring in Cisco Configuration Professional.
00:40:56 - Here it is.
00:40:57 - And to get to the access lists, we go to Configuration,
00:41:00 - click on Firewall, and then go to Access Rules.
00:41:03 - That's just the fancy way of saying here's where the ACLs
00:41:06 - are if you want to configure them.
00:41:07 - So to create one, we'll simply click on Add.
00:41:10 - And we're going to have this applied on the INSIDE.
00:41:12 - You can apply it on the INSIDE or the OUTSIDE.
00:41:14 - Apply it on the INSIDE.
00:41:15 - We're going to say Deny, and we want to deny traffic if
00:41:18 - it's from anywhere on the INSIDE.
00:41:21 - So I'm going to go ahead and pick this.
00:41:23 - There's an object group already created
00:41:24 - for the INSIDE network.
00:41:26 - So I'm going to create that one by double clicking.
00:41:28 - It puts it down here.
00:41:29 - I'm going to click OK.
00:41:30 - So that's the 10.0.0/24.
00:41:33 - And I'm going to say if the destination
00:41:35 - is a specific host.
00:41:37 - So I'm actually going to type in right here
00:41:41 - That's the host we want to try to reach.
00:41:43 - And the service is ICMP.
00:41:45 - We just want to block ICMP.
00:41:47 - So we can pick that.
00:41:48 - Green is TCP and the blue is UDP.
00:41:52 - And then we have ICMP.
00:41:52 - I'm going to say echo.
00:41:54 - Great, no echo requests being sent out.
00:41:56 - So the echo request will never make it.
00:41:59 - And I can do a description if we wanted to.
00:42:02 - So I'm going to go ahead and click on OK.
00:42:04 - And now I've got this really cool access list entry.
00:42:07 - Now, what's the problem with this?
00:42:09 - It's on the INSIDE interface.
00:42:10 - It's inbound on that interface.
00:42:13 - And check it out, it's denying--
00:42:15 - anything else?
00:42:16 - If the answer is no, we just killed all of our traffic
00:42:20 - because an access list, just like in an IOS router, has a
00:42:23 - default implicit deny at the end.
00:42:26 - So we would do well to highlight this access list.
00:42:29 - So we're going to insert after.
00:42:31 - And we're going to say, I want to go ahead and add a permit
00:42:33 - for IP any, any for all the rest of the traffic.
00:42:36 - So now we have two rules in place in our
00:42:38 - INSIDE access list.
00:42:39 - We have a deny of the traffic from 10.0.0 if it's going to
00:42:44 - and it's an echo.
00:42:45 - And we're going to allow everything else.
00:42:48 - So Apply that and take a look at the syntax here.
00:42:50 - Look at this IP address.
00:42:52 - We have 10.0.0 for the network, and I want you to pay
00:42:55 - attention to that mask.
00:42:56 - It's just a normal mask,
00:43:00 - So anything weird, like wouldn't be a valid
00:43:05 - syntax on an ASA as part of an access list.
00:43:09 - So having said that, it's going to create the access
00:43:11 - list, two entries.
00:43:12 - It's going to apply it inbound on the INSIDE interface.
00:43:15 - We'll send it over, and let's go try our test one more time.
00:43:18 - So we'll bring back our command prompt.
00:43:20 - This ping worked a moment ago.
00:43:22 - Now it's not working, and that's good.
00:43:25 - That means we're applied correctly.
00:43:26 - But let's make sure that we can still get
00:43:27 - out with other protocols.
00:43:29 - So let's do--
00:43:30 - I think we have still on the-- there we go.
00:43:32 - We'll do our nslookup.
00:43:33 - That's still working.
00:43:33 - So UDP works.
00:43:35 - And if we wanted to open up a browser, let's go ahead and
00:43:38 - bring in Google.
00:43:40 - It's already open.
00:43:41 - I clicked on it to launch it and it went.
00:43:43 - So if we went to another site such as, it
00:43:49 - comes right up.
00:43:50 - We're good to go.
00:43:51 - So everything is working except for the
00:43:52 - pings out to
00:43:55 - The DNS works out there, which is UDP, but
00:43:58 - not the pings.
00:43:59 - If we wanted to troubleshoot that and we say, well, why
00:44:01 - isn't ping working?
00:44:02 - Let's say we didn't realize or understand why.
00:44:04 - We could go back to our good friend the Packet Tracer and
00:44:07 - say, why isn't the ping working from
00:44:09 - out to
00:44:13 - It's ICMP.
00:44:14 - It's an echo request.
00:44:16 - And let's say 1 there and 1 there.
00:44:18 - And then we'll say Start.
00:44:20 - And it's going to send it out and it's going to go--
00:44:21 - I should have clicked on don't show the animation.
00:44:24 - But it's going for the route lookup.
00:44:26 - It then goes to the access list.
00:44:28 - It stops.
00:44:28 - The little x there says it never made it.
00:44:31 - And it actually tells us, the flow is denied by
00:44:33 - a configured rule.
00:44:34 - The access list killed the packet.
00:44:37 - So there's the details of it right there, access list
00:44:39 - INSIDE and it denied ICMP coming from the 10.0.0 network
00:44:44 - going to
00:44:46 - So that's a great method of verifying.
00:44:48 - Another tool, while I have you, is we could go ahead and
00:44:51 - look at logging.
00:44:51 - This is also amazing.
00:44:53 - Under monitoring, if we go down to
00:44:56 - logging and enable it--
00:44:58 - we'll say, yeah, I want to enable logging.
00:45:00 - And we could launch this real-time logging viewer.
00:45:04 - So let me bring back our command prompt and let's go
00:45:06 - try the ping that failed there.
00:45:09 - This one.
00:45:10 - And it's going to show us exactly what happened.
00:45:12 - So here we have the entry.
00:45:13 - We have a deny.
00:45:14 - The details are all down here.
00:45:16 - So it says deny ICMP source INSIDE, destination OUTSIDE,
00:45:20 - ICMP type 8 by access group called INSIDE access in.
00:45:24 - So it's a great way to visually see.
00:45:26 - This is just syslog messages that we can see right here in
00:45:29 - the graphical user interface.
00:45:32 - So in this video, we've taken a look at the ASA, the
00:45:35 - Adaptive Security Appliance.
00:45:37 - How to bootstrap it so we can get basic connectivity to it,
00:45:40 - how we can use ASDM to manage it.
00:45:43 - And once it's in place, it's doing stateful inspection
00:45:46 - for traffic as well as NAT if we configure it, so that when
00:45:49 - users go out to the internet they're [INAUDIBLE]
00:45:52 - to the OUTSIDE interface address.
00:45:53 - That's based on what we configured.
00:45:55 - And because of the stateful inspection, return traffic is
00:45:58 - allowed for TCP, for UDP, and there's a host of
00:46:02 - application-layer inspections as well.
00:46:04 - But what isn't inspected by default is ICMP.
00:46:07 - We turned on ICMP inspection, and then all of a sudden we
00:46:10 - could send ICMP out and get our replies back as well.
00:46:14 - What else does ASA support?
00:46:16 - It can support DHCP.
00:46:18 - It can be a client and a server.
00:46:19 - A client here and a server here to its devices.
00:46:23 - It can provide botnet support.
00:46:27 - It can do application-layer inspection.
00:46:30 - It can use object groups.
00:46:31 - It can support VPNs.
00:46:32 - And by the way, VPNs we'll cover in a complete separate
00:46:35 - Nugget just on IPsec and SSL VPNs in the latter part of
00:46:39 - this Nugget series.
00:46:40 - So that's coming up.
00:46:41 - Hang onto that one.
00:46:42 - It also has support for AAA, the Authentication,
00:46:46 - Authorization, and Accounting.
00:46:47 - So if this is an ASA inside of your enterprise, you don't
00:46:50 - have to create all your local users on that ASA.
00:46:53 - You can have them on a AAA server.
00:46:55 - And then when Jill VPNs in and wants to authenticate, the ASA
00:47:00 - can check with the AAA server and say, hey, it's Jill.
00:47:02 - Here's her credentials.
00:47:03 - Is she valid?
00:47:04 - And if so, provide access into the network.
00:47:07 - I have had a lot of fun taking this little ASA with you and
00:47:11 - bringing it all the way from a default config into a working
00:47:14 - config that involved stateful inspection, network address
00:47:17 - translation, and even customizing the policy to tell
00:47:21 - it to inspect ICMP as well.
00:47:23 - I hope this has been informative for you, and I'd
00:47:25 - like to thank you for viewing.

Keith Barker

CBT Nuggets Trainer

Cisco CCDP, CCIE Security, CCIE Routing & Switching; Juniper JNCIS-ENT, JNCIS-SP; Brocade BCNP; HP-MASE; (ISC)2 CISSP; CompTIA Network+, Security+

Area Of Expertise:
Cisco, security, networking, bitcoin. Author or coauthor of: CCNA Security 640-554 Official Cert Guide; CCNP Security IPS 642-627 Official Cert Guide; CCNA Security 640-554 Official Cert Guide, and many more.

ASA Firewall