Official Cisco Support
Using PIX Firewall
Cisco Security Appliance Command Line Configuration Guide, Version 7.0
Security Level as Stateful Firewall feature foundation
Cisco ASA/PIX Firewall is designed as a stateful firewall. In Cisco's implementation, the concept of Security Level is the foundation of all stateful firewall features.
In the basic firewall concept there are three security zones. The first is the Untrusted network, which Cisco implements as the Outside network. The second is the Trusted network, which Cisco implements as the Inside network. The third is the DMZ network, which Cisco also implements as the DMZ network.
Following the basic firewall concept, a firewall is a perimeter device guarding traffic flow between zones. Under the Security Level concept, the Untrusted (Outside) network has the lowest level of trust, and Cisco by default assigns it security level 0 (zero). Consequently the Trusted (Inside) network has the highest level of trust, and Cisco by default assigns it security level 100. Since the DMZ network is considered somewhat trusted and somewhat untrusted, Cisco by default assigns it (typically) an even number between 0 and 100.
Based on the associated Security Level, you may notice that the higher a network's level is, the more trusted the network is. In other words, the Inside network is more trusted (more secure) than the DMZ network, and the DMZ network is more trusted than the Outside network. When you deploy Cisco ASA/PIX Firewall as your Internet gateway or Internet firewall, for example, the Outside network is the Internet, the Inside network is your internal network, and the DMZ network holds your publicly-accessible web or email server.
If you want to go further, you may segment your internal network further by putting a dedicated firewall between your internal servers and users' PCs, where the Inside network is where the internal servers are and the Outside network is where the users' PCs are. If you would rather use only one firewall for everything, you may want to create multiple DMZ networks, where the Outside network (Security Level 0) is the Internet, the Inside network (Security Level 100) is the internal servers, DMZ 1 (e.g. Security Level 1) is the publicly-accessible web or email server, DMZ 2 (e.g. Security Level 4) is a guest wireless network, DMZ 3 (e.g. Security Level 6) is the users' PCs, and so on.
Also based on the associated Security Level, any incoming traffic from a lower Security Level to a higher Security Level is denied by default. When you have a publicly-accessible web or email server, say on your DMZ network, you have to permit certain incoming traffic from the lower Security Level network (the Internet or Outside) into the higher Security Level network (the DMZ) by using either the nat command or the static command. You can also limit how many incoming sessions are permitted, for further protection.
How Cisco ASA/PIX Firewall Treats TCP-based traffic differently than ICMP-based traffic
You also have to permit incoming ICMP echo reply packets from the less trusted network as the response to ICMP echo packets issued by a machine within the more trusted network. For TCP-based traffic, by default all returning TCP traffic coming from the less trusted network in response to TCP packets initiated by a machine within the more trusted network is permitted. Therefore you don't need to create rules to permit such returning TCP traffic.
The reason no rules are needed to permit such returning TCP traffic is that the firewall understands the TCP 3-way handshake. Every outbound TCP connection initiated from the more trusted network to the less trusted network is inspected and stored in the connection table (the show conn command displays this table). When the firewall sees a matching TCP packet coming from the less trusted network toward the more trusted network as part of the 3-way handshake, it permits that returning traffic.
ICMP-based traffic, however, has different properties. Since there is no 3-way handshake in ICMP, each ICMP packet is treated as one-way traffic. Therefore you have to explicitly permit any necessary incoming ICMP traffic from the less trusted network towards the more trusted network when you plan to use something like ICMP ping or traceroute from the more trusted network to the less trusted network.
TCP Transaction Protection
All incoming TCP traffic is inspected by Cisco ASA/PIX Firewall to make sure that a 3-way handshake takes place, per the TCP mechanism, to complete the TCP transaction. The firewall drops any incomplete TCP transaction as protection from possible TCP-based attacks.
As an example, the firewall tracks each TCP session as part of the 3-way handshake protection mechanism using a hold timer. The firewall expects to receive the server's response within the hold timer interval, after which the timer expires. When the timer expires without the firewall having received the server's response, the firewall drops the related TCP session and also drops the "late" server response.
Another example is the firewall dropping TCP packets when a TCP client keeps sending TCP synchronization (SYN) packets, or sends a TCP acknowledge (ACK) packet without having sent a TCP SYN packet first. In these situations, the firewall drops the TCP SYN and TCP ACK packets accordingly.
There is also a TCP Initial Sequence Number (ISN) randomization feature, which by default randomizes the TCP sequence numbers negotiated between client and server in order to protect against TCP sequence prediction attacks.
One optional feature is setting the maximum number of simultaneous TCP and UDP connections through the firewall for the entire subnet. The default is 0, which means unlimited connections; the firewall lets the server determine the number.
Another optional feature is specifying the maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set a small value for slower systems, and a higher value for faster systems. The default is 0, which means unlimited embryonic connections.
The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. When the embryonic limit is surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The PIX firewall and ASA accomplish TCP intercept functionality using SYN cookies.
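As an added illustration (not code from the FAQ or from Cisco), the following Python models the connection-table behaviour described in this section: an outbound SYN creates an embryonic entry, only the matching reply is let back in, a lone ACK or a reply arriving after the hold timer is dropped, and a per-host embryonic limit is enforced. Interface names, security levels, timer values and all packets are constructed.

```python
from dataclasses import dataclass

# Constructed interface names and security levels (not from any real config).
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass
class Packet:
    iface: str    # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "PA" = data
    t: float      # arrival time in seconds (constructed clock)


class ConnTable:
    """States: 'embryonic' (SYN seen) -> 'half-open' (SYN/ACK seen) -> 'established'."""

    def __init__(self, emb_limit=0, emb_timeout=30.0):
        self.conns = {}                 # flow key -> state
        self.started = {}               # flow key -> time of the initial SYN
        self.emb_limit = emb_limit      # 0 = unlimited, as the FAQ describes
        self.emb_timeout = emb_timeout  # hold timer for the server's reply

    @staticmethod
    def _key(pkt):
        # Both directions of one flow share a key.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def _incomplete_for(self, host):
        # Embryonic connections are those that have not finished the handshake.
        return sum(1 for k, s in self.conns.items()
                   if s != "established" and host in (k[0][0], k[1][0]))

    def _expire(self, now):
        # Handshakes whose hold timer ran out are removed; a late reply then has no entry.
        for k, t0 in list(self.started.items()):
            if self.conns[k] != "established" and now - t0 > self.emb_timeout:
                del self.conns[k]
                del self.started[k]

    def handle(self, pkt, out_iface):
        """Return 'permit' or a 'drop: ...' reason; out_iface is the egress interface."""
        self._expire(pkt.t)
        key = self._key(pkt)
        state = self.conns.get(key)
        if pkt.flags == "S":
            # Default policy: a SYN may only cross from a higher to a lower security level.
            if SECURITY_LEVEL[pkt.iface] <= SECURITY_LEVEL[out_iface]:
                return "drop: SYN from lower or equal security level denied by default"
            if self.emb_limit and self._incomplete_for(pkt.src) >= self.emb_limit:
                return "drop: embryonic limit reached, TCP intercept takes over"
            self.conns[key] = "embryonic"
            self.started[key] = pkt.t
            return "permit"
        if pkt.flags == "SA":
            if state != "embryonic":
                return "drop: SYN/ACK without a matching outbound SYN"
            self.conns[key] = "half-open"
            return "permit"
        if state == "half-open" and "A" in pkt.flags:
            self.conns[key] = "established"
            return "permit"
        if state == "established":
            return "permit"
        return "drop: ACK or data without a completed handshake"
```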
TCP/UDP Application-Specific Protocol Protection
By default, the PIX Firewall and ASA provide TCP/UDP application-specific protection for the following protocols.
Various Cisco ASA/PIX Firewall Features
1. SSH and Telnet as firewall management access
When you are connecting from a network other than the Inside network, you can only use SSH for firewall management access. By default you can use either Telnet or SSH for firewall management access when connecting from the Inside network.
2. NAT
In PIX or ASA OS versions prior to 8.3, NAT is in place by default for traffic between zones. In those earlier OS versions, you typically use the nat 0 command to eliminate NAT for traffic between zones. You could also use the static command with the same IP subnet before and after the NAT process. Further, in the earlier OS versions there is a rule called the NAT Order of Operation that makes sure NAT-related processing happens in order.
NAT Concept on PIX Firewall Running OS Version 6.3 or Later and ASA Running OS Version Prior to 8.3
Introduction to NAT Operation
In a network environment with a private network that is not (and should not be) directly visible from the Outside network, that private network should be made invisible to the Outside network. PIX Firewall and ASA were originally designed to provide such invisibility, and do NAT by default for traffic across security zones, such as between the Inside and Outside networks.
When access to the Outside network is needed from a more trusted network, you need to NAT the outbound traffic using the nat command. If the traffic is purely outbound, with connections initiated from the more trusted network to the less trusted network, then the nat command should be paired with a global command.
For inbound traffic, where connections are initiated from the less trusted network to the more trusted network, the static command is needed to accommodate the NAT process. With the static command, the traffic flow between the less and more trusted networks is established both ways, meaning that the Outside network (less trusted) can initiate traffic to the Inside network (more trusted) at any time and vice versa. There is no need to create a specific nat command to accommodate this traffic flow.
Regarding the use of the static command, you can choose to use either the same or a different IP address/subnet between the less and more trusted networks. The following is a list of situations where you want to use a different IP address/subnet on the less trusted network.
1. The private network (residing on the more trusted network) uses an IP scheme that is not routable on the less trusted network; e.g. Internet access from a LAN using the private networks 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16
2. The less trusted network is unable to do routing. In this case, the more trusted network uses a NAT-ed IP address that is within the less trusted network's IP subnet
3. There is a conflicting IP scheme between the less and more trusted networks. In this case, the more trusted network uses a NAT-ed IP address within the less trusted network's IP scheme. Furthermore, you need to NAT the inbound traffic from the less to the more trusted network using a NAT-ed IP address within the more trusted network's IP scheme.
When none of the above situations applies, you should use the same IP address/subnet between the less and more trusted networks. Note that using the same IP address/subnet between the less and more trusted networks does not by itself create a security risk on the more trusted network, since the PIX Firewall or ASA provides sufficient stateful security features, as discussed earlier.
Different Types of NAT
1. Dynamic PAT
Commands to use: nat, global
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is not needed
Example 1.1
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.43.45.93
Description:
Any host within the Inside IP subnet 192.168.1.0/24 will be PAT-ed to 203.43.45.93 when there is outbound traffic from the Inside to the Outside network
Example 1.2
nat (outside) 1 203.43.45.0 255.255.255.0
global (inside) 1 192.168.1.93
Description:
Any host within the Outside IP subnet 203.43.45.0/24 will be PAT-ed to 192.168.1.93 when there is inbound traffic from the Outside to the Inside network
2. Static PAT
Commands to use: static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is needed
Example 2.1
static (inside,outside) tcp 203.43.45.93 80 192.168.45.93 80 netmask 255.255.255.255
Description:
Host 192.168.45.93 will be PAT-ed to 203.43.45.93 when there is outbound traffic initiated from 192.168.45.93 (within the Inside network) to the Outside network using TCP port 80 as the source TCP port. Similarly, any IP address within the Outside network accesses 203.43.45.93 with destination TCP port 80 in order to reach 192.168.45.93 on TCP port 80
Example 2.2
static (outside,inside) tcp 192.168.45.93 80 203.43.45.93 80 netmask 255.255.255.255
Description:
Host 203.43.45.93 will be PAT-ed to 192.168.45.93 when there is inbound traffic initiated from 203.43.45.93 (within the Outside network) to the Inside network using TCP port 80 as the source TCP port. Similarly, any IP address within the Inside network accesses 192.168.45.93 with destination TCP port 80 in order to reach 203.43.45.93 on TCP port 80
3. Static NAT of single IP address
Commands to use: static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is needed. Furthermore, the command covers all IP protocols and ports of the given IP address.
Example 3.1
static (inside,outside) 203.43.45.93 192.168.45.93 netmask 255.255.255.255
Description:
Host 192.168.45.93 will be NAT-ed to 203.43.45.93 when there is outbound traffic initiated from 192.168.45.93 (within the Inside network) to the Outside network using any IP protocol (including ESP, TCP, and UDP). Similarly, any IP address within the Outside network accesses 203.43.45.93 using any IP protocol in order to reach 192.168.45.93.
Note:
This static statement may seem like a security risk, since it exposes the IP address to any incoming IP protocol from the less trusted to the more trusted network. The risk is mitigated when an access-list controlling inbound traffic opens only the necessary IP protocols and ports (e.g. only inbound TCP ports 80 and 443, with everything else denied).
Example 3.2
static (outside,inside) 192.168.45.93 203.43.45.93 netmask 255.255.255.255
Description:
Host 203.43.45.93 will be NAT-ed to 192.168.45.93 when there is inbound traffic initiated from 203.43.45.93 (within the Outside network) to the Inside network using any IP protocol (including ESP, TCP, and UDP). Similarly, any IP address within the Inside network accesses 192.168.45.93 using any IP protocol in order to reach 203.43.45.93.
4. Static NAT of entire IP subnet
Commands to use: static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is needed. Furthermore, the command covers all IP protocols and ports of the given IP subnet.
Example 4.1
static (inside,outside) 203.43.45.0 192.168.45.0 netmask 255.255.255.0
Description:
Any host within 192.168.45.0/24 will be NAT-ed into 203.43.45.0/24 when there is outbound traffic initiated from 192.168.45.0/24 (within the Inside network) to the Outside network using any IP protocol (including ESP, TCP, and UDP). Similarly, any IP address within the Outside network accesses 203.43.45.0/24 using any IP protocol in order to reach 192.168.45.0/24.
Using IP subnet static NAT puts the following static NAT mappings in place
As you can see, the last octet stays the same while only the first three octets differ between the Outside and Inside IP addresses.
Note:
This command is useful when you need to NAT an entire subnet without having to create a separate static command for each pair of Outside-Inside IP addresses. You can simply create one static NAT for the entire subnet instead.
Example 4.2
static (outside,inside) 192.168.45.0 203.43.45.0 netmask 255.255.255.0
Description:
Any host within 203.43.45.0/24 will be NAT-ed into 192.168.45.0/24 when there is inbound traffic initiated from 203.43.45.0/24 (within the Outside network) to the Inside network using any IP protocol (including ESP, TCP, and UDP). Similarly, any IP address within the Inside network accesses the corresponding 192.168.45.0/24 address using any IP protocol in order to reach 203.43.45.0/24.
5. Static NAT of entire IP subnet and keep the same IP scheme between less and more trusted network
Command to use: access-list, nat 0, and/or static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is needed. Furthermore, the command covers all IP protocols and ports of the given IP subnet. All of this takes place while keeping the same IP scheme between the less and more trusted networks.
Example 5.1 - NAT exemption
access-list nonat_inside-outside permit ip 192.168.45.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat_inside-outside
Description:
Any host within 192.168.45.0/24 will appear as itself when there is outbound traffic initiated from 192.168.45.0/24 (within the Inside network) to the Outside network 192.168.1.0/24 using any IP protocol (including ESP, TCP, and UDP). Similarly, any IP address within the Outside network 192.168.1.0/24 accesses 192.168.45.0/24 directly using any IP protocol.
Example 5.2
static (inside,outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
Description:
Any host within 192.168.45.0/24 will appear as itself when there is outbound traffic initiated from 192.168.45.0/24 (within the Inside network) to any Outside network IP address using any IP protocol (including ESP, TCP, and UDP). Similarly, any IP address within the Outside network accesses 192.168.45.0/24 directly using any IP protocol.
Example 5.3 - Identity NAT
nat (inside) 0 192.168.45.0 255.255.255.0
static (inside,outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
Description:
The behavior is similar to Examples 5.1 and 5.2. This configuration is less popular since it seems more complex than it needs to be.
6. Static NAT Policy
Command to use: access-list and static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is needed. Furthermore, the command covers all IP protocols and ports of the given IP address. All of this takes place while keeping the same IP scheme between the less and more trusted networks.
Example 6.1
access-list nat1_inside-outside permit ip 192.168.45.0 255.255.255.0 23.54.6.0 255.255.255.0
access-list nat2_inside-outside permit ip 192.168.45.0 255.255.255.0 23.54.7.0 255.255.255.0
nat (inside) 1 0.0.0.0
static (inside,outside) 23.54.6.254 access-list nat1_inside-outside
static (inside,outside) 23.54.7.254 access-list nat2_inside-outside
global (outside) 1 203.43.45.32
Description:
Any 192.168.45.x host within the Inside network is statically NAT-ed to 23.54.6.254 when it accesses 23.54.6.x on the Outside network. Similarly, any 192.168.45.x host within the Inside network is statically NAT-ed to 23.54.7.254 when it accesses 23.54.7.x on the Outside network. When 192.168.45.x accesses any other Outside IP address besides 23.54.6.x and 23.54.7.x, it is dynamically PAT-ed to 203.43.45.32.
NAT Implementation Illustration
For the sake of illustration, we assume the following:
Outside network: any IP subnet
DMZ 1 network: 192.168.0.0/24, 192.168.1.0/24
DMZ 2 network: 192.168.2.0/24, 192.168.3.0/24
Inside network: 192.168.32.0/24, 192.168.33.0/24, 192.168.45.0/24
Example 1
access-list nonat permit ip 192.168.32.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.32.0 255.255.255.0
global (outside) 1 203.45.32.84
Description:
When any IP address within 192.168.32.0/24 accesses 192.168.1.0/24, the 192.168.32.x host appears as itself. If 192.168.32.x accesses anything else on the Outside network, dynamic PAT uses the 203.45.32.84 IP address to appear on the Outside network.
Further, any machine within 192.168.1.0/24 can access 192.168.32.0/24 as itself. In other words, 192.168.32.0/24 appears as itself to 192.168.1.0/24 and vice versa.
The 192.168.33.x hosts cannot access anything beyond the Inside network. Similarly, the 192.168.0.x hosts cannot access anything beyond the DMZ 1 network. Anything on the Outside and DMZ 2 networks cannot access anything on DMZ 1 or the 192.168.33.x Inside network.
Example 2
access-list nonat permit ip 192.168.32.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0
nat (dmz1) 2 192.168.0.0 255.255.255.0
global (dmz2) 1 192.168.2.254
global (outside) 2 204.54.65.231
static (inside,outside) 192.168.32.0 192.168.32.0 netmask 255.255.254.0
Description:
The 192.168.0.x and 192.168.32.x hosts see each other as themselves. Any IP address within the Inside network (including those that are not 192.168.32.x or 192.168.33.x, if any, such as 192.168.45.x) is able to access 192.168.2.x and 192.168.3.x using the PAT-ed IP address 192.168.2.254. Both 192.168.32.x and 192.168.33.x appear as themselves when accessing the Outside network. Any 192.168.0.x host appears as 204.54.65.231 when accessing the Outside network.
Example 3
access-list nonat permit ip 192.168.32.0 255.255.254.0 192.168.0.0 255.255.254.0
access-list nonat permit ip 192.168.45.0 255.255.255.0 192.168.0.0 255.255.254.0
access-list nat1_inside-dmz2 permit ip 192.168.32.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list nat1_inside-dmz2 permit ip 192.168.45.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat2_inside-dmz2 permit ip 192.168.32.0 255.255.254.0 192.168.3.0 255.255.255.0
access-list nat2_inside-dmz2 permit ip 192.168.45.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nat_inside-outside permit ip 192.168.32.0 255.255.254.0 any
access-list nat_inside-outside permit ip 192.168.45.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat1_inside-dmz2
nat (inside) 2 access-list nat2_inside-dmz2
nat (inside) 3 access-list nat_inside-outside
global (dmz2) 1 192.168.2.254
global (dmz2) 2 192.168.3.254
global (outside) 3 204.54.65.231-204.54.65.253
global (outside) 3 204.54.65.254
static (dmz1,outside) 204.54.64.0 192.168.0.0 netmask 255.255.255.0
Description:
The 192.168.32.x, 192.168.33.x, and 192.168.45.x hosts appear as themselves when they access 192.168.0.x and 192.168.1.x, and vice versa. The 192.168.32.x, 192.168.33.x, and 192.168.45.x hosts appear as 192.168.2.254 when they access 192.168.2.x, and as 192.168.3.254 when they access 192.168.3.x.
The 192.168.0.x hosts appear as 204.54.64.x when they access the Outside network. Similarly, the Outside network accesses 204.54.64.x in order to reach 192.168.0.x.
The 192.168.32.x, 192.168.33.x, and 192.168.45.x hosts on the Inside network appear as any available IP address within the range 204.54.65.231 to 204.54.65.253 when they access the Outside network. Such a range is called a NAT pool: there is a dynamic one-to-one NAT relationship between the 192.168.32.x, 192.168.33.x, and 192.168.45.x hosts on the Inside network and any available IP address in the 204.54.65.231 to 204.54.65.253 range. When all IP addresses within the NAT pool are used up, 204.54.65.254 is used as a last resort (as dynamic PAT instead of dynamic NAT).
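As an added illustration (not code from the FAQ or from Cisco), the following Python feeds Example 3's configuration to a small model of the pre-8.3 NAT order of operation (nat 0 exemption first, then static, then the nat/global pair whose access-list matches, with the dynamic NAT pool exhausted before PAT) and reports how a given source address appears on the egress interface. The Outside destination addresses in the checks are constructed, and the egress interface is assumed to be already known from routing.

```python
import ipaddress

# Model of a PIX/ASA running OS 6.3 to 8.2 choosing the translated source
# address of a packet. Only source translation on the egress interface is
# modelled, and only the 'nat (if) N access-list NAME' form of nat is parsed,
# which is all Example 3 uses. Not Cisco code.

EXAMPLE3 = """
access-list nonat permit ip 192.168.32.0 255.255.254.0 192.168.0.0 255.255.254.0
access-list nonat permit ip 192.168.45.0 255.255.255.0 192.168.0.0 255.255.254.0
access-list nat1_inside-dmz2 permit ip 192.168.32.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list nat1_inside-dmz2 permit ip 192.168.45.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat2_inside-dmz2 permit ip 192.168.32.0 255.255.254.0 192.168.3.0 255.255.255.0
access-list nat2_inside-dmz2 permit ip 192.168.45.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nat_inside-outside permit ip 192.168.32.0 255.255.254.0 any
access-list nat_inside-outside permit ip 192.168.45.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat1_inside-dmz2
nat (inside) 2 access-list nat2_inside-dmz2
nat (inside) 3 access-list nat_inside-outside
global (dmz2) 1 192.168.2.254
global (dmz2) 2 192.168.3.254
global (outside) 3 204.54.65.231-204.54.65.253
global (outside) 3 204.54.65.254
static (dmz1,outside) 204.54.64.0 192.168.0.0 netmask 255.255.255.0
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_arg(t, i):
    # 'any' is one token, 'addr mask' is two; returns (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return _net(t[i], t[i + 1]), i + 2


class NatModel:
    def __init__(self, config):
        self.acls = {}      # name -> [(src_net, dst_net)]
        self.nats = []      # (iface, nat id, acl name) in config order; id 0 = exemption
        self.globals = {}   # (iface, nat id) -> [pool]; a pool is a list of addresses
        self.statics = []   # (real iface, mapped iface, mapped net, real net)
        self.in_use = {}    # (iface, nat id, pool addr) -> real host currently holding it
        for line in config.strip().splitlines():
            t = line.split()
            if t[0] == "access-list":
                src, i = _acl_arg(t, 4)
                self.acls.setdefault(t[1], []).append((src, _acl_arg(t, i)[0]))
            elif t[0] == "nat":
                self.nats.append((t[1].strip("()"), int(t[2]), t[4]))
            elif t[0] == "global":      # 'a.b.c.d' (PAT) or 'a.b.c.d-e.f.g.h' (NAT pool)
                ends = t[3].split("-")
                lo, hi = ipaddress.ip_address(ends[0]), ipaddress.ip_address(ends[-1])
                pool = [str(lo + k) for k in range(int(hi) - int(lo) + 1)]
                self.globals.setdefault((t[1].strip("()"), int(t[2])), []).append(pool)
            elif t[0] == "static":
                real_if, mapped_if = t[1].strip("()").split(",")
                self.statics.append((real_if, mapped_if, _net(t[2], t[5]), _net(t[3], t[5])))

    def _match(self, acl, src, dst):
        return any(src in s and dst in d for s, d in self.acls.get(acl, []))

    def translate(self, src_iface, src_ip, dst_iface, dst_ip):
        """Return (mechanism, source address as seen on dst_iface)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # 1. NAT exemption (nat 0 access-list) wins over everything else.
        for iface, nat_id, acl in self.nats:
            if iface == src_iface and nat_id == 0 and self._match(acl, src, dst):
                return "exempt", src_ip
        # 2. static: fixed one-to-one mapping, host part kept, network part swapped.
        for real_if, mapped_if, mapped_net, real_net in self.statics:
            if (real_if, mapped_if) == (src_iface, dst_iface) and src in real_net:
                offset = int(src) - int(real_net.network_address)
                return "static", str(mapped_net.network_address + offset)
        # 3. policy nat: first nat N whose ACL matches, paired with global N on dst_iface.
        for iface, nat_id, acl in self.nats:
            if iface != src_iface or nat_id == 0 or not self._match(acl, src, dst):
                continue
            # Dynamic NAT pools are tried before the single PAT address.
            for pool in sorted(self.globals.get((dst_iface, nat_id), []), key=len, reverse=True):
                if len(pool) == 1:
                    return "pat", pool[0]
                for addr in pool:
                    if self.in_use.setdefault((dst_iface, nat_id, addr), src_ip) == src_ip:
                        return "dynamic-nat", addr
        return "none", None   # no rule matched; nothing translates this flow
```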
Note:
For illustration, check out all the sample configurations using Cisco ASA/PIX Firewall in this Cisco Forum FAQ to better understand what a Cisco firewall implementation looks like.
Traffic Flow Across Security Zones
1. Default Behavior and Ways To Tweak
As a firewall, the PIX Firewall and ASA by default expect traffic to flow from one security zone to another. Any routed traffic that comes from one security zone and bounces back to the same security zone (called hairpinning) is denied. Another default behavior is to block traffic between security zones with equal security levels.
Regarding traffic flow from one security zone to another, the default behavior is as follows:
* Initiated from the Less-Trusted zone to the More-Trusted zone, traffic is denied
* Initiated from the More-Trusted zone to the Less-Trusted zone, traffic is permitted
* Initiated from one security zone to another with an equal security level, traffic is denied
* Initiated from one security zone and bouncing back to it (hairpinning), traffic is denied
To adjust the above default behavior, the following choices apply to PIX Firewall and ASA running OS version 6.3 and later:
* Implement the nat 0 or static command, in addition to an access-group command tied to a specific access-list, to allow traffic initiated from the Less-Trusted zone to the More-Trusted zone
* Implement an access-group command tied to a specific access-list to restrict traffic initiated from the More-Trusted zone to the Less-Trusted zone
When the PIX Firewall or ASA runs OS version 7.0 or later, the following choices adjust the other default behaviors:
* Implement the same-security-traffic permit command to allow traffic initiated from one security zone to another with an equal security level. The same command also allows hairpinning traffic
* Transform the default Layer-3 firewall behavior into a Layer-2 firewall using the firewall transparent command, so the firewall does not participate in routing
* Transform the single physical firewall into multiple virtual firewalls using the mode command, allowing Active/Active or Active/Standby traffic flow with a separate routing table for each virtual firewall
2. Traffic Flow Order of Operation
For traffic initiated from the Less-Trusted to the More-Trusted network, here is what Cisco devices including PIX Firewall and ASA expect:
* Incoming traffic hits the IP address as seen in the IP scheme of the Less-Trusted network. If NAT is in place, the incoming traffic hits the NAT-ed IP address.
* Cisco devices check the incoming traffic for a match within the access-list. When there is a match, Cisco devices stop searching, treat the traffic per the rule, and exit. When there is no match, Cisco devices deny the traffic by default
* If a static command is in place to manage the NAT/PAT-ed IP addresses, Cisco devices translate the IP address accordingly and forward the traffic based on the routing table
Since the PIX Firewall and ASA are firewalls, by design they inspect traffic before forwarding it based on the routing table, as mentioned earlier. Any traffic that does not pass inspection is dropped and not forwarded.
What Is New On ASA (Or PIX OS 7.2 and above) Compared To PIX Firewall Running PIX OS 6.3?
Note:
* The PIX Firewall 500 series only supports PIX OS up to version 8.0(4). The ASA 5500 series supports OS versions beyond 8.0(4), possibly requiring a DRAM/Flash upgrade
* There are no known "real" differences between PIX OS 7.x and ASA OS 7.x from a software perspective
For further info, check out the following official Cisco online documentation links for specific OS version features.
Features
Legacy OS 6.3(5)
http://www.cisco.com/en/US/docs/security/pix/pix63/release/notes/pixrn635.html
OS 7.0(1)
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix_70rn.html#wp169795
OS 7.0(4)
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix704rn.html#wp213502
OS 7.0(5)
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix705rn.html#wp213502
OS 7.2(1)
http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn72.html#wp185529
OS 7.2(2)
http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn722.html#wp191103
OS 7.2(3)
http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn723.html#wp213761
OS 8.0
http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn80.html#wp191103
OS 8.0(3)
http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/prn803.html#wp191103
OS 8.0(4)
http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn804.html#wp191103
OS 8.1
http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn81.html#wp229690
Enable/Disable Communication on OS 7.0 image and newer
1. Troubleshooting on OS 7.0 image and newer
Establish and Troubleshoot Connectivity through PIX/ASA
Packet/Traffic Troubleshooting
2. Sample Configuration on OS 7.0 image and newer
ASA/PIX EIGRP Routing Support
Backup/Failover Routing
Single Firewall Partitioned Into Multiple Independent Firewalls: Introduction to Multiple Context
Active/Active PIX/ASA Stateful Redundancy
Active/Standby PIX/ASA Stateful Redundancy
Transparent (Layer-2) Firewall
QoS
ASA As SSL Server
SSL VPN Client (SVC) on ASA with ASDM Configuration Example
Clientless SSL VPN (WebVPN) on ASA Configuration Example
Thin-Client SSL VPN (WebVPN) on ASA with ASDM Configuration Example
Block or Restrict the Instant Messaging (IM) Traffic
URL Filtering
New Features and Deprecated Commands Starting OS version 8.3
You may notice that PIX Firewall appliances are unable to run the latest OS versions. The PIX 501 can only run up to OS version 6.3(5), while the PIX 515E and larger appliances can only run up to OS version 8.0. You need an ASA 5500 series appliance to run OS versions newer than 8.0.
Cisco ASA 5500 Migration Guide for Version 8.3
Discussion of OS version 9.1
ASA 5520 Fan Question
Licenses
For those who are eager to get their hands on an ASA or PIX Firewall, the license is a factor to consider. With either ASA or PIX Firewall, you should get the one with Unlimited Inside Hosts rather than 10 or 50 Inside Hosts. For PIX Firewall, one with the Unrestricted license has more features than one with the Restricted license, while one with the Failover license can only work as the backup firewall of an Unrestricted-licensed unit. For ASA, one with the Security Plus license similarly supports more features. Both the Inside Hosts number and the license type the firewall carries can be verified with show version.
Upgrading from a lower license to a higher one may cost you dearly, to the point where buying a new firewall with the higher license may cost less than upgrading your existing firewall.
You can check out the following discussion for some illustration.
[HELP] Upgrade ASA 5505 License
Thanks to http://www.dslreports.com/faq/15531
Using PIX Firewall
Cisco Security Appliance Command Line Configuration Guide, Version 7.0
Security Level as Stateful Firewall feature foundation
Cisco ASA/PIX Firewall is designed as stateful firewall. From Cisco implementation perspective, there is a concept of Security Level as foundation of all stateful firewall features.
In basic firewall concept, there are three security zones. The first zone is Untrusted network where Cisco implements as Outside network. The second zone is Trusted network where Cisco implements as Inside network. The third zone is DMZ network where Cisco also implements as DMZ network.
Following basic firewall concept, a firewall is designed as perimeter guarding traffic flow between zones. With the concept of Security Level, the Untrusted (Outside) network has the lowest level of trust where Cisco by default assign the trust level as 0 (zero). Consequently the Trusted (Inside) network has the highest level of trust where Cisco by default assign the security level of 100. Since DMZ network is considered somewhat trusted and untrusted, Cisco by default assign (typically) even number between 0 and 100.
Based on associated Security Level; you may notice that the higher a network level is, the more trusted a network is. In other words, Inside network is more trusted or more secure that DMZ network and DMZ network is more trusted or more secure than Outside network. When you put Cisco ASA/PIX Firewall as your Internet gateway or Internet firewall for example, the Outside network is the Internet, the Inside network is your internal network, and the DMZ network is your publicly-accessible web or email server.
If you like to go further, you may segment your internal network further by putting a dedicated firewall between your internal servers and users' PC where the Inside network is where the internal servers are and the Outside network is where the users' PC are. When you consider to use only one firewall for all, then you may want to create multiple DMZ networks where the Outside network (Security Level 0) is the Internet, Inside network (Security Level 100) is the internal servers, DMZ 1 network (i.e. Security Level 1) is the publicly-accessible web or email server, DMZ 2 network (i.e. Security Level 4) is a guest wireless network, DMZ 3 network (i.e. Security Level 6) is the user's PC, and so on and so forth.
Also based on associated Security Level, any incoming traffic from lower Security Level to higher Security Level is by default denied. When you have publicly-accessible web or email server let's say on your DMZ network, then you have to permit certain incoming traffic from the lower Security Level (the Internet or Outside) network to enter higher Security Level network which is the DMZ by using either nat command or static command. You can also control how many incoming permitted sessions for further protection.
How Cisco ASA/PIX Firewall Treats TCP-based traffic differently than ICMP-based traffic
You also have to permit incoming ICMP echo reply packets from the less trusted network when they are the response to ICMP echo packets issued by a machine within the more trusted network. For TCP-based traffic, by default all returning TCP traffic coming from the less trusted network as the response to a TCP connection initiated by a machine within the more trusted network is permitted. Therefore you don't need to create rules to permit such returning TCP traffic.
The reason no rule is needed for such returning TCP traffic is that the firewall understands the TCP 3-way handshake. Every outbound TCP connection initiated from the more trusted network to the less trusted network is inspected and stored in the connection table (the show conn command reveals this table). When the firewall sees a matching TCP packet coming from the less trusted network toward the more trusted network as part of the 3-way handshake, the firewall permits that returning traffic.
ICMP-based traffic, however, has different properties. Since there is no 3-way handshake in ICMP, each ICMP packet is treated as one-way traffic. Therefore you have to explicitly permit the necessary incoming ICMP traffic from the less trusted network towards the more trusted network when you plan to use something like ICMP ping or traceroute from the more trusted network to the less trusted network.
TCP Transaction Protection
All incoming TCP traffic is inspected by the Cisco ASA/PIX Firewall to make sure that the 3-way handshake required by TCP completes. The firewall drops any incomplete TCP transaction as protection against TCP-based attacks.
As an example, the firewall tracks each TCP session as part of its 3-way handshake protection using a hold timer. The firewall expects to receive the server's response within the hold timer interval, after which the timer expires. If the firewall has not received the server response when the timer expires, it drops the related TCP session and also drops any "late" server response.
Another example is the firewall dropping TCP packets when a TCP client keeps sending TCP synchronization (SYN) packets, or sends a TCP acknowledgement (ACK) packet without sending a TCP SYN packet first. In this situation, the firewall drops the TCP SYN or TCP ACK accordingly.
There is also a TCP Initial Sequence Number (ISN) randomization feature, which by default randomizes the TCP sequence numbers seen between client and server in order to protect against TCP sequence prediction attacks.
One optional feature is setting maximum number of simultaneous TCP and UDP connections through the firewall for the entire subnet. The default is 0, which means unlimited connections and the firewall lets the server determine the number.
Another optional feature is specifying the maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set a small value for slower systems, and a higher value for faster systems. The default is 0, which means unlimited embryonic connections.
The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. When the embryonic limit is surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The PIX firewall and ASA accomplish TCP intercept functionality using SYN cookies.
TCP/UDP Application-Specific Protocol Protection
By default, the PIX Firewall and ASA provide TCP/UDP application-specific protection for the following protocols.
Protocol        TCP/UDP Port    Protocol-Specific Protection
dns             53              packet maximum length 512
ftp             21
h323 h225       1720
h323 ras        1718-1719
http            80
rsh             514
rtsp            554
sip             5060
sip udp         5060
skinny          2000
smtp            25
sqlnet          1521
tftp            69
Various Cisco ASA/PIX Firewall Features
1. SSH and Telnet as firewall management access
You can only use SSH for firewall management access when you are coming from a non-Inside network. By default you can use either Telnet or SSH for firewall management access when you are on the Inside network.
2. NAT
In PIX or ASA OS versions prior to 8.3, by default NAT is in place for traffic between zones. In these earlier OS versions, you typically use the nat 0 command to eliminate NAT for traffic between zones. You could also use the static command with the same IP subnet before and after the NAT process. Further, there is a rule called the NAT Order of Operation in the earlier OS versions that determines which NAT statement applies to a given flow.
NAT Concept on PIX Firewall running OS version 6.3 or later and ASA running OS version prior to 8.3
Introduction to NAT Operation
In a network environment where there is a private network that is not (and should not be) directly visible from the Outside network, that private network should be made invisible to the Outside network. The PIX Firewall and ASA were originally designed to provide such invisibility and do NAT by default for traffic across security zones, such as between the Inside and Outside networks.
When access to the Outside network is needed from a more trusted network, you need to NAT the outbound traffic by using the nat command. If the traffic is purely outbound, where connections are initiated from the more trusted network to the less trusted network, then the nat command should be associated with a global command.
For inbound traffic, where connections are initiated from the less trusted network to the more trusted network, the static command is needed to accommodate the NAT process. With the static command, the traffic flow between the less and more trusted networks is established both ways; meaning that the Outside network (less trusted) can initiate traffic to the Inside network (more trusted) at any time and vice versa. There is no need to create a specific nat command to accommodate this traffic flow.
In regard to the static command's use, you have a choice to use either the same or a different IP address/subnet between the less and more trusted networks. Following is a list of situations where you want to use a different IP address/subnet on the less trusted network.
1. The private network (residing on the more trusted network) uses an IP scheme that is not routable on the less trusted network; e.g. Internet access from a LAN using the private address space 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16
2. The less trusted network is unable to do routing. In this case, the more trusted network uses NAT-ed IP addresses that are within the less trusted network's IP subnet
3. There is a conflicting IP scheme between the less and more trusted networks. In this case, the more trusted network uses NAT-ed IP addresses that are within the less trusted network's IP scheme. Furthermore, you need to NAT the inbound traffic from the less to the more trusted network using NAT-ed IP addresses that are within the more trusted network's IP scheme.
When none of the above situations applies, you should use the same IP address/subnet between the less and more trusted networks. Note that just because you use the same IP address/subnet on both sides, it does not mean there is a security risk to the more trusted network, since the PIX Firewall or ASA provides sufficient stateful security features, as discussed earlier.
Different Types of NAT
1. Dynamic PAT
Commands to use: nat, global
Objective: to allow outbound traffic from more trusted network to less trusted network where inbound traffic is not needed
Example 1.1
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.43.45.93
Description:
Any hosts within Inside IP subnet of 192.168.1.0/24 will be PAT-ed into 203.43.45.93 when there is outbound traffic from Inside to Outside network
Example 1.2
nat (outside) 1 203.43.45.0 255.255.255.0
global (inside) 1 192.168.1.93
Description:
Any hosts within Outside IP subnet of 203.43.45.0/24 will be PAT-ed into 192.168.1.93 when there is inbound traffic from Outside to Inside network
2. Static PAT
Commands to use: static
Objective: to allow outbound traffic from more trusted network to less trusted network where inbound traffic is needed
Example 2.1
static (inside,outside) tcp 203.43.45.93 80 192.168.45.93 80 netmask 255.255.255.255
Description:
Host 192.168.45.93 will be PAT-ed to 203.43.45.93 when there is outbound traffic initiated from 192.168.45.93 (within the Inside network) using TCP port 80 as source TCP port to the Outside network. Similarly, any IP address within Outside network will access 203.43.45.93 using TCP port 80 as destination TCP port in order to access 192.168.45.93 on TCP port 80
Example 2.2
static (outside,inside) tcp 192.168.45.93 80 203.43.45.93 80 netmask 255.255.255.255
Description:
Host 203.43.45.93 will be PAT-ed to 192.168.45.93 when there is inbound traffic initiated from 203.43.45.93 (within the Outside network) using TCP port 80 as source TCP port to the Inside network. Similarly, any IP address within Inside network will access 192.168.45.93 using TCP port 80 as destination TCP port in order to access 203.43.45.93 on TCP port 80
3. Static NAT of single IP address
Commands to use: static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is also needed. Furthermore, the command covers all IP protocols and ports for the provided IP address.
Example 3.1
static (inside,outside) 203.43.45.93 192.168.45.93 netmask 255.255.255.255
Description:
Host 192.168.45.93 will be NAT-ed to 203.43.45.93 when there is outbound traffic initiated from 192.168.45.93 (within the Inside network) using any IP protocol (including ESP, TCP, and UDP) to the Outside network. Similarly, any IP address within Outside network will access 203.43.45.93 using any IP protocol in order to access 192.168.45.93.
Note:
This static statement may seem like a security risk since you are exposing the IP address to any incoming IP protocol from the less to the more trusted network. Such risk is mitigated when there is an access-list controlling inbound traffic that opens only the necessary IP protocols and ports (e.g. open only inbound TCP ports 80 and 443 while everything else is denied).
Example 3.2
static (outside,inside) 192.168.45.93 203.43.45.93 netmask 255.255.255.255
Description:
Host 203.43.45.93 will be NAT-ed to 192.168.45.93 when there is inbound traffic initiated from 203.43.45.93 (within the Outside network) using any IP protocol (including ESP, TCP, and UDP) to the Inside network. Similarly, any IP address within the Inside network will access 192.168.45.93 using any IP protocol in order to access 203.43.45.93.
4. Static NAT of entire IP subnet
Commands to use: static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is also needed. Furthermore, the command covers all IP protocols and ports for the provided IP subnet.
Example 4.1
static (inside,outside) 203.43.45.0 192.168.45.0 netmask 255.255.255.0
Description:
Any hosts within 192.168.45.0/24 will be NAT-ed to 203.43.45.0/24 when there is outbound traffic initiated from 192.168.45.0/24 (within the Inside network) using any IP protocol (including ESP, TCP, and UDP) to the Outside network. Similarly, any IP address within Outside network will access 203.43.45.0/24 using any IP protocol in order to access 192.168.45.0/24.
Using IP subnet static NAT puts the following static NAT pairs in place:
Outside                Inside
203.43.45.1    <====>  192.168.45.1
203.43.45.2    <====>  192.168.45.2
203.43.45.3    <====>  192.168.45.3
.
.
.
203.43.45.254  <====>  192.168.45.254
As you can see, the last octet will be the same while only the first three octets are different between the Outside and the Inside IP addresses.
Note:
The command is useful when you need to NAT an entire subnet without creating a separate static command for each Outside-Inside IP address pair. You can simply create one static NAT for the entire subnet instead.
Example 4.2
static (outside,inside) 192.168.45.0 203.43.45.0 netmask 255.255.255.0
Description:
Any hosts within the Outside 203.43.45.0/24 subnet will be NAT-ed to 192.168.45.0/24 when there is outbound traffic initiated from the Inside network using any IP protocol (including ESP, TCP, and UDP) to the Outside network. Similarly, any IP address within the 203.43.45.0/24 Outside network will appear as 192.168.45.0/24 when accessing any IP address within the Inside network, using any IP protocol.
5. Static NAT of entire IP subnet and keep the same IP scheme between less and more trusted network
Command to use: access-list, nat 0, and/or static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is also needed. Furthermore, the command covers all IP protocols and ports for the provided IP subnet. All of this takes place while keeping the same IP scheme between the less and more trusted networks.
Example 5.1 - NAT exemption
access-list nonat_inside-outside permit ip 192.168.45.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat_inside-outside
Description:
Any hosts within 192.168.45.0/24 will appear as themselves when there is outbound traffic initiated from 192.168.45.0/24 (within the Inside network) using any IP protocol (including ESP, TCP, and UDP) to the Outside network of 192.168.1.0/24. Similarly, any IP address within Outside network of 192.168.1.0/24 will access 192.168.45.0/24 using any IP protocol directly.
Example 5.2
static (inside,outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
Description:
Any hosts within 192.168.45.0/24 will appear as themselves when there is outbound traffic initiated from 192.168.45.0/24 (within the Inside network) using any IP protocol (including ESP, TCP, and UDP) to any Outside network IP address. Similarly, any IP address within Outside network will access 192.168.45.0/24 using any IP protocol directly.
Example 5.3 - Identity NAT
nat (inside) 0 192.168.45.0 255.255.255.0
static (inside,outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0
Description:
The behavior is similar to Examples 5.1 and 5.2. This configuration is less popular since it seems more complex than it has to be.
6. Static NAT Policy
Command to use: access-list and static
Objective: to allow outbound traffic from the more trusted network to the less trusted network where inbound traffic is also needed. Furthermore, the command covers all IP protocols and ports for the provided IP subnet. All of this takes place while keeping the same IP scheme between the less and more trusted networks.
Example 6.1
access-list nat1_inside-outside permit ip 192.168.45.0 255.255.255.0 23.54.6.0 255.255.255.0
access-list nat2_inside-outside permit ip 192.168.45.0 255.255.255.0 23.54.7.0 255.255.255.0
nat (inside) 1 0.0.0.0
static (inside,outside) 23.54.6.254 access-list nat1_inside-outside
static (inside,outside) 23.54.7.254 access-list nat2_inside-outside
global (outside) 1 203.43.45.32
Description:
Any 192.168.45.x within the Inside network will be statically NAT-ed to 23.54.6.254 when it accesses 23.54.6.x on the Outside network. Similarly, any 192.168.45.x within the Inside network will be statically NAT-ed to 23.54.7.254 when it accesses 23.54.7.x on the Outside network. When 192.168.45.x accesses any other IP address on the Outside network besides 23.54.6.x and 23.54.7.x, 192.168.45.x will be dynamically PAT-ed to 203.43.45.32.
NAT Implementation Illustration
For the sake of illustration, we assume the following
Outside network: any IP subnet
DMZ 1 network: 192.168.0.0/24, 192.168.1.0/24
DMZ 2 network: 192.168.2.0/24, 192.168.3.0/24
Inside network: 192.168.32.0/24, 192.168.33.0/24, 192.168.45.0/24
Example 1
access-list nonat permit ip 192.168.32.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.32.0 255.255.255.0
global (outside) 1 203.45.32.84
Description:
When any IP address within 192.168.32.0/24 accesses 192.168.1.0/24, the 192.168.32.x hosts appear as themselves. If a 192.168.32.x host accesses anything else on the Outside network, dynamic PAT applies and it appears on the Outside network as 203.45.32.84.
Further, any machine within 192.168.1.0/24 can access 192.168.32.0/24 as itself. In other words, 192.168.32.0/24 appears as itself to 192.168.1.0/24 and vice versa.
The 192.168.33.x hosts cannot access anything beyond the Inside network. Similarly, the 192.168.0.x hosts cannot access anything beyond the DMZ 1 network. Nothing on the Outside or DMZ 2 networks can access anything on DMZ 1 or the 192.168.33.x Inside network.
Example 2
access-list nonat permit ip 192.168.32.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0
nat (dmz1) 2 192.168.0.0 255.255.255.0
global (dmz2) 1 192.168.2.254
global (outside) 2 204.54.65.231
static (inside,outside) 192.168.32.0 192.168.32.0 netmask 255.255.254.0
Description:
The 192.168.0.x and 192.168.32.x hosts see each other as themselves. Any IP address within the Inside network (including those that are not 192.168.32.x or 192.168.33.x, if any, such as 192.168.45.x) is able to access 192.168.2.x and 192.168.3.x using the PAT-ed IP address 192.168.2.254. Both 192.168.32.x and 192.168.33.x appear as themselves when accessing the Outside network. Any 192.168.0.x host appears as 204.54.65.231 when accessing the Outside network.
Example 3
access-list nonat permit ip 192.168.32.0 255.255.254.0 192.168.0.0 255.255.254.0
access-list nonat permit ip 192.168.45.0 255.255.255.0 192.168.0.0 255.255.254.0
access-list nat1_inside-dmz2 permit ip 192.168.32.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list nat1_inside-dmz2 permit ip 192.168.45.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat2_inside-dmz2 permit ip 192.168.32.0 255.255.254.0 192.168.3.0 255.255.255.0
access-list nat2_inside-dmz2 permit ip 192.168.45.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nat_inside-outside permit ip 192.168.32.0 255.255.254.0 any
access-list nat_inside-outside permit ip 192.168.45.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat1_inside-dmz2
nat (inside) 2 access-list nat2_inside-dmz2
nat (inside) 3 access-list nat_inside-outside
global (dmz2) 1 192.168.2.254
global (dmz2) 2 192.168.3.254
global (outside) 3 204.54.65.231-204.54.65.253
global (outside) 3 204.54.65.254
static (dmz1,outside) 204.54.64.0 192.168.0.0 netmask 255.255.255.0
Description:
The 192.168.32.x, 192.168.33.x, and 192.168.45.x hosts appear as themselves when they access 192.168.0.x and 192.168.1.x, and vice versa. They appear as 192.168.2.254 when they access 192.168.2.x and as 192.168.3.254 when they access 192.168.3.x.
The 192.168.0.x hosts appear as 204.54.64.x when they access the Outside network. Similarly, the Outside network reaches 204.54.64.x in order to access 192.168.0.x.
The 192.168.32.x, 192.168.33.x, and 192.168.45.x hosts on the Inside network appear as any available IP address within the range 204.54.65.231 to 204.54.65.253 when they access the Outside network. Such a range is called a NAT pool, and there is a dynamic one-to-one NAT relationship between those Inside hosts and the available addresses in the pool. When all IP addresses within the NAT pool are used up, 204.54.65.254 is used as a last resort (as dynamic PAT instead of dynamic NAT).
Note:
For illustration, check out the sample configurations using the Cisco ASA/PIX Firewall in this Cisco Forum FAQ to better understand what a Cisco firewall implementation looks like.
Traffic Flow Across Security Zones
1. Default Behavior and Ways To Tweak
As a firewall, the PIX Firewall and ASA by default expect traffic to flow from one security zone to another. Any traffic that comes from one security zone and is routed back out to the same security zone (called hair-pinning) is denied. Another default behavior is to block traffic between security zones with equal security levels.
In regard to traffic flow from one security zone to another, the default behavior is as follows:
* Initiated from Less-Trusted zone to More-Trusted zone, traffic is denied
* Initiated from More-Trusted zone to Less-Trusted zone, traffic is permitted
* Initiated from one security zone to another with equal security level, traffic is denied
* Initiated from one security zone and bounce back (hair pinning), traffic is denied
To adjust the above default behavior, following is the list of choices that apply to the PIX Firewall and ASA running OS version 6.3 and later:
* Implement the nat 0 or static command, in addition to an access-group command tied to a specific access-list, to allow traffic initiated from a Less-Trusted zone to a More-Trusted zone
* Implement an access-group command tied to a specific access-list to restrict traffic initiated from a More-Trusted zone to a Less-Trusted zone
When the PIX Firewall or ASA runs OS version 7.0 or later, the following choices are available to adjust the various default behaviors:
* Implement the same-security-traffic permit command to allow traffic initiated from one security zone to another with an equal security level. The same command is also used to allow hair-pinning traffic
* Transform the default Layer-3 firewall behavior into a Layer-2 firewall using the firewall transparent command so the firewall does not participate in routing
* Partition the single physical firewall into multiple virtual firewalls using the mode command, allowing Active/Active or Active/Standby traffic flow with a separate routing table for each virtual firewall
2. Traffic Flow Order of Operation
For traffic initiated from a Less-Trusted to a More-Trusted network, here is what Cisco devices including the PIX Firewall and ASA expect:
* Incoming traffic hits the IP address as seen in the IP scheme of the Less-Trusted network. If there is NAT in place, the incoming traffic hits the NAT-ed IP address.
* Cisco devices check the incoming traffic for a match within the access-list. When there is a match, Cisco devices stop searching, treat the traffic per the matching rule, and exit. When there is no match, by default Cisco devices deny the traffic
* If a static command is in place to manage the NAT/PAT-ed IP addresses, Cisco devices translate the IP address accordingly and forward the traffic based on the routing table
Since the PIX Firewall and ASA are firewalls, by design they inspect traffic before forwarding it based on the routing table, as mentioned earlier. Any traffic that does not pass inspection is dropped and will not be forwarded.
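To tie together the default zone behavior just listed with the stateful TCP-versus-ICMP handling from the earlier section, here is an added Python model (not Cisco's code). The Firewall class, the interface names and security levels, the simplified inbound-ACL representation and the flow tuples are all constructed for this example; NAT is left out so the policy decision stands on its own.

```python
from dataclasses import dataclass, field

# Added example, not Cisco code: a toy evaluator of the default zone policy
# (security levels, same-security-traffic, hair-pinning, inbound access-group)
# plus the connection-table behaviour that lets TCP replies back in without a
# rule while ICMP replies need one. All names and values are constructed.
LEVELS = {"outside": 0, "dmz1": 1, "dmz2": 4, "inside": 100}


@dataclass
class Firewall:
    levels: dict
    permit_inter: bool = False   # same-security-traffic permit inter-interface
    permit_intra: bool = False   # same-security-traffic permit intra-interface
    # access-group applied "in" on an interface: list of (proto, dst_ip, dst_port)
    # permits, where None means "any". Applying an ACL replaces that interface's
    # implicit default with the ACL plus an implicit deny at the end.
    acl_in: dict = field(default_factory=dict)
    conns: set = field(default_factory=set)   # what "show conn" would list

    def _acl_permits(self, iface, proto, dst_ip, dst_port):
        return any(p == proto and ip in (None, dst_ip) and port in (None, dst_port)
                   for p, ip, port in self.acl_in[iface])

    def permit_initial(self, in_if, out_if, proto, dst_ip, dst_port):
        """Default behaviour for the first packet of a new flow."""
        if in_if == out_if:                                  # hair-pinning
            return self.permit_intra
        if self.levels[in_if] == self.levels[out_if]:        # equal security levels
            return self.permit_inter
        if in_if in self.acl_in:                             # explicit inbound ACL decides
            return self._acl_permits(in_if, proto, dst_ip, dst_port)
        return self.levels[in_if] > self.levels[out_if]      # More- to Less-Trusted only

    def forward(self, in_if, out_if, proto, src, dst):
        """Decide one packet; src and dst are (ip, port) tuples (port None for ICMP)."""
        # Returning TCP traffic of a connection already in the table needs no rule.
        if proto == "tcp" and (out_if, in_if, dst, src) in self.conns:
            return True
        # Anything else, including an ICMP echo reply (no handshake to match),
        # is a new one-way flow and must pass the interface policy.
        if not self.permit_initial(in_if, out_if, proto, dst[0], dst[1]):
            return False
        if proto == "tcp":
            self.conns.add((in_if, out_if, src, dst))        # inspected and recorded
        return True
```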
What Is New On ASA (Or PIX OS 7.2 and above) Compared To PIX Firewall Running PIX OS 6.3?
Note:
* PIX Firewall 500 series only supports PIX OS up to version 8.0(4). The ASA 5500 series supports OS versions beyond 8.0(4), possibly requiring a DRAM/Flash upgrade
* There are no known "real" differences between PIX OS 7.x and ASA OS 7.x from a software perspective
For further info, check out the following official Cisco online documentation links for specific OS version features.
Features
Legacy OS 6.3(5)
http://www.cisco.com/en/US/docs/security/pix/pix63/release/notes/pixrn635.html
OS 7.0(1)
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix_70rn.html#wp169795
OS 7.0(4)
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix704rn.html#wp213502
OS 7.0(5)
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix705rn.html#wp213502
OS 7.2(1)
http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn72.html#wp185529
OS 7.2(2)
http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn722.html#wp191103
OS 7.2(3)
http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn723.html#wp213761
OS 8.0
http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn80.html#wp191103
OS 8.0(3)
http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/prn803.html#wp191103
OS 8.0(4)
http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn804.html#wp191103
OS 8.1
http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn81.html#wp229690
Enable/Disable Communication on OS 7.0 image and newer
1. Troubleshooting on OS 7.0 image and newer
Establish and Troubleshoot Connectivity through PIX/ASA
Packet/Traffic Troubleshooting
2. Sample Configuration on OS 7.0 image and newer
ASA/PIX EIGRP Routing Support
Backup/Failover Routing
Single Firewall Partitioned Into Multiple Independent Firewalls: Introduction to Multiple Context
Active/Active PIX/ASA Stateful Redundancy
Active/Standby PIX/ASA Stateful Redundancy
Transparent (Layer-2) Firewall
QoS
ASA As SSL Server
SSL VPN Client (SVC) on ASA with ASDM Configuration Example
Clientless SSL VPN (WebVPN) on ASA Configuration Example
Thin-Client SSL VPN (WebVPN) on ASA with ASDM Configuration Example
Block or Restrict the Instant Messaging (IM) Traffic
URL Filtering
New Features and Deprecated Commands Starting OS version 8.3
You may notice that PIX Firewall appliances are unable to run the latest OS versions. The PIX 501 can only run up to OS version 6.3(5), while the PIX 515E and larger appliances can only run up to OS version 8.0. You need an ASA 5500 series appliance to run OS versions newer than 8.0.
Cisco ASA 5500 Migration Guide for Version 8.3
Discussion of OS version 9.1
ASA 5520 Fan Question
Licenses
For those who are eager to get their hands on an ASA or PIX Firewall, they need to consider the license factor. With either ASA or PIX Firewall, you should get the one with Unlimited Inside Hosts instead of 10 or 50 Inside Hosts. For the PIX Firewall, one with the Unrestricted license has more features compared to one with the Restricted license, while one with the Failover license can only work as the backup firewall for one with the Unrestricted license. For the ASA, one with the Security Plus license similarly supports more features. Both the Inside Hosts number and the license type a firewall carries can be verified through the show version command.
Upgrading from a lower license to a higher license may cost you dearly, to the point where getting a new firewall with the higher license may cost less than upgrading your existing firewall.
You can check out the following discussion for some illustration.
[HELP] Upgrade ASA 5505 License
Thanks to http://www.dslreports.com/faq/15531