
1-25

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

Firewall Functional Overview

Sending Traffic to the Content Security and Control Module, page 1-26

Applying QoS Policies, page 1-26

Applying Connection Limits and TCP Normalization, page 1-26

Enabling Threat Detection, page 1-26

Enabling the Botnet Traffic Filter, page 1-27

Configuring Cisco Unified Communications, page 1-27

Permitting or Denying Traffic with Access Lists

By default the ASA permits traffic from a higher-security interface (such as inside) to a lower-security one (such as outside) and denies the reverse. You can apply an access list to limit traffic from inside to outside, or to allow specific traffic from outside to inside.
For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.

Applying NAT

Some of the benefits of NAT include the following:

You can use private addresses on your inside networks. Private addresses are not routable on the
Internet.

NAT hides the local addresses from other networks, so an outside attacker does not directly learn the real address of a
host. This is obscurity rather than a control: what a host can reach, and what can reach it, is still decided by the access lists.

NAT can resolve IP routing problems by supporting overlapping IP addresses.
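The following is a constructed ASA configuration, added here as an example and not taken from the guide, that puts access lists and NAT together: dynamic PAT for a private inside network, a static translation that publishes one web server, and an access list in each direction. The addresses, interface names and object names are assumptions, as is the ASA 8.3-or-later object NAT syntax.

```cisco
! Added example. Assumed: inside network 192.168.1.0/24, web server 192.168.1.10,
! outside interface on 203.0.113.0/24, ASA software 8.3 or later.

! Dynamic PAT: the whole inside network leaves through the outside interface address.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Static NAT: publish the web server on 203.0.113.10.
object network WEB_SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10

! Inbound from the Internet: only HTTPS to the web server; everything else is denied and logged.
! Since 8.3 an interface access list matches the real (untranslated) address, so the
! object holding the host address is referenced, not the mapped 203.0.113.10.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Outbound from inside: restrict to web and DNS instead of the default
! "permit everything to lower-security interfaces".
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list INSIDE_OUT extended permit udp 192.168.1.0 255.255.255.0 any eq 53
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

To check the result without real traffic, run `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443`; the output walks through the NAT and access-list phases and shows whether the packet is allowed. `show nat` reports translation hit counts and `show access-list OUTSIDE_IN` the hit count per entry, which is the quickest way to spot an entry that never matches because it was written against the mapped address.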

Protecting from IP Fragments

The ASA provides IP fragment protection. This feature performs full reassembly of all ICMP error
messages and virtual reassembly of the remaining IP fragments that are routed through the ASA.
Fragments that fail the security check are dropped and logged. Virtual reassembly cannot be disabled.
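Although virtual reassembly cannot be turned off, its limits can be tuned per interface with the `fragment` command. The constructed configuration below is an added example, not text from the guide; the interface name and the chosen limits are assumptions, and the defaults quoted in the comments are the ASA defaults.

```cisco
! Added example. Interface name "outside" and the limits are assumptions.
! ASA defaults: size 200, chain 24, timeout 5 (seconds).

! Cap the fragment database for the outside interface at 200 queued fragments.
fragment size 200 outside
! Allow at most 8 fragments per original packet; longer chains are dropped.
! "fragment chain 1 outside" would reject every fragmented packet on the interface,
! which is a common choice for an Internet-facing interface.
fragment chain 8 outside
! Discard a partial chain that is not completed within 5 seconds.
fragment timeout 5 outside
```

`show fragment outside` displays the configured limits together with the counters for queued, reassembled and discarded fragments; dropped fragments also appear in the syslog, so a sudden rise there is worth correlating with threat-detection statistics.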

Using AAA for Through Traffic

You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.
The ASA also sends accounting information to a RADIUS or TACACS+ server.
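The constructed configuration below is an added example, not part of the guide, of this cut-through proxy for web traffic from the inside network using a TACACS+ server. The server address, group name, shared secret and the inside network are assumptions.

```cisco
! Added example. Server address, group name, key and inside network are assumptions.
aaa-server TACACS_SRV protocol tacacs+
aaa-server TACACS_SRV (inside) host 192.168.1.5
 key example-shared-secret-change-me

! Traffic that must be authenticated: HTTP and HTTPS from the inside network.
access-list AUTH_WEB extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list AUTH_WEB extended permit tcp 192.168.1.0 255.255.255.0 any eq 443

! Authenticate, authorize and account for connections that match the access list.
aaa authentication match AUTH_WEB inside TACACS_SRV
aaa authorization match AUTH_WEB inside TACACS_SRV
aaa accounting match AUTH_WEB inside TACACS_SRV

! Present the login prompt over TLS rather than in clear-text HTTP.
aaa authentication secure-http-client

! Re-authenticate after 30 minutes regardless of activity.
timeout uauth 0:30:00 absolute
```

`show uauth` lists the users currently authenticated through the firewall and the time left on each entry. Note that the match access list selects which through-traffic is challenged; traffic it does not match is handled by the interface access lists alone.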

Applying HTTP, HTTPS, or FTP Filtering

Although you can use access lists to prevent outbound access to specific websites or FTP servers,
configuring and managing web usage this way is not practical because of the size and dynamic nature of
the Internet. We recommend that you use the ASA in conjunction with a separate server running one of
the following Internet filtering products:

Websense Enterprise

Secure Computing SmartFilter
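The constructed configuration below is an added example, not from the guide, of pointing the ASA at a Websense server and turning on URL filtering; the server address and the DMZ interface are assumptions.

```cisco
! Added example. The filtering server address and the dmz interface are assumptions.
url-server (dmz) vendor websense host 10.0.2.5 timeout 30 protocol TCP version 4

! Filter every outbound HTTP request: "0 0" for the local address/mask and
! "0 0" for the foreign address/mask means any source to any destination.
! Without the trailing "allow" keyword the ASA blocks web traffic while the
! filtering server is unreachable (fail closed); adding "allow" passes it unfiltered.
filter url http 0 0 0 0

! HTTPS and FTP are filtered by destination only, since the URL path is not visible.
filter https 443 0 0 0 0
filter ftp 21 0 0 0 0
```

`show url-server` confirms that the server is reachable and `show url-server statistics` shows how many requests were checked, allowed and denied. Decide the fail-open versus fail-closed behaviour deliberately: a filtering server outage that silently fails open removes the control without any visible symptom to users.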

Applying Application Inspection

Inspection engines are required for services that embed IP addressing information in the user data packet
or that open secondary channels on dynamically assigned ports. These protocols require the ASA to
perform a deep packet inspection.
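The constructed configuration below, an added example rather than text from the guide, enables three such inspection engines in the default global service policy. The class and policy names are the ones the ASA factory configuration creates; the `strict` option and the choice of engines are assumptions for the example.

```cisco
! Added example. Class and policy names match the ASA factory defaults.
class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  ! FTP: follow PORT/PASV so the data channel on a dynamic port is opened, rewrite
  ! the address embedded in the command when NAT applies, and with "strict" reject
  ! commands that do not follow the RFC command sequence.
  inspect ftp strict
  ! DNS: enforce the maximum message length and match replies to outstanding queries.
  inspect dns
  ! SIP: rewrite embedded addresses and open pinholes for the negotiated RTP ports.
  inspect sip

service-policy global_policy global
```

`show service-policy inspect ftp` reports the packets each engine has seen and dropped. Keep in mind that an inspection engine only helps when it can read the protocol: FTP over TLS or SIP over TLS hides the embedded addresses and port negotiation, so the secondary channels will be blocked unless explicitly permitted.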
