ASA Firewall Interview Questions and Answers – Network Professional Member Site

ASA Firewall Interview Questions and Answers

ASA Firewall Interview Questions and Answers

Ques 1. What is a Firewall?

A Network Firewall may be Hardware or a Software device – It protects a computer network from unauthorized access. Network firewalls guard an internal LAN network from malicious access from the outside/unsecured zone, such as malware-infested websites or vulnerable ports. The main purpose of a firewall is to separate a secured area (Higher security Zone / Inside Network) from a less secure area (Low security Zone / Outside Network etc.) and to control communication between the two. Firewall also controls inbound and outbound communications across devices.

Ques 2. What Is Default Route Configuration Command In ASA Firewall?

Below is the syntax –
(config)# route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]

Ques 3. What Is Default TCP Session Timeout?

Default TCP session timeout is 1 hour (3600 seconds).

Ques 4. What Is A Transparent Firewall?

Transparent mode firewall is one of the modes ASA Firewall may be configured in. In transparent mode, Firewall works on layer 2 hop and does not function as a Layer 3 hop. Mac lookup and

forwarding is done through destination mac address. The outside and inside interface in transparent mode exist in the same network.

Benefits of using firewall in transparent mode –

No change required on existing IP addressing
Protocols such as HSRP, VRRP, and GLBP can pass.
Multicast streams can traverse
Non-IP traffic can be allowed (IPX, MPLS, BPDUs etc.)
Routing protocols can establish adjacencies through the firewall

Ques 5. What are security levels in Cisco ASA?
“Security Level” signifies the trustworthiness of an interface when compared to other interfaces on same device. In simple terms, Higher Security level means High trust interface while Lower Security Level means Low trust interface. Each interface on the ASA is a security zone. Cisco ASA can be configured to have multiple security levels between 0 and 100. Below is description of the security levels –

Security Level 100 – This is the highest and most trusted security level. As a default, “Inside” interface is assigned the security level of 100. LAN subnets usually come under this category level. Security Level 100 traffic can reach to any of the other lower security Levels configured on the same Firewall.
Security level 0 – This is the lowest and least secured Security Level on ASA Firewall. “Outside” Interface of ASA Firewall comes under Security Level 0. Internet is the most common example of security level 0. Default Firewall behaviour is to block any traffic from untrusted Zone (Security Level 0) trying to reach any destination of other security level.
Security level 1 to 99 – Security Level from 1 to 99 can be assigned to multiple Zone like DMZ (DMZ is assigned Security Level 50). Another example is extranet Zone which may be assigned customised Security Level of 50.

Ques 6. In which 2 modes does ASA work? How are the 2 modes different?

2 modes in which ASA can work are –

Routed Mode
Transparent mode

The differences between both modes is illustrated in below table –

Ques 7. What Is Default Security Level For Inside Zone In ASA?

Default Security Level for Inside Zone in ASA is “100”

Ques 8. How to allow packets from lower security level to higher security level?

An ACL needs to be applied for allowing traffic from Lower Security Level towards Higher Security Levels.

Ques 9. How to allow packets from between VLANs/Interfaces across same security level?

If the interfaces have the same security level, traffic will not be permitted. In order to allow, unless the “same-security-traffic” global configuration command is used.

Ques 10. What Command to Check NAT Table in Cisco ASA?

“Show xlate”

Ques 11. Can We Block HTTPS Traffic On Firewall?

HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic since content is encrypted (SSL).However, ASA with Sourcefire is able to analyse HTTPS traffic and block/allow the same.

Ques 12. Can We Mix Different Models In Clustering I.e. Can 5510 Be Clustered With 5520?

No, we can’t mix different ASA models.

Ques 13. Does The ASA Supports Server Load Balancing?

No, ASA doesn’t support Server Load Balancing.

Ques 14. Can We Use ASA For Web Filtering Like Proxy?

Yes, ASA can be used for Web Filtering

Ques 15. Firewall Works at which layer?

Firewall works at Layer 4 of OSI Model. Some firewalls work upto Application layer (HTTP, HTTPS etc.)

Ques 16. Difference between Stateful and stateless firewall?

Below table differentiates Stateless and Stateful Firewall –

Ques 17. What information does Stateful Firewall maintain?

Stateful Firewalls consist of a Stateful technology which maintains the state of every connection coming through the firewall. Whenever a packet is to be sent across the firewall, the information of state stored in the state table is used to either allow or deny flow of packet.

Stateful Firewalls perform decisions based on following criteria –

Source IP address
Destination IP address
Protocol type (TCP/UDP)
Source port
Destination port
Connection state

Below is an example scenario showing how Stateful Firewall functions –

Ques 18. Does ASA inspect ICMP by default?

ICMP inspection is not enabled by default in ASA Firewall.

Ques 19. What are timeout values in ASA firewall for TCP, UDP and ICMP sessions?

The default timeout values are –
timeout conn – The idle time after which a connection closes. Default value is 1 hour
timeout half-closed – The idle time until a TCP half-closed connection closes. The default is 10 minutes.
timeout udp – The idle time until a UDP connection closes. The default is 2 minutes.
timeout icmp -The idle time for ICMP. The default is 2 seconds

Ques 20. Active FTP vs. Passive FTP?

In an Active FTP mode, the client initiates the request to opens a port and then listens. Client sends the FTP command PORT M to inform the server on which port it is listening and server actively connects to the client from its port 20, the FTP server data port.

In a Passive FTP mode, the server opens a port, passively listens and the client uses the control connection to send a PASV command to the server and then receives a server IP address and server port number from the server for the client connect to it. Further, Passive mode is used generally where the client is behind a firewall and unable to accept incoming TCP connections. When we look at overall security perspective, passive FTP mode is preferred safety measure.

Ques 21. Does Cisco ASA support BGP?

Starting ASA Version 9.2(1), BGP is supported on Cisco ASA Firewalls.

Ques 22. What is FWSM? Where is this used?

FWSM (Firewall Service module) is a module that you can install in a modular chassis switch, such as

6500 series or Cisco 7600 Series Router. It is a High speed firewall which integrates as module within

the chassis of 6500/7600 Series devices. Upto 4 FWSM modules can be installed into one chassis.

Ques 23. Difference between PIX and ASA?

Below table illustrates difference between PIX and ASA –

Ques 24. Which command is used in ASA to view connections?

“Show conn”

Ques 25. What is functionality of NAT control in Cisco Firewalls?

NAT Control is function used to enforce the use of NAT in ASA. NAT control requires that packet traversing the ASA in any direction match a NAT rule.
8.3 and higher: NAT-control is disabled by default and cannot be configured.

Ques 26. What are types of Contexts in ASA?

Contexts in ASA can be of 3 types –

System Context
Admin Context

Normal Context

System Context – This context allows to add and manage other contexts by the configuration of each context configuration location, allocated interfaces, and other context operational parameters. Only management IP address can be assigned in this context and no other IP can be given. Another key feature of system context is ability to upgrade or downgrade the ASA software.

Admin Context – Admin context allows the user to have system administrator rights, and to access the system and all other contexts. During conversion from a Single mode to the Multiple Context mode, the admin context is created automatically and the configuration file will be created on the flash memory. Admin context is not counted in the context license.

Normal Context – It is the actual partitioned firewall. Normal context can be accessed via Console, Telnet, SSH, and ASDM.If we log in to a normal (non-admin context), we can only access the configuration for that context.

Ques 27. What is PFS?

Perfect Forward Secrecy (PFS) is an encryption solution which assures that session keys will not be compromised even if the private key of the server is compromised. In other words, if one of these session keys is compromised, data from any other session will not be affected. PFS is an additional security layer for customer VPN connections.

Ques 28. Difference between checkpoint and ASA?

Below table describes key differences between Checkpoint and ASA –

Ques 29. What are hardware and software requirements for 2 ASA in HA?

Hardware Requirements for 2 ASA in HA (Cluster) –

Both units in a Failover configuration must have
Same model
Same number and types of interfaces
Same modules installed
Same RAM installed

Software Requirements for 2 ASA in HA (Cluster) –

Both units in a Failover configuration must have
Same firewall mode (routed or transparent).
Same context mode (single or multiple).
Same major and minor software version

Same AnyConnect image

License Requirements for 2 ASA in HA (Cluster) –
The two units configured in a failover don’t need to have identical licenses; the licenses

combine to make a failover cluster license.

Ques 30. Which command will forcefully activate secondary firewall to become active firewall?

When Primary Firewall is issued the command “no failover active”, it forcefully activates the secondary Firewall to become active.
“Failover active” command will trigger fail back to original active firewall.

Ques 31. What is spoofing and what is anti-spoofing?

Spoofing is a technique used to gain unauthorised access to server applications by an attacker, who illegally mimics another machine by manipulating IP packets. Spoofing attack initiates from outside unsecured Internet and the attacker on the unsecured Internet spoofs the company inside IP address to make it look like it’s part of the inside of customer LAN network.

Antispoofing is a technique for identifying and dropping packets that have a false source address. Spoofed packets can be detected by setting up rules on a firewall, router ,network gateway or even at the ISP end.

Ques 32. Which ASA platform series in used nowadays?

Following are the list of few ASA models in use nowadays –

ASA 5555-X with FirePOWER Services
ASA 5545-X with FirePOWER Services
ASA 5525-X with FirePOWER Services
ASA 5516-X with FirePOWER Services
ASA 5508-X with FirePOWER Services
ASA 5506H-X with FirePOWER Services
ASA 5506W-X with FirePOWER Services
ASA 5506-X with FirePOWER Services

Ques 33. What is DMZ Zone? What is DMZ zone used for?

DMZ Zone is considered with reference to Perimeter Firewall. DMZ Zone has security level 50 on ASA Firewall and is what sits between an organisation’s internal network and an external network. A DMZ network enables Internet users to access the public servers of a company. The DMZ network maintains the security for a company’s private LAN.

Some of services residing in DMZ Zone include –

Applications servers
VPN

Proxy Servers
Global Load balancers
Ques 34. What is DOS and DDOS?

A Denial of Service (DoS) attack is made from a single machine where the attack may be directed to a specific Server, a specific port or service on a target. It may also be to a network / a network component, to a firewall or to any other system. A DoS attack is made from a single machine to a victim.

A Distributed Denial of Service (DDoS) attack is an attack from more than one source or from more than one location. Most of times, the DDoS attackers are not aware that they are part of DoS attack against a site, and are duped into joining the attack by a third party. In a DDoS, the attack generation is instead distributed across multiple computers.

Ques 35. Explain Active/Active failover?

Active-Active Failover is the scenario in Cisco ASA configuration where both the ASAs pass the network traffic by splitting traffic into groups. This type of flow is only possible with Multiple Context mode. Both the ASA units are divided into Failover Groups where 1st unit is Active for one Failover Group while the 2nd unit performs Active role for the second Failover Group. The other unit takes over during event of Active unit going down. Active-Active setups are generally done to allow more traffic to pass through the firewalls than a single unit can handle.

Ques 36. Explain Active/Standby failover?

Active-Standby Failover is the scenario in Cisco ASA configuration where one ASA unit acts as Active unit while the other performs as Standby unit. The Standby unit keeps on monitoring the Active unit and state information is shared across both. During event of Active unit going down, the standby unit takes over role of Active unit and starts forwarding traffic. The unit that becomes active assumes the IP addresses and MAC addresses of the failed unit and before beginning to pass traffic.

Ques 37. What are different types of ACL in firewall?

The ASA uses the following types of ACLs –

Extended ACLs – These ACLs are used for access rules to control (permit and deny) traffic flow through the device. It’s also used as matching criteria for many features including –

Service Policies
AAA rules
WCCP
Botnet Traffic Filter
VPN group
DAP policies.

EtherType ACLs – This type of ACL is applied to non-IP layer-2 traffic on bridge group member interfaces only. We may use these rules to control (permit or drop) traffic based on the EtherType value in the layer-2 packet.

Webtype ACLs – Webtype ACLs are used for filtering clientless SSL VPN traffic. These ACLs can deny access based on URLs or destination addresses.

Standard ACLs – Standard ACLs are used to identify traffic by destination address only. These are used for few features only like –

Route maps
VPN filters
Since extended access lists also work for VPN filters, therefore we can say that Standard ACLs are limited in use to route maps.

Ques 38. What is SYN flooding?

SYN Flooding is a Denial of service attack where victim server is rendered unresponsive since the attack consumes resources of the targeted server.SYN flooding makes use of TCP 3 way handshake by repeatedly sending SYN packets to every port of the server. The server responds to each attempt with a SYN-ACK (synchronization acknowledged) packet from each open port by temporarily opening a communications port for each attempted connection and then waits for a final ACK (acknowledgement) message from the source .The attacker never sends the final ACK message, therefore the connection is never completed. As per TCP standard timeout values, the temporary connection will eventually time out and close. This leaves target server is with many incomplete connections.

Ques 39. What is difference between ACL on ASA and Router?

Below table enumerates difference between ACL on Router and ACL on Firewall –

Ques 40. Can we create loopback on ASA?

No, ASA Firewalls don’t support Loopback creation.

Ques 41. Which command is used to capture packets on ASA?

“CAPTURE” is the keyword used in command to capture packets. Below are the 2 steps in running Capture –
Step1–
Capture using a match statement –

capture <cap-name> match ip <criteria> or
Capture using Access list –
capture <cap-name> access-list <acl>

Step2-

Specify the interface upon which the capture should be performed: capture <cap-name> interface <ifname>

Ques 42. How to configure a static and default route on ASA?

Syntax and example of configuring static route on ASA is given below –

Syntax –

route if_name dest_ip mask gateway_ip [distance]

Example –

hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1 Syntax and example of configuring Default route on ASA is given below –

Syntax –

route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]

Example –

hostname(config)# route outside 0 0 192.168.1.1 tunneled

Ques 43. Which features are not supported in transparent mode?

Transparent mode does not support following features –

QoS
Dynamic/Multicast Routing
DHCP Relay
Dynamic DNS
IP Multicast Routing
VPN termination

Ques 44. Which commands are used to convert routed mode to transparent mode and vice versa?

Routed mode to transparent mode – ciscoasa(config)# firewall transparent

Transparent mode to routed mode – ciscoasa(config)# no firewall transparent

Ques 45. Which features are not supported in multiple context mode?

Multiple context mode does not support the following features –

Dynamic Routing
Multicast routing
Threat Detection
Unified Communications
QoS
Remote access VPN

Ques 46. What is order of preference of NAT types in Cisco ASA?

NAT Rule order follows the below –

1) Twice NAT
2) Network object NAT –
Following order is applied in this section –

o Static rules.

o Dynamic rules 3) Twice NAT

Ques 47. What type of end systems/services reside in DMZ Zone?

Some of the services residing in DMZ Zone are –

Web Servers
FTP Servers
Mail Servers
Proxy Servers
Web Application Firewall

Ques 48. What type of end systems/services reside in EXTRANET Zone?

Some of the services leveraging/connecting via Extranet Zone are –

Vendors

Partners

Parties outside Company’s administrative scope
New companies merging into parent company

Ques 49. Which command is used to verify the failover state?

Show failover state

Ques 50. Which command is used to check the traffic on interfaces, the packet and byte counters.

Show Interface <Interface number>

OTHER CONTENTS

OTHER CONTENTS