1-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 1
Basic Access Control
Step 5 Implement Network Address Translation (NAT). See Network Address Translation, page 1-4.
Step 6 Implement application inspection if the default settings are insufficient for your network. See
Application Inspection, page 1-5.
Basic Access Control
Access rules, applied per interface or globally, are your first line of defense. You can drop, upon entry,
specific types of traffic, or traffic from (or to) specific hosts or networks. By default, the ASA allows
traffic to flow freely from an inside network (higher security level) to an outside network (lower security
level).
You can apply an access rule to limit traffic from inside to outside, or allow traffic from outside to inside.
Basic access rules control traffic using a “5-tuple” of source address and port, destination address and
port, and protocol.
You can augment your rules by making them identity aware. This lets you configure rules based on user
identity or group membership. To implement identity control, do any combination of the following:
• Install Cisco Context Directory Agent (CDA), also known as AD agent, on a separate server to
collect user and group information already defined in your Active Directory (AD) server. Then,
configure the ASA to get this information, and add user or group criteria to your access rules.
• Install Cisco Identity Services Engine (ISE) on a separate server to implement Cisco Trustsec. You
can then add security group criteria to your access rules.
• Install the ASA FirePOWER module on the ASA and implement identity policies in the module. The
identity-aware access policies in ASA FirePOWER would apply to any traffic that you redirect to
the module.
Related Topics
• Access Control Lists, page 3-1
• Access Rules, page 4-1
• Identity Firewall, page 5-1
• ASA and Cisco TrustSec, page 6-1
• ASA FirePOWER Module, page 7-1
Application Filtering
The wide-spread use of web-based applications means that a lot of traffic runs over the HTTP or HTTPS
protocols. With traditional 5-tuple access rules, you either allow or disallow all HTTP/HTTPS traffic.
You might require more granular control of web traffic.
You can install a module on the ASA to provide application filtering to selectively allow HTTP or other
traffic based on the application being used. Thus, you do not have to make a blanket permit for HTTP.
You can look inside the traffic and prevent applications that are unacceptable for your network (for
example, inappropriate file sharing). When you add a module for application filtering, do not configure
HTTP inspection on the ASA.
To Next Page
Loading...
Need help?
General