10-30-2012 07:53 AM - edited 03-11-2019 05:16 PM
Hi Experts,
I have worked with a lot of firewalls but I did not understand the actual use of this.
I know only one definition for Firewall => The firewall restricts unauthorized access
from the outside; it protects from hackers and crackers.
It is only an example to understand:
SSL = it works on encryption algorithms like DSA, AES, DES
1) In the above example, SSL works on encryption algorithms. In the same way,
a firewall works on which method / protocol / feature through which
it protects from unauthorised outsiders? Which is a feature of a firewall,
seeing that we can say it works on?
2) What is the actual use of a firewall in any network?
3) Is a firewall a good device to prevent unauthorised access or hackers?
If no, then which device do I need to buy? I heard about IDS/IPS.
4) In my sight, Cisco Router (specific models) and Cisco ASA firewall functionality
seem to be the same. Some IOS of Router provide the same features like NAT/PAT,
ACL, IPS/IDS, Content filter. I have checked through the Cisco Navigation tool.
If I am wrong, please correct me.
KS
10-30-2012 09:38 AM
Hello,
1) The firewall could use SSL for traffic to the box (this means it will be encrypted, so if an outside user intercepts the traffic they will not be able to understand what the client is doing with the ASA).
A deep packet inspection firewall can also inspect SSL sessions.
2) There are different uses, for example: VPN termination device, as a proxy server, allows traffic across the network using stateful inspection and ACLs, performs NAT, allows traffic based on signatures or the behavior of your network (anomaly detection, etc.)
3) Yes, it is a great device to prevent this. Of course there is no device that will protect you from all the different attacks; that is why Cisco encourages you to use different devices at different places on your network (an IPS will always be great).
4) You are correct, the IOS router can be configured as a firewall or IDS/IPS. ASA is more flexible as it was built as a security device, but the IOS router can be as secure as the ASA.
Regards,
Remember to rate all of the helpful posts (If you do not know how to do it, just let me know, I will teach you)
Julio
10-30-2012 10:12 AM
Hi Julio,
Thanks for the reply...
1) How to use SSL with Cisco ASA?
Is Cisco ASA CLI or GUI based? Please send me a screenshot-based URL.
10-30-2012 10:30 AM
Hello,
You can do it both ways:
ASDM:
http://ciscogeek.org/activate-asdm-as-gui-interface-for-cisco-asapix-firewall/
http://www.net-gyver.com/?p=1419
Anyconnect:
http://www.tech21century.com/how-to-configure-anyconnect-ssl-vpn-on-cisco-asa-5500/
Regards,
Remember to rate all of the helpful posts (If you do not know how to do it, just let me know, I will teach you)
Julio
10-30-2012 10:48 AM
Hi Julio,
1) I am not talking about SSL for VPN....
I simply want to know how we can configure the firewall
so it restricts the unauthorized outside user. That's it.
10-30-2012 10:59 AM
Hello,
So you mean you have an inside HTTP server and you want to restrict SSL access to that server.
Simple, just configure an ACL and apply it to the outside interface of the ASA:
acces-list OUTSIDE_IN permit tcp host 4.2.2.2 host 8.8.8.8 eq 443
acces-list OUTSIDE_IN permit tcp deny any host 8.8.8.8 eq 443
access-group OUTSIDE_IN in interface outside
With this you will restrict the SSL access across your network from intruders on the outside.
Remember to rate all of the helpful posts (If you do not know how to do it, just let me know, I will teach you)
10-30-2012 11:32 AM
Hi Julio,
Let's forget SSL in my case.......
My main concern is to restrict unauthorized persons from outside.
So what configuration will be needed in the ASA?
Second question, it is related to the access list command which you sent me:
acces-list OUTSIDE_IN permit tcp deny any host 8.8.8.8 eq 443
Can we use the permit and deny keywords in the same command?
10-30-2012 11:47 AM
Hello Kuldeep,
You can use ACLs, intrusion prevention mechanisms, Unicast Reverse Path checks, etc.
Yes, it can be done using ACLs. No, not on the same line. My bad (typo).
It has to be permit or deny.
As an example:
access-list OUTSIDE_IN deny tcp any host 8.8.8.8 eq 443
access-list OUTSIDE_IN deny tcp any host 8.8.8.8 eq 25
access-list OUTSIDE_IN permit tcp any any
Regards,
10-30-2012 11:54 AM
Hi Julio,
One more question related to your ACL:
acces-list OUTSIDE_IN permit tcp host 4.2.2.2 host 8.8.8.8 eq 443
What does this access list command mean? Generally we use
private IP addresses for the LAN, but you are using IPs like 4.2.2.2 and
8.8.8.8. Why?
10-30-2012 12:03 PM
Hello,
It's just an example.
I am using public IP addresses as we are applying the ACL to the outside interface, and that interface is usually the internet edge, so it will have public IP addresses.
Now you said you have 192.x.x.x on your internal network (as an example). How would you access that IP over the internet? Using NAT, right (a public IP address)? That is why on the ACL we make reference to the public IP address.
Regards,
Remember to rate all of the helpful posts (If you do not know how to do it, just let me know, I will teach you)
11-01-2012 02:48 AM
Hi Julio,
I am confused with access list configuration on the Cisco ASA/PIX.
Please see the example given below, which is the same as your example.
access-list Outside-In permit tcp any host 45.115.215.1 eq 3389
access-list Outside-In permit tcp any host 33.115.215.1 eq 80
1) Is it a named ACL type or something else? There are some types
of access list, as we all know: 1. Standard 2. Extended 3. Named,
but in the above named access list there is no extended or standard keyword
used.
2) Can I use a numbered access list with the ASA or not?
11-01-2012 11:50 AM
Hello Kuldeep,
1) By default on the ASA the ACLs will be extended; if you want a standard one you will need to specify it.
Example: access-list test standard permit 4.2.2.0 255.255.255.0
2) Yes, you can.
Kuldeep remember to rate all of the helpful posts, if you do not know how to rate a post, just let me know ...I will let you know how.
Regards,
Julio
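As an added example (not configuration from this thread or from Cisco documentation), the following pulls together Julio's points from the previous answers: the inside server is published with NAT, an explicitly typed extended ACL on the outside interface allows only HTTPS to it, and a standard ACL is shown for contrast. All addresses are constructed (RFC 5737 documentation ranges for public addresses, RFC 1918 for the inside host), and the object and ACL names are assumptions. One caveat a practitioner should know: the syntax below is ASA 8.3 and later, where the interface ACL references the real (inside) address; on releases before 8.3 the ACL references the translated public address, as in Julio's examples.

```cisco
! Added example, not from this thread. ASA 8.3+ syntax; all addresses are
! constructed (RFC 5737 documentation ranges public, RFC 1918 inside).
!
! Inside HTTPS server published to the Internet on a public address.
object network WEB_SERVER
 host 192.168.10.20
 description Inside HTTPS server (constructed example)
 nat (inside,outside) static 203.0.113.20
!
! Inbound policy for the outside interface. "extended" is the default ACL
! type on the ASA; it is written out here so the type is visible.
! Lines are evaluated top down, the first match wins, and anything that
! matches no line is dropped by the implicit deny at the end of the list.
! On 8.3+ the interface ACL names the REAL (inside) host via the object,
! not the translated 203.0.113.20 that pre-8.3 examples would use.
access-list OUTSIDE_IN remark Allow only HTTPS from the Internet to the web server
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 443
access-list OUTSIDE_IN remark Explicit catch-all so dropped packets are logged and counted
access-list OUTSIDE_IN extended deny ip any any log
!
access-group OUTSIDE_IN in interface outside
!
! A standard ACL on the ASA matches destination networks only and is used
! for route maps or VPN split tunnelling, never as an interface filter.
access-list INSIDE_NETS standard permit 192.168.10.0 255.255.255.0
!
! Verification (run from privileged EXEC):
!   show access-list OUTSIDE_IN      <- per-line hit counts show which rule matched
!   show nat detail                  <- confirms the static translation
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 443
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.20 22
! The first packet-tracer should end in ALLOW on the permit line, the second in
! DROP on the deny line; the hit counts in show access-list increment accordingly.
```

The explicit `deny ip any any log` at the end is optional (the implicit deny already drops the traffic) but is worth keeping on an edge ACL, because it makes the drops visible in the hit counters and in syslog, which is where a defender first notices unexpected inbound connection attempts.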
11-01-2012 12:00 PM
Hi Julio,
2) Can you please send me a link where I can see an ASA configured
with a numbered access list.....
11-01-2012 12:09 PM
Hello, Kuldeep,
asa(config)# access-list 123 permit ip any any
Remember to rate all of the helpful posts
11-01-2012 05:42 PM
Kuldeep,
Please find more information about ACLs here:
How to configure ACLs on the Cisco ASA
Fundamentals of Cisco ASA Security Appliance Access Control Lists
HTH.
Portu.
Please rate any helpful posts