
ASA Firewall Interview Questions and Answers

Ques 1. What is a Firewall?

A network firewall may be a hardware or a software device that protects a computer network from
unauthorized access. Network firewalls guard an internal LAN from malicious access originating in
the outside/unsecured zone, such as malware-infested websites or vulnerable ports. The main
purpose of a firewall is to separate a secured area (higher security zone / inside network) from a
less secure area (low security zone / outside network etc.) and to control communication between
the two. A firewall also controls inbound and outbound communications across devices.

Ques 2. What Is Default Route Configuration Command In ASA Firewall?


Below is the syntax -
(config)# route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]

Ques 3. What Is Default TCP Session Timeout?


Default TCP session timeout is 1 hour (3600 seconds).

Ques 4. What Is A Transparent Firewall?

Transparent mode is one of the modes the ASA Firewall may be configured in. In transparent mode
the firewall acts as a Layer 2 hop ("bump in the wire") and does not function as a Layer 3 hop.
Forwarding is done through a MAC lookup on the destination MAC address. The outside and inside
interfaces in transparent mode exist in the same network.

Benefits of using the firewall in transparent mode –

- No change required to existing IP addressing
- Protocols such as HSRP, VRRP, and GLBP can pass
- Multicast streams can traverse
- Non-IP traffic can be allowed (IPX, MPLS, BPDUs etc.)
- Routing protocols can establish adjacencies through the firewall

Ques 5. What are security levels in Cisco ASA?

“Security Level” signifies the trustworthiness of an interface when compared to the other interfaces
on the same device. In simple terms, a higher security level means a more trusted interface, and a
lower security level means a less trusted interface. Each interface on the ASA is a security zone. Cisco
ASA can be configured with multiple security levels between 0 and 100. The security levels are
described below –

Security Level 100 – This is the highest and most trusted security level. By default, the “Inside”
interface is assigned security level 100. LAN subnets usually fall under this level. Traffic from
security level 100 can reach any of the lower security levels configured on the same firewall.

Security Level 0 – This is the lowest and least trusted security level on the ASA Firewall. The
“Outside” interface of the ASA Firewall comes under security level 0, and the Internet is the most
common example of a security level 0 network. The default firewall behaviour is to block any traffic
from the untrusted zone (security level 0) trying to reach a destination in any other security level.

Security Level 1 to 99 – Security levels from 1 to 99 can be assigned to multiple zones such as the
DMZ (which is assigned security level 50). Another example is an extranet zone, which may be
assigned a customised security level of 50.

Ques 6. In which 2 modes does ASA work? How are the 2 modes different?
The 2 modes in which ASA can work are –
- Routed mode
- Transparent mode
The differences between the two modes are illustrated in the table below -

Ques 7. What Is Default Security Level For Inside Zone In ASA?


Default Security Level for Inside Zone in ASA is “100”

Ques 8. How to allow packets from lower security level to higher security level?
An ACL needs to be applied for allowing traffic from Lower Security Level towards Higher Security
Levels.

Ques 9. How to allow packets from between VLANs/Interfaces across same security level?
If the interfaces have the same security level, traffic between them is not permitted unless the
“same-security-traffic” global configuration command is used.
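A small simulation of the default inter-interface policy described in Ques 5, 8 and 9 (higher-to-lower allowed, lower-to-higher only with an ACL, equal levels only with same-security-traffic). This is an added illustration and not Cisco code; the interface names, levels and ACL contents are constructed.

```python
# Simulation of the ASA default inter-interface policy from Ques 5, 8 and 9:
# higher-to-lower security level flows are allowed, lower-to-higher need an ACL, and
# equal levels need "same-security-traffic". Added illustration, not Cisco code;
# interface names, levels and ACL contents below are constructed.


class AsaPolicy:
    def __init__(self, levels):
        self.levels = dict(levels)  # interface name -> security level (0-100)
        self.acls = {}              # ingress interface -> set of egress interfaces its ACL permits
        self.same_security_permitted = False  # "same-security-traffic permit inter-interface"

    def apply_acl(self, ingress, permitted_egress):
        """Apply an inbound ACL on `ingress`; anything not listed hits the implicit deny."""
        self.acls[ingress] = set(permitted_egress)

    def permits(self, ingress, egress):
        """Return (allowed, reason) for a new flow entering on `ingress` and leaving on `egress`."""
        src_level, dst_level = self.levels[ingress], self.levels[egress]
        if ingress in self.acls:    # an inbound ACL replaces the security-level default
            if egress in self.acls[ingress]:
                return True, f"permitted by the inbound ACL on {ingress}"
            return False, f"implicit deny at the end of the ACL on {ingress}"
        if src_level == dst_level:
            if self.same_security_permitted:
                return True, "same security level, same-security-traffic permitted"
            return False, "same security level, same-security-traffic not configured"
        if src_level > dst_level:
            return True, f"higher ({src_level}) to lower ({dst_level}): allowed by default"
        return False, f"lower ({src_level}) to higher ({dst_level}): needs an ACL"


def demo():
    """Walk a few flows through a constructed four-interface ASA and return the verdicts."""
    asa = AsaPolicy({"inside": 100, "dmz": 50, "extranet": 50, "outside": 0})
    verdicts = {
        "inside->outside": asa.permits("inside", "outside")[0],
        "outside->dmz (no ACL)": asa.permits("outside", "dmz")[0],
        "dmz->extranet (no same-security)": asa.permits("dmz", "extranet")[0],
    }
    asa.apply_acl("outside", ["dmz"])   # open the DMZ to the Internet, nothing else
    asa.same_security_permitted = True
    verdicts["outside->dmz (ACL)"] = asa.permits("outside", "dmz")[0]
    verdicts["outside->inside (ACL)"] = asa.permits("outside", "inside")[0]
    verdicts["dmz->extranet (same-security)"] = asa.permits("dmz", "extranet")[0]
    return verdicts


if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow:36s} {'ALLOW' if ok else 'DENY'}")
```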

Ques 10. What Command to Check NAT Table in Cisco ASA?


“Show xlate”

Ques 11. Can We Block HTTPS Traffic On Firewall?


HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based
on regular expressions for HTTPS traffic since the content is encrypted (SSL). However, ASA with
Sourcefire is able to analyse HTTPS traffic and block/allow it.

Ques 12. Can We Mix Different Models In Clustering I.e. Can 5510 Be Clustered With 5520?
No, we can't mix different ASA models.

Ques 13. Does The ASA Support Server Load Balancing?


No, ASA doesn't support Server Load Balancing.

Ques 14. Can We Use ASA For Web Filtering Like Proxy?
Yes, ASA can be used for Web Filtering.

Ques 15. Firewall Works at which layer?
Firewall works at Layer 4 of the OSI Model. Some firewalls work up to the Application layer (HTTP,
HTTPS etc.)

Ques 16. Difference between Stateful and stateless firewall?


Below table differentiates Stateless and Stateful Firewall -

Ques 17. What information does Stateful Firewall maintain?


Stateful firewalls maintain the state of every connection passing through the firewall in a state
table. Whenever a packet is to be sent across the firewall, the state information stored in the state
table is used to either allow or deny the packet.

Stateful firewalls make decisions based on the following criteria –

- Source IP address
- Destination IP address
- Protocol type (TCP/UDP)
- Source port
- Destination port
- Connection state

Below is an example scenario showing how Stateful Firewall functions -


Ques 18. Does ASA inspect ICMP by default?
ICMP inspection is not enabled by default in ASA Firewall.

Ques 19. What are timeout values in ASA firewall for TCP, UDP and ICMP sessions?
The default timeout values are -
timeout conn - The idle time after which a connection closes. The default is 1 hour.
timeout half-closed - The idle time until a TCP half-closed connection closes. The default is 10
minutes.
timeout udp - The idle time until a UDP connection closes. The default is 2 minutes.
timeout icmp - The idle time for ICMP. The default is 2 seconds.
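A toy state table that puts Ques 17 (a 5-tuple plus connection state per flow) and Ques 19 (the default idle timeouts) together: return traffic is allowed only while matching state exists, and state is forgotten once the protocol's idle timer expires. This is an added illustration, not ASA code; the hosts, ports and timestamps in the trace are constructed.

```python
# Toy stateful connection table modelling Ques 17 (state kept per 5-tuple) and the
# default idle timeouts from Ques 19. Added illustration, not ASA code; hosts, ports
# and timestamps below are constructed.

TIMEOUTS = {"tcp": 3600, "half-closed": 600, "udp": 120, "icmp": 2}  # seconds, Ques 19


class StateTable:
    def __init__(self):
        self.conns = {}  # (proto, src, sport, dst, dport) -> {"state": str, "last": float}

    def _find(self, proto, src, sport, dst, dport, now):
        """Return the stored key matching this packet in either direction, expiring idle entries."""
        for key in ((proto, src, sport, dst, dport), (proto, dst, dport, src, sport)):
            entry = self.conns.get(key)
            if entry is None:
                continue
            limit = TIMEOUTS["half-closed"] if entry["state"] == "half-closed" else TIMEOUTS[proto]
            if now - entry["last"] > limit:
                del self.conns[key]         # idle timer expired: forget the connection
                return None
            return key
        return None

    def packet(self, proto, src, sport, dst, dport, now, from_trusted, flags=""):
        """Decide ALLOW/DENY for one packet and update the connection state."""
        key = self._find(proto, src, sport, dst, dport, now)
        if key is None:
            # No state yet: only flows initiated from the higher-security side create one.
            if not from_trusted:
                return "DENY"
            self.conns[(proto, src, sport, dst, dport)] = {"state": "established", "last": now}
            return "ALLOW"
        entry = self.conns[key]
        entry["last"] = now                  # matched existing state: refresh the idle timer
        if proto == "tcp" and "F" in flags:
            entry["state"] = "half-closed"   # FIN seen: the shorter half-closed timer applies
        return "ALLOW"


def run_trace(trace):
    """Replay (time, proto, src, sport, dst, dport, from_trusted, flags) tuples; return verdicts."""
    table = StateTable()
    return [table.packet(p, s, sp, d, dp, t, trusted, f) for t, p, s, sp, d, dp, trusted, f in trace]


# Constructed trace: an inside DNS query and its reply, a duplicate reply after the UDP
# timeout, an unsolicited inbound SYN, and an ICMP echo whose reply is later than 2 seconds.
TRACE = [
    (0.0, "udp", "10.1.1.5", 40000, "198.51.100.53", 53, True, ""),
    (0.5, "udp", "198.51.100.53", 53, "10.1.1.5", 40000, False, ""),
    (200.0, "udp", "198.51.100.53", 53, "10.1.1.5", 40000, False, ""),
    (201.0, "tcp", "203.0.113.9", 4444, "10.1.1.5", 22, False, "S"),
    (300.0, "icmp", "10.1.1.5", 0, "198.51.100.1", 0, True, ""),
    (303.0, "icmp", "198.51.100.1", 0, "10.1.1.5", 0, False, ""),
]
```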

Ques 20. Active FTP vs. Passive FTP?


In active FTP mode, the client opens a port and listens on it. The client sends the FTP command
PORT M to inform the server which port it is listening on, and the server actively connects to the
client from its port 20, the FTP server data port.

In passive FTP mode, the server opens a port and passively listens; the client uses the control
connection to send a PASV command to the server and receives from the server the IP address and
port number that the client then connects to. Passive mode is generally used where the client is
behind a firewall and unable to accept incoming TCP connections. From an overall security
perspective, passive FTP mode is the preferred, safer option.
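The PORT command and PASV reply above are what an FTP-aware firewall has to read from the control connection before it can permit the data connection in the right direction. The following parser is an added illustration, not ASA code; the addresses and ports are constructed, and the "advertised address must be the control-connection peer" rule is this example's own policy.

```python
# Parsing of the FTP PORT command and PASV reply that an FTP-aware firewall must
# understand before it can permit the data connection described in Ques 20.
# Added illustration, not ASA code; addresses and ports below are constructed.
import re

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


def _decode(match):
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port); the port is p1 * 256 + p2."""
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value out of range in host/port field")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_port(command):
    """'PORT h1,h2,h3,h4,p1,p2' sent by the client: the address the server will connect to."""
    m = re.fullmatch(r"PORT\s+" + _HOSTPORT, command.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a PORT command")
    return _decode(m)


def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' from the server: where the client connects."""
    m = re.search(_HOSTPORT, reply) if reply.startswith("227") else None
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    return _decode(m)


def data_connection(mode, line, client_ip, server_ip):
    """Return (src_ip, src_port, dst_ip, dst_port) of the data channel the firewall has to permit.

    Returns None when the advertised address is not the control-connection peer or the port
    is privileged; an inspection engine should refuse such a request rather than open a pinhole.
    """
    if mode == "active":
        ip, port = parse_port(line)
        if ip != client_ip or port < 1024:
            return None
        return (server_ip, 20, ip, port)    # server connects in to the client: inbound pinhole
    ip, port = parse_pasv(line)
    if ip != server_ip or port < 1024:
        return None
    return (client_ip, None, ip, port)      # client connects out; its source port is ephemeral


if __name__ == "__main__":
    print(data_connection("active", "PORT 192,168,1,10,156,64", "192.168.1.10", "203.0.113.5"))
    print(data_connection("passive", "227 Entering Passive Mode (203,0,113,5,195,89).",
                          "192.168.1.10", "203.0.113.5"))
```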

Ques 21. Does Cisco ASA support BGP?


Starting ASA Version 9.2(1), BGP is supported on Cisco ASA Firewalls.

Ques 22. What is FWSM? Where is this used?


FWSM (Firewall Services Module) is a module that you can install in a modular chassis switch, such as
the 6500 series or the Cisco 7600 Series Router. It is a high-speed firewall that integrates as a module
within the chassis of 6500/7600 Series devices. Up to 4 FWSM modules can be installed in one chassis.

Ques 23. Difference between PIX and ASA?
Below table illustrates the difference between PIX and ASA -

Ques 24. Which command is used in ASA to view connections?


“Show conn”

Ques 25. What is functionality of NAT control in Cisco Firewalls?


NAT control is a function used to enforce the use of NAT on the ASA. With NAT control enabled,
every packet traversing the ASA in any direction must match a NAT rule.
In version 8.3 and higher, NAT control is disabled by default and cannot be configured.

Ques 26. What are types of Contexts in ASA?


Contexts in ASA can be of 3 types –
- System Context
- Admin Context
- Normal Context

System Context – This context is used to add and manage the other contexts by configuring each
context's configuration location, allocated interfaces, and other operational parameters. Only a
management IP address can be assigned in this context and no other IP can be given. Another key
feature of the system context is the ability to upgrade or downgrade the ASA software.

Admin Context – The admin context gives the user system administrator rights and access to the
system and all other contexts. During conversion from single mode to multiple context mode, the
admin context is created automatically and its configuration file is created in flash memory. The
admin context is not counted in the context license.

Normal Context – This is the actual partitioned firewall. A normal context can be accessed via
Console, Telnet, SSH, and ASDM. If we log in to a normal (non-admin) context, we can only access the
configuration for that context.

Ques 27. What is PFS?


Perfect Forward Secrecy (PFS) is an encryption solution which assures that session keys will not be
compromised even if the private key of the server is compromised. In other words, if one of these
session keys is compromised, data from any other session will not be affected. PFS is an additional
security layer for customer VPN connections.

Ques 28. Difference between checkpoint and ASA?


Below table describes key differences between Checkpoint and ASA -

Ques 29. What are hardware and software requirements for 2 ASA in HA?
Hardware Requirements for 2 ASA in HA (Cluster) –
Both units in a Failover configuration must have:
- Same model
- Same number and types of interfaces
- Same modules installed
- Same RAM installed

Software Requirements for 2 ASA in HA (Cluster) –
Both units in a Failover configuration must have:
- Same firewall mode (routed or transparent)
- Same context mode (single or multiple)
- Same major and minor software version
- Same AnyConnect image

License Requirements for 2 ASA in HA (Cluster) -
- The two units configured in failover don’t need to have identical licenses; the licenses
combine to make a failover cluster license.

Ques 30. Which command will forcefully activate secondary firewall to become active
firewall?
When the command “no failover active” is issued on the primary (active) firewall, it forces the
secondary firewall to become active.
The “failover active” command triggers a fail-back to the original active firewall.

Ques 31. What is spoofing and what is anti-spoofing?


Spoofing is a technique in which an attacker gains unauthorised access to server applications by
illegally mimicking another machine through manipulated IP packets. A spoofing attack typically
originates from the unsecured Internet: the attacker on the outside spoofs an inside IP address of
the company so that the packets look like they come from the customer's inside LAN.

Anti-spoofing is a technique for identifying and dropping packets that have a false source address.
Spoofed packets can be detected by setting up rules on a firewall, router, network gateway or even
at the ISP end.
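One common form of the anti-spoofing rule described above is a reverse-path check: a packet is dropped when the firewall's own route back to the packet's source address does not point out the interface the packet arrived on. The code below is an added illustration, not ASA code; its routing table and sample packets are constructed.

```python
# Reverse-path (anti-spoofing) check from Ques 31: a packet is dropped when the route back
# to its source address does not point out the interface it arrived on.
# Added illustration, not ASA code; the routing table and packets are constructed.
import ipaddress

# Constructed routing table: (prefix, interface). Longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "inside"),
    (ipaddress.ip_network("192.168.50.0/24"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def egress_interface(ip, routes=ROUTES):
    """Longest-prefix-match lookup: the interface the firewall would use to reach `ip`."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def verify_reverse_path(ingress, src_ip, routes=ROUTES):
    """True when the source address is reachable via the ingress interface (unicast RPF)."""
    return egress_interface(src_ip, routes) == ingress


def filter_packets(packets, routes=ROUTES):
    """Return (verdict, reason) per (ingress, src, dst) packet; spoofed sources are dropped."""
    results = []
    for ingress, src, dst in packets:
        if verify_reverse_path(ingress, src, routes):
            results.append(("PASS", f"{src} is reachable via {ingress}"))
        else:
            results.append(("DROP", f"{src} arrived on {ingress} but routes via {egress_interface(src, routes)}"))
    return results


# Constructed sample: a legitimate Internet client, an outside packet claiming an inside
# source, a legitimate inside host, and an inside host sending with a foreign source.
PACKETS = [
    ("outside", "198.51.100.7", "192.168.50.10"),
    ("outside", "10.1.2.3", "10.1.2.4"),
    ("inside", "10.1.2.3", "198.51.100.7"),
    ("inside", "203.0.113.9", "198.51.100.7"),
]
```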

Ques 32. Which ASA platform series is used nowadays?


Following is a list of a few ASA models in use nowadays -
- ASA 5555-X with FirePOWER Services
- ASA 5545-X with FirePOWER Services
- ASA 5525-X with FirePOWER Services
- ASA 5516-X with FirePOWER Services
- ASA 5508-X with FirePOWER Services
- ASA 5506H-X with FirePOWER Services
- ASA 5506W-X with FirePOWER Services
- ASA 5506-X with FirePOWER Services

Ques 33. What is DMZ Zone? What is DMZ zone used for?
The DMZ zone is considered with reference to the perimeter firewall. The DMZ zone has security
level 50 on the ASA Firewall and sits between an organisation's internal network and an external
network. A DMZ network enables Internet users to access the public servers of a company while
maintaining the security of the company's private LAN.

Some of the services residing in the DMZ zone include –

- Application servers
- VPN
- Proxy servers
- Global load balancers

Ques 34. What is DOS and DDOS?


A Denial of Service (DoS) attack is launched from a single machine and may be directed at a specific
server, a specific port or service on a target, a network or a network component, a firewall, or any
other system.

A Distributed Denial of Service (DDoS) attack comes from more than one source or from more than
one location. Most of the time, the machines taking part in a DDoS attack are not aware that they
are part of an attack against a site; they have been duped into joining the attack by a third party. In
a DDoS, the attack generation is thus distributed across multiple computers.

Ques 35. Explain Active/Active failover?

Active/Active failover is the Cisco ASA configuration in which both ASAs pass network traffic, with
the traffic split into groups. This type of operation is only possible in multiple context mode. The
contexts are divided into failover groups: the 1st unit is active for one failover group while the 2nd
unit is active for the second failover group. If the active unit for a group goes down, the other unit
takes over. Active/Active setups are generally used to allow more traffic to pass through the
firewalls than a single unit can handle.

Ques 36. Explain Active/Standby failover?


Active/Standby failover is the Cisco ASA configuration in which one ASA unit acts as the active unit
while the other is the standby unit. The standby unit continuously monitors the active unit, and
state information is shared between the two. If the active unit goes down, the standby unit takes
over the active role and starts forwarding traffic. The unit that becomes active assumes the IP
addresses and MAC addresses of the failed unit before beginning to pass traffic.

Ques 37. What are different types of ACL in firewall?


The ASA uses the following types of ACLs –

Extended ACLs - These ACLs are used for access rules to control (permit and deny) traffic flow
through the device. They are also used as matching criteria for many features including –
- Service policies
- AAA rules
- WCCP
- Botnet Traffic Filter
- VPN group policies
- DAP policies

EtherType ACLs – This type of ACL is applied to non-IP layer-2 traffic on bridge group member
interfaces only. These rules control (permit or drop) traffic based on the EtherType value in the
layer-2 frame.

Webtype ACLs - Webtype ACLs are used for filtering clientless SSL VPN traffic. These ACLs can deny
access based on URLs or destination addresses.

Standard ACLs - Standard ACLs identify traffic by destination address only. They are used by only a
few features, such as –
- Route maps
- VPN filters
Since extended access lists also work for VPN filters, standard ACLs are in practice limited to
route maps.

Ques 38. What is SYN flooding?


SYN flooding is a denial of service attack in which the victim server is rendered unresponsive
because the attack consumes its resources. SYN flooding abuses the TCP 3-way handshake by
repeatedly sending SYN packets to ports on the server. The server responds to each attempt from
an open port with a SYN-ACK (synchronization acknowledged) packet, temporarily allocating a
connection for each attempt, and then waits for the final ACK (acknowledgement) from the source.
The attacker never sends the final ACK, so the connection is never completed. As per TCP standard
timeout values, each half-open connection eventually times out and is closed, but in the meantime
the target server is left holding many incomplete connections.
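From the defender's side, the tell-tale sign of a SYN flood is a server accumulating half-open (embryonic) connections that never complete the handshake. The following detector counts them per server from connection-table lines and flags servers over a threshold; it is an added illustration, not ASA code, and the lines use a constructed, simplified layout rather than real "show conn" output.

```python
# Embryonic (half-open) connection counting for the SYN flood described in Ques 38: a
# server that accumulates many connections waiting for the final ACK is flagged.
# Added illustration, not ASA code; the connection lines use a constructed, simplified
# layout rather than real "show conn" output.
import re
from collections import defaultdict

LINE = re.compile(r"^TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")
EMBRYONIC_MAX = 3   # constructed threshold; tune to the server's normal backlog

# Constructed sample: proto src:port dst:port state
CONN_LINES = """\
TCP 198.51.100.7:51234 192.168.50.10:443 ESTABLISHED
TCP 198.51.100.8:51300 192.168.50.10:443 SYN_RECEIVED
TCP 203.0.113.11:1025 192.168.50.10:80 SYN_RECEIVED
TCP 203.0.113.12:1026 192.168.50.10:80 SYN_RECEIVED
TCP 203.0.113.13:1027 192.168.50.10:80 SYN_RECEIVED
TCP 203.0.113.14:1028 192.168.50.10:80 SYN_RECEIVED
TCP 203.0.113.14:1029 192.168.50.10:80 SYN_RECEIVED
TCP 198.51.100.9:51400 192.168.50.10:80 ESTABLISHED
""".splitlines()


def half_open(conn_lines):
    """Map (server_ip, port) -> set of (client_ip, port) with a half-open connection to it."""
    sources = defaultdict(set)
    for line in conn_lines:
        m = LINE.match(line.strip())
        if not m:
            continue                        # ignore lines in an unexpected layout
        src, sport, dst, dport, state = m.groups()
        if state == "SYN_RECEIVED":         # SYN-ACK sent, final ACK never arrived
            sources[(dst, int(dport))].add((src, int(sport)))
    return sources


def syn_flood_suspects(conn_lines, threshold=EMBRYONIC_MAX):
    """Servers whose embryonic connection count exceeds the threshold, with the number of
    distinct client addresses involved (many sources suggests a distributed attack)."""
    report = {}
    for server, conns in half_open(conn_lines).items():
        if len(conns) > threshold:
            report[server] = {"half_open": len(conns), "sources": len({ip for ip, _ in conns})}
    return report


if __name__ == "__main__":
    for server, info in syn_flood_suspects(CONN_LINES).items():
        print(f"{server[0]}:{server[1]} half-open={info['half_open']} sources={info['sources']}")
```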

Ques 39. What is difference between ACL on ASA and Router?


Below table enumerates difference between ACL on Router and ACL on Firewall -

Ques 40. Can we create loopback on ASA?


No, ASA Firewalls don’t support Loopback creation.

Ques 41. Which command is used to capture packets on ASA?


“capture” is the keyword used in the command to capture packets.
Below are the 2 steps in running a capture -
Step 1 – Define what to capture, either with a match statement -
capture <cap-name> match ip <criteria>
or with an access list -
capture <cap-name> access-list <acl>
Step 2 - Specify the interface upon which the capture should be performed:
capture <cap-name> interface <ifname>

Ques 42. How to configure a static and default route on ASA?


Syntax and example of configuring static route on ASA is given below -
Syntax -
route if_name dest_ip mask gateway_ip [distance]
Example -
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1

Syntax and example of configuring Default route on ASA is given below -


Syntax -
route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]
Example -
hostname(config)# route outside 0 0 192.168.1.1 tunneled

Ques 43. Which features are not supported in transparent mode?


Transparent mode does not support the following features –
- QoS
- Dynamic/Multicast Routing
- DHCP Relay
- Dynamic DNS
- IP Multicast Routing
- VPN termination

Ques 44. Which commands are used to convert routed mode to transparent mode and vice
versa?
Routed mode to transparent mode –
ciscoasa(config)# firewall transparent

Transparent mode to routed mode –


ciscoasa(config)# no firewall transparent

Ques 45. Which features are not supported in multiple context mode?
Multiple context mode does not support the following features -
- Dynamic Routing
- Multicast routing
- Threat Detection
- Unified Communications
- QoS
- Remote access VPN

Ques 46. What is order of preference of NAT types in Cisco ASA?


NAT rules are evaluated in the following order -
1) Twice NAT
2) Network object NAT – within this section the order is:
   o Static rules
   o Dynamic rules
3) Twice NAT

Ques 47. What type of end systems/services reside in DMZ Zone?


Some of the services residing in the DMZ Zone are –
- Web Servers
- FTP Servers
- Mail Servers
- Proxy Servers
- Web Application Firewall

Ques 48. What type of end systems/services reside in EXTRANET Zone?
Some of the services leveraging/connecting via the Extranet Zone are -
- Vendors
- Partners
- Parties outside the company’s administrative scope
- New companies merging into the parent company

Ques 49. Which command is used to verify the failover state?


Show failover state

Ques 50. Which command is used to check the traffic on interfaces, the packet and byte
counters?
Show Interface <Interface number>
