1-24
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter1 Introduction to the Cisco ASA 5500 Series
Firewall Functional Overview
Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
only includes the public servers, an attack there only affects the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
When discussing networks connected to a firewall, the outside network is in front of the firewall, the
inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited
access to outside users. Because the ASA lets you configure many interfaces with varied security
policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired,
these terms are used in a general sense only.
This section includes the following topics:
Security Policy Overview, page1-24
Firewall Mode Overview, page1-27
Stateful Inspection Overview, page1-27

Security Policy Overview

A security policy determines which traffic is allowed to pass through the firewall to access another
network. By default, the ASA allows traffic to flow freely from an inside network (higher security level)
to an outside network (lower security level). You can apply actions to traffic to customize the security
policy. This section includes the following topics:
Permitting or Denying Traffic with Access Lists, page1-25
Applying NAT, page1-25
Protecting from IP Fragments, page1-25
Using AAA for Through Traffic, page 1-25
Applying HTTP, HTTPS, or FTP Filtering, page1-25
Applying Application Inspection, page1-25
Sending Traffic to the IPS Module, page1-26
General Features
Password Encryption
Visibility
You can show password encryption in a security context.
We modified the following command: show password encryption.
Table1-7 New Features for ASA Version 8.4(1) (continued)
Feature Description