1-25
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter1 Introduction to the Cisco ASA 5500 Series
Firewall Functional Overview
Sending Traffic to the Content Security and Control Module, page1-26
Applying QoS Policies, page1-26
Applying Connection Limits and TCP Normalization, page1-26
Enabling Threat Detection, page 1-26
Enabling the Botnet Traffic Filter, page1-27
Configuring Cisco Unified Communications, page1-27
Permitting or Denying Traffic with Access Lists
You can apply an access list to limit traffic from inside to outside, or allow traffic from outside to inside.
For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.
Applying NAT
Some of the benefits of NAT include the following:
You can use private addresses on your inside networks. Private addresses are not routable on the
Internet.
NAT hides the local addresses from other networks, so attackers cannot learn the real address of a
host.
NAT can resolve IP routing problems by supporting overlapping IP addresses.
Protecting from IP Fragments
The ASA provides IP fragment protection. This feature performs full reassembly of all ICMP error
messages and virtual reassembly of the remaining IP fragments that are routed through the ASA.
Fragments that fail the security check are dropped and logged. Virtual reassembly cannot be disabled.
Using AAA for Through Traffic
You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.
The ASA also sends accounting information to a RADIUS or TACACS+ server.
Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to specific websites or FTP servers,
configuring and managing web usage this way is not practical because of the size and dynamic nature of
the Internet. We recommend that you use the ASA in conjunction with a separate server running one of
the following Internet filtering products:
Websense Enterprise
Secure Computing SmartFilter
Applying Application Inspection
Inspection engines are required for services that embed IP addressing information in the user data packet
or that open secondary channels on dynamically assigned ports. These protocols require the ASA to
perform a deep packet inspection.