Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 VPN Functional Overview, Security Context Overview

1-27

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter1 Introduction to the Cisco ASA 5500 Series

VPN Functional Overview

For UDP or other connectionless protocols, the ASA creates connection state information so that it

can also use the fast path.

Data packets for protocols that require Layer 7 inspection can also go through the fast path.

Some established session packets must continue to go through the session management path or the

control plane path. Packets that go through the session management path include HTTP packets that

require inspection or content filtering. Packets that go through the control plane path include the

control packets for protocols that require Layer 7 inspection.

VPN Functional Overview

A VPN is a secure connection across a TCP/IP network (such as the Internet) that appears as a private

connection. This secure connection is called a tunnel. The ASA uses tunneling protocols to negotiate

security parameters, create and manage tunnels, encapsulate packets, transmit or receive them through

the tunnel, and unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive

plain packets, encapsulate them, and send them to the other end of the tunnel where they are

unencapsulated and sent to their final destination. It can also receive encapsulated packets,

unencapsulate them, and send them to their final destination. The ASA invokes various standard

protocols to accomplish these functions.

The ASA performs the following functions:

•Establishes tunnels

•Negotiates tunnel parameters

•Authenticates users

•Assigns user addresses

•Encrypts and decrypts data

•Manages security keys

•Manages data transfer across the tunnel

•Manages data transfer inbound and outbound as a tunnel endpoint or router

The ASA invokes various standard protocols to accomplish these functions.

Security Context Overview

You can partition a single ASA into multiple virtual devices, known as security contexts. Each context

is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts

are similar to having multiple standalone devices. Many features are supported in multiple context mode,

including routing tables, firewall features, IPS, and management. Some features are not supported,

including VPN and dynamic routing protocols.

In multiple context mode, the ASA includes a configuration for each context that identifies the security

policy, interfaces, and almost all the options you can configure on a standalone device. The system

administrator adds and manages contexts by configuring them in the system configuration, which, like

a single mode configuration, is the startup configuration. The system configuration identifies basic

settings for the ASA. The system configuration does not include any network interfaces or network

settings for itself; rather, when the system needs to access network resources (such as downloading the

contexts from the server), it uses one of the contexts that is designated as the admin context.

Cisco Systems VPN Functional Overview, Security Context Overview