Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 1 Introduction to the Cisco ASA 5500 Series
Firewall Functional Overview
Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall
can also protect inside networks from each other, for example, by keeping a human resources network
separate from a user network. If you have network resources that need to be available to an outside user,
such as a web or FTP server, you can place these resources on a separate network behind the firewall,
called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ
only includes the public servers, an attack there only affects the servers and does not affect the other
inside networks. You can also control when inside users access outside networks (for example, access to
the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by
coordinating with an external URL filtering server.
Table 1-6 New Features for ASA Version 8.4(1)/ASDM Version 6.4(1) (continued)

| Feature | Description |
| --- | --- |
| General Features | |
| Password Encryption Visibility | You can show password encryption in a security context. We did not modify any screens. |
| ASDM Features | |
| ASDM Upgrade Enhancement | When ASDM loads on a device that has an incompatible ASA software version, a dialog box notifies users that they can select from the following options: Upgrade the image version from Cisco.com. Upgrade the image version from their local drive. Continue with the incompatible ASDM/ASA pair (new choice). We did not modify any screens. This feature interoperates with all ASA versions. |
| Implementing IKEv2 in Wizards | IKEv2 support has been implemented into the AnyConnect VPN Wizard (formerly SSL VPN wizard), the Clientless SSL VPN Wizard, and the Site-to-Site IPsec VPN Wizard (formerly IPSec VPN Wizard) to comply with IPsec remote access requirements defined in federal and public sector mandates. Along with the enhanced security, the new support offers the same end user experience independent of the tunneling protocol used by the AnyConnect client session. IKEv2 also allows other vendors’ VPN clients to connect to the ASAs. We modified the following wizards: Site-to-Site IPsec VPN Wizard, AnyConnect VPN Wizard, and Clientless SSL VPN Wizard. |
| IPS Startup Wizard enhancements | For the IPS SSP in the ASA 5585-X, the IPS Basic Configuration screen was added to the startup wizard. Signature updates for the IPS SSP were also added to the Auto Update screen. The Time Zone and Clock Configuration screen was added to ensure the clock is set on the ASA; the IPS SSP gets its clock from the ASA. We introduced or modified the following screens: Wizards > Startup Wizard > IPS Basic Configuration; Wizards > Startup Wizard > Auto Update; Wizards > Startup Wizard > Time Zone and Clock Configuration. |