Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Protecting from IP Fragments, Using AAA for Through Traffic, Applying HTTP, HTTPS, or FTP Filtering, Applying Application Inspection, Sending Traffic to the IPS Module, Sending Traffic to the Content Security and Control Module, Applying QoS Policies

1-24

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter1 Introduction to the Cisco ASA 5500 Series

Firewall Functional Overview

•NAT can resolve IP routing problems by supporting overlapping IP addresses.

Protecting from IP Fragments

The ASA provides IP fragment protection. This feature performs full reassembly of all ICMP error

messages and virtual reassembly of the remaining IP fragments that are routed through the ASA.

Fragments that fail the security check are dropped and logged. Virtual reassembly cannot be disabled.

Using AAA for Through Traffic

You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.

The ASA also sends accounting information to a RADIUS or TACACS+ server.

Applying HTTP, HTTPS, or FTP Filtering

Although you can use access lists to prevent outbound access to specific websites or FTP servers,

configuring and managing web usage this way is not practical because of the size and dynamic nature of

the Internet. We recommend that you use the ASA in conjunction with a separate server running one of

the following Internet filtering products:

•Websense Enterprise

•Secure Computing SmartFilter

Applying Application Inspection

Inspection engines are required for services that embed IP addressing information in the user data packet

or that open secondary channels on dynamically assigned ports. These protocols require the ASA to

perform a deep packet inspection.

Sending Traffic to the IPS Module

If your model supports the IPS module for intrusion prevention, then you can send traffic to the module

for inspection. The IPS module monitors and performs real-time analysis of network traffic by looking

for anomalies and misuse based on an extensive, embedded signature library. When the system detects

unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log

the incident, and send an alert to the device manager. Other legitimate connections continue to operate

independently without interruption. For more information, see the documentation for your IPS module.

Sending Traffic to the Content Security and Control Module

If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other

unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you

configure the ASA to send to it.

Applying QoS Policies

Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a

network feature that lets you give priority to these types of traffic. QoS refers to the capability of a

network to provide better service to selected network traffic.

Cisco Systems Protecting from IP Fragments, Using AAA for Through Traffic, Applying HTTP, HTTPS, or FTP Filtering, Applying Application Inspection, Sending Traffic to the IPS Module, Sending Traffic to the Content Security and Control Module, Applying QoS Policies