Adaptive Security Algorithm (ASA)


ASA refers to dynamic translation slots (xlate), created with the global command, and static translation slots, created with the static command. ASA is a stateful approach to security: every inbound packet is checked against the connection state information held in memory.

Dynamic translation slots are for desktop machines that do not need a constant address on the Internet. The firewall supports NAT, which provides a globally unique address for each inside host, and PAT, which shares a single globally unique address among up to 64K inside hosts accessing the Internet simultaneously.

Static translation moves an internal, unregistered host into the virtual network in the firewall. This is useful for internal machines that need to be addressed from outside Internet gateways, for example an SMTP server.

  1. No packets can traverse the firewall without a connection and state.

  2. Outbound connections or states are allowed, except those specifically denied by outbound deny lists.

  3. Inbound connections or states are denied, except those specifically allowed by conduits.

  4. All attempts to circumvent the previous rules are dropped and a message is sent to syslog.

  5. All ICMP packets are denied unless specifically permitted using the following command:

    conduit permit icmp

The firewall handles UDP data transfers in a manner similar to TCP. The firewall creates UDP connection state information when a UDP packet is sent from the inside network. Response packets resulting from this traffic are accepted only if they match that connection state information.

How Data Moves Through the Firewall

When an outbound packet arrives, the firewall checks whether the packet is valid under the ASA rules, and then whether previous packets have come from that host. If not, the packet belongs to a new connection, and the firewall creates a translation slot in its state table for the connection. The following information is stored:

  • Inside IP address
  • Globally unique IP address assigned by NAT, PAT, or Identity

When an inbound packet arrives, it must first pass the ASA criteria. If the packet passes the security tests, the firewall removes the destination IP address and inserts the internal IP address in its place. The packet is then forwarded to the protected interface.
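The five ASA rules and the outbound/inbound flow above, as an added toy model that is not PIX code: a state table keyed on the connection 5-tuple, dynamic PAT slots behind one shared global address, static slots, conduits (an ("icmp", "*", 0) entry stands in for conduit permit icmp), an outbound deny list, and a syslog list for dropped attempts. All addresses, ports and the AsaFirewall/Packet names are constructed for the illustration.

```python
from collections import namedtuple

# Constructed toy model of the ASA rules above; not the PIX implementation.
Packet = namedtuple("Packet", "proto src sport dst dport")   # proto: "tcp", "udp" or "icmp"
ICMP_CONDUIT = ("icmp", "*", 0)                                # stands in for 'conduit permit icmp'

class AsaFirewall:
    def __init__(self, pat_ip, statics=None, conduits=(), outbound_deny=()):
        self.pat_ip = pat_ip                  # single global address shared by PAT
        self.statics = statics or {}          # global ip -> inside ip (static command)
        self.conduits = set(conduits)         # (proto, global ip, port) tuples
        self.outbound_deny = set(outbound_deny)
        self.xlate = {}                       # dynamic slots: (inside ip, port) -> global port
        self.conns = set()                    # (proto, inside ip, port, remote ip, remote port)
        self.syslog = []

    def _drop(self, why):
        self.syslog.append(why)               # rule 4: log the attempt and drop the packet
        return None

    def outbound(self, p):
        # inside -> outside: create state (rules 2 and 5) and translate the source
        if p.proto == "icmp" and ICMP_CONDUIT not in self.conduits:
            return self._drop(f"icmp {p.src}->{p.dst} denied")
        if p.src in self.outbound_deny:
            return self._drop(f"outbound from {p.src} denied")
        gip = next((g for g, i in self.statics.items() if i == p.src), self.pat_ip)
        if gip == self.pat_ip:                # no static: allocate or reuse a PAT slot
            self.xlate.setdefault((p.src, p.sport), 1024 + len(self.xlate))
        gport = self.xlate.get((p.src, p.sport), p.sport)
        self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return Packet(p.proto, gip, gport, p.dst, p.dport)

    def inbound(self, p):
        # outside -> inside: pass only on matching state or a conduit (rules 1, 3 and 5)
        if p.proto == "icmp":
            return p if ICMP_CONDUIT in self.conduits else self._drop(f"icmp from {p.src} denied")
        if p.dst == self.pat_ip:              # reverse-map the PAT port to the inside host
            inside = next((k for k, g in self.xlate.items() if g == p.dport), None)
        else:
            inside = (self.statics.get(p.dst), p.dport)
        if inside and inside[0]:
            key = (p.proto, inside[0], inside[1], p.src, p.sport)
            if key in self.conns or (p.proto, p.dst, p.dport) in self.conduits:
                self.conns.add(key)           # reply to known state, or a conduit-permitted connection
                return Packet(p.proto, p.src, p.sport, inside[0], inside[1])
        return self._drop(f"no state or conduit for {p.src}:{p.sport}->{p.dst}:{p.dport}")
```

Running an outbound web request, its reply, an unsolicited inbound packet, an inbound SMTP connection to the static host, and an inbound ping shows which packets pass and which land in the syslog list.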