Cisco Asa Firewall Interview Questions & Answers

Question 1. What Is Security Level In Asa Firewall?

Answer :

Security level define to the Firewall Interface, Firewall Security Level can be 0-100. Where 100 is the highest security level on ASA firewall and most trusted Zone, By default its define to the Inside Interface. 0 is the lowest security level on the ASA Firewall, Its a define to the untrusted zone, such as Outside interface.

By default traffic allow from Higher Security Level to lower security level and traffic from lower security level to higher security level by default denied.

Question 2. What Is Aaa?

Answer :

AAA stands for: Authentication, authorization and Accounting

Authentication:Authentication is the process, provide credential to the user, to Login on Servers or Devices with user ID and Password. Authenticate individual user to access Network or Server.

Authorization:Authentication is the process, Allow specific services or resources to the authenticate users. Means Which services user can access from server, such as – Read only, read write etc.

Accounting:Accounting is the process, Keeping the track of user activity after authenticate and authorized, Means that what task done by user, will go to the user account. Accounting user for audit purpose.

Question 3. What Is Default Tcp Session Timeout?

Answer :

60 Minutes.

Question 4. What Is Command To Enable Failover In Asa Firewall?

Answer :

Failover

Question 5. What Is Default Route Configuration Command In Asa Firewall?

Answer :

ASA(config)# 0 0 <next-hope>

Question 6. What Is Default Security Level For Inside Zone In Asa?

Answer :

100

Question 7. What Is Default Security Level For Outside Interface In Asa Firewall?

Answer :

 0.

Question 8. What Is A Transparent Firewall?

Answer :

Transparent firewall act line a layer 2 device, Transparent firewall can be easily deploy on existing network.Transparent Firewall allow layer 3 traffic from higher security level to lower security level without an access list.

Question 9. What Is Stateful Inspection?

Answer :

Stateful Firewall maintain the connection table, which keeps the track of the active connection. Its Maintain the dynamic connection table that continuously updated with state of each connection. Stateful Firewall first inspect session table instead of security policy.

Question 10. What Is Command To Permit Traffic In Same Security Level In Asa?

Answer :

same-security-traffic permit inter-interface.

Question 11. What Command To Check Nat Table In Cisco Asa?

Answer :

show nat detail

Question 12. Which Command Used To Switch Multiple Mode To Single Mode?

Answer :

mode single

Question 13. What Is Sub Second Failover?

Answer :

Sub second failover as the failover can happen in under a second. Both the interface and unit polling times can be configured in milliseconds. Be careful setting  the failover settings too low though as you may have a quick communication loss due to congestion.

Question 14. Does Site-to-site Vpn Co-exist With Remote Access?

Answer :

If using ASA clustering then vpn will not work. If non-cluster environment you can use L2L vpn and can co-exist in standalone version.

Question 15. Can You Explain The Significance Of Sgt In The Context Of Asa?

Answer :

SGT is part of TrustSec.

Question 16. Can You Load Balance Your Outgoing Internet Connectivity With Two Inter Connections Hooked To One Asa?

Answer :

Presently it is not possible to load balance traffic between two ISP links on an ASA.

Question 17. How To Asa 5500-x React On Zero Day Attack?

Answer :

Cisco anomaly detection learns the normal behavior on your network and alerts you when it sees anomalous activities in your network. Cisco anomaly protection helps protect you against new threats even before signatures are available.

Question 18. Clustering Up To 8 Firewall Would Be Active/active Or Active/standby?

Answer :

All 8 Units will be active in a cluster

Question 19. What Is Multiprotocol Throughput?

Answer :

When different type of traffic going through the firewall, i.e HTTP, FTP, etc.

Question 20. Can We Block Https Traffic On Firewall?

Answer :

When you are saying Block, I assume  you are saying traffic going through the firewall, then the answer to that would be Yes.

Question 21. Can Security Manger Be A Syslog Server As Well?

Answer :

CSM is built to be a single point of management and configuration for ASA and other securiyt products. The function of Syslogging is to be offload to external server.

Question 22. Can We Mix Different Models In Clustering I.e. Can 5510 Be Clustered With 5520?

Answer :

No, we can't mix different asa models. And clustering is only supported with 5580, 5585 or 5585X.

Question 23. When We Say Asa Virtualization, Is That The Hardware Virtualization, Ios Or The Configurations?

Answer :

You can use ASA 1000V for virtualized environment and that's what it means. Again, if term virtual is used, it can be a context as many times these two terms are used inter-changeably.

Question 24. Is Access To The Scansafe Database A Subscription Service?

Answer :

Yes, a scansafe subscription will be required.

Question 25. Can I Have Multi-context Along With Clustering?

Answer :

You won't need a context in cluster mode but you can have multi contexts.

Question 26. Is Clustering Possible Across Geographies Or Is There Any Distance Limitation ?

Answer :

This can be done through VPNs (Site to site) but never recommended.Such setup in production environment is not recommended.

Question 27. Are There Only 8 Asa In A Cluster Possible, And Can I Mix The Models?

Answer :

It has to be same model with same hardware configuration like memory etc.

Question 28. Can I Have A Ha Design With Two Asa 5525 X In Two Separate Places In Active/active Mode?

Answer :

In that case you are expanding your cluster, there is no restriction but I do not see any usecase of this.

Question 29. What Is One Of The Asa Goes Down, Will Other 7 Modules Are Still Deliver 280 Gbps?

Answer :

Only the throughput will drop on overall basis but no impact on traffic. 

Total Throughput = N x Single node throughput x Scaling Factor.

Question 30. Hello Do We Need To Have Even Number Of Firewalls To Participate In Clustering?

Answer :

No, there's no such mandates.

Question 31. Why Do I Still Have To Manually Copy Xml Profiles From The Active To The Standby?

Answer :

Depends on the version you are using. More detailed info can be obtained from Cisco TAC as its specific to AnyConnect.

Question 32. Few Years Ago Threat Detection, Routing Protocols, Etc. Will Not Be Used If You Enable Multiple Context Mode On Asa. Was This Resolved Already In Today's Software Or Product Line?

Answer :

Virtually not, you can have as many policies but can be brought down if combined with Trustsec. Still same:

Multiple context mode does not support the following features:

• RIP                   
• OSPFv3. (OSPFv2 is supported.)                   
• Multicast routing                   
• Threat Detection                   
• Unified Communications                   
• QoS                   
• Remote access VPN. (Site-to-site VPN is supported.)

Question 33. Based On Active Cluster Configuration, If New Firewall Picks A Ip-address From The Pool, Alter If The Firewall Goes Down How The Session Failover Will Happen, The Live Session Will Be Dropped Or It Will Failover To Other Active Firewall?

Answer :

It will be taken care by the next priority firewall in the cluster.

Question 34. Is There Any Policy Limitation Of Cisco Asa?

Answer :

Virtually not, you can have as many policies but can be brought down if combined with Trustsec.

Question 35. How Does The Vip Is Maintained In The Cluster?

Answer :

There is no VIP, all firewalls have there own firewall, we need load-balancing from outside the cluster.

Question 36. We Are Using 3 Different Management Servers, We Are Facing This Asdm Loading Issue With All Of Them, How There Can Be Issue With Os Level?

Answer :

Please get in touch with Cisco TAC for in-depth review & troubleshooting.

Question 37. Does The Asa Supports Server Load Balancing?

Answer :

No ASA doesn't support Server Load Balancing.

Question 38. Is That Also The Fact With Site2site Vpn When Cluster Master Fails Or Does It Work More Like Active/standby Vpn State Failover?

Answer :

Clustering is analogous to failover not the same. The VPN sessions will be replicated across the cluster.

Question 39. Can The Ips In Asa5500-x Do Heuristic Detection?

Answer :

Basic Heruristics are there, 0day attacks are identified (now better by SacanSafe an improvement over local engine)

Question 40. Will Remote Vpn Works With Clustering Mode ?

Answer :

 It doesn't work.

Question 41. Do Easy Vpn Works With Active/standby Mode In Asa?

Answer :

Yes it works with failover ASA.

Question 42. Can We Use Asa For Web Filtering Like Proxy?

Answer :

Yes ASA can be used for Web Filtering and it has been possible for many years. Now, you also have ScanSafe

Question 43. And How Do I Just Point To _one_ Asa Ip From Core Routing Equipment, When Clustering?

Answer :

Addresses configured in pool is given to firewalls in cluster, you can simply push the traffic any given address assigned to specific firewall in cluster.

Question 44. What Will Happen If One Node Fails In Asa Cluster. Traffic Which Was Going Through Failed Node Will Be Dropped Or It Will Be Processed By Some Other Node In Cluster?

Answer :

Yes, ASA clustering always has a backup node (owner) for every flow through the cluster so, if the node through which traffic is passing is down, the next owner will process the n+1 traffic (if previous node was processing nth packet.

Question 45. Can Cisco Security Manager Be A Netflow Collector For Asa Devices?

Answer :

CSM is primarily meant for configuring and managing the firewalls. If you wish to collect netflow data it's better to look at Cisco LMS/Prime solutions.

Question 46. Can Csm Take Backup Of Asa Configuration?

Answer :

In CSM if you would like to see the configurations there are two ways to do this.

1. From the Device View, right-click on the device and select "Preview Configuration..."
2. In the top bar, Go to "Manage > Configuration Archive..." You  can then see a history of previous configurations pushed for each device  managed by CSM

CSM based backups are manual and are not automated.

Question 47. Can We Expect Remote Access Vpn Support For Contexts Anytime Soon?

Answer :

As far as I know it's not on the roadmap for next few release.

Question 48. Is There Road-map To Allow Vpn Functionality With Asa Cluster Deployment?

Answer :

Site to site VPN is already supported in clustering. Remote access VPN is not supported as of today and is not on roadmap as I know.

Question 49. Does Asa Supports Stateful Sync For Ssl Or Ipsec Vpn Sessions, Means Suppose Primary Fails Then Ssl Or Ipsec Vpn Session Need Not To Re-established Connectivity With Secondary?

Answer :

Yes, stateful failover is available for IPSec and SSL connections.

Question 50. Can We Configure The Cisco Asa On Distributor Artechtue?

Answer :

ASA clustering is distributed architecture for High Availability and is compatible with next gen and current switching infrastructure.

Question 51. Does Packet Tracer Supports Fwsm ?

Answer :

FWSM doesn't support packet tracer command.

Question 52. Is There A Concept Of Inter-context Communication In Current Asa? Meaning No Need To Forward The Traffic Out Of The Interface But Instead Inside Asa And Between Context. Saves Interface And Much Faster?

Answer :

As of today, inter context communication has to go out of a physical interface and come in again (same or different interface). Essentially trombone of traffic needs to happen out and in to the firewall.

Question 53. What About Mgcp Support?

Answer :

Cisco ASA Clustering doe snot support any UC protocols including H.323 suite, RTP, RTCP, SIP, SCCP and MGCP.

Question 54. Does It Option For Snapshot For Backup Purpose So We Can Restore The All Configuration Very Fast. And How Many Snapshot It Can Store?

Answer :

If the query is about CSM, and you would like to see the configurations within the CSM interface there are two ways to do this.

1. From the Device View, right-click on the device and select "Preview Configuration..."
2. In the top bar, Go to "Manage > Configuration Archive..." You can then see a history of previous configurations pushed for each device managed by CSM.

Question 55. What Is The Vpn Split In Ipv4/ipv6 Network? Is There Vpn Bypass With Asa?

Answer :

VPN in IPv4 or IPv6 depends on the configuration for the VPN site to site or client (remote access) VPN. ASA can do VPN bypass for IPSec and SSL VPN so the client's / remote site can connect with a headend behind ASA.

Question 56. What Is The Cx Module In Asa- X Series?

Answer :

ASA NGFW Services(formerly ASA CX) re-imagines  the firewall, delivering context-aware security that empowers  enterprises to manage applications, devices and the evolving  global workforce, while ensuring unprecedented visibility and control. Unlike other next-generation firewalls, only ASA NGFW Services outpaces complexity to address evolving security needs by leveraging  local network intelligence via Cisco AnyConnect and TrustSec, and global  threat information via Cisco’s Security Intelligence Operation.