Cisco ASA 5505 Configuration Manual page 78


Firewall Functional Overview
Permitting or Denying Traffic with Access Rules
By default, the adaptive security appliance allows traffic from a higher-security interface (such as inside) to a lower-security interface (such as outside) and denies traffic in the other direction. You can apply an access rule to limit traffic from inside to outside, or to allow specific traffic from outside to inside; anything the rule does not explicitly permit is dropped.
For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic (for example, spanning-tree BPDUs), which an extended access list cannot match.
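The following is an added example, not configuration from this guide. Interface names, addresses and access list names are assumed; 203.0.113.10 is the published server's translated (public) address, which is what pre-8.3 access lists match on. It shows an inbound rule, an outbound rule that narrows the default higher-to-lower permission, and the transparent-mode EtherType rule.

```cisco
! Added example (not from the guide). Interface names, addresses and ACL names are assumed;
! 203.0.113.10 is the server's translated (public) address, which is what pre-8.3 ACLs match on.

! Outside -> inside: only HTTPS to the published server. Deny and log everything else so the
! drops show up in syslog instead of silently hitting the implicit deny at the end of the list.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Inside -> outside: applying an access list replaces the default "higher-to-lower is allowed"
! behaviour, so every permitted service has to be listed. Here: web, DNS to one resolver, nothing else.
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list INSIDE_OUT extended permit udp 192.168.1.0 255.255.255.0 host 198.51.100.53 eq 53
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside

! Transparent mode only: the extended ACLs above still govern IP traffic, but non-IP frames
! (here, spanning-tree BPDUs) are dropped unless an EtherType ACL permits them on each interface.
access-list NONIP ethertype permit bpdu
access-group NONIP in interface outside
access-group NONIP in interface inside
```

Return traffic for permitted connections is allowed by the connection table, so no reverse rule is needed. After applying the lists, `show access-list OUTSIDE_IN` shows per-entry hit counts, which is the quickest way to confirm that the deny entry is catching what you expect.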
Applying NAT
Some of the benefits of NAT include the following:
Protecting from IP Fragments
The adaptive security appliance provides IP fragment protection. This feature performs full reassembly
of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through
the adaptive security appliance. Fragments that fail the security check are dropped and logged. Virtual
reassembly cannot be disabled.
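Virtual reassembly itself cannot be turned off, but its limits can be tuned per interface, and the chain limit doubles as a way to refuse fragmented traffic where it is not expected. The following is an added example, not from the guide; interface names are assumed, and the defaults quoted in the comments (size 200, chain 24, timeout 5 seconds) are the appliance's per-interface defaults.

```cisco
! Added example (not from the guide). Interface names are assumed. The per-interface defaults
! are size 200 (fragments awaiting reassembly), chain 24 (fragments per datagram), timeout 5 s.

! Keep the defaults where fragmented traffic is legitimate (large UDP, NFS, some VPN paths).
fragment size 200 inside
fragment chain 24 inside
fragment timeout 5 inside

! On the Internet-facing interface, refuse fragmented datagrams altogether: with a chain limit
! of 1, any datagram that arrives in more than one piece fails the check, is dropped and logged.
fragment chain 1 outside

! Raise the reassembly database limit where many concurrent fragmented flows are expected, so
! legitimate fragments are not dropped for lack of space. This is a capacity knob, not a
! security one; the security check still runs on every fragment set.
fragment size 400 dmz
```

`show fragment outside` displays the limits in force on an interface together with the reassembly counters, so you can see whether the drops you observe are policy (chain limit) or capacity (database full).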
Using AAA for Through Traffic
You can require authentication and/or authorization for certain types of traffic, for example, for HTTP.
The adaptive security appliance also sends accounting information to a RADIUS or TACACS+ server.
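The following is an added example of the cut-through proxy described above, not configuration from this guide. The server group name, addresses and the shared key are assumed (replace "changeme"); TACACS+ is used because it supports authentication, authorization and accounting through the three match commands shown.

```cisco
! Added example (not from the guide). Server group name, addresses and the shared key are
! assumed; replace "changeme" with a real key.
aaa-server TAC protocol tacacs+
aaa-server TAC (inside) host 192.168.1.20
 key changeme
 timeout 5

! Which through-traffic must be authenticated: web from the inside network to anywhere.
access-list AUTH_WEB extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list AUTH_WEB extended permit tcp 192.168.1.0 255.255.255.0 any eq 443

! Cut-through proxy: a user's first matching HTTP connection is intercepted with a login
! prompt; once authenticated, that source address is trusted until the uauth timer expires.
aaa authentication match AUTH_WEB inside TAC
! Serve the login prompt over HTTPS so credentials are not sent in clear text.
aaa authentication secure-http-client
! Expire the cached authentication after 30 minutes regardless of activity.
timeout uauth 0:30:00 absolute

! Ask the TACACS+ server whether the authenticated user may open each matching connection,
! and send a start/stop accounting record for each one.
aaa authorization match AUTH_WEB inside TAC
aaa accounting match AUTH_WEB inside TAC
```

`show uauth` lists the currently authenticated users and the addresses they were authenticated from. Note that the trust is per source address: on a network where users share an address (a proxy or a terminal server), one login authenticates everyone behind it, so keep the uauth timeout short there.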
Applying HTTP, HTTPS, or FTP Filtering
Although you can use access lists to prevent outbound access to specific websites or FTP servers,
configuring and managing web usage this way is not practical because of the size and dynamic nature of
the Internet. We recommend that you use the adaptive security appliance in conjunction with a separate
server running one of the following Internet filtering products:
Applying Application Inspection
Inspection engines are required for services that embed IP addressing information in the user data packet
or that open secondary channels on dynamically assigned ports. For these protocols the adaptive
security appliance must perform deep packet inspection so that it can rewrite the embedded addresses
when NAT applies and open the secondary channels only for the ports the control session negotiated.
Sending Traffic to the Advanced Inspection and Prevention Security Services Module
If your model supports the AIP SSM for intrusion prevention, then you can send traffic to the AIP SSM
for inspection. The AIP SSM is an intrusion prevention services module that monitors and performs
real-time analysis of network traffic by looking for anomalies and misuse based on an extensive,
embedded signature library. When the system detects unauthorized activity, it can terminate the specific
connection, permanently block the attacking host, log the incident, and send an alert to the device
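The following is an added example covering both the application inspection section and the AIP SSM section above; it is not configuration from this guide. Access list, class and FTP map names and the addresses are assumed. `global_policy` and `inspection_default` are the names the appliance uses for its default service policy, so the lines below extend that policy rather than replace it.

```cisco
! Added example (not from the guide). Names and addresses are assumed. global_policy and
! inspection_default are the appliance's default service policy names.

! Tighten FTP inspection: enforce strict command/response checking and reset any session that
! tries to upload (PUT, STOU, APPE) through this firewall. Data channels are still opened only
! on the ports negotiated over the inspected control connection.
policy-map type inspect ftp FTP_NO_UPLOAD
 match request-command put stou appe
  reset log
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_NO_UPLOAD

! Send traffic to and from the server segment to the AIP SSM in inline mode. fail-close drops
! that traffic if the module stops responding; fail-open would let it pass uninspected.
access-list IPS_TRAFFIC extended permit ip any 192.168.1.0 255.255.255.0
access-list IPS_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
service-policy global_policy global
```

`show service-policy inspect ftp` and `show service-policy ips` report packet counts per class, which confirms that traffic is actually hitting the FTP map and reaching the module. The choice between fail-close and fail-open is the security decision here: fail-close protects the segment at the cost of an outage if the module fails, fail-open does the reverse.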
Cisco ASA 5500 Series Configuration Guide using ASDM, page 1-16
The benefits of NAT referred to above (under Applying NAT) are:
- You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
- NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
- NAT can resolve IP routing problems by supporting overlapping IP addresses.
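The following is an added example in the pre-8.3 nat/global/static syntax that this guide uses (8.3 and later replaced it with object NAT); it is not configuration from the guide, and the interface names, addresses and the OUTSIDE_IN access list name are assumed. It shows the two common cases and the one caveat a practitioner should keep in mind: a static translation makes a host reachable from outside, so the access rule on the outside interface, not NAT, is what limits access to it.

```cisco
! Added example in pre-8.3 nat/global/static syntax. Interface names and addresses are assumed.

! Dynamic PAT: every inside host leaves with the outside interface address as its source.
! Only connections initiated from inside create a translation, so nothing on the Internet can
! reach 192.168.1.0/24 through this rule.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Static NAT: publish 192.168.1.10 as 203.0.113.10. This translation is bidirectional, so the
! host is now reachable from outside; the OUTSIDE_IN access list applied to the outside
! interface decides which ports actually get through (NAT alone is not access control).
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! NAT exemption: traffic to the remote VPN site keeps its private addresses in both directions.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
```

`show xlate` lists the active translations; a PAT entry appears only while an inside host has a connection open, whereas the static entry is always present. If the published host must also initiate outbound connections, it uses 203.0.113.10 for those too, because the static rule takes precedence over the dynamic one.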
The Internet filtering products referred to above (under Applying HTTP, HTTPS, or FTP Filtering) are:
- Websense Enterprise
- Secure Computing SmartFilter
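The following is an added example of pointing the appliance at one of those filtering servers, not configuration from this guide. The server address, interface name and exempted host are assumed. The point to notice is the fail-open/fail-closed choice: the `allow` keyword on a `filter` command lets matching traffic through when the filtering server cannot be reached, and it is deliberately omitted here.

```cisco
! Added example (not from the guide). Server address, interface name and exempt host are assumed.
url-server (inside) vendor websense host 192.168.1.30 timeout 30 protocol TCP version 4 connections 5

! Send all outbound HTTP, HTTPS and FTP from any local host to any destination to the server for
! a verdict. Without the "allow" keyword the firewall fails closed: if the filtering server is
! unreachable, matching requests are dropped rather than passed unfiltered.
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

! Exempt the patch server from URL filtering so it can reach vendor sites even while the
! filtering server is down (https and ftp have their own "except" forms if needed).
filter url except 192.168.1.40 255.255.255.255 0.0.0.0 0.0.0.0
```

`show url-server` reports whether the appliance currently considers the server up, and `show url-server statistics` shows how many requests were permitted, denied, or dropped because no server was reachable; a rising dropped counter with a failed-closed policy is the signal that users are losing web access because the filter is down, not because of policy.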
Chapter 1: Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance (OL-20339-01)
