How ASA Works

Informally, ASA allows traffic to flow from a higher security level to a lower security level, unless modified by the conduit or access-list commands. More formally, the manual notes:

• No packets can traverse the PIX firewall without a connection and state.

• Outbound connections or states are allowed, except those specifically denied by access control lists. An outbound connection is one in which the originator or client is on a higher security interface than the receiver or server. The highest security interface is always the inside interface and the lowest is the outside interface. Any perimeter interfaces can have security levels between the inside and outside values.

www.syngress.com

50 Chapter 2 • Introduction to PIX Firewalls

• Inbound connections or states, except those specifically allowed, are denied. An inbound connection or state is one in which the originator or client is on a lower security interface or network than the receiver or server. You can apply multiple exceptions to a single xlate (translation). This lets you permit access from an arbitrary machine, network, or any host on the Internet to the host defined by the xlate.

• All ICMP packets are denied unless specifically permitted.

• All attempts to circumvent the previous rules are dropped and a message is generated. It is sent to a management device (local buffer, SNMP trap, syslog, console), depending on the severity of the attack and local configuration. (Note that normal traffic might also trigger logging, again depending on configuration. At the highest debugging mode, every packet generates an alert!)
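
The rules above can be read as one decision procedure. The following Python model is an added example, not code from the book or from Cisco; the class and field names, the interface names and the numeric levels are assumptions, and address translation is left out so that exceptions are keyed on plain addresses.

```python
from dataclasses import dataclass, field

# Constructed interface names and security levels (assumptions for this sketch).
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}

@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrives on
    out_if: str   # interface it would leave through
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_key(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass
class AsaModel:
    deny_out: set = field(default_factory=set)     # (src, dst, dport) denied outbound
    permit_in: set = field(default_factory=set)    # (src or "any", dst, dport) allowed inbound
    permit_icmp: set = field(default_factory=set)  # (src, dst) pairs explicitly permitted
    states: set = field(default_factory=set)       # keys of established connections
    log: list = field(default_factory=list)        # one message per dropped packet

    def handle(self, p):
        rule = (p.src, p.dst, p.dport)
        if p.proto == "icmp":                      # ICMP: denied unless permitted
            ok, why = (p.src, p.dst) in self.permit_icmp, "icmp not permitted"
        elif p.key() in self.states or p.reply_key() in self.states:
            return True                            # belongs to an existing connection
        elif LEVELS[p.in_if] > LEVELS[p.out_if]:   # outbound: allowed unless denied
            ok, why = rule not in self.deny_out, "outbound denied by access list"
        else:                                      # inbound: denied unless allowed
            ok = rule in self.permit_in or ("any", p.dst, p.dport) in self.permit_in
            why = "inbound without exception"
        if ok and p.proto != "icmp":
            self.states.add(p.key())               # later packets match this state
        if not ok:
            self.log.append(f"deny {p.proto} {p.src} -> {p.dst}: {why}")
        return ok
```

A packet from the outside that looks like a reply but matches no recorded state falls through to the inbound rule, which is why it is dropped and logged rather than passed.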