ASA Interview Questions & Answers
Question 1. What are the ASA security Levels?
Answer: In ASA security levels are nothing but the interfaces of firewalls. In the ASA firewall, we have 0 -100 security levels. The security level inside is 100 means it is more trusted. The security level on the outside interface is 0 means we can not trust because it is the untrusted mode.
Question 2. What is the default session timeout for TCP?
Question 3. What is transparent Firewall? Explain the working as well.
Answer: Transparent firewalls can act as a layer 2 device. Transparent firewalls can be easily configured on existing networks. In transparent firewall layer 3 traffic, we can easily pass from higher security levels to the lower security levels without any access-list configuration.
Question 4. How stateful Inspection in firewall works.
Answer: Stateful firewalls have state tables or connection tables. In-state tables we can keep track of all active connections. Stateful firewalls have dynamic state tables which can change dynamically on every state of each connection. Stateful Firewall first inspects the state table and then the policies.
Question 5. If we have the same security levels on both the side can we connect?
Answer: We need to use one command for communication. Same-security-traffic permit inter-interface
Question 6. What kind of information does the firewall maintain in Stateful Inspection?
Answer: Stateful Table maintains the following type of information
- Source Ip address
- Destination Ip address
- IP protocol TCP & UDP
- IP protocol information we have which are nothing but TCP/UDP port numbers, TCP sequence number & TCP flags
Question 7. Explain the packet flow in ASA?
- When we receive a packet at the ingress interface it will check the existing entry in the state table. If it matches then the protocol inspection is going to take place on that packet.
- If the packet doesn’t match then it means that packet is TCP-SYN packet or UDP packet. Then it will send that packet for ACL check.
- If the packet is allowed by ACL then it will be verified by translation rule, then the protocol inspection on the packet.
- Ip header is translated through nat translation rule by egress interface.
- Once the packet is translated through the egress interface then it will perform route lookup.
- If we get the route that specifies the egress interface then the layer-2 header of the packet is re-written and then packet sent out of the egress interface.
Question 8. What are the timeouts for TCP sessions, UDP sessions, and ICMP sessions?
TCP session – 60 minutes
UDP session- 2minutes
Icmp session- 2sec
Question 9. Which command will we use to check the connection table?
Answer: # show conn
Question 10. Explain the working of ASA at the time of traceroute?
Answer: When ASA gets traceroute command then ASA does not decrease the TTL value because it does not want to give information about the ASA because of security reasons. It will share TTL value without any decrement in the TTL value.
Question 11. What are the configurations we can not configure on ASA?
Answer: Following configurations we can not perform on ASA
- Loopback (Logical interface)
- WCM(WildCard mask)
- Line Vty we can not be configured
Question 12. What is the command to enable HTTP service on ASA?
Answer: #http Server Enable
Question 13. How to configure a Default route on ASA?
Answer: #static outside 0.0.0.0 0.0.0.0 <Next hop interface ip address>
Question 14. What are the different types of ACl’s?
Answer: We have different types of ACL
- Standard ACL
- Extended ACL
- Ethertype ACL(Transparent Firewall)
- Webtype ACL
Question 15. What are the features that are not supported by Transparent Firewall?
- Dynamic Routing
- QOS (Quality of Service)
- VPN (IPsec and webVPN can’t be terminated )
- Can’t acts as DHCP relay agent
Question 16. Which command we will use to convert ASA into Transparent mode?
Answer: #Firewall Transparent
Question 17. Which command we will use to see the mode of Firewall?
Answer: We have 2 modes into the firewall
- Routed mode
- Transparent mode
We can identify the mode with the help of #Show Firewall
Question 18. What is Failover and what are the types of failover?
Answer: Failover is the cisco proprietary feature that is used to provide redundancy. In failover, we required 2 same ASA’s which must be connected to each other with the dedicated link and that is failover. We can monitor the health of active interfaces and units to find out whether failover has occurred or not.
In Failover we have 2types
1.Active / Standby Failover
Question 19. What information exchanged between ASA in Failover?
- State – Active/Standby
- Hello Messages
- Network Link status
- Mac Address
- Configuration Replication and synchronization.
Question 20. What is the difference between Stateful Failover and Stateless Failover?
Answer: Stateless Failover- When a failover occurs active connections are dropped. Clients need to re-establish connections when active came into the picture.
Stateful Failover- In the stateful, the Active unit already shares pre-connection state information to the standby. when the failover occurs all connection information is already present on the Active unit. So the client does not required to re-establish any state.
Question 21. What kind of Connection Information is shared in Stateful Failover?
Answer: Following connection, Information is shared between Active to standby units in Stateful Failover
- NAT Translation Table
- TCP Connection State
- ARP Table
- Layer 2 bridge Table (In running in Transparent Firewall mode )
- ICMP Connection State
Question 22. What are failover requirements between 2 devices?
Answer: There are 2 requirements for failover devices
1. Software Requirement-
-Both the active and standby both devices must be in the same operating modes(Routed or Transparent or Single context or multiple contexts).
-The same software version must be needed.
2. Hardware Requirements-
- Both units active, as well as standby, must be the same model. It should have the same number and interface type.
Question 23. Explain Active / Standby Failover on ASA?
Answer: In Active / Standby failover, the active unit will always pass the traffic, but the standby can not pass any traffic. If the failover came into the picture then the active unit failover to the standby unit and then the standby unit becomes the active unit.
We can use failover on ASA for both for Single context as well as multiple contexts.
Question 24. Explain Active / Active Failover on ASA?
Answer: In Active/ Active Failover both devices that are ASA’s can pass network traffic. Here we divide security context into the failover groups.
Failure group is nothing but the logical group of one or more security context. Each and every group is assigned to be active on ASA in the failover pair. When failover comes into the picture it will occur on the failover group level.
Question 25. Which command will we use to enable Failover?
Question 26. Which command will we use for Failover?
Answer: # Show Failover
Question 27. Which command we will use to see NAT table and Connection Table?
Answer: # Show local-host
Question 28. Which command we will use to see the Nat translation?
# Show xlate
# Show NAT
Question 29. How unit Heath Monitoring in Failover? How failover occurs?
Answer: The ASA monitors the health of other units by monitoring the link in failover.
When the unit does not receive three consecutive packets on the failover link then it will send hello messages to each link. Just to verify whether it is responsive or not
On the basis of response, it will take the following actions.
- If ASA received a response on failover interface then it will not failover
- If ASA does not receive a response on failover link but it will get a response on another interface then the unit is not going to failover, which means failover links have been crashed.
- If ASA does not receive any response on any interface in failover, then the standby unit will switch to an active unit and then classifies to another unit as failed.
Question 30. How can we determine the active/standby states in failover?
- If unit boots and if it finds another unit inactive state, then that unit becomes a standby unit.
- If unit boots and if it finds no active unit then it will become an Active unit.
- If both units will boot simultaneously then the primary becomes an Active unit and another becomes the Standby unit.
Question 31. Which commands are not replicated to the Standby unit?
All kind of copy commands are replicated except
#copy Running-config Startup-config
All kind of write commands are replicated except
# write memory
Question 32. Explain Preemption in Active/ Standby and Active / Active.
In Active / Standby no preemption
In Active / Active preemption is the optional
Question 33. Explain the Security Context?
Answer: We can segregate the ASA into multiple virtual devices in the form of the security context. Each security context will act as a separate independent device with its own security policies, administrators and interfaces. If we have multiple contexts then these are similar to have multiple separate standalone devices.
Question 34. Which features are not supported by Multiple contexts?
Answer: VPN and Dynamic Routing Protocols are not supported by Multiple context mode.
Call the Trainer and Book your free demo Class for now!!!