Introduction to Firewalls

Hi, I want to know how the ASA FW does packet inspection on encrypted packets. If the browser is using HTTPS to access something, how does the ASA do deep packet inspection?

Hello Suman

HTTPS filtering is not supported on ASA due to the fact that HTTPS content is encrypted. So no deep packet inspection can be applied. This is according to the following Cisco documentation:

I hope this has been helpful!



If I don’t have the hardware, how can I practice on the ASA firewall?


Hello Tin

The ASA is available on the GNS3 platform. Take a look at this information from the GNS3 site that details how to get the ASA working on their platform.

I hope this has been helpful!


Hi Rene,
Thanks for this tutorial, but I think you should have discussed the types of firewalls?

From my point of view, the R&S material (CCNA to CCIE) you created and are sharing globally is great; it has helped me a lot, and I think others as well. So I want to give my view that you should add a Security part (CCNA to CCIE), both written and lab, to your curriculum.

BTW, thanks a lot again to you and Laz too for creating this channel and for the great support in clearing doubts.

I am working on some firewall/data center labs and came across a similar design and am trying to find the best way to approach it. The "FW placement 1" image is what I have in my lab, and I am trying to force the traffic to my firewall before it goes to the HSRP Cisco 1841s. I have two 3750 L3 switches that have 4 VLANs on them. I can point them to the firewall, but I am kind of lost after that. I am used to having the firewall on the outside.

  1. Would this be the equivalent of hairpinning?
  2. Without changing the configuration, would I have to use a static route and leave out default routing?

Any suggestions would be appreciated.


FW placement 1

FW placement 2


Hello Matt

There is no single best answer, but there are specific principles that will determine the best arrangement for a particular topology.

Remember that a firewall introduces another location where routing takes place. This affects your topology, and it also introduces a single point of failure into the network if you have only one device. So if you have an HSRP arrangement and you want to maintain that redundancy, introducing a high availability firewall implementation is necessary.

Next you have to determine if “firewall on a stick” is the way to go for you. In the options described in the diagrams, this is the topology that is represented. Typically, you will have three VLANs hanging off of the ASA (inside, DMZ, outside). If you use firewall on a stick, a single physical link will be used to carry traffic for all three VLANs. Alternatively, you can use three physical connections to your switches, but that uses up valuable physical ports on your switches. For this reason, you may want to place them physically inline, between the 3750s and the 1921s shown in the first diagram. That in turn seems to defeat the purpose of the HSRP configuration, so you may consider replacing the 1921s with an Active/Active firewall arrangement that will perform the same type of redundancy as the HSRP implementation. In this way, you remove additional points of failure.

If I was building something from scratch, I’d connect the firewalls directly to the service provider in an Active/Active arrangement to replace the HSRP routers. I’d connect both firewalls to both 3750 switches with two physical connections each (DMZ and inside network) and let the 3750s do the rest of the routing for the rest of the internal VLANs.

I would only use the firewall on a stick topology in an already established network for which I want to change the least amount of things.

I know I haven’t definitively answered the question, simply because there is no definitive answer. But I hope it gives you more insight in order to decide on how to proceed.

If your topology is similar to the first diagram, then you would have to configure firewall on a stick for each ASA, and then have all your outgoing traffic (from both DMZ and inside networks) use the firewall as the default gateway (or at least route the traffic there), and have the firewall route traffic to the HSRP virtual address.

I hope this has been helpful!

This has been very helpful and thank you for your candid response. You brought up some points to consider and overall helped me to understand this method as opposed to the traditional one. I will work on your recommendations and then see how it goes. Thanks again for your response, much appreciated!


Hi Rene,

It is a great video. Even though I know some of the concepts, you have tied routers, firewall, firewall server and DMZ together and explained the functionality very well. I understand the individual modules.
Awesome job!
Keep up the great work!
Thank you,

Dear sir,

I would like to know how to verify that the following are configured in our ASA firewall:

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Hardware: ASA5585-SSP-20

Hello Manikandan

I’m not quite sure what you are asking. MD5, SHA1, and SHA256 are encryption algorithms used in a variety of ASA features including VPNs, digital certificates, and the NTP protocol, to name a few. What in particular were you looking for?

Let us know so that we can help you further.


Dear Laz,

I missed your email. Attached is a list of Indicators of Compromise (IOC). We have to scan our network, in particular the firewall and DNS servers.
If any hit is found, it needs to be blocked.

Thank you


Hello Mani

After doing some research, I have found that the Cisco ASA supports such IoC indicators when coupled with FirePOWER. You can take a look at this Cisco documentation that specifies more about how to configure it for an ASA.

This Cisco blog also talks about how it can be implemented on both network and endpoint devices:

However, it seems that without FirePOWER, implementing these IoC indicators on an ASA is not possible.

I hope this gives you some more information about what you need. (Also, it seems that your zip file attachment is empty.) If you need more information, please clarify your question so that we can respond to it specifically.

I hope this has been helpful!


Dear Laz,
Our ASDM version doesn’t have this FirePOWER module. Attached are the ASDM and ASA versions for your reference.
Kindly advise whether an ASDM upgrade is required to get this FirePOWER module.


Hello Mani

There are several ways in which FirePOWER can be incorporated into the use of an ASA device. One is to use the Firepower Management Center (FMC), which is standalone software that manages multiple FirePOWER-enabled ASAs. In this scenario, ASDM is not used at all, but is replaced by the FMC. More info about this type of implementation can be found here:

Alternatively, you can enable an ASA with FirePOWER and manage it using the ASDM software. More about how this can be done can be found in the following Cisco documentation:

FMC is considered an “off-box” solution, which means that the intelligence of FirePOWER is found within the independent server while ASDM is considered the “on-box” solution because both FirePOWER and ASDM are installed and run from the ASA device itself.

I hope this has been helpful!



Dear sir ,

Thank you for your help provided.
Good day. Currently 10 physical interfaces have been added to the FW. One of the customers needs one more network to be added to the firewall. When I want to add an interface, it looks like there is no hardware port available. Can this model support creating one more hardware port? If yes, how do I enable the hardware port?

Thank you


Hello Mani

Each firewall interface can have only one subnet connected to it. If a customer requires more subnets within their network, they will have to have a router or layer 3 switch that performs the routing between their internal networks. Then, any traffic going outbound via the firewall can be forwarded to the physical interface of the firewall connected to their network.

Alternatively, if you want to provide them with multiple subnets that actually terminate on the firewall, you can create subinterfaces. However, this will cause the firewall to act as a router for traffic travelling between subnets of that particular customer, something that will take up more CPU and memory resources on your firewall.

For more information about subinterfaces on an ASA firewall, take a look at this lesson:

I hope this has been helpful!


Dear sir,

We have two core switches configured with HSRP. The user switches have connected to the Nexus 5k switches, which are then connected to the core switches where the FW and router are connected. The customer network is connected to the end switch. One server segment is connected to the firewall. Instead of adding the subinterface, do I have to add another subnet for the server to the core switch? Any idea how to make the configuration and connection as well?

And the firewall can’t see the physical interface in the CLI or GUI. Physically I noticed TenGig0/8. The 10G port is used for a few customers as a trunk, connected to the core switch, which is also a 10G trunk port.

Another 10G connection, TenGi0/9, has 3 more networks.
One of the interfaces is named SEC, and the VLAN is 282.
6 networks are configured as below on one 10G port.

 nameif SEC
 security-level 90
 ip address standby

DCR8R1-N7K01# sh mac address-table |i  00a0.c917.0101
* 40       00a0.c917.0101    dynamic   0          F    F  Eth1/31
* 88       00a0.c917.0101    dynamic   0          F    F  Eth1/31
* 276      00a0.c917.0101    dynamic   0          F    F  Eth1/31
* 278      00a0.c917.0101    dynamic   0          F    F  Eth1/31
* 282      00a0.c917.0101    dynamic   0          F    F  Eth1/31
* 291      00a0.c917.0101    dynamic   0          F    F  Eth1/31

interface Ethernet1/31
  description <to ASA01 Te0/8>
  switchport mode private-vlan trunk promiscuous
  logging event port link-status
  switchport private-vlan mapping 40 476,487,491
  switchport private-vlan trunk allowed vlan 1-3967
  switchport private-vlan mapping trunk 40 476,487,491
  no shutdown


If they were previously configured as subinterfaces, how do I verify it?
The model is ASA5585-SSP-20.

How do I add one additional subinterface?

Any idea? Please help with two methods to connect the new network.

Thank you


Hello Mani

It would be very helpful if you could include a diagram with your explanation as it is difficult to follow and understand your topology. However, concerning this question:

If you want to find out more about how to configure, or how to understand a configuration of subinterfaces on the ASA, take a look at the following lesson:

I await your clarifications to be able to answer the rest of your questions.

I hope this has been helpful!
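As an added illustration for the two subinterface questions above (how to tell whether Te0/8 already carries subinterfaces, and how to add one more), here is an example configuration that is not from the thread or from Cisco documentation. It assumes a multiple-context ASA (the 5585 in the question), the physical port TenGigabitEthernet0/8 that the Nexus Eth1/31 description points at, and made-up values: VLAN 300, interface name SEC2, context name cust1, and the 10.30.0.0/24 subnet with .1 active and .3 standby. Note that the posted `sh mac address-table` output shows the same MAC learned on VLANs 40, 88, 276, 278, 282 and 291 over Eth1/31, which is what you would expect if the ASA already has one subinterface per VLAN on that trunk.

```cisco
! Added example, not from the original thread. Assumed values throughout.
!
! --- Step 1: system execution space (changeto system) ---
! Subinterfaces and their VLAN tags are created here; only the VLAN is set.
interface TenGigabitEthernet0/8.300
 vlan 300
 no shutdown
!
! Hand the new subinterface to the customer's context.
context cust1
 allocate-interface TenGigabitEthernet0/8.300
!
! --- Step 2: inside the context (changeto context cust1) ---
! The security properties and addressing live in the context config.
interface TenGigabitEthernet0/8.300
 nameif SEC2
 security-level 90
 ip address 10.30.0.1 255.255.255.0 standby 10.30.0.3
!
! --- Verification (system space) ---
! Lists every subinterface defined on the port together with its VLAN tag,
! which answers "were these previously configured as subinterfaces?"
show running-config interface TenGigabitEthernet0/8
! Shows which context each subinterface was allocated to.
show context
!
! --- Verification (inside cust1) ---
show interface ip brief
show nameif
!
! --- Nexus 7K side (Eth1/31) ---
! The posted config already allows VLAN 1-3967 on the trunk, so only the
! VLAN itself needs to exist on the switch for the tag to be forwarded.
vlan 300
 name CUST1-SEC2
```

The split between the system space (VLAN tag, allocation) and the context (nameif, security-level, IP) is the usual source of confusion on a multiple-context ASA: if `show interface ip brief` inside the context does not list the subinterface, check the `allocate-interface` line in the system space first. A security-level of 90 is used only because the existing SEC interface in the thread uses it; pick the level that matches how trusted the new segment is relative to the others.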


Dear sir,

I need to know how to add an additional subinterface for another segment on a context-based ASA 5585-SSP-20.
If that can’t be done, how do I connect the new segments on the Nexus 7K core switch?

Thank you