Cisco ASA Firewall Overview

The Cisco ASA firewall evolved from the Cisco PIX firewall and combines its firewall capabilities with the VPN capabilities of Cisco's acquired Altiga VPN Concentrator. The ASA functions as a router and firewall, using interface security levels and ACLs to control traffic flow between interfaces based on source and destination security levels, allowing traffic from high to low by default but requiring explicit policies for low to high.

ASA Firewall Overview

 The Cisco ASA Firewall evolved from Cisco's first physical firewall appliance, the Cisco PIX
Firewall.
 The PIX Firewall was a firewall with limited VPN capabilities.
 Web-based VPNs (SSL VPNs) were becoming popular. The PIX firewall had the ability to provide
Remote Access VPN capabilities using basic IPSec and PPTP type VPNs.
 Cisco acquired a company called Altiga. Altiga had a product known for its VPN capabilities. The
product was called the VPN Concentrator. It was known for its Web VPN capability.
 Initially Cisco sold the VPN Concentrator as a stand-alone device.
 The Web VPN capability along with the Firewall capability of the PIX were ported into a new
device called the ASA Firewall.
 The ASA Firewall is a combination of the Firewalling of the PIX with the Web VPN capability of
the VPN Concentrator.
 The ASA Firewall is an L3 Router by default.
 It has all the routing functionalities that a normal router would have.
 It can run RIP, EIGRP, OSPF and BGP Routing Protocols.
 The difference between a regular router and an ASA Firewall is that the router forwards all traffic
by default, whereas the ASA will allow traffic based on certain policies which will be discussed in
this video.
 Besides assigning the IP Address to an Interface, the ASA requires 2 additional parameters on
the Interface.
 Let’s discuss the Interface configuration, as it controls the default traffic flow through the Firewall.
Interface Configuration Parameters
 To initialize an ASA Interface, you need the following parameters:
 Nameif:
o The name of the Interface is not case-sensitive.
o Although, it is not case-sensitive, it does preserve the case.
o It is a required parameter.
o All commands reference the Interface using the Name not the Physical ID.
 Security Level:
o It is a number between 0 – 100.
o It controls the default traffic flow thru the firewall.
o When you configure a blank interface with a Name, the security level is set
automatically to 0 unless the name of the interface is Inside (which gets 100).
 IP Address:
o You configure it just like you would on a router.
o You do have the ability to skip the mask if the IP address is using the default
class mask.
Default Traffic Flow
 High Security Level to Low Security Level

Apparao Kesavarapu 1|Page


 By default, all traffic is allowed to flow from a High Security Interface towards a Low
Security Interface as long as the routing information is in place.
 Although, all traffic is allowed to flow from High Security Level to Low Security Level,
only TCP and UDP traffic is inspected.
 Inspection creates a return entry in the Connection Table on the Firewall. This allows the
return traffic to come back. This is known as Stateful Inspection.
 Low Security Level to High Security Level
 By default, all traffic is blocked from coming in from Low Security Interface towards a
High Security Interface.
 If you want this traffic to work, you would need to create an explicit policy on the Low
Interface to allow this traffic. This is done by creating an ACL.
 When a packet hits a low security interface going towards a high security interface, the
firewall first checks the connection table. If there is no entry in the connection table, it
checks the ACL for a Permit. If there is no Permit in the ACL, it applies the default
behavior (deny).
 Same Security Level Interfaces
 By default, any traffic going from an interface towards a destination interface that has the
same security level is blocked.
 Even an explicit ACL will not help in allowing this traffic.
 A typical example of this type of setup is when you have 2 partner networks connecting
into your network but you don’t want them to traverse to each other thru your firewall.
 You have the option to disable the firewalling between 2 interfaces with the same security level
by using the “same-security-traffic permit inter-interface” command.
 If you use the above command, it allows all traffic between any 2 interfaces with the same
security level.
Configuration Commands

 Configure Interface Gig 0/0 with an IP Address of 192.1.20.10/24. The Name of the Interface
should be “Outside”. It should have a Security Level of 0.
interface GigabitEthernet0/0
nameif Outside
ip address 192.1.20.10
no shut
Note: (Mask is not required as it is the default mask for the Class. Security Level is not required as it
automatically sets the Security Level to “0” for any name except “Inside” on a blank interface.)
 Configure Interface Gig 0/1 with an IP Address of 10.11.11.10/24. The Name of the Interface
should be “Inside”. It should have a Security Level of 100.
interface GigabitEthernet0/1
nameif Inside
ip address 10.11.11.10 255.255.255.0
no shut
Note: (Mask is required as it is a non-default mask for the Class. Security Level is not required as it
automatically sets the Security Level to “100” for the Interface name of “Inside” on a blank interface.)
Verification Commands
 show run interface - Displays the running config for an Interface.
 show interface ip brief - Equivalent to the IOS show ip interface brief. Displays the Interface IP
Address and Status.
 show nameif - Displays the Interfaces, their Names and their Security Levels.

[Lab topology diagram; only the recoverable information is listed]
ASA FW G0/0 (.10) – 192.1.20.0/24 Outside – R2 E0/0 (.2); R2 networks: 10.2.2.0/24, 199.1.1.0/24, 200.1.1.0/24
ASA FW G0/1 (.10) – 10.11.11.0/24 Inside – R1 E0/0 (.1), R1 E0/1 (.1); R1 networks: 10.1.1.0/24, 10.10.10.0/24, 10.20.20.0/24
ASA FW G0/2 (.10) – 192.168.3.0/24 DMZ-3 – R3 E0/0 (.3); R3 network: 10.3.3.0/24
ASA FW G0/3 (.10) – 192.168.4.0/24 DMZ-4 – R4 E0/0 (.4); R4 network: 10.4.4.0/24

Traffic Destined to the Firewall

 “TO” traffic is traffic destined to an interface on the Firewall.
 It is controlled by the service running on the Firewall. ACLs have no effect on this traffic.
 By default, the only service that is running on the Firewall is ICMP.
 The only traffic that is allowed to successfully reach the firewall is ICMP.
 No other traffic is allowed TO the firewall.
 Enabling or disabling of a service on the Firewall is a "Per Interface" characteristic.
 The service has no effect on “THRU” traffic. THRU traffic is controlled by the implicit (High –
Low / Low – High) behavior or by ACLs.
 Remote Management to the Firewall via Telnet, SSH or HTTP/HTTPS is also considered to be
“TO” traffic.
 The services need to be enabled and the addresses that are allowed need to be specified.
 Remote Management is also enabled on a Per-Interface basis.
 Routing Protocols also send traffic “TO” the firewall. You enable receiving routing updates by
using the “network” command in the case of IGPs (RIP, EIGRP, OSPF) and the “neighbor”
command in the case of BGP.
Controlling ICMP to the Firewall
 By default, ICMP is the only service that is allowed on the Firewall.
 It is enabled on all the Interfaces.
 You can control it by using the “icmp” command.
 As soon as you configure an icmp command on an interface, the rest of the ICMP traffic to that
interface falls under the implicit deny.
 For example, if you want to deny outside devices pinging you but still allow the firewall to ping
outside, you configure a permit statement allowing echo-reply on the Outside interface. The rest
of the ICMP traffic will be denied by the Implicit Deny statement.
ICMP Configuration Command
 The Syntax for the ICMP command is:
ICMP [Action] [Source] [Type] [Interface]
- Action – Permit / Deny
- Source – Source IP or Network
- Type – ICMP Packet type like echo / echo-reply
- Interface – Interface Name that you want to control
Lab Configuration
 This lab builds on the Previous Lab (ACL)
 Allow the following traffic To the Firewall:
• R2 (192.1.20.2) should be able to ping the Firewall Outside Interface.
• The 199.1.1.0/24 network should be able to ping the Outside Interface.
• The Firewall should be able to ping any outside device.
• ICMP should be blocked for all other traffic on the Outside Interface.
• The Firewall should be able to ping devices on DMZ-4.
• ICMP should be blocked for all other traffic on the DMZ-4 Interface.
ASA – OUTSIDE
icmp permit host 192.1.20.2 echo Outside

icmp permit 199.1.1.0 255.255.255.0 echo Outside
icmp permit any echo-reply Outside
ASA – DMZ-4
icmp permit any echo-reply DMZ-4
Verifications:
• Verify by pinging the Outside Firewall Interface from the Loopback addresses on R2.
• Ping the Outside Loopbacks from the Firewall
• Ping the R4 Loopbacks from the Firewall.
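The per-interface icmp policy of this lab, evaluated by an added Python parser (not part of the notes or of the ASA): it reads the icmp commands above and applies the rule that an interface with no icmp command accepts all ICMP, while an interface with any icmp command checks the rules in order and drops everything unmatched into the implicit deny. The Inside case is constructed to show the no-command default.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, NamedTuple, Optional


class IcmpRule(NamedTuple):
    action: str               # "permit" or "deny"
    source: IPv4Network       # host X -> X/32, any -> 0.0.0.0/0, else NET/MASK
    icmp_type: Optional[str]  # e.g. "echo", "echo-reply"; None = every type
    interface: str


def parse_icmp_rule(line: str) -> IcmpRule:
    """Parse: icmp {permit|deny} {host IP | NET MASK | any} [TYPE] INTERFACE."""
    tok = line.split()
    if len(tok) < 4 or tok[0].lower() != "icmp" or tok[1].lower() not in ("permit", "deny"):
        raise ValueError(f"not an icmp command: {line!r}")
    action, rest = tok[1].lower(), tok[2:]
    if rest[0].lower() == "any":
        source, rest = IPv4Network("0.0.0.0/0"), rest[1:]
    elif rest[0].lower() == "host":
        source, rest = IPv4Network(f"{rest[1]}/32"), rest[2:]
    else:
        source, rest = IPv4Network(f"{rest[0]}/{rest[1]}"), rest[2:]
    # The interface name is always last; an optional type sits before it.
    if len(rest) > 2:
        raise ValueError(f"unexpected tokens in {line!r}")
    interface = rest[-1]
    icmp_type = rest[0] if len(rest) == 2 else None
    return IcmpRule(action, source, icmp_type, interface)


def build_policy(config: str) -> Dict[str, List[IcmpRule]]:
    """Group the icmp commands per interface, keeping configuration order."""
    policy: Dict[str, List[IcmpRule]] = {}
    for line in config.strip().splitlines():
        if line.strip():
            rule = parse_icmp_rule(line)
            policy.setdefault(rule.interface, []).append(rule)
    return policy


def icmp_to_firewall_allowed(policy: Dict[str, List[IcmpRule]], interface: str,
                             src_ip: str, icmp_type: str) -> bool:
    """Decide an ICMP packet destined TO `interface` of the firewall.

    No icmp command on the interface means the default: ICMP is permitted.
    Once one exists, rules are checked in order, first match wins, and any
    unmatched packet falls into the implicit deny.
    """
    rules = policy.get(interface)
    if not rules:
        return True
    for rule in rules:
        if IPv4Address(src_ip) in rule.source and rule.icmp_type in (None, icmp_type):
            return rule.action == "permit"
    return False


# The lab configuration from this section (Outside and DMZ-4 interfaces).
LAB_ICMP_CONFIG = """
icmp permit host 192.1.20.2 echo Outside
icmp permit 199.1.1.0 255.255.255.0 echo Outside
icmp permit any echo-reply Outside
icmp permit any echo-reply DMZ-4
"""
LAB_POLICY = build_policy(LAB_ICMP_CONFIG)


if __name__ == "__main__":
    # Constructed probes: R2, an outside host, the DMZ-4 router and an Inside host.
    for iface, ip, typ in [("Outside", "192.1.20.2", "echo"), ("Outside", "200.1.1.1", "echo"),
                           ("Outside", "200.1.1.1", "echo-reply"), ("DMZ-4", "192.168.4.4", "echo"),
                           ("Inside", "10.11.11.1", "echo")]:
        verdict = icmp_to_firewall_allowed(LAB_POLICY, iface, ip, typ)
        print(iface, ip, typ, "->", "permit" if verdict else "deny")
```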
ASA Firewall ACL
 Firewall ACLs only control traffic going “THRU” the firewall. It does not affect traffic destined to
the Firewall Interfaces.
 Firewall ACLs are Extended ACLs by default.
 They are Named extended ACLs.
 The ACLs on the Routers use an inverse (wildcard) mask for matching [0 = match; 1 = ignore].
 The ACLs on the Firewalls use a normal mask for matching [1 = match; 0 = ignore].

Configuration Commands
 The Syntax for Creating the ACLs on the ASA is:
Access-list [NAME] [Action] [Protocol] [Source IP] [Dest. IP] [Port/Type]
- Name – Name/Identifier for the ACL
- Action – Permit / Deny
- Protocol – TCP / UDP / ICMP / ESP / GRE / OSPF / EIGRP etc.
- Source / Dest. IP – Source / Destination Host or Network Address.
- Port / Type – Application Port (80,23,25) or ICMP Packet Type (Echo, Echo-reply)
 The Syntax for Applying the ACLs on the ASA is:
Access-group [ACL Name] [Direction] Interface [Interface Name]
- ACL Name – Name of the ACL to be applied
- Direction – Inbound or Outbound from the perspective of the Interface
- Interface Name – Name of the Interface where the ACL is being Applied

Remote Management Access to the ASA Firewall


 The ASA allows remote management using 3 protocols.
 Telnet – Telnet gives you command line console access to the Firewall remotely. Telnet
is a clear text management protocol. It is not allowed from an Interface set with a
security level of “0”.
 SSH – SSH also gives you command line console access to the Firewall remotely. SSH
encrypts the communication between the Admin device and the Firewall. It is the
recommended protocol for Remote management.

 HTTP – HTTP allows you to use the ASDM application to manage the firewall remotely.
ASDM is a tool that allows you to configure the ASA using a GUI. Some of the VPN
Services require you to use ASDM for configuration.

Remote Management using Telnet


 Telnet can be configured on any Interface except an Interface with a Security Level of 0.
 It needs to be enabled on the Interface and the allowed address needs to be specified.
 You also need to configure a password for Telnet.
 Configuration Example:
telnet 10.11.11.0 255.255.255.0 Inside
telnet 192.168.3.3 255.255.255.255 DMZ-3
passwd cisco123

Remote Management using SSH


 SSH can be configured on any Interface.
 It needs to be enabled on the Interface and the allowed address needs to be specified.
 SSH requires an RSA key to be generated.
 SSH also requires a Username / Password combination. You can either do it based on the LOCAL
Username Database or an AAA Server.
 Configuration Example:
ssh 10.11.11.0 255.255.255.0 Inside
ssh 192.1.20.2 255.255.255.255 Outside
username Khawar password cisco123
!
domain-name kbschool.online
crypto key generate rsa modulus 1024
!
aaa authentication ssh console LOCAL
Remote Management using HTTP
 HTTP is required for the ASDM Application.
 ASDM is the application that allows you to manage the Firewall configurations using a Graphical
Tool.
 HTTP also requires a Username / Password combination. You can either do it based on the
LOCAL Username Database or an AAA Server.
 Configuration Example:
http server enable
http 10.10.10.0 255.255.255.0 inside
!
username Khawar password cisco123 privilege 15
aaa authentication http console LOCAL

Remote Management using SSH

Configuration Commands
 Syntax:
ssh [Source IP] [Mask] [Interface]
- Source IP / Mask – Specifies the Admin device/Network Address.
- Interface – Interface name where the SSH service should be enabled.
domain-name [Domain-name]
crypto key generate rsa modulus [Key Size]
- Key Size – The size of the RSA key in bits.
username [Admin Username] password [Password]
aaa authentication ssh console LOCAL
- LOCAL – Points to the Local Username/Password Database. “LOCAL” is case sensitive.
Lab Configuration
 This lab builds on the Previous Lab (Telnet)
 Configure remote management of the ASA Firewall from the Inside, DMZ-3 and Outside Networks
using SSH.
 It should only be allowed from the 10.11.11.0/24 network from the Inside Interface,
192.168.3.0/24 network from the DMZ-3 Interface and 192.1.20.2 Host from the Outside.
 SSH should use the configured LOCAL username/password for authentication.

ASA
domain-name cisco.com
crypto key generate rsa modulus 1024
!
aaa authentication ssh console LOCAL
!
ssh 10.11.11.0 255.255.255.0 Inside
ssh 192.168.3.0 255.255.255.0 DMZ-3
ssh 192.1.20.2 255.255.255.255 Outside

Remote Management using Telnet


 You could also use a Username/Password combination for Telnet Authentication like you use for
SSH & HTTP.
Configuration Commands
 Syntax:

telnet [Source IP] [Mask] [Interface]
- Source IP / Mask – Specifies the Admin device/Network Address.
- Interface – Interface name where the Telnet service should be enabled.
passwd [Password]
- Telnet requires a password for the administrator.
Alternatively, use a LOCAL database Username/Password combination:
username [Admin Username] password [Password]
aaa authentication telnet console LOCAL
- LOCAL – Points to the Local Username/Password Database. “LOCAL” is case sensitive.
Lab Configuration

 This lab builds on the Previous Lab (ICMP)


 Configure remote management of the ASA Firewall from the Inside Network.
 It should only be allowed from the 10.11.11.0/24 network.
 Create a username admin with a password of cisco123.
 Telnet should use the configured LOCAL username/password for authentication.

ASA
telnet 10.11.11.0 255.255.255.0 Inside
!
username admin password cisco123
aaa authentication telnet console LOCAL

Static Routing
 Static Routes are User-defined, manually created routes.
 As the ASA has full routing capabilities by default, you can configure Static Routing on it.
 The administrator creates Static Routes on a Cisco ASA Firewall using the route command.
 The administrator is responsible for creating routes for each network in the topology.
 If a new network is added, you would need to add the new route manually on each and every
router.
 It is not suitable for a large/dynamic environment.
 In case a route goes down, the other routers are not going to be aware of the change and will
continue to send traffic towards that router.

Configuration Commands
 The syntax for the Static Route command (route, the ASA equivalent of ip route) is:
route [Exit Interface] [Network] [Mask] [Next Hop]
 For our network, if the ASA wants to reach the 10.1.1.0/24 network, which is behind R1, you
would create a static route using the following:
route Inside 10.1.1.0 255.255.255.0 10.11.11.1
Destination Network: 10.1.1.0
Network Mask: 255.255.255.0

Exit Interface: Inside
Next Router IP to reach the destination: 10.11.11.1 (This needs to be reachable/directly connected)

Default Routes
 Default routes define a router as the default gateway for your device.
 When there is no entry for the destination network in a routing table, the router will forward
the packet to its default router.
 Default routes help in reducing the size of your routing table.
 The default route is essentially a static route with a special Destination Network and Network
Mask.
 The Special Destination Network is “0.0.0.0”. The special Network Mask is “0.0.0.0”
Default Route Syntax
 The syntax for the Default Route on the ASA is:
route [Exit Interface] 0.0.0.0 0.0.0.0 [Next Hop Router]
 For our network, if the ASA wants to reach any network not in the routing table, you would create a
default route using the following:
route Outside 0.0.0.0 0.0.0.0 192.1.20.2
 The 0.0.0.0 0.0.0.0 can be abbreviated by using a “0” to represent the Network and “0” to
represent the Mask.
route Outside 0 0 192.1.20.2
Verification Commands
 show run route - Displays the running config for the route statements.
 show route – Displays the routing table.
 ping – Verifies connectivity.

Lab Configuration
 This lab builds on the Basic Initialization Lab.
 Configure Static routes on the ASA to provide it reachability towards the Loopback networks
behind the surrounding routers.
 Configure a Default Route on the ASA towards R2.
 Configure Static Routes on the ASA towards the 10.X.X.0/24 Loopback Networks behind R1, R3
& R4.
 Ping these networks to verify connectivity.

ASA
route Outside 0 0 192.1.20.2
route Inside 10.1.1.0 255.255.255.0 10.11.11.1
route Inside 10.10.10.0 255.255.255.0 10.11.11.1
route Inside 10.20.20.0 255.255.255.0 10.11.11.1
route DMZ-3 10.3.3.0 255.255.255.0 192.168.3.3
route DMZ-4 10.4.4.0 255.255.255.0 192.168.4.4

 Ping 10.2.2.2 to verify the Default Route.

 Ping 10.1.1.1, 10.10.10.1 & 10.20.20.1 behind R1.
 Ping 10.3.3.3 behind R3.
 Ping 10.4.4.4 behind R4.
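The static and default routes of this lab resolved by an added Python model (not code from the notes or from Cisco): it parses route statements including the 0 0 shorthand, performs the longest-prefix lookup over the connected and static routes, and checks the caveat that a next hop must sit on the exit interface's directly connected subnet. The connected subnets are taken from the lab topology, and one extra route (10.5.5.0/24, constructed, pointing out DMZ-3 at a DMZ-4 address) is included to show the check firing.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    interface: str
    network: IPv4Network
    next_hop: Optional[IPv4Address]   # None = directly connected


# Connected networks of the lab ASA, taken from the lab topology.
CONNECTED: Dict[str, IPv4Network] = {
    "Outside": IPv4Network("192.1.20.0/24"),
    "Inside": IPv4Network("10.11.11.0/24"),
    "DMZ-3": IPv4Network("192.168.3.0/24"),
    "DMZ-4": IPv4Network("192.168.4.0/24"),
}

# The lab's route statements plus one constructed, deliberately wrong line
# (10.5.5.0/24 is not in the lab): its exit interface is DMZ-3 but the next
# hop 192.168.4.5 is on the DMZ-4 subnet, the mistake check_next_hop catches.
ROUTE_CONFIG = """
route Outside 0 0 192.1.20.2
route Inside 10.1.1.0 255.255.255.0 10.11.11.1
route Inside 10.10.10.0 255.255.255.0 10.11.11.1
route Inside 10.20.20.0 255.255.255.0 10.11.11.1
route DMZ-3 10.3.3.0 255.255.255.0 192.168.3.3
route DMZ-4 10.4.4.0 255.255.255.0 192.168.4.4
route DMZ-3 10.5.5.0 255.255.255.0 192.168.4.5
"""


def parse_route(line: str) -> Route:
    """Parse: route EXIT_INTERFACE NETWORK MASK NEXT_HOP (with the 0 0 shorthand)."""
    tok = line.split()
    if len(tok) != 5 or tok[0].lower() != "route":
        raise ValueError(f"not a route statement: {line!r}")
    _, interface, net, mask, next_hop = tok
    net = "0.0.0.0" if net == "0" else net      # "0 0" abbreviates 0.0.0.0 0.0.0.0
    mask = "0.0.0.0" if mask == "0" else mask
    return Route(interface, IPv4Network(f"{net}/{mask}"), IPv4Address(next_hop))


def check_next_hop(route: Route) -> Optional[str]:
    """A static route's next hop must be on the exit interface's connected subnet."""
    subnet = CONNECTED.get(route.interface)
    if subnet is None:
        return f"{route.network}: unknown interface {route.interface}"
    if route.next_hop is not None and route.next_hop not in subnet:
        return f"{route.network}: next hop {route.next_hop} is not on {route.interface} ({subnet})"
    return None


def build_table(config: str) -> List[Route]:
    """Routing table = connected routes + the parsed static routes."""
    table = [Route(name, net, None) for name, net in CONNECTED.items()]
    table += [parse_route(l) for l in config.strip().splitlines() if l.strip()]
    return table


def lookup(table: List[Route], dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match: (exit interface, next hop) or next hop None if connected."""
    ip = IPv4Address(dst)
    best = max((r for r in table if ip in r.network),
               key=lambda r: r.network.prefixlen, default=None)
    if best is None:
        return None
    return best.interface, None if best.next_hop is None else str(best.next_hop)


def validate(config: str) -> List[str]:
    """Problems found in the static routes, one message per bad route."""
    problems = [check_next_hop(r) for r in build_table(config) if r.next_hop is not None]
    return [p for p in problems if p]


if __name__ == "__main__":
    table = build_table(ROUTE_CONFIG)
    for dst in ("10.2.2.2", "10.10.10.1", "10.4.4.4", "10.11.11.7"):
        print(dst, "->", lookup(table, dst))
    print(validate(ROUTE_CONFIG))
```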
Configuring RIPv2
 All Routing Protocols are enabled by using the “Router” command.
 In order to enable RIP, you use the “Router RIP” command.
 By default, a routing device sends updates using RIP version 1. You should change the version to
2. This is the current and most popular version of RIP.
 Auto-summarization of Subnets is also turned on by default. It is highly recommended to disable
Auto-summarization.
router rip
version 2
no auto-summary

 The network command enables a routing protocol on an interface.
 By enabling the routing protocol for an interface, it takes the following 2 actions:
1. It will allow the router to send and receive RIP updates on that interface.
2. It will send/advertise this interface's network on the other RIP-enabled interfaces.
 In RIP, the network command is only configured for Major networks. If your router has subnets,
all the subnets belonging to a major network will automatically be enabled for RIP.
 You enable RIP on all the directly connected interfaces.
router rip
version 2
no auto-summary
network 10.0.0.0
network 192.168.4.0
RIP Authentication
 Authentication allows you to validate the updates are being sent from a trusted source.
 RIP authentication can be done by using Clear Text Authentication or MD5.
 Clear Text authentication sends the password along with the Update. The password can be seen
if someone runs a sniffer on the network.
 MD5 hashes the password. It is the preferred mechanism for authentication. The password is
not sent in the clear.
 Authentication is done on a Per-Interface Basis.
Configuring RIP Authentication
 Authentication is done differently on Routers versus the ASA Firewall.
 On the routers, you configure a Key Chain to specify the Key ID and Key String that needs to be
exchanged. The Key chain is applied on the specific interface that authentication needs to be
done on.
 On the ASA, the Key ID and Key String is applied directly to the interface.
 In addition to the Key, you need to specify the Authentication Mode.

 If you apply a Key/Key Chain to the interface, the devices default to “Clear Text” authentication.
You can change the authentication mode to MD5 for a more secure mechanism.
Configuring RIP Authentication
 Router Configuration
key chain ABC
key 1
key-string cisco123
!
interface Ethernet0/0
ip rip authentication key-chain ABC
ip rip authentication mode [text/md5] (Default = text)
 ASA Configuration
interface GigabitEthernet0/0
rip authentication key cisco123 key_id 1
rip authentication mode [text/md5] (Default = text)
Lab Configuration
 This lab builds on the Previous Lab (Static Routes)
 Clear all the Static routes on the Firewall by using the “Clear Configure Route” Command.
 Configure RIP version 2 on the Lab Network.
 Make sure all 10.X.X.X networks are reachable from the ASA.
 Configure Clear Text Authentication using a key ID of 1 and Key string of cisco123 between the
ASA and R3.
 Configure MD5 Authentication using a key ID of 1 and Key string of cisco555 between ASA and
R2.

ASA
clear configure route
!
router rip
version 2
no auto-summary
network 192.1.20.0
network 10.0.0.0
network 192.168.3.0
network 192.168.4.0
!
interface GigabitEthernet0/0
rip authentication mode md5
rip authentication key cisco555 key_id 1
!
interface GigabitEthernet0/2
rip authentication mode text
rip authentication key cisco123 key_id 1

Routing on the ASA – EIGRP


 All Routing Protocols are enabled by using the “Router” command.
 In order to enable EIGRP, you use the “Router EIGRP XXX” command where XXX is the
Autonomous System Number. This number needs to match between the neighboring routers.
 Auto-summarization of Subnets is also turned on by default. It is highly recommended to disable
Auto-summarization.
router eigrp 100
no auto-summary
 The network command enables a routing protocol on an interface.
 By enabling the routing protocol for an interface, it takes the following 2 actions:
1. It will allow the router to send and receive EIGRP updates on that interface.
2. It will send/advertise this interface's network on the other EIGRP-enabled interfaces.
 In EIGRP, the network command can optionally take a mask (a wildcard mask on IOS routers, a
normal subnet mask on the ASA). You can enable a major network, which will enable EIGRP on all
interfaces with that major network including subnets. You can also enable EIGRP using the mask,
which allows you to be more specific.
router eigrp 100
no auto-summary
network 10.3.3.0 255.255.255.0
network 192.168.4.0

EIGRP Authentication
 Authentication allows you to validate that the updates are being sent from a trusted source.
 EIGRP authentication can only be done by using MD5.
 Authentication is done on a Per-Interface Basis.
 Although MD5 is the only authentication mechanism, it still needs to be specified explicitly to
turn on Authentication on an Interface.
 Authentication is done differently on Routers versus the ASA Firewall.
 On the routers, you configure a Key Chain to specify the Key ID and Key String that needs to be
exchanged. The Key chain is applied on the specific interface that authentication needs to be
done on.
 On the ASA, the Key ID and Key String are applied directly to the interface.
 In addition to the Key, you need to specify the Authentication Mode (MD5).

 Router Configuration
key chain ABC
key 1
key-string cisco123
!
interface Ethernet0/0
ip authentication key-chain eigrp 100 ABC
ip authentication mode eigrp 100 md5
 ASA Configuration
interface GigabitEthernet0/0
authentication key eigrp 100 cisco123 key-id 1
authentication mode eigrp 100 md5
Lab Configuration
 This lab builds on the Previous Lab (RIPv2)
 Clear all routing configuration by using the “Clear configure router” command. Also, use the
“No router rip” command on the routers to disable RIP.
 Configure EIGRP in AS 100 on all the routers.
 Make sure all 10.X.X.X networks are reachable from the ASA.
 Configure MD5 Authentication using a key ID of 1 and Key string of cisco555 between ASA and
R2.

ASA
clear configure router
!
router eigrp 100
no auto-summary
network 192.1.20.0
network 10.11.11.0 255.255.255.0
network 192.168.3.0
network 192.168.4.0
!
interface GigabitEthernet0/0
authentication mode eigrp 100 md5
authentication key eigrp 100 cisco555 key-id 1

Routing on the ASA – OSPF


 All Routing Protocols are enabled by using the “router” command.
 In order to enable OSPF, you use the “router ospf XX” command where the “XX” is the process
ID. The Process ID is locally significant and does not need to match the remote router.
 OSPF routers are grouped into a logical entity known as an Area. In our examples, we are going
to use a single area, Area 0.
 OSPF routers are identified by an “IP Address”-like identifier known as the router ID. It can
be configured manually using the router-id command under the routing process.
router ospf 1
router-id 1.1.1.1
Configuration Commands
 The network command enables a routing protocol on an interface.

 By enabling the routing protocol for an interface, it takes the following 2 actions:
1. It will allow the router to send and receive OSPF updates on that interface.
2. It will send/advertise this interface's network on the other OSPF-enabled interfaces.
 In OSPF, the network command has to be used with a mask (a wildcard mask on IOS routers, a
normal subnet mask on the ASA, as in the example below). You can enable a major network, which
will enable OSPF on all interfaces with that major network including subnets. You also need to
specify the area that this/these networks belong to.
 You enable OSPF on all the directly connected interfaces.
router ospf 1
router-id 1.1.1.1
network 10.0.0.0 255.0.0.0 area 0
network 192.168.4.0 255.255.255.0 area 0

OSPF Authentication
 Authentication allows you to validate the updates are being sent from a trusted source.
 OSPF authentication can be done by using Clear Text Authentication or MD5.
 Clear Text authentication sends the password along with the Update. The password can be seen
if someone runs a sniffer on the network.
 MD5 hashes the password. It is the preferred mechanism for authentication. The password is
not sent in the clear.
 Both the authentication mode and the key are configured directly under the interface, on the
routers as well as on the ASA.
 You do have the ability to specify the authentication mode under the Routing process but the
key needs to be specified under the interface.
 This is applicable for both the Routers and the Firewall.

 Clear Text Authentication on the Routers
interface Ethernet0/0
ip ospf authentication
ip ospf authentication-key cisco123
 Clear Text Authentication on the ASA
interface GigabitEthernet0/0
ospf authentication
ospf authentication-key cisco123
Or
router ospf 1
area 0 authentication
interface GigabitEthernet0/0
ospf authentication-key cisco123
 MD5 Authentication on the Routers
interface Ethernet0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco123
Or
router ospf 1
area 0 authentication message-digest
interface Ethernet0/0
ip ospf message-digest-key 1 md5 cisco123
 MD5 Authentication on the ASA
interface GigabitEthernet0/0
ospf authentication message-digest
ospf message-digest-key 1 md5 cisco123

Lab Configuration
 This lab builds on the Previous Lab (EIGRP)
 Clear all routing configuration by using the “Clear configure router” command. Also, use the
“No router eigrp 100” command on the routers to disable EIGRP.
 Configure OSPF in process ID 1 on all the routers.
 Make sure all 10.X.X.X networks are reachable from the ASA. Use Area 0 for all networks.
 Configure Clear Text Authentication using a key ID of 1 and Key string of cisco123 between the
ASA and R3.
 Configure MD5 Authentication using a key ID of 1 and Key string of cisco555 between ASA and
R2.

Routing on the ASA – BGP


 You have the ability to run BGP on the ASA as well.
 BGP is the protocol used to exchange routes between your company and a remote company.
 It is generally run between ISPs, although some companies also use it to communicate with their
ISPs.
 The purpose of BGP is to advertise the internal routes that are directly connected or learnt via
an IGP to external neighbors.
 BGP is a Unicast based protocol. Each neighbor needs to be identified using an IP address and
the remote AS of the neighbor.
router bgp 100
neighbor 192.1.20.2 remote-as 200

 The network command in BGP is used to advertise internal networks.
 The network command can be used to advertise a major network without the mask, as BGP
recognizes the default mask, or with the mask for a subnet.
 The mask has to be specific. For example, network 10.0.0.0 will only advertise network
10.0.0.0/8, not 10.1.1.0/24. Network 10.1.1.0/24 requires the network command as network
10.1.1.0 mask 255.255.255.0.
 You configure BGP on the ASA using the following configuration:
router bgp 100
address-family ipv4 unicast

neighbor 192.1.20.2 remote-as 200
neighbor 192.1.20.2 activate
network 10.11.11.0 mask 255.255.255.0

BGP Authentication
 Authentication allows you to validate that the updates are being sent from a trusted source.
 BGP authentication can only be done by using MD5.
 Authentication is done on a Per-Neighbor Basis.

Configuring BGP Authentication

 Configuring BGP with Authentication on a Router
router bgp 200
neighbor 192.1.20.10 remote-as 100
neighbor 192.1.20.10 password cisco123
network 10.2.2.0 mask 255.255.255.0
network 199.1.1.0
network 200.1.1.0
 Configuring BGP with Authentication on an ASA
router bgp 100
address-family ipv4 unicast
neighbor 192.1.20.2 remote-as 200
neighbor 192.1.20.2 activate
neighbor 192.1.20.2 password cisco123

Configuring Redistribution
 The BGP Router would have learnt all the internal routes using an IGP. The routes you would like
to advertise to the external neighbor need to be redistributed into BGP. You can also
redistribute BGP into the IGP.
 Configuration for redistributing between BGP and OSPF is below:
router bgp 100
address-family ipv4 unicast
redistribute ospf 1
!
router ospf 1
redistribute bgp 100 subnets
Network Address Translation (NAT) – Overview
 IP address blocks are assigned to the ISPs by the Internet Assigned Numbers Authority (IANA).
 The ISP in turn will assign IP addresses to its clients, which could be individual users or
enterprises. They use these addresses to communicate with each other on the Internet. These
addresses are known as Public Addresses.
 The Internet has grown beyond anyone's expectations.
 As a result of the explosion of the Internet, the IP Addresses are getting depleted.
 To counter this concern, IANA reserved a certain set of addresses that can be used internally
within private networks.
 These addresses can be used for communications within a private network. They are defined in
a standards document called an RFC; the RFC for Private addresses is RFC 1918.
 These addresses cannot be used on the Internet. They are assigned within the Private network
and translated to a Public address when the device wants to communicate to the Internet.
Private IP Address & NAT
 The ISP assigns dynamic IP addresses to clients from a pool of addresses. When the client is not
using the address, it is returned to the pool and can be re-used by another client
that requires it at that moment.
 This allows you to use Public addresses more efficiently.
 If an individual has more devices in his premises like on a home network or office, the Private
addresses can be used internally. They are used when the devices want to communicate to each
other on the internal network.
 When an internal device wants to communicate to a device on the Internet, the Private address
is translated to the IP Address assigned to the individual or company by the ISP.
 This process is called Network Address Translation (NAT). Multiple internal devices can share the
same Public IP address on the Internet. This conserves IP addresses by assigning
a single address to a whole set of internal addresses.

NAT Classifications
 When we translate Our Address (Private – To – Public or Public – To – Private), it is known as
Inside NAT or Source NAT. This is the most common type of NAT. Generally we are translating
our Private address to our ISP assigned Public address when the packet is going from Inside to
Outside and we translate our Public address to the corresponding Private address when the
packet coming in from Outside to Inside.
 When we translate the Remote address on our Network, (Private – To – Public or Public – To –
Private), it is known as Outside NAT or Destination NAT. Generally we are NOT translating the
remote address on our internal networks.
 Another way of classifying NAT is by whether NAT is done based on simple IP – to – IP
translations or by involving Port numbers.
 If we configure NAT in a way that it only uses IP – To – IP translations, it is known as Network
Address Translation (NAT).
 If we configure NAT in a way that it uses a port number in addition to an IP address to perform the
translation, it is known as Port Address Translation (PAT) or NAT overload. This is done when
you have a small number of public addresses compared to the number of internal devices that need to be
translated.
 Another way of classifying NAT is by whether NAT entries are created manually or they are
created when a flow requires it to be created.
 When we have internal devices going out to the Internet, we can define a pool of addresses that
can be used on the Public Network. When an internal device initiates a connection to the outside,
the firewall dynamically picks an address from the pool of Public addresses and creates an
entry in the translation table. This is known as Dynamic NAT. It is generally used for traffic
initiated from Inside to Outside.
 If we want translation to be done in a manner that our devices are always translated to the
same address, we configure a manual entry in the Translation Table. This is known as Static NAT.
This is generally done for our Public facing devices like our Public Servers or Devices.
Main NAT Types
 Let’s take a look at the popular NAT Types:
• Dynamic NAT
• Static NAT
• Dynamic PAT
• Static PAT

Dynamic NAT Overview
 Translates Private IPs to Public IPs to conserve Public Internet IP address space.
 In Dynamic NAT, you create a pool of Public IPs.
 You link it to the internal addresses that can use the pool of Public IPs.
 When an internal device tries to go out, the firewall picks an unused IP address from the pool and
translates the source to it.
 It keeps the translation in a table known as the Translation table.
 When the packet returns, the destination gets untranslated back to the original IP and is sent
back to the original device.
 It is generally configured to allow internal devices going towards the Internet.
 This type of NAT is used when clients on the inside initiate a connection towards a device on the
Internet.
 In this type of NAT, your Internal private address gets changed to your public address.
 You configure a Pool of Addresses on your NAT device. This pool consists of Public IP Addresses
that are assigned by the ISP to your company.
 As a packet tries to go from your internal network towards the Internet, the NAT device will
translate the internal private address to an address from the pool of Public addresses configured
on the NAT device.
 The translation between the Private and Public address will be stored in the Translation table of
the NAT Device so that the return traffic can be translated back to the original IP and forwarded
to the internal device. This entry will be created dynamically at the time the connection is made.
 The entry will stay in the translation table for a configurable amount of idle time, after which the
translation entry is removed and the address is returned to the pool.
 The internal device is not aware that the NAT process has taken place.
Dynamic NAT Process
 Dynamic NAT requires you to create a Pool of Public addresses on the NAT device, in our case
the ASA Firewall.
 You need to specify the internal addresses that are allowed to use the POOL.
 You also need to specify which interface is the internal interface and which interface is the
external interface.
 When a packet is received on the Internal Interface, it checks the routing table to determine the
exit interface. If the exit interface matches the external interface for NAT, it will initiate the NAT
process.
 It will check the source address to determine if there is an external pool linked to it.
 If it matches, the firewall will create an entry in the translation table and change the source
address of the packet and forward it out.
 When the packet returns, the NAT process will check the destination address of the packet.
 If it matches an address in the translation table, it will change the Destination address of the
packet and forward it to the Internal interface.
 In this NAT, we changed the Source IP of the packet going from Inside to Outside. The Source IP
was our Private IP Address. We changed it to a corresponding Public address from our allocated
range.
 On the return packet, we change the Destination IP of the packet. The Destination IP was our
Public IP address that was used to translate our internal IP on the Public Internet.
 In either direction, OUR IP was translated. This is known as Source NAT.
 As the address was dynamically selected from a Pool of Public addresses, it is also known as
Dynamic NAT.

Configuration Commands
 Dynamic NAT configuration on the ASA Firewall involves 2 steps.
 Step 1: In this step, we define a pool of Public addresses assigned to us by the ISP.
Syntax:
object network [POOL NAME]
range [Start Address] [End Address]
 Step 2: In this step, we link the pool to an internal subnet. We also specify the interfaces
involved in the translation.
Syntax:
object network [NAME]
subnet [Network] [Mask]
nat (HIGH INT NAME,LOW INT NAME) dynamic [POOL NAME]

Static NAT Overview
 Translates Private IPs to Public IPs to conserve Public Internet IP address space.
 In Static NAT, you manually create an entry in the translation table, whereas in Dynamic NAT a
user initiates a flow for an entry to be created.
 Static NAT is generally used to translate the Public-facing servers on the DMZ. The reason for
that is that clients from the Internet need a fixed IP address to send their requests to.
 Although you have translated your servers for the Internet users, at this point they will not be
able to access the servers. You still need to take care of the traffic flow.
 From Outside to Inside, the firewall in 9.x translates the flow before checking the ACL.
 This type of NAT is used when internal devices require a fixed address on the internet.
 Generally this is in the case of the company’s public devices/servers that need to be accessed
from the Internet by clients.
 You configure the mapping between the internal IP to its corresponding public IP manually on
the router.
 Unlike Dynamic NAT, where the entry in the translation table is created when the client initiates
the connection, Static NAT entries are created immediately.
 The reason for this is that the entry needs to be present in the translation table at the time the
Internet-based client initiates a connection towards your Public Server.
 If the server needs to initiate a flow towards the Internet, it will also use the same translation.
Static NAT Process
 Static NAT changes your Internal address to a public address statically.
 This type of connection can be initiated from either inside or outside.
 In this type of connection, the Source Address of a packet is changed from Inside to Outside and
the Destination of a packet is changed from Outside to Inside.
 In the “IN - To – OUT” direction, your Private address changes to your Public address. In the
“OUT - To – IN” direction, your Public address changes to your Private address. In other words,
in both directions, YOUR Internal address changes.
 This type of connection is generally used for connecting Clients on the Internet to YOUR public
facing servers.
 The Server could also initiate a connection towards the internet using the same static Public IP
Address.
 The access is still controlled by the ACLs for traffic coming in from a Low Interface towards a
High Interface.
 In terms of the processing, the NAT Process takes place first for a packet coming in from the
Outside. It changes the address to the private address.
 The ACL entries need to point to the Private Address.

Configuration Commands
 Static NAT configuration on the ASA Firewall is configured as follows:
Syntax:
object network [NAME]
host [HIGH IP]
nat (HIGH INT NAME,LOW INT NAME) static [LOW IP]
- High IP – This is the Private IP that is seen on the Internal Interface.
- High Interface Name – This is the name of the interface that the Private IP resides on.
- Low IP – This is the corresponding Public IP that is seen on the External Interface.
- Low Interface Name – This is the name of the interface that the Public IP resides on.
Example:
object network WWW1
host 192.168.3.11
nat (DMZ-3,OUTSIDE) static 192.1.20.21
Destination NAT Overview
 Generally, when we configure NAT, we are translating OUR address.
 When the traffic is going from the Internal/DMZ interfaces towards the Public Internet, OUR
Private address is translated to OUR corresponding Public address.
 When the traffic is coming into our Internal Networks (Inside/DMZ), OUR Public is translated to
OUR corresponding Private Address.
 In either case, OUR address is translated. This is called Source NAT.
 99% of the time you are translating OUR address.
 You do have the ability to translate a Remote device on the Local network. If you translate the
REMOTE device on the local network, it is called Destination NAT. It is generally not required.
 One of the common use cases for Destination NAT is when a local non-routable device needs
to communicate with a remote device. You can translate the remote device's Public IP to a local
IP.
 Destination NAT is translating the REMOTE address.
Destination NAT Process
 Let’s take a look at an example. We have a Mainframe device on the DMZ-3 segment that is a
non-routable device. There is a remote Mainframe with a Public IP of 199.1.1.1.
 We would like it to communicate with the non-routable local Mainframe device.
 We will configure the firewall to translate a packet received on the Outside interface with a
Source Address of 199.1.1.1 to a local unused address on the DMZ-3 segment (192.168.3.99).
Our Mainframe would have been translated to a Public address, let’s say 192.1.20.25.
 The packet comes in with a Source of 199.1.1.1 and a Destination of 192.1.20.25.
 The firewall will translate the Source from 199.1.1.1 to 192.168.3.99 (Destination NAT). The
firewall will also translate the Destination from 192.1.20.25 to its Private IP.
 This can be accomplished by either using 2 Object NAT configurations or a Single Policy NAT
statement.
Configuration Commands
 Option 1 – Destination NAT using Object NAT
Syntax:
object network [NAME]
host [Public IP of Remote Device]
nat (LOW INT,HIGH INT) static [Private IP]
 Example:
Source NAT
object network MF-LOCAL
host 192.168.3.65
nat (DMZ-3,Outside) static 192.1.20.25
Destination NAT
object network MF-REMOTE
host 199.1.1.1
nat (Outside,DMZ-3) static 192.168.3.99
 Option 2 – Destination NAT using Manual NAT/Twice NAT
 Create objects for each address that is going to be used in the NAT command.
Syntax:
object network [NAME]
host [IP]
Note: an object is created for each IP that will be used.
nat (HIGH INT,LOW INT) source static [Your IP] [Your Xlated IP] destination static [Remote Xlated IP] [Remote IP]
Note: the destination clause lists the translated (mapped) address first and the real address second, the reverse of the source clause, as the example shows.
 Example:
object network MF-LOCAL
host 192.168.3.65
!
object network MF-LOCAL-X
host 192.1.20.25
!
object network MF-REMOTE
host 199.1.1.1
!
object network MF-REMOTE-X
host 192.168.3.99
!
nat (DMZ-3,Outside) source static MF-LOCAL MF-LOCAL-X destination static MF-REMOTE-X MF-REMOTE
Static PAT
 This type of NAT is used when internal devices require a fixed address on the internet.
 Generally this is in the case of the company’s public devices/servers that need to be accessed
from the Internet by clients.
 Static PAT is used when you have a small number of public IP’s and you have more internal
servers/devices that need to be made available on the Internet.
 The uniqueness in the translation table is maintained by using an IP/Port combination.
 You configure this entry manually.
 The reason for this is that the entry needs to be present in the translation table at the time the
Internet-based client initiates a connection towards your Public Server.
Static PAT Process
 Static PAT changes your internal address and port to a public address and port statically.
 This type of connection can be initiated from either inside or outside.
 In this type of connection, the Source Address of a packet is changed from Inside to Outside and
the Destination of a packet is changed from Outside to Inside.
 In the “IN - To – OUT” direction, your Private address changes to your Public address. In the
“OUT - To – IN” direction, your Public address changes to your Private address. In other words,
in both directions, YOUR Internal address changes.
 This type of connection is generally used for connecting Clients on the Internet to YOUR public
facing servers.
 When you create a Static PAT entry on the firewall, you will use the same Public IP for multiple
Internal Devices.
 This is done by using the Port number in combination with the Public IP and specifying the
appropriate internal server to forward the packet to.
 This is also referred to as “Port Forwarding”. The port number does not change in this case.
 You also have the ability to keep a different public port number for a device and forward it by
changing the port number. This is known as “Port Redirection”.
 A more generic name for the above is Static PAT.
 The access is still controlled by the ACLs for traffic coming in from a Low Interface towards a
High Interface.
 In terms of the processing, the NAT Process takes place first for a packet coming in from the
Outside. It changes the address to the private address.
 The ACL entries need to point to the Private Address.
Configuration Commands
 Static PAT configuration on the ASA Firewall is configured as follows:
Syntax:
object network [NAME]
host [HIGH IP]
nat (HIGH INT NAME,LOW INT NAME) static [LOW IP] service [tcp/udp] [High Port #] [Low Port #]
- High IP – This is the Private IP that is seen on the Internal Interface.
- High Interface Name – This is the name of the interface that the Private IP resides on.
- High Port # – This is the actual (real) port number on the internal device.
- Low IP – This is the corresponding Public IP that is seen on the External Interface.
- Low Interface Name – This is the name of the interface that the Public IP resides on.
- Low Port # – This is the (mapped) port number that external users will use to reach this device. Generally they will match.
Example:
object network WWW2
host 192.168.4.11
nat (DMZ-4,OUTSIDE) static 192.1.20.5 service tcp 80 80
Dynamic PAT
 This type of NAT is used when clients on the inside initiate a connection towards a device on the
Internet.
 In this type of NAT, your Internal private address gets changed to your public address.
 Dynamic PAT is used when you have a small number of public IP’s and you have multiple
simultaneous connections.
 Dynamic PAT allows multiple clients from the internal network to go to the Internet using a single
Public IP.
 The uniqueness in the translation table is maintained by using an IP/Port combination.
 NAT device uses the client's randomly generated source port as the Port number in the
translation table.
 If there is already a translation using the same port number, the NAT device changes the
Source Port in the outgoing packet as well to make the translation unique.
 The internal device is not aware that the NAT process has taken place.
Dynamic PAT Process
 Dynamic PAT can either use a specified IP for PAT or it can use the Public IP Assigned to the
Outside Interface.
 You need to specify the internal addresses that are allowed to use PAT.
 You also need to specify which interface is the internal interface and which interface is the
external interface.
 When a packet is received on the Internal Interface, it checks the routing table to determine the
exit interface. If the exit interface matches the external interface for NAT, it will initiate the NAT
process.
 It will check the source address to determine if there is an external pool linked to it.
 If it matches, the firewall will create an entry in the translation table and change the source
address of the packet and forward it out. It will use the source Port number in the translation
table to make it unique.
 In case the port # is already being used, it will dynamically change the port number of the packet
as well and reflect it in the Xlation table.
 Let’s analyze the 3 flows in the Network Diagram.
 Let’s say that the device 10.1.1.5 wanted to communicate to a Web server (199.1.1.1) on the
outside. The client randomly used 15001 as the Source Port Number.
 The packet received by the firewall will look like the following:
|10.1.1.5 – 199.1.1.1 | 15001 – 80 | Data |
 The firewall will translate the IP 10.1.1.5 to the PAT IP (192.1.20.11).
|192.1.20.11 – 199.1.1.1 | 15001 – 80 | Data |
 It will leave the port number unchanged and create a translation table entry like the following:
|10.1.1.5 | 15001 | 192.1.20.11 | 15001 |
 Next, the device 10.1.1.6 communicates with a Web server (200.1.1.1) on the outside. The client
randomly used 19111 as the Source Port Number.
 The packet received by the firewall will look like the following:
|10.1.1.6 – 200.1.1.1 | 19111 – 80 | Data |
 The firewall will translate the IP 10.1.1.6 to the PAT IP (192.1.20.11).
|192.1.20.11 – 200.1.1.1 | 19111 – 80 | Data |
 It will leave the port number unchanged and create a translation table entry like the following:
|10.1.1.6 | 19111 | 192.1.20.11 | 19111 |
 Then the device 10.1.1.7 communicates with a Web server (200.1.1.1) on the outside. The client
randomly used 15001 as the Source Port Number.
 The packet received by the firewall will look like the following:
|10.1.1.7 – 200.1.1.1 | 15001 – 80 | Data |
 As the Xlation table already has an entry that is using 15001, it will change the port on the
packet and in the xlation table to a random number. It will map it in the xlation table to allow the
firewall to untranslate the return packet.
 The firewall will translate the IP 10.1.1.7 to the PAT IP (192.1.20.11) and the Source Port to an
unused random port.
 It will use the translated port number in the translation table.
|10.1.1.7 | 15001 | 192.1.20.11 | 30001 |
 The Outgoing packet will look like the following:
|192.1.20.11 – 200.1.1.1 | 30001 – 80 | Data |
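The three flows above, replayed as an added Python simulation that is not part of these notes or of the ASA: the PAT address 192.1.20.11 and the 10.1.1.0/24 inside subnet come from the text, the translation table keyed only on the mapped port is the simplified model the text uses, and the class and function names are my own. The collision on port 15001 pushes the third flow onto an unused port, and the return packet is untranslated from that entry.

```python
"""Constructed simulation of the Dynamic PAT process described in the notes.

Assumptions (my own, not ASA code): one PAT address for one inside subnet, and a
translation table keyed by the mapped port only, which is the simplified model
the text uses. The random port is drawn from a seeded generator so a run repeats.
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class DynamicPAT:
    """Translates inside sources to a single public IP and keeps the
    mapped port -> (real ip, real port) table so returns can be untranslated."""

    def __init__(self, inside_subnet: str, pat_ip: str, seed: int = 1):
        self.inside_net = ipaddress.ip_network(inside_subnet)
        self.pat_ip = pat_ip
        self.xlate = {}  # mapped port -> (real ip, real port)
        self.rng = random.Random(seed)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Outside: rewrite the source IP, and the source port only
        when the client's port is already taken in the table."""
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return pkt  # no NAT rule for this source: forwarded unchanged
        real = (pkt.src_ip, pkt.src_port)
        for mapped, owner in self.xlate.items():
            if owner == real:
                break  # existing entry: reuse its mapped port
        else:
            mapped = pkt.src_port
            if mapped in self.xlate:
                mapped = self._unused_port()  # collision: pick an unused port
            self.xlate[mapped] = real
        return Packet(self.pat_ip, pkt.dst_ip, mapped, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Outside -> Inside: look up the destination port; with no entry the
        packet has no translation and is dropped (None)."""
        real = self.xlate.get(pkt.dst_port)
        if pkt.dst_ip != self.pat_ip or real is None:
            return None
        return Packet(pkt.src_ip, real[0], pkt.src_port, real[1])

    def _unused_port(self) -> int:
        while True:
            port = self.rng.randint(1024, 65535)
            if port not in self.xlate:
                return port


def run_page_flows():
    """Replays the three flows from the notes; returns (pat, translated packets)."""
    pat = DynamicPAT("10.1.1.0/24", "192.1.20.11")
    flows = [
        Packet("10.1.1.5", "199.1.1.1", 15001, 80),
        Packet("10.1.1.6", "200.1.1.1", 19111, 80),
        Packet("10.1.1.7", "200.1.1.1", 15001, 80),  # same source port as 10.1.1.5
    ]
    return pat, [pat.outbound(p) for p in flows]


if __name__ == "__main__":
    pat, out = run_page_flows()
    for row in out:  # print the table in the notes' |real ip|real port|mapped ip|mapped port| layout
        real_ip, real_port = pat.xlate[row.src_port]
        print(f"|{real_ip} | {real_port} | {row.src_ip} | {row.src_port} |")
```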
Configuration Commands
 Dynamic PAT configuration can be done in multiple ways.
 Option # 1 : Using a specific IP for the translation.
 Step 1: In this step, we define an IP for the Dynamic PAT.
Syntax:
object network [IP Object Name]
host [X.X.X.X]
Note: the ASA knows to use PAT as soon as it sees a single IP for Dynamic NAT.
 Step 2: In this step, we link the IP to an internal subnet. We also specify the interfaces
involved in the translation.
Syntax:
object network [NAME]
subnet [Network] [Mask]
nat (HIGH INT NAME,LOW INT NAME) dynamic [IP Object Name]

 Option # 2 : Using the Outside Interface IP for the translation. This is commonly used when the site
does not have a dedicated static IP assigned to the company.
 Step 1 : In this step, we link the internal subnet to the outside interface. We also specify the
interfaces involved in the translation.
Syntax:
object network [NAME]
subnet [Network] [Mask]
nat (HIGH INT NAME,LOW INT NAME) dynamic interface
Policy NAT
 This type of NAT allows you to translate devices based on a flow rather than just the Source or
Destination IP Address.
 Normal Dynamic NAT will classify the NAT statement by comparing the Source Address of a
Packet going from Inside to Outside. It does not care about the destination that the packet is
going to.
 If you want NAT to translate by looking at the Source and Destination IP address combination to
execute the NAT statement, it is called Policy NAT.
 This type of NAT is also referred to as Manual NAT on the ASA.
 It is NOT done under the Object. This type of NAT is configured globally.

Policy NAT Process
 Just like the other NAT configurations, you need to specify which interface is the internal
interface and which interface is the external interface.
 When a packet is received on the Internal Interface, unlike normal NAT where it only checks the
Source IP, Policy NAT checks the Source and Destination IP against the NAT configuration.
 The NAT configuration will need to specify the Source and Destination IP that define the flow
and the corresponding translated addresses.
 Policy NAT allows you to translate both the Source and Destination addresses using the same
statement. It is also referred to as Twice-NAT or Manual NAT.
Configuration Commands
 Policy NAT configuration on the ASA Firewall requires you to create objects for all IPs that are
going to be used in the NAT statement.
Syntax:
object network [NAME]
host [X.X.X.X]
 Once the objects are created for each address, you will use them in the NAT statement. The
NAT statement is configured in Global Configuration Mode.
Syntax:
nat (HIGH INT,LOW INT) source static [Your IP] [Your Xlated IP] destination static [Remote Xlated IP] [Remote IP]
Note: the destination clause lists the translated (mapped) address first and the real address second, the reverse of the source clause.
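The mainframe Destination NAT example and the Policy NAT lookup above, as an added Python model that is not part of these notes or of the ASA: the rule classes and function names are my own, while the addresses, interface names and object names are the ones in the text. It shows why Policy NAT is "flow based": the single twice-NAT rule translates only when source and destination match together, whereas the two object NAT rules each act on one address alone.

```python
"""Constructed model of the Destination NAT / Policy (twice) NAT lookup described
in these notes. Not ASA code: the rule classes and function names are my own; the
addresses, interface names and object names are taken from the text."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class ObjectNatRule:
    """object network X / host real_ip / nat (real_ifc,mapped_ifc) static mapped_ip.
    Matches on that one address alone and never looks at the other end of the flow."""
    real_ifc: str
    mapped_ifc: str
    real_ip: str
    mapped_ip: str

    def translate(self, pkt: Packet, in_ifc: str) -> Optional[Packet]:
        if in_ifc == self.real_ifc and pkt.src_ip == self.real_ip:
            return Packet(self.mapped_ip, pkt.dst_ip)   # real -> mapped (source NAT)
        if in_ifc == self.mapped_ifc and pkt.dst_ip == self.mapped_ip:
            return Packet(pkt.src_ip, self.real_ip)     # mapped -> real (untranslate)
        return None


@dataclass(frozen=True)
class TwiceNatRule:
    """nat (real_ifc,mapped_ifc) source static src_real src_mapped
    destination static dst_mapped dst_real: matches source AND destination together."""
    real_ifc: str
    mapped_ifc: str
    src_real: str
    src_mapped: str
    dst_mapped: str   # how the remote host appears on the real (inside) interface
    dst_real: str     # the remote host's actual address on the mapped interface

    def translate(self, pkt: Packet, in_ifc: str) -> Optional[Packet]:
        if in_ifc == self.real_ifc and (pkt.src_ip, pkt.dst_ip) == (self.src_real, self.dst_mapped):
            return Packet(self.src_mapped, self.dst_real)     # DMZ-3 -> Outside
        if in_ifc == self.mapped_ifc and (pkt.src_ip, pkt.dst_ip) == (self.dst_real, self.src_mapped):
            return Packet(self.dst_mapped, self.src_real)     # Outside -> DMZ-3
        return None


# Option 1 from the notes: two object NAT rules, one per address.
OBJECT_RULES = [
    ObjectNatRule("DMZ-3", "Outside", "192.168.3.65", "192.1.20.25"),   # MF-LOCAL
    ObjectNatRule("Outside", "DMZ-3", "199.1.1.1", "192.168.3.99"),     # MF-REMOTE
]
# Option 2 from the notes: nat (DMZ-3,Outside) source static MF-LOCAL MF-LOCAL-X
# destination static MF-REMOTE-X MF-REMOTE
TWICE_RULE = TwiceNatRule("DMZ-3", "Outside", "192.168.3.65", "192.1.20.25",
                          "192.168.3.99", "199.1.1.1")


def apply_object_nat(pkt: Packet, in_ifc: str) -> Packet:
    """Each object rule is consulted for its own address; unmatched ends stay as-is."""
    for rule in OBJECT_RULES:
        out = rule.translate(pkt, in_ifc)
        if out is not None:
            pkt = out
    return pkt


def apply_twice_nat(pkt: Packet, in_ifc: str) -> Packet:
    """The single twice-NAT rule translates only when the whole flow matches."""
    out = TWICE_RULE.translate(pkt, in_ifc)
    return pkt if out is None else out


if __name__ == "__main__":
    inbound = Packet("199.1.1.1", "192.1.20.25")   # remote mainframe -> our public IP
    print(apply_object_nat(inbound, "Outside"), apply_twice_nat(inbound, "Outside"))
    other = Packet("203.0.113.7", "192.1.20.25")   # any other Internet host -> our public IP
    print(apply_object_nat(other, "Outside"), apply_twice_nat(other, "Outside"))
```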

Clustering
 Allows you to use multiple physical boxes as a single logical device.
 Both the boxes will be in a forwarding state.
 If one of them goes down, the other is still up.
 Clustering has 2 modes: Spanned Interface Mode and Individual Interface Mode.
 In the Spanned mode (recommended), the ASAs are connected to a switch. The switch sets up
a Port-channel and performs load balancing based on the Port-channel load balancing
technique. In this mode, the end devices can be connected on the same segment as the ASAs.
 In the Individual Interface mode, the ASAs connect to a segment that has a router. Each ASA runs a
routing protocol with the router on both sides. The routers on each side will learn the same
routes from all the ASAs with the same cost. The routing protocol will use ECMP to perform
load balancing. You cannot have end devices connected directly on the segment that has the
ASAs; they have to be behind the router.