A Cisco ASA Q&A Session

Sometimes questions come up in classes that may not be covered in the course material. We thought we’d take this opportunity to share four recent questions from a Cisco ASA course with you here:

  1. Question: In the new NAT, when do you use Auto NAT vs. Manual NAT?
     Answer: As of ASA 8.3 code, Cisco has updated Network Address Translation (NAT). In this newer version of NAT, there are now two different choices for configuring NAT: Auto (Object) NAT and Manual (Twice) NAT. Auto NAT is useful for configuring Dynamic NAT, Static NAT, and Dynamic PAT. Manual NAT is intended for more complex NAT configurations, including Policy NAT, Outside NAT, Static PAT, and NAT Exemption.
  2. Question: Can the ASA firewall act as a multicast rendezvous point?
     Answer: The ASA can participate in both Stub Multicast routing and PIM multicast routing. When participating in stub multicast routing, the ASA forwards IGMP messages to an upstream multicast router, which sets up delivery of the multicast data. If configured for stub multicast routing, the ASA cannot be configured for PIM. When configured for PIM multicast routing, the ASA can be configured as the rendezvous point of the shared multicast tree.
  3. Question: What is Reverse Route Injection?
     Answer: Reverse Route Injection (RRI) on the ASA is a feature that can be useful in both remote access and site-to-site VPNs. For remote access VPNs, a company may have multiple VPN entry points to its network via ASA firewalls. In such a case, internal routers will need to be informed of the best pathway (firewall) back to the VPN client. With RRI enabled, the ASA will place static A.B.C.D/32 entries in its own route table when an address is handed out to a remote access client. These addresses are automatically added to and removed from the ASA route table as clients connect and disconnect. Because the ASA has full support for all three major IGP protocols, EIGRP, OSPF, and RIP, those routes can then be redistributed into the IGP and pave the way for return traffic to reach the VPN client.
  4. Question: In transparent firewall mode, why does each Bridged Virtual Interface require its own IP address?
     Answer: In ASA 8.4 code, Cisco made a change in the way it implements Transparent Firewall mode. In the past, this mode was limited to using only two interfaces per context in multi-mode or two interfaces total in single mode. That limitation has been removed, and you now have the ability to create up to eight Bridged Virtual Interfaces (BVI), each of which can support up to four physical interfaces. During configuration, you are required to configure an IP address for each BVI. Unlike other layer 2 devices, the ASA does NOT flood frames of unknown unicast traffic. Instead, Cisco uses the BVI address to send a ping to the L3 address in hopes of discovering MAC information related to unknown addresses. It is therefore essential that each BVI has its own IP address to be used in discovering unknown unicast addresses.
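As an added illustration of the first answer (this is not configuration from the original Q&A; object names and the RFC 5737 / RFC 1918 addresses are constructed), here are the two NAT styles side by side on an 8.3+ ASA: Auto NAT for the everyday dynamic PAT and static mappings, and Manual NAT for the NAT exemption that keeps inside-to-VPN-client traffic untranslated, followed by the checks used to confirm which rule a flow actually hits.

```cisco
! --- Auto (Object) NAT: the translation is attached to the network object ---
! Dynamic PAT: every host in 10.1.1.0/24 shares the outside interface address.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Static NAT: one-to-one mapping for a single server
! (203.0.113.10 is a documentation-range placeholder, not a real address).
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! --- Manual (Twice) NAT: source and destination are matched together ---
! NAT exemption: traffic from the inside network to the remote-access VPN
! pool must keep its real addresses, so the same object is named twice as
! real and mapped (an identity translation). Manual NAT rules are section 1
! and are evaluated before every Auto NAT rule (section 2), so this rule
! wins over the dynamic PAT above for this source/destination pair.
! (Adding the "after-auto" keyword would instead place a manual rule in
! section 3, evaluated only after Auto NAT.)
object network VPN-POOL
 subnet 192.168.100.0 255.255.255.0
!
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL
!
! --- Verification (privileged EXEC, not configuration mode) ---
! Shows the rules by section in evaluation order, with translate_hits and
! untranslate_hits so a rule that never matches stands out.
show nat
! Traces a constructed inside host -> VPN client flow and reports which NAT
! rule matched; an unexpected dynamic PAT here is the classic cause of
! "one-way" VPN traffic and means the exemption rule is missing or misordered.
packet-tracer input inside tcp 10.1.1.5 12345 192.168.100.5 443
```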

Related Courses
ASA e-Camp
ASAE v2.0 – ASA Essentials v2.0
ASACAMP – ASA Lab Camp
