
Page 1: ASA Essentials (Part 1).pdf

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1

ASA Firewall Essentials

July, 2012

Bogdan Doinea

Assoc. Technical Manager

CEE&RCIS

Cisco Networking Academy

Page 2: ASA Essentials (Part 1).pdf


Introduction to the ASA Firewall

The ASA Operating System

ASA Firewall Configuration

ASA Remote Access

Technical Demo

Page 3: ASA Essentials (Part 1).pdf


• Adaptive Security Appliance: Cisco’s lead dedicated firewall solution (an all-in-one solution)

Firewall

VPN concentrator

IPS

• Advanced features

Virtual firewalling

Transparent/routed mode

High availability

Advanced threat control (AIP-SSM, AIP-SSC modules)

Identity firewall

Page 4: ASA Essentials (Part 1).pdf

Page 5: ASA Essentials (Part 1).pdf

• Also monitors the state of connections

Initiation, data transfer, termination

• Can detect abnormal connection behavior that might indicate attacks or exploits.

Page 6: ASA Essentials (Part 1).pdf


Figure: the ASA’s three interfaces E0/1, E0/2 and E0/3, named “inside” (security level 100), “DMZ” (security level 50) and “outside” (security level 0, facing the Internet).

• Only certain connections get inspected

• The administrator configures the levels of security for each interface

Page 7: ASA Essentials (Part 1).pdf


1. The packet is received on the inside interface. The inbound ACL is applied and, if NAT is configured, the inside NAT operation is done.

2. The ASA randomizes the initial sequence number (ISN) of the connection. The ASA creates a state object in memory retaining the layer 3 and layer 4 information from the packet. The connection is marked as embryonic.

3. The packet comes back on the outside interface. Inbound ACLs are applied*. The state table is checked for a state object that matches the information contained in the returning packet; if no match is found, the packet is dropped.

* If the packet is permitted by the ACL, the state table is not checked (the next step below does not apply).

4. The ASA checks the ACK number in the packet relative to the sequence number that was overwritten in step 2. If the packet is legitimate, the ASA sets the ACK to ISN+1 to match the TCP information on the host.

5. The host responds with an ACK. The ACK number is not randomized. The connection is changed to active/established and the embryonic counter is reset for that state object.
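The five steps above describe a small state machine. What follows is an added toy model in Python; it is not Cisco code and not from the slides, and it is chosen over ASA CLI because the behaviour, not the configuration syntax, is the point here. It walks one TCP handshake through the steps: the inside SYN gets a randomized ISN and an embryonic state object, the returning SYN-ACK is matched against the state table and must acknowledge the randomized ISN before its ACK is rewritten to the host’s ISN+1, and the host’s final ACK, whose number is left untouched, moves the connection to established. Addresses, ports and sequence numbers are constructed, and keying the state table on the inside host’s 4-tuple is an assumption of the model, not a statement about the ASA’s internal data structures.

```python
# Toy model of the five-step connection setup described above. Added
# illustration, not Cisco code: the real state table, ACL and NAT handling
# are far richer. All addresses and sequence numbers are constructed.
import random
from dataclasses import dataclass, replace

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


@dataclass
class StateObject:
    """Layer 3/4 state kept for one connection (step 2)."""
    host_isn: int   # ISN chosen by the inside host
    wire_isn: int   # randomized ISN the ASA sent toward the outside
    state: str = "embryonic"

    @property
    def delta(self) -> int:
        return (self.wire_isn - self.host_isn) & MASK


class ToyAsa:
    def __init__(self, rng=None):
        self.rng = rng or random.Random()
        self.table = {}          # inside host's 4-tuple -> StateObject (assumption)
        self.embryonic_count = 0

    @staticmethod
    def _key(pkt, from_outside=False):
        if from_outside:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def from_inside(self, pkt):
        """Steps 1, 2 and 5: a packet received on the inside interface.
        Returns the packet as forwarded to the outside, or None if dropped."""
        key = self._key(pkt)
        if pkt.flags == "SYN":
            # step 2: randomize the ISN, create the state object, mark embryonic
            so = StateObject(host_isn=pkt.seq, wire_isn=self.rng.getrandbits(32))
            self.table[key] = so
            self.embryonic_count += 1
            return replace(pkt, seq=so.wire_isn)
        so = self.table.get(key)
        if so is None:
            return None  # no state object for this flow
        if pkt.flags == "ACK" and so.state == "embryonic":
            # step 5: the host's ACK completes the handshake; its ACK number is
            # not touched and the connection becomes established
            so.state = "established"
            self.embryonic_count -= 1
        # the host's sequence numbers stay shifted by the same delta afterwards
        return replace(pkt, seq=(pkt.seq + so.delta) & MASK)

    def from_outside(self, pkt):
        """Steps 3 and 4: a packet received on the outside interface.
        Returns the packet as forwarded to the inside host, or None if dropped."""
        so = self.table.get(self._key(pkt, from_outside=True))
        if so is None:
            return None  # step 3: no matching state object -> drop
        if pkt.flags == "SYN-ACK":
            # step 4: the ACK must acknowledge the randomized ISN ...
            if pkt.ack != (so.wire_isn + 1) & MASK:
                return None  # not legitimate -> drop
            # ... and is rewritten to host ISN + 1 so the host's TCP stack agrees
            return replace(pkt, ack=(so.host_isn + 1) & MASK)
        return replace(pkt, ack=(pkt.ack - so.delta) & MASK)


def run_handshake(asa, host_isn=1000, server_isn=5000):
    """Drive one three-way handshake through the toy ASA; return what each side saw."""
    syn = Packet("10.10.0.5", 40000, "203.0.113.9", 80, "SYN", seq=host_isn)
    syn_wire = asa.from_inside(syn)
    syn_ack = Packet("203.0.113.9", 80, "10.10.0.5", 40000, "SYN-ACK",
                     seq=server_isn, ack=(syn_wire.seq + 1) & MASK)
    syn_ack_host = asa.from_outside(syn_ack)
    ack = Packet("10.10.0.5", 40000, "203.0.113.9", 80, "ACK",
                 seq=host_isn + 1, ack=server_isn + 1)
    ack_wire = asa.from_inside(ack)
    return {"wire_isn": syn_wire.seq, "host_sees_ack": syn_ack_host.ack,
            "server_sees_seq": ack_wire.seq, "server_sees_ack": ack_wire.ack,
            "state": asa.table[("10.10.0.5", 40000, "203.0.113.9", 80)].state,
            "embryonic": asa.embryonic_count}


if __name__ == "__main__":
    print(run_handshake(ToyAsa()))
```

Running the file prints the handshake summary for one connection. The wire_isn value changes on every run because the model draws a fresh random ISN, which is what the randomization buys the defender: a party on the outside that never saw the ASA’s SYN cannot produce the ACK that step 4 demands, so a spoofed SYN-ACK is dropped before it reaches the host.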

Page 8: ASA Essentials (Part 1).pdf


• Routed mode

the ASA is a layer 3 device

all the ASA features and capabilities are active

• Transparent mode

the ASA is a layer 2 device (works with VLANs instead of IP subnets)

can have a global IP used for remote management

is invisible to any attacker coming from the Internet

some functionalities are disabled: routing protocols, VPNs, QoS, DHCP relay

Page 9: ASA Essentials (Part 1).pdf


• A series of LEDs

Speed and link activity LEDs

Power LED

Status LED

Active LED

VPN LED

Security Services Card (SSC) LED

Page 10: ASA Essentials (Part 1).pdf


• An 8-port 10/100 Fast Ethernet switch.

• Three USB ports.

• One Security Service Card (SSC) slot for expansion. The slot can be used to add the Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC).

Page 11: ASA Essentials (Part 1).pdf

Page 12: ASA Essentials (Part 1).pdf

• Same modular structure as IOS

Unprivileged mode: limited rights

Privileged mode: generally used for show commands

Global configuration: used for “general” configurations (e.g. password for privileged mode, static routes, banners, hostname configuration etc.)

Configuration sub-modes: used for advanced configurations of specific features (firewall, VPN, routing protocols etc.)

• Same help system

ciscoasa> ?

enable Turn on privileged commands

ciscoasa>
ciscoasa#
ciscoasa(config)#
ciscoasa(config-if)#

Page 13: ASA Essentials (Part 1).pdf


• The default password is …? CR + LF

ciscoasa> enable 15
Password:
ciscoasa# configure terminal
ciscoasa(config)# interface fa0/1
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa# exit
ciscoasa>

Page 14: ASA Essentials (Part 1).pdf


ciscoasa > ?

enable Turn on privileged commands

exit Exit the current command mode

login Log in as a particular user

logout Exit from current user profile to unprivileged mode

perfmon Change or view performance monitoring options

ping Test connectivity from specified interface to an IP address

quit Exit the current command mode

ciscoasa > help enable

USAGE:

enable [<priv_level>]

DESCRIPTION:

enable Turn on privileged commands

Page 15: ASA Essentials (Part 1).pdf


• First we delete…

Figure: deleting configurations; running-config (RAM) and startup-config (Flash)

ciscoasa# clear configure all

ciscoasa# write erase

Page 16: ASA Essentials (Part 1).pdf


• Then we save!

Figure: saving the configuration; running-config (RAM) to startup-config (Flash)

ciscoasa# copy running startup
ciscoasa# write mem
ciscoasa# wr

ciscoasa# show running

ciscoasa# show startup

Page 17: ASA Essentials (Part 1).pdf


• The clear configure command doesn’t exist in IOS (on routers and switches)

• Enables the specific deletion of configurations in RAM

ciscoasa(config)# show running-config | include isakmp
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

ciscoasa(config)# clear configure isakmp
ciscoasa(config)# show running-config | include isakmp

Page 18: ASA Essentials (Part 1).pdf


• Configuring a hostname

• Configuring a password for the telnet line

• Configuring a password for privileged mode. How did we configure this on a router?

ciscoasa(config)# hostname ipd
ipd(config)#

ipd(config)# passwd cisco

ipd(config)# enable password cisco
ipd# sh run | i pass
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

Page 19: ASA Essentials (Part 1).pdf


• In order to pass traffic between 2 interfaces, levels of security need to be defined for each interface.

• Security levels represent the simplest stateful firewall model that the ASA offers.

• Packets get inspected by the firewall engine when they traverse from a higher security level interface to a lower security level interface.

• Packets that try to pass from a lower security interface to a higher security interface, without having a stateful object related to them in the memory of the ASA, will get dropped by default.

• Besides security levels, every ASA interface needs a “name”. This “name” is referred to in all commands that use this interface.

Page 20: ASA Essentials (Part 1).pdf


• Configuring security levels is done from (config-if)#

Figure: the same three-interface topology (“inside” 100, “DMZ” 50, “outside” 0 facing the Internet; E0/1, E0/2, E0/3).

Page 21: ASA Essentials (Part 1).pdf


• An ASA interface that has no name or security level does not have L3 connectivity

Figure: the same three-interface topology (“inside” 100, “DMZ” 50, “outside” 0 facing the Internet; E0/1, E0/2, E0/3).

ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

Page 22: ASA Essentials (Part 1).pdf


• Can be configured using the security-level command

Figure: the same three-interface topology (“inside” 100, “DMZ” 50, “outside” 0 facing the Internet; E0/1, E0/2, E0/3).

ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# no shutdown
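The two configuration slides above and the security-level rules from the “security levels” slide fit together in one small model. The following Python is an added example, not Cisco code and not from the slides: it parses interface blocks written in the show running-config style used here (nameif, security-level, ip address, no shutdown), applies the default that nameif assigns (100 for “inside”, 0 for any other name, as the INFO lines show), reports which interfaces have L3 connectivity, and evaluates the default treatment of a flow between two named interfaces: higher to lower is inspected and permitted, lower to higher is dropped unless a state object exists. The sample config is constructed, and treating equal security levels as “not higher” is the model’s own simplification; this page does not cover that case.

```python
# Added example (not Cisco code): parse ASA-style interface blocks and apply
# the default security-level policy described on these slides.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Interface:
    name: Optional[str] = None            # set by nameif
    security_level: Optional[int] = None  # 0..100
    ip: Optional[str] = None
    enabled: bool = False                 # "no shutdown"


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Parse 'interface ...' blocks in show running-config style (constructed input)."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "interface":
            current = ifaces.setdefault(tokens[1], Interface())
        elif current is None:
            continue  # not inside an interface block
        elif tokens[0] == "nameif":
            current.name = tokens[1]
            if current.security_level is None:
                # default assigned by nameif: "inside" -> 100, anything else -> 0
                current.security_level = 100 if tokens[1] == "inside" else 0
        elif tokens[0] == "security-level":
            current.security_level = int(tokens[1])
        elif tokens[:2] == ["ip", "address"]:
            current.ip = tokens[2]
        elif tokens == ["no", "shutdown"]:
            current.enabled = True
        elif tokens == ["shutdown"]:
            current.enabled = False
    return ifaces


def has_l3_connectivity(iface: Interface) -> bool:
    """An interface with no name or security level has no L3 connectivity."""
    return (iface.name is not None and iface.security_level is not None
            and iface.ip is not None and iface.enabled)


def default_action(ifaces: Dict[str, Interface], src_name: str, dst_name: str,
                   has_state: bool = False) -> str:
    """Default treatment of a flow entering on src_name and leaving on dst_name."""
    by_name = {i.name: i for i in ifaces.values() if i.name}
    src, dst = by_name[src_name], by_name[dst_name]
    if src.security_level > dst.security_level:
        return "inspect-and-permit"   # higher -> lower: stateful inspection
    if has_state:
        return "permit-by-state"      # return traffic matching a state object
    return "drop"                     # lower (or equal, in this model) -> higher, no state


# Constructed sample: E0/0 has no nameif, E0/1 relies on the nameif default.
IFACE_CONFIG = """\
interface Ethernet0/0
 no shutdown
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 no shutdown
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0
 no shutdown
"""

if __name__ == "__main__":
    ifs = parse_interfaces(IFACE_CONFIG)
    for port, i in ifs.items():
        print(f"{port:14} {str(i.name):8} {str(i.security_level):4} L3={has_l3_connectivity(i)}")
    print("inside->outside:", default_action(ifs, "inside", "outside"))
    print("outside->inside:", default_action(ifs, "outside", "inside"))
    print("outside->inside (state):", default_action(ifs, "outside", "inside", has_state=True))
```

The gotcha the DMZ slide shows is visible in the parser: a DMZ interface whose operator forgets security-level ends up at 0, the same level as outside, so the DMZ would not be treated as more trusted than the Internet. Reviewing a config for nameif lines without an explicit security-level is a cheap check.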

Page 23: ASA Essentials (Part 1).pdf


• By default access is not allowed

• If no password is set, by default it’s “cisco”

• Access through telnet on the outside interface (security-level 0) is not permitted unless the telnet connection is coming through an IPSec tunnel

• Monitoring connections

ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside
ciscoasa(config)# telnet timeout 10
ciscoasa(config)# passwd cisco123

ciscoasa# who
0: 10.10.0.132
ciscoasa# kill 0
ciscoasa# who

Page 24: ASA Essentials (Part 1).pdf


• Permitted on any interface

• Step 1: generate the keys

• Step 2: activate SSH

• By default, the user is “pix” and the password is the one configured with passwd

ciscoasa(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...

ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 10
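The telnet and SSH slides above express management access as “protocol, source network, mask, interface” lines, with access denied unless a line matches, and with telnet on a security-level-0 interface not permitted outside an IPsec tunnel. The following Python is an added example, not Cisco code and not from the slides: it parses such lines, answers whether a given source may reach the ASA over a given protocol on a given interface, and audits the configuration for the points a reviewer would raise from these two slides (telnet exposed on a level-0 interface, a rule open to any source, ssh enabled without ssh version 2). The configuration text, addresses and the security-level map passed to the audit are constructed.

```python
# Added example (not Cisco code): evaluate and audit telnet/ssh management
# access lines of the form "<telnet|ssh> <address> <mask> <interface>".
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[str, ipaddress.IPv4Network, str]  # (protocol, source network, interface)


def parse_mgmt_access(config: str) -> Tuple[List[Rule], bool]:
    """Return the telnet/ssh permit rules and whether 'ssh version 2' is configured."""
    rules, ssh_v2 = [], False
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ssh", "version"]:
            ssh_v2 = t[2] == "2"
        elif len(t) == 4 and t[0] in ("telnet", "ssh"):
            # address + dotted mask -> network; "timeout" lines have 3 tokens and are skipped
            net = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
            rules.append((t[0], net, t[3]))
    return rules, ssh_v2


def mgmt_allowed(rules: List[Rule], proto: str, src_ip: str, iface: str) -> bool:
    """By default access is not allowed; a line must match protocol, source and interface."""
    ip = ipaddress.ip_address(src_ip)
    return any(p == proto and i == iface and ip in net for p, net, i in rules)


def audit(config: str, security_levels: Dict[str, int]) -> List[str]:
    """Findings a reviewer would raise about the management-access lines."""
    rules, ssh_v2 = parse_mgmt_access(config)
    findings = []
    for proto, net, iface in rules:
        if proto == "telnet" and security_levels.get(iface) == 0:
            findings.append(f"telnet permitted on {iface} (security-level 0): "
                            "not permitted unless tunnelled over IPsec")
        if net.prefixlen == 0:
            findings.append(f"{proto} permitted from any source on {iface}")
    if any(p == "ssh" for p, _, _ in rules) and not ssh_v2:
        findings.append("ssh enabled without 'ssh version 2'")
    return findings


# Constructed sample in the form of the slides' commands.
MGMT_CONFIG = """\
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 10
ssh 141.85.37.0 255.255.255.0 outside
ssh version 2
ssh timeout 10
"""
LEVELS = {"inside": 100, "DMZ": 50, "outside": 0}  # constructed, as on the slides

if __name__ == "__main__":
    rules, v2 = parse_mgmt_access(MGMT_CONFIG)
    print("telnet from 10.10.0.132 on inside:", mgmt_allowed(rules, "telnet", "10.10.0.132", "inside"))
    print("telnet from 10.10.0.132 on outside:", mgmt_allowed(rules, "telnet", "10.10.0.132", "outside"))
    print("ssh from 141.85.37.20 on outside:", mgmt_allowed(rules, "ssh", "141.85.37.20", "outside"))
    print("findings:", audit(MGMT_CONFIG, LEVELS))
    print("findings (weak):", audit("telnet 0.0.0.0 0.0.0.0 outside\nssh 10.10.0.0 255.255.255.0 inside\n", LEVELS))
```

The address 10.10.0.132 is the one the who output on the telnet slide shows as session 0; the check confirms it is inside the permitted 10.10.0.0/24 on the inside interface and, just as importantly, that the same source is refused on any interface the line does not name.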

Page 25: ASA Essentials (Part 1).pdf


• Configuring a specific interface

• Name of the interface and security levels

asa1# show run interface E0/3
interface Ethernet0/3
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0

asa1# show nameif
Interface                Name      Security
GigabitEthernet0/0       outside   0
GigabitEthernet0/1       inside    100
GigabitEthernet0/2       dmz       50

Page 26: ASA Essentials (Part 1).pdf


• All the parameters of an interface

asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 0013.c482.2e4c, MTU 1500
        IP address 192.168.1.2, subnet mask 255.255.255.0
        8 packets input, 1078 bytes, 0 no buffer
        Received 8 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        input queue (curr/max blocks): hardware (8/0) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
  Traffic Statistics for "outside":
        8 packets input, 934 bytes
        0 packets output, 0 bytes
        8 packets dropped
      1 minute input rate 0 pkts/sec, 0 bytes/sec
      1 minute output rate 0 pkts/sec, 0 bytes/sec
      1 minute drop rate, 0 pkts/sec

Page 27: ASA Essentials (Part 1).pdf


• What command did we use in IOS to see the L2 and L3 status of interfaces in a "brief" output? show ip interface brief

• ASA does it slightly differently: show interface ip brief

ciscoasa(config)# sh int ip br
Interface        IP-Address    OK? Method Status Protocol
Ethernet0/0      192.168.1.1   YES manual up     up
Ethernet0/1      10.10.1.1     YES manual up     up

Page 28: ASA Essentials (Part 1).pdf


• IOS Q: can we run a show command from config mode? A: yes, using the argument “do” in front of the command

• We don’t have “do” in ASA OS, but … you can give show commands from anywhere in the OS

• There’s also the possibility of filtering output by using “|” and the arguments: “i”, “b”, “grep”

normal_cisco_router(config)# do show clock
*15:08:07.867 UTC Thu Feb 17 2011

ciscoasa(config-if)# sh clock
15:54:01.139 UTC Thu Feb 17 2011

Page 29: ASA Essentials (Part 1).pdf


Figure: demo topology. R1 (G0) connects to the ASA’s outside e0/0, and R2 (G1) connects to the ASA’s inside e0/0.

Page 30: ASA Essentials (Part 1).pdf

Thank you.