cisco asa firewall training

Upload: hassoun01

Post on 02-Jun-2018


  • 8/11/2019 CISCO ASA Firewall Training

    1/41

    REPORT OF SUMMER TRAINING

    CCNP SECURITY-ASA FIREWALL

    Prepared by: Hussein El-Hajj

    Presented for: Dr. Jamal Haydar

    Islamic University Of Lebanon

    Faculty of Engineering CCE, Fourth Year

    October 9, 2013


    Report of summer training CCNP SECURITY-ASA Firewall


    ACKNOWLEDGMENTS

    I would like to thank my university and especially our responsible, Dr. Jamal Haydar, for giving me the opportunity to work in such a great company.

    I would like to thank the staff of TerraNet for helping me improve my skills in networking. I would like to offer my special thanks to Mr. Hussein Majed (Cisco ASA Specialist) for helping me and giving me the information needed in this field.


    Table of contents:

    I. Introduction ........................................................................................................................... 4

    II. Firewall ............................................................................................................................... 5

    II.1. Definition ........................................................................................................................... 5

    II.2. Firewall techniques .............................................................................................................. 7

    II.3. Firewall Features ................................................................................................................. 7

    III. ASA Firewall ...................................................................................................................... 9

    III.1. ASA Features ..................................................................................................................... 9

    III.2. ASA Models ..................................................................................................................... 10

    IV. Virtual work environment and default inspection ....................................................... 13

    IV.1. Virtual work environment ................................................................................................ 13

    IV.1.1. GNS 3 ........................................................................................................................ 13

    IV.1.2. Virtual Box ................................................................................................................ 14

    IV.2. Default inspection ............................................................................................................ 18

    IV.2.1. Scenario 1 .................................................................................................................. 19

    V. Access rules and NAT rules ................................................................................................ 27

    V.1. Access rules ....................................................................................................................... 27

    V.1.1. Scenario 2 ................................................................................................................... 28

    V.2. Network Address Translation (NAT) ................................................................................ 32

    V.2.1. Difference between NAT and PAT ............................................................................ 32

    V.2.2. Scenario 3 ................................................................................................................... 34

    VI. Conclusion ........................................................................................................................ 39

    VII. References ........................................................................................................................ 40


    I. Introduction

    Founded in 1999, TerraNet launched a comprehensive range of leading Internet connectivity services and Web solutions. TerraNet designs, develops, and customizes a complete line of industry-leading, high-performance Internet services and solutions. TerraNet offers hosting and Web development services, customized Web solutions, wireless data, and other Internet technologies and applications that are redefining the country's communications around the power and potential of the Internet.

    My training was based on the CCNP Security course: we worked on the ASA firewall and learned its configuration and some of its features.

    In the first chapter we prepared the virtual environment to test and work on the ASA firewall using GNS3 and Oracle VirtualBox.

    In the second chapter we define the firewall, its functions and its features.

    In the third chapter we show the features and the types of ASA firewall, and we configure the default inspection on the firewall's interfaces.

    In the fifth chapter we define and configure access lists and the NAT and PAT rules, and we configure NAT rules on the interfaces.


    II. Firewall

    II.1. Definition

    A firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.

    Basically, a firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.

    There are a number of firewall screening methods. A simple one is to screen requests to make sure they come from acceptable (previously identified) domain names and Internet Protocol addresses. For mobile users, firewalls allow remote access into the private network by the use of secure logon procedures and authentication certificates.

    As a simple example, a small company decides to protect itself from the public Internet. The security domain forms where the company's network meets the Internet, and everything inside the company network resides within a secure boundary.

    Figure 1: A Simple Security Domain

    The most common and effective way to implement a security domain is to place a firewall at the boundary between the trusted and untrusted parts of a network. By definition, a firewall is a device that enforces an access control policy between two or more security domains. Firewalls have interfaces that connect into the network. In order for a firewall to do its job, all traffic that crosses a security domain boundary must pass through the firewall. In effect, a firewall becomes the only pathway or chokepoint to get in or out of the security domain.


    For the simple network shown in the figure above, a firewall would sit on the trust boundary and become the only path between Company A's internal trusted network and the untrusted public Internet.

    The firewall must be the only path into and out of the secured network. No other paths around the firewall or backdoors into the network behind the firewall can exist. The firewall can enforce security policies only on the traffic that passes through it, not around or behind it.

    The firewall itself must be hardened or made resistant to attack or compromise. Otherwise, malicious users on the untrusted side might take control of the firewall and alter its security policies.

    Now consider a different scenario. Company A is surrounded by a security domain at the Internet boundary. It wants to allow its internal, trusted users to connect to resources out on the public Internet through the Internet firewall. Company A also has some web servers that it wants to have face the public so that untrusted Internet users can interact with the business.

    If the web servers are located somewhere inside the security domain, then untrusted users would be granted access into the trusted environment. That isn't necessarily bad, except that malicious users might be able to attack or compromise one of the web servers. Because the web server is already a trusted resource, the malicious users might then use that server to attack other trusted resources. A better solution is to put the web servers into a security domain of their own, somewhere between the trusted internal network and the untrusted Internet. This is commonly called a demilitarized zone (DMZ).

    Figure 2: Using a Single Firewall to Form Multiple Security Domains


    II.2. Firewall techniques

    A firewall can take one of the following approaches to its access control:

    Permissive access control: All traffic is allowed to pass through unless it is explicitly blocked.

    Restrictive access control: No traffic is allowed to pass through unless it is explicitly allowed.

    II.3. Firewall Features

    A firewall can use its access control approach to evaluate and filter traffic based on the methods and techniques described in the following sections:

    Stateless Packet Filtering:

    Some firewalls examine traffic based solely on values found in a packet's header at the network or transport layer. Decisions to forward or block a packet are made on each packet independently. Therefore, the firewall has no concept of a connection state; it knows only whether each packet conforms to the security policies.

    Stateful Packet Filtering:

    Stateful packet filtering (SPF) requires that a firewall keep track of individual connections or sessions as packets are encountered. The firewall must maintain a state table for each active connection that is permitted, to verify that the pair of hosts is following an expected behavior as they communicate.

    Stateful Packet Filtering with Application Inspection and Control:

    To move beyond stateful packet filtering, firewalls must add additional analysis at the application layer. Inspection engines in the firewall reassemble UDP and TCP sessions and look inside the application layer protocols that are passing through. Application inspection and control (AIC) filtering, also known as deep packet inspection (DPI), can be performed based on the application protocol header and its contents, allowing greater visibility into a user's activity.

    Network Intrusion Prevention System:

    A network intrusion prevention system (NIPS) examines and analyzes network traffic and compares it to a database of known malicious activity. The database contains a large number of signatures or patterns that describe specific known attacks or exploits. As new attacks are discovered, new signatures are added to the database. In some cases, NIPS devices can detect malicious activity from single packets or atomic attacks. In other cases, groups or streams of packets must be collected, reassembled, and examined. A NIPS can also detect malicious activity based on packet and session rates, such as a denial-of-service TCP SYN flood, that differ significantly from normal activity on the network.


    Network Behavior Analysis:

    Network behavior analysis (NBA) systems examine network traffic over time to build statistical models of normal, baseline activity. This isn't a simple bandwidth or utilization average; rather, the models consider things like traffic volume, traffic rates, connection rates, and the types of application protocols that are normally used. An NBA system continually examines traffic and refines its models automatically, although human intervention is needed to tune the results.

    Application Layer Gateway (Proxy):

    An application layer gateway (ALG) or proxy is a device that acts as a gateway or intermediary between clients and servers. A client must send its application layer requests to the proxy, in place of any destination servers. The proxy masquerades as the client and relays the client's requests on to the actual servers. Once the servers answer the requests, the proxy evaluates the content and decides what to do with it. Because a proxy operates on application requests, it can filter traffic based on the IP addresses involved, the type of application request, and the content of any data that is returned from the server.


    III. ASA Firewall

    III.1. ASA Features

    Even further, the ASA has many features that go beyond the basic firewall techniques, giving it great versatility. A summary of the ASA features is presented in the following sections.

    Stateful packet filtering engine: The SPF engine tracks connections and their states, performing TCP normalization and conformity checks, as well as dynamic session negotiation.

    Application inspection and control: The AIC function analyzes application layer protocols to track their state and to make sure they conform to protocol standards.

    User-based access control: The ASA can perform inline user authentication followed by Cut-through Proxy, which controls the access that specific users are allowed to have. Once a user is authenticated, Cut-through Proxy also accelerates inspection of the user's traffic flows.

    Cryptographic Unified Communications (UC) proxy: When Cisco Unified Communications traffic must pass through an ASA, the ASA can be configured as an authorized UC proxy. The ASA can then terminate and relay cryptographically protected UC sessions between clients and servers.

    Denial-of-service prevention: An ASA can leverage traffic-control features like protocol normalization, traffic policing, and connection rate controls to minimize the effects of denial-of-service (DoS) attacks.

    Site-to-site VPNs: An ASA can support IPsec VPN connections between sites or enterprises. Site-to-site or LAN-to-LAN VPN connections are usually built between firewalls or routers at each location.

    Powerful Network Address Translation (NAT): As an ASA inspects and forwards packets, it can apply a rich set of NAT functions to alter source and destination addresses.

    And many other features.


    III.2. ASA Models

    The Cisco ASA family consists of seven different models:

    ASA 5505

    The ASA 5505 is the smallest model in the ASA lineup, in both physical size and performance. It is designed for small offices and home offices (SOHO). For a larger enterprise, the ASA 5505 is frequently used to support teleworkers in remote locations.

    Figure 3: ASA 5505

    ASA 5510, 5520, and 5540

    The ASA 5510, 5520, and 5540 models all use a common chassis and have identical front panel indicators and hardware connections.

    Figure 4: ASA 5520


    ASA 5550

    The ASA 5550 is designed to support large enterprises and service provider networks.

    Figure 5: ASA 5550

    ASA 5580

    The ASA 5580 is a high-performing model in the family and is designed for large enterprises, data centers, and large service providers.

    Figure 6: ASA 5580


    ASA 5585-X

    The ASA 5585-X is the highest-performing model in the family and is designed for large enterprises and mission critical data centers.

    Figure 7: ASA 5585-X


    IV. Virtual work environment and default inspection

    IV.1. Virtual work environment

    Since an ASA firewall was not available to us (because of its price, and because access to one requires high privileges), we used a simulation environment.

    The simulation needs two pieces of software: GNS3 and VirtualBox.

    IV.1.1. GNS 3

    GNS3 is a professional network simulation program capable of booting multiple images of various Cisco equipment (routers, switches, firewalls).

    Figure 8: GNS 3 interface

    To use the equipment we must first specify the appropriate Cisco image for each device.


    Figure 9: choosing the cisco image

    In the figure above, we used the ASA 8.4 image, which allows us to use the ASA firewall device in GNS3.

    IV.1.2. Virtual Box

    We need three different areas of interaction (inside, outside, DMZ), so we used three VirtualBox instances running Windows XP, acting as real networks in our simulation. VirtualBox is able to start these instances simultaneously.


    Figure 10: 3 instances in the Virtual Box

    In this figure we created three XP instances with predefined configurations that depend on the physical capabilities of the machine.

    Figure 11: use of three different instances


    After the startup of an instance we must install the ASDM. It's an application created by Cisco to organize and simplify the configuration of the ASA firewall from a GUI.

    To install the ASDM, an ASDM image must be installed on the ASA firewall; this file can be downloaded via a TFTP server.

    We used SuperPuTTY as the connection method to make the configurations on the ASA firewall: give the IP address and subnet mask to the interfaces and start the HTTP server used to allow the download of the ASDM application on the authorized hosts via the web browser.

    Figure 12: downloading the ASDM using the web browser

    After downloading the application we are now able to access the ASA firewall easily.


    Figure 13: access on the ASA firewall

    Figure 14 : configuration interface

    And now we have a simple interface to make all the necessary configurations.


    IV.2. Default inspection

    This inspection gives us security based on different security levels. For example, if you have two hosts, the first with security level 50 and the second with security level 100, the one having the higher level can communicate with the other one, but in the opposite direction the one having the lower security level cannot communicate with the other.

    The communication permitted by this inspection can be defined by the network administrator, who can add or remove specific protocols. The default inspection is organized by the ASA in 3 different levels:

    Service policy: An entire set of policies that is applied to one or all ASA interfaces, configured with the service-policy command.

    Policy map: Where an action is taken on matched traffic, configured with the policy-map command.

    Class map: Where specific traffic flows are identified or classified, configured with the class-map command.

    A service policy can contain one or more policy maps, which can, in turn, contain one or more class maps. As well, any class maps you define can be referenced in multiple policy maps and service policies.


    Figure 15 : MPF Organisation and Structure

    IV.2.1. Scenario 1

    In this scenario we divided the network into three parts: the first is the inside network with the highest security level (100), the second is the demilitarized zone (DMZ) with a medium security level (50), and the third is the outside network with the lowest security level (0).

    So we can conclude that after the configuration of the default inspection the inside network can communicate with the DMZ and the outside because it has a higher level of security, the DMZ can communicate only with the outside, and the outside cannot communicate with anyone.
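    The CLI equivalent of what the Modular Policy Framework section and Scenario 1 set up through ASDM, given here as an added example that is not taken from the report: the three interfaces with their security levels, and the class-map / policy-map / service-policy chain that applies the default inspection globally. The interface names and the inside network 192.168.1.0/24 are assumptions; 172.16.0.0/24 (DMZ) and 10.10.10.0/24 (outside) follow the addresses the report uses later.

```text
! Added example, not the report's own configuration. Interface names and the
! inside addressing are assumed. Security levels as in Scenario 1:
! inside 100, dmz 50, outside 0. Higher-to-lower traffic is permitted by the
! implicit rule; lower-to-higher is denied unless an interface ACL permits it.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! Modular Policy Framework, bottom up:
!   class-map      - which traffic is selected (here: the default inspection ports)
!   policy-map     - what is done with it (application inspection per protocol)
!   service-policy - where the policy is applied ("global" = every interface)
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect tftp
  inspect http
  inspect icmp
!
service-policy global_policy global
!
! Verify: show service-policy global   (hit counts per inspect engine)
!         show conn                    (state table entries, including ICMP once inspected)
```

    The `inspect icmp` line matters for the ping tests after Figure 27: without it the ASA does not track echo replies as return traffic of an existing connection, so even the inside-to-DMZ ping of Figure 28 would fail until an ACL on the DMZ interface permitted the replies. With it, the four results listed in the report follow from the security levels alone.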

    The figure below shows the construction of the network in GNS3 with the necessary IP addresses.


    Figure 16: network division

    The Figure below shows the commands required to configure the IP addresses of the networks:

    Figure 17: configuration of the interfaces


    The configuration of the inside network is:

    Figure 18: configuration of the inside network

    We now have two LAN networks and we only use the second one, so we have to disable the first one.

    Figure 19: two different LAN networks

    The configuration of the DMZ network is:

    Figure 20: configuration of the DMZ network

    And the configuration of the outside network is:

    Figure 21: configuration of the outside network


    After the configuration is applied and without the default inspection, the three networks cannot communicate with each other, so we have to configure it and choose the desired protocols.

    First of all, we should open the ASDM on the host of the inside network:

    Figure 22: Access from the inside network

    In the firewall configuration we add a new global service-policy (global indicates that it will be applied on all of the firewall's interfaces).

    Figure 23: adding a new service-policy

    Then we should create a class-map and choose that it is a default inspection.


    Figure 24: creation of a new class-map

    Then we should choose the protocols that will be inspected on the interfaces:

    Figure 25: adding protocols to the default inspection


    Figure 26: choosing the protocols

    After the configuration, some access rules will be applied on each interface:


    Figure 27: default access rules

    With these steps the configuration is finished, and we should test the communication between the networks:

    Ping from the inside to the two other networks: SUCCEEDED

    Figure 28: ping from the inside to the other networks

    Ping from DMZ to the inside network: FAILED

    Figure 29: ping from the DMZ to the inside network


    Ping from DMZ to the outside network: SUCCEEDED

    Figure 30: ping from the DMZ to the outside

    Ping from the outside to the other networks: FAILED

    Figure 31: ping from the outside to the other networks


    V. Access rules and NAT rules

    V.1. Access rules

    The Cisco ASA is, at its foundation, a stateful packet filtering device that is application aware, and is capable of verifying the legitimacy and correctness of packets arriving at its interfaces by using various state tables combined with configured access policies. If a packet arrives at an ASA interface, it either must match expected traffic definitions from an existing session or will be compared against the inbound interface security policy applied to that interface. To determine whether the interface security policy will be applied to packets, therefore, the ASA must be able to determine if arriving packets match expected traffic from an existing connection. The ASA does this by maintaining state tables, as just mentioned. State tables act as short-term memory for the device on active connections.

    Figure 32: output of the command show run


    Figure 35: configuration of the access rule

    And we replace the IP in the service field by the TFTP protocol:

    Figure 36: choosing the TFTP protocol


    Figure 37: configured access rule

    And now we have the new access rule.

    We can see the access rule command with the command show run:

    Figure 38: output of the command show run

    Now we should save the configuration using the command copy running-config startup-config

    Figure 39 : saving the configurations

    And now we should test the communication. On the DMZ host we created a text file (test.txt) on the Desktop to try to download it from the outside host. Then we start the TFTP server on the DMZ host and specify the Desktop as the directory:

    Figure 40 : TFTP server


    If we try to ping the DMZ from the outside it will fail, because we didn't permit the ICMP protocol:

    Figure 41: ping from the outside to the DMZ

    Now we try to download the file on the outside network using this command:

    Figure 42: output of the command GET

    And it will succeed.

    The access lists are very important to manage the access through the firewall's interfaces, especially when we need to permit packets from a lower to a higher security level.


    V.2. Network Address Translation (NAT)

    The ASA firewall is often deployed on the border between a network using a private IP addressing scheme and the Internet. To solve the problems in the interconnection of these networks, the Cisco ASA supports IP address translation (NAT) and Port Address Translation (PAT).

    There simply were not enough addresses available in the originally designed IP addressing scheme to accommodate universal connectivity, especially given the manner in which addresses were originally assigned. Therefore, a system of private IP addresses was developed, first in RFC 1597, which was then superseded by the better-known RFC 1918, which allows multiple networks around the world to deploy the exact same IP addresses for addresses that require only local uniqueness. This eliminates the need to maintain globally unique addresses for every connected host worldwide.

    Because private IP addresses are intended for local use only and are considered nonroutable on the public Internet, NAT is required to translate these private (local) IP addresses to public (global), routable addresses when hosts on a private network need to communicate with hosts outside of that private network. Additionally, because many organizations can deploy the same private IP addresses, due to local significance, NAT is required if hosts on these networks with overlapping addresses need to communicate with each other.

    Figure 43: basic address translation example

    V.2.1. Difference between NAT and PAT

    When you use inside NAT, only the source IP address of the internal host is translated, and a one-to-one mapping is made between the original (local) IP address and the translated (global) address assigned to the host. The global address can be assigned in either a static (fixed and permanent) or dynamic (from a pool and temporary) manner. If there are not enough global IP addresses to support all internal hosts, some hosts will not be able to communicate through the ASA.


    The figure below illustrates the use of NAT with an example of inside NAT. Recall that inside NAT means that traffic from the host subject to translation ingresses the ASA on a more secure interface than it egresses the ASA. In the figure, two hosts connected to the inside interface of the ASA both need to communicate with destinations on the Internet.

    Figure 44: dynamic inside NAT scenario

    In this figure, hosts on the internal 10.0.0.0/24 network share a pool of global addresses, 209.165.200.235-254, from which addresses are dynamically allocated to hosts as they make connections, and to which addresses are returned after an idle period. In the previous example, by contrast, we had a static NAT in which all addresses are translated to a single global address.

    When you use inside NAT, only the source IP address of the internal host is translated, and a one-to-one mapping is made between the original (local) IP address and the translated (global) address assigned to the host. With PAT, however, both the source IP address and source port (for TCP and UDP packets) are translated, which creates a many-to-one mapping, with multiple internal hosts sharing a single global IP address, and each of their TCP or UDP connections being assigned a unique port number, tracked by the ASA for the duration of the connection. This allows for maximum efficiency in conserving global IP addresses, but is not compatible with all applications.


The figure below illustrates dynamic inside PAT:

    Figure 45: Dynamic inside PAT scenario
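The two translation styles of Figures 44 and 45 as ASA 8.3 and later CLI, which is what ASDM generates behind the NAT Rules dialog. This is an added example and not configuration taken from the original report: the object names (GLOBAL_POOL, INSIDE_NET, INSIDE_NET_PAT) and the second subnet 10.0.1.0/24 are assumptions, while the pool, the 10.0.0.0/24 network and the interface names are those of the figures.

```cisco
! Dynamic inside NAT (Figure 44): one-to-one. Each inside host borrows one
! address from the pool when it opens a connection and gives it back when the
! translation has been idle for the xlate timeout (3 hours by default).
object network GLOBAL_POOL
 range 209.165.200.235 209.165.200.254

object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 ! The trailing "interface" keyword is optional: with it the ASA falls back to
 ! PAT on the outside interface address once the 20-address pool is exhausted,
 ! instead of dropping connections from the 21st host.
 nat (inside,outside) dynamic GLOBAL_POOL interface

! Dynamic inside PAT (Figure 45): many-to-one. Source IP and source port are
! both rewritten and every host shares the outside interface address. A network
! object carries only one nat statement, so a second (assumed) subnet is used
! here to show both styles side by side.
object network INSIDE_NET_PAT
 subnet 10.0.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Checks: the compiled NAT table, and the live translations (one line per
! pool address in use for NAT, one line per host:port pair for PAT).
show nat
show xlate
```

Applying only one of the two nat statements to a given subnet is the normal case; the contrast here is the point. With PAT the number of concurrent connections from that subnet is bounded by the ports available on the single global address, which is why the report's remark about application compatibility matters more for PAT than for pool-based NAT.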

    V.2.2. Scenario 3

To understand NAT we built a scenario with three security zones: inside, outside and DMZ. In this scenario we have to NAT the HTTP server in the DMZ to the outside, and we have to permit the DMZ to use the FTP server on the inside network.

    Figure 46: network division

To configure a NAT rule, open ASDM on the inside host, select NAT Rules, then Add:


    Figure 47: NAT rule configuration

- Source interface: outside
- Destination interface: DMZ
- Source address: any, because every external host that wants to reach the HTTP server must match this rule
- Destination address (original packet): 10.10.10.80, an otherwise unused address on the outside network; the rule maps the server's real address (172.16.0.2) to this address
- Service: any
- NAT type: Static
- Destination address (translated packet): 172.16.0.2, the real address of the web server


    Figure 48: configuration of the interfaces

    Figure 49 : NAT rule

Any host on the outside network that tries to reach the DMZ through the mapped address 10.10.10.80 is directed to the web server.

But first we must add an access rule, because connections from a lower security level (outside) to a higher security level (DMZ) are denied by default.


    Figure 50: configuration of the access rule needed for the NAT rule

Source is Any and destination is the web server. The rule is needed because the two interfaces have different security levels: without an explicit permit, the ASA drops connections initiated from the lower security level. Note that on ASA 8.3 and later the access rule refers to the server's real address (172.16.0.2), not to the mapped address 10.10.10.80, because NAT is applied before the access rule is evaluated.

Now we test the connection: on the outside host we open the web browser and browse to the mapped IP 10.10.10.80:

    Figure 51: loading the web page


The web page loads successfully. We can confirm it with the command netstat -n on the outside host, which lists the established TCP connection to 10.10.10.80 on port 80.

Figure 52: output of the command netstat -n

This is the sample page that IIS serves by default; IIS is the web server running on the DMZ host.

Now we must permit access from the DMZ host to the FTP server on the inside host.

    Figure 53: configuring the access rule

Now we test the FTP connection with the following command:

    Figure 54: FTP connection

The result of this command is the same as for the connection to the TFTP server.
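The whole of Scenario 3 (static NAT for the DMZ web server, the outside-to-DMZ access rule, the DMZ-to-inside FTP rule and a check) as ASA 8.3 and later CLI. This is an added example, not the configuration from the report's ASDM screenshots. The addresses 172.16.0.2 and 10.10.10.80 and the interface roles come from the report; the object names, the interface name dmz, the inside FTP server address 192.168.1.10 and the outside client address 203.0.113.5 are assumptions made for the example.

```cisco
! 1. Static NAT: publish the DMZ web server 172.16.0.2 as 10.10.10.80 on the
!    outside. One-to-one, permanent, works in both directions.
object network DMZ_WEB
 host 172.16.0.2
 nat (dmz,outside) static 10.10.10.80

! 2. Access rule outside -> DMZ. Since ASA 8.3 the ACL matches the REAL address
!    (172.16.0.2, via the object), not the mapped 10.10.10.80, because NAT is
!    applied before the ACL is evaluated. Permit only tcp/80 instead of "any"
!    service: the rule is the only thing between the Internet and the server.
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq www
access-group OUTSIDE_IN in interface outside

! 3. Access rule DMZ -> inside for FTP. 192.168.1.10 is an ASSUMED address for
!    the inside FTP server (the report does not give it). Allow only the web
!    host to the FTP host on tcp/21, so a compromised DMZ box cannot reach
!    anything else on the inside network.
object network INSIDE_FTP
 host 192.168.1.10
access-list DMZ_IN extended permit tcp object DMZ_WEB object INSIDE_FTP eq ftp
! Applying an ACL inbound on dmz replaces the default "permit to lower security
! level" behaviour with the ACL's implicit deny, so DMZ -> outside traffic must
! now be permitted explicitly if the server needs it (updates, DNS, and so on).
access-list DMZ_IN extended permit tcp object DMZ_WEB any eq www
access-list DMZ_IN extended permit tcp object DMZ_WEB any eq https
access-group DMZ_IN in interface dmz
! The FTP data channel is opened by "inspect ftp" in the default global policy;
! without that inspection only the control connection on tcp/21 would pass.

! 4. Verify without a client: simulate an outside host (203.0.113.5, assumed,
!    from the documentation range) connecting to the published address, and the
!    DMZ host opening an FTP control connection to the inside server. Each run
!    shows the NAT and ACCESS-LIST phases and ends with ALLOW or DROP.
packet-tracer input outside tcp 203.0.113.5 40000 10.10.10.80 80
packet-tracer input dmz tcp 172.16.0.2 40001 192.168.1.10 21

! Live translations: the static entry for DMZ_WEB is present even before any
! connection is made.
show xlate
```

The packet-tracer lines are the CLI equivalent of loading the page from the outside host and running netstat -n: they confirm that the static translation and the access rule match in the expected order before any real client is involved.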


    VI. Conclusion

During the training I learned the importance and the necessity of a hardware-based firewall in the security domain: controlling access through flexible access rules, masking private IP addresses with simple or sophisticated NAT rules, protecting critical data, filtering and detecting malicious activity, intrusion prevention and detection, and many other features.

I also learned how to create multiple virtual machine instances to operate and simulate real-world networks.

Finally, I learned that security is a very important parameter when implementing networks, because of the escalating threats, the volume of attacks, the spread of viruses and the hacking techniques found throughout the cyber world.


    VII. References

- CCNP Security FIREWALL 642-618 Official Cert Guide
- Wikipedia, www.wikipedia.com