Introduction to Cisco PIX and ASA
TRANSCRIPT
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Network Security - Firewalls
A firewall is a system or group of systems that manages access between two networks. It provides the first line of perimeter defense.
• It prevents unauthorized access to a network.
• It protects the trusted network from attacks.
• It manages the information flow and restricts dangerous unrestricted access.
• It can permit, deny, encrypt, decrypt or proxy the traffic.
• It provides the ability to expose Internet services to the outside world in a limited way via a DMZ.
Cisco PIX
• PIX – Private Internet Exchange
• Uses the Adaptive Security Algorithm (stateful inspection keyed on interface security levels)
• Not a UTM: a stateful firewall with NAT and VPN
• PIX OS is similar to IOS, but there are some differences
• GUI: PDM – PIX Device Manager
• Models start with the 500 series
• End of life (EOL)

Cisco ASA
• ASA – Adaptive Security Appliance
• With add-on modules it can be used as a UTM; add-on modules exist for anti-virus, VPN and IPS
• CLI more similar to IOS than PIX OS
• GUI: ASDM – Adaptive Security Device Manager
• Models start with the 5500 series
Cisco PIX and ASA – Different Editions
Cisco PIX 501
• Processor: 133 MHz AMD SC520
• Memory: 16 MB
• Ethernet: 2
• Flash: 8 MB
• Connections: 3,500
• Clear-text throughput: 10 Mbps
• VPN peers: 5
Cisco PIX 506
• Processor: 300 MHz Intel Celeron
• Memory: 32 MB
• Ethernet: 2
• Flash: 8 MB
• Clear-text throughput: 20 Mbps
• VPN peers: 25
Cisco PIX 515
• Processor: 200 MHz Pentium Pro
• Memory: 32 MB (515-R), 64 MB (515-UR)
• Ethernet: 2 (515-R), 6 (515-UR)
• Flash: 8 MB (515-R), 16 MB (515-UR)
• Connections: 50,000 (515-R), 100,000 (515-UR)
Cisco PIX 525
• Processor: 600 MHz Pentium III
• Memory: 128 MB SDRAM
• Ethernet: 6 configurable; Token Ring: 4 configurable; FDDI: 2 configurable; Ethernet/TR: 6 total
• Flash: 16 MB
• Connections: 256,000+
• VPN tunnels: 2,000
Cisco PIX 535
• Processor: 1 GHz Pentium III
• Memory: 512 MB SDRAM
• Ethernet: 4/6 configurable
• Flash: 16 MB
• Connections: 500,000
• VPN tunnels: 2,000
PIX Firewall Models
Model                       501        506e            515e            525            535
CPU type                    AMD        Intel Celeron   Intel Celeron   Intel P III    Intel P III
CPU speed                   133 MHz    300 MHz         433 MHz         600 MHz        1 GHz
Default RAM (MB)            16         32              64              128            512
Default flash               8 MB       8 MB            16 MB           16 MB          16 MB
Interfaces                  2          2               6 (M)           6 (M)          8 (M)
VPN accelerator supported   No         No              Yes             Yes            Yes
Failover supported          No         No              Yes             Yes            Yes
Cisco ASA Models
ASA 5510/5520/5540 (chassis diagram): front-panel LEDs for Power, Status, Active, Flash and VPN; four 10/100/1000 copper Gigabit ports; a 10/100 out-of-band management port; AUX port; compact flash slot; two USB 2.0 ports; console port; Security Services Module (SSM) monitoring port.
Cisco ASA – Security Services Module
(Diagram) High-performance module for additional services, with a Gigabit Ethernet port for out-of-band management, etc.
Failover – Hot Standby
− Minimizes the single point of failure
− Maximizes reliability of the network
− Transparent to users behind the firewall
− Failover units must be the identical model of PIX/ASA, with the same interfaces and software version
(Diagram) Two units, the active one marked "failover active" and its hot standby, joined by a failover cable, sit between the Internet and the internal LAN; the DMZ holds the web server, DNS server and FTP server.
April 11, 2023 Company confidential
Context Firewall
• Cisco feature for the Cisco 5500 Series Adaptive Security Appliance with software version 7.2 and later.
  − Note: the multiple context feature is not supported on the ASA 5505. The ASA 5510 supports a maximum of 5 contexts even if an additional 4-port Ethernet card is added.
• Partitions a single device into multiple virtual devices. Each context is an independent device with its own configuration.
• Each context has its own routing table, firewall features, IPS and so on, like a standalone device.
• Multiple context mode does not support the following features:
  − Dynamic routing protocols (security contexts support only static routes; OSPF and RIP cannot be enabled in multiple context mode)
  − VPN
  − Multicast
• A user who logs into the admin context has system administrator rights (access to the system configuration and to every other context), so access to the admin context must be restricted accordingly.
• The admin context is not counted in the context license. For example, with the default license you are allowed one admin context and two other contexts.
  − When buying a new ASA 5500 with the default license, three firewall contexts can be run.
Sample Network
(Diagram) The firewall has three interfaces: E0 "Outside" toward the Internet (200.200.200.1/30), E1 "Inside" toward the internal LAN (10.10.10.0/24), and E2 toward the DMZ (172.16.30.0/27).
Basic Configuration – Interface
  interface Ethernet0
   description "Outside Interface - Conn to Internet Router"
   nameif outside
   security-level 0
   ip address 200.200.200.1 255.255.255.252
  interface Ethernet1
   description "Inside Interface - Conn to Core Switch"
   nameif inside
   security-level 100
   ip address 10.10.10.1 255.255.255.0
  interface Ethernet2
   description "DMZ Interface towards DMZ1 servers"
   nameif DMZ
   security-level 50
   ip address 172.16.30.1 255.255.255.224
  !
The security level drives the default policy: without an access list, traffic may start from a higher level toward a lower one (inside 100 to DMZ 50 to outside 0) and is denied in the other direction.
Basic Configuration - DNS
  dns domain-lookup outside
  dns server-group DefaultDNS
   name-server 3.3.3.3
   name-server 4.4.4.4
   domain-name xyz.net
Basic Configuration - Time
  clock timezone IST 5 30
  ntp server 1.1.1.1
  ntp server 2.2.2.2
Accurate time matters for log correlation, failover and certificate validation; use NTP servers you control.
Basic Configuration - Logging
  logging enable
  logging timestamp
  logging monitor informational
  logging buffered informational
  logging trap informational
  logging asdm informational
  logging host <interface> <syslog server IP>
  Example: logging host inside 10.10.10.1
(The syslog host must be a server on the inside network; in the sample network 10.10.10.1 is the firewall's own inside interface address, so substitute the address of the actual syslog server.)
Basic Configuration - SNMP
  snmp-server host <interface> 6.6.6.6 poll community "snmp-rostring"
  snmp-server host <interface> 7.7.7.7 poll community "snmp-rostring"
  snmp-server location "<location>"
  snmp-server contact "XYZ,Phone +91 123456789"
Example:
  snmp-server host inside 6.6.6.6 poll community Cisco
  snmp-server host inside 7.7.7.7 community Procurve
  snmp-server location Bangalore
  snmp-server contact "XYZ,Phone +91 123456789"
The "poll" keyword limits that host to polling (no traps are sent to it); with neither "poll" nor "trap" both are allowed. SNMP v1/v2c community strings travel in clear text and act as a password, so do not use vendor names such as the ones in this example, and restrict management stations to the inside or a dedicated management interface.
Basic Configuration - AAA
  aaa-server admin protocol tacacs+
  aaa-server admin (<interface>) host 1.2.3.4
   timeout 5
   key "tacacs-key"
  aaa-server admin (<interface>) host 3.4.5.6
   timeout 5
   key "tacacs-key"
  aaa authentication telnet console admin LOCAL
  aaa authentication ssh console admin LOCAL
  aaa authentication enable console admin LOCAL
  aaa authentication serial console admin LOCAL
LOCAL is the fallback used only when the TACACS+ servers are unreachable, so the local accounts still need strong passwords.
Failover Configuration
  failover
  failover lan unit primary
  failover lan interface failover Ethernet0/3
  failover key 123456
  failover link failover Ethernet0/3
  failover interface ip failover 20.20.20.1 255.255.255.0 standby 20.20.20.2
The failover key authenticates and encrypts the failover messages, which carry the replicated configuration; without it they cross the failover link in clear text. Use a strong key and a dedicated, directly connected link.
Access-List and Access-Groups
• One access list per interface: access-list acl_inside, access-list acl_dmz, access-list acl_outside
• Bind each access list inbound on its interface:
  access-group acl_inside in interface inside
  access-group acl_outside in interface outside
  access-group acl_dmz in interface DMZ
ACL
Inside ACL
  access-list acl_inside extended permit ip 10.10.10.0 255.255.255.0 172.16.30.0 255.255.255.224
Outside ACL
  access-list acl_outside extended permit tcp any host 200.200.200.5 eq smtp
DMZ ACL
  access-list acl_dmz extended permit tcp host 172.16.30.10 any eq smtp
Once an access list is bound to an interface it replaces the security-level default and ends in an implicit deny: with acl_inside as written, inside hosts can reach the DMZ but not the Internet unless a further entry is added. On pre-8.3 software the outside ACL refers to the mapped (global) address 200.200.200.5, not the DMZ server's real address.
NAT
  static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
  static (dmz,outside) 200.200.200.5 172.16.30.10 netmask 255.255.255.255
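The interface, access-list, access-group and NAT fragments above fit together into one decision: is a given flow allowed, and where does it end up? The following Python model, added here by the editor and not taken from the slides or from Cisco, parses those fragments (constructed from the sample network) and evaluates a flow the way the appliance does on pre-8.3 software: the inbound ACL is matched against the mapped address, the static is used to find the real host, a bound ACL ends in an implicit deny, and where no ACL is bound the security-level default applies. It assumes a default route out of "outside" for destinations that match no connected subnet, compares interface names case-insensitively, and supports only the "any", "host" and "network mask" address forms and "eq port" that appear on the slides.

```python
import ipaddress

# Constructed from the configuration fragments on the slides.
ASA_CONFIG = """
interface Ethernet0
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.252
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 172.16.30.1 255.255.255.224
access-list acl_inside extended permit ip 10.10.10.0 255.255.255.0 172.16.30.0 255.255.255.224
access-list acl_outside extended permit tcp any host 200.200.200.5 eq smtp
access-list acl_dmz extended permit tcp host 172.16.30.10 any eq smtp
access-group acl_inside in interface inside
access-group acl_outside in interface outside
access-group acl_dmz in interface DMZ
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (dmz,outside) 200.200.200.5 172.16.30.10 netmask 255.255.255.255
"""
PORTS = {"smtp": 25, "www": 80, "https": 443, "domain": 53, "ssh": 22}

def parse_addr(t, i):
    # One ASA address spec: any | host A | NET MASK (subnet mask, not an IOS wildcard)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_ace(t):
    # t = tokens after 'access-list NAME extended': ACTION PROTO SRC DST [eq PORT]
    src, i = parse_addr(t, 2)
    dst, i = parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORTS.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": port}

def parse_config(text):
    cfg = {"if": {}, "acl": {}, "group": {}, "static": []}
    cur = {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = {}
        elif t[0] == "nameif":
            cfg["if"][t[1].lower()] = cur
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif t[0] == "access-list":
            cfg["acl"].setdefault(t[1], []).append(parse_ace(t[3:]))
        elif t[0] == "access-group":
            cfg["group"][t[4].lower()] = t[1]
        elif t[0] == "static":  # static (real_if,mapped_if) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").lower().split(",")
            mask = t[5] if len(t) > 5 else "255.255.255.255"
            cfg["static"].append((real_if, mapped_if, ipaddress.ip_network(f"{t[2]}/{mask}"),
                                  ipaddress.ip_network(f"{t[3]}/{mask}")))
    return cfg

def untranslate(cfg, ingress, dst):
    # Pre-8.3 NAT: the inbound ACL sees the mapped address; the static yields the real host.
    for real_if, mapped_if, mapped_net, real_net in cfg["static"]:
        if mapped_if == ingress and dst in mapped_net:
            offset = int(dst) - int(mapped_net.network_address)
            return ipaddress.ip_address(int(real_net.network_address) + offset), real_if
    return dst, None

def egress_interface(cfg, real_dst):
    # Longest connected-subnet match; anything else leaves via outside (assumed default route).
    hits = [n for n, i in cfg["if"].items() if real_dst in i["net"]]
    return max(hits, key=lambda n: cfg["if"][n]["net"].prefixlen) if hits else "outside"

def evaluate(cfg, ingress, proto, src, dst, dport=None):
    """Return (allowed, reason) for a packet entering interface `ingress`."""
    ingress = ingress.lower()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    real_dst, real_if = untranslate(cfg, ingress, dst)
    egress = real_if or egress_interface(cfg, real_dst)
    acl = cfg["group"].get(ingress)
    if acl:  # a bound ACL replaces the security-level default and ends in an implicit deny
        for ace in cfg["acl"][acl]:
            if (ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]
                    and ace["dport"] in (None, dport)):
                return ace["action"] == "permit", f"{acl}: {ace['action']}, real destination {real_dst} via {egress}"
        return False, f"{acl}: no match, implicit deny at end of ACL"
    hi, lo = cfg["if"][ingress]["level"], cfg["if"][egress]["level"]  # ASA default: high to low only
    if hi > lo:
        return True, f"no ACL on {ingress}: default allow {ingress}({hi}) -> {egress}({lo})"
    return False, f"no ACL on {ingress}: default deny {ingress}({hi}) -> {egress}({lo})"
```

Running evaluate(parse_config(ASA_CONFIG), "outside", "tcp", "8.8.8.8", "200.200.200.5", 25) shows the SMTP flow permitted by acl_outside and delivered to 172.16.30.10 on the DMZ, while the same source to port 80 falls through to the implicit deny. The useful check is the inside interface: with acl_inside bound, inside to Internet HTTP is denied even though inside (100) is higher than outside (0); remove the access-group line and the security-level default lets it through.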
Commands
• show ip address
• show interface ip brief
• show failover
• show interface
• object-group
• names
IPsec - Recap
IKE Phase 1 parameters
• IKE encryption algorithm (DES, 3DES, or AES)
• IKE hash algorithm (MD5 or SHA-1)
• IKE authentication method (pre-shared key or RSA signatures)
• Diffie-Hellman group (1, 2, or 5)
• IKE tunnel lifetime (time and/or byte count)
IKE Phase 2 parameters
• IPsec protocol (ESP or AH)
• IPsec encryption algorithm (DES, 3DES, or AES)
• IPsec authentication (HMAC-MD5 or HMAC-SHA-1)
• IPsec mode (tunnel or transport)
• IPsec SA lifetime (seconds or kilobytes)
Of these choices, DES, 3DES, MD5 and DH groups 1 and 2 are no longer considered adequate; prefer AES, SHA-2 and DH group 14 or higher.
IPsec VPN (template; the syntax shown is Cisco IOS router syntax, the PIX/ASA equivalents differ in places, for example ACLs use subnet masks and the map is applied with "crypto map NAME interface outside")
Command                                                          Purpose
crypto isakmp policy 1                                           Creates a new ISAKMP (IKE phase 1) policy. The number is the policy priority (lowest is tried first); with a single policy its value does not matter.
 encr 3des                                                       Sets encryption to triple-DES
 hash sha                                                        Sets the hash algorithm to SHA-1
 authentication pre-share                                        Sets the authentication type to a pre-shared key between the IPsec peers
 group 2                                                         Sets the policy to Diffie-Hellman group 2 (1024-bit MODP; group 1 is the 768-bit group). Both are weak today; use group 14 or higher where the peer supports it.
crypto isakmp key [Shared-key] address [Remote-External-IP]      Sets the pre-shared key for a specific IPsec peer
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac        Defines a named set of algorithms for phase 2. The name is the word right after "transform-set". Most newer IOS images support compression and AES; older ones support only 3DES, and some only DES.
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
ip access-list extended Crypto-list                              Creates the access list that defines what goes into the tunnel
 permit ip [Local-Int-NetID] [Local-Int-RMask] [Remote-Int-NetID] [Remote-Int-RMask]
                                                                 RMask is a wildcard (inverse) mask. You can add multiple entries for source, destination and services; the peer's crypto ACL must be the mirror image.
crypto map VPN-Map-1 10 ipsec-isakmp                             Creates an IPsec map entry. You can have multiple tunnels per interface by incrementing the "10" on the next entry with the same name "VPN-Map-1".
 set peer [Remote-External-IP]                                   Defines the IP address of the remote peer
 set transform-set [Algorithm-preset]                            Selects the transform-set defined above
 set pfs group2                                                  Enables Perfect Forward Secrecy: a fresh Diffie-Hellman exchange for each phase 2 SA, so a compromised phase 1 secret does not expose the data keys
 match address Crypto-list                                       Refers to the access list created earlier that defines what goes into the tunnel
interface [External-Interface]                                   Enters the external interface configuration
 crypto map VPN-Map-1                                            Attaches map "VPN-Map-1" to this interface. Only one map per interface is allowed.
ip access-list extended [Firewall-policy-name]                   Enters the external firewall policy for controlling inbound traffic
 permit udp host [Remote-External-IP] any eq isakmp              Permits IKE setup (UDP 500) from the peer; add UDP 4500 (non500-isakmp) if NAT traversal is in use
 permit esp host [Remote-External-IP] any                        Permits the IPsec payload (ESP) from the peer
IPsec VPN (worked example with values)
Command                                                          Purpose
crypto isakmp policy 1                                           Creates a new ISAKMP (IKE phase 1) policy; the number is its priority
 encr 3des                                                       Sets encryption to triple-DES
 hash sha                                                        Sets the hash algorithm to SHA-1
 authentication pre-share                                        Sets the authentication type to a pre-shared key between the IPsec peers
 group 2                                                         Sets the policy to Diffie-Hellman group 2 (1024-bit MODP)
crypto isakmp key test123 address 100.100.100.100                Sets the pre-shared key for the peer 100.100.100.100 (a real deployment needs a long random key, not a short word like this)
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac        Defines the named algorithm sets, as in the template
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
ip access-list extended Crypto-list                              Creates the access list that defines what goes into the tunnel
 permit ip 10.10.10.0 0.0.0.255 10.0.20.0 0.0.0.255              Local 10.10.10.0/24 to remote 10.0.20.0/24 (wildcard masks); more entries can be added
crypto map VPN-Map-1 10 ipsec-isakmp                             Creates the IPsec map entry; further tunnels use the same name with a higher sequence number
 set peer 100.100.100.100                                        Defines the IP address of the remote peer
 set transform-set AES-SHA-compression                           Selects the transform-set defined above
 set pfs group2                                                  Enables Perfect Forward Secrecy with DH group 2
 match address Crypto-list                                       Refers to the access list that defines what goes into the tunnel
interface Ethernet0                                              Enters the external interface configuration
 crypto map VPN-Map-1                                            Attaches map "VPN-Map-1" to this interface; only one map per interface is allowed
ip access-list extended Internet-inbound-ACL                     Enters the external firewall policy for controlling inbound traffic
 permit udp host 100.100.100.100 any eq isakmp                   Permits IKE setup from the peer
 permit esp host 100.100.100.100 any                             Permits the IPsec payload from the peer
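The IKE recap lists the parameter choices and the worked configuration picks 3DES, SHA-1, DH group 2, PFS group 2 and a seven-character pre-shared key. The checker below, added by the editor and not part of the slides or of any Cisco tool, parses the IOS-style "crypto isakmp policy", "crypto isakmp key", "crypto ipsec transform-set" and "crypto map" lines and reports the parameters that are weak by current practice: DES and 3DES (3DES is deprecated by NIST), MD5, DH groups 1 and 2 (768- and 1024-bit MODP, the latter shown practical to break for well-resourced attackers by the Logjam work), a missing PFS setting, and a crypto map that references a transform-set that was never defined. The 20-character pre-shared-key threshold and the hardened counterpart configuration are the editor's own choices; the IOS defaults applied when a policy line is absent (DES, SHA-1, DH group 1) are the documented ones.

```python
WEAK_ENC = {"des": "DES (56-bit)", "3des": "3DES (deprecated)", "null": "no encryption"}
WEAK_HASH = {"md5": "MD5"}
WEAK_GROUP = {"1": "DH group 1 (768-bit MODP)", "2": "DH group 2 (1024-bit MODP)"}
MIN_PSK_LEN = 20  # this example's own threshold, not a vendor or slide figure

# Constructed from the worked configuration on the slides.
SAMPLE = """
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key test123 address 100.100.100.100
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 100.100.100.100
 set transform-set AES-SHA-compression
 set pfs group2
 match address Crypto-list
"""
# The same tunnel with parameters the editor would choose today (constructed, not from the slides).
HARDENED = """
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Xk9vQ2mL7pR4sT1wZ8bN3cF6hJ0yD5eG address 100.100.100.100
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 100.100.100.100
 set transform-set AES256-SHA256
 set pfs group14
 match address Crypto-list
"""

def parse(text):
    """Return (isakmp policies, pre-shared keys, transform-sets, crypto map entries)."""
    policies, keys, tsets, maps, cur = {}, [], {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["crypto", "isakmp", "policy"]:
            cur = policies.setdefault(t[3], {})
        elif t[:3] == ["crypto", "isakmp", "key"]:
            keys.append((t[3], t[5]))  # (key, peer address)
            cur = None
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = t[4:]
            cur = None
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:
            cur = maps.setdefault((t[2], t[3]), {})
        elif t[0] == "crypto":
            cur = None
        elif cur is not None:  # policy lines 'encr 3des', 'group 2'; map lines 'set pfs group2'
            if t[0] == "set":
                cur[t[1]] = t[2:]
            else:
                cur[t[0]] = t[1] if len(t) > 1 else True
    return policies, keys, tsets, maps

def audit(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    policies, keys, tsets, maps = parse(text)
    findings = []
    for num, p in policies.items():
        enc = p.get("encr", p.get("encryption", "des"))  # IOS defaults: DES, SHA-1, DH group 1
        if enc in WEAK_ENC:
            findings.append(f"isakmp policy {num}: encryption {WEAK_ENC[enc]}")
        if p.get("hash", "sha") in WEAK_HASH:
            findings.append(f"isakmp policy {num}: hash MD5")
        if p.get("group", "1") in WEAK_GROUP:
            findings.append(f"isakmp policy {num}: {WEAK_GROUP[p.get('group', '1')]}")
    for key, peer in keys:
        if len(key) < MIN_PSK_LEN:
            findings.append(f"pre-shared key for {peer} is only {len(key)} characters")
    for name, algs in tsets.items():
        for a in algs:
            base = a.replace("esp-", "").replace("ah-", "").replace("-hmac", "")
            if base in WEAK_ENC or base in WEAK_HASH:
                findings.append(f"transform-set {name}: {a}")
    for (mname, seq), m in maps.items():
        for ts in m.get("transform-set", []):
            if ts not in tsets:
                findings.append(f"crypto map {mname} {seq}: transform-set {ts} is not defined")
        pfs = m.get("pfs")
        if not pfs:
            findings.append(f"crypto map {mname} {seq}: no 'set pfs', phase 2 keys depend on the phase 1 secret")
        elif pfs[0].replace("group", "") in WEAK_GROUP:
            findings.append(f"crypto map {mname} {seq}: pfs {pfs[0]} uses a weak group")
        if "peer" not in m:
            findings.append(f"crypto map {mname} {seq}: no 'set peer'")
    return findings
```

audit(SAMPLE) reports the 3DES policy, DH group 2, the two 3DES transform-sets (the unused ones still matter, because a peer can only negotiate what is offered), PFS group 2 and the short key; audit(HARDENED) returns an empty list. The undefined transform-set check catches the common typo where a map silently references a name that does not exist and the tunnel never comes up.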