642-618 Firewall Notes by rion
Learning@Cisco: Ri0N; April 8, 2014
CCNP Security: 642-618 FIREWALL
Contents
CHAPTER 1: Cisco ASA Overview
CHAPTER 2: Working with a Cisco ASA
CHAPTER 3: Configuring ASA Interfaces
CHAPTER 4: Configuring IP Connectivity
CHAPTER 5: Managing a Cisco ASA
CHAPTER 6: Recording ASA Activity
CHAPTER 7: Using Address Translation
CHAPTER 8: Controlling Access Through the ASA
CHAPTER 9: Inspecting Traffic
CHAPTER 10: Using Proxy Services to Control Access
CHAPTER 11: Handling Traffic
CHAPTER 12: Using Transparent Firewall Mode
CHAPTER 13: Creating Virtual Firewalls on the ASA
CHAPTER 14: Deploying High Availability
CHAPTER 15: Integrating ASA Service Modules
CHAPTER 16: Traffic Analysis Tools
CHAPTER 1: Cisco ASA Overview
Overview
» trusted(/untrusted) network = security domain
» place a firewall at the boundary between the trusted and untrusted parts of a network
» firewall = a device that enforces an access control policy between two or more security
domains
» the firewall is the only pathway or "chokepoint" to get in or out of the security domain
» the firewall can enforce security policies on only the traffic that passes through it, not
around or behind it
» the firewall itself must be hardened to endure attack or compromise
» each security domain is implemented with a firewall at its border
» physical separation provides the utmost security because traffic cannot pass between
security domains without some sort of physical intervention
» two approaches to access control
permissive: all traffic is allowed to pass through unless explicitly blocked
restrictive: no traffic is allowed to pass through unless explicitly allowed
» permissive access control is also known as a reactive approach
typically coupled with IPS and antivirus systems
» restrictive access control is also known as a proactive approach
every acceptable type of traffic is identified and explicitly configured into the firewall
(compare to Cisco IOS access-lists)
Stateless Packet Filtering
» traffic is examined based solely on values found in the packet header
» forward/block decisions are made on each packet independently
» no concept of connection state
» performed by using statically configured firewall rules
Stateful Packet Filtering
» keeps track of individual connections or sessions as packets are encountered
» a state table for each active (permitted) connection is maintained
Deep Packet Inspection (DPI)
» the firewall reassembles UDP and TCP sessions and looks inside the application layer
protocols (header and its contents)
» more processing power and memory required
Network Intrusion Prevention System (NIPS)
» examines and analyzes network traffic and compares it to a database of known malicious
activity
» large number of signatures or patterns that describe specific known attacks or exploits
» as new attacks are discovered, new signatures are added
» cannot react to new attacks
» requires inline operation
» requires periodic tuning to manage false positive and false negative threat detection
Network Behavior Analysis (NBA)
» examine network traffic over time to build statistical models of normal, baseline activity
» consider things like traffic volume, traffic rates, connection rates, and types of application
protocols that are normally used (not just simple bandwidth or utilization average)
» continually examines traffic and refines its models automatically
» triggers an alarm when an anomaly is detected
» often called anomaly-based network IPS
» can sometimes detect new attacks if they fall outside the norm
Application Layer Gateway (Proxy)
» gateway or intermediary device between clients and servers
» client sends its requests to the proxy (instead of any destination servers), the proxy
masquerades as a (false) client and relays the original client's requests on to the actual
server
» the proxy evaluates the content of replies and decides what to do with them
» can perform detailed and thorough analysis of client-server connections
the ASA can forward traffic much more efficiently from bus to bus than it can if traffic stays
within a single bus
the Security Services Module (SSM) contains dedicated hardware that can offload
specialized or processor-intensive functions
the AIP-SSM and the CSC-SSM use identical hardware form factors, but run entirely
different software
Advanced Inspection and Prevention (AIP) SSM
» runs the Cisco IPS software image and performs IPS functions
» inline: traffic is internally redirected to the module for inspection and handling before it is
forwarded
» promiscuous: the ASA copies traffic to the module as it is being forwarded
» signature updates are available only by subscribing to the Cisco Services for IPS service
» available in several models (not all models can work in every ASA platform)
Content Security and Control (CSC) SSM
» performs comprehensive antivirus, antispyware, antispam, antiphishing, file blocking, URL
blocking and filtering, and content filtering
» ASA internally redirects traffic through the CSC-SSM, which runs the Trend Micro InterScan
for Cisco CSC-SSM software image
» commonly referred to as the "Anti-X" module
» HTTP, FTP, SMTP, and POP3 are protected
» must stay updated with the latest security information from Trend Micro
» update is done automatically but requires a subscription service license from Cisco
Note: The ASA 5585-X requires Cisco ASA software 8.2(3) or later. However, if an IPS SSP is
installed, the ASA must run release 8.4(2) or later and Cisco IPS 7.1(1)E4 or later.
Except for the ASA 5505, all other models can support virtual firewalls (aka security contexts).
Licensing
» ASAs can operate as clusters or failover pairs for high availability
» mode varies depending upon the model and installed license
» each ASA model comes with a Base license scheme based on the ASA's serial number
and opens up a basic set of features
» if additional capabilities are required, additional licenses must be purchased
» for 8.0(4) or later, time-based licenses can be aggregated or used in conjunction with
permanent licenses
» some features are added together, but for most features the higher value of the two
licenses is used
» in 8.0(3) or earlier, a time-based license overrides any permanent license
» beginning with 8.3, multiple time-based license keys can be installed
» two ASAs in a failover pair must have compatible licensing
» prior to 8.3(1), both ASAs must have identical licenses installed
» a feature is enabled if the license is found on either ASA
» if a time-based license is installed on either unit, the duration found on each unit is
combined for a total license duration
» many ASA models that were put into service before 8.3 do not have the minimum memory
to run 8.3 or newer
CHAPTER 2: Working with a Cisco ASA
Some configuration commands are not shown in the running-config if they use default values.
» show running-config all [command]
» help [command]
» show history
The 'Apply' button must be clicked to actually apply the changes from ASDM to the ASA's
running-configuration.
Default ASA Configuration
» 192.168.1.1/24
» DHCP: 192.168.1.2-192.168.1.254
» HTTP allow 192.168.1.1/24
» ASA 5510 and higher: Management0/0
» ASA 5505: VLAN 1, i.e. Ethernet0/1-7 (VLAN 2, outside: Ethernet0/0)
» configure factory-default (takes effect immediately, no further confirmation)
By default, an ASA stores its startup configuration in a hidden partition of flash memory. That file
has no usable name and can be viewed only through the show startup-config command
» boot config <url>
» show bootvar
Clearing an ASA Configuration
» clear configure all: clears the entire running-configuration
» clear configure primary: clears all commands related to connectivity
» clear configure secondary: clears all commands not related to ASA connectivity
» clear configure <command>: clears all commands that use the <command> keyword
Example: clear configure access-list TEST
clear configure all + copy run start = write erase
the ASA operating system is copied from flash into RAM at boot up
the operating system and ASDM images must be compatible before ASDM can be used
new ASDM image can be used immediately, new operating system requires a reboot
a directory must be empty of all files and other directories before it can be removed
By default, the ASA will ask you to confirm each item that is created or deleted. You can use the
/noconfirm option to proceed without any confirmation.
Note: If you attempt to view the contents of a large binary file, such as by using more image.bin,
you could be stuck waiting a long time. If you want to look at the contents of a binary file, always
use the more /binary or more /ascii forms of the command.
If you are copying files to or from a server that requires user authentication or a
specific port number, you can add the extra information in the following URL format:
ftp://[username[:password]@]server[:port]/[path/]filename
You can also delete an entire directory and all of its contents recursively
by using the /recursive keyword.
Even after the flash file system is erased, the ASA can continue to operate because its image file
and running-configuration are already loaded into RAM.
boot system <device:path>
» if the file can't be found, the command is accepted but a warning message is displayed
» the command is stored in the running-config (save to startup-config to take effect at next
reboot)
with the factory default configuration, the boot system command is empty
the ASA will search for and run the first valid image file it can find in its flash file system
the boot system command can be entered more than once to configure a list of image
files that can be executed
the list is tried in sequence
once the image file has been downloaded (from ROMMON), the ASA automatically boots
and runs the new image
the image is not stored anywhere!
copy the same image file onto a flash file system
CHAPTER 3: Configuring ASA Interfaces
Each interface must be configured with the following three security attributes:
» interface name
» IP address and subnet mask
» security level
Redundant Interfaces
» only one interface is active at any given time; the other interface stays in a standby state
» two interfaces; must be of the same type
» up to eight (1 through 8)
» member interface cannot have a security level or an IP address
» ASA will automatically clear those parameters from physical interface configuration
» the order is important: the first member will become the active link
» the two interfaces trade the active role back and forth only when one of them fails
» uses the MAC address of the first member interface, even if it fails (override with manual
configuration)
Example:
interface redundant 1
member-interface ethernet0/0
member-interface ethernet0/1
no shutdown
» after this point, configurations are done normally on the logical interface
Beginning with 8.4(1), ASA can use EtherChannels:
» two to eight active physical interfaces (up to 16 members, but only 8 can be active)
» must have same type, speed, and duplex mode
» support up to 48 different EtherChannels
» load balancing across active links by computing a hash value based on values found in the
packet header
» if active interfaces are a multiple of two, load can be distributed evenly
» use mode on or LACP
» with LACP, switch and ASA use a system priority (2-byte priority + 6 byte MAC) to decide
which one is allowed to make decisions about active interfaces
» interfaces are selected and become active according to their port priority value (2-byte
priority + 2 byte port number), where a low value indicates a higher priority
» up to 16 links but only 8 active (with lowest priority)
» by default, the source and destination IP addresses are used to compute a hash index
(appropriate choice in most cases)
» the more varied the hash input values, the better the traffic will be distributed
» more interfaces can be added to the channel than are allowed to be active
» default LACP port and system priority is 32,768
» the lower priority value wins when choosing active interfaces
» if same priority, lower port number wins
» if ASA and switch use the same value, the one with the lower MAC address becomes the
decision maker over the LACP negotiations
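The LACP selection rules above, modelled in Python as an added example (not from the notes or from Cisco's implementation): the system ID and port ID are built as the notes describe (2-byte priority followed by the 6-byte MAC or the 2-byte port number), the lower value wins, and at most 8 of up to 16 members become active. The member list and MAC addresses are constructed sample values.

```python
"""Model of the ASA/switch LACP selection rules summarised in the notes.

Added example, not from the notes or from Cisco's implementation. It assumes
the rules as stated: default priority 32768, a system ID of 2-byte priority +
6-byte MAC, a port ID of 2-byte priority + 2-byte port number, lower value
wins, and at most 8 of up to 16 member links active.
"""
from dataclasses import dataclass
from typing import List

DEFAULT_PRIORITY = 32768   # default LACP system and port priority
MAX_MEMBERS = 16           # links that may be bundled into one EtherChannel
MAX_ACTIVE = 8             # links that may be active at the same time


@dataclass(frozen=True)
class Member:
    port_number: int
    port_priority: int = DEFAULT_PRIORITY


def mac_to_int(mac: str) -> int:
    """Accept 0011.2233.4455, 00:11:22:33:44:55 or 00-11-22-33-44-55 notation."""
    hex_digits = "".join(c for c in mac if c not in ".:-")
    if len(hex_digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(hex_digits, 16)


def system_id(priority: int, mac: str) -> int:
    """2-byte system priority followed by the 6-byte MAC, as one 64-bit value."""
    return (priority << 48) | mac_to_int(mac)


def port_id(priority: int, port_number: int) -> int:
    """2-byte port priority followed by the 2-byte port number."""
    return (priority << 16) | port_number


def lacp_decision_maker(asa_priority: int, asa_mac: str,
                        switch_priority: int, switch_mac: str) -> str:
    """Which side decides the active set: the lower system ID wins, so with
    equal priorities the lower MAC address breaks the tie."""
    asa = system_id(asa_priority, asa_mac)
    switch = system_id(switch_priority, switch_mac)
    return "asa" if asa < switch else "switch"


def select_active(members: List[Member]) -> List[int]:
    """Port numbers that become active, in selection order: lowest port ID
    first (lower priority value wins, then lower port number), capped at
    MAX_ACTIVE; the remaining members stay in standby."""
    if len(members) > MAX_MEMBERS:
        raise ValueError(f"at most {MAX_MEMBERS} links can be bundled")
    ranked = sorted(members, key=lambda m: port_id(m.port_priority, m.port_number))
    return [m.port_number for m in ranked[:MAX_ACTIVE]]


if __name__ == "__main__":
    # Constructed sample: ten members at the default priority, except port 10,
    # which is preferred by giving it a lower priority value.
    members = [Member(n) for n in range(1, 11)]
    members[9] = Member(10, port_priority=100)
    print("active:", select_active(members))
    print("decides:", lacp_decision_maker(32768, "0011.2233.4455",
                                          32768, "0010.2233.4455"))
```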
VLAN interfaces
» ASA 5510 and higher: unique subinterfaces of a physical interface
» ASA 5505: unique VLAN interfaces
» ASA supports only 802.1Q encapsulation
» frames from the native VLAN are sent over the trunk link without a tag, while frames from
other VLANs have a tag added while in the trunk
» by default, packets on the physical interface are not tagged (appear in the native VLAN)
» packets sent out a subinterface do receive a VLAN tag
» ASA does not support DTP
Example:
interface Ethernet0/0.47
vlan 47
» subinterface number and VLAN number do not have to match but it's better if they do
on ASA 5505, VLANs are supported on the physical interfaces, but only if corresponding
logical VLAN interfaces are configured
interface parameters should be configured on the VLAN interfaces rather than on physical
interfaces
by default, no VLANs are permitted over a trunk link
switchport trunk allowed vlan 10,20
ASA uses the (configured) interface name when security policies are applied
if the subnet mask is omitted in IP address configuration, the ASA assumes a classful
network
IP address from DHCP:
ip address dhcp [setroute]
» sets a default route automatically, based on the default gateway parameter that is returned
in the DHCP reply
» release/renew IP address by re-entering ip address dhcp
Security Levels
» from higher security to lower security is allowed (if ACLs, inspect, and NAT concur)
» from lower to higher security cannot pass unless explicitly configured
» security levels do not have to be unique
» by default, traffic is not permitted between them
override with same-security-traffic permit inter-interface
» same-security-traffic permit intra-interface
useful for "hairpin routing" with VPNs
» default MTU is 1500 bytes (range from 64 to 9216 bytes)
» jumbo-frame reservation is only supported on ASA 5585-X
CHAPTER 4: Configuring IP Connectivity
ASA converts broadcast DHCP requests to unicast packets (UDP 67)
ASA can also intercept the DHCP replies and change the default router address to itself
(set route check box)
once the DHCP relay agent is enabled, no specific rules or security policies are required
Example:
dhcprelay server 192.168.50.11 dmz
dhcprelay enable inside
dhcprelay setroute inside
up to four different DHCP servers can be configured
DHCP requests are relayed to each of the servers simultaneously
DHCP Server Example:
dhcpd enable inside
dhcpd address 192.168.10.10-192.168.10.254 inside
dhcpd dns 192.168.1.20 192.168.1.21
dhcpd wins 192.168.1.22 192.168.1.23
dhcpd domain mynewnetwork.com
enable DHCP server on an interface
the DHCP pool addresses must belong to the same subnet (as the ASA interface)
ASA hands out its own interface address as the client's default gateway (override with
DHCP option 3)
by default, DHCP lease is 3600 seconds, or 1 hour
before a DHCP reply is returned, the ASA sends an ICMP echo to make sure the IP does
not already exist (waits for 750 ms for an ICMP reply)
Routing Best Practices:
» static routing is preferred over dynamic routing protocols
» always authenticate routing peers; use MD5 authentication rather than cleartext
» use route filtering
» use route summarization if possible
static routes are manually configured and are not learned or advertised by default
ASA can have up to three different default routes (load balance outbound traffic)
Example:
route inside 192.168.200.0 255.255.255.0 192.168.10.254
route outside 0.0.0.0 0.0.0.0 192.168.100.254
tracking makes a static route conditional, based on the reachability of some target address
(track command at the end of the static route)
threshold value must always be less than or equal to the timeout interval value (default 5
seconds)
the backup and tracked static routes should be identical except for their distance values
Example:
sla monitor 1
type echo protocol IpIcmpEcho 209.165.201.1 interface outside
sla monitor schedule 1 life forever now
!
track 1 rtr 1 reachability
!
route 0.0.0.0 0.0.0.0 209.165.201.1 1 track 1
route 0.0.0.0 0.0.0.0 209.165.201.129 100
RIPv2
» exchange routing information broadcasts at regular intervals and when changes occur
» by default, ASA sends out updates as RIPv1, but receives either RIPv1 or RIPv2
» by default, automatic route summarization is enabled
» passive interface: receives but does not send routing updates
» RIPv2 is configured on a per-interface basis
EIGRP
» multicast 224.0.0.10, IP protocol 88
» DUAL
» no periodic routing updates (exchanges only when the metric changes)
» ASA can run only one EIGRP process
» AS number must match
» best practice is to configure a route map when redistributing routes
» define a metric for redistribution
» if automatic summarization is disabled, manual summarization can still be used
» optionally configure the ASA as an EIGRP stub router
OSPF
» OSPF routers build a common database of the status of all links in the area by exchanging
LSAs
» ASA can support up to two different OSPF processes (locally significant)
» by default, OSPF uses the highest IP address defined on any ASA interface as the router
ID
» by default, a default route (default-information originate) is advertised as an
external Type 2 route
» OSPF will wait a delay time of spf_delay (default 5 seconds) after receiving a topology
change before starting the SPF calculation
» OSPF will wait spf_holdtime (default 10 seconds) between two consecutive calculations
» areas can be referred to by a decimal number or by a subnet notation
» key-ids from 1 to 255, string up to 16 text characters (on each interface individually)
» key-ids must match
» stub area = only one path into and out of the area (all routers must comply)
» totally stubby area = no-summary; no external or interarea routes into the stub area
» NSSA = external routes are allowed
» OSPF does not use a distribute-list to filter routes that are advertised (prefix-list instead)
» if there are multiple match statements, all of them must be met
» use redistribute static when there are interfaces that aren't configured to participate
in OSPF
» by default, only routes that are not subnetted (classful routes) are redistributed into OSPF
unless the subnets keyword is given
CHAPTER 5: Managing a Cisco ASA
» FQDN = hostname + domain name (each max. 63 characters)
used to generate a self-signed certificate upon boot
» domain name is compulsory when deploying any kind of X.509 digital certificate
(HTTPS/SSL VPN/IPsec VPN)
» by default, no password is required to enter privileged EXEC mode
» for Telnet access (not enabled by default), the default password is "cisco" (SSH: pix/cisco)
» the configured enable password (empty by default) is used for access to ASDM in the
absence of other HTTP authentication
» if a different domain name suffix is entered when defining DNS servers, the ASA will also
change its domain name
» DNS Guard enforces a one-to-one matching of DNS replies to DNS queries to guard against
DNS spoofing attacks
» the explicit definition of DNS servers is required in order to use the Botnet Traffic Filtering
function
» also if ASA should resolve URLs when using clientless SSL VPN
Example:
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.0.3
name-server 10.0.0.4
ASA File System
» flash: or disk0:
» file management using ASDM offers unique capabilities not accessible from the CLI
» the keyword flash: aliases to disk0: (internal flash)
» the delete command deletes a file from the local flash file system only
» the rename command renames a file on the local file system only
» mkdir: if a directory with the specified name already exists, an error is generated and no
new directory is created
» cd: if the location is not specified, the working directory is changed to the root directory
» pwd: displays current working directory
» fsck: check for file corruption (FSCKxxxx.REN, where xxxx is a sequential number starting
with 0000)
» fsck is performed as part of ASA's boot routine
» format or erase: delete all files in the local file system (including all hidden content)
» format rewrites the file allocation table
» erase overwrites all memory with the 0xFF pattern first
» a raw disk read tool could see information deleted by format but not by erase
ASA operating system and ASDM image file must be compatible
ASDM must also be compatible with your local desktop
the ASA will boot with the first image listed, unless it is either unavailable or determined to
be corrupted upon next boot
ASA OS requires a reboot, ASDM image will be effective upon the next login to the ASA
using ASDM
Upgrading from OS version 8.2 to 8.3 or higher
» higher memory requirements
» upgrading to 8.3 or higher only from 8.2
» although it could work, any ASA containing less than the stated required minimum RAM is
not supported by Cisco
» upgrading the OS automatically updates NAT configuration
» remove nat-control because it is not supported on 8.3 or higher
License Management
» features activated by a hexadecimal string
» activation key is bound to the BIOS serial number (show version)
» "perpetual" (or blank) = permanently assigned licensed features
» 0x is optional
» activation key is stored in a hidden system file
» the new activation key does not take effect until the next reboot
» new image -> boot system -> new activation key -> reboot
ASA Management Access
» SNMP is limited to read-only access
» no local accounting database for administrative actions
Best Practices:
» use only encrypted management protocols with strong authentication (preferably OOB)
» give preference to centralized AAA rather than local AAA
» group administrators based on role and grant each group only minimal privileges
ASA must be configured to accept management access from specific source IP ranges, on
specific interfaces, on a per-management-protocol basis
for SSH, in the absence of AAA, a default username "pix" is used
a dedicated management-only interface can accept and respond to traffic where the ASA
itself is the destination but cannot pass any transit traffic
access specifications (permitted source addresses per protocol) are still needed
Management0/0 does not have to be used as an OOB management interface, any other
interface could be designated
Telnet/SSH
» maximum of 5 concurrent sessions (per context, or in multicontext mode, 100 connections
divided among all contexts)
» timeout after 5 minutes of inactivity
» SSH requires public-private RSA key pair
» Telnet: who / kill
» SSH: show ssh sessions / ssh disconnect
RSA keys
» label: specifies the name associated with the key pair; if none provided: <Default-RSA-Key>
» usage-keys: two key pairs; one for signature, one for encryption
» the default key-pair type is general-keys (always used by SSH)
HTTPS
» requires HTTPS X.509 certificate
» by default, ASA will generate a self-signed server certificate each time it is rebooted, for this
purpose
» generate a permanent self-signed certificate or, better yet, obtain the certificate from a CA
Example:
crypto ca trustpoint ASA-SELFCERT
id-usage ssl-ipsec
no fqdn
subject-name CN=DC1-FW01.SYPA.FI
enrollment self
crypto ca enroll ASA-SELFCERT noconfirm
Obtaining an Identity Certificate by PKI Enrollment
» manually: copy and paste certificate info into the RA or CA interface as instructed
» SCEP: Enrollment URL (provided by the CA) and any relevant password, otherwise
automatic
Example:
crypto ca trustpoint ASDM_TRUSTPOINT0
id-usage ssl-ipsec
no fqdn
subject-name CN=DC1-FW01.SYPA.FI
enrollment url http://certserver.ciscoserver.ccnp
!
crypto ca authenticate ASDM_TRUSTPOINT0
crypto ca enroll ASDM_TRUSTPOINT0 noconfirm
» bind an identity certificate to the interface(s) on which you want the ASA to accept HTTPS
management sessions
Example:
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASA-Self-Signed inside
ssl trust-point ASA-Self-Signed management
» the fallback certificate is used on all interfaces not associated with a certificate of their own
http 10.0.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
ASA Banners
» MOTD banner: the first banner displayed
» login banner: before the CLI login prompt
» exec banner: after the CLI login
» ASDM banner: displayed after ASDM login
Creating Users in the Local Database
» create at least one local administrator account, even if remote AAA is used
» the default privilege level is 2, and in the absence of AAA command authorization, will
provide full administrative access
» an authenticated ASDM user has de facto level 15 access to the ASA
» VPN users get no ASDM, SSH, Telnet, or console access (no administrative access)
» the user lockout mechanism (1-16 login tries) is only available for the LOCAL database
aaa authentication serial console LOCAL
aaa local authentication attempts max-fail 3
» the name LOCAL is case sensitive
Reactivation Mode
» Depletion: after all servers in the group are declared dead, they are all reactivated
» Timed: server will be declared dead for a predefined time and then automatically
reactivated (Dead Time)
aaa-server CP-TACACS protocol tacacs+
aaa-server CP-TACACS (management) host 192.168.1.5 key *****
timeout 5
» Privilege level 0: denies all access to management functions
» Privilege level 1: allows CLI access only
» Privilege level 2: allows CLI and ASDM access
Three predefined roles for command authorization
» Admin: privilege level 15
» Read Only: privilege level 5
» Monitor Only: privilege level 3
NOTE: It is important that the database used for command authorization be the same as that used
to authenticate to the Enable console.
By default, configure terminal is a privilege level 15 command. If you want to change configuration
commands to a lower privilege level, the configure terminal privilege level must also be
changed: privilege cmd level 8 mode exec command configure.
Remote AAA Command Authorization
» configure the remote AAA server first
» use LOCAL database as fallback + at least one user with privilege level 15
» assign permissions to groups, not individual users
» if using a TACACS+ server, it is imperative that the Enable console authentication be
performed using TACACS+
» if a TACACS+ is not used for Enable console authentication, the ASA knows the user as
"enable_15" (system default privileged username) user
» TACACS+ does not have a user "enable_15", and thus all command authorization requests
would fail
Configuring Remote AAA Accounting
» if auditing command execution, a privilege level is set to be recorded
» sending accounting messages to one or all servers is configured under the server group
show aaa-server
test aaa-server
Configuring Monitoring Using SNMP
» read-only access through the use of SNMP GET requests
» SNMP write access is not allowed (SNMP SET)
» SNMP on the ASA requires client authentication
» version 1 or 2c send community strings with the request
» version 3 can use strong, cryptographic protection
» UDP port 161 for polling
» UDP port 162 for SNMP trap
snmp-server host management 192.168.1.14 community SNPM1234 version 2c
» version 3 requires SNMPv3 users and groups
» if Password Type: Encrypted is selected, both password fields must be completed with
hexadecimal strings
Cisco ASA Password Recovery
» only possible from the Serial console
» not exactly "recovering" a password but resetting a new one
» config-register 0x1 -> confreg 0x41
» no service password-recovery prevents users from entering ROMMON without
erasing all flash file system
» if the erasure is not performed, the ASA reboots
» the use of ROMMON mode is required to reset the confreg value while retaining ASA
configuration
» otherwise a new image and backup configuration file need to be loaded
» the only way to change service password-recovery is to enter the command at the
CLI prompt (loading a new configuration that contains the command does not change the
setting)
CHAPTER 6: Recording ASA Activity
» time is set to UTC by default
» the configured time is retained in memory when the power is off, by a battery on the ASA
motherboard
» the ASA can act only as an NTP client, not as an NTP server
» with authentication, key number and key must match
» three NTP servers are recommended
» NTP server definition can accept only IP addresses, not DNS names
» time derived from an NTP server overrides any time set manually
» preference does not guarantee that NTP will use that server
» ASA will choose the NTP server with the lowest stratum number and synchronize to that
» a stratum number indicates the distance from the reference clock
ntp server 10.0.0.5 key 1 source inside prefer
ntp server 192.43.244.18 source outside
ntp authenticate
ntp authentication-key 1 md5 sufd8u92qd
ntp trusted-key 1
» changing DST is done from the CLI
NetFlow v9 support
NetFlow Secure Event Logging (NSEL) since 8.2(1)
Logging Message Format
» timestamps are disabled by default
» optional device-id (disabled by default)
» message identifier: %ASA-6-725002: Device completed SSL handshake
ASA: device type
6: the message severity level
725002: the event message number
Device completed SSL handshake: the message text
Message Severity
» 0 - Emergencies: extremely critical "system unusable" messages
» 1 - Alerts: messages that require immediate administrator action
» 2 - Critical: a critical condition
» 3 - Errors: an error message (ACL deny message)
» 4 - Warnings: a warning message (ACL deny message)
» 5 - Notifications: a normal but significant condition (interface up)
» 6 - Informational: an informational message (session being created or torn down)
» 7 - Debugging: a debug message or detailed accounting message
by default, all logging on the ASA is disabled
by default, only severity level 1 messages are available on the standby unit (related to
failover events)
by default, debug output is not included in system log messages
EMBLEM format is designed to be consistent with the Cisco IOS format but many event
management solutions will not recognize it
if buffering logs on internal flash, two parameters need to be defined
1. maximum amount of flash memory to be used for storing log information
2. minimum free space to be preserved in flash memory
ASDM log buffer != internal log buffer
logging enable
logging ftp-bufferwrap
logging ftp-server 192.168.1.15 <path> <username> <password>
logging timestamp
» default Facility Code: LOCAL4(20) (LOCAL0-LOCAL7 [16-23])
Configuring Event Filters
» event severity level only
» event classes
» event class and event severity
» message ID
» the same event list can be applied to multiple logging destinations
» leave console logging disabled, log to the internal buffer instead
NOTE: When an ASA is configured to use TCP-based syslog to at least one syslog server, by
default, the ASA will drop all traffic attempting to go through the appliance if the TCP-based syslog
server is down or unable to record further messages in its logs (out of disk space). Traffic
terminating at the ASA itself is still allowed. Change with logging permit-hostdown.
» UDP: 514; TCP: 1470
show logging queue
logging queue 1024 <0-8192>
Dec 07 2011 18:49:56 FIREWALL : %ASA-3-414003: TCP Syslog Server management: 192.168.1.7/1470 not responding, New connections are denied based on logging permit-hostdown policy
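An added example (not from the notes or from Cisco) that parses the message header format described above, maps the severity digit to its name, and applies a severity / message-ID filter of the kind an event filter would; the 414003 line is the one quoted above, the other log lines are constructed samples.

```python
"""Parse ASA syslog headers and apply severity / message-ID filters.

Added illustration for the message format in the notes. Log lines are
constructed samples in the ASA format, except the 414003 line, which is
the one quoted in the notes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# %ASA-<severity>-<msgid>: <text>, optionally preceded by a timestamp
# (logging timestamp) and a device-id (logging device-id ...).
HEADER = re.compile(
    r"^(?:(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<device>\S+) : )?"
    r"%(?P<product>ASA|PIX|FWSM)-(?P<severity>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}


@dataclass
class AsaEvent:
    severity: int
    msgid: int
    text: str
    timestamp: Optional[str] = None
    device: Optional[str] = None

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_event(line: str) -> Optional[AsaEvent]:
    """Return an AsaEvent for a well-formed line, None for anything else."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    return AsaEvent(int(m["severity"]), int(m["msgid"]), m["text"],
                    m["timestamp"], m["device"])


def passes_filter(ev: AsaEvent, max_level: int = 7,
                  only_ids: Optional[set] = None) -> bool:
    """Mimic an event filter: a destination configured for level N receives
    messages of severity N and more severe (numerically lower); an optional
    message-ID set narrows it further."""
    if ev.severity > max_level:
        return False
    if only_ids is not None and ev.msgid not in only_ids:
        return False
    return True


# 414003 is the message quoted in the notes: with TCP syslog and the default
# (no logging permit-hostdown), new through-traffic is denied while the
# collector is unreachable, so it deserves an alert of its own.
SYSLOG_SERVER_DOWN = 414003

SAMPLE_LINES = [
    "%ASA-6-725002: Device completed SSL handshake",
    "Dec 07 2011 18:49:56 FIREWALL : %ASA-3-414003: TCP Syslog Server "
    "management: 192.168.1.7/1470 not responding, New connections are denied "
    "based on logging permit-hostdown policy",
    # constructed per-packet deny (106023) and interval summary (106100)
    "Dec 07 2011 18:50:02 FIREWALL : %ASA-4-106023: Deny tcp src "
    "outside:198.51.100.7/41233 dst DMZ:172.16.0.15/22 by access-group \"OUTSIDE-IN\"",
    "Dec 07 2011 18:55:02 FIREWALL : %ASA-6-106100: access-list OUTSIDE-IN denied tcp "
    "outside/198.51.100.7(41233) -> DMZ/172.16.0.15(22) hit-cnt 5 300-second interval",
    "not an ASA message at all",
]


def triage(lines: List[str], max_level: int = 4) -> dict:
    """Parse lines, keep those at or above max_level, and flag a collector outage."""
    events = [ev for ev in map(parse_event, lines) if ev is not None]
    kept = [ev for ev in events if passes_filter(ev, max_level)]
    return {
        "parsed": len(events),
        "kept_msgids": [ev.msgid for ev in kept],
        "syslog_server_down": any(ev.msgid == SYSLOG_SERVER_DOWN for ev in events),
    }


if __name__ == "__main__":
    for ev in filter(None, map(parse_event, SAMPLE_LINES)):
        print(f"{ev.severity} {ev.severity_name:<13} {ev.msgid} {ev.device or '-'}")
    print(triage(SAMPLE_LINES))
```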
CHAPTER 7: Using Address Translation
NAT Benefits
» mitigates public IP address depletion
» no need to change internal IP addressing when changing ISPs
» security: hides internal IP addressing and network topology from the public Internet
Information needed for NAT/PAT:
1) original source IP address (and port)
2) ingress interface
3) egress interface
4) translated IP address (or port)
» if any of the above four items is unknown, an ASA cannot perform address translation
NAT in ASA version 8.2 and Earlier
» NAT control = enforcing NAT
» inside NAT: ingress traffic on high security level interface, egress on lower security level
interface
» local, global; original, global
NAT Exemption
» with applications that embed IP addresses on the application layer and use end-to-end
encryption
» with applications that authenticate entire packets
» with applications that establish additional dynamic sessions for which there are no
supporting protocol-specific inspection rules
» NAT is not required between same security level interfaces even if NAT control is enabled
NOTE: If you enter an IP address with no mask, Cisco ASDM treats it as a host address, even if it
ends with a 0 in the final octet.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
timeout xlate 1:00:00
» the two commands are associated with each other through the use of the same NAT ID
number (1)
» any individual host can match only one NAT rule for any given connection
» the optional net mask should always be set to 255.255.255.255 for PAT
» because the same local hosts will be using the translation rule, whether communication
through the DMZ or outside interface, same NAT ID number must be used
nat (DMZ) 5 172.16.0.0 255.255.255.0 tcp 0 0 udp 0
nat (inside) 5 10.0.0.0 255.255.255.0 tcp 0 0 udp 0
global (outside) 5 interface
global (DMZ) 5 172.16.0.254 netmask 255.255.255.255
NOTE: A local host can match only one translation rule for any particular traffic flow. Policy NAT
rules are evaluated before "regular" NAT rules, so even though the rule uses a pool ID of 8, it will
be used, rather than pool ID 1, when packets match the defined policy. The pool IDs do not dictate
the order of evaluation.
access-list POLICY-NAT-ACL line 1 extended permit ip 10.0.0.0 255.255.255.0 host 209.165.202.150
!
nat (inside) 8 access-list POLICY-NAT-ACL tcp 0 0 udp 0
global (outside) 8 209.165.200.134 netmask 255.255.255.255
» deny access control entries (ACEs) are not supported inside policy NAT ACLs
Static Inside NAT
» permanent, fixed translation between a local and a global address
» always present in the translation table, and persistent across reboots
» delete a NAT rule, automatically clears the entries (existing sessions will still remain
functional unless manually cleared)
» automatically bidirectional
» defined in a single command
» no IP address that is also defined as part of a global address pool on the same interface
static (DMZ,outside) 209.165.200.228 172.16.0.5 netmask 255.255.255.255 tcp 0 0 udp 0
static (DMZ,outside) 209.165.200.229 172.16.0.10 netmask 255.255.255.255 tcp 0 0 udp 0
By default, the ASA will act as a proxy ARP responder for any global addresses configured on its
interfaces - it does not need to be attached to the network itself.
When using address blocks for translation, as long as the ASA interface is not part of the defined
network, it is not necessary to reserve out the addresses that would normally represent the
network identifier (.0) and the directed broadcast (.255). As long as the addresses are routed
toward the firewall, all addresses in the block can be used for host translations.
static (DMZ,outside) 209.165.201.0 172.16.0.32 netmask 255.255.255.224 tcp 0 0 udp 0
The first 27 bits are translated to equal the first 27 bits of the address in the Use IP address field,
and the last 5 bits are left unchanged.
It is not possible to define many-to-one static translations prior to OS version 8.3.
Static Inside PAT
» inbound connectivity to a number of local servers, using a single global IP address
» only supports incoming sessions to the configured global address and port
» supports the use of the ASA interface as the global address
» allows port redirection from a well-known global port to a custom local port, or vice versa
» allows port redirection so that multiple local servers, using unique local ports, can share a
single global IP address
static (DMZ,outside) tcp 209.165.200.230 443 172.16.0.15 8443 netmask 255.255.255.255 tcp 0 0 udp 0
static (DMZ,outside) tcp 209.165.200.230 25 172.16.0.20 netmask 255.255.255.255 tcp 0 0 udp 0
Static Inside Policy NAT
» Warnings indicate an unusual condition that you should verify, whereas Errors indicate that
the configuration is invalid.
access-list POLICY-NAT-ACL2 line 1 extended permit ip host 172.16.0.20 10.10.10.0 255.255.255.0
!
static (DMZ,outside) 172.18.0.20 access-list POLICY-NAT-ACL2 tcp 0 0 udp 0
There is nothing in the show xlate command output that indicates a given xlate table entry is
based on a static, rather than dynamic, translation rule.
If you enable NAT control, you must configure translation rules for each host on a more secure
interface that requires communication with hosts on less secure interfaces.
Where NAT control is enabled but no translation is required or desired, you must configure no-
translation rules to satisfy the requirement.
Three mechanisms
1) Dynamic Identity NAT
2) Static Identity NAT
3) NAT Bypass (Exemption)
Dynamic Identity NAT
» a local address on a specific interface is the same on all lower-security interfaces
» only suitable to support client systems, not servers
» not able to limit the non-translation to specific global interfaces
» any given traffic flow can match only a single translation rule
» the NAT ID number is selected from the nat command that most specifically matches the
traffic being analyzed
» the NAT ID number exists only to bind a nat command to a global pool
The NAT Pool ID of 0 in an outbound direction has special significance to the ASA. It means that
specified host addresses will not be translated to any lower-security interfaces, and that translation
slots can be created only by outbound communication.
Source addresses on lower-security interfaces, are not, by default, translated when traversing the
ASA toward a higher-security interface.
nat (inside) 0 10.0.0.0 255.255.255.0 0 0 tcp 0 0 udp 0
The hosts can only communicate within the inside network because no NAT is being performed.
Static Identity NAT
» suitable for servers accepting inbound connections
» able to limit the non-translation to specific global interfaces
» hosts on less secure interface can access server on more secure interface
static (inside,DMZ) 10.0.0.20 10.0.0.20 netmask 255.255.255.255 tcp 0 0 udp 0
NAT Bypass (NAT Exemption)
» recommended method
» configured traffic flows can completely bypass the ASA's NAT engine
» common example: traffic through a VPN tunnel
» only a single NAT bypass rule to any one interface
» all traffic to be exempted from NAT, when ingressing through a given interface, must be
defined as part of the same ACL
access-list NO-NAT line 1 extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
!
nat (inside) 0 access-list NO-NAT tcp 0 0 udp 0
NAT Rule Priority
» any specific traffic flow can match only one NAT rule
» conflicting NAT rules can still exist
» the ASA will apply the NAT rule with the highest precedence that matches the packets
being subjected to NAT control
» the order in which rules appear in the ASA configuration matters, as most NAT is applied to
the first rule encountered that matches the packets being checked
» exception: dynamic NAT, which will apply the rule with the longest match source address
The precedence of NAT rules, with NAT control enabled, is as follows:
1. NAT bypass (exemption) (nat 0 access-list): Supersedes all other translation rules, and
searched in the order in which the rules appear in the configuration, with the first matching
rule applied.
2. Static NAT and static PAT (policy and regular): searched in the order in which the rules
appear in the configuration, with the first matching rule applied.
3. Policy dynamic NAT (nat nat_id access-list): searched in the order in which the rules
appear in the configuration, with the first matching rule applied.
4. Regular dynamic NAT (including dynamic identity NAT - NAT 0 without ACL): Searches all
dynamic NAT rules applied to the ingress interface, and applies the rule with the longest
match.
If NAT control is enabled, and a packet does not match any of the rules listed, the packet is
dropped. If NAT control is disabled (the default), packets not matching a translation rule are
forwarded without translation, if permitted by security policy.
Outside NAT
» applied to packets that ingress a lower security interface than the egress (inbound traffic)
» optional and actually fairly rare
» occasionally both inside NAT and outside NAT are needed to the same traffic flow (almost
always due to overlapping IP addresses on the network requiring communication) aka
bidirectional NAT or dual NAT
» configuration is exactly the same as inside NAT but Original or Source fields refer to a
lower-security interface, and the Translated or Destination fields refer to a higher-security
interface
» dynamic outside NAT is not recommended, use static outside NAT instead
» you might want to exclude a range of addresses from the DHCP pool to use for outside NAT
assignments
static (outside,inside) 10.0.8.135 209.165.202.135 netmask 255.255.255.255 tcp 0 0 udp 0
» real, mapped, mapped, real
DNS Rewrite
» inspects inbound DNS replies
» if the IP address being returned is a global IP address configured with a static inside NAT
rule, translates the address inside the DNS reply to be the local IP address of the server
» DNS inspection must be enabled for DNS Rewrite to function
Integrating NAT with ASA Access Control
» inbound ACLs are applied before NAT
» outbound ACLs are applied after NAT
Protocols Incompatible with NAT/PAT
» protocols that embed IP addresses at the application layer, unless specifically supported by
ASA packet inspection rules
» protocols that embed IP addresses at the application layer and use end-to-end encryption
(even if supported by the ASA packet inspection rules)
» protocols that include the IP or TCP/UDP headers as input to authentication hashing
algorithms
Extreme care should be taken before disabling proxy ARP on an ASA interface when NAT control
is enabled.
NAT in ASA Software Versions 8.3 and Later
» NAT control is no longer supported
» the traffic passes through the ASA without translation, if allowed by access rules and
policies
» the security levels no longer matter (there is no "outside NAT" or "inside NAT")
» NAT rule priority scheme no longer applies
» there is now an any option
» "twice NAT": translate both the source and destination addresses in a packet
» a static translation for many-to-one translation (PAT)
NAT Table
» three sections
» searched from top to bottom, and the first rule that matches the packet being analyzed is
always applied
1) manual NAT (1st section): default location for manual NAT statements
2) auto NAT (2nd section): aka "object NAT"
3) manual NAT after auto NAT (3rd section): manual NAT entries created using the after-
auto keyword
Auto (Object) NAT
» simplest
» configured on the object itself
» any single object can have only one auto NAT rule
» static NAT: permanent, bidirectional entry in the NAT table
» dynamic NAT: one-to-one, temporary translations
» dynamic PAT: many-to-one, temporary translations (more entries in the NAT table)
object network DMZ-FTP-PRIV
host 172.16.0.10
!
object network DMZ-FTP-PUB
host 209.165.200.229
!
object network DMZ-FTP-PRIV
nat (DMZ,outside) static DMZ-FTP-PUB
Configuring Static NAT Configurations:
object network DMZ-HTTPS-PRIV
host 172.16.0.15
!
object network DMZ-PAT-OUTSIDE
host 209.165.200.230
!
object network DMZ-SMTP-PRIV
host 172.16.0.20
!
object network DMZ-HTTPS-PRIV
nat (DMZ,outside) static DMZ-PAT-OUTSIDE service tcp 8443 443
!
object network DMZ-SMTP-PRIV
nat (DMZ,outside) static DMZ-PAT-OUTSIDE service tcp 25 25
Dynamic Auto NAT
» expire after being idle for 3 hours
object network INSIDE-SEGMENT
subnet 10.0.0.0 255.255.255.0
!
object network IT-SEGMENT
subnet 10.0.1.0 255.255.255.0
!
object network OUTSIDE-NAT-POOL
range 209.165.200.235 209.165.200.254
!
object network INSIDE-SEGMENT
nat (any,outside) dynamic OUTSIDE-NAT-POOL interface
!
object network IT-SEGMENT
nat (any,DMZ) dynamic 172.16.0.254
NAT Object Groups
object network OUTSIDE-NAT-POOL2
range 209.165.201.10 209.165.201.29
!
object network OUTSIDE-PAT
host 209.165.201.30
!
object-group network OUTSIDE-NAT-GROUP
network-object object OUTSIDE-NAT-POOL
network-object object OUTSIDE-NAT-POOL2
network-object object OUTSIDE-PAT
!
object network INSIDE-SEGMENT
nat (any,outside) dynamic OUTSIDE-NAT-GROUP interface
» the ASA will use the individual members of the object group, in the listed order, to assign
translated addresses for connections
ASA 8.2 and 8.3 Comparison
nat (inside) 1 10.0.0.0 255.255.255.0
nat (int04) 1 10.0.4.0 255.255.255.0
nat (int05) 1 10.0.5.0 255.255.255.0
nat (int06) 1 10.0.6.0 255.255.255.0
nat (int07) 1 10.0.7.0 255.255.255.0
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
global (outside) 1 interface
object network OUTSIDE-NAT-POOL
range 209.165.200.235 209.165.200.254
object network INTERNAL-SEGMENTS
subnet 10.0.0.0 255.255.248.0
nat (any,outside) dynamic OUTSIDE-NAT-POOL interface
Configuring Manual NAT
» with auto NAT, there can be only one NAT rule for any network object
» checked before auto NAT rules, because they appear in Section 1 of the NAT table
» if configured with the after-auto keyword, manual NAT rules appear in Section 3 of the
NAT table
» manual NAT allows more than one NAT option per network object
object network VENDOR-SERVER
host 192.0.2.50
!
object network VENDOR-SERVER-PAT
host 209.165.200.234
!
object service HTTPS
service tcp destination eq https
!
object service VENDOR-PORTMAP
service tcp destination eq 8443
!
nat (inside,outside) 1 source dynamic INSIDE-SEGMENT VENDOR-SERVER-PAT destination static VENDOR-SERVER VENDOR-SERVER service HTTPS VENDOR-PORTMAP
nat (inside,outside) 1
» specifies both ingress and egress interfaces
» 1 indicates the order in which this rule is to appear in the Manual NAT section
» multiple translation rules for the same object, NAT is applied from top to bottom
source dynamic INSIDE-SEGMENT VENDOR-SERVER-PAT
» how the source is to be translated (dynamically)
» specifies the original address (INSIDE-SEGMENT)
» source address after translation (VENDOR-SERVER-PAT)
destination static VENDOR-SERVER VENDOR-SERVER
» specifies the destination address to be translated
» the destination address is to be "statically translated to itself"
service HTTPS VENDOR-PORTMAP
» optional
» only available for destination, not source, information
» original port, translated port
» will translate destination port 443 to destination port 8443
Configuring Twice NAT
» overlapping IP addresses involved
» prior to OS 8.3, such a scenario was usually handled by performing inside policy NAT at
each end of a VPN tunnel with overlapping addresses
» twice NAT makes it possible to handle the necessary address translations entirely on one
ASA
» each host must be uniquely identifiable -> use static NAT, and not PAT
object network PARTNER-VPN-NAT-INBOUND
subnet 192.168.20.0 255.255.255.0
!
object network PARTNER-VPN-NAT-OUTBOUND
subnet 192.168.10.0 255.255.255.0
!
object network PARTNER-VPN-SEGMENT
subnet 10.0.0.0 255.255.255.0
!
object network INSIDE-SEGMENT
subnet 10.0.0.0 255.255.255.0
!
object network SATELLITE-OFFICE
subnet 10.10.10.0 255.255.255.0
!
nat (inside,outside) 2 source static INSIDE-SEGMENT INSIDE-SEGMENT destination static SATELLITE-OFFICE SATELLITE-OFFICE
!
nat (inside,outside) 3 source static INSIDE-SEGMENT PARTNER-VPN-NAT-OUTBOUND destination static PARTNER-VPN-SEGMENT PARTNER-VPN-NAT-INBOUND
Manual NAT after Auto NAT
» NAT translations for packets that do not match any more specific translation rules in the
NAT table
» specifically placed in Section 3
object network IT-OUTSIDE-PAT
host 209.165.200.233
!
nat (any,outside) after-auto 1 source dynamic IT-SEGMENT IT-OUTSIDE-PAT
» after-auto is the only syntax that differentiates a manual NAT after auto NAT rule
object network INSIDE-SVR-PUB
host 209.165.200.231
!
object network INSIDE-SVR-PRIV
host 10.0.0.10
!
nat (inside,outside) 4 source static INSIDE-SVR-PRIV INSIDE-SVR-PUB
unidirectional
» to insert a new rule between existing rules 3 and 4, for example, assign the new rule
position number 4. Existing rules 4 and above will have their position numbers
automatically increased by 1
access-list POLICY-NAT permit tcp 10.0.0.0 255.255.255.0 host 192.0.2.50 eq 443
access-list VPN permit ip 10.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
static (outside,inside) tcp 192.0.2.50 443 192.0.2.50 8443 netmask 255.255.255.255
nat (inside) 0 access-list VPN
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 200 access-list POLICY-NAT
global (outside) 1 209.165.200.235-209.165.200.254 netmask 255.255.255.224
global (outside) 1 interface
global (outside) 200 209.165.200.234
object network INSIDE-SEGMENT
subnet 10.0.0.0 255.255.255.0
object network OUTSIDE-NAT-POOL
range 209.165.200.235 209.165.200.254
object network SATELLITE-OFFICE
subnet 10.10.10.0 255.255.255.0
object network VENDOR-SERVER
host 192.0.2.50
object network VENDOR-SERVER-PAT
host 209.165.200.234
object service HTTPS
service tcp destination eq https
object service VENDOR-PORTMAP
service tcp destination eq 8443
nat (inside,outside) 1 source dynamic INSIDE-SEGMENT VENDOR-SERVER-PAT destination static VENDOR-SERVER VENDOR-SERVER service HTTPS VENDOR-PORTMAP
nat (inside,outside) 2 source static INSIDE-SEGMENT INSIDE-SEGMENT destination static SATELLITE-OFFICE SATELLITE-OFFICE
object network INSIDE-SEGMENT
nat (any,outside) dynamic OUTSIDE-NAT-POOL interface
NAT Rule Priority
1. NAT 0 w/ ACL
2. Static translation
3. Dynamic NAT rule with NAT ID 200
4. Dynamic NAT rule with NAT ID 1
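As an added example (not from the notes or from Cisco), the following evaluator applies the 8.2 precedence described above (NAT bypass, then static, then policy dynamic NAT, then regular dynamic NAT by longest source match) to the 8.2 sample configuration just listed; the extra "nat (inside) 2" rule and the sample flows are constructed to show the longest-match exception and the NAT-control drop.

```python
"""Which ASA 8.2 NAT rule does a flow match? Applies the precedence from the
notes: NAT bypass (nat 0 ACL) > static > policy dynamic > regular dynamic
(longest source match). Added illustration, not Cisco code; rules are the
8.2 sample from the notes plus one constructed "nat (inside) 2" rule."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Flow:
    ingress: str
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Ace:
    """One permit ACE of a NAT ACL (deny ACEs are not supported there)."""
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("ip", f.proto)
                and (self.dport is None or self.dport == f.dport))

@dataclass
class NatRule:
    kind: str              # exempt | static | policy | dynamic
    cli: str               # the command as it appears in the configuration
    ingress: str = ""      # nat (ingress) ... for exempt/policy/dynamic rules
    acl: List[Ace] = field(default_factory=list)
    net: str = ""          # real network of a regular dynamic rule
    real_if: str = ""      # static (real_if,mapped_if) mapped real ...
    mapped_if: str = ""
    real: str = ""
    mapped: str = ""
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.kind in ("exempt", "policy"):
            return self.ingress == f.ingress and any(a.matches(f) for a in self.acl)
        if self.kind == "dynamic":
            return self.ingress == f.ingress and ip_address(f.src) in ip_network(self.net)
        # static: outbound from the real host, or inbound towards the mapped address
        outbound = (f.ingress == self.real_if and f.src == self.real
                    and self.real_port in (None, f.sport))
        inbound = (f.ingress == self.mapped_if and f.dst == self.mapped
                   and self.mapped_port in (None, f.dport))
        return outbound or inbound

PRECEDENCE = ("exempt", "static", "policy", "dynamic")

RULES = [
    NatRule("exempt", "nat (inside) 0 access-list VPN", ingress="inside",
            acl=[Ace("10.0.0.0/24", "10.10.10.0/24")]),
    NatRule("static", "static (outside,inside) tcp 192.0.2.50 443 192.0.2.50 8443",
            real_if="outside", mapped_if="inside", real="192.0.2.50",
            mapped="192.0.2.50", real_port=443, mapped_port=8443),
    NatRule("policy", "nat (inside) 200 access-list POLICY-NAT", ingress="inside",
            acl=[Ace("10.0.0.0/24", "192.0.2.50/32", "tcp", 443)]),
    NatRule("dynamic", "nat (inside) 1 10.0.0.0 255.255.255.0", ingress="inside",
            net="10.0.0.0/24"),
    # constructed: a more specific dynamic rule listed after NAT ID 1
    NatRule("dynamic", "nat (inside) 2 10.0.0.128 255.255.255.128", ingress="inside",
            net="10.0.0.128/25"),
]

def select_rule(f: Flow, rules: List[NatRule] = RULES) -> Optional[NatRule]:
    for kind in PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and r.matches(f)]
        if not hits:
            continue
        if kind == "dynamic":  # longest source match, not configuration order
            return max(hits, key=lambda r: ip_network(r.net).prefixlen)
        return hits[0]         # first matching rule in configuration order
    return None

def disposition(f: Flow, nat_control: bool = True) -> str:
    rule = select_rule(f)
    if rule is not None:
        return rule.cli
    return "dropped: no NAT rule" if nat_control else "forwarded untranslated"

if __name__ == "__main__":
    for f in (Flow("inside", "tcp", "10.0.0.5", "10.10.10.7", 50000, 22),
              Flow("inside", "tcp", "10.0.0.5", "192.0.2.50", 50001, 443),
              Flow("inside", "tcp", "10.0.0.200", "198.51.100.9", 50002, 80)):
        print(f"{f.src} -> {f.dst}:{f.dport}: {disposition(f)}")
```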
Tuning NAT
» global translation slot idle timer:
» DNS rewrite:
CHAPTER 8: Controlling Access Through the ASA
» the ASA is a stateful packet filtering device that is application-aware
Connection Table
» aka session table
» ASA tracks all connections that were permitted across the device
» all packets belonging to existing connections that arrive at an ASA interface must match the
currently expected packet properties for that particular connection, as recorded in the
connection table (otherwise dropped)
» TCP and UDP are tracked by default (ICMP and ESP need to be configured)
» by default, for each new connection, the ASA will randomize the initial sequence number in
each direction, and cache the difference
» for half-closed TCP flows (only one side has sent a FIN), a separate idle timer is used to
delete them
» UDP flows are deleted only when they are idle for longer than the configurable UDP idle
timer
» when an ICMP reply is received, the ICMP connection object is deleted from the connection
table
» by default, the ASA treats ICMP traffic as stateless
» ICMP must be permitted either by using an access list, or preferably, enabling ICMP
inspection
TCP Connection Flags
» a: Awaiting outside ACK to SYN
» A: Awaiting inside ACK to SYN
» B: Initial SYN from outside
» f: Inside FIN
» F: Outside FIN
» I: Inbound data
» O: Outbound data
» r: Inside acknowledged FIN
» R: Outside acknowledged FIN
» s: Awaiting outside SYN
» S: Awaiting inside SYN
» U: Up (connection established)
Local Host Table
» contains all IP addresses (host object) that have connections established through the ASA
» each local host object references connection objects
» show local-host
» organized by ASA interface, and then by host IP address
» creation and deletion of local host objects is logged at debugging (7) level
» creation and deletion of connection objects is logged at informational (6) level
Understanding Interface Access Rules
» all access lists are assumed to be extended (unless otherwise specified)
» standard ACLs cannot be used for interface access rules (for route update filters or VPN
split-tunneling instead)
» interface access rules determine which new connections can enter the connection table
» if a packet is already associated with an existing connection object, it is not operated upon
by the interface access rules
» if the packet is permitted, a connection object and host objects are created (if necessary)
» interface access rules control only transit traffic through the ASA, not traffic intended to the
ASA itself (require separate management access rules)
» ISAKMP/IKE and ESP packets are always permitted to enter any ASA interface on which
ISAKMP is enabled
» by default, packets arriving through a VPN tunnel are not examined by the interface access
rules (change with sysopt connection permit-vpn)
» default interface access rule sets do not contain any explicit rules, and therefore have no
implicit deny
Stateful Filtering
» connections between interfaces with the same security level are denied by default (same-
security-traffic permit inter-interface)
» by default, the ASA does not allow packets ingress and egress through the same interface
same-security-traffic permit intra-interface
Default Access Rules
» implicit, not shown in command output
The Global ACL
» introduced in version 8.3
» any traffic ingressing any ASA interface and not matching a rule in the interface-specific
access rule set (including implicit rules) is compared to the global ACL
» logically appended to each interface access rule set
» if there are explicit rules within the global ACL, all implicit interface access rules (which
permit all traffic flows destined for lower security level interfaces) are removed
It is only in the complete absence of an interface access rule set that traffic is implicitly permitted
from higher-security to lower-security interfaces. The moment an explicit rule is defined, the
implicit permit will no longer exist, but the implicit deny all from the global ACL remains.
Access Rule Logging
» by default, the ASA logs all security events
» recommendation: change message ID 106023 (per packet) to message ID 106100
(interval)
» default interval is 300 seconds
» not possible to modify the implicit rule logging
» use remark sparingly
» 8.3 and higher: all access rules, on all interfaces, inbound or outbound, refer to the native
addresses of hosts or networks
» 8.2 and lower: access rules before NAT, refer to mapped address
» if no netmask value is specified, ASDM defaults to a host-specific mask when creating
access rules
Configuring the Global ACL
» set the Interface to Any
object network TIME.NIST.GOV
host 192.43.244.18
!
access-list GLOBAL-ACL line 1 extended permit udp any object TIME.NIST.GOV eq ntp log disable
!
access-group GLOBAL-ACL global
!
access-list OUTSIDE-IN line 1 extended permit tcp any object DMZ-WEB-PRIV eq http
access-list OUTSIDE-IN line 2 remark Explicit deny all rule to change interval log message 106100 from per packet log message 106023
access-list OUTSIDE-IN line 3 extended deny ip any any log 4 interval 300
!
access-group OUTSIDE-IN in interface outside
» the global ACL does not contain a direction; it is applied only in the inbound direction on all interfaces
Cisco ASDM Public Server Wizard
» creates a static NAT rule and an access rule
object network DMZ-WEB-SERVER
host 172.16.0.23
!
object network DMZ-WEB-SERVER
nat (DMZ,outside) static 209.165.200.232
!
access-list OUTSIDE-IN line 1 extended permit tcp any object DMZ-WEB-SERVER eq http
ASDM always places remarks above the access rule to which it refers
when creating ACLs from the CLI, entering line numbers and the keyword extended is
optional
line numbers are automatically assigned to all ACEs in order, one number at a time (cannot
specify an interval)
standard access-lists cannot be applied to interfaces
Implementation Guidelines
» permit only the minimal required set of services (minimal access policy)
» use only inbound interface access rules
» more specific and most frequently matched rules first
» add an explicit deny all statement at the end to gather statistics on denied traffic
Time-Based Access Rules
» absolute and/or recurring time ranges
» absolute start time - periodic time range - absolute end time
» enforced based on what time it is at the ASA's location
» midnight (00:00) is the beginning of a day, not the end
time-range CONTRACTOR-TO-WEB-SERVER
absolute start 00:00 01 April 2012 end 23:59 30 June 2012
!
time-range EVENING-FTP-TRANSFERS
periodic weekdays 00:00 to 04:59
!
access-list OUTSIDE-IN line 4 extended permit tcp any object DMZ-WEB-PRIV eq ftp log 5 interval 300 time-range CONTRACTOR-TO-WEB-SERVER
access-list OUTSIDE-IN line 5 extended permit tcp any object DMZ-FTP-PRIV eq ftp time-range EVENING-FTP-TRANSFERS
To delete a whole access-list: clear configure access-list OUTSIDE-IN
» also removes the associated access-group command (if applied to an interface)
Caution: If a NAT ACL was deleted in its entirety, the translation rules that referred to it would be
automatically deleted as well. You are not given any warning or acknowledgement message
stating that this has occurred. Furthermore, using the clear configure access-list
command without any arguments will delete all ACLs on the ASA, no matter how they were
applied.
The ACE will be inserted above the ACE that currently has that line number, and all subsequent
ACEs will be renumbered automatically.
Organizing Access Rules Using Object Rules
» allows the grouping of hosts, resources, or services into a single access rule
» adding or removing hosts or services from object groups will automatically add or remove
them to or from any access rules that references them
» same type object groups can be nested
» network object groups: individual host addresses and network addresses
» service object groups: individual ports and port ranges (8.2 and later, ICMP and IP)
» ICMP-type object groups: ICMP message types
» protocol object groups: IP protocols
» if no name is specified for a network object, the name assigned will be the IP address you
enter when defining the object
object network CHI-OFFICE
subnet 192.0.2.96 255.255.255.224
object network HOU-OFFICE
subnet 192.0.2.128 255.255.255.128
object network LA-OFFICE
subnet 192.0.2.64 255.255.255.224
object network NYC-OFFICE
subnet 192.0.2.32 255.255.255.224
!
object-group network US-REGIONAL-OFFICES
network-object object CHI-OFFICE
network-object object HOU-OFFICE
network-object object LA-OFFICE
network-object object NYC-OFFICE
!
object-group service EXTERNAL-SERVICES-ALLOWED tcp
description Services to which access is allowed from the Inside segment
port-object eq ftp
port-object eq http
port-object eq https
!
access-list INSIDE-IN line 1 extended permit tcp 10.0.0.0 255.255.255.0 any object-group EXTERNAL-SERVICES-ALLOWED
!
access-list OUTSIDE-IN line 5 extended permit tcp object-group US-REGIONAL-OFFICES object DMZ-FTP-PRIV eq ftp time-range EVENING-FTP-TRANSFERS
uRPF = Unicast Reverse Path Forwarding
» packets must arrive at a correct interface to be accepted
if a packet fails the uRPF check, the packet is dropped and a violation is logged
(message ID 106021)
» by default, uRPF is disabled on all interfaces
» uRPF will break asymmetric flows
» uRPF relies on the routing table
» uRPF will not prevent the spoofing of invalid source IP addresses that are not known to the
ASA (because they will match the default route on the ASA's outside interface)
» don't enable uRPF on the outside interface
» ip verify reverse-path interface <int-name>
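An added example (not from the notes or from Cisco) that simulates the uRPF decision described above against a constructed routing table, including the caveat that a spoofed source unknown to the ASA still passes on the outside interface because it matches the default route.

```python
"""Simulate the uRPF check from the notes: a packet passes an interface with
ip verify reverse-path only if the route back to its source address points
out that same interface. Added illustration, not Cisco code; the routing
table and packets are constructed (inside 10.0.0.0/24, DMZ 172.16.0.0/24,
default route via outside, as in the notes)."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# (prefix, egress interface); a longest-prefix lookup decides, not the order
ROUTES: List[Tuple[str, str]] = [
    ("10.0.0.0/24", "inside"),
    ("10.0.1.0/24", "inside"),
    ("172.16.0.0/24", "DMZ"),
    ("0.0.0.0/0", "outside"),
]


def lookup(addr: str, routes: List[Tuple[str, str]] = ROUTES) -> Optional[str]:
    """Return the egress interface for addr by longest-prefix match."""
    ip = ip_address(addr)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def urpf_check(src: str, ingress: str, enabled_on=("inside", "DMZ"),
               routes: List[Tuple[str, str]] = ROUTES) -> Tuple[bool, str]:
    """Return (passed, reason). uRPF is per interface; interfaces without
    ip verify reverse-path are not checked at all."""
    if ingress not in enabled_on:
        return True, "uRPF not enabled on " + ingress
    expected = lookup(src, routes)
    if expected == ingress:
        return True, "route to source points out " + ingress
    # the ASA logs message 106021 for this drop
    return False, f"drop: route to {src} points out {expected}, not {ingress}"


if __name__ == "__main__":
    cases = [("10.0.0.5", "inside"), ("172.16.0.9", "inside"),
             ("198.51.100.7", "inside"), ("203.0.113.9", "outside")]
    for src, ingress in cases:
        print(src, ingress, urpf_check(src, ingress))
    # even with uRPF on outside, a source unknown to the ASA still passes,
    # because it matches the default route (the caveat in the notes)
    print(urpf_check("203.0.113.9", "outside", enabled_on=("inside", "DMZ", "outside")))
```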
Shunning
» allows you to quickly block all packets from a particular IP address
» overrides all methods by which a packet might be permitted to traverse the ASA
» three ways to enable: 1) manually, 2) automatically by IPS, 3) automatically as a result of
the scanning threat-detection feature
» do not become part of the ASA configuration file (not persistent across reboots)
» can be configured only from the CLI
shun 192.0.2.153
shun 192.0.2.231 209.165.200.228 40000 80 6
» shunning of individual connections is usually performed by an IPS, rather than manually
» only a single shun entry can exist for any one source host at any time
» if you shun a single connection, and the host launches an attack from a different source
port, the shun would have no effect on that subsequent attack
» the ASA automatically applies the shun only to the interface through which the shunned
address is reachable
CHAPTER 9: Inspecting Traffic
Understanding Modular Policy Framework (MPF)
» provides an organized and scalable means of defining inspection policies for network traffic
flows
» identifies traffic and then takes some specific actions on it
» augments ACLs with additional functionality
» class-map: specific traffic flows are identified or classified
» policy-map: an action is taken on matched traffic
» service policy: an entire set of policies is applied to one or all ASA interfaces
» service policy references policy-map references class-map
Configuring the MPF
» each interface can have only one service policy specifically applied to it
» in addition, one global policy can be applied to all interfaces
» different sets of traffic can be inspected differently
» the ASA can control the volume of UDP and TCP connections
» adjust TCP parameters: values carried in the TCP header can be inspected, changed, or
normalized
» limit management traffic
» send traffic to a Security Services Module: embedded AIP module or CSC module
» limit bandwidth usage: predefined sets of traffic
» provide priority handling: time-critical applications receive premium service
» class map: which traffic will be matched?
» policy map: what action will be taken on each class of traffic?
» service policy: where will the policy be applied?
» you can define only one matching condition in a class-map
Match Commands Used in a Class Map
Any traffic: match any
Default traffic types: match default-inspection-traffic
Traffic flow: match flow ip destination-address
Destination port number: match port {tcp|udp} eq/range <port/range>
Access list: match access-list
QoS IP Precedence: match precedence <value>
QoS DSCP: match dscp <value>
RTP port number range: match rtp <start> <end>
VPN tunnel group: match tunnel-group <name>
class-map ANYTHING
match any
!
class-map VOICE
match rtp 2000 2100
!
access-list DC extended permit ip any 10.100.0.0 255.255.0.0
class-map DATA-CENTER
match access-list DC
» class-default identifies all the traffic that hasn't been classified by any other class map; it is
configured by default and contains only the match any command
Actions to Take on Traffic Matched by a Class Map
Set connection limits: set connection ...
Adjust TCP options: set connection advanced-options ...
Inspect applications: inspect <engine-name>
Send to IPS module: ips {inline|promiscuous} {fail-open|fail-close}
Send to CSC module: csc {fail-open|fail-close}
Police the traffic: police ...
Shape the traffic: shape <bps>
Apply priority: priority
Export Netflow data: flow-export ...
» after you enter the class command to reference a class map, you can enter any number
of action commands to be performed on the matching traffic
Order of Actions:
1. QoS policing of ingress traffic
2. Set connection limits and TCP options
3. Send traffic to the CSC module
4. Application inspection
5. Send traffic to the IPS module
6. QoS policing of egress traffic
7. QoS priority handling
8. QoS traffic shaping
» when multiple matches occur, the ASA will make sure that each type of action is performed
only once
similar actions are skipped
» the ASA will not duplicate actions taken on traffic that falls within the same traffic flows
if identical actions are configured on two interfaces, only the first action that is
encountered is performed
» the global keyword applies the policy map globally, to all ASA interfaces
» the ASA supports only one global service policy
» a global service policy is configured by default
» cannot add a second global service policy: edit the existing one or remove it and add
another one
» the actions taken in a policy map (and the service policy that references it) can be limited to
a specific traffic direction, depending on how the service policy is applied
A DCD (Dead Connection Detection) probe is just a minimum-size packet with the ACK bit set, using
the same IP addresses and TCP ports that the actual TCP connection uses. In this way, the client and
server each think it is simply answering a TCP ACK sent by its peer.
» by default, an ASA will allow an unlimited number of simultaneous UDP and TCP
connections to be built to and from specific hosts
hosts cannot support an unlimited number of connections without exhausting their
resources
the lower connection limit will be enforced
when the maximum number of connections is reached, the ASA will begin dropping
any new connections
TCP Intercept = ASA acts as a proxy for a target host for new TCP connections
» by default, ASA does not decrement the TTL value of packets it handles
keeps ASA somewhat invisible
» can configure the ASA to "uncloak" itself and decrement the TTL value for specific types of
traffic
set connection decrement-ttl
» by default, ASA will compute a random ISN for each new TCP connection that is negotiated
through it
not good when a protocol or application computes an authentication or hash code
based on TCP packets as they leave a host
altering the ISN along the way will cause the packet authentication to fail at the
destination host
set connection random-sequence-number {enable|disable}
TCP Normalization
» ASA inspects individual packets containing TCP segments to make sure that they conform
to the TCP protocol specification
» the TCP map will act as a template for modifying various options in the TCP header of
matched packets
» you can return any of the TCP normalizer commands to the default by entering the
default keyword followed by the normalizer command keyword
tcp-map TCP-BGP
tcp-options range 19 19 allow
! option 19 = TCP MD5 signature (RFC 2385), which BGP peers use to authenticate each other
!
access-list ACL-BGP permit tcp host 192.168.10.10 host 192.168.20.20 eq 179
access-list ACL-BGP permit tcp host 192.168.20.20 host 192.168.10.10 eq 179
!
class-map BGP
match access-list ACL-BGP
!
policy-map BGP-POLICY
class BGP
set connection advanced-options TCP-BGP
!
service-policy BGP-POLICY interface outside
» by default, ASA will inspect TCP packets and apply the default TCP normalizer actions to it
» set connection advanced-options tcp-state-bypass
allows some traffic to bypass the TCP normalizer (for example, asymmetrical
routing)
also exempts the traffic from other important inspection processes - not just the TCP
normalizer
ICMP inspection
» will permit only one response to return to every request that is sent out
» the ICMP sequence numbers must also match between a request and a reply packet
» by default, the ICMP inspector does not permit any ICMP error packets to return
because an ICMP error message can be sent from an address other than the
original ICMP target
inspect icmp error
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Configuring Dynamic Protocol Inspection
» UDP and TCP inspection is enabled by default and cannot be disabled
» ASA keeps track of UDP sessions by monitoring the source and destination UDP port
numbers
» the UDP "connections" are aged out after they become idle for a fixed amount of time
(default 2 minutes)
» DNS "connections" are not subject to this timeout, as they are handled by a separate
inspection engine
» deep packet inspection (DPI) is implemented with individual dynamic protocol inspectors or
inspection engines
» 26 unique dynamic protocol inspectors, 15 of them enabled by default and applied to all
traffic
in a policy map called global_policy, which is applied in a global service policy to all
ASA interfaces
access-list MY-HTTP extended permit tcp any 172.16.1.0 255.255.255.0 eq www
!
class-map CMAP-HTTP
match access-list MY-HTTP
!
policy-map PMAP-HTTP
class CMAP-HTTP
inspect http
!
service-policy PMAP-HTTP interface outside
policy-map global_policy
class inspection_default
inspect http
class-map CMAP-HTTP8080
match port tcp eq 8080
!
policy-map global_policy
class CMAP-HTTP8080
inspect http
» the established command tracks a known control port and opens "pinholes", or
temporary rules, that allow access on other dynamic ports
established tcp 4001 permitto udp 4000-5000
!
access-list OUTSIDE extended permit tcp 10.10.0.0 255.255.0.0 host 192.168.1.100 eq 4001
!
access-group OUTSIDE in interface outside
HTTP Inspection
» protocol verification: drop any HTTP sessions that do not adhere to the protocol
specification
» protocol minimization: allow only specific features of the HTTP protocol to be passed
» payload minimization: allow only specific payloads inside HTTP packets to be delivered
» application layer signatures: identify and drop known bad HTTP payloads (regular
expression)
an inspection policy can have multiple match and action pairs
the matches are not necessarily tried in the order that you enter them; the ASA has a
predetermined order that it uses internally
if a match command drops or resets an HTTP connection, then no further matches are
checked
class-map type inspect http match-all MY-HTTP-CLASS
match not request method get
match not request method poll
!
policy-map type inspect http HTTP-PMAP
class MY-HTTP-CLASS
drop-connection
regex Customer-URI ^/customer
!
policy-map type inspect http HTTP-PMAP
match not request uri regex Customer-URI
drop-connection
regex Embedded-Link1 http://
regex Embedded-Link2 https://
!
class-map type regex match-any Embedded-link
match regex Embedded-Link1
match regex Embedded-Link2
!
policy-map type inspect http HTTP-PMAP
match request args regex class Embedded-link
drop-connection
OR
regex Embedded-link https?://
!
policy-map type inspect http HTTP-PMAP
match request args regex Embedded-link
drop-connection
test regex <input-text> <regex>
access-list SERVERS extended permit ip any 10.1.1.0 255.255.255.0
!
class-map C1
match access-list SERVERS
!
policy-map P1
class C1
inspect http HTTP-PMAP
!
service-policy P1 interface outside
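An added model (not from these notes or from Cisco) of how the HTTP inspection policy above evaluates a request: the match-all class with two negated method matches, the negated URI match, and the embedded-link regex, with the first dropping match ending inspection. It assumes the matches are tried in the order listed (the ASA uses its own internal order, which the notes do not give); the requests are constructed samples.

```python
"""Added model of the HTTP inspection policy in these notes (not ASA code).

Assumptions: matches are evaluated in the order listed here (the ASA uses
its own internal order) and the first match that drops the connection ends
inspection. The request samples are constructed.
"""
import re


def regex_matches(text: str, pattern: str) -> bool:
    """Equivalent of the ASA 'test regex <input-text> <regex>' check."""
    return re.search(pattern, text) is not None


# regex objects from the notes
CUSTOMER_URI = r"^/customer"
EMBEDDED_LINK = r"https?://"      # the collapsed Embedded-link regex


def class_my_http(req: dict) -> bool:
    """class-map type inspect http match-all MY-HTTP-CLASS:
    both 'match not request method get' and 'match not request method poll'
    must hold, so only requests that are neither GET nor POLL match."""
    return req["method"] != "GET" and req["method"] != "POLL"


def uri_not_customer(req: dict) -> bool:
    """match not request uri regex Customer-URI"""
    return not regex_matches(req["uri"], CUSTOMER_URI)


def args_embedded_link(req: dict) -> bool:
    """match request args regex Embedded-link"""
    return regex_matches(req["args"], EMBEDDED_LINK)


# policy-map type inspect http HTTP-PMAP: (name, match, action) triples
HTTP_PMAP = [
    ("MY-HTTP-CLASS", class_my_http, "drop-connection"),
    ("Customer-URI", uri_not_customer, "drop-connection"),
    ("Embedded-link", args_embedded_link, "drop-connection"),
]


def inspect_http(req: dict, policy=HTTP_PMAP):
    """Return ('pass', None) or (action, name of the rule that fired)."""
    for name, match, action in policy:
        if match(req):
            return action, name       # no further matches are checked
    return "pass", None


# constructed sample requests: one allowed, three that violate the policy
SAMPLES = {
    "customer_get": {"method": "GET", "uri": "/customer/orders", "args": "id=42"},
    "customer_post": {"method": "POST", "uri": "/customer/orders", "args": ""},
    "other_path": {"method": "GET", "uri": "/admin/login", "args": ""},
    "link_in_args": {"method": "GET", "uri": "/customer/redirect",
                     "args": "next=http://example.invalid/"},
}


def verdicts():
    """Run every sample through HTTP-PMAP and return name -> verdict."""
    return {name: inspect_http(req) for name, req in SAMPLES.items()}
```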
FTP Inspection
» protocol verification: drop any FTP sessions that do not adhere to the FTP protocol
specification and log the URI of all accessed FTP objects
» FTP protocol verification is enabled by default and cannot be disabled
» protocol minimization: allow only specific FTP commands and functions to be passed
» payload minimization: allow only specific FTP payloads (filter according to filenames, file
types, server names, and usernames)
» application layer signature: identify and drop specific FTP payloads
» mask FTP server information
regex FTP_BADNAMES \.exe
!
policy-map type inspect ftp FTP-PMAP
match not request-command get put help
reset
match filename regex FTP_BADNAMES
» for FTP inspection, the reset action is mandatory and cannot be disabled
DNS Inspection
policy-map type inspect dns DNS-PMAP
parameters
protocol-enforcement
dns-guard
id-randomization
nat-rewrite
!
inspect dns DNS-PMAP
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
!
service-policy global_policy global
Policy for ASA Management Traffic
» the command syntax is similar to a normal class map but the type management must be
added
» only two match criteria are possible: match access-list and match port
» traffic terminating on the ASA itself will be classified and handled as a unique policy
class-map type management MGMT-CMAP
match port tcp eq 443
!
policy-map P1
class MGMT-CMAP
set connection embryonic-conn-max 5
!
service-policy P1 interface outside
Detecting and Filtering Botnet Traffic
» infected hosts (inside) contact a botnet control server (outside) to receive further
instructions (the control server remotely controls the infected hosts and coordinates an
attack)
» when Botnet Traffic Filter is enabled, ASA maintains two reputation databases
» dynamic SensorBase: downloaded periodically from Cisco, contains information about
known botnet control servers
» static database: manually populated, "whitelist" and "blacklist"
» the Botnet Traffic Filter is dependent on four things:
1) license
2) DNS server
3) DNS snooping
4) Internet
» the ASA updates its database once per hour, by default
» the local database is stored in running memory
dynamic-filter updater-client enable   ! DNS domain lookup must be properly configured
dynamic-filter use-database
!
dynamic-filter {blacklist|whitelist}
name <hostname>
-OR-
address <ip-add>
policy-map global_policy
class inspection_default
inspect dns preset_dns_map dynamic-filter-snoop
dynamic-filter enable [interface <name> [classify-list <acl>]]
dynamic-filter drop blacklist ...
» Cisco rates each entry in the dynamic database with the following threat levels:
1) very low
2) low
3) moderate
4) high
5) very high
» by default, the ASA will drop connections from a moderate to a very high threat level
» entries in the static blacklist automatically receive a threat level of very high
» you should always enable Botnet Traffic Filtering on all interfaces that face the public
Internet
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter blacklist
name www.badnews4u.com
dynamic-filter whitelist
name www.mostlynice.com
policy-map global_policy
class inspection_default
inspect dns preset_dns_map dynamic-filter-snoop
dynamic-filter drop blacklist interface outside
Using Threat Detection
» basic threat detection: monitors the average and burst rate of dropped packets and security
events over an interval (generates a logging message when a threshold is exceeded)
» advanced threat detection: gathers statistics for both allowed and denied packets for
objects (generates a logging message when the TCP Intercept rate exceeds a threshold)
» scanning threat detection: maintains a database of suspicious activity for each host; detects
a host that is scanning for vulnerable targets (generates logging messages and can
automatically shun attacking hosts)
» be aware that advanced and scanning threat detection can tax the ASA resources because
they monitor and gather extensive and granular information
Basic threat detection for a 600-second interval, an average rate of 300 drops/s and a burst rate of
600 drops/s:
threat-detection basic-threat
threat-detection rate acl-drop rate-interval 600 average-rate 300 burst-rate 600
» enable all types of advanced threat detection statistics gathering by using the threat-detection
statistics command with no additional arguments
threat-detection statistics
threat-detection statistics host number-of-rate 1
threat-detection statistics tcp-intercept
-SCAN-
threat-detection scanning-threat
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection scanning-threat shun except ip-address 192.168.101.0 255.255.255.0
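An added model (not from these notes or from Cisco) of how the basic threat detection thresholds above are evaluated against a stream of drop counts, using the page's 600-second interval, 300 drops/s average rate and 600 drops/s burst rate. It assumes the burst window is the rate interval divided by 30 with a 10-second floor, as the ASA documentation describes; the drop counts are constructed sample data.

```python
"""Added model of ASA basic threat detection (not ASA code).

Assumption: the burst window is rate-interval / 30 with a 10 s floor,
as the ASA documentation describes; the drop counts are constructed.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RateThreshold:
    rate_interval: int   # threat-detection rate ... rate-interval (seconds)
    average_rate: int    # average-rate (drops per second over the interval)
    burst_rate: int      # burst-rate (drops per second over the burst window)

    @property
    def burst_interval(self) -> int:
        # assumption: rate-interval / 30, minimum 10 seconds
        return max(self.rate_interval // 30, 10)


@dataclass
class BasicThreatDetector:
    threshold: RateThreshold
    # (timestamp, drops) samples that fall inside the current rate interval
    events: deque = field(default_factory=deque)

    def record(self, timestamp: float, drops: int) -> list:
        """Add a drop sample and return the thresholds it exceeds
        ('average', 'burst'); an empty list means no syslog would fire."""
        # discard samples that fell out of the averaging interval
        cutoff = timestamp - self.threshold.rate_interval
        while self.events and self.events[0][0] <= cutoff:
            self.events.popleft()
        self.events.append((timestamp, drops))

        exceeded = []
        total = sum(d for _, d in self.events)
        if total > self.threshold.average_rate * self.threshold.rate_interval:
            exceeded.append("average")
        burst_cutoff = timestamp - self.threshold.burst_interval
        burst = sum(d for t, d in self.events if t > burst_cutoff)
        if burst > self.threshold.burst_rate * self.threshold.burst_interval:
            exceeded.append("burst")
        return exceeded


# the acl-drop thresholds configured in the notes
ACL_DROP = RateThreshold(rate_interval=600, average_rate=300, burst_rate=600)


def feed(detector: BasicThreatDetector, start: int, seconds: int,
         drops_per_second: int) -> list:
    """Feed one sample per second and return the result of the last one."""
    result = []
    for t in range(start, start + seconds):
        result = detector.record(t, drops_per_second)
    return result


def scenario_short_burst():
    """Constructed: 600 s of background drops at 100/s, then 20 s at 700/s.
    Only the burst threshold (600/s over the 20 s window) is crossed."""
    det = BasicThreatDetector(ACL_DROP)
    background = feed(det, 0, 600, 100)
    burst = feed(det, 600, 20, 700)
    return background, burst


def scenario_sustained():
    """Constructed: 400 drops/s for a whole interval crosses the average
    threshold (300/s over 600 s) but never the burst threshold."""
    det = BasicThreatDetector(ACL_DROP)
    return feed(det, 0, 600, 400)
```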
CHAPTER 10: Using Proxy Services to Control Access
user-based policies = cut-through proxy
proxy = device that can terminate and then reoriginate a connection between a client and
server
User-Based (Cut-Through) Proxy Overview
» authentication process needs to occur only once per source IP address
» the credentials are cached on the ASA so that subsequent authentication requests do not
have to transpire
» initial authentication can be triggered only by HTTP, HTTPS, FTP, and TELNET
» external AAA server, when the following are required:
1) several devices or existing user credential databases
2) stronger passwords than simple, static strings, e.g. one-time passwords
3) authorization and accounting services
Two solutions for direct HTTP authentication:
» HTTP redirection
» virtual HTTP
aaa-server MYGROUP protocol radius
!
aaa-server MYGROUP (inside) host 10.0.0.10
key MYKEY
!
object-group service MYSERVICES tcp
port-object eq http
port-object eq ftp
!
access-list ACL_IN extended permit tcp any host 192.168.1.101 object-group MYSERVICES
!
aaa authentication match ACL_IN outside MYGROUP
» clear uauth command clears the cached authentication information
causes users to reauthenticate but will not affect the current and established
sessions of authenticated users
aaa authentication listener http outside port http redirect
virtual http 172.16.1.101
virtual telnet 172.16.1.102
auth-prompt prompt
auth-prompt reject
auth-prompt accept
Authentication Timeouts
» set the time limits after which a user will be required to reauthenticate
» inactivity timeout value: based on idle time
» absolute timeout value: begins just after the user is authenticated by the device
timeout uauth inactivity
timeout uauth absolute
If you want some users to access different resources from other users, you need to also implement
user-based authorization.
» download per-user ACLs from a RADIUS AAA server during the authentication process
(recommended)
» user authorization based on a TACACS+ AAA server (discouraged)
» the per-user override feature allows the downloaded ACL to override an existing ACL on
the interface for that particular user
» without per-user override, both the interface ACL and the downloaded ACL are checked for
permit statements for the packet to pass
access-list #ACSACL#-FIREWALLjohns-4bc6b693_
» #ACSACL#- = an identifier string
» FIREWALLjohns = the name of the ACL
» 4bc6b693 = a unique rule version identification code
access-list FIREWALL_ACL extended permit tcp any host 172.16.0.100
!
aaa accounting match FIREWALL_ACL outside FIREWALLAUTH
A Structured Approach
1. Verify that users are prompted for authentication in the correct manner.
2. Ensure that traffic to be authenticated is permitted through the ASA.
3. Verify cut-through proxy configuration.
4. Ensure that the AAA server is accessible from the Cisco ASA.
5. Be sure that the shared secret on the AAA server and the ASA match.
6. Verify that the ASA has been properly defined on the AAA server.
System Messages
» %ASA-6-109005: Authentication succeeded for user ‘johns’ from
172.16.1.100/1322 to 172.16.0.12/80 on interface outside
» %ASA-6-109006: Authentication failed for user ‘johns’ from
172.16.1.100/1322 to 172.16.0.12/80 on interface outside
» %ASA-6-113014: AAA authentication server not accessible : server =
172.16.0.101: user = johns
CHAPTER 11: Handling Traffic
fragmented or whole packets
security policies written for whole packets are not as effective when inspecting fragments
Handling Fragmented Traffic
» MTU is configured on a per-interface basis (1500 bytes by default)
» if a packet is larger than the MTU, it must be fragmented before being transmitted
» 9216 bytes is a common practical limit known as a "giant" packet
» mtu <interface> <bytes>
» the ASA must store each fragment in a cache and virtually reassemble the fragments so
that it can inspect the complete original packet and verify the order and integrity of each
fragment
» if the reassembled packet passes inspection, then the ASA discards the reassembled copy and
forwards all of the original fragments toward the destination
» limitations:
1) max. 200 unique packets that can be reassembled, per interface
2) max. 24 fragments for a single packet
3) max. time of 5 seconds for all fragments of a packet to arrive
fragment size <packets> <interface>
fragment chain <fragments> <interface>
fragment timeout <seconds> <interface>
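An added model (not from these notes or from Cisco) of the virtual reassembly cache described above: it applies the three limits (fragment size, chain, timeout) to constructed fragments and performs the order and integrity check by requiring the offsets to tile the packet without gaps. Offsets are in 8-byte units as in the IP header; the class and fragment values are assumptions for illustration.

```python
"""Added model of the ASA virtual fragment reassembly limits (not ASA code).

Defaults are the page's 200 packets per interface, 24 fragments per packet
and 5 seconds; the fragments fed in below are constructed samples.
"""
from dataclasses import dataclass


@dataclass
class FragmentLimits:
    size: int = 200      # fragment size: packets awaiting reassembly per interface
    chain: int = 24      # fragment chain: fragments allowed for one packet
    timeout: int = 5     # fragment timeout: seconds for all fragments to arrive


@dataclass(frozen=True)
class Fragment:
    ip_id: int
    offset: int          # fragment offset in 8-byte units
    length: int          # payload bytes carried by this fragment
    more: bool           # MF flag
    arrival: float       # arrival time in seconds


class VirtualReassembler:
    """One reassembly cache, i.e. the state the ASA keeps for one interface."""

    def __init__(self, limits=None):
        self.limits = limits or FragmentLimits()
        self.pending = {}        # ip_id -> list of fragments seen so far
        self.first_seen = {}     # ip_id -> arrival time of the first fragment

    def submit(self, frag: Fragment) -> str:
        """Return 'pending', 'complete' or 'dropped: <reason>'."""
        self._expire_others(frag)
        if frag.ip_id in self.pending:
            if frag.arrival - self.first_seen[frag.ip_id] > self.limits.timeout:
                self._forget(frag.ip_id)
                return "dropped: fragment timeout"
        elif len(self.pending) >= self.limits.size:
            return "dropped: fragment size limit reached"
        else:
            self.pending[frag.ip_id] = []
            self.first_seen[frag.ip_id] = frag.arrival
        frags = self.pending[frag.ip_id]
        frags.append(frag)
        if len(frags) > self.limits.chain:
            self._forget(frag.ip_id)
            return "dropped: fragment chain limit exceeded"
        if self._contiguous(frags):
            self._forget(frag.ip_id)    # inspected; the original fragments go on
            return "complete"
        return "pending"

    def _expire_others(self, frag: Fragment) -> None:
        # packets whose fragments did not all arrive in time are discarded
        stale = [i for i, t in self.first_seen.items()
                 if i != frag.ip_id and frag.arrival - t > self.limits.timeout]
        for i in stale:
            self._forget(i)

    def _forget(self, ip_id: int) -> None:
        self.pending.pop(ip_id, None)
        self.first_seen.pop(ip_id, None)

    @staticmethod
    def _contiguous(frags) -> bool:
        """Order and integrity check: offsets must tile the packet from 0
        up to a final fragment with MF clear, with no gaps or overlaps."""
        ordered = sorted(frags, key=lambda f: f.offset)
        if ordered[0].offset != 0 or ordered[-1].more:
            return False
        expected = 0
        for f in ordered:
            if f.offset * 8 != expected:
                return False
            expected += f.length
        return True


def demo_sequences():
    """Constructed sample: a 3-fragment packet, a fragment arriving 6 s late,
    and a 25-fragment chain; returns the verdict for each case."""
    r = VirtualReassembler()
    good = [Fragment(1, 0, 1480, True, 0.0), Fragment(1, 185, 1480, True, 0.1),
            Fragment(1, 370, 100, False, 0.2)]
    complete = [r.submit(f) for f in good]
    r.submit(Fragment(2, 0, 1480, True, 1.0))
    late = r.submit(Fragment(2, 185, 100, False, 7.0))
    flood = [r.submit(Fragment(3, i * 10, 80, True, 8.0)) for i in range(25)]
    return complete, late, flood[-1]
```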
Prioritizing Traffic
» ASA places packets in an output queue or buffer that stores outbound packets temporarily
until they can be transmitted
» packets that are placed into the queue are sent in a best-effort fashion
» best-effort queue (BEQ)
» to help deliver time-critical traffic more efficiently, an ASA can also maintain one priority or
low-latency queue (LLQ) on each of its interfaces
» packets must match specific criteria to be placed in LLQ
» any packets in the LLQ are transmitted ahead of any packets in the BEQ
» if either the BEQ or LLQ fills during a time of interface congestion, any other packets
destined for the queue are simply dropped
» there is no fallback between the queues; excess packets are dropped instead
» both BEQ and LLQ are maintained in software
» ASA also uses a hardware queue called the transmit ring to buffer packets that will be
copied directly to the physical interface hardware for transmission
» packets are pulled from the LLQ first, then the BEQ, and then they are placed in the
hardware queue of the egress interface
» by default, only BEQ is enabled and used on each interface (LLQ must be specifically
enabled)
» the queue limit value in packets (1 to 2048) varies according to the amount of ASA memory
and the interface speed
» packets can vary in size, but the queue is always measured in generic packets, each of which can
be up to the interface MTU (default 1500 bytes) long
» priority-queue <interface>
By default, all packets are sent to the best-effort queue, regardless of whether a priority queue has
been configured and enabled. To send packets to the priority queue, you must use the Modular
Policy Framework (MPF) to configure a service policy that matches specific traffic with a class map
and then assigns that traffic to the priority queue.
Controlling Traffic Bandwidth
» aside from the priority queue, all traffic flows passing through an ASA have to compete for
the available bandwidth on an interface
» by default, there are no limits on bandwidth usage
» two ASA features control or limit the amount of bandwidth used by specific traffic flows:
1) traffic policing
2) traffic shaping
» with traffic policing, the packets are forwarded normally as long as the bandwidth threshold
is not exceeded
» packets that exceed the bandwidth threshold are simply dropped
» traffic shaping buffers traffic before it is forwarded so that the traffic rate can be shaped or
held within the threshold limit
» traffic shaping can be performed only on outbound traffic on an interface
» traffic shaping operates on the bulk traffic passing through an interface rather than on
specific traffic matched by a class map
access-list OUTBOUND_HTTP extended permit tcp any eq http any
!
class-map CLASS_HTTP
match access-list OUTBOUND_HTTP
!
policy-map MYPOLICY
class CLASS_HTTP
police output 100000000 conform-action transmit exceed-action drop
!
service-policy MYPOLICY interface outside
show service-policy police
» traffic shaping doesn't shape specific matched traffic; it shapes the default traffic that isn't
matched or classified by any other traffic class
» use the class-default class map to match the traffic
» ASA does not support both priority queuing and traffic shaping on the same interface
» prioritizing inside the traffic shaping process is possible
policy-map OUTSIDE-POLICY
class class-default
shape average 100000000
!
service-policy OUTSIDE-POLICY interface outside
show service-policy shape
CHAPTER 12: Using Transparent Firewall Mode
» routed: Layer 3
» transparent: Layer 2
By default, an ASA operates by performing all of its operations at OSI Layer 3.
Transparent Firewall
» aka Layer 2 firewall or a stealth firewall
» no IP addresses, other than a single management address used for traffic sourced by the
transparent firewall itself or destined for a management session
» "bump-in-the-wire"
» the ASA must maintain a MAC address table of the source address learned in each
received packet, along with the interface on which the packet arrived
» the ASA probes for the existence of an unknown MAC address by ARP request or Ping
request
» 8.4(1) or later includes one or more logical bridge groups
» each bridge group functions as an independent transparent firewall
» traffic passing through one bridge group cannot reach any other bridge group internally
» if traffic must be passed from one bridge group to another, an external router must be used
» up to 8 bridge groups supported on a physical ASA platform, with 2-4 interfaces assigned to
each
» at a minimum, a bridge group must contain two interfaces (usually inside and outside)
» prior to 8.4.1, only one bridge group with only two interfaces is supported
» in multiple context mode, each context can support one or more bridge groups
» each context must use a set of interfaces that is different than the set used by another
context
» all of the interfaces in a bridge group must share the same IP subnet
» starting from 8.0(2), an ASA integrates NAT with transparent firewall mode
» in routed firewall mode, an ASA can inspect and forward only IP packets
» the following features are not available in transparent firewall mode:
1) dynamic routing protocols
2) dynamic DNS
3) DHCP relay
4) multicast IP routing
5) QoS
6) VPN termination for transit traffic
firewall transparent
» transparent firewall mode begins immediately (no reload required) and clears the running
configuration
» ASDM does not offer any way to change the firewall mode
» interface parameters:
1) interface speed and duplex mode
2) interface name
3) security level
4) bridge group number (ASA 8.4(1) and later)
» NOTE: no IP address
interface ethernet0/0
nameif outside
security-level 0
bridge-group 1
no shutdown
interface ethernet0/1
nameif inside
security-level 100
bridge-group 1
no shutdown
» assign a single IP to each bridge group as a whole (for management traffic)
» if using multiple context mode, you should configure one IP address for each bridge group
on each security context, including the admin context
interface BVI1
ip address 192.168.100.100 255.255.255.0
» use static routes for routing
» distance metric is the number of router hops until the gateway is reached
» if the metric is omitted, it defaults to one hop
route inside 192.168.200.0 255.255.255.0 192.168.100.5
route inside 192.168.201.0 255.255.255.0 192.168.100.5
route outside 0.0.0.0 0.0.0.0 192.168.100.1
Controlling Traffic in Transparent Firewall Mode
» ARP packets are permitted to pass in both directions without any explicit ACL rules
» broadcast and multicast packets are not permitted by default; explicit ACL rules are
required
» routed non-IP traffic can be permitted by using EtherType ACLs
access-list EXTRA-TRAFFIC extended permit ospf any host 224.0.0.5
access-list EXTRA-TRAFFIC extended permit ospf any host 224.0.0.6
access-group EXTRA-TRAFFIC in interface outside
access-group EXTRA-TRAFFIC in interface inside
access-list ETHERTYPES ethertype permit bpdu
access-list ETHERTYPES ethertype permit 0x22f3
access-group ETHERTYPES in interface outside
access-group ETHERTYPES in interface inside
» you can apply one EtherType access list and one extended IP access list to the same
interface
Using ARP Inspection
» by default, a transparent firewall forwards all ARP packets it receives on one interface out
the other interface
» a malicious host can abuse ARP to leverage a man-in-the-middle attack
» when the inside host receives the malicious ARP reply, it will replace any other ARP entry it holds
for that IP address
» the malicious host can also send spoofed ARP replies announcing itself as the inside host,
completing the man-in-the-middle attack
» ARP inspection uses static ARP entries as the basis for its inspection process
» the ASA will examine each ARP reply packet it overhears and compare the source IP and
MAC addresses, and the source interface to known static entries in its own ARP table
» if any of the ARP information conflicts with an existing entry, the ASA will assume that the
ARP reply contains spoofed addresses and will drop the packet
» if an existing ARP entry can't be found, the ASA can be configured to transmit or drop the
ARP reply packet
» static ARP entries never age out
When ARP Inspection is enabled, the ASA can take one of the following actions on ARP replies:
» MAC and IP found in a single ARP table entry: valid, allowed to pass
» only the MAC or only the IP found in the ARP table (or the two found in different entries): invalid
or spoofed information, dropped
» neither MAC nor IP in the ARP table: flood (allow, the default action) or no-flood (drop)
By default, ARP inspection is disabled on all ASA interfaces.
arp inside 192.168.100.222 0000.2222.2222
arp outside 192.168.100.1 0000.1111.1111
arp-inspection inside enable [flood]
arp-inspection outside enable [flood]
show arp-inspection
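An added model (not from these notes or from Cisco) of the ARP inspection decision above, built from the page's two static entries and fed constructed ARP replies. It assumes a single ARP table keyed by IP and by MAC with the interface stored in each entry, and it enables no-flood on the outside interface purely to show both branches.

```python
"""Added model of ASA ARP inspection on a transparent firewall (not ASA code).

The static entries are the ones in the notes; the replies are constructed.
Assumption: one global ARP table keyed by IP and by MAC, with the interface
recorded in each entry, so a known address seen on the wrong interface is
treated as spoofed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    interface: str      # interface the reply arrived on
    sender_ip: str
    sender_mac: str


class ArpInspector:
    def __init__(self):
        self.by_ip = {}       # ip  -> (interface, mac)
        self.by_mac = {}      # mac -> (interface, ip)
        self.enabled = {}     # interface -> flood flag (absent = inspection off)

    def arp(self, interface: str, ip: str, mac: str) -> None:
        """arp <interface> <ip> <mac>: add a static entry (never ages out)."""
        mac = mac.lower()
        self.by_ip[ip] = (interface, mac)
        self.by_mac[mac] = (interface, ip)

    def arp_inspection(self, interface: str, flood: bool) -> None:
        """arp-inspection <interface> enable [flood|no-flood]"""
        self.enabled[interface] = flood

    def inspect(self, reply: ArpReply) -> str:
        """Return 'forward', 'flood' or 'drop' for one overheard ARP reply."""
        if reply.interface not in self.enabled:
            return "forward"            # default: ARP passes uninspected
        mac = reply.sender_mac.lower()
        ip_entry = self.by_ip.get(reply.sender_ip)
        mac_entry = self.by_mac.get(mac)
        if ip_entry == (reply.interface, mac):
            return "forward"            # IP, MAC and interface in one static entry
        if ip_entry is not None or mac_entry is not None:
            return "drop"               # conflicts with a static entry: spoofed
        return "flood" if self.enabled[reply.interface] else "drop"


def build_from_notes() -> ArpInspector:
    """The static entries from the notes; inside floods unknown replies,
    outside is set to no-flood here (a constructed choice) for contrast."""
    asa = ArpInspector()
    asa.arp("inside", "192.168.100.222", "0000.2222.2222")
    asa.arp("outside", "192.168.100.1", "0000.1111.1111")
    asa.arp_inspection("inside", flood=True)
    asa.arp_inspection("outside", flood=False)
    return asa


def verdicts_for_samples() -> dict:
    """Constructed replies: a valid one, two spoofed ones and an unknown host
    on each interface; returns name -> verdict."""
    asa = build_from_notes()
    samples = {
        "valid": ArpReply("outside", "192.168.100.1", "0000.1111.1111"),
        "spoofed_ip": ArpReply("inside", "192.168.100.222", "0000.9999.9999"),
        "wrong_interface": ArpReply("outside", "192.168.100.222", "0000.2222.2222"),
        "unknown_inside": ArpReply("inside", "192.168.100.50", "0000.5555.5555"),
        "unknown_outside": ArpReply("outside", "192.168.100.50", "0000.5555.5555"),
    }
    return {name: asa.inspect(r) for name, r in samples.items()}
```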
Disabling MAC address learning
» in transparent firewall mode, an ASA will learn MAC addresses as they are received on
either of its interfaces
» to prevent MAC address spoofing attacks, MAC address learning can be disabled
completely
» statically configured MAC address entries must be used instead
» MAC address learning is configured on a per-interface basis
mac-learn inside disable
mac-learn outside disable
mac-address-table static outside 0000.1111.1111
mac-address-table static inside 0000.2222.2222
show mac-learn
show mac-address-table
CHAPTER 13: Creating Virtual Firewalls on the ASA
» security context = virtual firewall
» requires multiple mode
The following features are not supported in multiple mode with the different virtual firewalls:
1) IPsec VPNs and other IPsec services
2) SSL VPNs
3) dynamic routing protocols
4) phone proxy
5) threat detection
6) multicast IP routing
» the physical interface can be shared across different security contexts for use by different
virtual firewalls with different security policies (not transparent mode virtual firewalls)
Different Contexts
» the system configuration: critical, contains settings for the Cisco ASA itself and is the entity
that stores information about all the other security contexts
» admin context: has administrative rights over all the security contexts set up on the system
» all interfaces that were enabled in single mode are available for admin context
» a context can use physical or subinterfaces of the Cisco ASA
» in transparent mode, only two interfaces can be used for user traffic, and one additional
management interface is supported
» in routed mode, an interface can be shared between contexts
The Cisco ASA uses a "classifier algorithm" to determine the destination security context for an
inbound packet on a shared interface.
» unique interfaces: always used in transparent firewall mode because interfaces cannot be
shared
» unique MAC addresses: uses the packet destination MAC address and compares it to the
interface MAC address for each context sharing the interface (you should set a unique
MAC address for each context)
» NAT: the destination IP address is matched either to a global IP address in a static
configuration or to an address in the xlate table as the result of a dynamic configuration
NOTE: If there is no unique MAC address, and NAT is not used, the classifier is forced to drop
packets.
Virtual Firewall Deployment Guidelines
» carefully plan the implementation beforehand
» the number of security contexts required: depends on the type of license
» the configuration storage for each context: flash memory or external servers
» the network topology information: interfaces per security context, IP addressing, and routing
» the security policy used inside each of the security contexts: could be quite elaborate and
involved
» transparent firewalls cannot have shared interfaces
» routed mode firewalls can use shared interfaces if they connect to the same network
Deployment Guidelines
» if you need a transparent mode security context, all of your other virtual firewalls must also
use transparent mode
» when creating a transparent mode device, make that change first, and then create the
security contexts (if done in reverse, the security contexts will be removed)
» only two interfaces are supported in a security context running in transparent mode
» shared interfaces cannot be used in transparent mode
» when using shared interfaces, ensure that you assign a unique MAC address to the
interface in each context
» use the context resource management to ensure that a single context cannot deplete all
resources available on the Cisco ASA
Limitations
» key features that are not supported on a Cisco ASA in multiple mode are dynamic routing
protocols, IPsec and SSL VPNs, multicast IP routing, threat detection, and Phone Proxy
» Cisco ASA 5505 does not support multiple mode
» the number of possible security contexts depends on the software license
Configuration Task Overview
1. Enable multiple mode on the Cisco ASA.
2. Create a security context.
3. Allocate interfaces to the context.
4. Specify the startup configuration location for the context.
5. Configure the security context resource management.
6. Configure each security context as a separate security appliance.
Changing from single mode to multiple mode
» the ASA automatically creates a security context named admin
» the running-config is converted to a system configuration for the admin security context
(admin.cfg)
» the original running-config is saved as old_running.cfg
» interfaces that were enabled in single mode are added to the admin security context
» disabled interfaces at the time of conversion are not assigned to any security context
» a new security context is not operational until you specify the location for the context startup
configuration (URL): options include Disk0/flash, Disk1 (CompactFlash memory card),
TFTP, FTP, HTTP(S)
» the admin context must be stored on internal flash (Disk0/flash)
The Admin Context
» retrieve configurations for other contexts and send system-level syslog messages
» when creating new contexts or changing the system configuration in any way
» the name does not have to be admin
Configuring Multiple Mode
» only by using the CLI
» mode multiple noconfirm
» requires a reboot
» context
» allocate-interface
» config-url
» show context
» an asterisk (*) indicates the current admin context
» by default, the context is named admin
Managing Security Contexts
changeto MYCONTEXT
changeto system
» deleting a context does not automatically remove its configuration files
Packet Classification Configuration
» in routed mode and using shared interfaces, the ASA requires some method of determining
to which context it should send a packet
» the ASA always checks for the following:
1) a unique interface
2) a unique MAC address (recommended)
3) a global IP address in a NAT configuration
» the MAC address can be created manually or the ASA can generate it
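The three-step classifier described above, modelled in Python as an added example (this is not Cisco code, and the context names, MAC addresses and NAT global addresses are constructed sample data). It also includes a small check for the deployment guideline that every context sharing an interface needs its own MAC address:

```python
"""Model of ASA multiple-mode packet classification (added example, not Cisco
code).  Context names, MACs and addresses below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Context:
    name: str
    interfaces: Set[str]                                   # allocated interfaces
    macs: Dict[str, str] = field(default_factory=dict)     # interface -> unique MAC
    nat_global_ips: Set[str] = field(default_factory=set)  # global addresses in NAT rules


@dataclass
class Packet:
    ingress: str   # interface the packet arrived on
    dst_mac: str   # destination MAC as seen on the wire
    dst_ip: str


def classify(packet: Packet, contexts: List[Context]) -> Optional[str]:
    """Return the context that owns the packet, or None if it cannot be classified.

    The checks run in the order the notes give: unique interface first, then a
    unique MAC address on a shared interface, then a global IP from NAT."""
    owners = [c for c in contexts if packet.ingress in c.interfaces]
    if not owners:
        return None                      # interface not allocated to any context
    if len(owners) == 1:
        return owners[0].name            # 1) unique interface
    dst_mac = packet.dst_mac.lower()
    by_mac = [c for c in owners if c.macs.get(packet.ingress, "").lower() == dst_mac]
    if len(by_mac) == 1:
        return by_mac[0].name            # 2) unique MAC on the shared interface
    by_nat = [c for c in owners if packet.dst_ip in c.nat_global_ips]
    if len(by_nat) == 1:
        return by_nat[0].name            # 3) global IP in a NAT configuration
    return None                          # ambiguous: the ASA drops such a packet


def shared_interface_warnings(contexts: List[Context]) -> List[str]:
    """Flag shared interfaces where the sharing contexts lack unique MAC addresses."""
    warnings = []
    ifaces = {i for c in contexts for i in c.interfaces}
    for iface in sorted(ifaces):
        sharers = [c for c in contexts if iface in c.interfaces]
        if len(sharers) < 2:
            continue
        macs = [c.macs.get(iface, "").lower() for c in sharers]
        if "" in macs or len(set(macs)) != len(macs):
            warnings.append(f"{iface}: shared by {[c.name for c in sharers]} without unique MACs")
    return warnings


# Constructed sample: Ethernet0/0 is shared by admin and ctxA, the others are unique.
CONTEXTS = [
    Context("admin", {"Ethernet0/0", "Ethernet0/1"},
            macs={"Ethernet0/0": "0000.1111.0001"}, nat_global_ips={"209.165.200.230"}),
    Context("ctxA", {"Ethernet0/0"},
            macs={"Ethernet0/0": "0000.1111.0002"}, nat_global_ips={"209.165.200.240"}),
    Context("ctxB", {"Ethernet0/2"}),
]

if __name__ == "__main__":
    for pkt in (Packet("Ethernet0/1", "0000.1111.0001", "192.168.1.5"),
                Packet("Ethernet0/0", "0000.1111.0002", "209.165.200.240"),
                Packet("Ethernet0/0", "ffff.ffff.ffff", "209.165.200.230"),
                Packet("Ethernet0/0", "ffff.ffff.ffff", "10.0.0.1")):
        print(pkt.ingress, pkt.dst_ip, "->", classify(pkt, CONTEXTS))
    print(shared_interface_warnings(CONTEXTS))
```

The third sample packet shows why the MAC step matters: with a destination MAC that matches no context, classification has to fall through to the NAT global address, and a packet that matches neither is dropped.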
Configuring Resource Management
» by default, a particular security context has unlimited access to the resources of the ASA
» you can impose limits on the use of specific hardware resources per security context
» a single context that is depleting a large number of resources of the ASA can have an
impact on all the security contexts on the device
» Options:
1) ASDM sessions
2) connections (count and rate)
3) hosts that can connect
4) SSH sessions
5) Telnet sessions
6) address translations
7) rate of application inspections per second
8) rate of system log messages per second
9) number of MAC addresses allowed in the MAC address table
» resource management for multiple mode ASA requires the creation and configuration of
resource classes
» security contexts are assigned to the resource classes
» by default, there is a default class (predefined limits and contains all security contexts)
» the configuration software will allow you to overallocate but never assign more than 100
percent of the available resources across security contexts
class gold
limit-resource mac-addresses 10000
limit-resource conns 15%
limit-resource rate conns 1000
limit-resource rate inspects 500
limit-resource hosts 9000
limit-resource asdm 5
limit-resource ssh 5
limit-resource rate syslogs 5000
limit-resource telnet 5
limit-resource xlates 36000
!
hostname(config-ctx)# member gold
show resource allocation
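To make the allocation arithmetic concrete, here is an added Python model (not Cisco code) that parses the class/member syntax shown above and reports when the percentage limits across all member contexts add up to more than 100 percent of a resource. The seven member contexts and the platform capacity figure are constructed; the ASA convention that a limit of 0 means unlimited is the only other assumption:

```python
"""Resource-class model for an ASA in multiple mode (added example, not Cisco
code). It parses the class/member syntax shown in the notes and reports
oversubscription the way the notes describe. Capacities are constructed."""
import re
from collections import defaultdict
from typing import Dict, Optional, Tuple

# limit value -> (number, is_percent); on the ASA a value of 0 means unlimited
Limit = Tuple[float, bool]

CLASS_RE = re.compile(r"^class (\S+)$")
CONTEXT_RE = re.compile(r"^context (\S+)$")
LIMIT_RE = re.compile(r"^limit-resource (rate )?(\S+) (\d+)(%?)$")
MEMBER_RE = re.compile(r"^member (\S+)$")


def parse_resource_config(text: str) -> Tuple[Dict[str, Dict[str, Limit]], Dict[str, str]]:
    """Return ({class: {resource: limit}}, {context: class}).
    Contexts without a 'member' line fall into the predefined 'default' class."""
    classes: Dict[str, Dict[str, Limit]] = {"default": {}}
    members: Dict[str, str] = {}
    current, mode = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := CLASS_RE.match(line):
            current, mode = m.group(1), "class"
            classes.setdefault(current, {})
        elif m := CONTEXT_RE.match(line):
            current, mode = m.group(1), "context"
            members.setdefault(current, "default")
        elif (m := LIMIT_RE.match(line)) and mode == "class":
            resource = ("rate " if m.group(1) else "") + m.group(2)
            classes[current][resource] = (float(m.group(3)), m.group(4) == "%")
        elif (m := MEMBER_RE.match(line)) and mode == "context":
            members[current] = m.group(1)
    return classes, members


def percent_allocation(classes, members) -> Dict[str, float]:
    """Sum of percentage limits across all contexts, per resource.
    A percentage applies to each context in the class, so seven contexts in a
    class with 'conns 15%' allocate 105% of the connection table."""
    totals: Dict[str, float] = defaultdict(float)
    for ctx, cls in members.items():
        for resource, (value, is_pct) in classes.get(cls, {}).items():
            if is_pct:
                totals[resource] += value
    return dict(totals)


def oversubscribed(classes, members) -> Dict[str, float]:
    """Resources whose summed percentage allocation exceeds 100%."""
    return {r: p for r, p in percent_allocation(classes, members).items() if p > 100}


def effective_limit(classes, cls: str, resource: str, capacity: int) -> Optional[int]:
    """Absolute limit one context in 'cls' gets for 'resource'.
    None means unlimited (no limit set, or the ASA value 0)."""
    if resource not in classes.get(cls, {}):
        return None
    value, is_pct = classes[cls][resource]
    if value == 0:
        return None
    return int(capacity * value / 100) if is_pct else int(value)


# Constructed configuration: the 'gold' class from the notes plus seven member contexts.
SAMPLE_CONFIG = """
class gold
 limit-resource mac-addresses 10000
 limit-resource conns 15%
 limit-resource rate conns 1000
 limit-resource rate inspects 500
 limit-resource hosts 9000
 limit-resource asdm 5
 limit-resource ssh 5
 limit-resource rate syslogs 5000
 limit-resource telnet 5
 limit-resource xlates 36000
!
""" + "".join(f"context ctx{i}\n member gold\n!\n" for i in range(1, 8)) + "context lab\n!\n"

if __name__ == "__main__":
    classes, members = parse_resource_config(SAMPLE_CONFIG)
    print("oversubscribed:", oversubscribed(classes, members))
    # 280000 is a constructed capacity figure, not a real ASA model's table size
    print("conns per gold context:", effective_limit(classes, "gold", "conns", 280000))
```

Run against the sample, the check reports `conns` at 105 percent: the class limit is 15 percent per context, not 15 percent for the class, which is exactly the situation the notes warn about.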
Troubleshooting Security Contexts
1. Verify interface status in the system execution space.
2. Verify interface status in a context environment.
3. With shared interfaces, ensure that packets can be classified properly into specific security
contexts (MAC addresses or properly configured NAT).
4. Verify resource usage.
5. Troubleshoot within a security context as if you were troubleshooting a standalone security
appliance.
CHAPTER 14: Deploying High Availability
ASA Failover Overview
» two ASAs can be configured to operate as a high availability or "failover" pair
» active-standby: one ASA takes on the active role, handling all the normal security functions;
the other ASA stays in standby mode, ready to take over the active role in the event of a
failure (device redundancy)
» active-active: when the ASAs are running multiple security contexts, the contexts can be
organized into groups; one ASA is active for one group, and the other ASA is active for
another (device redundancy and load balancing across contexts)
» the two ASAs must be an identical model
» the ASA pair must share identical sets of interfaces
» once a failure is detected, the ASAs swap roles until the next failure
» no preemption
» each ASA maintains a unique MAC address and unique IP address on each of its
interfaces
» the addressing is also swapped when a failure occurs (except the LAN failover interface)
» one of the two units must be configured as the primary unit
» the primary and secondary designations only determine the active and standby addresses -
not the active and standby roles
Active-Active Failover
» still alternate their roles as active and standby
» the active-standby combination is carried out on a per-failover group basis
» each failover group contains multiple security contexts
» the two ASAs effectively swap roles, but only on a failover group basis
» a failover pair of ASAs must have a special purpose link set aside for failover
communication between them
» the LAN failover interface should be connected to a switch that is separate from other ASA
interfaces
» to add even more resilience, the LAN failover interface can use a pair of redundant
interfaces, each connected to a different switch
» the ASA configurations are always maintained on the active unit (automatically
synchronized from the active unit to the standby)
» the startup-config is not automatically synchronized (copy run start)
» each ASA maintains its own flash file system
» upgrading must be done on each ASA independently
» by default, an ASA failover pair operates in a stateless failover mode (connections are not
copied to the standby unit)
» if the active unit fails, none of the active UDP or TCP connections will be preserved; the
hosts will have to reinitiate any connection they were using at the time
» stateful failover can be configured instead; requires a special-purpose stateful failover link
Replicated
» NAT table entries
» ARP table entries
» MAC address table entries
» UDP connections
» TCP connections
» H.323 and SIP signaling sessions
» MGCP connections
» HTTP connections (if explicitly enabled)
» dynamic routing table entries (beginning with 8.4)
Not replicated
» user authentication cut-through proxy
» DHCP server address leases
» phone proxy information
» Security Services Module activity
» LAN failover and stateful failover link can share the same interface
» use the fastest interface that is available for stateful failover
Detecting an ASA failure
» two ASAs must be configured with their primary and secondary failover identities, so that
the active unit can determine which MAC and IP addresses to use
» each ASA must go through an election process for the active role when it boots
The Election Process
1. If a peer is detected, is trying to negotiate its own role, and is equally healthy as the booting
ASA, the primary unit will become active and the secondary unit will become standby.
2. If a peer is detected, is trying to negotiate its own role, but is not equally healthy, the
healthier of the two ASAs will become active.
3. If a peer is detected and already has the active role, the booting ASA will become standby.
4. If no peer is detected, the booting ASA will become active.
5. If the booting ASA becomes active, but later detects its peer that is also active, it will begin
negotiating roles with its peer to elect only one active role.
» once failover is enabled and active, the two ASA peers continuously communicate and
monitor each other
The ASA monitors the health of its peer according to the following rules:
» as long as hellos are received over the LAN failover interface, the peer must be alive and
no failover occurs
» if hellos are not received over the LAN failover interface, but hellos are received on other
monitored interfaces, the peer must be alive and no failover occurs (only LAN failover
interface is declared to be "failed")
» if no hellos are received on any interface for a hold time interval, the peer is declared to be
"failed" and failover occurs
» by default, hellos are sent every 1 second
» the default hold timer is 15 seconds
» each interface of one ASA must connect to the same network as the corresponding
interface of the peer ASA
» hellos are also sent on all interfaces that are monitored for failover
» the poll and hold times used by the interface-based hello monitoring are different from the
LAN failover interface
» by default, interface hellos are sent and polled every 5 seconds
» the interface hold timer is 25 seconds (5 x hello)
» if hello packets are not seen on a monitored interface within half of the hold time, that
interface is moved into a "testing" mode
» the peer ASA is notified of the test via the LAN failover interface
Interface Tests
1. Interface status: the interface is failed if the link status is down.
2. Network activity: if no packets are received over a 5-second interval, the next testing phase
begins; otherwise, the interface can still be used.
3. ARP: the interface simulates received traffic by sending ARP requests for the ten newest
entries in the ASA's ARP table; if no traffic is received in 5 seconds, the next testing phase
begins.
4. Broadcast ping: traffic is stimulated by sending an ICMP echo request to the broadcast
address on the interface; if no replies are received over a 5-second interval, the interface is
marked in a "failed" state. If the same interface on the peer ASA also fails the test, then the
interface is marked in an "unknown" state because an actual failure cannot be determined.
5. Finally, the two ASAs attempt to compare their status. If the active unit has more failed
interfaces than a configured threshold, a failover occurs. Once a monitored interface is
marked as "failed", it will become operational again as soon as any traffic is received on it.
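The peer-monitoring rules and the interface test sequence above, as an added Python model (not Cisco code). The function names, the `TestObservations` record and the sample timings are constructed; the rule bodies follow the notes: hellos on the LAN failover link mean the peer is alive, hellos only on data interfaces mean just the failover link is down, a full hold time of silence means the peer has failed, and an interface walks through link status, activity, ARP and broadcast ping before it is declared failed or unknown:

```python
"""Model of the ASA failover health checks described above (added example, not
Cisco code): LAN-failover hello monitoring, the interface test sequence, and the
failed-interface threshold. Names and sample timings are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class PeerState(Enum):
    ALIVE = "alive"
    LAN_FAILOVER_LINK_FAILED = "only the LAN failover interface is failed"
    FAILED = "peer failed - failover occurs"


class IfaceState(Enum):
    NORMAL = "normal"
    TESTING = "testing"
    FAILED = "failed"
    UNKNOWN = "unknown"


def peer_state(now: float, last_lan_hello: float, last_iface_hello: Dict[str, float],
               holdtime: float = 15.0) -> PeerState:
    """Apply the three rules: hellos on the LAN failover link mean alive; hellos only
    on monitored data interfaces mean just the failover link is down; silence on
    every interface for a full hold time means the peer has failed."""
    if now - last_lan_hello < holdtime:
        return PeerState.ALIVE
    if any(now - t < holdtime for t in last_iface_hello.values()):
        return PeerState.LAN_FAILOVER_LINK_FAILED
    return PeerState.FAILED


def needs_interface_test(now: float, last_hello: float, iface_holdtime: float = 25.0) -> bool:
    """A monitored interface enters testing after half its hold time without hellos."""
    return now - last_hello >= iface_holdtime / 2


@dataclass
class TestObservations:
    link_up: bool
    traffic_seen: bool           # any packet in the 5-second activity window
    arp_reply_seen: bool         # reply to ARP for the ten newest ARP entries
    bcast_ping_reply_seen: bool  # reply to the broadcast ICMP echo
    peer_iface_failed: bool      # the same interface on the peer failed its tests


def run_interface_tests(obs: TestObservations) -> IfaceState:
    """Walk the test phases in order; stop at the first one that proves the interface works."""
    if not obs.link_up:
        return IfaceState.FAILED                 # 1) link status
    if obs.traffic_seen:
        return IfaceState.NORMAL                 # 2) network activity
    if obs.arp_reply_seen:
        return IfaceState.NORMAL                 # 3) ARP stimulus
    if obs.bcast_ping_reply_seen:
        return IfaceState.NORMAL                 # 4) broadcast ping stimulus
    # both units failing the same interface cannot tell a local fault from a shared one
    return IfaceState.UNKNOWN if obs.peer_iface_failed else IfaceState.FAILED


def should_failover(states: Dict[str, IfaceState], policy: str = "1") -> bool:
    """Step 5: failover when failed interfaces reach the interface-policy threshold,
    given as a count ('1') or a percentage of monitored interfaces ('50%')."""
    failed = sum(1 for s in states.values() if s is IfaceState.FAILED)
    if policy.endswith("%"):
        if not states:
            return False
        return failed * 100 / len(states) >= float(policy[:-1])
    return failed >= int(policy)


if __name__ == "__main__":
    # constructed timeline: last LAN-failover hello 18 s ago, inside hello 2 s ago
    print(peer_state(now=20.0, last_lan_hello=2.0, last_iface_hello={"inside": 18.0}))
    states = {
        "inside": run_interface_tests(TestObservations(True, False, False, False, False)),
        "outside": run_interface_tests(TestObservations(True, True, False, False, False)),
    }
    print(states, "failover:", should_failover(states, "1"))
```

Note how `UNKNOWN` is not counted as failed by `should_failover`: when both units fail the same interface the fault is probably in the shared network, and failing over would not help.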
Configuring Active-Standby Failover Mode
» configure through ASDM either manually or automatically using a Wizard
» at a minimum, the secondary unit must have at least one interface configured with an IP
address and the unit must allow remote access on that interface
» you will need to restart ASDM on the secondary ASA and complete the failover
configuration there
failover lan unit primary
!
failover lan interface <int-name> [physical_int]
failover interface ip <int-name> <ip-add> <mask> standby <ip-add>
failover key <key-str> | hex <key>
failover
failover link <int-name> [physical_int]
failover interface ip <int-name> <ip-add> <mask> standby <ip-add>
failover replication http
For each interface that will carry normal data, you will need to configure the active and standby unit
IP addresses.
ip address <act-addr> <mask> standby <stby-addr>
Normally, the active and standby units use their own burned-in MAC addresses for a regular data
interface and inform each other through failover messages.
failover mac address <int-name> <active-mac> <standby-mac>
By default, every ASA interface will be monitored to detect a failure that might trigger a failover.
Exclude: no monitor-interface <int-name>
failover lan unit secondary
failover lan interface <int-name> [physical_int]
failover interface ip <int-name> <ip-add> <mask> standby <ip-add>
failover key <key-str> | hex <key>
failover
The final failover command enables the failover function.
From this point on, you should enter all configuration changes only on the active ASA.
failover lan unit primary
failover lan interface LANfo Ethernet0/2
failover interface ip LANfo 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover key B1gs3cr3tk3y
failover
!
failover link stateful Ethernet0/3
failover interface ip stateful 192.168.201.1 255.255.255.0 standby 192.168.201.2
failover replication http
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 209.165.200.226 255.255.255.0 standby 209.165.200.227
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
failover mac address inside 001a.a22d.1ddd 001a.a22d.1eb9
failover mac address outside 001a.a22d.1ddc 001a.a22d.1eb8
no monitor-interface management0/0
failover lan unit secondary
failover lan interface LANfo Ethernet0/2
failover interface ip LANfo 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover key B1gs3cr3tk3y
failover
Configuring Active-Active Failover Mode
» each ASA must be assigned its primary or secondary role in each of the two failover groups
» each security context must be assigned to a failover group
» by default, all contexts belong to failover group 1
» once either LAN failover and stateful failover links are configured and failover is enabled,
the primary unit will synchronize the system, admin, and any other context configuration
with the secondary unit automatically
» from that point on, any configuration changes should be entered on the ASA that currently
has the active role for a specific security context
» start from the system context of the primary ASA
» designate the ASA as the primary unit so that its system execution context can manage
configuration replication
» by default, the primary and secondary ASAs trade the active and standby roles only after a
failure
» by default, when a previously active unit is restored to service, it isn't allowed to preempt its
peer and resume the active role
» by default, every physical ASA interface will be monitored to detect a failure that might
trigger a failover
» the final failover command enables the failover function
» once the ASA units recognize each other, they will negotiate their roles in each failover
group
» the LAN failover interface will be used to replicate configuration commands from the active
to the standby unit
failover lan unit primary
failover lan interface LANfo Ethernet0/2
failover interface ip LANfo 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover key $ecret
failover
!
failover group 1
primary
preempt
replication http
!
failover group 2
secondary
preempt
replication http
!
failover link stateful Ethernet0/3
failover interface ip stateful 192.168.201.1 255.255.255.0 standby 192.168.201.2
!
context admin
allocate-interface Ethernet0/0.1
allocate-interface Ethernet0/1.1
config-url disk0:/admin.cfg
join-failover-group 1
!
context ContextA
allocate-interface Ethernet0/0.2
allocate-interface Ethernet0/1.2
config-url disk0:/contexta.cfg
join-failover-group 2
!
context contextB
allocate-interface Ethernet0/0.3
allocate-interface Ethernet0/1.3
config-url disk0:/contextb.cfg
join-failover-group 1
!
interface Ethernet0/0.1
nameif outside
security-level 0
ip address 209.165.200.226 255.255.255.224 standby 209.165.200.227
!
interface Ethernet0/1.1
nameif inside
security-level 100
ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
!
monitor-interface inside
monitor-interface outside
-ContextA-
interface Ethernet0/0.2
nameif outside
security-level 0
ip address 209.165.201.2 255.255.255.224 standby 209.165.201.3
!
interface Ethernet0/1.2
nameif inside
security-level 100
ip address 192.168.2.10 255.255.255.0 standby 192.168.2.11
!
monitor-interface inside
monitor-interface outside
-ContextB-
interface Ethernet0/0.3
nameif outside
security-level 0
ip address 209.165.202.130 255.255.255.224 standby 209.165.202.131
!
interface Ethernet0/1.3
nameif inside
security-level 100
ip address 192.168.3.10 255.255.255.0 standby 192.168.3.11
!
monitor-interface inside
monitor-interface outside
-Secondary ASA-
failover lan unit secondary
failover lan interface LANfo Ethernet0/2
failover interface ip LANfo 192.168.200.1 255.255.255.0 standby 192.168.200.2
failover key $ecret
!
failover group 1
secondary
preempt
replication http
!
failover group 2
primary
preempt
replication http
!
failover
Tuning Failover Operation
» two mechanisms to determine each other's health: failover timers and interface failure
threshold
» the default poll time interval for failover messages is 1 second
» the default hold time period is 15 seconds, after which the peer is declared to have failed
» in active/standby mode, configure the timers from the active unit; in active/active mode,
enter them in the system execution space
» the hold time value must be at least three times the poll time
» most aggressive: 200 msec/ 800 msec (catch: delayed or lost hellos on a congested LAN
failover interface could be misinterpreted as a failure)
» if separated by switches, make sure that they are configured to use the most efficient
spanning-tree and link-negotiation features
» Spanning Tree PortFast!
» failover peers also send hello messages to each other over each interface that they have in
common
» by default, the interface poll time is 5 seconds with a hold time of 25 seconds
failover polltime 1 holdtime 15
failover polltime interface 5 holdtime 25
!
failover group 1
polltime interface 5 holdtime 25
» by default, if an ASA tests and finds that at least one of its monitored interfaces has failed, it
declares itself failed and the other unit takes over
failover interface-policy <number>
failover group 1
interface-policy 1
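The timer constraints in this section, turned into a small validator plus CLI renderer as an added example (not Cisco code). The rules it enforces are the ones the notes state: hold time at least three times the poll time, with 200 ms / 800 ms as the floor. The millisecond keyword form of `failover polltime` is assumed from the ASA CLI; the function names are constructed:

```python
"""Failover timer validator and CLI renderer (added example, not Cisco code).
Rules encoded: hold time at least three times the poll time, and the
200 ms / 800 ms pairing as the most aggressive allowed. The 'msec' keyword
form of 'failover polltime' is assumed from the ASA CLI."""
from typing import List, Optional


def validate_unit_timers(poll_ms: int, hold_ms: int) -> List[str]:
    """Return the rule violations for the LAN failover hello timers (empty = OK)."""
    problems = []
    if poll_ms < 200:
        problems.append(f"poll time {poll_ms} ms is below the 200 ms floor")
    if hold_ms < 800:
        problems.append(f"hold time {hold_ms} ms is below the 800 ms floor")
    if hold_ms < 3 * poll_ms:
        problems.append(f"hold time {hold_ms} ms is less than three times the poll time {poll_ms} ms")
    return problems


def render_unit_timers(poll_ms: int, hold_ms: int) -> str:
    """Render 'failover polltime ...' in seconds when both values are whole seconds,
    otherwise in the millisecond form. Raises on an invalid pairing."""
    problems = validate_unit_timers(poll_ms, hold_ms)
    if problems:
        raise ValueError("; ".join(problems))
    if poll_ms % 1000 == 0 and hold_ms % 1000 == 0:
        return f"failover polltime {poll_ms // 1000} holdtime {hold_ms // 1000}"
    return f"failover polltime msec {poll_ms} holdtime msec {hold_ms}"


def render_interface_timers(poll_s: int, hold_s: int, group: Optional[int] = None) -> List[str]:
    """Interface hello timers; in active/active mode they live under the failover group."""
    cmd = f"polltime interface {poll_s} holdtime {hold_s}"
    if group is None:
        return [f"failover {cmd}"]
    return [f"failover group {group}", f" {cmd}"]


if __name__ == "__main__":
    print(render_unit_timers(1000, 15000))        # the defaults
    print(render_unit_timers(200, 800))           # most aggressive pairing
    print("\n".join(render_interface_timers(5, 25, group=1)))
    print(validate_unit_timers(200, 500))         # two violations
```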
» if asymmetric routing is likely, you can configure the context interfaces into an ASR group
» if a packet arrives on the interface and no connection state information is found, the ASA
will check for other interfaces in the ASR group, even on the other active-active failover
peer
» if nothing is still found, the packet is dropped
» ASR groups have three prerequisites:
1) active-active failover
2) stateful failover between peers
3) HTTP connection replication
» the ASR groups are configured within the context
asr-group <number>
failover exec {active | standby | mate} <cmd-str>
[no] failover active
» zero downtime upgrade is possible only when:
upgrade from one maintenance release to another, such as from 8.3(1) to 8.3(4)
upgrade from one minor release to the next minor release increment, such as from
8.2(1) to 8.3(1)
upgrade from the last minor release of one major release to the first minor release of
the next major release, such as from 8.4(7) to 9.0(1)
» the idea is to juggle the roles so that the standby unit is always the one being upgraded
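The three release-step rules above, encoded as an eligibility check in Python (added example, not Cisco code). The version parser and function names are constructed, "first minor release of the next major" is taken to mean minor number 0, and the table of last minor releases per major is built only from the notes' own 8.4(7) to 9.0(1) example, so it must be extended for real release trains:

```python
"""Zero-downtime upgrade eligibility check for a failover pair (added example,
not Cisco code).  It encodes the three release-step rules from the notes; the
'last minor release per major' table is constructed from the notes' own
8.4(7) -> 9.0(1) example and must be extended for real release trains."""
import re
from typing import Dict, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")   # e.g. 8.3(4)

# constructed: major -> last minor release of that major (only the notes' example)
LAST_MINOR: Dict[int, int] = {8: 4}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.3(4)' into (major, minor, maintenance)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ASA version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def zero_downtime_upgrade_allowed(current: str, target: str,
                                  last_minor: Dict[int, int] = LAST_MINOR) -> bool:
    """True when the step from current to target matches one of the three rules."""
    cm, cn, cp = parse_version(current)
    tm, tn, tp = parse_version(target)
    if (cm, cn) == (tm, tn) and tp != cp:
        return True      # one maintenance release to another, 8.3(1) -> 8.3(4)
    if cm == tm and tn == cn + 1:
        return True      # next minor release increment, 8.2(1) -> 8.3(1)
    if tm == cm + 1 and tn == 0 and last_minor.get(cm) == cn:
        return True      # last minor of a major to first minor of the next, 8.4(7) -> 9.0(1)
    return False


if __name__ == "__main__":
    for cur, new in (("8.3(1)", "8.3(4)"), ("8.2(1)", "8.3(1)"), ("8.4(7)", "9.0(1)"),
                     ("8.2(1)", "8.4(1)"), ("8.3(4)", "9.0(1)")):
        verdict = "eligible" if zero_downtime_upgrade_allowed(cur, new) else "NOT eligible"
        print(f"{cur} -> {new}: {verdict}")
```

The two negative cases show the point of the check: skipping a minor release (8.2 to 8.4) or jumping to the next major from anything but its predecessor's last minor release means both units have to be taken down together.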
Upgrade Process
1. Download a new software image to both ASA devices.
2. Use the boot system command to specify the new image file, and then save the running-config.
3. From the active unit, force the standby unit to reload by entering the failover reload-standby
command, and then wait for it to finish booting completely.
4. Force the active unit into the standby role by entering the #no failover active command.
5. Reload the former active unit by entering the reload command.
6. Restore the former active unit to active role by entering the failover command.
CHAPTER 15: Integrating ASA Service Modules
» AIP-SSM protects the network from attacks and misuse
» CSC-SSM protects the network clients from malicious content
» each module boasts the following:
a dedicated CPU for intrusion prevention or content security
dedicated RAM for the security services
dedicated flash memory and a separate file system for the software image
out-of-band port for management (SSMs only)
» the amount of dedicated resources and the specific hardware characteristics will vary from
module to module
» the Cisco IPS SSP has limitations:
requires the installation of the Firewall/VPN SSP
all traffic must flow through the firewall/VPN SSP, which must be installed in the
bottom slot of your Cisco ASA; after traffic passes through this device, it can be
redirected to the Cisco IPS SSP installed on the top slot
interfaces are down during the resets of the module
cannot be hot swapped
Cisco ASA Content Security and Control SSM (CSC-SSM)
» runs the popular and powerful Trend Micro InterScan for CSC-SSM
» provides protection against malware through its antivirus, antispyware, and antispam
features
» automatic updates
» the best rate of true positives
» base license: SSM-10 - 50 users, SSM-20 - 500 users
» optional licenses can be used to add more features or upgrade the number of users
supported
Cisco ASA Advanced Inspection and Prevention SSM and SSC
» IDS and IPS functionality
» signature-based: network traffic is compared to a database of well-known attacks
» anomaly-based: network traffic is compared to a statistical profile or normal baseline usage
» reputation-based: network traffic is compared to a reputation database (SensorBase) that
determines the reputation of the source of traffic
» typically, AIP-SSM or AIP-SSC is configured in inline mode of operation
» promiscuous mode: copies the packets moving through the ASA and sends them to the
module or card for analysis
the original packets still flow through the ASA and reach their target
interface vlan 1
no allow-ssc-mgmt
!
interface vlan 5
allow-ssc-mgmt
ip address 192.168.1.100 255.255.255.0
nameif inside
!
interface Ethernet0/5
switchport access vlan 5
no shutdown
!
policy-map OUTSIDE-POLICY
class class-default
ips inline fail-open
!
service-policy OUTSIDE-POLICY interface outside
CHAPTER 16: Traffic Analysis Tools
By default, an ASA will permit inbound ICMP packets to terminate on and be answered by any of
its interfaces.
icmp deny any outside
ping tcp to test TCP reachability
SYN --> SYN/ACK back --> TCP RST (the ASA sends a SYN; if a SYN/ACK comes back, the port is
reachable and the ASA resets the half-open connection rather than completing it)
ping tcp outside 209.165.201.199 25
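The same SYN, SYN/ACK, RST exchange that `ping tcp` performs, reproduced as an added Python example (not Cisco code) so the behaviour can be observed from a host. The loopback listener and the function names are constructed; the probe itself is an ordinary `connect()` whose socket is closed with a zero linger time so that the kernel sends a RST instead of a FIN:

```python
"""A 'ping tcp' style reachability probe in Python (added example, not Cisco
code).  Like the ASA command, it completes the handshake (SYN, SYN/ACK) and then
tears the half-open session down with a RST instead of sending data.  The
loopback listener is constructed so the probe can be exercised offline."""
import socket
import struct
import threading
import time
from typing import Optional, Tuple


def tcp_ping(host: str, port: int, timeout: float = 2.0) -> Tuple[bool, Optional[float]]:
    """Return (reachable, round-trip milliseconds). Refused or timed-out probes
    return (False, None)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    # SO_LINGER with a zero timeout makes close() emit a RST rather than a FIN,
    # which mirrors the SYN -> SYN/ACK -> RST exchange the notes describe.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    start = time.perf_counter()
    try:
        sock.connect((host, port))
        return True, (time.perf_counter() - start) * 1000.0
    except OSError:  # ConnectionRefusedError, socket.timeout and friends
        return False, None
    finally:
        sock.close()


def start_loopback_listener() -> int:
    """Constructed test target: accept connections on 127.0.0.1 and drop them."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port() -> int:
    """Pick a port that is (almost certainly) not listening, for the negative case."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    open_port = start_loopback_listener()
    print("open port", open_port, tcp_ping("127.0.0.1", open_port))
    print("closed port", tcp_ping("127.0.0.1", closed_loopback_port()))
```

On the wire the closed-port case is a SYN answered by a RST from the target, while the open-port case shows the handshake followed by a RST from the prober, which is the signature to expect in captures when this kind of probe is used against hosts behind the ASA.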
» by default, traceroute probe packets are sent using UDP port 33434
the port can be changed or ICMP echo request can be used instead (use-icmp)
» ASA will begin with a TTL value of one and will keep incrementing indefinitely
» the ASA will send three probes at each TTL increment by default
» undiscovered router hops are displayed with an asterisk
Packet Tracer
» looks at the running configuration to build the list of features, and then it carries out its tests
on each feature
» doesn't include tests from any of the ASA's application inspection engines
» uses virtual packets for testing
passed through each of the ASA functions like a real packet
even creates actual syslog information
removed once the virtual packet queued in the egress interface buffer for
transmission so that it never appears on the network
access-list CAPTURE-HTTPS extended permit tcp any host 192.168.1.199 eq https
access-list CAPTURE-HTTPS extended permit tcp host 192.168.1.199 eq https any
!
capture example access-list CAPTURE-HTTPS interface outside
» by default, the decode keyword is assumed, displaying packets in an abbreviated form
copy capture:bigtest tftp://192.168.254.10/bigtest
https://asa_address/capture/session_name[/pcap]