ASA Essentials (Part 1)
Transcript
-
Cisco Confidential 1 2010 Cisco and/or its affiliates. All rights reserved.
ASA Firewall Essentials, July 2012
Bogdan Doinea
Assoc. Technical Manager
CEE&RCIS
Cisco Networking Academy
-
Introduction to the ASA Firewall
The ASA Operating System
ASA Firewall Configuration
ASA Remote Access
Technical Demo
-
Adaptive Security Appliance (ASA): Cisco's lead dedicated firewall solution, an all-in-one platform combining:
Firewall
VPN concentrator
IPS
Advanced features
Virtual Firewalling
Transparent/Routed mode
High Availability
Advanced Threat Control (AIP-SSM, AIP-SSC modules)
Identity Firewall
-
The ASA is a stateful firewall: it also monitors the state of each connection
(initiation, data transfer, termination)
and can therefore detect abnormal connection behavior that might indicate attacks or exploits.
-
[Diagram: ASA with three interfaces E0/1, E0/2 and E0/3 connecting the inside network (security level 100), the DMZ (security level 50) and the outside (security level 0, toward the Internet)]
Only certain connections get inspected: the security level of the interface a packet arrives on, relative to the one it leaves on, decides how the packet is treated.
The administrator configures the security level of each interface.
-
Packet flow for a TCP connection opened from the inside:
1. The packet is received on the inside interface. The inbound ACL of that interface is applied and, if NAT is configured, the inside NAT operation is done.
2. The ASA randomizes the initial sequence number (ISN) of the connection and creates a state object in memory retaining the layer 3 and layer 4 information from the packet. The connection is marked as embryonic (half-open).
3. The reply packet comes back on the outside interface and the inbound ACLs of that interface are applied. If the packet is explicitly permitted by the ACL, it is accepted as a new connection and the state table is not consulted (the check below is skipped). Otherwise the state table is checked for a state object that matches the information contained in the returning packet; if there is no match, the packet is dropped.
4. The ASA checks the ACK number in the packet against the randomized sequence number it wrote in step 2. If the packet is legitimate, the ASA rewrites the ACK to ISN+1 so that it matches the TCP information on the inside host.
5. The inside host responds with an ACK. Its ACK number is not randomized (only the host's own sequence numbers are rewritten). The connection is changed to active/established and the embryonic counter is reset for that state object.
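The five steps above, as an added Python model (an illustration written for this page, not code from the presentation or from Cisco). It keeps the ASA's bookkeeping for one connection: the ACL decision, the ISN offset, the embryonic state object, the state-table lookup for the returning packet, the ACK check and rewrite, and promotion to established. NAT from step 1 is left out, the addresses, ports, ISNs and random seed are constructed, and the `acl_permit` flags stand in for the interface ACLs:

```python
import random
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


@dataclass
class StateObject:
    """The L3/L4 information the ASA retains for one connection (step 2)."""
    host_isn: int           # ISN chosen by the inside host
    delta: int              # random offset added to the host's sequence numbers
    embryonic: bool = True  # half-open until the handshake completes (step 5)


class AsaStatefulInspector:
    def __init__(self, seed=None):
        self.rng = random.Random(seed)  # seeded only to keep the demo reproducible
        self.state = {}                 # (src, sport, dst, dport) -> StateObject
        self.embryonic = 0              # number of half-open connections

    @staticmethod
    def key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def from_inside(self, p, acl_permit=True):
        """Steps 1, 2 and 5: a packet arriving on the higher-security interface."""
        if not acl_permit:
            return None  # dropped by the inbound ACL of the inside interface (step 1)
        st = self.state.get(self.key(p))
        if st is None:
            if p.flags != "SYN":
                return None  # no connection and not a connection attempt: drop
            # Step 2: randomize the ISN and create an embryonic state object.
            st = StateObject(host_isn=p.seq, delta=self.rng.randrange(1, MOD))
            self.state[self.key(p)] = st
            self.embryonic += 1
        elif p.flags == "ACK" and st.embryonic:
            # Step 5: third packet of the handshake; the connection is established.
            st.embryonic = False
            self.embryonic -= 1
        # The host's sequence number is shifted on the way out; its ACK field is not.
        return Packet(p.src, p.sport, p.dst, p.dport, p.flags,
                      seq=(p.seq + st.delta) % MOD, ack=p.ack)

    def from_outside(self, p, acl_permit=False):
        """Steps 3 and 4: a packet arriving on the lower-security interface."""
        st = self.state.get((p.dst, p.dport, p.src, p.sport))
        if st is None:
            # Step 3: no state object; only an explicit inbound ACL permit lets it in.
            return p if acl_permit else None
        # Step 4: the reply must acknowledge the randomized ISN (+1 for the SYN).
        if p.flags == "SYN-ACK" and p.ack != (st.host_isn + st.delta + 1) % MOD:
            return None  # not a legitimate reply to the SYN the ASA forwarded: drop
        # Rewrite the ACK back into the inside host's own sequence space.
        return Packet(p.src, p.sport, p.dst, p.dport, p.flags,
                      seq=p.seq, ack=(p.ack - st.delta) % MOD)


def handshake(seed=7):
    """Drive one outbound three-way handshake through the model and summarize it."""
    fw = AsaStatefulInspector(seed)
    client, server = ("192.168.1.10", 40000), ("203.0.113.5", 80)  # constructed
    host_isn, server_isn = 1000, 5000                                # constructed

    syn = fw.from_inside(Packet(*client, *server, "SYN", seq=host_isn))
    # The server acknowledges the sequence number it actually saw (the randomized one).
    syn_ack = fw.from_outside(Packet(*server, *client, "SYN-ACK",
                                     seq=server_isn, ack=(syn.seq + 1) % MOD))
    fw.from_inside(Packet(*client, *server, "ACK", seq=host_isn + 1, ack=server_isn + 1))

    # An attacker who predicted the inside host's real ISN still fails the step-4 check.
    spoof = fw.from_outside(Packet(*server, *client, "SYN-ACK", seq=4242, ack=host_isn + 1))
    # An unsolicited SYN from the outside has neither a state object nor an ACL permit.
    unsolicited = fw.from_outside(Packet("198.51.100.9", 31337, "192.168.1.20", 22, "SYN", seq=1))

    st = fw.state[(*client, *server)]
    return {
        "isn_rewritten": syn.seq != host_isn,
        "ack_seen_by_host": syn_ack.ack,  # back to host_isn + 1
        "established": not st.embryonic,
        "embryonic_count": fw.embryonic,
        "spoof_dropped": spoof is None,
        "unsolicited_dropped": unsolicited is None,
    }


if __name__ == "__main__":
    for k, v in handshake().items():
        print(f"{k}: {v}")
```

The spoofed SYN-ACK is the case the ISN randomization exists for: even an attacker who knows the inside host's real ISN does not know the offset the ASA added, so the step-4 check fails and the packet never reaches the host.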
-
Routed mode
the ASA is a layer 3 device (each interface has an IP address and is a routing hop)
all ASA features and capabilities are available
Transparent mode
the ASA is a layer 2 device (it bridges VLANs instead of routing between IP subnets)
it has a single global management IP address used for remote management
because its data interfaces carry no IP addresses, the firewall is invisible to an attacker coming from the Internet (it does not show up as a hop)
some functionality is disabled: dynamic routing protocols, VPN termination, QoS, DHCP relay
-
Front panel: a series of LEDs
Speed and link activity LEDs
Power LED
Status LED
Active LED
VPN LED
Security Services Card (SSC) LED
-
An 8-port 10/100 Fast Ethernet switch.
Three USB ports.
One Security Services Card (SSC) slot for expansion; the slot can hold the Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC).
-
Same modular structure as IOS:
Unprivileged (user EXEC) mode: limited rights
Privileged mode: generally used for show commands
Global configuration mode: used for general configuration (e.g. the password for privileged mode, static routes, banners, hostname)
Configuration sub-modes: used for the detailed configuration of specific features (firewall, VPN, routing protocols etc.)
Same help system:
ciscoasa> ?
enable Turn on privileged commands
-
The default enable password is empty: just press Enter (CR+LF) at the Password: prompt
ciscoasa>enable 15
Password:
ciscoasa#configure terminal
ciscoasa(config)#interface e0/1
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#exit
ciscoasa>
-
ciscoasa> ?
enable   Turn on privileged commands
exit     Exit the current command mode
login    Log in as a particular user
logout   Exit from current user profile to unprivileged mode
perfmon  Change or view performance monitoring options
ping     Test connectivity from specified interface to an IP address
quit     Exit the current command mode
ciscoasa> help enable
USAGE:
enable [<privilege level>]
DESCRIPTION:
enable   Turn on privileged commands
-
Deleting configurations
First we delete. The running-config lives in RAM and is cleared with clear configure all; the startup-config lives in flash and is erased with write erase:
ciscoasa# clear configure all
ciscoasa# write erase
-
Saving the configuration
Then we save! The running-config (RAM) is copied to the startup-config (flash) with any of:
ciscoasa# copy running startup
ciscoasa# write mem
ciscoasa# wr
Verify with:
ciscoasa# show running
ciscoasa# show startup
-
The clear configure command does not exist in IOS (on routers and switches)
It enables the selective deletion of parts of the running configuration in RAM, here the whole ISAKMP configuration. (The policy shown, 3DES, MD5 and DH group 2, is just a sample of what gets cleared, not a recommendation; all three are weak by current standards.)
ciscoasa(config)# show running-config | include isakmp
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ciscoasa(config)# clear configure isakmp
ciscoasa(config)# show running-config | include isakmp
-
Configuring a hostname
Configuring a password for the Telnet line (passwd)
Configuring a password for privileged mode (enable password). How did we configure this on a router?
Both passwords are stored hashed (the encrypted keyword in the output below). On these releases the hash is a fast MD5-based one that offline password crackers handle, so the passwords themselves still need to be strong; cisco is used here only as a classroom example.
ciscoasa(config)# hostname ipd
ipd(config)#
ipd(config)# passwd cisco
ipd(config)# enable password cisco
ipd# sh run | i pass
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
-
In order to pass traffic between two interfaces, a security level needs to be defined for each interface.
Security levels are the simplest stateful firewall model that the ASA offers.
Packets are inspected by the firewall engine when they traverse from a higher security level interface to a lower security level interface, and a state object is created for the connection.
Packets that try to pass from a lower security interface to a higher security interface, without a stateful object related to them in the memory of the ASA (and without an ACL that explicitly permits them), are dropped by default.
Besides a security level, every ASA interface needs a name. This name is referred to in all commands that want to use the interface.
-
Configuring security levels is done from interface configuration mode, (config-if)#.
-
An ASA interface that has no name or security level does not have L3 connectivity. Naming an interface inside gives it security level 100 automatically:
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
-
Any other name gets security level 0 by default; the level can then be set with the security-level command:
ciscoasa(config)#interface e0/1
ciscoasa(config-if)#nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)#no shutdown
-
Remote access over Telnet: by default, access is not allowed
If no password is set, the default login password is cisco
Access through Telnet on the outside interface (the lowest security level, 0) is not permitted unless the Telnet connection comes through an IPsec tunnel
Telnet carries the password and the whole session in clear text; restrict it to a trusted inside segment and prefer SSH
Monitoring connections: who lists the active sessions, kill terminates one by its session number
ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside
ciscoasa(config)# telnet timeout 10
ciscoasa(config)# passwd cisco123
ciscoasa# who
0: 10.10.0.132
ciscoasa# kill 0
ciscoasa# who
-
SSH is permitted on any interface, including the outside
Step 1: generate the RSA key pair
Step 2: activate SSH (allowed source network per interface, version, timeout)
By default, the user is pix and the password is the one configured with passwd
The 1024-bit modulus in the example below is too small by current standards; use modulus 2048 or larger, and keep ssh version 2 so that SSHv1 is not accepted
ciscoasa(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named
.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 10
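Pulling together the interface, security-level, Telnet and SSH settings above, here is an added Python audit (written for this page, not Cisco code or any part of the ASA) that reads a running-config and reports the defaults and weak settings a reviewer would check: interfaces with no nameif, security levels left at their defaults, which interface pairs pass new connections without an ACL, Telnet on the lowest-security interface or anywhere in clear text, SSH not pinned to version 2, the default login password, and the 3DES/MD5/DH group 2 ISAKMP policy from the clear configure slide. The configuration text is constructed for the example; the checks only encode what the slides state.

```python
import re

# Constructed sample running-config for the example (not from a real device).
SAMPLE_CONFIG = """\
enable password 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
interface Ethernet0/3
 shutdown
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 10
ssh 141.85.37.0 255.255.255.0 outside
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

# ISAKMP settings that should not appear in a new deployment.
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
ACCESS_RE = re.compile(r"(telnet|ssh) (\d[\d.]*) (\d[\d.]*) (\S+)$")
ISAKMP_RE = re.compile(r"isakmp policy (\d+) (encryption|hash|group) (\S+)$")


def default_security_level(name):
    """nameif inside gets 100 automatically; any other name gets 0."""
    return 100 if name == "inside" else 0


def parse_config(text):
    """Split a running-config into interface blocks and top-level commands."""
    interfaces, top, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):  # top-level command
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = interfaces.setdefault(m.group(1), {})
            else:
                current = None
                top.append(line.strip())
        elif current is not None:     # sub-command of the current interface
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return interfaces, top


def default_flows(levels):
    """(from, to) interface pairs that pass new connections without an ACL."""
    return sorted((a, b) for a, la in levels.items()
                  for b, lb in levels.items() if a != b and la > lb)


def audit(text):
    interfaces, top = parse_config(text)
    findings, levels = [], {}
    for phys, cfg in interfaces.items():
        name = cfg.get("nameif")
        if name is None:
            findings.append(("NO_NAMEIF", phys))  # no name, no level, no L3 connectivity
            continue
        if "security-level" in cfg:
            levels[name] = int(cfg["security-level"])
        else:
            levels[name] = default_security_level(name)
            findings.append(("DEFAULT_LEVEL", f"{phys} {name}={levels[name]}"))
    lowest = min(levels.values(), default=None)
    ssh_access = False
    for cmd in top:
        m = ACCESS_RE.match(cmd)
        if m:
            proto, net, mask, ifname = m.groups()
            if proto == "ssh":
                ssh_access = True
            elif levels.get(ifname) == lowest:
                # The ASA refuses this unless the session arrives inside an IPsec tunnel.
                findings.append(("TELNET_LOWEST_LEVEL", ifname))
            else:
                findings.append(("TELNET_CLEARTEXT", f"{net}/{mask} on {ifname}"))
            continue
        m = ISAKMP_RE.match(cmd)
        if m and m.group(3) in WEAK_ISAKMP[m.group(2)]:
            findings.append(("WEAK_ISAKMP", f"policy {m.group(1)} {m.group(2)} {m.group(3)}"))
    if ssh_access and "ssh version 2" not in top:
        findings.append(("SSH_VERSION_UNPINNED", "SSHv1 still accepted"))
    if not any(c.startswith("passwd ") for c in top):
        findings.append(("DEFAULT_PASSWD", "login password is still the default, cisco"))
    if not any(c.startswith("enable password ") for c in top):
        findings.append(("EMPTY_ENABLE_PASSWORD", "enable password is blank"))
    return {"levels": levels, "default_flows": default_flows(levels), "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("security levels:", report["levels"])
    print("new connections allowed by default:", report["default_flows"])
    for code, detail in report["findings"]:
        print(f"{code}: {detail}")
```

Run against a saved `show running-config`, the report shows the effective level of every named interface (including the ones you never typed a security-level for) and the interface pairs that will pass a new connection with no ACL at all, which is the first thing to confirm before writing access lists.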
-
Verifying a specific interface
Name of the interface and its security level
asa1# show run interface E0/3
interface Ethernet0/3
speed 10
duplex full
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0
asa1# show nameif
Interface Name Security
GigabitEthernet0/0 outside 0
GigabitEthernet0/1 inside 100
GigabitEthernet0/2 dmz 50
-
All the parameters of an interface:
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0013.c482.2e4c, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
8 packets input, 1078 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (8/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "outside":
8 packets input, 934 bytes
0 packets output, 0 bytes
8 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
-
What command did we use in IOS to see the L2 and L3 status of interfaces in a "brief" output?
show ip interface brief
The ASA does it slightly differently:
show interface ip brief
ciscoasa(config)# sh int ip br
Interface     IP-Address    OK? Method Status Protocol
Ethernet0/0   192.168.1.1   YES manual up     up
Ethernet0/1   10.10.1.1     YES manual up     up
-
IOS Q: can we run a show command from config mode? A: yes, by putting do in front of the command
There is no do on the ASA OS, but show commands can be given from any mode
Output can also be filtered with | followed by include (i), begin (b), exclude or grep
normal_cisco_router(config)#do show clock
*15:08:07.867 UTC Thu Feb 17 2011
ciscoasa(config-if)# sh clock
15:54:01.139 UTC Thu Feb 17 2011
-
[Diagram: technical demo topology: router R1 (G0) and router R2 (G1) attached to the ASA, one on the inside and one on the outside interface]
-
Thank you.