ASA Essentials (Part 1)

Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. ASA Firewall Essentials July, 2012 Bogdan Doinea Assoc. Technical Manager CEE&RCIS Cisco Networking Academy

Upload: cm1lt0n

Post on 04-Oct-2015


DESCRIPTION

ASA FIREWALL cisco

TRANSCRIPT

  • Slide 1: ASA Firewall Essentials, July 2012. Bogdan Doinea, Assoc. Technical Manager, CEE&RCIS, Cisco Networking Academy.

  • Slide 2: Agenda

    Introduction to the ASA Firewall

    The ASA Operating System

    ASA Firewall Configuration

    ASA Remote Access

    Technical Demo

  • Slide 3: Introduction to the ASA firewall

    Adaptive Security Appliance: Cisco's lead dedicated firewall solution, an all-in-one platform combining

    Firewall

    VPN concentrator

    IPS

    Advanced features

    Virtual Firewalling

    Transparent/Routed mode

    High Availability

    Advanced Threat Control (AIP-SSM, AIP-SSC modules)

    Identity Firewall

  • Slide 4: (diagram only)

  • Slide 5: Stateful inspection

    The ASA also monitors the state of every connection: initiation, data transfer, termination.

    Because it tracks state, it can detect abnormal connection behaviour that might indicate attacks or exploits.

  • Slide 6: Security levels

    [Diagram: an ASA with three interfaces, E0/1, E0/2 and E0/3, named inside (security level 100), DMZ (security level 50) and outside (security level 0, towards the Internet)]

    Only certain connections get inspected: the direction of the flow relative to the interface security levels decides what the stateful engine does with it.

    The administrator configures the security level of each interface.

  • Slide 7: How a TCP connection passes through the ASA

    Step 1: the packet (the SYN) is received on the inside interface. The inbound ACL is applied and, if NAT is configured, the inside NAT operation is done.

    Step 2: the ASA randomises the initial sequence number (ISN) of the connection and creates a state object in memory retaining the layer 3 and layer 4 information from the packet. The connection is marked as embryonic (half-open).

    Step 3: the reply (the SYN/ACK) comes back on the outside interface and the inbound ACLs are applied. (The slide's note here is cut off in the original: "if the packet is permitted by the ACL, the state table isn't checked and the below next step is".) The state table is checked for a state object that matches the information in the returning packet; if no match is found, the packet is dropped.

    Step 4: the ASA checks the ACK number in the packet against the randomised sequence number it wrote in step 2. If the packet is legitimate, the ASA rewrites the ACK to the host's original ISN+1, so that the handshake matches the TCP information on the host.

    Step 5: the host responds with an ACK; the ACK number in this packet is not randomised. The connection is changed to active/established and the embryonic counter is reset for that state object.

    A client that sends SYNs and never completes step 5 leaves embryonic entries behind; that is the condition the ASA's embryonic connection limits (set connection embryonic-conn-max in the Modular Policy Framework) exist to cap.
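The five steps of slide 7 as a runnable model. This is an added example written for this page, not Cisco code: a small Python class keeps the state table, shifts the inside host's ISN by a random offset, verifies the ACK on the returning SYN/ACK against that shifted ISN, translates it back for the host, and moves the entry from embryonic to established. The addresses, ports, ISN values and class/function names are constructed for the demo; the ACL and NAT stages of step 1 are left out.

```python
import secrets
from dataclasses import dataclass, replace

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset
    seq: int
    ack: int = 0


@dataclass
class ConnState:
    host_isn: int          # ISN the inside host chose
    delta: int             # wire ISN = host ISN + delta (mod 2**32); never 0
    phase: str = "embryonic"


class StatefulFirewall:
    """Toy stateful engine for flows initiated from inside (assumption: no ACL/NAT)."""

    def __init__(self, rng=secrets.randbelow):
        self.table = {}        # (src, sport, dst, dport) -> ConnState
        self.embryonic = 0
        self.established = 0
        self._rng = rng

    def outbound(self, pkt):
        """Packet received on the inside interface (steps 1, 2 and 5)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        st = self.table.get(key)
        if st is None:
            if pkt.flags != {"SYN"}:
                return None                        # no state and not a new SYN: drop
            st = ConnState(host_isn=pkt.seq, delta=self._rng(MOD - 1) + 1)
            self.table[key] = st                   # step 2: state object, embryonic
            self.embryonic += 1
        elif st.phase == "embryonic" and pkt.flags == {"ACK"}:
            st.phase = "established"               # step 5: handshake completed
            self.embryonic -= 1
            self.established += 1
        # the outside only ever sees the randomised sequence number
        return replace(pkt, seq=(pkt.seq + st.delta) % MOD)

    def inbound(self, pkt):
        """Packet received on the outside interface (steps 3 and 4)."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # initiator's view of the tuple
        st = self.table.get(key)
        if st is None:
            return None                            # step 3: no state object, drop
        if pkt.flags == {"SYN", "ACK"}:
            if pkt.ack != (st.host_isn + st.delta + 1) % MOD:
                return None                        # step 4: ACK does not fit our ISN, drop
        # translate the ACK back so the host sees its own ISN + 1
        return replace(pkt, ack=(pkt.ack - st.delta) % MOD)


def handshake_demo():
    """Run the handshake from slide 7 plus two packets the ASA must drop."""
    fw = StatefulFirewall()
    host, srv = ("10.10.1.5", 49152), ("203.0.113.10", 443)   # constructed addresses
    flow = dict(src=host[0], dst=srv[0], sport=host[1], dport=srv[1])
    back = dict(src=srv[0], dst=host[0], sport=srv[1], dport=host[1])

    syn = Packet(flags=frozenset({"SYN"}), seq=1000, **flow)          # step 1
    wire_syn = fw.outbound(syn)                                       # step 2
    synack = Packet(flags=frozenset({"SYN", "ACK"}), seq=5000,
                    ack=(wire_syn.seq + 1) % MOD, **back)             # step 3: server answers the wire ISN
    to_host = fw.inbound(synack)                                      # step 4
    ack = Packet(flags=frozenset({"ACK"}), seq=1001, ack=5001, **flow)
    wire_ack = fw.outbound(ack)                                       # step 5

    stray = Packet(flags=frozenset({"SYN"}), seq=7,
                   src="198.51.100.9", dst=host[0], sport=40000, dport=80)   # unsolicited inbound SYN
    forged = Packet(flags=frozenset({"SYN", "ACK"}), seq=9, ack=1001, **back) # guesses host ISN+1, not the wire ISN
    return {
        "wire_isn_rewritten": wire_syn.seq != syn.seq,
        "host_sees_ack": to_host.ack,                 # 1001: its own ISN + 1
        "wire_ack_seq_follows_wire_isn": wire_ack.seq == (wire_syn.seq + 1) % MOD,
        "embryonic": fw.embryonic,
        "established": fw.established,
        "stray_syn_dropped": fw.inbound(stray) is None,
        "forged_synack_dropped": fw.inbound(forged) is None,
    }


if __name__ == "__main__":
    for name, value in handshake_demo().items():
        print(f"{name}: {value}")
```

The forged SYN/ACK is the interesting case: an attacker who can guess the host's own ISN still fails, because the value the ASA expects is the randomised one that never left the outside interface.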

  • Slide 8: Routed vs. transparent mode

    Routed mode

    the ASA is a layer 3 device: each interface has its own IP subnet and the ASA is a routed hop

    all ASA features and capabilities are available

    Transparent mode

    the ASA is a layer 2 device: it bridges traffic between VLANs/interfaces instead of routing between IP subnets

    it can have a single global (management) IP address used for remote management

    it is not a routed hop, so it does not show up as an IP device to hosts on either side, including an attacker coming from the Internet

    some functionality is disabled: dynamic routing protocols, VPNs, QoS, DHCP relay

  • Slide 9: Front-panel LEDs

    A series of LEDs:

    Speed and link activity LEDs

    Power LED

    Status LED

    Active LED

    VPN LED

    Security Services Card (SSC) LED

  • Slide 10: Hardware (the 8-port switch and the SSC slot are those of the ASA 5505)

    An 8-port 10/100 Fast Ethernet switch.

    Three USB ports.

    One Security Services Card (SSC) slot for expansion, which can take the Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC).

  • Slide 11: (diagram only)

  • Slide 12: The ASA operating system

    Same modular structure as IOS:

    Unprivileged (user EXEC) mode: limited rights

    Privileged mode: generally used for show commands

    Global configuration: used for general settings (e.g. the privileged-mode password, static routes, banners, hostname)

    Configuration sub-modes: used for advanced configuration of specific features (firewall, VPN, routing protocols, etc.)

    Same help system

    ciscoasa > ?

    enable Turn on privileged commands

  • Slide 13: Moving between modes

    The default enable password is empty: at the Password: prompt just press Enter (CR+LF). Set one before the device leaves the bench.

    ciscoasa>enable 15

    Password:

    ciscoasa#configure terminal

    ciscoasa(config)#interface fa0/1

    ciscoasa(config-if)#exit

    ciscoasa(config)#exit

    ciscoasa#exit

    ciscoasa>

  • Slide 14: The help system

    ciscoasa > ?

    enable Turn on privileged commands

    exit Exit the current command mode

    login Log in as a particular user

    logout Exit from current user profile to unprivileged mode

    perfmon Change or view performance monitoring options

    ping Test connectivity from specified interface to an IP

    address

    quit Exit the current command mode

    ciscoasa > help enable

    USAGE:

    enable []

    DESCRIPTION:

    enable Turn on privileged commands

  • Slide 15: Deleting configurations

    First we delete.

    [Diagram: the running-config lives in RAM, the startup-config in flash]

    clear configure all wipes the running-config in RAM; write erase wipes the startup-config in flash:

    ciscoasa# clear configure all

    ciscoasa# write erase

  • Slide 16: Saving the configuration

    Then we save!

    [Diagram: the running-config (RAM) is copied to the startup-config (flash)]

    Three equivalent ways to save, then the two commands to inspect what is stored:

    ciscoasa# copy running startup

    ciscoasa# write mem

    ciscoasa# wr

    ciscoasa# show running

    ciscoasa# show startup

  • Slide 17: clear configure

    This command does not exist in IOS (on routers and switches).

    It removes the configuration of one specific feature from the running-config in RAM, as the isakmp example shows. (The policy being cleared, 3DES/MD5/DH group 2, is also the kind of setting that would not pass a review today.)

    ciscoasa(config)# show running-config | include isakmp

    isakmp enable outside

    isakmp policy 10 authentication pre-share

    isakmp policy 10 encryption 3des

    isakmp policy 10 hash md5

    isakmp policy 10 group 2

    isakmp policy 10 lifetime 86400

    ciscoasa(config)# clear configure isakmp

    ciscoasa(config)# show running-config | include isakmp

  • Slide 18: Hostname and passwords

    Configuring a hostname

    Configuring the login password used by the telnet (and SSH) line: passwd

    Configuring a password for privileged mode: enable password. How did we configure this on a router?

    The show output stores both as hashes (the encrypted keyword); cisco is the lab password and should never survive into production.

    ciscoasa(config)# hostname ipd

    ipd(config)#

    ipd(config)# passwd cisco

    ipd(config)# enable password cisco

    ipd# sh run | i pass

    enable password 2KFQnbNIdI.2KYOU encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted

  • Slide 19: Security levels

    In order to pass traffic between two interfaces, a security level needs to be defined for each interface.

    Security levels are the simplest stateful firewall model the ASA offers.

    Packets are inspected by the firewall engine when they traverse from a higher security level interface to a lower security level interface; the reply is then matched against the state object that was created.

    Packets that try to pass from a lower security interface to a higher security interface, without a matching state object in the ASA's memory, are dropped by default (an inbound ACL is needed to permit new connections in that direction).

    Besides a security level, every ASA interface needs a name (nameif). This name is what every other command refers to when it needs that interface.

  • Slide 20: Configuring security levels

    Security levels are configured from interface configuration mode, (config-if)#.

    [Diagram: the same three-interface topology: E0/1, E0/2 and E0/3 as inside (100), DMZ (50) and outside (0) towards the Internet]

  • Slide 21: nameif

    An ASA interface that has no name or security level has no L3 connectivity: it will not pass traffic even with an IP address configured.

    [Diagram: the same three-interface topology]

    Naming the interface inside assigns security level 100 automatically:

    ciscoasa(config)# interface e0/1

    ciscoasa(config-if)# nameif inside

    INFO: Security level for "inside" set to 100 by default.

    ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

  • Slide 22: security-level

    Any other name gets security level 0 by default, so the level is set explicitly with the security-level command:

    [Diagram: the same three-interface topology]

    ciscoasa(config)#interface e0/1

    ciscoasa(config-if)#nameif DMZ

    INFO: Security level for "DMZ" set to 0 by default.

    ciscoasa(config-if)#security-level 50

    ciscoasa(config-if)#ip address 192.168.2.1 255.255.255.0

    ciscoasa(config-if)#no shutdown
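How the security levels of slides 19 to 22 turn into a forwarding decision, as an added example (Python, not Cisco code): the script parses constructed show nameif output in the layout of slide 25, applies the nameif defaults seen on slides 21 and 22 (inside gets 100, anything else 0), and returns the default verdict for the first packet of a connection in each direction, including the unnamed-interface case from slide 21. The ACL and same-security switches correspond to the ASA's inbound ACL and same-security-traffic permit inter-interface; the function names and the interface table are this example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Iface:
    port: str
    nameif: Optional[str] = None
    security_level: Optional[int] = None


def apply_nameif(iface, name):
    """Mimic the INFO lines on slides 21 and 22: 'inside' defaults to level 100,
    any other name to 0 until security-level is set explicitly."""
    iface.nameif = name
    if iface.security_level is None:
        iface.security_level = 100 if name == "inside" else 0
    return iface


def parse_show_nameif(text):
    """Turn 'show nameif' output into an interface table keyed by nameif."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) == 3:
            port, name, level = parts
            table[name] = Iface(port, name, int(level))
    return table


def new_flow_verdict(ingress, egress, acl_permits=False, same_security=False):
    """Default decision for the FIRST packet of a connection, i.e. before a state
    object exists.  Replies are matched against the state table instead."""
    for i in (ingress, egress):
        if i.nameif is None or i.security_level is None:
            return False, f"{i.port} has no nameif/security-level: no L3 connectivity"
    if ingress.security_level > egress.security_level:
        return True, "higher -> lower: permitted by default, state object created"
    if ingress.security_level < egress.security_level:
        if acl_permits:
            return True, "lower -> higher: permitted by an explicit inbound ACL"
        return False, "lower -> higher: no state object and no ACL permit, dropped"
    if same_security:
        return True, "equal levels: permitted by same-security-traffic permit inter-interface"
    return False, "equal levels: dropped unless same-security-traffic permit inter-interface"


# Constructed 'show nameif' output in the layout of slide 25
SHOW_NAMEIF = """\
Interface                Name                     Security
GigabitEthernet0/0       outside                    0
GigabitEthernet0/1       inside                   100
GigabitEthernet0/2       dmz                       50
"""


def policy_demo():
    t = parse_show_nameif(SHOW_NAMEIF)
    unnamed = Iface("GigabitEthernet0/3")        # no nameif, no security level
    return {
        "inside->outside": new_flow_verdict(t["inside"], t["outside"])[0],
        "inside->dmz": new_flow_verdict(t["inside"], t["dmz"])[0],
        "dmz->inside": new_flow_verdict(t["dmz"], t["inside"])[0],
        "outside->dmz": new_flow_verdict(t["outside"], t["dmz"])[0],
        "outside->dmz with ACL": new_flow_verdict(t["outside"], t["dmz"], acl_permits=True)[0],
        "inside->unnamed": new_flow_verdict(t["inside"], unnamed)[0],
        "default level for DMZ": apply_nameif(Iface("e0/2"), "DMZ").security_level,
        "default level for inside": apply_nameif(Iface("e0/1"), "inside").security_level,
    }


if __name__ == "__main__":
    for case, verdict in policy_demo().items():
        print(f"{case}: {verdict}")
```

The verdict function only covers the first packet of a flow; once a state object exists, the return direction is handled by the state table as on slide 7, which is why a DMZ server can answer an inside client even though DMZ to inside is denied for new connections.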

  • Slide 23: Telnet access

    By default no management access is allowed.

    If no password has been set with passwd, the default login password is cisco.

    Telnet to the interface with the lowest security level (outside, level 0) is not permitted unless the telnet session arrives through an IPsec tunnel.

    Telnet is cleartext: restrict it to a trusted management subnet, keep the timeout short and prefer SSH (next slide).

    Monitoring sessions with who and terminating one with kill:

    ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside

    ciscoasa(config)# telnet timeout 10

    ciscoasa(config)# passwd cisco123

    ciscoasa# who

    0: 10.10.0.132

    ciscoasa# kill 0

    ciscoasa# who

  • Slide 24: SSH access

    Permitted on any interface, including outside.

    Step 1: generate the RSA keys. The slide uses a 1024-bit modulus; 2048 bits is the minimum to use now, and regenerating the keys replaces the host key that clients have already recorded.

    Step 2: activate SSH for a source network on an interface, restrict it to version 2 and set a timeout.

    By default the username is pix and the password is the one configured with passwd (until AAA authentication for SSH is configured with aaa authentication ssh console).

    ciscoasa(config)# crypto key generate rsa modulus 1024

    WARNING: You have a RSA keypair already defined named .

    Do you really want to replace them? [yes/no]: yes

    Keypair generation process begin. Please wait...

    ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside

    ciscoasa(config)# ssh version 2

    ciscoasa(config)# ssh timeout 10
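A check a practitioner would run against the management and VPN settings from slides 17, 18, 23 and 24, as an added example (Python, not Cisco code): it scans a constructed show running-config excerpt assembled from the commands on those slides and flags the hash the ASA prints on slide 18 after passwd cisco, cleartext telnet, SSH enabled without ssh version 2, and the 3DES/MD5/group 2 isakmp policy. The regexes, the sample config and the function name are this example's assumptions, not ASA output or Cisco tooling.

```python
import re

# Hash the ASA prints after 'passwd cisco' on slide 18; seeing it in a config means
# the lab/default password is still set.
DEFAULT_CISCO_HASH = "2KFQnbNIdI.2KYOU"
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

# Constructed running-config excerpt assembled from the commands on slides 17, 18, 23, 24
SAMPLE_CONFIG = """\
hostname ipd
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 10
ssh 141.85.37.0 255.255.255.0 outside
ssh timeout 10
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

ACCESS_LINE = re.compile(r"^(telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
PASSWORD_LINE = re.compile(r"^(enable password|passwd) (\S+)")
ISAKMP_LINE = re.compile(r"^isakmp policy (\d+) (encryption|hash|group) (\S+)$")


def audit_config(text):
    """Return a list of findings, in config order, for the weak settings this page shows."""
    findings = []
    ssh_enabled = ssh_v2_only = False
    for line in (l.strip() for l in text.splitlines()):
        m = PASSWORD_LINE.match(line)
        if m and m.group(2) == DEFAULT_CISCO_HASH:
            findings.append(f"{m.group(1)}: default password 'cisco' still set")
        m = ACCESS_LINE.match(line)
        if m and m.group(1) == "telnet":
            findings.append(f"telnet management from {m.group(2)} on {m.group(4)}: cleartext, use ssh")
        elif m:
            ssh_enabled = True                      # 'ssh <net> <mask> <iface>' line
        if line == "ssh version 2":
            ssh_v2_only = True
        m = ISAKMP_LINE.match(line)
        if m and m.group(3) in WEAK_ISAKMP[m.group(2)]:
            findings.append(f"isakmp policy {m.group(1)}: weak {m.group(2)} {m.group(3)}")
    if ssh_enabled and not ssh_v2_only:
        findings.append("ssh enabled without 'ssh version 2': SSHv1 may still be accepted")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The script only flags; the replacement values (a unique enable password, AES with SHA and a DH group of 14 or higher for isakmp) are a deployment decision, and adding the ssh version 2 line from slide 24 is what clears the last finding.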

  • Slide 25: Verifying an interface

    The configuration of a specific interface with show run interface, then the name and security level of every interface with show nameif:

    asa1# show run interface E0/3

    interface Ethernet0/3

    speed 10

    duplex full

    nameif outside

    security-level 0

    ip address 192.168.3.1 255.255.255.0

    asa1# show nameif

    Interface Name Security

    GigabitEthernet0/0 outside 0

    GigabitEthernet0/1 inside 100

    GigabitEthernet0/2 dmz 50

  • Slide 26: show interface

    All the parameters of an interface:

    asa1# show interface

    Interface GigabitEthernet0/0 "outside", is up, line protocol is up

    Hardware is i82546GB rev03, BW 1000 Mbps

    Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)

    MAC address 0013.c482.2e4c, MTU 1500

    IP address 192.168.1.2, subnet mask 255.255.255.0

    8 packets input, 1078 bytes, 0 no buffer

    Received 8 broadcasts, 0 runts, 0 giants

    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

    0 L2 decode drops

    0 packets output, 0 bytes, 0 underruns

    0 output errors, 0 collisions

    0 late collisions, 0 deferred

    input queue (curr/max blocks): hardware (8/0) software (0/0)

    output queue (curr/max blocks): hardware (0/0) software (0/0)

    Traffic Statistics for "outside":

    8 packets input, 934 bytes

    0 packets output, 0 bytes

    8 packets dropped

    1 minute input rate 0 pkts/sec, 0 bytes/sec

    1 minute output rate 0 pkts/sec, 0 bytes/sec

    1 minute drop rate, 0 pkts/sec

  • Slide 27: show interface ip brief

    What command did we use in IOS to see the L2 and L3 status of interfaces in a brief output?

    show ip interface brief

    The ASA does it slightly differently:

    show interface ip brief

    ciscoasa(config)# sh int ip br

    Interface IP-Address OK? Method Status Protocol

    Ethernet0/0 192.168.1.1 YES manual up up

    Ethernet0/1 10.10.1.1 YES manual up up

  • Slide 28: show from any mode and output filtering

    IOS Q: can we run a show command from config mode? A: yes, by prefixing the command with do.

    There is no do on the ASA, but show commands can be issued from any mode.

    Output can also be filtered with | and the keywords include (i), exclude, begin (b) and grep, as in sh run | i pass on slide 18.

    normal_cisco_router(config)#do show clock

    *15:08:07.867 UTC Thu Feb 17 2011

    ciscoasa(config-if)# sh clock

    15:54:01.139 UTC Thu Feb 17 2011

  • Slide 29: Technical demo

    [Demo topology diagram: the ASA between R1 and R2; labels e0/0, e0/0, G0, G1, inside, outside]

  • Slide 30: Thank you.