Firewall Core for CCIE Candidates
By Rafael Leiva-Ochoa
BRKCCIE-3203
© 2013 Cisco Systems, Inc.
Introduction
• Rafael Leiva-Ochoa
• @Cisco since Oct 2000
• Works in the TS Training Group (Part of Learning@Cisco)
• Delivers courses on Security to Global TAC Centers
• CCIE 19322 Security since 2007
Step 1: Download the Mobile App
Get all the information you need at your
fingertips!
Participate in session polling and Q&A
Step 2: Access the session
Log into the app using your Cisco Live login
& find your session
http://bit.ly/clus2015
CCIE Security Program Overview
Firewall Topics Covered in CCIE Security
• Configure EtherChannel
• High availability and redundancy
• Layer 2 transparent firewall
• Security contexts (virtual firewall)
• Cisco Modular Policy Framework
• Identity firewall services
• Configure Cisco ASA with ASDM
• Context-aware services
• IPS capabilities
• QoS capabilities
CCIE Security Topics
• Cisco ASA firewalls
• Basic firewall Initialization
• Device management
• Address translation
• ACLs
• IP routing and route tracking
• Object groups
• VLANs
Cisco Gear Used on CCIE Security
• Cisco 3800 Series Integrated Services Routers (ISR)
• Cisco 1800 Series Integrated Services Routers (ISR)
• Cisco 2900 Series Integrated Services Routers (ISR G2)
• Cisco Catalyst 3560-24TS Series Switches
• Cisco Catalyst 3750-X Series Switches
• Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
• Cisco IPS Series 4200 Intrusion Prevention System sensors
• Cisco S-series Web Security Appliance
• Cisco ISE 3300 Series Identity Services Engine
• Cisco WLC 2500 Series Wireless LAN Controller
• Cisco Aironet 1200 Series Wireless Access Point
• Cisco IP Phone 7900 Series*
• Cisco Secure Access Control System
*Device Authentication only, provisioning of IP phones is NOT required.
Cisco Code Used on CCIE Security
• Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
• Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
• Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
• Cisco IPS Software Release 7.x
• Cisco VPN Client Software for Windows, Release 5.x
• Cisco Secure ACS System software version 5.3x
• Cisco WLC 2500 Series software 7.2x
• Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
• Cisco WSA S-series software version 7.1x
• Cisco ISE 3300 series software version 1.1x
• Cisco NAC Posture Agent v4.X
• Cisco AnyConnect Client v3.0X
Cisco ASA GUI tools may or may not be available, therefore candidates are
expected to configure Cisco ASA appliances using CLI.
ASA Code Versions Covered in CCIE Security
• Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
Agenda
• Introduction
• ASA 5500 and 5500-X Platform
• Stateful Features
• NAT
• MPF
• Failover
• Conclusion
CCIE Security Practice Labs
[Lab topology diagram: primary/active and secondary/standby ASA pair; networks 209.165.200.0/24 (guests), 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 209.165.300.0/24 (toward the Internet) and 11.0.0.0/24; DHCP, HTTP, HTTPS and SMTP servers]
ASA 5500 and 5500-X Platform
Cisco ASA 5500 Series Adaptive Security Appliances
[Chart: Cisco ASA 5500 platforms by performance and scalability, from teleworker and branch office through Internet edge to campus and data center; models shown: ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5585-S10P10, ASA 5585-S20P20, ASA 5585-S40P40, ASA 5585-S60P60]
Cisco ASA 5500-X Series Next-Generation Firewalls
• Supports Cisco ASA Software Release 8.6.1 and later images; four times the firewall throughput of Cisco ASA 5500 Series platforms.
ASA Stateful Features
Connection Table: Connection State Flags
Basic Connection States
Flag  Meaning
a     Awaiting outside ACK to SYN
A     Awaiting inside ACK to SYN
B     Initial SYN from outside
f     Inside FIN
F     Outside FIN
I     Inbound data
O     Outbound data
r     Inside acknowledged FIN
R     Outside acknowledged FIN
s     Awaiting outside SYN
S     Awaiting inside SYN
U     Up
• Note: There are also other connection states that indicate application awareness.
ASA1#show conn
TCP outside 172.16.3.9:2230 dmz 192.168.1.4:25, idle 0:00:00, bytes 0, flags saA
TCP outside 172.16.1.7:80 inside 10.1.1.2:4685, idle 0:00:06, bytes 11911, flags UfFrRIO
TCP dmz 192.168.1.6:22 inside 10.1.1.2:1474, idle 0:02:40, bytes 2580590, flags UIO
Example Connection States (TCP 3-Way Handshake)
[Diagram: inside host 10.0.0.100 and outside host 8.7.23.4; the SYN arrives from outside, the SYN-ACK is returned from inside, the ACK from outside completes the handshake]
After the SYN from outside (awaiting inside SYN, outside ACK and inside ACK):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags SaAB
After the SYN-ACK from inside (still awaiting the outside ACK):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags aB
After the ACK from outside (connection up):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UB
Example Connection States (TCP Data Transmission)
[Diagram: TCP PUSH segments carrying data in each direction between 10.0.0.100 and 8.7.23.4]
After inbound data (I):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UIB
After data in both directions (I and O):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UIOB
Example Connection States (TCP Close)
[Diagram: FIN from outside, FIN-ACK from inside, ACK from outside]
After the FIN from outside:
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBF
After the FIN-ACK from inside (inside FIN, and inside acknowledged the outside FIN):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBfFr
After the ACK from outside (outside acknowledged the inside FIN):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBfFRr
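As an added example (not part of the original deck), the following Python parses show conn lines like the ones above, expands the flag letters using the flag table on this page, and classifies each connection as in-handshake, established or closing. It also lists half-open connections that have carried no bytes, which is the symptom to look for before suspecting a return-path problem. The sample lines are the page's own show conn output; the function names are mine.

```python
import re

# Flag meanings, taken from the "Basic Connection States" table on this page
CONN_FLAGS = {
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "f": "inside FIN",
    "F": "outside FIN",
    "I": "inbound data",
    "O": "outbound data",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "U": "up",
}

# One line of "show conn": PROTO if_a ip:port if_b ip:port, idle h:mm:ss, bytes N, flags XYZ
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s+idle\s+(?P<idle>[\d:]+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)


def parse_conn(line):
    """Parse one show conn line into a dict; the flags become a set of letters."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a show conn line: {line!r}")
    conn = m.groupdict()
    for key in ("port_a", "port_b", "bytes"):
        conn[key] = int(conn[key])
    conn["flags"] = set(conn["flags"]) - {"-"}  # UDP prints "-" when no flag applies
    return conn


def describe_flags(flags):
    """Expand flag letters to the table's wording, in a stable (sorted) order."""
    return [CONN_FLAGS.get(f, f"unknown flag {f}") for f in sorted(flags)]


def stage(conn):
    """Where in its lifecycle the connection is, judged from the flags alone."""
    if conn["proto"] != "TCP":
        return "udp"
    f = conn["flags"]
    if f & {"s", "S", "a", "A"} and "U" not in f:
        return "handshake"  # still waiting on a SYN or an ACK
    if f & {"f", "F", "r", "R"}:
        return "closing"  # at least one FIN has been seen
    if "U" in f:
        return "established"
    return "unknown"


def stuck_handshakes(lines):
    """Half-open TCP connections with zero bytes: the signature of replies that never return."""
    found = []
    for line in lines:
        conn = parse_conn(line)
        if stage(conn) == "handshake" and conn["bytes"] == 0:
            found.append(f"{conn['ip_a']}:{conn['port_a']} <-> {conn['ip_b']}:{conn['port_b']} "
                         f"({', '.join(describe_flags(conn['flags']))})")
    return found


# The three lines from the show conn output on this page
SAMPLE = [
    "TCP outside 172.16.3.9:2230 dmz 192.168.1.4:25, idle 0:00:00, bytes 0, flags saA",
    "TCP outside 172.16.1.7:80 inside 10.1.1.2:4685, idle 0:00:06, bytes 11911, flags UfFrRIO",
    "TCP dmz 192.168.1.6:22 inside 10.1.1.2:1474, idle 0:02:40, bytes 2580590, flags UIO",
]

if __name__ == "__main__":
    for line in SAMPLE:
        c = parse_conn(line)
        print(stage(c), describe_flags(c["flags"]))
    print(stuck_handshakes(SAMPLE))
```

Paste a whole show conn dump into stuck_handshakes and anything it returns is a flow whose handshake never completed; combined with the SYN Timeout teardown message shown later on this page, that is the starting point for the asymmetric-routing check.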
Troubleshooting Common Stateful Issues: Packets Are Not Coming Back
[Diagram: inside host behind two ASAs (ASA1 and ASA2) toward the outside; the SYN leaves through ASA1 but no reply comes back through it]
ASA1#show conn
TCP outside 8.7.23.4:25 inside 10.0.0.100:1072, idle 0:00:00, bytes 0, flags saA
ASA1#show logging
%ASA-6-302013: Built outbound TCP connection 11 for inside:10.0.0.100/1072 (10.0.0.100/1072) to outside:8.7.23.4/25 (8.7.23.4/25)
%ASA-6-302014: Teardown TCP connection 11 for inside:10.0.0.100/1072 to outside:8.7.23.4/25 duration 0:00:30 bytes 0 SYN Timeout
Asymmetric Traffic
• You have two ASAs connected to the same ISP.
• The ISP load balances traffic across the two ASAs.
[Diagram: the SYN leaves through ASA1; the SYN-ACK returns through ASA2, which has no matching connection and drops it]
ASA2#show conn
UDP outside 40.1.2.30:53 inside 10.0.0.10:51132, idle 0:01:41, bytes 1739, flags -
TCP outside 30.2.4.5:22 inside 10.0.0.25:1474, idle 0:02:40, bytes 2580590, flags UIO
ASA2#show logging
%ASA-6-106015: Deny TCP (no connection) from 8.7.23.4:25 to 10.0.0.100:1072 flags SYN ACK on interface outside
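The two log messages above are the evidence pair for this problem: a SYN Timeout teardown on the unit that saw the SYN, and a "Deny TCP (no connection)" for the SYN-ACK on the unit that did not. As an added example (not from the deck), this Python correlates syslog from several units and reports flows whose outbound and return paths went through different ASAs. The sample log lines are constructed to the format of the messages on this page; the regexes accept both the ip/port form the ASA writes and the ip:port form the slides show.

```python
import re

# Separator between IP and port: the ASA writes ip/port; this page's slides show ip:port in places
SEP = r"[:/]"

TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)" + SEP + r"(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)" + SEP + r"(?P<dst_port>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src_ip>[\d.]+)" + SEP + r"(?P<src_port>\d+) "
    r"to (?P<dst_ip>[\d.]+)" + SEP + r"(?P<dst_port>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)


def syn_timeouts(lines):
    """Flows a unit gave up on because no SYN-ACK ever came back, as (client, server) pairs."""
    out = []
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if m and m["reason"] == "SYN Timeout":
            out.append(((m["src_ip"], int(m["src_port"])), (m["dst_ip"], int(m["dst_port"]))))
    return out


def orphan_syn_acks(lines):
    """SYN-ACKs dropped for lack of a connection entry, as (client, server) pairs."""
    out = []
    for line in lines:
        m = DENY_RE.search(line)
        if m and {"SYN", "ACK"} <= set(m["flags"].split()):
            # The deny is logged server->client; flip it back to client->server
            out.append(((m["dst_ip"], int(m["dst_port"])), (m["src_ip"], int(m["src_port"]))))
    return out


def find_asymmetric_flows(logs_by_unit):
    """Match SYN timeouts on one unit with orphan SYN-ACKs for the same flow on another unit."""
    timeouts = {unit: set(syn_timeouts(lines)) for unit, lines in logs_by_unit.items()}
    orphans = {unit: set(orphan_syn_acks(lines)) for unit, lines in logs_by_unit.items()}
    findings = []
    for out_unit, flows in timeouts.items():
        for ret_unit, dropped in orphans.items():
            if ret_unit == out_unit:
                continue
            for client, server in sorted(flows & dropped):
                findings.append({
                    "client": f"{client[0]}:{client[1]}",
                    "server": f"{server[0]}:{server[1]}",
                    "outbound_unit": out_unit,
                    "return_unit": ret_unit,
                })
    return findings


# Constructed sample logs modelled on the messages on this page (not real captures)
SAMPLE_LOGS = {
    "ASA1": [
        "%ASA-6-302013: Built outbound TCP connection 11 for inside:10.0.0.100/1072 (10.0.0.100/1072) to outside:8.7.23.4/25 (8.7.23.4/25)",
        "%ASA-6-302014: Teardown TCP connection 11 for inside:10.0.0.100/1072 to outside:8.7.23.4/25 duration 0:00:30 bytes 0 SYN Timeout",
        "%ASA-6-302014: Teardown TCP connection 12 for inside:10.0.0.25/1474 to outside:30.2.4.5/22 duration 0:05:10 bytes 2580590 TCP FINs",
    ],
    "ASA2": [
        "%ASA-6-106015: Deny TCP (no connection) from 8.7.23.4/25 to 10.0.0.100/1072 flags SYN ACK on interface outside",
    ],
}

if __name__ == "__main__":
    for finding in find_asymmetric_flows(SAMPLE_LOGS):
        print(finding)
```

A SYN Timeout on its own only says the reply never arrived; a 106015 with SYN ACK flags on its own can also be a stray retransmission. It is the same client/server pair appearing in both, on different units, that points at the ISP's load balancing rather than at the server.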
Addressing the Issue
• Call the ISP to stop load balancing traffic between the two ASAs.
• Configure TCP State Bypass on ASA2.
[Diagram: with state bypass on ASA2, the SYN-ACK returning through ASA2 is no longer dropped]
TCP State Bypass
• You can bypass Cisco ASA security appliance stateful inspection algorithms for some flows.
• It is configurable through Cisco MPF traffic classes.
• It causes the appliance to treat these flows similarly to Cisco IOS Software stateless ACLs.
• It also disables Cisco AIC, Cisco ASA AIP-SSM, Cisco SSC-SSM,* cut-through proxy, and the TCP normalizer for these flows.
• It is used only for trusted flows.
[Diagram: the TCP SYN and the TCP SYN-ACK (synchronization and acknowledgment) take different paths; without state bypass the ASA denies the unidirectional TCP flow]
TCP State Bypass: CLI Configuration
access-list STATE-BYPASS-ACL permit tcp host 10.0.0.100 host 8.7.23.4 eq 25
access-list STATE-BYPASS-ACL permit tcp host 8.7.23.4 eq 25 host 10.0.0.100
!
class-map STATE-BYPASS
match access-list STATE-BYPASS-ACL
!
policy-map global_policy
class STATE-BYPASS
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
Create ACLs that match the traffic that should bypass stateful inspection.
Create a class map and specify the matching criteria.
Edit the policy map and apply actions to the traffic classes.
The default service policy is already applied globally.
TCP Normalizer and Fragmentation
TCP Normalizer Overview
• The Cisco ASA security appliance TCP normalizer feature does the following:
  • Verifies adherence to the TCP protocol and prevents evasion attacks
  • Minimizes TCP features by default
  • Performs TCP sequence number randomization for protected hosts
  • Provides the reassembled byte stream to upper-layer inspectors
[Diagram: incoming TCP segments are normalized and reassembled into a byte stream before inspection]
Sequence Number Randomization
• Only happens on communication from high- to low-security interfaces
• Only done to the initial SYN packet
• Tracked in the stateful table
[Diagram: client on inside (security level 100), server and hacker on outside (security level 0); the SYN's sequence number is rewritten as it crosses the ASA (Seq 236745 and Seq 0 shown on the two sides)]
Cisco ASA Security Appliance IP Fragment Handling
• The appliance performs virtual IP reassembly:
  • Buffers fragments of a packet until all have been received
  • Verifies that fragments are properly fragmented
  • Reassembles IP fragments internally to perform TCP normalization and application inspection
  • Forwards fragments as they are received
[Diagram: incoming IP fragments are reassembled internally for inspection and forwarded as outgoing IP fragments]
Fragment size, chain, and timeout
!
fragment size 1000 inside
fragment size 1000 outside
!
fragment chain 250 inside
fragment chain 250 outside
!
fragment timeout 10 inside
fragment timeout 10 outside
• Fragmentation is controlled per interface.
• The fragment size controls how many fragments the database can hold for reassembly.
• The fragment chain controls into how many fragments a single packet can be split.
• Note: By default the fragment database waits only 5 seconds for all fragments of a packet to arrive (the fragment timeout). If all fragments of the packet do not arrive within the configured number of seconds, all fragments of the packet that were already received are discarded.
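To make the three knobs concrete, here is an added example (mine, not the appliance's code) of a virtual-reassembly buffer that enforces a database size, a per-packet chain limit and a timeout, and that drops overlapping fragments as "not properly fragmented". Offsets are plain byte offsets for readability (the real IP header counts them in 8-byte units); the class and field names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Fragment:
    pkt_id: int      # IP identification field shared by all fragments of one packet
    offset: int      # byte offset of this payload within the original packet
    more: bool       # IP "more fragments" flag
    payload: bytes


@dataclass
class _Chain:
    first_seen: float
    frags: list = field(default_factory=list)


class FragmentDatabase:
    """Per-interface virtual reassembly with the knobs from this page:
    size (fragments the database holds), chain (fragments per packet), timeout (seconds)."""

    def __init__(self, size=200, chain=24, timeout=5):
        self.size, self.chain, self.timeout = size, chain, timeout
        self.chains = {}  # pkt_id -> _Chain

    def buffered(self):
        return sum(len(c.frags) for c in self.chains.values())

    def expire(self, now):
        """Discard every chain whose fragments did not all arrive within `timeout` seconds."""
        stale = [pid for pid, c in self.chains.items() if now - c.first_seen > self.timeout]
        for pid in stale:
            del self.chains[pid]
        return stale

    def add(self, frag, now):
        """Feed one fragment. Returns ('buffered', None), ('reassembled', bytes) or ('dropped', reason)."""
        self.expire(now)
        if self.buffered() >= self.size:
            return ("dropped", "fragment database full")
        chain = self.chains.get(frag.pkt_id)
        if chain is None:
            chain = self.chains[frag.pkt_id] = _Chain(first_seen=now)
        if len(chain.frags) + 1 > self.chain:
            del self.chains[frag.pkt_id]
            return ("dropped", "fragment chain limit exceeded")
        chain.frags.append(frag)
        verdict, data = self._check(chain)
        if verdict != "buffered":
            del self.chains[frag.pkt_id]  # done with this packet either way
        return (verdict, data)

    @staticmethod
    def _check(chain):
        """Verify the fragments form a gap-free, non-overlapping sequence ending in a last fragment."""
        ordered = sorted(chain.frags, key=lambda f: f.offset)
        expected = 0
        for f in ordered:
            if f.offset < expected:
                return ("dropped", "overlapping fragments")
            if f.offset > expected:
                return ("buffered", None)  # gap: a middle piece is still missing
            expected = f.offset + len(f.payload)
        if ordered[-1].more:
            return ("buffered", None)      # the tail has not arrived yet
        return ("reassembled", b"".join(f.payload for f in ordered))


if __name__ == "__main__":
    db = FragmentDatabase(size=10, chain=3, timeout=5)
    # Constructed packet: three pieces of "hello world" arriving out of order
    print(db.add(Fragment(1, 0, True, b"hel"), 0.0))
    print(db.add(Fragment(1, 7, False, b"orld"), 0.1))
    print(db.add(Fragment(1, 3, True, b"lo w"), 0.2))
```

The chain limit is what the lab config later on this page raises (fragment chain 30) for VPN traffic: a packet split into more pieces than the chain allows is discarded whole, so raising the limit is the fix, not disabling reassembly.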
CCIE Security Example
[Lab topology diagram (same as above) with callouts: Normalizer Tuning (Increase Conn Timeout); BGP Peer to BGP Peer: BGP Peering (Disable SNR, and Keep Options); VPN Tunnel: Fragmentation (Increase fragmentation chain)]
Timeout Extension, BGP Peering, and Fragment Tuning
access-list SSH-TO-HOST permit tcp 209.165.200.0 255.255.255.0 host 10.0.4.3 eq 22
access-list BGP-PEERING permit tcp host 10.0.1.1 host 10.0.2.1 eq 179
access-list BGP-PEERING permit tcp host 10.0.2.1 host 10.0.1.1 eq 179
!
class-map BGP-PEERING
match access-list BGP-PEERING
!
tcp-map TCP-BGP-AUTH
tcp-options range 19 19 allow
!
class-map HOST-TIMEOUT
match access-list SSH-TO-HOST
!
policy-map CUSTOM_MPF_POLICY
class HOST-TIMEOUT
set connection timeout idle 4:00:00 reset
class BGP-PEERING
set connection advanced-options TCP-BGP-AUTH
set connection random-sequence-number disable
!
service-policy CUSTOM_MPF_POLICY global
fragment chain 30 inside
fragment chain 30 outside
CCIE Security Lab
Network Address Translation (NAT)
ASA NAT on 8.2 and Earlier vs. 8.3 and Later
NAT in 8.2 and Earlier:
• Very strict order of processing NAT
• ACLs for server access need to reference the MAPPED IP (NATed IP)
• Not object-oriented; hard to follow and hard to structure
• NAT control
• Interfaces needed to be named for NAT to work
NAT changes in 8.3 and Later:
• NAT processed from the top down
• ACLs for server access need to reference the REAL IP (server IP)
• Object-oriented, very structured, and scalable
• NAT control removed
• The any keyword can now be used to save time and lines of configuration
• Twice NAT support
• Global ACL support (input traffic only)
Static NAT
• Static NAT is used to link two interfaces that need access to the outside world.
• It is used for a server to communicate on a low-security interface using a routable IP while still maintaining its private IP.
[Diagram: server with local address 172.16.1.20 on dmz is translated to 209.165.200.230 on outside toward the Internet]
Static NAT Examples
8.2 and Earlier: static (real interface,mapped interface) mapped IP private IP
ASA1(config)#static (dmz,outside) 209.165.200.230 172.16.1.20
8.3 and Later: object name and private IP, then NAT type and mapped IP
ASA1(config)# object network DMZ-Server
ASA1(config-network-object)# host 172.16.1.20
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.230
Dynamic NAT
• Dynamic NAT allows many intern
al clients to translate to a range of public IPs.
• Note: The size of the range of public IPs limits how many clients can reach the Internet at the same time.
[Diagram: local addresses 10.0.1.0/24 on inside translate to 209.165.200.230-235 on outside toward the Internet]
Dynamic NAT Examples
8.2 and Earlier: private IP subnet, then mapped IP range
ASA1(config)#nat (inside) 1 10.0.1.0 255.255.255.0
ASA1(config)#global (outside) 1 209.165.200.230-209.165.200.235
8.3 and Later: mapped IP range object, private IP subnet object, then the mapped range applied
ASA1(config)# object network Public_Pool
ASA1(config-network-object)# range 209.165.200.230-209.165.200.235
ASA1(config)# object network Inside_Network
ASA1(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic Public_Pool
Dynamic PAT
• Dynamic PAT allows many internal clients to translate to a single public address.
[Diagram: local addresses 10.0.1.0/24 on inside translate to the outside interface IP toward the Internet]
Dynamic PAT Examples
8.2 and Earlier: private IP subnet, then the interface as the global address
ASA1(config)#nat (inside) 1 10.0.1.0 255.255.255.0
ASA1(config)#global (outside) 1 interface
8.3 and Later: private IP subnet object, then PAT to the interface
ASA1(config)# object network Inside_Network
ASA1(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
Static PAT
• Static PAT is used to link one public IP to more than one server regardless of interface.
[Diagram: FTP server 172.16.1.20 and HTTP server 172.16.1.21 on dmz share the single mapped address 209.165.200.230 on outside toward the Internet]
Static PAT Examples
8.2 and Earlier: mapped IP and mapped port, then real IP and real port
ASA1(config)#static (dmz,outside) tcp 209.165.200.230 ftp 172.16.1.20 ftp
8.3 and Later: mapped IP, then real port and mapped port
ASA1(config)# object network DMZ-Server
ASA1(config-network-object)# host 172.16.1.20
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.230 tcp ftp ftp
Troubleshooting NAT
NAT Table Changes: Cisco ASA Software Version 8.3 and Later
• NAT configuration builds entries in the NAT table.
• The new NAT table in Cisco ASA Software Version 8.3 and later has three parts:
  - Manual NAT (first section)
    • Default location for manual NAT statements
  - Auto NAT (second section)
    • Also called object NAT
    • Default location for auto NAT statements
  - Manual NAT after auto NAT (third section)
    • Manual NAT entries that are specified with the after-auto keyword
NAT 8.3 and Later Order
ASA1(config)# show run nat
Manual NAT:
nat (dmz-wireless,outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
nat (inside,outside) source static smtp_access interface service smtp_port smtp_port
nat (outside,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (dmz-wireless,outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
nat (inside,outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
!
Auto NAT:
object network inside-192.168.1.0
nat (inside,dmz-wireless) static 192.168.1.0 no-proxy-arp route-lookup
object network All_Networks
nat (any,outside) dynamic interface
object network http_access
nat (inside,outside) static interface service tcp www www
object network https_access
nat (inside,outside) static interface service tcp www www
NAT 8.3 and Later Order
ASA1(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz-wireless) to (outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
translate_hits = 319, untranslate_hits = 320
2 (inside) to (outside) source static smtp_access interface service smtp_port smtp_port
translate_hits = 9780, untranslate_hits = 11515
3 (outside) to (outside) source dynamic DM_INLINE_NETWORK_1 interface
translate_hits = 34, untranslate_hits = 163
4 (dmz-wireless) to (outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
translate_hits = 12, untranslate_hits = 0
5 (inside) to (outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
translate_hits = 714, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static http_access interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static https_access interface service tcp www www
translate_hits = 0, untranslate_hits = 0
3 (inside) to (dmz-wireless) source static inside-192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
translate_hits = 175, untranslate_hits = 31834
4 (any) to (outside) source dynamic All_Networks interface
translate_hits = 1098827, untranslate_hits = 161280
NAT 8.3 and Later Order
Manual NAT Sections 1 and 3
• Applied on a first-match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section 1.
[Diagram: inside host 10.0.0.100 and outside host 172.16.1.254]
ASA1(config)# show run nat
<input omitted>
!
nat (dmz-wireless,outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
nat (inside,outside) source static smtp_access interface service smtp_port smtp_port
nat (outside,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (dmz-wireless,outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
nat (inside,outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
!
!
ASA1(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz-wireless) to (outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
translate_hits = 319, untranslate_hits = 320
2 (inside) to (outside) source static smtp_access interface service smtp_port smtp_port
translate_hits = 9780, untranslate_hits = 11515
3 (outside) to (outside) source dynamic DM_INLINE_NETWORK_1 interface
translate_hits = 34, untranslate_hits = 163
4 (dmz-wireless) to (outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
translate_hits = 12, untranslate_hits = 0
5 (inside) to (outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
translate_hits = 714, untranslate_hits = 0
NAT 8.3 and Later Order
Auto NAT Section 2
Section 2 rules are applied in the following order, as automatically determined by the ASA:
1. Static rules.
2. Dynamic rules.
Within each rule type, the following ordering guidelines are used:
a. Quantity of real IP addresses—From smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.
b. For quantities that are the same, then the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.
c. If the same IP address is used, then the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.
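The three tie-break rules above are easy to misjudge when objects overlap, so here is an added example (mine, not Cisco's implementation) that sorts object NAT rules exactly as the list describes: static before dynamic, then fewest real addresses, then lowest address, then object name. It is fed the four objects from the show run nat on this page and reproduces the order of the show nat output; the host addresses behind http_access and https_access are not on the slide, so 192.168.1.10 is an assumed value, and the rule-dict layout is mine.

```python
import ipaddress


def _real_ip_stats(kind, value):
    """(number of real addresses, lowest address as an int) for one network object."""
    if kind == "host":
        return 1, int(ipaddress.ip_address(value))
    if kind == "subnet":
        net = ipaddress.ip_network(value, strict=False)
        return net.num_addresses, int(net.network_address)
    if kind == "range":
        lo, hi = (ipaddress.ip_address(x.strip()) for x in value.split("-"))
        return int(hi) - int(lo) + 1, int(lo)
    if kind == "any":
        return 2 ** 32, 0  # every address: sorts after any explicit object
    raise ValueError(f"unknown object kind {kind!r}")


def section2_key(rule):
    """Sort key implementing the Auto NAT (section 2) ordering on this page:
    static before dynamic, then fewest real IPs, then lowest IP, then object name."""
    count, lowest = _real_ip_stats(rule["kind"], rule["value"])
    nat_rank = 0 if rule["nat"] == "static" else 1
    return (nat_rank, count, lowest, rule["name"])


def auto_nat_order(rules):
    """Names of the rules in the order the ASA would evaluate them."""
    return [r["name"] for r in sorted(rules, key=section2_key)]


# Constructed from the show run nat on this page (the two host addresses are assumed)
PAGE_RULES = [
    {"name": "inside-192.168.1.0", "kind": "subnet", "value": "192.168.1.0/24", "nat": "static"},
    {"name": "All_Networks", "kind": "any", "value": "", "nat": "dynamic"},
    {"name": "http_access", "kind": "host", "value": "192.168.1.10", "nat": "static"},
    {"name": "https_access", "kind": "host", "value": "192.168.1.10", "nat": "static"},
]

if __name__ == "__main__":
    for position, name in enumerate(auto_nat_order(PAGE_RULES), 1):
        print(position, name)
```

Run it on your own object list before relying on a more specific object "winning": the deciding factor is object size and address, never the order in the running configuration.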
NAT 8.3 and Later Order
ASA1(config)# show run nat
<input omitted>
!
object network inside-192.168.1.0
nat (inside,dmz-wireless) static 192.168.1.0 no-proxy-arp route-lookup
object network All_Networks
nat (any,outside) dynamic interface
object network http_access
nat (inside,outside) static interface service tcp www www
object network https_access
nat (inside,outside) static interface service tcp www www
!
ASA1(config)# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static http_access interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static https_access interface service tcp www www
translate_hits = 0, untranslate_hits = 0
3 (inside) to (dmz-wireless) source static inside-192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
translate_hits = 175, untranslate_hits = 31834
4 (any) to (outside) source dynamic All_Networks interface
translate_hits = 1098827, untranslate_hits = 161280
CCIE Security Example
[Lab topology diagram (same as above) with callouts: Static NAT, Dynamic PAT]
Dynamic PAT Solution (CCIE Security Lab)
ASA1(config)#nat (inside) 1 10.0.3.0 255.255.255.0
ASA1(config)#global (outside) 1 interface
ASA1(config)# object network Client_Network
ASA1(config-network-object)# subnet 10.0.3.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
8.2 and Earlier
8.3 and Later
Static NAT Solution (CCIE Security Lab)
ASA1(config)#static (dmz,outside) 209.165.200.3 10.0.4.3
ASA1(config)# object network Server
ASA1(config-network-object)# host 10.0.4.3
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.3
8.2 and Earlier
8.3 and Later
Modular Policy Framework (MPF)
Cisco ASA Security Appliance Cisco MPF Overview
• Different traffic flows may require different network policies.
• Cisco MPF provides granularity and flexibility when you implement network policies for traffic flows:
  • Defines traffic flows that require access control beyond ACLs
  • Associates network policies with traffic flows
  • Enables network policies on specific interfaces or globally
[Diagram: branch office, headquarters and Internet, with example policies: prioritize VoIP traffic; send traffic from the Internet to the Cisco ASA CSC-SSM; allow only safe HTTP methods; enable data loss prevention for HTTP, FTP, and SMTP traffic]
OSI Layer 3 and Layer 4 Class Maps
• To identify traffic for IP phones (branch office VoIP traffic), match DSCP EF.
Configure OSI Layer 3 and Layer 4 Policies: CLI Commands
class-map VoIP
match dscp ef
!
policy-map outside-policy
class VoIP
priority
!
service-policy outside-policy interface outside
Create a class map and specify the matching attribute.
Create a policy map.
Refer to the class map.
Specify an action for the traffic class.
Apply the policy map to the interface using the service policy.
Verify OSI Layer 3 and Layer 4 Policies
ASA1#show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
<...part of the output omitted...>
Interface outside:
Service-policy: outside-policy
Class-map: VoIP
Priority:
Interface outside: aggregate drop 0, aggregate transmit 0
Class-map: class-default
Regular Expressions
• Regular expressions are a computer language that is used to describe patterns.
• Used to describe a set of strings without describing individual elements
• Used by the security appliance to match custom application layer content
[Diagram: example policies toward the ISP: drop HTTP requests containing "CMD.EXE", "/bin/sh", "/bin/bash", "/bin/ksh", "/bin/tcsh"...; allow only HTTP requests to the "cisco.com" domain; block bad.com and iamverybad.com]
Configure OSI Layers 5 to 7 Policies: CLI Commands
regex BAD_PAGES "[Bb][Aa][Dd]\.[Cc][Oo][Mm]"
regex VERYBAD_PAGES "[Ii][Aa][Mm][Vv][Ee][Rr][Yy][Bb][Aa][Dd]\.[Cc][Oo][Mm]"
!
class-map type regex match-any BAD_PAGES_CLASS
match regex BAD_PAGES
match regex VERYBAD_PAGES
!
class-map type inspect http match-any BAD_HTTP_TRAFFIC
match request header host regex class BAD_PAGES_CLASS
!
policy-map type inspect http INSPECT_HTTP
class BAD_HTTP_TRAFFIC
reset log
!
policy-map global_policy
class inspection_default
inspect http INSPECT_HTTP
Create regular expressions (the regex names must match the match regex lines in the regex class map).
Create a regular expression class map.
Create a Layers 5 to 7 class map for HTTP traffic.
Specify match attributes inside HTTP traffic.
Create a Layers 5 to 7 policy map for HTTP traffic.
Refer to the Layers 5 to 7 class map and apply actions.
Apply the Layers 5 to 7 policy map in a Layers 3 and 4 policy map.
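A match regex is an unanchored search, so the two patterns above fire on any Host header that merely contains bad.com, and iamverybad.com trips both of them. As an added example (not from the deck), this Python runs the page's patterns and a hypothetical tightened pair over constructed Host header values so the over-match is visible; the tightened patterns are mine and use Python syntax, so before porting anchors or groups to the appliance check them with the ASA's test regex command.

```python
import re

# The two patterns exactly as written in the regex statements on this page
ASA_REGEX = {
    "BAD_PAGES": r"[Bb][Aa][Dd]\.[Cc][Oo][Mm]",
    "VERYBAD_PAGES": r"[Ii][Aa][Mm][Vv][Ee][Rr][Yy][Bb][Aa][Dd]\.[Cc][Oo][Mm]",
}

# Hypothetical tightened patterns (mine): the host must be the domain itself or a subdomain of it,
# optionally followed by a port, and nothing else
TIGHT_REGEX = {
    "BAD_PAGES": r"^(?:[^/]*\.)?bad\.com(?::\d+)?$",
    "VERYBAD_PAGES": r"^(?:[^/]*\.)?iamverybad\.com(?::\d+)?$",
}


def matches(patterns, host_header, flags=0):
    """Names of the patterns that fire on a Host header value.
    re.search is unanchored, which is how a class-map match regex behaves."""
    return [name for name, pat in patterns.items() if re.search(pat, host_header, flags)]


def asa_style(host_header):
    """Verdict of the page's regexes (case handled by the character classes themselves)."""
    return matches(ASA_REGEX, host_header)


def tightened(host_header):
    """Verdict of the anchored patterns; case-insensitivity comes from the flag instead."""
    return matches(TIGHT_REGEX, host_header, re.IGNORECASE)


# Constructed Host header values chosen to expose the difference between the two rule sets
PROBES = ["www.bad.com", "BAD.COM:8080", "iamverybad.com", "notbad.com", "bad.com.example.net", "good.com"]


def compare(probes=PROBES):
    """Side-by-side verdicts for each probe."""
    return {h: {"page": asa_style(h), "tight": tightened(h)} for h in probes}


if __name__ == "__main__":
    for host, verdict in compare().items():
        print(f"{host:22} page={verdict['page']}  tight={verdict['tight']}")
```

The probe notbad.com is the one to watch: the page's pattern resets that connection too, and bad.com.example.net shows that a matching prefix is enough for an unanchored pattern. Whichever form you settle on, confirm it on the appliance with test regex, since that runs the ASA's own engine rather than Python's.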
Verify OSI Layers 5 to 7 Policies: CLI Commands
ASA1#show service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
<…output omitted…>
Inspect: http INSPECT_HTTP, packet 484, drop 6, reset-drop 6
Inspect: icmp, packet 38, drop 0, reset-drop 0
Interface Branch_Net:
Service-policy: Branch_Net-policy
Class-map: VoIP1
Priority:
Interface Branch_Net: aggregate drop 0, aggregate transmit 0
Class-map: class-default
CCIE Security Example
[Lab topology diagram (same as above) with callouts: Server Protections (Embryonic), Server Protections (Conn Limit), FTP Server (FTP Inspection)]
Embryonic Conn, Conn Limits and FTP Inspection
access-list SERVER_EMB_LIMITS permit ip any host 209.165.300.57
!
access-list SERVER_TRAFFIC_LIMITS permit ip any host 209.165.300.57
!
access-list FTP_TRAFFIC permit tcp any host 10.0.4.3 eq 21
!
class-map FTP_TRAFFIC_PASS
match access-list FTP_TRAFFIC
!
class-map CONN_MAX
match access-list SERVER_TRAFFIC_LIMITS
!
class-map EMBRYONIC_CONN_MAX
match access-list SERVER_EMB_LIMITS
!
policy-map SERVER_POLICY
class EMBRYONIC_CONN_MAX
set connection embryonic-conn-max 90 per-client-embryonic-max 10
class CONN_MAX
set connection conn-max 10000 per-client-max 50
class FTP_TRAFFIC_PASS
inspect ftp
!
service-policy SERVER_POLICY interface outside
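The set connection limits in the policy above are easiest to reason about as four counters checked on every new SYN. As an added example (mine, not the ASA's implementation), this Python tracks embryonic and established connections to a protected server and returns which limit, if any, rejects a SYN, using the page's values (90 embryonic, 10 per client, 10000 total, 50 per client) as defaults. The addresses in the flood helper are constructed documentation addresses, not the lab's.

```python
class ConnectionLimiter:
    """Server-protection limits as set by 'set connection ...' on this page:
    conn-max / per-client-max bound all connections to the protected server,
    embryonic-conn-max / per-client-embryonic-max bound half-open (SYN-only) ones."""

    def __init__(self, conn_max=10000, per_client_max=50, embryonic_max=90, per_client_embryonic_max=10):
        self.conn_max = conn_max
        self.per_client_max = per_client_max
        self.embryonic_max = embryonic_max
        self.per_client_embryonic_max = per_client_embryonic_max
        self.embryonic = {}    # flow key -> client ip (SYN seen, handshake incomplete)
        self.established = {}  # flow key -> client ip (handshake completed)

    def _per_client(self, table, client):
        return sum(1 for c in table.values() if c == client)

    def syn(self, client, flow):
        """A SYN for `flow` (any hashable key, e.g. (client, sport, server, dport)) arrives.
        Returns 'allowed' or 'denied: <limit>' naming the first limit that is hit."""
        if flow in self.embryonic or flow in self.established:
            return "allowed"  # retransmitted SYN of a flow already tracked
        if len(self.embryonic) + len(self.established) >= self.conn_max:
            return "denied: conn-max"
        if self._per_client(self.embryonic, client) + self._per_client(self.established, client) >= self.per_client_max:
            return "denied: per-client-max"
        if len(self.embryonic) >= self.embryonic_max:
            return "denied: embryonic-conn-max"
        if self._per_client(self.embryonic, client) >= self.per_client_embryonic_max:
            return "denied: per-client-embryonic-max"
        self.embryonic[flow] = client
        return "allowed"

    def handshake_done(self, flow):
        """Final ACK seen: the flow is no longer embryonic."""
        self.established[flow] = self.embryonic.pop(flow)

    def close(self, flow):
        self.embryonic.pop(flow, None)
        self.established.pop(flow, None)

    def counts(self):
        return {"embryonic": len(self.embryonic), "established": len(self.established)}


def syn_burst(limiter, client, n, server=("203.0.113.57", 21), start_port=40000):
    """Constructed burst of n SYNs from one client to the server; returns the verdict for each."""
    return [limiter.syn(client, (client, start_port + i) + server) for i in range(n)]


if __name__ == "__main__":
    lim = ConnectionLimiter()
    verdicts = syn_burst(lim, "192.0.2.10", 12)
    print(verdicts.count("allowed"), "allowed;", verdicts[-1], lim.counts())
```

Note the order of the checks: the per-client embryonic limit is what stops one host from filling the half-open table, while embryonic-conn-max caps what many hosts can do together; the page's per-client value of 10 is deliberately far below the global 90.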
CCIE Security Lab
Failover Active/Standby
Cisco ASA Adaptive Security Appliance Active/Standby Failover Overview
• Two Cisco ASA security appliances can be paired in an active/standby failover pair to provide device redundancy.
• One physical device is permanently designated as primary, the other device as secondary.
• One of the pair is elected to be in the active state (forwarding traffic), and the other in the hot standby state (waiting).
• The health of the devices is monitored over the LAN failover interface.
[Diagram: primary/active and secondary/standby units; outside network 192.168.1.0/24, inside network 10.0.1.0/24, failover link 10.1.1.0/29; the Internet beyond the outside]
Failover Deployment Options
• Stateless failover:
  • Provides hardware redundancy only.
  • All established statefully tracked connections are dropped after switchover.
  • Users may have to re-establish connections.
• Stateful failover extends stateless failover:
  • Provides hardware and state table redundancy.
  • Connections remain active during the failover.
  • Users do not have to re-establish connections.
  • Requires a stateful link between devices (in addition to the LAN-based failover link).
Stateful Failover Support
State information passed to the standby unit:
• NAT table
• TCP connection states
• UDP connection states
• ARP table
• MAC address table (applies to transparent mode only)
• ISAKMP SAs, IPsec SAs, SSL sessions
• GTP PDP connection database
• SIP signaling sessions
• Dynamic routing table entries
State information not passed to the standby unit:
• HTTP connection table (unless HTTP replication is enabled)
• User authentication table
• State information for Cisco AIP-SSM
• DHCP server leases
• Phone proxy sessions
• Cisco ASA security appliance supports IPv6 failover beginning with Cisco ASA Software Version 8.2(2).
Verify Active/Standby Failover
• Displays information about the failover status of the unit
ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 02:59:27 UTC Aug 1 2011
This host: Primary - Active
Active time: 930 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
Interface outside (192.168.1.2): Normal
Interface inside (10.0.1.1): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 495 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(1))status (Up Sys)
Interface outside (192.168.1.3): Normal
Interface inside (10.0.1.3): Normal
<…output omitted…>
Troubleshooting Failover Active/Standby
Troubleshooting Typical Failover Problems
• The ASAs are not like-for-like
• The secondary is not able to talk to the primary (failover cable issues)
• The monitoring interface policy was changed
• The secondary has failed
Cisco ASA Security Appliance Failover Requirements
• Hardware requirements for both devices:
  • Same hardware model
  • Same number and type of interfaces
  • Same SSM software installed (if any)
  • Same amount of RAM is recommended
• Software requirements for both devices:
  • Same major and minor software version
  • Same licensed features (8.2 and earlier)
  • License includes the active/standby failover feature
  • Same operating mode (transparent or routed, multiple- or single-context)
Verify Failover Peer
• Peer device has not been detected and failover cannot occur.
• Verify connectivity between devices and the failover configuration on the secondary device.
ASA1/act/pri# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
<…output omitted…>
Last Failover at: 02:59:27 UTC Aug 1 2011
This host: Primary - Active
Active time: 930 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
Interface outside (192.168.1.2): Normal (Waiting)
Interface inside (10.0.1.1): Normal (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Not Detected
Active time: 0 (sec)
slot 0: empty
Interface outside (192.168.1.3): Unknown (Waiting)
Interface inside (0.0.0.0): Unknown (Waiting)
slot 1: empty
Verify Active/Standby Failover Interface Policy
• Displays information about the failover status of the unit
ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 02:59:27 UTC Aug 1 2011
This host: Primary - Active
Active time: 930 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
Interface outside (192.168.1.2): Normal
Interface inside (10.0.1.1): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 495 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(1))status (Up Sys)
Interface outside (192.168.1.3): Normal
Interface inside (10.0.1.3): Normal
<…output omitted…>
Failover Health Monitoring
• Unit health monitoring
  • The Cisco ASA security appliance determines the health of the other unit by monitoring the failover link.
  • Devices exchange hello messages (sent every 1 sec) over the failover interface.
  • When there is no response from the active device, switchover occurs.
• Interface health monitoring
  • Each network interface can be monitored.
  • Devices exchange hello messages (sent every 5 sec) over monitored interfaces (interface policy 1).
  • When a specified number of monitored interfaces fail on the active device, switchover occurs.
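Putting the timers from the show failover output (unit poll 1 s / holdtime 15 s, interface poll 5 s / holdtime 25 s, interface policy 1) together with the two bullets above gives a small decision rule; here it is as an added example (mine, not the appliance's code), seen from the standby unit: switchover is called for when the last hello over the failover link is older than the unit holdtime, or when at least "interface policy" monitored interfaces have gone silent for longer than the interface holdtime. The hello timeline helper constructs sample schedules; all timestamps are seconds from an arbitrary start.

```python
class FailoverMonitor:
    """Standby-side view of unit and interface health monitoring with the timers
    shown in this page's show failover output."""

    def __init__(self, unit_poll=1, unit_hold=15, iface_poll=5, iface_hold=25,
                 iface_policy=1, monitored=("outside", "inside")):
        self.unit_poll, self.unit_hold = unit_poll, unit_hold
        self.iface_poll, self.iface_hold = iface_poll, iface_hold
        self.iface_policy = iface_policy
        self.last_unit_hello = None
        self.last_iface_hello = {name: None for name in monitored}

    def unit_hello(self, t):
        """Hello received from the active unit over the failover link at time t (seconds)."""
        self.last_unit_hello = t

    def iface_hello(self, name, t):
        """Hello received through monitored data interface `name` at time t."""
        if name not in self.last_iface_hello:
            raise KeyError(f"{name} is not a monitored interface")
        self.last_iface_hello[name] = t

    def unit_failed(self, now):
        return self.last_unit_hello is None or now - self.last_unit_hello > self.unit_hold

    def failed_interfaces(self, now):
        return sorted(name for name, t in self.last_iface_hello.items()
                      if t is None or now - t > self.iface_hold)

    def evaluate(self, now):
        """Decide whether a switchover is warranted at time `now` and say why."""
        failed = self.failed_interfaces(now)
        unit_down = self.unit_failed(now)
        missed = None if self.last_unit_hello is None else int((now - self.last_unit_hello) // self.unit_poll)
        switchover = unit_down or len(failed) >= self.iface_policy
        if unit_down:
            reason = "no hello on the failover link within holdtime"
        elif switchover:
            reason = f"{len(failed)} monitored interface(s) failed (policy {self.iface_policy})"
        else:
            reason = None
        return {"unit_failed": unit_down, "missed_unit_hellos": missed,
                "failed_interfaces": failed, "switchover": switchover, "reason": reason}


def hello_schedule(unit_until, outside_until, inside_until):
    """Constructed timeline: unit hellos every 1 s and interface hellos every 5 s,
    each stream stopping after the given second."""
    events = [(t, "unit") for t in range(0, unit_until + 1)]
    events += [(t, "iface", "outside") for t in range(0, outside_until + 1, 5)]
    events += [(t, "iface", "inside") for t in range(0, inside_until + 1, 5)]
    return events


def first_switchover(monitor, events, end):
    """Feed timestamped events in order and return the first second at which
    evaluate() calls for a switchover, or None if it never does by `end`."""
    events = sorted(events, key=lambda e: e[0])
    i = 0
    for now in range(0, end + 1):
        while i < len(events) and events[i][0] <= now:
            ev = events[i]
            i += 1
            if ev[1] == "unit":
                monitor.unit_hello(ev[0])
            else:
                monitor.iface_hello(ev[2], ev[0])
        if monitor.evaluate(now)["switchover"]:
            return now
    return None


if __name__ == "__main__":
    # Outside interface goes quiet at t=20 while the failover link stays healthy
    print(first_switchover(FailoverMonitor(), hello_schedule(60, 20, 60), 60))
```

The second scenario in the test (interface policy 2) is the case from the troubleshooting slide: raising the policy means a single failed interface no longer triggers a switchover, which is sometimes what was changed when failover "stopped working".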
CCIE Security Example
[Lab topology diagram (same as above): primary and secondary ASA each with Gig0/0 and Gig0/1 as data interfaces, with Gig0/3 as the failover link on 11.0.1.0/24]
Primary Security Appliance
• Configure active/standby failover on the primary Cisco ASA security appliance.
interface GigabitEthernet0/3
no shutdown
!
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 11.0.1.1 255.255.255.0 standby 11.0.1.2
failover link FAILOVER
failover key 6X9vLuFt983d8FltTf7
failover
!
interface GigabitEthernet0/1
ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
!
interface GigabitEthernet0/0
ip address 10.0.2.1 255.255.255.0 standby 10.0.2.2
Enable the interface used for failover.
Specify the unit as primary.
Specify the interface used as the failover interface.
Assign active and standby IP addresses to the failover link.
Specify the interface used as the stateful failover link.
Specify the key for the failover link.
Enable failover.
Specify active and standby IP addresses on each data interface.
Secondary Security Appliance
• Configure active/standby failover on the secondary Cisco ASA security appliance.
interface GigabitEthernet0/3
no shutdown
!
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 11.0.1.1 255.255.255.0 standby 11.0.1.2
failover link FAILOVER
failover key 6X9vLuFt983d8FltTf7
failover
Enable the interface used for failover.
Specify the unit as secondary.
Specify the interface used as the failover interface.
Assign active and standby IP addresses to the failover link.
Specify the interface used as the stateful failover link.
Specify the key for the failover link.
Enable failover.
Enable HTTP replication.
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you