
Page 1

Firewall Core for CCIE Candidates

By Rafael Leiva-Ochoa

BRKCCIE-3203

© 2013 Cisco Systems, Inc.

Page 2

Introduction

• Rafael Leiva-Ochoa

• @Cisco since Oct 2000

• Works in the TS Training Group (Part of Learning@Cisco)

• Delivers courses on Security to Global TAC Centers

• CCIE 19322 Security since 2007

Page 3

Step 1: Download the Mobile App

Get all the information you need at your fingertips!

Participate in session polling and Q&A

Step 2: Access the session

Log into the app using your Cisco Live login and find your session

http://bit.ly/clus2015

Page 4

CCIE Security Program Overview

Page 5

Firewall Topics Covered in CCIE Security

• Configure EtherChannel

• High availability and redundancy

• Layer 2 transparent firewall

• Security contexts (virtual firewall)

• Cisco Modular Policy Framework

• Identity firewall services

• Configure Cisco ASA with ASDM

• Context-aware services

• IPS capabilities

• QoS capabilities

CCIE Security Topics

• Cisco ASA firewalls

• Basic firewall Initialization

• Device management

• Address translation

• ACLs

• IP routing and route tracking

• Object groups

• VLANs

Page 6

Cisco Gear Used on CCIE Security

• Cisco 3800 Series Integrated Services Routers (ISR)

• Cisco 1800 Series Integrated Services Routers (ISR)

• Cisco 2900 Series Integrated Services Routers (ISR G2)

• Cisco Catalyst 3560-24TS Series Switches

• Cisco Catalyst 3750-X Series Switches

• Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances

• Cisco IPS Series 4200 Intrusion Prevention System sensors

• Cisco S-series Web Security Appliance

• Cisco ISE 3300 Series Identity Services Engine

• Cisco WLC 2500 Series Wireless LAN Controller

• Cisco Aironet 1200 Series Wireless Access Point

• Cisco IP Phone 7900 Series*

• Cisco Secure Access Control System

*Device Authentication only, provisioning of IP phones is NOT required.

Page 7

Cisco Code Used on CCIE Security

• Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T

• Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE

• Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x

• Cisco IPS Software Release 7.x

• Cisco VPN Client Software for Windows, Release 5.x

• Cisco Secure ACS System software version 5.3x

• Cisco WLC 2500 Series software 7.2x

• Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)

• Cisco WSA S-series software version 7.1x

• Cisco ISE 3300 series software version 1.1x

• Cisco NAC Posture Agent v4.X

• Cisco AnyConnect Client v3.0X

Cisco ASA GUI tools may or may not be available; therefore candidates are expected to configure Cisco ASA appliances using the CLI.

Page 8

ASA Code Versions Covered in CCIE Security

• Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x

Page 9

Agenda

• Introduction

• ASA 5500 and 5500-X Platform

• Stateful Features

• NAT

• MPF

• Failover

• Conclusion

Page 10

CCIE Security Practice Labs

Page 11

[Figure: CCIE Security practice lab topology. A Primary/Active and a Secondary/Standby ASA pair sits between the inside networks and the Internet. Labelled networks include 209.165.200.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 11.0.0.0/24 and 209.165.300.0/24 (as printed). Attached hosts include Guests, a DHCP Server, and HTTP, HTTPS and SMTP servers.]

Page 12

ASA 5500 and 5500-X Platform

Page 13

Cisco ASA 5500 Series Adaptive Security Appliances

[Figure: Cisco ASA 5500 platforms ordered by performance and scalability against deployment size (Teleworker, Branch Office, Internet Edge, Campus, Data Center): ASA-5505, ASA-5510, ASA-5520, ASA-5540, ASA-5550, ASA5585-S10P10, ASA5585-S20P20, ASA5585-S40P40, ASA5585-S60P60.]

Page 14

Cisco ASA 5500-X Series Next-Generation Firewalls

• Supports Cisco ASA Software Release 8.6.1 and later images; four times the firewall throughput of Cisco ASA 5500 Series platforms.

Page 15

ASA Stateful Features

Page 16

Connection Table

Page 17

Basic Connection States

Flag  Meaning                        Flag  Meaning
a     Awaiting outside ACK to SYN    O     Outbound data
A     Awaiting inside ACK to SYN     r     Inside acknowledged FIN
B     Initial SYN from outside       R     Outside acknowledged FIN
f     Inside FIN                     s     Awaiting outside SYN
F     Outside FIN                    S     Awaiting inside SYN
I     Inbound data                   U     Up

• Note: There are also other connection states that indicate application-awareness.

ASA1#show conn

TCP outside 172.16.3.9:2230 dmz 192.168.1.4:25, idle 0:00:00, bytes 0, flags saA

TCP outside 172.16.1.7:80 inside 10.1.1.2:4685, idle 0:00:06, bytes 11911, flags UfFrRIO

TCP dmz 192.168.1.6:22 inside 10.1.1.2:1474, idle 0:02:40, bytes 2580590, flags UIO
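The flag table above is what an operator decodes by eye; when a `show conn` capture runs to thousands of lines, it helps to parse it. The following Python is an added example (not code from the presentation or from Cisco) that parses the connection lines shown on this slide, expands the flags using the table, and classifies each connection as embryonic (handshake not finished), established, or closing. The sample capture is constructed from the slide's three lines plus one UDP entry; the line format is assumed to be exactly as printed on the slide.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Flag meanings as listed in the "Basic Connection States" table.
FLAGS: Dict[str, str] = {
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
    "f": "inside FIN",
    "F": "outside FIN",
    "I": "inbound data",
    "O": "outbound data",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "U": "up",
}

# One line of "show conn": PROTO if1 ip:port if2 ip:port, idle h:mm:ss, bytes N, flags X
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+),\s+idle\s+(?P<idle>\d+:\d\d:\d\d),"
    r"\s+bytes\s+(?P<byte_count>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)


@dataclass
class Conn:
    proto: str
    if1: str          # first endpoint as printed (the ASA prints the lower-security side first)
    ip1: str
    port1: int
    if2: str          # second endpoint as printed
    ip2: str
    port2: int
    idle_seconds: int
    byte_count: int
    flags: str

    def describe(self) -> List[str]:
        """Expand the flag string into the table's meanings; '-' (no flags) yields an empty list."""
        return [FLAGS.get(c, "unknown flag " + c) for c in self.flags if c != "-"]

    def phase(self) -> str:
        """Coarse lifecycle phase derived from the flags."""
        if self.proto != "TCP":
            return "non-tcp"
        if "U" not in self.flags:
            return "embryonic"      # handshake incomplete: s/S/a/A still pending
        if "f" in self.flags or "F" in self.flags:
            return "closing"        # at least one FIN has been seen
        return "established"

    def initiator(self) -> str:
        """'B' marks a connection whose initial SYN arrived on the outside interface."""
        return "outside" if "B" in self.flags else "inside"


def _idle_to_seconds(idle: str) -> int:
    h, m, s = (int(x) for x in idle.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text: str) -> List[Conn]:
    """Parse the connection lines of a 'show conn' capture; prompts and blank lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        conns.append(Conn(
            proto=g["proto"], if1=g["if1"], ip1=g["ip1"], port1=int(g["port1"]),
            if2=g["if2"], ip2=g["ip2"], port2=int(g["port2"]),
            idle_seconds=_idle_to_seconds(g["idle"]), byte_count=int(g["byte_count"]),
            flags=g["flags"],
        ))
    return conns


def summarize(conns: List[Conn]) -> Dict[str, int]:
    """Count connections per phase; a growing 'embryonic' bucket is the first thing to look at."""
    counts: Dict[str, int] = {}
    for c in conns:
        counts[c.phase()] = counts.get(c.phase(), 0) + 1
    return counts


# Constructed sample: the slide's three lines plus one UDP entry.
SAMPLE = """ASA1#show conn
TCP outside 172.16.3.9:2230 dmz 192.168.1.4:25, idle 0:00:00, bytes 0, flags saA
TCP outside 172.16.1.7:80 inside 10.1.1.2:4685, idle 0:00:06, bytes 11911, flags UfFrRIO
TCP dmz 192.168.1.6:22 inside 10.1.1.2:1474, idle 0:02:40, bytes 2580590, flags UIO
UDP outside 40.1.2.30:53 inside 10.0.0.10:51132, idle 0:01:41, bytes 1739, flags -
"""

if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE):
        print(c.proto, c.if1, c.ip1, c.if2, c.ip2, c.phase(), c.initiator(), "; ".join(c.describe()))
    print(summarize(parse_show_conn(SAMPLE)))
```

Run against a real capture, `summarize()` gives a quick count of half-open connections, and `describe()` spells out why a single entry is stuck (for example "awaiting outside SYN" on a flow whose SYN-ACK never returned).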

Page 18

Connection States Flags

Page 19

Example Connection States (TCP 3-Way Handshake)

Connection initiated from the outside host 8.7.23.4 to the inside SMTP server 10.0.0.100:

1. SYN (outside to inside). The ASA builds the connection and waits for the inside SYN and both ACKs:

TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags SaAB

2. SYN-ACK (inside to outside). The inside SYN and the inside ACK have been seen; only the outside ACK is pending:

TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags aB

3. ACK (outside to inside). The connection is up:

TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UB

Page 20

Example Connection States (TCP Data Transmission)

1. TCP PUSH (outside to inside). Inbound data has been seen on the connection:

TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UIB

2. TCP PUSH (inside to outside). Data has now been seen in both directions:

TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UIOB

Page 21

Example Connection States (TCP Close)

1. FIN (outside to inside). The outside host starts the close:

TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBF

2. FIN-ACK (inside to outside). The inside host acknowledges the outside FIN and sends its own FIN:

TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBfFr

3. ACK (outside to inside). The outside host acknowledges the inside FIN:

TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBfFRr

Page 22

Troubleshooting Common Stateful Issues

Page 23

Packets Are Not Coming Back

[Figure: an inside host behind ASA1; ASA1 and ASA2 both connect inside to outside. The SYN leaves through ASA1 and no reply returns.]

ASA1#show conn
TCP outside 8.7.23.4:25 inside 10.0.0.100:1072, idle 0:00:00, bytes 0, flags saA

ASA1#show logging
%ASA-6-302013: Built outbound TCP connection 11 for inside:10.0.0.100:1072(10.0.0.100/1072)to outside:8.7.23.4/25 (8.7.23.4/25)
%ASA-6-302014: Teardown TCP connection 11 for inside:10.0.0.100/1072 to outside:8.7.23.4/25 duration 0:00:30 bytes 0 SYN Timeout

Page 24

Asymmetric Traffic

• You have two ASAs connected to the same ISP.

• The ISP has load-balanced traffic to each ASA.

[Figure: the SYN from the inside host leaves through ASA1, the ISP returns the SYN-ACK through ASA2, and ASA2 drops it.]

Page 25

Asymmetric Traffic

ASA2#show conn
UDP outside 40.1.2.30:53 inside 10.0.0.10:51132, idle 0:01:41, bytes 1739, flags -
TCP outside 30.2.4.5:22 inside 10.0.0.25:1474, idle 0:02:40, bytes 2580590, flags UIO

[Figure: ASA2 has no connection entry for the flow from 10.0.0.100 to 8.7.23.4, so the returning SYN-ACK is dropped.]

ASA2#show logging
%ASA-6-106015: Deny TCP (no connection) from 8.7.23.4:25 to 10.0.0.100:1072 flags SYN ACK on interface outside

Page 26

Addressing the Issue

• Call the ISP to stop load balancing traffic between the two ASAs

• Configure TCP State Bypass on ASA2

[Figure: same two-ASA topology as on the previous slides.]

Page 27

TCP State Bypass

• You can bypass Cisco ASA security appliance stateful inspection algorithms for some flows.

• It is configurable through Cisco MPF traffic classes.

• It causes the appliance to treat these flows similarly to Cisco IOS Software stateless ACLs.

• It also disables Cisco AIC, Cisco ASA AIP-SSM, Cisco SSC-SSM,* cut-through proxy, and TCP normalizer for these flows.

• It is used only for trusted flows.

[Figure: without state bypass, the ASA denies a unidirectional TCP flow, where it sees the TCP SYN but the TCP SYN-ACK (synchronization and acknowledgment) returns by another path.]

Page 28

TCP State Bypass: CLI Configuration

access-list STATE-BYPASS-ACL permit tcp host 10.0.0.100 host 8.7.23.4 eq 25

access-list STATE-BYPASS-ACL permit tcp host 8.7.23.4 eq 25 host 10.0.0.100

!

class-map STATE-BYPASS

match access-group STATE-BYPASS-ACL

!

!

!

!

policy-map global_policy

class STATE-BYPASS

set connection advanced-options tcp-state-bypass

!

service-policy global_policy global

Create ACLs that match the traffic to bypass SFT.

Create a class map and specify the matching criteria.

Edit the policy map and apply actions to the traffic classes.

The default service-policy is already applied globally.
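To make concrete what the asymmetric-traffic slides and this configuration describe, here is an added Python model (not code from the presentation or from Cisco) of a minimal stateful inspector. Each ASA keeps a connection table whose entries walk through the flag strings from the earlier slides (saA, A, U for inside-initiated; SaAB, aB, UB for outside-initiated). A SYN-ACK that arrives with no entry is denied and logged in the form of the slide's 106015 message; a flow matching the bypass ACL (the two STATE-BYPASS-ACL lines above, mirrored as `Ace` objects) is forwarded with no state at all. The scenario hosts, ports and the log wording are taken from the slides; the class and function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    iface: str          # interface the segment arrives on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    def key(self) -> Tuple[str, int, str, int]:
        """Direction-independent connection key (this model is TCP only)."""
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return a + b if a <= b else b + a

    def flag_text(self) -> str:
        return "SYN ACK" if self.syn and self.ack else "SYN" if self.syn else "ACK"


@dataclass(frozen=True)
class Ace:
    """One entry of the STATE-BYPASS-ACL; None means any port."""
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def matches(self, s: Segment) -> bool:
        return (self.src == s.src and self.dst == s.dst
                and (self.sport is None or self.sport == s.sport)
                and (self.dport is None or self.dport == s.dport))


class Asa:
    """Toy stateful inspector: one flag string per connection, bypass class exempted."""

    def __init__(self, name: str, bypass_acl: Optional[List[Ace]] = None):
        self.name = name
        self.bypass_acl = list(bypass_acl or [])
        self.conns: Dict[Tuple[str, int, str, int], str] = {}
        self.log: List[str] = []

    def process(self, s: Segment) -> str:
        if any(a.matches(s) for a in self.bypass_acl):
            # tcp-state-bypass: forwarded like a stateless ACL permit, no connection entry
            self.log.append(f"{self.name}: bypass {s.src}/{s.sport} to {s.dst}/{s.dport} flags {s.flag_text()}")
            return "permit"
        k = s.key()
        state = self.conns.get(k)
        if s.syn and not s.ack:
            if state is None:
                # inside-initiated starts as saA, outside-initiated as SaAB (flags as on the slides)
                self.conns[k] = "saA" if s.iface == "inside" else "SaAB"
                direction = "outbound" if s.iface == "inside" else "inbound"
                self.log.append(f"%ASA-6-302013: Built {direction} TCP connection for "
                                f"{s.iface}:{s.src}/{s.sport} to {s.dst}/{s.dport}")
            return "permit"
        if state is None:
            # no entry for this flow: drop it, as in the slide's 106015 message
            self.log.append(f"%ASA-6-106015: Deny TCP (no connection) from {s.src}:{s.sport} "
                            f"to {s.dst}:{s.dport} flags {s.flag_text()} on interface {s.iface}")
            return "deny"
        if s.syn and s.ack:
            self.conns[k] = "A" if state == "saA" else "aB"     # peer SYN seen, one ACK pending
        elif state in ("A", "aB"):
            self.conns[k] = "U" if state == "A" else "UB"       # handshake complete: up
        return "permit"


# Mirror of the two STATE-BYPASS-ACL lines in the configuration above.
BYPASS_ACL = [Ace("10.0.0.100", None, "8.7.23.4", 25), Ace("8.7.23.4", 25, "10.0.0.100", None)]


def symmetric_handshake() -> str:
    """Both directions through ASA1: the entry walks saA -> A -> U."""
    asa1 = Asa("ASA1")
    syn = Segment("inside", "10.0.0.100", 1072, "8.7.23.4", 25, syn=True)
    synack = Segment("outside", "8.7.23.4", 25, "10.0.0.100", 1072, syn=True, ack=True)
    ack = Segment("inside", "10.0.0.100", 1072, "8.7.23.4", 25, ack=True)
    for seg in (syn, synack, ack):
        asa1.process(seg)
    return asa1.conns[syn.key()]


def asymmetric_scenario(bypass_on_asa2: bool) -> Dict[str, object]:
    """The SYN leaves through ASA1; the ISP returns the SYN-ACK through ASA2."""
    asa1 = Asa("ASA1")
    asa2 = Asa("ASA2", BYPASS_ACL if bypass_on_asa2 else None)
    syn = Segment("inside", "10.0.0.100", 1072, "8.7.23.4", 25, syn=True)
    synack = Segment("outside", "8.7.23.4", 25, "10.0.0.100", 1072, syn=True, ack=True)
    return {"asa1_syn": asa1.process(syn), "asa1_state": asa1.conns.get(syn.key()),
            "asa2_synack": asa2.process(synack), "asa2_log": asa2.log[-1]}
```

`asymmetric_scenario(False)` reproduces the slide's symptom (ASA1 stuck at saA, ASA2 logging "Deny TCP (no connection)"), and `asymmetric_scenario(True)` shows the bypass class letting the same SYN-ACK through, which is why the feature is reserved for trusted flows.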

Page 29

TCP Normalizer and Fragmentation

Page 30

TCP Normalizer Overview

• The Cisco ASA security appliance TCP normalizer feature does the following:

  • Verifies adherence to the TCP protocol and prevents evasion attacks

  • Minimizes TCP features by default

  • Performs TCP sequence number randomization for protected hosts

  • Provides the reassembled byte stream to upper-layer inspectors

[Figure: incoming TCP segments are normalized; the reassembled stream is handed to the inspectors and the normalized TCP segments are sent on.]

Page 31

Sequence Number Randomization

• Only happens on communication from high to low security interfaces

• Only done to the initial SYN packet

• Tracked in the stateful table

[Figure: the client on the inside (security level 100) sends a SYN with Seq 0; the server on the outside (security level 0), and a hacker watching there, see the randomized SYN with Seq 236745.]

Page 32

Cisco ASA Security Appliance IP Fragment Handling

• The appliance performs virtual IP reassembly:

  • Buffers fragments of a packet until all have been received

  • Verifies that fragments are properly fragmented

  • Reassembles IP fragments internally, to perform TCP normalization and application inspection

  • Forwards fragments as they are received

[Figure: incoming IP fragments are reassembled internally into a packet for inspection, while the outgoing IP fragments are forwarded as received.]

Page 33

Fragment size, chain, and time

!

fragment size 1000 inside

fragment size 1000 outside

!

!

fragment chain 250 inside

fragment chain 250 outside

!

fragment timeout 10 inside

fragment timeout 10 outside

• Fragmentation is controlled per interface.

• The fragment size controls how many fragments the database can hold for reassembly.

• The fragment chain controls how many fragments a single packet can be broken into.

• Note: By default the ASA waits only 5 seconds for all fragments of a packet to arrive (the fragment timeout). If all fragments of the packet do not arrive within the configured number of seconds, the fragments that were already received are discarded.
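The three knobs interact in ways that are easier to see in code than in prose. The following Python is an added example (not code from the presentation or from Cisco) of a simplified virtual-reassembly buffer: `size` caps the fragments the whole database holds, `chain` caps the fragments of one datagram, and `timeout` discards a datagram whose remaining fragments never arrive. It also rejects overlapping fragments, standing in for the slide's "verifies that fragments are properly fragmented". The fragment model (IP id, byte offset, MF bit, payload) is the minimum needed; the real appliance's internals and its exact error handling are not claimed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    pkt_id: int     # IP identification field shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's payload within the original datagram
    more: bool      # MF bit: True on every fragment except the last
    payload: bytes


@dataclass
class _Pending:
    first_seen: float
    frags: List[Fragment] = field(default_factory=list)


class FragmentDb:
    """Per-interface virtual reassembly buffer governed by fragment size, chain, and timeout."""

    def __init__(self, size: int = 200, chain: int = 24, timeout: int = 5):
        self.size = size          # fragment size: fragments the whole database may hold
        self.chain = chain        # fragment chain: maximum fragments per datagram
        self.timeout = timeout    # fragment timeout: seconds to wait for the rest of a datagram
        self.pending: Dict[int, _Pending] = {}
        self.events: List[str] = []

    def buffered(self) -> int:
        return sum(len(p.frags) for p in self.pending.values())

    def expire(self, now: float) -> None:
        """Discard every datagram whose fragments have waited longer than the timeout."""
        stale = [pid for pid, p in self.pending.items() if now - p.first_seen > self.timeout]
        for pid in stale:
            self.events.append(f"id={pid}: timeout, {len(self.pending[pid].frags)} fragment(s) discarded")
            del self.pending[pid]

    def accept(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Buffer one fragment; return the reassembled datagram once complete, else None."""
        self.expire(now)
        if self.buffered() >= self.size:
            self.events.append(f"id={frag.pkt_id}: database full ({self.size}), fragment dropped")
            return None
        p = self.pending.get(frag.pkt_id)
        if p is None:
            p = self.pending[frag.pkt_id] = _Pending(first_seen=now)
        if len(p.frags) >= self.chain:
            self.events.append(f"id={frag.pkt_id}: chain limit {self.chain} exceeded, datagram discarded")
            del self.pending[frag.pkt_id]
            return None
        p.frags.append(frag)
        return self._reassemble(frag.pkt_id)

    def _reassemble(self, pid: int) -> Optional[bytes]:
        frags = sorted(self.pending[pid].frags, key=lambda f: f.offset)
        if frags[-1].more:                 # last fragment (MF = 0) not seen yet
            return None
        expected = 0
        for f in frags:
            if f.offset > expected:        # hole: keep waiting for the missing piece
                return None
            if f.offset < expected:        # overlap: not properly fragmented
                self.events.append(f"id={pid}: overlapping fragment, datagram discarded")
                del self.pending[pid]
                return None
            expected += len(f.payload)
        del self.pending[pid]
        return b"".join(f.payload for f in frags)
```

Raising `chain` for a VPN tunnel that legitimately produces many fragments per datagram (as the lab example later in this deck does) only helps if `size` is large enough to hold them all at once; the two limits are checked independently in `accept()`.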

Page 34

CCIE Security Example

Page 35

[Figure: the CCIE Security practice lab topology from earlier, annotated with three tuning points: Normalizer Tuning (increase the connection timeout) for a server, BGP Peering between two BGP peers (disable SNR and keep TCP options), and a VPN Tunnel with Fragmentation (increase the fragmentation chain).]

Page 36

Timeout Extension, BGP Peering, and Fragment Tuning

access-list SSH-TO-HOST permit tcp 209.165.200.0 255.255.255.0 host 10.0.4.3 eq 22

access-list BGP-PEERING permit tcp host 10.0.1.1 host 10.0.2.1 eq 179

access-list BGP-PEERING permit tcp host 10.0.2.1 host 10.0.1.1 eq 179

!

class-map BGP-PEERING

match access-group BGP-PEERING

!

tcp-map TCP-BGP-AUTH

tcp-options range 19 19 allow

!

class-map HOST-TIMEOUT

match access-group SSH-TO-HOST

!

policy-map CUSTOM_MPF_POLICY

class HOST-TIMEOUT

set connection timeout idle 4:00:00 reset

class BGP-PEERING

set connection advanced-options TCP-BGP-AUTH

set connection random-sequence-number disable

!

service-policy CUSTOM_MPF_POLICY global

fragment chain 30 inside

fragment chain 30 outside
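The BGP-PEERING class above disables sequence number randomization and allows TCP option 19 (the TCP MD5 signature). The reason is that the RFC 2385 digest covers the TCP header, sequence number included, so a SYN whose sequence number the normalizer rewrote no longer verifies at the peer. The following Python is an added example (not code from the presentation or from Cisco) that computes the RFC 2385 digest over a minimal TCP header and shows the verification failing with SNR on and passing with it off. The peer addresses and port come from the ACL above, the seq values 0 and 236745 from the earlier SNR slide; the shared secret, the ephemeral port and the function names are constructed for this example, and the MD5 option itself is carried out of band rather than encoded in the header.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TcpSegment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int              # 0x02 = SYN
    window: int = 65535
    payload: bytes = b""

    def header(self, checksum: int = 0) -> bytes:
        """20-byte TCP header, no options (RFC 2385 excludes options from the digest)."""
        return struct.pack("!HHIIBBHHH", self.sport, self.dport, self.seq, self.ack,
                           5 << 4, self.flags, self.window, checksum, 0)


def tcp_md5_digest(seg: TcpSegment, key: bytes) -> bytes:
    """RFC 2385: MD5 over pseudo-header, TCP header (options excluded, checksum 0), data, key."""
    tcp_len = 20 + len(seg.payload)
    pseudo = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
              + struct.pack("!BBH", 0, 6, tcp_len))
    return hashlib.md5(pseudo + seg.header(0) + seg.payload + key).digest()


def snr_rewrite(seg: TcpSegment, offset: int) -> TcpSegment:
    """What SNR does to the initial SYN: shift the sequence number by a per-connection offset."""
    return replace(seg, seq=(seg.seq + offset) & 0xFFFFFFFF)


def peer_accepts(on_wire: TcpSegment, digest_from_sender: bytes, key: bytes) -> bool:
    """The receiving router recomputes the digest over the segment it actually received."""
    return tcp_md5_digest(on_wire, key) == digest_from_sender


def bgp_open_through_asa(snr_enabled: bool, random_offset: int = 236745) -> bool:
    """Router 10.0.1.1 sends a signed SYN to peer 10.0.2.1 on TCP 179 through the ASA."""
    key = b"bgp-shared-secret"                     # constructed shared secret
    syn = TcpSegment("10.0.1.1", "10.0.2.1", 49152, 179, seq=0, ack=0, flags=0x02)
    signature = tcp_md5_digest(syn, key)           # computed by the sender over seq=0
    on_wire = snr_rewrite(syn, random_offset) if snr_enabled else syn
    return peer_accepts(on_wire, signature, key)


if __name__ == "__main__":
    print("SNR enabled, peer accepts:", bgp_open_through_asa(True))     # False
    print("SNR disabled, peer accepts:", bgp_open_through_asa(False))   # True
```

The same argument applies to anything else that signs or checksums the TCP header end to end; `set connection random-sequence-number disable` is scoped to the BGP class so the rest of the traffic keeps SNR.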

CCIE Security Lab

Page 37

Network Address Translation (NAT)

Page 38

ASA NAT on 8.2 and Earlier vs. 8.3 and Later

8.2 and Earlier

• Very strict order of processing NAT

• ACL for server access needs to reflect the MAPPED IP (NATed IP)

• Not object-oriented, hard to follow, and hard to structure

• NAT Control

• Interfaces needed to be named for NAT to work

8.3 and Later (NAT Changes)

• NAT processed from the top down

• ACL for server access needs to reflect the REAL IP (server IP)

• Object-oriented, very structured, and scalable

• NAT Control removed

• The "any" keyword can now be used to save time and lines of configuration

• Twice NAT support

• Global ACL support (input traffic only)

Page 39

Static NAT

Page 40

Static NAT

• Static NAT is used to link two interfaces that need access to the outside world.

• It is used for a server to communicate on a low-security interface using a routable IP, while still maintaining its private IP.

[Figure: local address 172.16.1.20 on the dmz interface is translated to 209.165.200.230 on the outside interface toward the Internet.]

Page 41

Static NAT (Cont.): Static NAT Examples

8.2 and Earlier (real interface, mapped interface, mapped IP, private IP):

ASA1(config)# static (dmz,outside) 209.165.200.230 172.16.1.20

8.3 and Later (object name, private IP, NAT type, mapped IP):

ASA1(config)# object network DMZ-Server
ASA1(config-network-object)# host 172.16.1.20
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.230

Page 42

Dynamic NAT

Page 43

Dynamic NAT

• Dynamic NAT allows many internal clients to translate to a range of public IPs.

• Note: The range of public IPs limits how many clients can reach the Internet at the same time.

[Figure: local addresses 10.0.1.0/24 on the inside interface are translated to the range 209.165.230-235 (as labelled in the figure) on the outside interface toward the Internet.]

Page 44

Dynamic NAT (Cont.): Dynamic NAT Examples

8.2 and Earlier (private IP subnet, then mapped IP range):

ASA1(config)# nat (inside) 1 10.0.1.0 255.255.255.0
ASA1(config)# global (outside) 1 209.165.200.230-209.165.200.235

8.3 and Later (mapped IP range object, private IP subnet object, mapped IP range applied):

ASA1(config)# object network Public_Pool
ASA1(config-network-object)# range 209.165.200.230-209.165.200.235
ASA1(config)# object network Inside_Network
ASA1(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic Public_Pool

Page 45

Dynamic PAT

Page 46

Dynamic PAT

• Dynamic PAT allows many internal clients to translate to a single public address.

[Figure: local addresses 10.0.1.0/24 on the inside interface are translated to 209.165.230 (the outside interface IP, as labelled in the figure) toward the Internet.]

Page 47

Dynamic PAT (Cont.): Dynamic PAT Examples

8.2 and Earlier (private IP subnet, then the outside interface as the mapped address):

ASA1(config)# nat (inside) 1 10.0.1.0 255.255.255.0
ASA1(config)# global (outside) 1 interface

8.3 and Later (private IP subnet object, then the outside interface as the mapped address):

ASA1(config)# object network Inside_Network
ASA1(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface

Page 48

Static PAT

Page 49

Static PAT

• Static PAT is used to link one public IP to more than one server regardless of interface.

[Figure: the FTP server 172.16.1.20 and the HTTP server 172.16.1.21 (local addresses on the dmz interface) are both translated to 209.165.200.230 on the outside interface toward the Internet.]

Page 50

Static PAT (Cont.): Static PAT Examples

8.2 and Earlier (mapped port, then real port):

ASA1(config)# static (dmz,outside) tcp 209.165.200.230 ftp 172.16.1.20 ftp

8.3 and Later (real port, then mapped port):

ASA1(config)# object network DMZ-Server
ASA1(config-network-object)# host 172.16.1.20
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.230 tcp ftp ftp

Page 51

Troubleshooting NAT

Page 52

NAT Table Changes: Cisco ASA Software Version 8.3 and Later

• NAT configuration builds entries in the NAT table.

• The new NAT table in Cisco ASA Software Version 8.3 and later has three parts:

  - Manual NAT (first section)

    • Default location for manual NAT statements

  - Auto NAT (second section)

    • Also called object NAT

    • Default location for auto NAT statements

  - Manual NAT after auto NAT (third section)

    • Manual NAT entries that are specified with the after-auto keyword

Page 53

NAT 8.3 and Later Order

ASA1(config)# show run nat
nat (dmz-wireless,outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
nat (inside,outside) source static smtp_access interface service smtp_port smtp_port
nat (outside,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (dmz-wireless,outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
nat (inside,outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
!
object network inside-192.168.1.0
nat (inside,dmz-wireless) static 192.168.1.0 no-proxy-arp route-lookup
object network All_Networks
nat (any,outside) dynamic interface
object network http_access
nat (inside,outside) static interface service tcp www www
object network https_access
nat (inside,outside) static interface service tcp www www

The five "nat ... source ..." lines above the "!" are Manual NAT; the object network entries below it are Auto NAT.

Page 54

NAT 8.3 and Later Order

ASA1(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz-wireless) to (outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
translate_hits = 319, untranslate_hits = 320
2 (inside) to (outside) source static smtp_access interface service smtp_port smtp_port
translate_hits = 9780, untranslate_hits = 11515
3 (outside) to (outside) source dynamic DM_INLINE_NETWORK_1 interface
translate_hits = 34, untranslate_hits = 163
4 (dmz-wireless) to (outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
translate_hits = 12, untranslate_hits = 0
5 (inside) to (outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
translate_hits = 714, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static http_access interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static https_access interface service tcp www www
translate_hits = 0, untranslate_hits = 0
3 (inside) to (dmz-wireless) source static inside-192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
translate_hits = 175, untranslate_hits = 31834
4 (any) to (outside) source dynamic All_Networks interface
translate_hits = 1098827, untranslate_hits = 161280

Page 55

NAT 8.3 and Later Order

Manual NAT Sections 1 and 3

• Applied on a first-match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section 1.

[Figure: inside host 10.0.0.100 and outside host 172.16.1.254 on either side of the ASA.]

Page 56

NAT 8.3 and Later Order

ASA1(config)# show run nat
<input omitted>
!
nat (dmz-wireless,outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
nat (inside,outside) source static smtp_access interface service smtp_port smtp_port
nat (outside,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (dmz-wireless,outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
nat (inside,outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
!

ASA1(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz-wireless) to (outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
translate_hits = 319, untranslate_hits = 320
2 (inside) to (outside) source static smtp_access interface service smtp_port smtp_port
translate_hits = 9780, untranslate_hits = 11515
3 (outside) to (outside) source dynamic DM_INLINE_NETWORK_1 interface
translate_hits = 34, untranslate_hits = 163
4 (dmz-wireless) to (outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
translate_hits = 12, untranslate_hits = 0
5 (inside) to (outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
translate_hits = 714, untranslate_hits = 0

Page 57

NAT 8.3 and Later Order

Auto NAT Section 2

Section 2 rules are applied in the following order, as automatically determined by the ASA:

1. Static rules.

2. Dynamic rules.

Within each rule type, the following ordering guidelines are used:

a. Quantity of real IP addresses—From smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.

b. For quantities that are the same, then the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.

c. If the same IP address is used, then the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.
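The Section 2 ordering rules above are mechanical enough to reproduce, which is a useful check when the order shown by `show nat` is not the one you expected. The following Python is an added example (not code from the presentation or from Cisco) that implements the rules (static before dynamic, then fewest real addresses, then lowest address, then object name) over the four auto NAT objects from this deck and compares the computed order with the `show nat` output from the next slide. The real addresses behind `http_access` and `https_access` are not on the slides and are assumed here to be single hosts; `All_Networks` is modelled as 0.0.0.0/0 for its `any` source. The model orders rules only; it does not perform the translation itself.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AutoNatRule:
    obj_name: str
    real: str           # the object's real address(es) as host/32 or CIDR
    kind: str           # "static" or "dynamic"
    real_if: str
    mapped_if: str

    def real_count(self) -> int:
        return ipaddress.ip_network(self.real).num_addresses

    def lowest_real(self) -> int:
        return int(ipaddress.ip_network(self.real).network_address)


def section2_order(rules: List[AutoNatRule]) -> List[AutoNatRule]:
    """Order auto NAT rules as the ASA does: static first, then by real-address count,
    then lowest real address, then object name (alphabetical)."""
    return sorted(rules, key=lambda r: (0 if r.kind == "static" else 1,
                                        r.real_count(), r.lowest_real(), r.obj_name))


# "N (real_if) to (mapped_if) source static|dynamic OBJECT ..."
SHOW_NAT_RE = re.compile(r"^\s*(\d+)\s+\((\S+)\) to \((\S+)\) source (static|dynamic) (\S+)")


def parse_show_nat_section2(text: str) -> List[str]:
    """Object names in the order 'show nat' lists them under 'Auto NAT Policies (Section 2)'."""
    names: List[str] = []
    in_section2 = False
    for line in text.splitlines():
        if "NAT Policies (Section" in line:
            in_section2 = "(Section 2)" in line
            continue
        m = SHOW_NAT_RE.match(line)
        if in_section2 and m:
            names.append(m.group(5))
    return names


def verify_order(rules: List[AutoNatRule], show_nat_text: str) -> bool:
    """True when the computed Section 2 order matches what the appliance printed."""
    return [r.obj_name for r in section2_order(rules)] == parse_show_nat_section2(show_nat_text)


# Objects from the slides; the two host addresses are assumed (only the object names are shown).
RULES = [
    AutoNatRule("inside-192.168.1.0", "192.168.1.0/24", "static", "inside", "dmz-wireless"),
    AutoNatRule("All_Networks", "0.0.0.0/0", "dynamic", "any", "outside"),
    AutoNatRule("http_access", "192.168.1.10/32", "static", "inside", "outside"),
    AutoNatRule("https_access", "192.168.1.11/32", "static", "inside", "outside"),
]

# Constructed from the slide's 'show nat' output, with the hit counters dropped.
SHOW_NAT = """Auto NAT Policies (Section 2)
1 (inside) to (outside) source static http_access interface service tcp www www
2 (inside) to (outside) source static https_access interface service tcp www www
3 (inside) to (dmz-wireless) source static inside-192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
4 (any) to (outside) source dynamic All_Networks interface
"""


def tie_break_by_name() -> List[str]:
    """Same kind and same real address: 'abracadabra' is assessed before 'catwoman'."""
    pair = [AutoNatRule("catwoman", "10.1.1.1/32", "static", "inside", "outside"),
            AutoNatRule("abracadabra", "10.1.1.1/32", "static", "inside", "outside")]
    return [r.obj_name for r in section2_order(pair)]


if __name__ == "__main__":
    print([r.obj_name for r in section2_order(RULES)])
    print("matches show nat:", verify_order(RULES, SHOW_NAT))
```

A practical use is a pre-change check: add the object you are about to create to `RULES` and see where it lands before a more specific static rule you were relying on.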

Page 58

NAT 8.3 and Later Order

ASA1(config)# show run nat
<input omitted>
!
object network inside-192.168.1.0
 nat (inside,dmz-wireless) static 192.168.1.0 no-proxy-arp route-lookup
object network All_Networks
 nat (any,outside) dynamic interface
object network http_access
 nat (inside,outside) static interface service tcp www www
object network https_access
 nat (inside,outside) static interface service tcp www www
!

ASA1(config)# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static http_access interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static https_access interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (dmz-wireless) source static inside-192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
    translate_hits = 175, untranslate_hits = 31834
4 (any) to (outside) source dynamic All_Networks interface
    translate_hits = 1098827, untranslate_hits = 161280
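The Section 2 ordering rules on the previous slide, modelled in Python as an added example (this is not code from the deck): static before dynamic, then fewer real addresses, then lower real address, then object name. It is checked against the four objects from the show nat output above; the real hosts behind http_access and https_access are not on the slide and are constructed here as the same DMZ host.

```python
"""Model of the ASA auto NAT (Section 2) rule ordering.

Added example, not code from the slides. The real addresses for
http_access and https_access are constructed (assumed to be the same
DMZ host, 10.0.4.3); everything else comes from the show nat output.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AutoNatRule:
    name: str   # network object name
    real: str   # real (pre-translation) host, subnet, or "any"
    kind: str   # "static" or "dynamic"


def real_network(rule: AutoNatRule) -> ipaddress.IPv4Network:
    """Real address set of the object; a bare host becomes a /32."""
    if rule.real == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(rule.real, strict=False)


def section2_sort_key(rule: AutoNatRule):
    net = real_network(rule)
    return (
        0 if rule.kind == "static" else 1,  # 1. static rules, 2. dynamic rules
        net.num_addresses,                  # a. quantity of real IPs, smallest first
        int(net.network_address),           # b. real IP number, lowest first
        rule.name,                          # c. object name (ASCII order; an assumption)
    )


def order_section2(rules: List[AutoNatRule]) -> List[AutoNatRule]:
    """Return the rules in the order the ASA evaluates Section 2."""
    return sorted(rules, key=section2_sort_key)


def ordered_names(rules: List[AutoNatRule]) -> List[str]:
    return [r.name for r in order_section2(rules)]


# Objects from the "show run nat" output, entered in configuration order.
EXAMPLE_RULES = [
    AutoNatRule("inside-192.168.1.0", "192.168.1.0/24", "static"),
    AutoNatRule("All_Networks", "any", "dynamic"),
    AutoNatRule("http_access", "10.0.4.3", "static"),   # real host constructed
    AutoNatRule("https_access", "10.0.4.3", "static"),  # real host constructed
]

if __name__ == "__main__":
    for position, rule in enumerate(order_section2(EXAMPLE_RULES), start=1):
        print(position, rule.kind, rule.name, real_network(rule))
```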

Page 59:

CCIE Security Example

Page 60:

[Figure: CCIE Security example topology. Primary/Active and Secondary/Standby ASAs; Guests network; DHCP server; HTTP, HTTPS and SMTP servers; Internet. Subnets shown: 209.165.200.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 209.165.300.0/24, 11.0.0.0/24. Labels: Static NAT, Dynamic PAT.]

Page 61:

Dynamic PAT Solution (CCIE Security Lab)

8.2 and Earlier:

ASA1(config)# nat (inside) 1 10.0.3.0 255.255.255.0
ASA1(config)# global (outside) 1 interface

8.3 and Later:

ASA1(config)# object network Client_Network
ASA1(config-network-object)# subnet 10.0.3.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface

Page 62:

Static NAT (CCIE Security Lab)

8.2 and Earlier:

ASA1(config)# static (dmz,outside) 209.165.200.3 10.0.4.3

8.3 and Later:

ASA1(config)# object network Server
ASA1(config-network-object)# host 10.0.4.3
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.3

Page 63:

Modular Policy Framework (MPF)

Page 64:

Cisco ASA Security Appliance Cisco MPF Overview

• Different traffic flows may require different network policies.

• Cisco MPF provides granularity and flexibility when you implement network policies for traffic flows:

  • Defines traffic flows that require access control beyond ACLs

  • Associates network policies with traffic flows

  • Enables network policies on specific interfaces or globally

[Figure: Branch Office and Headquarters connected through the Internet, with example policies: prioritize VoIP traffic; send traffic from the Internet to the Cisco ASA CSC-SSM; allow only safe HTTP methods; enable data loss prevention for HTTP, FTP, and SMTP traffic.]

Page 65:

OSI Layer 3 and Layer 4 Class Maps

• To identify traffic for IP Phone:

[Figure: Branch Office IP phones behind the ASA. To identify VoIP traffic, match DSCP EF.]

Page 66:

Configure OSI Layer 3 and Layer 4 Policies: CLI Commands

class-map VoIP
 match dscp ef
!
policy-map outside-policy
 class VoIP
  priority
!
service-policy outside-policy interface outside

• Create a class map and specify the matching attribute.

• Create a policy map.

• Refer to the class map.

• Specify an action for the traffic class.

• Apply the policy map to the interface using the service policy.

Page 67:

Verify OSI Layer 3 and Layer 4 Policies

ASA1# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
<...part of the output omitted...>
Interface outside:
  Service-policy: outside-policy
    Class-map: VoIP
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
    Class-map: class-default

Page 68:

Regular Expressions

• Regular expressions are a computer language that is used to describe patterns.

• Used to describe a set of strings without describing individual elements

• Used by the security appliance to match custom application layer content

Drop HTTP requests containing “CMD.EXE,” “/bin/sh,” “/bin/bash,” “/bin/ksh,” “/bin/tcsh”...

Allow only HTTP requests to “cisco.com” domain.

Page 69:

OSI Layer 3 and Layer 4 Class Maps

• To identify traffic for IP Phone:

[Figure: ISP link through the ASA. Block: bad.com and iamverybad.com.]

Page 70:

Configure OSI Layers 5 to 7 Policies: CLI Commands

regex BAD_PAGES "[Bb][Aa][Dd]\.[Cc][Oo][Mm]"
regex VERYBAD_PAGES "[Ii][Aa][Mm][Vv][Ee][Rr][Yy][Bb][Aa][Dd]\.[Cc][Oo][Mm]"
!
class-map type regex match-any BAD_PAGES
 match regex BAD_PAGES
 match regex VERYBAD_PAGES
!
class-map type inspect http match-any BAD_HTTP_TRAFFIC
 match request header host regex class BAD_PAGES
!
policy-map type inspect http INSPECT_HTTP
 class BAD_HTTP_TRAFFIC
  reset log
!
policy-map global_policy
 class inspection_default
  inspect http INSPECT_HTTP

• Create regular expressions (named so that the regex class map below can refer to them).

• Create a regular expression class map.

• Create a Layers 5 to 7 class map for HTTP traffic.

• Specify match attributes inside HTTP traffic.

• Create a Layers 5 to 7 policy map for HTTP traffic.

• Refer to the Layers 5 to 7 class map and apply actions.

• Apply the Layers 5 to 7 policy map in a Layers 3 and 4 policy map.
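How the Host-header match in this policy behaves, as an added example that is not code from the deck: Python's re module stands in for the ASA regex engine to show the match-any class semantics (any member regex matching the Host header classifies the request), why the patterns spell out [Bb][Aa][Dd] instead of relying on a case-insensitive flag, and the caveat that an unanchored bad.com pattern matches any host that merely contains that string. The regex names are the ones referenced by the slide's class-map; the sample requests are constructed.

```python
"""Host-header matching for the HTTP inspection policy above.

Added example, not code from the slides. Regex names are the ones the
slide's class-map refers to; sample requests are constructed.
"""
import re
from typing import List, Optional

# The two regexes and the match-any class membership from the configuration.
REGEXES = {
    "BAD_PAGES": r"[Bb][Aa][Dd]\.[Cc][Oo][Mm]",
    "VERYBAD_PAGES": r"[Ii][Aa][Mm][Vv][Ee][Rr][Yy][Bb][Aa][Dd]\.[Cc][Oo][Mm]",
}
REGEX_CLASS_BAD_PAGES = ["BAD_PAGES", "VERYBAD_PAGES"]


def host_header(request: bytes) -> Optional[str]:
    """Extract the Host header value from the head of a raw HTTP request."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def matching_regexes(host: str) -> List[str]:
    """Member regexes that match anywhere in the host value (unanchored search)."""
    return [name for name in REGEX_CLASS_BAD_PAGES if re.search(REGEXES[name], host)]


def policy_action(request: bytes) -> str:
    """'reset' when the BAD_HTTP_TRAFFIC class matches, otherwise 'allow'."""
    host = host_header(request)
    if host is not None and matching_regexes(host):
        return "reset"
    return "allow"


# Constructed sample requests (not captured traffic).
SAMPLE_BLOCKED = b"GET /index.html HTTP/1.1\r\nHost: www.BAD.com\r\n\r\n"
SAMPLE_ALLOWED = b"GET /index.html HTTP/1.1\r\nhost: www.cisco.com\r\n\r\n"

if __name__ == "__main__":
    for host in ("www.BAD.com", "iamverybad.com", "notbad.com", "cisco.com"):
        print(f"{host:16s} -> {matching_regexes(host) or 'no match'}")
    print(policy_action(SAMPLE_BLOCKED), policy_action(SAMPLE_ALLOWED))
```

Because iamverybad.com already contains bad.com, the first regex alone classifies both hosts, and so would notbad.com; anchoring the pattern to the whole host value is what restricts the match to the exact domain.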

Page 71:

Verify OSI Layers 5 to 7 Policies: CLI Commands

ASA1# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
<…output omitted…>
      Inspect: http INSPECT_HTTP, packet 484, drop 6, reset-drop 6
      Inspect: icmp, packet 38, drop 0, reset-drop 0
Interface Branch_Net:
  Service-policy: Branch_Net-policy
    Class-map: VoIP1
      Priority:
        Interface Branch_Net: aggregate drop 0, aggregate transmit 0
    Class-map: class-default

Page 72:

CCIE Security Example

Page 73:

[Figure: CCIE Security example topology. Primary/Active and Secondary/Standby ASAs; Guests network; DHCP server; FTP server; Internet. Subnets shown: 209.165.200.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 209.165.300.0/24, 11.0.0.0/24. Labels: Server Protections (Embryonic), FTP Server (FTP Inspection), Server Protections (Conn Limit).]

Page 74:

Embryonic Conn, Conn Limits and FTP Inspection (CCIE Security Lab)

access-list SERVER_EMB_LIMITS permit ip any host 209.165.300.57
!
access-list SERVER_TRAFFIC_LIMITS permit ip any host 209.165.300.57
!
access-list FTP_TRAFFIC permit tcp any host 10.4.0.3 eq 21
!
class-map FTP_TRAFFIC_PASS
 match access-list FTP_TRAFFIC
!
class-map CONN_MAX
 match access-list SERVER_TRAFFIC_LIMITS
!
class-map EMBRYONIC_CONN_MAX
 match access-list SERVER_EMB_LIMITS
!
policy-map SERVER_POLICY
 class EMBRYONIC_CONN_MAX
  set connection embryonic-conn-max 90 per-client-embryonic-max 10
 class CONN_MAX
  set connection conn-max 10000 per-client-max 50
 class FTP_TRAFFIC_PASS
  inspect ftp
!
service-policy SERVER_POLICY interface outside

Page 75:

Failover Active/Standby

Page 76:

Cisco ASA Adaptive Security Appliance Active/Standby Failover Overview

• Two Cisco ASA security appliances can be paired into an active/standby failover to provide device redundancy.

• One physical device is permanently designated as primary, the other device as secondary.

• One of the pair is elected to be in active state (forwarding traffic), and the other in hot standby state (waiting).

• The health of devices is monitored over the LAN failover interface.

[Figure: Active/Standby failover pair. Primary/Active and Secondary/Standby ASAs connected to the Internet via 192.168.1.0/24, to each other over the failover link 10.1.1.0/29, and to the inside network 10.0.1.0/24.]

Page 77:

Failover Deployment Options

• Stateless failover:

  • Provides hardware redundancy only.

  • All established statefully tracked connections are dropped after switchover.

  • Users may have to re-establish connections.

• Stateful failover extends stateless failover:

  • Provides hardware and state table redundancy.

  • Connections remain active during the failover.

  • Users do not have to re-establish connections.

  • Requires a stateful link between devices (in addition to the LAN-based failover link).

Page 78:

Stateful Failover Support

State information passed to the standby unit:

• NAT table

• TCP connection states

• UDP connection states

• ARP table

• MAC address table (applies to transparent mode only)

• ISAKMP SAs, IPsec SAs, SSL sessions

• GTP PDP connection database

• SIP signaling sessions

• Dynamic routing table entries

State information not passed to the standby unit:

• HTTP connection table (unless HTTP replication is enabled)

• User authentication table

• State information for Cisco AIP-SSM

• DHCP server leases

• Phone proxy sessions

• Cisco ASA security appliance supports IPv6 failover beginning with Cisco ASA Software Version 8.2(2).

Page 79:

Verify Active/Standby Failover

• Displays information about the failover status of the unit

ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 02:59:27 UTC Aug 1 2011
  This host: Primary - Active
    Active time: 930 (sec)
    slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
      Interface outside (192.168.1.2): Normal
      Interface inside (10.0.1.1): Normal
    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
      IPS, 6.0(3)E1, Up
  Other host: Secondary - Standby Ready
    Active time: 495 (sec)
    slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
      Interface outside (192.168.1.3): Normal
      Interface inside (10.0.1.3): Normal
<…output omitted…>

Page 80:

Troubleshooting Failover Active/Standby

Page 81:

Troubleshooting Typical Failover Problems

• The ASAs are not like-for-like

• The secondary is not able to talk to the primary (failover cable issues)

• The interface monitoring policy was changed

• The secondary has failed

Page 82:

Cisco ASA Security Appliance Failover Requirements

• Hardware requirements for both devices:

  • Same hardware model

  • Same number and type of interfaces

  • Same SSM software installed (if any)

  • Same amount of RAM is recommended

• Software requirements for both devices:

  • Same major and minor software version

  • Same licensed features (8.2 and earlier)

  • License includes the active/standby failover feature

  • Same operating mode (transparent or routed, multiple- or single-context)

Page 83:

Verify Failover Peer

ASA1/act/pri# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
<…output omitted…>
Last Failover at: 02:59:27 UTC Aug 1 2011
  This host: Primary - Active
    Active time: 930 (sec)
    slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
      Interface outside (192.168.1.2): Normal (Waiting)
      Interface inside (10.0.1.1): Normal (Waiting)
    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
      IPS, 6.0(3)E1, Up
  Other host: Secondary - Not Detected
    Active time: 0 (sec)
    slot 0: empty
      Interface outside (192.168.1.3): Unknown (Waiting)
      Interface inside (0.0.0.0): Unknown (Waiting)
    slot 1: empty

• The peer device has not been detected and failover cannot occur.

• Verify connectivity between the devices and the failover configuration on the secondary device.

Page 84:

Verify Active/Standby Failover Interface Policy

• Displays information about the failover status of the unit

ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 02:59:27 UTC Aug 1 2011
  This host: Primary - Active
    Active time: 930 (sec)
    slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
      Interface outside (192.168.1.2): Normal
      Interface inside (10.0.1.1): Normal
    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
      IPS, 6.0(3)E1, Up
  Other host: Secondary - Standby Ready
    Active time: 495 (sec)
    slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
      Interface outside (192.168.1.3): Normal
      Interface inside (10.0.1.3): Normal
<…output omitted…>
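A small parser for the two show failover outputs above (the healthy pair and the "Not Detected" peer), as an added example that is not code from the deck: it pulls out each host's state and interface status and turns the slide's verification guidance into checks a monitoring script could run. The sample text is constructed from the slide outputs, abbreviated.

```python
"""Parse 'show failover' output and flag a missing or degraded peer.

Added example, not code from the slides. The samples are constructed
(abbreviated) from the two show failover outputs on the slides.
"""
import re
from typing import Dict, List

HOST_RE = re.compile(r"^\s*(This host|Other host):\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(
    r"^\s*Interface (\S+) \(([\d.]+)\):\s*(\S+)(?:\s*\((\w+)\))?")


def parse_show_failover(text: str) -> Dict[str, dict]:
    """Map 'This host'/'Other host' to role, state and per-interface status."""
    hosts: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"role": m.group(2), "state": m.group(3),
                              "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, status, qualifier = m.groups()
            hosts[current]["interfaces"][name] = (ip, status, qualifier)
    return hosts


def failover_problems(hosts: Dict[str, dict]) -> List[str]:
    """Findings to act on; an empty list means the pair looks healthy."""
    problems: List[str] = []
    other = hosts.get("Other host")
    if other is None or other["state"] != "Standby Ready":
        problems.append(f"peer state: {other['state'] if other else 'missing'}")
    for host, info in hosts.items():
        for name, (ip, status, qualifier) in info["interfaces"].items():
            # 'Normal (Waiting)' means the unit is still waiting to hear
            # from the peer on that interface, so it is not yet verified.
            if status != "Normal" or qualifier == "Waiting":
                suffix = f" ({qualifier})" if qualifier else ""
                problems.append(f"{host} interface {name} ({ip}): {status}{suffix}")
    return problems


HEALTHY = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Interface Policy 1
        This host: Primary - Active
                Interface outside (192.168.1.2): Normal
                Interface inside (10.0.1.1): Normal
        Other host: Secondary - Standby Ready
                Interface outside (192.168.1.3): Normal
                Interface inside (10.0.1.3): Normal
"""

PEER_MISSING = """\
Failover On
Failover unit Primary
        This host: Primary - Active
                Interface outside (192.168.1.2): Normal (Waiting)
                Interface inside (10.0.1.1): Normal (Waiting)
        Other host: Secondary - Not Detected
                slot 0: empty
                Interface outside (192.168.1.3): Unknown (Waiting)
                Interface inside (0.0.0.0): Unknown (Waiting)
"""

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("peer missing", PEER_MISSING)):
        print(label, failover_problems(parse_show_failover(sample)) or "OK")
```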

Page 85:

Failover Health Monitoring

• Unit health monitoring:

  • The Cisco ASA security appliance determines the health of the other unit by monitoring the failover link.

  • Devices exchange hello messages (sent every 1 sec) over the failover interface.

  • When there is no response from the active device, switchover occurs.

• Interface health monitoring:

  • Each network interface can be monitored.

  • Devices exchange hello messages (sent every 5 sec) over the monitored interfaces (see Interface Policy 1 in the show failover output).

  • When the specified number of monitored interfaces fail on the active device, switchover occurs.

Page 86:

CCIE Security Example

Page 87:

[Figure: CCIE Security example topology for failover. Primary/Active and Secondary/Standby ASAs; Guests network; DHCP server; HTTP, HTTPS and SMTP servers; Internet. Subnets shown: 209.165.200.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 209.165.300.0/24, 11.0.1.0/24 (failover link). Interfaces: Gig0/0 and Gig0/1 on each unit, Gig0/3 for the failover link.]

Page 88:

Primary Security Appliance

• Configure active/standby failover on the primary Cisco ASA security appliance.

interface GigabitEthernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 11.0.1.1 255.255.255.0 standby 11.0.1.2
failover link FAILOVER
failover key 6X9vLuFt983d8FltTf7
failover
!
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
!
interface GigabitEthernet0/0
 ip address 10.0.2.1 255.255.255.0 standby 10.0.2.2

• Enable the interface used for failover.

• Specify the unit as primary.

• Specify the interface used as the failover interface.

• Assign active and standby IP addresses to the failover link.

• Specify the interface used as the stateful failover link.

• Specify the key for the failover link.

• Enable failover.

• Specify active and standby IP addresses (GigabitEthernet0/1).

• Specify active and standby IP addresses (GigabitEthernet0/0).

Page 89:

Secondary Security Appliance

• Configure active/standby failover on the secondary Cisco ASA security appliance.

interface GigabitEthernet0/3
 no shutdown
!
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 11.0.1.1 255.255.255.0 standby 11.0.1.2
failover link FAILOVER
failover key 6X9vLuFt983d8FltTf7
failover

• Enable the interface used for failover.

• Specify the unit as secondary.

• Specify the interface used as the failover interface.

• Assign active and standby IP addresses to the failover link.

• Specify the interface used as the stateful failover link.

• Specify the key for the failover link.

• Enable failover.

• Enable HTTP replication.

Page 90:

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Page 91:

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions

Page 92:

Thank you

Page 93: