
ASA Firewall Essentials July, 2012


Presentation Transcript


  1. ASA Firewall Essentials
     July, 2012
     Bogdan Doinea, Assoc. Technical Manager CEE&RCIS, Cisco Networking Academy

  2. Agenda
     • Introduction to the ASA Firewall
     • The ASA Operating System
     • ASA Firewall Configuration
     • ASA Remote Access
     • Technical Demo

  3. What is the ASA?
     • Adaptive Security Appliance: Cisco's lead dedicated firewall solution (all-in-one solution)
       • Firewall
       • VPN concentrator
       • IPS
     • Advanced features
       • Virtual firewalling
       • Transparent/routed mode
       • High availability
       • Advanced threat control (AIP-SSM, AIP-SSC modules)
       • Identity firewall

  4. The ASA Family of Firewalls

  5. Stateful Firewall
     • Also monitors the state of connections
       • Initiation, data transfer, termination
     • Can detect abnormal connection behavior that might indicate attacks or exploits.

  6. The ASA stateful firewall implementation
     [Diagram: Internet; interfaces E0/1, E0/2, E0/3 named "outside" (security level 0), "inside" (security level 100) and "DMZ" (security level 50)]
     • Only certain connections get inspected
     • The administrator configures the levels of security for each interface

  7. ASA TCP Flow
     • The packet is received on the inside interface.
     • The inbound ACL is applied and, if NAT is configured, the inside NAT operation is done.
     • The ASA randomizes the initial sequence number (ISN) of the connection.
     • The ASA creates a state object in memory retaining layer 3 and layer 4 information from the packet.
     • The connection is marked as embryonic.
     • The packet comes back on the outside interface.
     • Inbound ACLs are applied (* if the packet is permitted by the ACL, the state table isn't checked and the next step below is)
     • The state table is checked for a state object that matches the information contained in the returning packet; if there is no match, the packet is dropped.
     • The ASA checks the ACK number in the packet relative to the sequence number that was overwritten earlier, in the randomization step.
     • If the packet is legitimate, the ASA sets the ACK to ISN+1 to match the TCP information on the host.
     • The host responds with an ACK; the ACK number is not randomized.
     • The connection is changed to active/established and the embryonic counter is reset for that state object.

  8. Routed-Mode vs Transparent-Mode
     • Routed-mode
       • the ASA is a layer 3 device
       • all the ASA features and capabilities are active
     • Transparent-mode
       • the ASA is a layer 2 device (works with VLANs instead of IP subnets)
       • can have a global IP used for remote management
       • is invisible to any attacker coming from the Internet
       • some functionalities are disabled: routing protocols, VPNs, QoS, DHCP Relay.

  9. ASA – front panel
     • A series of LEDs
       • Speed and link activity LEDs
       • Power LED
       • Status LED
       • Active LED
       • VPN LED
       • Security Services Card (SSC) LED

  10. ASA – back panel
      • An 8-port 10/100 Fast Ethernet switch.
      • Three USB ports.
      • One Security Service Card (SSC) slot for expansion. The slot can be used to add the Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC).

  11. The ASA Operating System

  12. ASA OS
      • Same modular structure as IOS
        ciscoasa>             Unprivileged mode: limited rights
        ciscoasa#             Privileged mode: generally used for show commands
        ciscoasa(config)#     Global configuration: used for "general" configurations (e.g. password for privileged mode, static routes, banners, hostname configuration etc.)
        ciscoasa(config-if)#  Configuration sub-modes: used for advanced configurations of specific features (firewall, VPN, routing protocols etc.)
      • Same help system
        ciscoasa> ?
        enable   Turn on privileged commands

  13. Navigating in the OS
      • The default password is …?
      • CR + LF
        ciscoasa> enable 15
        Password:
        ciscoasa# configure terminal
        ciscoasa(config)# interface fa0/1
        ciscoasa(config-if)# exit
        ciscoasa(config)# exit
        ciscoasa# exit
        ciscoasa>

  14. Help in ASA OS
        ciscoasa> ?
        enable    Turn on privileged commands
        exit      Exit the current command mode
        login     Log in as a particular user
        logout    Exit from current user profile to unprivileged mode
        perfmon   Change or view performance monitoring options
        ping      Test connectivity from specified interface to an IP address
        quit      Exit the current command mode
        ciscoasa> help enable
        USAGE: enable [<priv_level>]
        DESCRIPTION: enable   Turn on privileged commands

  15. Working with the file system
      • First we delete…
      [Diagram: startup-config in Flash, running-config in RAM]
      Deleting configurations:
        ciscoasa# clear configure all
        ciscoasa# write erase

  16. Working with the file system (2)
      • Then we save!
      [Diagram: startup-config in Flash, running-config in RAM]
        ciscoasa# show running
        ciscoasa# show startup
      Saving the configuration:
        ciscoasa# copy running startup
        ciscoasa# write mem
        ciscoasa# wr

  17. The clear configure command
      • It doesn't exist in IOS (on routers and switches)
      • Enables the specific deletion of configurations in RAM
        ciscoasa(config)# show running-config | include isakmp
        isakmp enable outside
        isakmp policy 10 authentication pre-share
        isakmp policy 10 encryption 3des
        isakmp policy 10 hash md5
        isakmp policy 10 group 2
        isakmp policy 10 lifetime 86400
        ciscoasa(config)# clear configure isakmp
        ciscoasa(config)# show running-config | include isakmp

  18. Other useful commands
      • Configuring a hostname
      • Configuring a password for the telnet line
      • Configuring a password for privileged mode. How did we configure this on a router?
        ciscoasa(config)# hostname ipd
        ipd(config)#
        ipd(config)# passwd cisco
        ipd(config)# enable password cisco
        ipd# sh run | i pass
        enable password 2KFQnbNIdI.2KYOU encrypted
        passwd 2KFQnbNIdI.2KYOU encrypted

  19. ASA Security Levels
      • In order to pass traffic between 2 interfaces, levels of security need to be defined for each interface.
      • Security levels represent the simplest stateful firewall model that the ASA offers.
      • Packets get inspected by the firewall engine when they traverse from a higher security level interface to a lower security level interface.
      • Packets that try to pass from a lower security interface to a higher security interface, without having a stateful object related to them in the memory of the ASA, will get dropped by default.
      • Besides security levels, every ASA interface needs a "name". This "name" is going to be referred to in all commands that want to use this interface.
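To make the TCP flow of slide 7 and the security-level rule of slide 19 concrete, here is an added Python model; it is not Cisco code and not part of the deck. Packet, Conn and Asa are constructed names: the model keeps a security level per nameif, a state table keyed on the L3/L4 addresses, randomizes the ISN, checks the returning ACK against the randomized number, rewrites it to ISN+1 for the host, and moves the connection from embryonic to established. The egress interface is carried on the packet because routing is assumed rather than modelled.

```python
import random
from dataclasses import dataclass

M = 2**32  # TCP sequence numbers wrap at 32 bits

@dataclass
class Packet:
    ingress: str   # nameif the packet arrives on, e.g. "inside"
    egress: str    # nameif it would leave on (routing is assumed, not modelled)
    src: str; sport: int; dst: str; dport: int
    flags: str     # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0; ack: int = 0

@dataclass
class Conn:
    isn: int                  # the initiating host's real initial sequence number
    delta: int                # randomization offset: the far side sees isn + delta
    state: str = "embryonic"  # becomes "established" after the final ACK

class Asa:  # constructed model of the ASA state table, not the real firewall engine
    def __init__(self, levels, seed=1):
        self.levels = levels    # security level per nameif, e.g. {"inside": 100, "outside": 0}
        self.table = {}         # (src, sport, dst, dport) -> Conn: the state objects in memory
        self.embryonic = 0      # embryonic (half-open) connection counter
        self.rng = random.Random(seed)

    def forward(self, p):  # returns the packet as it leaves the ASA, or None when dropped
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table:                        # initiator -> server direction
            c = self.table[fwd]
            if p.flags == "ACK" and c.state == "embryonic":
                c.state = "established"              # handshake done, counter reset
                self.embryonic -= 1
            p.seq = (p.seq + c.delta) % M            # keep the randomized SN consistent
            return p
        if rev in self.table:                        # returning packet, e.g. the SYN-ACK
            c = self.table[rev]
            if p.ack != (c.isn + c.delta + 1) % M:   # ACK checked against the randomized SN
                return None
            p.ack = (c.isn + 1) % M                  # rewrite to ISN+1 so the host accepts it
            return p
        # No state object: only a SYN from a higher to a lower security level creates one;
        # lower-to-higher traffic, or a non-SYN without a state object, is dropped by default.
        if p.flags != "SYN" or self.levels[p.ingress] <= self.levels[p.egress]:
            return None
        c = Conn(isn=p.seq, delta=self.rng.randrange(1, M))
        self.table[fwd] = c
        self.embryonic += 1
        p.seq = (p.seq + c.delta) % M                # the randomized ISN leaves the ASA
        return p
```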

  20. Security levels example
      • Configuring security levels is done from (config-if)#
      [Diagram: Internet; interfaces E0/1, E0/2, E0/3 named "outside" (security level 0), "inside" (security level 100) and "DMZ" (security level 50)]

  21. Configuring interface names
      • An ASA interface that has no name or security level does not have L3 connectivity
      [Diagram: Internet; interfaces E0/1, E0/2, E0/3 named "outside" (security level 0), "inside" (security level 100) and "DMZ" (security level 50)]
        ciscoasa(config)# interface e0/1
        ciscoasa(config-if)# nameif inside
        INFO: Security level for "inside" set to 100 by default.
        ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0

  22. Configuring security levels
      • Can be configured using the security-level command
      [Diagram: Internet; interfaces E0/1, E0/2, E0/3 named "outside" (security level 0), "inside" (security level 100) and "DMZ" (security level 50)]
        ciscoasa(config)# interface e0/1
        ciscoasa(config-if)# nameif DMZ
        INFO: Security level for "DMZ" set to 0 by default.
        ciscoasa(config-if)# security-level 50
        ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
        ciscoasa(config-if)# no shutdown

  23. ASA – remote access via telnet
      • By default access is not allowed
      • If no password is set, by default it's "cisco"
      • Access through telnet on the outside interface (security-level 0) is not permitted unless the telnet connection is coming through an IPSec tunnel
      • Monitoring connections
        ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside
        ciscoasa(config)# telnet timeout 10
        ciscoasa(config)# passwd cisco123
        ciscoasa# who
        0: 10.10.0.132
        ciscoasa# kill 0
        ciscoasa# who

  24. ASA – remote access through SSH
      • Permitted on any interface
      • Step 1: generate the keys
      • Step 2: activate SSH
      • By default, the user is "pix" and the password is the one configured with passwd
        ciscoasa(config)# crypto key generate rsa modulus 1024
        WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
        Do you really want to replace them? [yes/no]: yes
        Keypair generation process begin. Please wait...
        ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside
        ciscoasa(config)# ssh version 2
        ciscoasa(config)# ssh timeout 10
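As an added example (not part of the deck and not Cisco software), the following Python audits an ASA running-config excerpt for the points slides 18, 21, 23 and 24 make: the default "cisco" password, recognised by the hash slide 18 shows; an interface with an IP address but no nameif or security level; telnet access; and SSH enabled without ssh version 2. SAMPLE_CONFIG is constructed in the syntax the slides show, and audit_config and parse_interfaces are illustrative helpers.

```python
import re

DEFAULT_CISCO_HASH = "2KFQnbNIdI.2KYOU"  # hash slide 18 shows after "passwd cisco" / "enable password cisco"

# Constructed running-config excerpt in the syntax the slides show; not taken from a real device.
SAMPLE_CONFIG = """\
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 ip address 192.168.2.1 255.255.255.0
telnet 10.10.0.0 255.255.255.0 inside
ssh 141.85.37.0 255.255.255.0 outside
"""

def parse_interfaces(lines):
    # Group the indented sub-commands under each "interface X" header.
    ifaces, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # any other non-indented line ends the interface block
    return ifaces

def audit_config(text):
    """Return findings for the weak or incomplete settings the slides discuss."""
    lines = text.splitlines()
    findings = []
    for line in lines:
        m = re.match(r"(enable password|passwd) (\S+) encrypted$", line)
        if m and m.group(2) == DEFAULT_CISCO_HASH:
            findings.append(f"{m.group(1)}: still the default 'cisco' password")
        m = re.match(r"telnet (\d+\.\d+\.\d+\.\d+) \S+ (\S+)$", line)
        if m:
            findings.append(f"telnet (clear text) allowed from {m.group(1)} on {m.group(2)}")
    for name, body in parse_interfaces(lines).items():
        if any(l.startswith("ip address ") for l in body) and not any(l.startswith("nameif ") for l in body):
            findings.append(f"{name}: ip address but no nameif/security-level, so no L3 connectivity")
    if any(re.match(r"ssh \d+\.\d+\.\d+\.\d+ ", l) for l in lines) and "ssh version 2" not in lines:
        findings.append("ssh access configured without 'ssh version 2'")
    return findings
```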

  25. "show" commands
      • Configuring a specific interface
      • Name of the interface and security levels
        asa1# show run interface E0/3
        interface Ethernet0/3
         speed 10
         duplex full
         nameif outside
         security-level 0
         ip address 192.168.3.1 255.255.255.0
        asa1# show nameif
        Interface                Name      Security
        GigabitEthernet0/0       outside   0
        GigabitEthernet0/1       inside    100
        GigabitEthernet0/2       dmz       50

  26. "show" commands (2)
      • All the parameters of an interface
        asa1# show interface
        Interface GigabitEthernet0/0 "outside", is up, line protocol is up
          Hardware is i82546GB rev03, BW 1000 Mbps
                Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
                MAC address 0013.c482.2e4c, MTU 1500
                IP address 192.168.1.2, subnet mask 255.255.255.0
                8 packets input, 1078 bytes, 0 no buffer
                Received 8 broadcasts, 0 runts, 0 giants
                0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
                0 L2 decode drops
                0 packets output, 0 bytes, 0 underruns
                0 output errors, 0 collisions
                0 late collisions, 0 deferred
                input queue (curr/max blocks): hardware (8/0) software (0/0)
                output queue (curr/max blocks): hardware (0/0) software (0/0)
          Traffic Statistics for "outside":
                8 packets input, 934 bytes
                0 packets output, 0 bytes
                8 packets dropped
              1 minute input rate 0 pkts/sec, 0 bytes/sec
              1 minute output rate 0 pkts/sec, 0 bytes/sec
              1 minute drop rate, 0 pkts/sec

  27. "show" commands (3)
      • What command did we use in IOS to see the L2 and L3 status of interfaces in a "brief" output?
        • show ip interface brief
      • ASA does it slightly differently
        • show interface ip brief
        ciscoasa(config)# sh int ip br
        Interface        IP-Address    OK? Method Status Protocol
        Ethernet0/0      192.168.1.1   YES manual up     up
        Ethernet0/1      10.10.1.1     YES manual up     up

  28. Advanced use of the "show" command
      • IOS Q: can we run a show command from config mode?
      • A: yes, using the argument "do" in front of the command
      • We don't have "do" in ASA OS, but …
      • … you can give show commands from anywhere in the OS
      • There's also the possibility of filtering output by using "|" and the arguments "i", "b", "grep"
        normal_cisco_router(config)# do show clock
        *15:08:07.867 UTC Thu Feb 17 2011
        ciscoasa(config-if)# sh clock
        15:54:01.139 UTC Thu Feb 17 2011

  29. ASA: Configuration DEMO
      [Topology diagram: R1 and R2 connected through the ASA; labels "outside", "inside", "e0/0", "G0", "e0/0", "G1"]
