ASA Firewall Essentials
July, 2012
Bogdan Doinea
Assoc. Technical Manager
CEE&RCIS
Cisco Networking Academy
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
Introduction to the ASA Firewall
The ASA Operating System
ASA Firewall Configuration
ASA Remote Access
Technical Demo
• Adaptive Security Appliance - Cisco’s lead dedicated firewall solution (All-in-One solution)
  • Firewall
  • VPN concentrator
  • IPS
• Advanced features
  • Virtual Firewalling
  • Transparent/Routed mode
  • High Availability
  • Advanced Threat Control (AIP-SSM, AIP-SSC modules)
  • Identity Firewall
• Also monitors the state of connections: initiation, data transfer, termination
• Can detect abnormal connection behavior that might indicate attacks or exploits.
[Figure: ASA with three named interfaces: “inside” (E0/1, Security Level 100), “DMZ” (E0/2, Security Level 50) and “outside” (E0/3, Security Level 0, towards the Internet)]
• Only certain connections get inspected
• The administrator configures the levels of security for each interface
1. The packet is received on the inside interface. The inbound ACL is applied and, if NAT is configured, the inside NAT operation is done.
2. The ASA randomizes the initial sequence number (ISN) of the connection and creates a state object in memory retaining the layer 3 and layer 4 information from the packet. The connection is marked as embryonic.
3. The packet comes back on the outside interface and the inbound ACLs are applied (* if the packet is permitted by the ACL, the state table isn’t checked and the next step below is). The state table is checked for a state object that matches the information contained in the returning packet; if no match is found, the packet is dropped.
4. The ASA checks the ACK number in the packet relative to the SN that was overwritten in the second step. If the packet is legitimate, the ASA sets the ACK to ISN+1 to match the TCP information on the host.
5. The host responds with an ACK. The ACK number is not randomized. The connection is changed to active/established and the embryonic counter is reset for that state object.
• Routed mode
  • the ASA is a layer 3 device
  • all the ASA features and capabilities are active
• Transparent mode
  • the ASA is a layer 2 device (works with VLANs instead of IP subnets)
  • can have a global IP used for remote management
  • is invisible to any attacker coming from the Internet
  • some functionalities are disabled: routing protocols, VPNs, QoS, DHCP Relay.
• A series of LEDs
  • Speed and link activity LEDs
  • Power LED
  • Status LED
  • Active LED
  • VPN LED
  • Security Services Card (SSC) LED
• An 8-port 10/100 Fast Ethernet switch.
• Three USB ports.
• One Security Service Card (SSC) slot for expansion. The slot can be used to add the Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC).
• Same modular structure as IOS
  • Unprivileged mode: limited rights
  • Privileged mode: generally used for show commands
  • Global configuration: used for “general” configurations (e.g. password for privileged mode, static routes, banners, hostname configuration etc.)
  • Configuration sub-modes: used for advanced configurations of specific features (firewall, VPN, routing protocols etc.)
• Same help system
ciscoasa> ?
enable    Turn on privileged commands
ciscoasa>enable 15
Password:
ciscoasa#configure terminal
ciscoasa(config)#interface fa0/1
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#exit
ciscoasa>
• The default password is …? CR + LF (an empty password: just press Enter)
ciscoasa> ?
enable    Turn on privileged commands
exit      Exit the current command mode
login     Log in as a particular user
logout    Exit from current user profile to unprivileged mode
perfmon   Change or view performance monitoring options
ping      Test connectivity from specified interface to an IP address
quit      Exit the current command mode
ciscoasa> help enable
USAGE:
enable [<priv_level>]
DESCRIPTION:
enable    Turn on privileged commands
• First we delete… (startup-config lives in Flash, running-config in RAM)
Deleting configurations
ciscoasa# clear configure all      (running-config, in RAM)
ciscoasa# write erase              (startup-config, in Flash)
• Then we save! (startup-config lives in Flash, running-config in RAM)
ciscoasa# show running
ciscoasa# show startup
Saving the configuration
ciscoasa# copy running startup
ciscoasa# write mem
ciscoasa# wr
• The clear configure command doesn’t exist in IOS (on routers and switches)
• Enables the specific deletion of configurations in RAM
ciscoasa(config)# show running-config | include isakmp
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ciscoasa(config)# clear configure isakmp
ciscoasa(config)# show running-config | include isakmp
• Configuring a hostname
ciscoasa(config)# hostname ipd
ipd(config)#
• Configuring a password for the telnet line
ipd(config)# passwd cisco
• Configuring a password for privileged mode. How did we configure this on a router?
ipd(config)# enable password cisco
ipd# sh run | i pass
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
• In order to pass traffic between 2 interfaces, security levels need to be defined for each interface.
• Security levels represent the simplest stateful firewall model that the ASA offers.
• Packets get inspected by the firewall engine when they traverse from a higher security level interface to a lower security level interface.
• Packets that try to pass from a lower security interface to a higher security interface, without having a stateful object related to them in the memory of the ASA, will get dropped by default.
• Besides security levels, every ASA interface needs a “name”. This “name” is going to be referred to in all commands that use this interface.
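The following added example (not from the slides or from Cisco) models, in Python, both the security-level rule stated above and the five-step TCP connection flow from the earlier slide: a new SYN is accepted only from a higher to a lower security level, its ISN is randomized and a state object is created, return traffic is permitted only when it matches that state object, and the host's ACK moves the connection from embryonic to established. Interface names, levels and all packets are constructed; the state machine is a deliberately simplified sketch.

```python
import random
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}  # levels from the slide diagram

def pkt(src, sport, dst, dport, seq, ack, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "seq": seq, "ack": ack, "flags": flags}

def flow_key(p, reverse=False):
    """Key of the state object: (src, sport, dst, dport); reversed for return traffic."""
    s, d = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return d + s if reverse else s + d

class StatefulFirewall:
    def __init__(self, seed=7):
        self.state = {}                  # state objects holding L3/L4 information
        self.rng = random.Random(seed)   # ISN randomization source (seeded for the demo)

    def handle(self, in_iface, out_iface, p):
        """Return 'permit' or 'drop' for packet p and update the state table."""
        st = self.state.get(flow_key(p, reverse=True))
        if st:  # step 3: return traffic matched a state object
            if p["flags"] == "SYN-ACK":
                # step 4: the ACK must match the SN overwritten in step 2 (ISN+1)
                if p["ack"] != (st["isn_asa"] + 1) % 2**32:
                    return "drop"
                p["ack"] = (st["isn_host"] + 1) % 2**32  # rewrite to the host's own ISN+1
            return "permit"
        st = self.state.get(flow_key(p))
        if st:  # further packets from the initiator of a known connection
            if p["flags"] == "ACK" and st["status"] == "embryonic":
                st["status"] = "established"  # step 5: handshake completed
            return "permit"
        # no state object: only a new SYN from a higher to a lower level is accepted
        if p["flags"] != "SYN" or SECURITY_LEVEL[in_iface] <= SECURITY_LEVEL[out_iface]:
            return "drop"
        isn_host, p["seq"] = p["seq"], self.rng.randrange(2**32)  # step 2: randomize the ISN
        self.state[flow_key(p)] = {"isn_host": isn_host, "isn_asa": p["seq"], "status": "embryonic"}
        return "permit"

def demo():
    """Constructed traffic: a handshake inside->outside, then an unsolicited SYN from outside."""
    fw = StatefulFirewall()
    syn = pkt("192.168.1.10", 40000, "198.51.100.5", 80, 1000, 0, "SYN")
    r1 = fw.handle("inside", "outside", syn)                     # step 1: state object created
    synack = pkt("198.51.100.5", 80, "192.168.1.10", 40000, 5000, (syn["seq"] + 1) % 2**32, "SYN-ACK")
    r2 = fw.handle("outside", "inside", synack)                  # steps 3-4: matched, ACK rewritten
    ack = pkt("192.168.1.10", 40000, "198.51.100.5", 80, 1001, 5001, "ACK")
    r3 = fw.handle("inside", "outside", ack)                     # step 5: connection established
    rogue = pkt("203.0.113.9", 1234, "192.168.1.10", 22, 1, 0, "SYN")
    r4 = fw.handle("outside", "inside", rogue)                   # lower->higher with no state: dropped
    return r1, r2, r3, r4, synack["ack"], fw.state[flow_key(syn)]["status"]
```

The server's SYN-ACK is built from the already randomized `syn["seq"]`, which is what the outside host really sees; the ASA rewrites its ACK back to 1001 so the inside host's TCP stack is satisfied.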
[Figure: the same three-interface diagram (“inside” E0/1 level 100, “DMZ” E0/2 level 50, “outside” E0/3 level 0)]
• Configuring security levels is done from (config-if)#
• An ASA interface that has no name or security level does not have L3 connectivity
[Figure: the same three-interface diagram (“inside” E0/1 level 100, “DMZ” E0/2 level 50, “outside” E0/3 level 0)]
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
• Can be configured using the security-level command
[Figure: the same three-interface diagram (“inside” E0/1 level 100, “DMZ” E0/2 level 50, “outside” E0/3 level 0)]
ciscoasa(config)#interface e0/1
ciscoasa(config-if)#nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)#no shutdown
• By default access is not allowed
ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside
ciscoasa(config)# telnet timeout 10
ciscoasa(config)# passwd cisco123
• If no password is set, by default it’s “cisco”
• Access through telnet on the outside interface (security-level 0) is not permitted unless the telnet connection is coming through an IPSec tunnel
• Monitoring connections
ciscoasa# who
0: 10.10.0.132
ciscoasa# kill 0
ciscoasa# who
• Permitted on any interface
• Step 1: generate the keys
ciscoasa(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
• Step 2: activate SSH
ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 10
• By default, the user is “pix” and the password is the one configured with passwd
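As an added example (not from the slides or from Cisco), the Python audit below checks a running-config excerpt against the rules stated on the interface, telnet and SSH slides: an interface without nameif/security-level has no L3 connectivity, telnet on a security-level 0 interface is refused unless it arrives over IPsec, ssh version 2 should be set, and without a passwd line the remote-access password stays at the default “cisco”. The config text is constructed and contains those defects on purpose; the parser handles only the single-word and `ip address` sub-commands shown on the slides.

```python
import re
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
interface Ethernet0/2
 ip address 192.168.2.1 255.255.255.0
telnet 10.10.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 141.85.37.0 255.255.255.0 outside
ssh version 1
"""  # constructed excerpt; its defects are deliberate

def parse_interfaces(cfg):
    """Map each interface to its sub-commands, e.g. {'nameif': 'outside', 'security-level': '0'}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {})
        elif line.startswith(" ") and cur is not None:
            words = line.split()
            n = 2 if words[0] == "ip" else 1           # 'ip address' is a two-word key
            cur[" ".join(words[:n])] = " ".join(words[n:])
        else:
            cur = None                                  # back at global configuration
    return ifaces

def audit(cfg):
    """Return the list of findings based on the rules stated on the slides."""
    findings, levels, ssh_version = [], {}, None
    for name, attrs in parse_interfaces(cfg).items():
        if "nameif" not in attrs or "security-level" not in attrs:
            findings.append(f"{name}: no nameif/security-level, so no L3 connectivity")
        else:
            levels[attrs["nameif"]] = int(attrs["security-level"])
    for line in cfg.splitlines():
        m = re.match(r"telnet \S+ \S+ (\S+)$", line)    # 'telnet <net> <mask> <ifname>'
        if m and levels.get(m.group(1)) == 0:
            findings.append(f"telnet on {m.group(1)} (security-level 0) is refused unless over IPsec; use SSH")
        m = re.match(r"ssh version (\d)$", line)
        if m: ssh_version = int(m.group(1))
    if ssh_version != 2:
        findings.append("ssh version 2 is not configured")
    if not re.search(r"^passwd ", cfg, re.M):
        findings.append("no passwd set: the Telnet/SSH password is the default 'cisco'")
    return findings
```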
• Configuring a specific interface
asa1# show run interface E0/3
interface Ethernet0/3
speed 10
duplex full
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0
• Name of the interface and security levels
asa1# show nameif
Interface            Name      Security
GigabitEthernet0/0   outside   0
GigabitEthernet0/1   inside    100
GigabitEthernet0/2   dmz       50
• All the parameters of an interface
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0013.c482.2e4c, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
8 packets input, 1078 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (8/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "outside":
8 packets input, 934 bytes
0 packets output, 0 bytes
8 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
• What command did we use in IOS to see the L2 and L3 status of interfaces in a "brief" output?
show ip interface brief
• ASA does it slightly differently
show interface ip brief
ciscoasa(config)# sh int ip br
Interface     IP-Address    OK? Method Status   Protocol
Ethernet0/0   192.168.1.1   YES manual up       up
Ethernet0/1   10.10.1.1     YES manual up       up
• IOS Q: can we run a show command from config mode?
A: yes, using the argument “do” in front of the command
normal_cisco_router(config)#do show clock
*15:08:07.867 UTC Thu Feb 17 2011
• We don’t have “do” in ASA OS, but …
… you can give show commands from anywhere in the OS
ciscoasa(config-if)# sh clock
15:54:01.139 UTC Thu Feb 17 2011
• There’s also the possibility of filtering output by using “|” and the arguments “i”, “b”, “grep”
[Technical demo topology: R1 e0/0 <-> ASA (G0, G1) <-> R2 e0/0; the ASA interfaces are named “outside” and “inside”]
Thank you.