Course Agenda
Class Timing
Start daily at 9 AM
10 min break between subjects
Lunch break between 12:00 and 13:00
Class ends at ~17:30
Classroom introduction
Questions in class
Participation is key
2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
Course Agenda
Topics covered
1. FW Overview
2. ASA Overview
3. ASA Get knowing the tools
4. ASA Routing
5. Administrative access
6. ASA Monitoring (Syslog/SNMP)
7. ASA ACLs
8. ASA NAT
9. ASA algorithm, Packet Flow
10. MPF - Protocol handling
11. Asymmetric Routing uRPF
Course Agenda
Topics covered (cont.)
12. AAA Identity management
13. Transparent FW
14. Contexts
15. Redundant interfaces
16. Failover
17. Miscellaneous topics
18. Troubleshooting
19. Review
Course Overview
Recommended Reading
Cisco Press - Cisco ASA: All-in-One Firewall, IPS, Anti-X, and
VPN Adaptive Security Appliance 2nd edition (2010)
Cisco Press - Cisco Firewalls (2011)
Cisco ASA 5500 Series Configuration Guide 8.x
Cisco ASA 5500 Series Command Reference 8.x
Cisco ASA 5500 Migration to Version 8.3 and Later
Cisco ASA New Features by Release
CCNP Sec Firewall 642-618 Certification Guide
Firewalls Overview
Stateful Firewalls
The firewall creates a State Table
Firewalls Overview
Stateful Firewalls (cont.)
TCP State Table: Src IP 10.0.1.1, Src Port 1055, Dst IP 20.0.1.5, Dst Port 23, Seq # 2650914815, Flags PUSH, Idle time 1min 5 sec
UDP State Table: Src IP 10.0.1.1, Src Port 1055, Dst IP 20.1.1.5, Dst Port 53, Idle time 15min 15sec
ICMP State Table: Src IP 10.0.1.1, Dst IP 20.0.1.5, ICMP Type, ICMP Code, Packet ID, Idle time 8 sec
IPsec (SPI) State Table: Src IP 10.0.1.1, Dst IP 20.1.1.5, SPI 0xDFC15269, Idle time 1 sec
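A toy connection table in the shape of the slide's state-table columns, as an added example that is not part of the course material or of Cisco's code: TCP/UDP entries are keyed on source/destination IP and port, ICMP entries on source/destination and echo ID, IPsec entries on source/destination and SPI; entries age out after an assumed idle timeout, and return traffic passes only while a matching entry exists. The policy function, the timeouts, the fake clock and the packets in `demo()` are constructed for the illustration (the addresses and ports are the slide's).

```python
"""Toy connection (state) table shaped like the slide's TCP/UDP/ICMP/SPI columns.

Added example, not code from the course or from Cisco. Keys mirror the slide:
TCP/UDP use src/dst IP and port, ICMP uses src/dst and the echo ID, IPsec uses
src/dst and SPI. The idle timeouts are assumed values, not ASA defaults.
"""
from dataclasses import dataclass
import time

IDLE_TIMEOUT = {"tcp": 3600, "udp": 120, "icmp": 2, "esp": 30}   # assumed, seconds


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_id: int = 0      # shared by an echo request and its reply
    spi: int = 0
    flags: str = ""       # TCP flags, e.g. "SYN" or "PUSH"


@dataclass
class Entry:
    key: tuple
    last_seen: float
    flags: str = ""


def forward_key(p):
    if p.proto in ("tcp", "udp"):
        return (p.proto, p.src, p.sport, p.dst, p.dport)
    if p.proto == "icmp":
        return ("icmp", p.src, p.dst, p.icmp_id)
    if p.proto == "esp":
        return ("esp", p.src, p.dst, p.spi)
    raise ValueError("unsupported protocol: " + p.proto)


def reverse_key(p):
    """Key the return packet of this flow carries. ESP uses one SPI per
    direction, so a reverse ESP packet cannot be matched by SPI alone."""
    if p.proto in ("tcp", "udp"):
        return (p.proto, p.dst, p.dport, p.src, p.sport)
    if p.proto == "icmp":
        return ("icmp", p.dst, p.src, p.icmp_id)
    return None


class StateTable:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.entries = {}

    def lookup(self, p):
        """Live entry this packet belongs to (either direction), or None."""
        for key in (forward_key(p), reverse_key(p)):
            e = self.entries.get(key)
            if e is None:
                continue
            if self.clock() - e.last_seen > IDLE_TIMEOUT[key[0]]:
                del self.entries[key]          # idle entry aged out
                continue
            e.last_seen = self.clock()
            e.flags = p.flags or e.flags
            return e
        return None

    def build(self, p):
        e = Entry(forward_key(p), self.clock(), p.flags)
        self.entries[e.key] = e
        return e


def inspect(table, p, first_packet_policy):
    """Known flows pass on state; only the first packet of a flow needs policy."""
    if table.lookup(p) is not None:
        return "allowed-by-state"
    if first_packet_policy(p):
        table.build(p)
        return "built"
    return "denied"


class FakeClock:
    """Constructed clock so the demo can age entries without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    table = StateTable(clock)
    inside_only = lambda p: p.src.startswith("10.0.1.")   # constructed policy
    pkts = [
        Packet("tcp", "10.0.1.1", "20.0.1.5", 1055, 23, flags="SYN"),   # slide's telnet flow
        Packet("tcp", "20.0.1.5", "10.0.1.1", 23, 1055, flags="SYN ACK"),
        Packet("tcp", "20.0.1.5", "10.0.1.1", 23, 1056),                 # unsolicited
        Packet("udp", "10.0.1.1", "20.1.1.5", 1055, 53),                 # slide's DNS flow
    ]
    out = [inspect(table, p, inside_only) for p in pkts]
    clock.now += 121                                     # past the assumed UDP idle timeout
    out.append(inspect(table, Packet("udp", "20.1.1.5", "10.0.1.1", 53, 1055), inside_only))
    out.append(inspect(table, Packet("icmp", "10.0.1.1", "20.0.1.5", icmp_id=7), inside_only))
    out.append(inspect(table, Packet("icmp", "20.0.1.5", "10.0.1.1", icmp_id=7), inside_only))
    return out


if __name__ == "__main__":
    print(demo())
```

`demo()` walks the slide's telnet flow and its reply, an unsolicited packet from the outside, a DNS entry that has aged out before the reply arrives, and an echo request/reply pair matched on the echo ID.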
(figure: packet flow through the ASA shown as numbered steps; stages labelled ROUTE-LOOKUP, ACL (CUST1_ACL), NAT (Source NAT), VPN Encrypt; ACL (CUST2_ACL), UN-NAT (Dest NAT), ROUTE-LOOKUP (VPN peer), VPN Encrypt)
(figure: ASA packet-processing stages labelled uAuth, Egress capturing, VPN Encryption, Ingress capturing, NAT, ACL, Routing)
PIX/ASA Evolution
In 1994 Brantley Coile and John Mayes, owners of Network Translation Inc, created PIX (Private Internet eXchange). PIX uses Finesse OS (Fast InterNet Server Executive, now called PIX OS), written by Brantley Coile
In 1995 Cisco bought Network Translation Inc
In May 2005 Cisco introduced the ASA (Adaptive Security Appliance), which inherited much of the PIX feature set. The ASA runs PIX OS code 7.0 and later. The ASA also replaces the Cisco VPN 3000 concentrators
As of ASA 8.0, the ASA runs on a Linux kernel. PIX 8.0 continues using PIX OS/Finesse OS
In July 2008 Cisco announced PIX End of Sale (EoS)
Last date of PIX SW, licenses and accessories sales: Jan 2009
PIX end of support/end of life is 27 July 2013
PIX/ASA Evolution
ASA/PIX evolution overview
ASA Overview
ASA 5500 Model Comparison
Small Office and Branch Office
Internet Edge
ASA Overview
Main features
Stateful Packet Inspection (Adaptive Security Algorithm)
NAT
Advanced Routing capabilities
Dot1q subinterfaces
Modular Policy Framework (MPF)
Security contexts
ASA Overview
Main features (cont)
IPsec VPN/SSL VPN
Asymmetric routing support (as of 8.2(1))
LACP EtherChannel support (as of 8.4(1))
CSC-SSM (Content Security Control Security Service Module) provides anti-X capabilities (anti-X = blocking of viruses, spam and spyware, plus URL blocking) for FTP, HTTP, POP3 and SMTP
IPS capabilities (AIP-SSM module, Adaptive Inspection and Prevention)
ASA Overview
Main features (cont)
QoS Traffic Shaping 8.1(2)
Botnet Traffic Filter (malware protection) - 8.2(1)
Global ACLs - 8.3(1)
Stateful Failover with Dynamic Routing Protocols - 8.4(1)
TCP Ping Enhancement - 8.4(1)
Identity Firewall - 8.4(2)
Mixed firewall mode support in multiple context mode - 8.5(1)
ASA Clustering 9.0 ASA 5580 and 5585
VPN and dynamic routing in contexts
ASA Overview
ASA/PIX Unsupported features
ASA doesn't support ISP load balancing
ASA cannot block applications that negotiate dynamic ports over encrypted channels (e.g. Skype). ASA CX is the new weapon.
ASA doesn't support PBR
ASA cannot be configured as an EZVPN client (the only exception is the ASA 5505)
ASA doesn't support VTIs
PIX doesn't support SSL VPNs
PIX doesn't support the AIP-SSM and CSC-SSM modules
ASA Overview
ASA Basic Configuration
5 modes of configuration:
EXEC or nonprivileged mode
ciscoasa> enable
Privileged mode
ciscoasa# configure terminal
ROMMON mode
rommon>
ASA Overview
ASA Basic Configuration
ASA keeps last 19 entered commands in memory
ASA# show history
ASA Overview
ASA Basic Configuration
To erase the existing running configuration:
ASA(config)# clear configure all
or
ASA(config)# configure factory-default
ASA Overview
ASA Licensing
A license is a 160-bit value (activation key) that specifies the features enabled on the ASA
By default the ASA comes with a license that depends on the order (www.cisco.com/go/license)
There are permanent licenses and time-based (evaluation) licenses
The activation key is tied to the serial number of the device
To enter an activation key (a reload might be required):
ASA# activation-key 0xa1b34b58c 0x42afb341d ..
To see the activation key:
ASA# show activation-key
or
ASA# show version
ASA Overview
ASA File System
disk0 = flash0
To view the contents of flash
ASA# dir
To delete a file
ASA# delete flash0:/{file_name}
ASA Overview
ASA Boot Files and HW
ASA can keep in Flash one or more OS images
To specify from which to boot
1. ASA(config)# boot system {image}
2. ASA# copy running-config startup-config
3. ASA# reload
Note
In case of an image upgrade, do not forget to remove the previous boot system command; the new command doesn't overwrite the old one (ACL logic). More on this later
ASA Overview
ASA Basic Interface Configuration
Basic interface configuration:
ASA(config)# interface Ethernet0/0
ASA(config-if)# nameif dmz
ASA(config-if)# security-level 50
ASA(config-if)# ip address 100.0.104.10 255.255.255.0
ASA(config-if)# no shut
On subinterfaces I have to specify the VLAN:
ASA(config)# interface Ethernet0/2.104
ASA(config-subif)# vlan 104
ASA Overview
Security Levels
Interfaces are assigned security levels 0-100
Traffic from Higher to Lower Security Level is allowed by
default. How the ASA will know the exit interface?
Based on the routing lookup (unless NAT is used)
ASA Overview
Questions
What happens by default if you configure two interfaces
with the same security level?
1. Traffic will pass freely between those connected networks
2. Traffic will not pass between those interfaces
3. Specific ACLs must allow traffic between those interfaces
(figure: packet-tracer parameters Source IP, Source interface, Destination IP, Destination port)
Note
Packet-tracer will cause a hit-count increase in the ACL
ASA Routing
General overview and ARP
ASA 8.x supports the following routing options:
Static routing
RIPv1/v2
EIGRP
OSPF
Proxy ARP is used when a device responds to an ARP request with its own MAC
address, even though the device does not own the IP address. The ASA uses
proxy ARP when you configure NAT and specify a mapped address. There are
rare cases where I want to disable Proxy ARP. I do this with the command:
ASA(config)# sysopt noproxyarp ifname
ARP is handled by the CPU, so ARP flooding is a possible cause of DoS
When an interface goes down, the ARP entries are not deleted
ASA Routing
Static routing
Syntax:
ASA(config)# route OUTSIDE 10.0.2.2 255.255.255.255
100.0.123.2 1
Routing verification
In order to display the routing table
ASA# show route
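The slide's `route` syntax and the earlier question of how the ASA picks the exit interface (routing lookup) can be exercised with a small route table. This is an added example, not code from the course or from Cisco: it parses `route IFNAME NETWORK MASK NEXTHOP [DISTANCE]` lines, answers a lookup by longest-prefix match and, between equal-length routes, by the lower administrative distance. Only the 10.0.2.2 host route is the slide's; the other route lines in `demo()` are constructed.

```python
"""Exit-interface lookup for ASA-style static routes.

Added example, not code from the course or from Cisco. Parses the slide's
'route IFNAME NETWORK MASK NEXTHOP [DISTANCE]' form and resolves a destination
with longest-prefix match, lower administrative distance breaking ties.
"""
import ipaddress


class RouteTable:
    def __init__(self):
        self.routes = []          # (network, interface, next hop, distance)

    def add(self, command):
        t = command.split()
        if len(t) < 5 or t[0] != "route":
            raise ValueError("not a route command: " + command)
        network = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        distance = int(t[5]) if len(t) > 5 else 1     # static routes default to distance 1
        self.routes.append((network, t[1], t[4], distance))

    def lookup(self, destination):
        """Return (exit interface, next hop), or None when no route covers it."""
        addr = ipaddress.ip_address(destination)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
        return best[1], best[2]

    def show(self):
        """Rows in the spirit of 'show route', most specific prefix first."""
        ordered = sorted(self.routes, key=lambda r: -r[0].prefixlen)
        return [f"S {r[0]} [{r[3]}] via {r[2]}, {r[1]}" for r in ordered]


def demo():
    rt = RouteTable()
    rt.add("route OUTSIDE 10.0.2.2 255.255.255.255 100.0.123.2 1")   # slide's route
    rt.add("route dmz 10.0.2.0 255.255.255.0 100.0.104.4 1")          # constructed
    rt.add("route OUTSIDE 0.0.0.0 0.0.0.0 100.0.123.2 1")              # constructed default route
    rt.add("route dmz 10.0.2.2 255.255.255.255 100.0.104.4 5")        # constructed backup (higher distance)
    return {
        "10.0.2.2": rt.lookup("10.0.2.2"),   # host route wins over the /24 and over distance 5
        "10.0.2.3": rt.lookup("10.0.2.3"),   # covered only by the /24 and the default
        "8.8.8.8": rt.lookup("8.8.8.8"),     # default route only
    }


if __name__ == "__main__":
    for row in RouteTable().show():
        print(row)
    print(demo())
```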
ASA Routing
RIP
RIP support added in version 7.0(1)
ASA supports RIPv1 and RIPv2
Basic config
ASA(config)# router rip
ASA(config-router)# network 10.0.0.0
Passive-interface command is supported
In RIPv2 I can disable auto-summarization with the command
no auto-summary
ASA(config-router)# no auto-summary
I can redistribute routes from OSPF, EIGRP, Static or
Connected into RIP
ASA Routing
RIP
RIPv1 doesn't support authentication. RIPv2 supports text and MD5 authentication
ASA(config-if)# rip authentication key CISCO key_id 1
ASA(config-if)# rip authentication mode md5
In order to generate a default route with RIP:
ASA(config-router)# default-information originate
I can filter RIP updates by using distribute-lists (I must use a
Standard ACL in order to denote what traffic will be allowed
and denied by the distribute-list)
ASA(config)# access-list ACL extended permit ip any any
ASA(config-router)# distribute-list ACL out
ERROR: Access-list ACL does not exist or not standard type acl
ASA Routing
RIP
Verification/Troubleshooting
ASA# show run router rip
ASA# show rip database
Useful RIP debug commands:
ASA# debug rip events
ASA# debug rip database
Note Use debug with caution!
ASA Routing
OSPF
Basic OSPF configuration
ASA(config)# router ospf 1
ASA(config-router)# network 100.0.101.10
255.255.255.255 area 0
Note that we don't use wildcard masks
ASA supports intra-area routes (LSA1, LSA2), inter-area
routes (LSA3, LSA4), external routes (LSA5) and LSA7
Virtual Link support
Null, clear text and MD5 authentication. MD5 auth example:
ASA(config)# int e0/2.124
ASA(config-subif)# ospf message-digest-key 1 md5 CISCO
ASA(config-subif)# ospf authentication message-digest
ASA Routing
OSPF
ASA can be DR, BDR or ASBR
Support for Stub areas (blocks LSA3 and LSA4) and NSSA
(allows LSA7)
ASA supports LSA3 filtering (create a prefix-list and apply it
under the filter-list command in config-router mode)
I can change the OSPF network type on the ASA interface:
ASA(config-if)# ospf network point-to-point nonbroadcast
I also need to configure the neighbor command in order to send unicast hellos
ASA(config)# router ospf 1
ASA(config-router)# neighbor 100.0.104.4 interface dmz
ASA Routing
OSPF
I can redistribute routes into and from OSPF. In order to
redistribute e.g. EIGRP into OSPF I go under OSPF process:
ASA(config)# router ospf 1
ASA(config-router)# redistribute eigrp 1 subnets
If not set, default metric will be 20 as for IOS
In order for the ASA to advertise a default route into OSPF:
ASA(config)# router ospf 1
ASA(config-router)# default-information originate {always}
ASA Routing
OSPF
OSPF verification/troubleshooting
ASA# show route
ASA# show run router
ASA# show ospf
ASA# show ospf interface
ASA# show ospf neighbor
ASA Routing
EIGRP
Basic EIGRP configuration
ASA(config)# router eigrp 1
ASA(config-router)# network 100.0.123.10
255.255.255.255
ASA(config-router)# no auto-summary
I can filter outgoing and incoming EIGRP route advertisement
by using distribute-lists
ASA(config)# access-list STOP_EIGRP standard deny
10.0.22.0 255.255.255.0
ASA(config)# access-list STOP_EIGRP standard permit any
ASA(config)# router eigrp 1
ASA(config-router)# distribute-list STOP_EIGRP in
ASA Routing
EIGRP
ASA supports EIGRP MD5 authentication
ASA(config)# int e0/1
ASA(config-if)# authentication mode eigrp 1 md5
ASA(config-if)# authentication key eigrp 1 EIGRP
On non-broadcast networks I must define static EIGRP
neighbors
ASA(config)# router eigrp 1
ASA(config-router)# neighbor 136.0.123.2 interface
outside
In order to redistribute into EIGRP I must define the metric
ASA(config)# router eigrp 1
ASA(config-router)# redistribute ospf 1 metric 1 1 1 1 1
ASA Routing
EIGRP
In order to disable EIGRP split-horizon on non-broadcast networks:
ASA(config)# int e0/1
ASA(config-if)# no split-horizon eigrp 1
In order to send a default route:
ASA(config)# int e0/1
ASA(config-if)# summary-address eigrp 1 0.0.0.0 0.0.0.0
or
ASA(config)# route dmz 0.0.0.0 0.0.0.0 100.0.104.4
ASA(config)# router eigrp 1
ASA(config-router)# redistribute static
ASA Routing
EIGRP
EIGRP verification/troubleshooting
ASA# show eigrp neighbors
ASA# show eigrp topology {all-links}
ASA# show eigrp interfaces
Useful EIGRP debug commands:
ASA# debug eigrp fsm
ASA# debug eigrp packets (useful for authentication problems)
Note Use debug with caution!
ASA Routing
Local Name resolution
If I want to use names instead of IPs on ASA, I have to enable
the feature by typing names and then create static name
entries
ASA(config)# names
ASA(config)# name 100.0.101.1 R1
Note
names feature can make troubleshooting very challenging
Lab 3
ASA Routing
Questions
Which routing protocols are supported on ASA?
How do you clear the ARP entry for IP 100.0.123.2 on
interface outside?
ASA IP Connectivity
Configuring DHCP
I can configure ASA as:
DHCP Client (DHCP Client can not be enabled while in Failover mode)
DHCP Server
DHCP Relay Agent
Configuration
FW1(config)# int e0
FW1(config-if)# nameif outside
FW1(config-if)# ip address dhcp
FW1(config-if)# no shut
FW1# debug dhcpc packet
ASA IP Connectivity
ASA as DHCP Server
To enable it on an interface:
FW1(config)# dhcpd enable {nameif}
DHCP verification
In order to display the DHCP server status
FW1# show dhcpd state
ASA IP Connectivity
ASA as DHCP Relay
ASA Monitoring
SNMP
SNMP implementation requires an SNMP Manager (e.g.
CiscoWorks) and an SNMP Agent (e.g. ASA)
SNMP uses 5 message types. 3 of them are sent by the SNMP
Manager and 2 by the SNMP Agent:
Note
ASA doesn't accept SNMP SET messages
ASA supports only SNMP read access
ASA supports SNMPv1, SNMPv2c and SNMPv3 (8.2(1))
ASA Monitoring
SNMP
ASA Monitoring
SNMP
In order to enable snmp traps:
ASA(config)# snmp-server enable traps snmp authentication
linkup linkdown coldstart
ASA Monitoring
SNMP For your reference
Useful SNMP OIDs (Usage / OID)
CPU usage, last 5 seconds (cpmCPUTotal5sec) / 1.3.6.1.4.1.9.9.109.1.1.1.1.3.1
CPU usage, last 1 minute (cpmCPUTotal1min) / 1.3.6.1.4.1.9.9.109.1.1.1.1.4.1
CPU usage, last 5 minutes (cpmCPUTotal5min) / 1.3.6.1.4.1.9.9.109.1.1.1.1.5.1
Connections (current) / 1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6
Interface output octets (ifOutOctets, n = ifIndex) / 1.3.6.1.2.1.2.2.1.16.n
Interface input octets (ifInOctets, n = ifIndex) / 1.3.6.1.2.1.2.2.1.10.n
ASA Monitoring
Questions
Which syslog level will produce the most messages?
1. Errors
2. Critical
3. Informational
4. Debugging
5. Alerts
6. Notifications
ASA ACLs
ACL Overview
By default, traffic from a lower security interface to a higher security interface is not allowed. ACLs (Access Control Lists) can be used to overcome this restriction
An ACL can allow return traffic that is not inspected by default
As soon as I apply an ACL on an interface, the security level is not important anymore (note: same sec-level!)
Implicit deny at the end (like in IOS)
An ACL consists of one or more ACEs (Access Control Entries)
There are 5 types of ACLs:
Extended
Standard
EtherType (only in Transparent mode)
WebType (for Clientless SSL VPN)
IPv6
ASA ACLs
ACL Overview
I can name or number an ACL as I want regardless of its type (unlike IOS, where the number ranges depend on the type)
The order of ACEs is important. Put more specific ACEs at the top
For TCP and UDP connections, regardless if the ASA works in routed
(L3) or transparent mode (L2), I do not need an access list to allow
returning traffic
For ICMP you have to allow the returning traffic unless ICMP
inspection engine is on
One Extended and one Ethertype ACL per interface per direction
ASA ACLs
Extended ACLs
Extended ACLs can be used in order to:
ASA ACLs
Extended ACLs
I can insert an ACE by using the line keyword. Otherwise, the ACE
will be added at the end
ASA(config)# access-list OUTSIDE_IN line 2 extended permit
tcp host 5.5.5.5 host 6.6.6.6 eq www
(figure: access-list OUTSIDE_IN before and after insertion)
ASA ACLs
The log keyword
'permit' without 'log' keyword
%ASA-6-302020: Built outbound ICMP connection for faddr 100.0.123.2/0 gaddr 100.0.101.1/0 laddr 100.0.101.1/0
%ASA-6-302020: Built inbound ICMP connection for faddr 100.0.123.2/0 gaddr 100.0.101.1/0 laddr 100.0.101.1/0
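The two 302020 lines above are what a permit without `log` produces; a parser that splits the `%ASA-<severity>-<id>` header and the faddr/gaddr/laddr fields is the usual starting point for working with these messages, and the same severity numbers answer the later quiz question on which logging level yields the most messages. This is an added example, not code from the course or from Cisco: the first two sample lines are the slide's, the 106023 deny line, the 609001 line and the non-ASA noise line are constructed samples, and `at_level()` models the severity threshold of a `logging trap <level>` setting.

```python
"""Parser for ASA syslog lines of the form %ASA-<severity>-<message id>: <text>.

Added example, not code from the course or from Cisco. Severity names are the
standard syslog levels the ASA uses (0 emergencies .. 7 debugging).
"""
import re
from collections import Counter

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d+): (?P<text>.*)")
# faddr/gaddr/laddr pairs carried by the connection messages (302xxx family)
ADDR = re.compile(r"\b(faddr|gaddr|laddr) (\d+\.\d+\.\d+\.\d+)/(\d+)")
# src/dst endpoints of the access-group deny message (106023)
ENDPOINT = re.compile(r"\b(src|dst) (\w+):(\d+\.\d+\.\d+\.\d+)/(\d+)")

SAMPLE = [  # first two lines are the slide's; the rest are constructed samples
    '%ASA-6-302020: Built outbound ICMP connection for faddr 100.0.123.2/0 gaddr 100.0.101.1/0 laddr 100.0.101.1/0',
    '%ASA-6-302020: Built inbound ICMP connection for faddr 100.0.123.2/0 gaddr 100.0.101.1/0 laddr 100.0.101.1/0',
    '%ASA-4-106023: Deny tcp src outside:100.0.123.2/40512 dst inside:100.0.101.1/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-7-609001: Built local-host outside:100.0.123.2',
    'Jan 12 2010 09:15:01 FW1 : not an ASA message',
]


def parse(line):
    """Dict with severity, level name, id, text and any addresses; None if not ASA."""
    m = HEADER.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    rec = {"severity": sev, "level": SEVERITY[sev], "id": int(m.group("id")),
           "text": m.group("text")}
    for role, ip, port in ADDR.findall(rec["text"]):
        rec[role] = (ip, int(port))
    for role, ifc, ip, port in ENDPOINT.findall(rec["text"]):
        rec[role] = (ifc, ip, int(port))
    return rec


def at_level(lines, logging_level):
    """Messages a 'logging trap <level>' setting would emit: everything with
    severity <= level, so 7 (debugging) yields the most and 0 the fewest."""
    return [r for r in map(parse, lines) if r and r["severity"] <= logging_level]


def denied_sources(lines):
    """Count 106023 access-group denies per source IP (a simple triage view)."""
    return Counter(r["src"][1] for r in map(parse, lines) if r and r["id"] == 106023)


if __name__ == "__main__":
    for r in at_level(SAMPLE, 7):
        print(r["level"], r["id"], r.get("faddr") or r.get("src"))
    print(denied_sources(SAMPLE))
```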
ASA ACLs
Extended ACLs
Router ACL vs ASA/PIX ACL
The ASA/PIX ACL will check only the first packet of a connection
Any = 0.0.0.0 0.0.0.0, host = 255.255.255.255
ASA(config)# access-list OUT_IN permit ip 100.0.123.2
255.255.255.255 0.0.0.0 0.0.0.0
the same as:
ASA(config)# access-list OUT_IN permit ip host 100.0.123.2 any
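The ACL rules stated across the last few slides (security levels decide only when no ACL is applied, `line N` inserts while the default appends, first match wins, implicit deny at the end, hit counts, and `host`/`any` being shorthand for a 255.255.255.255 and a 0.0.0.0 mask) can be checked with a small parser and evaluator. This is an added example, not code from the course or from Cisco; the `OUTSIDE_IN line 2` ACE and the `OUT_IN` equivalence pair are the slides', the remaining ACEs, the interface levels and the packets in `demo()` are constructed, and the port-name table is a small assumption.

```python
"""Parser and first-match evaluator for ASA-style extended ACEs.

Added example, not code from the course or from Cisco. Models the slides'
statements: host/any/address-mask operands (subnet masks, not wildcards),
'line N' insertion, first match with hit counts, implicit deny, and the
security-level default when no ACL is applied to the ingress interface.
"""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "domain": 53}  # assumed subset


def _operand(t, i):
    """Consume one address operand at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


class ACE:
    def __init__(self, action, proto, src, dst, dport):
        self.action, self.proto, self.src, self.dst, self.dport = action, proto, src, dst, dport
        self.hits = 0

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        return self.dport is None or pkt.get("dport") == self.dport


def parse_ace(command):
    """'access-list NAME [line N] [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    t = command.split()
    name, i, line = t[1], 2, None
    if t[i] == "line":
        line, i = int(t[i + 1]), i + 2
    if t[i] == "extended":
        i += 1
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _operand(t, i)
    dst, i = _operand(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return name, line, ACE(action, proto, src, dst, dport)


class Firewall:
    def __init__(self, levels):
        self.level = dict(levels)   # interface -> security level
        self.acls = {}              # ACL name -> ordered list of ACEs
        self.inbound = {}           # interface -> ACL applied with 'access-group ... in'

    def config(self, command):
        t = command.split()
        if t[0] == "access-list":
            name, line, ace = parse_ace(command)
            aces = self.acls.setdefault(name, [])
            if line is None:
                aces.append(ace)             # default: appended at the end
            else:
                aces.insert(line - 1, ace)   # 'line N' inserts before entry N
        elif t[0] == "access-group":         # access-group NAME in interface IF
            self.inbound[t[4]] = t[1]
        else:
            raise ValueError("unsupported command: " + command)

    def decide(self, in_if, out_if, pkt):
        """Inbound ACL if one is applied, otherwise the security-level default."""
        acl = self.inbound.get(in_if)
        if acl is None:
            return "permit" if self.level[in_if] > self.level[out_if] else "deny"
        for ace in self.acls[acl]:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action
        return "deny"                        # implicit deny at the end of every ACL


def demo():
    fw = Firewall({"inside": 100, "outside": 0})                                  # constructed
    fw.config("access-list OUTSIDE_IN extended permit tcp any host 6.6.6.6 eq https")  # constructed
    fw.config("access-list OUTSIDE_IN extended deny ip any any")                         # constructed
    fw.config("access-list OUTSIDE_IN line 2 extended permit tcp host 5.5.5.5 host 6.6.6.6 eq www")  # slide's ACE
    fw.config("access-group OUTSIDE_IN in interface outside")
    web = {"proto": "tcp", "src": "5.5.5.5", "dst": "6.6.6.6", "dport": 80}
    return {
        "order": [(a.action, a.dport) for a in fw.acls["OUTSIDE_IN"]],
        "web_from_outside": fw.decide("outside", "inside", web),
        "ssh_from_outside": fw.decide("outside", "inside", {**web, "dport": 22}),
        "inside_to_outside": fw.decide("inside", "outside", {**web, "src": "10.0.1.1"}),
        "hits": [a.hits for a in fw.acls["OUTSIDE_IN"]],
    }


if __name__ == "__main__":
    print(demo())
```

The hit counters behave like the ACL hit counts the slides mention for packet-tracer: every evaluation that matches an ACE, including a test one, increments it.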
ASA ACLs
ACL limits and ACL optimization
On ASA, the number of ACEs is limited only by memory (check FWSM
limits on https://supportforums.cisco.com/docs/DO-8786)
Each ACE uses at least 212 Bytes of RAM
High number of ACEs can affect session establishment and throughput
In order to see how many ACEs has each ACL:
ASA# show access-list | in elements
(table: Max recommended ACEs / Tested ACEs / Max observed from customers per platform: ASA 5505, 5510, 5520, 5540, 5550, 5580, 5585/60, ASA SM; figures on the slide range from 25k to 2.77m)
From ASA 8.3, the following command can save some CPU and memory resources by not expanding network object-groups; only service object-groups are still expanded (ACL Optimization)
ASA(config)# object-group-search access-control
Only INBOUND ACLs will be optimized
ASA ACLs
Standard ACLs
Syntax
ASA(config)# access-list ACL1 standard permit host
226.0.0.10
Standard ACLs can be used for:
PIM
Route-maps
Distribute Lists
ASA ACLs
Object-grouping
Object groups can be used in order to ease the ACL
administration and avoid repetitive tasks
4 types of object groups:
Protocol object-group
I can group IP protocols (e.g. TCP, UDP, ICMP, ESP etc)
ASA(config)# object-group protocol TCP
ASA(config-protocol)# description Whole TCP Protocol
ASA(config-protocol)# protocol-object tcp
Network object-group
I can group IP hosts and networks
ASA(config)# object-group network OUTSIDE_HOSTS
ASA(config-network)# description Outside Hosts
ASA(config-network)# network-object host 100.0.123.2
ASA(config-network)# network-object 10.0.2.0 255.255.255.0
ASA ACLs
Object-grouping
ICMP type
I can group different ICMP types (e.g. echo, echo-reply etc)
ASA(config)# object-group icmp-type TRACEROUTE
ASA(config-icmp)# description Traceroute Group
ASA(config-icmp)# icmp-object time-exceeded
ASA(config-icmp)# icmp-object unreachable
Service object-group
I can group TCP ports, UDP ports, ICMP
ASA(config)# object-group service TCP_GROUP1 tcp
ASA(config-service)# description TCP Group1
ASA(config-service)# port-object eq telnet
ASA(config-service)# port-object eq www
ASA(config-service)# port-object eq https
ASA ACLs
Object-grouping
Enhanced Service object-group
As of version 8.0(2), Enhanced Service Object grouping allows mixing TCP, UDP and ICMP in a single group
ASA(config)# object-group service ENHANCED_GROUP1
ASA(config-service)# description Enhanced Group 1
ASA(config-service)# service-object tcp eq www
ASA(config-service)# service-object udp eq tftp
ASA(config-service)# service-object icmp echo
ASA ACLs
Using Object-grouping with ACLs
ASA(config)# object-group network OUTSIDE_HOSTS
ASA(config-network)# description Outside Hosts
ASA(config-network)# network-object host 100.0.123.2
ASA(config-network)# network-object 10.0.2.0 255.255.255.0
!
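The reason object-groups matter for the ACE limits discussed earlier (the `elements` figure of `show access-list`, and what `object-group-search access-control` saves) is that the ASA expands each ACE into one element per member combination. The following added example, which is not code from the course or from Cisco, parses the slides' object-group definitions and expands a constructed ACL that uses them, once fully and once with network groups left collapsed as the object-group-search slide describes.

```python
"""Expands ACEs that reference object-groups into the individual entries the
ASA counts as 'elements'. Added example, not code from the course or Cisco.
The object-group definitions are the slides'; the ACL lines are constructed.
"""
from itertools import product

GROUP_CONFIG = """
object-group network OUTSIDE_HOSTS
 description Outside Hosts
 network-object host 100.0.123.2
 network-object 10.0.2.0 255.255.255.0
object-group service TCP_GROUP1 tcp
 description TCP Group1
 port-object eq telnet
 port-object eq www
 port-object eq https
object-group icmp-type TRACEROUTE
 description Traceroute Group
 icmp-object time-exceeded
 icmp-object unreachable
"""

MEMBER_KEYWORDS = ("network-object", "port-object", "service-object",
                   "icmp-object", "protocol-object")


def parse_groups(config):
    """Return {name: {"type": ..., "members": [...]}} from object-group config text."""
    groups, current = {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "description":
            continue
        if t[0] == "object-group":
            current = {"type": t[1], "members": []}
            groups[t[2]] = current
        elif t[0] in MEMBER_KEYWORDS and current is not None:
            current["members"].append(" ".join(t[1:]))
    return groups


def expand(ace, groups, search_mode=False):
    """Rewrite one ACE into the plain ACEs it stands for. With search_mode a
    network group stays as one element (object-group-search behaviour);
    service and icmp-type groups are expanded either way."""
    t, slots, i = ace.split(), [], 0
    while i < len(t):
        if t[i] == "object-group":
            g = groups[t[i + 1]]
            if search_mode and g["type"] == "network":
                slots.append([f"object-group {t[i + 1]}"])
            else:
                slots.append(g["members"])
            i += 2
        else:
            slots.append([t[i]])
            i += 1
    return [" ".join(parts) for parts in product(*slots)]


def element_count(acl_lines, groups, search_mode=False):
    """Elements the whole ACL occupies, the figure 'show access-list' reports."""
    return sum(len(expand(line, groups, search_mode)) for line in acl_lines)


# Constructed ACL using the slides' groups
ACL = [
    "access-list OUTSIDE_IN extended permit tcp object-group OUTSIDE_HOSTS any object-group TCP_GROUP1",
    "access-list OUTSIDE_IN extended permit icmp any any object-group TRACEROUTE",
]

if __name__ == "__main__":
    g = parse_groups(GROUP_CONFIG)
    for line in expand(ACL[0], g):
        print(line)
    print(element_count(ACL, g), "elements expanded;",
          element_count(ACL, g, search_mode=True), "with object-group-search")
```

Two network members times three ports gives six elements for the first ACE alone; adding a second 200-host network group would multiply rather than add, which is why large object-groups drive the ACE counts in the limits table.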
ASA ACLs
Object-group verification/modification
Displaying Object-groups
To show all object-groups
ASA# show run object-group
To show all object-groups from a specific type
ASA# show run object-group service
To show only a specific object-group
ASA# show run object-group id GROUP1
Object-group modification
I can remove an object-group if it is not used in any ACL
ASA(config)# no object-group icmp-type TRACEROUTE
In order to remove an object from an object-group
ASA(config)# object-group network OUTSIDE_HOSTS
ASA(config-network)# no network-object host 100.0.150.24
ASA ACLs
Questions
What are the 4 types of ACL object groups? Which one
is the most flexible?
Which rule is applied inbound to the inside interface, by
default?
1. All IP traffic sourced from any source to any less secure
destination is permitted
2. All IP traffic is denied
3. All IP traffic is permitted
4. All IP traffic sourced from any source to any more secure
destination is permitted
ASA ACLs
Questions
When the ASA denies transit traffic, does it send a TCP RST? How can I change the default behavior?
Low sec-level to High sec-level: I have to configure NAT. Otherwise I get error message 305005
High sec-level to Low sec-level: I have to configure NAT. Otherwise I get error message 305005
Between interfaces of same sec-level
Step 2 Configure the pool that will be used for address translation
ASA(config)# global (nameif) 1 100.0.123.80-100.0.123.90
ASA(config)# nat (inside) 1 0 0
ASA(config)# nat (dmz) 1 100.0.104.0 255.255.255.0 0 0
!
ASA(config)# global (outside) 1 100.0.123.100-100.0.123.110
Traffic can be initiated only from the real IP side. If an xlate is already open, the remote side can reach the source by using the appropriate IP/dst-port
ASA(config)# nat (inside) 1 0 0
ASA(config)# nat (dmz) 1 100.0.104.0 255.255.255.0 0 0 udp 0
ASA(config)# !
ASA(config)# global (outside) 1 interface
Note 1
The ACL can specify only the whole IP protocol (no protocol or port), otherwise:
ERROR: access-list has protocol or port
Note 2
The ACL that is used with NAT Exemption doesn't increase the hit counts
The solution:
ASA(config)# static (inside,outside) 100.0.123.100 100.0.101.250 netmask 255.255.255.255 dns
NAT Exemption (Bidirectional exempts the real IP from the NAT process)
Host 100.0.101.1 will not be NATed as it goes to host 100.0.104.4
ASA(config)# access-list NO_NAT permit ip host 100.0.101.1 host 100.0.104.4
ASA(config)# nat (inside) 0 access-list NO_NAT
Lab 4
Identity NAT
Static NAT
PAT
NAT Exemption
Dynamic NAT
Pre-8.3
ASA1(config)# static (LONDON,PARIS) 100.0.123.101 100.0.11.1
ASA1(config)# access-list PARIS_IN permit ip any host 100.0.123.101
ASA1(config)# access-group PARIS_IN in interface PARIS
Post-8.3 config
Pre-8.3 config
ASA1(config)# nat (LONDON) 1 1.1.1.0 255.255.255.0
ASA1(config)# global (PARIS) 1 100.0.123.50-100.0.123.51
Post-8.3 config
ASA1(config)# object network RANGE_100.0.123.50-51
ASA1(config-network-object)# range 100.0.123.50 100.0.123.51
ASA1(config)# object network NET_1.1.1.0_24bits
ASA1(config-network-object)# subnet 1.1.1.0 255.255.255.0
ASA1(config-network-object)# nat (LONDON,PARIS) dynamic RANGE_100.0.123.50-51
Or (Twice NAT)
ASA1(config)# nat (LONDON,PARIS) source dynamic NET_1.1.1.0_24bits RANGE_100.0.123.50-51
Pre-8.3
ASA1(config)# nat (LONDON) 1 0 0
ASA1(config)# global (PARIS) 1 interface
Post-8.3 config
ASA1(config)# object network ANY
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (LONDON,PARIS) dynamic interface
Or (Twice NAT)
ASA1(config)# nat (LONDON,PARIS) source dynamic any interface
Pre-8.3
ASA1(config)# static (LONDON,PARIS) tcp 100.0.123.111 9999 100.0.11.1 23
ASA1(config)# access-list PARIS_IN permit tcp any host 100.0.123.111 eq 9999
ASA1(config)# access-group PARIS_IN in interface PARIS
Post-8.3 config
ASA1(config)# object network R1_NAT
ASA1(config-network-object)# host 100.0.123.111
ASA1(config)# object network R1_REAL
ASA1(config-network-object)# host 100.0.11.1
ASA1(config-network-object)# nat (LONDON,PARIS) static R1_NAT service tcp 23 9999
Pre-8.3
Post-8.3 config
ASA1(config)# object network R1_REAL
ASA1(config-network-object)# host 100.0.11.1
ASA1(config)# object network R1_NAT1
ASA1(config-network-object)# host 100.0.123.102
Pre-8.3
ASA1(config)# nat (LONDON) 1 0 0
ASA1(config)# global (PARIS) 1 interface
ASA1(config)# access-list NO_NAT permit ip host 100.0.11.1 host 2.2.2.2
ASA1(config)# nat (LONDON) 0 access-list NO_NAT
Post-8.3 config
ASA1(config)# object network ANY
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (LONDON,PARIS) dynamic interface
ASA1(config)# object network R1_100.0.11.1
ASA1(config-network-object)# host 100.0.11.1
ASA1(config)# object network R2_2.2.2.2
ASA1(config-network-object)# host 2.2.2.2
ASA1(config)# nat (LONDON,PARIS) 1 source static R1_100.0.11.1 R1_100.0.11.1 destination static R2_2.2.2.2 R2_2.2.2.2
Pre-8.3
ASA1(config)# nat (LONDON) 1 0 0
ASA1(config)# global (PARIS) 1 interface
ASA1(config)# global (PRAGUE) 1 interface
ASA1(config)# access-list NO_NAT permit ip host 1.1.1.1 any
ASA1(config)# nat (LONDON) 0 access-list NO_NAT
Post-8.3 config
ASA1(config)# object network ANY
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (LONDON,PARIS) dynamic interface
ASA1(config)# object network ANY2
ASA1(config-network-object)# subnet 0 0
ASA1(config-network-object)# nat (LONDON,PRAGUE) dynamic interface
ASA1(config)# nat (LONDON,any) 1 source static R1_1.1.1.1 R1_1.1.1.1
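The pre-8.3 to 8.3+ conversions on the slides above follow a mechanical pattern; the Python below, an added example and not Cisco's migration tool, applies it to the page's own statement types (static, nat + global, nat 0 access-list). Object names follow a constructed convention, NAT exemption is emitted with 'any' as the mapped interface as on the NO_NAT slide, and trailing connection limits on nat lines are dropped.

```python
"""Translate pre-8.3 ASA NAT statements (static, nat + global, nat 0 access-list)
into the 8.3+ object NAT and twice NAT forms shown on the migration slides.
Added example, not Cisco's migration tool: object names are a constructed
convention and NAT exemption uses 'any' as the mapped interface."""
from collections import defaultdict


def parse_addr(tok, i):
    """Read one ACL address at tok[i]: 'any', ('host', ip) or ('subnet', ip, mask)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return ("host", tok[i + 1]), i + 2
    return ("subnet", tok[i], tok[i + 1]), i + 2


def object_for(spec):
    """Return (object name, definition line) for a network object holding spec."""
    if spec == "any":
        return "any", None                      # twice NAT accepts the keyword directly
    if spec[0] == "host":
        return f"HOST_{spec[1]}", f" host {spec[1]}"
    if spec[1] == "0" and spec[2] == "0":
        return "ANY", " subnet 0 0"
    bits = sum(bin(int(o)).count("1") for o in spec[2].split("."))
    return f"NET_{spec[1]}_{bits}bits", f" subnet {spec[1]} {spec[2]}"


def convert(pre83_lines):
    out, nats, exempt = [], [], []
    globals_, acls, used = defaultdict(list), defaultdict(list), defaultdict(int)

    def emit_object(name, definition, nat_line):
        # A network object carries at most one nat statement, so a second use of
        # the same network gets a numbered copy (ANY, ANY2, ... as on slide 137).
        used[name] += 1
        real = name if used[name] == 1 else f"{name}{used[name]}"
        out.extend([f"object network {real}", definition, nat_line])

    for raw in pre83_lines:
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            rest, service = tok[2:], ""
            if rest[0] in ("tcp", "udp"):
                # static (r,m) proto mapped_ip mapped_port real_ip real_port
                mapped_ip, mapped_port, real_ip, real_port = rest[1:5]
                service = f" service {rest[0]} {real_port} {mapped_port}"
            else:
                mapped_ip, real_ip = rest[0], rest[1]
            dns = " dns" if "dns" in rest else ""
            name, definition = object_for(("host", real_ip))
            emit_object(name, definition,
                        f" nat ({real_if},{mapped_if}) static {mapped_ip}{service}{dns}")
        elif tok[0] == "nat":
            real_if = tok[1].strip("()")
            if tok[2] == "0" and tok[3] == "access-list":
                exempt.append((real_if, tok[4]))
            else:  # trailing max-conns / udp limits are dropped
                nats.append((real_if, tok[2], ("subnet", tok[3], tok[4])))
        elif tok[0] == "global":
            globals_[tok[2]].append((tok[1].strip("()"), tok[3]))
        elif tok[0] == "access-list" and "permit" in tok:
            p = tok.index("permit")
            src, i = parse_addr(tok, p + 2)
            dst, _ = parse_addr(tok, i)
            acls[tok[1]].append((src, dst))

    # Dynamic NAT/PAT: each nat line pairs with every global line carrying its id.
    for real_if, nat_id, spec in nats:
        for mapped_if, pool in globals_[nat_id]:
            if pool == "interface":
                mapped = "interface"
            else:
                lo, hi = pool.split("-")
                mapped = f"RANGE_{lo}-{hi.rsplit('.', 1)[1]}"
                out.extend([f"object network {mapped}", f" range {lo} {hi}"])
            name, definition = object_for(spec)
            emit_object(name, definition, f" nat ({real_if},{mapped_if}) dynamic {mapped}")

    # NAT exemption becomes identity twice NAT placed first (section 1).
    for real_if, acl in exempt:
        for src, dst in acls[acl]:
            s_name, s_def = object_for(src)
            if s_def:
                out.extend([f"object network {s_name}", s_def])
            line = f"nat ({real_if},any) 1 source static {s_name} {s_name}"
            if dst != "any":
                d_name, d_def = object_for(dst)
                out.extend([f"object network {d_name}", d_def])
                line += f" destination static {d_name} {d_name}"
            out.append(line)
    return out


# Constructed input reproducing the slide 136 scenario.
SAMPLE = ["nat (LONDON) 1 0 0", "global (PARIS) 1 interface",
          "access-list NO_NAT permit ip host 100.0.11.1 host 2.2.2.2",
          "nat (LONDON) 0 access-list NO_NAT"]
```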
Note
Follows the ACL logic
no logging message 305009
no logging message 305010
no logging message 305011
no logging message 305012
Lab 5
Local-host Table
Maintains per-IP information for every host that goes through the FW
In order to verify connections through the FW:
ASA# show local-host 100.0.101.1
ICMP Inspection
ICMP is not inspected by default
I can allow returning ICMP traffic by:
ACL
ASA(config)# access-list OUTSIDE_IN permit icmp host 100.0.123.2 host 100.0.101.1 echo-reply
Opens a permanent hole
Enabling ICMP inspection
ASA(config)# policy-map policy_default
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
Opens one connection per ICMP packet.
It is removed from the state table:
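The difference between the two options above, as an added Python model (not ASA code): the ACL admits any echo-reply between the two hosts whenever it arrives, while inspection admits a reply only against an outstanding echo-request and then consumes the entry. The packet sequence is constructed; the addresses are the slide's.

```python
"""Model of the two ways the slide lets ICMP echo replies back in.
Added example, not ASA code: a permanent ACL hole admits any echo-reply to
the inside host, while ICMP inspection admits a reply only when a matching
echo-request (same addresses, ICMP id and sequence) went out first, and then
removes that entry from the state table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str   # "echo-request" or "echo-reply"
    ident: int  # ICMP identifier
    seq: int    # ICMP sequence number


class AclHole:
    """access-list OUTSIDE_IN permit icmp host <outside> host <inside> echo-reply"""

    def __init__(self, outside_host: str, inside_host: str):
        self.rule = (outside_host, inside_host)

    def outbound(self, pkt: Icmp) -> bool:
        return True  # inside (high sec-level) to outside is permitted by default

    def inbound(self, pkt: Icmp) -> bool:
        # The hole is static: any echo-reply between the hosts passes, solicited or not.
        return pkt.kind == "echo-reply" and (pkt.src, pkt.dst) == self.rule


class IcmpInspection:
    """inspect icmp: one state entry per outbound echo-request, removed on reply."""

    def __init__(self):
        self.state: set = set()

    def outbound(self, pkt: Icmp) -> bool:
        if pkt.kind == "echo-request":
            self.state.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return True

    def inbound(self, pkt: Icmp) -> bool:
        # A reply is accepted only if it mirrors an outstanding request.
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        if pkt.kind == "echo-reply" and key in self.state:
            self.state.discard(key)  # one connection per packet: the entry is consumed
            return True
        return False


INSIDE, OUTSIDE = "100.0.101.1", "100.0.123.2"  # hosts from the slide

# Constructed packet sequence: a ping out, its reply, the same reply seen again,
# and an unsolicited reply for a request that was never sent.
SCENARIO = [
    ("out", Icmp(INSIDE, OUTSIDE, "echo-request", ident=7, seq=1)),
    ("in", Icmp(OUTSIDE, INSIDE, "echo-reply", ident=7, seq=1)),
    ("in", Icmp(OUTSIDE, INSIDE, "echo-reply", ident=7, seq=1)),   # duplicate
    ("in", Icmp(OUTSIDE, INSIDE, "echo-reply", ident=9, seq=42)),  # unsolicited
]


def run(policy) -> list:
    """Return the permit/deny decision for each packet in SCENARIO."""
    return [policy.outbound(p) if d == "out" else policy.inbound(p) for d, p in SCENARIO]


if __name__ == "__main__":
    print("ACL hole:  ", run(AclHole(OUTSIDE, INSIDE)))
    print("inspection:", run(IcmpInspection()))
```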
Create a Policy-map
Applies policies to identified traffic
L3/L4 Policy-map
Applies actions to L3/L4 Class-map
Inspection Policy-map
Applies special actions to applications
Extended ACL
ASA(config-cmap)# match access-list ACL1
Port numbers
ASA(config-cmap)# match port tcp eq 80
Default-inspection-traffic
ASA(config-cmap)# match default-inspection-traffic
QoS Policing
QoS Shaping
QoS Priority
Take into account the overlap between the global and per-interface policies (the per-interface policy takes precedence)
To verify service-policy
ASA# show service-policy
Lab 6
TCP Intercept
Threat detection
IPS
uRPF
ICMP
SIP
NETBIOS
HTTP
FTP
ASA Contexts
Overview
I can partition a single appliance into multiple virtual firewalls.
Every context has its own routing, FW policy and resources
The number of contexts depends on the model and the license
I can use Active/Active failover or Active/Standby failover
Unsupported features in FW Multimode (before 9.0 ver)*
*I cannot run dynamic routing protocols, but only use static routes
*VPN termination is not supported
Multicast routing is not supported
QoS is not supported
ASA Contexts
Types of contexts
System context
Admin context
User context(s)
ASA Contexts
System context
Doesn't have any interfaces
It is used in order to do 3 main tasks:
Create and maintain other contexts (including admin)
Allocate interfaces to other contexts
Specify the location of the configuration file of other contexts
ASA Contexts
Admin context
Automatically created after converting from single to multiple mode
I can connect to the Admin context remotely and then jump to the other contexts. In order to do this:
Allocate an interface
Assign IP, nameif
Configure Telnet, SSH or ASDM access
ASA Contexts
User-defined (customer) contexts
Manually created from system context
In order to create it:
ASA(config)# context <context-name>
ASA(config-ctx)# allocate-interface <if>
ASA(config-ctx)# config-url <path:/name>
Optionally, I can allocate resources to the context
ASA Contexts
Interface allocation
Interfaces can be non-shared or shared
Unique interface per context
Unique subinterface per context
Shared interface or subinterface between contexts
ASA Contexts
Packet classification rules (ASA Classifier)
The FW must know to which context to send inbound traffic
If an interface (or subinterface) belongs to a single context, the ASA will classify the packet into that context
If multiple contexts share an interface (or subinterface), then the classification is done based on the interface destination MAC
ASA(config)# mac-address auto
or
ASA(config-if)# mac-address <MAC>
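To show the classification rules above in working form, here is an added Python model (not ASA code): a packet on a non-shared interface goes to its owner, a packet on a shared interface is resolved by destination MAC, and the model reports shared interfaces where a context still uses the burned-in address, which is the case that cannot be classified. Interface names and MAC values are constructed.

```python
"""Model of the ASA classifier rules: an interface allocated to one context
classifies into that context; a shared interface needs a unique MAC per
context (mac-address auto or a manual mac-address) and classifies on the
destination MAC.  Added example with constructed names, not ASA code."""


def norm_mac(mac: str) -> str:
    """Accept 0000.1111.2222, 00:00:11:11:22:22 or 00-00-11-11-22-22; return 12 hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch not in ".:-")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"bad MAC: {mac}")
    return digits


class Classifier:
    def __init__(self, allocations: dict):
        """allocations: context -> {interface: mac or None (burned-in address)}."""
        self.owners = {}   # interface -> list of contexts it is allocated to
        self.by_mac = {}   # (interface, mac) -> context
        for ctx, ifaces in allocations.items():
            for iface, mac in ifaces.items():
                self.owners.setdefault(iface, []).append(ctx)
                if mac is not None:
                    self.by_mac[(iface, norm_mac(mac))] = ctx

    def ambiguous_interfaces(self) -> list:
        """Shared interfaces on which not every context has its own unique MAC:
        packets for the contexts without one cannot be classified."""
        bad = []
        for iface, ctxs in self.owners.items():
            if len(ctxs) > 1:
                with_mac = {c for (i, _), c in self.by_mac.items() if i == iface}
                if with_mac != set(ctxs):
                    bad.append(iface)
        return sorted(bad)

    def classify(self, ingress: str, dst_mac: str):
        """Return the context name for a packet, or None if it cannot be classified."""
        ctxs = self.owners.get(ingress, [])
        if len(ctxs) == 1:
            return ctxs[0]           # non-shared interface: the owner gets it
        if not ctxs:
            return None              # interface not allocated to any context
        return self.by_mac.get((ingress, norm_mac(dst_mac)))  # shared: MAC decides


# Constructed allocation: g0/1 unique to CUST1; g0/0 shared with per-context MACs;
# g0/2.30 shared but CUST3 still uses the burned-in address (no mac-address).
ALLOC = {
    "CUST1": {"g0/1": None, "g0/0": "0200.0000.0001", "g0/2.30": "0200.0000.0011"},
    "CUST2": {"g0/0": "02:00:00:00:00:02"},
    "CUST3": {"g0/2.30": None},
}
```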
ASA Contexts
Resource management
By default, all security contexts share the same HW resources
One context could exhaust all physical resources of the firewall
Configuration of resource management is a two-step process:
Step 1 - Define a resource class
ASA(config)# class Silver
ASA(config-class)# limit-resource xlates 1500
ASA(config-class)# limit-resource cons 10000
ASA(config-class)# limit-resource ssh 3
Verification
ASA# show resource {usage}|{allocation}|{types}
ASA# show resource usage detail (resources allocated per context)
ASA# show resource usage context <context-name>
ASA Contexts
Example 1 Non-shared interfaces
ASA Contexts
Example 1 Shared interfaces
Lab 7
ASA Contexts
Questions
What is the command to show if the FW runs in single or multiple context mode?
In Active/Active context, on which context will you troubleshoot failover link issues?
1. Customer Contexts
2. System Context
3. Admin Context
ASA Failover
Overview
ASA supports 2 types of failover configurations:
Active/Standby (A/S)
Active unit passes traffic
Standby unit monitors the Active unit and waits to take over
Standby unit takes over the IP and MAC addresses during failover, except on the Failover and Stateful Failover interfaces
Single or Multiple Context mode, Routed or Transparent
Active/Active (A/A)
Both units can pass traffic (load balancing)
Supported only in Multiple Context mode, Routed & Transparent
Contexts are assigned to failover groups; failover happens per group
Both units must have the same HW, SW, mode and license (8.3(1))
Commands are replicated from Active to Standby
Both types support Stateless or Stateful failover
ASA Failover
Active/Standby
ASA Failover
Failover Health Monitoring
The 2 units monitor each other in 2 ways:
Unit Health Monitoring
Hello messages over the Failover Link (IP protocol 105)
ASA Failover
Failover Behavior
Event | Primary unit action (Active) | Secondary unit action (Standby) | Notes
Active unit fails (HW or SW failure) | - | Becomes Active; marks ex-Active as Failed | No preemption*
Formerly Active recovers | Becomes Standby | No action |
Remaining notes from the table whose rows did not survive extraction: "*preemption", "State information becomes outdated", "Active will not attempt any failover"
ASA Failover
Failover Behavior
Q: What happens when the LAN Failover interface goes down?
A: Depends on the ASA OS version (CSCsw37519):
ASA Failover
Failover design options
ASA Failover
Active/Standby Configuration
3 main steps
Step 1 - Configure Primary unit (6 sub-steps)
Step 2 - Configure Secondary unit (3 sub-steps)
Step 3 - Configure Optional features
Configuring Primary Unit
Substep 1 - Configure data interfaces
ASA(config)# int e0/1
ASA(config-if)# ip address 100.0.101.10 255.255.255.0 standby 100.0.101.11
ASA(config-if)# nameif inside
ASA(config-if)# no shut
ASA Failover
Active/Standby Configuration (cont.)
Substep 3 - Set the unit as Primary
ASA(config)# failover lan unit primary
ASA Failover
Active/Standby Configuration (cont.)
Substep 6 - Enable Failover
ASA(config)# failover
ASA Failover
Active/Standby Configuration (cont.)
Configuring Optional features
Stateful Failover HTTP Replication
By default, HTTP connections are not replicated
ASA(config)# failover replication http
ASA Failover
Active/Standby Configuration (cont.)
Interface Health Polltime
The ASA/PIX sends Hellos out each data interface to monitor the remote interface
PIX/ASA hello every 5 sec, holdtime 5 x Hello Polltime
ASA(config)# failover polltime interface 2 {holdtime 15}
If 2 consecutive Hello messages are missed on a monitored interface, the interface goes into testing mode. If all tests fail, the interface is marked as failed
Note
If an ASA monitored interface goes DOWN, then the failover happens immediately without going through any tests (ASA 9.1 config guide page 8-17)
ASA Failover
Controlling Failover
In order to force the Standby unit to become Active:
From the Active unit
ASA(config)# no failover active
or
From the Standby unit
ASA(config)# failover active
ASA Failover
Failover Verification
In order to verify failover status
ASA# show failover {state} {history}
Failover debugging
In order to debug failover
ASA# debug fover cable {cmd-exec}|{fail}|{fmsg}|{ifc}|{open}|{rx}|{rxdmp}|{rxip}|{switch}|{sync}|{tx}|{txdmp}|{txip}|{verify}
Lab 8
ASA Upgrade
Zero Downtime upgrade
Major Release
I can upgrade from the last minor release of the previous version to the next major release.
E.g. 7.2(1) to 8.0(1)
Minor Release
I can upgrade from a minor release to the next minor release. I cannot skip a minor release.
E.g. I can upgrade from 7.0(1) to 7.1(1)
Maintenance Release
I can upgrade from any maintenance release to any other maintenance release within a minor release
E.g. I can upgrade from 7.0(1) to 7.0(4)
ASA Upgrade
Zero Downtime upgrade on A/S Failover way 1
Step 1 - Download the software on both devices
Step 2 - Specify the new boot image on both units. Delete the old boot system path
ASA(config)# boot system asa842-k8.bin
ASA(config)# no boot system disk0:/asa832-k8.bin
Step 3 - Reload the Standby unit to boot with the new image
From the Active unit: failover reload-standby or
From the Standby unit: reload
ASA Upgrade
Zero Downtime upgrade on A/S Failover way 2
Step 1 - Download the software on both devices
Step 2 - Specify the new boot image on both units. Delete the old boot system path
ASA(config)# boot system asa842-k8.bin
ASA(config)# no boot system disk0:/asa832-k8.bin
Step 3 - Swap the failover so that the unit that was Active is now Standby
On the Standby unit: failover active
Step 4 - Reload the former Active unit (current Standby)
newstandby# reload
Step 5 - Wait a few minutes for the 2 units to get synchronized (show conn, show xlate, show crypto isakmp sa, etc.)
Step 6 - Make the former Active unit (current Standby) Active again
newstandby# failover active
Step 7 - Reload the Standby unit so it boots with the new image
Step 8 - Verify that the Standby got synchronized with the Active
Step 5 - Make sure that the devices are synchronized and make device1 (Primary unit) Active again:
failover active
ASA Upgrade
Case study
After downloading the new image to flash and reloading the device, the ASA cannot find the new image. The ASA writes the errors in a file:
ASA# more flash:upgrade_startup_errors_201301092038.log
Solution
The ASA file system was corrupted. The fsck command utility fixed the issue:
ASA# fsck disk0:
ASA Failover
Questions
What is the correct order of operations to perform an upgrade with zero downtime on 2 ASAs operating in Active/Standby failover mode? Put the following actions in the correct order:
Reload the Standby ASA
Force the Active ASA to failover to the Standby ASA
Reload the former Active ASA
Download the new ASA image
Specify on the ASA to boot from the new image
Make the former Active ASA Active again
What will happen if you don't configure the standby IPs?
What will happen if you enter no failover on the Active unit?
What will happen if you do clear configure all on the Active unit?
ASA Failover
Questions
How do you replace the Active unit?
What is the difference between Active and Standby?
What is the difference between Primary and Secondary?
What is the difference between Serial and LAN-based failover?
What is the difference between Stateless and Stateful failover?
In case of LAN-based failover, what happens if the LAN failover interface goes down?
ASA Failover
Active/Active Overview
Only available in multiple context mode
Both appliances can pass traffic
Divide the contexts in up to 2 failover groups
One failover group contains 1 or more contexts
Admin context is in failover group 1
To save the configs on both appliances, use 'write memory all' from the system context of the unit that has group 1 Active
Group failover can be triggered by:
monitored interfaces in the failover group falling below the threshold
no failover active group group_id or failover active group 1|2
ASA Failover
Active/Active Overview
Primary/Secondary definitions
primary/secondary dictates which unit provides the running configuration to the peer when they boot at the same time
ASA(config)# failover lan unit primary
If I don't specify failover lan unit primary on at least one device, the 2 peers will not detect each other
I can dictate which unit becomes Active if they boot simultaneously, per group, by specifying the preference
ASA(config)# failover group 1
ASA(config-fover-group)# primary
This also dictates the MAC addresses that will be used for the active IPs
If an appliance boots while the peer is down, both failover groups in the appliance will be Active
When using A/A failover, the contexts will use Virtual MACs in the form of:
Use debug fover only from System context (use with caution!)
ASA Failover
Active/Active Configuration
Active/Active configuration implies multiple context config
Convert BOTH ASAs to multiple mode:
ciscoasa(config)# mode multiple
Context config necessary only on Primary unit
ASA Failover
Active/Active Configuration (cont)
Substep 2 - System context - (PIX only)
PIX(config)# failover lan enable
ASA Failover
Active/Active Configuration (cont)
Substep 6 - System context - Configure failover groups
ASA(config)# context CUST1
ASA(config-ctx)# join-failover-group 1
ASA(config)# context CUST2
ASA(config-ctx)# join-failover-group 2
ASA Failover
Active/Active Configuration (cont)
Configure Secondary unit
Substep 1 - System context - (PIX only)
PIX(config)# failover lan enable
ASA Failover
Active/Active Configuration (cont)
Configure Optional features (cont)
Configure HTTP Replication
ASA(config)# failover group 1
ASA(config-fover-group)# replication http
ASA Failover
Controlling Failover
In order to force the Standby unit to become Active:
From the Active unit
ASA(config)# no failover active group {1}|{2}
or
From the Standby unit
ASA(config)# failover active group {1}|{2}
Active/Active Verification
ASA# show failover
ASA# show ip
ASA Failover
Active/Active failover example
ASA Failover
Questions
Which 3 ASA modes do not support VPN termination and dynamic routing protocols?
ASA Failover
Questions
How many ASA Firewalls can you operate in a high-availability failover cluster?
Does failover support preemption?
What are the HW and SW requirements for failover?
Which of the following causes a failover event?
1. A reboot or power interruption on the active ASA Firewall
2. Low HTTP traffic on the outside interface
3. Issuance of the no failover active command on the standby ASA Firewall
4. Low memory utilization for several consecutive seconds
ASA Failover
Questions
How do I replicate the config from the Active to the Standby unit? Does configuration replication save the running configuration to Flash memory on the standby unit?
Based on the following configuration, which command enables the stateful failover option?
ASA(config)# failover lan unit primary
ASA(config)# failover lan interface FOVER e0/2
ASA(config)# failover interface ip FOVER 10.0.1.1 255.255.255.0 standby 10.0.1.2
ASA(config)# failover link interface FOVER e0/2
ASA(config)# failover key $ecRet1
ASA(config)# failover
VPN Overview
VPN goals
In general, a VPN must meet 4 goals:
1. Data confidentiality (encryption)
2. Data integrity (hashing, also often documented as message authentication)
3. Anti-replay (prevent the sender from denying that it sent the message)
4. Authentication (the message came from where it was supposed to come from)
VPN Overview
Data confidentiality
Two main types of encryption:
1. Symmetric key encryption
VPN Overview
Data integrity (hashing)
The sender appends a hash of the message to the original message
The receiver runs the same hash algorithm on the original message and compares the hashes
MD5, SHA1
Digital Signature
It is a hash encrypted with the sender's Private key
The attachment of a Digital signature to a message is called signing
VPN Overview
Digital Certificate
Binds the identity of a device with its Public key
A Digital Certificate contains 3 main values:
1. Device ID (Subject)
2. Device Public key
3. CA's Digital Signature
Diffie-Hellman
Algorithm used to produce a Shared Secret key over an insecure medium
Assuming that I have 2 hosts: A and B
1. Host A chooses 2 prime numbers (P1, P2) and sends them to B
2. Both hosts generate a Private key (PrivK1, PrivK2)
3. Both hosts calculate their Public Keys: PubK1 = (P2^PrivK1) mod P1
4. The two hosts exchange their Public Keys
5. Both hosts generate a Shared Secret: DH1 = (PubK2^PrivK1) mod P1
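The five steps above carried out in code, as an added example that is not part of the course material. It keeps the slide's names (P1, P2, PrivK1/PrivK2, PubK1/PubK2, DH1/DH2); in IKE the group is fixed rather than chosen by host A, so P1 here is the 1024-bit MODP prime of RFC 2409 (the course's `group 2`) and P2 = 2 is its generator, which also happens to be prime. The Miller-Rabin check and the range check on the peer's public value are the defensive additions a practitioner would want.

```python
"""Diffie-Hellman exchange between hosts A and B using the slide's names.

Added example, not from the course material. P1 is the 1024-bit MODP
prime of RFC 2409 section 6.2 (IKE "group 2"); P2 = 2 is its generator.
Private keys are drawn randomly on every run.
"""
import secrets

# RFC 2409 section 6.2, Second Oakley Group (1024-bit MODP), generator 2.
P1 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
P2 = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; used to sanity-check P1 (and (P1-1)/2) before use."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_private_key(p: int = P1) -> int:
    """PrivK: a random exponent in [2, p-2] (step 2 on the slide)."""
    return 2 + secrets.randbelow(p - 3)


def public_key(priv: int, p: int = P1, g: int = P2) -> int:
    """PubK = (P2^PrivK) mod P1 (step 3 on the slide)."""
    return pow(g, priv, p)


def valid_public_key(pub: int, p: int = P1) -> bool:
    """Reject 0, 1, p-1 and out-of-range values: with those the 'shared
    secret' collapses to a trivially predictable number."""
    return 1 < pub < p - 1


def shared_secret(peer_pub: int, priv: int, p: int = P1) -> int:
    """DH = (PubK_peer^PrivK) mod P1 (step 5 on the slide)."""
    if not valid_public_key(peer_pub, p):
        raise ValueError("peer public key outside valid range")
    return pow(peer_pub, priv, p)


def run_exchange(p: int = P1, g: int = P2):
    """Both sides of the exchange; returns (DH1, DH2), which must match."""
    privk1 = generate_private_key(p)       # host A
    privk2 = generate_private_key(p)       # host B
    pubk1 = public_key(privk1, p, g)       # A -> B  (step 4)
    pubk2 = public_key(privk2, p, g)       # B -> A  (step 4)
    dh1 = shared_secret(pubk2, privk1, p)  # computed by A
    dh2 = shared_secret(pubk1, privk2, p)  # computed by B
    return dh1, dh2


if __name__ == "__main__":
    assert is_probable_prime(P1) and is_probable_prime((P1 - 1) // 2)
    dh1, dh2 = run_exchange()
    print("shared secrets match:", dh1 == dh2)
```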
VPN Overview
Authentication with PKI
VPN Overview
Security Protocols
AH (Authentication Header)
IP Protocol 51
Doesn't provide encryption
AH Transport mode
AH Tunnel mode
ASA VPN
IPsec Security Association (SA)
It is a simplex connection that provides security services to the traffic carried by it (RFC 4301)
Each VPN connection requires at least 2 SAs (one per direction)
An SA is identified by 3 things:
Security Parameter Index (SPI) - 32-bit number
Destination IP
A security protocol (AH/ESP)
VPN Overview
Questions
What is the difference between an HMAC and a Digital signature?
What is the purpose of the CA Digital Signature in a Digital Certificate?
What are the 2 variations of asymmetric key encryption?
How do Transport and Tunnel modes differ?
What port is used by ESP?
messages in total
First two messages negotiate policy
Next two messages exchange DH Public Keys + Extra data
Last two messages authenticate the two peers (device authentication)
Pre-shared keys
RSA signatures
CRACK (if you don't want to use PKI)
Note
RFC 2408 (ISAKMP)
RFC 2409 (IKEv1)
RFC 4301 (IPsec)
RFC 3947 (NAT-Traversal in the IKE)
RFC 4306 (IKEv2)
After QM message 2:
Initiator generates IPsec keying material
IPsec session key for incoming IPsec SA = PRF (SKEYID_d, protocol (ISAKMP), new DH shared secret, SPIr, Ni', Nr')
IPsec session key for outgoing IPsec SA = PRF (SKEYID_d, protocol (ISAKMP), new DH shared secret, SPIi, Ni', Nr')
VPN Overview
Questions
What are the 2 modes in IKE phase 1? How do they differ?
What is a NONCE and what is its role?
When I use pre-shared keys for authentication, how do the 2 peers authenticate each other?
Where is Aggressive mode typically used?
When we say an ISAKMP message is authenticated, what does that mean?
Which ISAKMP messages are authenticated?
How are the ISAKMP messages authenticated?
Which ISAKMP messages are encrypted?
How are the ISAKMP messages encrypted?
VPN Overview
Questions
What is the purpose of NAT-T and how does it work?
What is the difference between the Hash in messages 5-6 in MM and the 3 Hashes in QM?
How does IPsec encrypt the user data?
ASA VPN
ASA VPN Overview
ASA supports:
Site-to-site VPNs (L2L)
IKEv1
IKEv2 - 8.4(1) and later
DMVPNs
GET VPNs
VTIs (forthcoming feature)
GRE tunnels
Remote access VPN with Multiple Contexts (forthcoming feature)
ASA VPN
ASA VPN L2L IKEv1 Configuration
ASA1 (pre-8.4)
ASA2 (post-8.4)
In ASA post-8.4 the isakmp keyword was replaced by the ikev1 and ikev2 keywords
ASA VPN
ASA VPN Configuration key points
Regarding the ISAKMP policy, all the values must match. The only exception is the lifetime: in case of difference the lowest value will be chosen
Note
Different lifetimes are supported only between Cisco devices. If you have a VPN between ASA and another vendor make sure that the P1 and P2 timers match
If I use pre-shared keys for authentication, the tunnel-group name must be the IP of the remote peer
The crypto ACLs of the VPN peers must be mirrors of each other. The only exception is overlapping subnets. In this case, only the peer with the stricter ACL can initiate the VPN (see next slide)
PFS is optional and can add a bit more security
In the static crypto map 3 things must be specified:
set peer = Who
match address = What
set transform-set = How
ASA VPN
Be aware of overlapping ACLs!
In this case only the spokes will be able to initiate the VPN tunnel
ASA VPN
ASA VPN features
Lifetimes and Timeouts
ISAKMP SA lifetime
IPsec SA lifetime
By default, if there is data traffic, both ISAKMP SAs and IPsec SAs stay UP. This is because the default VPN Session Timeout is none
ASA(config)# group-policy DfltGrpPolicy attributes
ASA(config-group-policy)# vpn-session-timeout none
ASA VPN
ASA VPN features
VPN Idle Timeout
If there is no VPN traffic, both the inbound and the outbound expired SPIs are deleted. The other SPIs remain UP. If the deleted SPIs were the last ones, the ISAKMP SA is also deleted
In order to set the VPN Idle-Timeout for all tunnels to 120 minutes:
ASA(config)# group-policy DfltGrpPolicy attributes
ASA(config-group-policy)# vpn-idle-timeout 120
In order to verify the VPN uptime and idle-timeout use the command:
ASA# show vpn-sessiondb detail l2l
ASA VPN
ASA VPN features
DPD Keepalives (RFC 3706)
The isakmp keepalive feature is enabled by default:
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
ASA VPN
ASA Filtering VPN traffic
By default, ASA will allow encrypted traffic arriving on the VPN interface even if you have an ACL with deny ip any any. This is due to the command sysopt connection permit-vpn
ASA VPN
ASA Filtering VPN traffic
Note: Pay special attention to ICMP VPN-Filters since the logic is not very straightforward! Test in a lab before implementing
ASA VPN
ASA Filtering VPN traffic
Note 1
If I only put the following line:
access-list VPN_FILTER_ACL extended permit icmp host 3.3.3.3 host 1.1.1.1 echo
The ICMP packets will reach R3, but the ICMP echo-replies will be dropped on ASA1
Note 2
For TCP, the VPN Filter doesn't allow the traffic to be transmitted over the tunnel
show run crypto {isakmp|ipsec|map}
show run {all} tunnel-group
show run {all} group-policy
show run access-list
Note that the default debug level is 1. Level 127 will provide enough information for troubleshooting
Use condition per peer:
ASA# debug crypto condition peer 10.0.23.12
Relevant configuration
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
Relevant configuration
crypto isakmp identity auto
Relevant configuration
tunnel-group 10.0.22.11 type ipsec-l2l
tunnel-group 10.0.22.11 ipsec-attributes
pre-shared-key cisco
Relevant configuration
crypto ipsec transform-set ESP_AES_SHA esp-aes esp-sha-hmac
(Initial contact)
Phase 1 proposals
Vendor IDs (VID)
ASA2# Jan 14 13:32:05 [IKEv1]IP = 10.0.12.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing SA payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Oakley proposal is acceptable
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing VID payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Received NAT-Traversal ver 02 VID
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing VID payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Received NAT-Traversal ver 03 VID
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing VID payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, Received Fragmentation VID
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, processing IKE SA payload
Jan 14 13:32:05 [IKEv1 DEBUG]IP = 10.0.12.10, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Relevant configuration
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
Relevant configuration
tunnel-group 10.0.12.10 type ipsec-l2l
tunnel-group 10.0.12.10 ipsec-attributes
ikev1 pre-shared-key cisco
Relevant configuration
crypto isakmp identity auto
Jan 14 13:32:06 [IKEv1 DECODE]IP = 10.0.12.10, IKE Responder starting QM: msg id = 35e9bd82
Jan 14 13:32:06 [IKEv1]IP = 10.0.12.10, IKE_DECODE RECEIVED Message (msgid=35e9bd82) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing hash payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing SA payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing nonce payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing ID payload
Jan 14 13:32:06 [IKEv1 DECODE]Group = 10.0.12.10, IP =10.0.12.10, ID_IPV4_ADDR_SUBNET ID received--10.0.11.0--255.255.255.0
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Received remote IP Proxy Subnet data in ID Payload: Address 10.0.11.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing ID payload
Jan 14 13:32:06 [IKEv1 DECODE]Group = 10.0.12.10, IP =10.0.12.10, ID_IPV4_ADDR_SUBNET ID received--10.0.23.0--255.255.255.0
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Received local IP Proxy Subnet data in ID Payload: Address 10.0.23.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing notify payload
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, QM IsRekeyed old sa not found by addr
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Static Crypto Map check, checking map = mymap, seq = 10...
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, Static Crypto Map check, map mymap, seq = 10 is a successful match
Jan 14 13:32:06 [IKEv1]Group = 10.0.12.10, IP = 10.0.12.10, IKE Remote Peer configured for crypto map: mymap
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, processing IPSec SA payload
Jan 14 13:32:06 [IKEv1 DEBUG]Group = 10.0.12.10, IP = 10.0.12.10, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 10
Relevant configuration
Note
The outbound SPI matches the inbound SPI of the remote peer and vice versa
[Figure: IKE message exchange]
Message 1: SA
Message 2: SA
Message 3
Message 4
Message 5: ID, HASH
Message 6: ID, HASH
Message 2
Message 3: HASH
DPD Keepalive: HASH, NOTIFY
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type DPD R-U-THERE (seq number 0x75bf1ee8)
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
[IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=963b86e9) with payloads : HDR + HASH (8) + NOTIFY
(0) total length : 84
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type DPD R-U-THERE
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
[IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=aa2f9995) with payloads : HDR + HASH (8) + NOTIFY
(0) total length : 84
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type DPD R-U-THERE
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
[IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=28f0bd25) with payloads : HDR + HASH (8) + NOTIFY
(0) total length : 84
[IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE SA MM:7574c8b1 rcv'd Terminate: state MM_ACTIVE flags
refcnt 1, tuncnt 1
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, sending delete/delete with reason message
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing blank hash payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing IPSec delete payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
[IKEv1]: IP = 10.0.22.11, IKE_DECODE SENDING Message (msgid=fec694b7) with payloads : HDR + HASH (8) + DELETE
(0) total length : 68
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Active unit receives a delete event for remote peer 10.0.22.11.
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Deleting SA: Remote Proxy 10.0.23.0, Local Proxy 10.0.11.0
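The debug output above shows three unanswered DPD R-U-THERE probes followed by the ASA tearing the tunnel down. The following monitor, an added example that is not part of the course material, runs over those lines and reports the dead-peer event with the number of probes that went unanswered; the second peer and its "Received ... R-U-THERE-ACK" line are constructed, and that ACK wording is an assumption rather than something taken from the slides.

```python
"""DPD liveness tracking from ASA IKEv1 debug output (RFC 3706 keepalives).

Added example, not from the course material; for tunnel-health
monitoring. It counts R-U-THERE probes sent to each peer without an
R-U-THERE-ACK coming back and records when the ASA declares the peer
dead. Sample lines are the DEBUG lines from the course's debug output
plus two constructed lines for a second, healthy peer.
"""
import re

SAMPLE_LOG = """\
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type DPD R-U-THERE (seq number 0x75bf1ee8)
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, constructing qm hash payload
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type DPD R-U-THERE
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, Sending keep-alive of type DPD R-U-THERE
[IKEv1]: Group = 10.0.22.11, IP = 10.0.22.11, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
[IKEv1 DEBUG]: Group = 10.0.22.11, IP = 10.0.22.11, IKE Deleting SA: Remote Proxy 10.0.23.0, Local Proxy 10.0.11.0
[IKEv1 DEBUG]: Group = 10.0.12.10, IP = 10.0.12.10, Sending keep-alive of type DPD R-U-THERE (seq number 0x0000002a)
[IKEv1 DEBUG]: Group = 10.0.12.10, IP = 10.0.12.10, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x0000002a)
"""

PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")
# Negative lookahead keeps an ACK the ASA itself sends from counting as a probe.
PROBE_RE = re.compile(r"Sending keep-alive of type DPD R-U-THERE(?!-ACK)")
ACK_RE = re.compile(r"Received keep-alive of type DPD R-U-THERE-ACK")
LOST_RE = re.compile(r"IKE lost contact with remote peer")


def monitor_dpd(lines):
    """Return (unanswered, dead_events).

    unanswered: peer IP -> R-U-THERE probes sent since the last ACK.
    dead_events: (peer IP, probes that went unanswered) for each
    "lost contact" line, in order of appearance.
    """
    unanswered = {}
    dead_events = []
    for line in lines:
        m = PEER_RE.search(line)
        if not m:
            continue
        peer = m.group(1)
        if ACK_RE.search(line):
            unanswered[peer] = 0           # peer answered: tunnel is alive
        elif PROBE_RE.search(line):
            unanswered[peer] = unanswered.get(peer, 0) + 1
        elif LOST_RE.search(line):
            dead_events.append((peer, unanswered.get(peer, 0)))
            unanswered[peer] = 0           # ASA tears the SA down; start over
        # An R-U-THERE-ACK the ASA *sends* only answers the peer's probe and
        # says nothing about the peer's liveness, so it is deliberately ignored.
    return unanswered, dead_events


def alerts(lines):
    """Human-readable lines for the dead-peer events, e.g. for a SIEM feed."""
    _, events = monitor_dpd(lines)
    return [f"DPD: peer {peer} declared dead after {n} unanswered R-U-THERE probes"
            for peer, n in events]


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```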
What will happen in the following scenario if R3 10.0.13.3 tries to connect to R5 (10.0.35.5)?
e) If you use VPN Filters make sure that they are properly configured
show vpn-sessiondb detail l2l
show run group-policy
show run tunnel-group
Check the following link for most common L2L VPN problems:
www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution13
Labs 9-10
After the IKE_SA_INIT messages the 2 peers will generate SKEYSEED (prf(Ni | Nr, g^ir)), similar to SKEYID in IKEv1
From SKEYSEED, seven other secret keys are generated:
SK_ai = message authentication of initiator (similar to SKEYID_a)
SK_ar = message authentication of responder (similar to SKEYID_a)
SK_ei = message encryption of initiator (similar to SKEYID_e)
SK_er = message encryption of responder (similar to SKEYID_e)
SK_pi = to generate an AUTH payload
SK_pr = to generate an AUTH payload
SK_d = used for derivation of further keying material for CHILD_SAs
The two directions of traffic flow use different keys
Messages IKE_AUTH and all data are encrypted and authenticated
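The two key-derivation formulas the course gives, the IKEv1 Quick Mode session key (PRF over SKEYID_d, the protocol, the new DH secret, the SA's SPI and the nonces) and the IKEv2 SKEYSEED with its seven SK_* keys, carried through to bytes with HMAC-SHA256 as the prf. This is an added example, not course material; the prf+ construction and the SK_* ordering are taken from RFC 7296 section 2.14, the IKEv1 KEYMAT expansion from RFC 2409 section 5.5, and every input (nonces, SPIs, SKEYID_d, g^ir) is a constructed sample value.

```python
"""IKE keying-material derivation with HMAC-SHA256 as the prf.

Added example, not from the course material. The IKEv1 part follows
RFC 2409 section 5.5 (Quick Mode KEYMAT with PFS); the IKEv2 part follows
RFC 7296 section 2.14 (SKEYSEED and prf+). All inputs below are
constructed sample bytes, not values from a real negotiation.
"""
import hashlib
import hmac

PRF_LEN = 32      # HMAC-SHA256 output; also used as prf and integrity key length
ESP_PROTOCOL = 3  # IPsec protocol ID of ESP in the ISAKMP proposal (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev1_qm_keymat(skeyid_d: bytes, protocol: int, dh_qm: bytes,
                    spi: bytes, ni: bytes, nr: bytes,
                    length: int = PRF_LEN) -> bytes:
    """KEYMAT for one IPsec SA (RFC 2409 5.5, with PFS):
    K1 = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    Kn = prf(SKEYID_d, K(n-1) | g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    Called once per SA with that SA's own SPI, which is why the two
    directions of a tunnel end up with different keys."""
    seed = dh_qm + bytes([protocol]) + spi + ni + nr
    out, prev = b"", b""
    while len(out) < length:
        prev = prf(skeyid_d, prev + seed)
        out += prev
    return out[:length]


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+(K, S) = T1 | T2 | ... with Tn = prf(K, T(n-1) | S | n), n one octet."""
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ counter exhausted")
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


IKEV2_KEY_ORDER = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def ikev2_keys(ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes,
               g_ir: bytes, enc_len: int = 16) -> dict:
    """SKEYSEED = prf(Ni | Nr, g^ir); the seven SK_* keys are then cut in
    order from prf+(SKEYSEED, Ni | Nr | SPIi | SPIr). enc_len is the cipher
    key size (16 for AES-128); integrity and prf keys use PRF_LEN."""
    skeyseed = prf(ni + nr, g_ir)
    sizes = {"SK_d": PRF_LEN, "SK_ai": PRF_LEN, "SK_ar": PRF_LEN,
             "SK_ei": enc_len, "SK_er": enc_len,
             "SK_pi": PRF_LEN, "SK_pr": PRF_LEN}
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(sizes.values()))
    keys, offset = {}, 0
    for name in IKEV2_KEY_ORDER:
        keys[name] = material[offset:offset + sizes[name]]
        offset += sizes[name]
    return keys


# Constructed sample inputs (not real captures).
NI, NR = bytes(range(16)), bytes(range(16, 32))
IPSEC_SPI_I, IPSEC_SPI_R = bytes.fromhex("0a0b0c0d"), bytes.fromhex("1a1b1c1d")
IKE_SPI_I, IKE_SPI_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
SKEYID_D = prf(b"constructed SKEYID", b"d")
G_IR = hashlib.sha256(b"constructed DH shared secret").digest()


def demo() -> dict:
    """Derive keys for both protocol generations from the sample inputs."""
    return {
        "ikev1_sa_spi_i": ikev1_qm_keymat(SKEYID_D, ESP_PROTOCOL, G_IR, IPSEC_SPI_I, NI, NR),
        "ikev1_sa_spi_r": ikev1_qm_keymat(SKEYID_D, ESP_PROTOCOL, G_IR, IPSEC_SPI_R, NI, NR),
        "ikev2": ikev2_keys(NI, NR, IKE_SPI_I, IKE_SPI_R, G_IR),
    }


if __name__ == "__main__":
    for name, key in demo()["ikev2"].items():
        print(f"{name:5s} {key.hex()}")
```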
ASA AAA
AAA Overview
AAA = Authentication, Authorization, Accounting
Authentication = Who are you?
Authorization = What can you do?
Accounting = What did you do?
Cisco proprietary
ASA AAA
Using the local database
On ASA I have to refer to the local database as LOCAL (uppercase). The Cisco routers or switches don't care about the uppercase
The LOCAL database can be used for Authentication and Authorization, but not for Accounting
If you use the LOCAL database for Authentication, do not forget first to create users in the LOCAL database. Otherwise you can lock yourself out of the ASA
To create a user in the LOCAL database
ASA(config)# username <name> password|nopassword {privilege} <0-15>
The privilege keyword is used with command authorization
Default privilege level is 2
Username must be at least 4 characters
ASA AAA
Using the local database (cont)
To enable authentication for Console access by using the local database
ASA(config)# aaa authentication serial console LOCAL
To enable authentication for Telnet access by using the local database
ASA AAA
Using the local database Example 1
Step 1: I create a user in the local database
ASA(config)# username user1 password cisco
This user will get the default privilege level (2)
ASA# show run all username
ASA AAA
Using the local database - Command privileges
Command authorization by using the local database uses the concept of privilege levels
By default, ASA commands belong to privilege level 0, 1 or 15
ASA AAA
Using the local database - Command privileges (cont)
If I configure aaa authorization command LOCAL, I can set privilege levels for ASA commands different from their default. In order to do this I have to use the privilege command
ASA(config)# privilege {show|clear|configure} level level command command
show, clear and configure are the command forms and are optional. If I don't specify the command form then all are affected
Example: moving a command to a different privilege level
I use the user1 that I created in the previous example in order to log in via Telnet into ASA. Since the user user1 has privilege level 2 and the show run command belongs to lev-15, user1 cannot run the command show run. I move the command show run to lev-2
ASA AAA
Using external server for AAA
In order to configure an external server for AAA I have to follow these steps:
Step 1 - I have to create at least one AAA server group per AAA protocol
ASA(config)# aaa-server group_name protocol protocol
ASA AAA
Using TACACS+ for AAA authentication example
ASA AAA
Using TACACS+ for AAA authentication example (cont)
ACS configuration: specify ASA1 as AAA Client
ASA AAA
Using TACACS+ for AAA authentication example (cont)
ACS configuration: create user user1
ASA AAA
Using TACACS+ for AAA authentication example (cont)
Verification
ASA# show run aaa
ASA# sh run aaa-server
ASA# show aaa-server
Server Group: TACACS_GROUP
Server Protocol: tacacs+
Server Address: 100.0.101.250
Server port: 49
Server status: ACTIVE, Last transaction at 01:30:44 UTC Tue Nov 30 1999
ASA AAA
Using TACACS+ for AAA authorization example
I create 2 groups on ACS: GROUP1_ASA_LAB and GROUP2_ASA_LAB
I also create 2 users on ACS: user1 and user2. user1 belongs to GROUP1_ASA_LAB while user2 belongs to GROUP2_ASA_LAB
On ASA I configure:
Use ACS and then LOCAL database for Telnet authentication
ASA(config)# aaa authentication telnet console TACACS_GROUP LOCAL
Use ACS and then LOCAL database for enable authentication
ASA(config)# aaa authentication enable console TACACS_GROUP LOCAL
Use ACS and then LOCAL database for command authorization
ASA(config)# aaa authorization command TACACS_GROUP LOCAL
LOCAL command authorization is based on user and cmd privileges
ASA AAA
Using TACACS+ for AAA authorization example
Under the GROUP1_ASA_LAB and GROUP2_ASA_LAB settings I set:
Now user1 is able to Telnet to ASA, but doesn't have access to the config t command. User user2 has access to all commands
ASA# conf t
Command authorization failed
ASA AAA
Using TACACS+ for AAA Accounting
I can configure ASA to send accounting messages to the TACACS+ server whenever a user enters a command
ASA(config)# aaa accounting command TACACS_GROUP
Command accounting doesn't account for show commands
The result on ACS server:
Lab 11
ASA AAA
Cut-Through Proxy
With Cut-Through Proxy a user has first to authenticate before being able to pass any traffic
I can authenticate the users against a remote AAA server (e.g. ACS) or the LOCAL database
In order for traffic to be permitted, the ASA has also to permit the traffic (via ACL or sec-level)
As soon as a user (from a specific IP) authenticates, all services specified by the uauth ACL and the ASA policy are permitted. In order to authenticate I have to use one of the following interactive protocols:
HTTP
HTTPS
FTP
Telnet
ASA AAA
Cut-Through Proxy (cont)
In order to configure Cut-Through Proxy I need to follow these steps:
Step 1 Configure an AAA server for authentication (server-group)
In case I use the LOCAL database, this step is optional
Step 4 (Optional) for HTTP and HTTPS I can configure the ASA to redirect users to an internal web page for authentication
ASA(config)# aaa authentication listener http(s) <nameif> redirect
ASA AAA
Cut-Through Proxy (cont)
Step 5 (Optional) The authenticated session stays active until a
timeout expires (absolute or inactive). I can change the timers:
ASA(config)# timeout uauth 1:00:00 absolute uauth 0:20:00 inactivity
ASA AAA
Cut-Through Proxy example 1
Using the LOCAL database for authentication
ASA AAA
Cut-Through Proxy example 2
Using TACACS for authentication
Lab 12
ASA AAA
Questions
Where can users be stored and used for authentication?
What is the default privilege level for a user? What is
the highest?
What options are available to authenticate users on a
ASA Firewall?
What options are available for Command Authorization
on a ASA Firewall?
'url' = http
'port' specifies the port if different from the default
'allow' will permit connections if the URL server is unavailable
Verification
ASA# show url-server statistics
ASA# show run url-server
ASA# show run filter
Verification
ASA# show service-policy police
ASA QoS
Questions
Which option can be applied to which feature?
ASA Troubleshooting
Fundamentals
Cisco recommends RTP checking
RTP = Route, Translation, Permission: all three are necessary for any
flow to work through the FW
R = Routing
Make sure the interfaces are properly configured and Routing is OK
ASA# show route
T = Translation
Make sure NAT is OK
ASA# show nat
P = Permission
High-to-Low is allowed by default
Packet-tracer utility
ASA# show access-list | in 1.1.1.*5529
ASA Troubleshooting
Troubleshooting Performance issues
In order to see the resource usage on the FW
ASA# show resource usage
Resource              Current        Peak      Limit    Denied  Context
SSH                         1           5          5         0  System
Syslogs [rate]             26        6271        N/A         0  System
Conns                    1082        8175     650000         0  System
Xlates                     25          28        N/A         0  System
Hosts                     860        7001        N/A         0  System
Conns [rate]                8        2431        N/A         0  System
Inspects [rate]             1        1622        N/A         0  System
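Reading the show resource usage table by eye works for one box; when the output is collected from many firewalls it is easier to parse it and flag the rows that matter. The script below is an added example (not code from the course or from Cisco) that parses the table in the column layout shown on the slide, computes how close each resource's peak came to its limit and lists resources that have already denied requests. The sample text is the slide's own numbers laid out as the parser assumes; the 80% threshold is an assumed value.

```python
import re
from typing import List, Optional, Tuple

# Sample in the assumed column layout of "show resource usage"; the numbers
# are the slide's, the whitespace layout is an assumption of this example.
SAMPLE_RESOURCE_USAGE = """\
Resource              Current        Peak      Limit        Denied Context
SSH                         1           5          5             0 System
Syslogs [rate]             26        6271        N/A             0 System
Conns                    1082        8175     650000             0 System
Xlates                     25          28        N/A             0 System
Hosts                     860        7001        N/A             0 System
Conns [rate]                8        2431        N/A             0 System
Inspects [rate]             1        1622        N/A             0 System
"""

# One data row: name (optionally "[rate]"), current, peak, limit or N/A,
# denied, context. The header line does not match and is skipped.
ROW_RE = re.compile(
    r"^(?P<name>\S+(?: \[rate\])?)\s+(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>\d+|N/A)\s+(?P<denied>\d+)\s+(?P<context>\S+)\s*$"
)


def parse_resource_usage(text: str) -> List[dict]:
    """Return one dict per resource row; limit is None for unlimited (N/A)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        limit = None if m["limit"] == "N/A" else int(m["limit"])
        rows.append({
            "name": m["name"],
            "current": int(m["current"]),
            "peak": int(m["peak"]),
            "limit": limit,
            "denied": int(m["denied"]),
            "context": m["context"],
        })
    return rows


def utilization(row: dict) -> Optional[float]:
    """Peak as a fraction of the limit; None when the resource has no limit."""
    if row["limit"] in (None, 0):
        return None
    return row["peak"] / row["limit"]


def near_limit(rows: List[dict], threshold: float = 0.8) -> List[Tuple[str, float]]:
    """Resources whose peak reached the threshold fraction of their limit."""
    hits = []
    for row in rows:
        u = utilization(row)
        if u is not None and u >= threshold:
            hits.append((row["name"], round(u, 3)))
    return hits


def denied_resources(rows: List[dict]) -> List[str]:
    """Resources that have already refused requests (Denied column > 0)."""
    return [row["name"] for row in rows if row["denied"] > 0]


if __name__ == "__main__":
    rows = parse_resource_usage(SAMPLE_RESOURCE_USAGE)
    print("near limit:", near_limit(rows))
    print("denied:", denied_resources(rows))
```

On the slide's numbers the only resource that has touched its ceiling is SSH (peak 5 of limit 5), which is the kind of row worth reviewing before it starts denying administrative sessions; Conns is far below its 650000 limit.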
ASA Troubleshooting
Troubleshooting Performance issues
In order to see the CPU load
ASA# show cpu usage
When CPU utilization > 90% the FW starts dropping packets
ASA Troubleshooting
Troubleshooting Performance issues
1. Attack due to infected hosts
In order to identify infected hosts trying to establish too many TCP, UDP or
embryonic connections:
ASA# show local-host | in host|count/limit
local host: <100.0.123.3>,
TCP flow count/limit = 15/unlimited
TCP embryonic count to host = 12124
UDP flow count/limit = 9/unlimited
View capture
ASA# show capture CAP_INSIDE
Remove capture
ASA# no capture CAP_INSIDE
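The show local-host output above is easy to scan for one host, but on a busy firewall the grep returns hundreds of entries. The following is an added example (not part of the course material or any Cisco tool) that parses that filtered output and reports hosts whose TCP, embryonic or UDP counters exceed a threshold. The sample output is constructed in the layout the slide shows (the first host and its counts are the slide's; the other two are made up), and the thresholds are assumed values to be tuned to the network's normal baseline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "show local-host | in host|count/limit" output.
SAMPLE_LOCAL_HOST = """\
local host: <100.0.123.3>,
    TCP flow count/limit = 15/unlimited
    TCP embryonic count to host = 12124
    UDP flow count/limit = 9/unlimited
local host: <100.0.101.1>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    UDP flow count/limit = 0/unlimited
local host: <100.0.101.7>,
    TCP flow count/limit = 340/unlimited
    TCP embryonic count to host = 3
    UDP flow count/limit = 2100/unlimited
"""

HOST_RE = re.compile(r"local host:\s*<([^>]+)>")
COUNT_RE = {
    "tcp": re.compile(r"TCP flow count/limit\s*=\s*(\d+)/"),
    "embryonic": re.compile(r"TCP embryonic count to host\s*=\s*(\d+)"),
    "udp": re.compile(r"UDP flow count/limit\s*=\s*(\d+)/"),
}

# Assumed thresholds for this example; a real deployment derives them
# from the normal per-host counts seen on the firewall.
THRESHOLDS = {"tcp": 200, "embryonic": 100, "udp": 500}


def parse_local_host(text: str) -> Dict[str, Dict[str, int]]:
    """Map each local host IP to its tcp/embryonic/udp counters."""
    hosts: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            current = m.group(1)
            hosts[current] = {"tcp": 0, "embryonic": 0, "udp": 0}
            continue
        if current is None:
            continue  # text before the first "local host:" line
        for key, rx in COUNT_RE.items():
            m = rx.search(line)
            if m:
                hosts[current][key] = int(m.group(1))
                break
    return hosts


def suspicious_hosts(hosts: Dict[str, Dict[str, int]],
                     thresholds: Dict[str, int] = THRESHOLDS) -> List[Tuple[str, List[str]]]:
    """Hosts with at least one counter above its threshold, with the
    counters that tripped, in the order the ASA listed the hosts."""
    result = []
    for ip, counters in hosts.items():
        tripped = [k for k, limit in thresholds.items() if counters[k] > limit]
        if tripped:
            result.append((ip, tripped))
    return result


if __name__ == "__main__":
    for ip, reasons in suspicious_hosts(parse_local_host(SAMPLE_LOCAL_HOST)):
        print(f"{ip}: {', '.join(reasons)} above threshold")
```

The embryonic counter is the one to watch for the scenario on the slide: a large number of half-open TCP connections against one local host with a low completed-flow count is what the 12124 figure above shows, and the per-client-embryonic-max setting covered later in this section is the control that caps it.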
ASA Troubleshooting
Troubleshooting Performance issues
3. Inspections can cause high CPU
See which inspections are used and how many packets each one has processed
ASA# show service-policy
Remove inspections one-by-one to see if CPU goes down
ASA Troubleshooting
Troubleshooting Performance issues
Issue show interface command
ASA# show interface inside | in buffer|collisions|software|overrun|underrun
ASA Troubleshooting
Troubleshooting Performance issues
Issue show memory command to see the free memory
ASA# show memory
Free memory:        10721224 bytes (  8%)
Used memory:       123496504 bytes ( 92%)
-------------     ----------------
Total memory:      134217728 bytes (100%)
ASA Troubleshooting
Troubleshooting Performance issues
show perfmon will show the total number of connections
ASA# show perfmon
PERFMON STATS:                      Current      Average
Xlates                                  0/s          0/s
Connections                            24/s          0/s
TCP Conns                              21/s          0/s
UDP Conns                               1/s          0/s
URL Access                              0/s          0/s
URL Server Req                          0/s          0/s
TCP Fixup                               0/s          0/s
TCP Intercept Established Conns         0/s          0/s
TCP Intercept Attempts                  0/s          0/s
TCP Embryonic Conns Timeout             0/s          0/s
HTTP Fixup                              0/s          0/s
FTP Fixup                               0/s          0/s
AAA Authen                              0/s          0/s
AAA Author                              0/s          0/s
AAA Account                             0/s          0/s
VALID CONNS RATE in TCP INTERCEPT:  Current      Average
                                        N/A       99.00%
ASA Troubleshooting
Troubleshooting Connections
show local-host will show all connections and xlates (only dynamic) for a specific host IP
ASA# show local-host 100.0.101.1
Interface dmz: 0 active, 0 maximum active, 0 denied
Interface outside: 1 active, 1 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <100.0.101.1>,
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Xlate:
PAT Global 100.0.123.10(1024) Local 100.0.101.1(47551)
Conn:
TCP out 100.0.123.3:23 in 100.0.101.1:47551 idle 0:00:08 bytes 53 flags UIO
ASA Troubleshooting
Troubleshooting Connections
When a connection is terminated the FW shows in the log the
teardown reason (syslog level 6)
ASA# show log
%ASA-6-302014: Teardown TCP connection 3 for outside:100.0.123.3/23 to inside:100.0.101.1/19810 duration 0:00:00 bytes 0 TCP Reset-I
Reason          Description
Conn Timeout
SYN Timeout
TCP Reset-I     TCP Reset was sent from the inside host (host on the higher security interface)
TCP Reset-O     TCP Reset was sent from the outside host (host on the lower security interface)
See Cisco doc Syslog Messages, message 302014 for more details
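The teardown reason is only useful once it is counted across many messages, which is what a syslog collector does with these lines. Below is an added example (not from the course or from Cisco) that parses %ASA-6-302014 messages in the layout shown above, tallies the teardown reasons and lists, per host on the "to" side, how many distinct peers ended with SYN Timeout and zero bytes. The sample lines are constructed (the first is the slide's own; the hosts, ports and the optional mapped-address and user fields in the others are made up), and the message layout the regular expression expects is an assumption of this example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional

# Constructed sample syslog lines; the last one is a different message id
# and must be ignored by the parser.
SAMPLE_SYSLOG = """\
%ASA-6-302014: Teardown TCP connection 3 for outside:100.0.123.3/23 to inside:100.0.101.1/19810 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 4 for outside:100.0.123.3/23 to inside:100.0.101.1/19811 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 5 for outside:100.0.123.3/80 to inside:100.0.101.1/19812 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 6 for outside:100.0.123.4/80 to inside:100.0.101.1/19813 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 7 for outside:100.0.123.5/443 (100.0.123.5/443) to inside:100.0.101.2/41000 (100.0.123.10/1024) duration 0:01:12 bytes 8294 TCP FINs
%ASA-6-302014: Teardown TCP connection 8 for outside:100.0.123.3/22 to inside:100.0.101.3/50000 duration 0:00:00 bytes 0 TCP Reset-O (user1)
%ASA-6-302013: Built outbound TCP connection 9 for outside:100.0.123.3/80 (100.0.123.3/80) to inside:100.0.101.1/19814 (100.0.123.10/1025)
"""

# Assumed layout: "for if:ip/port [(mapped)] to if:ip/port [(mapped)]
# duration h:mm:ss bytes N [reason] [(user)]". search() tolerates a
# timestamp prefix in front of the %ASA tag.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<for_if>[^:\s]+):(?P<for_ip>[\d.]+)/(?P<for_port>\d+)(?: \([^)]*\))? to "
    r"(?P<to_if>[^:\s]+):(?P<to_ip>[\d.]+)/(?P<to_port>\d+)(?: \([^)]*\))? "
    r"duration (?P<duration>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+?))?(?: \((?P<user>[^)]*)\))?\s*$"
)


def _seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_teardown(line: str) -> Optional[dict]:
    """Fields of one 302014 message, or None for any other line."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conn_id", "for_port", "to_port", "bytes"):
        rec[key] = int(rec[key])
    rec["duration_s"] = _seconds(rec["duration"])
    return rec


def teardown_reasons(lines: Iterable[str]) -> Counter:
    """How often each teardown reason appears."""
    return Counter(r["reason"] for r in map(parse_teardown, lines) if r and r["reason"])


def syn_timeout_fanout(lines: Iterable[str]) -> Dict[str, int]:
    """Per 'to' host: number of distinct 'for' peers whose connection ended
    in SYN Timeout with no data. In the slide's example the inside client is
    on the 'to' side; a single client with many unanswered peers points at a
    filtered or dead service, or at a host sweeping addresses."""
    peers = defaultdict(set)
    for rec in map(parse_teardown, lines):
        if rec and rec["reason"] == "SYN Timeout" and rec["bytes"] == 0:
            peers[rec["to_ip"]].add(rec["for_ip"])
    return {ip: len(p) for ip, p in peers.items()}


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print(teardown_reasons(lines).most_common())
    print(syn_timeout_fanout(lines))
```

Grouping by reason separates normal closes (TCP FINs) from resets and timeouts, and the bytes field distinguishes a session that failed before any data moved from one that was reset mid-stream, which is the first thing to check when the teardown is reported as a user-visible failure.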
ASA Troubleshooting
Quick Reference of TCP Connection Termination Reasons
Reason
Description
Deny Terminate
FIN Timeout
Invalid SYN
Idle Timeout
IPS Fail-Close
ASA Troubleshooting
Quick Reference of TCP Connection Termination Reasons
Reason
Description
SYN Control
SYN Timeout
TCP Fins
Xlate Clear
Unauth Deny
Unknown
Catch-All Error
ASA Troubleshooting
Troubleshooting Connections
The total connection limit is determined by the HW platform
Limiting the number of embryonic conns protects from a DoS attack
To manually set the maximum connection limit for the whole device:
TCP max conns 20000, TCP max embryonic 1000, UDP max 10000:
ASA(config)# class-map TCP_TRAFFIC
ASA(config-cmap)# match port tcp range 1 65535
ASA(config-cmap)# class-map UDP_TRAFFIC
ASA(config-cmap)# match port udp range 1 65535
ASA(config-cmap)# policy-map global_policy
ASA(config-pmap)# class TCP_TRAFFIC
ASA(config-pmap-c)# set connection conn-max 20000 embryonic-conn-max 1000
ASA(config-pmap-c)# class UDP_TRAFFIC
ASA(config-pmap-c)# set connection conn-max 10000
In order to verify
ASA# show service-policy global set connection
ASA Troubleshooting
Troubleshooting Connections
To manually set the maximum connection limit per host: TCP max
conns per host 100, TCP max embryonic conns per host 50:
ASA(config)# class-map TCP_TRAFFIC
ASA(config-cmap)# match port tcp range 1 65535
ASA(config-cmap)# policy-map global_policy
ASA(config-pmap)# class TCP_TRAFFIC
ASA(config-pmap-c)# set connection per-client-embryonic-max 50
ASA(config-pmap-c)# set connection per-client-max 100
show conn will show all connections through the FW. Adding
keyword all will show also connections to and from the FW
ASA# show conn all
ICMP out 100.0.123.3:0 in 100.0.101.1:2 idle 0:00:01 bytes 144
TCP out 100.0.123.3:23 in 1.0.101.1:4726 idle 0:02:08 bytes 11280 flags UIO
TCP out 100.0.1.250:1295 in 1.0.1.10:443 idle 0:00:03 bytes 8294 flags UOB
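The flags column at the end of each show conn line carries the connection's state and direction, and reading it correctly is what the troubleshooting questions at the end of this section test. The decoder below is an added example (not course material or Cisco code) that parses show conn lines in the layout shown above, expands the flag letters it knows, classifies each TCP connection as established, half-open or closing, and derives the initiating side from the B flag (initial SYN from outside). The flag table is a subset of the letters Cisco documents for ASA 8.x; the sample lines are constructed in the slide's layout (two of them are the slide's own).

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Subset of the "show conn" flag letters documented for ASA 8.x.
CONN_FLAGS = {
    "U": "up",
    "I": "inbound data",
    "O": "outbound data",
    "B": "initial SYN from outside",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "f": "inside FIN",
    "F": "outside FIN",
    "r": "inside acknowledged FIN",
    "R": "outside acknowledged FIN",
    "i": "incomplete TCP or UDP connection",
    "D": "DNS",
    "X": "inspected by service module",
}

# Constructed sample of "show conn all" output (the "out"/"in" columns are
# interface names, as on the slide). Lines 1 and 2 are the slide's own.
SAMPLE_CONN = """\
19 in use, 158 most used
TCP out 100.0.123.3:23 in 100.0.101.1:47551 idle 0:00:08 bytes 53 flags UIO
TCP out 100.0.1.250:1295 in 1.0.1.10:443 idle 0:00:03 bytes 8294 flags UOB
TCP out 150.0.10.3:231 in 100.0.101.5:47262 idle 0:02:07 bytes 10 flags saA
TCP out 113.0.12.3:213 in 100.0.101.5:47263 idle 0:02:08 bytes 10 flags saA
ICMP out 100.0.123.3:0 in 100.0.101.1:2 idle 0:00:01 bytes 144
"""

# Assumed layout: PROTO if1 ip:port if2 ip:port idle h:mm:ss bytes N [flags X]
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<port1>\d+)"
    r"\s+(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<port2>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d\d:\d\d)\s+bytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?"
)


def tcp_state(flags: str) -> str:
    """Coarse TCP state from the flag letters."""
    if "U" in flags:
        return "closing" if any(c in flags for c in "fFrR") else "established"
    if any(c in flags for c in "aAsS"):
        return "half-open"  # handshake not completed (embryonic)
    return "unknown"


def decode_conn(line: str) -> Optional[dict]:
    """Parsed fields plus flag meanings, state and initiating side."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port1", "port2", "bytes"):
        rec[key] = int(rec[key])
    flags = rec["flags"] or ""
    rec["flag_meanings"] = [CONN_FLAGS.get(c, f"unknown flag {c}") for c in flags]
    if rec["proto"] == "TCP":
        rec["state"] = tcp_state(flags)
        # B marks a connection whose first SYN arrived on the outside (lower
        # security) interface; without it the SYN came from the inside.
        rec["initiator"] = "outside" if "B" in flags else "inside"
    else:
        rec["state"] = "non-TCP"
        rec["initiator"] = "n/a"
    return rec


def half_open_by_host(lines: Iterable[str]) -> Dict[str, int]:
    """Half-open TCP connections per host in the second column (the inside
    client in the slide's own output)."""
    counts: Counter = Counter()
    for rec in map(decode_conn, lines):
        if rec and rec["state"] == "half-open":
            counts[rec["ip2"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in filter(None, map(decode_conn, SAMPLE_CONN.splitlines())):
        print(rec["proto"], rec["ip2"], rec["state"], rec["initiator"], rec["flag_meanings"])
    print(half_open_by_host(SAMPLE_CONN.splitlines()))
```

Run over the sample, the first line decodes as an established connection started from the inside with data in both directions (UIO), the second as started from the outside (the B flag) towards the inside host on port 443, and the two saA lines as half-open connections from 100.0.101.5 that never received a SYN-ACK; a host accumulating many of those is the pattern the per-client-embryonic-max limit above is meant to contain.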
ASA Troubleshooting
Troubleshooting Connections Out-of-Order TCP packets
Inspections and packets sent to SSM (AIP or CSC) require
packets to arrive in order
By default, ASA will buffer up to 3 TCP packets
The buffer size can be increased
How to detect the problem
ASA# show asp drop
Frame drop:
  No route to host                                 39
  Flow is denied by configured rule               506
  First TCP packet not SYN                         27
  TCP packet bucket full                        58135
ASA Troubleshooting
Troubleshooting Connections Out-of-Order TCP packets
How to fix
ASA(config)# access-list OOO_ACL permit tcp any any
ASA(config)# class-map OOO_CMAP
ASA(config-cmap)# match access-list OOO_ACL
ASA(config)# tcp-map OOO_TCP_MAP
ASA(config-tcp-map)# queue-limit 10
ASA(config)# policy-map global_policy
ASA(config-pmap)# class OOO_CMAP
ASA(config-pmap-c)# set connection advanced-options OOO_TCP_MAP
How to verify
ASA# show service-policy
Class-map: OOO_CLASS
...
Out-of-order packets: 0
No buffer drops: 0
ASA Troubleshooting
Troubleshooting HTTP Latency
Host outside the FW has also the same latency symptoms?
ASA Troubleshooting
Troubleshooting HTTP Latency
Step 1 Is HTTP inspection enabled?
ASA# show service-policy flow tcp host 1.1.1.1 host 2.2.2.2 eq 80
ASA Troubleshooting
Troubleshooting HTTP Latency
Step 3 Content filtering is enabled?
ASA# show run filter
ASA Troubleshooting
Troubleshooting HTTP Latency
Step 7 Check NAT, PAT, Static
The remote site doesn't allow certain IP addresses
Change your NAT IP
Clear xlate
ASA# clear xlate 100.0.101.1
Try again
ASA Troubleshooting
Questions
What is an embryonic connection?
What are the default timeouts for TCP, UDP, ICMP and
embryonic connections?
What command shows all active connections on ASA?
1. show conn
2. show xlate
3. show connection status
4. show local-host
aB
U
UIO
aAB
ASA Troubleshooting
Questions
What can be determined from the following output?
Which IP initiated the connection?
ASA# show conn
19 in use, 158 most used
TCP NET1 100.0.123.3:23 NET2 100.0.101.1:22830 idle 0:00:02 bytes 53 flags UIO
1. The host in the lower security level is waiting for ACK
2. The connection was initiated from the higher security level
3. The connection is UP and has received inbound and outbound
traffic
4. The host in the higher security level is waiting for SYN-ACK
5. The connection was initiated from the lower security level
ASA Troubleshooting
Questions
What can be determined from the following output?
ASA# show local-host 100.0.101.1
Interface dmz: 0 active, 0 maximum active, 0 denied
Interface outside: 1 active, 1 maximum active, 0 denied
TCP flow count/limit = 1/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
31511 in use, 52242 most used
TCP out 150.0.10.3:231 in 100.0.101.1:47262 idle 0:02:07 bytes 10 flags saA
TCP out 1.0.123.3:23 in 100.0.101.1:47262 idle 0:02:08 bytes 10 flags saA
TCP out 100.0.121.2:1295 in 100.0.101.1:4113 idle 0:00:03 bytes 4 flags saA
TCP out 113.0.12.3:213 in 100.0.101.1:47262 idle 0:02:08 bytes 10 flags saA
TCP out 150.0.10.25:1295 in 100.0.101.1:4133 idle 0:00:03 bytes 4 flags saA
ASA Troubleshooting
Questions
What is happening in the following example?
ASA Revision
Course revision Confirm what you learnt