1) Cisco ASA Overview
2) Basic CLI Configuration
4) Advanced CLI Configuration [Object Groups, ACLs, NAT, Access Control, Service Policies]
5) ASA Remote-Access VPN Options
Link to part 2 - http://sclabs.blogspot.com/2013/01/ccna-security-chapter-10-implementing.html
Cisco ASA install on GNS3
Cisco ASA with ASDM
Implement VPNs with Cisco ASA
- Clientless SSL VPN (WebVPN) - Official Cert Guide : Chapter 21
- AnyConnect VPN (Client VPN) - Official Cert Guide : Chapter 21
1) Overview of the ASA
For over two decades, firewall solutions have evolved to meet the increasing security requirements. Today there are many types of firewalls, including packet-filtering, stateful, application gateway (proxy), address-translation, host-based, transparent, and hybrid firewalls.
The IOS firewall solution does not scale well and typically cannot meet the needs of a large enterprise.
Cisco provides two firewall solutions: the firewall-enabled ISR and the Cisco Adaptive Security Appliance (ASA).
The Cisco ASA 5500 series is a primary component of the Cisco Secure Borderless Network. It delivers superior scalability, a broad range of technology and solutions, and effective, always-on security designed to meet the needs of a wide array of deployments.
There are six ASA models, ranging from the basic 5505 branch office model to the 5585 data center version. The biggest difference between the models is the maximum traffic throughput handled by each model and the number and type of interfaces.
The three main differences between the Cisco ASA 5505 and 5510:
- the maximum traffic throughput supported,
- the number of interfaces,
- types of interfaces (L2/L3).
Cisco ASA devices scale to meet a range of requirements and network sizes. The choice of ASA model will depend on an organization's requirements, such as maximum throughput, maximum connections per second, and budget.
In May 2005, Cisco introduced the Adaptive Security Appliance (ASA) which combines functionality from the PIX, VPN 3000 series and IPS product lines. The ASA series of devices run PIX code 7.0 and later. Through PIX OS release 7.x the PIX and the ASA use the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination.
The ASA software combines firewall, VPN concentrator, and intrusion prevention functionality into one software image. Previously, these functions were available in three separate devices, each with its own software and hardware.
Three security features that ASA models 5505 and 5510 support by default:
- intrusion prevention system (IPS),
- stateful firewall,
- VPN concentrator.
Other advanced ASA features include these:
- ASA virtualization - A single ASA can be partitioned into multiple virtual devices. Each virtual device is called a security context. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
- High availability with failover - Two identical ASAs can be paired into an active / standby failover configuration to provide device redundancy. One physical device is designated as primary, the other as secondary. One of the ASAs is elected to be in active state (forwarding traffic) and the other in hot standby state (waiting). The status of the active ASA device is monitored over the LAN failover interface by the standby ASA. Both platforms must be identical in software, licensing, memory, and interfaces, including the Security Services Module (SSM).
- Identity firewall - The ASA provides optional granular access control based on an association of IP addresses to Windows Active Directory login information. The ASA uses Active Directory as the source to retrieve the current user identity information for specific IP addresses and allows transparent authentication for Active Directory users.
- Threat control and containment services - All ASA models support basic IPS features. However, advanced IPS features can only be provided by integrating special hardware modules with the ASA architecture.
* IPS capability is available using the Advanced Inspection and Prevention (AIP) modules,
* anti-malware capabilities can be deployed integrating the Content Security and Control (CSC) module.
* The Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM) and Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC) deliver protection against tens of thousands of known exploits. They also protect against millions more potential unknown exploit variants using specialized IPS detection engines and thousands of signatures.
Cisco Services for IPS provides signature updates through a global intelligence team working 24 hours a day to help ensure protection against the latest threats.
|Cisco ASA models comparison|
ASA’s Adaptive Security Algorithm is responsible for inspecting all traffic that traverses the ASA, and based on its configured security policies will either permit or deny the traffic.
When discussing networks connected to a firewall, there are some general terms to keep in mind:
Outside network - Network that is outside the protection of the firewall.
Inside network - Network that is protected and behind the firewall.
DMZ - Demilitarized zone; a network that is protected by the firewall but to which limited access is allowed for outside users.
Cisco ISRs can provide firewall features by using either zone-based policy firewall (ZPF) or by using the older context-based access control (CBAC) feature. An ASA provides the same features but the configuration differs markedly from the IOS router configuration of ZPF.
The ASA is a dedicated firewall appliance. By default, it treats a defined inside interface as the trusted network, and any defined outside interfaces as untrusted networks. Network resources that are needed by outside users, such as a web or FTP server, can be located in a DMZ. The firewall allows limited access to the DMZ, while protecting the inside network from outside users.
A stateful firewall, such as the ASA, tracks the state of the TCP or UDP network connections traversing it. The firewall is programmed to determine legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall; others will be rejected.
If the packet creates a new connection, the ASA has to check the packet against access lists and perform other tasks to determine if the packet is permitted or denied. To perform this check, the first packet of the session goes through the Session Management Path, which is part of the management plane. Depending on the type of traffic, it might also pass through the "control plane path."
The session management path is responsible for the following tasks:
- Performing the access list checks
- Performing route lookups
- Allocating NAT translations (xlates)
- Establishing sessions in the "fast path"
Layer 7 inspection engines are required for protocols that have two or more channels: a data channel (which uses well-known port numbers), and a control channel (which uses different port numbers for each session).
If the connection is already established, the ASA does not need to re-check packets. Most matching packets can go through the "fast" path in both directions.
The fast path is responsible for the following tasks:
- IP checksum verification
- Session lookup
- TCP sequence number check
- NAT translations based on existing sessions
- Layer 3 and Layer 4 header adjustments.
For UDP or other connectionless protocols, the ASA creates connection state information so that it can also use the fast path.
There are two firewall modes of operation available on ASA devices: routed mode and transparent mode.
Routed Mode:
- traditional mode for deploying a firewall where there are two or more interfaces that separate Layer 3 networks
- can perform NAT between connected networks
- applies policy to flows as they transit the firewall.
Two statements that correctly describe the ASA as an advanced stateful firewall:
- In routed mode, an ASA can support two or more Layer 3 interfaces,
- The first packet of a flow examined by an ASA goes through the session management path.
Transparent Mode (often referred to as a "bump in the wire" or a "stealth firewall"):
- ASA functions like a Layer 2 device,
- requires only one management IP address configured in global configuration mode
- may be used to simplify a network configuration or be deployed where the existing IP addressing cannot be altered
- useful for making the firewall invisible to attackers
- no support for dynamic routing protocols, VPNs, QoS, or DHCP Relay.
A license specifies the options that are enabled on a given ASA. Most ASA appliances come pre-installed with either a Base license or a Security Plus license. To provide additional features to the ASA, additional time-based or optional licenses can be purchased. Combining these additional licenses with the pre-installed licenses creates a permanent license. The permanent license is then activated by installing a permanent activation key using the activation-key command:
activation-key 0xb27bcf4a 0x1c71314f 0x7a33bcbc 0xc4f7a09c 0x0e2455b6
2) Basic ASA Configuration
The Cisco ASA 5505 is a full-featured security appliance for small businesses, branch offices, and enterprise teleworker environments. It delivers a high-performance firewall, SSL VPN, IPsec VPN, and rich networking services in a modular, plug-and-play appliance.
Cisco ASA 5505 Defaults:
- DRAM memory is 256 MB (upgradable to 512 MB),
- internal flash memory is 128 MB.
In a failover configuration, the two units must be identical models with the same hardware configuration, the same number and types of interfaces, and the same amount of RAM.
The front panel of the ASA 5505 features:
- USB Port - Reserved for future use.
- Speed and link activity LEDs - A solid green speed indicator LED indicates 100 Mb/s. If the LED is off, this indicates 10 Mb/s. When the link activity indicator LED is on, it indicates that a network link is established. When it is blinking, it indicates network activity.
- Power LED - Solid green indicates that the appliance is powered on.
- Status LED - Flashing green indicates that the system is booting and power-up tests are running. Solid green indicates that the system tests passed and the system is operational. Amber solid indicates that the system tests failed.
- Active LED - Green indicates that this Cisco ASA is active when configured for failover.
- VPN LED - Solid green indicates that one or more VPN tunnels are active.
- Security Services Card (SSC) LED - Solid green indicates that an SSC card is present in the SSC slot.
- An 8-port 10/100 Fast Ethernet switch. Each port can be dynamically grouped to create up to three separate VLANs or zones to support network segmentation and security. Ports 6 and 7 are Power over Ethernet (PoE) ports to simplify the deployment of Cisco IP phones and external wireless access points.
- Three USB ports. These ports (one on the front and two on the backplane) can be used to enable additional services and capabilities.
- One Security Service Card (SSC) slot for expansion. The slot can be used to add the Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC). The AIP-SSC card enables the Cisco ASA 5500 to provide intrusion prevention services to stop malicious traffic before it can affect a network. Cisco IPS with Global Correlation increases the efficacy of traditional IPS. With updates every five minutes, Cisco IPS with Global Correlation provides fast and accurate threat protection with real-time global intelligence from Cisco IPS, firewall, e-mail, and web appliances.
The ASA assigns security levels to distinguish between inside and outside networks.
Security levels define the level of trustworthiness of an interface. The higher the level, the more trusted the interface. The security level numbers range from 0 (untrustworthy) to 100 (very trustworthy). Each operational interface must have a name and a security level from 0 (lowest) to 100 (highest) assigned.
When traffic moves from an interface with a higher security level to an interface with a lower security level, it is considered outbound traffic.
Traffic moving from an interface with a lower security level to an interface with a higher security level is considered inbound traffic.
|Cisco ASA Zones|
Traffic originating from the Inside network going to the DMZ network is permitted.
Traffic originating from the Outside network going to the DMZ network is selectively permitted.
Traffic originating from the Outside network going to the Inside network is denied.
Traffic originating from the DMZ network going to the Inside network is denied.
Security levels help control:
- Network access - By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access hosts on a lower security interface. Multiple interfaces can be assigned the same security level. If communication is enabled for same security interfaces, there is an implicit permit for interfaces to access other interfaces at the same security level or lower.
- Inspection engines - Some application inspection engines are dependent on the security level. When interfaces have the same security level, the ASA inspects traffic in either direction.
- Filtering - Filtering applies only for outbound connections (from a higher level to a lower level). If communication is enabled for same security interfaces, traffic can be filtered in either direction.
Outbound traffic is allowed and inspected by default. Returning traffic is allowed because of stateful packet inspection. Traffic that is sourced on the outside network and going into either the DMZ or the inside network is denied by default.
Any exception to this default behavior requires configuration of an ACL to explicitly permit traffic from an interface with a lower security level to an interface with a higher security level (e.g. outside to inside).
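To make the default behaviour concrete, here is an added example configuration (not part of the original notes) for an ASA 5505 with the three zones from the figure: inside (100), outside (0) and a DMZ (50). The VLAN numbers, addresses and the DMZ web server at 172.16.1.10 are constructed for the illustration. The access-list/access-group pair at the end is the explicit exception described above, and the no forward interface line shows the Base-license restriction on a third VLAN.

```text
! Added example, not from the original notes: three-zone ASA 5505 layout that
! exercises the default security-level behaviour. All VLAN numbers, names,
! addresses (RFC 5737 / RFC 1918 ranges) and the DMZ server are constructed.
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface vlan 2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface vlan 3
 ! Base license caveat: the third VLAN cannot initiate traffic to one of the
 ! other two VLANs, and that VLAN must be declared before nameif is set.
 ! With a Security Plus license the "no forward" line is not needed.
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Switch port assignment: Ethernet 0/0 to outside, 0/1 to dmz,
! the remaining ports stay in VLAN 1 (inside) by default.
interface ethernet 0/0
 switchport access vlan 2
 no shutdown
interface ethernet 0/1
 switchport access vlan 3
 no shutdown
!
! With only the above, the ASA already enforces the zone table shown earlier:
!   inside (100) -> dmz (50), inside -> outside (0): permitted, return traffic
!                   allowed by the stateful connection table
!   outside (0)  -> dmz (50), outside -> inside (100): denied
!   dmz (50)     -> inside (100): denied
! The one exception wanted here, outside users reaching the DMZ web server on
! TCP/80, needs an ACL applied inbound on the lower-security interface.
! Assumes ASA 8.3 or later, where the ACL references the server's real address,
! and that no NAT applies to the DMZ host in this illustration.
access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The explicit deny at the end of OUTSIDE_IN duplicates the implicit deny but adds logging, so attempts from the outside toward the inside network show up in the syslog rather than disappearing silently.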
The ASA 5505 is different from the other 5500 series ASA models. With other ASAs, the physical port can be assigned a Layer 3 IP address directly, much like a Cisco router. With the ASA 5505, the eight integrated switch ports are Layer 2 ports, and therefore cannot be assigned IP addresses directly.
On an ASA 5505, Layer 3 parameters are configured on a switch virtual interface (SVI). An SVI, a logical VLAN interface, requires a name, interface security level, and IP address. The Layer 2 switch ports are then assigned to a specific VLAN. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the ASA applies the security policy to the traffic and routes between the two VLANs.
The ASA 5505 is commonly used as an edge security device that connects a small business to an ISP device, such as a DSL or cable modem, for access to the Internet. It can be deployed to interconnect and protect several workstations, network printers, and IP phones.
Higher-end ASA models such as the Cisco ASA 5510 are designed to deliver advanced security services for medium-sized businesses and enterprise branch offices. The ASA 5510 supports 300 Mb/s throughput and 9,000 firewall connections per second capacity. This makes the ASA 5510 very suitable for most office deployments.
The Cisco ASA 5510, 5520, 5540, and 5550 are all one-rack units (1RU). Each of these has an expansion slot for security-services modules.
The default factory configuration for the ASA 5510 and higher includes configuration of the management interface, DHCP server support, and ASDM support. The default factory configuration includes the following:
- The management interface, Management 0/0, is preconfigured with the IP address 192.168.1.1 and mask 255.255.255.0.
- The DHCP server is enabled on the ASA, so a PC connecting to the interface receives an address between 192.168.1.2 and 192.168.1.254.
- The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
ASA Firewall Configuration
ASA devices can be configured and managed using either the command-line interface (CLI) or the Adaptive Security Device Manager (ASDM) GUI.
The ASA CLI is a proprietary OS which has a similar look and feel to the router IOS.
There are many similar commands between the ASA CLI and the IOS CLI. There are also many different commands.
The Cisco ASA contains a command set structure similar to that of a Cisco IOS router and offers the following access modes:
User EXEC mode - ciscoasa> en
Privileged EXEC mode - ciscoasa# config t
Global configuration mode - ciscoasa(config)#
Various sub-configuration modes, for example - ciscoasa(config-if)#
ROMMON mode - ROMMON> (Read-Only-Memory Monitor mode)
Unlike an ISR, the ASA performs as follows:
- Execute any ASA CLI command regardless of the current configuration mode prompt. The IOS "do" command is not required or recognized.
- Provide a brief description and command syntax when help is entered followed by the command. For example, typing help reload will display the command syntax for reload, a description, and the supported arguments.
- Interrupt show command output using Q. The IOS requires the use of Ctrl+C (^C).
In ROMMON mode, an administrator can use a TFTP server to load a system image into the security appliance. ROMMON mode is also used to recover the system password.
| IOS Router Command        | Equivalent ASA Command   |
|---------------------------|--------------------------|
| erase startup-config      | write erase              |
| enable secret             | enable password          |
| line con 0                |                          |
| show ip interfaces brief  | show interfaces ip brief |
| show ip route             | show route               |
| show ip nat translations  | show xlate               |
| show vlan                 | show switch vlan         |
| ip route                  | route outside            |
The ASA 5505 ships with a default configuration that, in most cases, is sufficient for a basic SOHO deployment.
The configuration includes two preconfigured VLAN networks: VLAN1 and VLAN2.
VLAN 1 is for the inside network and VLAN 2 is for the outside network.
The inside interface also provides DHCP addressing and NAT features. Clients on the inside network obtain a dynamic IP address from the ASA so that they can communicate with each other and with devices on the Internet.
Specifically, the default factory configuration for the ASA 5505 configures the following:
* A default host name of ciscoasa
* Console and enable passwords that are blank.
* An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. The VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
* An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address from the ISP using DHCP.
* The default route that is derived from DHCP.
* All inside IP addresses to be translated when accessing the outside using interface PAT.
* The HTTP server to support ASDM access.
* An internal DHCP server to provide addresses between 192.168.1.5 and 192.168.1.36 for hosts that connect to a VLAN 1 interface.
The ASA can be restored to its factory default configuration by using the global configuration command:
configure factory-default
The ASA startup configuration can be erased using the commands:
write erase
reload
Once rebooted, the ASA displays the following prompt: "Pre-configure Firewall now through interactive prompts [yes]?"
hostname name - Changes the name of the ASA
clock set 8:05:00 3 OCT 2011
domain-name name - Changes the domain name.
enable password password - Configures the privileged EXEC mode password. Note that there is no secret option.
passwd password - Configures the Telnet / SSH password
key config-key password-encryption [new-passphrase [old-passphrase]] - Creates or changes the master passphrase used to encrypt all stored passwords with AES (similar to IOS service password-encryption). Encryption is then switched on with:
password encryption aes
Configure the Interfaces (vlan interfaces)
interface vlan <vlan-number> - Creates a switch virtual interface (SVI).
nameif <name> - Assigns a name to the SVI interface.
security-level <value> - Assigns a security level to the SVI interface
no shutdown - enables the Layer 2 port
show switch vlan
show int ip brief
IP address config
ip address ip-address netmask - Manually
ip address dhcp - Using DHCP
ip address dhcp setroute - also requests and installs a default route to the upstream device.
ip address pppoe - Using PPPoE
ip address pppoe setroute - also requests and installs a default route
CAUTION: An ASA 5505 with a Base license does not allow three fully functioning VLAN interfaces to be created.
If an ASA is configured as a DHCP client, then it can receive and install a default route from the upstream device.
Otherwise, a default static route will have to be configured using the command
route interface-name 0.0.0.0 0.0.0.0 next-hop-ip-address
route outside 0.0.0.0 0.0.0.0 220.127.116.11
Configure Telnet Access
passwd password - Configures the Telnet / SSH password.
telnet ip-address subnet-mask interface-name - Identifies which inside host can telnet to the ASA.
telnet 0.0.0.0 0.0.0.0 management
telnet timeout minutes - Alters the default exec timeout of 5 minutes.
SSH is also supported but requires AAA authentication to be enabled.
username name password password - Creates a local database entry.
aaa authentication ssh console LOCAL - Configures SSH to refer to the local database for authentication. The LOCAL keyword is case sensitive and is a predefined server tag.
crypto key generate rsa modulus 1024 - Generates the RSA key required for SSH encryption.
ssh ip-address subnet-mask interface-name - Identifies which inside host can SSH to the ASA.
ssh timeout minutes - Alters the default exec timeout of 5 minutes.
Configure NTP Services
ntp server ip-address - Identifies the NTP server address.
ntp authentication-key - Configures the authentication key and password.
ntp trusted-key value - Identifies which configured key is to be trusted.
ntp authenticate - Enables NTP authentication.
show ntp status
show ntp associations
Configure DHCP Services
An ASA can be configured to be a DHCP client and a DHCP server.
dhcpd enable inside - Enables the DHCP server service (daemon) on the inside interface of the ASA.
dhcpd address [start-of-pool]-[end-of-pool] inside - Defines the pool of IP addresses and assigns the pool to inside users. Notice that the start-of-pool and end-of-pool IP addresses are separated by a hyphen.
Note: The ASA 5505 Base license is a 10-user license and therefore the maximum number of DHCP clients supported is 32.
DHCP options such as DNS, domain name, WINS, and lease time can all be manually configured as follows:
dhcpd domain domain-name - Configures the DNS domain name.
dhcpd dns dns-ip-address - Configures the DNS server IP address.
dhcpd wins wins-ip-address - Command to configure the WINS server address.
dhcpd lease seconds - Configures the lease time in seconds. The default is 3600 seconds (1 hour).
dhcpd option value - Configures the DHCP option code. Option code is in the range 0 - 250.
If the ASA outside interface was configured as a DHCP client, then the dhcpd auto_config outside global configuration command can be used to pass DNS, WINS, and domain information obtained from the DHCP client on the outside interface to the DHCP clients on the inside interface.
show dhcpd state - Displays the current DHCP state for inside and outside interfaces.
show dhcpd binding - Displays the current DHCP bindings of inside users.
show dhcpd statistics - Displays the current DHCP statistics.
To clear the DHCP bindings or statistics, use the commands
clear dhcpd binding
clear dhcpd statistics
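Putting the commands from this section together, the following is an added example of a complete ASA 5505 basic configuration; it is not from the original notes or from Cisco documentation. The host name, domain, addresses and every <...> placeholder are constructed; the single admin host 192.168.1.10 and the inside DNS/NTP server 192.168.1.2 (deliberately outside the DHCP pool) are assumptions.

```text
! Added example, not from the original notes: one complete ASA 5505 bring-up.
! Every <...> value and every address below is a constructed placeholder.
hostname asa-branch1
domain-name example.test
enable password <strong-enable-password>
passwd <strong-login-password>
! Master passphrase so stored passwords and keys are AES-encrypted, not plain text
key config-key password-encryption <master-passphrase>
password encryption aes
clock set 8:05:00 3 OCT 2011
!
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface vlan 2
 nameif outside
 security-level 0
 ! ISP-assigned address; setroute also installs the default route
 ip address dhcp setroute
interface ethernet 0/0
 switchport access vlan 2
 no shutdown
interface ethernet 0/1
 ! switch ports default to VLAN 1 (inside)
 no shutdown
!
! If the outside address were static, the default route would be set by hand:
! route outside 0.0.0.0 0.0.0.0 <isp-next-hop>
!
! Management access: Telnet limited to one admin host on the inside,
! SSH with local AAA for everything else.
username admin password <strong-admin-password> privilege 15
telnet 192.168.1.10 255.255.255.255 inside
telnet timeout 5
aaa authentication ssh console LOCAL
! The notes above show modulus 1024; 2048 is the smallest size worth deploying now.
crypto key generate rsa modulus 2048
ssh 192.168.1.10 255.255.255.255 inside
ssh timeout 5
ssh version 2
!
! Authenticated NTP against an inside time source (address constructed)
ntp authentication-key 1 md5 <ntp-shared-secret>
ntp trusted-key 1
ntp authenticate
ntp server 192.168.1.2 key 1 source inside
!
! DHCP server for inside clients; the Base license caps the pool at 32 addresses
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd domain example.test
dhcpd dns 192.168.1.2
dhcpd lease 3600
dhcpd enable inside
! Alternative to the manual dns/domain lines when outside is a DHCP client:
! dhcpd auto_config outside
!
! Verification
show switch vlan
show interface ip brief
show route
show ntp status
show dhcpd binding
```

Two choices in this block are deliberate: Telnet and SSH are both pinned to a single management host rather than 0.0.0.0 0.0.0.0, since the any-host form from the notes exposes the management plane to every inside device, and the DNS/NTP server sits at .2, below the DHCP pool, so the server's address can never be handed out to a client.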
Cisco ASA part 2