CCNA Security Chapter 10 - Implementing Cisco Adaptive Security Appliance (ASA) part 2

part 1 -

3) Cisco Adaptive Security Device Manager - ASDM
Cisco ASDM is a Java-based GUI tool that facilitates the setup, configuration, monitoring, and troubleshooting of Cisco ASA.
The application hides the complexity of commands from administrators, and allows streamlined configurations without requiring extensive knowledge of the ASA CLI.
It works with SSL to ensure secure communication with the ASA. 
Cisco ASDM can be used to monitor and configure multiple ASAs that run the same ASDM version. 

ASDM is preloaded in flash memory on any ASA running version 7.0 and later.
ASDM can be run as a Java Web Start application that is dynamically downloaded from the ASA flash. This allows an administrator to configure and monitor that one ASA device.
Alternatively, ASDM can be downloaded from flash and installed locally on a host as an application. This allows an administrator to use ASDM to configure and manage multiple ASA devices.

The management interface depends on the model of ASA:
Cisco ASA 5505 - The management switch port can be any port, except for Ethernet 0/0.
Cisco ASA 5510 and higher - The interface to connect is Management 0/0.

To allow access to ASDM, configure the ASA to allow HTTPS connections from any host on the inside network. Use these commands:
http server enable - Enables the ASA HTTP server.
http ip-address subnet-mask interface-name - Specifies a host or hosts that can access the ASA HTTP server using ASDM.
http server enable
http inside
Note: To remove and disable the ASA HTTP server service, use the global configuration command clear configure http.

With a factory default configuration, a host on the network can connect to the ASA default management IP address of using ASDM.

The ASDM launcher window provides three choices:
 - Install ASDM Launcher and Run ASDM - Install ASDM as an application on the host. The advantage of doing so is that one application can be used to manage several ASA devices. An Internet browser will no longer be required to start ASDM.
 - Run ASDM - Run ASDM as a Java Web start application. The advantage is that the ASDM application is not installed on the local host. An Internet browser is required to establish a connection.
 - Run Startup Wizard - Run the ASDM Startup Wizard. This choice is similar to the Setup Initialization wizard and provides step-by-step windows to help initially configure the ASA.

The Cisco ASDM user interface is designed to provide easy access to the many features that the ASA supports.

Other tabs the Home page may display include:
 - Intrusion Prevention - Appears only if an IPS module or card is installed. The additional tab displays status information about the IPS software.
 - Content Security - Appears only if a CSC-SSM is installed in the ASA. The Content Security tab displays status information about the CSC-SSM software.

Cisco ASDM offers several wizards to help simplify the configuration of the appliance:
 * Startup Wizard
 * VPN Wizards (Site-to-site VPN, AnyConnect VPN, Clientless SSL VPN, IPsec (IKEv1) Remote Access VPN)
 * High Availability and Scalability Wizard
 * Unified Communication Wizard
 * Packet Capture Wizard

The Startup Wizard can be used to either:
- modify the existing configuration (hostname, domain name, enable password, interfaces, routes, DHCP server, NAT/PAT, management access, Auto Update Server)
- or reset the configuration to factory defaults

4) Advanced CLI Configuration
Object Groups
The ASA supports objects and object groups.
Objects are created and used by the ASA in place of an inline IP address in any given configuration. An object can be defined with a particular IP address and netmask pair or a protocol (and, optionally, a port) and it can be re-used in several configurations. The advantage is that when an object is modified, the change is automatically applied to all rules that use the specified object. Therefore, objects make it easy to maintain configurations.

Objects can be attached to or detached from one or more object groups when needed, ensuring that the objects are not duplicated but can be re-used wherever needed.
These objects can be used in NAT, access lists, and object groups. Specifically, network objects are a vital part of configuring NAT.

There are two types of objects that can be configured:
Network object - Contains a single IP address/mask pair. Network objects can be of three types: host, subnet, or range.
Service object - Contains a protocol and optional source and/or destination port.

Note: A network object is required to configure NAT in ASA image versions 8.3 and higher.

Create a network object (can contain only one IP address and mask pair):
object network <object-name>
Network objects can be defined using one of the following three methods:
host <ip-addr> - Assigns an IP address to the named object.
subnet <net-address> <net-mask> - Assigns a network subnet to the named object.
range <ip-addr-1> <ip-addr-n> - Assigns IP addresses in a range.
Create a service object:
object service <object-name>
There are five service options:
service protocol [source [operator port]] [destination [operator port]] - Specifies an IP protocol name or number.
service tcp [source [operator port]] [destination [operator port]] - Specifies that the service object is for the TCP protocol.
service udp [source [operator port]] [destination [operator port]] - Specifies that the service object is for the UDP protocol.
service icmp icmp-type - Specifies that the service object is for the ICMP protocol.
service icmp6 icmp6-type - Specifies that the service object is for the ICMPv6 protocol.
Verify with: show running-config object

A network object name can contain only one IP address and mask pair. Therefore, there can only be one statement in the network object. Entering a second IP address/mask pair will replace the existing configuration.

object network EXAMPLE-1 
show run object
 object network EXAMPLE-1 

object service SERVICE-1

service tcp destination eq ftp
service tcp destination eq www
Object Groups
Objects can be grouped together to create an object group.
The following guidelines and limitations apply to object groups:
 - Objects and object groups share the same name space.
 - Object groups must have unique names.  
 - An object group cannot be removed or emptied if it is used in a command.
 - The ASA does not support IPv6 nested object groups.

The ASA supports the following types of object groups:
 - Network - object-group network grp-name
 - Protocol - object-group protocol grp-name
 - ICMP-type - object-group icmp-type grp-name
 - Service - object-group service grp-name

Note: A network object group cannot be used to implement NAT. A network object is required to implement NAT.
clear configure object-group - Removes all the object groups from the configuration.

object-group network ADMIN-HOST
  description Administrative hosts
  network-object host 
  network-object host
object-group network ALL-HOSTS
  description All inside hosts
  network-object host
  group-object ADMIN-HOST
ASA ACLs are similar to IOS ACLs in the following ways:
 - ACLs are made up of one or more ACEs.
   An ACE is a single entry in an access list that specifies a permit or deny rule (to forward or drop the packet) and is applied to a protocol, to a source and destination IP address or network, and, optionally, to the source and destination ports.
 - ACLs are processed sequentially from the top down.
 - The first matching ACE ends processing of the ACL; no later ACE is evaluated.
 - There is an implicit deny all at the bottom.
 - Remarks can be added per ACE or ACL.
 - Only one access list can be applied per interface, per protocol, per direction.
 - ACLs can be enabled/disabled based on time ranges.

ASA ACLs differ from IOS ACLs in that:
 - they use a network mask (e.g., ) instead of a wildcard mask (e.g., ),
 - all ASA ACLs are named instead of numbered,
 - by default, interface security levels apply access control even without an ACL configured:
   - traffic from a more secure interface (such as security level 100) is allowed to access less secure interfaces (such as level 0),
   - traffic from a less secure interface is blocked from accessing more secure interfaces.

Note: To allow connectivity between interfaces with the same security level, the following global configuration command is required:
same-security-traffic permit inter-interface

To enable traffic to enter and exit the same interface, such as when encrypted traffic enters an interface and is then routed out the same interface unencrypted, use the global configuration command:
same-security-traffic permit intra-interface
ACLs on a security appliance can be used not only to filter packets passing through the appliance but also to filter packets destined to the appliance itself.
 - Through-traffic filtering - Traffic that passes through the security appliance from one interface to another interface. The configuration is completed in two steps:
   set up an ACL, then apply that ACL to an interface.
 - To-the-box-traffic filtering - Also known as a management access rule, applies to traffic that terminates on the ASA.
   Introduced in version 8.0 to filter traffic destined to the control plane of the ASA.
   It is completed in one step but requires an additional set of rules to implement access control.

The ASA supports 5 types of access lists:
1) Extended access lists - The most common type of ACL. Contains one or more ACEs to specify source and destination addresses and protocol, ports (for TCP or UDP), or the ICMP type (for ICMP).
 - Filters on source/destination port and protocol

2) Standard access lists - Unlike IOS where a standard ACL identifies the source host/network, ASA standard ACLs are used to identify the destination IP addresses.
   They are typically only used for OSPF routes and can be used in a route map for OSPF redistribution.
 - Used for routing protocols, not firewall rules
 - Cannot be applied to interfaces to control traffic

3) EtherType access lists - An EtherType ACL can be configured only if the security appliance is running in transparent mode.

4) Webtype access lists - Used in a configuration that supports filtering for clientless SSL VPN.

5) IPv6 access lists - Used to determine which IPv6 traffic to block and which traffic to forward at router interfaces.
help access-list - Displays the access-list syntax.
remark - Creates an ACE description.
I) Create Extended ACL (ACL SYNTAX)

II) Apply the ACL to an interface in either the inbound or the outbound direction:
access-group access-list {in | out} interface interface-name [per-user-override | control-plane]

III) To verify ACLs, use the following commands:
show access-list and show running-config access-list
To erase a configured ACL, use:
clear configure access-list id

Object Groups in ACL
access-list id [line line-num] [extended] {deny | permit}
[object-group protocol-obj-grp-id
 object-group network-obj-grp-id
 object-group service-obj-grp-id]
[object-group network-obj-grp-id object-group service-obj-grp-id]
[log level] [interval secs] [[disable | default] | [time-range time-range-ID]] | [inactive]
Note: Object groups can also be nested in other object groups.

In ASDM, access rules can be created and maintained using the Access Rules window. To open the window, choose Configuration > Firewall > Access Rules.

NAT Services
Like IOS routers, the ASA supports NAT and PAT and these addresses can also be provided either statically or dynamically.

NAT and PAT can be deployed using one of these methods:
 - Inside NAT - The typical NAT deployment method is when a host from a higher-security interface has traffic destined for a lower-security interface and the ASA translates the internal host address to a global address. The ASA then restores the original inside IP address for return traffic.
 - Outside NAT - This method is used when traffic from a lower-security interface destined for a host on the higher-security interface is translated. This method may be useful to make a host on the outside appear as one from a known internal IP address.
 - Bidirectional NAT - Indicates that both inside NAT and outside NAT are used together.

By default, Cisco ASA does not require an address translation policy to be created when the higher level security interfaces need to access resources on lower security-level interfaces. However, if a packet matches a NAT/PAT policy, the ASA translates the address.

Traditionally, NAT was configured using the nat, global, and static commands.
However, Auto-NAT is a new feature introduced in ASA version 8.3 that has replaced that method of configuring NAT. The global and static commands are no longer supported.
Auto-NAT has considerably simplified the configuration and troubleshooting of NAT.
nat [(real-ifc,mapped-ifc)] dynamic {mapped-inline-host-ip [interface] | [mapped-obj] [pat-pool mapped-obj [round-robin]] [interface]} [dns]

asa-5520# show run nat 
nat (inside,out) source static any any destination static NETWORK_OBJ_10.100.100.0_26 NETWORK_OBJ_10.100.100.0_26 no-proxy-arp route-lookup
The ASA divides the NAT configuration into two sections:
 - The first section defines the network to be translated using a network object.
 - The second section defines the actual nat command parameters.
These appear in two different places in the running-config.
show run object - Displays the network objects.
show run nat - Displays the NAT running configuration.
Cisco ASA supports the following common types of network address translation:
 - Dynamic NAT - Many-to-many translation. Usually an inside pool of private addresses requiring public addresses from another pool.
 - Dynamic PAT - Many-to-one translation. Usually an inside pool of private addresses overloading an outside interface or outside address.
 - Static NAT - A one-to-one translation. Usually an outside address mapping to an internal server.

Another ASA version 8.3 feature is called Twice-NAT.
Twice-NAT identifies both the source and destination address in a single rule (nat command). Twice-NAT is used when configuring remote-access IPsec and SSL VPNs.

Cisco ASA Configure NAT @

show nat
show xlate
clear nat counters
To configure Dynamic NAT in ASDM, choose Configuration > Firewall > Objects > Network Objects/Groups and then click Add > Network Object.
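A worked configuration that ties the object, object-group, ACL and Auto-NAT sections above together. This is an added example, not a configuration from the original post: the interface names (inside/outside), object names and addresses (10.1.1.0/24 inside, 203.0.113.x outside) are constructed, and the syntax assumes ASA 8.3 or later, where an ACE refers to the real (untranslated) address of a NATed host.

```cisco
! Constructed example: 10.1.1.0/24 is the inside LAN and 203.0.113.10 is a
! spare public address on the outside segment reserved for the web server.
object network INSIDE-NET
 description All inside hosts
 subnet 10.1.1.0 255.255.255.0
 ! Auto-NAT: dynamic PAT of every inside host to the outside interface address
 nat (inside,outside) dynamic interface
object network WEB-SERVER
 description Internal web server (real address)
 host 10.1.1.10
 ! Static one-to-one NAT: 10.1.1.10 is reachable from outside as 203.0.113.10
 nat (inside,outside) static 203.0.113.10
!
object-group service WEB-PORTS tcp
 description Only the ports published on the web server
 port-object eq www
 port-object eq https
!
! Through-traffic ACL on the lower-security interface. The destination is the
! object holding the REAL address 10.1.1.10, not the mapped 203.0.113.10.
! The explicit final deny duplicates the implicit deny so dropped packets log.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER object-group WEB-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Verification: object definitions and nat statements live in separate sections
show running-config object
show running-config nat
show access-list OUTSIDE-IN
show xlate
```

Changing the host address inside WEB-SERVER later updates both the static NAT and the ACE, which is the maintainability point the section makes about objects.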

Access Control
Using AAA, only authenticated and authorized users can be permitted to connect through the ASA.
The ASA caches the first 16 authorization requests per user. Therefore, if the user accesses the same services during the current authentication session, the ASA does not resend the request to the authorization server.

Accounting tracks traffic that passes through the ASA, enabling administrators to have a record of user activity. Accounting information includes session start and stop times, usernames, the number of bytes that pass through the ASA for the session, the service used, and the duration of each session.

username name password password [privilege priv-level] - Creates a local user account (used without AAA, or as the LOCAL fallback database).
aaa-server server-tag protocol protocol - Creates a TACACS+ or RADIUS AAA server group.
aaa-server server-tag [(interface-name)] host {server-ip | name} [key] - Configures a AAA server as part of a AAA server group.
aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server-group [LOCAL]} - Enables AAA authentication for the given management access method; a trailing LOCAL means the local database is used only if the server group is unreachable.
To bind the authentication with the AAA server groups and the local database, choose
Configuration > Device Management > Users/AAA > AAA Access
(This is the ASDM menu sequence required to configure Telnet or SSH AAA authentication using a TACACS+ server first, falling back to the local device user database if the TACACS+ server is unavailable.)
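The management-access commands from the ASDM section together with the AAA commands above, as an added example that is not part of the original post. The admin subnet 10.1.1.0/24, the TACACS+ server address 10.1.1.5 and the group name are constructed, and the key and password are placeholders to be replaced.

```cisco
! Constructed example: ASDM (HTTPS) and SSH are reachable only from the
! admin subnet on the inside interface, never from "any".
http server enable
http 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10
!
! TACACS+ server group; the shared key is a placeholder, not a real value
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.1.1.5
 key <TACACS_KEY_PLACEHOLDER>
!
! The server group is tried first. LOCAL is used only when the group is
! unreachable, not when the server rejects the credentials.
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication http console TACACS-GRP LOCAL
aaa authentication enable console TACACS-GRP LOCAL
!
! Local fallback account so the appliance stays manageable if TACACS+ is down
username admin password <ADMIN_PASSWORD_PLACEHOLDER> privilege 15
!
! Verify reachability of the group before relying on it
show aaa-server TACACS-GRP
```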

Service Policies
Modular Policy Framework (MPF) provides a consistent and flexible way to configure security appliance features in a manner similar to the Cisco IOS software QoS CLI.
For example, you can use Modular Policy Framework to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications.

Modular Policy Framework is supported with these features:
  • IPS
  • TCP normalization, and connection limits and timeouts
  • QoS policing (rate limit)
  • QoS priority queue
  • Application inspection

Cisco MPF uses these three configuration objects to define modular, object-oriented, hierarchical policies: 
0) Configure extended ACLs to identify specific granular traffic. This step may be optional.
1) Class maps - Define match criterion by using the class-map global configuration command.
2) Policy maps - Associate actions to the class map match criteria by using the policy-map global configuration command.
3) Service policies - Enable the policy by attaching it to an interface, or globally to all interfaces using the service-policy interface configuration command.
Modular Policy Framework
The ASA supports Layer 5 through Layer 7 inspections using a richer set of criteria for application-specific parameters.

Default Global Policy
By default, the configuration includes a policy that matches all default application inspection traffic and applies inspection to the traffic on all interfaces (a global policy). You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one.

The default policy configuration includes the following commands:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
class class-map-name
service-policy policy-map-name [global | interface intf]
To configure a service policy using ASDM, choose Configuration > Firewall > Service Policy Rules, and click Add.
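The three MPF steps (class map, policy map, service policy) applied to one interface, as an added example that is not from the original post. The ACL, class and policy names, the interface name and the connection limits are constructed; the default global_policy shown above is left untouched.

```cisco
! Constructed example: inspect inbound HTTP on the outside interface and cap
! its connections, instead of editing the default global_policy class.
! Step 0 (optional): ACL that identifies the granular traffic
access-list WEB-IN-ACL extended permit tcp any any eq www
!
! Step 1: class map - match criterion is the ACL above
class-map WEB-IN-CLASS
 description Inbound HTTP as identified by WEB-IN-ACL
 match access-list WEB-IN-ACL
!
! Step 2: policy map - actions bound to the class
policy-map OUTSIDE-POLICY
 description Layer 7 inspection plus connection limits for inbound HTTP
 class WEB-IN-CLASS
  inspect http
  set connection conn-max 1000 embryonic-conn-max 200
  set connection timeout idle 0:05:00
!
! Step 3: service policy - one policy per interface; for the features it
! configures it takes precedence over global_policy, which still applies
! on all interfaces for everything else.
service-policy OUTSIDE-POLICY interface outside
!
! Verification: per-class hit counters and current connection counts
show service-policy interface outside
show conn count
```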

5) ASA Remote-Access VPN Options
ASA is usually the choice when supporting a large remote networking deployment (supporting concurrent user scalability from 10 to 10,000 sessions per device).

The ASA supports three types of remote-access VPNs:
1) Clientless SSL VPN Remote Access (using a web browser)
2) SSL or IPsec (IKEv2) VPN Remote Access (using Cisco AnyConnect client)
3) IPsec (IKEv1) VPN Remote Access (using the legacy Cisco VPN client, which has reached its end-of-sale and end-of-life dates).

The ASA supports IKEv1 for connections from the legacy Cisco VPN client.
IKEv2 is required for the AnyConnect VPN client.
For IKEv2, it is possible to configure multiple encryption and authentication types, and multiple integrity algorithms for a single policy. With IKEv1 for each parameter, only one value can be set per security policy.

"IKE" (Internet Key Exchange) - a protocol that belongs to the IPsec protocols suite. Its responsibility is in setting up security associations that allow two parties to send data securely.  
IKEv1 versus IKEv2:
1. IKEv2 does not consume as much bandwidth as IKEv1.
2. IKEv2 supports EAP authentication while IKEv1 does not.
   - IKEv2 supports pre-shared key and certificate authentication, which IKEv1 also has.
   - More importantly, IKEv2 provides EAP authentication and is therefore suitable for integration with existing enterprise authentication systems. IKEv1 does not have this capability.
3. IKEv2 supports MOBIKE while IKEv1 does not.
4. IKEv2 has built-in NAT traversal while IKEv1 does not.
5. IKEv2 can detect whether a tunnel is still alive while IKEv1 cannot.

EAP - Extensible Authentication Protocol
MOBIKE - IKEv2 Mobility and Multihoming Protocol (changing IP addresses on devices)

SSL is a cryptosystem that was created by Netscape in the mid-1990s and was designed to enable secure communications on an insecure network such as the Internet. It provides encryption and integrity of communications along with strong authentication using digital certificates.
 - Clientless SSL VPN - Clientless, browser-based VPN that lets users establish a secure, remote-access VPN tunnel to the ASA using a web browser. After authentication, users access a portal page and can access specific, supported internal resources.
 - Client-Based SSL VPN - Provides full tunnel SSL VPN connection but requires a VPN client application to be installed on the remote host (such as the Cisco AnyConnect VPN client to be installed on the host). Without a pre-installed client, remote users can connect to the ASA using an HTTPS browser connection, and authenticate to the ASA. To support IT consumerization, the Cisco AnyConnect client is available at no cost for select platforms such as iPhones, iPad, Android, and BlackBerry devices.
Configuration > Remote Access VPN > Network (Client) Access.

ASDM provides two tools for initially configuring a clientless SSL VPN on an ASA:
 - ASDM Assistant - This feature guides an administrator through the SSL VPN configuration.
 - VPN wizards - This is an ASDM wizard that simplifies the SSL VPN configuration.

The conventional teleworker remote-access solution is IPsec VPN which requires a VPN client to be pre-installed on the host.

Three components must be configured when implementing a clientless SSL VPN on an ASA 5505 device:
- bookmark lists
- connection profile name
- group policy.

Three components must be configured when implementing a client-based SSL VPN on an ASA 5505 device:
- client address assignment
- client image
- SSL or IPsec.

A remote host is connecting to an ASA 5505 via a VPN connection.

Once authenticated, the host displays the highlighted system tray icon.
On the basis of the information that is presented, what three assumptions can be made:
 - The host has connected to the ASA via a client-based SSL VPN connection.
 - The host is connected via the AnyConnect VPN client.
 - Using the ipconfig command on the host displays an IP address from the originating network and an IP address for the VPN connection.

A clientless SSL VPN via a web browser (sample configuration):

Three components must be configured when using the Site-to-Site VPN Connection Setup wizard in ASDM:
 - authentication method
 - encryption algorithms
 - IKE version
(Crypto maps and GRE tunnel specifications are not among them.)

An administrator has successfully configured a site-to-site VPN on an ASA 5505.
Which ASDM menu sequence displays the number of packets encrypted, decrypted, and security association requests?
Monitoring > VPN > VPN Statistics > Crypto Statistics.
