
Cisco Confidential 1 2010 Cisco and/or its affiliates. All rights reserved.

ASA Firewall Essentials


July 2012
Bogdan Doinea
Assoc. Technical Manager
CEE&RCIS
Cisco Networking Academy
Introduction to the ASA Firewall
The ASA Operating System
ASA Firewall Configuration
ASA Remote Access
Technical Demo
• Adaptive Security Appliance (ASA): Cisco's lead dedicated firewall solution, an all-in-one platform combining
  - a firewall
  - a VPN concentrator
  - an IPS
• Advanced features:
  - virtual firewalling (multiple security contexts)
  - transparent / routed mode
  - high availability
  - advanced threat control (AIP-SSM, AIP-SSC modules)
  - identity firewall
• The ASA also monitors the state of each connection through its initiation, data transfer and termination phases.
• It can therefore detect abnormal connection behaviour that might indicate attacks or exploits.
[Figure: ASA with interfaces E0/1, E0/2 and E0/3 connecting the "inside" network (security level 100), the "DMZ" (security level 50) and the "outside" network (security level 0) towards the Internet.]
• Only certain connections get inspected (by default, those initiated from a higher security level towards a lower one).
• The administrator configures the security level of each interface.
A TCP connection traverses the ASA in five steps:
1. The packet is received on the inside interface. The inbound ACL is applied and, if NAT is configured, the inside NAT operation is done.
2. The ASA randomises the initial sequence number (ISN) of the connection, creates a state object in memory that retains the layer 3 and layer 4 information from the packet, and marks the connection as embryonic (half-open).
3. The reply packet comes back on the outside interface. Inbound ACLs are applied: if the packet is explicitly permitted by the ACL, the state table isn't consulted and the check that follows is skipped; otherwise the state table is searched for a state object that matches the information in the returning packet, and the packet is dropped if none is found.
4. The ASA checks the ACK number in the packet against the sequence number it overwrote in step 2. If the packet is legitimate, the ASA rewrites the ACK to ISN+1 so that it matches the TCP information on the host.
5. The host responds with an ACK. The ACK number is not randomised. The connection is changed to active-established and the embryonic counter is reset for that state object.
• Routed mode
  - the ASA is a layer 3 device
  - all ASA features and capabilities are active
• Transparent mode
  - the ASA is a layer 2 device (it works with VLANs instead of IP subnets)
  - it can have a global IP address used for remote management
  - it does not appear as an IP hop, so it is not directly visible to an attacker coming from the Internet
  - some functionalities are disabled: routing protocols, VPNs, QoS, DHCP relay
• A series of LEDs:
  - speed and link activity LEDs
  - power LED
  - status LED
  - active LED
  - VPN LED
  - Security Services Card (SSC) LED
• An 8-port 10/100 Fast Ethernet switch.
• Three USB ports.
• One Security Services Card (SSC) slot for expansion. The slot can be used to add the Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC).
• Same modular structure as IOS:
  - Unprivileged mode: limited rights
  - Privileged mode: generally used for show commands
  - Global configuration: used for "general" settings (e.g. the password for privileged mode, static routes, banners, hostname etc.)
  - Configuration sub-modes: used for advanced configuration of specific features (firewall, VPN, routing protocols etc.)
• Same help system:
ciscoasa> ?
enable  Turn on privileged commands
ciscoasa>
ciscoasa#
ciscoasa(config)#
ciscoasa(config-if)#
• The default enable password is empty: just press Enter (CR + LF) at the Password: prompt. Set one with enable password before the device goes into production.
ciscoasa>enable 15
Password:
ciscoasa#configure terminal
ciscoasa(config)#interface fa0/1
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#exit
ciscoasa>
ciscoasa> ?
enable   Turn on privileged commands
exit     Exit the current command mode
login    Log in as a particular user
logout   Exit from current user profile to unprivileged mode
perfmon  Change or view performance monitoring options
ping     Test connectivity from specified interface to an IP address
quit     Exit the current command mode
ciscoasa> help enable
USAGE:
enable [<priv_level>]
DESCRIPTION:
enable  Turn on privileged commands
• First we delete…
  Deleting configurations: the running-config lives in RAM, the startup-config in flash.
ciscoasa# clear configure all      (clears the running-config in RAM)
ciscoasa# write erase              (erases the startup-config in flash)
• Then we save…
  Saving the configuration: running-config (RAM) is copied to startup-config (flash).
ciscoasa# copy running startup
ciscoasa# write mem
ciscoasa# wr
ciscoasa# show running
ciscoasa# show startup
• The clear configure command doesn't exist in IOS (on routers and switches).
• It enables selective deletion of parts of the configuration in RAM (the running-config), one feature at a time:
ciscoasa(config)# show running-config | include isakmp
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ciscoasa(config)# clear configure isakmp
ciscoasa(config)# show running-config | include isakmp
(The 3DES / MD5 / DH group 2 policy shown here is typical of the period and would be considered weak today; it is only a target for the clear command.)
• Configuring a hostname
• Configuring a password for the telnet line (passwd)
• Configuring a password for privileged mode (enable password). How did we configure this on a router?
ciscoasa(config)# hostname ipd
ipd(config)#
ipd(config)# passwd cisco
ipd(config)# enable password cisco
ipd# sh run | i pass
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
The "encrypted" keyword is misleading: on this software the stored value is an unsalted MD5 of the password padded to 16 bytes, so the same password always yields the same string (both lines above match) and it can be recovered with an offline dictionary attack. Never keep the example password.
• In order to pass traffic between two interfaces, a security level needs to be defined for each interface.
• Security levels represent the simplest stateful firewall model that the ASA offers.
• Packets get inspected by the firewall engine when they traverse from a higher-security-level interface to a lower-security-level interface.
• Packets that try to pass from a lower-security interface to a higher-security interface without a matching stateful object in the memory of the ASA are dropped by default. Traffic between two interfaces with the same level is also denied unless same-security-traffic permit inter-interface is configured.
• Besides the security level, every ASA interface needs a "name" (nameif). This name is what every command that uses the interface refers to.
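The following Python model is an added illustration (not Cisco code and not from the slides) of the two mechanisms described here and in the five-step TCP walkthrough earlier: the security-level default policy for new connections, and the embryonic/established state object with ISN randomisation and ACK rewriting. Interface names, levels, addresses and sequence numbers are constructed; ACLs and NAT are left out.

```python
"""Toy model of the stateful behaviour described on the slides: the
security-level default policy, embryonic/established state objects and ISN
randomisation. Added illustration, not Cisco code; ACLs and NAT are omitted."""
import random
from dataclasses import dataclass

MOD = 2 ** 32
# Assumed interface security levels, matching the slide's diagram.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass
class Packet:
    ingress: str        # interface the packet arrives on
    egress: str         # interface it would leave on (routing assumed done)
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    flags: frozenset    # subset of {"SYN", "ACK"}
    seq: int
    ack: int = 0


@dataclass
class ConnState:
    client: tuple       # host that sent the SYN
    client_isn: int     # ISN as chosen by the client
    isn_offset: int     # random delta the ASA adds to the client's seq numbers
    state: str = "embryonic"


class MiniASA:
    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.conns = {}     # frozenset({src, dst}) -> ConnState
        self.embryonic = 0  # half-open connection counter

    def process(self, pkt):
        """Return (verdict, packet as forwarded) or (verdict, None) on drop."""
        key = frozenset((pkt.src, pkt.dst))
        conn = self.conns.get(key)
        if conn is None:
            # Steps 1-2: no state object. Only a SYN arriving on a higher
            # security interface and leaving on a lower one may open one.
            if pkt.flags != {"SYN"}:
                return "drop: no matching state object", None
            if SECURITY_LEVEL[pkt.ingress] <= SECURITY_LEVEL[pkt.egress]:
                return "drop: lower to higher security without state", None
            conn = ConnState(pkt.src, pkt.seq, self.rng.randrange(1, MOD))
            self.conns[key] = conn
            self.embryonic += 1
            fwd = Packet(pkt.ingress, pkt.egress, pkt.src, pkt.dst, pkt.flags,
                         (pkt.seq + conn.isn_offset) % MOD, pkt.ack)
            return "permit: new embryonic connection", fwd
        if pkt.src == conn.client:
            # Client -> server: the sequence number is shifted on every packet.
            fwd = Packet(pkt.ingress, pkt.egress, pkt.src, pkt.dst, pkt.flags,
                         (pkt.seq + conn.isn_offset) % MOD, pkt.ack)
            if conn.state == "embryonic" and pkt.flags == {"ACK"}:
                conn.state = "established"   # step 5: handshake completed
                self.embryonic -= 1
            return "permit: " + conn.state, fwd
        # Server -> client: returning traffic from the lower security side.
        if conn.state == "embryonic":
            # Steps 3-4: the SYN/ACK must acknowledge the randomised ISN + 1.
            if pkt.flags != {"SYN", "ACK"}:
                return "drop: unexpected flags for embryonic connection", None
            if pkt.ack != (conn.client_isn + conn.isn_offset + 1) % MOD:
                return "drop: ACK does not match randomised ISN", None
        # Undo the offset so the client sees the ACK it expects (ISN + 1).
        fwd = Packet(pkt.ingress, pkt.egress, pkt.src, pkt.dst, pkt.flags,
                     pkt.seq, (pkt.ack - conn.isn_offset) % MOD)
        return "permit: " + conn.state, fwd


def handshake_demo(seed=7):
    """Push a constructed inside->outside handshake and an unsolicited
    outside SYN through the model; return what each side observed."""
    asa = MiniASA(seed)
    client, server = ("10.10.1.5", 40000), ("203.0.113.9", 80)   # constructed
    syn = frozenset({"SYN"})
    synack = frozenset({"SYN", "ACK"})
    ack = frozenset({"ACK"})
    v1, fwd_syn = asa.process(Packet("inside", "outside", client, server, syn, seq=1000))
    # The server answers the sequence number it actually saw (the randomised one).
    v2, fwd_synack = asa.process(Packet("outside", "inside", server, client, synack,
                                        seq=5000, ack=(fwd_syn.seq + 1) % MOD))
    v3, _ = asa.process(Packet("inside", "outside", client, server, ack, seq=1001, ack=5001))
    v4, _ = asa.process(Packet("outside", "inside", ("198.51.100.7", 1234),
                               ("10.10.1.7", 22), syn, seq=1))
    conn = asa.conns[frozenset((client, server))]
    return {"syn": v1, "synack": v2, "ack": v3, "outside_syn": v4,
            "offset": conn.isn_offset, "seq_seen_by_server": fwd_syn.seq,
            "ack_seen_by_client": fwd_synack.ack, "state": conn.state,
            "embryonic": asa.embryonic}


if __name__ == "__main__":
    for name, value in handshake_demo().items():
        print(f"{name}: {value}")
```

The model keeps the connection key direction-independent so the returning SYN/ACK finds the same state object the SYN created; that lookup, rather than the interface pair, is what lets the reply cross from level 0 to level 100. A SYN/ACK whose ACK was computed from the client's real ISN (a blind spoofing attempt, or a host that never saw the randomised SYN) fails the step 4 check and is dropped.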
• Configuring security levels is done from interface configuration mode, (config-if):
[Figure: the same three-interface topology as above ("inside" 100, "DMZ" 50, "outside" 0 towards the Internet, on E0/1, E0/2, E0/3).]
• An ASA interface that has no name or security level does not have L3 connectivity.
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
• The level can be changed with the security-level command. Only an interface named exactly "inside" gets level 100 automatically; any other name defaults to 0, so set the level explicitly:
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# no shutdown
• By default telnet access is not allowed.
• If no password is set, the default login password is "cisco".
• Telnet on the outside interface (security level 0) is not permitted unless the telnet connection arrives through an IPsec tunnel.
• Telnet sends the password and the whole session in cleartext; enable it only on a trusted management network and prefer SSH.
• Monitoring sessions: who lists them, kill ends one.
ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside
ciscoasa(config)# telnet timeout 10
ciscoasa(config)# passwd cisco123
ciscoasa# who
0: 10.10.0.132
ciscoasa# kill 0
ciscoasa# who
• SSH is permitted on any interface.
• Step 1: generate the RSA key pair.
• Step 2: activate SSH for the allowed source networks.
• By default the user is "pix" and the password is the one configured with passwd; use aaa authentication ssh console LOCAL with named users instead of the shared account.
ciscoasa(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 10
(A 1024-bit modulus was common in 2012; generate 2048 bits or more today, and always pin ssh version 2.)
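An added example, not part of the slides or of Cisco's tooling: a small Python audit of the telnet and ssh lines from the two slides above, run over a constructed weak configuration and a constructed hardened one. The 10-minute idle-timeout limit is an assumed site policy, and the checks cover only the commands shown on these slides.

```python
"""Audit the remote-management lines of an ASA running-config for the weak
settings discussed on the slides. Added example, not a Cisco tool; both
configurations below are constructed for illustration."""

WEAK_CONFIG = """\
telnet 10.10.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
ssh timeout 60
"""

HARDENED_CONFIG = """\
ssh 10.10.0.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
aaa authentication ssh console LOCAL
"""


def audit_remote_access(config_text, max_timeout=10):
    """Return [(line, finding)] for every weak remote-access setting found.
    max_timeout is an assumed site policy (minutes of idle time)."""
    findings = []
    ssh_version = None
    aaa_ssh = False
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "telnet" and len(parts) == 4:
            # Any telnet line: credentials and session travel in cleartext.
            findings.append((raw, "telnet is cleartext; use ssh instead"))
            if parts[3] == "outside":
                findings.append((raw, "telnet on the outside interface is refused "
                                      "unless it arrives through an IPsec tunnel"))
        elif parts[0] == "ssh" and len(parts) == 4:
            if parts[1:3] == ["0.0.0.0", "0.0.0.0"]:
                findings.append((raw, "ssh allowed from any source; restrict to management networks"))
        elif parts[:2] == ["ssh", "version"]:
            ssh_version = parts[2]
        elif parts[:2] in (["ssh", "timeout"], ["telnet", "timeout"]):
            if int(parts[2]) > max_timeout:
                findings.append((raw, f"idle timeout above {max_timeout} minutes"))
        elif raw.startswith("aaa authentication ssh console"):
            aaa_ssh = True
    if ssh_version != "2":
        findings.append(("ssh version", "ssh version 2 is not enforced"))
    if not aaa_ssh:
        findings.append(("aaa authentication ssh console",
                         "no AAA for ssh: logins use the shared 'pix' user and the passwd secret"))
    return findings


if __name__ == "__main__":
    for line, why in audit_remote_access(WEAK_CONFIG):
        print(f"{line!r}: {why}")
    print("hardened:", audit_remote_access(HARDENED_CONFIG))
```

Feed it the output of show running-config (or the relevant lines from show run | include ssh) and extend the checks as the management policy grows; the two absence checks at the end matter as much as the line-by-line ones, because a missing ssh version 2 or aaa line leaves the insecure default in force.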
• Configuring a specific interface
• Name of the interface and security levels
asa1# show run interface e0/3
interface Ethernet0/3
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0
asa1# show nameif
Interface            Name     Security
GigabitEthernet0/0   outside  0
GigabitEthernet0/1   inside   100
GigabitEthernet0/2   dmz      50
• All the parameters of an interface
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
  Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
  MAC address 0013.c482.2e4c, MTU 1500
  IP address 192.168.1.2, subnet mask 255.255.255.0
  8 packets input, 1078 bytes, 0 no buffer
  Received 8 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions
  0 late collisions, 0 deferred
  input queue (curr/max blocks): hardware (8/0) software (0/0)
  output queue (curr/max blocks): hardware (0/0) software (0/0)
  Traffic Statistics for "outside":
  8 packets input, 934 bytes
  0 packets output, 0 bytes
  8 packets dropped
  1 minute input rate 0 pkts/sec, 0 bytes/sec
  1 minute output rate 0 pkts/sec, 0 bytes/sec
  1 minute drop rate, 0 pkts/sec
• What command did we use in IOS to see the L2 and L3 status of interfaces in a "brief" output? show ip interface brief
• The ASA does it slightly differently: show interface ip brief
ciscoasa(config)# sh int ip br
Interface     IP-Address    OK? Method Status Protocol
Ethernet0/0   192.168.1.1   YES manual up     up
Ethernet0/1   10.10.1.1     YES manual up     up
• IOS Q: can we run a show command from config mode? A: yes, by putting "do" in front of the command.
• There is no "do" in the ASA OS, but you can issue show commands from any mode.
• Output can also be filtered with "|" and the arguments "i" (include), "b" (begin) and "grep".
normal_cisco_router(config)#do show clock
*15:08:07.868 UTC Thu Feb 17 2011
ciscoasa(config-if)# sh clock
15:54:01.139 UTC Thu Feb 17 2011
[Demo topology: R1 and R2 connected through the ASA, one router on the "outside" interface and one on the "inside" interface; router and ASA interfaces e0/0, G0 and G1.]
Thank you.