CCIE Security Version 4 Advanced Technologies Class
ASA Firewall

Agenda

• ASA Feature Overview
• ASA Stateful Filtering Overview
• Single & Multiple Context Overview
• Routed & Transparent Firewall Overview
• VPN Termination Overview

Copyright © www.INE.com

ASA and CCIE Security v4

• CCIE SCv4 Blueprint defines multiple ASA hardware & software versions
  – ASA with 8.2.x and 8.4.x
  – ASA-X with 8.6.x
• Why multiple releases?
  – Lots of feature additions and changes in ASA starting with version 8.3, e.g. NAT, global ACLs, etc.
• Our technical discussion is relevant for 8.2.x, 8.4.x, and 8.6.x
  – 8.4.x and 8.6.x are effectively equivalent
  – Code 9.x adds further changes outside our scope, e.g. VPNs in multiple context

ASA Overview

• Stateful Firewall Filtering
  – Supports Application Aware Inspection
• VPN Termination
  – Supports both IKEv1/IKEv2 IPsec and SSL VPNs
• Intrusion Prevention System (IPS)
  – IPS on Advanced Inspection and Prevention (AIP) Security Services Module (SSM) for ASA5500 models
  – IPS built-in software module for ASA5500-X models
• Content Filtering (URL Filtering, AVC, Virus, Spyware, Spam, etc.)
  – Content Security and Control (CSC) Security Services Module (SSM) for ASA5500 models
  – ASA-CX built-in software module for ASA5500-X models

ASA Security Levels

• ASA classifies the level of “trust” of an interface by its security-level
  – Range of 0 – 100
• 100 is the most trusted interface
  – Assigned to interface “inside” by default
• 0 is the most untrusted interface
  – Assigned to all other interfaces by default
• ASA interfaces can only pass traffic if both nameif and security-level are defined

ASA Security Levels

• Traffic from higher to lower security level…
  – Permit by default
  – E.g. Inside to Outside
• Traffic from lower to higher security level…
  – Permit if state already exists
  – Deny if no state by default
  – E.g. Outside to Inside
• Traffic between interfaces of same security…
  – Deny by default
  – Exception with same-security-traffic permit inter-interface
  – same-security-traffic permit intra-interface is NOT related to security-levels; it allows traffic hairpinning
• Security-levels are bypassed by inbound or global ACLs

ASA Stateful Firewall Filtering

• Enabled by default for TCP/UDP traffic and cannot be disabled
• E.g. Inside to Outside interface
  – Track traffic that moves from the trusted network to the untrusted network
  – Create an entry in the state table for the traffic flow
    • E.g. TCP port 80 HTTP session from client A to server B
  – Track traffic that tries to enter from the untrusted network to the trusted network
    • If an entry exists in the state table, permit it
      – E.g. the return HTTP flow from server B to client A
    • If no entry exists in the state table, deny it
      – E.g. NMAP port scan from the outside network

ASA Traffic Inspection

• Modular Policy Framework (MPF) used to control how traffic is inspected
• MPF controls…
  – What traffic is inspected
    • Basic layer 3 & 4 inspection of TCP, UDP, & ICMP
    • Application aware inspection of HTTP, SMTP, DNS, SIP, etc.
  – How traffic is inspected
    • Connection limits, QoS parameters, etc.
  – Direction of inspection
    • E.g. Inside to Outside vs. Inside to DMZ vs. Outside to DMZ, etc.
• Access Control Lists (ACLs) are used to exempt or include traffic into the MPF engine

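One MPF policy that exercises the three controls listed above (what, how, direction), added here as an example and not taken from the INE slides; the ACL, class-map and policy-map names, the 192.0.2.10 server and the interface name are assumed:

```text
! Constructed example: HTTP inspection and connection limits applied only
! to traffic destined to one DMZ web server (192.0.2.10, assumed).

! 1. WHAT traffic: an ACL selects the flows handed to the MPF engine
access-list DMZ_WEB_TRAFFIC extended permit tcp any host 192.0.2.10 eq www

! 2. Class map references the ACL (layer 3/4 classification)
class-map DMZ_WEB_CLASS
 match access-list DMZ_WEB_TRAFFIC

! 3. HOW traffic is handled: application-aware inspection plus
!    connection limits that blunt SYN floods against this server
policy-map DMZ_WEB_POLICY
 class DMZ_WEB_CLASS
  inspect http
  set connection conn-max 1000 embryonic-conn-max 200 per-client-max 50
  set connection timeout embryonic 0:00:30

! 4. DIRECTION: the policy is bound to the interface where the traffic
!    enters. Only one interface service policy is allowed per interface;
!    flows not matched here still receive the default global_policy.
service-policy DMZ_WEB_POLICY interface outside

! Verification: per-class packet counters and active limits
show service-policy interface outside
```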
ASA Context Modes

• ASA supports two different Context Modes of operation
  – Single Context Mode
  – Multiple Context Mode (Virtual Firewalls)
• Single Context Mode
  – Shared configuration for all interfaces, security policies, routing table, administrators, etc.
• Multiple Context Mode
  – Separate configuration, interfaces, policies per virtual context
  – Allows for multiple virtual firewalls for managed services or policy separation

ASA Firewall Modes

• ASA supports two different Firewall Modes of operation
  – Routed Firewall
  – Transparent Firewall
• Routed Firewall
  – Interfaces are in different subnets and different VLANs
  – Traffic is routed between interfaces
    • Implies the need for static or dynamic routing protocols
• Transparent Firewall
  – Interfaces are in the same subnet but different VLANs
  – Traffic is bridged between interfaces
  – Only one bridge-group can be created between two interfaces before 8.4
  – Up to 8 bridge-groups with 4 interfaces per bridge-group starting with 8.4

ASA Context Modes & Firewall Modes

• Context Modes and Firewall Modes can run in any combination
  – Single Context Mode Routed Firewall
  – Single Context Mode Transparent Firewall
  – Multiple Context Mode Routed Firewall
  – Multiple Context Mode Transparent Firewall
• Mixed transparent/routed contexts are not supported in 8.x code

ASA VPN Termination

• Supports both IKEv1/IKEv2 IPsec and SSL VPN termination
  – IPsec with ESP, ESP over UDP and TCP
  – SSL over TCP (TLS) and UDP (DTLS)
  – AH not supported
• Supports both LAN to LAN and Remote Access VPNs
  – IPsec LAN to LAN
    • AKA Site to Site
  – IPsec Remote Access
    • AKA Easy VPN Server / Client
  – SSL Remote Access
    • Clientless VPN (WebVPN)
    • AnyConnect SSL VPN Client

Questions?

Agenda

• ASA Management Methods
• Basic ASA Initialization

ASA Management

• ASA supports two methods of management
  – Command Line Interface (CLI)
  – Cisco Adaptive Security Device Manager (ASDM)
  – Both supported in the current CCIE SCv4 Blueprint
• CLI Management
  – Local via Console port
  – Remote via Telnet or SSH
• ASDM Management
  – Remote via HTTPS
  – There are certain tasks which can only be completed using the GUI (SSL VPN Bookmarks, AnyConnect Client Profiles, DAP Policies)

Basic ASA Initialization

• Connect to Console
• Clear existing configuration
  – write erase or clear startup-config
  – clear configure all
    • Does not prompt for confirmation
  – ASA defaults to Single Context Mode Routed Firewall

Basic ASA Initialization

• Initialize interfaces
  – Enable interfaces
    • no shutdown
  – Choose Trunk or Access Mode
    • Create subinterface and apply vlan for trunking
  – Assign security levels
    • security-level number
  – Assign interface’s name
    • nameif name
  – Assign IP Addressing
    • ip address ip_address [mask] standby ip_address

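The initialization steps above combined with the security-level rules from the earlier slides, as an added example that is not from the INE slides; interface numbers, VLAN ids, the interface names dmz/partner and the RFC 5737 addresses are assumed:

```text
! Constructed example: initial interface bring-up on a single-context
! routed ASA with one access port, one 802.1Q trunk and an outside link.

! Access-mode inside interface. "nameif inside" implies level 100,
! but it is written out so the trust level is visible in the config.
interface GigabitEthernet0/1
 no shutdown
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2

! Trunk towards the DMZ switch: the physical port is only enabled;
! every 802.1Q subinterface carries the logical parameters itself.
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
interface GigabitEthernet0/2.20
 vlan 20
 nameif partner
 security-level 50
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2

! Outside: least trusted. Any name other than "inside" defaults to 0.
interface GigabitEthernet0/0
 no shutdown
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3

! Resulting default behaviour (no ACLs applied yet):
!   inside -> outside / dmz / partner : permitted, state created
!   outside -> inside                 : only replies matching state
!   dmz <-> partner (both level 50)   : dropped until the line below
same-security-traffic permit inter-interface

! Verification: an interface without nameif or security-level passes nothing
show nameif
show interface ip brief
```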
Questions?

Agenda

• ASA Routing Protocols Overview
• ASA Static Routing Examples
• ASA Dynamic Routing Examples
• ASA Route Tracking Examples

ASA IPv4 Routing

• ASA supports IPv4 routing via…
  – Static Routes
  – RIPv1 / v2 maximum one process
  – OSPF maximum two processes
  – EIGRP maximum one process
  – Per protocol functionalities are not as advanced as in IOS code

ASA IPv4 Routing

• ASA miscellaneous routing features…
  – Multiple Routing Processes
  – Routing Authentication
  – Route Filtering
  – Redistribution
  – Redistribution Filtering
  – Equal Cost Multipath
    • Supported over the same interface only
  – Route Tracking
  – Multicast Routing

Reliable Static Routes on ASA

• Like IOS, uses two parts…
  – Service Level Agreement (SLA) / Response Time Reporter (RTR)
    • Checks reachability with ICMP Echo (PING)
    • No advanced SLA metrics like in IOS
  – Enhanced Object Tracking
    • Object references SLA instance
    • If SLA instance PING is successful, Object is “up”
    • If SLA instance PING fails, Object is “down”
• Static route references Object
  – Route can only be installed if Object is “up”
  – Allows for reliable floating static routes

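The SLA, tracked object and tracked static route wired together, as an added example that is not from the INE slides; the interface names outside/backup, the SLA and track numbers and the next-hop addresses are assumed:

```text
! Constructed example: primary default route via the outside ISP, with a
! floating static towards a second ISP on interface "backup".

! 1. SLA instance: ICMP echo towards the primary next-hop every 10 s.
!    The probe is forced out "outside", so the backup path can never
!    answer it on the primary's behalf.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! 2. Tracked object follows the SLA result (reachable = up)
track 1 rtr 10 reachability

! 3. Primary route (AD 1) is installed only while track 1 is up
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1

! 4. Floating static (AD 254) takes over when the primary is withdrawn
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! Caveat: probing the directly connected gateway only detects a dead
! link or gateway. Probe a host beyond it (still via "outside") if the
! route should also be pulled when the ISP loses upstream connectivity.

! Verification
show sla monitor operational-state 10
show track 1
show route
```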
Questions?

Agenda

• ASA Access Control Lists (ACLs)
• ASA Object Groups & Objects

Access-Lists (ACLs)

• By default ASA allows…
  – Traffic from higher security to lower security
  – Traffic from lower security to higher security if state already exists
• Not all traffic is actually inspected by default
• Access Control Lists (ACLs) allow manual exceptions to inspected traffic
• Inbound ACLs and global ACLs bypass security-level functionality
• There can be one inbound and one outbound ACL per interface, along with one global

Access-Lists (ACLs)

• Order of processing is:
  – Inbound ACL
  – Global ACL
  – Outbound ACL
• When a global ACL is configured, the implicit deny from the inbound ACL is automatically removed
• When both an inbound ACL and a global ACL are used we can say that:
  – Rules from both ACLs are merged
  – First are processed rules from the inbound ACL
  – Second are processed rules from the global ACL
  – Only the global ACL has the default implicit deny

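An interface ACL and a global ACL (8.3 and later) on the same unit, showing the merged evaluation order described above, as an added example that is not from the INE slides; the ACL names, interface names and the 10.0.0.0/24 and 192.0.2.x addresses are assumed:

```text
! Constructed example: one inbound interface ACL plus one global ACL.

! Interface-specific rules: tested only for packets entering "outside"
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.25 eq smtp
access-group OUTSIDE_IN in interface outside

! Global rules: tested for packets entering ANY interface, after the
! interface ACL if one exists. Because the global ACL's implicit deny
! now replaces security-level behaviour on every interface, the inside
! network must be permitted here too or inside->outside stops working.
access-list GLOBAL_IN extended permit ip 10.0.0.0 255.255.255.0 any
access-list GLOBAL_IN extended permit udp any host 192.0.2.53 eq domain
! Explicit final deny with logging: same effect as the implicit deny,
! but every dropped flow appears in syslog (%ASA-6-106100).
access-list GLOBAL_IN extended deny ip any any log
access-group GLOBAL_IN global

! Evaluation for a packet entering "outside":
!   1. OUTSIDE_IN top to bottom (no implicit deny while a global ACL exists)
!   2. GLOBAL_IN top to bottom, ending in the explicit deny above
! A packet entering "inside" or "dmz" has no interface ACL and goes
! straight to GLOBAL_IN. An outbound ACL on the egress interface
! (access-group ... out interface X), if configured, is evaluated last.

! Verification: per-ACE hit counts, and what the final deny is catching
show access-list GLOBAL_IN
show logging | include 106100
```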
Access-Lists (ACLs)

• Like in IOS, ASA ACLs match traffic based on…
  – Source IP Address
  – Destination IP Address
  – IP Protocol Number
  – TCP & UDP Ports
  – ICMP Type Codes
  – Time Range
• Like in IOS, ACLs always end in implicit deny

Access-Lists (ACLs)

• Like in IOS, ASA ACLs can be…
  – Standard
    • Matches only on source IP addresses
  – Extended
    • Matches on any combination of src, dst, port, etc.
• Unlike in IOS, ASA ACLs…
  – Use the same naming convention for standard and extended
    • Cannot mix both in the same list
  – Use subnet masks instead of wildcard masks

Object Groups

• Object Groups simplify ACL management by grouping similar objects together
  – E.g. PUBLIC_WEB_SERVERS grouping
• Allows for more modular changes
  – Change to Object Group affects all ACEs that reference the group

Object Groups

• Four types of Object Groups
  – Protocol
    • E.g. TCP, UDP, ESP, GRE, etc.
  – Network
    • IP address, subnet address, etc.
  – Service
    • TCP & UDP port numbers
  – ICMP type
    • Echo, Echo-Reply, Unreachable, etc.

ACL Example Without Object Groups

access-list 1 extended permit tcp host 200.0.0.1 host 10.0.0.100 eq www
access-list 1 extended permit tcp host 200.0.0.1 host 10.0.0.100 eq https
access-list 1 extended permit tcp host 200.0.0.1 host 10.0.0.100 eq smtp
access-list 1 extended permit tcp host 200.0.0.1 host 10.0.0.101 eq www
access-list 1 extended permit tcp host 200.0.0.1 host 10.0.0.101 eq https
access-list 1 extended permit tcp host 200.0.0.1 host 10.0.0.101 eq smtp
access-list 1 extended permit tcp host 200.0.0.2 host 10.0.0.100 eq www
access-list 1 extended permit tcp host 200.0.0.2 host 10.0.0.100 eq https
access-list 1 extended permit tcp host 200.0.0.2 host 10.0.0.100 eq smtp
access-list 1 extended permit tcp host 200.0.0.2 host 10.0.0.101 eq www
access-list 1 extended permit tcp host 200.0.0.2 host 10.0.0.101 eq https
access-list 1 extended permit tcp host 200.0.0.2 host 10.0.0.101 eq smtp

ACL Example With Object Groups

object-group network OUTSIDE_TRUSTED_HOSTS
 network-object host 200.0.0.1
 network-object host 200.0.0.2
object-group network PUBLIC_INSIDE_SERVERS
 network-object host 10.0.0.100
 network-object host 10.0.0.101
object-group service PUBLIC_INSIDE_SERVER_PORTS tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
!
access-list 2 extended permit tcp object-group OUTSIDE_TRUSTED_HOSTS object-group PUBLIC_INSIDE_SERVERS object-group PUBLIC_INSIDE_SERVER_PORTS

Objects

• Added along with NAT changes in 8.3
• Different than object-groups
• Required for Object-NAT
  – More on this later…
• Can contain a single entry/definition
  – Network
    • Subnet, range, host
  – Service
    • Protocol, TCP/UDP source/destination ports
    • TCP/UDP ports can only be used in Twice NAT

Object Groups vs. Objects

• Object groups can contain one or more entries
  – E.g. multiple hosts, ports, etc.
• Object can contain only one entry
  – E.g. single host, subnet, port, etc.
• Why use both?
  – Object is called from both ACL and NAT in newer code
  – Allows NAT and ACL config changes to be synchronized
    • E.g. web server moves to a new internal address; change the object and both NAT and ACLs are updated

ACL Example With Objects

object network SOURCE
 host 10.10.10.10
object network DESTINATION
 subnet 100.100.100.0 255.255.255.0
object service PROTOCOL
 service ip
!
access-list ACL permit object PROTOCOL object SOURCE object DESTINATION

ACLs in the CCIE Lab Exam

• In the lab exam ACL requirements may not be explicit
  – E.g. if the RADIUS server is on the “inside” and a host authenticating to it is on the “outside” you must manually allow this on the ASA
• Draw out network flows to visualize what needs to be allowed
  – E.g. AAA, NTP, BGP, GRE, ESP, ISAKMP, etc.
• Logging can be helpful to see what is dropped
  – Explicit deny ip any any log at end of ACL

Questions?

Agenda

• ASA High Availability Overview
• Redundant Interfaces
• Failover

ASA High Availability

• Link High Availability
  – Dynamic routing
    • Generic solution relying on infrastructure redundancy
  – Reliable static routing
    • Tracking next-hop reachability
  – Redundant Interfaces
    • Binding multiple physical interfaces
• Node High Availability
  – Failover

Redundant Interfaces

• Groups multiple physical interfaces into one logical interface
  – interface Redundant [num]
  – member-interface [physical-interface]
• Only one interface is active
  – Not like EtherChannel in Catalyst switching
  – active-member <physical-interface>

Redundant Interfaces

• Physical interfaces should only have physical parameters
  – Speed, duplex, no shutdown, etc.
• Redundant interface has logical parameters
  – nameif, security-level, ip address, etc.
• MAC address taken from first member
  – MAC could be encoded manually

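The two redundant-interface slides put into one configuration, as an added example that is not from the INE slides; the member interfaces, the MAC address and the outside addressing are assumed:

```text
! Constructed example: two physical ports bound into Redundant1.

! Members carry physical settings only: no nameif, security-level or ip
interface GigabitEthernet0/0
 speed 1000
 duplex full
 no shutdown
interface GigabitEthernet0/1
 speed 1000
 duplex full
 no shutdown

! Logical interface. By default it borrows the MAC of the first member
! listed; pinning it manually keeps upstream ARP caches and any
! MAC-based filtering stable if a member is replaced.
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 mac-address 0012.3456.789a
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown

! Only one member forwards at a time (no load sharing, unlike an
! EtherChannel). The active member can be switched by hand from
! privileged EXEC, e.g. before maintenance on the Gi0/0 link:
redundant-interface Redundant1 active-member GigabitEthernet0/1

! Verification: current active member and member-switch count
show interface Redundant1
```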
ASA Failover Overview

• ASA supports two types of failover…
  – Active/Standby
    • Active unit passes traffic
    • Standby unit waits
  – Active/Active
    • Both units forward traffic
    • Only supported in multiple context mode
    • Different contexts active in same or different units

ASA Failover Overview

• Active/Standby supports…
  – Single Context Mode Routed Firewall
  – Single Context Mode Transparent Firewall
• Active/Active supports…
  – Multiple Context Mode Routed Firewall
  – Multiple Context Mode Transparent Firewall

ASA Failover Overview

• Standby unit monitors active in two ways…
  – Failover link monitoring
    • Layer 2 polling through hello packets
  – Interface monitoring
    • If hello packets not received, interface testing starts:
      – Link Up/Down Test
      – Is there received traffic over the interface?
      – ARP Requests to hosts from ARP cache
      – Broadcast PING test

ASA Failover Overview

• Stateless failover
  – Connection state table not copied from active to standby
  – All connections dropped and must be reestablished
  – Default mode
• Stateful failover
  – Active unit constantly replicates state table
    • xlates, TCP, UDP, IKE & IPsec SA, ARP, etc.
  – Requires dedicated “stateful failover link” or the failover link can be used

Active/Standby Failover

• Uses designated failover interface
  – Requires a dedicated physical LAN link
  – Standby polls the active firewall
• Configuration replicated from active to standby
• State tables not replicated by default
• Upon failover…
  – Units change roles
    • Standby unit assumes IPs and MACs of primary
  – Failover can be forced or detected

Active/Standby Primary Configuration

• Configure primary/secondary unit addressing
  – ip address <active_addr> <netmask> standby <standby_addr>
  – ipv6 address <active_addr>/<netmask> standby <standby_addr>
• Designate primary unit
  – failover lan unit primary
• Designate failover interface
  – failover lan interface …
• Configure failover interface IP addressing
  – failover interface ip [ifname] [active_addr] [netmask] standby standby_addr
• Enable failover
  – failover

Active/Standby Secondary Config

• Designate secondary unit
  – failover lan unit secondary
• Designate failover interface
  – failover lan interface …
• Configure failover interface IP addressing
  – failover interface ip [ifname] [active_addr] [netmask] standby standby_addr
• Enable failover
  – failover
• Ensure configuration has been replicated from primary

Health Monitoring

• Failover polling detects unit failure
  – Timeout via failover polltime
• Interface fault detected via interface polling
  – Enabled by default for all interfaces but not for sub-interfaces
  – Interface needs an IP address for monitoring
  – Define interfaces with [no] monitor-interface …
  – Timeout via failover polltime interface …
• Interface monitoring policy
  – failover interface-policy {N|%}
  – Failover if this many interfaces have failed (1 by default)

Stateful Failover

• Configured separately from LAN failover
• Uses stateful failover “link” for replication
  – Could be shared with LAN failover link
  – Normally recommended to be separate
    • State information may generate an excessive amount of traffic
• Configured using single command
  – failover link …

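The primary and secondary Active/Standby steps, the health-monitoring knobs and the stateful link from the preceding slides in one configuration, as an added example that is not from the INE slides; the FOLINK name, interface numbers, addresses and the management interface name are assumed:

```text
! Constructed example: Active/Standby failover, stateful replication
! sharing the LAN failover link (a separate port is preferable in
! production because state replication is chatty).

! ---- Primary unit ----
! Every monitored data interface needs an active AND a standby address
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2

! LAN failover link: dedicated physical port, never given a nameif
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
! Stateful link: reuse FOLINK (single command, as the slide says)
failover link FOLINK
! Authenticate and encrypt failover messages so that an unauthorised
! device on the failover VLAN cannot pair with this unit
failover key <SHARED-SECRET-PLACEHOLDER>
! Health monitoring: unit hellos every 1 s, peer declared dead after 3 s;
! interface hellos every 5 s, interface testing starts after 25 s
failover polltime unit 1 holdtime 3
failover polltime interface 5 holdtime 25
! Do not let an idle management port trigger a switchover;
! fail over as soon as 1 monitored interface is down (the default)
no monitor-interface management
failover interface-policy 1
failover

! ---- Secondary unit (bootstrap only; everything else is replicated) ----
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
failover link FOLINK
failover key <SHARED-SECRET-PLACEHOLDER>
failover

! Verification from either unit
show failover
show failover history
failover exec mate show running-config failover
```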
Active/Active Failover

• One unit is active for a group of contexts
• Another unit is active for a different group of contexts
• Uses the concept of failover groups
• Defined in system context
• There are only 2 failover groups; it makes no sense to have more
• Admin context is always a member of failover group 1, and it’s non-configurable

HA Commands

• failover exec [active|mate|standby] <command>
  – E.g. failover exec mate show version
• show failover exec [active|mate|standby]
  – to identify the peer’s current configuration mode
• show failover
• show failover history
• show failover group – only in A/A mode
• show monitor-interface – only in A/A mode

Questions?

Agenda

• Multiple Context Mode Overview
• System, Admin, and User Contexts
• Interface Sharing
• Classification Rules
• Context Resources
• Routing in Multiple Context Mode

ASA Context Modes

• ASA supports two different Context Modes of operation
  – Single Context Mode
  – Multiple Context Mode (Virtual Firewalls)
• Single Context Mode
  – Shared configuration for all interfaces, security policies, routing table, administrators, etc.
• Multiple Context Mode
  – Separate configuration, interfaces, policies per virtual context
  – Allows for multiple virtual firewalls for managed services or policy separation

Multiple Context Mode Overview

• Separates ASA into multiple virtual firewalls
• Each context is assigned…
  – Interfaces
    • Physical or 802.1Q Subinterfaces
  – Resource limits
    • Number of connections, hosts, xlates, etc.
  – Firewall policy
    • MPF Inspections, ACLs, NAT, etc.

Multiple Context Mode Overview

• When in multi-context mode ASA supports…
  – Routed Firewall
  – Transparent Firewall
  – Active/Active Failover
    • Primary forwards for one context
    • Secondary forwards for the other context

Multiple Context Mode Overview

• When in multi-context mode ASA does not support…
  – VPN termination
  – Dynamic routing protocols
  – QoS features

Multiple Context Mode Overview

• Three types of contexts…
  – System Context
  – Admin Context
  – User Defined Contexts

System Context

• Used to create new contexts and define context parameters
  – Interface to context assignments
  – Resource allocation
  – Configuration file location
• Allows changing between contexts for management
  – changeto context [name]
• Initially only accessible via the console

Admin Context

• Used for remote access to system context
  – Only context that remotely supports changeto system command
• Automatically created when multiple context mode is enabled
  – Uses configuration file admin.cfg by default
• Like other contexts, has no resources allocated by default
  – For management access you must…
    • Allocate an interface
    • Assign nameif, security level, and IP address
    • Enable Telnet, SSH, or ASDM access

User Defined Contexts

• Used for logical separation of traffic flows
• Created under system context by…
  – Specifying context name
  – Allocating interfaces
  – Allocating resources
  – Allocating configuration file
• All additional configuration occurs in the user context mode
  – changeto context [name] from system or admin context
• Management connections to user defined contexts can only access themselves
  – changeto command not available

Context Interface Allocation

• Contexts can have interfaces allocated three ways…
  – Unique physical interfaces per context
  – Unique subinterfaces per context
  – Shared interfaces between contexts
    • E.g. shared “outside” interface
• Physical interface parameters defined in system context
  – E.g. speed, duplex, no shutdown
• Logical interface parameters defined in admin/user context
  – E.g. nameif, security-level, ip address, etc.
• Shared interfaces must conform to classifier rules

Context Classification Rules

• ASA must be able to associate inbound traffic with the correct context
• Three possible ways to classify traffic…
  – Unique physical interfaces or subinterfaces
  – Unique MAC address per-context for shared interfaces
  – Unique NAT translations per-context for shared interfaces

Context Classification Rules

• Unique physical interfaces or subinterfaces
  – Separates traffic at physical or link access layer (e.g. VLANs)
  – Best practice in most cases, but may consume public IPs

Context Classification Rules

• Unique MAC address per-context for shared interfaces
  – Shared interfaces use the same MAC address by default
  – Make addresses unique with…
    • mac-address auto command in system context
    • Interface level mac-address in user contexts

Context Classification Rules

• Unique NAT translations per-context for shared interfaces
  – Static or Dynamic NAT/PAT
    • Allows for overlapping inside addresses between contexts
    • Outside address must still be unique per context
  – Identity NAT
    • Inside and outside addresses must be unique per context

Context Resources

• Resources can be limited on a per context basis
  – Connections
  – Translations (xlates)
  – MAC Addresses
  – Management sessions
• Critical if you have licensing limitations
• Resources defined by class in system context
  – limit-resource [ASDM | All | Conns | …]
• Assign resource class in context subconfiguration mode
  – member [class]

Context Routing

• Only static routes supported
  – Even for connected prefixes in other contexts
• Contexts may be “cascaded”
  – Default route from one context points to inside interface of another context
  – This allows for context architectures, e.g. shared firewall

Multiple Context Configuration
• Enable Multiple Context Mode
– ASA(config)# mode multiple
– Requires a reload; the existing running configuration is converted into the system configuration plus the admin context (a copy is kept as old_running.cfg)
• Define contexts
– ASA(config)# context ABC
• Assign interfaces to context
– ASA(config-ctx)# allocate-interface
• Specify configuration file storage
– ASA(config-ctx)# config-url
• Complete configuration in user context mode
– ASA# changeto context ABC
– ASA/ABC#
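The following configuration ties the preceding slides together: a shared VLAN classified by unique per-context MAC addresses and per-context PAT, a resource class applied to tenant contexts, and a shared "EDGE" context cascaded in front of two tenant contexts with static routes only. It is an added example, not INE's slide content; the context names (EDGE, ABC, XYZ), interface numbers, VLAN IDs, addresses and resource limits are all assumed, and the NAT statement uses 8.4 object NAT syntax.

```cisco
! ---- System execution space (ASA 8.4) ----  all values below are constructed for illustration
mode multiple                          ! prompts for a reload; current running config becomes the admin context
!
interface GigabitEthernet0/0
 no shutdown                           ! public side of the EDGE context
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.100
 vlan 100                              ! shared: EDGE inside + ABC/XYZ outside live on this VLAN
interface GigabitEthernet0/1.10
 vlan 10                               ! ABC inside
interface GigabitEthernet0/1.20
 vlan 20                               ! XYZ inside
interface Management0/0
 no shutdown
!
mac-address auto                       ! unique MAC per context on the shared VLAN so ingress frames classify by destination MAC
!
class CUSTOMER                         ! resource class for tenant contexts (limits assumed)
 limit-resource conns 10000
 limit-resource xlates 5000
 limit-resource ssh 2
!
admin-context admin
context admin
 allocate-interface Management0/0 mgmt
 config-url disk0:/admin.cfg
context EDGE
 allocate-interface GigabitEthernet0/0 pub
 allocate-interface GigabitEthernet0/1.100 shared
 config-url disk0:/EDGE.cfg
context ABC
 allocate-interface GigabitEthernet0/1.100 shared
 allocate-interface GigabitEthernet0/1.10 priv
 config-url disk0:/ABC.cfg
 member CUSTOMER
context XYZ
 allocate-interface GigabitEthernet0/1.100 shared
 allocate-interface GigabitEthernet0/1.20 priv
 config-url disk0:/XYZ.cfg
 member CUSTOMER
!
! ---- changeto context EDGE : the shared upstream firewall ----
interface pub
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface shared
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! No dynamic routing in multiple context mode: ABC's inside prefix needs a static route
! even though it sits behind a context on the same chassis
route inside 10.10.0.0 255.255.255.0 10.100.0.10   ! via ABC's outside address
!
! ---- changeto context ABC : tenant context, cascaded behind EDGE, no NAT ----
interface shared
 nameif outside
 security-level 0
 ip address 10.100.0.10 255.255.255.0
interface priv
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.100.0.1          ! default route points at EDGE's inside interface
!
! ---- changeto context XYZ : same inside addressing as ABC, made safe by per-context PAT ----
interface shared
 nameif outside
 security-level 0
 ip address 10.100.0.20 255.255.255.0             ! outside address must still be unique per context
interface priv
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0               ! overlaps ABC's inside: allowed because XYZ translates it
object network XYZ_INSIDE
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface           ! XYZ traffic leaves as 10.100.0.20, so EDGE needs no route for it
route outside 0.0.0.0 0.0.0.0 10.100.0.1
```

From the system execution space, `show context` confirms the allocations and `show resource usage context ABC` shows consumption against the CUSTOMER class; inside a context, `show interface` displays the auto-generated MAC on the shared interface. The design choice worth noting is that ABC relies on the MAC classifier alone (its prefix is untranslated, so EDGE must know the route), while XYZ hides its inside prefix behind its unique outside address, which is what lets two tenants reuse 10.10.0.0/24.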
Questions?
Agenda
• ASA Transparent Firewall
ASA Firewall Modes
• Routed Firewall
– Interfaces are in different subnets and different VLANs
– Traffic is layer 3 routed between interfaces based on the routing table
• Transparent Firewall
– Interfaces are in the same subnet but different VLANs
– Traffic is layer 2 bridged between interfaces based on the CAM table
ASA Transparent Firewall
• Limitations
– VPNs not supported for transit traffic
  • A site-to-site IKEv1/IKEv2 IPsec tunnel is supported only for management traffic to the ASA itself
– Only static routing supported, e.g. a default route
– No multicast IP routing
  • Multicast traffic can still be allowed through with an ACL
– QoS not supported
– DHCP Relay Agent not supported, but DHCP Server is
• Inspection engine works as in routed mode
ASA Transparent Firewall
• Before 8.4
– Maximum two interfaces/VLANs used for bridging traffic
– One additional interface/VLAN used for failover
– Mgmt interface can be dedicated for management
– Global IPv4 address required for IPv4 traffic to be bridged; optionally configure the mgmt interface with an IPv4 address
• After 8.4
– Interfaces can be paired into bridge-groups
– No direct traffic allowed between bridge-groups, similar to multi-context mode
– Maximum 8 bridge-groups supported with maximum 4 interfaces per bridge-group
– Mgmt interface can be dedicated for management
– Each bridge-group requires an IPv4 address to bridge IPv4 traffic; optionally configure the mgmt interface with an IPv4 address
• Starting with 8.2, IPv6 traffic is supported in transparent mode
– A link-local IPv6 address is enough for IPv6 traffic bridging
ASA Transparent Firewall
• Traffic forwarding policy differs from Routed Firewall
• Inside to Outside (high security level to low)
– Permit ARP
– Permit Broadcasts
– Permit Inspected Unicast
  • TCP, UDP, default inspection class
– Most control plane protocols denied
  • OSPF, EIGRP, PIM, CDP, VTP, etc.
  • Add a logged deny entry to the ACL if you are not sure what is being dropped
ASA Transparent Firewall
• Outside to Inside (low security level to high)
– Permit return of inspected traffic
  • Most control plane protocols are not inspected
– Deny all others
• ACL exceptions may be needed for Inside to Outside as well as Outside to Inside
– EtherType ACLs needed to permit non-IP packets
– EtherType ACLs are not stateful
– ARP and BPDUs are allowed by default
Transparent Firewall Configuration 8.2
• Enable Transparent Firewall
– [no] firewall transparent
• Enable interfaces
– no shutdown
• Assign interface names
– nameif [name]
• Assign interface security levels
– security-level [num]
• Assign the default global management IP (global configuration mode, one address for the whole ASA on the bridged subnet)
– ip address <active_addr> <netmask> standby <standby_addr>
• Configure optional management interface
– interface Management0/0
– nameif [name]
– management-only
– ip address <active_addr> <netmask> standby <standby_addr>
Transparent Firewall Configuration 8.4
• Enable Transparent Firewall
– [no] firewall transparent
• Enable interfaces
– no shutdown
• Assign names
– nameif [name]
• Assign security levels
– security-level [num]
• Assign interface to a bridge-group
– bridge-group [num]
• Configure bridge-group IP address
– interface BVI [num]
– ip address <active_addr> <netmask> standby <standby_addr>
• Configure optional management interface
– interface Management0/0
– management-only
– nameif [name]
– ip address <active_addr> <netmask> standby <standby_addr>
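The 8.4 procedure above, carried through as one working configuration together with the ACL exceptions the transparent forwarding policy calls for (routing protocol and DHCP control plane in both directions, a logged deny on the outside, and an EtherType ACL for non-IP frames). This is an added example, not part of INE's slides: the interface numbers, the 192.168.1.0/24 bridged subnet, the management addresses, the ACL names and the choice of OSPF/DHCP as the protocols to permit are all assumed. On 8.2 the same configuration applies without `bridge-group`/`interface BVI1`; the bridged address is set with a global `ip address` instead.

```cisco
! 8.4 transparent firewall: one bridge-group, dedicated management interface, ACL exceptions.
! Interface numbers, addresses and ACL names are constructed for this example.
firewall transparent                  ! mode change clears existing interface configuration
!
interface GigabitEthernet0/0
 bridge-group 1
 nameif outside
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 bridge-group 1
 nameif inside
 security-level 100
 no shutdown
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253   ! required to bridge IPv4; same subnet as both sides
!
interface Management0/0
 management-only
 nameif mgmt
 security-level 100
 ip address 10.0.0.5 255.255.255.0 standby 10.0.0.6
 no shutdown
!
! Static routing only: needed for the ASA's own traffic (syslog, AAA, management replies), not for bridged hosts
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! Inside -> Outside: high to low permits inspected unicast, but OSPF and DHCP broadcasts are
! control plane and are dropped, so permit them explicitly and keep the rest open
access-list IN_OUT extended permit ospf any any
access-list IN_OUT extended permit udp any eq bootpc any eq bootps     ! DHCP discover/request
access-list IN_OUT extended permit ip any any
access-group IN_OUT in interface inside
!
! Outside -> Inside: only the return of inspected traffic passes by default; permit the control
! plane you need and log the final deny to see what else is being dropped
access-list OUT_IN extended permit ospf any any
access-list OUT_IN extended permit udp any eq bootps any eq bootpc      ! DHCP offer/ack
access-list OUT_IN extended deny ip any any log
access-group OUT_IN in interface outside
!
! Non-IP frames need an EtherType ACL. It is stateless, so apply it in both directions.
! ARP is always passed; BPDUs are allowed by default, but permit them explicitly in any
! EtherType ACL you apply so its implicit deny cannot break spanning tree on the switches.
access-list NONIP ethertype permit bpdu
access-list NONIP ethertype permit mpls-unicast
access-group NONIP in interface inside
access-group NONIP in interface outside
```

`show bridge-group 1` lists the member interfaces, `show access-list OUT_IN` shows hit counts on the logged deny, and `show mac-address-table` confirms the CAM entries the bridge is forwarding on. The logged deny on the outside is the practical way to discover which control-plane protocol (PIM, EIGRP, HSRP and so on) a segment depends on before adding a permit for it.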
Transparent Firewall and NAT
• NAT is supported in Transparent Firewall mode as of 8.0(2)
• NAT caveats…
– Inside and Outside are on the same IP subnet
– Translation to a pool not on the subnet is supported, but routing must be taken into account
– Interface PAT not supported because there is no interface IP address
– ARP inspection not supported
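The NAT caveats above, shown as 8.4 object NAT on a transparent firewall whose bridged subnet is 192.168.1.0/24. This is an added example, not INE's slide content; the object names, the 192.168.1.x hosts, the 203.0.113.0/24 mapped pool and the downstream router address are assumed.

```cisco
! Transparent-mode NAT (8.4 object NAT) on the bridged subnet 192.168.1.0/24; values constructed.
!
! 1) Mapped address on the bridged subnet: the ASA answers ARP for 192.168.1.200 itself,
!    so neither router needs any routing change
object network WEB_REAL
 host 192.168.1.10
 nat (inside,outside) static 192.168.1.200
!
! 2) Mapped addresses NOT on the bridged subnet: supported, but routing must be accounted for.
!    The upstream router (192.168.1.1) must carry a static route for 203.0.113.0/24 whose next
!    hop is on the inside side of the bridge (a downstream router at 192.168.1.2, assumed),
!    otherwise return traffic for the pool never enters the ASA
object network NAT_POOL
 range 203.0.113.10 203.0.113.20
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic NAT_POOL
!
! Not available in transparent mode:
!   nat (inside,outside) dynamic interface   -> interface PAT: there is no interface IP to borrow
!   arp-inspection inside enable             -> ARP inspection cannot be combined with NAT
```

`show xlate` and `show nat detail` confirm the translations; if case 2 translates but nothing returns, the missing piece is almost always the upstream router's route for the mapped pool rather than the ASA configuration.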
Questions?
Agenda
• ASA Transparent Firewall & ARP Filtering
Transparent Firewall and ARP Spoofing
• Transparent Firewall forwards all ARP by default
• A network attack can occur when a host impersonates another host's MAC address, i.e. "ARP Spoofing"
• ARP inspection checks transit ARP packets against the static ARP table
– If the packet contradicts a static entry (IP, MAC or interface mismatch), drop
– If no static entry matches, drop (no-flood) or forward (flood)
• Configuration
– arp inside 1.2.3.4 1234.5678.9abc
– arp-inspection inside enable [flood | no-flood]
Transparent Firewall and MAC Learning
• In transparent mode the ASA learns MAC addresses like a normal transparent bridge
• MAC learning can be disabled and replaced with static entries
• Prevents unauthorized hosts on the segment
• Configuration
– mac-address-table static…
– mac-learn [inside|outside] disable
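A combined example of the two slides above: static ARP entries with ARP inspection, then a static MAC table with dynamic learning switched off on the protected side. This is an added example, not INE's slide content; the host addresses, MAC addresses and gateway are constructed, and `inside`/`outside` are assumed to be the two bridged interface names.

```cisco
! Pinning the inside segment: static ARP + ARP inspection, then static MAC table with learning off.
! Hosts, MACs and addresses are constructed; 'inside'/'outside' are the bridged interface names.
!
! Static ARP entries bind IP <-> MAC <-> interface. A transit ARP packet that contradicts
! any of the three (wrong MAC for the IP, wrong IP for the MAC, or seen on the wrong interface) is dropped.
arp inside  192.168.1.10 0011.2233.4455       ! protected server
arp inside  192.168.1.11 0011.2233.4466
arp outside 192.168.1.1  00aa.bbcc.dd01       ! default gateway: stops an inside host claiming to be the gateway
!
! Enable inspection. An ARP packet matching no static entry is dropped with no-flood (strict:
! every legitimate host must be listed) or forwarded out the other interfaces with flood
! (permissive: only contradictions are dropped). Not usable together with NAT in transparent mode.
arp-inspection inside enable no-flood
arp-inspection outside enable flood
!
! MAC learning: replace dynamic learning with static entries on the protected side, so a
! station that is not in the table is never switched to
mac-address-table static inside 0011.2233.4455
mac-address-table static inside 0011.2233.4466
mac-learn inside disable
!
! Verification (exec mode):
!   show arp-inspection        - per-interface enabled / flood state
!   show arp                   - static entries the inspection is enforced against
!   show mac-address-table     - static vs dynamically learned entries per interface
```

The asymmetry is deliberate: the inside segment is fully enumerated, so `no-flood` gives a hard allow-list, while the outside keeps `flood` because only the gateway is pinned there and unknown upstream ARPs must still pass. Adding a host later means adding both an `arp` and a `mac-address-table static` entry, which is the operational cost of this control.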
Questions?
Agenda
• Active/Standby Transparent Failover
• Active/Active Transparent Failover