ASA's basics
#1
Webmaster
Joined: 2007/6/10
From Dallas, TX
Posts: 79

Cisco ASA



By Reading ANY of this, you agree as follows:
I will not provide Firmware, or answers to questions - You are on your own!!
I will not provide any softwares!!
I will not be held responsible for YOU messing up anything!!
This is for MY Personal Reference!! - That is all - This is not intended for You!!


Note: There are not a lot of links referenced directly to Cisco's site (specific pages) as Cisco changes their site frequently, and links will likely break
If you do not have any Cisco experience (working with Cisco devices from the command line - asdm, and asm don't count), then likely you will not know the actual basics of networking. If this is the situation, read over the materials for the CCNA, as working with upstream equipment will be necessary to properly troubleshoot! The CCNA materials cover the basics of working with Cisco Switches and Routers, and are the ground basis for using Cisco's products.

Adaptive Security Appliance


This article can also apply to PIX, however it will depend on the firmware on the PIX

Hardware


The ASA has been created based on x86 hardware, utilizing Intel, and AMD processors, with Intel, and Geode ChipSets. They will generally ship with 256MB-12GB RAM depending on the model.
The ASA comes with a USB port for additional Portable Storage for upgrading firmware, or to copy a configuration.

Software


The Cisco ASA does not technically run IOS, although it runs similarly to IOS. The software running on the ASA is known as "PIX code", or "ASA code"[3]
The Firmware used with the ASA has been specifically written for working deeper with packet inspections, specified flow analysis to improve security, improve scalability, and VPN services. The ASA has the option to use the available ASDM GUI interface which was developed to compete with Cisco's competitors.
The ASA is the next generation of three previously developed technologies known as "PIX", "IPS 4200", & the "VPN 3000 Series Concentrators"[4], and have developed what is known as the "Self Defending Network"[5].

Simulators


A Simulator may be used to test what the ASA is capable of, however not all simulators have actual usability such as DoS, and DDoS mitigation, or VPN tunnel negotiations:

GNS3 - This can be complex to setup for any practical testing, so do beware - OpenSource
ProfSIMs - Closed Source
Boson NETSIM - Closed Source

A few basic commands as this appears to be necessary for the lazy "RTFM"


enable (aka: en)
?
show (aka: sh)
sh ?
sh run
sh run all
sh run access-list
sh run access-group
sh run nat
sh run global
sh run int
sh run static
sh run | i [IPADDRESS (example of an IP address - other elements may be used)]
sh run | b [IPADDRESS (example of an IP address - other elements may be used)]
sh firewall
sh run crypto
sh crypto isa sa
sh cry ips sa
debug ?
debug cry isa 255
debug cry ips 255
debug cry cond peer [IPADDRESS]
no debug all
conf t [DO NOT USE UNLESS YOU KNOW WHAT THIS IS!!!]
wr me
copy run start
wr erase [DO NOT USE UNLESS YOU KNOW WHAT THIS IS!!!]
reload [DO NOT USE UNLESS YOU KNOW WHAT THIS IS!!!]
Posted on: 2012/1/9 10:59
Re: ASA's basics
#2
Webmaster

ASA Firmware Explained


The ASA uses proprietary firmware which entails two segments:

Firmware - Actually used to run the security appliance - As enhancements are made, the code structure changes
ASDM - GUI interface which may be used to configure the security appliance - As enhancements are made, the ASDM becomes more functional

Upgrading Firmware


Upgrading the firmware should include the Hardware Firmware, and the ASDM software.
The upgrade process may be completed via USB Flash, ASDM, & TFTP.
The following steps may be used to upgrade the firmware on an ASA

[Example]:

conf t
 
copy tftp flash
IP_OF_TFTP_Server
asa822-k8.bin
 
copy tftp flash
IP_OF_TFTP_Server
asdm-621.bin
 
boot system disk0:/asa822-k8.bin
asdm image disk0:/asdm-621.bin
 
wr mem
reload

"IP_OF_TFTP_Server" is the TFTP server where the firmware resides
"boot system disk0:/asa822-k8.bin" this tells the ASA to boot to this image (you may have a backup image as well if necessary)
"asdm image disk0:/asdm-621.bin" This tells the ASA which ASDM image to use
The Firmware version, and ASDM image correspond with each other
It is possible to have a similar minor-release ASDM image per the firmware's requirements
The corresponding versions may be found on Cisco's WebSite

For the asa7.* firmwares I would advise using asdm-524.bin
For the ASA Firmware <8.3 (8.0-8.2.X) I would advise researching the ASDM image which Cisco states as stable for the Firmware Image used
"Generally", the following combinations will be acceptable for 8.0.X-8.2.X and ASDM combination (this may be somewhat inaccurate, however as stated in the previous line do the research directly from Cisco for the most accurate information):
asa8.0.2-asa8.0.5 -> asdm-5.12-asdm-5.2.4
asa8.2.1-asa8.2.2 -> asdm-6.0.3-asdm-6.2.1
asa8.3.1 -> 6.3.1
If you do not know what you are doing with the ASA's I would highly advise NOT using the 8.3.X branch as the syntax for many operations has changed - this is for all versions starting with >8.3.X!!

Incremental Upgrade Process


When performing a Firmware UpGrade from the 7.X branch, be sure to perform the upgrade incrementally.
The incremental upgrade does not seem to be pushed in steps within the 7.X branch to the 8.X branch as much as moving from 7.X to 8.2; for example, this should be performed as follows:
7.X -> 8.0.X
8.0.X -> 8.2.X
Posted on: 2012/1/9 16:02
Re: ASA's basics
#3
Webmaster

Backup an ASA/PIX


Beware: When making a backup of an ASA, and if you intend on restoring the configuration, you must use the same firmware, or a newer firmware.
If you are migrating from major-release to another major-release the configuration may break
If you are Migrating from ASA-7.2 to ASA-8.2.(2) the code should apply with no issues
If you are Migrating from ASA-8.2.(2) to ASA-7.2 the code will most likely fail
What you are required to back up on the appliance will determine what should be run to get the information you require
This is learned with trial and error as the configuration is complex
too much to explain in an article...
- You may read a lot more about this by reading Cisco's Documentation on Cisco's website, and books
Show the basic running configuration
Generally this is what should be copied - however this may not grab all what may be necessary for a complete restore
This can be used if the configuration is fairly simple to backup and restore
sh run

Show the running-configuration excluding pre-shared-keys (for example)
This may be too much information for many scenarios
sh run all

Show the entire running-configuration including pre-shared-keys for VPN tunnels (for example)
This may be too much information for many scenarios
more system:running-config

Backing up


To actually make the backup of the configuration, simply "sh run", and copy the output.
If the ASA has VPN tunnels, be sure to run "more system:running-config", look for the pre-shared-keys, and put them into the configuration of the "sh run" output

ASDM BackUp


The ASDM can be a great tool for backing up a configuration. As previously stated, the firmware will need to match up; this is especially true with the ASDM backup and restore options.

The ASDM will allow the ENTIRE configuration to be backed up, not only portions of it
The ASDM backup will be saved as a *.ZIP file
the ASDM may be used to restore the configuration as well

Firewall Modes


There are 2 basic modes with the ASA firewall
Routed
The firewall is able to use resources such as
NAT
routes
VPN
# sh firewall
Firewall mode: Router

Transparent
The transparent firewall has limited resources
the firewall does not appear as a "hop"
NAT is not available
Routing on the ASA is not available
VPN is not available (unless using Firmware 8.3 or greater)
# sh firewall
Firewall mode: Transparent
Posted on: 2012/1/9 16:03
Re: ASA's basics
#4
Webmaster

Interfaces


An interface on an ASA has limitations that must be followed in order to allow traffic to traverse the appliance
Physical interface
Sub-Interface

Physical Interfaces


The physical interface is literal per the terminology "Physical Interface". A patch cable is connected, and that is now the interface connection. Typically the "Outside" interface will be connected to one VLAN, and the "Inside" interface will be on another VLAN.
The interfaces will be constructed as follows:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.254 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.16.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address

Other physical interfaces should be in the "shutdown" status.

Sub-Interface


A "sub-interface" is constructed differently than a physical interface, and will rely on VLAN Trunking. The sub-interface will be created/used when there are not enough physical interfaces to support the environment, therefore the upstream switch will be required to support VLAN Trunking as well; the corresponding uplink switch port will be required to be "mode trunk" instead of an "access" port.

This may be necessary for multiple DMZ's - or limited on physical interfaces
The interfaces will be constructed as follows:

interface Ethernet0/0
 nameif public
 security-level 0
 ip address 1.1.1.254 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.123
 vlan 123
 nameif DMZ
 security-level 100
 ip address 2.2.2.254 255.255.255.0
!
interface Ethernet0/1.456
 vlan 456
 nameif WEB
 security-level 100
 ip address 3.3.3.254 255.255.255.0
!
interface Ethernet0/1.789
 vlan 789
 nameif DataBase
 security-level 100
 ip address 4.4.4.254 255.255.255.0

The sub interface is defined with: "interface Ethernet0/1.XXXX"
The interfaces are tagged for their corresponding VLAN by using "vlan XXXX"
The sub-interface identifier, and the vlan tag do not need to match, this is done for ease of reading in a complex infrastructure

access-group's


The access-group is used to define which direction traffic is allowed to flow. By default traffic is NOT allowed to traverse the appliance; therefore an access-group must be created.
There may only be one access-group created per direction of flow per interface
Do not create excessive access-group's, this can be extremely complex to control
access-group's may be constructed as follows:
access-group 101 in interface outside
access-group 102 out interface inside
access-group 103 in interface DMZ
access-group 104 in interface WEB
access-group 105 in interface DataBase

Therefore, since the access-group defines the flow of traffic, the access-list is directly related to the corresponding access-group which then limits what is allowed
By default the ASA is in a blocking state
An example of using the access-list construct with the access-group:
access-list 101 extended permit ip any any
access-list 102 extended permit ip any any
access-list 103 extended permit ip any any
access-list 104 extended permit ip any any
access-list 105 extended permit ip any any

Therefore the interfaces must match up with the "access-group" in order for the traffic to be recognized:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.254 255.255.255.0
!
interface Ethernet0/1.123
 vlan 123
 nameif inside
 security-level 60
 ip address 2.2.2.254 255.255.255.0
!
interface Ethernet0/1.456
 vlan 456
 nameif DMZ
 security-level 45
 ip address 3.3.3.254 255.255.255.0
!
interface Ethernet0/1.789
 vlan 789
 nameif WEB
 security-level 30
 ip address 4.4.4.254 255.255.255.0
!
interface Ethernet0/1.147
 vlan 147
 nameif DataBase
 security-level 100
 ip address 5.5.5.254 255.255.255.0

Portmap Translation


Once the traffic is permitted to traverse, you have to create the portmap translation
This will allow the WEB, and DataBase interfaces to communicate
This is known as creating the "Portmap Translation"
static (DataBase,WEB) 5.5.5.0 5.5.5.0 netmask 255.255.0.0
static (WEB,DataBase) 4.4.4.0 4.4.4.0 netmask 255.255.0.0

Portmap Translation - Related Error


If the directive is not set, you will see an error similar to the following:
%ASA-3-305006 4.4.4.2 portmap translation creation failed for tcp src DataBase:5.5.5.2/2393 dst WEB:4.4.4.2/80

Translation Group


Traffic outside the scope of the interface specification (IP and Subnet Mask) will not traverse the firewall
This means if the interface has specified 2.2.2.0/24, and there are IP's on the VLAN outside of this range, such as 3.3.3.0/24; the 3.3.3.0/24 traffic will not traverse the firewall
This is the purpose of using multiple interfaces on the security appliance, and specifying "security-level X"
Higher level "security-level's" are allowed to reach lower levels
Lower level "security-level's" must be specifically allowed for the traffic to pass to a higher level
Interfaces with the same "security-level" may communicate freely IF "same-security-traffic permit inter-interface" is used
This is known as creating the "Translation Group"
same-security-traffic permit inter-interface

Translation Group - Related Error


If the directive is not set, you will see an error similar to the following:
%ASA-3-305005: No translation group found for icmp src WEB:4.4.4.2 dst DMZ:3.3.3.2 (type 8, code 0)

Caveats


If an interface exists, do not re-apply the interface in its entirety. Re-applying the interface in its entirety can bring the device down.
This can remove access-group's
This can remove global policies
This can break existing routes on the appliance
Therefore, when needing to make a change to an interface, be sure to only apply what is required, and have a good backup.
Posted on: 2012/1/9 16:04
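As an added example (not code from this post or from Cisco), a small Python lint that checks a config against the rules stated in the post above: each access-group must name an existing access-list and an existing nameif, only one access-group per direction per interface, sub-interfaces need a "vlan" tag, and interfaces that share a security-level need "same-security-traffic permit inter-interface". SAMPLE_CONFIG is constructed from the addresses used above and deliberately contains mistakes.

```python
"""Lint for the interface / access-group rules stated in this post.
Constructed example, not Cisco's code; SAMPLE_CONFIG is made up and
deliberately contains several mistakes for the checks to find."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1.123
 vlan 123
 nameif DMZ
 security-level 100
!
interface Ethernet0/1.456
 nameif WEB
 security-level 100
!
access-list 101 extended permit ip any any
access-list 103 extended permit ip any any
access-group 101 in interface outside
access-group 103 in interface DMZ
access-group 104 in interface WEB
access-group 105 in interface DataBase
access-group 101 in interface DMZ
"""


def parse_config(text):
    """Collect interfaces, access-list names, access-groups and the same-security flag."""
    interfaces, acls, groups, same_sec = {}, set(), [], False
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = {"nameif": None, "vlan": None, "security_level": None}
            interfaces[line.split()[1]] = current
            continue
        if line.startswith(" ") and current is not None:   # indented sub-command
            key, _, value = line.strip().partition(" ")
            if key == "nameif":
                current["nameif"] = value
            elif key == "vlan":
                current["vlan"] = int(value)
            elif key == "security-level":
                current["security_level"] = int(value)
            continue
        current = None
        m = re.match(r"access-list (\S+) ", line)
        if m:
            acls.add(m.group(1))
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", line)
        if m:
            groups.append(m.groups())
        if line == "same-security-traffic permit inter-interface":
            same_sec = True
    return interfaces, acls, groups, same_sec


def lint(text):
    """Return a list of findings; an empty list means the config passes the checks."""
    interfaces, acls, groups, same_sec = parse_config(text)
    findings = []
    nameifs = {i["nameif"] for i in interfaces.values() if i["nameif"]}
    for name, i in interfaces.items():
        # a sub-interface (Ethernet0/1.XXXX) carries traffic only once "vlan XXXX" is set
        if "." in name and i["nameif"] and i["vlan"] is None:
            findings.append(f"{name}: sub-interface has a nameif but no 'vlan' tag")
    per_direction = defaultdict(list)
    for acl, direction, ifc in groups:
        if acl not in acls:
            findings.append(f"access-group {acl}: no access-list named {acl}")
        if ifc not in nameifs:
            findings.append(f"access-group {acl}: no interface with nameif {ifc}")
        per_direction[(ifc, direction)].append(acl)
    for (ifc, direction), names in per_direction.items():
        if len(names) > 1:   # only one access-group per direction per interface
            findings.append(f"{ifc} {direction}: more than one access-group ({', '.join(names)})")
    by_level = defaultdict(list)
    for i in interfaces.values():
        if i["nameif"] and i["security_level"] is not None:
            by_level[i["security_level"]].append(i["nameif"])
    for level, names in by_level.items():
        if len(names) > 1 and not same_sec:
            findings.append(f"security-level {level} shared by {', '.join(names)} without "
                            "'same-security-traffic permit inter-interface'")
    return findings


FINDINGS = lint(SAMPLE_CONFIG)

if __name__ == "__main__":
    for f in FINDINGS:
        print("WARN", f)
```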
Re: ASA's basics
#5
Webmaster

NAT


There are several types of NAT and PAT.
Static NAT
Static PAT
Policy NAT
Policy PAT
Dynamic NAT
Dynamic PAT
NAT order of operation:
# NAT 0 access-list
# STATIC NAT/PAT
# Policy NAT
# Dynamic NAT/PAT

Static NAT


Inside Static NAT (host)


Standard 1-to-1 translation
static (inside,outside) 210.185.200.226 192.168.10.10 netmask 255.255.255.255

Limiting the max simultaneous tcp connection limits to 1000, and embryonic connections to 100, and udp to 1000 max simultaneous connections
static (inside,outside) 210.185.200.226 192.168.10.10 netmask 255.255.255.255 tcp 1000 100 udp 1000

Inside Static NAT (network)


static (inside,outside) 210.185.200.232 192.168.10.1 netmask 255.255.255.248

Outside Static NAT


If the IP 210.185.201.1 attempts to reach the inside interface from the outside world, translate the IP to 192.168.10.100 before it reaches the inside network
static (outside,inside) 192.168.10.100 210.185.201.1 netmask 255.255.255.255

Policy Static NAT


The following will create a NAT rule which will allow traffic from 10.1.2.27 destined toward "209.165.201.0 255.255.255.224", and "209.165.200.224 255.255.255.224" to be mapped to their respective IP (either 209.165.202.129, or 209.165.202.130), depending on the matched rule:
access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
static (inside,outside) 209.165.202.129 access-list NET1
static (inside,outside) 209.165.202.130 access-list NET2

Dynamic NAT


On the outside interface there is a block of available IP's of 209.165.200.230-209.165.200.237 - This will allow the public IP's to be translated to the pool of 192.168.10.0 255.255.255.0 on the inside network dynamically
global (outside) 1 209.165.200.230-209.165.200.237 netmask 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0

Static PAT


This is basically Port Redirection whereas if the IP 209.165.200.229 is reached via port 33988 it will forward the traffic to 192.168.10.1 port 22
static (inside,outside) tcp 209.165.200.229 33988 192.168.10.10 22 netmask 255.255.255.255

Another example
For HTTP traffic initiated from hosts on the 10.1.3.0 network to the ASA's outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15
access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0
static (inside,outside) tcp 10.1.2.14 telnet access-list HTTP

Dynamic PAT


For example: This is basically a type of NAT in which a private IP is translated into a pool of Public IP's
object-group network MyInside
 network-object 192.168.10.0 255.255.255.0
 
nat (inside,outside) source dynamic MyInside interface

Same as
nat (inside) 1 192.168.10.0 255.255.255.0
 
global (outside) 1 209.165.200.230-209.165.200.237 netmask 255.255.255.0
global (outside) interface

Another Example:
Have the static translations removed, and instead assign inside hosts 192.168.30.53, and 192.168.30.55 to use PAT but only when the traffic is coming from IP 75.125.82.53. Inbound traffic will not be permitted to 75.125.82.53 and therefore hosts 192.168.30.53, and 192.168.30.55 will not be reachable from the outside.
Remove the existing ACL references, in this case the ACL refers to an object-group, if the ACL referred to the IP directly you would need to remove that ACL rule. Be aware if the ACL rule refers to a subnet that includes those IPs you will need to rewrite the ACL to omit them.

object-group network ssh_destin
 no network-object host 75.125.82.53
 no network-object host 75.125.82.55

Remove the existing Static Translations:
no static (inside,outside) 75.125.82.53 192.168.30.53 netmask 255.255.255.255 dns
no static (inside,outside) 75.125.82.55 192.168.30.55 netmask 255.255.255.255 dns

Add PAT configuration and access list to allow those IPs to communicate.
access-list pNat_2 extended permit ip host 192.168.30.53 any
access-list pNat_2 extended permit ip host 192.168.30.55 any
 
nat (inside) 2 access-list pNat_2
 
global (outside) 2 75.125.82.53 netmask 255.255.255.224
Posted on: 2012/1/9 16:10
Re: ASA's basics
#6
Webmaster

Dynamic PAT - 2


All hosts from the inside 192.168.10.0/24 network will be translated to 10.1.5.5 when they reach the outside interface
object-group network MyInside_Translated_out
 network-object 192.168.10.0 255.255.255.0
 
nat (inside,outside) source dynamic MyInside_Translated_out 10.1.5.5

Same as
nat (inside) 1 192.168.10.0 255.255.255.0
 
global (outside) 1 10.1.5.5

Policy NAT/PAT


Force host which is sourcing from subnet "174.122.254.128 255.255.255.248" destined toward "192.168.1.0 255.255.255.0" to appear to be sourced from "174.123.3.74"
access-list pnat_3287 extended permit ip 174.122.254.128 255.255.255.248 192.168.1.0 255.255.255.0
 
nat (inside) 3287 access-list pnat_3287
 
global (outside) 3287 174.123.3.74

Another example, force host on the inside 192.168.17.5 when reaching out to appear as 74.53.5.201 to the world, and allow port access inbound to the host via IP 74.53.5.201:
access-list acl_PAT3 extended permit ip host 192.168.17.5 any
 
global (outside) 3 74.53.5.201
 
nat (inside) 3 access-list acl_PAT3
 
object-group service 74.53.5.201_ports
 service tcp eq 80
 service tcp eq 443
 service tcp eq 3389
 
access-list 101 extended permit object-group 74.53.5.201_ports any host 74.53.5.201

ByPassing NAT


If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts or you can disable NAT control.

Identity NAT


nat (inside) 0 10.1.1.0 255.255.255.0

Static Identity NAT


This example uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside
static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255

This example uses static identity NAT for an outside address (209.165.201.15) when accessed by the inside
static (outside,inside) 209.165.201.15 209.165.201.15 netmask 255.255.255.255

This example statically maps an entire subnet
static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

This example, using "static identity policy NAT", shows a single real address that uses identity NAT when accessing one destination address, and a translation when accessing another
access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
static (inside,outside) 10.1.2.27 access-list NET1
static (inside,outside) 209.165.202.130 access-list NET2
Posted on: 2012/1/9 16:11
Re: ASA's basics
#7
Webmaster

Policy Static NAT, with NAT exemption


You may initiate traffic from the real host, however the destination address in the ACL is only used for traffic initiated by the real host. For traffic to the real host from the destination network, the source address is not checked, and the first matching NAT rule for the real host is used, therefore configure "static Policy NAT"
Then when hosts on the 10.1.2.0/27 network access 209.165.201.0/24, they are translated to corresponding addresses on the 209.165.202.128/27 network. But any host on the outside can access the mapped addresses 209.165.202.128/27, and not just hosts on the 209.165.201.0/24 network
For the same reason (the source address is not checked for traffic to the real host), you cannot use policy static NAT to translate different real addresses to the same mapped address
[6]
access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
static (inside,outside) 209.165.202.128 access-list NET1

Further elaboration:
The following example will allow 209.165.201.2 to connect to 209.165.200.225, it only allows 209.165.200.225 to be translated to 10.1.1.1
This is because the first matching ACE will be the translation
static (inside,outside) 209.165.200.225 access-list policy-nat
access-list policy-nat permit ip host 10.1.1.1 host 209.165.201.1
access-list policy-nat permit ip host 10.1.1.2 host 209.165.201.2

Caveat


Do be warned different forms of NAT do take precedence over one another[7] - more detailed information may be obtained from Cisco
The order of the rules will dictate the actual flow of traffic
The order of the rules in the configuration will make a big difference
If a static rule is above a PAT rule, the static rule will take precedence
If a PAT rule is above a static rule, the PAT rule will take precedence
When all else fails, look over the configuration line by line - take your time, and do not rush

Allowing traffic between interfaces


The following will be necessary (as an example) to have the interfaces communicate (such as internal and internal1, like a DMZ).
This is working with "security-levels" which have different security-levels.
The following will only permit host 192.168.30.148 to communicate with host 192.168.10.150 via port tcp/10050 from internal, to internal1.
Configuration example:
 
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 75.53.15.254 255.255.255.128
!
interface GigabitEthernet1/0
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.240.0
!
interface GigabitEthernet1/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1.123
 vlan 123
 nameif inside1
 security-level 90
 ip address 192.168.10.1 255.255.255.0
!
nat-control
global (inside1) 1 interface
nat (inside) 1 192.168.16.0 255.255.240.0
nat (inside1) 1 192.168.10.0 255.255.255.0
!
access-list inside1_inbound extended permit tcp host 192.168.30.148 host 192.168.10.150 eq 10050
access-list inside1_inbound extended deny ip host 192.168.30.148 host 192.168.10.150
access-list inside1_inbound extended permit ip any any
!
static (outside,inside) 174.16.2.2 192.168.32.2 netmask 255.255.255.255
static (inside,inside1) 192.168.16.0 192.168.16.0 netmask 255.255.240.0
!
access-group 101 in interface outside
access-group inside1_inbound out interface inside1
!
route outside 0.0.0.0 0.0.0.0 75.53.15.129 1
Posted on: 2012/1/9 16:12
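As an added example (not code from the thread or from Cisco), a Python model of the NAT order of operation listed in the NAT post above (nat 0 access-list, then static, then policy NAT, then dynamic NAT/PAT) and of the caveat in this post that the first matching rule decides the translation. The rule set is constructed from addresses used in the posts; destination 203.0.113.7 is a made-up outside host.

```python
"""Model of the NAT order of operation given in this thread (nat 0 access-list,
then static, then policy NAT, then dynamic NAT/PAT); first match wins within a
category. Constructed example, not Cisco's code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Exempt:          # nat (inside) 0 access-list ACL  -- one ACE: src -> dst
    src: IPv4Network
    dst: IPv4Network


@dataclass
class Static:          # static (inside,outside) MAPPED REAL netmask MASK
    real: IPv4Network
    mapped: IPv4Network


@dataclass
class PolicyNat:       # nat (inside) N access-list ACL + global (outside) N MAPPED
    src: IPv4Network
    dst: IPv4Network
    mapped: IPv4Address


@dataclass
class DynamicNat:      # nat (inside) N NET MASK + global (outside) N POOL|interface
    real: IPv4Network
    mapped: str


def resolve(rules, src, dst):
    """Return (category, mapped source) for real src -> dst; ("none", None) if no rule."""
    src, dst = ip_address(src), ip_address(dst)
    # 1. NAT exemption: matching traffic keeps its real address (e.g. VPN interesting traffic)
    for r in rules:
        if isinstance(r, Exempt) and src in r.src and dst in r.dst:
            return "nat 0 access-list", str(src)
    # 2. Static NAT/PAT: fixed 1-to-1 mapping, host offset preserved inside the subnet
    for r in rules:
        if isinstance(r, Static) and src in r.real:
            offset = int(src) - int(r.real.network_address)
            return "static", str(r.mapped.network_address + offset)
    # 3. Policy NAT: the destination decides whether the rule applies at all
    for r in rules:
        if isinstance(r, PolicyNat) and src in r.src and dst in r.dst:
            return "policy", str(r.mapped)
    # 4. Dynamic NAT/PAT: any remaining source inside the real network
    for r in rules:
        if isinstance(r, DynamicNat) and src in r.real:
            return "dynamic", r.mapped
    return "none", None   # with nat-control enabled, such traffic is dropped


# Constructed rule set, in configuration order, built from the thread's examples.
RULES = [
    # nat (inside) 0 access-list inside_nat0_outbound   (L2L interesting traffic)
    Exempt(ip_network("192.168.16.0/24"), ip_network("192.168.2.0/24")),
    # static (inside,outside) 210.185.200.226 192.168.10.10 netmask 255.255.255.255
    Static(ip_network("192.168.10.10/32"), ip_network("210.185.200.226/32")),
    # static (inside,outside) 210.185.200.232 192.168.10.1 netmask 255.255.255.248
    Static(ip_network("192.168.10.0/29"), ip_network("210.185.200.232/29")),
    # nat (inside) 3287 access-list pnat_3287 / global (outside) 3287 174.123.3.74
    PolicyNat(ip_network("174.122.254.128/29"), ip_network("192.168.1.0/24"),
              ip_address("174.123.3.74")),
    # nat (inside) 1 192.168.10.0 255.255.255.0 / global (outside) 1 <pool>
    DynamicNat(ip_network("192.168.10.0/24"), "209.165.200.230-209.165.200.237"),
]

if __name__ == "__main__":
    for flow in [("192.168.16.58", "192.168.2.10"), ("192.168.10.10", "203.0.113.7"),
                 ("192.168.10.3", "203.0.113.7"), ("174.122.254.130", "192.168.1.7"),
                 ("174.122.254.130", "203.0.113.7"), ("192.168.10.20", "203.0.113.7")]:
        print(flow, "->", resolve(RULES, *flow))
```

Note that 192.168.10.10 is covered by both the static rule and the dynamic pool; the static category wins because it is evaluated first, while a policy-NAT host going to a destination its ACL does not list falls through to "none".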
Re: ASA's basics
#8
Webmaster

ACL's


Writing ACL's can be easy and complex - this truly depends on what you are working to accomplish.

Basic ACL


access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host 192.168.30.2 eq 80

These two rules will permit ICMP traffic from anywhere to any host behind the ASA, and will permit TCP/80 from anywhere to host 192.168.30.2

service-ports & network-objects


Another example of allowing ports is using a service-group with network-objects (only available on firmware >8.0):

object-group network 53_8080_8443_hosts
 network-object host 175.129.135.18
 network-object host 175.129.135.20
 network-object host 175.129.134.58
 network-object host 175.129.134.60
 
object-group service 53_8080_8443_ports
 service-object tcp-udp 53
 service-object tcp 8080
 service-object tcp 8443
 
access-list 101 extended permit object-group 53_8080_8443_ports any object-group 53_8080_8443_hosts

This allows in one ACL the ability to permit ingress TCP, and UDP ports

Order of Rules


ACL's are processed from the top down.
By default all traffic is denied unless it is specifically permitted!!!
To specify the order of the rules, you may specify the line number.
It is not necessary to specify a line number every time an ACL is entered; only when the order of the rule matters within the list
Deny Statements:
It is necessary to specify a deny statement before the allow
The following will block the requested IP(s), but will allow port 80 access to everyone else:
access-list 101 line 1 extended deny ip host 81.2.2.5 any
access-list 101 extended permit tcp any any eq 80

object-group network Blocked_IPs
 network-object host 81.2.2.5
 network-object 152.4.5.0 255.255.255.0
 
access-list 101 line 1 extended deny ip object-group Blocked_IPs any
access-list 101 extended permit tcp any any eq 80

Working with deny statements within egress traffic

Ex: You need to block outbound traffic from specified servers, let's say to block specified ports if a server is constantly attacking others:
Example:
I would like to block all outbound traffic from my servers destined toward ports tcp & udp 6666-7000

I would build the access-group, and ACL's as follows:

object-group service deny_outbound
 service-object tcp-udp range 6666 7000
!
access-list 102 extended deny object-group deny_outbound any any
access-list 102 extended permit ip any any
!
access-group 102 in interface inside

If you do not specify to permit other traffic, the traffic will be blocked as by default the ASA blocks all traffic unless it is specifically specified.
If you do not specify all other traffic as allowed, you may not be able to reach your servers, and from the servers, they cannot reach outbound.

Inactive Rules


To make a rule inactive, simply perform the following:


If the rule is already there such as:
access-list 102 extended deny object-group deny_outbound any any
access-list 102 extended permit ip any any

And you wish for the Deny rule to become inactive, allowing all traffic across the interface, simply add "inactive" at the end:
access-list 102 extended deny object-group deny_outbound any any inactive

Caveat


When removing "Line 1" in the ACL list, be sure to specify "line 1", such as:
no access-list 101 line 1 extended permit ip any any


Failure to specify "line 1" when removing line one will break the "access-group", therefore causing the possibility to clear all of the existing ACL's in the list - this does depend on the firmware, and configuration of the ASA.
The access-group will need to be re-applied to the interface!!
The access-group specifies the direction the access-list is permitted to pass through the interface, such as:
access-group 101 in interface outside
Posted on: 2012/1/9 16:13
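As an added example (not code from this post or from Cisco), a Python first-match evaluator for the ACL forms used in the post above: top-down processing, "line N" insertion, "inactive", network and service object-groups, and the implicit deny at the end of the list. SAMPLE is constructed from the post's ACLs; ACL 103 reverses the deny/permit order to show the deny never matching. Removal with "no access-list" is not modelled.

```python
"""First-match evaluator for the ACL forms used in this post. Constructed
example, not Cisco's code."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def _endpoint(tokens, groups):
    """Consume one address spec: any | host A | object-group G | NET MASK."""
    t = tokens.pop(0)
    if t == "any":
        return [ANY]
    if t == "host":
        return [ip_network(tokens.pop(0) + "/32")]
    if t == "object-group":
        return groups["network"][tokens.pop(0)]
    return [ip_network(t + "/" + tokens.pop(0))]


def _ports(tokens):
    """Optional 'eq N' or 'range A B'; default is every port."""
    if tokens and tokens[0] == "eq":
        p = int(tokens[1]); del tokens[:2]
        return p, p
    if tokens and tokens[0] == "range":
        lo, hi = int(tokens[1]), int(tokens[2]); del tokens[:3]
        return lo, hi
    return 0, 65535


def _service(tokens, groups):
    """Protocol keyword or a service object-group -> list of (proto, lo, hi)."""
    t = tokens.pop(0)
    if t == "object-group":
        return groups["service"][tokens.pop(0)]
    return [(t, 0, 65535)]


def load(text):
    """Parse object-groups and access-list lines into {acl_name: [ACE, ...]}."""
    groups = {"network": {}, "service": {}}
    acls, current = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "object-group":                  # object-group network|service NAME
            current = groups[tok[1]].setdefault(tok[2], [])
        elif tok[0] == "network-object":
            current.extend(_endpoint(tok[1:], groups))
        elif tok[0] == "service-object":              # tcp|udp|tcp-udp PORT | range A B
            protos = ["tcp", "udp"] if tok[1] == "tcp-udp" else [tok[1]]
            lo, hi = _ports(tok[2:] if tok[2] == "range" else ["eq", tok[2]])
            current.extend((p, lo, hi) for p in protos)
        elif tok[0] == "access-list":
            t = tok[1:]
            name, line = t.pop(0), None
            if t[0] == "line":                        # explicit 1-based position
                line = int(t[1]); del t[:2]
            t.pop(0)                                  # "extended"
            ace = {"action": t.pop(0), "text": raw.strip()}
            ace["services"] = _service(t, groups)
            ace["src"] = _endpoint(t, groups)
            ace["dst"] = _endpoint(t, groups)
            ace["ports"] = _ports(t)                  # destination port(s)
            ace["inactive"] = "inactive" in t
            lst = acls.setdefault(name, [])
            if line:
                lst.insert(line - 1, ace)
            else:
                lst.append(ace)                       # no line -> appended at the end
    return acls


def evaluate(acls, name, proto, src, dst, dport=0):
    """Walk the ACL top-down; the first active matching ACE wins, else implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for ace in acls.get(name, []):
        if ace["inactive"]:
            continue
        if not any(src in n for n in ace["src"]) or not any(dst in n for n in ace["dst"]):
            continue
        lo, hi = ace["ports"]
        if not lo <= dport <= hi:
            continue
        for p, plo, phi in ace["services"]:
            if p in ("ip", proto) and plo <= dport <= phi:
                return ace["action"], ace["text"]
    return "deny", "implicit deny at end of list"


SAMPLE = """\
object-group network Blocked_IPs
 network-object host 81.2.2.5
 network-object 152.4.5.0 255.255.255.0
object-group service deny_outbound
 service-object tcp-udp range 6666 7000
!
access-list 101 extended permit tcp any any eq 80
access-list 101 line 1 extended deny ip object-group Blocked_IPs any
!
access-list 102 extended deny object-group deny_outbound any any
access-list 102 extended permit ip any any
!
access-list 103 extended permit ip any any
access-list 103 extended deny object-group deny_outbound any any
!
access-list 104 extended deny object-group deny_outbound any any inactive
access-list 104 extended permit ip any any
"""
ACLS = load(SAMPLE)
```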
Re: ASA's basics
#9
Webmaster

VPN


There are a few types of VPN available - however depending on the environment, the requested option may not be available for all apparent reasons - You will need to understand how VPN operates to understand these concepts
Routed Firewall - should be no issues
Transparent Firewall
VPN is not available on a transparent firewall as the transparent firewall does not support routing of any kind unless using firmware greater than 8.3
L2L IPSec VPN (Site-to-Site tunnel)
Remote Access (RA) IPSecVPN (Using the Cisco VPN Client)
Remote Access (RA) SSL VPN (Using the Cisco AnyConnect VPN Client)
- PPTP tunnels are not supported as they are deprecated
There are other forms of VPN as well, however you will likely not see them

Verbiage


Encryption Domain
This is the specified traffic allowed to traverse the tunnel known as "Interesting Traffic" (This is not necessarily the entire subnet(s) behind the VPN termination point)
Local Encryption Domain
This is the local end of the VPN termination point
This may also be known as the NAT masquerade for the local peer
This is the traffic allowed on the "Local" end of the tunnel known as "Interesting traffic"
Remote Encryption Domain
This is the remote end of the VPN termination point
This may also be known as the NAT masquerade for the Remote peer
This is the traffic allowed on the "Remote" end of the tunnel known as "Interesting traffic"
Interesting Traffic
Interesting traffic is what the VPN concentrator understands it should encrypt through the tunnel
Phase I
Phase I of the VPN tunnel is known as ISAKMP
Phase II
Phase II of the VPN tunnel is known as IPSec

Site-to-Site Phase1, and Phase 2 questionnaire/Verifier


The following may assist in ensuring you have all necessary information for a Site-to-Site tunnel:

Phase I and Phase II

Local End:

IKE Phase 1:
Encryption: 3DES
Authentication: SHA 1
DH Group: Group 2
Lifetime: 86400 Seconds (1440 Minutes)
 
IKE Phase 2:
Encryption: 3DES
Authentication: SHA 1
PFS: Yes
DH Group: PFS Group 2
Lifetime: 3600 Seconds (60 Minutes)
 
Local Peer IP: IP_ADDRESS
Local Encryption Domain: IP_SUBNET, or solo IP's
 
Remote End:
 
Remote Peer IP: Remote_IP_Address_of_VPN_PEER
Remote Encryption Domain: IP_SUBNET, or solo IP's
Pre-Shared Key: Random Characters (excluding "?")


(Site-to-Site) L2L VPN - Configuration - examples


These examples are only for reference

Site-to-Site (L2L) IPSec Tunnel


Local Peer IP: 79.56.4.61

Local Encryption Domain:

192.168.16.58/255.255.255.255

Remote Peer IP: 196.28.52.15

Remote Encryption Domain:

66.50.210.216/255.255.255.255

66.50.210.215/255.255.255.255

Pre-Shared Key: uH63KKb8s

Ike Phase 1:

Encryption: 3DES

Authentication: SHA1

DH Group: Group 2

Lifetime: 28800 (480 Minutes)
Ike Phase 2:

Encryption: 3DES

Authentication: SHA1

PFS: Off

DH Group: PFS Disabled

Lifetime: 3600 (60 Minutes)

crypto isakmp enable outside
access-list inside_nat0_outbound line 1 extended permit ip host 192.168.16.58 host 66.50.210.215 
access-list outside_1_cryptomap line 1 extended permit ip host 192.168.16.58 host 66.50.210.215 
access-list inside_nat0_outbound line 1 extended permit ip host 192.168.16.58 host 66.50.210.216 
access-list outside_1_cryptomap line 1 extended permit ip host 192.168.16.58 host 66.50.210.216 
tunnel-group 196.28.52.15 type ipsec-l2l
tunnel-group 196.28.52.15 ipsec-attributes
  pre-shared-key uH63KKb8s
  isakmp keepalive threshold 10 retry 2
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set  peer  196.28.52.15
crypto map outside_map 1 set  transform-set  ESP-3DES-SHA
crypto map outside_map interface  outside
nat (inside) 0 access-list inside_nat0_outbound  tcp 0 0 udp 0

Dynamic L2L VPN


A Dynamic L2L VPN may be used for peers on dynamic IPs, such as a home user.
Only the remote peer sourcing from the dynamic IP may negotiate the tunnel, as the statically assigned peer will not know the remote peer IP.
Local Peer IP: 79.56.4.61

Local Encryption Domain:

192.168.16.0/24

Remote Peer IP: DYNAMIC IP - Tunnel Group Name "My_hq2" ("Nickname" AKA "identity" == "My_hq2")

Remote Encryption Domain:

192.168.2.0/24

Pre-Shared Key: "!!Ev3nl3s5!!" - (with the quotes)



Ike Phase 1:

Encryption: AES256

Authentication: SHA1

DH Group: Group 2

Lifetime: 28800 (480 Minutes)



Ike Phase 2:

Encryption: AES256

Authentication: SHA1

PFS: Off

DH Group: PFS Disabled

Lifetime: 3600 (60 Minutes)


access-list outside_hq2 extended permit ip 192.168.16.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.2.0 255.255.255.0
!
crypto dynamic-map dyn-map 65535 set transform-set ESP-AES256-SHA
crypto dynamic-map dyn-map 65535 match address outside_hq2
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
tunnel-group My_hq2 type ipsec-l2l
tunnel-group My_hq2 ipsec-attributes
   pre-shared-key "!!Ev3nl3s5!!"


Debugging


debug crypto isakmp LEVEL 
debug crypto ipsec LEVEL 
debug vpn-sessiondb LEVEL
debug crypto vpnclient 
debug crypto condition peer PEER-IP
debug webvpn svc LEVEL
debug webvpn session LEVEL
debug ?
Posted on: 2012/1/9 16:15
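As an added example (not part of the post above), the following Python parses the site-to-site (L2L) config lines from the example into the Phase 1 / Phase 2 summary the questionnaire asks for, derives the mirrored parameters the remote peer must configure (same proposals and PSK, swapped peer and encryption domains), and checks the questionnaire's rule that the pre-shared key excludes "?". The config text is a constructed sample copied from the post; the function names are my own.

```python
# Constructed sample: the L2L config lines from the example in the post above.
L2L_CONFIG = """\
access-list outside_1_cryptomap line 1 extended permit ip host 192.168.16.58 host 66.50.210.215
access-list outside_1_cryptomap line 1 extended permit ip host 192.168.16.58 host 66.50.210.216
tunnel-group 196.28.52.15 ipsec-attributes
  pre-shared-key uH63KKb8s
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set  peer  196.28.52.15
"""

def _endpoint(toks, i):
    """Read one ACL endpoint at toks[i]: 'host A' or 'A MASK'; return (text, next index)."""
    if toks[i] == "host":
        return toks[i + 1] + "/32", i + 2
    return toks[i] + "/" + toks[i + 1], i + 2

def parse_l2l(text):
    """Return Phase 1 settings, Phase 2 transforms, peer, PSK and crypto-ACL (src, dst) pairs."""
    info = {"phase1": {}, "phase2": {}, "acl": [], "peer": None, "psk": None}
    for line in text.splitlines():
        f = line.split()
        if f[:3] == ["crypto", "isakmp", "policy"]:
            info["phase1"][f[4]] = f[5]                    # e.g. "group" -> "2"
        elif f[:3] == ["crypto", "ipsec", "transform-set"]:
            info["phase2"] = {"name": f[3], "transforms": f[4:]}
        elif f[:1] == ["access-list"] and "permit" in f:
            src, i = _endpoint(f, f.index("permit") + 2)  # skip "permit ip"
            dst, _ = _endpoint(f, i)
            info["acl"].append((src, dst))                 # local domain -> remote domain
        elif f[:1] == ["pre-shared-key"]:
            info["psk"] = f[1]
        elif f[:2] == ["crypto", "map"] and "peer" in f:
            info["peer"] = f[-1]
    return info

def mirror_for_remote(info, local_peer_ip):
    """What the remote end must configure: identical proposals and PSK, peer and domains swapped."""
    return {"peer": local_peer_ip, "psk": info["psk"], "phase1": dict(info["phase1"]),
            "transforms": list(info["phase2"]["transforms"]),
            "acl": [(dst, src) for src, dst in info["acl"]]}

def psk_ok(psk):
    """The questionnaire excludes '?' because the ASA CLI interprets it as context help."""
    return bool(psk) and "?" not in psk
```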
Re: ASA's basics
#10
Webmaster

Remote Access VPN - Client - Configuration - example


IPSec Remote Access


Cisco IPSec VPN client

The IPSec Remote Access VPN requires the Cisco Remote Access VPN Client. The client must be obtained directly from Cisco, and there are legal restrictions which must be met.
IPSec Remote Access Client Configuration Example

isakmp enable outside
!
access-list split_tunnel standard permit 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.16.0 255.255.255.0 192.168.1.0 255.255.255.0
!
ip local pool VPNClient_pool 192.168.1.1-192.168.1.254 mask 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
group-policy User_RAVPN internal
group-policy User_RAVPN attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
!
username User_1 password Whym3!-!
username User_1 attributes
vpn-group-policy User_RAVPN
!
username User_2 password ID0ntl!k3Th!5
username User_2 attributes
vpn-group-policy User_RAVPN
!
tunnel-group User_RAVPN type remote-access
tunnel-group User_RAVPN general-attributes
address-pool VPNClient_pool
default-group-policy User_RAVPN
tunnel-group User_RAVPN ipsec-attributes
pre-shared-key m5Sm!th
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto isakmp nat-traversal  10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

SSL Remote Access


The SSL Remote Access VPN requires the Cisco AnyConnect VPN client, which may be obtained directly from the appliance via the web interface.
You will be required to transfer the necessary AnyConnect images to the appliance manually if they do not already exist on the appliance.
http server enable
http 0.0.0.0 0.0.0.0 net-mgmnt
!
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc image disk0:/anyconnect-linux-2.2.0140-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-2.2.0140-k9.pkg 3
svc image disk0:/anyconnect-macosx-powerpc-2.2.0140-k9.pkg 4
svc enable
!
crypto key generate rsa label sslvpnkeypair
crypto ca trustpoint localtrust
enrollment self
fqdn My.local
subject-name CN=My.local
keypair sslvpnkeypair
!
crypto ca enroll localtrust
ssl trust-point localtrust outside
!
name 192.168.60.0 WEBVPNClient
object-group network VPNClient
 network-object WEBVPNClient 255.255.255.0
!
! access-list trusted_nat0_outbound extended permit ip VPNClient 255.255.255.0 any
! access-list trusted_nat0_outbound extended permit ip any VPNClient 255.255.255.0
! access-list split_tunnel standard permit trusted-servers 255.255.255.0
! access-list split_tunnel standard permit web-servers 255.255.255.0
!
ip local pool WebVPN_Pool 192.168.60.1-192.168.60.14 mask 255.255.255.240
!
group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
!
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
default-group-policy WebVPNPolicy
address-pool WebVPN_Pool
!
webvpn
tunnel-group-list enable
!
tunnel-group WebVPN webvpn-attributes
group-alias Group enable
!
username webUser1 password j03bl0w privilege 0
username webUser1 attributes
vpn-group-policy WebVPNPolicy
!
nat (outside) 0 access-list outside_nat0_outbound
nat (web) 0 access-list trusted_nat0_outbound
nat (trusted) 0 access-list trusted_nat0_outbound
Posted on: 2012/1/9 16:16
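As an added example (not part of the post above), the following Python reads the split-tunnel lines from the remote-access group-policy in the IPSec RA example and answers, for a given destination, whether that traffic enters the tunnel or leaves the client's local interface. It covers the three split-tunnel-policy values the ASA accepts (tunnelall, tunnelspecified, excludespecified), not only the tunnelspecified case shown; the config text is a constructed sample copied from the post and the function names are my own.

```python
import ipaddress

# Constructed sample: the split-tunnel lines from the IPSec RA example in the post above.
RA_CONFIG = """\
access-list split_tunnel standard permit 192.168.16.0 255.255.255.0
group-policy User_RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
"""

def parse_split_tunnel(text):
    """Return (policy, networks): the split-tunnel-policy and the standard ACL it references.
    With no split-tunnel-policy line the ASA default of tunnelall applies."""
    acls, policy, acl_name = {}, "tunnelall", None
    for line in text.splitlines():
        f = line.split()
        if f[:1] == ["access-list"] and f[2:4] == ["standard", "permit"]:
            # standard ACL entry: network + netmask
            acls.setdefault(f[1], []).append(ipaddress.ip_network(f"{f[4]}/{f[5]}"))
        elif f[:1] == ["split-tunnel-policy"]:
            policy = f[1]
        elif f[:2] == ["split-tunnel-network-list", "value"]:
            acl_name = f[2]
    return policy, acls.get(acl_name, [])

def is_tunneled(dest, policy, networks):
    """True when traffic to dest is sent through the VPN under this split-tunnel policy."""
    ip = ipaddress.ip_address(dest)
    listed = any(ip in net for net in networks)
    if policy == "tunnelall":          # everything goes through the tunnel
        return True
    if policy == "tunnelspecified":    # only the listed networks are tunneled
        return listed
    if policy == "excludespecified":   # listed networks bypass the tunnel
        return not listed
    raise ValueError(f"unknown split-tunnel-policy: {policy}")
```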