ASA

ASA Initialization
ASA CLI Initialization
 * 1) IP address (ip address [standby], ipv6 address [standby])
 * 2) Interface name (nameif)
    * By default the security-level is set to 100 for "inside" and 0 for anything else
 * 3) Security Level (security-level)
    * Failover interfaces don't use names and security levels
    * Affects the default ASA's filtering logic
 * 4) (Optional) VLAN (vlan)
    * Subinterfaces - remember about Native VLAN and lack of DTP
    * You have to set the switch as a trunk for subinterfaces and the native VLAN is set by the switch. So if you want the main interface to be in VLAN 100, you have to set the native VLAN on the switch to 100.
 * 5) Enable interface (no shutdown)

Security Level Exception
 * The traffic between interfaces configured for the same security level does not flow by default.
 * Change with same-security-traffic permit inter-interface

What about if ingress interface is the same as egress? (aka "Hairpinning")
 * Blocked by default
 * Enable using same-security-traffic permit intra-interface
 * Useful for some VPN scenarios

Redundant Interfaces
 * Used to increase ASA's reliability, not to be confused with failover
 * Logical group of two interfaces (similar to a cluster)
 * Active-standby
 * No load balancing
 * MAC address of the primary interface represents the logical interfaces

Switch considerations
 * Remember to mirror switchport configuration

EtherChannel Interfaces
 * Used to increase ASA's reliability and not to be confused with Failover
 * Logical grouping of up to 16 interfaces (only 8 can be active)
 * All interfaces participate in traffic forwarding (Load balancing)
 * Use LACP whenever possible
 * MAC address of the lowest numbered channel interface represents the logical interface

Switch considerations
 * Remember to configure corresponding switchports for EtherChannel

Redundant Interface Configuration
 int redundant 1
  member-interface f0/1
  member-interface f0/2

EtherChannel Configuration
 int gi0/0, 0/1
  channel-group 1 mode [active|passive|on]

Any further configuration should be applied to the logical interface - Redundant or PortChannel. You can't use the same interface as part of a redundant interface and etherchannel at the same time.

Verification: show interfaces [detail], show port-channel [summary]

ASA Initialization - DEMO
To view some configuration details of a redundant interface:
 show interface redundant 1
 show interface redundant 1 | begin Redundancy
 show interface redundant 1 | include MAC

You can manually change the active interface in a redundant pair (if gi0/1 and gi0/2 are in a pair and gi0/1 is currently active):
 redundant-interface redundant 1 active-member g0/2

Configuration of the redundant pair should be done at the redundant interface level and not on the individual interfaces:
 interface redundant 1
  ip address 172.10.40.40 255.255.255.0
  ipv6 address 2001:10:40::40/64
  nameif outside
  security-level 0

EtherChannel Interface configuration
 int gi0/1
  channel-group 1 mode active
 int gi0/3
  channel-group 1 mode active
 int port-channel 1
  nameif inside
  ip address 172.5.40.40 255.255.255.0
  ipv6 address 2001:5:40::40/64

Make sure the switch side has LACP configured to match the above configuration (use passive mode).

ASA Management and ACLs
Firewall Management
Default Management interface varies by platform (typically 0/0 or 0/1)
 * ASA can be managed by connecting to:
 * Any through-traffic interface
 * Management Interface (OOB)
 * Does not support transit traffic
 * Also supported in Transparent Mode
 * And Multiple Mode (as subinterfaces)
 * Any data interface can be used instead of default (management-only)

By default ASA does not expect to receive any packets destined to itself (except ICMP)
 * This means no remote management; only console port can be used to access the ASA.

Which ports and protocols (e.g. OSPF multicast) are activated is controlled by individual commands
 * Management/Monitoring commands (telnet, ssh, http, icmp)
 * Routing protocol configuration, enabling ISAKMP, etc.

Remote management access can be enabled for Telnet, SSH and HTTPS (ASDM). Example:
 telnet 2001:5:100::200/128 inside
 ssh 0 0 outside

You cannot use telnet to access the outside (least secure) interface unless via VPN tunnel established with the firewall.

ASDM Setup
 * 1) Make sure ASDM image is stored in flash (show flash:)
 * 2) Check what ASDM version device will try to use (show asdm image)
 * 3) Specify who should be able to use ASDM using IPv4/IPv6 (http)
 * 4) Enable HTTPS server (http server enable)

Connect to the ASA's IP address using HTTPS
 * By default enable password (enable password) is used for authentication (no username)
 * Ideally use AAA (aaa authentication http console)
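
The telnet, ssh and http access statements described above decide who can reach the management plane, so they are worth reviewing mechanically. The following is an added example, not part of the original notes: a small Python audit that reads those statements from a configuration and flags Telnet and any-source entries. The function names and the sample configuration are constructed for illustration.

```python
import ipaddress

MGMT_PROTOCOLS = {"telnet", "ssh", "http"}

def parse_source(tokens):
    """Parse '<addr> <mask>' or '<ipv6>/<len>'; None if not an access statement."""
    if len(tokens) == 2:
        # The page's 'ssh 0 0 outside' uses 0 as shorthand for 0.0.0.0
        addr, mask = ("0.0.0.0" if t == "0" else t for t in tokens)
        text = f"{addr}/{mask}"
    elif len(tokens) == 1:
        text = tokens[0]
    else:
        return None
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None  # e.g. 'ssh timeout 5' or 'http server enable'

def audit_management(config):
    """Return (line, interface, findings) for each management access statement."""
    report = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in MGMT_PROTOCOLS:
            continue
        source = parse_source(parts[1:-1])
        if source is None:
            continue
        findings = []
        if parts[0] == "telnet":
            findings.append("cleartext protocol")
        if source.prefixlen == 0:
            findings.append("any source address")
        report.append((line.strip(), parts[-1], findings))
    return report

# Constructed sample built from the kinds of statements shown on this page.
SAMPLE_CONFIG = """\
telnet 2001:5:100::200/128 inside
telnet 10.1.1.10 255.255.255.255 in
ssh 0 0 outside
ssh timeout 5
http server enable
http 10.1.1.0 255.255.255.0 inside
"""

if __name__ == "__main__":
    for line, iface, findings in audit_management(SAMPLE_CONFIG):
        print(f"{iface:8} {line:40} {', '.join(findings) or 'ok'}")
```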

Access-Lists
 * Standard, Extended, WebType, EtherType, IPv6

ASA's IPv4 and IPv6 access-lists applied to the interface via access-group are for TRANSIT traffic
 * They do NOT affect traffic to-the-box

To further control traffic to the ASA, use Control Plane ACL
 * Management commands take precedence for the respective protocols
 * Apply using access-group with the control-plane option

Global Access Rules
 * A single global rule applied ingress to all traffic (-> all interfaces)
 * Useful for migration scenarios

Access Rules order of operation
 * 1) Interface ACLs (permits & denies)
 * 2) Global rule ACL (permits & denies)
 * 3) Interface ACL Implicit deny

Configure using access-group with the global option.
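
The order of operation above matters when reviewing a rule base, because a broad global permit is reached by everything the interface ACL does not explicitly match. The following is an added example, not part of the original notes: a Python model of that evaluation order with simplified matching (protocol, source, destination, destination port). The rule sets, addresses and names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (any protocol)
    src: str                    # CIDR, "0.0.0.0/0" for any
    dst: str
    port: Optional[int] = None  # destination port, None = any

    def matches(self, proto, src, dst, port):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.port in (None, port))

def evaluate(interface_acl, global_acl, proto, src, dst, port):
    """Return (action, where) following the order of operation listed above."""
    for where, acl in (("interface", interface_acl), ("global", global_acl)):
        for rule in acl:                 # top-down, first match wins
            if rule.matches(proto, src, dst, port):
                return rule.action, where
    return "deny", "implicit"            # the implicit deny comes last

ANY = "0.0.0.0/0"
# Constructed rule sets (addresses and ports are illustrative).
OUTSIDE_ACL = [
    Rule("deny", "tcp", ANY, "172.16.1.0/24", 23),
    Rule("permit", "tcp", ANY, "172.16.1.10/32", 443),
]
GLOBAL_ACL = [
    Rule("permit", "tcp", ANY, ANY, 23),   # broad rule left over from a migration
    Rule("permit", "udp", ANY, ANY, 53),
]

if __name__ == "__main__":
    for dst, proto, port in [("172.16.1.10", "tcp", 23), ("172.16.2.5", "tcp", 23),
                             ("172.16.1.10", "udp", 53), ("172.16.1.10", "tcp", 8080)]:
        print(dst, proto, port, evaluate(OUTSIDE_ACL, GLOBAL_ACL, proto, "198.51.100.7", dst, port))
```

The second sample packet shows the review point: Telnet to a subnet the interface ACL never mentions is permitted by the global rule.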

Some protocols, such as ICMP and GRE, are not inspected by default by MPF. You will have to explicitly apply an ACL to allow these protocols or add them to the default policy for inspection.

Objects
 * Reusable components making ASA's configuration easier to maintain
 * An Object (object) can be of either network or service type
 * Only capable of storing a single element (IP address/IP range/service)
 * Also used for NAT configuration (8.3 and above)

Object Groups allow for grouping multiple objects and individual components
 * Multiple types are available: IP Protocol, Network, ICMPv4, Service, User
 * The 'Service' type allows you to mix services and different protocols in a single group
 * Configure using the object-group [protocol|network|icmp-type|service|user]

Access-List Examples (IPv4, EtherType, WebType):
 access-list OUTSIDE permit tcp any object-group SERVERS object-group PORTS

 access-list NON_IP ethertype deny bpdu
 access-list NON_IP ethertype permit any

 access-list WEB webtype permit tcp host 1.2.3.4 eq www
 access-list WEB webtype permit url http://cisco.com/*
 access-list WEB webtype permit url ftp://*.cisco.com

ICMP to the ASA
 * By default allowed but only from the local network
 * Controlled by the icmp and ipv6 icmp commands
 * Entries are processed in top-down fashion like a regular ACL

Don't forget about PMTUd, MLD and Neighbor Discovery (ipv6 icmp)
 icmp deny any echo outside
 icmp permit any outside

 ipv6 icmp deny any echo outside
 ipv6 icmp permit any outside

ASA Management and ACLs - DEMO
You can first see which management services are running on the ASA by default with the following command. As you can see, there are no services listed.
 ASA-FW# show asp table socket
 Protocol Socket    Local Address               Foreign Address         State

To allow telnet connections on the inside interface:
 telnet 10.1.1.10 255.255.255.255 in

We can now see the service being listened for:
 ASA-FW# show asp table socket
 Protocol Socket    Local Address               Foreign Address         State
 TCP      000388bf  10.1.1.10:23                0.0.0.0:*               LISTEN
 TCP      0004c82f  2001:1:1::10:23             :::*                    LISTEN

We then add SSH to the mix:
 ssh 0 0 out

 ASA-FW# show asp table socket
 Protocol Socket    Local Address               Foreign Address         State
 TCP      000388bf  10.1.1.10:23                0.0.0.0:*               LISTEN
 TCP      0004c82f  2001:1:1::10:23             :::*                    LISTEN
 TCP      0006776f  100.2.2.10:22               0.0.0.0:*               LISTEN
 TCP      0008091f  2001:2:2::10:22             :::*                    LISTEN

To authenticate these services:
 aaa authentication ssh console LOCAL
 username admin password admin
 domain-name ipexpert.com
 crypto key generate rsa

 ASA-FW(config)# show crypto key mypubkey rsa
 Key pair was generated at: 21:57:49 UTC Dec 17 2013
 Key name:
 Usage: General Purpose Key
 Modulus Size (bits): 1024

Class inspection_default
This class catches ALL traffic going through the firewall
 class-map inspection_default
  match default-inspection-traffic

Policy global_policy
This policy matches all traffic being matched by the class inspection_default
 policy-map global_policy
  class inspection_default

Transparent ASA
Transparent ASA
 * Turns a firewall into a bridge (packets are switched) whilst keeping most of its security functions
 * In 8.3 and earlier only two interfaces are supported (optionally +management)
 * In 8.4 and above Bridge Groups are used; each Bridge Group handles up to 4 interfaces
 * External Layer 3 device is required to route between bridge groups

Advantages:
 * Easy to be placed into the existing network infrastructure

Disadvantages:
 * No Routing Protocols, VPNs, QoS and shared interfaces in multiple mode

The ASA does not forward broadcast frames, but instead sends a PING to the destination.

Process of ARP broadcasts and handling in transparent mode.

Default Filtering Logic (8.4 and above) - allowed traffic:
 * Unicast IPv4 and IPv6 packets from higher -> lower security level interface
 * Multicast IPv6 packets from higher -> lower
 * ARP & ND packets in both directions
 * Implicit Deny on IPv6 ACL does NOT block ND (explicit does)
 * BPDUs in both directions

Default Filtering Logic (8.4 and above) - dropped traffic:
 * IPv4 multicast (OSPF, EIGRP, RIP) are dropped in both directions
 * Non-IP packets are dropped in both directions (change using EtherType ACL)

ARP Inspection (arp-inspection)
 * Designed to combat ARP Spoofing attacks
 * Legitimate entries are those stored in the ASA's ARP table
 * 1) If MAC, IP and the interfaces match an entry, allow the frame
 * 2) If there is an entry for either IP or MAC but the 3-tuple does not match, drop the frame
 * 3) If there is no entry for both IP and MAC, look at flood / no-flood
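
The three-step ARP inspection decision above can be modelled directly. The following is an added example, not part of the original notes: a Python function that applies those steps to a table of trusted entries, assuming that "flood" means the frame is forwarded and "no-flood" means it is dropped. The table contents and names are constructed for illustration.

```python
from typing import NamedTuple

class ArpEntry(NamedTuple):
    ip: str
    mac: str
    interface: str

def norm_mac(mac):
    """Normalise 0011.2233.4455 / 00:11:22:33:44:55 to bare lowercase hex."""
    return mac.lower().translate(str.maketrans("", "", ".:-"))

def arp_inspect(table, ip, mac, interface, flood=True):
    """Return 'allow', 'drop' or 'flood' for an ARP frame seen on `interface`."""
    mac = norm_mac(mac)
    partial = False
    for entry in table:
        same_ip = entry.ip == ip
        same_mac = norm_mac(entry.mac) == mac
        # Step 1: MAC, IP and interface all match a trusted entry
        if same_ip and same_mac and entry.interface == interface:
            return "allow"
        partial = partial or same_ip or same_mac
    # Step 2: IP or MAC is known but the 3-tuple does not match
    if partial:
        return "drop"
    # Step 3: neither IP nor MAC is known, the flood / no-flood setting decides
    return "flood" if flood else "drop"

# Constructed table of trusted entries (values are illustrative).
ARP_TABLE = [
    ArpEntry("10.1.1.1", "0011.2233.4455", "inside"),
    ArpEntry("10.1.1.20", "00aa.bbcc.ddee", "inside"),
]

if __name__ == "__main__":
    frames = [("10.1.1.1", "00:11:22:33:44:55", "inside"),   # legitimate gateway
              ("10.1.1.1", "dead.beef.0001", "inside"),      # gateway IP, wrong MAC
              ("10.1.1.1", "0011.2233.4455", "outside"),     # right pair, wrong interface
              ("10.1.1.99", "0000.1111.2222", "inside")]     # unknown host
    for frame in frames:
        print(frame, arp_inspect(ARP_TABLE, *frame, flood=False))
```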

CAM Table Control (mac-address-table static)
 * Prevents MAC Spoofing
 * MAC learning should be disabled for ultimate control (mac-learn disable)

Transparent ASA - DEMO
You can see first what mode the firewall is in:
 ciscoasa# show firewall
 Firewall mode: Router

When you change the mode, the configuration will be wiped clean. Configure a bridge virtual interface and assign the interfaces to it:
 interface BVI1
  ip address 192.168.254.1 255.255.255.0
  ipv6 address 2001:10:10::10/64
 !
 interface GigabitEthernet0
  nameif outside
  bridge-group 1
  security-level 0
 !
 interface GigabitEthernet1
  nameif inside
  bridge-group 1
  security-level 100
 !
 interface GigabitEthernet2
  nameif DMZ
  bridge-group 1
  security-level 50

Multi-Context ASA
Virtual Firewalls
 * Turns a single physical ASA into multiple virtual firewalls
 * Once enabled (mode multiple), three types of contexts become available for configuration:
 * 1) System (manages all other contexts and allocates physical resources)
 * 2) Admin (admin-context); remote access to all contexts including system
 * 3) User (context); virtual firewall

Advantages:
 * Each virtual firewall has its own security policy and can be managed independently

Disadvantages:
 * No routing protocols, VPNs, QoS and Multicasts

Traffic Classifier
 * Each packet entering virtualized ASA must be classified to a particular context
 * Three types of classification methods used are:
 * 1) Unique interfaces
 * 2) Unique MAC addresses
    * Assigned individually to all interfaces
    * Globally generated (mac-address auto); default in 8.6(1) and newer codes
 * 3) NAT

Resource Limits
 * Each context can be limited to certain amount of resources (connections, xlates, inspects, etc)
 * Depending on the resource type, percentage or absolute values can be configured
 * The default settings (class default) only limit telnet, ssh and asdm sessions to 5
 * Admin-defined class, once assigned, overrides the Default Class for the defined settings
 * Undefined settings are inherited
 * Use class to define the limits and member to assign the Class to the Context
 * Verify with show context and show resource