CCSP SNAF Quick Reference (uploaded by jkickli, 07-Apr-2015)

Table of Contents

Copyright ... 1
About the Author
About the Technical Editor ... 3

Section 1. Cisco Firewall and ASA Technology ... 4
    Firewall Basics ... 4
        Packet Filtering ... 6
        Proxy Servers
        Stateful Packet Filtering
    The Cisco Adaptive Security Appliance ... 8
    Cisco ASA Product Family ... 10
        Cisco ASA 5505 ... 11
        Cisco ASA 5510
        Cisco ASA 5520 ... 12
        Cisco ASA 5540
        Cisco ASA 5550 ... 13
        Cisco ASA 5580
        Service Modules ... 14
            AIP SSM ... 15
            CSC SSM
            4-Port Gigabit Ethernet SSM
    Summary ... 16

Section 2. Initial ASA Configuration ... 17
    CLI and ASDM Connection ... 17
        CLI
        ASDM
    Interface Configuration Using CLI and ASDM ... 23
        IP Address and Subnet Mask ... 24
        Interface Name
        Interface Security Level
        ASDM Interface Configuration
    Network Address Translation ... 29
        Simple NAT Configuration ... 30
            Adding a Static NAT Rule with ASDM
            Adding a Dynamic NAT Rule with ASDM
            Adding a NAT Exempt Rule with ASDM
    Access Lists ... 35
        Configuring ACLs with ASDM
        Using Object Groups Within ACLs
    Routing ... 41
        Configure a Static Default Route on the ASA
        Configure Passive RIP on the ASA
    Switching ... 44
    Summary ... 46

Section 3. AAA Configuration ... 47
    Authentication: Who Is That User on the System? ... 47
    Authorization: What Privileges Does the User Have?
    Accounting: What Has the User Done?
    AAA Configuration ... 48
        Local User Database Configuration
        External User Database Configuration ... 53
    Auth-Proxy Configuration ... 56
        Specify a AAA Server Group
        Designate an Authentication Server
        Enable Authentication Proxy User Authentication by Configuring a AAA Authentication Rule
    Summary ... 59

Section 4. Advanced Configuration ... 60
    Modular Policy Framework ... 60
        Class Maps
        Policy Maps
        Service Policies
        Step 1: Configure a Service Policy ... 63
        Step 2: Configure the Traffic Classification Criteria for the Service Policy Rule ... 64
        Step 3: Configure Actions on the Traffic Classified by the Service Policy Rule ... 66
    Threat Detection ... 68
        Basic Threat Detection
        Scanning Threat Detection
    Transparent Firewalling ... 73
        Transparent Firewall Configuration: CLI
        Transparent Firewall Configuration: ASDM
        Verifying the Transparent Firewall
    Summary ... 81

Section 5. VPN Configuration ... 82
    Site-to-Site VPNs ... 82
    Remote-Access VPNs ... 84
    Site-to-Site VPN Configuration ... 85
        Step 1: VPN Tunnel Type ... 86
        Step 2: Remote-Site Peer
        Step 3: IKE Policy ... 87
        Step 4: IPsec Policy
        Step 5: Hosts and Networks ... 89
        Step 6: Summary
    Remote-Access VPN Configuration ... 90
        Step 1: VPN Tunnel Type
        Step 2: Remote-Access Client
        Step 3: VPN Client Authentication
        Step 4: Client Authentication
        Step 5: Address Pools ... 94
        Step 6: Client Attributes
        Step 7: IKE Policy
        Step 8: IPsec Policy
        Step 9: Address Translation Exemption ... 97
        Step 10: Summary
    SSL VPN Configuration ... 98
        Step 1: SSL VPN Connection Type
        Step 2: SSL VPN Interface ... 99
        Step 3: User Authentication
        Step 4: Group Policy
        Step 5: Bookmark Lists
        Step 6: Summary
    VPN Troubleshooting ... 103
    Summary ... 106

Section 6. Failover Configuration ... 107
    Failover Links ... 107
    Failover Requirements ... 108
    Active/Standby Failover Configuration ... 109
        Step 1: Cable the Interfaces on Both Security Appliances
        Step 2: Prepare Both ASAs for Configuration with ASDM
        Step 3: Use the ASDM High Availability and Scalability Wizard to Configure the Primary ASA for Failover
        Step 4: Verify That Cisco ASDM Configured the Secondary Security Appliance with the LAN-Based Failover Command Set
        Step 5: Save the Configuration of the Secondary Security Appliance to Flash Memory
    Active/Active Failover Configuration ... 114
        Step 1: Cable the Interfaces on Both ASAs
        Step 2: Ensure That Both ASAs Are in Multiple Context Mode
        Step 3: Configure Contexts and Allocate Interfaces to Contexts
        Step 4: Enable and Assign IP Addresses to Each Interface That Is Allocated to a Context ... 116
        Step 5: Prepare Both Security Appliances for Configuration via ASDM
        Step 6: Use the ASDM High Availability and Scalability Wizard to Configure the ASA for Failover
        Step 7: Verify That ASDM Configured the Secondary ASA with the LAN-Based Failover Command Set
        Step 8: Save the Configuration of the Secondary ASA to Flash
    Redundant Interfaces
    Summary ... 120

Section 7. Monitor and Manage the ASA ... 121
    Telnet and SSH Access to the ASA ... 121
        Telnet Configuration
        SSH Configuration
    Software Image Configuration ... 124
        Command-Line Software Image Configuration
        ASDM Software Image Configuration ... 126
    Licensing the ASA ... 127
    Configuring Logging on the ASA ... 129
    Summary ... 132

CCSP SNAF Quick Reference, ISBN: 9781587058691. Prepared for [email protected], Jeremy Kicklighter. Copyright © 2009 Cisco Systems, Inc. This PDF is made available for personal use only during the relevant subscription term, subject to the Safari Terms of Service. Any other use requires prior written consent from the copyright owner. Unauthorized use, reproduction and/or distribution are strictly prohibited and violate applicable laws. All rights reserved.

CCSP SNAF Quick Reference

Section 1: Cisco Firewall and ASA Technology ... 3
Section 2: Initial ASA Configuration ... 16
Section 3: AAA Configuration ... 46
Section 4: Advanced Configuration ... 59
Section 5: VPN Configuration ... 81
Section 6: Failover Configuration ... 106
Section 7: Monitor and Manage the ASA ... 120

Andrew Mason

ciscopress.com


[ 132 ]

© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 132 for more details.

CCSP SNAF Quick Reference

Andrew Mason

Copyright © 2009 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

All rights reserved. No part of this digital Short Cut may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

First Digital Edition December 2008

ISBN-10: 1-58705-846-4

ISBN-13: 978-1-58705-846-2

Warning and Disclaimer

This digital Short Cut is designed to provide information about networking. Every effort has been made to make this digital Short Cut as complete and accurate as possible, but no warranty or fitness is implied.

The information is provided on an “as is” basis. The author, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this digital Short Cut.

The opinions expressed in this digital Short Cut belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this digital Short Cut that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this digital Short Cut should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community.

Reader feedback is a natural continuation of this process. If you have any comments about how we could improve the quality of this digital Short Cut, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please be sure to include the digital Short Cut title and ISBN in your message.

We greatly appreciate your assistance.

Corporate and Government Sales

The publisher offers excellent discounts on this digital Short Cut when ordered in quantity for bulk purchases orspecial sales, which may include electronic versions and/or custom covers and content particular to your business,training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate andGovernment Sales 1-800-382-3419 [email protected].

For sales outside the United States, please contact: International Sales [email protected].


About the Author

Andrew Mason is the chief technologist at RandomStorm, a UK-based SaaS Vulnerability Management Provider. Andrew has 16 years of experience in the IT industry, working in Internet security for the past several. He holds various industry certifications including CISSP and CCIE. Andrew also teaches network security and CCNA at the Cisco Network Academy.

About the Technical Editor

Ian Gyte is a senior consultant in the Networking Solutions business unit of Insight, responsible for the design, deployment and troubleshooting of customer networks with a focus on security. Ian holds a number of security related accreditations including Cisco CCIE Security 20061, CCNP, CCSP, CCSA, CCSE, RSA CSE and Information Systems Security (INFOSEC) Professional.


CCSP SNAF Quick Reference by Andrew Mason


SECTION 1

Cisco Firewall and ASA Technology

Section 1: Cisco Firewall and ASA Technology

This Quick Reference guide provides a handy reference for students studying for the Cisco Securing Networks with ASA Foundation exam and a great refresher on the Cisco Adaptive Security Appliance (ASA). This reference is mapped to the requirements of the 642-524 SNAF exam.

This opening section of this Quick Reference guide to the Cisco SNAF exam provides an overview of firewall technologies and the features of the Cisco ASA Firewall.

Firewall Basics

A firewall is a device that connects two or more networks together and restricts the flow of information between the two or more networks according to rules configured in a firewall rule base.

Firewalls have been in use for more than 20 years, but only in the past 10 years (because of the rapid growth of the Internet) has the need for firewalls increased, along with their capabilities.

In an ideal world, a firewall would not be required. You could just allow everybody full access to all your resources, and you could trust them to access what they required. However, in the real world, firewalls have become a necessity for all organizations to limit the access to their resources to users who require access to those resources.

The Internet is a great business enabler, connecting businesses together across the entire world. However, with this enabler comes a great risk. Numerous individuals and organizations specialize in hacking (breaking into other people’s networks for fun or profit).

Figure 1 shows a typical firewall deployment.


FIGURE 1 A Typical Firewall Deployment (diagram: Internet, ASA Firewall, Web Server, Mail Server, VPN Server, User, Internal Network)

Firewalls are deployed to mitigate such risk, allowing the organization to enforce a policy on the firewall that states what can and cannot be accessed. Note, however, that the firewall is only as good as the configuration deployed on it. If the configuration allows an attacker access to a resource, the firewall is not performing in its intended role.

Three types of firewalls are in use today, and are based on the following technologies:

• Packet filtering

• Proxy server

• Stateful packet filtering


Packet Filtering

Packet filtering is the oldest type of firewall technology, and it is still put to good use today. As the name suggests, a packet filter based on an access control list (ACL) is applied to an interface to filter packets traversing the interface. The ACL dictates the security policy or firewall rule base and specifies what traffic can and cannot traverse the firewall.

Figure 2 shows a simple packet filter in place.


FIGURE 2 Packet Filtering (diagram: Host A on the Internet, Server B in the DMZ, Server C on the inside; the filter’s rule base reads AB-YES, AC-NO, with data flows drawn between B and A and between C and A)

Most Cisco network devices perform some level of packet filtering implemented as ACLs.

Proxy Servers

Generally, a proxy server is an application that acts as a proxy for a service. The traditional use of a proxy server has been for web traffic. In this instance, a proxy server exists on the inside of the network. Clients are configured to channel any web requests through the proxy server. The proxy server uses its own security features to restrict those who can and cannot use the service.


Because these devices operate at higher layers in the OSI model, they can be resource intensive and may perform more slowly under stress.

Figure 3 shows the placement of a proxy server within a network.


FIGURE 3 Proxy Server (diagram: a Proxy Server between the Inside Network and the Outside Network, which connects to the Internet)

Stateful Packet Filtering

Stateful packet filtering is the method deployed by Cisco Firewall appliances. A stateful packet filter is implemented similarly to a standard packet filter, with the primary difference being that a stateful packet filter maintains complete session state. Every TCP connection or UDP flow, both inbound and outbound, is logged into the stateful session flow table.

All inbound and outbound packets are compared against the session flow table. Return data is permitted through the firewall even though no distinct rule allows it, based on its entry in the session table. The outbound initiation of a connection permits the return of the traffic.

Figure 4 shows stateful packet filtering.
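The difference between the packet filter of Figure 2 and the stateful filter of Figure 4, as an added Python model that is not part of the original Quick Reference: a stateless ACL either blocks the reply to an inside-initiated HTTP connection or needs a broad inbound rule that also admits unsolicited packets, whereas the stateful filter admits the reply from its session flow table and drops the unsolicited packet. The addresses, ports and ISN come from the first row of the Figure 4 state table; the outside host 203.0.113.9, the Rule and filter classes and all function names are constructed for this example.

```python
# Toy model (constructed for illustration, not Cisco code): a stateless ACL
# packet filter beside a stateful filter whose session flow table carries the
# fields of the Figure 4 state table and is consulted before the ACL.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})
    seq: int = 0              # TCP sequence number; the ISN on a SYN
    inbound: bool = False     # True = arriving on the outside interface

@dataclass(frozen=True)
class Rule:
    """One ACL entry; "any" matches any address and None matches any port."""
    action: str               # "permit" or "deny"
    inbound: bool             # direction the rule is applied to
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.inbound == p.inbound
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

class PacketFilter:
    """Stateless ACL filter: first matching rule wins, implicit deny at the end."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def acl_decision(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"

    def filter(self, p: Packet) -> str:
        return self.acl_decision(p)

FlowKey = Tuple[str, str, int, int]   # (src, dst, sport, dport)

class StatefulFilter(PacketFilter):
    """A packet of a logged flow is permitted without a distinct ACL rule; only an
    ACL-permitted SYN opens a new flow; anything else out of state is dropped."""
    def __init__(self, rules: List[Rule]) -> None:
        super().__init__(rules)
        self.state_table: Dict[FlowKey, dict] = {}

    def filter(self, p: Packet) -> str:
        key: FlowKey = (p.src, p.dst, p.sport, p.dport)
        reverse: FlowKey = (p.dst, p.src, p.dport, p.sport)
        if key in self.state_table:          # further packets of a known flow
            return "permit"
        if reverse in self.state_table:      # return traffic for a logged flow
            if "ACK" in p.flags:
                self.state_table[reverse]["state"] = "ESTABLISHED"
            return "permit"
        if self.acl_decision(p) == "permit" and p.flags == frozenset({"SYN"}):
            self.state_table[key] = {"isn": p.seq, "flag": "Syn", "state": "SYN_SENT"}
            return "permit"
        return "deny"                        # unknown flow, or not a permitted SYN

def demo() -> Dict[str, object]:
    """Run the same constructed packets through both filter types."""
    # Policy: inside hosts may open HTTP to anywhere; nothing is permitted inbound.
    tight = [Rule("permit", inbound=False, dport=80)]
    # A stateless filter can only let replies back in through a broad inbound rule.
    loose = tight + [Rule("permit", inbound=True, sport=80)]
    # Addresses, ports and ISN from the first row of the Figure 4 state table.
    syn = Packet("192.168.0.20", "172.16.0.50", 1026, 80, frozenset({"SYN"}), seq=49769)
    syn_ack = Packet("172.16.0.50", "192.168.0.20", 80, 1026,
                     frozenset({"SYN", "ACK"}), seq=91001, inbound=True)
    # Constructed unsolicited SYN from an outside host, sent from source port 80.
    probe = Packet("203.0.113.9", "192.168.0.20", 80, 22, frozenset({"SYN"}), inbound=True)
    stateless, stateless_loose = PacketFilter(tight), PacketFilter(loose)
    stateful = StatefulFilter(tight)
    return {
        "stateless_syn": stateless.filter(syn),                      # permit
        "stateless_syn_ack": stateless.filter(syn_ack),              # deny: reply has no rule
        "stateless_loose_syn_ack": stateless_loose.filter(syn_ack),  # permit
        "stateless_loose_probe": stateless_loose.filter(probe),      # permit: price of the broad rule
        "stateful_syn": stateful.filter(syn),                        # permit, flow logged
        "stateful_syn_ack": stateful.filter(syn_ack),                # permit via the state table
        "stateful_probe": stateful.filter(probe),                    # deny: no matching flow
        "isn_logged": stateful.state_table[("192.168.0.20", "172.16.0.50", 1026, 80)]["isn"],
    }
```

The same loose inbound rule would also let the stateful filter open a flow for the probe, which is the point made earlier: the firewall is only as good as the configuration deployed on it.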


FIGURE 4 Stateful Packet Filtering (diagram: Host A on the Internet, Server B in the DMZ, Server C on the inside; HTTP data flows between B and A. Caption: limits information that is allowed into a network based not only on the destination and source addresses, but also on the contents of the state table.)

State Table

Source Address  Destination Address  Source Port  Destination Port  Initial Sequence Number  ACK  Flag
192.168.0.20    172.16.0.50          1026         80                49769                         Syn
10.0.0.11       172.16.0.50          1026         80                49091                         Syn

The Cisco Adaptive Security Appliance

The Cisco Adaptive Security Appliance (ASA) is a key component in the Cisco end-to-end security solution. The ASA is now the market-leading Cisco security appliance and provides enterprise-class, integrated network security services.


The ASA product line offers cost-effective, easy-to-deploy solutions. The product line ranges from compact “plug-and-play” desktop firewalls for small offices to carrier-class gigabit firewalls for the most demanding enterprise and service-provider environments.

Cisco ASA features include the following:

• State-of-the-art stateful packet inspection firewall

• User-based authentication of inbound and outbound connections

• Integrated protocol and application inspection engines that examine packet streams at Layers 4 through 7

• Highly flexible and extensible modular security policy framework

• Robust virtual private network (VPN) services for secure site-to-site and remote-access connections

• Clientless and client-based Secure Sockets Layer (SSL) VPN

• Full-featured intrusion prevention system (IPS) services for day-zero protection against threats, including application and operating system vulnerabilities, directed attacks, worms, and other forms of malware

• Content security services, including URL filtering, antiphishing, antispam, antivirus, antispyware, and content filtering using Trend Micro technologies

• Multiple security contexts (virtual firewalls) within a single appliance

• Stateful active/active or active/standby failover capabilities that ensure resilient network protection

• Transparent deployment of security appliances into existing network environments without requiring re-addressing of the network

• Intuitive single-device management and monitoring services with the Cisco Adaptive Security Device Manager (ASDM) and enterprise-class multidevice management services through Cisco Security Manager


Cisco ASA Product Family

The Cisco ASA product family currently consists of six different models. These range in use all the way from a small office up to an enterprise or service provider network. As you might expect, the higher the model, the higher the throughput, number of ports, and cost.

The product range consists of the following devices:

Cisco ASA 5505

Cisco ASA 5510

Cisco ASA 5520

Cisco ASA 5540

Cisco ASA 5550

Cisco ASA 5580-20

Cisco ASA 5580-40

Figure 5 shows the Cisco ASA product family.


FIGURE 5 Cisco ASA Product Family


Cisco ASA 5505

The ASA 5505 is available in two models: a Base model and a Security Plus model. The ASA 5505 is aimed at small businesses, branch offices, and enterprise teleworkers. The ASA 5505 is a small form factor appliance.

• Maximum throughput: 150 Mb/s

• Maximum connections: 10,000 (25,000 Security Plus)

• Maximum connections/sec: 4,000

• Maximum 3DES/AES throughput: 100 Mb/s

• Maximum VPN sessions: 10 (25 Security Plus)

• Maximum SSL VPN sessions: 25

Cisco ASA 5510

The ASA 5510 is available in two models: a Base model and a Security Plus model. The ASA 5510 is aimed at deployment at the Internet edge. The ASA 5510 is a 19” 1U rack-mountable appliance.

• Maximum throughput: 300 Mb/s

• Maximum connections: 50,000 (130,000 Security Plus)

• Maximum connections/sec: 9,000

• Maximum 3DES/AES throughput: 170 Mb/s

• Maximum VPN sessions: 250

• Maximum SSL VPN sessions: 250


Cisco ASA 5520

The ASA 5520 is aimed at deployment at the Internet edge. The ASA 5520 is a 19” 1U rack-mountable appliance.

• Maximum throughput: 450 Mb/s

• Maximum connections: 280,000

• Maximum connections/sec: 12,000

• Maximum 3DES/AES throughput: 225 Mb/s

• Maximum VPN sessions: 750

• Maximum SSL VPN sessions: 750

Cisco ASA 5540

The ASA 5540 is aimed at deployment at the Internet edge. The ASA 5540 is a 19” 1U rack-mountable appliance.

• Maximum throughput: 650 Mb/s

• Maximum connections: 400,000

• Maximum connections/sec: 25,000

• Maximum 3DES/AES throughput: 325 Mb/s

• Maximum VPN sessions: 5,000

• Maximum SSL VPN sessions: 2,500


Cisco ASA 5550

The ASA 5550 is aimed at deployment at the Internet edge or within a campus network environment as an internal firewall. The ASA 5550 is a 19” 1U rack-mountable appliance.

• Maximum throughput: 1.2 Gb/s

• Maximum connections: 650,000

• Maximum connections/sec: 36,000

• Maximum 3DES/AES throughput: 425 Mb/s

• Maximum VPN sessions: 5,000

• Maximum SSL VPN sessions: 5,000

Cisco ASA 5580

The ASA 5580 is available in two models: the ASA 5580-20 and the ASA 5580-40. Both models are aimed at service provider or data center deployments and for use as internal firewalls for campus networks. Both ASA 5580 models are 3U 19” rack-mountable appliances.

• Maximum throughput: 5 Gb/s (10 Gb/s 5580-40)

• Maximum connections: 1,000,000 (2,000,000 5580-40)

• Maximum connections/sec: 90,000 (150,000 5580-40)

• Maximum 3DES/AES throughput: 1 Gb/s

• Maximum VPN sessions: 10,000

• Maximum SSL VPN sessions: 10,000


Service Modules

The features and functionality of the ASA can be enhanced by introducing a Security Services Module (SSM) into the ASA. You can install SSMs into the 5510, 5520, and 5540 appliances.

Currently, three SSMs are available for the ASA:

• Advanced Inspection and Prevention Security Services Module (AIP SSM)

• Content Security and Control Security Services Module (CSC SSM)

• 4-Port Gigabit Ethernet SSM

Figure 6 shows a Cisco ASA SSM.


NOTE

Because the ASA has only a single SSM slot, it is important to select the appropriate SSM based on your requirements.

FIGURE 6 Cisco Security Services Module


AIP SSM

The AIP SSM provides a full-featured IPS on a module that is used to stop malicious traffic such as viruses, worms, and directed attacks from entering your network. The AIP SSM is configured the same as the standalone Cisco IPS appliances and benefits from the same code and signature databases as the standalone IPS appliances.

The AIP SSM comes in three models:

• AIP-SSM-10 provides 150-Mb/s throughput on the ASA 5510 and 225-Mb/s throughput on the ASA 5520.

• AIP-SSM-20 provides 375-Mb/s throughput on the ASA 5520 and 500-Mb/s throughput on the ASA 5540.

• AIP-SSM-40 provides 450-Mb/s throughput on the ASA 5520 and 650-Mb/s throughput on the ASA 5540.

CSC SSM

The CSC SSM provides a content security solution within the ASA. The CSC SSM is based on software from Trend Micro that enables you to inspect traffic such as HTTP and Simple Mail Transfer Protocol (SMTP) for viruses, Trojans, and other malicious files.

The CSC SSM works in the same way as most standalone content security platforms, but one benefit is that you can totally integrate it into the ASA without incurring the cost of owning a dedicated server to perform the same role.

4-Port Gigabit Ethernet SSM

The 4-port Gigabit Ethernet SSM provides an extra four ports of connectivity to the ASA. The SSM has four copper RJ-45 interfaces and four fiber small form-factor pluggable (SFP) interfaces, but only the copper or the fiber interfaces can be used, not a mixture of both (which, if it were possible, would provide four more interface ports).


Summary

This first section provided an overview of firewall technologies and the Cisco ASA family. The next section covers the initial steps required to configure the ASA. In the next section, we examine basic command-line connection and how to configure the ASA through the ASDM.


SECTION 2

Initial ASA Configuration

Section 2: Initial ASA Configuration

This section covers configuration fundamentals for a Cisco ASA. This section covers basic command-line interface (CLI) configuration, but mainly focuses on configuring the ASA through the graphical Adaptive Security Device Manager (ASDM).

CLI and ASDM Connection

There are two ways to configure a Cisco ASA: through the CLI, or through the ASDM.

Both the CLI and ASDM offer benefits for configuration, and people disagree as to the best method. The CLI versus GUI configuration argument has been around since the days of UNIX versus Windows. The CLI is fast, after you have mastered it, but the GUI is very intuitive and easier to configure, especially with the wizard quick-configuration options now available.

CLI

The CLI is the historic way in which all Cisco devices were configured. This is a command-based interface similar to a UNIX- or DOS-based operating system. Commands are typed through a terminal connection to the ASA, and these are then written to the configuration. The CLI is powerful and fast, but learning how to use the CLI is like learning another language.

You can either connect to the CLI through the console port using a console cable or by using Telnet or Secure Shell (SSH).

Using a console cable is called an out-of-band connection, and using Telnet or SSH is called an in-band connection.

When you initially connect to an ASA, you are greeted with the following prompt:

ciscoasa>


NOTE

Because Telnet is sent in clear text and SSH is an encrypted session, you should always use SSH to connect to any network device.


This is called unprivileged mode and is represented by the > after the hostname. Entering enable at this prompt places you into privileged EXEC mode, and you will see the following prompt:

ciscoasa#

From privileged EXEC mode, you can then enter the configuration mode to enter configuration commands into the ASA. The show and debug commands to monitor and troubleshoot the ASA are also entered in privileged EXEC mode.

ASDM

You access the ASDM through a web browser. ASDM is a Java-based application, so any modern browser that supports Java will suffice (for instance, Safari, Firefox, or Internet Explorer). The connection to ASDM is over SSL, so the configuration is always encrypted between the client and the ASA through the web browser.

Because you have to connect to ASDM through a browser interface, you must configure an IP address on the inside interface to enable you to connect your browser to it. The next section covers interface configuration in more depth.

In addition to setting the IP address, you must enter some other basic configuration commands via the CLI to the ASA to configure the initial connection to the ASDM.

We will now run through the necessary commands on an ASA that has a blank configuration. The commands shown are the bare minimum to enable a connection to the ASDM.

Because this is an ASA with a blank configuration, the only way to connect is via the CLI using a serial connection.

The first step is to assign an IP address to the inside interface of the ASA. To enter these commands, you need to be in configuration mode on the ASA. We assume from this point forward that you are in configuration mode; the prompt shows which configuration mode is required:

ciscoasa#configure terminal

ciscoasa(config)#interface vlan 1

ciscoasa(config-if)#ip address 192.168.1.254 255.255.255.0


NOTE

You can use the quick-configuration system to configure the initial parameters of the ASA to facilitate ASDM connection, but we are providing the basic configuration commands without using the quick configuration.


Because this VLAN is going to be the inside network, we now have to name the VLAN interface as the inside interface:

ciscoasa(config-if)#nameif inside

INFO: Security level for “inside” set to 100 by default.

When the nameif command is entered, because the value is inside, the default security level of 100 is attributed to the VLAN interface.

VLAN1 is now configured as the inside interface with the IP address of 192.168.1.254/24. By default, all ports are in VLAN1, so we now need to tell the ASA 5505 which physical Ethernet port is the inside connection. In this example, we are using Ethernet0/1 as the inside interface, so we enter the following commands to bring up Ethernet0/1, because by default all ports are in an administrative shutdown mode:

ciscoasa(config)#interface ethernet0/1

ciscoasa(config-if)#no shutdown

Running a show interface for Ethernet0/1 now displays the following:

ciscoasa#show interface ethernet0/1
Interface Ethernet0/1 “”, is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001b.53a0.4e91, MTU not set
IP address unassigned
16423 packets input, 1256399 bytes, 0 no buffer
Received 896 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
6518 packets output, 5096677 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops

NOTE

For these examples, the configuration from a Cisco ASA 5505 is used. The ASA 5505 has a built-in eight-port switch with no fixed interfaces. IP addresses on the ASA 5505 are configured to VLAN interfaces, and then the VLANs are assigned to the Ethernet interfaces. For other ASA models, the IP address is added straight to the corresponding Ethernet interface.

[ 18 ]

© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 132 for more details.

CCSP SNAF Quick Reference by Andrew Mason

CCSP SNAF Quick Reference, ISBN: 9781587058691. Prepared for [email protected], Jeremy Kicklighter. Copyright © 2009 Cisco Systems, Inc. This PDF is made available for personal use only during the relevant subscription term, subject to the Safari Terms of Service. Any other use requires prior written consent from the copyright owner. Unauthorized use, reproduction and/or distribution are strictly prohibited and violate applicable laws. All rights reserved.

We can see that the interface is up. We should now be able to ping the inside interface of the ASA 5505 from a workstation connected to the 192.168.1.0/24 network and be able to ping workstations on the 192.168.1.0/24 network from the ASA 5505.

The next step is to configure a secure password on the ASA. We are about to provide access to the web-based administration interface of the ASA, so we want to ensure that it is protected and locked down with authentication.

We will set an enable password on the ASA:

ciscoasa(config)#enable password securepassword

The preceding line creates the enable password securepassword. Obviously, you would replace this with a very secure, strong password.

At this point, the interface is up and has a valid IP address configured. However, we must complete a couple more steps to facilitate a connection to the ASDM. Running a browser to https://192.168.1.254 at this point will return with a “Page Not Found” message.

The ASA has a built-in web server. This is what serves the ASDM to users requesting it through their browsers. By default, this web server is not enabled.

The internal web server in the ASA is enabled with the following command:

ciscoasa(config)#http server enable

This enables the HTTP server on the ASA, but if you tried a connection to the ASDM, you still would not be able to connect. This failure to connect results because the ASA operates in a closed policy, unlike the HTTPS server on a router.


On the ASA, all connections to the HTTP server are denied by default, and you must enter a configuration command to specify the IP addresses that are allowed to access the ASDM. On a router, by default all IP addresses can connect to the HTTP server, and you must create an access list to restrict this access.

In this example, we want to allow the whole inside network access to the ASDM:

ciscoasa(config)#http 192.168.1.0 255.255.255.0 inside

The preceding command allows all hosts on the 192.168.1.0/24 network, which is located on the inside interface, access to the ASDM.

Connecting now with a web browser to https://192.168.1.254 will display the initial ASDM connection screen shown in Figure 7.
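The closed policy described above, as an added example that is not part of this Quick Reference and not Cisco's code: a small Python model that parses the two commands shown (http server enable and http <network> <mask> <interface>) from a constructed sample of the running configuration and decides whether an ASDM connection is accepted. The function names, the sample lines and the test addresses are assumptions of the example; the one rule it implements is the page's: nothing is accepted unless the server is enabled and an entry matches both the client's source network and the interface the connection arrives on.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of the relevant lines of an ASA running configuration
# (the two commands shown in the text); not a capture from a real device.
HTTP_ACCESS_LINES = [
    "http server enable",
    "http 192.168.1.0 255.255.255.0 inside",
]


def parse_http_access(lines: List[str]) -> Tuple[bool, List[Tuple[ipaddress.IPv4Network, str]]]:
    """Return (server_enabled, [(allowed_network, interface_name), ...])."""
    enabled = False
    allowed = []
    for line in lines:
        parts = line.split()
        if parts[:3] == ["http", "server", "enable"]:
            enabled = True
        elif len(parts) == 4 and parts[0] == "http":
            # "http <network> <mask> <interface>": ip_network accepts a dotted mask
            network = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            allowed.append((network, parts[3]))
    return enabled, allowed


def asdm_access_allowed(lines: List[str], client_ip: str, arriving_interface: str) -> bool:
    """Closed policy: a connection is accepted only if the server is enabled and an
    http entry matches both the client's source address and the arriving interface.
    Everything else, including an inside address arriving on another interface, is denied."""
    enabled, allowed = parse_http_access(lines)
    if not enabled:
        return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in network and ifname == arriving_interface for network, ifname in allowed)


if __name__ == "__main__":
    for ip, ifname in [("192.168.1.10", "inside"), ("192.168.1.10", "outside"), ("10.0.0.5", "inside")]:
        print(ip, "via", ifname, "->", asdm_access_allowed(HTTP_ACCESS_LINES, ip, ifname))
```

The interface check is the part worth noticing: an address inside 192.168.1.0/24 is still refused if the connection does not arrive on the interface named in the http command, so the entry does not become a hole if that network is ever spoofed from outside.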

FIGURE 7

ASDM Connection Screen

You can either run the ASDM or the Startup Wizard to take you through the initial setup of the ASA. We are going to click the Run ASDM button to launch ASDM.

The next window that appears asks for authentication (see Figure 8).

FIGURE 8

ASDM Authentication

The authentication box requests a username and password. Because we have not configured any users on the system, we just need to enter the enable password into the Password field and leave the Username field blank.

We are now presented with a connection to the ASDM (see Figure 9).

NOTE

In a real-world situation, always ensure that you use a username and password combination for authentication to the ASA. Never rely on just the enable password for authentication.

FIGURE 9

Initial ASDM Connection

Interface Configuration Using CLI and ASDM

The ASA is a network device. Therefore, for it to function, you must configure the network interfaces. We look here at how to configure the interface parameters via both the CLI and ASDM.

The three aspects to configuring an interface on a Cisco ASA are as follows:

- IP address and subnet mask

- Interface name

- Interface security level


IP Address and Subnet Mask

Each interface requires its own IP address that exists in a different subnet. The ASA can operate in two modes: routed and transparent. For these examples, we use routed mode (the default). Transparent mode is covered in Section 4 of this Quick Reference guide.

We have already applied an IP address of 192.168.1.254/24 to the inside interface of the ASA. We now configure the IP address of 10.0.0.1/24 to the outside interface. This setup follows the simple network diagram shown in Figure 10.

FIGURE 10

Simple ASA Network (E0/1 192.168.1.254/24; E0/0 10.0.0.1/24)

To assign an IP address to an interface, you use the ip address command from interface configuration mode. The following example sets the IP address of 10.0.0.1/24 to Ethernet0/0:

ciscoasa(config)#interface ethernet0/0

ciscoasa(config-if)#ip address 10.0.0.1 255.255.255.0

In our example, we are using an ASA 5505, and we assigned an IP address of 192.168.1.254/24 to the VLAN1 interface. The configuration command for this is as follows:

ciscoasa(config)#interface vlan1

ciscoasa(config-if)#ip address 192.168.1.254 255.255.255.0

Interface Name

All interfaces on an ASA must be given a name. These names are used in other configuration items, such as Network Address Translation (NAT) and access control lists (ACLs). Some common names include outside, inside, and DMZ. It is worthwhile to provide a meaningful name.


To give Ethernet0/1 the name of inside, we issue the following command:

ciscoasa(config)#interface ethernet0/1

ciscoasa(config-if)#nameif inside

In our example, we are using an ASA 5505, and we assigned the name of inside to the VLAN1 interface. The configuration command for this is as follows:

ciscoasa(config)#interface vlan1

ciscoasa(config-if)#nameif inside

Interface Security Level

The ASA in its default state uses interface security levels to determine traffic flow and to ascertain what action the appliance should take on traffic traversing it. Every interface must have a security level. This originated from a PIX technology called the Adaptive Security Algorithm (confusingly, also ASA).

The two important factors are as follows:

- Traffic from a higher-security interface to a lower-security interface is by default allowed. This is classed as outbound traffic. Configuration is required to allow the traffic, but it will flow without the use of ACLs.

- Traffic from a lower-security interface to a higher-security interface is by default disallowed. This is classed as inbound traffic. The use of ACLs is required to allow inbound traffic.

Some default security levels are assigned to interfaces. By default, the outside interface always has a security level of 0, and the inside interface has a security level of 100.

The minimum level is 0, and the maximum level is 100. Therefore, these two interfaces are placed at either end of the scale, which allows additional interfaces, such as the DMZ, to be placed between these values to further enhance the security design of the network. It is common for a DMZ interface to be assigned a security level of 50.


To give Ethernet0/1 the security level of 100, we issue the following command:

ciscoasa(config)#interface ethernet0/1

ciscoasa(config-if)#security-level 100

In our example, we are using an ASA 5505, and we assigned the name of inside to the VLAN1 interface. This configuration means that this interface will have a security level of 100. The configuration command for this is as follows:

ciscoasa(config)#interface vlan1

ciscoasa(config-if)#security-level 100

ASDM Interface Configuration

You can configure an interface via ASDM from a single configuration screen.

You must select Configuration from the toolbar, and then Device Setup. You can then add, edit, or delete interfaces from the configuration.

Because we have already configured the inside interface in our example as VLAN1, we will now enhance this by only configuring VLAN1 on the Ethernet0/1 physical port.

We highlight the inside interface and then click Edit. Figure 11 shows the Edit Interface screen.

As you can see from Figure 11, the IP address, interface name, and security level can all be entered into the ASA configuration from this single screen. In this example, you can see that Ethernet0/1 has been selected and has an IP address of 192.168.1.254/24, with an interface name of inside and a security level of 100.

No firewall is complete with a single interface, so let’s go ahead and configure the outside interface of the ASA.


Figure 12 shows the configuration screen on the ASA for the outside interface.

FIGURE 11

ASDM Interface Configuration


You can see in Figure 12 that we have assigned Ethernet0/0 an IP address of 10.0.0.1/24. We have named this interface outside and given it a default security level of 0.

We now have the network as shown in Figure 13.

FIGURE 12

ASDM Outside Interface Configuration

FIGURE 13

Simple Network with the ASA (E0/1 Inside, 192.168.1.254/24, Security Level 100; E0/0 Outside, 10.0.0.1/24, Security Level 0)

Now that the interfaces are configured, let’s move on and look at the other areas of initial configuration required to get the ASA functioning.


Network Address Translation

Network Address Translation (NAT) is a key concept and technology used by the ASA. The main purpose of NAT is to translate one IP address into another. It is commonly used to translate private RFC 1918 IP addresses into publicly routable IP addresses for use over the Internet.

Figure 14 shows how NAT would be used in the simple network we have configured on the ASA.

FIGURE 14

Simple NAT with the ASA (192.168.1.10/24 on the Private Network, NAT on the ASA, Public Network)

NAT, in the true sense, translates one address to another address. There is also another technology called Port Address Translation (PAT). PAT is where multiple internal addresses are translated into a single external address. Different source ports are used on the external address to differentiate between the internal addresses, and this information is held by the device performing the translation so that it can work out where to send the return packets. PAT is also called NAT-Overload.

On the ASA, NAT is required when traffic is flowing from a lower-security interface to a higher-security interface. For example, the outside interface has a security level of 0, and the inside interface has a security level of 100. Therefore, NAT is required for hosts on the outside to communicate with hosts on the inside.

NAT is not required by default for traffic flowing from a higher-security interface to a lower-security interface. This has been the case since Cisco released PIX and ASA 7.0. You can enable this setting by issuing the nat-control command, which then forces NAT on all interfaces in all directions.


Simple NAT Configuration

To configure NAT on the ASDM, choose Configuration from the toolbar and then Firewall. NAT rules are created on the ASA and perform the translations depending on the configuration. By default, no NAT rules are configured on the ASA.

You can add three main types of NAT rules: static NAT rules, dynamic NAT rules, and NAT exempt rules.

We can start by adding a static NAT rule.

Adding a Static NAT Rule with ASDM

Static NAT is where you are performing a one-to-one NAT translation; a single internal IP address is translated to a single external IP address. This is normally used for inbound access where external users are accessing resources such as a corporate web or email server.

Figure 15 shows the inclusion of a web server in our simple network topology.

FIGURE 15

Web Server (Web Server .250 on 192.168.1.0/24; ASA inside .254, outside .1 on 10.0.0.0/24; 192.168.1.250 translates to 10.0.0.5 toward the Public Network)

The web server has an internal IP address of 192.168.1.250/24. Hosts from the outside cannot access this server on this address, because it is not routable via the outside interface (because a NAT translation is required).

What we need to configure is a static NAT entry from 192.168.1.250 that translates to 10.0.0.5. Doing so then enables external users to access the web server on 10.0.0.5.

We have chosen to add a static NAT translation and then entered the settings as shown in Figure 16.


You can see in Figure 16 that we have entered the original and translated addresses into the ASDM. This setting will translate 192.168.1.250 to 10.0.0.5 on the outside interface. When we apply this setting, we are then taken back to the NAT Rules configuration screen that is shown in Figure 17.

This screen lists all the configured NAT rules on the ASA, which in this case is only the single static NAT rule.

Now that we have configured a static NAT rule through the ASDM, the next rule to look at is a dynamic NAT rule.

FIGURE 16

Static NAT Configuration

Adding a Dynamic NAT Rule with ASDM

Static NAT translations provide a one-to-one translation of IP addresses. A dynamic NAT rule creates a one-to-many translation of IP addresses.

The most common use of dynamic NAT is when the ASA is placed at the network perimeter between the corporate network and the Internet. Users on the corporate network want Internet access, so they require a NAT translation to translate their private IP address to a publicly routable IP address. If there are 50 internal users, you require 50 public addresses for the translation.

Dynamic NAT uses a single public IP address and allows all the internal users access to the Internet. They all use the same public IP address, and they are tracked by the ASA by using different source ports for each internal client.
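The static translation for the web server and the port-based dynamic translation described above, as an added example that is not part of this Quick Reference and not Cisco's code: a toy Python translator that keeps a one-to-one static table (192.168.1.250 to 10.0.0.5) and a PAT table keyed on inside address and source port, mapping outbound flows to the outside interface address 10.0.0.1 and using the recorded port to deliver the return packets. The class and method names, the port-pool range, the choice to keep the original source port when it is still free, and the constructed packets (203.0.113.10 stands in for an Internet host) are assumptions of the example. A packet arriving from the outside for which no translation exists comes back as None, mirroring the text's point that outside hosts cannot reach an inside address without one.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet: only the fields NAT/PAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class AsaNat:
    """Toy model of ASA translation: static one-to-one NAT plus PAT (NAT-Overload)
    on the outside interface address. Assumed names; not Cisco code."""

    def __init__(self, outside_ip: str, pat_ports: Tuple[int, int] = (1024, 65535)) -> None:
        self.outside_ip = outside_ip
        self.pat_ports = pat_ports
        self.static: Dict[str, str] = {}            # real (inside) address -> mapped (outside) address
        self.static_rev: Dict[str, str] = {}        # mapped -> real
        self.pat: Dict[Tuple[str, int], int] = {}   # (real ip, real port) -> mapped port
        self.pat_rev: Dict[int, Tuple[str, int]] = {}

    def add_static(self, real_ip: str, mapped_ip: str) -> None:
        self.static[real_ip] = mapped_ip
        self.static_rev[mapped_ip] = real_ip

    def _allocate_port(self, preferred: int) -> Optional[int]:
        """Keep the client's own source port if it is free (assumption), else the
        first free port in the pool; None once the pool is exhausted."""
        lo, hi = self.pat_ports
        if lo <= preferred <= hi and preferred not in self.pat_rev:
            return preferred
        for port in range(lo, hi + 1):
            if port not in self.pat_rev:
                return port
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. A static mapping takes precedence; everything else is PAT."""
        if pkt.src_ip in self.static:
            return replace(pkt, src_ip=self.static[pkt.src_ip])
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.pat:
            port = self._allocate_port(pkt.src_port)
            if port is None:
                return None                        # no free port: flow cannot be translated
            self.pat[key] = port
            self.pat_rev[port] = key
        return replace(pkt, src_ip=self.outside_ip, src_port=self.pat[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Returns the untranslated packet, or None when no
        translation exists (there is no inside address to deliver it to)."""
        if pkt.dst_ip in self.static_rev:
            return replace(pkt, dst_ip=self.static_rev[pkt.dst_ip])
        if pkt.dst_ip == self.outside_ip and pkt.dst_port in self.pat_rev:
            real_ip, real_port = self.pat_rev[pkt.dst_port]
            return replace(pkt, dst_ip=real_ip, dst_port=real_port)
        return None


if __name__ == "__main__":
    nat = AsaNat("10.0.0.1")
    nat.add_static("192.168.1.250", "10.0.0.5")
    print(nat.outbound(Packet("192.168.1.10", 40000, "203.0.113.10", 80)))
    print(nat.outbound(Packet("192.168.1.11", 40000, "203.0.113.10", 80)))
    print(nat.inbound(Packet("203.0.113.10", 80, "10.0.0.5", 80)))
    print(nat.inbound(Packet("203.0.113.10", 80, "10.0.0.1", 9999)))
```

Two hosts that both pick source port 40000 show why PAT has to keep state: the second one is given a different outside port, and only the recorded mapping lets the return packet find its way back to the right inside address.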

FIGURE 17

NAT Rules Screen

When we add a dynamic NAT rule, we have to link it to an address pool. You can create these address pools via Objects > Global Pool, or you can create them while adding the dynamic NAT rule.

You can see from Figure 18 that we have created a dynamic NAT rule that applies to 192.168.1.0/24 and uses the address of the outside interface for the translation.

FIGURE 18

Adding a Dynamic NAT Rule

When we apply this rule, we are taken back to the NAT Rules screen. We can now see on this screen, as shown in Figure 19, that there is a configured static NAT rule and a dynamic NAT rule.

The last type of NAT rule that we are going to look at is a NAT exempt rule.


Adding a NAT Exempt Rule with ASDM

We have just configured static and dynamic NAT on the ASA via ASDM. We will now look at the third option available when adding a NAT rule, a NAT exempt rule.

NAT exemption exempts addresses from NAT translation. When NAT is configured on an interface, you sometimes might need a specific host to bypass NAT and be exempt from the NAT rules. A common use of this is when configuring VPNs and you want the local private network to be able to communicate with the remote private network without being translated.

FIGURE 19

NAT Rules Screen

Access Lists

We have just looked at configuring NAT on the ASA. Now that you have configured NAT, the next element to look at is ACLs.

ACLs are the restrictive lists that define a firewall. These can also be called a firewall rule set or rule base. The ACL is one of the most important aspects of the firewall because it permits and denies traffic through the firewall. The incorrect configuration of an ACL can result in a security hole that a potential attacker may use to exploit an internal system.

Configuring ACLs with ASDM

In our example, we have shown a web server on the inside of the network. This web server has a static NAT translation. We are now going to provide an ACL that allows inbound traffic matching the web server address to access the web server.

To configure ACLs, select Configuration from the toolbar and then Firewall > Access Rules.

You will see that by default some rules are already applied to the ASA. These are the implicit rules configured by default on the ASA device. These rules cannot be removed; they are the catchall rules that are matched if no other rule is matched first.

Figure 20 shows these implicit rules.

Looking at Figure 20, we can see that there are three implicit access rules. Two are applied to the inside interface and one to the outside interface.

The implicit access rules applied to the inside interface are as follows:

- Permit traffic from anywhere destined to a lower-security interface

- Deny any traffic from anywhere to anywhere


This rule implements the Adaptive Security Algorithm (ASA) mentioned earlier. Any traffic from the inside interface is permitted only to lower-security interfaces. All other traffic is denied.

The implicit access rule applied to the outside interface is as follows:

- Deny any traffic from anywhere to anywhere

Because the outside interface has the lowest available security level (0), all traffic is by default denied unless a more specific access rule permits it. This default ensures that nothing enters the firewall from the outside without previous configuration.

FIGURE 20

Implicit Access Rules

Clicking Add brings up the Add an Access Rule screen. We want to add a rule on the outside interface to allow access to the internal web server on TCP port 80.

Figure 21 shows the completed screen to create this access rule.

FIGURE 21

Add an Access Rule

You can see from Figure 21 that we have created a rule that permits TCP port 80/HTTP traffic from anywhere to access the outside interface and the address 10.0.0.5. This is the address that we used for the static NAT translation for the web server.

Applying this access rule takes us back to the Access Rules screen of the ASDM, as shown in Figure 22.

You can now see the new rule that has been configured on the outside interface and has been placed above the implicit rule that denies all other traffic.

Traffic can now access the website from anywhere on the Internet.
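The security-level rules from the Interface Security Level section and the implicit access rules described here, as an added example that is not part of this Quick Reference and not Cisco's code: a small Python policy evaluator that checks the explicit access rules applied to the ingress interface first, in order, and otherwise falls through to the implicit rules (permit to a lower-security interface, deny everything else). The class and function names, the DMZ interface at level 50, the sample flows and the documentation-range addresses are assumptions of the example; so is treating traffic between two interfaces at the same level as denied, which the page does not cover. The one explicit rule is the page's: TCP from anywhere to 10.0.0.5 port 80, applied on the outside interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRule:
    """One access rule, applied to traffic entering `interface` (as in ASDM's Access Rules)."""
    interface: str
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", "icmp", or "ip" (any protocol)
    source: str                      # CIDR prefix or "any"
    destination: str                 # CIDR prefix or "any"
    dst_port: Optional[int] = None   # None matches every destination port

    def matches(self, protocol: str, src_ip: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        def in_net(ip: str, spec: str) -> bool:
            return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
        return (self.protocol in ("ip", protocol)
                and in_net(src_ip, self.source)
                and in_net(dst_ip, self.destination)
                and (self.dst_port is None or self.dst_port == dst_port))


class AsaPolicy:
    """Toy model of ASA forwarding policy: explicit rules first, then the
    security-level (Adaptive Security Algorithm) implicit rules. Assumed names, not Cisco code."""

    def __init__(self) -> None:
        self.levels: Dict[str, int] = {}     # interface name -> security level (0..100)
        self.rules: List[AccessRule] = []

    def add_interface(self, name: str, level: int) -> None:
        if not 0 <= level <= 100:
            raise ValueError("security level must be between 0 and 100")
        self.levels[name] = level

    def add_rule(self, rule: AccessRule) -> None:
        self.rules.append(rule)              # order matters: the first matching rule wins

    def evaluate(self, ingress: str, egress: str, protocol: str,
                 src_ip: str, dst_ip: str, dst_port: Optional[int] = None) -> Tuple[str, str]:
        """Return (action, reason) for a flow entering `ingress` and leaving via `egress`."""
        for rule in self.rules:
            if rule.interface == ingress and rule.matches(protocol, src_ip, dst_ip, dst_port):
                return rule.action, "explicit rule on %s" % ingress
        # Implicit rules: higher -> lower is permitted, everything else is denied.
        # Equal levels fall into the deny branch (assumption: same-security traffic not enabled).
        if self.levels[ingress] > self.levels[egress]:
            return "permit", "implicit: permit to lower-security interface"
        return "deny", "implicit: deny any to any"


def build_example_policy() -> AsaPolicy:
    """The page's topology (inside 100, outside 0) plus an assumed DMZ at 50, and the
    single explicit rule from Figure 21: tcp any -> 10.0.0.5 port 80 on the outside interface."""
    policy = AsaPolicy()
    policy.add_interface("inside", 100)
    policy.add_interface("dmz", 50)
    policy.add_interface("outside", 0)
    policy.add_rule(AccessRule("outside", "permit", "tcp", "any", "10.0.0.5/32", 80))
    return policy


if __name__ == "__main__":
    policy = build_example_policy()
    for flow in [("inside", "outside", "tcp", "192.168.1.10", "203.0.113.10", 443),
                 ("outside", "inside", "tcp", "203.0.113.10", "10.0.0.5", 80),
                 ("outside", "inside", "tcp", "203.0.113.10", "10.0.0.5", 22)]:
        print(flow, "->", policy.evaluate(*flow))
```

The destination in the rule is the translated address 10.0.0.5, exactly as in Figure 21, because that is the address the outside sees. Anything not matching that one rule on the outside interface, such as port 22 to the same host or UDP to port 80, falls through to the implicit deny.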


Using Object Groups Within ACLs

We now want to extend this further and permit HTTPS into the web server. We also want to use the name webserver-public rather than the public IP address of the web server.

We can achieve both of these goals by configuring objects on the ASA.

Let’s start by defining the web server as an object within the ASA. Navigate to Firewall > Objects > IP Names. Add an entry using the public IP address of the web server and the name of webserver-public. You can see this completed in Figure 23.

FIGURE 22

Access Rules Screen

[ 38 ]

© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 132 for more details.

CCSP SNAF Quick Reference by Andrew Mason

FIGURE 23

Configure an IP Name

We have now configured a more meaningful name for the public IP address of the web server. Next we want an access rule that also allows HTTPS access to the web server.

We could simply add a second access rule permitting HTTPS from anywhere to the web server, as we did with the initial rule for HTTP. Instead, we are going to achieve this by creating a service group. Navigate to Firewall > Objects > Service Groups and click Add to create a new service group.

Because both HTTP and HTTPS run over TCP, select TCP Service Group. Call the group webaccess and add both HTTP (port 80) and HTTPS (port 443) to it.

Figure 24 shows the resulting TCP service group, which now contains two services.

The next step is to return to the Access Rules configuration screen and change the existing access rule to use the new group.

When you navigate to Firewall > Access Rules, note that the Destination field of the rule we created has changed from 10.0.0.5 to webserver-public. This happened because we added the IP name object for the web server: from now on the ASA displays 10.0.0.5 as webserver-public, which makes the rule base easier to read and understand. The name is only a label; the rule still matches on the address 10.0.0.5.


Highlight the rule we created earlier and click Edit. Select the service by clicking the ellipsis (...) button next to the Service field. We now need to pick the TCP service group we have just created; it should be at the top of the list. Select it and click OK to return to the main Access Rules screen, as shown in Figure 25.

Looking at Figure 25, we can see that the destination is now webserver-public and the service is now webaccess rather than HTTP.

We have created a single rule that allows both HTTP and HTTPS inbound on the outside interface to the public address of the web server. Note that the rule is still open to any source. That is appropriate for a public website, but if the server is meant for a known set of clients, tighten the Source field as well: this rule is the Internet-facing attack surface of that host.
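The same configuration expressed at the ASA CLI, added here as a worked example and not taken from the book. It assumes the outside interface is named outside and that the inbound ACL is called outside_access_in (the name ASDM generates for rules on the outside interface); everything else matches the ASDM steps above.

```cisco
! Added example (not from the book): CLI form of the IP name, the TCP service
! group, and the single access rule built in ASDM above.
! Assumption: the inbound ACL is named outside_access_in (ASDM's default name).

! Readable label for the web server's public address (the ACL still matches 10.0.0.5)
name 10.0.0.5 webserver-public

! One TCP service group holding both web ports
object-group service webaccess tcp
 port-object eq www
 port-object eq https

! One ACE permits both services from any Internet source to the web server only.
! Everything not matched here still hits the implicit deny at the end of the ACL.
access-list outside_access_in extended permit tcp any host webserver-public object-group webaccess
access-group outside_access_in in interface outside

! Verification: the ASA expands the group into one line per port, each with a hit counter.
show access-list outside_access_in
```

If the hit counters stay at zero while clients report failures, check the static translation from earlier in this section first: the access rule must reference the public (translated) address of the server, which is what webserver-public stands for.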


FIGURE 24

Edit TCP Service Group


Routing

The ASA supports both static and dynamic routing. The dynamic routing protocols supported are the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP).

Configure a Static Default Route on the ASA

One of the most commonly used routes on the ASA is the static default route. This is the route of last resort: every packet that does not match a more specific route on the ASA is sent to its next hop.

A high percentage of ASAs are deployed at the network perimeter, normally acting as the firewall between the corporate network and the public Internet. In these deployments a static default route pointing toward the Internet is always used.


FIGURE 25

Access Rules Screen


To configure a static default route, select Configuration from the ASDM toolbar and then Device Setup. One of the options now presented is Routing; the first option under it configures static routes.

Click Add to add a static route. Figure 26 shows a default static route that sends traffic to the next hop from the ASA out toward the public Internet.


FIGURE 26

Static Default Route

You can see from Figure 26 that we have set a route to 0.0.0.0 0.0.0.0 that points to 10.0.0.2. The notation 0.0.0.0 0.0.0.0 (network and mask) is the default catch-all address, which can also be written as 0 0.

Configure Passive RIP on the ASA

RIP can be configured on the ASA, which supports both RIPv1 and RIPv2. Earlier security devices such as the PIX would only operate RIP in passive mode, in which the interfaces configured for RIP accept routes but do not propagate routing information from the device. The ASA allows the device to participate fully in RIP routing.

For this example, we configure passive RIP on the ASA, which is a requirement of the SNAF exam.


RIP configuration is performed from the RIP section of the Routing navigation, located under Configuration > Device Setup. The first step is to enable RIP on the ASA. Figure 27 shows the configuration required for passive RIP.


FIGURE 27

Passive RIP Configuration

Figure 27 shows that we have enabled RIP, set it to use RIPv2, and globally set all interfaces to be passive. With this setup the ASA listens for and accepts routes learned via RIP but does not advertise any of its own routes to adjacent RIP neighbors. Passive mode protects the ASA's routing table from being leaked, not from being influenced: the ASA still trusts whatever a neighbor advertises, so on any segment where an untrusted host could speak RIP, enable RIPv2 authentication on the interface so that only neighbors holding the shared key can inject routes.
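The CLI equivalent of Figures 26 and 27, added here as a worked example rather than taken from the book. It assumes the interface names outside and inside, that Ethernet0/1 is the inside interface on the 192.168.1.0/24 network (the subnet of the AAA server used later in this reference), and a placeholder RIPv2 key that you would replace with your own.

```cisco
! Added example (not from the book): static default route plus passive RIPv2.
! Assumptions: interface names outside/inside, Ethernet0/1 = inside on
! 192.168.1.0/24, and the placeholder key "rip-key-1".

! Route of last resort: anything without a more specific route goes to 10.0.0.2
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1

! Passive RIP: learn routes on the inside network, advertise nothing on any interface
router rip
 version 2
 network 192.168.1.0
 passive-interface default

! Passive mode does not stop a host on the inside segment from advertising bogus
! routes to the ASA; RIPv2 MD5 authentication limits that to neighbors holding the key.
interface Ethernet0/1
 rip authentication mode md5
 rip authentication key rip-key-1 key_id 1

! Verification: S* is the static default route, R entries were learned via RIP
show route
```

The key and key_id must match on every RIP speaker on the segment; a mismatch simply means the ASA ignores those updates, which shows up as missing R entries in show route rather than as an error.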


Switching

The ASA allows you to configure multiple logical interfaces on a single physical interface and to assign each logical interface to a specific VLAN. The logical interfaces are called subinterfaces. You can assign only one VLAN to a subinterface, and each subinterface must have a VLAN ID before it can pass traffic. Because VLANs keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding physical interfaces or security appliances. The ASA can therefore be used where more interfaces are required than the installed ASA physically has.

When a physical interface is split into subinterfaces, the physical interface becomes an 802.1Q trunk. This is the same concept as a switch port on a Cisco Catalyst switch configured as a trunk to pass VLAN traffic between switches. Keep in mind that all subinterfaces share the bandwidth of, and depend on the availability of, that one physical port.

The following table shows the maximum number of physical and logical interfaces that you may configure per ASA model.

Maximum Number of Interfaces

ASA Model   Physical Interfaces   Logical Interfaces
ASA 5505    8                     3 (20*)
ASA 5510    3 (5*)                50 (100*)
ASA 5520    5                     150
ASA 5540    5                     200
ASA 5550    13                    250
ASA 5580    10                    100

* With the Security Plus license

To configure a logical interface, you must add an interface from the Add Interface screen (see Figure 28).


NOTE

You cannot configure subinterfaces on the ASA 5505 because it is a switch-based appliance where the eight physical interfaces are part of the switch and must be assigned to a VLAN interface.


You can then select which physical interface the subinterface is bound to and set options such as the VLAN ID and subinterface ID, plus the usual interface name, security level, and IP address. The switch port at the other end of the link must be configured as an 802.1Q trunk carrying the same VLAN IDs, or the tagged frames never arrive.
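The CLI form of the subinterface created in Figure 28, added here as a worked example and not taken from the book. The physical interface, VLAN IDs, interface names, and addresses are assumptions chosen for an ASA 5510; the example goes one step beyond the figure by creating two subinterfaces so the sharing of the trunk port is visible.

```cisco
! Added example (not from the book): two VLAN subinterfaces on one physical port.
! Assumptions: ASA 5510, Ethernet0/2 is the trunk port, VLANs 10 and 20,
! and the names/addresses below.

! The physical port carries the 802.1Q trunk. It gets no name or address of its
! own, so untagged (native-VLAN) frames arriving on it have nowhere to go and are dropped.
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown

! Subinterface ID (.10) and VLAN ID (10) need not match, but matching them avoids confusion.
interface Ethernet0/2.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0

interface Ethernet0/2.20
 vlan 20
 nameif guest
 security-level 10
 ip address 172.16.20.1 255.255.255.0

! Verification: both subinterfaces should show up/up with their addresses
show interface ip brief
```

On the Catalyst side the matching port is a trunk restricted to those VLANs (switchport mode trunk and switchport trunk allowed vlan 10,20). Avoid carrying the switch's native VLAN on this trunk: untagged frames bypass the VLAN separation the subinterfaces rely on.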


FIGURE 28

Creating a Subinterface


Summary

This section covered the initial configuration of the Cisco ASA. We started by looking at using the CLI and ASDM forconfiguration and then moved on to how to configure IP addresses on the interfaces and names and security levels. Wethen covered NAT, routing, and switching on the ASA.

This section worked through a simple network in which we addressed the interfaces, configured NAT for outbound access, and allowed a static translation to an internal web server. We also created an access rule that allows inbound HTTP and HTTPS traffic to the web server using an object group rather than individual access control list entries.

The next section covers the configuration of authentication, authorization, and accounting (AAA, pronounced “triple A”)on the ASA.


Section 3: AAA Configuration

Authentication, authorization, and accounting (AAA) are three services common to most Cisco devices. They are core network services and relate to the users of the system.

The first thing you want to do is authenticate users, to establish who they are and to ensure they are allowed to connect to the system. After users are authenticated, you can authorize them to perform specific activities, so that not all users have the same access rights on the system. You might also want to enable accounting to record what users do on the system; you can log items such as logon and logoff times and any commands entered while they are logged in to the device.

AAA protocols carry these services between the ASA and a AAA server. The two used in Cisco environments are TACACS+ and RADIUS, and both can be used on the Cisco ASA.

Authentication: Who Is That User on the System?

Authentication is the process of identifying users on the system. This is the username and password identification that weare all so familiar with.

Three types of authentication are supported on the Cisco ASA:

- Security appliance console access: Access to the security device itself through a protocol such as Telnet or SSH.

- Cut-through proxy: Requires user authentication for a session through the ASA. Successful authentication enables access through the ASA to specific resources.

- Tunnel access: Authenticates remote VPN users when a VPN tunnel is established, to provide an extra level of security.


Authorization: What Privileges Does the User Have?

Authorization occurs after authentication: users have to be authenticated before they can be authorized. Authorization restricts what authenticated users can do on the ASA and with the resources reached through it.

- Security appliance console access: Lets you control which commands authenticated users can issue on the ASA.

- Cut-through proxy: Apply ACLs to authenticated users using the cut-through proxy service of the ASA.

- Tunnel access: Remote VPN users can have a series of rules enforced on them once authenticated, including VPN access hours, simultaneous logons, client block rules, personal computer firewall type, idle timeout, and so on. The tunnel user or group information is applied to the tunnel before the tunnel is fully established.

Accounting: What Has the User Done?

Once authenticated, the user's activity can be tracked; this is called accounting. Activity such as logging on to the ASA or using the cut-through proxy service can be recorded, as can the configuration commands entered by users authenticated for security appliance console access.

AAA Configuration

We now turn our attention to using the ASDM to configure AAA services on the ASA.

The first thing to consider when configuring AAA services is the user database. Two main types of user databases can beused in the configuration of AAA: the local user database and an external user database.

Local User Database Configuration

The ASA has the built-in capability to store user account information in an internal database, the local user database. This database is used when no external user database is available, or as a backup in case the external user database fails or is not reachable from the ASA.


By default, a single default user is created in the local account database: the user called enable_15.

Figure 29 shows the default User Accounts screen that you can access by selecting Configuration on the toolbar and thenDevice Management > Users/AAA > User Accounts.


FIGURE 29

Default User Accounts

To enter a user into the local user database, click Add. The Add User Account screen opens.

Let's add a user called testuser1 to the local account database. Enter the username testuser1 into the Username field and the password cisco123 into the Password field. (cisco123 is a lab value only; on a production device use a long, unique password, up to the 32 characters the ASA allows.)

Confirm the password, and then click OK to add the user to the local user database. Figure 30 shows the completed Add User Account screen.

NOTE

The minimum password length is 4 characters, and the maximum is 32 characters (recommended = 8). Passwords are case sensitive. When you enter a password, the Password field displays only asterisks.


You now have two users in the local user database: the default enable_15 user and the newly created testuser1. The enable_15 user has a privilege level of 15, and you can see that testuser1 has a privilege level of 2, the ASDM default for a new user.

You can set a local user lockout policy so that an account locks after a maximum number of failed authentication attempts. Lockout is a useful security feature that blunts dictionary and brute-force attacks against user accounts. It also hands anyone who can reach a login prompt a way to lock accounts on purpose, so pair it with restricting management access (SSH, ASDM) to trusted source addresses rather than relying on it alone.

To configure the local user lockout, navigate to the Device Management > Users/AAA > AAA Server Groups screen (see Figure 31).


FIGURE 30

Add User Account


From this screen, you can see that the only AAA server group created so far is the LOCAL group. Click Edit, and the Edit LOCAL Server Group window appears (see Figure 32).


FIGURE 31

AAA Server Groups

FIGURE 32

Edit LOCAL Server Group


Click to enable local user lockout and set the maximum attempts to 5, as shown in Figure 32.

At this point we have enabled local user lockout: if a user enters the wrong password five times in a row, the account is locked and must be unlocked manually. You unlock it from the AAA Local Locked Out Users screen, reached by choosing Monitoring from the toolbar and then navigating to Properties > Device Access > AAA Local Locked Out Users.

Figure 33 shows the AAA Local Locked Out Users screen.


FIGURE 33

AAA Local Locked Out Users

To reenable a locked account, you select the locked-out account and then click the Clear Selected Lockout button.


External User Database Configuration

The second type of authentication database is an external user database, one that lives outside the ASA on a separate server.

The ASA supports the following external user databases:

- RADIUS

- TACACS+

- Microsoft Windows NT domain

- SDI (RSA SecurID)

- Kerberos

- LDAP

- HTTP Form

Cisco Secure Access Control Server (ACS) is a software application for Windows or UNIX that provides the RADIUS and TACACS+ authentication protocols. Cisco Secure ACS is also available as an appliance on a prebuilt server, which can be treated as a true authentication appliance.

To use an external user database, you must define the AAA server group and then add the authentication servers to the group.

Navigate to the Device Management > Users/AAA > AAA Server Groups screen. You should see just the default LOCAL server group. Add a new server group called ACS, set the protocol to RADIUS (the server added below is a RADIUS server), and accept the remaining defaults.

You now have the groups LOCAL and ACS (see Figure 34).


We now need to add a server to the group. Ensure the ACS group is highlighted, and then click Add under Servers in the Selected Group.

In the example, we are configuring access to a RADIUS server on the inside interface with an IP address of 192.168.1.251. We also have to set the server secret key. The same key must be configured on the ACS server for this ASA client; RADIUS uses it to authenticate the messages exchanged between the ASA and the server in both directions, so a mismatch causes every authentication to fail.

Figure 35 shows the Add AAA Server screen.


FIGURE 34

AAA Server Groups


You now have the ACS AAA server group with a single server in it. You can have multiple servers in a group for redundancy and for load balancing when the network is heavily used.

To enable authentication against the AAA server you have just added, navigate to the Device Management > Users/AAA > AAA Access screen. From this screen you can enable AAA for the server group you just created. When you turn on authentication for console access (SSH, Telnet, ASDM/HTTPS) against the ACS group, also select the option to fall back to the LOCAL database when the server group is unavailable; otherwise a RADIUS outage locks you out of the ASA.

Figure 36 shows the AAA Access screen and the configuration options on the Authentication tab.


FIGURE 35

Add AAA Server


Auth-Proxy Configuration

With the authentication proxy, the ASA intercepts a session to a specific service as it starts and prompts the user for credentials, which it checks against the AAA server. After successful authentication, the user is authorized to use the service for a set period (the uauth timeout) without reauthenticating or reauthorizing.

The ASA supports the following protocols for authentication proxy:

- TCP port 21 for FTP

- TCP port 23 for Telnet

- TCP port 80 for HTTP

- TCP port 443 for HTTPS


FIGURE 36

AAA Access Screen

NOTE

Authentication proxy is also known as auth-proxy and cut-through proxy. The feature is also available on the PIX, the IOS Firewall, and on products from other leading security vendors.


To configure authentication proxy on the ASA, you must complete three steps:

1. Specify a AAA server group.

2. Designate an authentication server.

3. Enable authentication proxy user authentication by configuring a AAA authentication rule.

Specify a AAA Server Group

The first step is to specify a AAA server group. We already configured a AAA server group called ACS that we can use for this example; Figure 34 shows it.

Designate an Authentication Server

The second step is to configure an authentication server within the server group you have just created. This is the server that carries out the authentication for the cut-through proxy. We already added an authentication server at 192.168.1.251, as shown in Figure 35.

Enable Authentication Proxy User Authentication by Configuring a AAA Authentication Rule

The third and last step is to create a AAA authentication rule that enables authentication proxy.

To do this, navigate to Firewall > AAA Rules.

By default, no AAA rules are configured. We have to add an authentication AAA rule to enable authentication proxy.

Click the Add button and then select Add Authentication Rule to open the Add Authentication Rule screen.


We are going to create an authentication rule to authenticate traffic from anywhere going to the web server we previouslycreated. We are going to authenticate on the webaccess group that we created earlier, which contains both HTTP andHTTPS.

Figure 37 shows the completed Add Authentication Rule screen.


FIGURE 37

Add Authentication Rule

In this example, after the authentication rule is applied, users are prompted for a username and password when they start HTTP or HTTPS connections to 10.0.0.5 from the outside. The AAA server verifies whether the username and password are correct. If they are, the security appliance's cut-through proxy permits further traffic between the initiating host and the target host. Two points to keep in mind: the authentication rule adds a step, it does not permit traffic on its own, so the access rule from Section 2 must still allow the sessions; and over plain HTTP the prompt is an HTTP basic-authentication challenge, so the credentials cross the network encoded but not encrypted, which is one more reason to steer Internet clients to HTTPS.
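The CLI equivalent of the AAA configuration built through Figures 29 to 38, added as a worked example rather than taken from the book. It assumes a placeholder RADIUS shared secret, the name AUTH-WEB for the ACL that selects sessions to authenticate, and the webaccess service group from Section 2 (repeated here so the fragment stands on its own).

```cisco
! Added example (not from the book): local user, lockout, RADIUS group, console
! authentication, and the cut-through proxy rule from this section.
! Assumptions: shared secret "change-this-secret", ACL name AUTH-WEB.

! Local database: the book's test user at the ASDM default privilege level 2
username testuser1 password cisco123 privilege 2
! Lock a local account after five consecutive failures (Figure 32)
aaa local authentication attempts max-fail 5

! External database: RADIUS group ACS with one server on the inside (Figure 35).
! The key must match the server's entry for this ASA; it authenticates every
! RADIUS message in both directions.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.168.1.251
 key change-this-secret

! Management access authenticates against ACS, falling back to LOCAL only when the
! server group is unreachable, so an outage cannot lock administrators out.
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL

! Cut-through proxy (Figure 37): which sessions must authenticate before the
! existing access rule is allowed to pass them.
object-group service webaccess tcp
 port-object eq www
 port-object eq https
access-list AUTH-WEB extended permit tcp any host 10.0.0.5 object-group webaccess
aaa authentication match AUTH-WEB outside ACS

! Operations: locked local accounts (Figure 33), unlocking one, and current proxy sessions
show aaa local user locked
clear aaa local user lockout username testuser1
show uauth
```

The match ACL is consulted only to decide who must authenticate; a session that passes authentication is still subject to the inbound access rule on the outside interface, and a session the access rule blocks is never challenged at all.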

Figure 38 shows the AAA Rules screen with the applied authentication rule.


Summary

This section covered authentication, authorization, and accounting (also known as AAA, or the triple-A services) on the ASA. We started with an overview of the roles for AAA before moving on and discussing how to configure a local user database and remote-user database.

We ended this section by discussing how to configure the authentication proxy service on the ASA. This service allows the ASA to dynamically permit or deny user access to a service based on authentication credentials, and it offers another useful layer of security between the network and the users.

In the next section, we look at some more advanced features of the ASA, and cover such things as threat detection, the Modular Policy Framework, and transparent firewalling.


FIGURE 38

Add Rules Screen


Section 4: Advanced Configuration

We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a traditional stateful firewall.

Modular Policy Framework

The Modular Policy Framework (MPF) is an advanced feature of the ASA that provides the security administrator with greater granularity and more flexibility when configuring network policies. The security administrator is able to do the following:

- Define flows of traffic

- Associate security policies to traffic flows

- Enable a set of security policies on an interface or globally

Modular policies consist of the following components:

- Class maps

- Policy maps

- Service policies

Class Maps

A class map is a configuration element that is used to match something. A class map is similar in operation to an access control list (ACL), but with class maps you can match other items that ACLs cannot match.


Class maps can define a class of traffic by matching via the following command keywords:

- access list: An entry in an ACL.

- any: Any packet.

- default inspection traffic: The default TCP and UDP ports used by all applications that the security appliance can inspect. You can specify an ACL-based class along with the default inspection traffic class to narrow the matched traffic.

- dscp: A differentiated services code point (DSCP) value in the IP header defined by the Internet Engineering Task Force (IETF).

- flow: All traffic going to a unique IP destination address.

- port: Traffic using the TCP or UDP destination port or a contiguous range of ports.

- precedence: The precedence value represented by the Type of Service (ToS) byte in the IP header.

- rtp: Real-Time Transport Protocol (RTP) destination port.

- tunnel-group: VPN tunnel traffic. If you use this criterion, you can also configure the class to match a specific destination IP address within the tunnel group.

Class maps are assigned to policy maps.

Policy Maps

The class map determines what is matched, and the policy map associates one or more actions with a class of traffic.


The policy actions that can be configured are as follows:

- Forward the traffic flow to the Security Services Module (when present) for intrusion protection or content security and control services by creating an intrusion prevention system (IPS) or a content security and control (CSC) policy.

- Perform a specified protocol inspection or inspections by creating an inspection policy.

- Police the bandwidth used by the specified flow by creating a quality of service (QoS) police policy.

- Direct the flow to the low-latency queue by creating a QoS priority policy.

- Set connection parameters on the flows by creating a set connection policy.

Service Policies

The service policy activates a policy map on a targeted interface or globally on all interfaces. Service policies are represented as service policy rules in the ASDM.

To configure a service policy rule, you first need to navigate to Firewall > Service Policy Rules. You will see a screen that shows the default service policy rule (see Figure 39).

Clicking Add launches the Add Service Policy Rule Wizard. The wizard configures a service policy rule in three steps:

Step 1: Configure a service policy.

Step 2: Configure the traffic classification criteria for the service policy rule.

Step 3: Configure actions on the traffic classified by the service policy rule.


Step 1: Configure a Service Policy

In Step 1, you have to give the service policy a name and either apply it to a specific interface or apply it globally, which applies the policy on all interfaces. You can also provide a description of the service policy. You can see the screen in Figure 40.


FIGURE 39

Service Policy Rules


Step 2: Configure the Traffic Classification Criteria for the Service Policy Rule

You are now asked to either create a new traffic class or use an existing traffic class.

When creating a new traffic class, you must enter the name for the new traffic class and supply a description. You have the option to match traffic against the criteria we covered earlier in this section about class maps.

This is shown in Figure 41.

When you select one of the traffic-match criteria, the next screen you are shown is the configuration screen for that criteria. We chose Tunnel Group as the traffic-match criteria, and Figure 42 shows that you have the option now to select a tunnel group to match.


FIGURE 40

Service Policy Step 1


FIGURE 41

Traffic Classification

FIGURE 42

Tunnel Group


Step 3: Configure Actions on the Traffic Classified by the Service Policy Rule

The next screen is the Rule Actions screen. Three tabs display at the top of the screen:

- Protocol Inspection

- Connection Settings

- QoS

The Protocol Inspection tab enables you to configure protocol-specific inspections if the traffic-match criteria allow it. Figure 43 shows this screen.


FIGURE 43

Protocol Inspection


The Connection Settings tab enables you to set the maximum connections for TCP and UDP connections and the TCP timeout. You can also choose to randomize the TCP sequence number and enable TCP normalization.

Figure 44 shows this screen.


FIGURE 44

Connection Settings

You can use the QoS tab to enable priority and policing for the traffic flow. When policing is selected, you can apply QoS settings to the flow to restrict the amount of bandwidth the flow is provided when traversing the interfaces of the firewall.

You can use this setting to reduce potential denial-of-service (DoS) attempts, because you can limit the amount of bandwidth allocated to a protocol.


Figure 45 shows this screen.


FIGURE 45

QoS

You click Finish to apply the service policy rule. It is added to the ASA when you click Apply from the main Service Policy Rules window on the ASDM.
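What the three wizard steps produce in the running configuration, added here as an example; this is not configuration from the book. The class map selects web traffic by destination port (Step 2), the policy map attaches an inspection, connection settings with TCP normalization, and a policer to that class (Step 3), and the service policy activates it on one interface (Step 1). The names WEB_TRAFFIC, WEB_POLICY and TCP_NORMALIZER, the outside interface, and every numeric limit are assumptions chosen for the example.

```cisco
! Step 2 equivalent: a class map that matches TCP traffic to destination port 80
class-map WEB_TRAFFIC
 description Web traffic to the DMZ server
 match port tcp eq 80
!
! TCP normalization options referenced from the Connection Settings tab
tcp-map TCP_NORMALIZER
 reserved-bits clear
 urgent-flag clear
 checksum-verification
 check-retransmission
!
! Step 3 equivalent: actions bound to the class
policy-map WEB_POLICY
 class WEB_TRAFFIC
  ! Protocol Inspection tab
  inspect http
  ! Connection Settings tab: connection limits, SYN-flood protection,
  ! sequence number randomization, and the TCP normalizer defined above
  set connection conn-max 2000 embryonic-conn-max 500
  set connection random-sequence-number enable
  set connection advanced-options TCP_NORMALIZER
  ! QoS tab: police the flow to 1 Mbit/s with a 37500-byte burst
  police output 1000000 37500
!
! Step 1 equivalent: activate the policy map on the outside interface
! (the ASA already has "service-policy global_policy global" for the
! default inspections; one policy map per interface plus one global one)
service-policy WEB_POLICY interface outside
```

The embryonic connection limit is the setting that matters most for DoS resistance: once the number of half-open connections to the matched flow passes it, the ASA proxies the TCP handshake itself and only forwards connections that complete it.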

Threat Detection

Threat detection on the ASA is similar in operation to an IPS.

Two types of threat detection are available on the ASA:

- Basic threat detection

- Scanning threat detection


Basic threat detection is enabled by default. You can enable both basic and scanning threat detection independently of each other. One is not dependent on the other, and therefore you can have one, both, or neither configured on your ASA.

Basic Threat Detection

The security appliance basic threat detection feature provides threat-related drop statistics by monitoring the rate of dropped packets and security events per second (eps).

When the rate of dropped packets or security events exceeds established thresholds, basic threat detection generates a syslog message.

This enables you to detect activity that might be related to an attack, such as a DoS attack.

The ASA basic threat detection provides threat-related drop statistics by monitoring the following events:

- Access list denials

- Bad packet format

- Exceeded connection limits

- Detection of DoS attacks

- Failed basic firewall checks

- Detection of suspicious Internet Control Message Protocol (ICMP) packets

- Packets failing application inspection

- Interface overload

- Detection of scanning attacks

- Detection of incomplete sessions, such as TCP SYN attacks or no data UDP session attacks


NOTE

Basic threat detection is enabled by default on the ASA. There is a minimal impact on performance when there are drops or potential threats on the ASA.


The ASA tracks two types of rates for each monitored event: the average rate and the burst rate.

The average rate is the rate measured over a longer time interval. The burst rate is the rate measured over a much shorter interval, which is one-tenth of the average-rate interval or 10 seconds, whichever is the highest.

A syslog message is generated when either rate for a monitored event exceeds its threshold.

The following table shows the default threshold rates for basic threat detection.

Default Threshold Rates for Basic Threat Detection

Packet Drop Reason                      Average Rate                      Burst Rate
                                        (drops/second, last 600 seconds)  (drops/second, last 10-second period)
DoS attack detected                     100                               400
Bad packet format                       100                               400
Connection limits exceeded              100                               400
Suspicious ICMP packets                 100                               400
Scanning attack detected                5                                 10
Incomplete session                      100                               200
Denial by access list                   400                               800
Basic firewall checks failed            400                               1600
Packet failed application inspection    400                               1600
Interface overload                      2000                              8000

Basic threat detection is configured from the Firewall > Threat Detection screen. This is shown in Figure 46.


FIGURE 46

Threat Detection

You can see from Figure 46 that basic threat detection is enabled on this ASA. To disable it, uncheck the check box.

Tuning of the basic threat detection is performed in the CLI configuration with the threat-detection command. This is beyond the scope of the SNAF exam.

Scanning Threat Detection

The scanning threat detection feature of the ASA is concerned with hosts performing network scans against networks protected by the ASA.

Network reconnaissance scans, or port scans as they are commonly known, are normally a precursor to an attacker launching a full-blown attack on a system. The first step is normally to identify which ports and services are available on a system before enumerating and fingerprinting these ports to check for known vulnerabilities. A known vulnerability is always the preferred route in for attackers because they can use simple attack scripts to gain access and then escalate privileges.

When performing scanning threat detection, the ASA utilizes an extensive database of host statistics to generate syslog messages when a host is identified as either an attacker or a target.

As with basic threat detection, scanning threat detection is configured from the Firewall > Threat Detection screen.

We have now enabled scanning threat detection and selected to shun hosts detected by scanning threat detection.

Figure 47 shows the Threat Detection configuration window with both basic threat detection and scanning threat detection enabled.


NOTE

The scanning threat detection feature can significantly affect the performance and memory use of the ASA while it creates and gathers the host- and subnet-based data structure and information. Performance impact varies depending on the ASA platform.

FIGURE 47

Threat Detection: Basic and Scanning


When a shun is activated, all current connections from the malicious host are dropped, and all future connections are blocked at the outside interface of the ASA. Shuns are dynamic in nature, and are not stored as a part of the configuration. If the security appliance loses power or reloads, any active shuns are lost.

You can specify a network, or network object, that will not be shunned. In the example, we have set that 10.1.0.0/24 will not be shunned. This setting is useful for entering networks that should never be blocked, such as testing partners or third-party support organizations.
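The CLI equivalent of the Threat Detection screen configured above, added here as an example that is not from the book, together with the show commands an operator uses to see what threat detection has found. The shun exception is the 10.1.0.0/24 network named in the text; the one-hour shun duration and the address 203.0.113.10 in the clear command are constructed values for the example.

```cisco
! Basic threat detection (the default; shown so the intent is explicit in the config)
threat-detection basic-threat
!
! Scanning threat detection with automatic shunning of detected attackers.
! The except clause keeps the partner network out of the shun list.
threat-detection scanning-threat shun except ip-address 10.1.0.0 255.255.255.0
!
! Shuns are not saved in the configuration, so bound how long one lasts
! (seconds, constructed value)
threat-detection scanning-threat shun duration 3600
!
! Operational checks
! Current drop rates against the thresholds in the table above
show threat-detection rate
! Hosts scanning threat detection has classified as attackers or targets
show threat-detection scanning-threat attacker
show threat-detection scanning-threat target
! Hosts currently shunned by threat detection
show threat-detection shun
! Release one shunned host manually (constructed address)
clear threat-detection shun 203.0.113.10
```

For monitoring, the events to forward to the syslog collector are 733100 (a basic threat detection drop rate exceeded its threshold), 733101 (a host or subnet was classified as attacker or target by scanning threat detection), and 733102 / 733103 (a host was added to or removed from the shun list).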

Transparent Firewalling

In Section 2, we mentioned the two modes of operation for the Cisco ASA: routed and transparent.

Routed mode is the default mode, and this is where the ASA acts as a Layer 3 device, requiring an IP address on each interface that is from a different Layer 3 subnet. The ASA operates like a router.

Transparent mode is where the ASA acts like a Layer 2 bridge. The ASA forwards based on MAC addresses, and it will no longer sit on the perimeter between subnets; instead, it will act as a transparent bridge. An ASA running in transparent mode differs from routed mode in the following ways:

- Supports only two interfaces

- Requires only one IP address

- Bridges packets from one interface/VLAN to the other

- Performs MAC address lookups rather than routing table lookups

- Can pass traffic that cannot be passed by a security appliance in routed mode


The following are limitations that you must consider when implementing an ASA in transparent mode:

- Dynamic DNS is not supported.

- Dynamic routing protocols are not supported.

- IPv6 is not supported.

- DHCP Relay is not supported.

- QoS is not supported.

- Multicast is not supported.

- Virtual private network (VPN) termination is not supported.

One of the main advantages of using an ASA in transparent mode is that you can place the ASA in the network without re-addressing. This makes the firewall a viable solution where the infrastructure already exists and re-addressing would prove troublesome.

We will now look at how to configure the ASA as a transparent firewall using both the CLI and the ASDM.

Transparent Firewall Configuration: CLI

From the command line, you can verify what the current firewall mode is with the show firewall command:

ciscoasa#show firewall

Firewall mode: Router

This shows that the current firewall is in routed mode. We can switch the ASA to transparent mode with the following command:

ciscoasa(config)#firewall transparent


Checking the current firewall mode now shows the following:

ciscoasa#show firewall

Firewall mode: Transparent

The ASA is now in transparent mode. If you now check the running configuration, you will see that all the interfaces will be in a shutdown state, with the entire VLAN, interface, and IP configuration that we have previously entered absent.

The first configuration step with transparent mode is to assign the management IP address. Because the ASA does not now participate in IP routing, we have to give the ASA an IP address so that we can access it via SSH and the ASDM for management.

Let’s use the same IP address as before, 192.168.1.254, but this time it will be as the management IP address. We configure this with the following command.

ciscoasa(config)#ip address 192.168.1.254 255.255.255.0

This sets the management IP address to be 192.168.1.254/24. We can use the show ip address command to verify this:

ciscoasa#show ip address

Management System IP Address:

ip address 192.168.1.254 255.255.255.0

Management Current IP Address:

ip address 192.168.1.254 255.255.255.0

We now need to configure the two interfaces that we are going to use with the ASA. For ease of use, we will call these the default inside and outside interfaces, as covered in Section 2.

Note that although the inside and outside interfaces are on the same subnet, they have to be on different VLANs; otherwise, the ASA will not pass traffic. Figure 48 shows the change to the topology that we are using so that the ASA in our example will be used in transparent mode.


NOTE

When switching modes between routed and transparent, the ASA will clear the configuration. Therefore, it is important that you have a backup of the current configuration. The ASA provides no warning or confirmation, so this command can be very dangerous if used incorrectly. So, you should also change the mode while connected via the console cable. A Secure Shell (SSH) or Telnet connection to the ASA will result in a loss of connection if the firewall mode is changed.


We now have to follow the steps outlined in Section 2 to set up the ASA so that we can access ASDM. In brief, we need to enable and configure an interface and enable the HTTP server on the ASA. When that is completed, you will be able to connect to the ASDM using the 192.168.1.254 management address that we configured.

Figure 49 shows us connected again to the ASDM. Notice that the firewall mode is shown as transparent.


FIGURE 48

Transparent Mode Topology (management IP address 192.168.1.254/24; inside: E0/1, VLAN 1, 192.168.1.0/24, security level 100; outside: E0/0, VLAN 2, 192.168.1.0/24, security level 0)

FIGURE 49

ASDM: Transparent Mode


We are now going to configure the transparent firewall in ASDM.

If you need to switch back to routed mode, you must use the no firewall transparent command to return to the original routed mode of the ASA:

ciscoasa(config)#no firewall transparent

Checking the current firewall mode now shows the following:

ciscoasa#show firewall

Firewall mode: Router
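The complete CLI sequence for the transparent-mode topology of Figure 48, added here as an example that is not the book's own configuration. It assumes an ASA 5505 (switch ports E0/0 and E0/1 mapped to VLAN interfaces, as in the figure), that the mode change is entered from the console, and that an RSA key already exists for SSH.

```cisco
! Switch the mode from the console: this wipes the running configuration,
! so save a copy first (e.g. "copy running-config tftp:") and expect any
! SSH or Telnet session to drop.
firewall transparent
!
! One management address for the whole bridge, not per interface
ip address 192.168.1.254 255.255.255.0
!
! The two bridged interfaces: same subnet, different VLANs, no IP addresses
interface Vlan1
 nameif inside
 security-level 100
 no shutdown
interface Vlan2
 nameif outside
 security-level 0
 no shutdown
!
! Map the physical switch ports of the 5505 onto the two VLANs (Figure 48)
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
! Management access, limited to the inside network
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
!
! Verification
show firewall
show ip address
show interface ip brief
```

Restricting the http and ssh statements to the inside interface matters more in transparent mode than in routed mode: the management address is reachable from whichever side can bridge to it, so the access lists on those two commands are what keeps the ASDM and SSH listeners off the outside segment.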

Transparent Firewall Configuration: ASDM

Once you are connected to the ASDM, you will notice that some of the configuration options available when the ASA was in routed mode are not available any more. When the ASA is in transparent mode, there is limited functionality and new functionality such as the ability to create Ethertype rules.

Adding an access rule on a transparent firewall is the same as adding an access rule on a routed firewall. You do it from the Firewall > Access Rules screen, and the format is the same for a transparent ASA as for a routed ASA.

Figure 50 shows the default access rules for the ASA in transparent mode.

Note that these default rules are the same as with a routed ASA. Therefore, the Adaptive Security Algorithm still applies to the security level, allowing traffic only to flow in one direction by default (without the addition of access rules to permit it).

We are now going to look at two functions that you can perform with the ASA in transparent mode that you cannot do in routed mode. These are permitting multicast and broadcast traffic through the ASA and configuring an Ethertype ACL.

[ 76 ]

© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 132 for more details.

CCSP SNAF Quick Reference by Andrew Mason

CCSP SNAF Quick Reference. CCSP SNAF Quick Reference, ISBN: 9781587058691Prepared for [email protected], Jeremy KicklighterCopyright © 2009 Cisco Systems, Inc.. This PDF is made available for personal use only during the relevant subscription term, subject to the Safari Terms of Service. Any other use requires prior written consent from the copyright owner. Unauthorizeduse, reproduction and/or distribution are strictly prohibited and violate applicable laws. All rights reserved.


Permitting Multicast and Broadcast Traffic

Because the ASA is now operating as a bridge, it is possible to pass multicast and broadcast traffic through it. This is good for passing traffic such as dynamic routing protocols, DHCP, and multicast streams, all of which cannot pass through a traditional routed ASA.

Let’s create an access rule to permit Open Shortest Path First (OSPF) Protocol traffic through the ASA in both directions. OSPF uses multicast addresses to communicate with its neighbors and to send routing updates. Figure 51 shows an access rule that will allow any traffic destined for the multicast address 224.0.0.5 or 224.0.0.6.


FIGURE 50 - Access Rules: Transparent Mode


We then create a rule on the outside interface to permit OSPF from the outside in. When this is applied, we are presented with the Access Rules screen, as shown in Figure 52.

Configuring an Ethertype ACL

When the Cisco ASA is in transparent mode, it can also allow non-IP traffic through the firewall, something that the ASA in routed mode would not be able to do. This is achieved by creating what is called an Ethertype ACL.

Layer 2 traffic has an Ethertype that can be seen in the Layer 2 headers of the frame. These Ethertypes are assigned by the Internet Assigned Numbers Authority (IANA), and the list of assigned Ethertypes can be downloaded from http://www.iana.org/assignments/ethernet-numbers.


FIGURE 51 - OSPF Access Rule


To configure an Ethertype rule, navigate to Firewall > Ethertype Rules. From here, you can add a new rule.

Figure 53 shows the Add Ethertype Rule window. From here, you can select the interface, action, and Ethertype to permit or deny.


FIGURE 52 - Access Rules Screen Showing OSPF

FIGURE 53 - Ethertype Rules


The common supported Ethertypes on the ASA are as follows:

- BPDU

- IPX

- MPLS-Multicast

- MPLS-Unicast

In addition to these built-in Ethertypes, you can enter any value for any Ethertype, as outlined in the IANA Ethertype assignments. The value has to be entered in hexadecimal format. For example, ARP would be 0x0806.
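The Ethertype handling described above, as an added Python example (not code from the book or from Cisco): it normalizes the named and hexadecimal Ethertype values an operator enters and evaluates a first-match rule list of interface, action, and Ethertype. The sample rule list, the IANA numbers for the named types, the treatment of bpdu as any 802.3 length-encoded frame, and the implicit deny at the end of the list are this example's assumptions.

```python
"""Ethertype rule helper (added example; not code from the book or from Cisco)."""
from dataclasses import dataclass
from typing import List

# Named Ethertypes from the text, mapped to their IANA-assigned numbers.
NAMED_ETHERTYPES = {
    "ipx": 0x8137,
    "mpls-unicast": 0x8847,
    "mpls-multicast": 0x8848,
}

# IEEE 802.3: a type/length field of 1500 (0x05DC) or less is a length, so
# genuine Ethertypes start at 0x0600. Spanning-tree BPDUs travel in such
# length-encoded LLC frames, which is why the ASA exposes "bpdu" as a keyword
# rather than a number. This example (an assumption, not ASA behaviour)
# treats "bpdu" as matching any length-encoded frame.
MAX_8023_LENGTH = 0x05DC


def parse_ethertype(text: str) -> int:
    """Return the 16-bit Ethertype for a listed name or a hex literal.

    Hex is accepted with or without the 0x prefix, as in 0x0806 for ARP.
    Raises ValueError for anything that is not a valid Ethertype.
    """
    key = text.strip().lower()
    if key in NAMED_ETHERTYPES:
        return NAMED_ETHERTYPES[key]
    try:
        value = int(key, 16)
    except ValueError:
        raise ValueError(
            f"unknown Ethertype {text!r}: use a listed name or hex such as 0x0806"
        ) from None
    if not MAX_8023_LENGTH < value <= 0xFFFF:
        raise ValueError(f"{text!r} is outside the Ethertype range 0x0600-0xFFFF")
    return value


@dataclass(frozen=True)
class EthertypeRule:
    interface: str   # interface the rule applies to, e.g. "outside"
    action: str      # "permit" or "deny"
    ethertype: str   # "any", "bpdu", a listed name, or a hex literal


def rule_matches(rule: EthertypeRule, interface: str, type_field: int) -> bool:
    """True when a frame with this type/length field, seen on this interface, hits the rule."""
    if rule.interface != interface:
        return False
    spec = rule.ethertype.strip().lower()
    if spec == "any":
        return True
    if spec == "bpdu":
        return type_field <= MAX_8023_LENGTH
    return parse_ethertype(spec) == type_field


def evaluate(rules: List[EthertypeRule], interface: str, type_field: int) -> str:
    """First-match evaluation of the rule list.

    Frames that match no rule are denied; that implicit deny is an assumption
    of this example.
    """
    for rule in rules:
        if rule_matches(rule, interface, type_field):
            return rule.action
    return "deny"


# Constructed sample rule list for the outside interface: permit spanning-tree
# BPDUs and ARP, deny IPX explicitly, leave everything else to the implicit deny.
SAMPLE_RULES = [
    EthertypeRule("outside", "permit", "bpdu"),
    EthertypeRule("outside", "permit", "0x0806"),
    EthertypeRule("outside", "deny", "ipx"),
]

if __name__ == "__main__":
    samples = (("ARP", 0x0806), ("IPX", 0x8137), ("IPv6", 0x86DD), ("802.3 LLC", 0x0026))
    for name, type_field in samples:
        verdict = evaluate(SAMPLE_RULES, "outside", type_field)
        print(f"{name:10} type/length 0x{type_field:04X} on outside -> {verdict}")
```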

Verifying the Transparent Firewall

From the CLI, you can use a few commands to verify the transparent firewall. Some of the main ones are listed here:

- show firewall: Displays the mode the firewall is in.

- show access-list: Displays the currently configured access lists.

- show mac-address-table: Displays the bridging MAC address table.

- show arp: Displays the Address Resolution Protocol (ARP) table of the ASA.

Summary

In this section, we have progressed and looked at some of the more advanced features of the ASA, including the Modular Policy Framework, threat detection, and transparent firewalling. This section provided a background on the technologies and configuration guidelines for each technology.

In the next section, we cover VPNs on the Cisco ASA. We look at the difference between site-to-site and remote-access VPNs before describing how to configure each type of VPN using ASDM’s built-in wizards.


SECTION 5

VPN Configuration

Section 5: VPN Configuration

Virtual private networks (VPNs) are a way to establish private connections over public networks. They have replaced the traditional leased-line connectivity method when connecting two sites together, especially for smaller sites within an organization.

There are two main types of VPNs:

- Site-to-site VPNs

- Remote-access VPNs

Site-to-Site VPNs

Site-to-site VPNs are used to connect two sites together. These are normally used to connect a branch office to the central office, as shown in Figure 54.


FIGURE 54 - Site-to-Site VPN (Head Office and Remote Site B connected by VPN tunnels across the Internet)


The site-to-site VPN provides connectivity between the branch office and central office so that workers in the branch office can access resources such as email and file and print services that are located at the central office. The implementation of a site-to-site VPN is transparent to the end user, because users are not required to perform any actions to connect to the central office.

Site-to-site VPNs use IPsec to provide data authentication and confidentiality.

The use of IPsec allows the ASA to accomplish the following:

- Negotiation of tunnel parameters

- Establishment of tunnels

- Authentication of users and data

- Management of security keys

- Encryption and decryption of data

- Management of data transfer across tunnels

- Management of data transfer inbound and outbound as a tunnel endpoint or router

IPsec commences a five-step procedure:

- Interesting traffic: Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected.

- IKE Phase 1: A basic set of security services are negotiated and agreed on between peers. These security services protect all subsequent communications between the peers. IKE Phase 1 sets up a secure communication channel between peers.

- IKE Phase 2: IKE negotiates IPsec security association (SA) parameters and sets up matching IPsec SAs in the peers. These security parameters are used to protect data and messages that are exchanged between endpoints.


- Data transfer: Data is transferred between IPsec peers based on the IPsec parameters and keys that are stored in the SA database.

- IPsec tunnel termination: IPsec SAs terminate through deletion or by timing out.

The Cisco ASA supports the configuration of a site-to-site VPN using IPsec.

Remote-Access VPNs

A remote-access VPN provides secure connectivity to remote workers. The traditional model of remote-access VPNs is where a user has a software VPN client on his laptop and uses this to connect to the central site from a remote location.

Once connected to the remote-access VPN, the user has a network connection to the central office and can access resources such as email and file and print services that are located at the central office. Figure 55 shows a remote-access VPN.


FIGURE 55 - Remote-Access VPN (a remote access user connecting to the ASA across the Internet)


Cisco ASA supports two types of remote-access VPN: the client-based and the clientless remote-access VPN.

The client-based remote-access VPN is the traditional remote-access VPN. This is where the user has what is commonly called an IPsec client on her computer. She has to initiate this software client to make a connection to the central office network.

The clientless method is a newer method of remote-access VPN. Originally, this was called WebVPN, but it is now referred to as SSL VPN. SSL VPN uses a web browser such as Microsoft Internet Explorer or Firefox to act as the client. The protection is provided by Secure Sockets Layer (SSL) rather than IPsec as the client connects to a secure gateway and then resources are made available from the gateway.

There are advantages to both methods for remote-access VPN. The IPsec client version gives a more transparent solution where network access is provided, and the SSL clientless version benefits from having no client on the user’s computer and so access can be provided from public hotspots and third-party computers.

Site-to-Site VPN Configuration

Before you configure any VPN, you must decide which parameters you want to use for the IKE and IPsec policies.

When configuring an IPsec site-to-site VPN, it is important that both peers of the VPN agree on the IKE and IPsec policies. The local and remote network VPN configuration must mirror the other peer.

Site-to-site VPNs can be configured from the ASDM using the IPsec VPN Wizard. Select Wizards from the ASDM menu bar, and then choose IPsec VPN Wizard to start the VPN configuration.

There are six steps to complete this wizard.


Step 1: VPN Tunnel Type

The first step is to select the VPN tunnel type. The options are Site-to-Site or Remote Access. For this example, we use Site-to-Site, as shown in Figure 56.


FIGURE 56 - VPN Tunnel Type

The VPN tunnel interface has been set to outside, and we want IPsec to bypass interface access lists so that the firewall access rules do not interfere with the VPN traffic.

Step 2: Remote-Site Peer

At Step 2, you must enter the IP address of the remote-site device. This is the other end of the VPN, which also needs configuring with an identical, mirrored configuration. A preshared key or certificate and the tunnel group name are also required, as shown in Figure 57.


Step 3: IKE Policy

In Step 3, you define the IKE policy. You can see from Figure 58 that we have used the default Internet Key Exchange (IKE) policy of 3DES encryption, secure hash authentication (SHA), and the DH group of 2.

Step 4: IPsec Policy

In Step 4, you define the IPsec policy. You can see from Figure 59 that we have used the default IPsec policy of 3DES encryption and SHA.


FIGURE 57 - Remote-Site Peer


FIGURE 58 - IKE Policy

FIGURE 59 - IPsec Policy


Step 5: Hosts and Networks

In Step 5, you define the local and remote networks over the VPN. This is the network on the local side of the ASA and the remote network that it requires access to. This setting has to mirror what is configured on the remote VPN peer. Figure 60 shows this screen.


FIGURE 60 - Hosts and Networks

You can see from Figure 60 that the local network is 192.168.1.0/24 and the remote network is 192.168.2.0/24. Therefore, traffic from 192.168.1.0/24 sent to 192.168.2.0/24 will be encrypted and sent over the VPN.

Step 6: Summary

In Step 6, you can review the settings that you are about to apply. You have the option to go back and change anything from any step in the configuration, or you can click Finish to write the configuration to the device. Figure 61 shows this screen.
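The mirroring requirement from the site-to-site wizard steps above and the interesting-traffic step of the IPsec procedure described earlier, as an added Python example (not code from the book or from Cisco): it models the settings the wizard collects for both ends of a tunnel, reports where the two ends fail to mirror each other, and decides whether a packet is interesting traffic for a given end. The PeerConfig fields, the documentation-range peer addresses, and the placeholder preshared key are this example's assumptions.

```python
"""Site-to-site IPsec peer consistency check (added example; not code from the book or from Cisco)."""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class PeerConfig:
    """Settings the wizard collects, as one end of the tunnel sees them."""
    name: str
    outside_ip: str                    # this peer's VPN tunnel interface address
    peer_ip: str                       # address entered at the remote-site peer step
    preshared_key: str
    ike_policy: Tuple[str, str, int]   # (encryption, hash, DH group)
    ipsec_policy: Tuple[str, str]      # (encryption, hash)
    local_nets: Tuple[str, ...]        # hosts-and-networks step, local side
    remote_nets: Tuple[str, ...]       # hosts-and-networks step, remote side


def _nets(cidrs: Tuple[str, ...]) -> Set[ipaddress.IPv4Network]:
    """Parse network strings so that 192.168.1.0/24 and 192.168.1.0/255.255.255.0 compare equal."""
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def mirror_findings(a: PeerConfig, b: PeerConfig) -> List[str]:
    """Mismatches between the two ends; an empty list means the configurations mirror."""
    findings = []
    if a.peer_ip != b.outside_ip or b.peer_ip != a.outside_ip:
        findings.append("peer addresses do not point at each other")
    if not hmac.compare_digest(a.preshared_key.encode(), b.preshared_key.encode()):
        findings.append("preshared keys differ")
    if a.ike_policy != b.ike_policy:
        findings.append(f"IKE policy differs: {a.ike_policy} vs {b.ike_policy}")
    if a.ipsec_policy != b.ipsec_policy:
        findings.append(f"IPsec policy differs: {a.ipsec_policy} vs {b.ipsec_policy}")
    if _nets(a.local_nets) != _nets(b.remote_nets):
        findings.append(f"{a.name} local networks are not {b.name} remote networks")
    if _nets(a.remote_nets) != _nets(b.local_nets):
        findings.append(f"{a.name} remote networks are not {b.name} local networks")
    return findings


def is_interesting(cfg: PeerConfig, src: str, dst: str) -> bool:
    """Step 1 of the IPsec procedure: traffic from a local network to a remote
    network is interesting and will be protected; anything else is forwarded
    as ordinary traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in _nets(cfg.local_nets)) and any(d in n for n in _nets(cfg.remote_nets))


# Constructed sample using the book's networks (192.168.1.0/24 at the head office,
# 192.168.2.0/24 at the branch) and its default 3DES/SHA/DH group 2 policies.
# The peer addresses come from documentation ranges and the key is a placeholder.
HEAD_OFFICE = PeerConfig(
    "head-office", "203.0.113.1", "198.51.100.1", "example-psk",
    ("3des", "sha", 2), ("3des", "sha"), ("192.168.1.0/24",), ("192.168.2.0/24",))
BRANCH = PeerConfig(
    "branch", "198.51.100.1", "203.0.113.1", "example-psk",
    ("3des", "sha", 2), ("3des", "sha"), ("192.168.2.0/24",), ("192.168.1.0/24",))
# A branch whose DH group and remote network were entered wrongly.
BRANCH_BAD = PeerConfig(
    "branch", "198.51.100.1", "203.0.113.1", "example-psk",
    ("3des", "sha", 5), ("3des", "sha"), ("192.168.2.0/24",), ("192.168.3.0/24",))

if __name__ == "__main__":
    print("head-office <-> branch:", mirror_findings(HEAD_OFFICE, BRANCH) or ["mirrored"])
    print("head-office <-> bad branch:", mirror_findings(HEAD_OFFICE, BRANCH_BAD))
    print("192.168.1.25 -> 192.168.2.40 protected:",
          is_interesting(HEAD_OFFICE, "192.168.1.25", "192.168.2.40"))
    print("192.168.1.25 -> 198.51.100.7 protected:",
          is_interesting(HEAD_OFFICE, "192.168.1.25", "198.51.100.7"))
```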


Remote-Access VPN Configuration

Before you configure any VPN, you must decide which parameters you want to use for the IKE and IPsec policies.

Remote-access VPNs can be configured from the ASDM using the IPsec VPN Wizard. Select Wizards from the ASDM menu bar, and then choose IPsec VPN Wizard to start the VPN configuration.

Once the ASA is configured, you then have to configure the appropriate VPN client with the settings that you configure as part of the IPsec VPN Wizard.

There are 10 steps to complete this wizard.

Step 1: VPN Tunnel Type

The first step is to select the VPN tunnel type. The options are Site-to-Site or Remote Access. For this example, we will use Remote Access, as shown in Figure 62.


FIGURE 61 - IPsec Summary


The VPN tunnel interface has been set to outside, and we want IPsec to bypass interface access lists so that the firewall access rules do not interfere with the VPN traffic.

Step 2: Remote-Access Client

In Step 2, you decide which remote-access client you are going to use. We are going to use the Cisco remote-access client, as shown in Figure 63.

Step 3: VPN Client Authentication

In Step 3, we set what method the VPN client will use to authenticate. We can choose either a preshared key or a certificate. We are using a preshared key (see Figure 64).


FIGURE 62 - VPN Tunnel Type


FIGURE 63 - Remote-Access Client

FIGURE 64 - VPN Client Authentication


We have also set the tunnel group name to RemoteVPN. When you configure the VPN client, you will be required to enter this tunnel name and also the preshared key.

Step 4: Client Authentication

In Step 4, we decide on the client authentication. With remote-access VPNs, the VPN client authenticates with the VPN endpoint, and the user is prompted for client authentication.

You have the option to use the built-in local user database or a AAA server group if one has been defined (see Figure 65).


FIGURE 65 - VPN Client Authentication

You can see that we have chosen to use the ACS AAA server group that we previously configured. Therefore, the users will be authenticated against this group rather than the local user database on the ASA.


Step 5: Address Pools

In Step 5, we have to assign an address pool to the VPN group. The address pool is the range of addresses that the VPN client will use to connect the remote client. This range of addresses has to be reachable by the ASA because this is the IP address the remote client will use to communicate on the local network. Figure 66 shows this screen.


FIGURE 66 - Address Pools

You can see from Figure 66 that we have created an address pool called VPNPool. This pool is from 192.168.1.50 to 192.168.1.60.

Step 6: Client Attributes

Because the remote client will get its address from the ASA when connected to the VPN, you can also push to it attributes similar to the attributes you are given when using DHCP. If you are using an internal DNS or WINS system, these might be required for the remote client to get applications working over the VPN that rely on fully qualified domain names (FQDNs). Figure 67 shows the screen where you do this.


You can see in Figure 67 that we have set the primary DNS to 192.168.1.10 and the secondary DNS to 192.168.1.11. The domain name has been set to ciscopress.com.

Step 7: IKE Policy

In Step 7, you define the IKE policy. You can see from Figure 68 that we have used the default IKE policy of 3DES encryption, SHA authentication, and the DH group of 2.

Step 8: IPsec Policy

In Step 8, you define the IPsec policy. You can see from Figure 69 that we have used the default IPsec policy of 3DES encryption and SHA.


FIGURE 67 - Client Attributes


FIGURE 68 - IKE Policy

FIGURE 69 - IPsec Policy


Step 9: Address Translation Exemption

In Step 9, you can add a NAT exemption to allow VPN users to see the internal network. This exemption is normally required to enable the VPN users access to the internal resources (see Figure 70).


FIGURE 70 - NAT Exemption

We have added an exemption rule for the inside network, 192.168.1.0/24. We have also enabled split tunneling. Split tunneling allows the user to access the Internet at the same time as connected to the VPN. Without split tunneling, all traffic from the client is sent over the VPN. If the VPN does not route out to the Internet, this can result in users losing Internet connectivity every time they connect to the VPN.

Step 10: Summary

In Step 10, you can review the settings that you are about to apply. You have the option to go back and change anything from any step in the configuration, or you can click Finish to write the configuration to the device (see Figure 71).
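The address-pool, client-attribute, and NAT-exemption steps of the remote-access wizard above, as an added Python example (not code from the book or from Cisco): it checks the pool against the inside network the ASA must reach it from and against the pushed DNS servers, derives the inside-network and pool prefix pair an exemption rule has to cover, and decides, with and without split tunneling, whether a connected client sends a packet through the tunnel or directly. The RemoteAccessConfig fields, the pool summarization to a single covering prefix, and the documentation-range Internet address are this example's assumptions.

```python
"""Remote-access VPN address pool and split-tunnel check (added example; not code from the book or from Cisco)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class RemoteAccessConfig:
    pool_start: str                      # address-pools step
    pool_end: str
    inside_net: str                      # network the NAT exemption is added for
    dns_servers: Tuple[str, ...]         # client-attributes step
    split_tunnel: bool                   # address-translation-exemption step
    split_tunnel_nets: Tuple[str, ...]   # destinations sent through the tunnel when split tunneling is on


def pool_addresses(cfg: RemoteAccessConfig) -> List[IPv4]:
    """Every address in the pool, start and end inclusive."""
    start, end = IPv4(cfg.pool_start), IPv4(cfg.pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    if int(end) - int(start) >= 65536:
        raise ValueError("pool is implausibly large")
    return [IPv4(int(start) + i) for i in range(int(end) - int(start) + 1)]


def pool_findings(cfg: RemoteAccessConfig) -> List[str]:
    """Problems that would leave connected clients unreachable or collide with servers."""
    findings = []
    inside = Net(cfg.inside_net)
    addrs = pool_addresses(cfg)
    outside = [a for a in addrs if a not in inside]
    if outside:
        findings.append(f"{len(outside)} pool address(es) lie outside {inside}")
    if {IPv4(d) for d in cfg.dns_servers} & set(addrs):
        findings.append("a pushed DNS server address falls inside the pool")
    if inside.network_address in addrs or inside.broadcast_address in addrs:
        findings.append("pool includes the network or broadcast address")
    return findings


def covering_prefix(first: IPv4, last: IPv4) -> Net:
    """Smallest single prefix containing both addresses (it may include a few extra ones)."""
    net = Net(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def nat_exemption(cfg: RemoteAccessConfig) -> Tuple[Net, Net]:
    """The (inside network, pool prefix) pair an exemption rule has to cover so
    that traffic between inside hosts and VPN clients is not translated."""
    addrs = pool_addresses(cfg)
    return Net(cfg.inside_net), covering_prefix(addrs[0], addrs[-1])


def route_decision(cfg: RemoteAccessConfig, dst: str) -> str:
    """Where a connected client sends a packet to dst: "tunnel" or "direct".
    Without split tunneling every packet enters the tunnel, which is why users
    lose Internet access when the VPN does not route out to the Internet."""
    if not cfg.split_tunnel:
        return "tunnel"
    d = IPv4(dst)
    return "tunnel" if any(d in Net(n) for n in cfg.split_tunnel_nets) else "direct"


# Constructed sample using the book's values: pool 192.168.1.50-192.168.1.60,
# inside network 192.168.1.0/24, DNS 192.168.1.10 and 192.168.1.11, split tunneling on.
SAMPLE = RemoteAccessConfig(
    "192.168.1.50", "192.168.1.60", "192.168.1.0/24",
    ("192.168.1.10", "192.168.1.11"), True, ("192.168.1.0/24",))
FULL_TUNNEL = replace(SAMPLE, split_tunnel=False)
# A pool that was mistyped so that it overlaps the DNS servers.
SAMPLE_BAD = replace(SAMPLE, pool_start="192.168.1.8", pool_end="192.168.1.12")

if __name__ == "__main__":
    print("pool findings:", pool_findings(SAMPLE) or "none")
    print("bad pool findings:", pool_findings(SAMPLE_BAD))
    print("NAT exemption covers:", nat_exemption(SAMPLE))
    for dst in ("192.168.1.10", "198.51.100.7"):
        print(f"{dst}: split tunneling {route_decision(SAMPLE, dst)}, "
              f"full tunnel {route_decision(FULL_TUNNEL, dst)}")
```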


SSL VPN Configuration

SSL VPNs can be configured from the ASDM using the SSL VPN Wizard. Select Wizards from the ASDM menu bar, and then choose SSL VPN Wizard to start the VPN configuration.

There are six steps to complete this wizard.

Step 1: SSL VPN Connection Type

The first step is to select the SSL VPN connection type. The options are for Clientless SSL VPN access or Cisco SSL VPN Client access. We are going to choose the Clientless option, as shown in Figure 72.


FIGURE 71 - Remote-Access Summary


Step 2: SSL VPN Interface

In Step 2, we give the connection a name and set which interface the SSL VPN is going to listen on (see Figure 73).

It is advisable to use a digital certificate with your SSL VPN. Doing so prevents the client’s browser from warning about an invalid or self-signed certificate when connecting.

Step 3: User Authentication

When users connect to the SSL VPN, they are prompted for authentication. On this screen, you can choose to use the local ASA user database or a AAA server group if one has been configured (see Figure 74).


FIGURE 72 - SSL VPN Connection Type


FIGURE 73 - SSL VPN Interface

FIGURE 74 - SSL VPN User Authentication


You can see from Figure 74 that we have chosen to use the ACS AAA group that we configured earlier.

Step 4: Group Policy

In Step 4, you can create a new group policy or use an existing one. There is a default group policy called DfltGrpPolicy, but we advise creating a new policy as best practice: every group policy inherits any setting it does not override from DfltGrpPolicy, so changing the default affects every other tunnel group on the device. You can see in Figure 75 that we are creating a new policy called SSLVPN.


NOTE

It is always a good idea to use a two-factor authentication solution with an SSL VPN. The security of the system is only as good as the passwords in use by your users.

FIGURE 75 SSL VPN Group Policy

Step 5: Bookmark Lists

At Step 5, you can preconfigure some bookmarks that the user can connect to. A bookmark is a hyperlink that the clientless SSL VPN user can click to access an internal service (see Figure 76).


Figure 76 shows a bookmark list we have created called Intranet. This list displays a link on the clientless user’s screen,once logged on, that allows the user to access the intranet. You can use this functionality to build a custom menu of linksto make it easier for end users to access the resources they require.

Step 6: Summary

In Step 6, you can review the settings that you are about to apply. You have the option to go back and change anything from any step in the configuration, or you can click Finish to write the configuration to the device (see Figure 77).
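What the wizard writes to the device, shown as the equivalent ASA CLI so that you can read it back with show running-config after clicking Finish. This is an added example and is not configuration from the original text or from Cisco's documentation: the trustpoint name SSLVPN-CA, the host name vpn.example.com, the AAA server group name ACS-TACACS (the text does not name the group it configured earlier), the tunnel group name SSLVPN-TG and the bookmark list name Intranet are all assumptions.

```text
! --- Step 2: interface and certificate ----------------------------------
! Trustpoint for a CA-issued identity certificate (assumed name SSLVPN-CA).
! After these lines, run "crypto ca authenticate SSLVPN-CA" to import the
! CA certificate and "crypto ca enroll SSLVPN-CA" to generate the request.
crypto ca trustpoint SSLVPN-CA
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
! Present that certificate on the interface the portal listens on, so
! browsers see a chain they already trust instead of a self-signed warning
ssl trust-point SSLVPN-CA outside
webvpn
 enable outside

! --- Step 4: the group policy the wizard called SSLVPN ------------------
! A dedicated policy keeps these settings out of DfltGrpPolicy
group-policy SSLVPN internal
group-policy SSLVPN attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  ! Step 5: bookmark list named Intranet. ASDM stores it as an XML file
  ! in flash; on the CLI it is loaded with "import webvpn url-list Intranet <url>"
  url-list value Intranet

! --- Step 3: authenticate against the AAA server group ------------------
! Assumes the ACS group configured earlier is called ACS-TACACS. No LOCAL
! fallback is listed, so a failed AAA server cannot be bypassed with a local
! account; add LOCAL only if that is a conscious decision.
tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
 authentication-server-group ACS-TACACS
 default-group-policy SSLVPN
tunnel-group SSLVPN-TG webvpn-attributes
 group-alias SSLVPN enable
```

To check the result, show ssl confirms which trustpoint is bound to the outside interface, show running-config tunnel-group SSLVPN-TG shows the AAA binding, and show vpn-sessiondb webvpn lists a test user's session once they log in. Log in once with a deliberately wrong password as well and confirm that the rejection is visible in the ACS logs; if it is not, the ASA is not consulting the server you think it is.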


FIGURE 76 SSL VPN Bookmark List


VPN Troubleshooting

There are two main configuration areas for VPNs in ASDM. To review the configuration of remote-access VPNs, navigate to Remote Access VPN, as shown in Figure 78.


FIGURE 77 SSL VPN Summary


To review the configuration of site-to-site VPNs, navigate to Site-to-Site VPN, as shown in Figure 79.


FIGURE 78 Remote Access VPN


In addition to these configuration screens, you can see information about VPNs in the Device Dashboard and via theMonitoring tab, which has its own section for monitoring VPNs (see Figure 80).
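The same information is available from the CLI, which is usually quicker when a tunnel will not come up. The sequence below is an added example, not part of the original text; the peer address 203.0.113.5 and the user name jdoe are placeholders.

```text
! What is connected right now, by VPN type (IPsec remote access, clientless
! SSL, AnyConnect, site-to-site): a sanity check before any debugging
show vpn-sessiondb summary

! Per-session detail: user, assigned address, group policy, tunnel group,
! bytes in/out and login time. A user landing in the wrong group policy, or
! a session that never moves any bytes, shows up here first.
show vpn-sessiondb detail webvpn
show vpn-sessiondb detail remote
show vpn-sessiondb detail l2l

! Site-to-site: is there a phase 1 (ISAKMP) SA, and a phase 2 SA for the
! interesting traffic? No ISAKMP SA points at reachability, preshared key
! or policy mismatch; an ISAKMP SA with no IPsec SA usually means the
! crypto ACLs on the two ends are not mirror images.
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.5

! Debugs are expensive on a busy firewall: enable, reproduce, disable.
debug crypto isakmp 7
debug crypto ipsec 7
undebug all

! Drop a session you do not recognise while you investigate it
vpn-sessiondb logoff name jdoe
```

The Monitoring > VPN screens in ASDM are built from the same session database, so a session that is missing from show vpn-sessiondb is missing from the dashboard too.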


FIGURE 79 Site-to-Site VPN


Summary

This section provided a brief overview of VPNs and the associated technologies. We looked at the difference betweensite-to-site VPNs and remote-access VPNs before moving on to configuring both site-to-site VPNs and remote-accessVPNs using ASDM. We covered both the IPsec and SSL alternatives of the remote-access VPN.

In the next section, we cover failover on the ASA.


FIGURE 80 Monitoring VPNs


Page 110: CCSPSNAFQuickReference

SECTION 6

Failover Configuration

Section 6: Failover Configuration

Failover provides redundancy for the ASA in the event of hardware or software failure. The ASA supports two types of failover:

■ Hardware failover

■ Stateful failover

Hardware failover provides redundancy in case of a hardware failure. This is achieved with another ASA that acts as a standby unit to take over from the primary ASA in the event of a failure. With hardware failover alone, existing connections are dropped, and clients must reestablish their sessions.

Stateful failover passes per-connection state information from the active to the standby unit. In the event of a failure, thestate table is on the standby unit, and most client applications would not require reconnecting. This should offer trans-parency to the end user if a failover occurs.

There are two modes of operation for failover, and we cover these throughout the rest of this section:

■ Active/standby failover

■ Active/active failover

Failover Links

To facilitate failover, the ASAs participating in failover pass between themselves information about the state of each device. There are two types of failover links:

■ LAN-based failover links

■ Stateful failover links


With LAN-based failover links, the failover messages are transferred over an Ethernet connection. LAN-based failover links can encrypt and authenticate the failover messages using a manually configured preshared key (the failover key). Configure that key: the same link also carries configuration replication to the standby unit, including local passwords and VPN preshared keys, and without the key that traffic crosses the wire in the clear. LAN-based failover links require an additional Ethernet interface on each ASA, used exclusively for passing failover communications between the two security appliance units, ideally a direct cable or a dedicated switch or VLAN rather than a segment shared with user traffic.

The stateful failover interface passes per-connection stateful information to the standby ASA unit. Stateful failoverrequires an additional Ethernet interface on each security appliance with a minimum speed of 100 Mb/s to be used exclu-sively for passing state information between the two ASAs. The LAN-based failover interface can also be used as thestateful failover interface.

Failover Requirements

To successfully configure failover, some requirements must be met:

■ Both ASAs must be the same model with the same hardware configuration (same number and type of interfaces).

■ The same Security Services Modules must be installed in both.

■ Both must run the same software version (same major and minor release); versions may differ only temporarily while you step through a zero-downtime upgrade.

■ Both must be in the same operating mode (routed or transparent, single or multiple context).

■ Both must have the same licensed features (for example, the same DES or 3DES/AES encryption level).

■ Both must have the same amount of flash memory and RAM.

■ Both must carry the proper licensing to support failover.


Active/Standby Failover Configuration

Active/standby failover is where one ASA is the active unit and passes traffic while the other is the standby unit, ready to take over. Primary and secondary are fixed designations set in the failover configuration; active and standby are runtime roles. After a failover, the secondary unit is the active one, and it stays active until the roles are switched back.

The primary and secondary ASAs exchange hello messages with each other over the LAN-based failover link and over every monitored data interface. That is how each unit detects that its peer, or one of its peer's interfaces, has failed.

Normally the primary ASA is active and passes traffic. In the event of a failure, the secondary ASA becomes active and passes traffic in place of the primary ASA, taking over the active IP and MAC addresses so that neighbouring devices do not have to relearn anything.

We are now going to look at how to configure active/standby failover on a pair of ASAs using the ASDM.

There are five steps to this configuration:

Step 1: Cable the interfaces on both security appliances.

Step 2: Prepare both ASAs for configuration with ASDM.

Step 3: Use the ASDM High Availability and Scalability Wizard to configure the primary ASA for failover.

Step 4: Verify that Cisco ASDM configured the secondary security appliance with the LAN-based failover command set.

Step 5: Save the configuration of the secondary security appliance to flash memory.

The requirements for failover must be met before you can start this configuration. Without the correct licensing, youcannot complete the configuration.

Step 1: Cable the Interfaces on Both Security Appliances

The first step is to cable the interfaces on both of the ASAs so that the corresponding interfaces are on common networks.

Figure 81 shows a sample cabling setup for an active/standby failover environment.


FIGURE 81 Active/Standby Failover Network

[Figure: a primary and a secondary security appliance with matching interfaces. Labels in the diagram: Internet, LAN, Failover; networks 10.0.1.0 and 192.168.1.0; interfaces g0/0, g0/1 and g0/2 on each appliance, with g0/2 on the two units joined as the failover link.]

As shown in Figure 81, a LAN-based failover connection is required between the primary and secondary ASA. If youplan to use stateful failover, an interface on the ASA must be dedicated to this function, unless you configure statefulfailover to share the same interface as the LAN-based failover connection.

Step 2: Prepare Both ASAs for Configuration with ASDM

The second step is to prepare both ASAs for ASDM configuration. Section 2 of this Quick Reference guide covered how to configure the ASA so that you can access it using ASDM.

Both the primary and secondary ASAs require an IP address be assigned on the inside interface that can be accessed viaASDM.

Step 3: Use the ASDM High Availability and Scalability Wizard to Configure the Primary ASA for Failover

The third step is to configure active/standby failover using the High Availability and Scalability Wizard on the ASDM.


From the Wizards menu in the ASDM menu bar, select the High Availability and Scalability Wizard option.

Ensure that you are on the primary (active) ASA.

There are six steps to this wizard, which we cover now.

Step 1: Configuration Type

Select Configure Active/Standby Failover from the wizard screen 1 of 6.

Click Next to be taken to Step 2.

Step 2: Failover Peer Connectivity

The next step is to enter the IP address of the peer. This is the IP address that you configured for the secondary (standby) unit.

When you click Next, the following tests are performed to determine whether the ASA at the IP address you entered is acompatible failover peer for the ASA you are configuring:

■ Connectivity test from this Cisco ASDM to the peer security appliance (secondary unit)

■ Connectivity test from this security appliance (primary unit) to the peer security appliance (secondary unit)

■ Hardware compatibility test

■ Software version compatibility test

■ Failover license compatibility test

■ Routed or transparent firewall mode compatibility test

■ Single or multiple context mode compatibility test

If all the tests are passed, you are taken to Step 3.


Step 3: LAN Link Configuration

At Step 3, you configure the failover interface that is used to communicate between the primary and secondary ASAs.

You have to enter the following:

■ Interface

■ Logical name

■ Active IP address

■ Standby IP address

■ Subnet mask

■ Secret key (if encryption is being used)

Click Next to go to Step 4.

Step 4: State Link Configuration

In this step, you configure the stateful failover link. You have the options to do the following:

■ Disable stateful failover

■ Use the LAN link as the state link

■ Configure a separate stateful failover interface

Click Next to go to Step 5.

Step 5: Standby Address Configuration

In this step, you can configure the standby IP address for each interface that has an active IP address. The active IP addresses are displayed, and the standby IP address has to be on the same Layer 3 subnet and reachable from the active IP address.


By default, every interface is monitored for failure. If you do not want to monitor an interface, deselect the Monitoredcheck box at the side of the interface.

Click Next to go to Step 6.

Step 6: Summary

The final step provides a summary of the configuration that you have just entered. You have the option at this point to review what you are about to do and if necessary go back into the wizard to amend any step.

When you are happy with your configuration, click the Finish button to complete the wizard and apply the configurationto the primary ASA.

The Waiting for Config Sync window will display. This window displays while the configuration from the primary ASAis transferred to the secondary ASA.

When this has completed, the failover configuration has been applied to both the primary and secondary ASA.

Step 4: Verify That Cisco ASDM Configured the Secondary Security Appliance with the LAN-Based Failover Command Set

Once active/standby failover is configured on the primary unit, the configuration of the primary unit should have transferred over to the secondary unit. It is advisable to log on to the ASDM on the secondary unit and confirm that the secondary ASA has been configured for failover and contains the LAN-based failover command set.

Step 5: Save the Configuration of the Secondary Security Appliance to Flash Memory

The fifth and final step is to save the configuration on both ASAs to flash memory.

A common mistake is to save the configuration to flash memory on the primary ASA and forget about the secondaryASA. When the secondary ASA is powered off, it will lose its configuration unless the configuration is saved to flash.
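The LAN-based failover command set that the wizard generates, shown as the CLI you should expect to find on the secondary unit in Step 4. This is an added example, not configuration from the original text or from Cisco's documentation: the interface roles follow Figure 81, but the addressing (192.168.1.0/24 outside, 10.0.1.0/24 inside, 172.16.255.0/30 on the failover link), the logical name FOLINK and the key value are assumptions, and the key is a placeholder to be replaced with a long random string.

```text
! ---- Primary unit --------------------------------------------------------
! Data interfaces carry an active and a standby address. On failover the
! new active unit takes over the active IP and MAC addresses, so nothing
! downstream needs to relearn anything.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
! g0/2 is dedicated to failover (Figure 81); it gets no nameif or data address
interface GigabitEthernet0/2
 no shutdown

failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
! Reuse the LAN failover interface as the state link (wizard Step 4 option 2)
failover link FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
! Authenticates and encrypts failover messages. The link also carries the
! configuration sync, credentials included, so never leave the key unset.
failover key R3place-Me-With-A-Long-Random-String
! Monitored by default on named interfaces; shown explicitly because a
! missed hello on a monitored interface is what triggers a failover
monitor-interface outside
monitor-interface inside
failover

! ---- Secondary unit ------------------------------------------------------
! Only the failover bootstrap is needed; everything else is replicated
! from the primary once the units see each other
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
failover key R3place-Me-With-A-Long-Random-String
failover
```

Once failover is enabled on both units, show failover on the primary should report "This host: Primary - Active" and "Other host: Secondary - Standby Ready", with every monitored interface shown as Normal; an interface reported as Failed or Waiting almost always means the two units' corresponding interfaces are not on the same segment or the standby address is wrong. Then save to flash on both units, as Step 5 says.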


Active/Active Failover Configuration

We are now going to look at how to configure active/active failover on a pair of ASAs using the ASDM.

With active/standby failover, one ASA is active, and the other ASA is redundant, waiting to take over the role of theactive ASA in the event of a failure. With active/active failover, the ASA firewalls must be configured in multiple contextmode so that both devices can pass traffic while at the same time serving as a backup for the other peer ASA.

Active/active configuration leverages the virtual context feature on the ASA. In the example in Figure 82, each ASA is partitioned into two contexts, CTX1 and CTX2, and the contexts are placed in two failover groups. Under normal conditions, one failover group is active on each ASA and the other is standby: the active context on one ASA has a standby counterpart on the second ASA and vice versa.

Figure 82 shows active/active failover.


FIGURE 82 Active/Active Failover Network

[Figure: ASA1 and ASA2, each hosting contexts 1 and 2 and each with interfaces g0/0, g0/1, g0/3 and m0/0. Interface g0/2 on each unit forms the failover link, addressed 172.17.1.1 on ASA1 and 172.17.1.7 on ASA2. The diagram labels the contexts CTX1-Active and CTX2-Standby.]


When one context or ASA fails, the other ASA takes over the active role for either, or both contexts.

There are eight steps to configure active/active failover:

Step 1: Cable the interfaces on both ASAs.

Step 2: Ensure that both ASAs are in multiple context mode.

Step 3: Configure contexts and allocate interfaces to contexts.

Step 4: Enable and assign IP addresses to each interface that is allocated to a context.

Step 5: Prepare both security appliances for configuration via ASDM.

Step 6: Use the ASDM High Availability and Scalability Wizard to configure the ASA for failover.

Step 7: Verify that ASDM configured the secondary ASA with the LAN-based failover command set.

Step 8: Save the configuration of the secondary ASA to flash.

Step 1: Cable the Interfaces on Both ASAs

The first step is to cable the interfaces on both of the ASAs so that the corresponding interfaces are on common networks.

A LAN-based failover connection is required between the two ASAs. If you plan to use stateful failover, an interface onthe ASA must be dedicated to this function, unless you configure stateful failover to share the same interface as the LAN-based failover connection.

Step 2: Ensure That Both ASAs Are in Multiple Context Mode

For active/active failover to work, both ASAs must be in multiple context mode.

Step 3: Configure Contexts and Allocate Interfaces to Contexts

Ensure that the contexts are created and that the interfaces are allocated into the corresponding contexts.


Step 4: Enable and Assign IP Addresses to Each Interface That Is Allocated to a Context

Within each context, enable every interface allocated to it and assign it an IP address. These active addresses must be in place before you run the wizard, because its standby address step lists the active address of each interface and asks you for the matching standby address.

Step 5: Prepare Both Security Appliances for Configuration via ASDM

The fifth step is to prepare both ASAs for ASDM configuration. Section 2 of this Quick Reference guide covered how to configure the ASA so that you can access it using ASDM.

Both ASAs require an IP address be assigned on the inside interface that can be accessed via ASDM.

Step 6: Use the ASDM High Availability and Scalability Wizard to Configure the ASA for Failover

The sixth step is to configure active/active failover using the High Availability and Scalability Wizard on the ASDM.

From the Wizards menu in the ASDM menu bar, select the High Availability and Scalability Wizard option.

Ensure that you are on the system context.

There are seven steps to this wizard, which we cover now.

Step 1: Configuration Type

Select Configure Active/Active Failover from the first wizard screen.

If you are not in multiple context mode, the ASA will prompt you to change the context mode and warn you of the conse-quences.

Click Next to go to Step 2.


Step 2: Failover Peer Connectivity

The next step is to enter the IP address of the peer. This is the IP address that you configured for the second ASA that will act in the active/active failover pair.

This does not have to be the failover link address, but it does have to be the IP address that has ASDM access enabled on it.

When you click Next, the following tests are performed to determine whether the ASA at the IP address you entered is acompatible failover peer for the ASA you are configuring:

■ Connectivity test from this Cisco ASDM to the peer security appliance (secondary unit)

■ Connectivity test from this security appliance (primary unit) to the peer security appliance (secondary unit)

■ Hardware compatibility test

■ Software version compatibility test

■ Failover license compatibility test

■ Routed or transparent firewall mode compatibility test

■ Single or multiple context mode compatibility test

If all the tests are passed, you are taken to Step 3.

Step 3: Security Context Configuration

At Step 3, you assign security contexts to failover groups. The page displays the security contexts currently configured on the ASA along with the failover group each context belongs to. By default, every context is assigned to failover group 1. Leave them that way and you have active/standby behaviour with extra steps: for both units to carry traffic, move at least one context to failover group 2, which is made active on the other unit.

Click Next to go to Step 4.


Step 4: LAN Link Configuration

At Step 4, you configure the failover interface that is used to communicate between this ASA and the failover peer.

You have to enter the following:

■ Interface

■ Logical name

■ Active IP address

■ Standby IP address

■ Subnet mask

■ Secret key (if encryption is being used)

Click Next to go to Step 5.

Step 5: State Link Configuration

In this step, you configure the stateful failover link. You have the options to do the following:

■ Disable stateful failover

■ Use the LAN link as the state link

■ Configure a separate stateful failover interface

Click Next to go to Step 6.

Step 6: Standby Address Configuration

This step allows you to configure the standby IP address for each interface that has an active IP address. The active IP addresses are displayed, and the standby IP address has to be on the same Layer 3 subnet and reachable from the active IP address.


By default, every interface is monitored for failure. If you do not want to monitor an interface, deselect the Monitoredcheck box at the side of the interface.

From this screen, you can determine which contexts are in which failover groups and which interfaces are allocated toeach context.

Click Next to go to Step 7.

Step 7: Summary

The final step provides a summary of the configuration that you have just entered. You have the option at this point to review what you are about to do and if necessary go back into the wizard to amend any step.

When you are happy with your configuration, click the Finish button to complete the wizard and apply the configurationto the ASA you are configuring.

The Waiting for Config Sync window will now display. This window displays while the configuration is transferred to theactive failover peer ASA.

When this has completed, the failover configuration has been applied to both of the ASAs that are operating as failoverpeers.

Step 7: Verify That ASDM Configured the Secondary ASA with the LAN-Based Failover Command Set

Once failover is configured on the primary unit, the configuration of the primary unit should have transferred over to the secondary unit. It is advisable to log on to both failover peers' ASDM and verify the LAN-based failover command set.

Step 8: Save the Configuration of the Secondary ASA to Flash

The eighth and final step is to save the configuration on both ASAs to flash memory.

[ 118 ]

© 2009 Cisco Systems Inc. All rights reserved. This publication is protected by copyright. Please see page 132 for more details.

CCSP SNAF Quick Reference by Andrew Mason

CCSP SNAF Quick Reference. CCSP SNAF Quick Reference, ISBN: 9781587058691Prepared for [email protected], Jeremy KicklighterCopyright © 2009 Cisco Systems, Inc.. This PDF is made available for personal use only during the relevant subscription term, subject to the Safari Terms of Service. Any other use requires prior written consent from the copyright owner. Unauthorizeduse, reproduction and/or distribution are strictly prohibited and violate applicable laws. All rights reserved.


SECTION 6

Failover Configuration

A common mistake is to save the configuration to flash memory on the primary ASA and forget about the failover peer. It is important to ensure that the configuration is saved to flash memory on both of the failover peer ASAs.

Redundant Interfaces

In addition to device-level failover, you can configure a redundant interface. Redundant interfaces can be used in conjunction with device-based failover or alone to increase the reliability of the ASA.

A redundant interface is a logical interface made up of two physical interfaces. One physical interface serves as the active interface while the other serves as the standby. When the active interface fails, the standby interface becomes active and starts passing traffic. It does not load share across both interfaces at the same time. A redundant interface is considered in failure state only when both of the underlying physical interfaces fail.

When you configure redundant interfaces, the entire ASA configuration refers to the logical redundant interface rather than the physical interfaces.

To configure a redundant interface, you navigate to the Device Setup > Interfaces screen, click the Add button, and then choose Redundant Interface.

Summary

This section covered failover on the ASA. Failover is a mechanism to protect your network from failure in the event that the ASA should fail for any reason. We looked at the two types of failover that are available on the ASA: active/standby and active/active.

The next section covers the monitoring and management of a Cisco ASA.


Section 7: Monitor and Manage the ASA

The ASA is a network device and requires managing. You can connect to the ASA to manage it through the command-line interface (CLI) or the web graphical user interface (GUI) known as the Adaptive Security Device Manager (ASDM). CLI connections can be through either Telnet or Secure Shell (SSH).

In addition to management, this section discusses the tools available to monitor connections through the Adaptive Security Appliance (ASA).

Telnet and SSH Access to the ASA

We have already connected to the ASA through the console cable and through the ASDM. You can also configure Telnet and SSH access to the ASA to perform command-line configuration.

Telnet Configuration

Telnet is a protocol used for connecting to line-based applications. Telnet traffic is sent in clear text, so you never want to use Telnet outside of a private network. SSH is always a better option, and Telnet should be used only when SSH is unavailable.

You can enable Telnet to the ASA through any interface. The only caveat is that Telnet to the outside interface must be protected by IPsec.

To configure Telnet, navigate to Device Management > Management Access > Command Line (CLI) > Telnet.

From this screen, you add the Telnet configuration (see Figure 83).


You can see in Figure 83 that we have enabled Telnet access on the inside interface for the host 192.168.1.15/32.

You now have to enter a Telnet password into the ASA. Navigate to Device Setup > Device Name/Password. Click the check box to change the Telnet password. By default, the old password is set to cisco. Enter a new secure password, and then apply it. Figure 84 shows the Device Name/Password screen.


FIGURE 83: Add Telnet Configuration

FIGURE 84: Device Name/Password


Telnet is now configured.

SSH Configuration

SSH is the preferred connection method over Telnet. Because SSH provides strong authentication and encryption, SSH provides secure remote access to the command-line interface of the ASA.

Steps required to enable SSH are as follows:

Step 1: Configure hostname.

Step 2: Configure Domain Name.

Step 3: Generate RSA keys.

Step 4: Configure local authentication.

Step 5: Configure SSH on specific interface.

SSH configuration is similar to Telnet configuration. To configure SSH, navigate to Device Management > Management Access > Command Line (CLI) > Secure Shell (SSH).

As you did with Telnet, specify an interface, IP address, and subnet mask for the network that you want to grant SSH access to. Note that you can use SSH on the outside interface without requiring IPsec, because SSH itself supports strong authentication and encryption.

You require the Telnet password to be set so that you can use SSH to connect into an ASA. From the SSH client, you need to enter a command similar to the following:

userpc$ssh [email protected]

You are then prompted for the password; you enter the password you configured as the Telnet password. When you use SSH to connect into an ASA, the username you use is pix.
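The two cautions in this section (Telnet is clear text and belongs only on the private network; access lines should admit specific management hosts) can be turned into a check against the running configuration. The following is an added Python example, not code from the book or from Cisco: it parses the telnet and ssh lines of a constructed sample configuration (not one of the book's figures), flags clear-text Telnet permitted on any interface other than the private one, and flags lines that admit a whole network rather than individual hosts. The interface name inside and the one-host threshold are assumptions exposed as parameters.

```python
"""Audit the Telnet and SSH management-access lines of an ASA running-config.

Added example (not from the book). It checks the two risks the text
describes: clear-text Telnet on anything but the private (inside) interface,
and access lines that admit whole networks instead of specific hosts.
"""
import ipaddress
import re

# Constructed sample configuration (not from the book); the
# 'telnet ... outside' line is deliberately included so the audit has
# something to flag.
SAMPLE_CONFIG = """\
hostname ciscoasa
domain-name example.com
telnet 192.168.1.15 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 203.0.113.10 255.255.255.255 outside
ssh timeout 10
"""

# Matches 'telnet|ssh <address> <netmask> <interface>'; the 'timeout' lines
# have a different shape and are ignored on purpose.
ACCESS_RE = re.compile(
    r"^(telnet|ssh)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)


def parse_access_lines(config):
    """Return (protocol, ip_network, interface) tuples from a running-config."""
    entries = []
    for raw in config.splitlines():
        m = ACCESS_RE.match(raw.strip())
        if not m:
            continue
        proto, addr, mask, ifc = m.groups()
        # The ASA writes a dotted netmask; ipaddress accepts 'addr/netmask'.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((proto, net, ifc))
    return entries


def audit_access(config, private_interface="inside", max_hosts=1):
    """Return human-readable findings for risky management-access lines.

    private_interface and max_hosts are assumptions of this example, not
    ASA settings.
    """
    findings = []
    for proto, net, ifc in parse_access_lines(config):
        if proto == "telnet" and ifc != private_interface:
            findings.append(
                f"telnet on '{ifc}' ({net}): clear-text management outside the "
                f"private network; use SSH instead, or protect it with IPsec"
            )
        if net.num_addresses > max_hosts:
            findings.append(
                f"{proto} on '{ifc}' admits {net.num_addresses} addresses ({net}); "
                f"restrict it to specific management hosts"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_access(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports three findings: the any-host Telnet line on outside (twice, once for the interface and once for the 0.0.0.0/0 scope) and the /24 SSH line on inside; the single-host lines, including the book's 192.168.1.15/32 Telnet entry, pass.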


Software Image Configuration

The ASA relies on two main software images. The first is the ASA software image that runs the core operating system of the ASA. The second is the ASDM image. The ASA will work as a firewall without the ASDM image, but you will be unable to access ASDM and only able to configure the ASA with the CLI.

When you initially purchase an ASA, it comes with both an ASA software image and an ASDM software image already preinstalled on the ASA flash memory.

Command-Line Software Image Configuration

From the CLI, the command show flash displays which software images are located in the flash memory of the ASA:

ciscoasa# sh flash
--#--  --length--  -----date/time------  path
    2        4096  Jun 26 2007 11:40:46  log
   63     1868412  Mar 26 2007 08:33:42  securedesktop-asa-3.1.1.29-k9.pkg
   64      398305  Mar 26 2007 08:33:54  sslclient-win-1.1.0.154.pkg
   65    14524416  Jun 26 2007 11:39:02  asa802-k8.bin
   67        4096  May 08 2007 12:13:20  sdesktop
   70          50  May 08 2007 12:13:22  sdesktop/data.xml
   68     6889764  Jun 26 2007 11:39:52  asdm-602.bin
    6        4096  Jun 26 2007 11:41:02  crypto_archive

129073152 bytes total (105115648 bytes free)

From the preceding output, you can see there are eight files in the ASA flash. The ones we are interested in are asa802-k8.bin and asdm-602.bin.

The asa802-k8.bin file is the software image for the ASA (in this case, version 8.02).

The asdm-602.bin file is the ASDM software image (in this case, version 6.02).


The other files include the Secure Desktop, the SSL client, and the log file.

To add a file to flash from the CLI, you use the copy command. For example, to copy a file from TFTP to flash, you use the following:

ciscoasa# copy tftp flash

You are then prompted for the address of the remote TFTP server and the remote filename. In addition to TFTP, the following options are now available with the copy command:

ciscoasa# copy ?

  /noconfirm      Do not prompt for confirmation
  /pcap           Raw packet capture dump
  capture:        Copyout capture buffer
  disk0:          Copy from disk0: file system
  flash:          Copy from flash: file system
  ftp:            Copy from ftp: file system
  http:           Copy from http: file system
  https:          Copy from https: file system
  running-config  Copy from current system configuration
  smb:            Copy from smb: file system
  startup-config  Copy from startup configuration
  system:         Copy from system: file system
  tftp:           Copy from tftp: file system

As long as there is a single ASA software image in the flash, the ASA will always boot from this. If there are two or more ASA images in the flash, you have to use the boot system command from global configuration mode to tell the ASA which boot image to use.

If you have multiple ASDM images in flash, you have to use the asdm image command from global configuration mode to tell the ASA which ASDM image to use.
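The rule just stated (one image boots unconditionally; two or more need boot system or asdm image to select one) is easy to check from the show flash listing. The following is an added Python example, not code from the book or from Cisco: it parses the listing shown earlier in this section (spacing as collapsed by extraction), separates ASA system images from ASDM images, and reports whether an explicit selection is needed. The extra line for asa804-k8.bin is constructed to illustrate the two-image case and is not in the book's output.

```python
"""Inventory the software images in ASA flash from 'show flash' output.

Added example (not from the book). It parses the listing, picks out the ASA
system images and the ASDM images, and reports when more than one of either
is present, which is the case in which 'boot system' or 'asdm image' must
select the image to use.
"""
import re

# The 'show flash' listing from the text (whitespace collapsed by extraction).
SHOW_FLASH = """\
--#-- --length-- -----date/time------ path
2 4096 Jun 26 2007 11:40:46 log
63 1868412 Mar 26 2007 08:33:42 securedesktop-asa-3.1.1.29-k9.pkg
64 398305 Mar 26 2007 08:33:54 sslclient-win-1.1.0.154.pkg
65 14524416 Jun 26 2007 11:39:02 asa802-k8.bin
67 4096 May 08 2007 12:13:20 sdesktop
70 50 May 08 2007 12:13:22 sdesktop/data.xml
68 6889764 Jun 26 2007 11:39:52 asdm-602.bin
6 4096 Jun 26 2007 11:41:02 crypto_archive

129073152 bytes total (105115648 bytes free)
"""

# Constructed line (not in the book) used to exercise the two-image case.
SECOND_ASA_IMAGE = "66 14600000 Jul 01 2007 10:00:00 asa804-k8.bin\n"

# '<index> <length> <Mon DD YYYY HH:MM:SS> <path>'
ENTRY_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+([A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)
TOTAL_RE = re.compile(r"^(\d+) bytes total \((\d+) bytes free\)$")
# Image naming as seen in the listing: asa<ver>-<key>.bin and asdm-<ver>.bin
ASA_IMAGE_RE = re.compile(r"^asa\d+.*\.bin$")
ASDM_IMAGE_RE = re.compile(r"^asdm-\d+.*\.bin$")


def parse_show_flash(text):
    """Return ({path: length_in_bytes}, total_bytes, free_bytes)."""
    files, total, free = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            files[m.group(4)] = int(m.group(2))
            continue
        m = TOTAL_RE.match(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
    return files, total, free


def find_images(files):
    """Split file names into (ASA system images, ASDM images), each sorted."""
    asa = sorted(p for p in files if ASA_IMAGE_RE.match(p))
    asdm = sorted(p for p in files if ASDM_IMAGE_RE.match(p))
    return asa, asdm


def boot_selection_needed(text):
    """Return (needs_boot_system, needs_asdm_image) for a listing."""
    files, _, _ = parse_show_flash(text)
    asa, asdm = find_images(files)
    return len(asa) > 1, len(asdm) > 1


if __name__ == "__main__":
    inventory, total, free = parse_show_flash(SHOW_FLASH)
    print("ASA images:", find_images(inventory)[0])
    print("ASDM images:", find_images(inventory)[1])
    print("free bytes:", free, "of", total)
    print("selection needed:", boot_selection_needed(SHOW_FLASH + SECOND_ASA_IMAGE))
```

The securedesktop-asa-3.1.1.29-k9.pkg package is deliberately not matched as a system image, because the ASA image pattern requires the asa prefix to be followed directly by the version digits.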


ASDM Software Image Configuration

From the ASDM, navigate to the Device Management > System Image/Configuration > Boot Image/Configuration screen.

From this screen, you can add files to flash, remove files from flash, set the ASA boot image, and set the ASDM image (see Figure 85).


FIGURE 85: Boot Image/Configuration


Licensing the ASA

The ASA is licensed with the use of activation keys. The activation key is tied to the serial number of the ASA, which is hard-coded into the operating code of the ASA.

To enable a feature, you need to purchase the required license. You then redeem this with Cisco after providing your serial number, at which time you will be provided an activation key. Because it is tied to the serial number, this activation key will work only on the ASA for which it was requested.

Navigate to Device Management > System Image/Configuration > Activation Key and enter the new activation key (see Figure 86).


FIGURE 86: Activation Key


The current license and features can be seen from the Home screen and the Device Dashboard in ASDM.

From the CLI, the show version command also provides information about the current licensing:

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "disk0:/asa802-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 10 days 6 hours

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash LHF00L47 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
    Boot microcode   : CN1000-MC-BOOT-2.00
    SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
    IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0 : address is 001b.53a0.4e98, irq 11
 1: Ext: Ethernet0/0      : address is 001b.53a0.4e90, irq 255
 2: Ext: Ethernet0/1      : address is 001b.53a0.4e91, irq 255
 3: Ext: Ethernet0/2      : address is 001b.53a0.4e92, irq 255
 4: Ext: Ethernet0/3      : address is 001b.53a0.4e93, irq 255
 5: Ext: Ethernet0/4      : address is 001b.53a0.4e94, irq 255
 6: Ext: Ethernet0/5      : address is 001b.53a0.4e95, irq 255
 7: Ext: Ethernet0/6      : address is 001b.53a0.4e96, irq 255
 8: Ext: Ethernet0/7      : address is 001b.53a0.4e97, irq 255
 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used         : irq 255
11: Int: Not used         : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
VPN Peers                    : 10
WebVPN Peers                 : 2
Dual ISPs                    : Disabled
VLAN Trunk Ports             : 0
Advanced Endpoint Assessment : Disabled

This platform has a Base license.

Serial Number: JMX1113Z00E
Running Activation Key: 0xb10e4b44 0x28a8ad89 0xdc62d5c8 0xb6301430 0x870d098e
Configuration register is 0x1
Configuration last modified by enable_15 at 21:18:37.374 UTC Tue Oct 7 2008
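Because the licensed feature table is where you confirm that a feature you intend to rely on (failover from the previous section, VPN peers, and so on) is actually enabled on a unit, it is worth being able to read it mechanically. The following is an added Python example, not code from the book or from Cisco: it extracts the software and ASDM versions, the Licensed features table, the license tier and the serial number from the show version output above (interface and activation-key lines omitted from the embedded excerpt), and answers whether a named feature is licensed. The rule that a value of Disabled or 0 means "not licensed" is this example's assumption.

```python
"""Pull licensing facts out of ASA 'show version' output.

Added example (not from the book). It parses the version lines, the
'Licensed features for this platform' table, the license tier and the serial
number so a feature's license state can be checked before relying on it.
"""
import re

# Excerpt of the 'show version' output in the text; the interface list and
# the activation key line are left out of this embedded copy.
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "disk0:/asa802-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 10 days 6 hours

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Advanced Endpoint Assessment : Disabled

This platform has a Base license.

Serial Number: JMX1113Z00E
Configuration register is 0x1
"""

# 'Feature name : value'; the name is taken up to the first colon.
FEATURE_RE = re.compile(r"^(.+?)\s*:\s*(.+)$")


def parse_licensed_features(text):
    """Return the 'Licensed features' table as a {name: value} dict."""
    features = {}
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Licensed features for this platform"):
            in_table = True
            continue
        if in_table and line.startswith("This platform has"):
            break  # the license tier line ends the table
        if in_table and line:
            m = FEATURE_RE.match(line)
            if m:
                features[m.group(1)] = m.group(2)
    return features


def parse_version_facts(text):
    """Return the ASA and ASDM versions, license tier and serial number."""
    def first(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1) if m else None

    return {
        "asa_version": first(r"^Cisco Adaptive Security Appliance Software Version (\S+)"),
        "asdm_version": first(r"^Device Manager Version (\S+)"),
        "license": first(r"^This platform has an? (\w+) license\."),
        "serial": first(r"^Serial Number: (\S+)"),
    }


def feature_enabled(text, name):
    """True when the named feature is licensed.

    Assumption of this example: a value of 'Disabled' or '0' means the
    feature is not available on this unit; any other value counts as licensed.
    """
    value = parse_licensed_features(text).get(name)
    return value is not None and value not in ("Disabled", "0")


if __name__ == "__main__":
    print(parse_version_facts(SHOW_VERSION))
    for feature, value in parse_licensed_features(SHOW_VERSION).items():
        print(f"{feature:30} {value}")
    print("failover licensed:", feature_enabled(SHOW_VERSION, "Failover"))
```

On the book's ASA 5505 with its Base license the check reports failover as not licensed, which matches the Failover : Disabled line and is the kind of fact to verify before attempting the failover configuration of the previous section.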

Configuring Logging on the ASA

Logging is disabled by default on the ASA. When you first connect to the ASDM, the first screen you will see is the Home screen and the Device Dashboard (see Figure 87).


You can see from Figure 87 that ASDM logging is disabled. There is a button in the bottom half of the screen that will enable logging. Clicking this button enables logging on the ASA.

Figure 88 shows logging information on the Device Dashboard.

When logging is enabled, you can see the real-time log events in the Device Dashboard. You can also monitor logging events from the Monitoring toolbar.


FIGURE 87: Device Dashboard


From the Configuration toolbar, navigating to Device Management > Logging provides more in-depth configuration options for items such as external logging servers, log filters, and external email addresses. Figure 89 shows the Logging Setup screen.


FIGURE 88: Device Dashboard: Logging Enabled


Summary

This final section covered the management and monitoring of the ASA. In this section, we looked at configuring the ASA for Telnet and SSH connections and how to manage the software images on the ASA through the CLI and ASDM. We discussed licensing of the ASA and where to go to get logging statistics from the ASA about the traffic traversing it.


FIGURE 89: Logging Setup
