Showing posts with label firewall. Show all posts

Cisco ASA 8.4 IOS - Remote Access VPN

Below is the minimal configuration needed to implement remote access VPNs on a Cisco ASA 5505 running 8.4. Please keep in mind that the names I used in my configuration are my dog's, but it's best practice to use a name that describes what / who it's for.


Enable ISAKMP (IKEv1) on the outside interface and define the phase 1 policy. The post uses 3DES and MD5 as shown below; on current software prefer AES and SHA, and replace the example pre-shared key with a long random one:

ASA-2(config)# crypto ikev1 enable outside

ASA-2(config)# crypto ikev1 policy 1

ASA-2(config-ikev1-policy)# encryption 3des

ASA-2(config-ikev1-policy)# authentication pre-share

ASA-2(config-ikev1-policy)# hash md5

Set up your group policy and tunnel group:

ASA-2(config)# group-policy oscar_GP internal

ASA-2(config)# group-policy oscar_GP attributes

ASA-2(config-group-policy)# vpn-tunnel-protocol ikev1

ASA-2(config-group-policy)# address-pools value oscar_pool

*******************

ASA-2(config)# tunnel-group oscar_tg type remote-access

ASA-2(config)# tunnel-group oscar_tg general-attributes

ASA-2(config-tunnel-general)# default-group-policy oscar_GP

ASA-2(config-tunnel-general)# authentication-server-group LOCAL 

ASA-2(config)# tunnel-group oscar_tg ipsec-attributes

ASA-2(config-tunnel-ipsec)# ikev1 pre-shared-key C1sc0

*******************

ASA-2(config)# crypto ipsec ikev1 transform-set oscar_trans esp-3des esp-md5-hmac

ASA-2(config)# ip local pool oscar_pool 10.1.2.140-10.1.2.145 mask 255.255.255.0

ASA-2(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set oscar_trans

ASA-2(config)# username oscar password omEMDQBc9noujG1X encrypted privilege 15

ASA-2(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

ASA-2(config)# crypto map outside_map interface outside


From http://adrian-brayton.blogspot.com.ar/2011/07/cisco-asa-84-ios-remote-access-vpn.html

Site-to-site VPN config example, ASA 8.4 or newer.

Just copy and paste, then mirror it on the other side: swap the two object subnets, point the tunnel-group and set peer at this side's outside address, and use the same pre-shared key and transform set. 3DES/MD5 are shown as in the original; on current code use AES and SHA.

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
object network OBJ-SiteA
subnet 10.0.0.0 255.255.255.0
object network OBJ-SiteB
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-TRAFIC extended permit ip object OBJ-SiteA object OBJ-SiteB
nat (inside,outside) source static OBJ-SiteA OBJ-SiteA destination static OBJ-SiteB OBJ-SiteB no-proxy-arp route-lookup
!
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
ikev1 pre-shared-key cisco123
! optional: dead peer detection
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-3des esp-md5-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-TRAFIC
! optional: perfect forward secrecy for phase 2
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 200.200.200.200
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
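The "mirror this config on the other side" step is where site-to-site tunnels usually go wrong: one end gets the subnets or the peer swapped incorrectly. The generator below is an added example, not code from the original post or from Cisco. It renders the crypto map / tunnel-group skeleton shown above for both peers from one description, so the two ends cannot drift apart. The Site record, the Site A outside address 100.100.100.100 and the use of AES-256/SHA instead of the post's 3DES/MD5 are this example's own choices; the Site B address, subnets and pre-shared key are the post's placeholders.

```python
"""Generate matching ASA 8.4+ IKEv1 site-to-site configs for both peers.

Added example (not the original post's code): each side's "local" is the
other side's "remote", so the subnets, peer address and ACL direction are
swapped automatically. Site layout and the AES/SHA choice are assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Site:
    name: str       # used for object and ACL names
    peer_ip: str    # public IP of this site's ASA outside interface
    lan: str        # protected subnet behind this ASA, CIDR notation


def lans_overlap(a: Site, b: Site) -> bool:
    """Identity NAT only works when the two protected subnets do not overlap."""
    return ipaddress.ip_network(a.lan).overlaps(ipaddress.ip_network(b.lan))


def render_site_config(local: Site, remote: Site, psk: str,
                       transform: str = "esp-aes-256 esp-sha-hmac") -> str:
    """Return the ASA CLI lines for `local`, pointing at `remote`."""
    l_net = ipaddress.ip_network(local.lan, strict=True)
    r_net = ipaddress.ip_network(remote.lan, strict=True)
    l_obj, r_obj = f"OBJ-{local.name}", f"OBJ-{remote.name}"
    acl = f"VPN-{local.name}-TO-{remote.name}"
    lines = [
        "crypto ikev1 enable outside",
        "crypto ikev1 policy 10",
        " authentication pre-share",
        " encryption aes-256",
        " hash sha",
        " group 2",
        " lifetime 86400",
        "!",
        f"object network {l_obj}",
        f" subnet {l_net.network_address} {l_net.netmask}",
        f"object network {r_obj}",
        f" subnet {r_net.network_address} {r_net.netmask}",
        "!",
        f"access-list {acl} extended permit ip object {l_obj} object {r_obj}",
        # Identity (twice) NAT so tunnel traffic bypasses the interface PAT.
        f"nat (inside,outside) source static {l_obj} {l_obj} "
        f"destination static {r_obj} {r_obj} no-proxy-arp route-lookup",
        "!",
        f"tunnel-group {remote.peer_ip} type ipsec-l2l",
        f"tunnel-group {remote.peer_ip} ipsec-attributes",
        f" ikev1 pre-shared-key {psk}",
        " isakmp keepalive threshold 10 retry 2",
        "!",
        f"crypto ipsec ikev1 transform-set VPN-TRANSFORM {transform}",
        "!",
        f"crypto map CRYPTO-MAP 1 match address {acl}",
        "crypto map CRYPTO-MAP 1 set pfs group2",
        f"crypto map CRYPTO-MAP 1 set peer {remote.peer_ip}",
        "crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM",
        "crypto map CRYPTO-MAP interface outside",
    ]
    return "\n".join(lines)


def render_both(site_a: Site, site_b: Site, psk: str) -> dict:
    """Mirror the config: returns {site name: config text} for both ends."""
    if lans_overlap(site_a, site_b):
        raise ValueError("overlapping LANs need NAT inside the tunnel, not identity NAT")
    return {site_a.name: render_site_config(site_a, site_b, psk),
            site_b.name: render_site_config(site_b, site_a, psk)}


# Site B values come from the post; Site A's outside address is assumed.
SITE_A = Site("SiteA", "100.100.100.100", "10.0.0.0/24")
SITE_B = Site("SiteB", "200.200.200.200", "10.0.3.0/24")

if __name__ == "__main__":
    for name, cfg in render_both(SITE_A, SITE_B, "cisco123").items():
        print(f"! ---- {name} ----\n{cfg}\n")
```

Run it and paste each block into the matching ASA. The overlap check matters: if both sites use the same RFC 1918 range, identity NAT cannot work and one side must be translated inside the tunnel instead.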



Related Article :

http://www.petenetlive.com/KB/Article/0000050.htm

Basic Cisco Commands and Descriptions

Suggested prerequisite reading
Cisco Forum FAQ: The most straight-forward way to configure Cisco router: Introduction to CLI

CCNA level Cisco Commands and Descriptions


Following is a list of commands that are applicable to most IOS-based equipment such as routers and switches. Check out the following links for the full command references.

IOS Commands 12.4 version on Routers
IOS and Catalyst OS Commands on 6500 series Switches
IOS Commands 12.2 version on 4500 series Switches
IOS Commands 12.2 version on 3560 series Switches
ASA and PIX Firewall OS Commands 6.2 version and above

? Gives you a help screen

0.0.0.0 255.255.255.255 A wildcard command; same as the any command

access-class Applies a standard IP access list to a VTY line

access-list Creates a list of tests to filter the networks

any Specifies any host or any network; same as the 0.0.0.0 255.255.255.255 command

Backspace Deletes a single character

bandwidth Sets the bandwidth on a serial interface

banner Creates a banner for users who log into the router

cdp enable Turns on CDP on an individual interface

cdp holdtime Changes the holdtime of CDP packets

cdp run Turns on CDP on a router

cdp timer Changes the CDP update timer

clear counters Clears the statistics from an interface

clear line Clears a connection connected via Telnet to your router

clear mac-address-table Clears the filter table created dynamically by the switch

clock rate Provides clocking on a serial DCE interface

config memory Copies the startup-config to running-config

config network Copies a configuration stored on a TFTP host to running-config

config terminal Puts you in global configuration mode and changes the running-config

config-register Tells the router how to boot and to change the configuration register setting

copy flash tftp Copies a file from flash memory to a TFTP host

copy run start Short for copy running-config startup-config; places a configuration into NVRAM

copy run tftp Copies the running-config file to a TFTP host

copy tftp flash Copies a file from a TFTP host to flash memory

copy tftp run Copies a configuration from a TFTP host to the running-config file

Ctrl+A Moves your cursor to the beginning of the line

Ctrl+D Deletes a single character

Ctrl+E Moves your cursor to the end of the line

Ctrl+F Moves forward one character

Ctrl+R Redisplays a line

Ctrl+Shift+6, then X (keyboard combination) Returns you to the originating router when you telnet to numerous routers

Ctrl+U Erases a line

Ctrl+W Erases a word

Ctrl+Z Ends configuration mode and returns to EXEC

debug dialer Shows you the call setup and teardown procedures

debug frame-relay lmi Shows the lmi exchanges between the router and the Frame Relay switch

debug ip igrp events Provides a summary of the IGRP routing information running on the network

debug ip igrp transactions Shows message requests from neighbor routers asking for an update and the broadcasts sent from your router to that neighbor router

debug ip rip Sends console messages displaying information about RIP packets being sent and received on a router interface

debug ipx Shows the RIP and SAP information as it passes through the router

debug isdn q921 Shows layer-2 processes

debug isdn q931 Shows layer-3 processes

delete nvram Deletes the contents of NVRAM on a 1900 switch

delete vtp Deletes VTP configurations from a switch

description Sets a description on an interface

dialer idle-timeout number Tells the BRI line when to drop if no interesting traffic is found

dialer list number protocol protocol permit/deny Specifies interesting traffic for a DDR link

dialer load-threshold number inbound/outbound/either Sets the parameters that describe when the second BRI comes up on an ISDN link

dialer map protocol address name hostname number Used instead of a dialer string to provide more security in an ISDN network

dialer string Sets the phone number to dial for a BRI interface

disable Takes you from privileged mode back to user mode

disconnect Disconnects a connection to a remote router from the originating router

duplex Sets the duplex of an interface

enable Puts you into privileged mode

enable password Sets the enable password, stored in clear text (or reversibly obfuscated if service password-encryption is on); use enable secret instead

enable password level 1 Sets the user mode password

enable password level 15 Sets the enable mode password

enable secret Sets the encrypted enable secret password. Supersedes the enable password if set

encapsulation Sets the frame type used on an interface

encapsulation frame-relay Changes the encapsulation to Frame Relay on a serial link

encapsulation frame-relay ietf Sets the encapsulation type to the Internet Engineering Task Force (IETF); connects Cisco routers to off-brand routers

encapsulation hdlc Restores the default encapsulation of HDLC on a serial link

encapsulation isl 2 Sets ISL routing for VLAN

encapsulation ppp Changes the encapsulation on a serial link to PPP

erase startup Deletes the startup-config

erase startup-config Deletes the contents of NVRAM on a router

Esc+B Moves back one word

Esc+F Moves forward one word

exec-timeout Sets the timeout in seconds and minutes for the console connection

exit Disconnects a connection to a remote router via Telnet

frame-relay interface-dlci Configures the PVC address on a serial interface or subinterface

frame-relay lmi-type Configures the LMI type on a serial link

frame-relay map protocol address Creates a static mapping for use with a Frame Relay network

host Specifies a single host address

hostname Sets the name of a router or a switch

int e0.10 Creates a subinterface

int f0/0.1 Creates a subinterface

interface Puts you in interface configuration mode; also used with show commands

interface e0/5 Configures Ethernet interface

interface ethernet 0/1 Configures interface e0/1

interface f0/26 Configures Fast Ethernet interface 26

interface fastethernet 0/0 Puts you in interface configuration mode for a Fast Ethernet port; also used with show commands

interface fastethernet 0/0.1 Creates a subinterface

interface fastethernet 0/26 Configures interface f0/26

interface s0.16 multipoint Creates a multipoint subinterface on a serial link that can be used with Frame Relay networks

interface s0.16 point-to-point Creates a point-to-point subinterface on a serial link that can be used with Frame Relay

interface serial 5 Puts you in configuration mode for interface serial 5 and can be used for show commands

ip access-group Applies an IP access list to an interface

ip address Sets an IP address on an interface or a switch

ip classless A global configuration command used to tell a router to forward packets to a default route when the destination network is not in the routing table

ip default-gateway Sets the default gateway of the switch

ip domain-lookup Turns on DNS lookup (which is on by default)

ip domain-name Appends a domain name to a DNS lookup

ip host Creates a host table on a router

ip name-server Sets the IP address of up to six DNS servers

ip route Creates static and default routes on a router

ipx access-group Applies an IPX access list to an interface

ipx input-sap-filter Applies an inbound IPX SAP filter to an interface

ipx network Assigns an IPX network number to an interface

ipx output-sap-filter Applies an outbound IPX SAP filter to an interface

ipx ping A Packet Internet Groper used to test IPX packet on an internetwork

ipx routing Turns on IPX routing

isdn spid1 Sets the number that identifies the first DS0 to the ISDN switch

isdn spid2 Sets the number that identifies the second DS0 to the ISDN switch

isdn switch-type Sets the type of ISDN switch that the router will communicate with; can be set at interface level or global configuration mode

K Used at the startup of the 1900 switch and puts the switch into CLI mode

line Puts you in configuration mode to change or set your user mode passwords

line aux Puts you in the auxiliary interface configuration mode

line console 0 Puts you in console configuration mode

line vty Puts you in VTY (Telnet) interface configuration mode

logging synchronous Stops console messages from overwriting your command-line input

logout Logs you out of your console session

mac-address-table permanent Makes a permanent MAC address entry in the filter database

mac-address-table restricted static Sets a restricted address in the MAC filter database to allow only the configured interfaces to communicate with the restricted address

media-type Sets the hardware media type on an interface

network Tells the routing protocol what network to advertise

no cdp enable Turns off CDP on an individual interface

no cdp run Turns off CDP completely on a router

no inverse-arp Turns off the dynamic IARP used with Frame Relay; static mappings must be configured

no ip domain-lookup Turns off DNS lookup

no ip host Removes a hostname from a host table

no ip route Removes a static or default route

no shutdown Turns on an interface

o/r 0x2142 Changes a 2501 to boot without using the contents of NVRAM

ping Tests IP connectivity to a remote device

port secure max-mac-count Allows only the configured amount of devices to attach and work on an interface

ppp authentication chap Tells PPP to use CHAP authentication

ppp authentication pap Tells PPP to use PAP authentication

router igrp as Turns on IP IGRP routing on a router

router rip Puts you in router rip configuration mode

secondary Adds a second IPX network on the same physical interface

service password-encryption Obfuscates the user mode and enable passwords in the configuration with the reversible type 7 scheme; it hides them from shoulder-surfing but is not a substitute for enable secret

show access-list Shows all the access lists configured on the router

show access-list 110 Shows only access list 110

show cdp Displays the CDP timer and holdtime frequencies

show cdp entry * Same as show cdp neighbor detail, but does not work on a 1900 switch

show cdp interface Shows the individual interfaces enabled with CDP

show cdp neighbor Shows the directly connected neighbors and the details about them

show cdp neighbor detail Shows the IP address and IOS version and type, and includes all of the information from the show cdp neighbor command

show cdp traffic Shows the CDP packets sent and received on a device and any errors

show controllers s 0 Shows the DTE or DCE status of an interface

show dialer Shows the number of times the dialer string has been reached, the idle-timeout values of each B channel, the length of call, and the name of the router to which the interface is connected

show flash Shows the files in flash memory

show frame-relay lmi Shows the LMI type on a serial interface

show frame-relay map Shows the static and dynamic Network layer-to-PVC mappings

show frame-relay pvc Shows the configured PVCs and DLCI numbers configured on a router

show history Shows you the last 10 commands entered by default

show hosts Shows the contents of the host table

show int f0/26 Shows the statistics of f0/26

show inter e0/1 Shows the statistics of interface e0/1

show interface s0 Shows the statistics of interface serial 0

show ip Shows the IP configuration of the switch

show ip access-list Shows only the IP access lists

show ip interface Shows which interfaces have IP access lists applied

show ip protocols Shows the routing protocols and timers associated with each routing protocol configured on a router

show ip route Displays the IP routing table

show ipx access-list Shows the IPX access lists configured on a router

show ipx interface Shows the RIP and SAP information being sent and received on an individual interface; also shows the IPX address of the interface

show ipx route Shows the IPX routing table

show ipx servers Shows the SAP table on a Cisco router

show ipx traffic Shows the RIP and SAP information sent and received on a Cisco router

show isdn active Shows the number called and whether a call is in progress

show isdn status Shows if your SPIDs are valid and if you are connected and communicating with the provider's switch

show mac-address-table Shows the filter table created dynamically by the switch

show protocols Shows the routed protocols and network addresses configured on each interface

show run Short for show running-config; shows the configuration currently running on the router

show sessions Shows your connections via Telnet to remote devices

show snmp Gives you the router's serial number as the "chassis" output

show start Short for show startup-config; shows the backup configuration stored in NVRAM

show terminal Shows you your configured history size

show trunk A Shows the trunking status of port 26

show trunk B Shows the trunking status of port 27

show version Gives the IOS information of the switch, as well as the uptime and base Ethernet address

show vlan Shows all configured VLANs

show vlan-membership Shows all port VLAN assignments

show vtp Shows the VTP configuration of a switch

shutdown Puts an interface in administratively down mode

Tab Finishes typing a command for you

telnet Connects to a remote device over Telnet to view and run commands there (cleartext; prefer SSH where available)

terminal history size Changes your history size from the default of 10 up to 256

trace Tests a connection to a remote device and shows the path it took through the internetwork to find the remote device

traffic-share balanced Tells the IGRP routing protocol to share links inversely proportional to the metrics

traffic-share min Tells the IGRP routing process to use routes that have only minimum costs

trunk auto Sets the port to auto trunking mode

trunk on Sets a port to permanent trunking mode

username name password password Creates usernames and passwords for authentication on a Cisco router

variance Controls the load balancing between the best metric and the worst acceptable metric

vlan 2 name Sales Creates a VLAN 2 named Sales

vlan-membership static 2 Assigns a static VLAN to a port

vtp client Sets the switch to be a VTP client

vtp domain Sets the domain name for the VTP configuration

vtp password Sets a password on the VTP domain

vtp pruning enable Makes the switch a pruning switch

vtp server Sets the switch to be a VTP server

Understanding PIX Firewall/ASA

Official Cisco Support
Using PIX Firewall
Cisco Security Appliance Command Line Configuration Guide, Version 7.0

Security Level as Stateful Firewall feature foundation

The Cisco ASA/PIX Firewall is designed as a stateful firewall. In Cisco's implementation, the concept of a Security Level is the foundation of all the stateful firewall features.

In the basic firewall model there are three security zones. The first is the Untrusted network, which Cisco implements as the Outside network. The second is the Trusted network, implemented as the Inside network. The third is the DMZ, which Cisco also calls the DMZ network.

Following this model, a firewall sits on the perimeter and guards the traffic flow between zones. With Security Levels, the Untrusted (Outside) network has the lowest level of trust, which Cisco assigns by default as 0 (zero). The Trusted (Inside) network has the highest level of trust, assigned by default as 100. Since the DMZ is considered partly trusted and partly untrusted, it is given an intermediate value between 1 and 99 (50 is the common choice).

From the Security Level you can see that the higher a network's level is, the more trusted it is. In other words, the Inside network is more trusted (more secure) than the DMZ network, and the DMZ network is more trusted than the Outside network. When you use a Cisco ASA/PIX Firewall as your Internet gateway or Internet firewall, for example, the Outside network is the Internet, the Inside network is your internal network, and the DMZ network holds your publicly-accessible web or email server.

If you want to go further, you can segment your internal network by putting a dedicated firewall between your internal servers and the users' PCs, where the Inside network is where the internal servers are and the Outside network is where the users' PCs are. If you would rather use only one firewall for everything, create multiple DMZ networks: the Outside network (Security Level 0) is the Internet, the Inside network (Security Level 100) is the internal servers, DMZ 1 (e.g. Security Level 1) is the publicly-accessible web or email server, DMZ 2 (e.g. Security Level 4) is a guest wireless network, DMZ 3 (e.g. Security Level 6) is the users' PCs, and so on.

Also based on the Security Level, any incoming traffic from a lower Security Level to a higher Security Level is denied by default. When you have a publicly-accessible web or email server on your DMZ, you have to explicitly permit that incoming traffic from the lower Security Level network (the Internet or Outside) into the higher Security Level network (the DMZ): on pre-8.3 code that means a static translation for the server combined with an access-list applied inbound on the Outside interface. You can also cap the number of permitted incoming sessions for further protection.

How Cisco ASA/PIX Firewall treats TCP-based traffic differently from ICMP-based traffic

For ICMP, you also have to permit incoming ICMP echo replies from the less trusted network that answer echo requests issued by a machine in the more trusted network. For TCP-based traffic, by default all returning TCP traffic coming from the less trusted network in response to a TCP connection initiated from the more trusted network is permitted, so you do not need to create rules for it. (On ASA 7.0 and later, enabling inspect icmp in the global policy makes echo/reply pairs stateful as well, so the explicit ICMP permit is then unnecessary.)

The firewall can skip those rules because it understands the TCP 3-way handshake. Every outbound TCP connection initiated from the more trusted network to the less trusted network is inspected and recorded in the connection table (the show conn command displays it). When the firewall then sees a matching TCP packet coming back from the less trusted network toward the more trusted network as part of that handshake, it permits the returning traffic.

ICMP-based traffic has different properties. Since there is no handshake in ICMP, each ICMP packet is treated as one-way traffic. Therefore you have to explicitly permit the necessary incoming ICMP traffic from the less trusted network toward the more trusted network when you plan to use ping or traceroute from the more trusted network to the less trusted network.
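A small model of the behaviour described in the last three paragraphs (security levels, default deny from lower to higher, the connection table that lets TCP replies through, one-way ICMP), as an added example that is not from the original article or from Cisco. The inspect_icmp switch models the inspect icmp option available from ASA 7.0, which the PIX-era text above does not cover; interface names, levels, the permit entries and the packet tuples are constructed.

```python
"""Toy stateful firewall driven by security levels and a connection table.

Added example (not Cisco code). A flow from a higher to a lower security level
is allowed and recorded; the reverse needs an explicit permit; a TCP packet
from the lower side is accepted only if it matches a recorded connection.
ICMP is one-way unless inspect_icmp is set (assumption modelling `inspect icmp`).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ingress: str        # interface the packet arrives on
    egress: str         # interface it would leave on (routing already decided)
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # for ICMP: echo identifier
    dport: int = 0      # for ICMP: 8 = echo request, 0 = echo reply
    syn: bool = False   # TCP SYN flag (True for SYN and SYN-ACK)


@dataclass
class StatefulFirewall:
    levels: dict                                # interface -> security level
    permits: set = field(default_factory=set)   # explicit (ingress, proto, dst, dport)
    inspect_icmp: bool = False
    conns: set = field(default_factory=set)     # tracked 5-tuples, forward direction

    def _track(self, p: Packet) -> None:
        self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def _is_return(self, p: Packet) -> bool:
        """Does this packet answer a connection already in the table?"""
        if p.proto == "icmp":
            if not self.inspect_icmp or p.dport != 0:   # only echo replies are returns
                return False
            return ("icmp", p.dst, p.sport, p.src, 8) in self.conns
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns

    def process(self, p: Packet) -> str:
        """Return 'permit' or 'deny' for one packet, updating the table."""
        if p.ingress == p.egress:                 # same-interface traffic: denied by default
            return "deny"
        if p.proto == "tcp" and not p.syn and not self._is_return(p):
            return "deny"                         # ACK without a tracked SYN
        if self._is_return(p):
            return "permit"                       # reply to a connection the firewall saw
        higher_to_lower = self.levels[p.ingress] > self.levels[p.egress]
        if higher_to_lower or (p.ingress, p.proto, p.dst, p.dport) in self.permits:
            self._track(p)
            return "permit"
        return "deny"


def demo(inspect_icmp: bool = False) -> list:
    """Constructed traffic: inside=100, dmz=50, outside=0; TCP 80 to the DMZ host permitted."""
    fw = StatefulFirewall(levels={"inside": 100, "dmz": 50, "outside": 0},
                          permits={("outside", "tcp", "203.0.113.10", 80)},
                          inspect_icmp=inspect_icmp)
    flows = [
        Packet("inside", "outside", "tcp", "10.1.1.5", "198.51.100.7", 40000, 443, syn=True),   # outbound SYN
        Packet("outside", "inside", "tcp", "198.51.100.7", "10.1.1.5", 443, 40000, syn=True),   # matching SYN-ACK
        Packet("outside", "inside", "tcp", "198.51.100.7", "10.1.1.5", 443, 40001),             # stray ACK
        Packet("outside", "dmz", "tcp", "198.51.100.9", "203.0.113.10", 51000, 80, syn=True),  # permitted inbound
        Packet("outside", "dmz", "tcp", "198.51.100.9", "203.0.113.10", 51001, 22, syn=True),  # not permitted
        Packet("inside", "outside", "icmp", "10.1.1.5", "198.51.100.7", 7, 8),                 # echo request
        Packet("outside", "inside", "icmp", "198.51.100.7", "10.1.1.5", 7, 0),                 # echo reply
    ]
    return [fw.process(p) for p in flows]


if __name__ == "__main__":
    print(demo())                      # last entry 'deny': reply needs an explicit permit
    print(demo(inspect_icmp=True))     # last entry 'permit': echo/reply tracked as a pair
```

The stray ACK is the case the "TCP Transaction Protection" section below describes: no SYN was seen for that port pair, so there is no connection entry and the packet is dropped even though it comes from the same host as a legitimate session.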

TCP Transaction Protection

All TCP traffic passing through the Cisco ASA/PIX Firewall is inspected to make sure a 3-way handshake completes as the TCP mechanism requires. The firewall drops any TCP transaction that does not complete, protecting the hosts behind it from TCP-based attacks.

For example, the firewall keeps a half-open TCP session under a hold timer as part of the handshake protection. It expects the server's response within that interval; if the timer expires before the response arrives, the firewall drops the related TCP session and also drops the "late" server response.

Another example is that the firewall drops TCP packets when a client keeps retransmitting SYN packets for a connection that never completes, or sends an ACK without having sent a SYN first. In both cases the offending SYN or ACK is dropped.

There is also TCP Initial Sequence Number (ISN) randomization, enabled by default, which rewrites the sequence numbers negotiated between client and server so that an attacker cannot predict them (protection against TCP sequence prediction attacks).

One optional feature is a maximum number of simultaneous TCP and UDP connections through the firewall for an entire subnet. The default is 0, meaning unlimited: the firewall imposes no cap and the server effectively decides.

Another optional feature is a per-host maximum number of embryonic connections. An embryonic connection is a connection request that has not finished the handshake between source and destination. Set a small value for slower systems and a higher value for faster systems. The default is 0, which means unlimited embryonic connections.

The embryonic connection limit prevents a type of attack (SYN flooding) in which connections are started but never completed. When the limit is exceeded, the TCP intercept feature takes over SYN packets from clients to servers on a higher security level. The firewall completes the handshake with the client on behalf of the server and, only if that succeeds, opens the connection to the server on behalf of the client and splices the two half-connections together transparently. Connection attempts from unreachable or spoofed hosts therefore never reach the server. The PIX Firewall and ASA implement TCP intercept using SYN cookies, so no state is kept for a client until it has proven it can complete the handshake.
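The following is an added example, not Cisco's implementation, of the embryonic limit and SYN-cookie intercept just described: below em_limit half-open connections per server the firewall forwards SYNs and counts them; above it, the firewall answers the SYN itself with a cookie as the initial sequence number and only contacts the server once the client's ACK proves the cookie. The cookie layout (8-bit time slot plus 24 bits of keyed hash), the secret and the sample addresses are this example's own assumptions.

```python
"""SYN-cookie TCP intercept triggered by a per-server embryonic limit.

Added example (not Cisco code). The cookie is HMAC(secret, 4-tuple, slot)
truncated to 24 bits with the time slot in the top byte; the ACK must carry
cookie+1 and arrive within the current or previous 64-second slot.
"""
import hashlib
import hmac
from collections import defaultdict


class TcpIntercept:
    def __init__(self, em_limit: int, secret: bytes, now: int = 0):
        self.em_limit = em_limit            # embryonic limit per server, 0 = unlimited
        self.secret = secret
        self.now = now                      # clock in seconds; slots are 64 s wide
        self.embryonic = defaultdict(set)   # server -> {(client, sport)} half-open
        self.established = set()

    def _slot(self, t: int) -> int:
        return (t // 64) & 0xFF

    def cookie(self, client: str, sport: int, server: str, dport: int, slot: int) -> int:
        msg = f"{client}:{sport}>{server}:{dport}|{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (slot << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, client: str, sport: int, server: str, dport: int) -> dict:
        """Client SYN: forward it while under the limit, otherwise answer with a cookie."""
        if self.em_limit and len(self.embryonic[server]) >= self.em_limit:
            isn = self.cookie(client, sport, server, dport, self._slot(self.now))
            return {"action": "syn-ack from firewall", "isn": isn}
        self.embryonic[server].add((client, sport))
        return {"action": "forward to server"}

    def on_ack(self, client: str, sport: int, server: str, dport: int, ack: int) -> str:
        """Third packet of the handshake: normal completion or answer to a cookie."""
        if (client, sport) in self.embryonic[server]:
            self.embryonic[server].discard((client, sport))
            self.established.add((client, sport, server, dport))
            return "established"
        isn = (ack - 1) & 0xFFFFFFFF
        slot = isn >> 24
        for cand in (self._slot(self.now), self._slot(self.now - 64)):
            expected = self.cookie(client, sport, server, dport, cand)
            if slot == cand and hmac.compare_digest(isn.to_bytes(4, "big"),
                                                    expected.to_bytes(4, "big")):
                self.established.add((client, sport, server, dport))
                return "cookie valid: firewall completes handshake with server"
        return "drop: no embryonic entry and cookie mismatch"


def demo() -> list:
    """Constructed flood against 203.0.113.10 with an embryonic limit of 2."""
    fw = TcpIntercept(em_limit=2, secret=b"example-secret", now=1000)
    srv = "203.0.113.10"
    out = [fw.on_syn("198.51.100.1", 40001, srv, 80)["action"],   # forwarded
           fw.on_syn("198.51.100.2", 40002, srv, 80)["action"]]   # forwarded, limit reached
    reply = fw.on_syn("198.51.100.3", 40003, srv, 80)             # intercepted
    out.append(reply["action"])
    out.append(fw.on_ack("198.51.100.3", 40003, srv, 80, reply["isn"] + 1))  # genuine client
    out.append(fw.on_ack("198.51.100.4", 40004, srv, 80, 12345))             # forged ACK
    out.append(fw.on_ack("198.51.100.1", 40001, srv, 80, 777))               # normal completion
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the third client costs the server anything, and only after it has answered the cookie; a flood of SYNs from spoofed sources gets SYN-ACKs from the firewall and nothing more.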

TCP/UDP Application-Specific Protocol Protection

By default, the PIX Firewall and ASA provide application-specific protection (protocol inspection) for the following TCP/UDP protocols.
Protocol        TCP/UDP Port      Protocol-Specific Protection
dns             udp 53            packet maximum length 512
ftp             tcp 21
h323 h225       tcp 1720
h323 ras        udp 1718-1719
http            tcp 80
rsh             tcp 514
rtsp            tcp 554
sip             tcp 5060
sip udp         udp 5060
skinny          tcp 2000
smtp            tcp 25
sqlnet          tcp 1521
tftp            udp 69


Various Cisco ASA/PIX Firewall Features

1. SSH and Telnet as firewall management access

Telnet is never accepted on the lowest-security interface (Outside), so from a non-Inside network you can only use SSH for firewall management. From the Inside network either Telnet or SSH can be used, but neither works until you explicitly list the permitted management hosts with the telnet or ssh commands (and generate an RSA key for SSH). SSH should be preferred, since Telnet sends credentials in the clear.

2. NAT

In PIX or ASA OS versions prior to 8.3, NAT is expected for traffic between zones (always on PIX 6.x; on ASA 7.0 and later only when nat-control is enabled). In those versions you typically use the nat 0 command to exempt traffic from NAT, or a static command with the same IP subnet before and after translation. There is also a defined NAT Order of Operation in those versions that determines which NAT rule wins when several match.

NAT Concept on PIX Firewall running OS version 6.3 or later and ASA running OS version prior 8.3

Introduction to NAT Operation

In a network environment with a private network that is not (and should not be) directly visible from the Outside, that network has to be hidden from the Outside. The PIX Firewall and ASA were originally designed to provide that invisibility, and they apply NAT by default to traffic across security zones, such as between the Inside and Outside networks.

When access to the Outside network is needed from the more trusted network, you NAT the outbound traffic with the nat command. If the traffic is purely outbound, i.e. connections are only initiated from the more trusted network toward the less trusted network, the nat command is paired with a global command.

For inbound traffic, where connections are initiated from the less trusted network toward the more trusted network, the static command provides the translation. With a static command the translation exists in both directions: the Outside (less trusted) network can initiate traffic to the Inside (more trusted) host at any time, provided an access-list applied to the less trusted interface permits it, and vice versa. No separate nat command is needed for that host.

With the static command you can choose either the same or a different IP address/subnet on the less trusted side. The following are the cases where you want a different IP address/subnet to appear on the less trusted network.

1. The private network (on the more trusted side) uses an IP scheme that is not routable on the less trusted network; e.g. Internet access from a LAN using a private range such as 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16

2. The less trusted network cannot route to the more trusted subnet. In this case, the more trusted network uses NAT-ed IP addresses taken from the less trusted network's own IP subnet

3. The IP schemes of the less and more trusted networks conflict (overlap). In this case, the more trusted network uses NAT-ed IP addresses within the less trusted network's IP scheme, and in addition you need to NAT the inbound traffic from the less trusted network to addresses within the more trusted network's IP scheme.

When none of the above applies, use the same IP address/subnet on both sides. Using the same addresses does not by itself create a security risk for the more trusted network, because the stateful features discussed earlier still apply.

Different Types of NAT

1. Dynamic PAT

Commands to use: nat, global
Objective: to allow outbound traffic from more trusted network to less trusted network where inbound traffic is not needed

Example 1.1
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.43.45.93

Description:
Any host within the Inside subnet 192.168.1.0/24 is PAT-ed to 203.43.45.93 for outbound traffic from Inside to Outside.

Example 1.2
nat (outside) 1 203.43.45.0 255.255.255.0 outside
global (inside) 1 192.168.1.93

Description:
Any host within the Outside subnet 203.43.45.0/24 is PAT-ed to 192.168.1.93 for inbound traffic from Outside to Inside (outside NAT; note the trailing outside keyword on the nat line, which tells the firewall the translated addresses belong to a lower-security interface).

2. Static PAT

Commands to use: static
Objective: to allow both inbound and outbound traffic for one specific TCP or UDP port of a host on the more trusted network

Example 2.1
static (inside,outside) tcp 203.43.45.93 80 192.168.45.93 80 netmask 255.255.255.255

Description:
Host 192.168.45.93 is translated to 203.43.45.93 for outbound traffic it sources from TCP port 80 toward the Outside network. In the other direction, any Outside address reaching 203.43.45.93 on destination TCP port 80 is sent to 192.168.45.93 on TCP port 80 (once an access-list permits it). Other ports of the host are not covered by this statement.

Example 2.2
static (outside,inside) tcp 192.168.45.93 80 203.43.45.93 80 netmask 255.255.255.255

Description:
Host 203.43.45.93 is translated to 192.168.45.93 for inbound traffic it sources from TCP port 80 toward the Inside network. In the other direction, any Inside address reaching 192.168.45.93 on destination TCP port 80 is sent to 203.43.45.93 on TCP port 80. Other ports of the host are not covered by this statement.

3. Static NAT of single IP address

Commands to use: static
Objective: to allow both inbound and outbound traffic for a host on the more trusted network. The translation covers every IP protocol and every port of the given address.

Example 3.1
static (inside,outside) 203.43.45.93 192.168.45.93 netmask 255.255.255.255

Description:
Host 192.168.45.93 is translated to 203.43.45.93 for outbound traffic it initiates toward the Outside network, using any IP protocol (ESP, TCP, UDP, and so on). In the other direction, any Outside address can reach 203.43.45.93 with any IP protocol in order to access 192.168.45.93, subject to the inbound access-list.

Note:
This static statement may look like a security risk, since it exposes the address to any incoming IP protocol from the less trusted network. The risk is mitigated by the access-list that controls inbound traffic: open only the necessary protocols and ports (e.g. just inbound TCP 80 and 443) and everything else stays denied.

Example 3.2
static (outside,inside) 192.168.45.93 203.43.45.93 netmask 255.255.255.255

Description:
Host 203.43.45.93 is translated to 192.168.45.93 for inbound traffic it initiates toward the Inside network, using any IP protocol (ESP, TCP, UDP, and so on). In the other direction, any Inside address can reach 192.168.45.93 with any IP protocol in order to access 203.43.45.93.

4. Static NAT of entire IP subnet

Commands to use: static
Objective: to allow both inbound and outbound traffic for a whole subnet on the more trusted network. The translation covers every IP protocol and every port of every address in the subnet.

Example 4.1
static (inside,outside) 203.43.45.0 192.168.45.0 netmask 255.255.255.0

Description:
Any host within 192.168.45.0/24 is translated to the corresponding address in 203.43.45.0/24 for outbound traffic it initiates toward the Outside network, using any IP protocol (ESP, TCP, UDP, and so on). In the other direction, any Outside address can reach 203.43.45.0/24 with any IP protocol in order to access 192.168.45.0/24, subject to the inbound access-list.

Using IP subnet static NAT puts the following static NAT pairs in place:
  Outside                  Inside
203.43.45.1     <====>  192.168.45.1         
203.43.45.2     <====>  192.168.45.2
203.43.45.3     <====>  192.168.45.3
     .
     .
     .
203.43.45.254   <====>  192.168.45.254

As you can see, the last octet stays the same; only the first three octets differ between the Outside and the Inside IP addresses.

Note:
The command is useful when you need to NAT an entire subnet without creating a separate static command for each Outside-Inside pair of IP addresses. You can simply create one static NAT for the whole subnet instead.

Example 4.2
static (outside,inside) 192.168.45.0 203.43.45.0 netmask 255.255.255.0

Description:
Any host within 203.43.45.0/24 is NAT-ed into 192.168.45.0/24 when outbound traffic is initiated from the Inside network to the Outside network using any IP protocol (including ESP, TCP, and UDP). Similarly, IP addresses within the 203.43.45.0/24 Outside network access any IP address within the Inside network as 192.168.45.0/24 using any IP protocol.
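The mapping table in section 4 can be computed rather than written out. The following Python is an added example, not part of the original FAQ and not a Cisco tool; it implements the bit-level rule the table illustrates (swap the network bits selected by the netmask, keep the host bits) for any netmask, so it also covers wider statics such as the 255.255.254.0 identity static used in Example 2 of the NAT Implementation Illustration further down. The function names are mine.

```python
import ipaddress


def static_subnet_translate(addr, mapped_net, real_net, netmask):
    """Address that `addr` appears as under
    `static (inside,outside) <mapped_net> <real_net> netmask <netmask>`.

    Only the network bits (those set in the netmask) are swapped; the host
    bits are carried over unchanged, which is why the table keeps the last
    octet the same for a /24. The same statement works in both directions:
    a real (Inside) address is mapped to its Outside address, and a mapped
    address is un-translated back to the real one.
    Returns None when `addr` is covered by neither side of the statement.
    """
    ip = int(ipaddress.IPv4Address(addr))
    mask = int(ipaddress.IPv4Address(netmask))
    mapped = int(ipaddress.IPv4Address(mapped_net)) & mask
    real = int(ipaddress.IPv4Address(real_net)) & mask
    host_bits = ip & (~mask & 0xFFFFFFFF)
    if ip & mask == real:        # Inside -> Outside: show the mapped address
        return str(ipaddress.IPv4Address(mapped | host_bits))
    if ip & mask == mapped:      # Outside -> Inside: un-translate
        return str(ipaddress.IPv4Address(real | host_bits))
    return None


def mapping_table(mapped_net, real_net, netmask):
    """Expand one subnet static into the (Outside, Inside) host pairs it implies."""
    real = ipaddress.IPv4Network((real_net, netmask), strict=False)
    return [(static_subnet_translate(str(host), mapped_net, real_net, netmask), str(host))
            for host in real.hosts()]


if __name__ == "__main__":
    # Example 4.1 from the FAQ: print the first rows of the pair table
    for outside, inside in mapping_table("203.43.45.0", "192.168.45.0", "255.255.255.0")[:3]:
        print(f"{outside:<15} <====> {inside}")
```

For an identity static (mapped and real subnet equal) the function returns the address unchanged, which is exactly the "appear as themselves" behaviour of section 5.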

5. Static NAT of entire IP subnet and keep the same IP scheme between less and more trusted network

Command to use: access-list, nat 0, and/or static
Objective: to allow outbound traffic from a more trusted network to a less trusted network where inbound traffic is also needed. The commands cover every IP protocol and port of the given IP addresses. All of this takes place while keeping the same IP scheme between the less and more trusted networks.

Example 5.1 - NAT exemption

access-list nonat_inside-outside permit ip 192.168.45.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat_inside-outside

Description:
Any host within 192.168.45.0/24 appears as itself when outbound traffic is initiated from 192.168.45.0/24 (within the Inside network) to the Outside network 192.168.1.0/24 using any IP protocol (including ESP, TCP, and UDP). Similarly, any IP address within the Outside network 192.168.1.0/24 accesses 192.168.45.0/24 directly using any IP protocol.

Example 5.2

static (inside,outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0

Description:
Any host within 192.168.45.0/24 appears as itself when outbound traffic is initiated from 192.168.45.0/24 (within the Inside network) to any Outside network IP address using any IP protocol (including ESP, TCP, and UDP). Similarly, any IP address within the Outside network accesses 192.168.45.0/24 directly using any IP protocol.

Example 5.3 - Identity NAT

nat (inside) 0 192.168.45.0 255.255.255.0
static (inside, outside) 192.168.45.0 192.168.45.0 netmask 255.255.255.0

Description:
The behavior is the same as in Examples 5.1 and 5.2. This configuration is less popular since it looks more complex than it needs to be.

6. Static NAT Policy

Command to use: access-list and static
Objective: to allow outbound traffic from a more trusted network to a less trusted network where inbound traffic is also needed. The commands cover every IP protocol and port of the given IP addresses. All of this takes place while keeping the same IP scheme between the less and more trusted networks.

Example 6.1

access-list nat1_inside-outside permit ip 192.168.45.0 255.255.255.0 23.54.6.0 255.255.255.0
access-list nat2_inside-outside permit ip 192.168.45.0 255.255.255.0 23.54.7.0 255.255.255.0
nat (inside) 1 0.0.0.0
static (inside,outside) 23.54.6.254 access-list nat1_inside-outside
static (inside,outside) 23.54.7.254 access-list nat2_inside-outside
global (outside) 1 203.43.45.32

Description:
Any 192.168.45.x within the Inside network is statically NAT-ed to 23.54.6.254 when it accesses 23.54.6.x on the Outside network. Similarly, any 192.168.45.x within the Inside network is statically NAT-ed to 23.54.7.254 when it accesses 23.54.7.x on the Outside network. When 192.168.45.x accesses any other IP address on the Outside network besides 23.54.6.x and 23.54.7.x, it is dynamically PAT-ed to 203.43.45.32.

NAT Implementation Illustration

For the sake of illustration, assume the following:

Outside network: any IP subnet
DMZ 1 network: 192.168.0.0/24, 192.168.1.0/24
DMZ 2 network: 192.168.2.0/24, 192.168.3.0/24
Inside network: 192.168.32.0/24, 192.168.33.0/24, 192.168.45.0/24

Example 1

access-list nonat permit ip 192.168.32.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.32.0 255.255.255.0
global (outside) 1 203.45.32.84

Description:
When any IP address within 192.168.32.0/24 accesses 192.168.1.0/24, it appears as itself. If 192.168.32.x accesses anything else on the Outside network, dynamic PAT to 203.45.32.84 is used so that it appears on the Outside network with that address.

Further, any machine within 192.168.1.0/24 can access 192.168.32.0/24 directly. In other words, 192.168.32.0/24 appears as itself to 192.168.1.0/24 and vice versa.

192.168.33.x cannot access anything beyond the Inside network. Similarly, 192.168.0.x cannot access anything beyond the DMZ 1 network. Nothing on the Outside or DMZ 2 can access anything on DMZ 1 or the 192.168.33.x Inside network.

Example 2

access-list nonat permit ip 192.168.32.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0
nat (dmz1) 2 192.168.0.0 255.255.255.0
global (dmz2) 1 192.168.2.254
global (outside) 2 204.54.65.231
static (inside,outside) 192.168.32.0 192.168.32.0 netmask 255.255.254.0

Description:
192.168.0.x and 192.168.32.x see each other as themselves. Any IP address within the Inside network (including those that are neither 192.168.32.x nor 192.168.33.x, such as 192.168.45.x, if any) can access 192.168.2.x and 192.168.3.x using the PAT-ed IP address 192.168.2.254. Both 192.168.32.x and 192.168.33.x appear as themselves when accessing the Outside network. Any 192.168.0.x appears as 204.54.65.231 when accessing the Outside network.

Example 3

access-list nonat permit ip 192.168.32.0 255.255.254.0 192.168.0.0 255.255.254.0
access-list nonat permit ip 192.168.45.0 255.255.255.0 192.168.0.0 255.255.254.0
access-list nat1_inside-dmz2 permit ip 192.168.32.0 255.255.254.0 192.168.2.0 255.255.255.0
access-list nat1_inside-dmz2 permit ip 192.168.45.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat2_inside-dmz2 permit ip 192.168.32.0 255.255.254.0 192.168.3.0 255.255.255.0
access-list nat2_inside-dmz2 permit ip 192.168.45.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nat_inside-outside permit ip 192.168.32.0 255.255.254.0 any
access-list nat_inside-outside permit ip 192.168.45.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat1_inside-dmz2
nat (inside) 2 access-list nat2_inside-dmz2
nat (inside) 3 access-list nat_inside-outside
global (dmz2) 1 192.168.2.254
global (dmz2) 2 192.168.3.254
global (outside) 3 204.54.65.231-204.54.65.253
global (outside) 3 204.54.65.254
static (dmz1,outside) 204.54.64.0 192.168.0.0 netmask 255.255.255.0

Description:
192.168.32.x, 192.168.33.x, and 192.168.45.x appear as themselves when they access 192.168.0.x and 192.168.1.x, and vice versa. 192.168.32.x, 192.168.33.x, and 192.168.45.x appear as 192.168.2.254 when they access 192.168.2.x and as 192.168.3.254 when they access 192.168.3.x.

192.168.0.x appear as 204.54.64.x when they access the Outside network. Similarly, the Outside network accesses 204.54.64.x in order to reach 192.168.0.x.

192.168.32.x, 192.168.33.x, and 192.168.45.x on the Inside network appear as any available IP address within the range 204.54.65.231 to 204.54.65.253 when they access the Outside network. Such a range is called a NAT pool: there is a dynamic one-to-one NAT relationship between 192.168.32.x, 192.168.33.x, 192.168.45.x on the Inside network and any available IP address within the pool. When all IP addresses within the NAT pool are used up, 204.54.65.254 is used as a last resort (as dynamic PAT instead of dynamic NAT).

Note:
For illustration, check out the sample configurations using Cisco ASA/PIX Firewall in this Cisco Forum FAQ to better understand what a Cisco firewall implementation looks like.

Traffic Flow Across Security Zones

1. Default Behavior and Ways To Tweak

As firewalls, PIX Firewall and ASA by default expect traffic to flow from one security zone to another. Any routed traffic that comes from one security zone and bounces back to the same security zone (called hair pinning) is denied. Another default behavior is to block traffic flow between security zones with equal security levels.

Regarding traffic flow from one security zone to another, the default behavior is:

* Initiated from a Less-Trusted zone to a More-Trusted zone, traffic is denied
* Initiated from a More-Trusted zone to a Less-Trusted zone, traffic is permitted
* Initiated from one security zone to another with an equal security level, traffic is denied
* Initiated from one security zone and bounced back to it (hair pinning), traffic is denied

To adjust the above default behavior, the following choices apply to PIX Firewall and ASA running OS version 6.3 and later:

* Implement the nat 0 or static command together with an access-group command tied to a specific access-list to allow traffic initiated from a Less-Trusted zone to a More-Trusted zone
* Implement an access-group command tied to a specific access-list to restrict traffic initiated from a More-Trusted zone to a Less-Trusted zone

When the PIX Firewall or ASA runs OS version 7.0 or later, the following choices adjust the various default behaviors:

* Implement the same-security-traffic permit command to allow traffic initiated from one security zone to another with an equal security level. The same command is also used to allow hair-pinning traffic
* Turn the default Layer-3 firewall into a Layer-2 firewall using the firewall transparent command, so that the firewall does not participate in routing
* Split the single physical firewall into multiple virtual firewalls using the mode command, allowing Active/Active or Active/Standby traffic flow with a separate routing table for each virtual firewall

2. Traffic Flow Order of Operation

For traffic flow initiated from a Less-Trusted to a More-Trusted network, here is what Cisco devices including PIX Firewall and ASA expect:

* Incoming traffic hits the IP address as seen in the IP scheme of the Less-Trusted network. If NAT is in place, the incoming traffic hits the NAT-ed IP address.
* The device checks the incoming traffic for a match in the access-list. When there is a match, it stops searching, treats the traffic per the matching rule, and exits. When there is no match, the traffic is denied by default.
* If a static command is in place for the NAT/PAT-ed IP address, the device translates the IP address accordingly and forwards the traffic based on the routing table

Since PIX Firewall and ASA are firewalls, by design they inspect traffic before forwarding it based on the routing table, as mentioned in the earlier discussion. Any traffic that does not pass inspection is dropped and not forwarded.
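To make the inbound order of operation concrete, here is an added Python model of the three steps for a packet arriving on the outside interface: first-match access-list with the implicit deny at the end, then static un-translation, then a route lookup. It is not the FAQ's own material and not Cisco code; the statics, access-list and routes in it are constructed samples modelled on the section 3 and 4 examples, and it reflects the pre-8.3 behaviour described on this page, where the inbound access-list references the NAT-ed (Outside-visible) address rather than the real one.

```python
import ipaddress

# Constructed sample: host statics, expressed as the Outside -> Inside address
# map they create. A subnet static (section 4) expands to one entry per host.
STATICS = {
    "203.43.45.93": "192.168.45.93",   # static (inside,outside) 203.43.45.93 192.168.45.93
    "204.54.64.5": "192.168.0.5",      # one host of static (dmz1,outside) 204.54.64.0 192.168.0.0
}

# Inbound access-list applied on the outside interface; first match wins.
# Entries: (action, protocol, destination network, destination port or None).
# This is the "open only TCP 80 and 443" posture from the section 3 note.
OUTSIDE_ACL = [
    ("permit", "tcp", "203.43.45.93/32", 80),
    ("permit", "tcp", "203.43.45.93/32", 443),
    ("permit", "icmp", "204.54.64.0/24", None),
]

# Routing table (constructed): network -> egress interface.
ROUTES = {
    "192.168.45.0/24": "inside",
    "192.168.0.0/24": "dmz1",
}


def acl_lookup(acl, proto, dst, port):
    """Return the action of the first matching entry, or the implicit deny."""
    for action, a_proto, a_net, a_port in acl:
        if a_proto == proto and dst in ipaddress.ip_network(a_net) and a_port in (None, port):
            return action
    return "deny"


def egress_interface(routes, dst):
    """Longest-prefix route lookup; None when there is no route."""
    best = None
    for net, ifc in routes.items():
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ifc)
    return best[1] if best else None


def inbound_decision(proto, dst_ip, port=None):
    """Order of operations for a packet arriving on the outside interface.

    1. The packet is addressed to the NAT-ed (Outside-visible) address.
    2. The inbound access-list is checked against that NAT-ed address;
       no matching permit means the packet is dropped.
    3. Only then is the static un-translation applied and the real
       destination looked up in the routing table.
    Returns (action, real destination, egress interface).
    """
    dst = ipaddress.ip_address(dst_ip)
    if acl_lookup(OUTSIDE_ACL, proto, dst, port) != "permit":
        return ("drop", None, None)
    real = STATICS.get(dst_ip, dst_ip)          # no static: the address is used as-is
    ifc = egress_interface(ROUTES, ipaddress.ip_address(real))
    if ifc is None:
        return ("drop", real, None)             # permitted by the ACL but unroutable
    return ("forward", real, ifc)
```

A packet to TCP port 22 on 203.43.45.93 is dropped at step 2 even though a static exposes every protocol of that host, which is the point of the section 3 note: the access-list, not the static, is what limits exposure.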

What Is New On ASA (Or PIX OS 7.2 and above) Compared To PIX Firewall Running PIX OS 6.3?

Note:
* The PIX Firewall 500 series only supports PIX OS up to version 8.0(4). The ASA 5500 series supports versions beyond 8.0(4), possibly with a DRAM/Flash upgrade
* There are no known "real" differences between PIX OS 7.x and ASA OS 7.x from a software perspective

For further info, check out the following official Cisco online documentation links for specific OS version features.

Features

Legacy OS 6.3(5)
http://www.cisco.com/en/US/docs/security/pix/pix63/release/notes/pixrn635.html

OS 7.0(1)
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix_70rn.html#wp169795

OS 7.0(4)
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix704rn.html#wp213502

OS 7.0(5)
http://www.cisco.com/en/US/docs/security/pix/pix70/release/notes/pix705rn.html#wp213502

OS 7.2(1)
http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn72.html#wp185529

OS 7.2(2)
http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn722.html#wp191103

OS 7.2(3)
http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn723.html#wp213761

OS 8.0
http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn80.html#wp191103

OS 8.0(3)
http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/prn803.html#wp191103

OS 8.0(4)
http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn804.html#wp191103

OS 8.1
http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn81.html#wp229690

Enable/Disable Communication on OS 7.0 image and newer

1. Troubleshooting on OS 7.0 image and newer

Establish and Troubleshoot Connectivity through PIX/ASA
Packet/Traffic Troubleshooting

2. Sample Configuration on OS 7.0 image and newer

ASA/PIX EIGRP Routing Support

Backup/Failover Routing

Single Firewall Partitioned Into Multiple Independent Firewalls: Introduction to Multiple Context

Active/Active PIX/ASA Stateful Redundancy

Active/Standby PIX/ASA Stateful Redundancy

Transparent (Layer-2) Firewall

QoS

ASA As SSL Server
SSL VPN Client (SVC) on ASA with ASDM Configuration Example
Clientless SSL VPN (WebVPN) on ASA Configuration Example
Thin-Client SSL VPN (WebVPN) on ASA with ASDM Configuration Example

Block or Restrict the Instant Messaging (IM) Traffic

URL Filtering

New Features and Deprecated Commands Starting OS version 8.3

You may notice that PIX Firewall appliances are unable to run the latest OS versions. The PIX 501 can only run up to OS version 6.3(5), while the PIX 515E and larger appliances can only run up to OS version 8.0. You need an ASA 5500 series appliance to run OS versions newer than 8.0.

Cisco ASA 5500 Migration Guide for Version 8.3

Discussion of OS version 9.1
»ASA 5520 Fan Question

Licenses

For those eager to get their hands on an ASA or PIX Firewall, the license factor needs to be considered. With either ASA or PIX Firewall, you should get the one with Unlimited Inside Hosts instead of 10 or 50 Inside Hosts. For PIX Firewall, one with an Unrestricted license has more features than one with a Restricted license, while one with the Failover license can only work as the backup firewall of an Unrestricted-license unit. For ASA, one with a Security Plus license similarly supports more features. Both the Inside Hosts count and the license type a firewall carries can be verified with show version.

Upgrading from a lower license to a higher one may cost you dearly, to the point where a new firewall with the higher license may cost less than upgrading your existing firewall.

You can check out the following discussion for some illustration.
»[HELP] Upgrade ASA 5505 License



Thanks to http://www.dslreports.com/faq/15531

NAT Control

The firewall has always been a device that supports, and even requires, NAT for maximum flexibility and security. NAT control is available as a capability in the new software release on the Security Appliance.
NAT control dictates to the firewall whether address translation rules are required for outside communications and ensures that the address translation behavior is the same as in versions earlier than 7.0.
The NAT control feature works as follows:
  • When NAT control is disabled, the firewall forwards all packets from a higher-security (such as Inside) interface to a lower-security (such as Outside) interface without a NAT rule being configured. Traffic from a lower-security interface to a higher-security interface only requires that it be permitted in the access lists; no NAT rule is required in this mode.
  • When NAT control is enabled, NAT is required (the NAT rule is compulsory). Packets initiated from a higher security-level interface (such as Inside) to a lower security-level interface (such as Outside) must match a NAT rule (a nat command with a corresponding global, or a static command), or else processing for the packet stops. Traffic from a lower-security interface to a higher-security interface also requires a NAT rule and must be permitted in the access lists to be forwarded through the firewall.

    Example NO NAT with NAT control enable:
             static (Higher security-level IF, Lower security-level IF) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
The default configuration is no nat-control (NAT control disabled). With version 7.0 and later, this behavior can be changed as required.
To enable NAT control, use the nat-control command in the global configuration mode, as shown next:
hostname(config)# nat-control

Note
The nat-control command is available in routed firewall mode and in single and multiple security context modes.

When nat-control is enabled, each Inside address must have a corresponding Inside NAT rule. Similarly, if Outside dynamic NAT is enabled on an interface, each Outside address must have a corresponding Outside NAT rule before communication is allowed through the Security Appliance.
By default, NAT control is disabled (no nat-control). The no nat-control command allows Inside hosts to communicate with outside networks without the need to configure a NAT rule. In essence, with NAT control disabled, the Security Appliance does not require an address translation for any packet. To disable NAT control globally, use the no nat-control command in global configuration mode:
hostname(config)# no nat-control

The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires the traffic to be initiated from the higher-level interface. The no nat-control command has no such requirement, nor does it require a static command to allow communication from the lower-level interface (from Outside to Inside); it relies only on access policies, for example permitting the traffic in an ACL and having corresponding route entries.
To summarize, for traffic traversing from a
More Secure to a Less Secure interface
  • Is designated as outbound traffic.
  • The firewall will allow all IP-based traffic unless restricted by access lists, authentication, or authorization.
  • One or more of the following commands are required:
    - nat, nat 0, global, static
Less Secure to a More Secure interface
  • Is designated as inbound traffic.
  • Outside to Inside connections.
  • Inbound permission is required.
  • The firewall will drop all packets unless specifically allowed in the access-list that is applied on the arriving interface. Further restrictions apply if authentication and authorization are used.
  • One or more of the following commands are required:
    - nat 0 with ACL, static, and an inbound access-list on the ingress interface.
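Example 6.1 (policy NAT with a dynamic PAT fallback) and the nat-control summary above describe the same decision: which rule, if any, an inside-initiated packet matches, and what happens when none does. The Python below is an added model of that decision, not the FAQ's material and not Cisco code. It assumes the documented pre-8.3 precedence of NAT exemption, then static (policy) NAT, then dynamic NAT/PAT, and treats nat-control as the tie-breaker when nothing matches; NatConfig, outbound_source and the sample configurations are my names and constructed data, with Example 6.1 and Example 5.1 from the page encoded as data.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NatConfig:
    """Cut-down model of pre-8.3 NAT between the inside and outside interfaces."""
    nat_control: bool = False
    # nat (inside) 0 access-list <acl>: (src_net, dst_net) permit entries
    nat0_acl: list = field(default_factory=list)
    # static (inside,outside) <mapped_ip> access-list <acl>: (mapped_ip, [(src_net, dst_net), ...])
    policy_statics: list = field(default_factory=list)
    # nat (inside) <id> <net> <mask>: (nat_id, src_net); "0.0.0.0 0.0.0.0" is "0.0.0.0/0"
    nat_rules: list = field(default_factory=list)
    # global (outside) <id> <pat_ip>: nat_id -> PAT address
    pat_globals: dict = field(default_factory=dict)


def acl_permits(acl, src, dst):
    """First match: the first entry whose source and destination networks contain the packet wins."""
    for src_net, dst_net in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return True
    return False


def outbound_source(cfg, src_ip, dst_ip):
    """Decide how an inside-initiated packet leaves the outside interface.

    Returns (action, source address as seen on the outside, matching rule).
    Precedence (assumed, see lead-in): NAT exemption, then static policy
    NAT, then dynamic NAT/PAT. When nothing matches, nat-control decides.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if acl_permits(cfg.nat0_acl, src, dst):
        return ("forward", src_ip, "nat 0 exemption")
    for mapped_ip, acl in cfg.policy_statics:
        if acl_permits(acl, src, dst):
            return ("forward", mapped_ip, f"static policy NAT to {mapped_ip}")
    for nat_id, src_net in cfg.nat_rules:
        if src in ipaddress.ip_network(src_net) and nat_id in cfg.pat_globals:
            return ("forward", cfg.pat_globals[nat_id], f"dynamic PAT via nat/global id {nat_id}")
    if cfg.nat_control:
        return ("drop", None, "nat-control enabled and no NAT rule matched")
    return ("forward", src_ip, "no nat-control: forwarded untranslated")


# Example 6.1 from the FAQ, as data.
EXAMPLE_6_1 = NatConfig(
    policy_statics=[
        ("23.54.6.254", [("192.168.45.0/24", "23.54.6.0/24")]),
        ("23.54.7.254", [("192.168.45.0/24", "23.54.7.0/24")]),
    ],
    nat_rules=[(1, "0.0.0.0/0")],
    pat_globals={1: "203.43.45.32"},
)

# Example 5.1 (NAT exemption) with nat-control enabled: exempted flows pass,
# anything else is dropped because no nat/global or static covers it.
EXAMPLE_5_1_NAT_CONTROL = NatConfig(
    nat_control=True,
    nat0_acl=[("192.168.45.0/24", "192.168.1.0/24")],
)
```

The same packet against NatConfig() with nat-control left at its default is forwarded untranslated, which is the no nat-control behaviour the summary describes.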

NAT Overview

The table below shows where NAT performs the translation in each flow: local-to-global for Inside-to-Outside and global-to-local for Outside-to-Inside. The other steps are the same; only the position of the NAT step differs.

Inside-to-Outside
  • If IPSec then check input access list
  • decryption - for CET (Cisco Encryption Technology) or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • policy routing
  • routing
  • NAT inside to outside (local to global translation)
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect (Context-based Access Control (CBAC))
  • TCP intercept
  • encryption
  • Queueing

Outside-to-Inside
  • If IPSec then check input access list
  • decryption - for CET or IPSec
  • check input access list
  • check input rate limits
  • input accounting
  • redirect to web cache
  • NAT outside to inside (global to local translation)
  • policy routing
  • routing
  • crypto (check map and mark for encryption)
  • check output access list
  • inspect CBAC
  • TCP intercept
  • encryption
  • Queueing

642-637 SECURE v1.0 Exam Topics (Blueprint)

Exam Description

The 642-637 Secure v1.0 Securing Networks with Cisco Routers and Switches exam is associated with the CCSP, and CCNP Security certifications. This exam tests a candidate's knowledge and skills needed to secure Cisco IOS Software router and switch-based networks, and provide security services based on Cisco IOS Software. Candidates can prepare for this exam by taking the Securing Networks with Cisco Routers and Switches course.


Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.


Pre-Production Design

Choose Cisco IOS technologies to implement HLD

Choose Cisco products to implement HLD

Choose Cisco IOS features to implement HLD 2
Integrate Cisco network security solutions with other security technologies
Create and test initial Cisco IOS configurations for new devices/services

Complex Operations Support



Optimize Cisco IOS security infrastructure device performance
Create complex network security rules to meet the security policy requirements
Optimize security functions, rules, and configuration
Configure & verify NAT to dynamically mitigate identified threats to the network
Configure & verify IOS Zone Based Firewalls including advanced application inspections and URL filtering
Configure & verify the IPS features to identify threats and dynamically block them from entering the network
Maintain, update and tune IPS signatures
Configure & verify IOS VPN features
Configure & verify Layer 2 and Layer 3 security features


Advanced Troubleshooting

Advanced Cisco IOS security software configuration fault finding and repairing
Advanced Cisco routers and switches hardware fault finding and repairing

642-617 Deploying Cisco ASA Firewall Solutions Exam Topics (Blueprint)

Exam Description

The 642-617 Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0) exam is associated with the CCSP, CCNP Security and Cisco Firewall Specialist certifications. This exam tests a candidate's knowledge and skills needed to implement and maintain Cisco ASA-based perimeter solutions. Successful graduates will be able to reduce risk to the IT infrastructure and applications using Cisco ASA features, and provide detailed operations support for the Cisco ASA. Candidates can prepare for this exam by taking the Deploying Cisco ASA Firewall Solutions course.


Exam Topics

The following information provides general guidelines for the content likely to be included on the exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes the guidelines below may change at any time without notice.


Pre-Production Design

Choose ASA Perimeter Security technologies/features to implement HLD based on given security requirements
Choose the correct ASA model to implement HLD based on given performance requirements
Create and test initial ASA appliance configurations using CLI
Determine which ASA licenses will be required based on given requirements

Complex Operations Support

Optimize ASA Perimeter Security features performance, functions, and configurations

Create complex ASA security perimeter policies such as ACLs, NAT/PAT, L3/L4/L7 stateful inspections, QoS policies, cut-thru proxy, threat detection, botnet detection/filter using CLI and/or ASDM

Perform initial setup on the AIP-SSM and CSC-SSM using CLI and/or ASDM

Configure, verify and troubleshoot High Availability ASAs (A/S and A/A FO) operations using CLI and/or ASDM

Configure, verify and troubleshoot static routing and dynamic routing protocols on the ASA using CLI and/or ASDM

Configure, verify and troubleshoot ASA transparent firewall operations using CLI

Configure, verify and troubleshoot management access/protocols on the ASA using CLI and/or ASDM

Describe Advanced Troubleshooting

Advanced ASA security perimeter configuration/software/hardware troubleshooting using CLI and/or ASDM fault finding and repairing

ASA packet-tracer

Use the packet-tracer option.

From previous sections, the ASA administrator has learned enough information to use the packet-tracer option in the ASA.

Note: The ASA supports the packet-tracer command starting in version 7.2.

ciscoasa#packet-tracer input inside tcp 192.168.1.50 1025 172.22.1.1 http

!- This line indicates a source port of 1025. If the source
!- port is not known, any number can be used.
!- More common source ports typically range
!- between 1025 and 65535.

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.22.1.0 255.255.255.0 outside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq www
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (172.22.1.254)
translate_hits = 6, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.1.50/1025 to 172.22.1.254/1028
using netmask 255.255.255.255

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (172.22.1.254)
translate_hits = 6, untranslate_hits = 0
Additional Information:

Phase: 10
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 94, packet dispatched to next module

Phase: 15
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 172.22.1.1 using egress ifc outside
adjacency Active
next-hop mac address 0030.a377.f854 hits 11

!- The MAC address is at Layer 2 of the OSI model.
!- This tells the administrator the next host
!- that should receive the data packet.


Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

The most important output of the packet-tracer command is the last line, which is Action: allow.

The three options in Step 3 each show the administrator that the ASA is not responsible for the application X issues. The application X traffic leaves the ASA and the ASA does not receive a reply from the application X server.
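When packet-tracer output is long, what matters is the final Action and, on a drop, the first phase that returned DROP together with the configuration line it cites. The Python below is an added example, not from the FAQ and not Cisco code: a parser for the phase layout shown above, exercised on a constructed run for a denied flow. The DROP run, its access-list and its Drop-reason line are my sample shaped like the allow run above, not a capture from a device.

```python
# Constructed packet-tracer output for a denied flow, in the same phase
# layout as the allow run on this page (not captured from a real device).
SAMPLE_DROP = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.22.1.0 255.255.255.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_acl in interface inside
access-list inside_acl extended deny tcp any any eq telnet
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase records and the final Result block."""
    phases, final = [], {}
    current, section, in_final = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section, in_final = None, False
        elif line == "Result:":                 # a bare "Result:" opens the summary block
            in_final, current = True, None
        elif in_final:
            if ":" in line:
                key, value = line.split(":", 1)
                final[key.strip()] = value.strip()
        elif current is not None:
            if line.startswith(("Type:", "Subtype:", "Result:")):
                key, value = line.split(":", 1)
                current[key.lower()] = value.strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif line and section:
                current[section].append(line)
    return phases, final


def verdict(text):
    """The final Action plus, on a drop, the first phase that returned DROP and
    the config lines (ACL, NAT rule, route) that produced it."""
    phases, final = parse_packet_tracer(text)
    blocker = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "action": final.get("Action"),
        "drop_reason": final.get("Drop-reason"),
        "blocking_phase": None if blocker is None else
            (blocker["phase"], blocker["type"], blocker["config"]),
        "phases": [(p["phase"], p["type"], p["result"]) for p in phases],
    }
```

Running verdict() over the allow run shown above yields Action allow and no blocking phase; over the constructed drop run it points straight at phase 3 and the deny entry in inside_acl.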

Pix ASA Debug icmp

Debug

The debug icmp trace command is used to capture the user's ICMP traffic.

ciscoasa#debug icmp trace

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed on the console.

ciscoasa#

!- Output is suppressed.

ICMP echo request from 192.168.1.50 to 192.168.1.1 ID=512 seq=5120 len=32
ICMP echo reply from 192.168.1.1 to 192.168.1.50 ID=512 seq=5120 len=32

!- The user IP address is 192.168.1.50.

In order to disable debug icmp trace, use one of these commands:

no debug icmp trace

undebug icmp trace

undebug all, Undebug all, or un all

Each of these three options helps the administrator determine the source IP address. In this example, the source IP address of the user is 192.168.1.50. The administrator is now ready to learn more about application X and determine the cause of the problem.

ASA Capture Feature


The administrator needs to create an access-list that defines which traffic the ASA captures. Once the access-list is defined, the capture command references it and applies it to an interface.

ciscoasa(config)#access-list inside_test permit icmp any host 192.168.1.1
ciscoasa(config)#capture inside_interface access-list inside_test interface inside

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed.

ciscoasa#show capture inside_interface
1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: icmp: echo request

!- The user IP address is 192.168.1.50.

Note: To download the capture file to a system running a tool such as Ethereal, use the link format shown in this output.


!- Open Internet Explorer and browse to this https link format:

https://[ (pix_ip) / (asa_ip) ]/capture/(capture name)/pcap

Refer to ASA/PIX: Packet Capturing using CLI and ASDM Configuration Example in order to know more about Packet Capturing in ASA.

Pix ASA Basic Syslog logging

Basic Syslog

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Use these commands to enable logging, view logs, and view configuration settings.

logging enable—Enables the transmission of syslog messages to all output locations.

no logging enable—Disables logging to all output locations.

show logging—Lists the contents of the syslog buffer and the current logging configuration.

The PIX can send syslog messages to various destinations. Use the commands in these sections to specify where messages should be sent:
Internal Buffer

logging buffered severity_level

External software or hardware is not required when you store the syslog messages in the PIX internal buffer. Use show logging to view the stored messages.
Syslog Message Server

logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]

logging trap severity_level

logging facility number

A server running a syslog application is required to send syslog messages to an external host. The PIX sends syslog on UDP port 514 by default.
E-mail Address

logging mail severity_level

logging recipient-address email_address

logging from-address email_address

smtp-server ip_address

An SMTP server is required to send syslog messages by e-mail. The SMTP server must be configured correctly so that e-mails can be relayed from the PIX to the specified e-mail client.
Console

logging console severity_level

Console logging displays syslog messages on the PIX console (tty) as they occur. Use this command when debugging problems or when the network load is minimal. Do not use it when the network is busy, as it can degrade performance.
Telnet/SSH Session

logging monitor severity_level

terminal monitor

Logging monitor enables syslog messages to display as they occur when you access the PIX console with Telnet or SSH.
ASDM

logging asdm severity_level

ASDM also has a buffer that can be used to store syslog messages. Use the show logging asdm command in order to display the content of the ASDM syslog buffer.
SNMP Management Station

logging history severity_level

snmp-server host [if_name] ip_addr

snmp-server location text

snmp-server contact text

snmp-server community key

snmp-server enable traps

Users need an existing functional Simple Network Management Protocol (SNMP) environment in order to send syslog messages using SNMP.

Refer to Commands for Setting and Managing Output Destinations for a complete reference on the commands you can use to set and manage output destinations.

Refer to Messages Listed by Severity Level for messages listed by severity level.
Example 1

This output shows a sample configuration for logging to the internal buffer (logging buffered) with the severity level of debugging.

logging enable

logging buffered debugging

This is sample output.

%PIX|ASA-6-308001: console enable password incorrect for number tries (from 10.1.1.15)
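The severity digit embedded in every message is what logging trap, logging buffered and the other destination commands filter on, and the message id is what a monitoring system keys on. The Python below is an added example, not part of this page or of Cisco's documentation: it parses messages in the %PIX|ASA-severity-id format shown above, applies a severity threshold the way a destination's severity_level does, and counts repeated 308001 (console enable password incorrect) messages per source address so that a run of failures from one host stands out. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample messages in the PIX/ASA syslog format (not captured from a real device).
SAMPLE_LOG = """\
%ASA-6-308001: console enable password incorrect for 3 tries (from 10.1.1.15)
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51000 (203.0.113.5/51000) to inside:10.1.1.20/443 (192.0.2.10/443)
%ASA-6-308001: console enable password incorrect for 3 tries (from 10.1.1.15)
%ASA-4-106023: Deny tcp src outside:203.0.113.7/40000 dst inside:10.1.1.20/22 by access-group "outside_access_in"
%ASA-6-308001: console enable password incorrect for 3 tries (from 10.1.1.99)
%ASA-6-308001: console enable password incorrect for 3 tries (from 10.1.1.15)
"""

# Syslog severity levels as the ASA names them (0 is most severe).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# %PIX|ASA-<severity>-<6-digit message id>: <text>; the docs write the platform as "PIX|ASA".
MSG_RE = re.compile(r"^%(?P<platform>PIX\|ASA|PIX|ASA)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
SRC_RE = re.compile(r"\(from (\d+\.\d+\.\d+\.\d+)\)")


def parse_line(line):
    """Return a dict for one syslog message, or None if the line is not in PIX/ASA format."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"platform": m.group("platform"), "severity": sev,
            "severity_name": SEVERITY_NAMES[sev], "msgid": m.group("msgid"),
            "text": m.group("text")}


def parse_log(text):
    """Parse every recognisable line, skipping anything that is not a PIX/ASA message."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def at_or_above(records, level):
    """Mirror 'logging <dest> <severity_level>': keep messages at that level or more severe (lower number)."""
    return [r for r in records if r["severity"] <= level]


def enable_failures_by_source(records, threshold=2):
    """Count 308001 messages per source address and return the sources at or above the threshold."""
    counts = Counter()
    for r in records:
        if r["msgid"] == "308001":
            m = SRC_RE.search(r["text"])
            if m:
                counts[m.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "messages parsed;", len(at_or_above(recs, 4)), "at warnings or above")
    print("repeated enable failures:", enable_failures_by_source(recs))
```

Because 308001 is only informational (level 6), a destination configured with logging trap warnings would never receive it; the parser's severity filter makes that visible before the threshold is chosen.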

Steps to configure a simple site-to-site IKE/IPSec connection with examples:

ciscoasa(config)# vpnsetup site-to-site steps

Steps to configure a simple site-to-site IKE/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha

3. Configure transform-set

crypto ipsec transform-set myset esp-3des esp-sha-hmac

4. Configure ACL

access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

5. Configure Tunnel group

tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface

crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.20.20.1
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside

7. Enable isakmp on interface

crypto isakmp enable outside
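One thing the seven steps leave implicit is that, for an IKEv1 site-to-site tunnel authenticated with a pre-shared key, the ASA looks the key up in the tunnel-group whose name is the peer address, so the set peer address and the tunnel-group name must agree, and every name the crypto map references (ACL, transform set, interface) must actually be defined and ISAKMP enabled where the map is applied. The Python below is an added example, not from this page or from Cisco, that cross-checks those references in a pasted config. The sample config is constructed from the steps above with the crypto map peer changed to 10.20.20.2 so the check has something to report.

```python
# Constructed from the seven site-to-site steps; the crypto map peer is deliberately 10.20.20.2
# while the tunnel-group is 10.20.20.1, so the reference check below reports a mismatch.
SITE_TO_SITE_CFG = """\
interface GigabitEthernet0/0
 ip address 10.10.4.200 255.255.255.0
 nameif outside
 no shutdown
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
crypto ipsec transform-set myset esp-3des esp-sha-hmac
access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
 pre-shared-key P@rtn3rNetw0rk
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.20.20.2
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto isakmp enable outside
"""


def lint_site_to_site(cfg):
    """Cross-check the references in an IKEv1 site-to-site config; returns a list of findings (empty = consistent)."""
    transform_sets, acls, l2l_groups, psk_groups, isakmp_ifs = set(), set(), set(), set(), set()
    map_entries, map_ifs, current_tg = {}, [], None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets.add(t[3])
        elif t[0] == "access-list":
            acls.add(t[1])
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            l2l_groups.add(t[1])
        elif t[0] == "tunnel-group" and t[2] == "ipsec-attributes":
            current_tg = t[1]            # the indented lines that follow belong to this group
        elif t[0] == "pre-shared-key" and current_tg:
            psk_groups.add(current_tg)
        elif t[:3] == ["crypto", "isakmp", "enable"]:
            isakmp_ifs.add(t[3])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            map_ifs.append((t[2], t[4]))
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = map_entries.setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["transform_set"] = t[6]

    findings = []
    for (name, seq), e in sorted(map_entries.items()):
        where = f"crypto map {name} {seq}"
        peer = e.get("peer")
        if peer is None:
            findings.append(f"{where}: no peer set")
        elif peer not in l2l_groups:
            # IKEv1 L2L with PSK: the key is looked up in the tunnel-group named after the peer address.
            findings.append(f"{where}: peer {peer} has no 'tunnel-group {peer} type ipsec-l2l'")
        elif peer not in psk_groups:
            findings.append(f"{where}: tunnel-group {peer} has no pre-shared-key")
        if e.get("transform_set") not in transform_sets:
            findings.append(f"{where}: transform-set {e.get('transform_set')} is not defined")
        if e.get("acl") not in acls:
            findings.append(f"{where}: match address {e.get('acl')} is not defined")
    for name, ifname in map_ifs:
        if ifname not in isakmp_ifs:
            findings.append(f"crypto map {name} is applied to {ifname} but 'crypto isakmp enable {ifname}' is missing")
    return findings


if __name__ == "__main__":
    for finding in lint_site_to_site(SITE_TO_SITE_CFG) or ["no findings"]:
        print(finding)
```

Run as-is it reports the peer/tunnel-group mismatch; change the peer back to 10.20.20.1 and it returns no findings. The check is deliberately limited to what the seven steps configure (one crypto map, PSK authentication), so it will not understand certificate-based tunnel-groups or IKEv2 keywords.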

Steps to configure a simple remote access IKE/IPSec connection with examples:

ciscoasa(config)# vpnsetup ipsec-remote-access steps

Steps to configure a simple remote access IKE/IPSec connection with examples:

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 10.10.4.200 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.0.20 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha

3. Setup an address pool

ip local pool client-pool 192.168.1.1-192.168.1.254

4. Configure authentication method

aaa-server MyRadius protocol radius
aaa-server MyRadius host 192.168.0.254
key $ecretK3y

5. Define tunnel group

tunnel-group client type remote-access
tunnel-group client general-attributes
address-pool client-pool
authentication-server-group MyRadius
tunnel-group client ipsec-attributes
pre-shared-key VpnUs3rsP@ss

6. Setup ipsec parameters

crypto ipsec transform-set myset esp-3des esp-sha-hmac

7. Setup dynamic crypto map

crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route

8. Create crypto map entry and associate dynamic map with it

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

9. Attach crypto map to interface

crypto map mymap interface outside

10. Enable isakmp on interface

crypto isakmp enable outside

PIX/ASA basic must-have commands

terminal monitor

terminal page 0

ASA Pre-8.3 to 8.3 NAT configuration examples

Static NAT/PAT

Regular Static NAT

Pre-8.3 NAT:
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.1.6
   host 10.1.1.6
   nat (inside,outside) static 192.168.100.100

Regular Static PAT

Pre-8.3 NAT:
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.1.16
   host 10.1.1.16
   nat (inside,outside) static 192.168.100.100 service tcp 8080 www

Static Policy NAT

Pre-8.3 NAT:
access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1

8.3 NAT:
object network obj-10.1.2.27
   host 10.1.2.27
object network obj-192.168.100.100
   host 192.168.100.100
object network obj-10.76.5.0
   subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 destination static obj-10.76.5.0 obj-10.76.5.0


Regular Dynamic PAT-1

Pre-8.3 NAT:
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100

8.3 NAT:
object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0
   nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0
   nat (dmz,outside) dynamic 192.168.100.100

Regular Dynamic PAT-2

Pre-8.3 NAT:
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1

8.3 NAT:
object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.2.0-01
   subnet 10.1.2.0 255.255.255.0
   nat (inside,dmz) dynamic 192.168.1.1

Regular Dynamic PAT-3

Pre-8.3 NAT:
nat (inside) 1 0 0
global (outside) 1 interface

8.3 NAT:
object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

Dynamic Policy NAT

Pre-8.3 NAT:
object-group network og-net-src
   network-object 192.168.1.0 255.255.255.0
   network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
   network-object 192.168.200.0 255.255.255.0
object-group service og-ser-src
   service-object tcp gt 2000
   service-object tcp eq 1500
access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst
nat (inside) 10 access-list NET6
global (outside) 10 192.168.100.100

8.3 NAT:
object network obj-192.168.100.100
   host 192.168.100.100
object service obj-tcp-range-2001-65535
   service tcp destination range 2001 65535
object service obj-tcp-eq-1500
   service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-range-2001-65535 obj-tcp-range-2001-65535
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)

Pre-8.3 NAT:
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.4.0 255.255.255.0
nat (inside) 1 access-list ACL_NAT
global (outside) 1 192.168.100.100

8.3 NAT:
object network obj-172.29.0.0
   subnet 172.29.0.0 255.255.0.0
object network obj-192.168.100.100
   host 192.168.100.100
object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
   subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
   subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
   subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT

Pre-8.3 NAT:
global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.2.27
   host 10.1.2.27
   nat (inside,dmz) static 10.1.1.5
object network obj-10.1.2.30-10.1.2.40
   range 10.1.2.30 10.1.2.40
object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0
   nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40

NAT & Interface PAT together

Pre-8.3 NAT:
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.100.100-192.168.100.200

8.3 NAT:
object network obj-192.168.100.100_192.168.100.200
   range 192.168.100.100 192.168.100.200
object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together

Pre-8.3 NAT:
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 192.168.100.100-192.168.100.200
global (outside) 1 interface
global (outside) 1 192.168.100.210

8.3 NAT:
object network obj-192.168.100.100_192.168.100.200
   range 192.168.100.100 192.168.100.200
object network second-pat
   host 192.168.100.210
object-group network dynamic-nat-pat
   network-object object obj-192.168.100.100_192.168.100.200
   network-object object second-pat
object network obj-10.0.0.0
   subnet 10.0.0.0 255.0.0.0
   nat (inside,outside) dynamic dynamic-nat-pat interface

Static NAT for a Range of Ports

           (in)    (out)
10.1.1.1-------ASA-----
        --xlate-------> 10.2.2.2
Original ports: 10000 - 10010
Translated ports: 20000 - 20010

Pre-8.3 NAT:
Not possible - you need to write multiple static statements or perform a static one-to-one NAT.

8.3 NAT:
object service ports
   service tcp source range 10000 10010
object service ports-xlate
   service tcp source range 20000 20010
object network server
   host 10.1.1.1
object network server-xlate
   host 10.2.2.2
nat (inside,outside) source static server server-xlate service ports ports-xlate
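For the regular (non-policy) rows the table's mapping is mechanical: the real address becomes a network object named after it, the old mapped address becomes the argument of an object-level nat command, and every nat/global pair sharing an id becomes one object. The Python below is an added example, not this page's or Cisco's, that performs exactly that translation for regular static NAT, static PAT and dynamic PAT (policy NAT, twice NAT and address ranges are left out on purpose and rejected). The object names (obj-<real address>, a -01 suffix for a second object on the same network, obj_any) follow the table; the port-name dictionary reflects how the ASA displays well-known ports; the inputs are the table's own rows plus one constructed subnet case.

```python
from collections import defaultdict

# The ASA shows well-known ports by name, which is why tcp/80 appears as "www" in the table above.
PORT_NAMES = {"80": "www", "443": "https", "22": "ssh", "23": "telnet", "25": "smtp"}


def _ifaces(token):
    """'(inside,outside)' -> ['inside', 'outside']; '(inside)' -> ['inside']."""
    return token.strip("()").split(",")


def convert_static(line):
    """Pre-8.3 'static (real_if,mapped_if) ...' (regular static NAT or static PAT) -> 8.3 object NAT lines."""
    t = line.split()
    if t[0] != "static" or "access-list" in t:
        raise ValueError("only regular static NAT/PAT is handled (policy NAT needs twice NAT): " + line)
    real_if, mapped_if = _ifaces(t[1])
    if t[2] in ("tcp", "udp"):
        # static (r,m) proto mapped_ip mapped_port real_ip real_port netmask 255.255.255.255
        proto, mapped, mport, real, rport = t[2:7]
        netmask = "255.255.255.255"
        # 8.3 order is: service <proto> <real_port> <mapped_port>
        nat = (f"   nat ({real_if},{mapped_if}) static {mapped} service {proto} "
               f"{PORT_NAMES.get(rport, rport)} {PORT_NAMES.get(mport, mport)}")
    else:
        # static (r,m) mapped_ip real_ip netmask <mask>
        mapped, real = t[2], t[3]
        netmask = t[t.index("netmask") + 1]
        nat = f"   nat ({real_if},{mapped_if}) static {mapped}"
    member = f"   host {real}" if netmask == "255.255.255.255" else f"   subnet {real} {netmask}"
    return [f"object network obj-{real}", member, nat]


def convert_dynamic(lines):
    """Pre-8.3 'nat (real_if) id net mask' + 'global (mapped_if) id pat_ip|interface' -> 8.3 object NAT lines.

    Sources and globals are matched on the NAT id; each (source, global) pair becomes one object, and a
    second object for the same network gets the '-01' suffix the table uses."""
    sources, globals_ = defaultdict(list), defaultdict(list)
    for line in lines:
        t = line.split()
        if t[0] == "nat" and "access-list" not in t:
            net, mask = t[3], t[4]
            if (net, mask) == ("0", "0"):            # 'nat (inside) 1 0 0' is shorthand for any source
                net, mask = "0.0.0.0", "0.0.0.0"
            sources[t[2]].append((_ifaces(t[1])[0], net, mask))
        elif t[0] == "global":
            if "-" in t[3]:
                raise ValueError("an address range needs a range object, not handled here: " + line)
            globals_[t[2]].append((_ifaces(t[1])[0], t[3]))
    out = []
    for nat_id, srcs in sources.items():
        for real_if, net, mask in srcs:
            for n, (mapped_if, mapped) in enumerate(globals_[nat_id]):
                name = "obj_any" if net == "0.0.0.0" else f"obj-{net}" + (f"-{n:02d}" if n else "")
                out += [f"object network {name}",
                        f"   subnet {net} {mask}",
                        f"   nat ({real_if},{mapped_if}) dynamic {mapped}"]
    return out


if __name__ == "__main__":
    # Rows taken from the table above, plus one constructed /24 static case.
    for row in ("static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255",
                "static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255",
                "static (inside,outside) 192.168.100.0 10.1.1.0 netmask 255.255.255.0"):
        print("\n".join(convert_static(row)))
    print("\n".join(convert_dynamic(["nat (inside) 1 10.1.2.0 255.255.255.0",
                                     "global (outside) 1 192.168.100.100",
                                     "global (dmz) 1 192.168.1.1"])))
```

The converter refuses anything it cannot translate faithfully rather than guessing, which is the behaviour you want when feeding the output back into a firewall: a silently wrong NAT rule is a reachability or exposure problem, not a syntax error.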