CCNA Security – ASA 5505
1, Reset to factory defaults:
enable
configure terminal
configure factory-default
reload save-config noconfirm
2, Minimal configuration
a, Configure hostname ‘ASA01’
configure terminal
hostname ASA01
b, Set password ‘cisco’
enable password cisco
c, Configure SSH
! create user ‘root’ with password ‘toor’
username root password toor
aaa authentication ssh console LOCAL
! generate RSA key pair
crypto key generate rsa modulus 1024
! enable 192.168.10.2 to use ssh on ASA
ssh 192.168.10.2 255.255.255.255 inside
d, Configure interfaces
Each interface has a security level between 0 and 100. By default, traffic is permitted only from a higher security level to a lower one. An ACL applied to an interface can deny traffic from a higher to a lower security level, and can permit traffic from a lower to a higher security level.
interface vlan 100
nameif outside
security-level 0
ip address 172.16.10.1 255.255.255.0
no shutdown
exit
interface vlan 200
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
no shutdown
exit
interface vlan 300
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
no shutdown
exit
interface e0/0
switchport access vlan 100
no shutdown
exit
interface e0/1
switchport access vlan 200
no shutdown
exit
interface e0/2
switchport access vlan 300
no shutdown
exit
On models above the 5505 (routed interfaces instead of switch ports and VLANs), use this syntax:
interface g0/0
nameif outside
security-level 0
ip address 172.16.10.1 255.255.255.0
no shutdown
exit
e, Configure default route
! default route toward 172.16.10.2, the f0/0 interface of router R2
route outside 0.0.0.0 0.0.0.0 172.16.10.2
If the outside interface gets the IP address through DHCP, then the syntax is:
ip address dhcp setroute
In this case setroute installs the default gateway received from the DHCP server as the default route.
Hint: Configure the routers and test the connectivity with: telnet <IP_address>
3, Configure NAT
Detailed description can be found here.
a, Static Object NAT
Let us say that R3 is a web server with IP address 10.1.1.2. NAT will make it accessible from outside as 172.16.10.3.
object network WEB_SERVER
host 10.1.1.2
nat (dmz,outside) static 172.16.10.3
In this case an ACL is also necessary, because the traffic enters on outside (level 0) and is destined for dmz (level 50), i.e. it flows from a lower to a higher security level. Note that the ACL references the real address (object WEB_SERVER), not the mapped one.
access-list OUTSIDE_ACCESS extended permit tcp any object WEB_SERVER eq www
access-group OUTSIDE_ACCESS in interface outside
‘Public Server’ option in ASDM can do all these things in one step.
b, Static Object NAT with port translation
This is similar to the previous one, but the web server in the DMZ listens on port 8080, which should be reachable as port 80 from outside.
object network WEB_SERVER
host 10.1.1.2
nat (dmz,outside) static 172.16.10.3 service tcp 8080 www
It is possible to map another port of the same mapped IP address to a different server. 10.1.1.3 is an FTP server:
! a separate object is needed; redefining WEB_SERVER would overwrite its host address
object network FTP_SERVER
host 10.1.1.3
nat (dmz,outside) static 172.16.10.3 service tcp ftp ftp
c, Dynamic NAT
Translates the inside subnet into the 172.16.10.10-172.16.10.20 address range.
object network NATPOOL
range 172.16.10.10 172.16.10.20
object network INSIDE_NET
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic NATPOOL
d, Dynamic PAT
Translates the inside subnet into 172.16.10.10.
object network INSIDE_NET
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic 172.16.10.10
Translates the inside subnet into the outside interface. This is useful if the IP address of the outside interface is given through DHCP.
object network INSIDE_NET
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic interface
e, Identity NAT
Identity NAT maps an IP address to itself. It is useful when an address must be excluded from translation, for example for VPN traffic.
object network IDENTITY_NAT
host 10.1.1.10
nat (inside,outside) static 10.1.1.10
f, Monitoring NAT
show nat
show nat pool
show running-config nat
show xlate
4, Access Control Lists
ACLs can be standard, extended and global. There are no wildcard masks on the ASA, only normal subnet masks.
a, ACLs override the security level restrictions.
access-list ACL1 permit tcp any object WEB_SERVER eq http
access-group ACL1 in interface outside
b, Network object groups combine several network objects.
object-group network DMZ_SERVERS
network-object host 10.1.1.2
network-object host 10.1.1.3
network-object host 10.1.1.4
Service object groups combine several service objects.
object-group service DMZ_SERVICES tcp
port-object eq http
port-object eq https
port-object eq smtp
An ACL that references a network object group and a service object group covers all the servers and services in one entry (easier management).
access-list ACL1 extended permit tcp any object-group DMZ_SERVERS object-group DMZ_SERVICES
c, Check ACLs
show conn
show conn detail
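The default interface policy, the ACL override and the static NAT from the sections above, as an added example that is not part of the original notes: a small Python model of how the ASA decides whether a new connection is permitted. It assumes the egress interface is already known (on a real ASA it comes from the routing and NAT lookup) and, as in ASA 8.3 and later, matches the ACL against the real address after un-translation.

```python
# Added example, not part of the original notes: a toy model of the ASA
# default interface policy. Traffic may go from a higher security level to
# a lower one; the other direction is blocked unless an access-list applied
# inbound on the ingress interface permits it, and that list is evaluated
# against the REAL (pre-NAT) address, as in ASA 8.3+. Interfaces, NAT
# object and ACL below are the ones used in the notes. The egress interface
# is an input to the model (assumption: it was determined by route/NAT).

SECURITY_LEVEL = {"outside": 0, "dmz": 50, "inside": 100}

# nat (dmz,outside) static 172.16.10.3  ->  (real_ifc, mapped_ifc): {mapped_ip: real_ip}
STATIC_NAT = {("dmz", "outside"): {"172.16.10.3": "10.1.1.2"}}

# access-list OUTSIDE_ACCESS extended permit tcp any object WEB_SERVER eq www
# access-group OUTSIDE_ACCESS in interface outside
ACL = {"outside": [("tcp", "any", "10.1.1.2", 80)]}  # (proto, src, real dst, dport)


def untranslate(ingress, egress, dst_ip):
    """Return the real address behind a static mapping on the egress interface."""
    return STATIC_NAT.get((egress, ingress), {}).get(dst_ip, dst_ip)


def acl_permits(ingress, proto, src_ip, dst_ip, dst_port):
    """Walk the inbound ACL of `ingress`; an applied ACL ends in an implicit deny."""
    for a_proto, a_src, a_dst, a_port in ACL.get(ingress, []):
        if (a_proto == proto and a_src in ("any", src_ip)
                and a_dst == dst_ip and a_port == dst_port):
            return True
    return False


def allowed(ingress, egress, proto, src_ip, dst_ip, dst_port):
    """Decide whether a new connection is permitted through the model."""
    real_dst = untranslate(ingress, egress, dst_ip)
    if ingress in ACL:
        # An ACL bound to the ingress interface replaces the level-based default.
        return acl_permits(ingress, proto, src_ip, real_dst, dst_port)
    return SECURITY_LEVEL[ingress] > SECURITY_LEVEL[egress]


if __name__ == "__main__":
    flows = [  # constructed sample flows; 198.51.100.7 is a documentation address
        ("inside", "outside", "tcp", "192.168.10.2", "198.51.100.7", 443),
        ("outside", "dmz", "tcp", "198.51.100.7", "172.16.10.3", 80),
        ("outside", "dmz", "tcp", "198.51.100.7", "172.16.10.3", 22),
        ("dmz", "inside", "tcp", "10.1.1.2", "192.168.10.2", 445),
    ]
    for f in flows:
        print(f"{f[0]:>7} -> {f[1]:<7} {f[4]}:{f[5]:<5} {'permit' if allowed(*f) else 'deny'}")
```

The third flow shows why the ACL still matters even with a static mapping: port 22 to 172.16.10.3 is un-translated to 10.1.1.2 but is not covered by the permit for port 80.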
5, Modular Policy Framework
MPF can be used to configure QoS, send traffic to the IPS module for inspection, configure stateful application inspection for protocols with dynamic port allocation, limit the maximum number of TCP connections to a server, and generally to build more granular inspection policies.
A class-map identifies the traffic. A policy-map defines the action to be taken on the traffic matched by a class-map. A service-policy activates the policy-map on an interface or globally.
a, Configure Class-map
class-map CLASS_MAP1
match access-list ACL_NAME
match port [tcp | udp] [eq TCP_PORT_NUM | range PORT1 PORT2]
match any
match default-inspection-traffic
b, Configure Policy-map
The ASA supports only one policy-map per interface and one global policy-map. Therefore several class-maps, each with its own actions, are assigned to a single policy-map. Actions can be:
- CSC, send the traffic through Content Security and Control module
- IPS, send the traffic through Intrusion Prevention System module
- set connection, enforce connection limits
- inspect, apply protocol inspection
- police, apply rate limit for traffic
- priority, apply priority for voice traffic
A class-map for a web server (192.168.10.10) can be created as follows:
! ACL for the traffic
access-list ACL_WEB_TRAFFIC permit tcp any host 192.168.10.10 eq 80
! Class-map which identifies the traffic
class-map CLASS_MAP_WEB_TRAFFIC
match access-list ACL_WEB_TRAFFIC
Let us say we have two Class-maps: CLASS_MAP_WEB_TRAFFIC and CLASS_MAP_SMTP_TRAFFIC.
Then this policy-map will send the traffic through the CSC module:
policy-map GLOBAL_POLICY_MAP
class CLASS_MAP_WEB_TRAFFIC
csc [fail-open|fail-close]
exit
class CLASS_MAP_SMTP_TRAFFIC
csc [fail-open|fail-close]
exit
! set global policy-map
service-policy GLOBAL_POLICY_MAP global
! set policy-map on an interface (outside)
service-policy POLICY_MAP interface outside
fail-open: traffic will be forwarded if the CSC module fails
fail-close: traffic will be dropped if the CSC module fails
c, Check configuration
show run class-map
show run policy-map
show run service-policy
show conn
show conn detail
Transparent mode
In transparent mode the ASA works like a Layer 2 switch. The interfaces do not have IP addresses; instead they are placed into a bridge-group. The ASA inspects the traffic that passes through the device. By default ICMP, broadcast and multicast traffic are not inspected. The BVI (Bridge Virtual Interface) carries the management IP address.
! clear all configuration
clear configure all
! check firewall mode
show firewall
! switch into transparent mode
firewall transparent
! configure BVI
interface BVI 1
ip address 192.168.1.1
exit
! enable HTTPS/ASDM management; "0 0" means any source address on inside
http server enable
http 0 0 inside
! configure vlans
interface vlan 100
nameif outside
security-level 0
no shutdown
exit
interface vlan 200
nameif inside
security-level 100
no shutdown
exit
! configure interfaces
interface e0/0
switchport access vlan 100
bridge-group 1
no shutdown
exit
interface e0/1
switchport access vlan 200
bridge-group 1
no shutdown
exit