Table of Contents

Volume 1

Module 1: Advanced NAT
  Overview
  Module Objectives
  Applying NAT 0 and Policy NAT
    Overview
    Objectives
    ACLs
    NAT
    Translation Behavior
    NAT Exemption
    Policy NAT
    Verify and Troubleshoot
    Summary
  Module Summary

Module 2: Advanced Protocol Handling
  Overview
  Module Objectives
  Applying the Cisco Modular Policy Framework
    Overview
    Objectives
    Cisco Modular Policy Framework Overview
    Configuring the Cisco Modular Policy Framework
    Configuring a Layer 7 Class Map
    Configuring a Regular Expression Class Map
    Configuring a Layer 7 Policy Map
    Verifying the Cisco Modular Policy Framework Configuration
    Summary
  Handling Advanced Protocols
    Overview
    Objectives
    Protocol Inspection Overview
    FTP Inspection
    HTTP Inspection
    Instant Messaging Inspection
    ESMTP Inspection
    DNS Inspection
    ICMP Inspection
    Verifying Protocol Inspection
    Summary
  Module Summary

Module 3: Dynamic Routing and Switching
  Overview
  Module Objectives
  Switching with VLANs
    Overview
    Objectives
    Cisco ASA VLAN Operations
    VLAN Configuration
    VLAN Configuration on the Cisco ASA 5505 Appliance
    VLAN Verification
    Summary
  Routing
    Overview
    Objectives
    Dynamic versus Static Routing
    RIP
    OSPF
    EIGRP
    Redistribution
    Verification and Troubleshooting
    Summary
  Module Summary

Securing Networks with Cisco ASA Advanced (SNAA) v1.0, © 2008 Cisco Systems, Inc.

Module 1: Advanced NAT

Overview

As the use of the Internet has expanded, so has the complexity of the network security requirements that companies must meet in the face of a constantly changing security policy. As needs arise or threats grow, security managers, administrators, and engineers require more capabilities from the Cisco ASA adaptive security appliance.
In this module, we will examine the advanced Network Address Translation (NAT) capabilities of the Cisco ASA security appliance. These advanced NAT features give administrators the flexibility to configure the Cisco ASA security appliance to meet security requirements.

Module Objectives

Upon completing this module, you will be able to explain how the Cisco ASA security appliance performs NAT, the order of NAT matching, and policy-based NAT with the use of ACLs. This ability includes being able to meet these objectives:

- Configure NAT exemption
- Configure NAT based on traffic type

Lesson 1: Applying NAT 0 and Policy NAT

Overview

This lesson discusses the Cisco ASA adaptive security appliance advanced Network Address Translation (NAT) features of NAT 0 and policy NAT. It begins with a general discussion of access control lists (ACLs) and NAT. It then describes how to configure NAT 0 and policy NAT. It ends with the commands to verify NAT configuration and troubleshoot NAT operations.

Objectives

Upon completing this lesson, you will be able to describe how to configure NAT based on traffic type and the appropriate policy. This ability includes being able to meet these objectives:

- Describe how to configure ACLs for the Cisco ASA security appliance
- Describe the function of NAT and how to implement basic NAT
- Describe the NAT 0 function and the steps necessary to implement NAT 0
- Describe policy NAT and the steps necessary to implement policy NAT
- Explain how to verify and troubleshoot NAT configuration and operation

ACLs

This topic describes access control lists and how they are configured.

What Are ACLs?
Access control lists (ACLs):
- Define or identify traffic
- Contain at least one access control entry (ACE)
- Types:
  - Standard: Specifies an IP address or IP network address
  - Extended: Specifies source and destination address and service
  - Webtype: Specifies the URL permitted or denied for WebVPN connections
  - Ethertype: Specifies the Layer 2 traffic allowed while in transparent mode

ACLs are used by the Cisco ASA security appliance to identify interesting traffic. Each ACL has at least one access control entry (ACE), and each ACE within an ACL describes the action taken on the traffic that the ACE identifies. The action that the security appliance can take on identified traffic is either permit or deny. The Cisco ASA security appliance supports four types of ACLs, which are described in the following table.

ACL Type   | Description
-----------|------------------------------------------------------------------------------------------
Standard   | Identifies traffic based on IP address or IP network address
Extended   | Identifies traffic based on source IP address and service, and destination IP address and service
Webtype    | Identifies the URL for WebVPN traffic
Ethertype  | Identifies traffic based on the EtherType field in the Ethernet frame of Layer 2 traffic

Security Appliance ACL Configuration

[Figure: two Internet hosts, 192.168.10.11 and 192.168.100.4, attempting to reach a web server on the inside of the security appliance; the ACL on the outside interface permits 192.168.10.11 and denies 192.168.100.4.]

The Cisco ASA adaptive security appliance uses ACLs to identify traffic that is:
- Allowed or denied on an interface
- Translated by NAT rules
- Placed into a VPN tunnel
- Controlled by the Modular Policy Framework
- Subjected to authentication, authorization, and accounting (AAA) rules

The Cisco ASA security appliance uses ACLs to identify traffic. Once traffic is identified, the security appliance can take the appropriate action. One of the most common uses of ACLs on the security appliance is to allow or deny traffic on an interface. However, ACLs can be used in many other ways.
ACLs can define which traffic is translated when NAT control is enabled. ACLs also can define what traffic flows through a virtual private network (VPN) tunnel, or what traffic has Modular Policy Framework rules applied to it.

In the figure, two hosts are attempting to access a web server on the inside of a security appliance. An ACL applied to the outside interface of the security appliance allows the host at 192.168.10.11 to make the connection to the web server, but denies access to the host at 192.168.100.4.

Note: The IP addressing schemes used in this course are not routable on the public Internet. They are RFC 1918 addresses that are used in the lab exercises for this course.

Access List Configuration

To configure an access rule, complete the following steps:

Step 1  Click the Configuration button on the toolbar.

Step 2  Choose Firewall from the navigation pane.

Step 3  Choose Access Rules from the Firewall menu. The Access Rules panel is displayed. The figure shows the implicit access rules for each configured interface. The implicit rules shown here are graphical representations of the default behavior of the security appliance: traffic from a higher security level can reach a lower security level, but not vice versa; traffic from a lower security level needs an explicit ACL entry to reach a higher security level. Although you can add new access rules for an interface, you cannot edit the implicit rules themselves.

Step 4  Click Add and choose Add Access Rule. The Add Access Rule window opens.

Access List Configuration (Cont.)

[Figure: Add Access Rule dialog for Acme Transport, permitting HTTP from the Internet host 192.168.10.11 to the inside host.]

To create an inbound access rule that permits only HTTP traffic from an outside host to a host on the inside of the security appliance:

Step 5  Choose the interface to which the rule applies from the Interface drop-down list. In the figure, the network security administrator for Acme Transport has chosen the outside interface, because the goal is to permit HTTP traffic from an outside host to a host on the inside of the security appliance.

Step 6  Choose the action that applies to the rule by clicking the Permit radio button or the Deny radio button. In the figure, Permit is chosen.

Step 7  Enter the source IP address from which traffic is permitted or denied. You also can click the "..." button to choose an address from a predefined list of known objects. To specify a host address, enter /32 for the subnet mask, or enter the IP address without a subnet mask. To specify a network address, enter the subnet mask in slash notation after the IP address. For example, to specify the network 192.168.1.0 255.255.255.0, enter 192.168.1.0/24. In the figure, the IP address 192.168.10.11 is entered as the source IP address, to specify that the host at this address outside the security appliance is permitted by the rule.

Step 8  Specify the destination IP address to which traffic is permitted or denied. You also can click the "..." button to choose an address from a predefined list. To specify a host address, enter /32 for the subnet mask, or enter the IP address without a subnet mask. To specify a network address, enter the subnet mask in slash notation after the IP address. In the figure, the destination address is 192.168.1.33.

Step 9  Specify the service or protocol for the rule in the Service field. You can click the "..." button to choose a service from a predefined list, or you can begin typing the acronym for the protocol; a list of entries matching the letters typed so far pops up. In the figure, tcp/http is entered.

Because every ACL ends with an implicit deny, this single permit ACE is enough to block all other inbound traffic on the outside interface, including the connection attempt from 192.168.100.4 shown in the earlier figure.
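The same rule entered from the command line, added here as a worked example and not taken from the course material: it builds the extended ACL with the single permit ACE, binds the ACL inbound on the outside interface, and then checks the result with hit counts and a simulated flow for each of the two outside hosts. The ACL name OUTSIDE_IN is an assumed name, not one used by the course.

```cisco
! Added example (not from the SNAA course): CLI equivalent of the ASDM access rule
! from Steps 5 through 9. The ACL name OUTSIDE_IN is an arbitrary choice.
!
! One ACE: permit TCP from the outside host 192.168.10.11 to the inside
! web server 192.168.1.33, destination port 80 (http).
access-list OUTSIDE_IN extended permit tcp host 192.168.10.11 host 192.168.1.33 eq http
!
! No further ACEs are needed to block other hosts: anything not matched above,
! including traffic from 192.168.100.4, hits the implicit deny at the end of the ACL.
!
! Apply the ACL to traffic entering the outside interface.
access-group OUTSIDE_IN in interface outside
!
! Verification: per-ACE hit counts, then a simulated packet for each outside host
! that is walked through the ACL, NAT, and routing lookups without sending traffic.
show access-list OUTSIDE_IN
packet-tracer input outside tcp 192.168.10.11 34567 192.168.1.33 80
packet-tracer input outside tcp 192.168.100.4 34567 192.168.1.33 80
```

The first packet-tracer run should end with an allow action, the second with a drop whose reason is an acl-drop, which is the implicit deny doing its job. One caveat on the destination address: in the ASA software release this course covers (8.0), an access rule on the outside interface matches the mapped (translated) address of the inside server, so the address entered in Step 8 must be the one the outside network sees; from ASA 8.3 onward, access rules match the real (untranslated) address instead.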
