SNAF
Securing Networks with ASA Fundamentals
Volume 1
Version 1.0
Student Guide
Text Part Number 97-2680

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Printed in Canada

Table of Contents

Volume 1

Introducing Cisco Security Appliance Technology and Features 1-1
  Overview 1-1
  Objectives 1-1
  Firewalls 1-2
  Security Appliance Essentials 1-7
  Summary 1-22

Introducing the Cisco ASA and PIX Security Appliance Families 2-1
  Overview 2-1
  Objectives 2-1
  Models and Features of Cisco Security Appliances 2-2
  Cisco ASA Security Appliance Licensing 2-24
  Summary 2-27

Getting Started with Cisco Security Appliances 3-1
  Overview 3-1
  Objectives 3-1
  User Interface 3-2
  File Management 3-7
  Security Appliance Security Levels 3-15
  Cisco ASDM Essentials and Operating Requirements 3-19
    Windows Requirements 3-23
    Mac OS X Requirements 3-24
    Linux Requirements 3-25
  Preparing to Use Cisco ASDM 3-28
  Navigating Cisco ASDM Windows 3-37
  Summary 3-63

Configuring a Security Appliance 4-1
  Overview 4-1
  Objectives 4-1
  Basic Security Appliance Configuration 4-2
  Examining Security Appliance Status 4-31
  Time Setting and NTP Support 4-43
  Syslog Configuration 4-50
  Summary 4-72

Configuring Translations and Connection Limits 5-1
  Overview 5-1
  Objectives 5-1
  Transport Protocols 5-2
  Understanding NAT 5-8
  Understanding PAT
  Static Translations 5-50
  Connections and Translations 5-72
  Summary 5-83

Using ACLs and Content Filtering 6-1
  Overview 6-1
  Objectives 6-1
  ACL Configuration 6-2
  Malicious Active Code Filtering 6-35
  URL Filtering 6-39
  Packet Tracer 6-48
  Summary 6-54

Configuring Object Grouping 7-1
  Overview 7-1
  Objectives 7-1
  Essentials of Object Grouping 7-2
  Configuring and Using Object Groups 7-6
  Summary 7-24

Switching and Routing on Cisco Security Appliances 8-1
  Overview 8-1
  Objectives 8-1
  VLAN Capabilities 8-2
  Static Routing 8-11
  Dynamic Routing 8-23
  Summary 8-37

ii Securing Networks with ASA Fundamentals (SNAF) v1.0 © 2008 Cisco Systems, Inc.

Students, this letter describes important course evaluation access information!

Welcome to Cisco Systems Learning. Through the Cisco Learning Partner Program, Cisco Systems is committed to bringing you the highest-quality training in the industry. Cisco learning products are designed to advance your professional goals and give you the expertise you need to build and maintain strategic networks.

Cisco relies on customer feedback to guide business decisions; therefore, your valuable input will help shape future Cisco course curricula, products, and training offerings. We would appreciate a few minutes of your time to complete a brief Cisco online course evaluation of your instructor and the course materials in this student kit.

On the final day of class, your instructor will provide you with a URL directing you to a short post-course evaluation. If there is no Internet access in the classroom, please complete the evaluation within the next 48 hours or as soon as you can access the web.

On behalf of Cisco, thank you for choosing Cisco Learning Partners for your Internet technology training.

Sincerely,
Cisco Systems Learning

Lesson 1
Introducing Cisco Security Appliance Technology and Features

Overview
This lesson enables you to select a firewall technology that meets the needs of your network.

Objectives

Firewalls
This topic describes firewalls.

What Is a Firewall?
[Figure: a firewall separating networks; recoverable label: Outside Network]
A firewall is a system or group of systems that manages access between two or more networks.
By conventional definition, a firewall is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. It can also be used to isolate one compartment from another. When applying the term to a computer network, a firewall is a system or group of systems that manages access between two or more networks.

Firewall Technologies
Firewall operations are based on one of three technologies:
- Packet filtering
- Proxy server
- Stateful packet filtering

Firewall operations are based on one of these three technologies:
- Packet filtering: Limits information that is allowed into a network based on static packet header information.
- Proxy server: Requests connections on behalf of the client, acting as an intermediary between the two end systems. It operates at the application layer of the firewall, where both ends of a connection are forced to conduct the session through the proxy.
- Stateful packet filtering: Combines the best of packet filtering and proxy server technologies.

Packet Filtering
[Figure: packet filtering; recoverable label: Inside Server]
Limits information that is allowed into a network based on the destination and source address.

A firewall can use packet filtering to limit information that enters a network and information moving from one segment of a network to another. Packet filtering uses access control lists (ACLs), which allow a firewall to accept or deny access based on packet types and other variables. This method is effective when a protected network receives a packet from an unprotected network. Any packet that is sent to the protected network and does not fit the criteria defined by the ACLs is dropped.

Problems with packet filtering are as follows:
- Arbitrary packets can be sent that fit the ACL criteria and therefore pass through the filter.
- Packets can pass through the filter by being fragmented.
- Complex ACLs are difficult to implement and maintain correctly.
- Some services cannot be filtered.

Proxy Server
Requests connections on behalf of a client.

A proxy server is a firewall device that examines packets at higher layers of the Open Systems Interconnection (OSI) model. This device hides valuable data by requiring users to communicate with a secure system by means of a proxy. Users gain access to the network by going through a process that establishes session state, user authentication, and authorized policy. This means that users connect to outside services via application programs (proxies) that are running on the gateway that is connected to the outside unprotected zone.

Problems with the proxy server are as follows:
- The proxy server creates a single point of failure, which means that if the entrance to the network is compromised, then the entire network is compromised.
- Adding new services to the firewall is difficult.
- The proxy server performs more slowly under stress.

Stateful Packet Filtering
Limits information that is allowed into a network based not only on the destination and source addresses, but also on the contents of the state table.

Stateful packet filtering is the method that is used by Cisco security appliances. This technology maintains complete session state. Each time a TCP or User Datagram Protocol (UDP) connection is established for inbound or outbound connections, the information is logged in a stateful session flow table.

The stateful session flow table, also known as the state table, contains the source and destination addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection that is associated with that particular session. This information creates a connection object, and consequently, all inbound and outbound packets are compared against session flows in the stateful session flow table. Return data is permitted through the firewall only if an appropriate connection exists to validate its passage.

This method is effective for three reasons:
- It works both on packets and on connections.
- It operates at a higher performance level than packet filtering or using a proxy server.
- It records data in a table for every connection and connectionless transaction. This table serves as a reference point for determining if packets belong to an existing connection or are from an unauthorized source.

Security Appliance Essentials
This topic describes the essentials of security appliances.

Security Appliances: What Are They?
Cisco security appliances deliver enterprise-class security for small-to-medium-sized business and enterprise networks in a modular, purpose-built appliance. Some features of Cisco security appliances are:
- Stateful packet inspection firewalls
- User-based authentication
- Protocol and application inspection
- Modular Policy Framework
- IPsec VPN
- SSL VPN (adaptive security appliances only)
- Intrusion prevention (IPS) (adaptive security appliances only)
- Content security (adaptive security appliances only)
- Security contexts (virtual firewalls)
- Stateful failover capabilities
- Transparent firewalls
- Web-based management solutions

The Cisco ASA 5500 Series Adaptive Security Appliances and the Cisco PIX 500 Series Security Appliances are key elements in the overall Cisco end-to-end security solution. The market-leading Cisco security appliances provide enterprise-class, integrated network security services, including stateful inspection firewalling, protocol and application inspection, virtual private networks (VPNs), inline intrusion prevention, and rich multimedia and voice security, in cost-effective, easy-to-deploy solutions.
Ranging from compact "plug-and-play" desktop firewalls for small offices to carrier-class gigabit firewalls for the most demanding enterprise and service-provider environments, Cisco security appliances provide robust security, performance, and reliability for network environments of all sizes.

Some features of the Cisco ASA and PIX security appliances are as follows:
- State-of-the-art stateful packet inspection firewall
- User-based authentication of inbound and outbound connections
- Integrated protocol and application inspection engines that examine packet streams at Layers 4 through 7
- Highly flexible and extensible next-generation modular security policy framework
- Robust VPN for secure site-to-site and remote access connections
- Clientless and client-based Secure Sockets Layer (SSL) VPN (available in the adaptive security appliance only)
- Full-featured intrusion prevention system services for day-zero protection against threats, including application and operating system vulnerabilities, directed attacks, worms, and other forms of malware (available in the adaptive security appliance only)
- Content security services, including URL filtering, anti-phishing, antispam, antivirus, antispyware, and content filtering (available in the adaptive security appliance only)
- Multiple security contexts (virtual firewalls) within a single appliance
- Stateful failover capabilities that ensure resilient network protection
- Transparent deployment of security appliances into existing network environments without requiring readdressing of the network
- Intuitive single-device management and monitoring services with the Cisco Adaptive Security Device Manager (ASDM) and enterprise-class multidevice management services through Cisco Security Manager

Stateful Packet Inspection
The stateful packet inspection algorithm provides stateful connection security in these ways:
- It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags.
- It randomizes the initial TCP sequence number of each new connection.
- By default, the stateful packet inspection algorithm allows connections originating from hosts on inside (higher security level) interfaces.
- By default, the stateful packet inspection algorithm drops connection attempts originating from hosts on outside (lower security level) interfaces.
- The stateful packet inspection algorithm supports authentication, authorization, and accounting.

The heart of the security appliance is the stateful packet inspection algorithm, which maintains the secure perimeters between the networks that are controlled by the security appliance. The connection-oriented stateful packet inspection algorithm design creates session flows based on source and destination addresses. The stateful packet inspection algorithm randomizes TCP sequence numbers, port numbers, and additional TCP flags before completion of the connection. This function is always in operation, monitoring return packets to ensure that they are valid, and allows one-way (inside-to-outside) connections without an explicit configuration for each internal system and application. Randomizing the TCP sequence numbers minimizes the risk of a TCP sequence number attack. Because of the stateful packet inspection algorithm, the security appliance is less complex and more robust than a packet filtering-designed firewall.

Stateful packet filtering is a secure method of analyzing data packets by placing extensive information about a data packet into a stateful session flow table. Each time a TCP connection is established for inbound or outbound connections through the security appliance, the information about the connection is logged in the stateful session flow table. For data to return via the security appliance, information about the connection must match information stored in the table. With stateful packet filtering, the stateful filters work on the connections rather than the packets, making it a more stringent security method and making its sessions immune to hijacking.

Stateful packet filtering does the following:
- Obtains the session-identifying parameters, IP addresses, and ports for each TCP connection
- Logs the data in a stateful session flow table and creates a session object
- Compares the inbound and outbound packets against session flows in the connection table
- Allows return data packets to flow through the security appliance only if an appropriate connection exists to validate their passage
- Temporarily sets up a connection object until the connection is terminated

Cut-Through Proxy Operation
[Figure: cut-through proxy operation. Recoverable steps: 1. The user makes a request. 2. The security appliance intercepts the connection. ... 5. The security appliance directly connects the internal or external user via the security appliance; communication then takes place at a lower level of the OSI model.]

Cut-through proxy is a method of transparently verifying the identity of users at the security appliance and permitting or denying access to any TCP- or UDP-based applications. Cut-through proxy is also known as user-based authentication of inbound and outbound connections. Unlike a proxy server, which analyzes every packet at the application layer of the OSI model, the security appliance first challenges a user at the application layer. After the user is authenticated and the policy is checked, the security appliance shifts the session flow to a lower layer of the OSI model for faster performance.
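The stateful session flow table and the cut-through proxy check described above, as an added teaching model (Python written for this edit; it is not Cisco code and not part of the course materials): a static ACL packet filter for contrast, a state table that admits return traffic only when a connection object exists, drops unsolicited connection attempts from the lower security side, removes the object on teardown and applies a random initial-sequence-number offset, and a cut-through proxy that challenges the first HTTP, HTTPS, Telnet or FTP connection from a host that has not yet authenticated. The 10.1.1. inside prefix, the 192.0.2.x outside hosts, the in-memory user table standing in for the AAA server and the 300-second authentication timeout are constructed assumptions, not values from this guide.

```python
# Illustrative model of a packet filter, a stateful session flow table, and
# cut-through proxy authentication. Written for this edit; not Cisco ASA code.
# The 10.1.1. inside prefix, 192.0.2.x outside hosts, the user table and the
# 300 s timeout are constructed assumptions.
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # first packet of a new TCP connection
    fin: bool = False   # connection teardown
    seq: int = 0        # sequence number as sent by the host


class PacketFilter:
    """Packet filtering: a static ACL with no memory of connections.

    Any packet whose header fits the ACL passes, including an unsolicited
    packet from outside that merely looks like return traffic.
    """

    def __init__(self, permitted):
        self.permitted = set(permitted)      # (dst_ip, dst_port) pairs allowed in

    def permit(self, pkt):
        return (pkt.dst, pkt.dport) in self.permitted


class StatefulInspector:
    """Stateful packet filtering against a stateful session flow table.

    Connections may originate only from the inside (higher security level)
    side; a packet from outside passes only if a matching connection exists.
    """

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.table = {}                      # 5-tuple -> connection object

    def _is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def permit(self, pkt):
        fwd, rev = self._key(pkt), self._reverse(pkt)
        if fwd in self.table or rev in self.table:
            if pkt.fin:                      # connection terminated: drop the object
                self.table.pop(fwd, None)
                self.table.pop(rev, None)
            return True                      # belongs to an existing session flow
        if pkt.syn and self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # New inside-to-outside connection: create the connection object and
            # pick a random offset so the initial sequence number seen outside
            # cannot be predicted from the host's own numbering.
            self.table[fwd] = {"isn_offset": secrets.randbelow(2**32)}
            return True
        return False                         # unsolicited from the lower security side

    def outbound_seq(self, pkt):
        """Sequence number after randomization, as it leaves the outside interface."""
        return (pkt.seq + self.table[self._key(pkt)]["isn_offset"]) % 2**32


class CutThroughProxy:
    """User-based authentication in front of the state table.

    The first HTTP, HTTPS, Telnet or FTP connection from an unauthenticated host
    is challenged at the application layer; after the user authenticates, later
    connections from that host are handled by the state table at a lower layer.
    """

    AUTH_PORTS = {21, 23, 80, 443}            # FTP, Telnet, HTTP, HTTPS

    def __init__(self, inspector, users, uauth_timeout=300):
        self.inspector = inspector
        self.users = users                   # constructed stand-in for the AAA server
        self.uauth_timeout = uauth_timeout
        self.uauth = {}                      # host ip -> (username, expiry)

    def authenticate(self, host_ip, username, password, now):
        if self.users.get(username) != password:
            return False
        self.uauth[host_ip] = (username, now + self.uauth_timeout)
        return True

    def permit(self, pkt, now):
        """Returns 'permit', 'challenge' or 'deny' for one packet at time `now`."""
        entry = self.uauth.get(pkt.src)
        if pkt.syn and (entry is None or entry[1] <= now):
            self.uauth.pop(pkt.src, None)    # expired or absent: must authenticate
            return "challenge" if pkt.dport in self.AUTH_PORTS else "deny"
        return "permit" if self.inspector.permit(pkt) else "deny"
```

Run against the same packets, `PacketFilter` admits a forged "reply" from 192.0.2.9 to 10.1.1.5 port 1234 because its header fits the ACL, whereas `StatefulInspector` drops it until an inside host has actually opened that connection, and drops it again once the FIN has removed the connection object. `CutThroughProxy` answers the first web connection from an unauthenticated host with a challenge, denies a non-authenticating service such as SMTP from that host, and after `authenticate` succeeds hands every later packet straight to the state table; the entry lapses after the timeout.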
This process allows security policies to be enforced on a per-user-identification basis. Connections must be authenticated with a user identification and password before they are established. The user identification and password are entered via an initial HTTP, HTTPS, Telnet, or FTP connection. This method eliminates the performance impact that UNIX system-based firewalls impose in similar configurations and allows a finer level of administrative control over connections. The cut-through proxy method of the security appliance also leverages the authentication and authorization services of the Cisco Secure Access Control Server (ACS).

Protocol and Application Inspection
- Protocols such as FTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall.
- The security appliance inspects packets above the network layer.
- The security appliance securely opens and closes negotiated ports for legitimate client-server connections through the firewall.

Many corporations use the Internet for business transactions. To keep their internal networks secure from potential threats from the Internet, corporations can implement firewalls on their internal network. While firewalls help protect the internal networks of a corporation from external threats, firewalls have caused problems as well. For example, some of the protocols and applications that the corporations use to communicate are not allowed through the firewalls. Specifically, protocols such as FTP, H.323, and SQL*Net must negotiate connections to dynamically assigned source ports, destination ports, or IP addresses through the firewall.

A good firewall must inspect packets above the network layer and must do the following as required by the protocol or application:
- Securely open and close negotiated ports or IP addresses for legitimate client-server connections through the firewall
- Use Network Address Translation (NAT)-relevant instances of an IP address inside a packet
- Use Port Address Translation (PAT)-relevant instances of ports inside a packet
- Inspect packets for signs of malicious application misuse

You can configure the security appliance to allow the required protocols or applications through the security appliance, which enables the internal networks of a corporation to remain secure.

Cisco Modular Policy Framework
[Figure: four traffic flows (Internet, system engineers, executives, site-to-site) and a service policy table with columns Traffic Flow, Interface/Global, and Policy; the inside and outside interfaces are labeled.]
Construction of flow-based policies:
- Identify specific flows.
- Apply services to that flow.

Cisco ASA and PIX Security Appliance Software version 7.0 introduced the highly flexible and extensible Cisco Modular Policy Framework (MPF). The MPF enables you to construct flow-based policies by identifying specific traffic flows and then applying policies (such as application inspection policies, VPN policies, and quality of service [QoS] policies) to the flows. In the figure, four traffic flows are identified: Internet traffic, systems engineer VPN traffic, executive VPN traffic, and site-to-site voice traffic. A policy is associated with each of the flows. For example, in the site-to-site traffic flow, voice is given priority; in the VPN flows, the traffic throughput of each group is policed; and Internet traffic undergoes application inspection and is routed through a Cisco Intrusion Prevention System (IPS) module. This configuration provides significantly improved granular control over traffic flows and services and enables inspection engines to have flow-specific settings.

Virtual Private Networks
[Figure: VPN deployments; recoverable labels: Site to Site, SSL VPN]

A VPN is a service that offers secure, reliable connectivity over a shared public network infrastructure such as the Internet. Because the infrastructure is shared, connectivity can be provided at a cost that is lower than that of existing dedicated private networks. The security appliance enables IP Security (IPsec) VPNs for both site-to-site and remote-access networks. SSL VPN (WebVPN) complements IPsec-based remote access by allowing secure remote access to corporate network resources over the Internet via SSL VPN.

Cisco ASA 5500 Series Security Services Modules
[Figure: a Cisco ASA 5500 with DMZ servers and the two SSMs. AIP-SSM: runs Cisco IPS 6.0 code or later; configurable for inline or promiscuous mode; managed through Cisco ASDM, IDM, or CSM. CSC-SSM: Trend Micro technology; antivirus, antispyware, antispam, antiphishing; URL and content filtering; managed through Cisco ASDM and the Trend Micro interface.]

The full-featured Cisco IPS services and the content security services of the Cisco ASA security appliance are implemented in Security Services Modules (SSMs). IPS services are provided by the Cisco ASA Advanced Inspection and Prevention (AIP)-SSM, while content security services are provided by the Cisco ASA Content Security Control (CSC) SSM. Only one module at a time can populate the SSM slot on the Cisco ASA security appliance.
The Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP-SSM) is a fully functioning IPS running within the Cisco ASA security appliance and runs Cisco IPS 5.0 code or later. The Cisco ASA AIP-SSM can operate in either inline mode, which places the Cisco ASA AIP-SSM directly in the traffic flow, or in promiscuous mode, which sends a duplicate stream of traffic to the Cisco ASA AIP-SSM for inspection. The Cisco ASA AIP-SSM can be managed with Cisco ASDM, Cisco IPS Device Manager (IDM), or Cisco Security Manager.

The Cisco ASA CSC SSM is an anti-X module running within the Cisco ASA security appliance. It runs on Trend Micro technology to enable antivirus, antispyware, antispam, and antiphishing. It can scan HTTP, FTP, Post Office Protocol version 3 (POP3), and Simple Mail Transfer Protocol (SMTP) traffic that has been diverted to it. The Cisco ASA CSC SSM can be managed with Cisco ASDM via the Trend Micro interface.

Security Contexts (Virtual Firewalls)
[Figure: four physical firewalls on the left; on the right, one physical firewall divided into four virtual firewalls.]
Ability to create multiple security contexts (virtual firewalls) within a single security appliance.

Cisco ASA and PIX Security Appliance Software version 7.0 introduced the ability to create multiple security contexts (virtual firewalls) within a single appliance, with each context having its own set of security policies, logical interfaces, and administrative domain. In the figure, the security appliance on the right is logically divided into four virtual firewalls. This provides businesses with a convenient way to consolidate multiple firewalls into a single physical appliance, and to retain the ability to manage each of these virtual instances separately.

For the Cisco ASA 5500 Series Adaptive Security Appliances, security contexts are a licensed feature, with multiple tiers of supported security contexts (2, 5, 10, 20, and 50), and these virtual firewalls are available on the Cisco ASA 5510, 5520, 5540, and 5550 Adaptive Security Appliances. Also, for the Cisco PIX 500 Series Security Appliances, security contexts are a licensed feature, with multiple tiers of supported security contexts (2, 5, 10, 20, and 50), and virtual firewalls are available only on the Cisco PIX 515, 515E, 525, and 535 Security Appliances with an unrestricted (UR) or failover (FO) license.

High Availability
[Figure: three panels: redundant interfaces, failover active/standby, and failover active/active. The remaining figure text is illegible in the source.]

Failover provides a mechanism for the security appliance to be redundant by allowing two identical security appliances to serve the same function. The active security appliance performs normal security functions while the standby security appliance monitors, ready to take control if the active security appliance fails. Under the active/standby failover model, only one security appliance actively processes user traffic while the other unit acts as a hot standby, prepared to take over if the active unit fails. In the active/standby failover example in the figure, the primary security appliance has failed and the secondary security appliance becomes active. After the failure, all traffic flows through the secondary security appliance.

Cisco ASA and PIX Security Appliance Software version 7.0 supports a two-node active/active failover configuration with two failover groups. The active/active failover feature requires security contexts. The active/active example in the figure displays a failover cluster of two security appliances. Each security appliance has two contexts. Under normal conditions in each security appliance, one context is active and the other is standby. One context actively processes firewall traffic while the other context serves as a backup for the other security appliance. Thus, active/active failover provides load-sharing of traffic between the two security appliances when both security appliances are up and running. As in the active/standby example, when one of the security appliances fails in an active/active failover, the other security appliance will have both contexts active and will process 100 percent of the traffic.

In both of these scenarios, the security appliance can be configured for stateful failover so that active connections remain when failover occurs. The stateful feature passes per-connection stateful information to the standby unit. After a failover occurs, the same connection information must be available at the new ...

Starting in the Cisco ASA and PIX Security Appliance Software version 8.0, you can also configure redundant interfaces to increase security appliance reliability. This feature is separate from the device-level failover, but you can use redundant interfaces and failover in the same configuration. A redundant interface provides intra-device, physical interface-level redundancy by pairing two physical interfaces. At any given time, only one physical interface passes traffic. The other interface remains in a standby state. When the active physical interface fails, traffic is diverted to the standby physical interface. In the figure, redundant interface R1 pairs physical interfaces GigabitEthernet0/1 and GigabitEthernet0/2.
Because GigabitEthernet0/1 has failed, traffic is diverted to GigabitEthernet0/2.

Transparent Firewall
[Figure: a security appliance bridging between the internal network and the Internet.]
- Has the ability to deploy a security appliance in a secure bridging mode
- Provides rich Layers 2 through 7 security services as a Layer 2 device

Cisco ASA and PIX Security Appliance Software version 7.0 introduced the ability to deploy a security appliance in a secure bridging mode as a Layer 2 device to provide rich Layers 2 through 7 security services for the protected network. This enables businesses to deploy security appliances into existing network environments without requiring readdressing of the network. Although the security appliance can be completely invisible to devices on both sides of a protected network, you can manage it via an exposed IP address (which can be hosted on a separate interface). You can also specify EtherType-based ACLs for access control over Layer 2 devices and protocols.

Web-Based Management Solutions
Adaptive Security Device Manager

The Cisco ASDM browser-based configuration tool is designed to help you set up, configure, and monitor Cisco PIX 500 Series Security Appliances and ASA 5500 Series Security Appliances graphically, without requiring you to have extensive knowledge of the command-line interface (CLI) of the security appliance. Cisco ASDM is loaded from the security appliance to which you connect via a browser. Cisco ASDM 6.0 new features include the following:
- Easier access to all services offered by a Cisco ASA security appliance via a fresh new interface
- Drag-and-drop and in-place editing for simplified policy editing
- User interface customization with dockable windows and toolbars
- New Firewall Dashboard that provides at-a-glance status of firewall services
- Live ACL hit count in firewall rule table for easy policy auditing
- Device-list dockable pane for switching to another security appliance that runs the same version of Cisco ASDM that you are currently running

Web-Based Management Solutions (Cont.)
[Figure: Cisco Security Manager map-centric view]

The Cisco Security Manager version 3.1 enables you to manage security policies on the security appliance and other Cisco security devices. Cisco Security Manager supports integrated provisioning of firewall, IPS, and VPN (site-to-site, remote-access, and SSL) services across the following devices:
- Cisco ASA and PIX security appliances
- Cisco IOS routers
- Cisco Catalyst 6500/7600 services modules
  - Firewall Services Module (FWSM)
  - VPN Services Module (VPNSM)
  - IPsec VPN Shared Port Adapter (VPN SPA)
  - Intrusion Detection Services Module-2 (IDSM-2)
- Cisco IPS appliances
- Cisco IPS modules
  - AIP-SSM for Cisco ASA security appliances
  - Cisco IDS Network Module (NM-CIDS) for IOS routers

Note: For a complete list of devices and operating system versions supported by Cisco Security Manager, refer to the document entitled Supported Devices and Software Versions for Cisco Security Manager 3.1 on Cisco.com.

The Cisco Security Manager is part of the Cisco Security Management Suite, which delivers comprehensive policy administration and enforcement for the Cisco Self-Defending Network.
The suite provides a comprehensive solution for provisioning, monitoring, mitigation, and identity to keep networks safer, more resilient, and easier to operate. The suite also includ Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) for ‘monitoring and mitigation, You can use the policy-based management techniques of the Cisco Security Mai manage networks of all sizes, and you can configure security policies on a per-dleviee, per- device group, or global basis. The Cisco Security Manager provides multiple views into the application, such as the device-centric and map-centrie views shown in the figure, to accommodate different tasks and user experience levels. © 2008 Cisco Systems, in. Introducing Cisco Security Appliance Technology and Featues 1-21 Summary This topic summarizes the key points that were discussed in this lesson. Summary = There are three firewall technologies: packet filtering, proxy server, and stateful packet filtering, * Features of the Cisco ASA and PIX Security Appliances include the following: stateful packet inspection, cut-through proxy, stateful falover, the Cisco Modular Policy Framework, VPNs, transparent firewall, security contexts, intrusion prevention, content security, and web-based management 4-22 Securing Networks with ASA Fundamentals (SNAF) v1 0 © 2008 Cisco Systems, ne. Lesson 2 Introducing the Cisco ASA and PIX Security Appliance Families Overview Cisco PIX 500 Appliance that best Objectives Models and Features of Cisco Security Appliances This topic deseribes the Cisco ASA 5500 Series Adaptive S PIX 500 Series Security Appliance. 
curity Appliance and the Cisco Company XYZ Branch Offes Seouty Fram Ralay Corporate Seely ction system (IDS) appliance to protect its headquarters, and a firewall to protect its branch ‘The branch office connects to headquarters via a Frame Relay virtual private network (VPN) because neither the perimeter routers nor the firewalls owned by Company XYZ support IP security (IPsec) VPNs. Recently, Company XYZ has begun to experience the following problems: = Frame Relay is not the most cost-eflective means of connecting branch office users to the headquarters. The company is experiencing high growth and many more branches will be opening soon, = Network attacks have increased and becom more sophisticated. = Employee productivity has decteased due to the use of instant messaging and peer-to-peer applications. = The company virus protection does not prevent new viruses from infecting the network before a patch is available to combat it = The company firewalls cannot keep pace with the demands of the rapidly growing ‘company. 2-2 Securing Networks with ASA Fundamentals (SNAF) v1.0 {© 2008 Cisco Systems, Ine. istrator is overburdened by the need to examine dozens of logs from various security solutions. | More and more mobile workers need to connect securely to headquarters over a broadband Internet connection. The current dialup connection to headquarters is too slow. ‘The network security administrator has heard that Cisco offers solutions for the problems that the company is experiencing and decides to take a look at the Cisco ASA and PIX Security Appliance families. Note Company XYZ is a fictitious company that is used throughout this course to demonstrate the functionality of Cisco ASA and PIX securiy appliances, ‘© 2008 Cisco Systems, Inc Introducing the Cisco ASA end PIX Security Appliance Families 23 ASA Adaptive Security Appliance F. 
Functionality

The Cisco ASA 5500 Series and Cisco PIX 500 Series Security Appliances scale to meet a range of requirements and network sizes. The ASA 5500 Series consists of five models: the Cisco ASA 5505, 5510, 5520, 5540, and 5550 Adaptive Security Appliances. The Cisco ASA adaptive security appliance is secure right out of the box. After a few installation procedures and a brief initial configuration, your Cisco ASA security appliance is operational and protecting your network.

[Slide: PIX Security Appliance Family]

Functionality

The Cisco PIX 500 Series consists of five models: the Cisco PIX 501, 506E, 515E, 525, and 535 Security Appliances. The Cisco PIX security appliance is secure right out of the box. After some installation procedures and commands for initial configuration, your PIX security appliance is operational and protecting your network.

Note: The Cisco PIX 501, 506, and 506E Security Appliances do not support Cisco PIX Security Appliance Software version 7.0 and later. For more detailed information on the Cisco PIX security appliance hardware, refer to the Cisco PIX 500 Series Security Appliances Install and Upgrade Guides at http://www.cisco.com.

[Slide: ASA 5505 Adaptive Security Appliance — built-in Layer 2 switch with eight Fast Ethernet ports; one 802.1Q trunk port; PoE on two ports; up to three VLANs; active/standby failover (stateless); IPsec and SSL VPN. Back panel callouts: console port, reset button, PoE ports]

The ASA 5505 Adaptive Security Appliance is designed for small offices, home offices (SOHOs), and enterprise teleworker environments.
It provides a high-performance and flexible upgrade from the Cisco PIX 501 and 506E Security Appliances and the Cisco VPN 3002 Hardware Client. The ASA 5505 Adaptive Security Appliance supports a built-in switch and has these two types of ports and interfaces to configure:
- Physical switch ports: The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Two of these ports support Power over Ethernet (PoE) and are therefore capable of powering IEEE 802.3af compliant devices. You can connect these interfaces directly to user equipment such as PCs, IP phones, or a DSL modem, or you can connect to another switch. The ASA 5505 Adaptive Security Appliance itself cannot be powered via PoE.
- Logical VLAN interfaces: In routed mode, logical VLAN interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services. VLAN interfaces let you divide your ASA 5505 Adaptive Security Appliance into separate VLANs, such as home, business, and Internet VLANs.

Note: Subinterfaces are not available for the ASA 5505 Adaptive Security Appliance.

To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.
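The switch-port-to-VLAN relationship just described can be checked offline from a saved configuration. The following is an added example, not code from the course or from Cisco: it parses a constructed ASA 5505-style configuration excerpt, maps each switch port to its VLAN, counts the active VLANs (those carrying a nameif), and answers whether traffic between two ports is hardware-switched or passes through the security policy. The regular expressions, the assumption that a switch port without a switchport access vlan line sits in VLAN 1, and the license limits used in check_routed_license (taken from the routed-mode figures given for this model in this lesson) are assumptions of this example.

```python
"""Map ASA 5505 switch ports to VLAN interfaces from a config excerpt."""
import re

# Constructed sample in ASA 5505 syntax (illustrative, not from the course).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Vlan3
 no nameif
 security-level 50
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!
"""

# Routed-mode active-VLAN limits as stated in this lesson for the ASA 5505.
ROUTED_MODE_LIMITS = {"base": 3, "security-plus": 20}


def parse_5505_interfaces(config_text):
    """Return (port_to_vlan, active_vlans).

    port_to_vlan maps each switch port to its access VLAN id; a port with no
    'switchport access vlan' line is assumed to be in VLAN 1 (assumption).
    active_vlans holds the ids of VLAN interfaces that have a nameif, which
    is what the course calls an active VLAN for licensing purposes.
    """
    port_to_vlan = {}
    active_vlans = set()
    current = None  # ("port", name) | ("vlan", id) | None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (Ethernet\d+/\d+)$", line)
        if m:
            current = ("port", m.group(1))
            port_to_vlan[m.group(1)] = 1  # default access VLAN (assumption)
            continue
        m = re.match(r"^interface Vlan(\d+)$", line)
        if m:
            current = ("vlan", int(m.group(1)))
            continue
        if not line.startswith(" "):
            current = None  # '!' separators and other top-level commands
            continue
        body = line.strip()
        if current and current[0] == "port":
            m = re.match(r"^switchport access vlan (\d+)$", body)
            if m:
                port_to_vlan[current[1]] = int(m.group(1))
        elif current and current[0] == "vlan":
            # 'no nameif' does not match, so that VLAN stays inactive.
            if re.match(r"^nameif \S+$", body):
                active_vlans.add(current[1])
    return port_to_vlan, active_vlans


def forwarding_path(port_a, port_b, port_to_vlan):
    """Same VLAN: switched in hardware. Different VLANs: the security
    policy is applied and the appliance routes or bridges between them."""
    if port_to_vlan[port_a] == port_to_vlan[port_b]:
        return "hardware-switched"
    return "security-policy"


def check_routed_license(active_vlans, license_name):
    """True if the nameif'd VLAN count fits the routed-mode license limit."""
    return len(active_vlans) <= ROUTED_MODE_LIMITS[license_name]


if __name__ == "__main__":
    ports, active = parse_5505_interfaces(SAMPLE_CONFIG)
    print(ports, sorted(active))
    print(forwarding_path("Ethernet0/1", "Ethernet0/2", ports))
    print(forwarding_path("Ethernet0/0", "Ethernet0/1", ports))
    print(check_routed_license(active, "base"))
```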
In routed mode, you can configure up to three active VLANs with the Base license and up to 20 active VLANs with the Security Plus license. In transparent firewall mode, you can configure two active VLANs with the Base license and three active VLANs with the Security Plus license, one of which must be for failover. An active VLAN is a VLAN with a nameif command. With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN. With 20 active VLAN interfaces available with the Security Plus license, you can configure a VLAN interface for failover and a VLAN interface as a backup link to your Internet service provider (ISP). This backup interface does not pass through traffic unless the route through the primary interface fails. You can configure trunk ports to accommodate multiple VLANs per port.

In routed firewall mode, all VLAN interfaces share a MAC address. You should ensure that any connected switches can support MAC address sharing. If the connected switches require unique MAC addresses, you can manually assign MAC addresses. In transparent firewall mode, each VLAN has a unique MAC address. You can override the generated MAC addresses if desired by manually assigning MAC addresses.

The ASA 5505 Adaptive Security Appliance has a throughput of 150 Mb/s with the ability to handle up to 25,000 concurrent connections, and supports the following functions:
- Stateless active/standby failover
- Easy VPN hardware client for remote-access VPNs
- Site-to-site VPN
- WebVPN
- Enhanced auto update
- PPP over Ethernet (PPPoE)
- Dynamic Domain Name System (DNS)
- Routed and transparent modes of operation

Note: Cisco ASA 5505 Adaptive Security Appliance configurations and operations are discussed in more detail in the Securing Networks with ASA Advanced course.

The figure shows the back panel of the ASA 5505 Adaptive Security Appliance.
The components are as follows:
- Power connector: Used for attaching the power cord.
- SSC slot: Reserved for future use.
- Console port: Used to connect a computer to the ASA 5505 Adaptive Security Appliance for console operations.
- Reset button: Reserved for future use.
- Universal Serial Bus (USB) ports: Reserved for future use.
- Ethernet ports 0 through 5: Layer 2 switch ports that provide flexible VLAN configuration.
- PoE ports 6 and 7: Used for PoE devices that can be powered by the network interface, such as IP phones. Ports 6 and 7 are the only ports that can be used for IP phones or other PoE devices; however, they are not restricted to that use. They can also be used as Ethernet switch ports. If a PoE device is not attached, power is not supplied to the port.

Note: The concurrent firewall connections given in this lesson for the Cisco 5500 Series Adaptive Security Appliances are based on a traffic mix of 80% TCP and 20% User Datagram Protocol (UDP), with one host and one dynamic translation for every four connections.

[Slide: ASA 5505 Adaptive Security Appliance front panel — Power, Active, SSC, speed indicator, link and activity indicator, USB port LEDs]

The following bullets describe the LEDs on the front panel of the ASA 5505 Adaptive Security Appliance:
- USB port: Reserved for future use.
- Speed indicator: Indicates the operating speed for the interface. Each Ethernet interface has two LEDs: one to indicate the operating speed and one to indicate whether the physical link is established. When the speed indicator is not lit, network traffic is flowing at 10 Mb/s. When it is green, network traffic is flowing at 100 Mb/s.
- Link and activity indicator: Indicates whether the physical link is established. When the light is steady green, the physical link is established. When the light is flashing green, there is network activity.
- Power: Indicates whether the Cisco ASA security appliance is on or off. When it is on, the light is green. When it is off, the light is off.
- Status: When the light is flashing green, the power-up diagnostics are running or the system is booting. When the light is steady green, the system is operational. When the light is steady amber, the system has encountered a problem.
- Active: When the light is steady green, there is network activity. If the system is part of a high availability setup, a steady green light indicates that the link is forwarding traffic. When the light is steady amber, the system is on standby. If the system is part of a high availability setup, a steady amber light indicates that the system is the standby unit.
- VPN: If the light is steady green, the VPN tunnel is established. If it is flashing green, the system is initiating the VPN tunnel. A steady amber light means that the tunnel failed to initiate.
- SSC slot: Reserved for future use.

[Slide: ASA 5510, 5520, and 5540 Adaptive Security Appliances — IPsec and SSL VPN; VLAN support; context support; active/standby and active/active failover; optional SSM support. Back panel callouts: CompactFlash, 10/100 out-of-band management port, console port, power supply (AC or DC), security services module slot, four 10/100/1000 Gigabit Ethernet ports, two USB 2.0 ports]

The Cisco ASA 5510 Adaptive Security Appliance delivers advanced security and networking services for small and medium-sized businesses (SMBs) and enterprise remote offices, while the Cisco ASA 5520 Adaptive Security Appliance delivers these services for medium-sized enterprise networks, and the Cisco ASA 5540 Adaptive Security Appliance provides them for medium-sized and large enterprise networks and service provider networks. The figure shows the back panel of the ASA 5510, 5520, and 5540 Adaptive Security Appliances.
The components are described here:
- Power supply: Supports either an AC or a DC power supply module.
- Console port: Used to connect a computer to the ASA 5500 Adaptive Security Appliance for console operations.
- CompactFlash memory: User external CompactFlash memory.
- Slot for security services module: Enables you to add one of the following high-performance service modules to the security appliance:
  - Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module (SSM): Provides inline intrusion prevention
  - Cisco ASA 5500 Series Content Security and Control (CSC) SSM: Provides comprehensive antivirus and content control services
  - Four-port Gigabit Ethernet SSM: Provides additional interface support
- Two USB 2.0 ports: For future enhancements.
- Auxiliary (AUX) port: Used to connect a modem to the security appliance for dial-in troubleshooting or out-of-band management.
- Four fixed Ethernet ports: The ASA 5510, 5520, and 5540 Adaptive Security Appliances support 10/100/1000 Gigabit Ethernet ports.
- One 10/100 Fast Ethernet management port: For out-of-band management. In the Cisco ASA 5520 and 5540 Adaptive Security Appliances, this port can be used for management traffic or data traffic.

The ASA 5510, 5520, and 5540 Adaptive Security Appliances deliver a multilayered defense for enterprise networks through rich, integrated security services, including stateful inspection firewall services, advanced application and protocol inspection, site-to-site and remote-access VPNs, WebVPN, intrusion prevention, and robust multimedia and voice security, all in a single, integrated solution.
The level of support for some features varies among the ASA 5510, 5520, and 5540 Adaptive Security Appliances, as follows:
- VLANs:
  - ASA 5510 Adaptive Security Appliances: Up to 100 VLANs
  - ASA 5520 Adaptive Security Appliances: Up to 150 VLANs
  - ASA 5540 Adaptive Security Appliances: Up to 200 VLANs
- Contexts:
  - ASA 5510 Adaptive Security Appliances: Up to 5 contexts
  - ASA 5520 Adaptive Security Appliances: Up to 20 contexts
  - ASA 5540 Adaptive Security Appliances: Up to 50 contexts
- Failover:
  - ASA 5510 Adaptive Security Appliances: Active/standby and active/active failover with a Security Plus license
  - ASA 5520 Adaptive Security Appliances: Active/standby and active/active
  - ASA 5540 Adaptive Security Appliances: Active/standby and active/active
- Firewall throughput:
  - ASA 5510 Adaptive Security Appliances: Up to 300 Mb/s
  - ASA 5520 Adaptive Security Appliances: Up to 450 Mb/s
  - ASA 5540 Adaptive Security Appliances: Up to 650 Mb/s
- Concurrent connections:
  - ASA 5510 Adaptive Security Appliances: Up to 130,000 connections
  - ASA 5520 Adaptive Security Appliances: Up to 280,000 connections
  - ASA 5540 Adaptive Security Appliances: Up to 400,000 connections

Note: For the most current performance statistics on each Cisco ASA 5500 Series Adaptive Security Appliance model, refer to the Cisco ASA 5500 Series Adaptive Security Appliances Models Comparison document on http://www.cisco.com.

[Slide: ASA 5510, 5520, and 5540 Adaptive Security Appliances (Cont.) — front panel LEDs: Power, Status, Active, Flash, VPN]

The figure shows the LEDs on the front panel of the ASA 5510, 5520, and 5540 Adaptive Security Appliances, as follows:
- Power: When the Cisco ASA security appliance is powered on, the light is green.
- Status: When the power-up diagnostics are running or the system is booting, the light flashes. When the system passes power-up diagnostics, the light is green.
When power-up diagnostics fail, the light is amber.
- Active: When there is network activity, the light flashes.
- Flash: When the CompactFlash memory is accessed, the light is green.
- VPN: If the light is steady green, the VPN tunnel is established. If it is flashing green, the system is initiating the VPN tunnel. A steady amber light means that the tunnel failed to initiate.

[Slide: ASA 5550 Adaptive Security Appliance — IPsec and SSL VPN; context support; active/standby and active/active failover. Back panel callouts: 10/100 out-of-band management port, CompactFlash, console port, power, USB 2.0 ports, copper and fiber (SFP) Gigabit Ethernet ports. Of the 12 Gigabit Ethernet ports, up to 8 can be active simultaneously.]

The Cisco ASA 5550 Adaptive Security Appliance delivers gigabit-class security services for enterprise and service provider networks in a reliable, 1-rack unit (RU) form factor. Using its eight Gigabit Ethernet interfaces, four small form-factor pluggable (SFP) fiber interfaces, and support for up to 250 VLANs, you can segment your network into numerous high-performance zones for improved security.

The ASA 5550 Adaptive Security Appliance has a throughput of up to 1.2 Gb/s and the ability to handle up to 650,000 concurrent connections. It supports active/standby and active/active failover as well as site-to-site, remote-access, and WebVPN applications. In addition, the ASA 5550 Adaptive Security Appliance scales with your business as its network security requirements grow. You can scale your IPsec and Secure Sockets Layer (SSL) VPN capacity in a variety of ways to support a larger number of mobile workers, remote sites, and business partners. For example, you can scale up to 5000 SSL VPN peers on each ASA 5550 Adaptive Security Appliance by installing an SSL VPN upgrade license.
You can also increase VPN capacity and resiliency by taking advantage of the integrated VPN clustering and load-balancing capabilities of the ASA 5550 Adaptive Security Appliance, which supports up to 10 appliances in a cluster and a maximum of 50,000 SSL VPN peers or 50,000 IPsec VPN peers per cluster. Using the optional security context capabilities of the ASA 5550 Adaptive Security Appliance, you can deploy up to 50 virtual firewalls within one security appliance to enable compartmentalized control of security policies on a per-department or per-customer basis.

The figure shows the fixed interface connectors on the back panel of the ASA 5550 Adaptive Security Appliance. These connectors are described as follows:
- Eight Gigabit Ethernet interfaces
- Four fiber Gigabit Ethernet ports
- One 10/100 Fast Ethernet out-of-band management port
- Two USB 2.0 ports for future enhancements
- Console port, to connect a computer to the ASA 5550 Adaptive Security Appliance for console operations
- CompactFlash memory
- Single AC/DC power supply
- Power switch
- AUX port, to connect a modem to the security appliance for dial-in troubleshooting or out-of-band management

Note: Of the 12 Gigabit Ethernet ports in the ASA 5550 Adaptive Security Appliance, up to eight ports can be used at any given time: four ports can be used for copper Gigabit Ethernet termination only, while the remaining four ports can be used for either copper or fiber Gigabit Ethernet termination.

[Slide: ASA 5550 Adaptive Security Appliance (Cont.) — incoming and outgoing traffic distributed across bus 0 and bus 1]

The ASA 5550 Adaptive Security Appliance has two internal buses providing copper Gigabit Ethernet and fiber Gigabit Ethernet connectivity. As shown in the figure, slot 0, which corresponds to bus 0, has four embedded copper Gigabit Ethernet ports.
Slot 1, which corresponds to bus 1, has four embedded copper Gigabit Ethernet ports and four embedded SFPs that support fiber Gigabit Ethernet connectivity. Although slot 1 has four copper and four fiber Ethernet ports, you can use only four slot 1 ports at a time. For example, you could use two slot 1 copper ports and two fiber ports, but you cannot use fiber ports if you are already using all four slot 1 copper ports.

To maximize traffic throughput, configure the Cisco ASA security appliance so that traffic is distributed equally between the two buses. In the figure, all traffic flows through both bus 0 and bus 1, entering through one bus and exiting through the other. The figure illustrates this traffic distribution over copper and fiber ports, but the same could be done by using Ethernet ports from bus 0 and bus 1. To see the traffic throughput over each bus, use the show traffic command, which has no arguments or keywords, in privileged EXEC mode.

Note: In the ASA 5550 Adaptive Security Appliance, the four-port Gigabit Ethernet SSM in slot 1 is built in and not user-removable.

To establish fiber connectivity on the Cisco ASA security appliance, you must order and install SFP modules for each fiber port that you want to use. Only SFP modules certified by Cisco are supported on the Cisco ASA security appliance. For further information on supported SFP modules, see the "Installing SFP Modules" section of the Cisco ASA 5500 Getting Started Guide, 8.0 at http://www.cisco.com.

[Slide: ASA 5550 Adaptive Security Appliance Front Panel — Power, Status, Active, Flash, VPN LEDs]

The following describes the LEDs on the front panel of the ASA 5550 Adaptive Security Appliance:
- Power: When the Cisco ASA security appliance is powered on, the light is green.
- Status: When the power-up diagnostics are running or the system is booting, the light flashes.
When the system passes power-up diagnostics, the light is steady green. When power-up diagnostics fail, the light is steady amber.
- Active: When there is network activity, the light flashes.
- Flash: When the CompactFlash memory is accessed, the light is green.
- VPN: If the light is steady green, the VPN tunnel is established. If it is flashing green, the system is initiating the VPN tunnel. A steady amber light means that the tunnel failed to initiate.

[Slide: High-performance module designed to provide additional security services; diskless (flash memory-based) design for improved reliability; Gigabit Ethernet port for out-of-band management]

The Cisco ASA 5500 Series Adaptive Security Appliances deliver a wide range of security features, including a firewall, IPsec, and SSL VPN services. Additional security services are provided on the optional SSM plug-in hardware. SSMs are high-performance modules based on a Pentium 4 processor. The diskless, flash memory-based design provides improved reliability. These are the current offerings:
- Cisco ASA AIP-SSM: Can accurately identify, classify, and stop malicious traffic, including worms, spyware, adware, and network viruses, before they affect your network.
- Cisco ASA 5500 Series CSC SSM: Provides comprehensive antivirus, antispyware, file blocking, antispam, antiphishing, URL blocking and filtering, and content-filtering services.
- 4-port Gigabit Ethernet SSM: Provides additional interface support. The 4-port Gigabit Ethernet SSM is not an intelligent SSM and does not have a separate software release.

Note: The SSM configurations and operations are discussed in more detail in the Securing Networks with ASA Advanced course.
[Slide: SSM Models — SSM-10 (CSC SSM and AIP-SSM): 2.0-GHz processor, 1.0 GB RAM; SSM-20 (CSC SSM and AIP-SSM): 2.4-GHz processor, 2.0 GB RAM. LEDs: Speed, Power, Status]

The Cisco ASA 5500 Series CSC SSM runs content security and control software that provides protection against unwanted traffic such as viruses, spyware, and spam; the Cisco ASA AIP-SSM runs Cisco Intrusion Prevention System (IPS) software that provides advanced security inspection. Both the Cisco ASA CSC and Cisco ASA AIP-SSM accomplish their tasks by scanning traffic sent to them by the Cisco ASA security appliance. You must configure the security appliance to divert the traffic that you want scanned to the SSM. The Cisco ASA AIP-SSM can scan any traffic that you specify, but the Cisco ASA CSC SSM scans only FTP, HTTP, Post Office Protocol version 3 (POP3), and Simple Mail Transfer Protocol (SMTP) traffic. Traffic utilizing other protocols, such as HTTPS, is not scanned by the Cisco ASA CSC SSM.

You can control how the Cisco ASA adaptive security appliance treats traffic when the installed SSM is unavailable. You can configure the Cisco ASA adaptive security appliance to block all traffic or allow all traffic through uninspected if the SSM is unavailable.

Cisco ASA AIP-SSM and Cisco CSC SSMs are available in two versions: SSM-10 and SSM-20. As shown in the figure, the SSM-20 models have faster processors and more memory than the SSM-10 models. Both the Cisco ASA CSC SSM-10 (which provides support for organizations with up to 500 users) and the Cisco ASA CSC SSM-20 (which provides support for organizations with up to 1000 users) are supported on the Cisco ASA 5510, 5520, and 5540 Adaptive Security Appliances.
However, the Cisco ASA AIP-SSM-10 is supported on the Cisco ASA 5510 and 5520 Adaptive Security Appliances, while the Cisco ASA AIP-SSM-20 is supported on the ASA 5520 and 5540 Adaptive Security Appliances.

The Cisco ASA CSC and Cisco AIP-SSM LEDs are described as follows:
- Power: When the Cisco ASA CSC or Cisco AIP-SSM is powered on, the light is green.
- Status: When the power-up diagnostics are running or the system is booting, the light flashes. When the system passes power-up diagnostics, the light is steady green. When power-up diagnostics fail, the light is steady amber.
- Speed: With 10 Mb/s of traffic, the light is off. With 100 Mb/s of traffic, the light is green. With 1000 Mb/s of traffic, the light is amber.
- Link and activity: The light flashes when there is network activity.

[Slide: Four-Port Gigabit Ethernet SSM — RJ-45 ports, Link LED]

In addition to the Cisco ASA AIP-SSM and Cisco CSC SSMs, the Cisco ASA 5500 Series Adaptive Security Appliance supports another SSM, the four-port Gigabit Ethernet SSM. The four-port Gigabit Ethernet SSM provides additional interfaces on the Cisco ASA security appliance and enables you to better segment network traffic into separate security zones. This provides more granular security for your network environment. These separations can range from the Internet to internal corporate departments or sites to demilitarized zones (DMZs). This high-performance SSM supports both copper and optical connection options by including eight Ethernet ports: four 10-, 100-, or 1000-Mb/s copper RJ-45 ports and four 1000-Mb/s SFP fiber ports. You can mix the copper and fiber ports using the same four-port Gigabit Ethernet SSM. By default, the connectors used on the four-port Gigabit Ethernet SSM are RJ-45 connectors. The figure shows SFP modules installed in the SFP ports.
In addition to setting the media type to SFP, you must order and install an SFP module in each SFP port that you want to use. The SFP module is a hot-swappable input or output device that plugs into the SFP ports. Only SFP modules certified by Cisco are supported on the Cisco ASA security appliance. The following SFP module types are supported:
- Long wavelength or long-haul 1000BASE-LX or 1000BASE-LH
- Short wavelength 1000BASE-SX

The four-port Gigabit Ethernet SSM is supported on the ASA 5510, 5520, and 5540 Adaptive Security Appliances. The ASA 5550 Adaptive Security Appliance includes a built-in four-port Gigabit Ethernet SSM, which cannot be removed by the user.

The four-port Gigabit Ethernet SSM LEDs are described as follows:
- Power: When the SSM is powered on, the light is green.
- Status: When the system is booting, the light flashes green. When the system has booted correctly, the light is steady green. When power-up diagnostics fail, the light is steady amber.
- Speed: With 10 Mb/s of traffic, the light is off. With 100 Mb/s of traffic, the light is green. With 1000 Mb/s of traffic, the light is amber.
- Link: When there is an Ethernet link, the light is steady green. When there is network activity, the light flashes green.

Note: For further information on optional SSMs and SFP modules, see the Cisco ASA 5500 Getting Started Guide, Software Version 8.0(2) on http://www.cisco.com.

[Slide: Company XYZ — corporate headquarters, branch office, site-to-site VPN, active/standby failover, branch office security, head-end VPN services (IPsec and WebVPN)]
After comparing the models in the Cisco ASA and Cisco PIX security appliance families, the security administrator for Company XYZ decides to purchase the following devices:
- Cisco ASA 5540 Adaptive Security Appliance: With a Cisco ASA AIP-SSM installed, the ASA can replace both the firewall and the IDS at headquarters, which solves the following problems experienced by Company XYZ:
  - Cost of Frame Relay: Frame Relay is not the most cost-effective means of connecting branch office users to headquarters. Frame Relay is no longer necessary, as the ASA 5540 Adaptive Security Appliance can work with the ASA 5505 Adaptive Security Appliance at the branch office to create a secure, cost-effective IPsec site-to-site VPN.
  - Network attacks: Network attacks are increasing and becoming more sophisticated. The Cisco ASA adaptive security appliance delivers strong application security through intelligent, application-aware inspection engines that examine network flows at Layers 4-7. The network security administrator can configure the inspection engines to prevent malicious or unauthorized behavior, such as misuse of e-mail connectivity or port 80 tunneling, in which applications masquerade as HTTP port 80 traffic in order to gain passage through firewalls.
  - Decreasing employee productivity due to the use of instant messaging (IM) and file-sharing applications: With the Cisco ASA adaptive security appliance, the network security administrator can granularly control IM and peer-to-peer file sharing, as well as tunneling applications, by blocking HTTP requests that contain specific headers and header field values. By using regular expressions to define custom HTTP header field names and values, the administrator can even detect and block new IM, peer-to-peer, or tunneling applications.
  - Antivirus protection not preventing new viruses from infecting the network before a patch is available to combat them: The Cisco ASA AIP-SSM installed in the Cisco ASA adaptive security appliance can run Cisco IPS 6.0 software. In addition to providing full-featured inline intrusion prevention services to stop malicious traffic, including worms and network viruses, before they can affect your network, this software can share information with the Cisco Security Agent 5.2 to minimize false positive alarms.

Note: Cisco Security Agent software provides preventative rather than reactive security for server,

[Slide: Access Modes — Unprivileged, Privileged EXEC, Configuration, ROMMON]

Cisco security appliances contain a command set based on Cisco IOS Software and they provide four main administrative access modes:
- Unprivileged mode: Available when you first access the security appliance. The > prompt is displayed. This mode provides a restricted view of security appliance settings.
- Privileged EXEC mode: Displays the # prompt and enables you to change the current settings. Any unprivileged command also works in privileged EXEC mode.
- Configuration mode: Displays the (config)# prompt and enables you to change system configurations. All privileged, unprivileged, and configuration commands work in this mode.
- ROM monitor (ROMMON) mode: A special mode that enables you to update the image over the network or to perform password recovery. While in ROMMON mode, you can enter commands to specify the location of the TFTP server and the location of the security appliance software image or password recovery binary file to download. You can enter ROMMON or monitor mode during security appliance power-up by pressing Ctrl for the Cisco ASA adaptive security appliance or Escape for the Cisco PIX security appliance.

Within each access mode, you can abbreviate most commands down to the fewest unique characters for a command.
For example, you can use sh run to view the configuration rather than the full command show running-config. You can use en rather than enable to start privileged mode, and con t rather than configure terminal to start configuration mode.

Note: You can create your configuration in a text editor, and then cut and paste it into the configuration. You can paste the configuration one line at a time or you can paste the entire configuration at once. Always check your configuration after pasting large blocks of text to be sure that everything was copied correctly.

[Slide: Accessing Privileged EXEC Mode — ciscoasa> enable ... ciscoasa#. You can use the enable command to access the privileged EXEC mode. This enables you to enter other access modes.]

Upon first accessing a security appliance, you are presented with one of two prompts: ciscoasa> for a Cisco ASA 5500 Series Adaptive Security Appliance or pixfirewall> for a Cisco PIX 500 Series Security Appliance. This is the unprivileged mode, which enables you to view restricted settings. To get started with the security appliance, the first command you need to know is the enable command, which provides entrance to the privileged access modes. After you enter enable, the security appliance prompts you for your privileged EXEC mode password. By default, a password is not required, so you can press Enter at the password prompt or you can create a password. After you are in privileged EXEC mode, notice that the prompt has changed to #.

You can use the Device Setup menu in Cisco ASDM or the enable password command, which is available in configuration mode, to set the privileged mode password. The password is a case-sensitive string of up to 16 alphanumeric and special characters.
You can use any character in the password except a question mark or a space. If you create a password, write it down and store it in a manner consistent with your site security policy. After you create this password, you cannot view it again because it is stored as a Message Digest 5 (MD5) hash. The show running-config enable command lists the encrypted form of the password. After passwords are encrypted, they cannot be reversed to plaintext.

Note: An empty password is also changed into an encrypted string.

[Slide: Accessing the CLI Configuration Mode]

    ciscoasa> enable
    Password:
    ciscoasa# configure terminal
    ciscoasa(config)# exit
    ciscoasa# disable
    ciscoasa>

- You can use the configure terminal command to start configuration mode, which enables you to enter configuration commands from a terminal.
- You can use the exit command to exit from a configuration mode.
- You can use the disable command to exit from privileged EXEC mode.

Use the configure terminal command to move from privileged EXEC mode to global configuration mode. As soon as you enter the command, the prompt changes to (config)#. Configuration mode enables you to change system configurations. Use the exit, end, or quit command to exit and return to the previous mode. Use the disable command to exit from privileged EXEC mode.

From global configuration mode, some commands enter a command-specific configuration mode. For example, the interface command enters interface configuration mode and the prompt changes as follows:

    ciscoasa(config)# interface GigabitEthernet0/1
    ciscoasa(config-if)#

[Slide: help Command]

    ciscoasa> help ?
    enable   Turn on privileged commands
    exit     Exit the current command mode
    login    Log in as a particular user
    logout   Exit from current user profile to unprivileged mode
    perfmon  Change or view performance monitoring options
    ping     Test connectivity from specified interface to an IP address
    quit     Exit the current command mode
    ciscoasa> help enable
    enable
    Turn on privileged commands

Help information is available via the security appliance command-line interface (CLI). If you enter help ?, as shown in the figure, all commands that are available in the current privilege level and mode are displayed. In the figure, all the commands for unprivileged mode are displayed. You can see help, usage, description, and syntax for an individual command by entering the help command followed by the command name. In the figure, the usage and description for the enable command are displayed.

If you do not know or are unsure of a command string, enter ? after the command. The command syntax will be displayed, as shown in the following example:

    ciscoasa> enable ?
    <0-15>  Enter optional privilege level (0-15)

File Management

This topic describes the file management system in the security appliance.

Viewing the Configuration

[Figure: the running configuration (RAM) and the startup configuration (flash). View with show running-config, show startup-config, or write terminal; save configuration changes with copy run start or write memory.]

* The following commands enable you to view or save your configuration:
  - To view: show running-config, show startup-config, write terminal
  - To save configuration changes: copy run start, write memory

There are two configuration memories in the Cisco security appliances: the running configuration and the startup configuration. The show running-config command displays on the terminal the current configuration in the security appliance RAM. Any changes made to the security appliance configuration are written into the running configuration. This is volatile RAM.
If the security appliance loses power or is rebooted, any changes to the running configuration that were not previously saved are lost. You can also display the current running configuration by using the show running-config command or the write terminal command.

The copy run start command and the write memory command save the current running configuration to flash memory as the startup configuration. It is the same as answering "Yes" to the setup dialog prompt that asks if you wish to save the current configuration to flash memory. When the configuration is written to flash memory, you can view it by using either the show startup-config command or the show configure command.

Another useful command is show history, which displays previously entered commands. You can examine commands individually with the up and down arrows, or by entering Ctrl-P to view previously entered lines and Ctrl-N to view the next line.

Clearing the Running Configuration

[Figure: clear config all resets the running configuration (RAM) to the default; the startup configuration (flash) is not affected.]

    clear config all

* Clears the running configuration

The clear config all command clears the running configuration. When you issue this command, the current running configuration is lost and is reset to the default running configuration. The startup configuration is not defaulted.

You can use the configure factory-default command in global configuration mode to restore the configuration to the factory default. The factory default configuration is the configuration applied by Cisco to new security appliances. This command is supported on all platforms except for the Cisco PIX 525 and 535 Security Appliances; it clears the current running configuration and then configures several commands.
For the Cisco PIX 515 and 515E Security Appliances and the Cisco ASA 5510 and higher Adaptive Security Appliances, the factory default configuration automatically configures an interface for management so that you can connect to it using Cisco ASDM, with which you can then complete your configuration. For the Cisco ASA 5505 Adaptive Security Appliance, the factory default configuration automatically configures interfaces and Network Address Translation (NAT) so that the security appliance is ready to use in your network.

Clearing the Startup Configuration

[Figure: write erase resets the startup configuration (flash) to the default; the running configuration (RAM) is not affected.]

    ciscoasa# write erase

* Clears the startup configuration

The write erase command clears the startup configuration. When you issue this command, you are prompted to confirm that you want to erase the startup configuration. If you enter Yes, the startup configuration is erased. At this point, you can power-cycle or reboot the security appliance. The security appliance reverts to the default configuration. You can copy the running configuration to flash memory by issuing the copy run start command.

Reloading the Configuration

    ciscoasa# reload
    Proceed with reload? [confirm] y
    Rebooting...

* Reboots the security appliance and reloads the configuration
* Allows scheduled reboots

You can use the System Reboot option in the Cisco ASDM Tools menu or the CLI reload command to reboot the security appliance. The figure shows use of the reload command to reboot the security appliance. By default, when you enter the command, the security appliance first checks to determine whether the configuration has been modified and not saved. If so, it prompts you to save the configuration. By default, the process operates in "graceful" (also known as "nice") mode.
It notifies all registered subsystems that a reboot is about to occur, allowing these subsystems to shut down before the reboot.

You can use the reload cancel command to cancel a scheduled reload. You cannot cancel a reload that is already in progress.

If you wish to return the security appliance to a default configuration, use the write erase and reload commands. The write erase command clears the startup configuration and reverts it to default parameters. The reload command reboots the security appliance using the startup configuration, in this case the default configuration.

You can also use Cisco ASDM or the reload command options to control the behavior of the reload process. For example, you can configure the security appliance to reload as follows:

* Save the configuration without prompting.
* Avoid waiting until all registered subsystems are shut down to reboot, and instead wait for an amount of time you specify.
* Perform scheduled reloads.

Note: Use of Cisco ASDM is discussed later in this lesson. Exact syntax for Cisco ASA and PIX Security Appliance version 8.0 commands is available in the Cisco Security Appliance Command Reference, version 8.0, on Cisco.com. Syntax assistance is also provided by the command-line interface itself, via the help command and the question mark.

File System

    Release 6.0 and earlier     Release 7.0 and later
    -----------------------     -------------------------------------
    Software image              Software image
    Configuration file          Configuration file
    Private data file           Private data file
    PDM image                   ASDM image
                                Crash information*
                                Backup image*
                                Backup configuration file*
                                Virtual firewall configuration file*

    * Space available

In Cisco PIX Firewall Software Version 6.3 and earlier, the Cisco PIX security appliance file system supports a single version of the operating system image, the Cisco PIX Device Manager (PDM) image, and files.
In Cisco ASA and PIX Firewall Software Version 7.0 and later, the Cisco ASA security appliance models and the PIX 515E, 525, and 535 Security Appliance models support multiple images, configuration files, and syslog files. The number and size of the additional files depend on the amount of flash memory in the security appliance. The PIX 515E, 525, and 535 Security Appliances ship with 16 MB of flash memory, which may support only one software image, a Cisco ASDM image, and several configuration files. The Cisco ASA security appliance models with 64 MB of flash memory may support multiple images and configuration files. The number of images and files depends on the amount of resident flash memory on the specific security appliance.

Displaying Stored Files: System and Configuration

[Figure: the internal flash memory of the appliance is disk0:.]

    ciscoasa# dir
    Directory of disk0:/

    8      -rwx-  14524416    13:37:33 Oct 28 2007  asa802-k8.bin
    1264   -rwx-  6889764     13:21:13 Oct 28 2007  asdm-602.bin

    62947328 bytes total (49152000 bytes free)

* Displays the directory contents

To display the directory contents, use the dir command in privileged EXEC mode. The command without keywords or arguments displays the contents of the current directory. In the figure, the asdm-602.bin and asa802-k8.bin software files are resident in flash memory. The command also displays the amount of free space available.
Selecting the Boot System File

    ciscoasa# dir
    Directory of disk0:/

    8      -rwx-  14524416    13:37:33 Oct 28 2007  asa802-k8.bin
    1264   -rwx-  6889764     13:21:13 Oct 28 2007  asdm-602.bin

    62947328 bytes total (49152000 bytes free)
    ciscoasa(config)# boot system disk0:/asa802-k8.bin

* Can store more than one system image and configuration file
* Designates which system image and startup configuration file to boot

To specify which system image the system will use at the next reload and which configuration file the system will use at startup, use the boot system command in global configuration mode. For the boot system command, there are no defaults. Upon reload or a power cycle, if the boot environment variable is not configured, the system will boot the first valid image found in the internal flash memory. If no valid image is found, no system image will be loaded, and the system will remain in a boot loop until ROMMON mode is broken into by using Ctrl-R for the Cisco ASA security appliance or Escape for the PIX security appliance. You can enter up to four boot system commands to specify different images from which to boot, in order, and the security appliance will boot the first valid image that it finds. Use the no form of the command to restore the default value.

Verifying the Startup System Image

[Figure: boot image disk0:/asa802-k8.bin]

    ciscoasa# show bootvar
    BOOT variable = disk0:/asa802-k8.bin            <-- running
    Current BOOT variable = disk0:/asa802-k8.bin    <-- configured
    CONFIG_FILE variable =
    Current CONFIG_FILE variable =

* Displays the system boot image

To show the configured and running boot files, use the show boot command in privileged EXEC mode. In the figure, "Current BOOT variable" is the configured boot variable, disk0:/asa802-k8.bin. The disk0:/asa802-k8.bin image file is booted when the system reloads or is power-cycled. The boot variable, disk0:/asa802-k8.bin, is the currently running version of the operating software.
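A practitioner verifying that an appliance boots a known image will want to cross-check the two outputs above rather than read them by eye. The following added example (not course material or Cisco code) parses the dir and show bootvar formats shown in the figures and flags a configured boot image that is missing from flash or that differs from the running image; the sample outputs are constructed to match the figures.

```python
"""Check an ASA's configured boot image against its flash directory listing.

Added example; not course material or Cisco code. It parses the `dir` and
`show bootvar` output formats shown in this lesson and reports whether the
image the appliance will boot next is present in flash and whether it is the
image currently running. The sample outputs are constructed to match the
lesson's figures (disk0:/asa802-k8.bin and asdm-602.bin).
"""
import re
from dataclasses import dataclass, field

# Constructed sample output, modelled on the lesson's `dir` figure.
DIR_OUTPUT = """\
Directory of disk0:/

8      -rwx-  14524416    13:37:33 Oct 28 2007  asa802-k8.bin
1264   -rwx-  6889764     13:21:13 Oct 28 2007  asdm-602.bin

62947328 bytes total (49152000 bytes free)
"""

# Constructed sample output, modelled on the lesson's `show bootvar` figure.
BOOTVAR_OUTPUT = """\
BOOT variable = disk0:/asa802-k8.bin
Current BOOT variable = disk0:/asa802-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
"""

DIR_HEADER = re.compile(r"^Directory of (?P<fs>[A-Za-z0-9]+:)/?\s*$")
DIR_ENTRY = re.compile(
    r"^\s*\d+\s+(?P<perm>\S+)\s+(?P<size>\d+)\s+"
    r"\d\d:\d\d:\d\d\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4}\s+(?P<name>\S+)\s*$")
BOOTVAR_ENTRY = re.compile(
    r"^(?P<key>(?:Current )?(?:BOOT|CONFIG_FILE) variable)\s*=\s*(?P<val>\S*)\s*$")


@dataclass
class BootCheck:
    filesystem: str   # e.g. "disk0:"
    files: dict       # file name -> size in bytes
    configured: str   # "Current BOOT variable": the image that boots next
    running: str      # "BOOT variable": the image running now
    findings: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.findings


def parse_dir(text):
    """Return (filesystem, {name: size}) from `dir` output."""
    filesystem, files = "", {}
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            filesystem = m.group("fs")
            continue
        m = DIR_ENTRY.match(line)
        if m:
            files[m.group("name")] = int(m.group("size"))
    return filesystem, files


def parse_bootvar(text):
    """Return {variable name: value} from `show bootvar` output."""
    return {m.group("key"): m.group("val")
            for m in map(BOOTVAR_ENTRY.match, text.splitlines()) if m}


def split_image_path(path):
    """'disk0:/asa802-k8.bin' -> ('disk0:', 'asa802-k8.bin')."""
    fs, sep, name = path.partition(":/")
    return (fs + ":", name) if sep else ("", path)


def check_boot_image(dir_text, bootvar_text):
    """Cross-check the boot variables against the files present in flash."""
    filesystem, files = parse_dir(dir_text)
    variables = parse_bootvar(bootvar_text)
    result = BootCheck(filesystem, files,
                       variables.get("Current BOOT variable", ""),
                       variables.get("BOOT variable", ""))
    if not result.configured:
        result.findings.append(
            "no boot system configured: the first valid image in flash boots next")
        return result
    fs, name = split_image_path(result.configured)
    if fs != filesystem or name not in files:
        result.findings.append(
            f"configured boot image {result.configured} is not present in "
            f"{filesystem or 'flash'}: the appliance will fall back to the first valid image")
    if result.running != result.configured:
        result.findings.append(
            f"running image {result.running or '(unknown)'} differs from the configured "
            f"boot image {result.configured}: the next reload changes the software")
    return result


if __name__ == "__main__":
    check = check_boot_image(DIR_OUTPUT, BOOTVAR_OUTPUT)
    print("OK" if check.ok else "\n".join(check.findings))
```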
Upon reload or a power cycle, if the Current BOOT variable is not configured, the system will boot the first valid image that it finds in the internal flash memory.

Security Appliance Security Levels

This topic discusses the security levels of the Cisco security appliances.

Functions of the Security Appliance Security Algorithm

* Implements stateful connection control through the security appliance.
* Allows one-way (outbound) connections with a minimum number of configuration changes. An outbound connection is a connection originating from a host on a more-protected interface and destined for a host on a less-protected network.
* Monitors return packets to ensure that they are valid.
* Randomizes the first TCP sequence number to minimize the risk of attack.

The security appliance security algorithm is a stateful approach to security. Every inbound packet (a packet originating from a host on a less-protected network and destined for a host on a more-protected network) is checked against connection state information in the security appliance memory. Knowledge of the security algorithm is fundamental to implementing Internet access security because it performs the following tasks:

* Implements stateful connection control through the security appliance.
* Allows one-way (outbound) connections with a minimum number of configuration changes. An outbound connection is a connection originating from a host on a more-protected interface and destined for a host on a less-protected network.
* Monitors return packets to ensure that they are valid.
* Randomizes the first TCP sequence number to minimize the risk of attack.

The security algorithm maintains the secure perimeters between the networks controlled by the security appliance. The stateful, connection-oriented security algorithm design creates session flows based on source and destination addresses as well as TCP and User Datagram Protocol (UDP) port numbers. The security algorithm randomizes TCP sequence numbers before the completion of the connection. The security algorithm is always running, monitoring return packets to ensure that they are valid.

Security Levels

[Figure: an interface at security level 100 is trusted and more protected; an interface at a lower security level, such as g0/2, is less trusted and less protected.]

The security level designates whether an interface is trusted (and more protected) or untrusted (and less protected) relative to another interface. An interface is considered trusted (and more protected) in relation to another interface if its security level is higher than the security level of the other interface. An interface is considered untrusted (and less protected) in relation to another interface if its security level is lower than the security level of the other interface. Security levels range from 0 to 100.
Traffic originating from a more secure interface (the higher security level) and destined for a less secure interface (the lower security level) follows this rule: Allow all IP-based traffic unless restricted by access control lists (ACLs), authentication, or authorization. The figure illustrates this rule by showing that traffic from the inside interface of the security appliance, with a security level of 100, to the demilitarized zone (DMZ) interface of the security appliance, with a security level of 50, is permitted by default.

Traffic originating from a less secure interface (lower security level) and destined for a more secure interface (higher security level) follows this rule: Drop all packets unless specifically allowed by an access-list command; further restrict the traffic if authentication and authorization are used. The figure also illustrates this rule by showing that traffic from the DMZ interface of the security appliance, with a security level of 50, to the inside interface of the security appliance, with a security level of 100, is denied by default.

By default, no traffic flows between two interfaces with the same security level. However, with Cisco ASA and PIX Security Appliance Software Version 7.2 and higher, you can permit communication between interfaces with equal security levels by using the same-security-traffic permit command.

The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level. Conversely, an interface with a lower security level cannot access an interface with a higher security level without an ACL, which is discussed later in the lesson.

The security levels are described as follows:

* Security level 100: This is the highest security level, for the inside interface of the security appliance. This is the default setting for the security appliance and cannot be changed.
  Because 100 is the most trusted interface security level, your corporate network should be set up behind it. This is so that no one else can access it unless they are specifically given permission, and so that every device behind this interface can have access outside the corporate network.
* Security level 0: This is the lowest security level, for the outside interface of the security appliance. This is the default setting for the security appliance and cannot be changed. Because 0 is the least-trusted interface security level, you should set your most untrusted network behind this interface so that it does not have access to other interfaces unless it is specifically given permission. This interface is usually used for your Internet connection.
* Security levels 1-99: These are the security levels that you can assign to the perimeter interfaces connected to the security appliance. You assign the security levels based on the type of access that you want each device to have.

Security Level Example

[Figure: Company XYZ network with the inside, DMZ, and outside interfaces of a Cisco ASA security appliance.]

In the figure, Company XYZ has assigned security levels to three Cisco ASA security appliance interfaces. Security level 100, the highest security level, is assigned to the inside interface. Security level 50 is assigned to the DMZ interface, and security level 0, the lowest security level, is assigned to the outside interface. Traffic initiated by an inside host is now permitted by default, whether destined for a host on the DMZ or a host on the outside interface. Traffic from a host on the DMZ is permitted when destined for a host on the outside interface.

Note: Traffic is permitted to flow only if the three interfaces are enabled.
All Cisco ASA security appliance interfaces are disabled by default. The table further explains the diagram in the figure.

Security Levels

    Relative Interface Relationship for GigabitEthernet0/2 (DMZ) | Configuration Guidelines
    ------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------
    Outside, security 0, to DMZ, security 50                     | DMZ is considered trusted. Static translations and ACLs must be configured to enable sessions that originate from the outside interface to the DMZ interface.
    Inside, security 100, to DMZ, security 50                    | DMZ is considered untrusted. Sessions that originate from the inside interface to the DMZ interface are permitted by default.

Cisco ASDM Essentials and Operating Requirements

This topic describes Cisco ASDM and its operating requirements.

[Figure: a management PC reaches the security appliance across the Internet through an SSL secure tunnel.]

* ASDM is a browser-based configuration tool designed to help configure and monitor your security appliance.

Cisco ASDM is a browser-based configuration tool designed to help you set up, configure, and monitor Cisco ASA and PIX security appliances graphically, without requiring extensive knowledge of the security appliance CLI. Cisco ASDM 6.0 can be used to monitor and configure multiple security appliances that run the same Cisco ASDM version.
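Before moving on to Cisco ASDM, the security-level rules of the previous topic and the Company XYZ example can be captured in a small model that answers, for any pair of interfaces, whether a connection is permitted by default. The following is an added example, not course material or Cisco code; it models the Company XYZ interfaces (inside 100, dmz 50, outside 0), the same-security-traffic permit setting, and the shut-down-by-default state of ASA interfaces, with a simplified stand-in for ACL permits and denies.

```python
"""Model of the security-level rules this lesson describes.

Added example; not course material or Cisco code. For a connection that a
host behind interface `src` initiates toward a host behind interface `dst`,
it applies the lesson's rules: higher security level to lower is permitted
unless restricted (ACL, AAA); lower to higher is dropped unless an ACL
permits it; equal levels are dropped unless `same-security-traffic permit`
is configured; and shut-down interfaces pass nothing. Interface names and
levels are the Company XYZ example (inside 100, dmz 50, outside 0); the ACL
sets are a simplified stand-in for per-interface access lists.
"""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    security_level: int
    enabled: bool = False  # ASA interfaces are disabled until "no shutdown"

    def __post_init__(self):
        if not 0 <= self.security_level <= 100:
            raise ValueError(f"{self.name}: security level must be 0-100")


@dataclass
class Appliance:
    interfaces: dict  # name -> Interface
    same_security_traffic_permit: bool = False
    # Simplified ACL state: (src_if, dst_if) pairs an access list explicitly
    # permits or denies. Lower-to-higher sessions also need a static translation
    # (NAT) on this software version; that is not modelled here.
    acl_permit: set = field(default_factory=set)
    acl_deny: set = field(default_factory=set)

    def flow_permitted(self, src, dst):
        """Return (permitted, reason) for traffic initiated from src toward dst."""
        s, d = self.interfaces[src], self.interfaces[dst]
        if not (s.enabled and d.enabled):
            return False, "an interface is shut down"
        if s.security_level > d.security_level:
            if (src, dst) in self.acl_deny:
                return False, "outbound: restricted by ACL"
            return True, "outbound: higher to lower security level, permitted by default"
        if s.security_level < d.security_level:
            if (src, dst) in self.acl_permit:
                return True, "inbound: permitted by ACL"
            return False, "inbound: lower to higher security level, dropped by default"
        if self.same_security_traffic_permit:
            return True, "equal levels: permitted by same-security-traffic permit"
        return False, "equal levels: dropped by default"

    def matrix(self):
        """(src, dst) -> permitted, for every ordered pair of distinct interfaces."""
        names = list(self.interfaces)
        return {(a, b): self.flow_permitted(a, b)[0]
                for a in names for b in names if a != b}


def company_xyz():
    """The three-interface Company XYZ appliance from the lesson, interfaces enabled."""
    ifs = [Interface("inside", 100, True), Interface("dmz", 50, True),
           Interface("outside", 0, True)]
    return Appliance({i.name: i for i in ifs})


if __name__ == "__main__":
    asa = company_xyz()
    for (a, b), ok in sorted(asa.matrix().items()):
        verdict = "permit" if ok else "deny"
        print(f"{a:>7} -> {b:<7} {verdict:<6} {asa.flow_permitted(a, b)[1]}")
```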
Cisco ASDM Features

* Runs on a variety of platforms
* Implemented in Java to provide robust, real-time monitoring
* Works with SSL to ensure secure communication with the security appliance
* Comes preloaded in flash memory on new security appliances running versions 7.0 and later
* Can manage multiple security appliances simultaneously
* Cisco ASDM sessions:
  - 5 Cisco ASDM sessions per unit (single mode) or context (multimode)
  - 32 sessions per unit in multimode
* Operates on Cisco PIX 515E, 525, and 535 Security Appliances
* Operates on Cisco ASA 5505, 5510, 5520, 5540, and 5550 Security Appliances

Note: ASDM Version 6.0 is not supported on the PIX 501 or 506 Security Appliance.

Cisco ASDM is secure, versatile, easy to use, and requires no complex software installations. It manages Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX 500 Series Security Appliances and runs on a variety of platforms. Cisco ASDM Version 6.0 comes preloaded into flash memory on new security appliances running Cisco ASA and PIX Security Appliance Software Version 8.0.

Cisco ASDM enables you to remotely and securely configure and monitor a security appliance. Its ability to work with the Secure Sockets Layer (SSL) protocol ensures that communication with the security appliance is secure, and because it is implemented in Java, it is able to provide robust, real-time monitoring. A single instance of Cisco ASDM 6.0 can manage multiple security appliances simultaneously.

Cisco ASDM also allows multiple PCs or workstations to each have one browser session open with the same security appliance software. A single security appliance in single, routed mode can support up to five concurrent Cisco ASDM 6.0 sessions; however, a single security appliance supports only one session per browser per host. In multimode, five concurrent Cisco ASDM sessions are supported per context, up to a maximum of 32 total connections for each security appliance.
Cisco ASDM supports almost all commands available for the security appliance, but it ignores some commands in an existing configuration, which can remain in your configuration. Cisco ASDM does not change or remove them from your running configuration. They are supported in the configuration when added through the CLI, but they cannot be added or edited in Cisco ASDM. If Cisco ASDM ignores a command, it does not appear in the Cisco ASDM GUI. Other commands are view-only, which means that they appear in the GUI but you cannot edit them via the GUI. The Cisco ASDM Tools menu contains an option called Show Commands Ignored by ASDM on Device that displays the unsupported commands in your current configuration.

Cisco ASDM does not support IP version 6 (IPv6). If Cisco ASDM loads an existing running configuration and finds IPv6-related commands, it displays a dialog box informing you that it does not support IPv6. You cannot configure any IPv6 commands in Cisco ASDM.

If you load an existing running configuration that includes the alias command, Cisco ASDM enters monitor-only mode. Monitor-only mode limits Cisco ASDM functionality to the monitoring area and the CLI tool. You can exit monitor-only mode by using the CLI to remove the alias command. If Cisco ASDM loads an existing running configuration and finds other unsupported commands, Cisco ASDM operation is unaffected.
Note: See the ASDM 6.0 User Guide on http://www.cisco.com for a complete list, as well as the effects, of unsupported commands.

Cisco ASDM Security Appliance Requirements

A security appliance must meet the following requirements to run Cisco ASDM:

* DES or 3DES-AES activation key
* Security appliance software version compatible with the Cisco ASDM software version
* Hardware model compatible with the Cisco ASDM software version

Note: ASDM Version 6.0 requires ASA Security Appliance Software Version 8.0.

A security appliance must meet the following requirements to run Cisco ASDM:

* You must have an activation key that enables Data Encryption Standard (DES) or the more secure Triple Data Encryption Standard (3DES), which Cisco ASDM requires for support of the SSL protocol. If your security appliance is not enabled for DES, you need a new security appliance activation key.
* Verify that your security appliance meets all requirements listed in the release notes for the security appliance software version that you are using.
* Verify that your security appliance hardware model, software version, and Cisco Device Manager versions are compatible. The table shows the compatibility of Cisco ASDM versions with security appliance software versions and models.

    Cisco ASDM Version | Security Appliance Software Version | Security Appliance Model
    ------------------ | ----------------------------------- | ------------------------------------------------------------------------------------------------
    PDM 1.0            | 6.0 or 6.1                          | PIX 506, 515, 520, 525, and 535 Security Appliances
    PDM 1.1            |                                     | PIX 506, 515, 520, 525, and 535 Security Appliances
    PDM 2.0            | 6.2                                 | PIX 501, 506 and 506E, 515 and 515E, 520, 525, and 535 Security Appliances
    PDM 2.1            | 6.2                                 | PIX 501, 506 and 506E, 515 and 515E, 520, 525, and 535 Security Appliances
    PDM 3.0            | 6.3                                 | PIX 501, 506 and 506E, 515 and 515E, 520, 525, and 535 Security Appliances
    ASDM 5.0           | 7.0                                 | PIX 515 and 515E, 525, and 535 Security Appliances; ASA 5510, 5520, and 5540 Security Appliances
    ASDM 5.2           | 7.2                                 | PIX 515E, 525, and 535 Security Appliances; ASA 5505, 5510, 5520, 5540, and 5550 Security Appliances
    ASDM 6.0           | 8.0                                 | PIX 515E, 525, and 535 Security Appliances; ASA 5505, 5510, 5520, 5540, and 5550 Security Appliances

PC Operating System Requirements

* Windows
* Apple Mac OS X
* Linux

Cisco ASDM can operate in browsers running on Windows, Mac OS X, or Linux operating systems. The requirements for each operating system are as follows:

Windows Requirements

The requirements for using Cisco ASDM with Windows are as follows:

* Operating system:
  - Windows Vista (English or Japanese version)
  - Windows 2003 Server (English or Japanese version)
  - Windows XP (English or Japanese version)
  - Windows 2000 with Service Pack 4 (English or Japanese version)
* Browser:
  - Internet Explorer 6.0 or 7.0 with Sun Java SE plug-in 1.4.2, 5.0 (1.5.0), or 6.0
  - Firefox 1.5 or 2.0 with Java SE plug-in 1.4.2, 5.0 (1.5.0), or 6.0
  - All available encryption options enabled for SSL in the browser preferences
  - HTTP 1.1 for both proxy and non-proxy connections in Internet Options > Advanced > HTTP 1.1 settings

Mac OS X Requirements

The requirements for using Cisco ASDM with Mac OS X are as follows:

* Operating system: Mac OS X
* Browser: Firefox 1.5 or 2.0, or Safari 2.0, with Java SE plug-in 1.4.2, 5.0 (1.5.0), or 6.0

Linux Requirements

The requirements for using Cisco ASDM with Linux are as follows:

* Operating system: Red Hat Desktop, or Red Hat Enterprise Linux WS version 4 running GNOME or KDE
* Browser: Firefox 1.5 or 2.0 with Java SE plug-in 1.4.2, 5.0 (1.5.0), or 6.0

Running Cisco ASDM

[Figure: Cisco ASDM 6.0 welcome panel with the Install ASDM Launcher and Run ASDM option.]

* Run Cisco ASDM as a local application, as a Java applet, or in demo mode.

When you first access Cisco ASDM via a browser, you are presented with the panel shown in the figure, and you have the following three options for running Cisco ASDM:

* Local application: You can choose to run Cisco ASDM as a local application. To run ASDM as a local application, click Install ASDM Launcher and Run ASDM. By installing the ASDM Launcher, you can start Cisco ASDM from a desktop shortcut rather than from a browser. The desktop shortcut enables you to connect to multiple security appliances via SSL. The ASDM Launcher, which is only provided for Windows platforms, avoids double authentication and certificate dialog boxes, launches more quickly, and caches previously entered IP addresses and usernames.
* Java Web Start: To run Cisco ASDM as Java Web Start, click Run ASDM. Java Web Start downloads Cisco ASDM from the security appliance with the IP address that you entered in the browser to your local machine and starts executing it.
* Demo mode: Cisco ASDM version 6.0 also features a demo mode, which is a separately installed application that allows you to run Cisco ASDM without having a live device available. In demo mode, which you access from the Cisco ASDM Launcher login window, you can do the following:
  - Perform configuration and selected monitoring tasks via Cisco ASDM as though you were interacting with a real device.
  - Demonstrate Cisco ASDM or security appliance features using the Cisco ASDM interface.
  - Perform configuration and monitoring tasks with the Cisco ASA 5500 Series Content Security and Control (CSC) Security Services Module (SSM).
  - Obtain simulated monitoring and logging data, including real-time system log messages. The data shown is randomly generated; however, the experience is identical to what you would see when you are connected to a real device.

From the Cisco ASDM 6.0 welcome panel, shown in the figure, you can also launch the Cisco ASDM Startup Wizard. The Startup Wizard walks you step by step through the initial configuration of your security appliance.

Note: For more information on demo mode, refer to the ASDM 6.0 User Guide at http://www.cisco.com.

Preparing to Use Cisco ASDM

This topic describes how to configure the security appliance to use Cisco ASDM.

Configure the Security Appliance to Use Cisco ASDM

Before you can use Cisco ASDM, you need to configure the following on the security appliance via a console terminal:

* Time
* Inside interface name, IP address, and network mask
* Hostname
* Domain name
* Enable the HTTP server on the security appliance
* IP addresses of hosts authorized to access the HTTP server
* If more than one Cisco ASDM image is stored in the flash memory of your security appliance, also specify the Cisco ASDM image to be used

All Cisco security appliances, except the Cisco PIX 525 and 535 Security Appliances, are shipped with a factory default configuration that enables quick startup. For the Cisco ASA 5510, 5520, 5540, 5550, and PIX 515E Security Appliances, the factory default configuration configures an interface for management so that you can connect to it using Cisco ASDM. For the Cisco ASA 5505 Security Appliance, the factory default configuration configures interfaces and NAT so that the security appliance is immediately ready to use in your network.
The HTTP server is enabled in the factory default configurations for all security appliance models and is accessible to users on the 192.168.1.0 network. With the factory default configuration, you can connect to the default management address by pointing your browser to https://192.168.1.1. Alternatively, you can use the Cisco ASDM Launcher (if it is already installed) to connect to Cisco ASDM. For the Cisco ASA 5505 Adaptive Security Appliance, the switch port to which you connect to Cisco ASDM can be any port except Ethernet 0/0. On the ASA 5510 and higher adaptive security appliances, the interface from which you connect to Cisco ASDM is Management 0/0. For the Cisco PIX 515E Security Appliance, the interface from which you connect to Cisco ASDM is Ethernet 1. The factory default configuration is available only for routed firewall mode and single context mode.

If you do not have a factory default configuration, you can use one of the following methods to configure the minimum parameters for accessing Cisco ASDM:

* Enter the information requested by the interactive prompts of the setup command.
* Enter the individual commands for each of the following parameters:
  - Time: Set the security appliance clock to Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT). For example, if you are in the Pacific daylight saving time (DST) zone, set the clock eight hours ahead of your local time to set the clock to UTC. Enter the year, month, day, and time. Enter the UTC time in 24-hour time as hour:minutes:seconds (hh:mm:ss). The command syntax for setting the clock is as follows:

        clock set hh:mm:ss day month year

  - Inside IP address and network mask: Specify the IP address of the inside interface of the security appliance. Ensure that this IP address is unique on the network and not used by any other computer or network device, such as a router.
    To configure an IP address on the security appliance, you must first use the interface command in global configuration mode to enter configuration mode for the interface you specify. After entering the interface command, the CLI prompt changes to the interface configuration subcommand level. With interface configuration subcommands, you can configure hardware speed and duplex, assign a name, assign a security level, assign an IP address, and configure many other settings. For an interface to pass traffic, you must configure these subcommands: nameif, ip address, and no shutdown. You must also verify the security level for the interface, by accepting the default or by changing the security level from the default, so that interfaces can communicate with each other. The command syntax for the interface and ip address commands is as follows:

        interface physical_interface
        ip address ip_address [netmask]

  - Host name: Specify up to 63 characters as a name for the security appliance. The hostname must start and end with a letter or digit and have as interior characters only letters, digits, or a hyphen. The command syntax for setting a hostname is as follows:

        hostname newname

  - Domain name: Specify up to 63 characters as a domain name for the security appliance. The domain name must begin and end with a letter or digit. Only letters, digits, and a hyphen are allowed as internal characters. The command syntax for enabling the domain name is as follows:

        domain-name name

  - IP addresses of hosts authorized to access the security appliance HTTP server: Specify the IP address of the workstation that will access Cisco ASDM from its browser. The command syntax for granting permission for a host to connect to the security appliance with SSL is as follows:

        http ip_address netmask if_name

    In addition, the HTTP server must be enabled on the security appliance. The command syntax for enabling the HTTP server on the security appliance is as follows:

        http server enable
If more than one Cisco ASDM image is stored in the flash memory of your security appliance, you must also specify the Cisco ASDM image to be used. You can use the asdm image command to specify the image that you want to use and its location in flash memory. If you do not include this command in your startup configuration, the security appliance uses the first Cisco ASDM image that it finds at startup. It searches the root directory of internal flash memory and then external flash memory. The security appliance then inserts the asdm image command into the running configuration if it discovered an image. The following example sets the Cisco ASDM image to asdm-602.bin on an adaptive security appliance:

ciscoasa(config)# asdm image disk0:/asdm-602.bin

[Figure: Preparing to Use Cisco ASDM: the CLI session shown is]
ciscoasa(config)# interface g0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.

■ Assigns a name and a default security level to interface g0/1
■ Enables you to use the setup command interactive prompts to bootstrap the security appliance

You can use the setup command interactive prompts to completely configure the security appliance to use Cisco ASDM for management and monitoring; however, before you can use the setup command, you must have an inside interface already configured. The default configuration for the PIX 500 Series appliances includes an inside interface (Ethernet 1), but the default configuration for the ASA 5500 Series appliances does not include an inside interface. Before using the setup command, enter the interface command for the interface that you want to make inside, and then enter the nameif inside command. In the figure, the network security administrator for Company XYZ assigns the name inside to interface g0/1. Because the interface is now the designated inside interface, the highest security level, 100, is automatically assigned to the interface.
[Figure: Company XYZ, Preparing to Use Cisco ASDM (Cont.): the setup command dialog with the responses described below]

You can access the setup dialog by entering setup at the global configuration mode prompt. The dialog asks for several responses, including the inside IP address, network mask, hostname, domain name, and Cisco ASDM host. The hostname and domain name are used to generate the default certificate for the SSL connection. The example in the figure shows how to respond to the setup command prompts. Pressing the Enter key instead of entering a value at the prompt accepts the default value within the brackets. You must fill in any fields that show no default values and change default values as necessary. After the configuration is written to flash memory, the security appliance is ready to start Cisco ASDM.

Note: The clock must be set for Cisco ASDM to generate a valid certificate. Set the security appliance clock to UTC (also known as GMT).

The prompts in the setup dialog are as follows:

■ Firewall Mode [Routed]: Enables you to specify the security appliance mode, routed or transparent. In the figure, the network security administrator for Company XYZ accepts the default to use routed mode.
■ Enable Password: Enables you to specify an enable password for this security appliance. In the figure, the network security administrator for Company XYZ sets the enable password to cisco123.
■ Allow Password Recovery: Enter Yes or No. In the figure, the network security administrator for Company XYZ accepts the default to allow password recovery.
■ Year [system year]: Enables you to specify the current year or return to the year stored in the security appliance. In the figure, the network security administrator for Company XYZ accepts the default because the current year is displayed.
■ Month [system month]: Enables you to specify the current month or return to the month stored in the security appliance. In the figure, the network security administrator for Company XYZ accepts the default because the current month is displayed.
■ Day [system day]: Enables you to specify the current day or return to the day stored in the security appliance. In the figure, the network security administrator for Company XYZ accepts the default because the current day is displayed.
■ Time [system time]: Enables you to specify the current time in hh:mm:ss format or return to the time stored in the security appliance. In the figure, the network security administrator for Company XYZ changes the time to the current time, 3:26 pm.
■ Inside IP Address: The network interface IP address of the security appliance. In the figure, the network security administrator for Company XYZ enters 10.0.1.1 as the inside IP address.
■ Inside Network Mask: A network mask that applies to the inside IP address. In the figure, the network security administrator for Company XYZ enters 255.255.255.0, the mask for the Company XYZ inside network.
■ Host Name: The hostname you want to display in the security appliance command-line prompt. In the figure, the network security administrator for Company XYZ assigns the hostname asa1 to the security appliance.
■ Domain Name: The Domain Name System (DNS) domain name of the network on which the security appliance runs (for example, cisco.com). In the figure, the network security administrator for Company XYZ assigns the domain name cisco.com to the security appliance.
■ IP Address of Host Running ASDM: The IP address from which Cisco ASDM connects to the security appliance. In the figure, the network security administrator for Company XYZ specifies host 10.0.1.11 on the inside network as the Cisco ASDM host.
■ Use This Configuration and Write to Flash?: Enables you to store the new configuration to flash memory.
  It is the same as the write memory command. If the answer is "Yes," the inside interface is enabled and the requested configuration is written to flash memory. If the user answers anything else, the setup dialog repeats using the values already entered as the defaults for the questions.

Using Individual Commands to Initialize the Security Appliance

[Figure: Using Individual Commands to Initialize the Security Appliance; the CLI session shown includes nameif inside, speed 1000, duplex full, domain-name cisco.com, and asdm image disk0:/asdm-602.bin]

The figure illustrates using individual commands to prepare the security appliance for configuration via Cisco ASDM. If the network security administrator for Company XYZ had used the individual commands, they would have been used as follows:

■ hostname: Used in global configuration mode to assign the unique hostname asa1 to the corporate security appliance.
■ enable password: Used in global configuration mode to set the privileged mode password to cisco123.
■ clock set: Used in privileged EXEC mode to manually set the clock on the security appliance to 12:21 pm on September 15, 2007.
■ interface: Used in global configuration mode to enter configuration mode for g0/1, the inside interface.
■ nameif: An interface subcommand used to assign a name to an interface. The interface name is required in many configuration commands on the security appliance instead of the interface type and ID (such as GigabitEthernet0/1). Do not use the no form of this command because doing so causes all commands that refer to the deleted name to be deleted as well.
■ ip address: An interface subcommand used to assign an IP address to the current interface. An interface on the security appliance can be configured with an IP address.
  If you make a mistake while entering this command, reenter it with the correct information. The clear configure ip command resets all interface IP addresses to no IP address.
■ speed: Interface subcommand used to set the hardware speed of an interface. The hardware speed is set to automatic speed sensing by default; it is recommended that you specify the speed of the network interfaces. This enables the security appliance to operate in network environments that may include switches or other devices that do not handle automatic sensing correctly. To restore the speed setting to the default, use the no form of this command.
■ duplex: Interface subcommand used to set the duplex of RJ-45 Ethernet interfaces. To restore the duplex setting to the default, use the no form of this command. Because the four-port Gigabit Ethernet SSM supports RJ-45 and small form-factor pluggable (SFP) connectors for the same interface, the media-type interface subcommand is available for selecting the connector type. This applies to the optional four-port Gigabit Ethernet SSM for the ASA 5510, 5520, and 5540 Adaptive Security Appliances as well as the built-in four-port Gigabit Ethernet SSM on the ASA 5550 Adaptive Security Appliance. Use the media-type rj45 command to set the media type to copper RJ-45, or use the media-type sfp command to set it to fiber SFP. The default is RJ-45. The duplex subcommand is not available if the media type is SFP.
■ shutdown: Interface subcommand used to disable an interface. By default, all physical interfaces are shut down and must be enabled before any traffic can pass through them. Use the no form of the shutdown command to enable the interfaces.
■ domain-name: Used in global configuration mode to specify cisco.com as the domain name.
■ http server enable: Used in global configuration mode to enable the security appliance HTTP server.
■ http: Used in global configuration mode to specify that host 10.0.1.11 on the inside interface can access the HTTP server internal to the security appliance.
■ asdm image: Used in global configuration mode to specify asdm-602.bin on disk0 as the Cisco ASDM file to use.

Accessing Cisco ASDM

[Figure: Accessing Cisco ASDM: https://<IP address of security appliance>]

To start Cisco ASDM from a web browser, complete the following steps:

Step 1 From a supported web browser on the security appliance network, enter the following URL, where interface_ip_address is an IP address on the security appliance that is accessible from the system running the web browser. (As shown in the figure, the network security administrator for Company XYZ enters the IP address of the inside security appliance interface, 10.0.1.1.)
    https://interface_ip_address
Step 2 Answer Yes to all browser prompts. The Cisco ASDM 6.0(2) Welcome page opens, displaying the following buttons:
  ■ Install ASDM Launcher and Run Cisco ASDM
  ■ Run Cisco ASDM
  ■ Run Startup Wizard
Step 3 If you want to run Cisco ASDM as Java Web Start, click Run ASDM and complete the following sub-steps:
  1. Answer Yes to all the browser prompts.
  2. When prompted for a username and password, leave the Username field blank. If you configured an enable password when responding to the setup dialog interactive prompts, enter that password in the Password field. The network security administrator for Company XYZ must enter the password cisco123.
  3. Click OK. Cisco ASDM loads the current configuration from your security appliance and opens in a separate window.

If you choose to download the Cisco ASDM Launcher, click Install ASDM Launcher and Run ASDM on the welcome screen and complete the following sub-steps:
  1. When prompted for a username and password, leave the Username field blank.
     If you configured an enable password when responding to the setup dialog interactive prompts, enter that password in the Password field. The network security administrator for Company XYZ must enter the password cisco123.
  2. Click OK. The File Download window opens.
  3. Click Save and save the Cisco ASDM Launcher file to your computer.
  4. Run the installer to install the Cisco ASDM Launcher.
  5. After you click Finish, you are prompted to log in to Cisco ASDM. Enter your enable password in the Password field.
  6. Click OK.
  7. Answer Yes to any browser prompts. Cisco ASDM loads the current configuration from your security appliance and opens in a separate window.

To start Cisco ASDM from the ASDM Launcher at a later time, complete the following steps:

Step 1 Double-click the Cisco ASDM Launcher shortcut on your desktop, or open it from the Start menu. The Cisco ASDM Launcher login window opens.
Step 2 In the Device IP Address/Name field, enter the adaptive security appliance IP address or hostname to which you want to connect, or select it from the drop-down menu. To clear the list of IP addresses, click the trash can icon in the bottom right-hand corner of the window.
Step 3 Enter your enable password in the Password field.
Note: If you have downloaded the Cisco ASDM Demo Mode installer and installed the Demo Mode software, you can optionally select the Run in Demo Mode check box to run Cisco ASDM in Demo Mode.
Step 4 Click OK.
Step 5 Answer Yes to any browser prompts. If there is a new version of Cisco ASDM on the adaptive security appliance, the ASDM Launcher automatically downloads the new version and requests that you update the current version before starting Cisco ASDM.
Step 6 Cisco ASDM opens in a new window.
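The bootstrap parameters described above (the hostname and domain-name rules, an inside interface with nameif, ip address and no shutdown, http server enable, an http grant for the ASDM host, and an asdm image) can be verified against a saved running configuration; the following Python check is an added example and is not Cisco code or part of this course. The sample configurations are constructed, and the per-label domain-name check and the /24 threshold for reporting an overly broad http grant are assumptions.

```python
"""Check an ASA running configuration for the bootstrap parameters this
lesson lists for Cisco ASDM access. Added example, not Cisco code."""
import ipaddress
import re

# Hostname rule from the lesson: up to 63 characters, starts and ends with
# a letter or digit, interior characters only letters, digits or hyphens.
NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def valid_name(name):
    return NAME_RE.match(name) is not None

def valid_domain(name):
    # Assumption: the lesson's own example is cisco.com, so the rule is
    # applied per dot-separated label, with 63 characters overall.
    return len(name) <= 63 and all(valid_name(p) for p in name.split("."))

def parse_config(text):
    """Split running-config text into global commands and per-interface
    subcommands (show running-config indents subcommands by one space)."""
    global_cmds, interfaces, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces

def check_bootstrap(text, max_http_prefix=24):
    """Return findings; an empty list means every parameter the lesson requires
    is present. Assumption: an http grant wider than max_http_prefix is reported."""
    findings = []
    global_cmds, interfaces = parse_config(text)
    for cmd, ok in (("hostname", valid_name), ("domain-name", valid_domain)):
        values = [g.split(None, 1)[1] for g in global_cmds if g.startswith(cmd + " ")]
        if not values:
            findings.append(f"missing {cmd}")
        elif not ok(values[-1]):
            findings.append(f"invalid {cmd} '{values[-1]}'")
    # nameif, ip address and no shutdown are required on the inside interface;
    # a running configuration lists 'shutdown' only for a disabled interface.
    named = {sub.split()[1]: subs for subs in interfaces.values()
             for sub in subs if sub.startswith("nameif ")}
    if "inside" not in named:
        findings.append("no interface has 'nameif inside'")
    else:
        if not any(s.startswith("ip address ") for s in named["inside"]):
            findings.append("inside interface has no ip address")
        if "shutdown" in named["inside"]:
            findings.append("inside interface is shut down")
    if not any(g.startswith("http server enable") for g in global_cmds):
        findings.append("http server enable is missing")
    # 'http <ip> <mask> <if_name>' grants; other http forms fail to parse as IPs.
    grants = []
    for parts in (g.split() for g in global_cmds):
        if len(parts) == 4 and parts[0] == "http":
            try:
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:
                continue
            grants.append((net, parts[3]))
    if not grants:
        findings.append("no http statement grants a host access to ASDM")
    for net, ifname in grants:
        if net.prefixlen < max_http_prefix:
            findings.append(f"http access from {net} on {ifname} is overly broad")
    if not any(g.startswith("asdm image ") for g in global_cmds):
        findings.append("asdm image not set; first image found in flash is used")
    return findings

# Constructed sample: the Company XYZ bootstrap described in the lesson.
GOOD_CONFIG = """\
hostname asa1
domain-name cisco.com
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.1.1 255.255.255.0
http server enable
http 10.0.1.11 255.255.255.255 inside
asdm image disk0:/asdm-602.bin
"""

# Constructed sample with typical bootstrap mistakes.
WEAK_CONFIG = """\
hostname asa1-
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.1.1 255.255.255.0
 shutdown
http server enable
http 0.0.0.0 0.0.0.0 inside
"""
```

Running check_bootstrap on WEAK_CONFIG reports the trailing hyphen in the hostname, the missing domain name, the shut-down inside interface, the 0.0.0.0/0 http grant, and the missing asdm image; GOOD_CONFIG returns no findings.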
Navigating Cisco ASDM Windows

This topic describes the layout of the Cisco ASDM configuration windows.

Cisco ASDM Interface

The Cisco ASDM interface is designed to provide easy access to the many features that the adaptive security appliance supports. The Cisco ASDM interface includes the following components:

■ Menu Bar: Provides quick access to files, tools, wizards, and help. Many menu items also have keyboard shortcuts.
■ Toolbar: Enables you to navigate Cisco ASDM. From the toolbar you can access and navigate among the Home, Configuration, and Monitoring panes. The following buttons are also available in the Toolbar:
  – Save: Saves the running configuration to the startup configuration for write-accessible contexts only.
  – Refresh: Refreshes Cisco ASDM with the current running configuration, except for graphs in any of the monitoring graphs.
  – Back: Takes you back to the last pane of Cisco ASDM that you visited.
  – Forward: Takes you forward to the last pane of Cisco ASDM that you visited.
  – Help: Shows context-sensitive help for the screen that is currently open.
■ Navigation: Enables you to navigate the Configuration and Monitoring panes. This is a dockable pane. You can click one of the three buttons in the header to maximize or restore this pane or make it a floating pane that you can move, hide, or close. To reset the dockable panes to the default configuration, click View in the menu bar and choose the Reset Layout option.
■ Status Bar: Shows the time, connection status, user, and privilege level.
■ Device List: Displays a list of devices that you can access through Cisco ASDM. The device list is a dockable pane. You can click one of the three buttons in the header to maximize or restore this pane, or make it a floating pane that you can move, hide, or close.
  To reset the dockable panes to the default configuration, click View in the menu bar and choose the Reset Layout option. This pane is available in the home, configuration, monitoring, and system views. You can use it to switch to another device; however, that device must run the same version of ASDM that you are currently running.

To add a device to the Device List, complete the following steps:

Step 1 Click Add. The Add Device dialog box is displayed.
Step 2 In the Device IP Address/Name field, enter the device name or IP address of the device.
Step 3 Click OK.

To remove a device from the list, select the device in the Device List panel and click Delete. When you are ready to connect to another device, select the device in the Device List panel, click Connect, and then log in to the device when prompted.

Most Cisco ASDM 6.0 frames are dockable and hideable and can be maximized. You can click the small buttons in the headers to manage the frames. You can also drag column headings to move the frames. The figure shows the Device List docked and expanded. The figure also shows the tool tip feature, which displays the contents of a cell when you hold the cursor over the cell. In Cisco ASDM 6.0, changes you make are persistent between launches of Cisco ASDM.

Note: You do not have to send configuration changes to the security appliance when navigating between functional areas.

File Menu

[Figure: File Menu]

The File menu manages adaptive security appliance configurations, and includes the following items:

■ Refresh ASDM with the Running Configuration on the Device: Loads a copy of the running configuration to Cisco ASDM.
■ Reset Device to the Factory Default Configuration: Restores the configuration to the factory default. When you select this option, the Reset Device to the Factory Default Configuration dialog box is displayed, which enables you to configure the management interface IP address.
■ Show Running Configuration in New Window: Displays the current running configuration in a new window.
■ Save Running Configuration to Flash: Writes a copy of the running configuration to flash memory.
■ Save Running Configuration to TFTP Server: Stores a copy of the current running configuration file on a TFTP server. When you select this option, the Save Running Configuration to TFTP Server dialog box is displayed. This dialog box enables you to specify the TFTP server IP address and the configuration file path.
■ Save Running Configuration to Standby Unit: Sends a copy of the running configuration file on the primary unit to the running configuration of a failover standby unit.
■ Save Internal Log Buffer to Flash: Saves the internal log buffer to flash memory.
■ Print: Prints the current page. Landscape page orientation is recommended for printing rules. If Cisco ASDM is running in Netscape Communicator and you have not yet granted print privileges to the Java applet, a security dialog box appears to request that you grant printing privileges. Click Grant to grant the applet printing privileges. When you use Internet Explorer, permission to print is already granted when you originally accepted the signed applet.
■ Clear ASDM Cache: Removes local Cisco ASDM images. Cisco ASDM downloads images locally when you connect to it.
■ Clear Internal Log Buffer: Empties the system log message buffer.
■ Exit: Closes Cisco ASDM.

View Menu

[Figure: View Menu]

The View menu enables you to display various parts of the Cisco ASDM interface. Certain items are dependent on the current view. You cannot select items that cannot be displayed in the current view. For example, the Latest ASDM Syslog Messages pane is only available when the Home view is displayed. The View menu includes the following items:

■ Home: Displays the Home view.
■ Configuration: Displays the Configuration view.
■ Monitoring: Displays the Monitoring view.
■ Device List: Displays a list of devices in a dockable pane.
■ Navigation: Shows or hides the display of the Navigation pane in the Configuration and Monitoring views.
■ Latest ASDM Syslog Messages: Shows or hides the display of the Latest ASDM Syslog Messages pane in the Home view.
■ Addresses: Shows or hides the display of the Addresses pane. The Addresses pane is only available for the Access Rules, NAT Rules, Service Policy Rules, authentication, authorization, and accounting (AAA) Rules, and Filter Rules panes in the Configuration view.
■ Services: Shows or hides the display of the Services pane. The Services pane is only available for the Access Rules, NAT Rules, Service Policy Rules, AAA Rules, and Filter Rules panes in the Configuration view.
■ Time Ranges: Shows or hides the display of the Time Ranges pane. The Time Ranges pane is only available for the Access Rules, Service Policy Rules, AAA Rules, and Filter Rules panes in the Configuration view.
■ Global Pools: Shows or hides the display of the Global Pools pane. The Global Pools pane is only available for the NAT Rules pane in the Configuration view.
■ Select Next Pane: Moves the focus to the next pane when multiple panes are displayed.
■ Select Previous Pane: Moves the focus to the previous pane when multiple panes are displayed.
■ Back: Returns you to the previous pane.
■ Forward: Takes you to the next pane.
■ Find in ASDM: Locates an item for which you are searching, such as a feature or the ASDM Assistant.
■ Reset Layout: Returns the layout to the default configuration.
■ Office Look and Feel: Changes the screen fonts and colors to the Microsoft Office settings.

Tools Menu

[Figure: Tools Menu]

The Tools menu provides you with the following series of tools to use with Cisco ASDM:

■ Command Line Interface: Provides a text-based tool for sending commands to the adaptive security appliance and viewing the results.
■ Show Commands Ignored by ASDM on Device: Displays unsupported commands that have been ignored by Cisco ASDM. Cisco ASDM supports almost all commands available for the adaptive security appliance but ignores some commands in an existing configuration. Cisco ASDM does not change or remove ignored commands from your running configuration, but the commands do not appear in the Cisco ASDM GUI. Other unsupported commands are view-only. These are commands that have been added through the CLI and appear in the Cisco ASDM GUI but cannot be added or edited in Cisco ASDM. If Cisco ASDM loads an existing running configuration and finds IPv6-related commands, Cisco ASDM displays a dialog box informing you that it does not support IPv6. You cannot configure any IPv6 commands in Cisco ASDM, but other configurations are available. If you load an existing running configuration that includes the alias command, ASDM enters monitor-only mode. This mode allows you to access only the monitoring area and the CLI tool.
  To exit monitor-only mode, use the CLI tool or access the adaptive security appliance console and remove the alias command. You can use outside NAT instead of the alias command. If Cisco ASDM loads an existing running configuration and finds other unsupported commands, Cisco ASDM operation is unaffected.
■ Packet Tracer: Enables you to trace a packet from a specified source address and interface to a destination. You can specify the protocol and port of any type of data and view the lifespan of the packet, with detailed information about actions taken on it.
■ Ping: Enables you to verify the configuration and operation of the adaptive security appliance and surrounding communications links, as well as perform basic testing of other network devices.
■ Traceroute: Enables you to determine the route that packets will take to their destination.
■ File Management: Enables you to view, move, copy, and delete files stored in flash memory. You can also create a directory in flash memory. You can also display the File Transfer dialog box to transfer files between various file systems, including TFTP, flash memory, and your local PC.
■ Upgrade Software from Local Computer: Enables you to choose an adaptive security appliance image, Cisco ASDM image, or another image on your PC and upload the file to flash memory.
■ Upgrade Software from Cisco.com: Enables you to automatically upgrade adaptive security appliance software and Cisco ASDM software through a wizard.
■ Upload ASDM Assistant Guide: Enables you to upload an XML file to flash memory that contains information used in the Cisco ASDM Assistant. You can download these files from http://www.cisco.com.
■ System Reload: Enables you to restart the security appliance and save the running configuration at the time of reload. The System Reload tool also enables you to schedule a system reload or cancel a pending reload.
■ Administrator's Alerts to Clientless SSL VPN Users: Enables an administrator to send an alert message to clientless SSL virtual private network (VPN) users.
■ Preferences: Changes the behavior of specified Cisco ASDM functions between sessions.
■ ASDM Java Console: Displays the Java console. You can use the Cisco ASDM Java console to view and copy logged entries in a text format, which can help you to troubleshoot Cisco ASDM errors.

Note: For further information on any of the options available in the Tools menu, see the ASDM 6.0 User Guide at http://www.cisco.com.

System Reload

[Figure: System Reload dialog with the Reload Scheduling and Reload Status panels]

The System Reload tool enables you to schedule a system reload or cancel a pending reload. To schedule a reload, complete the following steps:

Step 1 In the Reload Scheduling panel, click one of the following Configuration State radio buttons:
  ■ Save the Running Configuration at Time of Reload
  ■ Reload Without Saving the Running Configuration
Step 2 For the Reload Start Time, click one of the following radio buttons:
  ■ Now: To perform an immediate reload.
  ■ Delay: To delay the reload by a specified amount of time. Enter the time to elapse before the reload in hours and minutes or only minutes.
  ■ Schedule at: To schedule the reload to occur at a specific time and date. Enter the time of day that the reload is to occur, and use the drop-down menus to select the date of the scheduled reload.
Step 3 In the Reload Message field, enter a message to send to open instances of Cisco ASDM at reload time.
Step 4 Check the On Reload Failure, Force Immediate Reload check box to show the amount of time elapsed in hours and minutes or minutes only before a reload is attempted again.
Step 5 Click Schedule Reload to schedule the reload as configured.

The Reload Status panel displays the status of the reload.
Click Cancel Reload to stop a scheduled reload. Click Refresh to refresh the Reload Status display after a scheduled reload, and click Details to display the details of a scheduled reload.

Preferences

[Figure: Preferences window, General tab]

The Preferences feature of the Tools menu enables you to change the behavior of some Cisco ASDM functions between sessions. The Preferences window contains the following tabs:

■ General: In the General tab, you can select the following general preferences:
  – Preview Commands Before Sending Them to the Device: Enables you to view CLI commands generated by Cisco ASDM.
  – Enable Cumulative (Batch) CLI Delivery: Enables Cisco ASDM to send multiple commands in a single group to the security appliance. This option is selected by default.
  – Confirm Before Exiting ASDM: Configures Cisco ASDM to display a prompt when you try to close it to confirm that you want to exit. This option is enabled by default.
  – Show Configuration Restriction Message to Read-Only User: Configures Cisco ASDM to display the following message to a read-only user at startup: "You are not allowed to modify the ASA configuration, because you do not have sufficient privileges." This option is selected by default.
  – Enable Screen Reader Support (Requires ASDM Restart): Enables screen readers to work. You must restart Cisco ASDM to enable this option.
  – Warn That Easy VPN Is Enabled When Visiting VPN Section: Configures Cisco ASDM to display a warning message when a user accesses Cisco ASDM through a VPN connection. This option is available for ASA 5505 Adaptive Security Appliances only.
  – Packet Capture Wizard: Enables the Cisco ASDM Packet Capture Wizard to display captured packets.
    To enable this option, enter the name of the network sniffer application or click Browse to find it.
■ Rule Tables: In this tab, you can specify preferences for the Rules table, including the following:
  – Display Settings: Enables you to change the way that rules are displayed in the Rules table. Check the Auto-Expand Network and Service Object Groups with Specified Prefix check box to display the network and service object groups automatically expanded based on the Auto-Expand Prefix. In the Auto-Expand Prefix field, specify the prefix of the network and service object groups to expand automatically when displayed. Check the Show Members of Network and Service Object Groups check box to display members of network and service object groups and the group name in the Rules table. If the check box is not selected, only the group name is displayed. In the Limit Members To field, enter the number of network and service object groups to display. When the object group members are displayed, only the first n members are displayed. Check the Show All Actions for Service Policy Rules check box to display all actions in the Rules table. When unchecked, a summary is displayed.
  – Deployment Settings: Enables you to configure the behavior of the security appliance when deploying changes to the Rules table. Check the Issue "clear xlate" Command When Deploying Access Lists check box to clear the NAT table when deploying new access lists. This setting ensures that the access lists configured on the security appliance are applied to all translated addresses.
  – Access Rule Hit Count Settings: Enables you to configure the frequency at which the hit counts are updated in the Access Rules table. Hit counts are applicable for explicit rules only. No hit count will be displayed for implicit rules in the Access Rules table.
    Check the Update Access Rule Hit Counts Automatically check box to have the hit counts automatically updated in the Access Rules table. In the Update Frequency field, specify the frequency in seconds at which the hit count column is updated in the Access Rules table. Valid values are 10-86,400 seconds.
■ Syslog Colors: In this tab, you can specify the background and foreground text colors for system log messages displayed on the Home pane.

Note: Each time a preference is checked or unchecked, the change is saved to the .conf file and becomes available for all the other Cisco ASDM sessions running on the workstation at the time. You must restart Cisco ASDM for all changes to take effect.

Wizards Menu

[Figure: Wizards Menu]

The Cisco ASDM Wizards menu provides the following wizards to simplify the configuration of security appliance features:

■ Startup Wizard: For initial configuration of the security appliance.
■ IPsec VPN Wizard: For configuring site-to-site or remote access IPsec VPNs.
■ SSL VPN Wizard: For configuring SSL remote access VPN connections.
■ High Availability and Scalability Wizard: For configuring active/standby failover, active/active failover, and VPN cluster load balancing.
■ Packet Capture Wizard: For configuring and running packet capture.

Help Menu

[Figure: Help Menu]

The Help menu provides links to online help, as well as information about Cisco ASDM and the adaptive security appliance.
The following options are available in the Help menu:
■ Help Topics: Opens a new browser window with help organized by contents, screen name, and index in the left frame. Use these methods to find help for any topic, or search using the Search tab.
■ Help for Current Screen: Opens context-sensitive help about the current screen. Help is displayed for the screen, pane, or dialog box that is currently open. You can also click the question mark (?) help icon for context-sensitive help.
■ Release Notes: Opens the most current version of the Cisco ASDM Release Notes on http://www.cisco.com. The Release Notes contain the most current information about Cisco ASDM software and hardware requirements, and the most current information about changes in the software.
■ Getting Started: Opens the Getting Started help topic to help you begin using Cisco ASDM.
■ VPN 3000 Migration Guide: Opens this document on http://www.cisco.com to help you migrate from the VPN 3000 Series Concentrator to the adaptive security appliance.
■ Glossary: Contains definitions of terms and acronyms.
■ Feature Matrix: Opens the most current version of the Cisco ASDM Release Notes on http://www.cisco.com, which includes the most current licensing information.
■ ASDM Assistant: Opens the Cisco ASDM Assistant, which lets you search downloadable content from http://www.cisco.com, with details about performing certain tasks.
■ Icon Legend: Provides a list of icons used in Cisco ASDM and explains what they represent.
■ About Cisco Adaptive Security Appliance (ASA): Displays information about the adaptive security appliance, including the software version, hardware set, configuration file loaded at startup, and software image loaded at startup. This information is helpful in troubleshooting.
■ About Cisco ASDM 6.0: Displays information about Cisco ASDM such as the software version, hostname, privilege level, operating system, device type, and Java version.
[Figure: Home tab with the Device Dashboard and Firewall Dashboard tabs]
The Cisco ASDM Home window enables you to view important information about the security appliance, such as the status of the interfaces, the version running, licensing information, and performance details. The Home window provides a useful and quick way to see how the security appliance is running. Status information on the Home pane is updated every ten seconds. You can access the Home window any time by clicking Home on the main toolbar.
The Home window usually has two tabs: Device Dashboard and Firewall Dashboard, which are explained in depth later in this lesson.
If you have a Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module (AIP-SSM) installed in your adaptive security appliance, the Intrusion Prevention tab also appears on the Home pane. The additional tab displays status information about the Cisco Intrusion Prevention System (IPS), such as the following:
■ Device information, such as the version of the IPS software and the percentage of missed packets
■ System resource information, such as CPU and memory usage
■ Interface status information, such as whether a link is up or down
■ Alert summary, with assigned values of High, Med, Low, and Info, and the assigned threat rating
■ Alert profile showing alerts received in a color-coded graph with assigned values of High (red), Med (yellow), Low (green), and Info (blue), and the assigned threat rating (magenta)
If you have a Cisco ASA 5500 Series CSC SSM installed in your adaptive security appliance, the Content Security tab also appears on the Home pane.
This additional tab displays important information about the CSC SSM installed in the security appliance, such as the following:
■ Device information, such as model, version of the SSM software, and date of the last software update obtained from Trend Micro
■ System resource information, such as CPU and memory usage
■ Data about threats detected by the CSC SSM, such as threat type and the number of threats detected for each threat type in the past 24 hours
■ Latest security events in real time
Note: If you have not completed the CSC Setup Wizard by choosing Configuration > Trend Micro Content Security > CSC Setup, you cannot access the panes under Home > Content Security. Instead, a dialog box is displayed. This dialog box enables you to access the Setup Wizard directly from this location.
[Figure: Device Dashboard tab: Device Information panel with General and License tabs, and System Resources Status]
The Device Dashboard tab lets you view, at a glance, important information about your security appliance, such as the status of your interfaces, the version you are running, licensing information, and performance.
The Device Information panel contains the following tabs that display device information:
■ General: The General tab displays the following information:
— Host Name: The security appliance hostname
— ASA Version: The security appliance software version
— ASDM Version: The Cisco ASDM version
— Firewall Mode: The firewall mode, either routed or transparent
— Total Flash: The total amount of available flash memory
— Device Uptime: How long the security appliance has been running
— Device Type: The security appliance model
— Context Mode: The context mode, either single mode or multimode
— Total Memory: The total amount of available RAM
■ License: The License tab displays the level of support for licensed features on the security appliance, including the following:
— Encryption: Type of encryption supported
— Failover: Types of failover supported
— Max VLANs: Maximum number of VLANs supported
— License: Current security appliance license
— Clientless SSL VPN Peers: Maximum number of Clientless SSL VPN peers supported
— GTP/GPRS: Enabled or disabled
— VPN Peers: Maximum number of VPN peers supported
— Max Physical Interfaces: Maximum number of physical interfaces supported
The Device Dashboard also contains the following components:
■ VPN Tunnels: Displays the number of connected Internet Key Exchange (IKE) tunnels, the number of connected IPsec tunnels, the number of connected Clientless SSL VPN tunnels, and the number of connected SSL VPN client tunnels (routed, single mode only)
■ System Resources Status: Displays the following CPU and memory usage statistics:
— CPU: The current percentage of CPU being used
— CPU Usage (percent): The CPU usage for the last five minutes
— Memory: The current amount of memory being used in megabytes
— Memory Usage (MB): The memory usage for the last five minutes
■ Interface Status: Displays the status of each interface.
If you select an interface row, the input and output throughput in Kb/s is displayed beneath the table. The following information is shown for each configured interface:
— Interface: Interface name
— IP Address/Mask: IP address and subnet mask of the interface (routed mode only)
— Line: Status of the interface. A red icon is displayed if the line is down, and a green icon is displayed if the line is up.
— Link: Link status of the interface. A red icon is displayed if the link is down, and a green icon is displayed if the link is up.
— Kbps: Current throughput in Kb/s that crosses the interface
■ Traffic Status: Displays graphs for connections per second for all interfaces and for the traffic throughput of the lowest security interface. The Traffic Status panel contains the following components:
— Connections per Second Usage: The UDP and TCP connections per second during the last five minutes. This graph also shows the current number of connections by type: UDP, TCP, and the total.
— Interface Traffic Usage (Kbps): The traffic throughput for the lowest security interface. If you have multiple interfaces at the same level, Cisco ASDM shows the first interface alphabetically. This graph also shows the current throughput by type: input Kb/s and output Kb/s.
■ Latest ASDM Syslog Messages: Shows the most recent system messages generated by the security appliance, up to a maximum of 100 messages. Click the square icon in the header to expand the logging pane. Click the double square icon in the header to return to the default size. Drag the divider up or down to resize the pane. You can also right-click an event and choose Clear Content to clear the current messages, Save Content to save the current messages to a file on your PC, Copy to copy the content, and Color Settings to change the background and foreground colors of system messages according to their severity.
You can use the following buttons on the right-hand side of the panel to control logging:
— Stop message display: Click the red icon to stop logging to Cisco ASDM.
— Resume message display: Click the green icon to continue logging to Cisco ASDM.
— Configure ASDM Syslog Filters: Click the filters icon to open the Logging Filters pane, where you can configure logging filters.
[Figure: Firewall Dashboard tab: Traffic Overview with Connection Statistics and Dropped Packets Rate]
The Firewall Dashboard tab lets you view important information about the traffic passing through your security appliance, including the number of connections, NAT translations, dropped packets, attacks, and top usage statistics. The Firewall Dashboard contains the following components:
■ Traffic Overview: Shows runtime statistics, including the following:
— Connection Statistics: Shows the number of connections and NAT translations.
— Dropped Packets Rate: Shows the rate of dropped packets per second caused by access list denials and application inspections.
— Possible Scan and SYN Attack Rates: Shows the rate of dropped packets per second that are identified as part of a scanning attack. This panel also shows the rate of dropped packets per second that are identified as part of an incomplete session, such as a TCP SYN attack or a no-data UDP session attack.
■ Top 10 Access Rules: Displays the most active access rules, including the following:
— Interval: Enables you to view information based on the interval you choose from the drop-down list. The available values are Last 1 hour, Last 8 hours, and Last 24 hours.
— Based On: Shows that this statistic displays the number of packet hits only.
— Display: Enables you to view the same information in three different formats: Table, Pie, or Bar, depending on which format you select from the drop-down list.
In the Table view, you can select a rule in the list and right-click the rule to display a popup menu item, Show Rule. Choose this item to go to the Access Rules table and select that rule in the table.
— Interface: Shows the interface to which the rule is applied.
— Rule#: Shows the rule number used.
— Hits: Shows the number of packet hits that occurred.
— Source: Shows the source IP address.
— Dest: Shows the destination IP address.
— Service: Shows the service (protocol or port) for the connection.
— Action: Shows whether the rule is a permit or deny rule.
■ Top Usage Status: Provides usage status for hosts (sources and destinations), ports, and protocols, including the following:
— Interval: Enables you to view information based on the interval you choose from the drop-down list. Available values are Last 1 hour, Last 8 hours, and Last 24 hours.
— Based On: Enables you to specify how statistics are displayed by selecting Packet Hits or Bytes from the drop-down menu.
— Display: Enables you to view the same information in Table, Pie, or Bar format, depending on which format you select from the drop-down list.
— Top 10 Services: Shows statistics for the top 10 services, including the combined statistics of TCP/UDP port and IP protocol types.
— Top 10 Sources: Shows the top 10 host source addresses.
— Top 10 Destinations: Shows the top 10 host destination addresses.
[Figure: Configuration toolbar, with Device Setup selected in the navigation pane]
To use Cisco ASDM to configure the security appliance, click Configuration on the toolbar and then select one of the following feature buttons to display the associated configuration pane:
■ Device Setup: Enables you to do the following:
— Launch the Startup Wizard to create a security policy.
— Configure basic interface parameters, including IP address, name, and security level.
— Configure static routes, Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), and multicast routing. You can also enable and disable proxy Address Resolution Protocol (ARP) on specific interfaces.
— Configure the device name and device password.
— Set the system time and configure Network Time Protocol (NTP).
■ Firewall: Enables you to configure security policy, including the following:
— Access Rules to specify what traffic is allowed through the security appliance.
— NAT Rules to translate the real address in a packet to a mapped address that is routable on the destination network. One benefit of NAT is that it enables you to use private addresses, which are not routable on the Internet, on your inside networks.
— Service Policy Rules to apply application inspection, connection limits, and TCP normalization. TCP normalization drops packets that do not appear normal.
— AAA Rules to determine authentication and authorization for certain types of traffic, such as HTTP. You can also configure the security appliance to send accounting information to a RADIUS or TACACS+ server.
— Filter Rules to prevent outbound access to specific sites.
— URL Filtering Servers to enable the security appliance to work with a URL filtering server to prevent outbound access to specific web sites. You must add a URL filtering server before adding a filter rule.
— Threat Detection to detect activity that might be related to an attack.
— Objects to provide a single location where you can configure, view, and modify the reusable components that you need to implement your policy on the security appliance. You can configure several types of reusable components, or objects, including regular expressions and time ranges.
— Advanced firewall protection such as anti-spoofing, encrypted traffic inspection, IP fragment parameters, and global timeouts.
■ Remote Access VPN: Enables you to configure the following:
— IPsec VPNs
— Clientless SSL VPN connections
— AAA for remote-access VPNs
— Cisco Secure Desktop
— Certificates for remote access VPNs
— Load balancing for VPN connections
— DHCP server and DNS services
— Advanced settings such as e-mail proxies, which extend remote e-mail capability to Clientless SSL VPN users
■ Site-to-Site VPN: Enables you to configure the following:
— Site-to-site VPN connections
— Group policies
— Certificates
— Advanced settings such as IKE Policies and IKE Parameters
■ IPS: Enables you to configure the Cisco AIP-SSM. The IPS feature button is available only if you have a Cisco AIP-SSM installed in the security appliance. The figure shows that a Cisco AIP-SSM is installed in the security appliance because the IPS feature button is available.
■ Trend Micro Content Security: Enables you to configure the Cisco ASA 5500 Series CSC SSM. The Trend Micro Content Security feature button is available only if you have a CSC SSM card installed in the security appliance.
■ Device Management: Enables you to configure the following:
— Access to the security appliance
— Image updates, activation keys, and the image that you want to boot
— Failover
— Logging, including e-mail, event lists, Simple Mail Transfer Protocol (SMTP) servers, rate limit, and syslog servers
— User accounts and AAA authentication
— Certificates
— DHCP Relay and DHCP Server services
— DNS Client and Dynamic DNS services
— Advanced options such as static ARP cache entries
[Figure: Monitoring feature buttons: Interfaces, VPN, Routing, Properties, Logging]
To monitor the adaptive security appliance, click Monitoring on the toolbar and then click one of the following feature buttons to display the associated monitoring pane:
■ Interfaces: Enables you to monitor the ARP table, DHCP services, dynamic ACLs, the PPP over Ethernet (PPPoE) client, and interface statistics.
■ VPN: Enables you to monitor VPN connections.
■ IPS: Enables you to monitor IPS statistics and Cisco AIP-SSM features.
■ Trend Micro Content Security: Enables you to monitor Cisco ASA 5500 Series CSC SSM statistics, CSC SSM-related features, and information about various types of threats detected by the CSC SSM. If you have not completed the CSC Setup Wizard in Configuration > Trend Micro Content Security > CSC Setup, you cannot access the panes under Monitoring > Trend Micro Content Security. Instead, a dialog box appears and lets you access the CSC Setup Wizard directly from Monitoring > Trend Micro Content Security.
■ Routing: Enables you to monitor routes, OSPF link-state advertisements (LSAs), OSPF neighbors, and EIGRP neighbors.
■ Properties: Enables you to monitor management sessions, AAA servers, device access, connection graphs, failover, certificate revocation lists (CRLs), the DNS cache, system statistics, and Web Cache Communication Protocol (WCCP).
■ Logging: Enables you to monitor system log messages, including the Real-Time Log Viewer and the log buffer.
The Interface Graphs window enables you to monitor per-interface statistics, such as bit rates, for each enabled interface on the security appliance. One of the features of the Monitoring component in Cisco ASDM is the Interface Graph (Monitoring > Interfaces > Interface Graphs). The Interface Graphs panel enables you to view statistics in graph or table form for any configured interface. If an interface is shared among contexts, the security appliance shows only statistics for the current context. The number of statistics shown for a subinterface is a subset of the number of statistics shown for a physical interface. You can create a graph that monitors the following statistics for any configured interface:
■ Byte Counts: The number of bytes input and output on the interface
■ Packet Counts: The number of packets input and output on the interface
■ Packet Rates: The rate of packets input and output on the interface
■ Bit Rates: The bit rate for the input and output of the interface
■ Drop Packet Count: The number of packets dropped on the interface
The following additional statistics are available for physical interfaces:
■ Buffer Resources: Statistics such as No Buffer, which is the number of received packets discarded because there was no buffer space in the main system.
■ Packet Errors: Statistics such as the number of frame errors. Bad frames include packets with an incorrect length or bad frame checksums. This error is usually the result of collisions or a malfunctioning Ethernet device.
■ Miscellaneous: Statistics for received broadcasts.
■ Collision Counts: Statistics such as Output Errors, which is the number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.
This statistic is for Fast Ethernet interfaces only.
■ Input Queue: The number of packets in the input queue, the current and the maximum, including the number of packets in the hardware queue and the number of packets in the software queue.
■ Output Queue: The number of packets in the output queue, the current and the maximum, including the number of packets in the hardware queue and the number of packets in the software queue.
Note: For more details on these statistics, refer to the Monitoring Interfaces section of the Cisco ASDM User Guide, 6.4 at http://www.cisco.com.
Using Cisco ASDM to Configure a Multimode Security Appliance
[Figure: Device List for a multimode security appliance, showing System and Contexts beneath the appliance IP address]
The figure shows the Device List for a multimode security appliance. Beneath the security appliance IP address, Cisco ASDM displays System and Contexts icons. A multimode security appliance is explained in depth in another lesson.
Summary
This topic summarizes the key points that were discussed in this lesson.
■ Cisco security appliances have four main administrative access modes: unprivileged, privileged EXEC, configuration, and ROMMON.
■ There are two configuration memories in the Cisco security appliances: running configuration and startup configuration.
■ Interfaces with a higher security level can access interfaces with a lower security level, but interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
■ Cisco ASDM is a browser-based tool used to configure and monitor your security appliance.
■ Minimal setup on the security appliance is required to run Cisco ASDM.
■ ASDM contains several wizards that simplify security appliance configuration.
Lesson 4
Configuring a Security Appliance
Overview
This lesson enables you to perform the initial, essential security appliance configuration.
Objectives
Upon completing this lesson, you will be able to configure the security appliance for basic network connectivity. This ability includes being able to meet these objectives:
■ Configure a security appliance for basic network connectivity
■ Verify the initial configuration
■ Set the clock and synchronize the time on a security appliance
■ Configure a security appliance to send syslog messages to a syslog server
Basic Security Appliance Configuration
This topic describes the basic commands that make the security appliance operational.
Importing the Security Appliance Configuration to Cisco ASDM
[Figure: The Refresh button loads the configuration from the security appliance; the hostname and domain name configured by using the CLI are displayed in the Cisco ASDM GUI]
After using the command-line interface (CLI) to bootstrap the security appliance, you can use Cisco Adaptive Security Device Manager (ASDM) to verify and complete your configuration. When you open Cisco ASDM, the current security appliance configuration is imported into it. In the figure, the hostname, asa1, and the domain name, cisco.com, were configured by using the CLI. They are now displayed in the Cisco ASDM Device Name/Password panel. You can import the current configuration from the security appliance to Cisco ASDM at any time by clicking Refresh in the toolbar.
Configuring Security Appliance Name and Passwords
[Figure: Configuration > Device Setup > Device Name/Password panel: Hostname, Domain Name, Enable Password, Telnet Password]
To configure the security appliance name, domain name, and passwords, follow these steps:
Step 1 Choose Configuration from the toolbar.
Step 2 Choose Device Setup from the navigation pane.
Step 3 Choose Device Name/Password from the navigation pane.
Step 4 Enter a name for the security appliance in the Hostname field. The hostname must be less than 64 characters in length; it must start and end with a letter or digit and have as interior characters only letters, digits, or a hyphen. The hostname is displayed in the command-line prompt, and if you establish sessions to multiple devices, the hostname helps you keep track of where you enter commands. The hostname is also used in system messages.
Step 5 Enter a domain name for the security appliance in the Domain Name field. The domain name must be less than 64 characters in length; it must begin and end with a letter or digit and have as interior characters only letters, digits, or a hyphen. The security appliance appends the domain name as a suffix to unqualified names. For example, if you set the domain name to "example.com" and specify a syslog server by the unqualified name "jupiter," the security appliance qualifies the name to "jupiter.example.com."
Step 6 To change the enable password, complete the substeps below. The enable password enables you to access privileged EXEC mode after you log in. In addition, this password is used to access Cisco ASDM as the default user, which is blank. The enable password is blank by default.
1. Check the Change the Privileged Mode Password check box.
2. Enter the old password in the Old Password field.
3. Enter the new password in the New Password field.
4. Enter the new password again in the Confirm New Password field.
Step 7 To change the Telnet password, complete the substeps below. The Telnet password, which is "cisco" by default, enables you to access privileged EXEC mode if you connect to the security appliance using a Telnet or Secure Shell (SSH) session.
1. Check the Change the Password to Access the Console of the Security Appliance check box.
2. Enter the old password in the Old Password field.
3. Enter the new password in the New Password field.
4. Enter the new password again in the Confirm New Password field.
Verifying the Interface Configuration
[Figure: Configuration > Device Setup > Interfaces panel]
The Interfaces panel displays all physical interfaces available on your security appliance and enables you to enter configuration mode for the interface that you select. The following columns in the Interfaces panel display the settings for each interface:
■ Interface: Displays the interface hardware identifier.
■ Name: Displays the interface name.
■ Enabled: Displays Yes if the interface is enabled and No if it is not enabled.
■ Security Level: Displays the interface security level, which must be in the range 0-100. The default security level for the inside interface is 100, while the default security level for all other interfaces is 0.
■ IP Address: Displays the IP address.
■ Subnet Mask: Displays the subnet mask.
■ Redundant: Displays Yes if the interface is a redundant interface and No if it is not a redundant interface. Redundant interfaces are explained in the Failover lesson of this course.
■ Member: Displays Yes if the interface is a member of a redundant interface and No if it is not a member of a redundant interface.
■ Management Only: Displays Yes if the interface is configured to allow traffic to the security appliance or for management purposes only. It displays No if the interface is configured to pass traffic like any other interface.
■ MTU: Displays the Maximum Transmission Unit (MTU) for the interface. By default, the MTU is 1500.
■ Active MAC Address: Displays the active MAC address, if you assigned one manually on the Advanced tab of the Add Interface or Edit Interface window.
■ Standby MAC Address: Displays the standby MAC address (for failover), if you assigned one manually. Failover is explained later in the course.
■ Description: Displays a description of the interface.
You can enable interfaces on the same security level to communicate with each other by checking the Enable Traffic Between Two or More Interfaces Which Are Configured with Same Security Level check box. The Enable Traffic Between Two or More Hosts Connected to the Same Interface check box enables communication between hosts connected to the same interface.
For an interface to pass traffic, you must enable it and configure its name, IP address, and security level. For physical interfaces, the default state is shut down. To begin configuring an interface in Cisco ASDM, select the interface from the Interfaces panel and click Edit.
[Figure: Edit Interface window, General tab: Interface Name, Security Level, Enable Interface, IP Address, Subnet Mask]
When you click Edit in the Interfaces panel, the Edit Interface window for the interface you selected opens. To configure the interface, complete the following steps:
Step 1 Verify that the General tab is selected.
Step 2 Verify that the interface you selected is displayed next to Hardware Port at the top of the tab.
Step 3 Enter a name for the interface in the Interface Name field. The name can be up to 48 characters in length. In the figure, interface GigabitEthernet0/0 is assigned the name "outside".
Step 4 In the Security Level field, enter a number from 0 to 100. The default security level is 0; however, if you name an interface "inside" and you do not set the security level explicitly, the security appliance sets the security level to 100. You should assign level 100 to your most secure network, such as the inside host network. The outside network connected to the Internet can be level 0. Other networks, such as demilitarized zones (DMZs), can use security levels 1-99. You can assign multiple interfaces to the same security level.
In the figure, GigabitEthernet0/0 is assigned a security level of 0.
Step 5 (Optional) To configure this interface as a management-only interface, check the Dedicate This Interface to Management-Only check box. Through traffic is not accepted on a management-only interface, so this check box is not selected for GigabitEthernet0/0, which is the outside interface.
Step 6 Check the Enable Interface check box to enable the interface. In the figure, GigabitEthernet0/0 is enabled.
Step 7 To assign a static IP address to the interface, click the Use Static IP radio button.
Step 8 Enter the IP address for the interface in the IP Address field. In the figure, the outside interface is configured with an IP address of 192.168.1.2.
Step 9 Select the subnet mask from the Subnet Mask drop-down list. In the figure, the outside interface is configured with a mask of 255.255.255.0.
Step 10 Click OK.
Step 11 Click Apply in the Interfaces panel.
Note: The IP addressing schemes used in this course are not legally routable on the Internet. They are RFC 1918 addresses that are used in the lab exercises for this course.
[Figure: Media Type setting on the Edit Interface window]
Use string <interface_name>: Specifies use of the default
Step 3 (Optional) To obtain the default route from the DHCP server, check the Obtain Default Route Using DHCP check box.
Step 4 (Optional) To assign an administrative distance to the learned route, enter a value between 1 and 255 in the DHCP Learned Route Metric field. If this field is left blank, the administrative distance for the learned route is 1.
Step 5 (Optional) To enable tracking for DHCP-learned routes, check Enable Tracking for DHCP Learned Routes, and set the values listed below.
The route tracking feature of the security appliance provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. Route tracking is explained in depth in another lesson of this course.
■ Track ID: Enter a unique identifier for the route tracking process. Valid values are from 1 to 500.
■ Track IP Address: Enter the IP address of the target being tracked. Typically, this would be the IP address of the next-hop gateway for the route, but it could be any network object available off of that interface.
■ SLA ID: Enter a unique identifier for the service level agreement (SLA) monitoring process. Valid values are from 1 to 2147483647.
■ Monitoring Options: Click this button to open the Route Monitoring Options dialog box. This is where you can configure the tracked object parameters.
Step 6 (Optional) To allow the security appliance to set the broadcast flag in the DHCP client packet, check the Enable DHCP Broadcast Flag for DHCP Request and Discover Messages check box. This option sets the broadcast flag to 1 in the DHCP packet header when the DHCP client sends a discover packet requesting an IP address. The DHCP server listens to this broadcast flag and broadcasts the reply packet if the flag is set to 1. Without this option, the broadcast flag is set to 0, and the DHCP server unicasts reply packets to the client with the offered IP address. The broadcast flag option provides a solution for DHCP clients that are unable to receive a packet with a specific IP address. These clients can ask the DHCP server or relay agent to use the broadcast IP address in the replies. The security appliance DHCP client can receive both broadcast and unicast offers from the DHCP server.
In the figure, the security appliance is configured to receive an IP address on the outside interface via DHCP. You can click Renew DHCP Lease to renew the lease on the DHCP client.
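The interface rules in the procedure above (the security level defaulting from the interface name, the 48-character name limit, the higher-to-lower access rule, the same-security-level option, management-only interfaces, and the interface commands ASDM generates) can be checked outside the appliance with a small model. The following Python is an added example written for this guide, not Cisco code: `Interface`, `through_traffic_allowed` and `default_security_level` are names chosen here; the `security-level` and `management-only` commands it emits are standard ASA interface commands assumed here beyond the four the lesson shows; and it models only the default security-level behaviour, not access rules or NAT.

```python
"""Model of ASA interface settings: default security levels, the default
inter-interface policy, management-only interfaces and the CLI that ASDM
sends.  Added, constructed example for this guide; not Cisco code.  Access
rules and NAT are deliberately not modelled."""
from dataclasses import dataclass
from typing import List, Optional


def default_security_level(name: str) -> int:
    """An interface named 'inside' defaults to 100; any other name defaults to 0."""
    return 100 if name == "inside" else 0


@dataclass
class Interface:
    hardware: str                       # e.g. "GigabitEthernet0/0"
    name: Optional[str] = None          # the nameif value; None means unnamed
    security_level: Optional[int] = None
    enabled: bool = False               # physical interfaces are shut down by default
    management_only: bool = False
    ip_address: Optional[str] = None    # a static address, or the string "dhcp"
    subnet_mask: Optional[str] = None
    dhcp_setroute: bool = False         # take the default route from the DHCP server

    def __post_init__(self) -> None:
        if self.name is not None and len(self.name) > 48:
            raise ValueError("interface name is limited to 48 characters")
        if self.security_level is None and self.name is not None:
            self.security_level = default_security_level(self.name)
        if self.security_level is not None and not 0 <= self.security_level <= 100:
            raise ValueError("security level must be in the range 0-100")

    def passes_traffic(self) -> bool:
        """An interface forwards traffic only when it is enabled and has a name,
        an IP address and a security level."""
        return bool(self.enabled and self.name and self.ip_address is not None
                    and self.security_level is not None)

    def to_cli(self) -> List[str]:
        """Interface commands equivalent to what ASDM generates for this object.
        'security-level' and 'management-only' are assumed standard ASA commands."""
        lines = [f"interface {self.hardware}"]
        if self.name:
            lines.append(f" nameif {self.name}")
            lines.append(f" security-level {self.security_level}")
        if self.management_only:
            lines.append(" management-only")
        if self.ip_address == "dhcp":
            lines.append(" ip address dhcp" + (" setroute" if self.dhcp_setroute else ""))
        elif self.ip_address:
            lines.append(f" ip address {self.ip_address} {self.subnet_mask}")
        lines.append(" no shutdown" if self.enabled else " shutdown")
        return lines


def through_traffic_allowed(src: Interface, dst: Interface,
                            same_security_traffic: bool = False) -> bool:
    """Default policy: sessions may start from a higher security level towards
    a lower one.  Equal levels need the 'same-security-traffic permit
    inter-interface' option (the ASDM check box).  Lower to higher is denied
    unless an access rule permits it, which is not modelled here.
    Management-only interfaces accept no through traffic at all."""
    if not (src.passes_traffic() and dst.passes_traffic()):
        return False
    if src.management_only or dst.management_only:
        return False
    if src.security_level > dst.security_level:
        return True
    if src.security_level == dst.security_level:
        return same_security_traffic
    return False


if __name__ == "__main__":
    # Constructed lab topology: the lesson's outside interface plus an inside one.
    outside = Interface("GigabitEthernet0/0", name="outside", enabled=True,
                        ip_address="dhcp", dhcp_setroute=True)
    inside = Interface("GigabitEthernet0/1", name="inside", enabled=True,
                       ip_address="10.0.0.1", subnet_mask="255.255.255.0")
    print("\n".join(outside.to_cli()))
    print("inside -> outside:", through_traffic_allowed(inside, outside))
    print("outside -> inside:", through_traffic_allowed(outside, inside))
```

The `__main__` block prints the same four-command sequence the lesson shows for a DHCP-addressed outside interface (plus the explicit `security-level 0` that the appliance applies by default) and confirms that inside-to-outside sessions are allowed while outside-to-inside sessions are not.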
Commands for DHCP-Assigned Address

- The outside interface, GigabitEthernet0/0, is enabled and assigned the name outside.
- The outside interface receives its IP address from a DHCP server.
- The security appliance uses the default route supplied by the DHCP server.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of configuring GigabitEthernet0/0 to receive its IP address and default gateway from a DHCP server. The commands are as follows:

interface GigabitEthernet0/0
 no shutdown
 nameif outside
 ip address dhcp setroute

The interface command enters configuration mode for the GigabitEthernet0/0 interface. When the nameif command assigns the name "outside" to the interface, a security level of 0 is assigned by default. The ip address dhcp command configures the security appliance to receive a DHCP-assigned address on this interface; the setroute option makes the security appliance also install the default gateway supplied by the DHCP server as its default route. The no shutdown command enables the interface.

Viewing DHCP Lease Information

[Figure: DHCP Client Lease Information panel with Attribute and Value columns]

The DHCP Client Lease Information panel displays information about the DHCP lease. To view the DHCP Client Lease Information panel, complete the following steps:

Step 1 Select Monitoring from the Cisco ASDM toolbar.
Step 2 Select Interfaces from the navigation pane.
Step 3 Expand the DHCP menu.
Step 4 Choose DHCP Client Lease Information.

The DHCP Client Lease Information panel contains the following components:

- Select a DHCP Interface: The drop-down list shows the security appliance interfaces. Choose the interface for which you want to view the DHCP lease. If an interface has multiple DHCP leases, choose the interface and IP address pair that you want to view.
- Attribute and Value columns: List the following attributes and the current value of each attribute for the interface you select from the Select a DHCP Interface drop-down list:
  - Temp IP addr: IP address assigned to the interface.
  - Temp subnet mask: Subnet mask assigned to the interface.
  - DHCP lease server: DHCP server address.
  - State: State of the DHCP lease, which can be one of the following:
    - Initial: The initialization state, where the security appliance begins the process of acquiring a lease. This state is also shown when a lease ends or when a lease negotiation fails.
    - Selecting: The security appliance is waiting to receive DHCPOFFER messages from one or more DHCP servers.
    - Requesting: The security appliance is waiting to hear back from the server to which it sent its request.
    - Purging: The security appliance is removing the lease because of an error.
    - Bound: The security appliance has a valid lease and is operating normally.
    - Renewing: The security appliance is trying to renew the lease. It regularly sends DHCPREQUEST messages to the current DHCP server and waits for a reply.
    - Rebinding: The security appliance failed to renew the lease with the original server and now sends DHCPREQUEST messages until it gets a reply from any server or the lease ends.
    - Holddown: The security appliance has started the process of removing the lease.
    - Releasing: The security appliance sends release messages to the server indicating that the IP address is no longer needed.
  - Lease: Length of time, specified by the DHCP server, that the interface can use this IP address.
  - Renewal: Length of time until the interface automatically attempts to renew this lease.
  - Rebind: Length of time until the security appliance attempts to rebind to a DHCP server. Rebinding occurs if the security appliance cannot communicate with the original DHCP server and 87.5 percent of the lease time has expired. The security appliance then attempts to contact any available DHCP server by broadcasting DHCP requests.
  - Next timer fires after: Number of seconds until the internal timer triggers.
  - Retry count: Number of times that the security appliance tried to send a DHCP message. This field displays a value greater than 0 if the security appliance is attempting to establish a lease. For example, if the security appliance is in the Selecting state, this value shows the number of times the security appliance sent discover messages; in the Requesting state, it shows the number of times the security appliance sent request messages.
  - Client-ID: Client ID used in all communication with the server.
  - Proxy: Displays True if this interface is a proxy DHCP client for virtual private network (VPN) clients. Otherwise, the value is False.
  - Hostname: Client hostname.
- Refresh button: Refreshes the information displayed in the Value column.

From the CLI, you can use the show ip address dhcp command to view current information about your DHCP lease and the DHCP server. You can also use the debug dhcpc {detail | packet | error} [level] command to display DHCP client debug information. However, because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff.
Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that the added debug processing overhead will affect system use.

[Figure: Interfaces panel with the Enable Traffic Between Two or More Interfaces Which Are Configured with Same Security Levels check box]

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same-security interfaces lets you configure more than 101 communicating interfaces: if you use a different level for each interface and never assign two interfaces to the same security level, you can configure only one interface per level (0 to 100).

You might also want to assign two interfaces to the same level and allow them to communicate freely without access lists (for example, if you have two departments that are equally secure). Also, if you enable Network Address Translation (NAT) control, you do not need to configure NAT between interfaces at the same security level. If you enable same-security interface communication, you can still configure interfaces at different security levels.

To enable interfaces on the same security level to communicate with each other, check the Enable Traffic Between Two or More Interfaces Which Are Configured with Same Security Levels check box in the Interfaces panel. From this panel, you can also enable communication between hosts connected to the same interface.

Commands for Enabling Communication Between Interfaces with Same Security Level

- Enables traffic between two or more interfaces that are configured with the same security level.

The figure shows the command that Cisco ASDM sends to the security appliance as a result of enabling communication between interfaces with the same security level.
The command is as follows:

same-security-traffic permit inter-interface

Enabling Management Interface to Pass Through-Traffic

[Figure: Edit Interface window, General tab, with the Dedicate This Interface to Management Only check box]

The Cisco ASA 5510, 5520, 5540, and 5550 Adaptive Security Appliances include a dedicated management interface called Management0/0. This interface is configured by default to support management traffic to the security appliance only; however, you can disable management-only mode so that the interface allows through-traffic. To disable management-only mode, uncheck the Dedicate This Interface to Management Only check box on the General tab of the Add Interface or Edit Interface window. In the figure, this check box has been unchecked for the Management0/0 interface so that it can pass traffic like any other interface. Conversely, you can dedicate any interface to management traffic by checking the Dedicate This Interface to Management Only check box.

Commands for Enabling Management Interface to Pass Through-Traffic

- The management interface, Management0/0, is enabled and assigned the name Mgmt with a security level of 60.
- Management-only mode is disabled so that the management interface can pass through-traffic just like any other interface.
- The IP address 10.1.1.1/24 is assigned to the management interface.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the management interface configuration on the previous page.
The commands are as follows:

interface Management0/0
 no shutdown
 nameif Mgmt
 security-level 60
 no management-only
 ip address 10.1.1.1 255.255.255.0

The no management-only command enables the management interface to pass traffic like any other interface.

Configuring a Static Route

[Figure: Configuration > Device Setup > Routing > Static Routes panel showing the default route]

In the figure, a default route is created so that the security appliance knows where to send packets destined for any network that is not directly connected to the security appliance. All such packets are sent to IP address 192.168.1.1.

You can use the Static Routes panel to create a default gateway and other static routes for the security appliance. Static routes enable access to specific networks beyond those that are locally connected. The Static Routes panel also displays the static route table. Complete the following steps to create a static route:

Step 1 Select Configuration from the Cisco ASDM toolbar.
Step 2 Select Device Setup from the navigation pane.
Step 3 Expand the Routing menu.
Step 4 Choose Static Routes from the Routing menu. The Static Routes panel is displayed.
Step 5 Click Add. The Add Static Routes window opens.

Configuring a Static Route (Cont.)

[Figure: Add Static Route window with the Interface Name, IP Address, Mask, Gateway IP, Metric, and Options fields]

Step 6 In the Add Static Routes window, choose the interface for which you want to create a static route from the Interface Name drop-down list.
Step 7 Enter the network IP address in the IP Address field. Use 0.0.0.0 to specify a default route. The 0.0.0.0 IP address can be abbreviated as 0.
Step 8 Select the network mask that applies to the IP address from the Mask drop-down list. Use 0.0.0.0 to specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.
Step 9 Enter the IP address of the gateway router in the Gateway IP field. The gateway router is the next-hop address for this route. You can use the IP address of one of the security appliance interfaces as the gateway address. If this is done, the security appliance broadcasts an Address Resolution Protocol (ARP) request for the MAC address of the destination IP address in the packet instead of broadcasting a request for the MAC address of the gateway IP address.
Step 10 Enter the administrative distance of the route in the Metric field. The default is 1 if no value is specified. Despite the field name, this value is an administrative distance used to choose between routes to the same destination, not a hop count; leave it at the default unless you are deliberately making this route a lower-preference backup for another route.
Step 11 Click one of the following radio buttons in the Options panel:
- None: Sets no options for the static route. This is the default setting.
- Tunneled: Specifies the route as the default tunnel gateway for VPN traffic. Only one tunneled default route can be defined.
- Tracked: Specifies that the route is tracked. The route tracking feature of the security appliance provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. Route tracking is explained in depth in another lesson of this course. If you select this option, the following are enabled:
  - Track ID field: Enter a unique identifier for the route tracking process. Valid values are from 1 to 500.
  - Track IP Address field: Enter the IP address of the target being tracked. Typically, this is the IP address of the next-hop gateway for the route, but it can be any network object reachable through that interface.
  - SLA ID field: Enter a unique identifier for the SLA monitoring process. Valid values are from 1 to 2147483647.
  - Monitoring Options button: Click this button to open the Route Monitoring Options dialog box, in which you can configure the parameters of the tracked object monitoring process.

In the figure, a static route is configured.
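The Track ID, Track IP Address, SLA ID and Monitoring Options fields that ASDM shows both for DHCP-learned routes (Step 5 of the DHCP client procedure) and for a tracked static route (Step 11 above) correspond to three CLI objects: an sla monitor entry that defines the probe, a track object that follows the probe's reachability state, and the route (or DHCP client) that references the track object. The following listing is an added example written for this edition, not a figure from the course: the SLA ID 123, the track ID 1, the 10-second probe interval, and the backup interface named "backup" with gateway 192.168.2.1 are assumptions chosen for illustration; 192.168.1.1 is the course's outside default gateway.

```cisco
! Added example (not course material): tracked default route with a floating backup.
! Assumed values: SLA ID 123, track ID 1, interface "backup", gateway 192.168.2.1.
!
! 1. Define the probe (ASDM: SLA ID + Track IP Address + Monitoring Options).
!    ICMP echo to the primary next hop, sent out the outside interface every
!    10 seconds; the probe fails if no reply arrives within 1000 ms.
sla monitor 123
 type echo protocol ipIcmpEcho 192.168.1.1 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 123 life forever start-time now
!
! 2. Bind a track object (ASDM: Track ID) to the probe's reachability state.
track 1 rtr 123 reachability
!
! 3. Primary default route, distance 1, installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
!
! 4. Floating backup default route. Distance 254 keeps it out of the routing
!    table until the tracked route is withdrawn; it is removed again when the
!    tracked route returns. Interface "backup" and 192.168.2.1 are assumed.
route backup 0.0.0.0 0.0.0.0 192.168.2.1 254
!
! DHCP variant (ASDM: Enable Tracking for DHCP Learned Routes). If the outside
! address and default route come from DHCP instead of a static route, the
! interface references the same track object, and DHCP Learned Route Metric
! becomes the distance. Shown commented out because it replaces step 3 above.
! interface GigabitEthernet0/0
!  ip address dhcp setroute
!  dhcp client route track 1
!  dhcp client route distance 1
```

Verify the result with show track 1 and show sla monitor operational-state 123, then confirm with show route that only the active default route is installed. Two practical caveats: the probe target must answer ICMP echo, so a gateway that rate-limits or drops pings will flap the route; and probing only the first hop detects a dead link, not a dead upstream, so where the design allows it, track an address beyond the next-hop router that is known to answer reliably.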
The static route enables the security appliance to send all packets destined to the 10.1.1.0 255.255.255.0 network from the inside interface to the router at IP address 10.0.1.102.

Command for Configuring a Static Route

- The security appliance sends all packets destined to the 10.1.1.0 255.255.255.0 network from the inside interface to the router at IP address 10.0.1.102.
- The security appliance transmits all packets whose destination is not listed in its routing table from the outside interface to the router at IP address 192.168.1.1.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of configuring the default route and the static route shown in the figure. The commands are as follows:

route inside 10.1.1.0 255.255.255.0 10.0.1.102 1
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

The first static route enables the security appliance to send all packets destined to the 10.1.1.0 255.255.255.0 network from the inside interface to the router at IP address 10.0.1.102. The second static route is the default route. It enables the security appliance to transmit all packets whose destination is not listed in its routing table from the outside interface to the router at IP address 192.168.1.1. The trailing 1 on each command is the administrative distance entered in the Metric field.

Configuring Hostname-to-IP Address Mappings

[Figure: Configuration > Firewall > Objects > IP Names panel]

The IP Names panel enables you to configure a list of hostname-to-IP address mappings on the security appliance. This allows the use of names in the configuration instead of IP addresses. In the figure, the IP address 10.0.1.10 is mapped to the name "insidehost." To create a hostname-to-IP address mapping, complete the following steps:

Step 12 Select Configuration from the Cisco ASDM toolbar.
Step 13 Select Firewall from the navigation pane.
Step 14 Expand the Objects menu.
Step 15 Choose IP Names from the Objects menu. The IP Names panel is displayed.
Step 16 Click Add. The Add IP Name window opens.

Configuring Hostname-to-IP Address Mappings (Cont.)

[Figure: Add IP Name window with the Name, IP Address, and Description fields; the IP Names panel lists insidehost 10.0.1.10 and bastionhost 172.16.1.10]

Step 17 Enter a name for the host in the Name field. Allowable characters for the name are as follows: a through z, A through Z, 0 through 9, a dash (-), and an underscore (_). The name cannot start with a number. If the name is more than 63 characters long, the name command fails. After the name is defined, it can be used in any security appliance command in place of an IP address.
Step 18 Enter the IP address of the host in the IP Address field.
Step 19 Click OK.
Step 20 Click Apply in the IP Names panel.

Command for Configuring Hostname-to-IP Address Mappings

- The name "insidehost" can be used in place of IP address 10.0.1.10 in any security appliance command.
- The name "bastionhost" can be used in place of IP address 172.16.1.10 in any security appliance command.

The figure shows the commands that Cisco ASDM sends to the security appliance when the "insidehost" and "bastionhost" name mappings are created. The commands are as follows:

name 10.0.1.10 insidehost
name 172.16.1.10 bastionhost

The names "insidehost" and "bastionhost" can be used in place of an IP address in any security appliance command. For example, you can ping the inside host by executing the following command:

ping insidehost

These names are local aliases held on the security appliance; they are not looked up in DNS, and they have no effect on how traffic is forwarded. You can use the no names CLI command to disable the use of names without removing the hostname-to-IP address mappings from your configuration. The names command enables the use of the mappings.
Use of hostname-to-IP address mappings is automatically enabled when you configure the mappings in Cisco ASDM.

Company XYZ Configuration Example

[Figure: Corporate Headquarters network and a portion of the asa1 CLI configuration]

The network security administrator for Company XYZ used Cisco ASDM to configure the basic settings for the adaptive security appliance at corporate headquarters. The figure shows a portion of the resulting CLI configuration. The hostname command changes the CLI prompt from the default to "asa1." The domain-name command specifies training.com as the domain name for the security appliance. The enable password command defines an enable password. The names command shows that names can be used to refer to hosts on the network instead of IP addresses. The name commands enable use of the name "bastionhost" to refer to host 172.16.1.10 and "insidehost" to refer to host 10.0.1.10. The interface command enters configuration mode for GigabitEthernet0/0, where the speed, duplex, nameif, security-level, and ip address subcommands configure parameters for the interface. GigabitEthernet0/0 is assigned the name "outside" and is using its default security level of 0. It is set for 1000-Mb/s, full-duplex communication. The last interface configuration subcommand is the ip address command, which assigns IP address 192.168.1.2 255.255.255.0 to the outside interface.

Company XYZ Configuration Example (Cont.)

[Figure: Corporate Headquarters network and the configuration of GigabitEthernet0/1 and GigabitEthernet0/2]

The figure shows the configuration of GigabitEthernet0/1 and GigabitEthernet0/2. GigabitEthernet0/1 is assigned the name "inside" and is using its default security level of 100. The ip address subcommand assigns IP address 10.0.1.1 255.255.255.0 to the inside interface. GigabitEthernet0/2 is assigned the name "dmz" and a security level of 50.
The ip address subcommand assigns IP address 172.16.1.1 255.255.255.0 to the DMZ interface. Both interfaces are set for 1000-Mb/s, full-duplex communication.

Company XYZ Configuration Example (Cont.)

[Figure: Corporate Headquarters network with the static routes and HTTP server configuration]

This figure shows the static routes configured on the security appliance. A default route using the next-hop router 192.168.1.1 is configured. By default, the security appliance cannot reach the hosts on the 10.1.1.0/24 network, because that network is not directly connected. To reach it, a static route to 10.1.1.0/24 through the next-hop router 10.0.1.102 is defined; any packets bound for the 10.1.1.0 network are forwarded to the router at IP address 10.0.1.102.

The figure also shows that the HTTP server on the security appliance is enabled, and host 10.0.1.10 on the inside network is the only host that is allowed to access it.

The following output from the show run command displays the entire configuration:

asa1(config)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname asa1
domain-name training.com
enable password 2KFQnbNIdI.2KYOU encrypted
name 172.16.1.10 bastionhost
name 10.0.1.10 insidehost
!
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no management-only
 nameif DMZ2
 security-level 60
 ip address 10.1.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name training.com
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.1.1.0 255.255.255.0 10.0.1.102 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.1.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d24a072adc7c1a1c1a212162ecd54336
: end

Examining Security Appliance Status

This topic describes the basic show commands needed to examine the status of Cisco security appliances.

show Commands

[Figure: show run interface output beside show interface output for GigabitEthernet0/0, 192.168.1.2 255.255.255.0, showing 567 runts]

Entering show run plus a command option typically displays a static screen that shows how a particular parameter is configured in the running configuration, whereas entering show plus a command option displays a screen with information that may change each time the show command is entered. For example, show run interface displays how the interfaces are configured in a static screen, but show interface displays a screen with numerous counters. The counts in these counters may change (update) each time you enter the show interface command. These counters are useful for troubleshooting. For example, the show interface output in the figure shows 567 runts. Runts are frames that are smaller than the minimum Ethernet frame size of 64 bytes. The output indicates that 567 frames were discarded because they were runts. Runts are usually caused by collisions. They might also be caused by poor wiring and electrical interference. The counters are cumulative since the last reboot or the last clear interface command, so to tell whether a problem is ongoing, compare two readings taken a few minutes apart rather than judging a single absolute value.

Note: For a complete description of the show interface command output, refer to the Cisco Security Appliance Command Reference, Version 8.0 on http://www.cisco.com.

The show interface command enables you to view network interface information. This is one of the first commands you should use when trying to establish connectivity. The following are explanations of some of the information that is displayed after you enter the show interface command:

- Interface ID: In the example in the figure, the interface ID is GigabitEthernet0/0.
- Interface name: The interface name that is set with the nameif command.
If you have not configured a name, the following message appears after the hardware line: "Available but not configured via nameif." In the example in the figure, the interface name is "outside."
- is state: The administrative state, which can be one of the following:
  - up: The interface is not shut down.
  - administratively down: The interface is shut down with the shutdown command.
- Line protocol is state: The line status, which can be one of the following:
  - up: A working cable is plugged into the network interface.
  - down: Either the cable is incorrect or it is not plugged into the interface connector.
- Hardware: The interface type, maximum bandwidth, duplex, and speed.
- MAC address: The interface MAC address.
- MTU (maximum transmission unit): The maximum size, in bytes, of a packet that can be sent over the network on this interface.
- Packets input: Indicates that packets are being received by the security appliance.
- Packets output: Indicates that packets are being sent from the security appliance.

The following are explanations of show interface command output that can indicate interface problems:

- No buffer: Indicates that the security appliance is out of memory or slowed down due to heavy traffic and cannot keep up with the received data.
- Frame: Indicates framing errors.
- Ignored and aborted errors: Provided for future use, but not currently used; the security appliance does not ignore or abort frames.
- Underruns: Occurs when the security appliance is overwhelmed and cannot get data to the network interface card fast enough.
- Overruns: Occurs when the network interface card is overwhelmed and cannot buffer received information before more information needs to be sent.
- Output errors: The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.
- Collisions (single and multiple collisions): The number of messages retransmitted because of an Ethernet collision. This usually occurs on an overextended LAN when the Ethernet or transceiver cable is too long, there are more than two repeaters between stations, or there are too many cascaded multiport transceivers. A packet that collides is counted only once by the output packets counter.
- Interface resets: The number of times an interface has been reset. If an interface is unable to transmit for three seconds, the security appliance resets the interface to restart transmission. During this interval, the connection state is maintained. An interface reset can also happen when an interface is looped back or shut down.
- Late collisions: The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, late collisions should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait. If you get a late collision, a device is jumping in and trying to send on the Ethernet while the security appliance is partly finished sending the packet. The security appliance does not resend the packet because it may have freed the buffers that held the first part of the packet. On a switched link, the most common cause of late collisions is a duplex mismatch, where one end runs full duplex and the other half duplex; check the speed and duplex settings on both sides first.
This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate that a problem exists in your network. Common problems are large repeated networks and Ethernet networks that run beyond the specification.
- Deferred: The number of frames that were deferred before transmission because of activity on the link.
- Input queue: Input (receive) hardware and software queue.
  - Hardware (current and maximum packets): The number of packets currently in the input hardware queue and the maximum number of packets that has been present in that queue.
  - Software (current and maximum packets): The number of packets currently in the input software queue and the maximum number of packets that has been present in that queue.
- Output queue: Output (transmit) hardware and software queue.
  - Hardware (current and maximum packets): The number of packets currently present in the output hardware queue and the maximum number of packets that has been present in that queue.
  - Software (current and maximum packets): The number of packets currently present in the output software queue and the maximum number of packets that has been present in that queue.

Note: The number of bytes transmitted or received in the Hardware count and the Traffic Statistics count may be different. In the Hardware count, the amount is retrieved directly from the hardware and reflects the Layer 2 packet size. In the traffic statistics, it reflects the Layer 3 packet size. The difference between the counts varies with the design of the interface card hardware.

Note: Starting with Cisco PIX Firewall Software Version 6.0(1), FDDI, Cisco Secure PIX Firewall Private Link 2 (PL2), and Token Ring interfaces are not supported.
show memory Command

asa1# show memory
Free memory:       431623680 bytes (80%)
Used memory:       105247232 bytes (20%)
-------------     ----------------
Total memory:      536870912 bytes (100%)

The show memory command displays a summary of the maximum physical memory, current used memory, and current free memory available to the security appliance operating system. The example shows sample show memory command output from a Cisco ASA 5520 Adaptive Security Appliance.

show cpu usage Command

asa1# show cpu usage
CPU utilization for 5 seconds = 18%; 1 minute: 18%; 5 minutes: 18%

The show cpu usage command displays CPU use. In the sample output above, 18% is the percentage of CPU used over the last 5 seconds, 1 minute, and 5 minutes. The percentage shows as NA (not available) if the usage is not available for any of the time intervals. This can happen if you ask for CPU usage before the 5-second, 1-minute, or 5-minute time interval has elapsed.

show version Command

- Displays the security appliance software version, operating time since the last reboot, processor type, flash memory type, interface boards, serial number (BIOS ID), and activation key value.

The show version command displays the software version, operating time since the last reboot, processor type, flash partition type, interface boards, serial number (BIOS ID), activation key value, license, and timestamp for when the configuration was last modified.

The serial number listed by the show version command is for the flash memory partition BIOS. This number is different from the serial number on the chassis. When you get a license upgrade, you will need the serial number that appears in the show version command, not the chassis number.

For ASA and PIX Security Appliance Software Version 8.0 and later, the show version output appears as follows:

asa1# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "disk0:/asa802-k8.bin"
Config file at boot was "startup-config"

asa1 up 18 mins 11 secs

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: GigabitEthernet0/0  : address is 0013.c4f2.2e52, irq 9
 1: Ext: GigabitEthernet0/1  : address is 0013.c4f2.2e53, irq 9
 2: Ext: GigabitEthernet0/2  : address is 0013.c4f2.2e54, irq 9
 3: Ext: GigabitEthernet0/3  : address is 0013.c4f2.2e55, irq 9
 4: Ext: Management0/0       : address is 0013.c4f2.2e51, irq 11
 5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
 6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 10
GTP/GPRS                     : Enabled
VPN Peers                    : 750
WebvEN Peers + 00 Advanced Endpoint Assessment : Disabled This platform has an ASA 5520 VPN Plus license. Serial Number: gMKo944Ko6T Running Activation Key: 0%96311f61 oxesceséce 0xe4138530 0x631454e0 oxeda4dgad Configuration register is 0x2001 Configuration last modified by enable15 at 19:40:50.350 UTC Tue Sep 25 2007 In the example, notice the following important paraneters: Hardware: ASA5520, 512 NB RAM Flash: 64NB Licensed Features Maximum Physical Interfaces: unlimited Maximum VLANs: 150 Inside Hosts: unlimited Failover: Active/Active VPN-Dgs: Enabled VPN-3DES-AES: Enabled Security Contexta: 10 GTP/GPRS: Enabled VPN Peers: 750 WebVPN Peers: 500 ‘This platform has an ASA $520 VPN Plus license. Serial Number: dMx0944Ko6T ira 5 436 ‘Securing Networks with ASA Fundamentals (SNAF) v1.0 © 2008 Cisco Systems, Ine show ip addre: aot 5 Command y— The show ip address command enables you to view which IP addresses are assigned to the network interfaces, The current IP addresses are the same as the system IP addresses on the failover active security appliance. When failover is enabled and the active security appliance fails, the current IP addresses become that of the standby security appliance. show nameif Command ‘aeai¥ ahow nanei® Interface Name Security Gigabitetherneto/o outside ° Gigebitethernet0/2 inside 100 GigabseRthernet0/2 ans, 50 wt0/2 has, “outside”, GigabitEthernet0/1 has the name “inside”, and GigabitE c “mz”. 
The inside interface has a default security level of 100; the outside inter has a default security level of 0, and the DMZ interlace has a security level of 50, +39 © 2008 Cisco Systems, Ine Configuring a Secunty Appliance show route Command 1721010 eo 192168.10 7 we aealt show route Codes: C - connected, $ - static, T- KORP, R- RIP, M- mobile, 8 - nop Gateway of last renort ts 192.168.1.1 to network 0.0.0.0 172.16.1.0 255.255.255.0 48 directly connected, ame 327.0.0.0 255.255.0.0 ie directly connected, eplane 30.4.1,0 255.255.255.0 [1/0] via 10.0.1.102, inaide 30,0.1.0 255.255.255.0 ia directly coanacted, ineide 292.168.1.0 255.255.255.0 is directly connected, outaide 0.0,0.0'00.0.0 (1/0) via 192.168.1.1, outei You can use the show route command to view configured static routes. To display the security appliance routing table, use the show route command in privileged EXEC mode, as shown in the figure. The routing table can be populated by statically defined routes, directly connected routes, and routes discovered by the Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF) routing protocols. If the destination address in a packet does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route (the S* 0.0.0.0 0.0.0.0 route). Ifa default route has not been configured, the packet is discarded. If the destination address ‘matches a single entry in the routing table, the packet is forwarded through the interface associated with that route, Note Passive RIP routing is covered later in this course, Other dynamic routing is covered in the Securing Networks with ASA Advanced (SNAA) course. 440 Securing Networks with ASA Fundamentals (SNAF) v1.0, {© 2008 Cisco Systems, no. ping Command ‘ a | FH ein ore! 
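The forwarding decision just described (matching entry, default route, or discard) can be checked offline against a captured routing table. The following Python script is an added example, not course material or Cisco code: it parses the show route listing above (transcribed here as a constructed sample) and resolves a destination address the way the text describes. Where more than one entry covers a destination, it assumes longest-prefix matching, which is standard IP forwarding behaviour and is why the 0.0.0.0 default route only wins when nothing more specific matches.

```python
"""Route lookup over a parsed ASA 'show route' table (added example, not course code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the show route listing from the figure above.
SHOW_ROUTE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    172.16.1.0 255.255.255.0 is directly connected, dmz
C    127.0.0.0 255.255.0.0 is directly connected, cplane
S    10.4.1.0 255.255.255.0 [1/0] via 10.0.1.102, inside
C    10.0.1.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
"""

# route code, network, mask, an optional "via <gateway>," and the egress interface
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r".*?(?:via\s+(?P<gw>\d+\.\d+\.\d+\.\d+),\s*)?(?P<iface>\S+)$"
)


@dataclass(frozen=True)
class Route:
    code: str
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None for directly connected routes
    interface: str


def parse_show_route(text: str) -> List[Route]:
    """Turn show route output into Route objects; header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m is None:
            continue
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        routes.append(Route(m["code"], net, m["gw"], m["iface"]))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the most specific route covering destination, or None (packet is discarded)."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    # Longest-prefix match (assumption): the /0 default only wins when nothing else matches.
    return max(matches, key=lambda r: r.network.prefixlen)


def describe(routes: List[Route], destination: str) -> str:
    """Human-readable forwarding decision for one destination."""
    route = lookup(routes, destination)
    if route is None:
        return f"{destination}: no route, packet discarded"
    via = f" via {route.gateway}" if route.gateway else ""
    kind = "default route" if route.network.prefixlen == 0 else str(route.network)
    return f"{destination}: {kind}{via}, out {route.interface}"


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    # Same table with the S* entry removed, to show the discard case.
    no_default = [r for r in table if r.network.prefixlen > 0]
    for dst in ("10.4.1.7", "172.16.1.9", "8.8.8.8"):
        print(describe(table, dst))
    print(describe(no_default, "8.8.8.8"))
```

Running the script shows the three outcomes side by side: a static route reached through a next hop, a directly connected network with no gateway, an Internet destination falling through to the S* default route, and the same destination being discarded once the default route is absent.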
ping Command

    asa1# ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

■ Determines whether other devices are visible from the security appliance.

The ping command determines if the security appliance has connectivity and if a host is available (visible to the security appliance) on the network. The command output shows if the ping was received and responded to by the pinged host. The ! indicates that a ping was successful. If none of the pings were successful, the command output displays the message "Success rate is 0 percent." In that case, you would use the show interface command to ensure that the security appliance is connected to the network and is passing traffic.

After your security appliance is configured and operational, you will not be able to ping the inside interface of the security appliance from the outside network or from the outside interfaces of the security appliance. If you can ping the inside networks from the inside interface and if you can ping the outside networks from the outside interface, the security appliance is functioning normally.

You can specify the host to ping by using the IP address of the host or the name that was previously assigned to the host with the name command. If you want internal hosts to be able to ping external hosts, you must create an access control list (ACL) to allow the return echo reply or configure inspection of the outbound Internet Control Message Protocol (ICMP) traffic. If you ping through the security appliance between hosts or routers and the pings are not successful, use the debug icmp trace command to monitor the success of the ping.

traceroute Command
    asa1# traceroute 172.26.26.20
    Type escape sequence to abort.
    Tracing the route to 172.26.26.20

     1  192.168.1.1 10 msec 0 msec 0 msec
     2  172.26.26.20 90 msec 50 msec 200 msec

■ Determines the route that packets will take to their destination.

You can use the traceroute command to determine the route that packets will take to their destination. The command prints the result of each probe sent. Every line of output corresponds to one hop, listed in increasing order. The output symbols printed by the traceroute command are as follows:

■ *: No response was received for the probe within the timeout period.
■ nn msec: For each node, the round-trip time (in milliseconds) for the specified number of probes.
■ !N.: The ICMP network is unreachable.
■ !H.: The ICMP host is unreachable.
■ !P.: The ICMP protocol is unreachable.
■ !A: ICMP is administratively prohibited.
■ ?: There is an unknown ICMP error.

Time Setting and NTP Support

This topic describes how to set the clock on the security appliance and synchronize the times of devices operating over an IP data network.

The Clock panel in Cisco ASDM enables you to manually set the date and time for the security appliance. The time displays in the Cisco ASDM status bar. The clock setting is retained in memory when the power is off by a battery on the security appliance motherboard.

The security appliance generates syslog messages for system events and it can log these messages to a syslog server. If you want the messages to contain a time-stamp value, you must configure the security appliance to include the timestamp in syslogs and set the system clock to ensure that the correct time appears on the syslog messages.
It is also important to ensure that the clock is correctly set if you use public key infrastructure (PKI), which uses digital certificates for authentication of VPN peers. The Cisco PKI protocol uses the clock to make sure that a certificate revocation list (CRL) is not expired. Otherwise, the certificate authority (CA) may reject or allow certificates based on an incorrect time stamp. The lifetimes of certificates and CRLs are checked in Coordinated Universal Time (UTC). If you are using certificates with IPsec for VPNs, set the security appliance clock to the UTC time zone to ensure that CRL checking works correctly.

To set the system clock, complete the following steps:

Step 1   Choose Configuration from the toolbar.
Step 2   Choose Device Setup from the navigation pane.
Step 3   Expand the System Time menu.
Step 4   Choose Clock. The Clock panel is displayed.
Step 5   Choose the time zone from the Time Zone drop-down list. Your selection sets the time zone as GMT plus or minus the appropriate number of hours. If you choose the Eastern Time, Central Time, Mountain Time, or Pacific Time zone, the time adjusts automatically for daylight savings time, from 2:00 a.m. on the second Sunday in March to 2:00 a.m. on the first Sunday in November. In the figure, Central Time is chosen.
Step 6   Use the Date drop-down list to display the calendar. Navigate to the correct date by completing the following substeps:
         1. Click the name of the month to display a list of months.
         2. Click the desired month. The calendar updates to that month. You can click the arrows to the right and left of the month and year display to scroll the calendar forward and backward one month at a time.
         3. Click the year to change the year. You can use the up and down arrows to scroll through the years, or you can type a year in the entry field.
         4. Click a day on the calendar to set the date.
Step 7   Use the Time fields to enter the time (hour, minutes, and seconds) in 24-hour format.
Step 8   Click Apply.

You can click the Update Display Time button to update the time shown in the bottom right corner of the Cisco ASDM status bar. The current time updates automatically every ten seconds.

Commands for Setting the System Clock

    clock timezone CST -6
    clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60
    clock set 14:32:20 SEP 28 2007

    14:32:20 CDT Fri Sep 28 2007

■ Sets the time zone to Central Standard Time.
■ Specifies that summer time starts on the second Sunday in March at 2 a.m. and ends on the first Sunday in November at 2 a.m.
■ Sets the security appliance clock to 2:32 p.m., September 28, 2007.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of setting the system clock. The commands are as follows:

    clock timezone CST -6
    clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60
    clock set 14:32:20 SEP 28 2007

Network Time Protocol (NTP) is used to implement a hierarchical system of servers that provide a precisely synchronized time among network systems. This kind of accuracy is required for time-sensitive operations that include a precise time stamp, such as validating CRLs. Time derived from an NTP server overrides any time set manually in the Clock panel.

You can configure multiple NTP servers. The security appliance chooses the server with the lowest stratum, which is a measure of how reliable the data is. You can also configure the security appliance to require authentication before synchronizing with the NTP server.

To dynamically set the time using an NTP server, complete the following steps:

Step 1   Choose Configuration from the toolbar.
Step 2   Choose Device Setup from the navigation pane.
Step 3   Expand the System Time menu.
Step 4   Choose NTP. The NTP panel is displayed.
Step 5   (Optional) Check the Enable NTP Authentication check box to enable authentication for all servers. In the figure, the box is checked.
Step 6   Click Add. The Add NTP Server Configuration window opens.

Configuring NTP (Cont.)

Step 7   Enter the IP address of the NTP server in the IP Address field. The security appliance listens for NTP packets (port 123) only on interfaces that have an NTP server configured. NTP packets that are not responses from a request by the security appliance are dropped. In the figure, host 10.0.1.12 is designated as the preferred NTP server.
Step 8   (Optional) Specify the outgoing interface for NTP packets by selecting an interface from the Interface drop-down list. If you do not specify an interface here, the security appliance uses the default interface in the routing table. In the figure, the inside interface is chosen as the outgoing interface for NTP packets.
Step 9   (Optional) Check the Preferred check box to designate this NTP server as a preferred server. NTP uses an algorithm to determine which server is the most accurate and synchronizes to that server. If servers are of similar accuracy, the preferred server is used. However, if a server is significantly more accurate than the preferred one, the security appliance uses the more accurate one. The security appliance uses a more accurate server over a less accurate server that is preferred. In the figure, host 10.0.1.12 is the preferred NTP server.
Step 10  (Optional) If you enabled NTP authentication, enter the authentication key ID number in the Key Number field. The NTP server packets must also use this key ID. The NTP server needs to include this number in its NTP packets in order for the security appliance to accept synchronization with the NTP server.
         If you previously configured a key ID for another server, you can select it from the drop-down list; otherwise, enter a number between 1 and 4294967295. In the figure, the authentication key ID number is 1234.
Step 11  (Optional) In the Key Value field, enter the authentication key as a string up to 32 characters in length. With authentication configured, the security appliance uses Message Digest 5 (MD5) authentication for communicating with the NTP server. The security appliance and NTP server must be configured with the same key if authentication is used. In the figure, the authentication key is cisco123.
Step 12  (Optional) Enter the authentication key again in the Re-enter Key Value field. In the figure, the authentication key, cisco123, is entered again in this field.
Step 13  (Optional) Check the Trusted check box to set this key as a trusted key. You must check this check box for authentication to work. In the figure, the Trusted check box is checked.

You can use the show run ntp command to display the current NTP configuration and the show ntp status command to display the NTP clock information. The clear configure ntp command removes the NTP configuration, including disabling authentication and removing all authentication keys and NTP server designations.

Commands for Configuring NTP

    ntp authentication-key 1234 md5 cisco123
    ntp trusted-key 1234
    ntp server 10.0.1.12 key 1234 source inside prefer
    ntp authenticate

■ Host 10.0.1.12 is configured as the preferred NTP server.
■ The security appliance requires authentication before synchronizing with all NTP servers.
■ The security appliance is configured with an authentication key ID (1234) and an MD5 authentication key.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of configuring NTP.
The commands are as follows:

    ntp authentication-key 1234 md5 cisco123
    ntp trusted-key 1234
    ntp server 10.0.1.12 key 1234 source inside prefer
    ntp authenticate

Use of NTP to set the system time is configured with the ntp server command, which also specifies host 10.0.1.12 as the preferred NTP server, specifies the inside interface as the outgoing interface for NTP packets, and specifies the authentication key ID "1234" for this NTP server. The NTP server needs to include this number in its NTP packets in order for the security appliance to accept synchronization with the NTP server. The ntp authentication-key command specifies the authentication key "cisco123" for authenticating with the NTP server. The security appliance and the NTP server must be configured with the same authentication key if authentication is used. The ntp trusted-key command specifies that the authentication key ID is trusted, which is required for authentication with an NTP server. The ntp authenticate command enables NTP authentication.

Syslog Configuration

This topic describes how to configure Cisco security appliances to send syslog messages to a syslog server.

Monitoring System Events via Syslog Messages

The security appliance supports an audit trail of system log messages that describes its activities. For example, the security appliance generates syslog messages for system events such as resource depletion and messages that describe the types of network traffic that have been allowed and denied. Syslog messages can be used to create log files or can be displayed on the console of a designated host. The security appliance can send syslog messages to any syslog server. The security appliance can send clear text or encrypted (secure) syslog messages.
Logging Configuration Overview

The figure displays the Cisco ASDM Logging menu, from which you can enable logging and configure logging parameters. The Logging menu includes the following options:

■ Logging Setup: Choosing Logging Setup enables you to enable system logging on the security appliance and specify general logging parameters. Logging Setup also enables you to change default settings for the internal log buffer and the security appliance logging queue. In the figure, logging is enabled.
■ E-Mail Setup: Choosing E-Mail Setup enables you to set up a source e-mail address as well as a list of recipients for specified system log messages to be sent as e-mail messages for notification purposes. You can filter the system log messages sent to a destination e-mail address by severity level. The severity level is the relative importance of the event that generated the message in the normal functioning of the network.
■ Event Lists: Choosing Event Lists enables you to create custom lists of events that specify which syslog messages are sent to a specific destination. An event list can be defined by message ID, which is a numeric value that uniquely identifies each message, by severity level, or by message class. A message class is a group of syslog messages related to a security appliance feature. For example, the auth class contains all syslog messages that are related to user authentication.
■ Logging Filters: Choosing Logging Filters enables you to specify the criteria to be used to filter the messages sent to each log destination. You can use severity level, message class, message ID, or event lists as criteria for creating filters.
■ Rate Limit: Choosing Rate Limit enables you to specify a rate limit for a message logging level or for a specific message.
  The rate limit is applied to the severity level or to the message ID, not to a destination. Therefore, rate limits affect the volume of messages being sent to all configured destinations.
■ Syslog Servers: Choosing Syslog Servers enables you to specify one or more syslog servers to which the security appliance sends system log messages.
■ Syslog Setup: Choosing Syslog Setup enables you to set the facility code to be included in system log messages that are sent to syslog servers, specify that a timestamp is included in each message, view the severity levels for messages, modify the severity level for messages, and suppress messages.
■ SMTP: Choosing Simple Mail Transfer Protocol (SMTP) enables you to specify one or more SMTP servers to which the security appliance can send e-mail alerts and notification messages.

In the figure, the Logging Setup panel is displayed, showing that logging is enabled. By default, logging is disabled. From this panel, you can enable and disable logging, and you can use the following components to configure logging parameters:

■ Enable Logging on the Failover Standby Unit: Click this check box to turn on logging for the standby security appliance, if available.
■ Send Debug Messages as Syslogs: Click this check box to redirect all debug output to system logs. By default, the security appliance does not include debug output in system log messages. Checking this box redirects debug messages to logs as system log message 711001 issued at severity level 7.
■ Send Syslogs in EMBLEM Format: Click this check box to enable Cisco EMBLEM format so that it is used for all log destinations, except syslog servers.
  EMBLEM syslog format is designed to be consistent with the Cisco IOS format.
■ Buffer Size: Use this field to specify the size of the internal log buffer to which system log messages are saved if the logging buffer is enabled. When the buffer is full, messages are overwritten unless you save the logs to an FTP server or to internal flash memory. The default buffer size is 4096 bytes. You can specify a size from 4096 to 1048576 bytes.
■ Save Buffer To: Click one of the following check boxes to specify where logs are saved when the security appliance buffer is full:
  — FTP Server: Choosing this option saves the logs to an FTP server. If you choose this option, click the Configure FTP Settings button to identify the FTP server and configure the FTP parameters used to save the buffer content.
  — Flash: Choosing this option saves the buffer content to internal flash memory. If you choose this option, click Configure Flash Usage to specify the maximum space to be used (in KB) in internal flash memory for logging and the minimum free space to be preserved. Enabling this option creates a directory called "syslog" on the device disk on which messages are stored.
■ Queue Size: Use this field to specify the number of system log messages retained in the Cisco ASDM log buffer. The Cisco ASDM log buffer is a different buffer from the internal log buffer. The default Cisco ASDM syslog buffer size is 100 messages. When the Cisco ASDM log buffer is full, the security appliance deletes the oldest message to make room in the buffer for new messages.

Logging Destinations
After you enable logging in the Logging Setup panel, you can configure the security appliance to send syslog messages to one or more of the following locations:

■ Internal buffer: Use the Logging Filters panel to specify which syslog messages are sent to the log buffer. You can use the Logging Setup panel to specify the size of the internal buffer to which syslogs are saved. By default, the buffer size is 4096 bytes.
■ SSH or Telnet session: Use the Logging Filters panel to specify which syslog messages are displayed in SSH and Telnet sessions. See the Cisco Security Appliance Command Line Configuration Guide Version 8.0 at http://www.cisco.com for information about viewing the messages within a session.
■ E-mail address: Use the E-Mail Setup panel to enable the security appliance to send syslog messages by e-mail and specify which messages are sent by e-mail for notification purposes. You can use the SMTP panel to specify the SMTP server to be used when sending system log messages to an e-mail destination. See the Cisco Security Appliance Command Line Configuration Guide Version 8.0 at http://www.cisco.com for further information.
■ Console: You can use the Logging Filters panel to specify which syslog messages appear on the security appliance console as each message occurs; however, because this can degrade system performance, logging to the internal buffer is recommended.
■ Cisco ASDM: Use the Logging Filters panel to specify which syslog messages are sent to the Cisco ASDM log buffer.
■ Syslog server: Use the Syslog Servers panel to define a syslog server. Use the Logging Filters panel to specify which syslog messages the security appliance sends to the syslog server.
■ SNMP network management station (NMS): Use the SNMP panel to enable syslog traps. Use the Logging Filters panel to specify which syslog messages are sent to the NMS.
  See the Cisco Security Appliance Command Line Configuration Guide Version 8.0 at http://www.cisco.com for further information.

Note    For the security appliance to send syslog messages to any of these locations, you must enable logging to configure the security appliance to generate syslog messages.

The logging level that you specify indicates the level you want plus all higher levels. For example, if the log level is 3, the syslog displays messages 0, 1, 2, and 3. Possible number and string level values are as follows:

■ 0 – Emergencies: System unusable messages
■ 1 – Alerts: Take immediate action
■ 2 – Critical: Critical condition
■ 3 – Errors: Error message
■ 4 – Warnings: Warning message
■ 5 – Notifications: Normal but significant condition
■ 6 – Informational: Information message
■ 7 – Debugging: Debug messages and log FTP commands and World Wide Web URLs

Tasks for Configuring Message Output to a Syslog Server

■ Designate the syslog host server.
■ Set the logging level.
■ Enable logging.

Configuring the adaptive security appliance to send logs to a syslog server enables you to archive logs, limited only by the available disk space on the server. You can then manipulate log data after it is saved. For example, you can specify actions to be executed when certain types of system log messages are logged, extract data from the log, and save the records to another file. You can specify up to 16 syslog servers.

Complete the following tasks to configure message output to a syslog server:

■ Designate a syslog server to receive the logs.
■ Set the logging level to specify which messages should be sent to the syslog server.
■ Enable logging.
To send syslog messages to a syslog server, complete the following steps:

Step 1   Choose Configuration from the toolbar.
Step 2   Choose Device Management from the navigation pane.
Step 3   Expand the Logging menu.
Step 4   Choose Syslog Servers. The Syslog Servers panel is displayed.
Step 5   Click Add. The Add Syslog Server window opens. This window enables you to specify the syslog servers to which the security appliance should send system log messages.
Step 6   Complete the following substeps to add a syslog server:
         1. From the Interface drop-down list, choose the interface that the security appliance will use to communicate with the syslog server. In the figure, the inside interface is chosen.
         2. In the IP Address field, enter the IP address of the syslog server. In the figure, the IP address of the syslog server is 10.0.1.10.
         3. Click one of the Protocol radio buttons (TCP or UDP) to specify the protocol used by the syslog server to communicate with the security appliance. The default protocol is User Datagram Protocol (UDP). You can configure the adaptive security appliance to send data to a syslog server using either UDP or TCP, but not both. If you specify TCP, the adaptive security appliance discovers when the syslog server fails and, by default, stops sending logs. If you specify UDP, the adaptive security appliance continues to send logs regardless of whether the syslog server is operational. In the figure, UDP is chosen.
         4. In the Port field, enter the port number that the syslog server will use to communicate with the security appliance. Valid port values are 1025 through 65535 for both TCP and UDP. The default UDP port is 514. The default TCP port is 1470.
         5. (Optional) Check the Log Messages in Cisco EMBLEM Format (UDP only) check box. This option is available only if UDP is selected as the protocol.
         6. Click OK. Your configuration is displayed in the Syslog Servers panel.
         (Optional) Specify the number of messages that are allowed to be queued on the security appliance when a syslog server is busy. Use 0 to specify an unlimited queue size. The default is 512 messages.
         (Optional) Check the Allow User Traffic to Pass When TCP Syslog Server Is Down check box.

Note    When you select the Protocol: TCP radio button, the Enable Secure Syslog Using SSL/TLS check box becomes available. Check this check box to use secure syslog.

Setting the Logging Level

Step 7   Complete the following substeps to set the logging level:
         1. Choose Logging Filters from the Logging menu. The Logging Filters panel is displayed. The Logging Filters panel enables you to apply message filters to a log destination. Filters applied to a log destination select the messages that are sent to that destination. You can filter messages according to message class and severity level, or use an event list that you can create in the Event Lists panel.
         2. Choose Syslog Servers from the Logging Destinations list in the Logging Filters panel.
         3. Click Edit. The Edit Logging Filters window opens.
         4. From the Syslogs for All Event Classes area, choose one of the following radio buttons:
            ■ Filter on Severity: Enables you to filter system log messages according to their severity level and specify the level of system log messages on which to filter. In the figure, this radio button is selected, and Debugging is chosen from the drop-down list. It sets the maximum level for system log messages. For example, if you set the level to 3, the security appliance generates system log messages for levels 3, 2, 1, and 0.
            ■ Use Event List: Enables you to specify that an event list will be used for this filter and to specify the event list to use or add a new event list.
            ■ Disable Logging from All Event Classes: Enables you to disable all logging to the selected destination.
         5. Click OK.
Step 8   Choose Logging Setup from the Logging menu. The Logging Setup panel is displayed.
Step 9   Check the Enable Logging check box to enable logging. To use the syslog server you defined, you must enable logging using the Logging Setup panel.
Step 10  Click Apply.

Commands for Configuring Output to a Syslog Server

    logging host inside 10.0.1.10
    logging trap debugging
    logging enable

■ Inside host 10.0.1.10 is the designated syslog server.
■ The logging level is set to debugging.
■ Logging is enabled.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of configuring message output to a syslog server. In the figure, the security appliance is configured to send the logging messages to syslog server 10.0.1.10. The logging level is set to debugging, which will provide detailed information about every network event in the messages that are sent. Finally, logging is enabled.

Company XYZ Customizes Syslog Output

You can use the Syslog Setup panel to set the facility code to include in messages destined for syslog servers, and to determine whether system log messages should include a timestamp. This panel also enables you to change message severity levels and suppress messages that you do not want to be logged. To set the facility code, choose a facility code from the Facility Code to Include in Syslogs drop-down list, which is located in the Syslog Format area of the Syslog Setup panel.
Syslog servers use the system log facility as a basis for filing messages. Severity codes are combined with facility codes to generate a message priority. Syslog servers use these facility codes to organize event messages as they arrive. Eight logging facilities are available, LOCAL0 to LOCAL7. LOCAL4 (20) is the default for all Cisco ASA and PIX Security Appliance events.

To include the date and time in every system log message sent to the syslog server, check the Include Timestamp in Syslogs check box, which is also located in the Syslog Format area of the Syslog Setup panel. In the figure, the network security administrator for Company XYZ has enabled timestamps for syslog messages.

The Syslog ID Setup area of the Syslog Setup panel enables you to suppress the output of any unwanted event messages and to change the severity level of specific messages. By default, all syslog messages, along with their severity levels and suppression status, are displayed in the Syslog Setup panel table. You can change this display by selecting one of the following from the Show drop-down list:

■ Suppressed Syslog IDs: Causes the table to display only system log message IDs that have been explicitly suppressed.
■ Syslog IDs with Changed Logging Levels: Causes the table to display only the system log message IDs with severity levels that have changed from their default values.
■ Syslog IDs That Are Suppressed or with a Changed Logging Level: Causes the table to display only the system log message IDs with severity levels that have been modified and the IDs of system log messages that have been explicitly suppressed.

To change the logging level of a message or suppress the message, select the message from the table and click Edit. The Edit Syslog ID Settings window opens. Check the Suppress Messages check box to suppress the message.
To specify whether system log messages should include a device ID, click Advanced.

Note In the table in the Syslog Setup panel, you can select individual messages or ranges of message IDs that you want to modify. To select more than one message ID, click the first ID in the range and shift-click the last ID in the range.

Company XYZ Customizes Syslog Output (Cont.)

Edit Syslog ID Settings (upper window): Suppress Messages disallows the unwanted syslog message, 710005. Edit Syslog ID Settings (lower window): Logging Level changes the level of syslog messages 302013 and 302014 to level 4 (warnings).

The network security administrator for Company XYZ noticed that the company syslog server was flooded with NetBIOS message 710005. As shown in the figure, you can resolve this problem by configuring the security appliance to stop sending message 710005 by completing the following steps:

Step 1 In the Syslog Setup panel, choose the unwanted message, 710005.
Step 2 Click Edit. The Edit Syslog ID Settings window shown in the figure opens, displaying the selected syslog message identification number in the Syslog IDs text box. In the figure, syslog ID 710005 is displayed.
Step 3 Check the Suppress Messages check box. This box is checked in the upper window in the figure.
Step 4 Click OK.

After suppressing message 710005, the network security administrator for Company XYZ was still overwhelmed with other event messages. The administrator raised the logging level for messages sent to the syslog server from debugging to warning (level 4). The number of syslog event messages decreased significantly.
Unfortunately, some of the level 5, 6, and 7 syslog messages that the administrator wanted to view (specifically, %ASA-6-302013 built outbound TCP connection and %ASA-6-302014 teardown TCP connection) were no longer output by the security appliance. The network security administrator solved the problem by changing the logging level on these messages. After changing the 302013 and 302014 message levels to level 4, the security appliance began to output syslog messages 302013 and 302014 to the syslog server. This was accomplished by completing the following steps:

Step 1 In the Syslog Setup panel, select the message whose logging level is to be changed. The network security administrator selected both 302013 and 302014.
Step 2 Click Edit. The Edit Syslog ID Settings window opens, displaying the selected syslog message identification numbers in the Syslog IDs text box. In the figure, syslog IDs 302013 and 302014 are displayed.
Step 3 Choose the desired logging level ("Warnings", in this example) from the Logging Level drop-down list.
Step 4 Click OK.
Step 5 Click Apply in the Syslog Setup panel.

Company XYZ Customizes Syslog Output (Cont.)

Advanced Syslog Configuration: Configure syslog messages to include a device ID. If this feature is enabled, the device ID will be included in all non-EMBLEM formatted syslog messages. Enable Syslog Device ID; Device ID: Hostname, IP Address, String.

The network security administrator for Company XYZ also wants the security appliance to include a device ID in system log messages and would like to use the security appliance hostname as the device ID. The administrator accomplishes this by completing the following steps:

Step 1 In the Syslog Setup panel, click Advanced. The Advanced Syslog Configuration window opens.
Step 2 Check the Enable Syslog Device ID check box.
If this check box is checked, the device ID is included in all non-EMBLEM formatted system log messages.
Step 3 Choose one of the following device ID radio buttons:
- Hostname: Specifies that the hostname is used as the device ID. This radio button is chosen in the figure.
- IP Address: Specifies that the IP address of the interface you choose from the Interface Name drop-down list is used as the device ID.
- String: Specifies that a string you define is used as the device ID. Enter the alphanumeric string in the User-Defined ID field.
Step 4 Click OK.
Step 5 Click Apply in the Syslog Setup panel.

Syslog Output Example

The figure labels the parts of one syslog line: logging level, logging device IP address, logging date and time stamp, logging device identifier, and message identifier.

In the example syslog output, you can view the following information:
- Priority: The security appliance message logging level, such as Warning.
- Hostname: The IP address of the security appliance, such as 10.0.1.1.
- Message: The message sent from the security appliance. The message includes the following information:
  - Logging date and time stamp, such as Oct 1 2007 17:43:33
  - Logging device identifier, such as asa1
  - Message identifier, such as %ASA-4-209005 (where %ASA is the device type, 4 is the severity level, and 209005 is the event message number)
  - Message text, such as Discard IP fragment set with more than 24 elements: src = insidehost, dest = 192.168.1.1, proto = ICMP, id = 32120

Company XYZ Logging Configuration

- The logging level is set to level 4 (Warnings).
- Time stamps are enabled for syslog messages.
- The logging device is identified by its hostname.
- The logging level of messages 302013 and 302014 is changed to Warnings.
- Message 710005 is suppressed.
- Host 10.0.1.10 is the designated syslog server.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the logging configuration implemented by the network security administrator of Company XYZ. The commands are as follows:

logging enable
logging trap Warnings
logging timestamp
logging device-id hostname
logging message 302013 level Warnings
logging message 302014 level Warnings
no logging message 710005
logging host inside 10.0.1.10

The logging enable command enables logging. The logging trap command sets the logging level to 4, which is Warnings. This means that Emergency, Alert, Critical, Error, and Warning syslog messages (levels 0-4) will be sent to the syslog server. The logging timestamp command configures the security appliance to include time stamps in syslogs, and the logging device-id command configures the security appliance to include its hostname in syslog messages as the device identifier. The logging message commands change the logging levels of syslog messages 302013 and 302014 to Warnings so that they are displayed on the syslog server, while the no logging message command suppresses syslog message 710005. Finally, the logging host command designates host 10.0.1.10 on the inside interface as the destination for security appliance syslogs.

show logging Command

Use the show logging command to see the logging configuration and any internally buffered messages. Use the clear logging buffer command to clear the buffer to make it easier to view the most current messages. The figure shows an example of show logging command output. The output shows that logging is enabled. The security appliance will send warning messages and messages of higher severity to a syslog server on its inside interface. On syslog messages, the asa1 device identifier and a time stamp will be appended.
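The facility/severity arithmetic (priority = facility x 8 + severity, LOCAL4 = 20 by default), the output line layout from the Syslog Output Example, and the Company XYZ trap-level, per-message re-levelling and suppression commands above can all be exercised in one place. The following is an added example, not code from the course or from Cisco: it parses constructed syslog lines in the layout the page describes (the "<PRI>" framing and exact spacing are an assumption in RFC 3164 style) and applies the page's logging commands to decide which messages reach the syslog server. The message texts other than the 209005 one are placeholders.

```python
import re
from dataclasses import dataclass, field

# Severity names as the ASA accepts them in "logging trap <level>" and
# "logging message <id> level <level>"; lower numbers are more severe.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def level_number(name: str) -> int:
    """Accept either a numeric level ("4") or a name ("Warnings")."""
    return int(name) if name.isdigit() else SEVERITY[name.lower()]


# Line layout from the page's output example: priority, date/time stamp, device
# identifier, %ASA-<severity>-<id>, message text. The "<PRI>" framing and the
# exact spacing are an assumption (RFC 3164 style), not taken from the page.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d)"
    r" +(?P<dev>[\w.-]+) *:? *"
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): *(?P<text>.*)$")


@dataclass
class AsaMessage:
    facility: int
    severity: int
    timestamp: str
    device_id: str
    msg_id: int
    text: str


def parse_line(line: str) -> AsaMessage:
    """Split one syslog line; PRI = facility * 8 + severity, so divmod recovers both."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    facility, severity = divmod(int(m["pri"]), 8)
    if severity != int(m["sev"]):
        raise ValueError("PRI severity disagrees with the %ASA-<level> tag")
    return AsaMessage(facility, severity, m["ts"], m["dev"], int(m["id"]), m["text"])


@dataclass
class TrapPolicy:
    """The subset of the page's logging commands that decides what reaches the syslog server."""
    trap_level: int = 7                                   # logging trap <level>
    level_overrides: dict = field(default_factory=dict)   # logging message <id> level <level>
    suppressed: set = field(default_factory=set)          # no logging message <id>

    @classmethod
    def from_commands(cls, commands):
        policy = cls()
        for cmd in commands:
            tok = cmd.split()
            if tok[:2] == ["logging", "trap"]:
                policy.trap_level = level_number(tok[2])
            elif tok[:2] == ["logging", "message"] and len(tok) == 5 and tok[3] == "level":
                policy.level_overrides[int(tok[2])] = level_number(tok[4])
            elif tok[:3] == ["no", "logging", "message"]:
                policy.suppressed.add(int(tok[3]))
            # logging enable / timestamp / device-id / host shape the output, not the filter
        return policy

    def delivered(self, msg: AsaMessage) -> bool:
        """Sent when not suppressed and its (possibly re-levelled) severity is at or
        below the trap level numerically, i.e. at least as severe as the trap level."""
        if msg.msg_id in self.suppressed:
            return False
        return self.level_overrides.get(msg.msg_id, msg.severity) <= self.trap_level


# The Company XYZ commands from the page.
COMPANY_XYZ_COMMANDS = [
    "logging enable",
    "logging trap Warnings",
    "logging timestamp",
    "logging device-id hostname",
    "logging message 302013 level Warnings",
    "logging message 302014 level Warnings",
    "no logging message 710005",
    "logging host inside 10.0.1.10",
]

# Constructed sample lines: the IDs and the 209005 text are from the page, the rest are placeholders.
SAMPLE_LINES = [
    "<164>Oct  1 2007 17:43:33 asa1 : %ASA-4-209005: Discard IP fragment set with more than 24 elements: src = insidehost, dest = 192.168.1.1, proto = ICMP, id = 32120",
    "<166>Oct  1 2007 17:43:40 asa1 : %ASA-6-302013: Built outbound TCP connection (constructed)",
    "<166>Oct  1 2007 17:44:02 asa1 : %ASA-6-302014: Teardown TCP connection (constructed)",
    "<167>Oct  1 2007 17:44:05 asa1 : %ASA-7-710005: NetBIOS request discarded (constructed)",
]


def delivered_ids(lines, commands):
    """Message IDs that the given logging commands would let through to the syslog server."""
    policy = TrapPolicy.from_commands(commands)
    return [m.msg_id for m in map(parse_line, lines) if policy.delivered(m)]


if __name__ == "__main__":
    print(delivered_ids(SAMPLE_LINES, ["logging trap debugging"]))  # all four
    print(delivered_ids(SAMPLE_LINES, ["logging trap Warnings"]))   # only 209005
    print(delivered_ids(SAMPLE_LINES, COMPANY_XYZ_COMMANDS))        # 209005, 302013, 302014
```

Running the three policies in sequence reproduces the administrator's experience in the text: at debugging everything arrives, raising the trap level to Warnings drops the level 6 connection messages along with the NetBIOS noise, and the two logging message commands bring 302013 and 302014 back while 710005 stays suppressed.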
The following is an example of show logging command output when secure logging is enabled:

asa1# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level warnings, facility 20, 705 messages logged
        Logging to inside insidehost tcp/1470 SECURE
    History logging: disabled
    Device ID: hostname "asa1"
    Mail logging: disabled
    ASDM logging: disabled

Secure Logging

Syslog messages travel over an SSL connection to a syslog server with SSL/TLS capability. Add Syslog Server: IP Address; Protocol (TCP or UDP); Port; Enable Secure Syslog Using SSL/TLS.

The security appliance can deliver syslogs to remote syslog servers using UDP or TCP as a transport protocol. Prior to Cisco ASA 5500 Series and PIX 500 Series Security Appliance Software version 8.0, syslogs were only transferred in clear text with no means of authentication between the security appliance and the syslog servers. Cisco ASA 5500 Series and PIX 500 Series Security Appliance Software version 8.0 introduces secure logging, a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) transport layer between the security appliance and remote syslog servers. Certificate authentication and encrypted data transfer help mitigate security threats to the logging service.

Note Secure logging is not available on the PIX security appliance platforms.

To configure secure logging, complete the following steps:
Step 1 Choose Configuration from the toolbar.
Step 2 Choose Device Management from the navigation pane.
Step 3 Expand the Logging menu.
Step 4 Choose Syslog Servers. The Syslog Servers panel is displayed.
Step 5 Click Add. The Add Syslog Server window opens.
Step 6 From the Interface drop-down list, choose the interface that the security appliance will use to communicate with the syslog server. In the figure, the inside interface is chosen.
Step 7 In the IP Address field, enter the IP address of the syslog server. In the figure, the IP address of the syslog server is 10.0.1.10.
Step 8 Click the TCP radio button. Secure logging does not support UDP. An error occurs if you try to use UDP. When you specify TCP as the protocol used to communicate with the syslog server, the security appliance will drop connections across the firewall if the syslog server is unreachable.
Step 9 In the Port field, enter the port number that the syslog server will use to communicate with the security appliance, or accept the default TCP port, which is 1470.
Step 10 Check the Enable Secure Syslog Using SSL/TLS check box.
Step 11 Click OK. Your configuration is displayed in the Syslog Servers panel.
Step 12 (Optional) Check the Allow User Traffic to Pass When TCP Syslog Server Is Down check box.
Step 13 Click Apply in the Syslog Servers panel.

To use secure logging, you must also set up an SSL connection between the syslog server and the security appliance. The syslog server used must have SSL/TLS capability. This aspect of the secure logging configuration is beyond the scope of this lesson. For further information, refer to the ASDM 6.0 User Guide on http://www.cisco.com.
Summary

This topic summarizes the key points that were discussed in this lesson.

- After using the CLI to bootstrap the security appliance, you can use the Device Setup menus in Cisco ASDM to complete the essential configuration tasks, including configuring interfaces and static routes.
- Several commands are available for verifying and troubleshooting the initial configuration, including show run, show interface, show run interface, show version, show ip address, and show route.
- The Device Setup > System Time menu items enable you to manually set the system clock or synchronize the security appliance with an NTP server that you specify.
- The security appliance can send syslog messages to a syslog server.

Lesson 5

Configuring Translations and Connection Limits

Overview

This lesson describes security appliance translations and connections, how the security appliance processes TCP and User Datagram Protocol (UDP) traffic, and how to configure dynamic and static Network Address Translations (NATs) in a security appliance.

Objectives

Upon completing this lesson, you will be able to perform NAT on a security appliance. This ability includes being able to meet these objectives:
- Describe how the TCP and UDP protocols function within the security appliance
- Describe and configure dynamic address translations
- Describe and configure port address translation
- Describe and configure static address translations
- Describe and configure connection limits

Transport Protocols

This topic describes TCP and UDP, which will help you to understand how a security appliance operates.

Network Sessions

A network session is a transaction between two end systems and is carried out primarily over these two transport layer protocols: TCP and UDP.

A network session is carried out over two transport layer protocols:
- TCP: This connection-oriented protocol is easy to inspect because the firewall can use the connection information to determine which connections between hosts are allowed.
- UDP: The state of a session is difficult to maintain because it is connectionless, with no clear beginning, flow state, or end.

Note In the context of this training, the term "outbound" means connections from a more-trusted side of the security appliance to a less-trusted side of the security appliance. The term "inbound" means connections from a less-trusted side of the security appliance to a more-trusted side of the security appliance.

TCP

- TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
- TCP features include the following: sequencing and acknowledgment of data; a defined state machine (open connection, data flow, retransmit, close connection); congestion detection and avoidance mechanisms.

TCP is a connection-oriented protocol. When a network session is started from a secure host inside a security appliance, the security appliance creates an entry in the stateful session flow table. The security appliance is able to extract network sessions from the network flow and actively verify their validity in real time. The stateful session flow table maintains the state of each network connection and checks subsequent protocol units against its expectations. When a TCP session is initiated through a security appliance, the security appliance records the network flow and looks for an acknowledgment from the device with which the host is trying to initiate communications.
The security appliance then allows traffic to flow between the hosts that are involved in the connection based on a successful three-way handshake.

TCP Initialization

When a TCP session is established over a security appliance, the following steps occur:
Step 1 The TCP information embedded in the first IP packet from an inside host is used to create a connection slot in the security appliance. The connection slot is marked as "embryonic" (not established yet).
Step 2 The security appliance randomizes the initial sequence number of the connection, stores the delta value, and forwards the packet onto the outgoing interface.
Step 3 The security appliance now expects a synchronization-acknowledgment (SYN-ACK) packet from the destination host. When the SYN-ACK packet arrives, the security appliance matches the received packet against the connection slot.
Step 4 If the SYN-ACK packet matches the expected connection slot information, the security appliance computes the sequencing information and forwards the return packet to the inside host.

TCP Initialization (Cont.)

Step 5 The inside host completes the connection setup, the three-way handshake, with an ACK.
Step 6 The connection slot on the security appliance is marked as connected, or active-established, and data is transmitted. The embryonic counter is then reset for this connection.

UDP

- Connectionless protocol
- Efficient protocol for some services
- Resourceful, but difficult to secure

UDP is connectionless.
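The six TCP initialization steps above (embryonic slot, randomized initial sequence number with a stored delta, SYN-ACK matched against the slot, slot marked established after the host's ACK) and the UDP connection slot that the UDP topic describes (created by an outbound packet, return packets forwarded only while it exists, deleted after the idle time) can be modelled as a small stateful table. The code below is an added example, not the security appliance's implementation or any Cisco code; the 4-tuple keying, the 120-second UDP idle default and the deterministic random seed are assumptions made for the demonstration.

```python
import random
from dataclasses import dataclass

MOD32 = 1 << 32  # TCP sequence numbers wrap at 2^32


@dataclass
class TcpSlot:
    state: str       # "embryonic" (SYN seen, handshake incomplete) or "established"
    isn_delta: int   # randomized ISN minus the inside host's real ISN, mod 2^32


class StatefulTable:
    """Toy stateful session flow table: TCP slots keyed by the outbound 4-tuple,
    UDP slots with an idle timeout. Not the appliance's real data structures."""

    def __init__(self, rng=None, udp_idle_timeout=120):
        self.rng = rng or random.Random()
        self.udp_idle_timeout = udp_idle_timeout   # assumed default, in seconds
        self.tcp = {}        # (client, cport, server, sport) -> TcpSlot
        self.udp = {}        # (client, cport, server, sport) -> last-seen time
        self.embryonic = 0   # count of half-open connections

    # ---- TCP: steps 1-6 of the TCP initialization sequence ----
    def outbound_syn(self, client, cport, server, sport, isn):
        """Steps 1-2: create an embryonic slot, randomize the ISN, store the delta.
        Returns the sequence number actually forwarded toward the server."""
        new_isn = self.rng.getrandbits(32)
        self.tcp[(client, cport, server, sport)] = TcpSlot("embryonic", (new_isn - isn) % MOD32)
        self.embryonic += 1
        return new_isn

    def inbound_syn_ack(self, server, sport, client, cport, ack):
        """Steps 3-4: a SYN-ACK is accepted only if it matches an embryonic slot; its ACK
        is shifted back into the inside host's sequence space. None means dropped."""
        slot = self.tcp.get((client, cport, server, sport))
        if slot is None or slot.state != "embryonic":
            return None
        return (ack - slot.isn_delta) % MOD32

    def outbound_ack(self, client, cport, server, sport):
        """Steps 5-6: the inside host's ACK completes the handshake; the slot becomes established."""
        slot = self.tcp.get((client, cport, server, sport))
        if slot is None or slot.state != "embryonic":
            return False
        slot.state = "established"
        self.embryonic -= 1
        return True

    def inbound_tcp_data(self, server, sport, client, cport):
        """Return traffic is forwarded only on an established slot."""
        slot = self.tcp.get((client, cport, server, sport))
        return slot is not None and slot.state == "established"

    # ---- UDP: slot created by an outbound packet, aged out when idle ----
    def outbound_udp(self, client, cport, server, sport, now):
        self.udp[(client, cport, server, sport)] = now

    def inbound_udp(self, server, sport, client, cport, now):
        """Returned UDP packets are forwarded only while a matching, non-idle slot exists."""
        key = (client, cport, server, sport)
        last = self.udp.get(key)
        if last is None:
            return False
        if now - last > self.udp_idle_timeout:
            del self.udp[key]   # idle longer than the configured time: slot deleted
            return False
        self.udp[key] = now
        return True


def handshake_demo(seed=1):
    """Walk one outbound TCP handshake plus a UDP exchange; returns observations for checking."""
    t = StatefulTable(random.Random(seed))
    host_isn = 1000
    fwd_isn = t.outbound_syn("10.0.1.11", 40000, "192.168.1.1", 80, host_isn)
    # The server acknowledges the randomized ISN; the inside host must see its own ISN + 1.
    ack_to_host = t.inbound_syn_ack("192.168.1.1", 80, "10.0.1.11", 40000, (fwd_isn + 1) % MOD32)
    unsolicited = t.inbound_syn_ack("192.168.1.1", 80, "10.0.1.99", 40000, 5)
    data_before_ack = t.inbound_tcp_data("192.168.1.1", 80, "10.0.1.11", 40000)
    completed = t.outbound_ack("10.0.1.11", 40000, "192.168.1.1", 80)
    data_after_ack = t.inbound_tcp_data("192.168.1.1", 80, "10.0.1.11", 40000)
    t.outbound_udp("10.0.1.11", 5000, "192.168.1.53", 53, now=0)
    udp_reply = t.inbound_udp("192.168.1.53", 53, "10.0.1.11", 5000, now=10)
    udp_stale = t.inbound_udp("192.168.1.53", 53, "10.0.1.11", 5000, now=10 + 121)
    return {
        "ack_seen_by_host": ack_to_host, "expected_ack": (host_isn + 1) % MOD32,
        "unsolicited_syn_ack": unsolicited, "data_before_ack": data_before_ack,
        "completed": completed, "data_after_ack": data_after_ack,
        "embryonic": t.embryonic, "udp_reply": udp_reply, "udp_stale": udp_stale,
    }


if __name__ == "__main__":
    print(handshake_demo())
```

The point the model makes visible is that the inside host never learns that its sequence numbers were rewritten: the stored delta is subtracted from every acknowledgment coming back, so the SYN-ACK arrives carrying host_isn + 1 exactly as the host expects, while a SYN-ACK with no embryonic slot behind it is simply dropped.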
The security appliance must take measures to ensure its security. Applications using UDP are difficult to secure properly because there is no handshaking or sequencing. It is difficult to determine the current state of a UDP transaction. It is also difficult to maintain the state of a session because it has no clear beginning, flow state, or end. However, the security appliance creates a UDP connection slot when a UDP packet is sent from a more-secure to a less-secure interface. All subsequent returned UDP packets that match the connection slot are forwarded to the inside network.

UDP (Cont.)

When a UDP connection slot is idle for more than the configured idle time, it is deleted from the connection table. Some UDP characteristics are as follows:
- UDP is an unreliable but efficient transport protocol.
- Spoofing UDP packets is very easy because there is no handshaking or sequencing. Because there is no state machine, the initiator of the transaction or the current state usually cannot be determined.
- UDP has no delivery guarantees.
- There is no connection setup and termination.
- UDP has no congestion management or avoidance.

Services that use UDP can generally be divided into two categories:
- Request-reply, or "ping-pong" services, such as Domain Name System (DNS)
- Flow services, such as video, VoIP, and Network File System (NFS)

Understanding NAT

This topic describes the translation process in Cisco security appliances and the two types of inside translations: dynamic and static.

Addressing Scenarios

NAT
- NAT was created to overcome several addressing problems that occurred with the expansion of the Internet: to mitigate global address depletion, to use RFC 1918 addresses internally, and to conserve the internal address plan.
- NAT also increases security by hiding the internal topology.
Invented in 1994 by Paul Francis and Kjeld Borch Egevang, Network Address Translation (NAT) is a popular technique for saving official network addresses and hiding network topology from the Internet. Francis and Egevang have written several RFCs about NAT, the most important of which is RFC 1631, The IP Network Address Translator (NAT). NAT is critical to the mitigation of global Internet address depletion. Usually, private networks are assigned numbers from network blocks defined in RFC 1918. Because these addresses are intended for local use only, NAT is required to connect to the Internet. NAT is sometimes used to preserve the inside addresses of an enterprise, such as when changing the Internet service provider (ISP).

In the figure, the private network uses private IP addressing, 10.0.1.0/24. Before a packet can be sent to the Internet, it must be translated into a public, routable address. In this example, the security appliance translates IP address 10.0.1.11 into routable IP address 192.168.1.9.

Note The IP address 192.168.1.9 is used as an example to represent the routable public IP address, even though the 192.168.1.0 network is not actually a public routable network.

When NAT Is Required for Access Through the Security Appliance

Less secure to more secure: denied unless explicitly allowed (via NAT and access control lists). More secure to less secure: allowed unless explicitly denied.

When you configure multiple interfaces, remember that the security level designates whether an interface is inside (trusted) or outside (untrusted) relative to another interface.
An interface is considered to be inside in relation to another interface if its security level is higher than the security level of the other interface, and an interface is considered to be outside in relation to another interface if its security level is lower than the security level of the other interface. The primary rule for security levels is that an interface with a higher security level can access an interface with a lower security level. Connections initiated from the inside to the outside are allowed unless they are explicitly denied. If you enable NAT control (nat-control command), all packets traversing the security appliance require a translation rule. The nat and global commands work together to create these translation rules, which enable your network to use any IP addressing scheme and to remain hidden from the external network.

An interface with a lower security level cannot access an interface with a higher security level unless you specifically allow it by implementing NAT and access control lists.

NAT Control

- By default, NAT control is disabled; therefore, hosts can make outbound connections without NAT.
- With NAT control enabled, a packet cannot be switched across the security appliance if it does not match a translation slot in the translation table. If there is no translation slot, the security appliance tries to create a translation slot from its translation rules.
- If NAT control is enabled and no translation slot match is found, the packet is dropped.

The nat-control command was introduced in Cisco ASA and PIX Firewall Software Version 7.0. By default, NAT control is disabled, so the security appliance does not require NAT for outbound traffic. With NAT control disabled, if a NAT rule matches outbound traffic, the security appliance performs the translation and forwards the packet; if no NAT rule matches, the security appliance forwards the packet anyway.
Enabling NAT control configures the security appliance to require a translation rule for all packets that traverse it. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) or from a lower security interface (outside) to a higher security interface (inside) match a NAT rule. Otherwise, processing for the packet stops. Although you can use NAT between same security level interfaces, NAT is not required between same security level interfaces even if you enable NAT control.

Note The security appliance does not support VoIP inspection engines when you configure NAT on same-security interfaces.

Scenario: Insufficient Registered IP Addresses

- Company XYZ uses RFC 1918 IP addresses for its 250 inside hosts.
- Company XYZ has only 235 registered IP addresses (192.168.1.20-192.168.1.254).
- Solution: Company XYZ can use dynamic inside NAT to enable hosts on its inside network to share its registered IP addresses when connecting to the Internet.

In the scenario in the figure, Company XYZ uses private IP addresses for its inside hosts because it does not have enough registered IP addresses to accommodate all the inside hosts. This presents a problem with Internet access; however, the problem can be solved by using dynamic inside NAT to enable the inside hosts to share the 235 global addresses assigned to Company XYZ.
Note The 192.168.1.0 network is used as an example to represent the routable public network, even though the 192.168.1.0 network is not actually a public routable network.

Inside NAT

Inside NAT translates addresses of hosts on a higher security level interface to a less-secure interface. Dynamic translation: outside global IP address pool 192.168.1.20-254. Static translation: one-to-one mapping to a static outside global IP address.

The security appliance supports the following two main types of address translation:
- Dynamic translation: Translates host addresses on more-secure interfaces to a range or pool of IP addresses on less-secure interfaces. This allows internal users to share registered IP addresses and hides internal addresses from view on the public Internet.
- Static translation: Provides a permanent, one-to-one mapping between an IP address on a more-secure interface and an IP address on a less-secure interface. With the appropriate access control lists (ACLs) in place, a static translation can allow users on a less-secure interface to access a host on a more-secure interface without exposing the actual IP address of the host on the more-secure interface. For example, this configuration can allow Internet users to access your corporate web server without exposing the actual inside IP address of the web server. Examples of static translation are static NAT and identity NAT.

Note You can also configure the security appliance for outside NAT, which is also referred to as bidirectional NAT. Outside NAT is useful in situations in which two networks use an overlapping address space, but hosts on the networks must communicate. For further information on outside NAT,
refer to the "Configuring NAT" section of the Cisco Security Appliance Command Line Configuration Guide, Version 8.0 on http://www.cisco.com.

Configuring Dynamic NAT

With dynamic translations (dynamic NAT), you must first define which hosts are eligible for translation and then define an address pool to be used for the translations. For example, dynamic inside source address translations are used for outbound connections from the inside hosts; for these translations, the pool for address allocation is chosen on the outgoing interface based on the NAT identifier (NAT ID).

To configure dynamic translations in Cisco ASDM, complete the following steps:
Step 1 Go to Configuration > Firewall > NAT Rules.
Step 2 From the Add drop-down menu, choose Add Dynamic NAT Rule. The Add Dynamic NAT Rule dialog box opens.

Configuring Dynamic NAT: Specifying the Real IP Addresses

In the Cisco ASDM window, define the real IP addresses to be translated and the interface on which they are located.
Step 1 From the Interface drop-down list within the Original area, choose the interface that is connected to the hosts with real addresses that you want to translate. For this example, hosts on the inside network are eligible for translation.
Step 2 Enter the real addresses in the Source field of the Original area, or click the ellipsis (...) button to choose an IP address that you already defined in Cisco ASDM. If you enter the addresses manually, specify the address and subnet mask using prefix and length notation, such as 10.0.1.0/24. If you enter an IP address without a mask, Cisco ASDM recognizes it as a host address, even if it ends with a 0 in the last octet. In the example in the figure, the drop-down menu was used to select the inside network, which was previously defined in Cisco ASDM.
Step 3 Click Manage to begin configuring the address pool to be used for these translations. The Manage Global Pool window, which is not shown in the figure, opens. The Manage Global Pool window allows you to choose a global pool that has already been defined, edit a global pool that has already been defined, or create a new global pool. If you click Add to create a new global pool, the Add Global Address Pool window opens.

Configuring Dynamic NAT: Creating a Global Address Pool

Add Global Address Pool: Interface; Pool ID; IP Addresses to Add (Range, Starting IP Address, Ending IP Address, Netmask); the range holds the Company XYZ registered IP addresses.

In this Cisco ASDM window, define the pool of addresses to which the real IP addresses will be translated.
Step 1 From the Interface drop-down menu, select the interface where the translated addresses will be used. In this example, the translated addresses will be used on the outside interface.
Step 2 In the Pool ID field (which is the NAT ID in the CLI), enter a number between 1 and 2147483647 to identify the address pool. When you create a dynamic NAT rule, Cisco ASDM uses this number to pair the real (original) addresses you entered with the global pool of addresses. Cisco ASDM does this by inserting the Pool ID in both the nat and global commands, which are used together to configure NAT in the CLI. In this example, the Pool ID is 1.
Step 3 Click the Range radio button from the IP Addresses to Add panel. The other options in this panel are not used for dynamic NAT.
Step 4 Enter the first IP address for the range in the Starting IP Address field. In this example, the starting address is 192.168.1.20.
Step 5 Enter the last IP address for the range in the Ending IP Address field. The mapped pool may include fewer addresses than the real group.
In this example, the ending address is 192.168.1.254, making the mapped pool of addresses 192.168.1.20 through 192.168.1.254 and enabling up to 235 individual IP addresses. When this pool of 235 IP addresses is exhausted, no further translations are possible in this example.
Step 6 Enter the netmask for the address range in the Netmask (optional) field.
Step 7 Click Add to move the address range you created to the Addresses Pool list.
Step 8 Click OK.
Step 9 Click OK in the Manage Global Pool window.
Step 10 Click OK in the Add Dynamic NAT Rule window.
Step 11 Click Apply. Because Preview Commands Before Sending Them To The Device is selected in the Tools > Preferences window, the Preview CLI Commands window opens, displaying the commands that Cisco ASDM will send to the security appliance as a result of your configuration.
Step 12 After verifying the commands, click Send to apply the configuration to the security appliance.

Commands for Dynamic Inside NAT

- The nat and global commands work together to configure dynamic NAT.
- The nat and global commands are linked by their NAT IDs.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the dynamic NAT configuration in the Company XYZ scenario. The commands are as follows:

nat (inside) 1 10.0.1.0 255.255.255.0 tcp 0 0 udp 0
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0

The nat and global commands work together to configure dynamic address translation. They are linked by the NAT ID. The nat command is used to identify the 10.0.1.0/24 addresses as the real addresses to be translated; this command also identifies the inside interface as the location of the real addresses.
The global command creates a pool of translated addresses, 192.168.1.20 through 192.168.1.254, to which the real addresses will be translated. The NAT ID of 1 links the NAT real addresses to the corresponding global translated addresses.

Note The tcp 0 0 udp 0 portion of the nat command in the example refers to connection limits.

Note Exact syntax for ASA and PIX Security Appliance Software Version 8.0 commands is available in the Cisco Security Appliance Command Reference, Version 8.0 at http://www.cisco.com. Syntax assistance is also provided by the CLI itself via the help command and the question mark.

Dynamic NAT for Single Interface with Multiple Subnets

Global pool 2: 192.168.1.17-32 (for subnet 10.2.1.0/24). Global pool 1: 192.168.1.3-16 (for subnet 10.0.1.0/24). You can enable hosts on different networks off a single interface to make outbound connections using separate global address pools.

You can create multiple dynamic NAT rules on a single interface so that different sets of real addresses on the same interface can use different global address pools. For example, on the inside interface, you can have two dynamic NAT rules with two different global address pools. The network in the figure has two subnets on the inside interface of the security appliance. By configuring a separate dynamic NAT rule for each subnet, hosts on subnet 10.0.1.0/24 can receive IP addresses from global address pool 1 (192.168.1.3-16) when making Internet connections, and hosts on subnet 10.2.1.0/24 can receive IP addresses from global address pool 2 (192.168.1.17-32) when making Internet connections.

Configuring Multiple Global Address Pools for a Single Interface

Global Address Pool for Dynamic NAT Rule 1 (left panel); Global Address Pool for Dynamic NAT Rule 2 (right panel). Both global address pools are for the outside interface, but the pool IDs are different.
fost meee |e) ‘The figure shows the configuration of global address pool I and global address pool 2. These global address pools are used in separate NAT rules for use on a single interface = Global address pool 1: The panel on the left in the figure shows the global address pool configured during the Dynamic NAT Rule | configuration, Dynamic NAT Rule | specifies NAT for an inside subnet, subnet 10.0.1.0/24, This global address pool will be used on the ‘outside interface and has a pool ID of 1. This Pool ID links the global address poo! of 192.168.1.3-16 to the NAT ID of Dynamic NAT Rule 1. When hosts on inside subnet 10,0.1.0/24 make Internet connections, they will receive addresses from this global pool © Global address pool 2: The panel on the right in the figure shows the global address poo! configured during the Dynamic NAT Rule 2 configuration. Dynamic NAT Rule 2 also specifies NAT for an inside subnet, but a different subnet, 10.2.1.0/24. This global address pool will also be used on the outside interface; therefore, it must have a different pool ID. It «d a pool ID of 2. This poo! ID links the global address pool of 192.168.1.17-32 0 the NAT ID of Dynamic NAT Rule 2. When hosts on inside subnet 10.2.1.0/24 make Internet connections, they will receive addresses from this global pool. '© 2008 Gisco Systems, nc ‘Conviguring Translations and Connection Limits 5.19 Commands for Dynamic NAT for Single interface with Multiple Subnets to2ron Gots Ps 2 4 192 8 1.132 « e $ Gibal Fos 1 16813-16¢ 1001024 Tat Galle) l0-P ave SSE Cop TO aT nat (imeide) 0.0.1.0 255.255.255.0 tep 0 0 uly 0 Global (outside) : 192.168.1.17-192.168.1.32 netmask 255.255.255.0 global (outwide) | 192.168-1,3-192.168.1.16 netmask 255.255.355.0 * The IP address of any hast on inside network 10.0.1 0/24 is translated to an address in the range 192.168 1.316 for outbound connections. * The IP addross of any host on inside network 10.2.1.0/24 is translated to an address in the range 192. 168.1. 
17-32 for outbound connections When you ereate this configuration in Cisco ASDM, Ciseo ASDM sends the following commands to the security appliance: nat (inside) 2 10.2.1.0 255.255.255.0 tep 0 0 udp 0 pat (inside) 1 10.0.1.0 255.255.255.0 tcp 0 0 udp 0 global (outside) 2 192.168.1.17-192.168.1.32 netmask 255.255.255.0 global (outside) 1 192.168.1.3-192.168.1.16 netmask 255.255.255.0 NAT ID | tells the security appliance to translate the 10.0.1.0 addresses to those in the global address pool containing Pool ID 1, Likewise, NAT ID 2 tells the security appliance to translate addresses for hosts on network 10.2.1.0 to the addresses in the global address pool containing Pool ID 2. 5:20 ‘Securing Networks with ASA Fundamentals (SNAF) v1.0 (© 2008 Cisco Systems, ne Dynamic NAT with Two Interfaces Internet ee -- Outside * One dynamic NAT rule for the inside interface can enable hosts on the Inside Interface to start connections to hosts on interfaces with lower security levels. ‘One dynamic NAT rule for the DMZ interface can enable hosts on the OMZ to also start connections to hosts on interfaces with lower security levels, Suppose you are using three interfaces on your security appliance (the inside, outside, and demilitarized zone [DMZ] interfaces), and you would like to configure dynamic NAT for wo interfaces, inside and DMZ. By creating one dynamic NAT rule for the inside interface, you can cnable hosts on the inside interface, which has a security level of 100, to start connections, to hosts on interfaces with lower security levels. In this case, that includes hosts on the outside interface and hosts on the DMZ. By adding a dynamic NAT rule for the DMZ. interface, you can enable hosts on the DMZ, which has a security level of 50, to also start connections to hosts on interfaces with lower security levels. In this ease, that includes only the outside interface. 
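The nat and global commands shown so far (dynamic inside NAT and the multi-subnet case) are tied together only by their NAT IDs, so a mistyped ID leaves a nat rule with no pool and outbound traffic with no translation, and the CLI accepts the commands without complaint. The following Python script is an added example, not course material or Cisco code: it parses nat and global lines in the command form used in this lesson, pairs them by NAT ID, computes each pool's size, and flags nat commands with no pool and pools that no nat command uses. The SAMPLE configuration is constructed for the example; it is the multi-subnet command set above plus a deliberately orphaned global pool (ID 3, address 192.168.1.40) that is not part of the Company XYZ scenario.

```python
"""Added example (not Cisco code): link ASA/PIX 8.0 nat and global commands by NAT ID.

Pairs every nat command with the global pools that carry the same NAT ID,
computes each pool's size, and warns about nat IDs with no pool (outbound
traffic would get no translation) and pools that no nat command uses.
Parsing covers only the command forms shown in this lesson.
"""
import ipaddress
import re
from collections import defaultdict

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?")


def pool_size(spec):
    """Count mapped addresses in a global spec: 'a-b' range, one IP, or 'interface'."""
    if spec == "interface":
        return 1                      # PAT on the interface's own address
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(a)) for a in spec.split("-"))
        return hi - lo + 1
    return 1                          # a single address means PAT


def parse_config(text):
    """Return (nat_rules, global_pools) from nat/global lines; other lines are ignored."""
    nats, pools = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, addr, mask = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            nats.append({"iface": iface, "nat_id": int(nat_id), "network": net})
            continue
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, spec, _mask = m.groups()
            pools.append({"iface": iface, "nat_id": int(nat_id), "spec": spec,
                          "size": pool_size(spec)})
    return nats, pools


def link_rules(text):
    """Pair nat commands with their global pools; return (links, warnings)."""
    nats, pools = parse_config(text)
    by_id = defaultdict(list)
    for p in pools:
        by_id[p["nat_id"]].append(p)
    links, warnings, used_ids = [], [], set()
    for n in nats:
        if n["nat_id"] == 0:          # identity NAT (nat 0) needs no global pool
            links.append((n, []))
            continue
        used_ids.add(n["nat_id"])
        matched = by_id.get(n["nat_id"], [])
        if not matched:
            warnings.append(f"nat ({n['iface']}) {n['nat_id']} {n['network']} has no global pool")
        links.append((n, matched))
    for nat_id, ps in by_id.items():
        if nat_id not in used_ids:
            for p in ps:
                warnings.append(f"global ({p['iface']}) {nat_id} {p['spec']} is unused")
    return links, warnings


# Constructed sample: the multi-subnet commands from this lesson plus one
# deliberately orphaned global pool (ID 3) to exercise the check.
SAMPLE = """
nat (inside) 2 10.2.1.0 255.255.255.0 tcp 0 0 udp 0
nat (inside) 1 10.0.1.0 255.255.255.0 tcp 0 0 udp 0
global (outside) 2 192.168.1.17-192.168.1.32 netmask 255.255.255.0
global (outside) 1 192.168.1.3-192.168.1.16 netmask 255.255.255.0
global (outside) 3 192.168.1.40 netmask 255.255.255.255
"""

if __name__ == "__main__":
    links, warnings = link_rules(SAMPLE)
    for n, ps in links:
        for p in ps:
            print(f"nat ({n['iface']}) {n['nat_id']} {n['network']} -> "
                  f"global ({p['iface']}) {p['spec']} [{p['size']} addresses]")
    for w in warnings:
        print("WARNING:", w)
```

Run against a saved `show running-config` excerpt, the script reports the 14-address and 16-address pools for NAT IDs 1 and 2 and warns that pool 3 is unused; the pool sizes are also a quick way to confirm that a range such as 192.168.1.20-192.168.1.254 really provides the 235 addresses the design expects.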
Configuring Dynamic NAT with Two Interfaces

Figure: Configuring Dynamic NAT with Two Interfaces (global addresses for connections from inside to Internet)

In this figure, a global address pool is added for connections from the inside to Internet (outside) interfaces. To create this configuration in Cisco ASDM, complete the following steps:

Step 1 Click the Configuration button in the Cisco ASDM toolbar.
Step 2 Click Firewall in the navigation pane.
Step 3 Choose NAT Rules from the Firewall menu.
Step 4 From the Add drop-down menu, choose Add Dynamic NAT Rule. The Add Dynamic NAT Rule dialog box opens.
Step 5 From the Interface drop-down list within the Original area, choose inside, as shown in the example in the figure.
Step 6 In the Source field, enter the network IP address of the inside network, or click the ellipsis (...) button to select the inside network, as shown in the figure.
Step 7 Click Manage in the Add Dynamic NAT Rule window to begin configuring the address pool to be used for these translations. The Manage Global Pool window opens (not shown in the graphic).
Step 8 For this example, click Add in the Manage Global Pool window to create a new global pool. The Add Global Address Pool window shown in the figure opens.
Step 9 From the Interface drop-down menu, choose outside, because the translated addresses will be used on the outside interface.
Step 10 In the Pool ID field, enter 1.
Step 11 Click the Range radio button from the IP Addresses to Add panel.
Step 12 Enter 192.168.1.20 in the Starting IP Address field.
Step 13 Enter 192.168.1.254 in the Ending IP Address field.
Step 14 Enter 255.255.255.0 in the Netmask (optional) field.
Step 15 Click Add to move the address range you created to the Addresses Pool list.
Step 16 Click OK.

Configuring Dynamic NAT with Two Interfaces (Cont.)

Figure: Configuring Dynamic NAT with Two Interfaces (Cont.) (global address pool for connections from inside to DMZ; Pool ID 1 is assigned to both global address pools)

In the figure, a global address pool is added for connections from the inside to DMZ interfaces.

Step 1 Click Add again in the Manage Global Pool window to add another global address pool to this dynamic NAT rule. The Add Global Address Pool window opens.
Step 2 From the Interface drop-down menu, choose dmz, because this global address pool will be used on the DMZ.
Step 3 Verify that "1" is displayed in the Pool ID field. The "1" should be displayed because this is the first global address pool to be configured for the DMZ.
Step 4 Click the Range radio button from the IP Addresses to Add panel.
Step 5 In the Starting IP Address field, enter 172.16.1.20.
Step 6 In the Ending IP Address field, enter 172.16.1.254.
Step 7 Enter 255.255.255.0 in the Netmask field.
Step 8 Click Add to move the address range you created to the Addresses Pool list.
Step 9 Click OK. The Manage Global Pool window displays both global address pools (not shown in the graphic).
Step 10 Click OK. The Add Dynamic NAT Rule window displays the two global address pools with the same Pool ID of 1. If multiple global pools on different interfaces share the same Pool ID, they are grouped as shown in the figure. If you choose a multi-interface Pool ID, as in this example, traffic is translated as specified when it accesses any of the interfaces in the pool.
Step 11 Select the Pool ID 1 DMZ entry, and click OK.

Configuring Dynamic NAT with Two Interfaces (Cont.)

Figure: Add Dynamic NAT Rule window (global addresses for connections from DMZ to Internet)

In the figure, a dynamic NAT rule is added for connections from the DMZ to outside interfaces.

Step 12 Next, create the dynamic NAT rule for the DMZ interface. Begin by selecting Add > Add Dynamic NAT Rule from the NAT Rules window. The Add Dynamic NAT Rule window opens.
Step 13 From the Interface drop-down list within the Original area, choose dmz.
Step 14 Enter the real network address for the DMZ in the Source field of the Original area, or click the ellipsis (...) button to select the DMZ network, as shown in the figure.
Step 15 Select the global address pool that has been defined for the outside interface. This is the global address pool with the Pool ID of 1.
Step 16 Click OK.
Step 17 Click Apply in the NAT Rules window.

Commands for Dynamic NAT with Two Interfaces

Figure: Commands for Dynamic NAT with Two Interfaces
nat (dmz) 1 172.16.1.0 255.255.255.0 tcp 0 0 udp 0
nat (inside) 1 10.0.1.0 255.255.255.0 tcp 0 0 udp 0
global (dmz) 1 172.16.1.20-172.16.1.254 netmask 255.255.255.0
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
* Inside users can start outbound connections to both the DMZ and the Internet.
* The nat (dmz) command enables DMZ servers to access the Internet.
* The global (dmz) command enables inside users to access the DMZ.

In the figure, the nat (inside) 1 command enables hosts on the inside interface, which has a security level of 100, to start connections to hosts on interfaces with lower security levels. In this case, that includes hosts on the outside interface and hosts on the DMZ. The nat (dmz) 1 command enables hosts on the DMZ, which has a security level of 50, to start connections to hosts on interfaces with lower security levels. In this case, that includes only the outside interface. Because both of the global address pools and the NAT rule for the inside interface use a NAT ID of 1, addresses for hosts on the 10.0.1.0 network can be translated to those in either mapped pool. Therefore, when users on the inside interface access hosts on the DMZ, the global pool for the DMZ interface causes their source addresses to be translated to addresses in the 172.16.1.20 to 172.16.1.254 range. When they access hosts on the outside, the global pool for the outside interface causes their source addresses to be translated to addresses in the 192.168.1.20 to 192.168.1.254 range. When users on the DMZ access outside hosts, the global pool for the outside interface causes their source addresses to be translated to addresses in the 192.168.1.20 to 192.168.1.254 range.

Identity NAT (nat 0)

Figure: Identity NAT (nat 0) (DMZ Internet server 192.168.0.9; inside; Internet)
With NAT control enabled:
* All packets traversing a security appliance require a translation rule.
* Identity NAT is used to create a transparent mapping.
* IP addresses on the high security interface translate to themselves on all lower security interfaces.

If you want the added security of NAT control but do not want to translate certain inside addresses, you can apply the identity NAT rule to those addresses. Identity NAT enables you to map IP addresses transparently so that inside IP addresses are visible on the outside without address translation. IP addresses on the higher security interface translate to themselves on all lower security interfaces.
Use this feature when you have Internet Network Information Center (InterNIC)-registered IP addresses on your inside network that you want accessible on the outside network. Use of identity NAT depends on your security policy. If your policy allows internal clients to have their IP addresses exposed to the Internet, use identity NAT to provide that service.

Your network security policy may dictate that the IP addresses of most, but not all, hosts need to be protected by employing NAT. With NAT control disabled, which is the default, only hosts whose addresses must be protected need an address translation rule to be configured for them. If a traversing packet matches a translation rule, the address is translated. If there are no NAT rules that match the traversing packet, NAT is not applied. Disabling NAT control may obviate the need to configure identity NATs in your network. You still need to add an ACL to allow users on the outside to initiate connections with inside devices via their real (nontranslated) IP addresses.

Configuring Identity NAT

Figure: Configuring Identity NAT (Edit Dynamic NAT Rule window; identity NAT ensures that the Internet server address 192.168.0.9 is visible on the outside interface)

In the figure, the address 192.168.0.9 will not be translated because identity NAT is being configured. It is important to note that identity NAT, which is also called NAT 0, makes the Internet server address visible on the outside interface. To configure identity NAT in Cisco ASDM, complete the following steps:

Step 1 Go to Configuration > Firewall > NAT Rules.
Step 2 From the Add drop-down menu, choose Add Dynamic NAT Rule. The Add Dynamic NAT Rule dialog box opens (not shown in the figure).
Step 3 From the Interface drop-down list in the Original area, choose the interface that is connected to the host whose address you want to bypass translation. For this example, the host whose address will remain untranslated is on the DMZ interface.

Note The figure shows the Edit Dynamic NAT Rule window, which displays a preconfigured identity NAT rule. In the Add Dynamic NAT Rule window, which is used to configure a new identity NAT rule, the Interface field is a drop-down list from which you can choose the original interface.

Step 4 Enter the real addresses in the Source field of the Original area, or use the drop-down menu to choose an IP address that you already defined in Cisco ASDM. If you enter the addresses manually, specify the address and subnet mask using prefix and length notation, such as 10.0.1.0/24. If you enter an IP address without a mask, Cisco ASDM recognizes it as a host address, even if it ends with a 0. In this example, the host address 192.168.0.9, which is the IP address of the DMZ Internet server, is entered in the Source field.
Step 5 Select a global pool. For this example, Pool ID 0 (outbound) is selected so that the address of host 192.168.0.9 is translated to itself when making outbound connections.
Step 6 Click OK in the Add Dynamic NAT Rule window.
Step 7 Click Apply.

Commands for Identity NAT

Figure: Commands for Identity NAT
nat (dmz) 0 192.168.0.9 255.255.255.255 tcp 0 0 udp 0
* The IP address 192.168.0.9 will be translated to itself, 192.168.0.9.

The figure shows the command that Cisco ASDM sends to the security appliance as a result of the identity NAT configuration in the Company XYZ scenario. The nat 0 command configures the security appliance to translate the IP address of the Internet server, 192.168.0.9, to 192.168.0.9. Even with NAT control enabled, users on the outside can access the Internet server by using its real IP address.

Understanding PAT

This topic describes how to configure a security appliance to take advantage of Port Address Translation (PAT).

Scenario: Need to Conserve Registered IP Addresses

Figure: Scenario: Need to Conserve Registered IP Addresses
Problem: Company XYZ uses RFC 1918 private addresses for the hundreds of hosts in its engineering and sales departments. Company XYZ has only a few global IP addresses. Some of the global IP addresses are being used by publicly accessible servers on the DMZ.
Solution: Company XYZ can use PAT to enable the hosts with RFC 1918 addresses to share a single global IP address when connecting to the Internet.

Company XYZ is using private IP addresses for most of its protected hosts. To enable these hosts to access the Internet, the network security administrator has configured dynamic inside NAT. The protected hosts share global IP addresses when making Internet connections. Like most enterprise networks, Company XYZ has received only a small number of global IP addresses from its ISP. The company already has far more hosts than global IP addresses and is growing rapidly. One of the global addresses is taken by the perimeter router, and one is taken by the security appliance. In addition, some of the global addresses are being used by company Internet servers, for which the security administrator has configured transparent translations (identity NAT). Obviously, Company XYZ needs to carefully conserve its global IP addresses. PAT, which is an enhancement of NAT, provides a solution.

Port Address Translation

Figure: Port Address Translation (two inside hosts translated to 192.168.1.3 with source ports 1024 and 1025)
* PAT is a combination of an IP address and a source port number.
* Many different sessions can be multiplexed over a single global IP address.
* Sessions are kept distinct by the use of different port numbers.

Using PAT, multiple connections originating from different hosts on the inside networks can be multiplexed by a single mapped IP address. The multiplexing identifier is the source port number. PAT translates the real IP addresses of various hosts to a single mapped IP address. Specifically, PAT translates the real address and source port to the mapped address and a unique port above 1024. Each connection requires a separate translation because the source port differs for each connection. In the figure, the IP addresses of the two hosts on the inside network are translated to a PAT IP address of 192.168.1.3 and source ports 1024 and 1025.

The security appliance PAT feature expands an address pool as follows:
* One outside IP address is used for up to approximately 64,000 inside hosts.
* PAT maps TCP and UDP port numbers to a single IP address.
* PAT hides the inside source addresses by using a single IP address from the security appliance.
* PAT and NAT can be used together. This is useful, for example, if you need to use dynamic NAT but want to have a backup PAT in case the dynamic NAT addresses are all depleted.
* A PAT address can be a virtual address, different from the outside address.

Do not use PAT when running certain multimedia applications through the security appliance. These multimedia applications need access to specific ports and can conflict with port mappings provided by PAT.

Configuring PAT

Figure: Configuring PAT (Add Global Address Pool window. Configuring PAT is the same as configuring a dynamic NAT rule, with one exception: use a single IP address for the global pool. Select Port Address Translation (PAT) and enter a single IP address in the IP Address field.)
Configuration > Firewall > NAT Rules > Add > Add Dynamic NAT Rule > Manage > Add Global Address Pool

In this example of PAT, the Company XYZ security appliance is configured as follows. IP addresses are assigned to the internal and external interfaces. A single registered IP address is put into the global pool and is shared by all hosts on the inside security appliance interface for outgoing access.
* Inside IP address: 10.0.1.1 255.255.255.0
* Outside IP address: 192.168.1.2 255.255.255.0
* Default gateway: 192.168.1.1

To configure PAT in Cisco ASDM, complete the following steps:

Step 1 Go to Configuration > Firewall > NAT Rules.
Step 2 From the Add drop-down menu, choose Add Dynamic NAT Rule. The Add Dynamic NAT Rule dialog box opens (not shown in the figure).
Step 3 From the Interface drop-down list within the Original area, choose the interface that is connected to the hosts with real addresses that you want to translate. For this example, hosts on the inside network are eligible for translation.
Step 4 Enter the real addresses in the Source field of the Original area, or use the drop-down menu to choose either any or an IP address that you already defined in Cisco ASDM. If you enter the addresses manually, specify the address and subnet mask using prefix and length notation, such as 10.0.1.0/24. If you enter an IP address without a mask, Cisco ASDM recognizes it as a host address, even if it ends with a 0. In this example, any is selected so that any real IP address on the inside interface is affected by the rule.
Step 5 Click Manage. The Manage Global Pool window opens.

Note The figure shows only the Add Global Address Pool window; it does not show the Add Dynamic NAT Rule window.

Step 6 Click Add. The Add Global Address Pool window opens.
Step 7 From the Interface drop-down menu, select the interface where translation will be used. In this example, the translation will be used on the outside interface.
Step 8 In the Pool ID field, enter a number between 1 and 2147483647 to identify the address pool. In this example, the Pool ID is 1.
Step 9 Click the Port Address Translation (PAT) radio button from the IP Addresses to Add pane.
Step 10 Enter the IP address to be used for PAT in the IP Address field. In this example, the PAT IP address is 192.168.1.3.
Step 11 Enter 255.255.255.255 in the Netmask (optional) field.
Step 12 Click Add to move the address to the Addresses Pool list.
Step 13 Click OK.
Step 14 Click OK in the Manage Global Pool window.
Step 15 Click OK in the Add Dynamic NAT Rule window.
Step 16 Click Apply.

Commands for PAT

Figure: Commands for PAT
* When you apply the PAT configuration by clicking Apply in the NAT Rules window, Cisco ASDM sends the following commands to the security appliance.
* For outbound connections, source IP addresses of all hosts on the inside interface of the ASA are translated to 192.168.1.3. The source port is dynamically changed to a unique number greater than 1023.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the PAT configuration in the Company XYZ scenario. The commands are as follows:

nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 0 udp 0
global (outside) 1 192.168.1.3 netmask 255.255.255.255

Note In the nat command, 0.0.0.0 0.0.0.0 matches any addresses.
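The dynamic NAT, identity NAT and PAT examples above all follow one lookup: the nat rule on the ingress interface supplies the NAT ID, and the global pool with that ID on the egress interface supplies the mapped address. The following Python model is an added example, not course material or Cisco code, that reproduces that lookup: nat 0 leaves the address unchanged, a range pool hands out one mapped address per real host and reuses it for later connections, a single PAT address is shared with a unique source port above 1023 per connection, and when a NAT ID carries both kinds of pool on the same interface, range addresses are used until they run out and PAT takes over, as the "PAT and NAT can be used together" bullet above describes. The ordering rules (range pools before PAT, and PAT addresses with the same ID in configuration order) and the port range 1024 through 65535 are assumptions of this model. The RULES and POOLS scenario is constructed for the example from the two-interface, identity NAT and PAT command sets shown in this lesson.

```python
"""Added example (not Cisco code): a toy model of ASA/PIX 8.0 nat/global lookup.

The nat rule on the ingress interface gives the NAT ID; the global pool with
that ID on the egress interface gives the mapped address.  nat 0 is identity
NAT.  Range pools map one real host to one mapped address; a single-address
pool is PAT and shares its address across connections by source port.
Selection order (range pools first, then PAT addresses in configuration
order) and the PAT port range are assumptions of this model.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PAT_FIRST_PORT, PAT_LAST_PORT = 1024, 65535   # assumed PAT source-port range


@dataclass(frozen=True)
class NatRule:
    iface: str
    nat_id: int
    network: str          # "10.0.1.0/24"; "0.0.0.0/0" matches any address


@dataclass(frozen=True)
class GlobalPool:
    iface: str
    nat_id: int
    start: str
    end: Optional[str] = None   # None means a single PAT address


class Translator:
    def __init__(self, nat_rules, global_pools):
        self.rules = [(r, ipaddress.ip_network(r.network)) for r in nat_rules]
        self.pools = list(global_pools)
        self.nat_xlates = {}      # (real_ip, egress) -> mapped ip for dynamic NAT
        self.in_use = set()       # mapped ips already handed out by range pools
        self.next_port = {}       # PAT address -> next free mapped source port

    def translate(self, ingress, real_ip, src_port, egress):
        """Return (mapped_ip, mapped_port); raise if no translation is possible."""
        ip = ipaddress.ip_address(real_ip)
        # The most specific nat rule on the ingress interface wins.
        matches = [(r, n) for r, n in self.rules if r.iface == ingress and ip in n]
        if not matches:
            raise LookupError(f"no nat rule for {real_ip} on {ingress}")
        rule = max(matches, key=lambda rn: rn[1].prefixlen)[0]
        if rule.nat_id == 0:                       # identity NAT: address unchanged
            return real_ip, src_port
        key = (real_ip, egress)
        if key in self.nat_xlates:                 # reuse an existing dynamic NAT xlate
            return self.nat_xlates[key], src_port
        pools = [p for p in self.pools if p.nat_id == rule.nat_id and p.iface == egress]
        if not pools:
            raise LookupError(f"NAT ID {rule.nat_id} has no global pool on {egress}")
        for pool in (p for p in pools if p.end is not None):   # range pools first
            lo = int(ipaddress.ip_address(pool.start))
            hi = int(ipaddress.ip_address(pool.end))
            for cand in range(lo, hi + 1):
                mapped = str(ipaddress.ip_address(cand))
                if mapped not in self.in_use:
                    self.in_use.add(mapped)
                    self.nat_xlates[key] = mapped
                    return mapped, src_port
        for pool in (p for p in pools if p.end is None):       # then PAT, in order
            port = self.next_port.get(pool.start, PAT_FIRST_PORT)
            if port <= PAT_LAST_PORT:
                self.next_port[pool.start] = port + 1
                return pool.start, port
        raise RuntimeError(f"all pools for NAT ID {rule.nat_id} on {egress} are exhausted")


# Constructed scenario: dynamic NAT with two interfaces plus identity NAT for
# the DMZ Internet server, using the command values shown in this lesson.
RULES = [
    NatRule("inside", 1, "10.0.1.0/24"),
    NatRule("dmz", 1, "172.16.1.0/24"),
    NatRule("dmz", 0, "192.168.0.9/32"),
]
POOLS = [
    GlobalPool("dmz", 1, "172.16.1.20", "172.16.1.254"),
    GlobalPool("outside", 1, "192.168.1.20", "192.168.1.254"),
]

if __name__ == "__main__":
    t = Translator(RULES, POOLS)
    print(t.translate("inside", "10.0.1.11", 40000, "dmz"))      # 172.16.1.20, same port
    print(t.translate("inside", "10.0.1.11", 40001, "outside"))  # 192.168.1.20, same port
    print(t.translate("dmz", "192.168.0.9", 443, "outside"))     # unchanged (nat 0)
```

The model is useful for reasoning about capacity: a range pool of N addresses serves at most N concurrent inside hosts, while a PAT address serves roughly 64,000 concurrent connections, which is why the course adds a PAT address to a range pool as a backstop.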
Configuring PAT to Use the Outside Interface Address

Figure: Configuring PAT to Use the Outside Interface Address (Add Global Address Pool window: select Port Address Translation (PAT) Using IP Address of the Interface rather than configuring a global pool)
Configuration > Firewall > NAT Rules > Add > Add Dynamic NAT Rule > Manage > Add Global Address Pool

You can use the IP address of the outside interface as the PAT address by clicking the Port Address Translation (PAT) Using IP Address of the Interface radio button rather than the Port Address Translation (PAT) radio button in the Add Global Address Pool window. This is important when using DHCP for the outside interface IP address because it allows the DHCP-retrieved address to be used for PAT.

PAT Using Outside Interface Address

Figure: PAT Using Outside Interface Address
* The outside interface of the security appliance is configured as a DHCP client.
* When you apply the PAT configuration using the outside interface address by clicking Apply in the NAT Rules window, Cisco ASDM sends the following commands to the security appliance.
* For outbound connections, IP addresses of all hosts on the inside interface of the security appliance are translated to the IP address that the outside interface receives from a DHCP server. The source port is dynamically changed to a unique number greater than 1023.

In the figure, the outside interface of the security appliance is configured to obtain an IP address from a DHCP server. When you apply the PAT configuration, Cisco ASDM sends the following commands to the security appliance:

nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 0 udp 0
global (outside) 1 interface

Source addresses for any hosts on the inside interface are then translated to the DHCP-retrieved IP address of 192.168.1.2 for outgoing access, and the source port is changed to a unique number greater than 1023.

Mapping Subnets to PAT Addresses

Figure: Mapping Subnets to PAT Addresses
* Optionally, you can map subnets to PAT addresses to track the use of IP addresses among your various subnets.
* Each internal subnet is mapped to a different PAT address.
* Source addresses of hosts in network 10.0.2.0 are translated to 192.168.1.8 for outgoing access.
* Source addresses of hosts in network 10.0.3.0 are translated to 192.168.1.9 for outgoing access.
* The source port is changed to a unique number greater than 1023.

With Cisco ASA Adaptive Security Appliance and PIX Firewall Software Version 5.2 and later, you can specify multiple PATs to track use among different subnets. In the figure, network 10.0.2.0 and network 10.0.3.0 are mapped to different PAT addresses. Outbound sessions from hosts on internal network 10.0.2.0 will seem to originate from address 192.168.1.8, and outbound sessions from hosts on internal network 10.0.3.0 will seem to originate from address 192.168.1.9.

Configuring the Mapping of Subnets to PAT Addresses

Figure: Configuring the Mapping of Subnets to PAT Addresses (Add Global Address Pool window for the second NAT rule)

In this example, two NAT rules are being created for the same interface (inside). The interface where the translations for both rules will be used is also the same (outside). In the figure, the global pool (which is a PAT address for this example) is being created for the second NAT rule. When outside is again selected from the Interface drop-down menu, Cisco ASDM automatically increments the Pool ID by 1. If you enter a Pool ID that is already in use, your configuration is rejected.

Configuring the Mapping of Subnets to PAT Addresses (Cont.)

Figure: Configuring the Mapping of Subnets to PAT Addresses (Cont.)
* Create a separate dynamic NAT rule for each subnet on the source interface (NAT ID 1 for subnet 10.0.2.0; NAT ID 2 for subnet 10.0.3.0).
* For multiple rules, Cisco ASDM increments the NAT ID by 1 for each new rule.

To map subnets to PAT addresses, use a separate NAT rule for each subnet. When you create multiple NAT rules for a single interface, Cisco ASDM automatically increments the NAT ID by 1 for each new rule. In this example, two NAT rules are created for the inside interface, one for the 10.0.2.0 network and one for the 10.0.3.0 network. Cisco ASDM assigned NAT IDs 1 and 2 to the rules.

Commands for Mapping Subnets to PAT Addresses

Figure: Commands for Mapping Subnets to PAT Addresses
* The Pool ID configured in Cisco ASDM is the NAT ID in the global command.
* The Pool ID pairs the PAT address with the NAT ID in the nat command.
* IP addresses on network 10.0.2.0 are translated to 192.168.1.8.
* IP addresses on network 10.0.3.0 are translated to 192.168.1.9.

The figure shows the commands that Cisco ASDM sends to the security appliance to map subnets to PAT addresses. Each global command is linked to a nat command by its NAT ID, which is called a Pool ID in Cisco ASDM. The commands sent are as follows:

nat (inside) 2 10.0.3.0 255.255.255.0 tcp 0 0 udp 0
nat (inside) 1 10.0.2.0 255.255.255.0 tcp 0 0 udp 0
global (outside) 2 192.168.1.9 netmask 255.255.255.255
global (outside) 1 192.168.1.8 netmask 255.255.255.255

Backing Up PAT Addresses by Using Multiple PATs

Figure: Backing Up PAT Addresses by Using Multiple PATs
* Source addresses of hosts on the inside interface of the security appliance are translated to 192.168.1.8 for outgoing access.
* Address 192.168.1.9 will be used only when the port pool from 192.168.1.8 is at maximum capacity.

You also can back up your PAT address by configuring multiple PAT addresses with the same Pool ID. In the figure, address 192.168.1.9 will be used for all outbound connections from the inside network when the port pool from 192.168.1.8 is at maximum capacity.

Configuring Backup PAT Addresses by Using Multiple PATs

Figure: Configuring Backup PAT Addresses by Using Multiple PATs
* A dynamic NAT rule is created for the inside interface.
* "any" is selected as the source address.
* The PAT address and the backup PAT address are in the same global pool.

In the example, a dynamic NAT rule is created for the inside interface. Choose any from the Source drop-down menu to specify that the rule applies to any IP address assigned to a host on the inside interface. To complete the configuration for backing up a PAT address, follow these steps:

Step 1 After specifying the original interface and source in the Add Dynamic NAT Rule window shown in the figure, click Manage. The Manage Global Pool window opens (not shown).
Step 2 Click Add. The Add Global Address Pool window opens.
Step 3 Choose outside from the Interface drop-down menu.
Step 4 Verify that a valid Pool ID (1 to 2147483647) is displayed in the Pool ID field. For this example, the Pool ID is 1.
Step 5 Click the Port Address Translation (PAT) radio button from the IP Addresses to Add pane.
Step 6 Enter the first PAT address in the IP Address field. For this example, the first PAT address is 192.168.1.8.
Step 7 Enter 255.255.255.255 in the Netmask (optional) field.
Step 8 Click Add. The IP address moves to the Addresses Pool pane.
Step 9 Enter the second PAT address in the IP Address field. For this example, the second PAT address is 192.168.1.9.
Step 10 Enter 255.255.255.255 in the Netmask (optional) field.
Step 11 Click Add again. The second PAT address moves to the Addresses Pool pane.
Step 12 Click OK. The Manage Global Pool window displays the new Pool ID, the interface on which the pool will be used, and the two PAT addresses.
Step 13 Click OK. The Add Dynamic NAT Rule window is displayed.
Step 14 Verify that the new pool is selected in the Add Dynamic NAT Rule window, and click OK.
Step 15 Click Apply in the NAT Rules window.

Commands for Backing Up PAT Addresses by Using Multiple PATs

Figure: Commands for Backing Up PAT Addresses by Using Multiple PATs
* Cisco ASDM sends the global pool to the security appliance as two global commands with the same NAT ID.

After you click Apply, Cisco ASDM sends the following commands to the security appliance, linking both global commands to the nat command by the NAT ID 1:

nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 0 udp 0
global (outside) 1 192.168.1.8 netmask 255.255.255.255
global (outside) 1 192.168.1.9 netmask 255.255.255.255

Augmenting a Global Pool with PAT

Figure: Augmenting a Global Pool with PAT
* When hosts on the inside network access the outside network through the security appliance, they are assigned public addresses from the 192.168.1.20 to 192.168.1.253 range.
When the addresses fromthe global pool are exhausted, PAT begins with the next available IP ‘address, in this case, 192.168.1.254. ‘You can augment a pool of mapped addresses with PAT. When all IP addresses from the mapped pool are in use, the security appliance begins PAT, using the single IP address you specify as the PAT address. In the figure, hosts on the internal networks are assigned addresses from the mapped pool 192.168.1.20 through 192.168.1.253 as they initiate outbound connections. When the addresses from the mapped pool are exhausted, packets from all hosts on these networks seem to originate from 192.168.1.254, 5:40 Securing Networks with ASA Fundamentals (SNAF) v1.0 © 2008 Cisco Systems, ine Configuring Augmenting a Global Pool with PAT (COE oo + Agyramie NAT rue fag ee ‘realed tor the inside jae Frerioce © ‘any’ selected as the fe [ae aise surce access. Pate eS a feaaeratn ce TE Therange of NAT ones coke ESSER addresses and te PAT Siicmashite (ooeserssreo same gotal poo. In this example, a dynamic NAT rule is created for the inside interface. Enter any in the Source field to specify that the rule applies to any IP address assigned to a host on the inside interface To complete the configuration for augmenting a global pool with PAT, follow these steps: Step1 After specifying the original imterface and source in the Add Dynamic NAT Rule ‘window shown in the figure, click Manage. The Manage Global Pool window opens (not shown) Step2 Click Add. The Add Global Address Pool window opens. Step3 Choose outside from the Inter -e drop-down menu, Step4 Verify that a valid Pool ID (1 to 2147483647) is displayed in the Pool ID field. For this example, the Pool ID is 1 Step 5 Click the Range radio button from the IP Addresses to Add pane. Step6 Enter the first IP address for the global poo! in the Starting IP Address ti ‘example, the starting address is 192,168.1.20, id. In this Step7 Enter the last IP address for the global pool in the Ending IP Address field. 
In this example, the last address is 192.168.1.253.
Step 8   Enter 255.255.255.0 in the Netmask (optional) field.
Step 9   Click Add. The IP address range is displayed in the Addresses Pool panel.
Step 10  Click the Port Address Translation (PAT) radio button in the IP Addresses to Add panel.
Step 11  Enter the PAT address in the IP Address field. For this example, the PAT address is 192.168.1.254.
Step 12  Enter 255.255.255.255 in the Netmask (optional) field.
Step 13  Click Add again. The PAT address moves to the Addresses Pool panel.
Step 14  Click OK. The Manage Global Pool window displays Pool ID 1 along with the global pool address range and the PAT address.
Step 15  Click OK.
Step 16  Verify that the new pool is selected in the Add Dynamic NAT Rule window, and click OK.
Step 17  Click Apply in the NAT Rules window.

Commands for Augmenting a Global Pool with PAT

After you click Apply, Cisco ASDM sends the following commands to the security appliance:

    nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 0 udp 0
    global (outside) 1 192.168.1.20-192.168.1.253 netmask 255.255.255.0
    global (outside) 1 192.168.1.254 netmask 255.255.255.255

Static Translations

This topic describes how to configure a permanent mapping between two IP addresses through a Cisco security appliance.
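Looking back at the two global pools built in this lesson (the two-PAT backup pool and the NAT range augmented with a PAT address), the following Python model, added here and not Cisco code, walks through how such a pool is consumed as inside hosts open outbound connections. The PAT port range (1024 to 65535, handed out in order) and the inside addresses starting at 10.0.0.1 are assumptions of the model, not the appliance's actual port selection.

```python
"""Model of how a global pool that mixes dynamic NAT addresses and PAT
addresses under one NAT ID is consumed.

Added example, not Cisco code. It follows the behaviour the lesson describes:
each inside host takes one mapped address from a NAT range while addresses
last; then new hosts share a PAT address and are told apart by port; and when
a PAT address runs out of ports, the next PAT address in the same pool is
used. The port range below is an assumption of this model.
"""
import ipaddress
from dataclasses import dataclass, field

PAT_PORT_MIN = 1024    # assumed first PAT port handed out by this model
PAT_PORT_MAX = 65535

# The two pools from this lesson, as the global commands Cisco ASDM sends.
BACKUP_PAT_POOL = [
    "global (outside) 1 192.168.1.8 netmask 255.255.255.255",
    "global (outside) 1 192.168.1.9 netmask 255.255.255.255",
]
AUGMENTED_POOL = [
    "global (outside) 1 192.168.1.20-192.168.1.253 netmask 255.255.255.0",
    "global (outside) 1 192.168.1.254 netmask 255.255.255.255",
]


@dataclass
class GlobalPool:
    nat_free: list                       # unused one-to-one mapped addresses
    pat_addresses: list                  # PAT addresses, tried in order
    nat_map: dict = field(default_factory=dict)         # real ip -> mapped ip
    pat_next_port: dict = field(default_factory=dict)   # pat ip -> next free port

    @classmethod
    def from_global_commands(cls, commands):
        """Build a pool from global commands that share one NAT ID.

        A range (first-last) supplies dynamic NAT addresses; a single address
        is a PAT address, as in both examples in the lesson.
        """
        nat_free, pat_addresses, nat_ids = [], [], set()
        for line in commands:
            # global (<iface>) <nat_id> <addr | first-last> netmask <mask>
            parts = line.split()
            if parts[0] != "global" or parts[4] != "netmask":
                raise ValueError(f"not a global command: {line}")
            nat_ids.add(parts[2])
            spec = parts[3]
            if "-" in spec:
                first, last = (ipaddress.ip_address(a) for a in spec.split("-"))
                nat_free.extend(str(ipaddress.ip_address(n))
                                for n in range(int(first), int(last) + 1))
            else:
                pat_addresses.append(spec)
        if len(nat_ids) != 1:
            raise ValueError("all global commands in a pool must share one NAT ID")
        return cls(nat_free, pat_addresses)

    def translate(self, real_ip):
        """Mapped (ip, port) for a new outbound connection from real_ip.

        port is None for a dynamic NAT address; a host that already holds a
        NAT address keeps it for as long as the translation exists.
        """
        if real_ip in self.nat_map:
            return self.nat_map[real_ip], None
        if self.nat_free:
            mapped = self.nat_free.pop(0)
            self.nat_map[real_ip] = mapped
            return mapped, None
        # NAT range exhausted: fall back to PAT, first PAT address first
        for pat_ip in self.pat_addresses:
            port = self.pat_next_port.get(pat_ip, PAT_PORT_MIN)
            if port <= PAT_PORT_MAX:
                self.pat_next_port[pat_ip] = port + 1
                return pat_ip, port
        raise RuntimeError("global pool exhausted: no NAT addresses or PAT ports left")


def simulate_outbound(commands, host_count):
    """Give host_count distinct inside hosts one new outbound connection each.

    Returns a list of (real_ip, mapped_ip, mapped_port) in the order the pool
    assigned them. Inside addresses are constructed starting at 10.0.0.1.
    """
    pool = GlobalPool.from_global_commands(commands)
    base = int(ipaddress.ip_address("10.0.0.1"))
    results = []
    for i in range(host_count):
        real = str(ipaddress.ip_address(base + i))
        mapped, port = pool.translate(real)
        results.append((real, mapped, port))
    return results


if __name__ == "__main__":
    # the last NAT addresses of the augmented pool, then the switch to PAT
    for real, mapped, port in simulate_outbound(AUGMENTED_POOL, 236)[232:]:
        print(real, "->", mapped if port is None else f"{mapped}:{port}")
```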
Figure: Global NAT versus static NAT
■ Global NAT: for dynamic NAT and PAT address assignments; the inside end user receives an address from a pool of available addresses; used mostly for outbound end-user connections.
■ Static NAT: for permanent address assignments; used mostly for server connections (in the figure, the web server 172.16.1.9 and the FTP server 172.16.1.10).

Global NAT configurations are typically used to assign a dynamic address to an end user attempting to make a connection to a resource on the outside network. The source IP address is translated to either a mapped NAT or PAT address. The address is assigned dynamically. Each time an end user attempts an outside connection, a different translated address can be assigned to the end user. In the reverse direction, users from the outside network cannot reliably initiate a connection to a host that uses a dynamic address. Besides the fact that you cannot predict the dynamic IP address of the host, the security appliance creates a translation only when the inside host is the initiator.

Static NAT creates a fixed translation of inside addresses into mapped addresses. With dynamic NAT and PAT, each time an end user attempts an outside connection, a different translated address can be assigned. With static NAT, the mapped address is the same for each consecutive connection; a persistent translation rule exists. Static NAT allows hosts on the outside network to initiate traffic to an inside host using a fixed IP address (if there is an ACL that allows it).

You can use static translations when you want an inside server to always appear with a fixed IP address on the security appliance outside network. Static translations are used as follows to map an inside host address to a static, outside, mapped address:

■ Use static translations for outbound connections to ensure that packets leaving an inside host are always mapped to a specific IP address (such as an inside DNS or Simple Mail Transfer Protocol [SMTP] host).
■ Use static translations for inbound connections that must be mapped to the same IP address.

The following information can help you determine when to use static translations in the security appliance:

■ Do not create static translations with overlapping IP addresses. Each IP address should be unique.
■ Static NAT rules take precedence over dynamic NAT rules.
■ If a mapped IP address is used for PAT, do not use the same mapped IP address for a static translation.

Internet Server Addressing

Figure:
■ Problem: Company XYZ has web servers on its DMZ network that use private addresses. Hosts on the outside network must be able to access each web server at a fixed address at all times.
■ Solution: Company XYZ can use static translations to permanently map a global IP address to each server. An access control list must also be configured before outside hosts can initiate connections to the web servers.

Company XYZ has decided to assign RFC 1918 private addresses to all its protected hosts and to use address translation for Internet access and hiding the private addresses. Because the company has few registered (global) IP addresses, hosts on the inside network will share a range of the registered IP addresses via dynamic NAT. With dynamic NAT, the translation is made only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out.
Users on the outside network, therefore, cannot initiate a reliable connection to a host that uses dynamic NAT, even if the connection is allowed by an access list; the security appliance rejects any attempt to connect to a real host address directly. Company XYZ needs to allow users on the outside network to initiate reliable connections to its e-commerce web server and the FTP server on the DMZ. Static NAT provides the solution for this scenario.

Configuring Static Translations

To configure static translations in Cisco ASDM, complete the following steps:

Step 1   Go to Configuration > Firewall > NAT Rules.
Step 2   From the Add drop-down menu, choose Add Static NAT Rule. The Add Static NAT Rule dialog box opens.

Configuring Static Translations (Cont.)

Figure: the Add Static NAT Rule window, with the Original area (Interface, Source) and the Translated area (Interface, Use IP Address, Use Interface IP Address, Enable Port Address Translation [PAT]).

Step 3   From the Interface drop-down list in the Original area, choose the interface that is connected to the host with real addresses that you want to translate. For this example, the host resides on the DMZ interface.
Step 4   Enter the real addresses in the Source field of the Original area. When you enter the IP address without a mask, Cisco ASDM recognizes it as a host address, even if it ends with a 0. In the example in the figure, the real IP address of the Company XYZ web server, 172.16.1.9, is entered in this field.

Note     You cannot use the same real or mapped address in multiple static rules between the same two interfaces unless you use static PAT.
         Static PAT is the same as static NAT, except that it lets you specify the protocol (TCP or UDP) and port for the real and mapped addresses. This feature lets you identify the same mapped address across many different static statements, provided the port is different for each statement.

Step 5   From the Interface drop-down menu in the Translated area, choose the interface where you want to use the mapped (translated) address. In the example in the figure, the mapped address will be used on the outside interface.
Step 6   Click the Use IP Address radio button, and enter the mapped IP address in the corresponding field. Do not use a mapped address that is also defined in a global pool for the same mapped interface. For this example, the mapped IP address is 192.168.1.3.
Step 7   Click OK. The Add Static NAT Rule window closes.
Step 8   Click Apply in the NAT Rules window.

Commands for Static Translations

Figure: After you configure the static translations for both DMZ servers (the web server and the FTP server) and click Apply in the NAT Rules window, Cisco ASDM sends two static commands to the security appliance. Packets sent to 192.168.1.3 from the outside are translated to the web server, and packets sent to 192.168.1.4 from the outside are translated to the FTP server.

In the example, a static NAT rule was created to permanently map the IP address of the web server, 172.16.1.9, to 192.168.1.3.
After another static NAT rule is created to permanently map the IP address of the FTP server, 172.16.1.10, to 192.168.1.4 and the configuration is applied, Cisco ASDM sends the following commands to the security appliance:

    static (dmz,outside) 192.168.1.3 172.16.1.9 netmask 255.255.255.255 tcp 0 0 udp 0
    static (dmz,outside) 192.168.1.4 172.16.1.10 netmask 255.255.255.255 tcp 0 0 udp 0

You can use the show run static command to view static statements in the configuration, which indicate the following:

■ Packets sent to 192.168.1.3 from the outside are translated to 172.16.1.9 on the DMZ.
■ Packets sent to 192.168.1.4 from the outside are translated to 172.16.1.10 on the DMZ.
■ When a packet sourced from the web server traverses the security appliance between the DMZ and the outside interfaces, the web server source IP address of 172.16.1.9 is translated to 192.168.1.3.
■ When a packet sourced from the FTP server traverses the security appliance between the DMZ and the outside interfaces, the FTP server source IP address of 172.16.1.10 is translated to 192.168.1.4.

Net Static

Figure: the web server 172.16.1.9 and the FTP server 172.16.1.10 on the DMZ appear on the outside interface as addresses on the 192.168.10.x subnet.
■ Creates mappings between IP addresses on one subnet and IP addresses on another subnet.
■ Unlike dynamic NAT, allows a remote host to initiate a connection to a translated host (if an access list exists that allows it).
■ Translates 172.16.1.x from the DMZ to 192.168.10.x.

You can permanently map host addresses on one subnet to a subnet that is on a lower security interface. Such mappings are known as "net statics." Net statics enable you to translate multiple hosts on one subnet to another using a single NAT rule. In the figure, the administrator wants the server addresses on the DMZ to be translated to a subnet on the outside interface. To accomplish this task, the administrator configures a static NAT rule with two subnets rather than two host addresses.
Any packet sourced from a server address on subnet 172.16.1.0/24 on the DMZ is translated to a host address on the 192.168.10.0/24 subnet on the outside interface.

Configuring a Net Static

Figure: the Add Static NAT Rule window with the real network address in the Source field (real interface) and the mapped network address in the Use IP Address field (mapped interface).

Configuring a net static is much like configuring a regular static translation. Like other static translations, the net static is configured in the Add Static NAT Rule window. The only difference is that the IP addresses used in the Source and Use IP Address fields are subnet, or network, addresses rather than individual host IP addresses.

In the Source field, enter the real network address, or click the ... button to choose an address that you already defined in Cisco ASDM. Specify the address and subnet mask using prefix length notation, such as 10.0.1.0/24.

To specify the mapped IP address, click the Use IP Address radio button. Then enter the mapped network address, or click the ... button to choose a network address that you already defined in Cisco ASDM. Specify the address and subnet mask using prefix length notation, such as 10.0.1.0/24. In the example in the figure, the DMZ network 172.16.1.0/24 will be translated to 192.168.10.0/24.
Command for Net Static

After you complete the net static configuration and click Apply in the NAT Rules window, Cisco ASDM sends the following single command to the security appliance:

    static (dmz,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0 tcp 0 0 udp 0

This static command causes the security appliance to translate host IP addresses on the 172.16.1.0 subnet to IP addresses on the 192.168.10.0 subnet. As shown in the figure, servers on the DMZ appear on the outside interface as addresses on the 192.168.10.0 network.

Static PAT: Port Redirection

Figure: Static PAT is used to create a permanent translation between a mapped IP address and port number and a specific real IP address and port number; packets to the mapped address and port are redirected to the real address and port.

The security appliance provides static PAT capability. This enables outside users to connect to a particular IP address and port. The security appliance redirects traffic to the appropriate inside server and port number. This capability can be used to send multiple inbound TCP or UDP services to different internal hosts through a single global address. The shared address can be a unique address, or it can be shared with the external interface.
For example, if you want to provide a single address for global users to access the FTP and web servers, but these are all actually different servers on the local network, you can create two static translations, one for each of the following:

■ Mapped HTTP IP address to real IP address: 192.168.1.9/www to 172.16.1.9/www
■ Mapped FTP IP address to real IP address: 192.168.1.9/ftp to 172.16.1.10/ftp

In the example in the figure, if a web packet is sent to 192.168.1.9, it is redirected to the web server at IP address 172.16.1.9. If an FTP packet is sent to 192.168.1.9, it is redirected to the FTP server at IP address 172.16.1.10.

You also can use this feature to translate a well-known port to a lesser-known port or vice versa. For example, if the inside web server uses port 80, you can allow outside users to connect to port 8080 and then translate them to the correct port. Similarly, if you want to provide extra security, you can tell your web users to connect to lesser-known port 6785 and then translate them to port 80 on the local network.

Configuring Static PAT

Figure: the Add Static NAT Rule window with Use IP Address selected, the Enable Port Address Translation (PAT) check box checked, and the Protocol, Original Port, and Translated Port fields.

Like net statics and other static translations, static PAT is also configured in the Add Static NAT Rule window. Complete the following steps to configure static PAT:

Step 1   Go to Configuration > Firewall > NAT Rules.
Step 2   From the Add drop-down menu, choose Add Static NAT Rule. The Add Static NAT Rule dialog box opens.
Step 3   From the Interface drop-down list in the Original area, choose the interface that is connected to the host with the real address that you want to translate. For this example, the host resides on the DMZ interface.
Step 4   Enter the real addresses in the Source field of the Original area. When you enter the IP address without a mask, Cisco ASDM recognizes it as a host address, even if it ends with a 0.
         In the example in the figure, the real IP address of the Company XYZ web server, which is 172.16.1.9, is entered in this field.
Step 5   From the Interface drop-down menu in the Translated area, choose the interface where you want to use the mapped (translated) address. In the example in the figure, the interface will be the outside interface.
Step 6   Click the Use IP Address radio button, and enter the mapped IP address in the corresponding field. Optionally, you can click Use Interface IP Address to use the IP address of the outside security appliance interface as the mapped address. If you select this option, the real and mapped addresses must have the same subnet mask. For this example, 192.168.1.9 is used as the mapped IP address.

Note     Static PAT allows you to identify the same mapped address across many different static rules, provided the port is different for each rule. You cannot use the same mapped address for multiple static NAT rules.

Step 7   Check the Enable Port Address Translation (PAT) check box.
Step 8   For the Protocol, select TCP or UDP. Because FTP uses TCP as its transport protocol, TCP is selected for this example.
Step 9   In the Original Port field, enter the real port number. You can specify ports by either a literal name or a number in the range of 0 to 65535. For this example, http is entered to indicate that static PAT should be triggered by FTP connection attempts.
Step 10  In the Translated Port field, enter the mapped port number. You can specify ports by either a literal name or a number in the range of 0 to 65535. In this translation, http is entered in both the Translated Port field and the Original Port field.
Step 11  Click OK. The Add Static NAT Rule window closes.
Step 12  Click Apply in the NAT Rules window.

Configuring Static PAT (Cont.)
Figure: the Add Static NAT Rule window for the FTP server, with 172.16.1.10 in the Source field, 192.168.1.9 in the Use IP Address field, and ftp in the port fields.

The figure shows how to configure static PAT for the Company XYZ FTP server. The following values are the same in the static PAT rules created for the web server and the FTP server:

■ Original interface: As with the web server, the FTP server resides on the DMZ interface.
■ Translated interface: As with the web server, the mapped address for the FTP server will be used on the outside interface.
■ Translated IP address: Both the web server and the FTP server will use 192.168.1.9 as the mapped IP address.
■ Use of PAT: PAT is enabled for both translations.
■ Protocol: TCP is selected as the protocol for both translations because the servers will handle HTTP and FTP requests, and both HTTP and FTP use TCP as their transport protocol.

The following values must be different for the FTP server configuration:

■ Source (original) IP address: The real address for the FTP server is 172.16.1.10.
■ Port: While the web server will handle port 80 requests to 192.168.1.9, the FTP server will handle port 21 requests to 192.168.1.9.
  In the example in the figure, ftp is entered in the port fields.

Commands for Static PAT

Figure: the two static commands for the web server and the FTP server; packets destined for 192.168.1.9 port 80 are redirected to 172.16.1.9, and packets destined for 192.168.1.9 port 21 are redirected to 172.16.1.10.

After you complete the static PAT configuration and click Apply in the NAT Rules window, Cisco ASDM sends the following commands to the security appliance:

    static (dmz,outside) tcp 192.168.1.9 80 172.16.1.9 80 netmask 255.255.255.255 tcp 0 0 udp 0
    static (dmz,outside) tcp 192.168.1.9 21 172.16.1.10 21 netmask 255.255.255.255 tcp 0 0 udp 0

In the figure, an external user directs an FTP request to the security appliance address 192.168.1.9. The security appliance redirects the request to the DMZ FTP server at IP address 172.16.1.10. To access the web server, the external user directs an HTTP request to the security appliance address 192.168.1.9 port 80. The security appliance redirects the request to the web server at IP address 172.16.1.9. (For external users to access the DMZ servers, an ACL would also have to be present in the configuration.)
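The three kinds of static command shown in this lesson (host static NAT, the net static, and static PAT) are modelled together in the following added Python example, which is not Cisco code. It parses the commands in the form Cisco ASDM sends them, applies them to packets in both directions, and checks the rule set for the overlaps the lesson says to avoid; the literal port names www, http and ftp are the only ones it knows, and the packet values in the test are constructed.

```python
"""Model of the static translations configured in this lesson.

Added example, not Cisco code. A packet arriving from the mapped (outside)
side whose destination is a mapped address (and, for static PAT, the mapped
protocol and port) is sent to the real address; a packet leaving a real host
has its source rewritten to the mapped address. Rules are tried in
configuration order, first match. The trailing "tcp 0 0 udp 0" connection
limits are parsed past but not modelled here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "ftp": 21}   # literal port names used in the lesson

HOST_STATICS = [  # web server and FTP server, one mapped address each
    "static (dmz,outside) 192.168.1.3 172.16.1.9 netmask 255.255.255.255 tcp 0 0 udp 0",
    "static (dmz,outside) 192.168.1.4 172.16.1.10 netmask 255.255.255.255 tcp 0 0 udp 0",
]
NET_STATIC = [  # the whole DMZ subnet mapped to a subnet on the outside
    "static (dmz,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0 tcp 0 0 udp 0",
]
STATIC_PAT = [  # one mapped address: port 80 to the web server, port 21 to the FTP server
    "static (dmz,outside) tcp 192.168.1.9 80 172.16.1.9 80 netmask 255.255.255.255 tcp 0 0 udp 0",
    "static (dmz,outside) tcp 192.168.1.9 21 172.16.1.10 21 netmask 255.255.255.255 tcp 0 0 udp 0",
]


@dataclass(frozen=True)
class StaticRule:
    real_if: str
    mapped_if: str
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network
    proto: Optional[str] = None        # "tcp" or "udp" for static PAT, else None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_static(line):
    """static (real_if,mapped_if) [tcp|udp] mapped [mport] real [rport] [netmask mask] ..."""
    parts = line.split()
    if parts[0] != "static":
        raise ValueError(f"not a static command: {line}")
    real_if, mapped_if = parts[1].strip("()").split(",")
    rest = parts[2:]
    proto = mapped_port = real_port = None
    if rest[0] in ("tcp", "udp"):                 # static PAT form
        proto = rest[0]
        mapped_ip, mapped_port = rest[1], port_number(rest[2])
        real_ip, real_port = rest[3], port_number(rest[4])
        rest = rest[5:]
    else:                                          # host static or net static form
        mapped_ip, real_ip = rest[0], rest[1]
        rest = rest[2:]
    mask = rest[1] if rest[:1] == ["netmask"] else "255.255.255.255"
    return StaticRule(real_if, mapped_if,
                      ipaddress.ip_network(f"{mapped_ip}/{mask}"),
                      ipaddress.ip_network(f"{real_ip}/{mask}"),
                      proto, mapped_port, real_port)


def translate_inbound(rules, proto, dst_ip, dst_port):
    """Packet from the mapped side to dst_ip:dst_port -> (real_ip, real_port) or None."""
    addr = ipaddress.ip_address(dst_ip)
    for r in rules:
        if addr not in r.mapped:
            continue
        if r.proto is not None:                    # static PAT: protocol and port must match too
            if proto == r.proto and dst_port == r.mapped_port:
                return str(r.real.network_address), r.real_port
            continue
        # host or net static: keep the host part, swap the network part, port untouched
        return str(r.real.network_address + (int(addr) - int(r.mapped.network_address))), dst_port
    return None


def translate_outbound(rules, proto, src_ip, src_port):
    """Packet from the real side sourced at src_ip:src_port -> (mapped_ip, mapped_port) or None."""
    addr = ipaddress.ip_address(src_ip)
    for r in rules:
        if addr not in r.real:
            continue
        if r.proto is not None:
            if proto == r.proto and src_port == r.real_port:
                return str(r.mapped.network_address), r.mapped_port
            continue
        return str(r.mapped.network_address + (int(addr) - int(r.real.network_address))), src_port
    return None


def find_conflicts(rules):
    """Pairs the lesson forbids: same interface pair and an overlapping real or mapped
    address, unless both rules are static PAT entries for a different protocol/port."""
    bad = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_pair = (a.real_if, a.mapped_if) == (b.real_if, b.mapped_if)
            overlap = a.mapped.overlaps(b.mapped) or a.real.overlaps(b.real)
            pat_ok = a.proto and b.proto and (a.proto, a.mapped_port) != (b.proto, b.mapped_port)
            if same_pair and overlap and not pat_ok:
                bad.append((a, b))
    return bad
```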
Note     If you use the CLI to configure the security appliance, remember that specifying the keyword tcp or udp in the static command configures static TCP or UDP port redirection.

Order of NAT Commands Used to Match Real Addresses

Figure: A connection is initiated at an inside interface.
■ The security appliance consults the access rules first.
■ The security appliance makes a routing decision to determine the outbound interface.
■ The source address is checked against the local addresses in the translation table: if found, the source address is translated according to the translation slot.
■ Otherwise, the security appliance looks for a match to the local address in the following order:
  – NAT exemption (NAT 0 with ACL): in order, until first match
  – Static NAT and static PAT (regular and policy): in order, until first match
  – Policy dynamic NAT: in order, until first match
  – Regular dynamic NAT (including NAT 0 without ACL): best match
■ If NAT control is enabled and no match is found, the packet is dropped.

For outbound connections with NAT control enabled, the destination interface is evaluated according to the routing table; it must be at a lower security level than the originating interface unless the same-security-traffic option is configured. The security appliance then compares the source address with the inside-local entries in the translation table. If a match is found, the translation is used. If no translation for this source-destination interface pair exists, the security appliance matches local traffic to translation commands in the following order:

■ NAT exemption (nat 0 access-list): In order, until the first match. Identity NAT is not included in this category. NAT exemption exempts addresses from translation.
■ Static NAT and static PAT (regular and policy): In order, until the first match.
■ Policy dynamic NAT (nat nat_id access-list): In order, until the first match.
■ Regular dynamic NAT (including NAT 0 without ACL): Best match.
  Regular identity NAT is included in this category and is matched first. The order of the other regular dynamic NAT rules does not matter; the NAT rule that best matches the real address is used. For example, you can create a general rule to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, you can create a rule to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific rule for 10.1.1.1 is used because it matches the real address best. Using overlapping rules is not recommended; overlapping rules use more memory and can slow the performance of the security appliance.

A new translation is created according to the translation rules. With NAT control enabled, the security appliance enforces address translation. When no matching translation rule for this new connection is found, the packet is dropped. With NAT control disabled, when no match for this new connection is found, NAT is not applied to the packet and the packet is forwarded if the security policy permits it.

TCP SYN Cookies and Connection Limits

This topic describes the TCP SYN cookies feature and how to set embryonic, TCP, and UDP connection limits in Cisco security appliances.

Connection Limits

You can set the following connection limits on the security appliance:

■ Embryonic connection limit: Maximum number of embryonic connections per host. An embryonic connection is a connection request that has not completed a TCP three-way handshake between the source and the destination.
■ TCP maximum connection limit: Maximum number of simultaneous TCP connections that each real IP host is allowed to use. Idle connections are closed after the time specified in Configuration > Firewall > Advanced > Global Timeouts.
■ UDP maximum connection limit: Maximum number of simultaneous UDP connections that each real IP host is allowed to use.

Protection against various denial of service (DoS) attacks has increased through newer versions of security appliance operating systems. Beginning in Cisco PIX Firewall Software Version 5.2, TCP Intercept provided for proxy resets of sessions without any knowledge or interference from the destination station. Version 6.2 introduced TCP SYN cookies, a proxy verification tool that the security appliance operating system uses to validate a new TCP session.

Setting the maximum TCP connections in a static or dynamic NAT rule enables you to limit the number of TCP connections that a host is permitted to use. Setting the maximum embryonic connections in a static or dynamic NAT rule enables you to specify the maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary three-way TCP handshake between source and destination. Cisco ASA and PIX Security Appliance Software Version 7.0 introduced the maximum UDP connections feature, which, when used in a static or dynamic NAT rule, enables you to limit the number of UDP connections that a host is permitted to use.

TCP Three-Way Handshake

Figure: a SYN flood, in which SYN segments carrying spoofed source addresses are sent to the target and the target's SYN-ACK replies go to hosts that do not exist.

SYN flood attacks, also known as TCP flood attacks and half-open, or embryonic, connection attacks, are common DoS attacks perpetrated against IP servers. The attacker spoofs a nonexistent source IP address and floods the target with SYN packets that are pretending to come from the spoofed host. SYN packets to a host are the first step in the three-way handshake of a TCP-type connection; therefore, the target responds as expected with SYN-ACK packets destined for the spoofed host or hosts.
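Returning to the order of NAT commands described earlier in this lesson, before the connection-limits material, here is an added Python model of that lookup; it is not Cisco code. The rule set, the interface names, and the networks attributed to the two access-list rules (POLICY_NAT and NO_NAT are made-up ACL names) are constructed for the illustration.

```python
"""Model of the order in which the security appliance matches a real address
to its translation commands for a new outbound connection.

Added example, not Cisco code. An existing translation slot wins; then NAT
exemption, static NAT/PAT and policy dynamic NAT are each searched in
configuration order until the first match; then regular dynamic NAT picks
the best match (identity NAT first, otherwise the most specific network).
With NAT control enabled, no match means the packet is dropped; with it
disabled, the packet goes on untranslated. The rule set is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Categories searched in this order; first match wins inside each one.
FIRST_MATCH_KINDS = ("exemption", "static", "policy_dynamic")


@dataclass(frozen=True)
class NatRule:
    kind: str                 # "exemption", "static", "policy_dynamic" or "dynamic"
    interface: str            # interface the real addresses live on
    nat_id: Optional[int]     # 0 for nat 0; None for static commands, which carry no NAT ID
    real: ipaddress.IPv4Network
    command: str              # the CLI form, for reporting


def rule(kind, interface, nat_id, real, command):
    return NatRule(kind, interface, nat_id, ipaddress.ip_network(real), command)


# Constructed rule set. The access-list rules carry the network their ACL
# would select, since the ACL itself is not part of this model.
RULES = [
    rule("dynamic", "inside", 1, "0.0.0.0/0",
         "nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 0 udp 0"),
    rule("policy_dynamic", "inside", 2, "10.1.2.0/24",
         "nat (inside) 2 access-list POLICY_NAT"),
    rule("static", "inside", None, "10.1.2.7/32",
         "static (inside,outside) 192.168.1.7 10.1.2.7 netmask 255.255.255.255"),
    rule("dynamic", "inside", 3, "10.1.1.1/32",
         "nat (inside) 3 10.1.1.1 255.255.255.255"),
    rule("dynamic", "inside", 0, "10.1.4.0/24",
         "nat (inside) 0 10.1.4.0 255.255.255.0"),
    rule("exemption", "inside", 0, "10.1.3.0/24",
         "nat (inside) 0 access-list NO_NAT"),
]


def select_translation(rules, interface, real_ip, xlate_table=None, nat_control=True):
    """Return (decision, rule_or_slot) for a connection from real_ip on interface.

    decision is "xlate" (existing slot reused), one of the rule kinds, "drop"
    (NAT control on, nothing matched) or "untranslated" (NAT control off).
    xlate_table maps (interface, real_ip) to an existing translation slot.
    """
    addr = ipaddress.ip_address(real_ip)
    if xlate_table and (interface, real_ip) in xlate_table:
        return "xlate", xlate_table[(interface, real_ip)]
    on_if = [r for r in rules if r.interface == interface and addr in r.real]
    for kind in FIRST_MATCH_KINDS:
        for r in on_if:                              # configuration order
            if r.kind == kind:
                return kind, r
    dynamic = [r for r in on_if if r.kind == "dynamic"]
    if dynamic:
        identity = [r for r in dynamic if r.nat_id == 0]   # identity NAT is matched first
        best = identity[0] if identity else max(dynamic, key=lambda r: r.real.prefixlen)
        return "dynamic", best
    return ("drop" if nat_control else "untranslated"), None


if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.1.1.2", "10.1.2.7", "10.1.2.8", "10.1.3.3", "10.1.4.5"):
        decision, matched = select_translation(RULES, "inside", ip)
        print(ip, decision, matched.command if matched else "")
```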
Because these SYN-ACK packets are sent to hosts that do not exist, the target sits and waits for the corresponding ACK packets that never show up. This causes the target to overflow its port buffer with embryonic connections and to stop responding to legitimate requests.

SYN Cookies

Figure:
■ The security appliance responds to the SYN with a SYN-ACK that includes a cookie in the TCP header. The security appliance keeps no state information.
■ The cookie is a hash of parts of the TCP header and a secret key, encoded into the ISN field that the appliance responds with in its SYN-ACK.
■ A legitimate client completes the handshake by sending the ACK back with the cookie.
■ If the cookie is authentic, the security appliance proxies the TCP session.

In Cisco PIX Firewall Software Version 6.2, the TCP SYN cookies feature was introduced. This feature is a less CPU-intensive method of checking the validity of incoming TCP sessions. With TCP SYN cookies, the security appliance does not need to allocate memory; therefore, it has a higher resilience to a DoS attack. Instead, the most basic data comprising the connection state is compressed into the bits of the sequence number used in the SYN-ACK. For a legitimate connection, an ACK segment will be received that echoes this sequence number plus one.

With TCP SYN cookies, after the embryonic connection limit is reached, the security appliance receives a SYN packet and responds with a SYN-ACK packet in which the ACK sequence number is calculated from the source address, source port, source sequence number, destination address, destination port, and a secret seed. Then the security appliance releases all state information. If an ACK returns from the client, the security appliance can recalculate it to determine if it is a response to a previous SYN-ACK. If so, the security appliance can attempt to open a connection to the server.
In this way, both the security appliance and the server avoid managing a batch of potentially useless embryonic connections. The SYN cookies feature is more scalable in terms of performance. This feature replaces TCP Intercept.

Configuring Embryonic Connection Limits

Figure (Add Dynamic NAT Rule window, Connection Settings):
■ Setting the embryonic connection limit enables TCP proxy via SYN cookies.
■ A value of 0, which is the default, disables protection.
■ When the embryonic connection limit is exceeded, all connections are proxied.

To protect internal hosts against DoS attacks, you can limit the number of embryonic connections that are allowed per host. To accomplish this, click the Connection Settings double arrow to expand the connection settings content. Set the embryonic connections limit, or threshold, to a number from 1 to 65535, inclusive. If the number of embryonic, or half-open, connections exceeds the embryonic connections threshold, the security appliance will reply to any new open connections with a SYN cookie until the number of half-open connections falls below the threshold. A value of 0, the default, means unlimited half-open connections and no SYN cookie responses by the security appliance. You can use the show local-host command to view the embryonic count.

The embryonic connections threshold is configurable using either a dynamic NAT rule or a static NAT rule. In the figure, the embryonic connections threshold is set to 25 in a dynamic NAT rule. Thresholds for TCP and UDP connections can also be configured in a dynamic NAT rule. The default is 0, which means unlimited connections.
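The SYN cookie exchange described above, with the embryonic threshold that switches it on, as an added Python model that is not Cisco code: the cookie is a keyed hash of the five header fields plus a secret seed, sent as the ISN of the SYN-ACK, and the returning ACK is verified by recomputation without any stored state. The hash construction (HMAC-SHA256 truncated to 32 bits), per-destination-host counting of half-open connections, and the segments in the test are assumptions of this model.

```python
"""Stateless SYN-cookie proxying in the style this lesson describes.

Added example, not Cisco code. Below the embryonic limit the proxy keeps a
half-open entry per SYN, as the server would. Once a destination host has
that many half-open connections, each further SYN is answered with a
SYN-ACK whose ISN is a keyed hash of source address, source port, source
sequence number, destination address, destination port and a secret seed,
and nothing is stored. An ACK is accepted only if its acknowledgement number
is that cookie plus one, which the proxy recomputes from the ACK itself.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

SEQ_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class TcpSegment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    flags: str          # "SYN", "SYN-ACK" or "ACK"


def syn_cookie(seed, src_ip, src_port, dst_ip, dst_port, client_seq):
    """32-bit ISN derived from the five header fields and the secret seed
    (HMAC-SHA256 truncated to 32 bits is this model's choice of hash)."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_seq}".encode()
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


@dataclass
class SynCookieProxy:
    embryonic_limit: int                           # 0 means disabled, as in the lesson
    seed: bytes = field(default_factory=lambda: os.urandom(16))
    half_open: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> client seq
    established: list = field(default_factory=list)

    def half_open_count(self, dst_ip):
        """Half-open connections currently tracked for one destination host."""
        return sum(1 for key in self.half_open if key[2] == dst_ip)

    def receive(self, seg):
        """Returns (action, payload): ("forward", seg), ("syn-ack", reply),
        ("open-to-server", key) or ("drop", None)."""
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        if seg.flags == "SYN":
            if self.embryonic_limit == 0 or self.half_open_count(seg.dst_ip) < self.embryonic_limit:
                self.half_open[key] = seg.seq                  # normal path: state is kept
                return "forward", seg
            isn = syn_cookie(self.seed, *key, seg.seq)         # over the limit: answer statelessly
            reply = TcpSegment(seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port,
                               isn, (seg.seq + 1) & SEQ_MASK, "SYN-ACK")
            return "syn-ack", reply
        if seg.flags == "ACK":
            if key in self.half_open:                          # completes a tracked handshake
                del self.half_open[key]
                self.established.append(key)
                return "forward", seg
            # the ACK's seq is the client's SYN seq + 1; recompute the cookie from that
            expected = syn_cookie(self.seed, *key, (seg.seq - 1) & SEQ_MASK)
            if seg.ack == (expected + 1) & SEQ_MASK:
                self.established.append(key)
                return "open-to-server", key                   # proxy now completes the server side
            return "drop", None
        return "drop", None
```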
You can use a dynamic NAT rule to protect hosts on lower-security level interfaces from DoS attacks by limiting the number of embryonic connections from hosts on higher-security level interfaces.

Configuring TCP and UDP Connection Limits

Figure (Add Static NAT Rule window, Connection Settings):
■ Maximum TCP Connections and Maximum UDP Connections: the maximum number of simultaneous TCP or UDP connections that the local IP hosts are allowed to use. A value of 0 (the default) disables protection. Idle connections are closed after the time specified in the global timeouts.
■ In the example, Maximum TCP Connections is set to 200 and the embryonic limit to 25.

To configure connection settings in the Add Dynamic NAT Rule window or the Add Static NAT Rule window, click the Connection Settings double arrow to expand the connection settings content. Use the Maximum TCP Connections field to set the maximum number of simultaneous TCP connections that each internal network IP host is allowed to use. Idle connections are closed after the time that is specified as the connection global timeout. The default is 1 hour. In the static NAT rule example in the figure, the maximum number of TCP connections is set to 200 and the embryonic limit is set to 25. Use the Maximum UDP Connections field to set the maximum number of simultaneous UDP connections that each internal network IP host is allowed to use. Idle connections are closed after the time that is specified as the UDP global timeout. The default is 2 minutes.

Note     You can configure global timeouts in Cisco ASDM at Configuration > Firewall > Advanced > Global Timeouts.

In both the Add Dynamic NAT Rule window and the Add Static NAT Rule window, you can set the maximum number of simultaneous UDP connections even when the maximum number of simultaneous TCP connections is not set. This allows the two limits to be configured independently. You can also set TCP, UDP, and embryonic limits as part of a service policy rule. This method is discussed in another lesson.
If you configure connection limits for the same traffic using both methods (the service policy and NAT rule methods), the security appliance uses the lower limit.

The show local-host command enables you to view the connection slots for local hosts. A local host is any host that forwards traffic to, or through, the security appliance. This command also displays the connection limit values. If a connection limit is not set, the value displays as 0 and the limit is not applied. When a maximum embryonic connection limit is configured for a host, the show local-host command also displays the total embryonic connections to the host from other hosts. To view the number of active TCP connections, use the show conn command.

Connection Limits Example

Figure: an inside host and a DMZ server (172.16.1.2, mapped to 192.168.1.11) behind the security appliance, with the nat and static commands that set their connection limits; once the embryonic limit is reached, the security appliance answers further SYNs with a SYN-ACK carrying a cookie.

When you apply the configuration in this example, Cisco ASDM sends the following commands to the security appliance:

    nat (inside) 1 0.0.0.0 0.0.0.0 tcp 0 25 udp 0
    static (dmz,outside) 192.168.1.11 172.16.1.2 netmask 255.255.255.255 tcp 200 25 udp 0

As shown in the figure, these commands configure the security appliance as follows:

■ IP addresses of all hosts on the inside network are dynamically translated for outbound connections (if a global address pool exists in the configuration).
■ The DMZ host (172.16.1.2) appears on the outside network to have the IP address 192.168.1.11.
■ After 200 TCP connections are made to the DMZ server, the security appliance drops new connections.
■ After 25 embryonic connections are made to the DMZ server, the security appliance intercepts and proxies the three-way handshake using TCP SYN cookies.
- After 25 embryonic connections are initiated from the inside host to an outside server, the security appliance intercepts and proxies the three-way handshake using TCP SYN cookies.

Connections and Translations

This topic describes how connections and translations are different and how to verify them in a security appliance.

[Figure: Connections Versus Translations. Translation: NAT maps a mapped address to a real address; PAT maps a mapped address and port to a real address and port. Connections: host address and port to host address and port. Several connections can share one translation.]

With NAT, mapped IP addresses are translated to real IP addresses. With PAT, the mapped address and mapped port number are translated to the real address and real port number. Connections are at the transport layer and are from a source host and port number to a destination host and port number. Connections are subsets of translations. You can have many connections open that are all using one address translation.

Using the CLI to View Connections

    asa1# show conn
    2 in use, 9 most used
    TCP out 192.168.10.7:80 in 10.0.1.11:2824 idle 0:00:03 bytes 2320 flags UIO
    TCP out 192.168.10.7:80 in 10.0.1.11:2823 idle 0:00:03 bytes 3236 flags UIO

The show conn command displays the number of active connections and information about them. In the figure, there are two connections between inside (in) host 10.0.1.11 and outside (out) web server 192.168.10.7. Connections are addressed to TCP port 80 on the web server. The replies are addressed to host 10.0.1.11, ports 2824 and 2823.
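The following is an added example, not Cisco code and not part of this lesson: a small parser that turns the show conn output above into records, decodes the UIO flags with the meanings the lesson gives them (up, inbound data, outbound data), and counts connections per inside host, which is the conn count show local-host reports for that host. SAMPLE is the figure's output reproduced as a string; any flag letter the lesson does not explain is reported as unknown rather than guessed.

```python
"""Parse `show conn` output into records and decode the connection flags.

Added example, not Cisco code. SAMPLE is the output shown in this lesson's
figure; the meaning of flags U, I and O is as the lesson gives it. Other
flag letters are reported as unknown rather than guessed.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
2 in use, 9 most used
TCP out 192.168.10.7:80 in 10.0.1.11:2824 idle 0:00:03 bytes 2320 flags UIO
TCP out 192.168.10.7:80 in 10.0.1.11:2823 idle 0:00:03 bytes 3236 flags UIO
"""

COUNT_RE = re.compile(r"^(\d+) in use, (\d+) most used$")
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r" in (?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r" idle (?P<idle>\d+:\d\d:\d\d) bytes (?P<bytes>\d+) flags (?P<flags>\S+)$"
)
FLAG_MEANING = {"U": "up", "I": "inbound data", "O": "outbound data"}


@dataclass(frozen=True)
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle_seconds: int
    bytes: int
    flags: str


def _idle_to_seconds(idle: str) -> int:
    """Convert the h:mm:ss idle time to seconds."""
    h, m, s = (int(x) for x in idle.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_conn(text: str):
    """Return (in_use, most_used, [Conn, ...]) from show conn output."""
    in_use = most_used = None
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            in_use, most_used = int(m.group(1)), int(m.group(2))
            continue
        m = CONN_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised show conn line: {line!r}")
        conns.append(Conn(m["proto"], m["out_ip"], int(m["out_port"]),
                          m["in_ip"], int(m["in_port"]),
                          _idle_to_seconds(m["idle"]), int(m["bytes"]), m["flags"]))
    return in_use, most_used, conns


def decode_flags(flags: str) -> list:
    """Expand a flag string such as UIO into its meanings."""
    return [FLAG_MEANING.get(c, f"unknown({c})") for c in flags]


def conns_per_local_host(conns) -> dict:
    """Connections per inside host: the conn count show local-host reports."""
    counts = {}
    for c in conns:
        counts[c.in_ip] = counts.get(c.in_ip, 0) + 1
    return counts


if __name__ == "__main__":
    in_use, most_used, conns = parse_show_conn(SAMPLE)
    print(in_use, most_used, conns_per_local_host(conns))   # 2 9 {'10.0.1.11': 2}
    for c in conns:
        print(c.in_port, "->", c.out_port, decode_flags(c.flags))
```

The parser raises on a line it does not recognise rather than silently skipping it, so a change in output format (or a stray pager prompt pasted into the capture) is noticed instead of producing an undercount.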
The syntax for the show conn command is as follows:

    show conn [all | count] [state state_type] | [{foreign | local} ip [-ip2] netmask mask] | [long | detail] | [{lport | fport} port1 [-port2]] | [protocol {tcp | udp}]

Syntax Description

all         Keyword for displaying connections to the device or from the device.
count       Displays only the number of used connections. The precision of the displayed count may vary depending on traffic volume and the type of traffic passing through the security appliance.
detail      Displays connections in detail, including translation types and interface information.
foreign     Keyword for displaying active connections by the foreign IP address.
fport       Keyword for displaying foreign active connections by port.
ip          IP address or beginning address in a range of IP addresses.
ip2         Ending IP address in a range of IP addresses.
local       Keyword for displaying active connections by the local IP address.
lport       Keyword for displaying local active connections by port.
long        Displays connections in long format.
netmask     Keyword for specifying a netmask.
mask        Netmask for ip, ip2, or both.
port1       Port number or beginning port number in a range of port numbers.
port2       Ending port number in a range of port numbers.
protocol    Keyword for displaying active connections by protocol type.
state       Keyword for specifying a connection state.
state_type  Connection state.
You can specify the following connection state types:

- up: Connections in the up state
- finin: FIN inbound connections
- finout: FIN outbound connections
- http_get: HTTP get connections
- smtp_data: SMTP mail data connections
- nojava: Connections that deny access to Java applets
- data_in: Inbound data connections
- data_out: Outbound data connections
- sunrpc: Remote procedure call (RPC) connections
- h225: H.225 connections
- h323: H.323 connections
- sqlnet_fixup_data: SQL*Net data inspection engine connections
- conn_inbound: Inbound connections
- sip: Session Initiation Protocol (SIP) connections
- mgcp: Media Gateway Control Protocol (MGCP) connections
- ctiqbe: Computer Telephony Interface Quick Buffer Encoding (CTIQBE) connections
- skinny: Skinny Client Control Protocol (SCCP) connections
- service_module: Connections being scanned by a Cisco Security Services Module (SSM)

tcp         Keyword for displaying TCP connections.
udp         Keyword for displaying UDP connections.

When you use the show conn detail option, the system displays information about the translation type, interface information, the IP address and port number, and connection flags. In the figure, the two connections display a flag value of UIO. This means that the connections are up with inbound and outbound data.

To view connection and translation information about the security appliance in graph form, complete the following steps:

Step 1  Go to Monitoring > Properties > Connection Graphs.

Step 2  To view the number of connections that occur each second, select Perfmon and then select Connections Perfmon from the Available Graphs list.

Step 3  To view the number of translation slots in use, select Xlates and then select Xlate Utilization from the Available Graphs list.
Step 4  Click Add to move your selection to the Selected Graphs list.

Step 5  Click Show Graphs to display the graph window with the selected statistics.

Note: You can also select multiple available graphs to be displayed at once.

When you click Show Graphs, the graph is displayed in a separate window. The window has two tabs, which enable you to view the selected statistics in graph or table form. The figure shows the connections per second in a Connections Perfmon graph, which is set to display updated statistics in real time every 10 seconds. Both the graph view and the table view display the following:

- Number of connections per second
- Number of UDP connections per second
- Number of TCP connections per second
- Number of TCP intercepts per second

You can view runtime connection statistics in the Traffic Overview area of the Cisco ASDM Firewall Dashboard tab. The Firewall Dashboard resides in the ASDM Home pane and displays important information about the traffic passing through your security appliance, including number of connections, NAT translations, and other statistics. In the figure, the Conn Statistics panel shows that there is currently only one connection and one translation.

show local-host Command

The show local-host command enables you to display the network states of local hosts. A local host is created for any host that forwards traffic to or through the security appliance. This command lets you show the translation and connection slots for the local hosts. In the figure, the inside host 10.0.1.11 establishes two web connections with server 192.168.10.7. The output of show local-host is displayed. This command also displays the conn count and the connection limit values for local hosts.
In the figure, the current TCP flow count for local host 10.0.1.11 is 2 with a limit of 300. If a connection limit is not set, the value displays as "unlimited." In the event of a SYN attack (with TCP SYN cookies), the show local-host command output includes the TCP embryonic count to host and the TCP Intercept watermark. In the figure, the embryonic threshold is set for local host 10.0.1.11 at 25 and the current number of embryonic connections is 0.

You can use the command clear local-host [ip_address] to clear the network state of all local hosts or of a specific IP address. It stops all connections and translations that are associated with the local hosts or with the specific IP address specified in the command.

The syntax for the local-host command is as follows:

    clear local-host [ip_address] [all]
    show local-host [ip_address] [all] [detail]

Syntax Description

all         (Optional) Specifies to clear the states of all local hosts, including connections to and from the security appliance.
detail      (Optional) Displays the detailed network states of local host information, including more information about active xlates and network connections.
ip_address  (Optional) Local host IP address. You can specify an IPv4 or IPv6 address.

show xlate Command

    asa1# show xlate
    1 in use, 2 most used
    Global 192.168.0.20 Local 10.0.0.11

The show xlate command enables you to view translation slot information. Always use clear xlate or reload after adding, changing, or removing access-list, global, nat, route, or static commands in your configuration.
In the figure, host 10.0.0.11 is translated to a global address of 192.168.0.20 by the security appliance. The syntax for the xlate command is as follows:

    clear xlate [global ip1[-ip2] [netmask mask]] [local ip1[-ip2] [netmask mask]] [gport port1[-port2]] [lport port1[-port2]] [interface if_name] [state state]
    show xlate [count] | [debug] [detail] [global ip1[-ip2] [netmask mask]] [gport port1[-port2]] [interface if_name] [local ip1[-ip2] [netmask mask]] [lport port1[-port2]] [state state]

Syntax Description

count                Keyword for displaying the translation count.
debug                Keyword for displaying debug information.
detail               Keyword for displaying detailed information.
global ip1[-ip2]     (Optional) Clears the active translations by global IP address or range of addresses.
gport port1[-port2]  (Optional) Clears the active translations by the global port or range of ports.
interface if_name    (Optional) Displays the active translations by interface.
local ip1[-ip2]      (Optional) Clears the active translations by local IP address or range of addresses.
lport port1[-port2]  (Optional) Clears the active translations by local port or range of ports.
netmask mask         (Optional) Specifies the network mask to qualify the global or local IP addresses.
state state          (Optional) Clears the active translations by state. You can enter one or more of the following states:
                     - static: specifies static translations
                     - portmap: specifies PAT global translations
                     - norandomseq: specifies a NAT or static translation with the norandomseq setting
                     - identity: specifies NAT 0 identity address translations
                     When specifying more than one state, separate the states with a space.
show xlate detail Command

    asa1# show xlate detail
    1 in use, 3 most used
    Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
    NAT from inside:10.0.0.11 to outside:192.168.0.20 flags i

When you use the show xlate detail command, the system displays information about the translation, interface information, the IP address, and the type of translation. In the figure, the translation displays an "i" flag value, which means that the translation is a dynamic translation.

Summary

This topic summarizes the key points that were discussed in this lesson.

- The security appliance manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions).
- By translating real IP addresses to global IP addresses, NAT enables you to conserve official global network addresses and hide your network topology from the Internet.
- By translating real IP addresses of various hosts to a single global IP address and using different port numbers to keep sessions distinct, PAT enables you to conserve global IP addresses.
- By permanently mapping a real IP address to a global IP address, a static translation (when used with an ACL) allows users on the outside network to initiate reliable connections to an internal host.
- SYN cookies, which you enable by setting embryonic connection limits in dynamic or static NAT rules, provide a means of checking the validity of incoming TCP sessions.

Lesson 6
Using ACLs and Content Filtering

Overview

This lesson describes how to control access through Cisco security appliances using access control lists (ACLs), and provides detailed examples of special-use ACLs.
The lesson also explains how to configure Cisco security appliances to filter malicious active code and how to configure URL filtering.

Objectives

Upon completing this lesson, you will be able to configure security appliance access control. This ability includes being able to meet these objectives:

- Configure and explain the functions of ACLs
- Configure active code filtering (Microsoft ActiveX and Java applets)
- Configure the security appliance for URL filtering
- Use the Packet Tracer for troubleshooting

ACL Configuration

This topic discusses how to use ACLs for access control through Cisco security appliances.

[Figure: Security Appliance ACL Configuration.]
- Security appliance configuration philosophy is interface-based.
- An interface ACL permits and denies the initial incoming and outgoing packets on that interface.
- An ACL must describe only the initial packet of the application; return traffic does not need to be described.
- If no ACL is attached to an interface: the outbound packet is permitted by default; the inbound packet is denied by default.

There is nothing more secure than an interface with a security level of 100 and nothing less secure than an interface with a security level of 0. The security level protects higher-security networks from lower-security networks. By default, all communications are permitted in an outbound direction, from a more-secure level to a less-secure level. Also by default, all communications are prohibited in an inbound direction, from a less-secure level to a more-secure level. You can use ACLs to modify this default behavior by explicitly permitting or denying certain traffic. When you create an ACL, the security appliance automatically applies an implicit rule at the end of the ACL. This implicit rule denies all traffic that you have not explicitly permitted. ACLs can be applied in the inbound or outbound direction on an interface.
In the security appliance CLI, you can configure ACLs by using the access-list command. ACLs are made up of one or more access control entries (ACEs). An ACE is a single entry in an ACL that specifies a permit or deny rule and is applied to a protocol, a source and destination IP address or network, and, optionally, the source and destination ports. After an ACL is configured, it must be activated and applied to an interface with an access-group command.

In Cisco Adaptive Security Device Manager (ASDM), ACEs are called access rules. When an access rule is configured in Cisco ASDM, it creates both the access-list command and the corresponding access-group command in the security appliance configuration.

The following are guidelines for designing and implementing ACLs:

- For traffic moving from higher to lower security, note the following important points:
  - The ACL is used to restrict outbound traffic.
  - The source address of the ACL is the actual address of the host or network.
- For traffic moving from lower to higher security, note the following important points:
  - The ACL is used to restrict inbound traffic.
  - The destination address of the ACL is the translated global IP address.

Note: ACLs are always checked before translation is performed on a security appliance.

[Figure: Company XYZ Need: Inbound HTTP Access to DMZ Web Server.]
- There is no ACL, so by default, inbound access is denied.
- To use Cisco ASDM to permit inbound traffic, complete the following steps:
  - Configure a static translation for the web server address.
  - Configure an ACL (access rule) for the outside interface.

The network security administrator for the fictitious Company XYZ needs to enable Internet users to access the company public web server with Network Address Translation (NAT) control enabled.
The web server is isolated on the security appliance demilitarized zone (DMZ). By default, any inbound access to the web server from the Internet is denied. To grant access to Internet users, the administrator must complete the following steps:

- Configure a static translation for the web server address. This hides the web server address from Internet users.
- Configure an inbound ACL on the outside interface that grants access to the specific DMZ web server and protocol or port.

Creating a Static Translation for the Web Server

Configuration > Firewall > NAT Rules > Add > Add Static NAT Rule

To configure static NAT translation of the DMZ server IP address, the first step is to map the IP address of the web server to a fixed outside address. This hides the true address of the web server. Internet hosts access the DMZ web server via the mapped outside IP address. The security appliance performs the necessary translations to send the packet from the outside interface to the DMZ interface. To accomplish this translation, go to Configuration > Firewall > NAT Rules > Add > Add Static NAT Rule and create a static NAT rule. The figure shows IP address 192.168.1.11 on the outside interface mapped to 172.16.1.10 on the DMZ.

Access rules enable you to specify if an IP address is permitted or denied access to a port or protocol. To configure an access rule, complete the following steps:

Step 1  Click Configuration in the Cisco ASDM toolbar.

Step 2  Choose Firewall from the navigation pane.

Step 3  Choose Access Rules from the Firewall menu. The Access Rules panel is displayed. The figure shows the implicit access rules for each configured interface.
You cannot edit the implicit rules themselves.

Note: If you execute the show run, show run all, or show access-list CLI commands, implicit ACLs are not shown. They are only shown if you manually add entries to the implicit ACL, in which case only those manually added entries are shown with the show commands.

Step 4  Click Add and choose Add Access Rule. The Add Access Rule window opens.

Creating an Inbound Access Rule

To create an inbound access rule to only permit HTTP traffic from any outside host to the DMZ server, continue with these steps:

Step 5  Choose the interface to which the rule applies from the Interface drop-down list. In the figure, the network security administrator for Company XYZ chooses the outside interface because the goal is to permit HTTP traffic from any outside host to the public web server.

Step 6  Choose the action that applies to the rule by clicking the Permit or Deny radio button. In the figure, Permit is chosen.

Step 7  In the Source field, enter the IP address from which traffic is permitted or denied. You can also click the ellipsis (...) button to choose an address from a predefined list. To specify a host address, you can enter /32 for the subnet mask, or you can enter the IP address without a subnet mask. To specify a network address, enter the subnet mask in slash notation after the IP address. For example, to specify the network 192.168.1.0 255.255.255.0, enter 192.168.1.0/24. In the figure, the word "any" is entered as the source IP address to specify that any outside host is permitted by the rule.

Note: If the ACL is for restricting outbound traffic (more-secure interface to less-secure interface), the source address is the address before NAT has been performed.

Step 8  In the Destination field, specify the IP address to which traffic is permitted or denied.
You can also click the ellipsis (...) button to choose an address from a predefined list. To specify a host address, you can enter /32 for the subnet mask, or you can enter the IP address without a subnet mask. To specify a network address, enter the subnet mask in slash notation after the IP address. For inbound connections, the destination address is the global, translated address if NAT is used. In the figure, the destination address is 192.168.1.11.

Step 9  Specify the service or protocol for the rule in the Service field. You can also click the ellipsis (...) button to choose a service from a predefined list. In the figure, tcp/http is entered.

Step 10  Optionally, you can specify a descriptive comment about the ACE.

Step 11  Optionally, you can disable the logging function, which is enabled by default.

Step 12  Click the More Options double arrow to configure additional settings for the rule.

Step 13  Verify that the Enable Rule check box is checked.

Step 14  Click the In or Out radio button in the Traffic Direction area to specify the direction of traffic to which the rule should be applied. The rule is applied to traffic on an interface in the direction that you specify, inbound or outbound. You can apply only one access list to each direction of an interface. In the figure, the In radio button is chosen since the ACL is applied to the inbound traffic on the outside interface.

Step 15  Click OK.

Step 16  Click Apply in the Access Rules panel.

Commands for Creating an Inbound ACL: Company XYZ Solution

    static (dmz,outside) 192.168.1.11 172.16.1.10 netmask 255.255.255.255 tcp 0 0 udp 0
    access-list outside_access_in line 1 extended permit tcp 0.0.0.0 0.0.0.0 host 192.168.1.11 eq http
    access-group outside_access_in in interface outside

The static translation and the ACL work together to permit outside HTTP
traffic to access the public web server.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the access rule configuration. The access-list command specifies that HTTP traffic from any source (0.0.0.0 0.0.0.0) is permitted when destined for IP address 192.168.1.11. The access-group command binds the ACL to the outside interface in the inbound direction.

Access lists provide the solution that the network security administrator for Company XYZ needs. The administrator permits Internet users to access the public web server by completing the following tasks:

- Configure a static translation that permanently maps the web server IP address 172.16.1.10 to the routable address 192.168.1.11. This both hides the actual web server address from Internet users and enables the administrator to create an ACL that permits HTTP traffic to the mapped address.
- Configure an inbound ACL on the outside interface that permits HTTP traffic from any outside host to the web server via IP address 192.168.1.11.

Note: The IP addressing schemes used in this course are not legally routable on the Internet. They are RFC 1918 addresses that are used in the lab exercises for this course.

[Figure: ACL Applied in Outbound Direction. Inside host 10.0.1.10, statically translated to 192.168.1.10, reaches the outside web server 172.26.26.50 through an outbound ACL on the outside interface.]

An outbound access list is useful, for example, if you have multiple inside interfaces and you want to allow only certain hosts on your inside networks to access a web server on the outside network. Rather than creating multiple inbound access rules on the different inside interfaces to restrict access, you can create a single outbound access list on the outside interface that allows only the specified inside hosts to the outside web server.

Note: By default, there are no implicit ACLs applied in the outbound direction on any interface. After an outbound ACL is created, the security appliance automatically applies an implicit rule at the end of the ACL.
This implicit rule denies all traffic that you have not explicitly permitted. For example, if you create an outbound access rule to only permit HTTP traffic from the 10.0.1.10 inside host to the 172.26.26.50 outside web server, all other traffic will be denied by the implicit deny any ACE.

In the figure, an outbound ACL is configured on the outside interface of the security appliance. This outbound ACL permits HTTP connections from inside host 10.0.1.10 to the web server at 172.26.26.50 and prohibits all other traffic from exiting the outside interface.

Note: Since the ACL is applied on the outside interface, the source address specified is the statically translated global address of 192.168.1.10.

An outbound access rule is configured in Cisco ASDM the same way you configure an inbound access rule. The only difference is that you click the Out Traffic Direction radio button instead of the In Traffic Direction radio button.

Commands for ACL Applied in Outbound Direction

    access-list outside_access_out extended permit tcp host 192.168.1.10 host 172.26.26.50 eq http
    access-group outside_access_out out interface outside

- The implicit ACL on the inside interface permits all IP traffic entering the security appliance on the inside interface.
- The configured ACL on the outside interface permits HTTP traffic from host 192.168.1.10 (the statically translated global IP address of the inside host 10.0.1.10) to the 172.26.26.50 outside web server to exit the security appliance on the outside interface.
- The configured ACL prevents all other traffic from exiting the security appliance on the outside interface.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the configured access rule. Cisco ASDM automatically names the access rule outside_access_out and uses the out option in the access-group command to apply the rule in the outbound direction.
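The following is an added example, not Cisco code and not part of this lesson. It models, in Python, how the pieces described above fit together for both the Company XYZ inbound rule (static 192.168.1.11 to 172.16.1.10, outside_access_in permitting tcp any to host 192.168.1.11 eq http) and the outbound rule on the outside interface (outside_access_out permitting tcp from 192.168.1.10, the static global address of 10.0.1.10, to 172.26.26.50 eq http). The evaluation order is the lesson's: the ingress interface's inbound ACL is checked before translation, every ACL ends in an implicit deny, an interface without an ACL in a direction falls back to the security-level default (higher to lower permitted, lower to higher denied), and the outbound ACL on the egress interface sees the translated addresses. The DMZ security level of 50 and the route table are assumptions made for the example; the lesson does not state them.

```python
"""Interface security levels, ACL evaluation and static NAT as a small model.

Added example, not Cisco code. The DMZ security level (50) and the routes in
company_xyz() are assumptions; the addresses and rules are the lesson's.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _in(ip: str, spec: str) -> bool:
    """True if ip falls in spec, which is 'any' or a CIDR network."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class ACE:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    src: str                    # CIDR or "any"
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return _in(pkt.src, self.src) and _in(pkt.dst, self.dst)


def evaluate_acl(aces, pkt: Packet):
    """First matching ACE wins; no match falls to the implicit deny (line None)."""
    for line, ace in enumerate(aces, start=1):
        if ace.matches(pkt):
            return ace.action, line
    return "deny", None


@dataclass
class Interface:
    name: str
    level: int
    acl_in: Optional[list] = None    # applied with access-group ... in
    acl_out: Optional[list] = None   # applied with access-group ... out


@dataclass
class Appliance:
    interfaces: dict   # name -> Interface
    statics: dict      # mapped (global) address -> real address
    routes: dict       # CIDR -> egress interface; most specific first, default last

    def forward(self, ingress: str, pkt: Packet):
        """Decide the first packet of a flow: (verdict, reason, translated packet)."""
        in_if = self.interfaces[ingress]
        if in_if.acl_in is not None:                       # 1. ingress ACL, before NAT
            action, line = evaluate_acl(in_if.acl_in, pkt)
            if action == "deny":
                where = f"line {line}" if line else "implicit deny"
                return "deny", f"{ingress} inbound ACL {where}", pkt
        real_dst = self.statics.get(pkt.dst, pkt.dst)      # 2. mapped dst -> real dst
        mapped_src = {r: m for m, r in self.statics.items()}.get(pkt.src, pkt.src)
        xlated = Packet(pkt.proto, mapped_src, real_dst, pkt.dport)
        egress = next((n for net, n in self.routes.items() if _in(xlated.dst, net)), None)
        if egress is None:
            return "deny", "no route", xlated
        out_if = self.interfaces[egress]
        if in_if.acl_in is None and in_if.level <= out_if.level:   # 3. no ACL: level default
            return "deny", f"{ingress} ({in_if.level}) to {egress} ({out_if.level}) denied by default", xlated
        if out_if.acl_out is not None:                     # 4. egress ACL, after NAT
            action, line = evaluate_acl(out_if.acl_out, xlated)
            if action == "deny":
                where = f"line {line}" if line else "implicit deny"
                return "deny", f"{egress} outbound ACL {where}", xlated
        return "permit", f"{ingress} to {egress}", xlated


def company_xyz() -> Appliance:
    """The lesson's two scenarios on one appliance (DMZ level and routes assumed)."""
    outside = Interface("outside", 0,
                        acl_in=[ACE("permit", "tcp", "any", "192.168.1.11/32", 80)],
                        acl_out=[ACE("permit", "tcp", "192.168.1.10/32", "172.26.26.50/32", 80)])
    return Appliance(
        interfaces={"outside": outside, "dmz": Interface("dmz", 50), "inside": Interface("inside", 100)},
        statics={"192.168.1.11": "172.16.1.10", "192.168.1.10": "10.0.1.10"},
        routes={"172.16.1.0/24": "dmz", "10.0.1.0/24": "inside", "0.0.0.0/0": "outside"},
    )


if __name__ == "__main__":
    asa = company_xyz()
    print(asa.forward("outside", Packet("tcp", "192.168.6.10", "192.168.1.11", 80)))
    print(asa.forward("inside", Packet("tcp", "10.0.1.11", "172.26.26.50", 80)))
```

The second printed decision shows the outbound ACL doing its job: inside host 10.0.1.11 has no static and is not listed in outside_access_out, so its HTTP request is stopped by that ACL's implicit deny even though the inside interface itself permits everything by default.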
[Figure: ICMP through the security appliance. An inside host's echo request goes out to the Internet; the echo reply is blocked at the outside interface.]
- The security appliance does not allow return ICMP traffic from lower security level interfaces with ICMP inspection disabled.
- By default, attempts to ping through the security appliance fail, even when initiated from a higher security level interface.

To permit Internet Control Message Protocol (ICMP) traffic through the security appliance, you must configure an access rule to allow ICMP on the lower security level interface, or you need to enable the security appliance ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as stateful connections. The ICMP inspection engine is disabled by default. Without ICMP inspection enabled, allowing ICMP through the security appliance with an access rule is not recommended. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request and that the sequence number is correct.

ICMP Access Rules

Configuration > Firewall > Access Rules > Add > Add Access Rule

If you want to allow ICMP through the security appliance with an access rule, perhaps for preliminary testing or troubleshooting, without enabling the ICMP inspection engine, you can create an access rule as shown in the figure. Based on your network security policy, you should then consider configuring the security appliance to deny all ICMP traffic through the security appliance, particularly through the outside interface.

You can configure an ICMP access rule to apply to all ICMP message types by entering only icmp in the Service field. To configure an ICMP access rule to apply to a specific ICMP message type, enter icmp/ and the message type, or select the ICMP message type from the drop-down list.
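The following is an added example, not Cisco code and not part of this lesson. It contrasts the two approaches just described: a stateful model of the ICMP inspection engine, which keeps a table of outstanding echo requests keyed on (source, destination, identifier, sequence number) and consumes the entry when the matching reply arrives so that exactly one reply per request is accepted, beside the stateless echo-reply access rule, which admits every echo-reply regardless of whether a request went out. The scenario's addresses, identifier and sequence numbers are constructed.

```python
"""Stateful ICMP echo tracking versus a stateless echo-reply access rule.

Added example, not Cisco code. The lesson says the ICMP inspection engine
treats ICMP sessions as stateful connections and ensures one response per
request with the correct sequence number; this model keys that state on
(source, destination, identifier, sequence). Scenario values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str      # "echo" or "echo-reply"
    ident: int
    seq: int


class IcmpInspector:
    """State table of outstanding echo requests, as the inspection engine keeps it."""

    def __init__(self) -> None:
        self.pending = set()

    def process(self, pkt: Icmp, direction: str) -> str:
        """direction is 'out' (higher to lower security) or 'in' (lower to higher)."""
        if pkt.kind == "echo":
            if direction != "out":
                return "drop"       # inbound echo: denied by default, no rule permits it
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "forward"
        if pkt.kind == "echo-reply":
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)    # the request this answers
            if key in self.pending:
                self.pending.discard(key)                    # exactly one reply per request
                return "forward"
            return "drop"           # unsolicited, duplicate, or wrong sequence number
        return "drop"


def echo_reply_access_rule(pkt: Icmp, direction: str) -> str:
    """Stateless alternative: permit icmp any any echo-reply, inbound on outside."""
    if direction == "out":
        return "forward"            # higher to lower security is permitted by default
    return "forward" if pkt.kind == "echo-reply" else "drop"


def run_scenario(decide) -> list:
    """Inside host 10.0.1.11 pings 192.168.6.10 once (id 7, seq 1); several ICMP
    packets then arrive from outside. Returns the verdict for each packet."""
    events = [
        (Icmp("10.0.1.11", "192.168.6.10", "echo", 7, 1), "out"),
        (Icmp("192.168.6.10", "10.0.1.11", "echo-reply", 7, 1), "in"),   # the genuine reply
        (Icmp("192.168.6.10", "10.0.1.11", "echo-reply", 7, 1), "in"),   # replayed duplicate
        (Icmp("192.168.6.10", "10.0.1.11", "echo-reply", 7, 2), "in"),   # wrong sequence number
        (Icmp("192.168.6.10", "10.0.1.11", "echo", 1, 1), "in"),         # inbound ping attempt
    ]
    return [decide(pkt, direction) for pkt, direction in events]


if __name__ == "__main__":
    print(run_scenario(IcmpInspector().process))     # forward, forward, drop, drop, drop
    print(run_scenario(echo_reply_access_rule))      # forward, forward, forward, forward, drop
```

The difference in the third and fourth verdicts is the point the lesson makes: with only the access rule in place, any echo-reply reaches the inside host whether or not it was asked for, which is why the lesson recommends the inspection engine over a standing ICMP access rule.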
In the figure, an ICMP access rule is created for the outside interface. This access rule allows only return ICMP echo-reply messages through the security appliance when an inside user pings an outside host. For an outside user to ping an inside host, you would have to add another rule to the outside interface ACL to permit ICMP echo messages as well.

    access-list outside_access_in line 1 extended permit icmp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 echo-reply
    access-group outside_access_in in interface outside

- Outbound pings from hosts on the inside interface succeed after the ICMP ACL is applied to the outside interface. Inbound pings from hosts on the outside interface are still denied.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the ICMP access rule configuration. These commands only allow ICMP echo-reply messages in response to echo requests from hosts on interfaces that have security levels higher than that of the outside interface. All other ICMP messages are blocked.

Note: If pings fail after you configure ICMP access rules to allow the desired traffic, it could be because NAT is not configured correctly on the security appliance. This failure is more likely to occur if NAT control is enabled.

The following are components of the Access Rules panel:

- Move Up arrow: Moves a rule up in the list of rules. Rules are assessed in the order they appear in this table, so the order can matter if you have overlapping rules.
- Move Down arrow: Moves a rule down.
- Cut button: Cuts a rule from the list.
- Copy button: Copies the parameters of a rule so that you can start a new rule with the same parameters by using the Paste button.
- Paste button: Opens an Add or Edit Rule window with the copied or cut parameters of a rule prefilled. You can then make any modifications and add the rule to the table.
  The Paste button adds the rule above the selected rule. The Paste After item, available from the Paste drop-down list, adds the rule after the selected rule.
- Find button: Filters the display to show only matching rules. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
  - Filter drop-down list: Enables you to choose the filtering criteria. You can filter on Interface, Source, Destination, Source or Destination, Service, or Query. A rule query is a collection of criteria that you can save and use repeatedly. If you choose Source, Destination, Source or Destination, or Service for the filtering criteria, another drop-down list is activated. From this additional drop-down list, you can choose the condition Is or Contains. If you choose Interface or Query from the Filter drop-down list, the condition is set to Is.
  - Filter field: If you choose Interface as the criterion from the Filter drop-down list, this field becomes a drop-down list so that you can choose an interface name. For the Source and Destination criteria, this field accepts an IP address. You can enter an IP address manually or browse for an IP address by clicking the ellipsis (...) button and launching the Browse Source dialog box. For the Service criterion, this field accepts a TCP, User Datagram Protocol (UDP), TCP-UDP, ICMP, or IP protocol type. You can enter a protocol type manually or browse for a protocol type by clicking the ellipsis (...) button and launching the Browse Service dialog box. The filter field accepts multiple entries separated by a comma or space. Wildcards are also allowed. If you choose Query from the Filter drop-down list and no rule queries are defined, the filter field area becomes a Define Query button. Click the Define Query button to open the Define Query window, which enables you to create a query.
  - Filter: Runs the filter.
  - Clear: Clears the matches and displays all rules.
- Diagram button: Displays a rule flow diagram under the rule table. This diagram shows the networks, type of traffic, interface name, direction of flow, and action.
- Export button: Exports to a file in either comma-separated value (CSV) or HTML format.
- Show Log button: Displays the syslogs generated by the selected access rule in the Real Time Log Viewer.
- Hits column: Shows the number of hits for the rule. This column is dynamically updated depending on the frequency set in the Preferences dialog box. Hit counts are applicable for explicit rules only. No hit count is displayed for implicit rules in the Access Rules table.

The Access Rules panel displays access rules in the order of execution. You can use the Move Up and Move Down arrows to change the order of the rules. You can also insert a rule in the list of rules. To insert a rule, first select from the list of rules the rule before or after which you want to insert a new rule. To insert a new rule before the selected rule, choose Insert from the Add drop-down list, which opens the Insert Access Rule window. To insert a new rule after the selected rule, choose Insert After from the Add drop-down list.

[Figure: show access-list Command. Topology with the inside network 192.168.1.0, the web server, and remote host 192.168.6.10; output of show access-list listing the outside_access_in, dmz_access_in, and inside_access_in ACLs with a hit count (hitcnt) and hexadecimal identifier for each ACE. Recoverable lines:
    asa1(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    access-list outside_access_in line 4 extended deny ip any any (hitcnt=...)
    access-list inside_access_in line 1 extended permit tcp any host 192.168.6.10 log ... (hitcnt=...)]

You can also view all configured ACLs by using the show access-list command. The show access-list command lists all the configured ACLs, the ACEs for each ACL, hit counts for each ACE, and a unique hexadecimal identifier for each ACE.
In the figure, there are three ACLs: outside_access_in, dmz_access_in, and inside_access_in. Within each ACL, there are one or more ACEs. Each ACE is denoted by a line number. In the figure, outside_access_in has four ACEs, numbered line 1 through line 4.
Access Rule Settings
You can use the Cisco ASDM Preferences window to configure access rule hit count settings and access rule deployment settings. To configure these settings, complete the following steps:
Step 1  Right-click any rule in the access rule table and choose Rule Table Settings. The Preferences window opens. You can also access the Preferences window from the Tools menu in the menu bar.
Step 2  Click the Rule Table tab.
Step 3  In the Deployment Settings pane, check the Issue "clear xlate" Command When Deploying Access Lists check box if you want to clear the security appliance NAT table when you deploy new access lists. This setting ensures that the access lists that are configured on the security appliance are applied to all translated addresses.
Step 4  In the Access Rule Hit Count Settings pane, check the Update Access Rule Hit Counts Automatically check box if you want to have hit counts automatically updated in the Access Rules table. This is the default setting. If you check the Update Access Rule Hit Counts Automatically check box, you can then use the Update Frequency field to specify the frequency, in seconds, at which the Hits column is updated in the Access Rules table. The default setting is 30 seconds and valid values are 10 to 86,400 seconds.
Step 5  Click OK.
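The hit counts that show access-list reports are most useful when two snapshots are compared, one taken after the counters are cleared and one taken after a test connection, which is how the troubleshooting in the next section reasons about whether a packet reached the ACL. The following Python script is an added example, not code from the course or from Cisco: it parses the ACE lines of show access-list output (the "(hitcnt=N)" field and the hexadecimal ACE identifier), works out which ACEs incremented between two snapshots, and applies the three-way diagnosis (permit ACE hit: reached and permitted; final deny ACE hit: reached but denied; nothing hit: never reached). The two snapshots are constructed sample output; the ACE for FTP, the hit-count values and the 0x identifiers are made up for the example.

```python
import re
from typing import Dict, Tuple

# One ACE line of "show access-list" output, for example:
#   access-list outside_access_in line 1 extended permit tcp any host 192.168.1.11 eq www (hitcnt=3) 0x0c0ffee1
# The header line ("access-list cached ACL log flows ...") and remark lines do not match and are skipped.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<match>.+?) \(hitcnt=(?P<hits>\d+)\)(?: (?P<id>0x[0-9a-fA-F]+))?$"
)

AceKey = Tuple[str, int]   # (ACL name, line number)


def parse_show_access_list(output: str) -> Dict[AceKey, dict]:
    """Return {(acl, line): {"action", "match", "hits", "id"}} for every ACE in the output."""
    aces: Dict[AceKey, dict] = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces[(m["acl"], int(m["line"]))] = {
                "action": m["action"],
                "match": m["match"],
                "hits": int(m["hits"]),
                "id": m["id"],
            }
    return aces


def incremented_aces(before: Dict[AceKey, dict], after: Dict[AceKey, dict]) -> Dict[AceKey, int]:
    """ACEs whose hit count rose between the two snapshots, with the delta.
    An ACE absent from `before` (for example, inserted between snapshots) counts from zero."""
    deltas: Dict[AceKey, int] = {}
    for key, ace in after.items():
        delta = ace["hits"] - before.get(key, {"hits": 0})["hits"]
        if delta > 0:
            deltas[key] = delta
    return deltas


def diagnose(before: str, after: str, acl: str, permit_line: int, deny_line: int) -> str:
    """The reasoning the course applies to the troubleshooting scenario:
    the permit ACE incremented     -> the packet reached the ACL and was permitted;
    the final deny ACE incremented -> it reached the ACL but was explicitly denied;
    neither incremented            -> it never reached this ACL (look upstream)."""
    deltas = incremented_aces(parse_show_access_list(before), parse_show_access_list(after))
    if (acl, permit_line) in deltas:
        return "reached-permitted"
    if (acl, deny_line) in deltas:
        return "reached-denied"
    return "not-reached"


# Constructed snapshots: counters just cleared, then after one HTTP attempt that hit the deny ACE.
SNAPSHOT_CLEARED = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 extended permit tcp any host 192.168.1.11 eq www (hitcnt=0) 0x0c0ffee1
access-list outside_access_in line 2 extended permit tcp any host 192.168.1.11 eq ftp (hitcnt=0) 0x0c0ffee2
access-list outside_access_in line 3 extended permit icmp any host 192.168.1.11 echo-reply (hitcnt=0) 0x0c0ffee3
access-list outside_access_in line 4 extended deny ip any any (hitcnt=0) 0x0c0ffee4
"""

SNAPSHOT_AFTER = SNAPSHOT_CLEARED.replace(
    "deny ip any any (hitcnt=0)", "deny ip any any (hitcnt=1)"
)

if __name__ == "__main__":
    print(diagnose(SNAPSHOT_CLEARED, SNAPSHOT_AFTER, "outside_access_in", 1, 4))
```

In practice the two snapshots come from show access-list run twice (after clear access-list counters and after reproducing the connection); feeding the captured output to diagnose gives the same verdict the course walks through by hand.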
clear access-list counters Command
[Figure: the remote user at 192.168.6.10 and the web server at 172.16.1.10 (outside address 192.168.1.11), with the commands asa1(config)# clear access-list outside_access_in counters and show access-list, whose output begins with "access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)" and lists the outside_access_in ACEs with their hit counts.]
You can use the clear access-list counters command to clear the counters (hit counts) for a specific ACL or for all ACLs. If no ACL is specified, all the ACL counters are cleared. The clear access-list counters command is useful for troubleshooting network access. In the example in the figure, the remote user at 192.168.6.10 is trying to access the server at 172.16.1.10 via HTTP. The outside address for the web server is 192.168.1.11. The administrator can use the show access-list command or the Hits column in the Cisco ASDM Access Rules panel to view the ACL counters and determine whether the source packet reached the security appliance ACL. If the hit count of ACL outside_access_in line 1 was incremented, the packet reached the security appliance ACL. If the hit count of ACL outside_access_in line 4, extended deny ip any any, was incremented, the packet reached the security appliance but was denied access by the explicitly configured deny ip any any ACE. If neither hit count was incremented, the packet never reached the security appliance ACL. To check the progress of the troubleshooting, the administrator can clear the ACL counters.
When you add or edit an access rule, you can optionally use the Description field shown in the figure to add a description, or remark, to the rule. You can use remarks to make the access rule easier to scan and interpret.
The remark text can be up to 100 characters long, including spaces and punctuation. In the figure, the description "HTTPtoBASTIONHOST" is configured for the access rule that permits HTTP access to the Company XYZ web server. The implicit access rule has predefined remarks.
Command for ACL Remarks
   access-list outside_access_in line 5 remark HTTPtoBASTIONHOST
[Figure: show access-list output in which the remark line appears immediately above the outside_access_in access rule it describes.]
The figure shows the command that Cisco ASDM sends to the security appliance as a result of the access rule remark configuration. Cisco ASDM inserts the command above the access rule to which it is applied. If you create a remark by using the CLI, you can place it before or after an access-list command statement. The remark statement should be placed in a consistent position so that it is clear which remark describes which access-list command. For example, it would be confusing to have some remarks before the associated access-list commands and some remarks after the associated access-list commands.
[Figure: an access rule that enables logging with syslog message 106100 for inbound ICMP to 192.168.1.11 and sets the logging interval to 600 seconds.]
By default, when traffic is denied by an access rule, the security appliance generates system message 106023 for each denied packet. If the security appliance is attacked, the number of system messages for denied packets can be very large. Therefore, enabling logging using syslog message 106100 is recommended instead. This message provides statistics for each access rule and lets you limit the number of system messages produced. Alternately, you can disable all logging.
Syslog message 106100 is generated for every matching permit or deny access rule flow that passes through the security appliance. The first-match flow is cached. Subsequent matches increment the hit count for the access rule. New 106100 messages are generated at the end of the interval that you specify, if the hit count for the flow is not 0. The following example illustrates the use of ACL-based logging in an ICMP context:
1. An inbound ICMP echo request from 192.168.10.12 to 192.168.1.11 arrives on the outside interface.
2. An ACL called OUTSIDE-ACL is applied for the access check.
3. The packet is permitted by the first access rule of OUTSIDE-ACL, which has the log option enabled.
4. The log flow (ICMP, 192.168.10.12, 0, 192.168.1.11, 8) has not been cached, so the following syslog message is generated and the log flow is cached:
   106100: access-list OUTSIDE-ACL permitted icmp outside/192.168.10.12(0) -> inside/192.168.1.11(8) hit-cnt 1 (first hit)
5. Within the next 10 minutes (600 seconds), 20 such packets arrive on the outside interface. Because the log flow has been cached, the log flow is located and the hit count of the log flow is incremented for each packet.
6. At the end of the 10th minute, the following syslog message is generated and the hit count of the log flow is reset to 0:
   106100: access-list OUTSIDE-ACL permitted icmp outside/192.168.10.12(0) -> inside/192.168.1.11(8) hit-cnt 20 (600-second interval)
7. No such packets arrive on the outside interface within the next 10 minutes. The hit count of the log flow remains 0.
8. At the end of the 20th minute, the cached flow (ICMP, 192.168.10.12, 0, 192.168.1.11, 8) is deleted because of the 0 hit count.
When you add an access rule in Cisco ASDM, the Enable Logging check box is checked by default, and the word "Default" is displayed in the Logging Level drop-down list.
These default settings indicate that syslog message 106023 is generated when an IP packet is denied by this access rule. To enable logging via syslog message 106100 instead of message 106023, choose one of the other options from the drop-down list. The other options are the logging levels 0 through 7, Emergencies through Debugging. The security appliance will log the 106100 messages at the selected level. In the More Options area, you can also use the Logging Interval field to specify the amount of time in seconds that the security appliance waits before sending the flow statistics to the syslog server. This setting also serves as the timeout value for deleting a flow if no packets match the access rule. The default is 300 seconds, and valid values are 1 to 600.
Commands for ACL Logging
   access-list outside_access_in line 5 extended permit icmp 0.0.0.0 0.0.0.0 host 192.168.1.11 log 7 interval 600
■ The security appliance generates syslog message 106100 when a packet matches the ACL.
■ The security appliance logs message 106100 at level 7, debugging.
■ The security appliance waits 600 seconds before sending the flow statistics to the syslog server.
■ The security appliance waits 600 seconds before deleting a flow if no packets match the access rule.
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the ACL logging configuration. Because a logging level, rather than the Default option, was chosen from the Logging Level drop-down list, the security appliance generates syslog message 106100 rather than message 106023 when a packet matches the ACL. The security appliance logs message 106100 at level 7, which is debugging, and waits 600 seconds before sending the flow statistics to the syslog server.
The security appliance also waits 600 seconds before deleting a flow if no packets match the access rule.
[Figure: message 106101, deny flow limit reached.]
If a packet matches an access rule and ACL logging for message 106100 is enabled, the security appliance creates a flow entry to track the number of packets received within a specific interval. A large number of flows can exist concurrently at any point in time. To prevent unlimited consumption of memory and CPU resources, the security appliance places a limit on the number of concurrent deny flows; the limit is placed only on deny flows (and not permit flows) because they can indicate an attack. When the limit is reached, the security appliance stops creating deny flows until the existing flows expire, and generates syslog message 106101. For example, when under a denial of service (DoS) attack, the security appliance can create a very large number of deny flows in a very short period of time. Restricting the number of deny flows prevents unlimited consumption of memory and CPU resources. To configure the maximum number of deny flows and set the interval between deny flow limit reached messages (106101), complete the following steps:
Step 1  Click Advanced in the Access Rules panel. The Access Rules Advanced Options window opens.
Step 2  In the Maximum Deny-flows field, enter the maximum number of deny flows permitted before the security appliance stops logging. You can specify a number between 1 and the default value of 4096.
Step 3  In the Alert Interval field, specify an alert interval to limit the rate at which message 106101 is generated to alert the condition of reaching the maximum deny flow limit. You can configure a time interval between 1 and 3600 seconds. The default is 300 seconds.
Step 4  Click OK.
Step 5  Click Apply in the Access Rules panel.
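The flow-cache behaviour described for message 106100 (a first-hit message, per-interval statistics, deletion of idle flows) and the deny-flow limit configured in the steps above can be modelled in a few dozen lines. The following Python simulator is an added example, not code from the course or from Cisco; it replays the ICMP walkthrough from the 106100 section and then a constructed burst of denied connections against a small deny-flow-max. The 106100 message text follows the examples in the course; the 106101 wording is approximate; and the counter is reset after the first-hit message so that the interval-end count matches the walkthrough (20 hits after 20 further packets).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Flow key in the form the course uses: (protocol, source, source port/type, destination, destination port/code)
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class LogFlow:
    acl: str
    action: str            # "permitted" or "denied"
    hits: int = 0          # matches since the last 106100 message
    interval_end: float = 0.0


@dataclass
class AclLogger:
    interval: int = 300        # "log <level> interval <n>" on the ACE; default 300 s
    deny_flow_max: int = 4096  # access-list deny-flow-max; default 4096
    alert_interval: int = 300  # access-list alert-interval; default 300 s
    flows: Dict[FlowKey, LogFlow] = field(default_factory=dict)
    messages: List[str] = field(default_factory=list)
    last_alert: float = float("-inf")

    def _msg(self, key: FlowKey, flow: LogFlow, suffix: str) -> str:
        proto, src, sport, dst, dport = key
        return (f"106100: access-list {flow.acl} {flow.action} {proto} "
                f"outside/{src}({sport}) -> inside/{dst}({dport}) hit-cnt {flow.hits} {suffix}")

    def deny_flow_count(self) -> int:
        return sum(1 for f in self.flows.values() if f.action == "denied")

    def match(self, now: float, key: FlowKey, acl: str, permitted: bool) -> None:
        """A packet matched an ACE with logging enabled at time `now` (seconds)."""
        self.tick(now)
        flow = self.flows.get(key)
        if flow is not None:
            flow.hits += 1                       # cached flow: just count the packet
            return
        if not permitted and self.deny_flow_count() >= self.deny_flow_max:
            # Limit reached: no new deny flow is created; 106101 is rate-limited by alert-interval.
            if now - self.last_alert >= self.alert_interval:
                self.messages.append(
                    f"106101: number of ACL log deny-flows has reached limit ({self.deny_flow_max})")
                self.last_alert = now
            return
        flow = LogFlow(acl, "permitted" if permitted else "denied", hits=1, interval_end=now + self.interval)
        self.flows[key] = flow
        self.messages.append(self._msg(key, flow, "(first hit)"))
        flow.hits = 0                            # interval statistics start after the first-hit message

    def tick(self, now: float) -> None:
        """Advance the clock: report flows that had hits in the interval, delete flows that had none."""
        for key, flow in list(self.flows.items()):
            while flow.interval_end <= now:
                if flow.hits == 0:
                    del self.flows[key]          # idle for a whole interval: cached flow removed
                    break
                self.messages.append(self._msg(key, flow, f"({self.interval}-second interval)"))
                flow.hits = 0
                flow.interval_end += self.interval


def icmp_walkthrough() -> Tuple[List[str], bool]:
    """Steps 1 to 8 of the course's ICMP example with a 600-second interval."""
    logger = AclLogger(interval=600)
    key: FlowKey = ("icmp", "192.168.10.12", 0, "192.168.1.11", 8)
    logger.match(0, key, "OUTSIDE-ACL", permitted=True)          # first packet, flow cached
    for n in range(1, 21):                                        # 20 more echo requests in the interval
        logger.match(n * 20, key, "OUTSIDE-ACL", permitted=True)
    logger.tick(600)                                              # end of 10th minute: hit-cnt 20
    logger.tick(1200)                                             # end of 20th minute: idle flow deleted
    return logger.messages, key in logger.flows


def deny_burst() -> Tuple[int, int]:
    """Constructed burst: ten distinct denied sources in one second against deny-flow-max 3.
    Returns (deny flows actually created, 106101 alerts emitted)."""
    logger = AclLogger(interval=300, deny_flow_max=3, alert_interval=120)
    for i in range(10):
        key: FlowKey = ("tcp", f"198.51.100.{i + 1}", 40000 + i, "192.168.1.11", 23)
        logger.match(0.1 * i, key, "OUTSIDE-ACL", permitted=False)
    alerts = sum(1 for m in logger.messages if m.startswith("106101"))
    return logger.deny_flow_count(), alerts
```

Running deny_burst() shows why the limit applies only to deny flows: the three flows that fit are tracked normally, the other seven sources produce no new cache entries, and a single 106101 is raised for the whole burst because the alert interval (120 seconds here) is longer than the burst.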
Note  You can also enable the per-user override feature in the Access Rules Advanced Options window.
Commands for Advanced Logging Settings
   access-list deny-flow-max 1024
   access-list alert-interval 120
■ The maximum number of concurrent deny flows that can be created is 1024.
■ Syslog message 106101, the deny flow limit reached message, is generated every 120 seconds.
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the advanced logging configuration. The access-list deny-flow-max command specifies a maximum of 1024 concurrent deny flows. The access-list alert-interval command specifies 120 seconds between deny flow limit reached messages.
[Figure: a corporate office on 10.0.1.0/24 and a SOHO on 10.100.1.0/24.]
■ ACLs can be used for purposes other than permitting or denying traffic at an interface.
■ You can use an ACL to identify a traffic flow and then apply an action to the traffic flow. For example, an ACL can be used to identify traffic that is to remain untranslated in a NAT scenario.
Besides being used to identify traffic that is to be either permitted or denied at an interface, ACLs can also be used to identify traffic flows for other uses. For example, in the figure, there is a small office, home office (SOHO) application. The administrator wants all traffic from the SOHO that is bound for the Internet to be translated, and all SOHO traffic that is bound for the corporate office to remain untranslated. Identity NAT (configured in the CLI with the nat 0 command) enables you to exempt a host or network from NAT. The NAT exemption feature of the security appliance takes this a step further by enabling you to exempt from NAT any traffic that is matched by an access rule. Another use of ACLs is for differentiating traffic that is to be protected by encryption from traffic that does not need protection.
In this scenario, the ACL works with a crypto map, which binds together various virtual private network (VPN) configuration parameters. Traffic permitted by the ACL is protected. ACLs can also work with authentication. For example, you might want to authenticate certain Internet-sourced hosts when they attempt to connect to protected hosts on your DMZ. You could use an ACL to identify any host trying to access hosts on the DMZ using HTTP. You could then apply authentication to the flow. Any host matching the ACL would be authenticated.
[Figure: the Add NAT Exempt Rule window, reached through Configuration > Firewall > NAT Rules > Add > Add NAT Exempt Rule.]
Complete the following steps to configure NAT exemption:
Step 1  Click Configuration in the Cisco ASDM toolbar.
Step 2  Choose Firewall from the navigation pane.
Step 3  Choose NAT Rules from the Firewall menu. The NAT Rules panel is displayed.
Step 4  Click Add.
Step 5  Choose Add NAT Exempt Rule from the Add drop-down list. The Add NAT Exempt Rule window that is shown in the figure opens.
Step 6  Click the Exempt radio button in the Action area.
Step 7  In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to exempt. In the figure, the inside interface is chosen.
Step 8  Enter the real addresses in the Source field, or click the ... button to choose an IP address that you already defined in Cisco ASDM. Specify the address and subnet mask using slash notation, such as 10.0.1.0/24. If you enter an IP address without a mask, it is considered a host address, even if it ends with a zero. Separate multiple real addresses by a comma. In the figure, 10.100.1.0/24 is specified as the source address.
Note  You can later specify addresses that you do not want to exempt.
For example, you can specify a subnet to exempt such as 10.0.1.0/24, but if you want to translate 10.0.1.50, you can create a separate rule for that address that removes the exemption.
Step 9  Enter the destination addresses in the Destination field, or click the ... button to choose an IP address that you already defined in Cisco ASDM. Specify the address and subnet mask using slash notation, such as 10.0.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0. Separate multiple destination addresses by a comma. By default, the field displays the word "any," which allows any destination address. In the figure, 10.0.1.0/24 is specified as the destination address.
Step 10  In the NAT Exempt Direction area, choose one of the following radio buttons. (In the figure, the default setting of NAT Exempt Outbound Traffic from Interface is chosen.)
■ NAT Exempt Outbound Traffic from Interface "inside" to Lower Security Interfaces (default): Exempts traffic from the selected interface (inside, in this example) going to lower security interfaces.
■ NAT Exempt Inbound Traffic from Interface "inside" to Higher Security Interfaces: Exempts traffic from the selected interface (inside, in this example) going to higher security interfaces.
Step 11  (Optional) Enter a description in the Description field.
Step 12  Click OK.
Step 13  Click Apply in the NAT Rules panel.
Commands for NAT Exemption
   access-list inside_nat0_outbound line 1 extended permit ip 10.100.1.0 255.255.255.0 10.0.1.0 255.255.255.0
   nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0
■ With NAT configured for the 10.100.1.0 network, all traffic from the SOHO that is bound for the Internet is translated, and all SOHO traffic that is bound for the corporate office remains untranslated.
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the NAT exemption configuration. These commands would be used in a VPN configuration that included NAT. The following is an example:
   access-list inside_nat0_outbound line 1 extended permit ip 10.100.1.0 255.255.255.0 10.0.1.0 255.255.255.0
   nat (inside) 0 access-list inside_nat0_outbound tcp 0 0 udp 0
   nat (inside) 1 10.100.1.0 255.255.255.0
   global (outside) 1 interface
The inside_nat0_outbound ACL identifies a traffic flow between 10.100.1.0/24 and 10.0.1.0/24. ACL inside_nat0_outbound is then used in the nat 0 command to permit internal hosts on the 10.100.1.0/24 subnet to bypass NAT when connecting to corporate hosts on the 10.0.1.0/24 subnet. NAT exemption is usually used in VPN scenarios.
Renaming an Existing ACL
   asa1(config)# show running-config access-list
   access-list outside_access_in extended permit tcp any host 192.168.1.11 eq http
   asa1(config)# access-list outside_access_in rename OUTSIDE
   asa1(config)# show running-config access-list
   access-list OUTSIDE extended permit tcp any host 192.168.1.11 eq http
■ Changes the name of the ACL named outside_access_in to OUTSIDE.
In Cisco ASA and PIX Security Appliance Software Version 8.0, you can use the CLI to rename an existing ACL. To rename an ACL, use the access-list rename command in global configuration mode. The figure shows how to rename an ACL from outside_access_in to OUTSIDE.
Malicious Active Code Filtering
This topic describes how the security appliance can filter malicious active code, which can be used in such applications as Java and ActiveX.
■ Java programs and ActiveX controls can enable attackers to invade network systems.
■ Cisco security appliances can be used to filter Java applets and block ActiveX controls.
Java applets are executable programs that are banned by many site security policies because they can provide a means of invading and compromising inside systems. Some Java applets can contain hidden code that can destroy data on the internal network. Java applets can be downloaded when you permit access to HTTP port 80.
ActiveX controls, formerly known as Object Linking and Embedding (OLE) controls, are applets, often used in animations, that can be inserted in web pages or in other applications. ActiveX controls also create a potential security problem by providing a way for someone to attack servers. You can use your security appliance to filter Java applets and block ActiveX controls.
The Java applet filter of Cisco security appliances can stop Java applications on a per-client or per-IP address basis. This is a sample Java class code snippet:
   00000000: cafe babe 0003 002d 0099 0900 8345 0098
When Java filtering is enabled, the security appliance searches for the programmed string, and, if found, it drops the Java applet. Java filtering filters out Java applets that return to the security appliance from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute.
Filtering Java and ActiveX
To filter ActiveX or Java, complete the following steps:
Step 1  Click Configuration in the Cisco ASDM toolbar.
Step 2  Choose Firewall from the navigation pane.
Step 3  Choose Filter Rules from the Firewall menu. The Filter Rules panel is displayed.
Step 4  Click Add.
Step 5  Choose Add Filter ActiveX Rule to add an ActiveX filter, or choose Add Java Rule to create a Java filter.
In the figure, the Add Filter ActiveX Rule option is chosen. The Add Filter ActiveX Rule window opens.
Filtering Java and ActiveX (Cont.)
Step 6  If you are configuring an ActiveX filter, click the Filter ActiveX radio button. If you are configuring a Java filter, click Filter Java. In the figure, Filter ActiveX is selected.
Step 7  In the Source field, enter the source of the traffic to which the filtering action applies. In the figure, the word "any" is entered. You can enter the source in one of the following ways:
■ Enter any to indicate any source address.
■ Enter a hostname.
■ Enter an IP address and optional network mask. You can express the netmask in slash notation or dotted decimal notation.
■ Click the ... button to open the Browse Source dialog box, where you can select a host or address from the list.
Step 8  In the Destination field, identify the destination of the traffic to which the filtering action applies. In the figure, the word "any" is entered. You can enter the destination in one of the following ways:
■ Enter any to indicate any destination address.
■ Enter a hostname.
■ Enter an IP address and optional network mask. You can express the netmask in slash notation or dotted decimal notation.
■ Click the ... button to open the Browse Source dialog box, where you can select a host or address from the list.
Step 9  In the Service field, identify the service of the traffic to which the filtering action applies. You can enter the service name or click the ellipsis (...) button to select a service from a list. HTTP is the default.
Step 10  Click OK.
Step 11  Click Apply in the Filter Rules panel.
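Before looking at the commands ASDM generates for this rule, it helps to see what the Java and ActiveX filters do to a response once a rule covers the connection. The following Python code is an added example, not code from the course or from Cisco: it parses filter java and filter activex commands in the form the course shows (port, local address and mask, foreign address and mask, with 0 0 meaning any), decides whether a rule applies to an outbound connection, recognises a Java class file by the cafe babe signature from the snippet above, and comments out <applet> and <object> blocks in an HTML page so that the page still renders but the active content cannot execute. The HTML page and class bytes are constructed sample data, and the tag commenting is a simplified model of the appliance's behaviour, not its implementation.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

JAVA_CLASS_MAGIC = bytes.fromhex("cafebabe")   # the "cafe babe" signature the Java filter looks for
PORT_NAMES = {"http": 80, "https": 443}
# <applet> carries Java applets; <object> carries ActiveX controls (classid="clsid:...").
ACTIVE_TAG_RE = re.compile(rb"<(applet|object)\b.*?</\1\s*>", re.IGNORECASE | re.DOTALL)


@dataclass
class FilterRule:
    kind: str                          # "java" or "activex"
    port: int
    local: ipaddress.IPv4Network       # client side of the outbound connection
    foreign: ipaddress.IPv4Network     # server side


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """'0 0' and '0.0.0.0 0.0.0.0' both mean any host; otherwise address plus subnet mask."""
    if addr in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0"):
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_filter(cmd: str) -> FilterRule:
    """Parse 'filter java|activex PORT LOCAL MASK FOREIGN MASK', with or without a CLI prompt."""
    tokens = cmd.split("#")[-1].split()
    _, kind, port, local_addr, local_mask, foreign_addr, foreign_mask = tokens
    return FilterRule(kind.lower(), int(PORT_NAMES.get(port.lower(), port)),
                      _network(local_addr, local_mask), _network(foreign_addr, foreign_mask))


def rule_applies(rule: FilterRule, local_ip: str, foreign_ip: str, port: int) -> bool:
    return (port == rule.port
            and ipaddress.IPv4Address(local_ip) in rule.local
            and ipaddress.IPv4Address(foreign_ip) in rule.foreign)


def is_java_class(body: bytes) -> bool:
    """A class file starts with 0xCAFEBABE followed by the minor/major version words."""
    return len(body) >= 8 and body[:4] == JAVA_CLASS_MAGIC


def comment_out_active_content(html: bytes, java: bool, activex: bool) -> bytes:
    """Wrap <applet> (java filter) and <object> (activex filter) blocks in HTML comments."""
    def replace(m: "re.Match[bytes]") -> bytes:
        tag = m.group(1).lower()
        if (tag == b"applet" and java) or (tag == b"object" and activex):
            # "--" inside a comment would end it early; soften it before wrapping.
            return b"<!-- " + m.group(0).replace(b"--", b"- -") + b" -->"
        return m.group(0)
    return ACTIVE_TAG_RE.sub(replace, html)


def filter_response(rules: List[FilterRule], local_ip: str, foreign_ip: str,
                    port: int, body: bytes) -> Optional[bytes]:
    """Body as the inside client would receive it, or None when the appliance drops it."""
    active = [r for r in rules if rule_applies(r, local_ip, foreign_ip, port)]
    java = any(r.kind == "java" for r in active)
    activex = any(r.kind == "activex" for r in active)
    if java and is_java_class(body):
        return None                     # the applet itself never reaches the client
    if not (java or activex):
        return body
    return comment_out_active_content(body, java, activex)


# Constructed sample data for the example: the two commands are the ones the course lists,
# the class bytes extend the course's snippet, and the page and classid are made up.
RULES = [
    parse_filter("hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0"),
    parse_filter("filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0"),
]
SAMPLE_CLASS = bytes.fromhex("cafebabe0003002d00990900") + b"\x00" * 16
SAMPLE_HTML = (b"<html><body><p>Hello</p>"
               b'<applet code="Demo.class"></applet>'
               b'<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
               b"</body></html>")
```

With these two rules, only the host 192.168.3.3 has its applets dropped and its <applet> tags commented out, while every local host gets its <object> tags commented out on port 80; a response on another port is passed through untouched because neither rule applies.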
In the figure, the configuration specifies that ActiveX is being filtered on port 80 from any internal host and for connections to any external host.
[Figure: the command filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0; ActiveX blocking applies to web traffic on port 80 from any local host and to any foreign host.]
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the ActiveX filtering configuration. The filter activex command is used to block ActiveX on port 80 from any local host and for connections to any foreign host. ActiveX objects are blocked on all outbound connections. If an identical Java filter is created in Cisco ASDM, ASDM sends the following command to the security appliance:
   filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
This command specifies that the Java applet blocking applies to web traffic on port 80 from any local host and for connections to any foreign host. Java applets are blocked on all outbound connections. The following command example prevents host 192.168.3.3 from downloading Java applets:
   hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0
URL Filtering
This topic discusses how to configure Cisco security appliances for URL filtering.
HTTP URL Filtering
■ Websense and Secure Computing SmartFilter HTTP URL-filtering applications can be used to block the responses of specific URLs.
■ URL filtering is configured on the security appliance in two steps: designate a URL-filtering server, then enable filtering.
URL filtering enables administrators to effectively monitor and control network traffic. URL filtering can be used to block specific URLs. The security appliance can be enabled to work with the Websense and Secure Computing URL-filtering applications.
This is useful because, between 9 a.m. and 5 p.m.:
■ 30 to 40 percent of Internet surfing is not business-related.
■ 70 percent of all Internet pornography traffic occurs.
■ More than 60 percent of online purchases are made.
Note  This information is taken from statistics compiled by Websense. Information about Websense, Secure Computing, and other Cisco Partners is available at http://www.cisco.com.
When the security appliance receives a request from a user to access a URL, it queries the URL-filtering server to determine whether to return, or block, the requested web page. The URL-filtering server checks its configurations to determine whether the URL should be blocked. If the URL should be blocked, URL-filtering applications can display blocking messages or direct the user that is requesting the URL to a specified website.
Note  Secure Computing acquired N2H2 and incorporated it into the Secure Computing SmartFilter product.
Designating a URL-Filtering Server
[Figure: the URL Filtering Servers panel with the URL-Filtering Server Type selection.]
Before you can begin URL filtering, you must designate at least one server on which the Websense or SmartFilter URL-filtering application will run. The limit is 16 URL servers. If you configure multiple servers, the security appliance uses the servers in order until a server responds. You can use only one application at a time, either SmartFilter or Websense. Additionally, changing your configuration on the security appliance does not update the configuration on the application server; this must be done separately, according to the instructions of the vendor. To designate a URL-filtering server, complete the following steps:
Step 1  Click Configuration in the Cisco ASDM toolbar.
Step 2  Choose Firewall from the navigation pane.
Step 3  Choose URL Filtering Servers from the Firewall menu. The URL Filtering Servers panel is displayed.
Step 4  Choose the URL-filtering server type by clicking the Websense or Secure Computing SmartFilter radio button.
If you choose Secure Computing SmartFilter, enter the Secure Computing SmartFilter port in the Secure Computing SmartFilter Port field. The default is 4005. In the figure, Websense is chosen as the URL-filtering server type.
Step 5  Click Add. The Add Parameters for Websense URL Filtering window or the Add Parameters for Secure Computing SmartFilter URL Filtering window opens, depending on your choice in Step 4.
Designating a URL-Filtering Server (Cont.)
[Figure: the Add Parameters for Websense URL Filtering window, with Interface dmz, IP Address 172.16.1.3, Timeout 30, Protocol TCP 4, and TCP Connections 5. It designates a URL-filtering server that runs a Websense URL-filtering application.]
Step 6  Use the Interface drop-down list to specify the interface on which the URL-filtering server is connected. In the figure, the DMZ interface is chosen.
Step 7  Enter the IP address of the URL-filtering server in the IP Address field. In the figure, 172.16.1.3 is specified as the IP address of the URL-filtering server.
Step 8  In the Timeout field, specify the number of seconds after which a request to the filtering server times out, or accept the default setting of 30 seconds. In the figure, the default setting is used.
Step 9  In the Protocol field, click a radio button to specify the protocol that the security appliance will use for communicating with the URL-filtering server. In the figure, the TCP 4 radio button is chosen. For Websense, you can choose one of the following radio buttons:
■ TCP 1: Specifies TCP Version 1
■ TCP 4: Specifies TCP Version 4
■ UDP 4: Specifies UDP Version 4
For Secure Computing SmartFilter, choose one of the following radio buttons:
■ TCP
■ UDP
Step 10  In the TCP Connections field, enter the maximum number of TCP connections allowed for communicating with the URL-filtering server. In the figure, the default setting of 5 is used.
Step 11  Click OK.
Step 12  Click Apply in the URL Filtering Servers panel.
Enabling HTTP URL Filtering
After designating which server runs the URL-filtering application, create an HTTP filtering rule to tell the security appliance to send URL requests to that server for filtering. Complete the following steps to create the rule:
Step 1  Click Configuration in the Cisco ASDM toolbar.
Step 2  Choose Firewall from the navigation pane.
Step 3  Choose Filter Rules from the Firewall menu.
Step 4  Click Add.
Step 5  Choose Add Filter HTTP Rule. The Add Filter HTTP Rule window opens.
Note  You cannot add an HTTP filter until you have defined the URL-filtering server.
Enabling HTTP URL Filtering (Cont.)
[Figure: the Add Filter HTTP Rule window, with Action Filter HTTP, Source any, Destination any, Service http, and the HTTP Options. The URL-filtering server at 172.16.1.3 decides whether a user's request for access to a web server is allowed or denied.]
Step 6  Click the Filter HTTP radio button in the Action field. In the figure, the Filter HTTP radio button is selected.
Step 7  In the Source field, enter the source of the traffic to which the filtering action applies. In the figure, the word "any" is entered. You can enter the source in one of the following ways:
■ Enter any to indicate any source address.
■ Enter a hostname.
■ Enter an IP address and optional network mask. You can express the netmask in slash notation or dotted decimal notation.
■ Click the ellipsis (...) button to open the Browse Source dialog box, where you can select a host or address from the list.
Step 8  In the Destination field, identify the destination of the traffic to which the filter action applies. In the figure, the word "any" is entered.
You can enter the destination in one of the following ways:
■ Enter any to indicate any destination address.
■ Enter a hostname.
■ Enter an IP address and optional network mask. You can express the netmask in slash notation or dotted decimal notation.
■ Click the ellipsis (...) button to open the Browse Source dialog box, where you can select a host or address from the list.
Step 9  Verify that "http" is displayed in the Service field.
Step 10  From the HTTP Options area, choose one of the following options from the When URL Exceeds Maximum Permitted Size drop-down list. In the figure, the default setting of Drop HTTP Traffic is accepted.
■ Drop HTTP Traffic
■ Truncate URL Sent to URL Server
Step 11  From the HTTP Options area, choose one or more of the following options:
■ Allow Outbound Traffic When URL Server Is Down: When this option is enabled, if the URL-filtering server is down or connectivity is interrupted to the security appliance, users will be able to connect without URL filtering being performed. If this option is disabled, users will not be able to connect to Internet websites when the URL server is unavailable. In the figure, this option is enabled.
■ Block Users from Connecting to an HTTP Proxy Server: This option prevents HTTP requests that are made through a proxy server.
■ Truncate CGI Parameters from URL Sent to the URL Server: If this option is enabled, the security appliance forwards only the CGI script location and the script name, without any parameters, to the filtering server.
Step 12  Click OK.
Step 13  Click Apply in the Filter Rules panel.
   url-server (dmz) vendor websense host 172.16.1.3 timeout 30 protocol TCP version 4 connections 5
   filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
■ The security appliance sends all URL requests to the Websense URL-filtering server at 172.16.1.3.
■ The URL-filtering server determines whether requested URLs should be blocked.
■ If the URL-filtering server goes offline, the security appliance allows all URL requests to continue without filtering.
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the HTTP filtering configuration. The url-server command tells the security appliance that the URL-filtering server is host 172.16.1.3 on the DMZ and that it is a Websense server. This command also specifies that requests to the URL-filtering server will time out after 30 seconds, the security appliance will use TCP version 4 for communicating with the URL-filtering server, and the maximum number of TCP connections allowed for communicating with the URL-filtering server is 5. The filter url command instructs the security appliance to send all URL requests on port 80 to the URL-filtering server. The allow option in the filter url command configures the security appliance to allow all URL requests to continue without filtering in the event that the URL-filtering server goes offline.
HTTPS and FTP Filtering
[Figure: the Add Filter HTTPS Rule and Add Filter FTP Rule windows.]
The security appliance filtering features extend web-based URL filtering to HTTPS and FTP. Both HTTPS and FTP filtering are available with Websense and Secure Computing URL filtering. Configure HTTPS or FTP filtering the same way that you configure an HTTP filter; only the protocol options differ. For example, when configuring HTTPS filtering, there is only one HTTPS option, the option to allow outbound traffic if the URL-filtering server is unavailable. When configuring FTP filtering, you can choose one or both of the following options:
■ Allow Outbound FTP Traffic When URL Server Is Down: When this option is enabled, if the URL-filtering server is down or connectivity is interrupted to the security appliance, users can connect without URL filtering being performed.
If this option is disabled, users cannot connect to Internet FTP sites when the URL server is unavailable.
- Block Interactive FTP Sessions (Block If Absolute FTP Path Is Not Provided): When this option is enabled, FTP requests are dropped if they use a relative path name to the FTP directory.
In the figure, both HTTPS and FTP filtering are configured. The Filter HTTPS and Filter FTP radio buttons are selected in their respective windows. The Source and Destination fields display the word "any," meaning that the filtering actions apply to any source address and any destination address. HTTPS appears in the Service field for the HTTPS filtering rule, and FTP appears in the Service field for the FTP filtering rule. Both rules are configured to let outbound connections pass through the security appliance without filtering if the URL-filtering server is down or connectivity to the security appliance is interrupted.

Commands for HTTPS and FTP Filtering
url-server (dmz) vendor websense host 172.16.1.3 timeout 30 protocol TCP version 4 connections 5
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Figure: HTTPS and FTP filtering rules with source and destination "any"
- The security appliance sends all HTTPS and FTP URL requests to the URL-filtering server.
- If the URL-filtering server goes offline, the security appliance allows all HTTPS and FTP URL requests to continue without filtering.
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the HTTPS and FTP filtering configuration. The url-server command tells the security appliance that the URL-filtering server is host 172.16.1.3 on the DMZ and that it is a Websense server.
This command also specifies that requests to the URL-filtering server time out after 30 seconds, that the security appliance communicates with the server over TCP using version 4 of the Websense protocol, and that at most five TCP connections to the URL-filtering server are used. The filter https and filter ftp commands instruct the security appliance to send all HTTPS and FTP URL requests to the URL-filtering server. The allow option in both of these commands configures the security appliance to allow all URL requests to continue without filtering in the event that the URL-filtering server goes offline. The filter https command specifies the default HT\
TPS port, 443, as the TCP port to which HTTPS filtering is applied. The filter ftp command specifies the default FTP port, 21, as the TCP port to which FTP filtering is applied. Typically, port 443 is used for HTTPS filtering and port 21 for FTP filtering, but other values can be specified; a filter rule inspects only the port you configure, so a service running on a nonstandard port is not filtered unless you add a rule for that port.

Packet Tracer
This topic explains how to use the security appliance Packet Tracer tool to troubleshoot your network.
Figure: Packet Tracer enables packet-tracing capabilities for packet sniffing and network fault isolation.
The security appliance Packet Tracer tool provides packet-tracing capabilities for packet sniffing and network fault isolation. It provides detailed information about the packets traversing your network and how they are processed by the security appliance. This greatly simplifies troubleshooting regardless of the complexity of your network design. The Packet Tracer tool reports the cause of dropped packets in an easily readable manner. For example, if a packet was dropped because of an invalid header, the following message is displayed:
packet dropped due to bad IP header (reason)
The Packet Tracer feature provides more information than syslogs with far less overhead than debugs.
It is especially useful if you have many ACL and NAT rules configured and you need to find out exactly which rule packets are matching. The Packet Tracer feature enables you to do the following:
- Debug all packet drops in a production network and associate them with the relevant configuration.
- Verify that your configuration is working as intended.
- View all rules applicable to a packet and the CLI lines that contain the rules.
- View a timeline of packet changes in a data path.
- Inject tracer packets into a data path.
- Capture packets.
- Trace the life span of a packet through the security appliance to see if it is behaving as expected.
The figure shows the Cisco ASDM version of the Packet Tracer, which enables you to easily trace the life span of a packet through the security appliance in an animated packet flow mode. The tool provides the attributes of a packet, such as source and destination IP addresses, with a visual representation of the different phases of the packet and the relevant configuration, which is accessible with a single click. For each phase, it displays whether the packet is dropped or allowed.
Complete the following steps to use the Packet Tracer tool:
Step 1 In the Cisco ASDM menu bar, click Tools.
Step 2 Choose Packet Tracer from the Tools menu. The Packet Tracer window opens.
Step 3 Choose the source interface for the packet trace from the Interface drop-down list. In the figure, the inside interface is chosen.
Step 4 Choose one of the following radio buttons to specify the protocol type for the packet trace. (In the figure, TCP is chosen.)
- TCP
- UDP
- ICMP
- IP
Step 5 Enter the source address for the packet trace in the Source IP Address field. In the figure, the source address is 10.0.1.11.
Step 6 Choose the source port for the packet trace from the Source Port drop-down list or enter a port number in the field. If you do not know the source port, you can use any number.
Source ports typically range from 1025 to 65535. In the figure, 1025 is specified as the source port.
Step 7 Enter the destination address for the packet trace in the Destination IP Address field. In the figure, the destination address is 192.168.1.1.
Step 8 Choose the destination port for the packet trace from the Destination Port drop-down list or enter a port number in the field. In the figure, the destination port is 23.
Step 9 To display a graphical representation of the packet trace, check the Show Animation check box. The Show Animation check box is checked in the figure.
Step 10 Click Start to trace the packet. The Packet Tracer displays detailed messages about the packet trace and a graphical representation of the packet trace.

Command for Configuring the Packet Tracer
packet-tracer input inside tcp 10.0.1.11 1025 192.168.1.1 23 xml
- When this command is entered at the CLI, information about how a Telnet connection from inside host 10.0.1.11 to the external router 192.168.1.1 is handled is displayed in XML format on the security appliance console.
- To view the output at the CLI without the XML formatting, enter the command without the xml option.
The figure shows the command that Cisco ASDM sends to the security appliance as a result of the packet tracer configuration. If you enter this command manually at the CLI exactly as Cisco ASDM delivers it to the security appliance, the output is displayed on the security appliance console in XML format. You can enter the command without the xml option to view the output without XML formatting, or you can replace the xml option with the detailed option to obtain more detailed output.

Troubleshooting with the Packet Tracer
A user at the Company XYZ branch office contacts the company network security administrator. The user wants to know why FTP requests to corporate headquarters host 192.168.1.10 are unsuccessful.
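The trace for this scenario is walked through phase by phase on the following pages, using the CLI form of the output. The Python script below is an added example, not part of the course material or of Cisco's tooling: it parses the text form of a packet-tracer result (the numbered Phase blocks with their Type, Subtype, Result, Config and Additional Information fields, followed by the final Result block) and reports the first phase that dropped the packet together with the configuration lines that phase matched. The sample trace embedded in it is constructed by hand to resemble the scenario (an outside host sending FTP to 192.168.1.10, denied by outside_access_in); the static NAT and ACL lines in it are assumptions, not the lab's real configuration.

```python
"""Parse the text output of the ASA packet-tracer command.

Added example, not part of the SNAF course. SAMPLE_TRACE is constructed by
hand to resemble the lesson scenario; its NAT and ACL lines are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 192.168.1.10 insidehost netmask 255.255.255.255
Additional Information:
Untranslate 192.168.1.10/0 to 10.0.1.10/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny tcp any host 192.168.1.10 eq ftp
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""                                  # ALLOW or DROP
    config: List[str] = field(default_factory=list)   # lines under Config:
    info: List[str] = field(default_factory=list)     # Additional Information:


def parse_trace(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Split the trace into its numbered phases and the final Result block."""
    phases: List[Phase] = []
    final: Dict[str, str] = {}
    current: Optional[Phase] = None
    section = ""  # "config", "info" or "final"
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Result:":                 # bare header starts the summary
            current, section = None, "final"
        elif line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            section = ""
        elif section == "final":
            if ":" in line:
                key, value = line.split(":", 1)
                final[key.strip()] = value.strip()
        elif current is not None:
            if line.startswith("Type:"):
                current.type = line.split(":", 1)[1].strip()
            elif line.startswith("Subtype:"):
                current.subtype = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):  # per-phase verdict
                current.result = line.split(":", 1)[1].strip()
            elif line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif line.strip():
                (current.config if section == "config" else current.info).append(line.strip())
    return phases, final


def deciding_phase(phases: List[Phase]) -> Optional[Phase]:
    """First phase whose verdict is DROP; None when every phase allowed the packet."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def explain(text: str) -> Dict[str, object]:
    """Summarise a trace: final action and drop reason, the phase and the
    configuration lines responsible, and any UN-NAT translation applied."""
    phases, final = parse_trace(text)
    drop = deciding_phase(phases)
    untranslate = next((i for p in phases for i in p.info if i.startswith("Untranslate")), None)
    return {
        "action": final.get("Action", ""),
        "drop_reason": final.get("Drop-reason", ""),
        "phase": drop.number if drop else None,
        "type": drop.type if drop else None,
        "config": list(drop.config) if drop else [],
        "untranslate": untranslate,
    }
```

Paste the output of a packet-tracer command run without the xml option into explain() to get the dropping phase and the exact access-list or NAT line responsible; when the device reports Action: allow, deciding_phase() returns None and the config list is empty.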
The network security administrator quickly diagnoses the problem by using the Packet Tracer.

Troubleshooting with the Packet Tracer (Cont.)
With the configuration shown in the figure, the security appliance injects sample traffic to check and display its handling of FTP packets sent to inside host 192.168.1.10 from an outside source. The final result of the trace is shown in the figure. If you click the Show Rule in Access Rules Table link, Cisco ASDM takes you directly to the access rule that causes the FTP connections to be dropped.
Note Although the results of the trace are clearly displayed in the Cisco ASDM Packet Tracer, the CLI output is used on subsequent pages to explain details of the trace results. This is due to the limitations of displaying the Cisco ASDM Packet Tracer in the figure.

Packet Tracer Output
Figure: Phase 1, FLOW-LOOKUP (looking for an existing flow): "Found no matching flow, creating a new flow." Phase 2, UN-NAT (finding the real IP address of the destination host).
The Phase 1 output shows that the security appliance first looks for an existing flow but does not find one, so it creates a new flow. In Phase 2, the security appliance checks its NAT configuration. Finding that 192.168.1.10 is the static translation for host insidehost, it untranslates 192.168.1.10 to insidehost, which is a name mapped to IP address 10.0.1.10.

Packet Tracer Output (Cont.)
Figure: Phase 3, ACCESS-LIST (checking access lists).
The Phase 3 output shows that the security appliance applies access list outside_access_in to the outside interface, and that the FTP packet is denied there. Finally, the Result section tells the administrator that the reason for the denied FTP connections is a configured rule in the access list applied inbound on the outside interface.

Summary
This topic summarizes the key points that were discussed in this lesson.
- ACLs can be used to specify which systems are allowed to establish connections through your security appliance; they can also be used to define traffic flows for other uses.
- The security appliance can be configured to filter malicious active code.
- The security appliance can work with URL-filtering software to control and monitor Internet activity.
- The security appliance Packet Tracer tool provides packet-tracing capabilities for packet sniffing and network fault isolation.

Lesson 7
Configuring Object Grouping
Overview
This lesson describes object grouping concepts and explains how to use the object-group command to configure object grouping. The lesson also explains the various types of object groups and how to use them in access control lists (ACLs).
Objectives
Upon completing this lesson, you will be able to describe and configure the object grouping feature of Cisco security appliances. This ability includes being able to meet these objectives:
- Describe the object grouping feature of the security appliance and its advantages
- Configure object groups and use them in ACLs
Essentials of Object Grouping
This topic describes object grouping.
Figure: Using Object Groups in ACLs
An ACL can cause a security appliance to allow a designated client to access a particular server for a specific service. When there is only one client, one host, and one service, only a minimum number of lines is needed in an ACL. However, as the number of clients, servers, and services increases, the number of lines required in an ACL grows multiplicatively, because every client, server, and service combination needs its own line. In the figure, the Internet hosts are granted HTTP, HTTPS, and FTP access to specific hosts in the demilitarized zone (DMZ). An access control entry (ACE) is configured for each individual destination host and protocol combination. There are three destination hosts, each with three protocols; therefore, nine lines are needed in the ACL.
Grouping Objects
Figure: three DMZ servers (192.168.1.8, 192.168.1.9, and 192.168.1.10), each with a static translation from the dmz to the outside interface, grouped as DMZ_SERVERS; the HTTP, HTTPS, and FTP services grouped as DMZ_SERVICES. Host and network groups and service groups can be applied to ACLs by name.
You can group network objects such as hosts and services to simplify the task of creating and applying ACLs. This reduces the number of access control entries (ACEs), or access rules, that are required to implement complex security policies. For example, a security policy that normally contains 3300 ACEs within an ACL might require only several hundred ACEs within that ACL after hosts and services are properly grouped.
Applying a security appliance object group to a security appliance command is the equivalent of applying every element of the object group to the command. For example, the group DMZ_SERVERS contains servers 192.168.1.8, 192.168.1.9, and 192.168.1.10. The group DMZ_SERVICES supports the HTTP, HTTPS, and FTP protocols. Applying the groups DMZ_SERVERS and DMZ_SERVICES to an ACE is the same as applying all the individual hosts and protocols to the ACE.
Therefore, this command:
access-list OUTSIDE permit tcp any object-group DMZ_SERVERS object-group DMZ_SERVICES
is equivalent to the following commands:
asa1(config)# access-list OUTSIDE permit tcp any host 192.168.1.8 eq http
asa1(config)# access-list OUTSIDE permit tcp any host 192.168.1.8 eq https
asa1(config)# access-list OUTSIDE permit tcp any host 192.168.1.8 eq ftp
asa1(config)# access-list OUTSIDE permit tcp any host 192.168.1.9 eq http
asa1(config)# access-list OUTSIDE permit tcp any host 192.168.1.9 eq https
asa1(config)# access-list OUTSIDE permit tcp any host 192.168.1.9 eq ftp
asa1(config)# access-list OUTSIDE permit tcp any host 192.168.1.10 eq http
asa1(config)# access-list OUTSIDE permit tcp any host 192.168.1.10 eq https
asa1(config)# access-list OUTSIDE permit tcp any host 192.168.1.10 eq ftp
Note Editing the contents of an object group automatically updates the policy of any ACL that references the object group. Treat membership changes as policy changes: adding a host to DMZ_SERVERS immediately exposes it through every ACE that names the group.

Grouping Objects of Similar Types
Figure: access-list outside_access_in permit tcp ... and access-list outside_access_in permit icmp ... echo-reply, written with network, service, protocol, and ICMP-type groups.
Object grouping provides a way to group objects of a similar type so that a single ACE can apply to all the objects in the group. You can create the following types of object groups:
- Network: Used to group client hosts, server hosts, or subnets.
- Protocol: Used to group protocols. It can contain names of protocols or integers in the range 1 through 254 representing IP protocol numbers.
- Service: Used to group TCP or User Datagram Protocol (UDP) port numbers assigned to different services. In Cisco ASA and PIX Security Appliance Software Version 8.0 and higher, a service group can contain a mix of TCP services, UDP services, Internet Control Message Protocol (ICMP)-type services, and any protocol.
- ICMP-type: Used to group ICMP message types to which you permit or deny access.

Configuring and Using Object Groups
This topic explains how to configure object groups, display object groups, and use object groups in ACLs.
Complete the following tasks to create any type of object group and use it in your configuration:
- Task 1: Specify the type of object group that you want to create and configure a name for the group.
- Task 2: Define the members of the object group.
- Task 3: (Optional) Configure a description for the object group.
- Task 4: Apply the object group to an ACL.
You can use object groups as access rule parameters, including source, destination, protocol, and service.

Configuring Network Object Groups
You can use a network object group not only for ACLs, but for most configurations that require you to identify an IP address or network. When you configure Network Address Translation (NAT) or security policy rules, the Cisco ASDM window includes a side pane at the left that shows available IP address objects, network object groups, and other global objects; you can add, edit, or delete objects directly in the side pane.
To configure a network object group, complete the following steps:
Step 1 Click Configuration in the Cisco ASDM toolbar.
Step 2 Choose Firewall from the navigation pane.
Step 3 Expand the Objects menu.
Step 4 Choose Network Object Groups.
The Network Object Groups panel is displayed.
Step 5 Click Add. The Add Network Object Group window opens.

Configuring Network Object Groups (Cont.)
Step 6 Enter a name for the group in the Group Name field. The group name can be up to 64 characters in length. The name must be unique for all object groups. A network object group name cannot share a name with a service group. In the figure, the network object group is named INSIDE_ENG.
Step 7 From the Existing Address list, choose the object you want to add to the group. Existing IP address objects are derived from other configurations, such as access rules and authentication, authorization, and accounting (AAA) rules. You can also enter a new address in the Address field. In the figure, two new addresses, 10.0.0.1 and 10.0.0.2, two hosts on the 10.0.0.0/24 subnet, are added to the group.
Step 8 Click Add to move the address to the Members in Group pane.
Step 9 When you have finished adding all the addresses that you want to add, click OK.
Step 10 Click Apply in the Network Object Groups panel.

Commands for Configuring Network Object Groups
object-group network INSIDE_ENG
 network-object host 10.0.0.1
 network-object host 10.0.0.2
- Creates a network object group named INSIDE_ENG
- Adds hosts 10.0.0.1 and 10.0.0.2 to the INSIDE_ENG network object group
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the network object group configuration. The object-group network command creates a network object group named INSIDE_ENG. The network-object commands add host addresses 10.0.0.1 and 10.0.0.2 to the INSIDE_ENG group.
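The equivalence stated earlier in this lesson (one grouped ACE standing for the nine individual ACEs) is mechanical, and checking it mechanically is useful when reviewing what a grouped rule really opens. The following Python script is an added example, not part of the course or of Cisco's software: it parses object-group blocks in ASA 8.0 syntax, including the network groups configured here and the service, protocol, ICMP-type, and nested (group-object) groups the lesson configures next, and expands every access-list entry that references a group into the flat ACEs it implies. The configuration fragment is constructed; DMZ_SERVERS, DMZ_SERVICES, INSIDE_ENG, HOST_SERVICES, INSIDE_PROTOCOLS, and PING follow the lesson, while the INSIDE_ALL group and the ACEs that use INSIDE_PROTOCOLS, INSIDE_ALL, and PING are assumptions added to exercise those group types.

```python
"""Expand object-group references in ASA access-list entries into flat ACEs.

Added example, not part of the SNAF course. SAMPLE_CONFIG is a constructed
fragment in ASA 8.0 syntax; INSIDE_ALL and the ACEs that use INSIDE_PROTOCOLS,
INSIDE_ALL and PING are assumptions added to exercise protocol, nested and
ICMP-type groups.
"""
import itertools
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
object-group network DMZ_SERVERS
 network-object host 192.168.1.8
 network-object host 192.168.1.9
 network-object host 192.168.1.10
object-group service DMZ_SERVICES tcp
 port-object eq http
 port-object eq https
 port-object eq ftp
object-group network INSIDE_ENG
 network-object host 10.0.0.1
 network-object host 10.0.0.2
object-group network INSIDE_ALL
 group-object INSIDE_ENG
 network-object 10.0.1.0 255.255.255.0
object-group service HOST_SERVICES tcp
 port-object eq http
 port-object eq https
 port-object eq ftp
 port-object range 137 139
object-group protocol INSIDE_PROTOCOLS
 protocol-object tcp
 protocol-object udp
object-group icmp-type PING
 icmp-object echo
 icmp-object echo-reply
access-list OUTSIDE extended permit tcp any object-group DMZ_SERVERS object-group DMZ_SERVICES
access-list inside_access_in extended permit tcp object-group INSIDE_ENG any object-group HOST_SERVICES
access-list inside_access_in extended permit object-group INSIDE_PROTOCOLS object-group INSIDE_ENG any
access-list inside_access_in extended permit udp object-group INSIDE_ALL any eq domain
access-list outside_access_in extended permit icmp any any object-group PING
"""

HEADER = re.compile(r"object-group (network|service|protocol|icmp-type) (\S+)(?: (tcp|udp|tcp-udp))?$")
LITERAL = {"network-object", "port-object", "icmp-object", "protocol-object"}  # copied verbatim into ACEs
Group = Dict[str, object]


def parse_object_groups(config: str) -> Dict[str, Group]:
    """Collect object-group blocks as name -> {kind, proto, members}."""
    groups: Dict[str, Group] = {}
    current = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        m = HEADER.match(raw.strip())
        if m:
            current = groups.setdefault(m.group(2), {"kind": m.group(1), "proto": m.group(3), "members": []})
        elif current is not None and parts[0] in LITERAL:
            current["members"].append(("literal", " ".join(parts[1:])))
        elif current is not None and parts[0] == "group-object":
            current["members"].append(("group", parts[1]))
        elif current is not None and parts[0] == "description":
            continue
        elif current is not None and parts[0] == "service-object":
            raise ValueError("mixed service-object groups are not expanded by this example")
        else:
            current = None   # any other top-level line ends the group block
    return groups


def members(groups: Dict[str, Group], name: str, seen: Tuple[str, ...] = ()) -> List[str]:
    """Flatten a group, following group-object nesting and refusing loops."""
    if name in seen:
        raise ValueError(f"object-group nesting loop at {name}")
    out: List[str] = []
    for kind, value in groups[name]["members"]:
        out.extend(members(groups, value, seen + (name,)) if kind == "group" else [value])
    return out


def expand_ace(ace: str, groups: Dict[str, Group]) -> List[str]:
    """Substitute each 'object-group NAME' pair by its members in turn and return the
    cartesian product; slot position (protocol, source, destination, service) is kept."""
    slots: List[List[str]] = []
    tokens = ace.split()
    i = 0
    while i < len(tokens):
        if tokens[i] == "object-group":
            slots.append(members(groups, tokens[i + 1]))
            i += 2
        else:
            slots.append([tokens[i]])
            i += 1
    return [" ".join(combo) for combo in itertools.product(*slots)]


def expand_config(config: str) -> Dict[str, List[str]]:
    """Map each ACL name to the flat ACE list its object-group ACEs imply."""
    groups = parse_object_groups(config)
    expanded: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            expanded.setdefault(line.split()[1], []).extend(expand_ace(line, groups))
    return expanded
```

Run expand_config() over a saved running configuration to count the ACEs a grouped policy really contains, or to list exactly which hosts and ports one grouped ACE opens before approving a membership change. Mixed service-object groups carry their own protocol per member and are rejected rather than expanded incorrectly.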
Service Object Groups
Although you can configure object groups that are protocol-specific, ICMP-type-specific, or service-specific, you can also configure service object groups that contain a combination of TCP services, UDP services, ICMP-type services, and protocols.
Figure: an object-group service configured with service-object entries for TCP and UDP source port ranges, an ICMP echo service, FTP, and the ESP protocol (the individual lines are not legible in the figure).
You can configure service object groups that contain any combination of TCP services, UDP services, ICMP-type services, and protocols. If you use service groups in this manner, you do not need to use ICMP-type object groups or protocol object groups. Service object groups also enable you to specify both source and destination services. You can use a service object group for most configurations that require you to identify a port, ICMP type, or protocol. In the figure, TCP services, UDP services, an ICMP-type service, and the Encapsulating Security Payload (ESP) protocol are combined in one service object group.

Configuring Service Object Groups
To configure a service object group, complete the following steps:
Step 1 Click Configuration in the Cisco ASDM toolbar.
Step 2 Choose Firewall from the navigation pane.
Step 3 Expand the Objects menu.
Step 4 Choose Service Groups. The Service Object Groups pane is displayed.
Step 5 Click Add. The following list of service types is displayed:
- Service Group: Creates a service object group that can mix protocols, ports, and ICMP types
- TCP Service Group: Creates a TCP service object group
- UDP Service Group: Creates a UDP service object group
- TCP-UDP Service Group: Creates a TCP-UDP service object group
- ICMP Group: Creates an ICMP-type object group
- Protocol Group: Creates a protocol object group
Step 6 Choose the type of service group that you want to configure.
The window that opens as a result of your selection matches the type of service group that you are adding. For example, if you are adding a TCP service group, the Add TCP Service Group window opens. In the figure, the TCP Service Group is chosen.

Configuring Service Object Groups (Cont.)
To configure a TCP service group, complete the following steps:
Step 1 Enter a name for the group in the Group Name field. The name can be up to 64 characters in length. The name must be unique for all object groups. A service group name cannot share a name with a network object group. In the figure, the TCP service group is named HOST_SERVICES.
Step 2 From the Existing Service/Service Group list, choose the members of the service group. You can choose from predefined service groups, or you can choose from a list of commonly used port, type, or protocol names. Otherwise, create a new member in the Create New Member area by clicking the Create New Member radio button, specifying the port range, and then clicking Add. The name of the field in the Create New Member area varies depending upon the type of service group that you are creating. Because a TCP service group is being created in the figure, the field is labeled Port/Range. In the figure, HTTP, HTTPS, and FTP are chosen from the Existing Services list, and a port range of 137-139 (the NetBIOS port range) is entered as a new member.
Step 3 Click Add to add the group members to the Members in Group pane.
Step 4 Click OK.
Step 5 Click Apply in the Service Groups pane.
Note The protocol type of a service group object and the protocol type of the ACE to which it is associated must match.
For example, if the service object group HOST_SERVICES is created for TCP services, such as HTTP and FTP, this service object group can only be associated with an ACE (permit or deny) that also refers to TCP services, as in the following example:
asa1(config)# access-list INSIDE permit tcp object-group INSIDE_ENG any object-group HOST_SERVICES

Commands for Configuring Service Object Groups
object-group service HOST_SERVICES tcp
 port-object eq http
 port-object eq https
 port-object eq ftp
 port-object range 137 139
- Creates a TCP service group named HOST_SERVICES
- Adds four services as members of the HOST_SERVICES group
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the service object group configuration. These commands create a service object group named HOST_SERVICES, which contains the individual HTTP, HTTPS, and FTP ports as well as the port range 137 to 139 to specify NetBIOS services.

Configuring ICMP-Type Object Groups
To configure an ICMP-type object group, complete the following steps:
Step 1 Choose the ICMP Group option from the Add menu in the Service Groups pane. The Add ICMP Group window shown in the figure opens.
Step 2 Enter a name up to 64 characters in length in the Group Name field. The name must be unique for all object groups. In the figure, the ICMP-type object group name is PING.
Step 3 From the Existing Service/Service Group list, choose the members for the ICMP-type object group. You can choose from predefined service groups, or you can choose from a list of ICMP message types. You can also create a new member in the Create New Member area of the window. In the figure, the echo and echo-reply message types are made members of the PING group.
Step 4 Click Add to add the group members to the Members in Group pane.
Step 5 Click OK.
Step 6 Click Apply in the Service Groups pane.
The following are valid ICMP message types:
- alternate-address
- conversion-error
- echo
- echo-reply
- information-reply
- information-request
- mask-reply
- mask-request
- mobile-redirect
- parameter-problem
- redirect
- router-advertisement
- router-solicitation
- source-quench
- time-exceeded
- timestamp-reply
- timestamp-request
- traceroute
- unreachable

Commands for Configuring ICMP-Type Object Groups
object-group icmp-type PING
 icmp-object echo
 icmp-object echo-reply
- Creates an ICMP-type object group named PING
- Adds the ICMP message types echo and echo-reply to the PING object group
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the ICMP-type object group configuration. These commands create an ICMP-type object group named PING, which contains the ICMP echo and echo-reply message types.

Configuring Protocol Object Groups
To configure a protocol object group, complete the following steps:
Step 1 Choose the Protocol Group option from the Add menu in the Service Groups pane. The Add Protocol Group window shown in the figure opens.
Step 2 Enter a name up to 64 characters in length in the Group Name field. The name must be unique for all object groups. In the figure, the protocol object group name is INSIDE_PROTOCOLS.
Step 3 From the Existing Service/Service Group list, choose the members for the protocol object group. You can choose from predefined service groups, or you can choose from a list of protocols. You can also create a new member in the Create New Member area of the window.
In the figure, the TCP and UDP protocols are made members of the INSIDE_PROTOCOLS group.
Step 4 Click Add to add the group members to the Members in Group pane.
Step 5 Click OK.
Step 6 Click Apply in the Service Groups pane.

Commands for Configuring Protocol Object Groups
object-group protocol INSIDE_PROTOCOLS
 protocol-object tcp
 protocol-object udp
- Creates a protocol object group named INSIDE_PROTOCOLS
- Assigns the TCP and UDP protocols to the INSIDE_PROTOCOLS group
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the protocol object group configuration. These commands create a protocol object group named INSIDE_PROTOCOLS, which contains the TCP and UDP protocols.
Note To achieve even greater flexibility and modularity for specifying access rules, you can create hierarchical, or nested, object groups that combine object groups of the same type. See the Cisco Security Appliance Command Line Configuration Guide Version 8.0(2) for details.

Using Object Groups in an ACL
The last task is to use the object groups in an ACL. To use a configured object group in an access rule, click the ellipsis (...) button to the right of the Source, Destination, or Service field. This opens a browser window that enables you to choose configured object groups to be used as parameters for the access rule. This window is used in multiple configuration screens and is named appropriately for the current task. For example, from the Add Access Rule window, the Browse window is named "Browse Source Address," "Browse Destination Address," or "Browse Service," as shown in the figure.
In the figure, the previously configured object groups are being used to create an access rule as follows:
- The source IP address is the INSIDE_ENG network object group that you created.
- The destination IP address is "any."
- The service is the HOST_SERVICES service object group that you created.
Note An object group cannot be removed if it is part of an active ACL, because its removal would result in the ACL becoming incomplete or invalid.

access-list Command with Object Groups
access-list inside_access_in extended permit tcp object-group INSIDE_ENG 0.0.0.0 0.0.0.0 object-group HOST_SERVICES
access-group inside_access_in in interface inside
- Permits outbound engineering HTTP, HTTPS, FTP, and NetBIOS traffic
The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the access rule configuration. Object groups have been configured so that one ACL entry gives hosts within the INSIDE_ENG group outbound access with the protocols defined by the HOST_SERVICES object group. Without object grouping, eight ACEs (two hosts times four services) would be required.

Summary
This topic summarizes the key points that were discussed in this lesson.
- You can group network objects, services, protocols, and ICMP message types to reduce the number of ACEs required to implement your security policy.
- To use object groups for reducing the number of ACEs in your configuration, you must specify a type of object group, configure a name for the group, define the members of the object group, and apply the object group to an ACL.
Lesson 8
Switching and Routing on Cisco Security Appliances
Overview
This lesson describes the VLAN and routing capabilities of Cisco security appliances.
Objectives
Upon completing this lesson, you will be able to describe the switching and routing functionality that your security appliance provides. This ability includes being able to meet these objectives:
- Configure logical interfaces and VLANs
- Configure static routes and static route tracking
- Describe the dynamic routing capabilities of Cisco security appliances and configure passive RIP routing
VLAN Capabilities
This topic describes the VLAN capabilities of Cisco security appliances.
Company XYZ Problem: Need for Additional Interfaces
Figure: the Company XYZ adaptive security appliance has four physical LAN connections in use (inside, outside, DMZ, and Partner1 network); Company XYZ wants another interface for Partner2 to ensure traffic separation.
The Cisco adaptive security appliance (ASA) that is currently protecting the fictitious Company XYZ corporate network has these four physical interfaces:
- Inside: Connects to the inside host network.
- Outside: Connects to the outside network for Internet connectivity.
- DMZ: This physical interface is being used for Company XYZ public servers, such as web servers.
- Partner1: Because Partner1 has its own designated security appliance interface, access to and from the Partner1 network can be controlled not only with access control lists (ACLs) but with a security level.
Company XYZ has recently partnered with another company, Partner2. Because all physical interfaces are already being used, the network security administrator for Company XYZ wants to find an alternative means of ensuring traffic separation when connecting Partner2, in order to mitigate the risk of Partner2 gaining access to Company XYZ employee resources.
The administrator would like to increase the number of interfaces available to the network without adding additional physical interfaces or security appliances.

Company XYZ Solution: VLANs
Figure: five interfaces in use: inside (physical interface), outside (physical interface), Partner1 network (physical interface), public servers (virtual VLAN interface on the trunk), and Partner2 network (virtual VLAN interface on the trunk).
With Cisco PIX Firewall Software Version 6.3 and later and Cisco ASA and PIX Security Appliance Software Version 7.0 and later, you can configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN. These logical interfaces are called "subinterfaces." You can assign only a single VLAN to a subinterface, and you cannot assign a VLAN to a physical interface. Each subinterface must have a VLAN ID before it can pass traffic. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or security appliances.
Note You can create logical subinterfaces and assign VLANs to the subinterfaces on all security appliance models except those with a built-in switch, such as the Cisco ASA 5505 Adaptive Security Appliance. The ASA 5505 Adaptive Security Appliance is equipped with eight switch ports. In the case of the ASA 5505 Adaptive Security Appliance, you create a VLAN interface independent of any physical interfaces. You can then assign one or more physical interfaces to the VLAN.
Refer to the Cisco Security Appliance Command Line Configuration Guide for more information on how to configure VLANs on an ASA 5505 Adaptive Security Appliance. Subinterfaces are not available on the ASA 5505 Adaptive Security Appliance.

Physical interfaces consist of one interface per network interface card (NIC), are in place at boot time, and are not removable. Logical interfaces can be many-to-one for each NIC, are created at runtime, and can be removed through software reconfiguration. For VLANs to be supported, at least two physical interfaces are required on all security appliance platforms. Cisco PIX 500 Series Security Appliances (except for the PIX 501 Security Appliance) and Cisco ASA 5500 Series Adaptive Security Appliances support only IEEE 802.1Q VLANs. Specifically, they support multiple 802.1Q VLANs on a physical interface and the ability to receive and send 802.1Q-tagged packets.

An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. Cisco security appliances do not currently support executable commands for LAN trunks (the physical and logical connection between two switches) because the security appliances do not negotiate or participate in any bridging protocols. The security appliance considers the state of the LAN trunk to be the same as the state of the physical interface. If the link is up on the physical Ethernet, the security appliance considers the trunk up as soon as a VLAN has been assigned or configured for it.

By default, physical interfaces are disabled. When you add a subinterface, it is enabled by default. However, for traffic to pass through the subinterface, the physical interface must also be enabled. If you use subinterfaces, you typically do not want the physical interface to pass traffic, because the physical interface passes untagged packets.
You can ensure that the physical interface does not pass traffic by not naming it. An unnamed interface cannot pass traffic, so untagged frames arriving on the trunk port (for example, native VLAN traffic from the connected switch) are dropped rather than being forwarded as if they belonged to a named interface.

By using VLANs as shown in the figure, the network security administrator for Company XYZ can increase the number of interfaces available to the network without adding physical interfaces or security appliances. The demilitarized zone (DMZ) physical interface automatically becomes an 802.1Q trunk when it is configured with two VLAN subinterfaces. These VLANs allow the administrator to keep public server and Partner2 traffic separate. With this plan, the Company XYZ corporate adaptive security appliance interfaces will be used as follows:

- Four physical LAN connections
  - Inside interface
  - Outside interface
  - Partner1 network interface
  - Trunk interface
- Two VLANs on the trunk physical interface
  - Public server VLAN
  - Partner2 network VLAN

Creating Logical Interfaces

To create a logical subinterface and set its VLAN ID, complete the following steps:

Step 1  Click Configuration in the Cisco ASDM toolbar.
Step 2  Choose Device Setup from the navigation pane.
Step 3  Choose Interfaces from the Device Setup menu. The Interfaces panel is displayed.
Step 4  Click Add and choose Interface. The Add Interface dialog box is displayed with the General tab selected.

Figure: Creating Logical Interfaces (Cont.), showing the Add Interface dialog box with the Hardware Port, VLAN ID, Subinterface ID, Interface Name, Security Level, Enable Interface, and IP address fields.

Step 5  From the Hardware Port drop-down list, choose the physical interface to which you want to add the subinterface. In the figure, GigabitEthernet0/3 is chosen.
Step 6  In the VLAN ID field, enter a VLAN ID between 1 and 4095 for the subinterface. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. In the figure, the VLAN ID is 10.
Step 7  In the Subinterface ID field, enter the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your security appliance platform. You cannot change the ID after you set it. In the figure, the subinterface ID is 1.
Step 8  Enter a name for the VLAN in the Interface Name field. The name is used in all configuration commands on the security appliance instead of the interface type and ID (such as GigabitEthernet0/1), and is therefore required before traffic can pass through the interface. In the figure, VLAN subinterface GigabitEthernet0/3.1 is assigned the name "DMZ."
Step 9  Enter a security level for the VLAN in the Security Level field. In the figure, the VLAN is assigned a security level of 10.
Step 10 Check the Enable Interface check box to enable the subinterface.
Step 11 Click the Use Static IP radio button if you are not using DHCP or PPP over Ethernet (PPPoE) for IP address assignment.
Step 12 Enter an IP address for the VLAN in the IP Address field. In the figure, DMZ is assigned the IP address 172.16.10.1.
Step 13 Choose the subnet mask from the Subnet Mask drop-down list.
Step 14 Click OK. The Interfaces panel displays your configuration.
Step 15 From the Interface list, select the physical interface on which you created the VLAN subinterface. In the example, this is GigabitEthernet0/3.
Step 16 Click the Edit button. The Edit Interface window opens.
Step 17 Check the Enable Interface check box to enable the physical interface.
Step 18 Click OK.
Step 19 Click Apply in the Interfaces panel.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the VLAN configuration.
The commands are as follows:

    interface GigabitEthernet0/3.1
     vlan 10
     no shutdown
     nameif DMZ
     security-level 10
     ip address 172.16.10.1 255.255.255.0
    interface GigabitEthernet0/3
     no shutdown

The first interface command creates a subinterface on physical interface GigabitEthernet0/3 and enters configuration mode for the subinterface. The vlan command enables VLAN 10 on Gigabit Ethernet subinterface 0/3.1, and the no shutdown command enables the subinterface. The nameif command assigns the name DMZ to GigabitEthernet0/3.1. The security-level command sets the security level on GigabitEthernet0/3.1 to 10. The ip address command assigns the IP address 172.16.10.1 to GigabitEthernet0/3.1. The second interface command enters configuration mode for physical interface GigabitEthernet0/3, and the no shutdown command enables it. Note that no nameif is applied to GigabitEthernet0/3 itself, so the physical interface does not pass untagged traffic.

Company XYZ VLAN Configuration

Figure: Company XYZ VLAN Configuration, showing the configuration of multiple VLANs on a single physical interface. In the example, VLANs 10 and 20 have been created on the appropriate subinterfaces of interface GigabitEthernet0/3. They have also been assigned names, security levels, and IP addresses.

Figure: Maximum number of interfaces supported by Cisco PIX and ASA Security Appliance Software Version 8.0, by platform (PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535, ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550).

VLANs are not supported on the Cisco PIX 501 Security Appliance. The number of logical (virtual) interfaces that you can configure on the other Cisco security appliances varies by platform and license type.
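A practitioner would normally check a trunk configuration like the one above before applying it. The following Python script is an added example, not code from this course or from Cisco. It parses the interface commands that ASDM generates (the commands shown on this page, plus a constructed second subinterface for the Partner2 VLAN 20 whose name, security level, and address are assumed) and reports the mistakes the text warns about: a subinterface without a VLAN ID or nameif, a VLAN ID outside the usable 802.1Q range, two subinterfaces of one port sharing a VLAN ID, a parent port that is shut down, and a parent port that has been named and will therefore pass untagged frames.

```python
"""Lint an ASA trunk configuration for the subinterface mistakes described
above.  Added example, not Cisco code: it parses the interface commands that
ASDM generates (as shown on this page) and reports what the text warns about."""
import re
from collections import defaultdict

# IEEE 802.1Q reserves VID 0 and 4095; both are rejected here even though the
# ASDM dialog accepts values up to 4095.
VLAN_MIN, VLAN_MAX = 1, 4094


def parse_interfaces(config_text):
    """{interface: {vlan, nameif, security_level, shutdown}} from ASA config
    lines.  Physical ports default to shutdown, subinterfaces to enabled."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            name = m.group(1)
            current = blocks.setdefault(name, {"vlan": None, "nameif": None,
                                               "security_level": None,
                                               "shutdown": "." not in name})
        elif current is None:
            continue
        elif line == "shutdown":
            current["shutdown"] = True
        elif line == "no shutdown":
            current["shutdown"] = False
        elif line.startswith("vlan "):
            current["vlan"] = int(line.split()[1])
        elif line.startswith("nameif "):
            current["nameif"] = line.split(None, 1)[1]
        elif line.startswith("security-level "):
            current["security_level"] = int(line.split()[1])
    return blocks


def lint_trunk(config_text):
    """Sorted list of findings; an empty list means the trunk config is clean."""
    ifaces = parse_interfaces(config_text)
    findings, vlans_per_port = set(), defaultdict(list)
    for name, cfg in ifaces.items():
        if "." not in name:
            continue          # physical ports are checked through their subinterfaces
        parent = name.split(".")[0]
        if cfg["vlan"] is None:
            findings.add(f"{name}: no VLAN ID; subinterface cannot pass traffic")
        elif not VLAN_MIN <= cfg["vlan"] <= VLAN_MAX:
            findings.add(f"{name}: VLAN {cfg['vlan']} outside {VLAN_MIN}-{VLAN_MAX}")
        else:
            vlans_per_port[parent].append((cfg["vlan"], name))
        if cfg["nameif"] is None:
            findings.add(f"{name}: no nameif; traffic cannot pass until the interface is named")
        if cfg["security_level"] is None:
            findings.add(f"{name}: no security-level")
        if cfg["shutdown"]:
            findings.add(f"{name}: shut down")
        port = ifaces.get(parent)
        if port is None:
            findings.add(f"{name}: parent {parent} is not configured")
        else:
            if port["shutdown"]:
                findings.add(f"{parent}: shut down, so its subinterfaces pass no traffic")
            if port["nameif"] is not None:
                findings.add(f"{parent}: named '{port['nameif']}' while carrying "
                             "subinterfaces; it will pass untagged frames")
    for port, entries in vlans_per_port.items():
        owner = {}
        for vid, sub in sorted(entries):
            if vid in owner:
                findings.add(f"{sub}: VLAN {vid} already used by {owner[vid]} on {port}")
            owner.setdefault(vid, sub)
    return sorted(findings)


# The commands from this page plus a second subinterface for the Partner2
# VLAN 20 (its name, security level and address are assumed).
GOOD_CONFIG = """
interface GigabitEthernet0/3
 no shutdown
interface GigabitEthernet0/3.1
 vlan 10
 no shutdown
 nameif DMZ
 security-level 10
 ip address 172.16.10.1 255.255.255.0
interface GigabitEthernet0/3.2
 vlan 20
 no shutdown
 nameif partner2
 security-level 20
 ip address 172.16.20.1 255.255.255.0
"""

# Constructed bad config: named trunk port, duplicate VLAN, reserved VLAN ID,
# and an unnamed subinterface.
BAD_CONFIG = """
interface GigabitEthernet0/3
 nameif dmz-trunk
 security-level 50
 no shutdown
interface GigabitEthernet0/3.1
 vlan 10
 nameif DMZ
 security-level 10
interface GigabitEthernet0/3.2
 vlan 10
 nameif partner2
 security-level 20
interface GigabitEthernet0/3.3
 vlan 4095
 security-level 0
"""

if __name__ == "__main__":
    print(lint_trunk(GOOD_CONFIG))      # []
    for finding in lint_trunk(BAD_CONFIG):
        print(finding)
```

Run it against a saved copy of the running configuration (the output of show running-config interface) to confirm that every trunk port stays unnamed and that no two subinterfaces of the same port claim the same VLAN before the change is applied.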
The table in the figure defines the maximum number of physical and virtual interfaces that the security appliance family supports, beginning with Cisco ASA and PIX Security Appliance Software Version 8.0.

Note: Only 9 of the 13 interfaces on the ASA 5550 Security Appliance can be used at one time.

Static Routing

This topic explains the routing capabilities of Cisco security appliances.

Figure: Configuring a Static Route, showing the Cisco ASDM Static Routes panel with a default route and a static route.

Although the security appliance is not a router, it does have certain routing capabilities. You can use the Static Routes panel in Cisco ASDM to create static routes for access to networks that are not directly connected to one of the security appliance interfaces. The effect of a static route is similar to sending a packet to a router in order to reach a specific network. All traffic for which the security appliance has no route is sent to the gateway in the default route.

Although a gateway IP address usually specifies the IP address of the gateway router, which is the next-hop address, you can also specify an interface of the security appliance. When you use the IP address of a security appliance interface as the gateway IP address, the security appliance broadcasts an Address Resolution Protocol (ARP) request for the MAC address corresponding to the destination IP address in the packet instead of broadcasting the ARP request for the MAC address corresponding to the gateway IP address. The following steps show how the security appliance handles routing in this situation:

Step 1  The security appliance receives a packet from the inside interface destined for IP address x.
Step 2  Because a default route is set to itself, the security appliance sends out an ARP request for address x.
Step 3  Any Cisco router on the outside interface LAN that has a route to address x replies to the security appliance with its own MAC address as the next hop (if proxy ARP is enabled on that router).
Cisco IOS Software has proxy ARP enabled by default.

Step 4  The security appliance sends the packet to the router.
Step 5  The security appliance adds an entry to its ARP cache for IP address x with the MAC address of the router.

Because the next hop becomes whichever device on that LAN answers the ARP request for address x, specify the gateway router address explicitly whenever it is known, rather than relying on proxy ARP.

To enter a default route, set the IP address and subnet mask to 0.0.0.0 as shown in the figure, or use the shortened form of 0. In the figure, the security appliance sends all packets for which it has no route to 192.168.1.1. It sends all packets destined for the inside 10.1.1.0 network to the router at 10.0.1.102.

All static routes are stored in the configuration when it is saved. They can be displayed by using the show run route command, and you can clear most routes by using the clear configure route command. The only routes not removed with the clear configure route command are the connected routes. Connected routes are routes that the security appliance automatically creates in its routing table when you enter an IP address for a security appliance interface. A route created in this manner is a route to the network directly connected to that interface.

Static Route Tracking

Figure: Static Route Tracking, showing the corporate network behind the security appliance, a primary ISP route with the monitoring target 192.168.50.1, and a secondary ISP route. Static route tracking provides a method for tracking the availability of a static route and for making a backup route available if the primary route fails. The security appliance associates a static route with a monitoring target that you define. If the security appliance determines that the target is unavailable, it removes the route associated with the target from the routing table and uses a backup route instead.

One of the problems associated with static routes is that there is no mechanism to determine if the route is up or down.
The routes remain in the security appliance routing table even if the next hop is unavailable. Static routes on the security appliance are removed only if the interface that they are associated with goes down. The static route tracking feature provides a method for tracking the availability of a static route and for making a secondary route available if the primary route fails.

In order to achieve this redundancy, the security appliance associates a static route with a monitoring target that you define. The service level agreement (SLA) operation monitors the target with periodic Internet Control Message Protocol (ICMP) echo requests. If an echo reply is not received within a specified period of time, the object is considered down, and the associated route for that target is removed from the routing table. A previously configured backup route is used in place of the route that is removed. While the backup route is in use, the SLA monitor operation continues to try to reach the monitoring target. Once the target is available again, the first route is returned to the routing table and the backup route is removed.

The static route tracking feature allows you to configure the security appliance with more than one default route. One route would be to the primary Internet service provider (ISP), and another would be to the secondary ISP in case the primary ISP was no longer available.

When selecting a target, you must be sure that the monitoring target is always available to receive echo requests so that the tracked route is not removed unnecessarily. In addition, ensure that the state of your monitoring target (whether or not the target is reachable) is closely tied to the state of the primary ISP connection. If you choose a monitoring target that is farther away than the ISP gateway, another link along that route may fail or another device may interfere.
This configuration may cause the SLA monitoring operation to conclude that the connection to the primary ISP has failed and cause the security appliance to fail over unnecessarily to the secondary ISP link. For the same reason, a target that filters or rate-limits ICMP echo requests will appear unreachable to the monitor even when the path to it is fine.

The target can be any network object you choose, but persistent network objects, such as the following, are the best targets:

- ISP gateway address
- Next-hop gateway address
- A server on the target network, such as an authentication, authorization, and accounting (AAA) server that is needed by the security appliance

Configuring Static Route Tracking

Figure: Configuring Static Route Tracking, showing the Edit Static Route window with the Interface Name, IP Address, Mask, Gateway IP, Metric, Tracked, Track ID, Track IP Address, SLA ID, and Monitoring Options fields.

To configure tracking for a static route, first define the primary route as follows:

Step 1  Expand the Routing menu within the Device Setup panel of the navigation pane.
Step 2  Choose Static Routes. The Static Routes panel is displayed.
Step 3  If a default route is already configured, choose it from the Static Routes table and click Edit. The Edit Static Route window that is shown in the figure opens. If a default route is not configured, click Add to open the Add Static Route window. In the figure, the Edit Static Route window is shown.
Step 4  Verify that the Interface Name field displays the interface for which you want to create a primary route. In the figure, "outside" is displayed in this field.
Step 5  Verify that the IP Address field displays 0.0.0.0.
Step 6  Verify that the Mask field displays 0.0.0.0.
Step 7  Verify that the Gateway IP field displays the IP address of the gateway for the primary route.
In the figure, the gateway for the primary route is 10.2.2.1.
Step 8  Click the Tracked radio button in the Options area.
Step 9  Enter a unique identifier for the route tracking process in the Track ID field. Valid values are from 1 to 500. In the figure, the Track ID is 1.
Step 10 Enter a unique identifier for the SLA monitoring process in the SLA ID field. Valid values are from 1 to 2147483647. In the figure, the SLA ID is 123.
Step 11 In the Track IP Address field, enter the IP address or hostname of the target device. Typically, this is the IP address of the next-hop gateway for the route, but it could be any network object available from that interface. Make sure the target responds to echo requests. In this example, the target device is 192.168.50.1, a remote router.
Step 12 (Optional) To configure the monitoring properties, click the Monitoring Options button. The Route Monitoring Options window opens, enabling you to configure the following parameters of the tracked object monitoring process:

- Frequency: How often, in seconds, the security appliance should test for the presence of the tracking target. The default value is 60 seconds. Valid values are from 1 to 604,800 seconds. The value specified for the frequency cannot be less than the value specified for the timeout.
- Threshold: The amount of time, in milliseconds, that indicates an over-threshold event. This does not affect reachability but may be used to evaluate the proper settings for the timeout argument. This value cannot be more than the timeout value.
- Timeout: The amount of time, in milliseconds, that the route monitoring operation should wait for a response to request packets.
  The default value is 5000 milliseconds, which equals 5 seconds. Valid values are from 0 to 604,800,000 milliseconds. The value specified for the frequency cannot be less than the value specified for the timeout.
- Data Size: The size of the data payload to use in the echo request packets. The default value is 28. Valid values are from 0 to 16,384.
- ToS: The service type value to be used in the IP header of the echo request.

Figure: Configuring Static Route Tracking (Cont.), showing the Add Static Route window for the backup route: Interface Name "backup", IP Address 0.0.0.0, Mask 0.0.0.0, Gateway IP 172.17.10.2, and Metric 254.

Next, configure a security appliance interface as the backup interface. The backup route is a static route to the same destination as the tracked route, but through a different interface and gateway. You must assign this route a higher administrative distance (metric) than your tracked route. For example, this could be the interface through which packets travel to the secondary ISP. In the figure, GigabitEthernet0/3 is used as the backup interface. It is assigned the name "backup" (although any name could be used), a security level of 0, and an IP address of 172.17.10.2. The outside interface, GigabitEthernet0/0, will be associated with the primary route.

Step 16 From the Interface Name drop-down list, choose the interface for which you want to create the backup route. In the figure, the backup interface is chosen.
Step 17 Enter 0.0.0.0 in the IP Address field.
Step 18 Choose 0.0.0.0 from the Mask drop-down list.
Step 19 Enter the IP address of the gateway in the Gateway IP field. In the figure, 172.17.10.2 is entered.
Step 20 Enter the metric in the Metric field. In order to make this route a secondary route, configure it with a higher metric than the primary route. If the primary route (primary ISP) fails, that route is removed from the routing table, and this secondary route (secondary ISP) is installed in the routing table instead. In the figure, 254 is entered as the metric.
Step 21 Click OK.
Step 22 Click Apply in the Static Routes panel.

Commands for Static Route Tracking

Figure: Commands for Static Route Tracking. The security appliance has a default route to 10.2.2.1, the primary ISP gateway, tracked by an SLA operation that sends echo requests to 192.168.50.1 every 10 seconds. If no echo reply is received within the timeout, the primary route is removed from the routing table and the backup route through 172.17.10.2 is installed instead.

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the static route tracking configuration. The commands are as follows:

    track 1 rtr 123 reachability
    sla monitor 123
     type echo protocol ipIcmpEcho 192.168.50.1 interface outside
     num-packets 3
     frequency 10
    sla monitor schedule 123 start-time now life forever
    route backup 0.0.0.0 0.0.0.0 172.17.10.2 254
    route outside 0.0.0.0 0.0.0.0 10.2.2.1 1 track 1

The track rtr command specifies that the reachability of a target will be tracked, creates a tracking entry with object ID 1, and specifies that the SLA with the ID 123 will be used by tracking entry 1.

Every SLA operation maintains an operation return-code value, which is interpreted by the tracking process. The return code may be OK, Over Threshold, or one of several other return codes. The following table displays the reachability state of an object with respect to these return codes:

    Tracking       Return Code      Track State
    Reachability   OK               Up
    Reachability   Over Threshold   Up
    Reachability   Other            Down

The sla monitor command specifies a unique identifier of 123 and enters configuration mode for the monitoring process. The type echo command configures the SLA operation as an echo response time probe operation using an ICMP echo request for the echo operation. This command also specifies 192.168.50.1 as the IP address of the target and the outside interface as the interface used to send the echo request packets.
The num-packets command specifies that three request packets will be sent during the SLA operation, and the frequency command specifies 10 seconds between SLA probes. The sla monitor schedule command schedules the monitoring operation to start immediately and run indefinitely. The two route commands specify two default routes for the security appliance. The primary default route is associated with the outside interface, uses the default gateway 10.2.2.1, and has a metric of 1. Tracking is configured for this route. The secondary, or backup, route is associated with the backup interface, uses the default gateway 172.17.10.2, and has a metric of 254.

Monitoring Static Route Tracking

Figure: Cisco ASDM Routes panel showing the routing table before the primary ISP fails.

The figure shows the Cisco ASDM Routes panel, where the security appliance routing table is displayed. The routes labeled CONNECTED are routes whose destination networks are directly connected to a security appliance interface. Routes labeled STATIC are routes that are statically defined in the configuration. The figure shows the routing table before the primary ISP fails. The DEFAULT static route points to 10.2.2.1 through the outside interface. To view the routing table in Cisco ASDM, complete the following steps:

Step 1  Click the Monitoring button in the Cisco ASDM toolbar.
Step 2  Click Routing in the navigation pane.
Step 3  Choose Routes from the Routing menu. The Routes panel is displayed.

Figure: Cisco ASDM Routes panel showing the routing table after the primary ISP fails.

This figure shows the routing table after the primary ISP fails: the primary default route is removed, and the backup route is installed. The DEFAULT route now points to 172.17.10.2 through the backup interface.
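To make the failover behaviour above concrete, the following Python model is an added example, not Cisco code, and sends no ICMP: a caller-supplied probe function stands in for the SLA echo operation, and the routing table is a plain list of routes. The route, track, and SLA values are those from the commands above (primary default route via 10.2.2.1 on outside with track 1, SLA 123 probing 192.168.50.1 with three packets every 10 seconds, backup via 172.17.10.2 at distance 254). The frequency-versus-timeout and threshold-versus-timeout constraints from the Route Monitoring Options window are enforced in the model.

```python
"""Model of the static route tracking behaviour described above.  Added
example, not Cisco code: no ICMP is sent; a caller-supplied probe function
stands in for the SLA echo operation and the routing table is a plain list.
Addresses, IDs, distances and SLA parameters are those from the commands."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Probe = Callable[[str, int], Optional[int]]   # probe(target, timeout_ms) -> RTT ms or None


def validate_monitor_options(frequency_s, timeout_ms, threshold_ms):
    """Constraints from the Route Monitoring Options window; None when valid."""
    if frequency_s * 1000 < timeout_ms:
        return "frequency cannot be less than the timeout"
    if threshold_ms > timeout_ms:
        return "threshold cannot be more than the timeout"
    return None


@dataclass
class StaticRoute:
    interface: str
    gateway: str
    distance: int                    # administrative distance ("Metric" in ASDM)
    track_id: Optional[int] = None   # withdrawn while this track is down


@dataclass
class SlaMonitor:
    sla_id: int
    target: str
    frequency_s: int = 60            # ASDM defaults: 60 s, 5000 ms, 5000 ms
    timeout_ms: int = 5000
    threshold_ms: int = 5000
    num_packets: int = 1

    def __post_init__(self):
        problem = validate_monitor_options(self.frequency_s, self.timeout_ms, self.threshold_ms)
        if problem:
            raise ValueError(problem)

    def target_reachable(self, probe: Probe) -> bool:
        """One SLA cycle: up if any of num_packets echo requests is answered
        within the timeout."""
        for _ in range(self.num_packets):
            rtt = probe(self.target, self.timeout_ms)
            if rtt is not None and rtt <= self.timeout_ms:
                return True
        return False


class TrackedRouting:
    """Static routes to one destination (0.0.0.0/0 here), SLA monitors, and the
    track-to-SLA bindings created by 'track <id> rtr <sla> reachability'."""

    def __init__(self, routes: List[StaticRoute], monitors: Dict[int, SlaMonitor],
                 tracks: Dict[int, int]):
        self.routes, self.monitors, self.tracks = routes, monitors, tracks
        self.track_up = {t: True for t in tracks}    # assumed up until first probe

    def run_cycle(self, probe: Probe) -> Optional[StaticRoute]:
        for track_id, sla_id in self.tracks.items():
            self.track_up[track_id] = self.monitors[sla_id].target_reachable(probe)
        return self.installed_route()

    def installed_route(self) -> Optional[StaticRoute]:
        """Withdraw routes whose tracked object is down, then install the
        lowest administrative distance among the rest."""
        live = [r for r in self.routes if r.track_id is None or self.track_up[r.track_id]]
        return min(live, key=lambda r: r.distance) if live else None


def build_company_xyz() -> TrackedRouting:
    """route outside 0.0.0.0 0.0.0.0 10.2.2.1 1 track 1, route backup ... 254,
    sla monitor 123 probing 192.168.50.1 with three packets every 10 s."""
    primary = StaticRoute("outside", "10.2.2.1", 1, track_id=1)
    backup = StaticRoute("backup", "172.17.10.2", 254)
    sla = SlaMonitor(123, "192.168.50.1", frequency_s=10, num_packets=3)
    return TrackedRouting([primary, backup], {123: sla}, {1: 123})


def simulate(answering_per_cycle: List[set]) -> List[str]:
    """Constructed scenario: each element is the set of targets that answer
    echo requests in that cycle.  Returns the installed default gateway per cycle."""
    rt = build_company_xyz()
    installed = []
    for answering in answering_per_cycle:
        def probe(target, timeout_ms, answering=answering):
            return 20 if target in answering else None   # 20 ms reply or nothing
        installed.append(rt.run_cycle(probe).gateway)
    return installed


if __name__ == "__main__":
    # target up; target stops answering (backup installed); target back (primary returns)
    print(simulate([{"192.168.50.1"}, set(), {"192.168.50.1"}]))
```

Because the probe is called with the target address, the same model shows the far-target caveat from the previous topic: if 192.168.50.1 sits several hops past the ISP gateway and a link beyond that gateway fails, the probe returns None and the model withdraws the primary route even though the ISP link itself is still up.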
Configuring Static Route Tracking for Default Routes Obtained Through DHCP

Figure: Edit Interface window, General tab, showing the Obtain Default Route Using DHCP option with the Route Metric, Enable Tracking, Track ID, Track IP Address, SLA ID, and Monitoring Options fields.

You can configure static route tracking for default routes obtained through DHCP or PPPoE as well as for statically defined routes. PPPoE is commonly used with DSL broadband connections. PPPoE configuration is not covered in this course. Static route tracking for default routes obtained through DHCP is configured in the same way as for statically defined routes.

Dynamic Routing

This topic describes the dynamic routing capabilities of Cisco security appliances and explains how to configure the security appliance to use the Routing Information Protocol (RIP).

Figure: Dynamic Routing. The adaptive security appliance supports the following routing protocols: RIP, OSPF, and EIGRP.

Static routing is the simplest form of routing and the most beneficial routing implementation in some scenarios. Static routes are manually entered into the security appliance, and they force the security appliance to use a particular interface or next-hop IP address for forwarding packets to a given destination. Static routing is advantageous in the following situations:

- When you have a small network with fewer than five routers and you do not expect the network to grow
- When you have a medium-sized network using a hub-and-spoke topology
- When you need to create a route from one router to another device quickly

However, static routes require manual reconfiguration if the network topology changes.
With dynamic routing protocols, routes do not have to be manually reconfigured in the event of a topology change. Dynamic routing protocols enable the security appliance to automatically collect and share routing information. These protocols track the state of connectivity in the network to provide routing information that is as current and valid as possible. The price for the convenience of routing protocols is that configuring and troubleshooting them can be complex. Operation of dynamic routing protocols also can be resource-intensive, requiring large amounts of memory and processing resources.

The adaptive security appliance fully supports the Routing Information Protocol version 1 (RIPv1) and RIP version 2 (RIPv2), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP) routing protocols. All of these routing protocols are interior gateway protocols (IGPs). An IGP operates within an autonomous system, which is a group of networks under the same administrative authority and control. Exterior gateway protocols (EGPs) provide routing between autonomous systems.

RIPv1 does not send the subnet mask with the routing update. RIPv2 sends the subnet mask with the routing update and supports variable-length subnet masks. Additionally, RIPv2 supports neighbor authentication when routing updates are exchanged. This authentication ensures that the security appliance accepts routing information only from a trusted source; without it, any host on a network where RIP is enabled can inject routes into the security appliance routing table. To learn more about the configuration and deployment of routing protocols, see http://www.cisco.com/go/asa.

The security appliance routing table can be populated by statically defined routes, directly connected routes, and routes discovered by RIP, EIGRP, and OSPF.
Because the security appliance can run multiple routing protocols in addition to having static and connected routes in the routing table, it is possible that the same route is discovered in more than one manner. When two routes to the same destination are available, the one that gets into the routing table is determined as follows:

- If the destination addresses in two routes are the same but have different network prefix lengths (network masks), both routes are considered unique and are entered into the routing table. The packet forwarding logic then determines which of the two to use. In the figure, both RIP and OSPF advertise a route to 172.18.32.0. Because the destination address in the RIP route has a network mask of /24, and the destination address in the OSPF route has a network mask of /19, the security appliance considers the routes to be unique and enters both in its routing table. This occurs although OSPF routes have the better administrative distance. Administrative distance is a route parameter used to compare routes and select the best path when there are two or more different routes to the same destination from different routing protocols. The smaller the administrative distance value, the more preference is given to the protocol. The default administrative distance for routes discovered by RIP is 120, and the default administrative distance for routes discovered by OSPF is 110.
- If the security appliance learns about multiple paths to the same destination from a single routing protocol, such as RIP, the route with the better metric (as determined by the routing protocol) is entered into the routing table. Metrics are values associated with specific routes, ranking them from most preferred to least preferred. The parameters used to determine the metrics differ for different routing protocols. The path with the lowest metric is selected as the optimal path and installed in the routing table.
  If there are multiple paths to the same destination with equal metrics, load balancing is done over these equal-cost paths. In the figure, RIP advertises two routes to 192.168.30.0. The network mask for the destination address is /24 for both routes. Therefore, the metric is used to select a route for the routing table, and the route with a metric of 3 is chosen instead of the route with a metric of 14.
- If the security appliance learns about a destination from more than one routing protocol, the administrative distances of the routes are compared and the route with the lower administrative distance is entered into the routing table. In the figure, RIP and OSPF advertise routes to 172.20.21.0/24. The OSPF route is chosen for the routing table because its administrative distance is 110, which is lower than that of the RIP route.

The default administrative distance for a static route is 1, giving it precedence over a route discovered by a dynamic routing protocol. However, if you create a static route and give it an administrative distance greater than the administrative distance of the routing protocol running on the security appliance, a route to the specified destination discovered by the routing protocol takes precedence over the static route. Connected routes always take precedence over static or dynamically discovered routes.

How Forwarding Decisions Are Made

Figure: How Forwarding Decisions Are Made, showing Routers A through E around the security appliance and routing table entries including:

    172.18.32.0 255.255.224.0 [110/5] via 10.0.1.102, inside
    172.20.21.0 255.255.255.0 [110/15] via 10.0.1.102, inside

Forwarding decisions are made as follows:

- If the destination address in a packet does not match an entry in the routing table, the packet is forwarded through the interface specified for the default route. If a default route has not been configured, the packet is discarded.
  In the figure, a default route is configured with the gateway address 192.168.1.1 (Router A). The packet destined for 172.7.7.12 is sent to the default gateway because 172.7.7.12 does not match an entry in the routing table.
- If the destination address matches a single entry in the routing table, the packet is forwarded through the interface associated with that route.
- If the destination address matches more than one entry in the routing table and the entries all have the same network prefix length (network mask), the packets for that destination are distributed among the interfaces associated with those routes. In the figure, some packets destined for 192.168.30.7 are forwarded to Router D, while others are forwarded to Router E. The security appliance makes this forwarding decision because 192.168.30.7 matches two different routes with identical network prefix lengths.
- If the destination address matches more than one entry in the routing table and the entries have different network prefix lengths, the packet is forwarded out of the interface associated with the route that has the longer network prefix length. In the figure, packets destined for 172.18.32.9 are sent to Router D rather than to Router C.
  The security appliance makes this forwarding decision because the destination address (172.18.32.0/24) in the route with the gateway 192.168.1.3 has a longer network prefix than the destination address (172.18.32.0/19) in the other route with the gateway 10.0.1.102.

RIPv2

Figure: RIPv2. RIP is a distance-vector routing protocol that uses hop count as the metric for path selection; updates are sent only to neighbors; only one RIP routing process is allowed on the security appliance; updates are not passed between security appliance interfaces. The Neighbor B router sends RIPv2 update messages to Neighbor A and Neighbor C at regular intervals and when the network topology changes. The updates contain information about the networks that the devices can reach, as well as the number of routers or gateways that a packet must travel through to reach a given destination.

There are two basic types of routing protocols: distance vector routing protocols and link-state routing protocols. With distance vector routing protocols, each router sends all or some portion of its routing table to its neighbors. A neighbor is a directly connected router. With link-state routing protocols, routers flood routing information to all nodes in the internetwork. Each router, however, sends only the portion of the routing table that describes the state of its own links. In essence, link-state routing protocols send small updates everywhere, while distance vector routing protocols send larger updates only to neighboring routers. The focus of this course is on distance vector routing protocols, primarily RIP. The Securing Networks with ASA Advanced (SNAA) course explains the other routing protocols (OSPF and EIGRP).

RIP is a distance-vector routing protocol that uses hop count as the metric for path selection. Devices that support RIP send routing update messages at regular intervals and when the network topology changes.
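Before going further into RIP, here are the route-selection and forwarding rules from the preceding topic applied in code. This is an added Python example, not Cisco code. The candidate routes are constructed from the figures: the OSPF entries for 172.18.32.0/19 and 172.20.21.0/24 via 10.0.1.102, the RIP /24 route to 172.18.32.0 via 192.168.1.3, the default route to 192.168.1.1 (Router A), and RIP routes to 192.168.30.0/24 with metrics 3 and 14. The RIP metrics for the other RIP routes, the second equal-cost gateway 192.168.1.4 standing in for Router E, and the connected networks 10.0.1.0/24 and 192.168.1.0/24 are assumptions. install() applies the prefix-length, administrative-distance, and metric rules; forward() applies longest-prefix matching and returns every equal-cost gateway.

```python
"""Route installation and forwarding as described above.  Added example, not
Cisco code: candidate routes are built from the figures, with assumed RIP
metrics and an assumed second next hop (192.168.1.4) for the equal-cost case."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

DEFAULT_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str          # e.g. "172.18.32.0/19"
    gateway: str         # next hop, or "connected"
    interface: str
    protocol: str        # key into DEFAULT_DISTANCE
    metric: int = 0
    distance: Optional[int] = None   # None -> protocol default

    def admin_distance(self) -> int:
        return DEFAULT_DISTANCE[self.protocol] if self.distance is None else self.distance

    def network(self) -> IPv4Network:
        return ip_network(self.prefix)


def install(candidates: List[Route]) -> Dict[IPv4Network, List[Route]]:
    """Build the routing table.  The same address with different prefix
    lengths gives distinct entries; for one prefix the lowest administrative
    distance wins, then the lowest metric; routes tied on both are all kept so
    the forwarding logic can distribute traffic over equal-cost paths."""
    by_prefix: Dict[IPv4Network, List[Route]] = defaultdict(list)
    for route in candidates:
        by_prefix[route.network()].append(route)
    table = {}
    for net, routes in by_prefix.items():
        best_ad = min(r.admin_distance() for r in routes)
        same_ad = [r for r in routes if r.admin_distance() == best_ad]
        best_metric = min(r.metric for r in same_ad)
        table[net] = [r for r in same_ad if r.metric == best_metric]
    return table


def forward(table: Dict[IPv4Network, List[Route]], destination: str) -> List[str]:
    """Longest-prefix match.  Returns the gateway list (several entries when
    packets are distributed over equal-cost routes); [] means discard, which
    only happens when no default route (0.0.0.0/0) is installed."""
    dst = ip_address(destination)
    matches = [net for net in table if dst in net]
    if not matches:
        return []
    longest = max(matches, key=lambda n: n.prefixlen)
    return [r.gateway for r in table[longest]]


# Constructed from the figures on this page; assumptions are noted inline.
CANDIDATES = [
    Route("10.0.1.0/24", "connected", "inside", "connected"),          # assumed
    Route("192.168.1.0/24", "connected", "outside", "connected"),      # assumed
    Route("0.0.0.0/0", "192.168.1.1", "outside", "static"),            # Router A
    Route("172.18.32.0/24", "192.168.1.3", "outside", "rip", 2),       # Router D, metric assumed
    Route("172.18.32.0/19", "10.0.1.102", "inside", "ospf", 5),        # [110/5] in the figure
    Route("172.20.21.0/24", "10.0.1.102", "inside", "ospf", 15),       # [110/15] in the figure
    Route("172.20.21.0/24", "192.168.1.3", "outside", "rip", 4),       # metric assumed
    Route("192.168.30.0/24", "192.168.1.3", "outside", "rip", 3),      # Router D
    Route("192.168.30.0/24", "192.168.1.4", "outside", "rip", 3),      # Router E, gateway assumed
    Route("192.168.30.0/24", "10.0.1.102", "inside", "rip", 14),       # loses on metric
]

TABLE = install(CANDIDATES)

if __name__ == "__main__":
    for dst in ("172.7.7.12", "172.18.32.9", "172.18.40.1", "172.20.21.5", "192.168.30.7"):
        print(dst, "->", forward(TABLE, dst))
```

Adding a static route to 172.20.21.0/24 with an administrative distance of 130 to the candidates leaves the OSPF route installed, while the same static route at the default distance of 1 displaces it, which is the floating-static behaviour the text describes.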
These RIP messages contain information about the networks that the devices can reach, as well as the number of routers or gateways that a packet must travel through to reach a given destination address. RIP generates more traffic than some link-state routing protocols such as OSPF, but is easier to configure. When RIP is enabled on a security appliance interface, the interface exchanges RIP broadcasts with neighboring devices to dynamically learn about and advertise routes. By default, the security appliance sends RIPv1 updates and accepts RIPv1 and RIPv2 updates.

RIP determines the best path by looking only at the number of hops between two end nodes. This technique ignores differences in line speed, line utilization, and all other metrics, many of which can be important factors in choosing the best path between two nodes. For this reason, many companies with large internetworks are migrating away from RIP to more sophisticated routing protocols. RIP works well in small environments but has serious limitations when used in larger internetworks. For example, RIP limits the number of router hops between any two hosts in an internetwork to 16. RIP is also slow to converge, meaning that it takes a relatively long time for network changes to become known to all routers. Routing protocols need to converge rapidly.

Convergence is the process of agreement, by all routers, on optimal routes. When a network event causes routes to either go down or become available, routers distribute routing update messages that permeate networks, stimulating recalculation of optimal routes and eventually causing all routers to agree on these routes.
Routing protocols that converge slowly can cause network outages or a network problem known as routing loops, in which packets continue to be routed in an endless circle. Routing loops can adversely impact your network; in some cases, they can completely cripple it.

Note: Because they converge more quickly, link-state routing protocols are somewhat less prone to routing loops than distance vector routing protocols. On the other hand, link-state routing protocols require more CPU power and memory than distance vector routing protocols. Link-state routing protocols, therefore, can be more expensive to implement and support. Link-state routing protocols are generally more scalable than distance vector routing protocols.

RIP has the following limitations:

- The security appliance cannot pass RIP updates between interfaces.
- RIPv1 does not support variable-length subnet masks.
- RIP has a maximum hop count of 15. A route with a hop count greater than 15 is considered unreachable.
- RIP convergence is relatively slow compared to other routing protocols.
- You can only enable one RIP routing process on the security appliance.

Complete the following steps to configure RIP on the security appliance:

Step 1 Click Configuration in the Cisco ASDM toolbar.
Step 2 Choose Device Setup from the navigation pane.
Step 3 Expand the Routing menu.
Step 4 Choose RIP from the Routing menu.
Step 5 Choose Setup from the RIP menu. The Setup panel shown in the figure is displayed. You can use the Setup panel to enable RIP on the security appliance and to configure global RIP protocol parameters.
Step 6 Check the Enable RIP Routing check box to enable RIP routing on the security appliance. When you enable RIP, it is enabled on all interfaces. Checking this check box also enables the other fields in this panel.
In the figure, the Enable RIP Routing check box is checked.
Step 7 (Optional) Uncheck the Enable Auto-Summarization check box if you want to disable automatic route summarization. RIPv1 always uses automatic summarization across major network boundaries. You cannot disable automatic summarization for RIPv1. If you are using RIPv2, you can turn off automatic summarization by clearing this check box. Disable automatic summarization if you must perform routing between disconnected subnets. When automatic summarization is disabled, subnets are advertised. In the figure, the default setting is accepted: the Enable Auto-Summarization check box remains checked.
Step 8 (Optional) Check the Enable RIP Version check box and then click the Version 1 or Version 2 radio button to specify the version of RIP used by the security appliance. If you choose Version 1, the security appliance sends and receives only RIPv1 updates, and any version 2 updates are dropped. If you choose Version 2, the security appliance sends and receives only RIPv2 updates, and any version 1 updates are dropped. If you clear the Enable RIP Version check box, the security appliance sends RIPv1 updates and accepts RIPv1 and RIPv2 updates. This setting can be overridden on a per-interface basis in the Interface pane. In the figure, Version 2 is chosen.

Note: When RIPv2 is configured on an interface, the multicast address 224.0.0.9 is registered on that interface. When an RIPv2 configuration is removed from an interface, that multicast address is unregistered.
RIPv2 uses the 224.0.0.9 multicast address for routing updates instead of broadcasting the routing updates.

Step 9 (Optional) Check the Enable Default Information Originate check box to generate a default route into the RIP routing process. With this feature enabled, the security appliance sends a default route to neighboring routers through all interfaces on which active RIP is enabled. With active RIP, the security appliance transmits and receives RIP routing updates. By default, an interface is enabled for active RIP when RIP is enabled on it. In the figure, the Enable Default Information Originate check box is checked.
Step 10 (Optional) Enter the name of the route map to apply in the Route Map field. The routing process generates the default route if the route map is satisfied. Route maps are explained in the Securing Networks with ASA Advanced (SNAA) course.
Step 11 Enter a network IP address in the IP Network to Add field, and then click the Add button to define a network for the RIP routing process. The network address specified must be a classful address. There is no limit to the number of networks that you can add. RIP routing updates will be sent and received only through interfaces on the specified networks. In the figure, the 192.168.1.0 and 10.0.1.0 networks are designated to participate in RIP routing.
Step 12 (Optional) Check the Passive Interfaces check box to set all interfaces on the security appliance to passive RIP mode. In passive RIP mode, the security appliance listens for RIP routing updates on all interfaces and uses that information to populate its routing table, but it does not send out routing updates.
Step 13 (Optional) In the Passive Interfaces table, click the check box for the interfaces that you want to operate in passive mode. The other interfaces will still send and receive RIP updates.
The Passive Interfaces table lists the configured interfaces on the security appliance. In the figure, the outside interface is configured for passive RIP only.
Step 14 If you want to configure other optional parameters, choose one of the other options from the RIP menu in the navigation pane. Otherwise, click Apply.

The Interface panel under Routing > RIP enables you to configure optional RIP settings on a per-interface basis. Each row of the table in this panel displays the interface-specific RIP settings for an interface. To edit the settings, you can either double-click the row for an interface or select the interface and click Edit. Either method opens the Edit RIP Interface Entry window for the selected interface. The Edit RIP Interface Entry window enables you to configure interface-specific RIP settings, including the following:

- Send Version: Check the Override Global Send Version check box to choose one of the following radio buttons to specify the RIP version sent by the interface:
  - Version 1
  - Version 2
  - Versions 1 and 2
- Receive Version: Click the Override Global Receive Version check box to specify the RIP version accepted by the interface. If an RIP update from an unsupported version of RIP is received by the interface, it is dropped. You can select one of the following options:
  - Version 1
  - Version 2
  - Versions 1 and 2
- Authentication: Clicking the Enable Authentication Key check box enables you to configure RIP authentication for the interface. The security appliance supports RIP message authentication for RIPv2 messages. In the figure, the Enable Authentication Key check box is checked. To enable authentication, you must also supply appropriate information in the following fields:
  - Key: Enter a key up to 16 characters in length. The authentication key must be the same on all neighbor devices that provide RIPv2 updates to the interface. In the figure, the string MYKEY is entered.
  - Key ID: Enter a key ID from 0 to 255. The authentication key ID must be the same on all neighbor devices that provide RIPv2 updates to the interface. In the figure, key ID 14 is entered.

You can also specify the authentication mode by clicking one of the following radio buttons:

- MD5: Click this radio button to use the Message Digest 5 (MD5) algorithm for RIP message authentication. This is the recommended mode. In the figure, MD5 authentication mode is chosen.
- Clear Text: Click this radio button to use clear text for RIP message authentication.

Commands for Configuring RIPv2

    router rip
     version 2
     default-information originate
     network 10.0.0.0
     network 192.168.1.0
     passive-interface outside
    interface GigabitEthernet0/0
     rip authentication key MYKEY key_id 14
     rip authentication mode md5

The figure shows the commands that Cisco ASDM sends to the security appliance as a result of the RIP configuration. The router rip command starts an RIP routing process on the security appliance and enters configuration mode for that process. Within the RIP configuration mode, the version command specifies that RIPv2 will be used globally. The default-information originate command configures the security appliance to send a default route to neighboring routers through any security appliance interface that is configured to transmit RIP updates. In this example, RIP updates are sent only from the inside interface. This is because RIP is enabled only on the outside interface attached to network 192.168.1.0 and the inside interface attached to network 10.0.1.0, and the passive-interface command disables the transmission of RIP routing updates on the outside interface.
The figure shows that the security appliance is learning routes from routers on its inside and outside interfaces, but sending routing updates, including a default route, only on its inside interface.

Note: When you enter the IP address of a directly connected subnetwork in the network command, the adaptive security appliance automatically converts the IP address to the classful network address.

The rip authentication mode command configures MD5 authentication on the outside interface (GigabitEthernet0/0), and the rip authentication key command specifies the authentication key MYKEY and its key ID value 14. In summary, the security appliance in this example receives but does not transmit RIPv2 updates on its outside interface. The outside interface does not accept routes that are not authenticated. The security appliance accepts unauthenticated RIPv2 updates on its inside interface. It also sends RIPv2 updates, including a default route, to neighboring routers via the inside interface.

Several commands are available for examining various RIP statistics. For example, you can use the show rip database command to display the contents of the RIP routing database. The RIP database contains all of the routes learned through RIP. Routes that appear in this database may not necessarily appear in the routing table. The show running-config router rip command displays the RIP commands in the running configuration. You can also use the debug rip command, which displays debug information for RIP, for troubleshooting. Keep in mind that debugging output is assigned high priority in the CPU process and can render the system unusable. It is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system performance.
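To see what the per-interface authentication settings above change on the wire, here is an added Python example (not Cisco's code) that parses an RIPv2 message as laid out in RFC 2453 and RFC 2082 and reports whether an update is unauthenticated, carries a clear-text password, or is MD5-keyed with a given key ID. The sample messages are constructed, and the MD5 digest itself is not computed.

```python
import ipaddress
import struct
from typing import Dict

AFI_AUTH = 0xFFFF                         # address family 0xFFFF marks an authentication entry
AUTH_NAMES = {2: "clear-text", 3: "md5"}  # RFC 2453 type 2, RFC 2082 type 3


def parse_ripv2(pkt: bytes) -> Dict:
    """Return the RIP command and version, how the message is authenticated,
    the MD5 key ID when present, and the advertised (network, mask, metric)."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("not a well-formed RIP message")
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    out = {"command": command, "version": version, "auth": "none",
           "key_id": None, "routes": []}
    for off in range(4, len(pkt), 20):
        entry = pkt[off:off + 20]
        afi, tag = struct.unpack("!HH", entry[:4])
        if afi == AFI_AUTH:
            if off == 4:                  # the authentication entry is always the first entry
                out["auth"] = AUTH_NAMES.get(tag, "unknown")
                if tag == 3:              # packet length, key ID, auth data length, sequence
                    out["key_id"] = struct.unpack("!HBBI", entry[4:12])[1]
                elif tag == 2:            # password travels as is, NUL padded to 16 bytes
                    out["password"] = entry[4:].rstrip(b"\0").decode("ascii", "replace")
            continue                      # a later 0xFFFF entry is the MD5 digest trailer
        ip, mask, _next_hop, metric = struct.unpack("!4s4s4sI", entry[4:])
        out["routes"].append((str(ipaddress.IPv4Address(ip)),
                              str(ipaddress.IPv4Address(mask)), metric))
    return out


def _route(net: str, mask: str, metric: int) -> bytes:
    """Build one 20-byte RIPv2 route entry (AFI 2 = IP, route tag 0, next hop 0.0.0.0)."""
    packed = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack("!HH4s4s4sI", 2, 0, packed(net), packed(mask), packed("0.0.0.0"), metric)


HDR = struct.pack("!BBH", 2, 2, 0)        # command 2 = response, version 2, unused field
ROUTE = _route("10.0.1.0", "255.255.255.0", 1)
# Constructed sample updates, all advertising 10.0.1.0/24 at one hop.
UNAUTH_MSG = HDR + ROUTE
CLEAR_MSG = HDR + struct.pack("!HH16s", AFI_AUTH, 2, b"MYKEY") + ROUTE
MD5_MSG = (HDR + struct.pack("!HHHBBI8s", AFI_AUTH, 3, 44, 14, 20, 1, b"\0" * 8)
           + ROUTE + struct.pack("!HH16s", AFI_AUTH, 1, b"\0" * 16))  # digest not computed
```

Running parse_ripv2 over captured UDP/520 payloads shows which neighbors still send unauthenticated or clear-text updates, which is the condition the outside interface's MD5 setting above is meant to reject.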
Summary

This topic summarizes the key points that were discussed in this lesson.

- Cisco PIX 500 Series Security Appliances (except PIX 501 Security Appliances) and Cisco ASA 5500 Series Adaptive Security Appliances support IEEE 802.1Q VLANs.
- You can add static routes to a security appliance to enable access to remote networks and track the availability of those routes.
- Security appliances can be configured to support the dynamic routing protocols RIPv1, RIPv2, and OSPF.
