
REPORT OF SUMMER TRAINING

CCNP SECURITY-ASA FIREWALL



Prepared by: Hussein El-Hajj
Presented for: Dr. Jamal Haydar

Islamic University Of Lebanon
Faculty of Engineering CCE
Fourth Year
October 9, 2013
Report of summer training CCNP SECURITY-ASA Firewall

ACKNOWLEDGMENTS
I would like to thank my university and especially our supervisor, Dr. Jamal Haydar, for giving
me the opportunity to work in such a great company.
I would like to thank the staff of TerraNet for helping me improve my skills in networking.
I would like to offer my special thanks to Mr. Hussein Majed (Cisco ASA Specialist) for helping
me and giving me the information needed in this field.

















Table of contents:

I. Introduction
II. Firewall
II.1. Definition
II.2. Firewall techniques
II.3. Firewall Features
III. ASA Firewall
III.1. ASA Features
III.2. ASA Models
IV. Virtual work environment and default inspection
IV.1. Virtual work environment
IV.1.1. GNS 3
IV.1.2. Virtual Box
IV.2. Default inspection
IV.2.1. Scenario 1
V. Access rules and NAT rules
V.1. Access rules
V.1.1. Scenario 2
V.2. Network Address Translation (NAT)
V.2.1. Difference between NAT and PAT
V.2.2. Scenario 3
VI. Conclusion
VII. References








I. Introduction

Founded in 1999, TerraNet launched a comprehensive range of leading Internet connectivity
services and Web solutions. TerraNet designs, develops, and customizes a complete line of
industry-leading, high-performance Internet services and solutions.
TerraNet offers hosting and Web development services, customized Web solutions, wireless data,
and other Internet technologies and applications that are redefining the country's communications
around the power and potential of the Internet.

My training was based on the CCNP Security course. We worked on the ASA firewall and
learned its configuration and some of its features.

In the first chapter we prepared the virtual environment to test and work on the ASA firewall using
GNS3 and Oracle VirtualBox.

In the second chapter we will define the firewall, its functions and features.

In the third chapter we will show the features and the types of an ASA firewall and we will
configure the default inspection on the firewall's interfaces.

In the fifth chapter we will define and configure access lists and the NAT and PAT rules on the
interfaces.






















II. Firewall

II.1. Definition
A firewall is a software or hardware-based network security system that controls the incoming and
outgoing network traffic by analyzing the data packets and determining whether they should be
allowed through or not, based on a rule set. A firewall establishes a barrier between a trusted, secure
internal network and another network (e.g., the Internet) that is not assumed to be secure and
trusted.
Basically, a firewall, working closely with a router program, examines each network packet to
determine whether to forward it toward its destination. A firewall also includes or works with a
proxy server that makes network requests on behalf of workstation users. A firewall is often
installed in a specially designated computer separate from the rest of the network so that no
incoming request can get directly at private network resources.
There are a number of firewall screening methods. A simple one is to screen requests to make sure
they come from acceptable (previously identified) domain names and Internet Protocol addresses.
For mobile users, firewalls allow remote access into the private network by the use of secure logon
procedures and authentication certificates.
As a simple example, a small company decides to protect itself from the public Internet.
The security domain forms where the company's network meets the Internet, and everything inside
the company network resides within a secure boundary.

Figure 1: A Simple Security Domain
The most common and effective way to implement a security domain is to place a firewall at the
boundary between the trusted and untrusted parts of a network. By definition, a firewall is a device
that enforces an access control policy between two or more security domains. Firewalls have
interfaces that connect into the network. In order for a firewall to do its job, all traffic that crosses
a security domain boundary must pass through the firewall.
In effect, a firewall becomes the only pathway or chokepoint to get in or out of the security
domain.

For the simple network shown in the figure above, a firewall would sit on the trust boundary and
become the only path between Company A's internal trusted network and the untrusted public
Internet.

The firewall must be the only path into and out of the secured network. No other paths around the
firewall or backdoors into the network behind the firewall can exist.
The firewall can enforce security policies on only the traffic that passes through it, not around or
behind it.

The firewall itself must be hardened or made resistant to attack or compromise. Otherwise,
malicious users on the untrusted side might take control of the firewall and alter its security policies.

Now consider a different scenario. Company A is surrounded by a security domain at the
Internet boundary. It wants to allow its internal, trusted users to connect to resources out on the
public Internet through the Internet firewall. Company A also has some web servers that it wants
to have face the public so that untrusted Internet users can interact with the business.

If the web servers are located somewhere inside the security domain, then untrusted users would
be granted access into the trusted environment. That isn't necessarily bad, except that malicious
users might be able to attack or compromise one of the web servers. Because the web server is
already a trusted resource, the malicious users might then use that server to attack other trusted
resources.
A better solution is to put the web servers into a security domain of their own, somewhere between
the trusted internal network and the untrusted Internet. This is commonly called a demilitarized
zone (DMZ).



Figure 2: Using a Single Firewall to Form Multiple Security Domains



II.2. Firewall techniques

A firewall can take one of the following approaches to its access control:

- Permissive access control: All traffic is allowed to pass through unless it is explicitly
  blocked.
- Restrictive access control: No traffic is allowed to pass through unless it is explicitly
  allowed.

II.3. Firewall Features

A firewall can use its access control approach to evaluate and filter traffic based on the methods
and techniques described in the following sections:

Stateless Packet Filtering:
Some firewalls examine traffic based solely on values found in a packet's header at the network or
transport layer. Decisions to forward or block a packet are made on each packet independently.
Therefore, the firewall has no concept of a connection state; it knows only whether each packet
conforms to the security policies.

Stateful Packet Filtering:
Stateful packet filtering (SPF) requires that a firewall keep track of individual connections or
sessions as packets are encountered. The firewall must maintain a state table for each active
connection that is permitted, to verify that the pair of hosts is following an expected behavior as
they communicate.

Stateful Packet Filtering with Application Inspection and Control:
To move beyond stateful packet filtering, firewalls must add additional analysis at the application
layer. Inspection engines in the firewall reassemble UDP and TCP sessions and look inside the
application layer protocols that are passing through. Application inspection and control (AIC)
filtering, also known as deep packet inspection (DPI), can be performed based on the application
protocol header and its contents, allowing greater visibility into a user's activity.

Network Intrusion Prevention System:
A network intrusion prevention system (NIPS) examines and analyzes network traffic and compares
it to a database of known malicious activity. The database contains a large number of signatures or
patterns that describe specific known attacks or exploits. As new attacks are discovered, new
signatures are added to the database.
In some cases, NIPS devices can detect malicious activity from single packets or atomic attacks. In
other cases, groups or streams of packets must be collected, reassembled, and examined. A NIPS
can also detect malicious activity based on packet and session rates, such as a denial-of-service
TCP SYN flood, that differ significantly from normal activity on the network.





Network Behavior Analysis:
Network behavior analysis (NBA) systems examine network traffic over time to build statistical
models of normal, baseline activity. This isn't a simple bandwidth or utilization average; rather,
the models consider things like traffic volume, traffic rates, connection rates, and types of
application protocols that are normally used. An NBA system continually examines traffic and
refines its models automatically, although human intervention is needed to tune the results.

Application Layer Gateway (Proxy):
An application layer gateway (ALG) or proxy is a device that acts as a gateway or intermediary
between clients and servers. A client must send its application layer requests to the proxy, in place
of any destination servers. The proxy masquerades as the client and relays the client's requests on
to the actual servers. Once the servers answer the requests, the proxy evaluates the content and
decides what to do with them.
Because a proxy operates on application requests, it can filter traffic based on the IP addresses
involved, the type of application request, and the content of any data that is returned from the server.








































III. ASA Firewall

III.1. ASA Features

The ASA has many features that go beyond the basic firewall techniques, giving it
great versatility. A summary of the ASA features is presented in the following sections.

Stateful packet filtering engine: The SPF engine tracks connections and their states, performing
TCP normalization and conformity checks, as well as dynamic session negotiation.

Application inspection and control: The AIC function analyzes application layer protocols to
track their state and to make sure they conform to protocol standards.

User-based access control: The ASA can perform inline user authentication followed by
Cut-through Proxy, which controls the access that specific users are allowed to have. Once a user is
authenticated, Cut-through Proxy also accelerates inspection of a user's traffic flows.

Cryptographic Unified Communications (UC) proxy: When Cisco Unified Communications
traffic must pass through an ASA, the ASA can be configured as an authorized UC proxy. The
ASA can then terminate and relay cryptographically protected UC sessions between clients and
servers.

Denial-of-service prevention: An ASA can leverage traffic-control features like protocol
normalization, traffic policing, and connection rate controls to minimize the effects of
denial-of-service (DoS) attacks.

Site-to-site VPNs: An ASA can support IPsec VPN connections between sites or enterprises.
Site-to-site or LAN-to-LAN VPN connections are usually built between firewalls or routers at each
location.

Powerful Network Address Translation (NAT): As an ASA inspects and forwards packets, it
can apply a rich set of NAT functions to alter source and destination addresses.


The ASA also has many other features.













III.2. ASA Models

The Cisco ASA family consists of seven different models:

ASA 5505
The ASA 5505 is the smallest model in the ASA lineup, in both physical size and performance.
It is designed for small offices and home offices (SOHO). For a larger enterprise, the
ASA 5505 is frequently used to support teleworkers in remote locations.


Figure 3: ASA 5505

ASA 5510, 5520, and 5540
The ASA 5510, 5520, and 5540 models all use a common chassis and have identical front panel
indicators and hardware connections.


Figure 4: ASA 5520










ASA 5550
The ASA 5550 is designed to support large enterprises and service provider networks.


Figure 5: ASA 5550

ASA 5580
The ASA 5580 is a high-performing model in the family and is designed for large enterprises, data
centers, and large service providers.


Figure 6: ASA 5580










ASA 5585-X
The ASA 5585-X is the highest-performing model in the family and is designed for large
enterprises and mission critical data centers.



Figure 7: ASA 5585-X

































IV. Virtual work environment and default inspection

IV.1. Virtual work environment

Since the ASA firewall is not available to us because of its price and because access to it requires
high privileges, we will use a simulation environment.

The simulation needs two software programs: GNS 3 and Virtual Box.
IV.1.1. GNS 3
GNS 3 is a professional network simulation program capable of booting multiple images of various
Cisco equipment (routers, switches, firewalls, etc.).


Figure 8: GNS 3 interface
To use the equipment we must first specify the appropriate Cisco image for each device.

Figure 9: choosing the cisco image
In the figure above, we used the ASA 8.4 image that allows us to use the ASA firewall device in
GNS3.

IV.1.2. Virtual Box

We need to create three different areas of interaction (inside, outside, DMZ), so we used three
XP instances in Virtual Box that act as real networks in our simulation.
Virtual Box is able to run these instances simultaneously.







Figure 10: 3 instances in the Virtual Box
In this figure we created three XP instances with predefined configurations that depend on the
physical capabilities of the machine.


Figure 11: use of three different instances

After the startup of an instance we must install the ASDM. It is an application created by Cisco to
organize and simplify the configuration of the ASA firewall from a GUI.

To install the ASDM, an ASDM image must be installed on the ASA firewall; this file can be
downloaded via a TFTP server.
We used SuperPuTTY as the connection method to configure the ASA firewall: we assigned the IP
address and subnet mask to the interfaces and started the HTTP server that allows the authorized
hosts to download the ASDM application via the web browser.

Figure 12: downloading the ASDM using the web browser
After downloading the application we are now able to access the ASA firewall easily.










Figure 13: access on the ASA firewall


Figure 14 : configuration interface

And now we have a simple interface to make all the necessary configurations.



IV.2. Default inspection

This inspection provides security based on different security levels. For example, if you
have two hosts, the first with a security level of 50 and the second with a security level of 100,
the one with the higher level can communicate with the other one, but in the opposite direction the
one with the lower security level cannot communicate with the other.

The communication permitted by this inspection can be defined by the network administrator, who
can add or remove specific protocols.
The default inspection is organized by the ASA in 3 different levels:

- Service policy: An entire set of policies that is applied to one or all ASA interfaces, configured
  with the service-policy command

- Policy map: Where an action is taken on matched traffic, configured with the policy-map
  command

- Class map: Where specific traffic flows are identified or classified, configured with the
  class-map command

A service policy can contain one or more policy maps, which can, in turn, contain one or more class
maps. As well, any class maps you define can be referenced in multiple policy maps and service
policies.

























Figure 15 : MPF Organisation and Structure


IV.2.1. Scenario 1

In this scenario we divided the network into three parts: the first is the inside network with the
highest security level (100), the second is the demilitarized zone (DMZ) with a medium security
level (50) and the third is the outside network with the lowest security level (0).

So we can conclude that, after the configuration of the default inspection, the inside network can
communicate with the DMZ and the outside because it has a higher security level, the DMZ can
communicate only with the outside, and the outside cannot communicate with anyone.


The figure below shows the construction of the network in GNS 3 with the necessary IP addresses.

Figure 16: network division

The figure below shows the commands required to configure the IP addresses of the networks:


Figure 17: configuration of the interfaces



The configuration of the inside network is:


Figure 18: configuration of the inside network

We have now two LAN networks and we only use the second one so we have to disable the first
one.


Figure 19: two different LAN networks

The configuration of the DMZ network is:


Figure 20: configuration of the DMZ network

And the configuration of the outside network is:


Figure 21: configuration of the outside network

After the configuration is applied and without the default inspection, the three networks cannot
communicate with each other so we have to configure it and choose the desired protocols.


First of all, we should open the ASDM on the host of the inside network:


Figure 22: Access from the inside network

In the firewall configuration, we add a new global service policy (global indicates
that it will be applied on all of the firewall's interfaces).


Figure 23: adding a new service-policy

Then we should create a class map and set it to default inspection.


Figure 24: creation of a new class-map

Then we should choose the protocols that will be inspected on the interfaces:


Figure 25: adding protocols to the default inspection


Figure 26: choosing the protocols

After the configuration, some access rules will be applied on each interface:









Figure 27: default access rules

With these steps the configuration is finished. We should now test the communication between the
networks:

Ping from the inside to the two other networks: SUCCEEDED


Figure 28: ping from the inside to the other networks

Ping from DMZ to the inside network: FAILED


Figure 29: ping from the DMZ to the inside network

Ping from DMZ to the outside network: SUCCEEDED


Figure 30: ping from the DMZ to the outside

Ping from the outside to the other networks: FAILED


Figure 31: ping from the outside to the other networks













V. Access rules and NAT rules

V.1. Access rules

The Cisco ASA is, at its foundation, a stateful packet filtering device that is application aware, and
is capable of verifying the legitimacy and correctness of packets arriving at its interfaces by using
various state tables combined with configured access policies. If a packet arrives at an ASA
interface, it either must match expected traffic definitions from an existing session or will be
compared against the inbound interface security policy applied to that interface.
To determine whether the interface security policy will be applied to packets, therefore, the ASA
must be able to determine if arriving packets match expected traffic from an existing connection.
The ASA does this by maintaining state tables, as just mentioned. State tables act as short-term
memory for the device on active connections.


Figure 32: output of the command show run
















V.1.1. Scenario 2

To understand access lists we took the previous scenario and treated the DMZ host
as a TFTP server, to which we must allow access from the outside network:

Figure 33: division of the network

Configurations are already mentioned in the previous part (default inspection).

To allow connections from the outside network to the TFTP server we must create an access list.
This rule should allow the 10.10.10.0/24 network to use only the TFTP protocol toward the
network 172.16.0.0/24.

On the outside interface we should add the new access rule:


Figure 34: adding the access rule

Figure 35: configuration of the access rule

And we replace the IP in the service field by the TFTP protocol:


Figure 36: choosing the TFTP protocol

Figure 37: configured access rule

And now we have the new access rule.

We can see the access rule with the command show run:


Figure 38: output of the command show run

Now we should save the configuration using the command copy running-config startup-config:


Figure 39: saving the configurations

And now we should test the communication:
On the DMZ host we created a text file (test.txt) on the Desktop to try to download it from the
outside host.
Then we started the TFTP server on the DMZ host and specified the Desktop as the directory:


Figure 40 : TFTP server

If we try to ping the DMZ from the outside it will fail because we didn't permit the ICMP
protocol:


Figure 41: ping from the outside to the DMZ

Now we try to download the file on the outside network using this command:


Figure 42: output of the command GET

And it will succeed.

Access lists are very important for managing access through the firewall's interfaces,
especially when we need to permit packets from a lower to a higher security level.
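
The ping results of Scenario 1 and the TFTP rule of Scenario 2 can be reproduced with a small model of the decision logic. This is an added example, not code from the report or from Cisco; the host addresses, the assumption that ICMP was among the inspected protocols, and the simplified state-table key are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Security levels from Scenario 1. The host addresses are constructed for this
# example; the report only gives the DMZ and outside networks.
LEVELS = {"inside": 100, "dmz": 50, "outside": 0}
HOSTS = {"inside": "192.168.1.2", "dmz": "172.16.0.2", "outside": "10.10.10.2"}
PAIRS = [(a, b) for a in LEVELS for b in LEVELS if a != b]


@dataclass(frozen=True)
class AclEntry:
    proto: str
    src_net: str
    dst_net: str
    dport: int

    def matches(self, proto, src, dst, dport):
        return (proto == self.proto and dport == self.dport
                and ip_address(src) in ip_network(self.src_net)
                and ip_address(dst) in ip_network(self.dst_net))


@dataclass
class Firewall:
    inspect_icmp: bool = False
    acls: dict = field(default_factory=dict)   # interface name -> inbound ACL
    conns: set = field(default_factory=set)    # state table (simplified key)

    def new_flow(self, in_if, out_if, proto, dport=0):
        """First packet of a flow: no state exists yet, so policy decides."""
        src, dst = HOSTS[in_if], HOSTS[out_if]
        acl = self.acls.get(in_if)
        if acl is not None:
            # An interface ACL is evaluated entry by entry, then implicit deny.
            allowed = any(e.matches(proto, src, dst, dport) for e in acl)
        else:
            # No ACL: only higher -> lower security level is permitted.
            allowed = LEVELS[in_if] > LEVELS[out_if]
        # TCP/UDP flows are always tracked; ICMP only when it is inspected.
        if allowed and (proto in ("tcp", "udp") or self.inspect_icmp):
            self.conns.add((src, dst, proto))
        return allowed

    def reply(self, in_if, out_if, proto):
        """Return packet: passes if it matches a tracked flow; otherwise it
        is judged like any new packet arriving on that interface."""
        key = (HOSTS[out_if], HOSTS[in_if], proto)
        return key in self.conns or self.new_flow(in_if, out_if, proto)

    def ping(self, src_if, dst_if):
        """A ping succeeds only if both the request and the reply pass."""
        return (self.new_flow(src_if, dst_if, "icmp")
                and self.reply(dst_if, src_if, "icmp"))


def ping_matrix(fw):
    return {pair: fw.ping(*pair) for pair in PAIRS}


def scenario2():
    """Scenario 2: an ACL on the outside interface permits only TFTP
    (UDP port 69) from 10.10.10.0/24 to 172.16.0.0/24."""
    fw = Firewall(inspect_icmp=True)
    fw.acls["outside"] = [AclEntry("udp", "10.10.10.0/24", "172.16.0.0/24", 69)]
    tftp = (fw.new_flow("outside", "dmz", "udp", 69)
            and fw.reply("dmz", "outside", "udp"))
    return {"ping": fw.ping("outside", "dmz"),
            "tftp_dmz": tftp,
            "tftp_inside": fw.new_flow("outside", "inside", "udp", 69)}


if __name__ == "__main__":
    for label, fw in (("no ICMP inspection", Firewall()),
                      ("ICMP inspected", Firewall(inspect_icmp=True))):
        print(label)
        for (src, dst), ok in ping_matrix(fw).items():
            print(f"  ping {src:>7} -> {dst:<7} {'SUCCEEDED' if ok else 'FAILED'}")
    print("scenario 2:", scenario2())
```

Without ICMP inspection every ping fails in this model because the echo reply arrives on the lower-security interface with no matching state, which is consistent with the report's observation before the default inspection was configured.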























V.2. Network Address Translation (NAT)

The ASA firewall is often deployed on the border between a network using a private IP
addressing scheme and the Internet.
To solve the problems in the interconnection of these networks, the Cisco ASA
supports Network Address Translation (NAT) and Port Address Translation (PAT).

There simply were not enough addresses available in the originally designed IP addressing scheme
to accommodate universal connectivity, especially given the manner in which addresses were
originally assigned. Therefore, a system of private IP addresses was developed, first in RFC
1597, which was then superseded by the better-known RFC 1918, which allows multiple networks
around the world to deploy the exact same IP addresses for addresses that require only local
uniqueness. This eliminates the need to maintain globally unique addresses for every connected
host worldwide.

Because private IP addresses are intended for local use only and are considered nonroutable on
the public Internet, NAT is required to translate these private (local) IP addresses to public (global),
routable addresses when hosts on a private network need to communicate with hosts outside of that
private network.
Additionally, because many organizations can deploy the same private IP addresses, due to local
significance, NAT is required if hosts on these networks with overlapping addresses need to
communicate with each other.

Figure 43: basic address translation example



V.2.1. Difference between NAT and PAT

When you use inside NAT, only the source IP address of the internal host is translated, and a
one-to-one mapping is made between the original (local) IP address and the translated (global) address
assigned to the host. The global address can be assigned in either a static (fixed and permanent) or
dynamic (from a pool and temporary) manner. If there are not enough global IP addresses to support
all internal hosts, some hosts will not be able to communicate through the ASA.

The figure below illustrates the use of NAT with an example of inside NAT. Recall that inside
NAT means that traffic from the host subject to translation ingresses the ASA on a more secure
interface than it egresses the ASA. In the figure, two hosts connected to the inside interface of the
ASA both need to communicate with destinations on the Internet.


Figure 44: dynamic inside NAT scenario

In this figure, hosts on the internal 10.0.0.0/24 network share a pool of global addresses,
209.165.200.235-254, from which addresses are dynamically allocated to hosts as they make
connections, and to which addresses are returned after an idle period. In the previous example,
however, we have a static NAT in which all addresses are translated to a single global address.

When you use inside NAT, only the source IP address of the internal host is translated, and a
one-to-one mapping is made between the original (local) IP address and the translated (global) address
assigned to the host. With PAT, however, both the source IP address and source port (for TCP and
UDP packets) are translated, which creates a many-to-one mapping, with multiple internal hosts
sharing a single global IP address, and each of their TCP or UDP connections being assigned a
unique port number, tracked by the ASA for the duration of the connection. This allows for
maximum efficiency in conserving global IP addresses, but is not compatible with all applications.
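
The difference between the two translation tables, including the pool exhaustion described above, shown as an added example (not code from the report or from Cisco). It uses the 10.0.0.0/24 hosts and the 209.165.200.235-254 pool from the text; the PAT address, the source port 40000, the 25-host workload and the sequential port allocation are assumptions made for the illustration.

```python
from ipaddress import ip_address


class DynamicNat:
    """One-to-one translation from a pool: the source port is left untouched."""

    def __init__(self, first, last):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.free = [str(ip_address(n)) for n in range(lo, hi + 1)]
        self.xlate = {}                      # local IP -> global IP

    def translate(self, src_ip, src_port):
        if src_ip not in self.xlate:
            if not self.free:
                return None                  # pool exhausted: host cannot get out
            self.xlate[src_ip] = self.free.pop(0)
        return self.xlate[src_ip], src_port

    def release(self, src_ip):
        """Idle timeout: the global address goes back to the pool."""
        self.free.append(self.xlate.pop(src_ip))


class DynamicPat:
    """Many-to-one translation: every connection gets its own global port."""

    def __init__(self, global_ip, first_port=1024):
        self.global_ip = global_ip
        self.next_port = first_port          # sequential allocation (simplification)
        self.xlate = {}                      # (local IP, local port) -> global port
        self.reverse = {}                    # global port -> (local IP, local port)

    def translate(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.xlate:
            if self.next_port > 65535:
                return None                  # no free port left on the address
            self.xlate[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.global_ip, self.xlate[key]

    def untranslate(self, global_port):
        """Return traffic: map the global port back to the inside socket."""
        return self.reverse.get(global_port)


def run_demo(host_count=25):
    # Constructed workload: hosts 10.0.0.1 .. 10.0.0.N each open one
    # connection from source port 40000.
    hosts = [f"10.0.0.{n}" for n in range(1, host_count + 1)]
    nat = DynamicNat("209.165.200.235", "209.165.200.254")
    pat = DynamicPat("209.165.200.235")      # PAT address is an assumption
    nat_out = {h: nat.translate(h, 40000) for h in hosts}
    pat_out = {h: pat.translate(h, 40000) for h in hosts}
    return nat, pat, nat_out, pat_out


if __name__ == "__main__":
    nat, pat, nat_out, pat_out = run_demo()
    blocked = [h for h, t in nat_out.items() if t is None]
    print("dynamic NAT: hosts without a global address:", blocked)
    print("dynamic PAT: 10.0.0.25 ->", pat_out["10.0.0.25"])
```

The pool holds 20 addresses, so with dynamic NAT the 21st concurrent host gets no translation until another host's entry times out, while PAT serves all 25 hosts from one address by giving each connection a distinct port.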













The figure below illustrates the use of a dynamic NAT with an interior PAT:


Figure 45: Dynamic inside PAT scenario

V.2.2. Scenario 3

To understand NAT we used a scenario with three security zones: inside, outside
and DMZ.
In this scenario we have to configure a NAT for the HTTP server in the DMZ toward the outside, and we
should permit the DMZ to use the FTP server of the interior network.



Figure 46: network division

To configure a NAT rule we need to open the ASDM window on the inside host and select NAT
Rules then ADD:

Figure 47: NAT rule configuration

- Source interface: the outside
- Destination interface: the DMZ
- Source address: any, because any external host that wants to access the HTTP server must pass
  through the NAT rule
- Destination address: a fake IP from the outside network (10.10.10.80); it permits the translation
  of the server IP address (172.16.0.2) to this fake address
- Service: any
- Type of NAT: Static
- Destination address: 172.16.0.2, the address of the web server










Figure 48: configuration of the interfaces



Figure 49 : NAT rule


Any host of the outside network that tries to access the DMZ with the fake IP will be directed to the
web server.

But first we must add an access rule to allow access from a lower security level (outside) to a higher
security level (DMZ).



Figure 50: configuration of the access rule needed for the NAT rule


The source is Any and the destination is the web server, because they have two different security levels.

Now we should test the connection: on the outside host we open the web browser and use the fake
IP 10.10.10.80:


Figure 51: loading the web page

The web page is loaded successfully.
We can confirm it by using the command netstat -n on the outside host:

Figure 52: output of the command netstat -n

This is a sample page that can be found in the IIS by default. The IIS is the web server launched on
the DMZ host.

Now we should permit access from the DMZ host to the FTP server on the inside host.



Figure 53: configuring the access rule

Now we should test the ftp connection using this command:


Figure 54: FTP connection


The result of this command will be the same as the connection to the TFTP server.
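
The static NAT part of Scenario 3, traced packet by packet as an added example (not code from the report or from Cisco). It models the behaviour of ASA 8.3 and later, where the mapped destination is rewritten to the real one before the interface access rule is checked, so the rule has to name the real server address. The client address and the restriction of the rule to TCP port 80 are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

MAPPED_IP = "10.10.10.80"   # "fake" outside address from Scenario 3
REAL_IP = "172.16.0.2"      # real address of the DMZ web server
CLIENT = "10.10.10.2"       # constructed outside host


def acl_permits(acl, src, dst, proto, dport):
    """Entry-by-entry ACL check with an implicit deny at the end."""
    for rule_src, rule_dst, rule_proto, rule_port in acl:
        if (ip_address(src) in ip_network(rule_src)
                and ip_address(dst) in ip_network(rule_dst)
                and proto == rule_proto and dport == rule_port):
            return True
    return False


def outside_to_dmz(acl, src, dst, dport, proto="tcp"):
    """Inbound packet on the outside interface.

    The static NAT rule first rewrites the mapped destination to the real
    one, then the outside ACL is evaluated against the real address.
    Returns the forwarded packet, or None if it is dropped.
    """
    real_dst = REAL_IP if dst == MAPPED_IP else dst
    if not acl_permits(acl, src, real_dst, proto, dport):
        return None
    return {"src": src, "dst": real_dst, "dport": dport}


def dmz_to_outside_reply(forwarded, sport):
    """Reply from the server: the static rule rewrites its source address,
    so the outside host only ever sees the mapped address."""
    src = MAPPED_IP if forwarded["dst"] == REAL_IP else forwarded["dst"]
    return {"src": src, "sport": sport, "dst": forwarded["src"]}


# Access rule as described in the report: source any, destination the web
# server. Limiting it to TCP/80 is an assumption of this example.
ACL_REAL = [("0.0.0.0/0", REAL_IP + "/32", "tcp", 80)]
# The same rule written against the mapped address, for comparison.
ACL_MAPPED = [("0.0.0.0/0", MAPPED_IP + "/32", "tcp", 80)]


if __name__ == "__main__":
    fwd = outside_to_dmz(ACL_REAL, CLIENT, MAPPED_IP, 80)
    print("forwarded to server:", fwd)
    print("reply seen by client:", dmz_to_outside_reply(fwd, 80))
    print("rule on mapped address:", outside_to_dmz(ACL_MAPPED, CLIENT, MAPPED_IP, 80))
```

The reply carries 10.10.10.80 as its source, which is the address the netstat -n check on the outside host shows for the connection.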


VI. Conclusion

I learned during the training the importance and the necessity of the hardware-based firewall in the
security domain by controlling access through multi-optional access rules, masking private IPs by
applying simple or sophisticated NAT rules, protecting critical data, filtering and detecting
malicious activities, intrusion prevention, detection and many other features.
Also I learned how to create multiple instances of virtual machines to operate and simulate
real-case networks.
Finally, I learned that security is a very important parameter in implementing networks due to the
escalating threats, excessive attacks, spreading viruses and hacking techniques all over the cyber
world.

































VII. References

- CCNP Security-FIREWALL 642-618-Official Cert Guide
- www.wikipedia.com
