
ASA Firewall Essentials

July, 2012

Bogdan Doinea
Assoc. Technical Manager
CEE&RCIS
Cisco Networking Academy
2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

Introduction to the ASA Firewall
The ASA Operating System
ASA Firewall Configuration
ASA Remote Access
Technical Demo


Adaptive Security Appliance - Cisco's leading dedicated firewall solution (all-in-one solution):
Firewall
VPN concentrator
IPS

Advanced features:
Virtual Firewalling
Transparent/Routed mode
High Availability
Advanced Threat Control (AIP-SSM, AIP-SSC modules)
Identity Firewall


The ASA also monitors the state of connections:
Initiation, data transfer, termination
It can detect abnormal connection behavior that might indicate attacks or exploits.


[Diagram: ASA with interfaces E0/1, E0/2 and E0/3 connecting the inside network (Security Level 100), the DMZ (Security Level 50) and the outside network (Security Level 0) towards the Internet]

Only certain connections get inspected.
The administrator configures the level of security for each interface.


Packet flow through the ASA for a TCP connection from the inside to the outside:

1. The packet is received on the inside interface. The inbound ACL is applied and, if NAT is configured, the inside NAT operation is done.

2. The ASA randomizes the initial sequence number of the connection. The ASA creates a state object in memory retaining layer 3 and layer 4 information from the packet. The connection is marked as embryonic.

3. The packet comes back on the outside interface. Inbound ACLs are applied:
   - if the packet is permitted by the ACL, the state table isn't checked and the next step below is
   - the state table is checked for a state object that matches the information contained in the returning packet; if there is no match, the packet is dropped.

4. The ASA checks the ACK number in the packet relative to the sequence number that was overwritten in step 2. If the packet is legitimate, the ASA sets the ACK to ISN+1 to match the TCP information on the host.

5. The host responds with an ACK. The ACK number is not randomized. The connection is changed to active/established and the embryonic counter is reset for that state object.
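The five steps above can be followed in a small model of the ASA's connection tracking. This is an added example written for this page, not Cisco code: the `StateObject`/`AsaStateTable` names, the `seed` parameter (only there to make the demo reproducible; a real ASA uses an unpredictable generator) and the flow keys and sequence numbers are all constructed for illustration. It shows why the ISN rewrite needs a per-connection offset: the SYN/ACK's ACK is validated against the randomized ISN, then translated back so the inside host sees its own ISN+1, and later data segments in the inside-to-outside direction get the same offset added.

```python
# Added example (not Cisco's code): a model of the TCP connection-tracking
# steps listed above, with ISN randomization, an embryonic state object,
# ACK checking/rewriting and the transition to "established".
# Flow keys and sequence numbers are constructed for illustration.
import random
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class StateObject:
    """Layer 3/4 information the ASA keeps for one connection (step 2)."""
    key: tuple        # (src_ip, src_port, dst_ip, dst_port) as seen on the inside
    host_isn: int     # ISN chosen by the inside host
    asa_isn: int      # randomized ISN the outside host actually sees
    state: str = "embryonic"

    @property
    def delta(self) -> int:
        # offset added to every sequence number in the inside->outside
        # direction and subtracted from every ACK coming back
        return (self.asa_isn - self.host_isn) % MOD


class AsaStateTable:
    def __init__(self, seed=None):
        # a fixed seed only makes the demo reproducible (assumption for the
        # example); the real appliance uses an unpredictable generator
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.table = {}
        self.embryonic = 0   # number of half-open connections

    @staticmethod
    def reverse(key):
        return (key[2], key[3], key[0], key[1])

    def inside_syn(self, key, host_isn):
        """Step 2: randomize the ISN and create an embryonic state object.
        Returns the sequence number written into the forwarded SYN."""
        obj = StateObject(key, host_isn, self.rng.randrange(MOD))
        self.table[key] = obj
        self.embryonic += 1
        return obj.asa_isn

    def outside_synack(self, returning_key, ack):
        """Steps 3 and 4: a SYN/ACK arrives on the outside interface.
        Without a matching state object the packet is dropped (None).
        The ACK must acknowledge the randomized ISN; if it does, it is
        rewritten to host_isn + 1 so the inside host's TCP stack accepts it."""
        obj = self.table.get(self.reverse(returning_key))
        if obj is None:
            return None                      # no state object: dropped
        if ack != (obj.asa_isn + 1) % MOD:
            return None                      # does not acknowledge our ISN: dropped
        return (ack - obj.delta) % MOD       # == host_isn + 1

    def inside_ack(self, key):
        """Step 5: the host's final ACK (not randomized) completes the
        handshake; the state object becomes established and the embryonic
        counter is reset for it."""
        obj = self.table.get(key)
        if obj is None or obj.state != "embryonic":
            return False
        obj.state = "established"
        self.embryonic -= 1
        return True

    def outbound_seq(self, key, seq):
        """Data phase: translate the host's sequence number for the outside."""
        return (seq + self.table[key].delta) % MOD


def demo():
    """Run one full handshake on a constructed flow and return what happened."""
    asa = AsaStateTable(seed=42)
    key = ("192.168.1.10", 40000, "198.51.100.7", 80)   # constructed flow
    isn = asa.inside_syn(key, host_isn=1000)
    ack_for_host = asa.outside_synack(asa.reverse(key), (isn + 1) % MOD)
    asa.inside_ack(key)
    return isn, ack_for_host, asa.table[key].state, asa.embryonic


if __name__ == "__main__":
    print(demo())
```

A SYN/ACK that arrives for a flow with no state object, or whose ACK does not equal the randomized ISN plus one, is rejected before the ACK is ever rewritten, which is the check that lets the ASA drop injected or spoofed replies.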


Routed mode
the ASA is a layer 3 device
all the ASA features and capabilities are active

Transparent mode
the ASA is a layer 2 device (works with VLANs instead of IP subnets)
can have a global IP used for remote management
is invisible to any attacker coming from the Internet
some functionalities are disabled: routing protocols, VPNs, QoS, DHCP relay


A series of LEDs
Speed and link activity LEDs
Power LED
Status LED
Active LED
VPN LED
Security Services Card (SSC) LED


An 8-port 10/100 Fast Ethernet switch.
Three USB ports.
One Security Services Card (SSC) slot for expansion. The slot can be used to add the Cisco Advanced Inspection and Prevention Security Services Card (AIP-SSC).


Same modular structure as IOS:

Unprivileged mode
Limited rights

Privileged mode
Generally used for show commands

Global configuration
Used for general configuration (e.g. password for privileged mode, static routes, banners, hostname configuration etc.)

Configuration sub-modes
Used for advanced configuration of specific features (firewall, VPN, routing protocols etc.)

Same help system:

ciscoasa> ?
enable    Turn on privileged commands

ciscoasa> enable 15
Password:
ciscoasa# configure terminal
ciscoasa(config)# interface fa0/1
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa# exit
ciscoasa>

The default password is? CR + LF (it is empty: just press Enter)

ciscoasa> ?
enable     Turn on privileged commands
exit       Exit the current command mode
login      Log in as a particular user
logout     Exit from current user profile to unprivileged mode
perfmon    Change or view performance monitoring options
ping       Test connectivity from specified interface to an IP address
quit       Exit the current command mode

ciscoasa> help enable
USAGE:
enable [<priv_level>]

DESCRIPTION:
enable     Turn on privileged commands

First we delete.

startup-config - stored in Flash
running-config - stored in RAM

Deleting configurations:
ciscoasa# clear configure all      (clears the running-config in RAM)
ciscoasa# write erase              (erases the startup-config in Flash)

Then we save!

startup-config - stored in Flash
running-config - stored in RAM

ciscoasa# show running
ciscoasa# show startup

Saving the configuration:
ciscoasa# copy running startup
ciscoasa# write mem
ciscoasa# wr

The clear configure command doesn't exist in IOS (on routers and switches).
It enables the selective deletion of specific parts of the configuration in RAM (the running-config):

ciscoasa(config)# show running-config | include isakmp
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

ciscoasa(config)# clear configure isakmp

ciscoasa(config)# show running-config | include isakmp

Configuring a hostname
ciscoasa(config)# hostname ipd
ipd(config)#

Configuring a password for the telnet line
ipd(config)# passwd cisco

Configuring a password for privileged mode. How did we configure this on a router?
ipd(config)# enable password cisco
ipd# sh run | i pass
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

In order to pass traffic between two interfaces, levels of security need to be defined for each interface.

Security levels represent the simplest stateful firewall model that the ASA offers.

Packets get inspected by the firewall engine when they traverse from a higher security level interface to a lower security level interface.

Packets that try to pass from a lower security interface to a higher security interface, without having a stateful object related to them in the memory of the ASA, will get dropped by default.

Besides security levels, every ASA interface needs a name. This name is going to be referred to in all commands that want to use this interface.
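The rules in the preceding paragraphs can be written down as a small decision function. This is an added example for this page, not Cisco code: the `SecurityLevelPolicy` and `Flow` names, the interface names/levels and the sample flows are constructed. It also covers one case the text only implies: a packet arriving on, or destined to, an interface that has no nameif/security-level is dropped, and traffic between two interfaces with equal security levels is dropped by default as well (the ASA needs an explicit same-security-traffic permit for that, which this model does not implement).

```python
# Added example (not Cisco's code): a model of the default security-level
# policy described above. Interface names, levels and flows are constructed.
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class SecurityLevelPolicy:
    def __init__(self, interfaces: Dict[str, int]):
        # nameif -> security-level, as set with "nameif" / "security-level"
        self.levels = interfaces
        # state objects created for inspected connections: (egress nameif, flow)
        self.state: Set[Tuple[str, Flow]] = set()

    def process(self, ingress: str, egress: str, flow: Flow) -> str:
        # an interface without a name/security level has no L3 connectivity
        for name in (ingress, egress):
            if name not in self.levels:
                return f"drop: interface '{name}' has no nameif/security-level"
        # returning traffic for a connection the ASA already inspected:
        # the state object was stored under the interface it now arrives on
        if (ingress, flow.reverse()) in self.state:
            return "permit: matches existing state object"
        # higher -> lower: inspected, and a state object is created
        if self.levels[ingress] > self.levels[egress]:
            self.state.add((egress, flow))
            return "permit: higher to lower security level, state object created"
        # lower -> higher (or equal, which the ASA also blocks by default
        # without same-security-traffic permit) and no state object
        return "drop: lower to higher security level without a state object"


def demo() -> List[str]:
    """Inside host opens an HTTPS connection; the reply comes back; an
    unsolicited packet from outside to the DMZ is attempted. Constructed flows."""
    asa = SecurityLevelPolicy({"inside": 100, "dmz": 50, "outside": 0})
    web = Flow("192.168.1.10", 40000, "198.51.100.7", 443, "tcp")
    probe = Flow("198.51.100.7", 55000, "192.168.2.20", 80, "tcp")
    return [
        asa.process("inside", "outside", web),          # permitted, inspected
        asa.process("outside", "inside", web.reverse()),  # permitted, stateful
        asa.process("outside", "dmz", probe),            # dropped
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The order of checks matters: the state-table lookup comes before the level comparison, so a reply to an inspected connection is accepted even though on its own it travels from level 0 to level 100.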


Configuring security levels is done from (config-if)#


An ASA interface that has no name or security level does not have L3 connectivity.

ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0


Security levels can be configured using the security-level command:

ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# no shutdown


By default telnet access is not allowed:

ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside
ciscoasa(config)# telnet timeout 10
ciscoasa(config)# passwd cisco123

If no password is set, by default it's cisco.

Access through telnet on the outside interface (security-level 0) is not permitted unless the telnet connection is coming through an IPSec tunnel.

Monitoring connections:
ciscoasa# who
0: 10.10.0.132
ciscoasa# kill 0
ciscoasa# who


SSH is permitted on any interface.

Step 1: generate the keys
ciscoasa(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...

Step 2: activate SSH
ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 10

By default, the user is pix and the password is the one configured with passwd.


Configuring a specific interface:

asa1# show run interface E0/3
interface Ethernet0/3
speed 10
duplex full
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0
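The interface settings (nameif, security-level, ip address) and the telnet/SSH remote-access settings shown in the preceding slides are easy to check mechanically once a running-config has been saved to a file. The following auditor is an added example for this page, not a Cisco tool: `parse_interfaces`, `audit` and the `SAMPLE_CONFIG` text are constructed for the demo (the `enable password` hash is a placeholder), and only command forms that appear on these slides are used. It flags an interface that has an IP address but no nameif/security-level (no L3 connectivity), telnet permitted on a security-level 0 interface, an `ssh version` other than 2, and a missing `passwd` line (which leaves the default password in place).

```python
# Added example (not Cisco's code): audit a saved ASA running-config for the
# interface and remote-access settings covered above. The configuration text
# below is constructed for the demo; only command forms from the slides are used.
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname ipd
enable password PLACEHOLDERHASH encrypted
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
interface Ethernet0/3
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0
telnet 10.10.0.0 255.255.255.0 inside
telnet 203.0.113.0 255.255.255.0 outside
telnet timeout 10
ssh 141.85.37.0 255.255.255.0 outside
ssh version 1
ssh timeout 10
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect nameif / security-level / ip address / shutdown per interface stanza."""
    ifaces: Dict[str, dict] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            ifaces[current] = {}
        elif line.startswith(" ") and current:
            parts = line.split()
            if parts[0] == "nameif":
                ifaces[current]["nameif"] = parts[1]
            elif parts[0] == "security-level":
                ifaces[current]["security-level"] = int(parts[1])
            elif parts[:2] == ["ip", "address"]:
                ifaces[current]["ip"] = parts[2]
            elif parts[0] == "shutdown":
                ifaces[current]["shutdown"] = True
        else:
            current = None   # any other top-level command ends the stanza
    return ifaces


def audit(config: str) -> List[str]:
    """Return human-readable findings for the checks described in the lead-in."""
    findings: List[str] = []
    ifaces = parse_interfaces(config)
    levels = {a["nameif"]: a["security-level"]
              for a in ifaces.values() if "nameif" in a and "security-level" in a}
    for name, attrs in ifaces.items():
        if "ip" in attrs and not ("nameif" in attrs and "security-level" in attrs):
            findings.append(f"{name}: IP address set but no nameif/security-level, "
                            "so the interface has no L3 connectivity")
    lines = config.splitlines()
    for line in lines:
        m = re.match(r"telnet \S+ \S+ (\S+)$", line)   # "telnet timeout N" does not match
        if m and levels.get(m.group(1)) == 0:
            findings.append(f"telnet allowed on '{m.group(1)}' (security-level 0): "
                            "only reachable through an IPsec tunnel; use SSH instead")
    versions = [l.split()[2] for l in lines if l.startswith("ssh version ")]
    if versions != ["2"]:
        findings.append("ssh version 2 not enforced (found: %s)" % (versions or "none"))
    if not any(l.startswith("passwd ") for l in lines):
        findings.append("no passwd configured: telnet/ssh fall back to the default password")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed sample it reports four findings; removing the telnet-on-outside line, switching to `ssh version 2` and adding a `passwd` line leaves only the unnamed Ethernet0/0 interface.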

Name of the interface and security levels:

asa1# show nameif
Interface                Name       Security
GigabitEthernet0/0       outside      0
GigabitEthernet0/1       inside     100
GigabitEthernet0/2       dmz         50

All the parameters of an interface:
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0013.c482.2e4c, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
8 packets input, 1078 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (8/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "outside":
8 packets input, 934 bytes
0 packets output, 0 bytes
8 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec


What command did we use in IOS to see the L2 and L3 status of interfaces in a "brief" output?

show ip interface brief

ASA does it slightly differently:

show interface ip brief
ciscoasa(config)# sh int ip br
Interface      IP-Address     OK? Method Status   Protocol
Ethernet0/0    192.168.1.1    YES manual up       up
Ethernet0/1    10.10.1.1      YES manual up       up

IOS Q: can we run a show command from config mode?
A: yes, using the argument do in front of the command
normal_cisco_router(config)# do show clock
*15:08:07.867 UTC Thu Feb 17 2011

We don't have do in the ASA OS, but you can issue show commands from anywhere in the OS:
ciscoasa(config-if)# sh clock
15:54:01.139 UTC Thu Feb 17 2011

There's also the possibility of filtering output by using | and the arguments: i (include), b (begin), grep


[Diagram: technical demo topology - routers R1 and R2 connected to the ASA's outside and inside interfaces (interface labels G0, G1 and e0/0)]

Thank you.
