Security - Cisco Firewall Training

The document discusses Cisco security appliances and firewall technologies. It provides an overview of Cisco firewall training that takes place over 5 days and covers topics such as getting started with Cisco security appliances, managing the security appliance, firewall modules, network address translation, routing, and access control lists. Firewall technologies discussed include packet filtering, proxy servers, and stateful packet filtering. Key features of Cisco security appliances are also summarized.


Security - Cisco Firewall
TRAINING

Course Flow

Content and objectives. Schedule: 5 days. Theory in the morning (AM, 8h30-11h30), hands-on lab in the afternoon (PM, 14h-17h). (The slide note gives the hours as morning 9h-11h30 and afternoon 14h-16h30.)

Theory (AM)
Day 1: Lesson 1: Cisco Security Appliances Overview; Lesson 2: Getting Started with Cisco Security Appliances
Day 2: Lesson 2: Getting Started with Cisco Security Appliances (continued); Lesson 3: Managing the Security Appliance; Lesson 4: Access Control Lists
Day 3: Lesson 5: Cisco Adaptive Security Device Manager; Lesson 6: Firewall Switch Modules (FWSM)

Hands-on Lab (PM)
Day 1: Lab 1: Console connection setting; Lab 2: Execute general commands; Lab 3: Configure Security Appliance Interfaces
Day 2: Lab 4: Configure NAT and Routing; Lab 5: Test the Inside, Outside, and DMZ Interface Connectivity; Lab 6: Configure ACLs on the Security Appliance
Day 3: Lab 7: Managing the Security Appliance
Introduction

 Trainer Introduction
1. Name:
2. Position:
3. Experience:

 Trainee Introduction
1. Name:
2. Position:
3. Network security knowledge and experience
Lesson 1
Cisco Security Appliances Overview

What Is a Firewall?

[Diagram: the firewall sits between the outside network (Internet), the inside network, and a DMZ network.]

A firewall is a system or group of systems that manages access between two or more networks.
Firewall Technologies

Firewall operations are based on one of three technologies:
 Packet filtering
 Proxy server
 Stateful packet filtering
Packet Filtering

[Diagram: inside host A sends data to DMZ server B (A to B: Yes, permitted) and to Internet server C (A to C: No, denied).]

Limits information that is allowed into a network based on the destination and source address. A packet filter keeps no connection state, so every packet, including return traffic, is judged on its own header fields.
Proxy Server

[Diagram: proxy server between the outside network (Internet) and the inside network.]

Requests connections on behalf of a client: the client connects to the proxy, and the proxy opens a separate connection to the server, so no packet passes directly between the two networks.


Stateful Packet Filtering

[Diagram: inside host A opens an HTTP connection to DMZ server B; the firewall records the connection in its state table.]

Limits information that is allowed into a network based not only on the destination and source addresses, but also on the contents of the packet state table.

State table (two tracked connections):
  Source address         192.168.0.20   10.0.0.11
  Destination address    172.16.0.50    172.16.0.50
  Source port            1026           1026
  Destination port       80             80
  Initial sequence no.   49769          49091
  Ack                    (not shown on the slide)
  Flag                   SYN            SYN
Security Appliances: What Are They?

Cisco security appliances deliver enterprise-class security for small-to-medium-sized business and enterprise networks in a modular, purpose-built appliance. Some features of Cisco security appliances are:
 Proprietary operating system
 Stateful packet inspection
 User-based authentication
 Protocol and application inspection
 Modular policy framework
 Virtual private networking
 Security contexts (virtual firewalls)
 Stateful failover capabilities
 Transparent firewalls
 Web-based management solutions
Proprietary Operating System

 Removes many of the risks associated with general-purpose operating systems (unneeded services, local user accounts, third-party software). The appliance OS still has to be kept patched; proprietary does not mean vulnerability-free.
Stateful Packet Inspection

 The stateful packet inspection algorithm provides stateful connection security.
• It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags.
• It randomizes the initial TCP sequence number of each new connection.
 By default, the stateful packet inspection algorithm allows connections originating from hosts on inside (higher security level) interfaces.
 By default, the stateful packet inspection algorithm drops connection attempts originating from hosts on outside (lower security level) interfaces.
 The stateful packet inspection algorithm supports authentication, authorization, and accounting.
Application-Aware Inspection

[Diagram: FTP server (data port 20, control port 21) and FTP client (control port 2008, data port 2010). The client announces "Data - Port 2010" on the control channel; the firewall inspects it, marks "Port 2010 OK", and admits the data connection.]

 Protocols such as FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall.
 The security appliance inspects packets above the network layer.
 The security appliance securely opens and closes negotiated ports for legitimate client-server connections through the firewall.
Modular Policy

[Diagram: headquarters ASA with a T1 Internet link; systems engineer (SE) and executive (exec) user groups; site-to-site (S2S) tunnels to Site B and Site C.]

  Class Map (Traffic Flow)   Policy Map (Services)   Service Policy (Interface/Global)
  Default                    Inspect                 Global
  Internet                   IPS                     Outside
  Systems Engineer           Police
  Executives                 Priority
  Site to Site
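The table above is the Modular Policy Framework in three layers. The configuration below is an added example (not from the course slides) that builds the same table on ASA 7.2: class maps pick traffic flows, policy maps attach services, and service policies bind them globally or to one interface. It also covers the application-aware inspection from the previous slide, since the FTP, HTTP, H.323 and SQL*Net engines are enabled here. The class and policy names, the SE subnet, the DSCP value, the rate limit and the IPS mode are assumptions chosen for illustration.

```cisco
! Added example, not part of the course material. Names, addresses and
! numeric values are assumptions.
!
! ACL referenced by a class map below: the systems engineers' subnet
access-list SE_HOSTS extended permit ip 10.0.1.0 255.255.255.0 any
!
! 1. Class maps: which traffic flow each row of the table matches
class-map inspection_default
 match default-inspection-traffic
class-map INTERNET_TRAFFIC
 match any
class-map SE_BULK
 match access-list SE_HOSTS
class-map EXEC_VOICE
 match dscp ef
!
! 2. Policy maps: the service applied to each class
!    Application inspection opens the negotiated FTP/H.323/SQL*Net
!    data ports only for a legitimate control session.
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
  inspect h323 h225
  inspect h323 ras
  inspect sqlnet
  inspect dns maximum-length 512
!
policy-map OUTSIDE_POLICY
 class INTERNET_TRAFFIC
  ips promiscuous fail-open      ! needs an AIP SSM installed
 class SE_BULK
  police output 1000000 187500   ! 1 Mb/s, 187500-byte burst
 class EXEC_VOICE
  priority                       ! needs priority-queue on the interface
!
priority-queue outside
!
! 3. Service policies: one global, one on the outside interface
service-policy global_policy global
service-policy OUTSIDE_POLICY interface outside
!
! Verification
show service-policy
show service-policy interface outside
show conn
```

Only one policy map can be bound per interface and one globally; interface policies take precedence over the global one for a matching class, which is why inspection stays in the global policy and the per-interface services sit in OUTSIDE_POLICY.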
Virtual Private Network

[Diagram: site-to-site IPsec VPN between two BANK sites (A and B) across the Internet; remote-access IPsec VPN and SSL VPN clients connecting to headquarters.]
Security Context (Virtual Firewall)

[Diagram: four physical firewalls, each with its own Internet link, replaced by one physical firewall running four virtual firewalls.]

Ability to create multiple security contexts (virtual firewalls) within a single security appliance
Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover

[Diagram, left (Active/Standby): primary unit failed, secondary unit active. Right (Active/Active): contexts 1 and 2 on both units; primary failed/standby, secondary active for both contexts.]

 Failover protects the network if the primary security appliance goes offline.
– Active/standby: Only one unit can be actively processing traffic; the other is a hot standby.
– Active/active: Both units can process traffic and serve as backup units. This requires multiple-context mode; each context is active on one unit and standby on the other.
 Stateful failover maintains the operating state (connection and translation tables, among others) during failover, so established sessions survive the switchover.
Transparent Firewall

[Diagram: the appliance bridges hosts 192.168.1.5 and 192.168.1.2 toward the Internet; both sides are in the same IP subnet.]

 Has the ability to deploy a security appliance in a secure bridging mode
 Provides rich Layers 2 through 7 security services as a Layer 2 device
Web-Based Management Solutions

 Adaptive Security Device Manager (ASDM)
Models and Features of Cisco Security Appliances

ASA 5500 Series

[Chart: price and functionality rise from SOHO through ROBO, SMB and Enterprise to SP (service provider): ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550. Gigabit Ethernet is marked on the upper models.]

PIX 500 Series

[Chart, same axes: PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535. Gigabit Ethernet is marked on the upper models.]
Cisco ASA 5510 Adaptive Security
Appliance

 Delivers advanced security and networking services, including high-performance VPN services, for small and medium-sized businesses and enterprise branch offices
 Provides up to 130,000 concurrent connections
 Provides up to 300-Mbps firewall throughput
 Provides interface support
• Up to 5 10/100 Fast Ethernet interfaces
• Up to 25 VLANs
• Up to 5 contexts
 Supports failover
• Active/standby
 Supports VPNs
• Site to site (250 peers)
• Remote access
• WebVPN
 Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port
Gigabit Ethernet SSM)
Cisco ASA 5520 Adaptive Security
Appliance

 Delivers advanced security services, including high-performance VPN services, for medium-
sized enterprise networks
 Provides up to 280,000 concurrent connections
 Provides up to 450-Mbps firewall throughput
 Provides Interface support
• 4 10/100/1000 Gigabit Ethernet interfaces
• 1 10/100 Fast Ethernet interface
• Up to 100 VLANs
• Up to 20 contexts
 Supports failover
• Active/standby
• Active/active
 Supports VPNs
• Site to site (750 peers)
• Remote access
• WebVPN
 Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port
Gigabit Ethernet SSM)
Cisco ASA 5540 Adaptive Security
Appliance

 Delivers high-performance, high-density security services, including high-performance VPN services, for medium-sized and large enterprise networks and service provider networks
 Provides up to 400,000 concurrent connections
 Provides up to 650-Mbps firewall throughput
 Provides Interface support
• 4 10/100/1000 Gigabit Ethernet interfaces
• 1 10/100 Fast Ethernet interface
• Up to 200 VLANs
• Up to 50 contexts
 Supports failover
• Active/standby
• Active/active
 Supports VPNs
• Site to site (5,000 peers)
• Remote access
• WebVPN
 Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port
Gigabit Ethernet SSM)
ASA 5510, 5520, and 5540 Adaptive Security Appliances Front Panel

[Panel LEDs: Power, Status, Active, VPN, Flash]

ASA 5510, 5520, and 5540 Adaptive Security Appliances Back Panel

[Back panel: CompactFlash slot, fixed interfaces, security services module slot]

ASA 5510, 5520, and 5540 Adaptive Security Appliances Connectors

[Connectors: CompactFlash; 10/100 out-of-band management port; console port; AUX port; power supply (AC or DC); four 10/100/1000 Gigabit Ethernet ports*; two USB 2.0 ports]

*The ASA 5510 Adaptive Security Appliance supports 10/100 Fast Ethernet ports.
Cisco ASA Security Services Module

 High-performance module designed to provide additional security services
 Diskless (Flash-based) design for improved reliability
 Gigabit Ethernet port for out-of-band management

SSM models:
 SSM-10: 2.0-GHz processor, 1.0 GB RAM
 SSM-20: 2.4-GHz processor, 2.0 GB RAM

[Module LEDs: Power, Status, Speed, Link and activity]

Four-Port Gigabit Ethernet SSM

[Front: four RJ-45 ports and four SFP ports; LEDs: RJ-45 link, RJ-45 speed, SFP link, SFP speed, Status, Power]
Summary

 A firewall is a system or group of systems that manages access between two or more networks.
 Of the three firewall technologies, stateful packet filtering is the most effective.
 Cisco security appliances include the Cisco PIX 500 and ASA 5500 series.
 The ASA 5510 and 5520 security appliances target small and medium-sized enterprises.
 The functions of the security appliances can be expanded with SSMs.
Lesson 2

Getting Started with Cisco Security Appliances

User Interface
Security Appliance Access Modes

A Cisco security appliance has four main administrative access modes:
  Unprivileged     ciscoasa>
  Privileged       ciscoasa#
  Configuration    ciscoasa(config)#
  Monitor          monitor>
Access Privileged Mode

ciscoasa>
enable [priv_level]
Used to control access to privileged mode; enables you to enter other access modes

ciscoasa> enable
password:
ciscoasa#
Access Configuration Mode: configure terminal Command

ciscoasa#
configure terminal
Used to start configuration mode to enter configuration commands from a terminal

ciscoasa#
exit
Used to exit from an access mode

ciscoasa> enable
password:
ciscoasa# configure terminal
ciscoasa(config)# exit
ciscoasa# exit
ciscoasa>
help Command

ciscoasa> help ?
enable   Turn on privileged commands
exit     Exit the current command mode
login    Log in as a particular user
logout   Exit from current user profile to unprivileged mode
perfmon  Change or view performance monitoring options
ping     Test connectivity from specified interface to an IP address
quit     Exit the current command mode

ciscoasa> help enable
USAGE:
enable [<priv_level>]
File Management
Viewing and Saving Your Configuration

The following commands enable you to view your configuration:
 show running-config
 show startup-config

The following commands enable you to save your configuration:
 copy run start
 write memory

[Diagram: configuration changes go into the running-config (RAM); copy run start writes it to the startup-config (saved in flash).]
Clearing Running Configuration

[Diagram: clear configure all returns the running-config to defaults; the startup-config is untouched.]

ciscoasa(config)#
clear configure all
Clears the running configuration (the abbreviated form clear config all is accepted). The startup configuration in flash is not affected, so a reload brings the saved configuration back.

ciscoasa(config)# clear config all

Clearing Startup Configuration

[Diagram: write erase returns the startup-config to defaults; the running-config stays in RAM until the next reload.]

ciscoasa#
write erase
Clears the startup configuration

ciscoasa# write erase
Reload the Configuration: reload Command

ciscoasa#
reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config]
Reboots the security appliance and reloads the configuration; allows scheduled reboots. Unsaved running-config changes are lost unless save-config is given or write memory is run first.

ciscoasa# reload
Proceed with reload? [confirm] y
Rebooting...
File System (Release 7.0 and later)

 Software image
 Configuration file
 Private data
 ASDM image
 Backup image*
 Backup configuration file*
Displaying Stored Files: System and Configuration

[Diagram: ASA appliances use disk0: and disk1:; PIX security appliances use flash:.]

ciscoasa#
dir [/all] [/recursive] [all-filesystems] [disk0: | disk1: | flash: | system:]
Displays the directory contents

ciscoasa# dir
Directory of disk0:/
8     -rw-  8202240  13:37:33 Jul 28 2006  asa721-k8.bin
1264  -rw-  5539756  13:21:13 Jul 28 2006  asdm-521.bin
62947328 bytes total (49152000 bytes free)
Security Level Example

[Diagram: GigabitEthernet0/0 (g0/0), security level 0, interface name = outside, toward the Internet; GigabitEthernet0/1 (g0/1), security level 100, interface name = inside; GigabitEthernet0/2 (g0/2), security level 50, interface name = DMZ.]
Examining Security Appliance Status
show Commands

asa1# show run interface
. . .
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
. . .

asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Detected: Speed 1000 Mbps, Full-duplex
  Requested: Auto
  MAC address 000b.fcf8.c538, MTU 1500
  IP address 192.168.1.2, subnet mask 255.255.255.0
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 packets output, 0 bytes, 0 underruns
  input queue (curr/max blocks): hardware (0/0) software (0/0)
  output queue (curr/max blocks): hardware (0/0) software (0/0)
  Received 0 VLAN untagged packets, 0 bytes
  Transmitted 0 VLAN untagged packets, 0 bytes
  Dropped 0 VLAN untagged packets
show memory Command

ciscoasa#
show memory

asa1# show memory
Free memory:   468962336 bytes (87%)
Used memory:    67908576 bytes (13%)
-------------  ----------------
Total memory:  536870912 bytes (100%)

show cpu usage Command

ciscoasa#
show cpu usage

asa1# show cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
show version Command

asa1# show version
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)

Compiled on Wed 31-May-06 14:45 by root

System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 2 mins 51 secs

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
. . .
show ip address Command

[Diagram: outside 192.168.1.0 (.2 on the appliance), inside 10.0.1.0 (.1), dmz 172.16.1.0 (.1), with 10.1.1.0 behind the inside network.]

asa1# show ip address
System IP Addresses:
Interface            Name     IP address    Subnet mask    Method
GigabitEthernet0/0   outside  192.168.1.2   255.255.255.0  CONFIG
GigabitEthernet0/1   inside   10.0.1.1      255.255.255.0  CONFIG
GigabitEthernet0/2   dmz      172.16.1.1    255.255.255.0  CONFIG

Current IP Addresses:
Interface            Name     IP address    Subnet mask    Method
GigabitEthernet0/0   outside  192.168.1.2   255.255.255.0  CONFIG
GigabitEthernet0/1   inside   10.0.1.1      255.255.255.0  CONFIG
GigabitEthernet0/2   dmz      172.16.1.1    255.255.255.0  CONFIG
show interface Command

asa1# show interface


Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0013.c482.2e4c, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
8 packets input, 1078 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (8/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "outside":
8 packets input, 934 bytes
0 packets output, 0 bytes
8 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
show nameif Command

[Diagram: g0/0 outside (security level 0), g0/1 inside (security level 100), g0/2 dmz (security level 50).]

asa1# show nameif
Interface            Name     Security
GigabitEthernet0/0   outside  0
GigabitEthernet0/1   inside   100
GigabitEthernet0/2   dmz      50
show run nat Command

[Diagram: inside hosts 10.0.1.x are translated to outside addresses X.X.X.X when they reach the Internet.]

ciscoasa#
show run nat
Displays the single host or range of hosts to be translated

asa1# show run nat
nat (inside) 1 10.0.1.0 255.255.255.0 0 0

show run global Command

[Diagram: inside hosts 10.0.1.x draw addresses from the mapped pool 192.168.1.20-192.168.1.254.]

ciscoasa#
show run global
Displays the pool of mapped addresses

asa1# show run global
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0

show xlate Command

[Diagram: xlate table entry, outside (mapped pool) 192.168.1.20 paired with inside (local) 10.0.1.11.]

ciscoasa#
show xlate
Displays the contents of the translation slots

asa1# show xlate
1 in use, 1 most used
Global 192.168.1.20 Local 10.0.1.11
show route Command

[Diagram: outside 192.168.1.0 (g0/0, gateway .1), inside 10.0.1.0 (g0/1), dmz 172.16.1.0 (g0/2).]

ciscoasa#
show route [interface_name [ip_address [netmask [static]]]]
Displays the contents of the routing table

asa1(config)# show route
S    0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
C    10.0.1.0 255.255.255.0 is directly connected, inside
C*   127.0.0.0 255.255.0.0 is directly connected, cplane
C    172.16.1.0 255.255.255.0 is directly connected, dmz
C    192.168.1.0 255.255.255.0 is directly connected, outside
ping Command

ciscoasa#
ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]
Determines whether other devices are reachable from the security appliance

asa1# ping 10.0.1.11
Sending 5, 100-byte ICMP Echos to 10.0.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

traceroute Command

ciscoasa#
traceroute {destination_ip | hostname} [source source_ip | source-interface] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]
Determines the route packets will take to their destination

asa1# traceroute 172.26.26.20
Basic Security Appliance Configuration
Basic CLI Commands for Security Appliances

 hostname
 interface
• nameif
• ip address
• security-level
• speed
• duplex
• no shutdown
 nat-control
 nat
 global
 route
Assigning a Hostname to Security Appliance: Changing the CLI Prompt

[Diagram: New York (asa1), Boston (asa2), and Dallas (asa3), each with a server, connected over the Internet.]

ciscoasa(config)#
hostname newname
Changes the hostname in the security appliance CLI prompt

ciscoasa(config)# hostname asa1
asa1(config)#
interface Command and Subcommands

[Diagram: GigabitEthernet0/0 (g0/0) toward the Internet, GigabitEthernet0/1 (g0/1), GigabitEthernet0/2 (g0/2).]

ciscoasa(config)#
interface {physical_interface[.subinterface] | mapped_name}
Enters configuration mode for the interface you specify

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)#
Assign an Interface Name: nameif Subcommand

[Diagram: g0/0 = outside, g0/1 = inside, g0/2 = dmz.]

ciscoasa(config-if)#
nameif if_name
Assigns a name to an interface on the security appliance. The name is case-sensitive and is what every later command refers to (nat, global, static, route, access-group, telnet, ssh).

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
Assign Interface IP Address: ip address Subcommand

[Diagram: GigabitEthernet0/0, interface name = outside, IP address = 192.168.1.2.]

ciscoasa(config-if)#
ip address ip_address [mask] [standby ip_address]
Assigns an IP address to each interface

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2 255.255.255.0
DHCP-Assigned Address

[Diagram: GigabitEthernet0/0, interface name = outside, IP address assigned by DHCP from the Internet side.]

ciscoasa(config-if)#
ip address dhcp [setroute]
Enables the DHCP client feature on the outside interface; setroute also installs the default route learned from the DHCP server

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address dhcp
Assign a Security Level: security-level Subcommand

[Diagram: GigabitEthernet0/0, interface name = outside, IP address = 192.168.1.2, security level = 0.]

ciscoasa(config-if)#
security-level number
Assigns a security level (0 to 100) to the interface; the outside interface is normally 0 and the inside interface 100

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2
asa1(config-if)# security-level 0
Interfaces with Same Security Level: same-security-traffic Command

[Diagram: GigabitEthernet0/2, security level 100, interface name = dmz; GigabitEthernet0/1, security level 100, interface name = inside.]

ciscoasa(config)#
same-security-traffic permit {inter-interface | intra-interface}
Enables communication between interfaces with the same security level (inter-interface) or allows traffic to enter and exit the same interface (intra-interface). Without it, traffic between two interfaces at the same security level is dropped.

asa1(config)# same-security-traffic permit inter-interface
Assign an Interface Speed and Duplex: speed and duplex Subcommands

[Diagram: GigabitEthernet0/0, speed = 1000, duplex = full.]

ciscoasa(config-if)#
speed {10 | 100 | 1000 | auto | nonegotiate}
duplex {auto | full | half}
Set the interface speed and duplex

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2
asa1(config-if)# security-level 0
asa1(config-if)# speed 1000
asa1(config-if)# duplex full
ASA Management Interface

[Diagram: Management0/0 (m0/0) alongside g0/0, g0/1, g0/2; management-only = no.]

ciscoasa(config-if)#
management-only
Configures an interface to accept management traffic only (no through traffic)

no management-only
Disables management-only mode (for the ASA 5520, 5540 and 5550). Management0/0 is management-only by default; once disabled, the port carries through traffic like any other data interface, so only do this deliberately.

asa1(config)# interface management0/0
asa1(config-if)# no management-only

Enabling and Disabling Interfaces: shutdown Subcommand

[Diagram: GigabitEthernet0/0, enabled.]

ciscoasa(config-if)#
shutdown
Disables an interface; no shutdown enables it. Physical interfaces are shut down by default.

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# no shutdown
Network Address Translation

[Diagram: inside host 10.0.0.11 (local) is translated to 192.168.0.20 from the outside mapped pool; translation table entry 192.168.0.20 paired with 10.0.0.11.]

Enable NAT Control

[Diagram: the same topology with NAT control enabled.]

Enables or disables the requirement that every host crossing the security appliance has a matching translation rule. With nat-control, inside hosts with no matching nat or static entry are dropped. Without it (the default on 7.0 and later), untranslated traffic passes and is subject only to the security-level and ACL checks.

asa1(config)# nat-control
nat Command

[Diagram: inside host 10.0.1.11 is translated to X.X.X.X when reaching the Internet.]

ciscoasa(config)#
nat (if_name) nat_id address [netmask] [dns]
Enables IP address translation for the listed local addresses; nat_id ties the rule to the global pool with the same ID

asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0

global Command

[Diagram: inside host 10.0.1.11 is translated to 192.168.1.20.]

ciscoasa(config)#
global (if_name) nat_id {mapped_ip[-mapped_ip] [netmask mapped_mask]} | interface
Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall, for example, from the range 192.168.1.20-192.168.1.254; the interface keyword uses the outside interface address with PAT instead

asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0
asa1(config)# global (outside) 1 192.168.1.20-192.168.1.254
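The nat and global commands above cover the simple case. The configuration below is an added example (not from the course slides) in the same pre-8.3 nat/global syntax, showing what happens around the edges: the pool running out, a DMZ host that must be reachable from outside, and inside-to-DMZ traffic that would otherwise be dropped under nat-control because no pool exists for that direction. The addresses follow the lesson topology; the DMZ host 172.16.1.2, its public address 192.168.1.9 and the second pool are assumptions.

```cisco
! Added example, not part of the course material. Addresses beyond the
! lesson topology are assumptions.
!
! Require a translation for every host that crosses the appliance
nat-control
!
! Dynamic NAT: inside hosts take one-to-one addresses from the pool.
! nat_id 1 ties the nat statement to every global with the same ID.
nat (inside) 1 10.0.1.0 255.255.255.0
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
!
! Fallback: when the 235-address pool is exhausted, further hosts share
! the outside interface address with PAT instead of being dropped.
! The pool is consumed first, then the PAT address.
global (outside) 1 interface
!
! Static (bidirectional) translation for a DMZ server so the outside
! can reach it at a fixed address. An inbound ACL is still required.
static (dmz,outside) 192.168.1.9 172.16.1.2 netmask 255.255.255.255
!
! DMZ hosts reaching the Internet get their own pool under nat_id 2
nat (dmz) 2 172.16.1.0 255.255.255.0
global (outside) 2 192.168.1.10-192.168.1.19 netmask 255.255.255.0
!
! Inside-to-DMZ: with nat-control there is no global on dmz for
! nat_id 1, so these flows would fail with "no translation group
! found". An identity static keeps the real inside addresses, which is
! also what you want to see in the DMZ server logs.
static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
!
! Verification
show run nat
show run global
show run static
show xlate
show xlate count
```

Order matters when several rules could match a packet: static entries win over dynamic nat, and the appliance matches the most specific nat statement for an interface; clear xlate after changing a rule so stale translation slots do not keep old mappings alive.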
Configure a Static Route: route Command

[Diagram: default route via 192.168.1.1 on the outside; static route to 10.1.1.0/24 via the inside router 10.0.1.102.]

ciscoasa(config)#
route if_name ip_address netmask gateway_ip [metric]
Defines a static or default route for an interface

asa1(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
asa1(config)# route inside 10.1.1.0 255.255.255.0 10.0.1.102 1
Host Name-to-IP-Address Mapping: name Command

[Diagram: "bastionhost" 172.16.1.2 on the 172.16.1.0 (dmz) network; "insidehost" 10.0.1.11 on the 10.0.1.0 (inside) network.]

ciscoasa(config)#
name ip_address name
Configures a list of name-to-IP-address mappings on the security appliance (name use must first be enabled with the names command)

asa1(config)# names
asa1(config)# name 172.16.1.2 bastionhost
asa1(config)# name 10.0.1.11 insidehost
Configuration Example

[Diagram: outside 192.168.1.0 (.2 on g0/0), inside 10.0.1.0 (.1 on g0/1), 10.1.1.0 behind the inside router, dmz 172.16.1.0 (.1 on g0/2).]
GigabitEthernet0/0: interface name = outside, security level = 0, IP address = 192.168.1.2
GigabitEthernet0/1: interface name = inside, security level = 100, IP address = 10.0.1.1

asa1(config)# write terminal
. . .
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
. . .

Configuration Example (Cont.)

GigabitEthernet0/2: interface name = dmz, security level = 50, IP address = 172.16.1.1; "bastionhost" 172.16.1.2 on the dmz network; "insidehost" 10.1.1.11 on the 10.1.1.0 network

interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 speed 1000
 duplex full
 ip address 172.16.1.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
hostname asa1
names
name 172.16.1.2 bastionhost
name 10.1.1.11 insidehost

(2KFQnbNIdI.2KYOU is the factory-default hash of the Telnet password cisco; change it before the appliance goes into service.)

Configuration Example (Cont.)

[Diagram: default route to 192.168.1.1 on the outside; static route to 10.1.1.0 via 10.0.1.102 on the inside; mapped pool 192.168.1.20-254 for the 10.0.0.0 local addresses.]

nat-control
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.168.1.20-192.168.1.254
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.1.1.0 255.255.255.0 10.0.1.102 1
Summary
 Cisco security appliances have four main administrative access modes:
unprivileged, privileged, configuration, and monitor.
 There are two configuration memories in the Cisco security appliances:
running configuration and startup configuration.
 The show running-config command displays the current configuration in
the security appliance RAM on the terminal.
 You can use the copy run start or the write memory command to save the
current running configuration to flash memory, startup configuration.
 Interfaces with a higher security level can access interfaces with a lower
security level, but interfaces with a lower security level cannot access
interfaces with a higher security level unless given permission.
 The security appliance show commands help you manage the security
appliance.
 The basic commands that are necessary to configure Cisco security
appliances are the following: interface, nat, global, and route.
 The nat and global commands work together to translate IP addresses.
Lesson 3

Managing the Security Appliance
Managing System Access
Configuring Telnet Access to the Security Appliance Console

[Diagram: host 10.0.0.11 on the inside opens a Telnet session to the appliance.]

ciscoasa(config)#
telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
Enables you to specify which hosts can access the security appliance console with Telnet and set the maximum time a console Telnet session can be idle before being logged off by the security appliance. Telnet is not accepted on the lowest-security (outside) interface unless the session arrives inside an IPsec tunnel, and it is cleartext, so prefer SSH.

ciscoasa(config)#
passwd password [encrypted]
Sets the login password for Telnet (and, by default, SSH) access to the security appliance

asa1(config)# telnet 10.0.0.11 255.255.255.255 inside
asa1(config)# telnet timeout 15
asa1(config)# passwd telnetpass

Viewing and Disabling Telnet

ciscoasa#
show running-config telnet [timeout]
Displays the IP addresses permitted to access the security appliance via Telnet

ciscoasa(config)#
clear configure telnet
Removes all Telnet host entries and the idle timeout from the configuration

ciscoasa#
who [local_ip]
Enables you to view which IP addresses are currently accessing the security appliance console via Telnet

ciscoasa#
kill telnet_id
Terminates a Telnet session
SSH Connections to the Security Appliance

SSH connections to the security appliance:
 Provide secure remote access
 Provide strong authentication and encryption
 Require RSA key pairs for the security appliance
 Require 3DES/AES or DES activation keys
 Allow up to five SSH clients to simultaneously access the security appliance console
 Use the Telnet password for local authentication (with the username pix) unless AAA authentication is configured

Configuring SSH Access to the Security Appliance Console

ciscoasa(config)#
crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]
Removes any previously generated RSA keys

ciscoasa(config)#
crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
Generates an RSA key pair

ciscoasa(config)#
write memory
Saves the key pair to flash (keys are not part of the running configuration)

ciscoasa(config)#
ssh {ip_address mask | ipv6_address/prefix} interface
Specifies the host or network authorized to initiate an SSH connection

ciscoasa(config)#
domain-name name
Configures the domain name (together with the hostname it identifies the key pair)

ciscoasa(config)#
ssh timeout number
Specifies how long a session can be idle before being disconnected

Connecting to the Security Appliance with an SSH Client

[Diagram: SSH client 172.26.26.50 on the outside connects with username pix and the Telnet password.]

asa1(config)# crypto key zeroize rsa
asa1(config)# write memory
asa1(config)# domain-name cisco.com
asa1(config)# crypto key generate rsa modulus 1024
asa1(config)# write memory
asa1(config)# ssh 172.26.26.50 255.255.255.255 outside
asa1(config)# ssh timeout 30
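The sequence above gets SSH working with a 1024-bit key, the shared pix user and the Telnet password. The configuration below is an added example (not from the course slides) of the same setup hardened the way it would be deployed: a 2048-bit key, SSH version 2 only, a local administrator account behind AAA, access restricted to the management subnet on an inside-facing interface, and Telnet removed. The username, password, subnet and timeout are assumptions.

```cisco
! Added example, not part of the course material. Username, password,
! subnet and timeout values are assumptions.
!
hostname asa1
domain-name cisco.com
!
! Start from a clean key pair; 2048-bit RSA instead of 1024
crypto key zeroize rsa noconfirm
crypto key generate rsa modulus 2048 noconfirm
!
! Accept SSH version 2 only (the default accepts both 1 and 2)
ssh version 2
!
! Authenticate SSH and enable against a local account instead of the
! shared "pix" user and the Telnet password. Create the user first and
! keep the console session open until the new login has been tested.
username admin password Str0ngPassw0rd privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! Allow SSH only from the management subnet on the inside interface,
! never "ssh 0 0 outside"; drop idle sessions after 10 minutes
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 10
!
! Telnet is cleartext: remove every Telnet host entry
clear configure telnet
!
! The key pair lives in flash, not in the running config: save it
write memory
!
! Verification
show crypto key mypubkey rsa
show running-config ssh
show running-config aaa
show ssh sessions
```

Once aaa authentication ssh console LOCAL is in place, a failed or missing username entry locks you out of SSH, which is why the usage order is username first, AAA second, test third, and only then close the console.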
Managing Software, Licenses, and Configurations
Viewing Directory Contents

[Diagram: admin host 10.0.0.11 and server 10.0.0.3 on the inside; outside network 192.168.0.0.]

ciscoasa#
dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]
Displays the directory contents

asa1# dir
Directory of disk0:/
4346  -rw-  8202240  15:01:10 Oct 19 2006  asa721-k8.bin
6349  -rw-  5539756  15:30:39 Oct 19 2006  asdm521.bin
7705  -rw-     3334  07:03:57 Oct 22 2006  old_running.cfg
62947328 bytes total (29495296 bytes free)

You can use the pwd command to display the current working directory.

Copying Files

ciscoasa#
copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}
Copies a file from one location to another

asa1# copy disk0:MYCONTEXT.cfg startup-config
Copies the file MYCONTEXT.cfg from disk0 to the startup configuration
Downloading and Backing Up Configuration Files Example

[Diagram: FTP server 10.0.0.3 on the inside network; the appliance copies its configuration to and from it.]

ciscoasa#
copy ftp: startup-config
Copies a configuration file from an FTP server to the startup configuration

ciscoasa#
copy running-config ftp:
Copies the running configuration to an FTP server. FTP carries the credentials and the file (including password hashes and pre-shared keys) in cleartext, so use it only on a trusted management network.
Image Upgrade

Viewing Version Information

(Figure: administrator host 10.0.0.11 queries the software version of the security appliance; server 10.0.0.3 across the Internet)

ciscoasa#
show version

Displays the software version, hardware configuration, license key, and related uptime data

asa1# show version

Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)

Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"

asa1 up 17 hours 40 mins . . .
Image Upgrade

(Figure: the security appliance pulls a new image from the TFTP server at 10.0.0.3 across the Internet; administrator host 10.0.0.11)

ciscoasa#
copy tftp://server[/path]/filename flash:/filename

Enables you to change software images without accessing the TFTP monitor mode.

asa1# copy tftp://10.0.0.3/asa721-k8.bin flash

The TFTP server at IP address 10.0.0.3 receives the request and resolves the actual file location relative to its root directory. The server then sends the image to the security appliance, which writes it to flash.
Summary

• SSH provides secure remote management of the security appliance.
• TFTP is used to upgrade the software image on security appliances.
• You can enable Telnet to the security appliance on all interfaces.
Lesson 4

Access Control Lists (ACLs)

Security Appliance ACL Configuration

(Figure: outside and inside interfaces of the security appliance; an ACL for inbound access on the outside interface and an ACL for outbound access on the inside interface. With no ACL, outbound traffic is permitted by default and inbound traffic is denied by default.)

Security appliance configuration philosophy is interface-based.
An interface ACL permits or denies the initial incoming and outgoing packets on that interface.
An ACL must describe only the initial packet of the application; return traffic does not need to be described.
If no ACL is attached to an interface:
• The outbound packet is permitted by default.
• The inbound packet is denied by default.
Inbound Traffic to DMZ Web Server

(Figure: public web server on the DMZ; inbound traffic from the Internet through the outside interface is blocked; inside network 10.0.1.0, outside network 192.168.1.0)

There is no ACL, so by default, inbound access is denied.

To permit inbound traffic, complete the following steps:
• Configure a static translation for the web server address.
• Configure an inbound ACL.
• Apply the ACL to the outside interface.
Create a Static Translation for Web Server

(Figure: the DMZ web server 172.16.1.2 is reachable from the Internet as 192.168.1.9 on the outside interface; inside network 10.0.1.0)

asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0

Maps an inside private address to an outside public address: the mapped (outside) address 192.168.1.9 is given first and the real DMZ address 172.16.1.2 second.
access-list Command

(Figure: inbound HTTP from the Internet is permitted to the public web server, 172.16.1.2 on the DMZ, translated to 192.168.1.9)

ciscoasa(config)#
access-list id [line line-number] [extended] {deny | permit}
    {protocol | object-group protocol_obj_grp_id}
    {host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any}
    [operator port [port] | object-group service_obj_grp_id]
    {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any}
    [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id]
    [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www

Permits outside HTTP traffic to access the public web server
access-group Command

(Figure: the ACL is applied to the outside interface, in front of the DMZ web server and the inside network 10.0.1.0)

ciscoasa(config)#
access-group access-list {in | out} interface interface_name [per-user-override]

Applies an ACL to an interface

asa1(config)# access-group ACLOUT in interface outside
show access-list Command

(Figure: ACLOUT applied on the outside interface, ACLIN on the inside interface and ICMPDMZ on the DMZ; host 192.168.6.10 on the Internet, outside network 192.168.1.0)

asa1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ACLOUT; 4 elements
access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=4) 0x984ebd70
access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=1) 0x53490ecd
access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=8) 0x83af39ca
access-list ACLOUT line 4 extended deny ip any any (hitcnt=4) 0x2ca30385
access-list ICMPDMZ; 1 elements
access-list ICMPDMZ line 1 extended permit icmp host bastionhost any echo-reply
clear access-list counters Command

(Figure: web server 172.16.1.2 published as 192.168.1.9; host 192.168.6.10 on the Internet; ACLOUT on the outside interface, ACLIN on the inside interface)

asa1(config)# clear access-list ACLOUT counters

asa1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ACLOUT; 4 elements
access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=0) 0x984ebd70
access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=0) 0x53490ecd
access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0) 0x83af39ca
access-list ACLOUT line 4 extended deny ip any any (hitcnt=0) 0x2ca30385
ACL Logging

(Figure: ACL syslog messages are sent from the security appliance to a syslog server)

ciscoasa(config)#
access-list id [line line-number] [extended] {deny | permit}
    {protocol | object-group protocol_obj_grp_id}
    {host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any}
    [operator port [port] | object-group service_obj_grp_id]
    {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any}
    [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id]
    [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

asa1(config)# access-list OUTSIDE-ACL permit icmp any host 192.168.1.11 log 7 interval 600

Enables the logging option for inbound ICMP to 192.168.1.11: matches are logged at syslog level 7 (debugging), and the repeat message for an existing flow is sent at most every 600 seconds.
ACL Comments

ciscoasa(config)#
access-list id [line line-number] remark text

Inserts an ACL comment

asa1(config)# access-list ACLOUT line 2 remark WebMailA access-list

asa1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ACLOUT; 6 elements
access-list ACLOUT line 1 extended permit tcp any host 192.168.1.7 eq www (hitcnt=0) 0x3df6ed1e
access-list ACLOUT line 2 remark WebMailA access-list
access-list ACLOUT line 3 extended permit tcp any host 192.168.1.8 eq www (hitcnt=0) 0xd5383eba
access-list ACLOUT line 4 extended permit tcp any host 192.168.1.9 eq www (hitcnt=0) 0x2c4288ad
access-list ACLOUT line 5 extended permit tcp any host 192.168.1.10 eq www (hitcnt=0) 0xb70c935b
access-list ACLOUT line 6 extended permit tcp any host 192.168.1.11 eq www (hitcnt=0) 0x8b43382e

The remark is inserted at line 2, so the entry that was formerly line 2 is now line 3 and the later entries are renumbered accordingly.
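Reading hit counters by eye across the listings above (the first show access-list output, the cleared counters, and the renumbered list after a remark) does not scale, so here is a small parser for that output format. This is an added example in Python, not part of the course material or of Cisco's tooling; the sample text is the lesson's own output re-typed as a string, and the helper names are assumptions.

```python
"""Parse 'show access-list' output and summarize hit counters (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One entry: "access-list <id> line <n> <body> (hitcnt=<n>) 0x<hash>". Counter and hash are
# optional because the ICMPDMZ entry in this lesson's output prints neither.
ENTRY_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.*?)"
    r"(?: ?\(hitcnt=(?P<hits>\d+)\))? ?(?P<hash>0x[0-9a-f]+)?$")

@dataclass
class Entry:
    acl: str
    line: int
    action: str              # "permit", "deny" or "remark"
    body: str                # e.g. "extended permit tcp any host 192.168.1.9 eq www"
    hits: Optional[int]      # None when the appliance prints no hitcnt
    ace_hash: Optional[str]

def parse_show_access_list(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:            # header, alert-interval and "access-list X; N elements" lines
            continue
        body = m["body"].strip()
        action = next((w for w in body.split() if w in ("permit", "deny", "remark")), "unknown")
        entries.append(Entry(m["acl"], int(m["line"]), action, body,
                             int(m["hits"]) if m["hits"] else None, m["hash"]))
    return entries

def unused_permits(entries: List[Entry]) -> List[Entry]:
    """Permit entries still at hitcnt=0, e.g. after a 'clear access-list counters' baseline."""
    return [e for e in entries if e.action == "permit" and e.hits == 0]

def deny_hits(entries: List[Entry], acl: str) -> int:
    """Packets dropped by this ACL's explicit deny entries since the counters were cleared."""
    return sum(e.hits or 0 for e in entries if e.acl == acl and e.action == "deny")

# Constructed sample: the show access-list output reproduced in this lesson.
SAMPLE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ACLOUT; 4 elements
access-list ACLOUT line 1 extended permit tcp 192.168.6.0 255.255.255.0 host 192.168.1.11 eq www (hitcnt=4) 0x984ebd70
access-list ACLOUT line 2 extended permit tcp host 192.168.6.10 host 192.168.1.11 eq ftp (hitcnt=1) 0x53490ecd
access-list ACLOUT line 3 extended permit tcp any host 192.168.1.9 eq www (hitcnt=8) 0x83af39ca
access-list ACLOUT line 4 extended deny ip any any (hitcnt=4) 0x2ca30385
access-list ICMPDMZ; 1 elements
access-list ICMPDMZ line 1 extended permit icmp host bastionhost any echo-reply
"""
```

A non-zero count on the final deny entry is the quickest sign that something is reaching the outside interface that no permit covers, which is where the logging option above becomes useful.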
Inbound HTTP Access Solution

(Figure: inbound HTTP from the Internet to the DMZ web server 172.16.1.2, published as 192.168.1.9 on the outside interface; inside network 10.0.1.0)

asa1(config)# static (DMZ,outside) 192.168.1.9 172.16.1.2 0 0
asa1(config)# access-list ACLOUT permit tcp any host 192.168.1.9 eq www
asa1(config)# access-group ACLOUT in interface outside

Permits outside HTTP traffic to access the public web server
icmp Command

(Figure: ICMP echo from the Internet to the outside interface is blocked; ICMP unreachable messages are accepted)

ciscoasa(config)#
icmp {permit | deny} {host sip | sip smask | any} [icmp-type] if_name

Enables or disables pinging to an interface

asa1(config)# icmp permit any echo-reply outside
asa1(config)# icmp permit any unreachable outside

Permits all unreachable messages at the outside interface and denies all ping requests at the outside interface. As soon as one icmp rule exists for an interface, ICMP types that no rule permits are denied, which is why echo requests are dropped here without an explicit deny entry.
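The decision rules this lesson describes (no ACL on an interface: outbound permitted, inbound denied; with an ACL: first match in line order and an implicit deny at the end; icmp command: all ICMP to the interface accepted until the first rule exists) as a small model in Python. This is an added example, not Cisco code; the ACLOUT entries and the two icmp rules are taken from this lesson, and the packet dictionaries and helper names are assumptions.

```python
"""Model of the ACL decision rules described in this lesson (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", "icmp" or "ip" ("ip" matches any protocol)
    src: str                         # "any", "host A.B.C.D" or "A.B.C.D M.M.M.M", as on the CLI
    dst: str = "any"
    dport: Optional[int] = None      # "eq <port>" on tcp/udp entries
    icmp_type: Optional[str] = None  # "echo", "echo-reply", "unreachable", ...

def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    # "host 192.168.1.9" -> 192.168.1.9/32; "192.168.6.0 255.255.255.0" -> 192.168.6.0/24
    return ip_address(addr) in ip_network(spec.replace("host ", "").replace(" ", "/"), strict=False)

def _matches(ace: Ace, pkt: Dict) -> bool:
    return (ace.protocol in ("ip", pkt["protocol"])
            and _addr_matches(ace.src, pkt["src"]) and _addr_matches(ace.dst, pkt["dst"])
            and (ace.dport is None or ace.dport == pkt.get("dport"))
            and (ace.icmp_type is None or ace.icmp_type == pkt.get("icmp_type")))

def first_match(aces: List[Ace], pkt: Dict) -> str:
    """Entries are evaluated in line order; a non-empty list ends in an implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny"

def interface_acl_decision(acl: Optional[List[Ace]], direction: str, pkt: Dict) -> str:
    """Initial packet of a flow on an interface; acl is None when no access-group is applied.
    Return traffic of a permitted flow is matched by the connection table, not by the ACL."""
    if acl is None:
        return "permit" if direction == "outbound" else "deny"
    return first_match(acl, pkt)

def icmp_to_interface_decision(rules: List[Ace], pkt: Dict) -> str:
    """icmp command: with no rules, every ICMP type sent to the interface is accepted."""
    return "permit" if not rules else first_match(rules, pkt)

# Constructed from the ACLOUT entries and the two icmp commands shown in this lesson.
ACLOUT = [
    Ace("permit", "tcp", "192.168.6.0 255.255.255.0", "host 192.168.1.11", dport=80),
    Ace("permit", "tcp", "host 192.168.6.10", "host 192.168.1.11", dport=21),
    Ace("permit", "tcp", "any", "host 192.168.1.9", dport=80),
    Ace("deny", "ip", "any", "any"),
]
ICMP_OUTSIDE = [Ace("permit", "icmp", "any", icmp_type="echo-reply"),
                Ace("permit", "icmp", "any", icmp_type="unreachable")]
```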
Summary

• ACLs enable you to determine which systems can establish connections through your security appliance.
• With ICMP ACLs, you can disable pinging to a security appliance interface so that your security appliance cannot be detected on your network.
Lesson 5

Cisco Adaptive Security Device Manager

ASDM Overview and Operating Requirements

What Is ASDM?

(Figure: ASDM on a management host reaches the security appliance across the Internet through an SSL secure tunnel)

ASDM is a browser-based configuration tool designed to help configure and monitor your security appliance.
ASDM Features

• Runs on a variety of platforms
• Implemented in Java to provide robust, real-time monitoring
• Works with SSL to ensure secure communication with the PIX security appliance
• Comes preloaded in flash memory on new Cisco ASA and Cisco PIX security appliances running Versions 7.2 and later
• ASDM sessions
  – 5 ASDM sessions per unit (single mode) or context (multiple mode)
  – 32 sessions per unit in multiple mode
• Operates on PIX 515E, 525, and 535* Security Appliances
• Operates on Cisco ASA 5505, 5510, 5520, 5540, and 5550 Security Appliances

* ASDM Version 5.2 is not supported on the PIX 501 or 506 Security Appliance.
ASDM Security Appliance Requirements

A security appliance must meet the following requirements to run ASDM:
• Activation key that enables DES or 3DES
• Supported Java plug-in
• Security appliance software version compatible with the ASDM software version you plan to use*
• Hardware model compatible with the ASDM software version you plan to use

* ASDM Version 5.2 requires Security Appliance Software Version 7.2.
ASDM Browser Requirements

To access ASDM from a browser, the following requirements must be met:
• JavaScript and Java must be enabled on the computer where the browser resides.
• SSL must be enabled in the browser.

Popup blockers may prevent ASDM from starting.

Supported Platforms

• Windows
• Sun Solaris
• Linux
Running ASDM

Run ASDM as a:
• Local application
• Java applet

(Figure: the ASDM launcher, with the option to launch the Startup Wizard)
Configure the Security Appliance to Use ASDM

Before you can use ASDM, you need to enter the following information on the security appliance via a console terminal:
• Time
• Inside IP address
• Inside network mask
• Host name
• Domain name
• Enable the HTTP server on the security appliance
• IP addresses of hosts authorized to access the HTTP server

If more than one ASDM image is stored in the flash memory of your security appliance, also specify the ASDM image to be used.
Setup Dialog

Pre-configure Firewall now through interactive prompts [yes]? <Enter>
Firewall Mode [Routed]:
Enable Password [<use current password>]: cisco123
Allow password recovery [yes] ?
Clock (UTC)
  Year [2006]: <Enter>
  Month [Sep]: <Enter>
  Day [2]: <Enter>
  Time [10:21:49]: <Enter>
Inside IP address: 10.0.1.1
Inside network mask: 255.255.255.0
Host name: asa1
Domain name: ciscoasa.com
IP address of host running Device Manager: 10.0.1.11
Use this configuration and write to flash? Y
Navigating ASDM Configuration Windows

ASDM Home Window

(Figure: the ASDM Home window, with the menu bar and main toolbar at the top and panels for Device Information (General, License), Interface Status, VPN Status, Traffic Status, System Resources Status and Syslog Messages)
ASDM Home Window (Cont.)

(Figure: the License tab of the Device Information panel)

Startup Wizard

• Interfaces
• NAT and PAT
• Hostname
• Domain name
• Enable password

VPN Wizard

• Site-to-Site
• Remote Access

Note: Use Configuration > VPN to edit VPN connections.

High Availability and Scalability Wizard

• Active/Active Failover
• Active/Standby Failover
• VPN Cluster Load Balancing
Configuration Window

Configuration:
• Interface
• Security Policy
• NAT
• VPN
• IPS or CSD Manager
• Routing
• Global Objects
• Properties

Interfaces

• IP address
  – Static
  – DHCP
• Same security level

Security Policy

• Access Rules
• AAA Rules
• Filter Rules
• Service Policy Rules

NAT

• Translation Rules
  – NAT
  – Policy NAT
  – NAT exemption
  – Maximum connections
  – Embryonic connections
• NAT0
VPN

Edit VPN:
• General
• IKE
• IPsec
• IP Address Management
• Load Balancing
• NAC
• WebVPN
• E-Mail Proxy

Note: Use the Remote Access or Site-to-Site VPN Wizard for new VPN connections.

Routing

• Static Routes
• Dynamic Routing
  – OSPF
  – RIP
• Multicast
  – IGMP
  – MRoute
  – PIM
• Proxy ARPs

Global Objects

• Network Object Groups
• IP Names
• Service Groups
• Class Maps
• Inspect Maps
• Regular Expressions
• TCP Maps
• Time Ranges
Monitoring Button

• Interfaces
• VPN
• IPS or Trend Micro Content Security
• Routing
• Properties
• Logging

Interface Graphs Panel

The Interface Graphs panel enables you to monitor per-interface statistics, such as bit rates, for each enabled interface on the security appliance.

Packet Tracer

(Figure: the Packet Tracer tool. Inputs: interface, source IP, destination IP, source port, destination port. Trace phases shown: flow lookup, route lookup, access list.)
Options > Preferences

(Figure: the Options menu with its Preferences entry)

Tools

Tools menu:
• Command Line Interface
• Packet Tracer
• Ping
• Traceroute
• File Management
• Upgrade Software
• Upload ASDM Assistant Guide
• System Reload
• ASDM Java Console

Help

Help menu:
• Help Topics
• Help for Current Screen
• Release Notes
• Getting Started
• VPN 3000 Migration Guide
• Glossary
• …

Online Help

(Figure: the ASDM online help window)
Summary

• ASDM is a browser-based tool used to configure your security appliance.
• Minimal setup on the security appliance is required to run ASDM.
• ASDM contains several tools in addition to the GUI to help you configure your security appliance.
• The following ASDM wizards are available to simplify security appliance configuration:
  – Startup Wizard: Walks you step by step through the initial configuration of the security appliance
  – VPN Wizard: Walks you step by step through the creation of site-to-site and remote access VPNs
  – High Availability and Scalability Wizard: Walks you step by step through the configuration of active/active failover, active/standby failover, and VPN cluster load balancing
Lesson 6

Firewall Switch Modules (FWSM)

Overview

• The Cisco Firewall Services Module (FWSM) is based on Cisco PIX Security Appliance technology, and therefore offers the same security and reliability.
• The FWSM is a line card for the Cisco Catalyst 6500 family of switches and the Cisco 7600 Series Internet routers.
FWSM Key Features

• Brings switching and firewalls into a single chassis
• Based on PIX Firewall technology
• Supports transparent or routed firewall mode
• Up to 100 security contexts
  – Up to 256 VLANs per context
  – Up to 1000 VLANs across all contexts
• 5-Gbps throughput
• One million concurrent connections
• 100,000 connections per second
• Multiple blades supported in one chassis (4 maximum)
• Dynamic routing via RIP v1 and v2 and OSPF
• High availability via intra- or inter-chassis stateful failover

FWSM and PIX Firewall Feature Comparison

(Figure: FWSM and PIX Firewall feature comparison table)

Network Model

(Figure: FWSM network model)

MSFC placement

(Figure: MSFC placement relative to the FWSM)
Getting Started with the FWSM

Before you can begin configuring the FWSM, complete the following tasks:
• Verify FWSM installation.
• Configure the switch VLANs.
• Configure the FWSM VLANs.

Verify FWSM Installation

(Figure: switch output verifying the FWSM installation)

Configure the Switch VLANs

Create VLAN
Defines a controlled VLAN on the MSFC. Assigns an IP address.

Firewall VLAN-Group
Creates a firewall group of controlled VLANs.
Attaches the VLAN and firewall group to the slot where the FWSM is located.

Configure the FWSM Interfaces

Establishes a console session with the module. Processor should always be 1.

Configure a Default Route

• Default route
• Static routes are required in multiple context mode.
Configure the FWSM Access-List

FWSM1(config)# access-list 200 permit ip 10.1.1.0 255.255.255.0 any
FWSM1(config)# access-group 200 in interface inside

By default all traffic is denied through the FWSM, unlike the security appliance default described in Lesson 4, where outbound traffic is permitted when no ACL is attached; an ACL is therefore needed even on the inside interface.
• Traffic permitted into an interface can exit through any other interface.
Resetting and Rebooting the FWSM

(Figure: switch command that resets and reboots the FWSM)

Summary

• The FWSM is a line card for the Cisco Catalyst 6500 family of switches and the Cisco 7600 Series Internet routers.
• The FWSM is a high-performance firewall solution based on PIX Firewall Security Appliance technology.
• The FWSM supports transparent and routed firewall modes.
• The FWSM commands are almost identical to security appliance commands.
• PDM can be used to configure and monitor the FWSM.