236 47 69MB
English Pages 752 Year 2009
Cisco ASA Configuration ®
ABOUTTHEAUTHOR Forovertenyears,RichardDealhasoperatedhisowncompany,TheDealGroupInc., inOviedo,Florida,eastofOrlando.Richardhasover20yearsofexperienceinthecomputing and networking industry including networking, training, systems administration,andprogramming.InadditiontoaBSinMathematicsfromGroveCityCollege, heholdsmanycertificationsfromCiscoandhastaughtmanybeginningandadvanced Ciscoclasses.ThisbookreplacesRichard’sCiscoPIXFirewalls(2002),anin-depthbook onCisco’sPIXfirewallsandtheirimplementation,publishedbyMcGraw-HillProfessional.RichardhasalsowrittentworevisionsfortheCCNAcertificationforMcGrawHill,CCNACiscoCertifiedNetworkAssociateStudyGuide(2008)andwillbefinishinghis bookfortheCCNASecuritycertificationinmid-2009:CCNACiscoCertifiedNetworkAssociateSecurityStudyGuide.RichardisalsotheauthoroftwobookswithCiscoPress:The CompleteCiscoVPNConfigurationGuide(2005)andCiscoRouterFirewallSecurity(2004), namedaCiscoCCIESecurityrecommendedreading.Inall,Richardhasmorethanten booksunderhisbelt. Richardalsoperiodicallyholdsboot-campclassesontheCCNAandCCSP,which providehands-onconfigurationofCiscorouters,switches,andsecuritydevices.
AbouttheTechnicalEditor Ryan Lindfield has worked in IT since 1996 and is currently teaching Cisco certificationcoursesatBosonTrainingandconsultingforWestchaseTechnologies.Ryanholds severalcertificationsincludingCCSP,CISSP,CEH,GCFA,CCSI,andMCSEandenjoys vulnerabilityresearchandexploringthelatesttrendsinsecuritytechnologies.Helives inTampa,Florida,withhiswife,Desiree,andhisdog,Logan.
Cisco ASA Configuration ®
RICHARDA.DEAL
NewYorkChicagoSanFrancisco LisbonLondonMadridMexicoCityMilan NewDelhiSanJuanSeoulSingaporeSydneyToronto
Copyright © 2009 by The McGraw-Hill Companies. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. ISBN: 978-0-07-162268-4 MHID: 0-07-162268-3 The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-162269-1, MHID: 0-07-162269-1. All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at [email protected]. Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information. TERMS OF USE This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
Idedicatethisbooktomytwodaughters,thelovesofmylife: AlinaandNika.Maylifebringyoulove,health,andhappiness.
This page intentionally left blank
AT A GLANCE PartI
▼ ▼ ▼ ▼
1 2 3 4
PartII ▼ ▼ ▼ ▼ ▼
5 6 7 8 9
IntroductiontoASASecurityAppliances andBasicConfigurationTasks ASAProductFamily . . . . . . . . . . . . . . . . . . . 3 CLIBasics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 BasicASAConfiguration . . . . . . . . . . . . . . . . 45 RoutingandMulticasting . . . . . . . . . . . . . . . 75 ControllingTrafficThroughtheASA AddressTranslation . . . . . . . . . . . . . . . . . . AccessControl . . . . . . . . . . . . . . . . . . . . . . WebContent . . . . . . . . . . . . . . . . . . . . . . . . CTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
105 151 189 207 233
vii
viii
Cisco ASA Configuration
PartIII ▼ ▼ ▼ ▼ ▼
10 11 12 13 14
PartIV ▼ ▼ ▼ ▼ ▼ ▼
15 16 17 18 19 20
PartV ▼ ▼ ▼ ▼ ▼
21 22 23 24 25
PolicyImplementation ModularPolicyFramework . . . . . . . . . . . . ProtocolsandPolicies . . . . . . . . . . . . . . . . . DataApplicationsandPolicies . . . . . . . . . . VoiceandPolicies . . . . . . . . . . . . . . . . . . . . MultimediaandPolicies . . . . . . . . . . . . . . .
247 277 295 327 347
VirtualPrivateNetworks(VPNs) IPSecPhase1 . . . . . . . . . . . . . . . . . . . . . . . IPSecSite-to-Site . . . . . . . . . . . . . . . . . . . . . IPSecRemoteAccessServer . . . . . . . . . . . . IPSecRemoteAccessClient . . . . . . . . . . . . SSLVPNs:Clientless . . . . . . . . . . . . . . . . . SSLVPNs:AnyConnectClient . . . . . . . . . .
371 395 409 441 451 487
AdvancedFeaturesoftheASA TransparentFirewall . . . . . . . . . . . . . . . . . . Contexts . . . . . . . . . . . . . . . . . . . . . . . . . . . Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . NetworkAttackPrevention . . . . . . . . . . . . SSMCards . . . . . . . . . . . . . . . . . . . . . . . . .
509 523 541 577 597
PartVI
ManagementoftheASA
▼ 26 ▼ 27
BasicManagementfromtheCLI . . . . . . . . 619 ASDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
▼
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
CONTENTS Foreword . . . . . . . Preface . . . . . . . . . Acknowledgments Introduction . . . .
.. .. . ..
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
xxiii . xxv xxvii . xxix
PartI IntroductiontoASASecurityAppliancesandBasicConfigurationTasks
▼ 1 ASAProductFamily . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 ASAFeatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . OperatingSystem . . . . . . . . . . . . . . . . . . . . SecurityAlgorithm . . . . . . . . . . . . . . . . . . . Redundancy . . . . . . . . . . . . . . . . . . . . . . . . AdvancedFeaturesoftheOperatingSystem ASAHardware . . . . . . . . . . . . . . . . . . . . . . . . . . ASAModels . . . . . . . . . . . . . . . . . . . . . . . . HardwareModules . . . . . . . . . . . . . . . . . . . Licensing . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . .
. . . . . .. .. .. ..
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
4 5 7 15 18 23 23 28 30
ix
x
Cisco ASA Configuration
▼ 2 CLIBasics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 AccesstotheAppliance . . . . . . . . . . . . . . . ConsoleAccess . . . . . . . . . . . . . . . . . OtherAccessMethods . . . . . . . . . . . CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ASABootupSequence . . . . . . . . . . . CLIModes . . . . . . . . . . . . . . . . . . . . ASAandRouterIOSCLIComparison
. . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
34 34 35 36 36 38 41
▼ 3 BasicASAConfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 SetupScript . . . . . . . . . . . . . . . . . . . BasicManagementCommands . . . . ViewingConfigurations . . . . . CopyCommands . . . . . . . . . . WriteCommands . . . . . . . . . . ClearCommands . . . . . . . . . . BasicConfigurationCommands . . . HostandDomainNames . . . . DeviceNames . . . . . . . . . . . . . Passwords . . . . . . . . . . . . . . . . LoginBanner . . . . . . . . . . . . . Interfaces . . . . . . . . . . . . . . . . DynamicAddressing . . . . . . . Management . . . . . . . . . . . . . . . . . . RemoteAccess . . . . . . . . . . . . ConnectivityTesting . . . . . . . . HardwareandSoftwareInformation VersionInformation . . . . . . . . MemoryUsage . . . . . . . . . . . . CPUUtilization . . . . . . . . . . . ASAConfigurationExample . . . . . .
.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. . .. .. .. ..
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . .
46 48 48 49 51 51 52 52 53 53 54 55 62 65 65 68 70 71 72 72 73
▼ 4 RoutingandMulticasting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 RoutingFeatures . . . . . . . . . . . . . . . . . . . RoutingRecommendations . . . . . . AdministrativeDistance . . . . . . . . . StaticRoutes . . . . . . . . . . . . . . . . . . RIP . . . . . . . . . . . . . . . . . . . . . . . . . OSPF . . . . . . . . . . . . . . . . . . . . . . . . EIGRP . . . . . . . . . . . . . . . . . . . . . . . MulticastFeatures . . . . . . . . . . . . . . . . . . MulticastTrafficandtheAppliances MulticastUsage . . . . . . . . . . . . . . .
.. .. .. .. .. .. .. .. . ..
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
. . . . . . . . . .
76 76 76 77 82 84 91 95 95 96
Contents
StubMulticastRouting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 PIMMulticastRouting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
PartII ControllingTrafficThroughtheASA
▼ 5 AddressTranslation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 ProtocolOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TCPOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . UDPOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ICMPOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . OtherProtocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ProtocolandApplicationIssues . . . . . . . . . . . . . . . . . . . . TranslationsandConnections . . . . . . . . . . . . . . . . . . . . . . . . . Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TCPConnectionExample . . . . . . . . . . . . . . . . . . . . . . . . AddressTranslationOverview . . . . . . . . . . . . . . . . . . . . . . . . PrivateAddresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NeedsforAddressTranslation . . . . . . . . . . . . . . . . . . . . ExamplesofAddressTranslation . . . . . . . . . . . . . . . . . . AddressTranslationConfiguration . . . . . . . . . . . . . . . . . . . . . RequiringAddressTranslation . . . . . . . . . . . . . . . . . . . . ConfiguringDynamicAddressTranslation . . . . . . . . . . . ConfiguringStaticNATTranslation . . . . . . . . . . . . . . . . ConfiguringStaticPATTranslation . . . . . . . . . . . . . . . . . FindingaMatchingTranslationPolicy . . . . . . . . . . . . . . TCPSYNFloodAttacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TheOriginalTCPIntercept . . . . . . . . . . . . . . . . . . . . . . . TCPInterceptwithSYNCookies . . . . . . . . . . . . . . . . . . TranslationandConnectionVerification . . . . . . . . . . . . . . . . . ViewingActiveTranslations . . . . . . . . . . . . . . . . . . . . . . ViewingActiveConnections . . . . . . . . . . . . . . . . . . . . . . ViewingLocalHostInformation . . . . . . . . . . . . . . . . . . . ClearingEntriesintheXlateandConnTables . . . . . . . . .
106 106 108 109 110 110 113 113 115 115 119 119 120 122 128 128 129 138 140 141 143 143 143 144 144 146 147 148
▼ 6 AccessControl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 AccessControlLists(ACLs) . . . . IntroductiontoACLs . . . . . CreatingandActivatingACLs ACLActivation . . . . . . . . . ACLVerification . . . . . . . .
... ... . ... ...
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
152 152 155 160 160
xi
xii
Cisco ASA Configuration
ACLMaintenance . . . . . . . . . . . . . . . ACLConfigurationExamples . . . . . . . ObjectGroups . . . . . . . . . . . . . . . . . . . . . . AdvantagesofObjectGroups . . . . . . . CreatingObjectGroups . . . . . . . . . . . ExaminingYourObjectGroups . . . . . . DeletingObjectGroups . . . . . . . . . . . UsingObjectGroups . . . . . . . . . . . . . ObjectGroupConfigurationExample . ICMPFiltering . . . . . . . . . . . . . . . . . . . . . . ICMPTrafficThroughtheAppliances . ICMPTrafficDirectedattheAppliances ConnectionTroubleshooting . . . . . . . . . . . . PacketTracerFeature . . . . . . . . . . . . . PacketCaptureFeature . . . . . . . . . . .
.. .. .. .. .. .. .. .. .. .. .. . .. .. ..
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
161 163 171 171 171 174 174 175 176 177 178 179 181 181 184
▼ 7 WebContent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 JavaandActiveXFiltering . . . . . . . . . . JavaandActiveXIssues . . . . . . . . JavaandActiveXFilteringSolutions ConfiguringJavaFilters . . . . . . . . ConfiguringActiveXFilters . . . . . WebContentFiltering . . . . . . . . . . . . . WebFilteringProcess . . . . . . . . . . URLFilteringServer . . . . . . . . . . URLFilteringVerification . . . . . . . URLFilteringExample . . . . . . . . . WebCaching . . . . . . . . . . . . . . . . . . . . WCCPProcess . . . . . . . . . . . . . . . WCCPConfiguration . . . . . . . . . . WCCPVerification . . . . . . . . . . . . WCCPConfigurationExample . . .
... ... . . ... ... ... ... ... ... ... ... ... ... ... ...
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
190 190 191 191 192 192 193 195 200 202 203 203 204 205 206
▼ 8 CTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 AAAOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . AAAComponents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . AAAExample . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . AAAProtocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . AAAServers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . AAAServerConfiguration . . . . . . . . . . . . . . . . . . . . . . . CTPAuthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CTPOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ApplianceConfigurationofCTPAuthentication . . . . . . . VerifyingCTPAuthentication . . . . . . . . . . . . . . . . . . . . .
208 208 208 209 211 211 213 214 215 222
Contents
CTPAuthorization . . . . . . . . . . . . . . . . . . . CTPAuthorizationOptions . . . . . . . . ClassicAuthorizationConfiguration . . DownloadableACLConfiguration . . . CTPAccounting . . . . . . . . . . . . . . . . . . . . ApplianceConfigurationforAccounting CiscoSecureACSReports . . . . . . . . .
. . . . .
. . . . . . ..
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
224 225 226 228 230 230 231
▼ 9 IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 IPv6Overview . . . . . . . . . . . . . . . . . . . . . . IPv6CapabilitiesoftheAppliances . . . IPv6LimitationsoftheAppliances . . . IPv6InterfaceConfiguration . . . . . . . . . . . . StatelessAutoconfiguration . . . . . . . . Link-LocalAddressConfiguration . . . GlobalAddressConfiguration . . . . . . IPv6InterfaceConfigurationVerification IPv6Routing . . . . . . . . . . . . . . . . . . . . . . . IPv6Neighbors . . . . . . . . . . . . . . . . . . . . . NeighborSolicitationMessages . . . . . RouterAdvertisementMessages . . . . . IPv6ACLs . . . . . . . . . . . . . . . . . . . . . . . . . IPv6ACLConfiguration . . . . . . . . . . . IPv6ACLExample . . . . . . . . . . . . . . .
. . . . . . .
. . . . . . . . .. .. .. .. .. .. ..
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
234 234 235 236 236 237 237 238 238 239 240 241 242 242 244
PartIII PolicyImplementation
▼ 10 ModularPolicyFramework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 MPFOverview . . . . . . . . . . . . . . . . . MPFPolicies . . . . . . . . . . . . . . . WhyMPFIsNecessary . . . . . . . MPFComponents . . . . . . . . . . . ClassMaps . . . . . . . . . . . . . . . . . . . . Layer3/4ClassMaps . . . . . . . . ApplicationLayerClassMaps . . PolicyMaps . . . . . . . . . . . . . . . . . . . Layer3/4PolicyMap . . . . . . . . Layer7PolicyMap . . . . . . . . . . ServicePolicies . . . . . . . . . . . . . . . . . ActivatingaLayer3/4PolicyMap ServicePolicyVerification . . . . .
. . . . . . . . . . .
. . . . . . . . . . . . ..
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
248 248 249 252 252 253 256 260 261 271 274 274 275
xiii
xiv
Cisco ASA Configuration
▼ 11 ProtocolsandPolicies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 ICMPInspectionPolicies . . . . . . . . . . . . . . ICMPIssues . . . . . . . . . . . . . . . . . . . ICMPInspectionConfiguration . . . . . DCE/RPCInspectionPolicies . . . . . . . . . . . DCE/RPCPolicyConfiguration . . . . . DCE/RPCExampleConfiguration . . . SunRPCInspectionPolicies . . . . . . . . . . . . SunRPCPolicyConfiguration . . . . . . SunRPCExampleConfiguration . . . . ILS/LDAPInspectionPolicies . . . . . . . . . . MechanicsofILS/LDAPConnections . ILS/LDAPPolicyConfiguration . . . . . ILS/LDAPExampleConfiguration . . . NetBIOSInspectionPolicies . . . . . . . . . . . . NetBIOSPolicyConfiguration . . . . . . NetBIOSExampleConfiguration . . . . IPSecPass-ThruInspectionPolicies . . . . . . . IPSecPass-ThruPolicyConfiguration . IPSecPass-ThruExampleConfiguration PPTPInspectionPolicies . . . . . . . . . . . . . . PPTPPolicyConfiguration . . . . . . . . . PPTPExampleConfiguration . . . . . . . XDMCPInspectionPolicies . . . . . . . . . . . . MechanicsofXDMCPConnections . . . XDMCPPolicyConfiguration . . . . . . . EstablishedCommandConfiguration . XDMCPExampleConfiguration . . . . .
. . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . .. .. .. .. .. .. .. ..
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
278 278 279 280 280 281 281 282 283 284 284 285 285 285 286 286 287 287 288 288 289 289 289 290 291 291 293
▼ 12 DataApplicationsandPolicies . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 DNSInspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DNSInspectionFeatures . . . . . . . . . . . . . . . . . . . . . . . . DNSPolicyConfiguration . . . . . . . . . . . . . . . . . . . . . . . DNSExampleConfiguration . . . . . . . . . . . . . . . . . . . . . SMTPandESMTPInspection . . . . . . . . . . . . . . . . . . . . . . . . . SMTPandESMTPInspectionFeatures . . . . . . . . . . . . . . SMTPandESMTPPolicyConfiguration . . . . . . . . . . . . . SMTPandESMTPExampleConfiguration . . . . . . . . . . . FTPInspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FTPOperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FTPInspectionFeatures . . . . . . . . . . . . . . . . . . . . . . . . . FTPPolicyConfiguration . . . . . . . . . . . . . . . . . . . . . . . . FTPExampleConfiguration . . . . . . . . . . . . . . . . . . . . . .
296 296 299 301 302 302 303 305 306 306 309 309 311
Contents
TFTPInspection . . . . . . . . . . . . . . . . TFTPOperation . . . . . . . . . . . . . TFTPPolicyConfiguration . . . . . HTTPInspection . . . . . . . . . . . . . . . . HTTPInspectionFeatures . . . . . HTTPPolicyConfiguration . . . . HTTPExampleConfiguration . . InstantMessagingInspection . . . . . . . IMPolicyConfiguration . . . . . . . IMExampleConfiguration . . . . . RSHInspection . . . . . . . . . . . . . . . . . MechanicsofRSHConnections . RSHPolicyConfiguration . . . . . SNMPInspection . . . . . . . . . . . . . . . . SNMPPolicyConfiguration . . . . SNMPExampleConfiguration . . SQL*NetInspection . . . . . . . . . . . . . . MechanicsofSQL*NetConnections SQL*NetPolicyConfiguration . .
. . . . . . . . . . . . . . . . .
.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. . ...
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
312 312 313 313 313 314 317 318 318 320 321 321 322 322 322 323 323 323 325
▼ 13 VoiceandPolicies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327 SIPInspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SIPConnectionsandApplicationInspection . . . SIPPolicyConfiguration . . . . . . . . . . . . . . . . . SIPExampleConfiguration . . . . . . . . . . . . . . . SCCPInspection . . . . . . . . . . . . . . . . . . . . . . . . . . . SCCPConnectionsandApplicationInspection . SCCPPolicyConfiguration . . . . . . . . . . . . . . . . SCCPExampleConfiguration . . . . . . . . . . . . . . CTIQBEInspection . . . . . . . . . . . . . . . . . . . . . . . . . CTIQBEConnectionsandApplicationInspection CTIQBEPolicyConfiguration . . . . . . . . . . . . . . MGCPInspection . . . . . . . . . . . . . . . . . . . . . . . . . . MGCPConnectionsandApplicationInspection . MGCPPolicyConfiguration . . . . . . . . . . . . . . . MGCPExampleConfiguration . . . . . . . . . . . . .
. . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
. . . . . . . . . . . . . . .
328 328 331 334 335 335 337 339 340 340 341 342 343 344 345
▼ 14 MultimediaandPolicies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 MultimediaOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 CommonProblemswithMultimedia ApplicationsandFirewalls . . . . . . . . . . . . . . . . . . . . . 348 FirewallSolutionsforMultimediaApplications . . . . . . . . 348
xv
xvi
Cisco ASA Configuration
RTSPInspection . . . . . . . . . . . . . . . . . . . . . . . . . RTSPConnectionsandApplicationInspection RTSPPolicyConfiguration . . . . . . . . . . . . . RTSPExampleConfiguration . . . . . . . . . . . H.323Inspection . . . . . . . . . . . . . . . . . . . . . . . . H.323Overview . . . . . . . . . . . . . . . . . . . . . H.323ConnectionsandApplicationInspection H.323PolicyConfiguration . . . . . . . . . . . . H.323ExampleConfiguration . . . . . . . . . . .
... . . ... ... ... ... . ... ...
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
349 350 353 355 355 356 357 364 366
PartIV VirtualPrivateNetworks(VPNs)
▼ 15 IPSecPhase1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 IPSecIntroduction . . . . . . . . . . . . . . . . . . IPSecPreparations . . . . . . . . . . . . . . SameInterfaceTraffic . . . . . . . . . . . . ISAKMPConfiguration . . . . . . . . . . . . . . GlobalISAKMPProperties . . . . . . . . ISAKMPPolicies . . . . . . . . . . . . . . . NATTraversalandIPSecoverTCP . . VPNTrafficandACLs . . . . . . . . . . . TunnelGroups . . . . . . . . . . . . . . . . . . . . . TunnelGroupCreation . . . . . . . . . . GeneralTunnelGroupAttributes . . . VPN-SpecificTunnelGroupAttributes CertificateAuthorities . . . . . . . . . . . . . . . IntroducingCertificates . . . . . . . . . . ObtainingCertificates . . . . . . . . . . . UsingCertificates . . . . . . . . . . . . . .
.. .. .. .. .. .. .. .. .. .. .. . .. .. .. ..
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
372 372 373 373 373 375 375 377 378 378 379 380 380 381 381 392
▼ 16 IPSecSite-to-Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395 Site-to-SitePreparation . . . . . . . . . . . . . ISAKMPPhase1Configuration . . TunnelGroupConfiguration . . . . VPNTrafficandAddressTranslation ISAKMPPhase2Configuration . . . . . . CryptoACLs . . . . . . . . . . . . . . . . TransformSets . . . . . . . . . . . . . . . ConnectionLifetimes . . . . . . . . . . CryptoMaps . . . . . . . . . . . . . . . .
.... .... .... .. .... .... .... .... ....
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
. . . . . . . . .
396 397 397 398 399 400 400 401 402
Contents
Site-to-SiteVerification . . . . . . . . . . . . ViewingandClearingConnections TroubleshootingConnections . . . Site-to-SiteExample . . . . . . . . . . . . . .
.. . .. ..
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
404 405 407 407
▼ 17 IPSecRemoteAccessServer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 EasyVPNOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EasyVPNProducts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EasyVPNFeatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . EasyVPNConnectivity . . . . . . . . . . . . . . . . . . . . . . . . . RemoteAccessPreparation . . . . . . . . . . . . . . . . . . . . . . . . . . . VPNTraffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . VPNTrafficandAddressTranslation . . . . . . . . . . . . . . . TunnelLimits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ISAKMPPhase1Configuration . . . . . . . . . . . . . . . . . . . . . . . ISAKMPPhase1Commands . . . . . . . . . . . . . . . . . . . . . GroupPolicyConfiguration . . . . . . . . . . . . . . . . . . . . . . TunnelGroupConfiguration . . . . . . . . . . . . . . . . . . . . . AutoUpdate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ISAKMPPhase2Configuration . . . . . . . . . . . . . . . . . . . . . . . DynamicCryptoMaps . . . . . . . . . . . . . . . . . . . . . . . . . . StaticCryptoMaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . RemoteAccessVerification . . . . . . . . . . . . . . . . . . . . . . . . . . . ViewingRemoteAccessConnections . . . . . . . . . . . . . . . DisconnectingRemoteAccessUsers . . . . . . . . . . . . . . . . IPSecRemoteAccessServerExample . . . . . . . . . . . . . . . . . . . VPNLoadBalancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ClusteringOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . ClusteringConfiguration . . . . . . . . . . . . . . . . . . . . . . . . ClusteringExample . . . . . . . . . . . . . . . . . . . . . . . . . . . .
410 411 412 413 414 415 415 415 416 416 417 425 428 430 430 431 432 432 434 434 436 437 438 439
▼ 18 IPSecRemoteAccessClient . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 ConnectionModes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ClientMode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NetworkExtensionMode . . . . . . . . . . . . . . . . . . . . NetworkExtensionPlusMode . . . . . . . . . . . . . . . . ASA5505RemoteClient . . . . . . . . . . . . . . . . . . . . . . . . . HardwareClientXAUTHAuthenticationMethods . UserAuthentication . . . . . . . . . . . . . . . . . . . . . . . . BasicClientConfiguration . . . . . . . . . . . . . . . . . . . TunnelMaintenance . . . . . . . . . . . . . . . . . . . . . . . . EasyVPNConfigurationExamplewithaHardwareRemote ASA5505ConfigurationExample . . . . . . . . . . . . . . ExampleEasyVPNServerConfiguration . . . . . . . .
. . . . . . . . .
. . . . . . . . . . .. ..
. . . . . . . . . . . .
. . . . . . . . . . . .
442 442 444 445 445 445 446 447 448 449 449 449
xvii
xviii
Cisco ASA Configuration
▼ 19 SSLVPNs:Clientless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451 IntroductiontoSSLVPNs . . . . . . . . . . . . . . . . . . ConnectionModes . . . . . . . . . . . . . . . . . . . WebVPNRestrictions . . . . . . . . . . . . . . . . . BasicWebVPNConfiguration . . . . . . . . . . . . . . . ImplementingSSLPolicies . . . . . . . . . . . . . EnablingWebVPN . . . . . . . . . . . . . . . . . . . SupportingBothWebVPNandASDM . . . . PerformingDNSLookups . . . . . . . . . . . . . ImplementingWebProxying . . . . . . . . . . . DefiningGeneralWebVPNProperties . . . . . WebVPNGroupPolicies . . . . . . . . . . . . . . . . . . ConfiguringGroupPolicies . . . . . . . . . . . . OverridingGroupPoliciesonaPer-UserBasis TunnelGroups . . . . . . . . . . . . . . . . . . . . . . . . . . TunnelGroupGeneralAttributes . . . . . . . . TunnelGroupWebVPNAttributes . . . . . . . GroupMatchingMethods . . . . . . . . . . . . . WebVPNClientlessHomePortal . . . . . . . . . . . . LoginScreen . . . . . . . . . . . . . . . . . . . . . . . HomePortalOverview . . . . . . . . . . . . . . . HomePortalTabs . . . . . . . . . . . . . . . . . . . Non-WebTraffic . . . . . . . . . . . . . . . . . . . . . . . . PortForwarding . . . . . . . . . . . . . . . . . . . . WebBrowserPlug-Ins . . . . . . . . . . . . . . . . SmartTunneling . . . . . . . . . . . . . . . . . . . . WebVPNVerificationandTroubleshooting . . . . . showCommands . . . . . . . . . . . . . . . . . . . . debugCommands . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
452 453 454 455 455 456 456 457 458 460 460 460 465 467 467 468 469 470 471 472 473 475 476 480 481 485 485 485
▼ 20 SSLVPNs:AnyConnectClient . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 AnyConnectClientOverview . . . . . . . . . . . . . . . . . WebVPNNetworkClients . . . . . . . . . . . . . . . AnyConnectClientImplementation . . . . . . . . AnyConnectClientConnections . . . . . . . . . . . AnyConnectClientPreparationandInstallation . . . ASAPreparationfortheAnyConnectClient . . AnyConnectPolicies . . . . . . . . . . . . . . . . . . . WebVPNTunnelGroups . . . . . . . . . . . . . . . . ClientProfiles . . . . . . . . . . . . . . . . . . . . . . . . ManagingandTroubleshootingAnyConnectSessions ConnectingtoaWebVPNServer . . . . . . . . . . . ViewingandManagingConnectedUsers . . . .
.. .. .. .. .. .. .. .. .. . .. ..
. . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . .
488 488 489 489 490 491 493 497 499 501 501 504
Contents
PartV AdvancedFeaturesoftheASA
▼ 21 TransparentFirewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Layer2ProcessingofTraffic . . . . . . . . . . . . . . . . . . . . . . . . . . Routedvs.TransparentMode . . . . . . . . . . . . . . . . . . . . . Bridgesvs.TransparentMode . . . . . . . . . . . . . . . . . . . . . SupportedandUnsupportedFeatures . . . . . . . . . . . . . . . TrafficFlowandACLs . . . . . . . . . . . . . . . . . . . . . . . . . . ConfiguringTransparentMode . . . . . . . . . . . . . . . . . . . . . . . . SwitchingtoTransparentMode . . . . . . . . . . . . . . . . . . . ManagementIPAddress . . . . . . . . . . . . . . . . . . . . . . . . MACAddressTableandLearning . . . . . . . . . . . . . . . . . AdditionalLayer2Features . . . . . . . . . . . . . . . . . . . . . . . . . . Non-IPTrafficandEther-TypeACLs . . . . . . . . . . . . . . . . ARPInspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TransparentFirewallExampleConfiguration . . . . . . . . . . . . . .
510 510 511 513 515 515 516 516 517 518 518 519 520
▼ 22 Contexts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 ContextOverview . . . . . . . . . . . . . . . . . . . . . . . Licensing . . . . . . . . . . . . . . . . . . . . . . . . . ContextUses . . . . . . . . . . . . . . . . . . . . . . . ContextRestrictions . . . . . . . . . . . . . . . . . . ContextImplementation . . . . . . . . . . . . . . . TrafficClassification . . . . . . . . . . . . . . . . . . ContextMode . . . . . . . . . . . . . . . . . . . . . . . . . . SwitchingtoMultipleMode . . . . . . . . . . . . SystemAreaConfiguration . . . . . . . . . . . . DesignatingtheAdministrativeContext . . . CreatingContexts . . . . . . . . . . . . . . . . . . . ManagingResources . . . . . . . . . . . . . . . . . ContextManagement . . . . . . . . . . . . . . . . . . . . . SwitchingBetweenContexts . . . . . . . . . . . . SavingConfigurations . . . . . . . . . . . . . . . . RemovingContexts . . . . . . . . . . . . . . . . . . ContextExample . . . . . . . . . . . . . . . . . . . . . . . . Example:ChangingtoMultipleMode . . . . . Example:SettingUptheInterfaces . . . . . . . Example:CreatingtheContexts . . . . . . . . . Example:ConfiguringtheAdminContext . . Example:ConfiguringthectxContext . . . . . Example:SavingtheApplianceConfiguration
. . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . .
524 524 524 525 526 527 528 528 529 529 530 532 535 535 535 536 536 537 537 538 538 539 540
xix
xx
Cisco ASA Configuration
▼ 23 Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 FailoverIntroduction . . . . . . . . . . . . . . . . . . FailoverTypes . . . . . . . . . . . . . . . . . . . FailoverRequirements . . . . . . . . . . . . . FailoverRestrictions . . . . . . . . . . . . . . SoftwareUpgrades . . . . . . . . . . . . . . . FailoverImplementations . . . . . . . . . . . . . . . Active/StandbyFailover . . . . . . . . . . . AddressingandFailover . . . . . . . . . . . Active/ActiveFailover . . . . . . . . . . . . . FailoverCabling . . . . . . . . . . . . . . . . . . . . . FailoverLink . . . . . . . . . . . . . . . . . . . . StatefulLink . . . . . . . . . . . . . . . . . . . . PIXCabling . . . . . . . . . . . . . . . . . . . . . ASACabling . . . . . . . . . . . . . . . . . . . . FailoverOperation . . . . . . . . . . . . . . . . . . . . FailoverCommunications . . . . . . . . . . FailoverTriggers . . . . . . . . . . . . . . . . . SwitchConnections . . . . . . . . . . . . . . . Active/StandbyConfiguration . . . . . . . . . . . Active/Standby:PIXsandtheSerialCable Active/Standby:LBF . . . . . . . . . . . . . . Active/Standby:OptionalCommands . Active/Standby:ExampleConfiguration Active/ActiveConfiguration . . . . . . . . . . . . Active/Active:LBFConfiguration . . . . Active/Active:OptionalCommands . . . Active/Active:ExampleConfiguration .
. . . . . . . . . . . . . . . . . . . . . . . . . .
.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. . .. .. .. .. .. .. ..
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . .
542 542 543 545 545 545 546 546 547 548 548 549 550 550 551 551 552 554 555 555 558 560 561 566 566 569 570
▼ 24 NetworkAttackPrevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 ThreatDetection . . . . . . . . . . . . BasicThreatDetection . . . . ScanningThreatDetection . ThreatDetectionStatistics . IPAudit . . . . . . . . . . . . . . . . . . IPAuditSignatures . . . . . . IPAuditConfiguration . . . AdditionalFeatures . . . . . . . . . . TCPNormalization . . . . . . ReversePathForwarding . . FragmentationLimits . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . .
578 578 582 584 587 587 590 590 590 593 594
Contents
▼ 25 SSMCards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597 AIP-SSMCard . . . . . . . . . . . . . . . . . . . . . . . . AIP-SSMCardModesandFailureOptions TrafficandtheAIP-SSMCard . . . . . . . . . TrafficForwardingtotheAIP-SSMCard . AIP-SSMBasicConfiguration . . . . . . . . . CSC-SSMCard . . . . . . . . . . . . . . . . . . . . . . . TrafficandtheCSCCard . . . . . . . . . . . . ForwardingTraffictotheCSC-SSMCard . SettingUptheCSC-SSMCard . . . . . . . . SSMCardManagement . . . . . . . . . . . . . . . . . VerifyinganSSMCardOperationalStatus HardwareModuleCommands . . . . . . . . Re-ImaginganSSMCard . . . . . . . . . . . .
.. . .. .. .. .. .. .. .. .. . . .. ..
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
. . . . . . . . . . . . .
598 598 599 600 601 606 606 607 609 612 612 614 615
PartVI ManagementoftheASA
▼ 26 BasicManagementfromtheCLI . . . . . . . . . . . . . . . . . . . . . . . . . . 619 DHCPServices . . . . . . . . . . . . . . . . . . . . . . . . . . . DHCPServer . . . . . . . . . . . . . . . . . . . . . . . . . DHCPRelay . . . . . . . . . . . . . . . . . . . . . . . . . RemoteManagementFeatures . . . . . . . . . . . . . . . . DateandTime . . . . . . . . . . . . . . . . . . . . . . . . Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FileManagement . . . . . . . . . . . . . . . . . . . . . . . . . . FilesandFlash . . . . . . . . . . . . . . . . . . . . . . . . OSUpgrades . . . . . . . . . . . . . . . . . . . . . . . . . ControllingtheBootupProcess . . . . . . . . . . . . LicenseKeys . . . . . . . . . . . . . . . . . . . . . . . . . PasswordRecovery . . . . . . . . . . . . . . . . . . . . . . . . RestrictingthePasswordRecoveryProcess . . . PerformingthePIXPasswordRecoveryProcess PerformingtheASAPasswordRecoveryProcess AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RestrictingCLIAccess . . . . . . . . . . . . . . . . . . CommandAuthorization . . . . . . . . . . . . . . . . ManagementAccounting . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . .. .. .. ..
. . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . .
620 620 622 623 623 625 629 630 630 631 633 634 635 635 636 638 639 639 642 645
xxi
xxii
Cisco ASA Configuration
▼ 27 ASDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647 ASDMOverview . . . . . . . . . . . . . . . . . . . . ASDMRequirements . . . . . . . . . . . . . ASDMRestrictions . . . . . . . . . . . . . . ASDMConfigurationPreparations . . . . . . . SetupScript . . . . . . . . . . . . . . . . . . . . BasicConfigurationCommands . . . . . ASDMAccess . . . . . . . . . . . . . . . . . . . . . . WebBrowserAccess . . . . . . . . . . . . . StartupWizard . . . . . . . . . . . . . . . . . ASDMHomeScreen . . . . . . . . . . . . . . . . . MenuItems . . . . . . . . . . . . . . . . . . . . ToolbarButtons . . . . . . . . . . . . . . . . . HomeScreenElements . . . . . . . . . . . . ASDMConfigurationScreens . . . . . . . . . . . DeviceSetupTab . . . . . . . . . . . . . . . . FirewallTab . . . . . . . . . . . . . . . . . . . . RemoteAccessVPNTab . . . . . . . . . . . CiscoSecureDesktop . . . . . . . . . . . . . Site-to-SiteVPNTab . . . . . . . . . . . . . . DeviceManagementTab . . . . . . . . . . ASDMMonitoringScreens . . . . . . . . . . . . . InterfacesTab . . . . . . . . . . . . . . . . . . VPNTab . . . . . . . . . . . . . . . . . . . . . . RoutingTab . . . . . . . . . . . . . . . . . . . . PropertiesTab . . . . . . . . . . . . . . . . . . LoggingTab . . . . . . . . . . . . . . . . . . . ASDMandContexts . . . . . . . . . . . . . . . . . InitialAccessandContextManipulation Failover . . . . . . . . . . . . . . . . . . . . . . .
▼
. . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . ..
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
648 648 649 650 650 651 651 652 653 654 655 661 662 663 663 664 668 678 690 691 692 693 694 694 695 695 697 698 700
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
FOREWORD O
verthepastdecadecomputernetworksaswellastheattacksagainst them have become increasingly complex. As information technology professionals we are faced with overcoming challenges every day,andlearningnewsecurityconceptsshouldnotbeoneofthem.Ihave known Richard, the author of this book, during this same time, and his giftofmakingdifficulttechnologyconceptsunderstandablehasremained constant. Whether he is presenting to a room of information technology professionalsorwritingbooks,Richard’scommunicationskillsareunsurpassed.
Astheimportanceofnetworkscontinuestogrow,securitybecomesevermore vital.TheCiscoAdaptiveSecurityAppliancesintelligentthreatdefenseoffersthe neededprotectionforbusinessestodayaswellasforthefuture.Technologiesand devicesbasedonInternetprotocolcontinuallytoucheveryaspectofourlives—we needtobeconfidentthatourdataissafe.CiscoASAConfigurationisagreatreferenceandtoolforansweringourchallenges.
SteveMarcinek,CCIE7225 SystemsEngineer,CiscoSystems
xxiii
This page intentionally left blank
PREFACE O
verthelastseveralyearswehaveseenariseinthenumberofattacks launchedagainstournetworks.Theseattacksarenotonlymoreplentiful,butalsobecomingmoresophisticated.Thecomplexitiesofour networksgrowatanequalrate,whileITdepartmentsandbudgetsshrink. Thenumberofprotocolsonournetworksisalsorising,andthenumberof clientsisincreasing.Meanwhilethereisthedemandtokeepservicesavailableandtokeepdatafrombeingleaked.
Whilethereisnosingletechnologythatcanguaranteeasecurenetwork,one ofthemostcriticalcomponentsinyourinfrastructureisthefirewall.Possessinga solidunderstandingoffirewallcapabilitiesisacriticalprerequisitetofortifyyour defenses. TheCiscoASA5500seriesproductsandthelatestrevisionsofCisco’sfirewall softwarehaveintroducedsomeawesomenewfeatures.Topicsdiscussedwithin thisbookincludeModularPolicyFramework,transparentfirewalls,deeppacket inspection, contexts, failover, WebVPN, and more.A plethora of capabilities on yourfirewallsiswaitingtobeunleashed;thekeyisknowingwhatthesefeatures are,understandinghowthetechnologyworks,andthenhowtoconfigurethem. Richardhasputtogetheranexcellentreferencewithover20chaptersoftechnologies,explanations,andconfigurationexamples.
xxv
xxvi
Cisco ASA Configuration
RichardhasbeenrecognizedasanexpertontheCiscofirewallformanyyears,and thisbookisanexcellentfollow-uptohisCiscoPIXFirewallsbookfrom2002.Thisbook doesagreatjobofwalkingyoustep-by-stepthroughthetechnologiesandconfiguration behindtheASA5500.CiscoASAConfigurationisanexcellentresourceforboththenovice andseasonedCiscoPIXadministrator. RyanLindfield SeniorTechnicalInstructor BosonTraining
ACKNOWLEDGMENTS I
wouldliketothankthefollowingpeople:
▼
his book would not have been possible without the support of family. T Abookofthissizeisverytime-consuming,especiallywhenyouhaveto balanceabook,ajob,and,mostimportantly,afamily.Mytwogirlsarethe loveofmylife.
■
specialthankstoRyanLindfieldforprovidingexcellentfeedbackand A encouragement on the technical content of this book. I’ve worked with Ryan for quite some years, and I’ve always been impressed with his securityand,especially,hishackingskills.Andcongratulationstohimfor gettingmarried!
▲
heteamatMcGraw-Hill,especiallyJaneBrownlow,JoyaAnthony,Carly T Stapleton,VipraFauzdar,JanetWalden,andJanJue.Ioweadebtofgratitude to this team, especially in pulling all of the pieces together for the finalproofing—thanksforyourhelp!
Bestwishestoall!Andcheers!
xxvii
This page intentionally left blank
INTRODUCTION F
orthoseofyouwhohavekeptaskingmewhenthereplacementfor myPIXbookwouldbeout,Iappreciateyourlongpatience.Overthe pastfiveyearsIhavefocusedmybusinesssolelyonsecurity,spendingmostofmytimewithCisco’ssecurityproductsliketheASAsandPIXs, andwithVPNtechnologies.
Firewalls,asatechnology,havebeenaroundforoveradecade.However,it wasn’tuntiltheexplosionoftheInternetthattheuseoffirewallshasbecomecommonplaceincorporateandsmalloffices,andeveninhomeenvironments.(Iuse anASA5505formyhomeofficeandEsetonmylaptop.)I’mcontinuallyamazed atthenumberoftimescuriouspeopleandhackersontheInternethaveattempted toscanandprobemyhomeofficenetwork. Becauseofthelargenumberofproductsavailable,Ihavelimitedthefocusofthis bookprimarilytoCisco’sASAsecurityappliancefamily.MostofwhatIdiscussin thisbookalsoappliestoCisco’send-of-salePIXsecurityappliances,andwherethere aredifferencesIpointthemout.Manyofthereadersofmypreviousbookonthe PIXshaveconstantlyaskedmetoupdateit;havingafamilylifehassloweddown mywriting,butI’mbackinthegroove.Somanycriticalchangeshaveoccurredsince version 6 of the security appliances that I have finally succumbed to my faithful readers.Mostmedium-to-enterprisecompaniesI’veconsultedforuseCisco’ssecurityappliances,sohavingagoodbackgroundinunderstandingtheircapabilities
xxix
xxx
Cisco ASA Configuration
andconfiguringtheirfeaturesmakesyoumoremarketableasaconsultantandmore valuableasanemployee.Ihavewrittenthisbookforthefollowingreasons:
▼ T obringyouuptodateonthelargenumberofveryimportantchangesinthe securityapplianceoperatingsystemsinceversion6ofthePIXs.
■ T oexplorenetworksecurity,ahottopicbecauseofincreasinglevelsofthreats anddamage,aswellastheexplosivegrowthofInternetservices.
■ TofamiliarizeyouwithASAandPIXsecurityappliances.Youarelikelytorun intotheminyourjobbecauseCiscoisthemarketshareleaderinenterprisenetworkingsolutions.
■ T o fill the need for a really good, focused book on Cisco’s security appliance products.
▲ TomakeyoumoreawareoftheproducttechnologyandintelligenceCiscobrings tothesecurityarena,becauseIhaveneverseenanetworkingcompanyofferabettersetofenterpriseproductsandtop-notchtechnicalsupport.
THEINTENDEDAUDIENCE Theconceptsandconfigurationsprovidedinthisbookarenotforpeoplethinkingabout acareerincomputernetworking,butforpeoplewhoareusingASAs(andPIXs)tosecuretheirinternalnetworks.Thisbookcaneasilybereadbynotonlynetworkadministrators,engineers,andtechnicians,butalsobynetworkingsalespersonsandmanagers. Theobjectiveofthisbookistoprovideyouwithanunderstandingofthefunctionsofa firewall;anoverviewofCisco’sASAsecurityappliancefamily;thefeaturesavailableon theASAs,includingthoseinthemostrecentoperatingsystemversions(version8.0);and theconfigurationoftheASAs.
WHATTHISBOOKCOVERS ImakenoassumptionsaboutyourskilllevelwithASAs,andIhaveattemptedtopresenteverysubjectinaclearandeasy-to-understandlayout.I’veseparatedthebookinto differentsectionsinordertomakethepresentationofthematerialeasiertounderstand, and to provide a step-by-step progression in setting up your security appliance. This bookcontainssixparts,withatotalof27chapters.Iassumethatyouhaveneverseen thecommand-lineinterface(CLI)orgraphical-userinterface(GUI)ofaCiscosecurity appliance. PartIintroducesyoutotheASAproductfamily,theCLIinterface,andbasicconfigurationtasks,likesettingupinterfacesandrouting.PartIIdiscussescontrollingtrafficthrough the security appliances, including address translation, access control lists (ACLs), object groups,filteringwebcontent,filteringconnectionsusingAAA(calledCut-throughProxy),
Introduction
andIPv6.PartIIIcoverstheimplementationofpoliciesforprotocols,dataapplications, voice,andmultimediathroughtheuseoftheModularPolicyFramework(MPF).PartIV introducestheconfigurationofVPNimplementations,includingIPSecsite-to-site,IPSec remoteaccess,andCisco’simplementationofSSLVPNs,calledWebVPN.PartVintroducestheadvancedfeaturesofthesecurityappliances,includingthelayer2transparent firewall,securitycontexts,failover,networkattackpreventionfeatures,andtheAIP-SSM and CSC-SSM cards for theASAs. The end of the book, Part VI, introduces you to the managementoftheappliances,includingbasicadministrativetasksyouperformfromthe CLIandCisco’sGUI-basedproducttomanagetheappliances:AdaptiveSecurityDevice Manager(ASDM).
FINALWORDS EventhoughIdiscussmanyofthecomponentsandconfigurationsofthesecurityappliances,itisimpossibletocovereverytypeofconfigurationandnetworkscenarioina singlebook.IhighlyrecommendthatyouuseCisco’swebsite(http://www.cisco.com) aswellasvariousUsenetnewsgroupsasadditionalresources.Icannotbegintocount thenumberoftimesthatIhavefoundtheanswertoaquestionineitherofthesetwo places.Becauseofthevalueofthisinformation,I’verarelyhadtocallTAC(Technical AssistanceCenter)atCiscoforhelpwithasecurityapplianceconfigurationissue,except fortheoccasionalbugsthatI’vediscovered. I wish you the best in your networking endeavors and hope that this book helps makeyourjobeasierwhenitcomestousingCisco’ssecurityappliances,especiallythe ASAs.Ilovetohearfrommyreaders,soanyandallfeedbackisappreciated! Cheers!
xxxi
This page intentionally left blank
I Introduction to ASA Security Appliances and Basic Configuration Tasks
1
This page intentionally left blank
1 ASA Product Family
3
4
Cisco ASA Configuration
T
his chapter introduces the features and hardware of Cisco’s Adaptive Security Appliance(ASA)productline.Thetopicsinclude
▼ F eaturesoftheASA,includingtheoperatingsystem,securityalgorithm, redundancy,andothers
▲ T hehardwareoftheASAproductline,includingthemodels,supported hardwaremodules(cards),andlicensing
ASAFEATURES Cisco’sASAisasetofstatefulsecurityappliancesrangingfromthemodel5505,which isdesignedforSmallOffice,HomeOffice(SOHO)environments,tothe5580,whichis designedforlargeenterprisenetworksandISPsites.Alloftheseproductsusethesame operatingsystemandmanagementtools,easingyourimplementationandmonitoring tasks.Becauseallthesecurityappliancesusethesameoperatingsystem,themajordifferencesbetweenthemodelsprimarilyconcernscalabilityandperformance. TheASAfamilyofproducts(andtheiroldersiblings,thePIXproducts)canbestbe describedashybridfirewalls.Cisco,however,doesnotliketousetheterm“firewall”to describetheASAandPIXproductfamily.Instead,Ciscoprefersusingtheterm“security appliance,”mainlybecausetheASAproductsandtheproductstheyreplaced,thePIX products,arenotjuststatefulfirewalls;theyalsosupportmanyothersecurityfeatures, including
▼ Secure,real-time,proprietaryoperatingsystem
■ StatefulfirewallusingtheCiscoSecurityAlgorithm(SA)
■ SequenceNumberRandomization(SNR)tosecureTCPconnections
■ Cut-throughProxy(CTP)forauthenticatingtelnet,HTTP,andFTPconnections
■ Defaultsecuritypoliciestoensuremaximumprotection,aswellastheability tocustomizethesepoliciesandbuildyourownpolicies
■ Virtualprivatenetwork(VPN)abilities:IPSec,SSL,andL2TP
■ Intrusiondetectionandpreventionsystems(IDSandIPS)
■ Addresstranslationusingdynamicandstaticnetworkandportaddress translation
■ StatefulredundancyofconnectionsandVPNsbetweentwosecurityappliances
▲ Virtualizationofpoliciesusingcontexts
This is just a small list of some major features of the security appliances. The followingsectionsprovideanoverviewofsomeofthesefeatures.ThefeaturesthatIdon’t brieflycoverinthischapterarecoveredinsubsequentchapters.
Chapter 1:
ASA Product Family
NOTE Throughoutthebook,whenevertheterms“securityappliance”or“appliance”areused,they refertoboththeASAandPIXproductsunlessotherwisenoted.
OperatingSystem Theoperatingsystem(version7andlater)youcurrentlyseeontheASAappliancesand on the PIX 515 and higher appliances is based on the PIX Finesse Operating System (FOS). The FOS is a proprietary, stand-alone operating system. It implements the actualsecurityfunctionsthatthesecurityappliancehardwareperforms.Inthissense,it issomewhatsimilartotheInternetworkOperatingSystem(IOS)ofCiscoroutersand switches, or what the Microsoft Windows XP or Linux operating systems are to PCs. Cisco no longer uses the term FOS to describe the operating system, though. Starting inversion7andlater,Ciscoreferstothesecurityapplianceoperatingsystemasjustthe “operatingsystem.” NOTE EventhoughCisco’sPIXappliancesarenolongerforsale,whichCiscodenotesasendof-sale(EOS),thePIX515sandhighersupportthesameoperatingsystemastheASAs.Themain differencebetweenthePIXsandASAsisthatthelower-endPIX501and506Edonotsupportversion 7andlateroftheOS,andnoneofthePIXssupportsSSLVPNs.Thisbookfocusesontheuseofthe ASAs;however,thetopicsdiscussedcanbeequallyappliedtothePIXsinmostsituations.
FirewallApplications Somefirewallproductsrunontopofanoperatingsystem;thesesolutionsarecommonly calledfirewallapplications.Onedisadvantagethatfirewallapplicationshavecompared withaproprietaryoperatingsystemisthatthefirewallvendormustdealwithtwosoftwareproductsincreatingafirewall:theoperatingsystemandthefirewallapplication. Thisprocesscanoftenleadtoalesssecuresystem.ThisisespeciallytruewhenyouconsiderallthesecuritythreatsthathavebeendirectedspecificallyatUNIXandMicrosoft operatingsystems. AnexampleofafirewallproductthatusesfirewallapplicationsisCheckPoint.Thisis nottosaythatCheckPoint’sfirewallisaworsesolutionthanafirewallproductthatuses aproprietaryoperatingsystem.However,afirewallvendorlikeCheckPointwillhaveto domanymorethingstoensurethatthefirewallapplicationandoperatingsystemprovide asecuresolution.(NotethatCheckPoint’snext-generationproduct,SecurePlatform1,is movingawayfromthisapproachandmovingtowardanintegratedsolution.) Themainproblemwithafirewallapplicationsolutionisthatthevendornotonlyhas toprovideasecurefirewallapplication,butmustalsosecuretheoperatingsystemitruns on.However,firewallapplicationsdoprovidetwoadvantages:
▼ T heytendtobeeasytoinstallandmaintain.
▲ T heyrunonawidevarietyofPC/serverplatforms.
5
6
Cisco ASA Configuration
ProprietaryOperatingSystem Proprietaryoperatingsystemsprovideasecurityadvantageoverfirewallapplications—a proprietaryoperatingsystemvendorhastobeconcernedaboutonlyonesystem,instead oftwo,inprovidingasecurefirewallsolution.Anotherhugeadvantageofproprietary operatingsystemsisscalability.Becauseaproprietaryoperatingsystemcanbecustomizedtoaspecifichardwareplatform,thisfirewallsystemcanprovideextremelyfastpacketfilteringabilitiesandsecuritycapabilities. Off-the-shelf operating systems like UNIX and Microsoft Windows are general- purposeoperatingsystemsthatweredevelopedtoperformmanytasks,notallofwhich areperformedatanoptimallevel.Usingageneraloperatingsystemdecreasestheperformance of the packet filtering and firewall functions of the firewall application. To provideforscalability,youmustloadyourfirewallapplicationonveryexpensiveserver platforms. Usingaproprietaryoperatingsysteminafirewallsolutionalsomakesitmuchmore difficultforhackerstopenetratethefirewall.Attackersarefamiliarwiththefunctionsof commonoperatingsystemslikeUNIXandMicrosoftproducts,whichmakesitalittlebit easierforthemtoattackthefirewallapplication.However,whenvendorsuseaproprietaryoperatingsystemtoimplementtheirfirewallsolution,anattackerwillhavelittle ornoknowledgeaboutthefunctionsandprocessesoftheoperatingsystem,makingit verydifficultfortheattackertocompromisethefirewallsolution. Usingaproprietaryoperatingsystemhassomedisadvantages.First,becausetheoperatingsystemisproprietary,yoursecuritypersonnelwillhavetolearnthenewsystem. ManyofyourpersonnelwillalreadyhaveexperiencewithUNIXorMicrosoftWindows, andthustheirlearningcurveinimplementingthesolutionwillbeshortened. NOTE WhenyouareusinganunderlyingproprietaryoperatingsystemsuchasCisco’ssecurity appliances,theadministratorisunabletointeractwiththeunderlyingOS. Also, because firewall applications are developed for a specific operating system platformlikeUNIXorMicrosoftWindows,yoursecuritypersonnelwillalreadybefamiliar with the interface that is employed by the firewall. A good example of this is CheckPoint’sfirewallsolution—ithasaverygood,intuitiveGUIinterface,whichmakes configurationeasyandalsoreducesthelikelihoodofmakingmistakesandopeningup unintendedholesinyourfirewallsystem. HerearesomeofthemainadvantagesofusingproprietaryOSsforfirewalls:
▼ T heytendtobemoresecurethanfirewallapplications.
▲ T heyprovideforbetterscalabilityandpacketfilteringspeedsbecausethe operatingsystemiscustomizeddirectlytoworkwithspecifichardware.
ASAManagement Because the security appliances use the same operating system, the configuration of Cisco’sASAsandPIXsissimplified.Youhaveachoiceofthreemethodstoconfigure yoursecurityappliance:
Chapter 1:
ASA Product Family
▼ C ommand-lineinterface(CLI)
■ AdaptiveorApplianceSecurityDeviceManager(ASDM)
▲ C iscoSecureManager(CSM),whichisthereplacementfortheCiscoWorks product
TheCLIimplementedonthesecurityappliancesissomewhatsimilartoCisco’sIOSbasedrouterCLI.Asyouwillseeinlaterchapters,however,theCLIsofbothplatforms differinmanyways.TheASDMinterfaceisaJava-basedgraphicaluserinterface(GUI) toolthatallowsyoutoremotelymanageasecurityappliancewithawebbrowser.CSM isacompletemanagementpackagethatallowsyoutomanagethesecuritypoliciesand configurationsforCiscofirewalls(ASAs,PIXs,andIOS-basedrouters),CiscoIPSdevices (4200s,AIP-SSM cards, IDMS2 cards, andAIM-IPS cards), Cisco VPN devices (ASAs, PIXs,IOS-basedrouters,andthe3000concentrators),andCiscohostIPSimplementations(CiscoSecurityAgent[CSA]). Asyoucansee,youhavemanyoptionsavailabletoconfigureyoursecurityapplianceandtoimplementyoursecuritypolicies.Thisbookprimarilyfocusesonusingthe CLI,butChapter27coverstheASDMGUI.
SecurityAlgorithm Onemainfunctionthesecurityappliancesperformisastatefulfirewall.Astatefulfirewalladdsandmaintainsinformationaboutauser’sconnection(s).Inversion6andearlieroftheoperatingsystem,theAdaptiveSecurityAlgorithm(ASA)implementedthe stateful function of the PIX firewall by maintaining connection information in a state table,referredtoasaconntable.WhenCiscointroducedtheASAhardwareplatformin version7,itdroppedtheterm“adaptive”andnowjustreferstotheprocessthathandles thesecurityfunctionsasthe“securityalgorithm.”Thesecurityappliancesusetheconn tabletoenforcethesecuritypoliciesforusers’connections. Hereissomeoftheinformationthatastatefulfirewallkeepsinitsstatetable:
▼ S ourceIPaddress
■ DestinationIPaddress
■ IPprotocol(likeTCPorUDP)
▲ I Pprotocolinformation,suchasTCP/UDPportnumbers,TCPsequence numbers,andTCPflags NOTE ThesecurityappliancesprovideastatefulprocessforTCPandUDPtrafficonly,bydefault. Startinginversion7,ICMPcanalsobetreatedstatefully,butthisisdisabledbydefault.
StatefulFirewallExplanation Figure1-1isasimpleexamplethatillustratesthestatefulprocessperformedbyastateful firewall.ThesearethestepsshowninFigure1-1:
1. A user(PC-A)insideyournetworkperformsanHTMLrequesttoawebserver outsideyournetwork.
7
8
Cisco ASA Configuration
Connection Table Inside IP Address IP Protocol Inside IP Port Outside IP Address Outside Port TCP 11000 201.201.201.1 80 200.200.200.2
2
Internal Network
Internet Stateful Firewall 1
3
PC-A 200.200.200.2
Web Server 201.201.201.1
Figure1-1. Astatefulfirewalladdsaconnectiontoitsconnectiontable.
2. A stherequestreachesthestatefulfirewall,thefirewalltakestheuser’s information,forexample,thesourceanddestinationaddress,theIPprotocol, andanyprotocolinformation(suchasthesourceanddestinationportnumbers forTCP),andplacesthisdatainthestateorconnectiontable.
3. Thefirewallforwardstheuser’sHTTPrequesttothedestinationwebserver.
Figure1-2showsthereturningtrafficfromtheHTTPserver.Thesearethestepsas thetrafficreturnsfromthewebserver:
1. Thedestinationwebserversendsthecorrespondingwebpagebacktotheuser.
2. T hefirewallinterceptstheconnectionresponseandcomparesitwiththe entriesthatithasinitsstatetable.
■
Ifamatchisfoundintheconnectiontable,thereturningpacket(s)are permitted.
■
Ifamatchisnotfoundintheconnectiontable,thereturningpacket(s)are dropped.
Chapter 1:
ASA Product Family
Connection Table Inside IP Address IP Protocol Inside IP Port Outside IP Address Outside Port 200.200.200.2 TCP 11000 201.201.201.1 80
2
Internal Network
Internet Stateful Firewall 2A
1 2B
PC-A 200.200.200.2
Web Server 201.201.201.1
Figure1-2. Thestatefulfirewallchecksthereturningtrafficagainsttheinformationintheconnection table.
Astatefulfirewallmaintainsthisconnectiontable.Ifitseesaconnectionteardownrequestbetweenthesourceanddestination,thestatefulfirewallremovesthecorrespondingconnectionentry.Ifaconnectionentryisidleforaperiod,theentrywilltimeout,and thestatefulfirewallwillremovetheconnectionentry.
Statefulvs.PacketFilteringFirewalls The example in the previous section shows the difference between a stateful firewall andapacketfirewall.Astatefulfirewallisawareoftheconnectionsthatpassthroughit. Packetfirewalls,ontheotherhand,don’tlookatthestateofconnections,butjustatthe packetsthemselves. A good example of a packet filtering firewall is the extended access control lists (ACLs)thatCiscoIOSroutersuse.WiththeseACLs,therouterwilllookonlyatthefollowinginformationineachindividualpacket:
▼ S ourceIPaddress
■ DestinationIPaddress
9
10
Cisco ASA Configuration
■ IPprotocol
▲ I Pprotocolinformation,likeTCP/UDPportnumbersorICMPmessagetypes
Atfirstglance,becausetheinformationisthesamethatastatefulfirewallexamines, itlookslikeapacketfilteringfirewallperformsthesamefunctionsasastatefulfirewall. However,aCiscoIOSrouterusingACLsdoesn’tlookatwhetherthisisaconnection setuprequest,anexistingconnection,oraconnectionteardownrequest—itjustfilters individualpacketsastheyflowthroughtheinterface. NOTE CiscoIOSrouters,however,dosupporttwofeaturesthatimplementstatefulfirewallfunctions likethesecurityappliances:Context-BasedAccessControl(CBAC)anditsreplacement,Zone-Based Firewalls(ZBF). Some people might argue that the established keyword with Cisco’s extended ACLsimplementsthestatefulfunctionfoundinastatefulfirewall;however,thiskeywordonlylooksforcertainTCPflagslikeFIN,ACK,RST,andothersintheTCPsegment headersandallowsthemthrough.Again,therouterisnotlookingatthestateoftheconnectionitselfwhenusingextendedACLs,justinformationfoundinsidethelayer3and layer4headers.
SequenceNumberRandomization The security appliances include a security feature called Sequence Number Randomization(SNR),whichisimplementedbythesecurityalgorithm.SNRisusedtoprotectyou againstreconnaissanceandTCPsessionhijackingattacksbyhackers.Oneproblemwith theTCPprotocolisthatmostTCP/IPprotocolstacksuseafairlypredictablemethod when using sequence numbers—a sequence number in a TCP segment indicates the numberofbytessent.Withmanyconnectiontypes,ahackercanusethisinformationto makepredictionsconcerningthenextsetofdatatobesent,andthusthecorrectsequence number.Sophisticatedhackerswillthenusethisinformationtohijackthesession. The security appliance’s SNR feature addresses this problem by randomizing the TCPsequencenumbersthattheTCP/IPapplicationplacesintheTCPsegmentheader. Thesecurityappliancewillplacetheoldsequencenumberaswellasthenewsequence numberinitsconntable.Astrafficisreturnedfromthedestination,throughtheappliance,backtothesource,theappliancelooksforthisinformationandchangesitbackfor acknowledgmentpurposes. Forexample,aTCPsegmentmightpassthroughthesecurityappliancewherethe sequencenumberis578inthesegment,asshowninFigure1-3.TheSNRchangesthis sequencenumbertoarandomnumberandplacesitinthestatetable(992inthiscase), andforwardsthesegmenttothedestination.Thedestinationisunawareofthischange andacknowledgestothesourcethereceiptofthesegment,usinganacknowledgment number of 993. The appliance, upon receiving the reply, undoes the SNR process by changingthe993valueto579,sothatthesourcedeviceisnotconfused.Rememberthat theTCPacknowledgementprocesshasthedestinationincreasethesequencenumberby oneandusesthisastheacknowledgmentnumber.
Chapter 1:
ASA Product Family
Connection Table Inside TCP Sequence Number 578
Internal Network
SNR Sequence Number 992
578
992 Internet
579
Security Appliance
PC-A 200.200.200.2
993
Web Server 201.201.201.1
Figure1-3. ThesecurityapplianceSNRfeature
SECURITYALERT! Toboththesourceanddestinationdevices,theSNRprocessistransparent. Ciscohighlyrecommendsthatyoudonotdisablethisfeature.DisablingSNRopensyournetwork to TCP session hijacking attacks. However, in certain situations, like the use of MD5 for packet signatures,havingthesecurityappliancechangethesequencenumberwouldcorruptthesignature. Asyouwillseelaterinthisbook,youcandisableSNRgloballyorbeveryspecificaboutwhenitis disabled(likebetweentwoBGProutersusingMD5signatures).
Cut-throughProxy Asyousawintheprevioussection,thesecurityalgorithmimplementsmanysecurity featuresoftheoperatingsystembesidesthestatefulfirewallfunctionsoftheappliances. AnothersecurityalgorithmenhancementistheCut-throughProxy(CTP)feature.CTP allowstheappliancestointerceptincomingand/oroutgoingconnectionsandauthenticatethembeforetheyarepermitted.CTPistypicallyusedinsituationswheretheendservertheuserisconnectingtocan’tperformauthenticationitself. Theuserconnectionsarenottypicallyauthenticatedbytheapplianceitself,butby an external security server, such as the Cisco SecureAccess Control Server (CSACS).
11
12
Cisco ASA Configuration
CiscosupportsboththeTACACS+andRADIUSprotocolsforauthentication.TheCTP featureonanappliancecanauthenticatethefollowingconnectiontypes:
▼ F TP
■ HTTPandHTTPS
▲ T elnet
WhenthesecurityalgorithmisconfiguredforCTP,itfirstauthenticatesconnectionsbefore permittingthemthroughthefirewall.Figure1-4illustratesthestepsthatoccurforCTP:
1. UserPonginitiatesanFTPto200.200.200.2.
2. T heapplianceinterceptstheconnectionandchecksforanentryinitsconn table—iftheentryexists,theappliancepermitstheconnection(step4A).Inthis case,theuserhaspreviouslybeenauthenticated.
3. I ftheappliancedoesnotfindanentryintheconntable,itwillpromptthe userPongforausernameandapassword,andforwardthisinformationtothe securityserverforauthentication.
Authentication Table Allowed User Ping Pong
Allowed Application HTTP to 200.200.200.1 FTP to 200.200.200.2
User Ping
Cisco Secure ACS 3 2
4
Internal Network
Internet Security Appliance 4A
HTTP Server 200.200.200.1
4B
FTP Server 200.200.200.2
Figure1-4. ThebasicstepsoftheCut-throughProxyfeature
1
User Pong
Chapter 1:
ASA Product Family
4. T hesecurityserverexaminesitsinternalauthenticationtablefortheusername andpasswordandwhatservicethisuserisallowedaccessto—thesecurity serversendseitheranallowordenymessagetotheappliance.
■
Iftheappliancereceivesanallowmessage,itaddstheuser’sconnection informationtotheconntableandpermitstheconnection.
■
Iftheappliancereceivesadenymessage,itdropstheuser’sconnection,or, possibly,repromptstheuserforanotherusername/passwordcombination.
Oncetheuserhasbeenauthenticated,alltrafficwillbeprocessedbytheapplianceprimarilyatlayers3and4oftheOSIReferenceModel,sincetheuser’sconnectionisplaced intheconntable.ThisisdifferentfromyourtraditionalApplicationlayerproxy,where all traffic, from the authentication phase to the user’s actual data traffic, is processed atlayer7oftheOSIReferenceModel.WithCTP,theauthenticationphaseisprocessedat layer7,butdatatrafficis,forthemostpart,processedatlayers3and4. NOTE Cut-throughProxyauthenticatestheconnectionattheapplicationlayer,butprocessesthe subsequentdatastreamatlayers3and4. TheCTPfeatureissusceptibletoeavesdroppingbecausetheusernameandpassword aresentacrossthenetworkincleartext;thiscanbealleviatedbyusingHTTPSinstead oftelnet,FTP,orHTTP,sinceHTTPSusesSSLforencryption.Ifahackerhappenedtobe eavesdroppingonaclear-textconnectionwhiletheusernameandpasswordwerebeing transferredtotheappliance,thehackercouldusethisinformationtogainunauthorized accesstoyourinternalnetwork.Youcouldremovethisweaknesseitherbyusingonetimepasswords(OTPs)orbyusingasmartcardsystemwherethesmartcard-generated keyisonlyvalidonce.AnotherproblemwiththeCTPprocessisthattheusermighthave toauthenticatetwice:onceviaCTP,andthenagainattheactualend-servertheuseris attemptingtoaccess.CTPisdiscussedinChapter8.
PolicyImplementation Thesecurityalgorithmisresponsibleforimplementingandenforcingyoursecuritypolicies.Thealgorithmusesatieredhierarchythatallowsyoutoimplementmultiplelevels ofsecurity.Toaccomplishthis,eachinterfaceontheapplianceisassignedasecuritylevel numberfrom0to100,where0istheleastsecureand100isthemostsecure.Thealgorithmusesthesesecuritylevelstoenforceitsdefaultpolicies.Forexample,theinterface connectedtothepublicnetworkshouldhavethelowestsecuritylevel,whereastheinterfaceconnectedtotheinsidenetworkshouldhavethehighestsecuritylevel.Herearethe fourdefaultsecuritypolicyrulesfortrafficasitflowsthroughtheappliance:
▼ T rafficflowingfromahigher-levelsecurityinterfacetoaloweroneispermitted bydefault.
■ Trafficflowingfromalower-levelsecurityinterfacetoahigheroneisdenied bydefault.
13
14
Cisco ASA Configuration
■ Trafficflowingfromoneinterfacetoanotherwiththesamesecuritylevelis deniedbydefault.
▲ T rafficflowingintoandthenoutofthesameinterfaceisdeniedbydefault.
Figure1-5showsasimpleexampleofwhatisandisnotallowed.Inthisexample, theinternaluserwhoinitiatesaconnectiontoawebserverontheInternetispermitted out.Also, the security algorithm adds a connection in its conn table so that the returningtrafficfromtheexternalwebserverwillbepermittedbacktotheuser.Once theuserterminatestheconnection,theentrywillberemovedfromtheconntable.At thebottomofFigure1-5,auserontheInternetistryingtoaccessawebserveronthe inside of the network. The algorithm rules on the appliance automatically drop this trafficbydefault. Therulesinthepreviouslistarethedefaultrules.Youcancreateexceptionstothese rulesforthesecurityalgorithm,whichgenerallyfallintotwocategories:
▼ A llowingaccessbasedonauseraccount
▲ A llowingaccessbasedonafilter
Web Server
Internal User
Internal Network
Internet Security Appliance
Web Server
Figure1-5. Defaultrulesforthesecurityalgorithm’ssecuritypolicies
Internet User
Chapter 1:
ASA Product Family
Forexample,auserfromtheInternetwhoistryingtoaccessanFTPserveronthe insideofyournetworkisbydefaultdeniedtheconnection.Youcoulduseacoupleof methodstoopenasmallholeinthefirewalltoallowthisconnection:
▼ S etupCTPtoallowtheuser’sconnection.
▲ U seanaccesscontrollist(ACL)toopenatemporaryhole.
If only a handful of outside users need access to the FTP server, CTP is an excellent methodtouse.However,ifthisisapublicFTPserverwherepeoplefromtheInternetare constantlyaccessingfilesintheserver,andthesepeoplecouldbeanyoneintheworld, CTPdoesn’tprovideascalablesolution. Instead,youcanuseanACLtoopenatemporaryholeinthesecurityalgorithmto allowFTPtraffictothespecificFTPserverinsideyournetwork.Inthissense,youarecreatinganexceptiontotheappliance’sdefaultsecuritypolicy,whichistodenyallinbound trafficbydefault.BothoftheseexceptionrulesarediscussedinChapters6(ACLs)and 8(CTP). NOTE ConduitsandoutboundfiltersareCisco’solderimplementationonthePIXstofiltertraffic betweeninterfaces.BothmethodshavebeensupplantedonsecurityappliancesbyACLs.Startingin version7,conduitsandoutboundfiltersarenolongersupported.
Redundancy Cisco’ssecurityappliancessupporttwoformsofredundancy:
▼ T ype Hardwareandstatefulfailover
▲ I mplementation Active/standbyandactive/active
Not all appliances support failover. For failover to function properly, you need to meetthefollowingrequirements:
▼ F orthePIXs,useamodel515/515E,525,or535.FortheASAs,usetheASA 5505orhigher.
■ Useidenticalhardwaremodelsandcardsrunningthesameversionof software.
▲ C onnectthesecurityappliancestogetherwithafailovercable.
Thefollowingsectionswillbrieflyintroducethetwotypesandtwoimplementationsof failover.Chapter23willcoverfailoverinmoredepth.
FailoverTypes Thissectionwillintroducethetwotypesoffailover:hardwareandstatefulfailover.
15
16
Cisco ASA Configuration
Hardware Failover With hardware failover, only chassis redundancy is provided: if the primary security appliance in the failover configuration fails, the standby appliance will begin processing traffic. The only item replicated between the two appliances is theconfigurationused.Thistypeoffailoverisdisruptiveforcommunicationsthatwere beingtransportedbytheprimaryappliancebecausethenecessarytableinformationto maintain connections, like the state table, the translation table, and the VPN tables, is notsynchronizedbetweentheprimaryandstandbyappliances.Therefore,thistypeof failoverisnotstateful—usershavetoreestablishtheirconnectionswhenafailoveroccurs. ThetoppartofFigure1-6showsanexampleofanon-stateful(chassis)failoversetup. Stateful Failover A stateful failover configuration performs the same functions as a hardwarefailover—thetwomaindifferencesarethatastatefulfailoversetuprequires adedicatedFastorGigabitEthernetconnectionbetweentheprimaryandstandbyunit, andthestateinformationontheprimaryissynchronizedwiththestandbyacrossthis connection.ALANconnectionisusedtosynchronizetheprimary’sstate,translation, andVPNtableswiththestandbyunit. Aswithachassisfailover,thestandbyunitmonitorstheprimaryunit,andwhenit seesthattheprimaryisnotfunctioningcorrectly,thestandbyunitpromotesitselftothe
Primary
Non-Stateful Failover
Internal Network
Failover Cable
Internet
Secondary
Primary
Stateful Failover
Internal Network
Dedicated Fast Ethernet Cable
Failover Cable
Secondary
Figure1-6. Hardwarevs.statefulfailover
Internet
Chapter 1:
ASA Product Family
primaryrole.Whenitdoesthis,thecutovershouldbecompletelytransparenttotheusers andtheirconnectionsbecausethestatetableonthestandbyisthesameasthatontheprimary.AnexampleofastatefulfailoversetupisshowninthebottompartofFigure1-6. NOTE Startinginversion7.0oftheOS,VPNsessionsarealsoreplicatedbetweenthefailover appliances.
FailoverImplementations Thissectionwillintroducethetwofailoverimplementations:active/standbyandactive/ active. Active/Standby Failover Up through version 6 of the operating system, only active/ standbyfailoverwassupported.Bothhardwareandstatefulfailoveraresupportedinthis configuration. With the active/standby failover implementation, the primary security appliance assumes the active role, and the secondary appliance assumes the standby role.Whenanapplianceisinanactivestate,itforwardstrafficbetweeninterfaces;this isnottrueofthestandbyunit.Anapplianceinastandbystateonlymonitorstheactive unit,waitingforafailovertotakeplaceandthencuttingovertoanactiverole.Thesetwo rolesareshowninFigure1-7. Active/ActiveFailover Startinginversion7oftheoperatingsystem,Ciscoaddedanew failoverimplementationcalledactive/activefailover.Bothhardwareandstatefulfailover aresupportedinthisconfiguration.Withactive/activefailover,bothsecurityappliances can be processing traffic, basically taking advantage of the money you spent on both appliancesaswellasthebandwidthoftheEthernetcablesconnectedtothem.
Before Failure
Primary: Active
After Failure
Secondary: Standby
Figure1-7. Active/standbyfailoverimplementation
Primary: Failed
Secondary: Active
17
18
Cisco ASA Configuration
Before Failure
CTX1 CTX2
CTX1: Active CTX2: Standby
CTX1 CTX2
CTX1: Standby CTX2: Active
After Failure
CTX1 CTX2
CTX1: Failed CTX2: Failed
CTX1 CTX2
CTX1: Active CTX2: Active
Figure1-8. Active/activefailoverimplementation
Active/active failover is demonstrated in Figure 1-8. Use of active/active failover requirestheuseoftwocontexts,commonlycalledvirtualfirewalls(contextsarediscussed inthe“AdvancedFeaturesoftheOperatingSystem”section).Onasecurityappliance, foronecontexttheappliancewillperformtheactiverole,andfortheothercontextthe standbyrole.Ontheothersecurityappliance,therolesforthetwocontextsarereversed. Oftheappliancesthatsupportedfailover,onlytheASA5505doesn’tsupporttheactive/ activefailoverimplementation,sinceitdoesn’tsupportcontexts. NOTE TheASA5505doesnotsupportactive/activefailover.
AdvancedFeaturesoftheOperatingSystem AsImentionedearlier,Ciscodoesn’tusetheterm“firewall”whenreferringtotheASAs andPIXssincetheseproductsaremultifunctionsecuritydevices.Thissectionwillintroducesomeoftheadvancedfeaturesthatwillbediscussedthroughoutthebook.
AddressTranslation Few people realize the importance of the next statement, but the PIX was originally designed as an address translation solution: PIX actually stands for “Private Internet Exchange.” Only later were security features built into the product. Therefore, one of securityappliance’smainstrengthsisitsaddresstranslationabilities.Itcanperformthe followingtypesofaddresstranslation:
▼ D ynamicnetworkaddresstranslation(NAT)andportaddresstranslation(PAT)
■ StaticNATandPAT
Chapter 1:
ASA Product Family
■ Identityaddresstranslation:commonlyreferredtoastranslationexemption orNAT0
▲ P olicyaddresstranslation:controllingwhentranslationshouldtakeplace basedonthesourceanddestinationaddressesinvolved
AddresstranslationisdiscussedinChapter5.
TrafficFiltering ACLsarethemostcommonmethodofallowingtraffictotravelfromalowertohigher interface,aswellasrestrictingtrafficfromahighertoalowerinterface.ACLsaremade upoftwocomponents:creatingalistoffilteringstatementsandapplyingthestatements toaninterface.TohelpwiththeimplementationofACLs,inversion6.2oftheoperating system, Cisco introduced a concept called object groups. Basically an object group is a groupofobjectsofasimilartype,likeIPaddressesandnetworknumbers,TCPand/or UDP port numbers, IP protocols, and ICMP message types. You can create an object groupandthenreferenceitinasingleACLstatement. Forexample,ifyouneedtoallowwebtraffictothreedifferentservers,withoutobject groups,youwouldneedthreeindividualACLstatements.Instead,youcancreateanobjectgroupthatcontainsthethreeaddresses,andinasingleACLstatement,referencethe objectgroup.Objectgroupsthusgreatlysimplifythemaintenanceandunderstandingof ACLpolicies.ACLsandobjectgroupsarediscussedinChapter6. CiscoalsosupportsthefilteringofHTTPandFTPcontent,includingActiveXscripts, Javaapplets,andwebURLs.Thelastisonlysupportedwhenusedincombinationwitha webproxyserver.CurrentlyonlyWebsenseandSmartfilteraresupportedasproxyservers.Withatraditionalproxy,theuserestablishesaconnectiontotheproxy,andtheproxy connectstotheactualdestination,requiringtheproxytomaintaintwoconnectionsto transmit the data. With Cisco’s solution, the security appliance passes the URL to the proxyserver,theproxydetermineswhetheritisallowed,andtheresultispassedbackto theappliance,whichimplementsthepolicy.Thisapproachgreatlyincreasesthroughput and supports more connections since the user’s connection isn’t being proxied in the traditionalsense.
RoutingandMulticasting Originallytheappliancessupportedstaticrouting.Startinginversion6oftheoperating system, passive RIP and then OSPF were added. With passive RIP, the appliance can learnroutesfromneighboringRIProuters,butcanonlypassadefaultroutertoother RIProuters.WithOSPF,thesecurityapplianceisafullfunctioningOSPFrouter,having almostallthesameabilitiesasaCiscoIOSrouterrunningOSPF. Starting in version 8 of the operating system, Cisco enhanced the appliance’s RIP implementationtoincludeafullfunctioningRIProutingprocess.Ciscoalsoaddedthe supportfortheirproprietaryTCP/IProutingprotocol,EIGRP. Priortoversion6.2,thesecurityappliancescouldnotprocessmulticasttraffic:only unicasttrafficwouldbetransmittedbetweeninterfaces.Originally,tosolvethisproblem,
19
20
Cisco ASA Configuration
arouterwasplacedoneachsideofthesecurityappliance,andthemulticasttrafficwas tunneledusingtheGRETCP/IPprotocol,whichusesunicasts.Theproblemwithusing GREisthatitaddsoverheadtothetransmissionprocess:longerpacketsandincreased delay.Startinginversion6.2,Ciscoaddedsomemulticastcapabilitiestotheappliances: theycanproxyIGMPmessagesfromuserdevicestoanIGMProuter,andtheycanroute multicasttrafficusingstaticmulticastroutesorCisco’sproprietaryPIMroutingprotocol. RoutingandmulticastingarediscussedinmoredepthinChapter4.
IPv6Traffic Startinginversion7oftheoperatingsystem,IPv6supportwasadded.Today,youcan processbothIPv4andIPv6onthesameinterfaces.IPv6supportincludesthefollowing features,whicharediscussedinChapter9:
▼ I Pv6addressing,includingdualstackingofIPv4andIPv6addresseson interfaces
■ DefaultandstaticIPv6routes
■ FilteringIPv6packets
▲ I Pv6neighbordiscovery:staticanddynamic
Contexts Contexts,commonlycalledvirtualfirewalls,areanewfeatureintroducedinversion7of theoperatingsystem.ContextsarenotthesameasaproductlikeVMware,wheremultiple operating systems and their applications can be running on one device. Instead, contexts allow you to have multiple policies for different groups of people or traffic. Whenyou’reusingcontexts,allcontextsusethesameoperatingsystemandsharetheresourcesoftheappliance;however,eachcontextcanhaveitsownsecuritypoliciesandits owndedicatedorsharedresources(RAM,interfaces,andsoon).Twocommonexamples wherecontextsareusedinclude
▼ A ctive/activefailoverimplementation:twocontextsareneededonthe appliancetoimplementactive/activefailover.
▲ T wofirewalls,geographicallyclosetoeachother,withdifferentpolicies: insteadofpurchasingtwofirewalls,purchaseasecurityappliancewithtwo contexts,reducingyouroverallequipmentcosts.
ContextsarediscussedinmoredepthinChapter22.
TransparentFirewall Anotherfeaturedaddedinversion7isthetransparentfirewallfeature.Upthroughversion 6, the security appliances were layer 3, or routed, devices; you had to assign IP addressesontheinterfacesandroutebetweenthem.Nowyouhavetheoptionofrunningyourapplianceintransparentmode,whereitcanbehavesimilarlytoalayer2or transparentbridgeorswitch.AsyouwillseeinChapter21,whenrunningintransparent
Chapter 1:
ASA Product Family
mode,thesecurityappliancewillnotbehaveexactlyasatruetransparentbridge.For example,youcanstillapplypoliciesonyourappliancethatallowyoutoexaminethe payloadsofpackets(layer7oftheOSIReferenceModel).Twoadvantagesthattransparentmodeprovidesinclude
▼ Y oucaninsertasecuritydeviceintoanexistingLANsegmentorVLAN withouthavingtoreaddressthedevices.
▲ T heappliancetransparentlybridgedinterfacesdon’thaveIPaddresseson them,thusrestrictingaccesstotheappliance,whichgreatlyreducesthe likelihoodofanaccessattack.
VirtualPrivateNetworks(VPNs) CiscohassupportedVPNfunctionalityonthesecurityappliancessinceversion5ofthe operating system. Originally the only VPN solution supported was IPSec, with PPTP andL2TPaddedlater.Whenversion7wasrolledout,PPTPandL2TPsupportwerediscontinued;however,becauseofcustomerdemand,L2TPsupportwasaddedbackstartinginversion7.2.Anothermajoradd-onforVPNsinversion7wasSSLVPNs.Cisco’s SSLVPNimplementationisWebVPNandsupportsclientless,thinclient,andnetwork clientconnectionmethods.CurrentlyonlytheASAssupportSSLVPNs. ImplementingIPSecisdiscussedinthesechapters:
▼ C hapter15:ConfiguringIPSecPhase1policiesandparameters
■ Chapter16:ConfiguringIPSecsite-to-siteconnections
■ Chapter17:ConfiguringanIPSecremoteaccess(EasyVPN)server
■ Chapter18:ConfiguringanASA5505asaremoteaccessclient
■ Chapter19:ImplementingclientlessmodewithWebVPN
▲ C hapter20:ImplementingnetworkmodewithWebVPN
WebVPNisdiscussedinthesechapters:
TheconfigurationofL2TPisnotdiscussedinthisbook.
Anti-XCapabilities TheCiscoASA5500SeriesContentSecurityEditionisprovidedbytheContentSecurity and Control (CSC) Security Services Modules (SSM), or CSC-SSM for short. The CSC-SSMistechnologydevelopedbyTrendMicroandintegratedintoCisco’sASAhardwareplatform.TrendMicro’stechnologyincludesantivirus,antispyware,URLfiltering, antiphishing,andantispam.Becauseoftheterm“anti”inmanyofitsfeatures,thecard iscommonlycalledtheAnti-Xcard.BasicallythiscardallowsyoutocentralizethesecapabilitiesandpoliciesontheASAforsmallcompaniesthatdon’twanttomanagethese technologiesonindividualuserdesktops.Thesecardsaremanagedthroughtheuseof ASDMandarenotsupportedonthePIXappliances.Thecardsarediscussedinmore depthinChapter25.
21
22
Cisco ASA Configuration
IntrusionDetectionandPreventionSystems Allthesecurityappliancesimplementaverybasicformofintrusiondetectionandpreventionsystems(IDSandIPSrespectively).TheASAs,however,supportafull-blown implementationofIDS/IPSwiththeadd-onAdvancedInspectionandPrevention(AIP) SSMmodules(AIP-SSMforshort).ThesecardssupportthefullfunctionalityofCisco’s 4200seriessensors,includingthedetectionandpreventionofthefollowing:
▼ A pplicationandoperatingsystemattacks,includingweb,e-mail,andDNS attacks
■ Externalattacksfromhackers
■ Internalattacksfromdisgruntledemployees
■ Zero-dayexploits
▲ I nternetworms(throughtheuseofanomalydetectiontechniques)
TheAIP-SSMcardsarediscussedinmoredepthinChapter25.
NetworkAttackPrevention Thesecurityappliancessupportahandfulofnetworkattackpreventionfeatures:
▼ T hreatdetection
■ TCPnormalization
■ Connectionlimitsandtimeouts
▲ I Pspoofingprevention
Withthreatdetection,theappliancemonitorstherateofdroppedpacketsandsecurityevents,whichcanbecausedbymatchesonACLdenystatements,receivinginvalid packets,exceedingconnectionlimits(totalconnectionsandTCPconnectionsthatdon’t completetheinitialthree-wayhandshake),detectingdenialofserviceattacks,receiving suspiciousICMPpackets,overloadinginterfaces,detectingareconnaissancescan,and manyotherfactors.Whenathreatisdetected,alogmessageisgenerated. TheTCPnormalizationfeatureletsyouspecifymatchingcriteriathatidentifyabnormalTCPpackets,whichthesecurityappliancedropswhendetected.TCPnormalizationis implementedusingtheModularPolicyFramework(MPF,discussedinChapter10).TCP normalizationcanidentifyandpreventinconsistentTCPretransmissionsbyvalidating TCPchecksums,allowingordroppingTCPsegmentsthatexceedthemaximumsegment size(MSS),limitingthenumberofout-of-orderpacketsforaconnection,droppingSYN segmentswithdata,andhandlingmanyotherabnormalitieswithTCPtransmissions. CiscosupportsaTCPInterceptfeaturethatallowsyoutoplacelimitsonthenumber ofcompleteand/orhalf-openconnections.Ahalf-openconnectionisonethathasnotcompletedtheinitialthree-wayhandshake:SYN,SYN/ACK,andACK.Thisfeaturecanbe usedtodefeatorgreatlylimittheeffectofaTCPSYNfloodattack.
Chapter 1:
ASA Product Family
IPspoofing,wherethesourceaddresshasbeenchanged,canbedetectedandpreventedusingACLs.However,CiscosupportsafeaturecalledReversePathForwarding(RPF) thatprovidesamoreefficientprocess,wheretheappliancedoesareverse-routelookup— examinesthesourceaddressandcomparesitwiththeroutingtableentries—todetermine ifthesourceaddressiscomingfromaninterfaceitisexpectedtobeconnectedto. NetworkattackpreventionfeaturesarediscussedinmoredepthinChapter24.
ASAHARDWARE TheASAs are one of Cisco’s newer security products, introduced in May 2005 along withtheversion7.0operatingsystemupdate.TheASA5510,5520,and5540werethe firstASAs.Sincethen,threenewmodelswereaddedtotheproductline—the5505,5550, and5580—andfourrevisionsofthesoftwarehavebeenintroduced—version7.1,7.2,8.0, and8.1.ThefollowingsectionswilldiscusstheASAmodelsyoucanpurchaseaswellas thelicensingmethodCiscousestocontrolthefeaturesthatareactivatedonthesecurity appliances. NOTE Asofthewritingofthisbook,theASA5580ssupport8.1—theremainderoftheASAandPIX securityappliancessupportupto8.0.
ASAModels Unlike the PIX security appliances, which were originally designed on a PC-/serverbasedIntelarchitecture,theASAsaredesignedonaproprietaryhardwarearchitecture. Afewreasonsarebehindthischangeinphilosophy:
▼ B ecausethePIXsarebasedonanIntelPC/serverarchitecture,itispossible tobuildyourownboxandrunCisco’ssoftwareonthis(eventhoughthisis illegal).Ciscowantstomakesurethatyourunonlytheirsoftwareontheir hardware;therefore,theASAshardwarehasbeencustomizedtoaddressthis andotherissues.
▲ U singagenericmotherboardlimitsthecapabilitiesoftheappliances.By customdesigningtheASAs,Ciscohascreatedamuchmoreflexible,faster,and morecapableproduct.
TheremainderofthissectionwillprovideanoverviewoftheASAmodels. NOTE SincethePIXsareend-of-sale(EOS),theirarchitectureandcapabilitiesarenotdiscussedin thisbook.Sufficeittosay,however,thattheASAsbyfaroutperformthePIXsandhavemorecapacity thanthePIXs.Likewise,theASAsarethereplacementoftheCiscoVPN3000concentrators,which arealsoEOS.
23
24
Cisco ASA Configuration
ASA5505 TheASA5505isoneofthenewerASAsandreplacesthePIX501.Itismeantasasmall office,homeoffice(SOHO)device;however,itsthroughputandcapabilitiesputitalmost inparallelwithCisco’solderPIX515,whichtargetedmedium-sizecompanies.The5505 runsversion7.2andlateroftheoperatingsystem.Table1-1hasanoverviewofthefeaturesandcapabilitiesoftheASA5505.UnliketheotherASAs,the5505canbepurchased witha10-user,50-user,orunlimiteduserlicense.(TheotherASAsplacenorestrictionon thenumberofusers,oruniqueIPaddresses,theycanprocess.) Figure 1-9 displays the front and rear of theASA 5505 chassis. The front only has LEDsonit,whiletherearhastheconnectors.Thepowersupplyisexternaltothechassis. Abovethisisaslotthatisnotcurrentlyused:CiscoplansonproducingasmallerversionoftheCSC-SSMcardfortheASA5505;however,asofthewritingofthisbook,the cardisstillunavailable.Thereareeight“10/100”autosensingEthernetports.Thetwo ontheleftsupportPoE.TogaininitialCLIaccesstotheunit,aproprietaryCiscorollover cableisused:pins1–8ononesidearereversedontheother(8–1).Theconsolecableis alsousedwiththeotherASAswiththeexceptionofthe5580s.ThetwoUSBportscanbe usedtooffloadencryption/signaturekeyinginformation.Thereisalockdownconnector thatyoucanattachalockdowncabletosothatsomeonedoesn’twalkoffwiththeunit: it’sabout1/8thofthesizeofa1U(oneunithigh)chassisliketheASA5510.Belowthe lockdownconnectorisaresetbutton:whenit’spressed,ahardresetisperformed. NOTE It’salsorumoredthattheUSBportswilleventuallybeabletobeusedforadditionalflash storage.
Characteristic
Value
RAM
256MB
Flash
64MB
Includedinterfaces
8switchports,including2Power-over-Ethernet(PoE)
Throughput
150Mbps
Connections
10,000–25,000
IPSec/L2TPconnections 10–25 SSLVPNconnections
2–25
VPNthroughput
100Mbps
VLANs
3(trunkingdisabled)to20(trunkingenabled)
Table1-1. ASA5505Features
Chapter 1:
Power, Status, Active, VPN, and SSC LEDs
Link/activity LED
ASA 5505 Chassis (Front)
1
0
USB port
ASA Product Family
2
3
4
5
6
7
Speed LED Console port
SSC slot (future)
Lockdown connector
ASA 5505 Chassis (Rear) 7
Power connector
6
5
4
PoE ports 6–7
3
2
Ethernet ports 0–5
1
0
USB Reset ports button
Figure1-9. ASA5505chassisfrontandrear
ASA5510,5520,5540,and5550 TheASA5510,5520,5540,and5550allusethesamephysicalchassis:themaindifferencesbetweenthemaretheCPUandRAMusedonthemotherboard.Theseunitswere primarilytargetedatbranchofficetosmallerenterprisecustomers.The5510,5520,and 5540werethefirstASAsintroducedbyCisco.TheASA5550wasintroducedaboutthe sametimeastheASA5505.Table1-2hasanoverviewofthefeaturesandcapabilitiesof theseASAs. Figure1-10displaysthefrontandrearoftheASA5510,5520,5540,and5550chassis. Theunitisrack-mountableandisa1Uchassis.ThefrontonlyhasLEDsonit,whilethe rearhastheconnectors.OntheleftisanSSMslotforanoptionalSSMcard:AIP-SSM, CSC-SSM,andthe4-portGEcards.Totherightofthisisa10/100FastEthernetmanagementport.Themanagementportismeanttobeusedforout-of-bandmanagementof theappliancewhenusingthingslikeASDM,SSH,telnet,FTP,andotherIPmanagement protocolsorapplications.BelowthisaretwoUSBports.TotherightofthesearefourEthernetports.Onthe5520sandhighertheseareautosensing10/100/1000.Forthe5510, thesearelockeddown,insoftware,to10/100.Totherightoftheseportsisacompact flashcardslot.TheseASAshavebuilt-inflashonthemotherboard(seeTable1-2);you canaddadditionalflashbyinsertingacompactflashcard.Totherightoftheflashslot
25
26
Cisco ASA Configuration
Characteristic
5510
5520
5540
5550
RAM
256MB
512MB
1GB
4GB
Flash
64MB
64MB
64MB
64MB
Included interfaces
5FEand 1FE,4GE, 1FE,4GE,and 1FEand8GE optional4GE andoptional optional4GE 4GE
Throughput
300Mbps
450Mbps
650Mbps
1.2Gbps
Connections
50,000– 130,000
280,000
400,000
650,000
IPSec/L2TP connections
250
750
5,000
5,000
SSLVPN connections
2–250
2–750
2–2,500
2–5,000
VPNthroughput 170Mbps
250Mbps
325Mbps
425Mbps
VLANs
150
200
250
50–100
Table1-2. ASA5510,5520,5540,and5550Features
aretheconsole(CON)andauxiliary(AUX)ports—theyusethesamerollovercableas the5505uses.Totherightofthesearetheon/offswitchandthepowerreceptacle.(The powersupplyisbuiltintothesechassis,andonlyapowercordisnecessary.)
ASA5580 TheASA5580sarethenewestASAsintheASAlineup.Architecturally,theyarevery differentfromtheotherASAsandarethemostscalableofalltheASAs.Therearetwo models:theASA5580-20and5580-40.Theseunitsprimarilytargetlargedatacenterand campus environments. The 5580s require at least version 8.1 of the operating system. Table1-3hasanoverviewofthefeaturesandcapabilitiesoftheseASAs.Unliketheother ASAs,nodatainterfacesareincluded(onlytwomanagementinterfaces)—youbuythe cards you need. The Ethernet frame sizes used (normal versus jumbo) will affect the throughputforyourmodel. Figure 1-11 displays the front and rear of theASA 5580 chassis. The unit is rackmountable and is a 4U chassis. The front has LEDs on it, along with a power button, whiletherearhastheconnectorsandslots.UnliketheotherASAs,the5580shavetwo powersuppliesforredundantpower(thetopleftandrightofthechassis).Onthebottom leftaretwoUSBconnectorsthatperformthesameroleasontheotherASAs.Totheright
Chapter 1:
ASA Product Family
Power, Status, Active, Flash, and VPN LEDs ASA 5510, 5520, 5540, and 5550 Chassis (Front)
10/100 out-of-band management port ASA 5510, 5520, 5540, and 5550 Chassis (Rear)
Compact flash
0/3 0/2 0/1 0/0
SSM card slot
Two USB Four Ethernet ports: ports 5510: 10/100 5520, 5540, 5550: 10/100/1000
Figure1-10. ASA5510,5520,5540,and5550chassisfrontandrear
Characteristic
5580-20
5580-40
RAM
8GB
12GB
Flash
1GB
1GB
Includedinterfaces
None
None
Throughput
5–10Gbps
10–20Gbps
Connections
1,000,000
2,000,000
IPSec/L2TPconnections
10,000
10,000
SSLVPNconnections
2–10,000
2–10,000
VPNthroughput
1Gbps
1Gbps
VLANs
100–250
100–250
Table1-3. ASA5580Features
On/off switch
−0
Console and AUX ports
Power supply
27
28
Cisco ASA Configuration
Active, System, Power, M0/0, and M0/1 LEDs
Power button
ASA 5580 Chassis (Front)
Power supply
Console port 9
8 7
6
5
4 3
Power supply
2 1
ASA 5580 Chassis (Rear) 0/1 0/0 Two USB ports
PCI card slots: 1, 2, and 9 are reserved
Management 10/100 ports
Figure1-11. ASA5580chassisfrontandrear
oftheseareninePCIslotsforGigabitEthernet(GE)cards.Someslotsare“dual”slots, meaningthatsomecardstakeuptwoslots:theseareslots1and2,3and4,and7and8. Theotherslotsaresingle-cardslots.Slots1,2,and9arecurrentlyreservedandcannotbe usedforGEcards.TotherightofthePCIslotsisaDB-9consoleport.Andtotherightof thisportaretwo10/100FastEthernetmanagementports.
HardwareModules AlloftheASAssupportatleastonemodularcardslot.TheASA5505hasnocurrent cards available for it, but the otherASAs do. This section will briefly cover the cards availablefortheASA5510sandhigher.
GigabitEthernetModules TheASA5510throughthe5550supportoneGigabitEthernetmodule,calledtheCisco ASA4-PortGigabitEthernetSecurityServicesModule(4GESSM).Ithasfour10/100/1000 RJ-45portsandfoursmallform-factorpluggable(SFP)portsthatsupportbothcopper andfiberconnections.Eventhoughthecardhasatotalofeightports,youcanonlyusea
Chapter 1:
ASA Product Family
totaloffourbetweenthetwosets.IfyouusethefirstcopperRJ-45port,thenyoucannot usethefirstSFPport.WiththeASA5550,thiscardautomaticallyshipswiththeunit. TheASA5580ssupportahandfulofcardsthatyoucanplugintotheirPCIslots:
▼ C iscoASA55804-PortGigabitEthernetCopper
■ CiscoASA55804-PortGigabitEthernetFiber
▲ C iscoASA55802-Port10GigabitEthernetFiber
AIP-SSMModules TheAIP-SSMmodulesprovidethesamefunctionalityasthe4200IPSsensorsfortheASA 5510,5520,and5540appliances.HavingtheAIP-SSMcardsislikehavingaboxinsidea box:theyhavetheirownRAM,aflash-baseddrive,theirownprocessor,andtheirown operating system. They have one Gigabit Ethernet port for out-of-band management usingIP,likeCLIaccessusingSSHorGUIaccessusingIPSDeviceManager(IDM).To gettraffictothecardsothatthecardcanexamineitforattacks,youmustsetuppolicies intheASAoperatingsystemtohavetrafficeithercopiedtothecard(thecardactsasan IDS)and/orredirectedthroughthecard(thecardactsasanIPS).Thethreemodelsofthe cardareAIP-SSM-10,AIP-SSM-20,andAIP-SSM-40.Table1-4comparesthecards. NOTE Minimally,youmustberunningversion5oftheIPSsoftwareonthesecards.Ifyouwantto runversionIPS6.0orlater,Ciscorecommendsthattheappliancesberunningversion8.0orlater. Also,toobtainsignatureupdatesofnewattacksfromCisco,youmustpurchaseaseparatelicense forthecarditself.
CSC-SSMModules TheCSC-SSMcardsarefairlynewandprovideAnti-Xfeaturestothesecurityappliances.CiscoandTrendMicrohaveworkedtogethertodesignthesecards:Ciscoprimarily designedthehardware,andTrendMicroprovidedthetechnologybehindthesoftware.
Characteristic
AIP-SSM-10
AIP-SSM-20
AIP-SSM-40
Modelsupportand 5510:150Mbps 5510:300Mbps 5520:450Mbps throughput 5520:225Mbps 5520:375Mbps 5540:650Mbps 5540:500Mbps RAM
1GB
2GB
4GB
Flash
256MB
256MB
2GB
Table1-4. AIP-SSMFeatures
29
30
Cisco ASA Configuration
Characteristic
CSC-SSM-10
CSC-SSM-20
Modelsupport
5510 5520 5540
5520 5540
RAM
1GB
2GB
Flash
256MB
256MB
Standarduserlicense
50users
500users
Userupgradelicenses
100users 250users 500users
750users 1,000users
Table1-5. CSC-SSMFeatures
LiketheAIP-SSMcards,theCSC-SSMcardshavetheirownCPU,RAM,flashdrive,and operatingsystem.The“Anti-XCapabilities”sectionpreviouslyintroducedthecapabilitiesofthesecards.Thissectionwillfocusprimarilyonthetwodifferentcardsthatyou canpurchase. Thecardscomewithoneoftwolicenses:BaseandPlus.TheBaselicensesupports antivirus,antispyware,andfileblocking.ThePluslicenseaddsthesefeaturestotheBase license:antispam,antiphishing,URLblockingandfiltering,andcontentcontrol.When youpurchaseoneofthesecards,itincludesaone-yearsubscriptionforupdates;after thatperiod,youmustpurchaseanextensiontoyourlicensetocontinuereceivingupdatesforviruses,spyware,andsoon.Table1-5comparesthetwocards.
Licensing Thesecurityappliances,bothPIXsandASAs,areunusualcomparedwithmanyofCisco’sotherproducts:theyusealicenseschemetolockdownthefeaturesthatcanbeused bytheproduct.MoreandmoreofCisco’sproductsaremovinginthisdirection.Alicense key,whichispartlybasedontheserialnumberoftheappliance,isusedtounlockfeaturesoftheoperatingsystem.Sincetheserialnumberoftheapplianceisusedforthelicensekey,youcannottakeakeyfromoneapplianceanduseitonadifferentappliance. Licensekeyscanbeusedtounlockthefollowingfeaturesonsomeoftheappliances:
▼ N umberofconnectionsallowedinthestatetable
■ Numberofinterfacesthatcanbeused
■ AmountofRAMthatcanbeused
■ Encryptionalgorithmsthatcanbeused:DES,3DES,and/orAES
Chapter 1:
■ NumberofIPSec/L2TPVPNsessionssupported
■ NumberofSSLVPNsessionssupported
■ Numberofusersthattheappliancesupports
■ NumberofVLANsthatcanbeused
■ Whetherfailoverissupported
▲ N umberofcontextssupported
ASA Product Family
As mentioned in the “ASA 5505” section, per-user licensing is implemented. The ASA 5505 and 5510 have a Base and Security Plus license: these licenses restrict the numberofinterfacesyoucanuse,thenumberofentriesallowedinthestatetable,and whetherfailovercanbeimplemented.OnalltheASAs,yougettwoSSLVPNlicensesfor WebVPN.Ifyouwantmorethantwo,youhavetopurchasetheappropriatelicenseto unlockadditionalWebVPNsessions.Thisisalsotrueofcontexts:ontheASA5510,you minimallyneedtheSecurityPluslicensetousecontexts,butthisisnottruefortheother higher-endASAs.AssumingyourASAsupportscontexts,yougettwocontextsforfree: foradditionalcontexts,youpurchasetheappropriatelicenseforthenumberofcontexts youneed.Upgradingyourlicensekeytounlockfeaturesisdiscussedinmoredepthin Chapter26.
31
This page intentionally left blank
2 CLI Basics
33
34
Cisco ASA Configuration
T
helastchapterfocusedonthefeaturesoftheCiscoASAsecurityappliancesand thevariousASAmodelsintheCiscoproductlineup.Startingwiththischapterand continuingthroughtheremainderofthisbook,Iwillfocusonhowtoconfigure yoursecurityappliancetomeettherequirementsoutlinedinyoursecuritypolicy.This chapterwillfocusonthefollowingtwoitems:
▼ A ccessingtheappliance
▲ B ecomingfamiliarwiththecommand-lineinterface(CLI)oftheappliance
Thenextchapterwillfocusoncreatingaverybasicconfigurationforyourappliance.
ACCESSTOTHEAPPLIANCE Ciscooffersthreemainmethodsforconfiguringyoursecurityappliance:
▼ C ommand-LineInterface(CLI)
■ AdaptiveSecurityDeviceManager(ASDM)
▲ C iscoSecurityManager(CSM)
Thefollowingsectionsprovideanoverviewoftheseaccessmethods.
ConsoleAccess Themostpopularmethodofconfiguringthesecurityappliance,andyourinitialaccess toit,isbyusingtheCLI.TheCLIissimilartothatusedbyCisco’sIOS-basedroutersand switches.IfyouhaveconfiguredCiscoroutersand/orswitchesbefore,becomingaccustomedtotheappliance’sCLIandconfiguringandmanagingtheappliancewillbefairly easy.TogainaccesstotheCLI,youcanuseoneofthefollowingaccessmethods:console port,auxiliaryport(oncertainASAmodels),telnet,andsecureshell(SSH). Forconsoleaccess,youneedtoconnectoneendofCisco’sribbonserialcabletothe consoleinterfaceoftheappliance,andtheotherendtoanRJ-45-to-DB9terminaladapter thatyou’llattachtotheserialportofyourPC.OnyourPC,you’llneedtorunasoftwarepackagelikeHyperTerm,Putty,TeraTerm,orsomeotherprogramthatperforms terminalemulation.Inyourterminalemulationprogram,you’llneedtousethesettings showninTable2-1foraccesstothesecurityappliance’sconsoleport. YoucanalsoaccesstheCLIofthesecurityapplianceviatelnetandSSH.Forsecurity reasons,Ciscodeniesbothofthesetypesofremoteaccess—youmustperformsomeconfigurationtaskstoallowtheseaccessmethods.Ofthesetwomethods,SSHismoresecure becauseSSHencryptsinformationbetweenyourPCandtheappliance.Iwilldiscussthe configurationsofthesetwomodesofaccesstotheapplianceinthenextchapter.
Chapter 2:
Setting
Configuration
BaudRate
9600bps
DataBits
8
StopBits
1
Parity
None
FlowControl
None
CLI Basics
Table2-1. TerminalEmulationSettingsfortheAppliance’sConsoleAccess
OtherAccessMethods CiscosupportstwoGUI-basedproductsthatallowyoutoconfigureandmanageyour securityappliance.TheAdaptiveSecurityDeviceManager(ASDM)isusedasanalternativetotheCLI.ManyadministratorsareveryfamiliarwithGUI-basedinterfacesand don’tfeelcomfortableworkingwiththeOS-styleCLI.Forthem,CiscoofferstheASDM software.ASDMoffersaneasy-to-useweb/Java-basedGUIthatletsyounotonlyconfigureyourappliance,butalsomanageit.WithASDM,youcanperformcomplexconfigurationtasksandgatherimportantstatistics.Chapter27coverstheuseoftheASDM. NOTE ASDMreplacesthePIXDeviceManager(PDM)startinginversion7oftheoperatingsystem. Ifyouarerunningversion6orearlieronaPIX,thenyou’llneedtousePDMforaGUI-basedtool. CiscoalsooffersanalternativeGUIproductcalledtheCiscoSecurityManager(CSM). CSMismoreofamanagementtoolthanaconfigurationtool.Oneproblemthatlarger internetworksfaceisthemanagementofpolicies,especiallysecuritypolicies,acrossa broadrangeofdevices.Ifyouhave50perimeterroutersand20ASAs,ensuringthatallof thesesecuritydeviceshavetheappropriatesecuritypoliciesappliedtothemcanbecome adauntingtask.CSMallowsyoutocreateyoursecuritypoliciesfromasinglemanagementplatformandthenhavethesepoliciesappliedtotheappropriatedeviceorgroup ofdevices.WithCSM,youcancreateseparatesetsofpoliciesbasedonthelocationand thetrafficflowingthroughthesedevices.CSMevensupportschangemanagementtools toensurethatanextrasetofeyescanviewandapprovethechangesbeforetheyareappliedtodevicesinyournetwork. NOTE Inthissense,CSMisnotatoolyou’dusetoconfigureanindividualsecurityappliance,but ratheratoolyou’dusetomanagethesecuritypoliciesonmultiplesecurityappliances.
35
36
Cisco ASA Configuration
CLI MostofthisbookwillfocusontheCLIoftheASAoperatingsystem(OS).Asyouwill seethroughoutthisbook,theCLIthattheOSusesisverysimilartothatofCisco’sIOSbasedroutersandswitches.BeforewarnedthattherearedifferencesbetweentheCLIsof theseoperatingsystems.Inotherwords,youwillseemanyofthesamecommandsused onbothproducts;however,justasmanycommandsaswellasotheritemsmakethetwo CLIsdistinctlyunique. NOTE UnderstandthatthesecurityappliancesdonotruntheIOS—Ciscoroutersandswitchesuse theIOSoperatingsystem.CiscohasdesignedtheOSofthesecurityappliances,especiallystarting inversion7andlater,tohighlymimicthatoftheIOSCLI.However,thegutsoftheoperatingsystem (thecodetoimplementthesecurityalgorithmandmanyoftheappliance’sfeatures)aredifferentfrom theIOS.
ASABootupSequence Thesecurityappliancebootupsequenceissimilartothebootupofanynetworkingdevice.TheappliancefirstloadsitsBIOS,performssomediagnosticchecksonitshardware components,andthenloadstheOS,asshowninListing2-1. Listing2-1.ThebootupsequenceofanASA5505 CISCOSYSTEMS EmbeddedBIOSVersion1.0(12)608/21/0617:26:53.43 LowMemory:632KB HighMemory:251MB PCIDeviceTable. BusDevFuncVendIDDevIDClassIrq 00010010222080HostBridge 00010210222082ChipsetEn/Decrypt11 000C0011484320Ethernet11 CiscoSystemsROMMONVersion(1.0(12)6)#0:MonAug2119:34:06 PDT2006 PlatformASA5505 UseBREAKorESCtointerruptboot UseSPACEtobeginbootimmediately. LaunchingBootLoader... Defaultconfigurationfilecontains1entry. Searching/forimagestoboot. Loading/asa803-k8.bin...Booting...
Chapter 2:
CLI Basics
Loading... Processormemory188010496,Reservedmemory:20971520(DSOs:0+ kernel:20971520) TotalSSMsfound:0 TotalNICsfound:10 88E6095rev2GigabitEthernet@index09MAC:0000.0003.0002 88E6095rev2Ethernet@index08MAC:001f.9e2e.e519 88E6095rev2Ethernet@index07MAC:001f.9e2e.e518 88E6095rev2Ethernet@index06MAC:001f.9e2e.e517 Licensedfeaturesforthisplatform: MaximumPhysicalInterfaces:8 VLANs:20,DMZUnrestricted InsideHosts:10 Failover:Active/Standby VPN-DES:Enabled VPN-3DES-AES:Enabled VPNPeers:25 WebVPNPeers:2 DualISPs:Enabled VLANTrunkPorts:8 AnyConnectforMobile:Disabled AnyConnectforLinksysphone:Disabled AdvancedEndpointAssessment:Disabled ThisplatformhasanASA5505SecurityPluslicense. CiscoAdaptiveSecurityApplianceSoftwareVersion8.0(3) Cryptochecksum(unchanged):5e355bee9afd42b6c4dc6f57fb869c8e Typehelpor'?'foralistofavailablecommands. ciscoasa>
Listing2-1isanexampleofthebootupsequencefromanASA5505.I’veomittedsome outputinformationfromListing2-1,focusingonsomeofthemoreimportantinformation.YoucanseesomebasicinformationaboutyourASA,liketheversionofitsBIOS,the versionoftheOS,andthefeaturesenabledforyourappliance. TheASA5505inListing2-1hasthefollowingfeaturesenabled:10insidehosts(users); 25 VPN peers; 2 WebVPN peers; DES, 3DES, andAES encryption algorithms; active/ standbyfailover;andanunrestrictedDMZ. Oncetheappliancehascompletedbooting,theCLIpromptappears.ForaPIX,this wouldbepixfirewall>;foranASA,thiswouldbeciscoasa>,asshownatthebottom ofListing2-1.
37
38
Cisco ASA Configuration
CLIModes ThesecurityappliancessupportdifferentlevelsofaccesstotheOS.Theselevels,andthe userpromptsthatgowiththem,areshowninTable2-2. LookingatthelevelsofaccessanduserpromptslistedinTable2-2,youwouldthinkthat youweredealingwithaCiscoIOSdevice.LikeaCiscoIOSdevice,thesecurityappliances havethreemainlevelsofaccess:UserEXEC,PrivilegeEXEC,andConfigurationmodes.
UserEXECMode UserEXECmodeisthefirstmodethatyouarepresentedwithonceyoulogintoasecurityappliance.Youcantellthatyouareatthismodebyexaminingtheprompt:the promptwillcontainthenameoftheappliance,whichdefaultstopixfirewallforaPIX orciscoasaforanASA,andisfollowedbythe>symbol.Thefollowingisanexample ofgainingaccesstoUserEXECmode: Typehelpor'?'foralistofavailablecommands. ciscoasa>
Within any of the access modes of the appliance CLI, you can pull up context- sensitivehelpbyeithertypinginthehelpcommandorenteringa?,likethis: ciscoasa>? clearResetfunctions enableTurnonprivilegedcommands exitExitfromtheEXEC helpInteractivehelpforcommands loginLoginasaparticularuser logoutExitfromtheEXEC pingSendechomessages quitExitfromtheEXEC showShowrunningsysteminformation tracerouteTraceroutetodestination ciscoasa>
LevelofAccess
UserPrompt
UserEXECmode
ciscoasa>
PrivilegeEXECmode
ciscoasa#
Configurationmode
ciscoasa(config)#
MonitororROMMONmode
>orrommon>
Table2-2. TheLevelsofAccesstotheAppliance
Chapter 2:
CLI Basics
OnaCiscoIOSdevice,UserEXECmodeallowsyoutoexecutealimitednumberof basic management and troubleshooting commands. However, from User EXEC mode onanappliance,youronlyrealoptionsaretoenterPrivilegeEXECmode,logoutofthe appliance,performbasicIPconnectivitytroubleshooting,andtoexecuteonlyahandful ofshowcommands.TologoutoftheappliancewhileinUserEXECmode,usetheexit orquitcommands.
PrivilegeEXECMode PrivilegeEXECmodeisalevelofaccessonestepaboveUserEXECmode.Accesstothis modegivesyoucompleteaccesstoyourappliance.Togainaccesstothismode,youfirst mustaccessUserEXECmodeandthentypeintheenablecommand,asshownhere: ciscoasa>enable Password: ciscoasa#
YouwillalwaysbepromptedforthePrivilegeEXECpassword,evenifoneisnotconfigured. Asyoucanseeinthisexample,theCLIpromptchangesfromciscoasa>to ciscoasa#, indicatingthatyouarenowatPrivilegeEXECmode.Toviewthecommandsthatyoucan useinPrivilegeEXECmode,eithertypeinthe helpcommandorentera ?.Becauseyou areinPrivilegeEXECmode,youwillseeacoupleofscreenswithcommandsthatyoucan execute—manymorethaninUserEXECmode. TogobacktoUserEXECmode,usethedisablecommand.Whenyouexecutethis command,thepromptwillchangefroma#toa>.Ifyouwanttologoutoftheappliance, fromeitherUserorPrivilegeEXECmode,usetheexitorquitcommand.
ConfigurationMode Configurationmodeisusedtoentermostofyourappliance’sconfigurationimplementationsandchanges.ToenterConfigurationmode,you’llneedtoexecutetheconfigure terminalcommandfromPrivilegeEXECmode,asshownhere: ciscoasa#configureterminal ciscoasa(config)#
Noticethatthepromptchangedfrom#to(config)#whenyouenteredtheconfigure terminalcommand,indicatingthatyouarenowinConfigurationmode.Toviewthe commandsthatyoucanexecuteinConfigurationmode,enterthehelpcommandor?. Ifthemessageshowsupatthebottomofthescreen,thereismoreinfor-
mationthancanfitintoonescreen.Pressing ENTERwillscrolldownthroughtheoutput onelineatatime;pressingthe SPACEBARwillscrolltheinformationdownonescreenat atime. TIP Interestingly,unlikewithCisco’sIOSdevices,youcanexecutePrivilegeEXECcommandsin Configurationmodeonasecurityappliance.
39
40
Cisco ASA Configuration
ToexitConfigurationmode,eitherentertheexitorendcommand,orpressCTRL-Z, whichwillreturnyoutoPrivilegeEXECmode. NOTE LikeCiscoIOSdevices,theappliancessupportvarioussubconfigurationorsubcommand modestoconfigurevariouscomponentssuchasinterfacesandroutingprotocols.
ROMMonitor(ROMMON)Mode ROMMONmodeissimilartoROMMONonaCiscoIOSdevicelikearouter—itistypicallyusedtoperformpasswordrecovery,low-leveltroubleshooting,andtorecoverfrom alostorcorruptoperatingsystem.ThePIXssupportasimilarmodecalledMonitormode thatperformsthesefunctions. ToaccessROMMONmode,you’llfirstneedtorebootyourappliancetohaveaccess to the appliance’s console port.As the appliance boots up, you’ll see a message that statesUseBREAKorESCtointerruptflashboot.Pressoneofthesekeyswithin 10secondsofseeingthismessage,andyou’llbetakenintoROMMONmode,asshown inListing2-2. Listing2-2:AccessingMonitormodeonyourPIX CISCOSYSTEMS EmbeddedBIOSVersion1.0(12)608/21/0617:26:53.43 EvaluatingBIOSOptions... LaunchBIOSExtensiontosetupROMMON CiscoSystemsROMMONVersion(1.0(12)6)#0:MonAug2119:34:06 PDT2006 PlatformASA5505 UseBREAKorESCtointerruptboot. UseSPACEtobeginbootimmediately. Bootinterrupted. Ethernet0/0 MACAddress:001f.9e2e.e51a LinkisDOWN Use?forhelp. rommon#0>
NoticethatattheendofListing2-2,thepromptnowreadsrommon#0>.Toseethe commands that you can execute at ROMMON mode, enter the help command or ?. TohavetheASAloadtheOSandcontinuewiththebootupprocess,eitherrepowerthe ASA,orexecutethe reloadcommand.IwilldiscussROMMONmodeinmoredepth whenIcoverthepasswordrecoveryprocedureinChapter26.
Chapter 2:
CLI Basics
NOTE Whileyou’reinROMMONorMonitormode,thesecurityapplianceswillnotpassanytraffic betweeninterfaces;youmusthavetheapplianceloadtheOStoaccomplishthis.
ASAandRouterIOSCLIComparison Sofarinthischapter,theCLIthatappliancesuseappearstobeverysimilartowhatCisco’s IOSdevicesuse.HerearesomeofthedifferencesbetweentheapplianceandIOSCLI:
▼ W iththeappliances,youcanexecuteshowcommandsinbothPrivilegeEXEC andConfigurationmode.
▲ U serEXECmodeonanappliancehasaverylimitedsetofcommandsthatyou canexecutecomparedwiththecommandsforIOSdevices.
Giventhesedifferences,however,thesetwoproductshavemanyCLIfeaturesincommon:
▼ C ontext-sensitivehelp
■ Commandabbreviation
■ Historyrecall
▲ C LIeditingfeatures
ThefollowingsectionscoverthebasicsofthesePIXCLIfeatures.
Context-SensitiveHelp Ihavealreadycoveredthehelpand?commandstopulluphelpateachaccesslevel.Inadditiontoseeingalistofcommandsavailabletoyouateachaccesslevel,youcanalsoaccess helpforaspecificcommand.Ciscoreferstothishelpascontext-sensitivehelp.Thecontextsensitivehelpavailabletoyouwasradicallychangedfromversion6oftheOStoversion7. Inversion6andearlier,theCLIhelpofthePIXwasnotasfeature-richasthatofIOS-based devices.Startinginversion7,theCLIhelpmimicswhatisfoundonIOSdevices. Youcanpulluphelpforacommandbytypinginthecommandandfollowingitby aspaceanda?,likethis: ciscoasa(config)#clock? configuremodecommands/options: summer-timeConfiguresummer(daylightsavings)time timezoneConfiguretimezone execmodecommands/options: setSetthetimeanddate ciscoasa(config)#clock
Inthisexample,IwasinConfigurationmodewhenIusedhelpfortheclockcommand.Thehelpcanbebrokenintotwoormoresections.Intheprecedingexample,ConfigurationandEXECmodeparameterscanbeexecutedfromthemodeI’mcurrentlyin. TheConfigurationmodecommandsare clock summer-timeand clock timezone,
41
42
Cisco ASA Configuration
andtheEXECmodecommandis clock set.Alsonoticethatafterthehelpoutputis displayed,thecommandthatyoutypedisredisplayedonthecommandline;inthiscase, it’stheclockcommand.
CommandAbbreviation AnothernicefeatureoftheapplianceCLIisthatyoucanabbreviatecommandsandcommandparameterstotheirmostuniquecharacters.Forexample,togofromUserEXEC toPrivilegeEXECmode,youusethe enablecommand.The enablecommandcanbe abbreviatedto en.Whenyouentera ?ataUserEXECprompt,you’llnoticethatthere aretwocommandsinUserEXECmodethatstartwiththelettere: enableand exit. Therefore,youcannotabbreviatetheenablecommandtothelettere.Ifyouweretoattemptto,theappliancewouldgiveyouanambiguouscommanderrormessage. Thecommandabbreviationfeatureisnotjustrestrictedtoappliancecommands,but alsoappliestotheparametersforthesecommands.Asanexample,toaccessConfigurationmode,youcanenter con t,whichisshortfor configure terminal.Youcan use another useful abbreviation when you are entering a wildcard for an IP address: 0.0.0.0canbeabbreviatedtojustthenumber0. If you are not sure how to spell a command, you can start typing in some of the characters and press TAB to autocomplete the command—if you don’t type in enough characters to make the command unique, nothing will be displayed. However, if you typeinenoughcharacterstomakethecommandunique,you’llseesomethinglikethe followinglisting: ciscoasa>en ciscoasa>enable
HistoryRecall Eachaccessleveloftheappliancestoresthecommandsthatyoupreviouslyexecutedina historybuffer—thesecommandscanberecalled,edited,andthenexecuted.Thehistory recallfeatureworksthesameasthatonIOSdevices.Table2-3liststhecontrolsequences torecallcommands.
ControlSequence
Explanation
CTRL-P
Recallthelastcommand.
UPARROW
Recallthelastcommand.
CTRL-N
Fromapreviouscommandinthehistorylist,recallamore recentone.
DOWNARROW
Fromapreviouscommandinthehistorylist,recallamore recentone.
Table2-3. ControlSequencesfortheHistoryFeature
Chapter 2:
CLI Basics
Toviewthecommandsthatyouhaveexecutedatanaccesslevel,movetothataccess level,andexecutetheshowhistorycommand,likethis: ciscoasa(config)#showhistory en cont exi cont showhistory ciscoasa(config)#
OneinterestingpointaboutthisexampleisthatfromConfigurationmode,youcansee commandsthatyouexecutedinbothConfigurationmodeandPrivilegeEXECmode.
EditingFeatures Whenyouusethehistoryrecallfeature,youmaywanttoeditthecontentsofarecalled command.Thecontrolsequencesusedbythesecurityappliancesarealmostthesameas thoseusedbyIOSdevices.ThesesequencesarelistedinTable2-4. Ifyouseea$signatthebeginningofacommandlinewhenyouareperformingyour editingfunctions,thisindicatesthatthecompletecommandcannotfitinthedisplayand thatmorelettersaretotheleftofthe$.Bydefault,youcanhaveupto512characterson acommandline—anyextracharactersareignored.
ControlSequence
Description
CTRL-A
Takesyoutothebeginningofthecommandline
CTRL-E
Takesyoutotheendofthecommandline
CTRL-B
Takesyoubackonecharacteratatime
LEFTARROW
Takesyoubackonecharacteratatime
CTRL-F
Takesyouforwardonecharacteratatime
RIGHTARROW
Takesyouforwardonecharacteratatime
CTRL-D
Deletesthecharacterthatthecursorison
BACKSPACE
Deletesthecharacterthatistotheleftofthecursor
CTRL-L
Redisplaysthecurrentline
CTRL-U
Erasesthecurrentlineandputsthecursoratthebeginning
CTRL-W
Erasesthecharacterstotheleftofthecursoruntilthenext spaceisreached
Table2-4. ControlSequencesforEditing
43
This page intentionally left blank
3 Basic ASA Configuration
45
46
Cisco ASA Configuration
T
helastchapterfocusedonintroducingyoutothecommand-lineinterface(CLI) ofthesecurityappliances.Startingwiththischapterandcontinuingthroughthe remainderofthisbook,Iwillfocusonhowtoconfigureyourappliancetomeetthe requirementsoutlinedinyoursecuritypolicy.Thischapterwillfocusoncreatingavery basic configuration for your appliance. If you have configured Cisco IOS devices like routersandswitches,theconfigurationoftheappliances,asyouwillsee,issomewhat similar.Thetopicsinthischapterinclude
▼ U singthesetupscripttoplaceaninitial,andverybasic,configurationonan appliance
■ Usingbasicmanagementcommandstoview,backup,andrestoreyour applianceconfiguration
■ Enteringcommandstoplaceabasicconfigurationonyourappliance,including aname,passwords,aloginbanner,andinterfaceparameters
■ AllowingremoteaccesstoyourapplianceusingtelnetandSSH,andtesting connectivitywithpingandtraceroute
■ Viewinginformationaboutyourappliance,includinghardwareandversion informationandCPUandmemoryutilization
▲ U singasimpleconfigurationexampletopulltogethertheinformation discussedinthechapter
SETUPSCRIPT Theappliancessupportashortscriptingutilitythatenablesyoutocreateaverybasic configurationontheapplianceandtostorethatconfigurationinflash.Whenyouboot upanewsecurityappliance,orifyouerasetheconfigurationfilewiththewriteerase commandandrebootthesecurityappliance,theappliancewillstartthesetupscriptutilityautomaticallybeforepresentingyouwiththeUserEXECCLI. Withthesetupscript,youcanbasicallyconfigurethefollowing:
▼ W hethertheapplianceisrunninginroutedortransparentmode(routedis thedefault)
■ Theenablepassword(PrivilegeEXECaccess)
■ Thepasswordrecoveryprocess(discussedinChapter26)
■ Thecurrentdateandtime
■ TheIPaddressandsubnetmaskoftheinsideinterface
■ Anameanddomainnamefortheappliance
▲ T hemanagementstationorPCthatcanaccesstheapplianceontheinside interfaceusingASDM(discussedinChapter27)
Chapter 3:
Basic ASA Configuration
YoucanalsostartthescriptmanuallybyenteringConfigurationmodeandexecuting thesetupcommand,asshownhere: ciscoasa(config)#setup Pre-configureFirewallnowthroughinteractiveprompts[yes]? FirewallMode[Routed]: Enablepassword[]: Allowpasswordrecovery[yes]? Clock(UTC): Year[2008]: Month[Jul]: Day[17]: Time[09:46:57]: InsideIPaddress:10.0.1.1 Insidenetworkmask:255.255.255.0 Hostname:bigdog Domainname:dealgroup.com IPaddressofhostrunningDeviceManager:10.0.1.11 Thefollowingconfigurationwillbeused: Enablepassword: Allowpasswordrecovery:yes Clock(UTC):09:46:57Jul172008 FirewallMode:Routed InsideIPaddress:10.0.1.1 Insidenetworkmask:255.255.255.0 Hostname:bigdog Domainname:dealgroup.com IPaddressofhostrunningDeviceManager:10.0.1.11 Usethisconfigurationandwritetoflash?yes INFO:Securitylevelfor"inside"setto100bydefault. WARNING:httpserverisnotyetenabledtoallowASDMaccess. Cryptochecksum:411b602526142b6fcff4a91151351c72 1409bytescopiedin1.860secs(1409bytes/sec) Typehelpor'?'foralistofavailablecommands. bigdog(config)#
The script prompts you for your configuration parameters. If an entry appears in brackets([]),youcanpress ENTERtoacceptthisdefaultvalue.Ifadefaultvalueisnot listed,youmustenteraparameter.Onelimitationofthescriptisthatifyoumakeamistake,youhavenowayofgoingbacktothepreviousquestion;however,youcanpress CTRL-Ztoabortthescriptanditschanges.Ofcourse,onceyouaredoneansweringthese questions, you can answer “no” to the question “Use this configuration and write to flash?”andrestartthescript.Asyouwillseethroughoutthisbook,mostconfiguration
47
48
Cisco ASA Configuration
tasksrequireyoutoentertheactualcommand(becausethescriptlacksmostconfiguration tasks). Because of this, most security appliance veterans never bother using the setupcommand,butmanuallyperformthisprocessbyenteringtheappropriate appliancecommandsinConfigurationmode. NOTE IfyouareexecutingthesetupscriptfromConfigurationmode,oneinterfacemustbelabeled as“inside,”haveasecuritylevelassignedtoit,andenabled.
BASICMANAGEMENTCOMMANDS ThesecurityappliancesuseflashmemorytostoretheOS,theASDMimage,andthe applianceconfigurationfile.AswithIOSdevices,wheneveryoumakeconfiguration changes, these changes affect only the configuration that is running in RAM—the configurationthattheapplianceisactivelyusing(commonlycalledtherunningconfiguration,orrunning-configforshort).Youmustmanuallyenteracommandtocopy theconfigurationtoflashinordertosaveit.Thissectioncoversthecommandsthat youcanusetomanipulateyourconfigurationfiles.Manipulatingotherfilesinflash isdiscussedinChapter26.
ViewingConfigurations Onthesecurityappliances,youhavetwolocationsforaconfigurationfile:
▼ R AM Commonlycalledtherunning-config
▲ F lash Commonlycalledthestartup-config
ViewingtheRunning-ConfigFile ToviewtheconfigurationrunninginRAM,usetheshowrunning-configcommand, whichrequiresyoutobeineitherPrivilegeEXECorConfigurationmodetoexecuteit: bigdog#showrunning-config :Saved : ASAVersion8.0(3) ! hostnamebigdog domain-namedealgroup.com enablepassword8Ry2YjIyt7RRXU24encrypted names
Chapter 3:
Basic ASA Configuration
ViewingtheStartup-ConfigFile Toviewthestartup-configfileinflash,usetheshowstartup-configcommand: bigdog#showstartup-config :Saved :Writtenbyenable_1at09:47:01.816UTCThuJul172008 ! ASAVersion8.0(3) ! hostnamebigdog domain-namedealgroup.com enablepassword8Ry2YjIyt7RRXU24encrypted names
Youcanstoremorethanoneconfigurationfileinflash;however,thedefaultfilethat isloadedonbootupisthestartup-configfile,unlessyouoverridethisbehavior.Moreon thistopicisdiscussedinChapter26.
ViewingPartialConfigurations Youalsohavetheabilitytoviewpartialconfigurationsorcommandsfromtherunningconfigfilebyusingtheshowcommand: ciscoasa#show{running-config|startup-config}command
Here’sanexampleofviewingtheinterfaceconfigurationsintherunning-config: ciscoasa#showrunning-configinterface ! interfaceVlan1 nameifinside security-level100 ipaddress10.0.1.1255.255.255.0 ! interfaceEthernet0/0 shutdown ! interfaceEthernet0/1 !
CopyCommands The copyand writecommands(coveredinthenextsection)workineitherPrivilege EXEC or Configuration mode. The copy command works the same way it does on
49
50
Cisco ASA Configuration
IOSdevices:youneedtospecifyasourceandadestination.Thiscommandcanbeused todothefollowing:
▼ B ackuptherunning-configconfigurationtoflash
■ Mergeaconfigurationfilewiththerunningconfiguration
■ Restorethestartupconfigurationfileinflashfromaremoteserver
■ Backuptherunning-configorstartup-configtoaremoteserver
■ CopyanASDMimagetoflash(discussedinChapter26)
▲ C opyanoperatingsystemtoflash(discussedinChapter26)
Table3-1liststhe copycommandsforconfigurationfiles.WhenspecifyingaURL, usethefollowingsyntax: file_type://destination_IP_or_name/[directory_name/]file_name
Supportedfiletypesinclude
▼ d isk0orflash Flashonthemotherboard
■ disk1 ThecompactflashcardontheASA
■ ftp FTPserver
■ smb Windowsserver
▲ tftp TFTPserver
Command
Explanation
copyrunning-config startup-config
SavesyouractiveconfigurationfileinRAM toflash
copystartup-config running-config
Mergesthestartup-configfileinflashwiththe running-configinRAM
copy{running-config| startup-config}URL
Savesyourrunningorstartupconfigurationto thedestinationspecifiedintheURL
copyURL{running-config|CopiesthefilefromtheURLtotherunning startup-config} orstartupconfiguration(mergeswiththe
running-config,butreplacesthestartup-config)
Table3-1. ThecopyCommandsforConfigurationFiles
Chapter 3:
Basic ASA Configuration
WriteCommands The write commands are used to save, view, or remove your configuration file and werethecommandsused,alongwiththeconfigurecommand,toperformthesefunctionsbeforetheintroductionofthecopycommand. NOTE Withtheexceptionofthe configure terminalcommand,theother configure commandshavebeendeprecated.Youmustusethe copycommandinstead;however,thisisnot trueofthewritecommands,whichstillwork. Table3-2liststhewritecommands. TIP Aquickwayofsavingyourrunning-configtothestartupconfigistousetheabbreviatedformof thewritememorycommand(copyrunning-configstartup-config):wr. Onemiscellaneouscommandthatyoushouldrememberisthereloadcommand.Use thiscommandineitherPrivilegeEXECorConfigurationmodetorebootyourappliance. Whenrebooting,ifyou’vemadechangestoyourrunning-configandhaven’tsavedthem, theappliancewillpromptyoutosaveordiscardthesechangestothestartup-configfile inflash.
ClearCommands Theclearcommandperformstwofunctionsontheappliance:
▼ R esetsthestatisticsforthespecifiedprocess
▲ R emovesaconfigurationcommandorcommandstothereferencedprocess
Command
Explanation
writememory
SavesyouractiveconfigurationfileinRAMtoflash
writeterminal ViewsyourconfigurationfileinRAM(wasusedbeforethe
showrunning-configcommandwasintroduced,butis stillsupported) writenetURL
SavesyourconfigurationfileinRAMtoaremoteserver
writeerase
Erasesyoursavedconfigurationfile(startup-config)inflash
writestandby
CopiestheconfigurationfilefromRAMonthisapplianceto theRAMofthestandbyappliancewhenfailoverhasbeen configured(discussedinChapter23)
Table3-2. ThewriteCommands
51
52
Cisco ASA Configuration
Forexample,ifyouwantedtoresetthestatisticscountersforaninterface,youwould usethefollowingsyntax: ciscoasa#clearinterfacephysical_if_name
Ifyouwantedtoremoveorundoaconfigurationfromyourappliance,usetheclear
configurecommand(youmustbeinConfigurationmode): ciscoasa(config)#clearconfigurecommand
Use care when executing this command. For example, if you were to enter clear configureaccess-list,thiswoulddeleteeveryaccesscontrollist(ACL)onyourap-
pliance!Youcanqualifythecommandwithwhichitemyouwanttoclear.Forexample, withanACL,youcouldenter clear configure access-list ACL_ID,specifying theexactACLyouwishtodelete.Toresettheapplianceconfigurationbacktoitsfactory defaults,usetheclearconfigureallcommand. NOTE Beverycarefulaboutusingtheclearconfigurecommand.Theappliancedoesnot promptyoutoverifyifyouwanttoactuallyperformtheaction:theappliancejustperformstheaction. IfyouwanttodeleteaspecificcommandsuchasanentryinanACL,prefacethecommandwiththe noparameter,whichisthesamewayofdoingitonanIOSdevice.
BASICCONFIGURATIONCOMMANDS Thissectioncoverssomeofthecommandsthatyouusetocreateabasicconfigurationfor yoursecurityappliance.Someofthesecommandsarethesameorsimilartothosefound onanIOSdevice;othercommands,however,arequitedifferent.Inmostsituations,ifyou needtoundoaconfigurationcommand,youwilleitherprefacethecommandwiththe no(whichiswhatyouwoulddoonanIOS-basedrouter)orusetheclearconfigure command(deleteallthereferencedcommands).
HostandDomainNames ThenameofyourappliancedefaultstoeitherciscoasaifitisanASAorpixfirewall ifitisaPIX.YoucanchangetheappliancenamewiththehostnameConfigurationmode command: ciscoasa(config)#hostnamename_of_your_appliance
Thenamethatyougiveyourapplianceonlyhaslocalsignificance.Theonlyvisible effect of executing this command is that your prompt will include the new name, likethis: ciscoasa(config)#hostnamealina alina(config)#
Chapter 3:
Basic ASA Configuration
Toassignadomainnametoyourappliance,usethedomain-namecommand: ciscoasa(config)#domain-nameyour_appliance’s_domain_name
DomainnamesarerequiredwhenyougenerateRSAencryptionkeysforfunctionslike SSHordigitalcertificates.
DeviceNames One handy feature of the appliance is that you can use the name command to build astaticDomainNameService(DNS)resolutiontable: ciscoasa(config)#nameIP_addressdevice_name ciscoasa(config)#names
ThenamecommandperformsasimilarfunctionastheiphostcommanddoesonIOS devices:itmapsanIPaddresstoaparticularname.However,onemajordifferencebetweentheapplianceandIOSdevicesisthatwhenyou’reusingnamesontheappliances, anyconfigurationcommandthatreferencesanIPaddressusedbyanamecommandwill bereplacedwiththenameinthe namecommand.Toenabletheuseofthe namecommands,executethenamescommand. TIP When using names on the appliances, since they will appear in configuration commands withthecorrespondingIPaddress,you’llwanttogivethedevicesdescriptivenames.Forexample, “inside_PC”or“web_server”asnamesarenotverydescriptive;however,“nikas_PC”or“DMZ_web_ server” are more meaningful. Once you execute the names command, any static IP address in your configuration that has a corresponding name will be displayed with the name instead of the IPaddress.
Passwords The appliances support two levels of passwords: one for access to User EXEC mode viatelnetandSSH,andoneforaccesstoPrivilegeEXEC.ThesepasswordsareautomaticallyencryptedwhenstoredinRAMorflashtoprotectthemfromeavesdropping attacks.
UserEXECPassword ToconfiguretheUserEXECpassword,usethepasswdcommand: ciscoasa#passwdpassword
Note that this command is really spelled with the letters “or” missing, like the correspondingUNIXcommand.Thepasswordiscase-sensitiveandcanbeanycombination ofcharactersandnumbers.Thelimittothelengthofthepasswordis16characters.The defaultpasswordisciscoforUserEXECaccess.
53
54
Cisco ASA Configuration
SECURITYALERT! ThedefaultUserEXECpasswordiscisco—you’lldefinitelywanttochangethis! UserEXECaccessviatheconsoleportdoesnotusethispassword.Actually,thereisnopasswordfor consoleaccessunlessyouimplementAAA,whichisdiscussedinChapter26.
PrivilegeEXECPassword TosetthePrivilegeEXECpassword,usetheenablepasswordcommand: ciscoasa#enablepasswordpassword
It is highly recommended that you configure a Privilege EXEC password because thereisnodefaultpassword.ThiscommandissomewhatsimilartotheoneforIOS devices, except that this command automatically encrypts the password. The password is case-sensitive and can be any combination of characters and numbers. The lengthofthepasswordislimitedto16characters.Rememberthatwhenyouaccess PrivilegeEXECmode,you’llalwaysbepromptedforapassword,evenifonehasn’t beenconfigured. SECURITYALERT! ThereisnodefaultPrivilegeEXECpassword—itishighlyrecommendedthat youconfigureone.
LoginBanner Youcancreateloginbannersthataredisplayedduringtheloginprocesstotheappliance byusingthebannercommand: bigdog(config)#bannerbanner_typebanner_description
Table3-3liststhebannertypesyoucancreate.
BannerType
Explanation
asdm
Displaysapost-loginbannerforASDMaccess
exec
DisplaysabannerbeforetheCLIpromptisdisplayed
login
Displaysabannerbeforetheusernameandpasswordprompts
motd
Displaysamessageoftheday(MOTD)banner
Table3-3. TheBannerTypes
Chapter 3:
Basic ASA Configuration
Interfaces Nowthatyouhaveconfiguredthename,passwords,andloginbanneronyourappliance, you are ready to proceed with the configuration of the appliance interfaces. Before I discuss the configuration of the interfaces, I’ll first discuss the nomenclature used for interfaces.
InterfaceNomenclature Interfacesonyourapplianceshavetwonamestodistinguishthem:
▼ P hysicalname,commonlycalledahardwarename
▲ L ogicalname Thefollowingsectionswilldiscussthedifferencesbetweenthetwo.
PhysicalNames Thephysicalnameisusedwheneveryouneedtoconfigurethephysical properties of an interface, like its speed, duplexing, or IP address. The appliance you havewillaffectthephysicalnamesyouuse.OnthePIX,allthenamesofthephysical interfacesbeginwith“ethernet,”whichcanbeabbreviatedtothelettereandisfollowed withtheinterfacenumber,whichbeginswith0.Forexample,thefirstinterfaceonaPIX isethernet0,ore0forshort. TheASAsaredifferentwiththeirnomenclature:
▼ T he5505physicalinterfacenamesareethernet0/number,wherethenumbers rangefrom0to7.Anexamplewouldbeethernet0/0,ore0/0forshort.
■ The5510physicalinterfacenamesareethernetslot/number,wheretheslot numberof0isthefourfixedinterfacesonthechassis,andslot1referstothe interfacesontheSSMcardifit’sinstalled.Forexample,ethernet0/0,ore0/0 forshort,wouldrefertotherightmostdatainterfaceonthechassis.
▲ T he5520sandhigheruseaphysicalnameof“gigabitethernet”: gigabitethernetslot/number.Forexample,gigabitethernet0/0,or g0/0forshort,wouldrefertotherightmostdatainterfaceonthechassis.
The5510sandhighersupportamanagementinterface(the5580ssupporttwomanagementinterfaces).Thenomenclatureofthisinterfaceismanagement0/0.Themanagement interface, by default, will not pass traffic through it: only traffic to it or from it. Cisco designedthisinterfaceprimarilyforout-of-bandmanagementoftheapplianceusingIP. However,youcanoverridethisbehaviorandusethemanagementinterfaceasadatainterface.Tousethemanagementinterfaceasadatainterface,configurethefollowing: ciscoasa(config)#interfacemanagement0/0 ciscoasa(config-if)#nomanagement-only
Onceyouhavedonethis,youcantreatthemanagementinterfaceasaphysicalinterface andreferenceitinyourpolicycommands,likeACLsandaddresstranslationcommands.
55
56
Cisco ASA Configuration
NOTE Onthe5510s,youneedtheSecurityPluslicenseinordertousethemanagementinterface asadatainterfacebecauseoftherestrictiononthenumberofphysicalinterfacesthatcanbeused withthe5510Baselicense. LogicalNames Logicalnamesareusedinmostothercommands,likeapplyinganACL toaninterface,orspecifyinganinterfaceforanaddresstranslationpolicy.Logicalnames should be descriptive about what the interface is connected to. Two common names usedare“inside”(connectedtoyourinternalnetwork)and“outside”(connectedtothe externalorpublicnetwork).
SecurityLevels Eachinterfacehasasecuritylevelassignedtoitthatcanrangefrom0to100.Theleast secureis0andthemostsecureis100.Assumingyouareusingthenameof“inside”for aninterface,thesecurityleveldefaultsto100.Allotherinterfacenameshavethesecurity level default to 0 (the least secure). The security algorithm uses the security levels to enforceitssecuritypolicies.Herearetherulesthatthealgorithmuses:
▼ T rafficfromahighertoalowersecuritylevelispermittedbydefault, unlessyouhaverestrictedtrafficwithanACL.Thisiscalledanoutbound connection.
■ Trafficfromalowertoahigherlevelisdenied,bydefault,unlessyouexplicitly permititbyconfiguringaccesscontrollists(ACLs),discussedinChapter 6,and/orconfigureCut-throughProxy(CTP)authentication,discussedin Chapter8.Thisiscalledaninboundconnection.
▲ T rafficfromthesamesecurityleveltothesamelevelisdeniedbydefault.
To allow traffic between interfaces with the same security level, use the following command: ciscoasa(config)#same-security-trafficpermitinter-interface
Once you execute this command, all traffic is permitted between interfaces with the samelevelnumber;ifyouwanttorestrictthistraffic,useACLs,whicharediscussedin Chapter6. SECURITY ALERT! By default, outbound traffic on your appliance is permitted. However, inboundtrafficisautomaticallydroppedwhenit’sgoingtoanyotherinterface,unlessyouexplicitly permitit. Let’slookatanexampletoillustratetheuseofsecuritylevels.Figure3-1showsa network that I use throughout the rest of this chapter. In this example, the appliance has three interfaces: an external (connected to the perimeter router and the Internet),
Chapter 3:
Basic ASA Configuration
ASA Configuration Interface Name E0/0 E0/1 E0/2
User 192.168.3.2/24
IP Address and Mask
outside 192.168.1.1/24 inside 192.168.3.1/24 dmz 192.168.2.1/24
Internal Network E0/1 = 192.168.3.1
ASA
Perimeter Router E0/0 = 192.168.1.1 E0 = 192.168.1.2
Internet
E0/2 = 192.168.2.1
DMZ User 192.168.3.3/24
Web Server 192.168.2.2
Web Server 192.168.2.3
Figure3-1. Asamplenetworkwithasecurityappliance
aninternal,andaDMZinterface.Withtheappliancesecurityalgorithminaction,here arethedataconnectionsthatare,bydefault,permitted:
▼ T rafficfromtheinsideinterfacetotheDMZ
■ Trafficfromtheinsideinterfacetotheoutside
▲ T rafficfromtheDMZinterfacetotheoutside
Ifthetrafficoriginatesfromanysourceotherthantheoneslistedhereandisgoing toanyotherdestinationthroughthesecurityappliance,theappliancewillautomatically denyit.
PhysicalInterfaceConfiguration Toconfigurethepropertiesofaphysicalinterface,accesstheinterfaceusingtheinterface command, referencing its physical interface name. (This will take you into a subcommandmodewherethecommandsyouenteraffectonlythespecifiedinterface.) ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#nameiflogical_if_name
57
58
Cisco ASA Configuration ciscoasa(config-if)#ipaddressIP_address[subnet_mask] ciscoasa(config-if)#security-levelnumber ciscoasa(config-if)#speed{10|100|1000|auto|nonegotiate} ciscoasa(config-if)#duplex{auto|full|half} ciscoasa(config-if)#[no]shutdown
Inversion7.0,CiscointroducedanInterfacesubcommandmode;inpriorversions, global commands were used to configure interface properties. The interface commandspecifiesthenameofthephysicalinterfaceandtheinterfaceidentifier(slotand port).Thenameifcommandassignsalogicalnametotheinterface.Ifyouassignaname of“inside”totheinterface,thesecurityleveldefaultsto100.Anyotherlogicalnamedefaultsthesecuritylevelto0.TheipaddresscommandassignsastaticIPaddresstothe interface;omittingthesubnetmaskwillcausethemasktodefaulttotheconfiguredclass oftheIPaddress.YoucanalsoassignadynamicaddresstotheinterfaceusingDHCPor PPPoE—thisisdiscussedlaterinthechapterinthe“DynamicAddressing”section.The security-levelcommandassignsasecurityleveltotheinterface:thiscanrangefrom 0(leasttrusted)to100(mosttrusted).The speedand duplexcommandssetthespeed andduplexingoftheinterface.Bydefault,interfacesaredisabledandneedtobeenabled withthenoshutdowncommand.
VLANConfiguration Startinginversion6.3,thesecurityapplianceoperatingsystemsupportstrunkconnections.Ofalltheappliances,onlythePIX501lackssupportfortrunksandVLANs.Only the802.1Qtrunkingprotocolissupported:Cisco’sproprietaryISLisnot. VLANs are implemented by creating a subinterface (a logical interface associated withaphysicalinterface)andbyassociatingtheVLANidentifier(theVLANnumber) thatthesubinterfaceshouldprocess.Forthephysicalinterfacethesubinterfacesareassociatedwith,typicallyonlyhardwarecharacteristics(speed,duplexing,bringingitup) are configured. IP addresses, security levels, and logical names are configured on the subinterfaces.TheoneexceptiontothisruleisifyouneedtousethenativeVLANin 802.1Q;inthisinstance,youconfiguretheIPaddress,securitylevel,andlogicalnameon thephysicalinterface(thephysicalinterfacehandlesuntaggedframes). CreatingaVLANinterfaceisdonethesameasit’sdoneonaCiscoIOSrouter;however,associatingtheVLANtagtothesubinterfaceisdifferentfromthatonaCiscorouter. Here is the configuration to create the subinterface and to identify the VLAN for the subinterface: ciscoasa(config)#interfacephysical_nameslot_#/port_#.subid_# ciscoasa(config-subif)#vlanvlan_#
Thesubid_#isthenumberofthesubinterface.Thenumberyouspecifyheredoesn’thave tomatchtheVLANnumbertheinterfacewillprocess;however,itiscommonpractice. TIP To make it easier to determine what subinterfaces are processing which VLANs, I typically prefertomatchtheVLANnumberonthesubinterfacewiththesubinterfacenumber.Rememberthat bydefaultthereisnocorrelationbetweenthesetwonumbers,however.
Chapter 3:
Basic ASA Configuration
HereisasimpleexampleillustratingtheuseofVLANsonaphysicalinterface: ciscoasa(config)#interfaceethernet0/0 ciscoasa(config-if)#noshutdown ciscoasa(config-if)#exit ciscoasa(config)#interfaceethernet0/0.1 ciscoasa(config-subif)#vlan10 ciscoasa(config-subif)#ipaddress192.168.10.1255.255.255.0 ciscoasa(config-subif)#nameifdmz1 ciscoasa(config-subif)#security-level51 ciscoasa(config-subif)#exit ciscoasa(config)#interfaceethernet0/0.2 ciscoasa(config-subif)#vlan20 ciscoasa(config-subif)#ipaddress192.168.20.1255.255.255.0 ciscoasa(config-subif)#nameifdmz1 ciscoasa(config-subif)#security-level50 ciscoasa(config-subif)#exit
Notice that the only thing done on the physical interface is to enable it, since in this exampletheappliancedoesn’tneedtoprocesstrafficforthenativeVLAN.
ASA5505InterfaceConfiguration The model 5505 use of interfaces differs from all the otherASAs: the eight interfaces (e0/0through e0/7)arelayer2switchports.UnliketheotherASAs,the5505doesn’t usesubinterfacestoassociateinterfaceswithVLANs.Instead,alogicallayer3interface calledaVLANinterfaceisused.Asyouwillseeshortly,theconfigurationissomewhat similartoCisco’sIOSswitches.WithaBaselicenseinstalled,threeVLANinterfacesare supported.WiththeSecurityPluslicense,threeVLANinterfacesaresupportedusing thelocalinterfaces,andoneinterfacecanbesetupasatrunk,supportingatotalof20 VLANsacrossthephysicalinterfacesandthetrunk. Bydefault,twoVLANinterfacesareconfiguredontheASA5505.Table3-4displays thepropertiesofthesetwologicalinterfaces.
Property
VLAN1
VLAN2
Logicalname
inside
outside
Securitylevel
100
0
IPaddress
192.168.1.1/24
DHCPclient
Physicalinterfacesassociatedwithit
Allexcepte0/0
e0/0
Table3-4. DefaultASA5505LogicalInterfaces
59
60
Cisco ASA Configuration
To change the properties of the two logical VLAN interfaces, or to create a new logicalVLANinterface,usethefollowingconfiguration: ciscoasa(config)#interfacevlanvlan_# ciscoasa(config-if)#nameiflogical_name ciscoasa(config-if)#ipaddressIP_address[subnet_mask] ciscoasa(config-if)#security-levelnumber
To associate a physical interface with a logical VLAN interface, use the following configuration: ciscoasa(config)#interfacephysical_name ciscoasa(config-if)#switchportaccessvlanvlan_#
Here’sanexampleconfigurationwiththreelogicalinterfaces:inside,outside,anddmz: ciscoasa(config)#interfacevlan1 ciscoasa(config-if)#nameifinside ciscoasa(config-if)#ipaddress192.168.1.1255.255.255.0 ciscoasa(config-if)#security-level100 ciscoasa(config-if)#exit ciscoasa(config)#interfacevlan2 ciscoasa(config-if)#nameifoutside ciscoasa(config-if)#ipaddress200.1.1.1255.255.255.248 ciscoasa(config-if)#security-level0 ciscoasa(config-if)#exit ciscoasa(config)#interfacevlan3 ciscoasa(config-if)#nameifdmz ciscoasa(config-if)#ipaddress192.168.2.1255.255.255.0 ciscoasa(config-if)#security-level50 ciscoasa(config-if)#exit ciscoasa(config)#interfaceethernet0/0 ciscoasa(config-if)#switchportaccessvlan2 ciscoasa(config-if)#noshutdown ciscoasa(config-if)#exit ciscoasa(config)#interfaceethernet0/1 ciscoasa(config-if)#switchportaccessvlan1 ciscoasa(config-if)#noshutdown ciscoasa(config-if)#exit ciscoasa(config)#interfaceethernet0/2 ciscoasa(config-if)#switchportaccessvlan3 ciscoasa(config-if)#noshutdown ciscoasa(config-if)#exit
Chapter 3:
Basic ASA Configuration
Usethe show switch vlancommandtoverifyyourVLANconfigurationonthe ASA5505(fromtheprecedingconfiguration): ciscoasa#showswitchvlan VLANNameStatusPorts ------------------------------------------------------------ 1insideupEt0/1,Et0/3,Et0/4,Et0/5, Et0/6,Et0/7 2outsideupEt0/0 3dmzupEt0/2
InterfaceVerification Now that you have set up your physical and/or logical interfaces, you are ready to verifyyoursettingsbyusing showcommands.Toexamineaninterface,usethe show interfacecommand: ciscoasa#showinterface InterfaceEthernet0/0"",isadministrativelydown, lineprotocolisdown Hardwareis88E6095,BW100Mbps,DLY100usec Auto-Duplex,Auto-Speed Availablebutnotconfiguredvianameif MACaddress001f.9e2e.e512,MTUnotset IPaddressunassigned 0packetsinput,0bytes,0nobuffer Received0broadcasts,0runts,0giants 0inputerrors,0CRC,0frame,0overrun,0ignored,0abort
Theformatoftheoutputofthiscommandisverysimilartothesamecommandused onIOSdevices.Oneimportantitemtopointoutisthefirstlineofoutput,wherethestatusisshownforboththephysicalanddatalinklayersrespectively.Inthisexample,the interfaceisdisabled.Herearethestatusvaluesoftheinterface:
▼ I fyouseeupandup,boththephysicalanddatalinklayersarefunctioning correctly.
■ Ifyouseeupanddown,thereisadatalinklayerproblem.
■ Ifyouseedownanddown,thereisaphysicallayerproblem.
▲ I fyouseeadministrativelydownanddown,theinterfacehasbeen manuallydisabled.
Theshowinterfacecommanddisplaysalloftheinterfacesontheappliance.Ifyou areonlyinterestedinseeingthestatusofasingleinterface,enterthe show interface
61
62
Cisco ASA Configuration
commandfollowedbythephysicalnameoftheinterface,like ethernet0/0.Youcan alsodisplayjustthestatusofasubinterface,likeethernet0/0.1,oraVLANinterface ona5505,likevlan1. Youcanuseeithertheshowinterfaceorshowip[address]commandtoview theIPconfigurationofyourapplianceinterfaces: ciscoasa(config)#showip SystemIPAddresses: ipaddressoutside192.168.1.1255.255.255.0 ipaddressinside192.168.3.1255.255.255.0 ipaddressdmz192.168.2.1255.255.255.0 CurrentIPAddresses: ipaddressoutside192.168.1.1255.255.255.0 ipaddressinside192.168.3.1255.255.255.0 ipaddressdmz192.168.2.1255.255.255.0
The System IP Addresses are the IP addresses assigned to the active appliance whenyouhavefailoverconfigured.Ifthisappliancewerethestandbyunit,itwould assume these addresses on the interface when a failover occurred. The Current IP AddressesaretheIPaddressescurrentlybeingusedontheinterface.Failoverisdiscussed inChapter23. TIP RememberthatshowcommandscanbeexecutedineitherPrivilegeEXECorConfiguration mode.
DynamicAddressing BesidesspecifyingastaticIPaddress,youcanalsoacquireaddressingdynamicallyby using DHCP (Dynamic Host Configuration Protocol) or PPP over Ethernet (PPPoE). Thefollowingtwosectionswilldiscusstheseapproaches.
DHCPClient YourappliancecanbeaDHCPclientandobtainitsaddressinginformationoninterface(s) dynamically from a DHCP server. Here’s the interface syntax for an interface using DHCPtoacquireitsaddressinginformation: ciscoasa(config)#interfacephysical_name ciscoasa(config-if)#ipaddressdhcp[setroute][retryretry_count]
ThesetrouteparametercausestheappliancetoacceptthedefaultroutefromtheDHCP server—this is typically done when your outside interface is acquiring its addressing dynamicallyfromtheISP.Ifyouomitthisparameter,you’llneedtoconfigureadefault routeonyourappliance(thisisdiscussedinChapter4).Youcanalsospecifythenumber oftimestheapplianceshouldattempttoobtainitsaddressing.
Chapter 3:
Basic ASA Configuration
NOTE Bydefault,theASA5505ispreconfiguredfromCiscotoincludeethernet0/0inVLAN2 (theoutsideinterface),andthisinterfaceissetupasaDHCPclient. Toverifyyouraddressinginformation,usetheshowipaddressdhcpcommand: ciscoasa#showipaddressoutsidedhcplease TempIPAddr:200.200.200.2forpeeroninterface:outside Tempsubnetmask:255.255.255.0 DHCPLeaseserver:200.200.199.2,state:3Bound DHCPTransactionid:0x4123 Lease:7200secs,Renewal:1505secs,Rebind:7000secs Tempdefault-gatewayaddr:200.200.200.1 Nexttimerfiresafter:6809secs Retrycount:0,Client-ID:cisco-0000.0000.0000-outside
Toperformdetailedtroubleshooting,theappliancessupportdebugcapabilitiessimilartoIOS-baseddevices.Ciscoalsosupportsdebugcommandsfortroubleshootingthe DHCPclientontheappliance.Herearethedebugcommandsthatyoucanuse:
▼ d ebugdhcpcpacket DisplaysthepartialcontentsofDHCPclientpackets
■ debugdhcpcerror DisplaysDHCPclienterrorinformation
▲ d ebugdhcpcdetail DisplaysallinformationrelatedtoDHCPclientpackets TIP Todisablealldebugfunctions,usethenodebugallorundebugallcommand.
PPPoverEthernet(PPPoE) PPPoEistypicallyusedonbroadbandDSLconnectionstoanISP.ConfiguringPPPoE involvesthesetasks:
▼ C reatingaPPPoEgroup
■ SpecifyingthePPPauthenticationmethod:PAP,CHAP,orMS-CHAP
■ AssociatingausernametothePPPoEgroup
■ CreatingalocalusernameaccountandpasswordassignedbytheISP
▲ E nablingPPPoEontheinterface NOTE PPPoEwasintroducedinversion6.2andisonlysupportedinsingle-routedmodewithout failoverconfigured.
63
64
Cisco ASA Configuration
Hereisthesyntaxtoaccomplishtheprecedingtasks: ciscoasa(config)#vpdngroupgroup_namerequestdialoutpppoe ciscoasa(config)#vpdngroupgroup_namepppauthentication {chap|mschap|pap} ciscoasa(config)#vpdngroupgroup_namelocalnameusername ciscoasa(config)#vpdnusernameusernamepasswordpassword[store-local] ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#ipaddresspppoe[setroute]
Thefirst vpdn groupcommandspecifiesalocallysignificantgroupnamethatgroups together the appliance PPPoE commands for an interface. The second vpdn group commandspecifiesthePPPauthenticationmethodtouse.ThethirdvpdngroupcommandspecifiesthelocaluseraccounttheISPassigned.Thevpdnusernamecommand specifiestheusernameandpasswordassignedbytheISP;thestore-localparameter causestheappliancetostoretheusernameandpasswordinaspecialplaceinflashso thata clear configurecommandwillnoteraseit.Onceyouhaveconfiguredyour PPPoEparameters,enablePPPoEontheinterfacewiththeipaddresspppoecommand; the setrouteparameterperformsthesamefunctionaswiththe ip address dhcp commandfromtheprevioussection. OnceyouhaveconfiguredPPPoE,usetheseshowcommandsforverification:
▼ showipaddresslogical_if_namepppoe DisplaystheIPaddressing fortheoutsideinterface
▲ showvpdn[sessionpppoe] DisplaysthePPPoEsessioninformation
ThefirstshowcommanddisplaystheappliancePPPoEclientconfigurationinformation. Itsoutputissimilartothatoftheshowipaddressdhcpcommand.Theshowvpdn commandshowsabriefoverviewofthePPPoEsessions: ciscoasa#showvpdn Tunnelid0,1activesessions timesincechange1209secs RemoteInternetAddress192.168.1.1 LocalInternetAddress200.200.200.1 12packetssent,12received,168bytessent,0received RemoteInternetAddressis192.168.1.1 SessionstateisSESSION_UP
ThisexamplehasoneactivePPPoEsession.Youcanrestricttheoutputofthiscommand byaddingthe sessionpppoeparameters—thiswillonlydisplayPPPoEinformation, andnoVPNinformation. FordetailedtroubleshootingofPPPoE,usethedebugcommand: ciscoasa(config)#debugpppoe{event|error|packet}
Chapter 3:
Basic ASA Configuration
The event parameter displays protocol event information concerning PPPoE. The errorparameterdisplaysanyPPPoEerrormessages.The packetparameterdisplays thepartialcontentsofPPPoEpackets.
DynamicDNS DynamicDNSisafeaturewheretheappliance,actingasaDHCPclient,obtainsitsIP addressdynamicallyfromaDHCPserver.TheappliancecanthenupdateaDNSserver withitsnameandthedynamicaddress.Therefore,nomatterwhatdynamicIPaddress isassignedtotheappliance,youcanalwaysusethesamenametoreachit. Toconfigurethisprocess,usethefollowingcommands: ciscoasa(config)#dhcp-clientupdatednsservernone ciscoasa(config)#ddnsupdatemethodddns-2 ciscoasa(DDNS-update-method)#ddnsboth ciscoasa(DDNS-update-method)#exit ciscoasa(config)#interfacephysical_if_name ciscoasa(if-config)#ddnsupdateddns-2 ciscoasa(if-config)#ddnsupdatehostnameappliance’s_FQDN
The dhcp-clientupdatecommandspecifiesthattheclient(theapplianceitself), ratherthantheDHCPserver,willupdatetheDNSserverwiththedynamicaddressing information.The ddns updateand ddns bothcommandsspecifythattheappliance willupdateboththeAandPTRDNSrecordsontheDNSserver. Onceyouhavedonethis,youneedtoenabledynamicDNSonthephysicalorVLAN interfacewiththe ddns update ddns-2commandandtospecifythefullyqualified domainname(FQDN)beingpassedtotheDNSserverwiththeddnsupdatehostname command,like“appliance.dealgroup.com”.
MANAGEMENT This section rounds out the basic security appliance configuration commands. In the followingsections,IcoverhowtoallowremoteCLIaccesstotheapplianceformanagementpurposesandsomebasictestingandmonitoringtoolsthatyoucanuseonyour appliance.
RemoteAccess By default, the only access that the appliance allows is on the console port—HTTP (ASDM),telnet,andSSHaccessaredenied.Thefollowingsectionsshowyouhowto enable the latter two types of access to the appliance;ASDM access is discussed in Chapter27.
65
66
Cisco ASA Configuration
Telnet To allow telnet access to your appliance, you need to configure two commands. First,youshouldassignatelnetpasswordwiththe passwdcommanddiscussedin the“UserEXECPassword”sectionofthischapter.Second,youmustspecifytheIP addresses that are allowed access to the appliance with the telnet Configuration modecommand: ciscoasa(config)#telnetIP_addresssubnet_mask[logical_if_name]
Ifyouomitthenameofthelogicalinterface,itdefaultstoinside.Youcanlistupto16 hostsornetworkswithmultipletelnetcommands. If you want to allow telnet access from all internal machines, use the following syntax: ciscoasa(config)#telnet00inside
Rememberthatyoucanabbreviate0.0.0.0as0. Toallowaccessfromonlyaspecificinternalnetworksegment,usethissyntax: ciscoasa(config)#telnet192.168.4.0255.255.255.0inside
Ifyouwanttoallowtelnetaccessfromonlyaspecificmachine,usethisconfiguration: ciscoasa(config)#telnet192.168.5.2255.255.255.255inside
Notethatyoucanenterthetelnetcommandmultipletimestosetyourtelnetaccess policies.Toseeyourtelnetaccesspolicies,usetheshowruntelnetcommand. Thedefaulttimeoutforidletelnetsessionsis5minutes.Youcanchangethiswith thetelnettimeoutcommand: ciscoasa(config)#telnettimeoutnumber_of_minutes
Thetimecanrangefrom1to60minutes. Toseewhoiscurrentlyloggedintotheapplianceviatelnet,usethewhocommand: ciscoasa#who 1:From192.168.1.7 2:From192.168.1.2
ThefirstnumberisthesessionIDandisuniqueforeachlogged-inuser.Youcanterminateatelnetconnectionbyusingthekillcommand: ciscoasa#killsession_ID
YoucanviewthesessionIDsbyusingthe whocommand.Whenyou’reterminatinga session,theapplianceallowsthetelnetusertopermitanycurrentlyexecutingcommand andthen,withoutwarning,terminatestheuser’stelnetconnection.
Chapter 3:
Basic ASA Configuration
SSH Secureshell(SSH)allowsausertoestablishapseudo-consoleconnectionviaaremotesecureshell.SSHbasicallyprovidesanencryptedCLIconnectionbetweentheclientandthe appliancebyusingtheRSAencryptionalgorithm.Onelimitationofusingtelnetisthatyou cannottelnettotheappliancefromtheoutsideinterface;SSHdoesnothavethislimitation. ToallowSSHaccess,youmustconfigurethefollowingonyourappliance:
▼ D efineahostnameanddomainname.
■ Generateapublic/privateRSAkeycombination.
▲ S pecifytheaddressesallowedtoaccesstheapplianceviaSSH.
Ihavealreadytalkedaboutassigningahostnameanddomainnametotheappliance in the “Host and Domain Names” section.A public/private RSA key combination is usedtosecuretheconnectionforthesecureshell.Tocreateyourkeyinginformation,use thecryptokeygeneratersacommand: ciscoasa(config)#cryptokeygeneratersa[modulus_size]
To execute the preceding command, you must first install either a DES or 3DES/AES licensekeyifonehasnotalreadybeeninstalled.Themodulussizecanbe512,768,1024, or2048bits;ifyouomitit,themodulusdefaultsto1024bits.Thelargerthesize,themore securetheconnectionwillbe. HereisanexampleofgeneratinganRSAkeypairforSSH: bigdog(config)#cryptokeygeneratersa WARNING:YouhaveaRSAkeypairalreadydefinednamed . Doyoureallywanttoreplacethem?[yes/no]:yes Keypairgenerationprocessbegin.Pleasewait... bigdog(config)#
YoucanhavemultipleRSAkeypairsonyourappliance,whicharediscussedinChapter 15. By default, SSH uses the “Default-RSA-Key” pair; so if it already exists, you’ll be promptedtooverwriteit. Toseethepublickeycreatedbythecryptokeygeneratersacommand,usethe showcryptokeymypubkeyrsacommandlikethis: ciscoasa(config)#showcryptokeymypubkeyrsa Keypairwasgeneratedat:13:27:25UTCJul182008 Keyname: Usage:GeneralPurposeKey ModulusSize(bits):1024 KeyData: 30819f300d06092a864886f70d010101050003818d00308189028181 00b27da43243ec84e8b440591c8393f692b3db8cfa641f39ee0c3775 afe8bb24792f26910cace31d619183d9f7efdaa152ba98fe79152d66
67
68
Cisco ASA Configuration a71b7e7e8969e9afd256bbfef0d14ed044ea416b0becbd5ceb4ec25d 74b6049e5ea4a064ee12550b3b4d989f5e9205a10092c0332119641f 770a62d38ee7c9dbc560185df7f7aabdff0203010001
UsethewritememorycommandtostoreRSAkeypairsinflashmemory.IdiscussRSA andpublic/privatekeysinmoredepthinChapters15and16. OnceyouhavecreatedyourRSAkeypair,youcannowspecifytheaddressespermittedtoestablishSSHconnectionstotheappliance.Usethe sshcommandtospecify permittedaddresses: ciscoasa(config)#sship_addresssubnet_mask[logical_if_name]
ThedefaultidletimeoutforSSHsessionsis5minutes.Toalterthisvalue,usethessh
timeoutcommand:
ciscoasa(config)#sshtimeoutminutes
ToseeyourSSHcommands,usetheshowrunsshcommand. ToseewhatusershavecurrentSSHconnectionstotheappliance,usetheshowssh sessionscommand: ciscoasa#showsshsessions SessionIDClientIPVersionEncryptionStateUsername 0192.168.1.21.5DES6pix
Todisconnectasession,usethesshdisconnectcommand: ciscoasa#sshdisconnectsession_ID
ThesessionIDnumberisshownwiththeshowsshsessionscommand. NOTE Ifyou’reloggingintotheapplianceusingSSHwhenyouarenotusingAAA,theusername youenteris“pix”(forboththePIXandASA),andthepasswordisthepasswordfromthe passwd command.
ConnectivityTesting ToverifythatyouhaveIPconnectivity,youcanusethreebasictroubleshootingcommands: ping, traceroute, and show arp. The following two sections cover these appliancecommands.
Ping TotestwhetheryouhaveaconnectionwithotherIPdevices,youcanexecutetheping command: ciscoasa#ping[logical_if_name]destination_IP_address [datapattern][repeatcount][sizebytes] [timeoutseconds][validate]
Chapter 3:
Basic ASA Configuration
The logical_if_nameparameterallowsyoutospecifywhichinterfaceIPaddressto useasthesourceoftheping.Ifyouomitthename,itwilldefaulttotheIPaddressof theinterfacethattheappliancewillusetoreachthedestination.Youcanincludeadata patternintheICMPpayload,specifythenumberofpingstoperform(fourbydefault), thesizeofthepings(100bytesbydefault),thetimeoutwhenwaitingforechoreplies (2secondsbydefault),andvalidationofthepayload. Ifyoucannotpingadestination,verifythattheappliance’sinterface(s)areupandthat youhavethecorrectIPaddressesassignedtothem.Youcanusetheshowinterfaces orshowipcommandtoverifythis.Youcanalsousethedebugicmptracecommand toseetheactualICMPpackets.OnceyouhaveassignedanIPaddresstoaninterfaceon theappliance,youcanverifyitsaccessibilitybypingingitfromanothermachineinthe samesubnet.Ontheappliance,firstenterthedebugicmptracecommandtoenable debuggingforICMPtraffic.Thengotoanothermachineonthesamesubnet,andping theappliance’sinterface.Youroutputwilllooksomethinglikethis: ciscoasa#debugicmptrace ICMPtraceon Warning:thismaycauseproblemsonbusynetworks ciscoasa# 1:ICMPechorequest(len32id2seq256)192.168.1.2>192.168.1.1 2:ICMPechoreply(len32id2seq256)192.168.1.1>192.168.1.2
Theoutputofthecommandisfairlyreadable:therewerefourechorequestsfromthe machineandfourrepliesfromtheappliance(thelasttwosetswereomittedfromthe output).ToturnoffthedebugforICMP,prefacetheprecedingcommandwiththe no parameter: nodebugicmptrace;oryoucouldusethe undebugallor nodebug allcommands.
Traceroute Starting in version 7.2, the security appliances support the traceroute command, whichallowsyoutotracethelayer3hopsthatpacketsgothroughtoreachadestination. Hereisthesyntaxofthecommand: ciscoasa#traceroutedst_ip_address[sourcesrc_ip_addr| logical_src_if_name][numeric][timeouttimeout_value] [probeprobe_num][ttlmin_ttlmax_ttl] [portport_value][use-icmp]
TheonlyrequiredparameteristhedestinationIPaddress.Optionally,youcanspecify adifferentsourceIPaddressontheappliancethantheoneitwillusewhenexitingthe destinationinterface.Also,youcandisablethereverse-DNSlookupwiththenumeric parameter.Thedefaulttimeoutforrepliesis3secondsandcanbechangedwiththe timeoutparameter.Thedefaultnumberofprobesforeachlayer3hopis3,butcan be changed with the probe parameter. You can control the number of hops with
69
70
Cisco ASA Configuration
the ttlparameter.Bydefault,tracerouteusesUDPport33,434,butcanbechanged withtheportparameter.AndinsteadofusingUDP,youcanspecifytheuseofICMP whenperformingthetraceroutewiththeuse-icmpparameter.
AddressResolutionProtocol(ARP) TheTCP/IPARPprotocolresolvesanIPaddress(layer3)toaMACaddress(layer2). MACaddressesareusedforcommunicationsbetweendevicesonthesamesegmentor subnet,thatis,thesameLANmedium.Anytimetheapplianceinitiatesconnectionsor receivesrequestsforconnectionstoitself,itwilladdtheconnecteddevice’sIPandMAC addresses to its localARP table. To view the applianceARP table, use the show arp command,asshownhere: ciscoasa#showarp inside192.168.7.20000e0.9871.b91e
Currently one entry is in the appliance ARP table: a device with an IP address of 192.168.7.200thatisoffoftheinsideinterface.YoucancleartheentriesintheARPtable withthecleararp[logical_if_name]command. Bydefault,theappliancekeepsaddressesintheARPtablefor4hours(14,400seconds). YoucanmodifythetimeoutforARPentrieswiththearptimeoutcommand: ciscoasa(config)#arptimeoutseconds
Toviewthetimeoutthatyouhaveconfigured,usethe show run arp timeoutcommand. YoucanmanuallyaddorremoveanentryfromtheARPtablebyusingtheappliance Configurationmodecommandsshownhere: ciscoasa(config)#arplogical_if_nameIP_addressMAC_address[alias] ciscoasa(config)#noarplogical_if_nameIP_address
You need to specify the name of the interface that the device is off of, as well as the deviceIPandMACaddresses.Ifyouaddthe aliasparameter,theentrywillbecome a permanent entry in the ARP table; if you save the appliance’s configuration, then thestaticARPentryissaved,evenuponarebootoftheappliance.Ifyouomitthealias parameter,anyrebootingoftheappliancewillcausetheappliancetolosethestaticARP configuration.
HARDWAREANDSOFTWAREINFORMATION Thesecurityappliancessupportamultitudeof showcommands.ManyofthesecommandsarethesamecommandsthatyouwouldexecuteonanIOS-baseddevicetosee thesamekindsofinformation.Thefollowingsectionswillcoversomecommon show commands,includingshowversion,showmemory,andshowcpuusage.
Chapter 3:
Basic ASA Configuration
VersionInformation To display the hardware and software characteristics of your security appliance, use theshowversioncommand.Theinformationthatyoucanseefromthiscommandis similartothe show versioncommandonanIOS-baseddevice.Withthiscommand, youcanseethefollowinginformationaboutyourappliance:OSsoftwareandASDM versions,uptimesincelastreboot,typeofprocessor,amountofRAMandflash,interfaces,licensedfeatures,serialnumber,activationkey,andthetimestampshowingwhen configurationwaslastchanged. ThefollowingisanexampleoftheshowversioncommandonanASA5505running version8.0(3): bigdog#showversion CiscoAdaptiveSecurityApplianceSoftwareVersion8.0(3) DeviceManagerVersion6.1(1) CompiledonTue06-Nov-0722:59bybuilders Systemimagefileis"disk0:/asa803-k8.bin" Configfileatbootwas"startup-config" bigdogup2hours39mins Hardware:ASA5505,256MBRAM,CPUGeode500MHz InternalATACompactFlash,128MB BIOSFlashM50FW080@0xffe00000,1024KB Encryptionhardwaredevice:CiscoASA-5505on-boardaccelerator (revision0x0) Bootmicrocode:CN1000-MC-BOOT-2.00 SSL/IKEmicrocode:CNLite-MC-SSLm-PLUS-2.01 IPSecmicrocode:CNlite-MC-IPSECm-MAIN-2.04 0:Int:Internal-Data0/0:addressis001f.9e2e.e51a,irq11 1:Ext:Ethernet0/0:addressis001f.9e2e.e512,irq255 2:Ext:Ethernet0/1:addressis001f.9e2e.e513,irq255 3:Ext:Ethernet0/2:addressis001f.9e2e.e514,irq255 4:Ext:Ethernet0/3:addressis001f.9e2e.e515,irq255 5:Ext:Ethernet0/4:addressis001f.9e2e.e516,irq255 6:Ext:Ethernet0/5:addressis001f.9e2e.e517,irq255 7:Ext:Ethernet0/6:addressis001f.9e2e.e518,irq255 8:Ext:Ethernet0/7:addressis001f.9e2e.e519,irq255 9:Int:Internal-Data0/1:addressis0000.0003.0002,irq255 10:Int:Notused:irq255 11:Int:Notused:irq255 Licensedfeaturesforthisplatform:
71
72
Cisco ASA Configuration MaximumPhysicalInterfaces:8 VLANs:20,DMZUnrestricted InsideHosts:10 Failover:Active/Standby VPN-DES:Enabled VPN-3DES-AES:Enabled VPNPeers:25 WebVPNPeers:2 DualISPs:Enabled VLANTrunkPorts:8 AnyConnectforMobile:Disabled AnyConnectforLinksysphone:Disabled AdvancedEndpointAssessment:Disabled ThisplatformhasanASA5505SecurityPluslicense. SerialNumber:JMX1209Z0CM RunningActivationKey:0x84016a7e0x0c293f620x9c7201c80x85641c50 0x882de4ab Configurationregisteris0x1 Configurationlastmodifiedbyenable_15at14:33:47.385 UTCFriJul182008 bigdog#
NoticethatthelicenseinstalledontheASA5505istheSecurityPluslicense,whichallowsforfailover(active/standby),moreVLANs,andanunrestrictedDMZ.
MemoryUsage ThesecurityappliancesuseRAMtostoremanyoftheircomponents,includingtheiractive configuration,thetranslationtable,thestate(conn)table,theARPtable,aroutingtable, andmanyothertables.BecauseRAMisanimportantresourcethattheappliancesuseto enforcetheirsecuritypolicies,youshouldperiodicallycheckhowmuchRAMisfreeonthe appliance.Toviewthisinformation,usetheshowmemoryPrivilegeEXECcommand: ciscoasa#showmemory Freememory:141399240bytes(53%) Usedmemory:127036216bytes(47%) ----------------------------- Totalmemory:268435456bytes(100%)
CPUUtilization ToseetheprocessCPUutilizationofyoursecurityappliance,usetheshowcpuusage PrivilegeEXECcommand,asshownhere: ciscoasa#showcpuusage CPUutilizationfor5seconds=20%;1minute:14%;5minutes:14%
Chapter 3:
Basic ASA Configuration
YoucanseetheCPUutilizationoverthelast5seconds,1minute,and5minutes.Again, periodicallyyoushouldcheckthistoensurethatyourapplianceCPUcanhandlethe load that goes through it; if not, you’ll need to replace your appliance with a higher model.
ASACONFIGURATIONEXAMPLE Inthissection,IwillgooverabasicapplianceconfigurationusinganASA5510byusingthenetworkshowninFigure3-1.Listing3-1showsthebasicconfigurationforthe applianceshowninFigure3-1. Listing3-1.AsampleASAconfigurationforFigure3-1 ciscoasa#configureterminal ciscoasa(config)#hostnameasa asa(config)#domain-namedealgroup.com asa(config)#enablepasswordOpenSaysMe asa(config)#interfaceethernet0/0 asa(config-if)#nameifoutside asa(config-if)#security-level0 asa(config-if)#ipaddress192.168.1.1255.255.255.0 asa(config-if)#noshutdown asa(config-if)#exit asa(config)#interfaceethernet0/1 asa(config-if)#nameifinside asa(config-if)#security-level100 asa(config-if)#ipaddress192.168.3.1255.255.255.0 asa(config-if)#noshutdown asa(config-if)#exit asa(config)#interfaceethernet0/2 asa(config-if)#nameifdmz asa(config-if)#security-level50 asa(config-if)#ipaddress192.168.2.1255.255.255.0 asa(config-if)#noshutdown asa(config-if)#exit asa(config)#passwdNoEntry bigdog(config)#cryptokeygeneratersa WARNING:YouhaveaRSAkeypairalreadydefinednamed . Doyoureallywanttoreplacethem?[yes/no]:yes Keypairgenerationprocessbegin.Pleasewait... asa(config)#ssh192.168.3.0255.255.255.0inside asa(config)#exit asa#writememory
73
74
Cisco ASA Configuration Buildingconfiguration... Cryptochecksum:21657c19e04a2a24e502173c8626e76d [OK] asa#
The first command that I executed in Listing 3-1 was to change the hostname of the appliance to asa and a domain name of dealgroup.com. Following this, I configuredaPrivilegeEXECpasswordofOpenSaysMe.Ithenconfiguredthethreeinterfaces, assigning them logical names, security levels, and IP addresses, and enabling them. OnceIPwasconfigured,IwantedtobeabletoSSHonthisappliance,soIassigned aUserEXECpasswordofNoEntry,generatingthepublicandprivateRSAkeysand allowinganyinternalcomputerSSHaccess.Finally,Isavedtheapplianceconfiguration— rememberthatyoucanexecutethewritememorycommandateitherPrivilegeEXEC orConfigurationmode. You will actually need to do quite a few more things to pass traffic through your appliance,likesettinguprouting,configuringtranslationpolicies(ifnecessary),setting upACLs,andmanyotherpolicyconfigurations.Thischapter,aswellasthisexample, onlyfocusedonthebasics—preparingyourappliancesothatyoucanimplementyour security policies. The following chapters will deal with traffic as it flows through the appliance.
4 Routing and Multicasting
75
76
Cisco ASA Configuration
T
his chapter will introduce you to the routing and multicasting capabilities of thesecurityappliances.Appliancessupportstaticroutinganddynamicrouting protocols, including RIP, OSPF, and EIGRP, the newest edition. The appliances alsohavelimitedmulticastcapabilities,includingsupportforinteractionwithmulticast clientsusingtheIGMPprotocolandroutingofmulticasttraffic.Thetopicsinthischapter include
▼ R outingfeatures
▲ M ulticastfeatures
ROUTINGFEATURES Youcanusetwomethodstogetroutinginformationintoyourappliance:staticroutes andadynamicroutingprotocol.Thethreedynamicroutingprotocolssupportedinclude RIP,OSPF,andEIGRP.Theappliancesneedsomebasicroutinginformationtotakeincomingpacketsandforwardthemoutofanappropriateinterfacetoreachadestination thatismorethanonehopaway.Thefollowingsectionscovertheimplementation,configuration,andverificationofroutingonyourappliance.
RoutingRecommendations Itisimportanttopointoutthatyourapplianceisnotafull-functioningrouter.Thiswas veryapparentupthroughversion6.2oftheoperatingsystem.Withtheintroductionof version6.3,OSPFwasaddedasaroutingprotocol.Asyouwillseelaterinthe“OSPF” section,theapplianceshavemostoftheOSPFcapabilitiesofCiscoIOSrouters;however, theydon’thaveallthesamecapabilities. You can use two common practices for routing on the appliances, depending on whethertheapplianceisattheperimeterofyournetwork,orlocatedinsidethecampusordatacenter.Forsmallnetworks,itiscommontouseadefaultroutepointingto the router connected to the outside interface and to use static routes pointing to your networks connected to your remaining appliance interfaces. For large networks, it is commontousestaticroutingontheperimeterappliances,buttouseadynamicrouting protocolforapplianceslocatedwithinthecampusordatacenter. TIP Themostpreferredroutingmethodonaperimeterapplianceistohaveadefaultroutepointing totheoutsideinterfaceandtohaveaspecificroute(s)pointingtotheinternalinterface(s).
AdministrativeDistance Ifyouhavemultiplepathstoreachthesamedestinationwithinaroutingprotocol,the appliance uses the lowest metric value when choosing a route and places the lowest metricrouteintheroutingtable.However,ifmorethanoneroutingprotocolislearning
Chapter 4:
RoutingProtocol
Routing and Multicasting
AdministrativeDistance
Connectedinterface
0
Staticroute
1
EIGRPsummarizedroute
5
InternalEIGRProute(withinanautonomoussystemorAS)
90
OSPF
110
RIP
120
ExternalEIGRProute(differentAS)
170
Unknown
255
Table4-1. AdministrativeDistancesofRoutingProtocols
aroute,Ciscousesaproprietaryfeaturecalledadministrativedistancetoranktherouting protocols.Theroutingprotocolwiththelowestadministrativedistancevaluewillhave itsrouteplacedintheroutingtable.Table4-1liststheadministrativedistancesofthe routingprotocols.NotethatCiscousesthesameadministrativedistancevaluestorank routingprotocolsontheirIOSrouters.
StaticRoutes Thethreekindsofstaticroutesare
▼ C onnectedroute
■ Staticroute
▲ D efaultroute
OnceyouconfigureanIPaddressonyourappliance’sinterface,theapplianceautomaticallycreatesastaticrouteforthespecifiednetworknumberandassociatesitwiththe configuredinterface.Thisisreferredtoasaconnectedroute.Whenyou’redeterminingwhat routetousetoreachadestination,connectedrouteshavethehighestpreference(lowest administrativedistance).OnceyouaredoneconfiguringyourinterfaceIPaddresses,the appliancewillknowaboutallofthedirectlyconnectednetworks.However,theappliance doesn’tknowaboutnetworksmorethanonehopawayfromitself.Tosolvethisproblem, one option is to configure static, or default, routes. This topic is discussed in the next section.
77
78
Cisco ASA Configuration
StaticRouteConfiguration Tocreateastaticordefaultroute,usetheroutecommand,asshownhere: ciscoasa(config)#routelogical_if_namenetwork_numbersubnet_mask next_hop_IP_address[metric][tunneled]
Asyoucanseefromthesyntax,theconfigurationofthiscommandisnottoodifferent fromconfiguringastaticrouteonanIOSrouter.Thefirstparameteryoumustenterfor the route command is the logical name of the interface where the destination route exists.IfyouexamineFigure4-1,for192.168.4.0/24and192.168.5.0/24,thiswouldbe theinsideinterface.Next,youfollowitwiththenetworknumberandthesubnetmask. Foradefaultroute,enter0.0.0.0forthenetworknumber,or0forshort,and0.0.0.0 forthesubnetmask,whichcanalsobeabbreviatedto0. After you’ve entered the network number and subnet mask, specify the router’s IPaddressthattheappliancewillforwardthetraffictoinordertogetthetraffictothe correctdestination.Again,forthe192.168.4.0/24and192.168.5.0/24networks,thenexthopaddressis192.168.3.2.
ASA Configuration Interface Name E0/0 E0/1 E0/2
192.168.4.0/24
IP Address and Mask
outside 192.168.1.1/24 inside 192.168.3.1/24 dmz 192.168.2.1/24
Internal Network
Internal Router E0/1 = 192.168.3.1
ASA
Perimeter Router E0/0 = 192.168.1.1 E0 = 192.168.1.2
E0 = 192.168.3.2
E0/2 = 192.168.2.1
DMZ 192.168.5.0/24
Web Server 192.168.2.2
Web Server 192.168.2.3
Figure4-1. Asamplenetworkwithasecurityappliance
Internet
Chapter 4:
Routing and Multicasting
Youcanoptionallyaddahopcounttorankstaticrouteswhenyourapplianceisconnectedtomorethanonerouterandyouwanttheappliancetoknowaboutbothrouting paths—thisisconfiguredwiththemetricparameter.Thisparameterweightsthestatic routes,givingpreferencetotheonewithalowermetricvalue. Whenyoucreateadefaultroutewiththe tunneledparameter,allencryptedtraffic that arrives on the appliance which cannot be routed using a dynamically learned routeorastaticrouteissenttothisroute.Otherwise,ifthetrafficisnotencrypted,the appliance’sstandarddefaultrouteisused.Tworestrictionsapplywhenyou’reusingthe tunneledoption:
▼ Y oucannotdefinemorethanonedefaultroutewiththisoption.
▲ I CMPfortunneledtrafficisnotsupportedwiththisoption. NOTE The security appliances will not load-balance between multiple paths—they will only use one path. If the metric is different, the appliance will use the path with the lower metric value.Ifthemetricvalueisthesame,theappliancewillusethefirstroutecommandthatyou configured.
RouteVerification Toviewtheroutesinyourappliance’sroutingtable,usethefollowingcommand: ciscoasa#showroute[logical_if_name[ip_address[netmask[static]]]]
Hereisanexampleoftheuseoftheshowroutecommand: Listing4-1.AstaticrouteconfigurationforFigure4-1 ciscoasa(config)#showroute S0.0.0.00.0.0.0[1/0]via192.168.1.2,outside C192.168.3.0255.255.255.0isdirectlyconnected,inside C*127.0.0.0255.255.0.0isdirectlyconnected,cplane C192.168.2.0255.255.255.0isdirectlyconnected,dmz C192.168.1.0255.255.255.0isdirectlyconnected,outside S192.168.4.0255.255.255.0[1/0]via192.168.3.2,inside S192.168.5.0255.255.255.0[1/0]via192.168.3.2,inside
AstaticrouteisrepresentedbyanSintheroutingtable.Adirectlyconnectedrouteis representedbyC.Ifyouseea127.0.0.0route,itindicatesthatyouareonanASA—this addressisusedtoaccessthepseudo-consoleportofaninstalledIPSorCSCcard.For nonconnectedroutes,aswithstaticroutes,you’llseetwonumbersinbrackets(“[]”). Thefirstnumberistheadministrativedistanceoftheroutingprotocol,andthesecond numberisthemetricoftheroute.
79
80
Cisco ASA Configuration
StaticRouteConfigurationExample To illustrate the configuration of static routes, I’ll use the network shown previously inFigure4-1.Hereistheconfigurationtoaccomplishtheroutingtableoutputshown previouslyinListing4-1: ciscoasa(config)#routeoutside00192.168.1.2 ciscoasa(config)#routeinside192.168.4.0255.255.255.0192.168.3.2 ciscoasa(config)#routeinside192.168.5.0255.255.255.0192.168.3.2
StaticRouteTracking Oneproblemwithstaticroutesisthattheappliance,bydefault,hasnowayofknowing ifthepathtothedestinationisavailableunlesstheinterfaceontheapplianceassociated with the static route were to go down. However, if the next-hop neighbor were to go down,theappliancewouldstillforwardtraffictothisdestination. Static route tracking is a new feature, introduced in version 7.2, to deal with this problemwhenusingstaticroutes.Thisfeatureallowsanappliancetodetectthataconfiguredstaticroutethatiscurrentlyintheroutingtableisnolongerreachableandto useabackupstaticroutethatyou’veconfigured.ICMPisusedbytheappliancetotest connectivityforthestaticroutecurrentlyintheapplianceroutingtable.IfICMPecho repliesarenotreceivedforapreconfiguredperiodfromthemonitoreddeviceassociatedwiththecurrentstaticroute,theappliancecanthenremovetheassociatedstatic routefromitsroutingtable,anduseaconfiguredbackupstaticroute. NOTE Onerestrictionwiththestaticroutetrackingfeatureisthatitcannotbeusedwithastatic routethathasthetunneledoptionenabled. StaticRouteTrackingConfiguration Usethefollowingcommandstoconfigurestaticroute tracking: ciscoasa(config)#slamonitorSLA_ID ciscoasa(config-sla-monitor)#typeechoprotocolipIcmpEcho monitor_device_IPinterfacelogical_if_name ciscoasa(config-sla-monitor-echo)#timeoutmilliseconds ciscoasa(config-sla-monitor-echo)#frequency#_missed_echo_replies ciscoasa(config)#slamonitorscheduleSLA_IDlifeforever start-timenow ciscoasa(config)#tracktrack_IDrtrSLA_IDreachability ciscoasa(config)#routelogical_if_namenetwork_numbersubnet_mask next_hop_IP_address[metric]tracktrack_ID
Theslamonitorcommandspecifieshowthetrackingshouldbedone.TheSLA_ID associatesanidentificationvaluetothetrackingprocess.Thetypesubcommandmode commandspecifiestheprotocoltousewhenperformingthetest,thedevicetotestaccessto,
Chapter 4:
Routing and Multicasting
and the interface the monitored device is connected to. Currently the only protocol supportedfortestingisICMP(ipIcmpEcho).Thetimeoutcommandspecifiesthenumberofmillisecondstowaitfortheechoreply.The frequencycommandspecifiesthe numberofechorepliesthatmustbemissedbeforethetrackedstaticrouteisconsidered bad.The sla monitor schedulecommandspecifieswhenmonitoringshouldstart andforhowlong.Normallyyouwantthetrackingtostartrightnowandcontinueforever,butyoucanchangethesevalues.The trackcommandassociatesthe SLA_IDfor monitoringwiththetrackingIDspecifiedintheroutecommand(s). StaticRouteTrackingConfigurationExample Toillustratehowstaticroutetrackingisused, examineFigure4-2.Inthisexample,theperimeterapplianceisconnectedtotwoISPsvia twodifferentperimeterrouters,whereISP1isthedefaultpathandISP2isthebackup. However, if either of these two ISP links were to go down, the appliance, since it is notconnectedtothem,wouldnotknowthis.Hereistheconfigurationforstaticroute trackingforthisexample: ciscoasa(config)#slamonitor100 ciscoasa(config-sla-monitor)#typeechoprotocolipIcmpEcho 200.1.1.1interfaceoutside ciscoasa(config-sla-monitor-echo)#timeout1000 ciscoasa(config-sla-monitor-echo)#frequency3 ciscoasa(config-sla-monitor-echo)#exit ciscoasa(config)#slamonitorschedule100lifeforeverstart-timenow ciscoasa(config)#track1rtr100reachability ciscoasa(config)#route00outside1192.168.1.11track1 ciscoasa(config)#route00outside2192.168.2.12track1
Intheprecedingconfiguration,theapplianceistrackingadevice,probablyarouter, in the ISP1 network (200.1.1.1). If an echo reply is not received when tracking within 1second(1,000milliseconds)andthisprocessisrepeatedthreetimes,theprimarydefault
ISP1 (200.1.1.1)
192.168.1.1 Outside 1 Inside Outside 2
ISP2
Figure4-2. Staticroutetrackingexample
192.168.2.1
81
82
Cisco ASA Configuration
route is considered bad (the 192.168.1.1 neighbor with a metric of 1), and the backup defaultroutefortheoutside2interfacewillbeused.
RIP Untilversion8oftheoperatingsystem,theapplianceswererestrictedinhowtheyran RIP: they could only accept RIP routes and optionally advertise a default route; they couldnottakerouteslearnedfromoneRIPneighborandadvertisetheseroutesonanother interface. Starting in version 8, the appliance is a full-functioning RIP router. If morethanoneroutingprocessisrunningontheappliance,youcanevenredistribute routesfromoneprocess,likeRIP,intoanotherroutingprocess. BothRIPv1andRIPv2aresupported.WithRIPv2,youcanauthenticateroutingupdatesfromneighboringRIPv2routers.Youcanalsocontrol,onaninterface-by-interface basis,whatRIPversionisrunonaninterface.
RIPConfiguration The configuration of RIP is performed globally, with some features controlled on an interface-by-interfacebasis.ThefollowingtwosectionswillcovertheconfigurationofRIP. RIP Global Configuration Configuring RIP on an appliance is similar to configuring RIPonaCiscorouter.ToenableRIP,usethe router ripglobalConfigurationmode command: ciscoasa(config)#routerrip ciscoasa(config-router)#networknetwork_address ciscoasa(config-router)#version[1|2] ciscoasa(config-router)#default-informationoriginate ciscoasa(config-router)#passive-interface[default|logical_if_name] ciscoasa(config-router)#noauto-summarize
The router ripcommandtakesyouintotheRIProutingprocess.The network commandspecifiesthenetworksthattheapplianceisconnectedtothatshouldbeincludedintheRIPprocess.Theversioncommandspecifies,globally,theRIPversionthe applianceshouldrun.(Thiscanbeoverriddenonaninterface-by-interfacebasis.)The default-informationcommandallowsadefaultroutetopropagateintoandthrough theRIProutingprocessontheappliance.Thepassive-interfacecommandspecifies whetherallinterfacesorjustthespecifiedinterfaceisallowedtopropagateRIProutesto otherneighbors(theinterfaceisoperatinginpassivemode). Bydefault,theRIProutingprocesswillautomaticallysummarizeClassA,B,andC networknumbersattheirclassboundary.The no auto-summarizecommandworks onlyforRIPv2:itdisablesautomaticsummarizationofsubnetsbacktotheirClassA,B, and/orCnetworknumberswhenadvertisingnetworksacrossanetworkboundary,like 172.16.0.0/16to10.0.0.0/8.
Chapter 4:
Routing and Multicasting
RIPInterfaceConfiguration YouhavetwoconfigurationoptionsforRIPonanappliance’s interface:controllingtheRIPversion(s)thatrunontheinterfaceandtheauthentication ofroutingupdates.Herearethecommandstoconfiguretheseoptions: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#rip{receive|send}version{[1][2]} ciscoasa(config-if)#ripauthenticationmode{text|md5} ciscoasa(config-if)#ripauthenticationkeykey_#key-idkey_ID
Youcanrunbothversion1and2ofRIPonaninterfaceifyouhaveRIProutersspeaking both versions.You can control this in both the send and receive directions on the interfacewiththeripsendandripreceivecommands.TorunRIPincompatibility mode,makesurebothversionsofRIPareenabledontheinterfaceintheappropriate direction(s). AssumingyouarerunningRIPv2onaninterface,youcanalsoauthenticaterouting updateswithRIPv2peersconnectedtotheinterface.The rip authenticationcommandallowsyoutosetupauthenticationforRIPv2.Youhavetwochoicesforvalidating apeer:
▼ S endtheauthenticationinformationincleartext(text)intheroutingupdate.
▲ D igitallysigntheroutingupdateusingMD5authentication(md5).
ItishighlyrecommendedtousetheMD5hashfunctionandnotcleartextforauthentication.WhenspecifyingMD5,youneedtospecifytheencryptionkey,whichcanbeup to16characterslong,aswellasthekeyidentificationnumber,whichcanbeanumber between1and255.NotethatonyourpeerRIPv2neighbors,you’llneedtomatchthese values.IdiscussMD5inmoredepthinChapter15. SECURITYALERT! RIPversion1hasnosecuritymechanismbuiltintoitandthuscanbeeasily spoofed. Therefore, you should use RIP version 2 on your appliance, with MD5 authentication configured,andtheroutersconnectedtoyourappliance.Thisalsoappliestotheapplianceifyouare usingOSPForEIGRP:useMD5authenticationtogreatlyreducethelikelihoodthatyourappliance wouldacceptaspoofedroutefromaroguerouter.
RIPVerification ToviewtheroutingtablethathasRIProutes,usetheshowroutecommand: ciscoasa(config)#showroute S0.0.0.00.0.0.0[1/0]via192.168.1.2,outside C192.168.3.0255.255.255.0isdirectlyconnected,inside C*127.0.0.0255.255.0.0isdirectlyconnected,cplane C192.168.2.0255.255.255.0isdirectlyconnected,dmz C192.168.1.0255.255.255.0isdirectlyconnected,outside R192.168.4.0255.255.255.0[120/1]via192.168.3.2,inside R192.168.5.0255.255.255.0[120/1]via192.168.3.2,inside
83
84
Cisco ASA Configuration
Inthisexample,youcanseetheconnectedroutes,aswellasadefaultroutethatwas staticallyconfigured.Atthebottom,youcanseethetwoRIProutes,designatedbyanR, learnedfromthe192.168.3.2RIPneighbor. TIP The clear route [logical_if_name] command clears dynamic routes—RIP, OSPF,andEIGRP—fromthelocalroutingtable. ForfurthertroubleshootingofRIP,youcanusethedebugripcommand.Here’san example: RIP:broadcastinggeneralrequestonEthernet0/1 RIP:Receivedupdatefrom192.168.3.2on0/1 192.168.4.0in1hops 192.168.5.0in1hops RIP:Sendingupdateto255.255.255.255viaEthernet0/1(192.168.3.1) subnet192.168.1.0,metric1 subnet192.168.2.0,metric1
You can qualify the output of the preceding command by using the debug rip eventscommandtoseeinformationthatisbeingsharedbetweenRIPdevices.Usethe debug rip databasecommandtoseehowthelocalRIPdatabaseandroutingtable areupdatedwithRIProutes.
RIPConfigurationExample ToillustratetheconfigurationofRIP,I’llusethenetworkshownpreviouslyinFigure4-1. I’llassumethatInternalRouterunderstandsRIPv2andthatadefaultrouteisusedto reachnetworksbeyondtheExternalRouter.Inthisexample,thee0/1interface(inside) isincludedinRIP,andMD5authenticationisused. ciscoasa(config)#routeoutside00192.168.1.2 ciscoasa(config)#routerrip ciscoasa(config-router)#network192.168.3.0 ciscoasa(config-router)#version2 ciscoasa(config-router)#default-informationoriginate ciscoasa(config-router)#exit ciscoasa(config)#interfaceethernet0/1 ciscoasa(config-if)#ripauthenticationmodemd5 ciscoasa(config-if)#ripauthenticationkeypeekabooiseeukey-id100
OSPF OSPFsupport,withtheexceptionoftheFirewallServicesModule(FWSM),isnewto theappliancesinversion6.3.TheexceptiontothisisthePIX501,whichdoesn’tsupport OSPF.TheappliancessharemostofthefeaturesthatCiscoIOSrouterssupportforOSPF. Forexample,theappliancessupportintra-arearouting,inter-arearouting,andexternal
Chapter 4:
Routing and Multicasting
type-1andtype-2routing.Theappliancescanplaytheroleofadesignatedrouter(DR) andbackupDR(BDR)inanarea,anareaborderrouter(ABR),andanautonomoussystemboundaryrouter(ASBR).TheappliancessupportadvancedOSPFfeatureslikeroute authenticationwithMD5,stubbyandNSSAareas,ABRlinkstateadvertisement(LSA) type-3filtering,virtuallinks,androuteredistribution,providingyouwithalotofflexibility insettingupOSPFonyourappliancetoprovideascalableOSPFnetworkdesign. NOTE The OSPF discussion in this book is kept somewhat brief, covering about 70 percent of the actual OSPF capabilities of the appliances.The topics that are discussed are the ones most commonlyimplementedbyadministrators.
BasicOSPFConfiguration EnablingOSPFisatwo-stepprocess:
1. CreateyourOSPFprocess.
2. Specifytheinterfacesthatareassociatedwithaparticulararea. ThebasicconfigurationofOSPFissimilartothatdoneonaCiscorouter:
ciscoasa(config)#routerospfprocess_ID ciscoasa(config-router)#networkIP_addresssubnet_maskareaarea_# ciscoasa(config-router)#timersspfspf_delayspf_holdtime
First,createyourOSPFprocesswiththe router ospfcommand,givingtheOSPF aprocessID—youcanhaveonlytwoOSPFprocessesrunningsimultaneouslyonyour appliance.NoticethatthiscommandtakesyouintoasubcommandmodefortheOSPF routingprocess. Second,youusethenetworkcommandtospecifywhichinterfaceisinwhicharea. Thisisalmostliketherouter’sOSPFnetworkcommand…withoneexception:youdon’t specifyawildcardmask;instead,youspecifyasubnetmask.Toputaspecificinterface intoaspecificarea,usetheinterface’sIPaddressandasubnetmaskof255.255.255.255. Optionally,youcanchangetheshortest-pathfirst(SPF)delayandhold-downtime withthetimersspfcommand.Thedelayisthenumberofsecondstheappliancewill waituponreceivingatopologychangeandrunningtheSPFalgorithm;thisdefaultsto 5seconds.Ifyouspecify0,thentheappliancedoesn’twaitwhenachangeisreceived. Thehold-downperiodisthenumberofsecondstheappliancewaitsbetweentwoSPF calculations;bydefaultthisis10seconds.Thesetimersareusedtopreventaflapping routefromcausingCPUissuesonanappliancebydelayingtheSPFcalculationwhena changeisreceived. Hereisasimpleexampleofasingle-processconfigurationofOSPFonanappliance, basedonthenetworkshowninFigure4-3: ciscoasa(config)#routerospf1 ciscoasa(config-router)#network10.0.0.0255.0.0.0area0 ciscoasa(config-router)#network192.168.1.0255.255.255.0area1 ciscoasa(config-router)#network192.168.2.0255.255.255.0area1
85
86
Cisco ASA Configuration
Internet
192.168.1.0/24 Area 1
10.0.0.0/8 Area 0 192.168.2.0/24 Area 1
Figure4-3. SimplenetworkwithanappliancerunningOSPF
Intheprecedingexample,anyinterfacebeginningwith10isplacedinarea0;anyinterface beginningwith192.168.1or192.168.2isinarea1.
OSPFInterfaceParameters Youcantunemanyinterface-specificOSPFparameters,butthisistypicallyunnecessary. Herearesomeoftheinterface-specificOSPFcommandsonanappliance: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-interface)#ospfcostcost ciscoasa(config-interface)#ospfprioritypriority ciscoasa(config-interface)#ospfhello-intervalseconds ciscoasa(config-interface)#ospfdead-intervalseconds
Theospfcostcommandhard-codesthecostofaninterface,overridingthedefault calculationthatisused.Thecostneedstomatchwhattheneighborsuse,orinadvertent SPFcalculationscanoccur.The ospfprioritycommandisusedtoelecttheDRand BDR—thedefaultpriorityis1;settingitto0causestheinterfacetonotparticipateinthe electionprocess. Theospfhello-intervalcommandspecifieshowoftenLSAmessagesaregenerated.Theospfdead-intervalcommandspecifiesthenumberofsecondsafterwhich ifaneighbor’shellomessagesaren’tseen,theneighborisdeclareddead.Thehelloand deadintervaltimersdefaultto10and40seconds,respectively,andmustmatchupwith the value configured on OSPF neighbors connected to the interface, or the appliance won’tformanadjacencywiththem.
OSPFAuthentication OSPFandtheappliancessupportauthenticationofroutingupdatesbyusingaclear-text passwordortheMD5function.IfyouwanttoauthenticateOSPFroutingupdates,you mustenableauthenticationforeachareayouwillbedoingthiswithintheOSPFrouting process.Herearethecommandstoaccomplishthis: ciscoasa(config)#routerospfprocess_ID ciscoasa(config-router)#areaarea_#authentication[message-digest]
Chapter 4:
Routing and Multicasting
ForMD5,youneedthemessage-digestparameter.Withoutit,clear-textkeysareused forauthenticationinsteadofMD5signatures. Afterenablingauthenticationforanareaorareas,you’llneedtoconfigureauthenticationontheinterface(s)thatwillbeusingit: ciscoasa(config)#interfaceinterface_name ciscoasa(config-if)#ospfauthentication[message-digest|null] ciscoasa(config-if)#ospfauthentication-keykey ciscoasa(config-if)#ospfmessage-digest-keykey_#md5key
Ontheinterface,ifyou’reusingclear-textauthentication,usethe ospf authenticationandospfauthentication-keycommands.ForauthenticationusingMD5,use theospfauthenticationmessage-digestandospfmessage-digest-keycommands. Here’sanexampleofusingMD5authenticationforanarea: ciscoasa(config)#routerospf1 ciscoasa(config-router)#area0authenticationmessage-digest ciscoasa(config-router)#exit ciscoasa(config)#interfacee0/1 ciscoasa(config-if)#ospfauthenticationmessage-digest ciscoasa(config-if)#ospfmessage-digest-key500md5cisco123abc
Inthisexample,MD5authenticationisusedinarea0,whichincludesthee0/1interface. Thekeynumberusedis500,andtheactualsignaturekeyiscisco123abc. NOTE Toprotectagainstroutingattacks,itishighlyrecommendedtoconfigureyourappliancewith OSPFauthentication,whichsupportsMD5signaturesforauthenticationofroutingupdates.
OSPFAreaStubs Stubsareusedtolimitthenumberofroutesinanarea.Astubhastype-1andtype-2intra-areaLSAs,type-3andtype-4inter-areaLSAs,andadefaultrouteinjectedintothem bytheABRforexternalroutesfromadifferentautonomoussystem.Ifyourapplianceis anABRandyouwanttodesignateanareaasastub,usethefollowingconfiguration: ciscoasa(config)#routerospfprocess_ID ciscoasa(config-router)#areaarea_#stub[no-summary] ciscoasa(config-router)#areaarea_#default-costcost
Toconfigureanareaasastub,usetheareastubcommand.Anytype-5LSAs(external routestype1andtype2)willnotbeforwardedintothespecifiedarea;insteadadefault route is forwarded. The stub function must be configured on all OSPF devices in the area, including theABR. On theABR, if you specify the no-summary parameter, you aremakingthearea“totallystubby.”ThisisaCiscoproprietaryfeature:externalroutes
87
88
Cisco ASA Configuration
fromASBRsandroutesfromotherareasarenotinjectedintoatotallystubbyarea:onlya defaultrouteisinjected.Theareadefault-costcommandallowsyoutoassignacost metrictotheinjecteddefaultroutethatwillbeadvertisedintoastubarea. NSSAstandsfor“not-so-stubbyarea.”SupposeyourapplianceisanASBRanditisnot connectedtoarea0,buttoadifferentarea,andthatareaisastub.Togettheexternalroutes tothebackbonethroughthestubbyarea,theASBRmustadvertisetheexternalroutesas type7;thisisreferredtoasanot-so-stubbyarea(NSSA).Again,allOSPFdevicesinthearea mustbeconfiguredasNSSA.Whenconfiguredassuch,thedevicesintheareawillforward type-7LSAstothebackbone(area0),butwillnotincorporatethemintotheirlocalOSPF database.ToconfigureyourABRapplianceforNSSA,usethefollowingconfiguration: ciscoasa(config)#routerospfprocess_ID ciscoasa(config-router)#areaarea_#nssa [default-informationoriginate] ciscoasa(config-router)#areaarea_#default-costcost
On the ASBR that’s NSSA, the area nssa command makes the device understand aboutthisissue.Addingthedefault-informationoriginateparametercausesthe appliance,whenitisanASBR,toinjectadefaultrouteintotheNSSAarea.The area default-costcommandallowsyoutochangethedefaultcostofthedefaultroute.
OSPFSummarization IfyourapplianceisanABR,itcansummarizeroutesbetweenareaswiththearearange command: ciscoasa(config)#routerospfprocess_ID ciscoasa(config-router)#areaarea_#rangenetwork_#subnet_mask [advertise|not-advertise]
This command only summarizes routes located in the area specified. The advertise parameteristhedefault—itadvertisesthesummarizedroute.Thenot-advertiseparameterwillnotadvertiseanyroutesmatchingthenetwork/subnetmaskspecifiedfor theareatoanyotherconnectedareas(type-3andtype-4LSAs). Herearethecommandsnecessarytoperformsummarizationonanappliancethatis anASBR: ciscoasa(config)#routerospfprocess_ID ciscoasa(config-router)#default-informationoriginate [always][metricmetric-value] [metric-type{1|2}][route-mapmap-name] ciscoasa(config-router)#summaryaddressnetwork_#subnet_mask [not-advertise][tagtag]
YoucaninjectadefaultrouteintoyourOSPFprocesswiththe default-information originate command. The always parameter causes the appliance to always inject a
defaultrouteintotheOSPFprocess,evenifonedoesn’texistinthelocalroutingtable.
Chapter 4:
Routing and Multicasting
Wheninjectingadefaultroute,youcanassignametrictoitwiththe metricparameter, specifythetypeofexternalroutewiththemetric-typeparameter,andapplyaroutemap totheprocess,whichcanbeusedtochangepropertiesoftheroute.Routemapsarebeyond thescopeofthisbook. Youcanalsosummarizeexternalroutesusingthesummaryaddresscommand.As inthepreviousconfiguration,thenot-advertiseparameterwillnotadvertiseexternal routesthatmatchthenetworknumberandsubnetmaskvaluesconfiguredintothelocalOSPFprocess.Thetagvalueisa32-bitnumberthatOSPFitselfdoesn’tuse,butthat otherroutingprotocolslikeBGPcanuse. NOTE Youcannotcreateasummaryrouteof0.0.0.0/0;insteadyouneedtousethe defaultinformationoriginatecommand.
OSPFRouteFiltering Theappliancessupportfilteringoftype-3LSAs;thismightbenecessaryifyouareusing privatenetworknumbersoncertaininterfacesanddonotwanttopasstheseasroutes viaOSPF.Configuringprefixfiltering(filteringoftype-3LSAs)isatwo-stepprocess: ciscoasa(config)#prefix-listprefix_list_name{permit|deny} network_#/prefix_length ciscoasa(config)#routerospfprocess_ID ciscoasa(config-router)#areaarea_#filter-list {prefix_list_namein|out}
Configureyourlistofprefixroutesthatwillorwillnotbefilteredwiththeprefixlistcommand.Theorderyouentertheprefixlistisimportant,sincetheapplianceprocessesthelisttop-down.Thepermitstatementsallowtheroute,whiledenystatements
filtertheroute.Tospecifyaprefix,enterthenetworknumber,followedbyaslash(“/”) andthenumberofnetworkbits,like10.0.0.0/8. YouthenapplytheprefixlisttoanareainanOSPFroutingprocesswiththe area filter-listcommand.Youcanfilterroutingupdatesenteringanarea(inparameter) orleavinganarea(outparameter).
OSPFRouteRedistribution Youcantakeroutesfromanexternalsourceonyourappliance,assumingit’sactingas anASBR,andinjectthemintoOSPF,andviceversa.Theconfigurationofredistribution ontheappliancesissimilartohowitisconfiguredonCiscoIOSrouters.Redistribution isaccomplishedbyusingtheredistributecommand. ciscoasa(config)#routerospfprocess_ID ciscoasa(config-router)#redistribute{connected|static} [[metricmetric_value][metric-type {type-1|type-2}][tagtag_value] [subnets][route-maproute_map_name]
89
90
Cisco ASA Configuration ciscoasa(config-router)#redistributeospfprocess_ID [match{internal|external[1|2]| nssa-external[1|2]}][metricmetric_value] [metric-type{type-1|type-2}][tagtag_value] [subnets][route-maproute_map_name] ciscoasa(config-router)#redistributerip[metricmetric_value] [metric-type{type-1|type-2}][tagtag_value] [subnets][route-maproute_map_name] ciscoasa(config-router)#redistributeeigrpAS_#[metricmetric_value] [metric-type{type-1|type-2}][tagtag_value] [subnets][route-maproute_map_name]
Theredistributecommandtakesroutesfromanexternalroutingprocessandredistributes them into the current OSPF process. The metric parameter allows you to associateacosttotheredistributedroutes.The metric-typeparameterallowsyouto specify if the redistributed routes are type-1 or type-2 external routes—the default is type-2 if omitted. You can also tag the route with a number with the tag parameter: OSPFdoesn’tprocessthisinformation,butanASBRspeakingBGPcanusethisinformation.Ifyouomitthe subnetsparameter,onlyclassfulroutesareredistributedinto OSPF—notthesubnetsofanetworknumber.The matchparameterisusedwhentakingroutesfromanotherOSPFprocess—youcancontrolifyou’lltaketheotherprocess’ internaland/orexternaltype-1ortype-2routesintothelocalOSPFprocess.Witheach oftheprecedingredistributecommands,youcanusetheroute-mapparameterand change information related to the matching routes, like their metrics. Route maps are beyondthescopeofthisbook. To illustrate the simplicity of configuring route redistribution, examine the networkshowninFigure4-4.Inthisnetwork,theappliancewillredistributeroutesfrom autonomous system (AS) 100 intoAS 200. Here’s the redistribution configuration to accomplishthis: ciscoasa(config)#routerospf100 ciscoasa(config)#routerospf200 ciscoasa(config-router)#redistributeospf100matchinternal
Public
Internet
OSPF 100 Area 0
OSPF 200 Area 10 Appliance OSPF 200 Area 10
Figure4-4. ASBRapplianceperformingredistribution
Private
Chapter 4:
Routing and Multicasting
NOTE Ifthereareoverlappingnetworknumbersinthetworoutingprocesseswhenyou’reperforming redistribution,you’llneedtofilterthemusingLSAtype-3filtering,oryouwillcreatereachabilityissues withyourroutingprocesses.
OSPFVerification WhenrunningOSPF,usetheshowroutecommandtoviewtheroutesinyourrouting table:OSPFroutesshowupasan Ointheroutingtable.Thiscommandwasdiscussed earlierinthechapter.OthercommandsyoucanuseincludetheonesshowninTable4-2.
EIGRP SupportforCisco’sproprietaryEIGRProutingprotocolwasaddedtotheappliancesin version8.0.VerysimilarEIGRPcapabilitiesareontheappliancesthatyoumayhaveused ontheCiscoIOSroutersformanyyears.Somesupportedfeaturesincludethefollowing:
▼ N eighborauthentication
■ Routesummarization
■ Routefiltering
■ Redistributionwithotherroutingprotocols(verysimilartoredistribution discussedinthe“OSPFRouteRedistribution”sectionandthereforeomitted fromthissection)
▲ S tubrouting NOTE TheEIGRPdiscussioninthisbookiskeptsomewhatbrief,coveringabout70percentof theactualEIGRPcapabilitiesoftheappliances.Thetopicsthatarediscussedaretheonesmost commonlyimplementedbyadministrators.
OSPFCommand
Explanation
showospf[process_ID[area_#]]
Viewinginformationabout theOSPFroutingprocess
showospf[process_ID[area_#]]database DisplayingtheOSPF
database
showospfinterface[logical_if_name]
DisplayingtheOSPF interfaceinformation
showospfneighbor[logical_if_name] [neighbor_ID][detail]
DisplayingtheOSPF neighbortable
Table4-2. CommandstoVerifyYourOSPFConfiguration
91
92
Cisco ASA Configuration
BasicEIGRPConfiguration SettingupEIGRProutingonanapplianceisverysimilartosettingituponaCiscoIOS router.HerearethebasiccommandstoenableEIGRProuting: ciscoasa(config)#routereigrpAS_# ciscoasa(config-router)#networkIP_address[subnet_mask] ciscoasa(config-router)#[no]passive-interface{default| logical_if_name}
ToenabletheEIGRProutingprocess,youneedtoassignitanASnumber.Withinthe routingprocess,foreverynetworkyoulist(withthe networkcommand)thatmatches aninterfaceontheappliance,thatinterfaceisincludedintheEIGRProutingprocess.If youomitthesubnetmask,itdefaultstothenetworkclassmask(A,B,C). The passive-interfacecommandplacesaspecifiedinterfaceinapassivemode: the appliance will not process any EIGRP updates on the interface. The default parameterdisablesEIGRPonallinterfaces:thentoenableforspecificinterfaces,usethe no passive-interface command, referencing the specific logical interface names. Here’sasimpleexample,basedonFigure4-3,ofenablingEIGRPonalltheappliance interfaces: ciscoasa(config)#routereigrp1 ciscoasa(config-router)#network192.168.1.0255.255.255.0 ciscoasa(config-router)#network192.168.2.0255.255.255.0 ciscoasa(config-router)#network10.0.0.0255.0.0.0
Inthisexample,allthreeinterfacesareinautonomoussystem1.
EIGRPAuthentication Setting up authentication of EIGRP routing updates is easy. Enter the interface the EIGRPneighbor(s)areconnectedto,andfortheAS,specifythatMD5isusedwiththe authenticationmodecommand.Thenconfigurethekeyandkeynumberusedwithin theASonthatinterfacewiththeauthenticationkeycommand: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#authenticationmodeeigrpAS_#md5 ciscoasa(config-if)#authenticationkeyeigrpAS_#keykey-idkey_#
NotethatallEIGRProutersconnectedtotheinterfaceneedtohavethesameASnumber alongwiththesamekeyvalueandkeynumber.Here’sasimpleexamplebasedonthe codelistinginthepreviousexample: ciscoasa(config)#interfacee0/1 ciscoasa(config-if)#authenticationmodeeigrp1md5 ciscoasa(config-if)#authenticationkeyeigrp1cisco123abckey-id100
Chapter 4:
Routing and Multicasting
EIGRPSummarization By default, EIGRP behaves, in many instances, like a distance vector protocol. One exampleofthisprocessiswhenEIGRPadvertisessubnetsacrossnetworkboundaries: beforeadvertisinganysubnetsacrossadifferentnetworknumber,EIGRPautomatically summarizesthesubnetsbacktothenetworkclassboundary(A,B,orC)andadvertises thenetworkclassaddressinstead.Youcandisablethisautomaticsummarizationwith thenoauto-summarycommandintheEIGRProutingprocess: ciscoasa(config)#routereigrpAS_# ciscoasa(config-router)#[no]auto-summary
Executingtheprecedingdisablesallsummarization. Toperformmanualsummarization,entertheinterfacethesummarizationshouldbe performedon,andusethe summary-addresscommandtosummarizethecontiguous networksorsubnets: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#summary-addresseigrpAS_#network_#subnet_mask [administrative_distance]
Whenyourapplianceisattheedgeofthenetwork,likeaWANlinkortheaccess layerinthecampusnetwork,itistypicallynotnecessarytoshareanentirenetwork’slist ofEIGRProutestoedgedevices.EIGRPsupportsaprocesssimilartoOSPFcalledstubs. HereistheconfigurationtosetupstubroutingforEIGRPonyourappliance: ciscoasa(config)#routereigrpAS_# ciscoasa(config-router)#eigrpstub[receive-only|[connected] [redistributed][static][summary]]
You need to specify which network types will be advertised by the stub routing process on the appliance to any connected EIGRP distribution layer routers with the eigrpstubcommand;youcanconfiguremorethanoneoptiononaline. The receive-only parameter will receive routes from neighbors, but will not advertiseroutes.Staticandconnectednetworksarenotautomaticallyredistributedinto thestubroutingprocess;ifyouwanttoincludethem,specifytheconnectedandstatic parametersrespectively.Theredistributedparametercausestheappliancetoadvertise routes that were redistributed from other routing protocols on the appliance. The summaryparameterallowstheappliancetoadvertisesummarizedroutes. Herearesomeexamplesoftheuseoftheeigrpstubcommand:
▼ e igrpstubconnectedsummary Advertisesconnectedandsummarized routes
■ eigrpstubconnectedstatic Advertisesconnectedandstaticroutes
▲ eigrpstubredistributed AdvertisesroutesredistributedintoEIGRP fromotherroutingprotocols
93
94
Cisco ASA Configuration
EIGRPRouteFiltering YoualsohavetheabilitytofilterEIGRProutesenteringorleavingtheEIGRPprocessora particularinterface.Thisisaccomplishedusingaccesscontrollists(ACLs)anddistribution lists,asitisdoneonCiscoIOSrouters: ciscoasa(config)#access-listACL_IDstandard[lineline_#] {deny|permit}{any|hostIP_address| IP_addresssubnet_mask} ciscoasa(config)#routereigrpAS_# ciscoasa(config-router)#distribute-listACL_ID{in|out} [interfacelogical_if_name]
First,youneedtodefineastandardACL(access-listcommand)thatwilllistthe EIGRProutesthatarepermittedand/ordenied;notethatyouareenteringnetworknumbersforroutes—youarenotusingthestandardACLtofilterdatatraffic.ACLsandtheir syntaxarediscussedinmoredepthinChapter6.Oneimportantitemtopointoutabout ACLs,though,isthatACLsontheappliances,unlikeIOSrouters,usesubnetmasks,not wildcardmasks,tomatchonrangesofaddresses. Within the EIGRP routing process, use the distribute-list command.You can filtertrafficinoroutoftheEIGRPprocessitselforforaparticularlynamedinterface.
EIGRPVerification WhenrunningEIGRP,usetheshowroutecommandtoviewtheroutesinyourrouting table:EIGRProutesshowupasa Dintheroutingtable.Thiscommandwasdiscussed earlierinthechapter.OtherEIGRPcommandsyoucanuseincludetheonesshownin Table4-3.
OSPFCommand
Explanation
showeigrp[AS_#]interfaces ViewtheEIGRPoperationonthe [logical_if_name][detail] interfaces. showeigrp[AS_#]neighbors [logical_if_name]
DisplaytheEIGRPneighbortable.
showeigrp[AS_#]topology
DisplaytheEIGRPtopologytable.
showeigrp[AS_#]traffic
ViewEIGRPtrafficstatistics.
Table4-3. CommandstoVerifyYourEIGRPConfiguration
Chapter 4:
Routing and Multicasting
MULTICASTFEATURES TCP/IPv4hasthreekindsofaddresses:unicast,broadcast,andmulticast.Multicasttraffic isdatasenttooneormoredevicescomprisingamulticastgroup,wheremembershipof thegroupisdynamic.Auniquemulticastaddressisusedtorepresentmembershipinthe group,wheremulticastaddressesrangefrom224.0.0.0through239.255.255.255.
MulticastTrafficandtheAppliances Beforeversion6.2,thePIXswouldonlyforwardunicastpacketsbetweeninterfaces:multicasttrafficbetweeninterfaceswouldbedropped.Tosolvethisproblem,administrators originallywouldplacearouteroneachsideofthePIXandbuildaGREtunnelbetween thetwo,andthenwouldencapsulatethemulticastpacketsinGREunicastpackets.GRE isalayer3IPprotocolthattheappliancecanswitchbetweeninterfaces(seethetoppart ofFigure4-5).Theproblemwiththissolutionisthatitintroducesdelayinthemulticast datastreamsandcreatesmoreoverhead,sincetheoriginalmulticastpacketsmusthave anouterIPandGREheaderaddedtothem. Startinginversion6.2,CiscointroducedtheabilityforthePIXstomovemulticast trafficbetweeninterfaces.Theappliancessupportbothstubmulticastrouting(SMR)and PIMmulticastrouting;however,youcanonlyenableoneortheotherontheapplianceat atime.SMRwasintroducedinversion6.2andPIMinversion7.0.
GRE Tunnel
Before 6.2:
Outside
Multicast Server
Inside
Multicast Router
Multicast Router Multicast Client Multicast Transmission
After 6.2:
Outside
Multicast Server
Multicast Router
Inside
Appliance: Stub Multicast Router (Proxy) Multicast Client
Figure4-5. Multicasttrafficandtheappliances
95
96
Cisco ASA Configuration
MulticastUsage Whether you are using PIM or SMR, you must first enable multicast routing on your appliance: ciscoasa(config)#multicast-routing
The multicast-routing command allows the appliance to process and forward multicastpackets.Onceyouconfigurethecommand,PIMandIGMPareautomatically enabled on all the appliance’s interfaces. IGMP version 2 (IGMPv2) is enabled by default,whereasIGMPv1isdisabled.Thisshouldn’tbeanissuesincenoapplications todayusetheolderprotocol;however,theappliancedoessupportboth.Theamount ofRAMyourappliancehaswillaffectthesizeofthemulticasttablestheappliance maintains.Table4-4liststhetablelimits. NOTE Enabling multicasting on a perimeter appliance is very rare; normally this is done on appliancesinadatacenterorwithinacampusnetwork.
StubMulticastRouting Stubmulticastrouting(SMR)allowsendstations,likeuserPCs,toregisterforthemulticast streamstheywanttoreceiveviatheIGMPprotocolandallowformulticastrouting.When theapplianceusesSMR,itactsasanIGMPproxy,whereitdoesn’tfullyparticipateinthe multicastprocess.
IGMPProtocolandIGMPProxying WhenactingasanIGMPproxy,theappliancetakesIGMPqueriesfromfullyfunctional multicastroutersandforwardsthemtotheend-userstations.IGMPqueriesallowamulticastroutertolearntheendstationsthatwishtoreceiveorcontinuereceivingamulticast stream.Foramulticaststreamwherenoresponseisreceived,themulticastrouterassumes that no end stations wish to receive the stream and stops forwarding the stream to the associatednetworksegment.
TableLimitations
16MB
128MB
128+MB
NumberofMulticastForwardingInformation Base(MFIB)entries
1,000
3,000
5,000
NumberofIGMPgroups
1,000
3,000
5,000
NumberofPIMroutes
3,000
7,000
12,000
Table4-4. MulticastTableSizeLimitations
Chapter 4:
Routing and Multicasting
TheappliancealsotakesIGMPreportsfromendstationsandforwardsthemtofully functionalmulticastrouters.Reportsincludethemulticastdatastreamorstreamsanend stationwantstoreceive.InIGMPversion2(IGMPv2),endstationscanalsogeneratejoin andleavemessages,respectively,tospeeduptheprocessofalertingamulticastrouter thatastreamneedstobeforwardedtothesegmentand/orthatastreamisnolonger desiredbytheendstation. Theappliance’sroleinthisprocessistoproxytheIGMPmessagesbetweenthemulticastrouterandtheendstationsaswellastoforwardthemulticastdatastreamsbetweenitsinterfaces.
InterfaceConfigurationforIGMP ThissectionwilldiscusssomeoftheIGMPpropertiesyoucanmanageonyourappliance’s interfaces.HerearethecommandsyoucanconfigureforIGMP: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#igmpforwardinterfacelogical_if_name ciscoasa(config-if)#igmpjoin-groupmulticast_group_address ciscoasa(config-if)#igmpstatic-groupmulticast_group_address ciscoasa(config-if)#igmpquery-timeoutseconds ciscoasa(config-if)#igmpquery-intervalseconds ciscoasa(config-if)#igmpquery-max-response-timeseconds ciscoasa(config-if)#igmpversion{1|2}
The only required command for SMR (besides enabling multicast routing) is the
igmp forward interfacecommand.Thiscommandisconfiguredontheinterface
where the end stations are connected and specifies the logical interface name where thefullyfunctionalmulticastrouterresides.Therestofthecommandsdiscussedinthis andthenextsectionareoptionalforSMR. Theigmpjoin-groupcommandconfigurestheappliancetoactlikeanendstation andwilladvertise,byanIGMPreportmessagetoamulticastserver,thattheappliance wantstheconfiguredmulticastdatastream(multicastIPaddress)tobeforwardedtothe appliance. NOTE Normallythiscommandisconfiguredtotesttheappliance’smulticastconfigurationtoensure thatmulticastdatastreamsareforwardedthroughtheappliance—onceyouhavethisworking,make sureyoudisablethecommand.OtherwiseeverytimeamulticastroutergeneratesanIGMPquery,the appliancewillalwaysrespondbackwithanIGMPreportwiththeconfiguredmulticastgroupaddress. Therefore,theconfiguredmulticastdatastreamwillalwaysbeforwardedtotheappliance,whetheror notanyconnectedendstationswanttoviewmulticastdata. The igmp static-group command performs a similar function as does the igmp join-groupcommand.Wherethelattercommandcausestheappliancetoaccept,process, andforwardmulticastpackets,theformercommandcausestheappliancetoforwardonly themulticastpacketsouttheconfiguredinterface.Theigmpstatic-groupcommandis
97
98
Cisco ASA Configuration
usedwheneitheryouhaveanendstationthathasanIGMPcompatibilityissuewiththe multicastrouterandtheendstationneedstoreceivethespecifiedmulticaststream,oryou alwayswantthespecifiedmulticasttraffictobeforwardedouttheconfiguredinterface whetherornotaconnectedendstationwishestoreceiveit. Bydefault,itistheresponsibilityofthefullyfunctionalIGMProutertoperiodicallygeneratetheIGMPquerymessages,whichtheappliancewillproxy.Ifthereisafailureinthis process,theappliancecangeneratethequerymessagesitself.Bydefault,iftheappliance doesn’treceiveaquerymessagefromtheIGMProuterwithin225seconds,theappliance promotesitselftothisrole.Youcanchangethetimeoutwiththeigmpquery-timeout command.WhenactingasanIGMProuter,theappliancewillgeneratequeriesevery 125secondstotheendstations;youcanchangethiswiththeigmpquery-interval command.Also,whenactingasanIGMProuterandwhentheappliancegeneratesaquery, itexpectsareportmessagebackwithin10seconds;otherwisethespecifiedmulticastdata streamwillnolongerbeforwardedouttheendstations.Youcanchangethisintervalwith theigmpquery-max-response-timecommand. NOTE The igmp query-timeout and igmp query-intervalcommandsareonly applicabletoIGMPv2. AsImentionedinthe“MulticastUsage”section,whenmulticastroutingisenabled ontheappliance,alltheinterfacesuseIGMPv2.Youcanchangethisonaninterface-byinterfacebasiswiththeigmpversioncommand. NOTE Since I was first introduced to multicasting in the late 1990s, I have yet to run into an implementationthatonlyusesIGMPv1;therefore,youwillprobablyneverusetheigmpversion command.Ontopofthis,aninterfaceonlysupportsoneversionofIGMPonaninterfaceatatime. However,connectedendstationsshouldsupportbothprotocols.
LimitingtheIGMPProxyProcess Thissectionwilldiscusshowyoucanlimittheproxyingroletheapplianceplayswhenit isconfiguredasanSMR.Herearethecommandsyoucanconfigure: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#[no]igmp ciscoasa(config-if)#igmplimitnumber
As mentioned earlier in the “Multicast Usage” section, when you execute the
multicast-routingcommand,IGMPisenabledonalltheapplianceinterfaces.You canoverridethisonaninterface-by-interfacebasiswiththenoigmpcommand. The igmp limit command allows you to limit the number of multicast groups
(addresses) the appliance will accept on an interface and thus controls the number of multicastdatastreamsforwardedouttheinterface.Thisnumbercanrangefrom0to500; ifyouconfigure0,thenonlythosemulticastgroupsdefinedwiththeigmpjoin-group and/origmpstatic-groupcommandsareforwarded.
Chapter 4:
Routing and Multicasting
Anotheroptionyouhaveavailabletolimitmulticasttrafficforwardedtoasegment istospecificallycontrolwhichmulticastgroupstheappliancecanprocessbyfiltering IGMPjoinandreportmessagesfromendstationswithanACL: ciscoasa(config)#access-listACL_IDstandard{permit|deny} IP_addrmask ciscoasa(config)#access-listACL_IDextended{permit|deny}udp src_IP_addrsrc_maskdst_IP_addrdst_mask ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#igmpaccess-groupACL_ID
YoucaneitheruseastandardorextendedACLtolistthemulticastaddressesthat shouldbeforwarded(ACLsarediscussedinChapter6).WithastandardACL,specifythe multicastIPaddressinthesourcefield,alongwitha32-bitsubnetmask(255.255.255.255). WithanextendedACL,thesourceIPaddressistheaddressoftherequester(ifyouwant tobespecificaboutwhatuserrequestswhichstream),andthedestinationaddressisthe actualmulticastaddressofthemulticastdatastream.TheuseofstandardACLsisthe mostcommonimplementation.
SMRConfigurationExample ExaminethenetworkshowninFigure4-6.Thefollowingconfigurationillustrateshow tosetuptheapplianceasanSMR: ciscoasa(config)#multicast-routing ciscoasa(config)#interfaceethernet0/1 ciscoasa(config-if)#igmpforwardinterfacedmz
Multicast Server 192.168.2.2
Multicast Stream 239.70.70.80 dmz E0/2 Inside E0/1
Figure4-6. SMRconfigurationexample
E0/0
ISP
99
100
Cisco ASA Configuration
Inthisexample,theIGMPendstationsareconnectedtotheinsideinterface.Once multicast routing has been enabled on the appliance, the inside interface is set up to proxytheIGMPmessagesfromtheinsideinterfacetothedmzinterface.
PIMMulticastRouting Dynamicroutingofmulticasttrafficcanoccurintwomodes:
▼ D ensemode(DM)
▲ S parsemode(SM)
UseDMwhenyouhavelotsofbandwidth,andmostpeopleneedtoseeamulticast stream or streams. With DM, the network floods with the multicast streams; then, usingIGMP,themulticastrouterslearnwhichdevicesdon’twishtoreceiveastreamand prunebacktheflooding. Use SM when you’re concerned about bandwidth usage and only want multicast traffictraversingyournetworkwhenpeoplehaveaneedtoseeit.WithSM,noflooding initiallytakesplace.Instead,IGMPisusedtolearnwhichdeviceswanttoreceivemulticaststreams,andthenthestreamsareintelligentlyrouteddowntothesesegments.SM requirestheuseofarendezvouspoint(RP),whichisamulticastrouterresponsiblefor disseminatingandroutingthemulticaststreams.YoucanhavemorethanoneRPtosplit uptheforwardingofthemulticaststreamsinordertoreducethemulticastloadonthe RP:differentRPscanberesponsiblefordifferentmulticaststreams. NOTE YoucanactuallyusebothDMandSMmodesinanetwork:somestreamscanberouted usingdensemodeandsomeusingsparsemode.
PIMRoutingProtocol TheProtocolIndependentMulticast(PIM)routingprotocolwasoriginallydesignedby Ciscotohandledynamicandintelligentroutingofmulticasttraffic.PIMisnowdefined inahandfulofdifferentRequestsforComments(RFCs).Othermulticastroutingprotocolsexist;however,theappliancesonlysupportstaticroutingandPIM.Theirsupportof PIMincludesPIM-SM(sparsemode)andbi-directionalPIM. NOTE Cisco’sIOSroutersalsosupportDistanceVectorMulticastRoutingProtocol(DVMRP)to connecttoothermulticastnetworks,butprimarilyrelyontheuseofPIMwithinanetworkofCisco devices. PIM-SMisasubsetofPIMthatdealswithroutingofmulticasttrafficusingSM.It builds unidirectional trees with the root being an RP. Only one RP is responsible for a particular multicast stream. Through the use of IGMP, edge multicast routers learn which streams wish to be received by end stations and build a branch (link), using a shortest-path-first approach, back to the RP. Once this is done, the RP intelligently forwardsthemulticaststreamtothesegmenttheendstationsareconnectedto.
Chapter 4:
Routing and Multicasting
Bi-directionalPIMissimilartoPIM-SMexceptthatbi-directionaltreesarebuilt.End stations use join messages to signify they wish to participate in a particular multicast group.MulticaststreamsarethenforwardedfromthemulticastserverstotheRPand thendownthetreetotheendstations.Bi-directionalPIMwasprimarilydesignedfor many-to-manyapplicationsinordertoreducetheoverheadofaddingnewsourcesand receivers. PIM-SM is primarily used when the multicast servers (the disseminators of multicaststreams)arestatic. NOTE PIMisalayer3TCP/IProutingprotocolandwillnotworkwithanytypeofPATtranslation (PATisdiscussedinChapter5).
PIMConfiguration ThefollowingsectionswilldiscusshowtosetupPIMonyourappliance. NOTE Thesecurityappliancessupportmanymulticastfeatures,includingmixingbi-directionaland SMPIM,controllingthepropagationofPIMmessagesbydefiningamulticastboundary,andothers. However,becauseofspaceconstraints,thissectiononlydiscussesthemorecommonlyconfigured PIMfeatures. PIM and Interfaces When you enable multicast routing with the multicast-routing command,bothIGMPandPIMareautomaticallyenabledonallinterfaces.Todisableor enablePIMonaninterface,usethefollowingconfiguration: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#[no]pim
StaticRPs WhenusingPIMSM,youneedtodefineoneormoreRPsthatwilldisseminate the multicast stream down to the segments. Unfortunately, the appliances currently do notsupportauto-RP,likeCiscorouters,wheretheRPsinthenetworkcanbedynamically learned.Ontheappliance,usethepimrp-addresscommandtostaticallydefinetheRP: ciscoasa(config)#pimrp-addressip_address[ACL_ID][bidir]
The ip_address parameter defines a unicast IP address associated with the RP. Optionally, you can create a standard or extended ACL that defines the multicast streamsthattheRPisresponsiblefor—thisallowsyoutohavemorethanoneRPinyour network,wheredifferentRPsareresponsiblefordifferentmulticaststreams.Ifyoudon’t specifyanACL,thenthedefinedRPisresponsibleforallmulticaststreams(224.0.0.0/4). If you omit the bidir command, then the multicast streams operate using only SM; specifyingtheparameterenablesbi-directionalSM. NOTE The appliances always advertise bi-directional capabilities in their PIM routing messages regardlessofwhetheryouconfiguredthebidirparameterinthestaticRPdefinition.
101
102
Cisco ASA Configuration
DesignatedRouters(DR) WhenusingPIM,adesignatedrouter(DR)iselectedforeach network segment. The DR is responsible for sending PIM join, register, and prune messagestotheRP.TheelectionoftheDRisbasedonapriorityvalue:theonewiththe highestpriorityiselectedastheDR.Bydefault,thepriorityis1;therefore,ifyoudon’t changethedefaultsonyourPIMrouters,theonewiththehighestIPaddressiselected. TochangetheDRpriorityofasegmenttheapplianceisconnectedto,usethefollowing configuration: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#pimdr-prioritypriority_#
TheDRisresponsibleforsendingrouterquerymessagesonasegmenttoparticipating endstations;bydefault,thesearesentevery30seconds.Youcanchangethisperiodwith thefollowingcommand,wheretherangeisfrom1to3,600seconds: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#pimhello-intervalseconds
Likewise,theDRsendsjoinandprunemessagestoendstationsevery60seconds; this can be changed with the following command, where the range is from 10 to 600 seconds: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#pimjoin-prune-intervalseconds
II Controlling Traffic Through the ASA
103
This page intentionally left blank
5 Address Translation
105
106
Cisco ASA Configuration
I
nChapter3,Italkedaboutsomeofthesecurityappliancecommandstocreateabasic configurationforyourappliance;andinChapter4,Idiscussedhowtosetuprouting toreachremotenetworks.Manyfactors,however,canrestricttrafficflowthroughthe appliance.Forexample,youwillhavetoconfigurecertainsettingsontheapplianceto allowtraffictoflowfromlower-security-levelinterfacestohigheronesandviceversa. Inaddition,whenNATcontrolisenabled,notrafficisallowedthroughtheappliance unlesstranslationpoliciesareconfigured.Thischapterfocusesonaddresstranslation, whilethenextchaptercoversaccesscontrollists(ACLs),whichyoucanusetofilterthe trafficflowthroughyourappliance. Thischapterwillintroduceyoutoaddresstranslationandthecapabilitiesoftheappliances.Thetopicsinclude
▼ A noverviewofprotocolsandtheeffectapplianceshaveontheprotocols
■ Anintroductiontotranslationsandconnections
■ Anoverviewofaddresstranslation
■ Configurationofdynamicandstaticaddresstranslationpolicies
■ HowtheappliancesdealwithTCPSYNfloodattacks
▲ V erifyinginformationinthetranslationandstatetables
PROTOCOLOVERVIEW BeforeIbegindiscussingthecommandsthatallowtraffictoflowthroughtheappliances,youfirstneedtohaveagoodunderstandingofthemechanicsofthethreemost-used protocols: TCP, UDP, and ICMP. This is important because the appliance treats these trafficstreamsdifferentlyinitsstatefulpacket-filteringprocessimplementedbytheappliancesecurityalgorithm.
TCPOverview TCP,theTransmissionControlProtocol,isaconnection-orientedprotocol.Thismeansthat beforeanytransferofdatacantakeplace,certainconnectionparameterswillhavetobe negotiatedinordertoestablishtheconnection.Toperformthisnegotiation,TCPwillgo throughathree-wayhandshake:
1. I nthefirstpartofthethree-wayhandshake,thesourcesendsaTCPSYN segment,indicatingthedesiretoopenaconnection(SYNisshortfor “synchronize”).EachTCPsegmentsentcontainsasequencenumber.
2. W henthedestinationreceivestheTCPSYN,itacknowledgesthiswithits ownSYNaswellasanACK(shortfor“acknowledgment”).Thisresponseis commonlycalledaSYN/ACK.TheACKportionindicatestothesourcethatthe destinationreceivedthesourceSYN.
3. T hesourcethensendsanACKsegmenttothedestination,indicatingthatthe connectionsetupiscomplete.
Chapter 5:
Address Translation
Ofcourse,duringthisthree-wayhandshake,thedevicesarenegotiatingparameters likethewindowsize,whichrestrictshowmanysegmentsadevicecansendbeforewaitingforanacknowledgmentfromthedestination.Alsoduringthetransmissionofactual data,thesourceanddestinationacknowledgethereceiptofreceivedsegmentsfromthe otherdevice. TheTCPsetupprocessisoftenreferredtoasadefinedstatemachinebecauseaconnectionisopenedfirst,dataissent,andtheconnectionistorndownuponcompletionofthe datatransaction.
OutgoingConnectionRequests Youmaybeaskingwhatthishastodowithastatefulfirewalllikethesecurityappliances. First,understandthatwhenconnectionsarebeingsetup,trafficflowsintwodirections throughtheappliance.Assumethatyouhaveauserontheinsideofyournetworkwho initiatesaTCPconnectiontoadeviceontheoutsideofyournetwork.BecauseTCPhasa definedsetofrulesforsettingupaconnection,itiseasyfortheappliancetounderstand whatishappeningintheconnectionsetupprocess.Inotherwords,itiseasyfortheappliancetoinspectthistraffic.AsIdiscussedinChapter1,astatefulfirewallkeepstrack ofthestateofaconnection. Inthisexample,theapplianceseestheoutgoingSYNandrealizesthatthisisasetup requestfromaninsideuser.Becauseitisastatefulfirewall,theappliancewilladdan entryinitsconnection(state)tablesothattheSYN/ACKfromthedestinationwillbe permittedbackin,andtheinsideuserwillbeabletocompletetheconnectionwiththe finalACK.Theappliancewillthenpermittraffictoflowbackandforthbetweenthese twomachinesforonlythisconnection(unlesstheinsideuseropensanotherconnection tothisdestination). Likewise,TCPgoesthroughawell-definedprocesswhentearingdownaconnection. Whentheapplianceseesthetear-downprocess(theFINandFIN/ACKoranRST),the applianceknowsthattheconnectionisbeingterminatedandwillremovetheconnection fromitsstatetable.Therefore,oncetheentryisremovedfromtheappliancestatetable, iftheoutsidedestinationdevicetriestosendtrafficthroughtheapplianceusingtheold connectionparameters,theappliancewilldropthetraffic.
IncomingConnectionRequests Becauseitisastatefulfirewall,theappliancedrops,bydefault,allnewinboundTCP connectionsthattrytoenteryournetwork.Toallowthistraffic,youwillhavetoexplicitlypermittheTCPconnectiontypesthatyouwant. SECURITY ALERT! By default the appliances deny all traffic flows that originate from a lowersecurity-levelinterfaceandthataretryingtoreachahigher-security-levelinterface. OneproblemthatTCPhas,however,isthatitisverypredictable,whichsometimes playsintothehandsofattackers.Forinstance,anattackermightattempttosendaflood ofTCPSYNstoaninternaldevice,pretendingtotrytosetupTCPconnections.Thereal intentionoftheattacker,however,isnottocompletethethree-wayhandshakeforeach
107
108
Cisco ASA Configuration
oftheseTCPSYNs,buttokeeponsendingSYNstotieupresourcesontheinternalmachine.AsIdiscusslaterinthischapterandinChapter10,theapplianceshavecapabilitiesthatyoucanconfiguretodealwiththesekindsofattacks.
UDPOverview UDP,theUserDatagramProtocol,isaconnectionlessprotocoland,unlikeTCP,hasno definedstatemachine.Thismeansthatthereisnopreliminarytransportlayernegotiationbetweenthetwodevicesthatwillbecommunicating.Instead,adevicejuststarts sendingUDPsegmentswhenitwishestocommunicatewithanotherdevice:thereisno definedprocess,atlayer4,astohowthisshouldoccur.Likewise,thereisnosignalatthe transportlayerindicatingtheendoftheactualUDPtransmission.UDPitselfalsohas nobuilt-inflowcontroltoregulatetheflowoftrafficbetweentwomachines.Because oftheselimitations,UDPistypicallyusedonlytosendasmallamountofinformation betweendevices. AgoodexampleofthisistheDNSprotocol—usedwhenadeviceneedstoresolve ahostnametoanIPaddress.ThedevicesendsaDNSquery(UDPsegment)toaDNS server,andtheserverrespondswithasinglereply.Inthisexample,usingUDPisamore efficientprocessthanTCPbecauseonlytwosegmentsneedtobesent.
OutgoingConnectionRequests Let’slookatanotherexampletoillustrateoneoftheproblemsthattheapplianceshave withitsstatefulnatureandUDPtraffic.Inthisexample,assumethattheuserisperformingaTFTPtoadeviceoutsideofyournetwork.WhentheuserinitiatestheTFTPconnection,theapplianceperformsitsstatefulprocessandaddsatemporaryconnectioninits connectiontabletoallowanyUDPsegmentsfromthedestinationTFTPservertoreturn throughtheappliance. TheproblemisthatoncetheuserhascompletedtheTFTPfiletransfer,theappliance hasnoideathattheconnectionhascompleted.Ofcourse,youdon’twanttheappliance to keep this temporary entry in the connection table after the transmission has completed.Tosolvethisproblem,theapplianceusesaless-than-elegantsolution:itkeeps trackoftheidletimefortheUDPconnection.Oncetheapplianceseesnotrafficforthe idleperiod,itwillremovetheconnection.ForUDP,theidletimerdefaultsto2minutes; however, you can customize this. Using an idle timer is not a very clean solution becauseavalididleperiodmightoccurwhilethetwoUDPdevicesareperformingother processesandwillresumetheircommunicationshortly.Inthisexample,theappliance might remove the temporary connection from its state table; when the device on the outside of your network resumes its transmission, the appliance will drop the traffic becauseitassumedtheconnectionwasover,andthustheconnectionisnolongerfound inthestatetable. Note that some UDP applications, like DNS, are more predictable than TFTP. In a DNSexample,whereauserisinitiatingaDNSquery,oneandonlyoneresponseshould be coming back from the DNS server. In this situation, it makes sense to remove the connectionfromtheconnectiontableoncetheapplianceseesthereturningDNSreply.
Chapter 5:
Address Translation
Theappliancedoesthisbydefault.ThisfeatureiscalledDNSGuardandisdiscussedin Chapter12. SECURITYALERT! TheappliancestreatUDPasastatefulconnection,likeTCP.However,because thereisnodefinedconnectionteardownprocess,theapplianceswillexaminetheidleperiodofaUDP connectiontodeterminewhenitshouldberemovedfromtheconnectiontable.Thisprocessmakes inboundUDPsessionsmoresusceptibletoIPspoofingandsessionreplayattacks.
IncomingConnectionRequests AsImentionedearlier,becausetheapplianceisastatefulfirewall,itwillnotallowany traffic into your network if the source of the traffic is located on the outside of your network(inboundconnections).Youwillhavetoexplicitlypermitthistraffictoallow theUDPconnection.SinceUDPisconnectionless,dealingwithincomingconnections opensyoutomoreofasecurityrisk.WhenaUDPconnectionisterminated,theappliancemightnotknowthisandthuswouldkeeptheconnectionintheconnectiontable.A sophisticatedattackercouldexploitanIPspoofingattack,whichusesasourceaddress oftheoutsidedeviceoftheoriginalUDPconnection.Theappliancewouldbeunableto identifytheintrusionandwouldthenresetitsidletimerandallowthespoofedtraffic through. Also,becauseUDPdoesn’tuseanytypeofconnectionsetupwheninitiatingatraffic stream, the appliances have problems differentiating between the start, continuation, andendingofaUDPconnection.Therefore,anattackercouldbeperformingasession replayattack,whichreplayssomeofthesameUDPsegmentsthatthehackersawinan earliertransmission.Fromtheperspectiveoftheappliance,thiscouldappeartobethe continuationoftheoriginalUDPdatastream.
ICMPOverview ICMP,theInternetControlManagementProtocol,isaconnectionlessprotocoland,like UDP, has no real defined state machine. ICMP is used for many purposes, including testingconnectivityandsharingerror,control,andconfigurationinformation.ICMPhas somecharacteristicsthatareverysimilartoUDP:it’sconnectionless,andithasnoflow control.Therefore,theapplianceshavethesameproblemsdealingwithICMPconnectionsastheydowhendealingwithUDP. Bydefault,theappliancesdonotaddoutboundICMPmessagestotheirstatetable. Therefore,youeithermustuseanaccesscontrollist(ACL)toallowthereturningICMP packets,orenablestatetrackingforICMP.StatetrackingforICMPisnewinversion7, butisdisabledbydefault.OnceyouenablestatefultrackingforICMP,whenanICMP messageissent,itcontainsasequencenumberintheICMPheaderthatisincludedin thestatetable.TheappliancethenlooksatreturningICMPtrafficandthecontainedsequencenumbertodetermineifitispartofanexistingconnection.Priortoversion7,the onlywaytoallowICMPinboundthroughaPIXwastouseACLs.
109
110
Cisco ASA Configuration
OtherProtocols AllotherTCP/IPprotocolsandtheirassociatedconnectionsarenottrackedbytheappliances;inotherwords,theappliancesneveraddtheseconnectionstothestatetable.For example,ifyouhaveaGREtunnelbetweentworouters(GREisalayer3TCP/IPprotocol),andanappliancesitsbetweenthem,theGREtunnelwillbreakbydefault.Toallow GREtofunctioncorrectlythroughtheappliance,youmusthaveanACLruleinboundon thelower-levelinterfacetoallowit. NOTE RememberthattheappliancesbydefaultwillonlyaddTCPandUDPconnectionstothe statetable.Startinginversion7,youcanoptionallyenablestatetrackingforICMP,whichisdiscussed inChapter11.Forallotherinboundconnections,youmustuseACLs,discussedinChapter6,toallow themtogofromalower-tohigher-levelinterfaceontheappliance.
ProtocolandApplicationIssues Thethreemainproblemsthatstatefulfirewallsfaceinclude
▼ A pplicationsthathavemultipleconnections
■ Applicationsandprotocolsthatembedaddressingandconnectioninformation intheapplicationlayerpayloads
▲ A pplicationsandprotocolsthathavesecurityissues
Thissectionprovidesanintroductiontoissueswithprotocolsandapplications,andhow statefulfirewalls,likeCisco’ssecurityappliances,candealwiththem.
ApplicationswithMultipleConnections One problem firewalls have is dealing with applications that involve more than one connection,likeFTP,multimedia,voice,databaseconnectivity,andsoon.Someformof protocolandapplicationinspectionisnecessarytosecurelyallowtheadditionalconnectionsthroughthefirewall. Let’slookatanexample,showninFigure5-1,toillustratethisissueandprovidea solutiontotheproblem.Inthisnetwork,aclientisopeningastandardmode,sometimes calledanactivemode,FTPconnection.Withthistypeofconnection,theclientopensa TCPcontrolconnectiontoport21ontheFTPserver.WhenevertheusersendsanFTP command,likea getora put,acrossthisconnection,theclientincludesthelocalport numbertheservershoulduse.Theserverthenopensasecondconnection,commonly calledadataconnection,withasourceportnumberof20andadestinationportnumber includedintheclientcommandrequest.Sointhisexample,theclientisopeningthecontrolconnectiontotheserver,andtheserverisopeningthedataconnectiontotheclient. AssumethatthefirewallisaCiscosecurityapplianceandthattheuserisconnected tothehigher-security-levelinterface,liketheinside.Theuser’soutboundcontrolconnection(port21)isallowedbydefault,sincetheconnectionisgoingfromahigherto
Chapter 5:
Client
Src Port = 50000 Dst Port = 51001
Address Translation
Server
Control Connection Data Connection
Dst Port = 21 Src Port = 20
Figure5-1. Exampleofanapplicationwithmultipleconnections
alowersecuritylevel.However,thesecondconnection(port20dataconnection)isdeniedbydefault,sinceitisgoingfromalowertoahighersecuritylevel. ThesolutiontothisproblemistohavethesecurityapplianceexaminetheapplicationlayerpayloadoftheFTPcontrolconnectiontodeterminethemode(active/standard), the command being executed, and the port number the client wants to use for thedataconnection.Thenhavethesecurityapplianceaddthissecondconnectiontothe statetabletoallowit,evenbeforethesecondconnectionhasbeenbuilt.Thisprocessis discussedinmuchmoredepthinPartIIIofthebook. Without this approach, you would have to have anACL that would allow the inbounddataconnection;andifyoudidn’tknowtheIPaddressoftheFTPservers,you wouldhavetoallowallsourceaddressesforFTP.Theproblemwiththisapproachisthat theACLisopeningapermanentholeinthefirewall—withtheapplicationinspection process of the appliances, the data connection is only opened when needed and torn downwhendone.
ApplicationsandEmbeddedAddressingInformation Some applications embed addressing information in the payload of connections, expectingthedestinationtousethisinformationforadditionalconnectionsthatmightbe opened;however,thisaddressinginformationmightalreadybeinthetranslationtable ofafirewallforanotherconnection,creatinganaddressingconflict.ExamineFigure5-2, whereI’lluseFTPactivemodetoillustratethisproblem.Forthedataconnectionthat needstobeopened,theclientwantstousealocalportnumberof51,001;however,there isalreadyaconnectionwiththisportnumberinthetranslationtableonthefirewall.If thefirewalldoesn’tfixtheproblem,thenanytrafficonthedataconnectionwouldbe incorrectlytranslatedandsenttoadifferentinternaldevice. Agoodfirewallshouldchangethepayloadaddressinginformationtosomethingdifferentandshouldcreateanewtranslationinthetranslationtableforthisconnection,afeaturetheCiscoappliancessupportformanyprotocolsandapplications.Thisisillustrated inFigure5-2,wheretheappliancenoticestheconflict,translatesthedataconnectionport
111
112
Cisco ASA Configuration
Client
Src Port = 50000 Dst Port = 51001
Server
Dir Using Port 51001 Xlate: 51001 ←→ 60000
Dst Port = 21 Src Port = 20
Figure5-2. Exampleofanapplicationembeddingaddressinginformationinpayloads
oftheclientto60,000,andaddsthistothetranslationtable.Theappliancealsoupdatesthe payloadoftheFTPcontrolconnectionwithport60,000.Sowhentheserverreceivesthe connectionrequestonthecontrolconnection,itwilluseport60,000forthedataconnection toconnectbacktotheclient,whichtheappliancewilltranslatecorrectlyto51,001.This processisdiscussedinmoredepthlaterinthe“DisadvantagesofAddressTranslation” section.
ApplicationsandSecurityIssues Certainbehaviorsbyapplicationsortheiruserscanbemalicious,creatingsecurityissues.I’lluseFigure5-3toillustratethisproblem,whereanFTPactivemodeconnection isbeingused.Inthisexample,theservermightnothavebeenproperlyconfigured,and auserhastheabilitytouploadfilesontheFTPserver,possiblyevenoverwritingexisting files,whentheusershouldonlybeabletodownloadfiles. Agoodfirewallsolutionshouldlookforsecurityissuesandmaliciousbehaviorin protocolsandapplicationpayloads,andpreventthemfromoccurring.Inthisexample,
Server
Src Port = 50000 Dst Port = 51001
Put bad_file.txt Data Connection
Figure5-3. Exampleofanapplicationwithsecurityweaknesses
Dst Port = 21 Src Port = 20
Chapter 5:
Address Translation
thefirewallisexaminingthecommandsthatarebeingexecutedontheFTPcontrolconnectionandcomparingthemagainstalistofallowedcommandsintheFTPpolicy.Ifthe commandisn’tlistedinthepolicy,itisnotallowedbythefirewall.Asyouwillseein PartIIIofthisbook,Cisco’ssecurityapplianceshavethiscapabilityformanyapplicationsandprotocols.
TRANSLATIONSANDCONNECTIONS BeforeIcontinue,Iwanttodifferentiatebetweentwotermscommonlyusedwhendealing withtrafficthatflowsthroughCiscosecurityappliances:translationsandconnections. AtranslationisanIP-address-to-IP-address(andpossiblyport)mapping.TheappliancesusetranslationstoperformNetworkAddressTranslation(NAT)andPortAddress Translation(PAT).YouuseNATandPATwhenyouhavedeployedprivateaddresses inyourinternalnetwork,andyouneedtotranslatetheseaddressestoapublicaddress space before they leave your network. (I’ll be discussing these terms in more depth, alongwithotheraddresstranslationterms,laterinthe“AddressTranslationOverview” section.)Translationsarestoredinatranslationtableontheappliances,commonlycalled anxlatetable. Aconnection,ontheotherhand,isbasicallyaTCP,UDP,orICMPsessionbetween twodevices.Aconnectionspecifiesalloftheparametersusedtosendtraffictoadevice, likethesourceanddestinationIPaddresses,theTCP/IPprotocol,theapplicationport numbers(TCPandUDP),sequencenumbers(TCPandICMP),acknowledgmentnumbers(TCP),thestateoftheconnection(TCPcontrolflags),andotherinformation.Connectionsarestoredinastatetableontheappliances,commonlycalledaconnectionor conntable. Thefollowingtwosectionswillfurtherdefinethesetwotermsandhowtheyapplyto theappliances.ThethirdsectiongivesanexampleofhowaTCPconnectionishandled throughanappliancewhenaddresstranslationisenabled.
Connections AsImentionedearlier,theappliancesrefertoaconnectionasaTCP,UDP,andpossibly, ICMPsession.Thenumberofsessionssupportedbyanappliancedependsonthemodel aswellasthelicensethatyoucurrentlyhaveinstalledontheappliance.
ConnectionLimits Table5-1statesthelicenselimits,whichwerediscussedinChapter1. AsImentionedinChapter1,theASA5505alsousesauserlicensescheme,along withaconnectionlicensescheme.Withuserlicensing,the5505onlyallowsthefirstset ofusers,uptothelicenselimit,throughthe5505;anyadditionalusersarenotpermitted, evenifanyofthefirstsetofusersisnotsendinganytraffic.Therearethreeuserlicenses forthe5505:10,50,andunlimitedusers.
113
114
Cisco ASA Configuration
ASAModel
LicenseLimits
5505
10,000–25,000
5510
50,000–130,000
5520
280,000
5540
400,000
5550
650,000
5580-20
1,000,000
5580-40
2,000,000
Table5-1. TheLicenseLimitsoftheVariousASAModels
Forkeepingtrackofconnections,whenanend-userdevicestartsaconnection,the appliance counts the connection against the license limit, and the appliance subtracts thisconnectionfromthetotalavailableconnections.Oncetheconnectionhasbeenterminated,theapplianceadds1toitscountofavailableconnections.
RemovingConnections As I already mentioned in the last section, the appliance can only keep track of TCP, UDP,andpossiblyICMPconnectionsinthestatetable.Todeterminewhenaconnection isoverandtoremoveitfromthestatetabledependsontheprotocolthattheconnection uses:TCP,UDP,orICMP. ForTCP,thefollowingcriteriaareused:
▼ A FINandFIN/ACKareintheTCPheadercontrolfield.
■ AnRSTisintheTCPheadercontrolfield.
■ TheTCPconnectionisidleformorethan3,600seconds(1hour)bydefault.
▲ T heconnectionisremovedfromtheappliancestableswiththeclearxlate command(discussedinthe“ClearingEntriesintheXlateandConnTables” sectionattheendofthechapter). ForUDP,thefollowingcriteriaareusedtoremoveentriesfromthestatetable:
▼ T heUDPconnectionisidleformorethan120seconds(twominutes)bydefault.
■ ForaDNSquery,theassociatedDNSreplyisseen.
▲ T heconnectionisremovedfromtheappliancestableswiththeclearxlate command.
Chapter 5:
Address Translation
ForICMP,thefollowingcriteriaareusedtoremoveentriesfromthestatetable:
▼ T heICMPconnectionisidleformorethan2secondsbydefault.
▲ T heconnectionisremovedfromtheappliancestableswiththeclearxlate command.
Translations Upthroughversion6oftheoperatingsystem,thePIXsrequiredyoutodefineaddress translationpoliciestomovetrafficthroughtheappliance:inboundandoutbound.The primaryreasonforthisbehaviorisbasedontheverybeginningsofthePIXoperating system:itwasdesignedasanaddresstranslationdevice.Andthiswasveryapparent throughversion6oftheOS. Startinginversion7,addresstranslationisoptionalanddisabledbydefault.However,onceyourequireaddresstranslation,youmustdefineatranslationpolicyforall trafficthatwillflowthroughtheappliance—inboundoroutbound—otherwisetheappliancewilldropthetraffic.Theoneexceptiontothisruleisiftwointerfaceshavethe samesecuritylevel,andaddresstranslationisenabled;inthisinstance,youcanoptionallydefinetranslationpoliciesforthetwointerfaces,orjusthavetrafficmovedbetween theinterfaceswithoutaddresstranslation. Whenyouenableaddresstranslation,thetranslationsthatrepresentadeviceora connectionarestoredinaseparatetable,calledatranslationor,morecommonly,anxlate table.Entriesareremovedfromthistablewhenanyofthefollowingoccur:
▼ N etworkAddressTranslation(NAT)entriesareremovedfromthetableonce theyareidleforatime(bydefault3hours).Youcancontrolthiswiththe timeoutxlatecommand.
■ PortAddressTranslation(PAT)entriesareremovedfromthetranslationtable whenthecorrespondingconnectioninthestatetableexpires.
▲ N ATandPATentriesarebothremovedfromthetablewhentheymatch criteriaintheclearxlatecommand.
TCPConnectionExample To illustrate how the appliance deals with translations and connections, examine Figures5-3and5-5.I’llusetelnet,whichusestheTCPprotocol,asanexample,andI’ll assumethataddresstranslationisrequiredontheappliance.Also,I’llassumethesource (10.0.1.11)isconnectedtotheinsideinterfaceandthatthedestination(172.26.26.50)is beyondtheoutsideinterface.Inthisexample,I’llonlyfocusonthethingsthatoccurduringtheTCPthree-wayhandshake.
Parts1and2 ExamineFigure5-4:Thefirstthingthathappensisthatthesourceopensatelnetconnectiontothedestination,settingtheSYNflagintheTCPheader.Theotherconnection
115
116
Cisco ASA Configuration
Inside Network Source Address
10.0.1.11
Destination Address 172.26.26.50 Source Port Destination Port Initial Sequence No.
50000 23 49000
ACK 10.0.1.11
Flag
SYN
Part 1 Part 4
Outside Network Incoming packet: 192.168.0.20 1. Check state table for existing entry. 172.26.26.50 2. Check ACL if traffic allowed. 3. Check for an existing 50000 translation in xlate table. 23 4. Check for translation policy to create the translation. 70000 5. Add connection to state table, randomizing the TCP sequence #. SYN 6. Increment the embryonic connection counter. 7. Start the idle timer for the conn and xlate.
172.26.26.50 10.0.1.11 23 50000 IP Header
90000
TCP Header
49001 SYN/ACK
172.26.26.50 Returning traffic: 1. Check state table and the idle timer. 2. Unrandomize the acknowledgment number. 3. Undo the translation. 4. Reset the idle timer for the conn and xlate.
172.26.26.50 Part 2 Part 3
192.168.0.20 23 50000 90000 70001 SYN/ACK
Figure5-4. FirsttwostepsinTCPthree-wayhandshake
parameters in the IP and TCP header are shown in part 1 under the Inside Network column. Theappliancecomparespacketinformationagainsttheexistingconnectionstothe statetabletodetermineifthepacketisneworpartofanexistingconnection.Sinceitis anewconnection,itwon’tbefound.TheappliancethenlooksforanACLappliedinboundintheinterface.Ifoneexists,thepacketmustmatchapermitstatementinthelist ofstatementstobeallowed. Ifthepacketisallowed,theappliancethencomparesthepacketheaderinformation withtheexistingtranslationentriesinthetranslationtabletoseeifanexistingtranslationcanbeused,orifanewoneneedstobecreated.Fortheformer,thisiscommonly referredtoaslookingfora“matchingtranslationslotentry.”Asyouwillseeinthe“Address Translation Overview” section, for NAT translations, multiple connections from thesamesourcecanhavethesameNATtranslation.Sointhisexample,ifthesourcehas existingconnectionsopen,thetablemighthaveaNATtranslationtheappliancecanuse. I’llassume,however,thatthisisthefirsttimethesourcehassentapacketthroughthe appliance,sonoexistingtranslationentriesinthexlatetablewillmatch. Nexttheappliancecomparestheinformationinthepacketheaderwiththeconfiguredtranslationpolicies—staticanddynamic—foramatch.Ifamatchisnotfound,then
Chapter 5:
Address Translation
thepacketisdropped.Ifamatchisfound,atranslationentryisbuiltandaddedtothe xlatetable,theTCPsequencenumberisrandomized,andtheTCPconnectionisadded totheconntable. Theappliancethenincrementstheembryonicconnectioncounter.Anembryonicconnectionisahalf-openconnection:ithasn’tgonethroughthethree-wayhandshake.The appliancekeepstrackofthiskindofinformationtolimittheeffectivenessofTCPSYN flood attacks. If the limit is exceeded, the appliance will implement its TCP Intercept feature,discussedlaterinthechapter.Thetwoidletimersarethenstartedfortheconnectionintheconnandxlatetablesrespectively. If you examine the Outside Network column above part 2, this shows the packet headerasitleavestheappliance.Noticethatthesourceaddresswaschangedbecause ofamatchontheconfiguredtranslationpolicy,andtheTCPsequencenumberwasrandomized.Alsonoticethatthesourceportnumberwasnotchanged.
Parts3and4 Once the destination receives the packet, it responds back with a TCP SYN/ACK responseinpart3ofFigure5-4.Uponreceivingthepacket,theappliancecomparesthe headerinformationwiththeconntabletofindamatch;inthiscase,sincethesourceinitiatedtheconnectioninpart1,theconnectionisinthetable.Theappliancethenvalidates theidletimertoensurethattheentryinthestatetablehasn’texpired:Iftheentryhas expired,itisremovedfromtheconntableandthepacketisdropped.Iftherewasn’ta matchintheconntableortheentryhadtimedout,thentheACLontheinterfacewould beusedtovalidatewhetherthepacketwasallowedinboundtotheinsideinterface. Originallythesourceusedasequencenumberof49,000,whichwasrandomizedby the appliance to 70,000. The destination acknowledges back one greater than the randomizedsequencenumber:70,001.However,thesourceisexpecting49,001:therefore, theappliancethenundoestherandomizationoftheacknowledgmentnumber.Thisis thesequencenumberrandomization(SNR)featureatwork,whichisusedtodefeatsessionhijackingattacks. Theappliancethenundoesthetranslation,changingthedestinationIPaddressfrom 192.168.0.20to10.0.1.11.Afterthis,theapplianceresetstheidletimersfortheentriesin thexlateandconntables.Lastly,theapplianceforwardsthepacketouttheinsideinterface,showninpart4.
Parts5and6 Inpart5,thesourcecompletesthethree-wayhandshakebysendingaTCPACK,shown inFigure5-5.Theappliancefirstcomparespacketinformationtotheexistingconnections tothestatetabletodetermineifthepacketisaneworpartofanexistingconnection.Since itisanexistingconnection,itshouldbeinthestatetable.Theappliancethencompares thepacketheaderinformationwiththeexistingtranslationentriesinthetranslationtable toseeifanexistingtranslationcanbeusedorifanewoneneedstobecreated.Again, thispacketinformationshouldbethere,andtheapplianceusestheexistingtranslationto translatethesourceaddressfrom10.0.1.11to192.168.0.20.Theappliancethenrandomizes
117
118
Cisco ASA Configuration
Inside Network Source Address
10.0.1.11
Destination Address 172.26.26.50 Source Port Destination Port
50000 23
Initial Sequence No.
49001
ACK
90001
Flag
ACK
10.0.1.11
Part 5
Incoming packet: 1. Check state table for existing entry–found. 2. Check for an existing translation in xlate table– found. 3. Randomize the TCP sequence #. 4. Decrement the embryonic connection counter. 5. Reset the idle timer for the conn and xlate.
Outside Network 192.168.0.20 172.26.26.50 50000 23 70001 90001 172.26.26.50
ACK Part 6
IP Header TCP Header
Figure5-5. LaststepinTCP’sthree-wayhandshake
theTCPsequencenumberandupdatestheconntablewiththisinformation.Sincetheconnectionhascompletedthethree-wayhandshake,theappliancedecrementstheembryonic connectioncounter. If you examine the Outside Network column above part 2, this shows the packet headerasitleavestheappliance.Noticethatthesourceaddresswaschangedbecause ofamatchontheconfiguredtranslationpolicy,andtheTCPsequencenumberwasrandomized.Thecorrespondingidletimersintheconnandstatetablesarereset,andthe packetisforwardedtothedestination,showninpart6. Again,theappliancekeepstrackofthepacketsfortheconnectionandupdatesthe conntableappropriately.Ifnopacketsareseenforthedurationoftheidletimerorthe connectionistorndownbythesourceordestination,theentryisremovedfromtheconn table. NOTE Youwillseeinlaterchaptersthatalotmoreisgoingonthanwhatwasdescribedinthis sectiontohandleaconnectionthroughtheappliance.Otherchaptersaddtothis,butChapter10 coversitmorethoroughly.
Chapter 5:
Address Translation
ADDRESSTRANSLATIONOVERVIEW Oneofthemanyissuesthatyouwillhavetodealwithinyournetworkistheassignment ofaddressestoallofyournetworkingdevices.BecauseoftheshortageofpublicIPv4 addresses,inmanycasesyouwillhavetouseprivateaddressesforyourinternaldevices.Asyouwillseeinthefollowingsections,however,privateaddresses,eventhough theyallowallofyourdevicestocommunicateviaTCP/IP,alsocreateproblems.Iwill firstprovideanoverviewofprivateaddressesandoutlinetheprosandconsofusing privateaddresses;thenIwilldiscusshowtheappliancesdealwiththetranslationofIP addresses.
PrivateAddresses Toaddresstheshortageofaddresses,andtoaccommodatethegrowingneedforconnectingcompaniestotheInternet,theInternetEngineeringTaskForce(IETF)developed RFC1918.Table5-2liststheprivateaddressesassignedinRFC1918forIPv4. AsyoucanseefromtheaddresseslistedinTable5-2,youshouldhavemorethan enoughaddressestomeettheinternaladdressneedsofanycompany.Eachofthedevicesinyournetworkcanbegivenauniqueaddress.RFC1918,however,definesone restriction:apacketcontainingaprivateaddressineitherthesourceordestinationIP addressfieldscannotbeforwardedtoapublicnetwork. Imaginetwocompanies,CompanyAandCompanyB,thatbothuse10.0.0.0/8for theirinternaladdressingandforcommunicatingwitheachother,asshowninFigure5-6. Obviously,thiswillcreatemanyproblemsbecausebothcompaniesmayhaveoverlappingnetworkissues—eachcompanymightbeusingthesamesubnetnumbers.Inthis situation,theoverlappingsubnetswouldnotbeabletocommunicatewitheachother. Forexample,bothcompaniesmighthavea10.1.1.0/24subnet,asshowninFigure5-6. Withintheirowncompaniesnoconnectivityissuesarise,butassoonasthesetwosubnetsneedtoreacheachother,theywillbeunableto.Theboundaryrouterbetweenthese twonetworkswillhaveadilemmawhentryingtoreach10.1.1.0/24—doesitforward traffictoCompanyAortoCompanyB?
AddressClass
Addresses
A
10.0.0.0–10.255.255.255
B
172.16.0.0–172.31.255.255
C
192.168.0.0–192.168.255.255
Table5-2. ThePrivateAddressesSpecifiedbyRFC1918
119
120
Cisco ASA Configuration
Company A 10.2.0.0/24 10.2.1.0/24
Company B
Boundary Router
10.1.1.0/24
10.3.0.0/24 10.1.1.0/24
10.2.2.0/24
10.3.1.0/24 10.3.2.0/24
Figure5-6. Connectingtwonetworkswithoverlappingaddresses
NeedsforAddressTranslation To solve the problem of overlapping addresses, as well as to address the problem of usingprivateaddressesandaccessingapublicnetwork,theIETFdevelopedRFC1631, whichdefinestheprocessofaddresstranslation.Thisallowsyoutotranslateaprivate address inanIPpacketheadertoanotheraddress—eitherpublicor private.Hereare somecommonexampleswhereyoumightneedtodeployaddresstranslation:
▼ Y ouaremergingtwonetworksthathaveanoverlappingaddressspace.You needtomakeitappearthattheoverlappingnetworknumbersareuniqueto thetwodifferentsides.
■ YourISPhasassignedyouaverysmallnumberofpublicaddresses,andyou needtoprovidemanyofyourdevicesaccesstotheInternet.
■ YouwereassignedapublicaddressspacebyyourISP,andwhenyouchange ISPs,yournewISPwillnotsupportyourcurrentlyassignedaddressspace.
▲ Y ouhavecriticalservicesonasingledevice,andyouneedtoduplicatethese resourcesacrossmanydevices.However,youneedtomakeitappearthatallof thedevicesthatcontaintheseresourcesappearasasingleentity.
Asyouwillseeinthenextfewsections,usingaddresstranslationtosolvetheseproblemshasbothadvantagesanddisadvantages.
AdvantagesofAddressTranslation Oneofthemainadvantagesofaddresstranslationisthatyouhaveanalmostinexhaustiblenumberofprivateaddressesatyourdisposal:over17million.Thisincludes1classA networknumber,16classBnetworknumbers,and256classCnetworknumbers.When youuseprivateaddressesandifyouchangeISPs,youwillnothavetore-addressyour network—youonlyhavetochangeyourtranslationrulesonyourtranslationdeviceto matchupwiththenewpublicaddresses.
Chapter 5:
Address Translation
Becausealltrafficmustpassthroughyourtranslationdevicetoreachyourdevices withprivateaddresses,youhavestrictcontroloverthefollowing:
▼ W hatresourcestheInternetaccessesontheinsideofyournetwork
▲ W hichusersontheinsideofyournetworkareallowedaccesstotheInternet
DisadvantagesofAddressTranslation Asyouhaveseen,addresstranslationsolvesmanyaddressingproblems,butnotallof them.Infact,itactuallyintroducessomenewproblems.First,whenaddresstranslation isperformedbyyouraddresstranslationdevice(liketheCiscosecurityappliances),it willhavetochangetheIPaddressesintheIPpacketheaderandpossiblyeventheport numbersinTCPorUDPsegmentheaders.Becauseofthis,theaddresstranslationdevice willhavetoperformadditionalprocessingnotonlytohandlethetranslationprocess, butalsotocomputenewchecksumsforthepackets,puttinganadditionalburdenonthe translationdevice. Anotherproblemthataddresstranslationintroducesdealswithtroubleshootingnetworkproblems.Becauseaddresstranslationchangesthesourceand/ordestinationIP addressesinthepacketheaders,itbecomesmoredifficulttotroubleshootnetworkproblems.Whenyouexaminetheaddressesinthepacketheader,youdon’tknowwhether youaredealingwiththeaddressesthatthesemachineshaveassignedonthem,orwith theaddressesthattheyhavebeentranslatedtobyanaddresstranslationdevice.This alsomakesiteasierforattackerstohidetheiridentity. Not all applications work with address translation. Most translation devices only performaddresstranslationforaddressesintheIPpacketheader.SomeapplicationsembedIPaddressesinthedatapayload,whichanaddresstranslationdevicecannotcatch. IfareceivingdeviceusestheIPaddressinthedatapayload,itwon’tbeabletoreachthe transmitterofthepacket.Figure5-7showsanexampleofthisprocess.Inthisexample, adeviceontheright(172.16.1.1)sendsapackettoamachineontheleft(200.200.200.1). Insidethepayload,the172.16.1.1deviceembedsitsownIPaddress.WhenthisIPpacket reachestheaddresstranslationdevice,thedevicetranslatestheaddressinginformation inthepacketheaderbasedontherulesdefinedinthedevicetranslationtable.However, thetranslationdeviceisnotsmartenoughtofigureoutthatanIPaddressisalsoembedded in the payload—172.16.1.1’s own IP address. When the half-translated packet reachesthedestination(192.168.1.1),ifthedestinationtriestouse172.16.1.1toreturna replyinsteadof201.201.201.1,thetranslationdevicewillbeconfusedandbeunableto forwardthepacketcorrectly. NOTE As you will see in Part III of the book, the appliances have the ability to examine the applicationlayerpayloadsofmanytypesofconnectionsforembeddedaddressinginformationand tofixtheseissues.
121
122
Cisco ASA Configuration
Translation Table Inside Address 192.168.1.1 172.16.1.1
Translation 200.200.200.1 201.201.201.1
Internal Network
192.168.1.1
Src IP = 201.201.201.1
Address Translation Firewall
Dst IP = 192.168.1.1
172.16.1.1
Src IP = 172.16.1.1
Payload = 172.16.1.1
Dst IP = 200.200.200.1
Payload = 172.16.1.1
Figure5-7. Embeddedaddressesinthedatapayloadcancreatereachabilityproblems.
AddressTranslationTermsandDefinitions Adevicethatperformsaddresstranslationcantakeonmanyforms.Thisdevicecanbea firewall,arouter,aproxygateway,orevenafileserver.Cisco’sroutersasofIOS11.2and theappliancesbothsupportaddresstranslation.Forabetterunderstandingofthecommandsusedontheappliancetoconfigureaddresstranslation,youmustfirstunderstand someofthetermsthatarecommonlyusedinaddresstranslation,showninTable5-3.Note thatmanyofthetermscanbecombined,like“staticinsideglobaladdress”:thiswouldbe amanuallytranslatedaddressthatrepresentsaninternaldevice.
ExamplesofAddressTranslation AsyoucanseefromTable5-3,differenttypesofaddresstranslationcanbeperformedby anaddresstranslationdevice.Inthissection,you’lllookattwoexamples:onethatuses NATandonethatusesPAT.
Chapter 5:
NATTranslationType
Address Translation
DefinitionofTranslationType
Localorrealaddress AnIPaddressassignedtoaninternaldeviceeither staticallyordynamicallyviaDHCP,whichcanbeeithera privateorpublicaddress. Globaladdress
AnIPthatrepresentsthesourcethatthedestination devicessee:thiscouldbethelocaladdressoratranslated address,andeitheraprivateorpublicaddress.
Insideaddress
AnIPaddressofadevicelocatedinsideacompany’s network.
Outsideaddress
AnIPaddressofadevicelocatedoutsideacompany’s network.
Statictranslation
Theaddresstranslationismanuallyconfiguredbyan administrator.
Dynamictranslation Theaddresstranslationisperformeddynamicallybyan addresstranslationdevice. NetworkAddress Translation(NAT)
AsingleIPaddressismappedtoanotherIPaddress;this canbedonestaticallyordynamically.
PortAddress Translation(PAT)
Eachdevicethathasitsaddresstranslatedistranslated tothesameIPaddress.Tokeepeachoftheseconnections unique,thesourceportnumberoftheconnectionisalso changed;thiscanbedonestaticallyordynamically.
Table5-3. DifferentTypesofAddressTranslation
NATExample NAT,asImentionedearlier,performsaone-to-oneaddresstranslation.Typicallyyou usestatictranslationwhenyouhaveaserverthatyouwantexternaluserstoreachfrom theInternet.Foryourinternalusers,however,youwilltypicallycreateapoolofIPaddressesandletthetranslationdevicerandomlyassignanunusedglobaladdresstothe device(dynamicNAT).Inthisexample,auserontheinsideofyournetworkisgoingto accessresourcesontheoutsideofyournetwork(theuseron192.168.1.5istryingtoaccess201.201.201.2.).Figure5-8illustratesthisexample.
123
124
Cisco ASA Configuration
1
3
4
SRC IP = 192.168.1.5 DST IP = 201.201.201.2
SRC IP = 200.200.200.1 DST IP = 201.201.201.2
SRC IP = 200.200.200.1 DST IP = 201.201.201.2
192.168.1.5 2
Internet Translation Device
201.201.201.2
192.168.1.6
Inside Local IP Address
Inside Global IP Address
192.168.1.5
200.200.200.1
Figure5-8. Theusersendsapackettoadestinationwithaprivateaddressinit.
In Figure 5-8, you can see the actual transmission from 192.168.1.5 (step 1). The translationdevicereceivesthepacketfrom192.168.1.5,determinesifitneedstoperform translation(anddoesitifnecessary),andforwardsthepackettothedestination. As you can see in step 2, the address translation device sees the incoming packet andcomparesitagainstitsaddresstranslationrules.Becausethepacketmatchesarule in its address translation policies, the address translation device translates the source IPaddressinthepacketfrom192.168.1.5to200.200.200.1,whichisaglobalIPaddress. Thisprocesscanbeseeninstep3ofFigure5-8.Notethatifyouhaveconfiguredastatic translationfortheinternaluser,theaddresstranslationdevicewillknowexactlyhowto translatethesourceaddress.However,ifyouareusingdynamictranslation,theaddress translationdevicewillpickanunusedaddressfromitsaddresstranslationpool,assign theaddresstotheuser,andthenaddthisentrytotheaddresstranslationtable. Instep4ofFigure5-8,youcanseethatthedestination(201.201.201.2)hasreceived thepacket.Fromtheperspectiveofthedestination,thesourceappearstohaveanaddressof200.200.200.1.Thisistransparentbothtothelocaluserandtothedestination.
Chapter 5:
6
5
SRC IP = 201.201.201.2 DST IP = 192.168.1.5
SRC IP = 201.201.201.2 DST IP = 200.200.200.1
Address Translation
192.168.1.5
Internet Translation Device
201.201.201.2
192.168.1.6
Inside Local IP Address
Inside Global IP Address
192.168.1.5
200.200.200.1
Figure5-9. ThedestinationsendsitsresponsebacktotheglobalIPaddress.
Whenthedestinationsendstheresponsebacktotheuser,itusestheglobalIPaddressthatitsawinthetranslatedpacket:200.200.200.1,whichcanbeseeninstep5of Figure5-9. Instep6,theaddresstranslationdevicereceivesthepacketandexaminesitsaddress translation policy.After determining that it needs to translate the packet, it examines itsaddresstranslationtabletoseehowtoperformthetranslation.Itseestheentryfor 200.200.200.1,changesthisglobaldestinationIPaddresstoalocaladdressof192.168.1.5, andforwardsthepackettotheinsideuser. NOTE Theaddresstranslationprocessistransparenttothesourceanddestinationdevices.
PATExample WithPAT,anaddresstranslationdevicewillpossiblychangeboththepacketIPaddress andtheTCPorUDPsegmentportnumber.Thisexampleexaminesasituationinwhich
125
126
Cisco ASA Configuration
1
3
SRC IP = 192.168.1.5 SRC Port = 1024 DST IP = 201.201.201.2 DST Port = 23
SRC IP = 200.200.200.1 SRC Port = 1024 DST IP = 201.201.201.2 DST Port = 23
192.168.1.5 2
Internet Translation Device
201.201.201.2
192.168.1.6
Inside Local IP Address and Port
Inside Global IP Address and Port
192.168.1.5 and 1024
200.200.200.1 and 1024
Figure5-10. Ausertelnetsto201.201.201.2.
yourISPassignedyouasingleIPaddress,andyouneedtousethisoneaddressforallof yourusers’connectionstotheInternet.Inthisexample,theuseratthe192.168.1.5device telnetsto201.201.201.2,asshowninstep1ofFigure5-10. Instep2ofFigure5-10,theaddresstranslationdevicereceivesthepacket.Itcompares the packet information with its internal address translation policies and determineswhetheritneedstoperformaddresstranslationonthepacket.Thisexamplehasa policymatch,sothetranslationdeviceperformsitsaddresstranslationandchangesthe localaddressof192.168.1.5to200.200.200.1.Inthisinstance,thesourceportnumberof 1024isunusedintheaddresstable,sotheaddresstranslationdeviceleavesitasis.Note thattheaddresstranslationdeviceaddsanentrytoitsaddresstranslationtablesothat itcanhandlethereturningtrafficforthisdevice.Instep3ofFigure5-10,thedestination receivesthetranslatedpacket.Again,thetranslationprocessistransparenttoboththe sourceanddestinationdevices. When the destination device sends its reply, it uses a destination IP address of 200.200.200.1 and a destination port of 1024. When the translation device receives the
Chapter 5:
Address Translation
4 SRC IP = 201.201.201.2 SRC Port = 23 DST IP = 192.168.1.5 DST Port = 1024 192.168.1.5
Internet Translation Device
201.201.201.2
192.168.1.6
Inside Local IP Address and Port
Inside Global IP Address and Port
192.168.1.5 and 1024 200.200.200.1 and 1024
Figure5-11. Theaddresstranslationdeviceundoestheaddresstranslation.
inboundpacket,itdeterminesthataddresstranslationshouldbeperformed,andthen looksforamatchinitsaddresstranslationtable.Itseesamatch,changesthedestination IPaddressto192.168.1.5,andleavesthedestinationportnumberthesame.Thisprocess isshowninFigure5-11. To illustrate the implementation of PAT, assume that 192.168.1.6 also telnets to 201.201.201.2withasourceportof1024,asshowninstep5ofFigure5-12.Theaddress translation device receives the packet, determines that there is an address translation policy match, and then creates an entry in its address translation table for the user’s connection.Inthisinstance,thesameglobalIPaddressisusedforthetranslationofthe sourceIPaddress.However,becausethesourceport1024isalreadyintheaddresstranslationtable,theaddresstranslationdeviceassignsasourceportof1025fortheuser’s connection,asshowninstep6ofFigure5-12.Thetranslationofthesourceportnumber allowsthedestinationdevicetodifferentiatebetweentheconnectionsfrom192.168.1.5 and192.168.1.6,andalsoallowstheaddresstranslationdevicetoundoitstranslationfor returningtrafficfrom201.201.201.2.
127
128
Cisco ASA Configuration
192.168.1.5
Translation Device Internet
5
6
201.201.201.2
192.168.1.6 SRC IP = 192.168.1.6 SRC Port = 1024 DST IP = 201.201.201.2 DST Port = 23 Inside Local IP Address and Port
Inside Global IP Address and Port
192.168.1.5 and 1024 192.168.1.6 and 1024
200.200.200.1 and 1024 200.200.200.1 and 1025
Figure5-12. Asecondusertelnetstothedestination.
ADDRESSTRANSLATIONCONFIGURATION Theremainderofthischapterwillfocusonconfiguringaddresstranslationpoliciesto translate traffic going through your appliance. I’ll discuss how to configure dynamic NATandPAT,staticNATandPAT,limitingthenumberofembryonicTCPconnections topreventTCPSYNfloodattacks,andverifyingyourtranslationconfiguration.
RequiringAddressTranslation Inversion6oftheOSandearlier,youalwayshadtoconfigureatranslationrulefora packet;otherwise,ifthepacketcouldn’tbematchedagainstexistingtranslationrules,it wasdropped.Thisruleappliedwhetherthetrafficwasinboundoroutbound. Starting in version 7, translation is optional and not required. To require address translation,usethefollowingcommand: asa(config)#nat-control
Onceyourequireaddresstranslationwiththe nat-controlcommand,thesamerules applyastheydidinversion6:ifthereisnomatchingtranslationpolicyforinboundor
Chapter 5:
Address Translation
outboundtraffic,andaddresstranslationisenabled,thepacketisdropped.Thereisone exceptiontothispolicy:ifthetwointerfacesinvolvedinthecommunicationhavethe same security level, then you don’t need an address translation rule to move packets betweenthem. NOTE Ifyoudon’tconfigurethe nat-controlcommand,thenaddresstranslationisoptional. Theappliancewilluseanyaddresstranslationpoliciesyou’veconfigured,andifapacketdoesn’t matchatranslationpolicy,itisn’ttranslated,butforwardedasis.
ConfiguringDynamicAddressTranslation Configuringdynamicaddresstranslation(NATorPAT)involvesatwo-stepprocess:
▼ I dentifyingthelocaladdressesthatwillbetranslated
▲ C reatingglobaladdresspoolsthatlocaladdressescanbetranslatedto
Theorderinwhichyouconfigurethesetwoitemsdoesn’tmatter.Thefollowingsections will discuss how to set up dynamic NAT and PAT translation rules, as well as cover manydifferentexamplesofdynamictranslationexamples.
IdentifyingLocalAddressesforTranslation Toidentifythelocaladdressesthatcanbetranslated,usethenatcommand: ciscoasa(config)#nat(logical_if_name)NAT_ID local_IP_addrsubnet_mask [tcp]max_TCP_conns[embryonic_conn_limit] [udpmax_UDP_conns][dns][norandomseq]
Thenatcommandspecifieswhichlocaladdresseswillbetranslatedtothepoolspecifiedintheglobalcommand.Thelogicalnameoftheinterfacewherethelocaldevices arelocatedappearsinparentheses(“()”),like(inside),forexample. TheNAT_IDtiesthenatandglobalcommandstogether,creatingapolicy.Withone exception,thenumberyouusefortheNAT_ID(thepolicynumber)doesn’tmatter.There isaspecialinstanceofusingaNAT_IDnumber:ifyouenter0,youaretellingtheappliancethattheaddressesthatfollowthisinthe natcommandshouldnotbetranslated. Cisco refers to this feature as Identity NAT, which was introduced in version 6.2.You mightwanttouseIdentityNATifyouhaveamixtureofpublicandprivateaddresses beingusedontheinsideofyournetwork—forthemachineswithpublicaddresses,you candisableNATbyusingthenat0commandandspecifyingtheaddressoraddresses ofthosedevices. Ifyouspecifyanetworknumberforthelocal_IP_addr,alsospecifytheappropriatesubnetmask.Byenteringanetworknumberandasubnetmask,youarespecifying
129
130
Cisco ASA Configuration
arangeofaddressestobetranslated.Totranslatealladdressesontheinsideinterface, usethefollowingsyntax: ciscoasa(config)#nat(inside)10.0.0.00.0.0.0
Thentiethepool/NATID“1”tothecorresponding globalcommand.Notethatyou canabbreviate0.0.0.00.0.0.0tojust00. YoucanalsolimitthetotalnumberofTCPconnections(max_TCP_conns)aswellas thenumberofhalf-open/embryonicTCPconnections(embryonic_conn_limit).Startinginversion7.0,youcanalsolimitthemaximumnumberofUDPconnections.Ifyou don’tconfigureconnectionlimitsfordevicesthatmatchatranslationpolicy,thenwhatevertheconntablesupportsiswhattheappliancewillallow.I’lldiscusstheuseofthese parametersinmoredepthlaterinthe“TCPSYNFloodAttacks”section. ItishighlyrecommendedthatyoudonotturnofftheTCPSequenceNumberRandomizationfeatureoftheappliance.Youshouldonlydothisifthisfeatureiscausinga problemwithaparticularapplication,orifdigitalsignaturesareusedonthepacketand changingthesequencenumberwouldcorruptthedigitalsignature,likeaBGPsession betweentworoutersusingMD5.ThednsparameterenablestheDNSdoctoringfeature, discussedinChapter12. Todisplayyournatcommands,usetheshowrunnatcommand.
CreatingGlobalAddressPools Translationpoliciesarealwaysconfiguredbetweenpairsofinterfaces,likeinsideand outside,ordmzandoutside.The natcommanddefinesthelocalorsourceinterfaceof addressesyouwanttotranslate.Todefinethedestinationorexitinterfacethatcontains theglobaladdresspool(theaddressoraddressesyoucanuseforatranslationpolicy), usetheglobalcommand: ciscoasa(config)#global(logical_if_name)NAT_ID {first_global_IP_addr[-last_global_IP_addr] [netmasksubnet_mask]|interface}
Thelogical_if_nameparameterspecifiesthenameofthelogicalinterfacethattrafficwillexitandhavetranslationperformedonit.TheNAT_IDparameterbasicallyspecifiesforwhichnatcommandstheglobalpoolofaddressescanbeused.Forexample,all natcommandsthathaveaNAT_IDof1canuseglobalcommandswithaNAT_IDof1 whenmatchingpacketstravelbetweentheseinterfaces. NOTE Oncethepoolofaddressesisusedup,nofurthertranslationscantakeplaceforadditional internaldevicesmatchingthesamepolicy—theirtrafficisdropped. If you specify a range of addresses in the pool, along with an appropriate subnet mask,thentheapplianceperformsdynamicNAT;oncetheaddressesareusedupinthe poolorpools,additionaltranslationsaredenied.Toovercomethisissue,PATiscommonlyused.ToimplementPAT,enterasingleIPaddressinthepoolwithasubnetmask
Chapter 5:
Address Translation
of255.255.255.255.Optionally,youcanusetheinterfaceparameterinsteadofentering asingleIPaddress;thiscausestheappliancetoperformPATusingtheapplianceIPaddressontheassociatedinterface. NOTE CiscorecommendsthatifyouwanttoperformPATusinganIPaddressontheappliance interface, always use the interface parameter instead of hard-coding the IP address in the globalcommand.Thisisobvious,ofcourse,iftheapplianceinterfaceisacquiringtheinterface addressviaDHCPorPPPoE. PAT translations are removed from the translation table when the corresponding connectionintheconntableexpires.IdleNATtranslationsareeventuallyagedoutof thetranslationtablebyusinganidletimer.Thetimeoutxlatecommandcontrolsthe idletimeout,whichbydefaultis3hours. Toviewyourglobalcommands,usetheshowrunglobalcommand. NOTE Theoneexceptionwhereyoudon’tneedacorresponding globalcommandfora nat commandisifyouareperformingIdentityNAT(nat0).
UsingACLswithAddressTranslationPolicies One problem with the nat command is that, by default, translation can only be controlledbasedonthelocaladdressessendingpackets;youcannotcontroladdresstranslationbasedonthesourceanddestinationaddressesgiventhesyntaxIdiscussedinthe “IdentifyingLocalAddressesforTranslation”section. Toovercomethisproblem,Ciscoallowsyoutoassociateanaccesscontrollist(ACL) withyourtranslationpolicy.Iftrafficmatchesa permitstatementintheACL,thecorrespondingtranslationpolicyisused.ThisfeaturecanbeusedwithIdentityNAT(exemptingtrafficfromtranslation)orPolicyNAT(controllingwhentranslationtakesplace basedonboththesourceanddestinationinformation). HereisthesyntaxofthenatcommandtocontroltranslationpolicieswithanACL: ciscoasa(config)#nat[(logical_if_name)]NAT_ID access-listACL_ID [tcp]max_TCP_conns[embryonic_conn_limit] [udpmax_UDP_conns][dns][norandomseq]
EventhoughIhaven’tcoveredACLsyet(cominginChapter6),ifyou’veworked with Cisco IOSACLs before, then understanding what’s happening with translations usingACLs isn’t that difficult. In the preceding syntax, traffic must match a permit statementintheACLinorderforthetranslationpolicytobeused.Ihavetwoexamples thatuseACLsinthenextsection. SECURITYALERT! ACLsonanapplianceuseasubnetmask—notawildcardmasklikeCisco IOSroutersuse!
131
132
Cisco ASA Configuration
AddressTranslationExamples Nowthatyouhaveanunderstandingofthesyntaxofthenatand globalcommands, let’slookatafewexamplessothatyoubetterunderstandhowtoconfiguredynamicaddresstranslationpoliciesontheappliances. SimpleNATExample I’llfirsttakealookatasimpleNATexample,usingthenetwork showninFigure5-13.Inthisnetwork,theappliancewillperformNATforanyinternal address (192.168.3.0/24 and 192.168.4.0/24). Here’s the NAT policy configuration for thisexample: ciscoasa(config)#nat-control ciscoasa(config)#nat(inside)10.0.0.00.0.0.0 ciscoasa(config)#global(outside)1200.200.200.10-200.200.200.254 netmask255.255.255.0
In this example, address translation is required (nat-control command). All of the devicesoffoftheinsideinterfacewillhavetheirsourceaddressestranslatedtoanaddressinthe200.200.200.0subnetwhenexitingtheoutsideinterface.Theaddressesare dynamicallyassignedbytheappliancebychoosingunusedonesinthepool. NOTE OneimportantpointtomakeaboutthenetworkinFigure5-13andtheconfigurationshown earlieristhattheconnectionbetweentheapplianceandtheperimeterrouterisusingthe192.168.1.0/24 subnet,andtheapplianceistranslatingpacketstothe200.200.200.0subnet.Bydefaulttheperimeter routerdoesn’tknowaboutthisnetwork.Theeasiestsolutiontothisproblemistocreateastaticroute ontheperimeterrouterpointingto192.168.1.1toreachthe200.200.200.0subnet.
Perimeter Router Physical E0/0 E0/1
Logical outside inside
Internet
Security Level 0 100
192.168.1.2/24 E0/0
192.168.1.1/24
Appliance 192.168.2.1/24
E0/1
192.168.2.2/24 192.168.3.0/24
Figure5-13. SimpleNATexample
192.168.4.0/24
Chapter 5:
Address Translation
InterfacePATExample I’llusethenetworkinFigure5-14toillustratetheconfigurationof aPATpolicyusingtheapplianceoutsideinterface.Here’stheconfiguration: ciscoasa(config)#nat-control ciscoasa(config)#nat(inside)100 ciscoasa(config)#global(outside)1interface
ThisisaspecialexampleofPAT,wheretheapplianceisusingtheoutsideinterfaceIP addressforthePATaddresspool.ThiscouldbeastaticIPaddressontheinterfaceorone dynamicallyassignedtotheapplianceusingDHCPorPPPoE.Inthisexample,theapplianceisdirectlyconnectedtotheISPandgetstheoutsideinterfaceaddressdynamically. NATandPATExample ToillustratetheuseofbothNATandPATpoliciesonanappliance, I’llusethenetworkshownpreviouslyinFigure5-13.Hereistheconfiguration: ciscoasa(config)#nat-control ciscoasa(config)#nat(inside)1192.168.3.0255.255.255.0 ciscoasa(config)#global(outside)1200.200.200.1-200.200.200.125 netmask255.255.255.128 ciscoasa(config)#nat(inside)2192.168.4.0255.255.255.0 ciscoasa(config)#global(outside)2200.200.200.126 netmask255.255.255.255
Inthisexample,acombinationofNATandPATisusedfortheinternaldevices:thetwo internalsubnetsareeachassignedtheirownpoolofpublicaddresses:
▼ F orpolicy1,192.168.3.0/24istranslatedto200.200.200.1–125(thisusesNAT)
▲ F orpolicy2,192.168.4.0/24istranslatedto200.200.200.126(thisusesPAT)
Physical E0/0 E0/1
Logical outside inside
Internet
Security Level 0 100
E0/0
???—DHCP Client
Appliance 192.168.1.1/24 192.168.1.0/24
Figure5-14. InterfacePATexample
E0/1 Inside Network
133
134
Cisco ASA Configuration
PATExamplewithTwoGlobalPools Toillustratetheuseoftwoglobaladdresspoolsonan applianceforonegroupofdevices,I’llusethenetworkshownpreviouslyinFigure5-13. Hereistheconfiguration: ciscoasa(config)#nat-control ciscoasa(config)#nat(inside)10.0.0.00.0.0.0 ciscoasa(config)#global(outside)1200.200.200.1 netmask255.255.255.255 ciscoasa(config)#global(outside)1200.200.200.2 netmask255.255.255.255
ThisconfigurationperformsPATonallinside-to-outsideconnectionsbyusingthetwo addressesinthetwoglobalcommands. NOTE Thesecondglobalcommanddoesn’toverwritethefirstone:itcreatesasecondaddress tousewithPAT,supportingmoreconnectionsinthetranslationtable.EachPATaddresscanhandle about64,000connections;soifyouhaveanappliancethatsupports130,000connections,youwould realisticallyneedthreeglobalcommandswithasingleIPaddressineach. PAT and Identity NAT Example To illustrate the use of PAT and Identity NAT on an appliance,I’llusethenetworkshowninFigure5-15.Inthisexample,Iwanttoperform PAT for 192.168.3.0/24, but to perform no address translation on machines with an addressfrom200.200.200.128/25—thelatterdevicesalreadyhaveapublicIPaddress. Hereistheconfiguration: ciscoasa(config)#nat-control ciscoasa(config)#nat(inside)0200.200.200.128255.255.255.128 ciscoasa(config)#nat(inside)1192.168.3.0255.255.255.05025 ciscoasa(config)#global(outside)1200.200.200.1 netmask255.255.255.255
Perimeter Router Physical E0/0 E0/1
Logical outside inside
Internet
Security Level 0 100
192.168.1.2/24 E0 192.168.1.1/24
Appliance 192.168.2.1/24
E1
192.168.2.2/24 192.168.3.0/24
Figure5-15. PATandnoNATexample
Inside Router
200.200.200.128/25
Chapter 5:
Address Translation
Inthisexample,the192.168.3.0/24subnetistranslatedto200.200.200.1usingPATwhen goingfromtheinsideinterfacetotheoutside,alongwithconnectionrestrictions(50completeand25embryonicconnections).The200.200.200.128/25isexcludedfromtranslationbetweenanyinterfaces. Three-Interface NAT Example With two interfaces, configuring translation policies is straightforward; adding interfaces complicates matters. Let’s look at an example to illustratethecomplexitythatthreeinterfacesaddtothesituation.I’llusethenetwork showninFigure5-16.Here’stheconfigurationfortheappliance: ciscoasa(config)#nat-control ciscoasa(config)#nat(inside)10.0.0.00.0.0.0 ciscoasa(config)#nat(dmz)1192.168.5.0255.255.255.0 ciscoasa(config)#global(outside)1200.200.200.10-200.200.200.254 netmask255.255.255.0 ciscoasa(config)#global(dmz)1192.168.5.10-192.168.5.254 netmask255.255.255.0
TIP Whenlookingforatranslationmatch,alwayslookforthesameNATIDvalueinboththenat andglobalcommandsforthetwointerfacesinvolvedwiththetraffic. Inthisexample,threeinterfacesareinvolvedwithaddresstranslation:inside,outside,anddmz.Here’sabreakdownoftheaddresstranslationpolicies:
▼ i nside-to-dmz Thistranslationpolicyusesthenatcommandontheinside andtheglobalcommandonthedmzinterface(theybothhaveaNATID of1).Anytrafficgoingfromtheinsideinterfacetothedmzinterfacewillbe translatedwithNATusingthe192.168.5.10–192.168.5.254rangeofaddresses. NoticesomethinginterestingabouttheaddresspoolfortheDMZsegment:
Perimeter Router Physical E0/0 E0/1 E0/2
Logical outside inside dmz
Security Level 0 100 50
Internet 192.168.1.2/24 E0/0
Appliance 192.168.2.1
192.168.1.1/24 E0/2 192.168.5.1/24 E0/1
192.168.2.2 192.168.3.0/24
Figure5-16. Three-interfaceNATexample
192.168.4.0/24
192.168.5.2
135
136
Cisco ASA Configuration
ithasunusedaddressesfromthe192.168.5.0/24network.FromtheDMZ serverperspective,theinsidedeviceswilllookliketheyarephysically connectedtotheDMZ,wheninrealitytheyarebeingtranslated.IntheDMZ serverARPcache,theapplianceMACaddressforE0/2wouldappearforthe translatedIPaddresses,whichmeansthatifaDMZserverwouldARPfora translatedinsidedevice,theappliancewouldrespondbackwithitsownMAC addressonE0/2(thisprocessisreferredtoasproxyARP).
■ inside-to-outside Thistranslationpolicyusesthenatcommandonthe insideandtheglobalcommandontheoutsideinterface(theybothhave aNATIDof1).Anytrafficgoingfromtheinsideinterfacetotheoutside interfacewillbetranslatedwithNATusingthe200.200.200.10–200.200.200.254 rangeofaddresses.
▲ d mz-to-outside Thistranslationpolicyusesthenatcommandonthedmz andtheglobalcommandontheoutsideinterfaces(theybothhaveaNAT IDof1).Anytrafficgoingfromtheinsideinterfacetotheoutsideinterface willbetranslatedwithNATusingthe200.200.200.10–200.200.200.254rangeof addresses.Noticethatboththeinsideanddmzinterfacesusethesameglobal poolwhenaccessingtheoutsidenetwork.Thisisavalidconfiguration;the onlyproblemyoumightexperienceisthattwosetsofnetworksaresharinga limitedpoolofaddresses. TIP WheneverIaddanewserviceordevice,andtrafficisnotflowingthroughtheapplianceforthe newaddition,Itypicallyfirstlookataddresstranslationpolicies,assumingnat-controlhasbeen configuredandthusaddresstranslationisrequired.Frommyexperience,mostconnectivityproblems arerelatedtofirst,misconfiguredtranslationpolicies,andsecond,misconfiguredACLs.
PolicyNATExample ThenextexamplewillshowasimpleconfigurationusingPolicyNAT, wherethetranslationiscontrolledbasedonthedestinationthesourceistryingtoreach. ACLs(discussedinChapter6)mustbeusedinthissituation.Here’stheconfiguration example,basedonthenetworkshowninFigure5-17: ciscoasa(config)#access-listSite_Apermittcp10.0.1.0255.255.255.0 host172.16.10.1 ciscoasa(config)#nat(inside)100access-listSite_A ciscoasa(config)#global(outside)100172.16.1.100 netmask255.255.255.255 ciscoasa(config)#access-listSite_Bpermittcp10.0.1.0255.255.255.0 host172.17.10.2 ciscoasa(config)#nat(inside)101access-listSite_B ciscoasa(config)#global(outside)101172.17.1.88 netmask255.255.255.255
In the preceding example, any packets from 10.0.1.0/24 being sent to 172.16.10.1 are translatedusingPATtoanIPaddressof172.16.1.100.Ifanypacketsfrom10.0.1.0/24are
Chapter 5:
Address Translation
Site A
172.16.1.100
Your Company
172.16.10.1 Internet Site B
172.17.1.88
10.0.1.0/24
172.17.10.2
Figure5-17. PolicyNATexample
beingsentto172.17.10.2,however,theyaretranslated,usingPAT,toadifferentglobal address,172.17.1.88.Inthisexample,anACLisusedtocontrolwhenaddresstranslation takesplace:thesourceanddestinationinvolvedintheconnection. PolicyIdentityNATExample ThelastdynamictranslationpolicyI’llshowisbasedonthe networkinFigure5-18.Inthisexample,I’mconfiguringtheapplianceattheSOHOsite, wheretraffictraversingtheVPNtotheCorporatesiteshouldbeexemptedfromaddress translation(IdentityNAT),andtrafficgoingtotheInternetshouldbetranslatedusing PAT.Here’stheconfigurationfortheappliance: SOHO(config)#access-listVPN-EXEMPT-NATpermitip 10.100.10.0255.255.255.0 10.10.0.0255.255.0.0 SOHO(config)#nat-control SOHO(config)#nat(inside)0access-listVPN-EXEMPT-NAT SOHO(config)#nat(inside)110.100.0.0255.255.0.0 SOHO(config)#global(outside)1interface
Intheprecedingexample,thefollowingtranslationpoliciesareconfigured:
▼ W hentrafficgoesacrossthesite-to-siteVPNtunneltotheCorporateoffice,it shouldnotbetranslated:theaccess-listandnat(inside)0commands implementthispolicy.
▲ W hentrafficgoesfromtheSOHOtotheInternetlocations,itwillbetranslated usingPAT:thenat(inside)1andglobal(outside)1commands implementthispolicy.
137
138
Cisco ASA Configuration
Corporate Office
SOHO VPN (NAT 0)
Internet 10.100.10.0/24 Non-VPN 10.10.0.0/16
Figure5-18. PolicyidentityNATexample
ConfiguringStaticNATTranslation StaticNATtranslationsarecommonlyusedforinboundconnections:youhaveaserver onahigher-levelinterfacethatyouwantlower-levelinterfaceuserstoaccess,likeInternetusersaccessingDMZweb,e-mail,andDNSservers.Thissectionwilldiscusshowto createastaticNATtranslation,andshowasimpleexampleofitsusage.
StaticNATSyntax TocreateastaticNATtranslation,usethefollowingcommand: ciscoasa(config)#static(local_if_name,global_if_name) global_IP_addrlocal_IP_addr [netmasksubnet_mask] [tcp[max_conns[embryonic_conn_limit]] [udpmax_conns[dns][norandomseq]
OfallthecommandsI’veworkedwithonCiscodevices,thestaticcommandistheone I’vemostcommonlyseenmisconfiguredbecauseoftheorderoftheparameters:local interface,globalinterface,globalIPaddress,andlocalIPaddress—noticethatthelocal andglobalvaluesdon’tmatchupinalogicalorder! NOTE Theinterfacenamesandtheaddresseslistedinthestaticcommandarereversed,which hascreatedalotofconfusionfornetworkadministratorssettingupstatictranslations! Rememberthattranslationpoliciesalwaysinvolveapairofinterfaces,ascanbeseen fromtheprecedingsyntax.Theinterfacenamesareseparatedbyacommawithnospace.
Chapter 5:
Address Translation
Foroutboundaccess,trafficenteringthelocalinterfacewiththespecifiedlocalIPaddress (inthesourceIPaddressfieldoftheIPpacket)willbetranslatedwhenleavingtheglobal interfacetothespecifiedglobalIPaddress.Forinboundaccess,trafficenteringtheglobal interfacewithadestinationaddressthatmatchestheglobalIPaddressinthe static commandwillbetranslatedtothelocalIPaddressandforwardedoutthespecifiedlocal interface. When configuring a static NAT translation, you can translate a single IP address, specifyingasinglelocalandglobaladdresswitha255.255.255.255subnetmaskvalue (thisisthedefault),oryoucanconfigurewhatCiscoreferstoasanetstatic,mappingone rangeofaddressesinanetworktoasecondnetworkwiththesamerangeofaddresses, likemapping10.0.1.0/24to192.1.1.0/24,where10.0.1.1wouldmapto192.1.1.1,10.0.1.2 wouldmapto192.1.1.2,andsoon.Withanetstatic,youneedtoconfiguretheappropriatesubnetmaskvalue.Theadvantageofusinganetstaticisthattheappliancecan nowdistinguishbetweenhost,network,anddirectedbroadcastaddressesforanetwork number,ofwhichtheappliancewillnottranslateorforwardthelattertwo. Theotherparameterswerediscussedpreviouslyinthe“IdentifyingLocalAddresses forTranslation”section. TIP Irecommendagainstusingnetstatics,butinsteadrecommendusingindividualstatics.The problemwithanetworkstaticisthatallthemappingsyoucreateusethesameparametersinthe staticcommand,liketotalTCPconnectionsortotalembryonicconnections.Forexample,Iwould assumethatane-mailserverandwebserverwouldprobablyhavedifferentconnectioncharacteristics, andtorepresentthese,Iwouldneedseparatestaticstatements.Youcanovercomethisissueby usingtheModularPolicyFramework(MPF)featurediscussedinChapter10,butthisassumesyou haveversion7orlateronyourappliance.
StaticNATExample To illustrate the configuration of static NAT translation policies, I’ll use the network shown in Figure 5-19. The following configuration shows the appliance configuration forbothstaticNATanddynamicNATtranslationpolicies: ciscoasa(config)#nat-control ciscoasa(config)#static(dmz,outside)200.200.200.1192.168.5.2 netmask255.255.255.255 ciscoasa(config)#static(dmz,outside)200.200.200.2192.168.5.3 netmask255.255.255.255 ciscoasa(config)#static(inside,outside)200.200.200.3192.168.4.1 netmask255.255.255.255 ciscoasa(config)#nat(inside)10.0.0.00.0.0.0 ciscoasa(config)#global(outside)1200.200.200.10-200.200.200.254 netmask255.255.255.0 ciscoasa(config)#global(dmz)1192.168.5.10-192.168.5.254 netmask255.255.255.0
139
140
Cisco ASA Configuration
Perimeter Router Internet 192.168.1.2/24 Physical E0/0 E0/1 E0/2
Logical outside inside dmz
Security Level 0 100 50
E-mail Server 192.168.5.2
192.168.1.1/24 E0/0 E0/2 Appliance 192.168.5.1/24 E0/1 192.168.2.1/24 FTP Server 192.168.4.1
192.168.2.2/24 192.168.3.0/24
Web Server 192.168.5.3
Inside Router
192.168.4.0/24
Figure5-19. StaticNATexample
In this example, the appliance has three interfaces: inside, outside, and dmz. The first static command creates a static NAT translation policy for the DMZ public e-mail server: outside users send traffic to 200.200.200.1, which will be translated to 192.168.5.2andforwardedtothedmzinterface.Thesecondstaticcommandcreatesa staticNATtranslationpolicyfortheDMZpublicwebserver:outsideuserssendtraffic to200.200.200.2,whichwillbetranslatedto192.168.5.3andforwardedtothedmzinterface.Thethird staticcommandcreatesastaticNATtranslationpolicyfortheinside publicFTPserver:outsideuserssendtrafficto200.200.200.3,whichwillbetranslatedto 192.168.4.1andforwardedtotheinsideinterface. NOTE Eventhoughthe staticcommandssetupthestaticNATtranslations,trafficwillnotbe allowedtogofromtheoutsidetothedmz,orfromoutsidetoinsideinterfacesuntilyouconfigureACL entries,whichisdiscussedinthenextchapter. Therearetwoadditionaltranslationpoliciesforoutboundaccess.Wheninsideusers send traffic to the outside, the addresses will be translated, using NAT, to the addresspoolrangingfrom200.200.200.10to200.200.200.254.Also,wheninsideusersaccess the DMZ segment, the addresses will be translated to the address pool ranging from 192.168.5.10to192.168.5.254.
ConfiguringStaticPATTranslation TheappliancessupportstaticPAT,sometimesreferredtoasportaddressredirection(PAR). PARissometimesnecessarywhenyourISPassignsyouasinglepublicIPaddressthat
Chapter 5:
Address Translation
youneedtoputontheoutsideinterfaceofyourappliance,butyouwantInternetusers toaccessserversbehindyourappliance,likeaweb,DNS,and/ore-mailservers.Basically,PARredirectstrafficsenttooneIPaddressandportnumbertoadifferentIPaddressand,possibly,toadifferentportnumber.Thefollowingtwosectionswillshowyou thesyntaxforconfiguringPARaswellasasimpleexample.
StaticPATSyntax The staticcommandisusedtoredirecttrafficfromonedestinationaddressanddestinationporttoadifferentinternalmachine(andpossiblytoadifferentdestinationport number).Hereisthesyntaxofthecommand: ciscoasa(config)#static(local_if_name,global_if_name){tcp|udp} {global_IP_addr|interface} global_dest_port_#local_IP_addrlocal_port_# [netmasksubnet_mask] [tcp[max_TCP_conns[embryonic_conn_limit]] [udpmax_UDP_conns[dns][norandomseq]
For port redirection, specify the IP protocol: tcp or udp. The global_IP_addr is the global/publicIPaddressthattheoutsideworldsendstrafficto.Insteadofusingthisaddress,youcanspecifytheinterfaceparameter,whichwillhavetheapplianceusethe addressassignedtothe global_if_nameinterface.Theglobalportnumberistheport numberoftheapplicationthattheexternaldeviceistryingtoreach,like21forFTP. The local_IP_address is the actual IP address assigned to the internal device, andthelocal_port_#istheportnumbertheapplicationislisteningtoontheinternal device.Theotherparameterswerediscussedpreviouslyinthe“IdentifyingLocalAddressesforTranslation”section.
StaticPATExample ToillustratetheconfigurationofstaticPATorPARtranslationpolicies,I’llusethenetworkshowninFigure5-20.ThefollowingconfigurationshowstheapplianceconfigurationforPAR: ciscoasa(config)#static(inside,outside)tcpinterface80 192.168.1.2080netmask255.255.255.255
Inthisexample,webtrafficsenttoport80totheIPaddressontheoutsideinterfaceofthe appliancewillberedirectedto192.168.1.20onport80oftheinsideinterface.
FindingaMatchingTranslationPolicy Anaddresstranslationisconfiguredforeverysourceanddestinationinterfacepair:this allowstheappliancetotranslateasourceaddresstosomethingdifferentdependingon the destination interface the source is trying to reach. When address translation is required(NATcontrolisenabled),theremustbeanexistingentryinthexlatetable,orthe
141
142
Cisco ASA Configuration
Internet Physical E0/0 E0/1
Logical outside inside
Security Level 0 100
E0/0
200.1.1.1
Appliance WWW Server 192.168.1.20
192.168.1.1/24 192.168.1.0/24
E0/1 Inside Network
Figure5-20. StaticPATexample
appliancemustbeabletobuildanentrybeforetheappliancewillswitchapacketbetweeninterfaces:Buildingtranslationpoliciescanbedonedynamically(natandglobal commands)orstatically(staticcommand).Theexceptionstothisrulearethe nat 0 commands,whichcreateexemptionstotheaddresstranslationprocess. However,whenmultipletranslationpoliciesareconfigured,thequestioniswhich translationpolicyshouldbeusedbytheappliance.Whenlookingforamatchingtranslationpolicy,theappliancegoesthroughthefollowingsteps:
1. T heappliancelooksforanexistingtranslationinthetranslationtable; sometimesCiscowillrefertothisastryingtofinda“matchingxlateslot”inthe translationtable.
2. I fnoentryexistsinthetranslationtable,theappliancelooksforaddress translationexceptionsinthenat0commandsonabest-matchbasis.
3. I ftherearenomatchesontheIdentityNATcommands,theappliancewilltry tofindamatchagainsttheconfiguredstaticNATcommandsbasedona best-matchbasis.
4. I ftherearenomatchesonthestaticNATcommands,theappliancewilltry tofindamatchagainsttheconfiguredstaticPAT(PAR)policiesonabestmatchbasis.
5. I fnomatchisfoundwithinthePARtranslationpolicies,theappliance thenlooksforamatchinitspolicynatandglobalcommandswitha correspondingACL.
6. I fthereisnotamatchonapolicytranslationconfiguration,theappliancethen looksforamatchinitsnormalnatandglobalcommands.
7. I fatranslationortranslationpolicydoesn’texistforthepacket,theappliance willdropthepacketifNATcontrolisenabled;ifNATcontrolisnotenabled, thenthepacketisnottranslated,butcanflowthroughtheappliance,assuming otherappliancepoliciesallowit.
Chapter 5:
Address Translation
TCPSYNFLOODATTACKS Sometypesoftrafficaremalicious.OneexampleistheweaknessthatTCPhasduring thethree-wayhandshakewhenestablishingaconnection:thedestinationassumesthat whenitreceivesaSYN,itisalegitimateconnectionattempt.However,attackerscould usethistotheiradvantageandspoofthousandsofTCPSYNs,makingitlooklikethere arethousandsoflegitimateconnectionrequests. Theissuethedestinationhasisthatsincethedestinationassumestheconnectionrequestsarevalid,itmustmaintainthemforaperiodbeforedeterminingthattheyaren’t goingtocompletethethree-wayhandshakeandremovingthemfromthelocalconnectiontable.Thiscanhaveadevastatingimpactonthedestination,sincemostoperating systemswillkeeptheconnectionintheirlocaltablefrom30to60seconds,andtheconnectiontablehasfiniteresourcestostoreconnections.Soanattackercouldeasilyfillupthe connectiontableanddenylegitimateconnectionattemptswhiletheattackisongoing.
TheOriginalTCPIntercept CiscointroducedtheTCPInterceptfeatureonthePIXsbackinversion5.2tolimitthe effectivenessofthesekindsofattacks.Intheoriginalimplementation,youwoulddefine embryonicconnectionlimitsinthe staticand/or natcommands.Oncetheselimits werereached,theappliancewouldintercepttheTCPSYNsandproxytheconnection, sending back a SYN/ACK, pretending to be the destination. The appliances would maintainthisconnectionintheirconntable.IfanACKwasnotreceivedin30seconds, thehalf-openconnectionwasremovedfromtheconntable.Ifitwasreceivedwithin30 seconds, the appliance would perform a three-way handshake to the real destination, bindthetwoconnections—sourceanddestination—andplacethesingleboundconnectionintheconntable. NOTE Besidesspecifyingconnectionlimitswiththe staticand natcommands,youcanalso set up policies using the Cisco Modular Policy Framework (MPF) starting with version 7.0. The advantageofMPFisthatitismoregranularandwillworkwithorwithoutaddresstranslation.MPFis discussedinChapter10.
TCPInterceptwithSYNCookies Topreventanattackerfromfillingtheconntablewithhalf-openTCPconnections,Cisco enhancedtheTCPInterceptfeaturewithTCPSYNcookiesinversion6.2.Insteadofproxyingthehalf-openTCPconnectionsandmaintainingthemintheconntable,theappliance generates a cookie by hashing certain parts of the TCP header—this is then included in theSYN/ACKsentbacktothesource.NothingabouttheoriginalTCPSYNconnection ismaintainedinthestatetablebytheappliance.Ifaconnectionattemptislegitimate,the sourcewillrespondwiththeTCPACK,whichshouldcontainthecookieinformationinthe TCPheader.Atthispoint,theapplianceitselfwillproxytheconnectiontothedestination
143
144
Cisco ASA Configuration
andaddthenewconnectiontothestatetable.WiththeSYNcookiefeature,theappliance doesn’thavetomaintainanyconnectioninformationfortheinitialSYNconnectionattempt, greatlyreducingtheoverheadinvolvedwhendealingwithaTCPSYNfloodattack. NOTE ThisisnottosaythatTCPInterceptwithSYNcookiesisthebestfeatureatdealingwith TCPSYNfloodattacks,butitismuchbetterthanwhatCiscoIOSrouterssupportandbetterthan theoriginalTCPInterceptimplementationontheappliances.Ciscohastwoproducts,theGuardand TrafficAnomalyDetector,whichweredesignedspecificallyforfloodattacks.Thesecanbepurchased asstand-aloneappliancesorascardsforthe6500switchesor7600routers.
TRANSLATIONANDCONNECTIONVERIFICATION Onceyouhaveconfiguredyouraddresstranslationpolicieswiththe global, nat,and staticcommands,youarenowreadytouseshowcommandstoverifyyourconfiguration.Thefollowingsectionscoverthesecommands.
ViewingActiveTranslations Oneofthemoreimportantcommandsthatyouwillusewhentroubleshootingproblems withconnectionsisthe show xlatecommand.Thiscommandshowsthetranslations thatareinthetranslationorxlatetable.Thesyntaxoftheshowxlatecommandis ciscoasa#showxlate[detail][{global|local} IP_address1[-IP_address2] [netmasksubnet_mask]] {gport|lport}port[-port]] [interfaceinterface_name_1[,interface_name_X] [statestate_information]
Typingshowxlatebyitselfliststheentiretranslationtable.Table5-4explainstherest oftheparametersforthiscommand. Anexampleoftheoutputoftheshowxlatecommandisshownhere: ciscoasa#showxlate Global200.200.200.10Local172.16.7.80nconns1econns0 Global200.200.200.11Local172.16.7.81nconns3econns0
Inthisexample,theglobaladdressistheaddressthatexternaldevicesusetoaccessthe internaldevice,displayedasthelocaladdress.Forexample,ifsomeonefromtheoutside worldwantedtoaccess172.16.7.80,hewoulduseadestinationaddressof200.200.200.10. Twootheritemsinthisdisplayareofinterest: nconnsreferstothenumberofconnectionsthatarecurrentlyopentothisaddress,and econnsreferstothenumberofhalfopen(embryonic)connections.
Chapter 5:
Address Translation
Parameter
Explanation
detail
Displaysthetranslationtypeaswellastheinterfacesthe connectiontraverses.
global|local
Displaysonlytheglobalorlocaladdressesintheoutput.
gport|lport
Displaystranslationsforthespecifiedglobalorlocal portnumber(s).
interface
Displaysonlythetranslationsforthespecifiedinterfaces.
state
Displaystheconnectionsbytheirstate.Youcanalso limittheoutputofthedisplaybyspecifyingthestate(s) thatyouareinterestedin:translationsconfiguredbythe staticcommand(static);translationsbeingremoved (dump);translationsconfiguredwithPATbyglobal command(portmap);translationsdefinedbythenat orstaticcommandwiththenorandomseqparameter (norandomseq);ortranslationsdefinedwiththenat0 configuration(identity).
Table5-4. TheParametersfortheshowxlateCommand
Thefollowingisanexampleusingthedetailparameter: ciscoasa#showxlatedetail 3inuse,3mostused Flags:D-DNS,d-dump,I-identity,i-inside,n-norandom, o-outside,r-portmap,s–static TCPPATfrominside:172.16.7.80/1026tooutside:200.200.200.1/1024 flagsri UDPPATfrominside:172.16.7.80/1028tooutside:200.200.200.1/1024 flagsri ICMPPATfrominside:172.16.7.80/21505tooutside:200.200.200.1/0 flagsri
ThisexamplehasthreePATconnections.Noticetheflagslistedattheend.The rindicatesthatthisisaportmap(PAT)connection,andtheiindicatesaninsideaddress.Also noticethatyoucanseetheinterfacesinvolvedinthetranslation—allthreearebetween theinsideandoutsideinterfaces.
145
146
Cisco ASA Configuration
ViewingActiveConnections Theapplianceskeeptrackoftheconnectionsgoingthroughthembyplacingconnection informationinastate/connectiontable,calledaconntable.RememberthattheappliancesareonlystatefulforTCPandUDPconnectionsbydefault,butcanalsobestateful forICMP.Theappliancesallowtrafficfromalower-level-securityinterfacetoahigherleveloneifthereisacorrespondingentryintheconnectiontable.Anentryisplacedin theconnectiontableintwobasicways:
▼ A connectionisaddedwhenaTCPorUDPconnectionisinitiatedfroma higher-levelinterfacetoalowerone—thisallowsthereturninginboundtraffic tothesource.
▲ A connectionisaddedwheninboundtrafficisallowedbyanACLanda connectionmatchesapermitstatement—thisallowsthereturningoutbound traffictothesource. Toseetheconnectionsintheconnectiontable,usetheshowconncommand:
ciscoasa#showconn[detail][count][{foreign|local} IP_address_1[-IP_address_2]] [netmasksubnet_mask] [protocol{tcp|udp|protocol]} [fport|lportport_1[-port_2]] [statestate_information]
Typing show connbyitselfliststheentirestatetable.Table5-5explainstherestof theparametersforthiscommand. Anexampleoftheoutputoftheshowconncommandisshownhere: ciscoasaa#showconn 6inuse,6mostused TCPout202.202.202.1:80in192.168.1.5:1404idle0:00:00Bytes11391 TCPout202.202.202.1:80in192.168.1.5:1405idle0:00:00Bytes3709 TCPout202.202.202.1:80in192.168.1.5:1406idle0:00:01Bytes2685 TCPout202.202.202.1:80in192.168.1.5:1407idle0:00:01Bytes2683
Inthisoutput,theinternalhost(in)192.168.1.5accessedanexternalwebserver(out)at 202.202.202.1. Anexampleoftheoutputoftheshowconndetailcommandisshownhere: ciscoasa(config)#showconndetail 1inuse,2mostused Flags:A-awaitinginsideACKtoSYN,a-awaitingoutsideACKtoSYN, B-initialSYNfromoutside,D-DNS,d-dump, E-outsidebackconnection,f-insideFIN,F-outsideFIN, G-group,H-H.323,I-inbounddata,M-SMTPdata,
Chapter 5:
Address Translation
Parameter
Explanation
detail
Displaysthetranslationtypeaswellastheinterfacesthe connectiontraverses.
count
Displaysonlythenumberofconnectionsinthetable—this canhelpyoufigureoutifyouhavepurchasedtheright connectionlicenseand/orsecurityappliance.
foreign|local
Displaysonlythespecifiedforeignorlocaladdresses.
protocol
DisplaysonlythespecifiedIPprotocol.
fport|lport
Displaystranslationsforthespecifiedforeignorlocalport number(s).
state
Displaystheconnectionsbytheirstate.Youcanalsolimit theoutputofthedisplaybyspecifyingthestate(s)thatyou areinterestedin.
Table5-5. TheParametersfortheshowconnCommand
O-outbounddata,P-insidebackconnection, q-SQL*Netdata,R-outsideacknowledgedFIN, R-UDPRPC,r-insideacknowledgedFIN, S-awaitinginsideSYN, s-awaitingoutsideSYN,U–up TCPoutside:202.202.202.32/23inside:192.168.1.10/1026flagsUIO
Inthisexample,atthetopofthedisplayisatableexplainingtheflagsthatyoumaysee at the end of a connection entry. Below this table is a TCP telnet connection that was initiatedby192.168.1.10(inside)to202.202.202.32(outside).Itsflagsindicatethatitis activeandthatitallowsbothinboundandoutboundtransferofdata.
ViewingLocalHostInformation Startinginversion7.0,youcanviewandclearthetranslationsandconnectionsoflocal hostsinonecommand: show local-hostor clear local-host.Thesecommands allowyoutoviewtheconnandxlateentriesforallhostsassociatedwithaninterface orinterfaces,oraparticularhost,makingiteasiertounderstandwhattrafficisgoing throughtheappliance.Thefullsyntaxofthesecommandsisasfollows: ciscoasa#showlocal-host[IP_address][detail] ciscoasa#clearlocal-host[IP_address][all]
147
148
Cisco ASA Configuration
Here’sanexampleofviewingasummaryofthehostinformation: ciscoasa#showlocal-host Licensedhostlimit:Unlimited Interfaceinside:1active,5maximumactive,0denied Interfaceoutside:0active,0maximumactive,0denied
Inthisexample,noper-hostlicensingisontheappliance,andcurrentlyoneconnection isinthestatetableassociatedwiththeinsideinterface.Thiscommandgivesyouaquick ideaastothenumberofentriesinthestatetableperinterface,andthemaximumthat wasseenforeachinterface. Here’sanotherexampleofthiscommand,butspecifyingasinglehostandusingthe detailparameter: ciscoasa#showlocal-host10.1.1.1detail Interfacethird:0active,0maximumactive,0denied Interfaceinside:1active,1maximumactive,0denied localhost:, TCPflowcount/limit=1/unlimited TCPembryoniccountto(from)host=0(0) TCPinterceptwatermark=unlimited UDPflowcount/limit=0/unlimited Xlate: TCPPATfrominside:10.1.1.1/4984tooutside:192.1.1.1/1024flagsri Conn: TCPoutside:192.1.1.1/21inside:10.1.1.1/4984flagsUIInterface outside:1active,1 maximumactive,0denied
Inthisexample,youcanseeonePATtranslationinthexlatetableandoneconnectionin theconntablefor10.1.1.1.
ClearingEntriesintheXlateandConnTables Anytime that you make policy changes (as with the nat, global, static, accesslist,andmanyothercommands)thataffectexistingentriesinthetranslationand/or conn tables, you should execute the clear xlate command to remove the existing
entriessothatthenewpolicychangeswillapplytotheusers:executingthiscommand willenforcethenewchanges. Thesyntaxoftheclearxlatecommandisshownhere:
ciscoasa#clearxlate[globalip1[-ip2][netmaskmask]] [localip1[-ip2][netmaskmask]] [gportport1[-port2]][lportport1[-port2]] [interfacelogical_if_name][statestate]
Chapter 5:
Address Translation
Ifyoudon’tspecifyanyparameters,alltranslationswillbeclearedfromthexlatetable andallconnectionswillbeclearedfromtheconntable.Mostpeopleassumethatsince thecommandhas“xlate”init,thatthecommandonlyaffectsthexlatetable:thisisnot true!Ofcourse,youcanbespecificaboutwhichentry(orentries)istobecleared.Refer toTable5-4foranexplanationoftheseparameters. SECURITYALERT! Anytimeyouadd,change,ordeleteatranslationpolicy,youshouldclearthe translation table with the clear xlate command in order for your changes to take effect on existingtrafficandconnections.Also,whenusingtheclearxlatecommand,alwaysqualifyit: withoutanyparameterstoqualifythecommand,theentireconnandxlatetablesarecleared,breaking anyexistingconnectionsinthestatetable,whichmightupsetquiteafewadministratorsandusers!
149
This page intentionally left blank
6 Access Control
151
152
Cisco ASA Configuration
I
n the previous chapter, I talked about some of the security appliance commands to perform address translation, like global, nat, and static. This chapter will expand on the topic of controlling traffic through the appliance, discussing these topics:
▼ Usingaccesscontrollists(ACLs)tofiltertrafficthroughtheappliance
■ UsingobjectgroupstosimplifythemanagementofACLs
■ FilteringICMPpacketsdestinedtoanappliance
▲ T roubleshootingconnectionsusingthepackettracerandpacketcapturefeatures
ACCESSCONTROLLISTS(ACLs) Beginningwithversion5.3,CiscointroducedACLstostandardizetheimplementationof filtersontheappliances.Theterm“ACLs,”eventhoughitisanacronym,issometimes pronouncedasaword:“ackles.”BeforeACLs,CiscoPIXsusedconduitsandoutbound filters.Conduitswereusedtoallowinboundconnections,andoutboundfilterswereused torestrictoutboundconnections.Conduitsandfiltershadsomemajorlimitationsintheir filteringabilities.Therefore,CiscoportedtheirACLtechnologyfromtheIOS-basedrouters tothePIXplatform.Allthreefilteringfeatures—ACLs,conduits,andoutboundfilters— weresupportedthroughversion6.Startinginversion7,conduitsandoutboundfiltersare nolongersupported:youmustuseACLstofiltertrafficthroughyourappliances. Asyouwillseethroughoutthissectionofthebook,ACLshavemanycomponents incommonwiththeimplementationofACLsonCiscoIOSrouters.Forexample,you’ll have to go through two steps to set up and activate yourACLs—create theACL and applyittoaninterface.However,differencesexistintheconfigurationandoperationof ACLsontheapplianceswhencomparedwithIOSrouters.
IntroductiontoACLs ACLsonCiscoIOS-basedroutersandontheappliancesareverysimilarintheirfunction,processing,andconfiguration.Sinceconduitsandoutboundfiltersarenolonger supportedontheappliances,youmustuseACLstoexemptinboundconnectionsandto controloutboundconnections.
ApplianceandIOSRouterACLComparison Ciscoisattemptingtomovetoamoreuniformcommand-lineinterfaceacrossitsnetworkingproducts,whichyoucanseewiththeACLcommandsontheappliances.This sectionwillcoverboththemanysimilaritiesandafewdifferencesbetweenACLsonthe appliancesandACLsonIOSrouters.
Chapter 6:
Access Control
Ifyou’veconfiguredACLsonIOSroutersinthepast,learningtouseACLsonthe appliances will be easy. Here are some of theACL features the two products have in common:
▼ AgroupingofACLsislabeledwithagroupidentifier.
■ B othstandardandextendedACLsaresupported(standardACLsarenewin version7.0).
■ ACLsareactivatedonaninterfaceineitheraninboundoroutbounddirection.
■ Thegeneralsyntaxofthestatementsisthesame.
■ E achstatementhasacounterthatkeepstrackofthenumberofmatchesonthe statement.
■ E achstatementcanhaveloggingenabled,displayingasummaryofthepacket thatmatchedonthestatement.
■ Statementsareprocessedinatop-downorder,startingwiththefirststatement, untilamatchisfound.
■ A ninvisiblestatement,calledtheimplicitdenystatement,isattheendofthe listandwilldroptrafficifitdoesn’tmatchanyotherstatementinthelist.
■ W henaddingstatementstoalist,statementsareaddedattheendofthelistby default.
■ W heneditingACLs,youcandeletespecificstatementsandinsertstatements intothelist.
■ YoucanhavemultipleremarksinyourACLs.
■ A CLstatementscanbeenabledordisabledbasedonthecurrentdateandtime (referredtoasatimedACLentry).
▲ A CLscanbeusedforfunctionsotherthanfiltering,suchasclassifyingtraffic forotherfeatureslikeaddresstranslation,VPNs,andsoon. Table6-1coverssomeofthedifferencesbetweenACLsonappliancesandIOSrouters. SECURITYALERT! TherearetwomaindifferencesbetweenACLsonappliancesandthoseonIOS routers.First,rememberthatapplianceACLsusesubnetmasks,notwildcardmasks,whenmatching onpacketaddressingcontents.Second,applianceACLsfiltertrafficflowingthroughtheappliance, nottoit.OthercommandsontheappliancefiltertrafficsenttoanIPaddressontheappliance.
ProcessingofACLs InChapter5,IwentthroughasimpleexampleofTCPtrafficflowingthroughtheapplianceinthe“TCPConnectionExample”section.I’llbuildonthistopictogiveyou a better understanding of what the appliance is doing to packets as they enter and
153
154
Cisco ASA Configuration
Component
Appliances
IOSRouters
ACLidentification ACLscanbeidentifiedwith NamedACLsmustuse anameornumber. names,andnumberedACLs mustusenumbers. ActivatingACLs
Aglobalcommandis usedtoactivateanACL.
ACLsareactivatedinan interfacesubcommandmode.
Matchingona Subnetmasksareused. rangeofaddresses
Wildcardmasksareused.
Loggingof Whenthesamesourceis statementmatches continuallymatchingona statement,youcancontrol theperiodthatamessage shouldberegeneratedaswell ascontrollingthenumberof logmessagesgeneratedbya statementwithinaperiod,no matterhowmanysourcesare matchingonit.
Whenthesamesourceis continuallymatchingon astatement,amessageis generatedeitherevery5 minutesoreveryxpackets thatmatch.
InsertingACL statements
ACLstatementsarenumbered sequentiallyfrom1(1,2,3, 4…);toinsertastatement, specifytheexactlinenumber thestatementshouldbe placedin.
ACLstatementsarenumbered inincrements(like10,20,30, 40…);toinsertastatement, usealinenumberthatdoesn’t currentlyexistintheACL.
Filteringtraffic
ACLsappliedtointerfaces ACLsappliedtointerfaces filtertrafficflowingthrough filtertraffictoandthroughthe theappliance,nottothe router. appliance.
Table6-1. ComparingACLsonAppliancesandIOSRouters
leaveitsinterfaces.Herearethestepsthatapacketwillgothroughuponenteringan interface:
1. T heappliancecomparesthepacketinformationtotheexistingconnections tothestatetabletodetermineifthepacketisanew,orispartofanexisting, connection.Ifit’sanexistingconnection,thepacketisallowedthrough,and theremainderoftheACLcheckslistedherearebypassed.
Chapter 6:
Access Control
2. A ssumingaddresstranslationisenabled,thisstepisperformed.Forinbound connections,thedestinationaddressiscomparedwiththetranslation policiestomakesurethatitcanbetranslated.Foroutboundconnections,the destinationaddressiscomparedwiththetranslationpoliciestomakesure thatitcanbetranslated.Ifthereisnomatchingtranslationpolicy,thepacketis dropped.Notethattranslationdoesn’tactuallyoccuratthisstep.
3. I fthisisaninboundpacket,thepacketmustmatchapermitACLstatement appliedinboundontheincominginterface;otherwisethepacketisdropped. IfthisisanoutboundpacketandnoACLexists,trafficisallowedtogofroma highertoalowersecuritylevelbydefault;otherwise,ifanACLexistsinbound ontheinterface,thepacketmustmatchapermitACLstatementoritisdropped.
4. T heappliancethendoesaroutelookuptodeterminetheexitinterfacethe applianceshoulduse.ThisisnecessarytodeterminetheACLstoprocessand toperformaddresstranslation,ifenabled.
5. A ssumingthataddresstranslationhasbeenconfigured,thedestination addressinginformationisuntranslatedwithastaticcommandortranslated withthenatandglobalcommands.
6. IfanACLexistsoutboundontheexitinterface,thenthisisprocessed.
7. Atthispointtheconnectionisaddedtotheconntableandistracked.
The appliance might perform additional steps on the packet, but I’ll discuss these in PartIIIofthebookconcerningtheimplementationofpolicies.
CreatingandActivatingACLs The configuration ofACLs on your appliance is very similar to configuringACLs on anIOS-basedrouter.Theconfigurationprocessinvolvestwosteps:createyourfiltering ruleswiththeaccess-listcommands,andactivateyourfilteringrulesonaninterface with the access-group command. The following sections cover the configuration of standardandextendedACLs,aswellassomeACLfeaturesliketimedACLentries,loggingmatchesonACLs,andupdatingACLs.
StandardACLs LikeIOSrouters,appliancessupportstandardACLs,whichfilterpacketsbasedononly anaddressoraddresses.However,standardACLsonappliancescannotbeusedtofilter trafficenteringorleavinganinterface;instead,standardACLsareusedwithotherfeatures,likesplittunnelingwithremoteaccessVPNs,orfilteringrouteswhenperforming redistribution,andmanyothers.OnlyextendedandEtherTypeACLscanbeusedonthe appliancestofiltertrafficthroughtheapplianceinterfaces. HereisthesyntaxforcreatingastandardACL: ciscoasa(config)#access-listACL_IDstandard[lineline_#] {deny|permit}{any|hostIP_addr| IP_addrsubnet_mask}
155
156
Cisco ASA Configuration
Ontheappliance,eachACLisdifferentiatedfromotherACLsbyauniqueidentifier (ACL_ID):thiscanbeaname,number,ormixtureofcharactersandnumbers.Youmust usethe standardparameter;otherwisetheACLtypedefaultstoanextendedACL.If youdon’ttelltheappliancewhatlinenumbertouseforthestatement,thestatementis addedattheendoftheexistingACLstatements.Nextyouneedtospecifywhatshould happenwhenthereisamatchonthecondition:allow(permit)ordrop(deny)thepacket.Last,youspecifytheaddressyouwanttomatchon:
▼ any Anypacketmatches.
■ hostIP_addr OnlythatparticularIPaddressmatches.
▲ IP_addrsubnet_mask Onlythespecifiedrangeofaddressesmatches.
Rememberthatyouneedtoconfigureasubnetmask,notawildcardmask,whenmatchingonarangeofaddresses.
ExtendedACLs TheprimaryuseofextendedACLsistofiltertraffic,buttheycanbeusedforotherfeaturesontheappliances.HereisthesyntaxforconfiguringanextendedACL: ciscoasa(config)#access-listACL_ID[extended]{deny|permit} IP_protocol {src_addrsubnet_mask|hostsrc_addr|any} [protocol_info] {dst_addrsubnet_mask|hostdst_addr|any} [protocol_info] [disable|default]
The first part of the ACL syntax is similar to a standard ACL. If you omit the
extended parameter, theACL defaults to an extendedACL. Unlike with a standard
ACL,youmustspecifyeitherthenameornumberoftheTCP/IPprotocolyouwantto filter,liketcp,udp,icmp,andothers.IfCiscodoesn’thaveanameforaparticularprotocol,youcanenteranumberinstead.TomatchonanyTCP/IPpacket,useaprotocol nameof ip.ForacompletelistingofIPprotocolnumbers,visithttp://www.iana.org/ assignments/protocol-numbers. FollowingtheIPprotocoldesignation,youneedtospecifythesourceIPaddressing informationthatyouwanttomatchon.Thesyntaxforthiswasdiscussedpreviously inthe“StandardACLs”section.IfyouarefilteringonTCPorUDPtraffic,youcanalso specifythesourceportorportsyouareinterestedinmatchingon.Followingthisisthe destinationaddressand,optionally,destinationprotocolinformation. IfyouarefilteringTCPorUDPtraffic,youcanspecifyanoperatorandaportnumber ornametobespecificaboutthetrafficthatistobefiltered.Youcanspecifyanoperator andtheportnameornumber,orarangeofnumbers.Operatorsinclude eq(equalto),
Chapter 6:
Access Control
neq(notequalto),lt(lessthan),gt(greaterthan),andrange.Tospecifyarangeofport
numbersornames,enterthebeginningandendingportnumbersornames,andseparate themwithahyphenwithnospacesbetweenthehyphensandtheports.Ifyouomitthe portinformation,theapplianceassumesthatyouaretalkingaboutallportsforthespecifiedprotocolandaddress.Forinformationaboutvalidportnumbers,visithttp://www .iana.org/assignments/port-numbers.
TIP RememberthattheappliancesprocessfilterfunctionslikeACLsbeforeanyaddresstranslation isperformed,soyoushouldplacethesourceaddressintheACLthattheappliancewillseeinthe actualpacketheader.Forexample,ifaserverhasaprivateaddressof192.168.1.1,butisrepresented by a public address of 200.1.1.1, and the appliance is doing translation, then yourACL needs to permittrafficto200.1.1.1.Herewouldbethestaticconfiguration:static(inside,outside) 200.1.1.1 192.168.1.1. In this example, when traffic enters the outside interface, the applianceislookingatadestinationaddressof200.1.1.1.OncepassedtheACLcheck,theappliance willtranslateittotheserverlocaladdress,192.168.1.1. ForICMPtraffic,youcanspecifyanICMPmessagetype(eitherbynameornumber) followingthedestinationaddress.Ifyouomitthemessageinformation,theappliance assumesthatyouaretalkingaboutallICMPmessages.RememberthatforICMPtraffic,theapplianceisnotstatefulbydefault;inversion6andearlier,thePIXswerenever statefulforICMP.Therefore,ifyouwantICMPrepliestoyourusers’trafficandtests, andstatefulprocessingofICMPisdisabledorunavailable,thenyouneedtoexplicitly permitICMPtrafficwithanACLappliedontheinterfacewherethereturningrepliesare received.Typicallyyou’llwanttoallowechoreply,unreachable,timeexceeded,andTTL exceededmessages.ForinformationaboutICMPmessagetypes,visithttp://www.iana .org/assignments/icmp-parameters. The disable parameter allows you to disable the specifiedACL statement while stillkeepingitintheACL—thisishandyifyouwanttotemporarilydisableastatement to allow (or deny) certain connections, but then want to re-enable the statement once theconnection(s)complete.The defaultparametersetstheACLstatementbacktoits defaultconfiguration. YoucanconfigureotherparameterswithanextendedACLstatement,butI’llbecoveringtheseinlatersections.
ACLRemarks OnehandyfeatureofACLsisthatyoucanincluderemarkswiththiscommand: ciscoasa(config)#access-listACL_ID[lineline_#]remarktext
ThereisnoreallimittothenumberofremarksinanACL,anditisrecommended,especiallyinlargeACLs,tocopiouslyuseremarkstohelpyourselfandotheradministrators understandwhatdifferentlinesorsectionsoftheACLareaccomplishing.
157
158
Cisco ASA Configuration
ACLLogging Youcanhavetheappliancegeneratea106100logmessagewhenthereisamatchonan ACLcommandbyaddingthelogparametertoyourACLstatement: ciscoasa(config)#access-listACL_name[extended]{deny|permit} ACL_parameters[log[[disable|default]| [level]]][intervalseconds]
If you don’t configure a logging level (level parameter), it defaults to informational (level6).Theintervalparameterspecifiestheamountoftimebetween106100logmessages, preventing an overrun of log messages, which might create a denial of service (DoS)attack.Thedefaultintervalis300seconds.Theintervalfunctionworksasfollows:
▼ T hefirstmatchinthematchingflowiscached,andsubsequentmatches incrementthehitcounterontheACLstatement.(Hitcountsarediscussedlater inthe“ACLVerification”section.)
▲ New106100messagesaregeneratedattheendoftheintervalvalue.
Withtheintervalfunction,ifitisthesamesourcematchingonthestatement,thenalog messageisgeneratedonlyonceeveryxseconds,dependingontheconfiguredinterval. However,theappliancestillkeepstrackofthenumberofmatchesonthestatement(the hitcount),butdoesn’tgeneratealogmessagefortheseadditionalmatches. OtherACLLoggingIssues Oneproblemwiththeprecedingsolutionandintervallogging isthatitworksgreatwithoneattacker,butwithathousandattackers,youwouldseeone logmessagefromeachattackerforeachACLstatementtheymatchedoninthedefined interval,resultinginatleast1,000logmessageseveryxseconds.Tosolvethisproblem, Ciscoallowsyoutocontrolthemaximumnumberofconcurrentdenylogmessagesthat theappliancewillcreatewiththiscommand: ciscoasa(config)#access-listdeny-flownumber
Thedefaultis4,096uniquesourcesforACLlogging:whenthislimitisreached,amessage is generated with an ID of 106101.Any packet matches above this limit are not logged,buttheyarestilldropped,andthehitcounterisstillincremented. Bydefault,theappliancegeneratesthe106101logmessageevery300secondswhile thedenyflowlimitisexceeded,remindingyouthatsourcesarebeingdroppedbythe ACLstatement,butthatyou’renotseeingsomeoftheselogmessagesbecausethedeny flowlimitwasexceeded.Youcanchangehowoftenyouseethisremindermessagewith thiscommand: ciscoasa(config)#access-listalert-intervalseconds
ACLLogMessage Hereisthesyntaxofthe106100logmessage: %ASA-6-106100:access-listACL_ID{permitted|denied|est-allowed} protocolinterface_name/source_address(source_port)->
Chapter 6:
Access Control
interface_name/dest_address(dest_port)hit-cntnumber ({firsthit|number-secondinterval})
Here’sanexampleofalogmessageresultingfromamatchonanACLstatement: %ASA-6-106100:access-listOUTSIDEdeniedtcpoutside/192.1.1.1(51588) ->inside/200.1.1.1(23)hit-cnt1firsthit[0x22e8ca12,0x0]
TIP CiscorecommendsthatyoulogACLmatchestotheapplianceinternalbufferortoanexternal syslogserver.LoggingisdiscussedinmoredepthinChapter27.
TimedACLEntries TimedACLentriesarenewinversion7.0andareconfiguredthesameastheyareonIOS routers.TimedACLentriescanbetoggledonoroffdependingonthedateandtimeof day.Forexample,youmighthaveacontractorwhoneedsaccesstoaserverfrom8:00 inthemorningto6:00atnightfromMay23,2009,toNovember1,2009.Withatimed ACLentry,youcanhavetheACLstatementactiveduringthistime,allowingtheaccess; outsidethistime,theACLstatementwouldbeinactiveandwouldnotbeusedbythe appliance,therebydenyingthecontractor’saccesstotheserver. Creating timedACL entries is a two-step process: creating a time range, and then associatingitwithoneormoreACLstatements.Thefollowingtwosectionswilldiscuss howtocreateatimerangeandhowtoassociateitwithanACLstatementorstatements. CreatingTimeRanges Thefunctionofatimerangeontheapplianceistospecifyadate andtimerangethatyouwanttoassociatewithanACLentryorentries.Creatingatime rangeisbasicallydonethesameasitisdoneonaCiscoIOSrouter,byusingthetimerangecommand: ciscoasa(config)#time-rangerange_name ciscoasa(config-time-range)#absolute[starthh:mmdate] [endhh:mmdate] ciscoasa(config-time-range)#periodicdays_of_weekhh:mmto [days_of_week]hh:mm
Thetimerangemustbeassignedauniquename.Whenyouexecutethe time-range command,youaretakenintoasubcommandmodewhereyouenteryouractualdate andtimerange. Theabsolutecommandspecifiesanexacttimerange,likeAugust1,2008,through August31,2008.Withtheabsolutecommand,ifyoudon’tspecifyastartdateandtime, thenthecurrentdateandtimeareused.Ifyoudon’tspecifyanendingperiod,thenit defaultstoindefinite.Onlyoneabsolutecommandissupportedpertimerange. Theperiodiccommandspecifiesarecurringperiod,likeeverydayorweekdays.The days_of_week value can be monday, tuesday, wednesday, thursday, friday, saturday,sunday,daily(MondaythroughSunday),weekdays(MondaythroughFriday), andweekend(SaturdayandSunday).
159
160
Cisco ASA Configuration
If you are using both absolute and periodic commands in a time range, the periodic command qualifies the absolute time in the absolute command. You can havemultipleperiodiccommandsinatimerange. AssociatingTimeRangestoACLStatements Onceyouhavecreatedyourtimerange,you thenactivateitbyassociatingthetimerangetooneormoreACLstatementsusingthe followingsyntax: ciscoasa(config)#access-listACL_ID[extended]{deny|permit} ACL_parameters[time-rangerange_name]
ToaddatimerangetoanexistingACLcommand,reentertheACLcommandalongwith thetimerangeparameters.
ACLActivation OnceyouhavecreatedyourACL,youneedtoactivateitonaninterface.Thefollowingis thesyntaxoftheaccess-groupcommandthatyouneedtousetoactivateyourACL: ciscoasa(config)#access-groupACL_ID{in|out} interfacelogical_if_name [per-user-override|control-plane]
TheACL_IDspecifieswhichACLyouareactivating.Beforeversion7.0,youcouldonly activateanACLinboundonaninterface(inparameter).Startinginversion7.0,youcan activateanACLinbound(in—astrafficenterstheinterface)and/oroutbound(out—beforetrafficleavestheinterface).Aftertheinterfaceparameter,youneedtospecifythe logicalnameoftheinterfacewherethisACListobeactivated.ToremoveanACLapplied toaninterface,precedetheaccess-groupcommandwiththenoparameter. The per-user-override parameter is used with downloadableACLs (discussed inChapter8).Thecontrol-planeparameterisusedtorestricttraffictotheappliance itself:thelatterisnewinversion8.0.
ACLVerification TolistthestatementsinyourACL,youhavetwoviewingchoices.First,the showrun access-listandshowrunaccess-groupcommandsdisplaythoserespectivecommands in the running-config in RAM. The downside of these commands is that they don’tdisplayanyinformationabouttheoperationofyourACL(s)onyourappliance. Yoursecondoptionistheshowaccess-listcommand:
ciscoasa(config)#showaccess-list[ACL_ID]
Ifyoudon’tspecifyaspecificACL,allACLsareshownontheappliance. Here’sanexampleoftheuseofthiscommand: ciscoasa(config)#showaccess-list access-listcachedACLlogflows:total0,denied0
Chapter 6:
Access Control
(deny-flow-max4096) alert-interval300 access-listACLOUT;4elements access-listACLOUTline1extendedpermittcp 192.168.10.0255.255.255.0host192.168.11.11eqwww (hitcnt=4)0x954ebd70 access-listACLOUTline2extendedpermittcphost192.168.10.10 host192.168.11.11eqftp(hitcnt=1)0x33490ecd access-listACLOUTline3extendedpermittcpanyhost192.168.11.9 eqwww(hitcnt=8)0x83af39ba access-listACLOUTline4extendeddenyipanyany(hitcnt=4) 0x2ca31385
WhendisplayinganACL,youseethehitcountsthatshowthematchesonthestatements(the hitcntparameter).AttheendofeachACLstatement,youcanalsoseea hexadecimalnumber,whichisusedtouniquelyidentifyeachentryintheACL. TIP AttheendofeveryACLontheapplianceisanimplicitdenystatement—thisdropsalltrafficthat isnotmatchedonapreviousstatement.ThisstatementisinvisiblewhenyoulookattheACLwitha showaccess-listcommand.Therefore,Irecommendthatyouincludeadenyipanyany commandattheendofeveryextendedACLsothatyoucanseethehitcountofdroppedpackets.
ACLMaintenance The following two sections will discuss how to insert statements into existingACLs, deletestatementsfromACLs,anddeleteanentireACL.
UpdatingACLs Startinginversion6.3,theappliancessupportafeaturecalledsequencedACLs,whereyou caninsertanACLstatementintoanalreadyexistingACL.Thisisaccomplishedbyusing thelineparameterintheaccess-listcommand: ciscoasa(config)#access-listACL_ID[extended]lineline_# {deny|permit}ACL_parameters
Whenspecifyingalinenumber,usethenumberofthelinewhereyouwanttoinsertthisstatement.Forexample,ifyouwantanewstatementtobethethirdlineinan ACL,use3asthelinenumber.Ifthereisanexistingline3,itandtheentriesbelowitare pusheddownintheACLandarerenumberedstartingat4. NOTE Ifyouexecutetheshowrunning-configcommand,ACLlinenumbersarenotseen; noraretheysavedinflashwhenyouexecutethe writememorycommand.However,youcan seethelinenumberswiththeshowaccess-listcommand.
161
162
Cisco ASA Configuration
Toillustratehowtoinsertstatements,let’slookatanexampleACL: ciscoasa(config)#showaccess-list access-listaclexline1permittcpanyhost192.168.1.1 eqwww(hitcnt=0) access-listaclexline2permittcpanyhost192.168.1.3 eqwww(hitcnt=0)
Inthisexample,theACLhastwostatements. I’llnowinsertastatementbetweenthetwoACLs: ciscoasa(config)#access-listaclexline2permittcpany host192.168.1.2eqwww
Hereistheresultofthisconfigurationchange: ciscoasa(config)#showaccess-list access-listaclexline1permittcpanyhost192.168.1.1 eqwww(hitcnt=0) access-listaclexline2permittcpanyhost192.168.1.2 eqwww(hitcnt=0) access-listaclexline3permittcpanyhost192.168.1.3 eqwww(hitcnt=0)
Noticethattheaccess-listcommandinsertedanewACLentryasline2,andtheold line2becameline3. NOTE AnytimeyoumakeachangetoanACL,itdoesn’taffectexistingconnectionsintheconn table.Toensurethatalltrafficusesyourpolicychanges,clearanyrelatedtranslationsinthexlate tableandconnectionsintheconntablebyexecutingtheclearxlatecommand.Rememberto alwaysqualifythiscommandwiththeaddressesthatareaffectedbythepolicychange—notallIP addresses.TheuseofthiscommandwasdiscussedintheChapter5.
ACLRemoval TodeleteasingleACLstatement,prefacethestatementwiththenoparameter;notethat youmustincludetheentireACLcommandwhendeletingit.TodeleteanentireACLor multipleACLs,usethefollowingcommand: ciscoasa(config)#clearconfigureaccess-list[ACL_ID]
SECURITYALERT! Ifyoudon’tspecifyanACL_ID,alltheACLsonyourappliancearedeleted… withoutanywarning!It’samazingthatCiscowouldhavetheappliancedosomethingsodramaticwithout promptingyou.Sobeverycarefulwhenexecutingthiscommand.Also,whenyoudeleteanACLorACLs withtheprecedingcommand,theassociatedaccess-groupcommand(s)arealsodeleted.
Chapter 6:
Access Control
ACLConfigurationExamples TohelpillustratetheuseofACLs,let’stakealookatsomeexamples.I’llstarteasywith anexampleofanappliancethathastwointerfacesandproceedtoanexamplewithan appliancethathasthreeinterfaces.
AppliancewithTwoInterfaces:Example1 Thissimpleexampleinvolvesanappliancethathasonlytwointerfaces.Takealookat thenetworkshowninFigure6-1.Inthisexample,theinternalnetworkisusingaprivate classaddress(192.168.1.0/24)andhasbeenassignedthefollowingpublicaddressspace: 200.200.200.0/29.HerearethesecuritypoliciesthatyouneedtosetupwithACLs:
▼ Allowalloutboundtraffic(thisisthedefault).
▲ Restrictinboundtraffictoonlytheinternalservers. Listing6-1showstheaddresstranslationandACLconfigurationoftheappliance.
Listing6-1.ConfiguringACLsfortheapplianceinFigure6-1 ciscoasa(config)#global(outside)1200.200.200.1 ciscoasa(config)#nat(inside)10.0.0.00.0.0.0 ciscoasa(config)#static(inside,outside)200.200.200.2192.168.1.2 ciscoasa(config)#static(inside,outside)200.200.200.3192.168.1.3 ciscoasa(config)#static(inside,outside)200.200.200.4192.168.1.4 ciscoasa(config)# ciscoasa(config)#access-listPERMIT_INpermittcp anyhost200.200.200.2eq80 ciscoasa(config)#access-listPERMIT_INpermittcp anyhost200.200.200.3eq25 ciscoasa(config)#access-listPERMIT_INpermitudp anyhost200.200.200.4eq53 ciscoasa(config)#access-listPERMIT_INdenyipanyany ciscoasa(config)# ciscoasa(config)#access-groupPERMIT_INininterfaceoutside
Before I discuss theACL configuration in Listing 6-1, notice that the appliance is performingPAT(using200.200.200.1)whenusers’trafficheadsouttotheInternet.Also, therearethreestaticcommandstoperformtheaddresstranslationforthethreeinternalservers. LookattheACLnamed PERMIT_INinListing6-1;thefirstlineallowsTCPtraffic fromanysourceifitisheadedto200.200.200.2andonlyifthistrafficisforport80,the webserverprocessrunningonthewebserver.NoticethatIusedthepublicaddressas thedestinationaddress.RememberthatACLsareprocessedbeforeaddresstranslation isperformed(the staticand nat/globalcommands).Oneotherthingtopointout abouttheACListhatIhaveaddeda deny ip any anystatementattheendofthe
163
164
Cisco ASA Configuration
Internet
outside E0/0 199.199.199.2/30 Appliance GroupB GroupA 192.168.1.128– 192.168.1.192– 192.168.1.191 192.168.1.254
inside E0/1
192.168.1.1
Web Server E-mail Server DNS Server 192.168.1.2 192.168.1.3 192.168.1.4
192.168.1.0/24
Figure6-1. ACLexamplefeaturinganappliancewithtwointerfaces
ACL—this is unnecessary because there is an implicit deny at the end of everyACL; however,Iwanttoseethehitcountsforeachdroppedpacket,whichthisstatementaccomplishes.Thelastthingthatwasconfiguredinthisconfigurationistheactivationof the PERMIT_INACLontheoutsideinterface,whichfilterstrafficasitcomesinbound fromtheInternet.
AppliancewithTwoInterfaces:Example2 In this example, I want to expand on the example in Figure 6-1 and Listing 6-1. Assumethatyouhavetwogroupsofinternaldevices,asisdepictedinFigure6-1:GroupA (192.168.1.128–192.168.1.191)andGroupB(192.168.1.192–192.168.1.254).HerearethefilteringrulesthatwillbesetupforGroupA:
▼ Denyaccesstoalldevicesonnetwork131.108.0.0/16.
■ Denyaccesstothefollowingwebservers:210.210.210.0/24.
▲ AllowaccesstoallotherInternetsites.
HerearethefilteringrulestosetupforGroupB:
▼ Allowaccesstoalldevicesinnetwork140.140.0.0/16.
■ A llowaccesstothefollowingwebservers:210.210.210.5/32and 211.211.211.3/32.
▲ DenyaccesstoallotherInternetnetworks.
Chapter 6:
Access Control
I’llassumethattheinboundpoliciesremainthesame;thereforeIcanbuilduponthe exampleinListing6-1.Listing6-2showsthecommandstoaccomplishtheadditional policyrestrictions. Listing6-2.Thisexamplefiltersoutboundtraffic. ciscoasa(config)#access-listPERMIT_OUTdenyip 192.168.1.128255.255.255.192 131.108.0.0255.255.0.0 ciscoasa(config)#access-listPERMIT_OUTdenytcp 192.168.1.128255.255.255.192 210.210.210.0255.255.255.0eq80 ciscoasa(config)#access-listPERMIT_OUTpermitip 192.168.1.128255.255.255.192any ciscoasa(config)# ciscoasa(config)#access-listPERMIT_OUTpermitip 192.168.1.192255.255.255.192 140.140.0.0255.255.0.0 ciscoasa(config)#access-listPERMIT_OUTpermittcp 192.168.1.192255.255.255.192 host210.210.210.5eq80 ciscoasa(config)#access-listPERMIT_OUTpermittcp 192.168.1.192255.255.255.192 host211.211.211.3eq80 ciscoasa(config)#access-listPERMIT_OUTdenyip 192.168.1.192255.255.255.192any ciscoasa(config)# ciscoasa(config)#access-groupPERMIT_OUTininterfaceinside
InListing6-2,I’vebrokentheACLcalledPERMIT_OUTintotwosections—oneforGroupA and one for GroupB. Remember thatACLs are processed top-down, and the order of yourstatementsdoesmatter.OneotheritemtopointoutisthatthesourceIPaddresses listedintheACLstatementsaretheaddressesbeforetranslation,becausetheappliance processesACLsbeforeanyaddresstranslationpolicies. TakealookattheGroupAstatementsfirst.TheveryfirstentryintheACLdenies allIPtrafficfrom192.168.1.128/26ifitisdestinedfor131.108.0.0/16.Thesecondstatementdeniesalltrafficfrom192.168.1.128/26ifitisdestinedforTCPport80onanyweb serverinnetwork210.210.210.0/24.ThethirdstatementallowsanyotherIPtrafficfrom 192.168.1.128/26togoanywhereelseontheInternet. In the GroupB configuration (the second half of theACL), the first permit statement (after the GroupA statements) allows any IP traffic from 192.168.1.192/26 to 140.140.0.0/16.Thesecondandthirdstatementsallowalltrafficfrom192.168.1.192/26 toreachthetwowebservers:210.210.210.5and211.211.211.3.Thelaststatementinthe ACLdeniesanyothertrafficfrom192.168.1.192/26.Thelastpartoftheconfiguration inListing6-2showstheapplicationoftheACL(PERMIT_OUT)totheinsideinterfaceas trafficcomesintothisinterface.
165
166
Cisco ASA Configuration
AppliancewithThreeInterfaces TohelpyouunderstandhowflexibleACLsare,I’llshowamorecomplicatedexample: youhaveanappliancethathasthreeinterfaces,andyouwanttocontroltrafficbetween theseinterfaces,asshowninFigure6-2. Listing6-3showsjusttheaddresstranslationconfigurationonthisappliance. Listing6-3.ThebasicconfigurationofthePIXwiththreeinterfaces ciscoasa(config)#access-listNONATdenyip192.168.1.00.0.0.255 192.168.5.00.0.0.255 ciscoasa(config)#access-listNONATpermitip192.168.0.00.0.255.255 192.168.5.00.0.0.255 ciscoasa(config)#nat(inside)0access-listNONAT ciscoasa(config)#nat(inside)10.0.0.00.0.0.0 ciscoasa(config)#nat(dmz)10.0.0.00.0.0.0 ciscoasa(config)#global(outside)1200.200.200.10-200.200.200.253 netmask255.255.255.0 ciscoasa(config)#static(dmz,outside)200.200.200.1192.168.5.5 ciscoasa(config)#static(dmz,outside)200.200.200.2192.168.5.6 ciscoasa(config)#static(inside,dmz)192.168.5.0192.168.5.0 netmask255.255.255.0
Perimeter Router Internet 192.168.1.2/24 E-mail Server Web Server 192.168.5.5 192.168.5.6
ASA Configuration E0/0 outside 0 E0/1 inside 100 E0/2 dmz 50
192.168.1.0/24 E0/0 192.168.1.1/24 E0/2
192.168.5.0/24
Appliance 192.168.5.1/24 E0/1 192.168.2.1/24 192.168.2.2/24
192.168.3.0/24
192.168.2.0/24
Inside Router
192.168.4.0/24
Figure6-2. ConfiguringACLsonanappliancewiththreeinterfaces
Chapter 6:
Access Control
ExplanationoftheBasicConfiguration BeforeIgointotheconfigurationoftheACLs,Iwill firstdiscusswhatthenetworkinFigure6-2andtheconfigurationshowninListing6-3are doing.Asyoucanseefromthisexample,youaredealingwithanappliancethathasthree interfaces—outside, dmz, and inside. The outside interface is connected to the perimeter router,which,inturn,isconnectedtotheISP.Adefaultroutepointstotherouter’sinside interface.Thedmzinterfacehassomeuserdevices,aswellastwoservers:ane-mailserver andawebserver.Theinsideinterfaceisconnectedtoaninsiderouter,which,inturn,is connectedtotwosubnets:192.168.3.0/24and192.168.4.0/24.I’llassumethattwostatic routesarealreadyconfiguredforthesetwosubnets. Listing 6-3 has one global command and three nat commands. I’ll look at these fromtheperspectivesofboththeinsideinterfaceandthedmzinterface.Ifadevicefrom theinsideinterfacetriestoaccessadeviceonthedmzinterface,itwillnothaveitsaddress translated—this is based on the static and access-list NONAT commands in the configuration.Withtheexceptionofthe192.168.1.0/24subnet,anyother192.168.0.0/16 subnetthatsendstrafficto192.168.5.0/24isexemptedfromtranslation.Ifadeviceonthe insideinterfacetriestoaccesstheInternet,itsaddressistranslatedtoapublicaddress: 200.200.200.10through200.200.200.253. Ifadeviceonthedmzinterfacetriestoaccessadeviceontheoutsideinterface,itsaddresseswillbetranslatedtothesamepublicaddressspaceasthedevicesontheinside interface. The exceptions to this translation are the two Internet servers. Two static commandsperformtheaddresstranslationstatically.These staticcommandschange thee-mailserversourceaddressfrom192.168.5.5to200.200.200.1,andthewebserver address from 192.168.5.6 to 200.200.200.2. The reverse process takes place when Internetuserssendtraffictotheservers:theyusedestinationaddressesof200.200.200.1and 200.200.200.2,whicharetranslatedto192.168.5.5and192.168.5.6respectively. Configuring Filtering Policies Now that I have discussed the basic configuration of the applianceshowninListing6-3,I’lltalkaboutconfiguringsomefilteringpoliciesforthis appliance.AsImentionedintheprevioussection,thetwoserverslocatedonthedmz interfaceneedtoaccesstheinternalnetwork.Here’salistofallthepoliciesthatneedto beimplementedforusers/serversontheDMZsegment:
▼ Usersshouldnotbeallowedtoaccessanythingon192.168.1.0/24.
■ Device192.168.5.5and192.168.5.6shouldbeallowedaccessto192.168.2.0/24.
▲ D evicesontheDMZsegmentshouldbeallowedtoaccessanydestinationon theInternet. Here’salistofthepoliciesthatneedtobeimplementedforinternalusers:
▼ U sersshouldbeallowedaccesstothee-mailandwebserveron192.168.5.0/24, butnottootherdevicesonthissegment.
■ Usersshouldnotbeallowedaccessto192.168.1.0/24.
■ D eviceson192.168.2.0/24and192.168.3.0/24shouldbeallowedaccesstoany destinationontheInternet.
167
168
Cisco ASA Configuration
▲ Deviceson192.168.4.0/24shouldonlybeallowedaccessto131.108.0.0/16, 140.140.0.0.16,and210.210.210.0/24outontheInternet.
Here’salistofallofthepoliciesthatneedtobeimplementedforexternaluserstrying toaccessresourcesinyournetwork:
▼ Usersshouldbeallowedaccessspecificallytothee-mailserver.
■ Usersshouldbeallowedaccessspecificallytothewebserver.
▲ Allothertypesofaccessshouldbedenied.
Toenforcethesepolicies,youneedtocreatethreeACLsandtoapplythemtothe threerespectiveinterfacesoftheappliances.Listing6-4showstheconfigurationofthe policiesfortheDMZ. Listing6-4.TheconfigurationforsecuritypoliciesfortheDMZsegment ciscoasa(config)#access-listDMZdenyipany 192.168.1.0255.255.255.0 ciscoasa(config)#access-listDMZpermitiphost192.168.5.5 192.168.2.0255.255.255.0 ciscoasa(config)#access-listDMZpermitiphost192.168.5.6 192.168.2.0255.255.255.0 ciscoasa(config)#access-listDMZdenyipany 192.168.2.0255.255.255.0 ciscoasa(config)#access-listDMZdenyipany 192.168.3.0255.255.255.0 ciscoasa(config)#access-listDMZdenyipany 192.168.4.0255.255.255.0 ciscoasa(config)#access-listDMZpermitip 192.168.5.0255.255.255.0any ciscoasa(config)#access-listDMZdenyipanyany ciscoasa(config)# ciscoasa(config)#access-groupDMZininterfacedmz
Listing 6-4 is fairly straightforward. The first ACL statement denies access to the 192.168.1.0/24segment.ThesecondandthirdACLstatementsallowallIPtrafficfrom 192.168.5.5 and 192.168.5.6 to travel to 192.168.2.0/24—this is denied by default becauseofthesecuritylevelsofthetwointerfacesinvolved.Thefourth,fifth,andsixth ACLsdenyanytrafficfromtheDMZheadedtothethreeinternalsubnets.Thisprevents otherdevicesonthedmzinterfacefromaccessingresourceson192.168.2.0/24andalso preventsanydeviceonthissegmentfromaccessingthetwonetworksontheinternal router:192.168.3.0/24and192.168.4.0/24.Thesestatementsareneededbecauseofthe statementthatfollowsthis(theseventhstatement),whichallowstrafficfromanydevice on 192.168.5.0/24 to go anywhere—you need to deny the specifics before you permit everything.Thesecondtothelaststatementintheconfigurationdropsallpackets.I’ve
Chapter 6:
Access Control
addedthissothatIcanseeahitcountofalldroppedpackets—thisgreatlyfacilitatesthe troubleshootingofconnectivityproblemswhentheapplianceisdroppingpacketsbased onitsfilter(s).ThelastcommandinthisconfigurationisactivationoftheACLonthe dmzinterface. TIP Rememberthatyoucanusesubnetmaskstomatchonanyrangeofaddresses.Forexample, insteadofhavinganindividualACLstatementfordenyingaccesstoeachCclassnetwork,youcan haveonestatementandtheappropriatesubnetmaskvalue:access-listDMZdenyipany 192.168.2.0255.255.254.0.Thisstatementwoulddenyaccesstothe192.168.2.0/24and 192.168.3.0/24subnets. Here is an interesting question: based on theACL in Listing 6-4, if a device from 192.168.3.0/24accessesthewebserverandthewebserverresponds,isthereturnpermittedthroughthefirewall?Oneimportantpointaboutthesefilteringpoliciesisthatthe appliancewillbeperformingtwotaskstodetermineifthetrafficisallowedordropped. Theappliancefirstlooksintoitsconntabletoseeifthereisaconnectionalreadythere. In this situation, the device from 192.168.3.0/24 initiated the connection, and because theDMZisalower-security-levelinterface,andnoACLisconfiguredontheinsideinterface,theappliancepermitstheconnectionandaddsthetemporaryconnectiontoits conntable.Thus,whenthereturncomesbackthroughtheappliance,theapplianceexaminesitsconntable,seestheentrythatwasjustcreated,andallowstheresponseback tothe192.168.3.0/24network.TheonlytimetheACLisusediswhenthereisnoentry intheconntable—thentheapplianceexaminestheACLtodeterminewhetheraholein thefirewallshouldbeopenedtoallowthetraffic.Ifyouwantedtodenythistraffic,you wouldneedtocreateanACLandapplyittotheinsideinterface. Look at the configuration for the filtering policies for the internal users, shown in Listing6-5. Listing6-5.Theconfigurationofsecuritypoliciesfortheinternalsegments ciscoasa(config)#access-listINTERNALpermittcpany host192.168.5.5eq25 ciscoasa(config)#access-listINTERNALpermittcpany host192.168.5.6eq80 ciscoasa(config)#access-listINTERNALdenyipany 192.168.5.0255.255.255.0 ciscoasa(config)#access-listINTERNALdenyipany 192.168.1.0255.255.255.0 ciscoasa(config)#access-listINTERNALpermitip 192.168.2.0255.255.255.0any ciscoasa(config)#access-listINTERNALpermitip 192.168.3.0255.255.255.0any
169
170
Cisco ASA Configuration ciscoasa(config)#access-listINTERNALpermitip 192.168.4.0255.255.255.0 131.108.0.0255.255.0.0 ciscoasa(config)#access-listINTERNALpermitip 192.168.4.0255.255.255.0 210.210.210.0255.255.255.0 ciscoasa(config)#access-listINTERNALdenyipanyany ciscoasa(config)# ciscoasa(config)#access-groupINTERNALininterfaceinside
Thefirstandsecondcommandsallowallusersontheinsideinterfacetoaccesstheweband e-mailserveron192.168.5.0/24,andthethirdstatementdeniesallotherinternaltrafficto thisnetwork.Thefourthstatementdeniesallinternaltrafficdestinedto192.168.1.0/24. The fifth and sixth statements allow 192.168.2.0/24 and 192.168.3.0/24 to access any othernetwork.Theseventhandeighthstatementsallowdevicesfrom192.168.4.0/24to 131.108.0.0/16and210.210.210.0/24.Anyothertrafficnotmatchinganyofthe permit statementsinthislistwillbedropped(includingaccessto192.168.1.0/24).ThelaststatementintheconfigurationactivatestheACLontheinsideinterface. Listing6-6showstheconfigurationforthefilteringpoliciesthataffecttheexternal users(theonesontheInternet,orlocatedon192.168.1.0/24). Listing6-6.Theconfigurationofsecuritypoliciesforexternalusers ciscoasa(config)#access-listEXTERNALpermittcpany 200.200.200.1eq25 ciscoasa(config)#access-listEXTERNALpermittcpany 200.200.200.2eq80 ciscoasa(config)#access-listEXTERNALdenyipanyany ciscoasa(config)#access-groupEXTERNALininterfaceoutside
OfthethreeACLs,theonefortheexternalusersisthesimplest.Thefirstandsecond statementsallowinternalusersaccesstothee-mailandwebserverson192.168.5.0/24— noticethatthedestinationaddressesarethepublicaddresses,becausethisiswhatthe appliancesees.Thethirdstatementdropsalltraffic,andthelaststatementactivatesthe ACLontheoutsideinterface. Asyoucanseefromthisexample,theconfigurationofACLscanbeaverycomplex process.YoushouldalwaystestanychangesyoumaketoyourACLstoensurethatyou arenotinadvertentlyopeninganyunnecessaryholesinyourappliance. TIP IhighlyrecommendyoureadachapterinmyCiscoPressbook,CiscoRouterFirewallSecurity (CiscoPress,2004),onbasicACLs—youshouldbefilteringmany,manyaddresses,connections, applications,andprotocolsfromuntrustedsources.Forexample,theACLinListing6-6willhave dozens or hundreds of statements before the specific permit statements for the DMZ servers, droppingallkindsofundesirabletrafficthatyoudon’twantyourserverstosee.
Chapter 6:
Access Control
OBJECTGROUPS Inversion6.2,CiscointroducedafeaturethatsimplifiesthemanagementofACLs,called objectgroups.Objectgroupsallowyoutocreategroupsofrelatedinformationthatyou applytoyourfilteringpolicies,therebyreducingthenumberoffilteringcommandsthat youhavetoenter.ThiseasesyourACLimplementationandmaintenance,andalsoensuresthatyouapplythesamepolicytoeverydevicewhenapolicyneedstobeapplied acrossagroupofdevices. Objectgroupsallowyoutocreatethefollowingobjecttypes:
▼ Protocols TCP/IPprotocols,likeTCP,UDP,GRE,andothers
■ Services TypesofTCPandUDPservices(portnamesand/ornumbers)
■ ICMP TypesofICMPmessages
▲ Networks Networknumbersandhostaddresses
Once you have created your various groups of objects, you can include them in your ACLcommandstopermitordenypacketsbasedonmatchesintheobjectgroups.
AdvantagesofObjectGroups I’lloutlinesomesituationswhereobjectgroupsdoanddonotmakesense.Forexample,ifyouneedtodefineafilteringpolicythatdeniestelnettrafficfrom192.168.1.1to 192.168.2.2, you could easily accomplish this with a singleACL command. However, ifyouhavealistoftenclientstryingtoaccessthreeserversforbothtelnetande-mail, thefilteringconfigurationbecomesverycomplexwhenusingACLsalone.Alternatively, you could use object groups to create a network group for the ten clients, a network groupforthethreeservers,andaservicegroupfortelnetande-mail,andthenusethese groupingsinasingleACLcommand. Anothernicefeatureofobjectgroupsisthatyoucanembedanobjectgroupwithin another object group; this is called nesting.As an example, you might have two networkobjectgroups,andwanttocreateafilterthatincludesbothgroups.Originally,this wouldrequiretwoACLstatements.Tosolvethisproblem,youcancreateathirdobject groupandcanincludethefirsttwonetworkobjectgroupswithinthisnewgroup.Then createasingleACLstatementthatreferencestheobjectgroupthatincludesthenesting ofthetwospecificobjectgroups.
CreatingObjectGroups Thegeneralsyntaxforcreatinganobjectgroupisverysimple,asshownhere: ciscoasa(config)#object-grouptype_of_objectgroup_ID[protocol_name]
Youcanspecifyfourdifferentobjecttypesforthetype_of_objectparameter.Table6-2 liststhevalidobjecttypes.
171
172
Cisco ASA Configuration
ObjectType
Explanation
icmp-type
SpecifiesagroupingofICMPmessages
network
Specifiesagroupingofhostsand/orsubnets/networks
protocol
SpecifiesagroupofIPprotocols,likeIP,ICMP,TCP,UDP, orotherIPprotocols
service
SpecifiesagroupofTCPorUDPapplications,orboth
Table6-2. AvailableObjectTypesforObjectGroups
Onceyouhavespecifiedanobjecttype,youneedtofollowitwithanIDforthegroup— thisisanamethatgroupstogetherthevariousobjecttypesthatyouwillcreate.Ifyouspecifiedserviceasthetypeofobject,youneedtotelltheappliancewhichprotocolstoinclude inthelistofapplications,whereyouroptionsaretcp,udp,ortcp-udp(forboth).
Descriptions Whenyouexecutetheobject-groupcommand,youaretakenintoaSubconfiguration mode(commonlycalledasubcommandmode),wheretheappliancepromptchangesto reflectthetypeofobjectgroupyouareconfiguring.Somecommandsarespecifictoone typeofobjectgroup,andotherscanbeusedinanytypeofobjectgroup.Forexample,the descriptioncommandcanbeusedinanyobjectgroup.Thedescriptioncommand allowsyoutoenterupto200charactersasadescriptionforanobjectgroup.Thesyntax ofthedescriptioncommandis ciscoasa(config-protocol)#descriptiondescriptive_text
Inthisexample,I’minProtocolSubconfigurationmode;however,thiscommandworks inallSubconfigurationmodesforobjectgroups.
NestingObjectGroups Anothercommandcommontoallobjectgroupsisthe group-objectcommand.The group-objectcommandallowsyoutoaddapreviouslycreatedgrouptoagroupofthe
sametype.Thisprocessisreferredtoasnesting.Thesyntaxofthiscommandis ciscoasa(config-protocol)#group-objectgroup_ID
Tousethe group-objectcommand,youneedtocreateanobjectgroupwithyour includedservices,protocols,networks,orICMPmessagetypes.Youcanthencreatea newobjectgroupofthesametype,andusethe group-objectcommandtoreference youralreadycreatedobjectgroup.Youneedtousethe group_IDnumberofthepreviousgroupwhenusingthegroup-objectcommand.
Chapter 6:
Access Control
NOTE Nestingisrestrictedtoincludingobjectsofthesametype.Forexample,youcouldnotinclude anetworkobjectgroupinaserviceobjectgroup,sincethetypesaredifferent.
NetworkObjectGroups Youcancreateanobjectgrouptospecifyhostaddressesand/ornetworknumbersthat youuseinyourACLcommands.Tocreateanetworkobjectgroup,usethecommands shownhere: ciscoasa(config)#object-groupnetworkgroup_ID ciscoasa(config-network)#network-objecthosthost_address ciscoasa(config-network)#network-objectnetwork_addresssubnet_mask
Thefirstcommand,object-groupnetwork,createsanetworkobjectgroupandtakes youintotheNetworkSubconfigurationmode.Thesecondandthirdcommandsallow you to specify the devices in the object group—the first is for a specific host, and the secondisforanetworkorsubnetnumber.Youcanuseacombinationofnetworksand hostsinanobjectgroup.
ProtocolObjectGroups YoucancreateanobjectgroupforIPprotocolsthatyouuseinyourACLcommands. Tocreateaprotocolobjectgroup,usethesecommands: ciscoasa(config)#object-groupprotocolgroup_ID ciscoasa(config-protocol)#protocol-objectprotocol_name_or_number
Thefirstcommand,object-groupprotocol,createsaprotocolobjectgroupandtakes youintotheProtocolSubconfigurationmode.ThesecondcommandallowsyoutospecifytheTCP/IPprotocolnameornumberintheobjectgroup.Youcanspecifyaprotocol name,liketcp,udp,oricmp,oryoucangivetheIPprotocolnumberinstead,like6for TCPor17forUDP.
ServiceObjectGroups YoucancreateanobjectgroupforTCPandUDPapplicationsthatyouuseinyourACL commands.Tocreateaserviceobjectgroup,usethesecommands: ciscoasa(config)#object-groupservicegroup_ID{tcp|udp|tcp-udp} ciscoasa(config-service)#port-objecteqport_name_or_number ciscoasa(config-service)#port-objectrangefirst_portlast_port
Thefirstcommand,object-groupservice,createsaservicesobjectgroupandtakes you into the Service Subconfiguration mode.You need to specify either TCP, UDP, or both protocols—this refers to the types of ports within this object group. The second command,theonewiththeeqparameter,specifiesaspecificportnumber(orname)in theobjectgroup.Youcanalsospecifyarangeofportnamesand/ornumbers—youneed tousethekeywordrangefollowedbythefirstnumberinthelistandthelastnumber.
173
174
Cisco ASA Configuration
ICMPObjectGroups YoucancreateanobjectgroupforICMPmessagesthatyouuseinyourACLcommands. TocreateanICMPobjectgroup,usethesecommands: ciscoasa(config)#object-groupicmp-typegroup_ID ciscoasa(config-icmp-type)#icmp-objectICMP_message
Thefirstcommand, object-group icmp-type,createsanICMPmessagetypeobject groupandtakesyouintotheICMPSubconfigurationmode.ThesecondcommandspecifiestheICMPmessagetype(liketheICMPnameornumber)intheobjectgroup.
ExaminingYourObjectGroups Once you have configured your object groups, you can display them with the show
object-groupcommand.Thefollowingisthesyntaxofthiscommand:
ciscoasa#showrunobject-group{[protocol|network|service| icmp-type]|[group_ID]}
Ifyouonlytypeintheshowrunobject-groupcommandanddonotspecifyany parameters,theappliancewilldisplayallofyourobjectgroups.Youcanlimitthisby specifyingaspecifictypeofobjectgroup,oraspecificobjectgroup.Here’sanexample ofthiscommand: ciscoasa#showrunobject-group object-groupnetworkweb_servers description:ThisisalistofWebservers network-objecthost200.200.200.2 network-objecthost200.200.200.9 object-groupnetworktrusted_web_servers network-objecthost192.199.1.7 network-object201.201.201.0255.255.255.0 group-objectweb_servers
Thisexamplehastwoobjectgroups.Thefirstoneiscalled web_serversandcontains twohosts:200.200.200.2and200.200.200.9.Thesecondobjectgroupiscalled trusted_ web_serversandcontainsonehost(192.199.1.7),onenetwork(201.201.201.0/24),and oneembedded,ornested,objectgroupcalledweb_servers.
DeletingObjectGroups Toremoveallobjectgroupsonyourappliance,usethe clear configure objectgroupcommand.Optionally,youcanremovealloftheobjectgroupsofaspecifictype byaddingthetypetotheendoftheclearconfigureobject-groupcommand.The followingisthesyntaxofthiscommand: ciscoasa(config)#clearconfigureobject-group[protocol|network| services|icmp-type]
Chapter 6:
Access Control
Ifyouonlywanttoremoveaspecificobjectgroup,usethissyntax: ciscoasa(config)#noobject-groupgroup_ID
NOTE Youcannotdeleteanobjectgroupthatiscurrentlybeingreferencedbyanotherappliance command,suchasanestedreferenceortheaccess-listcommand.
UsingObjectGroups TohelpyouunderstandhowobjectgroupsareusedbyACLcommands,I’llnowexaminehowtheyareusedinthe access-listcommand.Thefollowingisthesyntaxfor thetwovariationsofusingobjectgroups,wherethefirstisforICMPandthesecondfor anythingelse: ciscoasa(config)#access-listACL_ID{deny|permit}icmp {source_address_and_mask| object-groupnetwork_object_group_ID} {destination_address_and_mask| object-groupnetwork_object_group_ID} [{icmp_type| object-groupicmp_type_object_group_ID}] ciscoasa(config)#access-listACL_ID{deny|permit} {IP_protocol| object-groupprotocol_object_group_ID} {source_address_and_mask| object-groupnetwork_object_group_ID} [{operatorsource_port| object-groupservice_object_group_ID}] {destination_address_and_mask| object-groupnetwork_object_group_ID} [{operatordestination_port| object-groupservice_object_group_ID}]
Asyoucansee,youcanuseobjectgroupswheretheysuityou.Forexample,youcould list a network object group for the source address information, but list a specific host address for the destination—you can mix and match object groups and specificACL protocolinformationbasedonyourconfigurationneeds. OnceyouhavereferencedyourobjectgroupsinACLcommands,youcanseethe commandsyouenteredandtheexpansionoftheobjectgroupreferences: ciscoasa(config)#showaccess-list access-listACLOUT;9elements access-listACLOUTline1extendedpermittcpany object-groupDMZ_HOSTSobject-groupDMZ_PORTS0x959c5b39
175
176
Cisco ASA Configuration access-listACLOUTline1permittcpanyhost192.168.1.1 eq80(hitcnt=0) access-listACLOUTline1permittcpanyhost192.168.1.1 eq443(hitcnt=0) access-listACLOUTline1permittcpanyhost192.168.1.1 eq21(hitcnt=0)
Noticethatintheprecedingexample,thefirstlistingofline1isthecommandItypedin. Thesecond,third,andfourthappearanceofline1istheexpansionoftheobjectgroup referencesthat theappliancecreated.Notethatwhenyouexecutethe write memory command, the expanded statements are not saved to flash: only the commands you physicallyenteredaresavedtoflash. NOTE Ifyouusethe show access-listcommandtodisplayyourACLconfiguration,the appliancewilldisplaytheobjectgroupconfigurationandtheACLsthatarecreatedtoenforcethese policies.The appliance will replace the object references with the actual IP protocols, addresses/ networknumbers,andservicesinrealACLcommands.
ObjectGroupConfigurationExample To help illustrate the use of object groups with ACLs, I’ll use the network shown in Figure6-3.Inthisexample,Iwillallowoutsideaccesstotheinternalservers,butonlyfor webandFTPaccesstothespecificservers.
Internet
outside E0/0 199.199.199.2/30 Web Server 192.168.1.2
Web Server 192.168.1.3
Appliance inside E0/1
Web/FTP Server 192.168.1.4 192.168.1.1
192.168.1.0/24
Figure6-3. Asimplenetworkthatneedsfiltering
FTP Server 192.168.1.5
FTP Server 192.168.1.6
Chapter 6:
Access Control
Listing6-7hastheconfiguration,includingaddresstranslation,fortheappliance. Listing6-7.TheconfigurationobjectgroupswithACLs ciscoasa(config)#global(outside)1200.200.200.1 netmask255.255.255.0 ciscoasa(config)#nat(inside)10.0.0.00.0.0.0 ciscoasa(config)#static(inside,outside)200.200.200.2192.168.1.2 ciscoasa(config)#static(inside,outside)200.200.200.3192.168.1.3 ciscoasa(config)#static(inside,outside)200.200.200.4192.168.1.4 ciscoasa(config)#static(inside,outside)200.200.200.5192.168.1.5 ciscoasa(config)#static(inside,outside)200.200.200.6192.168.1.6 ciscoasa(config)# ciscoasa(config)#object-groupnetworkweb_servers ciscoasa(config-network)#network-objecthost200.200.200.2 ciscoasa(config-network)#network-objecthost200.200.200.3 ciscoasa(config-network)#network-objecthost200.200.200.4 ciscoasa(config-network)#exit ciscoasa(config)#object-groupnetworkftp_servers ciscoasa(config-network)#network-objecthost200.200.200.4 ciscoasa(config-network)#network-objecthost200.200.200.5 ciscoasa(config-network)#network-objecthost200.200.200.6 ciscoasa(config-network)#exit ciscoasa(config)#access-listPERMIT_INpermittcp anyobject-groupweb_serverseq80 ciscoasa(config)#access-listPERMIT_INpermittcp anyobject-groupftp_serverseq21 ciscoasa(config)#access-listPERMIT_INdenyipanyany ciscoasa(config)#access-groupPERMIT_INininterfaceoutside
Twonetworkobjectgroupsarehere,oneforwebserversandoneforFTPservers.TwoACL statementsallowaccesstothesewebserversandFTPservers,butdenyeverythingelse.If youdidn’tuseobjectgroups,youwouldneedsixstatementsfortheserversandthenthe denyipanyanyifyouwantedtoviewthehitcountsofalldroppedpackets.
ICMPFILTERING ManypeopleunderstandhowIOSroutersdealwithACLsandapplythisknowledgeto theappliances,expectingthemtobehavethesamewayastherouters;however,thisis notcorrect.I’lldealwithtwoissuesconcerningICMPinthischapter:ICMPtrafficpassingthroughtheapplianceandICMPtrafficdirectedattheappliance.
177
178
Cisco ASA Configuration
ICMPTrafficThroughtheAppliances AsImentionedinChapter5,ICMPtrafficisnotstatefulbydefaultontheappliances. ICMP messages by default are permitted when traveling from a higher-security-level interfacetoalower-levelone.However,ICMPtrafficisdeniedbydefaultfromalowersecurity-levelinterfacetoahigher-levelone,evenifitisanICMPmessageresponsetoa user’sICMPquery. Typically you should allow the following ICMP message types into your network tohelpprovidesomebasicmanagementandtroubleshootingabilitiesforyourinternal devices:echoreply,sourcequench,unreachable,andtimeexceeded.Forexternaldevices totestconnectivitytoyournetwork,youmightalsowanttopermittheICMPechomessage,butIwoulddefinitelyrestrictwhatICMPmessagesInternetuserscangenerateand whatdestinationsinyournetworkcanreceivethesemessages. To allow ICMP traffic to travel from a lower-level to a higher-level interface, you needtoenableoneoftwothings:
▼ StatefulprocessingofICMP
▲ AnACLentryorentriesfortheICMPmessages NOTE Ifaddresstranslationisrequired,youalsoneedamatchingtranslationpolicyfortheICMP traffic.
Startinginversion7.0oftheOS,youcanenablestatefulprocessingofICMPtraffic using the Cisco Modular Policy Framework (MPF), discussed in Chapters 10 and 11. However,asyouwillseeinthesechapters,enablingstatefulprocessingofICMPtraffic hasitsownsetofproblems.AndstatefulprocessingofICMPisonlynewasofversion 7.0oftheappliances;inpriorversions,youhadtousethesecondoption:ACLs. I’llusethenetworkshownpreviouslyinFigure6-3toillustratewhatanACLtoallowreturningICMPtraffictoyouruserswouldlooklike.I’llbuildupontheListing6-7 examplethatIcoveredintheprevioussection.Here’sanexampleoftheconfigurationto allowreturningICMPtraffic: ciscoasa(config)#object-groupicmp-typeicmp_traffic ciscoasa(config-icmp-type)#icmp-objectecho-reply ciscoasa(config-icmp-type)#icmp-objectsource-quench ciscoasa(config-icmp-type)#icmp-objectunreachable ciscoasa(config-icmp-type)#icmp-objecttime-exceeded ciscoasa(config-icmp-type)#exit ciscoasa(config)#object-groupnetworkALL_servers ciscoasa(config-network)#group-objectweb_servers ciscoasa(config-network)#group-objectftp_servers ciscoasa(config-network)#exit ciscoasa(config)#access-listPERMIT_INpermittcp anyobject-groupweb_serverseq80
Chapter 6:
Access Control
ciscoasa(config)#access-listPERMIT_INpermittcp anyobject-groupftp_serverseq21 ciscoasa(config)#access-listPERMIT_INpermiticmp anyanyobject-groupicmp_traffic ciscoasa(config)#access-listPERMIT_INpermiticmp anyobject-groupALL_serversecho ciscoasa(config)#access-listPERMIT_INdenyipanyany ciscoasa(config)#access-groupPERMIT_INininterfaceoutside
I’vecreatedtwoadditionalobjectgroups:oneforallowingICMPreturningtraffic,and onethatputsthewebandFTPserversintoanetworkgroupsothatyoucanspecifically allow ICMP echo messages to them. The first two entries in theACL are the same as intheprevioussection.ThetwoACLentriesafterthosearenew.Thefirstoneallows ICMPtrafficfromanywhereandtoanywhereifitmatchestheICMPmessagetypesin theICMPicmp_trafficobjectgroup.TheentryafterthisallowsanyechoesfromanywhereiftheyaredestinedtothedevicesspecifiedintheALL_serversobjectgroup.
ICMPTrafficDirectedattheAppliances Untilversion5.2.1oftheOS,anyICMPtrafficdestinedforanyoftheinterfacesofthe appliances would be allowed, and the appliances would automatically respond. One unfortunatedrawbackofthisprocessisthatanattackercoulduseICMPtolearnthata securityapplianceexisted,andpossiblylearnsomebasicinformationaboutit.Upuntil version 5.2.1, you could not disable this function and make the appliance invisible to otherdevices.Startingwithversion5.2.1,younowhavetheoptionofmakingtheappliancestealthy—youcancontrolhowtheapplianceitselfwillrespondtoICMPmessages, orpreventthemaltogether. Untilversion8.0,youonlyhadoneoptionforcontrollingthis,ICMPfiltering.Startinginversion8.0,youhaveasecondoptionwiththeuseofanACLappliedtotheapplianceitself(notaninterface),referredtoascontrolplanefiltering.Withtheformer,you cancontrolwhatICMPmessagestheappliancewillprocesswhendirectedtooneofits interfaces;withthelatter,youcancontrolanytypeoftrafficthattheappliancewillprocesswhendirectedtoitself.Withthesecondoption,youcreateyourACLandapplyitto theappliancewiththeaccess-groupcommand,usingthecontrol-planeparameter (insteadofapplyingittoaninterface). NOTE The ACL option gives you more flexibility in controlling what the appliance will process on an interface; however, the ICMP filtering option is much easier to set up, especially if you’re onlyinterestedincontrollingtheICMPtrafficdirectedattheappliance.AsdiscussedinChapter3, andlaterinChapter27,youcancontrolwhatdevicescanremotelyaccesstheapplianceusingthe telnet, ssh,and httpcommands.(Remoteaccessisdeniedbydefaultandmustbeenabled foreachinterface,andthehostorhostsmustbeallowedtoaccesstheapplianceonthespecified interfaces.)
179
180
Cisco ASA Configuration
RestrictingICMPTrafficDirectedattheAppliance TheremainderofthissectionwillfocusonusingtheICMPfilteringfeature.Tocontrol ICMPmessagesdestinedtoaninterfaceontheappliance,usetheicmpcommand: ciscoasa(config)#icmp{permit|deny} src_IP_addresssrc_subnet_mask [ICMP_message_type]logical_if_name
YoumustspecifyasourceIPaddressandasubnetmask.UnlikewithanextendedACL, thereisnodestinationIPaddress,becausethesecurityappliance,itself,isthedestination. YoucanqualifywhichICMPmessagesareallowedordeniedbyenteringavaluefor theICMP_message_typeparameter.Themessagetypescanbeenteredaseitheraname oranumber.Ifyouomitthemessagetype,theappliancewillassumethatyouwanttoallowordenyallICMPmessages.Thelastparameteristhenameoftheinterfaceforwhich youwanttorestrictICMPmessages. The appliance processes the icmp commands top-down for an interface. In other words,whentheappliancereceivesanICMPpacketdestinedtooneofitsinterfaces,it checkstoseeifanyicmpcommandsareassociatedwiththeinterface.Ifnoneisdefined fortheinterface,theapplianceprocessestheICMPmessageandrespondswiththeappropriateICMPresponse.IfanICMPfilterisontheinterface,theapplianceprocesses theicmpcommandsbasedontheorderinwhichyouenteredthem.Iftheappliancegoes throughtheentirelistanddoesn’tfindamatch,theappliancedropstheICMPmessage; thisisliketheimplicitdenystatementattheendofanACL. Toremoveaspecificicmpcommand,prefaceitwiththenoparameter.Todeleteallthe icmpcommandsthatyouhaveconfigured,usetheclearconfigureicmpcommand. NOTE AswithACLs,animplicitdenyisattheendoftheicmpcommandlist.Therefore,ifyouuse the icmpcommand,youshouldatleastspecifyone permitstatementperinterface,unlessyou wantyourappliancetobecompletelyinvisiblefromICMPtrafficonthespecifiedinterface.
ICMPFilteringExample Nowlet’stakealookatanexampleonhowtousetheicmpcommandtorestrictICMP messagesdirectedatanapplianceinterface.Inthisexample,youwanttobeabletotest connectivityfromtheappliancetootherdestinationsontheInternet,andyouwantthe appliancetoprocessonlycertainICMPpacketstoaidinconnectivitytesting—allother ICMPmessagesshouldbedropped.Here’sanexampleofhowtoaccomplishthis: ciscoasa(config)#icmppermitanyconversion-erroroutside ciscoasa(config)#icmppermitanyecho-replyoutside ciscoasa(config)#icmppermitanyparameter-problemoutside ciscoasa(config)#icmppermitanysource-quenchoutside ciscoasa(config)#icmppermitanytime-exceededoutside ciscoasa(config)#icmppermitanyunreachableoutside ciscoasa(config)#icmpdenyanyoutside
Chapter 6:
Access Control
Asyoucansee,onlycertainitemsarepermitted—basicallyICMPrepliestoICMPmessagesthattheappliancegenerates,aswellastoanyerrormessages.
CONNECTIONTROUBLESHOOTING To round off this chapter, I’ll discuss connection troubleshooting features.A problem manyadministratorswillfacewhensettingupanapplianceistroubleshootingconnection problems where connections break when trying to go through the appliance. In otherwords,you’renotsurewhypacketsarenotflowingthroughtheappliance.Traditionally,youbasicallyhadtousetheseappliancecommandstotroubleshootproblems:
▼ showaccess-list LookatthehitcountonACLstatements.
■ showxlate Lookatthetranslationsinthetranslationtable.
■ showconn Lookattheconnectionsinthestatetable.
▲ debug Examineeventsandtraffic.
Theproblemwithusingthesecommandsisthatitisnotalwayseasytopinpointthe problemthatcausesaconnectiontobreak.Therefore,Ciscointroducedtwonewfeatures tohelpadministratorswithconnectionproblemsthroughtheappliance:
▼ Packettracer(version7.2)
▲ Packetcapture(version6.2)
Theremainderofthischapterwilldiscussthesetwofeatures.
PacketTracerFeature PackettracerisaoneoftheuniquefeaturesfromCiscothatIwishwereavailableoneveryoneoftheirproducts:routers,switches,andsoon;unfortunately,itisonlyavailable ontheappliancesstartinginversion7.2.Packettracerallowsyoutocreatea“pretend” packetandhavetheappliancecomparethepretendpacketwiththepoliciesyou’veconfiguredonyourappliancetoseewhatiscausingtherealpacketstobedropped(orallowed).PackettracerissupportedfromtheCLIaswellasASDM.
PacketTracerfromtheCLI FromtheCLI,usethefollowingcommandstocreateapretendpacketandhavetheappliancecomparethepacketwithitspolicies: ciscoasa(config)#packet-tracerinputsrc_if_nameprotocol src_addr[src_port]dest_addr[dest_port] [detailed][xml] ciscoasa(config)#packet-tracerinputsrc_if_nameicmp src_addrICMP_messageICMP_code ICMP_identifierdest_addr[detailed][xml]
181
182
Cisco ASA Configuration
Thesrc_if_nameparameterspecifiesthelogicalsourceinterfaceforthepackettrace— theinterfacethepacketisreceivedon.The protocolparameterspecifiestheprotocol typeforthepackettrace;supportedprotocolsinclude icmp, rawip, tcp,or udp.(The rawip parameter should be used for protocols other than TCP, UDP, and ICMP.) FollowingthisisthesourceIPaddress.Thetypeofprotocolwillaffecttheinformationthat follows.ForTCPorUDP,youenterasourceportnumber;forICMP,youneedtoenter anICMPmessagetype,anICMPmessagecode,andanICMPidentifier(sequencenumber).AfterthisinformationisthedestinationIPaddress;andiftheprotocolisTCPor UDP,thedestinationportnumberaswell.The detailedparameterprovidesdetailed informationinthepackettrace,andthe xmlparameterdisplaysthetraceoutputinan XMLformat. NOTE ForICMPtypesandcodes,examineRFC792athttp://www.ietf.org/rfc/rfc0792.txt.
PacketTraceExample Let’slookatanexampleofusingpackettrace.Inthisexample,I’llassumethatanexternaluser(192.168.1.11)istryingtoaccessaninternalFTPserverwithaglobaladdressof 192.168.2.11.Here’sthesyntaxtodothepackettrace: bciscoasa#packet-tracerinputoutsidetcp192.168.1.111025 192.168.2.1121detail Phase:1 Type:FLOW-LOOKUP Subtype: Result:ALLOW Config: AdditionalInformation: Foundnomatchingflow,creatinganewflow Phase:2 Type:UN-NAT Subtype:static Result:ALLOW Config: static(inside,outside)192.168.2.1110.0.2.11netmask255.255.255.255 nat-control matchipinsidehost10.0.2.11outsideany statictranslationto192.168.2.11 translate_hits=7,untranslate_hits=2 AdditionalInformation: NATdiverttoegressinterfaceinside Untranslate192.168.2.11/0to10.0.2.11/0usingnetmask255.255.255.255
Chapter 6:
Access Control
Phase:3 Type:ACCESS-LIST Subtype:log Result:DROP Config: access-groupACLOUTininterfaceoutside access-listACLOUTextendeddenyipanyany AdditionalInformation: ForwardFlowbasedlookupyieldsrule: inid=0x3fde388,priority=12,domain=permit,deny=true hits=0,user_data=0x3fde348,cs_id=0x0,flags=0x0,protocol=0 srcip=0.0.0.0,mask=0.0.0.0,port=0 dstip=0.0.0.0,mask=0.0.0.0,port=0 Result: input-interface:outside input-status:up input-line-status:up output-interface:inside output-status:up output-line-status:up Action:drop Drop-reason:(acl-drop)Flowisdeniedbyconfiguredrule
NOTE ForTCP and UDP connections, typically the source port number you enter is something above1,023.Also,theoutputyouseeintheprecedingexamplewilldifferbasedontheprotocolyou aretesting,whetherthepacketmatchesanentryintheconntable,whethertheaddresstranslationis enabled,whethertheconnectionisoutboundversusinboundandifACLsareused,andsoon. Inphase1,theapplianceseesifanentryforthisconnectionisalreadyinthestate table:inthisexample,noentryisintheconntable,sotheapplianceassumesit’sanew connection.Inphase2,theapplianceisdoinganxlatelookuptofindthelocaladdress (therealaddress)ofthedestination.Noticethatnat-controlisenabled,andthestaticcommandthepacketmatcheson.Inphase3,thepacketiscomparedwiththeACL ontheoutsideinterface—noticethattheACLiscalled“ACLOUT”andthatthepretend packetmatchedonthedenyipanyanystatement.Inthelastpart,theresult,asummaryisdisplayedaboutthepolicyissue:whattheactionwasforthepacket(drop)and whytheactionwastaken(matchonaconfiguredACLrule). NOTE You can find another good example of packet tracing on this web site: http://www .networkblueprints.com/troubleshooting/cisco-asa-troubleshooting-tool-kit.
183
184
Cisco ASA Configuration
PacketCaptureFeature Thepacketcapturefeaturewasaddedinversion6.2andallowsyoutocapturerealpackets on interfaces. Packet capture supports multiple, simultaneous capture processes; however,packetcapturecanaffecttheperformanceoftheappliance,sodisableitwhen youarefinishedtroubleshootingyourproblem.Whencapturingpackets,youcancontrol whatiscapturedbyusingvariousfilters,likeanACL.Oncepacketsarecaptured,you canviewthemfromtheCLIorsavethemtoafileinalibpcapformatfile,whichcanthen beviewedbyaprotocolanalyzerlikeWireShark(whichisafreeprotocolanalyzer).
CreatingaPacketCaptureProcess Toconfigureapacketcaptureprocess,usethefollowingsyntax,whereTable6-3covers theparametersinthecapturecommand: ciscoasa#capturecapture_name[type{asp-drop[drop_code]| raw-data|isakmp|webvpnuserwebvpn_user [urlurl]}][access-listACL_ID][bufferbuffer_size] [ethernet-typetype][interfacelogical_if_name] [packet-lengthbytes][circular-buffer] [tracetrace_count]
Parameter
Explanation
capture_name
Specifiesthenameofthepacketcapture.Youcanusethe samenameonmultiplecapturecommandstocapture multipletypesoftrafficinonecapturedprocess.
type
Optionallyletsyouspecifythetypeofdatacaptured.
asp-drop
Optionallycapturespacketsdroppedbytheaccelerated securitypath.Thedrop_codespecifiesthetypeoftraffic thatisdroppedbytheacceleratedsecuritypath.Usethe showaspdropframecommandforalistofdropcodes. Notethatifyoudonotenteradropcode,thenalldropped packetsarecaptured.
raw-data
Optionallycapturesinboundandoutboundpacketsonone ormoreinterfaces—thisisthedefaultsetting.
isakmp
OptionallycapturesIPSecISAKMPtraffic.
webvpn
OptionallycapturesWebVPNdataforaspecificWebVPN connection.
Table6-3. PacketCaptureParameters
Chapter 6:
Access Control
Parameter
Explanation
url
OptionallyspecifiesaURLprefixtomatchfordatacapture— typicallythisisdoneforWebVPNusers.Usethiskindof syntaxfortheURL:http://server/pathorhttps:// server/pathtocapturetraffictoawebserver.
access-list
Optionallycapturestrafficthatmatchesonlyonpermit statementsintheACL.
buffer
Optionallydefinesthebuffersizeusedtostorethepacketin bytes;oncethebytebufferisfull,thepacketcaptureprocess stops.
ethernet-type
OptionallyselectsanEthernettypetocapture,wherethe defaultisIPpackets.Anexceptionoccurs,however,with the802.1QorVLANtype.The802.1Qtagisautomatically skipped,andtheinnerEthernettypeisusedformatching.
interface
Optionallydefinesthelogicalnameoftheinterfaceonwhich toenablepacketcapture.Notethatyoumustconfigure aninterfaceforanypacketstobecaptured;however,you canconfiguremultipleinterfacesusingmultiplecapture commandswiththesamecapture_name.Ifyouwant tocapturepacketsonthedataplaneofanASA,usethe interfacekeywordwithasa_dataplaneasthename oftheinterface.(Thisisusedtocapturepacketsfromthe optionalIPSandCSCcardsintheASA.)
packet-length
Optionallysetsthemaximumnumberofbytesofeach packettostoreinthecapturebuffer.
circularbuffer
Optionallyoverwritesthebuffer,startingfromthe beginning,whenthepacketcapturebufferisfull.
trace
Optionallycapturespackettraceinformationandthe numberofpacketstocapture.ThisisusedwithanACLto inserttracepacketsintothedatapathwhentroubleshooting connectionproblemswiththepacket-tracercommand.
Table6-3. PacketCaptureParameters(Continued)
Here’sanexamplethatillustratestheuseofpacketcapturing: ciscoasa#access-listhttpACLpermittcpanyhost192.168.1.10eq80 ciscoasa#capturehttpcapaccess-listhttpACLpacket-length250 interfaceoutside
185
186
Cisco ASA Configuration
Intheprecedingexample,thefirst250bytesofpacketssentto192.168.1.10,onTCPport 80,arecapturedastheyentertheoutsideinterface. TIP Tomakeiteasiertotroubleshootconnections,associateanACLtothepacketcaptureprocess tolimittheinformationyou’recapturingtothespecificproblemaconnectionishaving.
ViewingCapturedPackets Toviewthepacketsinapacketcapturefile,usetheshowcapturecommand: ciscoasa#showcapture[capture_name][access-listACL_ID] [countnumber][decode][detail][dump] [packet-numbernumber]
The capture_nameparameterspecifiesthenameofthepacketcapturethatyouwant to view. The access-list parameter filters out the packet information in the packet capturebasedonthepermitstatementsintheACL.Thecountparameterdisplaysthe first x number of packets specified in the capture. The decode parameter is used for VPNtunnelsterminatedontheappliance:ISAKMPdataflowingthroughthatinterface willbecapturedafterdecryptionandshownwithmoreinformationafterdecodingthe fields.Thedetailparameterdisplaysadditionalprotocolinformationforeachpacket. Thedumpparameterdisplaysahexadecimaldumpofthepackets.Thepacket-number parameterstartsdisplayingthepacketsatthespecifiedpacketnumber. NOTE Withoutanyparameters,onlyyourcurrentcaptureconfigurationisshown—nottheactual capturedpackets. Hereisanexamplethatdisplaysthecaptureprocessesenabledontheappliance: ciscoasa#showcapture capturearpethernet-typearpinterfacedmz
Here’sanexamplethatdisplayspacketscapturedbythecaptureprocesscalledarp: ciscoasa#showcapturearp 2packetscaptured 19:12:23.478429arpwho-has172.16.1.2tell172.16.1.1 19:12:26.784294arpwho-has172.16.1.2tell172.16.1.1 2packetsshown
Inthisexample,thepacketscapturedaretwoARPpackets. NOTE Visitthiswebsiteforagoodoverviewandexampleofpacketcapturingontheappliances: http://security-planet.de/2005/07/26/cisco-pix-capturing-traffic/.
Chapter 6:
Access Control
CopyingCapturedPackets Ifyouwanttosavethepacketsyou’vecapturedforacaptureprocess,usethecopycapturecommandtocopytheinformationtoafileinflashortoanexternalserver: ciscoasa#copy[/noconfirm][/pcap]capture:capture_nameURL
Thenoconfirmparametercopiesthefilewithoutaconfirmationprompt.Thepcapparameter copies the packet capture as raw data for a protocol analyzer. The capture_ nameparameterspecifiesthecaptureprocessthatyouwishtocopy.TheURLparameter specifiesthelocationyouwishtocopythepacketsto.Youneedtoincludethedestinationtype(disk0or flash, disk1, ftp, http, https,or tftp),possiblythedirectory, andthefilenamethepacketswillbestoredin.
ManagingPacketCapturing Tokeepapacketcaptureprocess,buttoclearthepacketsintheappliancebuffer,usethe clearcapturecommand: ciscoasa#clearcapturecapture_name
Onceyouaredonewithapacketcaptureprocess,youshouldremoveitwiththefollowingcommand: ciscoasa#nocapturecapture_name[access-listACL_ID] [circular-buffer][interfacelogical_if_name]
TIP RememberthatpacketcapturingisveryCPU-andmemory-intensivefortheappliances,so disablethepacketcapturingprocess(es)whenyouhavecompletedyourtroubleshooting.However, thepackettracertoolrequiresfewresources.TypicallyI’llusepackettracerfirsttogetanideaasto whataproblemis;ifthisisn’thelpful,thenI’llusethepacketcapturetool.
187
This page intentionally left blank
7 Web Content
189
190
Cisco ASA Configuration
I
nChapter6,Italkedaboutsomeoftheadvancedfilteringabilitiesoftheappliances, includingACLs.OnelimitationofACLsisthattheycanonlyfilteronthenetwork and transport layers of the OSI Reference Model—they cannot filter on content information (information found in the payload). For instance, one type of attack that hackersliketouseistocreatemaliciousJavaorActiveXappletsthatuserswilldownload and run. This traffic is downloaded using HTTP port 80. The problem with ACLs is thatanACLcaneitherpermitordenyportTCP80traffic,whichincludestheapplets embeddedwithintheconnection—ACLscannotfilterjusttheappletsthemselves. Likewise,ACLshaveissueswhendealingwiththefilteringofwebcontent.Imagine thatyouhaveasecuritypolicythatprohibitsthedownloadingofpornographicmaterial. Becausewebinformationchangesallthetime,youwouldhavetocontinuallyfindthese sitesandaddthemtoyourACLconfiguration,whichisanunmanageableprocess. Ontopofthesecurityproblems,anissuewithdownloadingwebcontentisthatthe processcanbebandwidth-intensive,especiallyifmultipleusersaregoingtothesame sitesanddownloadingthesamecontent. Theapplianceshavethreesolutionstotheseproblems.Thefirstsolutionistheability oftheappliancestofilteronJavaandActiveXscriptsthatareembeddedinHTTPconnections.Thesecondsolutionforfilteringcontentallowstheappliancestoworkwith third-partycontentfilteringsoftwaretofilterHTTPandFTPtraffic.Thethirdsolution is the included support for the Web Cache Communications Protocol (WCCP), which allowstheappliancestoredirectwebrequeststoanexternalwebcacheservertodownloadthecontent. Thetopicsincludedinthischapterareasfollows:
▼ J avaandActiveXfiltering
■ Webcontentfiltering
▲ Webcaching
JAVAANDACTIVEXFILTERING MostwebsitestodayuseJavaappletsandActiveXscriptstoaddfunctionalitytotheir webservices.Thesemechanismscantaketheformofanimatedpictures,dynamiccontent, multimedia presentations, and many other types of web effects.Although these toolsprovidemanyadvantagestowebdevelopers,inthewronghandstheycanbeused togatherinformationaboutacomputer,ortodamagethecontentsonacomputer.
JavaandActiveXIssues Onesolutiontothisproblemistousethefilteringabilitiesbuiltintoauser’swebbrowser.Almosteverywebbrowserincludesthesefilteringabilities,likecurrentversionsof MozillaFirefox,NetscapeNavigatorandCommunicator,andMicrosoftInternetExplorer. This type of filtering typically has two problems, however. First, you must ensure
Chapter 7:
Web Content
thateveryuser’sdesktopconfigurationisthesameandstaysthesame,whichmeans thatyou’llhavetoplacesometypeofsoftwareoneachuser’sPCtolockdownthesesettingsandprohibittheuserfromchangingthem.Second,theconfigurationsettingsfor filteringinmostbrowsersarenotasimplematter.Forexample,IuseFirefox,andtheir controlsarefairlysimple,butnotfortheuneducatedJavauser;InternetExplorer6.0has almostadozendifferentsettingsforJavaandActiveX.Forthenoviceandintermediate user,anincorrectwebbrowsersettingmightopenauser’sdesktoptoattackbyJavaand ActiveX.
JavaandActiveXFilteringSolutions TheappliancescanfilteronbothembeddedJavaappletsandActiveXscriptswithout anyadditionalsoftwareorhardwarecomponents.Basicallytheapplianceslookforembedded HTML commands and replace them with comments. Some of these commandsinclude,,and. This filtering feature allows you to prevent the downloading of malicious applets andscriptstoyourusers’desktopswhilestillallowinguserstodownloadwebcontent. Oneadvantageofusingtheappliancesisthattheyprovideacentralpointforyourfilteringpolicies.However,thefilteringcanonlybedonebasedonawebserver’sIPaddress. Therefore,youdonothavesomeofthefilteringabilitiesthatabrowserorcontentfilteringenginehas,butyoucanusetheapplianceincombinationwithothertools,likesecure browser settings and a content filtering engine, to provide the maximum security for yournetwork.ThefollowingtwosectionsdiscusshowtofilterJavaappletsandActiveX scriptsonyourappliances. SECURITYALERT! WhentheappliancesarefilteringJavaappletsandActiveXscripts,iftheHTML objecttagsaresplitacrossmultipleIPpackets,theapplianceswillbeunabletofiltertheappletor script.
ConfiguringJavaFilters YoubasicallyhaveonlyonemethodoffilteringJavaappletsdirectlyonyourappliance: thefilterjavacommand.Thesyntaxofthiscommandisshownhere: ciscoasa(config)#filterjavaport_name_or_#[-port_name_or_#] internal_IP_addresssubnet_mask external_IP_addresssubnet_mask
Onethingthatyou’llnoticeisthatyoudonotneedtoactivatethefilteronaninterface,asinthecaseofACLs.The filter javacommandisautomaticallyappliedto trafficenteringanyinterfaceontheappliance.Thefirstparameteryouenteristheport nameornumberthatwebtrafficrunson;obviouslyoneportyouwouldincludewould be80.Youcanenterarangeofports,oriftheyarenoncontiguous,youcanenterthem withseparatefilterjavacommands.
191
192
Cisco ASA Configuration
FollowingtheportinformationaretwoIPaddressesandsubnetmasks.Noticethat thisisnotthesyntaxanACLuses,whichspecifiesasourceanddestinationaddress.The formatofaddressinginthefilterjavacommandhasyouconfiguretheIPaddressing informationconnectedtothehigher-security-levelinterfacefirst,andthenyouconfigure theIPaddressinginformationofthelowerinterface. Forexample,ifyouwantedtofilterallJavaappletsforHTTPconnections,youwould usethefollowingsyntax: ciscoasa(config)#filterjava800.0.0.00.0.0.00.0.0.00.0.0.0 -or- ciscoasa(config)#filterjavahttp0000
NOTE Rememberthatyoucanabbreviate0.0.0.0asasingle0.
IfyouwantedtofilterJavaappletsforthe192.1.1.0/24externalnetworkforallyour internalusers,theconfigurationwouldlooklikethis: ciscoasa(config)#filterjava8000192.1.1.0255.255.255.0
ConfiguringActiveXFilters InadditiontobeingabletofilterJavaapplets,youcanalsofilterActiveXscriptsusing thefilteractivexcommand.Hereisthesyntaxofthiscommand: ciscoasa(config)#filteractivexport_name_or_#[-port_name_or_#] internal_IP_addresssubnet_mask external_IP_addresssubnet_mask
Thesyntaxofthefilteractivexcommandisbasicallythesameasthefilterjava commandandbehavesinthesamemanner.IfyouwanttofilterallActiveXscripts,use thisexample: ciscoasa(config)#filteractivex800000 -or- ciscoasa(config)#filteractivexhttp0000
Asyoucansee,filteringActiveXscriptsisnodifferentfromfilteringJavaapplets—both areeasytosetup.
WEBCONTENTFILTERING OnemajorconcernofmanycompaniesconnectedtotheInternetisthetypeofinformationthattheiremployeesaredownloadingtotheirdesktops.Quiteafewstudieshave beendone,and,onaverage,30–40percentofacompany’sInternettrafficisnonbusiness
Chapter 7:
Web Content
in nature (I’m actually surprised that the statistic isn’t higher). In some instances, the informationthatemployeesdownloadcanbeoffensivetootheremployees.Thisinformationcanrangefrompornographytopoliticalandreligiouscontent.Alotofthedownloadedcontentlikestockquotesandaudioandvideostreamingisinoffensive,butcan useupexpensivebandwidth. The appliances have limited and nonscalable abilities when filtering web content (IdiscussthisinChapter12).Amuchmorescalablesolutionistohavetheappliances work with third-party products to provide comprehensive web filtering features. The following sections cover how the appliances and web filtering products interact, the third-party web filtering products that the appliances support, and web filtering configurationontheappliances.
WebFilteringProcess Toimplementwebcontentfiltering,sometimesreferredtoaswebfiltering,twocomponentsareinvolved:
▼ P oliciesmustbedefinedthatspecifywhatisorisn’tallowedbyusers.
▲ T hepoliciesmustbeenforced. Twomethodsthatperformtheseprocessesarecommonlydeployedinnetworks:
▼ A pplicationproxy
▲ M odifiedproxy
Thefollowingtwosectionswilldiscusstheseapproaches.
ApplicationProxy Withanapplicationproxy,bothcomponents—definitionandenforcementofpolicies— areperformedononeserver.Eitherusers’webbrowsersareconfiguredtopointtothe proxy,ortheirtrafficisredirectedtotheproxy. Withanapplicationproxy,thefollowingstepsoccurwhenauserwantstodownload webcontent:
1. Theuseropensawebpage.
2. A llconnectionsareredirectedtotheapplicationproxyserver,whichmight requiretheusertoauthenticatebeforeexternalaccessisallowed.
3. T heapplicationproxyexaminestheconnection(s)attemptandcomparesit withthelistofconfiguredpolicies.
4. I ftheconnectionisnotallowed,theuseristypicallyshownawebpageabout thepolicyviolation.
5. I ftheconnectionisallowed,theproxyopensthenecessaryconnectionsto downloadthecontent.Thecontentisthenpassedbackacrosstheuser’soriginal connectionsandisdisplayedintheuser’swebbrowser.
193
194
Cisco ASA Configuration
Applicationproxiesworkquitewellinsmallenvironmentsthathaveasmallnumber ofsimultaneouswebrequests.Rememberthatdownloadingeachelementonawebpage, likegraphics,applets,andsoon,requiresaseparateconnectionforeachelement.Therefore,themorepagesthatmultipleusersrequest,thelessthroughputoccursthroughthe proxy—itmusthandletwicethenumberofconnections:fromtheusertotheproxy,and fromtheproxytotheexternalwebservers.Thisprocesscanquicklybecomeabottleneck ontheproxy,beingCPU-andmemory-intensive.Andiftheproxyiscachinginformation,theprocesscanbecomedisk-intensive.
ModifiedProxy Amodifiedproxysplitsoutthetwopolicycomponents:anexternalserverhasthelist ofpolicies,andanetworkdeviceimplementsthepoliciesaswebtrafficflowsthrough it.Theappliancessupportthemodifiedproxyapproach:tofilterwebcontent,theappliancesmustinteroperatewithanexternalwebcontentserver. Figure7-1showstheactualinteractionbetweentheusers,theappliance,thepolicy server,andtheexternalwebserver.Inthisexample,ausersendsanHTMLrequesttoan externalwebserver(step1).Theappliancethendoestwothingsinstep2:
▼ F orwardstheHTMLrequest(theURLinformationonly)tothewebcontent policyserver
▲ F orwardstheHTMLrequesttotheactualwebserver
Web Content Policy Server
2
3
1 Internet 5
Appliance
Internal Users
2 4 Web Server
Figure7-1. Outgoingandreturningwebtraffic
Chapter 7:
Web Content
Instep3,thewebcontentpolicyservercomparestheURLrequestwithitsinternal policiesandsendsbacktheactiontotheappliance.Theappliancethenenforcestheactiononthereturningtraffic(step4).Ifthewebcontentpolicyserversaystodenythe traffic,theappliancedropsthereturningwebtraffic.If,however,thewebcontentpolicy serversaystopermitthetraffic,theapplianceforwardsthetraffictotheinternaluser (step5). Asyoucanseefromthisexplanation,theappliancedoesn’tactuallyfiltertheoutboundconnection.Thisprocessbasicallyallowsenoughtimeforthewebcontentpolicy servertosendbackanactiontotheappliancebeforetheexternalwebserverrepliesto theuser,therebyintroducinglittleifanydelayintheuser’strafficstream.Unlikewith anapplicationproxy,theappliancesarenotproxyingtheconnections:they’reallowing themoutboundandenforcingthepoliciesonthereturningtraffic.Thisismuchmore CPU- and memory-friendly than using a true application proxy. However, if the web contentpolicyserverishandlingthousandsofrequests,yourusersmayexperiencedelayintheirtrafficstream.Ciscodoessupportalimitedformofloadbalancingtosplit policylookupsacrossmultiplewebcontentpolicyservers. TIP Becausethepoliciesaredefinedexternallytotheappliance,Irecommendthatthewebcontent policyserverbelocatedclosetotheappliance.Fortworeasons,Icommonlyplacethepolicyserver eitherinapublic,ormorecommonly,asemiprivate,DMZthatisdirectlyconnectedtotheappliance. First, it minimizes delay in getting a policy response from the server, which means the appliance shouldn’thavetobufferconnectionrepliesfromexternalwebservers.Second,companiescommonly purchaseasubscriptionwiththewebcontentpolicyserversothattheycangetweeklyupdatesabout newsitesandtheirclassification,likeanupdatedlistofpornographicsites,sothatadministrators don’thavetomanuallyupdateordefinetheseclassificationsthemselves.
URLFilteringServer Webcontentfilteringontheappliancesallowsyoutofilterwebinformationforusers accessingwebresourcesontheoutsideofyournetwork.Ciscosupportstwowebcontentpolicy/filteringproducts:WebsenseandSecureComputing’sSmartFilter(formerly N2H2’sSentianproduct).Theproductshavethecapabilityofinteractingwithanexternaldevice,liketheappliances,inamodifiedproxyrole,orcanfunctionasapplication proxies.TheseproductssupportpoliciesforHTTP,HTTPS,andFTPURLs. You must configure two things on the appliance to interact with the web content filteringserver:
▼ I dentifythewebcontentfilteringserver.
▲ S pecifythetraffictobefiltered.
Youcancompleteotherconfigurationtasksoptionally.Thefollowingsectionscoverthe webcontentfilteringcommandsoftheappliances.
195
196
Cisco ASA Configuration
ServerIdentification The first thing that you need to configure is the identity of the web content filtering serverthattheappliancewilluse.Thisisaccomplishedwiththeurl-servercommand. Yourproducttypewilldeterminetheparametersavailable. HereisthesyntaxtoconfiguretheapplianceinteractionwithaWebsenseserver: ciscoasa(config)#url-server[logical_if_name][vendorwebsense] hostserver_IP_address[timeoutseconds] [protocol{tcp|udp}][connections#_of_conns] [version{1|4}]
Ifyouomitthenameoftheinterface,itdefaultstoinside.Ifyouomitthevendorparameter,itdefaultstoWebsense.Thetimeoutvaluedefaultsto5seconds—iftheappliance doesn’tgetareplywithin5secondsfromtheWebsenseserver,itwillcontactasecond Websenseserver,ifyouhaveconfiguredone.Youmightwanttoincreasethistimeout periodiftheWebsenseserverislocatedataremotesitefromtheappliance.Thedefault protocolisTCP,butcanbeconfiguredforUDPifyouarerunningversion4ofWebsense. Thedefaultversionis1.Theconnectionsparameterallowsyoutolimitthenumberof lookupstoaserver,sothatyoucansplitlookupsacrossmultipleservers. IfyouareconnectingtoaSmartFilterserver,thesyntaxisasfollows: ciscoasa(config)#url-server[interface_name]vendorsmartfilter hostserver_IP_address[portport_number] [timeoutseconds][protocol{tcp|udp}] [connections#_of_conns]
TheconfigurationofSmartFilterisverysimilartothatofWebsense.Onedifferenceis that you can specify a port number for the TCP or UDP connection. The default port numberis4005. NOTE You can configure multiple policy servers by executing the url-server command multipletimes(upto16servers).However,youcanonlyuseWebsenseorSmartFilter—youcannot usebothoftheseonthesameappliance.
TrafficFilteringPolicies Onceyouhaveidentifiedthewebcontentpolicyserverorserversthatyourappliancewill use,youmustnowidentifywhichcontenttraffic(URLs)theappliancewillforwardtothe policyservers.Thecommandtoidentifythetraffictobefilteredisthefiltercommand. Thecommandhasthreevariations,dependingontheprotocolyouwanttoprocess:
▼ C lear-textURLs
■ FTPURLs
▲ H TTPSURLs
Thesearediscussedinthefollowingsections.
Chapter 7:
Web Content
Clear-TextURLProcessing Withthe filter urlcommand,youaredefiningthecleartextHTTPURLsyouwanttoforwardtoanexternalwebcontentpolicyserver: ciscoasa(config)#filterurl{port_#[-port_#]|except} internal_IP_addrsubnet_mask external_IP_addrsubnet_mask [allow][proxy-block][longurl-truncate| longurl-deny][cgi-truncate]
Youmustspecifyeitherthename(http)ortheportnumber(s)tohavetheappliance examineandcopythemtotheexternalserver.Thedefaultportnumberforwebtrafficis 80.Irecommendthatyouputinallcommonportnumbers,including8080,usedbyweb servers.NextyouenteryourinternalandexternalIPaddressesandsubnetmasksthat youwanttoperformfilteringon.Toexamineallclear-textwebtraffic,enter 0.0.0.0 0.0.0.00.0.0.00.0.0.0,or0000. NOTE Remember that you are not entering a source and destination address in the filter urlcommand,butaninternalandexternaladdress,wheretheinternaladdresscanrepresentusers and/orwebservers,andlikewiseforexternaladdresses. Someoptionalparametersareattheendofthe filterurlcommand.The allow parameteraffectshowtheappliancewillreactifitdoesn’tgetareplyfromthepolicy server.Bydefault,iftheappliancedoesn’tgetareply,itdeniestheuseraccesstotheexternalwebserver.Youcanoverridethisbyspecifyingthe allowparameter.Whenyou configurethisparameter,theappliancewaitsforaresponsefromthewebcontentpolicy server—ifitdoesn’tgetareply,theapplianceallowsthewebtraffic.Thisallowsyour userstostillaccesstheInternetintheeventthatthewebcontentpolicyserverisdownor unreachable.Theproxy-blockparametercausestheappliancetodropallwebrequests toproxyservers. OneproblemthatthePIXhadinversion6.1andearlierdealtwithlongURLnames. IfaURLwas1,160charactersorlonger,thePIXwouldn’tprocessit—ineffect,allowing theconnection.Thissoundslikeitwouldn’tbeaproblem,becausemostURLsarefewer than80characters.However,manyCGI-BINscriptsandbackendprogramshaveinformationembeddedinaURLpassedtothem—thisinformation,incertaincases,mightbe verylong,whichcreatesaproblemwiththePIX.Asofversion6.2,thislimithasbeenincreasedto4,000characters.However,youmightnotwanttosendalloftheseextracharacterstothecontentpolicyserver,oryoumightevenwanttodenyusersaccesstothese longURLs.The longurl-truncateparametertellstheappliancetosendaportionof theURLtothecontentpolicyserverforevaluation.The longurl-denycommandhas theappliancedenytheuser’swebconnectioniftheURLislongerthanthemaximum defined. The cgi-truncate parameter behaves the same as the longurl-truncate parameterwiththeexceptionthatthisparameteronlyappliestoCGI-BINscriptrequests embeddedinaURL.
197
198
Cisco ASA Configuration
FTPURLProcessing Withthe filter ftpcommand,youaredefiningtheFTPURLs youwanttoforwardtoanexternalcontentpolicyserver: ciscoasa(config)#filterftp{[port_#[-port+#]|except} internal_IP_addrsubnet_mask external_IP_addrsubnet_mask [allow][interact-block]
Thesyntaxofthiscommandissimilartothefilterurlcommand.WithFTPfiltering, the interact-blockparameterpreventsusersfromusinganinteractiveFTPclientto connecttoanFTPserver. HTTPS URL Processing For filtering of HTTP URLs using SSL, use the following command: ciscoasa(config)#filterhttps{[port_#[-port+#]|except} internal_IP_addrsubnet_mask external_IP_addrsubnet_mask[allow]
Thesyntaxofthiscommandissimilartothefilterurlcommand. Policy Exceptions You can override your filtering policies by using the following command: ciscoasa(config)#filter{url|ftp|https}except internal_IP_addresssubnet_mask external_IP_addressexternal_subnet_mask
Insteadofaportnumberornameasinthepreviousexample,youcanusethe except parameter.Thiscreatesanexceptiontoyourappliancefilteringfunction.Forinstance, youmightwanttofilteronalltrafficexceptyourpublicwebserver.Inthiscase,you wouldspecifysomethinglikethis: ciscoasa(config)#filterurl800000 ciscoasa(config)#filterurlexcept192.168.1.1255.255.255.25500 ciscoasa(config)#filterurlexcept00192.168.1.1255.255.255.255
Inthisexample,allwebtrafficwillbefilteredbythewebcontentfilteringserverwiththe exceptionof192.168.1.1.NoticethatIhavetwofilterurlexceptcommands,sinceI wanttomakeexceptionstothepublicserverforinboundandoutboundconnections.
CachingURLInformation Oneoftheissuesofusingawebcontentpolicyserver,asIpointedoutearlier,isthatit canintroduceadelayintheuser’swebtrafficstreamastheapplianceandpolicyserver interacttoenforceyourwebaccesspolicies.Youcanhavetheappliancecachetheinformationreceivedbyafilteringserversothatthenexttimeauseraccessesthesame server, the appliance can use its local cache to perform the filtering policy instead of
Chapter 7:
Web Content
forwardingtherequesttothepolicyserver.Theadvantageofthisapproachisthatyour users’throughputwillincrease.Thedownsideofthisapproachisthatthewebcontent policy server is not seeing the traffic and therefore cannot log it. If you are gathering informationaboutauser’swebhabits,thenyouwouldnotbeabletologallofauser’s connectioninformation.Plus,youaretakingawayRAMresourcesontheappliancefrom otherprocesses. Caching,bydefault,isdisabledontheapplianceandisonlysupportedforWebsense servers.Toenableit,usethefollowingcommand: ciscoasa(config)#url-cache{dst|src_dst}sizecache_size
Youhavetwochoicesonhowtocacheinformation.Ifyouspecifythedstparameter,the appliance caches information based only on the destination web server address—you shouldonlychoosethisoptionifallyourinternalusershavethesameaccesspolicies.If yourinternalusershavedifferentaccesspolicies,specifythe src_dstparameter—this causestheappliancetocacheboththesourceanddestinationaddresses.Thecachesize canrangefrom1KBto128KB.
BufferingWebServerRepliestoUsers AsImentionedatthebeginningofthissection,whenanappliancereceivesauser’sweb request,itsimultaneouslycopiestheURLtothecontentpolicyserveraswellasforwardingtheconnectiontotheexternalwebserver.Oneproblemthatmightoccuristhatthe externalwebserverreplytotheuser’srequestmightcomebacktotheappliancebefore thecontentpolicyserveractionthattheapplianceshouldtake.Ifthisshouldoccur,the applianceautomaticallywoulddroptheuser’swebrequest. To prevent this from happening, you can buffer the external web server reply or replies until the appliance receives the action from the policy server. By default, this featureisdisabled.Toenableit,usethefollowingcommand: ciscoasa(config)#url-blockblockblock_buffer_limit
ThiscommandlimitsthenumberofmemoryblocksURLscanuse.Thelimitisspecified innumberofblocks,whichcanbefrom1to128blocks.Ablockis1,550bytesinsize. ToconfiguretheamountofmemoryavailableforbufferinglongorpendingURLs, usethefollowingcommand: ciscoasa(config)#url-blockurl-mempoolmemory_size
Thememorycanbespecifiedasavaluefrom2KBto10,240KB. AsImentionedearlier,inversion6.2youcanincreasethesizeofURLsforwardedto thepolicyserversbeforetheyaretruncated—however,thedefaultis1,159characters.To increasethesizeforURLs,usethefollowingcommand: ciscoasa(config)#url-blockurl-sizeURL_characters
Youcanenteravalueofupto4,096characters.
199
200
Cisco ASA Configuration
URLFilteringVerification Once you have set up your web content filtering configuration, you can use various showcommandstoverifyyourconfiguration.Toviewthewebcontentfilteringservers that you have configured with the url-server command, use the show run urlservercommand: ciscoasa#showrunurl-server url-server(outside)vendorsmartfilterhost10.1.1.5port4005 timeout5protocolTCPconnections1500 url-server(outside)vendorsmartfilterhost10.1.2.5port4005 timeout5protocolTCP
Inthisexample,twoSmartFilterfilteringservershavebeenconfiguredonthisappliance. Youcanseeserverconnectionstatisticswiththefollowingcommand: ciscoasa(config)#showurl-serverstats GlobalStatistics: ------------------ URLstotal/allowed/denied993487/156548/837839 URLsallowedbycache/server70843/85165 URLsdeniedbycache/server801920/36819 HTTPSstotal/allowed/denied994387/156548/837839 HTTPsallowedbycache/server70843/81565 HTTPsdeniedbycache/server801920/36819 FTPstotal/allowed/denied994387/155648/838739 FTPsallowedbycache/server70483/85165 FTPsdeniedbycache/server801920/36819 Requestsdropped28715 Servertimeouts/retries567/1350 Processedrateaverage60s/300s1524/1344requests/second Deniedrateaverage60s/300s35648/33022requests/second Droppedrateaverage60s/300s156/189requests/second URLServerStatistics: ---------------------- 192.168.2.1UP Vendorwebsense Port17035 Requeststotal/allowed/denied365412/254595/110547 Servertimeouts/retries567/1350 Responsesreceived365952 Responsetimeaverage60s/300s2/1seconds/request 192.168.2.2DOWN Vendorwebsense Port17035
Chapter 7:
Web Content
Requeststotal/allowed/denied0/0/0 Servertimeouts/retries0/0 Responsesreceived0 Responsetimeaverage60s/300s0/0seconds/request
ThisexamplehastwoWebsenseservers,wherethesecondiscurrentlydown.Forthe firstserver,youcanseethat365,412requestsweresenttotheserver,ofwhich254,595 policy-allowand110,547policy-denyactionswerereceived. IfyouhaveenabledcachingofURLinformationonyourappliancethatitreceived fromthecontentfilteringserver,youcanviewthecachingstatisticswiththeshowurlcachestatscommand: ciscoasa(config)#showurl-cachestats URLFilterCacheStats ---------------------- Size:1KB Entries:36 InUse:22 Lookups:241 Hits:207
Inthisexample,thecachesizehasbeensetto1KB.TheEntriesitemspecifiesthetotal numberofcachedentriesthatcanfitinthecachebasedontheconfiguredsize.Inthis example,only36entriescanbecached.TheInUseitemspecifiesthenumberofentries thatarecurrentlycached(22).TheLookupsentryspecifiesthenumberoftimestheappliancehaslookedinthecacheforamatch,andthe Hitsentryshowsthenumberof timestheappliancefoundamatchinthecache. ToviewstatisticsaboutURLinformationreceivedfromexternalwebserversthatis beingtemporarilybufferedbytheappliance,usethiscommand: ciscoasa(config)#showurl-blockblockstat URLPendingPacketBufferStatswithmaxblock 1 ----------------------------------------------------- Cumulativenumberofpacketsheld:53 Maximumnumberofpacketsheld(perURL):1 Currentnumberofpacketsheld(global): 0 Packetsdroppedduetoexceedingurl-blockbufferlimit:78 Packetsdroppeddueto |exceedingurl-blockbufferlimit:|78 |HTTPserverretransmission:|0 Numberofpacketsreleasedbacktoclient:|0
Asyoucanseeinthisexample,53packetswereheldupbecausetheappliancewaswaitingforaresponsefromthewebcontentfilteringserver.Youwillwanttokeeptabson
201
202
Cisco ASA Configuration
thenumberofpacketsbeingdroppedbecausetheyexceededthebufferlimit—ifthisis continuallyincreasing,youwillwanttoincreasetheblocksizeforbuffering.Toclearthe statistics,usetheclearurl-blockblockcommand. Theshowperfmoncommandshowsyouperformanceinformationformanyimportantcomponentsoftheappliance,includingwebcontentfilteringperformance.Hereis anexample: ciscoasa(config)#showperfmon PERFMONSTATS:CurrentAverage Xlates0/s0/s Connections0/s2/s TCPConns0/s2/s UDPConns0/s0/s URLAccess0/s2/s URLServerReq0/s2/s
Withthiscommand,youshouldfocusontheURLServerReqentry,whichdisplaysthe numberoflookupstheapplianceforwardedtothewebcontentpolicyserver.
URLFilteringExample Tohelpillustratetheconfigurationexample,I’llusethenetworkshowninFigure7-2. ThisexampleusesWebsenseforawebcontentfilteringsolution. Listing7-1focusesonlyonthefilteringcommandsforthissetup.
Internet
Websense Server 192.168.1.2
outside E0/0 199.199.199.2/30 Users
Appliance inside E0/1
192.168.1.1
192.168.1.0/24
Figure7-2. NetworkusingWebsense
Chapter 7:
Web Content
Listing7-1.ExampleofaWebsensesetup ciscoasa(config)#url-server(inside)vendorwebsense host192.168.1.2protocoltcpversion4 ciscoasa(config)#filterurl800000 ciscoasa(config)#filterurl8080-80990000 ciscoasa(config)#url-cachedst128
Inthisexample,theurl-servercommandspecifiesthattheserverisaWebsenseserver andthattheconnectionisusingTCP.Anywebtrafficonport80orport8080through 8099willbeexaminedforfiltering.Theappliancecancacheinformationreturnedbythe Websenseserverusing128KBofmemory.Asyoucanseefromthisexample,thesetupof webfilteringontheappliancesiseasy.
WEBCACHING Webcachingisusedtoreducelatencyandtheamountoftrafficwhendownloadingweb content.Assumingawebcacheserverisdeployed,whenauseraccessesawebsite,the contentthatisdownloadediscachedonthecacheserver.Subsequentaccesstothesame content is then delivered from the local cache server versus downloading the content fromtheoriginalserver. TheWebCacheCommunicationsProtocol(WCCP)allowsthesecurityappliancesto interactwithexternalwebcacheand/orfilteringservers.
WCCPProcess To understand the benefits that WCCP provides, I’ll go through the process that the appliancegoesthroughwhenusingWCCP:
1. T heuseropensawebpage,wheretheconnection(orconnections)makesits waytotheappliance.
2. T heapplianceinterceptsthewebconnectionrequest,encapsulatesitinaGeneric RoutingEncapsulation(GRE)packettopreventmodificationbyintermediate devices,andforwardsittothewebcacheserver.
3. I fthecontentiscachedintheserver,itrespondstotheuserdirectlywiththe content.
4. I fthecontentisnotcachedintheserver,aresponseissenttotheappliance, andtheapplianceallowstheuser’sconnectiontoproceedtotheoriginal webserver.
Forstep3duringtheredirectionprocess,theappliancedoesn’taddtheconnection tothestatetableandthereforedoesn’tperformanyTCPstatetracking,doesn’trandomizetheTCPsequencenumberintheTCPheader,doesn’tperformCut-throughProxy
203
204
Cisco ASA Configuration
authorization,doesn’tperformURLfiltering,doesn’tprocessthepacketusingIPS,and doesn’t perform address translation. However, if the web cache server doesn’t have thecontent,asinstep4,thenthesethingsareperformedbytheappliance. SomeofthebenefitsofWCCPinclude
▼ U sersdon’thavetochangetheirwebbrowsersettings.
■ Thewebcachingservercanperformoptionalcontentfiltering.
■ Bandwidthisoptimizedifthecontenttheuserisrequestinghasbeenpreviously cachedonthewebcacheserver.
▲ T hewebcacheservercanlogandreportwebrequestsbyyourusers.
Ciscocreatedtheprotocol,andithastwoversions:1and2.Someenhancementsof WCCPv2includesupportforotherprotocolsbesidesHTTP,multicastingofrequests to the web cache servers, multiple cache servers, load distribution among multiple cache servers, MD5 authentication of information between the redirector and the webcacheserver,andmanyothers.Ofthetwoversions,theappliancessupportonly WCCPv2;however,somefeaturesarenotsupportedbytheappliances,likemulticast WCCP.
WCCPConfiguration WCCPsupportisnewinversion7.2oftheappliances’OS.EnablingWCCPredirection ofusers’webrequestsisatwo-stepprocess:
▼ D efiningaWCCPservergroup
▲ E nablingWCCPonaninterface
Thefollowingtwosectionswilldiscusstheconfigurationofthesetwosteps.
DefiningaWCCPServerGroup TodefinetheWCCPservergroup(thewebcacheservers),usethefollowingcommand: ciscoasa(config)#wccp{web-cache|service_number} [redirect-listACL_ID][group-listACL_ID] [passwordpassword]
The web-cache parameter causes the appliance to intercept TCP port 80 connections andtoredirectthetraffictothewebcacheservers.Youcanredirectotherprotocols,like FTP,byspecifyingaservicenumber,whichrangesfrom0to254.Forexample,service60 representsFTP.Theredirect-listparametercontrolswhattrafficisredirectedtothe
Chapter 7:
Web Content
servicegroup(definedinanACL),andthe group-listcommandspecifiestheIPaddressesofthewebcacheservers(definedinastandardACL).Thepasswordparameter specifies the MD5 key used to create and validate the MD5 authentication signatures usedbythewebcacheservers.
EnablingWCCPRedirectiononanInterface ThesecondstepistoenableWCCPredirectionontheinterfaceconnectedtotheusers andwebcacheserver(s): ciscoasa(config)#wccpinterfacelogical_if_name {web-cache|service_number}redirectin
Thiscommandneedstobeexecutedforeachservicenumber. NOTE WCCPwebredirectionisonlysupportedinboundonaninterface.Likewise,theusersand web cache server(s) must be behind the same interface—the appliance won’t take a user’s web requestononeinterfaceandredirecttoawebcacheserveronadifferentinterface.
WCCPVerification ToverifytheoperationofWCCP,usethefollowingcommand: ciscoasa#showwccp{web-cache|service_number}[detail][view]
The detail parameter displays information about all the router/web server caches; the viewparameterdisplaysothermembersofaparticularservergroupthathaveor haven’tbeendetected. ciscoasa#showwccp GlobalWCCPinformation: Routerinformation: RouterIdentifier:-notyetdetermined- ProtocolVersion:2.0 ServiceIdentifier:web-cache NumberofCacheEngines:0 Numberofrouters:0 TotalPacketsRedirected:0 Redirectaccess-list:web-traffic-list TotalConnectionsDeniedRedirect:0 TotalPacketsUnassigned:0 Groupaccess-list:server-list TotalMessagesDeniedtoGroup:0 TotalAuthenticationfailures:0 TotalBypassedPacketsReceived:0
205
206
Cisco ASA Configuration
WCCPConfigurationExample To see an illustration of the configuration and use of WCCP, examine the network in Figure7-3.Noticethattheusersandthewebcacheserverarelocatedoffthesameinterfaceontheappliance.Here’stheapplianceconfigurationforWCCP: ciscoasa(config)#wccpweb-cachepasswordmyMD5password ciscoasa(config)#wccpinterfaceinsideweb-cacheredirectin
Asyoucansee,theconfigurationisverysimple.
Internet
Web Cache Server 192.168.1.2
outside E0/0 192.1.1.1/26 Users
Appliance inside E0/1
192.168.1.1/24
192.168.1.0/24
Figure7-3. Networkusingawebcacheserver
8 CTP
207
208
Cisco ASA Configuration
I
nthelastchapter,Italkedaboutfilteringwebcontentonyourappliance.Thischapter buildsuponthetrafficcontrollingandfilteringfeaturesthatIhavesofardiscussed. Inthischapter,I’llexplainhowyoucanauthenticateandauthorizeconnectionsgoing throughyourappliancebyusingafeaturecalledCut-throughProxy(CTP).CTPaddsan additionallevelofsecurityoverACLs(discussedinChapter6).Thetopicsdiscussedin thischapterinclude
▼ A noverviewofauthentication,authorization,andaccounting(AAA)
■ ConfigurationofAAAserversandprotocols
■ AuthenticationofconnectionsusingCTP
■ AuthorizationofconnectionsusingCTP
▲ A ccountingofconnectionsusingCTP
AAAOVERVIEW Oneofthemajorproblemsyoufacewhendesigningyournetworkisthemanagement of security. In large networks, you can easily have over 1,000 networking devices to manage,includingrouters,switches,securityappliances,fileservers,andmanyothers. Eachofthesedeviceshasitsownlocalauthenticationmethod.Forinstance,anappliancefirewallhasalocaltelnet/SSHpasswordandaPrivilegeEXECpassword.Imagine ifyouhadtoperiodicallychangethesepasswordson1,000devicestoensureasecure environment.Obviously,thiswouldnotbeeasy,anddefinitelynotscalable.
AAAComponents AAAhelpsyoucentralizeyoursecuritychecksandisbrokenintothreeareas:authentication(who),authorization(what),andaccounting(when).Together,allthreeoftheseareas arereferredtoasAAA. Authentication is responsible for checking a user’s identity to determine if she is allowedaccesstoanetworkingdevice.Ausermustenterausernameandpasswordto validate.Onceshehasgainedaccesstothenetworkingdevice,authorizationdetermines whattheusercando—whatcommandsshecanexecuteandwhatprivilegelevelsshe hasaccessto.Forexample,youcouldallowapersonPrivilegeEXECaccesstoarouter, butnotallowheraccesstoConfigurationmode.Andlast,youcankeeparecordofa user’sactions,likewhatcommandssheexecutedandwhensheexecutedthem,withthe accountingfunction.
AAAExample Asanexample,Iworkedwithacompanythathadabout1,200routers.Thiscompany hadadozennetworkingadministrators,aswellasmanynetworkingcontractorsworkingforthem;onaverage,theyhadabout50to60contractorsworkingthereeachweek.
Chapter 8:
CTP
They basically had three job levels within their networking division: tier 1, tier 2, andtier3.Tier1and2administratorsweregrantedUserEXECaccesstotherouters, andtier3workerswereallowedPrivilegeEXECaccess.Thissoundssimpleenough,but thecompanyhadamajordilemma.Theywouldneverhireatier3contractor,because contractorswouldcomeandgoonaweeklybasis,andthiswouldmeanthatwitheach contractordeparture,theywouldhavetochangeallofthePrivilegeEXECpasswords on all of their 1,200 routers. Instead, they gave their own network administrators tier 3 access, and these individuals were responsible for performing Privilege EXEC functions.Asyoucanimagine,thesedozenemployeeswerecompletelyswampedwith worktryingtomaintainthe1,200routers. Abettersolutiontothisproblemwouldbetohirecontractorsatatier3leveland to give them Privilege EXEC access, offloading a lot of the work from the company’s networkadministrators.Ofcourse,youwouldn’twanttochangepasswordson1,200 routerseverytimeatier3contractorleftthecompany.Tosolvethisproblem,youwould useacentralizedsecuritysolution.Insteadofhavingtheroutersandothernetworking devices perform authentication locally, you could have them forward the authenticationrequeststoacentralizedsecurityserverorservers,whichwouldvalidatetheuser’s identityandpasstheresultsbacktothenetworkingdevices.Thisallowsyoutomaintain useraccountsatonelocation,makingiteasytoaddandremoveaccounts.Whenatier 3contractorishired,youwouldaddthatpersontothesecurityserver,withtheappropriatesecurityaccess,andwhenthecontractisterminated,youwouldsimplydeletethe accountfromasinglesecurityserver. Additionally,agoodsecurityproductshouldalsoofferauthorizationandaccounting features.Withauthorization,youmightwanttocontrolwhat,exactly,atier3contractor coulddowhileinPrivilegeEXECmode(whatcommandshecanexecute);andwithaccounting,youmightwantarecordofwhologgedintowhichnetworkingdevice,what theydid,andwhentheydidit.Ciscoactuallysellsaproduct,calledCiscoSecureACS (CSACS), which performs the functions of a security orAAA server: it allows you to centralizethesecurityforyournetworkingdevices,likerouters,switches,securityappliances,andothernetworkingequipment. NOTE CSACSisonlybrieflycoveredinthisbook—enoughtoimplementthefeaturesdiscussed here. For a better overview of CSACS, read Cisco Access Control Security: AAA Administration ServicesbyBrandonJamesCarroll(CiscoPress,2004).
AAAProtocols To implementAAA, you need a secure protocol to transport security information between the networking device and the security (AAA) server. Three security protocols commonlyareusedtoimplementAAA:
▼ K erberos
■ RemoteAccessDial-InUserService(RADIUS)
▲ T erminalAccessControllerAccessControlSystem(TACACS+)
209
210
Cisco ASA Configuration
SomeCisconetworkingdevicessupportallthreeprotocols;however,Ciscoonlysupports the last two on its security appliances. The next three sections provide a brief overviewofthesesecurityprotocols.
Kerberos KerberoswasdevelopedattheMassachusettsInstituteofTechnology(MIT)anduses DES(40-or56-bitkeys)forencryptinginformationbetweenthenetworkingdeviceand thesecurityserver,referredtoasaKeyDistributionCenter(KDC).Kerberosisanopen standard;however,itfunctionsatonlytheapplicationlayer.Thismeansthatyouneed tomakechangestotheactualapplicationtouseKerberos.OnIOS-basedrouters,Cisco hasincludedKerberosauthenticationfortelnet,RSH,RLOGIN,andRCP.Ciscodoesn’t supportKerberosonthesecurityappliances.
RADIUS RADIUS was developed by the Livingston Corporation, which is now owned by Lucent. It is currently an open standard, defined in RFCs 2138 and 2139. However, manyextensionshavebeenaddedbyvariouscompaniesfortheirnetworkingdevices, makingitasomewhatopenstandard.RADIUSsupportsUDPfortheconnectionbetween the networking device andAAA server; it only encrypts the user’s password usedforauthentication,nothingelse,makingitlesssecure(moresusceptibletoeavesdroppingattacks)thanKerberosorTACACS+.Forexample,ifauserweretryingtolog into a router, the router would forward the authentication information (user’s access method—console, VTY, or other means—and the username) in clear text, but would encrypttheuser’spassword.ProbablyRADIUS’biggestadvantageovertheothertwo securityprotocolsisthat,becauseitwasdevelopedfordialupandnetworkslikeISPs,it hasaveryrobustaccountingsystem:keepingtrackofwhenauserconnected,howlong hewasconnected,andhowmanybytesweretransmittedtoandfromtheuser. NOTE RADIUS is most commonly used on the appliances for connections going through it, like CTP and remote access VPNs. RADIUS is actually required for some security features, like 802.1xandLEAP.RADIUSusesoneUDPconnectionforauthenticationandauthorization,anda second connection for accounting. Depending on implementation of RADIUS, the port numbers for authentication/authorization and accounting are either 1645 and 1646, or 1812 and 1813, respectively.
TACACS+ TACACSwasoriginallydevelopedfortheU.S.DefenseDepartmentandhasbeenupdated over the years by Cisco, resulting in an enhanced version called TACACS+. BecauseofthemanychangesCiscohasmadetotheprotocol,TACACS+isproprietary. UnlikeRADIUS,TACACS+usesTCP(port49)fortheconnectiontotheAAAserverand encryptstheentirepayloadcontentsinthesecuritypackets,makingitmorereliableand more secure than RADIUS. TACACS+ also supports a single connection feature—the networkingdeviceopensasingleTCPconnectiontotheAAAserverandusesthissingle
Chapter 8:
CTP
connectionforallAAAfunctions.Thisfeatureprovidesfasterresponsetimesthanwith RADIUS,becauseRADIUSusesaseparateUDPconnectionforeachAAArequest,like eachusernamelookup,oreachcommandexecutedonthenetworkingdevice. NOTE TACACS+ismostcommonlyusedontheappliancesforcontrollingadministrativeaccess totheapplianceitself.NotethatyoucanusebothRADIUSandTACACS+simultaneouslyonyour appliance.Forexample,youcoulduseTACACS+tocontrolaccesstotheappliance,butuseRADIUS forCTP.ControllingaccesstotheapplianceusingAAAisdiscussedinChapter26.
AAASERVERS ThesecurityappliancessupportAAAfunctionality.Normally,AAAisusedtocontrol accesstothecommand-lineinterfaceshellofanetworkingdevice.TheappliancessupportthisfunctionofAAA,butalsouseAAAfornetworkaccessthroughthem,allowing userstoauthenticatetotheappliancebeforetheirconnectionorconnectionsareallowed through. Some examples of theseAAA appliance features are CTP and remote access VPNs,likeIPSecandWebVPN.
AAAServerConfiguration OneofthefirstitemsyouneedtoconfigureforAAAistheconnectionusedbetween yourapplianceandyoursecurityserver:TACACS+and/orRADIUS.Minimally,you’ll needtoconfiguretheprotocolthatisused,theencryptionkey,andtheremoteserverthe applianceisconnectingto.Thefollowingsectionscontainanoverviewofhowtoconfigure anAAAserverandprotocolonyourappliance.
ApplianceAAAServerConfiguration Onyoursecurityappliance,thefirstthingyouneedtoconfigureisthesecurityprotocol orprotocolsyou’llbeusingbetweentheapplianceandyourAAAserver(s)andwhothe server(s)are.Bothtasksareconfiguredusingtheaaa-servercommand: ciscoasa(config)#aaa-servergroup_tagprotocol{tacacs+|radius} ciscoasa(config)#aaa-servergroup_tag(logical_if_name) hostAAA_server_IP_addressAAA_encryption_key [timeoutvalue_in_seconds] ciscoasa(config-aaa-server-host)#server-portport_number ciscoasa(config-aaa-server-host)#keyencryption_key ciscoasa(config-aaa-server-host)#timeoutseconds
Thefirstcommandspecifieswhichsecurityprotocolyou’llusewhenyourappliance accessestheAAAserver:TACACS+orRADIUS.The group_tagparameterisusedto groupyourpolicyinformation,becauseyoumighthaveonesetofsecurityserversforauthenticatingcommand-lineaccessandanothersetforauthenticatingCTP.Inotherwords,
211
212
Cisco ASA Configuration
the group tag determines where to directAAA traffic (what protocol and server). The grouptagisbasicallyastringofcharacters,andthetagvaluemustbedifferentfromother grouptags. NOTE Cisco’sAAA server, CSACS, supports both RADIUS andTACACS+. Most other vendors onlysupportRADIUS. NextyoumustspecifytheAAAserverthatyourappliancewilluse.Youmustspecifythenameoftheinterfacewherethesecurityislocated;ifyouomitit,thelogical namedefaultstoinside.FollowingthisisthehostparameterandtheIPaddressofthe AAAserver.The AAA_keyparameterspecifiestheencryptionkeyusedtosecurethe connectionbetweentheapplianceandtheAAAserver—thiskeymustalsobeconfigured on theAAA server and is case-sensitive.You can configure up to 256 different securityservers,whereeachAAAserverhasitsownconfigurationcommand. When trying to connect to theAAA server, the appliance will wait for a reply for 5secondsbydefault.ItwilltrytocontactanAAAserveruptofourtimes.Iftheappliancecan’treachtheAAAserver,itwilltrythesecondAAAserverthatyou’veconfigured(ifyouhaveconfiguredanotherone);thereforetheorderoftheserverstatementsis important.Youcanchangethetimeoutvaluewiththeoptionaltimeoutparameter.The timeoutcanbeincreasedupto30seconds. When executing the aaa-server command, you are taken into a subcommand mode.Hereyoucanoptionallychangetheportnumberusedfortheconnection(applicabletoRADIUSonly).Youcanalsoentertheencryptionkeyandtimeoutvaluesifyou omittedthisfromtheaaa-servercommand. Here’sanexampleofdefiningaprotocolandserver: ciscoasa(config)#aaa-serverRADIUS_SERVERprotocolradius ciscoasa(config)#aaa-serverRADIUS_SERVER(inside)host10.0.1.11 ciscoasa(config-aaa-server-host)#keycisco123
CSACSConfiguration Onceyou’veloggedintoCSACS,you’llneedtoindividuallyaddeachofyourappliances underCSACS’sNetworkConfigurationsection. NOTE IfyourapplianceneedstousebothTACACS+andRADIUStoCSACS,you’llneedtoadd theappliancetwicetoCSACS,usingadifferenthostnameforeachinstanceinCSACS. Followthesestepstoaddyourappliance:
1. ClicktheNetworkConfigurationbuttonontheleftsideofthewindow.
2. UndertheAAAClientssection,clicktheAddEntrybutton.
Chapter 8:
CTP
3. OntheAddAAAClientscreen,enterthefollowinginformation:
a. AAAClientHostname Alocallydescriptivenameoftheappliance.
b. A AAClientIPAddress TheIPaddressoraddressestheappliancewilluseto initiateconnectionstoCSACS.
c. SharedSecret ThisistheencryptionkeytoencryptthepasswordsforRADIUS orthepayloadofTACACSpackets.
d. A uthenticateUsing Thedrop-downselectorthatletsyouchoosetheAAA protocol,whichcanbeeither“TACACS+”or“RADIUS(CiscoVPN3000/ ASA/PIX7.x+)”fortheappliances.
e. Alltheotherparametersareoptional.
4. O ntheAddAAAClientwindow,clickeithertheSubmitorSubmit+Apply button. NOTE The difference between the Submit and Submit+Apply buttons is that the Submit button savesyourchange,andSubmit+Applysavesandactivatesyourchange(s).Theproblemofactivating changes in CSACS is that the CSACS processes must be restarted, causing a small amount of disruption;therefore,itisbesttosaveallyourchangesandrestarttheprocessesonce.Youcanalso restarttheprocesseswithintheSystemConfigurationsection.
CTPAUTHENTICATION Insomecircumstances,youmaywanttoauthenticateconnectionsthroughtheappliance itself.You might have a situation where using anACL doesn’t provide enough security.RememberthatACLs,discussedinChapter6,canonlylookatthelayer3and 4information,whichcaneasilybespoofed.Asanaddedsecuritymeasure,youcanuse theapplianceCTPfeature,whichprovidesapplication-layerauthentication. Forexample,youmighthaveaccountingusersinaVLANacquiringtheiraddressing informationviaDHCP.InthedatacenteracrossthecampusresidetheaccountingserversintheirownVLAN.Ifallyoucaredaboutwastorestrictaccessfromtheaccounting userstotheaccountingservers,youcouldeasilyaccommodatethiswithanACL.However,supposeonerestrictedaccountingserverintheserverfarmshouldbeaccessedby onlyahandfulofaccountingusers.SincealltheaccountingusersacquiretheiraddressinginformationviaDHCP,youreallydon’tknowwhatsourceIPaddressoraddresses toallowtotherestrictedserver. Toovercomethisproblem,youcouldstaticallyassignthesmallsetofusersarangeof addressesthatareallowed,butthatmeansyouwouldhavetomanagestaticaddresses. Ontopofthis,theseaddressescouldbespoofed,allowingunauthorizedpeopletoaccess therestrictedserver.Anothersolutionwouldbetocontrolaccessontheaccountingserver itself,which,inmostcases,iswhatadministratorsdo.However,insomecasesthismight notbefeasible,basedonwhattheapplicationontheserversupports.Athirdoptionisto
213
214
Cisco ASA Configuration
usetheapplianceCTPfeature,whichcanauthenticateauser’sconnectionattemptbefore allowingtheusertoreachtherestrictedserverorservers.Thenextsectionwilldiscuss howCTPworks.
CTPOverview WithCTP,theappliancereceivesanewconnectionrequestfromauser.Beforeacceptingtheconnection,theappliancecanfirstauthenticateitbypromptingtheuserwitha usernameandpasswordprompt.Theusermustenterausernameandpassword,which aresenttotheappliance.Theappliancewillthenforwardtheusernameandpassword toanAAAservertohavetheinformationvalidated.Iftheuserispermitted,theappliancesecurityalgorithmopensasmallholeintheappliancetopermittheauthenticated connection. NOTE CTPisprocessedafteranyACLchecks—sotheuser’sinitialconnectionattemptmustbe allowed by anACL on the inbound interface.Assuming the CTP authentication is successful, the connectionisaddedtotheconntable,allowingsubsequentpacketsfortheconnection. One important item to point out is that CTP can authenticate both inbound and outbound connections. Currently Cisco only supports CTP connections for the followingapplications:HTTP,HTTPS,telnet,andFTP.Asyouwillseeinlatersections, youhaveothermethodsfordealingwithotherapplicationsthatdon’tsupportthese protocols. Figure8-1showstheCTPprocesswithanAAAserver:Instep1,anexternaluser attemptstoaccessaninternalwebserver.IftheinboundACLdropsthepacket,CTPis notperformed;sowhenusingCTP,makesuretheinboundACLallowstheconnection. Instep2,theappliancesendsausernameandpasswordprompttotheuser.Theuser thenenterstheAAAusernameandpassword. Onenicefeatureforthispromptisthattheusercanusethefollowingnomenclature whenenteringtheusernameandpassword(FTPandHTTPconnectionsonly): AAA_username@internal_host_username AAA_password@internal_host_password
The AAA username can be up to 127 characters in length, and the password can be 64characterslong.ThefirstusernameandpasswordareforCTPauthentication;thesecondusernameandpasswordarefortheactualserveritself.Rememberthattheappliances areperformingamodifiedproxywhenperformingauthentication. NOTE Withoutthedoubleusername/passwordoption,whereonlyoneusernameandpassword wereentered,thesingleusernameandpasswordwouldbeusedforbothCTPandtheinternalserver authentication.Andiftheinternalserverwereusingadifferentusernameandpasswordthanthat configuredontheAAAserver,authenticationwouldfail.
Chapter 8:
CTP
3
Internet Users
AAA Server 1
Appliance
Router 4
2 Restricted Accounting Server Username:
bugs@bunny
Password:
daffy@duck
OK
Cancel
General Accounting Server
Figure8-1. CTPwithanAAAserver
TheappliancethentakestheAAAusernameandpasswordonlyandforwardsthem totheAAAserver(step3)forvalidation.IftheAAAservercanvalidatetheuser,the servertellstheappliancetopermittheconnection.Otherwise,ittellstheapplianceto deny the connection. If the connection is permitted and added to the conn table and youusedthecorrectnomenclature,theappliancewilltakethesuppliedusernameand passwordandforwardthesetotheinternalserver(step4).Thisalleviatestheuserfrom havingtoenterausernameandpasswordontheserver.
ApplianceConfigurationofCTPAuthentication ThefollowingsectionswilldiscusshowtosetupCTPauthenticationonyourappliance.I’llshowyouhowtochangesomeoftheauthenticationparametersandhowto have the appliance intercept and authenticate the connections before allowing them through.
215
216
Cisco ASA Configuration
ChangingAuthenticationParameters YoumightwanttoconfiguresomeoptionalparametersforCTPauthentication.Some optionalthingsthatyoucanconfigureare
▼ L imitingthenumberofproxyconnectionsperuser
■ Changingtheauthenticationpromptpresentedbytheappliance
▲ C hangingthetimeoutsforauthenticatedconnections
Thefollowingthreesectionscovertheuseandconfigurationoftheseparameters. Limiting Proxy Connections You can limit the number of concurrent proxy connections thatauserisallowedtoestablishwiththeaaaproxy-limitcommand: ciscoasa(config)#aaaproxy-limit{#_of_connections|disable}
For the #_of_connections parameter, you can specify a value from 1 to 128—the defaultis16.Thedisableparameterdisablestheconcurrentproxyconnections. AuthenticationPrompts Theapplianceallowsyoutomodifythepromptsusedduringthe authenticationprocess;youcanmodifywhattheappliancesendstotheuserwiththe followingcommand: ciscoasa(config)#auth-prompt{accept|reject|prompt} prompt_string
Actuallythreepromptscanbeinvolvedinthepasswordcheckingprocess:
▼ p rompt Thistextisdisplayedbeforetheusernameandpasswordprompt.
■ accept Thistextisdisplayedonceauserhassuccessfullyauthenticated.
▲ r eject Thistextisdisplayedonceauserhasfailedauthentication. Thelengthofthepromptislimitedbasedontheapplicationtheuserisaccessing:
▼ F TPandtelnet 235characters
■ MicrosoftInternetExplorer 37characters
▲ N etscapeNavigator 120characters
I recommend that you keep your prompts short so that you’ll be able to support any typeofapplication.Fortheactualprompt,youshouldnotuseanyspecialcharacters; however,youarepermittedtousespacesandpunctuationmarks. Hereisasimpleexampleofsettingtheprompts: ciscoasa(config)#auth-promptpromptFullbodycavitysearch beforeproceeding! ciscoasa(config)#auth-promptacceptGreetingsEarthling! ciscoasa(config)#auth-promptrejectUm...nicetry,butyou’renot evenclose!
Chapter 8:
CTP
OnceyouhaveconfiguredthesepromptsandyourAAAconfiguration,youcantest it. Here is an example of a user performing a telnet that has been intercepted by the applianceconfiguredforCTP: Fullbodycavitysearchbeforeproceeding! Username:Monkey Password:***** Um...nicetry,butyou’renotevenclose! Fullbodycavitysearchbeforeproceeding! Username:Monkey Password:******* GreetingsEarthling!
AuthenticationTimeouts TheappliancesupportstwodifferenttimeoutsforAAAauthenticatedconnections(whichincludeCTP):idleandabsolute.Thesetimeoutsaffectwhen the appliance will terminate anAAA connection that a user has open (remove them fromtheconntable).Bydefault,theappliancecachesthisinformationforanidleperiodof5minutesbeforedisconnectingtheuser.Tosetthesetimeouts,usethetimeout command: ciscoasa(config)#timeoutuauthhh:mm:ss[absolute|inactivity]
Theabsolutetimeoutaffectsthedurationofauser’sconnectionwhethertheuserisactiveoridleontheconnection.Theinactivitytimeouttellstheappliancewhentotear downidleconnectionsassociatedwithanauthenticateduser.Toexamineyourtimeout values,usetheshowruntimeoutcommand.
ControllingAuthentication ToconfigureCTPauthentication,you’llneedtosetupyouraaaauthenticationcommands on your appliance as well as configure yourAAA server with usernames and passwords.Hereisthesyntaxofthetwoauthenticationcommandsontheappliances: ciscoasa(config)#aaaauthentication{include|exclude} application_name {inbound|outbound|interface_name} internal_IP_addressinternal_subnet_mask external_IP_addressexternal_subnet_mask group_tag ciscoasa(config)#aaaauthenticationmatchACL_IDlogical_if_name group_tag
For the first aaa authentication command, the first thing you must specify is eithertheincludeorexcludeparameter,whichtellstheappliancewhichapplications
217
218
Cisco ASA Configuration
willbeinterceptedandauthenticatedandwhichoneswon’t.Afterthisyoumustspecify theapplicationnamethatyou’llauthenticate.Theseincludehttp,https,ftp,telnet, orany(forallfourapplications).Nextyoumustspecifythedirectionorinterfacewhere CTPwillbeperformed:
▼ inbound Fromalowertoahighersecuritylevelinterface
■ outbound Fromahighertoalowersecuritylevelinterface
▲ logical_if_name Inboundonthisinterface
Following the direction are the inside and outside addresses that authentication shouldbeperformedfor.Ifyouwanttoauthenticateallconnections,use0.0.0.00.0.0.0 0.0.0.00.0.0.0or0000—thiswillcausetheappliancetouseCTPforalloftheapplicationsthatyouspecifiedforallconnections.Ifyouwanttoauthenticateconnectionsonly toaspecificwebserver,thenlistthatwebserverastheinternaladdressandeveryonefor theexternaladdress.Finally,youneedtospecifythe group_tagvalue,whichtellsthe appliancewhichsecurityservershouldperformtheauthentication. NOTE Thefirstaddress(es)intheaaaauthenticationinclude/excludecommand representdevicesoffthehigher-levelinterface,andthesecondaddress(es)representdevicesoffthe lower-levelinterface. Your second option with the aaa authentication command is to use an ACL name with the match parameter to specify the traffic to be authenticated. When you dothis,theACLcanonlymatchonHTTP,HTTPS,FTP,andtelnettraffic.Thisoption was introduced in FOS 5.2.ACL statements with permit parameters specify that the matchingtrafficmustbeauthenticated;statementswith denyparametersspecifythat thematchingtrafficisexemptfromauthentication. If you want to use HTTPS authentication for CTP, note that the preceding aaa authenticationcommandsdonotuseSSLtoencrypttheusernamesandpasswords— theSSLfunctiondoesn’ttakeplaceuntiltheuserauthenticatessuccessfullytotheappliance/AAAserverandtheconnectionproceedstothedestinationserver.Ifyouwantto useSSLtoprotecttheusernameandpasswordsentfromtheusertotheappliance,usethe followingcommand: ciscoasa(config)#aaaauthenticationsecure-http-client
HereisasimpleexampleofaCTPconfiguration: ciscoasa(config)#aaa-serverTACSRVprotocoltacacs+ ciscoasa(config)#aaa-serverTACSRV(inside) host192.168.1.10thisisasecret ciscoasa(config)#aaaauthenticationincludehttpoutside 192.168.1.12255.255.255.25500TACSRV
Chapter 8:
CTP
Inthisexample,theapplianceisusingTACACS+tocommunicatetothesecurityserver (192.168.1.10).CTPauthenticationisbeingperformedforonlyHTTPtrafficdestinedto 192.168.1.12whenitenterstheoutsideinterface.Rememberthatthisconnectionmustbe allowedintheACLcheck.AllothertypesoftrafficwillonlyhavetheACLontheoutside interfacedeterminingifthepacketsareallowed. NOTE Rememberthatwebbrowserscancacheusernamesandpasswords.Therefore,ifyouhave configuredtimeoutsforHTTPconnections,whichwillcausetheappliancetore-authenticatetheuser, thewebbrowsermightsendthesameinformationtotheappliance,whichwillbeforwardedtothe AAAserver.Thiscancauseaproblemifyouareusingtokencardsforauthentication;therefore,have theuserclosetheirwebbrowserconnectionandre-openit—thisistrueifauserfailsauthentication andistryingtoauthenticateagain.
ControllingAccessforNonsupportedApplications AsImentionedintheprevioussection,onelimitationofCTPisthatitcanonlybeused to authenticate HTTP, HTTPS, FTP, and telnet connections. If you have other applicationsthatyouneedtoauthenticate,theCTPfeaturewillbeunabletohandletheauthentication.However,youdohavethreeotheroptionsavailable:
▼ U seauthenticationontheapplicationservertheuseristryingtoaccess.
■ UsetheVirtualTelnetfeatureontheappliance—thisisusedwhenthe destinationserverdoesn’tsupportHTTP,HTTPS,FTP,ortelnet.
▲ U setheVirtualHTTPfeatureontheappliance—thisisusedwhenthe applianceanddestinationwebserverdon’tusethesameAAAserver forauthentication;inthissituation,theusermustperformtwoseparate authentications…onetotheapplianceandonetothewebserver.
Oneproblemwithhavingtheapplicationserverperformtheauthenticationisthat yourauthenticationmechanismisn’tcentralized—youneedtosetupauthenticationon everyserverwhereyouneeduserauthentication.VirtualTelnetandVirtualHTTPprovideamorescalablesolution,asyouwillseeinthefollowingsections,andcanauthenticateandauthorizeconnectionsinboththeinboundandoutbounddirections. UsingVirtualTelnet Typically, you’ll use Virtual Telnet when you need to authenticate connections other than HTTP, FTP, or telnet. With Virtual Telnet, the user telnets to a virtual telnet address on the appliance and then supplies a username and password forauthentication.Onceauthenticated,theapplianceterminatesthetelnetsessionand allowstheusertoopenherdataconnection.Inotherwords,theVirtualTelnetaddresson theappliancecannotbeusedtoaccessanEXECshellonit.OneannoyancewithVirtual Telnetisthatitisatwo-stepprocessforausertoconnecttoaresource—theusertelnets intotheappliancetoauthenticate,andthentheuseropenstheapplicationconnectionto theactualservice. Let’slookatasimpleexamplewhereyoucanuseVirtualTelnet.YouhaveaninternalTFTPserver(UDP69).Obviously,CTPcan’tauthenticatethisconnection.Youcan
219
220
Cisco ASA Configuration
authenticatethisconnectionusingVirtualTelnet,however.Toaccomplishthis,theuser firsttelnetstoavirtualIPaddressontheappliance—thisaddressmustbeareachable address(ontheInternet,thishastobeapublicaddress).ActuallythevirtualIPaddress issimilartoaloopbackaddressonanIOS-basedrouter.TheVirtualTelnetconnection mustbepermittedintheACLoftheinterfacetheuser’strafficisentering.Forinbound users,whetherornotNATcontrolisenabled,youmustincludetheVirtualTelnetaddress in a static command. (An identity NAT command is commonly used, where theVirtualTelnetaddressistranslatedtoitself.)The staticcommandisnotrequired foroutboundVirtualTelnet.Theappliancethenpromptstheuserforausernameand password,andthenauthenticatesthisinformationviaanAAAserver.Iftheauthenticationissuccessful,theusercannowsuccessfullyaccessotherserviceslistedinthe aaa authenticationincludeorlistedaspermitstatementsintheACLreferencedinthe aaaauthenticationmatchcommands. If a user wants to gracefully log out of his CTP authenticated session set up with VirtualTelnet,heonlyneedstore-telnettothevirtualaddressandre-authenticate.This secondauthenticationprocesswillunauthenticatetheuser. TosetupVirtualTelnetonyourappliance,addthefollowingcommandtoyourCTP authenticationsetup: ciscoasa(config)#virtualtelnetglobal_IP_address
The IP address must be a public-reachable address—treat this address as a loopback address on the appliance: it is an unused address associated with the appliance. For inboundusers,thiswilltypicallybeapublicIPaddress;foroutboundusers,itcanbe eitherapublicoraprivateIPaddress.Afterconfiguringthiscommand,youmuststill configureyourotherAAAcommandsdiscussedinprevioussections. TohelpillustratetheuseofVirtualTelnet,I’llusethenetworkinFigure8-2. HereisthecodetosetupVirtualTelnetforthisnetwork: ciscoasa(config)#virtualtelnet200.200.200.2 ciscoasa(config)#aaa-serverTACSRVprotocoltacacs+ ciscoasa(config)#aaa-serverTACSRV(inside) host192.168.1.2thisisasecret ciscoasa(config)#access-listINBOUNDpermittcpany200.200.200.2 eq23 ciscoasa(config)#access-listINBOUNDpermitudpany200.200.200.3 eq69 ciscoasa(config)#access-listINBOUNDpermitudpany200.200.200.4 eq80 ciscoasa(config)#access-groupINBOUNDininterfaceoutside ciscoasa(config)#access-listCTP_AUTHpermittcpany200.200.200.2 eq23 ciscoasa(config)#access-listCTP_AUTHpermitudpany200.200.200.3 eq69
Chapter 8:
CTP
Internet Virtual Address 200.200.200.2 outside E0/0 200.200.200.1 Appliance inside E0/1
192.168.1.1
AAA Server TFTP Server 192.168.1.2 192.168.1.3
Web Server 192.168.1.4
192.168.1.0/24
Figure8-2. UsingVirtualTelnetexample
ciscoasa(config)#aaaauthenticationmatchCTP_AUTHoutsideTACSRV ciscoasa(config)#nat-control ciscoasa(config)#static(inside,outside)200.200.200.2 200.200.200.2netmask255.255.255.255 ciscoasa(config)#static(inside,outside)200.200.200.3 192.168.1.3netmask255.255.255.255 ciscoasa(config)#static(inside,outside)200.200.200.4 192.168.1.4netmask255.255.255.255
Inthisexample,theVirtualTelnetaddressis200.200.200.2,whichisinternaltotheapplianceitself:noticethestaticcommandthattranslates200.200.200.2to200.200.200.2, which is the identity NAT translation for the Virtual Telnet address. TheAAA server is 192.168.1.2. The INBOUNDACL allows the Virtual Telnet and TFTP connections. However,theaaaauthenticationcommandspecifiesthattelnet(theVirtualTelnet address), and TFTP traffic should be authenticated via the permit statements in the CTP_AUTHACL. NOTE One other important thing about this example: the INBOUNDACL also permits traffic to thewebserver.However,thisisnotincludedintheCTP_AUTHACL.Therefore,externalusersare allowedtoaccessthewebserverandareexemptedfromCTPauthentication. Using Virtual HTTP Virtual HTTP is used when CTP and the internal web server use different usernames and passwords for authentication because they are not using the sameAAAserver.Inthissituation,youmustusetheVirtualHTTPfeature.Otherwise theusernameandpasswordthattheuserentersfortheappliancearepassedthrough
221
222
Cisco ASA Configuration
tothewebserver,wheretheauthenticationfailswiththeserver,andthustheconnection isbroken. VirtualHTTPworksbyhavingtheappliancemimicawebserver.Theuserattempts toopenaconnectiontoaninternalwebserver,andtheapplianceinterceptstheconnection,asinCTP.Thevirtualwebserverontheapplianceauthenticatestheuserandthen performs a redirect to the user’s web browser—this tells the web browser that a new connectionisbeingbuilt(eventhoughit’stothesameIPaddress),butthewebbrowser won’tusetheAAAusernameandpasswordinitscachefromtheCTPauthentication session.Fromtheuser’sperspective,theinteractionappearstobewiththeinternalweb serverandnotthevirtualwebserver,makingthevirtualwebserverontheappliance seemtransparent. TosetupaVirtualHTTPserveronthesecurityappliances,addthefollowingcommandtoyourAAAconfiguration: ciscoasa(config)#virtualhttpglobal_IP_address[warning]
AsinthecaseofsettingupVirtualTelnet,theIPaddresshereisinternaltotheappliance— useapublicaddressforexternalusersaccessinginternalresources,oraprivateorpublic addressforinternalusersaccessingexternalresources.The warningparameterisonly applicabletotext-basedbrowserswheretheredirectionprocesscannothappenautomatically.PleasenotethatyouneedtosetupanACLforinboundtraffictoallowtheuser’s connectiontothevirtualwebserveraddress(TCP80). TheconfigurationoftheVirtualHTTPfeatureisbasicallythesameasVirtualTelnet. Usingtheexampleinthe“UsingVirtualTelnet”section,theonlythingthatyouwould needtochangewouldbetoremovethe virtual telnetcommandandtoreplaceit withvirtualhttp.AlsoyouwouldneedtochangeyourACLtoreflectport80instead of23.
VerifyingCTPAuthentication NowthatyouhaveconfiguredCTPauthenticationonyourappliance,youwillwantto verifyitsoperation.Youcanusemanytroubleshootingcommands,discussedinthefollowingtwosections.
VerifyingServerInteraction To display your AAA server configuration and status, use the show aaa-server command: ciscoasa#showaaa-server[LOCAL|group_tag[hostserver_IP_addr]| protocolprotocol]
You can qualify the output by specifying what servers to display with a group_tag parameter(andaserverwithinthegroup_tag),bytheprotocolbeingusedbetweenthe applianceandserver,orlocalauthentication(LOCALparameter).Localauthenticationis discussedinChapter26.
Chapter 8:
CTP
Here’sanexampleoftheuseoftheprecedingcommand: ciscoasa(config)#showaaa-server ServerGroup:RADGROUP ServerProtocol:RADIUS ServerAddress:192.168.1.1 Serverport:1645 Serverstatus:ACTIVE.Lasttransaction(success)at 11:23:05UTCFriNov1 Numberofpendingrequests20 Averageroundtriptime4ms Numberofauthenticationrequests25 Numberofauthorizationrequests0 Numberofaccountingrequests0 Numberofretransmissions1 Numberofaccepts20 Numberofrejects5 Numberofchallenges5
Inthisexample,25authenticationrequestswereforwardedtotheAAAserver,where20 weresuccessfulauthenticationsand5failedtheauthenticationprocess. NOTE IfyouareexperiencingproblemswithauthenticationusingCTP,youcanusethe debug aaa authentication command, which displays the authenticationinteraction between the applianceandtheAAAserver.Whenyouaredonetroubleshooting,disablethe debugcommand byprecedingitwiththenoparameter,ordisablealldebugfunctionswiththenodebugallor undebugallcommands.
ViewingAuthenticatedUsers ToseewhichusershaveauthenticatedviaCTPontheappliance,usethe show uauth command: ciscoasa#showuauth[username]
Optionally,youcanqualifytheoutputbyjustlistingoneuser.Hereisanexampleofthe showuauthcommand: ciscoasa#showuauth CurrentMostSeen AuthenticatedUsers33 AuthenInProgress03 user'monkey'from199.199.199.8authenticated user'cow'from199.199.199.22authorizedto: port192.168.1.8/telnet192.168.1.10/http
223
224
Cisco ASA Configuration user'chicken'from205.205.205.89authorizedto: port192.168.1.10/http192.168.1.11/http
Inthisexample,threeusershavebeenauthenticated.Thefirstuserhasbeenauthenticatedonly,andthesecondtwousershavebeenauthenticatedandauthorized.Youcan seethesourceaddressoftheuseraswellastheresourcethatshehasbeenauthorizedto access.CTPauthorizationisdiscussedinthenextsection. Ifyouwanttoforceanauthenticatedusertore-authenticate,usethefollowingclear command: ciscoasa#clearuauth[username]
Omittingausernamewillunauthenticateallusers.
CTPAUTHORIZATION TherearetwomainproblemswithCTPauthentication:
▼ U sersneedtoaccessmultipleinternaldevices,butwithCTPauthentication, theuserwouldhavetoauthenticatetoeachindividualdevice.
▲ C TPauthenticationisglobal:onceauserauthenticates,hecanaccessthe requestedservice;inotherwords,youcan’tcontrolwhoaccesseswhatservice.
The following sections will discuss how CTP with authorization can solve these problems. SECURITYALERT! IfanauthenticateduserisbehindaPATtranslationdevice,allusersthatare mapped to the same address are authenticated. In this situation, I would highly recommend that youkeeptheidletimertoasmallvalue,andalsoconfigureanabsolutetimer,forcingtheuserto periodicallyre-authenticate.
UsersAccessingMultipleServices Let’sdealwiththefirstproblemIintroducedinthelastsection.Forexample,let’sassumeyouhaveasemiprivateDMZwiththreewebserversonit.Ifyouonlyconfigured CTPauthentication,andauserwantedtoaccessallthreeservers,theappliancewould intercepteachseparateserverconnectionandauthenticatetheuser.Inthisexample,the userwouldhavetoauthenticatethreetimes:oneforeachofthesemiprivatewebservers. Themoreserversyouhave,themoreconfusingandaggravatingthisbecomesforyour users. With CTP authorization, the user authenticates once, and an authorization list, storedontheAAAserver,determineswhatconnectionstheuserisallowedtoopen.I’ll discusstheauthorizationlistoptionsinthenextsection.
Chapter 8:
CTP
ControllingAuthenticatedAccesstoMultipleServices NowI’lldealwiththesecondproblemintroducedinthelastsection.Anotherissuewith CTP is that authentication only controls access based on a username and password. However,youmighthaveasituationwhereyouhavetwogroupsofserversthatyou wanttocontrolaccessto.Withthefirstgroupofservers,onlytheprogrammersshould beabletoaccessthem;andwiththesecondgroupofservers,onlythedatabasepeople shouldbeabletoaccessthem.Inotherwords,youdon’twantprogrammersaccessing thedatabaseservers,orthedatabasepersonnelaccessingtheprogrammers’servers.CTP authenticationcan’tsolvethisproblem—itcanonlyauthenticatepeople.However,CTP with authorization can control this: you can set up an authorization list on theAAA serverforthetwodifferentgroupsofpeopletorestrictwhattheycanaccessoncethey haveauthenticated. NOTE Ifyouwanttouseauthorization,youmustuseauthentication—authenticationisdonefirst bytheappliance;however,youcanuseauthenticationwithoutauthorization.Anotherwayoflooking atthisisthatCTPmustauthenticatetheuserfirst;authorizationcanthencontrolwhattheuseris allowedtoaccess.
CTPAuthorizationOptions Ciscosupportstwomethodsforauthorization:
▼ C lassicmethod
▲ D ownloadableACLs
Thefollowingtwosectionswilldiscusstheseoptions. NOTE Ofthetwomethods—classicanddownloadableACLs—Ciscoispushingthelatterasthe preferredmethod.
ClassicMethodforAuthorization Intheclassicmethod,theallowedconnectionsarelistedontheAAAserver,likeTCP port80connectionstoaparticularserverorservers.Onceauserauthenticates,every timesheopensaconnection,includingtheinitialconnection,herconnectioninformation ispassedtotheAAAserver,whichcomparesitwithalistofauthorizedconnections. The AAA server passes back the authorization response—allow or deny—and the appliance enforces the policy. The main disadvantage of this approach is that each connectiontheauthenticateduseropenswillincuraninitialdelaywhilethepolicy lookupoccurs;theadvantageofthissolution,however,isthatanypolicychangeon theAAAserverisinimmediateeffect,sincetheappliancemustlookupeachconnectiontodeterminethepolicy.
225
226
Cisco ASA Configuration
DownloadableACLAuthorizationMethod DownloadableACLsarenewinversion6.2.AssumingyourAAAserversupportsdownloadableACLs,youdefinetheACLontheAAAserverfortheuserorthegrouptheuser belongsto.Whentheuserauthenticates,theACLisdownloadedtotheappliance,and theapplianceusestheACLtodeterminewhattheauthenticatedusercanaccess.Here arethebasicstepsthatoccurwhenyou’reusingdownloadableACLs:
1. T heappliancereceivestheusernameandpasswordfromtheuserand forwardsthisinformationtotheAAAserver.
2. T heAAAserverauthenticatestheuser;iftheuserhassuccessfullyauthenticated, theAAAserversendsthenameofthedownloadedACLthatshouldbeused.
3. TheappliancecheckstoseeiftheACLwasalreadydownloaded.
a. I ftheACLhasalreadybeendownloaded(fromanotheruserwhowasauthenticated and associated with the same ACL), the already downloaded ACLisused.
b. I ftheACLhasn’tbeendownloaded,theappliancerequeststheACLfromthe AAAserver,andtheserverdownloadsittotheappliance.
4. T heapplianceusesthedownloadedACLtoenforceauthorization:theACLis usedtodeterminewhattheusercanaccess.
5. O ncetheuauthtimerexpiresoryouexecutetheclearuauthcommand,the downloadedACLisremovedandtheuserunauthenticated.
Oneimportantpointabouttheprecedingprocessisthat,assumingyousetCTPauthorizationwithdownloadableACLscorrectly,thedownloadedACLisusedtofiltertheauthenticateduser’straffic—theinterfaceACLisignoredfortheauthenticateduser.Bydefault, thereisnolimittothenumberofdownloadedACLsyoucandefineonanAAAserver.
ClassicAuthorizationConfiguration Withclassicauthorization,youmustdefineanauthorizationprofileonyourAAAserver andenableauthorizationonyourappliancewiththeaaaauthorizationcommand(s). PleasenotethatyoumustfirstconfigureAAAauthenticationonyourappliancebefore youcanproceedwiththeauthorizationconfiguration.Inadditiontothis,theappliances onlysupportTACACS+fortheclassicauthorizationmethod.Thefollowingtwosections willdiscusstheconfigurationofclassicauthorizationonCSACSandtheappliances.
CSACSClassicAuthorizationConfiguration Before you configure authorization on your appliance, it is recommended to set up authorizationonyourAAAserverfirst.HerearethestepsifyouareusingCSACS:
1. ClicktheGroupSetupbuttonontheleftsideofthewindow.
2. C hoosetheappropriategroupnamefromthepull-downmenu,andclickthe EditSettingsbutton.
Chapter 8:
CTP
3. GototheShellCommandAuthorizationSetsection.
4. U ndertheUnmatchedCiscoIOSCommandsheading,clicktheDenyradio button.
5. C lickthecheckboxtotheleftofthe“Command”reference,andenterthe connectiontypeallowedtotherightofthereference:thiscanbethenameof theconnection,liketelnet,http,orftp,oritcanincludetheprotocoland portreference(protocol_name_or_#/port_name_or_#).Anexampleofa protocolandportreferenceforTFTPwouldbeudp/69.
6. I fyouwanttorestrictaccesstocertaindestinations,entertheIPaddressesin thetextboxbelowtheArgumentsheading,andclickthePermitradiobutton belowthis.Toallowalldestinations,don’tenterIPaddressesinthisbox,and thenclickthePermitradiobutton.
7. ClicktheSubmitbuttonatthebottomofthepage.
8. Repeatsteps1through6foreachadditionalapplication.
9. C licktheSubmit+Restartbuttonatthebottomofthepageonceyouhaveadded alltheconnectionsforthegroup.
ApplianceAuthorizationConfiguration TosetupCTPauthorizationonyourappliance,useoneofthetwofollowingconfigurations: ciscoasa(config)#aaaauthorization{include|exclude} application_name {inbound|outbound|interface_name} internal_IP_addressinternal_subnet_mask external_IP_addressexternal_subnet_mask group_tag -or- ciscoasa(config)#aaaauthorizationmatchACL_IDlogical_if_name group_tag
Asyoucansee,thesyntaxofthesecommandsisalmostthesameasthe aaaauthen-
ticationcommands.
Acoupleofitemsneedtobepointedoutconcerningauthorization.First,theapplianceonlysupportsTACACS+fortheclassicCTPauthorizationmethod.Second,ifthe appliancedoesn’tfindamatchinanyofitsauthorizationstatements,itwillimplicitly permit the user’s connection, assuming anACL entry doesn’t deny it. Third, besides specifyinganapplicationname(any,http,ftp,ortelnet),youcanalsolistanIPprotocol number or name as well as a port number or range. When you specify a range, separatethebeginningandendingportnumbersbyahyphen.Forexample,yourweb serversmightnotberunningonport80,butonports8080–8081.Tocatchthisportnumber,usethefollowingsyntaxfortheapplication_nameparameter:tcp/8080-8081.
227
228
Cisco ASA Configuration
Withthe aaa authorization matchcommand,youlistalltheconnectionsthat mustbelookedupforauthenticatedusersinthespecifiedACLbeforetheyareallowed throughtheappliance.Anythingthatmatchesa denyorimplicitdenystatementisexemptedfromauthorizationandisimplicitlyallowed.
DownloadableACLConfiguration TheconfigurationofdownloadableACLsisdoneontheAAAserver.However,tomake surethattheyareused,youmustconfigureatleastonecommandontheappliance.The followingtwosectionswilldiscusstheseitems.
CSACSDownloadableACLConfiguration ConfiguringandusingdownloadableACLsonCSACSisathree-stepprocess:enabling them,creatingthem,andreferencingthemforagrouporuser.Thefollowingthreesectionswilldiscussthesesteps. EnablingDownloadableACLsonCSACS DownloadableACLsarenotenabled,bydefault, withinCSACS.Toenablethem,gotoInterfaceConfiguration|AdvancedOptions.Click oneorbothofthefollowingcheckboxes:
▼ U ser-LevelDownloadableACLs
▲ G roup-LevelDownloadableACLs
ThefirstoptionenablesdownloadableACLsonaper-userbasis.Thesecondoptionenablesthemonaper-groupbasis.Whenyou’redone,clicktheSubmitbutton. CreatingDownloadableACLsonCSACS OncedownloadableACLshavebeenenabled,you needtocreatethem.TocreateanameddownloadableACLforauserorgroup,goto SharedProfileComponents|DownloadableIPACLsandclicktheAddbutton.Inthe DownloadableACLsection,you’llseealistofanynamedACLsalreadycreated.Givea nametothedescriptionofACLs. ToaddanACL,clicktheAddbutton.Youarethentakentoascreenwhereyoucan assignanametoyourACLandentertheactualACLstatements.Makesureyouusethe keywordanyforthesourceaddress—whenthisisdownloadedtotheappliance,theappliancewillusetheactualIPaddressoftheauthenticateduser(s)asthesourceIPaddress inthedownloadedACL.Here’sthegeneralsyntaxforanACLstatementinCSACS: {permit|deny}protocol_name_or_#anydst_IP_addrsubnet_mask [protocol_info][log] {permit|deny}protocol_name_or_#anyhostdst_IP_addr [protocol_info][log]
Asyoucanseefromtheprecedingsyntax,thisissimilartocreatingACLsontheapplianceitself.Whenyou’redonecreatingtheACL,clicktheSubmitbutton.
Chapter 8:
CTP
Here’sasimpleexampleofaconfigureddownloadableACLinCSACS: permittcpanyhost192.168.1.1eq25 permittcpanyhost192.168.1.2eq21
Inthisexample,oncetheuserhasauthenticatedandtheACLhasbeendownloaded,the usercanaccessthee-mailandFTPserverlisted—everythingelseisdeniedfortheuser. ReferencingDownloadableACLsinUsersandGroups To apply a downloadableACL to a userorgroupinCSACS,gototheGroupSetuporUserSetupsection(intheleftwindow pane,clicktheGroupSetuporUserSetupbuttonsrespectively).Selectagrouporuser toedit,andthenintheDownloadableACLssection,clicktheAssignIPACLcheckbox, andusethedrop-downselectortochoosethenamedACLtobeappliedtothegroupor user.Whendone,clicktheSubmit+Restartbutton.
ApplianceDownloadableACLConfigurationandVerification OnceyouhavesetupyourdownloadableACLsinCSACS,whenauserauthenticates, ontheappliance,thedefaultistoignorethedownloadedACLandusetheoneonthe inboundinterface.Tooverridethisbehavior,reapplytheexistingACLtotheappliance interface,butaddtheper-user-overrideparameter,likethis: ciscoasa(config)#access-groupACL_IDininterfacelogical_if_name per-user-override
Executingthiscommandistheonlyrequirementontheappliance.Onceyouhavedone this,anydownloadedACLsarethenappliedtotheuser’strafficontheinboundinterfaceinsteadofusingtheACLappliedtotheinterface. ToseewhatACLanauthenticateduserwilluse,executetheshowuauthcommand discussedearlierinthe“ViewingAuthenticatedUsers”section.Here’sanexample: ciscoasa#showuauth CurrentMostSeen AuthenticatedUsers11 AuthenInProgress11 user'MasterChief'at192.168.2.1,authenticated access-list#ACSACL#-IP-DATABASEACL-438d7411(*) absolutetimeout:0:05:00 inactivitytimeout:0:00:00
In this example, the MasterChief user has a downloadedACL associated with him. Notice the ACL name: #ACSACL#-IP-DATABASEACL-438d7411. The “#ACSACL#” partindicatestheACLwasdownloadedfromCSACS.The“IP”partindicatesthatthis isanIPACL.The“DATABASEACL”isthenameyougavetheACLwhencreatingit inACS.The“438d7411”partisaversionidentifierandhelpstheappliancedetermine ifanychangesweremadetotheACLsinceitwaslastdownloaded.Everytimeyou updatetheACLinACS,thisvaluechanges.Thishelpstheappliancedeterminewhen
229
230
Cisco ASA Configuration
a previously downloaded ACL has changed, and there is an updated version that shouldbedownloadedinsteadofusingtheonethatwaspreviouslydownloaded. To view the actualACL that was downloaded, use the show access-list command.Here’sanexample: ciscoasa#showaccess-list access-list#ACSACL#-IP-APPLIANCEACL-438d7411;4elements(dynamic) access-list#ACSACL#-IP-APPLIANCEACL-438d7411line1extended permittcpanyhost192.168.100.253eqtelnet(hitcnt=1) access-list#ACSACL#-IP-APPLIANCEACL-438d7411line2extended permittcpanyhost192.168.100.253eqwww(hitcnt=0) access-list#ACSACL#-IP-APPLIANCEACL-438d7411line3extended permittcpanyhost192.168.100.253eqftp(hitcnt=0) access-list#ACSACL#-IP-APPLIANCEACL-438d7411line4extended denyipanyany(hitcnt=0)
As you can see in the preceding example, the downloadedACL has four statements, includingthehitcountsonthestatements. NOTE Any downloaded ACL is not saved to flash when you execute the write memory command.
CTPACCOUNTING ThelastfunctionofAAAisaccounting.Accountingallowsyoutokeeparecordofthe actions of your users, like when they successfully or unsuccessfully authenticate, what servicestheyareaccessing,orwhatcommandstheyareexecuting.TouseAAAaccounting forCTP,youneedanAAAserver—syslogisnotsupported.
ApplianceConfigurationforAccounting ThecommandsforconfiguringAAAaccountingontheapplianceareaaaaccounting: ciscoasa(config)#aaaaccounting{include|exclude}accounting_service {inbound|outbound|logical_if_name internal_IP_addressinternal_subnet_mask external_IP_addressexternal_subnet_mask group_tag -or- ciscoasa(config)#aaaaccountingmatchACL_IDlogical_if_name group_tag
Chapter 8:
CTP
Thelayoutofthiscommandisalmostthesameasthe aaa authenticationand aaa authorizationcommands.Inthefirststatement,the includeparameterspeci-
fieswhatconnectionsaccountingwillbeenabledfor—iftheconnectionisn’tincluded, theappliancewillnotcaptureaccountinginformationforit.Theaccounting_service parameter specifies the type of connection, like any, ftp, http, telnet, or even by protocolandport,likeudp/69.Forthelattersyntax,youcanspecifyarangeofportsby separatingthebeginningandendingportnumberswithahyphen(tcp/8080-8090). YoucanoptionallyuseanACLwiththe matchparametertospecifytheconnectionsto gatherinformationfrom. Hereisanexamplewhereallconnectionswillhaveaccountingenabledforthem: ciscoasa(config)#aaaaccountingincludeanyinbound 0000TACSRV ciscoasa(config)#aaaaccountingincludeanyoutbound 0000TACSRV
Onceyouhavesetupaccounting,makesurethatyoursecurityserverisreceivingthe accountinginformationfromtheappliance.
CiscoSecureACSReports ItisimportanttopointoutsomeitemsconcerningaccountingontheapplianceandusinganAAAserver.First,whenusingauthentication,accountingwillrecordwhowasauthenticatedandwhentheybecameunauthenticated,soyoucanseehowlongtheywere loggedin.Second,whenyouareusingAAAauthorization,onlytheclassicmethodof authorizationwillkeeparecordofwhatconnectionstheuseropenedthatmatchedthe aaaauthorizationcommand(s)andwhethertheCSACSserverallowedthem.Tosee thesereports,intheleftwindowpaneofCSACS,clicktheReportsAndActivitybutton. IfyouareusingdownloadableACLsinsteadoftheclassicmethodofauthorization, anymatchesontheACLstatementsarenotsenttotheAAAserver.Ifyouwantarecord of what connections were opened by a user with downloadableACLs, you’ll need to addthelogkeywordtoyourdownloadableACLstatementsonyourAAAserver.Then you’llneedtoforwardtheselogmessageseithertoanexternalsyslogserverortoan SNMPmanagementstation.ThisprocessisdiscussedinChapter26.
231
This page intentionally left blank
9 IPv6
233
234
Cisco ASA Configuration
T
hischapterwillintroduceyoutotheTCP/IPversion6(IPv6)capabilitiesofthe appliances.IPv6isafairlynewfeaturetotheappliances,introducedinversion7 with the addition of the ASA security appliances. Because IPv6 is new to the appliances, its IPv6 capabilities are limited; however, Cisco will be greatly expanding theminfutureoperatingsystemreleases.Thetopicscoveredinthischapterinclude
▼ I Pv6introductionandtheapplianceIPv6features
■ IPv6addressesoninterfaces
■ RoutingIPv6traffic
■ Neighborandroutersolicitationandadvertisementmessages
▲ I Pv6trafficfiltering
IPv6OVERVIEW IPv6willeventuallyreplaceIPv4,whichisthemostcommonnetworkingprotocoldeployed today. Because of the poor scalability and the deficiencies found in IPv4, IPv6 wascreated.IPv6addressestherapidgrowthofcompanies,oftechnologyincountries likeIndiaandChina,andoftheInternet.Basically,IPv6quadruplesthesizeofbitsinIP addressesfrom32bitsinIPv4to128bitsinIPv6:thisgivesusapproximately3.4×1038 addressablenodes,whichprovidesmorethanenoughgloballyuniqueIPaddressesfor everynetworkdeviceontheplanet. ThefollowingtwosectionswilldiscusstheIPv6capabilitiesoftheappliancesand theirlimitationswhenitcomestoIPv6.Subsequentsectionswillbrieflycoverhowto configureIPv6ontheappliances.
IPv6CapabilitiesoftheAppliances ThesecurityapplianceshavesomesupportforpassingIPv6trafficbetweeninterfaces; however,theyarenotfull-functioningIPv6devices.TheappliancessupportabasicIPv6 configuration:
▼ AssigningIPv6addressestointerfaces
■ FilteringIPv6trafficwithACLs
▲ BasicroutingcapabilitiesforIPv6viastaticroutes
Someoftheappliances’managementandtroubleshootingcommandsalsosupport IPv6:
▼ c opy Copyinginformationto/fromtheapplianceusingIPv6
■ ping Testingconnectivity
■ ssh RestrictingremoteaccesstotheapplianceusingSSH
Chapter 9:
IPv6
■ telnet RestrictingremoteaccesstotheapplianceusingSSH
■ debug Troubleshootingconnectivityproblems
▲ icmp RestrictingICMPtraffictoanapplianceinterface(ipv6icmpcommand)
Therearemanyothercommands,buttheprecedingarethemostcommonmanagement andtroubleshootingcommandsconfiguredorexecutedontheappliance. When executing a command that includes an IPv6 address, use the standard nomenclatureforIPv6addresses.Forexample,ifyouwanttopingadevicewithanIPv6 address,thepingcommandwouldlooksomethinglikethis: ciscoasa#pingfe80::2e11:eeff:aaaa:13cd
Whenusingthecopycommandorwhenneedingtoreferencetheportnumberalong withtheaddress,you’llneedtoenclosetheIPv6addressinbrackets(“[]”)andseparate theaddressandfollowinginformationwithacolon(:).Forexample,ifyouwantedto backuptherunning-configfiletoanFTPserverusingIPv6addresses,the copycommandwouldlooksomethinglikethis: ciscoasa#copyrunning-config ftp://[fe80::2e11:eeff:aaaa:13cd]:/directory/backup.cfg
NOTE My book CCNA Cisco Certified Network Associate Study Guide (Exam 640-802) (The McGraw-HillCompanies,2008)introducesIPv6,theaddressingused,andabasicconfigurationof Ciscorouters. Theappliancesalsohavetheabilitytoexaminethepayloadinformation(theapplicationlayer)ofcertaintypesofIPv6packets:FTP,HTTP,ICMP,SIP,SMTP,TCP,andUDP. Otherapplicationsandprotocolsarenotcurrentlysupported.Applicationinspectionof payloadinformationisdiscussedinmoredepthinPartIII.
IPv6LimitationsoftheAppliances Understandthatasoftoday,theIPv6supportincludedwiththesecurityappliancesis very limited. Basically you can assign IPv6 addresses to interfaces, set up static IPv6 routes,filterIPv6trafficwithACLs,andaddIPv6connectionstothestatetable. Many, many features are lacking, but I would expect at least the following to be addedinthenearfuture:
▼ T ranslatingbetweenIPv6andIPv4addressesandviceversa,aswellasIPv6to IPv6addresses
■ DynamicallyroutingIPv6traffic
■ InspectingthesameapplicationlayerpayloadsthatIPv4supports
■ FailoversupportwithIPv6(currentlyonlyIPv4issupported)
▲ I Pv6anycastaddresses
235
236
Cisco ASA Configuration
IPv6INTERFACECONFIGURATION WhensettingupprocessingofIPv6addresses,eachinterfacethatwillhandleIPv6traffic minimally needs a link-local address; optionally you can add a global address on theinterface.ThefollowingthreesectionscoverthethreemethodsofassigninganIPv6 addresstoaninterface:autoconfigurationofIPv6addresses,manuallink-localIPv6addresses,andmanualglobalIPv6addresses. NOTE Thesecurityappliancessupportdual-stacking:youcanhavebothIPv6andIPv4addressing configuredonthesameinterface.Notethatyou’llneedroutingconfiguredforbothprotocolstoreach subnetsandnetworkstheapplianceisnotconnectedto.
StatelessAutoconfiguration Stateless autoconfiguration of IPv6 addresses on an interface allows the appliance tolearnthe64-bitprefixaddressfromarouteradvertisementmessageandtousethe EUI-64methodtoobtainthelast64bitsoftheaddress,whichincludetheMACaddress oftheinterfaceintheEUI-64portion.Autoconfigurationcreatesalink-localaddresson thespecifiedinterface.Tousetheautoconfigurationmethodonaninterface,usethefollowingconfiguration: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#ipv6addressautoconfig
NOTE Autoconfiguration is the simplest method of assigning an IPv6 address on an appliance interface.
DuplicateIPv6AddressDetection Whenusingstatelessautoconfiguration,theapplianceshavetheabilitytodetectduplicate IPv6 addresses: an address that is configured on the appliance interface conflicts withanotherdeviceconnectedtothesameinterface.Duringtheduplicate-address-detection process, any configured IPv6 address on the interface is placed in a tentative state.Theappliancewillfirstverifyanylink-localaddressconfiguredonaninterface; thenanyotherIPv6addressesontheinterface,likeglobaladdresses,areverified.When beingverified,anIPv6addressismarkedas“TENTATIVE”untilverified. Iftheappliancedetectsaduplicateaddress,theaddressisnotused,andyou’llsee thefollowinglogmessagedisplayed: %PIX|ASA-4-325002:DuplicateaddressIPv6_address/MAC_address oninterface
WhenaninterfaceIPv6addressisseenasaduplicate,itisplacedina“DUPLICATE” state.Ifthesamelink-localaddressisseenconnectedtothesameinterface,processingof
Chapter 9:
IPv6
allIPv6packetsontheinterfaceisdisabled.However,ifthesameglobaladdressisseen connectedtothesameinterface,theconfiguredglobaladdressisnotused,butotherIPv6 addressesontheinterfaceareused,andprocessingofIPv6packetsisallowed. The appliance uses neighbor solicitation messages to detect a duplicate address. (Neighborsolicitationmessagesarediscussedlaterinthe“IPv6Neighbors”section.)By defaulttheduplicateaddresscheckisonlyperformedoncewhentheinterfacegoesactive (isbroughtup).Youcanchangethenumberoftimeswiththefollowingconfiguration: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#ipv6nddadattempts#_of_attempts ciscoasa(config-if)#ipv6ndns-interval#_of_milliseconds
Thenumberofattemptscanbe0to600intheipv6nddadattemptscommand;setting itto0disablesduplicateaddressdetectiononthespecifiedinterface.The ipv6 nd nsinterval command specifies the interval in which the duplicate address probes are generated—bydefaultthisis1,000millisecondsifomitted.Thisvaluecanrangefrom 1,000to3,600,000milliseconds. NOTE The ipv6 nd ns-interval command changes the interval for not just duplicate addresschecks,butforallneighborsolicitationmessagesontheinterface.
Link-LocalAddressConfiguration Besides using stateless autoconfiguration, you can manually assign an IPv6 link-local addressusingthefollowingconfiguration: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#ipv6addressIPv6_addresslink-local
AhexadecimalformatisusedwhenenteringtheIPv6address.
GlobalAddressConfiguration GlobalIPv6addressesaretheequivalentofapublicIPv4address.Normallyyouarenotassigningglobaladdressestotheapplianceunlesstheapplianceisdirectlyconnectedtothe Internet,whichisunlikely.Toassignaglobaladdress,usethefollowingconfiguration: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#ipv6addressIPv6_address/prefix_length[eui-64]
Youmustenterthehexadecimaladdress,alongwiththeprefixlength.The eui-64parameterallowsyoutospecifythenetworkprefixonlyfortheIPv6addressandhavethe appliance generate the lower 64 bits of the address automatically, using the interface MACaddressaspartofthisaddress.Whenyouassignaglobaladdresstotheinterface, theapplianceautomaticallycreatesalink-localaddressalso.
237
238
Cisco ASA Configuration
NOTE Whenyou’reenablingIPv6onaninterface,theipv6addresscommandenablesIPv6, alleviatingtheneedtoexecutethe ipv6 enablecommandontheinterface.Also,theinterface needsalink-localaddress;however,youcanhavebothalink-localandglobaladdressonthesame interface.
IPv6InterfaceConfigurationVerification OnceyouhaveconfiguredtheIPv6addressingonyourappliance,youcanverifyyour configurationwiththefollowingcommand: ciscoasa#showipv6interface[brief][logical_if_name]
NOTE IfyouwanttoseeIPv4addressesassignedtointerfaces,usetheshowipaddressor showinterfacecommands. Listing9-1showsanexampleofusingtheshowipv6interfacecommand. Listing9-1.IPv6interfaceinformation ciscoasa#showipv6interface ipv6interfaceisdown,lineprotocolisdown IPv6isenabled,link-localaddressisfe80::20d:88ff:feee:abde [TENTATIVE] Noglobalunicastaddressisconfigured Joinedgroupaddress(es): ff02::1 ff02::1:ffee:6a82 ICMPerrormessageslimitedtooneevery100milliseconds ICMPredirectsareenabled NDDADisenabled,numberofDADattempts:1 NDreachabletimeis30000milliseconds
Inthisexample,youcanseethenameandstatusoftheinterface,thelink-localaddress (fe80::20d:88ff:feee:abde),thataglobaladdresshasn’tbeenassigned,themulticastaddressestheinterfacebelongsto(twointheprecedingexample),andtheneighbor discoveryinformation.AlsonoticethattheaddressisinaTENTATIVEstate.
IPv6ROUTING WithoutIPv6routingenabled,thesecurityapplianceswillswitchIPv6trafficbetween directlyconnectedIPv6hostsoninterfacesthathaveIPv6addresses.CurrentlytheappliancesdonotsupportanyIPv6dynamicroutingprotocols,unlikeIPv4:toreachsubnetsandnetworksbeyondtheconnectedroutesoftheappliance,you’llneedtosetup
Chapter 9:
IPv6
static IPv6 routing.You can configure static and default IPv6 routes on the appliance withthefollowingcommand: ciscoasa(config)#ipv6routelogical_if_name destination_IPv6_network/prefix next_hop_IPv6_addr[admin_distance]
YoumustfirstenterthelogicalnameoftheinterfacethattheIPv6networkresidesoffof. ThisisfollowedbytheIPv6destinationnetwork,includingtheprefix(thenumberofbits inthenetworknumber).Foradefaultroute,use ::/0astheaddressandprefix.After thedestinationnetworkisthenext-hopIPv6addressoftheneighboringroutertheIPv6 packetsshouldberoutedto.Last,youcanoptionallychangetheadministrativedistance ofthestaticroute.Theadministrativedistanceisusedwhentherearetwopathstothe samedestination,butyoupreferonepathoveranother—thelowerthevalue,themore preferredtheroute. ToviewtheIPv6routingtableontheappliance,usethe show ipv6 routecommand.Here’sanexampleofthiscommand: ciscoasa#showipv6route IPv6RoutingTable-7entries Codes:C-Connected,L-Local,S–Static Lfe80::/10[0/0] via::,inside Lfec0::a:0:0:a0a:a70/128[0/0] via::,inside Cfec0:0:0:a::/64[0/0] via::,inside Lff00::/8[0/0] via::,inside
Atthetopofthelisting,youcanseethenumberofentriesinthetable,alongwithacode tablethatexplainsthelettersfoundintheleftcolumnoftheroutes.Forexample, Lisa localrouteand Cisaconnectedroute.Totherightofthenetwork/routearetwonumbersinbrackets:theleftnumberisthemetricoftheroute,andtherightnumberisthe administrativedistance.Aftertheviatagisthenext-hoprouteraddress(thiswillbenull forlocalandconnectedroutes),followedbythelocalinterfacetheappliancewilluseto reachtheIPv6destination.
IPv6NEIGHBORS WithIPv6,theapplianceusesICMPv6messageswithasolicitednodemulticastaddress todiscoverIPv6neighbors:thelink-layeraddressofneighborsonthesamelocallink,the reachabilityoftheneighbors,andthetrackingoftheneighbors.Thissectionwilldiscuss
239
240
Cisco ASA Configuration
twokindsofmessagessharedwithIPv6neighbors:neighborsolicitationandrouteradvertisementmessages.
NeighborSolicitationMessages Theapplianceusesneighborsolicitationmessages,viaICMPv6,onlocallinks(connectednetworks)todiscoverthelink-layer(datalinklayer)addresses,likeMACaddresses, ofotherneighborsonthesamelocallink.Thesearesenttothesolicitednodemulticast address,whereallneighborsonthelocallinkwillrespondwithaneighboradvertisementmessage,viaICMPv6.Thisisaunicastresponsethatcontainsthesourceaddressof theneighborandadestinationaddressoftheapplianceinterface.Thepayloadcontains theresponderlink-layeraddress.Oncetheappliancereceivestheresponse,itcancontact theneighbordirectly.ThisprocessissimilartowhatIPv4doesbyusingARP,exceptthat IPv6isusingICMPv6forthisprocess.Youcanusethe clearipv6neighborscommandtoremovethedynamicallylearnedneighborinformation. Besidesbeingusedtodiscoveraneighbor,neighborsolicitationmessagesareused forthesetworeasons:
▼ T heyverifythereachabilityofanexistingneighbor.
▲ T heyaresentwhenalink-layeraddressonadevice,likeaMACaddress, changes.ThemessagesareusedtoupdatetheIPv6-to-link-layeraddresstables onalltheconnectedneighborsonthelocallink.
NeighborSolicitationMessageTuning Ontheappliance,youcanchangetheintervalthattheapplianceusestosendoutthe neighborsolicitationmessagesandcanchangehowlongtowaittoconsideraneighbor deadwhensolicitationmessagesarenolongerseenfromaneighbor.Usethefollowing commandstoconfiguretheseparametersonanapplianceinterface: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#ipv6ndns-intervalmilliseconds ciscoasa(config-if)#ipv6ndreachable-timemilliseconds
The ipv6 nd ns-interval command specifies, in milliseconds, the amount of time betweenthetransmissionofneighborsolicitationmessagesontheinterface.Ifyoudon’t changethevalue,thedefaultis1,000milliseconds(1second).Thisvaluecanrangefrom 1,000to3,600,000milliseconds.The ipv6 nd reachable-timecommandspecifiesthe deadintervalperiod—ifaneighbor’ssolicitationmessageisn’tseenduringthisperiod,the neighborisconsidereddead.Thisvaluecanrangefrom0to3,600,000milliseconds,where 0isthedefault.Whensetto0,itisleftuptothereceivingdevicetosetandtrackthedead period.Toseewhatthisvalueisontheappliances,usetheshowipv6interfacecommand.InListing9-1,thereachabletimeis30,000milliseconds(thelastlineoftheoutput). NOTE Don’tdefineshortdeadintervalstodiscoverdeadneighbors,sincetooshortatimemight causetheappliancetoincorrectlyassumethataneighborisdead.
Chapter 9:
IPv6
StaticNeighborDefinition Forsecuritypurposes,youcanstaticallydefineyourIPv6neighbors’IPv6addressesto MACaddressesinsteadofhavingtheappliancedynamicallylearnthisvianeighborsolicitationmessages.Todefineastaticneighbor’smapping,usethefollowingcommand: ciscoasa(config)#ipv6neighborIPv6_addresslogical_if_name MAC_address
Whencreatingastaticdefinition,youmustdefinetheneighbor’sIPv6address,thelogical interfacetheneighborisconnectedto,andtheMACaddressoftheneighbor.Staticdefinitionsoverrideanyinformationlearnedvianeighborsolicitationmessages.Ifyouexecute the clear ipv6 neighborscommand,staticentriesarenotremoved—onlydynamicallylearnedonesfromneighborsolicitationmessages.However,youcanremoveastatic entrybyprefacingtheipv6neighborcommandwiththenoparameter.
RouterAdvertisementMessages Router solicitation messages are sent by IPv6 clients during an interface initialization thatisconfiguredforautoconfiguration.ThesearesentusingICMPv6totheall-nodes multicastaddress.Arouter,liketheappliance,canrespondwitharouteradvertisement (RA)message.Thesemessagescontainthefollowinginformation:
▼ I Pv6prefixorprefixesofthelocallink
■ Thelifetimeoftheprefixes
■ Thetypeofautoconfigurationthatcanbeused(statelessorstateful)
■ Thedefaultrouteraddress
■ Theneighbordiscoverytransmissionandreachableintervalvalues
▲ T heMTUsizeofthelocallinkandthemaximumhopcountallowed
RASuppression Normally,IPv6routersgenerateperiodicRAmessagesthatanIPv6clientcanlistento andthenusetogenerateitslinklocaladdresswithstatelessautoconfiguration;however, whentheIPv6clientisbootingup,waitingfortheRAmighttakeawhile.Inthissituation,theclientwillgeneratearoutersolicitationmessage,askingtheIPv6routertoreply withanRAsotheclientcangenerateitsinterfaceaddress.Basicallytheclientisrequestingthefirst64bitsofthe128-bitIPv6address. Bydefault,whenaclientthatisconnectedtoanIPv6interfaceontheappliancegeneratesanIPv6routeradvertisementmessage,theappliancewillactasarouterandrespondwithanRAmessagethatincludesthefirst64bitsoftheIPv6address.Youmight wanttodisablethisfunctionandletarealrouterhandlethis;or,iftheapplianceisdirectlyconnectedtotheInternet,youwillprobablywanttodisabletheRAprocessonthe
241
242
Cisco ASA Configuration
externalinterface.SuppressingRAmessagesontheapplianceisdoneonaninterface-byinterfacebasisbyusingthefollowingconfiguration: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#ipv6ndsuppress-ra
RAParameters If you want the appliance to respond to router solicitation messages, you can define somecommandstocontroltheprocess,shownhere: ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#ipv6ndra-interval[msec]seconds ciscoasa(config-if)#ipv6ndra-lifetimeseconds ciscoasa(config-if)#ipv6ndprefixIPv6_prefix/prefix_length
These commands are configured on an interface-by-interface basis. The ipv6 nd ra-intervalcommandspecifiesthenumberofseconds(ormilliseconds—msec)betweenRAmessages.Thedefaultis200seconds,butcanrangefrom3to1,800seconds or500to1,800,000milliseconds.Notethatthisintervalshouldbeshorterthantheone definedwiththeipv6ndra-lifetimecommand.Thelattercommandspecifieshow longclientsonthelocallinkshouldassumethattheapplianceisthedefaultrouteronthe locallink.Thisdefaultsto1,800seconds,butcanrangefrom0to9,000seconds.Theipv6 ndprefixcommandconfigurestheprefixthatisincludedintheRAmessages;youcan configuremorethanoneprefixtoinclude.Notethatforstatelessautoconfigurationto workforclients,thedefineprefixmustbe64bitsinlength.
IPv6ACLs BesidesbeingabletofilterIPv4traffic,theappliancescanalsofilterIPv6packets.Actually you can simultaneously filter both types of traffic on the appliance, on the same interfaces.ThefollowingtwosectionswilldiscusstheconfigurationofIPv6ACLsand anexampleconfiguration.
IPv6ACLConfiguration ConfiguringanIPv6ACLisverysimilartoconfiguringanIPv4ACL.Youcanusetwo basiccommands:oneforICMPv6trafficandoneforallothertypesofIPv6traffic.
FilteringICMPv6Packets ThefollowingACLcommandisusedtofilterICMPv6traffic: ciscoasa(config)#ipv6access-listACL_ID[lineline_#] {deny|permit}icmp6 {src_IPv6_prefix/prefix_length|any|host
Chapter 9:
IPv6
src_IPv6_addr|object-group network_obj_grp_id} {dst_IPv6_prefix/prefix_length|any|host dst_IPv6_addr|object-group network_obj_grp_id} [icmp_type|object-group icmp_type_obj_grp_id] [log[[level][intervalseconds]|disable| default]]
Asyoucansee,thesyntaxisverysimilartoanIPv4ACL.Noticethatyoucanuseobject groupswithyourIPv6ACLs.Themaindifferenceistheaddressingused:thereisnoaddressandsubnetmaskformat.Instead,youcanspecifythekeywordany,thekeyword hostfollowedbyanIPv6address(all128-bits),anobjectgroup,oranetworkprefixand theprefixlength(inbits). ForICMPv6messagetypes,youcanentereitherthenameornumberofthemessage type.CurrentICMPv6messagenamesincludethefollowing:destination-unreachable, echo-reply, echo-request, membership-query, membership-reduction, membership-report, neighbor-advertisement, neighbor-redirect, neighborsolicitation, packet-too-big, parameter-problem, router-advertisement, router-renumbering,router-solicitation,andtime-exceeded. NOTE RefertoChapter6foranoverviewofIPv4ACLsandtheirsyntax.
FilteringOtherTypesofIPv6Packets TofilterothertypesofIPv6packets,usethefollowingACLcommand: ciscoasa(config)#ipv6access-listACL_ID[lineline_#] {deny|permit}{protocol_name_or_#| object-groupprotocol_obj_grp_id} {src_IPv6_prefix/prefix_length|any|host src_IPv6_addr|object-group network_obj_grp_id}[operator {port[port]| object-groupservice_obj_grp_id}] {dst_IPv6_prefix/prefix_length|any|host dst_IPv6_addr|object-group network_obj_grp_id}[{operator port[port]| object-groupservice_obj_grp_id}] [log[[level_#][intervalseconds]| disable|default]]
243
244
Cisco ASA Configuration
Asyoucanseefromtheprecedingsyntax,theconfigurationofanIPv6ACLcommandis almostthesameasthatofanIPv4command,withtheexceptionofmatchingonarange ofIPv6addresseswithanIPv6prefixandprefixlength.
ActivatingandVerifyingIPv6ACLs Activating an IPv6ACL is the same as activating an IPv4ACL: you use the access-
groupcommand.Here’sthesyntax:
ciscoasa(config)#access-groupACL_ID{in|out}interface logical_if_name
OnceyouhavecreatedandactivatedyourACLs,youcanusetheshowipv6accesslistcommandtoseeyourstatements,alongwiththehitcountsforthestatements.Here’s thefullsyntaxofthecommand:
ciscoasa#showipv6access-list[ACL_ID [src_IPv6_prefix/prefix_length| any|hostsrc_IPv6_addr]]
Without any parameters, the appliance will display all theACLs: you can qualify the outputbyprovidingadditionalparameters.
IPv6ACLExample NowthatyouhaveabasicunderstandingofconfiguringIPv6ACLs,let’slookatasimpleexampletohelpillustratetheuseofthecommands.Here’sashortconfiguration: ciscoasa(config)#ipv6access-listacl_outpermittcpany host3001:1::213:A12F:FAB6:126Deq80 ciscoasa(config)#ipv6access-listacl_outdenytcpany host3001:1::213:A12F:FAB6:126Deq21 ciscoasa(config)#access-groupacl_outininterfaceoutside
Inthisexample,outsidewebandFTPIPv6connectionsareallowedtoaninternal server(3001:1::213:A12F:FAB6:126D).
III Policy Implementation
245
This page intentionally left blank
10 Modular Policy Framework
247
248
Cisco ASA Configuration
T
his chapter will introduce you to the Cisco Modular Policy Framework (MPF) featureonthesecurityappliances.MPFwasactuallyportedfromtheCiscoIOS routersandswitchesandaddedtoversion7.0oftheappliances.Obviouslymany similaritiesexistintheoperationanduseofMPFonbothplatforms;however,thereare differences:MPFisprimarilyusedtoimplementsecurityfunctionsontheappliance.The topicsincludedinthischapterare
▼ A nintroductiontoMPFontheappliances
■ Howclassmapsareusedtoclassifytraffic
■ Howpolicymapsareusedtoassociatepoliciestoclassmaps
▲ H owservicepoliciesareusedtoactivatepolicymaps
ThischapterfocusesonanoverviewofMPFandongenerallyhowMPFisimplemented. SubsequentchaptersinPartIIIwillfocusontheparticularsofhowMPFisimplemented fordifferentprotocolsandapplicationsandonsomeoftheenhancedsecuritycapabilitiesthatMPFprovidesyou.
MPFOVERVIEW MPFisafeatureportedfromtheIOStomakeiteasiertoimplementconsistentandflexiblepoliciesonthesecurityappliances.Oneormorepoliciescanbeappliedtotraffic flowingthroughtheappliance.Thefollowingtwosectionswilldiscussthepoliciesthe appliancessupportandthecomponentsusedtoimplementMPF.
MPFPolicies MPFallowsyoutoassignoneormorepoliciestoaclassoftraffic.Thepoliciesyoucan applytotrafficincludethefollowing:
▼ I nspectionofconnections Youcancontrolwhattrafficisaddedtothestate tabletoallowreturningtrafficbacktothesource,aswellasexaminethepayloads ofinspectedapplicationsforconnection,translation,andsecurityissues.
■ � Connectionrestrictions Youcanlimitthenumberofcompletedandhalf-open (embryonic)connectionsonaper-group,per-user,orper-hostbasis;controlthe idletimeoutsforconnectionsinthestatetable;andcontrolotherparametersfor connections.
■ Trafficprioritization Youcanimplementlow-latencyqueuing(LLQ)toprioritize delay-sensitiveandhigh-prioritytraffic,likevoice,overnormaldatatraffic.
■ Trafficpolicing Youcanrate-limittrafficinboththeinboundandoutbound directionsonaninterfacetoensurethatexcessivebandwidthneedsofonetype oftrafficorapplicationdoesn’taffectothertrafficflowingthroughtheappliance.
Chapter 10:
Modular Policy Framework
■ Intrusionpreventionsystem(IPS) IfyouhavetheAIP-SSMcardinstalledin anASA,youcandefinepoliciestocopypacketstoortoredirectpacketsinto theAIP-SSMcardtolookforandpreventattacks.
▲ A nti-X IfyouhavetheCSC-SSMcardinstalledinanASA,youcandefine policiestohavetrafficredirectedthroughthecardtolookforviruses,malware, spyware,phishing,andothertypesofissueswithweb,FTP,ande-mail applications.
WhyMPFIsNecessary YouhavealreadyseenmanyreasonsinthelastsectionwhyyoumightwanttouseMPF. However,Ineedtoexpandononeoftheseitems,applicationinspection,toseesomeof themorehiddenadvantagesthatMPFprovides.Thefollowingthreesectionswilldiscussproblemsthatcertainapplicationsand/orprotocolsmighthaveandwhatMPFcan dowithapplicationinspectiontosolvetheseproblems.TheremainderofPartIIIwill delveintomanyoftheapplicationsandprotocolsthatCiscocanperforminspectionon; thenextsectionswillfocusonlyonsomesimpleexamples. TIP I’m always asked when consulting or teaching Cisco security classes what’s the difference betweenbuyingaSOHOfirewalllikeaLinksys,Belkin,orD-Linkcomparedwithasecurityappliance like an ASA 5505. Low-end firewall products don’t perform application inspection, and therefore theydon’tnecessarilyadequatelyprotecttheresourcesthatsitbehindthem.I’vealwayssaidthat innetworking,youtypicallygetwhatyoupayfor:spendinglittlemoneygetsyoulittleinthefeature department.
SecurityWeaknessesinApplications Manyapplicationshavebecomefamousfortheirsecurityweaknesses.E-mailandweb applicationsaresomeofthemorewell-knownones,likeMicrosoftExchangeandIIS, Apachewebserver,andSendmail.SendmailandExchangeusetheSMTPprotocolto implementTCP/IPe-mailsolutions.Manyofthesecurityweaknessesrelatedtoe-mail havetodowiththesupportedcommandsusedbySMTPtointeractbetweendevices. You’llwanttoeitherconfigureyourSMTP-basede-mailpackagetoremoveunnecessary commands,oruseanalternative,morecentralizedsolution,likethesecurityappliances, tofilteroutunnecessaryandundesirablecommandsandbehaviors.Somee-mailcommands that are undesirable are debug and wiz. Likewise, even legitimate commands canposeproblemsfore-mail—forexample,youwouldn’twantsomeoneusinglegitimate e-mail commands to harvest your e-mail directory and then to use the learned addressesforaspamattack.
ApplicationswithMultipleConnections Manyapplications,especiallythoserelatedtomultimedia,haveissueswithhowtheydeal withportnumbers.Asanexample,astandardapplicationliketelnetusesawell-known
249
250
Cisco ASA Configuration
destinationportnumberforcommunications:23.Anytimeadevicewantstoconnectto atelnetserver,itopensanunusedportabove1023asthesourceportanduses23asthe destinationport. Otherapplications,however,mightusemorethanoneconnectiontotransmitdata. Amultimediaapplication,forinstance,mighthavetheclientopenacontrolconnection onawell-knownportnumber,butadditionalconnectionsmightbeopenedonarange ofdynamicportnumberstodelivertheactualmultimediacontent.Thisprocessmakes securefilteringamorecomplicatedtask.Forexample,ifthedataconnectionsusecompletelyrandomports,howwouldthefirewalldeviceknowwhatconnectionstoallow? Figure10-1illustratesthisissue. Basicallyyoucouldusetwosolutionstosolvethisproblem:
▼ Y oucouldconfigureverypromiscuousACLstoallowalargerangeofports throughyourfirewall.This,ofcourse,isn’tverydesirablesincewhetherornot someoneisusingtheapplication,theACLwouldalwaysallowtheconnections.
▲ Y oucoulduseanintelligentfirewallthatexaminesthecontrolconnectionof theapplicationtodeterminewhentheadditionalconnectionorconnections areneededandtheportnumbersnegotiatedbetweentheuserandserver;then youcouldhavethefirewalladdthisinformationtoitsstatetabletoallowthe connectionsandremovethemwhentheyaredone.
Obviously,ofthetwosolutions,thelatteristhepreferredapproach.Ciscosupportsthis featureformanyapplicationsthatflowthroughtheappliance.Thisapplicationinspectionprocessisenabledbydefaultformanyapplications;however,forothersyoumust manuallyenableapplicationinspection.
ConnectionswithEmbeddedAddressingInformation Another problem with some applications is that they may embed IP addresses, and possibly port numbers, in the actual payload and expect the remote peer to use this
Outside Data Server
Inside User
Control Connection Port = 52831 Port = 58183
Data Connection 1 Data Connection 2
Figure10-1. Anapplicationwithmultipleconnections
Port = 38987 Port = 38995
Chapter 10:
Modular Policy Framework
information for an additional connection that should be established. This can create problems with address translation devices, where they are only performing address translationatthenetworkandtransportlayer,notatthesession/applicationlayer.The addressingorportinformationrequestedmightconflictwithwhatisalreadyintheaddresstranslationtable. LookatFigure10-2,whichillustratesthisproblem.Onthecontrolconnection,UserB notifiesthedataservertoconnecttoport38995forthedataconnection;however,port 38995isalreadyusedbyanotheruser(UserA)inthetranslationtable. Youhavetwosolutionstothisproblem:Assumingyoucouldcontrolwhatsource portnumbertheuserwasgoingtosendtotheserver,youcoulddefinedifferentports fordifferentusers,andthensetupastaticPATtranslationforeachuser.Obviouslythis isn’tscalable,andontopofthisissue,theapplicationmightnotletyouspecifytheport numbertheusersendstotheserver. A better solution would have the translation device examine the application payloadsofcontrolconnectionstofindanyembeddedaddressinginformationandperform addresstranslationonthelayer3andlayer4headersaswellastheembeddedaddresses intheapplication-layerpayloads.Again,Ciscosecurityappliancescandealwithmany applications that embed addressing information in the application-layer payload and canperformaddresstranslationonthisembeddedinformation. NOTE Ciscodoesn’tsupportapplication-layerinspectionforallapplications—onlytheonesmore commonlyusedbyacompanynetwork.However,thelistisquiteextensive.Theremainingchapters inPartIIIwillcovermanyoftheapplicationsthattheappliancessupportfortheapplicationinspection process.
Translation Table Device IP Address User A 192.168.1.1
Source Port 38995
Data Server
Port = 500 Port = 58183
Inside User B
Control Connection Data Connection
Port = 38987 Port = 38995
Figure10-2. Anapplicationwithembeddedaddressinginformation
251
252
Cisco ASA Configuration
Class Map
Policy Map
Service Policy
Internet users Sales IPSec RA users Voice traffic Normal data traffic
IPS and inspect Police Prioritize Inspect
Outside interface Outside interface Inside interface All interfaces
Figure10-3. MPFandanexamplepolicyimplementationonanappliance
MPFComponents NowthatyouunderstandsomeofthepoliciesthatMPFcanimplementandwhyMPFis needed,let’sdiscussthecomponentsthatcompriseMPF.ImplementingMPFhasthree components:
▼ C � lassmaps Classifyand/oridentifytrafficthatyouwanttoassociateoneor morepoliciesto
■ Policymaps Associateoneormorepoliciestoaclassoftrafficinyourclassmaps
▲ S � ervicepolicies Activatethepoliciesinyourpolicymapseitheronaspecific interfaceoronallinterfacesoftheappliance
TohelpunderstandtheMPFcomponentsandhowtheyinteractwitheachother,examineFigure10-3.Inthisexample,fourpolicieswereimplemented.First,allInternettraffic enteringtheoutsideinterfaceoftheappliancewillhavetheIPScardprocessitand,assumingtheIPScarddoesn’tdropit,thetrafficcomesbackoutofthecard,andtheappliance performsapplication-layerinspectiononit—forvalidconnections;thesewillbeaddedto thestatetable.Second,theSalesIPSecremoteaccess(RA)userswillhaverate-limiting(policing)appliedtotheirtrafficontheoutsideinterface.Third,voicetrafficwillbeprioritized andforwardedouttheinsideinterfacebeforeothertypesoftraffic.Fourth,normaldata trafficwillbeinspectedonallinterfacesandaddedtothestatetableasnecessary.
CLASSMAPS Classmapsidentifythetrafficthatyouwanttoassignoneormorepoliciesto.Ciscosupportsdifferentkindsofclassmaps:
▼ L ayer3/4 Youclassifytrafficbasedoninformationtheapplianceseesinthe layer3and/orlayer4packetheaders,likewebtraffic(TCPport80)senttoa DMZwebserverwithanIPaddressof192.1.1.1.
■ Inspection(layer7) Youclassifytrafficbasedoninformationintheapplication payloadofapacket,likesomeoneexecutingtheputcommandonanFTP
Chapter 10:
Modular Policy Framework
controlconnection,oraURLthatexceedsacertainsizeonawebconnection: thesekindsofclassificationsrequiretheappliancetoexaminethepayload informationindepth.
■ Regularexpressions Youclassifytrafficbasedonregularexpressionstrings foundinthelayer7applicationpayloadsofpackets.Forexample,youmight wanttolookforaURLthatbeginswith“http://”andcontains“.cisco.com/”.
▲ M anagement Wheretheotherclassmaptypesareusedforidentifyinguser trafficflowingthroughtheappliance,themanagementclassmapisusedto classifymanagementtraffictoorfromtheappliance.
Whenusingclassmaps,youarerequiredtousealayer3/4classmaptoidentifythe devicesandorservices,likeaparticularFTPserver.Optionally,youcanqualifyyour trafficbyusingotherclassmaps,likeaninspectionclassmaptoalsolookinthepayload foraparticularregularexpressionstringofafilenameorforanFTPcommandthatis beingexecuted. NOTE Thischapterwillprimarilyfocusonlayer3/4classandpolicymaps.Inspectionclassmaps willbediscussedinmoredepthinsubsequentchapterswherethevariousapplicationsarecovered withMPF.
Layer3/4ClassMaps Hereisthesyntaxtocreatealayer3/4classmap: ciscoasa(config)#class-mapclass_map_name ciscoasa(config-cmap)#descriptionclass_map_description ciscoasa(config-cmap)#matchany ciscoasa(config-cmap)#matchaccess-listACL_ID ciscoasa(config-cmap)#matchport{tcp|udp}{eqport_#| rangeport_#port_#} ciscoasa(config-cmap)#matchdefault-inspection-traffic ciscoasa(config-cmap)#matchdscpvalue1[value2][...][value8] ciscoasa(config-cmap)#matchprecedencevalue1[value2][...][value8] ciscoasa(config-cmap)#matchrtpstart_port_#end_port_# ciscoasa(config-cmap)#matchtunnel-grouptunnel_group_name ciscoasa(config-cmap)#matchflowipdestination-address ciscoasa#showrunclass-map[class_map_name]
Use the class-map command to assign a unique name to the class map. The match commandspecifiesthetraffictoincludeintheclassmap,whereTable10-1explainsthe parametersforthiscommand.
253
254
Cisco ASA Configuration
MatchParameter
Description
any
Includesalltraffic.
access-list
Includesanytrafficthatmatchesthepermitparametersin thespecifiedACL.
port
Includesanytrafficthatmatchesthespecifiedport number(s).
defaultinspectiontraffic
Includesalldefaultapplicationinspectiontraffic,whichis aboutadozen-and-a-halfprotocols.
dscp
MatchesonthespecifiedDSCPvaluesintheIPheaderused forQoS.
precedence
MatchesonthespecifiedTOSvaluesintheIPheaderusedfor QoS.
rtp
MatchesontherangeofportnumbersusedbyRTP,which isaprotocolcommonlyusedinmultimediaapplicationslike CiscoIP/TVandSIP.
tunnel-group Matchesonaparticularsite-to-siteconnectionorona WebVPNorIPSecremoteaccessgroup. flow
Furtherqualifiesthematchingprocesswhentheconfigured policyispolicing:forexample,whenyou’rerate-limiting remoteaccessusers,withoutthiscommand,alltraffic associatedwiththeuserwouldberate-limitedwiththe definedpolicy;withthiscommand,thepolicyisappliedto auseronaper-destinationbasis.
Table10-1. ThematchCommandParameters
NOTE Whenyou’relookingforamatch,mostmatchcommandsareXOR(Ored),soifanytraffic matchesa matchcommandinaclassmap,itisincludedintheclassification.However,incertain cases,itusesanXAND(Anded)process,likematchdscpandmatchtunnel-groupwould allowyoutolookfordifferentQoSsettingsforaparticularVPNtunnelinasingleclassmap.
DefaultClassMap When you boot up an appliance with no configuration, you will find certain default configurationsonit.OnedefaultconfigurationisforMPF,whereadefaultclassmapis alreadyconfigured,shownhere:
Chapter 10:
Modular Policy Framework
ciscoasa#showrunclass-map class-mapinspection_default matchdefault-inspection-traffic
Table10-2liststhedefaultinspectionprotocols/applications,protocols,andsourceand destinationportstheapplianceisexpectingandinspectingthemon.N/Aindicatesany port.Forexample,bydefaulttheapplianceisexpectingtheFTPcontrolconnectiontobe
Application/Protocol
Protocol
SourcePort
DestinationPort
CTIQBE
TCP
N/A
1748
DCERPC
TCP
N/A
135
DNS
UDP
53
53
FTP
TCP
N/A
21
GTP
UDP
2123and3386
2123and3386
H323H225
TCP
N/A
1720
H323RAS
UDP
N/A
1718and1719
HTTP
TCP
N/A
80
ICMP
ICMP
N/A
N/A
ILS
TCP
N/A
389
IM
TCP
N/A
1–65539
IPSecPass-Thru
UDP
N/A
500
NetBIOS
UDP
137–138
N/A
RPC
UDP
111
111
RSH
TCP
N/A
514
RTSP
TCP
N/A
554
SIP
TCP/UDP
N/A
5060
Skinny(SCCP)
TCP
N/A
2000
SMTP
TCP
N/A
25
SQL*Net
TCP
N/A
1521
TFTP
UDP
N/A
69
XDMCP
UDP
177
177
Table10-2. DefaultTrafficInspectionforthematchdefault-traffic-inspection Command
255
256
Cisco ASA Configuration
usingTCPwherethedestinationserverportis21.Ciscocreatedapredefinedlistforthe mostcommonlyusedapplications.IfyouhaveanFTPserverusingadifferentdestinationport,like2121,theappliancedoesn’tknowthisbydefault—youwouldeitherhave tocreateaspecificlayer3/4classmapandincludethisinformation,oraddthisinformationtothedefaultclassmap.
ClassMapConfigurationExample Tohelpillustratetheuseoflayer3/4classmaps,let’slookatthefollowingconfiguration example: ciscoasa(config)#access-listDMZ_Server_ACLpermittcpany host192.168.1.1eq8080 ciscoasa(config)#class-mapDMZ_Web_Server ciscoasa(config-cmap)#matchaccess-listDMZ_Server_ACL ciscoasa(config)#class-mapL2L_Orlando ciscoasa(config-cmap)#matchtunnel-groupL2L_Orlando_VPN ciscoasa(config-cmap)#matchdscpcs5
The first class map, DMZ_Web_Server, includes the DMZ web server listening on port8080.Icouldeasilyhaveusedthematchporttcp8080commandinsteadofusinganACL;however,theproblemwiththematchportcommandisthatitincludesall port8080connections.Inthisexample,ImighthaveawebserverrunningonTCPport 8080,butadifferentservermighthaveadifferentapplicationrunningonport8080.UsingACLs,IcanbeveryspecificaboutwhattrafficI’mclassifyingandidentifying. Thesecondclassmapincludesvoicetraffic(DSCPcodeCS5)onaparticularIPSec site-to-site(LAN-to-LANorL2L)connection.L2Lconnectionsaredefinedusingatunnel group(thisisdiscussedinChapter15),wherethistunnelgroupspecifiestheOrlando L2Lconnection.
ApplicationLayerClassMaps Applicationlayerclassmapsareusedtolookforcertainthingsintheapplication-layer payload;theycanbeusedtoqualifyalayer3/4classmap,whichidentifiesthelayer3 addresses, the protocol, and possibly the port numbers of the application involved. Applicationlayerclassmapsfallundertwocategories:regularexpressionsandinspectionclassmaps.Thefollowingtwosectionswilldiscusswhattheseare,howtheyare used,andintroducehowtheyareconfigured.
RegularExpressionsandClassMaps Regular expressions are used to match on a string of characters or variations of characters,likelookingfor“richard”ineitherlowercase,uppercase,ormixedcase.Special characterscanbeusedtocreatewildcardpatterns,lookforinformationincertainparts ofastring,andformanyotheruses.Actually,Ciscodidn’tinventitsownspecialcharactersforregularexpressionpatternmatching;instead,itusesthesameonesthatmany UNIXprogramsuse,likegrep,awk,andsed.
Chapter 10:
Modular Policy Framework
Regularexpressionscanbeusedinlayer7classandlayer7policymapsforinformationembeddedinthepayloadofaconnection.Forexample,alayer3/4classmapallows youtolookforanFTPconnectiontotheserverat192.1.1.1.However,aregularexpression allowsyoutoqualifythisinformation,likelookingforaparticularuseraccounttheuser usestologintotheserver,oraparticularfilenameordirectorytheuseraccessesonthe server.Thefollowingsectionswilldiscusshowtocreateregularexpressions,howtotest them,andhowtogroupthem(usingaregularexpressionclassmap)ontheappliance. Creating a Regular Expression Creating a regular expression is done with the regex command: ciscoasa(config)#regexregex_nameregular_expression
First,youmustgivetheregularexpressionanamethatdescribeswhatyouarematching on.Followingthisistheregularexpressionpatternyouwanttosearchforinastring. Table10-3hasalistofregularexpressionspecialcharactersyoucanusetomatchona stringoftext.
SpecialCharacter
Explanation
.
The“.”matchesanysinglecharacter.Forexample,“d.g” matches“dog”,“dig”,“dug”,andanywordthatcontains thosecharacters,like“daggonnit”.
(exp)
The“()”segregatescharactersfromthesurroundingcharacters, sothatyoucanuseothermetacharactersonthesubexpression. Forexample,“d(o|i)g”matches“dog”and“dig”,but“do|ig” matches“do”and“ig”.Asubexpressioncanalsobeusedwith repeatedquantifierstodifferentiatethecharactersmeantfor repetition.Forexample,“12(34){3}5”matches“123434345”.
|
The“|”matcheseitherexpressionitseparates.Forexample, “dog|cat”matches“dog”or“cat”.
?
The“?”indicatesthatthereare0or1oftheprevious character.Forexample,“ra?ise”matcheson“raise”or“rise”. NotethatyoumustenterCtrl+Vandthenthequestionmark, orelsetheASACLIhelpfunctionisperformedinstead.
*
The“*”indicatesthatthereare0,1,oranynumberofthe previouscharacter.Forexample,“mo*se”matcheson“mse”, “mose”,“moose”,andsoon. Continues...
Table10-3. RegularExpressionSpecialCharacters
257
258
Cisco ASA Configuration
SpecialCharacter
Explanation
+
The“+”indicatesthatthereisatleast1oftheprevious character.Forexample,“mo+se”matcheson“mose”and “moose”,butnot“mse”.
{x}or{x,}
The“{}”,withanumberbetweenthebraces,indicatesthe previousexpressionisrepeatedatleast“x”times.Forexample, “ab(fd){2,}e”matches“abfdfde”,“abfdfdfde”,andsoon.
[abc]
The“[]”matchesanycharacterinthebrackets.Forexample, “[Rr]”matcheson“R”or“r”.
[^abc]
The“[^]”matchesasinglecharacterthatisnotcontained withinthebrackets.Forexample,“[^abc]”matchesany characterotherthan“a”,“b”,or“c”;or“[^A-Z]”matches anysinglecharacterthatisnotanuppercaseletter.
[a-c]
The“[-]”matchesanycharacterintherange.Forexample, “[A-Z]”matchesanyuppercaseletter.Youcanalsomix charactersandranges:“[abcq-z]”matches“a”,“b”,“c”,and “q”through“z”.Youcouldalsowritethisas“[a-cq-z]”.
"abc"
The“""”preservestrailingorleadingspacesinthestring.For example,"secret"preservestheleadingspacewhenitlooks foramatch.
^
The“^”specifiesthebeginningofaline.
\
The“\”,whenusedwitharegularexpressionmetacharacter, matchesaliteralcharacter.Forexample,“\.”matchesaperiod (“.”).Thisisusedwhenyouwanttomatchonacharacterthat isitselfametacharacter.
\r
The“\r”matchesonacarriagereturn.
\n
The“\n”matchesonanewline.
\t
The“\t”matchesonatab.
\f
The“\f”matchesonaformfeed(newpage).
\xNN
The“\x”matchesonanASCIIcharacterspecifiedbythetwo hexadecimaldigits(NN).
\NNN
The“\”matchesonanyASCIIcharacterspecifiedasoctal (thethreedigitslisted).
Table10-3. RegularExpressionSpecialCharacters(Continued)
Chapter 10:
Modular Policy Framework
Tohelpyouwithcreatingregularexpressions,herearetwoexamples: ciscoasa(config)#regexMy_string1[Rr][email protected] ciscoasa(config)#regexMy_string2".+\.[Jj][Pp][Gg]"
The My_string1 regular expression matches on either “[email protected]” or “[email protected]”.TheMy_string2regularexpressionmatchesonanystringthathas atleastonecharacterbefore“.jpg”inanycase(upper-,lower-,ormixedcase).Forexample,thiswouldinclude“a.jpg”,“B.JPG”,and“anyfile.JpG”,butnot“.jpg”. TestingRegularExpressions Ifyouareunsurehowtocreatearegularexpression,Cisco supportsa testcommandthatyoucanusetotestastringofinputagainstaregular expression: ciscoasa#testregexinput_textregular_expression
Herearesomeexamplesandtheresultingoutputofthetest: ciscoasa#testregexdog"[Dd][Oo][Gg]" INFO:Regularexpressionmatchsucceeded. ciscoasa#testregexcat"[Dd][Oo][Gg]" INFO:Regularexpressionmatchfailed. ciscoasa#testregexfilename.gif".+\.[Jj][Pp][Gg]" INFO:Regularexpressionmatchfailed. ciscoasa#testregexfilename.jpg".+\.[Jj][Pp][Gg]" INFO:Regularexpressionmatchsucceeded. ciscoasa#testregex.jpg".+\.[Jj][Pp][Gg]" INFO:Regularexpressionmatchfailed.
Grouping RegularExpressions You can group regular expressions together in a regular expression class map. For example, you might want to look for a handful of regular expressionsinthepayloadofapacket.Regularexpressionclassmapscanbeusedfor this.Hereisthesyntaxtogroupyourregularexpressionstogetherintoaset: ciscoasa(config)#class-maptyperegexmatch-anyclass_map_name ciscoasa(config-cmap)#matchregexregex_name
Hereisanexampleofconfiguringregularexpressionsandincludingtheminaregularexpressionclassmap: ciscoasa(config)#regexMy_string1[Rr][email protected] ciscoasa(config)#regexMy_string2[Aa][email protected] ciscoasa(config)#class-maptyperegexmatch-anyEmail_Class ciscoasa(config-cmap)#matchregexMy_string1 ciscoasa(config-cmap)#matchregexMy_string2
In the preceding example, a regular expression class map includes the two e-mail addresses,wherethenamesofthee-mailaddressescanbeginwitheitheralower-or uppercasecharacter.
259
260
Cisco ASA Configuration
NOTE Ifyouareonlyinterestedinlookingforoneregularexpression,thenyouusuallydon’tneedto createaregularexpressionclassmap.Theregularexpressionclassmapsaretypicallyonlyneeded whenyouwanttolookformultipleregularexpressionsinapacketpayload.
InspectionClassMaps Ciscosupportsahandfulofclassmapsthatcanbeusedtoqualifywhat,intheapplicationlayerpayload,youwanttolookforandthenapplyapolicyto.Theseclassmapsare commonlyreferredtoasinspectorinspectionclassmaps.Thegeneralsyntaxofcreating aninspectionclassmapisasfollows: ciscoasa(config)#class-maptypeinspectapplication [match-all|match-any]class_map_name ciscoasa(config-cmap)#
For the application parameter, the following applications are currently supported: dns,ftp,h323,http,im,andsip.Thematch-allparameterspecifiesthatallthematch
commandsmustbematchedoninordertoclassifythetrafficandassociateapolicytoit; thematch-anyparameterspecifiesthatonlyonematchcommandhastobematchedon toassociateapolicytothetraffic;ifyouomitit,theparameterdefaultstomatch-any. Onceyoucreatetheinspectionclassmap,youaretakenintoasubcommandmode. Some of the match commands are the same between different application types, but manyofthemaredifferent.Thesecommandswillbediscussedwiththeapplicationsin theremainingchaptersinPartIII.Justtogiveyouanideawhataninspectionclassmap lookslike,here’sanexampleforwebtraffic: ciscoasa(config)#class-maptypeinspecthttpmatch-any examine-put-and-post ciscoasa(config-cmap)#matchrequestmethodput ciscoasa(config-cmap)#matchrequestmethodpost
Inthisexample,iftheuser’swebbrowsersendsa putor postcommand(noticethe match-anyparameterfortheclassmap),thenthiswouldqualifyasamatch.
POLICYMAPS Policymapsareusedtoimplementpoliciesfortrafficthatmatchesmatchcommandsin classmaps.Therearetwokindsofpolicymaps:
▼ L ayer3/4policymap Specifiespoliciesforlayer3/4classmaps,whichare basicallytrafficflowsbasedonIPaddressesandprotocolinformation;an examplelayer3/4policywouldbewhereyouwanttheIPScardinanASAto processTCPport80trafficasitcomesintotheoutsideinterface.
Chapter 10:
Modular Policy Framework
▲ L ayer7policymap Specifiespoliciesfordatafoundinthepacketpayload, likeaURLawebbrowsersendstoawebserver.Anexamplelayer7policy wouldbeperformingaTCPresetonanFTPconnectionwhensomeone executestheputcommandontheFTPcontrolconnection.Layer7policiesare sometimesreferredtoasapplicationorinspectionpolicies.
Toimplementpolicies,youmustminimallyusealayer3/4policymap.Optionallyyou canqualifythelayer3/4policywithalayer7policy.Thefollowingsectionswilldiscuss theuseandconfigurationofthesetwopolicymaps.
Layer3/4PolicyMap Layer 3/4 policy maps associate one or more policies to traffic that matches a match commandinalayer3/4classmap.Whenmorethanonepolicyisassociatedwiththe classmap,thepoliciesareenforcedintheorderlistednext:
1. Connectionlimits,connectiontimeouts,andTCPsequencenumberrandomization
2. CSCcard
3. Statefulandapplicationinspection
4. IPScard
5. Inputpolicing
6. Outputpolicing
7. Priorityqueuing
Thefollowingsectionswilldiscusshowtocreatelayer3/4policymapsandhowtoassociatepolicieswithlayer3/4classmaps.
GeneralLayer3/4PolicyMapSyntax Creatingalayer3/4policymapisdonewiththepolicy-mapcommand: ciscoasa(config)#policy-mappolicy_map_name ciscoasa(config-pmap)#classclass_map_name ciscoasa(config-pmap-c)#
Thepolicy-mapcommandtakesyouintoasubcommandmodewhereyoureferenceyour layer-3/4classmapnameornameswiththe classcommand.Whenreferencingaclass map,youaretakenintoasecondsubcommandmode.Inthissecondmode,youreference theactualpoliciesfortheclassoftraffic.Notethatyoucanspecifymorethanonepolicyfor aclassoftraffic.Thefollowingsectionswilldiscusshowtosetupthespecificpolicies.
ConnectionLimits Connectionlimitsarecommonlyusedtopreventconnectionandfloodattacks.Youcan havedifferentconnectionpoliciesfordifferentapplications,servers,users,oracombinationofthethree.Thesecanincludenumberofconnections,timeouts,andrandomization
261
262
Cisco ASA Configuration
of TCP sequence numbers. The following two sections show you how to configure a connectionlimitpolicy. TIP I’veusedconnectionlimitstopreventusersfromspawninghundredsofconnectionsfromtheir bit-torrentandpeer-to-peerclients.Inonecase,threeproblemusershadover500UDPconnections each,alltransferringdataviabittorrent.Connectionlimitscanalsopreventnetworkhardwarefrom beingoverwhelmedwithattacktrafficifanewwormshouldhitthenetwork.Ialwaystellmycustomers toimplementsometypeoflimitation,between1connectionandbelowthepointwheretheappliance conntablefillsuporitsCPUbecomespeggedat100percent.Rememberthatbydefaultasingle usercancreateanunlimitednumberofconnectionsandthattheapplianceshaveafinitenumberof connectionsthattheycansupport;thereforeputsomeconnectionlimitationinplace.Askyourself, shouldauserhave500UDPsessionsatonce?No?Howabout100?No?Howabout50?Notsure? Then50mightbeaniceplacetostartinsteadof“untilthefirewallchokes”becauseofafloodof connections. ConnectionLimitConfiguration Thefollowingconfigurationallowsyoutodefineconnection limitsaswellasenablingordisablingtherandomizationofTCPsequencenumbers: ciscoasa(config)#policy-mappolicy_map_name ciscoasa(config-pmap)#classclass_map_name ciscoasa(config-pmap-c)#setconnectionconn-maxmax_#_conns ciscoasa(config-pmap-c)#setconnectionper-client-maxmax_#_user_conns ciscoasa(config-pmap-c)#setconnectionembyronic-conn-max max_#_embryonic_conns ciscoasa(config-pmap-c)#setconnectionper-client-embryonic-max max_#_user_embryonic_conns ciscoasa(config-pmap-c)#setconnectionrandom-sequence-number {enable|disable} ciscoasa(config-pmap-c)#setconnectiontimeouttcpHH:MM:SS[reset] ciscoasa(config-pmap-c)#setconnectiontimeoutembryonicHH:MM:SS ciscoasa(config-pmap-c)#setconnectiontimeouthalf-closeHH:MM:SS ciscoasa(config-pmap-c)#setconnectiontimeoutdcdretry_interval [max_tries]
Theconn-maxparameterlimitsthemaximumnumberofsimultaneousconnectionsfor alltrafficthatmatchestheclassmap.Theper-client-maxparameterlimitsthemaximum numberofconnections(open)foreachuserwithintheclassmap.Theembyronic-conn- max parameter limits the maximum number of embryonic connections (half-open) for alltrafficthatmatchestheclassmap.Theper-client-embryonic-maxparameterlimitsthemaximumnumberofembryonicconnections(half-open)foreachuserwithinthe classmap. NOTE Ifyoudon’tdefineanyconnectionlimits,whatevertheappliancecanfitinitsstatetable(the licensedlimit)iswhattheappliancewillallow.
Chapter 10:
Modular Policy Framework
Therandom-sequence-numberparameterenablesordisablestherandomizationof TCPsequencenumbersfortrafficthatmatchestheclassmap.Bydefaultthisisenabled. Youshouldonlydisableitifsomeotherdeviceisalreadydoingthisprocess(likeasecondappliance),orifaTCPapplicationisusingsometypeofsignatureprocess,likeMD5, wheretherandomizationfeaturewouldcorruptthesignature.Forexample,ifyouhave BGProutersusingMD5ondifferentsidesoftheappliance,youwillneedtodisablethe TCPsequencenumberrandomizationforthetworouters. Theremainingcommandsallowyoutodefinetimeoutsforconnectionsintheconn table.LimitsyoucanspecifyareforidleTCPconnections.Thetimeouttcpparameter specifiesatimeoutforidleTCPsessions(thisdefaultsto1hour).Theresetparameter inthiscommandspecifiesthatwhenyou’reremovingtheidleTCPconnectionfromthe conntable,youalsosendaTCPRST(reset)toboththesourceanddestinationdevices. The timeout embryonic parameter specifies the timeout for half-open (embryonic TCP)connections(thisdefaultsto30seconds).The timeout half-closeparameter specifiesthetimeoutforconnectionsthatareclosing—goingthroughtheFIN/FIN-ACK (this defaults to 5 seconds). The timeout dcd parameter specifies that when a TCP sessiontimesoutfromthe set connection timeout tcpcommand,theappliance shouldsendaDeadConnectionDetection(DCD)probeontheconnectiontobothdevices associated with the connection to determine if the connection is valid. If one of theenddevicesdoesn’trespondafterthemaximumnumberoftries(defaultsto5),the applianceremovestheconnection.Ifbothenddevicesrespondtotheprobe,theconnectionisconsideredvalid,andtheapplianceresetstheidletimer.Betweeneachprobethe appliancewaits15secondsbydefault. Connection Limit Example To understand the use of connection limits, examine the followingexampleconfiguration: ciscoasa(config)#access-listDMZ_webpermittcpany host192.168.1.10eq80 ciscoasa(config)#access-listDMZ_webpermittcpany host192.1.1.1eq80 ciscoasa(config)#class-mapDMZ_web_server_class ciscoasa(config-cmap)#matchaccess-listDMZ_web ciscoasa(config)#policy-mapoutside_policy ciscoasa(config-pmap)#classDMZ_web_server_class ciscoasa(config-pmap-c)#setconnectionconn-max2000 ciscoasa(config-pmap-c)#setconnectionembyronic-conn-max1000 ciscoasa(config-pmap-c)#setconnectionper-client-max150 ciscoasa(config-pmap-c)#setconnectionper-client-embryonic-max100 ciscoasa(config-pmap-c)#setconnectiontimeouttcp00:00:30reset ciscoasa(config-pmap-c)#setconnectiontimeoutembryonic00:00:10
Inthisexample,connectionlimitsareplacedontheDMZwebserver.Theserverislisted twiceintheACL:oncewithitslocaladdressandonceforitsglobaladdress.Thisisnecessaryifyouwanttoapplyapolicyforbothinternalandexternalusers.Forthispolicy,
263
264
Cisco ASA Configuration
nomorethan2,000totalwebconnectionstothewebserverareallowed,or150peruser; oftheseconnections,nomorethan1,000ofthesecanbeinahalf-openstate,withalimit of100half-openconnectionsperuser.TheTCPidletimeoutwaschangedfrom1hourto 30seconds,andtheembryonictimeoutfrom30to10seconds. NOTE RememberthatyoucanalsodefineconnectionlimitsanddisableTCPsequencenumber randomization in your address translation commands: static and nat.This was discussed in Chapter 5. If you’ve configured both, the MPF configuration takes precedence over the address translationcommands.
CSC-SSMCard TheCSC-SSMcard,commonlycalledtheAnti-Xcard,canlookforavarietyofattacks aswellassetupmanypoliciesthatapplytoFTP,web,ande-mailtraffic.However,by defaultnotrafficisforwardedtothecard:youmustsetupapolicytohavetrafficprocessedbythecard.FortrafficthatshouldbeprocessedbytheCSC-SSMcard,thetrafficis forwardedfromthebackplaneoftheASAintotheCSCcard,processedbythecard,and thenforwardedbacktothebackplaneoftheASAforfurtherprocessing(assumingthat thetrafficisn’tdroppedbytheCSCcardbecauseofapolicyviolation).Youcanseethe trafficflowinFigure10-4.TrafficthatthecardcanprocessincludesFTP,HTTP,HTTPS, SMTP,andPOP3.Itisnotrecommendedtoforwardothertypesoftraffic,becausethe cardwillprobablydropthese.Thefollowingtwosectionswilldiscusshowtosetupa policytohavetheCSC-SSMcardprocesstraffic. CSC-SSMConfiguration Afteryou’veidentifiedwhattrafficyouwantthecardtoprocess withalayer3/4classmap,youcanassociatetheCSC-SSMpolicytoitwiththefollowing configuration: ciscoasa(config)#policy-mappolicy_map_name ciscoasa(config-pmap)#classclass_map_name ciscoasa(config-pmap-c)#csc{fail-open|fail-close}
CSC SSM Outbound Interface
Inbound Interface ASA Backplane
Figure10-4. CSC-SSMandprocessingoftraffic
Chapter 10:
Modular Policy Framework
The csccommandspecifiesthatthespecifiedtrafficshouldbeforwardedtotheCSCSSMcardforfurtherprocessing.Optionsfortrafficthatshouldbeprocessedbythecard include
▼ f ail-open Ifcardisnotoperational,trafficbypassesthepolicy.
▲ fail-close Ifcardisnotoperational,trafficisdropped. NOTE The CSC-SSM card might not be operational because it is dead, missing its operating system,orisintheprocessofbootinguporrebooting.
CSC-SSM Example Here’s a simple example that will redirect traffic to the CSC-SSM card: ciscoasa(config)#access-listCSCACLpermittcpanyanyeq80 ciscoasa(config)#access-listCSCACLpermittcpanyanyeq443 ciscoasa(config)#access-listCSCACLpermittcpanyanyeq25 ciscoasa(config)#access-listCSCACLpermittcpanyanyeq110 ciscoasa(config)#class-mapCSC_map ciscoasa(config-cmap)#matchaccess-listCSCACL ciscoasa(config)#policy-mapinside_user_policy ciscoasa(config-pmap)#classCSC_map ciscoasa(config-pmap-c)#cscfail-open
Intheprecedingexample,allweb(HTTPandHTTPS),SMTP,andPOP3trafficwillbe processedbytheCSC-SSMcard.Ifthecardisnotoperational,thetrafficintheACLis allowedtobypassthepolicyuntilthecardbecomesoperationalagain,atwhichpointthe cardwillprocessthetraffic.ThispolicyallowstheuserstoaccesstheInternetande-mail whenthecardisbootinguporrebooting—yoursecuritypolicywilldetermineifyouuse fail-openorfail-closeasyourcardpolicy. NOTE TypicallytheAnti-Xcardisusedtoprotecttheend-users,whiletheIPScardisbestusedto protectthenetworksthemselvesandservers,likethoseonaDMZsegment.
AIP-SSMCard TheAIP-SSMcard,commonlycalledtheIPScard,canlookforavarietyofattacksagainst applications,protocols,operatingsystems,andnetworks.However,bydefaultnotraffic isprocessedbythecard:youmustsetupapolicyfirst.FortrafficthatshouldbeprocessedbytheAIP-SSMcard,youcanconfigureinlineorpromiscuousmodes.Theseare showninFigure10-5.Withinlinemode,amatchingpacketforapolicyisforwardedinto thecard,processedbythecard,andreturnedtothebackplaneoftheASAforfurther processing.Whenthepolicyisininlinemode,theIPScardcandroppacketsitself.In promiscuousmode,apacketmatchinganIPSpolicyiscopiedtothecard:theoriginal
265
266
Cisco ASA Configuration
Promiscuous Mode
Inline Mode
IPS SSM
IPS SSM Outbound Interface
Inbound Interface ASA Backplane
Outbound Interface
Inbound Interface ASA Backplane
Figure10-5. AIP-SSMandprocessingoftraffic
packetstaysonthebackplaneoftheASAandisprocessedfurtherbytheASA.Whenthe policyisinpromiscuousmode,theIPScarditselfcannotdropattacks;however,itcan resetTCPconnections,anditcanlogintotheASAandsetupashun(commonlycalled ablock)toblockoffendingtraffic. Inlinemodehasthecardbeproactive,allowingittodropoffendingpackets,while promiscuous mode has the card be reactive, where it can’t drop the initial offending packets.Bothhaveadvantagesanddisadvantages.Whiletrafficmatchingapolicyisin inlinemode,thetrafficmustgothroughthecard,causingdelay;plusiftrafficissentto thecardthatexceedsitsprocessingcapabilities,thecardcanbeoverwhelmedanddrop packets.Theupsideofpromiscuousmodeisthatifthecardisoverwhelmed,itdoesn’t affecttrafficbecausetheoriginalpacketsstayonthebackplaneoftheASA.Plus,you’ll getahigherMbpsperformanceratebyusingpromiscuousmode.However,theproblem with promiscuous mode is that it can’t effectively deal with atomic (single-packet) or Trojanhorseattacks,sinceitsreactiontotheattackwouldtypicallybetoolittle,toolate. AIP-SSMConfiguration Afteryou’veidentifiedwhattrafficyouwantthecardtoprocess withalayer3/4classmap,youcanassociatetheAIP-SSMpolicytoitwiththefollowing configuration: ciscoasa(config)#policy-mappolicy_map_name ciscoasa(config-pmap)#classclass_map_name ciscoasa(config-pmap-c)#ips{promiscuous|inline} {fail-open|fail-close}
First,withthe ipscommand,youmustspecifythemodeofoperation—promiscuous orinline—fortheclassoftraffic.AndaswiththeCSC-SSMcard,youcanchoosefrom twooptionstoconfigurethatyoucanhavetheASAperformiftheIPScardisnotoperational:fail-openorfail-close. NOTE TheAIP-SSMcardcansimultaneouslydoinlineandpromiscuousmodes:foroneclassof traffic,youcanusepromiscuousmode,andforanotherclassoftraffic,inlinemode.
Chapter 10:
Modular Policy Framework
AIP-SSMExample Here’sasimpleexamplethatusesanAIP-SSMpolicy: ciscoasa(config)#access-listIPSACL1permittcpanyany ciscoasa(config)#access-listIDSACL2permitudpanyany ciscoasa(config)#class-mapIPS_map1 ciscoasa(config-cmap)#matchaccess-listIPSACL1 ciscoasa(config)#class-mapIDS_map2 ciscoasa(config-cmap)#matchaccess-listIDSACL2 ciscoasa(config)#policy-mapoutside_policy ciscoasa(config-pmap)#classIPS_map1 ciscoasa(config-pmap-c)#ipsinlinefail-open ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#classIDS_map2 ciscoasa(config-pmap-c)#ipspromiscuousfail-open ciscoasa(config-pmap-c)#exit
Intheprecedingexample,twoAIP-SSMpoliciesareconfigured:TCPtrafficisprocessed bytheIPScardusinginlinemode,andallUDPtrafficisprocessedusingpromiscuous mode.
RateLimiting:Policing Arate-limitingpolicy,commonlycalledapolicingpolicy,canbeconfiguredtoaffecttraffic asitenters(ingress)and/orleaves(egress)aninterface.Theparametersusedtoenforce thepolicyaresimilartohowCIR(committedinformationrate)andBC(committedburst rate)areusedinframerelay,usingtheleakybucketalgorithmtohandlesmallburstsof traffic.Thefollowingtwosectionswilldiscusshowtoconfigureapolicingpolicy. PolicingConfiguration Afteryou’veidentifiedwhattrafficyouwantthecardtoprocess with a layer 3/4 class map, you can associate the rate-limiting policy to it with the followingconfiguration: ciscoasa(config)#policy-mappolicy_map_name ciscoasa(config-pmap)#classclass_map_name ciscoasa(config-pmap-c)#police{input|output} conform-rate-bps[burst-size-bytes| conform-action{drop|transmit}| exceed-action{drop|transmit}]
Thepolicecommandassignsarate-limitingpolicytotheassociateclassmap.Theinput parameterisusedtosetuparate-limitingtrafficpolicyastrafficenterstheinterface,and outputisusedastrafficleavestheinterface.Theconformingrate,inbitspersecond(bps), issimilartoaframerelayCIRvalue—whentrafficrunsatthisrateorslower,itisconsideredconforming.Theburstsize,inbytes,allowsthefirstxbytesabovetheconformingrate beforeitisconsiderednonconforming.TheASAusestheleakybucketalgorithmtoimplementthisfunction:oncethenumberofbytesspecifiedabovetheconformingratehasbeen
267
268
Cisco ASA Configuration
sent,thebucketisemptyandtrafficcontinuingtobesentabovethisrateisnonconforming. Thebucketcanbefilledbackupbytrafficgoingslowerthantheconformingrate.Sobasicallytheburstsizeistoallowforsmallburstsindatatraffic.Thelastpartofthecommand iswhereyouspecifythepolicywhenthetrafficisconformingorexceedingtheconfigured policingrate:droportransmit. PolicingExample Here’sasimpleexamplethatusesapolicingpolicy: ciscoasa(config)#class-mapRemote_Access_Users ciscoasa(config-cmap)#matchtunnel-groupsales ciscoasa(config-cmap)#matchtunnel-grouphumanresources ciscoasa(config)#policy-mapoutside_policy ciscoasa(config-pmap)#classRemote_Access_Users ciscoasa(config-pmap-c)#policeinput5600010800 conform-actiontransmitexceed-actiondrop ciscoasa(config-pmap-c)#policeoutput5600010800 conform-actiontransmitexceed-actiondrop
Theprecedingexamplesetsuparate-limitingpolicyfortwoIPSecremoteaccessuser groups—each user is allowed a traffic rate of 56 Kbps with a burst of about 10 Kbps ineitherdirectiononaninterface.IPSecremoteaccesstunnelgroupsarediscussedin Chapter17.
PrioritizationandQueuing Packetprioritizationisusedontheegressofaninterfacetoprioritizetraffic—beforetrafficexitsaninterface.Prioritizationisnormallyusedfordelay-sensitivetraffic,likevoice, orpossiblyvideo.Currentlyonlylow-latencyqueuing(LLQ)issupportedforprioritization.Thefollowingtwosectionswilldiscusshowtoconfigureprioritizationforyour delay-sensitivetraffic. NOTE YoucanfindaverygoodoverviewofLLQatthiswebsite:http://www.netqos.com/resourceroom/ articles/06_bandwidth_sharing.html. Priority Configuration To implement a prioritization policy, you must do two things: configureapolicythatcontainsprioritization,andenableLLQonanegressinterface. Hereisthesyntaxtoaccomplishboth: ciscoasa(config)#policy-mappolicy_map_name ciscoasa(config-pmap)#classclass_map_name ciscoasa(config-pmap-c)#priority ciscoasa(config-pmap-c)#exit ciscoasa(config)#priority-queuelogical_if_name
Chapter 10:
Modular Policy Framework
First,prioritizationmustbeenabledwithinalayer3/4policymapwiththe priority command.Second,oneachegressinterfacewhereyouwanttouseprioritization,you mustenableLLQwiththepriority-queuecommand. PriorityExample Here’sasimpleexamplethatusesaprioritizationpolicy: ciscoasa(config)#class-mapL2L_Orlando_Tunnel ciscoasa(config-cmap)#matchtunnel-groupL2L_Orlando_Tunnel ciscoasa(config-cmap)#matchdscpcs5 ciscoasa(config)#policy-mapoutside_policy ciscoasa(config-pmap)#classL2L_Orlando_Tunnel ciscoasa(config-pmap-c)#priority ciscoasa(config-pmap-c)#exit ciscoasa(config)#priority-queueoutside
In the preceding example, the site-to-site IPSec tunnel connection to Orlando has its voicetraffic(dscpcodecs5)prioritizedoverothertypesofIPSectunneltrafficonthe outsideinterface.Inotherwords,thevoicetraffichaspriorityoverthedatatrafficthatis sentacrosstheIPSectunnel.
TrafficInspection TheappliancesperformstatefulfunctionsbydefaultonallTCPandUDPtrafficthatis allowedbetweeninterfaces.Inotherwords,assumingthatTCPandUDPconnections areallowedthroughtheapplianceviaACLs,theconnectionsareaddedtothestatetable sothattheirreturningtrafficcancomebackthroughtheappliance. Ifyouwanttoperformapplicationlayerinspection(examiningthepayloadsofconnections),thisneedstobeenabledontheappliance.Quiteafewapplicationsareenabledby defaultforapplicationlayerinspection,whichisdiscussedinthe“DefaultLayer3/4Policy Map”sectionlaterinthechapter.However,additionalinspectionpoliciesaredisabledfor mostprotocolsandapplications—youhavetoenablethembycreatingapolicy.Thefollowingtwosectionswilldiscusshowtoconfigureinspectionpoliciesforyourappliances. Traffic Inspection Configuration To have the appliances perform application payload inspectionortoinspectICMPtraffic,youneedtocreatealayer3/4inspectionpolicy. Hereisthesyntaxtoaccomplishthis: ciscoasa(config)#policy-mappolicy_map_name ciscoasa(config-pmap)#classclass_map_name ciscoasa(config-pmap-c)#inspectapplication_or_protocol[parameters]
Theinspectcommandsetsupaninspectionpolicyforaclassoftrafficinapolicymap. ProtocolsandapplicationsyoureferencewillhavetheappliancelookatalimitednumberofthingsintheapplicationlayerpayloadbasedoncodeCiscohaswritten.Applicationsandprotocolsyoucanspecifyincludethefollowing:ctiqbe,dcerpc,dns,esmtp, ftp,gtp,h323,http,icmp,icmperror,ils,im,ipsec-pass-thru,mgcp,netbios, pptp, radius-accounting, rsh, rtsp, sip, skinny, sqlnet, snmp, sqlnet, sunrpc, tftp,and xdmcp.Whichapplicationorprotocolisusedwillaffectwhetheradditional
269
270
Cisco ASA Configuration
parameterscanbeconfiguredfortheinspectcommand.Theadditionalparametersare discussedintheremainingchaptersofPartIIIwhereIdiscussthespecificprotocolsand applicationslistedearlier. Wheninspectionisenabledforaprotocol,besidesaddingtheassociatedconnections totheconntable,theappliancecandothefollowing:
▼ L ookforadditionaldataconnectionsthatmightbeopenedviathecontrol connection,andaddthesetotheconntable.
■ Whenperformingaddresstranslation,lookforembeddedaddressing informationandaddthistothexlatetable,andfixanyaddressingconflicts withexistingtranslationsinthexlatetable.
▲ D ependingontheapplicationorprotocol,lookforcommonsecurityissuesand preventthem.
Optionallyyoucansometimesqualifyalayer3/4policywithalayer7(application)policy,whereyoucanspecifypoliciesonmanythingsfoundinthepayload,creatingmuch morespecificandflexiblepolicies.Forexample,youcoulddefineapolicyforFTPtraffic thatlimitswhatFTPcommandscanbeexecutedonthecontrolconnection.Thelayer7 policytopicisintroducedinthe“Layer7PolicyMap”sectionlaterinthechapter. TrafficInspectionExample Here’sasimpleexamplethatusesaninspectionpolicy: ciscoasa(config)#access-listINS1permittcpany host192.168.1.10eqftp ciscoasa(config)#class-mapFTP_server ciscoasa(config-cmap)#matchaccess-listINS1 ciscoasa(config)#policy-mapoutside_policy ciscoasa(config-pmap)#classFTP_Server ciscoasa(config-pmap-c)#inspectftp ciscoasa(config-pmap-c)#exit
Intheprecedingexample,aminimalamountofapplicationlayerinspectionisperformed fortheFTPserver.Besidesaddingthecontrolconnectiontotheconntable,theappliance looks for additional data connections being negotiated on the control connection and addsthesetotheconntable,aswellasaddingandfixingembeddedaddressinginformationandaddingthistothexlatetable(iftranslationisconfigured).ThetopicofFTP inspectionwillbediscussedinmoredepthinChapter12.
DefaultLayer3/4PolicyMap The appliance has a default policy configuration when the appliance boots up with clearedconfiguration.Youcanviewthiswiththeshowrunpolicy-mapcommand: ciscoasa#showrunpolicy-map policy-maptypeinspectdnspreset_dns_map parameters message-lengthmaximum512
Chapter 10:
Modular Policy Framework
policy-mapglobal_policy classinspection_default inspectdnspreset_dns_map inspectftp inspecth323h225 inspecth323ras inspectrsh inspectrtsp inspectesmtp inspectsqlnet inspectskinny inspectsunrpc inspectxdmcp inspectsip inspectnetbios inspecttftp
Thepreset_dns_mapisalayer7policymap,discussedinthenextsection.Thedefault layer3/4policymapiscalled global_policyandhasinspectionenabledforovera dozenapplicationsandprotocols. NOTE Youcanmodifythepoliciesinthedefaultpolicymapbyreferencinglayer7policymapsfor anapplication,addingadditionalinspectionrules,orbyremovinganinspectionrulebyprefacingit withthenocommand.
Layer7PolicyMap Ifyouwanttoperformadditionalinspectionsattheapplicationlayer,youcanassociate alayer7policywithyourlayer3/4policymapconfiguration.Notallapplicationssupportlayer7policies,butCiscodoessupportquiteafew.Thissectionwillbrieflycover an overview of layer 7 policy maps and how they are used. However, the remainder chaptersinPartIIIwilldiscussmanyoftheseapplicationsandtheirapplication-layer inspectionfeaturesinmuchmoredepth.
ConfiguringaLayer7PolicyMap Manyapplicationssupportlayer7policymaps,commonlycalledinspectionpolicymaps. These maps allow you to define policies you want the appliance to enforce based on what’s inside the payload of certain packets. To create a layer 7 policy map, use the policy-maptypeinspectcommand,shownhere: ciscoasa(config)#policy-maptypeinspectapplicationpolicy_map_name ciscoasa(config-pmap)#
271
272
Cisco ASA Configuration
Theapplicationnamesyoucanspecifyincludethefollowing:dcerpc,dns,esmtp,ftp, gtp, h323, http, im, mgcp, netbios, radius-accounting, rtsp, sip, skinny, and snmp.Thepolicymapnamecanbeupto40characters,butcannotbeginwith“_internal”
or“_default”,whicharereservednames. Whenexecutingthe policy-map type inspectcommand,youaretakenintoa subcommandmode,whereyoucanconfigureyourpolicies.Thebasiccommandsyou canincludehereareasfollows:
▼ match Thiscommandspecifiesmatchingcriteriaforwhatyouwantto examineinthepayloadandapplyapolicyto.Youcanmatchonregular expressionstringsand/orregularexpressionclassmaps,commands,and manyotherthings.Forexample,youcouldmatchonspecificFTPcommands oronaparticularHTTPURL.Thepoliciesyoucanassignaredrop,log,and reset(thelatterappliesonlytoTCPconnections).
■ � class Thiscommandidentifiesalayer7classmap(class-maptype inspect)andthepoliciesthatshouldbeassociatedwiththeclassmap.The differencebetweenamatchcommandandaclassmapinalayer7policymap isthataclassmapcanincludemultiplematches,andclassmapscanbeused multipletimesindifferentpolicies,simplifyingyourconfiguration.However, notallapplicationsthatsupportlayer7policymapssupportlayer7class maps.
▲ p � arameter Thiscommandaffectshowtheinspectionengineworks;the parametersthatyouconfiguredependontheapplicationyou’resettingupthe policyfor.
Bydefaultthematchandclasscommandsareprocessedintheorderthatyouenter theminthelayer7policymap.Ifanactionistodropthepacket/connectionorresetthe connection,thennofurtherprocessingofthepolicymaptakesplace.Ifanactionistolog thetransaction,further matchcommandsorclassmapscanbeprocessedinthelayer7 policymap.Ifamatchcommandhasmorethanoneactiondefined,likelogandreset, bothareperformed.Here’sasimpleexamplethatillustratesthisprocess: ciscsoasa(config-pmap)#matchrequestheaderlengthgt500 ciscoasa(config-pmap-c)#log ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#matchrequestheaderlengthgt1000 ciscoasa(config-pmap-c)#reset
Don’t be concerned about the actual syntax of the preceding commands, since I’ll be coveringthesecommandsinmoredepthintheotherchaptersinPartIII.Thepreceding exampleappliestoHTTPconnections.IfanHTTPrequestheaderwere1,100byteslong, itwouldmatchbothoftheprecedingmatchcommands.Inthissituation,sincethecommandsareprocessedinorder,theappliancewouldbothlogandresettheconnection. However,ifyouweretoreversetheorderofthetwocommands,onlytheresetwould beperformed.
Chapter 10:
Modular Policy Framework
TIP Basedontheprocessingofmatchandclasscommandsinalayer7policymap,yourlog policiesshouldappearbeforeyourdropandresetpolicies. Theremainderchaptersinthispartwillcoverthesecomponentsinmuchmoredepth foreachoftheapplicationsthatsupportedadvancedprotocolinspection.
UsingaLayer7PolicyMap Tousealayer7policymap,youmustreferenceitinyourinspectionrulethat’sdefined inalayer3/4policymap,likethis: ciscoasa(config)#policy-maplayer_3/4_policy_map_name ciscoasa(config-pmap)#classlayer_3/4_class_map_name ciscoasa(config-pmap-c)#inspectapplication_name layer_7_policy_map_name
Layer7PolicyMapExample Togiveyouabasicideahowlayer7andlayer3/4policymapsareused,examinethe followingexample: ciscoasa(config)#regexurl_cisco1cisco1\.com ciscoasa(config)#regexurl_cisco2cisco2\.com ciscoasa(config)#class-maptyperegexmatch-anyMYURLs ciscoasa(config-cmap)#matchregexcisco1 ciscoasa(config-cmap)#matchregexcisco2 ciscoasa(config-cmap)#exit ciscoasa(config)#class-maptypeinspecthttpmatch-allL7-http-class ciscoasa(config-cmap)#matchreq-respcontent-typemismatch ciscoasa(config-cmap)#matchrequestbodylengthgt1100 ciscoasa(config-cmap)#matchnotrequesturiregexclassMYURLs ciscoasa(config-cmap)#exit ciscoasa(config)#policy-maptypeinspecthttpL7-http-map ciscoasa(config-pmap)#classL7-http-class ciscoasa(config-pmap-c)#drop-connectionlog ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#matchreq-respcontent-typemismatch ciscoasa(config-pmap-c)#resetlog ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#protocol-violationactionlog ciscoasa(config-pmap-p)#exit ciscoasa(config-pmap)#exit ciscoasa(config)#access-listWeb_Server_ACLpermittcpany host192.1.1.1eq80
273
274
Cisco ASA Configuration ciscoasa(config)#class-mapL3_Web_Server ciscoasa(config-cmap)#matchaccess-listWeb_Server_ACL ciscoasa(config-cmap)#exit ciscoasa(config)#policy-mapL3-web-policy-map ciscoasa(config-pmap)#classL3_Web_Server ciscoasa(config-pmap-c)#inspecthttpL7-http-map
Again, I don’t want to focus on the complete preceding configuration and all the specificcommands,sincemanyofthesearediscussedinChapter12forlayer7policies. InsteadIwanttofocusonhowallclassandpolicymapsworktogetherandhowthey’re referenced.Inthisexample,itisprobablyeasiertoworkthroughtheexampleinreverse, startingatthebottom.I’vehighlightedthemapnamesandhowtheyarereferencedto makeitalittlebiteasiertounderstandhowallthesecomponentsworktogether. Alayer3/4policymapcalled L3-web-policy-mapincludesalayer3/4classmap calledL3_Web_Server,whichincludesTCPport80trafficbeingsenttothewebserver (192.1.1.1).Noticethatthepolicyforthistrafficistoperformapplicationlayerinspection forHTTP,buttheinspectionruleisqualifiedwithalayer7policymap,L7-http-map. Thislayer7policymapincludesalayer7classmapcalled L7-http-class,which islookingforcertainthingsinthepayload,that,ifseen,willdropandlogtheconnections.Noticethattheclassmapreferencesaregularexpressionclassmap,MYURLs,which includes two regular expressions (a URL that contains “cisco1.com” or “cisco2.com”). Anadditional matchand parametercommanddefinesmorepoliciesforinformation foundinthepayloadofHTTPconnections. TIP Asyoucanseefromthisexample,configuringpoliciescanbeaverycomplexprocess.Ifyouare anovicewiththeappliances,IrecommendthatyoudonotusetheCLItoconfigurepolicies.Instead useASDM,sinceithasawizard-drivenprocesstosetthisup.Youcanthenlookatthecommandsthe appliancecreatestohelpyoulearnhowitisconfiguredfromtheCLI.ASDMisdiscussedinChapter27.
SERVICEPOLICIES Aservicepolicyisbasicallytheactivationofyourlayer3/4policymaps.Thefollowing sectionswillshowyouhowtoactivateandverifythepoliciesonyourappliance.
ActivatingaLayer3/4PolicyMap Youcanactivatealayer3/4policymapglobally(allinterfaces)oronaspecificinterface; however,youcanonlyhaveonepolicymapappliedperlocation.Inthecasewherethere isaglobalpolicyandaninterfacepolicy,theinterfacepolicyoverridestheglobalpolicy settings. Hereisthesyntaxtoactivatealayer3/4policymap: ciscoasa(config)#service-policylayer_3/4_policy_map_name {global|interfacelogical_if_name}
Chapter 10:
Modular Policy Framework
Thedefaultpolicy,global_policy(discussedpreviouslyinthe“DefaultLayer3/4 PolicyMap”section),hasalreadybeenactivatedglobally.Youcanverifythiswiththe showruncommand: ciscoasa(config)#showrunservice-policy service-policyglobal_policyglobal
Onlyonepolicymapcanbeactivatedglobally;however,youcanaddto,change,or removethedefaultpolicies.Likewise,youcanonlyhaveonelayer3/4policymapappliedtoaninterface.However,thiscanincludeallthepoliciesyouneed(classmaps,and soon)toaffecttrafficonthespecifiedinterface.
ServicePolicyVerification Toverifythatyourpoliciesarebeingenforced,usetheshowservice-policycommand: ciscoasa#showservice-policy[global|interfacelogical_if_name]
Hereisanabbreviatedexampleoftheuseofthiscommand: ciscoasa#showservice-policy Globalpolicy: Service-policy:global_policy Class-map:inspection_default Inspect:dnspreset_dns_map,packet0,drop0,reset-drop0 Inspect:ftp,packet0,drop0,reset-drop0 Interfaceoutside: Service-policy:Outside_Interface_Policy Class-map:Traffic_From_Internet IPS:card-statusUp,modeinlinefail-close packetinput0,packetoutput0,drop0,reset-drop0
Theprecedingexamplehastwolayer3/4policies:theglobalpolicy(global_policy) and the one for the outside interface (Outside_Interface_Policy). For the global policy,noticethatapplicationlayerinspectionforDNSandFTPisenabled,aswellas othersthatarenotshown.Foreachapplication,noticethatthereisapacket,drop,and reset-dropcount—aspacketsmatchonthepolicyandtheactionsforthepolicy,youcan seethesecountersincrement.Theoutsideinterfacepolicyincludesalayer3/4classmap called Traffic_From_Internet that has an IPS policy associated with it, where the trafficthatmatchestheclassmapwillberedirectedintotheAIP-SSMcard.Again,you canseecountersforthepolicytoverifythatitisfunctioning.FortheIPSpolicy,thereis aninputandoutputpacketcount—youcanseethenumberofpacketsthatenterthecard andleavethecardtoreturntotheASAbackplane.
275
This page intentionally left blank
11 Protocols and Policies
277
278
Cisco ASA Configuration
T
hischapterwillprimarilyfocusoninspectionofprotocolsontheappliance,building upontheMPFtopicsdiscussedinChapter10.Chapters12,13,and14willfocuson differentapplicationsandhowtheapplianceperformsapplicationinspectionfor them.Thetopicsinthischapterincludeinspectionofthefollowingprotocols:
▼ I CMP
■ DCE/RPCs
■ SunRPCs
■ ILSandLDAP
■ NetBIOS
■ IPSecPass-Thru
■ PPTP
▲ X DMCP NOTE GeneralPacketRadioService(GPRS)TunnelingProtocol(GTP)isnotdiscussedinthisbook becauseitisusedinveryfewnetworks:GTPisusedtobridgecellulardatanetworksandtraditional networks,andthusistypicallyfoundonlyincarriernetworks.TheappliancessupportGTPinspection; however,GTPrequiresaspeciallicense.RADIUSaccountinginspectionisalsonotdiscussed,since thisfeaturegoeshand-in-handwithGTPtopreventoverbillingattacksagainstcarriercustomers.
ICMPINSPECTIONPOLICIES ICMPisusedinIPtoprovidefeedbackaboutcommunicationproblemsandinformation relatedtoIPconnectivity.ItusesIPasatransportandisdesignatedwithaprotocolnumberof1intheprotocolfieldoftheIPheader.Inversion6andearlier,thePIXshadlimited abilitiesininspectingICMPtraffic,basicallyfixingembeddedaddressinginformationin payloadsfortranslationpurposes.Startinginversion7,theappliancescandomuchmore sincestatefultrackingofICMPissupported.Thefollowingtwosectionswilldiscussboth ofthesefeatures,wherebothICMPv4andICMPv6inspectionsaresupported.
ICMPIssues OneoftheissueswithICMPisthatitembedsaddressinginformationinthepacketpayload.ItcopiesthefirstpartoftheIPheaderandembedsthisinformationintheICMP payload.Thisprocesscancauseproblemswithaddresstranslationdeviceswherethese devicesaretypicallylookingatjusttheIPheaderwhenperformingtranslation. Todealwiththisproblem,anaddresstranslationdevicewillhavetolookintothe ICMPpayloadforthisaddressinginformationandtranslateitaswellastheaddressesin theIPpacketheader.Theappliancesapplicationinspectionwillperformthisfunctionfor ICMPpackets—thishasbeenaroundsinceversion6oftheOS.Theappliancessupport
Chapter 11:
Protocols and Policies
bothNATandPAT,wheretheICMPsequencenumbersareusedinsteadofTCP/UDP portnumberstodifferentiatebetweendifferentICMPconnections.Applicationinspectionwillensurethatthefollowinginformationischangedtosupportatransparentaddresstranslationprocess:
▼ I PaddressandchecksumintheIPheader
■ ICMPheaderchecksum
▲ I PaddressandchecksumembeddedintheICMPpayload
Inversion6andearlierofICMP,applicationinspectionwasautomaticallyenabled onthePIX,andtherewasnowaytodisableit.Startinginversion7,ICMPinspectionis disabledbydefault.Toenabletheequivalentofwhatwasdoneautomaticallyinversion 6,youneedtoenableICMPerrorinspection,whichexaminesICMPreplymessagesand performsitsfix-upofaddressingissuesinICMPerrormessages. Startinginversion7,theappliancescanaddICMPconnectionstotheconntableas wellasfixembeddedaddressinginformationinICMPechomessages.Theappliances keeptrackofICMPconnectionsintheconntablebyexaminingthesourceanddestinationIPaddressesaswellastheICMPsequencenumberintheICMPheader:eachICMP echorequestisconsideredaseparateconnection.Bydefault,statetrackingofICMPis disabled,butcanbeeasilyenabledwithaninspectionpolicy. SECURITY ALERT! Care should be taken, however, to ensure that a flood of spoofed ICMP messagesdoesn’tunnecessarilyfillupthestatetablewhenICMPstatetrackingisenabled.Inother words,useACLswithyourlayer3/4classmapstocontrolforwhichdevicesICMPstatetracking should be enabled. I also highly recommend that you not useACLs on interfaces to allow ICMP returningtraffic(youhadnochoiceinversion6),sinceICMPtrafficisveryeasilyspoofed,andthis cancreatebandwidthissuesinyournetworkandCPUissuesonyourappliances.
ICMPInspectionConfiguration ToenableICMPinspectionoftraffic,youneedtocreatealayer3/4inspectionpolicy: ciscoasa(config)#policy-mappolicy_map_name ciscoasa(config-pmap)#classclass_map_name ciscoasa(config-pmap-c)#inspecticmperror ciscoasa(config-pmap-c)#inspecticmp
The inspecticmperrorcommandfixesandtranslates(ifnecessary)embeddedaddressing information in ICMP error messages. The inspect icmp command allows ICMPconnectionstobeaddedtotheconntableandfixesembeddedaddressinginformationinthepayloadsofICMPechomessages.BoththesecommandsapplytoIPv4and IPv6ICMPtraffic.
279
280
Cisco ASA Configuration
Here’saconfigurationexamplethatenablesICMPinspectionontheinsideinterface ofanappliance: ciscoasa(config)#class-mapicmp-class-map ciscoasa(config-cmap)#matchdefault-inspection-traffic ciscoasa(config-cmap)#exit ciscoasa(config)#policy-mapicmp_policy_map ciscoasa(config-pmap)#classicmp-class-map ciscoasa(config-pmap-c)#inspecticmp ciscoasa(config-pmap-c)#inspecticmperror ciscoasa(config-pmap-c)#exit ciscoasa(config)#service-policyicmp_policy_mapinterfaceinside
Again,inreallife,IwouldcontrolforwhichinternaldevicesICMPinspectionwasenabledbyusinganACLwiththelayer3/4classmapanddenyingICMPtrafficforall otherdevices.
DCE/RPCINSPECTIONPOLICIES DistributedComputingEnvironment/RemoteProcedureCalls(DCE/RPC)isaprotocolthatallowssoftwaretoworkacrossmultiplecomputers,makingitappearasifthe softwarewereonasinglecomputer.Thisallowsprogrammerstocreatedistributedcode withouthavingtoworryabouttheunderlyingnetworkthecomputersareconnectedto. Microsoft is an example of a company that commonly uses DCE/RPCs to implement distributedclient/serverapplications...allowinglocaluserstoeasilyaccessapplication resourcesonremoteservers. DCE/RPCsinvolveaclientsendingaquerytoanEndpointMapper(EPM)program/ servicethatlistensonawell-knownportnumber.Theclientusesthisconnectiontolearn andaccessthedynamicallyallocatednetworkinformationoftheapplicationorservice. BasedontheinformationnegotiatedfortheDCE/RPCconnectionorconnections,the appliance,usingitsinspectionfeatureforDCE/RPC,canaddthedynamicconnections totheconntableandperformaddresstranslation,fixinganyembeddedaddressinginformationthatconflictswithanexistingentryinthexlatetable.ForMicrosoft,theusers connectusingTCPtoport135ontheEPMservice.
DCE/RPCPolicyConfiguration Bydefault,DCE/RPCinspectionisdisabledontheappliances;youmustcreateaninspectionpolicytoenableit.Youarerequiredtocreateaninspectionpolicyinalayer3/4 policymap;optionallyyoucanqualifyyourpolicywithalayer7policymap.Hereare thecommandstosetupaninspectionforaDCE/RPCpolicy: ciscoasa(config)#policy-maptypeinspectdcerpcL7_policy_map_name ciscoasa(config-pmap)#descriptionstring ciscoasa(config-pmap)#parameters
Chapter 11:
Protocols and Policies
ciscoasa(config-pmap-p)#timeoutpinholehh:mm:ss ciscoasa(config-pmap-p)#endpoint-mapper[epm-service-only] {[lookup-operation[timeouthh:mm:ss]]} ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-p)#inspectdcerpc[L7_policy_map_name]
Tocreatealayer7policymapforDCE/RPCs,usethepolicy-mapinspectdcerpc command.Besidesassigningadescriptiontothemap,youronlyotheroptionistoconfigureparametersforitbyexecutingtheparameterscommand,whichtakesyouintoa secondsubcommandmode.Thetimeoutpinholecommandspecifiesthetimeoutfor pinholes(connections)generatedfromtheclientlookuptotheEPM.Thedefaulttimeis 2minutes.Theepm-service-onlyparameterenforcestheclienttousetheEPMservice duringbindinginordertocontroltheservicetrafficthatisprocessed.Thelookup-operationparameterallowsyoutocontrollookupsfortheEPMserviceandoptionally thetimeoutofthelookups.
DCE/RPCExampleConfiguration Here’sasimpleexampleshowingyouhowtosetupaDCE/RPCinspectionpolicy: ciscoasa(config)#policy-maptypeinspectdcerpcL7_dcerpc_map ciscoasa(config-pmap)#timeoutpinhole00:08:00 ciscoasa(config)#class-mapL3_dcerpc ciscoasa(config-cmap)#matchporttcpeq135 ciscoasa(config)#policy-mapglobal-policy ciscoasa(config-pmap)#classL3_dcerpc ciscoasa(config-pmap-c)#inspectdcerpcL7_dcerpc_map ciscoasa(config)#service-policyglobal-policyglobal
Inthisexample,I’veassociatedalayer7DCE/RPCpolicymapwithalayer3/4policy. I’vechangedthepinholetimeoutfortheRPCserviceconnectionsfrom2to8minutes. I’vecreatedalayer3/4classmapthatdesignatestheDCE/RPCEPMconnection—note thatthisisunnecessaryinthisexamplesincetheapplianceisexpectingDCE/RPCon TCPport135.However,ifyouchangedthisontheEPMserver,youwouldneedtomatch uptheportinalayer3/4classmap.Noticethattheinspectionpolicyisenabledinthe globalpolicy,whichaffectsDCE/RPCconnectionsonallinterfaces.
SUNRPCINSPECTIONPOLICIES SunRPC(RemoteProcedureCall)isusedintheNFS(NetworkFileSystem)andNIS (NetworkInformationServices)services.UnlikeMicrosoftDCE/RPCimplementation, SunRPCservicescanrunonanyport.Whenaclientaccessestheportmapper(rpcbind) programonTCPport111,theclientwilllearntheportnumbersoftheotherRPCservices
281
282
Cisco ASA Configuration
ontheserver.TheclientaccomplishesthisbysendingtheRPCprogramnumberofthe servicetheclientwantstoconnectto,andtheportmapperprogramrespondswiththe portnumber.Sincetheportnumbercanbeanynumberdefinedbytheadministratorof theserver,anintelligentinspectionprocessisneededtoexaminetheportmapperconnectiontolearnwhatadditionalconnectionsneedtobeaddedtotheconntableonthe appliance. NOTE Sincetheprotocol(TCPorUDP)isnotsharedontheportmapperconnectionbetweenthe clientandserver,theappliancemustaddtwoconnectionstotheconntable—TCPandUDP—inorder toallowtheconnectiontotheRPCservice.
SunRPCPolicyConfiguration BydefaulttheinspectionofSunRPCconnectionsisdisabledontheappliance.Thefollowingtwosectionswilldiscusshowtocreatealayer3/4SunRPCpolicyaswellashow tocontroltheSunRPCservicesallowedthroughtheappliance.
ConfiguringaLayer3/4SunRPCPolicy TocreateaSunRPCinspectionpolicy,usethefollowingconfiguration: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-p)#inspectsunrpc
Theinspectionprocessontheappliancedoesn’tsupportlayer7classandpolicymaps forSunRPCs. NOTE The appliances currently do not support the fixing of embedded addresses in Sun RPC payloadswhentheyconflictwithcurrententriesinthexlatetable.
ControllingSunRPCServices Eventhoughtheappliancesdon’tsupportlayer7classandpolicymaps,theydosupportanadditionalcontrolfunctionforSunRPCservices:youcanrestricthowlongthe pinholeconnectionsforTCPandUDPwillremaininthestatetable.Thisisaccomplished withthefollowingcommand: ciscoasa(config)#sunrpc-serverlogical_if_name server_IP_addrsubnet_mask serviceRPC_program_# protocol{tcp|udp}port[-port] timeouthh:mm:ss
Chapter 11:
Protocols and Policies
The sunrpc-server command defines the port mapper server and the interface the serverisconnectedtoontheappliance.WiththiscommandyoucancontroltheRPC programnumberstheappliancewillperforminspectionforandaddtotheconntable. Theprotocolandportaretheconnectionusedtoinitiallyconnecttotheportmapper programontheserver:inmostinstancesthisisTCPport111.The timeoutparameter controlshowlongtokeeptheadditionalconnectionsaddedintheconntable,commonly calledpinholeconnections. NOTE TodeterminetheSunRPCprogramnumbers,ontheUNIXboxusethe sunrpcinfo command,whichwilllisttheprogramnumbersregisteredintheportmapperservice. TodisplaytheSunRPCpinholeconnectionsaddedtotheconntable,usethe show sunrpc-serveractivecommand.Here’sanexampleoftheuseofthiscommand: ciscoasa#showsunrpc-serveractive LOCALFOREIGNSERVICETIMEOUT ------------------------------------------------------- 1192.168.200.25/0192.168.150.3/20491000030:30:00 2192.168.200.25/0192.168.150.3/20491000030:30:00 3192.168.200.25/0192.168.150.3/6471000060:30:00 4192.168.200.25/0192.168.150.3/6501000060:30:00
Inthisexample,theclient(192.168.200.25)isconnectingtotheserver(192.168.150.3)for twoRPCprograms(100003and100006). To remove the pinhole connections from the conn table, use the clear sunrpcserver activecommand.NotethatyoucannotcontrolwhichSunRPCconnections areremoved:theyareallremovedfromtheconntable.
SunRPCExampleConfiguration Here’sasimpleexampleshowingyouhowtosetupaSunRPCinspectionpolicy: ciscoasa(config)#sunrpc-serverinside192.168.150.3255.255.255.255 service100003protocoltcp111 timeout30:00:00 ciscoasa(config)#sunrpc-serverinside192.168.150.3255.255.255.255 service100006protocoltcp111 timeout30:00:00 ciscoasa(config)#class-mapL3_sunrpc ciscoasa(config-cmap)#matchporttcpeq111 ciscoasa(config)#policy-mapglobal-policy ciscoasa(config-pmap)#classL3_sunrpc ciscoasa(config-pmap-c)#inspectsunrpc ciscoasa(config)#service-policyglobal-policyglobal
283
284
Cisco ASA Configuration
Inthisexample,inspectionofSunRPCservicesisenabledglobally;however,I’vecontrolledtheinspectionprocesstoonlyincludetheoneportmapperserver(192.168.150.3) ontheinsideinterfaceforthetwoRPCprograms(100003and100006).Notethattheclass mapforSunRPCsisn’tnecessaryinthisexample,sincetheapplianceexpectsSunRPC portmapperconnectionstobeusingTCP111—however,ifthisisdifferent,youwould needtouseaclassmaptoindicatetheportmapperconnectionparameters.
ILS/LDAPINSPECTIONPOLICIES TheInternetLocatorService(ILS)wasdevelopedbyMicrosofttobeusedbytheirActive Directory,NetMeeting,andSiteServerproducts.ILSisbasedontheLightweightDirectoryAccessProtocol(LDAP).BasicallyILSallowsausertofindtheinformationthatis necessarytoconnecttoanothercomputer.TheinformationthatILScanstoreincludesIP addressesofdevices,e-mailaddressesofindividuals,andusernamesofaccounts. ILS allows the Microsoft SiteServer product to create a dynamic directory of NetMeetingusers.ThisinformationisthenusedbyNetMeetinguserstoinitiatecallsandto setupmeetingsviathedirectoryserver.UserscreateaconnectiontotheILSserverand registertheiraddressinginformation.TheuseofILSsimplifiesissueswhereclientsmay beusingDHCPtoacquiretheiraddresses,wheretheirIPaddressmaybedifferenteach timetheybootup.
MechanicsofILS/LDAPConnections BeforeIbegintalkingabouthowtheapplianceapplicationinspectionfeaturedealswith connectivityissuesbetweenclientsandanILSserver,let’sfirsttakealookathowconnectionsgetsetupbetweenthesetwosetsofdevices.ILS/LDAPusesaclient/server modelwithsessionsbeinghandledoverasingleTCPconnection:AclientopensaTCP connectiontotheILSserveratport389.Onthisconnection,theclientwillregisterits addressinginformation.Oncetheconnectionisestablished,theclientcanlearntheIP addressesofpeersthatitmightwanttocommunicatewithviaNetMeetingoranother H.323application.Asyoucansee,thesetupofthisconnectionisstraightforward. The only issues with ILS connections that the appliance deals with are embedded addressinginformationinthepayloadsofpackets.Themainfunctionoftheapplication inspectionfeatureforILSistolocateembeddedaddressesintheTCP389connectionand fixthem;PATisnotsupportedsinceLDAPonlystoresIPaddresses.ILSinspectiondoes havesomeadditionallimitations:
▼ I LSinspectioncannothandlereferralrequestsbytheclientandthe correspondingresponsesfromtheILSserver.
■ ILSinspectioncannotdealwithuserslistedinmultipledirectories.
▲ A usercannothavemultipleidentitiesinmultipledirectories—iftheydo,ILS inspectionwillnotfunctionproperly.
Chapter 11:
Protocols and Policies
TIP If you are not using address translation, or if the addresses involved with ILS connections areusingNAT0,thenILSinspectionisunneededandshouldnotbeused,inordertoimprovethe performanceoftheappliance.
ILS/LDAPPolicyConfiguration InspectionofILSwasaddedinversion6.2oftheOS.TocreateanILS/LDAPinspection policy,usethefollowingconfiguration: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-p)#inspectils
Theinspectionprocessontheappliancedoesn’tsupportlayer7classandpolicymaps forILS/LDAP.
ILS/LDAPExampleConfiguration Here’sasimpleexampleshowingyouhowtosetupanILS/LDAPinspectionpolicy: ciscoasa(config)#class-mapL3_ilsldap ciscoasa(config-cmap)#matchporttcpeq389 ciscoasa(config)#policy-mapglobal-policy ciscoasa(config-pmap)#classL3_ilsldap ciscoasa(config-pmap-c)#inspectils ciscoasa(config)#service-policyglobal-policyglobal
NotethattheclassmapforILS/LDAPisunnecessaryinthisexample,sincetheapplianceexpectsILS/LDAPconnectionstobeusingTCP389—however,ifthisweredifferent,youwouldneedtouseaclassmaptoindicatethecorrectconnectionparameters.
NetBIOSINSPECTIONPOLICIES NetBIOS(NetworkBasicInput/OutputSystem)isasessionlayerprotocolusedinolder operatingsystemstoresolvenamestoaddressesinsmallnetworks.Itcanusemanyprotocolstotransportitsinformation,includingTCP/IPandIPX/SPX.Userscanstatically definearesolutiontableusingtheLMHOSTSfile,oruseaWINSserverforregistering namesandaddressesaswellasperformingnamelookups.ForTCP/IP,NetBIOScanuse eitherTCPorUDP,buteveryimplementationI’veseenusesUDP,andthedestination portnumberoftheWINSserveris137. TheapplianceinspectionrolewithNetBIOSistwofold:
▼ T heappliancecanlookforembeddedIPaddressesandfixthemiftheyconflict withcurrenttranslationsinthexlatetable.(Thiswon’tworkwithPAT,since NetBIOSisbasedonIPaddresses.)
285
286
Cisco ASA Configuration
▲ T heappliancecanlookforNetBIOSprotocolviolationsanddropand/orlog them.
ThefollowingtwosectionswilldiscusshowtoconfigureNetBIOSinspectionontheappliance.
NetBIOSPolicyConfiguration NetBIOSinspectionisenabledbydefaultintheglobalpolicyoftheapplianceforallinterfaces.However,thisinspectiononlylooksforandfixesembeddedIPaddressesinthe payloadsofNetBIOSpackets.YoucanoptionallyhavetheappliancelookforNetBIOS protocolviolationsbycreatingalayer7policymap.Here’stheconfigurationforinspectionofNetBIOStraffic: ciscoasa(config)#policy-maptypeinspectnetbiosL7_policy_map_name ciscoasa(config-pmap)#descriptionstring ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#protocolviolationaction {drop[log]|log} ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-p)#inspectnetbios[L7_policy_map_name]
There’sonlytwopoliciesyoucandefineinthelayer7policymapforNetBIOS:dropand logorjustlogprotocolviolations.Withoutalayer7policymap,theappliancewillonly lookforandfixembeddedaddressinginformation.
NetBIOSExampleConfiguration Here’sasimpleexampleshowingyouhowtosetupaNetBIOSinspectionpolicy: ciscoasa(config)#policy-maptypeinspectnetbiosL7_netbios ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#protocolviolationactiondroplog ciscoasa(config)#class-mapL3_netbios ciscoasa(config-cmap)#matchportudpeq137 ciscoasa(config)#policy-mapglobal-policy ciscoasa(config-pmap)#classL3_netbios ciscoasa(config-pmap-c)#inspectnetbiosL7_netbios ciscoasa(config)#service-policyglobal-policyglobal
NotethattheclassmapforNetBIOSisunnecessaryinthisexample,sincetheappliance expectsNetBIOSconnectionstobeusingUDP137—however,ifthisweredifferent,you wouldneedtouseaclassmaptoindicatethecorrectconnectionparameters.I’vealso addedinspectionforprotocolviolationsinNetBIOSpackets.
Chapter 11:
Protocols and Policies
TIP NetBIOShasbeensupplantedprimarilybyDNS.Onlyifyouhaveolderapplicationsthatrequire theuseofNetBIOS,thenyoushouldleaveitenabled;otherwise,ifallyourapplicationsuseDNS, thendisableNetBIOSinspectionintheglobalpolicymap.
IPSecPASS-THRUINSPECTIONPOLICIES IPSec Pass-Thru is a feature Cisco added to the appliances in version 7 and is really meantforSOHOnetworks.AsyouwillseeinPartIV,anIPSectunnelorsessioninvolves threeconnections:
▼ A managementconnectionusesUDPport500.Thisconnectionisusedto exchangeIPSec-relatedinformation.
▲ T wodataconnectionsusetheESPand/orAHprotocols.
TheissueiswhenyouhaveanIPSecremoteaccessclientorsite-to-siterouterbehind the appliance and want it to be able to establish an IPSec tunnel to a corporate IPSec server.Assumingtheclientdoesn’tsupportNAT-T(seeChapter15),theuserwillexperienceafewissueswithCiscoappliances:
▼ E SPandAHconnectionsarenotaddedtotheconntableoftheappliance:the IPSecPass-Thruinspectionfeatureautomaticallyallowstheseconnections, assumingthecorrespondingUDP500managementconnectionhasbeen established.ThisgreatlyreducesyourACLconfiguration,sinceyoudon’tneed toconfigureACLentriesfortheESPorAHconnections.
▲ I ftheend-userdeviceisusingESPforencapsulatingdataandtheappliance isperformingPAT,thefirstend-userdevicethatgoesoutcanhavetheESP connectionsredirectedtoit;however,subsequentdeviceswon’tbeabletoget aroundthisproblemunlesstheyuseNAT-T.Inotherwords,thefirstuser’s ESPconnectionworks,andsubsequentusers’ESPconnectionswon’t.
AHbreakswhenusinganytypeofaddresstranslation.Becauseofthis,mostIPSecVPNs useESP.
IPSecPass-ThruPolicyConfiguration RememberthatsincetheIPSecconnectionsareprotectedandencrypted,onlyminimal inspectionissupportedforIPSec:basically,besidestheprecedingbulletpoints,youcan limitthenumberofconnectionsallowedbyaclientandwhattheirtimeoutis.Bydefault, IPSecPass-Thruinspectionisdisabled.Herearethecommandstoenableit: ciscoasa(config)#policy-maptypeinspectipsec-pass-thru L7_policy_map_name ciscoasa(config-pmap)#descriptionstring
287
288
Cisco ASA Configuration ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#{esp|ah}{[per-client-max#_of_conns] [timeouthh:mm:ss]} ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-p)#inspectipsec-pass-thru[L7_policy_map_name]
TheuseofAHisveryuncommonwithIPSecimplementations;soifyou’regoingto implementalayer7policyforIPSec,you’llprobablybespecifying espastheprotocol parameter.Youcanplacealimitonthenumberofdataconnectionsforadevice,likea user’sPC,aswellasplaceatimeoutfortheESP/AHconnectionsassociatedwiththeallowedUDP500managementconnection.
IPSecPass-ThruExampleConfiguration Here’sasimpleexampleshowingyouhowtosetupanIPSecPass-Thruinspectionpolicy: ciscoasa(config)#policy-maptypeinspectipsec-pass-thruL7_passmap ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#espper-client-max5timeout0:15:00 ciscoasa(config)#access-listpassthru_ACLpermitudpanyanyeq500 ciscoasa(config)#class-mapL3-passthru-map ciscoasa(config-cmap)#matchaccess-listpassthru_ACL ciscoasa(config)#policy-mapoutside_policy ciscoasa(config-pmap)#classL3-passthru-map ciscoasa(config-pmap-c)#inspectipsec-pass-thruL7_passmap ciscoasa(config)#service-policyoutside_policyinterfaceoutside
Inthisexample,I’velimitedthenumberofVPNsessionsto5,wherethetimeoutforthe ESPconnectionsis15minutes.
PPTPINSPECTIONPOLICIES PPTPisoneoftheVPNremoteaccesssolutionsdevelopedoriginallybyMicrosoft;however,itisanopenstandard.PPTPusesaTCPcontrolchannel(TCPport1723)andtypicallytwoPPTPGREtunnelsfortransmittingdata.Thecontrolconnectionisusedtonegotiateandmanagethedataconnections.Toprotectthedata,itisencryptedandplaced inaPPPpacket,whichanouterGREheaderisaddedto,andthenplacedinanouterIP header.GREisanIPprotocol. Theapplianceinspectionfeatureisbasicallyusedtodealwithaddresstranslation and connection issues. When inspection is enabled, only PPTP version 1 is inspected ontheTCPcontrolchannel.Theappliancekeepstrackoftheoutgoingcallrequestand replysequences,andaddsxlatesandconnectionsasnecessaryforthedataconnections. NATworkswithoutanyissues;however,ifyouwanttousePAT,thePPTPdevicesmust
Chapter 11:
Protocols and Policies
support a modified version of GRE defined in RFC 2637, and the PPTP devices must negotiatethisovertheTCPcontrolconnection.Ifthisoccurs,thentheappliancecanfix embeddedaddressinginformationforPATtranslations.IfthemodifiedversionofGRE isnotsupportedbythedevicesorisnotnegotiated,thentheappliancecannotperform PATinspection.
PPTPPolicyConfiguration PPTPinspectionisdisabledbydefaultontheappliances.Toenableit,usethefollowing configuration: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-p)#inspectpptp
Pleasenotethatlayer7classandpolicymapsarenotsupportedforPPTPinspection.
PPTPExampleConfiguration Here’sasimpleexampleshowingyouhowtosetupaPPTPinspectionpolicy: ciscoasa(config)#class-mapL3_pptp_ports ciscoasa(config-cmap)#matchporttcpeq1723 ciscoasa(config)#policy-mapL3_pptp_policy ciscoasa(config-pmap)#classL3_pptp_ports ciscoasa(config-pmap-c)#inspectpptp ciscoasa(config)#service-policyL3_pptp_policyinterfaceinside
ToenablePPTPinspectionforallinterfaces,enablethepolicyinthedefaultglobalpolicy ontheappliance.
XDMCPINSPECTIONPOLICIES XDMCP(XDisplayManagerControlProtocol)isaprotocolthatprovidesauthenticated access for remote X-windows clients requesting display services from an X-windows server. X-windows is a desktop solution that has been around for more than two decades.Oneoftheissuesinthemid-1980swasthecostofdesktops.IntheUNIXworld, a solution was developed to reduce the cost of the desktop: X-windows. Basically, Xwindows allows a desktop to only need a LAN NIC, a boot flash, a graphics card, a keyboardandmouse,andamonitor.Asyoucansee,thisisafarcryfromtoday’sPCs. However,costbeinganissue,theX-windowsclientwasstrippedofeverypossibleitem. TheX-windowsclientwoulddynamicallyacquireanIPaddressandthensetupasessionwithanX-windowsserverwhereitwouldgetagraphicaldisplaytoaccessanduse resourcesontheX-windowsserver.Basically,anX-windowsclientisadisklessclientin itssimplestform.
289
290
Cisco ASA Configuration
MechanicsofXDMCPConnections TohelpillustratehowXDMCPconnectionsareestablishedbetweenanX-windowsclient andanX-windowsserver,I’llusetheexampleshowninFigure11-1.Whensettingup anXDCMPconnection(whichusesUDP),theclientdevicewillchooseaportnumber greaterthan1023thatisnotcurrentlybeingusedbyanothernetworkapplication.The destination port number is the well-known port 177. This connection is a management connectionandisusedtoperformauthenticationaswellastonegotiatetheportparametertouseforthedisplayconnection. Oncethemanagementconnectionisestablished,theX-windowsclientwillacquirea portnumberfromtheX-windowsservertosetupthedisplayconnection.Thisconnection, whichusesTCP,isthepipethattheserverusestosendalldisplayinformationtotheclient aswellasanyinteractionoftheclientwiththisdisplaytobesenttotheserver.Sincethe X-windowsservermighthavemanyX-windowsclientsconnectingtoit,theX-windows serverwilltypicallystartatport6000,assignthattothefirstX-windowsclient,andthen workitswayupfrom6000foreachsuccessiveclient;however,anadministratorcancontroltherangeofportsused.Oncetheserverassignstheportnumbertotheclient,theclient thensetsuptheTCPdisplayconnectiontothisport.Asyoucanseefromthesetupofthese twoXDMCPconnections,thisprocessisverysimilartopassivemodeFTP,discussedin Chapter12.
ClientontheInsideoftheAppliance WhentheclientisontheinsideofthenetworkandinitiatesanX-windowsconnectionto anX-windowsserverontheoutsideofthenetwork,theappliancewillbydefaultallow theUDPconnection,sincetheconnectionistravelingfromahighersecuritylevelinterfacetoalowerone.Thisisalsotrueforthedisplayconnection.Therefore,bothofthese connectionswillbeabletobeestablishedunlessyouarefilteringwithACLs.
ClientontheOutsideoftheAppliance Let’sassumethattheclientinthisexampleisactuallyontheoutsideofyournetwork, and the X-windows server is on the inside. For the initial client connection to work, you’llneedtoconfigureanACLentrythatwillallowtrafficheadingtotheX-windows serverforUDPport177—withoutthis,notypeofX-windowsconnectioncanbemade.
XDMCP UDP Port => 1024
UDP Port = 177
TCP Port => 1024
TCP Port => 6000
X-windows Client
Figure11-1. ThisishowanXDMCPsessionisestablished.
X-windows Server
Chapter 11:
Protocols and Policies
Oncethemanagementconnectionhasbeenestablished,theclientattemptstosetup thedisplayconnectionusingtheassignedTCPportnumberfromtheX-windowsserver (6000andhigher).Onethingthatapplicationinspectionontheapplianceswon’tdowith XDMCPisdynamicallyaddthesecondconnectioncominginboundfromtheclient.AssumingthatapplicationinspectionisenabledforXDMCP,theappliancewillautomaticallybelookingattheXDMCPmanagementconnectionforthenegotiatedportsofthe displayconnectionandwillperformanyaddresstranslationthatisnecessary,butwon’t addthesecondTCPconnection—you’llneedtousetheestablishedcommandtoallow this.(ThisisnotthesamethingastheestablishedparameterinanACLstatementon anIOSdevicelikearouter.)PleasenotethattheappliancecanfixembeddedIPaddresses inthepayload,butnotportnumbers;therefore,XDMCPwillbreakforconnectionsthat theappliancehasaPATpolicyconfiguredfor.Thefollowingsectionswillcoverhowto setupapplicationinspectionofXDMCPontheappliance. SECURITYALERT! Asawordofwarning,itishighlyadvisednottoallowX-windowsconnections throughaperimeterappliance,sinceX-windowshasbeenknowntohavebeenexploitedinthepast andisnotasecureprotocol.IfyoumusthaveexternalX-windowsconnections,itispreferredthat theybetransmittedthroughaVPN.
XDMCPPolicyConfiguration XDMCPapplicationinspectionisenabledbydefaultontheappliancesintheglobalpolicy; youmightwanttodisableitgloballyandthenenableitforonlycertaininterfaces.To enableordisableXDMCPinspection,usethefollowingconfiguration: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-p)#[no]inspectxdmcp
Pleasenotethatlayer7classandpolicymapsarenotsupportedforXDMCPinspection. TIP Remember that XDMCP inspection is only needed for connections going from a lower to a highersecuritylevelinterfacebydefault;youonlyneeditforoutboundconnectionsifyouhavean ACLrestrictingoutboundtraffic.
EstablishedCommandConfiguration AsImentionedintheintroductionofXDMCP,the inspectxdmcpcommandhasthe applianceexaminetheXDMCPmanagementconnection(UDP177)forthenegotiated portsofthedisplayconnectionandwillperformanyaddresstranslationthatisnecessary.However,thiscommanddoesn’taddthesecondTCPconnection(thedisplayconnection)totheconntable.Tosolvethisproblem,you’llneedtousethe established command.
291
292
Cisco ASA Configuration
The establishedcommandwasoriginallydesignedforoddballapplicationsthat opened multiple connections for which the PIXs originally didn’t support application inspection.XDMCPisoneoftheapplicationsthatmustusethisprocess.WithXDMCP, whenapplicationinspectionisenabledinapolicyandtheapplianceseesamanagement connectionbeingestablishedthatmatchesthepolicy,theappliancecomparesthisconnectionwiththeconfigured establishedcommands,whichwilldeterminewhatadditionalconnectionsareallowedtoand/orfromtheuser. Youcanalmostlookattheestablishedcommandasapoorman’simplementation ofastatefulfirewall:ifconnectionAisseen,thenautomaticallyallowconnectionB,and possiblyadditionalconnectionslikeCandD.Theadditionalconnectionsareautomaticallyaddedtotheconntableoncethecorrespondingmanagementconnectionisseen. Giventhisbehavior,youcanusethe establishedcommandforotherapplicationsor protocolsthatopenmultipleconnectionsthroughtheappliance,butwhereCiscodoesn’t haveapplicationinspectionthatwilllookfortheadditionalconnectionsandautomaticallyaddthemtothestatetable. Thetrickwiththeestablishedcommandconfigurationisthatyouhavetounderstandhowanapplicationworksandtheportnumberornumbersitusesforadditional connectionsinordertoconfiguretheestablishedcommandcorrectly.Thesyntaxofthe establishedcommandisasfollows: ciscoasa(config)#established{tcp|udp}dst_port[src_port] [permittoprotocolport[-port]] [permitfromprotocolport[-port]]
Youmustfirstspecifythenameoftheprotocolfortheestablishedconnection.Inthe caseofXDMCP,thisisthemanagementconnection,whichusesUDP.Followingthisyou needtospecifythedestinationandsourceport(notethattheorderisreversed)forthe establishedconnection.Enteringa0indicatesanyport.ForXDMCP,thedestinationport wouldbe177andthesourceport0(anyport).Actually,youcanomitthesourceport, sinceitisoptional. NOTE Theestablishedcommanddoesn’tworkwithconnectionsthatwillhavePATperformed onthem. The permitto parameter specifies the source information of the additional connection(s)thatshouldbeallowed.Forexample,withXDMCP,theprotocolwouldbe tcpandtheport6000andhigher,dependingonthenumberofdisplaysauserneedsto support.Youcanfindtheconfigurednumberintheserverconfigurationfile.Justlook forthislineofcodeinthefile,wherenrepresentstheconnectionnumber: setenvDISPLAYXserver:n
ForXDMCP,thedestinationportnumberwouldbe6000+n. The permitfromparameterspecifiesthedestinationinformationoftheadditional connections.ForXDMCP,theclientopenstheTCPconnectionwithaportnumbergreater than1023,sotherangeofportsyouwouldspecifywouldbefrom1024to65535.
Chapter 11:
Protocols and Policies
Basicallytheestablishedcommandiscontrollingorlimitingwhatadditionalconnectionsareallowed.First,theappliancemustseetheinitialconnection,andthenconnectionsthatmatchthe permitfromforthesourceportand permittoforthedestination portofthespecifiedprotocolareallowed.Youcanhavemultiple establishedcommandsbasedontherangeofportsyouneedtodynamicallyaddtotheconntablefora specificapplication. TIP Pleaserememberthattheestablishedcommandcanbeusedforotherapplicationsthat openadditionalconnectionswheretheappliancesdon’tcurrentlysupportapplicationinspectionfor theadditionalconnections.
XDMCPExampleConfiguration Here’s an example of setting up a global inspection policy for XDMCP and using the establishedcommandtoallowthedisplayconnections: ciscoasa(config)#class-mapinspection_default ciscoasa(config-cmap)#matchdefault-inspection-traffic ciscoasa(config)#policy-mapglobal_policy ciscoasa(config-pmap)#classinspection_default ciscoasa(config-pmap-c)#inspectxdmcp ciscoasa(config)#establishedudp1770 permittotcp6000permitfromtcp1024-65535
In this example, XDMCP inspection is enabled globally. With the established command,ifaUDPconnectionhasbeenestablishedfromtheexternalclienttoport177on theX-windowsserver,asubsequentdisplayconnectionfromthisexternalclientisallowedforTCPifthesourceportisfrom1024to65,535andthedestinationisport6000.
293
This page intentionally left blank
12 Data Applications and Policies
295
296
Cisco ASA Configuration
T
hischapterwillintroduceyoutotheinspectioncapabilitiesoftheappliancesas inspectionrelatestocommonlyuseddataapplications.Theapplicationinspections coveredinclude
▼ D NS
■ SMTPandESMTP
■ FTP
■ TFTP
■ HTTP
■ Instantmessaging(IM)
■ RSH
■ SNMP
▲ S QL*Net
DNSINSPECTION DNSinspection,commonlycalledDNSDoctoring,hasbeensupportedontheappliances foralongtime.ThefollowingsectionswilldiscusstheapplicationlayerinspectioncapabilitiesoftheappliancesforDNStraffic,aswellashowtoconfigureinspectionpolicies forDNS.
DNSInspectionFeatures CiscocurrentlysupportsfourinspectionfeaturesforDNS:
▼ D NSGuard
■ DNSpacketlengthverification
■ DNSA-recordtranslation
▲ D NSapplicationlayerpolicies
Thefollowingsectionswilldiscussthesefeaturesinmoredepth.
DNSGuard DNSGuardensuresthatonlyasingleDNSresponsetoaDNSqueryispermittedback into your network. When a DNS client generates a DNS query, it uses UDP. The DNS serverusesUDPtoreply.WhensomeattackersareeavesdroppingandseetheDNSrequestorreply,theygeneratetheirownDNSreplytosendbacktotheclient,possiblywith abogusaddressoramisdirectedaddress.Iftheattackershavegivenoneoftheirown addressesinthereply,theattackerscaneasilyhijackthesessionthattheclientwilltryto establish.DNSGuardalsopreventsDNSDoSattacks,stoppingafloodofDNSreplies
Chapter 12:
Data Applications and Policies
fromcomingbackintoyournetwork,sinceafloodofUDPtrafficontheconnectionwill keepitintheconntable. WithDNSGuardtheapplianceaddsanentryintheconntablewhenitseestheclient DNSquery,whichisusedtopermittheDNSreplyfromtheserver.AssoonastheapplianceseesthefirstDNSreplyforthesession,itimmediatelyremovestheconntableentry, preventinganyotherrepliesfromcomingin.DNSusesanapplicationID(appID)inthe payloadtotracktheDNSqueriesandresponses.Iftheclientgeneratesthreerequests, theappliancewillallowthreereplies,sincetheseareseenasthreeconnections. NOTE DNSGuardistheexceptiontousinganidletimerforUDPconnectionstodetermineifthey aredone.Also,inversion6andearlier,youcouldnotdisableDNSGuard.Inversion7,itisenabled bydefault,butyoucandisableit.
DNSPacketLengthVerification Startinginversion7oftheOS,theapplianceschecktomakesurethattheDNSpacket lengthdoesn’texceed512bytesbydefault.AccordingtotheRFC,512bytesshouldbe themaximum.Ifpacketswerelargerthanthis,thentheymightbenon-DNSpackets, andtheappliancewoulddropthembydefault.However,someDNSimplementations bendtherulesandcanhavepacketsizesgreaterthan512—ifyourunintothissituation, youcanincreasethemaximumpacketsizeforDNSontheappliance. Someothercheckstheapplianceperformsbydefault:
▼ M akessurethedomainnamelengthdoesn’texceed255bytesandthelabel 63bytes
■ Verifiestheintegrityofadomainnameifitisreferencedbyacompressionpointer
▲ V erifiesifacompressionpointerloopexists,whichwouldcauseaninfinite numberoflookupsontheDNSserver
DNSA-RecordTranslation Ifyourapplianceisperformingtranslation,youmighthaveissueswithDNSA-recordresponsesfromDNSserverswithincorrectaddressinginformation.I’lluseFigure12-1toillustratetheproblemandsolutions.Inthisexample,ifInternetuserswanttoaccesswww.abc .com,theexternalDNSserverrepliesbackwith192.1.1.1,whichtheappliancethentranslates to10.0.1.12whentheconnectionentersthenetwork,allowingtheInternetuserstoaccessthe server.However,ifaninternalusertriestodothesamething,theDNSserverrespondsback with192.1.1.1,buttheinternaluserneedsthelocalIPaddressoftheserver:10.0.1.12. Thisproblemhasthreesolutions:
▼ H avetheuseruseIPaddressesinsteadoffullyqualifieddomainnames.
■ SetupasplitscopeontheDNSserver—forinternalusers,sendbackthelocal address,andforexternalusers,sendbacktheglobaladdress.
▲ U setheapplianceA-recordtranslationfeature.
297
298
Cisco ASA Configuration
Outside DNS Server
A-Record: www.abc.com 192.1.1.1
Insider Server: www.abc.com 10.0.1.12
Insider User: 10.0.1.11
Figure12-1. DNSA-recordtranslationappliancesolution
Theproblemwiththefirstsolutionisthatitisnotscalableormanageable—names are easier to deal with than addresses. The second solution is a viable option if you controltheDNSserver—ifit’stheISP,you’reprobablyoutofluck.Thethirdsolution, theA-recordtranslationfeature(DNSDoctoring)allowstheapplianceto“doctor”the DNSreplybeingsentbacktotheinternaluser.Configuringthisiseasy:allyouneedto doistoaddthe dnsparametertothe staticcommandfortheserver.Thisparameter isalsoavailablewiththe natcommandifyouareimplementingdynamicDNS.Given the network in Figure 12-1, here is the corresponding static command to use DNS Doctoring: ciscoasa(config)#static(inside,outside)192.1.1.110.0.1.12dns
ThesyntaxofthiscommandwasdiscussedinChapter5.YoucandisabletheDNSDoctoringfeaturewiththenonat-rewriteapplicationlayerpolicydiscussedlaterinthe “DNSPolicyConfiguration”section. NOTE Inversion6.1andearlier,the aliascommandwasusedtoimplementDNSDoctoring. Thednsparameterforthestaticandnatcommandswasintroducedinversion6.2.Thelatter approachisthepreferredsolutiontoday.
DNSApplicationLayerPolicies Startinginversion7,theappliancessupportmanyDNSapplicationlayerpoliciesyou canimplement,including
▼ P rotectagainstDNSspoofingandcachepoisoning.
■ FilterpacketsbasedonDNSheaderinformation,domainnames,resource recordtypes,andrecordclasses.
■ MasktheRecursionDesired(RD)andRecursionAvailable(RA)flagsinthe DNSheadertoprotectaserverifitsupportsoneormoreinternalzones.
Chapter 12:
Data Applications and Policies
■ LookforandpreventamismatchinthenumberofDNSresponseswhen comparedwithqueries,whichcouldindicateacachepoisoningattack.
▲ E nsurethataTransactionSignature(TS)isincludedinallDNSmessages.
Thenextsectionwilldiscusstheseinmoredepth.
DNSPolicyConfiguration ThefollowingsectionswilldiscusstheconfigurationofDNSinspection.Forin-depth inspectionpolicies,youmightneedtocreatealayer7policymapand,possibly,alayer7 classmap.Thefollowingsectionswilldiscusshowtocreatethese,aswellashowtoenableDNSinspectioninalayer3/4policymap.
DNSLayer7ClassMaps Herearethecommandstocreatealayer7classmapforDNSinspection: ciscoasa(config)#class-maptypeinspectdns[match-all] L7_class_map_name ciscoasa(config-cmap)#match[not]dns-class{eq|range} {0-65535|IN} ciscoasa(config-cmap)#match[not]dns-type{eq|range}{0-65535|A| AXFR|CNAME|IXFR|NS|SOA|TSIG} ciscoasa(config-cmap)#match[not]domain-nameregex{class regex_classmap_name|regex_name} ciscoasa(config-cmap)#match[not]header-flag{0x0-0xffff|AA|QR| RA|RD|TC} ciscoasa(config-cmap)#match[not]question ciscoasa(config-cmap)#match[not]resource-record{additional| answer|authority}
The dns-classparameterallowsyoutomatchaDNSqueryorresourcerecordclass. The notparameternegatesthecorrespondingmatchresult.The dns-typeparameter allowsyoutomatchaDNSqueryorresourcerecordtype.Thedomain-nameparameter allowsyoutomatchadomainnameornamesfromaDNSqueryorresourcerecord. (Youneedtoreferencearegularexpressionoraregularexpressionclassmapthatcontains the actual domain names.) The header-flag allows you to match a particular DNSflaginaheader.The questionparametermatchesaDNSquestion(query).The resource-recordparametermatchesthespecifiedDNSresourcerecord.
DNSLayer7PolicyMaps Herearethecommandstocreatealayer7policymapforDNSinspection: ciscoasa(config)#policy-maptypeinspectdnsL7_policy_map_name ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#dns-guard
299
300
Cisco ASA Configuration ciscoasa(config-pmap-p)#id-mismatch[count#_of_times] [durationseconds][actionlog] ciscoasa(config-pmap-p)#id-randomization ciscoasa(config-pmap-p)#message-lengthmaximum{[client|server] {auto|512-65535}} ciscoasa(config-pmap-p)#nat-rewrite ciscoasa(config-pmap-p)#protocol-enforcement ciscoasa(config-pmap-p)#tsigenforced{action[drop][log]} ciscoasa(config-pmap-p)#exit ciscoasa(config-pmap)#matchL7_class_map_parameters ciscoasa(config-pmap-c)#[enforce-tsig]{[drop|drop-connection]} [log] ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#classL7_class_map_name ciscoasa(config-pmap-c)#[enforce-tsig]{[drop[send-protocol-error]]| drop-connection[send-protocol-error]]| [reset]}|[rate-limit#_of_messages]| [mask]}[log]
Thefollowingarethecommandsyoucanconfigureunderthesubcommandmode for parameters.The dns-guardcommandenforcesoneDNSresponseperquery,implementingDNSGuard(enabledbydefault).Prefacethisorothercommandswiththe noparametertonegateordisablethem.Theid-mismatchcommandreportsexcessive instancesofDNSidentifiermismatches.Theid-randomizationcommandrandomizes theDNSidentifier(appID)inDNSquerymessages.The message-lengthcommand definesthemaximumDNSmessagelengthallowed(bydefaultthisis512bytes).The nat-rewritecommandtranslatesDNSDoctoring(enabledbydefault).Theprotocol- enforcementcommandcheckstheformatofDNSmessages.ThetsigparametervalidatestheTSIGresourcerecordinformation. Intheprecedinglistofcommands,youhavetwooptionsonspecifyingwhatyou needtomatchoninordertoimplementpolicies:youcanuseindividual matchcommandsorreferencealayer7DNSclassmapwiththe classcommand.Ineithercase, youaretakenintoasecondsubcommandmodewhereyouspecifythepolicyfortheapplicationlayerinformation:dropthepacket(drop,withtheoptionofsendingaprotocol errormessagetothesource),droptheconnection(drop-connection),generatealog message(log),requireTSIGresourcerecordsinaDNSmessage(enforce-tsig),send aTCPreset(reset),ormaskoutmatchingportionsoftheDNSpayload(mask).
DNSLayer3/4PolicyConfiguration If all you are interested in is implementing DNS Doctoring, DNS Guard, and/or preventingexcessiveDNSrepliestocorrespondingDNSqueries,thenyoudonotneedto
Chapter 12:
Data Applications and Policies
implementalayer7policyforDNSinspection.However,ifyouneedtoimplementalayer 7DNSpolicy,youmusthaveacorrespondinglayer3/4policymapthatreferencesit: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspectdns[L7_policy_map_name]
DefaultDNSInspectionConfiguration HereisthedefaultDNSinspectionpolicyenabledontheappliances: ciscoasa#showrunpolicy-map policy-maptypeinspectdnspreset_dns_map parameters message-lengthmaximum512 policy-mapglobal_policy classinspection_default inspectdnspreset_dns_map
Inthisconfiguration,DNSisgloballyenabled,wheremessagesbiggerthan512bytes willbedropped,andDNSDoctoringandDNSGuardareenabled.
DNSExampleConfiguration Let’slookataconfigurationexamplethatimplementsDNSinspection: ciscoasa(config)#regexDOMAIN1abc\.com ciscoasa(config)#regexDOMAIN2def\.com ciscoasa(config)#class-maptyperegexmatch-anyPERMITTED_DOMAINS ciscoasa(config-cmap)#matchregexDOMAIN1 ciscoasa(config-cmap)#matchregexDOMAIN2 ciscoasa(config)#class-maptypeinspectdnsmatch-allL7_BAD_DNS_CLASS ciscoasa(config-cmap)#matchnotheader-flagQR ciscoasa(config-cmap)#matchquestion ciscoasa(config-cmap)#matchnotdomain-nameregex classPERMITTED_DOMAINS ciscoasa(config)#policy-maptypeinspectdnsL7_DNS_POLICY ciscoasa(config-pmap)#matchheader-flagRD ciscoasa(config-pmap-c)#masklog ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#classL7_BAD_DNS_CLASS ciscoasa(config-pmap-c)#droplog ciscoasa(config)#access-listDNSpermitudpanyanyeq53
301
302
Cisco ASA Configuration ciscoasa(config)#class-mapL3_dns_class_map ciscoasa(config-cmap)#matchaccess-listDNS ciscoasa(config)#policy-mapL3_outside_policy ciscoasa(config-pmap)#classL3_dns_class_map ciscoasa(config-pmap-c)#inspectdnsL7_DNS_POLICY ciscoasa(config)#service-policyL3_outside_policyinterfaceoutside
TheprecedingexamplepreventsDNScachepoisoningforanydomainnamewiththe exceptionofthetwodomains“abc.com”and“def.com.”Workingbackwardsinthisexample,thelayer3policyisappliedtotrafficenteringtheoutsideinterface.Thisincludes allDNStraffic.Theinspectionrule(inspectdns)referencesalayer7policymap.Ifthe DNSheadercontainstheRDflag,itismaskedoutandlogged.Basedonthelayer7class mapandregularexpressionclassmap,ifthedomainnamesbeingqueriedarenot“abc .com”and“def.com”andtheDNSheaderdoesn’tcontaintheQRflag,thenthesepacketsaredroppedandlogged.
SMTPANDESMTPINSPECTION Internet-basede-mailsystemshavebeenwidelyknowntobeaneasywayofhacking intoyournetwork.Thereasonisthatthesee-mailsystemsarebasedonSMTP(Simple Mail Transport Protocol) and ESMTP (extended SMTP), which are well documented. However,manyextensionshavebeenadded,includingproprietaryextensionsbycertainvendors.SendmailisoneofthemorepopularUNIXSMTPe-mailsystems,andits source code is open to the public, which means that hackers have spent a lot of time figuringouttheweaknessesinthisapplication.
SMTPandESMTPInspectionFeatures Toprevente-mailattacks,appliancesimplementESMTPinspectionbydefault.Priorto version7,onlytheSMTPprotocolwassupported.Staringinversion7,ESMTPwasadded. This feature only allows certain SMTP commands or messages, defined in RFC 821, section .4.5.1, and certain ESMTP commands on an e-mail connection.All other commands in SMTP connections are changed to Xs, which the internal e-mail server will reject.SupportedSMTPcommandsincludeDATA,HELO,MAIL,NOOP,QUIT,RCPT, andRSET.SupportedESMTPcommandsincludeAUTH,EHLO,ETRN,HELP,SAML, SEND,SOML,andVRFY. Othersecurityfeaturesarealsoimplementedtoprotectthee-mailserver,including thefollowing:
▼ M askthee-mailserverbannertoasterisks(“*”)tohide/obfuscatethebanner, whichmightgiveinformationtothehackeraboutthetypeofe-mailserveryou areusing.
■ Monitore-mailcommandsandresponsesandthesequencetheyoccurinto makesurethatthee-mailconnectionisactingaccordingtotheRFCs.
Chapter 12:
Data Applications and Policies
■ Lookforapipe(“|”)inaMAILorRCPTcommandandclosethee-mail session.(Thiswasabuginsomee-mailimplementationsthatallowedhackers tohavethee-mailserverexecuteprogramsandredirecttheoutput.)
▲ C reateanaudittrailofspecifiedactionsagainstthee-mail. NOTE SMTPandESMTPinspectiononlyappliestoinbound(lowertohigherlevel)traffic.
SMTPandESMTPPolicyConfiguration Layer7policymapsallowyoutodefinepoliciesaboutwhatyouwanttoallowfore-mail connectionsbasedonwhatisintheSMTPand/orESTMPpayload.Layer7classmaps areunsupportedforfurtherclassification.Whencreatingalayer7policymapfore-mail inspection,youhavethefollowingcommandsavailabletoyou: ciscoasa(config)#policy-maptypeinspectesmtpL7_policy_map_name ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#mail-relaydomain_nameaction [drop-connection][log] ciscoasa(config-pmap-p)#mask-banner ciscoasa(config-pmap-p)#exit ciscoasa(config-pmap)#matchbodylengthgtbytes ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#matchbodylinelengthgtbytes ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#matchcmdRCPTcountgt#_of_recipients ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#matchcmdlinelengthgtbytes ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#matchcmdverbcommand1[…commandX] ciscoasa(config-pmap-c)#[rate-limit#_per_second| drop-connection|reset][log] ciscoasa(config-pmap)#matchehlo-reply-parameterparameter ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#matchheaderlengthgtbytes ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#matchheaderlinelengthgtbytes ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#matchheaderto-fieldscountgt#_of_recipients ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#matchinvalid-recipientscount gt#_of_recipients ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#match[not]mimeencodingtype
303
304
Cisco ASA Configuration ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#match[not]mimefilenamelengthgtbytes ciscoasa(config-pmap)#match[not]mimefiletyperegex {classregex_class_name|regex_name} ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#matchsender-addresslengthgtbytes ciscoasa(config-pmap-c)#[drop-connection|reset][log] ciscoasa(config-pmap)#match[not]sender-addressregex classregex_class_name ciscoasa(config-pmap-c)#[drop-connection|reset][log]
Twooptionsareundertheparameterssubcommandmode.Themail-relaycommandallowsyoutorestrictwhatdomainnameyou’llallowforyoure-mailservers— thisisusedtopreventrelayingofmailviaarogueserver.Themask-bannercommand obfuscates(changes)theservere-mailbanner,therebymakingitharderforanattacker tolearninformationaboutyourserver. Theremainingpoliciesareconfiguredwiththematchcommand.Whenexecutingthis command,youaretakenintoasecondsubcommandmodewhereyoucanspecifyyour policy:droptheconnection,logthematch,resettheTCPconnection,and,withcertain matchcommands,rate-limitthee-mailcommandssentontheconnection.Table12-1has asummaryofwhateachofthesecommandslooksforinane-mailmessage.
matchCommand
Description
matchbodylengthgt
Specifiesthelengthofthebodyofa message
matchbodylinelengthgt
Specifiesthelengthofalineinthebody ofamessage
matchcmdRCPTcountgt
Specifiesthenumberofrecipients
matchcmdlinelengthgt
Specifiesthelengthofacommandline
matchcmdverb
Specifiesthee-mailcommandtomatchon
matchehlo-reply-parameter
SpecifiestheEHLOreplyparameterto lookfor,likeAUTH
matchheaderlengthgt
Specifiesthelengthoftheheaderofa message
matchheaderlinelength
Specifiesthelengthofalineintheheader ofamessage
Table12-1. E-mailPolicyParametersforthematchCommand
Chapter 12:
Data Applications and Policies
matchCommand
Description
matchheaderto-fields countgt
Specifiesthenumberof“To:”fieldsto matchon
matchinvalid-recipients countgt
Specifiesthenumberofinvalide-mail recipients(nonexistente-mailaddresses) tomatchon
match[not]mimeencoding
Specifiestheencodingschemetomatch onforattachedfiles(7bit,8bit,base64, binary,others,quoted-printable)
match[not]mimefilename length
Specifiesthenumberofbytestomatchon foranattachedfile
match[not]mime filetyperegex
Specifiesaregularexpressiontouse tomatchonanattachedfilenameor extension
matchsender-address lengthgt
Specifiesthelengthofane-mailsender’s addresstomatchon
match[not]sender-address Specifiesaregularexpressionorregular regex expressionclassmaptousetomatchon ane-mailsender’saddress
Table12-1. E-mailPolicyParametersforthematchCommand(Continued)
Once you are done with your layer 7 policies, you must associate them with an
inspectesmtpcommandinalayer3/4policymap:
ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspectesmtp[L7_policy_map_name]
SMTPandESMTPExampleConfiguration Let’slookatanexampletoillustratehowtouselayer7policymapswithe-mailinspection. I’llusethefollowingexample: ciscoasa(config)#regexBAD_SENDER1@abc\.com ciscoasa(config)#class-maptyperegexmatch-anyBAD_SENDERS ciscoasa(config-cmap)#matchregexBAD_SENDER1 ciscoasa(config)#policy-maptypeinspectesmtpL7_EMAIL_MAP
305
306
Cisco ASA Configuration ciscoasa(config-pmap)#matchbodylengthgt35000 ciscoasa(config-pmap-c)#drop-connectionlog ciscoasa(config-pmap)#matchsender-addressregexclassBAD_SENDERS ciscoasa(config-pmap-c)#drop-connection ciscoasa(config)#access-listemailpermittcpanyanyeq25 ciscoasa(config)#class-mapL3_email_class_map ciscoasa(config-cmap)#matchaccess-listemail ciscoasa(config)#policy-mapL3_outside_policy ciscoasa(config-pmap)#classL3_email_class_map ciscoasa(config-pmap-c)#inspectesmtpL7_EMAIL_MAP ciscoasa(config)#service-policyL3_outside_policyinterfaceoutside
Inthisexample,aregularexpression(“abc.com”)isreferencedinaregularexpression classmap.Thelayer7ESMTPpolicymap(L7_EMAIL_MAP)willdropanye-mailsthat haveabodygreaterthan35,000charactersorane-mailcomingfrom“abc.com.”Alayer 3/4classmap(L3_email_class_map)wascreatedthatlooksforanyinboundTCPport 25connection.Alayer3/4policymap(L3_outside_policy)iscreatedtodoinspectionofESMTP,qualifyingitwiththelayer7policymap.Thisisactivatedontheoutside interfaceoftheappliance.
FTPINSPECTION FTPisoneoftheoldestTCP/IPapplicationsandwasdesignedtomovefilesbetween different networked computers. The following sections will discuss how FTP connectionsarebuiltbetweencomputers,whyapplicationinspectionisnecessaryforFTP,the inspectionfeaturesforFTP,andhowtoconfigureapplicationlayerinspectionforFTP.
FTPOperation FTP,interestinglyenough,isunlikenormalconnectionssuchastelnetande-mail.FTP actuallyusestwoconnections—oneisacommandconnection(sometimescalledacontrolconnection)thattheuserusestoaccesstheserverandenterFTPcommands,andthe otherconnectionisusedfortheactualtransferofdata,includingfiles.FTPsupportstwo differentmodes—standard(oractive)andpassive—andbasedonthemode,thesetupof twoconnectionsandtransferofdataisslightlydifferent.Thenexttwosectionsexplain thesetwoFTPmodes.
StandardMode TobetterhelpyouunderstandhowconnectionsaresetupwithstandardFTP,let’suse thetoppartofFigure12-2.WhenauserwantstoinitiateanFTPconnection,theuser setsupacontrolconnectionfirst.Theuserusesthecontrolconnectiontoexecutecommands,like getand put.Whentheuserdeviceopensacontrolconnection,itchooses afreesourceportnumbergreaterthan1023andusesadestinationportnumberof21.
Chapter 12:
Data Applications and Policies
Standard FTP TCP Port => 1024
TCP Port = 21
TCP Port => 1024
TCP Port = 20
Standard FTP Client
FTP Server
Passive FTP TCP Port => 1024
TCP Port = 21
TCP Port => 1024
TCP Port => 1024
Passive FTP Client
FTP Server
Figure12-2. StandardandPassiveModeFTP
Whenevertheuserexecutesacommandonthecontrolconnection,theFTPserveropens asecondconnection,calledadataconnection,whichisusedforthetransferofinformation,likeuploadingordownloadingafile.Fromtheclient(viathecontrolconnection), theservergetsaportnumbergreaterthan1023thatisnotbeingusedontheclient,and theserverusesthatportasthedestinationandasourceportof20. Tobetterhelpyouunderstandsomeoftheissueswithstandard-modeFTP,let’stake alookatsituationswhereasecurityapplianceisbetweentheclientandFTPserver.The nexttwosectionsexplaintheconnectivityissueswhentheclientisontheinsideofthe networkversustheoutsideofthenetwork. ClientontheInsideoftheAppliance Whentheclientisontheinsideofthenetworkand initiatesanFTPconnectiontoanFTPserverontheoutsideofthenetwork,theappliance allows the control connection by default because the connection is traveling from a higher-levelinterfacetoalower-levelone.Aproblemexists,however,whentheclient executesanFTPcommandandtheservertriestoinitiateadataconnectionbacktothe insideclient. Withtheapplicationinspectionfeature,theapplianceexpectsthisdataconnectionto bebuiltandlooksforanFTPcommandwiththeassociatedclientsourceportnumber within the control connection. When the appliance sees the command, it dynamically addstheconnectionentryintheconntablewiththeappropriateinformation—thisincludestheclientportnumberthatitsharedwiththeFTPserver.Therefore,youdon’t havetoworryabouttheinboundconnectioncomingfromtheFTPserver. Withouttheapplicationinspectionfeature,youwouldhavetoconfigureanACLto specificallyallowthissecondconnection.Theproblemwiththisisthatyoudon’treally knowwhichclient,orpossiblyevenwhichservertoallow—youwouldbasicallyhaveto
307
308
Cisco ASA Configuration
permittrafficfromanydevice(theFTPserver)headingtoanywhere(theclients),ifthe sourceportnumberis20.Obviously,thisopensafairlylargeholeinyourappliance.If youdisableapplicationinspectionforFTP,you’llhavetomanuallyconfigurethistype ofACLentrytoallowstandardmodeFTPconnections.Ofcourse,disablingapplication inspectionforFTPwouldpreventdatatransfersforinternaluserswherestandardmode wasemployed. ClientontheOutsideoftheAppliance Inthisexample,let’sassumethattheclientisonthe outsideofyournetworkandthattheFTPserverisontheinside.Fortheinitialclient connectiontowork,youneedtoconfigureanACLthatwillallowtrafficheadingtothe FTPserverforTCPport21—withoutthis,notypeofFTPconnectioncanbemade.Once thecontrolconnectionhasbeenestablished,whentheclientexecutesacommand,the serverinitiatesthedataconnectionbacktotheclient. Inthissituation,becausethedataconnectioniscomingfromahigher-levelinterface andisexitingalower-levelinterface,theappliancepermitsitbydefault,unlessyouhave anACLthatprohibitsthisconnection.Therefore,inthisexample,applicationinspection doesn’tcomeintoplay.
PassiveMode Just as in standard mode for FTP, passive mode has two connections: control and data. ThebottompartofFigure12-2showsanexampleofthesetupofthesetwoconnections. Thecontrolconnectioninpassivemodeisestablishedinthesamemannerasstandard FTP:theuserdevicechoosesanopenportgreaterthan1023asasourceportandusesa destinationportof21.Wheneveradataconnectionisneeded,theuserestablishesthe connectiontotheserver—thisistheoppositeofstandard-modeFTP.Forthisdataconnection,theuserdeviceagainchoosesanopenportnumbergreaterthan1023asasource port,butacquiresfromtheFTPserverwhatportnumbertouseforthedestinationport, anumbergreaterthan1023.Thisnumberisnegotiatedonthecontrolconnection. ClientontheInsideoftheAppliance Whentheclientisontheinsideofthenetworkand initiatesanFTPconnectiontoanFTPserverontheoutsideofthenetwork,theappliance allowstheconnectionbydefaultbecausetheconnectionistravelingfromahigher-level interfacetoalower-levelone.Thisisalsotrueforthedataconnection.Therefore,both connectionscanbeestablishedunlessyouarefilteringwithACLs. Client on the Outside of theAppliance In this example, assume that the client is on the outsideofyournetworkandthattheFTPserverisontheinside.Fortheinitialclient connectiontowork,youneedtoconfigureanACLthatwillallowtrafficheadingtothe FTPserverforTCPport21—withoutthis,notypeofFTPconnectionispossible. Once the command connection has been established, when the client attempts to retrieveorsendafile,theclientwillattempttoestablishadataconnectiontotheserver. Assuming that application inspection is enabled for FTP, the appliance automatically looks at the FTP commands that the user is entering on the command connection, as wellastheconnectioninformationbeingnegotiated,anddynamicallycreatesanentry
Chapter 12:
Data Applications and Policies
intheconnectiontableforthedataconnection.However,ifyou’vedisabledapplication inspectionforFTP,youwillhavetomanuallyaddanACLtoallowtraffictoyourFTP serveratTCPportsgreaterthan1023aswellasthefirstfilterstatementforport21that Ialreadymentioned.
FTPInspectionFeatures Asyousawinthelasthandfulofsections,oneapplicationinspectionfeatureistoadd theadditionalTCPdataconnectiondynamicallytotheconntableasneeded.Anotherissuetheappliancewillhandleisiftheapplianceisperformingaddresstranslationonthe embeddedaddressinginformationifitconflictswithanexistingPATentryinthexlate table—ifthisisthecase,theappliancewillchangetheembeddedportinformationinthe payloadandcreateanewtranslationentryinthexlatetablefortheconnection.Theapplianceshavesupportedbothfeaturesformanyyears. Newinversion7isin-depthapplicationlayerinspectionofFTP,whereyoucanset upadditionalpoliciesaboutwhatcommandscanbeexecutedonthecontrolconnection, alongwiththeuseraccountsusedandthedirectoriesandfilesaccessed,amongmany otherthings.
FTPPolicyConfiguration Thefollowingsectionswilldiscusshowtoconfigurelayer7classandpolicymapsand howtoassociatethesewithalayer3/4inspectionpolicyforFTP.
FTPLayer7ClassMaps Layer7classmapsforFTPallowyoutomatchonadditionalcriteriafoundinFTPpayloads,liketheserversthatusersarelogginginto,theuseraccountsloggedinto,thefiles (andtheirtypes)beingaccessed,andthecommandsbeingexecuted.Thesecanthenbe referencedinalayer7policymapwhereyoucandefineyourapplicationlayerpolicies. Hereisthesyntaxforsettingupalayer7classmapforFTP: ciscoasa(config)#class-maptypeinspectftp[match-all] L7_class_map_name ciscoasa(config-cmap)#match[not]filenameregex{class regex_class_map_name|regex_name} ciscoasa(config-cmap)#match[not]filetyperegex{class regex_class_map_name|regex_name} ciscoasa(config-cmap)#match[not]request-commandFTP_command [...FTP_command] ciscoasa(config-cmap)#match[not]serverregex{class regex_class_map_name|regex_name} ciscoasa(config-cmap)#match[not]usernameregex{class regex_class_map_name|regex_name}
309
310
Cisco ASA Configuration
The filename parameter allows you to match on a filename for FTP access—you can specify a particular regular expression or a regular expression class map. This is also trueofmostofthe matchcommandsforanFTPclassmapwhenmatchingonaregularexpression(s).The filetypeparametermatchesonafiletypeforFTPtransfer.The request-commandparametermatchesonaFTPrequestcommandorlistofcommands (separated by spaces). The commands you can match on include the following: appe (append to a file), cdup (change to the parent of the current directory), dele (delete a file), get(downloadafile), help(displayhelpinformationontheserver), mkd(createa directory), put(uploadafile), rmd(deleteadirectory), rnfr(renameafilefrom), rnto (renameafileto), site(specifyserver-specificcommand),and stou(storeafilewitha uniquename).TheserverparametermatchesononeormoreFTPs.TheusernameparametermatchesonanFTPusernameornames.
FTPLayer7PolicyMaps Thefollowingisthesyntaxforcreatingalayer7policymapforFTP: ciscoasa(config)#policy-maptypeinspectftpL7_policy_map_name ciscoasa(config-pmap)#matchL7_class_map_parameters ciscoasa(config-pmap-c)#[reset][log] ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#classL7_class_map_name ciscoasa(config-pmap-c)#[reset][log] ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#mask-banner ciscoasa(config-pmap-p)#mask-syst-reply
Insteadofcreatinganapplicationlayerclassmap,youcanalsoreferencethesevalues withinthelayer7policymapwiththematchcommand.Theadvantageofusinglayer7 classmapsisthatyoucanapplydifferentpoliciestodifferentclasses(classmaps).You canhavetheapplianceresettheconnection,logthematch,ordobothforamatching classmapormatchcommand.Withintheparameterssectioninalayer7policymap, youcanmaskthegreetingbannertheFTPserversendsduringlogin(themask-banner command)andalsomasktheserverreplytothesystcommand(themask-syst-reply command).
FTPLayer3/4PolicyMaps ToenableinspectionofFTP,youneedtoreferenceitinalayer3/4policymap: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspectftp[strict][L7_policy_map_name]
Chapter 12:
Data Applications and Policies
FTPinspectionsupportsa strictoptionwhenenablingFTPinspectioninalayer3/4 policymap.Thisoptionperformsthefollowingfunctions:
▼ T rackstheFTPcommandandresponsesequencesforinvalidbehavior
■ StopswebbrowsersfromsendingembeddedFTPcommands
■ DropsconnectionswithembeddedFTPcommands
■ RequiresacknowledgmentofanFTPcommandbeforeanewonecanbesent
▲ C heckstoseeifthe227andportcommandsdon’tappearinanerrorstring
Youcanalsoperformin-depthapplicationlayerinspectionofFTPtrafficbycreatingand thenreferencingalayer7policymapwiththeinspectftpcommand. NOTE BydefaultFTPinspectionisenabledintheglobalpolicyontheapplianceonallinterfaces; youcanchangethispolicyorsetupinterface-specificpoliciesthatoverridetheglobalpolicy.
FTPExampleConfiguration TohelpillustratehowtoconfigureFTPinspectionwithlayer7policies,examinethefollowingconfiguration: ciscoasa(config)#regexFTP_USER"admin" ciscoasa(config)#regexFTP_DIR"\/private" ciscoasa(config)#class-maptypeinspectftpL7_CLASS_MAP ciscoasa(config-cmap)#matchnotusernameregexFTP_USER ciscoasa(config-cmap)#matchfilenameregexFTP_DIR ciscoasa(config)#policy-maptypeinspectftpL7_POLICY_MAP ciscoasa(config-pmap)#classL7_CLASS_MAP ciscoasa(config-pmap-c)#resetlog ciscoasa(config)#class-mapL3_FTP_TRAFFIC ciscoasa(config-cmap)#matchporttcpeqftp ciscoasa(config)#policy-mapL3_OUTSIDE_POLICY ciscoasa(config-pmap)#classL3_FTP_TRAFFIC ciscoasa(config-pmap-c)#inspectftpstrictL7_POLICY_MAP ciscoasa(config)#service-policyL3_OUTSIDE_POLICYinterfaceoutside
Atthetop,tworegularexpressionstringsarecreated:oneforauseraccountandone foradirectoryname.ThesearethenreferencedintheFTPapplicationlayerclassmap (L7_CLASS_MAP),wheretheclassmapisbasicallylookingforsomeoneotherthan“admin”accessingthe“/private”directory.Thelayer7policymap(L7_POLICY_MAP)then setsupthepolicyforthiskindofaccess:resetandlogtheconnection.Thelayer3/4class map(L3_FTP_TRAFIC)ismatchingonanyport21connection.Thelayer3/4policymap (L3_OUTSIDE_POLICY)referencesthisclassmapandenablesinspectionwiththestrict optionforFTP.Additionallythelayer7policymapisassociatedwiththelayer3/4inspectionpolicy.Thispolicyisthenactivatedontheoutsideinterface.
311
312
Cisco ASA Configuration
TFTPINSPECTION LikeFTP,TFTPcanbeusedforsharingfiles;however,itusesamuchsimplerinteractive processthatlacksauthentication.Thefollowingtwosectionswilldiscusstheoperation ofaTFTPsessionandhowtoconfigureaninspectionpolicyforTFTP.
TFTPOperation TFTPisdefinedinRFC1350andusesUDPasatransport.Theserverlistensonport69 forclientconnections.Youcan’tlistfilesinadirectory,movearounddirectories,delete files,orevenrenamefiles:theonlytwooperationsthatTFTPsupportsarereadingand writingoffiles.(TheRFCstandardalsosupportsmailfunctions,butnoserverproduct hasyetimplementedthisfeature.) TFTPisalittlebitsimilartopassivemodeFTP.WhentheclientconnectstotheTFTP server,itchoosesarandomsourceportabove1023andsendsitsfirstmessagetoUDP port 69 on the server. The server then replies with a destination port, typically above 1023,thattheclientwilluse.Allsubsequentpacketsarethensentusingtheclientoriginalportnumberandthedestinationnewlyassignedportnumber.Onesideoftheconnectionisthereceiverandtheotherthesender,wheretheroledependsuponwhethera fileisbeingreadontheserverorcopiedtotheserver.Dataissentinblocksof512bytes, whereapacketthatissmallerthan512bytesindicatestheterminationoftheconnection. Also,everypacketsentisacknowledged—ifanacknowledgmenttimesout,thesource resendsthemissingpacket.Aspecialerrormessagecanbeanyofthefollowing:
▼ T herequestcannotbesatisfied(likethefilecannotbefound,oranaccess violationoccurswhentryingtoaccessthefile).
■ Receivingaduplicatedpacketoranincorrectlyformattedpacket.
▲ T heresourceisnolongeravailable(likethediskdrivewasfilleduponthe server,orthefilepermissionswerechangedduringtransferandtheuserno longerhasaccesstothefile).
Errorsarenotacknowledgedandwillautomaticallyterminatetheconnection.Theone exceptiontothisruleisifthesourceportnumberinthereceivedpacketisincorrect:in thiscase,anerrorpacketissentbacktothesender. Iftheuserisonahigher-levelinterfaceandtheserverisonalower-levelinterface, inspectionfortheserverportnumberchangeisnotrequiredunlessyouhaveanACLrestrictingtraffic.However,forinboundTFTPconnections,you’llneedtouseTFTPinspectiontoallowthesecondconnection(subsequentpacketsbetweentheclientandserver). Whenperforminginspection,iftheapplianceisalsoperformingaddresstranslation, anyembeddedaddressinginformationthatconflictswithanentryinthexlatetablewill bechangedinthepayloadandappropriatelyupdatedinthexlatetable.
Chapter 12:
Data Applications and Policies
TFTPPolicyConfiguration TFTPinspectionisenabledbydefaultintheglobalpolicyappliedtoallinterfacesofthe appliance.Youcandisableitgloballyandenableitonaninterface-by-interfacebasis,or youcancontrolforwhichserver(s)inspectionshouldbeperformed.Toenableinspection ofTFTP,youneedtoreferenceitinalayer3/4policymap: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#[no]inspecttftp
TFTPonlysupportslayer3/4inspection. The following example modifies the global policy to control when inspection for TFTPisdone(onlythespecifiedserverintheACL,192.168.1.1): ciscoasa(config)#access-listtftppermitudpany host192.168.1.1eq69 ciscoasa(config)#class-mapL3_tftp_class_map ciscoasa(config-cmap)#matchaccess-listtftp ciscoasa(config)#policy-mapglobal_policy ciscoasa(config-pmap)#classinspection_default ciscoasa(config-pmap-c)#noinspecttftp ciscoasa(config-pmap)#classL3_tftp_class_map ciscoasa(config-pmap-c)#inspecttftp ciscoasa(config)#service-policyglobal_policyglobal
HTTPINSPECTION HTTPisoneofthemostcommonInternetprotocolsusedtodayandisusedtodisplay elementsinawebbrowserwindow.Thefollowingsectionswilldiscusstheinspection featuresforHTTPandhowtoconfigureapplicationlayerinspectionforHTTP.
HTTPInspectionFeatures Inversion6andearlieroftheoperatingsystem,theapplicationinspectionfeaturesfor HTTPwereveryminimal.BasicallyyoucouldcopyURLstoWebsenseorSmartFilter tofilterreturningwebtraffic,oryoucouldfilterHTTPconnectionsthataccessedJava orActiveXcontent(seeChapter7onthesetopics).Startinginversion7,Ciscogreatly enhanced the application layer inspection features for HTTP. Besides the items I just mentioned,theappliancessupporttheseadditionalinspectionfeaturesforHTTP,among manyothersthatwillbediscussedinthenextsection:
▼ C anlookforandpreventtunneledtrafficonwebconnections,likepeer-to-peer (P2P),instantmessaging(IM),andothers
■ CanlookforandpreventHTTPRFCmethodsandextensions(commands)that aresent
313
314
Cisco ASA Configuration
■ CanfilteroninformationfoundintheURL
■ CanspooftheHTTPserverheadingresponsefromthewebservertohidethe server’sidentity(likethekindofproductbeingusedanditsversion)
■ CanspecifysizeandcountlimitsfortheHTTPelementsinuserrequestsand serverresponses
■ CanlookforandfilterspecificMIMEtypes
▲ C anlookforandfilteronnon-ASCIIcharactersinrequestsandresponses
HTTPPolicyConfiguration Thefollowingsectionswilldiscusshowtoconfigurelayer7classandpolicymapsand howtoassociatethesewithalayer3/4inspectionpolicyforHTTP.
HTTPLayer7ClassMaps Layer7classmapsforHTTPallowyoutomatchonadditionalcriteriafoundinHTTP payloads,liketherequestssentbytheusersandtheresponsesfromtheservers,theURLs beingaccessed,thesizeandcontentsofthebodyofthemessage,andmanyotherthings. Thesecanthenbereferencedinalayer7policymapwhereyoucandefineyourapplicationlayerpolicies.Hereisthesyntaxforsettingupalayer7classmapforHTTP: ciscoasa(config)#class-maptypeinspecthttp[match-all] L7_class_map_name ciscoasa(config-cmap)#match[not]req-respcontent-typemismatch ciscoasa(config-cmap)#match[not]requestargsregex{class regex_class_name|regex_name} ciscoasa(config-cmap)#match[not]requestbodylengthgtbytes ciscoasa(config-cmap)#match[not]requestbodyregex{class regex_class_name|regex_name} ciscoasa(config-cmap)#match[not]requestheaderheader_options ciscoasa(config-cmap)#match[not]requestmethodmethods ciscoasa(config-cmap)#match[not]requesturilengthgtbytes ciscoasa(config-cmap)#match[not]requesturiregex{class regex_class_name|regex_name} ciscoasa(config-cmap)#match[not]responsebodyactive-x ciscoasa(config-cmap)#match[not]responsebodyjava-applet ciscoasa(config-cmap)#match[not]responsebodylengthgtbytes ciscoasa(config-cmap)#match[not]responsebodyregex{class regex_class_name|regex_name} ciscoasa(config-cmap)#match[not]responseheaderheader_options ciscoasa(config-cmap)#match[not]responsestatus-lineregex{class regex_class_name|regex_name}
Table12-2explainsthedifferent matchcommandsyoucanincludeinyourHTTPclass map.Requestsarefromusersandresponsesarefromwebservers.
Chapter 12:
matchCommand
Data Applications and Policies
Description
matchreq-resp Checkstheheadercontenttypevalueagainstalist content-typemismatch ofsupportedcontenttypesforamismatch,verifies
thattheheadercontenttypematchesthecontentin thebody(data),andthatthecontenttypefieldin theresponsematchestheacceptfieldvalueinthe requestmessage
matchrequestargs regex
Looksforamatchwitharegularexpression(s)in theargumentsofarequest
matchrequestbody lengthgt
Looksforabodysizethatexceedsthisnumberof bytesinarequestmessage
matchrequestbody regex
Looksforamatchwithregularexpression(s)inthe bodyofarequest
matchrequestheader
Looksforthespecifiedfieldintheheaderofa request(seetheprecedingparagraphaboutheader optionsyoucanspecify)
matchrequestmethod
LooksforthespecifiedRFCorextendedmethod inarequestmessage(seetheprecedingparagraph aboutmethodsyoucanspecify)
matchrequesturi lengthgt
LooksfortheURIportionofarequestthatexceeds thespecifiednumberofbytes(basicallyalongURL)
matchrequesturi regex
Looksforaregularexpression(s)intheURIportion ofarequestmessage
matchresponsebody active-x
LooksforanActiveXscripttaginthebodyofa response
matchresponsebody LooksforaJavascripttaginthebodyofaresponse java-applet matchresponsebody Looksfortheresponsebodythatexceedsthis lengthgt numberofbytes matchresponsebody Looksforaregularexpression(s)inthebodyofa regex response matchresponseheader Looksforthespecifiedfieldintheheaderofa
request(seetheprecedingparagraphaboutheader optionsyoucanspecify)
matchresponsestatus- Looksforaregularexpression(s)inthestatuslineof lineregex aresponsemessage
Table12-2. HTTPPolicyParametersforthematchCommand
315
316
Cisco ASA Configuration
HTTP header options you can match on include accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encodng, content-language, content-length, contentlocation, content-md5, content-range, content-type, cookie, count, date, expect,expires,from,host,if-match,if-modified-since,if-none-match,ifrange,if-unmodified-since,last-modified,length,max-forwards,non-ascii, pragma, proxy-authorization, range, referer, regex, te, trailer, transferencoding,upgrade,user-agent,via,andwarning.
HTTPrequestmethods(boththosedefinedintheRFCandtheextendedones)includethefollowing:bcopy,bdelete,bmove,bpropfind,bproppatch,connect,copy, delete,edit,get,getattribute,getattributenames,getproperties,head,index,lock,mkcol,mkdir,move,notify,options,poll,post,propfind,proppatch, put, regex, revadd, revlabel, revlog, revnum, save, setattribute, startrev, stoprev,subscribe,trace,unedit,unlock,andunsubscribe.
HTTPLayer7PolicyMaps Thefollowingisthesyntaxforcreatingalayer7policymapforHTTP: ciscoasa(config)#policy-maptypeinspecthttpL7_policy_map_name ciscoasa(config-pmap)#matchL7_class_map_parameters ciscoasa(config-pmap-c)#{log|drop-connection[log]|reset[log]} ciscoasa(config-pmap)#classL7_class_map_name ciscoasa(config-pmap-c)#{log|drop-connection[log]|reset[log]} ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#protocol-violationaction{[{drop-connection| reset}][log]} ciscoasa(config-pmap-p)#spoof-serverserver_message
Insteadofcreatinganapplicationlayerclassmap,youcanalsoreferencethesevalues withinthelayer7policymapwiththematchcommand.Theadvantageofusinglayer7 classmapsisthatyoucanapplydifferentpoliciestodifferentclasses(classmaps).You canhavetheapplianceresetand/orlogtheconnectionordropand/orlogtheconnectionforamatchingclassmaporamatchcommand.Withintheparameterssectionin a layer 7 policy map, the protocol-violation command looks and defines actions forprotocolviolationsinHTTPrequestsandresponses.The spoof-servercommand replacestheserverinformationintheHTTPheaderwiththemessageyoudefine—itcan beupto82charactersinlength. TIP Irecommendusingalistofasterisks(“*”)fortheheaderorcreatingafakeheaderthatincorrectly definesthetypeandversionofproductthatyouareusing—thismakesitalittlebitmoredifficultfor anattackertoidentifywhatyouareusingandthentohome-inonspecificvulnerabilitiesthataweb servermighthave.
Chapter 12:
Data Applications and Policies
HTTPLayer3/4PolicyMaps ToenableinspectionofHTTP,youneedtoreferenceitinalayer3/4policymap: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspecthttp[L7_policy_map_name]
Youcanalsoperformin-depthapplicationlayerinspectionofHTTPtrafficbycreating andthenreferencingalayer7policymapwiththeinspecthttpcommand. NOTE BydefaultHTTPinspectionisenabledintheglobalpolicyontheapplianceonallinterfaces; youcanchangethispolicyorsetupinterface-specificpoliciesthatoverridetheglobalpolicy.
HTTPExampleConfiguration TohelpillustratehowtoconfigureHTTPinspectionwithlayer7policies,examinethe followingconfiguration: ciscoasa(config)#regexurl_example1abc1\.com ciscoasa(config)#regexurl_example2abc2\.com ciscoasa(config)#class-maptyperegexmatch-anyURL_List ciscoasa(config-cmap)#matchregexexample1 ciscoasa(config-cmap)#matchregexexample2 ciscoasa(config)#class-maptypeinspecthttpmatch-allL7_HTTP_class ciscoasa(config-cmap)#matchreq-respcontent-typemismatch ciscoasa(config-cmap)#matchrequestbodylengthgt1000 ciscoasa(config-cmap)#matchnotrequesturiregexclassURL_List ciscoasa(config)#policy-maptypeinspecthttpL7_HTTP_policy ciscoasa(config-pmap)#matchreq-respcontent-typemismatch ciscoasa(config-pmap-c)#resetlog ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#classL7_HTTP_class ciscoasa(config-pmap-c)#drop-connectionlog ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#protocol-violationactionlog ciscoasa(config-pmap-p)#spoof-server*************** ciscoasa(config)#class-mapL3_HTTP_TRAFFIC ciscoasa(config-cmap)#matchporttcpeq80 ciscoasa(config)#policy-mapL3_outside_policy ciscoasa(config-pmap)#classL3_HTTP_TRAFFIC ciscoasa(config-pmap-c)#inspecthttpL7_HTTP_policy ciscoasa(config)#service-policyL3_outside_policy interfaceoutside
317
318
Cisco ASA Configuration
Intheprecedingexample,aregularexpressionclassmapincludestworegularexpressions:“abc1.com”and“abc2.com”.I’llassumethatthesearemycompanydomain names.Followingthisisalayer7classmap(L7_HTTP_class)forHTTPthatislooking forallofthefollowing:
▼ I neitherarequestoraresponse,acontenttypemismatchinarequestora responsemessage(likeatagthatsaysbutthefilereferenceddoesn’t endinanextensionassociatedwithapicture/image).
■ Arequestbodylengthisgreaterthan1,000bytes.
▲ A URIpartoftherequestdoesn’tcontainthetworegularexpressions.
Belowthelayer7classmap,alayer7policymap(L7_HTTP_policy)isconfigured for HTTP.A global policy is defined for content type mismatches (match req-resp content-type mismatch):resetandlogtheconnection.Forinformationmatchingin thelayer-7classmap,theconnectionsaredroppedandlogged.Protocolviolationsare logged, but allowed. Likewise, I’m spoofing the server information in response messages,replacingtheserverinformationwithalistofasterisks. Alayer3/4classmap(L3_HTTP_TRAFFIC)iscreatedthatincludesport80traffic. Alayer3/4policymap(L3_outside_policy)iscreatedthatreferencesthelayer3/4 class map and performs application layer inspection of HTTP traffic, qualifying the inspectionbyusingthelayer-7policymappolicies.
INSTANTMESSAGINGINSPECTION Userscantakeadvantageofthemultifunctioncapabilitiesofinstantmessaging(IM)applications:chatting,video,voice,games,filetransfers,andothers.Manyorallofthese cancreateproductivityproblemsandsecurityissuesintheworkplace.InspectionofIM becameavailableinversion7,allowingyoutocontrolthesefunctions. InspectionfeaturescurrentlysupportYahooMessengerandMSNMessengerIMclientsontheirnativeports.WiththeseIMclients,youcancontrolwhatusernamesthe users use to log in, the user and server addresses allowed to communicate with each other,theservicestheclientscanusewithintheIMclient,andmanyotherthings.The followingsectionswilldiscusshowtoconfigureanIMinspectionpolicy.
IMPolicyConfiguration Thefollowingsectionswilldiscusshowtoconfigurelayer7classandpolicymapsand howtoassociatethesewithalayer3/4inspectionpolicyforIMtraffic.
IMLayer7ClassMaps Layer7classmapsforIMallowyoutomatchonadditionalcriteriafoundinIMconnections,likethetypeofclientbeingused,theservicestheuserisusingwithintheclient,
Chapter 12:
Data Applications and Policies
theIPaddressesinvolvedintheconnection,andmanyotherthings.Hereisthesyntax forsettingupalayer7classmapforIM: ciscoasa(config)#class-maptypeinspectim[match-all] L7_class_map_name ciscoasa(config-cmap)#match[not]protocol{[msn-im][yahoo-im]} ciscoasa(config-cmap)#match[not]service{[chat][conference] [file-transfer][games][voice-chat] [webcam]} ciscoasa(config-cmap)#match[not]filenameregex{class regex_class_name|regex_name} ciscoasa(config-cmap)#match[not]ip-addressIP_address[subnet_mask] ciscoasa(config-cmap)#match[not]peer-ip-addressIP_address [subnet_mask] ciscoasa(config-cmap)#match[not]login-nameregex{class regex_class_name|regex_name ciscoasa(config-cmap)#match[not]peer-login-nameregex{class regex_class_name|regex_name} ciscoasa(config-cmap)#match[not]versionregex{class regex_class_name|regex_name}
TheprotocolparameterallowsyoutomatchoneitherorbothoftheIMclients:MSN Messengerand/orYahooMessenger.Theserviceparameterallowsyoutomatchonthe typeof servicetheuserisattemptingtousewithintheIMclient,likeplayinggames, running video, transferring files, and others. The filename parameter allows you to matchonafilenamelistedinaregularexpressionorexpressionsthatarebeingtransferredbetweentwoclients(thisissupportedcurrentlyonlyfortheYahooclient).TheipaddressparameterallowsyoutomatchonaclientIPaddress(orsubnet).The peerip-addressparameterallowsyoutomatchontheremotepeerorserverIPaddress(or subnet).The login-nameparameterallowsyoutomatchontheuser’snameinitiating theconnection,andthe peer-login-nameparameterallowsyoutomatchonapeer namethatauserwantstoconnectto.Theversionparameterallowsyoutousearegularexpression(s)tomatchontheversioninformationsharedbetweenthetwoclients.
IMLayer7PolicyMaps Tousethelayer7IMclassmap,youmustreferenceitinalayer7policymapforIM: ciscoasa(config)#policy-maptypeinspectimL7_policy_map_name ciscoasa(config-pmap)#matchL7_class_map_parameters ciscoasa(config-pmap-c)#{[drop-connection|reset]}[log] ciscoasa(config-pmap)#classL7_class_map_name ciscoasa(config-pmap-c)#{[drop-connection|reset]}[log]
Insteadofcreatinganapplicationlayerclassmap,youcanalsoreferencethesevalues withinthelayer7policymapwiththematchcommand.Theadvantageofusinglayer7
319
320
Cisco ASA Configuration
classmapsisthatyoucanapplydifferentpoliciestodifferentclasses(classmaps).You canhavetheapplianceresetand/orlogtheconnectionordropand/orlogtheconnectionforamatchingclassmapormatchcommand.
IMLayer3/4PolicyMaps InspectionofIMtrafficisdisabledontheappliance.Toenableit,createyourlayer7class and/orpolicymaps,andassociatethelayer7policymapwithalayer3/4inspection policy: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspectimL7_policy_map_name
IMExampleConfiguration TohelpillustratehowtoconfigureIMinspectionwithlayer7policies,examinethefollowingconfiguration: ciscoasa(config)#class-maptypeinspectimmatch-allL7_IM_class_map ciscoasa(config-cmap)#matchnotip-address10.0.0.0255.0.0.0 ciscoasa(config-cmap)#matchnotpeer-ip-address10.0.0.0255.0.0.0 ciscoasa(config-cmap)#matchprotocolnotmsn-im ciscoasa(config-cmap)#matchnotservicechat ciscoasa(config)#policy-maptypeinspectimL7_IM_policy_map ciscoasa(config-pmap)#classL7_IM_class_map ciscoasa(config-pmap-c)#resetlog ciscoasa(config)#class-mapim_inspect_class_map ciscoasa(config-cmap)#matchdefault-inspection-traffic ciscoasa(config)#policy-mapglobal_policy ciscoasa(config-pmap)#classim_inspection_class_map ciscoasa(config-pmap-c)#inspectimL7_IM_policy_map ciscoasa(config)#service-policyglobal_policyglobal
Intheprecedingexample,alayer7classmap(L7_IM_class_map)isincludingeverything excepttheinternalIMclients(10.0.0.0/8),theIMpeers/servers(10.0.0.0/8),chatting,and theMSNclient.Soifit’sanythingelse,thelayer7policymap(L7_IM_policy_map)will resetandlogit.Forexample:
▼ A nyoneusingtheYahooclientwouldbereset.
■ AnyMSNclientaccessingaservernotin10.0.0.0/8wouldbereset.
▲ A nyMSNclienttryingtousewebcamwouldbereset.
Alayer3/4classmap(im_inspect_class_map)hasbeencreatedthatincludesIMon itsnativeports.Thisisreferencedinthegloballayer3/4policymapwithapplication inspectionofIMusingthelayer7policymap,whichisappliedonallinterfacesofthe appliance.
Chapter 12:
Data Applications and Policies
RSHINSPECTION RSH (remote shell) was designed for UNIX systems to alleviate the hassles of having toauthenticateeverytimeyouloggedintoanothersystem.Oneproblemwithtelnetis thatyoumustalwaysenterausernameandpasswordwhenaccessingaremotesystem. WithRSH,youlogintoonemachine,andthenyoucanremotelystartupashellprocess onadifferentmachinewithouthavingtoagainenterausernameandpassword.Onthe remoteUNIXsystem,a“.rhosts”filecontainsalistofIPaddressesofdevicesthatareallowedtoperformRSH.Thisgreatlysimplifiesaccessingremoteresources. Todaymostpeopledon’tuseRSHbecauseitisveryinsecure—alltrafficgoingacross theconnectionissusceptibletoeavesdropping,anditisveryeasytoexecuteaspoofing attacktostartupashellonaremotesystemwiththisprocessenabled.Becauseofthese inherentsecurityproblemswithRSH,mostpeopleuseSSH(secureshell),whichIdiscussedinChapter3. SECURITY ALERT! You should not allow RSH traffic through your appliance, because it is susceptibletospoofingattacks.Ifyoumustallowit,restrictitsusewithACLs.
MechanicsofRSHConnections TohelpillustratehowRSHconnectionsareestablishedbetweenaclientandaserver, I’llusetheexampleshowninFigure12-3.WhensettingupanRSHconnection(which usesTCP),theclientdevicechoosesasourceportnumbergreaterthan1023thatisnot currentlybeingused.Thedestinationportnumberisthewell-knownport514.ThisconnectionisknownasacommandconnectionandisusedtoemulatetheCLIoftheshell. Oncethecommandconnectionisestablished,theRSHserversetsupanotherTCP connection,calledanerrorconnection,backtotheclient.Theerrorconnectionisusedto transmiterrorsrelatedtotheshell.Theserveraskstheclientonthecommandconnection whichfreeportnumber(greaterthan1023)theclientisassigningtothisconnectionfor thedestinationportnumber,andtheserverchoosesaportnumbergreaterthan1023asa sourceportnumber.Theserverthenbuildsthisconnectiontotheclient.Asyoucansee, thisprocessisverysimilartostandard-modeFTP.
RSH TCP Port => 1024
TCP Port = 514
TCP Port => 1024
TCP Port => 1024
RSH Client
Figure12-3. SettingupanRSHconnection
RSH Server
321
322
Cisco ASA Configuration
The function of application inspection on the appliance is to dynamically add the error connection to the conn table as needed. Likewise if the appliance is performing address translation, and the port numbers negotiated conflict with what is already in thexlatetable,theappliancewillfixthenumbersinthepayloadandaddthenecessary entryinthexlatetable.
RSHPolicyConfiguration RSHinspectionisenabledbydefaultontheapplianceinthe global_policy.RSHinspectiondoesn’tsupportlayer7classandpolicymaps.YoucangloballydisableRSH inspection and/or enable it on an interface-by-interface basis by using the following commands: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#[no]inspectrsh
SNMPINSPECTION SNMPusesUDPconnectionstoports161and162tocommunicatebetweendevices.Applicationinspectionontheappliancesdoesn’tdoanythingfancy,sincetheseconnections don’trequireany“fixingup”tofunctionthroughtheappliance. SNMP versions 1, 2, and 2c have security issues, however, since they contain the communitystrings(theequivalentofapassword)incleartextintheSNMPpayloadand thusaresusceptibletoeavesdroppingandspoofingattacks.Version3supportsencryptionandHMACfunctions(fordigitalsignatures),makingitmoresecurethantheolder SNMPversions.Applicationinspectionontheappliances,therefore,isusedtorestrict whatversionsofSNMPyou’llallowthroughtheappliance.
SNMPPolicyConfiguration SNMPinspectionwasaddedinversion7.0oftheappliance.Unlikewithmanyotherapplicationsandprotocols,therearenolayer7classorpolicymaps.However,todefinethe SNMPversionsyouwanttodeny,youmustcreatewhatiscalledanSNMPmap: ciscoasa(config)#snmp-mapsnmp_map_name ciscoasa(config-snmp-map)#denyversionversion
Theversionnumbercanbe1,2,2c,or3.Todenymultipleversions,listtheminseparate denycommands. SNMPinspectionisdisabledbydefault.Onceyou’vecreatedyourSNMPmap,you needtoreferenceitinalayer3/4policy: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#[no]inspectsnmpsnmp_map_name
Chapter 12:
Data Applications and Policies
SNMPExampleConfiguration TohelpillustratehowtoconfigureSNMPinspectionwithSNMPmaps,examinethefollowingconfiguration: ciscoasa(config)#access-listsnmpACLpermittcpanyanyeq161 ciscoasa(config)#access-listsnmpACLpermittcpanyanyeq162 ciscoasa(config)#class-mapL3_snmp ciscoasa(config-cmap)#matchaccess-listsnmpACL ciscoasa(config)#snmp-mapdeny_snmp_map ciscoasa(config-snmp-map)#denyversion1 ciscoasa(config-snmp-map)#denyversion2 ciscoasa(config-snmp-map)#denyversion2c ciscoasa(config)#policy-mapglobal_policy ciscoasa(config-pmap)#classL3_SNMP ciscoasa(config-pmap-c)#inspectsnmpdeny_snmp_map ciscoasa(config)#service-policyglobal_policyglobal
Intheprecedingconfiguration,anSNMPpolicyisenabledglobally,whereonlySNMP version3isallowed.
SQL*NETINSPECTION Oracle developed a protocol called SQL*Net, which allows remote users to access an Oracledatabaseinclient/serverapplications.TherearetwoversionofSQL*Net:version 1and2.TheCiscoapplicationinspectionfeatureiscompatiblewithboth.Inthefollowingsections,IwilldiscusshowtheapplicationinspectionfeatureforSQL*Networksand howtoenableSQL*Netapplicationinspection.
MechanicsofSQL*NetConnections BeforeIbegintalkingabouthowtheapplianceapplicationinspectionfeaturedealswith connectivityissuesbetweenOracleclientsandOracledatabaseserver(s),let’sfirstlook athowconnectionsgetsetupbetweenthesetwosetsofdevices.Basicallytwodifferent scenarioscanoccurwhenanOracleclientrequestsaconnectiontoanOracledatabase server:
▼ T heconnectionwillbecreatedtothespecifieddatabaseserver.
▲ T hedatabaseserverwillredirecttheclienttoadatabaseonadifferentserver.
I’llusetheexampleshowninFigure12-4toassistwithmyexplanationofthefirst type of connection. In this example, the Oracle client opens a TCP connection to the Oracledatabaseserver.Thesourceportnumberisgreaterthan1023,andthedestination portnumberis1521.IfthedatabaseserverisIANAcompliant,thenthedestinationport
323
324
Cisco ASA Configuration
SQL*Net Connection to the Same Server TCP Port => 1024
TCP Port = 1521
TCP Port => 1024
TCP Port => 1024
Oracle Client
Oracle Database Server
Figure12-4. ThisishowaSQL*Netconnectionissetuptothesamedatabaseserver.
numbershouldbe66.Thedatabaseserver,uponreceivingtheconnectionsetuprequest, completestheconnectionandthennotifiestheclientthattoestablishadataconnection todoatablequery,theclientshouldusetheTCPportnumberassignedbytheserver. TheclientthenopensasecondTCPconnectiontotheserver:thesourceportnumberis above1023,andthedestinationportnumberistheoneassignedbytheOracleserver. Aninterestingsituationarises,however,whentheactualdataresourcesthattheclient wantsarenotonthesameOracledatabaseserver,orwhenloadbalancingissetupamong multiple database servers. In this instance, the client connects to its configured server onTCPport1521(or66),asshowninFigure12-5.Oncethisconnectionisestablished,
SQL*Net Connection to a Different Server
P
TC
t Por
=>
1
152
Oracle Database Server #1
4
102
P TC TCP Port => 1024 TCP Port => 1024 Oracle Client
t= Por
TCP Port = 1521 TCP Port => 1024 Oracle Database Server #2
Figure12-5. ThisishowaSQL*Netconnectionissetuptoadifferentdatabaseserver.
Chapter 12:
Data Applications and Policies
ifthisdatabaseserverwillnotbehandlingthedatarequests,itwillforwardtheIPaddress ofanotherdatabaseserverbacktotheSQL*Netclient.Theclientwillthenteardownthe connectiontothefirstserverandwillusetheIPaddressgiventoitbythefirstserverto setupanotherTCPport1521(or66)connection—thisistheconnectiontotheredirected databaseserver.ThissecondserverwillthennegotiatetheTCPportnumbersforthedata connection,whichtheclientwillthenusetoestablishthedataconnection. Thefunctionofapplicationinspectionontheapplianceistodynamicallyaddthese connections to the conn table as needed, including any connections to other database servers.Likewise,iftheapplianceisperformingaddresstranslationandtheportnumbers(oraddresses)negotiatedconflictwithwhatisalreadyinthexlatetable,theappliancewillfixthenumbersinthepayloadandaddthenecessaryentryinthexlatetable. If the port number being passed back matches a static command between the two interfaces,theappliancewillalsofixthisinthepayload.
SQL*NetPolicyConfiguration SQL*Netapplicationinspectionisenabled,bydefault,intheglobal_policy.SQL*Netinspectiondoesn’tsupportlayer7classandpolicymaps.YoucangloballydisableSQL*Net inspection and/or enable it on an interface-by-interface basis by using the following commands: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#[no]inspectsqlnet
Ifthedatabaseserverisrunningonaportotherthan1521or66(iftheadministratoris implementinganIANAsolution),thenyou’llneedtocreatealayer3/4classmapthat referencesthecorrectprotocolandport(oruseanACL)andthenreferencetheclassmap inalayer3/4policywithSQL*Netinspection.
325
This page intentionally left blank
13 Voice and Policies
327
328
Cisco ASA Configuration
T
his chapter will introduce you to the application inspection features for voice connections. Like FTP and other applications, Voice over IP (VoIP) applications usemultipleconnectionstosetupandtransmitvoiceconversations.Thetopics discussedinthischapterinclude
▼ S IP
■ SCCP
■ CTIQBE
▲ M GCP
SIPINSPECTION The Session Initiation Protocol (SIP), specified in RFC 2543, is used by VoIP to set up audioconnectionsandissupportedbymanyVoIPvendors,includingCisco.SIPisresponsibleforhandlingthesessionsorthesetupofthevoiceconnections.TheSession Description Protocol (SDP), specified in RFC 2327, is responsible for the assignment oftheportsfortheactualvoiceconnections.Thesignalingforthesetupofvoiceconnectionshappensoverawell-knownconnection,port5060.Theappliancewillinspect thisinformationtofigureoutthedynamicportsthatthetwosideswilluseforsetting uptheaudioconnectionandlettingthevoicetrafficin,byaddingthenecessaryUDP connection(s)tothestatetable.ThefollowingsectionswilldiscusshowaSIPsessionis established,issueswithSIP,theapplicationlayerinspectionfeaturesoftheappliances, andhowtoconfiguretheinspectionfeatures.
SIPConnectionsandApplicationInspection The following sections will discuss how SIP connections are established between the VoIPclients(phones)andtheVoIPgateway,alongwiththeapplicationlayerinspection featuresoftheappliances.
SetupofSIPVoIPConnections TohelpillustratehowSIPconnectionsareestablishedbetweenaVoIPclientandaVoIP gateway,aswellassettingupphoneconnectionsbetweenSIPVoIPclients,I’llusethe exampleshowninFigure13-1. Whensettingupthefirstconnection(whichcanuseeitherTCPorUDP),theclient devicewillchooseasourceportnumbergreaterthan1023thatisnotcurrentlybeing used.Thechoiceofprotocolsisbasedontheconfigurationandimplementationofthe VoIP solution; typically UDP is used. The destination port number is the well-known port5060.ThisconnectionisasignalingconnectionandisusedbytheVoIPclienttosend signalinginformation,likeacallsetuporteardownrequestofaudiophoneconnections, totheVoIPgatewaydevice.ThesignalingconnectionisalsousedforVoIPclientstoregistertheirphonenumbersandIPaddresses—basicallytheVoIPgatewayactsasaphone
Chapter 13:
Voice and Policies
SIP TCP/UDP Port => 1024
TCP/UDP Port = 5060
UDP Port => 1024 VoIP Client
VoIP Gateway
UDP Port => 1024 UDP Port => 1024
UDP Port => 1024
VoIP Client
Figure13-1. SetupofaSIPsession
directorytoresolvephonenumberstoIPaddressesandtoassistclientsinestablishing phoneconnectionsamongthemselves. Oncethesignalingconnectionisestablished,theVoIPclientcanmakephonecalls. When making a phone call, the client will use the signaling connection to signal the VoIPgatewayofthecallsetuprequesttoadestinationphone.Twoconnectionswillbe establishedtothedestinationVoIPphone:onefortheaudioandoneforsynchronization. Actually,theRTPprotocol,discussedinthenextchapter,isusedtoimplementtheseconnections.ThesourceclientwillchooseunusedUDPportnumbers(greaterthan1023)for theaudioandsynchronizationconnectionandwillnotifythegatewayofitschoice.The VoIPgatewaywillthencontactthedestinationVoIPphone,acquirethedestinationUDP portnumbers(greaterthan1023)thataretobeusedfortheincomingcallsessionfrom thesource,alongwiththedestinationIPaddress,andthennotifythesourceclientofthis connectioninformationsothatthesourcecannowcompletetheaudioandsynchronizationconnectionstothedestinationphone.
ApplicationLayerInspectionFeaturesforSIP ApplicationinspectionforSIPisnewasofversion6.0oftheOS.Whenthisfeaturewas introduced,theappliancesecurelyallowedtheadditionalUDPconnectionsbyadding themtothestatetableandfixingembeddedaddressinginformationinthepayload. DealingwiththeAdditionalUDPConnectionsforSIP IftheVoIPclientestablishingthevoice session is connected to a lower-level interface than the VoIP gateway interface, you’ll needaninboundACLentrytoallowtheconnection.Inadditiontothis,ifthedestination VoIPclientisconnectedtoahigher-levelinterfacethanthesourceinterface,you’llneed applicationlayerinspectionenabledforSIPsotheappliancecanexaminethesignaling connection,determinethatthetwoRTPconnectionsarebeingnegotiated,dynamically
329
330
Cisco ASA Configuration
addthesetothestatetable,and,ifaddresstranslationisusedandthenewconnections conflictwithanexistingPATtranslation(s),canchangetheembeddedportnumbersin thesignalingconnectionandcreatethenecessaryPATtranslation(s)inthexlatetable.If theIPaddressesarebeingNATed,thesearealsofixedinthesignalingconnection. The following restrictions apply to the appliance when a remote VoIP client (connectedtoalower-levelinterface)attemptstoregisterwithaSIPgateway(connectedto ahigher-levelinterface):
▼ T heclientwon’tbeabletoregisteritsIPaddressiftheclientisbeingPATed.
■ TheadditionalRTPconnectionswon’tbeaddediftheSIPproxy/gatewayfails toincludetheportnumbersinthesignalingmessagesbetweentheclients.
■ WhensettinguptheUDPsessions,theappliancemustbeabletoseethe signalingconnectionbetweentheclientandgateway:ifbothofthese areconnectedtoalower-levelinterfaceandtheVoIPdestinationclientis connectedtoahigher-levelinterface,theRTPconnectionswillfail.Therefore,it isrecommendtolocatethegatewayoffaninterfacewithasecuritylevelhigher thanalltheVoIPclients.
▲ I ftheVoIPclienthastwodifferentIPaddresses,andoneaddressappearsin theowner(“o”)fieldoftheSDPportionofthepacketandtheotherappears intheconnection(“c”)field,theappliancewillfailtofixbothaddresseswhen addresstranslationisenabled. NOTE If the VoIP client establishing the voice session is connected to a higher-level interface comparedwiththedestinationclient,applicationinspectionisn’tnecessarytoaddthetwoadditional UDPsessionsunlessyouarefilteringtrafficoutboundwithanACL.However,tohandleinboundcalls tothehigher-levelclient,you’llneedapplicationlayerinspectionofSIP.
Additional Application Layer Inspection Features for SIP Starting in version 7, additional applicationinspectionfeatureswereaddedforSIP.Besidesfixingembeddedaddressing information in the signaling connection and adding the RTP connections to the state table,theappliancescanperformthefollowingapplicationlayerinspectionfunctions, aswellasmanyothers:
▼ F ilterphonenumbersthatarecalled
■ InspectchatconnectionsfortheWindowsMessengerRTCclient
■ Restrictthedurationofphonecallsmade
■ Lookforprotocolviolationsinthesetupofphoneconnections
▲ R estrictthemethods(commands)theVoIPclientcansendtothegateway
The following sections will discuss how to configure application inspection of SIP sessions.
Chapter 13:
Voice and Policies
SIPPolicyConfiguration ThenextsectionswilldiscusstheconfigurationofSIPinspection.Forin-depthinspectionpolicies,youmightneedtocreatealayer7policymapand,possibly,alayer7class map.Thefollowingsectionswilldiscusshowtocreatethese,aswellashowtoenable SIPinspectioninalayer3/4policymap.
SIPLayer7ClassMaps Herearethecommandstocreatealayer7classmapforSIPinspection: ciscoasa(config)#class-maptypeinspectsip[match-all] L7_class_map_name ciscoasa(config-cmap)#descriptiondescription ciscoasa(config-cmap)#match[not]{called-party|calling-party} regex{classclass_name|regex_name} ciscoasa(config-cmap)#match[not]contentlengthgtlength ciscoasa(config-cmap)#match[not]contenttype{sdp|regex {classclass_name|regex_name}} ciscoasa(config-cmap)#match[not]im-subscriberregex {classclass_name|regex_name} ciscoasa(config-cmap)#match[not]message-pathregex {classclass_name|regex_name} ciscoasa(config-cmap)#match[not]request-methodmethod ciscoasa(config-cmap)#match[not]third-party-registrationregex {classclass_name|regex_name} ciscoasa(config-cmap)#match[not]uri{sip|tel}lengthgtlength
Thecalled-partyandcalling-partyparametersallowyoutomatchonthephone numbersofthedestinationandsource,respectively,usingaregularexpressionorregularexpressionclassmap.The contentlengthparameterallowsyoutomatchonthe length of the SIP header, and the content type parameter allows you to match on whethertheSIPpacketcontainsSDP,oryoucanmatchonaregularexpression(s).The im-subscriberparameterallowsyoutomatchonthenameoftheuserwhoisusing theMicrosoftMessengerIMclientusingaregularexpression(s).Tomatchoninformationinthe“Via”fieldofaSIPheader,usethemessage-pathparameter.TherequestmethodcommandallowsyoutomatchontheSIPcommandssenttothevoicegateway in the SIP header; these include ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, and update. The thirdparty-registrationparameterallowsyoutomatchauser(s)whocanregisterother VoIPclientswithaVoIPgatewayorproxy(takenfromthe“From”fieldina register message).TheuriparameterallowsyoutomatchonthelengthoftheSIPorTEL(telephonenumbers)informationintheURIportionoftheheader.
331
332
Cisco ASA Configuration
SIPLayer7PolicyMaps Herearethecommandstocreatealayer7policymapforSIPinspection: ciscoasa(config)#policy-maptypeinspectsipL7_policy_map_name ciscoasa(config-pmap)#descriptionstring ciscoasa(config-pmap)#matchL7_class_map_parameters ciscoasa(config-pmap-c)#{[drop[send-protocol-error]| drop-connection[send-protocol-error]| mask|reset][log]| rate-limitmessage_rate} ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#classL7_class_map_name ciscoasa(config-pmap-c)#{[drop[send-protocol-error]| drop-connection[send-protocol-error]| mask|reset][log]| rate-limitmessage_rate} ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#[no]im ciscoasa(config-pmap-p)#[no]ip-address-privacy ciscoasa(config-pmap-p)#max-forwards-validationaction[drop| drop-connection|reset][log] ciscoasa(config-pmap-p)#rtp-conformance[enforce-payloadtype] ciscoasa(config-pmap-p)#software-versionaction[mask][log] ciscoasa(config-pmap-p)#state-checkingaction[drop| drop-connection|reset][log] ciscoasa(config-pmap-p)#strict-header-validationaction[drop| drop-connection|reset][log] ciscoasa(config-pmap-p)#[no]traffic-non-sip ciscoasa(config-pmap-p)#uri-non-sipaction[mask][log]
Insteadofcreatinganapplicationlayerclassmap,youcanalsoreferencethesevalues withinthelayer7policymapwiththematchcommand.Theadvantageofusinglayer7 classmapsisthatyoucanapplydifferentpoliciestodifferentclasses(classmaps).You can have the appliance drop the packet or connection (along with sending a protocol error),mask(obfuscate)partoftheheaderinformation,resettheconnection(onlyapplicableifthesignalingconnectionisusingTCP),logthematch,orrate-limitthenumber ofSIPmessagespersecond. The im command enables or disables the use of IM via SIP—by default this is disabled.Theip-address-privacycommandenablesordisablesIPaddressprivacy— bydefaultthisisdisabled.Themax-forwards-validationcommand,whenenabled, checkswhetherthe“max-forwards”fieldintheheaderissetto0,whichitshouldn’tbe beforeitreachesthedestination.Ifaviolationisdetected,youcandropthepacket,drop theconnection,resetthesignalingconnection(ifTCPisused),and/orlogtheviolation.
Chapter 13:
Voice and Policies
Thertp-conformancecommandcheckstheRTPpacketsthatweredynamicallyadded to the conn table for conforming to the RTP standard. The enforce-payloadtype enforces the payload type to be audio or video based on the signaling exchange on the signaling connection. The software-version command, when enabled, masks (obfuscates) the software version of the server and clients in the “server” and “useragent”fieldsoftheSIPheader.The state-checkingcommandenablesstatetracking, wheretheappliancecanensurethattherequestsandresponsesbetweentheVoIPclient andgatewayappearinthecorrectorder.The strict-header-validationcommand hastheappliancevalidatetheheaderfieldsintheSIPmessagestoensurethattheyfollow theRFC3261standard.The traffic-non-sipcommand,whenenabled,validatesthe informationontheSIPsignalingporttodetermineifthetrafficisSIPorsomethingelse. Theuri-non-sipcommand,whenenabled,identifiesnon-SIPURIspresentinthe“alertinfo”and“call-info”headerfieldsandcanmaskand/orlogthisinformation.
SIPLayer3/4PolicyMaps ToenableinspectionofSIP,youneedtoreferenceitinalayer3/4policymap: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspectsip[L7_policy_map_name] [tls-proxyTLS_proxy_name]
Withoutalayer7policymap,theappliancewillonlyfixembeddedaddressinginformationandaddtheRTPvoiceconnectionstotheconntable.OptionallyyoucanenableTLS proxyingwithSIP.TLSproxyingiswherethesignalingconnectionisencryptedbetween theVoIPclientandthegateway,andtheapplianceproxiestheconnectionbetweenthe twoendpoints.Thisfeatureallowstheappliancetodecryptinformationfromoneendpoint,inspectit,andre-encryptitbeforesendingittotheotherendpoint.TLSproxying forvoiceconnectionsisbeyondthescopeofthisbook. NOTE SIPinspectionisbydefaultenabledintheglobalpolicyontheappliance.Youcanqualifyitwith alayer7policymap,however,ordisableitgloballyandenableitonlyonaparticularinterface(s).
SIPConnectionTimeout Bydefault,thefollowingtimersareusedtoteardownSIPconnectionsfromtheconn table:
▼ A TCPsignalingconnectionisremovedfromtheconntableiftheconnectionis closed,anRSTisseen,oriftheconnectionisidleformorethan1hourbydefault.
▲ T heRTPconnectionsareremovedfromtheconntableafter2minutesofidle timehaveexpired. TochangetheidletimeoutfortheSIPsignalingconnection,usethiscommand:
ciscoasa(config)#timeoutsiphh:mm:ss
333
334
Cisco ASA Configuration
TochangetheidletimeoutfortheRTPUDPconnections,usethiscommand: ciscoasa(config)#timeoutsip_mediahh:mm:ss
TIP Becausesomecompressionmethodsdon’tsendpacketswhenpeoplearequietonthephone connection,longperiodsofquietmightbemisconstruedbytheappliancetomeanthatthephone conversationisover,basedontheidletimeryou’veconfigured;therefore,don’tsettheidletimerto toolowavalue.
SIPConnectionVerification Youcanusethe show sipand debug sipcommandstoviewandtroubleshootSIP inspectionissues.Here’sanexampleoftheformercommand: ciscoasa#showsip Total:2 call-id[email protected] stateCallinit,idle0:00:01 call-id[email protected] stateActive,idle0:00:05
Inthisexample,youcanseetwoactiveSIPsessions,whereeach call-idrepresentsa separatephonesession.Thefirstsessionisina Call initstate,whichindicatesthat thecallisstillbeingestablished(thecallersenttheINVITEmessageandhasn’tseethe 200OKfinalresponse).Thesecondsessionisinanactivestate,whichmeansthatthe callhasbeenestablished(theRTPconnectionshavebeennegotiated).Thissessionhas beenidlefor5seconds.
SIPExampleConfiguration Here’sasimpleexampleofaninspectionpolicyforSIP: ciscoasa(config)#policy-maptypeinspectsipL7_sip_policy ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#noim ciscoasa(config-pmap-p)#rtp-conformanceenforce-payloadtype ciscoasa(config-pmap-p)#software-versionactionmasklog ciscoasa(config-pmap-p)#state-checkingactiondroplog ciscoasa(config-pmap-p)#strict-header-validationactiondroplog ciscoasa(config-pmap-p)#traffic-non-sip ciscoasa(config-pmap-p)#uri-non-sipactionmasklog ciscoasa(config)#policy-mapglobal_policy ciscoasa(config-pmap)#classinspection_default ciscoasa(config-pmap-c)#inspectsipL7_sip_policy ciscoasa(config)#service-policyglobal_policyglobal
Chapter 13:
Voice and Policies
Inthisexample,alayer7policymapisconfigured(L7_sip_policy).Inthispolicy,IM isnotallowed.RTPisvalidatedforconformancetotheRFC,andtheRTPconnections mustbevoiceorvideo,basedonwhatwasnegotiated.Thesoftwareversioninformation ismasked;statecheckingisenabled,andifthereisaviolation,thepacketisdropped. Theheaderinformationisvalidated,andifitdoesn’tfollowthestandard,thepacketis dropped.Non-SIPtrafficonthesignalingconnectionisdropped;andtheURIportionofa SIPpacket,ifitdoesn’tconformtoURIinformation,ismasked.Thedefaultlayer3/4class mapinthedefaultlayer3/4policymapenablesstatefulinspectionforSIP,referencingthe additionalinspectionprocessesthatwillbeperformedinthelayer7map.
SCCPINSPECTION SCCP(SkinnyClientControlProtocol),or“Skinny”forshort,isaCisco-simplifiedprotocolforimplementingVoIPwithCiscoIPPhonesandtheCiscoCallManagerserver. SkinnyisinteroperablewithotherH.323devices(H.323isdiscussedinthenextchapter).SupportforapplicationinspectionofSkinnywasintroducedinversion6.0ofthe PIXsoftware.WhentheapplianceisperformingitsapplicationinspectionofSkinny,it examinesSkinnysignalstodetermineifthereareembeddedaddresses.Itchangesconflictingaddressesandupdatesthexlatetableaswellaslookingforthecallsetupofaudio connections, and will dynamically add these connections to the appliance conn table. Additionalapplicationlayerinspectionfeatureswereaddedinversion7.
SCCPConnectionsandApplicationInspection ThefollowingsectionswilldiscusshowSCCPconnectionsareestablishedbetweenthe VoIPclients(phones)andtheVoIPgateway,alongwiththeapplicationlayerinspection featuresoftheappliances.
SetupofSCCPVoIPConnections TohelpillustratehowSCCPconnectionsareestablishedbetweenaCiscoIPPhoneclient andtheCiscoCallManagerserver(VoIPgateway),aswellashowconnectionsbetween IP Phone clients are established, I’ll use the example shown in Figure 13-2. When an IPPhonefirstbootsup,itwilluseDHCPtolearnitsIPaddressinginformation,which includesitsIPaddressandsubnetmask,adefaultgateway,aDNSserveraddress,and aTFTPserveraddress.Withversion6.2,theappliancessupportDHCPoptions150and 166,whichallowthemtosendtheTFTPserveraddresstoDHCPclients,includingCisco IPPhones.IwilldiscussDHCPserverfeaturesoftheappliancesinChapter26.TheIP Phone client will use TFTP to download its configuration instructions from the TFTP server, which usually resides on the CallManager server. This will include its phone number.NormallyCallManagerwillusetheMACaddressofthephonetodeterminethe configurationfiletoassociatewiththephone.
335
336
Cisco ASA Configuration
SCCP UDP Port => 1024
UDP Port = 69
TCP Port => 1024
TCP Port = 2000
UDP Port => 1024 IP Phone Client
Cisco CallManager
UDP Port => 1024
UDP Port => 1024
UDP Port => 1024
IP Phone Client
Figure13-2. SetupofanSCCPsession
NOTE Ifthephoneisconnectedtoalower-levelinterfacethanCallManager,you’llneedanACL entrytoallowtheTFTPconnection(andenableprotocolinspectionorTFTP).Also,ifaDHCPserver doesn’tresideintheVLANthephoneresidesin,andtheapplianceisnotaDHCPserver,you’llneed toconfigureaDHCPrelayfunctionontheappliancetoforwardtheDHCPrequesttoaDHCPserver onadifferentsegment(discussedinChapter26). Whensettingupthefirstconnection(whichusesTCP)totheCallManagerserver, theclientdevicewillchooseaportnumbergreaterthan1023thatisnotcurrentlybeing used. The destination port number is the well-known port 2000. This connection is a signalingconnectionandisusedbytheclienttosendsignalinginformation,likeacall setuporteardownrequestofphoneconnections.Acrossthissignalingconnection,the clientwillindicatewhichUDPportitwillusetohandletheprocessingofvoicepackets (phoneconnections). Once the signaling connection is established and the IP Phone registers its phone numberandIPaddress,thephonecanmakephonecalls.Whenmakingaphonecall,the clientwillusethesignalingconnectiontosignaltheCallManagerserverofthecallsetup requesttoadestinationphone.LikeSIP,RTPisusedtoestablishthephonesessiontoa remotephone:oneUDPconnectionisfortheaudio,andthesecondoneforsynchronizationoftheaudio(RTPisdiscussedinthenextchapter). ThesourcephonewillselecttwounusedUDPportnumbers(greaterthan1023)for thesetwoconnections.TheCallManagerwillthencontactthedestinationparty,acquire thedestinationUDPportnumbersfortheconnections(greaterthan1023)fromthedestination,alongwiththedestinationIPaddress,andthennotifythesourcephoneofthe connectioninformationsothatthesourcecannowcompletethephoneconnectiontothe destination.
Chapter 13:
Voice and Policies
ApplicationLayerInspectionFeaturesforSCCP ApplicationinspectionforSCCPisnewasofversion6.0oftheOS.BasicallytheappliancesecurelyallowstheadditionalUDPconnectionsbyaddingthemtothestatetableand fixingembeddedaddressinginformationinthepayload.Currentlytherearefiveversions ofSCCP:2.4,3.04,3.1.1,3.2,and3.3.2—theappliancessupportapplicationinspectionof allversionsthrough3.3.2. DealingwiththeAdditionalUDPConnectionsforSCCP IftheVoIPclientestablishingthevoice sessionisconnectedtoalower-levelinterfacecomparedwiththeVoIPgateway,you’ll need anACL to allow the signaling connection. In addition to this, if the destination VoIPclientisconnectedtoahigher-levelinterfacecomparedwiththesource,you’llneed applicationlayerinspectionenabledforSCCPinorderfortheappliancetoexaminethe signaling connection, determine that the two RTP connections are being negotiated, dynamicallyaddthesetothestatetable,and,ifaddresstranslationisusedandthenew connectionscreateaconflictwithanexistingPATtranslation(s),tochangetheembedded portnumbersinthesignalingconnectionandcreatethenecessaryPATtranslation(s)in thexlatetable.IftheIPaddressesarebeingNATed,thesearealsofixedinthesignaling connection. Thefollowingrestrictionsapplytotheapplianceperformingapplicationinspection ofSCCPtraffic:
▼ I nsideNATandPATaresupported,butoutsideNATandPATarenot: therefore,ifyouhaveoverlappingaddressesbetweentwonetworks,theIP Phonesinthetwonetworkswillnotbeabletocommunicatewitheachother.
▲ S tatefulfailover(discussedinChapter23)issupported;however,phonecalls inthemiddleofbeingestablishedarenotreplicated,andtheuserwillhaveto redialthenumberafterafailoverhasoccurred.
AdditionalApplicationLayerInspectionFeaturesforSCCP Startinginversion7,additional applicationinspectionfeatureswereaddedforinspectionofSCCPconnections.Besides fixing embedded addressing information in the signaling connection and adding the RTPconnectionstothestatetable,theappliancescanperformthefollowingapplication layerinspectionfunctions,aswellasmanyothers:
▼ F iltermessageidentifiers
■ Limitthelengthofmessageidentifiers
■ RequireregistrationwithCallManagerbeforephonecallscanbemade
■ Lookforprotocolviolationsinthesetupofphoneconnections
▲ L imitthesizeoftheSCCPprefixintheheader
SCCPPolicyConfiguration The following sections will discuss the configuration of SCCP inspection. For indepthinspectionpolicies,youmightneedtocreatealayer7policymap;unlikeSIP,
337
338
Cisco ASA Configuration
SCCPdoesn’tsupportlayer7classmaps.Thefollowingsectionswilldiscusshowto createtheoptionallayer7policymap,aswellasenableSCCPinspectioninalayer 3/4policymap.
SCCPLayer7PolicyMaps Herearethecommandstocreatealayer7policymapforSIPinspection: ciscoasa(config)#policy-maptypeinspectskinnyL7_policy_map_name ciscoasa(config-pmap)#descriptionstring ciscoasa(config-pmap)#match[not]messageid{message_ID| rangelower_ID_rangeupper_ID_range} ciscoasa(config-pmap-c)#{drop[log]} ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#enforce-registration ciscoasa(config-pmap-p)#message-idmaxhex_value ciscoasa(config-pmap-p)#rtp-conformance[enforce-payloadtype] ciscoasa(config-pmap-p)#sccp-prefix-len{max|min}value_length ciscoasa(config-pmap-p)#timeout{signaling|media}hh:mm:ss
There is currently only one match command supported for a layer 7 SCCP policy map:matchmessageid.Thiscommandmatchesononeorarangeofstationmessage identifiers (specified in hexadecimal) in an SCCP message. The actions you can take whenthereis(orisn’t)amatchincludedroppingthepacketand/orloggingthematch. In the parameters section of the policy map, the enforce-registration commandrequiresaVoIPphonetoregistertoCallManagerbeforecallscanbeplaced.The message-id maxcommandspecifiesthehighestSCCPstationmessageIDallowed. The rtp-conformance command checks the RTP packets that were dynamically addedtotheconntableforconformingtotheRTPstandard.Theenforce-payloadtype commandenforcesthepayloadtypetobeaudioorvideobasedonthesignalingexchangeonthesignalingconnection.The sccp-prefix-lencommandsetstheminimumormaximumSCCPprefixlengthallowed.The timeoutcommandsetstheidle timeoutforthesignalingandRTPaudioconnections.Ifyoudon’tconfigureatimeout, theglobaltimeoutsforidleTCPandUDPconnectionsareused.
SCCPLayer3/4PolicyMaps ToenableinspectionofSCCP,youneedtoreferenceitinalayer3/4policymap: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspectskinny[L7_policy_map_name] [tls-proxyTLS_proxy_name]
Chapter 13:
Voice and Policies
Withoutalayer7policymap,theappliancewillonlyfixembeddedaddressinginformation and add the RTP voice connections to the conn table. Optionally you can enable TLSproxyingwithSCCP.TLSproxyingiswherethesignalingconnectionisencrypted betweentheVoIPclientandthegateway,andtheapplianceproxiestheconnectionbetweenthetwoendpoints.Thisfeatureallowstheappliancetodecryptinformationfrom oneendpoint,inspectit,andre-encryptitbeforesendingittotheotherendpoint.TLS proxyingforvoiceconnectionsisbeyondthescopeofthisbook. NOTE SCCP inspection is by default enabled in the global policy on the appliance. You can qualifyitwithalayer7policymap,however,ordisableitgloballyandenableitonlyonaparticular interface(s).
SCCPConnectionVerification Youcanusethe show skinnycommandtotroubleshootproblemswiththeSCCPinspectionprocess.Here’sanexampleofthiscommand: ciscoasa#showskinny LOCALFOREIGNSTATE -------------------------------------------------- 110.0.1.10/5123710.0.3.1/20001 MEDIA10.0.1.10/2294810.0.2.21/32798 210.0.1.12/5123110.0.3.1/20001 MEDIA10.0.1.12/3279810.0.2.10/32948
This example has two connections from phones (10.0.1.10 and 10.0.1.12) to CallManager(10.0.3.1)—theseareconnections1and2.BeloweachphoneentryisaMEDIAentry, whichrepresentsaphonecallusingRTP.Eachofthetwophoneshasanactivephone call:thefirstphonehasaconnectionto10.0.2.21andthesecondphoneto10.0.2.10.
SCCPExampleConfiguration Here’sasimpleexampleofaninspectionpolicyforSIP: ciscoasa(config)#policy-maptypeinspectskinnyL7-skinny-map ciscoasa(config-pmap)#matchmessage-idrange0x2000x300 ciscoasa(config-pmap-c)#droplog ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#enforce-registration ciscoasa(config)#class-mapinspection_default ciscoasa(config-cmap)#matchdefault-inspection-traffic ciscoasa(config)#policy-mapglobal_policy ciscoasa(config-pmap)#classinspection_default ciscoasa(config-pmap-c)#inspectskinnyL7-skinny-map ciscoasa(config)#service-policyglobal_policyglobal
339
340
Cisco ASA Configuration
Inthisexample,alayer7SCCPpolicymapwasusedtodropandlogpacketsthathave astationmessageIDfrom0x200to0x300.RegistrationtoCallManagerisrequiredbefore phonecallscanbeplaced.Thedefaultclassmapandglobalpolicymapareused,where theSCCPinspectionhasbeenqualifiedtousethelayer7policymap.
CTIQBEINSPECTION CTIQBEinspectionallowsCisco’sIPSoftPhone(softwareonaPC)andotherCiscoTelephoneApplicationProgrammingInterface(TAPI)andJavaTAPI(JTAPI)PC-basedapplicationstosuccessfullycommunicatewithaCiscoCallManagerandotherVoIPphones connected to a different interface of an appliance. The following sections will discuss howCTIQBEsessionsareestablished,whyapplicationinspectionisneeded,howapplicationinspectionworks,howtoconfigureit,andhowtoexamineCTIQBEsessions flowingthroughtheappliance.
CTIQBEConnectionsandApplicationInspection ThefollowingsectionswilldiscusshowCTIQBEconnectionsareestablishedbetween theCiscoSoftPhonesandCallManager,alongwiththeapplicationlayerinspectionfeaturesoftheappliances.
SetupofCTIQBEVoIPConnections To help illustrate how CTIQBE connections are established between a Cisco IP SoftPhoneclientandCiscoCallManagerserver(VoIPgateway),aswellasconnectionsbetween IP Phone clients, I’ll use the example shown in Figure 13-3. The call setup is
CTIQBE TCP Port => 1024
TCP Port = 2748
UDP Port => 1024 Cisco IP SoftPhone
Cisco CallManager
UDP Port => 1024
UDP Port => 1024
UDP Port => 1024
IP Phone Client
Figure13-3. SetupofaCTIQBEsession
Chapter 13:
Voice and Policies
similartothatofSIPandSkinny.Whensettingupthefirstconnection(whichusesTCP) totheCallManagerserver,theclientdevicewillchooseaportnumbergreaterthan1023 thatisnotcurrentlybeingused.Thedestinationportnumberisthewell-knownport 2748(thisportcannotbechangedonCallManager).ThisconnectionisasignalingconnectionandisusedbytheSoftPhonetosendsignalinginformation,likeacallsetupor teardownrequestofphoneconnections.Acrossthissignalingconnection,theclientwill indicatewhichUDPportsitwillusetohandletheprocessingofvoicepackets(phone connections). Once the signaling connection is established and the SoftPhone registers its phone numberandIPaddress,theSoftPhonecanmakephonecalls.Whenmakingaphonecall, theclientwillusethesignalingconnectiontosignaltheCallManagerserverofthecall setup request to a destination phone. Like SIP and SCCP, RTP is used to establish the phonesessiontoaremotephone:oneUDPconnectionisfortheaudio,andthesecond oneforsynchronizationoftheaudio(RTPisdiscussedinthenextchapter). ThesourcephonewillselecttwounusedUDPportnumbers(greaterthan1023)for thesetwoconnections.TheCallManagerwillthencontactthedestinationparty,acquire thedestinationUDPportnumbersfortheconnections(greaterthan1023)fromthedestination,alongwiththedestinationIPaddress,andthennotifythesourcephoneofthe connectioninformationsothatthesourcecannowcompletethephoneconnectiontothe destination.
ApplicationLayerInspectionFeaturesforCTIQBE ApplicationinspectionforCTIQBEisnewasofversion6.3oftheOS.Basically,theappliancesecurelyallowstheadditionalUDPconnectionsbyaddingthemtothestatetable andfixesembeddedaddressinginformationinthepayloadifitconflictswithanyexistingtranslationsinthexlatetable.Beyondthis,noadditionalapplicationlayerinspection isperformedonCTIQBEconnections.Theappliancedoeshavethefollowinglimitations andrestrictionswhenperformingCTIQBEinspection:
▼ P honecallsmadeusingCTIQBEarenotreplicatedtoaredundantappliance whenstatefulfailoverisconfigured.(CTIQBEphonecallsarelostwhen failoveroccurs.)
■ IfdifferentSoftPhonesareregisteredtodifferentCallManagers,whichare connectedtodifferentapplianceinterfaces,callsbetweentheSoftPhonesof differentCallManagerswillfail.
▲ S taticNATmustbeusedwhenCallManagerislocatedonahigher-level interfaceandNATcontrolisenabled.Also,theinboundcontrolconnection (port2748)wouldhavetobeallowedwithanACL.
CTIQBEPolicyConfiguration ThefollowingsectionswilldiscusstheconfigurationinspectionofCTIQBEtraffic.UnlikeSIP,CTIQBEdoesn’tsupportlayer7classandpolicymapsforin-depthinspection: onlylayer3/4policiesaresupported.
341
342
Cisco ASA Configuration
CTIQBELayer3/4PolicyMaps ToenableinspectionofCTIQBE,youneedtoreferenceitinalayer3/4policymap: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspectctiqbe
Nolayer7classorpolicymapsforCTIQBEexist.Bydefault,CTIQBEinspectionisdisabledintheglobalpolicyontheappliance.Youcanenabletheinspectionpolicyforan interface(s)orglobally.NotethatCallManagerdoesn’tsupportaportotherthan2748,so usingthedefaultclassmapissufficientwhensettingupalayer3/4policyforCTIQBE.
CTIQBEConnectionVerification You can use the show ctiqbe command to troubleshoot problems with the setup of CTIQBEsessions.Here’sanexampleofthiscommand: ciscoasa#showctiqbe Total:1 LOCALFOREIGNSTATEHEARTBEAT --------------------------------------------------------------- 110.0.1.97/1117172.30.1.1/27481120 --------------------------------------------- RTP/RTCP:PATxlates:mappedto172.30.1.97(1028-1029) ---------------------------------------------- MEDIA:DeviceID27CallID0 Foreign172.30.1.97(1028-1029) Local172.30.1.88(26822-26823) ----------------------------------------------
CurrentlyonlyoneactiveCTIQBEsessionisestablishedtoCallManager:aSoftPhone withanIPaddressof10.0.1.97isconnectedtoCallManagerat172.30.1.1.TheSoftPhone IP address is being translated to 172.30.1.97 via PAT, where one phone connection is establishedto172.30.1.88.ThetwoUDPconnectionsforRTPareusingsourceanddestination port numbers of 1028/26822 for the audio connection and 1029/26823 for the synchronizationconnection.
MGCPINSPECTION TheMediaGatewayControlProtocol(MGCP)isusedinVoIPnetworkstobridgethe traditionalanaloganddigitalphoneservicesconnectedtoPBXsandothertypesoftraditionalvoicedevicestoaVoIPgatewaylikeCiscoCallManager.MGCPsupportsboth H.323andSIP.ThreedevicescanparticipateinMGCP:
▼ C � allagent ProvidescallcontrolintelligenceforphonedevicesthathaveIP addresses,liketheCiscoCallManagerVoIPgatewayproduct
Chapter 13:
Voice and Policies
■ � Mediagateway Convertssignalsbetweencircuits(digitaland/oranalog)to packets(thisistraditionallyaPBXwithaVoIPcard)
▲ S ignalinggateway ConnectstothePSTN(PublicSwitchedTelephone Network),whichcanbeamediagatewayoracallagent,dependingonthe networkdesign NOTE Traditionally, the media and signaling gateway functions are found in the same physical device.
ThefollowingsectionswilldiscusshowMGCPconnectionsareestablishedbetween gatewaysandcallagents,whyapplicationinspectionisneeded,andhowtoconfigure applicationinspectiononthesecurityappliances.
MGCPConnectionsandApplicationInspection MGCPisusedtosendmessagesbetweenthegatewaysandcallagents.Interactionbetweenthegatewaysandcallagentsisneededwhenphonesbehindtherespectivedevicesneedtoestablishphonecalls,whichuseRTP.Messagesaremadeupofcommands andamandatoryresponse.TherearetwoUDPconnections:onefromthegatewaytothe callagent,connectingtoport2727,andonefromthecallagenttothegateway,connectingtoport2427.YoucanseeanexampleofthisinFigure13-4. Application inspection is needed when the gateway(s) and call agent(s) reside off of different interfaces on the appliance where the security levels are different. Inspectionisn’treallynecessaryfortheport2727and2427connections,sincetheseareeasily allowed usingACLs; however, the RTP UDP audio and synchronization connections, whichusedynamicportnumbers,arealmostimpossibletodealwithunlessapplication inspectionisused.TheRTPportnumbersaresentacrosstheUDPconnectionsbetween thegatewayandcallagent,whichtheapplianceexaminesandthendynamicallyadds theRTPconnectionstotheconntable.Ifaddresstranslationisbeingperformed,andthe addressinginformationintheMGCPpayloadconflictswithentriesalreadyinthexlate table,thesearefixedinthepayloadandaddedtothexlatetable.
MGCP UDP Port => 1024
UDP Port = 2427
UDP Port = 2727
UDP Port => 1024
Call Agent
Figure13-4. SetupofMGCPconnections
Gateway
343
344
Cisco ASA Configuration
NOTE Forinspectiontofunctioncorrectly,theIPaddressoftheMGCPsignalingconnectionmust be the same as the RTP addresses—Cisco recommends using a loopback or virtual address to ensurethatthesameaddressisalwaysseenforagateway.
MGCPPolicyConfiguration The following sections will discuss the configuration of MGCP inspection. To control what call agents and gateways can interact with each other, you can create a layer 7 policy map; MGCP inspection doesn’t support layer 7 class maps. The following sectionswilldiscusshowtocreatetheoptionallayer7policymap,aswellashowtoenable MGCPinspectioninalayer3/4policymap.
MGCPLayer7PolicyMaps Ifyouwanttocontrolwhichgatewaysandcallagentsinteractwitheachotherinsetting up the connections between phones, create a layer 7 MGCP policy map. Here are the commandstocreatealayer7policymapforMGCPinspection: ciscoasa(config)#policy-maptypeinspectmgcpL7_policy_map_name ciscoasa(config-pmap)#descriptionstring ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#call-agentIP_addressgroup_ID ciscoasa(config-pmap-p)#gatewayIP_addressgroup_ID ciscoasa(config-pmap-p)#command-queue#_of_commands
Unlikewithotherlayer7policymaps,youcannotreferenceanylayer7classmapsor matchcommandsforactionpolicies. Intheparameterssubcommandmode,however,youcanrestrictwhichdevicescan communicatewitheachother,andestablishRTPconnectionsforassociatedphones.The call-agent command restricts the call agents, based on their IP addresses, that will beassociatedwithothercallagentsandgateways—thisisaccomplishedbyspecifying a group identifier number, which allows agents and gateways with the same number to interact with each other. The group identifier can range from 0 to 4294967295. The gateway command specifies the gateway that will be included in a particular group identifier.Agatewaycanonlybelongtoonegroup;however,callagentscanbelongto multiplegroups. The command-queuecommandrestrictsthenumberofMGCPcommandsthatare queuedupwhilewaitingforanappropriateresponse.Thedefaultis200commands.
MGCPLayer3/4PolicyMaps BydefaultMGCPinspectionisdisabledontheappliance.ToenableinspectionofMGCP, youneedtoreferenceitinalayer3/4policymap: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspectmgcp[L7_policy_map_name]
Chapter 13:
Voice and Policies
Ifyouwanttocontrolwhichgatewaysandcallagentsinteractwitheachotherinsetting up the connections between phones, reference a layer 7 MGCP policy map in your inspectmgcpcommand.
MGCPTimeouts YoucanconfiguretwotimeoutsforMGCPconnections: ciscoasa(config)#timeoutmgcphh:mm:ss ciscoasa(config)#timeoutmgcp-pathh:mm:ss
The timeout mgcpcommandspecifiesanidleinterval,whichifexceeded,causesthe MGCPmediaconnectiontoclose(thedefaultis5minutes).The timeout mgcp-pat commandspecifiesanidleintervalforPATxlatesassociatedwithRTPconnectionestablishedviatheMGCPsignalingconnections(thedefaultis30seconds).
MGCPVerification ToviewinformationconcerningtheconfigurationofMGCPandMGCPsessioninformation,usetheshowmgcpcommand: ciscoasa#showmgcp{commands|sessions}[detail]
ThecommandsparameterliststhenumberofMGCPcommandsinthecommandqueue. The sessions parameter lists the number of existing MGCP sessions. The optional detailparameterlistsadditionalinformationabouteachcommandorsessioninthe displayoutput. Here’sanexampleofviewingtheMGCPsessions: ciscoasa#showmgcpsessionsdetail 1inuse,1mostused Sessionactive0:00:14 GatewayIPgateway-1 CallID0123456789fedcba ConnectionID6789fa459c Endpointnamebbln/1 Medialclport6168 MediarmtIP192.168.1.71 Mediarmtport6059
MGCPExampleConfiguration Here’sasimpleexampleofaninspectionpolicyforMGCP: ciscoasa(config)#policy-maptypeinspectmgcpL7_mgcp_map ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#call-agent10.0.21.311
345
346
Cisco ASA Configuration ciscoasa(config-pmap-p)#call-agent10.0.21.321 ciscoasa(config-pmap-p)#gateway10.0.20.1011 ciscoasa(config-pmap-p)#call-agent10.0.21.332 ciscoasa(config-pmap-p)#call-agent10.0.21.342 ciscoasa(config-pmap-p)#gateway10.0.20.1022 ciscoasa(config-pmap-p)#gateway10.0.20.1032 ciscoasa(config)#policy-mapglobal_policy ciscoasa(config-pmap)#classinspection_default ciscoasa(config-pmap-c)#inspectmgcpL7_mgcp_map ciscoasa(config)#service-policyglobal_policyglobal
Inthisconfiguration,thelayer7policymap(L7_mgcp_map)createstwodifferentgroups. Group1hastwocallagents(10.0.21.31and10.0.21.32)andonegateway(10.0.20.101). Group 2 has two call agents and two gateways. Because two groups were set up, the applianceiscontrollingwhatphoneconnectionscanbemadebetweencallagentsand gatewaysinteractingthroughtheappliance.Thisisenabledinthedefaultglobalpolicy, usingthedefaultlayer3/4classmap.Thedefaultclassmapalreadyassociatesthetwo UDPconnections(2427and2727)toMGCP.
14 Multimedia and Policies
347
348
Cisco ASA Configuration
T
hischapterwillintroduceyoutotheapplicationinspectionfeaturesformultimedia applications.LikeFTP,VoIP,andotherapplications,multimediaapplicationsuse multiple connections to set up and transmit video streams, voice connections, and/ormultimediacapabilities.MostmultimediaapplicationsfolloweithertheRTSPor H.323standards.Thetopicsdiscussedinthischapterinclude
▼ A noverviewofmultimediaapplications
■ RTSP
▲ H .323
MULTIMEDIAOVERVIEW MultimediaapplicationsposemanyofthesameproblemsforfirewallsandsecurityappliancesthatIhavesofardiscussedinPartIII.Oneofthemainreasonsthatmultimedia applications are difficult to deal with is that no single unifying standard defines how theyshouldbeimplemented.Eachvendor,instead,hasdevelopeditsownimplementationmethodforitsmultimediaapplicationswithahandfulofexistingstandards.
CommonProblemswithMultimediaApplicationsandFirewalls Thefollowingaresomeoftheproblemsthatyouhavetodealwithconcerningmultimediaapplicationsandstatefulfirewalls:
▼ S omemultimediaapplicationsembedIPaddressesandsometimesport numbersinthepayload,whichcancauseproblemswithenvironmentsthat havedeployedNATand/orPAT.
■ Somemultimediaapplicationsusethesameportnumberforboththesource anddestination,whichmakesitmoredifficulttodeterminewhoisinitiatinga session.
■ SomemultimediaapplicationsuseTCPforconnectionswhileothersuseUDP, orsomeapplicationsuseacombinationofprotocolsfortheirconnections.
▲ S omemultimediaapplicationsusedynamicportnumbersfortheiradditional connections,whichcreatesfilteringproblemssincetheactualportnumberscan comefromaverylargerangeofnumbers.
FirewallSolutionsforMultimediaApplications Asyoucanseefromtheprecedinglistofproblems,dealingwithmultimediaapplicationsinafirewallenvironmentisnotaneasytask.Thebestsolutiontouseindealing withmultimediaapplicationsistheCiscoapplicationinspectionfeaturefortheirsecurity appliances.Theapplicationinspectionfeatureoftheapplianceswillhandlethetranslationofembeddedaddressinginformationaswellasaddentriesintheconntableforjust thespecificconnectionsbetweentheclientsandservers—nomoreandnofewer.
Chapter 14:
Multimedia and Policies
Twomainstandardsarecommonlyusedformultimediaapplications:theReal-Time StreamingProtocol(RTSP)andH.323.Bothstandards(especiallythelatter)definethe framework for implementing multimedia applications, which might use voice, video, andordata.Theproblemwithbothstandardsisthattheydon’tcoverallaspectsofwhat avendormightwanttoprovideforinanapplication.Therefore,whendealingwiththe application inspection feature of the appliances, even though a vendor application is usingRTSPorH.323,thatdoesnotmeanthatCiscosupportsitforapplicationinspection. Cisco has a list of applications that it officially supports for each protocol; other multimediaapplicationsmayormaynotworkwiththeappliances,dependingontheir implementation.Thefollowingsectionswillfurtherdiscussthetwoprotocolsandthe applicationinspectionfeaturessupportedbytheappliances. TIP For nonsupported applications, you can always use ACL entries, GRE tunnels, or, more preferably,theestablishedcommand(discussedinChapter11),toallowthistrafficthroughthe appliance.
RTSPINSPECTION ManyapplicationsuseRTSPtoimplementthecommunicationinfrastructuretotransmit informationbetweenmultimediadevices.RTSPisdefinedinRFC2326.RTSPisusedby many multimedia applications to control the delivery of information, which includes video,audio,aswellasdatainareal-timefashion.ItsupportsbothTCPandUDPfor controlandinformationstreamingprocesses. Thesecurityapplianceapplicationinspectionfeaturewillnotworkwitheverymultimediaapplication.Ifyourecallfromthelastsection,noteveryvendorimplementsthese multimediaapplicationsinthesamemanner.CurrentlyCiscoofficiallysupportsthefollowingmultimediaapplicationsforRTSP:
▼ A ppleQuickTime
■ CiscoIP/TV
▲ R ealNetworksRealAudio,RealPlayer,andRealServer
Besidesthemultimediaapplicationsintheprecedinglist,othermultimediaapplicationsmaywork,dependingonhowthevendorimplementedthem.Aworkaroundfor thoseapplicationsnotsupportedbytheapplicationinspectionfeaturewouldbetouse ACLentries,GREtunnels(tunnelthemultimediaconnectionsthroughasingleunicast GREconnection),ortheestablishedcommandtoopenthenecessaryholesinyourappliancetoallowconnectivity.Asyouwillseeinthenextfewsections,theholesthatyou needtoopenontheappliancemightbeverylarge—theadvantageoftheapplicationinspectionfeatureforsupportedmultimediaapplicationsisthattheapplianceonlyopens holesfortheconnectionsrequestedbetweenthecommunicatingdevicesandmaintains theseconnectionsintheconntableuntilthey’recompleted.
349
350
Cisco ASA Configuration
RTSPConnectionsandApplicationInspection ThefollowingsectionswilldiscusstheconnectionusedinestablishinganRTSPsession aswellaswhyapplicationinspectionisneeded.
TypesofRTSPConnections Typically three connections are established between a client and a server when RTSP isused:
▼ C ontrolconnection Thischannel,whichisbi-directional,allowstheclient andservertocommunicatewitheachotherconcerningthesettingupand tearingdownofmultimediaconnections.RTSPdefinesthemechanicsas tohowthisconnectionissetupandthemessagesthattraverseit.Inmost instances,theconnectionusesTCPandconnectstoport554or8554onthe server.
■ Multimediaconnection(s) Thisisaunidirectionalconnectionfromtheserver totheclient.Theactualcontentinformation,likeaudioorvideo,issentacross thisconnectiontotheclient.InalmostallcasesthisisaUDPconnection.One problemwiththisconnectionisthatnorealstandardsexistasfarashowport numbersshouldbechosen.Twoprotocolsdefinethesetupanddeliveryof informationacrossthisconnection:RTP(Real-TimeTransportProtocol)and RDT(RealDataTransport)protocol.RTPisbasedonastandardandRDTwas developedbyRealNetworks.I’lldiscusstheseprotocolsinafewmoments.
▲ E rrorconnection ThisisaUDPconnectionthatcanbeunidirectionalor bi-directional.Itisusedbytheclienttorequesttheresendingofmissing informationtotheserver.Sometimesitisalsousedforsynchronization purposestoensurethatvideoandaudiostreamsdon’texperiencejitter problems.
DependingonwhetheryouareusingRTPorRDTforthemultimediaconnection(s), theconnectionsetupprocessisdifferent.Therefore,I’veincludedthenexttwosections tohelpdescribetheconnectionsetupprocessforeach.AsImentionedunderthe“Multimediaconnection(s)”bulleteditemintheprecedinglist,theuseofUDPportnumbers isapplication-specific.
StandardRTPMode Inthissection,IwilluseanexampletoshowyouhowRTSP,usingRTP,setsupconnections between a client and a multimedia server. I’ll use the illustration shown in Figure14-1toillustrateourexample;thetoppartshowsanexampleofRTP.Thefirst connectionthatissetupbetweentheclientandserveristhecontrolconnection.Every multimediaapplicationthatI’vedealtwiththatusesRTSPusesTCPforthecontrolconnection,eventhoughRFC2326supportsbothTCPandUDP.Thiscontrolconnection allowstheclientandservertocommunicatewitheachotherandestablishparameters forthemultimediaconnections—noactualmultimediatraffictraversesthisconnection.
Chapter 14:
Multimedia and Policies
RTSP TCP Port => 1024
TCP Port = 554
UDP Port = 6970
UDP Port = 6970
UDP Port = 6971
UDP Port = 6971
Client Using RTP
Server TCP Port => 1024
TCP Port = 554
UDP Port = 6970
UDP Port = 6970
UDP Port = 6970
UDP Port = 6970
Client Using RDT
Server
TCP Port => 1024 Client Using TCP
TCP Port = 554 Server
Figure14-1. RTSPconnectionestablishment
Theclientchoosesanunusedportnumbergreaterthan1023,andtheserverlistenson 554(definedinRFC2326). Whentheclientrequestsamultimediastream,theserverandclientwillnegotiate the port numbers for this multimedia UDP connection. For example, in a RealPlayer configuration,thedefaultportnumbersrangefrom6970to7170;however,youcaneasilychangethisintheclientconfiguration.RTPplacestworestrictionsonthissourceport number:
▼ T heportnumbermustbeaneven(notodd)number,like6002,6004,andsoon.
▲ T heportnumbercannotbeawell-knownportnumber—itmustbegreater than1023.
Thisisaunidirectionalconnection—onlytheservercansendthemultimediainformationonthisconnectionbacktotheclient.Theserverbuildsthisconnectiontotheclient. ThesecondUDPconnectionsetupusesRTCP(Real-TimeControlProtocol).Thisisa bi-directionalconnectionthattheclientusestosynchronizethemultimediaconnection aswellastorequestanymissingUDPsegmentsfromthemultimediaserver.TherestrictiononthisportnumberisthatitmustbeonenumbergreaterthanthatusedbytheRTP multimediaconnection;therefore,itwillalwaysbeanoddnumber.AswiththelastUDP connection,theserverbuildsthisconnectiontotheclient.
351
352
Cisco ASA Configuration
WhentheRTSPclientisontheinsideofthenetworkandinitiatesasignalingconnectiontoanRTSPserverontheoutsideofthenetwork,theappliancewillbydefault allowthesignalingTCP(orUDP)connectionatport554or8554sincetheconnectionis travelingfromahighersecuritylevelinterfacetoalowerone. ThetwoRTPUDPconnectionsareinitiatedbytheservertotheclient.WiththeRTSP application inspection feature of the appliance, the appliance will examine the RTSP controlmessagesonports554or8554todeterminetheportnumbersbeingusedonthe twosidesandwilldynamicallyaddthisconnectiontotheconntable.Onerestriction withtheapplicationinspectionfeatureforRTSPisthattheappliancecanhandleneitheranybi-directionalNAT(insideandoutside)norPATaddressinginformationinthe controlmessagesoftheRTSPTCPconnection;onlyunidirectionalNATissupported, likeinsideNAT. Let’sassumethattheRTSPclient,inthisexample,isactuallyontheoutsideofyour network,andtheRTSPserverisontheinside.Fortheinitialclientsignalingconnection towork,you’llneedtoconfigureanACLentrythatwillallowtrafficheadingtoTCP(or UDP)port554(or8554)—withoutthis,notypeofRTSPconnectioncanbemade. SincetheRTSPserverissettinguptheRTPandRTCPUDPconnections,andthese connectionsaregoingfromahighertoalowersecuritylevelinterface,youdon’tneed todoanythingspecialontheapplianceunlessyouarefilteringtrafficoutbound—then you’llneedapplicationinspectiontoaddthetwoUDPconnectionstotheconntable.
RealNetworksRDTMode InthissectionIwilluseanexampletoshowyouhowRTSP,usingRDT,setsupconnections between a RealPlayer client and a RealServer. I’ll use the previously shown Figure 14-1 toillustrateourexample.RDTisshowninthemiddleofthisfigure. Thefirstconnectionthatissetupbetweentheclientandserveristhecontrolconnection(RealNetworksclientsonlysupportTCP).Thiscontrolconnectionallowstheclient andservertocommunicatewitheachotherandtoestablishparametersforthemultimedia connections—no actual multimedia traffic traverses this connection. The client choosesaportnumbergreaterthan1023,andtheserverislisteningon554,whichisdefinedinRFC2326.Thisconnectionisthesameconnectiondiscussedinthelastsection. Whentheclientrequestsamultimediastream,theserverandclientwillnegotiate port numbers for two simplex UDP connections.A simplex connection is a unidirectionalconnection—youcaneithersendorreceive,butnotboth.Onesimplexconnection theserverbuildstotheclient,andtheothersimplexconnectiontheclientbuildstothe server.Eventhoughthesearetwodistinctconnections,thesameportnumberscanbe usedforbothconnections(rememberthatthey’resimplexconnections),ordifferentport numberscanbeused.IntheexampleshowninFigure14-1,Iusedthesameportnumber forthesesimplexUDPconnections. Whethertheclientisontheinsideandtheserverontheoutside,orviceversa,you willneedapplicationinspectioninordertoaddthetwoUDPsimplexconnectionstothe conntable.ThisisbecausetheserveropensthemultimediaRTPUDPconnection,and theclientopenstheUDPerrorconnection.
Chapter 14:
Multimedia and Policies
TCPMode As you saw in the last two sections, RTP and RDT use UDP for the multimedia connections.You have an option of using TCP for the multimedia connections instead of UDP.OneoftheadvantagesofusingTCPisthatthereisonlyasingleconnectionused totransmitalldata—bothcontrolinformationandmultimediadata.Therefore,pushing thisconnectionthroughafirewallorapplianceisfairlysimple.However,becauseTCP addsdelayinthemultimediastream,thistypeofconnectionisnotcommonlyusedfor real-timeconnections. ThebottompartofFigure14-1illustratesRTSPusingTCP.Thefirst,andonly,connectionthatissetupbetweentheclientandserveristhecontrol/dataconnection.This controlconnectionallowstheclientandservertocommunicatewitheachotheraswell as to transmit multimedia data across it—this is unlike RTP and RDT mode, where a separateconnectionisusedforthemultimediadata. TIP Ofcourse,usingTCPislessefficientbecauseofitslargerheaderandtheuseofwindowing, especiallyformultimedia.However,itcansometimesbeusedasa“fix-all”formakingapplications workthroughstatefulfirewallsandtranslationdevices,whichmightdeploylowidletimersforUDP, causingthemultimediaUDPconnectionstotimeoutoftheirtablesandbreakingtheconnections. TCPtypicallyhashigheridletimeoutsonthesedevicesandthuscreatesfewerconnectionproblems ...atthecostofsomeefficiencyinthetransmissionofthedata.
RTSPPolicyConfiguration ThefollowingsectionswilldiscusstheconfigurationofRTSPinspection.Forin-depth inspectionpolicies,youmightneedtocreatealayer7policymapand,possibly,alayer7 classmap.Thefollowingsectionswilldiscusshowtocreatethese,aswellashowtoenableRTSPinspectioninalayer3/4policymap.
RTSPLayer7ClassMaps Herearethecommandstocreatealayer7classmapforRTSPinspection: ciscoasa(config)#class-maptypeinspectrtsp[match-all] L7_class_map_name ciscoasa(config-cmap)#descriptionstring ciscoasa(config-cmap)#match[not]request-methodmethod_name ciscoasa(config-cmap)#match[not]url-filterregex{class regex_class_name|regex_name}
The request-method parameter allows you to match on commands seen or unseen within the signaling connection (port 554). The commands you can include are announce, describe, get_parameter, options, pause, play, record, redirect, setup, set_parameter, and teardown. The url-filter parameter allows you to matchononeormoreURLsinRTSPcontrolmessages.
353
354
Cisco ASA Configuration
RTSPLayer7PolicyMaps Herearethecommandstocreatealayer7policymapforRTSPinspection: ciscoasa(config)#policy-maptypeinspectrtspL7_policy_map_name ciscoasa(config-pmap)#descriptionstring ciscoasa(config-pmap)#matchL7_class_map_parameters ciscoasa(config-pmap-c)#{[drop-connection[log]| rate-limit#_of_messages} ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#classL7_class_map_name ciscoasa(config-pmap-c)#{[drop-connection[log]| rate-limit#_of_messages} ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#reserve-port-protect ciscoasa(config-pmap-p)#url-length-limitlength
Insteadofcreatinganapplicationlayerclassmap,youcanalsoreferencethesevalues withinthelayer7policymapwiththematchcommand.Theadvantageofusinglayer7 classmapsisthatyoucanapplydifferentpoliciestodifferentclasses(classmaps).Either youcanhavetheappliancedroptheconnectionand/orlogthematchifyouarematchingonaURL,oryoucanrate-limittheRTSPcommandsdependinguponwhatyouare matchingoninanassociatedclassmapormatchcommand. Withinthe parameterssectioninalayer7policymap,youcanrestrictusageon thereserveportwhenperformingmultimedianegotiations(reserve-port-protect command) and restrict the limit of URLs, in bytes, in RTSP control messages (urllength-limitcommand).Thelengthcanbefrom0to6,000bytes.
RTSPLayer3/4PolicyMaps IfallyouareinterestedinisdynamicallyaddingthetwoUDPmultimediaconnectionsto theconntableandfixingembeddedaddressinginformation,thenyoudonotneedtoimplementalayer7policyforRTSPinspection.However,ifyouneedtoimplementalayer 7RTSPpolicy,youmusthaveacorrespondinglayer3/4policymapthatreferencesit: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspectrtsp[L7_policy_map_name]
NOTE BydefaultRTSPinspectionisenabledintheglobalpolicy,whichisactivatedonallinterfaces ontheappliance.
Chapter 14:
Multimedia and Policies
RTSPExampleConfiguration Let’slookataconfigurationexamplethatimplementsRTSPinspection: ciscoasa(config)#regexbadurl_1".+\.[Aa][Vv][Ii]" ciscoasa(config)#regexbadurl_2".+\.[Rr][Mm]" ciscoasa(config)#regexbadurl_3".+\.[Aa][Ss][Pp]" ciscoasa(config)#class-maptyperegexbadurls ciscoasa(config-cmap)#matchregexbadurl_1 ciscoasa(config-cmap)#matchregexbadurl_2 ciscoasa(config-cmap)#matchregexbadurl_3 ciscoasa(config)#policy-maptypeinspectrtspL7-rtsp-policy ciscoasa(config-pmap)#matchurl-filterregexclassbadurls ciscoasa(config-pmap-p)#drop-connectionlog ciscoasa(config)#policy-mapglobal_policy ciscoasa(config-pmap)#classinspection_default ciscoasa(config-pmap-c)#inspectrtspL7-rtsp-policy ciscoasa(config)#service-policyglobal_policyglobal
Atthetopoftheexample,threeregularexpressionsarelookingforURLsthatendin “.avi”,“.rm”,or“.asp”,inupper-orlowercase.Theseareincludedinaregularexpressionclassmap.Thelayer7policymap(L7-rtsp-policy)willdropandloganyRTSP connections that reference the URLs in the regular expression class map. This layer 7 policy is then referenced in the default layer 3/4 class and policy map configuration acrossallapplianceinterfaces.
H.323INSPECTION H.323 is an ITU-T standard for the bi-directional exchange of voice, video, and data. H.323issomewhatofahybridprotocolinthatitsupportsbothvideoandaudioconnections.Asyouwillseeinthefollowingsections,H.323,likemostmultimediaapplications,isamoredifficultprotocoltodealwiththansimpleVoIPconnections,oreven RTSP.UnlikeSIP,Skinny,RTSP,orFTP,anH.323applicationcanhavemanyconnections thataresetupbetweentwodevices.Thefollowingsectionswillcoverthecomponentsof H.323,howconnectionsaresetup,howtheapplicationinspectionfeatureforH.323on theappliancesfunctions,andhowtoconfigureapplicationinspection. NOTE H.323wasactuallythefirstVoIPprotocoltouseRTP(whicheveryonenowuses).Allother VoIPprotocolsarebasicallyacollectionofotherprotocols,buttypicallyrelyonRTPfortheactual voiceconnections.
355
356
Cisco ASA Configuration
H.323Overview Actually,H.323isagroupofstandardsthatdefinesthecommunicationprocessbetween twoH.323endpoints.H.323includesthefollowingstandards:
▼ H .225 Registration,admission,andstatus
■ H.235 Callsignalingtoestablishphonecalls
■ H.245 Controlsignaling,whichdescribesthemessagesandproceduresused tosharethecapabilitiesoftheendpoints,openingandclosingphone,video, and/ordataconnections
■ Q.931 Messagingtoactuallyestablishthephonecalls
■ TPKT Packetheaders
▲ A SN.1 Describesdatastructuresforrepresenting,encoding,transmitting, anddecodingdata(includingphonesignalinginformation)
Forcallsetupandcontrol,twoTCPconnectionsareused;fortheaudioand/orvideo connections,UDPconnectionsareused.Asyoucansee,thisissimilartoRTSP.Unlike RTSP, H.323 uses one or more TCP connections and one or more UDP connections to transmittheactualcontent. ThefirstconnectionisaTCPconnectiontothewell-knownport1720(thesignaling connection).TheremainingconnectionsuseUDPand/orTCP,buttheportnumbersare typicallyrandom(above1023).Thisobviouslycausesproblemsinenvironmentsthatuse firewallsandfilters.H.323alsousesASN.1(AbstractSyntaxNotationOne)toencode itspackets,whichmakesapplicationinspectiondifficultwhendecipheringthepacket information.
SupportedApplications BecauseeachvendoraddsitsownmechanismsaboveandbeyondH.323,letalonebecauseofthecomplexitiesofH.323itself,thesecurityappliancesdonotsupportevery H.323multimediaapplication.However,hereisalistofsomeofthemorecommonly usedH.323applicationsthattheappliancesdosupport:
▼ C iscoMultimediaConferenceManagerandCallManager
■ CUseeMeMeetingPointandCUseeMePro
■ IntelVideoPhone
■ MicrosoftNetMeeting
▲ V ocalTecInternetPhoneandGatekeeper
TypesofH.323Devices Before I begin discussing the setup of connections with H.323, let’s first discuss the twotypesofdevicesthatcanbeinvolvedinthesetupofaconnection:terminalsand gatekeepers.AnH.323terminalisanendpointintheH.323connection.Itisaclientthat
Chapter 14:
Multimedia and Policies
is responsible for making connections. This can be something as simple as software runningonaPCoronadedicatedhardwareappliancelikeanIPphoneorvoiceconferencingstation.OnerequirementofallH.323terminalsisthattheymustsupportvoice communications—othertypesofcommunications,likevideoordata,areoptional. AnH.323gatekeeperisacentralpointforallmultimediacallsandprovidescallcontrolservicestotheterminalsthatregisterwithit.Itstwomainfunctionsaretoperform addresstranslation(canbeNATaswellastelephonenumbertoIPaddresstranslation) andbandwidthmanagement.Notethatthegatekeeperisnotnecessarytosetupconnectionsdirectlybetweentwoterminals—ifthetwoterminalswishingtocommunicate knoweachother’saddressinginformation,theycansetuptheconnectiondirectly.This isdifferentfromSkinnyandSIP. AsIjustmentioned,agatekeeperisunnecessary.However,agatekeeperdoesmake iteasiertodeploymultimediaservicesonalargescale.Agatekeeperisthecentralrepository for addressing information—terminals register their addressing information withthegatekeeper,andthegatekeepergivesthisinformationtoqueryingterminals.In thissense,itfunctionssomethinglikeahybridPBX/DNSserver.H.225definestheRAS (Registration,Admission,andStatus)protocolthattheterminalsandgatekeepersuseto communicatewitheachother.
H.323ConnectionsandApplicationInspection Therearethreebasicwaysthataconnectioncanbemadebetweentwoterminals:
▼ A terminalcancontactagatekeeperforaddresstranslationinformationand thensetuptheconnectiondirectlytothedestinationterminal—thisrequires bothterminalstoberegisteredwiththegatekeeper.
■ Aterminalcancontactagatekeeperandhavethegatekeeperhandlethecall signalingandcontrolinformationbetweenthetwoterminals—thisrequires bothterminalstoberegisteredwiththegatekeeper.
▲ A terminal,knowingthedestinationterminaladdress,cansetupthe connectiondirectlytothedestinationwithouttheassistanceofagatekeeper.
Thenextfewsectionswillcovertheinteractionoftheterminalwiththegatekeeperas wellasbetweenthetwoterminals.
FindingandConnectingtoaGatekeeper AsImentionedpreviously,agatekeeperisunnecessarytoestablishamultimediaconnectionbetweentwoterminals;however,itdoeshelpcentralizeandsimplifyyourmultimedia deployment.Therearetwobasicmethodsofcontactingagatekeeper:
▼ T heterminalusesanautodiscoveryprocesstofindthegatekeeper.
▲ T heterminalhasthegatekeeper’sIPaddresshard-codedinitslocal configuration.
357
358
Cisco ASA Configuration
H.323 Gatekeeper UDP Port => 1024
UDP Port = 1718
UDP Port => 1024
UDP Port = 1719
H.323 Terminal
H.323 Gatekeeper Server
Figure14-2. TheinitialconnectionstotheH.323gatekeeper
I’lluseFigure14-2todemonstratethetwoconnectionsthatmightbeusedtoinitiatea connectiontothegatekeeper. Iftheterminaldoesn’tknowthegatekeeperIPaddress,itwillsendamulticastto 224.0.1.41 (well-known multicast address). This is a UDP multicast with a destination portnumberof1718.Obviouslyiftheterminalisononesideofanapplianceandthe gatekeeperisontheotherside,thisprocesswillfail—theappliancewon’tforwardthe multicastpacketsbydefault.Therefore,youwouldhavetousethesecondsolution— hard-codetheIPaddressofthegatekeeperontheclient. Once the terminal knows the IP address of the gatekeeper, the terminal will set upadirectUDPconnectiontothegatekeeper—thisisthesecondconnectionlistedin Figure14-2.Thesourceportoftheterminalisarandomportabove1023,andthedestinationportis1719.ThisiscommonlyreferredtoastheRASconnection.Whenthis connectionisestablished,theterminalwillthenregisteritsinformationwiththegatekeeper.Thisinformationwillincludetheidentityoftheterminal(likeanID,name,E.164 phone number, or some other type of alias) as well as the IP address of the terminal. Therefore,whenotherterminalswanttocontactthisterminal,theycanusethedestinationterminalalias(whichisstatic)tofindthedestinationIPaddressinordertosetupa multimediaconnection(s).Inthissense,theregistrationprocessissomewhatlikeMicrosoftWINSordynamicDNS. NOTE Ifthegatewayisconnectedtoahigher-levelinterfaceontheapplianceandtheterminalison alower-levelinterface,you’llneedanACLtoallowtheUDPport1719connection.
UsingOnlyTerminalstoEstablishConnections Let’sstartoutsimpleandexaminetheconnectionsetupbetweentwoterminalswithout agatekeeperinvolvedintheprocess.Inthissituation,thesourceterminalmustknow theaddressofthedestinationterminal.I’llusetheillustrationshowninFigure14-3as anexample. ThesourceterminalwillfirstopenaTCPconnectionwhereitssourceportnumber is greater than 1023 and the destination port number is 1720. This connection is used
Chapter 14:
Multimedia and Policies
H.323 Terminals Only
H.323 Terminal
TCP Port => 1024
Signaling—H.225
TCP Port = 1720
TCP Port => 1024
Control—H.245
TCP Port => 1024
UPD Port => 1024
Audio—RTP
UDP Port => 1024
UPD Port => 1024
Video—RTP
UDP Port => 1024
UPD Port => 1024
Control—RTCP
UDP Port => 1024
H.323 Terminal
Figure14-3. AnH.323connectionexamplewithonlyterminals
forcallsetupandsignalingbetweenthetwoterminals(thisisdefinedintheH.225and H.235standards).Thisconnection,calledthesignalingconnection,isusedtonegotiate thesettingupofthemultimediaconnectionsbetweenthetwoterminals.TheQ.931ITU-T standardisusedtoimplementthesignalingofsettingupandtearingdownconnections onthisconnection(alsousedbyISDN).Onthesignalingconnectionthetwopartieswill negotiatetheportnumberstouseforthesecondTCPconnection. Thecalledparty(destinationterminal)willinitiateasecondTCPconnectionbackto thesource.Bothoftheportnumbersforthisconnectionaredynamicallychosenabove 1023bybothparties.Thisconnectioniscalledthecallcontrolconnection,anditsmechanicsaredefinedinH.245.Thisconnectionhandlesthemultimediaconnectionsthatwill beestablished,includingwhichaudioandvideocompressor-decompressors(CODECs) willbeused. UptothreeUDPconnectionswillbeestablishedfromthesourceterminaltothedestination,assumingthatthisisavideo-conferencecall:
▼ A udiousingRTP
■ VideousingRTP
▲ C ontrolusingRTCP
ThesourceterminalopensallthreeoftheseUDPconnections—theactualportnumbers arenegotiatedbetweenthetwosidesacrossthesignalingconnection.Theseportnumbersarerandomnumbersgreaterthan1023.Thesourcethensetsuptheseconnections tothedestination.NotethattheprotocolsusedfortheseUDPconnectionsarethesame onesthatRTSPsupportsinstandardRTPmode. NOTE Theprecedingexampleonlyappliestovideoconferencing.AdditionalUDPconnectionsand TCPconnectionscanbesetupbetweenthemultimediadevices—eachapplicationisuniqueinthis regard.
359
360
Cisco ASA Configuration
As you can see from Figure 14-3, the setup of a multimedia session between two terminalsisnotasimpleprocess.Whetherornotthesourceisconnectedtoalower-or higher-levelinterfaceontheappliance,you’llneedapplicationinspectiontosecurelyadd thenecessaryconnectionstotheconntableandtofixembeddedaddressinginformation inthesignalingconnection.Ifthesourceisconnectedtothehigher-levelinterface,applicationinspectionisnecessarytodynamicallyaddtheH.245controlconnection.Ifthe sourceisconnectedtoalower-levelinterface,you’llneedanACLtoallowtheTCPport 1720connectionandapplicationinspectiontodealwiththeUDPconnections.
UsingaGatekeeperforAddressTranslation OnlyforTerminalConnections Let’scomplicatetheprocessbythrowingagatekeeperintoanetworkscenario.Inthis situation,theterminalswillusethegatekeeperforregistrationonlyandwillsetupany otherconnectionsdirectlybetweenthemselves.Thisprocessiscommonlyreferredtoas Directmode.I’lluseFigure14-4asanexample. EachterminalwillsetupadirectUDPconnectiontothegatekeeper—thisisthefirst connectionlistedinFigure14-4.Thesourceportoftheterminalisarandomportabove 1023,andthedestinationportis1719.Whenthisconnectionisestablished,theterminal willthenregisteritsinformationwiththegatekeeper.Theterminalswillusethisconnectiontoperformaddresstranslation(resolvingaliasestoIPaddresses).Inthissituation, thesourceterminalonlyneedstoknowthealiasofthedestinationterminalinorderto buildaconnectiontoit.
H.323 Terminals and Gatekeeper with Address Translation UDP Port => 1024
UDP Port = 1719 H.323 Gatekeeper Server
H.323 Terminal
TCP Port => 1024
Signaling—H.225
TCP Port = 1720
TCP Port => 1024
Control—H.245
TCP Port => 1024
UPD Port => 1024
Audio—RTP
UDP Port => 1024
UPD Port => 1024
Video—RTP
UDP Port => 1024
UPD Port => 1024
Control—RTCP
UDP Port => 1024
H.323 Terminal
Figure14-4. ConnectionwithH.323terminalsandagatekeeperforaddresstranslation
Chapter 14:
Multimedia and Policies
ThesourceterminalwillthenopenaTCPconnectiontothedestinationterminal(not thegatekeeper)wherethesourceterminalsourceportnumberisgreaterthan1023and thedestinationportnumberis1720.Thisconnectionisusedforcallsetupandsignaling betweenthetwoterminals(thisisdefinedinstandardH.225).Onthisconnectionthe twopartieswillnegotiatetheportnumberstouseforthesecondTCPconnection.This connectionisthesignalingconnectionandisusedtosetupmultimediaconnectionsbetweentwoterminals. Therestoftheconnectionsareestablishedinexactlythesamemannerasdescribedin thelastsectiononbuildingconnectionsdirectlybetweentwoterminals.Alloftheissues mentionedinthe“FindingandConnectingtoaGatekeeper”and“UsingOnlyTerminals toEstablishConnections”sectionsapplytotheconnectionsbeingsetupinthissection.
UsingaGatekeeperforAddressTranslationand SignalingandControlforTerminalConnections Thelastmodethatcanbeusedforsettingupmultimediaconnectionsbetweenterminals involvesagatekeeper,asinthelastsection;butinthisinstance,thegatekeeperplaysa moreinvolvedrole.Inthisconfiguration,boththesignaling(H.225)andcontrol(H.245) fromtheterminalsaresetupbetweentheterminalsandthegatekeeper—notbetween theterminalsthemselves.ThisscenarioisoftenreferredtoasRoutingmodeandissomewhat similar to the process SIP and Skinny use. I’ll use Figure 14-5 to help with the explanationofthesettingupoftheconnections.
H.323 Terminals and Gatekeeper with Signaling and Control UDP Port => 1024
H.323 Terminal
UDP Port = 1719
TCP Port => 1024
Signaling—H.225
TCP Port = 1720
TCP Port => 1024
Control—H.245
TCP Port => 1024
UDP Port => 1024
Audio—RTP
UDP Port => 1024
UDP Port => 1024
Video—RTP
UDP Port => 1024
UDP Port => 1024
Control—RTCP
UDP Port => 1024
H.323 Gatekeeper Server
H.323 Terminal
Figure14-5. ThisisanH.323examplewithterminalsandagatekeeperhandlingsignalingandcontrol.
361
362
Cisco ASA Configuration
EachterminalwillsetupadirectUDPconnectiontothegatekeeper—thisisthefirst connectionlistedinFigure14-5.Thesourceportoftheterminalisarandomportabove 1023,andthedestinationportis1719.Whenthisconnectionisestablished,theterminal willthenregisteritsinformationwiththegatekeeper.Theterminalswillusethisconnectiontoperformaddresstranslation(resolvingaliasestoIPaddresses).Inthissituation, thesourceterminalonlyneedstoknowthealiasofthedestinationterminalinorderto buildaconnectiontoit. EachterminalwillthenopenaTCPconnectiontothegatekeeper(notthedestination terminal)wherethesourceterminalsourceportnumberisgreaterthan1023andthedestinationportnumberis1720.Thisconnectionisusedforcallsetupandsignaling—the gatekeeperwillactasago-between(thisisdefinedinstandardH.225).Onthisconnection eachterminal/gatewaypairwillnegotiatetheportnumbersfortheH.245controlconnection.ThegatekeeperwillthenbuildthisTCPconnectionbacktotheterminal.Remember thatthesourceanddestinationportnumbersforthisarerandomnumbersabove1023for theH.245controlconnection. OncetheseconnectionshavebeenestablishedbetweenthetworespectiveH.323terminalsandthegatekeeper,theterminalscannowrequestconnectionstobesetup.These UDPmultimediaconnections,unlikethelasttwoTCPconnections,willnotbebuiltto thegatekeeper,butinsteadwillbebuiltdirectlybetweentheterminalsthemselves.This portinformationisnegotiatedontheTCPconnectionsviathegatekeeper,andthenthe UDPconnectionsarecreatedfromthecallingparty(sourceterminal)tothecalledparty (destinationterminal).
H.323ApplicationInspectionFeaturesoftheAppliances Asyoucanseefromtheprecedingdescription,thesetupoftheseconnectionsisnota simpleprocess.Anddependingonwhereallofthesedevicesarerelativetotheappliance,applicationinspectionisnotasimpleprocessforCiscotoimplementinitssecurity appliances. There are also four versions of H.323—v1, v2, v3, and v4; the appliances supportallfourversions.I’mjustgladthatI’mnotresponsibleforwritingtheH.323applicationinspectioncodeforCiscofortheirappliances! Asanexample,ifthesourceterminalwereontheinsideoftheapplianceandthe gatewayanddestinationterminalontheoutside,hereiswhatwouldhappenwithapplicationinspectionenabled:
1. T hetwoinitialconnectionstothegatekeeperarepermitted(1719and1720) sincetheyoriginatedontheinside.
2. T heH.245TCPconnectionfromthegatekeeperisallowedviaapplication inspection—theapplianceexaminestheTCP1720signalingconnectionforthe portnumbersanddynamicallyaddsthisconnectiontotheconnectiontable.
3. T heUDPmultimediaconnectionsarepermittedsincetheyoriginatefromthe insideofthenetwork.
Chapter 14:
Multimedia and Policies
Ifthesourceterminalisontheoutsideofthenetworkandthegatekeeperanddestinationterminalareontheinsideofthenetwork,hereiswhatwouldhappenwithapplicationinspectionenabled:
1. Y ouwillneedanACLtoallowtheUDP1719andTCP1720connectionssince theseconnectionsoriginateontheoutside.
2. T heH.245TCPconnectionfromthegatekeepertotheoutsideterminalis allowedbydefault.
3. A pplicationinspectionwouldexaminethesignalingconnectiontodetermine thatacallisbeingsetupbetweentheoutsideandinsideterminals,andwould dynamicallyaddtheUDPconnectionstotheconnectiontable.
Icouldcovermanymorescenarioshere,butIthinkthatyounowunderstandthisis notasimpleprocesstheappliancesarehandlingwhendealingwithapplicationinspectionforH.323.Table14-1summarizestheconnectiontypesandportnumbersusedby H.323applications. Asasummary,rememberthattheappliancesapplicationinspectionforH.323providesthefollowingtwomainfunctions:
▼ H andlinganyembeddedaddressesandportsintheH.225TCPsignaling connectionthatconflictwithcurrententriesinthexlatetable.
▲ D ynamicallyaddingH.245TCP,RTPUDP,andRTCPUDPconnectionsbased oninspectionoftheH.225TCPsignalingconnection.
Protocol
Port(s)
Description
UDP
1718
Multicasttodiscoverthegatekeepersonasegment
TCP
1719
RASconnectionusedtoregisterterminal informationwiththegatekeeper
TCP
1720
H.225signalingconnectionusedtosetupandtear downconnections
TCP
1024–65535
H.245controlconnection
UDP
1024–65535
RTPaudioconnection
UDP
1024–65535
RTPvideoconnection
UDP
1024–65535
RTCPsynchronizationconnection
Table14-1. ConnectionsUsedbyH.323
363
364
Cisco ASA Configuration
HerearesomelimitationsofapplicationinspectionforH.323ontheappliances:
▼ Y oumightexperienceproblemswithstaticPATtranslations.
■ Fixingtranslationissuesisunsupportedonsame-security-levelinterfaces.
▲ Y oumighthaveissueswithnetstaticsiftheyoverlaptheaddressesusedbythe terminalsorgateways. TIP IfyouhaveanH.323applicationthatCiscodoesn’tsupportwithapplicationinspection,Iwould firsttryusingtheestablishedcommand(seeChapter11)togettrafficflowingbetweenthetwo endpointsthroughtheappliance.Ifthisdidn’twork,IwouldthenplaceaCiscorouteratbothlocations anduseaGREtunneltotunneltheH.323traffic—sinceGREisnotstatefulontheappliances,you wouldneedanACLentryonthelower-levelinterfacetopermitit.
H.323PolicyConfiguration ThefollowingsectionswilldiscusstheconfigurationofH.323inspection.Forin-depth inspectionpolicies,youmightneedtocreatealayer7policymapand,possibly,alayer7 classmap.Thefollowingsectionswilldiscusshowtocreatethese,aswellashowto enableH.323inspectioninalayer3/4policymap.
H.323Layer7ClassMaps Herearethecommandstocreatealayer7classmapforH.323inspection: ciscoasa(config)#class-maptypeinspecth323[match-all] L7_class_map_name ciscoasa(config-cmap)#descriptionstring ciscoasa(config-cmap)#match[not]called-partyregex {classclass_name|regex_name} ciscoasa(config-cmap)#match[not]calling-partyregex {classclass_name|regex_name} ciscoasa(config-cmap)#match[not]media-type{audio|data|video}
The called-party and calling-party parameters allow you to match on phone number(s)someoneisdialingoronthephonenumberofthesourceofthecallrespectively. Themedia-typeparameterallowsyoumatchonaparticulartypeofsessionthatisbeing established.
H.323Layer7PolicyMaps Herearethecommandstocreatealayer7policymapforH.323inspection: ciscoasa(config)#policy-maptypeinspecth323L7_policy_map_name ciscoasa(config-pmap)#descriptionstring ciscoasa(config-pmap)#matchL7_class_map_parameters ciscoasa(config-pmap-c)#{[drop[send-protocol-error]|
Chapter 14:
Multimedia and Policies
drop-connection[send-protocol-error]| |reset][log]} ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#classL7_class_map_name ciscoasa(config-pmap-c)#{[drop|drop-connection| |reset][log]} ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#parameters ciscoasa(config-pmap-p)#call-duration-limithh:mm:ss ciscoasa(config-pmap-p)#call-party-numbers ciscoasa(config-pmap-p)#h245-tunnel-blockaction {drop-connection|log} ciscoasa(config-pmap-p)#hsi-groupgroup_id ciscoasa(config-h225-map-hsi-grp)#hsiIP_address ciscoasa(config-h225-map-hsi-grp)#endpointIP_addresslogical_if_name ciscoasa(config-h225-map-hsi-grp)#exit ciscoasa(config-pmap-p)#rtp-conformance[enforce-payloadtype] ciscoasa(config-pmap-p)#state-checking{h225|ras}
Insteadofcreatinganapplicationlayerclassmap,youcanalsoreferencethesevalues withinthelayer7policymapwiththematchcommand.Theadvantageofusinglayer7 classmapsisthatyoucanapplydifferentpoliciestodifferentclasses(classmaps).You canhavetheappliancedropthepacketorconnection,resettheTCPconnection,and/or logtheconnectiondependinguponwhatyouarematchingoninanassociatedclassmap ormatchcommand. Withintheparameterssectioninalayer7policymap,youhavemanyoptionsyou candefineforpolicies.Thecall-duration-limitcommandallowsyoutoplacetime limitsontheRTPconnections—bydefaulttherearenotimelimits.Torequirethesending of call party numbers during an H.323 call setup, use the call-party-numbers command. H245 tunneling allows endpoints to only use a single TCP connection for bothH.225/235andH.245.IfyouwanttorequiretheuseoftwoTCPconnections(orto logviolations),usetheh245-tunnel-blockcommand. H.323signalinginterface(HSI)providestheinterfacebetweentheH.323andPSTN networks.You can set up restrictions of the devices allowed to connect to the HSI by creatinganHSIgroupwiththe hsi-groupcommand—thegroupidentifiercanrange from0to2147483647.Thiswilltakeyouintoasubcommandmode.The hsicommand specifiestheIPaddressofthedevicebridgingtheH.323andPSTNnetworks—youcan define up to five HSI devices. The endpoint command specifies the devices that are allowedtointeractwiththeHSI(normallythesearegateways).Youcanspecifyuptoten endpointspergroup. Thertp-conformancecommandcheckstheRTPUDPconnectionsthatweredynamicallyaddedtotheconntableforconformingtotheRTPstandard.Thestate-checking commandhastheapplianceensurethatthesignaling(h225)and/orRAS(ras)connections followthestandardinthewaythatmessagesareexchangedbetweendevices.
365
366
Cisco ASA Configuration
H.323Layer3/4PolicyMaps If all you are interested in is dynamically adding the TCP control and the two or moreUDPmultimediaconnectionstotheconntableandfixingembeddedaddressing information,thenyoudonotneedtoimplementalayer7policyforH.323inspection. However, if you need to implement a layer 7 H.323 policy, you must have a correspondinglayer3/4policymapthatreferencesit: ciscoasa(config)#policy-mapL3/4_policy_map_name ciscoasa(config-pmap)#classL3/4_class_map_name ciscoasa(config-pmap-c)#inspecth323[L7_policy_map_name]
NOTE Bydefault,H.323inspectionisenabledintheglobalpolicy,whichisactivatedonallinterfaces ontheappliance.
H.323andH.225Timeouts ToconfigureidletimeoutsforH.323connections,usethefollowingcommands: ciscoasa(config)#timeouth225hh:mm:ss ciscoasa(config)#timeouth323hh:mm:ss
The h225parameterspecifiesanidletimeoutfortheTCPsignalingconnection(bydefaultthisis1hour).Theh323parameterspecifiesanidletimeoutfortheH.245andthe mediaconnections(bydefaultthisis5minutes).
H.323MonitoringandVerification TomonitorandverifyyourH.323connections,youhavevariousshowanddebugcommandsyoucanuse:
▼ s howh225 ViewtheH.225signalingconnectionsestablishedthroughthe appliance.
■ showh245 ViewtheH.245controlconnectionsestablishedthroughthe appliance.
■ showh323-ras ViewtheRASconnectionsestablishedthroughthe appliance.
▲ debugh323{h225|h245|ras}event Troubleshootproblemswith theestablishmentofH.323sessions.
H.323ExampleConfiguration Let’slookataconfigurationexamplethatimplementsH.323inspection: ciscoasa(config)#regexphone1"5551237890" ciscoasa(config)#regexphone2"5554561234"
Chapter 14:
Multimedia and Policies
ciscoasa(config)#class-maptypeinspecth323match-allL7_h323_class ciscoasa(config-pmap-c)#matchcalling-partyregexphone1 ciscoasa(config-pmap-c)#matchcalled-partyregexphone2 ciscoasa(config)#policy-maptypeinspecth323L7_h323_policy ciscoasa(config-pmap)#classL7_h323_class ciscoasa(config-pmap-c)#drop-connection ciscoasa(config)#policy-mapglobal_policy ciscoasa(config-pmap)#classinspection_default ciscoasa(config-pmap-c)#inspecth323L7_h323_policy ciscoasa(config)#service-policyglobal_policyglobal
In the preceding example, if phone1 were to attempt to call phone2, the connection wouldbedropped;however,aphonecallfromphone2tophone1wouldbeallowed.If youdon’twantanyphonecallsbetweenthetwoparties,youalsowouldneedtospecify phone1asacalledpartyandphone2asacallingparty.
367
This page intentionally left blank
IV Virtual Private Networks (VPNs)
369
This page intentionally left blank
15 IPSec Phase 1
371
372
Cisco ASA Configuration
T
his chapter will introduce you to using IPSec on your appliance, focusing on the configuration of IPSec Phase 1 and its components. The information in this chapterappliestobothsite-to-site(Chapter16)andremoteaccessIPSecsessions (Chapters17and18)andlaysthefoundationforconfiguringIPSecsite-to-siteandremote accessconnections.Thetopicsincludedinthischapterare
▼ I PSecintroduction
■ ISAKMPconfiguration
■ Tunnelgroups
▲ C ertificateauthorities ThesetopicswillreappearinsubsequentchaptersonIPSec. NOTE Becauseofspaceconstraints,thischapterwillnotprovideyouanoverviewofVPNs,IPSec, its components, and how they work together, like my previous book did on the PIXs. For a more thoroughdiscussionofVPNs,pleasereadmybookTheCompleteCiscoVPNConfigurationGuide (CiscoPress,2005)—thewholefirstpartofthebook(170pages!)discussesVPNs.
IPSecINTRODUCTION TheVPNssupportedbytheappliancesincludeIPSec,SSL(calledWebVPN),PPTP,and L2TP.ForIPSec,theappliancessupportbothsite-to-siteandremoteaccessVPNs.With IPSec site-to-site connections, you can connect your appliance to other appliances and firewalls, other routers, and VPN concentrators or gateways. For remote access, Cisco supportstheCiscoVPNclient,butothersoftwareandhardwareclientsaresupported, includingformobiledevices.IfthedeviceyouwanttoconnecttoyourapplianceisIPSeccompliant,thenitshouldn’tbeanissuegettingaVPNupandrunning.Chapter16focusesonsite-to-siteIPSecconnections,commonlycalledLAN-to-LAN(L2L)connections; Chapters17and18discussIPSecremoteaccess,andChapters19and20WebVPN.
IPSecPreparations You’llperformsixbasictaskstosetupanIPSecconnectiontoaremoteIPSecpeer:
1. Handledesignandpolicyissues.
2. AllowinboundIPSectraffic.
3. ConfigurethepoliciesforISAKMP/IKEPhase1.
4. ConfigurethepoliciesforISAKMP/IKEPhase2.
5. Verifyyourconfiguration.
6. ChecktheIPSecconnection.
Chapter 15:
IPSec Phase 1
Theprecedingstepsdetailthetasksthatyou’llhavetocompletetosuccessfullysetup yourIPSecconnection.
SameInterfaceTraffic Onemainlimitationoftheappliancewasthatitcouldnotbethehubdeviceinahub-andspokeVPNtopologythroughversion6oftheOS.Thereasonisthattheappliancewillnot allowtraffictotravelbetweeninterfacesofthesamesecuritylevelbydefault.Forexample, assumeyouhaveaPIXconnectedtotwospokes,PeerAandPeerB.PeerAsendstraffic acrosstheVPNconnectiontothePIX,whichinturnneedstoforwardittoPeerB.ThePIX wouldnotallowthis(inversion6)sincetheoriginaltrafficcamefromtheoutsideinterface andthenneededtobeforwardedbackoutoftheoutsideinterface.Recallthatsincethisis thesameinterface,thesecuritylevelsoftheentryandexitinterfacesarethesame,andthe appliancedeniesthistraffic.Therefore,ifyouhadahub-and-spokedesign,youcouldn’t usethePIXasthehubinversion6andearlier.TheCiscosolutiontothisprobleminversion 6andearlieristousearouterasthehubinthehub-and-spokedesign. Inversion7,the same-security-trafficcommandisusedtoallowVPNtraffic comingintoandoutofthesameinterface(physicalorlogical): ciscoasa(config)#same-security-trafficpermitintra-interface
Bydefaultthisfeatureisdisabled.
ISAKMPCONFIGURATION TheISAKMPandIKEprotocolsdefinehowtoestablishanIPSecsessionbetweentwo peers.Threeconnectionsmakeupthesession:onemanagementandtwodataconnections.Theconnectionsarebuiltacrosstwophases:inPhase1,themanagementconnectionisbuilt,andinPhase2,thedataconnectionsarebuilt.Themanagementconnection isusedtoshareIPSec-relatedinformationbetweenthepeers.Thedataconnectionsare usedtoprotectactualusertrafficbetweenthepeers.Thedataconnectionsareunidirectional,whichiswhytherearetwo,andareprotectedwitheithertheAHand/orESP protocols.Ofthetwo,ESPisbyfarthemostcommononeusedforanIPSecsession. TheremainderofthischapterwillfocusonglobalandPhase1propertiesthatyou canorneedtoconfigureonyoursecurityappliance.Mostofthecommandstoconfigure IPSeconanapplianceareverysimilartothoseusedonCiscoIOSrouters.Some,especiallythoserelatingtotunnelgroups,areverydifferent,though.Someofthecommands introducedherewillbemorethoroughlycoveredinsubsequentchapters.
GlobalISAKMPProperties ThissectionwilldiscusstheuseandconfigurationofglobalpropertiesforISAKMPand IKE, like how to enable them, specify the identity type, send disconnect notices, and configurethemodetouse.
373
374
Cisco ASA Configuration
EnablingISAKMP ISAKMPandIKEaredisabledbydefaultontheappliancein7.2andlater—theyneedto beenabledoneachinterfaceyou’llterminateIPSectunnelson.Usethefollowingcommandtoenablethem: ciscoasa(config)#[no]cryptoisakmpenablelogical_if_name
NOTE YouneedatleastaDESencryptionkeytosetupVPNsonyourappliance.
ISAKMPIdentity TheISAKMPidentitytypeisusedwithIPSecL2Lsessionsanddefineshowyouwill refertoremotepeers:basedontheirIPaddressortheirname.Theidentitytypeiscontrolledbythecryptoisakmpidentitycommand: ciscoasa(config)#cryptoisakmpidentity{address|hostname| keystring|auto}
TheconfigurationofthiscommandwillaffectthesyntaxofotherIPSeccommandson theappliance.Bydefaulttheidentitytypeisaddressforpeers,whichistheIPaddress of the peers. The hostname parameter specifies that the fully qualified domain name will be used to identify remote peers. The key parameter specifies a custom string valuetouniquelyidentifypeers.TheautoparameterspecifiesthatIPaddressesidentify peersthatusepre-sharedkeysforauthenticationandthatfullyqualifieddomainnames identifypeersthatusedigitalcertificates.
Phase1Modes:AggressiveandMain ISAKMPandIKEgothroughtwophasesinsettingupanIPSecsession.DuringPhase1, themanagementconnectionisbuilt.Twomodescanbeusedtoestablishthemanagementconnection:aggressiveandmain.Aggressivemodeisfasterinthesetupprocess, butlesssecure;mainmodeisslower,butmoresecure.Theauthenticationmethodchosenwilldependonthemodeused.Bydefaultaggressivemodeisusedwhenpre-shared keys are configured for authentication, and main mode is used when certificates are configured.Thefollowingcommanddisablesaggressivemodeandforcestheappliance tousemainmodeforthePhase1connection: ciscoasa(config)#cryptoisakmpam-disable
DisconnectNotice WhentearingdownIPSectunnels,youcanhavetheappliancesendadisconnectnotificationwiththefollowingcommand: ciscoasa(config)#cryptoisakmpdisconnect-notify
Chapter 15:
IPSec Phase 1
ISAKMPPolicies Phase1policiesdefinehowthemanagementconnectioncanbeprotected.DuringPhase1, thepoliciesaresharedbetweenthetwopeers,whereamatchingpolicymustbefoundin orderforthetwopeerstocontinuebuildingthemanagementconnection.Thenegotiated policiesarethenusedtosecurethemanagementconnection. The configuration of a Phase 1 policy on the appliance is the same as on an IOS router: ciscoasa(config)#cryptoisakmppolicypolicy_number ciscoasa(config-isakmp-policy)#authentication{pre-share|rsa-sig| crack} ciscoasa(config-isakmp-policy)#encryption{3des|aes|aes-192| aes-256|des} ciscoasa(config-isakmp-policy)#group{1|2|5|7} ciscoasa(config-isakmp-policy)#hash{md5|sha} ciscoasa(config-isakmp-policy)#lifetime{seconds|none}
Whensettingupapolicy,ifyoudon’tspecifyacommandinthepolicy,theappliancewill useadefault:pre-sharedkeysforauthentication,3DESforencryption,Diffie-Hellman (DH)group2keys,SHAHMACfunction,andalifetimeofoneday(86,400seconds). Thepolicynumberranksthepoliciesontheappliance:youmightneedmorethan one policy if you have different peers with different capabilities. The policy with the lowestnumber(1)isthehighest-prioritypolicy,andthepolicywiththehighestnumber (65,535) is the lowest-priority policy. You can choose from three authentication methods:pre-sharedkeys,certificates(RSAsignatures),andtheChallenge/ResponseforAuthenticatedCryptographicKeys(CRACK).CRACKiscommonlyusedwithmobileand smartphonedevices.IfyouwillbeusingDHgroup5,youmustuseAESasanencryptionalgorithm.The lifetimecommandspecifieshowlongtheparametersshouldbe usedforthenegotiatedmanagementconnectionbeforeeithertheyshouldbechangedor themanagementconnectiontorndown;ifyouspecifynoneforthelifetime,themanagementconnectionwillnevertimeout,andthuswon’tberekeyed.ToviewyourISAKMP policies,usetheshowruncryptoisakmppolicycommand.
NATTraversalandIPSecoverTCP Themanagementconnection,whichisprotectedbythenegotiatedpolicy,isencapsulatedinUDPandsenttoport500.ThetwodataconnectionsinPhase2useESPand/or AH to encapsulate the data for users. These latter protocols, however, pose problems whengoingthroughaddresstranslationorstatefulfirewalldevices.
AHandESPIssues Whengoingthroughanaddresstranslationdevice,AHbreaks,sincetheinputforthe digitalsignatureitcreatesincludesthesourceanddestinationIPaddressesintheouter IPheader.Ontopofthis,AHisalayer3protocolandthuslacksportsneededwhenPAT
375
376
Cisco ASA Configuration
isperformed.Therefore,AHisunsupportedwhengoingthroughanytypeofaddress translation.Also, I know of no stateful firewall that supportsAH—for example, with Ciscoappliances,youmustuseanACLtoallowreturningAHtraffic. ESPalsosupportsdigitalsignatures,butexcludestheouterIPheaderwhengeneratingitsdigitalsignature;therefore,ESPdoesn’tbreakwhenNATisperformed.However, likeAH,ESPisalsoalayer3protocolandthusisnotsupportedbyPATormoststateful firewallproducts.Thefollowingtwosectionsdiscusstwosolutionstothisproblemfor ESP—therearenosolutionsforAH. TIP If the management and data connections are established, but data can’t be successfully transmitted between the two peers, a translation or stateful firewall device might be causing the problem. Remember that during Phase 2, even though the data connection parameters can be successfullynegotiated,thisdoesnotmeanthatthedevicescansuccessfullytransmitdataacross theseconnections.
NATTraversal NAT Traversal, sometimes called NAT Transparency (or NAT-T for short), is an IPSec standardthatinsertsaUDPheaderbetweentheouterIPheaderandtheESPheader.The destinationportforNAT-Tis4500.IntelligenceisusedwithNAT-T:adiscoveryphase takesplaceduringPhase1todetermineifthetwopeerssupportNAT-T,andiftheydo supportit,whetherinsertingaUDPheaderisnecessaryforthedataconnectionstobe successfulinprotectingandtransmittingdata.Thisisadynamicprocess:ifinsertinga UDPheaderisneeded,thenitisdone;ifitisunneeded,thenitisnotinserted(inserting aUDPaddsanadditional8bytesofoverhead). NAT-Tisgloballyenabledbydefault.Oneofitsfeaturesisthatkeepalivesaresent acrossthedataconnectionstoensurethataddresstranslationorstatefulfirewalldevices don’tremoveanyidledataconnections.Thedefaultidleperiodis20seconds.Tochange thekeepalivetimerinterval,usethefollowingcommand: ciscoasa(config)#cryptoisakmpnat-traversal[seconds]
Theperiodcanrangefrom10to3600seconds.
IPSecoverTCP TherearetwoproblemswithNAT-T,however:
▼ I tusesUDP,whichtypicallyhasamuchsmalleridletimeoutthanTCP connectionsfortranslationandstatefulfirewalldevices.
▲ Y ouareforcedintousingdestinationUDPport4500(itcannotbechanged), whichmightbefilteredbyanintermediatedevice.
Ciscocreatedaproprietaryencapsulationmethod,calledIPSecoverTCP,toovercomethesetwoproblems.WithIPSecoverTCP,aTCPheaderisinsertedbetweenthe
Chapter 15:
IPSec Phase 1
outerIPheaderandtheESPheader.IPSecoverTCPisdisabled,butcanbeenabledwith thefollowingcommand: ciscoasa(config)#cryptoisakmpipsec-over-tcp{[portprt_#]…[prt_#]}
OneadvantagethatIPSecoverTCPhasoverNAT-Tisthatyoucancontrolwhatportor ports(upto10)canbeused;bydefaultport10000isused. NOTE There are two problems with IPSec over TCP: it is Cisco-proprietary, which means the endpointsmustbeCiscodevices,andIPSecoverTCPinsertsa20-byteheader,almostthreetimes asmuchasNAT-Tinserts.Also,NAT-TandIPSecoverTCParecommonlyusedforremoteaccess connections,whereintermediatefirewallsandtranslationdevicesaremorelikelytobeencountered.
VPNTrafficandACLs The following two sections will discuss how to deal with IPSec traffic flowing to or throughtheappliance.
IPSecSessionsTerminatedontheAppliance IfyourappliancehasIPSecsessionsterminatedonit,youhavetwooptionstoallowthe traffictoflowfromalower-tohigher-levelinterface:
▼ A CLs
▲ A CLbypassfeature
Forthefirstoption,you’llneedtoaddACLstatementsforthedecryptedIPSectraffic ontheexternalinterfaceACL:oncethetrafficisdecrypted,itispassedthroughtheexternalinterfaceACLandmustmatchapermitstatement,oritisdropped. ThesecondoptionexemptsthedecryptedVPNtrafficfrombeingprocessedbythe externalinterfaceACL,assumingthattheVPNsessionisterminatedontheappliance. ToconfiguretheACLbypassfeature,usethiscommand: ciscoasa(config)#sysoptconnectionpermit-vpn
The problem with this command is that any traffic coming out of the VPN tunnel is permitted;asyouwillseeinsubsequentchapters,youcancontrolwhichtrafficusesthe VPNtunnel.
IPSecSessionsTerminatedBehindtheAppliance IfIPSecsessionsareterminatedondevicesbehindtheappliance,you’llneedACLentries onyourexternalinterfacetoallowthemanagementanddataconnectionsthroughthe appliancetotheinternalIPSecendpoint: ciscoasa(config)#access-listACL_IDpermitudpsrc_IPsrc_mask dst_IPdst_maskeqisakmp
377
378
Cisco ASA Configuration ciscoasa(config)#access-listACL_IDpermitespsrc_IPsrc_mask dst_IPdst_mask ciscoasa(config)#access-listACL_IDpermitudpsrc_IPsrc_mask dst_IPdst_maskeqnon-isakmp ciscoasa(config)#access-listACL_IDpermittcpsrc_IPsrc_mask dst_IPdst_maskeqIPSec_over_TCP_port
Thefirstcommandallowsthemanagementconnection.Thefollowingthreeconnections allowthedataconnections:thesecondallowstheESPprotocol,thethirdallowsNAT-T, andthefourthallowsIPSecoverTCP.You’llneedtoconfiguretheentriesappropriatefor yournetworkanditsconfiguration.
TUNNELGROUPS Tunnelgroupswereintroducedinversion7oftheapplianceandareuniquetoCisco appliances—Cisco routers and concentrators don’t support this type of functionality. TunnelgroupsareusedtoidentifyinformationthatshouldbeusedforaparticularVPN typeandpeer,likeanIPSecL2LconnectionoranIPSecorWebVPNremoteaccessgroup ofusers. Tunnelgroupshavetwobasicattributes:
▼ G eneral
▲ V PN-specific
Generalattributesarenon-VPN-specificandcanspecifythingsliketheAAAserverstouse,wherethepoliciesarestored(localtotheapplianceoronanAAAserver), where to find the usernames and passwords to authenticate remote access users, and other information. VPN-specific attributes define properties for the tunnel group that arespecifictoaparticularVPNtype,likeapre-sharedkeyordigitalcertificatetousefor anIPSecL2Lconnection,theuseofDeadPeerDetection(DPD)forIPSecconnections,or whatthehomepagelookslikeforclientlessWebVPNsessions. Thefollowingsectionswillintroduceyoutotunnelgroups:howtocreatethem,and howgeneralandVPN-specificpropertiesareassociatedwithtunnelgroups.Subsequent chaptersinPartIVwilldiscusstunnelgroupsinmuchmoredepth,coveringthecommandsandparametersthatapplytoaparticularVPNtype.
TunnelGroupCreation A tunnel group, as I mentioned in the last section, represents a particular IPSec L2L connection or a remote access group. To create a tunnel group, use the following command: ciscoasa(config)#tunnel-grouptunnel_group_IDtypevpn_type
Chapter 15:
IPSec Phase 1
The tunnel_group_ID uniquely identifies the tunnel group. For example, if the identityforL2Lconnectionswere“address,”thenthetunnelgroupIDwouldbetheIP addressofthepeer;iftheidentitytypewere“hostname,”thenthegroupIDwouldbe thefullyqualifieddomainnameofthepeer.ForIPSecandWebVPNremoteaccessusers,thetunnelgroupIDrepresentsthenameofthegroup,like“sales”,“engineers”,or “programmers”. FollowingthetunnelgroupIDisthetypeofVPNthatrepresentsthegroup.Inversion8,youcanspecifyonlytwoparameters:
▼ i psec-l2l The“l2l”partisreally“L-2-L,”not“one-two-one”:this representsIPSecsite-to-siteorL2Lconnections.
▲ remote-access ThisrepresentsIPSecandWebVPNremoteaccessuser groupings. NOTE In prior appliance versions, instead of remote-access, you had ipsec-ra and webvpn-ra,wherethesetwoVPNtypeswererepresentedbydifferentgroups.Inversion8,these arenolongersupported(they’vebeendeprecated):bothtypesarerepresentedbythe remoteaccesstype.
GeneralTunnelGroupAttributes AsImentionedpreviouslyintheintroductiontotunnelgroupssection,generaltunnel group attributes are parameters associated with a tunnel group that have no bearing onthetypeofVPNthatisbeingused.Forexample,ifyouhadaremoteaccesstunnel groupcalled“engineers,”generalpropertiesforthegroupwouldincludewhetheran AAAserverwasused,wheretheuseraccountswerelocatedforuserauthentication,and wheretheVPN-specificattributesofthegroupwerefound. Onceyou’vecreatedyourtunnelgroup,youcanassignthegeneralattributestothe tunnelgroupwiththefollowingconfiguration: ciscoasa(config)#tunnel-grouptunnel_group_IDgeneral-attributes ciscoasa(config-tunnel-general)#? group_policyconfigurationcommands: accounting-server-groupEnternameoftheaccountingserver group address-poolEnteralistofaddresspoolstoassign addressesfrom annotationSpecifyannotationtext-tobeusedby ASDMonly authentication-server-groupEnternameoftheauthenticationserver group authorization-dn-attributesTheDNofthepeercertificateusedas usernameforauthorization
379
380
Cisco ASA Configuration authorization-requiredRequireuserstoauthorizesuccessfully inordertoconnect authorization-server-groupEnternameoftheauthorizationserver group default-group-policyEnternameofthedefaultgrouppolicy dhcp-serverEnterIPaddressornameoftheDHCP server exitExitfromtunnel-groupgeneralattribute configurationmode helpHelpfortunnelgroupconfiguration commands ipv6-address-poolEnteralistofIPv6addresspoolsto assignaddressesfrom noRemoveanattributevaluepair override-account-disableOverrideaccountdisabledfromAAA server password-managementEnablepasswordmanagement strip-groupEnablestrip-groupprocessing strip-realmEnablestrip-realmprocessing
Noticethatyouaretakenintoasubcommandmodewhereyoucanconfigureyourgeneralattributes.I’llbediscussingtheseattributesinsubsequentchaptersofPartIV.
VPN-SpecificTunnelGroupAttributes Onceyou’vecreatedyourtunnelgroup,toassociateVPN-specificattributestoit,usethe followingcommand: ciscoasa(config)#tunnel-grouptunnel_group_ID {ipsec-attributes|webvpn-attributes} ciscoasa(config-tunnel-{ipsec|webvpn})#
Youhavetwooptionsforthetypeofattributes,dependingonthetypeoftunnelgroup: IPSecattributesorWebVPNattributes.You’llbetakenintoasubcommandmodewhere youcanspecifytheVPN-specificattributes.I’llbediscussingtheseattributesinsubsequentchaptersofPartIV.
CERTIFICATEAUTHORITIES CertificatesarethemostscalablesolutiontoperformdeviceauthenticationwithVPNs. Certificatesmustbecreatedbyaneutralthird-party,calledacertificateauthority(CA). TheappliancessupportmanyCAs,includingRSA,VeriSign,Netscape,Baltimore,Microsoft,Entrust,CiscoIOSrouters,andthesecurityappliancesthemselves(notdiscussed inthisbook).Theremainderofthischapterwillintroducetheuseofcertificates,howto obtaincertificatesforappliances,andhowtousecertificatestoauthenticatedevicesfor IPSecsessions.
Chapter 15:
IPSec Phase 1
IntroducingCertificates Therearetwotypesofcertificates:rootandidentity.Everydeviceparticipatinginthe certificate process must have a certificate, including the CA itself. The certificate for the CA is called a root certificate, and certificates for other devices are called identity certificates. Obtaining an identity certificate can be done either out-of-band using the file-basedapproachorin-bandusingtheSimpleCertificateEnrollmentProtocol(SCEP), whichusesHTTP. To use certificates, the peers must have an ISAKMP Phase 1 policy that supports certificates(RSAsignatures).Duringauthentication,twoitemsarechecked,andathird isoptional.Forthetworequireditems,thepeersvalidatethedigitalsignatureonthecertificateandthenmakesurethecertificatehasn’texpired.Withthethirditem,anoption existsforcheckingifapeercertificatehasbeenrevoked:theuseofCertificateRevocation Lists(CRLs)orOnlineCertificateStatusProtocol(OCSP)issupported.ACRLcontains alistofallthecertificatesthathavebeenrevoked.CRLscanbedownloadedwhenthey areneeded,whichcanbebandwidth-intensiveandintroducedelayintheVPNsetup process,ortheycanbedownloadedperiodicallyandcached,whichcancreateproblems ofnothavingthemostup-to-datelistwhenauthenticatingapeer.OCSP,ontheother hand,hasthedeviceperformaquery,withtheremotepeerserialnumberontheidentity certificate,totheOCSPserverinordertodetermineifthecertificatehasbeenrevoked. UsingOCSPisthepreferredmethod.
ObtainingCertificates ThefollowingsectionswilldiscusshowtoobtaintherootcertificateoftheCAandhow togeneratethecertificateinformation,definedbythePublicKeyCryptographyStandards(PKCS)#10standard,whichtheCAneedstocreateanidentitycertificateforthe appliance.
IdentityInformationontheCertificate When generating your PKCS #10 certificate information, by default the appliance associatesacommonname(CN)oftheappliancehostnameanddomainnameconfigured ontheappliance.Youcanoverridethisbehaviorandassignyourownkeylabelwhen generatingthekeypair,asyou’llseeinthe“BasicTrustpointConfiguration”section. Toassignanameanddomainnametoyourappliance,usethefollowingconfiguration: ciscoasa(config)#hostnamename_of_your_appliance ciscoasa(config)#domain-nameyour_appliance’s_domain_name
ThesecommandswerediscussedinChapter3.
KeyPairs CiscosupportsboththeRSAandDSAalgorithmsforgeneratingpublic/privatekeys; theseareusedtosignthePKCS#10information.DSAisquickeringeneratingitskeys, butislesssecure;andnotallCAproductssupportDSA.Becauseoftheselimitations,this bookonlyfocusesontheuseofRSAkeys.
381
382
Cisco ASA Configuration
GeneratingRSAkeyswasdiscussedinChapter3;however,thenIdidn’tdiscussall theoptionsavailablewiththecommand.Here’sthefullsyntaxofthecommand: ciscoasa(config)#cryptokeygeneratersa[usage-keys|general-keys] [labelkey_pair_label][moduluskey_size] [noconfirm]
The usage-keys parameter generates two sets of keys, while the general-keys parameter generates one key pair; the default is general-keys if you omit it, which is whatyouneedforcertificatepurposes.Useusage-keysifyouneedtwoidentitycertificatesfromthesameCA,whichisuncommon.Ifyoudon’tspecifyalabelforthekeypair, itdefaultsto“Default-RSA-Key.”Ifyoudon’tspecifyamodulus(thesizeofthekeys, inbits),itdefaultsto1024:othervalidsizesinclude512,768,and2048.Thenoconfirm parameter,whenconfigured,willexecutethecommandwithoutanyinteractiononyour part—thedefaultistopromptyouforverification.Usethe showcryptokeymypub keycommandtoviewthepublickeysonyourappliance. TIP YoumightwantmorethanoneRSAkeypair.SSHusesthedefaultkeypairlabel;butyoumight wanttouseadifferentkeypair(withadifferentmodulus)forcertificates. Here’sanexampleofgeneratinganRSAkeypair: ciscoasa(config)#cryptokeygeneratersalabelmykeys INFO:Thenameforthekeyswillbe:mykeys Keypairgenerationprocess ciscoasa(config)#
Inthisexample,akeypairlabelof“mykeys”isusedtonamethekeypair. NOTE IftheRSAkeypairalreadyexists,youarepromptedtooverwritetheexistingkeypair.Also,to deleteanRSAkeypair,usethecryptokeyzeroizersa[labelkey_pair_label] command.
DateandTime Itemsvalidatedonthecertificatearetwodates:whenthecertificatebecomesvalidand whenitisnolongervalid.Thedevicewillcompareitslocaldateandtimewiththedates andtimesthatappearonthecertificate,ensuringthatthedevicetimefallsbetweenthe twoperiods.Youcanhard-codethedateandtimeontheappliancewiththeclockset command: ciscoasa#clocksethh:mm:ss{monthday|daymonth}year
ThisisthesamecommandusedonCiscoIOSdevices.
Chapter 15:
IPSec Phase 1
NOTE IrecommendusingNTPtosynchronizethetimeonyourdevices.Theappliancessupport NTP,whichIdiscussinChapter26.
BasicTrustpointConfiguration TheCA,commonlycalledatrustpoint,configurationontheappliancedefinesthepropertiesusedtointeractwithaCAaswellastoobtaincertificates—rootandidentity.You mustconfigurethetrustpointpropertiesontheappliancebeforeyoucanobtainthetwo certificates.Thissectionwilldiscusssomebasictrustpointconfigurationcommands,and subsequentsectionswillcoverhowtoobtaincertificatesandCRLs(CertificateRevocationLists). Herearethebasictrustpointconfigurationcommands: ciscoasa(config)#cryptocatrustpointtrustpoint_name ciscoasa(config-ca-trustpoint)#subject-nameX.500_info ciscoasa(config-ca-trustpoint)#emailemail_address ciscoasa(config-ca-trustpoint)#fqdnfully_qualified_domain_name ciscoasa(config-ca-trustpoint)#ip-addressIP_address ciscoasa(config-ca-trustpoint)#serial-number ciscoasa(config-ca-trustpoint)#keypairkey_pair_label ciscoasa(config-ca-trustpoint)#keysize{512|768|1024|2048} ciscoasa(config-ca-trustpoint)#id-usagessl-ipsec ciscoasa(config-ca-trustpoint)#client-types{ipsec|ssl} ciscoasa(config-ca-trustpoint)#accept-subordinates
Settingupatrustpointissimilartohowit’sdoneonaCiscoIOSrouter.First,you specifythenameofthetrustpoint,whichtakesyouintoasubcommandmode.Thename oftheCAisalocallysignificantnameanddoesn’thavetomatchtheactualnameofthe serverunlessspecifiedbytheadministratoroftheCA. NOTE WithCiscoIOSroutersandMicrosoftserversasCAs,I’veneverhadtomatchupthenames oftheserverswiththenameinthecryptcatrustpointcommand. OptionallyyoucanspecifytheX.500informationthatwillappearontherequested X.509v3 identity certificate with the subject-name command. If you don’t configure thisvalue,thecommonname(CN)defaultstothefullyqualifieddomainname(FQDN) oftheappliance.Ifyouwanttochangeit,youhavetoknowthefieldvaluestousefor thecertificateinformation.Here’sanexample: ciscoasa(config-ca-trustpoint)#subject-name cn=asa1.cisco.com,ou=mydepartment,o=cisco
Inthisexample,theidentitynameonthecertificateis“asa1.cisco.com”,theorganizationalunit(OU)ordepartmentvalueis“mydepartment”,andtheorganizationalvalue (O)is“cisco”.
383
384
Cisco ASA Configuration
OptionallyyoucanhavetheCAincludeane-mailaddressintheSubjectAlternative Name(SAN)extensionfieldofthecertificatewiththe emailcommand;however,this isnotrequired.Insteadofane-mailaddress,youcanincludeanFQDNofyourchoice intheSANfieldwiththe fqdncommand.ThelasttwooptionsyouhaveforinformationthatappearsonthecertificatearetoincludeanIPaddress(associatedwiththeappliance)withthe ip-addresscommandand/ortheapplianceserialnumberwiththe serial-numbercommand. Thekey-paircommandspecifieseitheranexistingkey-pairlabeltouseorthename ofonethatwillbecreated.The key-sizecommandspecifiesthelengthofthekeysto createwhentheydon’texist.Thesetwocommands,whenusedtogether,willgeneratea newkeypairwhenobtaininganidentitycertificateversususinganexistingkeypairon theappliance. The id-usage command specifies how the identity certificate associated with the trustpointcanbeused.Withthessl-ipsecparameter,theidentitycertificatecanbeused forSSLVPNandIPSecVPNauthenticationwhentheapplianceisactingastheserver/ gateway,whichisthedefaultbehavior.Youcandisablethisbyprefacingthecommand withthe noparameter.The client-typecommandcontrolswhattypeofVPNremote clientsthecertificatecanbeusedfor.Thereisnodefaultvalue. The accept-subordinates command specifies whether subordinate CA certificates(inaCAhierarchicalimplementation)areacceptedbyapeerduringISAKMP/IKE Phase1authenticationwhenthelocalappliancecurrentlydoesn’thavethesecertificates installed.Thedefaultisthatthiscommandisenabled. NOTE Allofthecommandsdiscussedinthissectionareoptional.
NetworkEnrollment:SCEP There are two methods to obtain the CA (root) certificate and the appliance identity certificate:
▼ N etworkenrollmentusingtheSimpleCertificateEnrollmentProtocol(SCEP)
▲ F ileenrollmentusinganout-of-bandapproach
Thissectionwilldiscusstheformer,andthenextsectionwilldiscussthelatter. NOTE Network enrollment is most commonly used in environments where you are setting up yourownCA.SCEPusesHTTPtoaccesscertificateinformationontheCA.Fileenrollmentismost commonlyusedinenvironmentswhereyouareeitherusingapublicCA,likeVeriSign,oranexternal CAfromadifferentcompany.Ofthetwo,Imuchprefertheformer,sincenetworkenrollmentiseasier andmuchquickeratdeployingcertificatesonalargernumberofdevices.
Chapter 15:
IPSec Phase 1
Configuring SCEP Enrollment Parameters To configure network enrollment using SCEP, thefollowingcommands(andpossiblythecommandsdiscussedinthelastsection)are used: ciscoasa(config)#cryptocatrustpointtrustpoint_name ciscoasa(config-ca-trustpoint)#enrollmenturlURL ciscoasa(config-ca-trustpoint)#passwordchallenge_password ciscoasa(config-ca-trustpoint)#enrollmentretrycount#_of_attempts ciscoasa(config-ca-trustpoint)#enrollmentretryperiod#_of_minutes
Youhavetofirstdefinethenameofthetrustpoint,whichwasdiscussedinthelast section. This takes you into the trustpoint subcommand mode.You then specify how you’llobtainacertificate:theenrollmenturlcommandspecifiestheuseofSCEP.The URLisHTTP-based,andtheactualsyntaxdependsontheCAproductyou’llinterface with.Here’sanexampleusingaMicrosoftCA: ciscoasa(config)#cryptocatrustpointcaserver ciscoasa(config-ca-trustpoint)#enrollmenturl http://172.26.26.151:80/certsrv/mscep/mscep.dll
NOTE WhenusingaCiscoIOSrouterasaCA,yourlocalASAneedstousethisURL:http:// IP_address_of_Cisco_IOS_router.
Thepasswordcommandspecifiesthechallengepasswordtouseduringthecertificaterequestprocess.Thepasswordishashedwiththecertificateinformation,whichis validatedbytheCAusingthesamepassword.Ifyouareusingchallengepasswords, whichIhighlyrecommend,theCAadministratorwillhavetocreateoneforyou.Dependingontheadministrator’ssetupoftheCA,thepasswordmightbetime-sensitive (onlyvalidforaspecificamountoftime). The enrollmentretrycountspecifiesamaximumnumberofpermittedretries for SCEP enrollment before giving up. The enrollment retry period command specifiesaretryperiod,inminutes,betweenSCEPenrollmentrequestswhentheCAis unreachable. NOTE Of the four trustpoint commands just listed, only the enrollment url command is requiredforSCEP. ObtainingCertificatesUsingSCEP OnceyouhavespecifiedyourCAandyourenrollment command(s),youneedtofirstdownloadtheCArootcertificateandvalidateitwiththe cryptocaauthenticatecommand: ciscoasa(config)#cryptocaauthenticatetrustpoint_name
385
386
Cisco ASA Configuration
WhenyougetthefingerprintbackfromtheCAontherootcertificate—thisistheselfsignedsignaturetheCAplacedonitsowncertificate—verifythefingerprintbycalling theCAadministratorandmanuallycomparingthetwovalues.Thisistheonlypartof thecertificateprocessthatissusceptibletoaman-in-the-middleattack. Here’sanexampleofobtainingtheCArootcertificate: ciscoasa(config)#cryptocaauthenticatecaserver INFO:Certificatehasthefollowingattributes: Fingerprint:3736ffc2243ecf050c40f2fa26820675 Doyouacceptthiscertificate?[yes/no]:yes Trustpoint'caserver'isasubordinateCAandholdsanonselfsigned cert. TrustpointCAcertificateaccepted.
Makesureyouvalidatethefingerprint/signaturethatisontherootcertificate,sincethis certificateisusedtovalidateanyothercertificateassociatedwiththisCA. Onceyouhavetherootcertificate,youcanobtainyouridentitycertificatewiththe followingcommand: ciscoasa(config)#cryptocaenrolltrustpoint_name ciscoasa(config)#cryptocaenrollcaserver %Startcertificateenrollment.. %Createachallengepassword.Youwillneedtoverballyprovidethis %passwordtotheCAAdministratorinordertorevokeyourcertificate. %Forsecurityreasonsyourpasswordwillnotbesavedinthe %configuration. %Pleasemakeanoteofit. Password:abc123 Re-enterpassword:abc123 %Thesubjectnameinthecertificatewillbe:asa.example.com %Thefully-qualifieddomainnameinthecertificatewillbe: securityappliance.example.com %Includethedeviceserialnumberinthesubjectname?[yes/no]:no RequestcertificatefromCA[yes/no]:yes %CertificaterequestsenttoCertificateauthority. ThecertificatehasbeengrantedbyCA!
Asyoucanseeintheprecedingexample,youarepromptedforachallengepassword— youmustentersomethinghereeveniftheCAisnotusingchallengepasswords.You havetheoptionofincludingtheserialnumberoftheapplianceonthecertificate,and thentheappliancerequeststhecertificate.
Chapter 15:
IPSec Phase 1
FileEnrollment:Manual Once you have configured the basic trustpoint commands from the “Basic Trustpoint Configuration”section,youcanusetheenrollmentterminalcommandinthetrustpointsubcommandmodetoenablethefile-basedapproachtoobtaincertificates: ciscoasa(config)#cryptocatrustpointtrustpoint_name ciscoasa(config-ca-trustpoint)#enrollmentterminal
Theenrollmentterminalcommandenablesfile-basedenrollment. Onceyouhaveconfiguredthetrustpoint,youcanthengenerateyourPKCS#10certificateinformationfortheCAwiththecryptocaenrollcommand,discussedinthe lastsection.Here’sanexample: ciscoasa(config)#cryptocaenrollcaserver %Startcertificateenrollment.. %Thefully-qualifieddomainnameinthecertificatewillbe:asa5505-1 %Includethedeviceserialnumberinthesubjectname?[yes/no]:no DisplayCertificateRequesttoterminal?[yes/no]:yes CertificateRequestfollows: MIIBjTCB9wIBADAaMRgwFgYJKoZIhvcNAQkCFglhc2E1NTA1LTEwgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBAK04Czj3ZY9GJ1o4m5wDWdYwvGOSbrlgRp782k8H ---End-Thislinenotpartofthecertificaterequest--- Redisplayenrollmentrequest?[yes/no]:no
Makesurethecertificateinformationbetweenthe“CertificateRequestfollows” and“--End-Thisline”linesisincluded—copyandpastethisintoafile,andgive thefiletotheCAadministrator. TheCAadministratorwillthenusethisinformationtocreateanidentitycertificate fortheappliance.Theadministratorwillthensendbacktwofiles:onecontainstheroot certificate,andonecontainstheidentitycertificate.You’llneedtoloadtheseontothe applianceinthelistedorder. Use the crypto ca authenticate command to import the CA root certificate. Here’sanexample: ciscoasa(config)#cryptocaauthenticatecaserver Enterthebase64encodedCAcertificate. Endwithablanklineortheword"quit"onalinebyitself interface[number] monitor>addressPIX's_IP_address monitor>gatewayrouter's_IP_address monitor>server[IP_address_of_TFTP_server]
Chapter 26:
Basic Management from the CLI
monitor>fileBIN_file_name monitor>pingIP_address monitor>tftp
TheinterfacecommandsetstheinterfacewheretheTFTPserveris.Enterthenumber, notthenameoftheinterface:forethernet1,thiswouldbe1.Thisdefaultstotheoutside interfaceifomitted,whichis0.The addresscommandsetstheIPaddressofthePIX selected interface. Note that you don’t configure a subnet mask value. The gateway commandspecifiesthedefaultgatewayaddress—thisisonlyneedediftheTFTPserver isnotonthesamesegmentasthePIXselectedinterface.Theservercommanddefines theIPaddressoftheTFTPserver—ifyouomitthis,itdefaultsto255.255.255.255.The filecommanddefinesthenameoftheBINfileontheTFTPserverthatwillbeused forthepasswordrecoveryprocedure.Optionallyyoucanusethepingcommandtotest connectivity.Onceyou’vedefinedtheconnectivityparameters,executingthetftpcommandstartsthedownloadoftheBINfileandthepasswordrecoveryprocess. NOTE IfyouhaveaPIX535,yourTFTPservercannotbelocatedoffaFastEthernetportina64-bit slotsincemonitormodedoesn’trecognizethecardsintheseslots.
ExecutingthePasswordRecoveryFile Afteryouperformthemonitormodeconfiguration,executingthe tftpcommandwill performtheTFTPdownloadoftheBINfile,executeit,anderasetheauthenticationinformationusedforpasswordchecking.ThepasswordrecoveryprocessonthePIXserases thePrivilegeEXECenablepasswordcommandandanyaaaauthenticationcommands:you’llneedtoreconfiguretheseoncetheappliancebootsup.Duringthepassword recoveryprocesstheappliancewilldisplaythe aaacommandsthatitwillerase...copy thesedownsothatitwillbeeasytoreconfigurethemuponrebooting.Therestofthe configurationwillbeexecutedwhenthePIXbootsup.
ExamplePIXPasswordRecovery Here’sanexampleofconfiguringaPIXtoobtaintheBINfilefromitsethernet1(inside) interface: monitor>interface1 monitor>address10.0.1.1 monitor>server10.0.1.11 monitor>filenp70.bin monitor>tftp Doyouwishtoerasethepasswords?[yn]y Passwordshavebeenerased. Rebooting...
637
638
Cisco ASA Configuration
PerformingtheASAPasswordRecoveryProcess TheASApasswordrecoveryprocessisbasicallythesameasthatusedonCiscoIOSdevices:fromROMMONmode,youchangetheconfigurationregistersothattheASAbootsup withoutitsconfigurationfile,therebybypassinganypasswordchecks.AswiththepasswordrecoveryonthePIXs,youneedconsoleaccesstoperformtherecoveryprocess.
ChangingtheConfigurationRegisterontheASA Useeitherthe BREAKorthe ESCkeystrokesequencewhentheASAisbootingupwhen prompted for accessing ROMMON mode. You have 10 seconds to do this when prompted. AttheROMMONmodeprompt,usethe confregcommandtochangethedefault bootupprocess: rommon>confreg[config_register]
ThisisthesamecommandusedbyIOSdevices.Withoutanyparameters,youareled through a script that asks you questions about the bootup process: when you get the question“disablesystemconfiguration?”answer ytoperformthepasswordrecovery process.Here’sanexampleofrunningthescript: rommon>confreg CurrentConfigurationRegister:0x00000001 ConfigurationSummary: bootdefaultimagefromFlash Doyouwishtochangethisconfiguration?y/n[n]:y enableboottoROMMONprompt?y/n[n]: enableTFTPnetboot?y/n[n]: enableFlashboot?y/n[n]:y selectspecificFlashimageindex?y/n[n]: disablesystemconfiguration?y/n[n]:y gotoROMMONpromptifnetbootfails?y/n[n]: enablepassingNVRAMfilespecsinauto-bootmode?y/n[n]: disabledisplayofBREAKorESCkeypromptduringauto-boot?y/n[n]: CurrentConfigurationRegister:0x00000041 ConfigurationSummary: bootdefaultimagefromFlash ignoresystemconfiguration UpdateConfigRegister(0x41)inNVRAM... rommon>boot
Attheendofthescript,usethebootcommandtoboottheapplianceintoitsOS. Insteadofansweringquestionsaskedbythescript,youcanspecifytheconfiguration registervaluewiththeconfregcommand,likethis: rommon>confreg0x41
Chapter 26:
Basic Management from the CLI
Thedefaultconfigurationregistervalueis0x1;settingitto0x41causestheASAtoboot upinanormalfashion,butdoesn’tloadthestartup-configfileinflash.Notethatthe configurationregistervaluesthattheASAsusearedifferentfromIOSdevices.
AftertheASAPasswordRecoveryProcess RememberthatonceyouhavebooteduptheASA,noconfigurationhasbeenloaded.To fixyourpasswordproblem,performthefollowing:
1. EnterPrivilegemode—there’snoconfigurationloaded,andthusnopassword.
2. Executethecopystartup-configrunning-configcommand.
3. Reconfiguretheenablepasswordcommand.
4. Changetheconfigurationregisterbackto0x1:config-register0x1.
5. Re-enablethedatainterfaceswiththenoshutdowncommand.
6. Saveyourconfiguration:writememory.
AAA AAAwasintroducedinChapter8whenIdiscussedCut-throughProxy(CTP).Asabrief overview,thethreeAsin“AAA”standforauthentication,authorization,andaccounting.Authenticationspecifieswhocanaccessadevice;authorizationdefineswhatauser is allowed to do once the user is authenticated; and accounting keeps track of when someonedoessomethingandwhattheydo.FortheapplianceandAAA,theappliance supportsbothTACACS+andRADIUSforexternalauthentication,aswellasusingalocalauthenticationdatabaseontheapplianceitself. ThissectionwillfocusonusingAAAtolockdownadministrativeaccesstotheapplianceitself.Authenticationcontrolsanadministrator’sinitialaccess,includingthetypeof access,likeconsoleorSSH.Authorizationcontrolswhattheadministratorscandoonce theyareloggedin(thecommandstheycanexecute).Accountingcankeeparecordofwho loggedin,howlongtheywereloggedin,andwhatcommandstheyexecuted.Ofthethree As,onlyauthenticationisrequired:authorizationand/oraccountingareoptional.
RestrictingCLIAccess Controllingaccesstotheapplianceitselfisreferredtoasconsoleauthentication.Theterm “console”isverymisleading,sincethisreferstoaccesstotheappliance,whichincludes theseaccessmethods:
▼ S erial Consoleandauxiliaryports
■ telnet
■ SSH
■ HTTP ASDMandCSM
▲ E nable PrivilegeEXECmode
639
640
Cisco ASA Configuration
Tocontrolaccesstotheapplianceitselfbypromptinganadministratorwithausernameandpassword,usethefollowingcommand: ciscoasa(config)#aaaauthentication{serial|enable|telnet| ssh|http}console{AAA_group_tag|[LOCAL]}
The AAA_group_tag parameter specifies whichAAA security protocol and server to use(aaa-servercommandswerediscussedinChapter8).IfyouarehavingtheappliancelookonanAAAserverspecifiedinthegrouptagvalue,theTACACS+protocolis preferredoverRADIUSsinceTACACS+supportscommandauthorizationandRADIUS doesn’t.Ifyouwanttousetheusernamesdefinedontheapplianceasabackuptothe AAAserver(s),usetheLOCALkeywordafterthenameofthegrouptag.IfbothanAAA tagandthelocaluseraccountsaredefined,thelocaluseraccountsareabackup—they areonlyusediftheAAAserver(s)areunreachable. NOTE IftheAAAserverisunavailableandnolocalaccountsaredefinedontheappliance,you canstillgainaccesstotheappliancebyusingtheusernamepix(onbothPIXsandASAs)andthe PrivilegeEXECpasswordasabackdoor.However,ifyoudon’tknowwhatthesevaluesare,you’ll havetousethepasswordrecoveryproceduretobreakintotheappliancediscussedintheprevious section.
LocalAuthenticationDatabase Theusernamecommandisusedtocreatealocaldatabaseofusernamesandpasswords associatedwithaparticularprivilegelevel: ciscoasa(config)#usernameusername{nopassword|password}password [encrypted][privilegeprivilege_level]
Ifyouomittheprivilegelevel,itdefaultsto15.Privilegelevelscanrangefrom0to15.The usernamecommandcanthenbeusedtoauthenticate/authorizeuseraccesstotheapplianceitself.Thesecommandsareusedwhenthegrouptagintheaaaauthentication commandisspecifiedasLOCAL. NOTE Please note that all passwords and keys on the appliance are automatically encrypted, unlikewithCiscoIOSdevices. Ifyou’llbeusingthelocaluserdatabase,thenthereisnolimit,bydefault,astothe numberoffailedauthenticationattemptsausercanmake.Thiscanberestrictedwiththe aaalocalauthenticationattemptsmax-failcommand: ciscoasa(config)#aaalocalauthenticationattempts max-fail#_attempts
Chapter 26:
Basic Management from the CLI
Youcanspecifythenumberoffailedattemptsfrom1to16.Ifyouconfigurethiscommandandauserexceedsthelimit,theuser’saccountislockedoutandcanonlybereactivatedwiththeclearaaalocaluserlockoutcommand: ciscoasa(config)#clearaaalocaluser{fail-attempts|lockout} {all|usernameusername}
NOTE Please note that the lockout feature doesn’t apply to (work with) administrator accounts (level15). Usetheshowaaalocalusercommandtoseethenumberoffailedattemptson anaccountandwhetheritislocked: ciscoasa(config)#showaaalocaluser
TIP WhenusingCiscoSecureACStoauthenticateadministratorstoappliances,youmustallow EXECaccessforthegrouptheadministratorbelongsto.Optionallyyoucanenablethisonaper-user basis.Ineitherthegrouporuserconfigurationfortheadministrator,selecttheShell(EXEC)check boxunderTACACS+Settings.Ifyoudon’tdothis,you’llexperienceauthorizationfailure:thename andpasswordtheadministratorenterscanbeauthenticated,butwithouthavingshellaccessenabled, theadministratorfailsauthorization.
AAAAuthenticationExample Here’s an example of securing access to the appliance itself by implementing AAA authentication: ciscoasa(config)#usernamerichardpasswordmysecret ciscoasa(config)#aaa-serverAAATACprotocoltacacs+ ciscoasa(config)#aaa-serverAAATAC(inside)host10.0.1.11 keycisco123 ciscoasa(config)#aaaauthenticationserialconsoleAAATACLOCAL ciscoasa(config)#aaaauthenticationenableconsoleAAATACLOCAL ciscoasa(config)#aaaauthenticationsshconsoleAAATAC ciscoasa(config)#aaaauthenticationhttpconsoleAAATAC ciscoasa(config)#ssh10.0.1.0255.255.255.0inside ciscoasa(config)#http10.0.1.0255.255.255.0inside
Intheprecedingexample,abackupaccount(richard)isdefinedforserial(consoleand auxiliary ports) and enable access, where the primary authentication method is using TACACS+toanAAAserver.RememberthatforSSH,telnet,andHTTPaccess,youalso needtospecifywhichdevicesareallowedtoconnectwiththeseprotocols.Thistopicwas discussedinChapter3.
641
642
Cisco ASA Configuration
CommandAuthorization Commandauthorizationisusedtorestrictwhatcommandsanauthenticatedusercan execute.BydefaultthisiscontrolledbasedontheEXECmodeyouarein:UserorPrivilege. Few commands are associated with level 1 (User EXEC), while most commands requirelevel15access(PrivilegeEXEC). Youcanusethreetypesofauthorizationtorestrictwhatcommandsanadministrator executesonanappliance:
▼ U singtheenablecommandandspecifyingalevelofaccessandsupplyingthe appropriatepassword
■ Usingalocallydefinedusernameandpasswordthatarerestrictedtoexecuting commandsatacertainlevelandlower
▲ U singanAAAdefinedusernameandpasswordthatarerestrictedtoexecuting commandswithinthegrouporsharedprofilecomponentonanAAAserver
Thenextsectionswillcoverallthreemethods.
EnablePasswordCommandAuthorization Onemethodofauthorizationistohavetheusers,oncetheyhaveaccesstoUsermode, typeintheenablecommandfollowedbyaprivilegelevelofaccess,likethis: ciscoasa>enable[privilege_level]
Ifyouomittheprivilegelevel,itdefaultsto15.Ofcourse,mostcommandsareatlevel15, withafewatlevel1;therefore,totakeadvantageofthisapproach,you’llneedtochangethe privilegelevelofvariouscommandsandassignapasswordtoaccessthatprivilegelevel. Youneedtoconfigurethreecommandsinordertosetupcommandauthorization:
▼ p rivilege Specifieswhichcommandsareatwhichprivilegelevel.
■ aaaauthentication Specifieswheretofinduseraccountsand/or passwordforauthentication;thisisnotrequiredifusingenabledpasswordsfor PrivilegeEXECaccess.
▲ aaaauthorizationcommand Enablescommandauthorizationandtheuse oftheprivilegesdefinedintheprivilegecommand. Tochangetheprivilegelevelsofcommands,usetheprivilegecommand:
ciscoasa(config)#privilege[show|clear|configure]levellevel [modeenable|configure]commandcommand
Three parameters follow the privilege command: show, clear, and configure, which set the privilege level for this particular command type. The level parameter specifiestheprivilegelevelausermustbeatinordertoexecutethecommand.Thereare
Chapter 26:
Basic Management from the CLI
16privilegelevels:0–15.Level1isUserEXECaccess,andlevel15isPrivilegeEXECaccess.Afterthisistheoptionalmodeparameter,whereyoucanspecifyinwhichmodethe commandcanbeexecuted.Thelastpartiswhereyouspecifytheactualcommand. Hereisasimpleexample,wheretheshowaccess-listcommandisatlevel9,and theaccess-listcommandinConfigurationmodeislevel11: ciscoasa(config)#privilegeshowlevel9commandaccess-list ciscoasa(config)#privilegeconfigurelevel11commandaccess-list
Ofcourseyoumustfirstenterthepasswordsforeachprivilegelevelthatyouhave createdwiththe privilegecommands.Todothis,usethe enable passwordcommandwiththeoptionallevelparameter: ciscoasa(config)#enablepasswordpassword [levelprivilege_level][encrypted]
Last, you must enable command authorization, which specifies where to find the privilegelevelsforthecommand: ciscoasa(config)#aaaauthorizationcommand{LOCAL|AAA_group_tag}
TheLOCALkeywordspecifiestousetheprivilegecommandsontheapplianceitself;an AAAgrouptagspecifiesthattheapplianceshouldlookuptheansweronanAAAserver (onlyTACACS+ispermitted). NOTE You can create a PIX/ASA CommandAuthorization set in Cisco SecureACS under the SharedProfileComponentssection.Thisisbasicallyalistofcommandsthatcanbeexecutedon anapplianceorappliances.Enterallthecommandsinasetthatcan—orcan’t—beexecuted.Then associatethelistwitheitheragrouporuserthatwillbemanagingtheappliance(s). Onceyouhavesetupyourprivilegeconfiguration,usethe showrunprivilege commandtodisplayyour privilegecommands.The show curprivcommanddisplaystheuseraccountthatisloggedinaswellasitsprivilegelevels. Hereareexamplesofthesecommands: ciscoasa#showrunprivilege privilegeshowlevel15commandaaa privilegeclearlevel15commandaaa privilegeconfigurelevel15commandaaa ciscoasa#showcurpriv Username:asaguru Currentprivilegelevel:15 CurrentMode/s:P_PRIV
643
644
Cisco ASA Configuration
Here’sanexamplethatsetsuptwoPrivilegeEXECpasswordsforlevel9and11: ciscoasa(config)#enablepasswordsecret9level9 ciscoasa(config)#enablepasswordsecret11level11 ciscoasa(config)#privilegeshowlevel9commandaccess-list ciscoasa(config)#privilegeconfigurelevel11commandaccess-list ciscoasa(config)#privilegelevel11commandstatic ciscoasa(config)#aaaauthenticationenableconsoleLOCAL ciscoasa(config)#aaaauthorizationcommandLOCAL
Inthisexample,youmustbeatlevel9orhighertoviewACLs;however,youmustbeat level11orhighertoconfigureanACLortocreatestatictranslations.
LocalUserDatabaseCommandAuthorization Theproblemofusingenablepasswordstocontrolwhatcommandsanadministratorcan executeisthatifmultipleadministratorsneedthesamelevelofaccess,theymustuse thesamepassword,whichcreatesaccountabilityproblems.Abettersolutionistouse usernamesandpasswords.Oneoptionistousealocaldatabaseofaccounts,whereeach accountisassignedalevelofaccessthatrestrictswhatitcando. I’vealreadydiscussedthecommandsnecessarytoaccomplishthis,solet’slookatan examplethatillustratesauthenticationandauthorizationusingalocaldatabase: ciscoasa(config)#usernameadmin1passwordsecret1privilege9 ciscoasa(config)#usernameadmin2passwordsecret2privilege11 ciscoasa(config)#usernameadmin3passwordsecret3privilege15 ciscoasa(config)#privilegeshowlevel9commandaccess-list ciscoasa(config)#privilegeconfigurelevel11commandaccess-list ciscoasa(config)#privilegelevel11commandstatic ciscoasa(config)#aaaauthenticationsshconsoleLOCAL ciscoasa(config)#aaaauthenticationconsoleconsoleLOCAL ciscoasa(config)#aaaauthenticationenableconsoleLOCAL ciscoasa(config)#aaaauthenticationhttpconsoleLOCAL ciscoasa(config)#aaaauthorizationcommandLOCAL
Thisexampleusesthreeadministratoraccountsatprivilegelevels9,11,and15.I’veused thesameprivilegelevelsdiscussedinthelastexample.Onedifferencebetweenthisand thelastexampleisthe aaa authenticationcommands:theseareusedtoprompta userforausernameandpassword,basedonthemethodofaccesstheusermightuseto gainaccesstotheappliance.
AAAServerCommandAuthorization Themainproblemwithlocalcommandauthorizationisscalability:ifyouhaveoneappliance,youonlyhavetocreateyouruseraccountsandprivilegecommandsonce.However, ifyouhave30appliances,replicatingthisinformationandkeepingitinsynchwouldbe difficult.Giventhisscenario,Irecommendthatyoucentralizetheadministratoraccounts
Chapter 26:
Basic Management from the CLI
andthecommandstheycanexecuteonanAAAserver.Theonerestriction,however,is thatifyouwanttocontrolwhatcommandsanadministratorcanexecute,youmustuse theTACACS+protocol,whichreducestolessthanahandfulthenumberofproductsyou canpurchase. I’vealreadydiscussedAAAanditsconfigurationinChapter7.Here’sanexample thatemployscommandauthorization,whereboththeadministrativeaccountsandcommandprivilegesaredefinedonanAAAserver: ciscoasa(config)#usernamebackdoorpassworddoorbackprivilege15 ciscoasa(config)#aaa-serverAAATACprotocoltacacs+ ciscoasa(config)#aaa-serverAAATAC(inside)host10.0.1.11 keycisco123 ciscoasa(config)#aaaauthenticationserialconsoleAAATACLOCAL ciscoasa(config)#aaaauthenticationenableconsoleAAATACLOCAL ciscoasa(config)#aaaauthenticationsshconsoleAAATAC ciscoasa(config)#aaaauthenticationhttpconsoleAAATAC ciscoasa(config)#aaaauthorizationcommandAAATACLOCAL
OneitemtopointoutabouttheprecedingconfigurationisthatIcreatedabackuplevel 15accountincasetheAAAserverisunreachable.
ManagementAccounting Ifyouwanttohavearecordofwhologgedintotheapplianceandwhatcommandsthey executed,you’llneedtoconfigureAAAaccounting.Onerestrictionwithaccountingis thatyoumustrecordtheaccountingrecordsonanAAAserver(syslogandSNMPare unsupported);andforcommandsthatareexecuted,youmustbeusingTACACS+asthe AAAcommunicationsprotocol. HerearethecommandstoenableAAAaccountingforadministrativeaccesstothe appliances: ciscoasa(config)#aaaaccounting{serial|telnet|ssh|enable} consoleAAA_server_tag ciscoasa(config)#aaaaccountingcommand[privilegelevel] AAA_server_tag
Thefirstcommandcreatesanaccountingrecordwhensomeonelogsintooroutofthe appliancebasedontheaccessmethoddefined.Thesecondcommandcreatesanaccountingrecordforeachcommandexecutedatthespecifiedlevel.Ifyouhavecreatedmultipleprivilegelevelsandwanttohaveaccountrecordscreatedforcommandsexecutedat eachlevel,you’llneedaseparateaaaaccountingcommandforeachprivilegelevel.
645
This page intentionally left blank
27 ASDM
647
648
Cisco ASA Configuration
T
hischapterwillintroduceyoutotheAdaptiveSecurityDeviceManager(ASDM), which is an alternative to the command-line interface (CLI) for configuring the securityappliances.Thetopicscoveredinthischapterinclude
▼ I ntroducingASDMrequirementsandrestrictions
■ PreparingthesecurityappliancetouseASDM
■ AccessingASDMforthefirsttime
■ UnderstandingtheelementsontheASDMHomescreen
■ ConfiguringtheappliancewithASDM
■ MonitoringthestatusoftheapplianceusingASDM
▲ U singASDMwhentheapplianceisinmultiplemode(contexts)
ASDMOVERVIEW ASDMisthereplacementforthePIXDeviceManager(PDM).PDMisusedinversion6 oftheOS;ASDMisusedforversion7andlater.ASDMisaJava-basedGUIinterfaceto configureandmanagetheappliances.AllASAsthatshiptodayincludeASDMinflash. TouseASDM,youmusteitherrunthesetupscriptormanuallyenterthecorresponding commands. You can use both the CLI and ASDM simultaneously, since certain functionsmuststillbeperformedfromtheCLI,liketheinitialconfigurationoftheappliance. Whenyou’reusingASDM,HTTPS(SSL)isusedtoprotectthecommunicationsbetween yourdesktopandtheconfigurationssenttoorpulledfromtheappliance. NOTE ThischapterfocusesontheuseofASDMversion6.1.
ASDMRequirements ASDMwasintroducedinversion7.0ofthesecurityappliancesandissupportedonboth thePIXsandASAs.ASDMisJava-basedcodethatsitsinflashontheappliances.Table27-1 displaysthesecurityapplianceoperatingsystemsandtheircorrespondingASDMimages; whenupgradingfromoneversionoftheOStoanother,likeversion7.0to7.1,youwillalso havetoupgradeyourASDMimagetoitscorrespondingversion.ASDMtakesabout7–8MB of space in flash. For theASAs, this is not an issue, since they have large amounts of flash;however,forthePIXs,onlyoneoperatingsystemandoneASDMimagewillfit intoflash.SoupgradingaPIXwillrequireyoutofirstdeletetheolderimagesbefore performinganupgrade.
Chapter 27:
OperatingSystemVersion
ASDM
ASDMVersion
7.0
5.0
7.1
5.2
7.2
5.2
8.0
6.0
8.0or8.1
6.1
Table27-1. SecurityApplianceOperatingSystemsandASDMVersions
ASDMisaweb-based,Java-basedtool.TouseASDM,youmustbeusingoneofthe followingoperatingsystemsonyourPC:
▼ W indows2000,2003,XP,orVista
■ MacOSX
▲ R edHatLinux
YourinitialASDMaccesstotheapplianceisviaawebbrowserusingSSL.ASDMsupports Internet Explorer (IE) 6.0 and later as well as Firefox 1.5 and later. For the Java component,you’llneedSunJava1.4(2),5.0,or6.0. NOTE NotallJavaversionsarecompatiblewithASDM,sobecarefulwhenyouupdateJavaon yourdesktop.
ASDMRestrictions AlmostallconfigurationcommandsaresupportedwithinASDM.Whenyou’reusing ASDM,mostconfigurationsareperformedinaGUI-basedwindow.However,ASDM supportsaCLItoolthatallowsyoutotypeincommandsandsendthemtotheappliance(thisisdiscussedinthe“CLITool”section).Whenyou’reusingtheCLItool,however,certaincommandsareunsupported,forexample, access-list, ipv6,aswellas anyinteractivecommandthatrequiresadministratorinput,likesetupandcryptokey generatersa. Besidestheserestrictions,whentheapplianceisrunninginsinglemode,youcannot havemorethanfiveASDMactivesessions.Whentheapplianceisrunninginmultiple mode(usingcontexts),youcanhavenomorethanfiveASDMsessionspercontext;and acrossallcontexts,youcannothavemorethanatotalof32ASDMsessions.
649
650
Cisco ASA Configuration
ASDMCONFIGURATIONPREPARATIONS WiththeexceptionoftheASA5505,noneoftheASAsorPIXsincludesabaseconfigurationthatwillallowASDMaccess.Youhavetwooptionstoplacingabasicconfiguration ontheappliancetouseASDM:
▼ T hesetupscript
▲ C LIcommands
Thefollowingtwosectionswilldiscussbothoptions.
SetupScript TheuseofthesetupcommandwasdiscussedinChapter3,soI’lljustbrieflyreviewits usehere.Thisscriptplacesabasicconfigurationontheappliance,includingthesetup oftheinsideinterfaceandspecifyinganadministratorPCthatwillaccessASDMonthe appliance.Here’sanexampleofexecutingthescript,whichmustbedonefromConfigurationmode: ciscoasa(config)#setup Pre-configureFirewallnowthroughinteractiveprompts[yes]? FirewallMode[Routed]: Enablepassword[]: Allowpasswordrecovery[yes]? Clock(UTC): Year[1964]: Month[May]: Day[23]: Time[20:51:33]: InsideIPaddress[0.0.0.0]:10.0.1.1 Insidenetworkmask[0.0.0.0]:255.255.255.0 Hostname[ciscoasa]:asa Domainname:dealgroup.com IPaddressofhostrunningDeviceManager:10.0.1.11 Usethisconfigurationandwritetoflash?yes
NOTE ThescriptonlyallowsyoutospecifyasingleIPaddressforASDMaccess(10.0.1.11inthe precedingexample);however,youcanalwaysaddmoreaddressesafterthefactfromeitherASDM ortheCLI.Also,ifrunningthisscriptfromConfigurationmode,atleastoneinterfaceneedstobe configuredandenabled.
Chapter 27:
ASDM
BasicConfigurationCommands Ifyoudon’tusethesetupcommandtopreparetheapplianceforASDM,youcanmanuallyenterthecommands,whichfollow: ciscoasa(config)#asdmimage{disk0|disk1}:/ASDM_image_name ciscoasa(config)#hostnamename_of_your_appliance ciscoasa(config)#domain-nameyour_appliance’s_domain_name ciscoasa(config)#enablepasswordpassword ciscoasa(config)#interfacephysical_if_name ciscoasa(config-if)#nameiflogical_if_name ciscoasa(config-if)#ipaddressIP_address[subnet_mask] ciscoasa(config-if)#security-levelnumber ciscoasa(config-if)#speed{10|100|1000|auto|nonegotiate} ciscoasa(config-if)#duplex{auto|full|half} ciscoasa(config-if)#[no]shutdown ciscoasa(config)#httpserverenable[port_#] ciscoasa(config)#httpIP_address_or_networksubnet_mask logical_if_name
The asdm imagecommandspecifiestheASDMimagetouseinflash(ifmorethan one exists). You need to configure a name and domain name for the appliance, since theseareusedtogeneratetheRSAkeysforSSL.Youalsoneedtosetuptheinterfacethat yourPCwillconnectto—typicallythisistheinsideinterface,whichwillhaveasecurity levelof100. The http server enable command enablesASDM. By default the port number used is 443 (the SSL default port number); however, you can change this, as was discussed in Chapter 19, if you need to support both WebVPN andASDM on the same interface.Ifthisisthecase,letWebVPNuseport443,andspecifyadifferentportnumber forASDM.Bydefaultthehttpcommandspecifiestheaddressoraddressesallowedto connecttotheapplianceusingASDMonthespecifiedinterface—youcanexecutethis commandmultipletimesfordifferentadministratoraddressesornetworks. TIP Asyoucanseefromtheprecedingcommands,itisactuallymucheasiertorunthe setup commandinsteadoftypingintheindividualcommands.
ASDMACCESS OnceyouhaveputabasicconfigurationonyourappliancetoallowASDMaccess,you arereadytoaccesstheapplianceusingawebbrowser,andtodownloadandexecutethe Javacode.ThefollowingtwosectionswilldiscusshowtoaccessanddownloadASDM andhowtousetheStartupWizardtoputaninitialconfigurationontheappliancethat willallowoutboundaccessforusers,alongwithallowingthecorrespondingreturning trafficbacktotheusers.
651
652
Cisco ASA Configuration
WebBrowserAccess ToaccessASDM,startupasupportedwebbrowser,andtypeintheHTTPSURLtoaccessyourappliance,likethis: https://IP_address_of_the_appliance
Awindowwillpopupwhereyou’llhavetoaccepttheself-signedcertificateofthe appliance.Afteryouaccepttheself-signedcertificate,yourwebbrowsershoulddisplay thescreenshowninFigure27-1.Youhavethreeoptionsatthispoint:
▼ I nstallASDMLauncherandRunASDM ASDMwillbeinstalledonyourPCso thatyoudon’thavetouseawebbrowsertodownloaditagainthenexttime youwanttouseit.
■ RunASDM ASDMisdownloadedandexecutedonyourPC,butisnot installedonyourPC.
▲ R unStartupWizard ASDMisdownloadedandexecutedonyourPC,where theStartupWizardbegins,allowingyoutoputabasicconfigurationonyour appliance;ASDMisnotinstalledlocallyonyourPC.
Figure27-1. InitialASDMrunoptions
Chapter 27:
ASDM
Figure27-2. ASDMloginscreen
NOTE InthefigureswhereI’vecapturedscreenshotsforASDM,I’veusedport444,sinceIamalso usingWebVPNonthesameASAonexternalinterfaces. Onceyouclickoneofthethreeoptionsonthepreviousscreen,you’llbeprompted todownloadtheJavaScriptcodeforASDM.You’llhavetoaccepttheJavaScriptcode andlogintoASDM.IfyouhavenotconfiguredAAAforHTTPaccess(seeChapter26), thenyou’llneedtoenteronlythePrivilegedmodepasswordfromthe enable passwordcommand.(TheloginprocessisshowninFigure27-2.)Onceyouhavesuccessfully loggedin,you’lleitherbepresentedwiththeHomescreenortheHomescreenwitha pop-upwindowfortheStartupWizard. NOTE OnceASDMlaunches,youcanclosedownyourinitialwebbrowserwindow.
StartupWizard TheStartupWizardputsaminimalconfigurationontheappliance—basicallytoallow initialTCPandUDPconnectionsoutboundandthecorrespondingrepliesfortheseconnections back into the network. The initial screen of the Startup Wizard is shown in Figure27-3.Youcanmodifytheconfigurationyouhave,orstartfromscratch.Theappliancemodelyouareaccessingwilldeterminethenumberofscreensthewizardwill leadyouthrough.HereisabriefdescriptionofthescreensonanASA5505,whichisnot configuredasanEasyVPNremote:
▼ S creen1:Modifytheexistingconfiguration,orrestoretheappliancebacktothe factorydefaultsandconfigureitfromscratch.
■ Screen2:Assignahostname,domainname,andaPrivilegeEXECpassword.
■ Screen3:Enableandconfigureautoupdateparameters.
653
654
Cisco ASA Configuration
Figure27-3. StartupWizard
■ Screen4:OntheASA5505,setuptheVLANs.
■ Screen5:OntheASA5505,assignthephysicalinterfacestoVLANs.
■ Screen6:AssignIPaddressingandparameterstotheinterfaces.
■ Screen7:Createstaticroutes.
■ Screen8:SetupDHCPserverparameters.
■ Screen9:Configuredynamictranslationrulesforoutboundtraffic,ifnecessary (natandglobalcommands).
■ Screen10:ChangetheadministrativeaccessforusingASDM.
▲ S creen11:Displaysasummaryofthechangesthatwillbemade—clickthe FinishbuttontoacceptthechangesandbereturnedtotheHomescreen.
ASDMHOMESCREEN Figure 27-4 is the first screen you’re presented with when accessing theASDM GUI. Atthetopofthescreenarevariousmenuoptions.Belowthisarethetoolbarbuttons. Andthemainpartofthescreenhastwotabsthatcontroltheelementsdisplayedonthe screen:theDeviceDashboard,whichisintheforeground,andtheFirewallDashboard. ThefollowingsectionswilldiscusstheelementsfoundontheHomescreen.
Chapter 27:
ASDM
Figure27-4. ASDMHomescreenandtheDeviceDashboard
MenuItems AtthetopoftheASDMHomescreenarethemenuitems:File,View,Tools,Wizards, Window,andHelp.Thefollowingsectionswilldiscussthesemenuoptions.
FileMenuItems TheFilemenumanagestheapplianceconfigurationsandincludestheseitems:
▼ R efreshASDMwiththeRunningConfigurationontheDevice Loadsacopyofthe runningconfigurationintoASDM.
■ ResetDevicetotheFactoryDefaultConfiguration Restorestheappliance configurationtothefactorydefault.
■ ShowRunningConfigurationinNewWindow Displaysthecurrentrunning configurationoftheapplianceinapop-upwindow.
655
656
Cisco ASA Configuration
■ SaveRunningConfigurationtoFlash Savesacopyoftherunningconfiguration toflashmemory(executesthewritememorycommandontheappliance).
■ SaveRunningConfigurationtoTFTPServer Savesacopyofthecurrentrunning configurationfileonaTFTPserver.
■ SaveRunningConfigurationtoStandbyUnit Sendsacopyoftherunning configurationfileontheactivefailoverunittotherunningconfigurationofa failoverstandbyunit.
■ SaveInternalLogBuffertoFlash Savestheinternallogbuffertoflashmemory.
■ Print Printsthecurrentpage(Irecommendthatyouuselandscapeprintingto fitthescreenononepage).
■ ClearASDMCache RemoveslocalASDMimagesfromyourPC.
■ ClearInternalLogBuffer Emptiestheinternalsyslogmessagebufferonthe appliance.
▲ E xit ClosesASDMgracefully.
ViewMenuItems TheViewmenucontrolsthedisplayfunctionsfortheASDMGUIandincludesthefollowingitems:
▼ H ome DisplaystheHomescreen.
■ Configuration DisplaystheConfigurationscreen.
■ Monitoring DisplaystheMonitoringscreen.
■ DeviceList Showsandhidesalistofdevices(contexts)inadockablepane: contextsareaccessedusingthisapproach.
■ Navigation ShowsandhidesthedisplayoftheNavigationpaneinthe ConfigurationandMonitoringscreens.
■ ASDMAssistant Showsandhidesapanethatletsyousearchforinformation inASDM.
■ LatestASDMSyslogMessages ShowsandhidesthedisplayoftheLatest ASDMSyslogMessagespaneatthebottomoftheHomescreen.
■ Addresses ShowsandhidesthedisplayoftheAddressespane,whichisonly availablefortheAccessRules,NATRules,ServicePolicyRules,AAARules, andFilterRulespanesintheConfigurationscreen.
■ Services ShowsandhidesthedisplayoftheServicespane,whichisonly availablefortheAccessRules,NATRules,ServicePolicyRules,AAARules, andFilterRulespanesintheConfigurationscreen.
Chapter 27:
ASDM
■ TimeRanges ShowsandhidesthedisplayoftheTimeRangespane,whichis onlyavailablefortheAccessRules,ServicePolicyRules,AAARules,andFilter RulespanesintheConfigurationscreen.
■ GlobalPools ShowsandhidesthedisplayoftheGlobalPoolspane,whichis onlyavailablefortheNATRulespaneintheConfigurationscreen.
■ FindinASDM Locatesanitemforwhichyouaresearching.
■ Back Goesbacktothepreviousscreen.
■ Forward Movesforwardtoamorerecentscreen.
■ ResetLayout Returnsthelayouttothedefaultconfiguration.
▲ O fficeLookandFeel ChangesscreenfontsandcolorstotheMicrosoftOffice settings.
ToolsMenuItems ThethirdmenuiteminthemenubaratthetopoftheASDMGUIistheToolsmenuitem. TheToolsmenuitemincludesthefollowingoptions:
▼ C ommandLineInterface Providesatext-basedtoolforsendingactual commandstotheapplianceandviewingtheresultingoutputofthe commands.Theonlycommandsyoucannotsendtotheapplianceare interactivecommandsthatrequireuserinput,likesetup.
■ ShowCommandsIgnoredbyASDMonDevice Displaysunsupportedcommands thatareignoredbyASDM.
■ PacketTracer Letsyoutraceapacketfromaspecifiedsourceaddressand interfacetoadestination(thepacket-tracercommand).
■ Ping Letsyouhavetheapplianceexecutethepingcommandanddisplaythe resultingoutput.
■ Traceroute Letsyouhavetheapplianceexecutethetraceroutecommandand displaytheresultingoutput.
■ FileManagement Letsyouview,move,copy,anddeletefilesanddirectories storedinflash.
■ UpgradeSoftwarefromLocalComputer Letsyouchooseanapplianceimage, ASDMimage,oranotherimageonyourPC,anduploadthefiletoflash.
■ UpgradeSoftwarefromCisco.com Letsyouupgradetheapplianceoperating systemandASDMimagesthroughawizarddirectlyfromtheCiscosite (requiresaCCOaccountontheCiscowebsite).
■ SystemReload Letsyoureboottheapplianceorschedulearebootofthe appliance.
657
658
Cisco ASA Configuration
■ AdministratorAlertstoClientlessSSLVPNUsers Letsanadministratorsendan alertmessagetoclientlessWebVPNusers.
■ Preferences ChangesthebehaviorofspecifiedASDMfunctionsbetween administrativesessions.
■ ASDMJavaConsole ShowstheASDMJavaconsole.
■ BackupConfigurations Backsupconfigurations.
▲ R estoreConfigurations Restorespreviouslybackedupconfigurations.
Thefollowingsectionswillexpandonsomeofthemorecomplexoptions. PacketTracer ToaccessthePacketTracertool,gotoTools|PacketTracer,whichwill openapop-upwindowwhereyoucanusethePacketTracertool.Entertheinformation at the top of the window, like the source interface, protocol, addresses, and protocol information, and click the Start button. By default the animation at the top of the window displays each component of the appliance that is processing the “pretend” packet. Green checkmarks mean the process allows the packet. A red X means the processdeniedthepacket.Belowtheanimation,youcanexpandthespecificprocesses toseewhatishappeningwiththepacket,especiallyifitisbeingdenied.Figure27-5
Figure27-5. PacketTracertool
Chapter 27:
ASDM
showsanexampleofthistool,wheretestingatelnetconnectionpassedandwouldbe permittedifthepacketwerereal.FormoreinformationonusingthePacketTracertool, seeChapter6. CLITool OnereallyhandyfeatureofASDMisthatyoucansendactualcommandstothe applianceandhavetheresultsshownwithinASDMwiththeCLItool:Tools|Command Line Interface. You can send down a single command or multiple commands (many commands in one batch). Use the drop-down selector to choose a command, or type yourowncommandwithinthistextbox.Withonlyafewexceptions,youcanexecute any command here that you can execute from the appliance CLI. Figure 27-6 shows an example of sending the show xlate command to the appliance and the resulting output. TIP Youcanevenusethe ?inyourcommandsintheCLItool,whichwilldisplaythehelpforthe commandyousenttotheappliance.
Figure27-6. CLItool
659
660
Cisco ASA Configuration
Figure27-7. Preferencestool
PreferencesTool YoucanchangetheGUIoperationpreferencesforASDMbygoingto Tools|Preferences.Youcanseethepop-upwindowinFigure27-7.Onenicefeatureinthe Preferencespop-upwindowisthecommandpreviewoption(thefirstcheckbox):when thisisenabled,youseealistofcommandsinapop-upwindowthatwillbeexecutedon theappliancewhenyouclicktheApplybuttontosendanASDMconfigurationtothe appliance.Inthepop-upwindowwiththelistofcommands,clicktheDeliverbutton tosendthecommandsdowntotheappliance.Withoutthisfeature,theconfiguration is sent to the appliance, but you don’t see the corresponding commands thatASDM createdbasedontheGUIelementsyouconfigured.Usingthecommandpreviewoption isagreatwayoflearningthecommandsusedforcertainappliancefeatures.
WizardsMenuItems ASDM supports wizards to help you to easily configure complex appliance features. Wizardsleadyouthroughasetofscreenstoconfigureaparticularfeature.Byusinga wizard,youminimizemisconfigurations—whilefromtheCLI,youmightforgetacommandortwotocompletetheconfigurationofaparticularfeature.Wizardsshouldbe usedtoperformtheinitialconfigurationofafeature;tuningorchangingyourconfigurationshouldthenbedonefromtheConfigurationscreen.
Chapter 27:
ASDM
ASDMsupportsthefollowingwizardsfromtheWizardsmenu:
▼ S tartupWizard Thiswizardwalksyouthroughastep-by-stepprocessto placeaninitialconfigurationonyourappliance.
■ IPSecVPNWizard ThiswizardenablesyoutoconfigureanIPSecVPN site-to-siteorremoteaccess(EasyServerandRemote)configurationonyour appliance.
■ SSLVPNWizard ThiswizardenablesyoutoconfigureaWebVPNclientless ortunnelmodeconfiguration.
■ HighAvailabilityandScalabilityWizard Thiswizardallowsyouto configurefailoverandVPNclusteringonyourappliance.
▲ P acketCaptureWizard Thiswizardallowsyoutoconfigurepacketcaptures onyourappliance.
TheStartupWizardwasdiscussedpreviouslyinthe“StartupWizard”section.The IPSecVPN,SSLVPN,andHighAvailabilityandScalabilitywizardswillbediscussed laterinthechapter.ThePacketCaptureWizardallowsyoutocapturepacketsontheappliance.Youmustspecifytheingressinterface,optionallytheaddressesandprotocols involved(filteringwhatpacketsyouwanttocapture),theegressinterface,thelargest packetsizeofapacket,andthebuffersizeofthetotalnumberofpacketstocapture.The PacketCapturefeaturewasdiscussedinChapter6.
OtherMenuItems TheothertwomenuitemsareWindowandHelp.TheWindowitemisusedwhenyou havemorethanoneASDMwindowopen(perhapstomultiplecontextsortocomplete differentappliances),anditallowsyoutoquicklychangetoadifferentappliance.The HelpitemallowsyoutodisplaythehelptopicsforusingASDM,thereleasenotesfor thecurrentASDMimage,andhelpinformationabouttheelementsonthecurrentlydisplayedwindow.
ToolbarButtons Belowthemenuitemsarethetoolbarbuttonsoricons.Thetoolbarbuttonsallowyouto quicklyperformacommonfunctionwithinASDM.Hereisadescriptionofthetoolbar buttons:
▼ H ome DisplaystheHomescreen,whichletsyouviewimportantinformation aboutyoursecurityappliancesuchasthestatusofyourinterfaces,theversion ofcodeyouarerunning,licensinginformation,andperformanceinformation
■ Configuration DisplaystheConfigurationscreen,whichallowsyouto configurethefeaturesoftheappliance
661
662
Cisco ASA Configuration
■ Monitoring DisplaystheMonitorscreen,whichallowsyoutoviewthe applianceoperationandconfiguredfeatures
■ Save Savestherunningconfigurationtothestartupconfigurationinflash (writememory)
■ Refresh RefreshesASDMwiththecurrentrunningconfigurationofthe appliance
■ Back TakesyoubacktothelastpaneofASDMthatyouvisited
■ Forward TakesyouforwardtothemorepreviouspaneofASDMthatyou visited
■ LookFor LetsyousearchforafeatureinASDM
▲ H elp Showscontext-sensitivehelpforthewindoworpanethatiscurrently open
HomeScreenElements TwoHomescreenelementscontrolwhatyouseeinthemainpartofthehomepage:the DeviceDashboardandtheFirewallDashboard.Thefollowingtwosectionsdiscussthese elements.
DeviceDashboard TheDeviceDashboardontheHomescreen(shownpreviouslyinFigure27-4)isatabthat isintheforegroundbydefault.Hereyoucanseeversionandhardwareinformationabout the appliance (General tab), the status of the interfaces, the number of VPN tunnels thatareup,theCPUandmemoryutilization,thequicksnapshotofthetrafficstatistics, andlogmessages(bottomofthescreen).Notethatthisscreenautomaticallyrefreshes itselfevery10seconds.IfyouclicktheLicensetab,youcanseewhatfeaturesarecurrentlyunlockedbyyourapplianceactivation/licensekey.
FirewallDashboard ByclickingtheFirewallDashboardtab(belowthetoolbarbuttons),youcanseethefollowingupdatedstatistics(seeFigure27-8):
▼ S tateandxlatetableentriesbeingadded/removed
■ TopdroppedpacketsbyACLsandinspectionrules
■ PossiblescanandSYNattacks
▲ T op10statisticsforservices,sourceaddresses,anddestinations
Chapter 27:
ASDM
Figure27-8. ASDMHomescreenandtheFirewallDashboard
ASDMCONFIGURATIONSCREENS ToaccesstheConfigurationscreens,clicktheConfigurationbuttoninthetoolbar,shown inFigure27-9.Toaccessthevariousconfigurationelements,clicktheelementnamein the left pane. Configuration elements include Device Setup, Firewall, Remote Access VPN,Site-to-SiteVPN,andDeviceManagement.Clickinganelementwilldisplaythe configurationitemsatthetopoftheleftpane.ThefollowingsectionswillcovertheConfigurationscreens.
DeviceSetupTab WhenyouclicktheConfigurationbuttonatthetopofthescreen,thedefaultviewdisplayed istheDeviceSetupconfigurationelement—youcanalsoreachthisscreenwithintheconfigurationsectionbyclickingtheDeviceSetuptabintheleftpane(showninFigure27-9).
663
664
Cisco ASA Configuration
Figure27-9. DeviceSetuptab
ThedefaultconfigurationelementistheStartupWizard(discussedpreviouslyinthe“Startup Wizard” section). The Device Setup configuration section allows you to set up basic propertiesfortheappliance,likeitsname,domainname,password,routing(staticroutes anddynamicroutingprotocols),thedateandtime,anduseoftheStartupWizard. NOTE Whenyouaredonemakingchangesonaparticularscreen,clicktheApplybuttonatthe bottomtosendthechangestotheappliance.
FirewallTab ClickingtheFirewalltabintheleftpaneopensoptionsinthepaneaboveit.Hereyou canconfigureyourapplianceACLs,dynamicandstatictranslationrules,servicepolicies (includingclassandpolicymaps),Cut-throughProxy(CTP)rules,URLfilteringrules forWebsenseandSmartFilter,threatdetectionpolicies,objectgroups,andadvancedfeatures like antispoofing with reverse path forwarding (RPF) and others. The following
Chapter 27:
ASDM
sections will cover the three most commonly configured elements: access rules, NAT rules,andservicepolicyrules.
AccessRulesElement WhenyouclicktheFirewalltab,theAccessRuleselementisdisplayedbydefaultinthe middlepane.ThisscreencanbeseeninFigure27-10.ACLpoliciesarebrokenoutonan interface-by-interfacebasis.Figure27-10showsthreeinterfaces:dmz,inside,andoutside. Thedmzandinsideinterfaceshavetwoimplicitrules,whiletheoutsideinterfacehasone ACLstatementthatallowsICMPtrafficandanimplicitrulethatdropseverythingelse. NoticetheEnabledcolumnthatallowsyoutodisableaparticularstatement.Toadda statementtoanexistinginterfaceACL,selectastatementinthelist,andclicktheAddbuttonatthetop.(YoucanclickthedownarrowtotherightofAddtoaddastatementbefore orafteranexistingACLstatement.)Toeditordeleteastatement,firstselectitandthen click the corresponding button above theACL statements. To move anACL statement toadifferentpositionwithintheACL,firstselectthestatementandthenclicktheupor downarrowsabovethelistofACLstatements.YoucanalsocutaselectedACLstatement
Figure27-10. Firewalltab:AccessRuleselement
665
666
Cisco ASA Configuration
byclickingthescissorsicon;youcanthenpastethestatementbeforeorafteraselected ACLstatementbyclickingthepasteiconabovethelistofACLstatements.Thefindicon (magnifyingglass)allowsyoutosearchforaparticularACLstatementinthelist. TIP OnthefarrightsideofeachconfiguredACLstatementisaHitscolumn,whichdisplaysthe numberofmatchesonaparticularstatement(thehitcounts). Therightpanehasthreetabsatthebottom:Addresses(defaultstotheforeground), Services,andTimeRanges.TheAddressestaballowsyoutocreatenamestatementsand networkobjectgroupsthatyoucanuseinyourACLstatements;theServicestaballows youtocreateservice,ICMP,andprotocolobjectgroupsthatyoucanuseinyourACL statements;andtheTimeRangestaballowsyoutocreatetimerangesyoucanthenreferenceinyourACLstatements.
NATRulesElement ToaccesstheNATRuleselement,gotoConfiguration|Firewall|NATRules,asshown inFigure27-11.Youcanseestaticanddynamicaccessrulesinthemiddlepane.Tocreate
Figure27-11. Firewalltab:NATRuleselement
Chapter 27:
ASDM
aglobaladdresspoolusedindynamictranslations,clicktheGlobalPoolstabinthebottomoftherightpane,andthenclicktheAddbuttonatthetopoftherightpane.Adding atranslationruleisaseasyasclickingtheAddbuttonatthetopofthemiddlepaneand choosingthetypeoftranslationruleyouwanttocreate:staticrule,dynamicrule,NAT exemptionrule,staticpolicyrule,oradynamicpolicyrule.SeeChapter5formoreinformationontranslationrules. TIP Ifthecheckboxatthebottomofthepaneisnotchecked,thenthenat-controlcommand isenabled,requiringtheuseofaddresstranslationrules.
ServicePolicyRulesElement To access the Service Policy Rules element, go to Configuration | Firewall | Service PolicyRules,showninFigure27-12.Fromhereyoucancreateandmodifyyourservice policies:QoS,policing,applicationinspection,IPS,andCSC.Creatingyourpoliciesis donebyusingtheAddServicePolicyRuleWizard,accessedbyclickingtheAddbutton. Thewizardhasthreescreens:selectinganinterfaceoraglobalpolicy,creatingaclass
Figure27-12. Firewalltab:ServicePolicyRuleselement
667
668
Cisco ASA Configuration
Figure27-13. Firewalltab:AddServicePolicyRuleWizard
map,andcreatingapolicymapwiththepoliciesfortheclassmap.Thefirstscreenis showninFigure27-13. TIP TheObjectselementundertheFirewalltaballowsyoutocreatelayer7classandpolicymaps foryourservicepolicyrules.
RemoteAccessVPNTab WhenyouclicktheRemoteAccessVPNtabinthebottom-leftcornerpaneoftheConfigurationscreen,youcanconfigureyourVPNpoliciesforWebVPNclientlessandtunnel modeconnections,EasyVPNServer,EasyVPNRemote(ASA5505only),andL2TP/IPSec connections(seeFigure27-14).Youcanalsosetupcertificateservices.ThefollowingsectionswillcoverhowtouseASDMtosetupanEasyVPNserver,aWebVPNgateway,an AnyConnectgateway,andCiscoSecureDesktop(CSD).
Chapter 27:
ASDM
Figure27-14. RemoteAccessVPNtab
EasyVPNServer YoucaneasilysetupandmanageanEasyVPNServeronyourappliancewhenusing ASDM.Fortheinitialsetup,ASDMsupportsawizardforEasyVPNServerfunctions. Onceyou’veusedthewizard,changingEasyVPNpoliciesiseasywiththeASDMconfigurationscreens.Thefollowingtwosectionswillintroduceyoutothesetopics. IPSecWizardforEasyVPNServer ToaccesstheIPSecwizardtoinitializetheEasyVPN serverfeature,gotoWizards|IPSecVPNWizard,showninFigure27-15.Intheinitial pop-upwindow,youcaneithercreateasite-to-siteIPSecconnection,orsetuptheEasy VPNServerfeature.ChoosetheRemoteAccessoptionforthelatter.Youalsoneedto choosetheinterfacetheIPSecsessionswillbeterminatedon.Optionallychoosingthe checkboxatthebottomwillconfigurethesysoptconnectionpermit-vpncommand, whichallowsdecryptedVPNtraffictobeexemptedfromACLcheckswhengoingfrom alower-tohigher-levelinterface.
669
670
Cisco ASA Configuration
Figure27-15. IPSecVPNWizard
Herearethescreensyou’llgothroughwhenusingthewizardtosetupyourEasy VPNServer:
▼ S creen1:ChoosethetypeofIPSecVPN:Site-to-SiteorRemoteAccess(Easy VPNServer).
■ Screen2:Selectthetypeofclientsthatwillbesupported:CiscoVPNClient3.x andhigherorL2TP/IPSec.
■ Screen3:Choosethedeviceauthenticationmethod(pre-sharedkeysorcertificates) andthenameofthetunnelgroupforonegroupofremoteaccessusers.
■ Screen4:Specifythelocationofuseraccounts:thelocaldatabaseofusername commandsoranAAAservergroup.
■ Screen5:Ifyouchosethelocaldatabaseoption,you’llbeaskedtoadduser accountsonthisscreen.
Chapter 27:
ASDM
■ Screen6:Createorspecifyalocaladdresspoolthatwillbeusedtoassign internaladdressestoEasyVPNRemotes.
■ Screen7:SpecifyModeConfigproperties.(YoucanonlyspecifyDNSand WINSserveraddressesaswellasadomainnameinthewizard—otherpolicies mustbeassignedfromtheRemoteAccessVPNtabaftercompletingthe wizard.)
■ Screen8:CreateaPhase1policy.(Thedefaultpolicyuses3DES,SHA,andDH group2.)
■ Screen9:CreateaPhase2transformset.(ThedefaultpolicyusesESPwith 3DESandSHA.)
■ Screen10:Setupaddresstranslationexemption(nat0)oftheinternal addressestothecorporateofficenetworksaswellasasplittunnelingpolicy.
▲ S creen11:AcceptyourconfigurationbyclickingtheFinishbutton. NOTE Youcanaddonlyonetunnelgroupandonegrouppolicyusingthewizardduringthewizard process;however,youcaneitherusethewizardasecondtimetoaddanadditionalgroup,oreasilyadd tunnelgroupsandgrouppoliciesfromtheRemoteAccessVPNtabontheConfigurationscreen.
IPSecAttributes for Easy VPN Server Once you’ve set up at least one tunnel group and itspoliciesforEasyVPN,youcaneitherusethewizardtoaddadditionalgroupsand policies,orchangeanyEasyVPNpolicyorattributefromtheRemoteAccessVPNtab. I’llhighlightsomeofthescreenstotuneyourEasyVPNServerconfiguration. Toaddoredityourgrouppolicies,gotoConfiguration|RemoteAccessVPNtab| Network (Client)Access | Group Policies. I selected the “students” group policy in Figure27-16andclickedtheEditbutton.TheseattributeswerediscussedinChapter17. TochangegeneralpropertiesforIPSecremoteaccessconnections,gotoConfiguration| RemoteAccessVPNtab|Network(Client)Access|Advanced|IPSec(seeFigure27-17). Fromhere,youcaneditthecryptomaps,IKEPhase1policies,IKEparameters(likeNAT-T), Phase 2 transform sets, certificate matching rules, and specify auto update policies for softwareclients.
ClientlessWebVPN YoucaneasilysetupandmanageclientlessWebVPNsessionsonyourappliancewhen usingASDM. For the initial setup,ASDM supports a wizard for WebVPN functions. Onceyou’veusedthewizard,changingclientpolicieslikethelookandfeelofthehome/ portalpageorthinclientpoliciesiseasywithASDMConfigurationscreens.Thefollowingtwosectionswillintroduceyoutothesetopics. SSLVPNWizardforClientlessWebVPNConnections TheSSLVPNWizardallowsyoutoset upclientlessandAnyConnect/SVCclientconnections.ToaccesstheSSLVPNWizard
671
672
Cisco ASA Configuration
Figure27-16. EasyVPNServergrouppolicies
to initialize the WebVPN server feature, go to Wizards | SSL VPN Wizard, shown in Figure 27-18. In the initial pop-up window, you can create a clientless WebVPN configuration,anAnyConnectWebVPNconfiguration,orboth. Herearethescreensyou’llgothroughwhenusingthewizardtosetupyourclientlesspolicies:
▼ S creen1:ChoosethetypeofWebVPNsession—clientless,AnyConnect,orboth.
■ Screen2:Definethetunnelgroupname,thenameoftheinterfacethatuserswill connecttousingSSL,thecertificatetobeused(optional),thealiasnameforthe tunnelgroup,andifthelistofaliasnameswillappearontheloginscreen.
■ Screen3:Specifythelocationofuseraccounts:thelocaldatabaseofusername commands,oranAAAservergroup.Ifyouchosethelocaldatabaseoption, you’llbeaskedtoadduseraccountsonthisscreen.
■ Screen4:Chooseifyouwanttocreateanewgrouppolicyormodifyan existingone.
Chapter 27:
Figure27-17. GeneralEasyVPNIPSecproperties
Figure27-18. SSLVPNWizard
ASDM
673
674
Cisco ASA Configuration
■ Screen5:Createorreferenceabookmarklist(thelistofURLsthatwillappear onthehomeportal/page).
▲ S creen6:AcceptyourconfigurationbyclickingtheFinishbutton.
OtherpoliciesandconfigurationchangesmustbedoneafterthecompletionofthewizardfromtheRemoteAccesstabontheConfigurationscreen. ClientlessWebVPNAttributes Onceyou’vesetupatleastonetunnelgroupanditspolicies forclientlessWebVPN,youcaneitherusethewizardtoaddadditionalgroups,orchange anyclientlessWebVPNpolicyorattributefromtheRemoteAccessVPNtab.I’llhighlight someofthescreenstotuneyourclientlessconfiguration,showninFigure27-19:
▼ Y oucancreatebookmarksthatwillbeusedbyatunnelgroup;bookmarksare URLsthatwillappearonthehomeportal.
■ Youcaninstallplug-insforthinclientaccess.
Figure27-19. Clientlessproperties
Chapter 27:
ASDM
■ Youcancreateacustomizationprofile,whichcontrolsthelookandfeelofthe user’shomeportal.(ThisisanXMLdocumentandrequirestheuseofaweb browsertocreateit,similartoaWYSIWYG—whatyouseeiswhatyouget— GUIeditor.)
■ Youcancreateacustomizationhelpprofile,whichallowsyoutospecify additionallanguagestobeusedinthedisplayofthehomeportal.
■ Youcancreateportforwardingrulesforthinclientaccess.
■ Youcanspecifyapplicationsforsmarttunneling,whichareusedforthinclient access.
▲ Y oucanimportwebcontents,likeimages,thatwillbeusedonthehomeportal.
To create a bookmark (URL list) for the home page of a clientless connection, go toConfiguration|RemoteAccessVPN|ClientlessSSLVPNAccess|Portal|Bookmarks.ClicktheAddbutton.Givethebookmarklistaname,andclicktheAddbutton toaddtheindividualURLs.ThereareadvancedoptionsthatyoucanexpandforaURL, likeincludingathumbnailimagefortheURL. Forexample,tocreatethelookandfeelofthehomeportalforclientlessconnections, gotoConfiguration|RemoteAccessVPN|ClientlessSSLVPNAccess|Portal|Customization,andclickAdd(thiscanalsobedoneinthewizard).Givetheprofileaname, andthenselectitandclickApply. Tochangeaprofile,selectaprofilenameandclicktheEditbutton—awebbrowser window will open, allowing you to change the look and feel of the home page for a clientlessconnection.Clickthehyperlinksonthelefttochangethevariousproperties. ClickthePreviewbuttonontherighttoseewhatyourchangeswouldlooklike.Click theSavebuttoninthetoprighttosaveyourchangestotheappliance.Aftersavingyour changes,youcanclosethewebbrowserwindow. TIP Whenyou’reusingclientlessmode,theapplianceactsasawebproxy;inthissituation,you’ll needtodefineDNSserverstoresolvenamestoaddresses.I’msurprisedthisisnotpartofthewizard, butitcanbecompletedbygoingtoConfiguration|RemoteAccessVPN|DNS,showninFigure27-20.
AnyConnectClient You can easily set up and manageAnyConnect WebVPN sessions on your appliance whenusingASDM.Fortheinitialsetup,ASDMsupportsawizardforAnyConnectfunctions.Onceyou’veusedthewizard,installingadditionalAnyConnectsoftwareclients orprofiles,orchangingAnyConnectpolicies,iseasywithASDMConfigurationscreens. Thefollowingtwosectionswillintroduceyoutothesetopics. SSL VPN Wizard for AnyConnect WebVPN Connections As mentioned in the “SSL VPN WizardforClientlessWebVPNConnections”section,theSSLVPNWizardallowsyou tosetupclientlessand/orAnyConnect/SVCclientconnections.ToaccesstheSSLVPN WizardtoinitializetheWebVPNserverfeature,gotoWizards|SSLVPNWizard,shown
675
676
Cisco ASA Configuration
Figure27-20. DNSservers
previously in Figure 27-18. In the initial pop-up window, you can create a clientless WebVPNconfiguration,anAnyConnectWebVPNconfiguration,orboth. Herearethescreensyou’llgothroughwhenusingthewizardtosetupyourAnyConnectpolicies:
▼ S creen1:ChoosethetypeofWebVPNsession—clientless,AnyConnect,orboth.
■ Screen2:Definethetunnelgroupname,thenameoftheinterfacethatusers willconnecttousingSSL,thecertificatetobeused(optional),thealiasnameof thetunnelgroup,andifthelistofaliasnameswillappearontheloginscreen.
■ Screen3:Specifythelocationofuseraccounts:thelocaldatabaseofusername commandsoranAAAservergroup;ifyouchosethelocaldatabaseoption, you’llbeaskedtoadduseraccountsonthisscreen.
■ Screen4:Chooseifyouwanttocreateanewgrouppolicyormodifyan existingone.
■ Screen5:Selectanexistingaddresspool,orcreateanewaddresspoolforthe internaladdresses,andspecifytheAnyConnectimageinflashoftheappliance.
Chapter 27:
ASDM
(Ifonedoesn’texist,youhaveanoptiontodownloaditfromCiscousingaCCO account.)Notethatyou’llneedtomanuallyaddanat0policyconfiguration undertheConfiguration|Firewall|NATRulesscreen:you’reremindedofthis withapop-upwindow.
▲ S creen6:AcceptyourconfigurationbyclickingtheFinishbutton.
OtherpoliciesandconfigurationchangesmustbedoneafterthecompletionofthewizardfromtheRemoteAccesstabontheConfigurationscreen. AnyConnect WebVPN Attributes Once you’ve set up at least one tunnel group and its policiesforAnyConnectclientaccess,youcaneitherusethewizardtoaddadditional groups,orchangeanyAnyConnectpoliciesorattributesfromtheRemoteAccessVPN tab.I’llhighlightsomeofthescreenstotuneyourAnyConnectconfiguration. TochangethepoliciesforyourAnyConnectclientsessions,gotoNetwork(Client) Access|AnyConnectConnectionProfilesundertheRemoteAccessVPNtab(shownin Figure27-21).ToaddadditionalAnyConnectclientsthatexistinflash,gotoAdvanced| SSLVPN|ClientSettingsundertheRemoteAccessVPNtab(showninFigure27-22).
Figure27-21. AnyConnectconnectionprofiles
677
678
Cisco ASA Configuration
Figure27-22. AnyConnectsoftwareimages
NOTE InFigure27-22,thesoftwareislabeled“SSLVPNClient,”whichismisleading,becausethe screenreferstoboththeolderclient(SSLVPNClient)andthenewerone(AnyConnectClient).
CiscoSecureDesktop CiscoSecureDesktop(CSD)isaWebVPNenhancementthatprovidesadditionalsecuritytoyourWebVPNsessions—uponloggingin,duringthesession,andwhenending thesession.CSDisastand-aloneJava-basedsoftwarepackagethatprovidesadditional protection to a WebVPN session (clientless orAnyConnect). CSD is supported on the followingoperatingsystems:Windows2000,XP,andVista(thelatterinCSD3.3),Mac OSX,andLinux.
Chapter 27:
ASDM
NOTE CSDpoliciesmustbedefinedfromASDM—theCLIisunsupported.
CSDDynamicAccessPoliciesandPreloginAssessment TheapplianceintegratesCSDfeaturesintodynamicaccesspolicies(DAPs).Depending ontheapplianceconfiguration,thesecurityapplianceusesoneormoreuserattribute values,alongwithoptionalAAAattributevalues,asconditionsforassigningaDAPto auser.CSDfeaturessupportedbytheuserattributesofDAPsincludetheOSoftheuser PC,preloginpolicies,resultsofaBasicHostScan,andEndpointAssessment.TheDAP thenprovides(ordenies)networkaccesstoresourcesatthelevelthatisappropriatefor theend-pointAAAattributevalue. DAPsyoucandefineincludehostscansandpreloginassessments.Youcanhavethe CSDsoftwareperformthefollowing:
▼ B asichostscan IdentifiestheOSandpatches/servicepacksappliedonthe userPC.
■ End-pointassessment Looksforantivirus,antispyware,firewallsoftware,and theappropriatedefinitionupdates.
▲ A dvancedend-pointassessment Withtheappropriatelicense,CSDcanupdate therequiredsecuritysoftwareontheuser’sPC.
Thepreloginassessmentinstallsitselfaftertheuserconnectstotheappliance,but beforetheuserlogsintotheappliance.Thepreloginassessmentcancheckfordefined filesontheuser’sdesktop,certificatesthatareinstalled,theOSversioninstalledonthe userdesktop,theIPaddressontheuser’sNIC,andMSWindowsregistrykeyvalues.
ProtectionsProvidedbyCSD CSDcanprovidefourmainprotectiveservicesforauser’sdesktop:
▼ S ecureSession(commonlycalledSecureDesktop)
■ CacheCleaner
■ KeystrokeLogger
▲ H ostEmulationDetection
The secure session feature, commonly called the Secure Desktop or Secure Vault, isonlysupportedontheWindows2000,XP,andVistadesktop.TheSecureDesktop encryptsdataandfiles(locatedonthediskdriveonly—notmemory)associatedwith ordownloadedduringtheWebVPNsession—thesecanbeeitherclientlessortunnel mode (AnyConnect) connections. Basically the downloaded information is stored in a secure desktop partition that looks like a virtual PC desktop. Upon the WebVPN
679
680
Cisco ASA Configuration
sessiontermination,U.S.DepartmentofDefense(DoD)standardsarefollowedtosafelyandsecurelyremovethepartition. BecausetheSecureDesktopisonlysupportedoncertainWindowssystems,analternativetotheSecureVaultistheCacheCleaner:itsafelydeletesthebrowsercacheand informationassociatedwiththeWebVPNsessionandiscommonlyusedwithclientless connections,wheretheusercannotinstalladditionalsoftwareonthedesktop.TheCache CleanerissupportedonWindows2000,XP,andVista,MacOSX,andLinuxoperating systems. TheKeystrokeLoggerDetectionfeaturecanconfigureapreloginpolicytohaveCSD scanforkeystrokeloggingapplicationsontheuserdesktopandtodenyWebVPNaccess if this kind of application is detected.You can use an option to exempt specified applicationsfromtheexaminationifnecessary.TheKeystrokeLoggerDetectionfeature isdisabledbydefault;ifenabled,itisdownloadedwithSecureDesktop,CacheCleaner, orHostScanpolicies.LiketheSecureDesktopfeature,thisfeatureisonlysupportedon Windows2000,XP,andVistasystems. NOTE Itispossibletoenforceanon-screenkeyboard(OSK)forkeyloggeravoidance.Ausertypes herusername,andthenanOSKpopsupforherpassword,wheresheusesamousetoclickthe charactersinherpassword.ThatwillworkonanyGUIOS.Thisfeatureisactuallyrecommendedfor userswhoconnectfromkiosksorcomputersotherthantheirown. TheHostEmulationDetectionfeatureallowsyoutoconfigureapreloginpolicyto determineifWindows2000,XP,orVistaisrunningwithinvirtualizationsoftwarelike VMware. By default this feature is disabled; if enabled, it is downloaded with Secure Desktop,CacheCleaner,orHostScanpolicies.
ProcessingCSDComponents BecausemanypoliciescanbeconfiguredwithCSD,theyareprocessedinthefollowing orderonlywhenCSDisenabledforaWebVPNsession:
1. Theuserconnectsusingclientlessortunnelmode.
2. P relogindynamicassessmentpolicies(DAPs)cancheckforOStype,existence offiles,registrykeys,certificates,theIPaddressusedbytheuser,keylogging programs,andsoon.
3. Basedontheresultsofthepreloginassessment,eithertheuserwillseeaLogin Deniedmessage,orapreloginpolicynameisassignedtotheuser,andthe nameisreportedtotheappliance.
4. I fenabled,theHostScanisdownloadedandrunsSecureDesktoporCache Cleaner.
5. Theuserisallowedtoauthenticate.
Chapter 27:
ASDM
6. T heapplianceappliesaDAPtothesession,basedonthepreloginpolicy, thehostscanresults,andtheauthenticationdataoftheuser(liketheuser’s policiesorcertificateinformation).
7. U ponloggingoutoftheWebVPNsession,theHostScanterminates,andthe CacheCleanerorSecureDesktopperformsitsclean-upfunctions. NOTE IftheOSontheuserdesktopcannotbedetected,SecureDesktopisnotdownloaded—only CacheCleanercanbeused.
InstallingCSD ToaccessandsetupCSD,gotoConfiguration|RemoteAccessVPN|SecureDesktop Manager|Setup,showninFigure27-23.YoucancopytheCSDfile(“securedesktop_ asa-X.Y.Z.aaaaa-k9.pkg”) manually to flash, or download it via your ASDM session (clickingtheUploadbutton).Onceyouhaveselectedanimagetoinstall,selecttheEnableSecureDesktopcheckbox,andthenclicktheApplybutton.
Figure27-23. InstallingCSD
681
682
Cisco ASA Configuration
NOTE Youcan’tjustcopytheCSDimagetoflashanduseit;youmustalsoinstallit.CSDinformation isstoredinthe“cache:”locationontheASAflash.Toviewit,executedircache:/sdesktop. IfyouwillbeusingtheAnyConnectClientand/orCSDandyoualsoareusingthe CiscoSecurityAgent(CSA)ontheuser’sdesktop,you’llneedtoperformthefollowing additionaltasks:
1. G ototheCiscosite(www.cisco.com/cgi-bin/tablebuild.pl/asa)anddownload the“AnyConnect-CSA.zip”and“CSD-for-CSA.zip”filestotheCSAMC device.
2. ExtracttheEXPORTfilesfromtheZIPpackagefiles.
3. F indthecorrectversionofEXPORTfiletoimportinCSAMC.(Version5.2 EXPORTfilesworkwithCSAMC5.2andlater.)
4. InCSAMC,gotoMaintenance|Export/ImportandimporttheEXPORTfile.
5. AttachthenewrulemoduletoyourVPNpolicyandgenerateyournewrules.
PreloginPoliciesforCSD OnceyouhavecompletedtheCSDpreparationfromtheSetupscreen,younowhaveaccesstootherCSDscreens.WhenyouclicktheSecureDesktopManager|PreloginPolicy optionintheRemoteAccessVPNpane,youareshownthedefaultpolicy. ExplainingPreloginScreenElements Youcanseethefollowinginformationinthecenter pane:
▼ S tart Displayedinblue,thisiconprovidesavisualindicationofthebeginning ofthesequenceofcheckstobeperformedduringthepreloginassessment.You cannoteditthestartnodeicon.
■ Line Connectstwoiconnodestogether.
■ Plussign Clickthisicontoinsertaprelogincheckbetweenthetwoiconnodes oneithersideoftheline.Youcaninsertthefollowingtypesofpreloginchecks:
■
Registry Letsyoudetectthepresenceorabsenceofaregistrykey.
■
File Letsyouspecifythepresenceorabsenceofaparticularfile,its version,anditschecksum.
■
Certificate Letsyouspecifytheissuerofacertificate,andonecertificate attributeandvaluetomatch.(Foradditionalcertificateattributes,create additionalloginchecksforthose.)
■
OSCheck Letsyouconfigurechecksfortheuser’sOS:MicrosoftWindows 2000,WindowsXP,andWindowsVista;Win9x(forWindows98),Mac(for AppleMacOS10.4),andLinux.TheeditorinsertsaFailurelineandLogin DeniedendnodeforremoteconnectionsthatfailtheOSchecks.
Chapter 27:
■
ASDM
IPAddress LetsyouspecifyanIPaddressrangeornetworkaddressand subnetmask.
▲ D efault Thisiconisdisplayedingreenandistheendnodethatspecifiesa preloginpolicynamed“Default.”BydefaultCSDassignsthisprofiletoevery remotePCthatattemptsaVPNsession,ifyouenableCiscoSecureDesktop.You canaddprelogincheckstothispolicyoranyotherpreloginpolicytospecify criteriatomatchbeforeCSDassignsthepolicytoaremoteuser’ssession.
AddingaPreloginPolicy Toaddapolicy,clicktheplusicon,thecirclewithaplussign withinit;you’llbepresentedwithadrop-downselectorwhereyoucanchoosethetype of prelogin assessment that will be performed. In the example in Figure 27-24, an OS checkpolicywasadded,whereonlyWindows2000,XP,andVistaareallowed.Theplus iconwasclickedagain,wherethepolicychosenwasIPAddressCheck.TheAddbutton wasclicked,displayingtherangeorsubnetofaddressesthatareallowed.Youcansee thattheIPAddressCheckpolicywasaddedinFigure27-24.Whenyouaredonewith yourpreloginpolicyassessments,clicktheApplyAllbutton.
Figure27-24. PreloginPolicyexample
683
684
Cisco ASA Configuration
ConfiguringSecureDesktopFeatures WhenyouclicktheSecureDesktopManager|DefaultoptionintheleftpaneforRemoteAccessVPN,youcanchoosetoinstalltheSecureDesktoporCacheCleaner(see Figure27-25).Theformerhaspreference,butitifcan’tbeinstalled,thenCacheCleaner isinstalled.(RememberthatSecureDesktopisonlyavailableonWindows2000andlater platforms.) Configuring Keystroke Logging and Host Emulation The keystroke logging and host emulation check are disabled by default. To enable these checks, under the Remote AccessVPNtabgotoSecureDesktopManager|Default|KeystrokeLogger&Safety Checks(seeFigure27-26).Whenyouenablekeystrokelogging,youcandefinealistof programs/modulesthatareexempted.
Figure27-25. EnablingSecureDesktoporCacheCleaner
Chapter 27:
ASDM
Figure27-26. Enablingthekeystrokeloggingcheck
Configuring Cache Cleaner The Cache Cleaner functionality is enabled by default. To furtherrefineyourconfiguration,undertheRemoteAccessVPNtabgotoSecureDesktop Manager|Default|CacheCleaner(seeFigure27-27).Thisfigureshowstheoptions forconfiguringtheCacheCleanerfeature.TheLaunchHiddenURLAfterInstallation optionchecksforaURLforadministrativepurposesthatishiddenfromtheremoteuser. ThisisusedsothatyouknowthattheuserhastheCacheCleanerinstalled.Forexample, youcouldcreateacookiefileontheuser’sPCandthenlatercheckforthepresenceof theinstalledcookie.TheSecureDeleteoptionspecifiesthenumberofpassesofrandom writes over downloaded content (following DoD standards), ensuring that someone whotriestoexaminethediskspaceafterthefacthaslessofachancedecipheringwhat wasdownloaded. ConfiguringSecureDesktopGeneralAttributes To configure the general attributes for the SecureDesktop,undertheRemoteAccessVPNtab,gotoSecureDesktopManager|
685
686
Cisco ASA Configuration
Figure27-27. ConfiguringCacheCleaneroptions
Default | Secure Desktop General. The following options are available on the Secure DesktopGeneralscreen,showninFigure27-28:
▼ E nableswitchingbetweenSecureDesktopandLocalDesktop Ciscostrongly recommendsthatyouenablethistoletusersswitchbetweenSecureDesktop andtheuntrusteddesktop.Thisfeatureiscalleddesktopswitchingandprovides userswiththeflexibilitytheymightneedtorespondtoapromptfromanother applicationrequiringanokaytoletSecureSessioncontinueprocessing. Uncheckingthisoptionminimizesthepossibleriskwhereausermightleave tracesontheuntrusteddesktop.
■ EnableVaultReuse CheckingthisoptionallowsuserstocloseSecureSession andopenitagainlater,sortoflikeasavefeature.TheSecureSessionbecomes apersistentdesktopthatisavailablefromonesessiontothenext.Ifyouenable thisoption,usersmustenterapasswordtore-accessandrestarttheSecure Session.ThisoptionisusefulifusersarerunningSecureSessiononPCsthat
Chapter 27:
ASDM
Figure27-28. ConfiguringSecureDesktopGeneralsettings
arelikelytobereused,likeahomePC.WhenauserclosesSecureSession,it isnotdeleted.Ifyoudonotenablethisoption,SecureSessionautomatically deletesitself(securely)upontermination.
■
SuggestapplicationuninstalluponSecureDesktopclosing Checking thisoptionpromptstheuserandrecommendsthatSecureSessionbe uninstalledwhenitcloses.Incontrasttotheoptionbelowit,theuserhas thechoicetorefusetheuninstall.
■
ForceapplicationuninstalluponSecureDesktopclosing Checkthisoptionif youdonotwanttoleaveSecureSessiononuntrustedPCsafterusersare done;whenchecked,theSecureSessionuninstallsitselfwhenthesession closes.
■ EnableSecureDesktopinactivitytimeout CheckingthisoptionclosestheSecure Sessionautomaticallyafteraperiodofinactivity.Mousemovementand networktrafficacrosstheVPNrestartstheidletimer.
687
688
Cisco ASA Configuration
■ OpenfollowingwebpageafterSecureDesktopcloses Checkingthisboxand enteringaURLinthefieldensuresthattheSecureSessionautomaticallyopens awebpagewhenitcloses.
■ SecureDelete TheSecureSessionencryptsandwritesitselftotheremote PCdiskdrive.Upontermination,itexecutesaU.S.DepartmentofDefense (DoD)sanitationalgorithm,overwritingthesessioninformationwithrandom charactersXnumberoftimes(passes),wherethedefaultisthreepasses.
▲ L aunchthefollowingapplicationafterinstallation Launchesthespecified applicationafterSecureDesktopcloses.
ConfiguringSecureDesktopSettingsandBrowserScreens TheSecureDesktopSettingsscreen allowsyoutolimittheinteractiontheuserhaswiththedesktop,liketheapplications thatcanbeusedandthediskdrivesthatcanbeaccessed.TheSecureDesktopBrowser screenallowsyoutodefinebookmarksthatappearintheuser’swebbrowser. HereisadescriptionoftheSecureDesktopSettingsyoucanconfigure:
▼ R estrictapplicationusagetothewebbrowseronly Checkingthisletsonlythe originatingbrowserofthesessionandanybrowserhelpersthatyouspecify runwithintheSecureDesktop.Enablingthisoptionlimitstheuser’sabilityto useotherapplications,butincreasessecurity.Youcanaddadditionalprograms onceyouselectthisoptionbyaddingthemtoatextlist.
■ Disableaccesstonetworkdrivesandnetworkfolders Checkingthispreventsa userfromaccessingnetworkresourcesandnetworkdriveswhilerunningthe SecureDesktop.
■ Donotencryptfilesonnetworkdrives Checkingthisletstheusersavefilesto networkdrives.SecureSessiondoesnotencryptthefilesandleavesthefiles behindafterthesessionends.Ifyouuncheck“Disableaccesstonetworkdrives andnetworkfolders”andthisattribute,SecureDesktopencryptsthefilesthe usersavestonetworkdrives,andthenremovesthemuponSecureSession termination.
■ Disableaccesstoremovabledrivesandremovablefolders Checkingthisoption preventstheuserfromaccessingportabledrives,likeflashdrivesandCDs/ DVDswhilerunningSecureDesktop.(Thisoptiononlyappliestothedrives thatMicrosoftlabels“Removable”inWindowsExplorer.)
■ Donotencryptfilesonremovabledrives Checkingthisoptionletstheusersave filestoremovabledrives:theSecureDesktopdoesnotencryptthefilesand leavesthefilesafterthesessionends.
■ Disableregistrymodification Checkingthisoptionpreventstheuserfrom modifyingtheregistryfromwithintheSecureDesktop(recommendedto enablethis).
■ Disablecommandpromptaccess Checkingthisoptionpreventstheuser fromrunningtheDOScommandpromptfromwithintheSecureDesktop (recommendedtoenablethis).
Chapter 27:
ASDM
■ Disableprinting Checkingthisoptionpreventstheuserfromprintingwhile usingtheSecureDesktop.Whendealingwithanytypeofsensitivedata,itis recommendedtocheckthisoption.
▲ A llowemailapplicationstoworktransparently Checkingthisoptionletstheuser opene-mailwhilewithinaSecureDesktopandpreventitfromdeletinge-mail uponterminatingthesession.Whenenabled,theSecureDesktophandles e-mailthesamewaythelocaldesktopdoes.Thisfeatureworksonlywiththese e-mailapplications:MicrosoftOutlookExpress,MicrosoftOutlook,Eudora, andLotusNotes.Whenthisoptionisenabled,anyattachmentsdownloaded arevisiblewithinbothdesktops(SecureDesktop/Vaultandthelocaldesktop).
UsingSecureDesktop Figure27-29showsanexampleoftheSecureDesktop/Vault,orlogicaldesktop.Notice thebuttonsontherightthatallowyoutoswitchtothephysicalcomputerdesktopor closedowntheSecureSession.Noticethelockpictureinthemiddleofthescreen.In thetaskbar(notseeninthefigure),you’llseeayellowiconindicatingthattheSecure Desktopissecure.
Figure27-29. UsingtheSecureDesktop
689
690
Cisco ASA Configuration
Site-to-SiteVPNTab YoucaneasilysetupandmanageIPSecsite-to-site(LAN-to-LANorL2L)connections onyourappliancewhenusingASDM.Fortheinitialsetup,ASDMsupportsawizardfor L2Lconnections.Onceyou’veusedthewizard,changingtheL2Lpoliciesiseasywith ASDM configuration screens. The following two sections will introduce you to these topics. IPSecWizardforL2LConnections ToaccesstheIPSecwizardtosetuptheL2Lconnection, gotoWizards|IPSecVPNWizard,shownpreviouslyinFigure27-15.Intheinitialpopupwindow,youcaneithercreateanIPSecL2Lconnection,orsetuptheEasyVPNServer feature.ChoosetheSite-to-Siteradiobuttonfortheformer.Youalsoneedtochoosethe interfacetheIPSecsessionswillbeterminatedon.Optionallyselectingthecheckboxat thebottomwillconfigurethesysoptconnectionpermit-vpncommand,whichallows decryptedVPNtraffictobeexemptedfromACLcheckswhengoingfromalower-to higher-levelinterface. Herearethescreensyou’llgothroughwhenusingthewizardtosetupyourL2L connection:
▼ S creen1:ChoosethetypeofIPSecVPN:Site-to-SiteorRemoteAccess(Easy VPNServer).
■ Screen2:EnterthepublicIPaddressoftheremotepeer,thepre-sharedkeyor certificatetousefordeviceauthentication,andoptionallychangethetunnel groupname(defaultstotheIPaddressofthepeer).
■ Screen3:Createaphase1policy(thedefaultis3DES,SHA,andDHgroup2).
■ Screen4:Createatransformsetforphase2(thedefaultis3DESandSHA).
■ Screen5:Specifythetraffictoprotectbetweenthetwonetworks;inthe wizard,youcancreatenetworkobjectgroupsthatwillbeusedinyourcrypto ACLsASDMwillcreate.BydefaultASDMwillsetupanaddresstranslation exemptionpolicy(nat0)oftheinternaladdressesbetweenthetwolocations.
▲ S creen6:AcceptyourconfigurationbyclickingtheFinishbutton. TIP Add all your L2L connections using the wizard, since it’s a very quick and simple process; youcanmodifytheconfigurationafterthefactfromtheSite-to-SiteVPNtabontheConfiguration screen.
IPSecAttributesforL2LConnections Onceyou’vesetupatleastonetunnelgroupforan L2L connection, you can change the L2L connection parameters from the Site-to-Site VPNtab.I’llhighlightsomeofthescreenstotuneyourIPSecL2Lconfiguration. ToaddoredittheIPSecL2Lconnectionprofiles,gotoConfiguration|Site-to-SiteVPN tab|ConnectionProfiles,showninFigure27-30.Youcanchangethegeneralconnection propertiesofanL2Lconnectionfromhere,orevenaddanewonewithouthavingtouse
Chapter 27:
ASDM
Figure27-30. L2LIPSecConnectionProfiles
thewizards.TochangegeneralpropertiesforIPSecL2Lconnections,gotoConfiguration| Site-to-SiteVPNtab|Network(Client)Access|Advanced.Fromhere,youcaneditthe cryptomaps,IKEPhase1policies,IKEparameters(likeNAT-T),Phase2transformsets, cryptoACLs,andsoon.
DeviceManagementTab WhenyouclicktheDeviceManagementtabinthebottom-leftcorneroftheConfigurationpane,youcanconfigureotherpropertiesoftheappliancethatdidn’tfallunderany oftheotherConfigurationtabs.Figure27-31displaystheDeviceManagementtaboptions.Theseincluderestrictingmanagementaccesstotheappliance,theimagestoboot fromoruse,failover,logging,usernamesandAAA,obtainingandmanagingcertificates, DHCPsettings,DNSserversandsettings,andotherproperties.
691
692
Cisco ASA Configuration
Figure27-31. DeviceManagementtab
ASDMMONITORINGSCREENS TheMonitoringsectionofASDMallowsyoutoseeinformation,sometimesinanearreal-timefashion,forprocessesrunningontheappliance.Youcanviewgraphsofstatisticalinformation,likeinterfacestatistics,aswellasinformationaboutexistingconnections.YoucanaccessthemonitoringscreensbyclickingtheMonitoringbuttonatthetop ofASDM.WhenclickingtheMonitoringbutton,youcanseevariousmonitoringtabsin theleftpane:
▼ I nterfaces
■ VPN
■ Routing
■ Properties
Chapter 27:
■ Logging
▲ I PS/CSC(ifyouhaveeitherofthesemodulesinstalled)
ASDM
ThefollowingsectionswillbrieflydiscussthemonitoringscreensavailableinASDM.
InterfacesTab Toaccessinterfacestatistics,gotoMonitoring|Interfaces.Fromhereyoucanviewthe applianceARPtable,DHCPserverstatistics,interfacestatistics,andPPPoEclientinformation.Figure27-32showsanexampleofthedisplayingInterfacestatistics:fromthe Interfacestab,Ifirstselectedtheinterface(inside)intheInterfaceGraphspaneandthen selectedBitRatesinthemiddlepane.IthenclickedtheAddbuttontoaddtheinformationtothegraph,andclickedtheShowGraphsbuttonatthebottomofthescreen.Awindowpoppedup,displayingtheKbpsoftrafficenteringandleavingtheinsideinterface. NOTE The fastest that monitoring statistics can be updated is every 10 seconds in the pop-up window.
Figure27-32. Interfacestatistics
693
694
Cisco ASA Configuration
VPNTab WhenyouclicktheVPNtabintheleftpane,youcandisplaystatisticsrelatedtoVPN sessionsandtunnels:EasyVPNRemotes,L2Lconnections,L2TPsessions,andWebVPN (clientlessandAnyConnect)sessions.Asanexample(seeFigure27-33),IwenttoMonitoring|VPN|VPNStatistics|Sessions.AtthetopisasummaryoftheVPNsessions connected to the appliance. In the Filter By drop-down selector in the middle pane, I qualifiedtheoutputtojustWebVPNclientlesssessions,ofwhichcurrentlyonesession isactive.
RoutingTab WhenyouclicktheRoutingtabintheleftpane,youcanviewdynamicroutinginformationontheappliance(OSPFand/orEIGRP)andtheapplianceroutingtable.Figure27-34 displaystheapplianceroutingtable,whichwasaccessedbygoingtoMonitoring|Routing|Routes.Inthisexample,youcanseemultipleconnectedroutesaswellasonedefault (static)route.
Figure27-33. VPNsessions
Chapter 27:
ASDM
Figure27-34. Routingtable
PropertiesTab ThePropertiestabissortofacatchallfortheremainingstatisticalinformationonthe appliance.Fromthistabyoucanviewstatisticsonwho’sloggedintotheappliance,connectionsintheconnandxlatetables,failover,systemresources(likeCPUandmemory usage),andmanyothers.Asanexample(seeFigure27-35),IwenttoMonitoring|Properties|SystemResourcesGraphs|CPU,clickedCPUUtilizationundertheAvailable Graphscolumnintheadjoiningpane,clickedtheAddbutton,andthenclickedtheShow Graphsbutton.ThisdisplaystheCPUutilizationoftheapplianceinthepop-upwindow ontherightofFigure27-35.
LoggingTab YoucanviewthelogginginformationintheASAbufferwithinASDM—assumingyou’ve enabledthisfeature.ThisinformationcanbeviewedfromtheASDMhomepageorby
695
696
Cisco ASA Configuration
Figure27-35. CPUutilization
goingtoMonitoring|Logging.Theformershowsanear-real-timeupdateoflogmessages intheappliancememory(buffer).WhengoingtoMonitoring|Logging,youcanopena separatepop-upwindowwhereyoucanviewtheinformationinthecurrentbufferorina windowwhereyoucanviewanear-real-timeupdateoflogmessages.Figure27-36shows thelogmessagesintheappliancebuffer.Onehandyfeatureaboutlogginginthepop-up windowisthatyoucanclickaparticularlogmessageandseeanexplanationofitinthe bottompane. TIP Another nice feature ofASDM logging is that for certain log messages that deal withACL matches,youcanselectthelogmessage,andclicktheCreateRuletoolbarbuttonatthetopofthe middlepanetocreateanappropriateACLentrytopermit(ordeny)thetrafficinquestion.
Chapter 27:
ASDM
Figure27-36. Viewingloggingmessages
ASDMANDCONTEXTS YoucanalsouseASDMinmultiplemode.First,youswitchtomultiplemode,createyour contexts,allocatetheirinterfaces,andconfiguretheirconfigurationfileURLs.Thiswas discussed in Chapter 22. Then switch to the administrative context with the changeto contextcommand,andrunthesetupcommandfromwithintheadministrativecontext. Onceyouhavedonethis,youcanaccesstheapplianceusingASDMviatheadministrativecontext.Thefollowingsectionswilldiscussaccessingtheadministrativecontextand systemaswellassettingupfailover. NOTE When usingASDM to access the system area, you must first log into the administrative context.
697
698
Cisco ASA Configuration
InitialAccessandContextManipulation Onceyou’vecreatedyourcontextsfromthesystemareaandatleasthaverunthesetup commandintheadministrativecontext,youcanthenaccesstheapplianceusingASDM. TheinitialaccessisshowninFigure27-37,whereyoucanseetheDeviceListintheleft paneandthehomepagefortheadministrativecontext,calledadmin.TheDeviceList allowsyoutoswitchtodifferentcontextsortothesystemarea,oreventodifferentsecurityappliances.Eachcontext,aswellasthesystemarea,youcansecureindividually. Whenswitching,you’llneedtoprovidetheappropriateauthenticationcredentialstothe appliance,context,orsystemareathatyouareaccessing.ThereareConfigurationand Monitoringbuttonsavailableforeachcontextandsystemarea. Toswitchtothesystemarea,double-clicktheSystemiconintheDeviceList.Youcan seetheHomescreenofthesystemareainFigure27-38.Onthesystemareahomepage,
Figure27-37. Initialaccessviatheadministrativecontext
Chapter 27:
ASDM
Figure27-38. Systemareahomepage
youcanseetheinterfacesandthecontextstheyareassociatedwith,thetotalconnectionsacrossallthecontextsortheconnectionspercontext,andtheCPUandmemory usage.ClickingtheConfigurationbuttonwheninthesystemareaallowsyoutosetup theinterfaces,contexts,andsystemresourcesundertheContextManagementtab,seen inFigure27-39. TIP Wheninmultiple-contextmode,gotoFile|SaveAllRunningConfigurationsToFlashtosave thesystemareaandallothercontextconfigurationstoflashmemory.
699
700
Cisco ASA Configuration
Figure27-39. SystemareaContextManagementtab
Failover Failover can be set up in single or multiple mode...from the CLI and/orASDM. I’ll wrapupthischapterbybrieflydiscussingfailoverinmultiplemode(theprocessissimilarwhentheapplianceisrunninginsinglemode).TheHighAvailabilityandScalability Wizard allows you to set up active/active failover, active/standby failover, and VPN clustering(thelatterfeatureisonlyfortheASA5510sandhigher).Thewizardcanbe
Chapter 27:
ASDM
Figure27-40. HighAvailabilityandScalabilityWizard
accessedbyfirstaccessingthesystemareaandthengoingtoWizards|HighAvailability andScalabilityWizard.ThewizardisshowninFigure27-40.Youcantunethefailover processafterthefactfromtheConfigurationscreens(gotoConfiguration|DeviceManagement|HighAvailabilityinthesystemarea).
701
This page intentionally left blank
INDEX Referencestofiguresareinitalics. 4GESSM,28
▼
A
AAA,639 authenticationexample,641 components,208 example,208–209 localauthenticationdatabase, 640–641 overview,208 protocols,209–211 servercommandauthorization, 644–645 serverconfiguration,211–213 accesscontrollists.SeeACLs
accounting.SeeAAA;CTP ACLs,9–10,152 activation,160 applianceandIOSrouterACL comparison,152–153,154 appliancewiththreeinterfaces, 166–170 appliancewithtwointerfaces, 163–165 cryptoACLs,400 deleting,162 Ether-TypeACLs,518 extended,156–157 IPv6ACLs,242–244 logging,158–159 non-IPtrafficandEther-Type ACLs,518 processingof,153–155 remarks,157
703
704
Cisco ASA Configuration
ACLs(cont.) sequencedACLs,161 standardACLs,155–156 timedACLentries,153,159–160 andtrafficflow,515 updating,161–162 usingwithaddresstranslation policies,131 verification,160–161 webtypeACLs,464–465 activemode,110 active/activefailover,17–18,547–548 exampleconfiguration,570–576 LAN-basedfailover(LBF),566–569 optionalcommands,569–570 Seealsofailover active/standbyfailover,17,546 exampleconfiguration,561–566 LAN-basedfailover(LBF),558–560 optionalcommands,560–561 PIXsandtheserialcable,555–558 Seealsofailover ActiveX,190–191 configuringActiveXfilters,192 filteringsolutions,191 AdaptiveorApplianceSecurityDevice Manager.SeeASDM AdaptiveSecurityAlgorithm(ASA),7 AdaptiveSecurityDeviceManager. SeeASDM addressresolutionprotocol(ARP),70 addresstranslation,18–19 advantagesof,120–121 creatingglobaladdresspools, 130–131 disadvantagesof,121–122 findingamatchingtranslation policy,141–142 identifyinglocaladdressesfor translation,129–130 interfacePATexample,133 NATandPATexample,133 NATexample,123–125,132
needsfor,120 PATandIdentityNATexample, 134–135 PATexample,125–128 PATexamplewithtwoglobal pools,134 PolicyIdentityNATexample, 137–138 PolicyNATexample,136–137 privateaddresses,119–120 requiringaddresstranslation, 128–129 termsanddefinitions,122,123 three-interfaceNATexample, 135–136 usingACLswithaddress translationpolicies,131 Seealsodynamicaddress translation AdvancedInspectionandPrevention SSM.SeeAIP-SSM AH,issues,375–376 AIP-SSM,22 modules,29 AIP-SSMcards,265–267,598 accessingtheAIP-SSMCLI, 601–602 assigningvirtualsensorsto contexts,603–606 fail-openandfail-closepolicies,599 hardwaremodulecommands,614 inlinemode,599 promiscuousmode,599 setupscript,602–603 trafficand,599–600 trafficforwardingto,600–601 Anti-Xcard,21,264–265 AnyConnectclient AnyConnectclientusagepolicy, 493–494 ASApreparationfor,491–493 clientinstallationpolicies,494 clientprofiles,499–501
Index
connectingtoaWebVPNserver, 501–504 connections,489–490 copyingthePKGfiletoFlash, 491–492 DTLSasatransport,496–497 enabling,493 implementation,489 installing,501 modules,495 MTUsizeadjustment,496 overview,488,490–491 rekeyingtunnelsessions,496 specifyingtheuseof,492–493 temporaryorpermanentclient installation,494–495 using,502–503 viewingandmanagingconnected clients,504–505 WebVPNtunnelgroups,497–499 applicationproxy,193–194 applications andembeddedaddressing information,111–112,250–251 withmultipleconnections,110–111, 249–250 andsecurityissues,112–113 securityweaknessesin,249 AreYouThere(AYT),421 ARPinspection,519 configuration,519 verification,519–520 ASA cabling,550–551 configurationexample,73–74 features,4 management,6–7 ASA5505,18,24–25 configurationexample,449 interfaceconfiguration,59–61 remoteclient,445–448 ASA5510,25–26,27 ASA5520,25–26,27 ASA5540,25–26,27
ASA5550,25–26,27 ASA5580,26–28 ASAmodels,licenselimits,114 ASDM,7,35 AccessRuleselement,665–666 AnyConnectclient,675–678 basicconfigurationcommands,651 CiscoSecureDesktop,678–679 CLItool,659 ClientlessWebVPN,671–675 configurationscreens,663 andcontexts,697–700 DeviceDashboard,654,655,662 DeviceManagementtab,691–692 DeviceSetupconfiguration, 663–664 EasyVPNServersetup,669–671 failover,700–701 Filemenu,655–656 Firewallconfiguration,664–665 FirewallDashboard,654,662–663 Helpmenu,661 HighAvailabilityandScalability Wizard,661,700–701 homescreen,654–663 interfacestatistics,693 IPSecVPNWizard,661, 669–671,690 logginginformation,695–697 monitoringscreens,692–697 NATRuleselement,666–667 overview,648 PacketCaptureWizard,661 packettracer,658–659 Preferencestool,660 properties,695 RemoteAccessVPNconfiguration, 668–669 requirements,648–649 restrictions,649 routinginformation,694–695 ServicePolicyRuleselement, 667–668 setupscript,650
705
706
Cisco ASA Configuration
ASDM(cont.) Site-to-SiteVPNtab,690–691 SSLVPNWizard,661,671–678 StartupWizard,653–654,661 supportingbothWebVPNand, 456–457 toolbarbuttons,661–662 Toolsmenu,657–660 versions,649 Viewmenu,656–657 VPNstatistics,694 webbrowseraccess,652–653 Windowmenu,661 Wizardsmenu,660–661 asterisks,316 authentication.SeeAAA;CTP authorization.SeeAAA;CTP autoupdate,428–430,632–633
▼
B
banners,54 BaseandSecurityPluslicense,31 bi-directionalPIM,100,101 bootupsequence,36–37,633–634 bridges,vs.transparentmode,511–513 bufferingwebserverrepliesto users,199
▼
C
CallManager,335–336 CAs,380–381 certificategroupmatching,392–394 dateandtime,382 fileenrollment,387–388 identitycertificates,381 identityinformationonthe certificate,381 keypairs,381–382 networkenrollmentusingSCEP, 384–387
rootcertificates,381 savingcertificates,390 troubleshooting,391–392 trustpointconfiguration,383–384 andtunnelgroups,392 viewingcertificates,391 certificateauthorities.SeeCAs certificategroupmatching,470 CertificateRevocationLists(CRLs),381, 388–389 CheckPoint,5 CiscoIOSrouters,9–10 CiscoSecureAccessControlServer. SeeCSACS CiscoSecureDesktop.SeeCSD CiscoSecureManager.SeeCSM classmaps applicationlayer,256–260 configurationexample,256 default,254–256 inspection(layer7),252–253,260 layer3/4,252,253–254 management,253 regularexpressions,253,256–260 clearcommands,51–52 clearxlatecommand,148–149 clear-textURLs,processing,197 CLI,7,34,36,659 ASAandrouterIOSCLI comparison,41–43 commandabbreviation,42 Configurationmode,39–40 context-sensitivehelp,41–42 editingfeatures,43 historyrecall,42–43 levelsofaccessandpromptsthat gowiththem,38 packettracer,181–182 PrivilegeEXECmode,39 prompt,37 remoteaccess,65–68 restrictingaccessto,639–641 ROMMONmode(Monitormode), 40–41
Index
terminalemulationsettingsfor appliance’sconsoleaccess,35 upgrades,632 UserEXECmode,38–39 client-updatecommand,429–430 clustering,437–439 commandabbreviation,42 commandauthorization,642 enablingpasswordcommand authorization,642–644 localuserdatabasecommand authorization,644 command-lineinterface.SeeCLI commands clear,51–52 copy,49–50 fordevicenames,53 forhostanddomainnames, 52–53 write,51 companies,andcontexts,525 conduits,15 conntable,7,113,146 clearingentriesin,148–149 connectedroutes,77 connection-orientedprotocols,106 SeealsoTCP connections,113 embryonic,117 limits,113–114,261–264 removing,114–115 TCPconnectionexample, 115–118 troubleshooting,181–187 viewingactiveconnections, 146–147 connectivitytesting addressresolutionprotocol (ARP),70 ping,68–69 traceroute,69–70 consoleauthentication,639–640 contexts,20,31,524 chaining,526–527
andcompanies,525 creation,530–531 definingresourcelimits,533 designatingtheadministrative context,529–530 examples,536–540 andfailover,525 implementation,526–527 andISPs,525 andlicensing,524 MACaddressesand,530 properties,526 removing,536 restrictions,525 savingconfigurations,535 supportedresourcelimits,532 switchingbetween,535 switchingtomultiplemode, 528–529 systemarea,526,529 trafficclassification,527–528 uses,524 verification,531–532 viewingcontextresource allocations,533–534 context-sensitivehelp,41–42 controlplanefiltering,179 copycommands,49–50 CPUutilization,72–73 CRACK,375 cryptoACLs,400 cryptomaps,402–404 dynamiccryptomaps, 430–431 staticcryptomaps,431–432 CSACS,11,209 configuration,212–213 CSC-SSM,21 modules,29–30 CSC-SSMcards,264–265,606 forwardingtrafficto,607–609 hardwaremodulecommands,614 settingup,609–612 trafficand,606–607
707
708
Cisco ASA Configuration
CSD,678–679 CacheCleaner,684,685 configuringgeneralattributes, 685–689 configuringkeystrokeloggingand hostemulation,684–685 dynamicaccesspoliciesand preloginassessment,679 installingCSD,681–682 preloginpolicies,682–683 processingCSDcomponents, 680–681 protectionsprovidedby,679–680 using,689 CSM,7,35 CTIQBEinspection,340 applicationlayerinspection features,341 connectionverification,342 layer3/4policymaps,342 setupofCTIQBEVoIPconnections, 340–341 CTP,11–13 accounting,230–231 applianceauthorization configuration,227–228 applianceconfigurationfor accounting,230–231 appliancedownloadableACL configurationandverification, 229–230 authentication,213–224 authorization,224–230 changingauthentication parameters,216–217 classicmethodfor authorization,225 controllingaccessfornonsupported applications,219–222 controllingauthenticatedaccessto multipleservices,225 controllingauthentication,217–219 CSACSclassicauthorization configuration,226–227
CSACSdownloadableACL configuration,228–229 CSACSreports,231 downloadableACLauthorization method,226 overview,214–215 usersaccessingmultiple services,224 verifyingserverinteraction, 222–223 viewingauthenticatedusers, 223–224 Cut-throughProxy.SeeCTP
▼
D
dataconnections,110 DCE/RPC exampleconfiguration,281 inspectionpolicies,280–281 policyconfiguration,280–281 DeadPeerDetection(DPD),413,497 debugcommands,485–486 defaultroutes,77 definedstatemachines,107 densemode(DM),100 designatedrouters(DRs),102 devicenames,commands,53 DHCP,620 clients,62–63 relay,622–623 serverconfigurationand verification,620–622 DNSDoctoring.SeeDNSinspection DNSinspection,296 defaultconfiguration,301 DNSapplicationlayerpolicies, 298–299 DNSA-recordtranslation, 297–298 DNSGuard,109,296–297 DNSpacketlengthverification,297 exampleconfiguration,301–302
Index
layer3/4policyconfiguration, 300–301 layer7classmaps,299 layer7policymaps,299–300 DNSlookups,457–458 domainnames,commands,52–53 dynamicaccesspolicies(DAPs),679 dynamicaddresstranslation,configuring, 129–138 dynamicaddressing DHCPclients,62–63 dynamicDNS,65 PPPoverEthernet(PPPoE),63–65
▼
E
EasyVPN clientmode,442–444 connectionmodes,443 connectivity,413–414 EasyVPNremote,410 exampleserverconfiguration, 449–450 features,412–413 networkextensionmode,444–445 networkextensionplusmode,445 overview,410–411 products,411–412 supportedIPSecstandards,412 editing,controlsequencesfor,43 EIGRP,76,91 authentication,92 basicconfiguration,92 routefiltering,94 summarization,93 verification,94 embryonicconnections,117 ESMTPinspection,302 exampleconfiguration,305–306 features,302–303 policyconfiguration,303–305 ESP,issues,375–376 Ether-TypeACLs,518
▼
F
failover,15,542 active/active,17–18,547–548, 566–576 active/standby,17,546,555–566 addressingand,546–547 ASAcabling,550–551 communications,551–552 andcontexts,525 failoverlink,548 hardware,16,542 interfacemonitoring, 553–554 LAN-basedfailover cable,549 licenserequirements,544 linkmonitoring,553 PIXcabling,550 requirements,543–544 restrictions,545 serialcable,548–549 softwareupgrades,545 stateful,16–17,542–543 statefullink,549–550 supportedmodels,543 switchconnections,554 triggers,552–553 typesof,542–543 FinesseOperatingSystem (FOS),5 firewallapplications,5 firewalls,4 formultimediaapplications, 348–349 vs.securityappliances,249 Seealsostatefulfirewalls; transparentfirewalls;virtual firewalls flash,48 filesand,630–631 Seealsostartup-config fragmentationlimits,594–595
709
710
Cisco ASA Configuration
FTPinspection,306 controlconnection,306 dataconnections,307 exampleconfiguration,311 features,309 layer3/4policymaps, 310–311 layer7classmaps,309–310 layer7policymaps,310 passivemode,308–309 standardmode,306–308 FTPURLprocessing,198
▼
G
GigabitEthernetmodules,28–29 grouppolicies,417 attributes,418–424 configuring,460–465 external,418 filteringcontent,464–465 homepageelements, 461–464 internalpolicies,461 local,418 location,417–418 overridingonaper-userbasis, 465–467 restrictingdownloadsand uploads,465 supportedfirewallsandtheir parameters,421 Guard,144
▼
H
H.323inspection callcontrolconnection,359 connections,357 connectionswithterminalsand agatekeeperforaddress translation,360–361
connectionswithterminalsand agatekeeperforsignalingand control,361–362 Directmode,360 exampleconfiguration, 366–367 features,362–364 findingandconnectingto agatekeeper,357–358 H.323andH.225timeouts,366 H.323monitoringand verification,366 layer3/4policymaps,366 layer7classmaps,364 layer7policymaps,364–365 overview,355–356 Routingmode,361 signalingconnection,359,361 supportedapplications,356 typesofdevices,356–357 usingonlyterminalstoestablish connections,358–360 half-openconnections,22 hardware,23–28 hardwarefailover,16,542–543 Seealsofailover hardwaremodules,28–30 commands,614 hardwareremote,basicclient configuration,447–448 historyrecall,42–43 homeportal loginscreen,471 overview,471–473 tabs,473–475 hostnames,commands,52–53 HTTPinspection exampleconfiguration, 317–318 features,313–314 layer3/4policymaps,317 layer7classmaps,314–316 layer7policymaps,316 HTTPSURLprocessing,198
Index
▼
I
ICMP inspectionconfiguration,279–280 inspectionpolicies,278–280 issues,278–279 objectgroups,174 overview,109 ICMPfiltering,177 example,180–181 ICMPtrafficdirectedatappliances, 179–181 ICMPtrafficthroughappliances, 178–179 restrictingICMPtrafficdirectedat appliances,180 ICMPv6packets,filtering,242–243 IdentityNAT,129 andPATexample,134–135 IGMP interfaceconfiguration,97–98 limitingtheIGMPproxyprocess, 98–99 proxying,96–97 ILS/LDAP connections,284–285 exampleconfiguration,285 inspectionpolicies,284–285 policyconfiguration,285 IMinspection,318 exampleconfiguration,320 layer3/4policymaps,320 layer7classmaps,318–319 layer7policymaps,319–320 implicitdenystatements,153 inboundconnections,56 incomingconnectionrequests TCP,107–108 UDP,109 inspectionpolicies DCE/RPC,280–281 ICMP,278–280 ILS/LDAP,284–285
IPSecPass-Thru,287–288 NetBIOS,285–287 PPTP,288–289 SunRPC,281–284 XDMCP,289–293 instantmessaginginspection.SeeIM inspection InteractiveUnitAuthentication (IUA),446 interfacetests,553–554 interfaces ASA5505interfaceconfiguration, 59–61 logicalnames,56 physicalinterfaceconfiguration, 57–58 physicalnames,55–56 securitylevels,56–57 verification,61–62 VLANconfiguration,58–59 InternetControlManagementProtocol. SeeICMP InternetworkOperatingSystem (IOS),5 intrusiondetectionsystem(IDS),22 intrusionpreventionsystem(IPS),22 IPaudit,587 configuration,590 signatures,587–590 IPScard,265–267 IPSec overview,372 remoteaccessserver,434–436 sameinterfacetraffic,373 sessionsterminatedbehindthe appliance,377–378 sessionsterminatedonthe appliance,377 settingupanIPSecconnectionto aremoteIPSecpeer,372–373 IPSecoverTCP,376–377 IPSecoverUDP,422 IPSecPass-Thru,inspectionpolicies, 287–288
711
712
Cisco ASA Configuration
IPSecsite-to-siteconnection connectionlifetimes,401 cryptoACLs,400 cryptomaps,402–404 example,407–408 ISAKMPPhase1configuration,397 ISAKMPPhase2configuration, 399–404 preparation,396 transformsets,400–401 troubleshootingconnections,407 tunnelgroupconfiguration, 397–398 viewingandclearingconnections, 405–406 VPNtrafficandaddresstranslation, 398–399 IPv6 ACLs,242–244 capabilitiesoftheappliances, 234–235 duplicateaddressdetection, 236–237 filteringpackets,243–244 globaladdressconfiguration, 237–238 interfaceconfiguration verification,238 limitationsoftheappliances,235 link-localaddress configuration,237 neighborsolicitationmessages,237, 240–241 neighbors,239–242 overview,234 routeradvertisementmessages, 241–242 routing,238–239 statelessautoconfiguration,236–237 staticneighbordefinition,241 traffic,20 ISAKMP,373 aggressivemode,374 disconnectnotice,374
enabling,374 globalproperties,373–374 identity,374 mainmode,374 Phase1configuration,397, 416–417 Phase2configuration,399–404, 430–432 policies,375 ISPs,andcontexts,525
▼
J
Java,190–191 configuringJavafilters,191–192 filteringsolutions,191
▼
K
Kerberos,210
▼
L
L2Lconnections,690–691 layer2processing,510–515 LEAP,422 licensekeys,30–31,634–635 licensing,30–31 andcontexts,524 andfailover,544 licenselimitsofASAmodels,114 loadbalancing,436–439 localhostinformation,viewing, 147–148 logging,625 configuration,627–628 configurationexample,628 levels,626 messagecontents,626 verification,628 loginbanners,54
Index
▼
M
MACaddresses,contextsand,530 managementaccounting,645 matchcommand,253,254 e-mailpolicyparametersfor, 304–305 HTTPpolicyparameters for,315 memoryusage,72 MGCPinspection,342–343 callagent,342 connections,343–344 exampleconfiguration,345–346 layer3/4policymaps,344–345 layer7policymaps,344 mediagateway,343 signalinggateway,343 timeouts,345 verification,345 modifiedproxy,194–195 ModularPolicyFramework.SeeMPF monitormode,configuring,636–637 MPF,248 components,251 needsfor,249–251 policies,248–249 Seealsoclassmaps;policymaps; servicepolicies multicasting,19–20,95 multicastusage,96 stubmulticastrouting(SMR), 96–100 trafficandappliances,95 multimedia commonproblems,348 firewallsolutions,348–349
▼ NAT
N example,123–125,132 NATandPATexample,133
three-interfaceNATexample, 135–136 SeealsostaticNAT NATTraversal,SeeNAT-T NAT-T376 neighborsolicitationmessages,237, 240–241 NetBIOS,inspectionpolicies,285–287 networkattackprevention,22–23 networkobjectgroups,173 NetworkTimeProtocolSeeNTP not-so-stubbyareas.SeeNSSAs NSSAs,88 NTP,624–625
▼
O
objectgroups,19,171 advantagesof,171 configurationexample,176–177 creating,171–172 deleting,174–175 descriptions,172 displaying,174 ICMP,174 nesting,172–173 network,173 objecttypesfor,172 protocol,173 service,173 using,175–176 one-timepasswords(OTPs),13 OnlineCertificateStatusProtocol (OCSP),381,390 operatingsystems,5 proprietary,6 upgrades,631–633 OSPF,19,76,84–85 areastubs,87–88 authentication,86–87 basicconfiguration,85–86 interfaceparameters,86 not-so-stubbyareas(NSSAs),88
713
714
Cisco ASA Configuration
OSPF(cont.) routefiltering,89 routeredistribution,89–91 summarization,88–89 verification,91 outboundconnections,56 outboundfilters,15 outgoingconnectionrequests TCP,107 UDP,108–109
▼
P
packetcapture,184 copyingcapturedpackets,187 creatingapacketcaptureprocess, 184–186 managingpacketcapturing,187 parameters,184–185 viewingcapturedpackets,186 packetfilteringfirewalls,vs.stateful firewalls,9–10 packettracer,181–183,658–659 passiveRIP,19 passwordrecovery file,636,637 performingtheASApassword recoveryprocess,638–639 performingthePIXpassword recoveryprocess,636–637 restrictingtheprocess,635–636 passwords PrivilegeEXECpassword,54 UserEXECpassword,53–54 PAT example,125–128 examplewithtwoglobalpools,134 andIdentityNATexample, 134–135 interfacePATexample,133 NATandPATexample,133 SeealsostaticPAT per-userlicensing,31
PIMmulticastrouting,100 densemode(DM),100 sparsemode(SM),100 PIMroutingprotocol,100–101 designatedrouters(DRs),102 andinterfaces,101 staticRPs,101 PIM-SM,100,101 ping,68–69 PIX,18 cabling,550 PKCS#10,381 plug-ins,480 importing,480 using,480–481 policingpolicy,267–268 PolicyIdentityNAT,example,137–138 policyimplementation,13–15 policymaps activatingalayer3/4policymap, 274–275 AIP-SSMcard,265–267 connectionlimits,261–264 CSC-SSMcard,264–265 defaultlayer3/4,270–271 layer3/4,260,261–271 layer7,261,271–274 prioritizationandqueuing,268–269 rate-limitingpolicy,267–268 syntax,261 trafficinspection,269–270 Seealsoservicepolicies PolicyNAT,example,136–137 portaddressredirection(PAR). SeestaticPAT portforwarding,476–479 PPPoverEthernet(PPPoE),63–65 PPTP,inspectionpolicies,288–289 Preferencestool,660 prioritization,268–269 PrivateInternetExchange.SeePIX PrivilegeEXECpassword,54 proprietaryoperatingsystems,6 protocolobjectgroups,173
Index
protocols,110 AAA,209–211 Seealsoindividualprotocols proxyARP,136
▼
Q
queuing,268–269
▼
R
RA.Seerouteradvertisementmessages RADIUS,210 RAM,48 Seealsorunning-config rate-limitingpolicy,267–268 redundancy,15–18 regularexpressions,253,256–257 creating,257–259 grouping,259 specialcharacters,257–258 testing,259 re-imagingSSMcards,615–616 remoteaccess,65–68 disconnectingusers,434 IPSecserverexample,434–436 preparation,414–416 verification,432–434 viewingconnections,432–434 remotemanagement dateandtime,623–624 manualdateandtime,624 networktimeprotocol, 624–625 rendezvouspoints.SeeRPs reversepathforwarding.SeeRPF RFC1918,119 RIP,76,82 configurationexample,84 globalconfiguration,82 interfaceconfiguration,83 verification,83–84
routedmode,vs.transparentmode, 510–511 routeradvertisementmessages,241–242 routing,19–20 administrativedistance,76–77 recommendations,76 staticroutes,77–82 RPF,593–594 RPs,100 staticRPs,101 RSHinspection,321 connections,321–322 policyconfiguration,322 RTCP,351 RTSPinspection controlconnections,350 errorconnections,350 exampleconfiguration,355 layer3/4policymaps,354 layer7classmaps,353 layer7policymaps,354 multimediaconnections,350 overview,349 RealNetworksRDTmode,352 standardRTPmode,350–352 TCPmode,353 running-config,48 viewingpartialconfigurations,49
▼
S
SAs,399 SCCPinspection,335 applicationlayerinspection features,337 connectionverification,339 exampleconfiguration,339–340 layer3/4policymaps,338–339 layer7policymaps,338 setupofSCCPVoIPconnections, 335–336 SCEP,384–387 SecureDesktop.SeeCiscoSecureDesktop
715
716
Cisco ASA Configuration
secureshell.SeeSSH secureunitauthentication(SUA),446 securityalgorithm,7 securityappliances,4 vs.firewalls,249 securityassociations.SeeSAs SecurityPluslicense,31 SequenceNumberRandomization. SeeSNR sequencedACLs,161 serviceobjectgroups,173 servicepolicies activatingalayer3/4policymap, 274–275 verification,275 setupscript,46–48 showcommands,485 showconncommand,146–147 showlocal-hostcommand,147–148 showxlatecommand,144–145 shunnedhosts,584 signalingconnection,328–329 SimpleCertificateEnrollmentProtocol. SeeSCEP SIPinspection,328 applicationlayerinspection features,329–330 connectiontimeout,333–334 connectionverification,334 exampleconfiguration,334–335 layer3/4policymaps,333 layer7classmaps,331 layer7policymaps,332–333 setupofSIPVoIPconnections, 328–329 smarttunneling,481–485 smartcardsystems,13 SmartFilter,195 SMTPinspection,302 exampleconfiguration,305–306 features,302–303 policyconfiguration,303–305 SNMP,629 traps,630
SNMPinspection,322 exampleconfiguration,323 policyconfiguration,322 SNMPmaps,322 SNR,10–11 sparsemode(SM),100 splittunneling,413,423–424 SQL*Netinspection,323 connections,323–325 policyconfiguration,325 SSH,67–68 SSLVPNs,21 clientlessmode,453 overview,452 thinclientmode,453 tunnelmode,453–454 SeealsoAnyConnectclient SSMcards hardwaremodulecommands,614 re-imaging,615–616 verifyingoperationalstatus, 612–613 SeealsoAIP-SSMcards;CSC-SSM cards startup-config,48 viewing,49 statefulfailover,16–17,542–543 Seealsofailover statefulfirewalls,7–9 andapplicationswithmultiple connections,110–111 andembeddedaddressing information,111–112 vs.packetfilteringfirewalls,9–10 andsecurityissues,112–113 staticNAT example,139–140 syntax,138–139 staticPAT,140–141 staticroutes,77 configurationexample,80 configuration,78–79 routeverification,79 tracking,80–82
Index
staticRPs,101 stealthyappliances,179 stubmulticastrouting(SMR),96 configurationexample,99–100 IGMPprotocolandproxying,96–97 interfaceconfigurationforIGMP, 97–98 limitingtheIGMPproxyprocess, 98–99 stubs,87–88 subnetmasks,153 SunRPC configuringalayer3/4SunRPC policy,282 controllingSunRPCservices, 282–283 exampleconfiguration,283–284 inspectionpolicies,281–284 suppressingRAmessages,241–242
▼
T
TACACS+,210–211 TCP connectionexample,115–118 overview,106–108 TCPIntercept,143 withSYNcookies,143–144 TCPnormalization,22,590–591 configuringTCPnormalization maps,591–592 example,593 usingTCPnormalizationmaps, 592–593 TCPSYNfloodattacks,143–144 telnet,66 VirtualTelnet,219–221 TFTPinspection,312 policyconfiguration,313 threatdetection basicthreatdetection,578–579 basicthreatdetectionconfiguration, 579–581
basicthreatdetection thresholds,580 basicthreatdetectionverification, 581–582 scanningthreatdetection,582 scanningthreatdetection configuration,582–583 scanningthreatdetection verification,583 shunnedhosts,584 statistics,584–586 timedACLentries,153,159–160 timedranges,159–160 traceroute,69–70 TrafficAnomalyDetector,144 trafficfiltering,19 trafficflow,andACLs,515 transformsets,400–401 translations,113,115 viewingactivetranslations,144–145 TransmissionControlProtocol.SeeTCP transparentfirewalls,20–21 exampleconfiguration,520–521 Seealsotransparentmode transparentmode,515–516 vs.bridges,511–513 MACaddresstableandlearning, 517–518 managementIPaddress,516–517 vs.routedmode,510–511 supportedandunsupported features,513–515 switchingto,516 Seealsotransparentfirewalls troubleshooting,connections,181–187 trustpoints.SeeCAs tunnelgroups,425–426 attributes,379–380 andCAs,392 certificategroupmatching,470 configuration,397–398 creating,378–379 generalattributes,426–427,467 groupmatchingmethods,469–470
717
718
Cisco ASA Configuration
tunnelgroups(cont.) IPSec-specificattributes,428 lists,469–470 overview,378 VPN-specificattributes,380 forWebVPN,467,497–499 WebVPNattributes,468–469 tunnelmaintenance,448
▼
U
UDP,108–109 URLfilteringserver,195 bufferingwebserverrepliesto users,199 cachingURLinformation,198–199 filteringexample,202–203 policyexceptions,198 trafficfilteringpolicies,196–198 verification,200–202 Seealsowebcontentfiltering userauthentication,446–447 UserDatagramProtocol.SeeUDP UserEXECpassword,53–54
▼
V
versioninformation,71–72 VirtualClusterAgents(VCAs),438 virtualfirewalls,18,20 VirtualHTTP,221–222 virtualprivatenetworks.SeeVPNs virtualsensors,assigningtocontexts, 603–606 VirtualTelnet,219–221 VLANs,configuration,58–59 VPNs,21 loadbalancing,436–439 trafficandaddresstranslation, 398–399,415 tunnellimits,415–416 SeealsoEasyVPN;WebVPN
▼
W
WCCP configurationexample,206 definingaWCCPservergroup, 204–205 enablingWCCPredirectiononan interface,205 process,203–204 verification,205 WebCacheCommunicationsProtocol. SeeWCCP webcaching,203–206,459–460 webcontentfiltering,192 applicationproxy,193–194 modifiedproxy,194–195 SeealsoURLfilteringserver webfiltering.Seewebcontentfiltering webproxies,458–460 Websense,195 webtypeACLs,464–465 WebVPN,21,452 allowingWebVPNtraffic,455 clientlesshomeportal,470–475 controllingSSLencryption algorithmsused,455–456 defininggeneralproperties,460 enabling,456 grouppolicies,460–467 networkclients,488–489 overridinggrouppolicieson aper-userbasis,465–467 performingDNSlookups, 457–458 portforwarding,476–479 restrictions,454–455 supportingbothWebVPNand ASDM,456–457 userWebVPNattributes, 466–467 verificationandtroubleshooting, 485–486 webcaching,459–460
Index
webproxying,458–460 SeealsoAnyConnectclient;SSL VPNs writecommands,51
▼
X
XAUTH authenticationmethods,445–446 useraccountsandattributes, 424–425 userauthentication,446–447
XDMCP clientsontheinsideofthe appliance,290 clientsontheoutsideofthe appliance,290–291 connections,290 establishedcommand configuration,291–293 exampleconfiguration,293 inspectionpolicies,289–293 policyconfiguration,291 xlatetables,113 clearingentriesin,148–149
719