Adaptive Security Appliance CCNA Security Lab: 5505 vs 5506-X

1/72

Adaptive Security Appliance
CCNA Security Lab
5505 vs 5506-X

Nico [email protected] 20, 2018, Diegem, Belgium

2/72

Agenda: What will happen in this session?

ASA Overview

Basic Interface/Firewall Config

ASA Firewall Rules

ASA 8.3+ NAT

Modular Policy Framework

CLI config lab

This session focuses on the ASA 5505/5506-X ONLY (!)

3/72

Agenda: What won’t happen in this session?

ASDM Configuration

IPsec site-to-site or remote access VPN

SSL remote access VPN (requires ASDM)

ASDM config session

Dynamic Routing with ASA

Linking ASA with AD

4/72

ASA Overview

5/72

ASA (Adaptive Security Appliance)

Proven Firewall technology

Intrusion Prevention capabilities

VPN Solution

Failover

Virtualization

ASA 5505 / 5506-X

new bundles have a 5506-X

Next Generation Firewall
Next Generation IPS
Advanced Malware Protection
“FirePower”

6/72

ASA Security Contexts

Virtualisation

Separate Policy

Separate Interfaces

Separate admin

7/72

ASA High Availability (failover)

Active/Standby

Active/Active

depends on model

8/72

ASA Identity Firewall

9/72

ASA Threat Containment

Advanced Intrusion Prevention

AIP-SSM for rack-based models

AIP-SSC-5 for ASA-5505

software module on ASA-5506-X

10/72

Routed vs Transparent Mode

Routed mode: a “router” with filtering

Different networks

Transparent mode: a “switch” with filtering

Single network

1 IP address for management

11/72

ASA 5505 Licensing

12/72

ASA 5506-X Licensing

more power

more possibilities (VLANs, connections, VPN Sessions, …)

...

13/72

ASA 5505/5506-X Licensing

5505 VLANs with Base License

– 3 VLANs are supported

– 1 restricted VLAN that can ONLY initiate traffic to one other VLAN (return traffic is allowed)

5506-X with Base License

– 5 VLANs are supported (on trunks)

NO support for Security Contexts

Stateless Active/Passive failover ONLY in Security Plus License

Not an HQ firewall, but SOHO, Small Branch, ...

14/72

Any questions so far???

15/72

Basic Interface / Firewall Config

16/72

Permitted Traffic

Security level (aka trust level)

Defaults

Inside: 100

Outside: 0

Typical

DMZ: 50

5505 Base Lic.

1 VLAN can only initiate traffic to one other VLAN

DMZ does not initiate traffic to inside

17/72

Denied Traffic

return traffic is allowed (inspection)

no lower to higher security level traffic

exception: ACLs

18/72

Security Levels

Measure of trustworthiness

0 (not trusted) to 100 (trusted)

Traffic can flow freely from higher valued to lower valued interfaces

Return Traffic is automatically allowed

ACLs are needed to allow flow from low to high

19/72

“Return traffic is automatically allowed”

Requires “inspection”

CONN & XLATE internal tables are used to “allow” return traffic

depending on protocol, inspection goes up to layer 7

20/72

ASA 5505 vs 5506-X

ASA 5505:

max ASA OS 9.2

8 layer 2 ports, 0-7

Interface names do not include speed (Ethernet0/1)

to be divided over 3 (Base License) VLANs

1 VLAN cannot initiate traffic to the others

VLAN interfaces get the layer 3 configuration

ASA 5506-X:

ASA OS 9.7+

8 layer 3 ports, 1-8

Interface names include speed (GigabitEthernet1/1)

1 management port

Bridging between interfaces must be configured, similar to IOS Bridge-Group Virtual Interfaces (BVI)

BVI interface gets the layer 3 configuration

21/72

IOS vs ASA commands

IOS: enable secret password
ASA: enable password password

IOS: line vty 0 4 / password password / login
ASA: passwd password

IOS: ip route
ASA: route intname

IOS: show ip interfaces brief
ASA: show interfaces ip brief

IOS: show ip route
ASA: show route

IOS: show vlan
ASA: show switch vlan

IOS: show ip nat translations
ASA: show xlate

IOS: copy running-config startup-config
ASA: write [memory]

IOS: erase startup-config
ASA: write erase

22/72

IOS vs ASA commands

Privileged EXEC commands can be given in any mode (no need for do)

The help command can HELP

To interrupt the “more” output, press Q, not Ctrl-C

There is a “setup” wizard…

some things can only be configured from within ASDM...

23/72

ASA Default Configuration

HTTP access for ASDM (Adaptive Security Device Manager) is configured for access from 192.168.1.0/24 via the “inside” VLAN/BVI

A DHCP-server is configured for the “inside” VLAN/BVI, with addresses 192.168.1.5-192.168.1.36 (5505) or 192.168.1.5-192.168.1.254 (5506-X)

Default information (DNS info and DNS server) is taken from the “outside” DHCP server

Default: empty passwords

The ASA works “out of the box”

To reset an ASA:

– (config)# configure factory-default

24/72

ASA 5505 Defaults

hostname is “ciscoasa”

E0/0 is configured in VLAN 2 (outside)

Other interfaces are in VLAN 1 (inside)

VLAN 1 is configured as “inside”, with security-level 100 and IP 192.168.1.1/24

VLAN 2 is configured as “outside”, with security-level 0, and IP and default gateway via DHCP

PAT is automatically configured

25/72

ASA 5506-X Defaults

hostname is “ciscoasa”

GigE1/1 is configured as outside interface

Other interfaces are in bridge-group 1

BVI1 is configured as “inside”, with security-level 100 and IP 192.168.1.1/24

GigE1/1 is configured as “outside”, with security-level 0, and IP and default gateway via DHCP

PAT is automatically configured

Dedicated management Ethernet interface

26/72

ASA 9.7+ Default Configuration (ASDM/NAT/MGMT)

Management 1/1 interface up but unconfigured, used for ASA FirePower module

ASDM Access
– from inside hosts
– from wifi hosts

NAT, interface PAT configured for
– wifi > outside
– inside > outside
– management > outside

27/72

Let’s take a (more or less) deep dive in the ASA CLI

28/72

ASA 5505 Default Configuration

ASA Version 9.1(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside

29/72

ASA 5505 Default Configuration

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d5da6714509c82bc97629f33075459a2
: end

30/72

ASA 5506-X Default Configuration

ASA Version 9.8(1)
!
hostname ciscoasa
enable password $sha512$5000$9JNFlM2inkuNUhQjKQHfnA==$wT70e2xMZSZjwgKJVQAu0Q== pbkdf2
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface

31/72

ASA 5506-X Default Configuration

object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history

32/72

ASA 5506-X Default Configuration

http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d59032ee5b05b5a1791caaa0aa416df8
: end

33/72

ASA Commands

hostname hostname

domain-name name

banner motd message (multiple lines = multiple banner motd commands, NO delimiter)

enable password password

key config-key password-encryption newpassword [ oldpassword ]

password encryption aes

show password encryption

34/72

ASA Interface Commands

interface Ethernet0 (PIX/ASA)

interface vlan 1 (ASA5505)

nameif if_name

– Not case sensitive

– “no”-form removes ALL references

– For names “inside” and “outside”, security-levels 100 or 0 are automatically used

security-level value

ASA 5505: LIMITED 3rd VLAN: can only initiate traffic to one (of 2) other VLANs

– no forward interface vlan 1
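As an added example (not from the slides), the three-VLAN Base License layout the deck describes: inside, outside and a restricted DMZ that may initiate traffic towards outside but not towards inside. VLAN numbers, names and addresses are assumptions; the ordering requirement for "no forward interface" is the one that makes the third nameif accepted on a Base License.

```cisco
! Added example, not from the deck. ASA 5505, Base License.
! Default state: Ethernet0/0 is in VLAN 2 (outside, level 0), all other
! ports are in VLAN 1 (inside, level 100).
!
! The Base License only accepts a third named VLAN when that VLAN is
! forbidden to initiate traffic towards one of the other two. The
! "no forward interface" line must come BEFORE nameif; otherwise the
! ASA rejects the nameif because only 2 named interfaces are licensed.
interface Vlan3
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
 no shutdown
!
! Move one switch port into the DMZ VLAN.
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Resulting behaviour with security levels alone (no ACLs configured):
!   inside (100) -> dmz (50)      permitted, return traffic allowed
!   inside (100) -> outside (0)   permitted
!   dmz (50)     -> outside (0)   permitted
!   dmz (50)     -> inside (100)  blocked: lower to higher AND the
!                                 "no forward interface vlan 1" restriction
!   outside (0)  -> dmz (50)      blocked until an inbound ACL permits it
!                                 (a DMZ server also needs static NAT)
!
! Verify the port-to-VLAN mapping and the interface state.
show switch vlan
show interface ip brief
show nameif
```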

35/72

ASA Interface Commands

ip address IP SNM

ip address dhcp

ip address dhcp setroute

– (also ask external DHCP-server for default gateway)

ip address pppoe

ip address pppoe setroute

36/72

ASA 5505 Interface Commands

interface ethernet0/0

switchport access vlan 2

no shutdown

show switch vlan (ports to VLAN/ifname mapping)

show interface

show interface ip brief (physical/logical interfaces and status)

show ip address

37/72

ASA BVI-interface configuration

Bridge-group Virtual Interface

connected with bridge-group-command on physical interface

nameif and security-level per member interface are required (!)

Layer 3 configuration on BVI

interface GigabitEthernet1/2
 bridge-group 1
 nameif Private_1
 security-level 100

interface GigabitEthernet1/3
 bridge-group 1
 nameif Private_2
 security-level 100

interface BVI1
 nameif Private
 security-level 100
 ip address 10.0.0.1 255.255.255.0

38/72

Configure a (Default) Static Route

Syntax: route int_name NWA SNM Next-Hop-IP

Example: route outside 0.0.0.0 0.0.0.0 192.0.2.1

dynamic routing is not within the scope of this session

39/72

Configure Telnet Access

passwd password

Define subnet and interface for telnet clients:
– telnet NWA SNM if_name (IPv4)
– telnet PF/PFL if_name (IPv6)
– (multiple statements are allowed)

telnet timeout minutes

aaa authentication telnet console LOCAL (LOCAL is predefined and case sensitive)

clear configure telnet (remove all telnet config from running-config)

show run telnet (shows only telnet configuration)

40/72

Configure SSH Access

Create user DB: username name password password

aaa authentication ssh console LOCAL (LOCAL is predefined and case sensitive)

crypto key generate rsa modulus modulus (2048 recommended)

ssh version { 1 | 2 }

ssh timeout minutes

Define subnet and interface for SSH clients:
– ssh NWA SNM if_name (IPv4)
– ssh PF/PFL if_name (IPv6)
– (multiple statements are allowed)

clear configure ssh (remove all SSH config from running-config)
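Putting the telnet and SSH slides together, here is an added example (not from the deck) that replaces the factory management access (empty passwords, telnet, the dh-group1-sha1 key exchange visible in the 5506-X default configuration) with SSHv2 from the inside network only. Hostname, domain, the password "class" and the 192.168.1.0/24 management range are lab assumptions.

```cisco
! Added example, not from the deck. ASA OS 9.1+.
!
! 1. Passwords and a local account ("class" is a lab value only).
enable password class
passwd class
username admin1 password class privilege 15
!
! 2. SSH logins and "enable" are checked against the LOCAL database
!    (predefined, case sensitive).
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! 3. A hostname and domain name are needed before an RSA key can be
!    generated; 2048 bits as the deck recommends.
hostname ASA-LAB
domain-name lab.example
crypto key generate rsa modulus 2048
!
! 4. SSHv2 only, a stronger key exchange than the default dh-group1-sha1,
!    and an idle timeout.
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh timeout 10
!
! 5. Only the inside management subnet may open SSH. No "ssh ... outside"
!    line exists, so the outside interface does not listen at all.
ssh 192.168.1.0 255.255.255.0 inside
!
! 6. Remove every telnet statement instead of leaving a clear-text login
!    path beside SSH.
clear configure telnet
!
! Verify: the subnet/interface pairs, the absence of telnet lines, and
! who is logged in right now.
show run ssh
show run telnet
show ssh sessions
```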

41/72

Configure Clock

Manual: clock set ?

ntp server IP-address [ key keyid ]

ntp authenticate

ntp trusted-key keyid

ntp authentication-key keyid md5 key

clock timezone zone-name {+ | -}hours [ minutes ]

clock summer-time CEST recurring last Sunday March 02:00 last Sunday October 03:00

42/72

Configure DHCP Server

Only 1 “pool” is possible: dhcpd address IP_from[-IP_to] if_name

Default lease length is 1 hour (3600 seconds): dhcpd lease-length seconds

Optionally give DNS info: dhcpd dns dnsIP1 [ dnsIP2 ] and dhcpd domain domainname

dhcpd enable if_name

Depending on license a number of DHCP-clients are supported:

– ASA Base License: 32 (for 10 concurrent users)
– with 50 concurrent users: 128 DHCP clients
– with “unlimited” users: 256 DHCP clients

43/72

Configure DHCP Server

To pass information learned through external DHCP (outside interface) on to internal DHCP clients: dhcpd auto_config outside

show dhcpd state (state for inside/outside/... interfaces)

show dhcpd binding

show dhcpd statistics

clear dhcpd binding

clear dhcpd statistics

44/72

Local User Database

username admin1 password class

username admin2 password class privilege 15

The local user database is known as “LOCAL” (case sensitive) in AAA method lists

45/72

Define AAA Servers

aaa-server SRVLIST protocol { radius | tacacs+ | ...}

aaa-server SRVLIST (inside) host 10.1.1.2 shared-secret

The shared secret is not shown in the running-config (!)

There are more authentication protocols available than RADIUS/TACACS+

Define a method-list:
– aaa authentication { enable | serial | telnet | ssh | http } console SRVLIST LOCAL
– Only two methods can be used.

46/72

No questions yet?

47/72

ASA Firewall Rules

48/72

Access Control Lists

Standard or extended, but only named ACLs

No wildcard mask (WCM), but a subnet mask (SNM)

Also possible to specify source/destination interface

Multiple access-list statements make one ACL

ASA(config)# access-list ACL1 extended permit ?
configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ip
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  tcp
  udp
<output omitted>

(config)# access-group access-list {in|out} interface if_name [ control-plane ]

49/72

Filtering

Automatic filtering with system of security-levels

What with interfaces on the same level?

(config)# same-security-traffic permit ?
configure mode commands/options:
  inter-interface  Permit communication between different interfaces with the same security level
  intra-interface  Permit communication between peers connected to the same interface

ASA-5505: intra-interface for members of same VLAN

ASA-5506-X: inter-interface for members of same bridge-group

Objects and Object Groups

ACLs

50/72

Objects / Object-Groups

1 namespace

Objects
– Network objects: hosts, subnets, range
– Service objects: L4 protocols with source or destination port numbers

Object-Groups
– Network: hosts, subnets, range or other network objects/object-groups
– Service: L4 protocols with source or destination port numbers or other service objects/object-groups
– ICMP-type object-groups
– Protocol object-groups: protocols carried by IP
– User Object-Groups (no CCNA Security topic)
– Security Object-Groups (no CCNA Security topic)

51/72

Network Object-Groups

(config)# object-group network NWG
(config-network)# ?
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for network object-group configuration commands
  network-object  Configure a network object
  no              Remove an object or description from object-group

(config-network)# network-object ?
network-object-group mode commands/options:
  Hostname or A.B.C.D  Enter an IPv4 network address
  X:X:X:X::X/<0-128>   Enter an IPv6 prefix
  host                 Enter this keyword to specify a single host
  object

52/72

Service Object-Groups

(config)# object-group service SRV
(config-service)# ?
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for service object-group configuration commands
  no              Remove an object or description from object-group
  service-object  Configure a service object

(config-service)# service-object ?
dual-service-object-group mode commands/options:
  <0-255>  Enter protocol number (0 - 255)
  icmp
  icmp6
  ip
  tcp
  tcp-udp  Both TCP & UDP
  udp
<output omitted>

53/72

Service Object-Groups

service-object tcp [ operator ] <dstport or name>
service-object tcp source [ operator ] <srcport or name>

operator:

eq

neq

gt

lt

range

54/72

Other Object-Groups / Objects

ICMP-type object groups

Protocol object groups (allows for protocol selection: 6, 17, 47, 50, 51, 88, 89, …)

There are also Network Objects / Service Objects (NOT GROUPS)

– to define addresses in some way (subnet, ...)
– to define services in some way (port number, ...)

55/72

Objects & Object Groups: When?

NAT-definition (on 8.3+) is only possible with “Network Objects”

Since the same namespace is used, you can choose

Network Object-Groups have no “range” or “subnet”-statement

IPv6 Object-Groups can NOT be nested

Perhaps it is easier to use
– objects only for NAT
– object groups for Access Control Lists

56/72

Still no questions?

57/72

ASA 8.3+ NAT

58/72

Network Address Translation

Inside NAT: addresses from a higher security level have to be changed when transmitted through a lower level interface (SNAT)

Outside NAT: addresses from a lower security level have to be changed before being transmitted through a higher level interface (DNAT)

Bidirectional NAT: all of the above

59/72

Network Address Translation

Dynamic NAT: many-to-many

Dynamic PAT: many-to-one

Static NAT: one-to-one (mostly outside to inside)

Policy NAT: Not all traffic has to be NAT-ted the same way.

Twice NAT: used with Remote-Access VPNs (not CCNA Security)

60/72

Dynamic NAT

First, create a network object defining the outside address range:
  (config)# object network NOUTSIDE
  (config-network-object)# range 192.0.2.1 192.0.2.6

Then, create a network object defining the inside addresses:
  (config)# object network NINSIDE
  (config-network-object)# subnet 192.168.0.1 255.255.0.0

Within this object, define the NAT rule (note the space between nat and the interface pair):
  (config-network-object)# nat (inside,outside) dynamic NOUTSIDE


61/72

Dynamic PAT

First, create a network object defining the inside addresses:
  (config)# object network NINSIDE
  (config-network-object)# subnet 192.168.0.1 255.255.0.0

Within this object, define the NAT rule, translating to the interface IP:
  (config-network-object)# nat (inside,outside) dynamic interface


62/72

Static NAT

Mostly used to “publish” an internal server to the internet

Create a network object defining the inside server address, and the NAT rule within it:
  (config)# object network SERVER
  (config-network-object)# host 192.168.0.17
  (config-network-object)# nat (inside,outside) static 192.0.2.85

The NAT-statement mentions the outside IP-address of the server.

You still have to make an ACL to allow the traffic IN from a lower to a higher security level!


63/72

Static PAT

If you want to add a port number (to allow for one external IP address and multiple internal servers), add a service clause to the nat statement inside the server's network object. The port order is real (inside) port first, then mapped (outside) port:
  (config-network-object)# nat (in_if,out_if) static ext_ip service { tcp | udp } in_port out_port

Example (outside tcp/2222 is forwarded to the server's tcp/22):
  (config-network-object)# nat (inside,outside) static 100.200.100.100 service tcp 22 2222


64/72

NAT Troubleshooting

Actual NAT definition:
  # show nat
  # show nat detail

Translations:
  # show xlate


65/72

Are you guys still with me?


66/72

Modular Policy Framework


67/72

Modular Policy Framework

Class Maps are used to identify the traffic
– Default class map: inspection_default

Policy Maps are used to specify what to do with the traffic:
– Inspect
– Police/shape
– Prepare for RADIUS accounting
– Prepare for NetFlow export
– …
– Default policy-map: global_policy

Service-Policy: connects the Policy to an interface
– If no other policies are defined, the default policy map is used for all traffic on all interfaces
– Default: service-policy global_policy global

Related to IOS MQC and C3PL


68/72

Class-Maps

Default Class-Map:
  (config)# class-map inspection_default
  (config-cmap)# match default-inspection-traffic

– Default inspection traffic: DNS, FTP, HTTP, ICMP, SMTP, TFTP (incomplete list) and TCP/UDP

Within a self-defined Class Map you can match on
– Access-list
– Any packet
– DSCP/precedence value
– TCP/UDP port (destination by default)
– RTP port numbers
– …

show running-config class-map

class-map HTTPTRAFFIC
 match port tcp eq 80
class-map SPECIALTRAFFIC
 match access-list MYACL


69/72

Policy-Map

Default Policy Map

TCP and UDP are automatically inspected

Note the default Policy Map has no inspection for ICMP!!!

Create Policy Map (the command is policy-map, with a hyphen):
  (config)# policy-map MYPOLICY
  (config-pmap)# class MYCLASS
  (config-pmap-c)# inspect protocol

Connect Policy Map to interface:
  (config)# service-policy MYPOLICY { global | interface if_name }

The default is:
  (config)# service-policy global_policy global

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
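The ICMP gap noted above can be checked mechanically against running-config output. This is an added example, not code from the slides: it parses the class-map, policy-map and service-policy stanzas and reports which of a required set of inspections a policy map lacks. SAMPLE_CONFIG is a constructed excerpt in the shape of the default global_policy listing.

```python
# Added example, not from the slides: parse the class-map / policy-map / service-policy
# stanzas of 'show running-config' text and report the inspections a policy lacks.
# SAMPLE_CONFIG is a constructed excerpt shaped like the default global_policy above.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect esmtp
  inspect tftp
service-policy global_policy global
"""


def parse_mpf(config):
    """Return {'class_maps': {name: [match...]}, 'policy_maps': {name: {class: [proto...]}},
    'service_policies': [(policy, scope)]} built from ASA running-config text."""
    mpf = {"class_maps": {}, "policy_maps": {}, "service_policies": []}
    cmap = pmap = klass = None                      # the stanza we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("class-map "):
            cmap, pmap = line.split()[1], None
            mpf["class_maps"][cmap] = []
        elif line.startswith("match ") and cmap:
            mpf["class_maps"][cmap].append(line[len("match "):])
        elif line.startswith("policy-map "):
            pmap, cmap, klass = line.split()[1], None, None
            mpf["policy_maps"][pmap] = {}
        elif line.startswith("class ") and pmap:
            klass = line.split()[1]
            mpf["policy_maps"][pmap].setdefault(klass, [])
        elif line.startswith("inspect ") and pmap and klass:
            mpf["policy_maps"][pmap][klass].append(line.split()[1])  # protocol name only
        elif line.startswith("service-policy "):
            parts = line.split()
            mpf["service_policies"].append((parts[1], " ".join(parts[2:])))
    return mpf


def missing_inspections(mpf, policy, required=("icmp",)):
    """Protocols from 'required' that no class of 'policy' inspects (ICMP is the slide's example)."""
    present = {p for protos in mpf["policy_maps"].get(policy, {}).values() for p in protos}
    return sorted(set(required) - present)
```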


70/72

Q&A: shoot!


71/72

Friendly neighbourhood competition!

Let’s Play!


72/72