Author: Prof Bill Buchanan
Network Security (Part 2): Stateful firewall, PIX/ASA Configuration
Professional Certification, NetworkSims

PIX/ASA Configuration
· Interfaces.
· Fixup.
· Static Routes.
· Access-lists.
· Failover.
· VPN.
Introduction

CIA and AAA

The security stack, from top to bottom (integration between the levels often causes the most problems):
· Applications (integrated security)
· Application communications (TCP, IP, and so on)
· Services (integrated security)
· Network infrastructure (firewalls, proxies, and so on)

CIA: Confidentiality, Integrity, Availability (the slide labels the third property Assurance).
AAA: Authentication, Authorization, Accounting.
The diagram shows Bob and Alice communicating, with Eve as the adversary on the path between them.
Example Infrastructure

The diagram is built up over three slides. Traffic from the Internet enters through a router performing NAT and a packet-filtering firewall, then a switch; a DMZ holds the proxy server, web server and FTP server; a second, stateful firewall sits in front of the internal switch where Bob and Alice are connected, and Intrusion Detection Systems monitor both the perimeter and the internal segment. In the Cisco version of the diagram the perimeter firewall is a Cisco PIX, the internal one a Cisco ASA 5500, and the switch a Cisco switch.
Example Infrastructure (continued)

Each device is annotated with the layer it works at: Application (FTP, Telnet, etc.); L4 Transport (TCP); L3 Internet (IP); L2 Network (Ethernet).

· Physical security requires restricted areas and padlocked equipment.
· Different VLANs (VLAN 1, VLAN 2) cannot communicate directly and need to go through a router to communicate; a VLAN can be carried between switches over an 802.1Q trunk.
· Screening firewalls (packet filters) filter on IP and TCP packet details, such as addresses and TCP ports, for incoming/outgoing traffic. Each packet is judged on its own.
· Stateful firewalls filter on application, IP and TCP packet details. They remember previous data packets and keep track of connections, so a reply is only accepted if it belongs to a connection the firewall has already seen.
· All application-layer traffic goes through the proxy (e.g. FTP, Telnet, and so on), also known as an application gateway.
Firewalls

Software firewall (runs within Windows Server, VMware, Linux):
· CheckPoint firewall (software)
· Linux iptables
· Host-based, e.g. ZoneAlarm
Hardware firewall (dedicated):
· CheckPoint firewall on Nokia appliances
· Cisco PIX/ASA (stateful)
· Cisco router with firewall (non-stateful)

Software firewall:
· Easy to reconfigure
· Slower
· Less expensive
· Can be used with a range of computers/OSs
Hardware firewall:
· Optimized engine/architecture
· Copes better with large traffic conditions
· Improved failover
Stateful firewall: PIX features

Firewall rules. These are contained within ACLs (using the access-list and access-group commands), and block or permit traffic. URL filtering, which defines the web pages that are allowed and those that are not, is configured separately and hands each requested URL to an external filtering server for a verdict.
Port blocking. The fixup command changes, enables or disables the application inspection of network services on given ports.
Intrusion detection. The ip audit command detects intrusion signatures in passing traffic.
Shunning. Along with intrusion detection, the shun command allows a defined response to an intrusion: traffic from the offending address is dropped.
Encryption. The PIX firewall supports enhanced encryption, such as acting as a server for VPN connections, typically with IPsec, and tunnelling techniques such as PPTP.
Cut-through proxy. This defines the users who are allowed services such as HTTP, Telnet and FTP. Authentication is a single initial authentication, after which the connection is handled at the packet level; this differs from normal proxy operation, where every single packet passes through the proxy.
Failover. This allows a standby PIX to detect that the active unit has failed and take its place.
PIX models

Small office: PIX 501. 133MHz processor, 16MB RAM; throughput 10Mbps; maximum 7,500 connections. No failover support; one external connection and a built-in switch for the inside connections.

Remote office: PIX 506E. 300MHz processor, 32MB RAM; throughput 20Mbps; maximum 25,000 connections. No failover support; two connections.

Medium-sized office: PIX 515E (515E-R restricted and 515E-UR unrestricted licences). 433MHz processor, 32/64MB RAM; throughput 188Mbps; maximum 130,000 connections. Supports failover and up to six connections.
· Max throughput: 188Mbps; 3DES throughput: 22Mbps; AES throughput: 63Mbps (100Mbps with accelerator)
· Options: VPN accelerator (DES/3DES), failover cable, 4-port FE (PCI), 1-port GE (PCI)
· 515E-UR adds: integrated accelerator, failover support, more LAN interfaces, VPN acceleration
Enterprise: PIX 525. 600MHz processor, 256MB RAM; throughput 360Mbps; maximum 280,000 connections. Supports failover and up to eight interfaces.

Enterprise: PIX 535. 1GHz processor, 1GB RAM; throughput 1Gbps; maximum 500,000 connections. Supports failover and up to ten network interfaces.

ASA 5520. Intel Pentium 4, 2GHz; 512MB RAM; runs the PIX 7.x / ASA 8.x software; 8 interfaces; integrated VPN and SSL VPN; throughput 450Mbps; 3DES 225Mbps; maximum 280,000 connections; 750 VPN peers.
PIX/ASA Configuration
PIX/ASA firewall: interfaces and security levels

The PIX sits between the untrusted side (the Internet gateway, where Eve is), the trusted inside network, and a DMZ holding the proxy, web and FTP servers, with an Intrusion Detection System watching the gateway segment.

· E0, name: outside, security level 0 (untrusted)
· E1, name: inside, security level 100 (trusted)
· E2, name: inf2 (the DMZ), security level 50

By default, traffic may start from a higher security level towards a lower one, but not from a lower level towards a higher one unless an access-list permits it; replies to an allowed connection are let back through by the stateful engine:
· Inside (100) to DMZ (50): allowed
· DMZ (50) to Inside (100): not allowed
· Outside (0) to DMZ or Inside: not allowed
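The security-level rule above, together with the stateful filtering described under Example Infrastructure, as an added Python model that is not part of the original slides: new connections are admitted by comparing the security levels of the ingress and egress interfaces, reply packets are admitted only if a connection entry already exists, and a lower-to-higher flow needs an explicit permit. The interface names and addresses are the slide's; the ACL is simplified to a set of (ingress interface, destination, port) tuples, which is an assumption standing in for access-list/access-group.

```python
"""Model of the PIX/ASA default policy between security levels, combined with
the connection table that makes the firewall stateful. Added example, not the
page's code; the ACL model (a set of permitted destinations per ingress
interface) is an assumption standing in for access-list/access-group."""
from dataclasses import dataclass, field

# From the slide: E0 outside = 0, E2 inf2 (DMZ) = 50, E1 inside = 100.
SECURITY_LEVELS = {"outside": 0, "inf2": 50, "inside": 100}


@dataclass(frozen=True)
class Packet:
    src_if: str      # interface the packet arrives on
    dst_if: str      # interface routing would send it out of
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False    # first packet of a TCP connection


@dataclass
class StatefulFirewall:
    levels: dict
    permits: set = field(default_factory=set)   # {(ingress_if, dst, dport)} (assumption)
    conns: dict = field(default_factory=dict)   # initiator 5-tuple -> egress interface

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p):
        """Return (allowed, reason) and record newly admitted connections."""
        # 1. Reply traffic of a connection already in the table is allowed
        #    whatever the security levels: this is the stateful part.
        if self._reverse_key(p) in self.conns:
            return True, "return traffic of an existing connection"
        # 2. A TCP packet that is not a SYN and matches no connection is
        #    dropped. A plain packet filter keyed on ports would pass it.
        if p.proto == "tcp" and not p.syn:
            return False, "non-SYN packet with no connection entry"
        # 3. New connection from a higher to a lower security level is
        #    allowed by default (inside -> DMZ, inside -> outside, DMZ -> outside).
        src_lvl, dst_lvl = self.levels[p.src_if], self.levels[p.dst_if]
        if src_lvl > dst_lvl:
            self.conns[self._key(p)] = p.dst_if
            return True, "higher to lower security level (default policy)"
        # 4. Lower (or equal) to higher: only with an explicit permit. Equal
        #    levels also need 'same-security-traffic permit' on a real ASA.
        if (p.src_if, p.dst, p.dport) in self.permits:
            self.conns[self._key(p)] = p.dst_if
            return True, f"permitted by access-list on {p.src_if}"
        return False, "lower to higher security level without access-list"


def walk_topology():
    """Bob (10.0.0.2, inside), the DMZ server (172.16.0.2) and Eve (192.168.0.2,
    outside), addresses from the slides. Only web access from the outside to the
    DMZ server is permitted by the (modelled) access-list."""
    fw = StatefulFirewall(SECURITY_LEVELS, permits={("outside", "172.16.0.2", 80)})
    steps = [
        Packet("inside", "inf2", "10.0.0.2", 40000, "172.16.0.2", 80, syn=True),
        Packet("inf2", "inside", "172.16.0.2", 80, "10.0.0.2", 40000),           # reply
        Packet("inf2", "inside", "172.16.0.2", 5555, "10.0.0.2", 22, syn=True),  # DMZ -> inside
        Packet("outside", "inf2", "192.168.0.2", 3333, "172.16.0.2", 80, syn=True),
        Packet("outside", "inf2", "192.168.0.2", 3334, "172.16.0.2", 21, syn=True),
        # Eve forges a "reply" from port 80 to an inside host: no connection
        # entry, so it is dropped even though a port-based filter might pass it.
        Packet("outside", "inside", "192.168.0.2", 80, "10.0.0.2", 40000),
    ]
    return [fw.process(p) for p in steps]


if __name__ == "__main__":
    for allowed, reason in walk_topology():
        print("allow" if allowed else "drop ", reason)
```

The sixth packet is the one that separates the two firewall types on the slides: a screening firewall that permits "source port 80 inbound" so that web replies can return would pass it, while the stateful engine rejects it because no inside host ever opened a connection to 192.168.0.2.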
PIX/ASA firewall: addressing and the global pool

The interface addresses in the diagram are 192.168.0.1/24, 10.0.0.1/16 and 172.16.0.1/24, with neighbours 192.168.0.2, 10.0.0.2 and 172.16.0.2. The global pool, 192.168.0.20 to 192.168.0.254, lies in 192.168.0.0/24, so that network is the outside.

Hosts in the DMZ are reached from the outside through addresses taken from the global pool; the mapping 192.168.0.20 -> 172.16.0.2 presents the DMZ server (172.16.0.0/24) at a pool address.
PIX/ASA firewall (ASDM): two screenshot slides of the Adaptive Security Device Manager GUI (no text content).
PIX/ASA firewall: hostname, domain and interface address

Interfaces: E0 (outside), E1 (inside), E2 (inf2).

PIX 6.x:
# config t
(config)# hostname freds
(config)# domain-name fred.com
(config)# ip address outside 192.168.1.1 255.255.255.0
(config)# interface e0 auto

PIX/ASA 7.x/8.x:
(config)# hostname freds
(config)# domain-name fred.com
(config)# int e0
(config-if)# ip address 192.168.2.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
PIX/ASA firewall: naming interfaces and setting security levels

PIX 6.x (nameif takes the name and security level together):
> enable
# config t
(config)# nameif e0 mars security0
(config)# nameif e1 pluto security100
(config)# nameif e2 jupiter security50
(config)# username fred password bert
(config)# exit

PIX/ASA 7.x/8.x (per-interface mode; the command is security-level, not security):
(config)# int e0
(config-if)# nameif mars
(config-if)# security-level 0
(config-if)# no shutdown
(config)# int e1
(config-if)# nameif pluto
(config-if)# security-level 100
(config-if)# no shutdown
Configuring the interfaces

PIX 6.x:
myPIX(config)# nameif e0 gretna security0
myPIX(config)# nameif e1 alabama security100
myPIX(config)# nameif e2 uranus security50
myPIX(config)# show nameif
myPIX(config)# interface e0 auto shutdown
myPIX(config)# interface e1 auto shutdown
myPIX(config)# interface e2 auto shutdown
myPIX(config)# show int
myPIX(config)# show int e0
myPIX(config)# show int e1
myPIX(config)# show int e2

PIX/ASA 7.x/8.x:
(config)# int e0
(config-if)# nameif gretna
(config-if)# security-level 0
(config-if)# shutdown
(config)# int e1
(config-if)# nameif alabama
(config-if)# security-level 100
(config-if)# shutdown

Note: the shutdown keyword leaves the interface administratively down; omit it (6.x: interface e0 auto) or use no shutdown (7.x/8.x) to bring the interface up. show int confirms the line and protocol state.
Setting banners

myPIX(config)# banner motd admin device
myPIX(config)# banner login personal device
myPIX(config)# banner exec main device

These set the message-of-the-day, login and exec banners respectively.
PIX/ASA Routes
Setting a static route

myPIX(config)# route outside 10.0.0.0 255.255.0.0 10.1.1.254

This sends traffic for 10.0.0.0/16 out of the outside interface to the next hop 10.1.1.254. A default route uses 0.0.0.0 0.0.0.0 as the destination and mask.
Setting routes

Topology used for the remaining examples: E0 is the outside interface, 10.1.1.1/24, with the perimeter gateway at 10.1.1.254; E1 is the inside interface, 192.168.2.1/24, with a host at 192.168.2.5 and an internal router at 192.168.2.3 that leads to 176.10.1.0/24 (hosts 176.10.1.1 and 176.10.1.2); E2 is the DMZ interface, 172.10.10.1/24, with a server at 172.10.10.2. The management interface is on 192.168.1.0/24. Note that 172.10.10.0/24 and 176.10.1.0/24 are not RFC 1918 private ranges; they are lab addresses only.

(config)# route outside 10.0.0.0 255.255.0.0 10.1.1.254 1
(config)# interface Ethernet0
(config-if)# nameif outside
(config-if)# security-level 0
(config-if)# ip address 10.1.1.1 255.255.255.0
(config-if)# interface Ethernet1
(config-if)# nameif inside
(config-if)# security-level 100
(config-if)# ip address 192.168.2.1 255.255.255.0
(config-if)# interface Ethernet2
(config-if)# nameif dmz
(config-if)# security-level 50
(config-if)# ip address 172.10.10.1 255.255.255.0
# sh route
S 10.0.0.0 255.255.0.0 [1/0] via 10.1.1.254, outside
C 10.1.1.0 255.255.255.0 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, management
C 172.10.10.0 255.255.255.0 is directly connected, dmz
C 192.168.2.0 255.255.255.0 is directly connected, inside

In the show route output S marks a static route ([1/0] is administrative distance/metric) and C a directly connected network.
Setting routes: a network behind an internal router

(config)# route inside 176.10.1.0 255.255.255.0 192.168.2.3 1
# sh route
S 10.0.0.0 255.255.0.0 [1/0] via 10.1.1.254, outside
C 10.1.1.0 255.255.255.0 is directly connected, outside
C 172.10.10.0 255.255.255.0 is directly connected, dmz
S 176.10.1.0 255.255.255.0 [1/0] via 192.168.2.3, inside
C 192.168.1.0 255.255.255.0 is directly connected, management
C 192.168.2.0 255.255.255.0 is directly connected, inside
Setting routes: a variant with a wrong next hop

The slide repeats the previous route with the next hop 192.168.1.3:

(config)# route inside 176.10.1.0 255.255.255.0 192.168.1.3 1
# sh route
S 10.0.0.0 255.255.0.0 [1/0] via 10.1.1.254, outside
C 10.1.1.0 255.255.255.0 is directly connected, outside
C 172.10.10.0 255.255.255.0 is directly connected, dmz
S 176.10.1.0 255.255.255.0 [1/0] via 192.168.1.3, inside
C 192.168.1.0 255.255.255.0 is directly connected, management
C 192.168.2.0 255.255.255.0 is directly connected, inside

Caveat: the next hop of a static route must be reachable on the interface named in the command. 192.168.1.3 lies in the management subnet (192.168.1.0/24), not in the inside subnet (192.168.2.0/24), so the PIX would have to ARP for it on the inside segment, where no such host exists. The router that leads to 176.10.1.0/24 is 192.168.2.3, as in the previous slide.
Setting the default route

(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.254
# sh route
S 0.0.0.0 0.0.0.0 [1/0] via 10.1.1.254, outside
S 10.0.0.0 255.255.0.0 [1/0] via 10.1.1.254, outside
C 10.1.1.0 255.255.255.0 is directly connected, outside
C 172.10.10.0 255.255.255.0 is directly connected, dmz
S 176.10.1.0 255.255.255.0 [1/0] via 192.168.1.3, inside
C 192.168.1.0 255.255.255.0 is directly connected, management
C 192.168.2.0 255.255.255.0 is directly connected, inside

The default route (0.0.0.0 0.0.0.0) matches anything no more specific route covers, so Internet-bound traffic from the inside and DMZ leaves via the perimeter gateway at 10.1.1.254. A more specific entry such as 10.0.0.0/16 is preferred over it by longest-prefix matching.
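The route lookup the slides illustrate, as an added Python example that is not part of the original material: the routing table is the one printed by sh route above, lookup() applies longest-prefix matching (so the default route only wins when nothing more specific does), and next_hop_on_interface() performs the sanity check that the 192.168.1.3 variant fails. The code is the editor's; the addresses and interface names are the page's.

```python
"""Longest-prefix-match lookup over the routing table that 'sh route' printed
on the slides, plus the sanity check a static route's next hop must pass.
Added example, not the page's code; the table entries are the page's."""
import ipaddress

# (destination, mask, next hop or None when directly connected, interface)
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "10.1.1.254", "outside"),           # S default route
    ("10.0.0.0", "255.255.0.0", "10.1.1.254", "outside"),      # S
    ("10.1.1.0", "255.255.255.0", None, "outside"),            # C
    ("172.10.10.0", "255.255.255.0", None, "dmz"),             # C
    ("176.10.1.0", "255.255.255.0", "192.168.2.3", "inside"),  # S
    ("192.168.1.0", "255.255.255.0", None, "management"),      # C
    ("192.168.2.0", "255.255.255.0", None, "inside"),          # C
]


def parse_routes(routes):
    """Build [(network, next_hop, interface)] from the show-route style tuples."""
    return [(ipaddress.ip_network(f"{dest}/{mask}", strict=False), nh, ifn)
            for dest, mask, nh, ifn in routes]


def lookup(table, dst):
    """Return (next_hop, interface) for dst by longest prefix match, or None
    when nothing matches (no default route: the packet is dropped). For a
    connected network the next hop is the destination itself, which the
    PIX resolves by ARP on that interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh, ifn in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifn)
    if best is None:
        return None
    net, nh, ifn = best
    return (nh or dst, ifn)


def next_hop_on_interface(table, next_hop, ifname):
    """A static route is only usable if its gateway lies in a connected
    network of the interface named in the 'route' command."""
    nh = ipaddress.ip_address(next_hop)
    return any(nh in net and ifn == ifname for net, gw, ifn in table if gw is None)


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    for host in ("8.8.8.8", "10.0.5.7", "176.10.1.2", "172.10.10.2"):
        print(host, "->", lookup(table, host))
    print("192.168.2.3 usable on inside:", next_hop_on_interface(table, "192.168.2.3", "inside"))
    print("192.168.1.3 usable on inside:", next_hop_on_interface(table, "192.168.1.3", "inside"))
```

Removing the first entry reproduces the state before the default route was added: a lookup for an Internet address then returns None, which is what the firewall does with a packet it has no route for.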
PIX/ASA Fixup
Fixup

The fixup command enables the application-layer inspection engines and tells each one which port its protocol runs on. show fixup lists the defaults:

(config)# show fixup
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

Adding inspection for services running on non-standard ports:
(config)# fixup protocol http 161
(config)# fixup protocol ftp 60
(config)# fixup protocol smtp 84

Why inspection is needed: FTP negotiates a separate data connection, and in active mode the server opens it back to a port the client announces on the control channel, so the firewall must read the control channel to open that pinhole (and, with NAT, rewrite the embedded address). SQL*Net similarly negotiates a redirected port on the connected session.
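What the FTP inspection engine has to do, as an added Python example that is not part of the original slides and not taken from PIX internals: parse PORT commands and 227 passive replies on the control channel, derive the data connection each one negotiates, refuse a PORT that names a third host (the FTP bounce abuse), and rewrite the address embedded in PORT when NAT applies. The transcript is constructed; the client 10.1.1.200 and the server's mapped address 10.1.1.201 are taken from the page's later static and ACL examples.

```python
"""What 'fixup protocol ftp' has to do that a static port rule cannot: read the
FTP control channel, work out the data connection the two ends negotiated,
open (or refuse) a pinhole for it, and rewrite the embedded address when NAT
applies. Added example, not the page's code; the third-host check and the
rewrite are modelled as an inspection engine would do them, not copied from
PIX internals."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _addr_port(match):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2); None if an octet is out of range."""
    vals = [int(x) for x in match.groups()]
    if any(v > 255 for v in vals):
        return None
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def ftp_pinhole(line, client_ip, server_ip):
    """Pinhole implied by one control-channel line, or None.
    Active mode (client sends PORT): the server initiates the data connection
    back to the client, i.e. a new connection from the lower-security side.
    Passive mode (server answers 227): the client initiates it."""
    m = PORT_RE.match(line)
    if m:
        decoded = _addr_port(m)
        if decoded is None or decoded[0] != client_ip:   # malformed, or bounce to a third host
            return None
        return {"mode": "active", "initiator": server_ip, "target": decoded[0], "port": decoded[1]}
    m = PASV_RE.match(line)
    if m:
        decoded = _addr_port(m)
        if decoded is None or decoded[0] != server_ip:
            return None
        return {"mode": "passive", "initiator": client_ip, "target": decoded[0], "port": decoded[1]}
    return None


def rewrite_port_command(line, real_ip, mapped_ip):
    """With NAT the engine must also rewrite the address inside PORT, otherwise
    the server would try to connect back to the client's private address."""
    m = PORT_RE.match(line)
    if not m:
        return line
    decoded = _addr_port(m)
    if decoded is None or decoded[0] != real_ip:
        return line
    port = decoded[1]
    return f"PORT {mapped_ip.replace('.', ',')},{port // 256},{port % 256}"


def pinholes_for_session(lines, client_ip, server_ip):
    """Run a whole control-channel transcript through the inspector."""
    return [h for h in (ftp_pinhole(line, client_ip, server_ip) for line in lines) if h]


# Constructed transcript: outside client 10.1.1.200 talking to the DMZ FTP
# server at its mapped address 10.1.1.201.
SESSION = [
    "USER bob",
    "PASS secret",
    "PORT 10,1,1,200,195,80",                      # active: client listens on 50000
    "227 Entering Passive Mode (10,1,1,201,4,1)",  # passive: server listens on 1025
    "PORT 192,168,2,5,4,1",                        # bounce: asks the server to connect to an inside host
]

if __name__ == "__main__":
    for hole in pinholes_for_session(SESSION, "10.1.1.200", "10.1.1.201"):
        print(hole)
    print(rewrite_port_command("PORT 192,168,2,5,195,80", "192.168.2.5", "10.1.1.1"))
```

The active-mode pinhole is the interesting one for the security-level rule: it is a connection initiated from the lower-security DMZ towards the client, which the default policy would otherwise block, and it is the reason a firewall without inspection ends up with a standing "permit any high port" rule for FTP. The rewrite call shows the other half of fixup's job for an inside client behind NAT (ports preserved, as with a static or dynamic NAT rather than PAT).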
PIX/ASA NAT
NAT

Dynamic NAT pairs a nat statement on the higher-security interface (which real addresses may be translated, tagged with a nat id) with a global statement on the lower-security interface (the pool of mapped addresses carrying the same id). Here inside hosts are translated from pool 1 and DMZ hosts from pool 2, both on the outside interface:

(config)# nat (inside) 1 192.168.2.0 255.255.255.0
(config)# nat (dmz) 2 172.10.10.0 255.255.255.0
(config)# global (outside) 1 10.1.1.2-10.1.1.200 netmask 255.255.255.0
(config)# global (outside) 2 10.1.1.201-10.1.1.254 netmask 255.255.255.0

Each active inside host leases one pool address for the life of its translation; a host on a network with no matching nat statement gets no translation and its traffic is dropped.
PIX/ASA PAT
PAT

With global (outside) 1 interface, both inside and DMZ hosts (same nat id 1) are translated to the single outside interface address, 10.1.1.1, and connections are told apart by the translated source port (Port Address Translation):

(config)# nat (inside) 1 192.168.2.0 255.255.255.0
(config)# nat (dmz) 1 172.10.10.0 255.255.255.0
(config)# global (outside) 1 interface
PAT with NAT exemption

nat (dmz) 0 means "do not NAT": DMZ addresses pass to the outside untranslated, while inside hosts are still PATed to the interface address:

(config)# nat (inside) 1 192.168.2.0 255.255.255.0
(config)# nat (dmz) 0 172.10.10.0 255.255.255.0
(config)# global (outside) 1 interface

Exempted addresses must be routable from the outside: the perimeter gateway at 10.1.1.254 needs a route for 172.10.10.0/24 back via 10.1.1.1, otherwise replies never reach the DMZ.
PIX/ASA Static Mapping
Static mappings

A static command fixes a one-to-one mapping between a mapped (outside) address and a real address, so that a server can be reached from the lower-security side at a stable address. The static only creates the translation; an access-list permitting the inbound traffic is still required:

static (dmz,outside) 10.1.1.201 172.10.10.2 netmask 255.255.255.255
static (inside,outside) 10.1.1.202 192.168.1.5 netmask 255.255.255.255

Static mappings take precedence over dynamic nat/global rules for the addresses they name. Note that the second static maps 192.168.1.5, which falls in the management subnet of the diagram; the inside host shown there is 192.168.2.5.
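The NAT, PAT and static mapping slides above, as one added Python model that is not part of the original material: a Translator object accepts the page's nat, global and static commands (pre-8.3 syntax) and answers, for an outbound packet, which mapped address and port it leaves with. The two scenario functions replay the NAT slide (two pools) and the PAT slides (interface PAT, nat 0 exemption, plus a static). The code is the editor's; sequential PAT port allocation from 1024 and the use of 192.168.2.5 (the diagram's inside host) in the static are assumptions.

```python
"""Model of the page's nat / global / static commands (pre-8.3 PIX/ASA syntax):
dynamic NAT pools matched by nat id, PAT on the outside interface address,
nat 0 exemption, and static one-to-one mappings. Added example, not the page's
code; PAT port allocation from 1024 upwards is a simplifying assumption."""
import ipaddress
import itertools


class Translator:
    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.nat_rules = []   # (interface, nat id, real network) in config order
        self.globals = {}     # nat id -> list of pool addresses, or "interface"
        self.statics = {}     # real address -> mapped address
        self.xlate = {}       # real address -> pool address currently leased
        self.pat = {}         # (real address, real port) -> mapped port
        self._ports = itertools.count(1024)  # assumption: sequential PAT ports

    def nat(self, ifname, nat_id, net, mask):
        self.nat_rules.append((ifname, nat_id, ipaddress.ip_network(f"{net}/{mask}")))

    def global_pool(self, nat_id, spec):
        if spec == "interface":
            self.globals[nat_id] = "interface"   # PAT on the interface address
            return
        lo, hi = (int(ipaddress.ip_address(a)) for a in spec.split("-"))
        self.globals[nat_id] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

    def static(self, mapped, real):
        self.statics[real] = mapped

    def translate(self, ifname, real_ip, real_port):
        """Mapped (ip, port) for a packet leaving towards the outside, or None
        when no rule covers the source (the PIX logs 'no translation group')."""
        if real_ip in self.statics:               # static wins over dynamic rules
            return self.statics[real_ip], real_port
        addr = ipaddress.ip_address(real_ip)
        match = next(((nid, net) for rif, nid, net in self.nat_rules
                      if rif == ifname and addr in net), None)
        if match is None:
            return None
        nat_id, _ = match
        if nat_id == 0:                            # nat 0: identity, do not NAT
            return real_ip, real_port
        pool = self.globals.get(nat_id)
        if pool is None:
            return None                            # nat id with no matching global
        if pool == "interface":                    # PAT: one address, many ports
            key = (real_ip, real_port)
            if key not in self.pat:
                self.pat[key] = next(self._ports)
            return self.outside_ip, self.pat[key]
        if real_ip not in self.xlate:              # dynamic NAT: lease a pool address
            free = next((a for a in pool if a not in self.xlate.values()), None)
            if free is None:
                return None                        # pool exhausted (a real PIX would
            self.xlate[real_ip] = free             # fall back to a PAT global, if any)
        return self.xlate[real_ip], real_port


def nat_example():
    """The 'NAT' slide: inside hosts use pool 1, DMZ hosts use pool 2."""
    t = Translator("10.1.1.1")
    t.nat("inside", 1, "192.168.2.0", "255.255.255.0")
    t.nat("dmz", 2, "172.10.10.0", "255.255.255.0")
    t.global_pool(1, "10.1.1.2-10.1.1.200")
    t.global_pool(2, "10.1.1.201-10.1.1.254")
    return [t.translate("inside", "192.168.2.5", 40000),
            t.translate("inside", "192.168.2.5", 40001),   # same lease reused
            t.translate("dmz", "172.10.10.2", 40000),
            t.translate("inside", "192.168.3.9", 40000)]   # no nat rule: dropped


def pat_example():
    """The 'PAT' slides plus a static: inside hosts share 10.1.1.1, the DMZ is
    exempt (nat 0), and 192.168.2.5 is pinned to 10.1.1.202 (assumption: the
    slide's static uses 192.168.1.5; the diagram's inside host is 192.168.2.5)."""
    t = Translator("10.1.1.1")
    t.nat("inside", 1, "192.168.2.0", "255.255.255.0")
    t.nat("dmz", 0, "172.10.10.0", "255.255.255.0")
    t.global_pool(1, "interface")
    t.static("10.1.1.202", "192.168.2.5")
    return [t.translate("inside", "192.168.2.7", 40000),
            t.translate("inside", "192.168.2.8", 40000),   # same source port, new mapped port
            t.translate("dmz", "172.10.10.2", 21),         # untranslated
            t.translate("inside", "192.168.2.5", 40000)]   # static mapping


if __name__ == "__main__":
    print(nat_example())
    print(pat_example())
```

The last entry of nat_example() is the case practitioners hit most often when a new subnet is added behind the firewall: no nat statement covers it, so the PIX refuses to build a translation and the traffic silently disappears.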
PIX/ASA ACLs
ACLs: permitting traffic to a statically mapped server

The access-list is bound inbound on the outside interface with access-group. On PIX 6.x/7.x and ASA up to 8.2 the ACL matches on the mapped (global) address 10.1.1.201, not on the real DMZ address 172.10.10.2 (from ASA 8.3 onwards ACLs use real addresses). Entries are evaluated in order and the first match wins; the closing deny makes the implicit deny at the end of every ACL explicit, which is useful for hit counts in show access-list:

static (dmz,outside) 10.1.1.201 172.10.10.2 netmask 255.255.255.255
access-list uranus permit tcp any 10.1.1.201 255.255.255.255 eq telnet
access-list uranus permit tcp any 10.1.1.201 255.255.255.255 eq www
access-list uranus deny ip any any
access-group uranus in interface outside

Note that "10.1.1.201 255.255.255.255" is a subnet mask (PIX ACLs do not use IOS wildcard masks) and is equivalent to "host 10.1.1.201". Exposing Telnet to any source sends credentials in cleartext; in practice restrict the source addresses or use SSH.
ACL
static (dmz,outside) 10.1.1.201 172.10.10.2 netmask 255.255.255.255
access-list mars permit ip host 10.1.1.200 host 10.1.1.201
access-list mars deny ip any any
access-group mars in interface outside
[Diagram: firewall with interfaces E0, E1 and E2 and a perimeter gateway, the mars access-list applied inbound on the outside interface; addresses shown: 192.168.2.1, 192.168.2.5, 192.168.2.3, 176.10.1.1, 176.10.1.2, 10.1.1.1, 10.1.1.254, 172.10.10.2, 172.10.10.1]
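The access-lists above are PIX 6.x command lines and cannot be executed outside the firewall, so here is an added Python evaluator (not code from the slides) that parses the uranus and mars configurations, applies first-match and implicit-deny semantics to sample packets arriving on the outside interface, and maps a permitted destination back to the real DMZ host through the static entry. The sample source addresses, the port-name table and the packet tuples are assumptions of this example.

```python
"""PIX access-list evaluator (added example; not code from the slides).

Parses the static / access-list / access-group lines shown on the slides and
evaluates packets arriving on the outside interface with PIX 6.x semantics:
rules are matched top-down, the first match wins, every access-list ends with
an implicit deny, and an ACL on the outside interface is written against the
mapped (global) address of a static entry, not the real DMZ address.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port names used on the slides (assumed subset of the PIX name table).
PORT_NAMES = {"telnet": 23, "www": 80, "http": 80, "ftp": 21, "smtp": 25}
# Protocol keywords; None means "any IP protocol".
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: Optional[int]           # IP protocol number, None for any
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # destination port, None for any


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse `any`, `host A.B.C.D` or `A.B.C.D MASK` at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # PIX access-lists take a normal subnet mask (IOS uses a wildcard mask instead).
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text: str):
    """Return (acls, groups, statics): rules per ACL name, ACL bound per interface,
    and mapped-address -> real-address taken from static entries."""
    acls: Dict[str, List[Rule]] = {}
    groups: Dict[str, str] = {}
    statics: Dict[str, str] = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            acls.setdefault(name, []).append(Rule(action, PROTO_NUMBERS[proto], src, dst, dport))
        elif t[0] == "access-group":       # access-group NAME in interface IFC
            groups[t[4]] = t[1]
        elif t[0] == "static":             # static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK
            statics[t[2]] = t[3]
    return acls, groups, statics


def decide(config: str, ifc: str, proto: int, src: str, dst: str,
           dport: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Evaluate one packet arriving on `ifc`.

    Returns (verdict, real_dst): verdict is "permit" or "deny"; real_dst is the
    un-NATed DMZ address when the packet is permitted to a static-mapped address.
    """
    acls, groups, statics = parse_config(config)
    if ifc not in groups:
        raise ValueError(f"no access-group bound to interface {ifc}")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acls[groups[ifc]]:
        if r.proto is not None and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, (statics.get(dst) if r.action == "permit" else None)
    return "deny", None                    # implicit deny at the end of every access-list


# The two configurations from the slides.
URANUS_CONFIG = """
static (dmz,outside) 10.1.1.201 172.10.10.2 netmask 255.255.255.255
access-list uranus permit tcp any 10.1.1.201 255.255.255.255 eq telnet
access-list uranus permit tcp any 10.1.1.201 255.255.255.255 eq www
access-list uranus deny ip any any
access-group uranus in interface outside
"""
MARS_CONFIG = """
static (dmz,outside) 10.1.1.201 172.10.10.2 netmask 255.255.255.255
access-list mars permit ip host 10.1.1.200 host 10.1.1.201
access-list mars deny ip any any
access-group mars in interface outside
"""

if __name__ == "__main__":
    # Constructed sample packets: outside hosts 192.168.2.5 and 10.1.1.200 towards the mapped address.
    print(decide(URANUS_CONFIG, "outside", 6, "192.168.2.5", "10.1.1.201", 23))
    print(decide(URANUS_CONFIG, "outside", 6, "192.168.2.5", "10.1.1.201", 22))
    print(decide(MARS_CONFIG, "outside", 6, "10.1.1.200", "10.1.1.201", 22))
    print(decide(MARS_CONFIG, "outside", 6, "192.168.2.5", "10.1.1.201", 80))
```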
PIX/ASA Failover
Failure
Possible failures:
· Power supply failures.
· Primary reboot.
· Interface problems.
· Memory overflow.
[Diagram: rack units (40 U, 1 U, 5 U, 1 U) with two separate power feeds, UPS 1 and UPS 2]
Failover
Requirements for a failover pair:
· Same PIX type.
· Same RAM.
· Same Flash memory.
· Same type of interfaces.
· Same software version.
· Same activation keys for DES or 3DES.
[Diagram: MAIN and STANDBY units, each with E0 (outside), E1 (inside) and E2 (inf2), joined by a failover cable]
Licences:
· UR – Unrestricted licence (must be used for the primary).
· FO – Failover licence (for the secondary).
· R – Restricted licence (cannot be used).
Either Primary (UR)/Secondary (UR) or Primary (UR)/Secondary (FO). An activation key is required!
Failover
· Hello messages are sent every 1-15 seconds on every interface (hello time: PIX default 15 seconds, ASA default 1 second).
· If no hello message is received within the holdtime (PIX default: 45 seconds, i.e. 3 times the hello time; ASA default: 15 seconds), failover happens.
· If the secondary doesn't work, the primary assumes control and no failover takes place.
Hellos are sent on ALL interfaces, including the failover connection.
[Diagram: two units with E0 (outside), E1 (inside) and E2 (inf2), exchanging "Hello" messages on each interface and over the failover cable]
[Diagram: active and standby units with e0 (outside), e1 (inside) and e2 (inf2), linked by a failover cable or an Ethernet (LAN-based) failover connection]
Interface tests:
Test 1. NIC status test: the up/down status of the interface.
Test 2. Network activity test: monitor for 5 seconds; if traffic is detected, the remaining tests are cancelled.
Test 3. ARP test: ARP requests for the last 10 IP addresses in the ARP table.
Test 4. Ping test: broadcast ping to 255.255.255.255; if anything replies, the test is quit.
On start-up the configuration is automatically copied over to the standby unit.
All new commands are replicated.
The write standby command sends the configuration to the secondary.
Either Primary (UR)/Secondary (UR) or Primary (UR)/Secondary (FO). An activation key is required!
Stateful failover – restores everything: the ARP table, xlate (translation) table, fixup tables, routing information, IPSec/ISAKMP tables, MAC addresses and hello messages.
Secondary inherits the IP addresses and MAC addresses of the primary.
Primary inherits the IP addresses and MAC addresses of the secondary.
[Diagram: two units with e0 (outside), e1 (inside) and e2 (inf2), a failover cable, and a stateful connection between e3 on each unit]
Stateful failover requires an additional Ethernet connection (e3 to e3) for the stateful link.
Non-stateful failover – only the RAM configuration and session details are passed.
Secondary inherits the IP addresses and MAC addresses of the primary.
Primary inherits the IP addresses and MAC addresses of the secondary.
Lost: NAT translations and connections.
[Diagram: LAN-based failover with e0 (outside) and e1 (inside) on each unit, and e2 of both the active and the standby unit connected to a dedicated switch/hub]
Failover configuration (failover cable, stateful link on e3):
myPIX(config)# failover active
myPIX(config)# failover ip address outside 157.202.212.2
myPIX(config)# failover ip address inside 73.105.56.11
myPIX(config)# failover ip address inf2 166.209.230.11
myPIX(config)# failover poll 2
myPIX(config)# show failover
[Diagram: two units with e0 (outside), e1 (inside) and e2 (inf2), a failover cable, and a stateful connection between e3 on each unit]
LAN-based Failover (primary unit):
myPIX(config)# ip address outside 157.202.212.1
myPIX(config)# ip address inside 73.105.56.1
myPIX(config)# ip address inf2 166.209.230.1
myPIX(config)# failover active
myPIX(config)# failover ip address outside 157.202.212.2
myPIX(config)# failover ip address inside 73.105.56.2
myPIX(config)# failover ip address inf2 166.209.230.2
myPIX(config)# failover lan key mypix
myPIX(config)# failover lan unit primary
myPIX(config)# failover lan interface inf2
myPIX(config)# failover lan enable
[Diagram: e0 (outside) and e1 (inside) on each unit; e2 of each unit carries the LAN-based failover and stateful connection]
LAN-based Failover (secondary unit):
myPIX(config)# ip address inf2 166.209.230.2
myPIX(config)# failover active
myPIX(config)# failover lan key mypix
myPIX(config)# failover lan unit secondary
myPIX(config)# failover lan interface inf2
myPIX(config)# failover lan enable
[Diagram: e0 (outside) and e1 (inside) on each unit; e2 of each unit carries the LAN-based failover and stateful connection]
VPN
Issues involved
[Diagram: Bob and Alice behind their gateways, communicating across an untrusted network on which Eve sits]
Eve could eavesdrop on the public communications.
Eve could change the data packets.
Eve could set up an alternative gateway.
What is required is:
· Encryption.
· Authentication of devices (to overcome spoofing).
· Authentication of packets (for integrity).
Tunnelling methods
[Diagram: Bob and Alice behind their gateways, tunnelling across an untrusted network watched by Eve]
What is required is:
· Encryption.
· Authentication of devices (to overcome spoofing).
· Authentication of packets (for integrity).
PPTP (Point-to-Point Tunneling Protocol). Created by Microsoft and is routable. It uses MPPE (Microsoft Point-to-Point Encryption) and user authentication.
L2TP (Layer 2 Tunneling Protocol). Works at Layer 2 to forward IP, IPX and AppleTalk (RFC2661). Cisco, Microsoft, Ascend and 3Com developed it. User and machine authentication, but no encryption (although it can be combined with IPSec, as L2TP over IPSec).
IPSec. An open standard. Includes both encryption and authentication.
Tunnelling mode or transport mode
Tunnel mode (over untrusted connections): traffic is encrypted between the gateways as it crosses the untrusted network, and travels unencrypted on the trusted networks at either end.
Transport mode: end-to-end (host-to-host) tunnelling, so the traffic is encrypted all the way from Bob to Alice.
VPN types
· Remote Access VPN: a single user (Bob@home) connects to the company network (Bob Co.).
· Intranet VPN: links sites of the same organisation (Bob Co. to Bob Co.).
· Extranet VPN: links different organisations (Bob Co. to Alice Co.).
Tunnelling mode or transport mode
[Diagram: the example infrastructure (router, firewalls, intrusion detection systems, proxy server, web and FTP servers, switches) between Bob and Alice]
Tunnel mode: traffic is only encrypted over the public channel, so the firewalls and IDS inside the perimeter still see it in the clear.
Transport mode: traffic is encrypted end-to-end and cannot be checked by firewalls, IDS, and so on.
Blocking end-to-end encryption
[Diagram: the example infrastructure between Bob and Alice, with traffic only encrypted over the public channel]
The firewall blocks all encrypted content and any negotiation of a tunnel.
For IPSec (one of the most popular tunnelling methods):
· UDP port 500 is the key exchange (IKE) port. If it is blocked there can be no tunnel.
· IP protocol 50 carries IPSec ESP (Encapsulating Security Payload).
· IP protocol 51 carries IPSec AH (Authentication Header).
IPSec
[Diagram: ESP transport mode method – IP header | ESP header | IP packet contents (encrypted) | ESP trailer | ESP authentication; noted weakness: replay attack. AH transport method – new IP header | AH header | IP header | IP packet contents, with the authentication scope covering the whole packet, providing complete authentication for the packet]
The IPSec protocol has:
· ESP (Encapsulating Security Payload). ESP takes the original data packet and breaks off the IP header. The rest of the packet is encrypted, and the original header is put back at the start, along with a new ESP header at the start and an ESP trailer at the end. It is important that the IP header is not encrypted, as the data packet must still be read by routers as it travels over the Internet. Only the host at the other end of the IPSec tunnel can decrypt the contents of the IPSec data packet.
· AH (Authentication Header). This authenticates the complete contents of the IP data packet and adds a new packet header. ESP has the weakness that an intruder can replay previously sent data, whereas AH provides a mechanism of sequence numbers to reduce this problem.
IPSec
[Diagram: IPv4 header – Version, Header length, Type of service, Total length, Identification, flags (0, D, M), Fragment offset, Time-to-Live, Protocol, Header checksum, Source IP address, Destination IP address – followed by the TCP header and the higher-level protocol/data]
The Protocol field of the IP header identifies the payload. Values relevant here:
  Number  Keyword  Protocol
  1       ICMP     Internet Control Message [RFC792]
  6       TCP      Transmission Control [RFC793]
  8       EGP      Exterior Gateway Protocol [RFC888]
  9       IGP      Any private interior gateway [IANA]
  47      GRE      General Routing Encapsulation (PPTP)
  50      ESP      Encap Security Payload [RFC2406]
  51      AH       Authentication Header [RFC2402]
  55      MOBILE   IP Mobility
  88      EIGRP    EIGRP [Cisco]
  89      OSPFIGP  OSPFIGP [RFC1583]
  115     L2TP     Layer Two Tunneling Protocol
IPSec
[Diagram: remote access VPN from Bob@home to Bob Co.]
Phase 1 (IKE – Internet Key Exchange). UDP port 500 is used for IKE. Defines the policies between the peers.
IKE policies:
· Hashing algorithm (SHA/MD5).
· Encryption (DES/3DES).
· Diffie-Hellman agreements.
· Authentication (pre-share, RSA nonces, RSA signatures).
Phase 2. Defines the policies for transform sets, peer IP addresses/hostnames and lifetime settings. Crypto maps are exchanged:
· AH, ESP (or both).
· Encryption (DES, 3DES).
· ESP (tunnel or transport).
· Authentication (SHA/MD5).
· SA lifetimes defined.
· Define the traffic of interest.
Phase 1 configuration:
isakmp enable outside
isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authen pre-share
isakmp policy 5 encrypt des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
sysopt connection permit-ipsec
Phase 2 configuration:
crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
crypto map MYIPSEC 10 ipsec-isakmp
access-list 111 permit ip 10.0.0.0 255.255.255.0 176.16.0.0 255.255.255.0
crypto map MYIPSEC 10 match address 111
crypto map MYIPSEC 10 set peer 176.16.0.2
crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
crypto map MYIPSEC interface outside
Blocking end-to-end encryption
[Diagram: device authentication during IKE – each gateway holds a private key (Kpv1) and exchanges its public key (Kpb1, Kpb2); a challenge is sent, the hashed value is returned as the result, and the public key is used to authenticate the device; the shared key agreed by Diffie-Hellman is used to encrypt all the data]
IPSec (PIX)
Left PIX (10.0.0.0/24 side):
isakmp enable outside
isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authen pre-share
isakmp policy 5 encrypt des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
sysopt connection permit-ipsec
crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
access-list 111 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto map MYIPSEC 10 ipsec-isakmp
crypto map MYIPSEC 10 match address 111
crypto map MYIPSEC 10 set peer 176.16.0.2
crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
crypto map MYIPSEC interface outside
Right PIX (192.168.0.0/24 side):
isakmp enable outside
isakmp key ABC&FDD address 176.16.0.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authen pre-share
isakmp policy 5 encrypt des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
sysopt connection permit-ipsec
crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
access-list 111 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map MYIPSEC 10 ipsec-isakmp
crypto map MYIPSEC 10 match address 111
crypto map MYIPSEC 10 set peer 176.16.0.1
crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
crypto map MYIPSEC interface outside
[Diagram: 10.0.0.1 – PIX (172.16.0.1) – PIX (172.16.0.2) – 192.168.0.1]
IPSec (PIX and Router)
PIX side:
isakmp enable outside
isakmp key ABC&FDD address 176.16.0.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 5 authen pre-share
isakmp policy 5 encrypt des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400
sysopt connection permit-ipsec
crypto ipsec transform-set MYIPSECFORMAT esp-des esp-sha-hmac
access-list 111 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto map MYIPSEC 10 ipsec-isakmp
crypto map MYIPSEC 10 match address 111
crypto map MYIPSEC 10 set peer 176.16.0.2
crypto map MYIPSEC 10 set transform-set MYIPSECFORMAT
crypto map MYIPSEC interface outside
Router side (IOS):
crypto isakmp policy 1
 hash sha
 authentication pre-share
 group 1
 lifetime 86400
 encryption des
crypto isakmp key ABC&FDD address 172.16.0.1
crypto isakmp identity address
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 172.16.0.1
 set transform-set rtpset
 match address 115
interface FastEthernet0/0
 ip address 172.16.0.2 255.255.255.0
 crypto map mymap
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
[Diagram: 10.0.0.1 – PIX (172.16.0.1) – router (172.16.0.2) – 192.168.0.1]
IPSec (PIX and Router)
[Diagram: 10.0.0.1 – PIX (172.16.0.1) – router (172.16.0.2) – 192.168.0.1]
Captured IKE Phase 1 packet (Wireshark):
No.  Time      Source       Destination    Protocol  Info
81   5.237402  192.168.0.3  146.176.210.2  ISAKMP    Aggressive

Frame 81 (918 bytes on wire, 918 bytes captured)
Ethernet II, Src: IntelCor_34:02:f0 (00:15:20:34:62:f0), Dst: Netgear_b0:d6:8c (00:18:4d:b0:d6:8c)
Internet Protocol, Src: 192.168.0.3 (192.168.0.3), Dst: 146.176.210.2 (146.176.210.2)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
    Source port: isakmp (500)
    Destination port: isakmp (500)
    Length: 884
    Checksum: 0xd89d [correct]
Internet Security Association and Key Management Protocol
    Initiator cookie: 5ABABE2D49A2D42A
    Responder cookie: 0000000000000000
    Next payload: Security Association (1)
    Version: 1.0
    Exchange type: Aggressive (4)
    Flags: 0x00
    Message ID: 0x00000000
    Length: 860
    Security Association payload
        Next payload: Key Exchange (4)
        Payload length: 556
        Domain of interpretation: IPSEC (1)
        Situation: IDENTITY (1)
        Proposal payload # 1
            Next payload: NONE (0)
            Payload length: 544
            Proposal number: 1
            Protocol ID: ISAKMP (1)
            SPI Size: 0
            Proposal transforms: 14
            Transform payload # 1
                Next payload: Transform (3)
                Payload length: 40
                Transform number: 1
                Transform ID: KEY_IKE (1)
                Encryption-Algorithm (1): AES-CBC (7)
                Hash-Algorithm (2): SHA (2)
                Group-Description (4): Alternate 1024-bit MODP group (2)
                Authentication-Method (3): XAUTHInitPreShared (65001)
                Life-Type (11): Seconds (1)
                Life-Duration (12): Duration-Value (2147483)
                Key-Length (14): Key-Length (256)
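As an added example (not code from the slides), the Python below does two things the preceding slides describe: it classifies constructed IPv4 packets the way a firewall applying the "Blocking end-to-end encryption" policy would (IKE on UDP port 500, ESP as IP protocol 50, AH as IP protocol 51), and for an IKE packet it decodes the fixed ISAKMP header, the same fields Wireshark showed for frame 81. The sample packets are built in the code, reusing the initiator cookie, exchange type and length from the capture; the packet-builder helpers and the `block` policy flags are assumptions of this example.

```python
"""Classifying IPSec traffic and decoding the ISAKMP header (added example).

Not code from the slides. classify_ipv4() labels a raw IPv4 packet the way a
firewall enforcing the "Blocking end-to-end encryption" policy would: IKE is
UDP port 500, ESP is IP protocol 50 and AH is IP protocol 51. For IKE it also
decodes the fixed 28-byte ISAKMP header (RFC 2408), the fields Wireshark
showed for frame 81. Sample packets are constructed below; the cookie,
exchange type and length are taken from the captured frame.
"""
import ipaddress
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT = 500
# ISAKMP exchange types and payload types (RFC 2408 values).
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {0: "NONE", 1: "Security Association", 2: "Proposal", 3: "Transform",
                 4: "Key Exchange", 5: "Identification", 10: "Nonce"}


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed ISAKMP header: initiator/responder cookies (8 bytes each),
    next payload, version (major/minor nibbles), exchange type, flags, message ID, length."""
    if len(data) < 28:
        raise ValueError("ISAKMP header is 28 bytes")
    icookie, rcookie, npl, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    return {
        "initiator_cookie": icookie.hex().upper(),
        "responder_cookie": rcookie.hex().upper(),
        "next_payload": PAYLOAD_TYPES.get(npl, str(npl)),
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange_type": EXCHANGE_TYPES.get(xchg, str(xchg)),
        "flags": flags,
        "message_id": msgid,
        "length": length,
        # An all-zero responder cookie means this is the initiator's first message.
        "first_message": rcookie == bytes(8),
    }


def classify_ipv4(pkt: bytes) -> dict:
    """Label one IPv4 packet; `block` is True for anything the slide's policy would stop."""
    ihl = (pkt[0] & 0x0F) * 4             # header length in bytes
    proto = pkt[9]                        # the Protocol field of the IPv4 header
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:
        return {"kind": "ESP", "block": True}
    if proto == IPPROTO_AH:
        return {"kind": "AH", "block": True}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return {"kind": "IKE", "block": True, "isakmp": parse_isakmp_header(payload[8:])}
        return {"kind": f"UDP/{dport}", "block": False}
    return {"kind": f"IP proto {proto}", "block": False}


# --- constructed sample packets (helpers belong to this example, not to the page) ---

def build_ipv4(proto: int, payload: bytes, src: str = "192.168.0.3", dst: str = "146.176.210.2") -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left as zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (length filled in, checksum zero) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# ISAKMP header carrying the values Wireshark decoded for frame 81.
ISAKMP_AGGRESSIVE = struct.pack("!8s8sBBBBII", bytes.fromhex("5ABABE2D49A2D42A"), bytes(8),
                                1, 0x10, 4, 0x00, 0, 860)


def sample_results() -> dict:
    ike = build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, ISAKMP_AGGRESSIVE))
    esp = build_ipv4(IPPROTO_ESP, bytes.fromhex("00001234") + bytes(12))   # SPI, then filler bytes
    dns = build_ipv4(IPPROTO_UDP, build_udp(5353, 53, bytes(12)))
    return {"ike": classify_ipv4(ike), "esp": classify_ipv4(esp), "dns": classify_ipv4(dns)}


if __name__ == "__main__":
    for name, result in sample_results().items():
        print(name, result)
```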
Before connecting to the VPN
[Diagram: remote access VPN from Bob@home to Bob Co.]
C:\>route print
===========================================================================
Interface List
 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet
  7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connection
  1 ........................... Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3      25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1     306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1     306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1     306
      192.168.0.0    255.255.255.0         On-link       192.168.0.3     281
      192.168.0.3  255.255.255.255         On-link       192.168.0.3     281
    192.168.0.255  255.255.255.255         On-link       192.168.0.3     281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1     306
        224.0.0.0        240.0.0.0         On-link       192.168.0.3     281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1     306
  255.255.255.255  255.255.255.255         On-link       192.168.0.3     281
===========================================================================
Persistent Routes:
  None
After connecting to the VPN
[Diagram: remote access VPN from Bob@home to Bob Co.]
C:\>route print
===========================================================================
Interface List
 21 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter
 10 ...00 1d 09 3f 49 8d ...... Broadcom NetLink (TM) Fast Ethernet
  7 ...00 1f 3c 4f 30 1d ...... Intel(R) PRO/Wireless 3945ABG Network Connection
  1 ........................... Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3      25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1     306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1     306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1     306
      146.176.0.0      255.255.0.0         On-link   146.176.212.218     281
      146.176.1.0    255.255.255.0      146.176.0.1  146.176.212.218     100
      146.176.2.0    255.255.255.0      146.176.0.1  146.176.212.218     100
...
    146.176.210.2  255.255.255.255      192.168.0.1      192.168.0.3     100
    146.176.211.0    255.255.255.0      146.176.0.1  146.176.212.218     100
  146.176.212.218  255.255.255.255         On-link   146.176.212.218     281
...
  255.255.255.255  255.255.255.255         On-link         127.0.0.1     306
  255.255.255.255  255.255.255.255         On-link       192.168.0.3     281
  255.255.255.255  255.255.255.255         On-link   146.176.212.218     281
===========================================================================
Persistent Routes:
[Diagram: Bob's host (192.168.0.3) with its VPN adapter (146.176.212.218) reaching Bob Co. through the VPN gateway 146.176.0.1]
Only traffic for the 146.176.0.0 network goes through the VPN connection; all other traffic goes through the non-VPN connection (the normal default route via 192.168.0.1).
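To show the split-tunnel behaviour just described, this added Python (not from the slides) loads a constructed subset of the route print output above and resolves destinations the way Windows does, longest prefix first and lowest metric on a tie; the elided rows of the slide's table are omitted, and the VPN-adapter check in path_for is an assumption of this example.

```python
"""Longest-prefix lookup over the Windows route table shown after the VPN connects.

Added example, not code from the slides. It parses `route print` rows and
resolves destinations the way the host does: the most specific matching route
wins, and the lowest metric breaks ties. The table is a constructed subset of
the slide's output (the rows elided by "..." on the slide are left out).
"""
import ipaddress
from typing import List, NamedTuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str          # "On-link" when the destination is directly reachable
    interface: str
    metric: int


ROUTE_PRINT_AFTER_VPN = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.3      25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1     306
      146.176.0.0      255.255.0.0         On-link   146.176.212.218     281
      146.176.1.0    255.255.255.0      146.176.0.1  146.176.212.218     100
      146.176.2.0    255.255.255.0      146.176.0.1  146.176.212.218     100
    146.176.210.2  255.255.255.255      192.168.0.1      192.168.0.3     100
    146.176.211.0    255.255.255.0      146.176.0.1  146.176.212.218     100
  146.176.212.218  255.255.255.255         On-link   146.176.212.218     281
      192.168.0.0    255.255.255.0         On-link       192.168.0.3     281
      192.168.0.3  255.255.255.255         On-link       192.168.0.3     281
"""

VPN_ADAPTER = "146.176.212.218"   # the Cisco VPN Adapter address from the slide


def parse_route_print(text: str) -> List[Route]:
    """Turn the Active Routes rows into Route records; header and rule lines are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        # Data rows have exactly five columns and start with a dotted quad.
        if len(cols) != 5 or not cols[0][0].isdigit():
            continue
        dest, mask, gateway, interface, metric = cols
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, gateway, interface, int(metric)))
    return routes


def lookup(routes: List[Route], destination: str) -> Route:
    """Pick the most specific matching route; on equal prefix length the lowest metric wins."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        raise LookupError(f"no route to {destination}")
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def path_for(destination: str) -> str:
    """Summarise whether a destination leaves through the VPN adapter or the home LAN."""
    r = lookup(parse_route_print(ROUTE_PRINT_AFTER_VPN), destination)
    via = "VPN adapter" if r.interface == VPN_ADAPTER else "home LAN"
    return f"{destination} -> {r.network} via {r.gateway} on {r.interface} ({via})"


if __name__ == "__main__":
    # www.napier.ac.uk, an internal subnet, the VPN gateway itself, and www.intel.com's address.
    for d in ("146.176.222.174", "146.176.1.10", "146.176.210.2", "90.223.246.33"):
        print(path_for(d))
```

Note that the VPN gateway 146.176.210.2 itself resolves through the home LAN: its /32 route via 192.168.0.1 is what keeps the tunnel's outer packets off the tunnel.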
Traceroute for VPN
[Diagram: remote access VPN from Bob@home to Bob Co.; VPN adapter 146.176.212.218, VPN gateway 146.176.0.1]
After VPN connection:
C:\>tracert www.napier.ac.uk

Tracing route to www.napier.ac.uk [146.176.222.174]
over a maximum of 30 hops:

  1    57 ms    58 ms    57 ms  146.176.210.2
  2    58 ms    56 ms    57 ms  www.napier.ac.uk [146.176.222.174]
  3    58 ms    59 ms    56 ms  www.napier.ac.uk [146.176.222.174]

Before VPN connection:
C:\>tracert www.napier.ac.uk

Tracing route to www.napier.ac.uk [146.176.222.174]
over a maximum of 30 hops:

  1     2 ms     2 ms     6 ms  192.168.0.1
  2    36 ms    38 ms    38 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    31 ms    31 ms    30 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    43 ms    43 ms    43 ms  be2.er10.thlon.ov.easynet.net [195.66.224.43]
  5    48 ms    45 ms    45 ms  linx-gw1.ja.net [195.66.224.15]
  6    45 ms    44 ms    45 ms  so-0-1-0.lond-sbr4.ja.net [146.97.35.129]
  7    49 ms    79 ms    49 ms  so-2-1-0.leed-sbr1.ja.net [146.97.33.29]
  8    58 ms    56 ms    56 ms  EastMAN-E1.site.ja.net [146.97.42.46]
  9    59 ms    57 ms    57 ms  vlan16.s-pop2.eastman.net.uk [194.81.56.66]
 10    57 ms    59 ms    58 ms  gi0-1.napier-pop.eastman.net.uk [194.81.56.46]
 11
Traceroute for VPN
[Diagram: remote access VPN from Bob@home to Bob Co.; VPN adapter 146.176.212.218, VPN gateway 146.176.0.1]
Before VPN connection:
C:\>tracert www.intel.com

Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  192.168.0.1
  2    35 ms    43 ms    36 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    32 ms    31 ms    32 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    46 ms    45 ms    45 ms  te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
  5    46 ms    47 ms    47 ms  5adff621.bb.sky.com [90.223.246.33]

After VPN connection (the path is unchanged, as only 146.176.0.0 traffic uses the VPN):
C:\>tracert www.intel.com

Tracing route to a961.g.akamai.net [90.223.246.33]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  192.168.0.1
  2    35 ms    43 ms    36 ms  cr0.escra.uk.easynet.net [87.87.249.224]
  3    32 ms    31 ms    32 ms  ip-87-87-146-129.easynet.co.uk [87.87.146.129]
  4    46 ms    45 ms    45 ms  te7-0-0.sr0.enlcs.ov.easynet.net [89.200.132.109]
  5    46 ms    47 ms    47 ms  5adff621.bb.sky.com [90.223.246.33]
Network Security (Part 2): Professional Certification
NetworkSims
PIX/ASA Configuration:
· Interfaces.
· Fixup.
· Static Routes.
· Access-lists.
· Failover.
· VPN.
Prof Bill Buchanan, Leader, Centre for Distributed Computing and Security
http://www.dcs.napier.ac.uk/~bill
Room: C.63
Academic element (assessment):
· On-line tests: 40% (.NET Security on-line test: 20%; Network Security on-line test: 20%).
· Coursework: Agent-based IDS, Web-CT submission: 40%.
Timeline: Weeks 1-8 and Weeks 8-13; MCQ test, Web-CT submission and on-line test.