********************************
ASA Firewall
********************************
****************************************************
Understanding the Traffic Flow
****************************************************
=====================
High - To - Low
=====================
- By default, all traffic is allowed to go from an interface with a higher security level towards an interface with a lower security level.
- Although all traffic is allowed, only TCP and UDP traffic is inspected by default, meaning the ASA records the flow in its Connection Table. This is known as Implicit Inspection. Because ICMP is not inspected, the echo replies to a ping started on the high-security side have no entry to match on the way back and are dropped, so ping will not work by default.
=====================
Low - To - High
=====================
- By default, all traffic coming from an interface with a lower security level towards an interface with a higher security level is blocked.
- Return traffic that was inspected on the way out is allowed to return as it will have an entry in the Connection Table (AKA The State Table).
- If you would like traffic initiated from a Lower Security level interface towards a Higher Security Level interface to be allowed, you need to create a permit entry in an ACL.
================================================
Same Security Level - To - Same Security Level
================================================
- By default, all traffic is blocked between 2 interfaces with the same security level. This type of setup is used when you never want 2 interfaces to talk to each other.
- Even an ACL will not override this setup.
- You do have the ability to reverse this.
- If your configuration requires no firewalling between 2 or more L3 interfaces at the same security level, use the global command "same-security-traffic permit inter-interface" to allow all traffic to traverse between them.
- You either block all or allow all.
- In case you have a situation in which traffic is coming in and going out of the same interface, it is treated as if the flow is between 2 interfaces with the same security level.
- By default, this traffic is blocked.
- If you would like a flow to come in and go out of the same interface ("U-turn traffic" or "hairpinning"), enable it with the "same-security-traffic permit intra-interface" command.
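The decision rules above, as an added Python model that is not part of these notes and not ASA code: it keeps a connection table, applies implicit inspection to TCP/UDP only (ICMP gets an entry only if "inspect icmp" is turned on, which the notes do not cover), and applies the two same-security-traffic switches. Interface names and addresses are the ones used later in these notes; the packets in demo() are constructed.

```python
# Added example (not from the notes): a small model of the default ASA flow decisions.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Flow = Tuple[str, str, str, str, str]   # (in_if, out_if, proto, src, dst)


@dataclass
class Asa:
    levels: Dict[str, int]                 # nameif -> security-level
    permit_inter: bool = False             # same-security-traffic permit inter-interface
    permit_intra: bool = False             # same-security-traffic permit intra-interface
    inspect_icmp: bool = False             # "inspect icmp" is off by default, so ICMP keeps no state
    acl_permits: Set[Tuple[str, str, str, str]] = field(default_factory=set)  # (in_if, proto, src, dst)
    conn_table: Set[Flow] = field(default_factory=set)  # the Connection (State) Table

    def forward(self, in_if: str, out_if: str, proto: str, src: str, dst: str) -> bool:
        """Decide whether a packet is forwarded, recording state for inspected flows."""
        proto = proto.lower()
        # Return traffic: the reverse of an entry already in the connection table
        # is allowed back regardless of security levels.
        if (out_if, in_if, proto, dst, src) in self.conn_table:
            return True
        if in_if == out_if:                               # hairpin / U-turn
            allowed = self.permit_intra
        elif self.levels[in_if] == self.levels[out_if]:   # same security level
            allowed = self.permit_inter                   # an ACL cannot override this
        elif self.levels[in_if] > self.levels[out_if]:    # high -> low
            allowed = True                                # (assumes no ACL applied on the high side)
        else:                                             # low -> high
            allowed = (in_if, proto, src, dst) in self.acl_permits
        # Implicit inspection: TCP and UDP flows get a connection-table entry;
        # ICMP only does when "inspect icmp" is enabled.
        if allowed and (proto in ("tcp", "udp") or (proto == "icmp" and self.inspect_icmp)):
            self.conn_table.add((in_if, out_if, proto, src, dst))
        return allowed


def demo() -> Dict[str, bool]:
    """Constructed packets run through the model; the values are the ASA defaults."""
    fw = Asa(levels={"Outside": 0, "Inside": 100, "DMZ-3": 50, "DMZ-4": 50})
    r = {}
    # R1 telnets to R2: high -> low, allowed, and the TCP flow is inspected
    r["inside_telnet_out"] = fw.forward("Inside", "Outside", "tcp", "10.11.11.1", "192.1.20.2")
    r["telnet_reply_in"] = fw.forward("Outside", "Inside", "tcp", "192.1.20.2", "10.11.11.1")
    # R1 pings R2: the echo goes out, but without inspect icmp the reply is dropped
    r["inside_ping_out"] = fw.forward("Inside", "Outside", "icmp", "10.11.11.1", "192.1.20.2")
    r["ping_reply_in"] = fw.forward("Outside", "Inside", "icmp", "192.1.20.2", "10.11.11.1")
    # With "inspect icmp" on, the reply matches the connection table instead
    fw.inspect_icmp = True
    fw.forward("Inside", "Outside", "icmp", "10.11.11.1", "192.1.20.2")
    r["ping_reply_in_with_inspect"] = fw.forward("Outside", "Inside", "icmp", "192.1.20.2", "10.11.11.1")
    # DMZ-3 <-> DMZ-4: same security level, blocked until inter-interface traffic is permitted
    r["dmz_to_dmz_default"] = fw.forward("DMZ-3", "DMZ-4", "tcp", "192.168.3.3", "192.168.4.4")
    fw.permit_inter = True
    r["dmz_to_dmz_permitted"] = fw.forward("DMZ-3", "DMZ-4", "tcp", "192.168.3.3", "192.168.4.4")
    # U-turn on Outside: blocked until intra-interface traffic is permitted
    r["hairpin_default"] = fw.forward("Outside", "Outside", "udp", "199.1.1.1", "200.1.1.1")
    fw.permit_intra = True
    r["hairpin_permitted"] = fw.forward("Outside", "Outside", "udp", "199.1.1.1", "200.1.1.1")
    # A new telnet from R2's 199.1.1.0/24 network to R1: low -> high needs an ACL permit
    r["outside_telnet_in_default"] = fw.forward("Outside", "Inside", "tcp", "199.1.1.1", "10.11.11.1")
    fw.acl_permits.add(("Outside", "tcp", "199.1.1.1", "10.11.11.1"))
    r["outside_telnet_in_with_acl"] = fw.forward("Outside", "Inside", "tcp", "199.1.1.1", "10.11.11.1")
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:30} {'forwarded' if ok else 'dropped'}")
```

The model deliberately checks the connection table first, which is why the telnet reply from Outside to Inside passes with no ACL while a fresh telnet from Outside does not.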
****************************************************
Access-list on the ASA
****************************************************
- Access-list on the ASA is a Named ACL.
- It uses a normal subnet mask (for example 255.255.255.0), not the inverse (wildcard) mask used by IOS ACLs.
- It is an Extended ACL.
- The Name of the ACL is case-sensitive (And Exam-sensitive :-D)
- The ACL on the ASA only applies to "THRU" traffic.
- If you would like to control traffic destined to the Firewall (Pings, Management Traffic), you do it by using the Services for that traffic.
access-list [NAME] [Permit / Deny] [Protocol] [Source] [Source Mask] [Dest.] [Dest. Mask] port/type
Examples:
access-list OUTSIDE permit icmp any 10.11.11.0 255.255.255.0 echo-reply
access-list OUTSIDE permit tcp host 192.1.20.2 host 10.11.11.1 eq 23
access-list OUTSIDE permit icmp host 192.1.20.2 host 10.11.11.1 echo
!
access-group OUTSIDE in interface Outside
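An added Python parser and first-match evaluator for the access-list syntax above (example code, not from these notes). It uses the three ACL lines from the notes (with the protocol for echo-reply as icmp) plus a constructed fourth line under the lowercase name "outside" to show that the name is case-sensitive, and it rejects a wildcard mask outright, since the ASA takes a normal subnet mask. Packets in demo() are constructed; port numbers are compared literally (23, not "telnet").

```python
# Added example (not from the notes): parse ASA-style ACEs and evaluate them first-match.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mask_to_prefix(mask: str) -> int:
    """Convert a normal subnet mask to a prefix length; reject IOS-style wildcard masks."""
    m = int(ipaddress.IPv4Address(mask))
    inverse = (~m) & 0xFFFFFFFF
    if inverse & (inverse + 1):   # a subnet mask is contiguous ones followed by zeros
        raise ValueError(f"{mask} is not a subnet mask (the ASA does not use wildcard masks)")
    return 32 - inverse.bit_length()


@dataclass
class Ace:
    action: str                  # permit / deny
    proto: str                   # ip / tcp / udp / icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_or_type: Optional[str]  # "23" for "eq 23", an ICMP type such as echo-reply, or None


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec (any | host A | network mask) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefix = mask_to_prefix(tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_acl(lines: List[str], name: str) -> List[Ace]:
    """Collect the ACEs of one named ACL, in order. The name is case-sensitive."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        rest = t[i:]
        port_or_type = None
        if rest:   # "eq 23" for tcp/udp, or a bare ICMP type name
            port_or_type = rest[1] if rest[0] == "eq" else rest[0]
        aces.append(Ace(t[2].lower(), t[3].lower(), src, dst, port_or_type))
    return aces


def acl_decides(aces: List[Ace], proto: str, src: str, dst: str,
                port_or_type: Optional[str] = None) -> bool:
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto.lower()):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port_or_type is not None and ace.port_or_type != port_or_type:
            continue
        return ace.action == "permit"
    return False


# The ACL from the notes plus one constructed line under a different (lowercase) name.
CONFIG = """\
access-list OUTSIDE permit icmp any 10.11.11.0 255.255.255.0 echo-reply
access-list OUTSIDE permit tcp host 192.1.20.2 host 10.11.11.1 eq 23
access-list OUTSIDE permit icmp host 192.1.20.2 host 10.11.11.1 echo
access-list outside permit ip any any
""".splitlines()


def demo() -> dict:
    """Constructed packets evaluated against the OUTSIDE ACL."""
    acl = parse_acl(CONFIG, "OUTSIDE")
    r = {"ace_count": len(acl)}   # 3: the lowercase "outside" line is a different ACL
    r["echo_reply_to_inside_net"] = acl_decides(acl, "icmp", "200.1.1.1", "10.11.11.5", "echo-reply")
    r["r2_telnet_to_r1"] = acl_decides(acl, "tcp", "192.1.20.2", "10.11.11.1", "23")
    r["other_host_telnet_to_r1"] = acl_decides(acl, "tcp", "192.1.20.3", "10.11.11.1", "23")
    r["r2_ssh_to_r1"] = acl_decides(acl, "tcp", "192.1.20.2", "10.11.11.1", "22")
    r["r2_echo_to_r1"] = acl_decides(acl, "icmp", "192.1.20.2", "10.11.11.1", "echo")
    r["other_echo_to_r1"] = acl_decides(acl, "icmp", "200.1.1.1", "10.11.11.1", "echo")
    try:
        mask_to_prefix("0.0.0.255")   # an IOS wildcard mask, not valid here
        r["wildcard_rejected"] = False
    except ValueError:
        r["wildcard_rejected"] = True
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```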
****************************************************
TO-Traffic
****************************************************
- TO traffic is controlled by the Service.
- It is done on a per-interface basis.
- The only service that is enabled by default is ICMP.
- Any interface will be pingable from the same side of the interface by default.
============================================================
Remote Management of Firewall using Telnet
============================================================
- You need to enable the Service on the interface.
Telnet 10.11.11.0 255.255.255.0 inside
Telnet 192.168.3.0 255.255.255.0 dmz-3
- Specify the Password for the Service
passwd cisco123
Note: Telnet is not allowed from an interface with a Security level set to 0 even if you enable it.
Setting a Local Authentication Database for individual Users
- Create the Local Authentication Database
username Hasnain password cisco123
username Zaidi password cisco123
- Point Telnet to authenticate based on the Local Database
aaa authentication telnet console LOCAL
============================================================
Remote Management of Firewall using SSH
============================================================
- You need to enable the Service on the interface.
ssh 10.11.11.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 dmz-3
ssh 192.1.20.2 255.255.255.255 outside
Note: SSH requires a username and password. It also requires an RSA key pair.
- Generate a RSA Key Pair
domain-name hasnainzaidi.com
crypto key generate rsa modulus 1024
Setting a Local Authentication Database for individual Users
- Create the Local Authentication Database
username Hasnain password cisco123
username Zaidi password cisco123
- Point ssh to authenticate based on the Local Database
aaa authentication ssh console LOCAL
================================================
Controlling ICMP to the ASA
================================================
- By default, ICMP traffic to the ASA is allowed. This is the only TO traffic that is allowed by default.
- If you want to control ICMP to the firewall, it can be done by using the ICMP Command.
- This command is implemented on a Per-interface basis.
- As soon as one ICMP command exists for an interface, all other ICMP traffic to that interface is implicitly denied. The entries are checked in order and the first match wins, so a blanket deny like the one below must come after any permits for the same interface.
Example: block all ICMP to the outside interface
icmp deny any outside
Requirement:
- Block anyone from the Outside pinging the outside interface.
- Allow the ASA to ping outside and get a response.
- Allow R2 to ping the ASA Outside
icmp permit any echo-reply outside
icmp permit host 192.1.20.2 echo outside
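The to-the-box ICMP rules above, as an added Python evaluator (example code, not from these notes and not ASA code). It applies the semantics the notes describe: rules are per interface, the first match wins, an interface with any rule gets an implicit deny for the rest, and an interface with no rules allows all ICMP. The rule lines are the two from the requirement; the sources in demo() are constructed, and the last case shows what happens when "icmp deny any outside" is placed ahead of the permits.

```python
# Added example (not from the notes): evaluate "icmp permit|deny ... <interface>" rules.
import ipaddress
from typing import List, Optional, Tuple

# One parsed rule: (action, source network, icmp type or None for any type, interface)
Rule = Tuple[str, ipaddress.IPv4Network, Optional[str], str]


def parse_icmp_rules(lines: List[str]) -> List[Rule]:
    """Parse lines of the form: icmp {permit|deny} {any|host A|net mask} [type] <interface>."""
    rules: List[Rule] = []
    for line in lines:
        t = line.split()
        if not t or t[0] != "icmp":
            continue
        action = t[1].lower()
        if t[2] == "any":
            net, i = ipaddress.ip_network("0.0.0.0/0"), 3
        elif t[2] == "host":
            net, i = ipaddress.ip_network(t[3] + "/32"), 4
        else:
            net, i = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), 4
        # the interface name is always last; an ICMP type may sit between it and the address
        icmp_type = t[i] if len(t) - i == 2 else None
        rules.append((action, net, icmp_type, t[-1]))
    return rules


def to_the_box_icmp_allowed(rules: List[Rule], iface: str, src: str, icmp_type: str) -> bool:
    """First match wins; once an interface has any rule, the rest is implicitly denied."""
    iface_rules = [r for r in rules if r[3] == iface]
    if not iface_rules:
        return True   # no icmp command on this interface: ICMP to the ASA is allowed
    s = ipaddress.ip_address(src)
    for action, net, rtype, _ in iface_rules:
        if s in net and (rtype is None or rtype == icmp_type):
            return action == "permit"
    return False


# The two rules from the requirement above
RULES = """\
icmp permit any echo-reply outside
icmp permit host 192.1.20.2 echo outside
""".splitlines()


def demo() -> dict:
    """Constructed sources checked against the requirement's rules."""
    rules = parse_icmp_rules(RULES)
    r = {}
    r["stranger_pings_outside"] = to_the_box_icmp_allowed(rules, "outside", "200.1.1.1", "echo")        # False
    r["reply_to_asa_ping"] = to_the_box_icmp_allowed(rules, "outside", "200.1.1.1", "echo-reply")       # True
    r["r2_pings_outside"] = to_the_box_icmp_allowed(rules, "outside", "192.1.20.2", "echo")             # True
    r["inside_host_pings_inside"] = to_the_box_icmp_allowed(rules, "inside", "10.11.11.1", "echo")      # True
    # Ordering pitfall: a blanket deny placed before the permits shadows them
    shadowed = parse_icmp_rules(["icmp deny any outside"] + RULES)
    r["r2_pings_outside_shadowed"] = to_the_box_icmp_allowed(shadowed, "outside", "192.1.20.2", "echo")  # False
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {'allowed' if ok else 'denied'}")
```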
==========================
Basic Configuration
==========================
----
R1
----
no ip domain-loo
line con 0
logg sync
no exec-timeout
!
host R1
!
int e0/0
ip add 10.11.11.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 11 md5 Cisco123
!
no shut
!
Interface Loo0
ip address 10.1.1.1 255.255.255.0
interface loo1
ip address 10.10.10.1 255.255.255.0
Interface Loo2
ip address 10.111.111.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.11.11.10
!
router ospf 1
router-id 0.0.0.1
network 10.0.0.0 0.255.255.255 area 0
!
line vty 0 4
password cisco
login
transport input all
!
ena secret cisco
do wr
----
R2
----
no ip domain-loo
line con 0
logg sync
no exec-timeout
!
host R2
!
int e0/0
ip add 192.1.20.2 255.255.255.0
no shut
!
Interface Loo0
ip address 10.2.2.2 255.255.255.0
interface loo199
ip address 199.1.1.1 255.255.255.0
Interface Loo200
ip address 200.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.1.20.10
!
router bgp 200
network 199.1.1.0
network 200.1.1.0
network 10.2.2.0 mask 255.255.255.0
neighbor 192.1.20.10 remote-as 1000
neighbor 192.1.20.10 password Cisco123
!
line vty 0 4
password cisco
login
transport input all
!
ena secret cisco
do wr
----
R3
----
no ip domain-loo
line con 0
logg sync
no exec-timeout
!
host R3
!
int e0/0
ip add 192.168.3.3 255.255.255.0
ip authentication mode eigrp 111 md5
ip authentication key-chain eigrp 111 ABC
no shut
!
Interface Loo0
ip address 10.3.3.3 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.3.10
!
line vty 0 4
password cisco
login
transport input all
!
key chain ABC
key 11
key-string Cisco123
!
router eigrp 111
network 192.168.3.0
network 10.0.0.0
!
ena secret cisco
do wr
----
R4
----
no ip domain-loo
line con 0
logg sync
no exec-timeout
!
host R4
!
int e0/0
ip add 192.168.4.4 255.255.255.0
ip rip authentication mode md5
ip rip authentication key-chain ABC
no shut
!
Interface Loo0
ip address 10.4.4.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.4.10
!
line vty 0 4
password cisco
login
transport input all
!
router rip
version 2
no auto-summary
network 10.0.0.0
network 192.168.4.0
!
key chain ABC
key 11
key-string Cisco123
!
ena secret cisco
do wr
----
ASA
----
hostname FW-1
!
int Gig 0/0
nameif Outside
security-level 0
ip address 192.1.20.10 255.255.255.0
no shut
!
int Gig 0/1
nameif Inside
security-level 100
ip address 10.11.11.10 255.255.255.0
ospf authentication message-digest
ospf message-digest-key 11 md5 Cisco123
no shut
!
int Gig 0/2
nameif DMZ-3
security-level 50
ip address 192.168.3.10 255.255.255.0
authentication mode eigrp 111 md5
authentication key eigrp 111 Cisco123 key-id 11
no shut
!
int Gig 0/3
nameif DMZ-4
security-level 50
ip address 192.168.4.10 255.255.255.0
rip authentication mode md5
rip authentication key Cisco123 key_id 11
no shut
!
route outside 0 0 192.1.20.2
!
router ospf 1
router-id 0.0.0.10
network 10.11.11.0 255.255.255.0 area 0
redistribute eigrp 111 subnets
redistribute rip subnets
redistribute bgp 1000 subnets
!
router eigrp 111
network 192.168.3.0
redistribute ospf 1
redistribute rip
redistribute bgp 1000
default-metric 10 10 10 10 10
!
router rip
ver 2
no auto-summary
network 192.168.4.0
network 10.0.0.0
redistribute ospf 1 metric 1
redistribute eigrp 111 metric 1
redistribute bgp 1000 metric 1
!
router bgp 1000
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 192.1.20.2 remote-as 200
neighbor 192.1.20.2 password Cisco123
neighbor 192.1.20.2 activate
redistribute ospf 1
redistribute eigrp 111
redistribute rip
redistribute connected
------------------------------------------------------------------
Allowing ICMP to Come back in
------------------------------------------------------------------
access-list OUTSIDE permit icmp any any echo-reply
!
access-group OUTSIDE in interface outside
------------------------------------------------------------------
Allowing Ping & Telnet from a specific network to come in
------------------------------------------------------------------
Requirement: Allow the network 199.1.1.0/24 to ping the 10.11.11.1 Host (R1). Also, allow R2 to Telnet to R1 using the same flow.
access-list OUTSIDE permit icmp 199.1.1.0 255.255.255.0 host 10.11.11.1
access-list OUTSIDE permit tcp 199.1.1.0 255.255.255.0 host 10.11.11.1 eq 23