In a site-to-site VPN the crypto access-list is always written inside-to-inside (local private network to remote private network), while the tunnel-group is defined outside-to-outside (local public peer to remote public peer)
How to generate an RSA key pair
crypto key generate rsa label dogcart.key modulus 2048
show crypto key mypubkey rsa
Difference between RADIUS and TACACS+
Transport protocol:
RADIUS uses UDP ports 1812 (legacy 1645) for authentication and 1813 (legacy 1646) for accounting
TACACS+ uses TCP port 49
Encryption:
RADIUS encrypts only the password
TACACS+ encrypts the full payload of each packet
Observations:
RADIUS is an open standard with robust accounting features but less granular authorisation control.
TACACS+ is proprietary to Cisco, separates the AAA functions, and gives very granular control over authorisation.
What is a certificate?
An electronic document that contains information about:
-who issued the certificate
-who the certificate is issued to
-validity dates (valid to)
-the public key
-a digital signature, proving the certificate comes from a valid source; also used to check whether the certificate has been altered
What is a Digital Signature?
- A hash is a fixed-length mathematical value computed over the certificate's contents.
The hash value is then put through the signing function using the issuer's private key to generate the digital signature, which is added to the certificate. It can later be used to check that the certificate has not been altered or damaged.
To verify this:
The digital signature is put through the verification function using the issuer's public key, which should produce the same hash as the one computed over the certificate.
A hash function is a one-way process: you cannot recover the original certificate from the hash.
Digital signature
-checks identity
What is a Certificate Hierarchy?
If a computer has the root CA certificate installed, it will trust any certificate issued by any level of certificate authority below that root.
If the root CA is trusted by the client, then any child CA is trusted automatically.
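The sign-then-verify flow and the root-trust rule above, carried through as an added example that is not part of these notes: it uses textbook RSA with small constructed primes and reduces the SHA-256 digest modulo n, so the arithmetic is only illustrative (real PKI uses 2048-bit keys and a padding scheme). The Cert class, the sign/verify/verify_chain names and the "vpn.example.net" subject are assumptions for the illustration.

```python
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cert:
    """Minimal certificate: subject, issuer, the subject's public key, and the issuer's signature."""
    subject: str
    issuer: str
    n: int              # subject's RSA modulus
    e: int              # subject's RSA public exponent
    signature: int = 0  # issuer's signature over tbs()

    def tbs(self) -> bytes:
        # "To be signed" bytes: every field except the signature itself
        return f"{self.subject}|{self.issuer}|{self.n}|{self.e}".encode()


def make_keypair(p: int, q: int, e: int):
    """Textbook RSA from two constructed primes: returns (public, private) as (n, e), (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_mod_n(data: bytes, n: int) -> int:
    """Signing step 1: hash the contents. Reduced mod n only so the toy modulus can hold it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(cert: Cert, issuer_priv) -> Cert:
    """Signing step 2: run the hash through the private-key operation and attach the result."""
    n, d = issuer_priv
    return replace(cert, signature=pow(digest_mod_n(cert.tbs(), n), d, n))


def verify(cert: Cert, issuer_pub) -> bool:
    """Verification: the public-key operation on the signature must reproduce the hash of the contents."""
    n, e = issuer_pub
    return pow(cert.signature, e, n) == digest_mod_n(cert.tbs(), n)


def verify_chain(chain, trusted_roots) -> bool:
    """chain is ordered [end-entity, ..., root]; every link must verify and the root must be installed."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or not verify(cert, (issuer.n, issuer.e)):
            return False
    root = chain[-1]
    return root.issuer == root.subject and verify(root, (root.n, root.e)) and root in trusted_roots


# Constructed keys from well-known small primes (nowhere near real key sizes)
ROOT_PUB, ROOT_PRIV = make_keypair(65537, 65521, 11)
SUB_PUB, SUB_PRIV = make_keypair(104729, 104723, 17)
LEAF_PUB, _ = make_keypair(1000003, 999983, 5)

ROOT = sign(Cert("Root CA", "Root CA", *ROOT_PUB), ROOT_PRIV)            # self-signed root
SUB = sign(Cert("Issuing CA", "Root CA", *SUB_PUB), ROOT_PRIV)           # child CA signed by the root
LEAF = sign(Cert("vpn.example.net", "Issuing CA", *LEAF_PUB), SUB_PRIV)  # end entity signed by the child
TRUST_STORE = {ROOT}  # the "root CA installed on the computer"


def demo():
    """Returns (valid chain, altered certificate, root not installed)."""
    valid = verify_chain([LEAF, SUB, ROOT], TRUST_STORE)
    altered = replace(LEAF, subject="other.example.net")   # contents changed, signature now stale
    tampered = verify_chain([altered, SUB, ROOT], TRUST_STORE)
    untrusted = verify_chain([LEAF, SUB, ROOT], set())      # same chain, but the root is not trusted
    return valid, tampered, untrusted


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```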
How to check whether content scanning and threat detection are enabled
show run url-server
show run filter
show run threat-detection
Are the interfaces running clean?
show interface | include error
How to identify what is causing high CPU?
show local-host | include host|count/limit
Basic eight commands for an ASA config:
-interface
-nameif
-security-level
-ip address
-switchport access
-object network
-nat
-route
To check VLANs on the ASA
show switch vlan
Symmetric Key
-the same key is used to encrypt and decrypt
-faster than public key encryption
-the key needs to be stored securely
-a secure channel is required to transfer the key
Public Key Encryption
-uses a public key and a private key
-the private key never needs to be transferred, since encryption is done with the public key and only the private key can decrypt
-slower than symmetric key encryption
Combining the two (a good trade-off)
Public key encryption
-used to exchange keys
-can be used to encrypt communication
-protects symmetric keys (e.g. EFS)
Symmetric key encryption
-used when performance is required
Certificate Authority (CA)
-responsible for issuing, revoking, and distributing certificates
-often a trusted third-party organisation, e.g. DigiCert and VeriSign
-companies or organisations can have an in-house CA
-stores the public key in a directory that is available to anyone that wants to verify your certificate
Note: the key pair can be created locally or the CA can create it for you; both ways it is the same
Registration Authorities (RA)
-The front end entity that you actually interact with
-You provide the RA with your information (and payment)
-Verifies identity documentation before confirming that the CA can issue the certificate
-Does not sign the certificate.
Certificate Revocation Lists (CRL)
-The CA publishes a list of certificates that can no longer be used
-Reasons a cert might be on the CRL:
-certificate expiration
-certificate revocation (permanent)
=compromised private key
=human resources reasons
=company changes name, physical address, DNS
=any reason prior to expiration
-certificate suspended
=will say "certificate hold" as the reason for revocation
-The certificate owner/admin can request that the cert be revoked.
Key Terms:
PKI : is a framework for encryption that associates a public key with a verified person/system
Public Key : part of the key pair that is available and distributed to the public
Private Key : The part of the key pair that is secret and used only by the owner
Certificate Authority: CAs are responsible for issuing, revoking, and distributing digital certificates
Digital Certificates: A certificate that verifies whom the public key belongs to.
Registration Authority: The RA verifies the prospective key owner's identity and sends the request to the CA to issue a certificate.
Certificate Revocation Lists: A list of certificates that are no longer usable. The list is published frequently.
Recovery Agent: A person who is authorised to recover lost private keys
Key Escrow: Keeping secured copies of private keys for law enforcement purposes.
PKI Hierarchy
Single-Tier Hierarchy
-a network that has one certificate authority
-suited for small organisations
-since it is the only CA on the network, it needs to be always online
-this can cause an issue, as the private keys used to generate certificates are on the server; if the server is compromised, an attacker may gain access to the keys
-less administration
-no redundancy
Two-tier hierarchy
-once the 2nd-level CAs have their certificates, the root CA is usually taken offline until it is needed again
-redundancy / more functionality
-you can use as many CAs as you want at the 2nd level
Three-tier hierarchy
-more secure and flexible
-generally the first two levels of CAs are taken offline when not required; once they have issued certificates to their subordinates they do not need to be online, only when a new CA needs to be added or a certificate needs to be issued to a subordinate
Validity Period:
The parent's validity period should be twice that of the subordinate
-otherwise the CA expires first
For example:
Root CA 20 yrs, 2nd level 10 yrs, client certificate 5 yrs
Lightweight Directory Access Protocol (LDAP)
-Protocol for reading and writing directories over an IP network
A directory is an organised set of records, like a phone directory
-The X.500 specification was written by the International Telecommunication Union (ITU)
They know directories
-DAP ran on the OSI protocol stack
LDAP is lightweight and uses TCP/IP (tcp/389 and udp/389)
-LDAP is the protocol used to query and update an X.500 directory
Used in Windows Active Directory, Apple OpenDirectory, Novell eDirectory, etc.
LDAP user access and security
-Simple Authentication and Security Layer (SASL) in LDAP v3
Usually two levels of access:
-read-only (query) and read-write (update)
3DES
Triple Data Encryption Standard
Block size: 64 bits; key length: 168 bits
Used for
-data confidentiality
How it works
-uses three rounds of DES, with either three different keys or two alternating keys
-3 times slower than DES
-still in use, but less secure than AES
RC4: Rivest Cipher 4
Key length: 40 to 2048 bits
Used for
-data confidentiality
-SSL and WEP
How it works
-stream cipher
Developed by Ron Rivest in 1987
RC4 has been the most widely used stream cipher.
AES: Advanced Encryption Standard
Block size: 128 bits; key length: 128, 192 or 256 bits
Used for:
-data confidentiality
-WPA2
-can be used in low-processing-power implementations
How it works
- The 128-bit block is broken into 4 parts
- Uses iterative (substitution-permutation) rounds instead of Feistel rounds
- The number of rounds depends on the key size
Diffie-Hellman
Key length: variable
Named for Whitfield Diffie and Martin Hellman
Used for
-key exchange
Lets two or more parties that don't know each other establish a jointly shared secret key
How it works
Based on a function that is easy to compute but hard to reverse
History
The original public/private key concept
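The key agreement above, carried through in code as an added example (not from these notes), together with the "combine the two" pattern from the symmetric/public-key section: DH agrees a secret over public values only, a hash derives the symmetric key, and a constructed SHA-256 counter-mode keystream stands in for AES with an HMAC tag for integrity. The toy group P = 2^61 - 1, G = 2 and the function names are assumptions for illustration; a real IKE exchange uses a standardized group of 2048 bits or more.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: a Mersenne prime modulus and generator 2. Far too small for real use;
# IKE on an ASA would use a standardized DH group (2048-bit or larger).
P = 2**61 - 1
G = 2


def dh_private(p: int = P) -> int:
    """Random private exponent in [2, p-2]."""
    return secrets.randbelow(p - 3) + 2


def dh_public(priv: int, p: int = P, g: int = G) -> int:
    """Easy direction: g^priv mod p. Recovering priv from this value is the hard (discrete-log) direction."""
    return pow(g, priv, p)


def dh_shared(peer_pub: int, priv: int, p: int = P) -> int:
    """Both sides compute the same value: (g^b)^a = (g^a)^b mod p."""
    return pow(peer_pub, priv, p)


def derive_key(shared: int, label: bytes = b"toy-session") -> bytes:
    """Hash the shared value into a fixed-size symmetric key (stand-in for IKE's PRF/KDF)."""
    length = (shared.bit_length() + 7) // 8 or 1
    return hashlib.sha256(label + shared.to_bytes(length, "big")).digest()


def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed keystream cipher (counter mode over SHA-256); XOR makes encrypt and decrypt the same call.
    It only illustrates 'fast symmetric bulk encryption' and is not a substitute for AES."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append an HMAC tag so any alteration is detected before decryption."""
    ct = stream_crypt(key, nonce, plaintext)
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, nonce: bytes, sealed: bytes):
    """Returns the plaintext, or None if the tag does not match (altered data or wrong key)."""
    ct, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return stream_crypt(key, nonce, ct)


def session_demo(message: bytes = b"split-tunnel config for 10.0.0.0/24"):
    """Full exchange: two parties agree a key from public values, then use it for bulk data."""
    a_priv, b_priv = dh_private(), dh_private()
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)   # only these two values travel in the clear
    key_a = derive_key(dh_shared(b_pub, a_priv))
    key_b = derive_key(dh_shared(a_pub, b_priv))
    nonce = secrets.token_bytes(12)
    sealed = seal(key_a, nonce, message)
    tampered = open_(key_b, nonce, sealed[:-1] + bytes([sealed[-1] ^ 1]))  # flip one tag bit
    return key_a == key_b, open_(key_b, nonce, sealed), tampered


if __name__ == "__main__":
    print(session_demo())  # (True, b'split-tunnel config for 10.0.0.0/24', None)
```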
SHA: Secure Hash Algorithm
SHA-256: block size 512 bits, hash length 256 bits
SHA-512: block size 1024 bits, hash length 512 bits
Used for: digital signatures
How it works
-breaks the message into words and groups the words into blocks before processing for 64 or 80 rounds
-SHA-2 is the current version and is a family of four functions:
SHA-256 and SHA-512
SHA-224 and SHA-384 are truncated versions
-The longer hash-length versions (SHA-512) accept larger inputs and process larger block sizes.
Transparent mode config:
Topology: inside -- firewall -- outside
The firewall's inside and outside sides share the same address: 192.168.0.2/24
firewall transparent
show firewall
Config:
ip address 192.168.1.6
interface e0/0
switchport access vlan 2
no shut
interface e0/1
switchport access vlan 1
no shut
interface vlan 2
nameif outside
interface vlan 1
nameif inside
http server enable
http 192.168.1.0 255.255.255.0 inside
How to do password recovery on an ASA?
- Power cycle the device
- Press BREAK or ESC during boot to interrupt it; this drops you into ROMMON mode
- Type confreg to display the current configuration register
- Type confreg 0x41, which tells the device to ignore the saved configuration on boot
- Verify by typing confreg again; answer n when asked whether to change the configuration
- Type boot
- copy start run
- conf t -> enable password pa@123
- username don password p@123
- wr mem
- config-register 0x1
- reload noconfirm
Login afterwards:
Username: don
Password: p@123
asa01> en
Password: pa@123
How to stop a SYN flood attack
Create an ACL to identify TCP traffic to the server:
access-list to-server permit tcp any host 172.16.0.5
Create a class-map that references the ACL:
class-map Traffic-to-dmz-server
match access-list to-server
Create a policy map that says: if traffic matches the class-map, set the half-formed (embryonic) TCP session limit to 5:
policy-map global_policy
class Traffic-to-dmz-server
set connection embryonic-conn-max 5
Now half-formed sessions are limited to 5, and the ASA will intercept and verify any half-formed sessions above the threshold.
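A small model of what the policy above asks the ASA to do, as an added example that is not from these notes: it tracks half-open (embryonic) TCP sessions per protected server and reports which new SYNs would be intercepted once the limit of 5 is reached. The packet tuples and the embryonic_limit name are constructed for the illustration; the ASA's real implementation proxies the handshake itself and is not reproduced here.

```python
from collections import defaultdict

# Constructed packet events: (src_ip, src_port, dst_ip, flags). Only SYN, SYN-ACK and ACK matter here.
SAMPLE_TRAFFIC = [
    ("10.9.9.1", 40001, "172.16.0.5", "SYN"),
    ("172.16.0.5", 80, "10.9.9.1", "SYN-ACK"),
    ("10.9.9.1", 40001, "172.16.0.5", "ACK"),   # handshake completes -> no longer embryonic
] + [
    ("10.9.9.%d" % i, 50000 + i, "172.16.0.5", "SYN") for i in range(2, 9)  # 7 handshakes never completed
] + [
    ("10.9.9.1", 40002, "172.16.0.5", "SYN"),   # legitimate client arriving after the limit is reached
    ("10.9.9.1", 40002, "172.16.0.5", "ACK"),
]


def embryonic_limit(packets, protected_host: str, limit: int):
    """Returns (per-packet decision list, final half-open count for the protected host).

    Decisions: "pass" (not a SYN/ACK to the protected host), "new" (embryonic slot taken),
    "complete" (handshake finished, slot released), "intercept" (limit reached: the ASA would
    answer the SYN itself and only forward the session once the client completes the handshake).
    """
    half_open = defaultdict(set)   # protected host -> set of (src_ip, src_port) still embryonic
    decisions = []
    for src, sport, dst, flags in packets:
        if dst != protected_host:
            decisions.append("pass")
            continue
        key = (src, sport)
        if flags == "SYN":
            if len(half_open[dst]) >= limit:
                decisions.append("intercept")
            else:
                half_open[dst].add(key)
                decisions.append("new")
        elif flags == "ACK" and key in half_open[dst]:
            half_open[dst].discard(key)
            decisions.append("complete")
        else:
            decisions.append("pass")
    return decisions, len(half_open[protected_host])


def demo():
    """Apply the limit of 5 from the policy-map above to the constructed traffic."""
    return embryonic_limit(SAMPLE_TRAFFIC, "172.16.0.5", 5)


if __name__ == "__main__":
    decisions, still_half_open = demo()
    print(decisions.count("intercept"), still_half_open)  # 3 5
```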
Negotiating IPsec IKEv1 Phase 1:
HAGLE to remember
Hashing: MD5, SHA
Authentication: pre-shared keys, digital certificates
Group: DH group used to generate the secret keys for encryption and decryption
Lifetime: how long the keys will be valid; default is 24 hrs
Encryption: AES, 3DES
VPN Split-tunneling :
Send traffic destined to the particular destination say 10.0.0.0/24 on inside network through the tunnel. All other traffic forward normally, outside of the tunnel.
This will reduce the overhead and bandwidth utilisation.
SSL session keys
client -> server: SYN
server -> client: SYN,ACK
client -> server: ACK
client -> server: SSL Hello, list of ciphers
server -> client: SSL Hello, Certificate, Done
client -> server: Key Exchange, Change Cipher Spec (begin to encrypt)
server -> client: Change Cipher Spec (begin to encrypt)
-> encrypted SSL session
Types of VPN
Remote Access VPN (RA)
-SSL without client software (clientless SSL VPN)
-SSL full tunnel with the AnyConnect client software
-IPsec RA full tunnel with the VPN Client or AnyConnect
Site to Site VPNs
IPsec site to site VPN Peer to Peer Gateways.
Can I use the management0/0 interface on the ASA in order to pass traffic like any other interface?
A. Yes.
What does Security Context in Security Appliance mean?
A. You can partition a single hardware PIX into multiple virtual devices, known as Security Contexts. Each context becomes an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode and include routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.
How does an ASA learn about the MAC address of the host?
A. An ASA issues an ARP request for a host in a directly connected subnet even if that host has just sent a SYN packet to the ASA, which carries the host's MAC address in the Layer 2 header. The firewall does not learn the MAC address of the host from the SYN packet and has to issue an ARP request for it. If the host does not reply to the ARP request, the ASA drops the packet.
Can I configure NAT/PAT between same security interfaces of the Cisco ASA?
A. Yes. This is possible from Cisco ASA software release 8.3.
Does ASA support ISP load balancing?
A. No. Load balancing must be handled by a router that passes traffic to the security appliance.
Does PIX/ASA support EtherChannel/PortChannel interfaces?
A. Yes, support for EtherChannel is introduced in ASA software version 8.4. You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
Can Anyconnect and Cisco VPN Client work together on ASA?
A. Yes, because they are not interrelated. Anyconnect works on SSL and Cisco VPN Client works on IPSEC.
Does ASA support SNMPv3?
A. Yes. Cisco ASA Software Release 8.2 supports Simple Network Management Protocol (SNMP) version 3, the newest version of SNMP, and adds authentication and privacy options in order to secure protocol operations.
Which IPsec transforms (ESP, AH) are supported on the ASA/PIX versions 7.0 and later?
A. Only IPsec Encapsulating Security Payload (ESP) encryption and authentication is supported. Authentication Header (AH) transforms are not supported on the ASA/PIX versions 7.0 and later.
Does ASA allow Broadcast traffic to pass through its interface?
A. No.
Does the ASA support the NetFlow configuration?
A. Yes, this feature is supported in Cisco ASA version 8.1.x and later.
What is the maximum number of ACLs that can be configured on the ASA?
A. There is no defined limit for the number of ACLs that can be configured on the ASA. It depends on the memory present in the ASA.
Does Cisco ASA support multicast traffic to be sent on an IPsec VPN tunnel?
A. No. It is not possible because this is not supported by Cisco ASA. As a workaround, you can have the multicast traffic encapsulated using GRE before that gets encrypted. Initially, the multicast packet has to be encapsulated using GRE on a Cisco router, then this GRE packet will be forwarded further to the Cisco ASA for IPSec encryption.
Cisco ASA is running in Active/Active mode. I want to configure the Cisco ASA as a VPN gateway. Is this possible?
A. This is not possible because multiple contexts and VPN cannot run simultaneously. Cisco ASA can be configured for VPN when only in Active/Standby mode.
Is it possible to configure ASA to act as Certification Authority (CA) and issue a certificate to VPN clients?
A. Yes, with ASA 8.x and later you can configure the ASA to act as a local CA. Currently, ASA only allows authentication for the SSL VPN clients with the certificates issued by this CA. IPsec clients are not supported yet. Refer to The Local CA for more information.
Note: The Local CA feature is not supported if you use active/active failover or VPN load balancing. The Local CA cannot be subordinate to another CA; it can act only as the Root CA.
ASA Notes:
You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Multiple context mode supports static routing only.
The copy running-config startup-config command is equivalent to the write memory command.
In multiple context mode, if you enter clear configure all from the system configuration, you also remove all contexts and stop them from running.
If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context.
For management traffic destined for an interface, the interface IP address is used for classification
Subinterfaces are not available for the ASA 5505 adaptive security appliance.
The ASA 5505 adaptive security appliance supports Active/Standby failover, but not Stateful failover.
If you enable NAT control, you do not need to configure NAT between same security level interfaces.
If you do not have an admin context (for example, if you clear the configuration), you must first specify the admin context name by entering the following command:
hostname(config)# admin-context name
Although this context name does not exist yet in your configuration, you can subsequently enter the context name command to match the specified name and continue the admin context configuration.
The management interface for transparent mode does not flood a packet out the interface when that packet is not in the MAC address table.
Enter the allocate-interface command(s) before you enter the config-url command. The security appliance must assign interfaces to the context before it loads the context configuration; the context configuration might include commands that refer to interfaces (interface, nat, global...). If you enter the config-url command first, the security appliance loads the context configuration immediately. If the context contains any commands that refer to interfaces, those commands fail.
The admin context file must be stored on the internal Flash memory.
If you use failover, there is a delay between when you remove the context on the active unit and when the context is removed on the standby unit. You might see an error message indicating that the number of interfaces on the active and standby units are not consistent; this error is temporary and can be ignored. Use the following commands for removing contexts:
- To remove a single context, enter the following command in the system execution space:
hostname(config)# no context name
All context commands are also removed.
- To remove all contexts (including the admin context), enter the following command in the system execution space:
hostname(config)# clear context
A few system commands, including ntp server, identify an interface name that belongs to the admin context. If you change the admin context, and that interface name does not exist in the new admin context, be sure to update any system commands that refer to the interface.
If you create a static route with an administrative distance greater than the administrative distance of the routing protocol running on the security appliance, then a route to the specified destination discovered by the routing protocol takes precedence over the static route. The static route is used only if the dynamically discovered route is removed from the routing table.
You must use the setroute argument with the ip address dhcp command to obtain the default route using DHCP.
Logging must be enabled for the neighbor up/down messages to be sent.
Failover does not support IPv6. The ipv6 address command does not support setting standby addresses for failover configurations. The failover interface ip command does not support using IPv6 addresses on the failover and Stateful Failover interfaces.
The security appliance does not support IPv6 anycast addresses.
The ipv6 route command works like the route command used to define IPv4 static routes.
The clear ipv6 neighbors command does not remove static entries from the IPv6 neighbor discovery cache; it only clears the dynamic entries.
The show interface command only displays the IPv4 settings for an interface. To see the IPv6 configuration on an interface, you need to use the show ipv6 interface command. The show ipv6 interface command does not display any IPv4 settings for the interface (if both types of addresses are configured on the interface).
To use the attribute mapping features correctly, you need to understand the Cisco LDAP attribute names and values as well as the user-defined attribute names and values.
The command to create an attribute map (ldap attribute-map) and the command to bind it to an LDAP server (ldap-attribute-map) differ only by a hyphen and the mode.
VPN failover is not supported on units running in multiple context mode. VPN failover available for Active/Standby failover configurations only.
The two units do not have to have the same size Flash memory. If using units with different Flash memory sizes in your failover configuration, make sure the unit with the smaller Flash memory has enough space to accommodate the software image files and the configuration files. If it does not, configuration synchronization from the unit with the larger Flash memory to the unit with the smaller Flash memory will fail.
The FO license does not support Active/Active failover.
Using a data interface as the Stateful Failover interface is only supported in single context, routed mode.
The IP address and MAC address for the Stateful Failover link does not change at failover unless the Stateful Failover link is configured on a regular data interface.
For multiple context mode, the security appliance can fail over the entire unit (including all contexts) but cannot fail over individual contexts separately.
Changes made on the standby unit are not replicated to the active unit. If you enter a command on the standby unit, the security appliance displays the message:
**** WARNING **** Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized.
This message displays even when you enter many commands that do not affect the configuration. If you enter the write standby command on the active unit, the standby unit clears its running configuration (except for the failover commands used to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
Active/Active failover generates virtual MAC addresses for the interfaces in each failover group. If you have more than one Active/Active failover pair on the same network, it is possible to have the same default virtual MAC addresses assigned to the interfaces on one pair as are assigned to the interfaces of the other pairs because of the way the default virtual MAC addresses are determined. To avoid having duplicate MAC addresses on your network, make sure you assign each physical interface a virtual active and standby MAC address.
If there are security contexts in the active state on the peer unit, the write standby command causes active connections through those contexts to be terminated. Use the failover active command on the unit providing the configuration to make sure all contexts are active on that unit before entering the write standby command.
When configuring Active/Active failover, make sure that the combined traffic for both units is within the capacity of each unit.
If a failed unit does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the unit will fail again.
A network object group supports IPv4 and IPv6 addresses, depending on the type of access list
You cannot remove an object group or make an object group empty if it is used in an access list.
In transparent firewall mode, the security appliance does not support NAT.
All types of NAT support policy NAT except for NAT exemption. NAT exemption uses an access list to identify the real addresses, but differs from policy NAT in that the ports are not considered.
You use ACLs to control network access in both routed and transparent firewall modes. In transparent mode, you can use both extended ACLs (for Layer 3 traffic) and EtherType ACLs (for Layer 2 traffic).
You can specify multiple class or match commands in the policy map.
QoS is only available in single context mode.
You cannot configure traffic shaping in the global policy.
The AnyConnect VPN client and the SSL VPN Client do not support split DNS.
Two colons (::) can be used only once in an IPv6 address to represent successive fields of zeros.
There are no broadcast addresses in IPv6. Multicast addresses provide the broadcast functionality
Flash file system CLI
CD - Changes the current working directory to the one specified.
DELETE - Deletes a file. If a path is not specified, the file is deleted from the current working directory. When deleting files the user is prompted with the filename and asked to confirm the delete. The /recursive option deletes files recursively.
DIR - Displays the content of the current directory.
FORMAT - Formats the disk using FAT.
MKDIR - Creates a new directory.
MORE - Displays the contents of a specified file: more [/ascii] [/binary] [disk:][]
RENAME - Renames a specified file.
RMDIR - Removes a specified directory. The user will be prompted.
PWD - Displays the current directory.
COPY - Copies a file from flash:, ftp, http, https, running-config and startup-config.
Transparent Firewall New CLI
[no] firewall transparent - change mode
show firewall - show the current mode
[no] mac-address-table static - add (no: remove) a particular static entry
clear mac-address-table - remove all dynamic entries
clear mac-address-table - remove all dynamic entries for a particular interface
show mac-address-table - display the entire bridge table, including static as well as dynamic entries
show mac-address-table - display the static and dynamic entries for a particular interface
show mac-address-count - display the MAC address count
[no] mac-address-table aging-time - set the aging timeout; the default is 5 minutes, configurable from 5-720 min
[no] mac-learn disable - disable (no: re-enable) Layer 2 learning on that interface
clear mac-learn - set MAC learning to the default (enabled) on all interfaces
show mac-learn - display whether Layer 2 learning is enabled or disabled on all interfaces
[no] arp-inspection enable - enable (no: disable) ARP inspection on that interface
clear arp-inspection - set arp-inspection to the default (disabled) on all interfaces
show arp-inspection - display whether ARP inspection is enabled or disabled on all interfaces
State Table – conn & xlate Tables
conn(ection) table stores the state of every single active flow
Every incoming packet is checked against the table
Biggest memory consumer (maximum count is limited by platform)
xlate table stores active NAT mappings
Independent of the conn table
Maximum size is only limited by available memory
Interfaces & Security Levels
By default, the firewall allows traffic to pass from higher-security interfaces to lower-security interfaces and, for TCP and UDP connections, allows the return traffic back (TCP and UDP are handled statefully).
The same does not apply to ICMP: ICMP return traffic is denied by default, because ICMP is stateless.
Inside to Outside (Outbound) Connections
Inside-to-outside connections are traffic from a higher-security-level interface to a lower-security-level interface. For this to happen there is one condition: a NAT/PAT (translation) statement must exist for this traffic.
Outside to Inside (Inbound) Connections
A static NAT and an access-list are needed to allow connections from a lower-security interface to a higher-security interface.
The static NAT creates a permanent mapping between a local IP address and a global IP address.
The access-list command is an exception in the firewall's inbound security policy for a given host.
DHCP Assigned Address
fw1(config)# interface GigabitEthernet0/0
fw1(config-if)# nameif outside
fw1(config-if)# ip address dhcp
Enables the DHCP client feature on the outside interface
Configuring the DNS Server
Enable the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands.
Specify the DNS server group that the ASA uses for outgoing requests.
Specify one or more DNS servers.
dns domain-lookup interface_name
dns server-group DefaultDNS
name-server ip_address [ip_address2] [...] [ip_address6]
hostname(config)# dns domain-lookup inside
hostname(config)# dns server-group DefaultDNS
hostname(config-dns-server-group)# name-server 10.1.1.5 192.168.1.67 209.165.201.6
Assign Static Routes
The ASA can act as a default gateway for inside hosts/routers.
Only one default route can be configured per interface, and only one default route is active at a time.
route outside 0.0.0.0 0.0.0.0 171.11.23.1 1
route inside 10.0.2.0 255.255.255.0 10.0.1.100 1
Management Interfaces
Management interfaces do not forward traffic by default.
Use "no management-only" to use one as a data interface.
The exception is the ASA 5512-X to 5555-X: there the management interface cannot be used as a data interface at all (no through-traffic support).
interface Management0/0
nameif management
security-level 0
ip address 10.48.67.231 255.255.254.0
management-only
ASA# show int m0/0
…
Management-only interface. Blocked 0 through-the-device packets
Sub-Interfaces
ASA supports 802.1q trunking
No Dynamic Trunking Protocol (DTP) support
The physical interface is in the Native (Un-Tagged) VLAN
While not required, it is a best practice that the sub-interface number matches the VLAN ID.
interface GigabitEthernet0/0
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/0.10
vlan 10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/0.15
vlan 15
nameif inside
security-level 100
ip address 10.15.15.2 255.255.255.0
EtherChannel – ASA 8.4(1)
LACP or ON, PAgP not supported
Port-channel inherits MAC from 1st member interface
Use “show port-channel …” to verify
interface GigabitEthernet0/0
channel-group mode {active | passive | on}
lacp port-priority
!
interface port-channel
lacp max-bundle
port-channel min-bundle
port-channel load-balance …
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
ASA Routing
Configuration is similar to IOS
Metric and Admin Distance are supported
PBR is not implemented until 9.4(1)
null0 and loopback interfaces are not implemented (null0 was introduced in 9.4(1))
ASA# show run route
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
ASA# show route
…
Gateway of last resort is 192.0.2.1 to network 0.0.0.0
C 10.1.1.0 255.255.255.0 is directly connected, inside
C 10.48.66.0 255.255.254.0 is directly connected, management
C 192.168.1.0 255.255.255.0 is directly connected, dmz
C 192.0.2.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, outside
Dynamic Routing
The ASA supports most IGP routing protocols:
OSPF v2 & OSPF v3 (IPv6)
EIGRP
RIP v1/v2
BGPv4 (9.2.1) & BGPv6 (9.3.2)
ASA5555(config)# router ?
configure mode commands/options:
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
Unified Objects
First introduced in 8.3
Useful to refer to IP addresses, subnets, ranges or services by name, which makes management easier
Types of objects:
A Network Object is a named container which holds an IP (host, network, range, or FQDN)
A Service Object is used for TCP, UDP and ICMP services
object network CISCO
fqdn www.cisco.com
object service MSSQL_ADMIN
service tcp destination eq 1434
object service ICMP_ADMIN_PROHIBITED
service icmp unreachable 9
object service RTP_PORTS
service udp source range 16384 32767 destination range 16384 32767
object network Server
host 192.168.1.2
object network LAN
subnet 10.1.0.0 255.255.0.0
object network Pool
range 10.1.1.1 10.1.1.254
Unified Objects (cont.)
object-group network ServerFarm
network-object object WebServer
network-object object ServerNet
Objects can be applied in:
Object-groups
Access-lists
NAT Rules (8.3 & later)
access-list outside permit tcp any object WebServer eq 80
nat (inside,outside) source static WebServer PublicWebServer
Object Groups
object-group network INSIDE_NETWORKS
network-object object ACCOUNTING
network-object 2001:DB8::/64
network-object 192.168.2.0 255.255.255.0
group-object BRANCH_NETWORKS
object-group network BRANCH_NETWORKS
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
Tie multiple similar objects into a single policy entity:
Significantly simplify policy management
Types of object groups:
Network - group of host or subnet IP addresses
Protocol - group of protocols, such as TCP, etc
Service - group of TCP/UDP ports/services
ICMP type - group of ICMP types, such as echo
User - single identity user, local or import user group
Can be used in:
ACLs
NAT (8.3 & later)
Access Control Lists (ACL)
Access-lists are used mainly to permit or block traffic entering an interface.
As in IOS we have standard ACL as well as extended ACL.
The access-group command binds an access-list to an interface either inbound or outbound.
Each interface can have only one access list applied per each direction.
access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port
access-list acl_name [deny | permit] icmp src_addr src_mask dest_addr dest_mask icmp_type [ icmp_code ]
access-group acl_name in/out interface interface-name
Access Control Lists (ACL)
The access-list command is identical to the one in IOS, except subnet masks are used to specify networks/hosts instead of wildcard bits (inverse masks) as is done in IOS.
An important note: there is an implicit deny ip any any at the end of each access-list, as there is in IOS.
Global ACLs
Starting from ASA 8.3, a global ACL can be applied.
Interface independent policy
Global ACL is applied inbound on all interfaces.
Global ACLs apply only to through (transit) traffic, not to traffic destined to the ASA itself.
Best used for new installations, or migration from other vendor products
access-group [global]
Access Control Lists (ACL) Usage
1. Interface ACLs
2. NAT (8.2 & earlier only)
3. VPN
4. Matching traffic for inspection, QoS & connection settings
5. Sending traffic to modules
Permitting Inbound Access
If an access-list is bound to the outside interface, permitting traffic in, then inbound traffic that matches the access-list is allowed from lower to higher security interfaces.
The following allows anyone to access 171.11.23.2 on port 80 (web). *(assuming there is a corresponding static nat)
access-list 100 permit tcp any 171.11.23.2 255.255.255.255 eq 80
access-group 100 in interface outside
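Added example (Python, not from the original notes): a first-match evaluator for ASA extended ACEs that reads real subnet masks rather than IOS wildcard masks and applies the implicit deny ip any any at the end of every list, run against the ACL 100 shown above. The source addresses in the checks are constructed documentation addresses; icmp_type fields are not modelled.

```python
import ipaddress

def _addr(tokens):
    """Consume one ASA address spec: 'any' | 'host A' | 'A MASK'. Returns (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # ASA takes a real subnet mask here, not an IOS wildcard (inverse) mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT' operator. Returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse: access-list NAME {permit|deny} PROTO SRC [eq P] DST [eq P]."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    name, action, proto = t[1], t[2], t[3]
    src, rest = _addr(t[4:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return {"acl": name, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(aces, proto, src, sport, dst, dport):
    """First matching ACE decides; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces, 1):
        if ace["proto"] not in ("ip", proto):         # 'ip' matches every protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], f"line {n}"
    return "deny", "implicit deny ip any any"

# The page's inbound web-server ACL, as data:
PAGE_ACL = [parse_ace("access-list 100 permit tcp any 171.11.23.2 255.255.255.255 eq 80")]
```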
ICMP (to/from the ASA)
By default:
User can only ping the local interface of the firewall (the facing interface)
User cannot ping remote (far) interface of the firewall (by design).
The ASA does not respond to ICMP echo requests directed to a broadcast address.
ICMP Access Rules
To protect the device from attacks, you can use ICMP rules to limit ICMP access to ASA interfaces to particular hosts, networks, or ICMP types.
ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action.
If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the ICMP rule list, changing the default behavior.
You must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.
Configure ICMP Rules
If you do not specify an icmp_type, the rule applies to all types.
To control ping, specify echo-reply (0) (ASA-to-host) or echo (8) (host-to-ASA).
icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name
hostname(config)# icmp deny host 10.1.1.15 inside
hostname(config)# icmp permit any inside
hostname(config)# icmp permit host 10.1.1.15 inside
hostname(config)# icmp deny any echo-reply outside
hostname(config)# icmp permit any packet-too-big outside
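Added example (Python, not Cisco's code): evaluating an interface's ICMP rule list for packets addressed to the ASA itself, showing the default permit when no rules exist and the implicit deny that appears as soon as any rule is configured on that interface. The rules are the ones listed above; the source hosts and the extra dmz interface are constructed.

```python
import ipaddress

# Constructed from the rules shown on the page (interface names are the page's own).
SAMPLE_RULES = [
    "icmp deny host 10.1.1.15 inside",
    "icmp permit any inside",
    "icmp deny any echo-reply outside",
    "icmp permit any packet-too-big outside",
]

def parse_icmp_rule(line):
    """Parse 'icmp {permit|deny} {host A | A MASK | any} [icmp_type] ifname'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "icmp" or parts[1] not in ("permit", "deny"):
        raise ValueError(f"not an icmp rule: {line}")
    action, rest = parts[1], parts[2:]
    if rest[0] == "host":
        net, rest = ipaddress.ip_network(rest[1]), rest[2:]
    elif rest[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
    else:                                   # ASA form: address followed by subnet mask
        net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}"), rest[2:]
    # what remains is [icmp_type] interface_name; a missing type matches all types
    icmp_type = rest[0] if len(rest) == 2 else None
    return {"action": action, "net": net, "type": icmp_type, "iface": rest[-1]}

def build_policy(lines):
    """Group rules per interface, preserving configuration order (first match wins)."""
    policy = {}
    for line in lines:
        rule = parse_icmp_rule(line)
        policy.setdefault(rule["iface"], []).append(rule)
    return policy

def icmp_to_asa_allowed(policy, iface, src, icmp_type):
    """Decide whether an ICMP packet sent to the ASA's own interface is accepted.

    Returns (allowed, reason). Types are compared as written in the rules
    (name or number), so pass the same form the rules use.
    """
    rules = policy.get(iface)
    if not rules:
        return True, "no icmp rules on interface: default permit"
    ip = ipaddress.ip_address(src)
    for idx, rule in enumerate(rules, 1):
        if ip in rule["net"] and rule["type"] in (None, icmp_type):
            return rule["action"] == "permit", f"matched rule {idx}: {rule['action']}"
    # configuring any rule on an interface appends an implicit deny
    return False, "no match: implicit deny at end of icmp rule list"
```

With only the two outside rules above, an echo (ping) to the outside interface is dropped by the implicit deny; appending icmp permit any outside restores the remaining types.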
Connections vs. Translations
Translations - xlate table
IP address to IP address translation
Independent of the conn table
Maximum size is only limited by available memory
Connections - conn table
Mapping of L4 information from internal to external addresses.
Every incoming packet is checked against the table
Building conn: when a SYN packet arrives for TCP, or when the first packet arrives for UDP.
Tearing down conn: receiving the final ACK packet for TCP, or when the timeout expires for the UDP session.
Biggest memory consumer (maximum count is limited by platform)
Control Connections & Translations
•The show xlate command displays the contents of the translation slots
•The clear xlate command clears the contents of the translation slots
clear xlate [global_ip [local_ip]]
show xlate [global_ip [local_ip]]
•The show conn command displays the contents of the connection table
•The clear conn command clears the contents of the connection table
clear conn
IPv4 Addressing Problem
NAT was created to overcome several addressing problems that occurred with the expansion of the Internet:
To mitigate global address depletion
To use RFC 1918 addresses internally
To conserve internal address plan
•NAT also increases security by hiding the internal topology.
NAT Evolution within ASA Software
•Pre 7.0 (PIX Family): nat-control was the only model. You always have to provide an explicit answer regarding NAT (even “no NAT”)
•From 7.0 to 8.2.X: no nat-control is the default operation mode. NAT is optional but can be made mandatory if you configure nat-control explicitly.
•Starting on 8.3: New NAT Model
No concept of nat-control anymore
Brand new syntax
NAT Table divided in 3 Sections
Easier to define Dual NAT rules
When NAT is in place, permissions on ACLs refer to the Real Address (as opposed to previous models which considered the Translated Address)
ASA NAT Types
•ASA mainly has the following NAT types:
1)Dynamic NAT - nat & global commands
2)PAT - nat and global commands
3)Static NAT - static command
4)Static PAT - static command
NAT-Control
•Nat-Control means that all traffic passing through the firewall must be controlled by NAT; in other words, if the traffic does not have a translation it is denied from passing through.
•If nat-control is disabled, traffic is allowed to pass without a translation entry; however, if a translation statement is configured it will still be applied.
•NAT-Control was enabled by default on old PIX versions and disabled by default on versions 7.0 – 8.2 on both PIX and ASA.
•This feature no longer exists starting with ASA 8.3.
•We will assume that nat-control is enabled for the following slides.
ASA1# show running-config nat-control
nat-control
ASA1# show nat dmz out
match ip dmz any out any
no translation group, implicit deny
policy_hits = 0
Dynamic Translation
•If NAT-control is enabled, no traffic can pass through the ASA until a translation can be built.
•Dynamic translations are built using:
1)Network Address Translation (NAT) one-to-one mapping
OR
2)Port Address Translation (PAT) many-to-one mapping
Dynamic Translation
•The nat command specifies which networks (or hosts) on a source interface are allowed to be translated in order to reach networks (or hosts) on another interface.
•The global command is used to define which destination interface you want users to access from the source interface defined by the nat command.
•One or more global statements are coupled to one or more nat statements depending on the nat_ID.
•The nat_ID can be any number greater than 0, and it corresponds to the complementary global statement.
Network Address Translation (NAT)
•Network Address Translation (NAT) creates a one-to-one mapping between a local IP and another global IP (i.e. changing the source IP)
•For outbound traffic, the source IP address of the packet on the higher security level interface is translated to an IP address available in the global pool. The source port remains the same; only the IP address is translated.
•The return packet’s destination IP address is translated back as the packet traverses from the lower security level interface to the higher security level interface; the firewall does this by checking the xlate table for the matching translated IP.
nat (inside) 1 0 0
global (outside) 1 192.150.50.9-192.150.50.254 netmask 255.255.255.0
NAT Configuration Example
•Creates a global pool of IP addresses for connections to the outside
•All inside addresses will be address translated to global addresses
•ASA assigns addresses from global pool starting at the low end to the high end of the range specified in global command
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 172.16.1.128-172.16.1.254 netmask 255.255.255.0
NAT Configuration Example
nat (inside) 3 10.1.0.0 255.255.255.0
nat (inside) 3 10.1.1.0 255.255.255.0
nat (inside) 3 10.1.2.0 255.255.255.0
nat (inside) 3 10.1.3.0 255.255.255.0
global (outside) 3 172.16.1.10-172.16.1.115
or
nat (inside) 3 10.1.0.0 255.255.252.0
global (outside) 3 172.16.1.10-172.16.1.115
•Translates inside IP addresses to addresses specified in global command
•Still maintains firewall security for connection
Two Interfaces with NAT (Multiple Internal Networks)
All hosts on the inside networks can start outbound connections.
•A separate global pool is used for each internal network.
Inside network 10.0.0.0/24 uses global pool 192.168.0.1-14; inside network 10.1.0.0/24 uses global pool 192.168.0.17-30.
ASAfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
ASAfirewall(config)# nat (inside) 2 10.1.0.0 255.255.255.0
ASAfirewall(config)# global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
ASAfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240
Identity NAT (nat 0)
•Identity NAT using nat 0 is used to translate the IP address to itself (self translation)
•This is still considered as a translation
•Creates a dynamic translation in the xlate table.
•nat 0 still maintains firewall security for all connections
•Does not need a global command
•Applies on all egress interfaces
•Identity NAT is unidirectional in nature and is not suited for “publishing” a server address
nat (inside) 0 0.0.0.0 0.0.0.0
nat (inside) 0 192.168.1.0 255.255.255.0
Port Address Translation (PAT)
•The translation entry is a combination of the IP address and the source port number.
•Same IP address is used for all the packets but with different source port for each session.
•The IP used for PAT can be either the interface IP or a dedicated IP used to translate outgoing packets.
nat (inside) 1 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 170.1.1.10
PAT Configuration Example – Using Single Global Address
ASAfirewall(config)# global (outside) 1 2.2.2.2
ASAfirewall(config)# nat (inside) 1 10.0.0.0 255.0.0.0
•Assign single IP address (2.2.2.2) to global statement.
•Source addresses of hosts in network 10.0.0.0 are translated to 2.2.2.2 for outgoing access
•Source port changed to a unique number greater than 1024
PAT Configuration Example – Using interface Address
ASAfirewall(config)# global (outside) 1 interface
ASAfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
•Use the interface option to enable use of the outside interface as the PAT address
•Source addresses of hosts in network 10.0.0.0 are translated to outside interface address for outgoing access
Using a Global NAT Pool with PAT
•PAT and NAT can be used together.
•PAT is used only when NAT is not available.
•First NAT will take place, after the exhaustion of the global pool, PAT will take place.
•PAT addresses are used in the order their global statements are configured.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 170.1.1.1-170.1.1.9
global (outside) 1 170.1.1.10
global (outside) 1 170.1.1.11
Using a Global NAT Pool with PAT
•When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range
•When the addresses from the global pool are exhausted, PAT begins
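Added example (Python, not Cisco's implementation): a model of one nat_ID with a global range plus two single PAT addresses, following the nat (inside) 1 / global (outside) 1 170.1.1.x configuration above. It hands out one-to-one NAT from the low end of the range until the pool is exhausted, then PAT ports above 1024 on each single address in configuration order. The inside hosts are constructed, and xlate entries are assumed never to time out.

```python
import ipaddress

def ip_range(start, end):
    """Expand an inclusive 'start-end' global range into individual addresses."""
    first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]

class GlobalPool:
    """Models the global statements tied to one nat_ID, in configuration order.

    nat_ranges:    list of (start, end) tuples, i.e. 'global (outside) N A-B' lines
    pat_addresses: single addresses, i.e. 'global (outside) N X' lines
    Simplification (assumed): xlate entries never time out, so a host keeps its
    NAT address and a (host, port) pair keeps its PAT slot.
    """
    def __init__(self, nat_ranges, pat_addresses, max_port=65535):
        self.free = [ip for start, end in nat_ranges for ip in ip_range(start, end)]
        self.pat_next = {addr: 1025 for addr in pat_addresses}  # PAT ports start above 1024
        self.max_port = max_port
        self.xlate = {}       # real ip -> mapped ip (one-to-one NAT entries)
        self.pat_xlate = {}   # (real ip, real port) -> (mapped ip, mapped port)

    def translate(self, real_ip, real_port):
        """Return (mapped_ip, mapped_port, kind) with kind 'nat' or 'pat'."""
        if real_ip in self.xlate:                     # reuse the host's NAT xlate
            return self.xlate[real_ip], real_port, "nat"
        if self.free:                                 # NAT first, while the pool lasts
            mapped = self.free.pop(0)                 # lowest free address first
            self.xlate[real_ip] = mapped
            return mapped, real_port, "nat"           # source port is kept with NAT
        key = (real_ip, real_port)
        if key in self.pat_xlate:
            addr, port = self.pat_xlate[key]
            return addr, port, "pat"
        for addr, port in self.pat_next.items():      # PAT addresses in config order
            if port <= self.max_port:
                self.pat_next[addr] = port + 1
                self.pat_xlate[key] = (addr, port)
                return addr, port, "pat"
        raise RuntimeError("no translation available: NAT pool and PAT ports exhausted")

def page_pool():
    """The page's configuration as data:
         nat (inside) 1 0.0.0.0 0.0.0.0
         global (outside) 1 170.1.1.1-170.1.1.9
         global (outside) 1 170.1.1.10
         global (outside) 1 170.1.1.11
    """
    return GlobalPool([("170.1.1.1", "170.1.1.9")], ["170.1.1.10", "170.1.1.11"])
```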
Static NAT
•The static statement is usually used to permanently associate a host address (or network address) on a higher security level interface with a host address (or network address) on a lower security level interface.
•Static NAT is a bi-directional NAT
•Static NAT creates a permanent entry in the xlate table that never expires
•The following statically NATs host 10.10.10.1 on the inside to 5.5.5.5 on the outside.
static (real_if_name,mapped_if_name) mapped_ip real_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]
ASAfirewall(config)# static (inside, outside) 5.5.5.5 10.10.10.1
Static NAT
•To allow hosts on a lower security level interface to access hosts on a higher security level interface the static statement should be coupled with an access-list statement.
•Example: say we have 10.10.10.10 as a web server in the DMZ and we want to publish it as 5.5.5.5 and allow access to it from the outside:
static (DMZ,outside) 5.5.5.5 10.10.10.10
access-list permit_web_access permit tcp any host 5.5.5.5 eq 80
access-group permit_web_access in interface outside
AD
administrative domain. A group of hosts, routers, and networks operated and
managed by a single organization.
CA
1. certification authority. Entity that issues digital certificates (especially X.509
certificates) and vouches for the binding between the data items in a certificate.
2. Telecommunications: call appearance.
CA certificate
[Digital] certificate for one CA issued by another CA.
Cipher
Cryptographic algorithm for encryption and decryption.
ciphertext
Data that has been transformed by encryption so that its semantic information content
(that is, its meaning) is no longer intelligible or directly available.
CRL
certificate revocation list. Data structure that enumerates digital certificates that have
been invalidated by their issuer prior to when they were scheduled to expire.
cryptographic algorithm
Algorithm that employs the science of cryptography, including encryption
algorithms, cryptographic hash algorithms, digital signature algorithms, and key
agreement algorithms.
cryptographic key
Usually shortened to just “key.” Input parameter that varies the transformation
performed by a cryptographic algorithm.
Diffie-Hellman key exchange
A public key cryptography protocol that allows two parties to establish a shared secret
over insecure communications channels. Diffie-Hellman is used within Internet Key
Exchange (IKE) to establish session keys. Diffie-Hellman is a component of Oakley
key exchange. Cisco IOS software supports 768-bit and 1024-bit Diffie-Hellman
groups.
digital certificate
Certificate document in the form of a digital data object (a data object used by a
computer) to which is appended a computed digital signature value that depends on
the data object.
digital signature
Value computed with a cryptographic algorithm and appended to a data object in such
a way that any recipient of the data can use the signature to verify the data’s origin
and integrity.
DOI
domain of interpretation. In IPSec, an ISAKMP/IKE DOI defines payload formats,
exchange types, and conventions for naming security-relevant information such as
security policies or cryptographic algorithms and modes.
domain
1. On the Internet, a portion of the naming hierarchy tree that refers to general
groupings of networks based on organization type or geography.
2. In SNA, an SSCP and the resources it controls.
3. In IS-IS, a logical set of networks.
4. In security, an environment or context that is defined by a security policy, a security
model, or a security architecture to include a set of system resources and the set of
system entities that have the right to access the resources.
encryption
Application of a specific algorithm to data so as to alter the appearance of the data
making it incomprehensible to those who are not authorized to see the information.
encryption certificate
Public-key certificate that contains a public key that is intended to be used for
encrypting data, rather than for verifying digital signatures or performing other
cryptographic functions.
firewall
Router or access server, or several routers or access servers, designated as a
buffer between any connected public networks and a private network. A firewall
router uses access lists and other methods to ensure the security of the private
network.
HMAC
Hash-based Message Authentication Code. HMAC is a mechanism for message
authentication using cryptographic hash functions. HMAC can be used with any
iterative cryptographic hash function, for example, MD5, SHA-1, in combination
with a secret shared key. The cryptographic strength of HMAC depends on the
properties of the underlying hash function.
HMAC-MD5
Hashed Message Authentication Codes with MD5 (RFC 2104). A keyed version of
MD5 that enables two parties to validate transmitted information using a shared
secret.
ICMP flood
Denial of service attack that sends a host more ICMP echo request (“ping”) packets
than the protocol implementation can handle.
IKE
Internet Key Exchange. IKE establishes a shared security policy and authenticates
keys for services (such as IPSec) that require keys. Before any IPSec traffic can be
passed, each router/firewall/host must verify the identity of its peer. This can be done
by manually entering pre-shared keys into both hosts or by a CA service.
IPSec
IP Security. A framework of open standards that provides data confidentiality, data
integrity, and data authentication between participating peers. IPSec provides these
security services at the IP layer. IPSec uses IKE to handle the negotiation of protocols
and algorithms based on local policy and to generate the encryption and
authentication keys to be used by IPSec. IPSec can protect one or more data flows
between a pair of hosts, between a pair of security gateways, or between a security
gateway and a host.
ISAKMP
Internet Security Association and Key Management Protocol. Internet IPSec protocol
[RFC 2408] that negotiates, establishes, modifies, and deletes security associations.
It also exchanges key generation and authentication data (independent of the details
of any specific key generation technique), key establishment protocol, encryption
algorithm, or authentication mechanism.
Kerberos
Developing standard for authenticating network users. Kerberos offers two key
benefits: it functions in a multivendor network, and it does not transmit passwords
over the network.
key pair
Set of mathematically related keys—a public key and a private key—that are used for
asymmetric cryptography and are generated in a way that makes it computationally
infeasible to derive the private key from knowledge of the public key.
NIC
1. network interface card. Board that provides network communication capabilities
to and from a computer system. Also called an adapter. See also AUI.
2. Network Information Center. Organization whose functions have been assumed by
the InterNIC.
PFS
perfect forward secrecy. Cryptographic characteristic associated with a derived
shared secret value. With PFS, if one key is compromised, previous and subsequent
keys are not compromised because subsequent keys are not derived from previous
keys.
ping of death
Attack that sends an improperly large ICMP [RFC 0792] echo request packet (a “ping”)
with the intent of overflowing the input buffers of the destination machine and
causing it to crash.
ping sweep
Attack that sends ICMP [RFC 0792] echo requests (“pings”) to a range of IP
addresses with the goal of finding hosts that can be probed for vulnerabilities.
PKI
public-key infrastructure. System of CAs (and, optionally, RAs and other supporting
servers and agents) that perform some set of certificate management, archive
management, key management, and token management functions for a community of
users in an application of asymmetric cryptography.
RADIUS
Remote Authentication Dial-In User Service. Database for authenticating modem and
ISDN connections and for tracking connection time.
root CA
Ultimate CA, which signs the certificates of the subordinate CAs. The root CA has a
self-signed certificate that contains its own public key.
root certificate
Certificate for which the subject is a root. Hierarchical PKI usage: The self-signed
public-key certificate at the top of a certification hierarchy.
root key
Public key for which the matching private key is held by a root.
RSA
Acronym stands for Rivest, Shamir, and Adleman, the inventors of the technique.
Public-key cryptographic system that can be used for encryption and authentication.
trusted certificate
Certificate upon which a certificate user relies as being valid without the need for
validation testing; especially a public-key certificate that is used to provide the first
public key in a certification path.
What type of ASA software image runs on the Cisco ASA 5585-X?
A. All firewall/VPN SSP’s will run SMP (symmetric multi-processor) enabled ASA 8.2.3 or higher images.
How many virtual contexts and VLAN’s are supported on the Cisco ASA 5585-X?
A. 250 virtual contexts and 1024 VLAN’s are supported.
Is a reboot required after AnyConnect is installed or upgraded?
A. No. Unlike the IPSec VPN Client, a reboot is not required after an AnyConnect installation
or upgrade.
Note: This applies to the VPN module only.
What is the difference between the SSL−Tunnel and DTLS−Tunnel?
What type of traffic goes through each?
A. The SSL−Tunnel is the TCP tunnel that is first created to the ASA. When it is fully
established, the client will then try to negotiate a UDP DTLS−Tunnel. While the
DTLS−Tunnel is being established, data can pass over the SSL−Tunnel. When the
DTLS−Tunnel is fully established, all data now moves to the DTLS−tunnel and the
SSL−tunnel is only used for occasional control channel traffic. If something should happen to
UDP, the DTLS−Tunnel will be torn down and all data will pass through the SSL−Tunnel
again.
The decision of how to send the data is very dynamic. As each network bound data packet is
processed there is a point in the code where the decision is made to use either the SSL
connection or the DTLS connection. If the DTLS connection is healthy at that moment, the
The SSL connection is established first and data is passed over this connection while
attempting to establish a DTLS connection. Once the DTLS connection has been established,
the decision point in the code described above just starts sending the packets via the DTLS
connection instead of the SSL connection. Control packets, on the other hand, always go over
the SSL connection.
The key point is if the connection is considered healthy. If DTLS, an unreliable protocol, is in
use and the DTLS connection has gone bad for whatever reason, the client does not know this
until Dead Peer Detection (DPD) occurs. Therefore, data will be lost over the DTLS
connection during that short period of time because the connection is still considered healthy.
Once DPD occurs, data will immediately be sent via the SSL connection and a DTLS
reconnect will happen.
The ASA will send data over the last connection it received data on. Therefore, if the client
has determined that the DTLS connection is not healthy, and starts sending data over the SSL
connection, the ASA will reply on the SSL connection. The ASA will resume use of the
DTLS connection when data is received on the DTLS connection.
Why am I unable to ping the inside interface of the ASA from a host connected to the outside interface of the ASA?
A. The default behavior of the ASA is to allow all ICMP traffic to the ASA interfaces.
However, the ASA denies ICMP messages received at the outside interface for destinations
on a protected interface.
What is Cisco Easy VPN?
A. Cisco Easy VPN is an IP Security (IPsec) virtual private network (VPN) solution supported by Cisco routers and security appliances. It greatly simplifies VPN deployment for remote offices and mobile workers. Cisco Easy VPN is based on the Cisco Unity® Client Framework, which centralizes VPN management across all Cisco VPN devices, thus reducing the management complexity of VPN deployments. There are three components of the
Cisco Easy VPN solution: Easy VPN Client, Easy VPN Remote, and Easy VPN Server.
Does NAT occur before or after routing?
A. The order in which the transactions are processed using NAT is based on whether a packet
is going from the inside network to the outside network or from the outside network to the
inside network. Inside to outside translation occurs after routing, and outside to inside
translation occurs before routing.