ABOUT THE AUTHOR For over ten years, Richard Deal has operated his own company, The Deal Group Inc., in Oviedo, Florida, east of Orlando. Richard has over 20 years of experience in the com- puting and networking industry including networking, training, systems administra- tion, and programming. In addition to a BS in Mathematics from Grove City College, he holds many certifications from Cisco and has taught many beginning and advanced Cisco classes. This book replaces Richard’s Cisco PIX Firewalls (2002), an in-depth book on Cisco’s PIX firewalls and their implementation, published by McGraw-Hill Profes- sional. Richard has also written two revisions for the CCNA certification for McGraw- Hill, CCNA Cisco Certified Network Associate Study Guide (2008) and will be finishing his book for the CCNA Security certification in mid-2009: CCNA Cisco Certified Network As- sociate Security Study Guide. Richard is also the author of two books with Cisco Press: The Complete Cisco VPN Configuration Guide (2005) and Cisco Router Firewall Security (2004), named a Cisco CCIE Security recommended reading. In all, Richard has more than ten books under his belt. Richard also periodically holds boot-camp classes on the CCNA and CCSP, which provide hands-on configuration of Cisco routers, switches, and security devices.About the Technical Editor Ryan Lindfield has worked in IT since 1996 and is currently teaching Cisco certifica- tion courses at Boson Training and consulting for Westchase Technologies. Ryan holds several certifications including CCSP, CISSP, CEH, GCFA, CCSI, and MCSE and enjoys vulnerability research and exploring the latest trends in security technologies. He lives in Tampa, Florida, with his wife, Desiree, and his dog, Logan.
Cisco ASA ®Configuration RICHARD A. DEAL New York Chicago San Francisco Lisbon London Madrid Mexico City MilanNew Delhi San Juan Seoul Singapore Sydney Toronto
FOREWORDO ver the past decade computer networks as well as the attacks against them have become increasingly complex. As information technol- ogy professionals we are faced with overcoming challenges everyday, and learning new security concepts should not be one of them. I haveknown Richard, the author of this book, during this same time, and hisgift of making difficult technology concepts understandable has remainedconstant. Whether he is presenting to a room of information technologyprofessionals or writing books, Richard’s communication skills are unsur-passed. As the importance of networks continues to grow, security becomes ever morevital. The Cisco Adaptive Security Appliances intelligent threat defense offers theneeded protection for businesses today as well as for the future. Technologies anddevices based on Internet protocol continually touch every aspect of our lives—weneed to be confident that our data is safe. Cisco ASA Configuration is a great refer-ence and tool for answering our challenges. Steve Marcinek, CCIE 7225 Systems Engineer, Cisco Systems xxiii
PREFACEO ver the last several years we have seen a rise in the number of attacks launched against our networks. These attacks are not only more plen- tiful, but also becoming more sophisticated. The complexities of ournetworks grow at an equal rate, while IT departments and budgets shrink.The number of protocols on our networks is also rising, and the number ofclients is increasing. Meanwhile there is the demand to keep services avail-able and to keep data from being leaked. While there is no single technology that can guarantee a secure network, oneof the most critical components in your infrastructure is the firewall. Possessing asolid understanding of firewall capabilities is a critical prerequisite to fortify yourdefenses. The Cisco ASA 5500 series products and the latest revisions of Cisco’s firewallsoftware have introduced some awesome new features. Topics discussed withinthis book include Modular Policy Framework, transparent firewalls, deep packetinspection, contexts, failover, WebVPN, and more. A plethora of capabilities onyour firewalls is waiting to be unleashed; the key is knowing what these featuresare, understanding how the technology works, and then how to configure them.Richard has put together an excellent reference with over 20 chapters of technolo-gies, explanations, and configuration examples. xxv
xxvi Cisco ASA Configuration Richard has been recognized as an expert on the Cisco firewall for many years, and this book is an excellent follow-up to his Cisco PIX Firewalls book from 2002. This book does a great job of walking you step-by-step through the technologies and configuration behind the ASA 5500. Cisco ASA Configuration is an excellent resource for both the novice and seasoned Cisco PIX administrator. Ryan Lindfield Senior Technical Instructor Boson Training
ACKNOWLEDGMENTS I would like to thank the following people: ▼ This book would not have been possible without the support of family. A book of this size is very time-consuming, especially when you have to balance a book, a job, and, most importantly, a family. My two girls are the love of my life. ■ A special thanks to Ryan Lindfield for providing excellent feedback and encouragement on the technical content of this book. I’ve worked with Ryan for quite some years, and I’ve always been impressed with his security and, especially, his hacking skills. And congratulations to him for getting married! ▲ The team at McGraw-Hill, especially Jane Brownlow, Joya Anthony, Carly Stapleton, Vipra Fauzdar, Janet Walden, and Jan Jue. I owe a debt of grati- tude to this team, especially in pulling all of the pieces together for the final proofing—thanks for your help! Best wishes to all! And cheers! xxvii
INTRODUCTIONF or those of you who have kept asking me when the replacement for my PIX book would be out, I appreciate your long patience. Over the past five years I have focused my business solely on security, spend-ing most of my time with Cisco’s security products like the ASAs and PIXs,and with VPN technologies. Firewalls, as a technology, have been around for over a decade. However, itwasn’t until the explosion of the Internet that the use of firewalls has become com-monplace in corporate and small offices, and even in home environments. (I usean ASA 5505 for my home office and Eset on my laptop.) I’m continually amazedat the number of times curious people and hackers on the Internet have attemptedto scan and probe my home office network. Because of the large number of products available, I have limited the focus of thisbook primarily to Cisco’s ASA security appliance family. Most of what I discuss inthis book also applies to Cisco’s end-of-sale PIX security appliances, and where thereare differences I point them out. Many of the readers of my previous book on thePIXs have constantly asked me to update it; having a family life has slowed downmy writing, but I’m back in the groove. So many critical changes have occurred sinceversion 6 of the security appliances that I have finally succumbed to my faithfulreaders. Most medium-to-enterprise companies I’ve consulted for use Cisco’s secu-rity appliances, so having a good background in understanding their capabilities xxix
xxx Cisco ASA Configuration and configuring their features makes you more marketable as a consultant and more valuable as an employee. I have written this book for the following reasons: ▼ To bring you up to date on the large number of very important changes in the security appliance operating system since version 6 of the PIXs. ■ To explore network security, a hot topic because of increasing levels of threats and damage, as well as the explosive growth of Internet services. ■ To familiarize you with ASA and PIX security appliances. You are likely to run into them in your job because Cisco is the market share leader in enterprise net- working solutions. ■ To fill the need for a really good, focused book on Cisco’s security appliance products. ▲ To make you more aware of the product technology and intelligence Cisco brings to the security arena, because I have never seen a networking company offer a bet- ter set of enterprise products and top-notch technical support. THE INTENDED AUDIENCE The concepts and configurations provided in this book are not for people thinking about a career in computer networking, but for people who are using ASAs (and PIXs) to se- cure their internal networks. This book can easily be read by not only network adminis- trators, engineers, and technicians, but also by networking salespersons and managers. The objective of this book is to provide you with an understanding of the functions of a firewall; an overview of Cisco’s ASA security appliance family; the features available on the ASAs, including those in the most recent operating system versions (version 8.0); and the configuration of the ASAs. WHAT THIS BOOK COVERS I make no assumptions about your skill level with ASAs, and I have attempted to pres- ent every subject in a clear and easy-to-understand layout. I’ve separated the book into different sections in order to make the presentation of the material easier to understand, and to provide a step-by-step progression in setting up your security appliance. This book contains six parts, with a total of 27 chapters. I assume that you have never seen the command-line interface (CLI) or graphical-user interface (GUI) of a Cisco security appliance. Part I introduces you to the ASA product family, the CLI interface, and basic configura- tion tasks, like setting up interfaces and routing. Part II discusses controlling traffic through the security appliances, including address translation, access control lists (ACLs), object groups, filtering web content, filtering connections using AAA (called Cut-through Proxy),
Introduction xxxi and IPv6. Part III covers the implementation of policies for protocols, data applications, voice, and multimedia through the use of the Modular Policy Framework (MPF). Part IV introduces the configuration of VPN implementations, including IPSec site-to-site, IPSec remote access, and Cisco’s implementation of SSL VPNs, called WebVPN. Part V intro- duces the advanced features of the security appliances, including the layer 2 transparent firewall, security contexts, failover, network attack prevention features, and the AIP-SSM and CSC-SSM cards for the ASAs. The end of the book, Part VI, introduces you to the management of the appliances, including basic administrative tasks you perform from the CLI and Cisco’s GUI-based product to manage the appliances: Adaptive Security Device Manager (ASDM).FINAL WORDS Even though I discuss many of the components and configurations of the security ap- pliances, it is impossible to cover every type of configuration and network scenario in a single book. I highly recommend that you use Cisco’s web site (http://www.cisco.com) as well as various Usenet newsgroups as additional resources. I cannot begin to count the number of times that I have found the answer to a question in either of these two places. Because of the value of this information, I’ve rarely had to call TAC (Technical Assistance Center) at Cisco for help with a security appliance configuration issue, except for the occasional bugs that I’ve discovered. I wish you the best in your networking endeavors and hope that this book helps make your job easier when it comes to using Cisco’s security appliances, especially the ASAs. I love to hear from my readers, so any and all feedback is appreciated! Cheers!
4 Cisco ASA Configuration T his chapter introduces the features and hardware of Cisco’s Adaptive Security Appliance (ASA) product line. The topics include ▼ Features of the ASA, including the operating system, security algorithm, redundancy, and others ▲ The hardware of the ASA product line, including the models, supported hardware modules (cards), and licensing ASA FEATURES Cisco’s ASA is a set of stateful security appliances ranging from the model 5505, which is designed for Small Office, Home Office (SOHO) environments, to the 5580, which is designed for large enterprise networks and ISP sites. All of these products use the same operating system and management tools, easing your implementation and monitoring tasks. Because all the security appliances use the same operating system, the major dif- ferences between the models primarily concern scalability and performance. The ASA family of products (and their older siblings, the PIX products) can best be described as hybrid firewalls. Cisco, however, does not like to use the term “firewall” to describe the ASA and PIX product family. Instead, Cisco prefers using the term “security appliance,” mainly because the ASA products and the products they replaced, the PIX products, are not just stateful firewalls; they also support many other security features, including ▼ Secure, real-time, proprietary operating system ■ Stateful firewall using the Cisco Security Algorithm (SA) ■ Sequence Number Randomization (SNR) to secure TCP connections ■ Cut-through Proxy (CTP) for authenticating telnet, HTTP, and FTP connections ■ Default security policies to ensure maximum protection, as well as the ability to customize these policies and build your own policies ■ Virtual private network (VPN) abilities: IPSec, SSL, and L2TP ■ Intrusion detection and prevention systems (IDS and IPS) ■ Address translation using dynamic and static network and port address translation ■ Stateful redundancy of connections and VPNs between two security appliances ▲ Virtualization of policies using contexts This is just a small list of some major features of the security appliances. The fol- lowing sections provide an overview of some of these features. The features that I don’t briefly cover in this chapter are covered in subsequent chapters.
Chapter 1: ASA Product Family 5 NOTE Throughout the book, whenever the terms “security appliance” or “appliance” are used, they refer to both the ASA and PIX products unless otherwise noted.Operating System The operating system (version 7 and later) you currently see on the ASA appliances and on the PIX 515 and higher appliances is based on the PIX Finesse Operating System (FOS). The FOS is a proprietary, stand-alone operating system. It implements the ac- tual security functions that the security appliance hardware performs. In this sense, it is somewhat similar to the Internetwork Operating System (IOS) of Cisco routers and switches, or what the Microsoft Windows XP or Linux operating systems are to PCs. Cisco no longer uses the term FOS to describe the operating system, though. Starting in version 7 and later, Cisco refers to the security appliance operating system as just the “operating system.” NOTE Even though Cisco’s PIX appliances are no longer for sale, which Cisco denotes as end- of-sale (EOS), the PIX 515s and higher support the same operating system as the ASAs. The main difference between the PIXs and ASAs is that the lower-end PIX 501 and 506E do not support version 7 and later of the OS, and none of the PIXs supports SSL VPNs. This book focuses on the use of the ASAs; however, the topics discussed can be equally applied to the PIXs in most situations. Firewall Applications Some firewall products run on top of an operating system; these solutions are commonly called firewall applications. One disadvantage that firewall applications have compared with a proprietary operating system is that the firewall vendor must deal with two soft- ware products in creating a firewall: the operating system and the firewall application. This process can often lead to a less secure system. This is especially true when you con- sider all the security threats that have been directed specifically at UNIX and Microsoft operating systems. An example of a firewall product that uses firewall applications is Check Point. This is not to say that Check Point’s firewall is a worse solution than a firewall product that uses a proprietary operating system. However, a firewall vendor like Check Point will have to do many more things to ensure that the firewall application and operating system provide a secure solution. (Note that Check Point’s next-generation product, SecurePlatform 1, is moving away from this approach and moving toward an integrated solution.) The main problem with a firewall application solution is that the vendor not only has to provide a secure firewall application, but must also secure the operating system it runs on. However, firewall applications do provide two advantages: ▼ They tend to be easy to install and maintain. ▲ They run on a wide variety of PC/server platforms.
6 Cisco ASA Configuration Proprietary Operating System Proprietary operating systems provide a security advantage over firewall applications—a proprietary operating system vendor has to be concerned about only one system, instead of two, in providing a secure firewall solution. Another huge advantage of proprietary operating systems is scalability. Because a proprietary operating system can be custom- ized to a specific hardware platform, this firewall system can provide extremely fast pack- et filtering abilities and security capabilities. Off-the-shelf operating systems like UNIX and Microsoft Windows are general- purpose operating systems that were developed to perform many tasks, not all of which are performed at an optimal level. Using a general operating system decreases the per- formance of the packet filtering and firewall functions of the firewall application. To provide for scalability, you must load your firewall application on very expensive server platforms. Using a proprietary operating system in a firewall solution also makes it much more difficult for hackers to penetrate the firewall. Attackers are familiar with the functions of common operating systems like UNIX and Microsoft products, which makes it a little bit easier for them to attack the firewall application. However, when vendors use a propri- etary operating system to implement their firewall solution, an attacker will have little or no knowledge about the functions and processes of the operating system, making it very difficult for the attacker to compromise the firewall solution. Using a proprietary operating system has some disadvantages. First, because the op- erating system is proprietary, your security personnel will have to learn the new system. Many of your personnel will already have experience with UNIX or Microsoft Windows, and thus their learning curve in implementing the solution will be shortened. NOTE When you are using an underlying proprietary operating system such as Cisco’s security appliances, the administrator is unable to interact with the underlying OS. Also, because firewall applications are developed for a specific operating system platform like UNIX or Microsoft Windows, your security personnel will already be fa- miliar with the interface that is employed by the firewall. A good example of this is Check Point’s firewall solution—it has a very good, intuitive GUI interface, which makes configuration easy and also reduces the likelihood of making mistakes and opening up unintended holes in your firewall system. Here are some of the main advantages of using proprietary OSs for firewalls: ▼ They tend to be more secure than firewall applications. ▲ They provide for better scalability and packet filtering speeds because the operating system is customized directly to work with specific hardware. ASA Management Because the security appliances use the same operating system, the configuration of Cisco’s ASAs and PIXs is simplified. You have a choice of three methods to configure your security appliance:
Chapter 1: ASA Product Family 7 ▼ Command-line interface (CLI) ■ Adaptive or Appliance Security Device Manager (ASDM) ▲ Cisco Secure Manager (CSM), which is the replacement for the Cisco Works product The CLI implemented on the security appliances is somewhat similar to Cisco’s IOS- based router CLI. As you will see in later chapters, however, the CLIs of both platforms differ in many ways. The ASDM interface is a Java-based graphical user interface (GUI) tool that allows you to remotely manage a security appliance with a web browser. CSM is a complete management package that allows you to manage the security policies and configurations for Cisco firewalls (ASAs, PIXs, and IOS-based routers), Cisco IPS devices (4200s, AIP-SSM cards, IDMS2 cards, and AIM-IPS cards), Cisco VPN devices (ASAs, PIXs, IOS-based routers, and the 3000 concentrators), and Cisco host IPS implementa- tions (Cisco Security Agent [CSA]). As you can see, you have many options available to configure your security appli- ance and to implement your security policies. This book primarily focuses on using the CLI, but Chapter 27 covers the ASDM GUI.Security Algorithm One main function the security appliances perform is a stateful firewall. A stateful fire- wall adds and maintains information about a user’s connection(s). In version 6 and ear- lier of the operating system, the Adaptive Security Algorithm (ASA) implemented the stateful function of the PIX firewall by maintaining connection information in a state table, referred to as a conn table. When Cisco introduced the ASA hardware platform in version 7, it dropped the term “adaptive” and now just refers to the process that handles the security functions as the “security algorithm.” The security appliances use the conn table to enforce the security policies for users’ connections. Here is some of the information that a stateful firewall keeps in its state table: ▼ Source IP address ■ Destination IP address ■ IP protocol (like TCP or UDP) ▲ IP protocol information, such as TCP/UDP port numbers, TCP sequence numbers, and TCP flags NOTE The security appliances provide a stateful process for TCP and UDP traffic only, by default. Starting in version 7, ICMP can also be treated statefully, but this is disabled by default. Stateful Firewall Explanation Figure 1-1 is a simple example that illustrates the stateful process performed by a stateful firewall. These are the steps shown in Figure 1-1: 1. A user (PC-A) inside your network performs an HTML request to a web server outside your network.
8 Cisco ASA Configuration Connection Table Inside IP Address IP Protocol Inside IP Port Outside IP Address Outside Port 184.108.40.206 TCP 11000 220.127.116.11 80 2 Internal Network Internet Stateful Firewall 1 3 PC-A 18.104.22.168 Web Server 22.214.171.124 Figure 1-1. A stateful firewall adds a connection to its connection table. 2. As the request reaches the stateful firewall, the firewall takes the user’s information, for example, the source and destination address, the IP protocol, and any protocol information (such as the source and destination port numbers for TCP), and places this data in the state or connection table. 3. The firewall forwards the user’s HTTP request to the destination web server. Figure 1-2 shows the returning traffic from the HTTP server. These are the steps as the traffic returns from the web server: 1. The destination web server sends the corresponding web page back to the user. 2. The firewall intercepts the connection response and compares it with the entries that it has in its state table. ■ If a match is found in the connection table, the returning packet(s) are permitted. ■ If a match is not found in the connection table, the returning packet(s) are dropped.