Cisco ASA firewall command line Technical Guide
Working Paper · May 2016
DOI: 10.13140/RG.2.1.1157.4649
Author: Motasem Hamdan, American University of Science and Technology
Source: https://www.researchgate.net/publication/303518237 (uploaded by the author on 25 May 2016)
Cisco ASA firewall command line technical Guide
Streamlined and simple to use
Author: Eng. Motasem Hamdan
Category: Network Security
Academy: Cisco Networking Academy
Abstract
This guide streamlines the commands most used by network security engineers when managing a Cisco ASA firewall. It covers the basic, common commands needed to manage, administer and secure the firewall and to provide connectivity to the devices connected to it. It is neither a comprehensive nor a reference document for Cisco ASA commands; the main reference for command line syntax is referred to at the end of this document. The guide is meant as a handy command line companion for the most common tasks on the Cisco ASA, while other operations such as virtual firewalls and VPN remote access can be done seamlessly using ASDM. It assumes CCNA, CCNA Security and CCNP level knowledge and could be handy if you are already enrolled in the CCNP Security pathway.
Basic IP Connectivity and routing protocols
Configuring a trunk link and sub-interfaces between the ASA and a switch
On the outside physical interface of switch1:
interface f0/10
 switchport mode trunk
 no shutdown
On the inside interface of the ASA firewall:
interface f0/3
 switchport mode trunk
 switchport trunk allowed vlan 20,10
 no shutdown
interface f0/3.1
 vlan 20 [or use the encapsulation command]
 no shutdown
interface f0/3.2
 vlan 10 [or use the encapsulation command]
 no shutdown
Note: the command that creates a trunk link between two networking devices is entered once for a router-to-switch trunk, but for a firewall-to-switch trunk it must be entered twice, once on each of the two facing interfaces
Configure an ASA interface
interface eth0/0
 nameif outside [or inside]
 ip address ip-address [subnet-mask]
 speed [auto | 10 | 100 | 1000]
 duplex [auto | full | half]
 ip address dhcp [setroute]
 security-level level (0-100)
When two interfaces are configured with the same security level, traffic between them is blocked by default and must be explicitly allowed with
same-security-traffic permit inter-interface
Configuring and changing the MTU size of an interface so that it can carry larger packets
mtu if_name bytes
Enabling jumbo frame processing (applicable only to the ASA 5580)
jumbo-frame reservation
Verifying the status of an interface
show interface if_name
Verifying the status of all interfaces
show interface ip brief
The ASA does not forward DHCP requests by default, so it must be configured as a DHCP relay agent
dhcprelay server ip-address interface
dhcprelay enable interface
Note that in the first command the interface is the one facing the DHCP server (or the gateway towards it), while in the second command the interface is the one facing the clients
Enabling the DHCP server on the ASA to assign IP addresses to clients
dhcpd enable interface
dhcpd address ip1-ip2 interface [address pool]
Delivering DNS server addresses to the clients
dhcpd dns ip1 ip2
Delivering the domain name to the clients
dhcpd domain your-domain
Configuring default and static routes
route [inside | outside] dest dest-subnet-mask next-hop-gateway
route [inside | outside] 0.0.0.0 0.0.0.0 next-hop-gateway
Configuring RIPv2 to exchange routing information with other RIPv2 routers
access-list [access-list name] standard [permit | deny] [network ip] [subnet mask]
router rip
 version 2
 no auto-summary
 default-information originate [to advertise static routes]
 network [the IP of the network to be advertised]
 distribute-list [access-list name used above] [in | out] interface [inside | outside]
 exit
interface eth0/2
 rip authentication mode md5
 rip authentication key [your key] key_id [id]
Configuring EIGRP routing on the ASA
router eigrp [AS number]
 network ip-addr [mask]
interface [interface]
 summary-address eigrp [AS number] [ip-addr] [mask] [AD]
Redistributing routes learned through RIPv2, static routes or directly connected routes
 redistribute [rip | static | connected] [metric bandwidth delay reliability load mtu] [route-map map_name]
Defining the default metric used when redistributing the different route types
 default-metric bandwidth delay reliability loading mtu
Securing EIGRP routes
interface interface
 authentication mode eigrp [AS number] md5
 authentication key eigrp [AS number] [key] key-id [id]
Filtering routing updates
access-list [access-list name] standard [permit | deny] [network ip] [subnet mask]
 distribute-list [access-list name used above] [in | out] interface [inside | outside]
Configure OSPF on the ASA
router ospf pid
 router-id ip_addr
 network ip_addr netmask area area_id
 area area_id authentication message-digest
interface interface
 ospf message-digest-key key_id md5 key
 ospf authentication message-digest
prefix-list list_name [permit | deny] network_ip/len [ge min_bits] [le max_bits]
 area area_id filter-list prefix list_name [in | out]
Configuring the host name and domain name to form the FQDN of the ASA:
hostname hostname
domain-name domain_name
Note 1: configuring the above parameters is optional in general, but it is compulsory in order to create and generate the CA (key pair and certificate) used for SSH, HTTPS and VPN connections
Configuring the DNS client on the ASA
dns domain-lookup inside
dns server-group DefaultDNS
 name-server primary_dns_srv_ip
 name-server secondary_dns_srv_ip
debug dns all
Note 2: the DNS client must be enabled on an interface that can reach the DNS server on your network; if you do not have a separate DNS server, enable it on all interfaces and assign a public DNS server such as Google's
Note 2.1: the last command of the DNS client configuration is used to troubleshoot DNS issues
Management and secure access
Configuring secure SSH access for management purposes
crypto key generate rsa general-keys label 1st-key-pair modulus [size: 512, 768, 1024, 2048]
ssh version 2
ssh ip_addr subnet_mask interface
ssh disconnect session_id
Note 3: the IP address in the ssh ip_addr command is the network address of the hosts allowed to open SSH sessions, or a single IP used to manage the ASA through SSH; the interface is the one those hosts reach the ASA on
Note 3.1: the last command terminates a designated SSH session (the session ids are listed by show ssh sessions)
Creating local users for management access
username admin password password privilege 15
Note 4: the privilege configured for each user is in the range 0-15, with 0 being the lowest privilege and 15 the highest (the encrypted keyword is only added when the password is supplied in its already-hashed form)
Configure the maximum number of login attempts to the CLI or ASDM
aaa local authentication attempts max-fail 3
Recovering a lost or forgotten password to get access back to the ASA
- Reboot the ASA
- Press "ESC" when prompted to use "Break"
- You should now be in ROMMON mode
- Type: "confreg 0x41"
- Type: "boot"
- This makes the ASA bypass the startup configuration file and drops you into user mode
- Type: "enable" to enter privileged mode
- Press enter
- You are now free to configure a new password
- Reset the configuration register by typing: "config-register 0x1"
Note 5: the steps above can only be performed over a serial console connection
Note 5.1: you can disable password recovery by typing: "no service password-recovery"
Configure and enable logging on the ASA
logging enable
logging ftp-bufferwrap
logging ftp-server ftp_srv_ip dest_directory ftp_username ftp_pass
logging timestamp
Note 6: the second and third commands send the syslog and debugging messages held in the internal buffer to an FTP server when the buffer wraps
Troubleshooting the event log and logging issues
show logging queue
logging queue 7000
show logging
Note 7: the allowed values for the size of the logging queue are in the range 0-8192
Configuring and enabling the HTTP server on the ASA
http server enable
http ip-addr subnet-mask [outside | inside]
Configuring storage disks and image booting
dir disk0:
boot system disk0:/img_name
configure factory-default
clear configure all
clear configure [keyword]
Note 7: in the first command "disk0" might be "disk1" or "flash"
Note 7.1: the second command instructs the ASA to boot from the specified image
Note 7.3: the third command returns the ASA to its factory settings
Note 7.4: the "keyword" in the last command is whatever configuration section the administrator wants to remove
Configure a redundant interface pair for failover connectivity
interface redundant 1
 member-interface eth0/0
 member-interface eth0/1
 no shutdown
NAT and PAT procedures
Configuring Dynamic NAT
nat (inside) 1 network_ip subnet_mask
global (outside) 1 pool_translated_ip netmask netmask
timeout xlate 1:00:00
A must-read note: dynamic NAT is a type of NAT where addresses from a pool of public IP addresses are assigned to local hosts each time they initiate an outbound connection to the outside world; for hosts in the DMZ, a connection back from a client will not succeed because the public address assignment is dynamic.
Note 1: the first command specifies the inside interface and the local network behind it whose hosts will be subject to dynamic NAT
Note 1.1: the second command specifies the outside interface on which the translation takes place, along with the pool of translated IP addresses and their netmask
Note 1.2: the third command specifies the idle time after which a local host's translation expires and a new public IP address assignment occurs
Configuring Dynamic PAT
nat (DMZ) 2 dmz_network_ip subnet_mask tcp 0 0 udp 0
nat (inside) 2 inside_network_ip subnet_mask tcp 0 0 udp 0
global (outside) 2 interface
global (DMZ) 2 global_ip_addr netmask 255.255.255.255
A must-read note: dynamic PAT is a type of address translation where a group of local hosts, either on the DMZ or the client hosts, is translated to a single IP address (or a limited pool of addresses) plus a unique port for each session initiated to the outside world
Note 2: the first command specifies the DMZ interface and the address space behind it that is subject to PAT
Note 2.1: the second command specifies the inside interface and the local host addresses that are subject to PAT along with their ports
Note 2.2: the third command specifies the outside interface on which PAT occurs
Note 2.3: the fourth command specifies the global IP address that will be used for the DMZ hosts to initiate connections to the internet and receive the replies
Note 2.4: in the fourth command a pool of IP addresses can be specified instead, in which case the subnet mask must be changed accordingly
Verifying dynamic PAT and NAT
show xlate
Note 3: the command shows the translation table (xlate) entries
Configure host static NAT
static (DMZ,outside) public_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0
A must-read note: host static NAT is a type of translation where a single local host IP address is translated into a single public IP address
Note 4: the command above translates a local host on the DMZ into a public IP address on the outside interface
Configure network static NAT:
static (DMZ,outside) public_ip network_ip_local_hosts netmask netmask tcp 0 0 udp 0
A must-read note: in network static NAT a group of local hosts, either on the DMZ or client hosts, is subject to translation into one single public IP address; this type is ideal for client hosts that do not need to receive connections back from the internet
Note 5: the command above uses the network address of the local hosts instead of the single host address used in Note 4
Configure static PAT
static (DMZ,outside) tcp public_ip translated_port server_private_ip original_port netmask 255.255.255.255 tcp 0 0 udp 0
A must-read note: static PAT is a type of address translation where a single local IP address or a group of them, most commonly in the DMZ, is translated into one single public IP address along with their port numbers; this is the ideal type for servers that must receive connections from clients
Note 6: the command above specifies the public IP, the translated port (the port outside clients connect to in order to reach the server) and the original port the server listens on
Configure no translation (NAT exemption)
nat (inside) 0 network_ip subnet_mask tcp 0 0 udp 0
A must-read note: NAT exemption means that no translation takes place for the local hosts; it is used for connections that stay within the internal space.
Note 7: the command above specifies that a network of local host addresses will not be subject to any kind of translation
Configure identity static NAT:
static (inside,DMZ) local_host_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0
A must-read note: this type of NAT is the preferred one for connections between the DMZ and the clients' hosts and vice versa. The translated IP address is the same as the real one
Note 8: the command above can be specified for the inside or the DMZ interface on the ASA; the host IP address remains the same after translation
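To make the must-read notes on dynamic PAT and static PAT concrete, here is an added example (not code from the guide) that models a simplified pre-8.3 xlate table: outbound sessions from inside hosts create dynamic PAT entries, a DMZ server has a permanent static PAT entry, and unsolicited inbound traffic can only land on the static one. The addresses, the mapped-port allocator and the topology are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Xlate:
    """One row of 'show xlate' (simplified)."""
    real_ifc: str
    real_ip: str
    real_port: Optional[int]
    mapped_ip: str
    mapped_port: Optional[int]
    static: bool


@dataclass
class XlateTable:
    # nat (real_ifc) id real_net + global (outside) id mapped_ip: dynamic PAT rules
    dynamic_pat: list = field(default_factory=list)   # (real_ifc, network, mapped_ip)
    xlates: list = field(default_factory=list)
    next_port: int = 1024                              # constructed port allocator

    def nat_dynamic_pat(self, real_ifc, real_net, mapped_ip):
        self.dynamic_pat.append((real_ifc, ip_network(real_net), mapped_ip))

    def static_pat(self, real_ifc, mapped_ip, mapped_port, real_ip, real_port):
        # static (real_ifc,outside) tcp mapped_ip mapped_port real_ip real_port: permanent xlate
        self.xlates.append(Xlate(real_ifc, real_ip, real_port, mapped_ip, mapped_port, True))

    def outbound(self, real_ifc, src_ip, src_port):
        """A host behind real_ifc opens a session to the outside.
        Returns the mapped (ip, port) it appears as, or None if no rule applies."""
        src = ip_address(src_ip)
        for ifc, net, mapped_ip in self.dynamic_pat:
            if ifc == real_ifc and src in net:
                x = Xlate(real_ifc, src_ip, src_port, mapped_ip, self.next_port, False)
                self.next_port += 1
                self.xlates.append(x)
                return (x.mapped_ip, x.mapped_port)
        return None

    def inbound(self, dst_ip, dst_port, reply_to_existing=False):
        """Packet from the outside to mapped dst_ip:dst_port.
        Unsolicited traffic can only land on a static xlate; a dynamic xlate is
        only usable by the return traffic of the session that created it."""
        for x in self.xlates:
            if x.mapped_ip == dst_ip and x.mapped_port == dst_port:
                if x.static or reply_to_existing:
                    return (x.real_ifc, x.real_ip, x.real_port)
        return None

    def show_xlate(self):
        return [f"{'static ' if x.static else ''}PAT {x.real_ifc}:{x.real_ip}/{x.real_port} "
                f"-> {x.mapped_ip}/{x.mapped_port}" for x in self.xlates]


def demo():
    """Constructed topology: inside clients behind dynamic PAT, a DMZ web server behind static PAT."""
    t = XlateTable()
    t.nat_dynamic_pat("inside", "10.0.10.0/24", "203.0.113.1")  # nat (inside) 2 ... / global (outside) 2 interface
    t.static_pat("DMZ", "203.0.113.2", 80, "10.0.30.10", 8080)  # static (DMZ,outside) tcp 203.0.113.2 80 10.0.30.10 8080
    return t
```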
Access control lists
Examining real-time connections by looking at the connection table
show conn
show conn detail
clear conn address ip_addr
Note 1: the connection table displays information and details about the connections initiated by hosts in the internal network with the outside world.
Note 1.2: every session established from an internal host to a public host is recorded in the connection table, so the return traffic of that session does not need to be permitted by an ACL to reach the internal host
Note 1.3: the third command clears all the connections involving the specified IP address
Configuring real-scenario access lists for a small network
- Allowing internal clients or hosts to communicate with and browse the internet
access-list INSIDE line 1 extended permit tcp src_ip subnet_mask any eq http
access-list INSIDE line 2 extended permit tcp src_ip subnet_mask any eq smtp
access-list INSIDE line 3 extended permit tcp src_ip subnet_mask any eq ftp
access-list INSIDE line 4 extended permit tcp src_ip subnet_mask any eq sftp
- Allowing incoming connections to the web server on the DMZ
access-list OUTSIDE line 1 extended permit tcp any host web_srv_addr eq http
- Allowing incoming connections to the SMTP, FTP and SFTP servers, in both the "in" and "out" directions
access-list OUTSIDE line 2 extended permit tcp any host smtp_srv_ip eq smtp
access-list OUTSIDE line 3 extended permit tcp any host ftp_srv_ip eq ftp
access-list OUTSIDE line 4 extended permit tcp any host sftp_srv_ip eq sftp
access-list DMZ line 1 extended permit tcp host smtp_srv_ip any eq smtp
access-list DMZ line 2 extended permit tcp host ftp_srv_ip any eq ftp
access-list DMZ line 3 extended permit udp host tftp_srv_ip any eq tftp
access-list DMZ line 4 extended permit tcp host http_srv_ip any eq http
- Logging denied packets with an explicit deny-all entry at the end of the list
access-list OUTSIDE line 5 remark explicit deny all to change the log message to 106100
access-list OUTSIDE line 6 extended deny ip any any log 4 interval 300
- Allowing packets between interfaces with the same security level
same-security-traffic permit inter-interface
- Applying the access lists to the related interfaces
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
access-group DMZ in interface DMZ
Note 2: the last two commands of the logging section log the denied packets with syslog message 106100, which appears on the syslog server
Note 2.1: any access list entry above can be disabled by appending the word "inactive" to the end of it
Configuring time-range access lists (attaching a time range to an access list entry)
time-range temporary-FTP-access-workhours (for employees)
 periodic weekdays 09:00 to 18:00
time-range ftp-hosting
 absolute start 00:00 1 May 2015 end 00:00 1 May 2016
Note 3: every access list entry that is to be time-limited needs a named time range appended to it, so the time range must be created first and set to the related range
Applying time ranges to existing access list entries
access-list OUTSIDE line 3 extended permit tcp any host ftp_srv_ip eq ftp time-range temporary-FTP-access-workhours
access-list INSIDE line 5 extended permit tcp src_ip subnet_mask host ftp_srv eq ftp time-range temporary-FTP-access-workhours
Note 4: the time range that limits access to the FTP server outside working hours is applied to the entries permitting connections to the FTP server from the outside and from the internal clients, so that remote and local access is only granted during working hours
Verifying the access list configuration
show access-list OUTSIDE
show access-list INSIDE
show access-list DMZ
Configuring network object groups and service object groups for an enterprise access list implementation
name 10.0.10.0 Internal-clients
name 10.0.30.0 DMZ-servers
name 10.0.40.0 LA-Internal-clients
name 10.0.50.0 LA-DMZ-servers
object-group network US-Offices
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.30.0 255.255.255.0
 network-object 10.0.40.0 255.255.255.0
 network-object 10.0.50.0 255.255.255.0
object-group network internal-clients-offices
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.40.0 255.255.255.0
object-group network DMZ-offices
 network-object 10.0.30.0 255.255.255.0
 network-object 10.0.50.0 255.255.255.0
object-group service Allowed-services-ext-clients-DMZ tcp
 description external services allowed for inside clients and DMZ servers
 port-object eq ftp
 port-object eq stp
 port-object eq http
 port-object eq smtp
 port-object eq pop3
access-list INSIDE line 1 extended permit tcp object-group US-Offices any object-group Allowed-services-ext-clients-DMZ
access-list DMZ line 1 extended permit tcp object-group US-Offices any object-group Allowed-services-ext-clients-DMZ
access-list INSIDE line 2 extended permit tcp object-group internal-clients-offices object-group DMZ-offices eq ftp time-range temporary-FTP-access-workhours
access-list DMZ line 2 extended permit tcp object-group DMZ-offices object-group internal-clients-offices
access-list OUTSIDE line 1 extended permit tcp any object-group DMZ-offices object-group Allowed-services-ext-clients-DMZ
Note 6: the ACLs above provide full connectivity for the DMZ servers and the internal clients using object groups for networks and services
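The following added example (not the guide's code) is a first-match evaluator for the extended ACL syntax used in the two sections above: it resolves network and service object groups, honours a periodic time range and the inactive keyword, and ends with the implicit deny that every ASA access list has. The group contents, the time range and the sample access list are constructed values (ftp is deliberately left out of the service group so that the time-ranged FTP entry is the one deciding FTP).

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "pop3": 110}
NETWORK_GROUPS = {          # object-group network <name> / network-object ip mask (constructed)
    "US-Offices": ["10.0.10.0/24", "10.0.30.0/24", "10.0.40.0/24", "10.0.50.0/24"],
    "internal-clients-offices": ["10.0.10.0/24", "10.0.40.0/24"],
    "DMZ-offices": ["10.0.30.0/24", "10.0.50.0/24"],
}
SERVICE_GROUPS = {          # object-group service <name> tcp / port-object eq (constructed)
    "Allowed-services-ext-clients-DMZ": {"http", "smtp", "pop3"},
}
TIME_RANGES = {             # time-range <name> / periodic weekdays hh:mm to hh:mm (constructed)
    "temporary-FTP-access-workhours": ("09:00", "18:00"),
}


def _addr(tok, i):
    """Parse one address operand (any | host ip | ip mask | object-group g)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        host = ip_address(tok[i + 1])
        return (lambda ip: ip == host), i + 2
    if tok[i] == "object-group":
        nets = [ip_network(n) for n in NETWORK_GROUPS[tok[i + 1]]]
        return (lambda ip: any(ip in n for n in nets)), i + 2
    net = ip_network(f"{tok[i]}/{tok[i + 1]}")          # "ip mask" form
    return (lambda ip: ip in net), i + 2


def _port(tok, i):
    """Optional destination port operand (eq port | object-group service)."""
    if i < len(tok) and tok[i] == "eq":
        p = PORTS[tok[i + 1]] if tok[i + 1] in PORTS else int(tok[i + 1])
        return (lambda port: port == p), i + 2
    if i < len(tok) and tok[i] == "object-group":
        ports = {PORTS[n] for n in SERVICE_GROUPS[tok[i + 1]]}
        return (lambda port: port in ports), i + 2
    return (lambda port: True), i


def parse_ace(line):
    """access-list NAME [line N] extended permit|deny PROTO SRC DST [PORT] [log ...] [time-range T] [inactive]"""
    tok = line.split()
    i = 4 if tok[2] == "line" else 2
    if tok[i] != "extended":
        raise ValueError(f"only extended ACEs are handled: {line}")
    ace = {"acl": tok[1], "action": tok[i + 1], "proto": tok[i + 2]}
    ace["src"], i = _addr(tok, i + 3)
    ace["dst"], i = _addr(tok, i)
    ace["dport"], i = _port(tok, i)
    rest = tok[i:]
    ace["log"] = "log" in rest
    ace["time_range"] = rest[rest.index("time-range") + 1] if "time-range" in rest else None
    ace["inactive"] = "inactive" in rest
    return ace


def time_range_active(name, now):
    start, end = TIME_RANGES[name]
    return now.weekday() < 5 and start <= now.strftime("%H:%M") < end


def evaluate(aces, proto, src, dst, dport, now):
    """First matching active ACE wins. Returns (action, entry number); an entry
    number of None is the implicit deny that ends every ASA access list."""
    s, d = ip_address(src), ip_address(dst)
    for n, ace in enumerate(aces, 1):
        if ace["inactive"] or ace["proto"] not in (proto, "ip"):
            continue
        if ace["time_range"] and not time_range_active(ace["time_range"], now):
            continue
        if ace["src"](s) and ace["dst"](d) and ace["dport"](dport):
            return ace["action"], n
    return "deny", None


# Constructed access list written in the guide's syntax.
INSIDE_ACL = [parse_ace(l) for l in """
access-list INSIDE line 1 extended permit tcp object-group internal-clients-offices object-group DMZ-offices eq ftp time-range temporary-FTP-access-workhours
access-list INSIDE line 2 extended permit tcp object-group US-Offices any object-group Allowed-services-ext-clients-DMZ
access-list INSIDE line 3 extended deny ip any any log 4 interval 300
""".strip().splitlines()]
```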
Configure protection against IP packets with spoofed source addresses arriving at the ASA
ip verify reverse-path interface outside
Note 7: the command enables the unicast reverse path forwarding feature on the interface; it checks every incoming packet against the connection table and, if no connection exists, takes the source IP address and looks it up in the ASA's routing table to determine whether that source is reachable through the interface the packet arrived on
Note 7.1: do not enable this feature on the outside interface if a default route exists in your network architecture, to avoid the processing overhead
Blocking packets from a specific IP address using the "shunning" feature
shun malicious_ip_addr
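The reverse-path check of Note 7, as an added example (not the guide's code): a longest-prefix lookup of the packet's source in a constructed routing table, consulted only when no existing connection covers the source. The routes, interface names and addresses are sample values, and the connection table is stood in for by a plain set.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table as (prefix, egress interface), the way
# "show route" would summarize it.
ROUTES = [
    ("10.0.10.0/24", "inside"),
    ("10.0.30.0/24", "DMZ"),
    ("0.0.0.0/0", "outside"),
]


def route_lookup(routes, ip):
    """Longest-prefix match; returns the egress interface for ip, or None."""
    addr, best = ip_address(ip), None
    for prefix, ifc in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def urpf_verdict(routes, ingress_ifc, src_ip, established=frozenset()):
    """What 'ip verify reverse-path interface <ingress_ifc>' decides for a packet.
    established: constructed stand-in for the connection table (source IPs that
    already have a connection), which is checked before the routing table."""
    if src_ip in established:
        return "pass (existing connection)"
    back_ifc = route_lookup(routes, src_ip)
    if back_ifc == ingress_ifc:
        return "pass"
    return f"drop (reverse path is {back_ifc}, not {ingress_ifc})"
```

With a default route present, every unknown source arriving on outside passes the check, which is the situation Note 7.1 warns about.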
Packet inspection and traffic filtering
Defining a service policy, a policy map and a class map (the structure they form)
service-policy srv1
 policy-map pmap1
  class-map cmap1
   action
class-map cmap1
 match ...
service-policy policy-map-name interface outside
Note 1: to inspect traffic passing through the ASA, a service policy that references a policy map, which in turn references a class map, must be created
Note 1.1: the policy map is responsible for taking an action when traffic is matched by the class map. The actions a policy map can take range from setting connection timeouts, connection volumes, TCP parameters, HTTP parameters, FTP parameters, DNS parameters and ESMTP parameters, to handling management traffic, sending the matched traffic to inspection engines and intrusion prevention systems, providing priority handling and limiting bandwidth.
Note 1.2: the class map matches the traffic: all traffic, a defined set of traffic, traffic destined for a specific destination or port, traffic matching a specific access list, VPN traffic or traffic with specific QoS values.
Note 1.3: table 92 above lists all the match commands that can be specified in a class map to match layer 3-4 OSI traffic. Most of these match commands are used on the outside interface to inspect traffic coming into our network.
Table 2 - policy map action commands
Note 1.4: table 2 lists all the actions that can be taken when a criterion specified in the class map is matched.
Note 1.5: the last command above binds the policy map to a service policy and applies it to the outside interface
Table 3 - traffic direction of policy map actions
Note 1.6: table 3 lists the directions in which the policy map actions can be applied. For example, setting connection volumes and limits, adjusting TCP parameters and sending traffic to an inspection engine or IPS can be applied on an interface in both directions, for traffic destined to the internet and for inbound traffic.
Note 1.7: applying quality of service, limiting bandwidth and shaping traffic can only be done in the egress direction, meaning for outbound traffic only.
Essential and important: the service policy containing the policy map and class map can be applied to layer 3-4 OSI traffic or to layer 5-7 OSI traffic. The former is used to examine, analyze and inspect TCP and UDP traffic for connection parameters, connection volumes and connection timeouts, for protocol inspection, for traffic analysis by the IPS module and for QoS purposes; the latter (layer 5-7) is used to examine and inspect application layer traffic destined for the DMZ servers.
Configuring TCP connection parameters to prevent TCP SYN attacks
This is done with a policy map and class map that set connection timeouts for embryonic connections and limit the number of simultaneous connections by setting the connection volume.
Table 4 - tcp connection timeouts
Table 4 lists the parameters of the "set connection timeout" command used when defining an action to be taken by the policy map.
set connection timeout [embryonic {hh:mm:ss | 0}] [half-closed {hh:mm:ss | 0}] [tcp {hh:mm:ss | 0}] [dcd [retry_interval [max_retries]]]
Table 5 - tcp connection volume
Table 5 lists the parameters of the "set connection" command used to control the TCP connection volume.
set connection [conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n]
To prevent a TCP SYN attack the ASA must be given a maximum number of simultaneous embryonic connections (half open or half closed). Once that maximum is reached the ASA triggers the TCP Intercept feature: it acts as a proxy and completes the TCP handshake on behalf of the target host to determine whether the source address talking to the target is legitimate, and drops the connection if it is not.
Assuming that the internal clients are in the object group "Internal-clients" (see the previous sheet on object groups) and the DMZ servers are in the object group "DMZ-Servers", let's apply a connection limit on embryonic connections for these object groups.
access-list INSIDE line 1 extended permit tcp object-group Internal-clients any
access-list INSIDE line 2 extended permit udp object-group Internal-clients any
access-list DMZ line 1 extended permit tcp any object-group DMZ-Servers eq http
access-list DMZ line 2 extended permit tcp object-group DMZ-Servers any eq http
class-map cmap1
 match access-list INSIDE
class-map cmap2
 match access-list DMZ
policy-map SYN-Attack-protect
 class cmap1
  set connection embryonic-conn-max 65000
 class cmap2
  set connection embryonic-conn-max 65000
service-policy SYN-Attack-protect global
Configuring and enabling the protection from TCP sequence number brute force (initial sequence number randomization)
set connection random-sequence-number {enable | disable}
Configuring TCP connection options using the TCP normalizer
The TCP normalizer manipulates the content of TCP connections, such as the TCP checksum, TCP flags and TCP options. It changes or alters the packet content to make it compatible with particular protocol or connection requirements. In addition, it can be leveraged to protect DMZ hosts against packets crafted to evade stateful inspection, such as information-gathering or reconnaissance packets.
Table 6 - TCP normalizer actions
Table 7 tcp options table
tcp-map TCP-Protect
 invalid-ack drop
 synack-data drop
 ttl-evasion-protection
 seq-past-window drop
 exit
class-map cmap1
 match access-list Internal-clients
 exit
class-map cmap2
 match access-list DMZ-Servers
 exit
policy-map pmap3
 class cmap1
  set connection advanced-options TCP-Protect
  exit
 class cmap2
  set connection advanced-options TCP-Protect
  exit
service-policy pmap3 interface outside
Note 4: the commands above match traffic inbound to the internal clients and the DMZ servers and check certain TCP parameters, protecting the internal hosts from TCP SYN attacks, reconnaissance packets and SYN floods by limiting the number of embryonic connections, dropping invalid handshake packets and handshake packets that carry a payload, dropping packets with invalid sequence numbers, and dropping packets whose sequence number lies beyond the TCP receive window
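The tcp-map checks and the embryonic connection limit of the two sections above, as an added example (not code from the guide): a receiver-side view of one connection is used to decide synack-data, invalid-ack and seq-past-window, and a small counter shows when a new SYN would be handed to TCP Intercept. The connection state and segments are constructed, and 32-bit sequence number wraparound is ignored.

```python
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08   # TCP flag bits


@dataclass
class Segment:
    flags: int
    seq: int            # sequence number of the first payload byte
    ack: int            # acknowledgement number (meaningful if ACK is set)
    payload_len: int


@dataclass
class ConnState:
    """The ASA's view of one direction of a connection (constructed
    simplification: no 32-bit wraparound handling)."""
    rcv_nxt: int        # next sequence number expected from this sender
    rcv_wnd: int        # window advertised by the receiver
    snd_nxt: int        # highest sequence number the receiver has sent so far


def tcp_map_verdict(conn, seg):
    """Apply the checks of 'tcp-map TCP-Protect' in order; returns (action, reason)."""
    # synack-data drop: a SYN/ACK must not carry a payload
    if seg.flags & SYN and seg.flags & ACK and seg.payload_len > 0:
        return "drop", "synack-data"
    # invalid-ack drop: acknowledging bytes the peer has never sent
    if seg.flags & ACK and seg.ack > conn.snd_nxt:
        return "drop", "invalid-ack"
    # seq-past-window drop: data that starts beyond the right edge of the window
    if seg.payload_len > 0 and seg.seq >= conn.rcv_nxt + conn.rcv_wnd:
        return "drop", "seq-past-window"
    return "allow", None


class EmbryonicLimiter:
    """'set connection embryonic-conn-max N': count half-open connections and
    hand new SYNs to TCP Intercept once the limit is reached."""

    def __init__(self, embryonic_conn_max):
        self.limit = embryonic_conn_max
        self.half_open = set()

    def on_syn(self, src, dst):
        if len(self.half_open) >= self.limit:
            return "intercept"           # the ASA proxies the handshake itself
        self.half_open.add((src, dst))
        return "forward"

    def on_established(self, src, dst):
        """Third handshake packet seen: the connection is no longer embryonic."""
        self.half_open.discard((src, dst))
```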
Configuring ICMP inspection
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
  exit
Note 5: the ICMP inspection feature takes effect once an access list permitting incoming ping requests is in place. ICMP inspection allows only one response per ICMP request and checks ICMP packets for invalid sequence numbers.
Configuring inspection for layer 5-7 OSI traffic
- Inspecting HTTP
An HTTP inspection policy examines and analyzes traffic destined to the protected servers or clients. Its core purpose is to reduce the allowed HTTP content to the minimal set of requirements and to look deeply into the application data for known bad cues, mainly using regular expressions.
A class map matching specific conditions in the HTTP traffic must be defined along with a policy map that applies the appropriate action.
Table 7 - http match commands
Let's say we want to configure an HTTP policy map that allows only GET and POLL requests to pass to the protected server.
class-map type inspect http match-all MY_HTTP_CLASS
 match not request method get
 match not request method poll
policy-map type inspect http http_map_name
 parameters
  protocol-violation action drop-connection log
 class MY_HTTP_CLASS
  drop-connection log
 exit
To match against a regular expression we use the commands in the following table
Table 8 - regular expression match commands
For example, suppose we want to filter incoming HTTP traffic and drop any request that carries an embedded link in its arguments
regex Embedded-link https?://
policy-map type inspect http HTTP_MAP_1
 match request args regex Embedded-link
  drop-connection
 exit
On the CLI, press Ctrl-V before typing the "?" so that it is entered literally instead of invoking the command help.
In the case of multiple regular expressions we can use a class map with match-any to apply an OR operation to the match commands, or match-all to apply an AND operation
regex Embedded-link-1 https?://
regex Embedded-link-2 http?://
class-map type regex match-any embedded-link
 match regex Embedded-link-1
 match regex Embedded-link-2
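How an HTTP inspection class map combines its match lines, as an added example (not the guide's code): match-all of the two negated method lines above is what allows only GET and POLL, while the same lines under match-any would hit every request, and a regex class map ORs its patterns. The request objects and the second regex pattern are constructed sample values.

```python
import re

# regex <name> <pattern>; the second pattern is constructed, not the guide's.
REGEXES = {"Embedded-link-1": r"https?://", "Embedded-link-2": r"ftp://"}
# class-map type regex match-any embedded-link
REGEX_CLASSES = {"embedded-link": ["Embedded-link-1", "Embedded-link-2"]}


def criterion_hit(criterion, req):
    """One 'match [not] ...' line; criterion = (negated, field, value)."""
    negated, field, value = criterion
    args = req.get("args", "")
    if field == "request method":
        hit = req["method"].lower() == value
    elif field == "request args regex":
        hit = re.search(REGEXES[value], args) is not None
    elif field == "request args regex class":
        hit = any(re.search(REGEXES[n], args) for n in REGEX_CLASSES[value])
    else:
        raise ValueError(field)
    return hit != negated        # 'match not' inverts the result


def class_map_hit(class_map, req):
    """class-map type inspect http match-all|match-any: AND or OR of its lines."""
    mode, criteria = class_map
    results = [criterion_hit(c, req) for c in criteria]
    return all(results) if mode == "match-all" else any(results)


def inspect_http(req, policy):
    """policy-map type inspect http: (class_map, action) pairs; the first hit decides."""
    for class_map, action in policy:
        if class_map_hit(class_map, req):
            return action
    return "allow"


# class-map type inspect http match-all MY_HTTP_CLASS
#  match not request method get
#  match not request method poll
MY_HTTP_CLASS = ("match-all", [(True, "request method", "get"),
                               (True, "request method", "poll")])
# The same two lines under match-any would hit every request, GET included,
# because any request is either "not get" or "not poll".
MY_HTTP_CLASS_WRONG = ("match-any", MY_HTTP_CLASS[1])
# match request args regex class embedded-link
LINK_CLASS = ("match-any", [(False, "request args regex class", "embedded-link")])
POLICY = [(MY_HTTP_CLASS, "drop-connection log"), (LINK_CLASS, "drop-connection")]
```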
Now apply the HTTP inspection map using the following command
inspect http http-map-name
The activation command must be applied inside a policy map (as shown for ICMP under the inspection_default class of global_policy)
- Inspecting FTP
Inspecting FTP traffic includes masking the FTP banner, masking the reply messages, preventing uploads of "exe" files to the server unless the security policy allows them, and restricting the request commands to GET and PUT
Table 9 - ftp traffic matching commands
policy-map type inspect ftp FTP_MAP_1
 parameters
  mask-banner
  mask-syst-reply
 exit
regex FTP_BADNAMES .exe
policy-map type inspect ftp FTP_MAP_1
 match not request-command get put help
  reset
 match filename regex FTP_BADNAMES
  reset
inspect ftp FTP_MAP_1
The commands above create a policy map to inspect FTP. The banner and system reply information are masked to stop malicious users from using the FTP server information for vulnerability assessment. The commands also restrict requests to the server to GET and PUT (plus HELP) and prevent files with EXE names from being uploaded.
- Inspecting DNS traffic
DNS inspection includes applying the NAT rules to the addresses inside DNS packets, randomizing DNS ID values to protect against DNS spoofing attacks, verifying the DNS protocol, and guarding the DNS connection by closing the DNS UDP connection as soon as the reply packet is received
Table 10 - dns inspection match commands
policy-map type inspect dns DNS_MAP_1
 parameters
  protocol-enforcement
  dns-guard
  id-randomization
  nat-rewrite
 exit
The ASA has a default DNS inspection policy map called "preset_dns_map" which limits the size of DNS packets to 512 bytes
Quality of service, bandwidth control, transparent firewall mode and integrating the SSM-IPS
Configuring the MTU size for more control over fragmented traffic
Suppose we configure the MTU size on the outside interface to control the packets coming into our network, so as to reduce the share of fragmented packets and enable more inspection of the traffic by our ASA; we therefore increase the MTU to the maximum size
mtu outside 65535
Note that the smallest allowed MTU value is 64 bytes. To verify the MTU size on an interface, we use the command
show fragment outside
Configuring QoS and prioritizing packets
Every packet arriving at or passing through the ASA is first stored in the best-effort queue (BEQ), a buffer in which packets are held and then transmitted in turn. Suppose we have latency-critical packets such as audio or video streaming: we need to create a low-latency queue (LLQ), a buffer whose packets are transmitted ahead of the packets in the BEQ. We enable the LLQ on an interface and specify a policy map and class map to match the traffic.
priority-queue outside
class-map Qos
 match rtp 5060 65
policy-map RTP
 class Qos
  priority
 exit
service-policy RTP interface outside
Configuring traffic policing and traffic shaping
Controlling bandwidth limits is essential for QoS and for prioritizing some packets over others. Packets are controlled either by dropping those that exceed the bandwidth threshold (policing) or by delaying them so that the flow conforms to the bandwidth limit (shaping).
Traffic policing
Suppose we want to configure a policy map that matches all traffic and drops every packet exceeding 2 Mbps. To achieve this we need a policy map with a class map matching all traffic, hence the following commands
class-map Policing
 match any
 exit
policy-map mine
 class Policing
  police output 2000000 conform-action transmit exceed-action drop
  exit
 exit
service-policy mine interface outside
Traffic shaping
Traffic shaping is the act of placing packets in a buffer and then releasing them at a rate below the bandwidth threshold. This type of bandwidth control can only be applied to all traffic (class-default), not to individual classes.
policy-map outside-policy
 class class-default
  shape average 200000000
  exit
 exit
service-policy outside-policy interface outside
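The difference between the police and shape actions above, as an added example (not the guide's code): a token-bucket policer that transmits or drops each packet, beside a shaper that never drops but delays departures to the configured rate. The 1500-byte burst, the packet sizes and the arrival times are constructed values.

```python
class Policer:
    """police output <rate> conform-action transmit exceed-action drop, modelled
    as a token bucket: rate in bit/s, bucket depth in bytes (constructed burst)."""

    def __init__(self, rate_bps, burst_bytes=1500):
        self.rate_Bps = rate_bps / 8.0
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def packet(self, t, size):
        """t: arrival time in seconds (non-decreasing); size in bytes."""
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate_Bps)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return "transmit"
        return "drop"            # exceed-action drop: the packet is lost


class Shaper:
    """shape average <rate>: nothing is dropped; excess is queued and released
    at the configured rate. packet() returns the departure time in seconds."""

    def __init__(self, rate_bps):
        self.rate_bps = rate_bps
        self.next_free = 0.0     # time at which the link becomes free again

    def packet(self, t, size):
        start = max(t, self.next_free)
        self.next_free = start + size * 8.0 / self.rate_bps
        return self.next_free


def run(device, times, size=1500):
    """Feed packets of the given size at the given arrival times through a Policer or Shaper."""
    return [device.packet(t, size) for t in times]
```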
Using transparent firewall mode
Deploying transparent mode has some challenges and restrictions, so this mode should not be applied until you have specified your network requirements and recognized the limitations it imposes on the following
- IPsec protocol and VPN tunnels
- Dynamic routing protocols
- Broadcast and multicast packets
- DHCP relay
- QoS and bandwidth control
Before implementing transparent mode be sure to back up the current configuration in case you want to revert to routed mode.
Use the following command to switch to transparent mode
Firewall transparent
Configure one interface as outside and the other as inside. In transparent mode the interfaces carry no IP addresses of their own; a single management IP address is assigned to the firewall as a whole and is shared by both interfaces.
Interface eth0/0
Nameif outside
Security-level 0
No shutdown
Exit
Interface eth0/1
Nameif inside
Security-level 100
No shutdown
Exit
Ip address 192.168.1.100 255.255.255.0
Because this mode does not support dynamic routing, a static route or a default route must be configured:
Route [inside interface or outside] network-ip subnet-mask next-hop ip
The firewall itself does not run OSPF or EIGRP in this mode, but it can pass their packets between routers on either side if an access list permits them (OSPF shown; the same form with the eigrp keyword permits EIGRP):
Access-list permit-ospf extended permit ospf [source] [dest]
Access-group permit-ospf [ in | out ] interface [ outside | inside ]
Protection from ARP Spoofing attack and ARP flooding attack
Protection from ARP spoofing relies on static ARP entries that bind each IP address to its MAC address on a given interface. With ARP inspection enabled, the firewall compares every incoming ARP packet with the static table and forwards it only when the IP address, MAC address and interface all match; a mismatch is dropped. ARP packets that match no entry at all are flooded out all interfaces by default; append no-flood to the enable command to drop them instead.
Arp interface ip_address mac_address
Arp-inspection interface enable [ flood | no-flood ]
Show arp-inspection
To prevent a MAC address flooding denial of service, disable MAC address learning in transparent mode. The administrator must then build the MAC address table with static entries, just as with the ARP table above, and maintain it as hosts change.
Mac-learn interface disable
Mac-address-table static interface mac_address
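A model of how the static ARP table and arp-inspection decide between forward, flood and drop, added here as an illustration (not the guide's code, and not an ASA API); the interface names, IP addresses and MAC addresses are constructed.

```python
"""Model of transparent-mode ARP inspection against a static ARP table
(illustration only; not the guide's code and not an ASA API).
add_static mirrors `arp <if> <ip> <mac>`; enable mirrors
`arp-inspection <if> enable [flood | no-flood]`. Addresses are constructed
from the RFC 5737 documentation range."""
from typing import Dict, List, NamedTuple, Tuple


class ArpPacket(NamedTuple):
    interface: str        # interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str


def norm_mac(mac: str) -> str:
    """Accept 0011.2233.4455 or 00:11:22:33:44:55 and return Cisco dotted form."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


class ArpInspector:
    def __init__(self) -> None:
        self.static: Dict[str, Tuple[str, str]] = {}   # ip -> (interface, mac)
        self.inspected: Dict[str, bool] = {}           # interface -> flood unknowns?
        self.log: List[str] = []                       # what an operator would see

    def add_static(self, interface: str, ip: str, mac: str) -> None:
        """`arp <interface> <ip> <mac>`: pin the binding for this host."""
        self.static[ip] = (interface, norm_mac(mac))

    def enable(self, interface: str, flood: bool = True) -> None:
        """`arp-inspection <interface> enable [flood | no-flood]`; flood is the default."""
        self.inspected[interface] = flood

    def inspect(self, pkt: ArpPacket) -> str:
        """Return forward, flood or drop for one ARP packet, logging anomalies."""
        if pkt.interface not in self.inspected:
            return "forward"                 # inspection off on this interface: no check
        mac = norm_mac(pkt.sender_mac)
        entry = self.static.get(pkt.sender_ip)
        if entry is None:
            if self.inspected[pkt.interface]:
                return "flood"               # unknown binding, flooded out all interfaces
            self.log.append(f"{pkt.interface}: no static entry for {pkt.sender_ip}, dropped")
            return "drop"
        exp_if, exp_mac = entry
        if exp_if == pkt.interface and exp_mac == mac:
            return "forward"
        self.log.append(f"{pkt.interface}: {pkt.sender_ip} claimed by {mac}, static entry "
                        f"is {exp_mac} on {exp_if}; possible ARP spoofing, dropped")
        return "drop"


def run_sample() -> Tuple[List[str], List[str]]:
    """Constructed scenario: a gateway on outside and a server on inside are
    pinned; outside floods unknowns (default), inside uses no-flood."""
    fw = ArpInspector()
    fw.add_static("outside", "192.0.2.1", "0011.2233.4455")     # gateway
    fw.add_static("inside", "192.0.2.10", "00:11:22:33:44:66")   # server
    fw.enable("outside")                 # flood
    fw.enable("inside", flood=False)     # no-flood
    packets = [
        ArpPacket("outside", "192.0.2.1", "0011.2233.4455"),    # matches: forward
        ArpPacket("outside", "192.0.2.1", "0011.2233.aaaa"),    # wrong MAC for gateway: drop
        ArpPacket("outside", "192.0.2.50", "0011.2233.bbbb"),   # unknown, flood mode: flood
        ArpPacket("inside", "192.0.2.10", "0011.2233.4466"),    # matches: forward
        ArpPacket("inside", "192.0.2.77", "0011.2233.cccc"),    # unknown, no-flood: drop
        ArpPacket("dmz", "192.0.2.99", "0011.2233.dddd"),       # inspection not enabled
        ArpPacket("inside", "192.0.2.1", "0011.2233.4455"),     # gateway seen on inside: drop
    ]
    return [fw.inspect(p) for p in packets], fw.log


if __name__ == "__main__":
    verdicts, log = run_sample()
    print(verdicts)
    print("\n".join(log))
```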
Integrating the Security Services Module, Intrusion Prevention System and Content Security Control
After inserting the module in its slot, create a VLAN for module management and load the IPS software onto the module with the following commands:
Interface vlan 10
Allow-ssc-mgmt
Ip address ip_address subnet_mask
Nameif inside
Interface eth0/10
Switchport access vlan 10
No shutdown
Hw-module module 1 recover configure
Hw-module module 1 recover boot
Hw-module module 1 password-reset : resets the module password to “cisco”
Hw-module module 1 reload
Hw-module module 1 reset
Hw-module module 1 shutdown : used to shut down the module
To initialize the module, open a session to it and run the setup dialog. The IPS can work in inline mode (the module sits in the traffic path and drops packets it judges to be malicious or policy violations) or in promiscuous mode (a copy of each packet is sent to the module for analysis while the original passes to its destination).
Session 1
Setup
Policy-map IPS
Class class-default
Ips inline fail-open
Service-policy IPS interface outside
Note: fail-open keeps traffic flowing through the ASA if the module fails or is unavailable; fail-close blocks it instead.
Conclusion
Virtual firewalls and many other aspects of Cisco ASA configuration were not covered here because they are easier to manage through ASDM; this guide documented the most common command line tasks on the Cisco ASA firewall.
References
Cisco CCNP Security Firewall Certification Guide
CCNP Certification Guide
33
34
View publication statsView publication stats

More Related Content

What's hot

Chapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingChapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingteknetir
 
Network Automation: Ansible 101
Network Automation: Ansible 101Network Automation: Ansible 101
Network Automation: Ansible 101APNIC
 
ISAM ALU 7360 5520_ihub_turn_up_procedure
ISAM ALU  7360 5520_ihub_turn_up_procedureISAM ALU  7360 5520_ihub_turn_up_procedure
ISAM ALU 7360 5520_ihub_turn_up_procedureWahyu Nasution
 
User Administration in Linux
User Administration in LinuxUser Administration in Linux
User Administration in LinuxSAMUEL OJO
 
Group policy Best Practices
Group policy Best PracticesGroup policy Best Practices
Group policy Best PracticesRob Dunn
 
Basics about IP address, DNS and DHCP.
Basics about IP address, DNS and DHCP.Basics about IP address, DNS and DHCP.
Basics about IP address, DNS and DHCP.abhishek bhandare
 
Active directory
Active directory Active directory
Active directory deshvikas
 
Arp protokolu ve guvenlik zafiyeti
Arp  protokolu ve guvenlik zafiyetiArp  protokolu ve guvenlik zafiyeti
Arp protokolu ve guvenlik zafiyetiBGA Cyber Security
 
Cloudstack vs Openstack
Cloudstack vs OpenstackCloudstack vs Openstack
Cloudstack vs OpenstackHuzefa Husain
 
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018Netgate
 
DOS, DDOS Atakları ve Korunma Yöntemleri
DOS, DDOS Atakları ve Korunma YöntemleriDOS, DDOS Atakları ve Korunma Yöntemleri
DOS, DDOS Atakları ve Korunma YöntemleriBGA Cyber Security
 
IPTABLES y SQUID‏
IPTABLES y SQUID‏IPTABLES y SQUID‏
IPTABLES y SQUID‏ingpuma
 
CloudStack vs OpenStack
CloudStack vs OpenStackCloudStack vs OpenStack
CloudStack vs OpenStackVictor Zhang
 
Install active directory on windows server 2016 step by step
Install active directory on windows server 2016  step by stepInstall active directory on windows server 2016  step by step
Install active directory on windows server 2016 step by stepAhmed Abdelwahed
 
6 pan-os software update & downgrade instruction
6 pan-os software update & downgrade instruction6 pan-os software update & downgrade instruction
6 pan-os software update & downgrade instructionMostafa El Lathy
 
DNS server configuration
DNS server configurationDNS server configuration
DNS server configurationSanguine_Eva
 

What's hot (20)

Chapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routingChapter 16 : inter-vlan routing
Chapter 16 : inter-vlan routing
 
Network Automation: Ansible 101
Network Automation: Ansible 101Network Automation: Ansible 101
Network Automation: Ansible 101
 
ISAM ALU 7360 5520_ihub_turn_up_procedure
ISAM ALU  7360 5520_ihub_turn_up_procedureISAM ALU  7360 5520_ihub_turn_up_procedure
ISAM ALU 7360 5520_ihub_turn_up_procedure
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
User Administration in Linux
User Administration in LinuxUser Administration in Linux
User Administration in Linux
 
Active Directory
Active Directory Active Directory
Active Directory
 
Group policy Best Practices
Group policy Best PracticesGroup policy Best Practices
Group policy Best Practices
 
Basics about IP address, DNS and DHCP.
Basics about IP address, DNS and DHCP.Basics about IP address, DNS and DHCP.
Basics about IP address, DNS and DHCP.
 
Active directory
Active directory Active directory
Active directory
 
Arp protokolu ve guvenlik zafiyeti
Arp  protokolu ve guvenlik zafiyetiArp  protokolu ve guvenlik zafiyeti
Arp protokolu ve guvenlik zafiyeti
 
CloudInit Introduction
CloudInit IntroductionCloudInit Introduction
CloudInit Introduction
 
Cloudstack vs Openstack
Cloudstack vs OpenstackCloudstack vs Openstack
Cloudstack vs Openstack
 
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
 
DOS, DDOS Atakları ve Korunma Yöntemleri
DOS, DDOS Atakları ve Korunma YöntemleriDOS, DDOS Atakları ve Korunma Yöntemleri
DOS, DDOS Atakları ve Korunma Yöntemleri
 
Ams operations
Ams operationsAms operations
Ams operations
 
IPTABLES y SQUID‏
IPTABLES y SQUID‏IPTABLES y SQUID‏
IPTABLES y SQUID‏
 
CloudStack vs OpenStack
CloudStack vs OpenStackCloudStack vs OpenStack
CloudStack vs OpenStack
 
Install active directory on windows server 2016 step by step
Install active directory on windows server 2016  step by stepInstall active directory on windows server 2016  step by step
Install active directory on windows server 2016 step by step
 
6 pan-os software update & downgrade instruction
6 pan-os software update & downgrade instruction6 pan-os software update & downgrade instruction
6 pan-os software update & downgrade instruction
 
DNS server configuration
DNS server configurationDNS server configuration
DNS server configuration
 

Similar to Cisco asa firewall command line technical guide

Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)NetProtocol Xpert
 
Server hardening
Server hardeningServer hardening
Server hardeningTeja Babu
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkRiyaj Shamsudeen
 
Arp Dan Ipconfig Syntax
Arp Dan Ipconfig  SyntaxArp Dan Ipconfig  Syntax
Arp Dan Ipconfig Syntaxguestcc37e8c
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxINFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxcarliotwaycave
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step  anung muhandanu Tutorial mikrotik step by step  anung muhandanu
Tutorial mikrotik step by step anung muhandanu theviper0308
 
Air Live Rs 1200
Air Live Rs 1200Air Live Rs 1200
Air Live Rs 1200guest52b3f5
 
Integrated server
Integrated serverIntegrated server
Integrated serverfebru
 
DirectShare Quick Start Setup Guide
DirectShare Quick Start Setup GuideDirectShare Quick Start Setup Guide
DirectShare Quick Start Setup GuideChristian Petrou
 
PPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusPPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusDashamir Hoxha
 
Multiple instances second method
Multiple instances second methodMultiple instances second method
Multiple instances second methodVasudeva Rao
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rulesFreddy Buenaño
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 

Similar to Cisco asa firewall command line technical guide (20)

Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)Basic Cisco ASA 5506-x Configuration (Firepower)
Basic Cisco ASA 5506-x Configuration (Firepower)
 
Server hardening
Server hardeningServer hardening
Server hardening
 
Advanced RAC troubleshooting: Network
Advanced RAC troubleshooting: NetworkAdvanced RAC troubleshooting: Network
Advanced RAC troubleshooting: Network
 
Rhel4
Rhel4Rhel4
Rhel4
 
Arp Dan Ipconfig Syntax
Arp Dan Ipconfig  SyntaxArp Dan Ipconfig  Syntax
Arp Dan Ipconfig Syntax
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docxINFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step  anung muhandanu Tutorial mikrotik step by step  anung muhandanu
Tutorial mikrotik step by step anung muhandanu
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
 
Air Live Rs 1200
Air Live Rs 1200Air Live Rs 1200
Air Live Rs 1200
 
Integrated server
Integrated serverIntegrated server
Integrated server
 
DirectShare Quick Start Setup Guide
DirectShare Quick Start Setup GuideDirectShare Quick Start Setup Guide
DirectShare Quick Start Setup Guide
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Lan to lan vpn
Lan to lan vpnLan to lan vpn
Lan to lan vpn
 
PPPoE With Mikrotik and Radius
PPPoE With Mikrotik and RadiusPPPoE With Mikrotik and Radius
PPPoE With Mikrotik and Radius
 
Multiple instances second method
Multiple instances second methodMultiple instances second method
Multiple instances second method
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rules
 
Firebird
FirebirdFirebird
Firebird
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Samba
SambaSamba
Samba
 

Recently uploaded

2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 

Recently uploaded (20)

2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 

Cisco asa firewall command line technical guide

  • 2. 1 Cisco ASA firewall command line technical Guide Streamlined and simple to use Author: Eng. Motasem Hamdan Category: Network Security Academy: Cisco Networking Academy
  • 3. 2 Abstract This guide is intended to streamline the most used commands by network security engineers when managing Cisco ASA firewall. It covers the very basic common commands to manage, administer, secure, and providing connectivity operations to devices connected to Cisco ASA firewall. This guide is neither comprehensive nor reference document for commands in Cisco ASA and the main reference for command line syntaxes is refered at the end of this document. This paper is handy for network security engineers to manage command line for most common aspects in cisco ASA while other operations such as Virtual firewalls and VPN remote access could be done seamlessly using ASDM. This guide assumes you have the required knowledge of CCNA, CCNA Security, CCNP and could be handy if you’re already enrolled in CCNP Security pathway.
  • 4. 3 Basic IP Connectivity and routing protocols Configuring trunk link and sub-interfaces between ASA and Switch On the outside physical interface of switch1: Interface f0/10 Switchport mode trunk No shutdown On the inside interface of ASA firewall: Interface f0/3 Switchport mode trunk Switchport trunk allowed vlan 20,10 No shutdown Interface f0/3.1 Vlan 20 [ or use encapsulation command] No shutdown Interface f0/3.2 Vlan 10 [ or use encapsulation command] No shutdown Note: the command used to create trunk link between two networking devices should be used once between router and switch and must be used twice between firewall and switch on each opposite interface Configure an ASA interface Interface eth0/0 Nameif outside [ or inside] Ip address ip-address [subnet-mask] Speed [ auto | 10 | 100 | 1000] Duplex [ auto | full | half] Ip address dhcp [setroute]
  • 5. 4 Security-level [level:0-100] When configuring interfaces with same security level, a command must be explicitly configured to allow traffic between them Same-security-traffic permit inter-interface Configuring and changing MTU size for each interface to carry larger packets Mtu if_name bytes Enabling Jumbo frame processing. This applicable only on ASA 5580 Jumbo-frame reservation Verifying the status of an interface Show interface if_name Verifying the status of all interfaces Show interface ip brief The ASA does not forward DHCP requests by default so it needs to be configured to use dhcp relay agent Dhcprelay server ip-address interface Dhcprelay enable interface Note that in the first command, the refered interface is the one connected to the DHCP Server or gateway while the second interface in the second command is the one facing the clients Enabling DHCP Server on ASA to assign IP addresses to clients Dhcp enable interface Dhcp address ip1-ip2 interface [address pool] Delivering DNS addresses to clients Dhcp dns ip1 ip2 Delivering the domain name to the clients Dhcp domain your-domain Configuring default and static routes Route [ inside – outside ] [ dest ] [ dest-subnet mask ] [next hop gateway ] Route [ inside – outside ] 0.0.0.0 0.0.0.0 [next hop gateway ] Configuring RIPV2 to Exchange routing information with other RIPv2 routers.
  • 6. 5 Access-list [Access-list name ] standard [ permi tor deny ] [ network ip ] [ subnet mask ] Router rip Version 2 No auto-summary Default-information orginiate [ to advertise static routes ] Network [ the IP of the intended network to be advertised ] Distribute-list [Access-list name used above ] [ in or out ]] interface [ inside or outside] Exit İnterface eth0/2 Rip authentication mode md5 Rip authentication key [ your key ] key_id [id] Configuring EIGRP routing on ASA Router eigrp [AS number] Network ip-addr [mask] İnterface [interface] Summary-address eigrp [AS number] [ip-addr] [ mask] [AD] Redistribute routes that are learned through RIPv2, Static routes or Directly connected routes Redistribute [ rip | static | connected ] [metric : bandwidth | delay | reliability | load | mtu ] [ route-map map_name] Define default metric for redistribution withh different routes Default-metric bandwidth delay reliability loading mtu Securing EIGRP routes İnterface interface Authentication mode eigrp AS number md5 Authentication key eigrp AS number key-string key_id key_id Filtering routing updates Access-list [Access-list name ] standard [ permi tor deny ] [ network ip ] [ subnet mask ] Distribute-list [Access-list name used above ] [ in or out ]] interface [ inside or outside]
  • 7. 6 Configure OSPF on ASA Router ospf pid Router-id ip_addr Network ip_addr netmask area area_id Area area_id authentication md5 İnterface interface Ospf message-digest-key key_id md5 key Ospf authentication –message-digest Prefix-list list_name [permit | deny ] network_ip ge min_bit le max_bit Area area_id filter-list prefix list_name [in | out ] Configuring host name and domain name to create FQDN for the ASA: Hostname hostname Domain-name domain_name Note 1: configuring the above parameters is optional but it’s compulsory to create and generate CA for SSH, HTTPS and VPN connections Configuring DNS client on ASA Dns domain-lookup inside Dns server-group DefaultDNS Name-server primary_dns_srv_ip Name-server secondary_dns_srv_ip Debug dns all Note 2: the DNS client must be enabled on an interface which can reach the DNS server on your network otherwise if you do not have separate dns server then enable it on all interfaces and assign global dns server like google Note 2.1: the last command in dns client configuration is used to troubleshoot dns issues Management and secure access Configuring Secure SSH access or management purposes Crypto key generate rsa general-keys label 1st-key-pair modulus [size:512,768,1024,2048] Ssh version 2
  • 8. 7 Ssh ip_addr subnet_mask Ssh disconnect Note 3: the ip address in the second command is the network address for allowed hosts to perform ssh sessions or could be single ip used to manage ASA through SSH Note 3.1: the last command used to terminate a designated SSH session Creating local users for managements access Username admin password password encrypted privilege 15 Note 4: privileges configured with each user are in range between 0-15 with 0 dictating the lowest privilege and 15 for the highest privilege Configure maximum login attempts into CLI or ASDM Aaa local authentication attempts max-fail 3 Recovering lost or forgotten passwords to get access back to asa  Reboot the ASA  Press “ESC” button when it prompts you to use “Break”  It’s supposed that you are in ROMMON mode now  Type: “confreg 0x41”  Type: “boot”  This will get the ASA to bypass the startup config file and gets you in use mode  Type: “enable” to enable the privileged mode  Press enter  Then you’re free to configure new password  Reset the configuration register back by typing: “config-register 0x1 Note 5: The commands above could not be configured unless the connection is made through serial console Note 5.1: you could disable password recovery by typing: “no service password-recovery” Configure and Enable logging on ASA Logging enable Logging ftp-bufferwrap Logging ftp-server ftp_srv_ip dest_directory ftp_username ftp_pass Logging timestamp
  • 9. 8 Note 6: The second and third command used to send syslog messages and debugging messages from internal buffer memory into an ftp server Troubleshooting event log and logging issues Show logging queue Logging queue 7000 Show logging Note 7: The allowed values for increasing the size of queue value are between [0-8192] Configuring and enabling http server on ASA http server enable http ip-addr subnet-mask outside OR inside Configuring storage disks and image booting Dir disk0: Boot config disk0:/img_name Configure factory-default Clear configure all Clear configure [keyword] Note 7: in the first command “disk0” might be “disk1” or “Flash” Note 7.1: The second command instructs the ASA to boot from the specified image in the command Note 7.3: the third command will return the ASA back to its factory settings Note 7.4: The “keyword” in the last command could be anything the administrator wants to remove the configuration that belong to. Configure redundant interfaces as a failover connectivity Interface redundant 1 Member-interface eth0/0 Member-interface eth0/1 No shutdown
  • 10. 9 NAT and PAT procedures Configuring Dynamic NAT Nat inside 1 network_ip subnet_mask Global outside 1 pool_translated_ip netmask netmask Timeout xlate 1:00:00 A must – read note: Dynamic Nat is a type of nat where a pool of public ip addresses are assigned to local host every time they initiate an outbound connection to the outside world but for hosts in DMZ the connection back from the client will not happen because of the dynamic ip address assignment. Note 1: The first commands specify the inside interface and every local host connected to it which will be subjected to Dynamic NAT Note 1.1: The second command specifies the outside interface in which the translation will take place along with the pool of the selected ip addresses and their netmask Note 1.2: the third command specifies the lease time for each local host before a new assignment of public ip addresses occur Configuring Dynamic PAT Nat DMZ 2 dmz_network_ip subnet_mask tcp 0 0 udp 0 Nat inside 2 inside_network_ip subnet_mask tcp 0 0 udp 0 Global outside 2 interface Global DMZ 2 global_ip_addr netmask 255.255.255.255 A must-read note: Dynamic PAT is a type of address translation where group of local hosts either on the DMZ or the client hosts are translated to single ip address or limited pool of ip addresses along with port used in each session initiated to the outside world Note 2: the first command specifies the DMZ interface to be subject to PAT along with the ip addresses that exist in this space Note 2.1: the second command specifies the inside interface with its local hosts ip addresses to be subject to PAT along with the ports
Note 2.2: The third command specifies the outside interface on which PAT occurs.
Note 2.3: The fourth command specifies the global IP address that the DMZ hosts use to initiate connections to the Internet and receive the replies.
Note 2.4: In the fourth command, a pool of IP addresses can be specified instead, in which case the subnet mask must be changed accordingly.

Verifying Dynamic PAT and NAT

show xlate

Note 3: The command shows the table that holds the translation entries.

Configure Host-Static NAT

static (DMZ,outside) public_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0

A must-read note: Host-static NAT is a type of translation where a single local host IP address is translated into a single public IP address.

Note 4: The command above translates a local host on the DMZ into a public IP address.

Configure Network-Static NAT

static (DMZ,outside) public_ip network_ip_local_hosts netmask netmask tcp 0 0 udp 0

A must-read note: In network-static NAT, a group of local hosts, either on the DMZ or client hosts, is translated into one single public IP address. This type is ideal for client hosts that do not need to receive connections back from the Internet.

Note 5: The command above uses the network IP of the local hosts instead of the single host IP used in Note 4.

Configure Static PAT

static (DMZ,outside) tcp public_ip translated_port server_private_ip original_port netmask 255.255.255.255 tcp 0 0 udp 0

A must-read note: Static PAT is a type of address translation where a single local IP address or a group of them, most commonly in the DMZ, is translated into one single public IP address together with their port numbers. This is the ideal type for servers that receive connections back from clients.

Note 6: The command above specifies a public IP, the translated port (the port that outside clients use to connect back to the server) and the original port.
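The four translation behaviours above (dynamic NAT from a pool, dynamic PAT on one address, host-static NAT and static PAT) modelled as a small translation table, added here as an illustration; it is not Cisco code and not part of the original guide. The addresses, the two-address pool, the PAT port counter and the static mappings are constructed stand-ins for the placeholders in the commands, and the model ignores xlate timeouts and the connection table.

```python
"""Toy model of the ASA translation (xlate) table for the NAT types above.
Added example, not Cisco code; all addresses are constructed (RFC 5737)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PUBLIC_POOL = ["203.0.113.10", "203.0.113.11"]        # global (outside) 1 pool, constructed
PAT_ADDRESS = "203.0.113.1"                            # global (outside) 2 interface, constructed
STATIC_NAT = {"10.0.30.5": "203.0.113.50"}             # static (DMZ,outside) 203.0.113.50 10.0.30.5
STATIC_PAT = {("203.0.113.60", 80): ("10.0.30.6", 8080)}  # static (DMZ,outside) tcp ... 80 ... 8080


@dataclass
class Xlate:
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None      # set only for PAT entries
    mapped_port: Optional[int] = None


@dataclass
class XlateTable:
    entries: List[Xlate] = field(default_factory=list)
    free_pool: List[str] = field(default_factory=lambda: list(PUBLIC_POOL))
    next_pat_port: int = 1024

    def outbound(self, real_ip: str, real_port: int, policy: str) -> Optional[Xlate]:
        """A local host initiates an outbound connection; return its xlate, or None if it fails."""
        for x in self.entries:                   # an existing address xlate is reused
            if x.real_ip == real_ip and x.real_port is None:
                return x
        if real_ip in STATIC_NAT:                # static NAT: fixed 1:1 mapping, always present
            return self._add(Xlate(real_ip, STATIC_NAT[real_ip]))
        if policy == "nat":                      # dynamic NAT: one pool address per host
            if not self.free_pool:
                return None                      # pool exhausted, the connection fails
            return self._add(Xlate(real_ip, self.free_pool.pop(0)))
        if policy == "pat":                      # dynamic PAT: shared address, unique port
            port = self.next_pat_port
            self.next_pat_port += 1
            return self._add(Xlate(real_ip, PAT_ADDRESS, real_port, port))
        raise ValueError(f"unknown policy {policy}")

    def _add(self, x: Xlate) -> Xlate:
        self.entries.append(x)
        return x

    def inbound(self, mapped_ip: str, mapped_port: int) -> Optional[Tuple[str, int]]:
        """Packet from the outside to a mapped address: (real_ip, real_port) if an xlate
        exists, else None.  Static entries exist before any traffic, which is why only
        static NAT/PAT hosts can accept unsolicited connections."""
        if (mapped_ip, mapped_port) in STATIC_PAT:
            return STATIC_PAT[(mapped_ip, mapped_port)]
        for real, mapped in STATIC_NAT.items():
            if mapped == mapped_ip:
                return (real, mapped_port)
        for x in self.entries:                   # dynamic entries: only while the xlate lives
            if x.mapped_ip == mapped_ip and x.mapped_port in (None, mapped_port):
                return (x.real_ip, x.real_port if x.real_port is not None else mapped_port)
        return None


def scenario() -> Dict[str, object]:
    """Walk constructed inside/DMZ hosts through the behaviours and collect the results."""
    t = XlateTable()
    first = t.outbound("10.0.10.5", 40000, "nat")
    second = t.outbound("10.0.10.6", 40001, "nat")
    third = t.outbound("10.0.10.7", 40002, "nat")        # pool of two is exhausted
    pat = t.outbound("10.0.10.7", 40002, "pat")          # PAT still works
    return {
        "dyn_nat": [first.mapped_ip, second.mapped_ip, third],
        "reuse": t.outbound("10.0.10.5", 40003, "nat") is first,
        "pat": (pat.mapped_ip, pat.mapped_port),
        "inbound_static": t.inbound("203.0.113.50", 22),
        "inbound_static_pat": t.inbound("203.0.113.60", 80),
        "inbound_pat_right_port": t.inbound("203.0.113.1", 1024),
        "inbound_pat_wrong_port": t.inbound("203.0.113.1", 1025),
        "inbound_unknown": t.inbound("203.0.113.99", 80),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:24} {v}")
```

Running it shows that the third host fails dynamic NAT once the two-address pool is used up but still gets a PAT entry, that only the static mappings answer an unsolicited inbound packet, and that a dynamic PAT entry answers only on the exact port it was created with.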
Configure No-Translation or NAT exempt

nat (inside) 0 network_ip subnet_mask tcp 0 0 udp 0

A must-read note: NAT exempt states that no translation takes place for local hosts; this type is used for connections in the internal space only.

Note 7: The command above specifies that a network of local host IP addresses will not be subject to any kind of translation.

Configure Identity Static NAT

static (inside,DMZ) local_host_ip same_local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0

A must-read note: This type of NAT is the most preferred for connections between the DMZ and client hosts and vice versa. It uses the same IP as the translated IP address.

Note 8: The command above can be specified for the inside or the DMZ interface on the ASA, with the host IP address remaining the same after translation.

Access control lists

Examine real-time connections by looking in the connection table

show conn
show conn detail
clear conn address ip_addr

Note 1: The connection table displays information and details about the connections initiated by hosts in the internal network with the outside world.
Note 1.2: Every session established from internal hosts to public hosts is recorded in the connection table, so the incoming traffic of the same session does not need to be permitted by an ACL in order to reach the internal hosts.
Note 1.3: The third command clears all the connections initiated by the specified IP address.

Configuring real-scenario access lists for a small network

- Allowing internal clients or hosts to communicate with and browse the Internet

access-list INSIDE line 1 extended permit tcp src_ip subnet_mask any eq http
access-list INSIDE line 2 extended permit tcp src_ip subnet_mask any eq smtp
access-list INSIDE line 3 extended permit tcp src_ip subnet_mask any eq ftp
access-list INSIDE line 4 extended permit tcp src_ip subnet_mask any eq sftp

- Allowing incoming connections to the web server on the DMZ

access-list OUTSIDE line 1 extended permit tcp any host web_srv_addr eq http

- Allowing incoming connections to the SMTP, FTP and SFTP servers in the "in" and "out" directions

access-list OUTSIDE line 2 extended permit tcp any host smtp_srv_ip eq smtp
access-list OUTSIDE line 3 extended permit tcp any host ftp_srv_ip eq ftp
access-list OUTSIDE line 4 extended permit tcp any host sftp_srv_ip eq sftp
access-list DMZ line 1 extended permit tcp host smtp_srv_ip any eq smtp
access-list DMZ line 2 extended permit tcp host ftp_srv_ip any eq ftp
access-list DMZ line 3 extended permit tcp host sftp_srv_ip any eq sftp
access-list DMZ line 4 extended permit tcp host http_srv_ip any eq http

- Logging denied packets with an explicit deny entry (placed after the permit entries so that it does not shadow them)

access-list OUTSIDE line 5 remark explicit deny all to change log message to 106100
access-list OUTSIDE line 6 extended deny ip any any log 4 interval 300

- Allowing packets between interfaces of the same security level

same-security-traffic permit inter-interface

- Applying access lists to the related interfaces

access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
access-group DMZ in interface DMZ

Note 2: The two commands of the logging section log the denied packets with log message 106100 so that they appear on the syslog server.
Note 2.1: Any access list entry above can be disabled by appending the word "inactive" to the end of it.

Configuring time-range access lists, or attaching a time range to access lists
time-range temporary-FTP-access-workhours
 periodic weekdays 09:00 to 18:00
time-range ftp-hosting
 absolute start 00:00 01 May 2015 end 00:00 01 May 2016

Note 3: Every access list entry that is to be time-limited needs a time range appended to it, so a time range must first be named and set to the related period.

Applying time ranges to existing access lists

access-list OUTSIDE line 3 extended permit tcp any host ftp_srv_ip eq ftp time-range temporary-FTP-access-workhours
access-list INSIDE line 5 extended permit tcp src_ip subnet_mask host ftp_srv eq ftp time-range temporary-FTP-access-workhours

Note 4: The time range that limits access to the FTP server outside working hours was applied to the access list entries that permit connections from the outside and from the internal clients to the FTP server, so that access, remote or local, is only granted during working hours.

Verifying access list configuration

show access-list OUTSIDE
show access-list INSIDE
show access-list DMZ

Configuring network object groups and service object groups for an enterprise access list implementation

name 10.0.10.0 Internal-clients
name 10.0.30.0 DMZ-servers
name 10.0.40.0 LA-Internal-clients
name 10.0.50.0 LA-DMZ-servers
object-group network US-Offices
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.30.0 255.255.255.0
 network-object 10.0.40.0 255.255.255.0
 network-object 10.0.50.0 255.255.255.0
object-group network internal-clients-offices
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.40.0 255.255.255.0
object-group network DMZ-offices
 network-object 10.0.30.0 255.255.255.0
 network-object 10.0.50.0 255.255.255.0
object-group service Allowed-services-ext-clients-DMZ tcp
 description external services allowed for inside clients and DMZ servers
 port-object eq ftp
 port-object eq stp
 port-object eq http
 port-object eq smtp
 port-object eq pop3
access-list INSIDE line 1 extended permit tcp object-group US-Offices any object-group Allowed-services-ext-clients-DMZ
access-list DMZ line 1 extended permit tcp object-group US-Offices any object-group Allowed-services-ext-clients-DMZ
access-list INSIDE line 2 extended permit tcp object-group internal-clients-offices object-group DMZ-offices eq ftp time-range temporary-FTP-access-workhours
access-list DMZ line 2 extended permit tcp object-group DMZ-offices object-group internal-clients-offices
access-list OUTSIDE line 1 extended permit tcp any object-group DMZ-offices object-group Allowed-services-ext-clients-DMZ

Note 6: The ACLs above provide full connectivity to the DMZ servers and the internal clients using object groups for networks and services.
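An evaluator for the extended ACL entries used in the small-network section and the object-group section above, added here as an illustration; it is not Cisco code and not part of the original guide. The server addresses, client networks and object groups are constructed stand-ins for the placeholders above, and only the address forms that appear in the guide (any, host, object-group, address plus mask) and the "eq" port form are parsed.

```python
"""Model of ASA extended ACL evaluation: first match wins, an implicit deny sits at
the end, `line N` inserts the entry before the current entry N, object-group names
expand to their members, `inactive` disables an entry and `log` marks a hit.
Added example, not Cisco code; addresses, servers and groups are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed object groups mirroring the object-group network definitions above.
OBJECT_GROUPS = {
    "internal-clients-offices": ["10.0.10.0/24", "10.0.40.0/24"],
    "DMZ-offices": ["10.0.30.0/24", "10.0.50.0/24"],
}
PORT_NAMES = {"http": 80, "smtp": 25, "ftp": 21, "ssh": 22, "pop3": 110}
ACE_RE = re.compile(r"^access-list (\S+)(?: line (\d+))? extended (permit|deny) (\S+) (.+)$")
Verdict = Tuple[str, Optional[int], bool]        # (action, matching line, log flag)


@dataclass
class Ace:
    action: str                                  # permit | deny
    proto: str                                   # tcp | udp | ip
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]                         # None means any destination port
    log: bool
    inactive: bool


def _networks(tokens: List[str]) -> List[ipaddress.IPv4Network]:
    """Consume one address spec: any | host A | object-group G | A MASK."""
    t = tokens.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if t == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[tokens.pop(0)]]
    return [ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)]


class Acl:
    def __init__(self, name: str):
        self.name, self.aces = name, []

    def add(self, line: str) -> None:
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != self.name:
            raise ValueError(f"not an extended ACE for {self.name}: {line}")
        pos, action, proto, rest = m.group(2), m.group(3), m.group(4), m.group(5).split()
        src, dst = _networks(rest), _networks(rest)
        dport = None
        if rest[:1] == ["eq"]:
            rest.pop(0)
            name = rest.pop(0)
            dport = PORT_NAMES.get(name) or int(name)
        ace = Ace(action, proto, src, dst, dport, "log" in rest, "inactive" in rest)
        if pos:                                  # `line N` inserts before the current entry N
            self.aces.insert(int(pos) - 1, ace)
        else:
            self.aces.append(ace)

    def check(self, proto: str, src: str, dst: str, dport: int) -> Verdict:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, ace in enumerate(self.aces, 1):
            if ace.inactive or ace.proto not in (proto, "ip"):
                continue
            if (any(s in net for net in ace.src) and any(d in net for net in ace.dst)
                    and ace.dport in (None, dport)):
                return ace.action, n, ace.log
        return "deny", None, False               # implicit deny at the end of every ACL


def shadowing_demo() -> Tuple[Verdict, Verdict]:
    """Why an explicit deny must be appended rather than inserted at a used line number."""
    acl = Acl("OUTSIDE")
    acl.add("access-list OUTSIDE line 1 extended permit tcp any host 10.0.30.10 eq http")
    acl.add("access-list OUTSIDE line 2 extended permit tcp any host 10.0.30.11 eq smtp")
    acl.add("access-list OUTSIDE line 3 extended permit tcp any host 10.0.30.12 eq ftp")
    acl.add("access-list OUTSIDE line 4 extended permit tcp any host 10.0.30.13 eq ssh")
    before = acl.check("tcp", "198.51.100.7", "10.0.30.13", 22)
    # Inserting the deny at line 4 pushes the ssh entry to line 5, where it never matches.
    acl.add("access-list OUTSIDE line 4 extended deny ip any any log 4 interval 300")
    return before, acl.check("tcp", "198.51.100.7", "10.0.30.13", 22)


def object_group_demo() -> List[Verdict]:
    inside = Acl("INSIDE")
    inside.add("access-list INSIDE extended permit tcp object-group internal-clients-offices "
               "object-group DMZ-offices eq ftp")
    inside.add("access-list INSIDE extended permit tcp any any eq http inactive")
    return [inside.check("tcp", "10.0.40.9", "10.0.50.2", 21),     # LA client to LA DMZ
            inside.check("tcp", "10.0.30.9", "10.0.50.2", 21),     # source not in the group
            inside.check("tcp", "10.0.40.9", "203.0.113.5", 80),   # inactive entry is skipped
            inside.check("udp", "10.0.40.9", "10.0.50.2", 21)]     # protocol mismatch


if __name__ == "__main__":
    print(shadowing_demo())
    print(object_group_demo())
```

The shadowing demo is the reason the explicit deny in the small-network example must go after the last permit entry: an ACE inserted with "line N" lands in front of the existing entry N, and a "deny ip any any" placed there hides every permit that follows it.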
Configure protection against spoofed IP packets towards the ASA

ip verify reverse-path interface outside

Note 7: The command enables the unicast reverse path forwarding feature on the specified interface. Every incoming packet is checked against the connection table; if no connection exists, the source IP address is extracted and checked against the ASA's routing table to determine whether it is reachable.
Note 7.1: Do not enable this feature on the outside interface when a default route exists in your network architecture, to avoid the processing overhead.

Block packets from a specific IP address using the "shunning" feature

shun malicious_ip_addr

Packet inspection and traffic filtering

Defining a service policy, policy map and class map

class-map cmap1
 match <criteria>
policy-map pmap1
 class cmap1
  <action>
service-policy pmap1 interface outside

Note 1: To inspect traffic passing through the ASA, a service policy that contains a policy map and a class map must be created.
Note 1.1: The policy map is responsible for taking an action when the specified traffic is matched by the class map. The actions a policy map can take range from setting connection timeouts, connection volumes, TCP parameters, HTTP parameters, FTP parameters, DNS parameters, ESMTP parameters and management traffic, to sending the matched traffic to inspection engines and intrusion prevention systems, providing priority handling and limiting bandwidth.
Note 1.2: The class map matches the traffic: all traffic, a defined set of traffic, traffic destined for a specific destination or port, traffic matched against a specific access list, VPN traffic, or QoS values.
Note 1.3: Table 92 above lists all the match commands that can be specified in a class map to match traffic at OSI layers 3-4. Most of these match commands are used on the outside interface to inspect traffic coming into our network.
Table 2 - policy map action commands

Note 1.4: Table 2 lists all the actions that can be taken when a specified criterion is matched in the class map.
Note 1.5: The last command above binds the policy map into a service policy and applies it to the outside interface.

Table 3 - traffic direction by policy map actions

Note 1.6: Table 3 lists the directions in which the actions of a policy map can be applied. For example, setting connection volumes and limits, adjusting TCP parameters and sending the traffic to an inspection engine or IPS can be applied on an interface in both directions, for traffic destined to the Internet and for inbound traffic.
Note 1.7: Applying quality of service, limiting bandwidth and shaping traffic can only be done in the egress direction, meaning for outbound traffic only.

Essential and important: The service policy that contains the policy map and class map can be applied to OSI layer 3-4 traffic or to OSI layer 5-7 traffic. The former is used to examine, analyze and inspect TCP and UDP traffic for connection parameters, connection volumes, connection timeouts, protocol inspection, traffic analysis by the IPS module and QoS purposes; the latter, layer 5-7 traffic, is used to examine and inspect application layer traffic destined for the DMZ servers.

Configuring TCP connection parameters to prevent TCP SYN attacks

This is done with a policy map and a class map that set connection timeouts for embryonic connections and limit the number of simultaneous connections by setting connection volumes.

Table 4 - tcp connection timeouts

Table 4 lists the parameters used in the "set connection timeout" command when defining an action to be taken by the policy map.

set connection timeout [embryonic {hh:mm:ss | 0}] [half-closed {hh:mm:ss | 0}] [tcp {hh:mm:ss | 0}] [dcd [retry_interval [max_retries]]]
Table 5 - tcp connection volume

Table 5 lists the parameters used in the "set connection" command to control TCP connection volume.

set connection [conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n]

To prevent a TCP SYN attack, the ASA must set a maximum number of simultaneous embryonic connections, which are half-open or half-closed connections. If the maximum is reached, the ASA triggers the TCP Intercept feature and begins to act as a proxy: it completes the TCP handshake on behalf of the target host to determine whether the source address communicating with the target host is legitimate, and drops the connection if it is not.

Assuming that the internal clients are in the object group "Internal-clients" and the DMZ servers are in the object group "DMZ-Servers" (see the previous sheet about object groups), let's apply a connection limit for embryonic connections initiated by these object groups.

access-list INSIDE line 1 extended permit tcp object-group Internal-clients any
access-list INSIDE line 2 extended permit udp object-group Internal-clients any
class-map cmap1
 match access-list INSIDE
policy-map pmap1
 class cmap1
  set connection embryonic-conn-max 65000
service-policy pmap1 interface inside
access-list DMZ line 1 extended permit tcp any object-group DMZ-Servers eq http
access-list DMZ line 2 extended permit tcp object-group DMZ-Servers any eq http
class-map cmap2
 match access-list DMZ
policy-map pmap2
 class cmap2
  set connection embryonic-conn-max 65000
service-policy pmap2 interface DMZ

Configuring and enabling protection against TCP sequence number brute force

set connection random-sequence-number {enable | disable}

Configuring TCP connection options using the TCP normalizer

The TCP normalizer is used to manipulate the content of a TCP connection, such as the TCP checksum, TCP flags and TCP options. It changes or alters the content of TCP packets to render them compatible with certain protocol or connection requirements. In addition, it can be leveraged to protect DMZ hosts against packets that are crafted to evade stateful inspection, such as information-gathering or reconnaissance packets.
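A simulation of the embryonic connection limits set above, added here as an illustration; it is not Cisco code and not part of the original guide. The limits (3 global, 2 per client) and the addresses are constructed and far smaller than the 65000 used above, and a connection is identified by client, server and port instead of the full 4-tuple.

```python
"""Model of `set connection embryonic-conn-max` and `per-client-embryonic-max`.
An embryonic (half-open) connection is counted from the client's SYN until the
handshake completes or the embryonic timeout expires.  When the global limit is
reached the ASA switches to TCP Intercept and answers the handshake itself, so
the server only sees clients that complete it; when the per-client limit is
reached, further SYNs from that client are dropped.
Added example, not Cisco code; thresholds and addresses are constructed."""
from collections import Counter
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str, int]   # (client, server, port) identifies a connection here


class ConnLimiter:
    def __init__(self, embryonic_conn_max: int, per_client_embryonic_max: int):
        self.embryonic_max = embryonic_conn_max
        self.per_client_max = per_client_embryonic_max
        self.embryonic: Dict[Key, str] = {}        # key -> "direct" | "intercept"
        self.per_client: Counter = Counter()       # half-open count per client address
        self.established: Set[Key] = set()

    def syn(self, client: str, server: str, port: int) -> str:
        key = (client, server, port)
        if key in self.embryonic or key in self.established:
            return "retransmit"                    # already tracked, not counted twice
        if self.per_client[client] >= self.per_client_max:
            return "drop"                          # per-client-embryonic-max exceeded
        if len(self.embryonic) >= self.embryonic_max:
            mode = "intercept"                     # ASA proxies the SYN/ACK itself
        else:
            mode = "direct"                        # SYN is forwarded to the server
        self.embryonic[key] = mode
        self.per_client[client] += 1
        return mode

    def ack(self, client: str, server: str, port: int) -> str:
        """Client's final handshake ACK: the connection becomes established."""
        key = (client, server, port)
        mode = self.embryonic.pop(key, None)
        if mode is None:
            return "no-embryonic"
        self.per_client[client] -= 1
        self.established.add(key)
        return "established-after-intercept" if mode == "intercept" else "established"

    def timeout(self, client: str, server: str, port: int) -> bool:
        """Embryonic timeout (set connection timeout embryonic) expired: drop the entry."""
        key = (client, server, port)
        if self.embryonic.pop(key, None) is None:
            return False
        self.per_client[client] -= 1
        return True


def flood_scenario() -> List[str]:
    """One noisy source, normal clients, a global limit of 3 and a per-client limit of 2."""
    asa = ConnLimiter(embryonic_conn_max=3, per_client_embryonic_max=2)
    server = "10.0.30.10"                          # constructed DMZ server
    log = [
        asa.syn("198.51.100.1", server, 80),       # direct
        asa.syn("198.51.100.1", server, 80),       # retransmit of the same connection
        asa.syn("198.51.100.1", server, 81),       # direct
        asa.syn("198.51.100.1", server, 82),       # drop: this client already has 2 half-open
        asa.syn("198.51.100.2", server, 80),       # direct: third embryonic overall
        asa.syn("198.51.100.3", server, 80),       # intercept: global limit reached
        asa.ack("198.51.100.3", server, 80),       # legitimate client completes the handshake
    ]
    log.append(str(asa.timeout("198.51.100.1", server, 80)))   # a half-open entry expires
    log.append(asa.syn("198.51.100.4", server, 80))            # back under the limit: direct
    return log


if __name__ == "__main__":
    print("\n".join(flood_scenario()))
```

The scenario shows the two limits acting independently: the per-client limit silently drops the third half-open attempt from one source, while the global limit does not drop anything but switches new handshakes to intercept mode until completed or timed-out entries bring the count back under the threshold.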
Table 6 - TCP normalizer actions

Table 7 - tcp options table

tcp-map TCP-Protect
 invalid-ack drop
 synack-data drop
 ttl-evasion-protection
 seq-past-window drop
 exit
class-map cmap1
 match access-list Internal-clients
 exit
class-map cmap2
 match access-list DMZ-Servers
 exit
policy-map pmap3
 class cmap1
  set connection advanced-options TCP-Protect
  exit
 class cmap2
  set connection advanced-options TCP-Protect
  exit
service-policy pmap3 interface outside

Note 4: The commands above match traffic inbound to the internal clients and the internal DMZ servers and check certain TCP parameters to protect the internal hosts from TCP SYN attacks, reconnaissance packets and SYN floods: limiting the number of embryonic connections, dropping invalid handshake packets and handshake packets that carry a payload, dropping packets with an invalid sequence number, and dropping data that exceeds the maximum segment size or the TCP window.

Configuring ICMP inspection

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
  exit

Note 5: The ICMP inspection feature is enabled when an access list that permits incoming ping requests is in place. ICMP inspection allows only one response per ICMP request and inspects ICMP packets for invalid sequence numbers.

Configuring inspection for OSI layer 5-7 traffic

- Inspecting HTTP

An HTTP inspection policy is implemented to examine and analyze traffic destined to protected servers or clients. Its main purpose is to reduce HTTP content to the minimal set of requirements and to look deeply into the application signature for known bad cues, mainly using regular expressions. A class map that matches specific conditions in the HTTP traffic should be defined, along with a policy map used to apply the appropriate action.
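The HTTP inspection class map and policy map just described, modelled in Python and added here as an illustration before the guide's own configuration; it is not Cisco code and not part of the original. The request-method and regex criteria, the match-all/match-any combination and the sample requests are constructed; the "allow only GET and POLL" and "https?://" rules in it anticipate the configuration given below.

```python
"""Model of an HTTP inspection class map (match criteria on a request, each
optionally negated, combined with match-all = AND or match-any = OR) and a
policy map that drops the connection when a class matches.
Added example, not Cisco code; methods, regexes and requests are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Request:
    method: str
    uri: str                              # path plus optional query string


Predicate = Callable[[Request], bool]
Criterion = Tuple[Predicate, bool]        # (predicate, negate) ~ `match [not] ...`


def request_method(*methods: str) -> Predicate:
    """`match request method m`: true when the method is one of the listed ones."""
    wanted = {m.upper() for m in methods}
    return lambda r: r.method.upper() in wanted


def request_args_regex(pattern: str) -> Predicate:
    """`match request args regex R`: searches the query string, not the path."""
    rx = re.compile(pattern)
    return lambda r: rx.search(r.uri.partition("?")[2]) is not None


@dataclass
class HttpClass:
    mode: str                             # "match-all" or "match-any"
    criteria: List[Criterion]

    def matches(self, r: Request) -> bool:
        results = [pred(r) != negate for pred, negate in self.criteria]
        return all(results) if self.mode == "match-all" else any(results)


def inspect(policy: List[Tuple[HttpClass, str]], r: Request) -> str:
    """The first class that matches decides the action; otherwise the request passes."""
    for cls, action in policy:
        if cls.matches(r):
            return action
    return "pass"


# Allow only GET and POLL: match-all of two negated method criteria, so the class
# matches (and the policy drops) any request whose method is neither of them.
ONLY_GET_POLL = HttpClass("match-all", [(request_method("get"), True),
                                        (request_method("poll"), True)])
# Drop requests whose arguments embed a URL.
EMBEDDED_LINK = HttpClass("match-any", [(request_args_regex(r"https?://"), False)])
POLICY = [(ONLY_GET_POLL, "drop-connection"), (EMBEDDED_LINK, "drop-connection")]


def demo() -> List[str]:
    samples = [                           # constructed requests
        Request("GET", "/index.html"),
        Request("POLL", "/exchange/inbox"),
        Request("POST", "/upload"),
        Request("GET", "/redirect?next=http://evil.example/"),
        Request("GET", "/search?q=http"),
    ]
    return [inspect(POLICY, r) for r in samples]


if __name__ == "__main__":
    print(demo())
```

Note the negation trick: with match-all, two "match not request method" lines describe the complement of the allowed set, which is what lets a single drop action implement an allow-list of methods.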
Table 7 - http match commands

Let's say we want to configure an HTTP policy map that allows only GET and POLL requests to pass to the protected server.

class-map type inspect http match-all MY_HTTP_CLASS
 match not request method get
 match not request method poll
policy-map type inspect http http_map_name
 parameters
  protocol-violation action drop-connection log
 class MY_HTTP_CLASS
  drop-connection log
  exit

With match-all and the two negated method criteria, the class matches any request whose method is neither GET nor POLL, and the policy map drops those connections and logs them.

Now, to match against regular expressions, we use the match commands in the following table.
Table 8 - regular expression match commands

For example, suppose we want to filter incoming HTTP traffic and drop requests that carry an embedded link in their arguments:

regex Embedded-link https?://
policy-map type inspect http HTTP_MAP_1
 match request args regex Embedded-link
  drop-connection
  exit

In the case of multiple regular expressions, we can use a regex class map with match-any to apply an OR operation on the match commands, or match-all to apply an AND operation:

regex Embedded-link-1 https?://
regex Embedded-link-2 http?://
class-map type regex match-any embedded-link
 match regex Embedded-link-1
 match regex Embedded-link-2

Now apply the HTTP inspection map using the following command.
inspect http http-map-name

The activation command must be applied inside a policy map.

- Inspecting FTP

Inspecting FTP traffic includes masking the FTP banner, masking the reply message, preventing uploads of "exe" files to the server unless the security policy allows it, and restricting request methods to GET and PUT.

Table 9 - ftp traffic matching commands

policy-map type inspect ftp FTP_MAP_1
 parameters
  mask-banner
  mask-syst-reply
  exit
regex FTP_BADNAMES \.exe
policy-map type inspect ftp FTP_MAP_1
 match not request-command get put help
  reset
 match filename regex FTP_BADNAMES
  reset
inspect ftp FTP_MAP_1
The commands above create a policy map to inspect FTP. Banner information and system reply information are masked to prevent malicious users from performing vulnerability assessment using the FTP server information. The commands also filter requests to the server so that only GET and PUT requests are accepted, and prevent files with EXE names from being uploaded.

- Inspecting DNS traffic

DNS inspection includes applying NAT rules to the DNS packets, randomizing DNS ID values to protect against DNS spoofing attacks, DNS protocol verification, and guarding the DNS connection by closing the DNS UDP connection after successful receipt of the reply packet.

Table 10 - dns inspection match commands

policy-map type inspect dns DNS_MAP_1
 parameters
  protocol-enforcement
  dns-guard
  id-randomization
  nat-rewrite
  exit

The ASA has a default DNS inspection policy map called "preset_dns_map", which limits the size of DNS packets to 512 bytes.

Quality of service, bandwidth control, transparent firewall mode and integrating the SSM-IPS

Configuring the MTU size for more control over fragmented traffic

Suppose we want to configure the MTU size on the outside interface to control the packets coming into our network, reducing the percentage of fragmented packets so that the ASA can inspect more of the traffic. For that we increase the MTU to its maximum size:

mtu outside 65535

Note that the smallest MTU value is 64 bytes. To verify the MTU size on an interface, we use the command

show fragment outside

Configuring QoS and prioritizing packets

Every packet that arrives at the ASA is first stored in the best-effort queue (BEQ), a buffer from which the packets are then retransmitted in order. Suppose we have critical packets such as audio or video streaming; we need to create a low-latency queue (LLQ), a buffer whose packets are transmitted ahead of the other packets in the BEQ. We need to enable the LLQ on an interface and specify a policy map and a class map to match the traffic.

priority-queue outside
class-map Qos
 match rtp 5060 65
policy-map RTP
 class Qos
  priority
  exit
service-policy RTP interface outside
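The LLQ behaviour just described, modelled as two queues, added here as an illustration; it is not Cisco code and not part of the original guide. The RTP classifier assumes a constructed "match rtp 16384 16383" (UDP ports 16384 to 32767), and the packets are constructed.

```python
"""Model of the low-latency queue: packets selected by the class map (here RTP on
a UDP port range, as `match rtp` does) go to the LLQ and leave the interface
before anything waiting in the best-effort queue.
Added example, not Cisco code; port range and packets are constructed."""
from collections import deque
from typing import Dict, List

RTP_START, RTP_RANGE = 16384, 16383   # assumed `match rtp 16384 16383`: UDP ports 16384-32767


def is_rtp(pkt: Dict) -> bool:
    return pkt["proto"] == "udp" and RTP_START <= pkt["dport"] <= RTP_START + RTP_RANGE


class Interface:
    def __init__(self, priority_queue: bool = True):
        self.llq: deque = deque()         # low-latency queue, exists only with `priority-queue`
        self.beq: deque = deque()         # best-effort queue
        self.priority_queue = priority_queue

    def enqueue(self, pkt: Dict) -> str:
        if self.priority_queue and is_rtp(pkt):
            self.llq.append(pkt)
            return "llq"
        self.beq.append(pkt)
        return "beq"

    def transmit(self) -> List[Dict]:
        """Drain the interface: LLQ first, then best-effort, FIFO within each queue."""
        out = []
        while self.llq:
            out.append(self.llq.popleft())
        while self.beq:
            out.append(self.beq.popleft())
        return out


# Constructed arrival order: web, voice, mail, voice.
SAMPLE_PACKETS = [
    {"id": "web", "proto": "tcp", "dport": 80},
    {"id": "rtp1", "proto": "udp", "dport": 16400},
    {"id": "mail", "proto": "tcp", "dport": 25},
    {"id": "rtp2", "proto": "udp", "dport": 20000},
]


def transmit_order(packets: List[Dict], priority_queue: bool = True) -> List[str]:
    """Enqueue the packets in arrival order and return the ids in transmission order."""
    iface = Interface(priority_queue)
    for p in packets:
        iface.enqueue(p)
    return [p["id"] for p in iface.transmit()]


if __name__ == "__main__":
    print(transmit_order(SAMPLE_PACKETS), transmit_order(SAMPLE_PACKETS, False))
```

Without "priority-queue" on the interface there is no LLQ, and the same packets leave in plain arrival order.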
Configuring traffic policing and traffic shaping

Controlling bandwidth limits is essential for QoS and for prioritizing some packets over others. Packets are controlled either by dropping the packet that exceeds the bandwidth threshold or by reshaping the traffic so that it conforms to the bandwidth limit.

Traffic policing

Suppose we want to configure a policy map that matches all traffic and drops every packet that exceeds 2 Mbps. To achieve that we need a policy map with a class map that matches all traffic, hence the following commands:

class-map Policing
 match any
 exit
policy-map mine
 class Policing
  police output 2000000 conform-action transmit exceed-action drop
  exit
 exit
service-policy mine interface outside

Traffic shaping

Traffic shaping is the act of placing the packets in a buffer and then sending them out at a rate beneath the bandwidth threshold. This type of bandwidth control is applicable only to all traffic in bulk (the class-default class).

policy-map outside-policy
 class class-default
  shape average 200000000
  exit
 exit
service-policy outside-policy interface outside

Using transparent firewall mode
Deploying transparent mode has some challenges and restrictions, so this mode should not be applied until you have specified your network requirements and recognized the limitations imposed by this mode:

- IPsec protocol and VPN tunnels
- Dynamic routing protocols
- Broadcast and multicast packets
- DHCP relay
- QoS and bandwidth control

Before implementing transparent mode, be sure to back up the current configuration in case you want to revert to routed mode. Use the following command to switch to transparent mode:

firewall transparent

Configure the interfaces, one as outside and the other as inside, with one IP address shared by both:

interface eth0/0
 nameif outside
 security-level 0
 no shutdown
 exit
interface eth0/1
 nameif inside
 security-level 100
 no shutdown
 exit
ip address 192.168.1.100 255.255.255.0

Because this mode does not support dynamic routing, a static route or a default route must be configured:

route [inside | outside] network_ip subnet_mask next_hop_ip

Permitting OSPF or EIGRP packets through transparent mode:

access-list permit-ospf extended permit ospf [source] [dest]
access-group permit-ospf [in | out] interface [outside | inside]

Protection from ARP spoofing and ARP flooding attacks

Protection from ARP spoofing consists of creating static ARP entries in the firewall's MAC address table, stating the IP address and the associated MAC address, so that the firewall can compare and
match the incoming packet against the information in the ARP table and drop the packet or allow it to pass, based on the match result.

arp interface ip_address mac_address
arp-inspection interface enable
show arp-inspection

To prevent MAC address denial of service, disable the MAC address learning feature in transparent mode; the administrator must then create the MAC address table, just like above, and maintain it regularly.

mac-learn interface disable
mac-address-table static interface mac_address

Integrating the security service module, intrusion prevention system and content security control

After inserting the card module in the specified slot, create a VLAN and upload the IPS software to the module using the following commands:

interface vlan 10
 allow-ssc-mgmt
 ip address ip_address subnet_mask
 nameif inside
interface eth0/10
 switchport access vlan 10
 no shutdown
hw-module module 1 recover configure
hw-module module 1 recover boot
hw-module module 1 password-reset : resets the password to "cisco"
hw-module module 1 reload
hw-module module 1 reset
hw-module module 1 shutdown : used to shut down the module

Now to the initialization, knowing that the IPS can work in inline mode (the packet is dropped when it violates a rule or is determined to be malicious) or in promiscuous mode (the packet is allowed to pass to its intended destination while a copy is sent for analysis).

session 1
setup
policy-map IPS
 class class-default
  ips inline fail-open
service-policy IPS interface outside

Conclusion

Virtual firewalls and many other aspects and configurations of the Cisco ASA were not covered here because they are easier to manage with ASDM; this guide documents the most common command line tasks on the Cisco ASA firewall.

References

Cisco CCNP Security Firewall Certification Guide
CCNP Certification Guide