Cisco ASA Configuration Archives

How to Configure OSPF on Cisco ASA Firewall

Cisco Adaptive Security Appliance (ASA) is quite a versatile device integrating application-aware firewall, SSL and IPsec VPN, intrusion prevention system (IPS), antivirus, antispam, antiphishing, and web filtering services. Cisco ASA also supports routing protocols such as Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), and last but not least, Open Shortest Path First (OSPF). In this tutorial, our focus will be OSPF configuration on Cisco ASA according to the figure below.

Figure 1 OSPF on Cisco ASA

asa ospf configuration

Please note that configuration on R1 is not relevant to this scenario and R1 is just shown for the sake of completeness. We will start by configuring OSPF on routers R2 and R3. We would also configure MD5 authentication for OSPF on Fa0/0 of R2 and R3, using cisco as the authentication key.

Here’s the configuration for R2:

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 202.49.12.2 255.255.255.0
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config-if)#exit


R2(config)#interface Loopback0
R2(config-if)#ip address 10.10.2.2 255.255.255.0
R2(config-if)#exit


R2(config)#router ospf 1
R2(config-router)#network 202.49.12.0 0.0.0.255 area 0
R2(config-router)#network 10.10.2.0 0.0.0.255 area 0
R2(config-router)#end

Here goes the configuration for R3:

R3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface FastEthernet0/0
R3(config-if)#ip address 202.49.13.3 255.255.255.0
R3(config-if)#ip ospf authentication message-digest
R3(config-if)#ip ospf message-digest-key 1 md5 cisco
R3(config-if)#exit


R3(config)#interface Loopback0
R3(config-if)#ip address 10.10.3.3 255.255.255.0
R3(config-if)#exit


R3(config)#router ospf 1
R3(config-router)#network 202.49.13.0 0.0.0.255 area 1
R3(config-router)#network 10.10.3.0 0.0.0.255 area 1
R3(config-router)#end

Let’s now move to the interesting part where we configure Cisco ASA. We will first configure interface IP addresses, at the same time assigning Ethernet0/0, Ethernet0/1, and Ethernet 0/2 to outside, inside, and DMZ (de-militarized zone) zones, respectively. Inside and outside interfaces are assigned default security levels of 100 and 0 automatically. The higher the security level, the more secure an interface is. Therefore, the most secured network is placed behind an interface with a security level of 100, whereas the least secured network is placed behind an interface with a security level of 0. A DMZ interface can be assigned a security level between 0 and 100.

We assign a security level of 50 to the DMZ interface using the security-level command. We also configure MD5 authentication for OSPF on the outside and DMZ interfaces choosing cisco as the authentication key. Toward the end of configuration given below, both outside and DMZ interfaces are assigned to the appropriate OSPF area using network command.

ASA1# configure terminal
ASA1(config)# interface Ethernet0/0
ASA1(config-if)# ip address 202.49.12.1 255.255.255.0
ASA1(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco
ASA1(config-if)# exit

ASA1(config)# interface Ethernet0/1
ASA1(config-if)# ip address 192.168.1.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASA1(config-if)# exit

ASA1(config)# interface Ethernet0/2
ASA1(config-if)# ip address 202.49.13.1 255.255.255.0
ASA1(config-if)# nameif DMZ
ASA1(config-if)# security-level 50
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco
ASA1(config-if)# exit

ASA1(config)# router ospf 1
ASA1(config-router)# network 202.49.12.0 255.255.255.0 area 0
ASA1(config-router)# network 202.49.13.0 255.255.255.0 area 1
ASA1(config-router)#end
ASA1#

Let’s now verify that ASA1 has indeed established OSPF adjacency with R2 and R3 using show ospf neighbor command.

ASA1# show ospf neighbor

Neighbor ID    Pri   State        Dead Time   Address         Interface

10.10.2.2        1   FULL/DR      0:00:32     202.49.12.2     outside
10.10.3.3        1   FULL/BDR     0:00:38     202.49.13.3     DMZ

The above output indicates that OSPF neighbor relationships have been succesfully established with both R2 and R3. You can use show ospf interface command to find out more details such as OSPF neighbor authentication status.

ASA1# show ospf interface

outside is up, line protocol is up
Internet Address 202.49.12.1 mask 255.255.255.0, Area 0
Process ID 1, Router ID 202.49.13.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 10.10.2.2, Interface address 202.49.12.2
Backup Designated router (ID) 202.49.13.1, Interface address 202.49.12.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:00
Index 1/1, flood queue length 0
Next 0×0(0)/0×0(0)
Last flood scan length is 2, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.10.2.2  (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

 

You can also use show ip ospf interface brief and show ip ospf neighbor commands on R2 and/or R3. We are showing the output of these two commands for R2 here.

R2#show ip ospf neighbor

Neighbor ID  Pri  State     Dead Time   Address         Interface
202.49.13.1  1    FULL/BDR  00:00:30    202.49.12.1     FastEthernet0/0

R2#show ip ospf interface brief

Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C

Lo0          1     0               10.10.2.2/24       1     LOOP  0/0
Fa0/0        1     0               202.49.12.2/24     1     DR    1/1

We can expect that R2, R3, and ASA1 may also have learned some OSPF routes by now. Let’s verify that by using show ip route command on R2 first.

R2#show ip route

<Some output omitted for brevity>

Gateway of last resort is not set

C    202.49.12.0/24 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O IA   10.10.3.3/32 [110/12] via 202.49.12.1, 02:01:57, FastEthernet0/0
C      10.10.2.0/24 is directly connected, Loopback0
O IA 202.49.13.0/24 [110/11] via 202.49.12.1, 02:02:01, FastEthernet0/0

 

Please feel free at this point to use show ip route command on R3 as well. We can use show route command on ASA1 to find out which routes it has learned over OSPF.

ASA1# show route

<Some output omitted for brevity>

Gateway of last resort is not set

C    202.49.12.0 255.255.255.0 is directly connected, outside
O    10.10.3.3 255.255.255.255 [110/11] via 202.49.13.3, 2:03:52, DMZ
O    10.10.2.2 255.255.255.255 [110/11] via 202.49.12.2, 2:11:30, outside
C    202.49.13.0 255.255.255.0 is directly connected, DMZ
C    192.168.1.0 255.255.255.0 is directly connected, inside

Though OSPF routing is looking good at this stage, we may not yet be able to ping from R2 to R3 or vice versa. On Cisco ASA, you do not need to define an ACL to permit traffic from a high security level interface to a low security level interface by default. However, an ACL must explicitly permit traffic from a low security level interface (such as outside with security level 0) to a high security level interface (such as DMZ with security level 50). Here is how we configure an ACL and apply it inbound to the outside interface to allow incoming traffic. Just for example purposes, we will allow icmp traffic from outside to IP 10.10.3.3 in DMZ.

access-list OUTSIDE-IN extended permit icmp any host 10.10.3.3
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-group OUTSIDE-IN in interface outside

Let’s try to ping from R2 to Loopback0 on R3 and vice versa, in order to seal the deal.

R2#ping 10.10.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/40 ms

R3#ping 10.10.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/44 ms

In this first Video Tutorial I will show you how to enable initial access to the ASA device in order to connect with ASDM graphical interface or with SSH. The network topology is shown below:

Cisco ASA ASDM Configuration

First we need to have console access (with a serial console cable) to the device in order to configure some initial settings to allow user access with ASDM or with SSH. We will configure Interface GigabitEthernet 5 as a management interface with IP address 10.10.10.1/24. Also, on the same subnet we have our management PC with IP address 10.10.10.10/24. The management PC is running also a TFTP server software (tftp32) which will be used to transfer the ASDM image to the ASA.

Below is the CLI configuration used in this initial setup (see video below also for more information):

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
! Configure an “enable password” which is the administrator password of the device
enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
! Configure IP address to Interface GigEth5 and put a high security level (90 is good).
! name also the interface as “management”
interface GigabitEthernet5
nameif management
security-level 90
ip address 10.10.10.1 255.255.255.0
!
ftp mode passive
pager lines 24
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1

! Tell the appliance where the asdm image is located.
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL

! SSH access will use the LOCAL username/password for authentication
aaa authentication ssh console LOCAL
! enable the HTTP service on the device so that you can connect to it for ASDM access
http server enable
! Tell the device which IP addresses are allowed to connect for HTTP (ASDM) access and from which interface
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
! Tell the device which IP addresses are allowed to connect for SSH access and from which interface.
ssh 10.10.10.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
! Configure a LOCAL username/password to be used for authentication.
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:0760c72b39dd8d7a479d517a65758f33
: end
ciscoasa#

NOTE:

To enable SSH access, we need to generate also SSH keys as following:

ciscoasa(config)# crypto key generate rsa modulus 1024
Keypair generation process begin. Please wait…
ciscoasa(config)#

And here is the video:

Site to Site VPN between Cisco ASA and Router

In this post we will configure Site-to-Site IPSEC VPN between a Cisco IOS Router and ASA Firewall. ASA configuration is not much different from Cisco IOS with regards to IPSEC VPN since the fundamental concepts are the same. Let’s start our LAB example and we’ll see how it’s done.

Consider the following diagram. The first site (Remote1) is equipped with a Cisco ASA firewall (any model) and the second site (Remote2) is equipped with a Cisco Router. Remember that a Cisco ASA firewall is by default capable to support IPSEC VPN but a Cisco Router must have the proper IOS software type in order to support encrypted VPN tunnels.

Equipment Used in this LAB:

  • ASA 5510 – Cisco Adaptive Security Appliance Software Version 8.0(3)
  • Cisco Router 2801 – C2801-ADVIPSERVICESK9-M Version 12.4(9)T4

Scenario:

LAN of Remote1 must be connected to LAN of Remote2 via VPN Tunnel. The most usual scenario is that the WAN cloud is the Internet, so secure connectivity shall be provided between the two LAN networks over the Internet.

First of all we shall make sure that the outside interfaces of ASA and router must be reachable over the WAN. Now let’s start IPSEC VPN configuration.

Cisco ASA Configuration

First I started ASA configuration.

I’ve created an Access list, which will match the interesting traffic which is the traffic to be encrypted. If source is 192.168.3.0/24 and destination is 192.168.4.0/24, then traffic will be matched by the access list as “interesting traffic” and will be encrypted and pass through the tunnel.

ASA(config)# access-list vpn extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

!IKE PHASE #1
! I’ve created a phase1 policy. This policy provides secured process of exchanging Keys.

ASA(config)# crypto isakmp policy 1

! For authentication I used Pre-shared. This method is most frequently used today.
ASA(config)# authentication pre-share

!For encryption I used 3des.
ASA(config)# encryption 3des

! Hashing md5.
ASA(config)# hash md5

! I used second group of diffie-hellman. Group1 is used by default. The most secured is Group5.
ASA(config)# group 2

! configure crypto key. The keys must match to each other between peers. Otherwise Phase1 will not be completed.
ASA(config)# crypto isakmp secretsharedkey address 192.168.2.2

NOTE: Crypto key is hidden in ASA configuration. If we look at configuration, it will be shown in following way.
tunnel-group 192.168.2.2 ipsec-attributes
pre-shared-key *

! Activate policy on Outside interface.
ASA(config)# crypto isakmp enable outside

! IKE PHASE #2- VPN Tunnel is established during this phase and the traffic between VPN Peers is encrypted according to the security parameters of this phase.

! I created Transform-set, by which the traffic will be encrypted and hashed between VPN peers.
ASA(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac

! Apply the access list created earlier for matching the interesting traffic.
ASA(config)# crypto map vpn 10 match address vpn

! I indicated address of Remote2 peer public outside interface.
ASA(config)# crypto map vpn 10 set peer 192.168.2.2

! Apply also the transform-set.
ASA(config)# crypto map vpn 10 set transform-set ts

! Attach the already created Crypto-map and VPN to outside interface.
ASA(config)# crypto map vpn interface outside

ASA configuration is completed here (regarding the VPN config of course). Now let’s start Router Configuration below.

Cisco Router Configuration

ISAKMP Phase 1

! Enter crypto-isakmp policy configuration mode for configuring crypto isakmp policy.
Router(config)# crypto isakmp policy 10

! Turn on 3des as an encryption type.
Router(config)# encr 3des

! I indicated MD5 as a hashing type.
Router(config)# hash md5

! I indicated pre-share authentication.
Router(config)# authentication pre-share

! I used second group of diffie-hellman. group1 is used by default.
Router(config)# group 2

! I defined peer key same as ASA site.
Router(config)# crypto isakmp secretsharedkey address 192.168.1.2

It’s not necessary to match policy numbers. The most important is to match corresponding parameters of policy. Otherwise negotiation of Phase1 will not be successful.

! Access list for matching interesting traffic.
Router(config)# ip access-list extended vpn
Router(config)# permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

ISAKMP PHASE 2
!
! Create IPSEC transform-set, by which the mechanism of hashing and encryption is determined, by which the traffic will be hashed/encrypted in VPN tunnel later.
Router(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac

! Enter into crypto-map configuration mode.
Router(config)# crypto map vpn 10 ipsec-isakmp

! Indicate IP address of peer.
Router(config)# set peer 192.168.1.2

! Indicate IPsec transform-set created above.
Router(config)# set transform-set ts

! Apply access list created above.
Router(config)# match address vpn

! Apply crypto-map to interface.
Router(config)# interface FastEthernet0/0
Router(config)# crypto map vpn

With this, VPN configuration is completed so let’s start verification.

! In the output below it is shown that ISAKMP PHASE1 is active, which means that negotiation of PHASE1 is completed successfully.

ASA# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 192.168.2.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

Router# show crypto isakmp sa
dst src state conn-id slot
192.168.1.2 192.168.2.2 MM_ACTIVE 1 0

! Checking ISAKMP PHASE2. Here we see that IPSec is working and the interesting traffic flows in VPN Tunnel.

ASA# show crypto ipsec sa
interface: outside
Crypto map tag: vpn, seq num: 10, local addr: 192.168.1.2

access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer: 192.168.2.2

#pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
#pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 344, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #framents created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

Router# show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: vpn, local addr 192.168.2.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
#pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

VPN Tunnel is established and works.

Today I have stumbled upon an interesting technique from the Cisco Blog and Cisco Support Forum which is about defending an SQL injection using IPS, ASA or IOS firewall. I will concentrate on the ASA here to show you what you can do with this great device. Ofcourse what I will show works only for specific SQL attacks and is not an “ALL IN ONE” mechanism for preventing all SQL attacks. You should have a web application firewall in addition to ASA in my opinion if you want to have a full blown SQL and Web Application protection.

So basically the ASA uses regular expressions (regex) together with Modular Policy Framework to inspect specific HTTP data patterns in order to detect the SQL injection attack. It will basically check for the SQL command “UNION ALL SELECT”.

Below is the configuration as described on the Cisco support forum:

regex SQL_regex_1 “[uU][nN][iI][oO][nN]([%]2[0bB]|[+])([aA][lL][lL]([%]2[0bB]|[+]))?[sS][eE][lL][eE][cC][tT]“
regex SQL_regex_2 “[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|+)[^\r\x00-\x19\x7f-\xff]+(%2[0bB]|+)[Ff][Rr][Oo][Mm](%2[0bB]|+)”
!
class-map WebServers
match port tcp eq www
class-map type inspect http match-any SQL-map
match request body regex SQL_regex_1
match request body regex SQL_regex_2
!
policy-map type inspect http drop-SQL
parameters
body-match-maximum 3000
class SQL-map
drop-connection log
policy-map SQL-traffic
class WebServers
inspect http drop-SQL
!
service-policy SQL-traffic interface outside

We assume that our webserver is protected on a DMZ zone on the ASA. Traffic is coming from the outside so the service policy (SQL-traffic) is applied on the outside. Upon a regular expression match, the ASA will drop the HTTP connection and generate a log. The above is a just a starting point for SQL attack protection and can not defend against all attacks. For example if the SQL statement is Hex encoded or url encoded by the attacker, the regex will not detect it. Here is the link from Cisco forum for more information:

https://supportforums.cisco.com/docs/DOC-14890

The ASA 5500 series firewall can work as DHCP relay agent which means that it receives DHCP requests from clients on one interface and forwards the requests to a DHCP server on another interface. Usually the DHCP server is located in the same layer 3 subnet with its clients. There are situations however where we have only one DHCP server but several layer 3 networks exist (on different security zones on a Cisco ASA) and dynamic IP allocation is required for those networks as well. With the DHCP relay feature, we can connect the DHCP server on one network zone and have the firewall forward all DHCP requests from the other network zones to the DHCP server.

[ad#embedded-square]

The diagram below illustrates a simple network scenario with three security zones (network interfaces) and a single DHCP server. The three network zones are inside, outside and DMZ. The DHCP clients are connected to the inside network and the DHCP server on the DMZ network. The DHCP requests from the clients on the inside network will be relayed to the server on the DMZ network. The server will assign IP addresses in the range 192.168.1.0/24 to the clients.

Configuration

!First identify the DHCP server and the interface it Is connected to
ciscoasa# conf t
ciscoasa(config)# dhcprelay server 10.1.1.100 DMZ
ciscoasa(config)# dhcprelay timeout 90

!Now enable the DHCP relay on the inside interface
ciscoasa(config)# dhcprelay enable inside

!Assign the ASA inside interface IP as default gateway for the clients
ciscoasa(config)# dhcprelay setroute inside

Usage Guidelines

You can add up to four DHCP relay servers per interface. You must add at least one dhcprelay server command to the ASA Firewall configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.

You cannot enable DHCP relay under the following conditions:
• You cannot enable DHCP relay and the DHCP relay server on the same interface.
• You cannot enable DCHP relay and a DHCP server (dhcpd enable) on the same interface.

 Page 2 of 9 « 1  2  3  4  5 » ...  Last »