Cisco ASA General Archives

Traffic Rate Limiting on Cisco ASA

With the new modular policy framework (MPF) introduced in ASA versions 7.x and 8.x, the firewall administrator is now able to apply policing and rate limiting to traffic passing through the ASA appliance. I got a few questions from people how this functionality works and decided to throw in a quick example below which you can easily modify accordingly to match your needs.

Scenario:

We want to rate limit a local internal host when accessing a specific external public server. The local host is 192.168.1.10 and the external public server is 100.100.100.1. We need to limit the traffic to 100kbps and burst size 8000.

Configuration Snippet:

ASA(config)#access-list rate-limit-acl extended permit ip host 192.168.1.10 host 100.100.100.1

ASA(config)#class-map rate-limit
ASA(config-cmap)#match access-list rate-limit-acl

ASA(config)#policy-map limit-policy
ASA(config-pmap)#class rate-limit
ASA(config-pmap-c)#police output 100000 8000

ASA(config)#service-policy limit-policy interface outside

In order to be able to monitor and troubleshoot your Cisco ASA firewall, you need to understand the difference between connections and translations.

Refer to the diagram above for an explanation about Connections and Translations.

A Connection works at the Transport Layer and includes the Source IP/Source Port and the Destination IP/Destination Port. Connections are subsets of Translations. You can have many connections open that are all using the same Translation. For example, a connection shown above is originated from Internal source host 192.168.1.1 with source port 1030 towards a Destination host (public Web Server) 100.100.100.1 on Destination Port 80.

A Translation works at the IP Layer and includes the Real IP Address and the Mapped (Translated) IP Address. Using NAT or PAT, a Real IP address is translated to a Mapped IP address and vice-versa. From the diagram above, the Real IP address 192.168.1.1 is translated to a Mapped IP address 20.20.20.1.

Connection Related Commands

ASA# show conn
ASA# show conn details
ASA# show local-host

The above commands will display the current active connections and information details about each connection. An example output is the following:

TCP outside:100.100.100.1/80 inside:192.168.1.1/1030 idle 0:00:05 bytes 1965 flags UIO

Translation Related Commands

ASA# show xlate
ASA# show xlate detail
ASA# clear xlate

The commands above enable you to display or clear the contents of the translation table. An example output is the following:

NAT from inside:192.168.1.1 to outside:20.20.20.1 flags i

A single Cisco ASA appliance can be partitioned into multiple virtual firewalls known also as “Security Contexts”. Each security context acts as a separate firewall with its own security policy, interfaces and configuration. However, some features are not available for virtual firewalls, such as IPSEC and SSL VPN, Dynamic Routing Protocols, Multicast and Threat Detection.

All firewall models (except ASA 5505) support multiple security contexts. By default, all models support 2 security contexts without a license upgrade (except the ASA 5510 which requires the security plus license).

[ad#embedded-square]

Each security context that you create on the appliance includes its own configuration file (filename.cfg) stored on local flash memory. This configuration file contains the security policy, the included interfaces and the virtual firewall configuration of the specific security context. By default, an admin context is always created having a configuration file “admin.cfg“. This is just like any other security context except that when a user logs in the admin context then he has full administrator access to all other security contexts.

When you convert the appliance from single context mode to multiple context mode (using the command “mode multiple“) the firewall converts the current running configuration into two files: a new startup configuration that comprises the system configuration, and “admin.cfg” that comprises the admin context (stored in the root directory of the internal Flash memory). The original running configuration is saved as “old_running.cfg” (in the root directory of the internal Flash memory).

Configuring Security Contexts

! Enable multiple context mode
ASA(config)# mode multiple

! Then reboot the appliance.

! Configure the administrator context
ASA(config)# admin-context administrator
ASA(config)# context administrator
ASA(config-ctx)# allocate-interface gigabitethernet0/1.10
ASA(config-ctx)# allocate-interface gigabitethernet0/1.11
ASA(config-ctx)# config-url flash:/admin.cfg

! Configure other contexts as required
ASA(config)# context customerA
ASA(config-ctx)# allocate-interface gigabitethernet0/2.100
ASA(config-ctx)# allocate-interface gigabitethernet0/2.200
ASA(config-ctx)# config-url flash:/customerA.cfg

! Configure other contexts as required
ASA(config)# context customerB
ASA(config-ctx)# allocate-interface gigabitethernet0/2.111
ASA(config-ctx)# allocate-interface gigabitethernet0/2.222
ASA(config-ctx)# config-url flash:/customerB.cfg

Changing between contexts and the system execution space:

When you connect with a console cable on the appliance, you will log in the system configuration (or the system execution space). The “system execution space” is the global appliance space from where you can then enter into specific security contexts. If you are logged in the “system execution space” and issue a “show run” command, this will ONLY show you the global system configuration and NOT the various security contexts configurations. You will need to log into a specific security context in order to change or see its configuration.

To change between the system execution space and a context, or between contexts, see the following commands:

! To change to a context named CustomerA, enter the following command:
ASA# changeto context CustomerA

! The prompt changes to the following:
ASA/CustomerA#

! To change back to the system execution space, enter the following command:
ASA/CustomerA# changeto system

! The prompt changes to the following:
ASA#

Password Recovery for the Cisco ASA 5500 Firewall

If you have lost the administrator password to access the security appliance you can recover the password with the following steps:

Step1: Connect to the firewall using a console cable

Step2: Power cycle the appliance (power off and then on)

Step3: Press the Escape key to enter ROMMON mode

Step4: Use confreg command to change the configuration register to 0x41

rommon #1> confreg 0x41

Step5:  Configure the security appliance to ignore the startup configuration.

rommon #2> confreg

The ASA firewall will display the current configuration register value and boot parameters and ask you if you want to change them

Current Configuration Register: 0x00000041

Configuration Summary:

  boot default image from Flash

  ignore system configuration 

Do you wish to change this configuration? y/n [n]: y

Step6: At the prompt enter Y to change the parameters.

Step7: Accept the default values for all settings (at the prompt enter Y)

Step8: Reload the ASA appliance by entering the following command

rommon #3> boot

The firewall will reboot and load the default configuration instead of the startup configuration.

Step9:   Enter into EXEC mode

hostname> enable

When prompted for the password, press Enter (the password in blank now)

Step 10: Access the global configuration mode and change the passwords as required:

hostname# configure terminal
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password

Step 11: Load the default configuration register value (0x1) by entering the following command:

hostname(config)# no config-register

Step 12: Save the new passwords to the startup configuration by entering the following command:

hostname(config)# copy running-config startup-config

If for any reason the software image on your Cisco ASA appliance is corrupted and the device does not boot to normal operating mode, then you can load a new image using ROMMON (ROM monitor mode) and TFTP. Follow the steps below to get into ROMMON mode and then assign all necessary settings for uploading the new image file:

Step1: Connect to the ASA firewall using a console cable.

Step2: Power off the appliance and then power it on.

Step3: When the appliance starts, press the Escape key on your keyboard to force the appliance to enter ROMMON mode.

Step4: In ROMMON mode, configure all necessary settings for connecting to the TFTP server to load the new image. You need to connect a PC with TFTP server on a firewall port (e.g Ethernet0/0). Then enter the following commands on the ASA.

rommon #1> ADDRESS=192.168.1.10
rommon #2> SERVER=192.168.1.1
rommon #3> GATEWAY=192.168.1.1
rommon #4> IMAGE=asa800-232-k8.bin
rommon #5> PORT=Ethernet0/0
 

The above configuration will assign an IP address of 192.168.1.10 to interface Ethernet0/0 of the firewall appliance. It will also tell the firewall that the TFTP SERVER is at address 192.168.1.1 and the image to load is asa800-232-k8.bin

Step5: Execute the TFTP upload from the ASA using:

rommon #6> tftp

The above instructs the firewall to start uploading the image file from TFTP.

After the firewall reboots, login and check that the new image has been installed (show version)

An Intrusion Detection system as we know can either work in Inline Mode (IPS) or in promiscuous mode (IDS). In inline mode, the IPS sensor can detect and block attacks by itself since all traffic passes through the sensor. However, in promiscuous mode, the IDS sensor can not block attacks by itself, but has to instruct the firewall to block the attack. This is depicted in the diagram below.

The IDS sensor in our example is connected in “parallel” (not inline) with the ASA firewall. The “Sensing Interface” of the IDS appliance is connected on the outside (Internet) network zone and is continuously monitoring traffic to detect attacks. The “Control Interface” of the IDS appliance is connected on the inside network zone and is used to communicate with the ASA firewall. If an attack is detected (e.g Attacker at address 100.100.100.1 is sending malicious traffic to Victim address 200.200.200.1), the IDS sensor instructs the ASA firewall (using the “Control Interface”) to block the attacking connection. This is done by the IDS sensor by asking the firewall to use the “shun” command to block the connection.

What is a “shun” command:

The shun command on the ASA Firewall appliance is used to block connections from an attacking host. Packets matching the values in the command are dropped and logged until the blocking function is removed manually or by the Cisco IDS sensor.

The format of the command is as following:

ASA# shun [source IP] [destination IP] 

In our example scenario above, the IDS sensor will instruct the firewall to apply the following shun command:

shun 100.100.100.1 200.200.200.1

The above will block all communication from the attacker to the victim. Cisco IPS/IDS sensors have a timer with which you define how long the command will be active. After that time, the command is removed.

ASA 5505,5510 Base Vs Security Plus License

Cisco ASA 5505 Image Cisco ASA 5510 Image
CISCO ASA 5505 CISCO ASA 5510

The two smallest ASA Firewall models, the 5505 and the 5510, are the only ones that have two types of licenses. They can be ordered either with a Base License or a Security Plus License. Many customers of mine are always asking me what the difference is between the two licenses (except from the price of course), so I thought it would be useful to summarize below the differences between the two license types:

Cisco ASA 5505

Base License

Security Plus License

10,000 Maximum Firewall Connections 25,000 Maximum Firewall Connections
10 Maximum VPN Sessions (site-to-site and remote access) 25 Maximum VPN Sessions (site-to-site and remote access)
3 Maximum VLANs (Trunking Disabled)(2 regular zones and 1 restricted zone that can only communicate with 1 other zone) 20 Maximum VLANs (Trunking enabled)(No restrictions of traffic flow between zones)
No High Availability (failover) supported Supports Stateless Active/Standby failover

Cisco ASA 5510

Base License

Security Plus License

50,000 Maximum Firewall Connections 130,000 Maximum Firewall Connections
5×10/100Integrated Network Interfaces 2×10/100/1000 and3×10/100

Integrated Network Interfaces

50 Maximum VLANs 100 Maximum VLANs
No High Availability (failover) supported Supports Active/Active andActive/Standby failover
No Security Contexts (Virtual Firewalls) Supports 2 Virtual Firewalls (included) and 5 maximum.
No Support for VPN Clustering and VPN Load Balancing Supports VPN Clustering and VPN Load Balancing

License Upgrade on Cisco ASA 5505 (or 5500)

There are several license options for the Cisco ASA 5505 firewall as shown below:

Description Performance Part Number
Cisco ASA 5505 10 User Firewall Edition Bundle
Includes: 10 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license
• 150 Mbps Firewall
• 100 Mbps IPsec VPN
ASA5505-BUN-K9
Cisco ASA 5505 10 User Firewall Edition Bundle
Includes: 10 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, Data Encryption Standard (DES) license
• 150 Mbps Firewall
• 100 Mbps IPsec VPN
ASA5505-K8
Cisco ASA 5505 50 User Firewall Edition Bundle
Includes: 50 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
• 150 Mbps Firewall
• 100 Mbps IPsec VPN
ASA5505-50-BUN-K9
Cisco ASA 5505 Unlimited User Firewall Edition Bundle
Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license
• 150 Mbps Firewall
• 100 Mbps IPsec VPN
ASA5505-UL-BUN-K9
Cisco ASA 5505 Security Plus Firewall Edition Bundle
Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 25 IPsec VPN peers, 2 SSL VPN peers, DMZ support, Stateless Active/Standby high availability, Dual ISP support, 3DES/AES license
• 150 Mbps Firewall
• 100 Mbps IPsec VPN
ASA5505-SEC-BUN-K9

A very common scenario for a small business is to initially order a 10 user license and then upgrade to 50 users as the company expands. You need to order via your local Cisco representative a 10-to-50 user license upgrade. The Cisco reseller will request to have the ASA 5505 serial number of your firewall which you can find by executing the “show version” command. After that, the Cisco reseller will provide you with a license key which is a long hexadecimal string (e.g e02888da 4ba7bed6 f1c123ae ffd8624e). To configure the new license key use the following command:

Cisco-ASA(config)# activation-key Hex-activation-key
Cisco-ASA(config)# exit
Cisco-ASA# wr mem
Cisco-ASA# reload

After the firewall reboots, run the “show version” command to verify that the license features have been upgraded. The same procedure works also for the other Cisco ASA models.

 Page 2 of 3 « 1  2  3 »