Cisco Archives

The Cisco Adaptive Security Appliance (ASA) is an integrated security appliance that performs a variety of functions: firewall, intrusion prevention, VPN, content security, unified communications security and remote access. Among these functions, the ASA can also route, using popular routing protocols such as Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF), or static routes.

In this tutorial we focus on configuring EIGRP. We will walk through the steps needed to make the Adaptive Security Appliance perform routing functions, exchange routing updates with its neighbors and redistribute a static route into EIGRP.

In our example scenario, we will refer to the diagram below.

ASA EIGRP

In this scenario the routers R1 and R2 and the ASA all participate in the EIGRP process. R1 sits on the internal network and R2 in the DMZ. A static default route pointing out the ASA's outside interface toward the Internet will be configured and redistributed into the EIGRP process.

We will start by configuring IP addressing and EIGRP on the two routers R1 and R2.

Router R1 Configuration:

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface FastEthernet1/0
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#router eigrp 10
R1(config-router)#network 10.0.0.0 0.0.0.255
R1(config-router)#network 192.168.1.0 0.0.0.255
R1(config-router)#no auto-summary
R1(config-router)#end

Router R2 Configuration:

R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 192.168.2.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface FastEthernet1/0
R2(config-if)#ip address 10.1.1.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#router eigrp 10
R2(config-router)#network 10.1.1.0 0.0.0.255
R2(config-router)#network 192.168.2.0 0.0.0.255
R2(config-router)#no auto-summary
R2(config-router)#end

Now we move to the ASA, which is the core of this tutorial. ASA1 separates three zones: the inside network, the DMZ and the outside network. The appliance is designed to sit at the boundary between networks of differing trust, and it expresses that trust with a security level assigned to each interface. The security level is a number from 0 to 100; the higher the value, the more trusted the network connected to that interface.

An interface named inside receives the maximum level of 100 by default; any other interface name, including outside, receives 0, the minimum. The level can be changed at any time, but for this tutorial we keep the defaults for inside and outside and give the additional "DMZ" interface a security level of 50.

Cisco ASA Configuration:

ASA1# configure terminal
ASA1(config)# interface GigabitEthernet0
ASA1(config-if)# description outside interface connected to Internet
ASA1(config-if)# nameif outside
ASA1(config-if)# security-level 0
ASA1(config-if)# ip address 50.50.50.1 255.255.255.0
ASA1(config-if)# exit

ASA1(config)# interface GigabitEthernet1
ASA1(config-if)# description Inside interface connected to R1
ASA1(config-if)# nameif inside
ASA1(config-if)# security-level 100
ASA1(config-if)# ip address 192.168.1.2 255.255.255.0
ASA1(config-if)# exit

ASA1(config)# interface GigabitEthernet2
ASA1(config-if)# description DMZ interface connected to R2
ASA1(config-if)# nameif dmz
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 192.168.2.2 255.255.255.0
ASA1(config-if)# exit

The outside interface of ASA1 faces the Internet. For this lab it only carries the default route: it is addressed 50.50.50.1, with 50.50.50.2 as the default-gateway next hop (these addresses stand in for provider-assigned public addressing; they are not RFC 1918 space). This default route is redistributed by ASA1 into the rest of the EIGRP domain.

Next we configure EIGRP on ASA1, add the static default route and redistribute it into the EIGRP process. Note that the ASA network statement takes a subnet mask, unlike the wildcard mask used on the IOS routers above.

ASA1(config)# router eigrp 10
ASA1(config-router)# network 192.168.1.0 255.255.255.0
ASA1(config-router)# network 192.168.2.0 255.255.255.0
ASA1(config-router)# no auto-summary
ASA1(config-router)# redistribute static
ASA1(config-router)# exit
ASA1(config)# route outside 0.0.0.0 0.0.0.0 50.50.50.2
ASA1(config)# end

Once EIGRP is configured, we can verify that ASA1 has established neighbor relationships with both peers and that it has redistributed the static default route:

Verification Commands:

ASA1# show eigrp neighbors

EIGRP-IPv4 neighbors for process 10
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   192.168.2.1             Gi2               13 00:16:28    27   200  0  3
0   192.168.1.1             Gi1               11 00:16:28    13   200  0  5

ASA1# show eigrp topology

EIGRP-IPv4 Topology Table for AS(10)/ID(192.168.2.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 0.0.0.0 0.0.0.0, 1 successors, FD is 28160
        via Rstatic (28160/0)
P 10.0.0.0 255.255.255.0, 1 successors, FD is 30720
        via 192.168.1.1 (30720/28160), GigabitEthernet1
P 10.1.1.0 255.255.255.0, 1 successors, FD is 30720
        via 192.168.2.1 (30720/28160), GigabitEthernet2
P 192.168.1.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, GigabitEthernet1
P 192.168.2.0 255.255.255.0, 1 successors, FD is 28160
        via Connected, GigabitEthernet2

ASA1# show eigrp interfaces

EIGRP-IPv4 interfaces for process 10
                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
inside             1        0/0        13       0/1          105           0
dmz                1        0/0        27       0/1           89           0

ASA1# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 50.50.50.2 to network 0.0.0.0

C    50.50.50.0 255.255.255.0 is directly connected, outside
D    10.0.0.0 255.255.255.0 [90/30720] via 192.168.1.1, 0:19:52, inside
D    10.1.1.0 255.255.255.0 [90/30720] via 192.168.2.1, 0:19:53, dmz
C    192.168.1.0 255.255.255.0 is directly connected, inside
C    192.168.2.0 255.255.255.0 is directly connected, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via 50.50.50.2, outside

Let’s also verify the routing updates received by the routers. They should see the other networks attached to ASA1 and the injected static default route:

R1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
D       10.1.1.0 [90/33280] via 192.168.1.2, 00:20:44, FastEthernet0/0
C       10.0.0.0 is directly connected, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
D    192.168.2.0/24 [90/30720] via 192.168.1.2, 00:20:45, FastEthernet0/0
D*EX 0.0.0.0/0 [170/30720] via 192.168.1.2, 00:20:45, FastEthernet0/0

R2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 2 subnets
C       10.1.1.0 is directly connected, FastEthernet1/0
D       10.0.0.0 [90/33280] via 192.168.2.2, 00:22:21, FastEthernet0/0
D    192.168.1.0/24 [90/30720] via 192.168.2.2, 00:22:21, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
D*EX 0.0.0.0/0 [170/30720] via 192.168.2.2, 00:22:21, FastEthernet0/0

We now have three networks separated by ASA1, each with its own security level, exchanging routing information. Two points deserve attention. First, the ASA is a stateful firewall: traffic initiated from a higher security level toward a lower one is permitted by default and its return traffic is allowed back by the connection table, but anything initiated from a lower level toward a higher one (outside to inside, or DMZ to inside) is dropped until an access list applied to the lower-security interface permits it. The EIGRP exchange itself is not affected, because hellos and updates are addressed to the ASA and are not subject to the interface access lists. Second, this lab runs EIGRP without authentication, so any device on the inside or DMZ segment can form an adjacency with ASA1 and inject routes, including a competing default route. In production, enable EIGRP MD5 authentication on the ASA interfaces and on the routers, and protect the key like the other secrets discussed in the Master Passphrase section below.
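The following Python script is an added example, not part of the original tutorial. It parses the route tables shown above (trimmed copies of the ASA show route and IOS show ip route output) and confirms that each device's only default route is the one we expect: the static on ASA1, and the EIGRP-external route learned from ASA1 (D*EX, administrative distance 170) on the routers. Because this lab runs EIGRP without authentication, any host on the inside or DMZ segment could advertise a competing 0.0.0.0/0, so the same check is what you would run against periodic route-table captures. The expected next hops and route codes come from the outputs above; the rogue neighbor 192.168.1.250 and its route line are constructed for the demonstration.

```python
"""Verify where each device's default route comes from (EIGRP lab above)."""
import re

# One learned route per line: code, prefix (with /len or dotted mask), [AD/metric],
# next hop, optional uptime (absent for ASA statics) and egress interface.
ROUTE_RE = re.compile(
    r"^\s*(?P<code>[A-Z*]+(?: [A-Z0-9]+)?)\s+"            # D, S*, D*EX, O IA, ...
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:/(?P<plen>\d+)|\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:,\s*[\d:]+)?,\s*(?P<iface>\S+)\s*$",
    re.MULTILINE,
)

# Constructed samples: trimmed copies of the outputs shown above.
ASA_SHOW_ROUTE = """\
Gateway of last resort is 50.50.50.2 to network 0.0.0.0
C    50.50.50.0 255.255.255.0 is directly connected, outside
D    10.0.0.0 255.255.255.0 [90/30720] via 192.168.1.1, 0:19:52, inside
D    10.1.1.0 255.255.255.0 [90/30720] via 192.168.2.1, 0:19:53, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via 50.50.50.2, outside
"""

R1_SHOW_IP_ROUTE = """\
Gateway of last resort is 192.168.1.2 to network 0.0.0.0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.1.1.0 [90/33280] via 192.168.1.2, 00:20:44, FastEthernet0/0
C       10.0.0.0 is directly connected, FastEthernet1/0
D    192.168.2.0/24 [90/30720] via 192.168.1.2, 00:20:45, FastEthernet0/0
D*EX 0.0.0.0/0 [170/30720] via 192.168.1.2, 00:20:45, FastEthernet0/0
"""

# Constructed: the same router after an unauthenticated neighbor at 192.168.1.250
# injects its own default route (equal AD and metric, so IOS installs both).
R1_WITH_ROGUE_DEFAULT = R1_SHOW_IP_ROUTE + (
    "D*EX 0.0.0.0/0 [170/30720] via 192.168.1.250, 00:00:12, FastEthernet0/0\n"
)


def parse_routes(output):
    """Return one dict per learned route. Connected routes carry no [AD/metric]
    and are skipped; a default route is 0.0.0.0 with /0 or mask 0.0.0.0."""
    routes = []
    for m in ROUTE_RE.finditer(output):
        r = m.groupdict()
        r["ad"], r["metric"] = int(r["ad"]), int(r["metric"])
        r["is_default"] = r["prefix"] == "0.0.0.0" and (
            r["plen"] == "0" or r["mask"] == "0.0.0.0")
        routes.append(r)
    return routes


def check_default_route(output, expected_nexthop, expected_code):
    """Return a list of findings; empty means exactly the expected default exists."""
    defaults = [r for r in parse_routes(output) if r["is_default"]]
    findings = []
    if not defaults:
        findings.append("no default route installed")
    for r in defaults:
        if r["nexthop"] != expected_nexthop:
            findings.append(
                f"default route via unexpected next hop {r['nexthop']} "
                f"({r['code']}, AD {r['ad']}, {r['iface']})")
        elif r["code"] != expected_code:
            findings.append(
                f"default route via {r['nexthop']} has source {r['code']}, "
                f"expected {expected_code}")
    return findings


if __name__ == "__main__":
    for name, text, nh, code in (
        ("ASA1", ASA_SHOW_ROUTE, "50.50.50.2", "S*"),
        ("R1", R1_SHOW_IP_ROUTE, "192.168.1.2", "D*EX"),
        ("R1 (rogue)", R1_WITH_ROGUE_DEFAULT, "192.168.1.2", "D*EX"),
    ):
        print(name, check_default_route(text, nh, code) or "OK")
```

On the lab devices the first two checks come back clean; the third reports the route from 192.168.1.250, which is the signature of a rogue neighbor in an unauthenticated EIGRP domain.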

Cisco ASA 5505 DMZ with Private VLAN Configuration

The ASA 5505 is the only ASA model with an integrated 8-port switch. All of its interfaces are Layer 2 switch ports, so they support some features familiar from Cisco switches. One of them is the protected port (the same idea as the PVLAN edge feature on Catalyst switches), which this article refers to as "Private VLAN".

The idea is very useful in a DMZ. Consider a firewall with an outside interface connected to the Internet, an inside interface connected to the trusted LAN, and a DMZ interface connected to a subnet hosting several publicly reachable servers (a web server, a mail server and so on). The DMZ servers all share one subnet, so if one of them is compromised, the attacker can use that server as a stepping stone and reach the other DMZ servers directly at Layer 2, without ever crossing the firewall.

Protected ports mitigate this. The DMZ servers keep the same Layer 2 VLAN and the same Layer 3 subnet, but once each DMZ switch port is configured as protected, the servers can no longer communicate with each other through the switch.

Let’s see a diagram below to explain this concept.

asa5505 dmz with private vlan

Let’s say we have an ASA5505 with three security Zones:

  • Outside Zone: Interface E0/0 in VLAN 10
  • Inside Zone: Interface E0/1 in VLAN 20
  • DMZ Zone: Interfaces E0/2, E0/3 in VLAN 30

Notice that the DMZ holds two publicly accessible servers (web and mail) that belong to the same Layer 2 VLAN (VLAN 30) and the same Layer 3 subnet (10.0.0.0/24).

Without protected ports, a compromised web or mail server gives the attacker a direct path to the other DMZ server. With protected ports, the web and mail servers cannot communicate with each other even though they share a VLAN and a subnet, while the other zones (outside and inside) still reach the DMZ, and the DMZ reaches them, subject to the ASA's normal security-level and access-list rules.

Configuration:

We are not going to see the complete config here, just the part that has to do with Private Vlan setup.

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 10
ASA5505(config-if)# no shutdown

ASA5505(config-if)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 20
ASA5505(config-if)# no shutdown

ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected

ASA5505(config-if)# interface ethernet 0/3
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected

The command "switchport protected" turns the physical port into a protected port. Protected ports on the same switch do not forward traffic to one another at Layer 2 (unicast, broadcast or multicast), while each still communicates normally with unprotected ports, including the ASA's own VLAN interface. This is a Layer 2 control on the 5505's switch and not the full private VLAN model (primary, isolated and community VLANs) of larger Catalyst switches; it limits lateral movement between the DMZ hosts but does not replace host hardening or per-server access lists.

Cisco ASA Master PassPhrase

There are several Cisco ASA features whose configuration requires a password or secret key. Examples include:

  • VPN pre-shared keys (for site-to-site IPsec VPN or for remote access).
  • The AAA server shared secret used to communicate with a RADIUS server.
  • Routing protocol authentication keys (OSPF, EIGRP).
  • The secret key for failover communication.
  • The password used to communicate with a log server.
  • The VPN load-balancing key.
  • And others.

All of the above may be masked when you view the running configuration with "show run" (most of them appear as *****), but they are NOT encrypted in the configuration file itself. If you copy the configuration to an external TFTP server, for example, all of these passwords and secret keys appear in clear text in the resulting file.

Likewise, the command "more system:running-config" shows the running configuration with every password in plain text.

To store all of these secrets in encrypted form in the configuration file, use the "Master Passphrase" feature. The master passphrase is a key from which the ASA derives the AES encryption applied to these passwords and keys, without changing how they function. The feature is available from version 8.3(1) onward.

Configuration

1) Create the master passphrase. It must be 8 to 128 characters long and may not contain a backspace or a double quote. The ASA prompts for it twice and does not echo it; the value is shown here only for illustration. Choose a long, random passphrase and keep it in a vault, because it cannot be recovered from the device (see the notes below).

ASA(config)# key config-key password-encryption
New key: verystrongkey
Confirm key: verystrongkey

The above creates the Master Passphrase. Next we need to enable AES password encryption for all passwords:

2) Enable Password Encryption and save the configuration

ASA(config)# password encryption aes
ASA(config)# write mem

Notes:

  • To remove the master passphrase use "no key config-key password-encryption [current passphrase]".
  • If the master passphrase is lost, the encrypted secrets cannot be recovered; you must erase the configuration and reboot the ASA: "write erase" and then "reload".
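As an added example, not code from the original article, the Python scanner below does what the warning above implies you should do before a configuration backup leaves the device: it reads an exported ASA configuration and reports every secret-bearing command whose value is not the ***** mask that show run prints, and whether the password encryption aes command is present. The command families follow the ASA CLI for the items listed above (ospf message-digest-key as used on this page, authentication key eigrp, ikev1/ikev2 pre-shared-key, the key line under an aaa-server host, and failover key). The configuration text is constructed for the example, and the presence check only tells you the feature is enabled, not that every individual value has been rewritten, so review anything the scanner reports.

```python
"""Report clear-text secrets in an exported Cisco ASA configuration."""
import re

MASK = "*****"   # what `show running-config` prints in place of a secret

# (kind, pattern): group 1 captures the secret value. ASA CLI forms covered:
#   ospf message-digest-key <id> md5 <key>            (interface, as on this page)
#   authentication key eigrp <as> <key> key-id <id>   (interface)
#   ikev1 pre-shared-key <key>, ikev2 local|remote-authentication pre-shared-key <key>
#   failover key <key>
#   key <key>                                         (inside an aaa-server ... host block)
SECRET_PATTERNS = (
    ("OSPF MD5 key", re.compile(r"^\s*ospf message-digest-key \d+ md5 (\S+)")),
    ("EIGRP MD5 key", re.compile(r"^\s*authentication key eigrp \d+ (\S+) key-id \d+")),
    ("IKE pre-shared key", re.compile(
        r"^\s*(?:ikev1 |ikev2 (?:local|remote)-authentication )?pre-shared-key (\S+)")),
    ("failover key", re.compile(r"^\s*failover key (\S+)")),
    ("AAA server key", re.compile(r"^\s*key (\S+)")),   # only inside an aaa-server host block
)
AAA_HOST_RE = re.compile(r"^aaa-server \S+ \(\S+\) host \S+")


def scan_config(config_text):
    """Return (line_number, kind, value) for every secret not masked as *****."""
    findings = []
    in_aaa_host = False
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if AAA_HOST_RE.match(line):
            in_aaa_host = True
        elif not line.startswith(" "):
            in_aaa_host = False            # an unindented line ends the host sub-block
        for kind, pattern in SECRET_PATTERNS:
            if kind == "AAA server key" and not in_aaa_host:
                continue
            m = pattern.match(line)
            if m:
                if m.group(1) != MASK:
                    findings.append((lineno, kind, m.group(1)))
                break
    return findings


def password_encryption_enabled(config_text):
    """True when `password encryption aes` is in the configuration. The master
    passphrase itself is never written to the config, so this is the only trace."""
    return re.search(r"^password encryption aes\s*$", config_text, re.M) is not None


# Constructed backup as a TFTP copy or `more system:running-config` would show it.
CLEAR_BACKUP = """\
hostname ASA1
interface Ethernet0/0
 nameif outside
 ospf message-digest-key 1 md5 cisco
 ospf authentication message-digest
interface Ethernet0/1
 nameif inside
 authentication key eigrp 10 e1grp-k3y key-id 1
 authentication mode eigrp 10 md5
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.10
 key r4dius-s3cret
failover key f41l0v3r-k3y
tunnel-group 203.0.113.9 type ipsec-l2l
tunnel-group 203.0.113.9 ipsec-attributes
 ikev1 pre-shared-key s1te2s1te
"""

# Constructed `show run` view of a box with the master passphrase feature enabled.
MASKED_SHOW_RUN = """\
password encryption aes
interface Ethernet0/0
 ospf message-digest-key 1 md5 *****
aaa-server RADIUS (inside) host 192.168.1.10
 key *****
failover key *****
tunnel-group 203.0.113.9 ipsec-attributes
 ikev1 pre-shared-key *****
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_config(CLEAR_BACKUP):
        print(f"line {lineno}: {kind} in clear text ({value})")
    print("password encryption aes configured:", password_encryption_enabled(CLEAR_BACKUP))
```

Run it as a pre-commit hook or a step in the backup job; a backup that yields findings and reports False for the encryption check is exactly the file the article warns about.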

How to Configure OSPF on Cisco ASA Firewall

Cisco Adaptive Security Appliance (ASA) is quite a versatile device integrating application-aware firewall, SSL and IPsec VPN, intrusion prevention system (IPS), antivirus, antispam, antiphishing, and web filtering services. Cisco ASA also supports routing protocols such as Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), and last but not least, Open Shortest Path First (OSPF). In this tutorial, our focus will be OSPF configuration on Cisco ASA according to the figure below.

Figure 1 OSPF on Cisco ASA


Note that R1's configuration is not relevant to this scenario; R1 is shown only for completeness. We start by configuring OSPF on routers R2 and R3, including MD5 authentication for OSPF on Fa0/0 of R2 and R3 with cisco as the authentication key. The key is a lab placeholder: in production use a long key that differs per segment, and remember that MD5 authentication only proves that a neighbor holds the key; it does not encrypt the routing exchange.

Here’s the configuration for R2:

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 202.49.12.2 255.255.255.0
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config-if)#exit


R2(config)#interface Loopback0
R2(config-if)#ip address 10.10.2.2 255.255.255.0
R2(config-if)#exit


R2(config)#router ospf 1
R2(config-router)#network 202.49.12.0 0.0.0.255 area 0
R2(config-router)#network 10.10.2.0 0.0.0.255 area 0
R2(config-router)#end

Here goes the configuration for R3:

R3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface FastEthernet0/0
R3(config-if)#ip address 202.49.13.3 255.255.255.0
R3(config-if)#ip ospf authentication message-digest
R3(config-if)#ip ospf message-digest-key 1 md5 cisco
R3(config-if)#exit


R3(config)#interface Loopback0
R3(config-if)#ip address 10.10.3.3 255.255.255.0
R3(config-if)#exit


R3(config)#router ospf 1
R3(config-router)#network 202.49.13.0 0.0.0.255 area 1
R3(config-router)#network 10.10.3.0 0.0.0.255 area 1
R3(config-router)#end

Let's now move to the interesting part and configure the Cisco ASA. We first configure the interface IP addresses, assigning Ethernet0/0, Ethernet0/1 and Ethernet0/2 to the outside, inside and DMZ (demilitarized zone) zones respectively. The inside and outside interfaces receive their default security levels of 100 and 0 automatically when they are named. The higher the security level, the more trusted the network behind the interface: the most trusted network sits behind the interface with security level 100 and the least trusted behind the one with security level 0. A DMZ interface can be given any level between 0 and 100.

We assign the DMZ interface a security level of 50 with the security-level command. We also configure MD5 authentication for OSPF on the outside and DMZ interfaces, again with cisco as the key, matching R2 and R3; the key must be identical on both ends of each segment. Toward the end of the configuration below, the outside and DMZ networks are placed in their OSPF areas with the network command (note that the ASA takes a subnet mask here, not the IOS-style wildcard mask).

ASA1# configure terminal
ASA1(config)# interface Ethernet0/0
ASA1(config-if)# ip address 202.49.12.1 255.255.255.0
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco
ASA1(config-if)# exit

ASA1(config)# interface Ethernet0/1
ASA1(config-if)# ip address 192.168.1.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# exit

ASA1(config)# interface Ethernet0/2
ASA1(config-if)# ip address 202.49.13.1 255.255.255.0
ASA1(config-if)# nameif DMZ
ASA1(config-if)# security-level 50
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco
ASA1(config-if)# exit

ASA1(config)# router ospf 1
ASA1(config-router)# network 202.49.12.0 255.255.255.0 area 0
ASA1(config-router)# network 202.49.13.0 255.255.255.0 area 1
ASA1(config-router)#end
ASA1#
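The following Python program is an added example, not part of the original article, showing what ospf message-digest-key 1 md5 cisco actually puts on the wire. OSPFv2 cryptographic authentication (RFC 2328, Appendix D) sets AuType 2, carries the key ID, a 16-byte authentication data length and a cryptographic sequence number in the header's authentication field, leaves the checksum at zero, and appends MD5(packet || key zero-padded to 16 bytes) after the packet. The code builds the Hello ASA1 would send on the DMZ segment (router ID and addresses from the figure above; the options byte and sequence number are arbitrary choices), signs it, verifies it the way a neighbor does including the replay check on the sequence number, and then runs the offline dictionary check anyone who captures a single Hello can run. That last function is why cisco, or any word on a list, is a lab-only key.

```python
"""OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

OSPF_VERSION = 2
OSPF_HELLO = 1
OSPF_HEADER_LEN = 24
AUTYPE_CRYPTOGRAPHIC = 2   # AuType 2: cryptographic authentication
DIGEST_LEN = 16            # Auth Data Len for MD5


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_ospf_hello(router_id: str, area: int, network_mask: str, *,
                     hello_interval: int = 10, dead_interval: int = 40,
                     priority: int = 1, options: int = 0x02,
                     dr: str = "0.0.0.0", bdr: str = "0.0.0.0",
                     neighbors=(), key_id: int = 1, crypt_seq: int = 1) -> bytes:
    """Unsigned Hello whose authentication field already holds the AuType-2 block:
    0x0000, Key ID, Auth Data Len (16), cryptographic sequence number."""
    body = _ip(network_mask)
    body += struct.pack("!HBBI", hello_interval, options, priority, dead_interval)
    body += _ip(dr) + _ip(bdr) + b"".join(_ip(n) for n in neighbors)
    length = OSPF_HEADER_LEN + len(body)          # excludes the digest trailer
    # Checksum stays 0: it is not computed when AuType is cryptographic.
    header = struct.pack("!BBH4sIHH", OSPF_VERSION, OSPF_HELLO, length,
                         _ip(router_id), area, 0, AUTYPE_CRYPTOGRAPHIC)
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, crypt_seq)
    return header + body


def _padded_key(key: bytes) -> bytes:
    """Keys are exactly 16 bytes on the wire; shorter ones are zero-padded (D.3)."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 authentication keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def md5_sign(packet: bytes, key: bytes) -> bytes:
    """Sender side: append MD5(packet || padded key). The header length excludes it."""
    return packet + hashlib.md5(packet + _padded_key(key)).digest()


def md5_verify(signed: bytes, key: bytes, last_seq: int = -1) -> bool:
    """Receiver side: check the header fields, the non-decreasing sequence number
    (replay protection) and the digest, comparing in constant time."""
    if len(key) > DIGEST_LEN or len(signed) < OSPF_HEADER_LEN + DIGEST_LEN:
        return False
    version, _, length, _, _, checksum, autype = struct.unpack("!BBH4sIHH", signed[:16])
    _, _, auth_len, seq = struct.unpack("!HBBI", signed[16:24])
    if (version, autype, auth_len, checksum) != (
            OSPF_VERSION, AUTYPE_CRYPTOGRAPHIC, DIGEST_LEN, 0):
        return False
    if len(signed) != length + DIGEST_LEN or seq < last_seq:
        return False
    expected = hashlib.md5(signed[:length] + _padded_key(key)).digest()
    return hmac.compare_digest(expected, signed[length:])


def recover_key(signed: bytes, wordlist) -> Optional[bytes]:
    """What an eavesdropper does with one captured Hello: try candidate keys
    offline. MD5 over ~70 bytes is cheap, so a dictionary word falls quickly."""
    for candidate in wordlist:
        if md5_verify(signed, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # ASA1's Hello on the DMZ segment: router ID and addresses from the figure above.
    hello = build_ospf_hello("202.49.13.1", 1, "255.255.255.0",
                             dr="202.49.13.1", bdr="202.49.13.3",
                             neighbors=["10.10.3.3"], crypt_seq=1)
    signed = md5_sign(hello, b"cisco")
    print("verifies with configured key:", md5_verify(signed, b"cisco"))
    print("recovered from wordlist:", recover_key(signed, [b"admin", b"password", b"cisco"]))
```

The sequence number check is what stops a captured Hello from being replayed later; it does nothing against an attacker who has recovered the key, which is the case recover_key demonstrates.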

Let’s now verify that ASA1 has indeed established OSPF adjacency with R2 and R3 using show ospf neighbor command.

ASA1# show ospf neighbor

Neighbor ID    Pri   State        Dead Time   Address         Interface

10.10.2.2        1   FULL/DR      0:00:32     202.49.12.2     outside
10.10.3.3        1   FULL/BDR     0:00:38     202.49.13.3     DMZ

The output above shows that OSPF neighbor relationships with both R2 and R3 have been successfully established. Use the show ospf interface command for more detail, including the authentication status on each interface.

ASA1# show ospf interface

outside is up, line protocol is up
  Internet Address 202.49.12.1 mask 255.255.255.0, Area 0
  Process ID 1, Router ID 202.49.13.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 10.10.2.2, Interface address 202.49.12.2
  Backup Designated router (ID) 202.49.13.1, Interface address 202.49.12.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 0:00:00
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 2, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.10.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

You can also use show ip ospf interface brief and show ip ospf neighbor commands on R2 and/or R3. We are showing the output of these two commands for R2 here.

R2#show ip ospf neighbor

Neighbor ID  Pri  State     Dead Time   Address         Interface
202.49.13.1  1    FULL/BDR  00:00:30    202.49.12.1     FastEthernet0/0

R2#show ip ospf interface brief

Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C

Lo0          1     0               10.10.2.2/24       1     LOOP  0/0
Fa0/0        1     0               202.49.12.2/24     1     DR    1/1

We can expect that R2, R3, and ASA1 may also have learned some OSPF routes by now. Let’s verify that by using show ip route command on R2 first.

R2#show ip route

<Some output omitted for brevity>

Gateway of last resort is not set

C    202.49.12.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O IA    10.10.3.3/32 [110/12] via 202.49.12.1, 02:01:57, FastEthernet0/0
C       10.10.2.0/24 is directly connected, Loopback0
O IA 202.49.13.0/24 [110/11] via 202.49.12.1, 02:02:01, FastEthernet0/0

Please feel free at this point to use show ip route command on R3 as well. We can use show route command on ASA1 to find out which routes it has learned over OSPF.

ASA1# show route

<Some output omitted for brevity>

Gateway of last resort is not set

C    202.49.12.0 255.255.255.0 is directly connected, outside
O    10.10.3.3 255.255.255.255 [110/11] via 202.49.13.3, 2:03:52, DMZ
O    10.10.2.2 255.255.255.255 [110/11] via 202.49.12.2, 2:11:30, outside
C    202.49.13.0 255.255.255.0 is directly connected, DMZ
C    192.168.1.0 255.255.255.0 is directly connected, inside

OSPF routing looks good at this stage, yet a ping from R2 to R3, or the reverse, may still fail. On the ASA, traffic from a higher security level interface to a lower one needs no ACL by default, but traffic entering a lower security level interface (outside, level 0) toward a higher one (DMZ, level 50) is dropped unless an ACL applied to that interface explicitly permits it. The same applies to the echo replies coming back from R2: the ASA does not track ICMP statefully unless inspect icmp is enabled in the service policy, so without inspection the replies to pings sent from the DMZ side must also be permitted inbound on outside, which is what the second line below does. Here is an ACL applied inbound on the outside interface that, for the purpose of this example, allows ICMP from outside to 10.10.3.3 in the DMZ and allows echo replies back in.

access-list OUTSIDE-IN extended permit icmp any host 10.10.3.3
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-group OUTSIDE-IN in interface outside

Let's ping Loopback0 on R3 from R2 and Loopback0 on R2 from R3 to confirm end-to-end reachability.

R2#ping 10.10.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/40 ms

R3#ping 10.10.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/44 ms

Comparison of Cisco ASA Software Versions

As the Cisco ASA line grew and new form factors were added, confusion about which software release supports which model became inevitable. Not long ago there was only the Cisco PIX series, which was replaced by the successful Cisco ASA 5500 series firewalls. Now there are also the next-generation 5500-X series, the ASA running as a service module in the Catalyst 6500, and the ASA 1000V cloud firewall. At the time of writing each type had its own software train, as shown below. All of the 8.x trains have since reached end of software maintenance, so consult Cisco's current release notes and end-of-life bulletins before choosing a version.

ASA Type/Model                                                              ASA Software Version
Cisco ASA 5500 Series (5505, 5510, 5520, 5540, 5550, 5580)                  8.4(x)
Cisco Catalyst 6500 Series ASA Services Module                              8.5(x)
Cisco ASA 5500-X Series (5512-X, 5515-X, 5525-X, 5545-X, 5555-X)            8.6(x)
ASA 1000V cloud and virtual firewall                                        8.7(x)
ASA 5500, ASA 5500-X and 6500 Services Module (unified train)               9.0(x)