Cisco Archives

Cisco ASA 5505 DMZ with Private VLAN Configuration

The ASA 5505 is the only model that has an 8-port switch embedded in the device. All interfaces of the ASA5505 are Layer2 switch ports and thus they support some features that you can find on Cisco switches. One of these features is called “Private Vlan”.

The concept of “Private VLAN” is very useful in DMZ environments. Here is how it can be used: Let’s say you have a firewall with an Outside interface connected to Internet, an Inside interface connected to the secure LAN, and a DMZ Interface connected to a subnet which is hosting several publicly accessible servers (e.g Web Server, Email server etc). The DMZ servers are all on the same network subnet. Thus, if one of the DMZ servers gets compromised, then the attacker can easily use this hacked server as a “stepping-stone” to access the other servers in the DMZ.

The above situation can be mitigated by using “Private VLANs”. Although the DMZ Layer2 VLAN number and Layer3 subnet will be the same for all servers, by designating each switch port of the DMZ as “Private VLAN” then the servers in the DMZ will not be allowed to communicate with each other.

Let’s see a diagram below to explain this concept.

asa5505 dmz with private vlan

Let’s say we have an ASA5505 with three security Zones:

  • Outside Zone: Interface E0/0 in VLAN 10
  • Inside Zone: Interface E0/1 in VLAN 20
  • DMZ Zone: Interfaces E0/2, E0/3 in VLAN 30

Notice that in DMZ we have 2 publicly accessible servers (Web and Email Server) that they both belong in the same Layer2 vlan (VLAN30) and the same Layer3 network subnet (10.0.0.0/24).

If we don’t configure “Private Vlans”, then if the Web or Email server gets hacked, the attacker can access the other DMZ server as well. With Private VLANs, the Web and Email Servers can NOT communicate with each other although they are on the same Vlan and subnet. However, all other zones (outside and inside) are able to access the DMZ zone (and vice-versa) with no problems.

Configuration:

We are not going to see the complete config here, just the part that has to do with Private Vlan setup.

ASA5505(config)# interface ethernet 0/0
ASA5505(config-if)# switchport access vlan 10
ASA5505(config-if)# no shutdown

ASA5505(config-if)# interface ethernet 0/1
ASA5505(config-if)# switchport access vlan 20
ASA5505(config-if)# no shutdown

ASA5505(config-if)# interface ethernet 0/2
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected

ASA5505(config-if)# interface ethernet 0/3
ASA5505(config-if)# switchport access vlan 30
ASA5505(config-if)# no shutdown
ASA5505(config-if)# switchport protected

The command “switchport protected“ configures the specific physical ports as “Private VLANs”. All ports that are configured as Private Vlans can not communicate with each other.

Cisco ASA Master PassPhrase

There are several configuration features on Cisco ASA that require some sort of password or secret-key that you need to enter. Some examples include:

  • VPN pre-shared keys (either for site-to-site IPSEC VPN or for Remote Access).
  • AAA server secret key when communicating with a RADIUS server.
  • Routing Protocols keys (for OSPF, EIGRP).
  • Secret key for failover communication.
  • Password to communicate with a Log Server.
  • VPN Load Balancing key
  • Etc

All the above might be hidden when you view the running configuration (by executing “show run”) however they are NOT encrypted inside the configuration file. For example, if you copy the configuration to an external TFTP Server, all the above passwords and secret-keys will be shown as clear text in the configuration file.

Moreover, when you execute the command “more system:running-config” you will also be able to view the running configuration with all passwords as plain text.

If you want to store all the above passwords in encrypted format in the configuration file, you can use the “Master Passphrase” feature. The master passphrase provides a key that is used to universally encrypt or mask all passwords, without changing their functionality. This feature is available from version 8.3(1) and above.

Configuration

1) Create the Master Passphrase. This must be between 8-128 characters. Do not use backspace or double quote.

ASA(config)# key config-key password-encryption
New key: verystrongkey
Confirm key: verystrongkey

The above creates the Master Passphrase. Next we need to enable AES password encryption for all passwords:

2) Enable Password Encryption and save the configuration

ASA(config)# password encryption aes
ASA(config)# write mem

NOTEs:

  • If you want to remove the master passphrase use “no key config-key password-encryption [current passphrase]”
  • If you have lost the master passphrase, you must erase the configuration and reboot the ASA: “write erase” and then “reload”.

How to Configure OSPF on Cisco ASA Firewall

Cisco Adaptive Security Appliance (ASA) is quite a versatile device integrating application-aware firewall, SSL and IPsec VPN, intrusion prevention system (IPS), antivirus, antispam, antiphishing, and web filtering services. Cisco ASA also supports routing protocols such as Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), and last but not least, Open Shortest Path First (OSPF). In this tutorial, our focus will be OSPF configuration on Cisco ASA according to the figure below.

Figure 1 OSPF on Cisco ASA

asa ospf configuration

Please note that configuration on R1 is not relevant to this scenario and R1 is just shown for the sake of completeness. We will start by configuring OSPF on routers R2 and R3. We would also configure MD5 authentication for OSPF on Fa0/0 of R2 and R3, using cisco as the authentication key.

Here’s the configuration for R2:

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 202.49.12.2 255.255.255.0
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco
R2(config-if)#exit


R2(config)#interface Loopback0
R2(config-if)#ip address 10.10.2.2 255.255.255.0
R2(config-if)#exit


R2(config)#router ospf 1
R2(config-router)#network 202.49.12.0 0.0.0.255 area 0
R2(config-router)#network 10.10.2.0 0.0.0.255 area 0
R2(config-router)#end

Here goes the configuration for R3:

R3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface FastEthernet0/0
R3(config-if)#ip address 202.49.13.3 255.255.255.0
R3(config-if)#ip ospf authentication message-digest
R3(config-if)#ip ospf message-digest-key 1 md5 cisco
R3(config-if)#exit


R3(config)#interface Loopback0
R3(config-if)#ip address 10.10.3.3 255.255.255.0
R3(config-if)#exit


R3(config)#router ospf 1
R3(config-router)#network 202.49.13.0 0.0.0.255 area 1
R3(config-router)#network 10.10.3.0 0.0.0.255 area 1
R3(config-router)#end

Let’s now move to the interesting part where we configure Cisco ASA. We will first configure interface IP addresses, at the same time assigning Ethernet0/0, Ethernet0/1, and Ethernet 0/2 to outside, inside, and DMZ (de-militarized zone) zones, respectively. Inside and outside interfaces are assigned default security levels of 100 and 0 automatically. The higher the security level, the more secure an interface is. Therefore, the most secured network is placed behind an interface with a security level of 100, whereas the least secured network is placed behind an interface with a security level of 0. A DMZ interface can be assigned a security level between 0 and 100.

We assign a security level of 50 to the DMZ interface using the security-level command. We also configure MD5 authentication for OSPF on the outside and DMZ interfaces choosing cisco as the authentication key. Toward the end of configuration given below, both outside and DMZ interfaces are assigned to the appropriate OSPF area using network command.

ASA1# configure terminal
ASA1(config)# interface Ethernet0/0
ASA1(config-if)# ip address 202.49.12.1 255.255.255.0
ASA1(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco
ASA1(config-if)# exit

ASA1(config)# interface Ethernet0/1
ASA1(config-if)# ip address 192.168.1.1 255.255.255.0
ASA1(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASA1(config-if)# exit

ASA1(config)# interface Ethernet0/2
ASA1(config-if)# ip address 202.49.13.1 255.255.255.0
ASA1(config-if)# nameif DMZ
ASA1(config-if)# security-level 50
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco
ASA1(config-if)# exit

ASA1(config)# router ospf 1
ASA1(config-router)# network 202.49.12.0 255.255.255.0 area 0
ASA1(config-router)# network 202.49.13.0 255.255.255.0 area 1
ASA1(config-router)#end
ASA1#

Let’s now verify that ASA1 has indeed established OSPF adjacency with R2 and R3 using show ospf neighbor command.

ASA1# show ospf neighbor

Neighbor ID    Pri   State        Dead Time   Address         Interface

10.10.2.2        1   FULL/DR      0:00:32     202.49.12.2     outside
10.10.3.3        1   FULL/BDR     0:00:38     202.49.13.3     DMZ

The above output indicates that OSPF neighbor relationships have been succesfully established with both R2 and R3. You can use show ospf interface command to find out more details such as OSPF neighbor authentication status.

ASA1# show ospf interface

outside is up, line protocol is up
Internet Address 202.49.12.1 mask 255.255.255.0, Area 0
Process ID 1, Router ID 202.49.13.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 10.10.2.2, Interface address 202.49.12.2
Backup Designated router (ID) 202.49.13.1, Interface address 202.49.12.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:00
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.10.2.2  (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

 

You can also use show ip ospf interface brief and show ip ospf neighbor commands on R2 and/or R3. We are showing the output of these two commands for R2 here.

R2#show ip ospf neighbor

Neighbor ID  Pri  State     Dead Time   Address         Interface
202.49.13.1  1    FULL/BDR  00:00:30    202.49.12.1     FastEthernet0/0

R2#show ip ospf interface brief

Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C

Lo0          1     0               10.10.2.2/24       1     LOOP  0/0
Fa0/0        1     0               202.49.12.2/24     1     DR    1/1

We can expect that R2, R3, and ASA1 may also have learned some OSPF routes by now. Let’s verify that by using show ip route command on R2 first.

R2#show ip route

<Some output omitted for brevity>

Gateway of last resort is not set

C    202.49.12.0/24 is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O IA   10.10.3.3/32 [110/12] via 202.49.12.1, 02:01:57, FastEthernet0/0
C      10.10.2.0/24 is directly connected, Loopback0
O IA 202.49.13.0/24 [110/11] via 202.49.12.1, 02:02:01, FastEthernet0/0

 

Please feel free at this point to use show ip route command on R3 as well. We can use show route command on ASA1 to find out which routes it has learned over OSPF.

ASA1# show route

<Some output omitted for brevity>

Gateway of last resort is not set

C    202.49.12.0 255.255.255.0 is directly connected, outside
O    10.10.3.3 255.255.255.255 [110/11] via 202.49.13.3, 2:03:52, DMZ
O    10.10.2.2 255.255.255.255 [110/11] via 202.49.12.2, 2:11:30, outside
C    202.49.13.0 255.255.255.0 is directly connected, DMZ
C    192.168.1.0 255.255.255.0 is directly connected, inside

Though OSPF routing is looking good at this stage, we may not yet be able to ping from R2 to R3 or vice versa. On Cisco ASA, you do not need to define an ACL to permit traffic from a high security level interface to a low security level interface by default. However, an ACL must explicitly permit traffic from a low security level interface (such as outside with security level 0) to a high security level interface (such as DMZ with security level 50). Here is how we configure an ACL and apply it inbound to the outside interface to allow incoming traffic. Just for example purposes, we will allow icmp traffic from outside to IP 10.10.3.3 in DMZ.

access-list OUTSIDE-IN extended permit icmp any host 10.10.3.3
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-group OUTSIDE-IN in interface outside

Let’s try to ping from R2 to Loopback0 on R3 and vice versa, in order to seal the deal.

R2#ping 10.10.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/40 ms

R3#ping 10.10.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/44 ms

Comparison of Cisco ASA Software Versions

With the expansion of Cisco ASA models and the addition of new types of devices, it is inevitable to have also a confusion about which software version is supported for each model. A few years ago we had only the Cisco PIX series which were replaced by the successful Cisco ASA 5500 series firewalls. Now we have also the next generation 5500-X series and also we have ASA running on 6500 as service module and also the ASA 1000V cloud firewall. Each type has its own software version as shown below:

 

ASA Type/Model

ASA Software Version

Cisco ASA 5500 Series (5505, 5510, 5520, 5540, 5550, 5580) ASA Version 8.4(x)
Cisco Catalyst 6500 Series ASA Services Module ASA Version 8.5(x)
Cisco ASA 5500-X Series (ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X) ASA Version 8.6(x)
ASA 1000V cloud and virtual firewall ASA Version 8.7(x)
All product series ASA 5500, ASA 5500-X and 6500 Service Module ASA Version 9.0(x)

 

How to block HTTP DDoS Attack with Cisco ASA Firewall

Denial of Service attacks (DoS) are very common these days. Especially Distributed DoS attacks (called also DDoS) can be executed quite easily by attackers who own large networks of BotNets. Thousands of malware-infected computers (which comprise the so called “BotNets”) are controlled by attackers and can be instructed to start attacks at any target.

Usually WebSites are targeted more frequently. Bringing down a website can have a negative effect to the image (in addition to any financial loss) of the company owing the site. A DDoS attack can be purely “volumetric”, which means that the attacker just sends high volume of packets as quickly as possible to flood the bandwidth of the “pipe” connecting the website to the Internet. Also, DDoS attacks can be “Application Resource Exhaustion” which means that the attacking computers create thousands of application requests (e.g HTTP Requests) to a server, thus consuming the application resources.

A Cisco ASA Firewall can not help much in a “volumetric” DDoS attack. In such an attack, a dedicated DDoS device is needed or your ISP must do some kind of rate limiting to mitigate the attack. However, for “Application Exhaustion” attacks a Cisco ASA can help to some extend with HTTP inspection using the Modular Policy Framework mechanism of ASA. This is what we are going to describe in this article.

Usually, HTTP Application DDoS attacks have a pattern or string which helps you distinguish the attacking HTTP requests from other legitimate requests. For example, HTTP attacking packets might have a common parameter or string, which can be for example the same “User-Agent” used by the attacking script, a common POST or GET URI request, some other HTTP header parameters etc. With the ASA HTTP inspection feature you can match on this common pattern in the HTTP packet thus filter-out the attacking packets and drop them.

Recently I was engaged to help mitigate a DDoS attack on a webserver. I observed from the Apache logs that the attacking HTTP requests were all targeting the website on the same URL string, such as http://www.website.com/xyz123.  The string “xyz123” was the common pattern for all malicious HTTP requests. Thus with a policy on ASA you can match on the unique string above and drop the packets that have this string in the HTTP URI.

Lets see a diagram and configuration below:

asa ddos http protection

ASA Configuration:

!First create a regular expression with the unique attack string
regex attackstring xyz123

!Create an ACL to match the HTTP traffic towards the target server
access-list HTTPTRAFFIC extended permit tcp any host 1.1.1.1 eq www

!Create a regular L3/L4 class to match the traffic above
class-map attackingtraffic
 match access-list HTTPTRAFFIC

!Now create an HTTP inspection policy to match on the unique attacking string
policy-map type inspect http HTTPDOS
 parameters
 match request uri regex attackstring
  drop-connection
 match request args regex attackstring
  drop-connection

!The following policy-map will include the L3/L4 class which will include the HTTP inspection policy
policy-map BLOCKDOS
 class attackingtraffic
  inspect http HTTPDOS

!Now attach the policy-map to the ASA outside interface to inspect Inbound traffic.
service-policy BLOCKDOS interface outside

If you enable logging on the drop-connection command (use “drop-connection log“), then you will start seeing logs that the ASA is dropping packets with the matched attacking HTTP string.

In this first Video Tutorial I will show you how to enable initial access to the ASA device in order to connect with ASDM graphical interface or with SSH. The network topology is shown below:

Cisco ASA ASDM Configuration

First we need to have console access (with a serial console cable) to the device in order to configure some initial settings to allow user access with ASDM or with SSH. We will configure Interface GigabitEthernet 5 as a management interface with IP address 10.10.10.1/24. Also, on the same subnet we have our management PC with IP address 10.10.10.10/24. The management PC is running also a TFTP server software (tftp32) which will be used to transfer the ASDM image to the ASA.

Below is the CLI configuration used in this initial setup (see video below also for more information):

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
! Configure an “enable password” which is the administrator password of the device
enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
! Configure IP address to Interface GigEth5 and put a high security level (90 is good).
! name also the interface as “management”
interface GigabitEthernet5
nameif management
security-level 90
ip address 10.10.10.1 255.255.255.0
!
ftp mode passive
pager lines 24
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1

! Tell the appliance where the asdm image is located.
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL

! SSH access will use the LOCAL username/password for authentication
aaa authentication ssh console LOCAL
! enable the HTTP service on the device so that you can connect to it for ASDM access
http server enable
! Tell the device which IP addresses are allowed to connect for HTTP (ASDM) access and from which interface
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
! Tell the device which IP addresses are allowed to connect for SSH access and from which interface.
ssh 10.10.10.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
! Configure a LOCAL username/password to be used for authentication.
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:0760c72b39dd8d7a479d517a65758f33
: end
ciscoasa#

NOTE:

To enable SSH access, we need to generate also SSH keys as following:

ciscoasa(config)# crypto key generate rsa modulus 1024
Keypair generation process begin. Please wait…
ciscoasa(config)#

And here is the video:

I have found the following informative video which shows how to physically install a Content Security Services (CSC) Module in a Cisco ASA 5510 firewall appliance, and also how to create the initial setup configuration of this module using the graphical ASDM GUI of ASA firewall.

The CSC module provides protection against Viruses, Spam, Spyware and other unwanted traffic that can be found in data flowing in and out of your network, so I think its one of the useful security controls that you can put in place to protect your network and data.

 Page 2 of 12 « 1  2  3  4  5 » ...  Last »