Cisco Archives

Site to Site VPN between Cisco ASA and Router

In this post we will configure Site-to-Site IPSEC VPN between a Cisco IOS Router and ASA Firewall. ASA configuration is not much different from Cisco IOS with regards to IPSEC VPN since the fundamental concepts are the same. Let’s start our LAB example and we’ll see how it’s done.

Consider the following diagram. The first site (Remote1) is equipped with a Cisco ASA firewall (any model) and the second site (Remote2) is equipped with a Cisco Router. Remember that a Cisco ASA firewall is by default capable to support IPSEC VPN but a Cisco Router must have the proper IOS software type in order to support encrypted VPN tunnels.

Equipment Used in this LAB:

  • ASA 5510 – Cisco Adaptive Security Appliance Software Version 8.0(3)
  • Cisco Router 2801 – C2801-ADVIPSERVICESK9-M Version 12.4(9)T4

Scenario:

LAN of Remote1 must be connected to LAN of Remote2 via VPN Tunnel. The most usual scenario is that the WAN cloud is the Internet, so secure connectivity shall be provided between the two LAN networks over the Internet.

First of all we shall make sure that the outside interfaces of ASA and router must be reachable over the WAN. Now let’s start IPSEC VPN configuration.

Cisco ASA Configuration

First I started ASA configuration.

I’ve created an Access list, which will match the interesting traffic which is the traffic to be encrypted. If source is 192.168.3.0/24 and destination is 192.168.4.0/24, then traffic will be matched by the access list as “interesting traffic” and will be encrypted and pass through the tunnel.

ASA(config)# access-list vpn extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

!IKE PHASE #1
! I’ve created a phase1 policy. This policy provides secured process of exchanging Keys.

ASA(config)# crypto isakmp policy 1

! For authentication I used Pre-shared. This method is most frequently used today.
ASA(config)# authentication pre-share

!For encryption I used 3des.
ASA(config)# encryption 3des

! Hashing md5.
ASA(config)# hash md5

! I used second group of diffie-hellman. Group1 is used by default. The most secured is Group5.
ASA(config)# group 2

! configure crypto key. The keys must match to each other between peers. Otherwise Phase1 will not be completed.
ASA(config)# crypto isakmp secretsharedkey address 192.168.2.2

NOTE: Crypto key is hidden in ASA configuration. If we look at configuration, it will be shown in following way.
tunnel-group 192.168.2.2 ipsec-attributes
pre-shared-key *

! Activate policy on Outside interface.
ASA(config)# crypto isakmp enable outside

! IKE PHASE #2- VPN Tunnel is established during this phase and the traffic between VPN Peers is encrypted according to the security parameters of this phase.

! I created Transform-set, by which the traffic will be encrypted and hashed between VPN peers.
ASA(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac

! Apply the access list created earlier for matching the interesting traffic.
ASA(config)# crypto map vpn 10 match address vpn

! I indicated address of Remote2 peer public outside interface.
ASA(config)# crypto map vpn 10 set peer 192.168.2.2

! Apply also the transform-set.
ASA(config)# crypto map vpn 10 set transform-set ts

! Attach the already created Crypto-map and VPN to outside interface.
ASA(config)# crypto map vpn interface outside

ASA configuration is completed here (regarding the VPN config of course). Now let’s start Router Configuration below.

Cisco Router Configuration

ISAKMP Phase 1

! Enter crypto-isakmp policy configuration mode for configuring crypto isakmp policy.
Router(config)# crypto isakmp policy 10

! Turn on 3des as an encryption type.
Router(config)# encr 3des

! I indicated MD5 as a hashing type.
Router(config)# hash md5

! I indicated pre-share authentication.
Router(config)# authentication pre-share

! I used second group of diffie-hellman. group1 is used by default.
Router(config)# group 2

! I defined peer key same as ASA site.
Router(config)# crypto isakmp secretsharedkey address 192.168.1.2

It’s not necessary to match policy numbers. The most important is to match corresponding parameters of policy. Otherwise negotiation of Phase1 will not be successful.

! Access list for matching interesting traffic.
Router(config)# ip access-list extended vpn
Router(config)# permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

ISAKMP PHASE 2
!
! Create IPSEC transform-set, by which the mechanism of hashing and encryption is determined, by which the traffic will be hashed/encrypted in VPN tunnel later.
Router(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac

! Enter into crypto-map configuration mode.
Router(config)# crypto map vpn 10 ipsec-isakmp

! Indicate IP address of peer.
Router(config)# set peer 192.168.1.2

! Indicate IPsec transform-set created above.
Router(config)# set transform-set ts

! Apply access list created above.
Router(config)# match address vpn

! Apply crypto-map to interface.
Router(config)# interface FastEthernet0/0
Router(config)# crypto map vpn

With this, VPN configuration is completed so let’s start verification.

! In the output below it is shown that ISAKMP PHASE1 is active, which means that negotiation of PHASE1 is completed successfully.

ASA# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 192.168.2.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

Router# show crypto isakmp sa
dst src state conn-id slot
192.168.1.2 192.168.2.2 MM_ACTIVE 1 0

! Checking ISAKMP PHASE2. Here we see that IPSec is working and the interesting traffic flows in VPN Tunnel.

ASA# show crypto ipsec sa
interface: outside
Crypto map tag: vpn, seq num: 10, local addr: 192.168.1.2

access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer: 192.168.2.2

#pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
#pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 344, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #framents created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

Router# show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: vpn, local addr 192.168.2.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 192.168.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
#pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

VPN Tunnel is established and works.

Today I have stumbled upon an interesting technique from the Cisco Blog and Cisco Support Forum which is about defending an SQL injection using IPS, ASA or IOS firewall. I will concentrate on the ASA here to show you what you can do with this great device. Ofcourse what I will show works only for specific SQL attacks and is not an “ALL IN ONE” mechanism for preventing all SQL attacks. You should have a web application firewall in addition to ASA in my opinion if you want to have a full blown SQL and Web Application protection.

So basically the ASA uses regular expressions (regex) together with Modular Policy Framework to inspect specific HTTP data patterns in order to detect the SQL injection attack. It will basically check for the SQL command “UNION ALL SELECT”.

Below is the configuration as described on the Cisco support forum:

regex SQL_regex_1 “[uU][nN][iI][oO][nN]([%]2[0bB]|[+])([aA][lL][lL]([%]2[0bB]|[+]))?[sS][eE][lL][eE][cC][tT]”
regex SQL_regex_2 “[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|+)[^\r\x00-\x19\x7f-\xff]+(%2[0bB]|+)[Ff][Rr][Oo][Mm](%2[0bB]|+)”
!
class-map WebServers
match port tcp eq www
class-map type inspect http match-any SQL-map
match request body regex SQL_regex_1
match request body regex SQL_regex_2
!
policy-map type inspect http drop-SQL
parameters
body-match-maximum 3000
class SQL-map
drop-connection log
policy-map SQL-traffic
class WebServers
inspect http drop-SQL
!
service-policy SQL-traffic interface outside

We assume that our webserver is protected on a DMZ zone on the ASA. Traffic is coming from the outside so the service policy (SQL-traffic) is applied on the outside. Upon a regular expression match, the ASA will drop the HTTP connection and generate a log. The above is a just a starting point for SQL attack protection and can not defend against all attacks. For example if the SQL statement is Hex encoded or url encoded by the attacker, the regex will not detect it. Here is the link from Cisco forum for more information:

https://supportforums.cisco.com/docs/DOC-14890

Upgrading Memory of Cisco ASA Firewall

After the introduction of Cisco ASA software version 8.3 last year, the device’s memory requirements for low-end models have been doubled. Many firewall administrators have been discouraged from this move from Cisco because they had to upgrade their firewalls RAM memory in order to upgrade to the newest versions. Upgrading the memory not only costs money but it imposes an operational hassle as well (network downtime, need to open-up the chassis etc). I get many questions from my readers about memory upgrade guides, so the links below might be helpful for some of you.

The following table shows the new memory requirements for all Cisco ASA 5500 models for software version 8.3 and later:

Cisco ASA Memory Requirements

The following video from Cisco shows you how to upgrade the memory chip on a Cisco ASA 5510 Firewall.

Upgrade Memory on Cisco ASA 5510 – Video

The following post from ccsplab shows some information for upgrading both the RAM and Flash memory on a Cisco ASA 5505 model.

Upgrade RAM and Flash on Cisco ASA 5505

The ASA 5500 series firewall can work as DHCP relay agent which means that it receives DHCP requests from clients on one interface and forwards the requests to a DHCP server on another interface. Usually the DHCP server is located in the same layer 3 subnet with its clients. There are situations however where we have only one DHCP server but several layer 3 networks exist (on different security zones on a Cisco ASA) and dynamic IP allocation is required for those networks as well. With the DHCP relay feature, we can connect the DHCP server on one network zone and have the firewall forward all DHCP requests from the other network zones to the DHCP server.

[ad#embedded-square]

The diagram below illustrates a simple network scenario with three security zones (network interfaces) and a single DHCP server. The three network zones are inside, outside and DMZ. The DHCP clients are connected to the inside network and the DHCP server on the DMZ network. The DHCP requests from the clients on the inside network will be relayed to the server on the DMZ network. The server will assign IP addresses in the range 192.168.1.0/24 to the clients.

Configuration

!First identify the DHCP server and the interface it Is connected to
ciscoasa# conf t
ciscoasa(config)# dhcprelay server 10.1.1.100 DMZ
ciscoasa(config)# dhcprelay timeout 90

!Now enable the DHCP relay on the inside interface
ciscoasa(config)# dhcprelay enable inside

!Assign the ASA inside interface IP as default gateway for the clients
ciscoasa(config)# dhcprelay setroute inside

Usage Guidelines

You can add up to four DHCP relay servers per interface. You must add at least one dhcprelay server command to the ASA Firewall configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.

You cannot enable DHCP relay under the following conditions:
• You cannot enable DHCP relay and the DHCP relay server on the same interface.
• You cannot enable DCHP relay and a DHCP server (dhcpd enable) on the same interface.

This article describes the user interface and access modes and commands associated with the operation of Cisco ASA 5500 firewall appliances. We assume that you know how to connect to the appliance using a console cable (the blue flat cable with RJ-45 on one end, and DB-9 Serial on the other end) and a Terminal Emulation software (e.g HyperTerminal), and how to use basic Command Line Interface.

SECURITY APPLIANCE ACCESS MODES
A Cisco ASA security appliance has four main administrative access modes:

Monitor Mode: Displays the monitor> prompt. A special mode that enables you to update the image over the network or to perform password recovery. While in the monitor mode, you can enter commands to specify the location of a TFTP server and the location of the software image or password recovery binary image file to download. You access this mode by pressing the “Break” or “ESC” keys immediately after powering up the appliance.
Unprivileged Mode: Displays the > prompt. Available when you first access the appliance. If the appliance is a Cisco PIX 500 series, the prompt for unprivileged mode is pixfirewall> and if the appliance is the new Cisco ASA 5500 Series, the prompt is ciscoasa>

This mode provides restricted view of the security appliance. You cannot configure anything from this mode. To get started with configuration, the first command you need to know is the enable command. Type enable and hit Enter. The initial password is empty, so hit Enter again to move on the next access mode (Privileged Mode).

ciscoasa> enable <–Unprivileged Mode
password: <– Enter a password here (initially its blank)
ciscoasa# <– Privileged Mode
[ad#embedded-square]

Privileged Mode: Displays the # prompt. Enables you to change the current settings. Any unprivileged command also works in this mode. From this mode you can see the current configuration by using “show running-config”. Still, you cannot configure anything yet until you go to Configuration Mode. You access the Configuration Mode using the configure terminal command from the Privileged Mode.

Configuration Mode: This mode displays the (config)# prompt. Enables you to change all system configuration settings. Use exit from each mode to return to the previous mode.

ciscoasa> enable <– Unprivileged Mode
password: <– Enter a password here (initially its blank)
ciscoasa# configure terminal <– Privileged Mode
ciscoasa(config)# <– Configuration Mode
ciscoasa(config)# exit
ciscoasa# exit <– Back to Privileged Mode
ciscoasa> <– Back to Unprivileged Mode

The (config)# mode is sometimes called Global Configuration Mode. Some configuration commands from this mode enter a command-specific mode and the prompt changes accordingly. For example the interface command enters interface configuration mode as shown below:

ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# <– Configure Interface specific parameters

Traditionally, a network firewall is a routed hop that acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall (or Layer 2 firewall), on the other hand, acts like a “stealth firewall” and is not seen as a Layer 3 hop to connected devices. The appliance connects the same Layer 3 network subnet on its inside and outside ports, but each interface of the firewall resides in a different Layer 2 Vlan. The Cisco ASA firewall can operate both in Routed Firewall Mode (default mode) or in Transparent Firewall Mode.

Routed Firewall Mode:

See the diagram below for a common network topology of a Cisco ASA firewall working in Routed Mode.

As you can see, there are two different network subnets. Inside network (10.20.20.0/24) and Outside Network (10.10.10.0/24). There must be also two different layer2 vlans (Vlan20 for inside network and Vlan10 for outside network). All hosts residing in internal network must belong to subnet 10.20.20.0 and must have default gateway the internal IP of the ASA (10.20.20.1).

Transparent Firewall Mode:

The diagram below shows an example topology using a Cisco ASA in Layer 2 transparent mode.

As you can see, there is only one Layer 3 network (10.10.10.0/24) BUT there MUST be two different Layer 2 Vlans (Vlan20 for inside zone and Vlan10 for outside zone). All hosts must reside in network range 10.10.10.0 and the devices must have as default gateway the IP address of the outside router (10.10.10.2). Also, a management IP address MUST be configured on the ASA firewall (again within the range of 10.10.10.0). DO NOT specify the management IP address of the ASA as the default gateway for connected devices.

[ad#embedded-square]

Characteristics of Transparent Mode

• Transparent firewall mode supports only two interfaces (inside and outside)
• The firewall bridges packets from one VLAN to the other instead of routing them.
• MAC lookups are performed instead of routing table lookups.
• Can run in single firewall context or in multiple firewall contexts.
• A management IP address is required on the ASA.
• The management IP address must be in the same subnet as the connected network.
• Each interface of the ASA must be a different VLAN interface.
• Even though the appliance acts as a Layer 2 bridge, Layer 3 traffic cannot pass through the security appliance from a lower security level to a higher security level interface.
• The firewall can allow any traffic through by using normal extended Access Control Lists (ACL).

Initial Configuration

Asa(config)# firewall transparent

!Configure management IP below
Asa(config)# ip address 10.10.10.1 255.255.255.0

Asa(config)# interface Ethernet0/0
Asa(config-if)# nameif outside
Asa(config-if)# security-level 0
!
Asa(config)# interface Ethernet0/1
Asa(config-if)# nameif inside
Asa(config-if)# security-level 100

The Cisco ASA 5500 is the new Cisco firewall model series which followed the successful Cisco PIX firewall appliance. Cisco calls the ASA 5500 a “security appliance” instead of just a “hardware firewall”, because the ASA is not just a firewall. This device combines several security functionalities, such as Intrusion Detection, Intrusion Prevention, Content Inspection, Botnet Inspection, in addition to the firewall functionality.

However, the core ASA functionality is to work as a high performance firewall. All the other security features are just complimentary services on top of the firewall functionality. Having said that, the purpose of a network firewall is to protect computer and IT resources from malicious sources by blocking and controlling traffic flow. The Cisco ASA firewall achieves this traffic control using Access Control Lists (ACL).

[ad#embedded-square]

An ACL is a list of rules with permit or deny statements. Basically an Access Control List enforces the security policy on the network. The ACL (list of policy rules) is then applied to a firewall interface, either on the inbound or on the outbound traffic direction. If the ACL is applied on the inbound traffic direction (in), then the ACL is applied to traffic entering a firewall interface. The opposite happens for ACL applied to the outbound (out) direction.

The ACL permit or deny statements basically consist of source and destination IP addresses and ports. A permit ACL statement allows the specified source IP address/network to access the specified destination IP address/network. The opposite happens for deny ACL statements. At the end of the ACL, the firewall inserts by default an implicit DENY ALL statement rule which is not visible in the configuration.

Enough theory so far. Let us see some examples below to clarify what we have said above.

The basic command format of the Access Control List is the following:

ciscoasa(config)# access-list “access_list_name” extended {deny | permit} protocol “source_address” “mask” [source_port] “dest_address” “mask” [ dest_port]

To apply the ACL on a specific interface use the access-group command as below:

ciscoasa(config)# access-group “access_list_name” [in|out] interface “interface_name”

Example1:

Allow only http traffic from inside network 10.0.0.0/24 to outside internet

ciscoasa(config)# access-list HTTP-ONLY extended permit tcp 10.0.0.0 255.255.255.0 any eq 80

ciscoasa(config)# access-group HTTP-ONLY in interface inside

The name “HTTP-ONLY” is the Access Control List itself, which in our example contains only one permit rule statement. Remember that there is an implicit DENY ALL rule at the end of the ACL which is not shown by default.

Example2:

Deny telnet traffic from host 10.1.1.1 to host 10.2.2.2 and allow everything else.


ciscoasa(config)# access-list DENY-TELNET extended deny tcp host 10.1.1.1 host 10.2.2.2 eq 23

ciscoasa(config)# access-list DENY-TELNET extended permit ip host 10.1.1.1 host 10.2.2.2

ciscoasa(config)# access-group DENY-TELNET in interface inside

The above example ACL (DENY-TELNET) contains two rule statements, one deny and one permit. As we mentioned above, the “access-group” command applies the ACL to an interface (either to an inbound or to an outbound direction).

Example3:

The example below will deny ALL TCP traffic from our internal network 192.168.1.0/24 towards the external network 200.1.1.0/24. Also, it will deny HTTP traffic (port 80) from our internal network to the external host 210.1.1.1. All other traffic will be permitted from inside.


ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 200.1.1.0 255.255.255.0

ciscoasa(config)# access-list INSIDE_IN extended deny tcp 192.168.1.0 255.255.255.0 host 210.1.1.1 eq 80

ciscoasa(config)# access-list INSIDE_IN extended permit ip any any

ciscoasa(config)# access-group INSIDE_IN in interface inside

Using Object Groups with Cisco ASA

The usage of object groups (network objects, service object etc) is becoming more popular on Cisco ASA firewalls especially with the new OS version 8.3(x). In this version, network object groups are used extensively for the configuration of NAT mechanisms in addition to other uses. In this post I will show a quick example of using network objects with access lists. In another post I will expand this to show how object groups are used with NAT as well.

Suppose we have a few Web servers located on a DMZ which are accessed from the Internet. We want to enable http (80) and https (443) access from internet towards these web servers.

Assume that we have configured static NAT for those web servers and translated their real private IP addresses to the following Public IP addresses:

Web Server1: 50.50.50.1
Web Server2: 50.50.50.2
Web Server3: 50.50.50.3

Configuration of access list using object groups:

! create a service group for the http and https protocols
object-group service http-protocols tcp
port-object eq 80
port-object eq 443

! create a network object group for the web servers
object-group network webservers
network-object host 50.50.50.1
network-object host 50.50.50.2
network-object host 50.50.50.3

! create the access list applied inbound on the outside interface
access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-protocols

access-group OUTSIDE-IN in interface outside

EDIT (ASA Versions after 8.3):

In newer ASA versions after 8.3, the access list must always reference the Real IP address of a host and NOT the translated IP address. So, in our example above, the “webservers” object-group must include the Real (private) IP addresses of the servers and not the translated public IP.

! create a network object group for the web servers with their Real private IP
object-group network webservers
network-object host 192.168.1.1
network-object host 192.168.1.2
network-object host 192.168.1.3

! create the access list applied inbound on the outside interface
access-list OUTSIDE-IN extended permit tcp any object-group webservers object-group http-protocols

access-group OUTSIDE-IN in interface outside

 Page 3 of 10 « 1  2  3  4  5 » ...  Last »