Cisco Archives

In order to be able to monitor and troubleshoot your Cisco ASA firewall, you need to understand the difference between connections and translations.

Refer to the diagram above for an explanation about Connections and Translations.

A Connection works at the Transport Layer and includes the Source IP/Source Port and the Destination IP/Destination Port. Connections are subsets of Translations: many connections can be open at the same time that all use the same Translation. For example, the connection shown above originates from the internal source host 192.168.1.1 with source port 1030 towards the destination host (a public web server) 100.100.100.1 on destination port 80.

A Translation works at the IP Layer and includes the Real IP Address and the Mapped (Translated) IP Address. Using NAT or PAT, a Real IP address is translated to a Mapped IP address and vice-versa. From the diagram above, the Real IP address 192.168.1.1 is translated to a Mapped IP address 20.20.20.1.

Connection Related Commands

ASA# show conn
ASA# show conn details
ASA# show local-host

The above commands display the currently active connections and details about each connection. An example output line is the following:

TCP outside:100.100.100.1/80 inside:192.168.1.1/1030 idle 0:00:05 bytes 1965 flags UIO

Translation Related Commands

ASA# show xlate
ASA# show xlate detail
ASA# clear xlate

The commands above display or clear the contents of the translation table. An example output line is the following:

NAT from inside:192.168.1.1 to outside:20.20.20.1 flags i
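Monitoring the two tables is easier when their output is parsed rather than read by eye. The Python below is an added example and is not part of the original article: it parses `show conn` and `show xlate` lines in the format quoted above and groups each connection under the translation whose real interface and IP match one of the connection's endpoints, which makes the "many connections per translation" relationship concrete. Connections that match no translation are reported separately. Only the first conn line and the first xlate line come from the article; the remaining sample lines are constructed. The exact column layout of these commands varies between ASA software versions, so the regular expressions are written for the format shown here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample output in the format quoted in the article. Only the first
# conn line and the first xlate line come from the article; the rest are made up.
SHOW_CONN_SAMPLE = """\
TCP outside:100.100.100.1/80 inside:192.168.1.1/1030 idle 0:00:05 bytes 1965 flags UIO
TCP outside:100.100.100.1/443 inside:192.168.1.1/1031 idle 0:00:12 bytes 8420 flags UIO
UDP outside:198.51.100.53/53 inside:192.168.1.7/40112 idle 0:00:01 bytes 210 flags -
TCP outside:100.100.100.1/80 dmz:10.0.0.5/51000 idle 0:00:03 bytes 512 flags UIO
"""

SHOW_XLATE_SAMPLE = """\
NAT from inside:192.168.1.1 to outside:20.20.20.1 flags i
NAT from inside:192.168.1.7 to outside:20.20.20.7 flags i
"""

@dataclass(frozen=True)
class Endpoint:
    interface: str
    ip: str
    port: int

@dataclass(frozen=True)
class Connection:
    proto: str
    a: Endpoint          # first endpoint as printed (outside side in the sample)
    b: Endpoint          # second endpoint as printed (inside/dmz side in the sample)
    idle: str
    nbytes: int
    flags: str

@dataclass(frozen=True)
class Translation:
    real_if: str
    real_ip: str
    mapped_if: str
    mapped_ip: str
    flags: str

# "<iface>:<ip>/<port>" with a group-name prefix so the fragment can be used twice.
_EP = r"(?P<{n}_if>[^:\s]+):(?P<{n}_ip>[\d.]+)/(?P<{n}_port>\d+)"
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+" + _EP.format(n="a") + r"\s+" + _EP.format(n="b")
    + r"\s+idle\s+(?P<idle>\S+)\s+bytes\s+(?P<nbytes>\d+)\s+flags\s+(?P<flags>\S+)$"
)
XLATE_RE = re.compile(
    r"^NAT from (?P<real_if>[^:\s]+):(?P<real_ip>[\d.]+)"
    r" to (?P<mapped_if>[^:\s]+):(?P<mapped_ip>[\d.]+) flags (?P<flags>\S+)$"
)

def parse_conn(text: str) -> List[Connection]:
    """Parse 'show conn' lines; lines that do not match (headers, counters) are skipped."""
    conns: List[Connection] = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        conns.append(Connection(
            d["proto"],
            Endpoint(d["a_if"], d["a_ip"], int(d["a_port"])),
            Endpoint(d["b_if"], d["b_ip"], int(d["b_port"])),
            d["idle"], int(d["nbytes"]), d["flags"],
        ))
    return conns

def parse_xlate(text: str) -> List[Translation]:
    """Parse 'show xlate' lines of the 'NAT from ... to ...' form."""
    return [Translation(**m.groupdict())
            for m in (XLATE_RE.match(ln.strip()) for ln in text.splitlines()) if m]

def join_conns_to_xlates(conns: List[Connection], xlates: List[Translation]
                         ) -> Tuple[Dict[str, List[Connection]], List[Connection]]:
    """Group connections under the translation whose real interface:IP matches one
    of the connection's endpoints. Returns (connections keyed by mapped IP,
    connections with no matching translation)."""
    by_real = {(x.real_if, x.real_ip): x for x in xlates}
    grouped: Dict[str, List[Connection]] = {x.mapped_ip: [] for x in xlates}
    unmatched: List[Connection] = []
    for c in conns:
        for ep in (c.a, c.b):
            x = by_real.get((ep.interface, ep.ip))
            if x is not None:
                grouped[x.mapped_ip].append(c)
                break
        else:
            unmatched.append(c)
    return grouped, unmatched

if __name__ == "__main__":
    grouped, unmatched = join_conns_to_xlates(parse_conn(SHOW_CONN_SAMPLE),
                                              parse_xlate(SHOW_XLATE_SAMPLE))
    for mapped_ip, cs in grouped.items():
        print(f"{mapped_ip}: {len(cs)} connection(s)")
        for c in cs:
            print(f"  {c.proto} {c.b.ip}:{c.b.port} -> {c.a.ip}:{c.a.port} flags {c.flags}")
    print(f"connections without a translation: {len(unmatched)}")
```

Run against the sample, the two connections from 192.168.1.1 land under the mapped address 20.20.20.1, the DNS connection from 192.168.1.7 under 20.20.20.7, and the DMZ connection is reported as having no translation in the sample xlate table. Feeding the script real `show conn` and `show xlate` captures gives a quick view of which translations are carrying the most connections and which connections are passing without one.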

A single Cisco ASA appliance can be partitioned into multiple virtual firewalls, also known as “Security Contexts”. Each security context acts as a separate firewall with its own security policy, interfaces and configuration. However, some features are not available for virtual firewalls, such as IPsec and SSL VPN, dynamic routing protocols, multicast and Threat Detection.

All firewall models (except ASA 5505) support multiple security contexts. By default, all models support 2 security contexts without a license upgrade (except the ASA 5510 which requires the security plus license).


Each security context that you create on the appliance has its own configuration file (filename.cfg) stored on local flash memory. This configuration file contains the security policy, the allocated interfaces and the virtual firewall configuration of that specific security context. By default, an admin context is always created with the configuration file “admin.cfg”. It is just like any other security context, except that a user who logs in to the admin context has full administrator access to all other security contexts.

When you convert the appliance from single context mode to multiple context mode (using the command “mode multiple”), the firewall converts the current running configuration into two files: a new startup configuration that comprises the system configuration, and “admin.cfg”, which comprises the admin context (stored in the root directory of the internal flash memory). The original running configuration is saved as “old_running.cfg” (also in the root directory of the internal flash memory).

Configuring Security Contexts

! Enable multiple context mode
ASA(config)# mode multiple

! Then reboot the appliance.

! Configure the administrator context
ASA(config)# admin-context administrator
ASA(config)# context administrator
ASA(config-ctx)# allocate-interface gigabitethernet0/1.10
ASA(config-ctx)# allocate-interface gigabitethernet0/1.11
ASA(config-ctx)# config-url flash:/admin.cfg

! Configure other contexts as required
ASA(config)# context customerA
ASA(config-ctx)# allocate-interface gigabitethernet0/2.100
ASA(config-ctx)# allocate-interface gigabitethernet0/2.200
ASA(config-ctx)# config-url flash:/customerA.cfg

! Configure other contexts as required
ASA(config)# context customerB
ASA(config-ctx)# allocate-interface gigabitethernet0/2.111
ASA(config-ctx)# allocate-interface gigabitethernet0/2.222
ASA(config-ctx)# config-url flash:/customerB.cfg

Changing between contexts and the system execution space:

When you connect to the appliance with a console cable, you log in to the system configuration (the system execution space). The “system execution space” is the global appliance space from which you can then enter specific security contexts. If you are logged in to the “system execution space” and issue a “show run” command, it will ONLY show you the global system configuration and NOT the configurations of the individual security contexts. You need to log in to a specific security context in order to see or change its configuration.

To change between the system execution space and a context, or between contexts, see the following commands:

! To change to the context named customerA (configured above), enter the
! following command. Context names are case-sensitive.
ASA# changeto context customerA

! The prompt changes to the following:
ASA/customerA#

! To change back to the system execution space, enter the following command:
ASA/customerA# changeto system

! The prompt changes to the following:
ASA#

In addition to device-level failover, you can also configure interface redundancy on the same chassis of a Cisco ASA firewall. Basically, you create a logical interface pair (called “interface redundant”) in which you include two physical interfaces. If one of the interfaces fails, the second one in the redundancy pair takes over and starts passing traffic. You can configure up to 8 redundant interface pairs. After you configure the redundant interface pair, all security appliance configuration refers to this logical redundant pair instead of the member physical interfaces.

The following guidelines should be followed for a redundant interface and its members:

  • You must first remove the name of the physical interface (using the no nameif command) before adding it to the logical redundant interface.
  • Both member interfaces must be of the same physical type. That is, they must both be GigabitEthernet or both be Ethernet.
  • The only configuration available to physical interfaces that are part of a redundant interface pair is physical parameters (i.e., the shutdown command and the description command).

Configuration Example:
 
ASA(config)# interface redundant 1
ASA(config-if)# member-interface gigabitethernet 0/0
ASA(config-if)# member-interface gigabitethernet 0/1

From now on, all interface-related commands must refer to “interface redundant 1”.
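The guidelines above can be checked against the running configuration before the member-interface commands are entered. The Python below is an added example, not part of the article or of any Cisco tooling: it parses the interface blocks of a constructed running-config excerpt (the interface names and addresses are made up) and reports any member that still carries a nameif, any mismatch in physical type, and a redundant-interface number outside the 1 to 8 range stated in the article. A "no nameif" line is read as clearing the name, and shutdown/description lines are ignored because those remain allowed on members.

```python
import re
from typing import Dict, List, Optional

# Constructed running-config excerpt (not from the article). The interface
# names and the address are made up so that each guideline is exercised.
RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 description uplink A, already prepared for the redundant pair
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 200.1.1.2 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
"""

MAX_REDUNDANT_PAIRS = 8   # limit stated in the article


def parse_interfaces(cfg: str) -> Dict[str, Optional[str]]:
    """Map each physical interface to its nameif (None when it has no name)."""
    ifaces: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = None
        elif current is not None and line.startswith(" "):
            toks = line.split()
            if toks[:2] == ["no", "nameif"]:
                ifaces[current] = None
            elif toks[0] == "nameif" and len(toks) > 1:
                ifaces[current] = toks[1]
            # shutdown, description and other lines are irrelevant to the check
        else:
            current = None   # '!' or a top-level command ends the interface block
    return ifaces


def physical_type(ifname: str) -> str:
    """'GigabitEthernet0/1' -> 'GigabitEthernet', 'Ethernet0/2' -> 'Ethernet'."""
    m = re.match(r"[A-Za-z]+", ifname)
    return m.group(0) if m else ifname


def check_redundant_pair(cfg: str, redundant_id: int, members: List[str]) -> List[str]:
    """Return a list of guideline violations; an empty list means the pair is acceptable."""
    problems: List[str] = []
    if not 1 <= redundant_id <= MAX_REDUNDANT_PAIRS:
        problems.append(f"redundant id {redundant_id} is outside 1..{MAX_REDUNDANT_PAIRS}")
    if len(members) != 2:
        problems.append(f"a redundant interface takes exactly two members, got {len(members)}")
    ifaces = parse_interfaces(cfg)
    for member in members:
        if member not in ifaces:
            problems.append(f"{member}: not found in running config")
        elif ifaces[member] is not None:
            problems.append(f"{member}: still named '{ifaces[member]}', "
                            "run 'no nameif' before adding it")
    types = {physical_type(m) for m in members}
    if len(types) > 1:
        problems.append(f"members are of different physical types: {sorted(types)}")
    return problems


if __name__ == "__main__":
    for rid, members in [(1, ["GigabitEthernet0/0", "GigabitEthernet0/3"]),
                         (1, ["GigabitEthernet0/0", "GigabitEthernet0/1"]),
                         (9, ["GigabitEthernet0/0", "Ethernet0/2"])]:
        result = check_redundant_pair(RUNNING_CONFIG, rid, members)
        print(f"interface redundant {rid} {members}: {result or 'OK'}")
```

The first candidate pair passes, the second is rejected because GigabitEthernet0/1 is still named "outside", and the third fails on both the interface number and the mixed physical types.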

Configure Static Routing on Cisco ASA Firewall

Although the Cisco ASA appliance does not act as a router in the network, it still has a routing table, and it is essential to configure static or dynamic routing so that the appliance knows where to send packets. When a packet arrives at a network interface of the ASA firewall, it undergoes several security controls, such as ACL filtering, NAT and deep-packet inspection. After the packet passes all firewall controls, the security appliance needs to send it towards its destination address. It therefore checks its routing table to determine the outgoing interface through which the packet will be sent.

Cisco ASA firewalls support both static and dynamic routing. For dynamic routing, the ASA supports RIPv2 and OSPF. I recommend avoiding dynamic routing, though, and sticking with static routes. The reason is that one of the purposes of a firewall is to hide your internal trusted network addressing and topology. By enabling dynamic routing, you might be advertising routes to untrusted networks, thus exposing your network to threats.

The scenario in the diagram above will help us understand how to configure static routing. The ASA connects to the internet on the outside and also has a DMZ and Internal zones. The default gateway towards the ISP is 200.1.1.1. The DMZ network is 10.0.0.0/24 and the internal LAN1 network is 192.168.1.0/24. LAN1 is directly connected to the Inside interface of the firewall. Additionally, there is another internal network, namely LAN2, with network 192.168.2.0/24. LAN2 is not directly connected to the firewall. Rather, there is an internal router with address 192.168.1.1 through which we can reach LAN2. Therefore, in order for the ASA to reach network LAN2, we need to configure a static route to tell the firewall that network 192.168.2.0/24 can be reached via 192.168.1.1.

So we need to configure two static routes: one default static route for Internet access, and one internal static route to reach network LAN2. For the directly connected networks (DMZ and LAN1) we don’t need to configure a static route, since the firewall already knows about these networks as they are directly connected to its interfaces.

Configuration:

The format of the static route command is:

ASA(config)# route [interface name] [destination address] [netmask] [gateway]

! First configure a default static route towards the default gateway
ASA(config)# route outside 0.0.0.0 0.0.0.0 200.1.1.1

! Then configure an internal static route to reach network LAN2
ASA(config)# route inside 192.168.2.0 255.255.255.0 192.168.1.1
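The route lookup the ASA performs after a packet clears the firewall controls can be reproduced in a few lines. The Python below is an added example and not part of the article: it builds a routing table from the two route commands above plus the directly connected networks, then performs a longest-prefix match for a destination address. The ASA's own interface addresses (200.1.1.2, 10.0.0.1 and 192.168.1.254) are assumptions, because the article gives only the subnets and the ISP gateway. Looking up a LAN2 host with and without the second static route shows why that route is needed: without it the only match is the default route, so LAN2 traffic would be sent out the outside interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two static routes exactly as configured in the article.
STATIC_ROUTE_CMDS = [
    "route outside 0.0.0.0 0.0.0.0 200.1.1.1",
    "route inside 192.168.2.0 255.255.255.0 192.168.1.1",
]

# Assumed interface addressing for the article's three zones. The article gives
# the subnets and the ISP gateway but not the ASA's own interface addresses.
INTERFACE_ADDRS: Dict[str, str] = {
    "outside": "200.1.1.2/255.255.255.0",
    "dmz": "10.0.0.1/255.255.255.0",
    "inside": "192.168.1.254/255.255.255.0",
}


@dataclass(frozen=True)
class Route:
    interface: str
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means directly connected


def parse_route_cmd(cmd: str) -> Route:
    """Turn 'route <iface> <dest> <mask> <gateway>' into a Route."""
    parts = cmd.split()
    if len(parts) != 5 or parts[0] != "route":
        raise ValueError(f"not a static route command: {cmd!r}")
    _, iface, dest, mask, gw = parts
    # IPv4Network accepts a dotted netmask; 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0.
    net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return Route(iface, net, ipaddress.IPv4Address(gw))


def connected_routes(addrs: Dict[str, str]) -> List[Route]:
    """Every interface address yields a connected route for its subnet."""
    return [Route(iface, ipaddress.IPv4Network(a, strict=False), None)
            for iface, a in addrs.items()]


def build_table() -> List[Route]:
    return connected_routes(INTERFACE_ADDRS) + [parse_route_cmd(c) for c in STATIC_ROUTE_CMDS]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def describe(table: List[Route], dst: str) -> str:
    r = lookup(table, dst)
    if r is None:
        return f"{dst}: no route"
    via = "directly connected" if r.gateway is None else f"via {r.gateway}"
    return f"{dst}: out {r.interface} ({via}, matched {r.network})"


if __name__ == "__main__":
    table = build_table()
    for dst in ("8.8.8.8", "10.0.0.20", "192.168.1.50", "192.168.2.10"):
        print(describe(table, dst))
    # Without the LAN2 static route, LAN2 traffic falls through to the default.
    without_lan2 = [r for r in table if str(r.network) != "192.168.2.0/24"]
    print("without LAN2 route ->", describe(without_lan2, "192.168.2.10"))
```

With the full table, 192.168.2.10 is sent out the inside interface via 192.168.1.1, while an Internet address matches only the default route towards 200.1.1.1. Hosts in the DMZ and LAN1 match their connected routes and need no gateway.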

Cisco CCNA Security Certification

As information security threats multiply, network security certifications are attracting more and more attention and demand. The Cisco CCNA Security certification is an excellent choice for a starting network professional, since enterprises have started seeking professionals with security skills. The Cisco CCNA Security also leads to two other popular certifications, the CCSP (Cisco Certified Security Professional) and the CCIE Security.

At the time of this writing, the CCNA Security requires candidates to pass a single exam, the 640-553 IINS (Implementing Cisco IOS Network Security). The exam lasts 90 minutes and consists of 55-65 questions. It tests candidates’ ability to secure Cisco routers and switches and their associated networks. Exam topics include security threats facing modern network infrastructures, securing Cisco routers and switches, implementing AAA on Cisco routers, mitigating threats using Access Control Lists, mitigating common Layer 2 attacks, and implementing the Cisco IOS firewall and IPS features.

If you are planning to pursue a professional certification, then the Cisco CCNA Security is a great first step for your professional career. For CCNA Security training, Trainsignal offers complete exam coverage with video training for IINS 640-553.

Cisco Firewall Service Module – FWSM

The Cisco Firewall Service Module (FWSM) is a module card installed in 6500 switches or 7600 routers and is based on the Cisco PIX/ASA security software. It integrates security services into the popular 6500/7600 network devices, providing one of the fastest firewall data rates in the industry. With 5 Gbps of firewall throughput per module and four modules per chassis, you can scale your firewall performance to a maximum of 20 Gbps throughput in a single chassis. This is an excellent choice for service providers or for large data center environments, since you can integrate firewall security inside your network infrastructure without losing performance.

As it is installed as a module inside the 6500/7600 platforms, it works on the backplane of the switch/router, allowing any port of the network device to operate as a firewall port. VLANs of the switch can be assigned as “interface legs” of the FWSM, thus forcing traffic between VLANs to pass through the firewall, which applies stateful inspection and control to the traffic flow. Having an integrated firewall inside your network infrastructure also makes administration easier and lowers your total cost of ownership.
