Cisco Firewall Service Module – FWSM

The Cisco Firewall Service Module (FWSM) is a module installed in Catalyst 6500 switches or 7600 routers and is based on the Cisco PIX/ASA security software. It integrates security services into the popular 6500/7600 platforms, providing one of the fastest firewall data rates in the industry. With 5 Gbps of firewall throughput per module, and up to four modules per chassis, you can scale firewall performance to a maximum of 20 Gbps in a single chassis. This makes it a good choice for service providers or for large data center environments, since you can integrate firewall security inside your network infrastructure without losing performance.

As it is installed as a module inside the 6500/7600 chassis, it works on the backplane of the switch/router, allowing any port of the device to operate as a firewall port. VLANs of the switch are assigned as "interface legs" of the FWSM, so traffic between those VLANs is forced through the firewall, which applies stateful inspection and control to the flow. The point to keep in mind is that VLAN separation alone is not the security boundary here: only VLANs whose inter-VLAN path goes through the FWSM are inspected, so the switch's own routed interfaces (SVIs on the MSFC) must not provide a routed path between VLANs that is supposed to be firewalled. Having the firewall integrated inside the network infrastructure also makes administration easier and lowers the total cost of ownership.

Password Recovery for the Cisco ASA 5500 Firewall

If you have lost the administrator password of the security appliance, you can recover it with the following steps. The procedure requires physical console access, which is why console ports and the chassis itself must be physically protected. If your security policy requires that console access must not be able to bypass the passwords, the no service password-recovery command disables this procedure; the price is that regaining access to a locked-out appliance then requires erasing its configuration.

Step 1: Connect to the firewall using a console cable.

Step 2: Power cycle the appliance (power off and then on).

Step 3: Press the Escape key during boot to enter ROMMON mode.

Step 4: Use the confreg command to change the configuration register to 0x41:

rommon #1> confreg 0x41

Step 5: Configure the security appliance to ignore the startup configuration:

rommon #2> confreg

The ASA firewall displays the current configuration register value and boot parameters and asks whether you want to change them:

Current Configuration Register: 0x00000041

Configuration Summary:

  boot default image from Flash

  ignore system configuration 

Do you wish to change this configuration? y/n [n]: y

Step 6: At the prompt enter Y to change the parameters. Record the original register value shown above so you can restore it later if it was not the default.

Step 7: Accept the default values for all settings, except at the "disable system configuration?" prompt, where you enter Y.

Step8: Reload the ASA appliance by entering the following command

rommon #3> boot

The firewall will reboot and load the default configuration instead of the startup configuration.

Step 9: Enter privileged EXEC mode:

hostname> enable

When prompted for the password, press Enter (the password is blank now).

Step 10: Load the saved configuration into memory. Without this step the running configuration is the empty default, and saving it later would overwrite your real startup configuration:

hostname# copy startup-config running-config

Step 11: Enter global configuration mode and change the passwords as required:

hostname# configure terminal
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password

Step 12: Restore the default configuration register value (0x1), so that the next boot reads the startup configuration again:

hostname(config)# no config-register

Step 13: Save the new passwords to the startup configuration:

hostname(config)# copy running-config startup-config

If for any reason the software image on your Cisco ASA appliance is corrupted and the device does not boot to normal operating mode, you can load a new image using ROMMON (ROM monitor mode) and TFTP. Follow the steps below to get into ROMMON mode and then assign the settings needed to load the new image file from the TFTP server:

Step 1: Connect to the ASA firewall using a console cable.

Step 2: Power off the appliance and then power it on.

Step 3: When the appliance starts, press the Escape key to force it into ROMMON mode.

Step 4: In ROMMON mode, configure the settings needed to reach the TFTP server. Connect a PC running a TFTP server to a firewall port (e.g. Ethernet0/0), ideally on an isolated segment used only for the recovery, since TFTP is unauthenticated and unencrypted. Then enter the following commands on the ASA:

rommon #1> ADDRESS=192.168.1.10
rommon #2> SERVER=192.168.1.1
rommon #3> GATEWAY=192.168.1.1
rommon #4> IMAGE=asa800-232-k8.bin
rommon #5> PORT=Ethernet0/0
 

The above configuration will assign an IP address of 192.168.1.10 to interface Ethernet0/0 of the firewall appliance. It will also tell the firewall that the TFTP SERVER is at address 192.168.1.1 and the image to load is asa800-232-k8.bin

Step 5: Start the TFTP transfer from the ASA:

rommon #6> tftp

This instructs the firewall to download the image file from the TFTP server and boot it (newer ASA 5500 ROMMON versions use tftpdnld for the same action).

Two caveats apply. First, an image fetched this way runs from RAM and is not written to flash, so once the appliance is up you must copy the image to flash (copy tftp: disk0:) and point boot system at it, otherwise the next reload fails the same way. Second, TFTP gives you no integrity protection at all, so compare the image against the hash Cisco publishes for it (on the running appliance, verify /md5 followed by the image path) before you trust it. After the firewall boots, log in and check with show version that the expected image is running.
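The exchange the ASA's ROMMON performs with the TFTP server, as an added example that is not part of the original page: a minimal in-process model of the RFC 1350 read request (RRQ, DATA and ACK packets, short final block), a server that serves only the one file it was given, and the hash check you have to do yourself because TFTP has none. The image name, the image bytes and the "published" hash are constructed placeholders, not a real Cisco image.

```python
"""Added example: TFTP read exchange (RFC 1350) as performed by the ASA ROMMON,
simulated in-process, plus an integrity check of the fetched image."""
import hashlib
import struct

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5   # TFTP opcodes used here
BLOCK_SIZE = 512                     # RFC 1350 data block size


def build_rrq(filename, mode="octet"):
    # RRQ = opcode | filename | 0 | mode | 0
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


class TftpImageServer:
    """Serves only the files it was given: the kind of restricted server to put on the
    recovery segment instead of one exposing a whole directory to anyone who asks."""

    def __init__(self, images):
        self.images = images          # {filename: bytes}
        self.current = None           # bytes of the file being served
        self.block = 0                # number of the last DATA block sent
        self.finished = False         # True once the short (final) block went out

    def handle(self, packet):
        """Process one client packet; return the reply, or None when the transfer is done."""
        (opcode,) = struct.unpack("!H", packet[:2])
        if opcode == RRQ:
            filename, mode = packet[2:].split(b"\0")[:2]
            name = filename.decode()
            if name not in self.images or "/" in name or ".." in name:
                return build_error(1, "File not found")
            if mode.decode().lower() != "octet":
                return build_error(0, "Only octet mode is supported")
            self.current, self.block, self.finished = self.images[name], 0, False
            return self._next_data()
        if opcode == ACK and self.current is not None:
            (acked,) = struct.unpack("!H", packet[2:4])
            if acked != self.block:
                return build_error(4, "Illegal TFTP operation")
            if self.finished:
                self.current = None   # final block acknowledged: transfer complete
                return None
            return self._next_data()
        return build_error(4, "Illegal TFTP operation")

    def _next_data(self):
        start = self.block * BLOCK_SIZE
        chunk = self.current[start:start + BLOCK_SIZE]
        self.block += 1
        self.finished = len(chunk) < BLOCK_SIZE   # a short block terminates the transfer
        return build_data(self.block, chunk)


def rommon_tftp_fetch(server, filename):
    """Play the ASA side: send RRQ, ACK every DATA block, return (transcript, image or None)."""
    transcript = [("ASA->server", f"RRQ {filename} octet")]
    reply = server.handle(build_rrq(filename))
    received = bytearray()
    while True:
        opcode, number = struct.unpack("!HH", reply[:4])
        if opcode == ERROR:
            transcript.append(("server->ASA", f"ERROR {number}: {reply[4:-1].decode()}"))
            return transcript, None
        payload = reply[4:]
        received += payload
        transcript.append(("server->ASA", f"DATA block {number} ({len(payload)} bytes)"))
        transcript.append(("ASA->server", f"ACK {number}"))
        reply = server.handle(build_ack(number))
        if len(payload) < BLOCK_SIZE:      # short block: that was the last one
            return transcript, bytes(received)


def verify_image(image, expected_sha256):
    """TFTP authenticates nothing; compare against the hash published for the image."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def demo():
    # Constructed stand-in for an ASA image: 1300 bytes -> DATA blocks of 512, 512 and 276.
    image = bytes(range(256)) * 5 + b"\x00" * 20
    published = hashlib.sha256(image).hexdigest()   # what the vendor's download page would list
    server = TftpImageServer({"asa-recovery-image.bin": image})   # hypothetical filename
    transcript, fetched = rommon_tftp_fetch(server, "asa-recovery-image.bin")
    _, missing = rommon_tftp_fetch(server, "other.bin")             # not on the allow-list
    return {"blocks": sum(1 for _, msg in transcript if msg.startswith("DATA")),
            "verified": fetched is not None and verify_image(fetched, published),
            "missing_file": missing}


if __name__ == "__main__":
    print(demo())
```

The server refuses anything but the one allow-listed name and only speaks octet mode; the client accepts the image only after the digest matches. The same checks are what you want from a real recovery setup: a dedicated TFTP directory holding only the image, and a hash comparison before `boot system` is pointed at it.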

An Intrusion Detection System can work either in inline mode (IPS) or in promiscuous mode (IDS). In inline mode, the IPS sensor can detect and block attacks by itself, since all traffic passes through the sensor. In promiscuous mode, the IDS sensor only sees a copy of the traffic, so it cannot block attacks itself and has to instruct the firewall to block them. This is depicted in the diagram below.

The IDS sensor in our example is connected in "parallel" (not inline) with the ASA firewall. The "Sensing Interface" of the IDS appliance is connected to the outside (Internet) network zone and continuously monitors traffic to detect attacks. The "Control Interface" of the IDS appliance is connected to the inside network zone and is used to communicate with the ASA firewall. If an attack is detected (e.g. an attacker at address 100.100.100.1 sending malicious traffic to a victim at address 200.200.200.1), the IDS sensor instructs the ASA firewall (over the "Control Interface") to block the attacking host. It does this by asking the firewall to apply the "shun" command.

What is a "shun" command:

The shun command on the ASA firewall is used to block traffic from an attacking host. Packets matching the values in the command are dropped and logged until the block is removed, either manually (no shun) or by the Cisco IDS sensor when its block timer expires.

The full syntax of the command is:

ASA# shun source_ip [dest_ip source_port dest_port [protocol]] [vlan vlan_id]

In our example scenario above, the IDS sensor instructs the firewall to apply the following command:

shun 100.100.100.1 200.200.200.1

Blocking is keyed on the source address: no further traffic from 100.100.100.1 is allowed through, whatever the destination, and the optional destination and port arguments identify the existing connection to be torn down immediately. Use show shun to list the active blocks. Cisco IDS/IPS sensors have a block-time setting that defines how long the shun stays in place; when it expires the sensor removes the entry. Two caveats for operators: a shun is not part of the configuration, so it does not survive a reload; and because the block is keyed on a source address, an attacker spoofing packets from a legitimate host can get that host blocked, which is why automated blocking should be restricted to external addresses with critical hosts on the sensor's never-block list.
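A model of the shun table as the sensor drives it, added here as an example and not taken from the original page or from Cisco: it applies a source-keyed block with the sensor's timer to constructed sample packets and shows what is dropped, what still passes, and what happens when the timer expires and when an operator shuns a host manually. The 600 s block time is an assumed sensor setting; the addresses are the page's example hosts plus one constructed bystander.

```python
"""Added example: ASA shun-table semantics (source-keyed block, sensor timer, manual removal)
applied to constructed sample packets."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ShunEntry:
    source: str
    dest: str = "0.0.0.0"                 # destination given on the command, if any
    expires_at: Optional[float] = None    # None: stays until removed manually with `no shun`


class ShunTable:
    def __init__(self):
        self.entries: Dict[str, ShunEntry] = {}   # one entry per attacking source address

    def shun(self, source, dest="0.0.0.0", now=0.0, block_time=None):
        """Apply `shun source [dest ...]`. The sensor passes its block time; an operator
        typing the command passes None, so the entry never expires on its own."""
        expires = None if block_time is None else now + block_time
        self.entries[source] = ShunEntry(source, dest, expires)

    def no_shun(self, source):
        self.entries.pop(source, None)

    def expire(self, now):
        """Drop entries whose sensor timer ran out; manual shuns are kept."""
        for src in [s for s, e in self.entries.items()
                    if e.expires_at is not None and e.expires_at <= now]:
            del self.entries[src]

    def filter(self, packets, now):
        """Return (passed, dropped). The block is keyed on the source address only: the
        attacker is cut off from every destination, while packets from other sources,
        including the victim's own replies, are unaffected."""
        self.expire(now)
        passed, dropped = [], []
        for pkt in packets:
            (dropped if pkt["src"] in self.entries else passed).append(pkt)
        return passed, dropped

    def active(self):
        """Rough equivalent of `show shun`: the blocks currently in force."""
        return [(e.source, e.dest, e.expires_at) for e in self.entries.values()]


def demo():
    packets = [  # constructed sample traffic seen on the outside interface
        {"src": "100.100.100.1", "dst": "200.200.200.1", "dport": 80},    # attacker -> victim
        {"src": "100.100.100.1", "dst": "200.200.200.2", "dport": 22},    # attacker -> another host
        {"src": "200.200.200.1", "dst": "100.100.100.1", "dport": 443},   # victim -> attacker
        {"src": "198.51.100.7", "dst": "200.200.200.1", "dport": 80},     # unrelated client
    ]
    table = ShunTable()
    # The sensor's reaction to the detected attack, with an assumed 600 s block time.
    table.shun("100.100.100.1", "200.200.200.1", now=0.0, block_time=600)
    passed_now, dropped_now = table.filter(packets, now=10.0)
    passed_later, dropped_later = table.filter(packets, now=601.0)
    return {"dropped_during_block": [p["dst"] for p in dropped_now],
            "passed_during_block": len(passed_now),
            "dropped_after_timer": len(dropped_later),
            "active_after_timer": len(table.active())}


if __name__ == "__main__":
    print(demo())
```

Note the second packet: the attacker's connection to a host the sensor never mentioned is dropped too, because the block follows the source address rather than the flow. That is the behaviour you want against a scanner and the reason a spoofed source is dangerous with automated shunning.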

Access To Hosts from Outside a Cisco ASA

Question:

Hello,

I want to enable access from the internet (outside) to a server at IP address 192.168.100.30 on port 22, located on the inside interface.

We have an ASA 5520, Cisco Adaptive Security Appliance Software Version 8.0(2).

My config (only relevant lines):

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 172.146.147.1 255.255.255.248 standby 172.146.147.2
!
interface GigabitEthernet0/3
nameif Inside
security-level 100
ip address 192.168.200.3 255.255.255.0 standby 192.168.200.2
.
.
access-list Inside_access_in extended permit ip 192.168.100.30 any
access-list Inside_access_in extended deny ip any any
.
.
access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh
access-list Outside_access_in extended deny ip any any
.
.
global (Outside) 1 172.146.147.11 netmask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 10.1.33.0 255.255.255.0
nat (Inside) 1 10.1.34.0 255.255.255.0
nat (Inside) 1 10.1.35.0 255.255.255.0
nat (Inside) 1 10.1.36.0 255.255.255.0
nat (Inside) 1 10.1.39.0 255.255.255.0
nat (Inside) 1 10.1.41.0 255.255.255.0
nat (Inside) 1 10.1.42.0 255.255.255.0
nat (Inside) 1 10.1.44.0 255.255.255.0
nat (Inside) 1 10.1.99.0 255.255.255.0
nat (Inside) 1 10.40.2.0 255.255.255.0
nat (Inside) 1 10.40.24.0 255.255.255.0
nat (Inside) 1 192.168.100.0 255.255.255.0
nat (Inside) 1 192.168.250.0 255.255.255.0
nat (Inside) 1 192.168.96.0 255.255.248.0
static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1
route Inside 10.0.0.0 255.0.0.0 192.168.200.1 1
route Outside 172.16.101.72 255.255.255.252 195.146.147.14 1
route Inside 192.168.0.0 255.255.0.0 192.168.200.1 1
.
.

When I type telnet 172.146.147.15 22 from the public internet I can't open port 22... so I don't know: is something missing or wrong?

Thanks.

Solution:

Below is your outside interface config:

interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12

You are using 255.255.255.248 as the subnet mask, which makes 172.146.147.15 your broadcast address. That being said, you won't be able to access it. You need to use a different address in that range; the available addresses are 172.146.147.9 to 172.146.147.14.

regards,
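The subnet check behind the answer, as an added example that is not part of the original question or answer: it computes the outside subnet from the interface address and mask with the standard library ipaddress module, flags a mapped address that is the network or broadcast address, and lists which host addresses are actually free once the interface, standby, default gateway and global PAT addresses from the posted config are taken out (reading .11 and .14 as taken is my interpretation of the posted lines). On software 8.0 the outside ACL must reference the mapped address, as the posted ACL already does, so the address choice is the remaining problem.

```python
"""Added example: sanity-check a static NAT mapped address against the outside
interface's subnet, using the addresses from the post."""
import ipaddress


def outside_subnet(interface_ip, netmask):
    """The subnet the outside interface lives in (network address from ip + mask)."""
    return ipaddress.ip_network(f"{interface_ip}/{netmask}", strict=False)


def check_static_mapped_ip(mapped_ip, interface_ip, netmask, in_use=None):
    """Return the problems with using `mapped_ip` as a static NAT address on this interface."""
    in_use = in_use or {}
    net = outside_subnet(interface_ip, netmask)
    ip = ipaddress.ip_address(mapped_ip)
    problems = []
    if ip not in net:
        problems.append(f"{ip} is not in {net}, the outside interface's subnet")
    elif ip == net.network_address:
        problems.append(f"{ip} is the network address of {net}")
    elif ip == net.broadcast_address:
        problems.append(f"{ip} is the broadcast address of {net}")
    if str(ip) in in_use:
        problems.append(f"{ip} is already assigned ({in_use[str(ip)]})")
    return problems


def free_host_addresses(interface_ip, netmask, in_use=None):
    """Host addresses of the subnet not already assigned to something else."""
    in_use = in_use or {}
    return [str(h) for h in outside_subnet(interface_ip, netmask).hosts() if str(h) not in in_use]


def demo():
    # Addresses taken from the posted config; the roles are my reading of it.
    in_use = {"172.146.147.13": "interface", "172.146.147.12": "standby",
              "172.146.147.14": "default gateway", "172.146.147.11": "global PAT"}
    iface, mask = "172.146.147.13", "255.255.255.248"
    return {
        "problems": check_static_mapped_ip("172.146.147.15", iface, mask, in_use),
        "usable": [str(h) for h in outside_subnet(iface, mask).hosts()],
        "free": free_host_addresses(iface, mask, in_use),
    }


if __name__ == "__main__":
    print(demo())
```

Running it against the post's addresses reports the broadcast-address problem the answer describes and leaves only .9 and .10 as candidates for the static once the addresses the config already consumes are excluded.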
