Chapter 15
Configuring the Firewall on an ASA

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

  • 5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x
    • Configure ASA access management
    • Configure security access policies
    • Configure Cisco ASA interface security levels
    • Configure default Cisco Modular Policy Framework (MPF)
    • Describe modes of deployment (routed firewall, transparent firewall)
    • Describe methods of implementing high availability
    • Describe security contexts
    • Describe firewall services

There are many additional firewall concepts you also should understand beyond configuring zone-based firewalling and network address translation. In this chapter we’ll look at some other firewall services as well as discuss the difference between a routed and a transparent firewall. Moreover, we’ll cover security contexts and configuring ASA management access. Finally, toward the end of this chapter the Modular Policy Framework approach to configuration will be covered.

In this chapter, you will learn the following:

  • Configuring ASA access management
  • Configuring security access policies
  • Configuring Cisco ASA interface security levels
  • Configuring the default Cisco Modular Policy Framework (MPF)
  • Modes of deployment (routed firewall, transparent firewall)
  • Methods of implementing high availability
  • Security contexts
  • Firewall services

Understanding Firewall Services

The Cisco ASA 9.x firewall series (which is the firewall tested in the CCNA Security exam) has a rich set of features to offer. While it certainly can perform the firewall duties we have come to expect from any enterprise-level firewall, such as traffic filtering and control, it also offers many other functions. Among these are:

Application Inspection Control (AIC)—Also called application protocol control, this feature verifies the conformance of major application layer protocol operations to RFC standards. It can help prevent many of the tunneling attempts and application layer attacks that violate protocol specifications.

Network Address Translation (NAT)—As you learned in Chapter 14, the ASA supports many implementations of NAT, including policy NAT, inside and outside NAT, one-to-one and one-to-many NAT, and port forwarding (static NAT).

IP Routing—The ASA has routing capabilities including static and dynamic routing with support for all major routing protocols such as EIGRP, RIP, OSPF, and BGP.

IPv6 support—The ASA supports IPv6 networking natively and can control access between IPv6 security domains.

DHCP—The ASA can be integrated as either a DHCP server or a DHCP client.

Multicast support—The ASA natively integrates with multicast networks supporting Internet Group Management Protocol (IGMP) and both Protocol Independent Multicast Sparse Mode (PIM-SM) and bidirectional Protocol Independent Multicast (PIM).

Understanding Modes of Deployment

The ASA can be deployed in one of two modes: routed or transparent. The mode you choose will depend on your requirements. In this section, we differentiate these two modes of operation.

Routed Firewall

In routed mode, the ASA serves as a router, and thus each of its interfaces resides in a separate IP subnet. It can use all major routing protocols, including RIP, EIGRP, OSPF, and BGP. In environments where static routing is in use, it can use IP SLA to perform static route tracking, detecting when one static route is unavailable and switching to a second static route.

Transparent Firewall

In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does. This makes the ASA transparent to devices on either side (from a layer 3 perspective); thus the name transparent mode. As with a switch, however, it is possible to configure the ASA with a management IP address for connecting to and managing the ASA.

Understanding Methods of Implementing High Availability

Regardless of whether the ASA is operating in routed or transparent mode, it is providing valuable services to the network. Therefore, providing high availability for the ASA and thus for the services it provides is highly desirable. The ASA has several redundancy options available to satisfy this need. In this section we’ll cover three ways that multiple ASAs can be deployed to provide this redundancy.

Active/Standby Failover

In Active/Standby failover two security appliances are deployed with only one of the appliances processing traffic while the second one serves as a hot standby. This deployment model is shown in Figure 15.1.

Diagram shows Internet is connected to computer and two devices labeled secondary/standby and primary/active.

FIGURE 15.1 Active/Standby failover

Active/Active Failover

In Active/Active failover two security appliances are deployed with both appliances processing traffic with the ability to survive a single device failure. This deployment model is shown in Figure 15.2.

Diagram shows DMZ server, inside PC, and Internet connected to two devices labeled ASA1 and ASA2 with markings for active/active failover, shared outside interface, LAN failover interface, and state failover interface.

FIGURE 15.2 Active/Active failover

Clustering

In clustering, three or more security appliances are deployed as a single logical device. This allows for the management of the multiple ASAs as a unit. It provides increased throughput and redundancy. This deployment model is shown in Figure 15.3.

Diagram shows ASA cluster where spanned EtherChannel is divided into four icons labeled master and slave which together lead to cluster control link.

FIGURE 15.3 Clustering

Understanding Security Contexts

The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators. This results functionally in multiple virtual firewalls as shown in Figure 15.4, where multiple contexts are being used to support multiple customers.

Diagram shows Internet connected to customer A, customer B, and customer C via security context A, security context B, and security context C, respectively.

FIGURE 15.4 Security contexts

Configuring ASA Management Access

While many administrators choose to manage and configure the ASA using the Adaptive Security Device Manager (ASDM), when you deploy a new ASA you will have to begin by setting up the ASA using the CLI. Only after an interface with an IP configuration is enabled will you be able to connect to the device using the ASDM. We will first cover this initial configuration and will then follow with the commands required to allow connections for the ASDM.

Initial Configuration

To perform the initial configuration of the ASA, connect to the device from the console port and perform the operations covered in the next procedure.

Configuring Cisco ASA Interface Security Levels

Before we get into interface configuration we need to discuss a concept that may be new to you if you have only configured routers. On the ASA, interfaces have security levels. These security levels are one of the ways the ASA controls access from one interface to another. Security levels define the trustworthiness of the interface: the higher the level, the more trusted the interface.

Security Levels

The most common configuration is to set the exterior interface (Internet) to a level of zero (or something very low in relation to the other interfaces) and the interior interface (LAN) to a very high security level value. Any other interfaces (such as a DMZ) can be set to a level that properly reflects the trust placed in that interface. With this configuration in place the typical traffic flows in your network will be as follows:

  • Inbound traffic will flow from a low-security interface to a high-security interface. Another way of saying this is that it will flow from a less trusted interface to a more trusted interface.
  • Outbound traffic will flow from a high-security interface to a low-security interface. Another way of saying this is that it will flow from a more trusted interface to a less trusted interface.

By default, the ASA uses these rules to control traffic between interfaces:

  • There is an implicit permit for traffic flowing from a high-security interface to a low-security interface.
  • There is an implicit deny for traffic flowing from a low-security interface to a high-security interface.
  • There is an implicit deny for traffic flowing between two interfaces with the same security level.

Of course, these defaults can be changed and often are changed. Figure 15.5 shows how this would work using security level values 0, 50, and 100. Green lines represent allowed traffic while the red lines represent denied traffic.

Diagram shows Internet connected to G0/0, G0/2, and G0/1 with markings for DMZ network (GigabitEthernet0/2), outside network (GigabitEthernet0/0), and inside network (GigabitEthernet0/1).

FIGURE 15.5 Security levels in action
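The initial CLI setup described above and the security levels of Figure 15.5, as an added example rather than the chapter's own procedure: the interface names and levels come from the figure and the management host 192.168.5.20 from this chapter, the hostname asa70 is taken from the review questions, and the outside and DMZ gateway addresses are constructed.

```cisco
! Added example, not the chapter's procedure. Interface setup for the
! three-interface design of Figure 15.5, then management access for the
! ASDM and SSH from the inside host 192.168.5.20 only.
hostname asa70
!
! nameif must be set before ip address; the level decides default flows.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
! constructed outside address above; 192.168.5.1 assumed as the LAN gateway
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
 no shutdown
!
! 201.3.3.1 assumed as the DMZ gateway (the web server is 201.3.3.3)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 201.3.3.1 255.255.255.0
 no shutdown
!
! The ASDM rides on the HTTP(S) server, so enable it and then scope it to
! the one management workstation (/32 mask) on the inside interface only.
! Nothing arriving on outside or dmz can reach the ASDM.
http server enable
http 192.168.5.20 255.255.255.255 inside
!
! Same scoping for SSH: one host, one interface. SSH also needs an RSA key
! pair and a login method (crypto key generate rsa modulus 2048 plus a local
! username and aaa authentication ssh console LOCAL), not covered here.
ssh 192.168.5.20 255.255.255.255 inside
!
! Check the resulting levels: show nameif lists interface, name and level.
show nameif
```

With this configuration and no access rules, inside (100) can initiate traffic to dmz (50) and outside (0), dmz can reach outside, and outside can reach nothing; the management entries never open inbound access from the lower-security interfaces.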

Configuring Security Access Policies

In its role as a firewall the ASA uses security access policies to control traffic types allowed to flow from one interface to another. These access policies can be configured as interface access rules (much like the ACLs you may have experience with on a router) or by creating and linking object groups. In this section, we’ll discuss both methods.

Interface Access Rules

If you apply no interface access rules on the ASA, the default rules (as covered earlier) are:

  • There is an implicit permit for traffic flowing from a high-security interface to a low-security interface.
  • There is an implicit deny for traffic flowing from a low-security interface to a high-security interface.
  • There is an implicit deny for traffic flowing between two interfaces with the same security level.

This means that you will need to create an access rule to allow traffic in each of the following scenarios:

  • Between interfaces of the same security level
  • Traffic from a lower-security interface to a higher-security interface

While interface rules operate like ACLs, you may (depending on your CLI experience with the ASA) find it easier to create these rules in the ASDM rather than at the command line. In the next procedure, you will see how this is done in the ASDM.

Object Groups

While the previous procedure used the keyword ANY to select the source and destination and HTTP for the service, not very many configurations are that simple. In many cases we need to allow only a select group of devices rather than all devices, or we need to allow only devices on a specific network to send traffic on an interface when multiple networks might be traversing that interface. To make the creation and application of rules easier, the ASA can also use an object-based model for certain rules.

Objects can be created to represent any of the following:

  • Networks
  • Individual hosts
  • Groups of services
  • Resources

Once these objects have been created, they can be linked together to build a rule exactly as in the previous procedure: click the browse button next to each drop-down box in the Add Access Rule dialog box and select the object to use. In the next procedure, you will create objects and then use them in an access rule.
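An added CLI counterpart to the ASDM object and access-rule procedure, not the chapter's own steps: the DMZ web server 201.3.3.3 and the 192.168.5.0/24 LAN are the chapter's values, the object and ACL names are assumed, and the rule lets the Internet (security level 0) reach the DMZ web server (level 50), a flow the implicit deny would otherwise drop.

```cisco
! Added example, not the chapter's procedure. Objects plus one interface
! access rule permitting HTTP/HTTPS from the Internet to the DMZ web server.
! Without this rule the low-to-high implicit deny (0 -> 50) drops the flow.
object network DMZ-WEB-SERVER
 host 201.3.3.3
!
object network INSIDE-LAN
 subnet 192.168.5.0 255.255.255.0
!
! A service object group stands in for "HTTP" in the ASDM service field.
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! Only the explicit web flow is permitted. Everything else arriving on
! outside still matches the ACL's implicit deny; the explicit deny with
! "log" simply makes those drops visible in syslog.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB-SERVER object-group WEB-PORTS
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Caveat: applying an ACL to an interface replaces the implicit rules for
! that direction. An ACL on inside therefore has to permit the flows the
! LAN needs itself, even though inside (100) to dmz (50) was permitted
! by default before the ACL existed.
access-list INSIDE_IN extended permit tcp object INSIDE-LAN object DMZ-WEB-SERVER object-group WEB-PORTS
access-group INSIDE_IN in interface inside
!
! Verification: hit counts per entry show which rule a flow matched.
show access-list OUTSIDE_IN
```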

Configuring Default Cisco Modular Policy Framework (MPF)

In Chapters 4 and 14 you learned about the Cisco Modular Policy Framework (MPF). As review, there are three components that are used as building blocks to implement policies in this framework:

  • Class maps are used to categorize traffic types into classes. ACLs are typically used to define the traffic and then the ACL is referenced in the class map.
  • Policy maps are used to define the action to be taken for a particular class. Actions that can be specified are allow, block, and rate-limit.
  • Service policies are used to specify where the policy-map should be implemented.

In the next procedure, you will use this framework to create a new policy: a class map that identifies Telnet as the traffic, a policy map that specifies an action of deny for that class, and a service policy that applies the pair to all interfaces.
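The three MPF building blocks in CLI form, as an added example rather than the chapter's ASDM procedure: the ACL and class names are assumed, the connection-limit values are constructed, and the action differs from the procedure's deny because the CLI layer 3/4 policy map offers no plain deny action, so a per-class connection limit is used instead.

```cisco
! Added example, not the chapter's procedure. The ASA permits only one
! global service policy, and the default one (global_policy) already
! exists, so the new class is added to that policy map instead of creating
! a second global policy, which the ASA would reject.
!
! 1. Class map: an ACL defines the traffic, the class map references it.
access-list TELNET-TRAFFIC extended permit tcp any any eq telnet
class-map TELNET-CLASS
 match access-list TELNET-TRAFFIC
!
! 2. Policy map: the action for that class, placed inside the existing
!    default policy. Constructed limits: at most 10 established and 5
!    half-open Telnet connections through the ASA at any one time.
policy-map global_policy
 class TELNET-CLASS
  set connection conn-max 10 embryonic-conn-max 5
!
! 3. Service policy: "global" applies the policy map to all interfaces,
!    the same choice as the Global radio button in the ASDM. This line is
!    already present in the default configuration.
service-policy global_policy global
!
! Verification: the class should appear under the global policy with
! its packet counters, and the running policy map should show the action.
show service-policy global
show running-config policy-map global_policy
```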

Summary

In this chapter, you learned how to set up the ASA so you can remotely administer it using the ASDM. You also learned the default security policies that are in place and how the default global policy interacts with configured policies. You also learned about interface security levels and the effect they have on traffic flows. The chapter reviewed the Cisco Modular Policy Framework and how it is used to create policies. It also discussed the difference between a transparent and a routed firewall. Finally, high-availability solutions were introduced, including active-active, active-passive, and clustering approaches.

Exam Essentials

Identify firewall services provided by the ASA. These include Application Inspection Control (AIC), Network Address Translation (NAT), IP Routing, IPv6 support, DHCP, and Multicast support.

Describe the two modes of deploying the ASA. The ASA can be deployed in one of two modes, routed and transparent. In routed mode, the ASA serves as a router, and thus each of its interfaces resides in a separate IP subnet. In transparent mode, the ASA is not acting as a router and assumes a layer 2 identity much as a switch does.

Identify ASA high-availability methods. These include Active/Standby failover, Active/Active failover, and clustering.

Define security contexts in the ASA. The ASA can be partitioned into multiple virtual firewalls or security contexts. Each context can have its own interfaces, policies, and administrators.

Describe the steps required for initial setup of the ASA. These steps include assigning an IP address and mask to interfaces, enabling interfaces, and enabling the HTTP server. They also include permitting the remote management traffic generated when connecting with the ASDM.

List the default traffic rules in the ASA. By default, the ASA uses these rules to control traffic between interfaces: there is an implicit permit for traffic flowing from a high-security interface to a low-security interface, there is an implicit deny for traffic flowing from a low-security interface to a high-security interface, and there is an implicit deny for traffic flowing between two interfaces with the same security level.

Identify examples of items for which objects can be created in the ASA. Objects can be created to represent any of the following: networks, individual hosts, groups of services, or resources.

Describe the components of the Cisco Modular Policy Framework (MPF). There are three components that are used as building blocks to implement policies in this framework: class maps, used to categorize traffic types into classes (ACLs are typically used to define the traffic and then the ACL is referenced in the class map); policy maps, used to define the action to be taken for a particular class (actions that can be specified are allow, block, and rate-limit); and service policies, used to specify where the policy map should be implemented.

Review Questions

  1. Which firewall feature can help prevent many tunneling attempts and application layer attacks?

    1. AIC
    2. NAT
    3. DHCP
    4. PIM-SM
  2. In which mode does the ASA assume a layer 2 identity?

    1. Switch
    2. Transparent
    3. Active/Standby
    4. Routed
  3. In which high-availability approach are three or more security appliances deployed as a single logical device?

    1. Active/Active
    2. Stackwise
    3. Clustering
    4. Active/Standby
  4. What is it called when the ASA is partitioned into multiple virtual firewalls?

    1. security contexts
    2. security domains
    3. security realms
    4. security areas
  5. Which command is used to apply the name outside to an interface on the ASA?

    1. asa70(config-if)#name outside
    2. asa70(config-if)#nameif outside
    3. asa70(config-if)#outside
    4. asa70(config)#nameif outside
  6. Which command is required to connect to the device using the ASDM?

    1. asa70(config)#http server
    2. asa70(config)#http enable
    3. asa70(config)#http server enable
    4. asa70(config)#enable http server
  7. Which command defines an IP address on the inside network that will be allowed to connect to the ASA using HTTP to manage the ASA?

    1. asa70(config)#http 192.168.5.20 255.255.255.255
    2. asa70(config)#http 192.168.5.20/32 inside
    3. asa70(config)#http 192.168.5.20 inside
    4. asa70(config)#http 192.168.5.20 255.255.255.255 inside
  8. What value is used to determine the allowed traffic flows between the interfaces in the ASA?

    1. security level
    2. IP address
    3. MAC address
    4. name
  9. There is an implicit permit for traffic flowing from a _______ security interface to a ________ security interface.

    1. low, low
    2. high, low
    3. high, high
    4. low, high
  10. Which command assigns the security level 100 to an interface?

    1. asa70(config)#security 100
    2. asa70(config)#100 security-level
    3. asa70(config)#security-level 100
    4. asa70(config)#level 100
  11. In which of the following scenarios will you need to create an access rule to allow traffic?

    1. between interfaces of the same security level
    2. traffic to the self-zone
    3. traffic from a higher-security interface to a lower-security interface
    4. in all scenarios
  12. Which of the following is used to represent a select group of devices rather than all devices in a network?

    1. service policy
    2. object group
    3. policy map
    4. security group
  13. Which of the following is used to categorize traffic types in the MPF?

    1. zone pairs
    2. zones
    3. policy maps
    4. class maps
  14. You would like to apply a service policy to all interfaces of the ASA. What radio button do you choose for this in the ASDM?

    1. global
    2. composite
    3. self
    4. all
  15. You need to allow HTTP traffic from the 192.168.5.0/24 network inside the LAN to a web server with the IP address of 201.3.3.3 in the DMZ. What type of object do you create to represent the HTTP traffic?

    1. network object
    2. service object
    3. host object
    4. resource object
  16. Which of the following is used to specify where a policy map should be implemented in the MPF?

    1. zone pairs
    2. zones
    3. service policy
    4. class maps
  17. The ASA you manage has three interfaces that you have labeled inside (LAN), outside (Internet), and dmz. The security levels you have assigned are 100, 0, and 50 respectively. Currently the only rules in place are the global default rules. Which traffic is allowed?

    1. inside to outside
    2. outside to dmz
    3. dmz to outside
    4. inside to dmz
  18. In the following command output what does inside represent?

    asa70(config)#ssh 192.168.5.20 255.255.255.255 inside

    1. ACL name
    2. security level
    3. interface IP address
    4. traffic direction
  19. Which of the following is used to define the action to be taken for a traffic type in the MPF?

    1. zone pairs
    2. zones
    3. policy maps
    4. class maps
  20. There is an implicit deny for traffic flowing from a ________ security interface to a ________ security interface.

    1. low, low
    2. high, low
    3. high, high
    4. low, high