1/72
Adaptive Security Appliance
CCNA Security Lab
5505 vs 5506-X
Nico [email protected]
20, 2018
Diegem, Belgium
2/72
Agenda: What will happen in this session?
ASA Overview
Basic Interface/Firewall Config
ASA Firewall Rules
ASA 8.3+ NAT
Modular Policy Framework
CLI config lab
this session focuses on the ASA 5505/5506-X ONLY (!)
3/72
Agenda: What won’t happen in this session?
ASDM Configuration
IPsec site-to-site or remote access VPN
SSL remote access VPN (requires ASDM)
ASDM config session
Dynamic Routing with ASA
Linking ASA with AD
4/72
ASA Overview
5/72
ASA (Adaptive Security Appliance)
Proven Firewall technology
Intrusion Prevention capabilities
VPN Solution
Failover
Virtualization
ASA 5505 / 5506-X
new bundles have a 5506-X
Next Generation Firewall
Next Generation IPS
Advanced Malware Protection
“FirePOWER”
6/72
ASA Security Contexts
Virtualisation
Separate Policy
Separate Interfaces
Separate admin
7/72
ASA High Availability (failover)
Active/Standby
Active/Active
depends on model
8/72
ASA Identity Firewall
9/72
ASA Threat Containment
Advanced Intrusion Prevention
AIP-SSM for rack-based models
AIP-SSC-5 for ASA-5505
software module on ASA-5506-X
10/72
Routed vs Transparent Mode
Routed mode: a “router” with filtering
– interfaces in different networks
Transparent mode: a “switch” with filtering
– single network, the ASA is a “bump in the wire”
– 1 IP address, for management only
11/72
ASA 5505 Licensing
12/72
ASA 5506-X Licensing
more power
more possibilities (VLANs, connections, VPN Sessions, …)
...
13/72
ASA 5505/5506-X Licensing
5505 VLANs with Base License
– 3 VLANs are supported
– 1 restricted VLAN that can ONLY initiate traffic to one other VLAN (return traffic is allowed)
5506-X with Base License
– 5 VLANs are supported (on trunks)
NO support for Security Contexts on either model
Stateless Active/Standby failover ONLY with the Security Plus License
Not an HQ firewall, but SOHO, Small Branch, ...
14/72
Any questions so far???
15/72
Basic Interface / Firewall Config
16/72
Permitted Traffic
Security level(aka Trust-Level)
Defaults
Inside: 100
Outside: 0
Typical
DMZ: 50
5505 Base License:
– 1 VLAN can only initiate traffic to one other VLAN
– typically the DMZ does not initiate traffic to inside
17/72
Denied Traffic
return traffic is allowed (inspection)
no lower to higher security level traffic
exception: ACLs
18/72
Security Levels
Measure of trustworthiness
0 (not trusted) to 100 (trusted)
Traffic can flow freely from higher valued to lower valued interfaces
Return Traffic is automatically allowed
ACLs are needed to allow flow from low to high
19/72
“Return traffic is automatically allowed”
Requires “inspection”: the ASA is a stateful firewall
CONN (connection) and XLATE (translation) internal tables are consulted to “allow” return traffic
Depending on the protocol the inspection goes up to layer 7 (e.g. FTP data channel, SIP media)
Check the tables with show conn and show xlate
20/72
ASA 5505 vs 5506-X
ASA 5505:
– max ASA OS 9.2
– 8 layer 2 (switch) ports, Ethernet0/0 - 0/7
– interface names do not include the speed (Ethernet0/1)
– the ports are divided over 3 (Base License) VLANs
– 1 VLAN cannot initiate traffic to one of the others
– the VLAN interfaces get the layer 3 configuration
ASA 5506-X:
– ASA OS 9.7+ (the bridge-group based default configuration needs Integrated Routing and Bridging, introduced in 9.7)
– 8 layer 3 (routed) ports, GigabitEthernet1/1 - 1/8
– interface names include the speed (GigabitEthernet1/1)
– 1 dedicated management port (Management1/1)
– bridging between interfaces must be configured – similar to IOS Bridge-Group Virtual Interfaces (BVI)
– the BVI interface gets the layer 3 configuration
21/72
IOS vs ASA commands
IOS command  ->  ASA equivalent
enable secret password  ->  enable password password
line vty 0 4 / password password / login  ->  passwd password
ip route ...  ->  route intname ...
show ip interface brief  ->  show interface ip brief
show ip route  ->  show route
show vlan  ->  show switch vlan (5505)
show ip nat translations  ->  show xlate
copy running-config startup-config  ->  write [memory]
erase startup-config  ->  write erase
22/72
IOS vs ASA commands
Privileged EXEC commands can be given in any mode (no need for do)
The help command can HELP
To interrupt the “more” output, press Q, not Ctrl-C
There is a “setup” wizard…
some things can only be configured from within ASDM...
23/72
ASA Default Configuration
HTTP access for ASDM (Adaptive Security Device Manager) is configured for access from 192.168.1.0/24 via the “inside” VLAN/BVI
A DHCP server is configured for the “inside” VLAN/BVI, with addresses 192.168.1.5-192.168.1.36 (5505) or 192.168.1.5-192.168.1.254 (5506-X)
DNS information (domain name and DNS server) learned from the “outside” DHCP server is handed to the inside DHCP clients (dhcpd auto_config outside)
Default: empty passwords (login and enable), so set them before you connect the outside interface
The ASA works “out of the box”
To reset an ASA:
– (config)# configure factory-default
24/72
ASA 5505 Defaults
hostname is “ciscoasa”
E0/0 is configured in VLAN 2 (outside)
Other interfaces are in VLAN 1 (inside)
VLAN 1 is configured as “inside”, with security-level 100 and IP 192.168.1.1/24
VLAN 2 is configured as “outside”, with security-level 0, and IP and default gateway via DHCP
PAT is automatically configured
25/72
ASA 5506-X Defaults
hostname is “ciscoasa”
GigE1/1 is configured as outside interface
Other interfaces are in bridge-group 1
BVI1 is configured as “inside”, with security-level 100 and IP 192.168.1.1/24
GigE1/1 is configured as “outside”, with security-level 0, and IP and default gateway via DHCP
PAT is automatically configured
Dedicated management Ethernet interface
26/72
ASA 9.7+ Default Configuration (ASDM/NAT/MGMT)
Management 1/1 interface is up but unconfigured; it is used for the ASA FirePOWER module
ASDM access
– from inside hosts
– from wifi hosts (5506W-X)
NAT: interface PAT configured for
– wifi > outside
– inside > outside
– management > outside
27/72
Let’s take a (more or less) deep dive in the ASA CLI
28/72
ASA 5505 Default Configuration
ASA Version 9.1(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
29/72
ASA 5505 Default Configuration
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d5da6714509c82bc97629f33075459a2
: end
30/72
ASA 5506-X Default Configuration
ASA Version 9.8(1)
!
hostname ciscoasa
enable password $sha512$5000$9JNFlM2inkuNUhQjKQHfnA==$wT70e2xMZSZjwgKJVQAu0Q== pbkdf2
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
31/72
ASA 5506-X Default Configuration
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
32/72
ASA 5506-X Default Configuration
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d59032ee5b05b5a1791caaa0aa416df8
: end
33/72
ASA Commands
hostname hostname
domain-name name
banner motd message (multiple lines = multiple banner motd commands, NO delimiter)
enable password password
key config-key password-encryption newpassword [ oldpassword ]
password encryption aes
show password encryption
34/72
ASA Interface Commands
interface Ethernet0 (PIX / routed-port ASA)
interface vlan 1 (ASA 5505)
nameif if_name
– not case sensitive
– the “no”-form removes ALL references to the interface (ACLs, NAT, routes, ...)
– the name “inside” automatically gets security-level 100; every other name (including “outside”) defaults to security-level 0
security-level value
ASA 5505 with Base License: the LIMITED 3rd VLAN can only initiate traffic to one (of the 2) other VLANs
– no forward interface vlan 1 (must be entered on that VLAN interface BEFORE its nameif)
35/72
ASA Interface Commands
ip address IP SNM
ip address dhcp
ip address dhcp setroute
– (also ask the external DHCP server for the default gateway)
ip address pppoe
ip address pppoe setroute
36/72
ASA 5505 Interface Commands
interface ethernet0/0
 switchport access vlan 2
 no shutdown
show switch vlan (ports to VLAN/ifname mapping)
show interface
show interface ip brief (physical/logical interfaces and status)
show ip address
37/72
ASA BVI-interface configuration
Bridge-group Virtual Interface
physical interfaces are connected to it with the bridge-group command
nameif and security-level are required on each member interface (!)
the layer 3 configuration (IP address) goes on the BVI
traffic between two members (same security-level) additionally needs same-security-traffic permit inter-interface
interface GigabitEthernet1/2
 bridge-group 1
 nameif Private_1
 security-level 100
interface GigabitEthernet1/3
 bridge-group 1
 nameif Private_2
 security-level 100
interface BVI1
 nameif Private
 security-level 100
 ip address 10.0.0.1 255.255.255.0
38/72
Configure a (Default) Static Route
Syntax: route int_name NWA SNM Next-Hop-IP
Example: route outside 0.0.0.0 0.0.0.0 192.0.2.1
dynamic routing is not within the scope of this session
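Putting the interface, VLAN and static-route commands of the previous slides together, the following is a complete ASA 5505 Base License configuration with an inside, an outside and a restricted DMZ VLAN. It is an added example, not a configuration from the original deck; the hostname, the 203.0.113.0/29 outside block with next hop 203.0.113.1 and the 172.16.1.0/24 DMZ are assumptions.

```cisco
! Added example (not from the original deck). ASA 5505, Base License:
! inside (VLAN 1), outside (VLAN 2) and a restricted DMZ (VLAN 3).
! Assumed addresses: 203.0.113.0/29 on outside, 172.16.1.0/24 in the DMZ.
hostname ASA5505-LAB
domain-name lab.example
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! Base License: the third VLAN may not initiate traffic to one of the
! other two. "no forward interface" must be entered BEFORE nameif.
! Blocking DMZ -> inside keeps a compromised DMZ host away from the LAN;
! inside -> DMZ still works and its return traffic is allowed statefully.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Switch ports: E0/0 -> outside, E0/1 -> DMZ, the others stay in VLAN 1.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 3
 no shutdown
!
interface Ethernet0/2
 no shutdown
!
! Default route towards the ISP router (assumed next hop).
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Verify the port-to-VLAN mapping with show switch vlan, the interface state with show interface ip brief and the default route with show route; a host in the DMZ should then be able to answer, but not open, connections towards inside.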
39/72
Configure Telnet Access
passwd password
Define subnet and interface for telnet clients:
– telnet NWA SNM if_name (IPv4)
– telnet PF/PFL if_name (IPv6)
– (multiple statements are allowed)
telnet timeout minutes
aaa authentication telnet console LOCAL (LOCAL is predefined and case sensitive)
clear configure telnet (remove all telnet config from running-config)
show run telnet (shows only the telnet configuration)
Caveat: Telnet is cleartext, and the ASA refuses Telnet on its lowest security-level interface (outside); use SSH instead.
40/72
Configure SSH Access
Create user DB: username name password password
aaa authentication ssh console LOCAL (LOCAL is predefined and case sensitive)
crypto key generate rsa modulus modulus (2048 recommended)
ssh version { 1 | 2 } (use 2; version 1 is insecure)
ssh timeout minutes
Define subnet and interface for SSH clients:
– ssh NWA SNM if_name (IPv4)
– ssh PF/PFL if_name (IPv6)
– (multiple statements are allowed)
clear configure ssh (remove all SSH config from running-config)
Caveat: the 5506-X default configuration uses ssh key-exchange group dh-group1-sha1; change it to dh-group14-sha1.
41/72
Configure Clock
Manual: clock set ?
ntp server IP-address [ key keyid ]
ntp authenticate
ntp trusted-key keyid
ntp authentication-key keyid md5 key
clock timezone zone-name {+ | -}hours [ minutes ]
clock summer-time CEST last sunday March 02:00 last sunday October 03:00
42/72
Configure DHCP Server
Only 1 “pool” per interface is possible:
dhcpd address IP_from[-IP_to] if_name
Default lease length is 1 hour (3600 seconds):
dhcpd lease-length seconds
Optionally give DNS info:
dhcpd dns dnsIP1 [ dnsIP2 ]
dhcpd domain domainname
dhcpd enable if_name
Depending on the license a number of DHCP clients is supported:
– ASA 5505 Base License: 32 (for 10 concurrent users)
– with 50 concurrent users: 128 DHCP clients
– with “unlimited” users: 256 DHCP clients
43/72
Configure DHCP Server
To hand information that was learned through external DHCP (outside interface) to internal DHCP clients:
dhcpd auto_config outside
show dhcpd state (state for inside/outside/... interfaces)
show dhcpd binding
show dhcpd statistics
clear dhcpd binding
clear dhcpd statistics
44/72
Local User Database
username admin1 password class
username admin2 password class privilege 15
The local userdatabase is known as “LOCAL” (case sensitive) in AAA method lists
45/72
Define AAA Servers
aaa-server SRVLIST protocol { radius | tacacs+ | ... }
aaa-server SRVLIST (inside) host 10.1.1.2 shared-secret
The shared secret is not shown in the running-config (!)
There are more authentication protocols available than RADIUS/TACACS+ (LDAP, Kerberos, ...)
Define a method list:
– aaa authentication { enable | serial | telnet | ssh | http } console SRVLIST LOCAL
– Only two methods can be used: the server group and, as fallback, LOCAL
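The Telnet, SSH, local-user and AAA-server slides above fit together into one management-access configuration. This is an added example, not from the original deck; the user name, the TACACS+ server 192.168.1.10, the group name TACGRP, the secrets and the master key are assumptions.

```cisco
! Added example (not from the original deck). Management access: SSH only,
! AAA against a TACACS+ server with fallback to the LOCAL database.
! Assumed: user admin1, TACACS+ server 192.168.1.10, the secrets shown.
username admin1 password Str0ngLabP@ss privilege 15
aaa local authentication attempts max-fail 5
!
! Host key and SSH hardening: 2048-bit RSA, version 2 only, and a stronger
! key exchange than the dh-group1-sha1 found in the 5506-X default config.
crypto key generate rsa modulus 2048
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh timeout 10
! Only the management subnet on "inside" may open SSH. There is no
! "telnet ... inside" line at all, so Telnet stays disabled.
ssh 192.168.1.0 255.255.255.0 inside
!
! TACACS+ server group; LOCAL as second method avoids a lock-out when the
! server is unreachable.
aaa-server TACGRP protocol tacacs+
aaa-server TACGRP (inside) host 192.168.1.10
 key TacacsSharedSecret
!
aaa authentication ssh console TACGRP LOCAL
aaa authentication enable console TACGRP LOCAL
aaa authentication http console TACGRP LOCAL
!
! Store the shared secret AES-encrypted instead of reversible/clear.
! "key config-key" is a privileged EXEC command; the rest is configuration.
key config-key password-encryption MasterKey-Lab-2018
password encryption aes
```

Check the result with show run ssh, show run aaa and show password encryption; then test the fallback by stopping the TACACS+ server and logging in as admin1.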
46/72
No questions yet?
47/72
ASA Firewall Rules
48/72
Access Control Lists
Standard or extended, but only named ACLs
No wildcard masks, but subnet masks
Also possible to specify a source/destination interface
Multiple access-list statements with the same name make one ACL (implicit deny at the end)
ASA(config)# access-list ACL1 extended permit ?
configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ip
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  tcp
  udp
  <output omitted>
(config)# access-group access-list {in|out} interface if_name [ control-plane ]
49/72
Filtering
Automatic filtering with the system of security-levels
What with interfaces on the same level?
(config)# same-security-traffic permit ?
configure mode commands/options:
  inter-interface  Permit communication between different interfaces with the same security level
  intra-interface  Permit communication between peers connected to the same interface
ASA 5505: hosts in the same VLAN are switched at layer 2 and never reach the firewall policy; intra-interface is needed when traffic enters and leaves the same interface (e.g. hairpinned VPN traffic)
ASA 5506-X: inter-interface is required for traffic between members of the same bridge-group (it is part of the default configuration)
Objects and Object Groups
ACLs
50/72
Objects / Object-Groups
1 namespace for objects and object-groups
Objects
– Network objects: host, subnet, range
– Service objects: L4 protocols with source or destination port numbers
Object-Groups
– Network: hosts, subnets (address + mask) or other network objects/object-groups (no range)
– Service: L4 protocols with source or destination port numbers or other service objects/object-groups
– ICMP-type object-groups
– Protocol object-groups: protocols carried by IP
– User object-groups (no CCNA Security topic)
– Security object-groups (no CCNA Security topic)
51/72
Network Object-Groups
(config)# object-group network NWG
(config-network)# ?
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for network object-group configuration commands
  network-object  Configure a network object
  no              Remove an object or description from object-group
(config-network)# network-object ?
network-object-group mode commands/options:
  Hostname or A.B.C.D  Enter an IPv4 network address
  X:X:X:X::X/<0-128>   Enter an IPv6 prefix
  host                 Enter this keyword to specify a single host
  object
52/72
Service Object-Groups
(config)# object-group service SRV
(config-service)# ?
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for service object-group configuration commands
  no              Remove an object or description from object-group
  service-object  Configure a service object
(config-service)# service-object ?
dual-service-object-group mode commands/options:
  <0-255>  Enter protocol number (0 - 255)
  icmp
  icmp6
  ip
  tcp
  tcp-udp  Both TCP & UDP
  udp
  <output omitted>
53/72
Service Object-Groups
service-object tcp destination [ operator ] <dstport or name>
service-object tcp source [ operator ] <srcport or name>
(source and destination may be combined in one statement)
operator: eq | neq | gt | lt | range
54/72
Other Object-Groups / Objects
ICMP-type object groups
Protocol object groups (allows for protocol selection: 6, 17, 47, 50, 51, 88, 89, …)
There are also Network Objects / Service Objects (NOT GROUPS)
– to define addresses in some way (subnet, ...)– to define services in some way (port number, ...)
55/72
Objects & Object Groups: When?
NAT-definition (on 8.3+) is only possible with “Network Objects”
Since the same namespace is used, you can choose
Network Object-Groups have no “range” or “subnet”-statement
IPv6 Object-Groups can NOT be nested
Perhaps it is easier to use – objects only for NAT – object groups for Access Control Lists
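As an added example of objects, object-groups and a named extended ACL (not from the original deck), the following restricts what inside hosts may start towards outside. The object names, the second inside subnet 192.168.2.0/24 and the resolvers 203.0.113.53/.54 are assumptions. The security-relevant point: once an ACL is applied inbound on inside, the implicit “high to low” permit no longer applies, and everything not listed is dropped by the implicit deny at the end.

```cisco
! Added example (not from the original deck). Egress filtering on "inside"
! with object-groups. Names and addresses are assumptions.
object-group network INSIDE-NETS
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
!
object-group network DNS-SERVERS
 network-object host 203.0.113.53
 network-object host 203.0.113.54
!
! TCP-only service group: port-object entries, protocol fixed in the header
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
!
! Protocol-agnostic service group: the protocol is part of each entry
object-group service DNS-SERVICE
 service-object udp destination eq 53
 service-object tcp destination eq 53
!
! Web anywhere, DNS only to our resolvers, ping allowed, the rest logged
! and dropped. Subnet masks (not wildcard masks); one name = one ACL.
access-list INSIDE-IN extended permit tcp object-group INSIDE-NETS any object-group WEB-PORTS
access-list INSIDE-IN extended permit object-group DNS-SERVICE object-group INSIDE-NETS object-group DNS-SERVERS
access-list INSIDE-IN extended permit icmp object-group INSIDE-NETS any echo
access-list INSIDE-IN extended deny ip any any log
!
access-group INSIDE-IN in interface inside
```

show access-list INSIDE-IN shows the expanded entries with hit counters; packet-tracer input inside tcp 192.168.1.20 40000 198.51.100.7 443 should end in ALLOW, the same command with port 25 in DROP on the deny line.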
56/72
Still no questions?
57/72
ASA 8.3+ NAT
58/72
Network Address Translation
Inside NAT: addresses from the higher security level are changed when transmitted through the lower level interface (source NAT)
Outside NAT: addresses from the lower security level are changed before being transmitted through the higher level interface (destination NAT)
Bidirectional NAT: all of the above
59/72
Network Address Translation
Dynamic NAT: many-to-many
Dynamic PAT: many-to-one
Static NAT: one-to-one (mostly outside to inside)
Policy NAT: Not all traffic has to be NAT-ted the same way.
Twice NAT (manual NAT): source and destination are translated in one rule; typically met as NAT exemption for Remote-Access VPN traffic (not CCNA Security)
60/72
Dynamic NAT
First, create a network object defining the outside (mapped) address range:
(config)# object network NOUTSIDE
(config-network-object)# range 192.0.2.1 192.0.2.6
Then, create a network object defining the inside (real) addresses:
(config)# object network NINSIDE
(config-network-object)# subnet 192.168.0.0 255.255.0.0
Within this object, define the NAT rule:
(config-network-object)# nat (inside,outside) dynamic NOUTSIDE
Caveat: with only 6 mapped addresses new connections fail once the pool is exhausted; append the keyword interface (dynamic NOUTSIDE interface) to fall back to PAT on the outside interface address.
61/72
Dynamic PAT
First, create a network object defining the inside addresses:
(config)# object network NINSIDE
(config-network-object)# subnet 192.168.0.0 255.255.0.0
Within this object, define the NAT rule, translating to the interface IP:
(config-network-object)# nat (inside,outside) dynamic interface
62/72
Static NAT
Mostly used to “publish” an internal server to the internet
Create a network object defining the inside server address and, within it, the NAT rule:
(config)# object network SERVER
(config-network-object)# host 192.168.0.17
(config-network-object)# nat (inside,outside) static 192.0.2.85
The NAT statement mentions the outside (mapped) IP address of the server.
You still have to make an ACL to allow the traffic IN from the lower to the higher security level! Since ASA 8.3 that ACL matches the REAL address (192.168.0.17), not the mapped 192.0.2.85.
63/72
Static PAT
If you want to add a port number (to allow for one external IP address and multiple internal servers), the nat syntax is as follows:
(config)# nat (real_if,mapped_if) static mapped_ip service { tcp | udp } real_port mapped_port
Note the order: the real (inside) port comes first, then the mapped (outside) port.
Example: internal SSH (port 22) published on external port 2222:
(config)# nat (inside,outside) static 100.200.100.100 service tcp 22 2222
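The dynamic PAT, static NAT and static PAT slides above, combined for one small site with inside, dmz and outside. This is an added example, not from the original deck; the public address 203.0.113.85, the DMZ hosts 172.16.1.10/.20 and the admin network 198.51.100.0/24 are assumptions.

```cisco
! Added example (not from the original deck). ASA 8.3+ object NAT for a
! site with inside, dmz and outside. Assumed: 203.0.113.85 public web IP,
! 172.16.1.0/24 DMZ, 198.51.100.0/24 admin network.
!
! Dynamic PAT: all inside hosts share the outside interface address.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Static NAT: DMZ web server published one-to-one on a dedicated public IP.
object network DMZ-WEB
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.85
!
! Static PAT: SSH on a jump host reachable on port 2222 of the outside
! interface address. Order is real_port, then mapped_port.
object network DMZ-JUMP
 host 172.16.1.20
 nat (dmz,outside) static interface service tcp 22 2222
!
! Inbound ACL on "outside". Since 8.3 the ACL sees the REAL (pre-NAT)
! addresses and ports, so match 172.16.1.x and port 22, not the mapped
! 203.0.113.x and port 2222. Static NAT publishes ALL ports; the ACL is
! what limits the web server to 80/443 and SSH to the admin network.
access-list OUTSIDE-IN extended permit tcp any host 172.16.1.10 eq 80
access-list OUTSIDE-IN extended permit tcp any host 172.16.1.10 eq 443
access-list OUTSIDE-IN extended permit tcp 198.51.100.0 255.255.255.0 host 172.16.1.20 eq 22
access-list OUTSIDE-IN extended deny ip any any log
!
access-group OUTSIDE-IN in interface outside
```

show nat detail lists the rules with their translate and untranslate hit counters, show xlate the live translations; packet-tracer input outside tcp 198.51.100.5 51000 203.0.113.85 443 walks a simulated packet through the UN-NAT, ACCESS-LIST and NAT phases and shows on which one it would be dropped.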
64/72
NAT Troubleshooting
Actual NAT definition:
# show nat
# show nat detail
Translations:
# show xlate
65/72
Are you guys still with me?
66/72
Modular Policy Framework
67/72
Modular Policy Framework
Class Maps are used to identify the traffic
– Default class map: inspection_default
Policy Maps are used to specify what to do with the traffic:
– Inspect
– Police/shape
– Prepare for RADIUS accounting
– Prepare for NetFlow export
– …
– Default policy map: global_policy
Service-Policy: connects the policy to an interface
– If no other policies are defined, the default policy map is used for all traffic on all interfaces
– default: service-policy global_policy global
Related to IOS MQC and C3PL
68/72
Class-Maps
Default Class-Map
(config)# class-map inspection_default
(config-cmap)# match default-inspection-traffic
– Default inspection traffic: DNS, FTP, HTTP, ICMP, SMTP, TFTP (incomplete list) and TCP/UDP
Within a self-defined class map you can match on
– Access-list
– Any packet
– DSCP/precedence value
– TCP/UDP port (destination by default)
– RTP port numbers
– …
show running-config class-map
class-map HTTPTRAFFIC
 match port tcp eq 80
class-map SPECIALTRAFFIC
 match access-list MYACL
69/72
Policy-Map
Default Policy Map
TCP and UDP connections are always tracked statefully
Note that the default policy map has NO inspection for ICMP!!! (without inspect icmp, echo replies coming back from outside need an ACL)
Create a policy map:
(config)# policy-map MYPOLICY
(config-pmap)# class MYCLASS
(config-pmap-c)# inspect protocol
Connect the policy map to an interface (or apply it globally):
(config)# service-policy MYPOLICY { global | interface if_name }
The default is:
(config)# service-policy global_policy global
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
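Two MPF changes that follow from the class-map and policy-map slides above: adding the missing ICMP inspection to the default global policy, and an interface policy that protects a published server. This is an added example, not from the original deck; the DMZ web server 172.16.1.10 and the class/policy names are assumptions.

```cisco
! Added example (not from the original deck).
! 1. ICMP inspection in the default global policy: echo replies are then
!    matched to the outbound echo request in the conn table, so no ACL
!    entry on "outside" is needed for them.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2. Interface policy on "outside" for a published DMZ web server
!    (172.16.1.10, assumed): HTTP inspection plus embryonic-connection
!    limits as SYN-flood protection (TCP intercept takes over above them).
!    An interface policy is matched before the global policy; a given
!    feature is applied only once per flow.
access-list DMZ-WEB-TRAFFIC extended permit tcp any host 172.16.1.10 eq 80
!
class-map DMZ-WEB-CLASS
 match access-list DMZ-WEB-TRAFFIC
!
policy-map OUTSIDE-POLICY
 class DMZ-WEB-CLASS
  inspect http
  set connection conn-max 2000 embryonic-conn-max 300 per-client-embryonic-max 20
  set connection timeout embryonic 0:00:20
!
service-policy OUTSIDE-POLICY interface outside
```

show service-policy interface outside shows per-class packet counters and the current embryonic connection count; ping a host on outside from inside to confirm that the echo reply is now accepted without an ACL.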
70/72
Q&A: shoot!
71/72
Friendly neighbourhood competition!
Let’s Play!
72/72