
ASA Essentials Part 2

NAT, Advanced Firewall, VPN


October 2012

Bogdan Doinea
Technical Manager CEE&RCIS
Cisco Networking Academy
bdoinea@cisco.com
2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

Translations and Connections

Advanced Firewall Configurations


A look at VPNs on the ASA
Technical Demo


NAT defines the way we translate private addresses into public ones and vice versa

What are the private address spaces? (defined in RFC 1918)

Class A: 10.0.0.0/8: 16,777,214 hosts
Class B: 172.16.0.0/12: 1,048,574 hosts
Class C: 192.168.0.0/16: 65,534 hosts
(the /12 and /16 blocks are larger than a single classful B or C network; the class names are used loosely)

Depending on how many hosts must be translated and how many public IP addresses are available, there are two types of translation:

NAT (Network Address Translation): works on the layer 3 addresses only
PAT (Port Address Translation): also works on the layer 4 ports

In relation to the direction of the translation:

Inside NAT: addresses from the LAN are translated to addresses in the WAN space
Outside NAT: addresses from the WAN are translated to addresses in the LAN space

Figure (inside NAT): host 192.168.10.10 behind the ASA (inside 192.168.10.1, outside 209.100.65.1) connects to the web server 141.85.99.10.
  Inside:  192.168.10.10:24000 -> 141.85.99.10:80
  Outside: 209.100.65.10:24000 -> 141.85.99.10:80   (source address rewritten to the public address 209.100.65.10, port unchanged)
  Reply:   141.85.99.10:80 -> 209.100.65.10:24000 is translated back to 141.85.99.10:80 -> 192.168.10.10:24000

To do NAT, the firewall only modifies the layer 3 header: the IP address, plus the IP header checksum and the TCP/UDP checksum (which covers the addresses through the pseudo-header). The ports are left alone.


Outside NAT
It is actually bidirectional NAT: the source address of packets coming from the Internet gets translated, as well as the destination.

Figure (outside NAT): Internet host 141.85.99.10 connects to the internal server 192.168.10.10, published as 209.100.65.10.
  Outside: 141.85.99.10:24000 -> 209.100.65.10:80
  Inside:  192.168.10.30:24000 -> 192.168.10.10:80   (destination mapped to the real server, source mapped to the inside address 192.168.10.30)
  Reply:   192.168.10.10:80 -> 192.168.10.30:24000 is translated back to 209.100.65.10:80 -> 141.85.99.10:24000

Used in cases where hosts on the outside have to appear as if they were on the inside of the network (typically because the internal hosts have no route back to the outside addresses).



"NAT conserves addresses"
It does not: the private-to-public translation is done at a 1-to-1 ratio, so every translated host consumes a public address.
It is PAT that conserves addresses.

"NAT is a security mechanism"
The security functionality that NAT brings is a consequence of the design, not an objective.
It is not good practice to rely on NAT for inside-outside security.
There is another device that does the same thing as NAT from the security-of-connections point of view: the stateful firewall.
On top of that, a stateful firewall has extra functionality (application inspection etc.).


Be careful, NAT terminology is pretty diverse

What is SNAT?
Inside NAT (source NAT: the source address of outbound packets is rewritten)

What is DNAT?
A concept called port forwarding/port redirection (the destination address, and usually the port, of inbound packets is rewritten), not outside NAT


Port address translation

Allows the translation of multiple private addresses using a single public IP address
Because a 1-to-1 mapping cannot be done at layer 3 any more, it is done at layer 4 by mapping ports
Each private pair (IP_intern, port_intern) is mapped to a public pair (IP_extern, port_extern)
By default, PAT tries to keep the internal port as the external port; when that port is already in use, another one is allocated
The PAT translations are kept in the firewall's translation (xlate) table in memory


For the translated address, we can use:

The address of the outgoing interface
A public IP address that has not been assigned to any interface

Figure (PAT): hosts .10 and .20 on 192.168.10.0/24 behind the ASA (inside 192.168.10.1, outside 209.100.65.1) both connect to 141.85.99.10:80.
  192.168.10.10:24000 -> 141.85.99.10:80  becomes  209.100.65.1:24000 -> 141.85.99.10:80   (port preserved)
  192.168.10.20:24000 -> 141.85.99.10:80  becomes  209.100.65.1:30000 -> 141.85.99.10:80   (port 24000 already in use, so a new one is allocated)

For connection-oriented protocols, the firewall erases the translation entry from memory once the connection is terminated (FIN/ACK exchange or RST)

For connectionless protocols, each translation has an idle timeout after which it is removed


Be careful, connection and translation are different concepts for a firewall

Scenario: a user downloads a web page, sends an instant message and downloads his email with an email client

How many connections does the firewall have in memory?
A minimum of 3 (it can be more, depending on how the protocols work)

How many layer 3 NAT translations does the firewall have in memory?
1 (one xlate for the host; with PAT there would be one per source port, so at least 3)
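To make the difference between the conn table and the xlate table concrete, here is a small Python model written for this page (an added example, not code from the slides or from Cisco). It simulates dynamic 1:1 NAT and PAT with port preservation, the stateful check on return traffic and the teardown of entries, so the answer to the quiz above (3 connections and 1 layer 3 translation, or 3 translations under PAT) can be reproduced. The addresses are the slides' own; the second and third server addresses, the instant-messaging port and the port ranges used when a port is already taken are assumptions.

```python
"""Model of the translation (xlate) table next to the connection (conn)
table of a stateful NAT firewall. This is an added example, not code from
the slides or from Cisco: it imitates the behaviour the slides describe
(dynamic 1:1 NAT at layer 3, PAT at layer 4 with port preservation, and a
conn entry that is separate from the xlate) so that the counts in the quiz
can be reproduced. The port ranges used for PAT fallback and the sample
flows are assumptions; addresses are those of the slides' diagrams."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


# When the original source port is taken, a replacement is picked from the
# same range (assumed here: 1-511, 512-1023, 1024-65535).
PORT_RANGES = ((1, 511), (512, 1023), (1024, 65535))


@dataclass
class NatFirewall:
    mode: str                                   # "nat" (1:1, layer 3) or "pat" (layer 4)
    pool: list                                  # public addresses available
    xlate: dict = field(default_factory=dict)   # translation table
    conns: set = field(default_factory=set)     # connection table (inside view)

    def _alloc_nat(self) -> Optional[str]:
        used = set(self.xlate.values())
        return next((ip for ip in self.pool if ip not in used), None)

    def _alloc_pat(self, f: Flow) -> tuple:
        public = self.pool[0]                   # PAT: many hosts, one address
        in_use = {(k[0], v[1]) for k, v in self.xlate.items()}
        if (f.proto, f.src_port) not in in_use:
            return public, f.src_port           # port preserved
        lo, hi = next(r for r in PORT_RANGES if r[0] <= f.src_port <= r[1])
        for port in range(lo, hi + 1):
            if (f.proto, port) not in in_use:
                return public, port
        raise RuntimeError("PAT port range exhausted")

    def _lookup_inside(self, f: Flow) -> Optional[tuple]:
        """Reverse lookup: which inside socket does an inbound packet belong to?"""
        for key, val in self.xlate.items():
            if self.mode == "nat" and val == f.dst_ip:
                return key, f.dst_port
            if self.mode == "pat" and key[0] == f.proto and val == (f.dst_ip, f.dst_port):
                return key[1], key[2]
        return None

    def outbound(self, f: Flow) -> Optional[Flow]:
        """Inside -> outside. Returns the packet as seen on the outside, or
        None when no translation can be built (dynamic NAT pool exhausted)."""
        if self.mode == "nat":
            if f.src_ip not in self.xlate:        # layer-3 key: one entry per host
                ip = self._alloc_nat()
                if ip is None:
                    return None
                self.xlate[f.src_ip] = ip
            out = Flow(f.proto, self.xlate[f.src_ip], f.src_port, f.dst_ip, f.dst_port)
        else:
            key = (f.proto, f.src_ip, f.src_port)  # layer-4 key: one entry per socket
            if key not in self.xlate:
                self.xlate[key] = self._alloc_pat(f)
            ip, port = self.xlate[key]
            out = Flow(f.proto, ip, port, f.dst_ip, f.dst_port)
        self.conns.add(f)
        return out

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside. Un-translates the packet and lets it through only
        if it is the reply to a connection in the conn table."""
        inside = self._lookup_inside(f)
        if inside is None:
            return None                         # no xlate: nothing to deliver to
        inner = Flow(f.proto, f.src_ip, f.src_port, inside[0], inside[1])
        return inner if inner.reverse() in self.conns else None

    def close(self, f: Flow) -> None:
        """Connection teardown (FIN/ACK or RST seen). A PAT xlate lives and
        dies with its connection; a dynamic NAT xlate stays until its timeout."""
        self.conns.discard(f)
        if self.mode == "pat":
            self.xlate.pop((f.proto, f.src_ip, f.src_port), None)


def quiz(mode: str) -> tuple:
    """One user loads a web page, sends an instant message and fetches mail
    (constructed servers). Returns (connections, translations) in memory."""
    fw = NatFirewall(mode, pool=["209.100.65.10"])
    host = "192.168.10.10"
    fw.outbound(Flow("tcp", host, 24000, "141.85.99.10", 80))     # web page
    fw.outbound(Flow("tcp", host, 24001, "141.85.99.20", 5222))   # instant messaging (assumed XMPP)
    fw.outbound(Flow("tcp", host, 24002, "141.85.99.30", 110))    # POP3 mail download
    return len(fw.conns), len(fw.xlate)


if __name__ == "__main__":
    print("nat:", quiz("nat"), "pat:", quiz("pat"))
```

The model picks the first free port in the range when 24000 is already taken, so the second host of the PAT figure gets 209.100.65.1:1024 here; the real ASA shows a different value (30000 in the figure), which is the point: the external port is whatever the firewall allocates, and only the xlate table can map it back.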


Advanced Firewall
Configuration
The insides of Application Inspection


Why do we need application inspection?

(1) Scenarios in which applications run over non-standard ports
By default, firewalls identify applications by their standard assigned port
Example: if HTTP runs over port 8080, the firewall does not recognize the traffic as HTTP; the HTTP inspection engine is never applied and, if the access policy only permits what it recognizes as HTTP, the packets are dropped

Figure: client 192.168.10.10 behind the ASA (inside 192.168.10.1, outside 209.100.65.1) talking to server 141.85.99.10 with HTTP on port 8080


Why do we need application inspection?

(2) Applications that need to open dynamic ports in order to work
The dynamically opened ports are negotiated by the application, usually on the control communication channel
Examples: active FTP, multimedia streaming, VoIP

Case study:
Active FTP vs. passive FTP


Figure (active FTP): client ports N (command) and N+1 (data); server ports 21 (command) and 20 (data)

1. The client initiates a connection to port 21 on the server using a random source port N > 1023.
2. The server responds with an ACK from its port 21 to port N of the client.
3. The client sends the command PORT N+1 over the control channel and opens port N+1 to receive. By this, the client tells the server the port it wants to use for the data transfer.
4. The server tries to open (initiate) a connection from its port 20 (the default data port) to port N+1 on the client.
5. The firewall blocks the connection at step 4, because it does not have a state object for it in memory.

Figure (passive FTP): client ports N (command) and N+1 (data); server ports 21 (command) and X (data)

1. The client initiates a connection to port 21 of the server from a random source port N > 1023. The client opens port N+1 for the data transfer.
2. The server sends an ACK from its port 21 to port N on the client.
3. The client sends the PASV command to the server.
4. The server opens a random port X > 1023 for the data transfer and tells the client about it in the reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
5. The client initiates the data connection from its port N+1 to port X on the server.

Conclusions:
Active FTP does not work by default if the client is behind a firewall
Because of the stateful inspection (the data connection is initiated from the outside)
Because of NAT (the PORT command carries the client's private address)

Passive FTP should always work for a client behind a firewall, since the client initiates both connections
If the FTP server itself lies in a DMZ type of area and access is granted from the outside, the random data port X has to be permitted as well, which again needs inspection

Why do we want to use active FTP?
Because it opens fewer sockets on the server:
http://www.faqs.org/rfcs/rfc1579.html

With application inspection:
The firewall can read the commands sent on the control channel of FTP
When the firewall sees the PORT N+1 command, it opens port N+1 for the data transfer between the two IP addresses (client and server)


Why do we need application inspection?

(3) Applications that embed the IP address in the control channel messaging and thus conflict with NAT
As a result, the IP address in the layer 3 header is not the same as the one embedded at layer 7
The peer application tries to open sockets to the private IP address and cannot succeed

Application inspection to the rescue!
The firewall inspects the IP address in the control channel and rewrites it with the one in the xlate table
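Putting the FTP case study and point (3) together: the following Python model, added here and not taken from the slides or from the ASA, shows what the FTP inspection engine does with the control channel. It parses the client's PORT command and the server's 227 reply, rewrites the private address embedded in PORT with the address from the xlate, opens a one-shot pinhole for the announced data connection, and drops a PORT command that points at a third party (the FTP bounce pattern, a common inspection safeguard). The xlate, the server address and the two sample sessions are constructed; PORT/227 syntax is RFC 959.

```python
"""Model of FTP application inspection on a NAT firewall, as an added
example (not code from the slides or from the ASA): the inspector reads the
FTP control channel, opens a pinhole for the data connection that the PORT
command or the 227 reply announces and, because the client sits behind NAT,
rewrites the private address embedded at layer 7 so that it matches the
xlate. The xlate, the addresses and the sample sessions are constructed."""
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def encode_hostport(ip: str, port: int) -> str:
    """RFC 959 h1,h2,h3,h4,p1,p2 form of an address/port pair."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(groups) -> tuple:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


@dataclass(frozen=True)
class Pinhole:
    """Temporary permit for one expected data connection: who may initiate
    it and where it must go (addresses as seen on the outside)."""
    initiator: str
    dst_ip: str
    dst_port: int


class FtpInspector:
    def __init__(self, client_ip: str, client_public_ip: str, server_ip: str):
        self.client_ip = client_ip
        self.xlate = {client_ip: client_public_ip}   # static 1:1 NAT for the client
        self.server_ip = server_ip                   # taken from the control connection
        self.pinholes: set = set()

    def client_to_server(self, line: str) -> str:
        """Inspect a control-channel line from the client (inside); returns
        the line as forwarded to the server, or '' if the line is dropped."""
        line = line.rstrip("\r\n")
        m = PORT_RE.match(line)
        if not m:
            return line                          # not a command we care about
        ip, port = decode_hostport(m.groups())
        if ip != self.client_ip:
            # The client may only ask for data to be sent to itself; a third-party
            # address is the FTP bounce pattern, so the command is dropped
            return ""
        public_ip = self.xlate[ip]
        # Active mode: the server will initiate from port 20 to the client
        self.pinholes.add(Pinhole(self.server_ip, public_ip, port))
        # Layer-7 fixup: the server must see the translated address
        return "PORT " + encode_hostport(public_ip, port)

    def server_to_client(self, line: str) -> str:
        """Inspect a control-channel line from the server (outside)."""
        line = line.rstrip("\r\n")
        m = PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            # Passive mode: the client will initiate to the server's port X
            self.pinholes.add(Pinhole(self.xlate[self.client_ip], ip, port))
        return line

    def data_connection_allowed(self, initiator: str, dst_ip: str, dst_port: int) -> bool:
        """Stateful check for a new data connection: without a pinhole there is
        no state for it and it is blocked. A pinhole is used once."""
        hole = Pinhole(initiator, dst_ip, dst_port)
        if hole in self.pinholes:
            self.pinholes.remove(hole)
            return True
        return False


def active_session(inspect: bool = True) -> dict:
    """Client 192.168.10.10 (seen outside as 209.100.65.10) talks to server
    141.85.99.10; N = 24000, so the client announces N+1 = 24001."""
    fw = FtpInspector("192.168.10.10", "209.100.65.10", "141.85.99.10")
    forwarded = fw.client_to_server("PORT 192,168,10,10,93,193\r\n") if inspect else None
    return {"forwarded": forwarded,
            "data_allowed": fw.data_connection_allowed("141.85.99.10", "209.100.65.10", 24001)}


def passive_session() -> dict:
    fw = FtpInspector("192.168.10.10", "209.100.65.10", "141.85.99.10")
    fw.client_to_server("PASV\r\n")
    fw.server_to_client("227 Entering Passive Mode (141,85,99,10,156,64)\r\n")   # X = 40000
    return {"data_allowed": fw.data_connection_allowed("209.100.65.10", "141.85.99.10", 40000)}


if __name__ == "__main__":
    print(active_session(), active_session(inspect=False), passive_session())
```

Without inspection the active-mode data connection from the server's port 20 arrives with no matching state and is blocked, which is step 5 of the active FTP slide; with inspection the PORT line leaves the firewall as PORT 209,100,65,10,93,193 and the pinhole lets that single connection in.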


What is MPF (Modular Policy Framework)?
A set of structures and commands in the ASA OS
A way of making logical connections between the theoretical concepts and their practical implementations

What does MPF offer?
The possibility to control and configure the features below using the same commands and OS structures:
Application Inspection
IPS (AIP-SSM)
Anti {virus | spam | spyware} (CSC SSM)
Setting connection limits
Traffic policing


MPF is defined through 3 basic structures

Class-map
Used to identify traffic flows using different strategies
There are generic class-maps that identify traffic at layers 3 and 4, and inspection class-maps that can identify traffic at layer 7

Policy-map
Used to associate one or more actions with the packets identified by a class-map
There are generic policy-maps that apply standard actions (inspect, police, set connection etc.) and inspection policy-maps that specifically control application-layer information

Service-policy (command)
Used to apply a policy globally or at interface level


Figure (MPF flow): class-maps identify the traffic (IP telephony, System Engineers, Internet) -> the policy-map attaches actions to it (inspect, police, prioritize) -> the service-policy applies it on an interface (outside)

Defining a class-map (L3/L4)

ciscoasa(config)# class-map identify_by_L3_or_L4
ciscoasa(config-cmap)# ?
MPF class-map configuration commands:
  description  Specify class-map description
  exit         Exit from MPF class-map configuration mode
  help         Help for MPF class-map configuration commands
  match        Configure classification criteria
  no           Negate or set default values of a command
  rename       Rename this class-map

The match command is used to identify traffic


What criteria can the match command use to identify traffic?

access-list: uses an ACL for classification
any: matches every packet
dscp: matches the ToS field using the IETF DSCP standard
precedence: matches the ToS field using the IP Precedence standard
tunnel-group: matches traffic going into a VPN tunnel; can only be used for QoS purposes
flow ip destination-address: used for identifying a destination IP inside a tunnel-group; can only be used together with tunnel-group
port: identifies a UDP or TCP port
default-inspection-traffic: matches a series of protocols that work over their standard, well-known ports


A class-map supports a single match command
The exception is tunnel-group and default-inspection-traffic, which let the admin specify one more match statement
When there are two match commands, the firewall applies a logical AND between them

By default, the class-map inspection_default is present:

ciscoasa# sh run
....
class-map inspection_default
match default-inspection-traffic
....


What does default-inspection-traffic contain?

ciscoasa(config-cmap)# match ?
mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
    ctiqbe------tcp--2748
    dns---------udp--53
    ftp---------tcp--21
    gtp---------udp--2123,3386
    h323-h225---tcp--1720
    h323-ras----udp--1718-1719
    http--------tcp--80
    icmp------icmp
    ils---------tcp--389
    mgcp--------udp--2427,2727
    netbios-----udp--137-138
    radius-acct-udp--1646
    rpc---------udp--111
    rsh---------tcp--514
    rtsp--------tcp--554
    sip---------tcp--5060
    sip---------udp--5060
    skinny------tcp--2000
    smtp--------tcp--25
    sqlnet------tcp--1521
    tftp--------udp--69
    waas--------tcp--1-65535

The policy-map determines the action the firewall takes on the classified traffic
Step 1: we give the policy-map a name
Step 2: we associate it with a class-map
Step 3: we specify the action(s)

ciscoasa(config)# policy-map test_policy
ciscoasa(config-pmap)# class major_protocols
ciscoasa(config-pmap-c)# inspect ftp
ciscoasa(config-pmap-c)# inspect icmp


One policy-map can have multiple actions, of different categories

ciscoasa(config-pmap-c)# ?
MPF policy-map class configuration commands:
  csc             Content Security and Control service module
  exit            Exit from MPF class action configuration mode
  flow-export     Configure filters for NetFlow events
  help            Help for MPF policy-map class/match submode commands
  inspect         Protocol inspection services
  ips             Intrusion prevention services
  no              Negate or set default values of a command
  police          Rate limit traffic for this class
  priority        Strict scheduling priority for this class
  quit            Exit from MPF class action configuration mode
  service-policy  Configure QoS Service Policy
  set             Set connection values
  shape           Traffic Shaping


ciscoasa# sh run
..........
!
class-map example
 match port tcp eq www
!
policy-map http_policy
 class example
  inspect http
  police input 1000000
  set connection conn-max 1000 per-client-embryonic-max 50
!
..........

(the class referenced under the policy-map must be the class-map defined above; a name that does not exist is rejected)


A policy can be applied globally or at interface level

The globally applied policy applies to all the traffic entering the ASA on any interface, but only in the ingress direction
The interface-level policy applies to all the traffic on that interface, ingress and egress
There can be one global policy and one policy per interface; for a feature that both define, the interface policy takes precedence

# applied on the interface
ciscoasa(config)# service-policy http_policy interface inside
# applied globally
ciscoasa(config)# service-policy http_policy global


Inside a policy-map, a packet can match several class-maps as long as the actions those class-maps apply are of different feature types (inspection, policing, connection limits etc.)

class-map example
 match port tcp eq www
policy-map http_policy
 class example
  police input 1000000
  set connection conn-max 1000 per-client-embryonic-max 50
 class inspection_default
  inspect http

Here an HTTP packet is policed and connection-limited by class example and inspected by class inspection_default, although it matches both class-maps.
For the same feature type, the packet only matches one class-map: the first one in the policy-map that matches it.
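The classification and matching rules above, as an added Python model (not code from the slides or from the ASA): class-maps with a single match criterion, a policy-map that keeps the first matching class per feature type, and a service-policy in which the interface policy overrides the global one for a feature it defines. The class-map and policy-map names are the slides' own; inside_policy, the flows and the subset of default-inspection-traffic ports are constructed, and only the ingress direction is modelled.

```python
"""Model of how the Modular Policy Framework evaluates a flow. Added example,
not code from the slides or from the ASA: it implements the rules stated on
the slides (one match criterion per class-map, at most one class-map per
feature type inside a policy-map, interface service policy wins over the
global one for a feature it defines) over constructed flows. The names
example, inspection_default and http_policy come from the slides'
configuration; inside_policy and DEFAULT_INSPECTION are constructed."""
import ipaddress
from dataclasses import dataclass

# Subset of 'match default-inspection-traffic': protocol -> (transport, ports)
DEFAULT_INSPECTION = {
    "http": ("tcp", {80}), "ftp": ("tcp", {21}), "smtp": ("tcp", {25}),
    "dns": ("udp", {53}), "sip": ("udp", {5060}), "tftp": ("udp", {69}),
}


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


class ClassMap:
    """L3/L4 class-map with a single match criterion:
    kind in {'any', 'port', 'default-inspection-traffic', 'access-list'}."""
    def __init__(self, name: str, kind: str, arg=None):
        self.name, self.kind, self.arg = name, kind, arg

    def matches(self, f: Flow) -> bool:
        if self.kind == "any":
            return True
        if self.kind == "port":                         # match port tcp eq www
            proto, ports = self.arg
            return f.proto == proto and f.dst_port in ports
        if self.kind == "default-inspection-traffic":
            return any(f.proto == proto and f.dst_port in ports
                       for proto, ports in DEFAULT_INSPECTION.values())
        if self.kind == "access-list":                  # entries: (src, dst, proto, port|None)
            src, dst = ipaddress.ip_address(f.src_ip), ipaddress.ip_address(f.dst_ip)
            return any(f.proto == proto and (port is None or f.dst_port == port)
                       and src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                       for s, d, proto, port in self.arg)
        raise ValueError(f"unknown match criterion {self.kind}")


class PolicyMap:
    """Ordered (class-map, actions) pairs. Actions are ASA-style strings whose
    first word is the feature type: 'inspect', 'police', 'set', ..."""
    def __init__(self, name: str, classes: list):
        self.name, self.classes = name, classes

    def apply(self, f: Flow) -> dict:
        """feature type -> (class-map that supplied it, its actions)."""
        applied = {}
        for cmap, actions in self.classes:
            if not cmap.matches(f):
                continue
            for action in actions:
                feature = action.split()[0]
                # First matching class-map wins per feature type; later class-maps
                # can still contribute actions of other feature types.
                owner, acts = applied.setdefault(feature, (cmap.name, []))
                if owner == cmap.name:
                    acts.append(action)
        return applied


class ServicePolicy:
    """'service-policy X global' plus 'service-policy Y interface Z'.
    Only the ingress direction is modelled here."""
    def __init__(self, global_policy: PolicyMap = None, interface_policies: dict = None):
        self.global_policy = global_policy
        self.interface_policies = interface_policies or {}

    def evaluate(self, f: Flow, ingress: str) -> dict:
        result = self.global_policy.apply(f) if self.global_policy else {}
        iface_policy = self.interface_policies.get(ingress)
        if iface_policy:
            result.update(iface_policy.apply(f))   # interface policy overrides per feature
        return result


def slides_configuration() -> ServicePolicy:
    """The class-map/policy-map pair from the slides, applied globally, plus a
    constructed interface policy that polices the inside interface harder."""
    example = ClassMap("example", "port", ("tcp", {80}))
    inspection_default = ClassMap("inspection_default", "default-inspection-traffic")
    http_policy = PolicyMap("http_policy", [
        (example, ["police input 1000000",
                   "set connection conn-max 1000 per-client-embryonic-max 50"]),
        (inspection_default, ["inspect http"]),
    ])
    inside_policy = PolicyMap("inside_policy", [(example, ["police input 500000"])])
    return ServicePolicy(http_policy, {"inside": inside_policy})


if __name__ == "__main__":
    sp = slides_configuration()
    print(sp.evaluate(Flow("tcp", "192.168.10.10", "141.85.99.10", 80), "inside"))
```

Running the slides' configuration against an HTTP flow shows the rule from the last slide: police and set connection come from class example, inspect from class inspection_default, and a second "inspect http" placed under a later class would be ignored because the feature type is already owned by the first match.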


Virtual Private Networks


A look at types of VPNs supported on the ASA


A solution to create an end-to-end private connection over an unsafe, open network like the Internet

There are leased solutions that achieve the same end result: leased lines
What is the difference between having a leased line and a VPN?
The cost


Relative to the ISP:

Overlay
Peer-to-peer

Figure: overlay VPN, the tunnel crosses the ISP network end to end

The overlay model makes the ISP network invisible to the client
The ISP routers do not get to know the client networks
Types of overlay VPNs: L2TP, PPTP, IPSec


Peer-to-peer: in this model, the ISP participates in the routing decision
The routing adjacency is between the ISP and the client

Figure: peer-to-peer VPN, the customer routers peer with the ISP routers

Overlay VPN models dominated 90% of the market before MPLS became popular

Still, MPLS by itself does not provide any confidentiality or authentication scheme


Relative to the topology:

Site-to-Site
Remote-access

Figure: headquarters connected to two remote offices

A site-to-site VPN ties together many fixed locations over the Internet
Configuration only has to be done on the firewalls/routers
There is no need to have a VPN client on the laptop/computer


Most VPN technologies are based on tunneling
Tunneling means an extra header is added at the layer where the tunnel is built
Example: IPIP tunnel
Used when the end-to-end source or destination network is not known in the routing table of an intermediate router

  | Tunnel IP header | Original IP header | Layer 4 header | Data |

The original, end-to-end header is hidden from all the routers traversed between the tunnel endpoints: they forward on the tunnel header only (with plain IPIP the original header is not encrypted, only encapsulated; confidentiality is what IPSec adds)
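The IPIP encapsulation described above, as an added Python example (not code from the slides): it builds the outer IPv4 header that the tunnel entry point prepends (IP protocol number 4), shows that a transit router forwards on the outer addresses only, and strips the header again at the exit point after checking it. The tunnel endpoint addresses reuse the slides' 209.100.65.1 and 141.85.99.10; the inner packet is constructed.

```python
"""IP-in-IP encapsulation (IP protocol 4), as an added example and not code
from the slides: the tunnel entry point prepends an outer IPv4 header, a
router on the path only sees the outer addresses, and the exit point strips
the header again. The inner packet is constructed; the tunnel endpoints are
assumed to be the ASA outside address and the remote end used on the
slides."""
import struct

IPPROTO_IPIP = 4


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    def addr(ip: str) -> bytes:
        return bytes(int(o) for o in ip.split("."))
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                         ttl, proto, 0, addr(src), addr(dst))
    return fields[:10] + struct.pack("!H", checksum(fields)) + fields[12:]


def parse_ipv4(pkt: bytes) -> dict:
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "checksum_ok": checksum(pkt[:ihl]) == 0, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: prepend an outer IP header carrying protocol 4 (IPIP)."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(outer: bytes, my_addr: str) -> bytes:
    """Tunnel exit: verify the outer header and hand back the original packet."""
    hdr = parse_ipv4(outer)
    if not hdr["checksum_ok"] or hdr["proto"] != IPPROTO_IPIP or hdr["dst"] != my_addr:
        raise ValueError("not an IPIP packet for this endpoint")
    return hdr["payload"]


def what_a_transit_router_sees(pkt: bytes) -> tuple:
    """A router between the endpoints forwards on the outer header only."""
    h = parse_ipv4(pkt)
    return h["src"], h["dst"], h["proto"]


def demo() -> dict:
    # Constructed inner packet: 192.168.10.10 -> 192.168.20.10, UDP, 5 bytes of data
    udp = struct.pack("!HHHH", 24000, 53, 8 + 5, 0) + b"hello"
    inner = ipv4_header("192.168.10.10", "192.168.20.10", 17, len(udp)) + udp
    outer = encapsulate(inner, "209.100.65.1", "141.85.99.10")
    return {"transit": what_a_transit_router_sees(outer),
            "inner_after": parse_ipv4(decapsulate(outer, "141.85.99.10")),
            "roundtrip": decapsulate(outer, "141.85.99.10") == inner}


if __name__ == "__main__":
    d = demo()
    print("transit router sees:", d["transit"])
    print("after decapsulation:", d["inner_after"]["src"], "->", d["inner_after"]["dst"])
```

The transit router only ever sees 209.100.65.1 -> 141.85.99.10, protocol 4, so the private 192.168.x.x addresses never have to exist in its routing table; that is the whole reason for the tunnel, and also why an IPIP tunnel alone gives no confidentiality: the inner packet is right there after the 20-byte outer header.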


IPSec is a security protocol framework


IPSec: Confidentiality

Figure: encryption algorithms shown by key length: 56 bits, 168 bits, 256 bits, 160 bits; key exchange with DH group 7 (DH7)

IPSec: Integrity

Figure: hash algorithms shown by digest length: 128 bits, 160 bits; DH group 7 (DH7)

IPSec: authentication with non-repudiation

Figure residue: DH7


Telecommuting is increasingly common as a way of working
The risk of passing company information over the Internet is high

Remote access VPN

IPSec
SSL

Figure: remote office / teleworker connecting to headquarters


                        IPSec                                                 SSL
Applications            Any IP-based application                              Web, e-mail, file sharing in native mode (clientless)
Encryption strength     Very strong key lengths, from 56 to 256 bits          Moderate key lengths, from 40 to 128 bits
Authentication          Strong two-way authentication                         Moderate one-way or two-way authentication
Ease of use             Moderate, can be challenging for a non-technical user Very easy
Options for connecting  A preconfigured client is necessary                   No client is needed, only a working browser

(The 40-bit and 56-bit figures reflect export-grade ciphers and DES from the time of the slides; current TLS and IPSec deployments use 128- or 256-bit AES on both sides, so the encryption row no longer separates the two.)

As remote access solutions, the two options do not exclude each other

IPSec = security
SSL = mobility, flexibility


The SSL VPN architecture presumes:

An SSL VPN server at the company headquarters
The SSL VPN client on the teleworker's laptop

The SSL VPN client has 3 operating modes:

Clientless
Thin client
Full client

Figure: remote office / teleworker connecting to the SSL VPN server


For both clientless and thin-client modes, the browser is the client

Clientless
In this mode, nothing but HTTP and HTTPS is allowed
The user authenticates on the SSL portal to get access to internal company web resources

Thin client
In this mode, the user downloads Java applets from the portal
The applets behave like TCP proxies for applications
The user connects to several applications through the TCP proxy (POP3, SMTP, IMAP, Telnet, SSH, CIFS)
The applet makes an HTTP connection, inside the SSL session, to the SSL server; the addressing information needed to reach the real service is carried in the payload
The SSL server then makes the connection to the end service inside the company network


The full client can usually be downloaded from the SSL portal after the user authenticates

Depending on the vendor, the client may install seamlessly or manually, with user intervention


How the SSL session is set up (the slide describes an RSA key transport handshake):

The user makes a TCP connection to port 443
The firewall answers with a public key, signed in a certificate
The client software generates a secret key
The client transmits the secret key encrypted with the public key
Bulk encryption is done using the secret key

(With the (EC)DHE key exchange that current TLS versions use, and that TLS 1.3 requires, the secret is derived by both sides instead of being sent encrypted with the server's public key; the certificate then only serves to authenticate the server.)


Demo topology: R1 (Fa0/1) and R2 (Fa0/1) each connect to the ASA; the ASA interf​aces Fa0/0 and Fa0/2 are named outside and inside


Thank you.
