Académique Documents
Professionnel Documents
Culture Documents
Andrew Ossipov
Technical Marketing Engineer
Cisco Security Business Group
Agenda
Introduction to ASA
Cisco Public
ASA Functionality
Adaptive Security (more-than-an-)Appliance
Stateful architecture is about flows or connections, not packets
Most effective with TCP, UDP, and ICMP
TCP is the main reason for deploying a stateful firewall
High-speed NAT
Identity-based Access Control
High Availability and Scalability
Application Inspection
NGIPS with FirePOWER services
Introduction to ASA
Cisco Public
ASA 5555-X
(2 Gbps,
50K conn/sec)
Multiservice
ASA 5545-X
(1.5 Gbps,
30K conn/s)
ASA 5515-X
(750 Mbps,
15K conn/s)
ASA 5512-X
(500 Mbps,
10K conn/s)
ASA 5525-X
(1 Gbps,
20K conn/s)
(7-10 Gbps,
140K conn/s)
ASA 5540
ASA 5505
(150 Mbps,
4K conn/s)
ASA 5520
(450 Mbps,
12K conn/s)
(650 Mbps,
25K conn/s)
ASA 5510
(300 Mbps,
9K conn/s)
ASA 5580-40
(10-20 Gbps,
Branch
Office
ASA 5550
(1.2 Gbps,
36K conn/s)
ASAv
(1-2Gbps,
10-20K conn/s)
Internet
Edge
2014 Cisco and/or its affiliates. All rights reserved.
ASA 5580-20
ASA SM
(16-20 Gbps,
300K conn/s)
150K conn/s)
(5-10 Gbps,
90K conn/s)
Data Center
Campus
Cisco Public
ASA5500-X Appliances
Hard Disk Drive
(CX/SFR only)
ASA5512-X
ASA5515-X
ASA5525-X
Integrated
Power Supply
ASA5545-X
ASA5555-X
Dual independent
Power Supplies
ASA/IPS Management
interface
Cisco Public
IPS/CX/SFR CPU
Firewall RAM
Firewall CPU
Management0/0
1GE
System Bus
Bus 1
Bus 0
IPS
Accelerator**
Expansion Card
Crypto
Engine
Ethernet
External NICs
6x1Gbps* or
8x1Gbps**
6x1Gbps
External Interfaces
6x1GE
On-board Interfaces
6x1GE* or 8x1GE**
Cisco Public
Firewall expansion
interfaces (IPS/CX/SFR)
CX/IPS/SFR Management
1GE interfaces
Dual independent
Firewall SSPs or
Firewall + IPS or
Firewall + CX or
Firewall + SFR
Fiber 10GE
interfaces (2 or 4)
Copper 1GE
interfaces (6 or 8)
ASA Management
1GE interfaces
Reserved USB
ports
Dual independent
Power Supplies or
Power Supply + Fan
Introduction to ASA
Cisco Public
RAM
MAC 2
SSP-40/60
MAC 1
2x10Gbps
Crypto
Complex
Management
2x1GE
System Bus
Ethernet
2x10Gbps
10Gbps
On-board 1GE
interfaces
6x10Gbps
Expansion Slot
SSP
Cisco Public
Introduction to ASA
Interim
Maintenance
x.y(z)a
Minor
Train
Major
Version:
8.4(4)5
Train:
8.4
5th Interim of 8.4(4)
Cisco Public
10
Introduction to ASA
Cisco Public
11
Configuration Basics
Interfaces
Physical interfaces are externally visible Ethernet ports
Virtual interfaces may share or bundle physical interfaces
IEEE 802.1Q VLAN trunks
interface GigabitEthernet0/1.10
vlan 10
Less overhead with a Redundant interface, but more capacity with Etherchannel
interface Redundant 1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
interface GigabitEthernet0/0
channel-group 1 mode active
interface GigabitEthernet0/1
channel-group 1 mode active
interface Port-Channel 1
Introduction to ASA
Cisco Public
13
Logical Interfaces
All policies and operations use logical (named) interfaces
interface GigabitEthernet0/0.10
vlan 10
nameif outside
security-level 0
ip address 172.16.164.120 255.255.255.224 standby 172.16.164.121
Introduction to ASA
Cisco Public
14
Introduction to ASA
Cisco Public
15
Packet Processing
Interface Controller moves packets from Ethernet to memory
Data Path CPU process checks all inbound packets sequentially
Multiple parallel threads on all modern platforms
Stateful checks are applied to every single packet
Fastpath, Slowpath, Control Plane
Introduction to ASA
Cisco Public
16
Introduction to ASA
Cisco Public
17
Unified Objects
Useful to refer to IP addresses, subnets, or ranges by name
object network INSIDE_NETWORK
subnet 192.168.0.0 255.255.0.0
object network PAYROLL
range 2001:DB8::10 2001:DB8::15
Introduction to ASA
Cisco Public
18
Object Groups
Tie multiple similar objects into a single policy entity
Network addresses, transport protocols, identity attributes
Significantly simplify policy management
Unified Object
object-group network INSIDE_NETWORKS
network-object object ACCOUNTING
network-object 2001:DB8::/64
network-object 192.168.2.0 255.255.255.0
group-object BRANCH_NETWORKS
Nested Object
Group
Introduction to ASA
Cisco Public
19
Introduction to ASA
Cisco Public
21
Introduction to ASA
Cisco Public
22
Network entity to
translate (real)
Introduction to ASA
Cisco Public
23
Introduction to ASA
Cisco Public
24
Old way to define a PAT pool is an Object Group with multiple single IP objects
Introduction to ASA
Cisco Public
25
192.168.1.35198.51.100.50
192.168.1.36198.51.100.51
192.168.1.45198.51.100.60
Introduction to ASA
192.168.1.56/25198.51.100.75/25
192.168.1.55/80198.51.100.75/8080
Cisco Public
26
DNS Doctoring
ASA can rewrite IP in transit DNS responses per NAT rules
Modifies A (IPv4) or AAAA (IPv6) record when crossing mapped interface
Should only be used with Static NAT
192.168.1.57
DNS
4. Access
192.168.1.57
3. Rewrite 198.51.100.170
192.168.1.57
2. www.abcd.com is
198.51.100.170
1. Who is
www.abcd.com ?
Introduction to ASA
Cisco Public
27
Twice NAT
Match and translate packets on source and destination together
Similar to Network Object NAT, but cannot use in-line IP or DNS Doctoring
A dynamic translation can only pair with a static one
object network A
host 192.168.1.102
object network B
host 198.51.100.150
object network A_MAP
host 203.0.113.102
object network B_MAP
host 192.168.1.200
nat (inside,outside) source static A A_MAP destination static B_MAP B service PORTS PORTS_MAP
Cisco Public
28
The show nat command will display the NAT table in order
NAT Table
Static NAT
Longest Prefix
Shortest Prefix
Dynamic NAT
First Match
(in config)
Longest Prefix
Shortest Prefix
Introduction to ASA
First Match
(in config)
Cisco Public
29
ACL Basics
Extended ACLs must be used for most features
New connection establishment, traffic classification, and so on
Standard ACLs can be used by some features (Route Maps, Capture)
Introduction to ASA
Cisco Public
31
Unified ACLs
Legacy software used separate IPv4 and IPv6 interface ACLs
Any depends on
the ACL type
Any IPv4
ASA 9.0 uses a single ACL for all IPv4 and IPv6
access-list
access-list
access-list
access-list
IN
IN
IN
IN
extended
extended
extended
extended
permit
permit
permit
permit
ip
ip
ip
ip
Any IPv6
Cisco Public
32
10 source IP
addresses
21 destination IP
addresses
33 TCP ports
6930 rules
Introduction to ASA
Cisco Public
33
Introduction to ASA
Cisco Public
34
Packet Flow
172.16.164.216:5620 inside
Introduction to ASA
Cisco Public
36
Ingress
Interface
Existing
Conn
No
ACL
Permit
NAT
Untranslate
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
Egress
Interface
No
DROP
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Cisco Public
37
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
No
DROP
NAT IP
Header
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
Yes
L2
Addr
TX
Pkt
No
DROP
If no existing connection
TCP SYN or UDP packet, pass to ACL and other policy checks in Session Manager
TCP non-SYN packet, drop and log
ASA-6-106015: Deny TCP (no connection) from 10.1.1.9/11031 to 198.133.219.25/80 flags PSH ACK
interface inside
Introduction to ASA
Cisco Public
on
38
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Introduction to ASA
Cisco Public
39
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
Yes
Yes
Stateful
Inspection
No
DROP
No
DROP
NAT IP
Header
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Introduction to ASA
Cisco Public
40
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Introduction to ASA
Cisco Public
41
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Introduction to ASA
Cisco Public
42
Existing
Conn
Ingress
Interface
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
No
DROP
NAT IP
Header
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Packet is virtually forwarded to egress interface (not forwarded to the Ethernet NIC yet)
Egress interface is determined first by translation rules or existing conn entry, only then
the routing table
If NAT does not divert to the egress interface, the global routing table is consulted to
determine egress interface
Inside
DMZ
172.16.0.0/16
Outside
172.16.12.0/24
172.16.12.4
Introduction to ASA
Cisco Public
43
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Remember: NAT rule can forward the packet to the egress interface, even though the
routing table may point to a different interface
If the destination is not routable out of the identified egress interface, the packet is dropped
%ASA-6-110003: Routing failed to locate next hop for TCP from inside:192.168.103.220/59138
to dmz:172.15.124.76/23
Introduction to ASA
Cisco Public
44
Ingress
Interface
Existing
Conn
No
ACL
Permit
NAT
Untranslate
Yes
Yes
Stateful
Inspection
No
DROP
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Once a Layer 3 route has been found, and next hop IP address identified, Layer 2
resolution is performed
Layer 2 rewrite of MAC header
Introduction to ASA
Cisco Public
45
Ingress
Interface
Existing
Conn
No
ACL
Permit
NAT
Untranslate
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Introduction to ASA
Cisco Public
46
Introduction to ASA
interface GigabitEthernet0/0
nameif inside
bridge-group 1
interface GigabitEthernet0/1
nameif outside
bridge-group 1
Management IP is
very important!
interface BVI1
ip address 192.168.1.1 255.255.255.0
Cisco Public
48
192.168.1.0/24
192.168.1.1
192.168.1.100
192.168.1.1
192.168.1.3
192.168.1.100
Introduction to ASA
Cisco Public
49
Multiple-Context Mode
Multiple virtual firewalls operate concurrently on a single physical device
ASA
Introduction to ASA
Cisco Public
50
Introduction to ASA
Cisco Public
51
Introduction to ASA
Cisco Public
52
Troubleshooting Tools
53
Packet Capture
Inside Capture
Outside Capture
1: 10:51:26.139046
2: 10:51:26.139503
3: 10:51:27.140739
4: 10:51:27.141182
4 packets shown
asa# no capture IN
Introduction to ASA
802.1Q
802.1Q
802.1Q
802.1Q
vlan#10
vlan#10
vlan#10
vlan#10
P0
P0
P0
P0
icmp:
icmp:
icmp:
icmp:
echo
echo
echo
echo
request
reply
request
reply
Cisco Public
54
Packet Capture
Capture buffer maintained in RAM (512KB by default)
Stops capturing when full by default, circular option available
Introduction to ASA
Cisco Public
55
Packet Tracer
Unique capability to record the path of a specially tagged packet through ASA
Best way to understand the packet path in the specific software version
Introduction to ASA
Packet information as it
enters the ingress interface
Cisco Public
56
Associated
configuration
Introduction to ASA
Cisco Public
57
S
S
.
P
.
ack
ack
ack
Ack
Cisco Public
58
Problem Summary
After reloading the ASA, wireless mobility traffic (UDP and IP Protocol 93) from
inside WLC to DMZ WLC fails
Other traffic (TCP) recovers successfully
The problem is mitigated by running clear local-host on the ASA
1. Standalone ASA
is reloaded
10.0.0.0/8
10.10.1.2
inside
2. UDP/16666 and
IP/93 connections fail
outside
DMZ
10.10.9.0/28
10.10.9.3
Introduction to ASA
Cisco Public
60
Introduction to ASA
Cisco Public
61
asa# capture IN interface inside match udp host 10.10.1.2 host 10.10.9.3
asa# capture OUT interface dmz
match udp host 10.10.1.2 host 10.10.9.3
000c.29d7.82ab
0023.0424.ab30
000c.29d7.82ab
0023.0424.ab30
10.10.1.2.23124
10.10.1.2.23124
10.10.1.2.23124
10.10.1.2.23124
>
>
>
>
10.10.9.3.16666:
10.10.9.3.16666:
10.10.9.3.16666:
10.10.9.3.16666:
udp
udp
udp
udp
334
334
334
334
Cisco Public
62
U-Turn Connection
Traffic is looping back out the inside interface towards the sender
10.0.0.0/8
outside
inside
DMZ
10.10.1.2
10.10.9.0/28
10.10.9.3
asa# sh run | include same-security
same-security-traffic permit intra-interface
Introduction to ASA
Cisco Public
63
Cisco Public
64
Root Cause
When conn entry was created, route lookup for 10.10.9.3 resolved to inside
If DMZ interface was not up, the route to 10.10.9.0/28 was not present
1. Standalone ASA
is reloaded
10.0.0.0/8
inside
outside
DMZ
10.10.1.2
10.10.9.0/28
Introduction to ASA
Cisco Public
65
Introduction to ASA
Cisco Public
66
Q&A
Useful Links
Cisco Live BRKSEC-3021 : Maximizing Firewall Performance
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78719&tcla
ss=popup
Introduction to ASA
Cisco Public