DFWCUG IntrodIntroduction - To - ASAuction To ASA

Introduction to Cisco ASA
Andrew Ossipov
Technical Marketing Engineer
Cisco Security Business Group
Agenda
ASA Hardware and Software

Configuration Basics
Network Address Translation (NAT)
Access Control Lists (ACL)
Packet Flow
Troubleshooting Tools
Troubleshooting Case Study
Q&A
Useful Links
Introduction to ASA
2014 Cisco and/or its affiliates. All rights reserved.
Cisco Public
ASA Hardware and Software
ASA Functionality
Adaptive Security (more-than-an-)Appliance
Stateful architecture is about flows or connections, not packets
Most effective with TCP, UDP, and ICMP
TCP is the main reason for deploying a stateful firewall
A multitude of benefits beyond traditional security
High-speed NAT
Identity-based Access Control
High Availability and Scalability
Application Inspection
NGIPS with FirePOWER services
Introduction to ASA
Cisco Public
ASA Firewall Family

ASA 5585 SSP60
(20-40 Gbps,
350K conn/s)
ASA 5555-X
(2 Gbps,
50K conn/sec)
Multiservice
ASA 5585 SSP40

(12-20 Gbps,
240K conn/s)
ASA 5545-X
(1.5 Gbps,
30K conn/s)
ASA 5515-X
(750 Mbps,
15K conn/s)
ASA 5512-X
(500 Mbps,
10K conn/s)
ASA 5585 SSP20
ASA 5525-X
(1 Gbps,
20K conn/s)
(7-10 Gbps,
140K conn/s)
ASA 5585 SSP10

(3-4 Gbps,
65K conn/s)
ASA 5540
ASA 5505
(150 Mbps,
4K conn/s)
ASA 5520
(450 Mbps,
12K conn/s)
(650 Mbps,
25K conn/s)
ASA 5510
(300 Mbps,
9K conn/s)
ASA 5580-40
(10-20 Gbps,
Firewall and VPN

Teleworker
Introduction to ASA
Branch
Office
ASA 5550
(1.2 Gbps,
36K conn/s)
ASAv
(1-2Gbps,
10-20K conn/s)
Internet
Edge
ASA 5580-20
ASA SM
(16-20 Gbps,
300K conn/s)
150K conn/s)
(5-10 Gbps,
90K conn/s)
Data Center
Campus
Cisco Public
ASA5500-X Appliances
Hard Disk Drive
(CX/SFR only)
ASA5512-X
ASA5515-X
ASA5525-X
Integrated
Power Supply
USB 2.0 ports for

external flash memory
Copper 1GE interfaces

(6 or 8)
Redundant Hard Disk

Drives (CX/SFR only)
ASA5545-X
ASA5555-X
Dual independent
Power Supplies
1GE Copper or Fiber

interface expansion slot (6)
Introduction to ASA
ASA/IPS Management
interface
Cisco Public
ASA 5500-X Block Diagram

IPS/CX/SFR
RAM
IPS/CX/SFR CPU
Firewall RAM
Firewall CPU
Management0/0
1GE
System Bus
Bus 1
Bus 0
IPS
Accelerator**
Expansion Card
Crypto
Engine
Ethernet
External NICs
6x1Gbps* or
8x1Gbps**
6x1Gbps
External Interfaces
6x1GE
On-board Interfaces
6x1GE* or 8x1GE**
*ASA5512-X and ASA5515-X

** ASA5525-X and higher
Introduction to ASA
Cisco Public
ASA5585-X Chassis and SSP

Hard Disk Drives
(CX/SFR only)
Firewall expansion
interfaces (IPS/CX/SFR)
CX/IPS/SFR Management
1GE interfaces
Dual independent
Firewall SSPs or
Firewall + IPS or
Firewall + CX or
Firewall + SFR
Fiber 10GE
interfaces (2 or 4)
Copper 1GE
interfaces (6 or 8)
ASA Management
1GE interfaces
Reserved USB
ports
Dual independent
Power Supplies or
Power Supply + Fan
Introduction to ASA
Cisco Public
ASA5585-X Block Diagram

CPU Complex
SSP-10: 1 CPU, 4 cores
SSP-20: 1 CPU, 8 cores
SSP-40: 2 CPUs, 16 cores
SSP-60: 2 CPUs, 24 cores
RAM
MAC 2
SSP-40/60
MAC 1
2x10Gbps
Crypto
Complex
Management
2x1GE
System Bus
Ethernet
2x10Gbps
Internal Switch Fabric

4x10Gbps
On-board 10GE
interfaces*
10Gbps
On-board 1GE
interfaces
6x10Gbps
Expansion Slot
SSP
*2 on SSP-10/20 and 4 on SSP-40/60

Introduction to ASA
Cisco Public
ASA Software Builds

Version
asa# show version

[]
Cisco Adaptive Security Appliance Software Version 8.4(4)5
Introduction to ASA
Interim
Limited testing, so only provided for specific problems

Some are posted on cisco.com after more testing
Maintenance
Interim images are usually internal
x.y(z)a
Minor
Concentrate on bug fixes, avoid new features
Train
Major
New trains introduce new features

Maintenance images undergo the most testing
Version:
8.4(4)5
Train:
8.4
5th Interim of 8.4(4)
Cisco Public
10
New Software Release Model

Predictability and serviceability are the main drivers
Even minor releases retain the original feature set for life
9.0(x), 9.2(x), 9.4(x),

Feature Stability train
Maintenance releases only deliver bug fixes
Longer life cycle
Odd minor releases add features in maintenance images

9.1(x), 9.3(x), 9.5(x),
Feature Velocity train
Shorter life cycle to transform into the next even minor release
Introduction to ASA
Cisco Public
11
Configuration Basics
Interfaces
Physical interfaces are externally visible Ethernet ports
Virtual interfaces may share or bundle physical interfaces
IEEE 802.1Q VLAN trunks
interface GigabitEthernet0/1.10
vlan 10
Less overhead with a Redundant interface, but more capacity with Etherchannel
interface Redundant 1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
interface GigabitEthernet0/0
channel-group 1 mode active
channel-group 1 mode active
interface Port-Channel 1
Introduction to ASA
Cisco Public
13
Logical Interfaces
All policies and operations use logical (named) interfaces
interface GigabitEthernet0/0.10
vlan 10
nameif outside
security-level 0
ip address 172.16.164.120 255.255.255.224 standby 172.16.164.121
Security levels define inter-interface traffic policies
Most trusted security level is 100 (inside), least trusted is 0 (outside)

The only thing that matters is relativity
Traffic from higher- to lower-security interface is allowed by default
Traffic from lower- to higher-security interface requires an explicit policy
same-security-traffic permit inter-interface
Introduction to ASA
Cisco Public
14
Connection and Xlate Tables

Conn(ection) table stores the state of every single active flow
asa# show conn
1 in use, 48 most used
TCP outside 172.16.164.216:5620 inside
192.168.1.150:50141, idle 0:00:00, bytes 0, flags saA
Every incoming packet is checked against the table

Biggest memory consumer (maximum count is limited by platform)
Xlate table stores active NAT mappings

asa(config)# show xlate
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside:192.168.1.150 to outside:172.16.164.116
flags sT idle 0:00:01 timeout 0:00:00
Independent of the conn table

Maximum size is only limited by available memory
Introduction to ASA
Cisco Public
15
Packet Processing
Interface Controller moves packets from Ethernet to memory
Data Path CPU process checks all inbound packets sequentially
Multiple parallel threads on all modern platforms
Stateful checks are applied to every single packet
Fastpath, Slowpath, Control Plane
New connection requests are directed to Slowpath

Access Control List check, NAT xlate creation, conn creation, logging
Existing connections are processed in Fastpath

Bypass ACL check, find egress interface, apply NAT, transmit packet
Control Plane performs Application Inspection and management
Introduction to ASA
Cisco Public
16
Security Policy Basics

NAT policies define address translation
Independent source and destination NAT policy for every connection
Should not be used to control access
ACLs permit or deny new connections

NAT and ACLs are based on IP addresses and TCP/UDP ports
Logical abstraction is needed for better usability
Introduction to ASA
Cisco Public
17
Unified Objects
Useful to refer to IP addresses, subnets, or ranges by name
object network INSIDE_NETWORK
subnet 192.168.0.0 255.255.0.0
object network PAYROLL
range 2001:DB8::10 2001:DB8::15
Can be used with TCP, UDP, and ICMP as well

object service MSSQL_ADMIN
service tcp destination eq 1434
object service ICMP_ADMIN_PROHIBITED
service icmp unreachable 9
Match only the

destination TCP port
object service RTP_PORTS

service udp source range 16384 32767 destination range 16384 32767
Both source and destination

UDP ports must match
Introduction to ASA
Cisco Public
18
Object Groups
Tie multiple similar objects into a single policy entity
Network addresses, transport protocols, identity attributes
Significantly simplify policy management
Unified Object
object-group network INSIDE_NETWORKS
network-object object ACCOUNTING
network-object 2001:DB8::/64
network-object 192.168.2.0 255.255.255.0
group-object BRANCH_NETWORKS
IPv4 and IPv6

addresses
Nested Object
Group
object-group network BRANCH_NETWORKS

network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
Introduction to ASA
Cisco Public
19
Network Address Translation (NAT)
NAT Power of ASA

Configured network IP is real, translated is mapped
Predictable bidirectional one-to-one IP translation with Static NAT
Static PAT at TCP/UDP/ICMP level with limited IP space
Outbound connectivity with many-to-few Dynamic NAT

One-to-one Dynamic NAT at IP level to preserve full range of ports
Dynamic PAT at TCP/UDP/ICMP level to maximize pool efficiency
Introduction to ASA
Cisco Public
21
Legacy NAT Challenges

Complicated order of operation for many varieties of NAT
Identity, Exemption, Static, Dynamic, Policy, and so on
Poor scalability of Policy NAT and performance impact on changes

Inability to apply source and destination translation simultaneously
Possible through separate policies, but had to be creative
ASA 8.3 introduced new NAT paradigm

Just two varieties: Network Object and Twice NAT
Way more powerful, but may seem complicated at first
Introduction to ASA
Cisco Public
22
Network Object NAT

Simplest form of defining translation policy for Unified Objects
Only one translation rule per object
Applies to all traffic to or from the object, use interfaces names to limit scope
object network MAIL_SERVER
host 2001:DB8::10
nat (inside_v6,outside) static MAIL_SERVER_MAPPED
Network entity to
translate (real)
object network HTTP_SERVER

host 192.168.1.200
nat (inside,any) static HTTP_SERVER_MAPPED
subnet 192.168.0.0 255.255.0.0
nat static INSIDE_NETWORK_MAPPED
Translation applies to specific

(real,mapped) interfaces
Translation may apply to any

real or mapped interface
Translation applies to all traffic

with no interfaces specified
Introduction to ASA
Cisco Public
23
Dynamic NAT and PAT

Dynamic NAT maps hosts to a pool of IP addresses (one-to-one)
Temporal by nature and unpredictable mapping, so not for inbound connections
Once the mapped pool is exhausted, new translations fail (first come, first serve)
object network NAT_POOL
range 198.51.100.100 198.51.100.199
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) dynamic NAT_POOL
Mapped pool can be a Unified

Object or Object Group
Dynamic PAT can map multiple real hosts to one IP address

Interface PAT can be used to back up a dynamic NAT pool
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) dynamic NAT_POOL interface
Introduction to ASA
When NAT pool is exhausted, apply

PAT using egress interface IP
Cisco Public
24
Dynamic PAT Pools

Multiple addresses in the mapped Object imply NAT, not PAT
object network PAT_ADDRESS
host 198.51.100.90
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) dynamic PAT_ADDRESS
Single address is required for PAT

in this configuration
(or specify the mapped IP in-line)
Old way to define a PAT pool is an Object Group with multiple single IP objects
ASA 8.4(3) introduces an easier way to define PAT pools

By default, exhaust ports for each mapped address before moving to next one
With Round Robin, use next pool address to pick a port for each new real host
object network PAT_POOL
range 198.51.100.200 198.51.100.240
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) dynamic pat-pool PAT_POOL round-robin
Introduction to ASA
Use pat-pool keyword to

differentiate NAT and PAT pools
Move to next pool IP for each
connection from a new host
Cisco Public
25
Static NAT and PAT

Always on one-to-one bidirectional IP mapping with Static NAT
Sizes of real and mapped objects must match
object network STATIC_MAPPING
range 198.51.100.50 198.51.100.60
object network INSIDE_SERVERS
range 192.168.1.35 192.168.1.45
nat (inside,outside) static STATIC_MAPPING
192.168.1.35198.51.100.50
192.168.1.36198.51.100.51
192.168.1.45198.51.100.60
Static PAT hairpins a certain port with limited mapped IP space

Also useful for changing default service ports for inbound connections
object network INSIDE_SMTP_SERVER
host 192.168.1.56
nat (inside,outside) static 198.51.100.75 service tcp 25 25
object network INSIDE_WEB_SERVER
host 192.168.1.55
nat (inside,outside) static 198.51.100.75 service tcp 80 8080
Introduction to ASA
192.168.1.56/25198.51.100.75/25
192.168.1.55/80198.51.100.75/8080
Cisco Public
26
DNS Doctoring
ASA can rewrite IP in transit DNS responses per NAT rules
Modifies A (IPv4) or AAAA (IPv6) record when crossing mapped interface
Should only be used with Static NAT
192.168.1.57
object network HTTP_SERVER

host 192.168.1.57
nat (inside,outside) static 198.51.100.170 dns
DNS
4. Access
192.168.1.57
3. Rewrite 198.51.100.170
192.168.1.57
2. www.abcd.com is
198.51.100.170
1. Who is
www.abcd.com ?
Introduction to ASA
Cisco Public
27
Twice NAT
Match and translate packets on source and destination together
Similar to Network Object NAT, but cannot use in-line IP or DNS Doctoring
A dynamic translation can only pair with a static one
object network A
host 192.168.1.102
object network B
host 198.51.100.150
object network A_MAP
host 203.0.113.102
object network B_MAP
host 192.168.1.200
Real host IP addresses on inside

(192.168.1.102) and outside (198.51.100.150)
How inside host would map to outside
(192.168.1.102203.0.113.102)
How outside host would map to inside
(198.51.100.150192.168.1.200)
object service PORTS

service tcp source eq 10001 destination eq 10002
object service PORTS_MAP
service tcp source eq 20001 destination eq 20002
Translate port TCP/10001 on inside host to

TCP/20001 when going outside
Remap port TCP/10002 on outside host to
TCP/20002 when coming from inside
nat (inside,outside) source static A A_MAP destination static B_MAP B service PORTS PORTS_MAP
Translation applies to these

(source,destination) interfaces
Introduction to ASA
Translate inside IP and port and outside IP and port

together only when a connection fully matches
Cisco Public
28
NAT Order of Operation In ASA 8.3+

The ASA configuration is compiled into the NAT table
Twice NAT rules always match and translate both source and destination
Network object NAT translates destination first, then source (separate rules)
The show nat command will display the NAT table in order
NAT Table
Static NAT
Longest Prefix
Shortest Prefix
Dynamic NAT
Twice NAT Policies

(Section 1)
First Match
(in config)
Network Object NAT Policies

(Section 2)
Longest Prefix
Shortest Prefix
Introduction to ASA
Twice NAT [after auto] Policies

(Section 3)
First Match
(in config)
Cisco Public
29
Access Control Lists (ACLs)
ACL Basics
Extended ACLs must be used for most features
New connection establishment, traffic classification, and so on
Standard ACLs can be used by some features (Route Maps, Capture)
All ACL checks apply to new connections only

Real IP addresses should be used in ASA 8.3 and later
Per-interface ACLs apply at ingress or egress or both first
Global ACL applies ingress to all interfaces after per-interface ACL
Introduction to ASA
Cisco Public
31
Unified ACLs
Legacy software used separate IPv4 and IPv6 interface ACLs
Any depends on
the ACL type
access-list INSIDE_IPV4 extended permit ip host 10.1.1.1 any

ipv6 access-list INSIDE_IPV6 permit ip host 2001:DB8:1 any
access-group INSIDE_IPV4 in interface inside
access-group INSIDE_IPV6 in interface inside
Any IPv4
ASA 9.0 uses a single ACL for all IPv4 and IPv6
access-list
access-list
access-list
access-list
IN
IN
IN
IN
extended
extended
extended
extended
permit
permit
permit
permit
ip
ip
ip
ip
host 10.1.1.1 any4

host 2001::1 any6
host 10.1.1.1 host 2001:DB8::10
any any
Configuration migration from earlier releases
Mixed IPv4 and

IPv6 (Need NAT)
Any IPv4 or IPv6
Dual interface ACLs are merged

Contextual any conversion applies to ACLs only
Introduction to ASA
Any IPv6
Cisco Public
32
ACE Explosion with Object Groups

All configured ACLs are expanded before programming
access-list IN permit tcp object-group INSIDE object-group DMZ_SERVERS object-group TCP_SERVICES
10 source IP
addresses
21 destination IP
addresses
33 TCP ports
6930 rules
Nested Object Groups magnify the impact

Add a new source Object Group with 25 additional objects
Result: (10+25) x 21 x 33 = 24,255 rules (ACEs)
ACL Optimization prevents the Object Group expansion

Significant reduction in memory utilization, not so much on CPU
asa(config)# object-group-search access-control
Cisco Security Manager (CSM) offers many ACL optimization tools
Introduction to ASA
Cisco Public
33
Identity Based Access Control

Outbound access is difficult to control with IP-based ACLs
Inside users move around and IP addresses change all the time
ASA 8.4(2)+ can learn IPuser mapping from Active Directory

ASA resolves user- and group-based ACL entries to IP addresses
External AD Agent or Context Directory Agent to interface between ASA and AD
Pushes LOCAL domain mappings for VPN and Cut-Through Proxy users
Policy enforcement with Security Group Tags (SGTs) in ASA 9.0+
Devices map IPSGT with Security tag eXchange Protocol (SXP)

Unique 16-bit value assigned to a certain role (SG Name)
Authenticated and mapped at edge switch, enforced on ASA in transit
Abstraction from IP address or specific identity schemes
Introduction to ASA
Cisco Public
34
Packet Flow
Understanding Packet Flow

To effectively troubleshoot a connectivity problem, one must first understand
the packet path through the network
Attempt to isolate the problem down to a single device
Then perform a systematic walk of the packet path through the device to
determine where the problem could be
For problems relating to the Cisco ASA, always
Determine the flow: Protocol, Source IP, Destination IP, Source Port, Destination Port
Determine the logical (named) interfaces through which the flow passes
TCP outside
172.16.164.216:5620 inside
192.168.1.150:50141, idle 0:00:00, bytes 0, flags saA
All firewall connectivity issues can be simplified to two

interfaces (ingress and egress) and the policies tied to both
Introduction to ASA
Cisco Public
36
Packet Processing: Ingress Interface

IPS/CX/SFR
Yes
RX
Pkt
Ingress
Interface
Existing
Conn
No
ACL
Permit
NAT
Untranslate
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
Egress
Interface
No
DROP
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Packet arrives on ingress interface

Input counters incremented by NIC and periodically retrieved by CPU
Software input queue (RX ring) is an indicator of packet load
Overrun counter indicates packet drops (usually packet bursts)
asa# show interface outside
Interface GigabitEthernet0/3 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0026.0b31.36d5, MTU 1500
IP address 148.167.254.24, subnet mask 255.255.255.128
54365986 packets input, 19026041545 bytes, 0 no buffer
Received 158602 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
[]
input queue (blocks free curr/low): hardware (255/230)
output queue (blocks free curr/low): hardware (254/65)
Introduction to ASA
Cisco Public
37
Packet Processing: Locate Connection

IPS/CX/SFR
Yes
RX
Pkt
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
No
DROP
NAT IP
Header
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
Yes
L2
Addr
TX
Pkt
No
DROP
Check first for existing connection in conn table

If conn entry exists, bypass ACL check and process in Fastpath
asa# show conn
TCP out 198.133.219.25:80 in 10.1.1.9:11030 idle 0:00:04 Bytes 1293 flags UIO
If no existing connection
TCP SYN or UDP packet, pass to ACL and other policy checks in Session Manager
TCP non-SYN packet, drop and log
ASA-6-106015: Deny TCP (no connection) from 10.1.1.9/11031 to 198.133.219.25/80 flags PSH ACK
interface inside
Introduction to ASA
Cisco Public
on
38
Packet Processing: NAT Un-Translate

IPS/CX/SFR
Yes
RX
Pkt
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Incoming packet is checked against NAT rules

Packet is un-translated first, before ACL check
In ASA 8.2 and below, incoming packet was subjected to ACL check prior to untranslation
NAT rules can determine the egress interface at this stage
Introduction to ASA
Cisco Public
39
Packet Processing: ACL Check

IPS/CX/SFR
Yes
RX
Pkt
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
Yes
Yes
Stateful
Inspection
No
DROP
No
DROP
NAT IP
Header
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
First packet in flow is processed through ACL checks

ACLs are first configured match
First packet in flow matches ACE, incrementing hit count by one
asa# show access-list inside
access-list inside line 10 permit ip 10.1.1.0 255.255.255.0 any (hitcnt=1)
Denied packets are dropped and logged

ASA-4-106023: Deny tcp src inside:10.1.1.9/11034 dst outside:198.133.219.25/80 by access-group "inside"
Introduction to ASA
Cisco Public
40
Packet Processing: Stateful Inspection

IPS/CX/SFR
Yes
RX
Pkt
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Stateful inspection ensures protocol compliance at TCP/UDP/ICMP level

(Optional) Customizable application inspection up to Layer 7 (FTP, SIP, and so on)
Rewrite embedded IP addresses, open up ACL pinholes for secondary connections
Additional security checks are applied to the application payload
ASA-4-406002: FTP port command different address: 10.2.252.21(192.168.1.21) to
209.165.202.130 on interface inside
ASA-4-405104: H225 message received from outside_address/outside_port to
inside_address/inside_port before SETUP
Introduction to ASA
Cisco Public
41
Packet Processing: NAT IP Header

IPS/CX/SFR
Yes
RX
Pkt
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Translate the source and destination IP addresses in the IP header

Translate the port if performing PAT
Update header checksums
(Optional) Following the above, pass packet to IPS or SFR module
Real (pre-NAT) IP address information is supplied as meta data
Introduction to ASA
Cisco Public
42
Packet Processing: Egress Interface

IPS/CX/SFR
Yes
RX
Pkt
Existing
Conn
Ingress
Interface
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
No
DROP
NAT IP
Header
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Packet is virtually forwarded to egress interface (not forwarded to the Ethernet NIC yet)
Egress interface is determined first by translation rules or existing conn entry, only then
the routing table
If NAT does not divert to the egress interface, the global routing table is consulted to
determine egress interface
Inside
DMZ
172.16.0.0/16
Outside
172.16.12.0/24
172.16.12.4
Introduction to ASA
Packets received on outside and destined to

192.168.12.4 get routed to 172.16.12.4 on
inside based on NAT configuration.
nat (inside,outside) source static 172.16.0.0-net 192.168.0.0-net

nat (dmz,outside) source static 172.16.12.0-net 192.168.12.0-net
Cisco Public
43
Packet Processing: L3 Route Lookup

IPS/CX/SFR
Yes
RX
Pkt
Ingress
Interface
Existing
Conn
No
NAT
Untranslate
ACL
Permit
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Once at egress interface, an interface route lookup is performed

Only routes pointing out the egress interface are eligible
Remember: NAT rule can forward the packet to the egress interface, even though the
routing table may point to a different interface
If the destination is not routable out of the identified egress interface, the packet is dropped
%ASA-6-110003: Routing failed to locate next hop for TCP from inside:192.168.103.220/59138
to dmz:172.15.124.76/23
Introduction to ASA
Cisco Public
44
Packet Processing: L2 Address Lookup

IPS/CX/SFR
Yes
RX
Pkt
Ingress
Interface
Existing
Conn
No
ACL
Permit
NAT
Untranslate
Yes
Yes
Stateful
Inspection
No
DROP
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Once a Layer 3 route has been found, and next hop IP address identified, Layer 2
resolution is performed
Layer 2 rewrite of MAC header
If Layer 2 resolution fails no syslog

show arp will not display an entry for the L3 next hop
debug arp will indicate if we are not receiving an ARP reply
arp-req: generating request for 10.1.2.33 at interface outside
arp-req: request for 10.1.2.33 still pending
Introduction to ASA
Cisco Public
45
Packet Processing: Transmit Packet

IPS/CX/SFR
Yes
RX
Pkt
Ingress
Interface
Existing
Conn
No
ACL
Permit
NAT
Untranslate
No
DROP
Yes
Yes
Stateful
Inspection
NAT IP
Header
No
DROP
Egress
Interface
L3
Route
No
No
DROP
DROP
Yes
L2
Addr
Yes
TX
Pkt
No
DROP
Packet is transmitted on wire

Interface counters will increment on interface
Underrun counter indicates drops due to egress interface oversubscription

TX ring is full
asa# show interface outside
Interface GigabitEthernet0/1 "outside", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
MAC address 503d.e59d.90ab, MTU 1500
IP address 172.18.124.149, subnet mask 255.255.255.0
273399 packets output, 115316725 bytes, 80 underruns
input queue (blocks free curr/low): hardware (485/441)

output queue (blocks free curr/low): hardware (463/0)
Introduction to ASA
Cisco Public
46
Firewall Deployment Modes
Routed and Transparent Firewall

Transparent Mode transforms ASA into a bump in the wire
Easy to drop into an existing network and pass non-IP traffic

Pass-through dynamic and multicast routing, no VPN support
Trunk interfaces are supported for VLAN bridging
Multiple Bridge Groups with up to 4 (sub)interfaces each in ASA 8.4(1)+
External router is required for inter-Bridge Group communication
Policies still apply to

named interfaces
Introduction to ASA
nameif inside
bridge-group 1
nameif outside
bridge-group 1
All traffic is bridged

within Bridge Group
Management IP is
very important!
interface BVI1
ip address 192.168.1.1 255.255.255.0
Cisco Public
48
Deploying Transparent Firewall

All bridged segments and the BVI must be in the same IP subnet
arp permit-nonconnected is required with secondary subnets in ASA 8.4(3)+
ASA typically separates hosts and their default gateway or routers

ASA needs routes to remote subnets for management, application inspection, NAT
Any external routes must be pointed through the ASA, never to the BVI IP
192.168.1.2
192.168.1.0/24
192.168.1.1
192.168.1.100
192.168.1.1
192.168.1.3
192.168.1.100
Introduction to ASA
Cisco Public
49
Multiple-Context Mode
Multiple virtual firewalls operate concurrently on a single physical device
Each such firewall is called a security context, up to 250 contexts total

Independent interface sets, policies, routing tables, management, and so on
Inter-context routing via shared interfaces with virtual MAC addresses on ASA
Commonly deployed in VRF environments at intersection points
Mix routed and transparent contexts
Internet
All contexts share limited hardware resources

Some resources can be limited on per-context basis
No VPN support except LAN-to-LAN tunnels in ASA 9.0
ASA
PCI Vendor Corp
Introduction to ASA
Cisco Public
50
High Availability with Failover

A pair of identical ASA devices can be configured in Failover
Licensed features are aggregated except 3DES in ASA 8.3+

Data interface connections must be mirrored between the units with L2 adjacency
Primary and Secondary designations are statically assigned
Unit in Active role is processing all transit traffic, Standby takes over when needed
Virtual IP and MAC addresses on data interfaces move with the active unit
Centralized management from the active unit or context
Optional Stateful failover mirrors stateful conn table between peers

Most connections survive a switchover seamlessly to the endpoints
Short-lived ICMP and HTTP connections are not replicated by default
Introduction to ASA
Cisco Public
51
High Scalability with Clustering

Preserves all benefits of failover
Combine identical ASA appliances in one traffic processing system
Up to 16 ASA 5585-X in ASA 9.2(1)+ for 640Gbps UDP and 320Gbps EMIX
Up to 2 ASA5500-X (ASA5512-X requires Security Plus) in ASA 9.1(4)+
Centralized configuration mirrored to all members
Stateless load-balancing via IP routing or Clustered Etherchannel with LACP

Cluster survives a single unit failure with minimal impact (much like failover)
All units should be connected to the same subnet on each logical interface
Introduction to ASA
Cisco Public
52
Troubleshooting Tools
53
Packet Capture
Inside Capture
Outside Capture
In-line capability to record packets passing through ASA

Inside
Outside
Two key steps in troubleshooting with captures
Capture IN
Capture OUT
Apply capture under unique name to ingress and egress interfaces
Define the traffic that you want to capture, use pre-NAT on the wire information
Tcpdump-like format for displaying captured packets on the box
Unlike ACL, match covers
both directions of the flow
asa# capture OUT interface outside match ip any host 172.18.124.1

asa# capture IN interface inside match ip any host 172.18.124.1
asa# show capture IN
4 packets captured
1: 10:51:26.139046
2: 10:51:26.139503
3: 10:51:27.140739
4: 10:51:27.141182
4 packets shown
asa# no capture IN
Introduction to ASA
802.1Q
802.1Q
802.1Q
802.1Q
vlan#10
vlan#10
vlan#10
vlan#10
P0
P0
P0
P0
172.18.254.46 > 172.18.124.1:

172.18.124.1 > 172.18.254.46:
172.18.254.46 > 172.18.124.1:
172.18.124.1 > 172.18.254.46:
icmp:
icmp:
icmp:
icmp:
echo
echo
echo
echo
request
reply
request
reply
Remember to remove the captures

when done with troubleshooting
Cisco Public
54
Packet Capture
Capture buffer maintained in RAM (512KB by default)
Stops capturing when full by default, circular option available
Default recorded packet length is 1518 bytes

Copy captures off via TFTP or retrieve through HTTPS with your web browser
Do this before removing the capture with no capture
https://x.x.x.x/admin/capture/OUT/pcap/outsidecapture.pcap
Configured capture name
Save capture file under this name
Download binary PCAP to

open in your favorite packet
analyzer (such as Wireshark)
Introduction to ASA
Cisco Public
55
Packet Tracer
Unique capability to record the path of a specially tagged packet through ASA
Best way to understand the packet path in the specific software version
Inject a simulated packet to analyse the behaviour and validate configuration

Feature order
and name
asa# packet-tracer input inside tcp 192.168.1.101 23121 172.16.171.125 23 detailed

Phase: 1
Type: CAPTURE
Ingress interface
Subtype:
Result: ALLOW
Config:
Additional Information:
[]
Introduction to ASA
Packet information as it
enters the ingress interface
Include detailed internal flow and

policy structure information
Cisco Public
56
Packet Tracer in ASDM

Launch from Tools >
Packet Tracer
Define simulated packet
Feature type and

resulting action
Direct link to edit policy
Associated
configuration
Final outcome (allowed or

dropped) and egress
interface information
Introduction to ASA
Cisco Public
57
Packet Tracer: Tracing Captured Packet

Enable packet tracer within an internal packet capture
asa# capture IN interface inside trace trace-count 20 match tcp any any eq
Trace inbound
packets only
Traced packet count per

capture (50 by default)
Find the packet that you want to trace in the capture

asa#
68
1:
2:
3:
4:
5:
show capture inside

packets captured
15:22:47.581116 10.1.1.2.31746 > 198.133.219.25.80:
15:22:47.583465 198.133.219.25.80 > 10.1.1.2.31746:
15:22:47.585052 10.1.1.2.31746 > 198.133.219.25.80:
15:22:49.223728 10.1.1.2.31746 > 198.133.219.25.80:
15:22:49.223758 198.133.219.25.80 > 10.1.1.2.31746:
...
S
S
.
P
.
ack
ack
ack
Ack
Select that packet to show the tracer results

asa# show capture inside trace packet-number 4
Introduction to ASA
Cisco Public
58
Troubleshooting Case Study

59
Problem Summary
After reloading the ASA, wireless mobility traffic (UDP and IP Protocol 93) from
inside WLC to DMZ WLC fails
Other traffic (TCP) recovers successfully
The problem is mitigated by running clear local-host on the ASA
1. Standalone ASA
is reloaded
10.0.0.0/8
10.10.1.2
inside
2. UDP/16666 and
IP/93 connections fail
outside
DMZ
10.10.9.0/28
10.10.9.3
Introduction to ASA
Cisco Public
60
Checking Connection Table and Drops

Connections are built and passing traffic through the ASA
asa# show conn address 10.10.1.2
97 inside 10.10.9.3 inside 10.10.1.2, idle 0:00:00, bytes 32210
UDP inside 10.10.9.3:16666 inside 10.10.1.2:23124, idle 0:00:00, bytes 4338, flags 97 inside 10.10.9.3 inside 10.10.1.2, idle 0:00:00, bytes 157240
No packets dropped in ASP and no syslogs of interest

asa# capture asp type asp-drop all buffer 1000000
asa# show capture asp | include 10.10.1.2
asa#
asa# show log | include 10.10.1.2
Introduction to ASA
Cisco Public
61
Reviewing Packet Captures

Configure separate captures on
ingress and egress interfaces
Match the interesting flow

bi-directionally
asa# capture IN interface inside match udp host 10.10.1.2 host 10.10.9.3
asa# capture OUT interface dmz
match udp host 10.10.1.2 host 10.10.9.3
asa# show capture DMZ

0 packet captured
0 packet shown
Egress interface capture

shows no matching packets
Use detail option to display MAC
address information for each frame
asa# show capture IN detail

1: 19:35:01.371318 0023.0424.ab30
2: 19:35:01.374766 000c.29d7.82ab
3: 19:35:02.371128 0023.0424.ab30
4: 19:35:02.374536 000c.29d7.82ab
000c.29d7.82ab
0023.0424.ab30
000c.29d7.82ab
0023.0424.ab30
10.10.1.2.23124
10.10.1.2.23124
10.10.1.2.23124
10.10.1.2.23124
>
>
>
>
10.10.9.3.16666:
10.10.9.3.16666:
10.10.9.3.16666:
10.10.9.3.16666:
udp
udp
udp
udp
334
334
334
334
Incoming packet from 10.10.1.2 is sent

back out of the inside interface
Introduction to ASA
Cisco Public
62
U-Turn Connection
Traffic is looping back out the inside interface towards the sender
10.0.0.0/8
outside
inside
DMZ
10.10.1.2
10.10.9.0/28
10.10.9.3
asa# sh run | include same-security
same-security-traffic permit intra-interface
Introduction to ASA
Allow connections to establish between two

endpoints behind the same ASA interface (U-turn)
Cisco Public
63
Checking Packet Tracer

Packet Tracer shows that a new UDP flow will be correctly passed to DMZ
asa# packet-tracer input inside udp 10.10.1.2 23124 10.10.9.3 16666
[]
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
Correct routing
in
10.10.0.0
255.255.0.0
dmz
prefix selected
[]
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
Flow is allowed
Introduction to ASA
Cisco Public
64
Root Cause
When conn entry was created, route lookup for 10.10.9.3 resolved to inside
If DMZ interface was not up, the route to 10.10.9.0/28 was not present
1. Standalone ASA
is reloaded
10.0.0.0/8
inside
outside
DMZ
10.10.1.2
10.10.9.0/28
2. DMZ interface bring-up is delayed

due to Etherchannel negotiation,
directly connected route is missing
3. Connection to 10.10.9.3 is established

back out of the inside interface using
supernet route 10.0.0.0/8
10.10.9.3
Introduction to ASA
Cisco Public
65
Floating Connection Timeout

The bad connection never times out since the UDP traffic is constantly flowing
TCP is stateless, so the connection would terminate and re-establish on its own
ASA needs to tear the original connection down when the corresponding route changes
ASA 8.4(2)+ introduces timeout floating-conn to accomplish this goal
asa# show run timeout
timeout xlate 9:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 9:00:00 absolute uauth 0:01:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
Schedule the conn entry for termination
asa#
in 1 minute if a matching packet yields a
asa# configure terminal
different egress interface on route lookup
asa(config)# timeout floating-conn 0:01:00
Introduction to ASA
Cisco Public
66
Q&A
Useful Links
Cisco Live BRKSEC-3021 : Maximizing Firewall Performance
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=78719&tcla
ss=popup
Cisco Live BRKSEC-3020 : Troubleshooting ASA Firewalls

ss=popup
Cisco Live BRKSEC-3032 : ASA Clustering Deep Dive

ss=popup
Introduction to ASA
Cisco Public

DFWCUG IntrodIntroduction - To - ASAuction To ASA

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

DFWCUG IntrodIntroduction - To - ASAuction To ASA

Transféré par

Droits d'auteur :

Formats disponibles

Introduction to Cisco ASA

ASA Hardware and Software

2014 Cisco and/or its affiliates. All rights reserved.

ASA Hardware and Software

A multitude of benefits beyond traditional security

2014 Cisco and/or its affiliates. All rights reserved.

ASA Firewall Family

ASA 5585 SSP40

ASA 5585 SSP20

ASA 5585 SSP10

Firewall and VPN

USB 2.0 ports for

Copper 1GE interfaces

Redundant Hard Disk

1GE Copper or Fiber

2014 Cisco and/or its affiliates. All rights reserved.

ASA 5500-X Block Diagram

*ASA5512-X and ASA5515-X

2014 Cisco and/or its affiliates. All rights reserved.

ASA5585-X Chassis and SSP

2014 Cisco and/or its affiliates. All rights reserved.

ASA5585-X Block Diagram

Internal Switch Fabric

*2 on SSP-10/20 and 4 on SSP-40/60

2014 Cisco and/or its affiliates. All rights reserved.

ASA Software Builds

asa# show version

2014 Cisco and/or its affiliates. All rights reserved.

Limited testing, so only provided for specific problems

Interim images are usually internal

Concentrate on bug fixes, avoid new features

New trains introduce new features

New Software Release Model

9.0(x), 9.2(x), 9.4(x),

Odd minor releases add features in maintenance images

2014 Cisco and/or its affiliates. All rights reserved.

2014 Cisco and/or its affiliates. All rights reserved.

Security levels define inter-interface traffic policies

Most trusted security level is 100 (inside), least trusted is 0 (outside)

2014 Cisco and/or its affiliates. All rights reserved.

Connection and Xlate Tables

192.168.1.150:50141, idle 0:00:00, bytes 0, flags saA

Every incoming packet is checked against the table

Xlate table stores active NAT mappings

Independent of the conn table

2014 Cisco and/or its affiliates. All rights reserved.

New connection requests are directed to Slowpath

Existing connections are processed in Fastpath

Control Plane performs Application Inspection and management

2014 Cisco and/or its affiliates. All rights reserved.

Security Policy Basics

ACLs permit or deny new connections

2014 Cisco and/or its affiliates. All rights reserved.

Can be used with TCP, UDP, and ICMP as well

Match only the

object service RTP_PORTS

Both source and destination

2014 Cisco and/or its affiliates. All rights reserved.

IPv4 and IPv6

object-group network BRANCH_NETWORKS

2014 Cisco and/or its affiliates. All rights reserved.

Network Address Translation (NAT)

NAT Power of ASA