Firewall Core for CCIE

Candidates
By Rafael Leiva-Ochoa
BRKCCIE-3203

2013 Cisco Systems, Inc.

Introduction
Rafael Leiva-Ochoa
@Cisco since Oct 2000
Works in the TS Training Group (Part of Learning@Cisco)
Delivers courses on Security to Global TAC Centers
CCIE 19322 Security since 2007

2013 Cisco Systems, Inc.

 Participate in session polling and Q&A
Step 1: Download the Mobile App Step 2: Access the session
Get all the information you need at your Log into the app using your Cisco Live login
fingertips! & find your session

http://bit.ly/clus2015
 CCIE Security Program
Overview

2013 Cisco Systems, Inc.

 Firewall Topics Covered in CCIE Security
CCIE Security Topics
Configure EtherChannel Cisco ASA firewalls
High availability and redundancy
Basic firewall Initialization
Layer 2 transparent firewall
Device management
Security contexts (virtual firewall)
Cisco Modular Policy Framework Address translation
Identity firewall services ACLs
Configure Cisco ASA with ASDM
IP routing and route tracking
Context-aware services
Object groups
IPS capabilities
QoS capabilities VLANs

2013 Cisco Systems, Inc.

Cisco Gear Used on CCIE Security
Cisco 3800 Series Integrated Services Routers (ISR)

Cisco 1800 Series Integrated Services Routers (ISR)

Cisco 2900 Series Integrated Services Routers (ISR G2)

Cisco Catalyst 3560-24TS Series Switches

Cisco Catalyst 3750-X Series Switches

Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances

Cisco IPS Series 4200 Intrusion Prevention System sensors

Cisco S-series Web Security Appliance

Cisco ISE 3300 Series Identity Services Engine

Cisco WLC 2500 Series Wireless LAN Controller

Cisco Aironet 1200 Series Wireless Access Point

Cisco IP Phone 7900 Series*

Cisco Secure Access Control System

*Device Authentication only, provisioning of IP phones is NOT required.

Cisco Code Used on CCIE Security
Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T

Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software

Release 12.2SE/15.0(x)SE

Cisco ASA 5500 Series Adaptive Security Appliances OS Software

Versions 8.2x, 8.4x, 8.6x

Cisco IPS Software Release 7.x

Cisco VPN Client Software for Windows, Release 5.x

Cisco Secure ACS System software version 5.3x

Cisco WLC 2500 Series software 7.2x

Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)

Cisco WSA S-series software version 7.1x

Cisco ISE 3300 series software version 1.1x

Cisco NAC Posture Agent v4.X

Cisco AnyConnect Client v3.0X

Cisco ASA GUI tools may or may not be available, therefore candidates are
expected to configure Cisco ASA appliances using CLI.
ASA Code Versions Covered in CCIE Security

Cisco ASA 5500, and 5500-X Series Adaptive Security

Appliances OS Software Versions 8.2x, 8.4x, 8.6x

2013 Cisco Systems, Inc.

 Agenda

Introduction
ASA 5500 and 5500-X Platform
Stateful Features
NAT
MPF
Failover
Conclusion

2013 Cisco Systems, Inc.

CCIE Security Practice
Labs
 209.165.300.0/24
Internet
.57 .2
.2
209.165.200.0/24
.1

.1
10.0.1.0/24

.2 .3
11.0.0.0/24
Primary/Active Secondary/Standby

.2 .3
Guests .4
DHCP

10.0.2.0/24
.1

10.0.4.0/24 .1 .1
10.0.3.0/24
.2
.3 DHCP
.2
HTTP DHCP
HTTPS Server
SMTP
 ASA 5500, and 5500-X
Platform

2013 Cisco Systems, Inc.

 Cisco ASA 5500 Series Adaptive Security
Appliances
Performance and Scalability

Cisco ASA 5500 Platforms

ASA5585-S60P60

ASA5585-S40P40

ASA5585-S20P20
ASA5585-S10P10
ASA-5550
ASA-5540
ASA-5520
ASA-5510
ASA-5505

Teleworker Branch Internet Campus Data

Office Edge Center
Cisco ASA 5500-X Series Next-Generation Firewalls
Supports Cisco ASA Software Release 8.6.1 and later images; four times the
firewall throughput of Cisco ASA 5500 Series platforms.

2013 Cisco Systems, Inc.

 ASA Stateful Features

2013 Cisco Systems, Inc.

Connection Table
 Basic Connection States
Flag Meaning Flag Meaning
a Awaiting outside ACK to SYN O Outbound data
A Awaiting inside ACK to SYN r Inside acknowledged FIN
B Initial SYN from outside R Outside acknowledged FIN
f Inside FIN s Awaiting outside SYN
F Outside FIN S Awaiting inside SYN
I Inbound data U Up

ASA1#show conn
TCP outside 172.16.3.9:2230 dmz 192.168.1.4:25, idle 0:00:00, bytes 0, flags saA
TCP outside 172.16.1.7:80 inside 10.1.1.2:4685, idle 0:00:06, bytes 11911, flags UfFrRIO
TCP dmz 192.168.1.6:22 inside 10.1.1.2:1474, idle 0:02:40, bytes 2580590, flags UIO

Note: There are also other connection states that indicate application-awareness.
Connection States Flags
Example Connection States (TCP 3Way
Handshake)
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags SaAB

Outside Inside
8.7.23.4 10.0.0.100
SYN
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags aB

Outside Inside
8.7.23.4 10.0.0.100
SYN-ACK
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UB

Outside Inside
8.7.23.4 10.0.0.100
ACK
Example Connection States (TCP Data
Transmission)
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UIB

Outside Inside
8.7.23.4 10.0.0.100
TCP PUSH
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UIOB

Outside Inside
8.7.23.4 10.0.0.100
TCP PUSH
Example Connection States (TCP Close)
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBF

Outside Inside
8.7.23.4 10.0.0.100
FIN
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBfFr

Outside Inside
8.7.23.4 10.0.0.100
FIN-ACK
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBfFRr

Outside Inside
8.7.23.4 10.0.0.100
ACK
Troubleshooting Common
Stateful Issues
 Packets are not coming back
ASA1#show conn
TCP outside 8.7.23.4:25 inside 10.0.0.100:1072, idle 0:00:00, bytes 0, flags saA

ASA1#show logging
%ASA-6-302013: Built outbound TCP connection 11 for inside:10.0.0.100:1072(10.0.0.100/1072)to outside:8.7.23.4/25 (8.7.23.4/25)
%ASA-6-302014: Teardown TCP connection 11 for inside:10.0.0.100/1072 to outside:8.7.23.4/25 duration 0:00:30 bytes 0 SYN Timeout

ASA1

Inside
ASA2
Outside
Asymmetric Traffic
You have two ASAs connected to the same ISP.
The ISP has loaded balanced traffic to each ASA.
ASA1

Inside

Outside ASA2

Drop
 Asymmetric Traffic
ASA2#show conn
UDP outside 40.1.2.30:53 inside 10.0.0.10:51132, idle 0:01:41, bytes 1739, flags -
TCP outside 30.2.4.5:22 inside 10.0.0.25:1474, idle 0:02:40, bytes 2580590, flags UIO

ASA2#show logging
%ASA-6-106015: Deny TCP (no connection) from 8.7.23.4:25 to 10.0.0.100:1072 flags SYN ACK on interface outside

ASA1

Inside

Outside ASA2

Drop
Addressing Issue
Call the IPS to stop load balancing traffic between the two ASAs
Configure TCP State Bypass on ASA 2

ASA1

Inside

Outside ASA2

Drop
 TCP State Bypass
You can bypass Cisco ASA security Deny
appliance stateful inspection unidirectional
algorithms for some flows. TCP flow.
TCP SYN
Is configurable through Cisco MPF
traffic classes.
Causes the appliance to treat these
flows similarly to Cisco IOS Software
stateless ACLs.
Also disables Cisco AIC, Cisco ASA
AIP-SSM, Cisco SSC-SSM,* cut- TCP SYN-ACK
through proxy, and TCP normalizer for (synchronization
these flows. and acknowledgment)
Is used only for trusted flows.
TCP State Bypass: CLI Configuration
access-list STATE-BYPASS-ACL permit tcp host 10.0.0.100 host 8.7.23.4 eq 25
access-list STATE-BYPASS-ACL permit tcp host 8.7.23.4 eq 25 host 10.0.0.100
!
class-map STATE-BYPASS Create ACLs that match
match access-group STATE-BYPASS-ACL traffic to bypass SFT.
!
! Create a class map and
! specify matching criteria.
! Edit the policy map
policy-map global_policy and apply actions to
class STATE-BYPASS traffic classes.
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global Default service-
policy already
applying globally.
TCP Normalizer and
Fragmentation
TCP Normalizer Overview
The Cisco ASA security appliance TCP normalizer feature does the following:
Verifies adherence to the TCP protocol and prevents evasion attacks
Minimizes TCP features by default
Performs TCP sequence number randomization for protected hosts
Provides the reassembled byte stream to upper-layer inspectors

Reassembled Stream

Incoming TCP Segments Normalized TCP Segments

Sequence Number Randomization
Only happens on communication from high to low security interfaces
Only done to the initial SYC packet
Tracked in the Stateful Table
0 100

Outside Inside
Server Client

SYN = Seq 236745 SYN = Seq 0

Hacker
Cisco ASA Security Appliance IP Fragment Handling
The appliance performs virtual IP reassembly:
Buffers fragments of a packet until all have been received
Verifies that fragments are properly fragmented
Reassembles IP fragments internally, to perform TCP normalization and application
inspection
Forwards fragments as they are received

Reassembled Packet

Incoming IP Fragments Outgoing IP Fragments

 Fragment size, chain, and time
Fragmentation is controlled per interface
The fragment size controls how many fragments the database can hold for reassembly.
The fragment chain controls how much a signal packet can be fragmented.
Note: The fragment size will only wait for 5 seconds by default for all the fragments to arrive. If all
fragments of the packet do not arrive by the number of seconds configured, all fragments of the
packet that were already received will be discarded.
!
fragment size 1000 inside
fragment size 1000 outside
!
!
fragment chain 250 inside
fragment chain 250 outside
!
fragment timeout 10 inside
fragment timeout 10 outside
CCIE Security
Example
 209.165.300.0/24
Internet Normalizer
.57 .2 Tuning (Increase
Conn Timeout)
.2
209.165.200.0/24
.1 BGP Peering
(Disable SNR,
BGP Peer and Keep
.1 Options)
10.0.1.0/24

Fragmentation
.2 VPN .3 (Increase
Tunnel fragmentation
11.0.0.0/24
Primary/Active Secondary/Standby chain)

.2 .3
Guests .4
DHCP

10.0.2.0/24
.1
BGP Peer
10.0.4.0/24 .1 .1
10.0.3.0/24
.2
.3 DHCP
.2
HTTP DHCP
HTTPS Server
SMTP
Timout Extention, BGP Peering, and Fragment
Tuning
CCIE Security Lab
access-list SSH-TO-HOST permit tcp 209.165.200.0 255.255.255.0 host 10.0.4.3 eq 22
access-list BGP-PEERING permit tcp host 10.0.1.1 host 10.0.2.1 eq 179
access-list BGP-PEERING permit tcp host 10.0.2.1 host 10.0.1.1 eq 179
!
class-map BGP-PEERING
match access-group BGP-PEERING
!
tcp-map TCP-BGP-AUTH
tcp-options range 19 19 allow
!
class-map HOST-TIMEOUT
match access-group SSH-TO-HOST
!
policy-map CUSTOM_MPF_POLICY
class HOST-TIMEOUT
set connection timeout idle 4:00:00 reset
class BGP-PEERING
set connection advanced-options TCP-BGP-AUTH
set connection random-sequence-number disable
!
service-policy CUSTOM_MPF_POLICY global

fragment chain 30 inside

fragment chain 30 outside
 Network Address
Translation (NAT)

2013 Cisco Systems, Inc.

ASA NAT on 8.2 and Earlier vs. 8.3 and Later
NAT Changes
8.2 and Earlier
Very strict order of processing NAT
ACL for Server access needs to reflect the
MAPPED IP (NATED IP)
None Objected Oriented, and hard to follow, and
hard to structure
NAT Control
Interfaces needed to be named for NAT to work
8.3 and Later
NAT Processed from the TOP/DOWN
ACL for Server access needs to reflect the REAL
IP (SERVER IP)
Objected Oriented, very structured, and scalable
NAT Control Removed
ANY command can now be used to save time,
and lines of configuration
Twice NAT Support
Global ACL Support (Input Traffic Only)
Static NAT
 Static NAT
Static NAT is used to link to two interfaces that need access to the outside world.
It is used for a server to communicate on a low-security interface using a routable IP,
but still maintaining its private IP.

Local Address
dmz outside
172.16.1.20 Internet
Translate
209.165.200.230
Static NAT (Cont.)
Static NAT Examples
Real Mapped
Interface Interface

ASA1(config)#static (dmz,outside) 209.165.200.230 172.16.1.20

Mapped IP Private IP

8.2 and Earlier

Object
8.3 and Later Name
Private IP
NAT
ASA1(config)# object network DMZ-Server Type
Mapped IP
ASA1(config-network-object)# host 172.16.1.20
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.230
Dynamic NAT
Dynamic NAT
Dynamic NAT allows many internal clients to translate to a range of public IPs.
Note: The range of public IPs limits how many clients can reach the internet at the
same time.

Local Addresses
10.0.1.0/24 inside outside
Internet
Translate to
209.165.230-235
Dynamic NAT (Cont.)
Dynamic NAT Examples
Private IP Subnet

ASA1(config)#nat (inside) 1 10.0.1.0 255.255.255.0

ASA1(config)#global (outside) 1 209.165.200.230-209.165.200.235

8.2 and Earlier Mapped IP

Range

8.3 and Later Mapped IP

Range
ASA1(config)# object network Public_Pool
ASA1(config-network-object)# range 209.165.200.230-209.165.200.235
Private IP
Subnet Mapped IP
ASA1(config)# object network Inside_Network Range Applied
ASA1(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic Public_Pool
Dynamic PAT
Dynamic PAT
Dynamic PAT allows many internal clients to translate to a signal public address.

Local Addresses
10.0.1.0/24 inside outside
Internet

Translate to
209.165.230
outside interface IP
Dynamic PAT (Cont.)
Dynamic PAT Examples
Private IP Subnet

ASA1(config)#nat (inside) 1 10.0.1.0 255.255.255.0

ASA1(config)#global (outside) 1 interface

8.2 and Earlier

8.3 and Later Private IP

Subnet
ASA1(config)# object network Inside_Network
ASA1(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
Static PAT
 Static PAT
Static PAT is used to link one public IP to more then one server regardless of interface.

Local Address
172.16.1.20 FTP
Server

dmz outside
Internet
Translate
Local Address 209.165.200.230
172.16.1.21 HTTP
Server
 Static PAT (Cont.)
Static PAT Examples
Mapped Real
Port Port

ASA1(config)#static (dmz,outside) tcp 209.165.200.230 ftp 172.16.1.20 ftp

8.2 and Earlier

Real
Port

8.3 and Later

Mapped
ASA1(config)# object network DMZ-Server Port
ASA1(config-network-object)# host 172.16.1.20
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.230 tcp ftp ftp
Troubleshooting NAT
NAT Table Changes: Cisco ASA Software Version
8.3 and Later
NAT configuration builds entries in the NAT table.
The new NAT table in Cisco ASA Software Version 8.3 and later has
three parts:
- Manual NAT (first section)
Default location for manual NAT statements
- Auto NAT (second section)
Also called object NAT
Default location for auto NAT statements
- Manual NAT after auto NAT(third section)
Manual NAT entries that are specified with the after-auto keyword
NAT 8.3 and Later Order
ASA1(config)# show run nat
nat (dmz-wireless,outside) source dynamic dmz-wireless-172.16.1.0 interface destination
static DNS-Server1 DNS-Server2
nat (inside,outside) source static smtp_access interface service smtp_port smtp_port
nat (outside,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (dmz-wireless,outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static
No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
nat (inside,outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static
No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
!
Manual NAT
object network inside-192.168.1.0
nat (inside,dmz-wireless) static 192.168.1.0 no-proxy-arp route-lookup
object network All_Networks
nat (any,outside) dynamic interface
object network http_access
nat (inside,outside) static interface service tcp www www
object network https_access
nat (inside,outside) static interface service tcp www www Auto NAT
NAT 8.3 and Later Order
ASA1(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz-wireless) to (outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
translate_hits = 319, untranslate_hits = 320
2 (inside) to (outside) source static smtp_access interface service smtp_port smtp_port
translate_hits = 9780, untranslate_hits = 11515
3 (outside) to (outside) source dynamic DM_INLINE_NETWORK_1 interface
translate_hits = 34, untranslate_hits = 163
4 (dmz-wireless) to (outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT
no-proxy-arp route-lookup
translate_hits = 12, untranslate_hits = 0
5 (inside) to (outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-
proxy-arp route-lookup
translate_hits = 714, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static http_access interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static https_access interface service tcp www www
translate_hits = 0, untranslate_hits = 0
3 (inside) to (dmz-wireless) source static inside-192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
translate_hits = 175, untranslate_hits = 31834
4 (any) to (outside) source dynamic All_Networks interface
translate_hits = 1098827, untranslate_hits = 161280
NAT 8.3 and Later Order
Manual NAT Sections 1, and 3
Applied on a first match basis, in the order they appear in the configuration. By
default, twice NAT rules are added to section 1.

Outside Inside
172.16.1.254 10.0.0.100
NAT 8.3 and Later Order
ASA1(config)# show run nat
<input omitted>
!
nat (dmz-wireless,outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
nat (inside,outside) source static smtp_access interface service smtp_port smtp_port
nat (outside,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (dmz-wireless,outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-
lookup
nat (inside,outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
!
!
ASA1(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz-wireless) to (outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
translate_hits = 319, untranslate_hits = 320
2 (inside) to (outside) source static smtp_access interface service smtp_port smtp_port
translate_hits = 9780, untranslate_hits = 11515
3 (outside) to (outside) source dynamic DM_INLINE_NETWORK_1 interface
translate_hits = 34, untranslate_hits = 163
4 (dmz-wireless) to (outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp
route-lookup
translate_hits = 12, untranslate_hits = 0
5 (inside) to (outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-
lookup
translate_hits = 714, untranslate_hits = 0
NAT 8.3 and Later Order
Auto NAT Section 2
Section 2 rules are applied in the following order, as automatically determined by the ASA:
1. Static rules.
2. Dynamic rules.
Within each rule type, the following ordering guidelines are used:
a. Quantity of real IP addressesFrom smallest to largest. For example, an object with one address will
be assessed before an object with 10 addresses.
b. For quantities that are the same, then the IP address number is used, from lowest to highest. For
example, 10.1.1.0 is assessed before 11.1.1.0.
c. If the same IP address is used, then the name of the network object is used, in alphabetical order. For
example, abracadabra is assessed before catwoman.
NAT 8.3 and Later Order
ASA1(config)# show run nat
<input omitted>
!
object network inside-192.168.1.0
nat (inside,dmz-wireless) static 192.168.1.0 no-proxy-arp route-lookup
object network All_Networks
nat (any,outside) dynamic interface
object network http_access
nat (inside,outside) static interface service tcp www www
object network https_access
nat (inside,outside) static interface service tcp www www
!
ASA1(config)# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static http_access interface service tcp www www
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static https_access interface service tcp www www
translate_hits = 0, untranslate_hits = 0
3 (inside) to (dmz-wireless) source static inside-192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
translate_hits = 175, untranslate_hits = 31834
4 (any) to (outside) source dynamic All_Networks interface
translate_hits = 1098827, untranslate_hits = 161280
CCIE Security
Example
 209.165.300.0/24
Internet Static NAT
.57 .2
.2
209.165.200.0/24 Dynamic PAT
.1

.1
10.0.1.0/24

.2 .3
11.0.0.0/24
Primary/Active Secondary/Standby

.2 .3
Guests .4
DHCP

10.0.2.0/24
.1

10.0.4.0/24 .1 .1
10.0.3.0/24
.3 .2
DHCP
.2
HTTP DHCP
HTTPS Server
SMTP
Dynamic PAT Solution
CCIE Security Lab

ASA1(config)#nat (inside) 1 10.0.3.0 255.255.255.0

ASA1(config)#global (outside) 1 interface

8.2 and Earlier

8.3 and Later

ASA1(config)# object network Client_Network
ASA1(config-network-object)# subnet 10.0.3.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
Static NAT
CCIE Security Lab

ASA1(config)#static (dmz,outside) 209.165.200.3 10.0.4.3

8.2 and Earlier

8.3 and Later

ASA1(config)# object network Server
ASA1(config-network-object)# host 10.0.4.3
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.3
 Modular Policy
Framework (MPF)
Cisco ASA Security Appliance Cisco MPF Overview
Different traffic flows may require different network policies.
Cisco MPF provides granularity and flexibility when you implement network policies for
traffic flows:
Defines traffic flows that require access control beyond ACLs
Associates network policies with traffic flows
Enables network policies on specific interface or globally

Send traffic from the Branch Office

Internet to the Cisco
ASA CSC-SSM.
Prioritize VoIP traffic.

Headquarters
Internet
Enable data loss Allow only safe
prevention for HTTP, HTTP methods.
FTP, and SMTP traffic.
 OSI Layer 3 and Layer 4 Class Maps
To identify traffic for IP Phone:

Branch Office

To identify VoIP traffic,

match DSCP EF.
Configure OSI Layer 3 and Layer 4 Policies:
CLI Commands

Create a class map and

class-map VoIP specify matching attribute.
match dscp ef
! Create a policy map.
policy-map outside-policy
class VoIP Refer to the class map.
priority
! Specify an action for the traffic class.
service-policy outside-policy interface outside Apply policy map to
the interface using
the service policy.
Verify OSI Layer 3 and Layer 4 Policies
ASA1#show service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
<...part of the output omitted...>

Interface outside:
Service-policy: outside-policy
Class-map: VoIP
Priority:
Interface outside: aggregate drop 0, aggregate transmit 0
Class-map: class-default
Regular Expressions
Regular expressions are a computer language that is used to describe patterns.
Used to describe a set of strings without describing individual elements
Used by the security appliance to match custom application layer content

Drop HTTP requests containing CMD.EXE,

/bin/sh, /bin/bash, /bin/ksh, /bin/tcsh...

Allow only HTTP requests

to cisco.com domain.
 OSI Layer 3 and Layer 4 Class Maps
To identify traffic for IP Phone:

IS
P

Block: bad.com, and

iamverybad.com.
 Configure OSI Layers 5 to 7 Policies
CLI Commands
Create regular expressions.
regex SECRET_PAGES "[Bb][Aa][Dd]\.[Cc][Oo][Mm]"
regex GAMES_PAGES [Ii][Aa][Mm][Vv][Ee][Rr][Yy][Bb][Aa][Dd]\.[Cc][Oo][Mm]
!
class-map type regex match-any BAD_PAGES Create regular expression
match regex BAD_PAGES class map.
match regex VERYBAD_PAGES
! Create Layers 5 to 7 class map
class-map type inspect http match-any BAD_HTTP_TRAFFIC for HTTP traffic.
match request header host regex class BAD_PAGES
! Specify match attributes
policy-map type inspect http INSPECT_HTTP inside HTTP traffic.
class BAD_HTTP_TRAFFIC
reset log Refer to Layers 5 to 7 Create Layers 5 to 7 policy map
! class map, and apply for HTTP traffic.
policy-map global_policy actions
class inspection_default
inspect http INSPECT_HTTP
Apply a Layers 5 to 7
policy map in a Layers 3
and 4 policy map.
Verify OSI Layers 5 to 7 Policies
CLI Commands
ASA1#show service-policy

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
<output omitted>
Inspect: http INSPECT_HTTP, packet 484, drop 6, reset-drop 6
Inspect: icmp, packet 38, drop 0, reset-drop 0

Interface Branch_Net:
Service-policy: Branch_Net-policy
Class-map: VoIP1
Priority:
Interface Branch_Net: aggregate drop 0, aggregate transmit 0
Class-map: class-default
CCIE Security
Example
 209.165.300.0/24
Internet Server
.57 .2 Protections
(Embryonic)
.2
209.165.200.0/24
.1 Server
Protections
(Conn Limit)
.1
10.0.1.0/24
FTP Server
(FTP
.2 .3 Inspection)

11.0.0.0/24
Primary/Active Secondary/Standby

.2 .3
Guests .4
DHCP

10.0.2.0/24
.1

10.0.4.0/24 .1 .1
10.0.3.0/24
.2
.3 DHCP
.2
FTP DHCP
Server Server
Embryonic Conn, Conn Limits and FTP Inspection
CCIE Security Lab
access-list SERVER_EMB_LIMITS permit ip any host 209.165.300.57
!
access-list SERVER_TRAFFIC_LIMITS permit ip any host 209.165.300.57
!
access-list FTP_TRAFFIC permit tcp any host 10.4.0.3 eq 21
!
class-map FTP_TRAFFIC_PASS
match access-list FTP_TRAFFIC
!
class-map CONN_MAX
match access-list SERVER_TRAFFIC_LIMITS
!
class-map EMBRYONIC_CONN_MAX
match access-list SERVER_EMB_LIMITS
!
policy-map SERVER_POLICY
class EMBRYONIC_CONN_MAX
set connection embryonic-conn-max 90 per-client-embryonic-max 10
class CONN_MAX
set connection conn-max 10000 per-client-max 50
class FTP_TRAFFIC_PASS
inspect ftp
!
service-policy SERVER_POLICY interface outside
Failover Active/Standby
Cisco ASA Adaptive Security Appliance
Active/Standby Failover Overview
Two Cisco ASA security appliances can be paired into an active/standby failover to
provide device redundancy.
One physical device is permanently designated as primary, the other device as
secondary.
One of the pair is elected to be in active state (forwarding traffic), and the other in hot
standby state (waiting).
The health of devices is monitored over the LAN failover interface.
Secondary/Standby

192.168.1.0/24 10.0.1.0/24
.3 .3
.3
Internet 10.1.1.0/29
.1
.2 .1

Primary/Active
Failover Deployment Options
Stateless failover:
Provides hardware redundancy only.
All established statefully tracked connections are dropped after switchover.
Users may have to re-establish connections.
Stateful failover extends stateless failover:
Provides hardware and state table redundancy.
Connections remain active during the failover.
Users do not have to re-establish connections.
Requires a stateful link between devices (in addition to the LAN-based
failover link).
 Stateful Failover Support
State Information Passed to Standby Unit State Information Not Passed to Standby Unit

NAT table HTTP connection table (unless HTTP replication is enabled)

TCP connection states User authentication table
UDP connection states State information for Cisco AIP-SSM
ARP table
MAC address table (applies to transparent mode only) DHCP server leases
ISAKMP SAs, IPsec SAs, SSL sessions Phone proxy sessions
GTP PDP connection database
SIP signaling sessions
Dynamic routing table entries

Cisco ASA security appliance supports IPv6 failover beginning with Cisco ASA Software Version 8.2(2).
Verify Active/Standby Failover
Displays information about the failover status of the unit
ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 02:59:27 UTC Aug 1 2011
This host: Primary - Active
Active time: 930 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
Interface outside (192.168.1.2): Normal
Interface inside (10.0.1.1): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 495 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(1))status (Up Sys)
Interface outside (192.168.1.3): Normal
Interface inside (10.0.1.3): Normal
<output omitted>
Troubleshooting Failover
Active/Standby
Troubleshooting Typical Failover Problems

ASA are not Like-for-Like

The secondary is not able to talk to the Primary (Failover Cable Issues)
The monitoring interface policy was changed
The secondary has failed
Cisco ASA Security Appliance
Failover Requirements
Hardware requirements for both devices:
Same hardware model
Same number and type of interfaces
Same SSM software installed (if any)
Same amount of RAM is recommended
Software requirements for both devices:
Same major and minor software version
Same licensed features (8.2 and earlier)
License includes active/standby failover feature
Same operating mode (transparent or routed, multiple- or single-context)
Verify Failover Peer
ASA1/act/pri# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
<output omitted>
Last Failover at: 02:59:27 UTC Aug 1 2011
This host: Primary - Active
Active time: 930 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
Interface outside (192.168.1.2): Normal (Waiting)
Interface inside (10.0.1.1): Normal (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Not Detected
Active time: 0 (sec)
slot 0: empty
Interface outside (192.168.1.3): Unknown (Waiting)
Interface inside (0.0.0.0): Unknown (Waiting)
slot 1: empty

Peer device has not been detected and failover cannot occur.
Verify connectivity between devices and failover configuration on the secondary
device.
Verify Active/Standby Failover Interface Policy
Displays information about the failover status of the unit
ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 02:59:27 UTC Aug 1 2011
This host: Primary - Active
Active time: 930 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
Interface outside (192.168.1.2): Normal
Interface inside (10.0.1.1): Normal
slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 495 (sec)
slot 0: ASA5520 hw/sw rev (1.0/8.4(1))status (Up Sys)
Interface outside (192.168.1.3): Normal
Interface inside (10.0.1.3): Normal
<output omitted>
Failover Health Monitoring
Unit health monitoring
The Cisco ASA security appliance determines the health of the other unit by
monitoring the failover link.
Devices exchange hello messages(sent every 1sec) over the failover interface.
When there is no response from the active device, switchover occurs.
Interface health monitoring
Each network interface can be monitored.
Devices exchange hello messages(sent every 5sec) over monitored (1 Interface
policy) interfaces.
When a specified number of monitored interfaces fail on the active device, switchover
occurs.
CCIE Security
Example
 209.165.300.0/24
Internet
.57 .2
.2
209.165.200.0/24
.1

.1
10.0.1.0/24

Gig0/1 .2 .3
Gig0/1

11.0.1.0/24
Primary/Active Secondary/Standby
Gig0/3
.2 .3
Guests Gig0/0
.4
DHCP Gig0/0

10.0.2.0/24
.1

10.0.4.0/24 .1 .1
10.0.3.0/24
.2
.3 DHCP
.2
HTTP DHCP
HTTPS Server
SMTP
Primary Security Appliance
Configure active/standby failover on the primary Cisco ASA security appliance.
Enable the interface
interface GigabitEthernet0/3 used for failover.
no shutdown Specify interface used as the
failover interface.
! Specify unit as
failover lan unit primary primary. Assign active and standby
failover lan interface FAILOVER GigabitEthernet0/3 IP addresses to the
failover interface ip FAILOVER 11.0.1.1 255.255.255.0 standby 11.0.1.2 failover link.
failover link FAILOVER Specify the interface used
failover key 6X9vLuFt983d8FltTf7 as the stateful failover
Specify key for the
failover link.
Enable failover. failover link.
!
interface GigabitEthernet0/1
ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
!
Specify active and standby
interface GigabitEthernet0/0
IP addresses.
ip address 10.0.2.1 255.255.255.0 standby 10.0.2.2

Specify active and standby

IP addresses.
Secondary Security Appliance
Configure active/standby failover on the secondary Cisco ASA security appliance.

Enable interface
used for failover. Specify interface used as the
interface GigabitEthernet0/3 failover interface.
no shutdown Specify unit as
! secondary. Assign active and standby IP
failover lan unit secondary addresses to the failover link.
failover lan interface FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 11.0.1.1 255.255.255.0 standby 11.0.1.2
failover link FAILOVER Specify the interface used as the stateful failover link.
failover key 6X9vLuFt983d8FltTf7
Specify key for the failover link.
failover
Enable HTTP replication.
Enable failover.
Complete Your Online Session Evaluation
Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner
will receive a $750 Amazon
gift card.
Complete your session surveys
though the Cisco Live mobile
app or your computer on
Cisco Live Connect.
Dont forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Table Topics
Meet the Engineer 1:1 meetings
Related sessions
Thank you