
Firewall Core for CCIE Candidates

BRKCCIE-3203
By Rafael Leiva-Ochoa
© 2013 Cisco Systems, Inc.

Introduction

Rafael Leiva-Ochoa
• @Cisco since Oct 2000
• Works in the TS Training Group (part of Learning@Cisco)
• Delivers courses on Security to Global TAC Centers
• CCIE 19322 Security since 2007

Participate in session polling and Q&A

Step 1: Download the Mobile App. Get all the information you need at your fingertips: http://bit.ly/clus2015
Step 2: Access the session. Log into the app using your Cisco Live login and find your session.

CCIE Security Program Overview

Firewall Topics Covered in CCIE Security

CCIE Security Topics
• Configure EtherChannel
• High availability and redundancy
• Layer 2 transparent firewall
• Security contexts (virtual firewall)
• Cisco Modular Policy Framework
• Identity firewall services
• Configure Cisco ASA with ASDM
• Context-aware services
• IPS capabilities
• QoS capabilities

Cisco ASA firewalls
• Basic firewall initialization
• Device management
• Address translation
• ACLs
• IP routing and route tracking
• Object groups
• VLANs

Cisco Gear Used on CCIE Security

• Cisco 3800 Series Integrated Services Routers (ISR)
• Cisco 1800 Series Integrated Services Routers (ISR)
• Cisco 2900 Series Integrated Services Routers (ISR G2)
• Cisco Catalyst 3560-24TS Series Switches
• Cisco Catalyst 3750-X Series Switches
• Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
• Cisco IPS Series 4200 Intrusion Prevention System sensors
• Cisco S-series Web Security Appliance
• Cisco ISE 3300 Series Identity Services Engine
• Cisco WLC 2500 Series Wireless LAN Controller
• Cisco Aironet 1200 Series Wireless Access Point
• Cisco IP Phone 7900 Series*
• Cisco Secure Access Control System

*Device authentication only; provisioning of IP phones is NOT required.

Cisco Code Used on CCIE Security

• Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
• Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
• Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
• Cisco IPS Software Release 7.x
• Cisco VPN Client Software for Windows, Release 5.x
• Cisco Secure ACS System software version 5.3x
• Cisco WLC 2500 Series software 7.2x
• Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
• Cisco WSA S-series software version 7.1x
• Cisco ISE 3300 series software version 1.1x
• Cisco NAC Posture Agent v4.X
• Cisco AnyConnect Client v3.0X

Cisco ASA GUI tools may or may not be available, therefore candidates are expected to configure Cisco ASA appliances using the CLI.

ASA Code Versions Covered in CCIE Security

Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x

Agenda

• Introduction
• ASA 5500 and 5500-X Platform
• Stateful Features
• NAT
• MPF
• Failover
• Conclusion

CCIE Security Practice Labs

[Diagram: practice lab topology. The Internet cloud (labelled 209.165.300.0/24 on the slide, which is not a valid IPv4 prefix; .57) reaches 209.165.200.0/24 (.1, .2), behind which sit two ASAs, Primary/Active and Secondary/Standby, on 10.0.1.0/24 (.1, .2, .3) with 11.0.0.0/24 beyond them. Inside segments: Guests on 10.0.2.0/24 (.1 gateway; .2, .3, .4 DHCP clients), a DHCP server on 10.0.3.0/24 (.1 gateway, .2 server), and HTTP, HTTPS and SMTP servers on 10.0.4.0/24 (.1, .2, .3).]

ASA 5500 and 5500-X Platform

Cisco ASA 5500 Series Adaptive Security Appliances

[Figure: Cisco ASA 5500 platforms arranged by scalability and performance, from teleworker and branch office through Internet edge and campus to data center: ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5585-S10P10, ASA 5585-S20P20, ASA 5585-S40P40, ASA 5585-S60P60.]

Cisco ASA 5500-X Series Next-Generation Firewalls

Supports Cisco ASA Software Release 8.6.1 and later images; four times the firewall throughput of Cisco ASA 5500 Series platforms.

ASA Stateful Features

Connection Table

Basic Connection States

Flag  Meaning
a     Awaiting outside ACK to SYN
A     Awaiting inside ACK to SYN
B     Initial SYN from outside
f     Inside FIN
F     Outside FIN
I     Inbound data
O     Outbound data
r     Inside acknowledged FIN
R     Outside acknowledged FIN
s     Awaiting outside SYN
S     Awaiting inside SYN
U     Up

ASA1#show conn
TCP outside 172.16.3.9:2230 dmz 192.168.1.4:25, idle 0:00:00, bytes 0, flags saA
TCP outside 172.16.1.7:80 inside 10.1.1.2:4685, idle 0:00:06, bytes 11911, flags UfFrRIO
TCP dmz 192.168.1.6:22 inside 10.1.1.2:1474, idle 0:02:40, bytes 2580590, flags UIO

Note: There are also other connection states that indicate application-awareness.

Connection States Flags

Example Connection States (TCP 3-Way Handshake)

Outside host 8.7.23.4 opens a connection to inside host 10.0.0.100 on port 25.

1. SYN from outside:
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags SaAB

2. SYN-ACK from inside:
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags aB

3. ACK from outside (the connection is now up):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UB

Example Connection States (TCP Data Transmission)

1. TCP PUSH from outside (inbound data):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UIB

2. TCP PUSH from inside (outbound data):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UIOB

Example Connection States (TCP Close)

1. FIN from outside:
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBF

2. FIN-ACK from inside (inside sends its own FIN and acknowledges the outside FIN):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBfFr

3. ACK from outside (outside acknowledges the inside FIN):
TCP outside 8.7.23.4:2230 inside 10.0.0.100:25, idle 0:00:00, bytes 0, flags UBfFRr

Troubleshooting Common Stateful Issues

Packets are not coming back

ASA1#show conn
TCP outside 8.7.23.4:25 inside 10.0.0.100:1072, idle 0:00:00, bytes 0, flags saA

ASA1#show logging
%ASA-6-302013: Built outbound TCP connection 11 for inside:10.0.0.100/1072 (10.0.0.100/1072) to outside:8.7.23.4/25 (8.7.23.4/25)
%ASA-6-302014: Teardown TCP connection 11 for inside:10.0.0.100/1072 to outside:8.7.23.4/25 duration 0:00:30 bytes 0 SYN Timeout

The flags saA show that ASA1 is still waiting for the outside host's SYN-ACK; after the 30-second SYN timeout the entry is torn down with 0 bytes transferred. The SYN left through ASA1, but the reply never came back through it.

[Diagram: ASA1 and ASA2 sit in parallel between the inside and outside networks.]

Asymmetric Traffic

• You have two ASAs connected to the same ISP.
• The ISP load-balances return traffic across the two ASAs.

[Diagram: the SYN from the inside host leaves through ASA1; the ISP sends the SYN-ACK back through ASA2, which drops it.]

Asymmetric Traffic

ASA2#show conn
UDP outside 40.1.2.30:53 inside 10.0.0.10:51132, idle 0:01:41, bytes 1739, flags -
TCP outside 30.2.4.5:22 inside 10.0.0.25:1474, idle 0:02:40, bytes 2580590, flags UIO

ASA2#show logging
%ASA-6-106015: Deny TCP (no connection) from 8.7.23.4:25 to 10.0.0.100:1072 flags SYN ACK on interface outside

ASA2 has no connection entry for 10.0.0.100:1072 to 8.7.23.4:25 because it never saw the SYN, so the returning SYN-ACK is dropped as a packet without a connection.

[Diagram: the SYN leaves through ASA1; the SYN-ACK arrives at ASA2 and is dropped.]
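The two symptoms above, as an added example that is not part of the original deck: Python that reads syslog from both firewalls, correlates the SYN Timeout teardown on ASA1 with the "no connection" SYN-ACK drop on ASA2, and reports the flow as asymmetric. The log lines are constructed in the standard 302013/302014/106015 message formats (both the slash and the colon port separators seen in the slide's transcription are accepted); the device labels and finding names are my own.

```python
import re

# %ASA-6-302013: Built {in,out}bound TCP connection <id> for ifc:real/port (mapped/port) to ifc:real/port (mapped/port)
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<sifc>[\w-]+):(?P<src>[\d.]+)[:/](?P<sport>\d+)\s*\([^)]*\)\s*to "
    r"(?P<difc>[\w-]+):(?P<dst>[\d.]+)[:/](?P<dport>\d+)"
)
# %ASA-6-302014: Teardown TCP connection <id> for ifc:real/port to ifc:real/port duration h:mm:ss bytes n [reason]
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<cid>\d+) for "
    r"(?P<sifc>[\w-]+):(?P<src>[\d.]+)[:/](?P<sport>\d+) to "
    r"(?P<difc>[\w-]+):(?P<dst>[\d.]+)[:/](?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)
# %ASA-6-106015: Deny TCP (no connection) from ip/port to ip/port flags FLAGS on interface ifc
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)[:/](?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)[:/](?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)


def parse_events(device, lines):
    """Turn raw syslog lines from one firewall into tagged events."""
    events = []
    for line in lines:
        line = line.strip()
        if m := BUILT_RE.search(line):
            events.append({"device": device, "kind": "built", **m.groupdict()})
        elif m := TEARDOWN_RE.search(line):
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            d["reason"] = (d["reason"] or "").strip()
            events.append({"device": device, "kind": "teardown", **d})
        elif m := DENY_RE.search(line):
            d = m.groupdict()
            d["flags"] = set(d["flags"].split())
            events.append({"device": device, "kind": "deny_no_conn", **d})
    return events


def diagnose(events):
    """Classify the stateful failures described on this page.

    syn_timeouts:   a SYN left this firewall but no SYN-ACK came back through it.
    orphan_synacks: a SYN-ACK hit this firewall with no matching connection.
    asymmetric:     the same flow is in both lists on different devices,
                    which is the load-balanced-ISP case from the slide."""
    def flow(client, cport, server, sport):
        return (client, int(cport), server, int(sport))

    syn_timeouts = {}
    for e in events:
        if e["kind"] == "teardown" and e["reason"] == "SYN Timeout" and e["bytes"] == 0:
            syn_timeouts[flow(e["src"], e["sport"], e["dst"], e["dport"])] = e["device"]
    orphan_synacks = {}
    for e in events:
        if e["kind"] == "deny_no_conn" and {"SYN", "ACK"} <= e["flags"]:
            # The SYN-ACK travels server -> client; swap to get the client's view of the flow.
            orphan_synacks[flow(e["dst"], e["dport"], e["src"], e["sport"])] = e["device"]
    asymmetric = [
        {"flow": f, "syn_via": syn_timeouts[f], "synack_dropped_by": orphan_synacks[f]}
        for f in syn_timeouts
        if f in orphan_synacks and syn_timeouts[f] != orphan_synacks[f]
    ]
    return {"syn_timeouts": syn_timeouts, "orphan_synacks": orphan_synacks, "asymmetric": asymmetric}


# Constructed sample: ASA1 builds and times out the connection, ASA2 drops the reply.
ASA1_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 11 for inside:10.0.0.100/1072 (10.0.0.100/1072) to outside:8.7.23.4/25 (8.7.23.4/25)",
    "%ASA-6-302014: Teardown TCP connection 11 for inside:10.0.0.100/1072 to outside:8.7.23.4/25 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 12 for inside:10.0.0.25/1474 to outside:30.2.4.5/22 duration 0:02:40 bytes 2580590 TCP FINs",
]
ASA2_LOG = [
    "%ASA-6-106015: Deny TCP (no connection) from 8.7.23.4/25 to 10.0.0.100/1072 flags SYN ACK on interface outside",
]


def run():
    events = parse_events("ASA1", ASA1_LOG) + parse_events("ASA2", ASA2_LOG)
    return diagnose(events)


if __name__ == "__main__":
    for finding in run()["asymmetric"]:
        client, cport, server, sport = finding["flow"]
        print(f"{client}:{cport} -> {server}:{sport}: SYN left via {finding['syn_via']}, "
              f"SYN-ACK dropped by {finding['synack_dropped_by']} (asymmetric routing)")
```

A SYN Timeout on one firewall alone can also mean an upstream ACL or a dead server; it is the matching 106015 on the other firewall that turns the guess into a confirmed asymmetric path, which is why the function insists the two events come from different devices.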

Addressing the Issue

• Ask the ISP to stop load-balancing traffic between the two ASAs, or
• Configure TCP State Bypass on ASA2 for the affected flows.

[Diagram: the SYN leaves through ASA1; the SYN-ACK arrives at ASA2 and is dropped.]

TCP State Bypass

• You can bypass Cisco ASA security appliance stateful inspection algorithms for some flows.
• Is configurable through Cisco MPF traffic classes.
• Causes the appliance to treat these flows similarly to Cisco IOS Software stateless ACLs.
• Also disables Cisco AIC, Cisco ASA AIP-SSM, Cisco SSC-SSM,* cut-through proxy, and TCP normalizer for these flows.
• Is used only for trusted flows.

[Diagram: without bypass, a TCP SYN-ACK (synchronization and acknowledgment) that arrives with no matching TCP SYN is denied as a unidirectional TCP flow.]

TCP State Bypass: CLI Configuration

! Create ACLs that match the traffic to bypass stateful inspection (both directions).
access-list STATE-BYPASS-ACL permit tcp host 10.0.0.100 host 8.7.23.4 eq 25
access-list STATE-BYPASS-ACL permit tcp host 8.7.23.4 eq 25 host 10.0.0.100
!
! Create a class map and specify the matching criteria.
class-map STATE-BYPASS
 match access-group STATE-BYPASS-ACL
!
! Edit the policy map and apply the action to the traffic class.
policy-map global_policy
 class STATE-BYPASS
  set connection advanced-options tcp-state-bypass
!
! The default service policy global_policy is already applied globally.
service-policy global_policy global

TCP Normalizer and Fragmentation

TCP Normalizer Overview

The Cisco ASA security appliance TCP normalizer feature does the following:
• Verifies adherence to the TCP protocol and prevents evasion attacks
• Minimizes TCP features by default
• Performs TCP sequence number randomization for protected hosts
• Provides the reassembled byte stream to upper-layer inspectors

[Diagram: incoming TCP segments are reassembled into a byte stream for the inspectors and forwarded as normalized TCP segments.]

Sequence Number Randomization

• Only happens on communication from high to low security interfaces
• Only done to the initial SYN packet
• Tracked in the stateful table

[Diagram: a client on the inside (security level 100) sends SYN with Seq 0; the ASA forwards it to the server on the outside (security level 0) as SYN with Seq 236745 and records the offset in its connection table, so a hacker on the outside cannot exploit the predictable initial sequence number.]

Cisco ASA Security Appliance IP Fragment Handling

The appliance performs virtual IP reassembly:
• Buffers fragments of a packet until all have been received
• Verifies that the fragments are properly formed
• Reassembles IP fragments internally to perform TCP normalization and application inspection
• Forwards the fragments as they were received (the reassembled packet is used only for inspection)

[Diagram: incoming IP fragments are reassembled into a packet for inspection, then the outgoing IP fragments are forwarded.]

Fragment size, chain, and time

• Fragmentation is controlled per interface.
• The fragment size controls how many fragments the reassembly database can hold.
• The fragment chain controls into how many fragments a single packet may be split.
• Note: the reassembly database waits only 5 seconds by default for all fragments of a packet to arrive. If they have not all arrived within the configured timeout, the fragments already received are discarded.

fragment size 1000 inside
fragment size 1000 outside
!
fragment chain 250 inside
fragment chain 250 outside
!
fragment timeout 10 inside
fragment timeout 10 outside

CCIE Security Example

[Diagram: the practice lab topology annotated with three tasks: Normalizer Tuning (increase the connection timeout) for the SSH flows arriving from 209.165.200.0/24, BGP Peering (disable SNR and keep the TCP options the BGP peers need) between the peers at 10.0.1.1 and 10.0.2.1, and Fragmentation (increase the fragmentation chain) for the VPN tunnel over 11.0.0.0/24.]
Timeout Extension, BGP Peering, and Fragment Tuning

CCIE Security Lab

access-list SSH-TO-HOST permit tcp 209.165.200.0 255.255.255.0 host 10.0.4.3 eq 22
access-list BGP-PEERING permit tcp host 10.0.1.1 host 10.0.2.1 eq 179
access-list BGP-PEERING permit tcp host 10.0.2.1 host 10.0.1.1 eq 179
!
class-map BGP-PEERING
 match access-group BGP-PEERING
class-map HOST-TIMEOUT
 match access-group SSH-TO-HOST
!
! Let TCP option 19 (TCP MD5 signature) through; the normalizer clears unlisted options by default.
tcp-map TCP-BGP-AUTH
 tcp-options range 19 19 allow
!
policy-map CUSTOM_MPF_POLICY
 class HOST-TIMEOUT
  set connection timeout idle 4:00:00 reset
 class BGP-PEERING
  set connection advanced-options TCP-BGP-AUTH
  set connection random-sequence-number disable
!
service-policy CUSTOM_MPF_POLICY global
!
fragment chain 30 inside
fragment chain 30 outside

Sequence number randomization is disabled for the BGP class because the TCP MD5 signature (RFC 2385) is computed over the TCP header, sequence number included; rewriting the ISN would make the peer's digest check fail. Only one global service policy can be active on an ASA, so applying CUSTOM_MPF_POLICY globally requires removing the default global_policy first (or adding these classes to global_policy instead).

Network Address Translation (NAT)

ASA NAT on 8.2 and Earlier vs. 8.3 and Later

NAT Changes

8.2 and Earlier
• Very strict order of NAT processing
• ACLs for server access must reference the MAPPED IP (the NATed IP)
• Not object-oriented; hard to follow and hard to structure
• NAT control
• Interfaces needed to be named for NAT to work

8.3 and Later
• NAT processed from the top down
• ACLs for server access reference the REAL IP (the server IP)
• Object-oriented, very structured, and scalable
• NAT control removed
• The any keyword can now be used, saving time and lines of configuration
• Twice NAT support
• Global ACL support (inbound traffic only)
Static NAT

Static NAT creates a fixed one-to-one mapping between a real address on one interface and a mapped address on another.

It is used for a server to communicate on a low-security interface using a routable IP while still keeping its private IP.

[Diagram: a DMZ server with local address 172.16.1.20 on the dmz interface is translated to 209.165.200.230 on the outside interface toward the Internet.]

Static NAT (Cont.)

Static NAT Examples

8.2 and Earlier (real interface, mapped interface; mapped IP, then real/private IP):
ASA1(config)# static (dmz,outside) 209.165.200.230 172.16.1.20

8.3 and Later (object name, private IP, NAT type, mapped IP):
ASA1(config)# object network DMZ-Server
ASA1(config-network-object)# host 172.16.1.20
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.230
Dynamic NAT

Dynamic NAT allows many internal clients to translate to a range of public IPs.

Note: the size of the public IP range limits how many clients can reach the Internet at the same time.

[Diagram: local addresses 10.0.1.0/24 on the inside interface translate to 209.165.200.230-235 on the outside interface toward the Internet.]

Dynamic NAT (Cont.)

Dynamic NAT Examples

8.2 and Earlier (private IP subnet; mapped IP range):
ASA1(config)# nat (inside) 1 10.0.1.0 255.255.255.0
ASA1(config)# global (outside) 1 209.165.200.230-209.165.200.235

8.3 and Later (mapped IP range object; private IP subnet object with the range applied):
ASA1(config)# object network Public_Pool
ASA1(config-network-object)# range 209.165.200.230-209.165.200.235
ASA1(config)# object network Inside_Network
ASA1(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic Public_Pool
Dynamic PAT

Dynamic PAT allows many internal clients to translate to a single public address.

[Diagram: local addresses 10.0.1.0/24 on the inside interface translate to the outside interface IP (209.165.200.230) toward the Internet.]

Dynamic PAT (Cont.)

Dynamic PAT Examples

8.2 and Earlier (private IP subnet; the outside interface as the mapped address):
ASA1(config)# nat (inside) 1 10.0.1.0 255.255.255.0
ASA1(config)# global (outside) 1 interface

8.3 and Later (private IP subnet object, PAT to the outside interface):
ASA1(config)# object network Inside_Network
ASA1(config-network-object)# subnet 10.0.1.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface
Static PAT

Static PAT is used to link one public IP to more than one server, by port, regardless of interface.

[Diagram: an FTP server with local address 172.16.1.20 and an HTTP server with local address 172.16.1.21 on the dmz interface share the single mapped address 209.165.200.230 on the outside interface toward the Internet.]

Static PAT (Cont.)

Static PAT Examples

8.2 and Earlier (mapped IP and mapped port, then real IP and real port):
ASA1(config)# static (dmz,outside) tcp 209.165.200.230 ftp 172.16.1.20 ftp

8.3 and Later (real port, then mapped port; the service keyword is required in object NAT):
ASA1(config)# object network DMZ-Server
ASA1(config-network-object)# host 172.16.1.20
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.230 service tcp ftp ftp

Troubleshooting NAT

NAT Table Changes: Cisco ASA Software Version 8.3 and Later

NAT configuration builds entries in the NAT table. The NAT table in Cisco ASA Software Version 8.3 and later has three parts:
• Manual NAT (first section): the default location for manual NAT statements
• Auto NAT (second section): also called object NAT; the default location for auto NAT statements
• Manual NAT after auto NAT (third section): manual NAT entries that are specified with the after-auto keyword

NAT 8.3 and Later Order

ASA1(config)# show run nat
! Manual NAT
nat (dmz-wireless,outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
nat (inside,outside) source static smtp_access interface service smtp_port smtp_port
nat (outside,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (dmz-wireless,outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
nat (inside,outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
!
! Auto NAT
object network inside-192.168.1.0
 nat (inside,dmz-wireless) static 192.168.1.0 no-proxy-arp route-lookup
object network All_Networks
 nat (any,outside) dynamic interface
object network http_access
 nat (inside,outside) static interface service tcp www www
object network https_access
 nat (inside,outside) static interface service tcp www www

NAT 8.3 and Later Order

ASA1(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz-wireless) to (outside) source dynamic dmz-wireless-172.16.1.0 interface destination static DNS-Server1 DNS-Server2
    translate_hits = 319, untranslate_hits = 320
2 (inside) to (outside) source static smtp_access interface service smtp_port smtp_port
    translate_hits = 9780, untranslate_hits = 11515
3 (outside) to (outside) source dynamic DM_INLINE_NETWORK_1 interface
    translate_hits = 34, untranslate_hits = 163
4 (dmz-wireless) to (outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
    translate_hits = 12, untranslate_hits = 0
5 (inside) to (outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
    translate_hits = 714, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static http_access interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static https_access interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (dmz-wireless) source static inside-192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
    translate_hits = 175, untranslate_hits = 31834
4 (any) to (outside) source dynamic All_Networks interface
    translate_hits = 1098827, untranslate_hits = 161280

NAT 8.3 and Later Order

Manual NAT Sections 1 and 3

Applied on a first-match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section 1.

[Diagram: outside host 172.16.1.254 and inside host 10.0.0.100 on either side of the ASA.]

NAT 8.3 and Later Order

ASA1(config)# show run nat
<input omitted>
!
nat (dmz-wireless,outside) source dynamic dmz-wireless-172.16.1.0 interface
nat (inside,outside) source static smtp_access interface destination static DNS-Server1 DNS-Server2 service smtp_port smtp_port
nat (outside,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (dmz-wireless,outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
nat (inside,outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
!
ASA1(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz-wireless) to (outside) source dynamic dmz-wireless-172.16.1.0 interface
    translate_hits = 319, untranslate_hits = 320
2 (inside) to (outside) source static smtp_access interface destination static DNS-Server1 DNS-Server2 service smtp_port smtp_port
    translate_hits = 9780, untranslate_hits = 11515
3 (outside) to (outside) source dynamic DM_INLINE_NETWORK_1 interface
    translate_hits = 34, untranslate_hits = 163
4 (dmz-wireless) to (outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
    translate_hits = 12, untranslate_hits = 0
5 (inside) to (outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
    translate_hits = 714, untranslate_hits = 0

NAT 8.3 and Later Order

Auto NAT Section 2

Section 2 rules are applied in the following order, as automatically determined by the ASA:

1. Static rules.

2. Dynamic rules.

Within each rule type, the following ordering guidelines are used:

a. Quantity of real IP addresses: from smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.

b. For quantities that are the same, the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.

c. If the same IP address is used, the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.
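The Section 2 ordering rules above can be checked against a small model. The following Python is an added example written for this page, not ASA code and not Cisco's implementation: it sorts object NAT rules by type (static before dynamic), then by the count of real addresses, the lowest real address and the object name, and prints the result in the style of show nat. The four object names come from the slide; their real addresses, and the extra objects abracadabra, catwoman, net11 and guest_pat that exercise the tie-breaks, are assumptions constructed for the example.

```python
"""Auto NAT (Section 2) ordering: an added Python model of the ordering rules
described above. Not ASA code; the sample objects are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AutoNatRule:
    object_name: str
    real_networks: tuple   # CIDR strings making up the real (pre-NAT) object (assumed)
    kind: str              # "static" or "dynamic"
    real_if: str = "inside"
    mapped_if: str = "outside"
    mapped: str = "interface"

    def real_address_count(self) -> int:
        # Rule (a): objects with fewer real addresses sort first.
        return sum(ipaddress.ip_network(n, strict=False).num_addresses
                   for n in self.real_networks)

    def lowest_real_address(self) -> int:
        # Rule (b): ties are broken by the numerically lowest real address.
        return min(int(ipaddress.ip_network(n, strict=False).network_address)
                   for n in self.real_networks)


def section2_sort_key(rule: AutoNatRule):
    # Static rules (0) precede dynamic rules (1); then rules (a), (b), (c).
    return (0 if rule.kind == "static" else 1,
            rule.real_address_count(),
            rule.lowest_real_address(),
            rule.object_name)


def order_section2(rules):
    """Return the rules in the order the ASA would evaluate them."""
    return sorted(rules, key=section2_sort_key)


def render_show_nat(rules):
    """Render lines in the style of 'show nat' Section 2 (hit counters omitted)."""
    lines = []
    for i, r in enumerate(order_section2(rules), start=1):
        lines.append(f"{i} ({r.real_if}) to ({r.mapped_if}) source {r.kind} "
                     f"{r.object_name} {r.mapped}")
    return lines


# Constructed sample: the four objects from the slide plus objects that exercise
# each tie-break rule. Real addresses are assumptions; the slide does not list them.
SAMPLE_RULES = (
    AutoNatRule("All_Networks", ("0.0.0.0/0",), "dynamic", real_if="any"),
    AutoNatRule("inside-192.168.1.0", ("192.168.1.0/24",), "static",
                mapped_if="dmz-wireless", mapped="192.168.1.0"),
    AutoNatRule("catwoman", ("10.1.1.0/24",), "static"),
    AutoNatRule("https_access", ("10.0.4.2/32",), "static"),
    AutoNatRule("net11", ("11.1.1.0/24",), "static"),
    AutoNatRule("guest_pat", ("10.0.3.0/24",), "dynamic"),
    AutoNatRule("abracadabra", ("10.1.1.0/24",), "static"),
    AutoNatRule("http_access", ("10.0.4.2/32",), "static"),
)

if __name__ == "__main__":
    for line in render_show_nat(SAMPLE_RULES):
        print(line)
```

Because the ASA, not the administrator, decides this order, the practical check is to compare the output of show nat against what you expect after every object NAT change; a /32 object added later can land ahead of an existing /24 and change which rule a flow hits.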

NAT 8.3 and Later Order

ASA1(config)# show run nat
<input omitted>
!
object network inside-192.168.1.0
 nat (inside,dmz-wireless) static 192.168.1.0 no-proxy-arp route-lookup
object network All_Networks
 nat (any,outside) dynamic interface
object network http_access
 nat (inside,outside) static interface service tcp www www
object network https_access
 nat (inside,outside) static interface service tcp www www
!
ASA1(config)# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static http_access interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static https_access interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (dmz-wireless) source static inside-192.168.1.0 192.168.1.0 no-proxy-arp route-lookup
    translate_hits = 175, untranslate_hits = 31834
4 (any) to (outside) source dynamic All_Networks interface
    translate_hits = 1098827, untranslate_hits = 161280

CCIE Security Example

(Diagram: Primary/Active and Secondary/Standby ASAs between the Internet (209.165.300.0/24 .57, 209.165.200.0/24) and the internal networks 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 11.0.0.0/24, with DHCP, HTTP, HTTPS and SMTP servers and a Guests segment. Callouts: Static NAT, Dynamic PAT.)

Dynamic PAT Solution

CCIE Security Lab

8.2 and Earlier:
ASA1(config)#nat (inside) 1 10.0.3.0 255.255.255.0
ASA1(config)#global (outside) 1 interface

8.3 and Later:
ASA1(config)# object network Client_Network
ASA1(config-network-object)# subnet 10.0.3.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface

Static NAT

CCIE Security Lab

8.2 and Earlier:
ASA1(config)#static (dmz,outside) 209.165.200.3 10.0.4.3

8.3 and Later:
ASA1(config)# object network Server
ASA1(config-network-object)# host 10.0.4.3
ASA1(config-network-object)# nat (dmz,outside) static 209.165.200.3

Modular Policy Framework (MPF)

Cisco ASA Security Appliance: Cisco MPF Overview

Different traffic flows may require different network policies.

Cisco MPF provides granularity and flexibility when you implement network policies for traffic flows:

Defines traffic flows that require access control beyond ACLs

Associates network policies with traffic flows

Enables network policies on specific interface or globally

(Diagram: Branch Office, Internet and Headquarters. Policy goals shown: send traffic from the Internet to the Cisco ASA CSC-SSM; prioritize VoIP traffic; enable data loss prevention for HTTP, FTP, and SMTP traffic; allow only safe HTTP methods.)

OSI Layer 3 and Layer 4 Class Maps

To identify traffic for IP Phone:

(Diagram: Branch Office. To identify VoIP traffic, match DSCP EF.)

Configure OSI Layer 3 and Layer 4 Policies:

CLI Commands

! Create a class map and specify the matching attribute.
class-map VoIP
 match dscp ef
!
! Create a policy map, refer to the class map, and specify an action for the traffic class.
policy-map outside-policy
 class VoIP
  priority
!
! Apply the policy map to the interface using a service policy.
service-policy outside-policy interface outside

Verify OSI Layer 3 and Layer 4 Policies

ASA1#show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
<part of the output omitted>

Interface outside:
  Service-policy: outside-policy
    Class-map: VoIP
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
    Class-map: class-default

Regular Expressions

Regular expressions are a computer language that is used to describe patterns.

Used to describe a set of strings without describing individual elements

Used by the security appliance to match custom application layer content

(Diagram: Drop HTTP requests containing "CMD.EXE", "/bin/sh", "/bin/bash", "/bin/ksh", "/bin/tcsh". Allow only HTTP requests to the "cisco.com" domain.)

OSI Layer 3 and Layer 4 Class Maps

To identify traffic for IP Phone:

(Diagram: ISP. Block: bad.com and iamverybad.com.)

Configure OSI Layers 5 to 7 Policies

CLI Commands

! Create regular expressions.
regex BAD_PAGES "[Bb][Aa][Dd]\.[Cc][Oo][Mm]"
regex VERYBAD_PAGES "[Ii][Aa][Mm][Vv][Ee][Rr][Yy][Bb][Aa][Dd]\.[Cc][Oo][Mm]"
!
! Create a regular expression class map.
class-map type regex match-any BAD_PAGES
 match regex BAD_PAGES
 match regex VERYBAD_PAGES
!
! Create a Layers 5 to 7 class map for HTTP traffic and specify match attributes inside HTTP traffic.
class-map type inspect http match-any BAD_HTTP_TRAFFIC
 match request header host regex class BAD_PAGES
!
! Create a Layers 5 to 7 policy map for HTTP traffic, refer to the Layers 5 to 7 class map, and apply actions.
policy-map type inspect http INSPECT_HTTP
 class BAD_HTTP_TRAFFIC
  reset log
!
! Apply the Layers 5 to 7 policy map in a Layers 3 and 4 policy map.
policy-map global_policy
 class inspection_default
  inspect http INSPECT_HTTP

Verify OSI Layers 5 to 7 Policies

CLI Commands

ASA1#show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
<…output omitted…>
      Inspect: http INSPECT_HTTP, packet 484, drop 6, reset-drop 6
      Inspect: icmp, packet 38, drop 0, reset-drop 0

Interface Branch_Net:
  Service-policy: Branch_Net-policy
    Class-map: VoIP1
      Priority:
        Interface Branch_Net: aggregate drop 0, aggregate transmit 0
    Class-map: class-default

CCIE Security Example

(Diagram: Primary/Active and Secondary/Standby ASAs between the Internet (209.165.300.0/24 .57, 209.165.200.0/24) and the internal networks 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 11.0.0.0/24, with DHCP and FTP servers and a Guests segment. Callouts: Server Protections (Embryonic), Server Protections (Conn Limit), FTP Server (FTP Inspection).)

Embryonic Conn, Conn Limits and FTP Inspection

CCIE Security Lab

access-list SERVER_EMB_LIMITS permit ip any host 209.165.300.57
!
access-list SERVER_TRAFFIC_LIMITS permit ip any host 209.165.300.57
!
access-list FTP_TRAFFIC permit tcp any host 10.4.0.3 eq 21
!
class-map FTP_TRAFFIC_PASS
 match access-list FTP_TRAFFIC
!
class-map CONN_MAX
 match access-list SERVER_TRAFFIC_LIMITS
!
class-map EMBRYONIC_CONN_MAX
 match access-list SERVER_EMB_LIMITS
!
policy-map SERVER_POLICY
 class EMBRYONIC_CONN_MAX
  set connection embryonic-conn-max 90 per-client-embryonic-max 10
 class CONN_MAX
  set connection conn-max 10000 per-client-max 50
 class FTP_TRAFFIC_PASS
  inspect ftp
!
service-policy SERVER_POLICY interface outside
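The four set connection values above are easier to reason about when replayed against a stream of connection events. The following Python is an added example for this page, not ASA code: it keeps per-client and total counters of half-open (embryonic) and established flows and returns which limit refuses a new SYN. The client addresses are constructed, and the model simplifies one point deliberately: when an embryonic limit is reached the real ASA switches that server to TCP intercept (it completes the handshake on the server's behalf) rather than simply dropping the SYN, and whether half-open flows count toward conn-max is an assumption of this model.

```python
"""Server protection limits: an added Python model of the set connection
values above (embryonic-conn-max 90, per-client-embryonic-max 10,
conn-max 10000, per-client-max 50). Not ASA code; clients are constructed."""
from collections import defaultdict


class ServerProtection:
    def __init__(self, embryonic_conn_max=90, per_client_embryonic_max=10,
                 conn_max=10000, per_client_max=50):
        self.embryonic_conn_max = embryonic_conn_max
        self.per_client_embryonic_max = per_client_embryonic_max
        self.conn_max = conn_max
        self.per_client_max = per_client_max
        self.embryonic = defaultdict(int)    # client -> half-open (SYN seen, handshake not done)
        self.established = defaultdict(int)  # client -> completed handshakes

    def total_embryonic(self) -> int:
        return sum(self.embryonic.values())

    def total_connections(self) -> int:
        # Model assumption: the connection limit counts half-open and established flows.
        return self.total_embryonic() + sum(self.established.values())

    def client_connections(self, client) -> int:
        return self.embryonic[client] + self.established[client]

    def syn(self, client) -> str:
        """A new SYN toward the protected server; returns the enforcement decision."""
        if self.embryonic[client] >= self.per_client_embryonic_max:
            return "drop:per-client-embryonic-max"
        if self.total_embryonic() >= self.embryonic_conn_max:
            return "drop:embryonic-conn-max"
        if self.client_connections(client) >= self.per_client_max:
            return "drop:per-client-max"
        if self.total_connections() >= self.conn_max:
            return "drop:conn-max"
        self.embryonic[client] += 1
        return "accept"

    def handshake_complete(self, client) -> bool:
        """The three-way handshake finished: the flow stops being embryonic."""
        if self.embryonic[client] == 0:
            return False
        self.embryonic[client] -= 1
        self.established[client] += 1
        return True

    def close(self, client) -> bool:
        if self.established[client] == 0:
            return False
        self.established[client] -= 1
        return True


def simulate(events, policy=None) -> dict:
    """Replay (event, client) tuples ('syn', 'ack', 'fin'); return a tally of decisions."""
    policy = policy or ServerProtection()
    tally = defaultdict(int)
    for event, client in events:
        if event == "syn":
            tally[policy.syn(client)] += 1
        elif event == "ack":
            policy.handshake_complete(client)
        elif event == "fin":
            policy.close(client)
    return dict(tally)


# Constructed burst of half-open connections from one client: 10 are allowed,
# the remaining 15 hit per-client-embryonic-max.
FLOOD = [("syn", "203.0.113.9")] * 25

if __name__ == "__main__":
    print(simulate(FLOOD))   # {'accept': 10, 'drop:per-client-embryonic-max': 15}
```

The per-client embryonic limit is the one that protects the server from a single misbehaving source without touching other clients; the global embryonic-conn-max is what protects it when the half-open load is spread across many sources, as the second test scenario (nine clients at the per-client limit) shows.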

Failover Active/Standby

Cisco ASA Adaptive Security Appliance

Active/Standby Failover Overview

Two Cisco ASA security appliances can be paired into an active/standby failover to provide device redundancy.

One physical device is permanently designated as primary, the other device as secondary.

One of the pair is elected to be in active state (forwarding traffic), and the other in hot standby state (waiting).

The health of devices is monitored over the LAN failover interface.

(Diagram: Primary/Active and Secondary/Standby ASAs sharing 192.168.1.0/24 toward the Internet and 10.0.1.0/24 inside, with the standby unit at .3 on both; failover link on 10.1.1.0/29.)

Failover Deployment Options

Stateless failover:

Provides hardware redundancy only.

All established statefully tracked connections are dropped after switchover. Users may have to re-establish connections.

Stateful failover extends stateless failover:

Provides hardware and state table redundancy.

Connections remain active during the failover.

Users do not have to re-establish connections.

Requires a stateful link between devices (in addition to the LAN-based failover link).


Stateful Failover Support

State Information Passed to Standby Unit:
• NAT table
• TCP connection states
• UDP connection states
• ARP table
• MAC address table (applies to transparent mode only)
• ISAKMP SAs, IPsec SAs, SSL sessions
• GTP PDP connection database
• SIP signaling sessions
• Dynamic routing table entries

State Information Not Passed to Standby Unit:
• HTTP connection table (unless HTTP replication is enabled)
• User authentication table
• State information for Cisco AIP-SSM
• DHCP server leases
• Phone proxy sessions

Cisco ASA security appliance supports IPv6 failover beginning with Cisco ASA Software Version 8.2(2).

Verify Active/Standby Failover

Displays information about the failover status of the unit

ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 02:59:27 UTC Aug 1 2011
        This host: Primary - Active
                Active time: 930 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
                  Interface outside (192.168.1.2): Normal
                  Interface inside (10.0.1.1): Normal
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
                  IPS, 6.0(3)E1, Up
        Other host: Secondary - Standby Ready
                Active time: 495 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
                  Interface outside (192.168.1.3): Normal
                  Interface inside (10.0.1.3): Normal
<…output omitted…>

Troubleshooting Failover Active/Standby

Troubleshooting Typical Failover Problems

The ASAs are not like-for-like

The secondary is not able to talk to the primary (failover cable issues)

The monitoring interface policy was changed

The secondary has failed

Cisco ASA Security Appliance

Failover Requirements

Hardware requirements for both devices:

Same hardware model

Same number and type of interfaces

Same SSM software installed (if any)

Same amount of RAM is recommended

Software requirements for both devices:

Same major and minor software version

Same licensed features (8.2 and earlier)

License includes active/standby failover feature

Same operating mode (transparent or routed, multiple- or single-context)


Verify Failover Peer

ASA1/act/pri# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
<…output omitted…>
Last Failover at: 02:59:27 UTC Aug 1 2011
        This host: Primary - Active
                Active time: 930 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
                  Interface outside (192.168.1.2): Normal (Waiting)
                  Interface inside (10.0.1.1): Normal (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
                  IPS, 6.0(3)E1, Up
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
                slot 0: empty
                  Interface outside (192.168.1.3): Unknown (Waiting)
                  Interface inside (0.0.0.0): Unknown (Waiting)
                slot 1: empty

Peer device has not been detected and failover cannot occur.

Verify connectivity between devices and failover configuration on the secondary device.

Verify Active/Standby Failover Interface Policy

Displays information about the failover status of the unit

ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 02:59:27 UTC Aug 1 2011
        This host: Primary - Active
                Active time: 930 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
                  Interface outside (192.168.1.2): Normal
                  Interface inside (10.0.1.1): Normal
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
                  IPS, 6.0(3)E1, Up
        Other host: Secondary - Standby Ready
                Active time: 495 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
                  Interface outside (192.168.1.3): Normal
                  Interface inside (10.0.1.3): Normal
<…output omitted…>

Failover Health Monitoring

Unit health monitoring

The Cisco ASA security appliance determines the health of the other unit by monitoring the failover link.

Devices exchange hello messages (sent every 1 sec) over the failover interface.

When there is no response from the active device, switchover occurs.

Interface health monitoring

Each network interface can be monitored.

Devices exchange hello messages (sent every 5 sec) over monitored interfaces (interface policy 1).

When a specified number of monitored interfaces fail on the active device, switchover occurs.
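The two monitoring loops above reduce to a small decision rule, shown here as an added Python example for this page (not ASA code). It uses the timer values from the show failover output on this page (unit poll 1 s / holdtime 15 s, interface poll 5 s / holdtime 25 s, interface policy 1) and treats an interface as failed when no hello has arrived within its holdtime; the real ASA additionally runs link, ARP and broadcast-ping tests before declaring an interface failed, and only fails over on interfaces when the standby's own copies of them are healthy. The hello timestamps are constructed.

```python
"""Failover health-monitoring decision: an added Python model of the unit and
interface monitoring described above. Not ASA code; timestamps are constructed."""
from dataclasses import dataclass, field


@dataclass
class FailoverTimers:
    unit_poll: float = 1.0           # seconds between unit hellos on the failover link
    unit_holdtime: float = 15.0      # no unit hello for this long: peer unit is failed
    interface_poll: float = 5.0      # seconds between interface hellos
    interface_holdtime: float = 25.0 # no interface hello for this long: interface failed
    interface_policy: int = 1        # failed monitored interfaces that trigger switchover


@dataclass
class PeerView:
    """What one unit knows about its peer: when the last hellos arrived."""
    last_unit_hello: float
    last_interface_hello: dict = field(default_factory=dict)  # monitored interfaces only


def missed_hellos_before_unit_failure(timers: FailoverTimers) -> int:
    """How many consecutive unit hellos can be lost before the holdtime expires."""
    return int(timers.unit_holdtime // timers.unit_poll)


def unit_failed(view: PeerView, timers: FailoverTimers, now: float) -> bool:
    return now - view.last_unit_hello > timers.unit_holdtime


def failed_interfaces(view: PeerView, timers: FailoverTimers, now: float) -> list:
    return sorted(name for name, t in view.last_interface_hello.items()
                  if now - t > timers.interface_holdtime)


def assess(view: PeerView, timers: FailoverTimers, now: float) -> tuple:
    """Return (decision, reason) for the standby unit at time 'now'."""
    if unit_failed(view, timers, now):
        silent = now - view.last_unit_hello
        return ("switchover",
                f"no unit hello for {silent:.0f}s (holdtime {timers.unit_holdtime:.0f}s)")
    failed = failed_interfaces(view, timers, now)
    if failed and len(failed) >= timers.interface_policy:
        return ("switchover",
                f"{len(failed)} monitored interface(s) failed: {', '.join(failed)}")
    return ("no-switchover", "peer unit and monitored interfaces healthy")


if __name__ == "__main__":
    timers = FailoverTimers()
    # Constructed: unit hellos still arriving, but no hello on 'outside' for 30 s.
    view = PeerView(last_unit_hello=99.0,
                    last_interface_hello={"outside": 70.0, "inside": 96.0})
    print(missed_hellos_before_unit_failure(timers))   # 15
    print(assess(view, timers, now=100.0))
```

Raising the interface policy (a count, or a percentage of monitored interfaces on the ASA) is what keeps a single flapping interface from forcing a switchover; the model makes the trade-off visible by evaluating the same view with interface_policy=1 and interface_policy=2.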

CCIE Security Example

(Diagram: Primary/Active and Secondary/Standby ASAs with Gig0/0 toward 10.0.2.0/24, Gig0/1 toward 10.0.1.0/24 and Gig0/3 on the failover network 11.0.1.0/24; Internet via 209.165.300.0/24 (.57) and 209.165.200.0/24; internal networks 10.0.3.0/24 and 10.0.4.0/24 with DHCP, HTTP, HTTPS and SMTP servers and a Guests segment.)

Primary Security Appliance

Configure active/standby failover on the primary Cisco ASA security appliance.

! Enable the interface used for failover.
interface GigabitEthernet0/3
 no shutdown
!
! Specify the unit as primary.
failover lan unit primary
! Specify the interface used as the failover interface.
failover lan interface FAILOVER GigabitEthernet0/3
! Assign active and standby IP addresses to the failover link.
failover interface ip FAILOVER 11.0.1.1 255.255.255.0 standby 11.0.1.2
! Specify the interface used as the stateful failover link.
failover link FAILOVER
! Specify the key for the failover link.
failover key 6X9vLuFt983d8FltTf7
! Enable failover.
failover
!
! Specify active and standby IP addresses.
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
!
interface GigabitEthernet0/0
 ip address 10.0.2.1 255.255.255.0 standby 10.0.2.2

Secondary Security Appliance

Configure active/standby failover on the secondary Cisco ASA security appliance.

! Enable the interface used for failover.
interface GigabitEthernet0/3
 no shutdown
!
! Specify the unit as secondary.
failover lan unit secondary
! Specify the interface used as the failover interface.
failover lan interface FAILOVER GigabitEthernet0/3
! Assign active and standby IP addresses to the failover link.
failover interface ip FAILOVER 11.0.1.1 255.255.255.0 standby 11.0.1.2
! Specify the interface used as the stateful failover link.
failover link FAILOVER
! Specify the key for the failover link.
failover key 6X9vLuFt983d8FltTf7
! Enable HTTP replication.
failover replication http
! Enable failover.
failover

Complete Your Online Session Evaluation

Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education

Demos in the Cisco campus

Walk-in Self-Paced Labs Table Topics

Meet the Engineer 1:1 meetings

Related sessions

Thank you
