
Introduction to Cisco PIX and ASA

© 2006 Hewlett-Packard Development Company, L.P.


The information contained herein is subject to change without notice
Network Security - Firewalls
Firewall
• A firewall is a system or group of systems that manages access between two networks. It provides the first line of perimeter defense.
• It prevents unauthorized access to a network.
• It protects the trusted network from attacks.
• It manages the information flow and restricts dangerous free access.
• It can permit, deny, encrypt, decrypt or proxy the traffic.
• It provides the ability to expose Internet services to the outside world in a limited way via a DMZ.
Cisco PIX
PIX – Private Internet Exchange
Uses the Adaptive Security Algorithm
Not a UTM; stateful firewall, NAT, VPN
PIX OS is similar to IOS, but there are some differences
Has a GUI: PDM – PIX Device Manager
Starts with the 500 series
EOL (end of life)
Cisco ASA
ASA – Adaptive Security Appliance
With an add-on module it can be used as a UTM
Has add-on modules for Anti-Virus, VPN, IPS
OS is more similar to IOS
Has a GUI: ASDM – Adaptive Security Device Manager
Starts with the 5500 series
Cisco ASA Different Editions
Cisco PIX 501
PIX 501
Processor: 133 MHz AMD SC520
Memory: 16 MB
Ethernet: 2
Flash: 8 MB
Connections: 3500
Clear Text Throughput: 10 Mbps
VPN Peers: 5
Cisco PIX 506
PIX 506
Processor: 300 MHz Intel Celeron
Memory: 32 MB
Ethernet: 2
Flash: 8 MB
Clear Text Throughput: 20 Mbps
VPN Peers: 25
Cisco PIX 515
• PIX 515
• Processor: 200 MHz Pentium Pro
• Memory: 32 MB (515-R), 64 MB (515-UR)
• Ethernet: 2 (515-R), 6 (515-UR)
• Flash: 8 MB (515-R), 16 MB (515-UR)
• Connections: 50,000 (515-R), 100,000 (515-UR)
Cisco PIX 525
PIX-525
Processor: 600 MHz Pentium III
Memory: 128 MB SDRAM
Ethernet: 6 configurable
Token Ring: 4 configurable
FDDI: 2 configurable
Ethernet/TR: 6 total
Flash: 16 MB
Connections: 256,000+
VPN Tunnels: 2000
Cisco PIX 535
PIX-535
Processor: 1 GHz Pentium III
Memory: 512 MB SDRAM
Ethernet: 4/6 configurable
Flash: 16 MB
Connections: 500,000
VPN Tunnels: 2000
PIX Firewall Models

Model                      501        506e           515e           525            535
CPU type                   AMD        Intel Celeron  Intel Celeron  Intel P III    Intel P III
CPU speed                  133 MHz    300 MHz        433 MHz        600 MHz        1 GHz
Default RAM (MB)           16         32             64             128            512
Default flash              8 MB       8 MB           16 MB          16 MB          16 MB
Interfaces                 2          2              6 (M)          6 (M)          8 (M)
VPN accelerator supported  No         No             Yes            Yes            Yes
Failover supported         No         No             Yes            Yes            Yes
Cisco ASA Models
ASA 5510/5520/5540
(Figure: chassis panel with the following labelled items: Status, Power, Active, Flash and VPN LEDs; Compact Flash; Security Service Module (SSM); Monitoring Port; 10/100 Out-of-Band Management Port; Console Port; AUX Port; four 10/100/1000 copper Gigabit ports; two USB 2.0 ports.)
Cisco ASA – Security Services Module
High Performance Module for Additional Services
Gigabit Ethernet Port for Out-of-Band Management, etc.
Failover—Hot Standby
(Figure: Internal LAN behind an active unit and a failover unit joined by a failover cable; the outside connects to the Internet; the DMZ hosts a Web server, a DNS server and an FTP server.)
− Minimizes single points of failure
− Maximizes reliability of the network
− Transparent to users behind the firewall
− Failover units must be the identical model of PIX/ASA
Context Firewall
• Cisco feature for the Cisco 5500 Series Adaptive Security Appliance with software version 7.2 and later.
− Note: The multiple context feature is not supported on the ASA 5505 Series Adaptive Security Appliance. The ASA 5510 supports a maximum of 5 contexts even if an additional 4-port Ethernet card is added.
• Partitions a single device into multiple virtual devices. Each context is an independent device with its own configuration.
• Supports routing tables, firewall features, IPS, standalone devices, etc.
• Multiple context mode does not support the following features:
− Dynamic routing protocols (security contexts support only static routes; you cannot enable OSPF or RIP in multiple context mode).
− VPN
− Multicast
• System administrator rights are mandatory when a user logs into the admin context.
• The admin context is not counted in the context license. For example, with the default license you are allowed one admin context and two other contexts.
− When buying a new ASA 5500 with a default license, we can run 'three' firewall contexts.

19 15 July 2018 Company confidential


Sample Network
(Figure: Internal LAN 10.10.10.0/24 on E1 (inside); E0 (outside) 200.200.200.1/30 towards the Internet; DMZ 172.16.30.0/27 on E2.)
Basic Configuration – Interface
interface Ethernet0
 description "Outside Interface - Conn to Internet Router"
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.252
interface Ethernet1
 description "Inside Interface - Conn to Core Switch"
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Ethernet2
 description "DMZ Interface towards DMZ1 servers"
 nameif DMZ
 security-level 50
 ip address 172.16.30.1 255.255.255.224
!
Basic Configuration - DNS
• dns domain-lookup outside
• dns server-group DefaultDNS
• name-server 3.3.3.3
• name-server 4.4.4.4
• dns server-group DefaultDNS
• domain-name xyz.net
Basic Configuration - Time
• clock timezone IST 5 30
• ntp server 1.1.1.1
• ntp server 2.2.2.2
Basic Configuration - Logging
• logging enable
• logging timestamp
• logging monitor informational
• logging buffered informational
• logging trap informational
• logging asdm informational
• logging host <interface> <syslogger IP>
• Ex: logging host inside 10.10.10.1


Basic Configuration - SNMP
• snmp-server host <interface> 6.6.6.6 poll community "snmp-rostring"
• snmp-server host <interface> 7.7.7.7 poll community "snmp-rostring"
• snmp-server location "<location>"
• snmp-server contact "XYZ,Phone +91 123456789"
• ------------------------------------------------------------
• snmp-server host inside 6.6.6.6 poll community Cisco
• snmp-server host inside 7.7.7.7 community Procurve
• snmp-server location Bangalore
• snmp-server contact "XYZ,Phone +91 123456789"
Basic Configuration - AAA
• aaa-server admin protocol tacacs+
• aaa-server admin (<interface>) host 1.2.3.4
• timeout 5
• key "tacacs-key"
• aaa-server admin (<interface>) host 3.4.5.6
• timeout 5
• key "tacacs-key"
• aaa authentication telnet console admin LOCAL
• aaa authentication ssh console admin LOCAL
• aaa authentication enable console admin LOCAL
• aaa authentication serial console admin LOCAL
Failover Configuration
• failover
• failover lan unit primary
• failover lan interface failover Ethernet0/3
• failover key 123456
• failover link failover Ethernet0/3
• failover interface ip failover 20.20.20.1 255.255.255.0 standby 20.20.20.2
Access-List and Access-Groups
• access-list acl_inside
• access-list acl_dmz
• access-list acl_outside

• access-group acl_inside in interface inside


• access-group acl_outside in interface outside
• access-group acl_dmz in interface DMZ
ACL
Inside ACL
access-list acl_inside extended permit ip 10.10.10.0 255.255.255.0 172.16.30.0 255.255.255.224
Outside ACL
access-list acl_outside extended permit tcp any host 200.200.200.5 eq smtp
DMZ ACL
access-list acl_dmz extended permit tcp host 172.16.30.10 any eq smtp

NAT
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (dmz,outside) 200.200.200.5 172.16.30.10 netmask 255.255.255.255
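In this pre-8.3 syntax the outside ACL permits SMTP to the mapped address 200.200.200.5 while the static maps it to the real DMZ host 172.16.30.10, so reading the exposed DMZ surface means joining the two. The following Python is an added example, not code from the deck: it parses the access-list, access-group and static lines shown above (copied into a constructed sample) and resolves every service the outside ACL permits back to the real host behind the static; the function names are my own.

```python
import re

# Constructed sample: the deck's outside/DMZ ACLs, access-groups and DMZ static NAT (pre-8.3 syntax).
SAMPLE_CONFIG = """
access-list acl_outside extended permit tcp any host 200.200.200.5 eq smtp
access-list acl_dmz extended permit tcp host 172.16.30.10 any eq smtp
access-group acl_outside in interface outside
access-group acl_dmz in interface DMZ
static (dmz,outside) 200.200.200.5 172.16.30.10 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def _addr(tokens):
    """Consume one ACL address spec ("any", "host A" or "A MASK"); return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse(config):
    """Return (statics, acls, groups): statics as (real_ifc, mapped_ifc, mapped_ip, real_ip),
    acls as name -> [(action, proto, src, dst, port)], groups as interface -> bound ACL name."""
    statics, acls, groups = [], {}, {}
    for line in config.strip().splitlines():
        if m := STATIC_RE.match(line):  # static (real_ifc,mapped_ifc) mapped_ip real_ip netmask M
            statics.append((m.group(1).lower(), m.group(2).lower(), m.group(3), m.group(4)))
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            src, rest = _addr(rest.split())
            dst, rest = _addr(rest)
            port = rest[1] if rest[:1] == ["eq"] else "any"
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif m := GROUP_RE.match(line):
            groups[m.group(2).lower()] = m.group(1)  # interface names are case-insensitive
    return statics, acls, groups

def exposed_services(config):
    """For each permit in the ACL bound to 'outside', map the mapped (global) destination back to
    the real host behind its static; None means the ACL permits an address no static serves."""
    statics, acls, groups = parse(config)
    real_for = {(m_ifc, m_ip): (r_ifc, r_ip) for r_ifc, m_ifc, m_ip, r_ip in statics}
    exposed = {}
    for action, proto, _src, dst, port in acls.get(groups.get("outside", ""), []):
        if action == "permit":
            exposed[(dst, proto, port)] = real_for.get(("outside", dst))
    return exposed
```

A permit whose destination resolves to None deserves a look: it is either dead policy or a mapped address whose static lives elsewhere.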
Commands
• show ip address
• show int ip brief
• show failover
• show interface
• object-group
• names
IPSEC - Recap
IKE Phase 1 Parameters
• IKE encryption algorithm (DES, 3DES, or AES)
• IKE authentication algorithm (MD5 or SHA-1)
• IKE key (preshare, RSA signatures)
• Diffie-Hellman version (1, 2, or 5)
• IKE tunnel lifetime (time and/or byte count)

IKE Phase 2 Parameters
• IPsec protocol (ESP or AH)
• IPsec encryption type (DES, 3DES, or AES)
• IPsec authentication (MD5 or SHA-1)
• IPsec mode (tunnel or transport)
• IPsec SA lifetime (seconds or kilobytes)
IPSEC VPN
Command / Purpose
crypto isakmp policy 1
    This creates a new ISAKMP policy; the number here usually doesn't matter.
encr 3des
    Sets encryption to triple-DES.
hash sha
    Sets hash algorithm to SHA-1.
authentication pre-share
    Sets authentication type to a pre-shared key between IPSEC peers.
group 2
    Sets policy to use Diffie-Hellman group 2 type (768 bit key).
crypto isakmp key [Shared-key] address [Remote-External-IP]
    This sets the pre-shared key for a specific IPSEC peer.
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
    This defines a list of common preset algorithms. The preset name is the word right after "transform-set". Most of the newer IOS software images will support compression and AES encryption. Older ones will only support 3DES encryption. Some of the images will only support DES.
IPSEC VPN
Command / Purpose
ip access-list extended Crypto-list
permit ip [Local-Int-NetID] [Local-Int-RMask] [Remote-Int-NetID] [Remote-Int-RMask]
    Creates an access list that defines what goes into the tunnel. You can create multiple lists of source, destination, and services.
crypto map VPN-Map-1 10 ipsec-isakmp
    Creates an IPSEC map. You can have multiple tunnels per interface by incrementing the "10" on the next map with the same name "VPN-Map-1".
set peer [Remote-External-IP]
    Defines the IP address of the remote peer.
set transform-set [Algorithm-preset]
    Sets the algorithm preset we defined above.
set pfs group2
    Enables perfect forward secrecy.
match address Crypto-list
    Defines the access list we created earlier of what goes into the tunnel.
interface [External-Interface]
    Enters the external interface configuration.
crypto map VPN-Map-1
    Attaches map "VPN-Map-1" to this interface. Only one map per interface allowed.
ip access-list extended [Firewall-policy-name]
    Enters the external firewall policy for controlling inbound traffic.
permit udp host [Remote-External-IP] any eq isakmp
    Permits IPSEC IKE setup from the peer.
permit esp host [Remote-External-IP] any
    Permits IPSEC payload from the peer.
IPSEC VPN
Command / Purpose
crypto isakmp policy 1
    This creates a new ISAKMP policy; the number here usually doesn't matter.
encr 3des
    Sets encryption to triple-DES.
hash sha
    Sets hash algorithm to SHA-1.
authentication pre-share
    Sets authentication type to a pre-shared key between IPSEC peers.
group 2
    Sets policy to use Diffie-Hellman group 2 type (768 bit key).
crypto isakmp key test123 address 100.100.100.100
    This sets the pre-shared key for a specific IPSEC peer.
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
    This defines a list of common preset algorithms. The preset name is the word right after "transform-set". Most of the newer IOS software images will support compression and AES encryption. Older ones will only support 3DES encryption. Some of the images will only support DES.
IPSEC VPN
Command / Purpose
ip access-list extended Crypto-list
permit ip 10.10.10.0 0.0.0.255 10.0.20.0 0.0.0.255
    Creates an access list that defines what goes into the tunnel. You can create multiple lists of source, destination, and services.
crypto map VPN-Map-1 10 ipsec-isakmp
    Creates an IPSEC map. You can have multiple tunnels per interface by incrementing the "10" on the next map with the same name "VPN-Map-1".
set peer 100.100.100.100
    Defines the IP address of the remote peer.
set transform-set AES-SHA-compression
    Sets the algorithm preset we defined above.
set pfs group2
    Enables perfect forward secrecy.
match address Crypto-list
    Defines the access list we created earlier of what goes into the tunnel.
interface Ethernet0
    Enters the external interface configuration.
crypto map VPN-Map-1
    Attaches map "VPN-Map-1" to this interface. Only one map per interface allowed.
ip access-list extended Internet-inbound-ACL
    Enters the external firewall policy for controlling inbound traffic.
permit udp host 100.100.100.100 any eq isakmp
    Permits IPSEC IKE setup from the peer.
permit esp host 100.100.100.100 any
    Permits IPSEC payload from the peer.
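To check the Phase 1 and Phase 2 choices from the IPSEC recap against a policy like the one above, here is an added Python checker that is not part of the deck: it parses the isakmp policy, transform-set and crypto map lines in the form shown on these slides (copied into a constructed sample) and reports the choices it treats as legacy. The baseline sets (DES/3DES, MD5, DH groups 1 and 2) and the function names are my assumptions.

```python
# Constructed sample: the deck's Phase 1 policy, transform-sets and crypto map (IOS-style syntax as shown).
SAMPLE_VPN = """
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto map VPN-Map-1 10 ipsec-isakmp
 set transform-set AES-SHA-compression
 set pfs group2
"""

# Assumed baseline (my own, not the deck's): recap-slide choices treated as legacy today.
LEGACY_ENC, LEGACY_HASH, LEGACY_DH = {"des", "3des"}, {"md5"}, {"1", "2"}

def parse_vpn(config):
    # Returns (isakmp policies by number, transform-sets by name, crypto-map entries by "NAME SEQ").
    policies, tsets, maps, current = {}, {}, {}, None
    for line in config.strip("\n").splitlines():
        tok = line.split()
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            current = policies.setdefault(tok[3], {})
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:  # esp-<enc> esp-<hash>-hmac [comp-lzs]
            enc = next((t[4:] for t in tok[4:] if t.startswith("esp-") and "hmac" not in t), None)
            tsets[tok[3]] = {"encryption": enc, "compression": "comp-lzs" in tok}
        elif tok[:2] == ["crypto", "map"]:
            current = maps.setdefault(f"{tok[2]} {tok[3]}", {})
        elif line.startswith(" ") and current is not None:  # sub-mode line: "encr 3des", "set pfs group2"
            key, value = (" ".join(tok[:2]), tok[2:]) if tok[0] == "set" else (tok[0], tok[1:])
            current[key] = " ".join(value)
    return policies, tsets, maps

def _flag(findings, where, label, value, legacy):
    if value in legacy:
        findings.append(f"{where}: {label} {value} is legacy")

def audit(config):
    # Lists legacy Phase 1 (IKE) and Phase 2 (IPsec) parameter choices, in config order.
    policies, tsets, maps = parse_vpn(config)
    findings = []
    for num, p in policies.items():
        _flag(findings, f"isakmp policy {num}", "encryption", p.get("encr"), LEGACY_ENC)
        _flag(findings, f"isakmp policy {num}", "hash", p.get("hash"), LEGACY_HASH)
        _flag(findings, f"isakmp policy {num}", "DH group", p.get("group"), LEGACY_DH)
    for name, ts in tsets.items():
        _flag(findings, f"transform-set {name}", "encryption", ts["encryption"], LEGACY_ENC)
    for name, m in maps.items():
        if "set pfs" not in m:
            findings.append(f"crypto map {name}: PFS not enabled")
        _flag(findings, f"crypto map {name}", "PFS group", m.get("set pfs", "")[5:], LEGACY_DH)
    return findings
```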
