Iewb Sc Vol i sdfew.Section.1.Asa.firewall.007


  • 8/11/2019 Iewb Sc Vol i sdfew.Section.1.Asa.firewall.007

    1/243

    Accessed by [email protected] from 115.240.81.217 at 20:23:48 Nov 23,2009

    CCIE Security Lab Workbook Volume I Version 5.0 ASA Firewall

    Copyright 2009 Internetwork Expert www.INE.comi

    Copyright Information

    Copyright 2009 Internetwork Expert, Inc. All rights reserved.

    The following publication, CCIE Security Lab Workbook Volume I Version 5.0, was developed by Internetwork Expert, Inc. All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission of Internetwork Expert, Inc.

    Cisco, Cisco Systems, CCIE, and Cisco Certified Internetwork Expert, are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain countries.

    All other products and company names are the trademarks, registered trademarks, and service marks of the respective owners. Throughout this manual, Internetwork Expert, Inc. has used its best efforts to distinguish proprietary trademarks from descriptive names by following the capitalization styles used by the manufacturer.


    Disclaimer

    The following publication, CCIE Security Lab Workbook Volume I Version 5.0, is designed to assist candidates in the preparation for the Cisco Systems CCIE Security Lab Exam. While every effort has been made to ensure that all material is as complete and accurate as possible, the enclosed material is presented on an as is basis. Neither the authors nor Internetwork Expert, Inc. assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this workbook.

    This workbook was developed by Internetwork Expert, Inc. and is an original work of the aforementioned authors. Any similarities between material presented in this workbook and actual CCIE lab material is completely coincidental.


    1.43 Ethertype Access-Lists ..... 15
    1.44 Transparent Firewall NAT ..... 15
    1.45 Firewall Contexts ..... 16
    1.46 Firewall Contexts Routing ..... 16
    1.47 Firewall Contexts Classification ..... 16
    1.48 Resource Management ..... 16
    1.49 Active/Standby Failover ..... 18
    1.50 Active/Active Failover ..... 19
    1.51 ASA Redundant Interface ..... 20
    1.52 ASA Enhanced Object Groups ..... 20

    ASA Firewall Solutions ..... 21

    1.1 VLANs and IP Addressing ..... 21
    1.2 Configuring RIPv2 ..... 26
    1.3 Configuring OSPF ..... 30
    1.4 EIGRP ..... 35
    1.5 Advanced Routing ..... 38
    1.6 IP Access-Lists ..... 44
    1.7 Object Groups ..... 51
    1.8 Administrative Access ..... 54
    1.9 ICMP Traffic ..... 58
    1.10 URL Filtering ..... 62
    1.11 Dynamic NAT and PAT ..... 66
    1.12 Static NAT and PAT ..... 72
    1.13 Dynamic Policy NAT ..... 79
    1.14 Static Policy NAT and PAT ..... 82
    1.15 Identity NAT and NAT Exemption ..... 86
    1.16 Outside Dynamic NAT ..... 91
    1.17 DNS Doctoring using Alias ..... 95
    1.18 DNS Doctoring using Static ..... 100
    1.19 Fragmented Traffic ..... 103
    1.20 Handling IDENT Issues ..... 106
    1.21 BGP across the Firewall ..... 109
    1.22 Stub Multicast Routing ..... 113
    1.23 PIM Multicast Routing ..... 117
    1.24 Network Time Protocol ..... 123
    1.25 System Logging ..... 125
    1.26 Filtering System Logs ..... 129
    1.27 SNMP Monitoring ..... 132
    1.28 DHCP Server ..... 135
    1.29 HTTP Traffic Inspection ..... 139
    1.30 FTP Traffic Inspection ..... 145
    1.31 SMTP Traffic Inspection ..... 151
    1.32 TCP Inspection ..... 154
    1.33 Management Traffic Inspection ..... 157
    1.34 ICMP Traffic Inspection ..... 160


    1.35 Threat Detection ..... 163
    1.36 Un-Stealthing the Firewall ..... 167
    1.37 Traffic Policing ..... 170
    1.38 Low Latency Queuing ..... 173
    1.39 Traffic Shaping ..... 176
    1.40 Hierarchical Queuing ..... 180
    1.41 Transparent Firewall ..... 183
    1.42 ARP Inspection ..... 189
    1.43 Ethertype Access-Lists ..... 191
    1.44 Transparent Firewall NAT ..... 195
    1.45 Firewall Contexts ..... 198
    1.46 Firewall Contexts Routing ..... 203
    1.47 Firewall Contexts Classification ..... 206
    1.48 Resource Management ..... 212
    1.49 Active/Standby Failover ..... 218
    1.50 Active/Active Failover ..... 225
    1.51 ASA Redundant Interfaces ..... 233
    1.52 ASA Enhanced Object Groups ..... 237


    ASA Firewall

    Note

    Load the ASA Routing files to initialize your rack. Use the following diagram as your reference when working with the tasks below.

    [Diagram: ASA Routing topology. Only the labels 121.0/24 VLAN121 and 0.0/24 VLAN100 survived extraction.]


    1.1 VLANs and IP Addressing

    Configure ASA1's interface Ethernet 0/0 using the nameif outside and the security level of zero.

    Configure ASA1's interface Ethernet 0/1 using the nameif inside and the security level value of 100.

    Create a new subinterface Ethernet 0/2.120 using the VLAN number 120, nameif dmz1 and the security-level of 75.

    Create a new subinterface Ethernet 0/2.124 using the VLAN number 124, nameif dmz2 and the security-level of 50.

    Configure interface IP addressing per the diagram.

    1.2 RIPv2

    Enable RIPv2 in ASA1 for networks 10.0.0.0/8 and 136.1.0.0/16.

    Ensure routing summaries are not generated automatically on classful subnet boundaries. Do not send RIPv2 updates out of any interface except Inside and DMZ1.

    Configure RIPv2 on R1 using the network 136.1.0.0/16.

    Authenticate RIPv2 updates sent to and received from R1 using the key-string CISCO. Use the most secure form of authentication.

    1.3 OSPF

    Create an OSPF routing process in the ASA firewall using the OSPF process ID 1 and the OSPF router-ID of 150.X.12.12.2. Assign interfaces to OSPF areas per the diagram provided. Ensure the ASA is never elected as DR on either segment. Authenticate the OSPF adjacency across the DMZ2 interface using interface-level commands only. Use the password of CISCO and the most secure form of authentication.

    Configure the less secure form of OSPF authentication on the interface Outside. Use only process-level commands for this, along with the password of CISCO.


    1.4 EIGRP

    Disable OSPF on the connection to R4 and configure EIGRP instead. Authenticate the EIGRP adjacency using the password value of CISCO.

    1.5 Advanced Routing

    Redistribute RIP and EIGRP routes into OSPF.

    Implement a reliable default route towards R2 in the firewall. Track R2's Loopback0 reachability for that.

    Use R3 as the backup default gateway.

    Originate the default route into RIPv2 and EIGRP.


    Note

    At this point, erase the running configurations on all devices in the rack. Load the ASA Access Control initial configurations. Refer to the following diagram when working with the scenarios below.

    1.6 IP Access-Lists

    Implement the access policy outlined below.

    Permit the following incoming traffic:

    o Incoming ping requests and replies to pings from the inside.
    o FTP/HTTP/NTP traffic to the AAA/CA server.
    o Returning traffic for the UNIX-style traceroute command.

    Permit the following types of outgoing traffic:

    o Pings and replies to the pings sent from the outside.
    o Outgoing packets for the UNIX-style traceroute command.
    o Outgoing telnet, FTP and HTTP traffic.

    Use just two access-lists, named OUTSIDE_IN and OUTSIDE_OUT, applied ingress and egress to the Outside interface.


    1.7 Object Groups

    Create the following object groups:

    o SERVERS containing the host 10.0.0.100.
    o ROUTERS containing the network 136.X.121.0/24.
    o COMMON_ICMP containing the ICMP types corresponding to the ping and UNIX-style traceroute commands.
    o TRC_PORTS containing the range of UDP ports 33434-33464.
    o SERVER_PORTS containing the TCP ports for HTTP and FTP.
    o ROUTER_PORTS containing the TCP ports corresponding to Telnet/SSH in addition to port 7001.

    Reduce the size of the previously created access-lists using the object groups just created.
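    A configuration that satisfies tasks 1.6 and 1.7 together, added here as an illustration and not taken from the workbook's solutions. It uses the pre-8.3 ASA object-group and access-list syntax of the workbook's era and assumes rack number X = 1, the Outside interface nameif outside, and plain UDP 123 for NTP to the server.

```cisco
! Added example, not the workbook's solution. Assumes rack number X = 1 and
! the interface nameif "outside"; the server 10.0.0.100 and the port numbers
! come from the task text.
!
! Task 1.7: object groups, so each ACE names a group instead of a literal.
! ROUTERS and ROUTER_PORTS are created as the task requires but are not
! referenced by the two access-lists below.
object-group network SERVERS
 network-object host 10.0.0.100
object-group network ROUTERS
 network-object 136.1.121.0 255.255.255.0
object-group icmp-type COMMON_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service TRC_PORTS udp
 port-object range 33434 33464
object-group service SERVER_PORTS tcp
 port-object eq www
 port-object eq ftp
object-group service ROUTER_PORTS tcp
 port-object eq telnet
 port-object eq ssh
 port-object eq 7001
!
! Task 1.6, ingress on Outside: echo and echo-reply, FTP/HTTP/NTP to the
! server, and the time-exceeded/unreachable errors that a UNIX traceroute
! launched from the inside relies on. Anything else hits the implicit deny.
access-list OUTSIDE_IN extended permit icmp any any object-group COMMON_ICMP
access-list OUTSIDE_IN extended permit tcp any object-group SERVERS object-group SERVER_PORTS
access-list OUTSIDE_IN extended permit udp any object-group SERVERS eq ntp
!
! Task 1.6, egress on Outside: pings and replies, the UDP probes of a UNIX
! traceroute, and telnet/FTP/HTTP sessions. An egress ACL also ends in an
! implicit deny, so any other traffic leaving Outside is dropped.
access-list OUTSIDE_OUT extended permit icmp any any object-group COMMON_ICMP
access-list OUTSIDE_OUT extended permit udp any any object-group TRC_PORTS
access-list OUTSIDE_OUT extended permit tcp any any eq telnet
access-list OUTSIDE_OUT extended permit tcp any any object-group SERVER_PORTS
!
access-group OUTSIDE_IN in interface outside
access-group OUTSIDE_OUT out interface outside
```

    show access-list OUTSIDE_IN expands every object-group line into its member ACEs with hit counts, which is the quickest way to confirm that the groups cover exactly the traffic the task lists.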

    1.8 Administrative Access

    Permit telnet access to the ASA unit from the inside subnet (136.X.121.0/24).

    Permit ssh access to the ASA unit from the outside subnet (136.X.122.0/24).

    Permit users to access the ASDM feature from host 10.0.0.100.

    1.9 ICMP Traffic

    Configure the firewall such that no one can ping it. However, make sure the firewall itself is able to ping anyone. Additionally, make sure that pMTU discovery and traceroute work successfully from the firewall. All other ICMP messages terminating on firewall interfaces should be discarded.

    1.10 URL Filtering

    Filter ActiveX and JavaScript from all HTTP requests on port 80. Configure the ASA to use the Websense URL filtering server at 10.0.0.100. Filter HTTP URLs from the 136.X.121.0/24 network on ports 80 and 8080.

    Block proxy requests going to port 8080. Additionally, configure FTP filtering on port 21 for the network 136.X.121.0/24.

    Deny interactive FTP connections. In case of URL server failure, HTTP/FTP requests should be allowed.


    Note

    At this point, enable NAT-control in the firewall and make RIPv2 passive on the outside interface of the ASA firewall:

    ASA1:
    nat-control
    !
    router rip
     passive-interface outside

    1.11 Dynamic NAT and PAT

    Configure NAT such that hosts on the inside going to the outside have their addresses translated into the address pool 136.X.122.100-110. Use the interface IP address as PAT backup.

    Configure NAT such that hosts on the DMZ going to the outside have their addresses translated into the address pool 136.X.122.200-210. Use the last IP address in the range as PAT backup.

    Configure NAT such that hosts on the inside going into the DMZ have their addresses translated into the interface IP address via PAT.

    1.12 Static NAT and PAT

    Clear any previous NAT rules if needed. Map the DMZ IP address 10.0.0.100 to the outside 136.X.122.100.

    Configure Static PAT such that telnet sessions to the outside interface are redirected to R1.

    Configure Static PAT such that DNS requests sent to the ASA inside interface are redirected to R2. Make sure inside hosts are translated when they go outside.

    1.13 Dynamic Policy NAT

    Clear any previous NAT rules if needed. Telnet connections going outside should be PAT translated using the IP address 136.X.122.100.

    ICMP packets going outside should be PAT translated using the IP address 136.X.122.101.

    Use the access-lists TELNET and ICMP to distinguish the two types of traffic.

    Everything else should be PAT translated using the outside interface IP.


    1.14 Static Policy NAT and PAT

    Clear any previous NAT rules if needed.

    Redirect telnet connections going from 136.X.122.0/24 to the firewall outside interface to R1. Redirect HTTP connections going from the 150.X.2.0/24 subnet of R2 to the firewall outside interface to the AAA/CA server.

    Create and apply the necessary access-group to the outside interface.

    1.15 Identity NAT and NAT Exemption

    Clear any previous NAT rules if needed and re-enable RIPv2 announcements on the outside interface of the firewall.

    Configure the firewall such that the network 136.X.121.0/24 is translated to itself. Configure the firewall so that no NAT translation is performed for the AAA/CA server 10.0.0.100.

    1.16 Outside Dynamic NAT

    Prevent R1 from learning about the outside destinations via RIP.

    Hosts from the outside with source IP addresses from the subnet 136.X.122.0/24 accessing hosts on the inside should have their IP addresses translated using the inside interface IP address.

    Ensure that hosts on the inside are still able to access the AAA/CA server on the DMZ interface.

    1.17 DNS Doctoring using Alias

    Clear any previously configured address translation rules.

    Configure R2 to act as a DNS server. Create a new host entry for the name WWW with the address 136.X.122.100.

    Hosts on the DMZ subnet using R2 as their DNS server should see the name WWW resolved to the IP address of the AAA/CA server.

    Use the alias command in the ASA to accomplish this.


    1.18 DNS Doctoring using Static

    Modify the solution of the previous task to use the static command instead of the legacy alias.

    1.19 Fragmented Traffic

    Permit ICMP traffic through the firewall. Disable fragmented packets on all interfaces.

    1.20 IDENT Issues

    Configure the firewall to quickly terminate the IDENT lookup sessions going from the outside for TCP sessions initiated by inside users.

    Consider both users translated to NAT pools and the outside interface IP address.

    1.21 BGP across the Firewall

    Ensure the ASA firewall runs in NAT-controlled mode and RIPv2 is active on all interfaces.

    R1 and R2 are pre-configured to peer eBGP across the firewall. Both routers use their Loopback0 interfaces to source the BGP session. Authenticate the BGP session using the password of CISCO.

    Ensure that R2 is allowed to initiate a BGP session to R1.

    1.22 Stub Multicast Routing

    The ASA firewall connects a stub multicast area on the Inside interface to the multicast-capable network behind R2.

    Configure the appliance to act as a proxy agent for IGMP join/leave messages sent from R2.

    Ensure the RPF interface for unknown destinations is the outside interface.

    On R1, join the Ethernet interface to group 239.0.0.1 and make sure R2 can ping it.


    1.23 PIM Multicast Routing

    Remove the stub multicast routing configuration and enable PIM on the outside interface.

    The ASA should use R2 as the RP. Limit the number of IGMP states on the inside interface to 100 participants maximum. Enable multicast routing in R2 and configure its Loopback0 as the RP address. Ensure R2 establishes a PIM adjacency with the firewall. Join R1's Ethernet interface to group 239.0.0.1 and make sure R2 can ping it.

    1.24 Network Time Protocol

    Configure the ASA for time synchronization via NTP with R1. For added security, authenticate NTP updates using MD5 based on the key of CISCO.

    1.25 System Logging

    Configure the firewall to generate system logging messages. Every message should have a time stamp on it.

    Collect the debugging messages in the system memory buffer. Limit the buffer size to 65536 bytes.

    Save the memory buffer contents when it wraps to the FTP server 10.0.0.100 using the username anonymous and the [email protected].

    Send informational and higher priority messages to the syslog server at 10.0.0.100 using the numerical facility value of 23. The console port should receive only the alerts and higher messages.

    1.26 Filtering System Logs

    Configure the firewall to generate system logging messages. Every message should have a time stamp on it.

    Collect the debugging messages in the system memory buffer. Limit the buffer size to 65536 bytes.

    Save the memory buffer contents when it wraps to the FTP server 10.0.0.100 using the username anonymous and the [email protected].

    Send informational and higher priority messages to the syslog server at 10.0.0.100 using the UNIX syslog facility local7. The console port should receive only the alerts and higher messages.
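    The logging configuration that tasks 1.25 and 1.26 describe, added here as an illustration and not taken from the workbook's solutions. It assumes the syslog/FTP host 10.0.0.100 sits on an interface named dmz and uses a labelled placeholder for the FTP password the task text leaves obscured; the two tasks differ only in how the facility is named, and the ASA accepts it only as a number, so local7 is entered as 23.

```cisco
! Added example, not the workbook's solution. Assumes the interface nameif
! "dmz" for 10.0.0.100; FTP_PASSWORD_PLACEHOLDER stands in for the password
! that the task text does not reproduce legibly.
logging enable
logging timestamp
!
! Memory buffer: debugging (level 7) and above, capped at 65536 bytes.
logging buffered debugging
logging buffer-size 65536
!
! When the buffer wraps, upload its contents to the FTP server before they
! are overwritten; "/" is the directory on the server.
logging ftp-bufferwrap
logging ftp-server 10.0.0.100 / anonymous FTP_PASSWORD_PLACEHOLDER
!
! Syslog server: informational (level 6) and above. The facility is given
! as a number: 16..23 correspond to local0..local7, so local7 is 23.
logging host dmz 10.0.0.100
logging trap informational
logging facility 23
!
! Console: only alerts (level 1) and emergencies (level 0).
logging console alerts
```

    show logging reports the configured levels, the buffer size and the FTP target, and shows whether messages are being dropped before reaching the server.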


    1.27 SNMP Monitoring

    Configure SNMP settings as follows:

    o Deny SNMP version 1 requests. Do not use the command snmp deny to accomplish this.
    o Send all SNMP traps to the DMZ host 10.0.0.100.
    o Use the SNMP server community CISCO.
    o Set the SNMP server location to Reno,NV.

    Ensure the VPN messages of critical or higher level are also delivered as SNMP traps.

    1.28 DHCP Server

    Configure the ASA firewall to act as a DHCP server on the Inside interface.

    Use the IP address range 136.X.121.100-136.X.121.254. Assign the domain-name ine.com to the DHCP clients. Lease the IP addresses for 30 minutes. Verify by configuring R1 for DHCP address allocation on its Ethernet interface.

    1.29 HTTP Traffic Inspection

    Ensure that the AAA/CA server is accessible from the outside using the IP address 136.X.122.100.

    The ASA should spoof the HTTP server headers to pretend that it is Apache/2.2.0 (Unix). Additionally, the firewall should reset the TCP connection upon any HTTP protocol violation for extra security. For the HTTP connections from the inside, restrict the number of half-open connections to 100 and the total number of connections to the HTTP server to 200.

    Since DoS attacks are more expected from the outside, ensure the firewall allows no more than 500 embryonic connections from the outside and limit the total number of outside connections to 100.


    1.30 FTP Traffic Inspection

    Allow hosts from the outside to access the FTP server at the IP 10.0.0.100 using the outside IP address 136.X.122.100.

    Disallow the use of the commands RMD, SITE and DELETE. Deny the download of IOS image files with names that start with c26, c36 and c28. In order to prevent hackers from using known exploits, mask the FTP server banner and the system information reply. The restrictions should only apply to users accessing from the outside.

    1.31 SMTP Traffic Inspection

    The outside users should be able to send mail using the server at the IP address 136.X.122.100 mapped to the DMZ IP 10.0.0.100.

    Configure the ASA to reject email sent from e-mail addresses containing any of the strings cyberspam.org or nullroute.com.

    The firewall should perform SMTP banner obfuscation in order to prevent SMTP server identification.

    The firewall should only accept emails addressed to the domain cisco.com. Reject emails that have more than 3 recipients. In order to protect against TCP SYN flooding, limit the number of half-open connections to 50 and the maximum number of connections to 100.

    1.32 TCP Inspection

    Enforce additional security checks for TCP connections established across the firewall.

    o Ensure the firewall checks retransmitted TCP packets.
    o The firewall should also validate TCP checksums.
    o Additionally, clear all reserved bits in TCP headers.

    The policy should apply to all telnet connections crossing the firewall appliance.

    Limit the concurrent number of open Telnet sessions to 3 per user.


    1.33 Management Traffic Inspection

    There is a RADIUS server with the IP address 10.0.0.100 on the DMZ interface.

    The server expects the firewall to authenticate itself using the password value of CISCO.

    The firewall should inspect RADIUS accounting packets going to the IETF default RADIUS ports.

    Validate the RADIUS attribute number 26 and send accounting responses. Apply the inspection rule globally.

    1.34 ICMP Traffic Inspection

    Ensure that R1's address 136.X.121.1 translates to the IP 136.X.122.1 on the outside.

    Ensure R1's Loopback0 is advertised into RIP and reachable from R2. Configure the firewall to allow the UNIX-style traceroute operation from the outside. When someone traces from R2 to the Loopback0 interface of R1, they should not see the inside IP address of R2 in reply packets. Additionally, users from the inside should be able to ping the outside without an explicit permit entry in the outside ingress ACL.

    1.35 Threat Detection

    Enable basic threat detection in the firewall. Set additional monitoring intervals for the ACL drop event so that a message is generated every time there are more than 10000 drops per two hours or more than 1000 drops per 20 seconds. Enable advanced scanning attack detection and automatic shunning of the attackers. Configure the firewall to shun the attackers for 10 minutes but never clear any connections originated from the 10.0.0.100 host.

    1.36 Un-Stealthing the Firewall

    Configure the firewall so that anyone can ping it. Additionally, ensure that the firewall shows up in the traceroute command output.

    Account for both the UNIX and Windows traceroute commands. Add access-list entries if needed to accomplish this task.


    1.37 Traffic Policing

    Ensure ICMP traffic is permitted from the outside. In order to reduce the risk of outside users flooding the internal networks with ICMP packets, limit the traffic rate to 64Kbps. Ensure both ingress and egress traffic flows conform to this restriction.

    1.38 Low Latency Queuing

    Provide priority queue service to VoIP traffic going through the firewall. Classify the VoIP packets based on the RTP port range 16384-32767. Set the priority queue depth to 5 packets on both the inside and outside interfaces.

    1.39 Traffic Shaping

    The outside interface of the firewall connects to an ISP that provides only 512Kbps of guaranteed traffic rate (CIR). Configure the firewall to conform to this requirement, provided that the ISP sets the measurement interval to 100ms. Permit ICMP echo-responses from the outside and test your configuration using a ping flood from the inside.


    1.40 Hierarchical Queuing

    Allow priority queuing for shaped VoIP bearer and VPN signaling traffic. VPN signaling is defined as IKE/ISAKMP exchange on the default port. VoIP bearer traffic is marked with the DSCP value of EF. All other traffic should receive best-effort service. Adjust traffic-shaping interval to provide minimum delay for VoIP traffic.

    Note

    At this point, reset the configuration of all devices and load the ASA Transparent Firewall initial configuration.

    [Diagram: ASA Transparent Firewall topology. Labels recovered from the figure: ASA1 with E0/1 (Inside) and E0/0 (Outside), 136.X.100.0/24 VLAN100, OSPF Area 0, ASA at .12; R3 with Lo0 150.X.3.3/24 and R4 with Lo0 150.X.4.4/24, interfaces Fa0/0 and Fa0/1.]

    1.41 Transparent Firewall

    Use the subnet 136.X.12.0/24 for IP addressing on the segment. Configure the IP address 136.X.12.12/24 for the transparent firewall. Permit telnet and pings from the lower to the higher security zone. Ensure the authenticated BGP session between R3 and R4 can be established across the firewall. Allow R3 and R4 to establish OSPF and PIM neighbor adjacencies.

    1.42 ARP Inspection

    The firewall should enforce consistency in ARP requests and responses. Manually configure the IP to MAC address mappings for the R1 and R2 Ethernet interfaces to accomplish this. Do not flood unmatched ARP requests between the security levels.


    1.43 Ethertype Access-Lists

    Block spanning-tree BPDUs going across the firewall. Ensure there are no redundant links in VLAN 100 to avoid STP loops.

    1.44 Transparent Firewall NAT

    Create a new Loopback in R3 with the IP subnet 192.168.0.3/24. The firewall should translate this subnet using the PAT IP address of 136.X.200.100. Make sure you can ping R4 using the IP address 192.168.0.3 as the source.

    Note

    Erase the running configuration of all devices in the rack at this point. Load the ASA Multiple Contexts initial configurations. Use the following diagram as your reference for the tasks below.

    [Diagram labels (multiple contexts): Mgmt 10.0.0.0/24 VLAN120; E0/2(DMZ); 136.X.124.0/24 VLAN124; E0/1.121(InsideA), E0/1.122(InsideB); E0/0(Outside); 136.X.0.0/24 VLAN121 and VLAN122; 136.X.123.0/24 VLAN123; A: .121, B: .122; Lo0: 150.X.4.4/24; AAA/CA Server .100; R1, R2, R3, R4, ASA1]


    The context CustomerA should be allowed to have no more than 1000 host and NAT translation entries. The number of concurrent connections should be limited to 10000.

    The context CustomerB should be limited to no more than 500 host and xlate entries, and no more than 5000 connections.

    The admin context should use the default resource limits.


    Note

    At this point, erase all running configurations and load the ASA Firewall A/S Failover initial configurations.

    [Diagram labels (A/S failover): RIPv2; E0/1(Inside); E0/0(Outside); 136.X.120.0/24 VLAN120; 136.X.110.0/24 VLAN110; host addresses .12 and .13; E0/2 (Failover) 100.0.0.0/24 VLAN 100; R1 Fa0/0, R2 Fa0/0; ASA1, ASA2]

    1.49 Active/Standby Failover

    Configure ASA1 and ASA2 as an Active/Standby failover pair, with ASA1 as the active unit. Use the hostname ASA for the pair.

    Configure the IP addressing in the primary unit per the diagram, and enable RIP as the routing protocol on the inside interface.

    Make the configurations necessary to allow the inside hosts to ping the outside destinations.

    Configure stateful failover using E0/2 as the failover link with the name Failover and the IP subnet 100.0.0.0/24.

    Assign the IP addresses to the firewall appliances per the diagram.

    Use .254 as the last octet of the virtual IP address on both the Inside and Outside segments.

    The units should monitor each other across both interfaces using the minimum poll times.


    Note

    At this point, erase all running configurations and load the ASA Firewall A/A Failover initial configurations.

    1.50 Active/Active Failover

    Implement stateful failover for the firewall contexts CustomerA and CustomerB using two ASA units.

    ASA1 should be active for CustomerA and standby for CustomerB. ASA2 should be active for CustomerB and standby for CustomerA.

    Designate CustomerA as the admin context in your configuration.

    Ensure R1 and R2 can ping R3. Apply NAT configurations and static routing to accomplish this.

    Use interface Ethernet 0/2 as the stateful failover link with the IP addresses assigned per the diagram.

    Disable outside interface monitoring and configure the firewall to monitor the inside sub-interfaces. Reduce the interface polling timers to the minimum.


    Note

    Load the ASA Access Control initial configuration prior to starting with the following tasks. Use the diagram as your reference:

    [Diagram labels (access control): AAA/CA Server .100; DMZ; 136.X.122.0/24 VLAN122; 136.X.121.0/24 VLAN121; 10.0.0.0/24 VLAN120; RIPv2; R1 Fa0/0, R2 Fa0/0; Outside, Inside]

    1.51 ASA Redundant Interface

    Configure the firewall so that the E0/2 and E0/0 interfaces represent a single logical interface.

    If the E0/0 interface fails, E0/2 should take over its place.

    The new interface should be used for the DMZ and Outside logical interfaces.

    Use the VLAN numbers and the IP addressing per the diagram to accomplish this.

    1.52 ASA Enhanced Object Groups

    Configure the firewall to permit telnet, ping and syslog traffic from R2 to R1.

    Use only a single access-list statement to accomplish this.


    ASA Firewall Solutions

    1.1 VLANs and IP Addressing

    Configure ASA1's interface Ethernet 0/0 using the nameif outside and the security level of zero.

    Configure ASA1's interface Ethernet 0/1 using the nameif inside and the security level value of 100.

    Create a new subinterface Ethernet 0/2.120 using the VLAN number 120, nameif dmz1 and the security-level of 75.

    Create a new subinterface Ethernet 0/2.124 using the VLAN number 124, nameif dmz2 and the security-level of 50.

    Configure interface IP addressing per the diagram.

    Configuration

    Note

    Since version 7.0 of the ASA code, configuring interfaces in the firewall appliance is very similar to configuring interfaces in IOS-based platforms. If the firewall connection to the switch is a dot1q trunk (the ASA supports 802.1q only, no ISL), you can create sub-interfaces corresponding to the VLANs carried on the trunk. Do not forget to assign a VLAN number to the sub-interface. The native (untagged) VLAN on the trunk connection maps to the physical interface.

    When configuring the firewall interfaces, do not forget to no shutdown them (as they are down by default) and to assign a nameif and security-level. The default nameifs, such as inside and outside, have the security levels of 100 and 0 assigned automatically.

    In our scenario, interface Ethernet 0/2 is split into two sub-interfaces using the VLANs 120 and 124 to create two logical DMZ interfaces, for the AAA/CA server and R4 respectively.


    ASA1:
    hostname Rack1ASA1
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 136.1.0.12 255.255.255.0
     no shutdown
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 136.1.121.12 255.255.255.0
     no shutdown
    !
    interface Ethernet0/2
     no nameif
     no security-level
     no ip address
     no shutdown
    !
    interface Ethernet0/2.120
     vlan 120
     nameif dmz1
     security-level 75
     ip address 10.0.0.12 255.255.255.0
     no shutdown
    !
    interface Ethernet0/2.124
     vlan 124
     nameif dmz2
     security-level 50
     ip address 136.1.124.12 255.255.255.0
     no shutdown


    Verification

    Note

    The verification consists of two parts. First, we verify the proper VLAN assignment in the switches. You would normally resort to that only if you have connectivity issues, but it never hurts to start by verifying the L2 settings.

    Then we verify the trunking status to make sure L2 traffic can traverse between the two switches. The trunks should show as trunking and list our VLANs among the active VLANs.

    Rack1SW1#show vlan brief | exclude unsup

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    100  VLAN0100                         active    Fa0/2, Fa0/3
    120  VLAN0120                         active    Fa0/20
    121  VLAN0121                         active    Fa0/1, Fa0/13
    124  VLAN0124                         active    Fa0/4

    Rack1SW1#show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/21      desirable    802.1q         trunking      1
    Fa0/22      desirable    802.1q         trunking      1
    Fa0/23      desirable    802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/21      1-4094
    Fa0/22      1-4094
    Fa0/23      1-4094

    Port        Vlans allowed and active in management domain
    Fa0/21      1,100,120-121,124
    Fa0/22      1,100,120-121,124
    Fa0/23      1,100,120-121,124

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/21      1,100,120-121,124
    Fa0/22      1,100,120-121,124
    Fa0/23      1,100,120-121,124


    Note

    There is an additional trunk in SW2 connected to ASA1, which is needed to carry the VLANs to the ASA unit.

    Rack1SW2#show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/13      on           802.1q         trunking      1
    Fa0/21      auto         802.1q         trunking      1
    Fa0/22      auto         802.1q         trunking      1
    Fa0/23      auto         802.1q         trunking      1

    Note

    Next we verify the nameifs in the ASA unit and try pinging the directly connected subnets. Note that with version 7.x of the code, the ASA unit accepts ICMP echo-reply messages by default, so you don't have to enable it like you did in PIX 6.x.

    If you were able to successfully ping all directly connected nodes, the connectivity is fine.

    Rack1ASA1# show nameif
    Interface                Name                     Security
    Ethernet0/0              outside                    0
    Ethernet0/1              inside                   100
    Ethernet0/2.120          dmz1                      75
    Ethernet0/2.124          dmz2                      50

    Rack1ASA1# ping 136.1.121.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 136.1.121.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

    Rack1ASA1# ping 10.0.0.100
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


    Rack1ASA1# ping 136.1.0.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 136.1.0.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

    Rack1ASA1# ping 136.1.0.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 136.1.0.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

    Rack1ASA1# ping 136.1.124.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 136.1.124.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


    updates. However, with MD5 mode, other keys are used to accept incoming updates with a matching key.

    While routing has been pre-configured in the routers, you still need to know how to authenticate RIPv2 packets in an IOS router. The process is a bit different from the ASA. First, you create a key-chain in global configuration mode, which may contain one or more authentication keys. You then apply the key-chain to an interface configured for the proper RIPv2 authentication mode (MD5 or plain-text). The router will use the first key to authenticate the incoming/outgoing updates. Other keys are used with the MD5 authentication mode to accept matching incoming updates.

    ASA1:
    !
    ! RIP process configuration
    !
    router rip
     network 10.0.0.0
     network 136.1.0.0
     passive-interface default
     no passive-interface inside
     no passive-interface dmz1
     version 2
     no auto-summary
    !
    ! MD5 Authentication on the Inside interface
    !
    interface Ethernet0/1
     rip authentication mode md5
     rip authentication key CISCO key_id 1

    R1:
    !
    ! Key-chain configuration
    !
    key chain RIP
     key 1
      key-string CISCO
    !
    ! Applying the key-chain and setting the mode
    !
    interface FastEthernet0/0
     ip rip authentication mode md5
     ip rip authentication key-chain RIP


    Verification

    Note

    For verification, you first need to check the protocol configuration using the show ip protocols command in the IOS router. It will show you the interfaces configured for RIPv2 authentication along with the respective key-chains.

    Rack1R1#show ip protocols
    Routing Protocol is "rip"
      Sending updates every 30 seconds
      Invalid after 180 seconds, hold down 180, flushed after 240
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is not set
      Redistributing: rip
      Default version control: send version 2, receive version 2
        Interface             Send  Recv  Triggered RIP  Key-chain
        FastEthernet0/0       2     2                    RIP
      Automatic network summarization is not in effect
      Maximum path: 4
      Routing for Networks:
        136.1.0.0
      Routing Information Sources:
        Gateway         Distance      Last Update
      Distance: (default is 120)

    Note

    The next useful command is debug ip rip, which is available in both IOS and ASA platforms (debug rip on the ASA). It will show you the contents of the RIPv2 updates sent on all interfaces enabled for RIP. It will also show you whether the incoming packets are authenticated and pass the security checks.

    Rack1ASA1# debug rip
    Rack1ASA1#
    RIP: sending v2 update to 224.0.0.9 via inside (136.1.121.12)
    RIP: build update entries
            10.0.0.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
            136.1.0.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
            136.1.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
    RIP: Update contains 3 routes
    RIP: Update queued
    RIP: sending v2 update to 224.0.0.9 via dmz1 (10.0.0.12)
    RIP: build update entries
            136.1.0.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
            136.1.121.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
            136.1.124.0 255.255.255.0 via 0.0.0.0, metric 1, tag 0
    RIP: Update contains 3 routes


    RIP: Update queued
    RIP: Update sent via inside rip-len: 112
    RIP: Update sent via dmz1 rip-len: 72

    Rack1R1#debug ip rip
    RIP protocol debugging is on

    Rack1R1#
    RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (136.1.121.1)
    RIP: build update entries - suppressing null update
    RIP: received packet with MD5 authentication
    RIP: received v2 update from 136.1.121.12 on FastEthernet0/0
          10.0.0.0/24 via 0.0.0.0 in 1 hops
          136.1.0.0/24 via 0.0.0.0 in 1 hops
          136.1.124.0/24 via 0.0.0.0 in 1 hops

    Note

    Finally, if everything has been authenticated successfully, you should be able to see the RIP routes in the routing tables.

    Rack1R1#show ip route rip
         136.1.0.0/24 is subnetted, 3 subnets
    R       136.1.0.0 [120/1] via 136.1.121.12, 00:00:23, FastEthernet0/0
    R       136.1.124.0 [120/1] via 136.1.121.12, 00:00:23, FastEthernet0/0
         10.0.0.0/24 is subnetted, 2 subnets
    R       10.0.0.0 [120/1] via 136.1.121.12, 00:00:23, FastEthernet0/0


    1.3 Configuring OSPF

    Create an OSPF routing process in the ASA firewall using the OSPF process ID 1 and the OSPF router-ID of 150.X.12.12.

    Assign interfaces to OSPF areas per the diagram provided. Ensure the ASA is never elected as DR on either segment. Authenticate the OSPF adjacency across the DMZ2 interface using interface-level commands only. Use the password of CISCO and the most secure form of authentication.

    Configure the less secure form of OSPF authentication on the interface Outside. Use only process-level commands for this along with the password of CISCO.

    Configuration

    Note

    OSPF is a complicated link-state routing protocol. The ASA firewall supports many OSPF features found in regular IOS routers. For the purpose of the CCIE Security exam, you will most likely need to know the following OSPF configuration steps:

    1) (Mandatory). Enabling the OSPF process with a certain process-ID (there could be multiple OSPF processes in a single box) and assigning a router-ID, which identifies the box in the OSPF topology. If you do not assign a router-ID, the ASA will pick one for you automatically. However, it is generally good practice to assign it manually, to ease troubleshooting.

    2) (Mandatory). Configuring the network statements to identify the interfaces where OSPF should establish adjacencies. The syntax is network <ip-address> <subnet-mask> area <area-id> and is different from the syntax used in the IOS routers, where you use the wildcard mask. Every interface that has an IP address matching the configured network statement is selected for establishing OSPF adjacencies. In addition to that, the subnets of those interfaces are advertised as OSPF links and become accessible to the other OSPF routers. Note that the OSPF configuration does not support the passive-interface statement, but accepts various network scopes.

    3) (Optional). Designate some interfaces as passive for OSPF. Unlike RIPv2, however, a passive OSPF interface cannot establish an OSPF adjacency and exchange link states. Thus, a passive interface is advertised into OSPF but not used for any routing information exchange.


    4) (Optional). Configure the ASA unit as a designated or non-designated router on the active OSPF interfaces. Designated OSPF routers (DRs) are used on shared interfaces, like Ethernet, to centralize the routing information exchange. Commonly, a DR is the most powerful and stable router on the segment. By default, the first router to boot up and initialize is elected as the DR. If there are many routers competing for the DR role, the one with the highest OSPF interface priority is selected as the DR. If the priorities match, the router with the highest Router-ID is elected as the DR. If you set the OSPF priority to zero on a given interface, the ASA will not even attempt to become a DR. Note that the router might be a DR on one segment and a non-DR on another. Manipulating priorities might be needed, as the default value is one, which might result in non-deterministic DR elections.
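    The election rules just described (priority 0 never wins, an existing DR keeps the role, then highest priority, then highest Router-ID) are easy to get wrong when reasoning about a lab topology, so here is an added Python model of them. This is example code written for this workbook page, not Cisco code or the full RFC 2328 section 9.4 procedure: it omits the Backup DR and assumes every router hears every other one. The routers and priorities are constructed from the DMZ2 segment of this task (ASA1 with ospf priority 0, R4 with the default priority).

    ```python
    """Simplified OSPF DR election on a broadcast segment (added example)."""
    from dataclasses import dataclass
    from typing import Iterable, List, Optional


    @dataclass(frozen=True)
    class OspfRouter:
        router_id: str   # dotted-decimal Router-ID, e.g. "150.1.12.12"
        priority: int    # interface priority 0..255; 0 means never eligible for DR


    def _rid_key(router_id: str) -> tuple:
        """Compare Router-IDs numerically, octet by octet, not as strings."""
        return tuple(int(octet) for octet in router_id.split("."))


    def elect_dr(routers: Iterable[OspfRouter], current_dr: Optional[str] = None) -> Optional[str]:
        """Return the Router-ID that holds the DR role, or None if nobody is eligible.

        Rules modelled (a simplification of RFC 2328 section 9.4; no BDR handling):
          * priority 0 makes a router ineligible, so it never becomes DR;
          * an already elected DR keeps the role while it stays eligible, so a router
            that boots later never preempts it, whatever its priority or Router-ID;
          * otherwise the highest priority wins, ties broken by the highest Router-ID.
        """
        eligible = [r for r in routers if r.priority > 0]
        if not eligible:
            return None
        if current_dr is not None and any(r.router_id == current_dr for r in eligible):
            return current_dr
        winner = max(eligible, key=lambda r: (r.priority, _rid_key(r.router_id)))
        return winner.router_id


    def boot_sequence(order: List[OspfRouter]) -> List[Optional[str]]:
        """Bring routers up one at a time and record who is DR after each boot."""
        present: List[OspfRouter] = []
        dr: Optional[str] = None
        history: List[Optional[str]] = []
        for router in order:
            present.append(router)
            dr = elect_dr(present, current_dr=dr)
            history.append(dr)
        return history


    if __name__ == "__main__":
        # Constructed scenario: ASA1 with 'ospf priority 0' boots first, then R4 (priority 1).
        asa1 = OspfRouter("150.1.12.12", priority=0)
        r4 = OspfRouter("150.1.4.4", priority=1)
        print(boot_sequence([asa1, r4]))   # [None, '150.1.4.4']
    ```

    The numeric Router-ID comparison matters: as a string "150.1.12.12" sorts below "150.1.3.3", but OSPF compares the 32-bit value, so with equal priorities the ASA would win a fresh election against R3, which is exactly why the task sets its priority to zero.
    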

    And the most important part of OSPF configuration from the security standpoint is protocol authentication. OSPF authenticates all OSPF packets (the authentication fields are part of the OSPF header; OSPF uses IP protocol number 89) and supports three types of authentication: null (empty), plain-text (clear text password) and a secure MD5 hash over the packet contents. Note that OSPF authenticates the packet exchange on a given segment connection. You may define different authentication types on different interfaces. First, look at the authentication types:

    1) NULL explicitly states that the packet is not authenticated.
    2) Plain-text carries a password in the header. Only one password is allowed.
    3) MD5-hash carries a key ID along with the corresponding hash value in the header. There could be different key IDs, and the receiving router selects the appropriate local key based on the key ID in the header. You can configure multiple keys on a single interface, and the router will send packets authenticated with every active key.

    You can enable OSPF authentication on the interface using the command ospf authentication for the ASA or ip ospf authentication for the IOS routers. To set the MD5 keys, use the commands ospf message-digest-key and ip ospf message-digest-key respectively. Using these commands you set the mode and the respective keys on the particular interface. Alternatively, you can use the process-level command area X authentication [message-digest] to enable authentication on all interfaces that are members of the particular area. You still need to configure the keys at the interface level, however.
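    To make the MD5 option concrete, the following added Python example builds and verifies an OSPFv2 packet with cryptographic authentication (AuType 2) the way RFC 2328 Appendix D.4 describes it: the header carries the key ID, the authentication data length and a cryptographic sequence number, the checksum field stays zero, and a 16-byte MD5 digest over the packet followed by the zero-padded key is appended after the packet. This is example code written for this page, not the ASA or IOS implementation; the Hello body, the Router-ID 150.1.12.12, area 1 and the key CISCO are constructed to match this task, and the receiver selects its key by the key ID exactly as the text above explains.

    ```python
    """OSPFv2 cryptographic (MD5) authentication per RFC 2328 D.4 (added example)."""
    import hashlib
    import hmac
    import ipaddress
    import struct
    from typing import Dict, Tuple

    OSPF_VERSION = 2
    OSPF_HELLO = 1
    AUTYPE_CRYPTO = 2          # AuType 2 = cryptographic (MD5) authentication
    HEADER_LEN = 24
    DIGEST_LEN = 16


    def _key_bytes(key: str) -> bytes:
        """The key is applied as 16 bytes; a shorter password such as CISCO is zero-padded."""
        raw = key.encode()
        if len(raw) > DIGEST_LEN:
            raise ValueError("MD5 key longer than 16 bytes")
        return raw.ljust(DIGEST_LEN, b"\x00")


    def _ip_int(addr: str) -> int:
        return int(ipaddress.IPv4Address(addr))


    def build_hello_body(netmask, hello_int, priority, dead_int, dr="0.0.0.0", bdr="0.0.0.0"):
        """Minimal Hello body (no neighbour list) so there is something to authenticate."""
        return struct.pack("!IHBBIII", _ip_int(netmask), hello_int, 0x02, priority,
                           dead_int, _ip_int(dr), _ip_int(bdr))


    def build_packet(ptype, body, router_id, area_id, key_id, key, seq):
        """Sender side: header with AuType 2, then the body, then the 16-byte MD5 trailer.

        The checksum field stays 0 (unused with AuType 2) and the length field does
        not count the digest, as RFC 2328 D.4 prescribes."""
        length = HEADER_LEN + len(body)
        auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
        header = struct.pack("!BBHIIHH", OSPF_VERSION, ptype, length,
                             _ip_int(router_id), _ip_int(area_id), 0, AUTYPE_CRYPTO)
        packet = header + auth_field + body
        digest = hashlib.md5(packet + _key_bytes(key)).digest()
        return packet + digest


    def verify_packet(wire, keys: Dict[int, str], last_seq: int = 0) -> Tuple[bool, str]:
        """Receiver side: select the local key by the Key-ID in the header, recompute the
        digest over packet||key, and reject sequence numbers older than the last seen."""
        if len(wire) < HEADER_LEN:
            return False, "truncated header"
        version, _ptype, length, _rid, _area, _csum, autype = struct.unpack("!BBHIIHH", wire[:16])
        if version != OSPF_VERSION or autype != AUTYPE_CRYPTO:
            return False, "unexpected version or AuType"
        _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
        if auth_len != DIGEST_LEN or len(wire) < length + DIGEST_LEN:
            return False, "bad authentication data length"
        if key_id not in keys:
            return False, f"no local key with id {key_id}"
        expected = hashlib.md5(wire[:length] + _key_bytes(keys[key_id])).digest()
        if not hmac.compare_digest(expected, wire[length:length + DIGEST_LEN]):
            return False, "digest mismatch"
        if seq < last_seq:
            return False, "replayed sequence number"
        return True, "ok"


    if __name__ == "__main__":
        # Constructed Hello from the ASA (router-id 150.1.12.12, priority 0) on area 1.
        body = build_hello_body("255.255.255.0", 10, 0, 40, dr="136.1.124.4")
        pkt = build_packet(OSPF_HELLO, body, "150.1.12.12", "0.0.0.1", 1, "CISCO", 100)
        print(verify_packet(pkt, {1: "CISCO"}))   # (True, 'ok')
        print(verify_packet(pkt, {1: "WRONG"}))   # (False, 'digest mismatch')
        print(verify_packet(pkt, {2: "CISCO"}))   # (False, 'no local key with id 1')
    ```

    Two practical points follow from the code: the digest covers the key ID and sequence number, so a neighbor with the same password under a different key ID does not authenticate (this is the "key identifiers must match" rule the EIGRP section repeats), and the sequence check is what turns a keyed hash into replay protection.
    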


    ASA1:
    !
    ! OSPF routing process
    !
    router ospf 1
     network 136.1.0.0 255.255.255.0 area 0
     network 136.1.124.0 255.255.255.0 area 1
     router-id 150.1.12.12
     area 0 authentication
    !
    ! Authentication for area 1 is configured solely on the interface
    !
    interface Ethernet0/2.124
     ospf message-digest-key 1 md5 CISCO
     ospf authentication message-digest
     ospf priority 0
    !
    ! Only the auth key is configured at interface level
    !
    interface Ethernet0/0
     ospf authentication-key CISCO
     ospf priority 0

    R2:
    router ospf 1
     area 0 authentication
    !
    interface FastEthernet0/0
     ip ospf authentication-key CISCO

    R3:
    router ospf 1
     area 0 authentication
    !
    interface FastEthernet0/0
     ip ospf authentication-key CISCO

    R4:
    interface FastEthernet0/0
     ip ospf authentication message-digest
     ip ospf message-digest-key 1 md5 CISCO


      Designated Router (ID) 150.1.4.4, Interface address 136.1.124.4
      No backup designated router on this network
      Flush timer for old DR LSA due in 0:00:31
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        Hello due in 0:00:01
      Index 1/2, flood queue length 0
      Next 0x0(0)/0x0(0)
      Last flood scan length is 1, maximum is 3
      Last flood scan time is 0 msec, maximum is 0 msec
      Neighbor Count is 1, Adjacent neighbor count is 1
        Adjacent with neighbor 150.1.4.4  (Designated Router)
      Suppress hello for 0 neighbor(s)
      Message digest authentication enabled
        Youngest key id is 1


    1.4 EIGRP

    Disable OSPF on the connection to R4 and configure EIGRP AS 1 instead. Authenticate the EIGRP adjacency using the password value of CISCO.

    Configuration

    Note

    EIGRP is a recent addition to the ASA code. This routing protocol is Cisco's proprietary and you may need it in a purely Cisco environment. By itself, EIGRP is a sophisticated and scalable protocol based on distributed (diffusing) computations. However, EIGRP configuration is relatively simple and requires just a few steps.

    1) Enable the EIGRP routing process on the firewall. You will need to know the Autonomous System number used by the neighboring routers, to enter the command router eigrp <AS>. If the AS numbers mismatch, the routers will not form an adjacency.

    2) Activate EIGRP on selected interfaces, using the command network <ip-address> <mask>. This is similar to the OSPF configuration, though this time you don't specify the area number. EIGRP will start sending HELLO packets out of all matching interfaces as well as advertising the matching subnets to its neighbors. Disable automatic route summarization (not needed in modern networks) using the command no auto-summary.

    3) Authenticate the EIGRP adjacency on the interfaces where this is required. EIGRP supports only secure MD5-hash based authentication. You may enable it at the interface level using the commands:

    authentication mode eigrp X md5
    authentication key eigrp X <key> key-id N

    4) Configure the opposing IOS router for EIGRP authentication as well. The IOS syntax is a bit different and requires you to create a key chain first:

    key chain <name>
     key N
      key-string <key>
    interface FastEthernet X/Y
     ip authentication mode eigrp X md5
     ip authentication key-chain eigrp X <name>

    Ensure the key identifiers match at both sides for authentication to succeed.


    ASA1:
    router ospf 1
     no network 136.1.124.0 255.255.255.0
    !
    router eigrp 1
     no auto-summary
     network 136.1.124.0 255.255.255.0
    !
    interface Ethernet0/2.124
     authentication key eigrp 1 CISCO key-id 1
     authentication mode eigrp 1 md5

    R4:
    router eigrp 1
     network 136.1.124.0 0.0.0.255
    !
    key chain EIGRP
     key 1
      key-string CISCO
    !
    interface FastEthernet0/0
     ip authentication mode eigrp 1 md5
     ip authentication key-chain eigrp 1 EIGRP


    Verification

    Note

    Start your verification by checking the EIGRP adjacency state. Note that the SRTT value should be reasonably small (this is the average time to reach the neighbor over the segment) and the Q field (outstanding queries) should be zero in a stable network. If the authentication keys mismatch, the adjacency will never come up.

    Rack1ASA1# show eigrp neighbors
    EIGRP-IPv4 neighbors for process 1
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   136.1.124.4             Et0/2.124         12 00:29:12    1   200  0  9

    Note

    Verify the EIGRP interface settings. You can see that authentication is actually enabled from this command's output. If you need to check the authentication keys, use the command more system:running-config.

    Rack1ASA1# show eigrp interfaces detail dmz2
    EIGRP-IPv4 interfaces for process 1

                            Xmit Queue   Mean   Pacing Time   Multicast    Pending
    Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
    dmz2               1        0/0         1       0/1           50           0
      Hello interval is 5 sec
      Next xmit serial
      Un/reliable mcasts: 0/0  Un/reliable ucasts: 5/9
      Mcast exceptions: 0  CR packets: 0  ACKs suppressed: 3
      Retransmissions sent: 0  Out-of-sequence rcvd: 0
      Topology-ids on interface - 0
      Authentication mode is md5,  key is "key-id 1"


    1.5 Advanced Routing

    Implement a reliable default route towards R2 in the firewall. Track R2's Loopback0 reachability for that.

    Use R3 as the backup default gateway.

    Redistribute RIP and EIGRP routes into OSPF. Originate the default route into RIPv2 and EIGRP.

    Configuration

    Note

    The CCIE Security lab most likely will not require you to perform advanced routing protocol tuning. However, some basic routing features should be known by every candidate. This task requires you to redistribute between the routing protocols. That means you should inject one protocol's routing information into another routing protocol. This is needed to obtain full reachability between the routing domains connected by the firewall.

    The main command you need to know is the one entered within the routing protocol context: redistribute <protocol> metric <value>. For example:

    router rip
     redistribute ospf 1 metric 1
     redistribute static

    Pay attention to the <metric>. This metric is needed practically all the time, unless you are redistributing connected or static routes. It specifies the initial metric to be assigned to the redistributed routes. The metric is in the units understood by the target routing protocol. Also, note that using redistribute connected is another way of advertising the locally connected interfaces into a routing protocol.

    Instead of redistributing routing information into a protocol, you may simply originate a default route into the protocol. To do that with RIPv2 or OSPF, use the command default-information originate. This command will always advertise a default route into RIPv2; however, it will advertise the default route into OSPF only if this route exists in the local routing table. If you want the route to be always advertised into OSPF, use the command default-information originate always. As for EIGRP, there is no special command to originate a default route there. However, you may use the command redistribute static to advertise the local static default route into EIGRP as well.


    Another important routing feature is reliable static routing. It allows you to create a special tracker that pings a destination and reports the reachability state. The tracker can be associated with a static route, making the route active only when the tracker is up. This might be very helpful with static routes, as you can track the actual reachability of the next hop. For example, you may configure a primary static route via one next hop and track that next hop's reachability. If the tracker fails, the secondary static route replaces the primary one, and the traffic will flow via the backup path.

    You configure a tracker in two steps:

    1) Creating a new SLA monitor operation (SLA = Service Level Agreement) which constantly pings a destination and reports the reachability. You may tune the following two parameters: timeout (the time to expire every probe, in ms) and frequency (how often to send the probes). The more often you ping, the faster you will detect the loss of connectivity. However, this might cause frequent flaps in case of an unstable network.

    2) Creating a tracking object using the track command and attaching it to a static route. The tracking object will reference the SLA operation number, and the static route will reference the tracking object number.

    The backup static route should point to the same destination but have a numerically higher distance, signaling its lower preference. E.g. route outside 0 0 <next-hop> <distance>. The default value is 1 and it is assigned to the primary static route.

    ASA1:
    sla monitor 1
     type echo protocol ipIcmpEcho 150.1.2.2 interface outside
     timeout 1000
     frequency 1
    sla monitor schedule 1 life forever start-time now
    !
    track 1 rtr 1 reachability
    !
    route outside 0 0 136.1.0.2 track 1
    route outside 0 0 136.1.0.3 100
    !
    router ospf 1
     redistribute rip subnets
     redistribute eigrp 1 subnets
    !
    router rip
     default-information originate
    !
    router eigrp 1
     redistribute static
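    As an added illustration of the two rules behind this configuration (a tracked route is usable only while its tracker is up, and the lowest administrative distance wins among usable routes), here is a small Python model of the SLA tracker and of the two default routes above. It is not ASA code and not part of the workbook: the probe and path behaviours, the initial Up state and the 1000 ms timeout are assumptions made for the example. It also puts numbers on the frequency trade-off the text mentions: a faster probe rate detects a dead next hop sooner, but a path that flaps every 2 s produces many more Up/Down changes at frequency 1 than at frequency 3.

```python
"""Constructed model of an ASA SLA echo tracker driving a tracked static
default route plus a floating backup; not ASA code. The probe behaviours,
the initial Up state and the 1000 ms timeout are assumptions made here."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class StaticRoute:
    next_hop: str
    distance: int = 1               # a static route's default administrative distance
    track: Optional[int] = None     # tracking object id ("route ... track <id>"), if any


@dataclass
class Tracker:
    """One 'sla monitor' echo operation with its 'track <n> rtr <n> reachability'
    object: a probe every `frequency` seconds, failed if no reply arrives within
    `timeout_ms`; reachability follows the result of the last probe."""
    frequency: int                  # seconds between probes (ASA 'frequency')
    timeout_ms: int                 # per-probe timeout in ms (ASA 'timeout')
    reachable: bool = True
    changes: int = 0                # the "N changes" counter shown by 'show track'

    def probe(self, rtt_ms: Optional[float]) -> bool:
        """rtt_ms is None when no echo reply came back at all."""
        ok = rtt_ms is not None and rtt_ms <= self.timeout_ms
        if ok != self.reachable:
            self.changes += 1
            self.reachable = ok
        return ok


def active_default(routes: List[StaticRoute], tracks: Dict[int, bool]) -> Optional[StaticRoute]:
    """Routing-table choice: discard routes whose tracker is down, then take the
    lowest administrative distance."""
    usable = [r for r in routes if r.track is None or tracks.get(r.track, False)]
    return min(usable, key=lambda r: r.distance, default=None)


Path = Callable[[int], Optional[float]]     # time in s -> echo RTT in ms, or None if lost


def run(tracker: Tracker, path: Path, duration: int) -> List[Tuple[int, bool]]:
    """Send probes at t = 0, f, 2f, ... < duration; return (t, reachable) after each."""
    timeline = []
    for t in range(0, duration, tracker.frequency):
        tracker.probe(path(t))
        timeline.append((t, tracker.reachable))
    return timeline


def detection_delay(frequency: int, path: Path, fail_at: float, duration: int = 60) -> Optional[float]:
    """Seconds from the real failure until the tracker first reports Down."""
    for t, up in run(Tracker(frequency, 1000), path, duration):
        if t >= fail_at and not up:
            return t - fail_at
    return None


def flap_count(frequency: int, path: Path, duration: int = 20) -> int:
    """Up/Down transitions an unstable path causes at the given probe rate."""
    tracker = Tracker(frequency, 1000)
    run(tracker, path, duration)
    return tracker.changes


# Constructed path behaviours for the two effects the text describes
def hard_failure(t: int) -> Optional[float]:
    return 1.0 if t < 5.5 else None                 # next hop dies 5.5 s in and stays dead


def flapping(t: int) -> Optional[float]:
    return 1.0 if (t // 2) % 2 == 0 else None       # 2 s up, 2 s down, repeating


# The configuration's two default routes: R2 tracked at distance 1, R3 floating at 100
ROUTES = [StaticRoute("136.1.0.2", 1, track=1), StaticRoute("136.1.0.3", 100)]


def default_next_hop(tracker_up: bool) -> str:
    route = active_default(ROUTES, {1: tracker_up})
    return route.next_hop if route else "none"


if __name__ == "__main__":
    print("failure detected after", detection_delay(1, hard_failure, 5.5), "s at frequency 1,",
          detection_delay(10, hard_failure, 5.5), "s at frequency 10")
    print("flaps at frequency 1:", flap_count(1, flapping), " at frequency 3:", flap_count(3, flapping))
    print("default via", default_next_hop(True), "while up, via", default_next_hop(False), "when down")
```

    Run as a script it reports a detection delay of 0.5 s at frequency 1 against 4.5 s at frequency 10 for a next hop that dies 5.5 s in, 9 state changes against 3 on the flapping path, and the default route moving from 136.1.0.2 to 136.1.0.3 as soon as track 1 goes down, which is the transition the show route outputs in the verification display.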


    Verification

    Note

    First, make sure that R2 learns redistributed routes via OSPF. Notice thatexternal OSPF routes are marked as O E2 or O E1.

    Rack1R2#show ip route ospf
         136.1.0.0/24 is subnetted, 4 subnets
    O       136.1.100.0 [110/2] via 136.1.0.3, 01:47:47, FastEthernet0/0
    O E2    136.1.121.0 [110/20] via 136.1.0.12, 00:09:07, FastEthernet0/0
    O IA    136.1.124.0 [110/11] via 136.1.0.12, 00:09:07, FastEthernet0/0
         10.0.0.0/24 is subnetted, 1 subnets
    O E2    10.0.0.0 [110/20] via 136.1.0.12, 00:09:07, FastEthernet0/0
         150.1.0.0/16 is variably subnetted, 3 subnets, 2 masks
    O E2    150.1.1.0/24 [110/20] via 136.1.0.12, 00:09:07, FastEthernet0/0
    O IA    150.1.4.4/32 [110/12] via 136.1.0.12, 00:09:07, FastEthernet0/0
    O       150.1.3.3/32 [110/2] via 136.1.0.3, 01:47:47, FastEthernet0/0

    Note

    Now test the reliable static default route. First, check the tracking object state and the next hop of the default route in the ASA routing table. While the object is up, the next hop is R2.

    Rack1ASA1# show track
    Track 1
      Response Time Reporter 1 reachability
      Reachability is Up
      3 changes, last change 00:05:32
      Latest operation return code: OK
      Latest RTT (millisecs) 1
      Tracked by:
        STATIC-IP-ROUTING 0

    Rack1ASA1# show route

    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is 136.1.0.2 to network 0.0.0.0

    C    136.1.0.0 255.255.255.0 is directly connected, outside
    O    136.1.100.0 255.255.255.0 [110/11] via 136.1.0.3, 0:00:57, outside
    C    136.1.121.0 255.255.255.0 is directly connected, inside
    C    136.1.124.0 255.255.255.0 is directly connected, dmz2
    C    10.0.0.0 255.255.255.0 is directly connected, dmz1
    R    150.1.1.0 255.255.255.0 [120/1] via 136.1.121.1, 0:00:13, inside
    O    150.1.3.3 255.255.255.255 [110/11] via 136.1.0.3, 0:00:57, outside
    O    150.1.4.4 255.255.255.255 [110/11] via 136.1.124.4, 0:00:57, dmz2
    S*   0.0.0.0 0.0.0.0 [1/0] via 136.1.0.2, outside
    Rack1ASA1#

    Note

    Now shut down R2's Loopback0 interface and see that the tracking object goes down. At the same time, the default route in the ASA now points to R3:

    Rack1R2#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Rack1R2(config)#interface loopback 0
    Rack1R2(config-if)#shutdown
    Rack1R2(config-if)#

    Rack1ASA1# show track
    Track 1
      Response Time Reporter 1 reachability
      Reachability is Down
      4 changes, last change 00:00:12
      Latest operation return code: Timeout
      Tracked by:
        STATIC-IP-ROUTING 0

    Rack1ASA1# show route

    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is 136.1.0.3 to network 0.0.0.0

    C    136.1.0.0 255.255.255.0 is directly connected, outside
    O    136.1.100.0 255.255.255.0 [110/11] via 136.1.0.3, 0:01:34, outside
    C    136.1.121.0 255.255.255.0 is directly connected, inside
    C    136.1.124.0 255.255.255.0 is directly connected, dmz2
    C    10.0.0.0 255.255.255.0 is directly connected, dmz1
    R    150.1.1.0 255.255.255.0 [120/1] via 136.1.121.1, 0:00:23, inside
    O    150.1.3.3 255.255.255.255 [110/11] via 136.1.0.3, 0:01:34, outside
    O    150.1.4.4 255.255.255.255 [110/11] via 136.1.124.4, 0:01:34, dmz2
    S*   0.0.0.0 0.0.0.0 [100/0] via 136.1.0.3, outside

    Note

    Finally, check the routing tables of R1 and R4 to see that they actually receive the default route from the ASA firewall:

    Rack1R1#show ip route rip
         136.1.0.0/24 is subnetted, 3 subnets
    R       136.1.0.0 [120/1] via 136.1.121.12, 00:00:05, FastEthernet0/0
    R       136.1.124.0 [120/1] via 136.1.121.12, 00:00:05, FastEthernet0/0
         10.0.0.0/24 is subnetted, 1 subnets
    R       10.0.0.0 [120/1] via 136.1.121.12, 00:00:05, FastEthernet0/0
    R*   0.0.0.0/0 [120/1] via 136.1.121.12, 00:00:05, FastEthernet0/0
    Rack1R1#

    Rack1R4#show ip route eigrp
    D*EX 0.0.0.0/0 [170/28416] via 136.1.124.12, 00:01:50, FastEthernet0/0


    outside) you may prevent the automatically inspected traffic from flowing across the firewall. This is because every access-list has an implicit deny all statement at the end. Most of the time you just need to apply the access-list ingress on the lower security level interfaces to permit inbound traffic, and let the stateful inspection engine do the rest of the work for you. In our example we use both outgoing and incoming access-lists for the sake of completeness.

    To properly craft an access-list you need to know your protocol mechanics in depth. For example, you should know the default service ports (e.g. for FTP, SMTP, WWW) and know how more complicated commands like traceroute work. Many protocols, like NTP or WWW, use a single port number, which you can learn by browsing the command-line help (pressing the ? key) while configuring the access-list. Note that IOS routers usually give you more information on port numbers in this manner than the ASA firewall does.

    In our task, we permit inbound NTP, FTP and WWW sessions. Note that for FTP we only open port 21. The inspection engine will automatically open holes for the passive FTP connections if needed. Note that we enable inbound ICMP echo-replies to allow the inside hosts to ping the hosts outside. By default they cannot do this, as ICMP is not inspected. Alternatively, you may enable ICMP inspection, as we will see later in the MPF tasks.

    Note the amount of work needed to permit the traceroute command (UNIX-style), which uses UDP probes. You need to allow the returning ICMP unreachables along with the outgoing UDP packets for the default traceroute port range. Note that if you don't apply an outgoing ACL, there is no need to permit the outgoing UDP packets, as those are inspected by default.


    ASA1:
    !
    ! Ingress ACL: Allow accessing the server
    !
    access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
    access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq ftp
    access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
    !
    ! Allow pings across the firewall
    !
    access-list OUTSIDE_IN extended permit icmp any any echo
    access-list OUTSIDE_IN extended permit icmp any any echo-reply
    !
    ! Allow traceroute return packets
    !
    access-list OUTSIDE_IN extended permit icmp any any time-exceeded
    access-list OUTSIDE_IN extended permit icmp any any unreachable
    !
    ! Egress ACL: permit ping packets
    !
    access-list OUTSIDE_OUT extended permit icmp any any echo
    access-list OUTSIDE_OUT extended permit icmp any any echo-reply
    !
    ! Permit outgoing traceroute packets
    !
    access-list OUTSIDE_OUT extended permit udp any any range 33434 33464
    access-list OUTSIDE_OUT extended permit tcp any any eq ftp
    !
    ! Permit telnet and HTTP access
    !
    access-list OUTSIDE_OUT extended permit tcp any any eq telnet
    access-list OUTSIDE_OUT extended permit tcp any any eq www
    !
    ! Apply the access-lists
    !
    access-group OUTSIDE_IN in interface outside
    access-group OUTSIDE_OUT out interface outside


    Verification

    Note

    Verification consists of simulating the required traffic types and seeing whether they pass across the firewall. Note that you can use debug icmp trace to see whether the ICMP packets get across the firewall, but we don't use the command here.

    Rack1R2#ping 10.0.0.100

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

    Rack1R2#ping 136.1.121.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 136.1.121.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

    Note

    For HTTP, simulate a GET request by connecting on port 80 using the telnet command. Terminate the connection by pressing Ctrl-Shift-6 then x, and then typing disconnect 1. You can also telnet to port 21 to see whether the FTP banner appears.

    Rack1R2#telnet 10.0.0.100 80
    Trying 10.0.0.100, 80 ... Open
    get / http/1.1

    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0
    Date: Sat, 06 Jan 2007 11:22:27 GMT
    Content-Type: text/html
    Content-Length: 87

    Error The parameter is incorrect.

    [Connection to 10.0.0.100 closed by foreign host]

    Rack1R2#telnet 10.0.0.100 21
    Trying 10.0.0.100, 21 ... Open
    220 IESERVER1 Microsoft FTP Service (Version 5.0).

    Rack1R2#disc 1
    Closing connection to 10.0.0.100 [confirm]

    Note

    Try connecting to the AAA/CA server on any port not opened in the ACLs and see that the connection times out (the firewall simply drops the packets). Ensure that telnet to R2 still works.

    Rack1R2#telnet 10.0.0.100 25
    Trying 10.0.0.100, 25 ...
    % Connection timed out; remote host not responding

    Rack1R1#telnet 136.1.122.2
    Trying 136.1.122.2 ... Open

    User Access Verification

    Password: cisco
    Rack1R2>

    Note

    Repeat the verifications from R1:

    Rack1R1#ping 136.1.122.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 136.1.122.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

    Rack1R1#ping 10.0.0.100

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    Rack1R1#telnet 10.0.0.100 80
    Trying 10.0.0.100, 80 ... Open
    get / http/1.1

    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0
    Date: Sat, 06 Jan 2007 11:25:59 GMT
    Content-Type: text/html
    Content-Length: 87

    Error The parameter is incorrect. [Connection to 10.0.0.100 closed by foreign host]

    Note

    Now test the traceroute command from R1 and see that it works:

    Rack1R1#traceroute 136.1.122.2

    Type escape sequence to abort.
    Tracing the route to 136.1.122.2

      1 136.1.122.2 0 msec * 0 msec

    Note

    Finally, check the access-list counters in the ASA firewall (look for hitcnt):

    Rack1ASA1# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list OUTSIDE_IN; 7 elements
    access-list OUTSIDE_IN line 1 extended permit tcp any host 10.0.0.100 eq www (hitcnt=1) 0x59f08b76
    access-list OUTSIDE_IN line 2 extended permit tcp any host 10.0.0.100 eq ftp (hitcnt=1) 0x8997bedf
    access-list OUTSIDE_IN line 3 extended permit udp any host 10.0.0.100 eq ntp (hitcnt=0) 0x8189f120
    access-list OUTSIDE_IN line 4 extended permit icmp any any echo-reply (hitcnt=10) 0xc857b49e
    access-list OUTSIDE_IN line 5 extended permit icmp any any time-exceeded (hitcnt=0) 0xc3b80d
    access-list OUTSIDE_IN line 6 extended permit icmp any any unreachable (hitcnt=5) 0xec6c9a23
    access-list OUTSIDE_IN line 7 extended permit icmp any any echo (hitcnt=70) 0x869bdf05
    access-list OUTSIDE_OUT; 6 elements
    access-list OUTSIDE_OUT line 1 extended permit icmp any any echo (hitcnt=10) 0x4006da3f
    access-list OUTSIDE_OUT line 2 extended permit udp any any range 33434 33464 (hitcnt=7) 0xde5f72ee
    access-list OUTSIDE_OUT line 3 extended permit tcp any any eq ftp (hitcnt=0) 0xf47b788
    access-list OUTSIDE_OUT line 4 extended permit tcp any any eq telnet (hitcnt=3) 0x2be5bbfe
    access-list OUTSIDE_OUT line 5 extended permit tcp any any eq www (hitcnt=0) 0x8a4b160e
    access-list OUTSIDE_OUT line 6 extended permit icmp any any echo-reply (hitcnt=15) 0xd6d9967


    1.7 Object Groups

    Create the following object groups:

    o SERVERS containing the host 10.0.0.100.
    o ROUTERS containing the network 136.X.121.0/24.
    o COMMON_ICMP containing the ICMP types corresponding to the ping and UNIX-style traceroute commands.
    o TRC_PORTS containing the range of UDP ports 33434-33464.
    o SERVER_PORTS containing the TCP ports for HTTP and FTP.
    o ROUTER_PORTS containing the TCP ports corresponding to Telnet/SSH in addition to port 7001.

    Reduce the size of the previously created access-lists using the object groups just created.

    Configuration

    Note

    Object groups simplify large access-list configurations. You can group objects of a similar nature (e.g. a set of networks and hosts, a collection of TCP ports, a list of ICMP message types) and then reference them in access-lists. Thus, instead of working with addresses and port numbers, you work with higher-level objects that reflect the logical structure of your network. For example, you may have the object groups PUBLIC_HOSTING, listing the publicly accessible servers, and MANAGEMENT_SEGMENT, listing the management stations, along with a PUBLIC_PORTS group listing the FTP, WWW and HTTPS ports. By building your access-lists out of object groups, you make them more readable and manageable, as you don't need to add new ACL entries for every new public server.

    Object groups are very intuitive to use, and most of the time you will not face any problems creating and configuring access-lists with them. However, remember that object groups are good for use with interface access-lists, not the access-lists used to build VPN proxy identities, such as split ACLs.


    ASA1:
    !
    ! Define object groups
    !
    object-group network ROUTERS
     network-object 136.1.121.0 255.255.255.0
    !
    object-group network SERVERS
     network-object host 10.0.0.100
    !
    object-group icmp-type COMMON_ICMP
     icmp-object echo
     icmp-object echo-reply
     icmp-object time-exceeded
     icmp-object unreachable
    !
    object-group service TRC_PORTS udp
     port-object range 33434 33464
    !
    object-group service SERVER_PORTS tcp
     port-object eq www
     port-object eq ftp
    !
    object-group service ROUTER_PORTS tcp
     port-object eq telnet
     port-object eq ssh
     port-object eq 7001
    !
    clear configure access-list OUTSIDE_IN
    !
    ! Define access-lists
    !
    access-list OUTSIDE_IN permit icmp any any obj COMMON_ICMP
    access-list OUTSIDE_IN permit udp any any obj TRC_PORTS
    access-list OUTSIDE_IN permit tcp any obj SERVERS obj SERVER_PORTS
    access-list OUTSIDE_IN permit tcp any obj ROUTERS obj ROUTER_PORTS
    !
    access-list OUTSIDE_OUT permit icmp any any obj COMMON_ICMP
    access-list OUTSIDE_OUT permit udp any any obj TRC_PORTS
    access-list OUTSIDE_IN permit tcp any any obj SERVER_PORTS
    access-list OUTSIDE_IN permit tcp any any obj ROUTER_PORTS
    !
    ! Apply the access-lists
    !
    access-group OUTSIDE_IN in interface outside
    access-group OUTSIDE_OUT out interface outside
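    Both the access-list mechanics of the previous task (first match wins, and an implicit deny everything closes every list) and the object-group expansion this task's verification displays can be exercised with the following Python model. It is an added example, not ASA code and not part of the workbook: it parses only the object-group and access-list syntax used in this section (accepting the workbook's obj abbreviation as well as object-group), resolves a constructed subset of the ASA's service and ICMP keywords, expands each entry into the individual elements that show access-list lists, and evaluates a packet against a list the way the firewall does. Fed the configuration above exactly as entered, it yields 15 elements for OUTSIDE_IN, the count the verification shows, because the last two access-list lines are entered under OUTSIDE_IN; OUTSIDE_OUT, which the model only sees through these new lines, gets the five ICMP and UDP elements.

```python
"""Constructed model of ASA object-group expansion and first-match access-list
evaluation with the trailing implicit deny. Not ASA code; only the syntax used
in this section of the workbook is handled."""
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network as Net

# Keyword values the ASA resolves by name (a constructed subset)
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "ssh": 22, "ntp": 123, "smtp": 25}
ICMP_NAMES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}
Ace = namedtuple("Ace", "action proto src dst lo hi")  # lo..hi: dst port or ICMP type range
GROUPS_CFG = """object-group network ROUTERS
 network-object 136.1.121.0 255.255.255.0
object-group network SERVERS
 network-object host 10.0.0.100
object-group icmp-type COMMON_ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service TRC_PORTS udp
 port-object range 33434 33464
object-group service SERVER_PORTS tcp
 port-object eq www
 port-object eq ftp
object-group service ROUTER_PORTS tcp
 port-object eq telnet
 port-object eq ssh
 port-object eq 7001"""
# The task's access-lists exactly as the workbook enters them (the last two
# lines are entered under OUTSIDE_IN, which is why that list shows 15 elements)
ACL_CFG = """access-list OUTSIDE_IN permit icmp any any obj COMMON_ICMP
access-list OUTSIDE_IN permit udp any any obj TRC_PORTS
access-list OUTSIDE_IN permit tcp any obj SERVERS obj SERVER_PORTS
access-list OUTSIDE_IN permit tcp any obj ROUTERS obj ROUTER_PORTS
access-list OUTSIDE_OUT permit icmp any any obj COMMON_ICMP
access-list OUTSIDE_OUT permit udp any any obj TRC_PORTS
access-list OUTSIDE_IN permit tcp any any obj SERVER_PORTS
access-list OUTSIDE_IN permit tcp any any obj ROUTER_PORTS"""


def _value(tok, names):
    return names[tok] if tok in names else int(tok)


def load_groups(config):
    """Parse object-group network/service/icmp-type blocks into member lists."""
    groups = {"network": {}, "service": {}, "icmp-type": {}}
    members = []
    for t in (line.split() for line in config.splitlines()):
        if not t:
            continue
        if t[0] == "object-group":                  # object-group <kind> <name> [proto]
            members = groups[t[1]][t[2]] = []
        elif t[0] == "network-object":              # "host A" or "A MASK"
            members.append(Net(f"{t[2]}/32" if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] in ("port-object", "icmp-object"):    # eq P | range P1 P2 | ICMP type
            names = ICMP_NAMES if t[0] == "icmp-object" else PORT_NAMES
            lo = _value(t[-2] if t[1] == "range" else t[-1], names)
            members.append((lo, _value(t[-1], names)))
    return groups


def _addr(t, i, groups):
    """Address term at t[i]: any | host A | obj NAME | A MASK -> (networks, next index)."""
    if t[i] == "any":
        return [Net("0.0.0.0/0")], i + 1
    if t[i] in ("obj", "object-group"):             # the workbook abbreviates object-group
        return groups["network"][t[i + 1]], i + 2
    return [Net(f"{t[i + 1]}/32" if t[i] == "host" else f"{t[i]}/{t[i + 1]}")], i + 2


def _ports(t, i, proto, groups):
    """Optional destination port / ICMP type term at t[i]; absent means every value."""
    if i >= len(t):
        return [(0, 65535)]
    if t[i] in ("obj", "object-group"):
        return groups["icmp-type" if proto == "icmp" else "service"][t[i + 1]]
    names = ICMP_NAMES if proto == "icmp" else PORT_NAMES
    lo = _value(t[i + 1] if t[i] in ("eq", "range") else t[i], names)  # bare token: ICMP type
    return [(lo, _value(t[i + 2], names) if t[i] == "range" else lo)]


def expand(acl_config, groups):
    """Each access-list as its ordered list of expanded elements (what show access-list lists)."""
    acls = {}
    for t in (line.split() for line in acl_config.splitlines()):
        if not t or t[0] != "access-list":
            continue
        i = 3 if t[2] == "extended" else 2          # the "extended" keyword is optional
        action, proto = t[i], t[i + 1]
        srcs, i = _addr(t, i + 2, groups)
        dsts, i = _addr(t, i, groups)
        for lo, hi in _ports(t, i, proto, groups):
            acls.setdefault(t[1], []).extend(Ace(action, proto, s, d, lo, hi) for s in srcs for d in dsts)
    return acls


def evaluate(acl, proto, src, dst, value):
    """First matching element decides; no match falls through to the implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in acl:
        if ace.proto in (proto, "ip") and s in ace.src and d in ace.dst and ace.lo <= value <= ace.hi:
            return ace.action
    return "deny"


def expanded_acls():
    return expand(ACL_CFG, load_groups(GROUPS_CFG))
```

    Evaluating the expanded OUTSIDE_IN list, a TCP connection from 136.1.122.2 to 10.0.0.100 port 80 is permitted while port 25 falls through to the implicit deny, which is the timed-out telnet test of the previous task; the same functions handle the plain host/eq syntax of that task's access-lists, where every line expands to exactly one element.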


    Verification

    Note

    Use the same verifications that you did in the previous task. Only the output of the show access-list command has changed, reflecting the object groups. It now displays each object-group entry together with all the access-list elements resulting from its expansion.

    Rack1ASA1# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list OUTSIDE_IN; 15 elements
    access-list OUTSIDE_IN line 1 extended permit icmp any any object-group COMMON_ICMP 0x8ced5a
    access-list OUTSIDE_IN line 1 extended permit icmp any any echo (hitcnt=10) 0x869bdf05
    access-list OUTSIDE_IN line 1 extended permit icmp any any echo-reply (hitcnt=5) 0xc857b49e
    access-list OUTSIDE_IN line 1 extended permit icmp any any time-exceeded (hitcnt=0) 0xc3b80d
    access-list OUTSIDE_IN line 1 extended permit icmp any any unreachable (hitcnt=2) 0xec6c9a23
    access-list OUTSIDE_IN line 2 extended permit udp any any object-group TRC_PORTS 0x2a19bcff
    access-list OUTSIDE_IN line 2 extended permit udp any any range 33434 33464 (hitcnt=3) 0x61e01ad


    1.8 Administrative Access

    Permit telnet access to the ASA unit from the inside subnet (136.X.121.0/24).

    Permit ssh access to the ASA unit from the outside subnet (136.X.122.0/24).

    Permit users to access the ASDM feature from host 10.0.0.100.

    Configuration

    Note

    You can access the ASA firewall unit remotely using three main access paths: SSH (secure shell), telnet (unencrypted connection) and ASDM via HTTPS (the firewall does not support