Difference between revisions of "Cisco ASA"

From HackerNet
Jump to: navigation, search
m
Line 5: Line 5:
 
Grunder
 
Grunder
 
  conf t
 
  conf t
hostname ASA
+
  hostname ASA
 
IP adress
 
IP adress
 
  int e0/0
 
  int e0/0
mac-address 0011.2233.4455
+
  mac-address 0011.2233.4455
security-level 100
+
  security-level 100
nameif inside
+
  nameif inside
ip address 10.0.0.1 255.255.255.0
+
  ip address 10.0.0.1 255.255.255.0
no shut
+
  no shut
exit
 
 
Default route och DNS
 
Default route och DNS
 
  route outside 0.0.0.0 0.0.0.0 190.10.160.1 1
 
  route outside 0.0.0.0 0.0.0.0 190.10.160.1 1
Line 42: Line 41:
 
Man kan sedan 9.5 lägga management-interface i en egen routingtabell.
 
Man kan sedan 9.5 lägga management-interface i en egen routingtabell.
 
  int gi0/1
 
  int gi0/1
management-only
+
  management-only
 
  show route management-only
 
  show route management-only
 
  show asp table routing management-only
 
  show asp table routing management-only
Line 69: Line 68:
 
Alternativt
 
Alternativt
 
  policy-map global_policy
 
  policy-map global_policy
class inspection_default
+
  class inspection_default
inspect icmp
+
  inspect icmp
  
 
===Traceroute===
 
===Traceroute===
Line 132: Line 131:
  
 
==DHCP==
 
==DHCP==
 +
[[Cisco DHCP]]
 
===Klient===
 
===Klient===
 
  int e0/0
 
  int e0/0
ip address dhcp setroute
+
  ip address dhcp setroute
 
  exit
 
  exit
 
  dhcp-client client-id interface outside
 
  dhcp-client client-id interface outside
 +
 
===Server===
 
===Server===
 
  dhcpd address 10.0.0.50-10.0.0.60 inside
 
  dhcpd address 10.0.0.50-10.0.0.60 inside
 
  dhcpd enable inside
 
  dhcpd enable inside
 
  dhcpd dns 8.8.8.8 interface inside
 
  dhcpd dns 8.8.8.8 interface inside
''OBS ASA don't repond to unicast dhcp requests''
+
''OBS ASA doesn't respond to unicast dhcp requests''
  
 
==NAT==
 
==NAT==
 
===PAT===
 
===PAT===
 
  nat (inside,outside) 1 source dynamic any interface
 
  nat (inside,outside) 1 source dynamic any interface
 +
 
===Dynamic===
 
===Dynamic===
object network inside_10
 
subnet 10.0.0.0 255.255.255.0
 
 
  object network outside-pool
 
  object network outside-pool
range 193.10.161.190 193.10.161.199
+
  range 193.10.161.190 193.10.161.199
 
  object network inside_10
 
  object network inside_10
nat (inside,any) dynamic outside-pool
+
  subnet 10.0.0.0 255.255.255.0
 +
  nat (inside,any) dynamic outside-pool
 +
 
 
===Static===
 
===Static===
object network dmz_server
 
host 172.16.0.5
 
 
  object network dmz_global
 
  object network dmz_global
host 193.10.161.31
+
  host 193.10.161.31
 
  object network dmz_server
 
  object network dmz_server
nat (dmz,outside) static dmz_global
+
  host 172.16.0.5
 +
  nat (dmz,outside) static dmz_global
 +
 
 
===Exempt===
 
===Exempt===
 
  object network LAN1
 
  object network LAN1
Line 167: Line 169:
 
  nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2
 
  nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2
 
''1an är viktig så att regeln hamnar först''
 
''1an är viktig så att regeln hamnar först''
===Show===
+
 
 +
===Verify===
 
  show run nat
 
  show run nat
  
 
==Port Forwarding==
 
==Port Forwarding==
 
  object network websrv  
 
  object network websrv  
host 10.1.1.3
+
  host 10.1.1.3
nat (inside,outside) static interface service tcp 80 80
+
  nat (inside,outside) static interface service tcp 80 80
 
  exit
 
  exit
 
  access-list outside_access_in permit tcp any object websrv eq http
 
  access-list outside_access_in permit tcp any object websrv eq http
Line 192: Line 195:
 
===OSPF===
 
===OSPF===
 
  router ospf 1
 
  router ospf 1
area 1
+
  area 1
network 10.0.0.0 255.255.255.0 area 1
+
  network 10.0.0.0 255.255.255.0 area 1
  
 
===RIP===
 
===RIP===
 
  router rip
 
  router rip
no auto-summary
+
  no auto-summary
version 2
+
  version 2
network 10.0.0.0
+
  network 10.0.0.0
  
 
===EIGRP===
 
===EIGRP===
 
  router eigrp 1
 
  router eigrp 1
network 10.0.0.0 255.255.255.0
+
  network 10.0.0.0 255.255.255.0
 +
 
 +
===BGP===
 +
Ska man köra BGP genom en ASA måste man stänga av att TCP option 19 strippas vilket det gör default. Samt måste TCP sequence number randomization stängas av.
 +
 
 +
access-list BGP extended permit tcp any eq bgp any
 +
access-list BGP extended permit tcp any any eq bgp
 +
tcp-map BGP
 +
tcp-options range 19 19 allow
 +
  class-map BGP
 +
  match access-list BGP
 +
policy-map global_policy
 +
  class BGP
 +
  set connection advanced-options BGP
 +
  set connection random-sequence-number disable
  
 
==Modular Policy Framework==
 
==Modular Policy Framework==
Line 272: Line 289:
 
==EtherChannel==
 
==EtherChannel==
 
  interface e0/2
 
  interface e0/2
channel-group mode Active
+
  channel-group mode Active
 
  interface e0/3
 
  interface e0/3
channel-group mode Active
+
  channel-group mode Active
 
  interface port-channel1
 
  interface port-channel1
port-channel load-balance src-port
+
  port-channel load-balance src-port
port-channel min-bundle 1
+
  port-channel min-bundle 1
lacp max-bundle 8
+
  lacp max-bundle 8
duplex auto
+
  duplex auto
speed auto
+
  speed auto
nameif DMZ
+
  nameif DMZ
security-level 50
+
  security-level 50
ip add 10.0.10.1 255.255.255.0
+
  ip add 10.0.10.1 255.255.255.0
no shut
+
  no shut
exit
 
  
 
===Redundancy===
 
===Redundancy===
 
Samma som etherchannel fast endast ett ben är aktivt i taget. Användbart om asan är kopplad till 2 switchar utan [[Arista_MLAG|MLAG]] (t.ex. [[Nexus_vPC|vPC]]).
 
Samma som etherchannel fast endast ett ben är aktivt i taget. Användbart om asan är kopplad till 2 switchar utan [[Arista_MLAG|MLAG]] (t.ex. [[Nexus_vPC|vPC]]).
 
  interface e0/4
 
  interface e0/4
no shut
+
  no shut
 
  interface e0/5
 
  interface e0/5
no shut
+
  no shut
 
  interface redundant1
 
  interface redundant1
member interface e0/4
+
  member interface e0/4
member interface e0/5
+
  member interface e0/5
nameif outside
+
  nameif outside
security-level
+
  security-level
ip address 193.10.161.31
+
  ip address 193.10.161.31
no shut
+
  no shut
exit
 
  
 
==Transparent - 5505==
 
==Transparent - 5505==
Line 327: Line 342:
 
  aaa-server OUR-GROUP protocol radius
 
  aaa-server OUR-GROUP protocol radius
 
  aaa-server OUR-GROUP (inside) host 10.0.0.50
 
  aaa-server OUR-GROUP (inside) host 10.0.0.50
key ********
+
  key ********
radius-common-pw *********
+
  radius-common-pw *********
exit
+
  exit
  
 
===Cut-through User AAA===
 
===Cut-through User AAA===

Revision as of 12:21, 18 April 2016

Adaptive Security Appliance är Ciscos VPN- och brandväggsenhet. Detta är skrivet för 8.4 och senare.
Hårdvara och mjukvara kompatibilitet

Konfiguration

Grunder

conf t
 hostname ASA

IP adress

int e0/0
 mac-address 0011.2233.4455
 security-level 100
 nameif inside
 ip address 10.0.0.1 255.255.255.0
 no shut

Default route och DNS

route outside 0.0.0.0 0.0.0.0 190.10.160.1 1
same-security-traffic permit inter-interface
dns domain-lookup outside
dns name-server 8.8.8.8

ASDM

ASDM är en javamjukvara man kan använda för GUI till ASA.

asdm image disk0:/asdm-752.bin
show asdm image

Slå på det och vitlista IP/nät som får ansluta.

http server enable
http 10.0.0.0 255.255.255.0 inside

Skapa användare så att det går att logga in. Peka autentisering mot lokal databas.

username admin password cisco privilege 15
aaa authentication http console LOCAL

SSH

ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
aaa authentication ssh console LOCAL
domain-name inhouse.local
crypto key generate rsa modulus 2048

Mgmt VRF

Man kan sedan 9.5 lägga management-interface i en egen routingtabell.

int gi0/1
 management-only
show route management-only
show asp table routing management-only

Management access

Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med:

management-access inside

Upgrade

copy http://<webbserver.se>/filer/asa952-smp-k8.bin disk0:/
boot system disk0:/asa952-smp-k8.bin
show bootvar
wr
reload

Reset

clear configure all
crypto key zeroize rsa

Setup basic firewall

configure factory-default

Diverse

ICMP-inspection

Default så är inte icmp-inspection påslaget.

fixup protocol icmp

Alternativt

policy-map global_policy
 class inspection_default
  inspect icmp

Traceroute

Tillåt traceroute genom en ASA

access-list ACL extended permit icmp any any time-exceeded
access-list ACL extended permit icmp any any unreachable

Accelerated Security Path

show asp drop
capture asp-drop type asp-drop all
show capture asp-drop

ARP Inspection

arp inside 193.10.161.37 0c0c.0c0c.0c03 alias
---

Botnet Filtering

#köp licens
#Enable DNS Client

NTP

clock timezone CEST 1 0
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 60
ntp server 94.199.180.200 source outside
show ntp status

uRPF

ip verify reverse-path interface outside
show run ip verify reverse-path

Logging

logging enable
logging console 4

Certificate Management

show crypto ca certificate
(config) crypto ca export
show crypto key mypubkey rsa

Jumbo Frames

jumbo frame-reservation
mtu inside 9000
mtu outside 9000

Global Timeouts

timeout xlate 10:00:00
timeout uauth 10:00:00 absolute
timeout uauth 09:00:00 inactivity

Permanent Self-Signed Certificate

crypto ca trustpoint ASDM_TrustPoint0
id-usage ssl-ipsec
no fqdn
subject-name CN=ASA
enrollment self
crypto ca enroll ASDM_TrustPoint0 noconfirm

SNMP

snmp-server host inside 10.0.0.50 community PUBLIC version 2c
show snmp-server oidlist   #"hidden command"

DHCP

Cisco DHCP

Klient

int e0/0
 ip address dhcp setroute
exit
dhcp-client client-id interface outside

Server

dhcpd address 10.0.0.50-10.0.0.60 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside

OBS ASA doesn't respond to unicast dhcp requests

NAT

PAT

nat (inside,outside) 1 source dynamic any interface

Dynamic

object network outside-pool
 range 193.10.161.190 193.10.161.199
object network inside_10
 subnet 10.0.0.0 255.255.255.0
 nat (inside,any) dynamic outside-pool

Static

object network dmz_global
 host 193.10.161.31
object network dmz_server
 host 172.16.0.5
 nat (dmz,outside) static dmz_global

Exempt

object network LAN1
 subnet 1.1.1.0 255.255.255.0
object network LAN2
 subnet 2.2.2.0 255.255.255.0
nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2

1an är viktig så att regeln hamnar först

Verify

show run nat

Port Forwarding

object network websrv 
 host 10.1.1.3
 nat (inside,outside) static interface service tcp 80 80
exit
access-list outside_access_in permit tcp any object websrv eq http

ACL

access-list ACL1 permit tcp any object dmz_server eq http
access-list ACL1 line 15 permit tcp any object dmz_server eq https
access-group ACL1 in interface outside
show access-list ACL1

Matcha på DNS-namn

object network hackernet.se
 fqdn v4 hackernet.se

Routing

Static

route inside 10.0.1.0 255.255.255.0 {next hop address} 10

OSPF

router ospf 1
 area 1
 network 10.0.0.0 255.255.255.0 area 1

RIP

router rip
 no auto-summary
 version 2
 network 10.0.0.0

EIGRP

router eigrp 1
 network 10.0.0.0 255.255.255.0

BGP

Ska man köra BGP genom en ASA måste man stänga av att TCP option 19 strippas vilket det gör default. Samt måste TCP sequence number randomization stängas av.

access-list BGP extended permit tcp any eq bgp any
access-list BGP extended permit tcp any any eq bgp
tcp-map BGP
tcp-options range 19 19 allow
 class-map BGP
  match access-list BGP
policy-map global_policy
 class BGP
  set connection advanced-options BGP
  set connection random-sequence-number disable

Modular Policy Framework

Application Inspection

access-list dmz_ftp permit tcp any any eq ftp

Class Map

class-map FTP-class-MAP
match access-list dmz_ftp

Policy Map

policy-map FTP-policy-MAP
class FTP-class-MAP
inspect ftp

Service Policy

service-policy FTP-policy-MAP interface dmz

QoS

priority-queue inside

Class Map

class-map VOIP
match dscp 46

Policy Map

policy-map inside-policy
class VOIP
priority

Service Policy

service-policy inside-policy interface inside

Tweaking Connections

access-list ACL1 permit tcp any object dmz_server eq http
class-map TCP-Sessions
match access-list ACL1
policy-map Conn-Limits
class TCP-Sessions
set connection conn-max 500 embryonic-conn-max 50
set connection timeout embryonic 0:05:00 half-closed 0:10:00
service-policy Conn-Limits interface outside

TCP Intercept

access-list ACL1 permit tcp any object dmz_server eq http
class-map no-syn-flood-class
match access-list ACL1
policy-map NO-SYN-FLOOD
class no syn-flood-class
set connection embryonic-conn-max 50
service-policy NO-SYN-FLOOD interface outside 

Advanced Application Inspection - HTTP

policy-map type inspect http http-inspect-pmap
parameters
protocol-violation action dropconnection log
match req-resp content-type mismatch
drop-connection log
policy-map global_policy
class inspection_default
inspect http http-inspect-pmap

VLAN - !5505

int e0/2
no shut
int e0/2.10
vlan 10
security-level 100
nameif VLAN10
ip add 10.0.10.1 255.255.255.0
no shut
exit

EtherChannel

interface e0/2
 channel-group mode Active
interface e0/3
 channel-group mode Active
interface port-channel1
 port-channel load-balance src-port
 port-channel min-bundle 1
 lacp max-bundle 8
 duplex auto
 speed auto
 nameif DMZ
 security-level 50
 ip add 10.0.10.1 255.255.255.0
 no shut

Redundancy

Samma som etherchannel fast endast ett ben är aktivt i taget. Användbart om asan är kopplad till 2 switchar utan MLAG (t.ex. vPC).

interface e0/4
 no shut
interface e0/5
 no shut
interface redundant1
 member interface e0/4
 member interface e0/5
 nameif outside
 security-level
 ip address 193.10.161.31
 no shut

Transparent - 5505

firewall transparent
int BVI 1
ip add 193.10.161.38 255.255.255.0
exit
int e0/0
switchport access vlan 1
no shut
int e0/1
switchport access vlan 2
no shut
interface vlan 1
security-level 100
nameif inside
bridge-group 1
no shut
interface vlan 2
security-level 0
nameif outside
bridge-group 1
no shut

AAA

aaa-server OUR-GROUP protocol radius
aaa-server OUR-GROUP (inside) host 10.0.0.50
 key ********
 radius-common-pw *********
 exit

Cut-through User AAA

access-list outside_authentication permit tcp any object dmz-server eq http
username bob password cisco priv 2
username bob attributes
service-type remote-access
exit
aaa authentication match outside_authentication outside LOCAL

Failover

#Criteria
ASA1
int e0/0
ip address 193.10.161.38 255.255.254.0 standby 193.10.161.39
int e0/1
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover lan interface Fail-1 e0/3
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco
failover link Fail-2 e0/4
failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2
failover replication http
failover lan unit primary
failover mac address e0/0 0000.1111.2222 0000.3333.4444
failover

ASA2
int e0/3
no shut
exit
failover lan interface Fail-1 e0/3
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco
failover lan unit secondary
failover

Virtual Firewall

mode multiple
changeto context admin
changeto system
mac-address auto
class silver
limit resource asdm 3
context newcontext
member silver
allocate-interface e0/3
allocate-interface e0/4
config-url disk0:/newcontext.cfg

Save in all contexts

wr mem all

Active/Active Failover

changeto system
prompt hostname priority
failover group 1
primary
preempt 120
exit
failover group 2
secondary
preempt 120
exit
context Ctx-1
join-failover-group 1
exit
context Ctx-2
join-failover-group 2
exit
int e0/4
no shut
int e0/5
no shut
exit
failover lan unit primary
failover lan interface Fail-1 e0/4
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover link Fail-2 e0/4
failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2
failover

int e0/3
no shut
exit
failover lan unit secondary
failover lan interface Fail-1 e0/3
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover

SLA

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

VPN

Se ASA VPN

REST API

Man kan lägga till en agent så att ASAn får ett REST API.

copy http://<webbserver>/asa-restapi-122-lfbff-k8.SPA disk0:
rest-api image disk0:/asa-restapi-122-lfbff-k8.SPA
rest-api agent

Sedan behöver webbservern konfigureras om inte det är gjort, se ASDM

Använd en REST-klient (Firefox/Chrome)

https:<asa-ip>/api/objects/networkobjects

Docs

Följer med agenten

https://<asa-ip>/doc/