Cisco ASA
Adaptive Security Appliance är Ciscos VPN- och brandväggsenhet. Detta är skrivet för 8.4 och senare.
Hårdvara och mjukvara kompabilitet
Contents
Konfiguration
Grunder
conf t hostname ASA
IP adress
int e0/0 mac-address 0011.2233.4455 security-level 100 nameif inside ip address 10.0.0.1 255.255.255.0 no shut exit
Default route och DNS
route outside 0.0.0.0 0.0.0.0 190.10.160.1 1 same-security-traffic permit inter-interface dns domain-lookup outside dns name-server 8.8.8.8
ASDM
ASDM är en javamjukvara man kan använda för GUI till ASA. Slå på det och vitlista IP/nät.
http server enable http 10.0.0.0 255.255.255.0 inside
Skapa användare så att det går att logga in. Peka autentisering mot lokal databas.
username admin password cisco privilege 15 aaa authentication http console LOCAL
SSH
ssh 10.0.0.0 255.255.255.0 inside ssh timeout 60 ssh version 2 aaa authentication ssh console LOCAL domain-name inhouse.local crypto key generate rsa modulus 2048
Mgmt VRF
Man kan sedan 9.5 lägga management-interface i en egen routingtabell.
int gi0/1 management-only show route management-only
Diverse
ICMP-inspection
Default så är inte icmp-inspection påslaget.
fixup protocol icmp
Alternativt
policy-map global_policy class inspection_default inspect icmp
ARP Inspection
arp inside 193.10.161.37 0c0c.0c0c.0c03 alias ---
Management access
Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med:
management-access inside
Botnet Filtering
#köp licens #Enable DNS Client
NTP
clock timezone CEST 1 0 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 60 ntp server 94.199.180.200 source outside
uRPF
ip verify reverse-path interface outside
Logging
logging enable logging console 4
Certificate Management
show crypto ca certificate (config) crypto ca export show crypto key mypubkey rsa
Jumbo Frames
jumbo frame-reservation mtu inside 9000 mtu outside 9000
Global Timeouts
timeout xlate 10:00:00 timeout uauth 10:00:00 absolute timeout uauth 09:00:00 inactivity
Permanent Self-Signed Certificate
crypto ca trustpoint ASDM_TrustPoint0 id-usage ssl-ipsec no fqdn subject-name CN=ASA enrollment self crypto ca enroll ASDM_TrustPoint0 noconfirm
SNMP
snmp-server host inside 10.0.0.50 community PUBLIC version 2c show snmp-server oidlist #"hidden command"
DHCP
Klient
int e0/0 ip address dhcp setroute exit dhcp-client client-id interface outside
Server
dhcpd address 10.0.0.50-10.0.0.60 inside dhcpd enable inside dhcpd dns 8.8.8.8 interface inside
OBS ASA don't repond to unicast dhcp requests
NAT
PAT
nat (inside,outside) 1 source dynamic any interface
Dynamic
object network inside_10 subnet 10.0.0.0 255.255.255.0 object network outside-pool range 193.10.161.190 193.10.161.199 object network inside_10 nat (inside,any) dynamic outside-pool
Static
object network dmz_server host 172.16.0.5 object network dmz_global host 193.10.161.31 object network dmz_server nat (dmz,outside) static dmz_global
Exempt
object network LAN1 subnet 1.1.1.0 255.255.255.0 object network LAN2 subnet 2.2.2.0 255.255.255.0 nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2
1an är viktig så att regeln hamnar först
Show
show run nat
Port Forwarding
object network websrv host 10.1.1.3 nat (inside,outside) static interface service tcp 80 80 exit access-list outside_access_in permit tcp any object websrv eq http
ACL
access-list ACL1 permit tcp any object dmz_server eq http access-group ACL1 in interface outside
Routing
Static
route inside 10.0.1.0 255.255.255.0 {next hop address} 10
OSPF
router ospf 1 area 1 network 10.0.0.0 255.255.255.0 area 1
RIP
router rip no auto-summary version 2 network 10.0.0.0
EIGRP
router eigrp 1 network 10.0.0.0 255.255.255.0
Modular Policy Framework
Application Inspection
access-list dmz_ftp permit tcp any any eq ftp
Class Map
class-map FTP-class-MAP match access-list dmz_ftp
Policy Map
policy-map FTP-policy-MAP class FTP-class-MAP inspect ftp
Service Policy
service-policy FTP-policy-MAP interface dmz
QoS
priority-queue inside
Class Map
class-map VOIP match dscp 46
Policy Map
policy-map inside-policy class VOIP priority
Service Policy
service-policy inside-policy interface inside
Tweaking Connections
access-list ACL1 permit tcp any object dmz_server eq http class-map TCP-Sessions match access-list ACL1 policy-map Conn-Limits class TCP-Sessions set connection conn-max 500 embryonic-conn-max 50 set connection timeout embryonic 0:05:00 half-closed 0:10:00 service-policy Conn-Limits interface outside
TCP Intercept
access-list ACL1 permit tcp any object dmz_server eq http class-map no-syn-flood-class match access-list ACL1 policy-map NO-SYN-FLOOD class no syn-flood-class set connection embryonic-conn-max 50 service-policy NO-SYN-FLOOD interface outside
Advanced Application Inspection - HTTP
policy-map type inspect http http-inspect-pmap parameters protocol-violation action dropconnection log match req-resp content-type mismatch drop-connection log policy-map global_policy class inspection_default inspect http http-inspect-pmap
VLAN - !5505
int e0/2 no shut int e0/2.10 vlan 10 security-level 100 nameif VLAN10 ip add 10.0.10.1 255.255.255.0 no shut exit
EtherChannel
interface e0/2 channel-group mode Active interface e0/3 channel-group mode Active interface port-channel1 port-channel load-balance src-port port-channel min-bundle 1 lacp max-bundle 8 duplex auto speed auto nameif DMZ security-level 50 ip add 10.0.10.1 255.255.255.0 no shut exit
Redundancy
interface e0/4 no shut interface e0/5 no shut interface redundant1 member interface e0/4 member interface e0/5 nameif outside security-level ip address 193.10.161.31 no shut exit
Transparent - 5505
firewall transparent int BVI 1 ip add 193.10.161.38 255.255.255.0 exit int e0/0 switchport access vlan 1 no shut int e0/1 switchport access vlan 2 no shut interface vlan 1 security-level 100 nameif inside bridge-group 1 no shut interface vlan 2 security-level 0 nameif outside bridge-group 1 no shut
AAA
aaa-server OUR-GROUP protocol radius aaa-server OUR-GROUP (inside) host 10.0.0.50 key ******** radius-common-pw ********* exit
Cut-through User AAA
access-list outside_authentication permit tcp any object dmz-server eq http username bob password cisco priv 2 username bob attributes service-type remote-access exit aaa authentication match outside_authentication outside LOCAL
Failover
#Criteria ASA1 int e0/0 ip address 193.10.161.38 255.255.254.0 standby 193.10.161.39 int e0/1 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2 failover lan interface Fail-1 e0/3 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover key cisco failover link Fail-2 e0/4 failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2 failover replication http failover lan unit primary failover mac address e0/0 0000.1111.2222 0000.3333.4444 failover ASA2 int e0/3 no shut exit failover lan interface Fail-1 e0/3 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover key cisco failover lan unit secondary failover
Virtual Firewall
mode multiple changeto context admin changeto system mac-address auto class silver limit resource asdm 3 context newcontext member silver allocate-interface e0/3 allocate-interface e0/4 config-url disk0:/newcontext.cfg
Active/Active Failover
changeto system prompt hostname priority failover group 1 primary preempt 120 exit failover group 2 secondary preempt 120 exit context Ctx-1 join-failover-group 1 exit context Ctx-2 join-failover-group 2 exit int e0/4 no shut int e0/5 no shut exit failover lan unit primary failover lan interface Fail-1 e0/4 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover link Fail-2 e0/4 failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2 failover int e0/3 no shut exit failover lan unit secondary failover lan interface Fail-1 e0/3 failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2 failover
SLA
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1 sla monitor 10 type echo protocol ipIcmpEcho 1.1.1.1 interface outside num-packets 3 frequency 5 sla monitor schedule 10 life forever start-time now track 1 rtr 10 reachability
VPN
Förutsättningar för att sätta upp VPN-tunnlar är att klocka måste gå rätt och att NAT-regler måste ligga i rätt ordning.
Kolla hur man gör på aktuell version
vpnsetup site-to-site steps vpnsetup ipsec-remote-access steps
IKEv2 behåller inte riktigt nomenklaturen med faser men ändå.
Fas 1
crypto isakmp policy 10 authentication pre-share encryption aes-256 hash sha lifetime 28800 group 2
PSK
tunnel-group <other-side> type ipsec-l2l tunnel-group <other-side> ipsec-attributes ikev1 pre-shared-key ***** crypto map VPNMAP 10 set peer <other-side>
Fas 2
crypto ipsec ikev1 transform-set SITE2-FAS2 esp-aes-256 esp-sha-hmac crypto map VPNMAP 10 set transform-set SITE2-FAS2 access-list CRYPTO-to-SITE2 extended permit ip 172.16.20.0 255.255.255.0 172.16.40.0 255.255.255.0 crypto map VPNMAP 10 match address CRYPTO-to-SITE2 crypto map VPNMAP 10 set security-association lifetime seconds 3600
NAT Exempt
object network LAN1 subnet 172.16.20.0 255.255.255.0 object network LAN2 subnet 172.16.40.0 255.255.255.0 nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2
Övrigt
Tillåt trafik in från andra sidan.
access-list OUTSIDE-IN extended permit ip object LAN2 object LAN1
Behöver endast göras vid första VPN-tunneluppsättningen.
crypto map VPNMAP interface OUTSIDE crypto isakmp enable OUTSIDE
Troubleshoot
show crypto isakmp sa detail show vpn-sessiondb detail l2l
REST API
Man kan lägga till en agent så att ASAn får stöd för REST API.
copy http://<webbserver>/asa-restapi-122-lfbff-k8.SPA disk0: rest-api image disk0:/asa-restapi-122-lfbff-k8.SPA rest-api agent
Sedan behöver webbservern konfigureras om inte det är gjort, ASDM
Använd en REST-klient (Firefox/Chrome)
https:<asa-ip>/api/objects/networkobjects
Docs
Följer med agenten
https://<asa-ip>/doc/