Difference between revisions of "Cisco ASA"

From HackerNet
Jump to: navigation, search
Line 21: Line 21:
  
 
===ASDM===
 
===ASDM===
ASDM är en javamjukvara man kan använda för GUI till ASA. Slå på det och vitlista IP/nät.
+
ASDM är en javamjukvara man kan använda för GUI till ASA.  
 +
asdm image disk0:/asdm-752.bin
 +
show asdm image
 +
Slå på det och vitlista IP/nät som får ansluta.
 
  http server enable
 
  http server enable
 
  http 10.0.0.0 255.255.255.0 inside
 
  http 10.0.0.0 255.255.255.0 inside
Line 46: Line 49:
 
Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med:
 
Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med:
 
  management-access inside
 
  management-access inside
 +
 +
===Upgrade===
 +
copy http://<webbserver.se>/filer/asa952-smp-k8.bin disk0:/
 +
boot system disk0:/asa952-smp-k8.bin
 +
show bootvar
 +
wr
 +
reload
 +
 +
===Reset===
 +
clear configure all
 +
crypto key zeroize rsa
 +
Setup basic firewall
 +
configure factory-default
  
 
==Diverse==
 
==Diverse==
Line 55: Line 71:
 
  class inspection_default
 
  class inspection_default
 
  inspect icmp
 
  inspect icmp
 +
 +
===Traceroute===
 +
Tillåt traceroute genom en ASA
 +
access-list ACL extended permit icmp any any time-exceeded
 +
access-list ACL extended permit icmp any any unreachable
 +
 +
===Accelerated Security Path===
 +
show asp drop
 +
capture asp-drop type asp-drop all
 +
show capture asp-drop
  
 
===ARP Inspection===
 
===ARP Inspection===
 
  arp inside 193.10.161.37 0c0c.0c0c.0c03 alias
 
  arp inside 193.10.161.37 0c0c.0c0c.0c03 alias
 
  ---
 
  ---
 
===Upgrade===
 
copy http://<webbserver.se>/filer/asa952-smp-k8.bin disk0:/
 
boot system disk0:/asa952-smp-k8.bin
 
wr
 
reload
 
  
 
===Botnet Filtering===
 
===Botnet Filtering===
Line 78: Line 98:
 
===uRPF===
 
===uRPF===
 
  ip verify reverse-path interface outside
 
  ip verify reverse-path interface outside
 +
show run ip verify reverse-path
  
 
===Logging===
 
===Logging===
Line 161: Line 182:
 
  access-group ACL1 in interface outside
 
  access-group ACL1 in interface outside
 
  show access-list ACL1
 
  show access-list ACL1
 +
Matcha på DNS-namn
 +
object network hackernet.se
 +
  fqdn v4 hackernet.se
  
 
==Routing==
 
==Routing==
Line 354: Line 378:
 
  allocate-interface e0/4
 
  allocate-interface e0/4
 
  config-url disk0:/newcontext.cfg
 
  config-url disk0:/newcontext.cfg
 +
Save in all contexts
 +
wr mem all
  
 
===Active/Active Failover===
 
===Active/Active Failover===

Revision as of 19:15, 26 March 2016

Adaptive Security Appliance är Ciscos VPN- och brandväggsenhet. Detta är skrivet för 8.4 och senare.
Hårdvara och mjukvara kompatibilitet

Konfiguration

Grunder

conf t
hostname ASA

IP adress

int e0/0
mac-address 0011.2233.4455
security-level 100
nameif inside
ip address 10.0.0.1 255.255.255.0
no shut
exit

Default route och DNS

route outside 0.0.0.0 0.0.0.0 190.10.160.1 1
same-security-traffic permit inter-interface
dns domain-lookup outside
dns name-server 8.8.8.8

ASDM

ASDM är en javamjukvara man kan använda för GUI till ASA.

asdm image disk0:/asdm-752.bin
show asdm image

Slå på det och vitlista IP/nät som får ansluta.

http server enable
http 10.0.0.0 255.255.255.0 inside

Skapa användare så att det går att logga in. Peka autentisering mot lokal databas.

username admin password cisco privilege 15
aaa authentication http console LOCAL

SSH

ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
aaa authentication ssh console LOCAL
domain-name inhouse.local
crypto key generate rsa modulus 2048

Mgmt VRF

Man kan sedan 9.5 lägga management-interface i en egen routingtabell.

int gi0/1
management-only
show route management-only
show asp table routing management-only

Management access

Vill man managera sin brandvägg genom en VPN-tunnel måste man komplettera ssh/http-kommandon med:

management-access inside

Upgrade

copy http://<webbserver.se>/filer/asa952-smp-k8.bin disk0:/
boot system disk0:/asa952-smp-k8.bin
show bootvar
wr
reload

Reset

clear configure all
crypto key zeroize rsa

Setup basic firewall

configure factory-default

Diverse

ICMP-inspection

Default så är inte icmp-inspection påslaget.

fixup protocol icmp

Alternativt

policy-map global_policy
class inspection_default
inspect icmp

Traceroute

Tillåt traceroute genom en ASA

access-list ACL extended permit icmp any any time-exceeded
access-list ACL extended permit icmp any any unreachable

Accelerated Security Path

show asp drop
capture asp-drop type asp-drop all
show capture asp-drop

ARP Inspection

arp inside 193.10.161.37 0c0c.0c0c.0c03 alias
---

Botnet Filtering

#köp licens
#Enable DNS Client

NTP

clock timezone CEST 1 0
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 60
ntp server 94.199.180.200 source outside
show ntp status

uRPF

ip verify reverse-path interface outside
show run ip verify reverse-path

Logging

logging enable
logging console 4

Certificate Management

show crypto ca certificate
(config) crypto ca export
show crypto key mypubkey rsa

Jumbo Frames

jumbo frame-reservation
mtu inside 9000
mtu outside 9000

Global Timeouts

timeout xlate 10:00:00
timeout uauth 10:00:00 absolute
timeout uauth 09:00:00 inactivity

Permanent Self-Signed Certificate

crypto ca trustpoint ASDM_TrustPoint0
id-usage ssl-ipsec
no fqdn
subject-name CN=ASA
enrollment self
crypto ca enroll ASDM_TrustPoint0 noconfirm

SNMP

snmp-server host inside 10.0.0.50 community PUBLIC version 2c
show snmp-server oidlist   #"hidden command"

DHCP

Klient

int e0/0
ip address dhcp setroute
exit
dhcp-client client-id interface outside

Server

dhcpd address 10.0.0.50-10.0.0.60 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside

OBS ASA don't repond to unicast dhcp requests

NAT

PAT

nat (inside,outside) 1 source dynamic any interface

Dynamic

object network inside_10
subnet 10.0.0.0 255.255.255.0
object network outside-pool
range 193.10.161.190 193.10.161.199
object network inside_10
nat (inside,any) dynamic outside-pool

Static

object network dmz_server
host 172.16.0.5
object network dmz_global
host 193.10.161.31
object network dmz_server
nat (dmz,outside) static dmz_global

Exempt

object network LAN1
 subnet 1.1.1.0 255.255.255.0
object network LAN2
 subnet 2.2.2.0 255.255.255.0
nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2

1an är viktig så att regeln hamnar först

Show

show run nat

Port Forwarding

object network websrv 
host 10.1.1.3
nat (inside,outside) static interface service tcp 80 80
exit
access-list outside_access_in permit tcp any object websrv eq http

ACL

access-list ACL1 permit tcp any object dmz_server eq http
access-list ACL1 line 15 permit tcp any object dmz_server eq https
access-group ACL1 in interface outside
show access-list ACL1

Matcha på DNS-namn

object network hackernet.se
 fqdn v4 hackernet.se

Routing

Static

route inside 10.0.1.0 255.255.255.0 {next hop address} 10

OSPF

router ospf 1
area 1
network 10.0.0.0 255.255.255.0 area 1

RIP

router rip
no auto-summary
version 2
network 10.0.0.0

EIGRP

router eigrp 1
network 10.0.0.0 255.255.255.0

Modular Policy Framework

Application Inspection

access-list dmz_ftp permit tcp any any eq ftp

Class Map

class-map FTP-class-MAP
match access-list dmz_ftp

Policy Map

policy-map FTP-policy-MAP
class FTP-class-MAP
inspect ftp

Service Policy

service-policy FTP-policy-MAP interface dmz

QoS

priority-queue inside

Class Map

class-map VOIP
match dscp 46

Policy Map

policy-map inside-policy
class VOIP
priority

Service Policy

service-policy inside-policy interface inside

Tweaking Connections

access-list ACL1 permit tcp any object dmz_server eq http
class-map TCP-Sessions
match access-list ACL1
policy-map Conn-Limits
class TCP-Sessions
set connection conn-max 500 embryonic-conn-max 50
set connection timeout embryonic 0:05:00 half-closed 0:10:00
service-policy Conn-Limits interface outside

TCP Intercept

access-list ACL1 permit tcp any object dmz_server eq http
class-map no-syn-flood-class
match access-list ACL1
policy-map NO-SYN-FLOOD
class no syn-flood-class
set connection embryonic-conn-max 50
service-policy NO-SYN-FLOOD interface outside 

Advanced Application Inspection - HTTP

policy-map type inspect http http-inspect-pmap
parameters
protocol-violation action dropconnection log
match req-resp content-type mismatch
drop-connection log
policy-map global_policy
class inspection_default
inspect http http-inspect-pmap

VLAN - !5505

int e0/2
no shut
int e0/2.10
vlan 10
security-level 100
nameif VLAN10
ip add 10.0.10.1 255.255.255.0
no shut
exit

EtherChannel

interface e0/2
channel-group mode Active
interface e0/3
channel-group mode Active
interface port-channel1
port-channel load-balance src-port
port-channel min-bundle 1
lacp max-bundle 8
duplex auto
speed auto
nameif DMZ
security-level 50
ip add 10.0.10.1 255.255.255.0
no shut
exit

Redundancy

Samma som etherchannel fast endast ett ben är aktivt i taget. Användbart om asan är kopplad till 2 switchar utan MLAG (t.ex. vPC).

interface e0/4
no shut
interface e0/5
no shut
interface redundant1
member interface e0/4
member interface e0/5
nameif outside
security-level
ip address 193.10.161.31
no shut
exit

Transparent - 5505

firewall transparent
int BVI 1
ip add 193.10.161.38 255.255.255.0
exit
int e0/0
switchport access vlan 1
no shut
int e0/1
switchport access vlan 2
no shut
interface vlan 1
security-level 100
nameif inside
bridge-group 1
no shut
interface vlan 2
security-level 0
nameif outside
bridge-group 1
no shut

AAA

aaa-server OUR-GROUP protocol radius
aaa-server OUR-GROUP (inside) host 10.0.0.50
key ********
radius-common-pw *********
exit

Cut-through User AAA

access-list outside_authentication permit tcp any object dmz-server eq http
username bob password cisco priv 2
username bob attributes
service-type remote-access
exit
aaa authentication match outside_authentication outside LOCAL

Failover

#Criteria
ASA1
int e0/0
ip address 193.10.161.38 255.255.254.0 standby 193.10.161.39
int e0/1
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover lan interface Fail-1 e0/3
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco
failover link Fail-2 e0/4
failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2
failover replication http
failover lan unit primary
failover mac address e0/0 0000.1111.2222 0000.3333.4444
failover

ASA2
int e0/3
no shut
exit
failover lan interface Fail-1 e0/3
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover key cisco
failover lan unit secondary
failover

Virtual Firewall

mode multiple
changeto context admin
changeto system
mac-address auto
class silver
limit resource asdm 3
context newcontext
member silver
allocate-interface e0/3
allocate-interface e0/4
config-url disk0:/newcontext.cfg

Save in all contexts

wr mem all

Active/Active Failover

changeto system
prompt hostname priority
failover group 1
primary
preempt 120
exit
failover group 2
secondary
preempt 120
exit
context Ctx-1
join-failover-group 1
exit
context Ctx-2
join-failover-group 2
exit
int e0/4
no shut
int e0/5
no shut
exit
failover lan unit primary
failover lan interface Fail-1 e0/4
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover link Fail-2 e0/4
failover interface ip Fail-2 10.2.2.1 255.255.255.252 standby 10.2.2.2
failover

int e0/3
no shut
exit
failover lan unit secondary
failover lan interface Fail-1 e0/3
failover interface ip Fail-1 10.1.1.1 255.255.255.252 standby 10.1.1.2
failover

SLA

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1
sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.1 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

VPN

Se ASA VPN

REST API

Man kan lägga till en agent så att ASAn får ett REST API.

copy http://<webbserver>/asa-restapi-122-lfbff-k8.SPA disk0:
rest-api image disk0:/asa-restapi-122-lfbff-k8.SPA
rest-api agent

Sedan behöver webbservern konfigureras om inte det är gjort, se ASDM

Använd en REST-klient (Firefox/Chrome)

https:<asa-ip>/api/objects/networkobjects

Docs

Följer med agenten

https://<asa-ip>/doc/