What is a Firewall?
A firewall is a system used to prevent unauthorized access to or from a secured network. It can be software, dedicated hardware, or a combination of both. It examines all traffic entering and leaving the secured network against the configured policy and blocks every packet that does not comply with that policy.
Software Firewall
Designed for home and small-office computers with Internet access. It runs on the host it protects and detects suspicious activity coming from outside.
Hardware Firewall
All Cisco routers and multilayer switches support IOS-based firewall capabilities. Cisco also has fully dedicated security appliances, such as:-
1. Packet Filtering Firewall
It works at layers 3 and 4 of the OSI model, i.e. the network and transport layers. It is the first generation of firewall and makes its decisions by analyzing IP addresses and port numbers only, with no knowledge of connection state.
3. Application Firewall
This is the third-generation firewall. It operates at layers 3, 4, 5, 6 and 7 (network, transport, session, presentation and application) of the OSI model. Because it can inspect application-layer content it is the most secure of the three types, but it also offers the lowest performance.
ASA Firewall
The ASA performs different tasks on an arriving packet depending on whether it belongs to a new connection or to an existing one:
1. IP checksum verification
2. Session lookup
b) Multiple mode (does not support dynamic routing protocols; only static or default routes)
2. Transparent mode
The Cisco ASA firewall is fundamentally a stateful firewall, and the concept of security levels (0 to 100) is an integral part of it. In the basic design there are three zones: inside (security level 100, the most trusted), outside (security level 0, the least trusted) and DMZ (an intermediate level, 50 in the configuration below).
Note: - The higher the security level, the more trusted the zone. By default, traffic from a higher security level to a lower one is permitted and its return traffic is allowed by the stateful connection table; any packet from a lower security level to a higher one is denied unless an access list applied to the lower-security interface permits it; and traffic between interfaces with the same security level is dropped unless same-security-traffic permit inter-interface is configured.
Basic ASA Configuration, NAT in ASA Firewall
Configuration on ASA
interface f0/0
 nameif outside
 ! nameif outside implies security-level 0; every interface also needs an ip address
 no shutdown
 exit
interface f0/1
 nameif inside
 ! nameif inside implies security-level 100
 no shutdown
 exit
interface f0/2
 nameif DMZ
 ! any other name defaults to security-level 0, so the DMZ level must be set explicitly
 security-level 50
 no shutdown
 exit
Router configuration
R1:-
int f0/0
 no shutdown
int f0/1
 no shutdown
R2:-
int f0/0
 no shutdown
int f0/1
 no shutdown
R3:-
int f0/0
 no shutdown
int f0/1
 no shutdown
ASA
route inside 10.20.20.0 255.255.255.0 10.10.10.2
! the next hop 10.10.10.2 is R1's f0/0 interface, reached through the inside interface
R1:-
R3:-
After that we will have full connectivity between all the devices in the network. We can check it by pinging any destination and by listing the interfaces:
ASA(config)# show interface ip brief (the ASA equivalent of the router command show ip interface brief)
1. Dynamic NAT
2. Static NAT
3. NAT control
4. NAT overload (PAT)
5. Static PAT
1. Dynamic NAT
With dynamic NAT a group of real addresses is translated to a pool of mapped addresses that are routable on the destination network. The pool may contain fewer addresses than the real group. When a host wants to communicate with the outside network the ASA assigns it an address from this pool. The translation is created only when the real host initiates the connection, it lasts as long as the connection exists, and once the translation times out the host is not guaranteed to receive the same mapped address again. Hosts on the outside therefore cannot reliably initiate connections to a dynamically translated host.
Syntax
2. Static NAT
This is a one-to-one translation, so the number of mapped addresses must equal the number of real addresses. The translation is persistent because the mapped address is the same for every connection. For that reason a host on the destination network can initiate a connection to the translated host, provided an access list applied to that interface permits it.
Syntax
3. NAT control
When NAT control is enabled (nat-control), an inside host must match a NAT rule before it is allowed to reach the outside network. In some cases we do not want a translation to happen at all; for such hosts we can bypass NAT, or disable NAT control completely.
a) NAT Exemption:-
It is bidirectional, i.e. both the translated host and the remote host can initiate connections. NAT exemption applies to connections through all interfaces; it is not limited to a specific interface. The access list uses the real source and destination addresses, it does not consider ports, and it does not support connection settings such as a maximum number of TCP connections. It is typically used for traffic that will be carried inside a VPN tunnel.
Syntax
b) Identity NAT:-
It is similar to dynamic NAT, but we cannot limit the translation to one interface, i.e. identity NAT must be used for connections through all interfaces. Although the mapped address is the same as the real IP, a connection cannot be initiated from outside to inside even if an access list permits it. It can be applied to any host or network.
Syntax
nat (inside) 0 <network address or host IP> <subnet mask>
c) Static Identity NAT:-
It is a one-to-one translation in which the mapped address equals the real address, so the host appears on the mapped interface with its real address and, unlike identity NAT, outside hosts can initiate connections to it when an access list permits. We can also apply static identity NAT on one interface and regular NAT on other interfaces.
Syntax
static (real_interface,mapped_interface) <host IP> <host IP> netmask 255.255.255.255 (both IPs are the same)
E.g.:-
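The NAT forms described in sections 2 and 3 above, collected into one configuration as an added example; it is not taken from the original page. It uses the page's interface names inside, outside and DMZ and the pre-8.3 ASA syntax the page uses; the host and network addresses and the access-list names are assumed for illustration.

```cisco
! Added example, not from the original page. All addresses and ACL names are assumed.
! Pre-8.3 syntax: the mapped address is the one seen on the mapped (outside) interface.
nat-control
! 1) Static NAT: one-to-one and persistent, so the outside may initiate once an ACL allows it.
!    static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (inside,outside) 192.20.20.10 10.10.10.10 netmask 255.255.255.255
! Pre-8.3 ACLs reference the MAPPED address, not the real one.
access-list OUTSIDE_IN extended permit tcp any host 192.20.20.10 eq www
access-group OUTSIDE_IN in interface outside
! 2) NAT exemption: real addresses on both sides, ports ignored, bidirectional.
!    Typical for traffic that will travel inside a site-to-site VPN tunnel.
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
nat (inside) 0 access-list NONAT
! 3) Static identity NAT: mapped == real, so the DMZ server keeps its address on the
!    outside; an outside-initiated connection still needs an ACL entry.
static (DMZ,outside) 192.20.20.50 192.20.20.50 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.20.20.50 eq https
```

Verify the result with show xlate (active translations) and show nat; a host covered by nat 0 access-list NONAT produces no xlate entry, which is the expected sign that it is being exempted rather than translated.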
4. NAT overload (PAT)
PAT overcomes the main limitation of dynamic NAT: the mapped pool can run out of addresses if traffic is higher than expected. PAT translates many real addresses to a single mapped address, so there is no shortage of pool addresses. The ASA translates the real IP address and source port to the mapped address and a unique source port (from the range above 1024), e.g. 100.1.1.1:1025 and 100.1.1.1:1026. Because each connection receives a different mapped source port, every translation stays unique. Users on the outside network cannot initiate connections to inside hosts through this mapped address.
Syntax
5. Static PAT
Static PAT is almost the same as static NAT, except that it lets you specify the protocol (TCP or UDP) and the port for both the real and the mapped address. The advantage is that we can use the same mapped IP for many real IPs by giving each a different port, which is not possible with static NAT.
For example, if we want to offer SMTP, HTTP and FTP on a single public IP even though they run on three different servers, static PAT lets us define all three servers with the same mapped IP but different ports.
Syntax
! static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask mask
! the mapped address (192.168.1.1 here) comes first, then the real server
static (inside,outside) tcp 192.168.1.1 smtp 10.1.1.1 smtp netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.1 ftp 10.1.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.1 http 10.1.1.3 http netmask 255.255.255.255
! an access list on the outside interface is still required to permit the inbound connections
The topology is similar to the previous one except that we added a few loopbacks on all three routers.
Task 1:- The ASA should translate all internal networks, including the DMZ, to the outside using the pool 192.20.20.151 - 192.20.20.200. Use PAT as the backup translation.
ASA:-
ASA:-
Task 3:- Configure the ASA so that whenever it receives a packet destined for port 25 on the outside interface, it redirects it to 192.10.10.10, and a packet destined for port 23 on the outside interface is redirected to 192.10.10.11.
ASA:-
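An added example solution for Tasks 1 and 3 in pre-8.3 ASA syntax; it is not the page's own answer. The tasks leave the inside and DMZ address ranges and the PAT backup address unspecified, so this example translates every host on those interfaces (0 0) and uses the outside interface address both as the PAT backup and as the mapped address for the redirected ports; the access-list name is assumed, and the two servers are assumed to sit behind the inside interface (use (DMZ,outside) if they are on the DMZ).

```cisco
! Added example, not the page's solution. Interface address, "0 0" and the ACL name are assumptions.
! Task 1: dynamic NAT for all inside and DMZ hosts; both nat statements share NAT ID 1
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.20.20.151-192.20.20.200 netmask 255.255.255.0
! Backup PAT with the same NAT ID: used only once the pool above is exhausted
global (outside) 1 interface
! Task 3: static PAT on the outside interface address (mapped first, then real)
static (inside,outside) tcp interface smtp 192.10.10.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface telnet 192.10.10.11 telnet netmask 255.255.255.255
! Lower-to-higher traffic is denied by default: permit only the two redirected ports.
! Telnet is cleartext; the task asks for it, but SSH should be preferred in practice.
access-list OUTSIDE_IN extended permit tcp any interface outside eq smtp
access-list OUTSIDE_IN extended permit tcp any interface outside eq telnet
access-group OUTSIDE_IN in interface outside
```

After generating traffic from an inside host, show xlate should list a pool address for it; once 50 hosts hold pool addresses the next host shows a PAT entry on the interface address instead. From the outside, a TCP connection to the outside interface on port 25 must land on 192.10.10.10, and any other port must be refused.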
Note: - We have to configure static or default routes for all unknown networks on the ASA and on all the routers for total communication.
1. System Context
2. Admin Context
3. Logical Context
System Context
Unlike the other contexts, it does not have any layer 2 or layer 3 interfaces or network settings. It is used mainly to define the attributes of the other security contexts. Here we can define the following for each context:
Context name
Interface allocation
Banner
Mode, i.e. single or multiple
Failover parameters
Note: - The system configuration is stored as the startup configuration in flash memory, while each context's configuration is stored at the location given by its config-url (flash or a remote server).
2. Admin Context
It is like a regular context, except that a user who logs into it has system administration rights and can access the system context and the logical contexts. The admin context must be created before any other context.
Note: - When the ASA is converted from single mode to multiple mode, all network-related configuration is saved as the admin context (admin.cfg). The context named admin is the admin context by default; the admin-context command designates which context plays that role.
3. Logical Context
It is similar to having multiple standalone firewalls. Each context has its own set of security features, such as NAT, access lists, routing and interfaces.
Feature          Single mode                          Multiple mode
1. QoS           Supports QoS                         Does not support QoS
2. Addressing    Does not support overlapping         Supports overlapping networks
                 networks                             between contexts
ASA:-
mode multiple
interface e0/0
 no shutdown
interface e0/1
 no shutdown
interface e0/1.2
interface e0/1.3
interface e0/1.4
! each subinterface also needs a vlan <id> tag before it can be allocated to a context
Task 2:- Configure two contexts on the ASA named ASA-C1 and ASA-C2, with the configuration files ASAC1.cfg and ASAC2.cfg. Allocate interfaces according to the diagram above.
ASA:-
context ASA-C1
 allocate-interface e0/0
 allocate-interface e0/1.2
 allocate-interface e0/1.4
 config-url ASAC1.cfg
 exit
context ASA-C2
 allocate-interface e0/0
 allocate-interface e0/1.3
 config-url ASAC2.cfg
! e0/0 is shared by both contexts; e0/1.2 and e0/1.4 belong only to ASA-C1, e0/1.3 only to ASA-C2
ASA:-
! inside context ASA-C1 (changeto context ASA-C1)
interface e0/0
 nameif outside
 exit
interface e0/1.2
 nameif inside
 exit
interface e0/1.4
 nameif DMZ
 security-level 50
! inside context ASA-C2 (changeto context ASA-C2)
interface e0/0
 nameif outside
 exit
interface e0/1.3
 nameif inside
Task 4:- Configure ASA-C1 to allow the inside network to access the outside network using dynamic NAT with the pool 192.1.100.51 - 192.1.100.69. Back it up with PAT using the IP address 192.1.100.70. R2 should be seen as 192.1.100.2.
ASA:-
Nat-control
Exit
Exit
Task 5:- Configure ASA-C2 to allow the inside network to access the outside network using dynamic NAT with the pool 192.1.100.71-192.1.100.8. Back it up with PAT using the IP address
ASA:-
Exit
Exit
Task 6:- Configure static routes on ASA-C1 and ASA-C2 to the R2 and R3 networks. Configure a default route on ASA-C1 and ASA-C2 towards R1.
ASA:-
Exit
ASA Failover
1. Stateless (regular) Failover
2. Stateful Failover
o The state of every connection is passed to the standby unit over the state link
o End users do not need to reconnect after a failover
o State data includes the global address pool state, the connection table, the translation (xlate) table, PAT and so on
o Provided by LAN-based failover
Features not supported with failover:
1. DHCP client
2. PPPoE (Point-to-Point Protocol over Ethernet)
3. IPv6
Note: - Failover hello messages are sent on the failover link once per second by default (failover polltime unit), and the peer is declared failed after the default 15-second hold time.
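Stateful LAN-based active/standby failover as an added example; this is not configuration from the original page. Interface names, addresses and the shared key are assumed. It also shows two settings the page's list leaves out: the hello/hold timers and the failover key, without which failover traffic crosses the link in cleartext.

```cisco
! Added example, not from the page. Interfaces, addresses and the key are assumed.
! ---- Primary unit ----
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
! Stateful failover: reuse the failover link as the state link (a dedicated
! link is preferable on busy units).
failover link FOLINK
! Authenticate and encrypt failover messages. Without a key they are cleartext
! and a host on that segment could read state or force a failover.
failover key FailoverKey-Assumed-ChangeMe
! Defaults shown explicitly: hello every 1 second, peer failed after 15 seconds
failover polltime unit 1 holdtime 15
interface Ethernet0/3
 no shutdown
! Every data interface needs an active and a standby address
interface Ethernet0/0
 nameif outside
 ip address 192.20.20.1 255.255.255.0 standby 192.20.20.2
 no shutdown
interface Ethernet0/1
 nameif inside
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
 no shutdown
failover
! ---- Secondary unit ----
! Only the failover link is configured here; everything else is replicated
! from the primary once failover is enabled.
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover key FailoverKey-Assumed-ChangeMe
interface Ethernet0/3
 no shutdown
failover
```

show failover on either unit should report one unit as Active and the other as Standby Ready, with the stateful failover statistics counting replicated xlate and connection entries. Use the failover link only for an isolated, directly connected segment, since whoever can reach it can participate in the pairing.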
Transparent Firewall
Features not supported in transparent mode:
1. Dynamic DNS
2. DHCP relay
3. Dynamic routing protocols
4. Multicast IP routing
5. QoS (no inspection at layer 3)
6. VPN termination (for through traffic)
7. Before 8.2 it doesn’t support
Task 2:
Configure e0/0 as outside with security level 0 and e0/1 as inside with security level 100.
ASA:
interface e0/0
 nameif outside
 ! nameif outside defaults to security-level 0
 no shutdown
 exit
interface e0/1
 nameif inside
 ! nameif inside defaults to security-level 100
 no shutdown
Task 3:
ASA:
 exit
Task 4:
ASA:
 exit
Task 5:
Configure the ASA so that it examines all ARP packets. It should forward only the packets whose IP/MAC binding exists in its ARP table and drop the rest.
ASA:
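An added example, not the page's solution, of the transparent firewall with ARP inspection described in Tasks 2 and 5, in ASA 8.2-style syntax where the bridge has a single management address. The management address, host addresses and MAC addresses are assumed.

```cisco
! Added example, not from the page. All addresses and MAC addresses are assumed.
firewall transparent
! 8.2-style transparent mode: one management address for the whole bridge;
! both interfaces sit in the same subnet and the ASA forwards at layer 2.
ip address 192.168.1.254 255.255.255.0
interface Ethernet0/0
 nameif outside
 no shutdown
interface Ethernet0/1
 nameif inside
 no shutdown
! Static ARP entries: only these IP/MAC bindings are considered legitimate
arp outside 192.168.1.1 0011.2233.4455
arp inside 192.168.1.10 00aa.bbcc.dd01
! Inspect every ARP packet on both interfaces. "no-flood" drops any ARP packet
! whose binding is not in the table; the default "flood" would forward it,
! which defeats the protection against ARP spoofing across the bridge.
arp-inspection outside enable no-flood
arp-inspection inside enable no-flood
```

show arp-inspection confirms inspection is enabled per interface with the no-flood action, and show arp lists the static entries. A host that changes its MAC address, or a spoofed reply claiming the gateway's IP, will be dropped until the static entry is updated, so every legitimate host that must be reachable across the bridge needs an entry.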
One way to reduce costs is to eliminate the need for expensive long-distance leased lines: for a VPN to work we only need an Internet connection. It also removes long-distance telephone charges for remote users.
There is a limitation too: Internet dependency. We become fully dependent on the Internet connection.
Many important topics are involved in VPNs. We will discuss each of them in the following sections.
IPSec:
IPSec provides four services:
1. Confidentiality
The data is encrypted so that nobody else can read it, i.e. it provides data privacy through encryption.
2. Data integrity
3. Authentication
4. Anti-replay
1. Symmetric key:
Both sender and receiver use the same key for encryption and decryption. The sender uses the key to encrypt the plain text into cipher text and the receiver uses the same key to decrypt the cipher text back to plain text. That key must be kept secret, because anyone who knows it can decrypt the traffic. One advantage is that symmetric ciphers do not consume much computing power, which is why they protect the bulk data in IPSec.
Examples - DES (Data Encryption Standard), 3DES, AES (Advanced Encryption Standard), Blowfish, etc. DES and 3DES are considered obsolete; AES is the current choice.
2. Asymmetric key:
Here we deal with two keys: one key encrypts the plain text and the other decrypts the cipher text. The encryption key is called the public key because it is given to everyone who wants to send encrypted data, while the decryption key is called the private key because it is kept secret. Asymmetric cryptography solves the key distribution problem of symmetric ciphers, but it is far slower, so in practice it is used to establish or authenticate keys (as in IKE) while symmetric ciphers protect the data. Examples of asymmetric algorithms are RSA, DSA, etc.
Data Integrity
Protects data against modification in transit and detects tampering. A plain hash of the message only detects accidental corruption, because an attacker who alters the message can recompute it; a keyed hash (HMAC) is needed to guarantee integrity against an attacker. The HMAC computed by the sender must match the HMAC computed by the receiver with the same shared key. Examples: HMAC-MD5 and HMAC-SHA-1 (MD5 and SHA-1 are deprecated; SHA-2 based HMACs are preferred).
Hash:
A hash is mainly used to provide a digital fingerprint of any type of data, to ensure that the information has not been altered during transmission.
1. It is a one-way, mathematically generated fixed-length value computed from a sequence of text by applying a mathematical formula.
2. The value is calculated from the original plain text data.
3. The original message cannot be reconstructed from this value, even with knowledge of the algorithm.
4. The value acts like a fingerprint of the message.
Encryption:
1. Data encryption is an algorithmic process that uses a secret key to transform plain text into cipher text, in order to prevent anyone except the intended recipient from accessing the information.
2. Encryption is the process of converting information to make it unreadable to unauthorized users.
3. Encryption provides a means of secure communication over an insecure medium.
4. It provides data confidentiality and privacy.
3DES - applies DES three times to each block of data with three 56-bit keys, giving an effective 168-bit key; it is slow and now deprecated in favour of AES.
DH (Diffie-Hellman) - commonly used in VPN connections to let both peers derive a shared secret key over an untrusted network without ever transmitting it. Its strength depends on the group: group 1 uses a 768-bit modulus, group 2 (used in the configurations below) 1024-bit, group 5 1536-bit and group 14 2048-bit. Groups 1 and 2 are no longer considered secure; group 14 or higher should be used.
5 Phases of IPSec:
1. Interesting traffic initiates the process (traffic matching the crypto access list)
2. IKE phase 1
Creates the first tunnel (the ISAKMP SA), which protects the later ISAKMP negotiation messages.
3. IKE phase 2
Negotiates the IPSec security associations used to protect the data.
4. Transfer data
5. Tunnel termination
1. Tunnel Mode
This mode protects data in a network-to-network or site-to-site scenario (used in LAN-to-LAN VPNs). It is the default mode on Cisco routers. The original IP header and the data are both encrypted behind an ESP header, and a new IP header is added whose source and destination addresses are those of the tunnel endpoints.
[New IP header][ESP header][Original IP header][Data][ESP trailer][ESP auth]
                           |<----------- encrypted ----------->|
2. Transport Mode
This mode protects data in a host-to-host or end-to-end scenario (for example remote-access VPNs). Only the data is encrypted; the original IP header is kept and placed in front of the ESP header.
[Original IP header][ESP header][Data][ESP trailer][ESP auth]
                                |<-- encrypted -->|
1. Main Mode:
This mode uses a total of 6 messages between initiator and responder during tunnel negotiation. It is more secure than aggressive mode because the identities are exchanged only after the Diffie-Hellman exchange and are therefore encrypted (identity protection). With pre-shared keys, however, the responder must look the key up by the peer's IP address before the identity is received, so main mode cannot be used when the remote address is dynamic or hidden behind NAT.
2. Aggressive Mode:
This mode uses a total of 3 messages and carries the identity in the first message, so the peer's IP address does not have to serve as its identification; the price is that the identity is sent in the clear. It is useful for client-to-gateway tunnels, where the client IP is not known ahead of time, and it can be used where NAT is configured.
Site-to-site VPN using an IPSec tunnel is a way to transmit data securely between two sites. The tunnel is built across the Internet using the encryption algorithms discussed above. Here we are going to discuss how to create a site-to-site VPN using IPSec.
Here we are using static IPs on both sides. If the remote side has a dynamic IP, the connection must be initiated from that side, because only the client side knows the destination IP. Another solution is a GRE (Generic Routing Encapsulation) tunnel protected by IPSec. Remember that GRE is a tunneling protocol, whereas IPSec is a security protocol. IPSec alone does not carry multicast, so it cannot be used in a network that runs a dynamic routing protocol such as EIGRP, OSPF or RIP across the tunnel; GRE does carry multicast, so GRE over IPSec is the right solution in that situation. In this article we discuss only IPSec, not GRE.
Phase 1:
Creates the first tunnel (the ISAKMP SA), which protects the later ISAKMP negotiation messages.
Phase 2:
Negotiates the IPSec security associations that protect the actual data.
Configuration steps:
1. Configure ISAKMP (phase 1)
2. Configure IPSec (phase 2: transform set, access control list, crypto map)
Crypto map: It selects the data flows that need protection (via the access list), defines the policy for those flows (the transform set) and the peer that must receive them. It is applied to an interface.
The head office has the network 10.10.10.0/24. Branch office 2 and branch office 3 have the networks 20.20.20.0/24 and 30.30.30.0/24 respectively.
Goal: To achieve full connectivity between the head office and both branch offices.
ISAKMP phase 1
1. ISAKMP phase 1
R1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 50000
 ! 3DES, MD5 and DH group 2 are deprecated; AES, SHA-2 and group 14 or higher should be used
Description:
R1
3. Configure IPSec
a) In the example above we want a first tunnel that allows traffic from the head office 10.10.10.0/24 to the remote site 20.20.20.0/24 and a second VPN tunnel from 10.10.10.0/24 to the remote site 30.30.30.0/24. These are two different tunnels, so we need to create two different access lists.
b) The transform set protects our data. We named our transform set TS.
c) First we create a crypto map named CM, which will later be applied to the public interface of our head office router, and connect it with a dynamic crypto map named ho-vpn.
 set transform-set TS
 exit
 set transform-set TS
d) interface fa0/1
 crypto map CM
R2:
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 50000
 exit
 exit
 exit
 exit
 set transform-set TS
 match address AL
 exit
interface f0/1
 crypto map RS
R3:
 hash md5
 authentication pre-share
 group 2
 lifetime 50000
 exit
 exit
 exit
 exit
 set transform-set TS
 match address AL
 exit
interface f0/1
 crypto map RS
Here we have completed our configuration and the VPN tunnel is ready to be brought up. Remember that in a site-to-site VPN where the remote site has a dynamic public IP, the tunnel can only be brought up by the remote site. We can check it by pinging 10.10.10.1 from R2 and R3, sourcing the ping from the branch LAN so that the traffic matches the crypto access list.
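The complete IKEv1 site-to-site configuration between the head office R1 and branch R2, as an added example that is not the page's own configuration. It follows the page's design (a dynamic crypto map ho-vpn behind the static map CM at the head office, so a branch with a dynamic public IP can initiate; static map RS with access list AL at the branch) and the page's object names. R1's public address 200.1.1.1, the interface names, the pre-shared key and an IOS 15.x release that accepts sha256 and esp-sha256-hmac are assumed. The page's 3des/md5/group 2 appear only in comments: all three are deprecated, so the example uses AES-256, SHA-256 and DH group 14.

```cisco
! Added example, not from the page. Public address, interfaces, key and IOS 15.x are assumed.
! ---- R1 (head office, 10.10.10.0/24 behind f0/0, public 200.1.1.1 on f0/1) ----
crypto isakmp policy 10
 encryption aes 256          ! page used: encryption 3des (deprecated)
 hash sha256                 ! page used: hash md5 (deprecated)
 authentication pre-share
 group 14                    ! page used: group 2, 1024-bit (deprecated)
 lifetime 86400
! A wildcard key is unavoidable when the branch address is dynamic; any peer
! holding it can negotiate, so rotate it and prefer certificates where possible.
crypto isakmp key SharedKey-Assumed-ChangeMe address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
! Dynamic map: branches propose their own crypto ACLs, so no match address here
crypto dynamic-map ho-vpn 10
 set transform-set TS
crypto map CM 10 ipsec-isakmp dynamic ho-vpn
interface FastEthernet0/1
 ip address 200.1.1.1 255.255.255.0
 crypto map CM
! ---- R2 (branch 2, 20.20.20.0/24 behind f0/0, dynamic public address on f0/1) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key SharedKey-Assumed-ChangeMe address 200.1.1.1
! Interesting traffic: only branch LAN to head-office LAN is protected
ip access-list extended AL
 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map RS 10 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set TS
 match address AL
interface FastEthernet0/1
 ip address dhcp
 crypto map RS
! R3 is configured like R2 with 30.30.30.0/24 in its access list AL.
```

Because R1 only holds a dynamic map, the branch must send the first interesting packet; a ping from a 20.20.20.x host to 10.10.10.1 does that. show crypto isakmp sa should then show the peer in QM_IDLE and show crypto ipsec sa should show encaps and decaps counters climbing in both directions. If either router also performs NAT on the public interface, the VPN traffic must be exempted from that NAT, otherwise it never matches the crypto access list.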