The Cisco ASA 5505 Firewall is the smallest model in the new 5500 Cisco series of hardware appliances. Although this model is suitable for small businesses, branch offices or even home use, its firewall security capabilities are the same as those of the biggest models (5510, 5520, 5540 etc.). The Adaptive Security technology of the ASA firewalls offers solid and reliable firewall protection, advanced application-aware security, denial of service attack protection and much more. Moreover, the performance of the ASA 5505 appliance supports 150 Mbps firewall throughput and 4000 firewall connections per second, which is more than enough for small networks.

In this article I will explain the basic configuration steps needed to set up a Cisco 5505 ASA firewall for connecting a small network to the Internet. We assume that our ISP has assigned us a static public IP address (e.g. 200.200.200.1 as an example) and that our internal network range is 192.168.1.0/24. We will use Port Address Translation (PAT) to translate our internal IP addresses to the public address of the outside interface.

The difference between the 5505 model and the bigger ASA models is that it has an 8-port 10/100 switch which acts as Layer 2 only. That is, you cannot configure the physical ports as Layer 3 ports; rather, you have to create interface VLANs and assign the Layer 2 interfaces to each VLAN. By default, interface Ethernet0/0 is assigned to VLAN 2 and is the outside interface (the one which connects to the Internet), and the other 7 interfaces (Ethernet0/1 to 0/7) are assigned by default to VLAN 1 and are used for connecting to the internal network. Let's see the basic configuration setup of the most important steps that you need to configure.
Step 6: Configure default route towards the ISP (assume default gateway is 200.200.200.2)

```
ASA5505(config)# route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
```

The above steps are the absolutely necessary steps you need to configure to make the appliance operational. Of course there are many more configuration details that you need to implement in order to enhance the security and functionality of your appliance, such as Access Control Lists, Static NAT, DHCP, DMZ zones, authentication etc.
Cisco ASA 5500 Firewall Configuration User Interface and Access Modes
This article describes the user interface and access modes and commands associated with the operation of Cisco ASA 5500 firewall appliances. We assume that you know how to connect to the appliance using a console cable (the blue flat cable with RJ-45 on one end and DB-9 Serial on the other end) and a Terminal Emulation software (e.g. HyperTerminal), and how to use a basic Command Line Interface. A Cisco ASA security appliance has four main administrative access modes:
Monitor Mode: Displays the monitor> prompt. A special mode that enables you to update the image over the network or to perform password recovery. While in monitor mode, you can enter commands to specify the location of a TFTP server and the location of the software image or password recovery binary image file to download. You access this mode by pressing the "Break" or "ESC" keys immediately after powering up the appliance.

Unprivileged Mode: Displays the > prompt. Available when you first access the appliance. If the appliance is a Cisco PIX 500 series, the prompt for unprivileged mode is pixfirewall> and if the appliance is the new Cisco ASA 5500 Series, the prompt is ciscoasa>
This mode provides a restricted view of the security appliance. You cannot configure anything from this mode. To get started with configuration, the first command you need to know is the enable command. Type enable and hit Enter. The initial password is empty, so hit Enter again to move on to the next access mode (Privileged Mode).

```
ciscoasa> enable        <-- Unprivileged Mode
password:               <-- Enter a password here (initially it's blank)
ciscoasa#               <-- Privileged Mode
```
Privileged Mode: Displays the # prompt. Enables you to change the current settings. Any unprivileged command also works in this mode. From this mode you can see the current configuration by using show running-config. Still, you cannot configure anything yet until you go to Configuration Mode. You access the Configuration Mode using the "configure terminal" command from the Privileged Mode.

Configuration Mode: This mode displays the (config)# prompt. Enables you to change all system configuration settings. Use exit from each mode to return to the previous mode.
```
ciscoasa> enable                 <-- Unprivileged Mode
password:                        <-- Enter a password here (initially it's blank)
ciscoasa# configure terminal     <-- Privileged Mode
ciscoasa(config)#                <-- Configuration Mode
ciscoasa(config)# exit
ciscoasa# exit                   <-- Back to Privileged Mode
ciscoasa>                        <-- Back to Unprivileged Mode
```

The (config)# mode is sometimes called Global Configuration Mode. Some configuration commands from this mode enter a command-specific mode and the prompt changes accordingly. For example the interface command enters interface configuration mode as shown below:

```
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)#             <-- Configure interface-specific parameters
```
Configure IP Spoofing and IPS Protection with a Cisco ASA 5500 Firewall
The Cisco ASA firewall appliance provides great security protection out of the box with its default configuration. However, to increase the security protection even further, there are several configuration enhancements that can be used to implement additional security features. Two of these features are IP Spoofing protection and basic Intrusion Prevention (IPS) support.

IP Spoofing Protection

IP spoofing attacks are those that change the actual source IP address of packets to obscure their true origin. IP Spoofing protection means that packets arriving at a particular interface (e.g. inside) must have a valid source IP address that matches the correct source interface according to the firewall routing table. Normally the firewall only looks at the destination address of a packet in order to forward it accordingly. If you enable the IP Spoofing mechanism, the firewall also checks the source address of the packets. If for example our inside interface connects to internal network 192.168.1.0/24, this means that packets arriving at the inside firewall interface must have a source address in the range 192.168.1.0/24, otherwise they will be dropped (if IP Spoofing protection is configured). The IP Spoofing feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address.
To enable IP Spoofing protection, enter the following command:

```
CiscoASA5500(config)# ip verify reverse-path interface "interface_name"
```

For example, to enable IP spoofing protection on the inside interface, use the following command:

```
CiscoASA5500(config)# ip verify reverse-path interface inside
```

Basic IPS Protection

Although the ASA Firewall supports full IPS functionality with an extra IPS hardware module (AIP-SSM), it also supports basic IPS protection which is built in by default without using an extra hardware module. The built-in IPS feature supports a basic list of signatures and you can configure the security appliance to perform one or more actions on traffic that matches a signature. The command that implements the basic IPS feature is called "ip audit". There are two signature groups embedded in the firewall software: "Informational" and "Attack" signatures. You can define an IP audit policy for each signature group as follows:

For informational signatures:

```
CiscoASA5500(config)# ip audit name "name" info [action [alarm] [drop] [reset]]
```

For attack signatures:

```
CiscoASA5500(config)# ip audit name "name" attack [action [alarm] [drop] [reset]]
```

The keywords [alarm], [drop], [reset] define the actions to perform on a malicious packet that matches one of the signatures. [alarm] generates a system message showing that a packet matched a signature, [drop] drops the packet, and [reset] drops the packet and closes the connection. After defining an IP audit policy (IPS policy) as shown above, we need to attach the policy to a specific interface:

```
CiscoASA5500(config)# ip audit interface "interface_name" "policy_name"
```

Let's see an actual example:

```
CiscoASA5500(config)# ip audit name dropattacks attack action drop
CiscoASA5500(config)# ip audit interface outside dropattacks
```
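The Unicast RPF check described above, worked through as an added example (it is neither the ASA's code nor the article's): it parses a constructed ASA-style config fragment into a routing table of connected and static routes, then applies the reverse-path test with longest-prefix matching to packets arriving on each interface, so it goes a little beyond the single inside-interface case in the text. The config text, interface names and addresses are assumed sample values.

```python
import ipaddress

# Constructed ASA-style configuration fragment (sample values, not a real device).
ASA_CONFIG = """
interface vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface vlan2
 nameif outside
 ip address 200.200.200.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
ip verify reverse-path interface inside
ip verify reverse-path interface outside
"""

def parse_config(text):
    # Returns (routes, urpf_ifaces). routes = [(network, egress_interface)]:
    # connected routes from 'ip address' lines, static routes from 'route' lines.
    routes, urpf, current = [], set(), None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "interface":
            current = None                      # new block; name comes from nameif
        elif parts[0] == "nameif":
            current = parts[1]
        elif parts[:2] == ["ip", "address"] and current:
            routes.append((ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False), current))
        elif parts[0] == "route":               # route <iface> <net> <mask> <gateway> [metric]
            routes.append((ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False), parts[1]))
        elif parts[:4] == ["ip", "verify", "reverse-path", "interface"]:
            urpf.add(parts[4])
    return routes, urpf

def best_route(routes, addr):
    # Longest-prefix match, as the firewall's routing lookup does.
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def urpf_verdict(routes, urpf, ingress, src):
    # Unicast RPF: the best route back to src must leave via the ingress
    # interface; otherwise the source address is spoofed or unroutable.
    if ingress not in urpf:
        return "allow"                          # check not enabled on this interface
    route = best_route(routes, src)
    return "allow" if route and route[1] == ingress else "drop"

ROUTES, URPF = parse_config(ASA_CONFIG)
```

A packet entering inside with a 10.0.0.5 source is dropped because its only route back is the default route via outside, and a packet entering outside that claims a 192.168.1.x source is dropped because the more specific connected route points at inside.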
```
ASA5505(config-if)# nameif backup-isp
ASA5505(config-if)# security-level 1
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0
ASA5505(config-if)# no shutdown
ASA5505(config)# route primary-isp 0.0.0.0 0.0.0.0 100.100.100.2 1
ASA5505(config)# route backup-isp 0.0.0.0 0.0.0.0 200.200.200.2 2
```
```
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut
```

Step 3: Configure the trusted internal interface

```
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut
```

Step 4: Configure PAT on the outside interface

```
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0
```

Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)

```
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
```

Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP

```
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside
```

The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as Static and Dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc.
higher security levels. Security levels range from 0 to 100. The default security level for an outside interface is 0. For an inside interface, the default security level is 100. In the following sample configuration, the interface command is first used to name the inside and outside VLAN interfaces, then the DMZ interface is named and a security level of 50 is assigned to it.
```
ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50
```

**ip address** The ip address command assigns an IP address to a VLAN interface either statically or by making it a DHCP client. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using non-standard masks, you must explicitly configure the mask, but otherwise it's not necessary. In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.
The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on) through the use of the "no shutdown" statement.
```
ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown
```
**nat** The nat command enables network address translation on the specified interface for the specified subnet. In this sample configuration, NAT is enabled on the inside interface for hosts on the 192.168.1.0/24 subnet. The number "1" is the NAT I.D. which will be used by the global command to associate a global address or pool with the inside addresses. (Note: NAT 0 is used to prevent the specified group of addresses from being translated.)

```
ciscoasa(config)# nat (inside) 1 192.168.1.0 255.255.255.0
```
**global** The global command works in tandem with the nat command. It identifies the interface (usually outside) through which traffic from nat'ed hosts (usually inside hosts) must flow. It also identifies the global address which nat'ed hosts will use to connect to the outside world. In the following sample, the hosts associated with NAT I.D. 1 will use the global address 12.3.4.5 on the outside interface.

```
ciscoasa(config)# global (outside) 1 12.3.4.5
```

In this additional example of the use of the "global" command, the interface statement tells the firewall that hosts associated with NAT I.D. 1 will use the DHCP-assigned global address on the outside interface.

```
ciscoasa(config)# global (outside) 1 interface
```
**route** The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also be used in conjunction with access-lists to send specific types of traffic to specific hosts on specific subnets. In this sample configuration, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0. The statement outside identifies the interface through which traffic will flow to reach the default route.

```
ciscoasa(config-if)# route outside 0 0 12.3.4.6
```

The above commands create a very basic firewall, but frankly, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill. Other commands to use include hostname to identify the firewall, telnet or SSH to allow remote administration, DHCPD commands to allow the firewall to assign IP addresses to inside hosts, and static route and access-list commands to allow internal hosts such as DMZ Web servers or DMZ mail servers to be accessible to Internet hosts.