Implementing the Cisco Adaptive Security Appliance
CCNA Security
Presentation_ID
Cisco Confidential
Chapter 9
9.0 Introduction
9.1 Introduction to the ASA
9.2 ASA Firewall Configuration
ASA Models
There are six ASA models, ranging from the basic 5505
branch office model to the 5585 data center version.
All provide advanced stateful firewall features and VPN
functionality.
ASA models meet a range of requirements and network sizes.
ASA Models
Multi-Service (Firewall/VPN and IPS), listed by throughput and connections per second (cps):
  ASA 5505 (150 Mbps, 4000 cps)
  ASA 5510 (300 Mbps, 9K cps)
  ASA 5520 (450 Mbps, 12K cps)
  ASA 5540 (650 Mbps, 25K cps)
  ASA 5550 (1.2 Gbps, 36K cps)
  ASA SM (16 Gbps, 300K cps)
Deployment scale, smallest to largest: SOHO, Branch Office, Internet Edge, Campus, Data Center.
ASA Features
Feature: Description
Stateful firewall: An ASA provides stateful firewall services, tracking the TCP or UDP network connections traversing it. Only packets matching a known active connection are allowed by the firewall; others are rejected.
VPN concentrator: The ASA supports IPsec and SSL remote access and IPsec site-to-site VPN features.
Intrusion Prevention
Virtualization: A single ASA can be partitioned into multiple virtual devices called security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Most IPS features are supported, except VPN and dynamic routing protocols.
High availability: Two ASAs can be paired into an active/standby failover configuration to provide device redundancy. One ASA is the primary (active) device while the other is the secondary (standby) device. Both ASAs must have identical software, licensing, memory, and interfaces.
Identity firewall: The ASA can provide access control using Windows Active Directory login information. Identity-based firewall services allow users or groups to be specified instead of being restricted by traditional IP address-based rules.
Threat control
[Figure: Virtualization, with Security Context A, B, and C serving Customer A, Customer B, and Customer C over one shared Internet connection]
[Figure: Active/standby failover, with ASA-2 as Secondary/Standby, PC-A on 192.168.1.0/24, a 10.2.2.0/30 link, and the Internet]
[Figure: Identity firewall, showing Client, Server, Microsoft Active Directory, and the AD Agent]
Networks on a Firewall
Inside network - Network that is protected and behind the
firewall.
DMZ - Demilitarized zone, while protected by the firewall,
limited access is allowed to outside users.
Outside network - Network that is outside the protection of
the firewall.
ASA Licenses
ASA appliances come pre-installed with either a:
Base license
Only one permanent license key can be installed and once it is installed, it is
referred to as the running license.
show version
show activation-key
[Table: license feature comparison; every listed feature is shown as perpetual, and the DMZ entry reads Restricted]
ASA 5505
The Cisco ASA 5505 is a full-featured security appliance for
small businesses, branch offices, and enterprise teleworker
environments.
Front panel LEDs: Power LED, Status LED, Active LED, VPN LED
Status LED: Solid green indicates that the system tests passed and the system is operational.
Active LED: Solid green indicates that this Cisco ASA is configured for failover.
VPN LED: Solid green indicates that one or more VPN tunnels are active.
SSC LED: Solid green indicates that an SSC card is present in the SSC slot.
2008 Cisco Systems, Inc. All rights reserved.
Rear panel: Reset button, SSC slot, Lock slot
USB ports (front and back) can be used to enable additional services and capabilities.
Consists of an 8-port 10/100 Fast Ethernet switch. Each port can be dynamically
Ports 6 and 7 are Power over Ethernet (PoE) ports to simplify the deployment of Cisco IP phones and external wireless access points.
Note: The default DRAM memory is 256 MB (upgradable to 512 MB) and the default internal flash memory is 128 MB for the Cisco ASA 5505.
Security Levels
The ASA assigns security levels to distinguish between Inside and Outside networks.
Security levels define the level of trustworthiness of an interface: the higher the level, the more trusted the interface.
Security levels range from 0 (untrustworthy) to 100 (very trustworthy).
[Figure: appliance ports with numbered callouts, including the Auxiliary port]
Use the help key (?) after a command to view additional syntax.
Any ASA CLI command can be executed regardless of the current configuration mode prompt; the ASA does not require or recognize the IOS do command.
Additional help, listing a brief command description and syntax, is available with the help EXEC mode command followed by the CLI command (e.g., help reload).
Interrupt show command output with the letter Q (unlike the Ctrl+C (^C) IOS CLI key sequence).
IOS command and its ASA equivalent:
  erase startup-config  ->  write erase
  line con 0 / password password / login  ->  passwd password
  ip route  ->  route outside
  show ip route  ->  show route
Further ASA commands on the slide (IOS counterpart not captured): show vlan, show xlate, write [memory]
<Output omitted>
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
<Output Omitted>
object network obj_any
nat (inside,outside) dynamic interface
<Output Omitted>
http server enable
http 192.168.1.0 255.255.255.0 inside
<Output Omitted>
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
<Output Omitted>
Note: The ASA does not recognize the erase startup-config command.
Once rebooted, the CLI Setup Initialization wizard prompts to
pre-configure the firewall appliance using interactive prompts.
Entering no cancels the wizard and the ASA displays its
default prompt.
The Setup Initialization wizard is an optional method for
initially configuring an ASA. It also provides most of the
settings needed to access the ASA using ASDM.
The new SVI must also be named and assigned a security level and an IP address.
To verify the NTP configuration and status, use the show ntp status and show ntp associations commands.
CCNAS-ASA(config)# ntp server 10.10.10.1
CCNAS-ASA(config)# ntp authentication-key 1 md5 cisco123
CCNAS-ASA(config)# ntp trusted-key 1
CCNAS-ASA(config)# ntp authenticate
CCNAS-ASA(config)#
CCNAS-ASA# conf t
CCNAS-ASA(config)#
Warning, DHCP pool
192.168.1.41
CCNAS-ASA(config)#
CCNAS-ASA(config)#
CCNAS-ASA(config)#
CCNAS-ASA(config)#
Client Identifier    Lease expiration    Type
1 0 0 0
Message        Received
BOOTREQUEST    0
DHCPDISCOVER   0
DHCPREQUEST    0
DHCPDECLINE    0
DHCPRELEASE    0
DHCPINFORM     0
Message        Sent
BOOTREPLY      0
DHCPOFFER      0
DHCPACK        0
DHCPNAK        0
Introduction to ASDM
Cisco ASDM
Cisco Adaptive Security Device Manager (ASDM) is a Java-based GUI tool that facilitates the setup, configuration, monitoring, and troubleshooting of Cisco ASAs.
Introduction to ASDM
Starting ASDM
1. Verify connectivity to the ASA.
2. Open a browser and establish an HTTPS connection to the ASA.
3. Choose to:
   Install ASDM Launcher and Run ASDM, or
   Run ASDM.
Introduction to ASDM
Run ASDM: runs ASDM as a Java Web Start application.
[Figure: ASDM home screen, showing the Navigation Pane and the Status Bar]
Interfaces: Configuration > Device Setup > Interfaces > Interfaces
ASDM Wizards
ASDM has five wizards to choose from:
  Startup Wizard
  VPN Wizards
  High-Availability and Scalability Wizard
  Unified Communication Wizard
  Packet Capture Wizard
[Figure: wizard step prompting for a hostname and a domain name]
Object Groups
Objects
The ASA supports two types of objects.
Network object: contains a single IP address/mask pair.
CCNAS-ASA(config)# object ?
configure mode commands/options:
  network   Specifies a host, subnet or range IP addresses
  service   Specifies a protocol/port
CCNAS-ASA(config)#
A network object can contain only one IP address and mask pair. Entering a second IP address/mask pair replaces the existing configuration.
Object Groups
Service Objects
There are five service options:
  service protocol [source [operator port]] [destination [operator port]]
    Specifies an IP protocol name or number.
  service tcp [source [operator port]] [destination [operator port]]
    Specifies that the service object is for TCP.
  service udp [source [operator port]] [destination [operator port]]
    Specifies that the service object is for UDP.
  service icmp icmp-type
    Specifies that the service object is for ICMP.
  service icmp6 icmp6-type
    Specifies that the service object is for ICMPv6.
Object Groups
Object groups are used to group objects. An object can be attached to or detached from one or more object groups when needed, so that objects are not duplicated but can be re-used wherever needed.
Network, protocol, and ICMP-type object groups are created with the object-group {network | protocol | icmp-type} group-name command.
Service object groups are created with object-group service group-name [tcp | udp | tcp-udp].
Object Groups
Object group types:
Network: Specifies a list of IP host, subnet, or network addresses.
Protocol: Combines IP protocols (such as TCP, UDP, and ICMP) into one object. For example, to add both TCP and UDP services of DNS, create an object group and add TCP and UDP protocols into that group.
ICMP: ICMP uses unique types to send control messages (RFC 792). The ICMP-type object group can group the necessary types for security needs.
Service: Used to group TCP, UDP, or TCP and UDP ports into an object. It can contain a mix of TCP services, UDP services, ICMP-type services, and any protocol such as ESP, GRE, and TCP.
CCNAS-ASA(config)# object-group ?
configure mode commands/options:
  icmp-type   Specifies a group of ICMP types, such as echo
  network     Specifies a group of host or subnet IP addresses
  protocol    Specifies a group of protocols, such as TCP, etc
  service     Specifies a group of TCP/UDP ports/services
  user        Specifies single user, local or import user group
CCNAS-ASA(config)# object-group
Object Groups
object-group service SERVICES-1
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq ntp
exit
object-group service SERVICES-2 tcp
port-object eq pop3
port-object eq smtp
exit
object-group service SERVICES-3 tcp
group-object SERVICES-2
port-object eq ftp
port-object range 2000 2005
exit
ACLs
ACL Function
ACLs on a security appliance can be used for:
Through-traffic packet filtering: traffic passing through the appliance from one interface to another interface. The configuration requires an ACL to be defined and then applied to an interface.
ACLs
ACL types: Extended, Standard, IPv6, Webtype, Ethertype
ACL Applications
ACL use and ACL type:
  Provide through-traffic network access: Extended
ACLs
Condensed ACL
ACL name.
It could also be a number.
ACLs
Access-group Syntax
To provide through-traffic network access, the ACL must be applied to an interface.
access-group acl-id {in | out} interface interface-name [per-user-override | control-plane]
Syntax elements: access-group, acl-id, in, out, interface, interface-name, per-user-override, control-plane
per-user-override: Optional. Allows downloadable ACLs to override the entries on the interface ACL.
control-plane: Optional. Specifies if the rule is for to-the-box traffic.
ACLs
ACL Examples
access-list ACL-IN-1 extended permit ip any any
access-group ACL-IN-1 in interface inside
The ACL allows all hosts on the inside network to go through the ASA. By default, all other traffic is denied.
ACLs
Useful for VPN traffic that enters an interface but is then routed out the same interface.
Use the same-security-traffic permit inter-interface command to allow interfaces on the same security level to communicate with each other.
Use the same-security-traffic permit intra-interface command to allow communication between hosts connected to the same interface.
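The default interface policy described under Security Levels, together with the two same-security-traffic commands above, can be captured in a small model. The following is an added example, not code from the course material: it decides, for any ordered pair of interfaces, whether a new connection is allowed before any interface ACL is considered (higher level to lower allowed, lower to higher denied, equal levels and hairpinning denied unless the matching same-security-traffic command is on). The interface names and levels (inside 100, dmz 50, partner 50, outside 0) are constructed sample values.

```python
# Added example (not from the Cisco course material): model of the ASA default
# interface access policy derived from security levels. Interface names and
# levels are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class AsaAccessModel:
    # nameif -> security-level, as set with "security-level N" under each interface
    levels: Dict[str, int]
    permit_inter_interface: bool = False  # same-security-traffic permit inter-interface
    permit_intra_interface: bool = False  # same-security-traffic permit intra-interface

    def default_decision(self, ingress: str, egress: str) -> Tuple[bool, str]:
        """Decide whether a new connection entering on `ingress` and leaving on
        `egress` is permitted by the default policy alone, before any interface
        ACL is consulted. Returns (allowed, reason)."""
        if ingress not in self.levels or egress not in self.levels:
            raise KeyError(f"unknown interface: {ingress!r} or {egress!r}")
        src, dst = self.levels[ingress], self.levels[egress]
        if ingress == egress:
            # Hairpinning, e.g. VPN traffic that enters and leaves on the outside interface
            if self.permit_intra_interface:
                return True, "same interface: permitted by same-security-traffic permit intra-interface"
            return False, "same interface: denied until same-security-traffic permit intra-interface"
        if src > dst:
            return True, f"level {src} -> {dst}: higher to lower is allowed by default"
        if src == dst:
            if self.permit_inter_interface:
                return True, f"level {src} == {dst}: permitted by same-security-traffic permit inter-interface"
            return False, f"level {src} == {dst}: denied until same-security-traffic permit inter-interface"
        return False, f"level {src} -> {dst}: lower to higher needs an ACL applied in on {ingress}"


def sample_model() -> AsaAccessModel:
    """Constructed layout: inside/DMZ/outside plus a second DMZ at the same level."""
    return AsaAccessModel({"inside": 100, "dmz": 50, "partner": 50, "outside": 0})


def audit(model: AsaAccessModel) -> Dict[Tuple[str, str], bool]:
    """Every ordered interface pair and whether the default policy allows it;
    useful for spotting paths that are open without any ACL at all."""
    names = sorted(model.levels)
    return {(a, b): model.default_decision(a, b)[0] for a in names for b in names}


if __name__ == "__main__":
    m = sample_model()
    for pair, allowed in audit(m).items():
        verdict = "ALLOW" if allowed else "deny "
        print(f"{pair[0]:>8} -> {pair[1]:<8} {verdict}  {m.default_decision(*pair)[1]}")
```

The audit table is the part worth keeping: with four interfaces it lists sixteen directions, of which only the five "higher to lower" ones are open by default, so every other path must be a deliberate ACL or same-security-traffic decision.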
ACLs
Verifying ACLs
To verify the ACL syntax, use the following commands:
show running-config access-list
show access-list
ACLs
ACL - Example 1
PC-A and PC-B are external hosts that require access to the two internal
servers.
Each server provides web and email services.
ACLs
ACL - Example 1
CCNAS-ASA(config)# access-list ACL-IN remark Permit PC-A -> Server A for HTTP / SMTP
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131 eq http
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131 eq smtp
CCNAS-ASA(config)# access-list ACL-IN remark Permit PC-A -> Server B for HTTP / SMTP
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132 eq http
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132 eq smtp
CCNAS-ASA(config)# access-list ACL-IN remark Permit PC-B -> Server A for HTTP / SMTP
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131 eq http
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131 eq smtp
CCNAS-ASA(config)# access-list ACL-IN remark Permit PC-B -> Server B for HTTP / SMTP
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132 eq http
CCNAS-ASA(config)# access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132 eq smtp
CCNAS-ASA(config)# access-list ACL-IN extended deny ip any any log
CCNAS-ASA(config)#
CCNAS-ASA(config)# access-group ACL-IN in interface outside
CCNAS-ASA(config)#
ACLs
ACL - Example 1
Verify the configuration. Notice that there are nine elements (nine ACEs), excluding the remarks, that must be processed by the ASA.
CCNAS-ASA(config)# show running-config access-list
access-list ACL-IN remark Permit PC-A -> Server A for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131 eq www
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.131 eq smtp
access-list ACL-IN remark Permit PC-A -> Server B for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132 eq www
access-list ACL-IN extended permit tcp host 209.165.201.1 host 209.165.202.132 eq smtp
access-list ACL-IN remark Permit PC-B -> Server A for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131 eq www
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.131 eq smtp
access-list ACL-IN remark Permit PC-B -> Server B for HTTP / SMTP
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132 eq www
access-list ACL-IN extended permit tcp host 209.165.201.2 host 209.165.202.132 eq smtp
access-list ACL-IN extended deny ip any any log
CCNAS-ASA(config)#
CCNAS-ASA(config)# show access-list ACL-IN brief
access-list ACL-IN; 9 elements; name hash: 0x44d1c580
CCNAS-ASA(config)#
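The nine-element count above is exactly what object groups hide: one ACE that references a network group for the PCs, a network group for the servers and a service group for www/smtp expands to the same eight permits, plus the explicit deny. The following is an added example, not code from the course material: it expands a grouped ACL into the per-host ACEs the ASA evaluates (the number the brief output reports as elements) and checks sample packets against it with first-match semantics and the implicit deny. The group names EXTERNAL-PCS, INTERNAL-SERVERS and WEB-MAIL are constructed; the addresses and ports are those of ACL Example 1.

```python
# Added example (not from the Cisco course material): expands object-group
# ACEs into host-level elements and evaluates packets first-match.
# Group names are constructed; addresses and ports come from ACL Example 1.
from itertools import product
from typing import Dict, List, Optional, Tuple

# object-group network EXTERNAL-PCS / INTERNAL-SERVERS (constructed names)
NETWORK_GROUPS: Dict[str, List[str]] = {
    "EXTERNAL-PCS": ["209.165.201.1", "209.165.201.2"],
    "INTERNAL-SERVERS": ["209.165.202.131", "209.165.202.132"],
}
# object-group service WEB-MAIL tcp: port-object eq www / port-object eq smtp
SERVICE_GROUPS: Dict[str, List[int]] = {"WEB-MAIL": [80, 25]}

# ACE as written: (action, protocol, src, dst, dport). src/dst are "any",
# a host address or a network group name; dport is None, a port or a service group name.
GroupAce = Tuple[str, str, str, str, Optional[object]]
FlatAce = Tuple[str, str, str, str, Optional[int]]


def _hosts(spec: str) -> List[str]:
    return NETWORK_GROUPS.get(spec, [spec])


def _ports(spec) -> List[Optional[int]]:
    if spec is None:
        return [None]
    return SERVICE_GROUPS.get(spec, [spec])


def expand(acl: List[GroupAce]) -> List[FlatAce]:
    """Flatten group references into the ACEs the ASA really evaluates; the
    length of the result is what 'show access-list NAME brief' counts as elements."""
    flat: List[FlatAce] = []
    for action, proto, src, dst, dport in acl:
        for s, d, p in product(_hosts(src), _hosts(dst), _ports(dport)):
            flat.append((action, proto, s, d, p))
    return flat


def _matches(ace: FlatAce, pkt: dict) -> bool:
    _, proto, src, dst, dport = ace
    return (proto in ("ip", pkt["proto"])
            and src in ("any", pkt["src"])
            and dst in ("any", pkt["dst"])
            and (dport is None or dport == pkt["dport"]))


def decide(flat: List[FlatAce], pkt: dict) -> str:
    """First matching ACE wins; a list with no match ends in the implicit deny."""
    for ace in flat:
        if _matches(ace, pkt):
            return ace[0]
    return "deny (implicit)"


def render(flat: List[FlatAce], name: str = "ACL-IN") -> List[str]:
    """Print the expanded list in access-list syntax for comparison with the slide."""
    lines = []
    for action, proto, s, d, p in flat:
        src = "any" if s == "any" else f"host {s}"
        dst = "any" if d == "any" else f"host {d}"
        port = "" if p is None else f" eq {p}"
        lines.append(f"access-list {name} extended {action} {proto} {src} {dst}{port}")
    return lines


# ACL-IN rewritten with object groups: one permit line plus the explicit deny
ACL_IN_GROUPED: List[GroupAce] = [
    ("permit", "tcp", "EXTERNAL-PCS", "INTERNAL-SERVERS", "WEB-MAIL"),
    ("deny", "ip", "any", "any", None),
]
ACL_IN_FLAT = expand(ACL_IN_GROUPED)

if __name__ == "__main__":
    print("\n".join(render(ACL_IN_FLAT)))
    print(f"{len(ACL_IN_FLAT)} elements")
    pc_a_to_server_a = {"proto": "tcp", "src": "209.165.201.1", "dst": "209.165.202.131", "dport": 80}
    print("PC-A -> Server A http:", decide(ACL_IN_FLAT, pc_a_to_server_a))
    print("PC-A -> Server A https:", decide(ACL_IN_FLAT, {**pc_a_to_server_a, "dport": 443}))
```

Two permits become two groups and one service group, but the element count stays at nine, which is why object groups shorten the configuration without changing the evaluation cost; the expanded order (PC-A then PC-B, Server A then Server B, www then smtp) matches the slide's running configuration line for line.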
Inside NAT
Typical NAT deployment method, in which the ASA translates the internal host address to a global address and restores the original inside IP address on return traffic.
Outside NAT
Bidirectional NAT
Auto NAT
Introduced in ASA version 8.3, the Auto NAT feature has
simplified the NAT configuration as follows:
1. Create a network object.
Notes:
Prior to ASA version 8.3, NAT was configured using the nat,
global, and static commands.
The global and static commands are no longer recognized.
Configuring NAT
The ASA divides the NAT configuration into two sections:
The first section defines the network to be translated using a network object.
The second section defines the actual nat command parameters.
Dynamic NAT
Many-to-many translation.
Dynamic PAT
Many-to-one translation.
Static NAT
A one-to-one translation.
Twice-NAT
ASA version 8.3 NAT feature that identifies both the source and destination address in a single rule (nat command).
Dynamic NAT syntax notes:
  The first network object names the pool of public addresses, defined with range ip-addr-1 ip-addr-n.
  The second network object names the Inside subnet and binds it to the public pool network object.
  Traffic going from the real-ifc to the mapped-ifc is dynamically assigned addresses from the public pool of addresses.
object network PUBLIC-IP
range 209.165.200.240 255.255.255.240
exit
object network INSIDE-NET
subnet 192.168.1.0 255.255.255.224
nat (inside,outside) dynamic PUBLIC-IP
end
object network INSIDE-NET
subnet 192.168.1.0 255.255.255.224
nat (inside,outside) dynamic interface
end
object network INSIDE-NET
subnet 192.168.1.0 255.255.255.224
nat (inside,outside) dynamic 209.165.200.229
end
host ip-addr
Note that the any keyword could be used instead of the interface names to
allow the translation of an object between multiple interfaces using one CLI
command.
Note: Static NAT also requires that an ACE be added to the outside interface ACL.
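The three NAT forms configured above behave differently once traffic flows: a dynamic NAT pool can run out, dynamic PAT multiplexes every host onto one address by source port, and only static NAT answers unsolicited inbound connections. The following is an added example, not code from the course material: a translation table that models those three cases with the page's 192.168.1.0/27 inside network and 209.165.200.x public range. The static host 192.168.1.3 to 209.165.200.227, the two-address pool, and the 192.168.2.0/24 PAT subnet are constructed; evaluating static rules before dynamic ones and the exact (address, port) reverse lookup are simplifications of the real ASA behaviour.

```python
# Added example (not from the Cisco course material): a minimal translation
# table for dynamic NAT (pool), dynamic PAT (one address, unique ports) and
# static NAT (one-to-one, usable inbound). Addresses beyond those on the page
# are constructed; rule ordering and reverse lookup are simplified.
import ipaddress
from itertools import count
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, port)


class NatTable:
    def __init__(self) -> None:
        self.static: Dict[str, str] = {}            # real -> mapped, one-to-one
        self.dynamic: List[tuple] = []              # (network, "nat"|"pat", pool or address)
        self.host_map: Dict[str, str] = {}          # dynamic NAT: real host -> pool address
        self.pool_in_use: set = set()
        self.xlate: Dict[Endpoint, Endpoint] = {}   # real -> mapped, per connection
        self.reverse: Dict[Endpoint, Endpoint] = {} # mapped -> real
        self._next_pat_port = count(1024)

    # object network X / host A / nat (inside,outside) static B
    def add_static(self, real_ip: str, mapped_ip: str) -> None:
        self.static[real_ip] = mapped_ip

    # object network POOL / range first last ; object network NET / subnet ... / nat dynamic POOL
    def add_dynamic_nat(self, real_net: str, first: str, last: str) -> None:
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.dynamic.append((ipaddress.ip_network(real_net), "nat", pool))

    # nat (inside,outside) dynamic interface  /  nat (inside,outside) dynamic 209.165.200.229
    def add_dynamic_pat(self, real_net: str, mapped_ip: str) -> None:
        self.dynamic.append((ipaddress.ip_network(real_net), "pat", mapped_ip))

    def outbound(self, real_ip: str, real_port: int) -> Optional[Endpoint]:
        """Translate a new inside->outside connection. None means no pool
        address was free, so the connection would be dropped."""
        key = (real_ip, real_port)
        if key in self.xlate:
            return self.xlate[key]
        if real_ip in self.static:
            mapped: Optional[Endpoint] = (self.static[real_ip], real_port)
        else:
            mapped = self._dynamic_mapping(real_ip, real_port)
        if mapped is None:
            return None
        self.xlate[key] = mapped
        self.reverse[mapped] = key
        return mapped

    def _dynamic_mapping(self, real_ip: str, real_port: int) -> Optional[Endpoint]:
        addr = ipaddress.ip_address(real_ip)
        for net, kind, target in self.dynamic:
            if addr not in net:
                continue
            if kind == "pat":
                return (target, next(self._next_pat_port))   # many-to-one by source port
            if real_ip in self.host_map:                      # host already holds a pool address
                return (self.host_map[real_ip], real_port)
            for candidate in target:                          # many-to-many: grab a free address
                if candidate not in self.pool_in_use:
                    self.pool_in_use.add(candidate)
                    self.host_map[real_ip] = candidate
                    return (candidate, real_port)
            return None                                       # pool exhausted
        return (real_ip, real_port)                           # no matching rule: untranslated

    def inbound(self, mapped_ip: str, mapped_port: int) -> Optional[Endpoint]:
        """Translate a connection arriving from outside. Static entries work
        without prior outbound traffic (an ACE on the outside ACL is still
        required); dynamic entries exist only while an xlate is present."""
        for real, mapped in self.static.items():
            if mapped == mapped_ip:
                return (real, mapped_port)
        return self.reverse.get((mapped_ip, mapped_port))


def sample_table() -> NatTable:
    """Constructed rules: one static host, a two-address pool, one PAT subnet."""
    t = NatTable()
    t.add_static("192.168.1.3", "209.165.200.227")
    t.add_dynamic_nat("192.168.1.0/27", "209.165.200.240", "209.165.200.241")
    t.add_dynamic_pat("192.168.2.0/24", "209.165.200.229")
    return t


if __name__ == "__main__":
    t = sample_table()
    for host in ("192.168.1.3", "192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.2.5"):
        print(f"{host}:40000 -> {t.outbound(host, 40000)}")
    print("inbound to 209.165.200.227:80 ->", t.inbound("209.165.200.227", 80))
    print("inbound to 209.165.200.229:2000 ->", t.inbound("209.165.200.229", 2000))
```

The third pool host getting None is the dynamic NAT failure mode the slide's "many-to-many" label understates: the pool of public addresses caps the number of simultaneous inside hosts, which is the usual reason to fall back to dynamic PAT on the interface address.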
NAT in ASDM:
  Add Network Objects: Firewall > Network Objects
  Dynamic PAT: Configuration > Firewall > Objects > Network Objects/Groups
  Static NAT: Configuration > Firewall > Objects > Network Objects/Groups
  Verifying NAT: Configuration > Firewall > NAT Rules
ASA in ASDM
ASA AAA
Unlike the ISR, ASA devices do not support local authentication without using AAA.
Cisco ASA can be configured to authenticate using:
  A local user database
  An external server for authentication
  Both
ASA in ASDM
Local AAA is ideal for small networks that do not need a dedicated server.
[CLI example: authentication commands entered at the CCNAS-ASA(config)# prompt; command text not captured]
ASA in ASDM
Logoff
Username: admin
Password: *****
Type help or '?' for a list of available commands.
CCNAS-ASA>
ASA in ASDM
Adding a User
Click Add and enter the user details.
Cisco MPF uses these three configuration objects to define modular, object-oriented, hierarchical policies:
Class maps
Policy maps
Service policies
Class Maps
Class maps are configured to identify Layer 3/4 traffic.
To create a class map and enter class-map configuration mode, use the class-map class-map-name global configuration mode command.
The name class-default and any name that begins with _internal or _default are reserved.
The class map name must be unique and can be up to 40 characters in length. The name should also be descriptive.
Note: For management traffic destined to the ASA, configure the class-map type management class-map-name command.
Policy Maps
Policy maps are used to bind class maps, with these steps:
1. Use the policy-map policy-map-name global configuration mode command. The policy map name must be unique and up to 40 characters in length.
Service Policy
To activate a policy map globally on all interfaces or on a
targeted interface, use the service-policy global
configuration mode command.
service-policy policy-map-name [global | interface intf]
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
<Output omitted>
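The three MPF objects, class map, policy map and service policy, fit together as a lookup: a class map classifies a flow, the policy map attaches inspect actions to the first class that matches, and the service policy decides whether that policy map applies globally or on one interface. The following is an added example, not code from the course material: it models that lookup for the global_policy shown above (trimmed to four of its inspections) and adds an interface policy to show the per-feature precedence rule, namely that an interface policy overrides the global policy only for the features it also configures, while other global features still apply. The class name DNS-CLASS, the policy name OUTSIDE-POLICY, the map name STRICT-DNS-MAP and the reduced default-inspection port table are constructed.

```python
# Added example (not from the Cisco course material): class map -> policy map
# -> service policy lookup with per-feature interface-over-global precedence.
# Constructed names: DNS-CLASS, OUTSIDE-POLICY, STRICT-DNS-MAP; the
# default-inspection table below is a reduced stand-in, not the full ASA list.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int]  # (transport protocol, destination port)

# Which default port each inspection engine owns under "match default-inspection-traffic"
INSPECT_DEFAULT_PORT: Dict[str, Flow] = {
    "dns": ("udp", 53), "ftp": ("tcp", 21), "tftp": ("udp", 69), "esmtp": ("tcp", 25),
}
DEFAULT_INSPECTION_PORTS: Set[Flow] = set(INSPECT_DEFAULT_PORT.values())


@dataclass
class ClassMap:
    name: str
    match_ports: Set[Flow] = field(default_factory=set)  # match port tcp/udp eq N
    default_inspection: bool = False                     # match default-inspection-traffic

    def matches(self, flow: Flow) -> bool:
        if self.name == "class-default":                 # reserved catch-all class
            return True
        if self.default_inspection and flow in DEFAULT_INSPECTION_PORTS:
            return True
        return flow in self.match_ports


@dataclass
class PolicyMap:
    name: str
    # (class map, {feature: parameter}) in configuration order,
    # e.g. class inspection_default / inspect dns preset_dns_map
    classes: List[Tuple[ClassMap, Dict[str, str]]]

    def features(self, flow: Flow) -> Dict[str, str]:
        """The first class that matches the flow supplies its actions."""
        for cmap, feats in self.classes:
            if cmap.matches(flow):
                if cmap.default_inspection and flow not in cmap.match_ports:
                    # default-inspection-traffic: each engine only sees its own default port
                    return {f: p for f, p in feats.items() if INSPECT_DEFAULT_PORT.get(f) == flow}
                return dict(feats)
        return {}


@dataclass
class ServicePolicy:
    # service-policy NAME global  /  service-policy NAME interface IFC
    global_policy: Optional[PolicyMap] = None
    interface_policies: Dict[str, PolicyMap] = field(default_factory=dict)

    def apply(self, interface: str, flow: Flow) -> Dict[str, str]:
        """Features applied to a flow entering `interface`. The interface policy
        overrides the global one only for features it also configures; global
        features it does not mention still apply."""
        result = self.global_policy.features(flow) if self.global_policy else {}
        iface = self.interface_policies.get(interface)
        if iface is not None:
            result.update(iface.features(flow))
        return result


def sample_service_policy() -> ServicePolicy:
    """Constructed setup: the page's global_policy trimmed to four inspections,
    plus an outside-only policy that swaps in a stricter DNS inspection map."""
    inspection_default = ClassMap("inspection_default", default_inspection=True)
    global_policy = PolicyMap("global_policy", [
        (inspection_default, {"dns": "preset_dns_map", "ftp": "", "tftp": "", "esmtp": ""}),
    ])
    dns_class = ClassMap("DNS-CLASS", match_ports={("udp", 53)})          # constructed
    outside_policy = PolicyMap("OUTSIDE-POLICY", [(dns_class, {"dns": "STRICT-DNS-MAP"})])
    return ServicePolicy(global_policy=global_policy,
                         interface_policies={"outside": outside_policy})


if __name__ == "__main__":
    sp = sample_service_policy()
    for ifc, flow in (("inside", ("udp", 53)), ("outside", ("udp", 53)),
                      ("outside", ("tcp", 21)), ("inside", ("tcp", 8080))):
        print(f"{ifc:>7} {flow}: {sp.apply(ifc, flow)}")
```

The case worth noticing is tcp/21 on outside: OUTSIDE-POLICY says nothing about FTP, so the global FTP inspection still runs there, while udp/53 on the same interface gets STRICT-DNS-MAP instead of preset_dns_map. Adding an interface policy therefore never silently removes a global inspection; it only replaces the ones it names.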
Clientless SSL VPN: After authentication, users access a portal page and can access specific, supported internal resources.
Client-based SSL VPN: Provides a full tunnel SSL VPN connection but requires a VPN client application to be installed on the remote host.
Consumerization
To support IT consumerization, the Cisco AnyConnect client is available for
free for:
iOS devices (iPhone, iPad, and iPod Touch)
Android OS (select models)
BlackBerry
Windows Mobile 6.1
HP webOS
Nokia Symbian
ASDM Assistant
Clientless SSL VPN can be configured using the ASDM Assistant to guide
an administrator through the SSL VPN configuration.
Clientless SSL VPN wizard steps shown: 3 - User Authentication, 4 - Group Policy, 5 - Bookmark Lists, 6 - Summary
enable outside
group-policy Clientless-SSL-Policy internal
vpn-group-policy Clientless-SSL-Policy
tunnel-group Clientless-SSL-VPN type remote-access
tunnel-group Clientless-SSL-VPN general-attributes
default-group-policy Clientless-SSL-Policy
ASDM Assistant
Configuration > Remote-Access VPN > Introduction
Once installed, the host can exchange traffic with the ASA using a full
tunnel SSL VPN connection.
AnyConnect VPN wizard steps shown: 3 - VPN Protocols, 4 - Client Images, 5 - Authentication Method, 7 - DNS Configuration, 8 - NAT Configuration, 10 - Summary
Platform Detection
The ASA performs a series of compliance checks and platform detection, and finally selects or downloads the software package.
Installing AnyConnect
A security warning displays if AnyConnect must be installed.
Auto-Download Complete
After the client completes the auto-download, the web session automatically
launches the Cisco AnyConnect SSL VPN Client.
Confirming Connectivity
9.4 Summary
Summary
The Adaptive Security Appliance (ASA) is a standalone firewall device
that is a primary component of the Cisco SecureX technology.
The ASA protects Inside networks from unauthorized outside access by
combining firewall, VPN concentrator, and intrusion prevention
functionality into one device.
The ASA can also support advanced features, such as virtualization, high
availability with failover, identity firewall, and advanced threat control and
can be configured in routed mode or in transparent mode.
Summary (cont.)
ASA devices can be configured and managed using either the CLI or the
Adaptive Security Device Manager (ASDM) GUI.
The ASA CLI is a proprietary OS which has a similar look and feel to the
router IOS.
The ASA 5505 ships with a default configuration that is sufficient for
SOHO deployments. The configuration includes:
Two preconfigured VLAN networks
DHCP enabled for inside hosts
NAT for outside access
The Cisco ASDM facilitates the setup, configuration, monitoring, and
troubleshooting of Cisco ASAs.
ASDM provides several wizards to help simplify the configuration.
The Startup Wizard guides the administrator through the initial
configuration of the ASA.
Summary (cont.)
The VPN wizards allow an administrator to configure basic site-to-site and
remote access VPNs. ASDM also provides a High Availability and
Scalability Wizard, Unified Communication Wizard, and a Packet Capture
Wizard.
The ASA supports objects and object groups making it easier to maintain
configurations.
The ASA provides basic traffic filtering capabilities with ACLs.
It supports NAT and PAT, which can be static or dynamic.
The ASA can be configured to authenticate using a local user database or
an external server.
The ASA uses the MPF to define sets of rules for applying firewall
features.
Summary (cont.)
The ASA provides support for site-to-site IPsec VPNs. It can also support
the following remote access VPNs:
Clientless SSL VPN Remote Access (using a web browser)
SSL or IPsec (IKEv2) VPN Remote Access (using Cisco AnyConnect
client)
IPsec (IKEv1) VPN Remote Access (using Cisco VPN client)
With a clientless SSL VPN deployment, remote clients use an SSL web
portal interface. A client-based SSL VPN requires a client, such as the
Cisco AnyConnect VPN client, to be pre-installed on the host, or
downloaded on-demand via a browser.