Agenda
Copyright www.INE.com
ASA Overview
Stateful Firewall Filtering
Supports Application Aware Inspection
VPN Termination
Supports both IKEv1/IKEv2 IPsec and SSL VPNs
Track traffic that tries to enter from the untrusted network to the trusted network
If an entry exists in the state table, permit it
E.g. the return HTTP flow from server B to client A
Direction of inspection
E.g. Inside to Outside vs. Inside to DMZ vs. Outside to DMZ, etc.
Routed Firewall
Interfaces are in different subnets and different VLANs
Traffic is routed between interfaces
Implies the need for static or dynamic routing protocols
Transparent firewall
Agenda
ASA Management Methods
Basic ASA Initialization
ASA Management
ASA supports two methods of management
Command Line Interface (CLI)
Cisco Adaptive Security Device Manager (ASDM)
Both supported in the current CCIE SCv4 Blueprint
CLI Management
Local via Console port
Remote via Telnet or SSH
ASDM Management
Remote via HTTPS
There are certain tasks which can only be completed using the GUI (SSL VPN Bookmarks, AnyConnect Client Profiles, DAP Policies)
Assign IP Addressing
ip address ip_address [mask] standby ip_address
Agenda
Route Tracking
Multicast Routing
Agenda
ASA Access Control Lists (ACLs)
ASA Object Groups & Objects
Access-Lists (ACLs)
By default ASA allows
Traffic from higher security to lower security
Traffic from lower security to higher security if state already exists
Not all traffic is actually inspected by default
Access-Lists (ACLs)
Order of processing is:
Inbound ACL
Global ACL
Outbound ACL
When a global ACL is configured, the implicit deny from the inbound ACL is automatically removed
When both inbound ACL and global ACLs are used we can say that:
Access-Lists (ACLs)
Like in IOS, ASA ACLs match traffic based on
Source IP Address
Destination IP Address
IP Protocol Number
TCP & UDP Ports
ICMP Type Codes
Time Range
Access-Lists (ACLs)
Like in IOS, ASA ACLs can be
Standard
Matches only on source IP addresses
Extended
Matches on any combination of src, dst, port, etc.
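As an added example (not code from the INE slides), a small Python model of the processing order described above: inbound ACL, then global ACL, then outbound ACL, with the security-level default deciding when no ACL applies and the inbound implicit deny falling away once a global ACL exists. Interface names, security levels, ACEs and flows are constructed for this example.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

# Constructed security levels for the interfaces named on the slides.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
# A flow: addresses, protocol, destination port, and the ingress/egress interface names.
Packet = namedtuple("Packet", "src dst proto dport ingress egress")
@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # "any" or one host address
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport))

def first_match(acl: List[ACE], p: Packet) -> Optional[str]:
    """Action of the first matching ACE, or None when nothing in the ACL matches."""
    return next((a.action for a in acl if a.matches(p)), None)

def ingress_action(p: Packet, inbound: Optional[List[ACE]], global_acl: Optional[List[ACE]]) -> str:
    if inbound is None and global_acl is None:
        # No ACL at all: the security-level default decides. Replies already in the state
        # table would also pass, but this stateless model does not track them.
        return "permit" if SECURITY_LEVEL[p.ingress] > SECURITY_LEVEL[p.egress] else "deny"
    if inbound is not None:
        action = first_match(inbound, p)
        if action is not None:
            return action
        if global_acl is None:
            return "deny"  # implicit deny at the end of the inbound ACL
        # A global ACL removes that implicit deny: unmatched traffic falls through to it.
    return first_match(global_acl, p) or "deny"  # implicit deny at the end of the global ACL

def asa_permits(p: Packet, inbound: Optional[List[ACE]] = None, global_acl: Optional[List[ACE]] = None,
                outbound: Optional[List[ACE]] = None) -> bool:
    """Inbound ACL, then global ACL, then the outbound ACL of the egress interface."""
    if ingress_action(p, inbound, global_acl) != "permit":
        return False
    return True if outbound is None else first_match(outbound, p) == "permit"
WEB = ACE("permit", "tcp", "any", "10.0.0.100", 80)   # constructed sample ACEs
SMTP = ACE("permit", "tcp", "any", "10.0.0.101", 25)
OUT_TO_WEB = Packet("200.0.0.1", "10.0.0.100", "tcp", 80, "outside", "dmz")   # constructed flows
OUT_TO_MAIL = Packet("200.0.0.2", "10.0.0.101", "tcp", 25, "outside", "dmz")
IN_TO_OUT = Packet("10.0.0.5", "200.0.0.9", "tcp", 443, "inside", "outside")
```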
Object Groups
Object Groups simplify ACL management by grouping similar objects together
E.g. PUBLIC_WEB_SERVERS grouping
Object Groups
Four types of Object Groups
Protocol
E.g. TCP, UDP, ESP, GRE, etc.
Network
IP address, subnet address, etc.
Service
TCP & UDP port numbers
ICMP type
Echo, Echo-Reply, Unreachable, etc.
Expanded access-list entries (2 source hosts x 2 destination hosts x 3 services = 12 entries):
1 extended permit tcp host 200.0.0.1 host 10.0.0.100 eq www
1 extended permit tcp host 200.0.0.1 host 10.0.0.100 eq https
1 extended permit tcp host 200.0.0.1 host 10.0.0.100 eq smtp
1 extended permit tcp host 200.0.0.1 host 10.0.0.101 eq www
1 extended permit tcp host 200.0.0.1 host 10.0.0.101 eq https
1 extended permit tcp host 200.0.0.1 host 10.0.0.101 eq smtp
1 extended permit tcp host 200.0.0.2 host 10.0.0.100 eq www
1 extended permit tcp host 200.0.0.2 host 10.0.0.100 eq https
1 extended permit tcp host 200.0.0.2 host 10.0.0.100 eq smtp
1 extended permit tcp host 200.0.0.2 host 10.0.0.101 eq www
1 extended permit tcp host 200.0.0.2 host 10.0.0.101 eq https
1 extended permit tcp host 200.0.0.2 host 10.0.0.101 eq smtp
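Added example, not from the slides: expanding a single object-group ACE into the per-member entries the firewall actually evaluates, reproducing the 12-entry list above and generalizing to subnet members as well as hosts. PUBLIC_WEB_SERVERS is the grouping the slides name; INTERNET_CLIENTS and WEB_MAIL_SERVICES are assumed names for this example.

```python
from ipaddress import ip_network
from itertools import product
from typing import Dict, List

# Well-known ports that "show access-list" prints by name.
PORT_NAMES = {80: "www", 443: "https", 25: "smtp"}

# Constructed object groups. PUBLIC_WEB_SERVERS is the name the slides use;
# the other two names are assumed for this example.
OBJECT_GROUPS: Dict[str, List] = {
    "INTERNET_CLIENTS": ["200.0.0.1/32", "200.0.0.2/32"],      # network group
    "PUBLIC_WEB_SERVERS": ["10.0.0.100/32", "10.0.0.101/32"],  # network group
    "WEB_MAIL_SERVICES": [80, 443, 25],                         # tcp service group
}

def net_token(cidr: str) -> str:
    """Render a network member the way the ASA prints it: 'host A' for a /32,
    otherwise 'address mask'."""
    net = ip_network(cidr, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def expand_ace(line: int, proto: str, src_grp: str, dst_grp: str, svc_grp: str,
               groups: Dict[str, List] = OBJECT_GROUPS) -> List[str]:
    """Expand one object-group ACE into the per-member entries the firewall evaluates.
    Members combine source-major, then destination, then service, which is the order
    of the expanded list on the slide."""
    combos = product(groups[src_grp], groups[dst_grp], groups[svc_grp])
    return [f"{line} extended permit {proto} {net_token(s)} {net_token(d)} "
            f"eq {PORT_NAMES.get(p, p)}" for s, d, p in combos]

def expanded_count(*grps: str, groups: Dict[str, List] = OBJECT_GROUPS) -> int:
    """Expanded entry count is the product of the group sizes (2 x 2 x 3 = 12 here);
    that expanded count, not the single configured line, is what consumes ACE capacity."""
    n = 1
    for g in grps:
        n *= len(groups[g])
    return n

if __name__ == "__main__":
    for entry in expand_ace(1, "tcp", "INTERNET_CLIENTS", "PUBLIC_WEB_SERVERS", "WEB_MAIL_SERVICES"):
        print(entry)
```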
Objects
Added along with NAT changes in 8.3
Different from object-groups
Required for Object-NAT
More on this later
Service
Protocol, TCP/UDP source/destination ports
TCP/UDP ports can only be used in Twice NAT
Agenda
ASA High Availability Overview
Redundant Interfaces
Failover
Redundant Interfaces
Binding multiple physical interfaces
Redundant Interfaces
Groups multiple physical interfaces into one logical interface
interface Redundant [num]
member-interface [physical-interface]
Redundant Interfaces
Physical interfaces should only have physical parameters
Speed, duplex, no shutdown, etc.
Active/Active
Both units forward traffic
Only supported in multiple context mode
Different contexts active in same or different units
Active/Active supports
Multiple Context Mode Routed Firewall
Multiple Context Mode Transparent Firewall
Interface monitoring
Stateful failover
Active unit constantly replicates state table
xlates, TCP, UDP, IKE & IPsec SA, ARP, etc.
Active/Standby Failover
Uses designated failover interface
Requires a dedicated physical LAN link
Standby polls the active firewall
Configuration replicated from active to standby
State tables not replicated by default
Upon failover
Units change roles
Standby unit assumes IPs and MACs of primary
Enable failover
failover
Enable failover
failover
Health Monitoring
Failover polling detects unit failure
Timeout via failover polltime
Stateful Failover
Configured separately from LAN failover
Uses stateful failover link for replication
Could be shared with LAN failover link
Normally recommended to be separate
State information may generate an excessive amount of traffic
Active/Active Failover
One unit is active for a group of contexts
Another unit is active for a different group of contexts
Uses the concept of failover groups
Defined in system context
There are only 2 failover groups; it makes no sense to have more
Admin context is always a member of failover group 1, and this is non-configurable
HA Commands
failover exec [active|mate|standby] <command>
E.g. failover exec mate show version
show failover
show failover history
show failover group (only in A/A mode)
show monitor-interface (only in A/A mode)
Agenda
Resource limits
Number of connections, hosts, xlates, etc.
Firewall policy
MPF Inspections, ACLs, NAT, etc.
System Context
Used to create new contexts and define context parameters
Interface to context assignments
Resource allocation
Configuration file location
Admin Context
Used for remote access to system context
Only context that remotely supports the changeto system command
Identity NAT
Inside and outside addresses must be unique per context
Context Resources
Resources can be limited on a per context basis
Connections
Translations (xlates)
MAC Addresses
Management sessions
Context Routing
Only static routes supported
Even for connected prefixes in other contexts
Define contexts
ASA(config)# context ABC
Agenda
ASA Transparent Firewall
Transparent firewall
Interfaces are in the same subnet but different VLANs
Traffic is layer 2 bridged between interfaces based on the CAM table
Multicast IP routing
Multicast traffic can be allowed through ACL
Before 8.4
After 8.4
Enable Interfaces
Assign names
nameif [name]
interface mgmt0/0
nameif [name]
management-only
ip address <active_addr> <netmask> standby <standby_addr>
Questions?
Agenda
ASA Transparent Firewall & ARP Filtering
Agenda
Active/Standby Transparent Failover
Active/Active Transparent Failover