BRKSEC-2021
@mason_harris
Cisco ASA Sessions: Building Blocks
BRKSEC-2020 Firewall Deployment (Mon 10:00)
BRKSEC-2021 Firewall Architectures (Wed 08:00)
BRKSEC-3032 ASA Clustering Deep Dive (Th 10:00)
BRKSEC-3021 Maximizing Firewall Performance (Tue 08:00)
BRKSEC-2028 Deploying NG Firewall (Mon 08:00)
Additional slot: Th 13:00
Agenda
Introduction
Deployment Modes
Routing on the ASA
Firewall Virtualization
ASA High Availability
Advanced ASA Deployments
Summary
INTRODUCTION
Introduction: What is Firewall Architecture?
Deploying any firewall means a consideration of the surrounding
network and the reasons for deploying a firewall
This session will focus on different ways Cisco firewalls are deployed
Cisco firewalls can be physical or virtual or a combination of both
Best practices and gotchas/caveats will be shared and discussed
This session does not cover IOS firewall, Firewall Services Module
(FWSM) or ASA Next Generation Firewall (FirePOWER services)
Please ask questions, we'll be moving fast
PHYSICAL FIREWALLS
Physical Firewalls: Service Modules and Appliances
Cisco currently only has one service module firewall, the ASA SM for the
Catalyst 6500-E
SM firewalls have no physical interfaces and rely entirely on the existing
switching infrastructure for packet flow
Uses VLANs to redirect which packets are inspected or bypassed
Appliance firewalls can be deployed in more places in the network but require
physical cabling
Additional services (e.g. remote access VPN) are available on physical firewalls
that don't exist on blade firewalls
ASA SM and ASA appliances run same code and have same features (mostly)
Physical Firewalls: ASA Service Module
Supported on Catalyst 6500-E and 7600
Treat as an external firewall on a stick
Critical design around SVI placement for L3
Up to 4 modules in one chassis
Completely based on ASA5585-X architecture with full feature parity
VPN is supported with ASA 9.0(1)+, ASA clustering is not supported
Physical Firewalls: ASA 5585 Appliances
2 slots (2 RU): FW+FW, FW+NGIPS (FirePOWER on ASA), or I/O Expansion card
Top end 5585s provide 4 10GE ports (SFP)
I/O card(s) can add up to 20 10GE ports
20 Gbps multiprotocol throughput per appliance (5585-60)
10 million connections per appliance (5585-60)
Firewall - Transparent Mode
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
!
interface BVI1
 ip address 10.1.1.100 255.255.255.0
Same subnet (10.1.1.0/24, VLAN 10) on both interfaces; BVI 1 (Bridge Virtual Interface) carries the management address 10.1.1.100/24
Firewall - Routed Mode
hostname ciscoasa
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.99.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
Outside: 10.99.1.0/24 with the ASA at 10.99.1.1; inside: 10.1.1.0/24 with the ASA at 10.1.1.1
Routed mode has a routing table; the ASA operates at L3
ASA can use routing protocols
ROUTING ON THE ASA
Routing and the ASA
The ASA is not an IOS router, but it has evolved over time to add more routing functions
Understanding the Next Hop selection process on ASA is critical
ASA supports EIGRP, OSPFv2/v3, RIP, BGP and PIM-SM
Separate management routing table in 9.5(1) (July 2015)
ASA supports floating static routes
ASA Failover synchronizes routing table as part of state sync process
ASA Clustering also syncs routing table but process depends on deployment
Routing is supported in multi context mode; EIGRP and BGP can only have
one instance per context while OSPF v2 can have up to two
Routing and the ASA Continued Proxy ARP
Proxy ARP is when a device answers an ARP request for an IP address it does not own
with its own MAC address
ASA has it on by default, but the setting is only visible with show running-config all:
no sysopt noproxyarp <interface>
Useful for NAT translations and other things where ASA is hiding the true
identity of a service
Many networks have suffered due to a misunderstanding of this command
Excellent summary blog post by Paul Stewart:
http://www.packetu.com/2011/11/07/the-asas-arp-behavior/
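Added example (not from the deck) showing where the proxy ARP behaviour above actually bites: a static NAT whose mapped address lives in the outside subnet. Object names, addresses and the outside subnet 203.0.113.0/24 are assumed.

```cisco
! Default, implicit; shows up only in "show running-config all sysopt":
!   no sysopt noproxyarp outside
!
! Static NAT: inside host 10.1.1.10 is published as 203.0.113.10.
! 203.0.113.10 sits in the outside subnet but is not the interface address.
! With proxy ARP on, the ASA answers the upstream router's ARP for
! 203.0.113.10 with its own outside MAC, so no route is needed upstream.
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! Same idea with proxy ARP suppressed for this translation only.
! The upstream router must now carry a host route for 203.0.113.11
! pointing at the ASA outside address, or its ARP goes unanswered.
object network WEB-SERVER-NOPROXY
 host 10.1.1.11
 nat (inside,outside) static 203.0.113.11 no-proxy-arp
!
! The interface-wide switch the slide warns about. After this the ASA
! answers ARP only for its own outside interface address, so every
! static and PAT pool address on outside must be routed to the ASA.
sysopt noproxyarp outside
!
! Check what the ASA will answer for: "show arp" on the ASA and the
! upstream router's ARP cache after a ping to the mapped address.
```

Most of the "network suffered" incidents behind the slide come from the last line: it is applied to fix a duplicate-address complaint, and every published NAT address on that interface goes dark until the upstream gets static routes.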
Non-Stop Forwarding (NSF) aka Graceful Restart
Traditionally, when a network device restarts, all routing peers of that device remove
the routes learned from it and update their routing tables
At scale this can create an unstable routing environment across multiple routing
domains, which is detrimental to overall network performance
Modern dual-processor systems solve this problem by restarting the control plane on one
processor while continuing to forward traffic on the other
For devices that support NSF, the route removal and re-insertion caused by restarts is
no longer necessary, which adds network stability
Uses protocol extensions to give the restarting device a grace period during which
traffic continues to be forwarded via the existing routes
Non-Stop Forwarding (NSF) on ASA 9.3+
Pre 9.3: the Routing Information Base is replicated in A/S failover and Spanned
Etherchannel clustering
The active unit or master establishes the dynamic routing adjacencies and keeps the standby and slaves up-to-date
When the active unit or master fails, the failover pair or cluster continues forwarding traffic
based on the replicated RIB
The new active unit or master re-establishes the dynamic routing adjacencies and updates the RIB
Adjacent routers flush routes when the adjacency is re-established, causing momentary traffic
black-holing
9.3 and after: Non-Stop Forwarding (NSF) / Graceful Restart (GR)
Cisco or IETF compatible for OSPFv2 and OSPFv3; RFC 4724 for BGPv4
ASA notifies compatible peer routers after a switchover in failover or Spanned Etherchannel
clustering
ASA acts as a helper to support a graceful or unexpected restart of a peer router in all modes
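Added example (not from the deck) of the 9.3+ configuration the two slides above describe: IETF graceful restart for OSPFv2/OSPFv3 and RFC 4724 graceful restart for BGP, with the ASA also acting as helper. Process IDs, AS numbers, networks and the neighbor address are assumed; timers are illustrative.

```cisco
! OSPFv2: announce our own restart capability (used after a failover
! switchover) and act as helper when a peer restarts. Link-local
! signalling carries the IETF GR extensions.
router ospf 1
 network 10.99.1.0 255.255.255.0 area 0
 capability lls
 nsf ietf restart-interval 120
 nsf ietf helper strict-lsa-checking
!
! OSPFv3 equivalent
ipv6 router ospf 1
 graceful-restart restart-interval 120
 graceful-restart helper
!
! BGP: RFC 4724. restart-time is what we advertise to peers; stalepath-time
! bounds how long we keep a restarting peer's routes before flushing them.
router bgp 65001
 bgp graceful-restart restart-time 120 stalepath-time 360
 address-family ipv4 unicast
  neighbor 10.99.1.2 remote-as 65002
  neighbor 10.99.1.2 activate
!
! Verify on the peer side that the capability was negotiated:
!   show ospf            (NSF section of the process summary)
!   show bgp neighbors   (look for "Graceful Restart Capability")
```

The peers must support the same flavour (Cisco or IETF for OSPF); without a negotiated capability the switchover falls back to the pre-9.3 adjacency flush the slide describes.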
Legacy Equal Cost Multi Path (ECMP) on ASA
Supports up to 3 Equal Cost Multi Path (ECMP) routes on the same interface
Seamless connection switchover to another egress interface in the same zone on failure, but NAT/PAT sessions will need to be re-established
Helpful with asymmetric routing and load-balancing deployments; not supported for VPN, BTF (Botnet Traffic Filter), management or failover interfaces
Diagram: next hops 10.1.1.1, 10.1.1.2 and 10.1.1.3 behind interfaces inside 1 and inside 2, grouped in traffic zone Zone-In
http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html
Legacy Static Route Tracking via SLA
Static routes are, um, static
ASA has had a tracking feature for many years to ensure that a next hop is up
Does NOT load-balance; uses an active-standby model
Diagram: tracked target 192.168.1.100 reached via GW-A (primary) with GW-B as backup (10.1.1.1 and 10.2.2.1)
Diagram (transparent firewall): FW Outside on VLAN 20 (Untrusted/Outside), FW Inside on VLAN 10 (Trusted/Inside), virtual hosts behind the server gateway (10.199.199.1, 10.199.199.2)
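Added example (not from the deck) contrasting the three next-hop options on the two slides above: legacy same-interface ECMP, cross-interface ECMP with a 9.3 traffic zone, and SLA-tracked active/standby static routes. Pick one; they overlap if pasted together. Interface names, the zone name, SLA numbers and addresses are assumed.

```cisco
! ---- (a) Legacy ECMP: up to 3 equal-cost routes on ONE interface ----
! Flows are hashed across the next hops. No health check: a dead gateway
! keeps receiving its share until the route is removed.
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
route outside 0.0.0.0 0.0.0.0 10.1.1.3 1
!
! ---- (b) ECMP across interfaces with a traffic zone (ASA 9.3+) ----
! Members of one zone share a route table entry, and a connection may
! move to another member interface on failure (NAT/PAT state is not kept).
zone OUTSIDE-ZONE
interface GigabitEthernet0/0
 nameif isp-a
 security-level 0
 ip address 10.1.1.10 255.255.255.0
 zone-member OUTSIDE-ZONE
interface GigabitEthernet0/2
 nameif isp-b
 security-level 0
 ip address 10.2.2.10 255.255.255.0
 zone-member OUTSIDE-ZONE
route isp-a 0.0.0.0 0.0.0.0 10.1.1.1 1
route isp-b 0.0.0.0 0.0.0.0 10.2.2.1 1
!
! ---- (c) SLA-tracked static route: active/standby, no load balancing ----
! Probe a target beyond GW-A. "interface outside" pins the probe to the
! primary path so reachability is still measured after failover.
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.1.100 interface outside
 frequency 5
 timeout 1000
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! Primary route exists only while track 1 is Up; the metric-254 route on
! the second ISP interface is installed only when the primary is withdrawn.
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1 track 1
route backup 0.0.0.0 0.0.0.0 10.2.2.1 254
!
! Verify: "show track 1" (Reachability is Up/Down), "show route" (which
! default route is installed), "show sla monitor operational-state 10".
```

Track a host past the gateway, not the gateway itself: the first hop answers ping long after the ISP behind it is gone.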
Diagram (dual-ISP case study): an Active ASA / Standby ASA pair placed internally between the L3 switch/router layer and a fully meshed BGP network core that peers with ISP A and ISP B; labels show both transparent and L3 routed placement
Internal placement provides ACL and stateful inspection without disturbing existing Layer 3 services
Case Study: Transparent Firewall Traffic Flow
1. Outbound connection comes in through the inside VLAN to SVI 100
3. Connection passes back through the switch at Layer 2 toward the next routed hop on outside VLAN 101
Diagram: Internal VLAN 200, Inside VLAN 100, Outside VLAN 101, host 192.168.0.3/29
Diagram: single physical ASA hosting virtual firewalls VFW 1, VFW 2, VFW 3 and VFW 4
North-South flows typically run from the Access layer to the Aggregation layer and Core
East-West (E-W) flows typically stay within a zone or between zones and are often server-to-server traffic (Web, App and Database tiers of virtual hosts)
Where to Place the Firewall?
Centralized firewalls are the traditional
approach to virtualized host security
Often a transitional architecture
Firewalls in the core, aggregation or edge?
Big challenge is scalability
Usually the limiting factor is connections
not bandwidth
How to handle a requirement for L2
(micro)segmentation of hosts?
How to address virtual host mobility?
Cisco's Legacy Virtual Firewalls: VSG and ASA 1000V
Cisco has two legacy virtual firewalls: the ASA 1000V and the Virtual Security
Gateway (VSG)
Each runs as a virtual machine in VMware
Both are managed via Virtual Network Management Center (VNMC)
Both are licensed per CPU socket
They are complementary to each other and require the Nexus 1000V Distributed
Virtual Switch and utilize a new forwarding plane, vPath
ASA 1000V: End-of-Sale March 2015
Diagram: Virtual Security Gateway alongside ASA 1000V
What is the Virtual Security Gateway?
VSG is an L2 firewall that runs as a virtual
machine, a bump in the wire
It provides stateful inspection between L2
adjacent hosts (same subnet or VLAN)
It can use VMware attributes for policy
Provides benefits of L2 separation for East-
West traffic flows
One or more VSGs are deployed per tenant
Requires Nexus 1000V dVS
VSG Deployment Guide: http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11208/deployment_guide_c07-647435.html
ASA Evolution
2005 - Present: Physical ASA (ASA 5500 and 5500-X family)
2012: ASA 1000V; unique ASA codebase, no L2 mode, no RA VPN, no routing protocols, limited features
2015: ASAv; same codebase as the physical ASA, no clustering and multiple contexts
Introducing the Virtualized ASA (ASAv)
Introduced with ASA 9.2 code release (April 2014)
No Nexus 1000V requirement
Currently supported on VMware vSphere 5.x and KVM
Has all ASA features with some exceptions
No support for:
1. ASA clustering
2. Multi context mode (can't virtualize a VM)
3. Etherchannel interfaces
4. Active/Active Failover (requires multi context mode)
Active/Standby Failover
Single- or multiple-context mode
Active/Active Failover
Requires multiple-context mode
Switchover based on context (failover) groups
Both units are passing traffic
Design caveats exist
Diagram: contexts A and B, each with its own Inside A/Outside A and Inside B/Outside B interfaces, with the active role split between the Primary and Secondary units
ASA Clustering For Scalable High Availability
ASA Clustering was introduced in the 9.0 release (October 2012) to solve the
problem of redundancy with scalability
Allows for N+1 redundancy with a backup firewall for every active flow
An ASA cluster is treated by the network as one logical firewall
Configuration is synchronized among cluster members
Three reasons to consider ASA Clustering:
1. Redundancy: no single point of failure, actively using all cluster members
2. Scalability: the cluster can grow as requirements increase over time
3. Asymmetric flow reassembly: the cluster maintains symmetry for all connections
ASA Clustering System Requirements
All cluster members must have identical hardware configuration
Up to 8 ASA5580/5585-X in ASA 9.0 and 9.1; up to 16 ASA5585-X in ASA 9.2(1)+
Up to 2 ASA5500-X in ASA 9.1(4)+
SSP types, application modules, and interface cards must exactly match
Individual Data Interface Mode
Routed firewall contexts only
Master owns virtual IPs on data interfaces for management purposes only
Use ECMP/PBR or dynamic routing protocols to load-balance traffic
Members get data interface IPs from configured pools in the order of joining
Per-unit Etherchannels support up to 16 members in ASA 9.2(1)+
Diagram: ASA cluster (Master, Slave) between inside 192.168.1.0/24 (vPC) and outside 172.16.125.0/24; each member has Te0/6-Te0/7 toward inside and Te0/8-Te0/9 toward outside; virtual IP .1, Master .2, Slave .3 on each side
Dynamic Routing and Clustering
Master unit runs dynamic routing in Spanned Etherchannel mode
RIP, EIGRP, OSPFv2, OSPFv3, BGP4 and PIM
Routing and ARP tables are synchronized to other members like in failover
Slower external convergence only on Master failure
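Added example (not from the deck) of the Individual Data Interface Mode configuration from the slide above, on the first unit. Pool ranges, the cluster control link interfaces (Te0/4-Te0/5), the cluster name/key and the OSPF process are assumed; the inside/outside interfaces and subnets follow the slide's diagram. In individual mode each member runs its own routing process and forms its own adjacencies, unlike Spanned Etherchannel mode where only the master does.

```cisco
! Run once on every unit before joining; changes the data-interface mode.
cluster interface-mode individual force
!
! Cluster control link: per-unit EtherChannel on an isolated switch VLAN.
interface TenGigabitEthernet0/4
 channel-group 1 mode on
interface TenGigabitEthernet0/5
 channel-group 1 mode on
interface Port-channel1
 description Cluster Control Link
!
! Each member pulls its own data-interface IP from the pool in join order;
! the address on the "ip address" line is the master-owned virtual IP
! (management only, not a traffic VIP).
ip local pool INSIDE-POOL 192.168.1.2-192.168.1.17
ip local pool OUTSIDE-POOL 172.16.125.2-172.16.125.17
!
interface TenGigabitEthernet0/6
 channel-group 10 mode active
interface TenGigabitEthernet0/7
 channel-group 10 mode active
interface Port-channel10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 cluster-pool INSIDE-POOL
!
interface TenGigabitEthernet0/8
 channel-group 11 mode active
interface TenGigabitEthernet0/9
 channel-group 11 mode active
interface Port-channel11
 nameif outside
 security-level 0
 ip address 172.16.125.1 255.255.255.0 cluster-pool OUTSIDE-POOL
!
! Adjacent routers see one next hop per member; let a routing protocol
! (or ECMP/PBR) spread flows across them.
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 network 172.16.125.0 255.255.255.0 area 0
!
cluster group DC-CLUSTER
 local-unit asa1
 cluster-interface Port-channel1 ip 10.254.254.1 255.255.255.0
 priority 1
 key ClusterSharedSecret
 enable
!
! Second unit: identical except
!   local-unit asa2
!   cluster-interface Port-channel1 ip 10.254.254.2 255.255.255.0
!   priority 2
! Verify membership and pool assignment: "show cluster info", "show ip".
```

The hardware-parity requirement from the "System Requirements" slide is enforced at join time: a member with a different SSP, module or interface card is rejected.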
Inter-DC clustering (ASA 9.2+): Site A and Site B form one ASA cluster; the CCL is fully extended between the DCs at L2 with <10 ms of latency
VLANs were an early and still the most common tool to segment the
network into smaller units
ASA in transparent mode was designed for this purpose (VLAN
stitching), but L2 domains are still shared
Virtual Security Gateway (VSG) was designed for E-W traffic
(micro)segmentation within the same L2 domain
VxLAN and Security Group Tags (SGTs) provide segmentation options
VxLAN Overview
Data Center Segmentation with Security Group Tags
Standard ACE rules (both IPv4 and IPv6) and SGFW rules are all combined in the same rules table
Diagram: Web Servers, Middleware Servers, Database Servers and Storage segmented by an ASA running SGFW
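Added example (not from the deck) of the single rules table the slide describes: SGT-based ACEs for the Web / Middleware / Database tiers in the diagram mixed with an ordinary address-based ACE in one interface ACL. Tag numbers, the static IP-to-SGT mappings (in production these come from ISE over SXP), the interface name and the management subnet are assumed.

```cisco
! Static IP-to-SGT mappings for a lab; tags 10/20/30 are assumed values.
cts role-based sgt-map 10.10.1.10 sgt 10
cts role-based sgt-map 10.10.2.10 sgt 20
cts role-based sgt-map 10.10.3.10 sgt 30
!
! One ACL, evaluated top-down. SG-aware ACEs and classic ACEs interleave;
! "any" after a security-group spec matches any address carrying that tag.
!   SGT 10 = Web, 20 = Middleware, 30 = Database
access-list DC_IN extended permit tcp security-group tag 10 any security-group tag 20 any eq 8080
access-list DC_IN extended permit tcp security-group tag 20 any security-group tag 30 any eq 3306
access-list DC_IN extended deny ip any security-group tag 30 any log
access-list DC_IN extended permit tcp 10.200.0.0 255.255.0.0 security-group tag 10 any eq 443
access-list DC_IN extended deny ip any any
access-group DC_IN in interface dc
!
! Verify the ACL compiled with its SG entries: "show access-list DC_IN".
```

Order matters as with any ACL: the deny toward tag 30 sits above the management permit so a Web host that is also in 10.200.0.0/16 cannot reach the database tier.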
IPv6
IPv6 and Cisco Firewalls
Virtual Security Gateway supports IPv6
ASA code has supported IPv6 for many years and 9.0 release augments IPv6
features (ASA and ASASM)
Very little performance hit with IPv6
AnyConnect and IPsec VPN also support IPv6
ASDM supports IPv6 addresses
NAT46 and NAT64 support on ASA
Works with Security Group Tags (IPv4 and IPv6)
Unified IPv4 and IPv6 ACLs
Older ASA software used separate IPv4 and IPv6 interface ACLs ("any" depends on the ACL type):
access-list INSIDE_IPV4 extended permit ip host 10.1.1.1 any
ipv6 access-list INSIDE_IPV6 permit ip host 2001:DB8::1 any
access-group INSIDE_IPV4 in interface inside
access-group INSIDE_IPV6 in interface inside
ASA 9.0 and newer uses a single ACL for all IPv4 and IPv6; any4 and any6 select one family explicitly:
access-list IN extended permit ip host 10.1.1.1 any4 (any IPv4)
access-list IN extended permit ip host 2001::1 any6 (any IPv6)
access-list IN extended permit ip host 10.1.1.1 host 2001:DB8::10 (mixed IPv4 and IPv6; needs NAT)
access-list IN extended permit ip any any (any matches both families)
https://supportforums.cisco.com/docs/DOC-15973
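Added example (not from the deck) of why the unified ACL needs mixed-family ACEs: IPv6-only inside hosts reaching an IPv4-only server through NAT64/NAT46. Since 8.3 the ASA matches ACLs on real (untranslated) addresses, so the inside ACE names an IPv6 source and an IPv4 destination even though the client only ever sees an IPv6 address. Prefixes, object names and the server address are assumed.

```cisco
! Inside: 2001:db8:1::/64 (IPv6 only). Outside: 203.0.113.0/24, server 203.0.113.10.
!
! NAT46 for the server: inside hosts address it as 2001:db8:64::10.
object network V4-SERVER
 host 203.0.113.10
 nat (outside,inside) static 2001:db8:64::10
!
! NAT64 for the clients: IPv6 sources are PATed to the outside interface IPv4 address.
object network V6-CLIENTS
 subnet 2001:db8:1::/64
 nat (inside,outside) dynamic interface
!
! The inside ACL sees the packet after destination un-NAT, so the
! destination is the real IPv4 server, not 2001:db8:64::10.
access-list IN extended permit tcp 2001:db8:1::/64 host 203.0.113.10 eq 80
access-list IN extended deny ip any6 any4 log
access-list IN extended permit ip any6 any6
access-group IN in interface inside
!
! Client view:  curl http://[2001:db8:64::10]/
!   un-NAT  2001:db8:64::10 -> 203.0.113.10   (matches the first ACE)
!   source  2001:db8:1::x   -> 203.0.113.1:port (interface PAT)
! Verify: "show xlate", "show nat detail", "show access-list IN" hit counts.
```

Writing the ACE against the mapped 2001:db8:64::10 instead, as pre-8.3 habit suggests, never matches and the deny any6 any4 line silently drops the traffic.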
SUMMARY AND PARTING THOUGHTS
Summary and Parting Thoughts
Firewall deployment is not as simple as it used to be (to route or not to route?)
ASAv should be used where ASA1000V is present today
Virtualized firewalls (multi context mode) provide a nice option for segmented
networks (VRF Lite, MPLS, etc) and/or decentralized management
Firewall clustering offers advantages over the traditional A/S model, especially if
interested in inter-DC deployment
ASA L2 mode offers interesting opportunities for non-disruptive deployment
The ASA has robust IPv6 capabilities
Leverage Cisco Validated Designs (CVDs) as a best practice
Don't forget: Cisco Live sessions will be available
for viewing on-demand after the event at
CiscoLive.com/Online
Thank you
ADDITIONAL SLIDES
Failover Interfaces
Failover Control Link is vital to the health of a Failover pair
failover lan interface FOVER_CONTROL GigabitEthernet0/0
Active virtual MAC address is inherited from the physical interface of the primary
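Added example (not from the deck) building out the failover control link from the slide above into a complete Active/Standby pair, with the Active/Active variant from the High Availability section shown as comments. It is the primary unit's configuration; the control and stateful links share one dedicated interface, the failover key and standby addresses are assumed, and the outside interface is moved to Gi0/2 because Gi0/0 is the failover link here.

```cisco
! ---- Primary unit, Active/Standby ----
failover lan unit primary
failover lan interface FOVER_CONTROL GigabitEthernet0/0
failover link FOVER_CONTROL GigabitEthernet0/0
failover interface ip FOVER_CONTROL 10.254.0.1 255.255.255.252 standby 10.254.0.2
failover key FailoverSharedSecret
!
! Every monitored data interface needs a standby address: the active
! IP and MAC move between units, the standby IP stays with the standby.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 10.99.1.1 255.255.255.0 standby 10.99.1.2
!
! The active MAC defaults to the primary's burned-in address (slide above),
! so replacing the primary chassis changes the MAC the network has cached.
! Pin virtual MACs to avoid that.
failover mac address GigabitEthernet0/1 0000.0c9f.0101 0000.0c9f.0102
failover mac address GigabitEthernet0/2 0000.0c9f.0201 0000.0c9f.0202
!
failover
!
! ---- Secondary unit: only the role differs; everything else syncs ----
! failover lan unit secondary
! failover lan interface FOVER_CONTROL GigabitEthernet0/0
! failover interface ip FOVER_CONTROL 10.254.0.1 255.255.255.252 standby 10.254.0.2
! failover key FailoverSharedSecret
! failover
!
! ---- Active/Active: multiple-context mode, contexts join failover groups ----
! failover group 1
!  primary
!  preempt
! failover group 2
!  secondary
!  preempt
! context A
!  join-failover-group 1
! context B
!  join-failover-group 2
!
! Verify: "show failover" (state, last sync), "show failover history".
```

Keep the failover interface on a dedicated link or VLAN: it carries the configuration and connection state in the clear unless a key is set, and losing it causes both units to believe they are active.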
ASAv and VSG Compared
ASAv with 4 vCPU: throughput 1-2 Gbps stateful; max concurrent sessions 500,000
Virtual Security Gateway: throughput via vPath; max concurrent sessions 256,000
Diagram (Tenant 1, VM 1-4 in each of three zones): web client through a NAT pool; ASAv policy "allow only tcp/80 to Web zone"; ASAv policy "block any external web access to DB servers"