A

ERROR: % Invalid input detected at '^' marker. The caret points to the keyword type, starting at the y, where the syntax error begins.
Command History: The firewall keeps a history of the last 19 commands that were issued in each interactive session. You can see the entire history list for your current session with the show history command. You can use the command history to recall a previous command that you want to use again. This can save you time in entering repetitive commands while...


[Figure residue: ASDM real-time graph, time axis and "View Real-time data every 10 sec" control; ticks not recoverable]
3. Finally, the firewall performance itself affects the stateful failover operation. As stateful messages are generated, they are put into 256-byte memory blocks and placed in a queue before being sent to the failover peer. If the firewall cannot generate and send the stateful messages as fast as they are needed, more memory blocks are used. Although the firewall can allocate more 256-byte blocks as needed,...

A-2 ICMP Message Types

Internet Control Message Protocol (ICMP) is used to transport error or control messages between routers and other devices. An ICMP message is encapsulated as the payload in an IP packet, as shown in Figure A-2. This information appears immediately following the IP header. Many of the ICMP message types also have a code number that can be used. The code field further specifies how the message type should be applied when it is received. Cisco firewalls cannot use the code field in access lists,...

A-3 IP Port Numbers

Transport layer protocols identify higher-layer traffic with 16-bit fields called port numbers. A connection between two devices uses a source port and a destination port, both contained in the protocol data unit. Figure A-3 shows the User Datagram Protocol (UDP) header format, with the source and destination port fields shaded. Figure A-4 shows the Transmission Control Protocol (TCP) header format, with the source and destination port fields shaded. Figure A-3. UDP Datagram Format Showing Port...

AAA Cut-Through Proxy Configuration Examples

In a sample network, user authentication is used on a firewall to require users on the inside to authenticate before initiating outbound connections. Users located on the 192.168.128.0/27 subnet should have all traffic except outbound DNS requests subject to authentication. The DNS traffic should be allowed without authentication so that users can resolve host names. Three TACACS+ servers are available on the inside network. These are tried in succession until a responsive server is found. User...

Access List Activity Logging

By default, logging message 106023 (default severity level 4, warnings) is generated when a deny access list entry is matched with a traffic flow. Only the overall ACL is listed in the message, with no reference to the actual denying ACL entry, as in the following example:
%ASA-4-106023: Deny tcp src outside:220.163.33.180/18909 dst inside:10.10.95.23/8039 by access-group "acl_outside"
You can log messages when specific access control entries (ACEs, or individual permit/deny statements within an...

Access List Examples

A firewall connects an inside network (192.168.17.0/24) to an outside network. Inside hosts include a DNS server, a mail server, and two other servers that support extranet services. Assume that the inside hosts have a NAT exemption to the outside, such that they maintain their same IP addresses. The outside hosts include two extranet servers on the 172.22.10.0/24 network. The following rules should be configured on the firewall, as shown by the actual configuration commands: ICMP traffic from...

Accounting of Local User Activity

With local user authentication and authorization, user accounting can be performed only through the logging function. You should make sure that the following Syslog message IDs are enabled to use them as an audit trail of user activity. The default severity levels are shown in parentheses:
611101 (6): Successful user authentication
611102 (6): Failed user authentication
502103 (5): User changed privilege levels
111008 (5): User executed the command text
111009 (7): User executed the command show text...

Active-Active Failover Requirements

In active-active failover, the two firewalls are assigned the customary primary and secondary roles. You can give the primary or secondary unit priority for becoming the active unit on a per-context basis. This applies to the admin and any user contexts. Because only two firewalls are permitted in a failover pair, there can be only two combinations of primary and secondary. Each of these combinations is called a failover group. Therefore, the contexts are assigned membership in one of the two...

Address Translation

Cisco firewalls provide security policies and traffic inspection using two basic principles:
Address translation: When a host on one firewall interface initiates a connection to a host on a different interface, the firewall must provide a way to translate the IP addresses across itself appropriately. Even if the IP addresses should appear identically on both sides of the firewall, a translation must still occur. One exception to this is when the same-security-traffic command is used to allow...

Appendix A: Well-Known Protocol and Port Numbers

This appendix presents tables of well-known TCP/IP information that can be used in firewall configuration. Only the protocol and port numbers that have corresponding Cisco firewall configuration keywords are shown. These tables should provide a quick reference when you need a keyword or when you need to decipher other information from a keyword given by the firewall. All well-known or assigned TCP/IP information is registered with the Internet Assigned Numbers Authority (IANA). For the most...

ASA

Firewall(config)# interface hardware-id
Firewall(config-if)# speed {auto | 10 | 100 | nonegotiate}
Firewall(config-if)# duplex {auto | full | half}
Firewall(config-if)# no shutdown
The interface is referenced by its hardware-id. For example, this could be gb-ethernet1 in PIX 6.3 or GigabitEthernet1 on an ASA. In PIX 6.3, the interface medium's speed and duplex mode are given by one of the following hardware-speed values: Gigabit Ethernet autonegotiation, advertising full duplex; Gigabit Ethernet full duplex with...

ASDM

The Adaptive Security Device Manager (ASDM) default view shows several useful throughput calculations. Figure 11-1 shows a sample ASDM display, where you can determine the following throughput measures: Current interface throughput, in kbps, is shown in the upper-right portion of the display. This is the aggregate or total of input and output rates. (You can select an interface to see the current input and output throughput values.) UDP and TCP connections per second, in the middle-right portion...

Authenticating Users Passing Through

You can use the following steps to configure AAA authentication for cut-through proxy users:
1. (Optional) List protocols that trigger authentication:
Firewall(config)# aaa authentication {include | exclude} service if_name local_ip local_mask foreign_ip foreign_mask server_tag
To trigger user authentication, use the include keyword and identify the triggering protocol as service. This usually is a protocol that can support native authentication, where a username and password exchange is possible....

Authenticating with Local Usernames

You can use the following configuration steps to define usernames locally on the firewall.
Firewall(config)# username username {nopassword | password password [encrypted]} [privilege level]
The user identified as username (a text string of up to 15 characters) can have a password configured with the password keyword. After password is entered, it is encrypted automatically so that the cleartext string is never displayed in the configuration. If this command is copied and pasted from one firewall to...

Authorizing User Activity with TACACS+ Servers

You can follow these steps to configure traffic authorization using AAA and TACACS+ servers:
1. List protocols that require authorization:
Firewall(config)# aaa authorization {include | exclude} service if_name local_ip local_mask foreign_ip foreign_mask server_tag
The protocol that must be authorized for a user is identified as service with the include keyword. The protocol can be telnet, ftp, http, any, or protocol/port (decimal IP protocol number and decimal port number). Connections using this...

Authorizing Users to Access Firewall Commands

Users are authorized to execute firewall commands based on a comparison of their current privilege level and each command's privilege level. If the user's level is greater than or equal to the command's level, the user is allowed to use the command. If not, an error is returned. By default, only a simple authorization test is used. Users at privilege level 1 can use only commands that are set at level 1. If a user can move to any level greater than 1, he or she can access any other command even...

Automatically Updating AIP Image and Signature Files

Manually updating files on one AIP can be somewhat tedious, but updating files on many AIP modules can get out of hand. You can make use of the Auto Update feature to configure one or more AIPs to leverage a more automatic process. An AIP can poll an FTP or SCP server at regular intervals to see if new files are available. If so, the AIP downloads the new files and begins using them. In ASDM, select the Configure tab and then IPS, followed by the Auto Update link in the scrolling list. You...

Automatically Upgrading a Failover Pair

As described in Chapter 4, "Firewall Management," Section 4-4, "Automatic Updates with an Auto Update Server," firewalls can be configured to automatically poll and download updated image files from an Auto Update Server (AUS). Normally, these are standalone firewalls, ones not operating as part of a failover pair. Beginning with ASA 8.0(1), you can configure a failover pair of firewalls to work with AUS so that they both receive an updated image automatically. The firewalls...

Begin Certificate

[certificate body omitted] The SSL software can run as a service so that it is always available to incoming tunnel requests. On a Windows platform, the software can also run as a regular application that you start manually. 2. Configure secure logging on the firewall. By default,...

C

CatalystA(config-slb-fw)# real 192.168.100.
CatalystA(config-slb-fw-real)# probe FW-C
CatalystA(config-slb-fw-real)# inservice
CatalystA(config-slb-fw-real)# exit
This section covers the configuration for the inside load-balancing device (Catalyst B). First, here are the commands to define VLANs and connectivity:
Switch(config)# hostname CatalystB
! Define the VLANs
CatalystB(config)# vlan 200
CatalystB(config-vlan)# name FW-inside
CatalystB(config-vlan)# vlan 400
CatalystB(config-vlan)# name Internal-Network
CatalystB(config-vlan)# ...

Firewall Overview

Refer to the following sections for information about these topics:
1-1 Overview of Firewall Operation: Discusses the mechanisms a Cisco firewall uses to inspect and control traffic passing through it. The firewall inspection engines and algorithms are responsible for enforcing any security policies configured into the firewall.
1-2 Inspection Engines for ICMP, UDP, and TCP: Describes how a firewall reacts to traffic of different IP protocols. The inspection mechanisms for the ICMP, UDP, and TCP...

Firewall Logging

Refer to the following sections for information about these topics:
10-1 Managing the Firewall Clock: Discusses ways to set and maintain the firewall's internal clock so that events and messages can have accurate time stamps.
10-2 Generating Logging Messages: Explains how firewalls generate logging messages and how you can configure them to do that.
10-3 Fine-Tuning Logging Message Generation: Covers the configuration steps that can be used to enable or disable specific logging messages or change...

Verifying Firewall Operation

Refer to the following sections for information about these topics:
11-1 Checking Firewall Vital Signs: Discusses methods you can use to diagnose a firewall's health. System resources, logging output, throughput, failover, interface operation, and packet queuing are all covered.
11-2 Watching Data Pass Through a Firewall: Covers ways that packets can be logged or captured as they pass through a firewall or through its interfaces.
11-3 Verifying Firewall Connectivity: Provides a set of basic...

ASA Modules

Refer to the following sections for information about these topics:
12-1 Initially Configuring an ASA SSM: Explains how to provide a bootstrap configuration so that a Security Services Module (SSM) can be used in an Adaptive Security Appliance (ASA) chassis.
12-2 Configuring the CSC SSM: Discusses the steps needed to configure and use a Content Security and Control (CSC) module for content inspection features.
12-3 Configuring the AIP SSM: Describes the steps needed to configure and use an Advanced...

Configuration Fundamentals

Refer to the following sections for information about these topics:
2-1 User Interface: Discusses the command-line interface (CLI) methods that an administrative user can use to connect to and interact with a firewall.
2-2 Firewall Features and Licenses: Covers the license activation keys that can be used to unlock firewall functions.
2-3 Initial Firewall Configuration: Presents a brief overview of the methods that can be used to start configuring a firewall.

Firewall Management

Refer to the following sections for information about these topics:
4-1 Using Security Contexts to Make Virtual Firewalls: Presents the configuration steps needed to make one physical firewall platform emulate multiple virtual firewalls.
4-2 Managing the Flash File System: Explains the types of images that are stored in nonvolatile firewall memory and how to work with them.
4-3 Managing Configuration Files: Presents the methods you can use to configure firewalls and manage their configuration...

Managing Firewall Users

Refer to the following sections for information about these topics:
5-1 Managing Generic Users: Covers how default generic or ambiguous users can be allowed to connect to a firewall and execute commands or make configuration changes.
5-2 Managing Users with a Local Database: Presents methods to configure unique usernames locally on the firewall. You can then manage these users' privileges and monitor their activity.
5-3 Defining AAA Servers for User Management: Discusses external servers that can...

Controlling Access Through the Firewall

Refer to the following sections for configuration information about these topics:
6-1 Routed and Transparent Firewall Modes: Discusses the two modes of firewall operation. Routed mode (the default) operates at Layer 3, while transparent mode operates at Layer 2. This section also covers the steps needed to configure transparent mode.
6-2 Address Translation: Presents the underlying Layer 3 address translation methods that occur during traffic inspection. This section covers the configuration steps...

Inspecting Traffic

Refer to the following sections for information about these topics:
7-1 Filtering Content: Covers third-party web content-filtering applications you can use to control outbound access through a firewall.
7-2 Defining Security Policies in a Modular Policy Framework: Explains the modular approach to configuring and enforcing security policies. Traffic can be matched with one type of policy module and acted on within another policy module. The whole hierarchy of policies is then applied to firewall...

Increasing Firewall Availability with Failover

Refer to the following sections for information about these topics:
8-1 Firewall Failover Overview: Provides a concise reference of information about how Cisco firewall failover works.
8-2 Configuring Firewall Failover: Covers the steps needed to configure and use firewalls as a failover pair.
8-3 Firewall Failover Configuration Examples: Presents several complete examples of different types of failover configurations.
8-4 Managing Firewall Failover: Explains the commands you can use to verify...

Checking Firewall Throughput

Many of the firewall statistics that you might display are based on incrementing counters or snapshot values. These give you an idea of the volume of activity over a long period of time, but not of the rate. For example, to gauge your firewall's throughput, you might want to see the number of bytes per second being forwarded on an interface or the number of TCP connections per second that are being inspected. A Cisco firewall keeps several running statistics that you can display. You also can...

Checking Inspection Engine and Service Policy Activity

In ASA and FWSM, application inspection is performed by independent inspection engines that are referenced in service policies. You can get information about the activity of the various inspection engines by displaying the active service policies. One service policy can be applied to a firewall interface to define the actions to take on matching traffic in the inbound and outbound directions. A default service policy also is configured by default and is applied to all firewall interfaces. Any...

Classifying Layers 3 and 4 Traffic

As traffic moves through the firewall, it can be identified or classified according to the matching conditions defined in a class map. You can configure multiple class maps to identify several different classes of traffic, if needed. Then a different policy can be applied to each traffic class. The following sections discuss how you can configure a class map for identifying a specific type of traffic according to parameters found in Layers 3 and 4, or the IP and UDP or TCP packet headers,...

Classifying Management Traffic

Beginning with ASA 8.0(1), you can define a special management class map type to match specific traffic that terminates on the firewall itself. For example, you might want to match against HTTP traffic so that you can limit the number of ASDM connections users can attempt to start. By classifying management traffic as a special case, you can configure specific policies to help prevent denial-of-service attacks on the firewall itself. Otherwise, once you enable the firewall's HTTP server to...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands entered manually by the user (such as a show command). Italics indicates arguments for which you supply actual values. Vertical bars separate...

Compiling Access Lists

Access lists are normally evaluated in sequential order, as they appear in the firewall configuration. As access lists grow in length, the amount of time needed to evaluate the ACEs in sequence can also grow. Fortunately, the ASA and FWSM platforms compile access lists into a more efficient Turbo ACL format. On a PIX platform, you can compile ACLs beginning with release 6.2. Once compiled, access lists can be evaluated in a deterministic fashion, without the need to work through each ACE in...

Configuration Files and Security Contexts

The firewall's flash memory file system is accessible only from the system execution space. This is because Flash is considered a controlled resource, available only to the physical firewall's administrators. If an individual user context is given over to be managed by a third party, it would not make sense to allow that third party to make changes to or allocate all of the firewall flash for his or her own use. Where, then, are the firewall image and configuration files stored for a user...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at...

Configuration Steps

Each feature that is covered in a section includes the required and optional commands used for common configuration. The difference is that the configuration steps are presented in an outline format. If you follow the outline, you can configure a complex feature or technology. If you find that you do not need a certain feature option, skip over that level in the outline. In some sections, you will also find that each step in a configuration outline presents the commands from multiple firewall...

Configuring a New Context

All contexts must be defined from a firewall's system execution space. Make sure you position your session in the system space with the following command before continuing The firewall also needs an admin context to be able to communicate beyond itself. The admin context is usually built automatically when the firewall is configured for multiple-context mode. As well, each time the firewall boots up, you should see console messages indicating that the admin context has been rebuilt. To see a...

Configuring AAA for End-User Cut-Through Proxy

A firewall can be configured to require users to authenticate before connections are permitted. As soon as an authentication is successful, it is cached and used to permit subsequent connections from the same user. The firewall functions as an authentication proxy, because cached authentication information is used in place of repeated authentication credentials entered by the user. Connections simply cut through the firewall in a very efficient fashion. Devices that initiate connections but...

Configuring AAA to Manage Administrative Users

You can use external AAA servers to manage users who connect to the firewall for administrative purposes. Usernames and passwords are created or deleted on one or more centralized AAA servers. The firewall can query the servers when users connect and need to be authenticated. Firewall command authorization can also be used when various users must be limited to specific privilege levels and sets of commands. A firewall can also generate user accounting information that is collected by the...

Configuring an Interface Priority Queue

In Cisco firewall releases before ASA 7.0, packets are inspected and forwarded in a best-effort fashion. Firewall interfaces have input and output queues or buffers that store inbound or outbound packets temporarily as they arrive at or leave an interface. Sometimes, packets cannot be processed quickly enough to keep up with the flow, so they are buffered until they can be serviced. A simple queue structure like this makes for simple interface operation. For example, consider the output queue....

Configuring Automatic Updates

The CSC SSM must be able to retrieve periodic updates from Trend Micro so that it can stay up to date with current spam, spyware, and virus definitions. You should configure the update parameters next. From ASDM, select Configuration and then the Trend Micro Content Security button. Log in to the CSC by entering the password at the prompt. In the list of configuration tasks, click on the Updates entry, which shows a summary of the scheduled updates, as shown in Figure 12-13. Figure 12-13....

Configuring CSC Inspection Policies

You can configure the CSC SSM to inspect any of the following types of interesting traffic:
Web: Specific URLs and known phishing sites can be blocked, access to websites can be restricted based on a category, file types can be blocked from downloading, and web page content and webmail content can be scanned for undesirable content.
Mail: Incoming and outgoing SMTP traffic, as well as inbound POP3 traffic, can be scanned for undesirable content. Both SMTP and POP3 can be scanned for spam content...

Configuring File Transfer (FTP) Inspection Policies

If you plan to have the CSC SSM inspect FTP traffic for suspicious or unwanted content, you should configure the inspection policies discussed in the following steps. 1. Configure inspection policies for file scanning. The CSC can scan files to detect undesirable content as the files are downloaded by FTP. This process and its configuration are very similar to HTTP scanning. To configure FTP file scanning, select the Target tab under the File Transfer (FTP) > Scanning link, as shown in Figure...

Configuring Firewall Failover

To configure failover on a pair of Cisco firewalls, you can use the configuration steps listed in this section. Before failover is configured and enabled, you need to enter the configuration commands on each firewall. After failover is enabled, all configuration commands should be entered only on the active firewall. This is because the active unit replicates the configuration commands to the standby unit automatically. The only exception is any command related to failover itself. For...

Configuring Mail (SMTP and POP3) Inspection Policies

If you plan to have the CSC SSM inspect e-mail traffic for suspicious or unwanted content, you should configure the inspection policies discussed in the sections that follow. The CSC can scan inbound traffic destined for SMTP servers, outbound traffic destined for SMTP servers, and inbound POP3 traffic destined for clients. Also, the CSC can filter the content of e-mail messages, based on the file type and content of attachments. You can also configure the CSC to scan for spam e-mail and take...

Configuring OSPF to Exchange Routing Information

OSPF is a link-state routing protocol. The routing domain is partitioned into areas. Area 0 is always considered the backbone area of the OSPF domain or autonomous system. When an OSPF router connects to two or more different areas, it is called an Area Border Router (ABR). When an OSPF router connects an area to a non-OSPF domain and it imports routing information from other sources into OSPF, it is called an Autonomous System Boundary Router (ASBR). OSPF routers build a common database of the...

Configuring PIM

Use the following steps to configure PIM multicast routing on a firewall running ASA 7.0 or later, or a FWSM running 3.1(1) or later. Keep in mind that you have to configure explicit access list rules to permit multicast host access through a firewall. All multicast traffic is subject to normal firewall inspection, with the exception of IGMP, PIM, OSPF, and RIPv2. You do not have to configure address translation for the multicast group addresses, however. The firewall automatically creates an...

Configuring Routing

A firewall is a Layer 3 device, even though it inspects packets at many layers. Packets are forwarded based on their Layer 3 destination IP addresses, so the firewall must know how to reach the various destination IP networks. (This is true unless a firewall is configured for transparent firewall mode, where it operates only on Layer 2 information.) A firewall knows about the subnets directly connected to each of its interfaces. These are shown as routes with a CONNECT (PIX 6.3) or directly...

Configuring Stub Multicast Routing (SMR)

A firewall can be configured to participate as a stub multicast router. In this case, it acts as a proxy between fully functional PIM routers and multicast participants. Only IGMP messages are relayed between firewall interfaces; PIM routing is not used. In fact, as soon as SMR is configured, any existing pim rp-address commands for multicast routing are automatically removed from the configuration. This is the only multicast function available in PIX release 6.3. It is optional in ASA releases...

Configuring the AIP SSM

The Advanced Inspection and Prevention (AIP) SSM was introduced with ASA release 7.0(1). The AIP is used as a single Intrusion Protection System (IPS) in conjunction with the ASA to provide robust intrusion inspection functions based on a set of signatures. Beginning with ASA release 8.0(1), and Cisco IPS 6.0 running on the AIP, you can configure more than one virtual sensor. The ASA can take advantage of the virtual sensors to inspect traffic on different interfaces, in different security...

Configuring the ASA to Divert Traffic to the CSC SSM

As you work through initially installing and configuring your CSC SSM, keep in mind that the ASA and CSC SSM are essentially two independent pieces of hardware. Even though the CSC lives in an SSM slot on the ASA chassis, the two communicate over an out-of-band connection only for basic setup and status information. Even though the CSC SSM is installed and the ASA sees it as an active module, the ASA does not send any traffic to the CSC until you configure it to do so. Any type of traffic...

Configuring the CSC SSM

The Content Security and Control (CSC) SSM was introduced with ASA release 7.1(1). The CSC is used in conjunction with the ASA to provide a variety of inspections and defenses based on traffic content. The CSC communicates with the ASA over an internal backplane connection. Figure 12-3 shows how traffic is passed between the ASA and CSC. The ASA diverts traffic classified by a class map to the CSC module over the internal connection. The CSC inspects the traffic in both the forward and return...

Connecting and Configuring the SSM Management Interface

As soon as the module is installed in the ASA chassis, you need to connect its management port to either of the following:
An unprotected VLAN, along with the ASA outside interface
An ASA demilitarized zone (DMZ) interface, by using a crossover cable or an external switch
The most straightforward way to bring up the management interface is to connect it to the outside or public side of the ASA, as shown in Figure 12-1. This allows the module to communicate with outside resources such as ASDM...

Connecting to the CSC Management Interface

After the CSC SSM has received its initial network configuration, you can connect to it through ASDM. When you select the Configuration tab and the Trend Micro Content Security button, ASDM announces that it is getting ready to connect to the CSC, as indicated by the window shown in Figure 12-12. Figure 12-12. Getting Ready to Connect to the CSC Management Interface By default, the last known IP address for the CSC management interface is used. In Figure lili, this address is 192.168.110.10,...

Content Filtering Examples

A corporation has two Websense servers located on the firewall's DMZ interface at 192.168.199.10 and 192.168.199.11. The firewall intercepts every HTTP request and relays them to the Websense servers. If neither server responds within the default 5-second period (for each server), the firewall allows the request. The only exceptions to this policy are with all hosts on the 192.168.4.0/24 subnet, which are allowed to request any URL with no Websense intervention. Inside host 192.168.7.33 is...

Controlling Access with Access Lists

On a Cisco firewall, you can use access lists to filter traffic coming into or out of a firewall interface. Access lists that are applied to interfaces become an integral part of the traffic inspection mechanism. Access lists can be defined using the familiar Cisco IOS Software ACL format. However, one important difference exists between the firewall and IOS ACL formats: Firewalls use real subnet masks (a 1-bit matches, a 0-bit ignores), while IOS platforms use a wildcard mask (a 0-bit matches,...

Controlling Traffic

A host on one firewall interface is allowed to create any type of connection to a host on a different firewall interface as long as an address translation can be made (if required) and any relevant interface access lists permit it. As soon as address translation methods have been configured between pairs of firewall interfaces, you must also configure and apply access lists to the appropriate interfaces. You can configure and use an access list to limit the types of traffic in a specific...

Copyright

Cisco ASA, PIX, and FWSM Firewall Handbook David Hucaby Copyright 2008 Cisco Systems, Inc. Cisco Press logo is a trademark of Cisco Systems, Inc. Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the...

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States please contact International Sales, international@pearsoned.com.

CSM Firewall Load Balancing Example

The network from the example in Section 9-2 is reused here so that you can get a feel for the difference between IOS FWLB and CSM configurations. To perform firewall load balancing, you need two load-balancing devices: one located externally with respect to the firewall farm, and one located internally with respect to the firewall farm. Figure 9-6 shows a network diagram for this example using CSMs as FWLB devices. Remember that in the case of CSMs, you have the flexibility to use two separate modules...

CSM FWLB Configuration

Because firewall load balancing with CSMs requires several different server farms and virtual servers, it is easy to forget what pieces need to be configured. Configure the inside and outside CSMs one at a time, and keep track of your progress in each by following the virtual servers and server farms that are shown in Figure 9-5. You need to repeat this configuration process for the inside and outside CSM. 1. Enter CSM server load-balancing mode: A Catalyst 6500 switch can support SLB...

CSS FWLB Configuration

You can use the following steps to configure FWLB on one CSS device. Remember that FWLB requires a load-balancing device on each side of the firewall farm. Be sure to repeat the entire configuration process for the outside and inside CSS FWLB platforms. 1. Configure each CSS physical interface. b. Configure trunking mode (one or multiple VLANs): To carry only one VLAN on the interface, use the bridge vlan vlan-id command. The interface is assigned to VLAN number vlan-id (1 to 4094; the default is...

CustomerB

To enhance the availability of the firewall contexts, a second firewall is added to form a failover pair. Active-active failover is used so that one firewall has the active role for some contexts and the other firewall is active for a different set of contexts. Figure 8-8 shows a basic diagram for this arrangement. The primary and secondary firewalls use LAN-based failover communication over their Ethernet0/0 interfaces. The firewalls send failover hello messages once every second and wait for...

Default Policy Definitions

An ASA running release 7.0(1) or later, or a FWSM running 3.1(1) or later, automatically configures a default class map and a default policy map. The default policy map is referenced by a service policy that is applied globally to all firewall interfaces. Figure 7-4 shows the default modular policies. Figure 7-4. Default Modular Policy Definitions The default class map is named inspection_default. It...

Defining a Layer 3/4 Policy

After Layer 3 or 4 traffic has been identified or classified, the firewall can take some action on it. You can define a policy map that contains one or more class maps, followed by an action for each. The entire policy map is then applied to one or all firewall interfaces, where the classifications and actions are carried out. You can follow these steps to configure a policy map and apply it to a firewall interface: Firewall(config)# policy-map policy_map_name. The policy map is named...

Defining AAA Servers for User Management

A firewall can interface with external user management servers to offload any authentication, authorization, or accounting (AAA) functions. This provides a very scalable solution, because all user identities, privileges, and activity logs can be centralized. You can use the following steps to configure AAA servers and server groups for all AAA-related firewall functions: 1. Define the AAA server group and protocol. ASA, FWSM: Firewall(config)# aaa-server server_tag protocol {tacacs+ | radius}. PIX 6.3...

Defining Access Directions

A firewall differentiates its interfaces by providing more security to some and less security to others. Therefore, it is important to understand how the interfaces relate to each other and how access is provided as traffic moves through a firewall. By default, all firewall interfaces must be assigned a unique security level value, causing some interfaces to have more security while others have less. Beginning with ASA 7.2(1) and FWSM 2.2(1), you can use the same-security-traffic permit...

Defining Security Policies in a Modular Policy Framework

Traditionally, Cisco firewalls have supported security policies that are applied to all traffic passing through them. Although that does offer a common level of security to all the protected networks and hosts, it does not offer a way to fine-tune or vary the policies according to differing requirements. Beginning with ASA 7.0(1) and FWSM 3.1(1), a Cisco firewall can be configured to provide security policies that are tailored for various traffic types, quality of service (QoS), or inspection...

Detecting a Firewall Failure

Each interface of one firewall must connect to the same network as the corresponding interface of the other firewall. Each firewall can then monitor every active interface of its failover peer. The active and standby firewalls determine a failure by sending hello messages to each other at regular intervals (every 15 seconds by default). These messages are sent over the failover cable (if present) or the LAN-based failover interface to detect failures of an entire firewall. The hellos are also...

DHCP Server Functions

A firewall can act as a DHCP server, assigning IP addresses dynamically to requesting clients. A firewall DHCP server returns its own interface address as the client's default gateway. The interface subnet mask is returned for the client to use as well. Cisco firewalls support up to 256 active clients at any one time. (The Cisco PIX 501 supports either 32, 128, or 256 clients, depending on the user license.) No provisions are available for configuring static address assignments. A firewall can...

Displaying Information About CSM FWLB

You can use the switch commands listed in Table 9-3 to display helpful information about a CSM FWLB configuration and its status.

Table 9-3. Commands to Display CSM FWLB Configuration and Status
Switch# show module csm slot serverfarms name serverfarm-name detail
Switch# show module csm slot vserver detail

Displaying Information About CSS FWLB

Table 9-4 lists the CSS commands that you can use to display helpful information about CSS FWLB configuration and status.

Table 9-4. Commands to Display CSS FWLB Configuration and Status
show flows source_address destination_address    Load-balancing connections to firewalls

Displaying Information About Failover

When you connect to a firewall remotely, it is not always apparent which unit is the active one. Because the active unit configuration is replicated to the standby unit, the command-line prompt (and the underlying host name) is identical on both units. This can make interacting with the correct firewall very difficult. After you connect to a firewall, use the show failover command to determine the state of that unit, as shown in the following example:
Firewall# show failover
Failover On
Cable...

Dly

The interface delay, measured in microseconds (10 usec in this case). The delay is one component in the metric calculation for routes in EIGRP. Duplex: The current mode can be full or half. If autonegotiation is configured, this appears as Auto-Duplex(Full-duplex). This is configured with the interface (PIX 6.3) or duplex (ASA) command. Speed: The autonegotiated speed is 1 Gbps. This is configured with the interface (PIX 6.3) or speed (ASA) command. The interface bandwidth or speed shown should match that of...

Dynamic Address Translation NAT or PAT

Dynamic address translation can be used to allow hosts with real addresses to share or hide behind one or more common mapped addresses. Address translation occurs on a many-to-one basis, in a dynamic fashion. This can be accomplished in two ways: Dynamic NAT: Inside host addresses are translated to values pulled from a pool of mapped addresses. Each inside address gets exclusive use of the mapped address it is assigned, for the duration of any active connections. As soon as all of a host's...
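The difference between the two dynamic methods is easiest to see in the translation (xlate) table itself. The following is an added example for this page (not the handbook's or the firewall's code): a toy xlate table that gives each real host exclusive use of one pool address under dynamic NAT, and a per-connection port on one shared address under PAT. The pool, host addresses and ports are constructed, and translation idle timeouts are not modeled.

```python
"""Added example: toy xlate tables for dynamic NAT and dynamic PAT.

Illustration code for this page, not the handbook's or the firewall's own
implementation.  Addresses and ports are constructed.  Simplifications:
a NAT mapped address is released as soon as the host's last connection
closes (no xlate idle timeout), and PAT ports are handed out sequentially
from 1024 (the firewall's own port selection is not modeled).
"""
from typing import Dict, List, Tuple


class PoolExhausted(Exception):
    """No free mapped address (NAT) or mapped port (PAT) is left."""


class DynamicNat:
    def __init__(self, pool: List[str]):
        self.free = list(pool)                 # mapped addresses still unassigned
        self.xlate: Dict[str, str] = {}        # real address -> mapped address
        self.active: Dict[str, int] = {}       # real address -> open connections

    def open_connection(self, real_ip: str) -> str:
        """Reuse the host's mapped address, or take a fresh one from the pool."""
        if real_ip not in self.xlate:
            if not self.free:
                raise PoolExhausted(real_ip)
            self.xlate[real_ip] = self.free.pop(0)   # exclusive use by real_ip
            self.active[real_ip] = 0
        self.active[real_ip] += 1
        return self.xlate[real_ip]

    def close_connection(self, real_ip: str) -> None:
        """When the host's last connection closes, its mapped address goes back."""
        self.active[real_ip] -= 1
        if self.active[real_ip] == 0:
            self.free.append(self.xlate.pop(real_ip))
            del self.active[real_ip]


class DynamicPat:
    def __init__(self, mapped_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.mapped_ip = mapped_ip
        self.next_port = first_port
        self.last_port = last_port
        # (real address, real port) -> (mapped address, mapped port)
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def open_connection(self, real_ip: str, real_port: int) -> Tuple[str, int]:
        """Every (host, port) pair gets its own port on the single mapped address."""
        key = (real_ip, real_port)
        if key not in self.xlate:
            if self.next_port > self.last_port:
                raise PoolExhausted(key)
            self.xlate[key] = (self.mapped_ip, self.next_port)
            self.next_port += 1
        return self.xlate[key]


def nat_assignments(pool: List[str], hosts: List[str]) -> Dict[str, str]:
    """Open one connection per host through dynamic NAT; report pool exhaustion."""
    nat = DynamicNat(pool)
    result: Dict[str, str] = {}
    for host in hosts:
        try:
            result[host] = nat.open_connection(host)
        except PoolExhausted:
            result[host] = "EXHAUSTED"
    return result


def pat_assignments(mapped_ip: str,
                    flows: List[Tuple[str, int]]) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Open each (host, port) flow through PAT on one shared mapped address."""
    pat = DynamicPat(mapped_ip)
    return {flow: pat.open_connection(*flow) for flow in flows}


if __name__ == "__main__":
    # Two-address pool, three inside hosts: the third host cannot be translated.
    print(nat_assignments(["209.165.200.10", "209.165.200.11"],
                          ["192.168.1.10", "192.168.1.11", "192.168.1.12"]))
    # The same three hosts all fit behind one PAT address.
    print(pat_assignments("209.165.200.20",
                          [("192.168.1.10", 40000), ("192.168.1.11", 40000),
                           ("192.168.1.12", 40000)]))
```

The NAT run is the case to plan for: a pool sized smaller than the number of simultaneously active inside hosts silently blocks the hosts that arrive last, which is why a dynamic NAT pool is usually backed by a PAT address for overflow.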

Enabling AAA Command Accounting

In PIX 6.3 or FWSM prior to 3.1(1), AAA command accounting can be performed only through the logging function. In that case, you should make sure the following Syslog message IDs are enabled to use them as an audit trail of user activity. The default severity levels are shown in parentheses:
611101 (6) Successful user authentication
611102 (6) Failed user authentication
502103 (5) User changed privilege levels
111008 (5) User executed the command text
111009 (7) User executed the command show...
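When the audit trail lives only in Syslog, two things need checking on the receiving side: that the collector actually isolates these message IDs, and that the logging level in use is high enough to carry all of them (111009 is emitted at level 7, so a trap level of 6 drops every show command). The following is an added example written for this page, not code from the handbook or from Cisco; it recognizes the generic %PLATFORM-SEVERITY-MSGID: prefix, and the sample log lines are constructed and may differ in wording from a real firewall.

```python
"""Added example: extracting the AAA audit trail from a firewall Syslog feed.

Illustration code for this page, not the handbook's or Cisco's.  SAMPLE_LOG
is constructed; only the %PLATFORM-SEV-MSGID: prefix is relied on, the user
name is pulled from the message text on a best-effort basis.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Message IDs the text lists, with their default severity levels.
AUDIT_IDS: Dict[str, Tuple[int, str]] = {
    "611101": (6, "successful user authentication"),
    "611102": (6, "failed user authentication"),
    "502103": (5, "user changed privilege level"),
    "111008": (5, "user executed a command"),
    "111009": (7, "user executed a show command"),
}

SYSLOG_RE = re.compile(
    r"%(?P<platform>ASA|PIX|FWSM)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")
# Two spellings seen in the constructed sample: "Uname: admin" and "User 'admin'".
USER_RE = re.compile(r"(?:Uname:\s*|User\s+')(?P<user>[^'\s]+)")


def parse_audit_line(line: str) -> Optional[dict]:
    """Return a record for a line carrying one of the audit message IDs, else None."""
    m = SYSLOG_RE.search(line)
    if not m or m.group("msgid") not in AUDIT_IDS:
        return None
    u = USER_RE.search(m.group("text"))
    return {
        "msgid": m.group("msgid"),
        "severity": int(m.group("sev")),
        "event": AUDIT_IDS[m.group("msgid")][1],
        "user": u.group("user") if u else None,
        "text": m.group("text"),
    }


def audit_trail(lines: Iterable[str]) -> List[dict]:
    """Keep only the audit-relevant records, in arrival order."""
    return [r for r in (parse_audit_line(line) for line in lines) if r]


def failed_logins_by_user(lines: Iterable[str]) -> Counter:
    """Count 611102 (failed authentication) per user name."""
    return Counter(r["user"] for r in audit_trail(lines) if r["msgid"] == "611102")


def minimum_trap_level(ids: Dict[str, Tuple[int, str]] = AUDIT_IDS) -> int:
    """Lowest logging level at which every audit message is still generated."""
    return max(sev for sev, _ in ids.values())


# Constructed sample feed (hostname, times and texts are hypothetical).
SAMPLE_LOG = [
    "Mar 10 09:15:01 fw1 %ASA-6-611101: User authentication succeeded: Uname: admin",
    "Mar 10 09:15:02 fw1 %ASA-5-502103: User priv level changed: Uname: admin From: 1 To: 15",
    "Mar 10 09:15:05 fw1 %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    "Mar 10 09:15:09 fw1 %ASA-7-111009: User 'admin' executed cmd:show running-config",
    "Mar 10 09:16:44 fw1 %ASA-6-611102: User authentication failed: Uname: root",
    "Mar 10 09:16:50 fw1 %ASA-6-611102: User authentication failed: Uname: root",
    "Mar 10 09:17:00 fw1 %ASA-6-302013: Built outbound TCP connection 1 for outside:...",
]

if __name__ == "__main__":
    for rec in audit_trail(SAMPLE_LOG):
        print(rec["msgid"], rec["user"], rec["event"])
    print(failed_logins_by_user(SAMPLE_LOG))   # Counter({'root': 2})
    print(minimum_trap_level())                # 7
```

The connection-build message (302013) is dropped by design: it is not part of the administrative audit trail and is exactly the kind of high-volume message the next section warns about.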

Enabling AAA User Authentication

Follow these steps to configure administrative user authentication with AAA servers: 1. Authenticate with a AAA server group: Firewall(config)# aaa authentication {serial | telnet | ssh | http} console server_tag. The AAA server group named server_tag is used to handle authentication requests. The server group must be configured as a separate step, as described in section 5-3, Defining AAA Servers for User Management. Each server defined in the group is tried in succession in case some are unreachable or unavailable....

End Certificate

INFO: Certificate has the following attributes:
Fingerprint: 4097e286 8f4425db 36ddae78 f750d6d8
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Certificate successfully imported
Firewall(config)#
Firewall(config)# ssl trust-point name [if_name]
So, the CA trustpoint named name is used as the trusted CA for the firewall's SSL connection. The trustpoint (secure Syslog server) can be found on the firewall interface named if_name. For example, if your secure Syslog server is...

Failover Communication

Firewall pairs can support several different types of failover, depending on how they are configured. Each type allows the firewalls to communicate with each other in a slightly different manner: Stateless failover: The state of UDP and TCP connections is not kept when the standby firewall becomes active. All active connections are dropped and must be reestablished. Stateful failover: The state of UDP and TCP connections, as well as address translations (xlates), H.323, Session Initiation Protocol...

Fine Tuning Logging Message Generation

After you have chosen and configured severity levels for logging destinations, you should make sure you are receiving only necessary messages. In other words, do not choose a severity level that can produce an abundance of messages that will be ignored. Always keep in mind that a Syslog server must receive and archive every message sent to it. Storage space is at a premium, especially when logs continuously grow over time. Here are rules of thumb to follow when choosing a severity level: If only...

Firewall DuHid I rw

[Figure residue: a malicious packet carrying a fake embedded 802.1Q tag ends up in VLAN 200.] The trunk link has been configured with VLAN 100 as its native VLAN. This might have been done as an oversight, with the assumption that no other switch or host would ever connect to VLAN 100 on the inside network. However, that native VLAN is used as the springboard to get inside the secure network. A malicious user on the outside (VLAN 100) sends a packet toward the inside. The packet is carefully crafted such that...
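The trick described here depends entirely on how a trunk handles its native VLAN: a frame that belongs to the native VLAN is sent untagged, so an outer tag equal to the native VLAN disappears on the way out and the second, embedded tag is all the next trunk sees. The following is an added example written for this page (not the handbook's code) that models one trunk hop at the byte level. The MAC addresses and payload are constructed, and switch behaviour is reduced to the two rules that matter: native-VLAN frames leave a trunk untagged, and a received frame is classified by its outer tag or, if untagged, by the native VLAN.

```python
"""Added example: a byte-level model of the 802.1Q double-tagging hop.

Illustration code for this page, not the handbook's.  MAC addresses and the
IPv4 payload are constructed.  The switch model is deliberately minimal:
frames in the trunk's native VLAN go out untagged (unless native-VLAN tagging
is enforced), and an arriving frame is placed in its outer tag's VLAN or, if
untagged, in the native VLAN.
"""
import struct
from typing import List, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def vlan_tag(vid: int, pcp: int = 0) -> bytes:
    """One 802.1Q tag: TPID 0x8100 followed by the TCI (PCP, DEI=0, 12-bit VID)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst_mac: bytes, src_mac: bytes, vids: List[int], payload: bytes) -> bytes:
    """Ethernet frame with stacked 802.1Q tags (outermost first) and an IPv4 payload."""
    tags = b"".join(vlan_tag(v) for v in vids)
    return dst_mac + src_mac + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def tag_stack(frame: bytes) -> List[int]:
    """VIDs of the tags stacked after the two MAC addresses, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def trunk_egress(frame: bytes, native_vid: int, tag_native: bool = False) -> bytes:
    """Switch sending the frame out a trunk.  A frame in the trunk's native VLAN
    leaves untagged (outer tag removed) unless native-VLAN tagging is enforced."""
    vids = tag_stack(frame)
    if vids and vids[0] == native_vid and not tag_native:
        return strip_outer_tag(frame)
    return frame


def trunk_ingress_vlan(frame: bytes, native_vid: int) -> int:
    """VLAN the receiving trunk port assigns to the frame."""
    vids = tag_stack(frame)
    return vids[0] if vids else native_vid


def double_tag_lands_in(outer_vid: int, inner_vid: int, native_vid: int,
                        tag_native: bool = False) -> Tuple[int, List[int]]:
    """Send a double-tagged frame across one trunk hop; report the VLAN it lands
    in and the tags the receiver still sees."""
    frame = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55",
                        [outer_vid, inner_vid], b"\x45" + b"\x00" * 19)
    on_wire = trunk_egress(frame, native_vid, tag_native)
    return trunk_ingress_vlan(on_wire, native_vid), tag_stack(on_wire)


if __name__ == "__main__":
    # Native VLAN 100, attacker on VLAN 100: the frame surfaces in VLAN 200.
    print(double_tag_lands_in(100, 200, native_vid=100))                   # (200, [200])
    # Native VLAN moved to an unused ID: the outer tag survives, frame stays in VLAN 100.
    print(double_tag_lands_in(100, 200, native_vid=999))                   # (100, [100, 200])
    # Native VLAN tagged on the trunk as well: same result.
    print(double_tag_lands_in(100, 200, native_vid=100, tag_native=True))  # (100, [100, 200])
```

The second and third runs are the two usual fixes, modeled rather than recommended by the handbook's text: move the native VLAN to an ID nothing else uses, or configure the trunk to tag the native VLAN so that no frame ever crosses it untagged. The hop is one-way by construction; replies from VLAN 200 have no reason to come back out through VLAN 100, which is why the technique is described as injection rather than a two-way channel.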

Firewall Failover Overview

When a single firewall is used in a network, the security it provides generally has the following attributes: Lower cost: Only one hardware platform and a software license are needed. Single point of failure: If the firewall hardware or software fails, no traffic can be forwarded from one side to the other. Performance is limited: The total throughput of the stateful inspection process is limited to the firewall's maximum performance. If one firewall is potentially a single point of failure, it is...

Firewall Failover Roles

A failover pair of firewalls can be located together if needed. A pair of Catalyst 6500 FWSMs can even be located in a single switch chassis. However, if the firewalls are geographically separated, they are less vulnerable to power or network outages or other disasters. Cisco firewalls can be separated and still function as a failover pair. Two FWSMs can also be split across a pair of switches. The active unit performs all the firewall functions, whereas the standby only waits for the active...

Firewall Features and Licenses

When a Cisco firewall runs an image of the operating system, it must have the proper license activation keys to unlock the required features. To see a list of features and their current availability on a firewall, you can use the following EXEC command: Firewall# show version. Example 2-1 shows some sample output from a PIX Firewall. The show version command displays the current version of the firewall operating system (6.3(4) in this case), the firewall's elapsed uptime, and some information about the hardware. You...

Firewall Load Balancing Appliance

A Cisco CSS acts as a multilayer switch and performs FWLB as well as many other types of content processing. A CSS interface can carry a single VLAN or a trunk with multiple VLANs. A CSS unit must be placed on each side of a firewall farm so that connections are load-balanced to the firewalls in each direction. Firewalls are defined individually rather than as a distinct firewall farm. The CSS performs a route lookup on each inbound connection to determine the possible firewalls that can be...

Firewall Load Balancing in Hardware

FWLB is used to balance traffic flows to one or more firewall farms. A firewall farm is a group of firewalls that are connected in parallel or that have their inside (protected) and outside (unprotected) interfaces connected to common network segments. FWLB requires a load-balancing device to be connected to each side of the firewall farm. A firewall farm with inside and outside interfaces would then require two load-balancing devices each making sure that traffic flows are directed toward the...

Firewall Load Balancing in Software

Firewall Load Balancing (FWLB) is used to balance traffic flows to one or more firewall farms. A firewall farm is a group of firewalls that are connected in parallel or that have their inside (protected) and outside (unprotected) interfaces connected to common network segments. FWLB requires a load-balancing device to be connected to each side of the firewall farm. A firewall farm with inside and outside interfaces would then require two load-balancing devices each making sure that traffic...

Firewall Topology Considerations

The basic principle behind using a firewall is to isolate the inside (secure) network from the outside (unsecure) network. Only through careful inspection and tightly controlled security policies are packets allowed to pass through a firewall. Ideally, a firewall should be located between physically separate, isolated networking equipment. For example, if a firewall is used in a switched environment, its inside and outside interfaces should connect to two different switches: the inside interface...

Forwarding Multicast Traffic

IP multicast traffic must be forwarded from one network interface to another, just like any other Layer 3 packets are handled. The difference is in knowing where to forward the packets. For example, unicast IP packets have only one destination interface on a router or firewall (even if multiple paths exist). Multicast IP packets, however, can have many destination interfaces, depending on where the recipients are located. Cisco firewalls running PIX 6.2 or 6.3 have a limited multicast...

FWSM

FWSM: Firewall(config)# aaa-server server_tag (if_name) host server_ip
PIX 6.3: Firewall(config)# aaa-server server_tag (if_name) host server_ip
The server located on the firewall interface named (if_name) (be sure to include the parentheses) at IP address server_ip is added to the server_tag group. If you do not specify the interface, the outside interface is assumed. The firewall can use the string key (a text string of up to 127 characters without spaces) for all exchanges with the server....

Guidelines for Multiple Context Configuration

You can configure and use several different types of contexts on a physical firewall or security appliance: The system execution space: Although this is not a true context itself, it is the foundation for all other contexts. The admin context: A fully functional virtual firewall that can be used to administer the physical firewall platform. One or more arbitrarily named user contexts: Each context operates as an independent virtual firewall. Each has a specific role within the firewall platform,...

Handling Connections Through an Address Translation

Once an address translation is set up across two firewall interfaces, hosts have the potential to open connections through the firewall. Hopefully, hosts that are permitted to traverse the firewall will be on their good behavior and attempt to open only the legitimate connections they need. But if one connection can be initiated, multitudes more might follow, especially if some malicious intent is involved. Fortunately, Cisco firewalls have the capability to enforce connection limits on hosts...

Hardware and Performance

Cisco offers firewall functionality in a variety of hardware platforms, many of which are network appliances, where the firewall is contained in a standalone chassis. These include the Cisco PIX Security Appliance and Cisco Adaptive Security Appliance (ASA) platforms. The FWSM is a blade or module that can be used in a Catalyst 6500 switch chassis. This moves the firewall presence into an infrastructure switch itself rather than an external appliance. Cisco also offers a firewall function as...

Hon

The CSC performs URL filtering based on a time schedule. All time is divided into work time and leisure time (not work time). Therefore, you should configure the CSC to have the correct concept of work time. Select the Schedule tab under Web (HTTP) > URL Filtering > Settings, as shown in Figure 12-21. By default, work time is defined as Monday through Friday, from 08:00 until 12:00, and then from 13:00 until 17:00. To change this, select the checkboxes for any days that contain work time....

How Failover Works

Firewall failover is currently available on the ASA platforms, PIX 515E, 525, and 535 models, and on the Catalyst 6500 FWSM. Failover can be configured only if the firewall licensing enables it. For active-standby failover, one firewall must have an unrestricted license, and the other has an unrestricted or failover-only license. The FWSM has active-standby failover enabled by default. For active-active failover, both firewalls must have an unrestricted license. This is because both can...

How This Book Is Organized

This book is meant to be used as a tool in your day-to-day tasks as a network or security administrator, engineer, consultant, or student. I have attempted to provide a thorough explanation of many of the more complex firewall features. When you better understand how a firewall works, you will find it much easier to configure and troubleshoot. This book is divided into chapters that present quick facts, configuration steps, and explanations of configuration options for each Cisco firewall...