Cisco ASA Firewall Command Line Technical Guide
Streamlined and simple to use

Author: Eng. Motasem Hamdan
Category: Network Security
Academy: Cisco Networking Academy
Abstract

This guide is intended to streamline the commands most used by network security engineers when managing a Cisco ASA firewall. It covers the basic, common commands used to manage, administer and secure the ASA and to provide connectivity to the devices connected to it. This guide is neither comprehensive nor a reference document for Cisco ASA commands; the main reference for command line syntax is cited at the end of this document. This paper is handy for network security engineers who manage the most common aspects of the Cisco ASA from the command line, while other operations such as virtual firewalls and VPN remote access can be done seamlessly using ASDM. This guide assumes you have the knowledge required for CCNA, CCNA Security and CCNP, and could be handy if you are already enrolled in the CCNP Security pathway.
Basic IP Connectivity and Routing Protocols

Configuring a trunk link and sub-interfaces between the ASA and a switch

On the outside physical interface of switch1:
interface f0/10
 switchport mode trunk
 no shutdown

On the inside interface of the ASA firewall:
interface f0/3
 switchport mode trunk
 switchport trunk allowed vlan 20,10
 no shutdown
interface f0/3.1
 vlan 20   [or use the encapsulation command]
 no shutdown
interface f0/3.2
 vlan 10   [or use the encapsulation command]
 no shutdown

Note: the command that creates a trunk link between two networking devices is used once between a router and a switch, but must be used twice between a firewall and a switch, on each of the opposite interfaces.
Configure an ASA interface
interface eth0/0
 nameif outside   [or inside]
 ip address ip-address [subnet-mask]
 speed [auto | 10 | 100 | 1000]
 duplex [auto | full | half]
 ip address dhcp [setroute]
 security-level [level: 0-100]
When configuring interfaces with the same security level, a command must be explicitly configured to allow traffic between them:
same-security-traffic permit inter-interface
Configuring and changing the MTU size of an interface to carry larger packets
mtu if_name bytes
Enabling jumbo frame processing. This applies only to the ASA 5580:
jumbo-frame reservation
Verifying the status of an interface
show interface if_name
Verifying the status of all interfaces
show interface ip brief
The ASA does not forward DHCP requests by default, so it needs to be configured as a DHCP relay agent:
dhcprelay server ip-address interface
dhcprelay enable interface
Note that in the first command the referenced interface is the one connected to the DHCP server or gateway, while the interface in the second command is the one facing the clients.
Enabling the DHCP server on the ASA to assign IP addresses to clients
dhcpd enable interface
dhcpd address ip1-ip2 interface   [address pool]

Delivering DNS addresses to the clients
dhcpd dns ip1 ip2

Delivering the domain name to the clients
dhcpd domain your-domain
Configuring default and static routes
route [inside | outside] [dest] [dest-subnet-mask] [next-hop-gateway]
route [inside | outside] 0.0.0.0 0.0.0.0 [next-hop-gateway]
Configuring RIPv2 to exchange routing information with other RIPv2 routers
access-list [acl-name] standard [permit | deny] [network-ip] [subnet-mask]
router rip
 version 2
 no auto-summary
 default-information originate   [to advertise static routes]
 network [IP of the network to be advertised]
 distribute-list [acl-name used above] [in | out] interface [inside | outside]
 exit
interface eth0/2
 rip authentication mode md5
 rip authentication key [your key] key_id [id]
Configuring EIGRP routing on the ASA
router eigrp [AS-number]
 network ip-addr [mask]
interface [interface]
 summary-address eigrp [AS-number] [ip-addr] [mask] [AD]

Redistributing routes learned through RIPv2, static routes or directly connected routes (under router eigrp)
 redistribute [rip | static | connected] [metric bandwidth delay reliability load mtu] [route-map map_name]

Defining the default metric used when redistributing different route types
 default-metric bandwidth delay reliability loading mtu

Securing EIGRP routes
interface interface
 authentication mode eigrp AS-number md5
 authentication key eigrp AS-number key-string key_id key_id

Filtering routing updates
access-list [acl-name] standard [permit | deny] [network-ip] [subnet-mask]
router eigrp [AS-number]
 distribute-list [acl-name used above] [in | out] interface [inside | outside]
Configure OSPF on the ASA
router ospf pid
 router-id ip_addr
 network ip_addr netmask area area_id
 area area_id authentication message-digest
interface interface
 ospf message-digest-key key_id md5 key
 ospf authentication message-digest
prefix-list list_name [permit | deny] network_ip ge min_bit le max_bit
router ospf pid
 area area_id filter-list prefix list_name [in | out]

Configuring the host name and domain name to form the FQDN of the ASA
hostname hostname
domain-name domain_name
Note 1: configuring the parameters above is optional in general, but it is compulsory before you can generate the key pair and certificates (CA) used for SSH, HTTPS and VPN connections.

Configuring the DNS client on the ASA
dns domain-lookup inside
dns server-group DefaultDNS
 name-server primary_dns_srv_ip
 name-server secondary_dns_srv_ip
debug dns all
Note 2: the DNS client must be enabled on an interface that can reach the DNS server on your network; if you do not have a separate DNS server, enable it on all interfaces and assign a public DNS server such as Google's.
Note 2.1: the last command of the DNS client configuration is used to troubleshoot DNS issues.
Management and Secure Access

Configuring secure SSH access for management purposes
crypto key generate rsa general-keys label 1st-key-pair modulus [size: 512 | 768 | 1024 | 2048]
ssh version 2
ssh ip_addr subnet_mask interface
ssh disconnect session_id
Note 3: the IP address in the ssh ip_addr command is the network address of the hosts allowed to open SSH sessions (or a single host used to manage the ASA through SSH); the interface is the one on which these sessions are accepted.
Note 3.1: the last command terminates a designated SSH session.
Creating local users for management access
username admin password password [encrypted] privilege 15
Note 4: the privilege configured for each user is in the range 0-15, with 0 the lowest privilege and 15 the highest.

Configuring the maximum number of login attempts to the CLI or ASDM
aaa local authentication attempts max-fail 3
Recovering a lost or forgotten password to regain access to the ASA
Reboot the ASA.
Press the "ESC" key when prompted to use "Break"; you should now be in ROMMON mode.
Type: "confreg 0x41"
Type: "boot"
This makes the ASA bypass the startup configuration file and brings you to user mode.
Type: "enable" to enter privileged mode and press Enter.
You are then free to configure a new password.
Reset the configuration register by typing: "config-register 0x1"
Note 5: the commands above can only be entered over a connection made through the serial console.
Note 5.1: you can disable password recovery by typing: "no service password-recovery"
Configuring and enabling logging on the ASA
logging enable
logging ftp-bufferwrap
logging ftp-server ftp_srv_ip dest_directory ftp_username ftp_pass
logging timestamp
Note 6: the second and third commands send the syslog and debugging messages held in the internal buffer memory to an FTP server when the buffer wraps.

Troubleshooting the event log and logging issues
show logging queue
logging queue 7000
show logging
Note 7: the allowed values for the logging queue size are in the range 0-8192.
Configuring and enabling the HTTP server on the ASA
http server enable
http ip-addr subnet-mask [outside | inside]
Configuring storage disks and image booting
dir disk0:
boot system disk0:/img_name
configure factory-default
clear configure all
clear configure [keyword]
Note 8: in the first command "disk0" might be "disk1" or "flash".
Note 8.1: the second command instructs the ASA to boot from the specified image.
Note 8.2: the third command returns the ASA to its factory settings.
Note 8.3: the "keyword" in the last command can be any configuration area whose commands the administrator wants to remove.

Configuring redundant interfaces for failover connectivity
interface redundant 1
 member-interface eth0/0
 member-interface eth0/1
 no shutdown
NAT and PAT Procedures

Configuring dynamic NAT
nat (inside) 1 network_ip subnet_mask
global (outside) 1 pool_translated_ip netmask netmask
timeout xlate 1:00:00

A must-read note: dynamic NAT is a type of NAT where addresses from a pool of public IP addresses are assigned to local hosts every time they initiate an outbound connection to the outside world. For hosts in the DMZ, connections back from outside clients will not succeed, because the public address is assigned dynamically.

Note 1: the first command specifies the inside interface; every local host in the given network behind it is subject to dynamic NAT. The NAT ID (1 here) ties the nat and global commands together.
Note 1.1: the second command specifies the outside interface on which the translation takes place, along with the pool of selected public IP addresses and their netmask.
Note 1.2: the third command specifies how long a translation entry is kept for a local host before a new public IP address assignment occurs.
Configuring dynamic PAT
nat (DMZ) 2 dmz_network_ip subnet_mask tcp 0 0 udp 0
nat (inside) 2 inside_network_ip subnet_mask tcp 0 0 udp 0
global (outside) 2 interface
global (DMZ) 2 global_ip_addr netmask 255.255.255.255

A must-read note: dynamic PAT is a type of address translation where a group of local hosts, either on the DMZ or the client hosts, are translated to a single IP address or a limited pool of IP addresses, along with the port used in each session initiated to the outside world.

Note 2: the first command specifies the DMZ interface to be subject to PAT, along with the IP addresses that exist in that network.
Note 2.1: the second command specifies the inside interface, with the IP addresses of its local hosts to be subject to PAT along with their ports.
Note 2.2: the third command specifies the outside interface on which PAT occurs, using the interface's own address.
Note 2.3: the fourth command specifies the global IP address that will be used for the DMZ hosts in order to initiate connections to the internet and receive the replies.
Note 2.4: in the fourth command a pool of IP addresses can be specified instead, in which case the subnet mask must be changed accordingly.

Verifying dynamic PAT and NAT
show xlate
Note 3: this command shows the table that holds the translation entries.
Configure host static NAT
static (DMZ,outside) public_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0
A must-read note: host static NAT is a type of translation where a single local host IP address is translated into a single public IP address.
Note 4: the command above translates a local host on the DMZ into a public IP address; the interface pair is written as (real interface, mapped interface).

Configure network static NAT
static (DMZ,outside) public_ip network_ip_local_hosts netmask netmask tcp 0 0 udp 0
A must-read note: in network static NAT, a group of local hosts, either on the DMZ or the client hosts, is subject to translation into one single public IP address; this type is ideal for client hosts that do not need to receive connections back from the internet.
Note 5: the command above uses the network IP of the local hosts instead of the single host IP used in Note 4.

Configure static PAT
static (DMZ,outside) tcp public_ip translated_port server_private_ip original_port netmask 255.255.255.255 tcp 0 0 udp 0
A must-read note: static PAT is a type of address translation where a single local IP address or a group of them, most commonly in the DMZ, is translated into one single public IP address along with the port numbers; this is the ideal type for servers that must receive connections from clients.
Note 6: the command above specifies a public IP, the translated port (the port outside clients connect to in order to reach the server) and the original port the server listens on.
Configure no-translation (NAT exemption)
nat (inside) 0 network_ip subnet_mask tcp 0 0 udp 0
A must-read note: NAT exemption states that no translation takes place for the local hosts; this type is used for connections within the internal space only.
Note 7: the command above (NAT ID 0) specifies that a network of local host IP addresses will not be subject to any kind of translation.

Configure identity static NAT
static (inside,DMZ) local_host_ip local_host_ip netmask 255.255.255.255 tcp 0 0 udp 0
A must-read note: this type of NAT is the most preferred for connections between the DMZ and the client hosts and vice versa. It uses the same IP as the translated IP address.
Note 8: the command above can be specified for the inside or the DMZ interface on the ASA; the host IP address remains the same after translation.
Access Control Lists

Examining real-time connections by looking in the connection table
show conn
show conn detail
clear conn address ip_addr

Note 1: the connection table displays information and details about the connections initiated by hosts in the internal network with the outside world.
Note 1.2: every session established from an internal host to a public host is recorded in the connection table, so the return traffic of the same session does not need to be permitted by an ACL in order to reach the internal host.
Note 1.3: the third command clears all connections initiated by the specified IP address.
Configuring real-scenario access lists for a small network

Allowing internal clients or hosts to communicate with and browse the internet
access-list INSIDE line 1 extended permit tcp src_ip subnet_mask any eq http
access-list INSIDE line 2 extended permit tcp src_ip subnet_mask any eq smtp
access-list INSIDE line 3 extended permit tcp src_ip subnet_mask any eq ftp
access-list INSIDE line 4 extended permit tcp src_ip subnet_mask any eq sftp

Allowing incoming connections to the web server on the DMZ
access-list OUTSIDE line 1 extended permit tcp any host web_srv_addr eq http

Allowing incoming connections to the SMTP, FTP and SFTP servers in the "in" and "out" directions
access-list OUTSIDE line 2 extended permit tcp any host smtp_srv_ip eq smtp
access-list OUTSIDE line 3 extended permit tcp any host ftp_srv_ip eq ftp
access-list OUTSIDE line 4 extended permit tcp any host sftp_srv_ip eq sftp
access-list DMZ line 1 extended permit tcp host smtp_srv_ip any eq smtp
access-list DMZ line 2 extended permit tcp host ftp_srv_ip any eq ftp
access-list DMZ line 3 extended permit tcp host tftp_srv_ip any eq tftp
access-list DMZ line 4 extended permit tcp host http_srv_ip any eq http

Logging denied packets with an explicit deny entry at the end of the access list
access-list OUTSIDE line 5 remark explicit deny all, to change the log message to 106100
access-list OUTSIDE line 6 extended deny ip any any log 4 interval 300

Allowing packets between interfaces with the same security level
same-security-traffic permit inter-interface

Applying the access lists to the related interfaces
access-group INSIDE in interface inside
access-group OUTSIDE in interface outside
access-group DMZ in interface DMZ

Note 2: the last two commands of the OUTSIDE list log the denied packets with message 106100 so that they appear on the syslog server. The deny entry must be the last entry: "line N" inserts the entry at position N and pushes later entries down, so a deny ip any any placed above the permit entries would make them unreachable.
Note 2.1: any access list entry above can be disabled by appending the word "inactive" to the end of the command.
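To make the three behaviours of this section concrete (first-match evaluation of numbered entries, the implicit deny at the end of every list, and the connection table admitting return traffic without an entry of its own), here is an added Python model of the ASA's evaluation. It is example code written for this guide, not the ASA's implementation; the `Asa` class, `parse_ace` function, addresses and sample entries are all constructed for the example.

```python
"""Model of ASA access-list evaluation for entries written like the INSIDE/OUTSIDE lists.

Added example, not from the original guide. It reproduces first-match evaluation of
numbered entries, the implicit deny at the end of every list, and the connection table
that lets return traffic of an established session through without an entry of its own.
All addresses and entries below are constructed for the example.
"""
import ipaddress
import re
from collections import namedtuple

PORTS = {"http": 80, "smtp": 25, "ftp": 21, "sftp": 115, "ssh": 22}  # ASA port keywords used here
ACE_RE = re.compile(r"access-list (?P<acl>\S+) line (?P<line>\d+) extended "
                    r"(?P<action>permit|deny) (?P<proto>tcp|udp|ip) (?P<rest>.+)$")
Ace = namedtuple("Ace", "line action proto src dst dport log")   # dport None = any port


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(text):
    """Parse one 'access-list NAME line N extended ...' command into (NAME, Ace)."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised entry: {text}")
    tokens = m["rest"].split()
    src, tokens = _take_addr(tokens)
    dst, tokens = _take_addr(tokens)
    dport = None
    if tokens[:1] == ["eq"]:
        dport = PORTS.get(tokens[1]) or int(tokens[1])
        tokens = tokens[2:]
    return m["acl"], Ace(int(m["line"]), m["action"], m["proto"], src, dst, dport, "log" in tokens)


class Asa:
    def __init__(self):
        self.acls = {}            # list name -> entries in evaluation order
        self.access_groups = {}   # interface -> list applied inbound on it
        self.conn_table = set()   # (proto, src, sport, dst, dport) of permitted flows
        self.log = []

    def configure(self, commands):
        for cmd in commands:
            if cmd.startswith("access-group"):
                _, name, _direction, _, ifc = cmd.split()
                self.access_groups[ifc] = name
            else:
                name, ace = parse_ace(cmd)
                # 'line N' places the entry at position N and pushes later entries down
                self.acls.setdefault(name, []).insert(ace.line - 1, ace)

    def _evaluate(self, name, proto, src, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.acls.get(name, []):
            if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst \
                    and (ace.dport is None or ace.dport == dport):
                if ace.log:   # the 'log' keyword produces the 106100 message
                    self.log.append(f"%ASA-4-106100: access-list {name} {ace.action} "
                                    f"{proto} {src} -> {dst}/{dport}")
                return ace.action
        return "deny"   # implicit deny at the end of every access list

    def packet(self, ifc, proto, src, sport, dst, dport):
        """Verdict for a packet arriving on ifc: 'permit', 'deny' or 'permit (connection table)'."""
        if (proto, dst, dport, src, sport) in self.conn_table:
            return "permit (connection table)"   # reply of a recorded session, no entry needed
        verdict = self._evaluate(self.access_groups.get(ifc), proto, src, dst, dport)
        if verdict == "permit":
            self.conn_table.add((proto, src, sport, dst, dport))
        return verdict


CONFIG = [  # constructed sample; 203.0.113.0/24 stands in for the DMZ public range
    "access-list INSIDE line 1 extended permit tcp 10.0.10.0 255.255.255.0 any eq http",
    "access-list OUTSIDE line 1 extended permit tcp any host 203.0.113.10 eq http",
    "access-list OUTSIDE line 2 extended permit tcp any host 203.0.113.11 eq ftp",
    "access-list OUTSIDE line 3 extended deny ip any any log 4 interval 300",
    "access-group INSIDE in interface inside",
    "access-group OUTSIDE in interface outside",
]


def demo():
    """Run a handful of constructed packets through the model; returns (verdicts, log)."""
    asa = Asa()
    asa.configure(CONFIG)
    web = "198.51.100.7"   # a public web server (constructed)
    verdicts = {
        "client_to_web": asa.packet("inside", "tcp", "10.0.10.5", 40000, web, 80),
        "web_reply": asa.packet("outside", "tcp", web, 80, "10.0.10.5", 40000),
        "client_to_ssh": asa.packet("inside", "tcp", "10.0.10.5", 40001, web, 22),
        "inbound_dmz_web": asa.packet("outside", "tcp", "198.51.100.9", 5555, "203.0.113.10", 80),
        "inbound_dmz_ssh": asa.packet("outside", "tcp", "198.51.100.9", 5556, "203.0.113.10", 22),
    }
    return verdicts, asa.log
```

The web server's reply is admitted by the connection table even though the OUTSIDE list has no entry for it, while the unsolicited SSH attempt at the DMZ host hits the explicit deny and produces the 106100 message.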
Configuring time-range access lists (attaching a time range to access list entries)

time-range temporary-FTP-access-workhours   [for employees]
 periodic weekdays 09:00 to 18:00
time-range ftp-hosting
 absolute start 00:00 1 May 2015 end 00:00 1 May 2016
Note 3: every access list entry that should be time-limited needs a time range appended to it, so a time range must first be named and populated with the related period.

Applying time ranges to existing access list entries
access-list OUTSIDE line 3 extended permit tcp any host ftp_srv_ip eq ftp time-range temporary-FTP-access-workhours
access-list INSIDE line 5 extended permit tcp src_ip subnet_mask host ftp_srv eq ftp time-range temporary-FTP-access-workhours
Note 4: the time range limiting access to the FTP server outside working hours was applied to the entries that permit connections to the FTP server from outside and from the internal clients, so that remote and local access is only given during working hours.

Verifying the access list configuration
show access-list OUTSIDE
show access-list INSIDE
show access-list DMZ
Configuring network object groups and service object groups for an enterprise access list implementation
name 10.0.10.0 Internal-clients
name 10.0.30.0 DMZ-servers
name 10.0.40.0 LA-Internal-clients
name 10.0.50.0 LA-DMZ-servers
object-group network US-Offices
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.30.0 255.255.255.0
 network-object 10.0.40.0 255.255.255.0
 network-object 10.0.50.0 255.255.255.0
object-group network internal-clients-offices
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.40.0 255.255.255.0
object-group network DMZ-offices
 network-object 10.0.30.0 255.255.255.0
 network-object 10.0.50.0 255.255.255.0
object-group service Allowed-services-ext-clients-DMZ tcp
 description external services allowed for inside clients and DMZ servers
 port-object eq ftp
 port-object eq stp
 port-object eq http
 port-object eq smtp
 port-object eq pop3
access-list INSIDE line 1 extended permit tcp object-group US-Offices any object-group Allowed-services-ext-clients-DMZ
access-list DMZ line 1 extended permit tcp object-group US-Offices any object-group Allowed-services-ext-clients-DMZ
access-list INSIDE line 2 extended permit tcp object-group internal-clients-offices object-group DMZ-offices eq ftp time-range temporary-FTP-access-workhours
access-list DMZ line 2 extended permit tcp object-group DMZ-offices object-group internal-clients-offices
access-list OUTSIDE line 1 extended permit tcp any object-group DMZ-offices object-group Allowed-services-ext-clients-DMZ
Note 6: the ACLs above provide full connectivity to the DMZ servers and the internal clients using object groups for networks and services.
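An object-group entry is expanded by the ASA into one entry per network/port combination (which is what "show access-list" displays), and the ASA rejects a network-object whose mask is not contiguous. The added Python below, written for this guide and not taken from the ASA, expands the US-Offices entry above and checks masks; the group contents mirror the definitions above (the guide's port name "stp" is left out because it is not an ASA port keyword).

```python
"""Expand an object-group based access-list entry into the individual entries the ASA
evaluates, and validate network-object masks before the configuration is pasted.

Added example, not from the original guide. Groups mirror the US-Offices and
Allowed-services-ext-clients-DMZ definitions above.
"""
import ipaddress
from itertools import product

PORTS = {"ftp": 21, "http": 80, "smtp": 25, "pop3": 110}   # ASA port keywords used here


def contiguous_mask(mask):
    """True only for a valid mask: the inverted mask must look like 0...01...1."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = (~bits) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def network_group(*members):
    """Build a network object-group from (ip, mask) pairs, refusing invalid masks
    the way the ASA would reject 'network-object 10.0.10.0 255.0.255.0'."""
    nets = []
    for ip, mask in members:
        if not contiguous_mask(mask):
            raise ValueError(f"network-object {ip} {mask}: non-contiguous mask")
        nets.append(ipaddress.ip_network(f"{ip}/{mask}"))
    return nets


def expand(action, proto, src_group, dst_group, service_group):
    """Cartesian product of source networks, destination networks and ports:
    one expanded entry per combination, in the order the groups list them."""
    return [(action, proto, str(s), str(d), PORTS[p])
            for s, d, p in product(src_group, dst_group, service_group)]


US_OFFICES = network_group(
    ("10.0.10.0", "255.255.255.0"), ("10.0.30.0", "255.255.255.0"),
    ("10.0.40.0", "255.255.255.0"), ("10.0.50.0", "255.255.255.0"),
)
ANY = [ipaddress.ip_network("0.0.0.0/0")]
ALLOWED_SERVICES = ["ftp", "http", "smtp", "pop3"]


def inside_line_1():
    """access-list INSIDE line 1 extended permit tcp object-group US-Offices any
    object-group Allowed-services-ext-clients-DMZ, expanded to 4 x 1 x 4 entries."""
    return expand("permit", "tcp", US_OFFICES, ANY, ALLOWED_SERVICES)
```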
Configure protection against spoofed IP packets towards the ASA
ip verify reverse-path interface outside
Note 7: the command above enables the unicast reverse path forwarding feature on the specified interface. For every incoming packet that does not belong to an existing connection in the connection table, the ASA extracts the source IP address and checks against its routing table whether that source is reachable through the interface the packet arrived on.
Note 7.1: do not enable this feature on the outside interface if a default route exists in your network architecture, to avoid the processing overhead.

Blocking packets from a specific IP address using the "shun" feature
shun malicious_ip_addr
Packet Inspection and Traffic Filtering

Defining a service policy, policy map and class map
class-map cmap1
 match ...
policy-map pmap1
 class cmap1
  [action]
service-policy pmap1 interface outside

Note 1: to inspect traffic passing through the ASA, a service policy that contains a policy map and a class map must be created.
Note 1.1: the policy map is responsible for taking an action when the specified traffic is matched by the class map. The actions a policy map can take range from setting connection timeouts, connection volumes, TCP parameters, HTTP parameters, FTP parameters, DNS parameters, ESMTP parameters and management traffic, to sending the matched traffic to inspection engines and intrusion prevention systems, providing priority handling and limiting bandwidth.
Note 1.2: the class map matches the traffic: all traffic, a defined set of traffic, traffic destined for a specific destination or port, traffic matching a specific access list, VPN traffic or QoS values.
Note 1.3: the table of class map match commands (Table 1 in the original layout, not reproduced in this text) lists all commands that can be specified in a class map to match OSI layer 3-4 traffic. Most of these match commands are used on the outside interface to inspect traffic coming into our network.

Table 2 - policy map action commands [table not reproduced]
Note 1.4: Table 2 lists all actions that can be taken when the criterion specified in the class map is matched.
Note 1.5: the last command above binds the policy map inside a service policy and applies it to the outside interface.

Table 3 - traffic direction by policy map action [table not reproduced]
Note 1.6: Table 3 lists the directions in which the actions of a policy map can be applied. For example, setting connection volumes and limits, adjusting TCP parameters and sending the traffic to an inspection engine or IPS can be applied on an interface in both directions, for traffic destined to the internet and for inbound traffic.
Note 1.7: applying quality of service, limiting bandwidth and shaping traffic can only be done in the egress direction, meaning for outbound traffic only.

Essential and important: the service policy that contains the policy map and class map can be applied to OSI layer 3-4 traffic or to OSI layer 5-7 traffic. The former is used to examine, analyze and inspect TCP and UDP traffic for connection parameters, connection volumes, connection timeouts, protocol inspection, traffic analysis by the IPS module and QoS purposes; the latter, layer 5-7 traffic, is used to examine and inspect application layer traffic destined for the DMZ servers.
Configuring TCP connection parameters to prevent TCP SYN attacks
This is done with a policy map and a class map that set connection timeouts for embryonic connections and limit the number of simultaneous connections by setting connection volumes.

Table 4 - TCP connection timeouts [table not reproduced]
Table 4 lists the parameters of the "set connection timeout" command, used when defining an action to be taken by the policy map.
set connection timeout [embryonic {hh:mm:ss | 0}] [half-closed {hh:mm:ss | 0}] [tcp {hh:mm:ss | 0} [dcd [retry_interval [max_retries]]]]

Table 5 - TCP connection volume [table not reproduced]
Table 5 lists the parameters of the "set connection" command used to control TCP connection volume.
set connection [conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n]

To prevent TCP SYN attacks the ASA must be given a maximum number of simultaneous embryonic connections, that is, connections which are half open or half closed. When the maximum is reached the ASA triggers the TCP Intercept feature: it acts as a proxy and performs the TCP handshake on the target host's behalf to determine whether the source communicating with the target host is legitimate, and drops the connection if it is not.

Assuming that the internal clients are in the object group "Internal-clients" (see the previous sheet about object groups) and the DMZ servers are in the object group "DMZ-Servers", let's apply a limit on embryonic connections for the traffic of these object groups.
access-list INSIDE line 1 extended permit tcp object-group Internal-clients any
access-list INSIDE line 2 extended permit udp object-group Internal-clients any
class-map cmap1
 match access-list INSIDE
policy-map pmap1
 class cmap1
  set connection embryonic-conn-max 65000
service-policy pmap1 interface inside

access-list DMZ line 1 extended permit tcp any object-group DMZ-Servers eq http
access-list DMZ line 2 extended permit tcp object-group DMZ-Servers any eq http
class-map cmap2
 match access-list DMZ
policy-map pmap2
 class cmap2
  set connection embryonic-conn-max 65000
service-policy pmap2 interface outside
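The added Python model below, written for this guide and not taken from the ASA, shows how the two limits above behave under a SYN flood: once the class-wide embryonic-conn-max is reached, new SYNs are no longer forwarded but answered by the firewall (TCP Intercept), so only a source that really completes the handshake ever reaches the server, while per-client-embryonic-max drops further half-open connections from one address outright. The `EmbryonicLimiter` class, verdict names and addresses are constructed for the example.

```python
"""Model of the 'set connection embryonic-conn-max' / 'per-client-embryonic-max' limits
and the TCP Intercept behaviour described above.

Added example, not from the original guide. Addresses are constructed. Verdicts:
'forward'   - the SYN is passed to the server as usual
'intercept' - the class limit is reached, so the ASA answers the SYN itself and only
              contacts the server once the client's final ACK proves the source is real
'drop'      - the per-client embryonic limit is reached
"""
from collections import Counter


class EmbryonicLimiter:
    def __init__(self, embryonic_conn_max=0, per_client_embryonic_max=0):
        self.conn_max = embryonic_conn_max          # 0 = unlimited, as on the ASA
        self.per_client_max = per_client_embryonic_max
        self.half_open = set()                       # (client, server) pairs awaiting the final ACK
        self.per_client = Counter()                  # half-open count per client address
        self.intercepted = set()                     # half-open pairs the ASA is proxying

    def syn(self, client, server):
        """Decide what happens to one SYN from client towards server."""
        key = (client, server)
        if self.per_client_max and self.per_client[client] >= self.per_client_max:
            return "drop"
        verdict = "forward"
        if self.conn_max and len(self.half_open) >= self.conn_max:
            self.intercepted.add(key)            # TCP Intercept: proxy the handshake
            verdict = "intercept"
        self.half_open.add(key)
        self.per_client[client] += 1
        return verdict

    def ack(self, client, server):
        """Final ACK of the handshake: the connection is no longer embryonic."""
        key = (client, server)
        if key not in self.half_open:
            return "no-state"
        self.half_open.discard(key)
        self.per_client[client] -= 1
        if key in self.intercepted:
            self.intercepted.discard(key)
            return "established (ASA now completes the handshake to the server)"
        return "established"


def flood_demo():
    """Spoofed SYNs at a DMZ web server under embryonic-conn-max 3 (constructed values)."""
    asa = EmbryonicLimiter(embryonic_conn_max=3)
    server = "10.0.30.5:80"
    spoofed = [asa.syn(f"198.51.100.{i}", server) for i in range(1, 6)]
    # a legitimate client arrives while the limit is exceeded: it is proxied, not refused,
    # and because it really answers, its handshake completes and frees its slot
    legit = asa.syn("10.0.10.7", server)
    done = asa.ack("10.0.10.7", server)
    return spoofed, legit, done, len(asa.half_open)


def per_client_demo():
    """per-client-embryonic-max 2: a third half-open connection from one client is dropped."""
    asa = EmbryonicLimiter(per_client_embryonic_max=2)
    return [asa.syn("203.0.113.9", f"10.0.30.5:{p}") for p in (80, 443, 25)]
```

The spoofed sources never answer, so their entries stay half open and are what the embryonic timeout of "set connection timeout embryonic" eventually clears.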
Configuring and enabling protection from TCP sequence number brute force
set connection random-sequence-number {enable | disable}

Configuring TCP connection options using the TCP normalizer
The TCP normalizer is used to manipulate TCP connection content such as the TCP checksum, TCP flags and TCP options. It changes or alters the content of TCP packets to make them compatible with protocol or connection requirements. In addition, it can be used to protect DMZ hosts against packets crafted to evade stateful inspection, such as information-gathering or reconnaissance packets.

Table 6 - TCP normalizer actions [table not reproduced]
Table 7 - TCP options [table not reproduced]

tcp-map TCP-Protect
 invalid-ack drop
 synack-data drop
 ttl-evasion-protection
 seq-past-window drop
 exit
class-map cmap1
 match access-list Internal-clients
 exit
class-map cmap2
 match access-list DMZ-Servers
 exit
policy-map pmap3
 class cmap1
  set connection advanced-options TCP-Protect
  exit
 class cmap2
  set connection advanced-options TCP-Protect
  exit
service-policy pmap3 interface outside

Note 4: the commands above match traffic inbound to the internal clients and the DMZ servers and check certain TCP parameters to protect the internal hosts from TCP SYN attacks, reconnaissance packets and SYN floods: limiting the number of embryonic connections, dropping invalid handshake packets and SYN/ACK packets that carry data, dropping packets with invalid acknowledgement numbers and dropping packets whose sequence number lies past the TCP window.
Configuring ICMP inspection
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
  exit
Note 5: ICMP inspection takes effect when an access list that permits incoming ping requests is enabled. ICMP inspection is used to allow only one response per ICMP request and to inspect ICMP packets for invalid sequence numbers.
Configuring Inspection for OSI Layer 5-7 Traffic

Inspecting HTTP
An HTTP inspection policy is implemented to examine and analyze traffic destined to protected servers or clients. Its core purpose is to reduce HTTP content to the minimal set of requirements and to look deeply into the application signature for known bad cues, mainly using regular expressions. A class map that matches specific conditions in the HTTP traffic should be defined along with a policy map that applies the appropriate action.

Table 7 - HTTP match commands [table not reproduced]

Let's say we want to configure an HTTP policy map that allows only GET and POLL requests to pass to the protected server.
class-map type inspect http match-all MY_HTTP_CLASS
 match not request method get
 match not request method poll
policy-map type inspect http http_map_name
 parameters
  protocol-violation action drop-connection log
 class MY_HTTP_CLASS
  drop-connection log
 exit

Now, to match against regular expressions, we use the commands in the following table.
Table 8 - regular expression match commands [table not reproduced]

For example, suppose we want to filter incoming HTTP traffic and drop requests that carry an embedded link in their arguments:
regex Embedded-link https?://
policy-map type inspect http HTTP_MAP_1
 match request args regex Embedded-link
  drop-connection
 exit
In the case of multiple regular expressions we can use a class map with match-any to apply an OR operation on the match commands, or match-all to apply an AND operation:
regex Embedded-link-1 https?://
regex Embedded-link-2 http?://
class-map type regex match-any embedded-link
 match regex Embedded-link-1
 match regex Embedded-link-2
Now apply the HTTP inspection map with the following command, which must be given inside a policy map (for example under the inspection class of the global policy):
policy-map global_policy
 class inspection_default
  inspect http http-map-name
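The added Python model below, written for this guide and not taken from the ASA, walks constructed requests through the policy just described: the GET/POLL method allow-list, the protocol-violation check, and the request-args regex match using the guide's two reg-exes under match-any versus match-all. The `HttpInspectMap` and `RegexClass` names and the sample requests are constructed for the example.

```python
"""Model of the HTTP inspection policy described above: the GET/POLL method allow-list
(MY_HTTP_CLASS), the protocol-violation check, and the 'match request args regex'
action, with match-any (OR) versus match-all (AND) semantics for a regex class map.

Added example, not from the original guide. Requests are constructed; the two regexes
are the guide's own Embedded-link-1 ('https?://') and Embedded-link-2 ('http?://').
"""
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


class RegexClass:
    """class-map type regex {match-any | match-all}: OR or AND over the member regexes."""

    def __init__(self, mode, patterns):
        if mode not in ("match-any", "match-all"):
            raise ValueError(mode)
        self.mode = mode
        self.patterns = [re.compile(p) for p in patterns]

    def matches(self, text):
        hits = [bool(p.search(text)) for p in self.patterns]
        return any(hits) if self.mode == "match-any" else all(hits)


class HttpInspectMap:
    def __init__(self, allowed_methods, args_class=None, violation_action="drop-connection"):
        self.allowed = {m.upper() for m in allowed_methods}  # MY_HTTP_CLASS: 'match not request method ...'
        self.args_class = args_class                       # 'match request args regex class ...'
        self.violation_action = violation_action           # parameters / protocol-violation action

    def inspect(self, raw_request):
        """Return the action the policy map takes on one request, plus the reason."""
        m = REQUEST_LINE.match(raw_request.split("\r\n", 1)[0])
        if not m:
            return {"action": self.violation_action, "reason": "protocol-violation"}
        method, uri = m.group(1), m.group(2)
        if method not in self.allowed:
            return {"action": "drop-connection", "reason": f"method {method} not allowed"}
        args = uri.partition("?")[2]   # everything after '?' is what 'request args' sees
        if self.args_class and args and self.args_class.matches(args):
            return {"action": "drop-connection", "reason": "embedded link in request args"}
        return {"action": "allow", "reason": "no match"}


EMBEDDED_LINK = ["https?://", "http?://"]   # regex Embedded-link-1, regex Embedded-link-2

SAMPLE = {  # constructed requests to a DMZ web server
    "plain": "GET /index.html?id=7 HTTP/1.1\r\nHost: dmz-web\r\n\r\n",
    "post": "POST /upload HTTP/1.1\r\nHost: dmz-web\r\n\r\n",
    "https_link": "GET /r?next=https://example.net/x HTTP/1.1\r\nHost: dmz-web\r\n\r\n",
    "broken": "GET\r\n\r\n",
}


def build_map(mode="match-any"):
    """The policy of this section: only GET and POLL, args checked against the regex class."""
    return HttpInspectMap(["get", "poll"], RegexClass(mode, EMBEDDED_LINK))


def run(mode="match-any"):
    """Action per sample request for a regex class in the given mode."""
    pm = build_map(mode)
    return {name: pm.inspect(req)["action"] for name, req in SAMPLE.items()}
```

With match-all the request carrying an https:// link is allowed through, because the guide's second regex, http?://, matches "htt://" or "http://" but never "https://", so an AND over both reg-exes cannot fire on it.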
Inspecting FTP
Inspecting FTP traffic includes masking the FTP banner, masking the system reply message, preventing "exe" files from being uploaded to the server unless the security policy states otherwise, and restricting request commands to GET and PUT.

Table 9 - FTP traffic match commands [table not reproduced]

policy-map type inspect ftp FTP_MAP_1
 parameters
  mask-banner
  mask-syst-reply
  exit
regex FTP_BADNAMES \.exe
policy-map type inspect ftp FTP_MAP_1
 match not request-command get put help
  reset
 match filename regex FTP_BADNAMES
  reset
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_MAP_1

The commands above create a policy map to inspect FTP. Banner information and system reply information are masked to prevent malicious users from using the FTP server information for vulnerability assessment. The policy also restricts requests to the server to GET and PUT (and HELP) and prevents EXE file names from being uploaded.
Inspecting DNS traffic
DNS inspection includes applying NAT rules to DNS packets, randomizing DNS ID values to protect against DNS spoofing attacks, DNS protocol verification, and DNS Guard, which closes the DNS UDP connection as soon as the reply packet has been received.

Table 10 - DNS inspection match commands [table not reproduced]

policy-map type inspect dns DNS_MAP_1
 parameters
  protocol-enforcement
  dns-guard
  id-randomization
  nat-rewrite
  exit
The ASA has a default DNS inspection policy map called "preset_dns_map", which limits the size of DNS packets to 512 bytes.
Quality of Service, Bandwidth Control, Transparent Firewall Mode and Integrating the SSM-IPS

Configuring the MTU size for more control of fragmented traffic
Suppose we want to configure the MTU size on the outside interface to control the packets coming into our network, so as to reduce the percentage of fragmented packets and enable more inspection of the traffic by our ASA. To do so we increase the MTU to its maximum size:
mtu outside 65535
Note that the smallest MTU value is 64 bytes. To verify fragmentation handling on an interface, we use the command
show fragment outside

Configuring QoS and prioritizing packets
Every packet that arrives at the ASA is first stored in the best-effort queue (BEQ), a buffer from which packets are retransmitted in turn. For critical packets such as audio or video streams we need to create a low-latency queue (LLQ), a buffer whose packets are transmitted ahead of the packets in the BEQ. We need to enable the LLQ on an interface and specify a policy map and class map to match the traffic.
priority-queue outside
class-map Qos
 match rtp 5060-65
policy-map RTP
 class Qos
  priority
  exit
service-policy RTP interface outside
Configuring traffic policing and traffic shaping
Controlling bandwidth limits is essential for QoS and for prioritizing some packets over others. Packets are controlled either by dropping those that exceed the bandwidth threshold (policing) or by re-shaping the flow so that it conforms to the bandwidth limit (shaping).

Traffic policing
Suppose we want to configure a policy map that matches all traffic and drops every packet exceeding 2 Mbps. To achieve this we need a policy map with a class map that matches all traffic, hence the following commands:
class-map Policing
 match any
 exit
policy-map mine
 class Policing
  police output 200000000 conform-action transmit exceed-action drop
  exit
 exit
service-policy mine interface outside

Traffic shaping
Traffic shaping places packets in a buffer and then releases them at a rate below the bandwidth threshold. This type of bandwidth control is applicable only to all traffic in bulk (the class-default class).
policy-map outside-policy
 class class-default
  shape average 200000000
  exit
 exit
service-policy outside-policy interface outside
Using Transparent Firewall Mode

Deploying transparent mode has challenges and restrictions, so this mode should not be applied until you have specified your network requirements and recognised the limitations imposed by this mode, which include:
IPsec protocol and VPN tunnels
Dynamic routing protocols
Broadcast and multicast packets
DHCP relay
QoS and bandwidth control

Before implementing transparent mode be sure to back up the current configuration in case you want to revert to routed mode. Use the following command to switch to transparent mode:
firewall transparent
Configure two interfaces, one as outside and the other as inside, with the same IP address shared by both:
interface eth0/0
 nameif outside
 security-level 0
 no shutdown
 exit
interface eth0/1
 nameif inside
 security-level 100
 no shutdown
 exit
ip address 192.168.1.100 255.255.255.0
Because this mode does not support dynamic routing, a static route or default route must be configured:
route [inside | outside] network-ip subnet-mask next-hop-ip

Permitting OSPF or EIGRP packets through transparent mode
access-list permit-ospf extended permit ospf [source] [dest]
access-group permit-ospf [in | out] interface [outside | inside]
Protection from ARP spoofing and ARP flooding attacks
Protection from ARP spoofing consists of creating static ARP entries in the firewall's table, stating each IP address and its associated MAC address, so that the firewall can compare incoming packets with the information in the ARP table and drop or pass them according to whether they match.
arp interface ip_address mac_address
arp-inspection interface enable
show arp-inspection
Now, to prevent MAC address denial of service, disable the MAC address learning feature in transparent mode; here the administrator must create the MAC address table manually, just like the ARP table above, and maintain it regularly.
mac-learn interface disable
mac-address-table static interface mac_address
Integrating the Security Services Module (SSM): intrusion prevention system and content security control
After inserting the card module in the specified slot, create a VLAN and load the IPS software onto the module with the following commands:
interface vlan 10
 allow-ssc-mgmt
 ip address ip_address subnet_mask
 nameif inside
interface eth0/10
 switchport access vlan 10
 no shutdown
hw-module module 1 recover configure
hw-module module 1 recover boot
hw-module module 1 password-reset   [resets the password to "cisco"]
hw-module module 1 reload
hw-module module 1 reset
hw-module module 1 shutdown   [shuts the module down]
Now comes the initialization, knowing that the IPS can work in inline mode [packets are dropped when they violate a rule or are determined to be malicious] or in promiscuous mode [packets are allowed to pass to the intended destination while a copy is sent for analysis]:
session 1
setup
policy-map IPS
 class class-default
  ips inline fail-open
service-policy IPS interface outside
Conclusion
Virtual firewalls and many other aspects and configurations related to the Cisco ASA were not mentioned here because they are easier to manage using ASDM; this guide documented the most common command line tasks on the Cisco ASA firewall.
References
Cisco CCNP Security Firewall Certification Guide (CCNP Certification Guide)