Cisco ASA Firewall Best Practices for Firewall Deployment
Published by: michoco911 on Sep 12, 2011
Copyright: Attribution Non-commercial

Cisco ASA Firewall Best Practices for Firewall Deployment - Check The Network

Cisco ASA Firewall and Security Appliance Configuration - Best Practices

http://www.checkthenetwork.com/networksecurity%20Cisco%20ASA%20Firewall%20Best%20Practi... 8/9/2011

Contents
  Interfaces – Types and Naming
  Interfaces – Security Level and inter / intra interface
  Connections to the ASA - L2 and L3
  Device Access – ACS Configuration
  Redundant Pair / Failover Setup
  Routing – Protocols and Static Routes
  Enable Traffic without NAT - nat-control versus no nat-control
  Bypassing Nat when nat-control is enabled
  Access-List versus Inspection Rules
  Enabling ICMP to Firewall Interfaces
  Enabling ICMP through the Firewall
  Traceroute and Enabling Cisco IOS traceroute
  Reverse Route Verification

General
The document provides a baseline security reference point for those who will install, deploy and maintain Cisco ASA firewalls. It is a firewall security best practices guideline. The document highlights best practice for firewall deployment in a secure network. It describes the hows and whys of the way things are done. Included within is a documented baseline configuration script. These are the commands and settings that will build a baseline configuration in a Cisco ASA firewall. These settings also implement the best practices described herein.

There will be many Cisco ASA firewalls deployed to support the network security architecture. The desire is to obtain a consistent, effective security architecture. Consistency is the key. Several areas and commands that affect the overall security architecture of the ASA series firewall are called out. Several of the commands are disabled by default. Several have undesired interactions that are often not noticed.

The present equipment standard for firewalls is the Cisco ASA line of firewalls. Cisco model comparison chart: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html. Throughout this document, references to firewall and a set of particular attributes will be relevant to the Cisco ASA series operating firmware code version ASA 7.2(4)9. The link to the configuration file is here: Link: Cisco ASA Firewall Best Practices Configuration for Firewall Deployment

Interfaces – Types and Naming
When defining names use all lowercase letters; do not use - (dash) but do use _ (under bar). The following interface naming conventions are accepted for use:
  inside – Refers to the side/port of the firewall where the network is considered trusted and protected, most often a locally owned and managed network.
  outside – Refers to the side/port of the firewall that is connected to the Internet or extranet. An extranet example allows limited, controlled access to remote users or a remote site, usually in a b2b (business to business) environment. An extranet firewall will normally be deployed in a two leg design and have no additional DMZ's defined.
  dmzXXX_organization_purpose – Refers to the resource where access is being controlled to / from. XXX is replaced with the VLAN number of the L2 network supporting the DMZ. In the case of a non-VLAN interface, xxx is replaced with the interface designator, i.e. dmzg02_our_applications. More examples: dmz986_partner1_access, dmzg03_b2b_access.
  management – Refers to the management port of the ASA.
  failover+stateful – Refers to the interface used in a failover pair of ASA's. The interface's name is set with the following command: failover lan interface failover+stateful Ethernet0/3

Interface configuration example, trunk on g0/2:
  interface GigabitEthernet0/2
   speed 1000
   duplex full
   no shutdown
  interface GigabitEthernet0/2.65
   vlan 65
   no shutdown
   description our applications production only
   nameif dmz65_our_applications
   security-level 55
   ip address 10.86.30.33 255.255.255.240 standby 10.86.30.34

Where ASA's will be deployed in multiple locations supporting ACTIVE/ACTIVE or DR, the VLAN assignments should be the same at each location if possible. This will simplify the security policy assignments.

Interfaces – Security Level and inter / intra interface
Higher numbers are treated as higher security: more trust, better protected. In the ASA, security levels are used to determine how many of the firewall functions are applied: NAT, access, filtering, inspection engines. By default, there is an implicit permit from a higher security interface to a lower security interface (outbound), without the need for access lists. We use access-list rules to supersede this behavior and provide more control. For security, we always want to use access lists. The security policies defined here will override some of the defaults to create a more secure environment. Reference: Cisco ASA Command security-level (7.2).

Normally, interfaces on the same security level cannot communicate without access-list entries. The command same-security-traffic permit inter-interface will allow communication between same security level interfaces; additionally, interfaces at the same security level are then not required to use NAT to communicate. This opens other considerations. An example case being a Vendor-DMZ firewall with 2 banks connected to our network on different DMZs, setting security 50 on both interfaces. If same-security-traffic permit inter-interface is enabled, bank A would see bank B without access-lists. Reference: Cisco ASA Command same-security-traffic (7.2).
We want this command (reference ASDM GUI location below):
  no same-security-traffic permit inter-interface
Disabled by default.

Enabling same-security-traffic permit intra-interface allows traffic entering an interface to exit the same interface, most useful for VPN and hairpinning. When the firewall has a large L2 VLAN attached, hosts are using the firewall interface as a default route, and further it has routes to networks via the same connected interface, the firewall can allow this traffic under other correct configuration conditions (NAT and ACL). This is much like a router forwarding a packet and sending ICMP redirects. We generally do not want this feature enabled. Best practice – Apply the keep it simple theory here. Unless this is a VPN device, do not bounce traffic off of the firewall. Best practice – Do not use the firewall for router functions; leave the hair-pinning to L3 devices. Best practice – Avoid a difficult configuration and allow firewall log entries to reflect true meaning with reference to intra-interface.
We want this command (reference ASDM GUI location below):
  no same-security-traffic permit intra-interface
Disabled by default.

Security levels to be applied:
  inside – Security 100, most trusted
  outside – Security 0, least trusted
  dmzXXX – Security 50, organization-purpose
  dmzXXX – Security 50, organization-purpose (No default communication between same security)
We make a design / security choice here:
  dmzXXX – Security 60, organization-purpose
  dmzXXX – Security 70, organization-purpose (communication possible between security levels)
Note we are using same security levels for DMZ's.

Connections to the ASA - L2 and L3
In consideration of the core network, the following connection practices are in use. HARD CODE speed and duplex.
  G0/0 – outside – L2 or L3 – No 802.1q
  G0/1 – inside – L3 connection on a /28 network – No 802.1q. Normally connected to a L3 buffer switch such as a Cisco 4948
  G0/2 – dmz – L2 or L3 – 802.1q for scalability
  G0/3 – failover+stateful – Direct cable, no crossover
  Management Interface 0/0 – Direct to management network only if it exists
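As an added example (not part of the original document), the following Python script checks a configuration excerpt against the naming and security-level conventions above: lowercase nameif values without dashes, dmz names that carry their VLAN number, inside at 100, outside at 0, and neither same-security-traffic option enabled. The sample configuration is constructed for the example.

```python
import re

# Constructed sample (not from the page): follows the conventions above except for
# a dash in one nameif and a dmz name that does not carry its VLAN number.
SAMPLE_CONFIG = """\
same-security-traffic permit inter-interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2.65
 vlan 65
 nameif dmz65_our_applications
 security-level 55
interface GigabitEthernet0/2.986
 vlan 986
 nameif dmz-partner1_access
 security-level 50
interface GigabitEthernet0/2.987
 vlan 987
 nameif dmz900_b2b_access
 security-level 50
"""

NAME_CHARSET = re.compile(r"^[a-z0-9_+]+$")               # lowercase, digits, _ ('+' for failover+stateful)
DMZ_NAME = re.compile(r"^dmz(g?\d+)_[a-z0-9]+_[a-z0-9_]+$")  # dmzXXX_organization_purpose


def parse_config(config):
    """Split an ASA config into top-level commands and per-interface attributes."""
    top_level, interfaces, current = set(), {}, None
    for raw in filter(str.strip, config.splitlines()):
        if not raw.startswith(" "):                 # top-level command
            if raw.startswith("interface "):
                current = {"vlan": None, "nameif": None, "level": None}
                interfaces[raw.split()[1]] = current
            else:
                current = None
                top_level.add(raw.strip())
        elif current is not None:                   # attribute inside an interface stanza
            key, _, value = raw.strip().partition(" ")
            if key == "vlan":
                current["vlan"] = int(value)
            elif key == "nameif":
                current["nameif"] = value
            elif key == "security-level":
                current["level"] = int(value)
    return top_level, interfaces


def audit(config):
    """Return (subject, code) findings for deviations from the conventions above."""
    top_level, interfaces = parse_config(config)
    findings = []
    # Both same-security-traffic options are off by default; their presence means enabled.
    for mode in ("inter", "intra"):
        if f"same-security-traffic permit {mode}-interface" in top_level:
            findings.append(("global", f"SAME_SEC_{mode.upper()}"))
    for intf in interfaces.values():
        name, level = intf["nameif"], intf["level"]
        if name is None:
            continue
        if not NAME_CHARSET.match(name):
            findings.append((name, "CHARSET"))
        elif name == "inside" and level != 100:
            findings.append((name, "LEVEL"))
        elif name == "outside" and level != 0:
            findings.append((name, "LEVEL"))
        elif name.startswith("dmz"):
            m = DMZ_NAME.match(name)
            if not m:
                findings.append((name, "DMZ_FORMAT"))
            elif intf["vlan"] is not None and m.group(1) != str(intf["vlan"]):
                findings.append((name, "DMZ_VLAN"))
            if level is None or not 0 < level < 100:    # a DMZ sits between outside and inside
                findings.append((name, "LEVEL"))
    return findings
```

Running audit(SAMPLE_CONFIG) reports the enabled inter-interface option, the dash in dmz-partner1_access and the VLAN mismatch on dmz900_b2b_access, and nothing for the compliant interfaces.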

L2 additional port settings on connecting switches:
  spanning-tree portfast
  spanning-tree bpduguard enable

If there is not a dedicated security management network in place, the Management interface is not in use. It requires a network assignment and address. The static routing required for the management network(s) could interfere with production traffic. Management of further devices past the acl ruleset could also be upset. The 7.2(4) code revision does not support a vrf environment. This port can presently support a truly isolated, non routed management network.

Device Access – ACS Configuration
Secure access to the ASA is implemented via commands in the default ASA configuration script. AAA is implemented via the ACS server. ACS and TACACS+ configuration details are described in an external document. We allow connections for SSH and HTTPS for the ASDM web interface. Telnet is not allowed, but several commands make reference to it by default.

Redundant Pair / Failover Setup
When building a redundant pair the host name will be the same for both units. Per standard DNS naming conventions, a host name may be odc-asa5520-b2b. One unit will be designated PRIMARY, or PRI for short, the other SECONDARY, or SEC for short. It is best to adjust the device external label or host name tag with the prefix PRI or SEC. The sticky label applied to the unit would be odc-asa5520-b2b-PRI or odc-asa5520-b2b-SEC. While the pair is in operation, either the primary or secondary may be the active device. Normally we connect to the active device during normal maintenance and testing. In the configuration file use the following statement: prompt priority state hostname. This prompt setting will result in the prompt displaying primary-secondary / active-standby status / hostname.

We have standardized the failover link on interface G0/3 - failover+stateful. Typically, this is direct cabled. You may find Cisco documentation that indicates connecting via L2 switches is preferred / mandatory. This was true in Pix 6.x days but is not required / recommended now. Some of the new ASA ...03 documentation is wrong. Since the assignment remains local to the device, network 1.1.1.0/30 has been chosen for ASA firewalls. Stateful failover will be used, but not to include http traffic. We are replicating over our failover interface and must consider bandwidth utilization. HTTP replication can generate a lot of traffic; http traffic is left out for performance reasons. http connections are very short lived and are quickly re-established if needed.

  ! Primary Unit
  ! We failover in 10 seconds
  failover
  failover lan unit primary
  failover lan interface failover+stateful Ethernet0/3
  failover link failover+stateful Ethernet0/3
  failover interface ip failover+stateful 1.1.1.1 255.255.255.252 standby 1.1.1.2
  failover key hex 123456789abcdef00fedcba987654321
  failover polltime unit 1 holdtime 10
  ! the below command specifies hello's sent every 2 seconds, hold time
  ! is 5x polltime
  failover polltime interface 2
  no failover replication http
  ! prompt redundant pair - primary secondary unit/active or stand/hostname
  prompt priority state hostname

  ! Secondary Unit
  ! We failover in 10 seconds
  failover
  failover lan unit secondary
  failover lan interface failover+stateful Ethernet0/3
  failover link failover+stateful Ethernet0/3
  failover interface ip failover+stateful 1.1.1.1 255.255.255.252 standby 1.1.1.2
  failover key hex 123456789abcdef00fedcba987654321
  failover polltime unit 1 holdtime 10
  ! the below command specifies hello's sent every 2 seconds, hold time
  ! is 5x polltime
  failover polltime interface 2 holdtime 10
  no failover replication http
  ! prompt redundant pair - secondary unit/active or stand/hostname
  prompt priority state hostname

Routing – Protocols and Static Routes
The Cisco ASA supports the OSPF routing protocol while being used in single context mode. The ASA must receive internal routes via OSPF. It will be a receive only neighbor, receiving internal routes. The ASA will not advertise its networks into OSPF directly. For added network engineering safety, consistency and security, the ASA's will join the OSPF routing domain at the inside firewall buffer switches. A single point of administration is then defined. Required ASA originated routes will be static routes at the inside firewall buffer switches. These routes will be filtered and redistributed into OSPF as appropriate using a route-map and ip prefix-lists. Note the NAME tag on this sample route entry at odc-4948-fwbuff-a/b:
  ip route 192.168.90.0 255.255.255.0 10.10.11.14 Name odc-asa5540-dmz995-our_app1
  ip prefix-list allowed-static-to-ospf permit 192.168.90.0/24

Best practice – Single point of route administration. A single point of administration allows for building the ASA firewall and injecting its required routes one time. If an additional network or service is added to the firewall later, we know how to handle and add the required route to the network and can do so in a controlled manner. Best practice in the environment is a one time setup, supporting improvements in static route maintenance.

Where a firewall supports Extranet access, careful consideration must be given before injecting those foreign network numbers into route tables. Source address routes from Extranets should not be routed through the entire network. The ASA should NAT the source addresses to predetermined pool addresses as policy requires. The pool addresses are routed internally as built during installation or added independently as required. If new networks or locations come onto the network and require service from ASA protected resources, the process for allowing access would simply be access-list modifications. Provision and route NAT pool(s) at turn-up time. Choose a NAT pool for growth if possible. Often we will sacrifice event logging granularity when we NAT many to one. We make a design / security choice here:
  NAT many to one and lose event logging granularity
  Use a Network pool and NAT one to one
Best practice – Avoid route table additions and maintenance by the use of source address NAT.

Enable Traffic without NAT - nat-control versus no nat-control
A feature in the ASA that can be chosen is No NAT-Control. By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you choose to perform NAT. NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule: for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address. Reference: Cisco ASA Command nat-control (7.2). In some situations it would appear that no nat-control is handy and is the way to go. There are several configuration interactions that will negate the no nat-control. For example, if you are operating with no nat-control and need to add a dynamic nat or pat, the no nat-control is negated and the data flows that used to work will no longer work until you add the appropriate NATs. We will default our configurations to enforcing nat-control.
We want this command (reference ASDM GUI location below):
  nat-control
Default: no nat-control.
Best practice – Start with nat-control and avoid the potential of breaking existing data flows by entering a NAT command.

Once you enable any sort of dynamic NAT / PAT, the 'no nat-control' rule no longer applies for that zone; now all traffic between this zone and any other zone either requires NAT rules or NAT exemption.
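For the single point of route administration described in the routing section above, this added Python check (not part of the document) reads a buffer-switch configuration and reports ASA-originated statics, identified by the odc-asa name tag, that the allowed-static-to-ospf prefix-list would not redistribute. The switch configuration lines are constructed for the example.

```python
import ipaddress

# Constructed buffer-switch excerpt (not the page's configuration): two ASA-originated
# statics carry the odc-asa name tag, but only one of them is in the prefix-list.
SAMPLE_BUFFER_SWITCH = """\
ip route 192.168.90.0 255.255.255.0 10.10.11.14 name odc-asa5540-dmz995-our_app1
ip route 192.168.91.0 255.255.255.0 10.10.11.14 name odc-asa5540-dmz996-partner_pool
ip route 172.16.5.0 255.255.255.0 10.10.11.1 name odc-core-transit
ip prefix-list allowed-static-to-ospf seq 5 permit 192.168.90.0/24
"""


def parse_static_routes(config):
    """Return (network, next_hop, name_tag) for each 'ip route' line."""
    routes = []
    for line in config.splitlines():
        t = line.lower().split()      # IOS keywords are case-insensitive (the page writes 'Name')
        if len(t) >= 5 and t[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            name = t[t.index("name") + 1] if "name" in t else None
            routes.append((net, t[4], name))
    return routes


def parse_prefix_list(config, list_name):
    """Return the networks permitted by the named prefix-list (exact-length entries only)."""
    permitted = []
    for line in config.splitlines():
        t = line.lower().split()
        if t[:3] == ["ip", "prefix-list", list_name] and "permit" in t:
            permitted.append(ipaddress.ip_network(t[t.index("permit") + 1]))
    return permitted


def asa_routes_missing_from_ospf(config, list_name="allowed-static-to-ospf", tag_prefix="odc-asa"):
    """Name tags of ASA-originated statics that the prefix-list will not redistribute."""
    permitted = parse_prefix_list(config, list_name)
    missing = []
    for net, _next_hop, name in parse_static_routes(config):
        # A prefix-list entry without ge/le matches only that exact prefix length.
        if name and name.startswith(tag_prefix) and net not in permitted:
            missing.append(name)
    return missing
```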

Bypassing Nat when nat-control is enabled
When our inside hosts communicate with our protected DMZ resources we will require a NAT statement because we are enforcing NAT control. In most cases, we will actually NAT to the source IP address with the static identity NAT command. This effectively looks like a no NAT.
  static (DMZxxx,inside) 1.2.3.0 1.2.3.0 netmask 255.255.255.0
Reference: Bypassing NAT when nat-control is enabled.
Throughout the firewall's configuration we will employ many of the available types of NAT as appropriate. A good discussion on Cisco's implementation of NAT in the ASA is found here: Cisco ASA NAT Implementation.

Access-List versus Inspection Rules
An access-list is a filter that will permit or deny traffic. The ASA provides application inspection services through its Modular Policy Framework. Many of the inspection engines are not enabled by default. They should be applied as required per system under a controlled environment. The HTTP inspection engine is disabled by default. Two of the basic checks of this engine ensure conformance to RFC 2616 and the use of RFC-defined methods only. Any HTTP flow not adhering to the basic checks is dropped by default. The problem is that many HTTP applications do not conform, even internal applications. We can change the action from drop to log. We would do this when we are ready to interrogate the contents of the log for purposes of learning about our applications and applying inspection as appropriate. We will enable HTTP inspection according to our needs with policy maps.

Best practice – Enable Inspection for ICMP
Two inspection engines that should be enabled during installation are ICMP and ICMP Error inspection. The ICMP inspection engine allows ICMP traffic to be inspected like TCP and UDP traffic. Without stateful inspection, ICMP can be used to attack your network. The ICMP inspection engine ensures that there is only one response for each request, and that the sequence number is correct. Without the ICMP inspection engine, we recommend that you do not allow ICMP through the security appliance in an ACL. While ICMP is required, its use should be better controlled and inspected per above. Best practice: TURN IT ON. Commands to enable ICMP inspection:
  policy-map global_policy
   class inspection_default
    inspect icmp
    inspect icmp error

Enabling ICMP to Firewall Interfaces
With reference to firewall interfaces and not flows through the firewall, ICMP is often found to be generously enabled. These settings are not made with access list entries; in ASDM see Configuration > Properties > Device Administration > ICMP Rules. On an outside interface, ICMP ping is usually disabled so the firewall is invisible to the casual user. We do need to allow ICMP unreachable messages. They support ICMP Path MTU discovery, which is needed for IPSec and PPTP operation. An acceptable configuration for outside ICMP would be:
  icmp permit 0.0.0.0 0.0.0.0 unreachable outside
  icmp deny 0.0.0.0 0.0.0.0 outside
ICMP configurations can be allowed as required on Inside and DMZ, but only for the accepted ICMP types:
  echo-reply (0), unreachable (3), echo (8), time-exceeded (11)
Example:
  ! For each named interface name -
  no icmp permit 0.0.0.0 0.0.0.0 dmzg02_our_applications
  icmp permit 0.0.0.0 0.0.0.0 echo-reply dmzg02_our_applications
  icmp permit 0.0.0.0 0.0.0.0 unreachable dmzg02_our_applications
  icmp permit 0.0.0.0 0.0.0.0 echo dmzg02_our_applications
  icmp permit 0.0.0.0 0.0.0.0 time-exceeded dmzg02_our_applications
  icmp deny 0.0.0.0 0.0.0.0 dmzg02_our_applications
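The per-interface ICMP rules above can be checked mechanically. The Python below is an added example, not the document's script; it assumes the document's convention that each interface list permits only typed entries from the accepted set, permits only unreachable on outside, and closes with an explicit deny-all. The rule lines are constructed for the example.

```python
# Constructed ICMP control-list excerpt (not from the page): the outside and dmzg02
# entries follow the example above; the other interfaces carry deliberate deviations.
SAMPLE_ICMP_RULES = """\
icmp permit 0.0.0.0 0.0.0.0 unreachable outside
icmp permit 0.0.0.0 0.0.0.0 echo outside
icmp deny 0.0.0.0 0.0.0.0 outside
icmp permit 0.0.0.0 0.0.0.0 echo-reply dmzg02_our_applications
icmp permit 0.0.0.0 0.0.0.0 unreachable dmzg02_our_applications
icmp permit 0.0.0.0 0.0.0.0 echo dmzg02_our_applications
icmp permit 0.0.0.0 0.0.0.0 time-exceeded dmzg02_our_applications
icmp deny 0.0.0.0 0.0.0.0 dmzg02_our_applications
icmp permit any dmz986_partner1_access
icmp permit host 10.86.30.40 redirect inside
icmp deny any inside
"""

ALLOWED_TYPES = {"echo-reply", "unreachable", "echo", "time-exceeded"}  # types 0, 3, 8, 11
OUTSIDE_TYPES = {"unreachable"}  # outside needs unreachable for Path MTU discovery only, no ping


def parse_icmp_rules(config):
    """Group 'icmp permit|deny <source> [type] <interface>' lines per interface, in order."""
    rules = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "icmp" or t[1] not in ("permit", "deny"):
            continue
        rest = t[2:]
        rest = rest[1:] if rest[0] == "any" else rest[2:]   # source is 'any', 'host A' or 'A MASK'
        icmp_type = rest[0] if len(rest) == 2 else None       # the ICMP type is optional
        rules.setdefault(rest[-1], []).append((t[1], icmp_type))
    return rules


def audit_icmp(config):
    """Return (interface, code) findings against the conventions above."""
    findings = []
    for iface, ruleset in parse_icmp_rules(config).items():
        for action, icmp_type in ruleset:
            if action != "permit":
                continue
            if icmp_type is None:                       # an untyped permit admits every ICMP type
                findings.append((iface, "UNTYPED_PERMIT"))
            elif icmp_type not in ALLOWED_TYPES:
                findings.append((iface, "TYPE_NOT_ALLOWED"))
            elif iface == "outside" and icmp_type not in OUTSIDE_TYPES:
                findings.append((iface, "OUTSIDE_TYPE"))
        if ruleset[-1] != ("deny", None):                   # list must close with an explicit deny-all
            findings.append((iface, "NO_TRAILING_DENY"))
    return findings
```

On the sample, audit_icmp flags echo on outside, the untyped permit and missing deny on dmz986_partner1_access, and the redirect type on inside, while the dmzg02_our_applications list passes.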

Enabling ICMP through the Firewall
Allowing ICMP flows through the firewall to protected hosts is often required and is implemented via the access lists. We find that it is usually enabled end to end for troubleshooting purposes. We will not allow all ICMP message types. Best practice for ICMP is to allow only the minimum required; however, there is a critical tradeoff with ease of troubleshooting. Eliminating ping is not normally a favorable option, but doing so does increase security. In the ASDM Configuration > Global Objects > Service Groups the allowed ICMP types should be defined as a service object group, and where ICMP is allowed in an access-list the service object group should be selected:
  object-group icmp-type svc_ICMP_types_allowed
   description Security - ICMP types allowed in this network
   icmp-object echo
   icmp-object echo-reply
   icmp-object time-exceeded
   icmp-object unreachable
At a minimum, we will see permit any any svc_ICMP_types_allowed.

Traceroute and Enabling Cisco IOS traceroute
By default you do not want most users to see traceroute through the network. This aids in keeping us invisible. Internet users will be denied traceroute to any. Although not a recommended best practice, it may be desirable to enable it to selected devices. Per this document, the ASA is configured to be invisible in a traceroute and to provide translation for inside hosts along the traceroute via the service-policy inspect icmp-error mechanism. Reference: Cisco Ping and Traceroute TechNote. Cisco devices use a UDP probe in their traceroute routine. Each time you begin a traceroute, IOS starts at UDP port 33434 by default. To allow a traceroute originated from a Cisco IOS device beyond a firewall, an access list entry is required. Example rule:
  access-list dmz432_access_in extended permit udp object-group srvr-svc_dmz432_network_devices any object-group svc_UDP_cisco_IOS_traceroute
The recommended UDP object group allows for 90 probes, the default 3 x 30 possible hops. Since these are UDP connections, by default they will have a two minute timeout.
  object-group service svc_UDP_cisco_IOS_traceroute udp
   description Cisco IOS uses a udp traceroute starting at 33434 - we will allow 90 probes (3x30) - default udp timeout=2minutes
   port-object range 33434 33524

Reverse Route Verification
ip verify reverse-path guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table. The best practice is to TURN IT ON. Exceptions will be made where connections are L3 only and it is known that the L3 device is already performing reverse-path verification and has an accurate route table and we are not the default route.
  ip verify reverse-path interface inside
  ip verify reverse-path interface management
  ip verify reverse-path interface outside

IP Audit
One of the main functions of a firewall is to protect the network from bad things. The ASA will perform basic intrusion protection even when the advanced IPS system is not installed in the system. Basic intrusion and protection must be configured and enabled. The best practice is to TURN IT ON. We create policies that are strict to start with. They will need to be tuned. The alarms will be reported via SYSLOG and should be interrogated on an ongoing basis. Note that on the outside interface we do not send a reset on attack.
  ip audit name thisnet_audit_outside_attack attack action alarm drop
  ip audit name thisnet_audit_outside_info info action alarm
  ip audit name thisnet_audit_inside_attack attack action alarm drop reset
  ip audit name thisnet_audit_inside_info info action alarm
  ip audit name thisnet_audit_dmz_attack attack action alarm drop reset
  ip audit name thisnet_audit_dmz_info info action alarm
  ip audit interface outside thisnet_audit_outside_info
  ip audit interface outside thisnet_audit_outside_attack
  ip audit interface inside thisnet_audit_inside_info
  ip audit interface inside thisnet_audit_inside_attack
  ! Set per configured dmz
  ip audit interface dmzXXXX thisnet_audit_dmz_info
  ip audit interface dmzXXXX thisnet_audit_dmz_attack
  ! The below commands disable a few inspections we are not worried about
  ip audit signature 1002 disable   ! Timestamp considered DOS but needed for RFC1323 support
  ip audit signature 2000 disable   ! ICMP echo reply
  ip audit signature 2001 disable   ! ICMP unreachable
  ip audit signature 2004 disable   ! ICMP echo request
  ip audit signature 2005 disable   ! ICMP time exceeded
  ip audit signature 6051 disable   ! DNS zone transfer - we are likely doing these and do not want to drop
Be sure to enable the rest of the inspection signatures per the ASA Defaults configuration script. They are disabled by default. The command looks kind of backward but DOES enable the signature identified:
  no ip audit signature 2008
(guess it means - no ip audit signature 2008 disable)

Copyright © 1996-2011 All rights reserved. Published by Productive Solutions Inc.
