Lab 8: Firewalls - ASA Firewall Device: 8.1 Details
8.1 Details
Aim: The aim of this lab is to investigate a Cisco ASA Firewall Device, its default traffic flows, its
stateful firewalling functionality, and the creation of a DMZ network and associated
firewall rulesets.
8.2 Activities
8.2.1 Create Virtual Topology
Connect to our vSphere virtual environment at vc2003.napier.ac.uk using a vSphere Client.
Navigate to the Module folder such as VMs & Templates>Production>CSN11111/8. You will be
assigned a group folder to work with which contains the 4 VMs needed for the lab (check Moodle for
the Groups and IP Addressing for each Group). Lab VMs: Windows7 VM running GNS3, a
Windows2003 VM and 2 Linux Ubuntu VMs running network services.
Power on your Windows7-GNS3 VM, open a console window, login to the Windows7-GNS3 VM, and
run the GNS3 network simulator AS ADMINISTRATOR
You can create a new project for Lab8, or a preconfigured starting project should be in the Projects
folder. If you wish to start with that just click Recent Projects button and select lab8_start, then
save as a project called lab8 or suchlike (save as, before you power on devices).
The topology, shown below, mimics an organisation with an ASA firewall at its perimeter. It is
connected to the untrusted Internet via the 10.1.Y.0/24 network. The ASA will be configured to
enforce the organisation's network security policy.
Starting Topology
You will be assigned networks to address the hosts and ASA gateway interfaces to – from Moodle:
192.168.X.0/24, 10.1.Y.0/24 and 192.168.Z.0/24
THE CORRECT NETWORKS MUST BE USED BY EACH STUDENT AS WE ARE SHARING VIRTUAL
NETWORKS. ANNOTATE YOUR DIAGRAM/TAKE NOTE OF THE ADDRESS RANGES FOR YOUR GRP.
PLEASE ONLY USE GROUP VMs AND NETWORK IP ADDRESSES ASSIGNED TO YOUR GROUP.
(For Windows versions up to and including Windows 7, BES can be used to limit the percentage CPU
usage for applications. It can be downloaded from http://mion.faireal.net/BES/)
The following document has a section on setting the Windows IP and default gateway:
www.dcs.napier.ac.uk/~cs342/CSN11111/GNSAddVM.pdf
The ASA uses a CLI similar to a router's, with the same command mode structure, starting in User
Exec Mode with the ciscoasa> prompt. Use ? to see the available commands for the current
command mode. Even fewer commands are available than on a router in this mode:
Change from User Exec Mode to Privileged Exec Mode. The password should not be set, so
just press <RETURN>. Use the show version command to check the device setup.
The Cisco PIX and ASA firewall devices are hardware devices built specifically for firewalling, unlike
the firewall software running on routers which we have encountered in previous labs. The device
being simulated in this lab is a PIX 525, a medium to large enterprise device, with up to eight 10/100
Fast Ethernet interfaces, or three Gigabit interfaces.
Questions
Q: Compared to a router, which extra attributes can be defined for each interface of the ASA?
By default, the ASA allows traffic to flow from a higher security level to a lower one, and between
levels with the same value, but blocks traffic flowing from a lower level to a higher one, as shown in
the figure below.
Figure: ASA security trust levels. Internal Network (inside): Level 100; DMZ, Public Facing Servers: Level 50; untrusted outside: Level 0.
Set up the inside interface, which is connected to the trusted internal network:
ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.X.254 255.255.255.0
ciscoasa(config-if)# mac-address 000p.pppp.qq0r
ciscoasa(config-if)# no shutdown
Annotate your diagram/notes with the security trust levels for each interface/connected network.
Questions
Network Security ASA Firewall – Rich Macfarlane 4
Q: Why did we only set the security level on the dmz interface, and not the inside or outside
interfaces?
Check the addressing has been set up correctly on the right interfaces, by viewing the running
configuration, and by using the show ip address command, as shown.
For detail on the interface status, use the show interface ip brief command:
For detail on the interfaces, use the show interface detail command, as shown below.
Save the firewall configuration using copy run start.
Switch on the ICMP debugging trace logging, using the following command:
ciscoasa(config)# debug icmp trace
From the two VMs, connectivity can be checked using ping from console windows.
Limit the ping packets to a max of 3 with -n3 / -c3, or use CTRL+C to stop the ping. DO NOT LEAVE
PINGS RUNNING AS WE ARE WORKING ON SHARED VIRTUAL NETWORKS!
Linux: ping -c3 dest_address    Windows: ping -n3 dest_address
The ICMP ping traffic and traceroute traffic on the ASA are handled differently to a router by default.
ICMP to an interface is replied to, but inbound ICMP through the ASA is blocked by default, as traffic
is not allowed to go from an interface with a lower security level to an interface with a higher level
(outside 0 to inside 100 is not allowed). Outbound ICMP is permitted (inside 100 to outside 0 is
allowed), but the reply is blocked by default.
Create an ACL rule. Note the command is access-list, not ip access-list as on a router, and the
syntax is slightly different: the ruleset name has to be entered for every rule.
ciscoasa(config)# access-list ICMP_REPLY extended permit icmp any any echo-reply
Apply the ACL to the outside interface. Note that the syntax is again slightly different from a router.
ciscoasa(config)# access-group ICMP_REPLY in interface outside
The show run command can be used with filters to show only the config lines of interest:
show run | include ICMP_REPLY
Questions
Q: What filter might be used to show all access list config lines?
There should be an Apache server running on the Linux VM. This is on the inside network (behind
the perimeter firewall).
From the Linux VM, check the local web server is running correctly, using the web browser:
From the Outside Windows VM, use a web browser to test if the PIX firewall allows the web traffic
through to the Inside network. (Use CTRL+F5 to refresh the web page from the server, and make sure
the page is not from the local cache).
From the Windows VM, check the local web server is running correctly, using the web browser:
Monitor Traffic
On Windows, run Wireshark and resize it to the width of the window. Start a capture on the
Ethernet interface, and then use a display filter to monitor only packets on the Outside network.
Try the nmap scan again, and you should see some traffic:
The ASA firewall device implements a closed firewall on the outside interface by default (based on
the security level settings).
From the WINDOWS VM, try scanning the firewall's inside interface.
The sessions/connections currently stored in the conn table can be viewed using:
ciscoasa(config)# show conn
Details on the states of connections can be viewed using show conn detail as shown below.
On the Linux VM, refresh the web page from the Outside Windows VM server.
Questions
Q: How many connections are in the PIX firewall's connection state table?
Q: What are the services, and their source and destination IP Addresses and Port Numbers?
Q: Compare this to how this type of stateful firewalling would be implemented on a Cisco Router.
Would similar functionality take more or less complex configuration on a router?
Wait for a period, and check the connections being stored again.
Questions
Q: How many connections are in the PIX firewall's connection state table?
Log out of the Telnet session from the Linux VM to the Windows Server, and check the connections
being stored again.
Questions
Q: How many connections are in the PIX firewall's connection state table?
When the connection is terminated, for example with a teardown handshake, the connection
information is removed from the firewall's connection state table. Timeouts are also used to remove
idle connections.
Questions
Q: What is the default time out (in minutes), for standard TCP connections?
In the new Linux DMZ Server, navigate to the /var/www directory. Use the ls command to list the
contents of the directory. Edit the index.html file using vi or a GUI-based editor such as gedit.
Change the text to indicate this is the DMZ Web Server:
Save the changes and exit the editor (:wq command in vi). Test the web server locally from the
Linux DMZ Server using the loopback IP address, as shown below.
Test the DMZ Web Server from the Inside network Linux VM
From the Linux VM on the inside network, use a web browser to connect to the Apache web server
running on the Linux VM DMZ Server (CTRL+F5 to refresh the cache).
The security levels should allow traffic moving from a higher security level to a lower one, and the
stateful firewall functionality allows the return traffic
The web page should be accessible from the inside network:
Q: Why?
The Internet system should not be able to connect, as the outside interface has a lower security trust
level than the DMZ.
Create an Ingress ACL rule. Earlier we added an ICMP_REPLY ACL to the outside interface, so first
remove that, and incorporate it into the new ACL.
Create the new INGRESS ACL. Allow only Web traffic to the single DMZ Web server.
ciscoasa(config)# access-list INGRESS extended permit tcp any host 192.168.Z.10 eq 80
Apply the new ruleset to the outside interface for Ingress traffic.
ciscoasa(config)# access-group INGRESS in interface outside
Figure: E0 - Trusted, Internal Network; E1 - Untrusted Network (Internet).
Use the show run access-list command to check the ruleset is configured correctly.
Use show run access-group and show run access-list to check the ruleset has been
applied correctly to the outside interface for ingress traffic (another way of filtering out parts of the
running config).
Use the show access-list command to check if the rules have been matched on yet (hitcnt=??).
Questions
Q: Can the Internet VM connect to the Linux Web Server on the DMZ now?
Q: Can you see the HTTP connection in the ASA state table (be quick before it times out)
Use the show access-list command to check that the ACL passed the web traffic.
The server should currently be available to the DMZ VM, as the higher trust level can initiate
connections and receive return traffic.
Questions
Q: Do we have connectivity?
Now try the same using the hping tool. Use hping -h | more to check the help for the format of the
command.
Send 3 ICMP packets, using -c 3 and -1 (ICMP):
Q: Can you see the packets arriving at the Outside server? (wireshark)
NOTE: Be VERY VERY careful when using tools such as hping, to only send a limited number of
packets, and do not use random source or destination addresses as this can cause unexpected
results.
Before applying the rule, check you can ping the Outside VM from the DMZ VM.
Apply the new ruleset to the dmz interface for Egress traffic.
ciscoasa(config)# access-group EGRESS in interface dmz
Use the show access-list command to check that the rules have not been matched yet (hitcnt).
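As an added illustration (not part of the lab handout or Cisco's own software), the following Python model replays the forwarding decisions met in this lab: the security-level default, an ACL applied with access-group replacing that default (so the EGRESS deny blocks DMZ-initiated traffic), and the conn table passing TCP return traffic. It assumes X=1, Y=2, Z=3 for the group addresses, and deliberately does not track ICMP, matching the echo-reply behaviour observed earlier; it is a simplification of the real ASA logic.

```python
from collections import namedtuple
Pkt = namedtuple("Pkt", "proto src sport dst dport")   # for icmp, dport carries the ICMP type

class Asa:
    def __init__(self, ifaces):            # ifaces: nameif -> (security-level, /24 prefix)
        self.levels = {n: lvl for n, (lvl, _) in ifaces.items()}
        self.routes = {pfx: n for n, (_, pfx) in ifaces.items()}
        self.acls, self.groups, self.conns = {}, {}, set()
    def access_list(self, name, action, proto, src, dst, dport=None):
        self.acls.setdefault(name, []).append((action, proto, src, dst, dport))
    def access_group(self, name, iface): self.groups[iface] = name   # access-group NAME in interface IFACE
    def _acl(self, name, p):               # first matching rule wins; implicit deny at the end
        for action, proto, src, dst, dport in self.acls[name]:
            if (proto in ("ip", p.proto) and src in ("any", p.src)
                    and dst in ("any", p.dst) and dport in (None, p.dport)):
                return action == "permit"
        return False
    def forward(self, p):
        """True if the ASA passes p; TCP replies match the conn table, ICMP is not tracked."""
        if p.proto == "tcp" and (p.dst, p.dport, p.src, p.sport) in self.conns:
            return True                                   # stateful return traffic
        in_if, out_if = (self.routes[ip.rsplit(".", 1)[0]] for ip in (p.src, p.dst))
        if in_if in self.groups:                          # an applied ACL replaces the level default
            ok = self._acl(self.groups[in_if], p)
        else:                                             # default: higher/equal level -> lower only
            ok = self.levels[in_if] >= self.levels[out_if]
        if ok and p.proto == "tcp":
            self.conns.add((p.src, p.sport, p.dst, p.dport))   # new "show conn" entry
        return ok

def lab_scenarios():
    """Replays the lab steps with constructed addresses (X=1, Y=2, Z=3 in the handout)."""
    asa = Asa({"outside": (0, "10.1.2"), "inside": (100, "192.168.1"), "dmz": (50, "192.168.3")})
    r = {}
    r["inside_to_outside_web"] = asa.forward(Pkt("tcp", "192.168.1.10", 40000, "10.1.2.10", 80))
    r["web_reply_returns"] = asa.forward(Pkt("tcp", "10.1.2.10", 80, "192.168.1.10", 40000))
    r["outside_to_inside_web"] = asa.forward(Pkt("tcp", "10.1.2.10", 40001, "192.168.1.10", 80))
    r["echo_reply_default"] = asa.forward(Pkt("icmp", "10.1.2.10", 0, "192.168.1.10", 0))
    asa.access_list("ICMP_REPLY", "permit", "icmp", "any", "any", 0)   # echo-reply is ICMP type 0
    asa.access_group("ICMP_REPLY", "outside")
    r["echo_reply_with_acl"] = asa.forward(Pkt("icmp", "10.1.2.10", 0, "192.168.1.10", 0))
    asa.access_list("INGRESS", "permit", "tcp", "any", "192.168.3.10", 80)
    asa.access_group("INGRESS", "outside")           # replaces ICMP_REPLY on the outside interface
    r["outside_to_dmz_web"] = asa.forward(Pkt("tcp", "10.1.2.10", 40002, "192.168.3.10", 80))
    r["outside_to_dmz_telnet"] = asa.forward(Pkt("tcp", "10.1.2.10", 40003, "192.168.3.10", 23))
    asa.access_list("EGRESS", "deny", "ip", "any", "any")
    asa.access_group("EGRESS", "dmz")
    r["dmz_initiated_blocked"] = asa.forward(Pkt("tcp", "192.168.3.10", 40004, "10.1.2.10", 80))
    r["dmz_web_reply_returns"] = asa.forward(Pkt("tcp", "192.168.3.10", 80, "10.1.2.10", 40002))
    return r
```

The last two results show why an EGRESS deny on the dmz interface stops the DMZ server opening new connections outward while its replies to the Internet client still pass: the reply matches the existing conn entry before any ACL is consulted.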
Questions
Q: Reflect on the type of threats which may be mitigated by blocking traffic originating on the DMZ
out to the Internet?
Test the DMZ Web Server from the Linux VM Outside the Firewall
From the Linux Internet VM, check the VM DMZ Server is still accessible (CTRL+F5 to refresh the
cache). Back to the question from before:
Questions
Q: Why is DMZ return traffic still being passed back to the Internet Linux VM, even though we have
blocked all traffic from the DMZ?
Questions
Q: Draw on the figure below where the ACL firewall rules should be applied, and in which direction.
Questions
Q: Could the Linux Web server, FTP server, and Telnet server be accessed?
Now create the ACL(s) and apply to interface(s). Test the services again.
Questions
Q: Are the Linux FTP server, and Telnet server being blocked?
Questions
Q: Draw on the figure below where the ACL firewall rules should be applied, and in which direction.
To test the ACL is only allowing access from the administrators system, change the IP Address of the
WINDOWS VM to 192.168.5.11 and test the telnet server again.
Start GNS3, as Administrator. Select Edit>Preferences, and QEMU VMs. Then click New, and select ASA.
Add the files in the Advanced tab, and leave everything else at default.
PIX Version 8.0(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface gigabitEthernet0
nameif outside
security-level 0
ip address 10.1.Y.254 255.255.255.0
!
interface gigabitEthernet 1
nameif inside
security-level 100
ip address 192.168.X.254 255.255.255.0
!
interface gigabitEthernet 2
nameif dmz
security-level 50
ip address 192.168.Z.254 255.255.255.0
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list INGRESS extended permit tcp any host 192.168.Z.10 eq www
access-list INGRESS extended permit icmp any any echo-reply
access-list EGRESS extended deny ip any any