Table of Contents

Volume 1

Advanced NAT 1-1
  Overview 1-1
  Module Objectives 1-1
  Applying NAT 0 and Policy NAT 1-3
    Overview 1-3
    Objectives 1-3
    ACLs 1-4
    NAT 1-13
    Translation Behavior 1-29
    NAT Exemption 1-32
    Policy NAT 1-36
    Verify and Troubleshoot 1-49
    Summary 1-66
  Module Summary 1-67

Advanced Protocol Handling 2-1
  Overview 2-1
  Module Objectives 2-1
  Applying the Cisco Modular Policy Framework 2-3
    Overview 2-3
    Objectives 2-3
    Cisco Modular Policy Framework Overview 2-4
    Configuring the Cisco Modular Policy Framework 2-9
    Configuring a Layer 7 Class Map 2-21
    Configuring a Regular Expression Class Map 2-26
    Configuring a Layer 7 Policy Map
    Verifying the Cisco Modular Policy Framework Configuration 2-43
    Summary 2-45
  Handling Advanced Protocols 2-47
    Overview 2-47
    Objectives 2-47
    Protocol Inspection Overview 2-48
    FTP Inspection 2-55
    HTTP Inspection 2-80
    Instant Messaging Inspection 2-98
    ESMTP Inspection 2-108
    DNS Inspection 2-120
    ICMP Inspection 2-131
    Verifying Protocol Inspection 2-133
    Summary 2-137
  Module Summary 2-138

Dynamic Routing and Switching 3-1
  Overview 3-1
  Module Objectives 3-1
  Switching with VLANs 3-3
    Overview 3-3
    Objectives 3-3
    Cisco ASA VLAN Operations 3-4
    VLAN Configuration 3-6
    VLAN Configuration on the Cisco ASA 5505 Appliance 3-11
    VLAN Verification
    Summary 3-23
  Routing with Dynamic Protocols 3-25
    Overview 3-25
    Objectives 3-25
    Dynamic versus Static Routing 3-26
    RIP 3-28
    OSPF 3-37
    EIGRP 3-53
    Redistribution 3-67
    Verification and Troubleshooting 3-73
    Summary 3-91
  Module Summary 3-92

Securing Networks with Cisco ASA Advanced (SNAA) v1.0   © 2008 Cisco Systems, Inc.

Module 1

Advanced NAT

Overview

As the use of the Internet has expanded, so has the complexity of the network security requirements that companies must meet to keep up with a dynamic security policy. As needs arise or threats grow, security managers, administrators, and engineers require more capabilities from the Cisco ASA adaptive security appliance.
In this module, we will examine the advanced Network Address Translation (NAT) capabilities of the Cisco ASA security appliance. These advanced NAT features give administrators the flexibility to configure the Cisco ASA security appliance to meet security requirements.

Module Objectives

Upon completing this module, you will be able to explain how the Cisco ASA security appliance performs NAT, the order of NAT matching, and policy-based NAT with the use of ACLs. This ability includes being able to meet these objectives:
- Configure NAT exemption
- Configure NAT based on traffic type

Lesson 1

Applying NAT 0 and Policy NAT

Overview

This lesson discusses the advanced Network Address Translation (NAT) features of the Cisco ASA adaptive security appliance: NAT 0 and policy NAT. It begins with a general discussion of access control lists (ACLs) and NAT. It then describes how to configure NAT 0 and policy NAT. It ends with the commands to verify the NAT configuration and troubleshoot NAT operations.

Objectives

Upon completing this lesson, you will be able to describe how to configure NAT based on traffic type and the appropriate policy. This ability includes being able to meet these objectives:
- Describe how to configure ACLs for the Cisco ASA security appliance
- Describe the function of NAT and how to implement basic NAT
- Describe the NAT 0 function and the steps necessary to implement NAT 0
- Describe policy NAT and the steps necessary to implement policy NAT
- Explain how to verify and troubleshoot NAT configuration and operation

ACLs

This topic describes access control lists and how they are configured.

What Are ACLs?
Access control lists (ACLs):
- Define or identify traffic
- Have at least one access control entry (ACE)
- Types:
  - Standard: Specifies source and destination address
  - Extended: Specifies source and destination address and service
  - Webtype: Specifies the URL permitted or denied for Cisco IOS WebVPN connections
  - Ethertype: Specifies the Layer 2 traffic allowed while in transparent mode

ACLs are used by the Cisco ASA security appliance to identify interesting traffic. Each ACL has at least one access control entry (ACE), and each ACE within an ACL describes the action taken on the traffic that the ACE identifies. The action that the security appliance can take on identified traffic is either permit or deny. The Cisco ASA security appliance supports four types of ACLs, which are described in the following table.

ACL Type  | Description
Standard  | Identifies traffic based on IP address or IP network address
Extended  | Identifies traffic based on source IP address and service and destination IP address and service
Webtype   | Identifies URL for Cisco IOS WebVPN traffic
Ethertype | Identifies traffic based on the Ethernet type defined in the Ethernet frame of Layer 2 traffic

Security Appliance ACL Configuration

[Figure: Internet hosts 192.168.10.11 and 192.168.100.4 attempting to reach the web server 192.168.1.33 on the inside of the security appliance]

The Cisco ASA adaptive security appliance uses ACLs to identify traffic that is:
- Allowed or denied on an interface
- Translated by NAT rules
- Placed into a VPN tunnel
- Controlled by the modular policy framework
- Subjected to authentication, authorization, and accounting (AAA) rules

The Cisco ASA security appliance uses ACLs to identify traffic. Once traffic is identified, the security appliance can take the appropriate action. One of the most common uses of ACLs on the security appliance is to allow or deny traffic on an interface. However, ACLs can be used in many other ways.
ACLs can define which traffic is translated when NAT control is enabled. ACLs also can define what traffic flows through a virtual private network (VPN) tunnel or what traffic has modular policy framework rules applied to it.

In the figure, two hosts are attempting to access a web server on the inside of a security appliance. An ACL applied to the outside interface of the security appliance allows the host at 192.168.10.11 to connect to the web server but denies access to the host at 192.168.100.4.

Note: The IP addressing schemes used in this course are not legally routable on the Internet. They are RFC 1918 addresses that are used in the lab exercises for this course.

To configure an access rule, complete the following steps:

Step 1  Click the Configuration button on the toolbar.
Step 2  Choose Firewall from the navigation pane.
Step 3  Choose Access Rules from the Firewall menu. The Access Rules panel is displayed. The figure shows the implicit access rules for each configured interface. The implicit rules shown here are graphical representations of the default behavior of the security appliance: higher security levels can access lower security levels but not vice versa, and lower security levels need an ACL to access higher security levels. Although you can add new access rules for an interface, you cannot edit the implicit rules themselves.
Step 4  Click Add and choose Add Access Rule. The Add Access Rule window opens.

Access List Configuration (Cont.)

[Figure: Acme Transport; Internet host 192.168.10.11 is permitted and Internet host 192.168.100.4 is denied access to the inside web server]

To create an inbound access rule that permits only HTTP traffic from an outside host to a host on the inside of the security appliance:

Step 5  Choose the interface to which the rule applies from the Interface drop-down list. In the figure, the network security administrator for Acme Transport has chosen the outside interface because the goal is to permit HTTP traffic from an outside host to a host on the inside of the security appliance.
Step 6  Choose the action that applies to the rule by clicking the Permit radio button or the Deny radio button. In the figure, Permit is chosen.
Step 7  Enter the source IP address from which traffic is permitted or denied. You also can click the "..." button to choose an address from a predefined list of known objects. To specify a host address, you can enter /32 for the subnet mask, or you can enter the IP address without a subnet mask. To specify a network address, enter the subnet mask in slash notation after the IP address. For example, to specify the network 192.168.1.0 255.255.255.0, enter 192.168.1.0/24. In the figure, the IP address 192.168.10.11 is entered as the source IP address to specify that the host at this IP address outside of the security appliance is permitted by the rule.
Step 8  Specify the destination IP address to which traffic is permitted or denied. You also can click the "..." button to choose an address from a predefined list. To specify a host address, you can enter /32 for the subnet mask, or you can enter the IP address without a subnet mask. To specify a network address, enter the subnet mask in slash notation after the IP address. In the figure, the destination address is 192.168.1.33.
Step 9  Specify the service or protocol for the rule in the Service field. You can click the "..." button to choose a service from a predefined list, or you can begin typing the acronym for the protocol; a list pops up with the entries that match the letters you have typed. In the figure, tcp/http is entered.

Note: If the ACL is for restricting outbound traffic (more secure interface to less secure interface), the source address is the address before NAT has been performed. For inbound connections, the destination address is the global, translated address if NAT is used.

Access List Configuration (Cont.)

[Figure: Acme Transport; Internet host 192.168.10.11 and Internet host 192.168.100.4 connecting to the inside web server]

These steps continue the configuration of the ACL to allow inbound access from an Internet host to a host on the inside of the firewall.

Step 10 (Optional) You can specify a descriptive comment about the ACE. When you add or edit an access rule, you can use the Description field shown in the figure to add a description, or remark, to the rule. You can use remarks to make the access rule easier to scan and interpret. The remark text can be up to 100 characters long, including spaces and punctuation. It is always a good rule of thumb to include a description of the configuration, because it can be referenced at a later point to understand the changes that were made. In the figure, the description "Allow external host 192.168.10.11 to inside host 192.168.1.33 web server" is configured for the access rule that permits HTTP access to the Acme Transport internal host.
Step 11 (Optional) You can disable the logging function, which is enabled by default. The logging option and its configuration are covered later in this lesson.
Step 12 Click the More Options double arrow to configure additional settings for the rule.
Step 13 Verify that the Enable Rule check box is checked.
Step 14 Choose the In or Out radio button from the Traffic Direction area to specify the direction of traffic to which the rule should be applied. The rule is applied to traffic on an interface in the direction you specify, inbound or outbound. You can apply only one access list to each direction of an interface. In the figure, the In radio button is chosen because the ACL is applied to the inbound traffic on the outside interface.
Step 15 Click OK.
This step completes the configuration of the ACL to allow inbound access from an Internet host to a host on the inside of the firewall.

Step 16 Click Apply in the Access Rules panel.

The figure shows the access rule that was just created highlighted on line 1 under the outside interface section of the window. It also shows a diagram of the access rule to give the user a graphical representation.

Access List Logging

[Figure: Internet host 192.168.10.11 matching the logged access rule]
- The security appliance generates syslog message 106100 when a packet matches the ACL.
- The security appliance logs message 106100 at level 7, debugging.
- The security appliance waits 300 seconds before sending the flow statistics to the syslog server.
- The security appliance waits 300 seconds before deleting a flow if no packets match the access rule.

By default, when traffic is denied by an extended access rule, the security appliance generates system message 106023 for each denied packet. If the security appliance is attacked, the number of system messages for denied packets can be very large. Therefore, enabling logging using syslog message 106100 is recommended instead. This message provides statistics for each access rule and lets you limit the number of system messages produced. Alternatively, you can disable all logging.

Syslog message 106100 is generated for every matching permit or deny access rule flow that passes through the security appliance. The first-match flow is cached; subsequent matches increment the hit count for the access rule. New 106100 messages are generated at the end of the interval you specify, if the hit count for the flow is not 0.

When you add an access rule in the Cisco Adaptive Security Device Manager (ASDM), the Enable Logging check box is checked, and the word "Default" is displayed in the Logging Level drop-down list. These default settings indicate that syslog message 106023 is generated when an IP packet is denied by this access rule.
To enable logging through syslog message 106100, choose one of the other options from the drop-down list. The other options are the logging levels, 0 through 7, which are as follows:

Level Number | Level Keyword | Description
0 | emergencies   | System unusable
1 | alert         | Immediate action needed
2 | critical      | Critical condition
3 | error         | Error condition
4 | warning       | Warning condition
5 | notification  | Significant condition but normal
6 | informational | Informational only message
7 | debugging     | Present only during debugging

You also can use the Logging Interval field to specify the amount of time in seconds that the security appliance waits before sending the flow statistics to the syslog server. This setting also serves as the timeout value for deleting a flow if no packets match the access rule. The default is 300 seconds, and valid values are 1 to 600.

The figure shows the Cisco ASA security appliance being configured for ACL logging based on the previous configuration example. Because a logging level rather than the "Default" option was chosen from the Logging Level drop-down list, the security appliance generates syslog message 106100 rather than message 106023 when a packet matches the ACL. The security appliance logs message 106100 at level 7, which is debugging, and waits 300 seconds before sending the flow statistics to the syslog server. The security appliance also waits 300 seconds before deleting a flow if no packets match the access rule.

Access List Configuration

[Figure: Internet host 192.168.10.11 permitted and Internet host 192.168.100.4 denied access to the inside web server 192.168.1.33]
- Inbound web connections from 192.168.10.11 to 192.168.1.33 are allowed.
- All other inbound web connections to 192.168.1.33 are implicitly denied.

The figure shows the command-line interface (CLI) commands passed to the Cisco ASA security appliance as a result of the Cisco ASDM configuration changes.
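The following CLI is an added example rather than the figure from the guide: it is the configuration that corresponds to the Acme Transport access rule and the 106100 logging settings described above, using the addresses from the figure. The ACL name outside_access_in is an assumption (Cisco ASDM derives the name from the interface, and the name used in the figure is not in the extracted text).

```cisco
! Added example, not the guide's own figure. ACL name outside_access_in is assumed.
!
! Remark from Step 10, then the ACE from Steps 5 through 9. The trailing
! "log debugging interval 300" is what the Logging Level (7, debugging) and
! Logging Interval (300 seconds) settings produce: syslog 106100 replaces the
! per-packet 106023 message, and flow statistics are sent every 300 seconds.
access-list outside_access_in remark Allow external host 192.168.10.11 to inside host 192.168.1.33 web server
access-list outside_access_in extended permit tcp host 192.168.10.11 host 192.168.1.33 eq www log debugging interval 300
!
! Step 14: bind the ACL to inbound traffic on the outside interface (one ACL per direction).
! Anything not matched by an ACE, including traffic from 192.168.100.4, hits the implicit deny.
access-group outside_access_in in interface outside
!
! Level 7 messages reach the syslog server only if the trap level includes debugging.
logging trap debugging
!
! Verification: per-ACE hit counts; hitcnt increments as cached 106100 flows match.
show access-list outside_access_in
```

A 106100 message for this rule, as it would appear on the syslog server (a constructed sample, not captured output), has the form "%ASA-7-106100: access-list outside_access_in permitted tcp outside/192.168.10.11(40211) -> inside/192.168.1.33(80) hit-cnt 1 first hit" followed by the flow hash codes; later messages for the same flow report the number of matches in the preceding 300-second interval instead of "first hit". Because the rule logs at level 7, confirm that the syslog server does not filter out debugging-level messages, or the statistics never arrive.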
The commands allow web connections only from the host 192.168.10.11 to 192.168.1.33. All other connections are implicitly denied by the access rule.

SNAA
Securing Networks with Cisco ASA Advanced
Volume 1
Version 1.0
Student Guide
Part Number: 97-2729.01

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Printed in Canada

NAT

This topic describes the configuration of NAT on the Cisco ASA security appliance using Cisco ASDM.
Addressing Scenarios

[Figure: private network 10.0.1.0/24 behind the security appliance; host 10.0.1.11 is translated to 192.168.1.10 before reaching the Internet]
- NAT was created to overcome addressing problems that occurred with the expansion of the Internet:
  - Mitigates global address depletion
  - Allows use of reserved addresses internally from RFC 1918
  - Internal address space is not dictated by external addresses
- NAT also has a secondary benefit:
  - Increases security by hiding the internal topology

NAT was invented in May 1994 by Paul Francis and Kjeld Borch Egevang. It soon became a popular technique for saving registered network addresses and hiding network topology from the Internet. Francis and Egevang wrote RFC 1631, The IP Network Address Translator (NAT), as well as several other RFCs about NAT.

With the explosive growth of the Internet and the limited number of IP version 4 addresses, NAT is critical to the mitigation of global Internet address depletion. NAT allows a company to use RFC 1918 private address space internally. By doing this, the internal address schemes of companies are not solely dependent on their external address space. NAT has a secondary benefit in that it masks or hides the internal network addresses, which can improve the network security posture.

In the figure, the private network is using private IP addressing, 10.0.1.0/24. Before a packet can be sent to the Internet, it must be translated into a public, routable address. In this example, the security appliance translates IP address 10.0.1.11 into routable IP address 192.168.1.10.

Note: The IP addressing schemes used in this course are not legally routable on the Internet. They are RFC 1918 addresses that are used in the lab exercises for this course.
Access Through the Security Appliance

[Figure: DMZ at security level 50 and outside at security level 0]
- Less Secure <- More Secure: Allowed (implicitly)
- Less Secure -> More Secure: Denied (implicitly); allowed only with an ACL and a NAT translation

When multiple interfaces are configured, the security level designates whether an interface is inside (trusted) or outside (untrusted) relative to another interface. The higher the security level, the more trust the networks associated with that interface have; the lower the security level, the less trust the networks associated with that interface have. An interface is considered to be inside in relation to another interface if its security level is higher than the security level of the other interface, and an interface is considered to be outside in relation to another interface if its security level is lower than the security level of the other interface.

An interface with a higher security level can access an interface with a lower security level. Connections are implicitly allowed unless they are explicitly denied. An interface with a lower security level is implicitly denied access to an interface with a higher security level unless you specifically allow it by implementing an access list and a static command (if NAT control is enabled).

If you enable NAT control, all packets traversing the Cisco ASA security appliance require a translation rule. The nat and global commands work together to create these translation rules, which enable your network to use any IP addressing scheme and to remain hidden from the external network.

NAT Control

[Figure: NAT control enabled versus NAT control disabled]
- NAT control requires the Cisco ASA security appliance to perform translations when it is enabled.
- NAT control is disabled by default.
  - Introduced in version 7.0 and later

NAT control requires that packets traversing from a higher security interface to a lower security interface match a NAT rule. For a host on the inside network to access a host on the outside network, a NAT translation must be configured for the inside host address. The nat-control command was introduced in Cisco ASA security appliance software version 7.0 and later. With NAT control disabled, the security appliance forwards the packet without translation unless there is a NAT rule that matches it. If a NAT rule matches outbound traffic, the security appliance performs the translation and forwards the packet. The security appliance has NAT control disabled by default.

Static vs. Dynamic Translation

[Figure: dynamic translation maps inside hosts to an outside global IP address pool; static translation maps outside global IP address 192.168.1.10 to inside address 10.0.1.11]

NAT translates the addresses of hosts on a higher security level to a less secure interface:
- Dynamic translation: one IP address to an IP address within a pool
- Static translation: one IP address to another exact IP address

The security appliance supports the following types of address translations:
- Dynamic translation: Translates host addresses on more secure interfaces to a range or pool of IP addresses on a less secure interface. This allows an internal address to be translated to an address on an interface that has a lower security level, obscuring the internal address from view.
- Static translation: Provides a static, one-to-one mapping between an IP address on a more secure interface and an IP address on a less secure interface. With the appropriate ACLs in place, a static translation can allow users on a less secure interface to access a host on a more secure interface without exposing the actual IP address of the host on the more secure interface.
In this example, the configuration can allow Internet users to access the web server without exposing the actual IP address of the web server.

NAT Control Configuration

To configure NAT control for the Cisco ASA security appliance, complete the following steps:

Step 1  Click the Configuration button on the toolbar.
Step 2  Choose Firewall from the navigation pane.
Step 3  Choose NAT Rules from the Firewall menu. The NAT Rules panel opens. The figure shows the NAT Rules panel and any NAT rules that are configured. In this example, there are no NAT rules configured.
Step 4  Check the Enable traffic through the firewall without address translation check box to enable NAT control.
Step 5  Click Apply in the NAT Rules panel.

NAT Control Configuration (Cont.)

[Figure: NAT required; IP address 10.0.1.11 translated to 192.168.1.10]
- With NAT control enabled, NAT translations are required for packets traversing the security appliance from a higher security level to a lower security level.
- IP address 10.0.1.11 must be translated.

The figure shows the commands that Cisco ASDM will send to the security appliance based on the configuration. In this figure, the security appliance requires NAT translations, so the nat-control command has been configured, which requires a translation for the IP address 10.0.1.11. In this example, it is translated to 192.168.1.10.

Static NAT Configuration

To configure static translations in Cisco ASDM, complete the following steps:

Step 1  Choose Configuration > Firewall > NAT Rules.
Step 2  Choose Add Static NAT Rule from the Add drop-down menu. The Add Static NAT Rule dialog box opens.

Static NAT Configuration (Cont.)
[Figure: static NAT rule being added in Cisco ASDM]

To continue configuring static translations in Cisco ASDM, complete the following steps:

Step 3  In the Original area, choose the originating interface that is connected to the host with real addresses that are to be translated. In this example, the host resides on the "inside" interface.
Step 4  Enter the real addresses in the Source field. In the example in the figure, the real IP address of the Acme Transport web server, 10.0.1.11, is entered in this field.
Step 5  In the Translated area, choose the interface where you want to use the translated address. In the example in the figure, the translated address will be used on the
Step 6  Choose the Use IP Address radio button, and enter the mapped IP address in the corresponding field. In this example, the mapped IP address is 192.168.1.10.

Note: Do not use a mapped address that is also defined in a global pool for the same mapped interface.

Step 7  Click Connection Settings. The Add Static NAT Rule pop-up window expands.
Step 8  (Optional) Check the Translate the DNS replies that match the translation rule check box. This option rewrites the address record (A record) in DNS replies that match this static NAT rule. For DNS replies traversing the security appliance from a translated interface to any other interface, the address record is rewritten from the translated value to the real value. Inversely, for DNS replies traversing from any interface to a translated interface, the address record is rewritten from the real value to the mapped value.

Note: DNS inspection must be enabled to support this functionality.

Step 9  (Optional) Randomize sequence numbers. Each TCP connection between a client and server has two initial sequence numbers (ISNs): one generated by the client and one generated by the server.
        By default, the Cisco ASA security appliance randomizes the ISN of the TCP synchronization (SYN) request passing in both the inbound and outbound directions. Randomizing the ISNs helps prevent an attacker from predicting or guessing the sequence numbers during TCP session hijacking. There are some instances where you may want to disable this, such as if Cisco Wide Area Application Services (WAAS) is deployed, or if there is another firewall performing the task within the connection stream. To disable this feature, uncheck the check box.
        (Optional) Maximum TCP Connections and Maximum UDP Connections: Specifies the maximum number of simultaneous TCP or User Datagram Protocol (UDP) connections for the static connection. The default is 0, meaning unlimited connections.
        (Optional) Maximum Embryonic Connections: Specifies the maximum number of embryonic connections per host. The default is 0, meaning unlimited embryonic connections. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Limiting the number of embryonic connections protects against denial of service (DoS) attacks. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets.
Step 10 Click OK. The Add Static NAT Rule window closes.
Step 11 Click Apply in the NAT Rules window.

Static NAT Configuration (Cont.)

[Figure: static NAT; 10.0.1.11 translated to 192.168.1.10]
- IP address 10.0.1.11 is translated to 192.168.1.10 for outbound and inbound connections.
- DNS replies are translated to and from mapped interfaces.
- Maximum TCP, UDP, and embryonic connections are set to unlimited.

The figure shows the commands that Cisco ASDM will send to the security appliance based on the configuration.
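The commands below are an added example rather than the guide's figure: the CLI (pre-8.3 NAT syntax, as used throughout this lesson) that the NAT control and static NAT steps above produce, plus one commented variant with connection limits. The limit values in the variant are assumed for illustration; the guide's configuration leaves them at 0, which means unlimited.

```cisco
! Added example, not the guide's own figure. Limit values in the variant are assumed.
!
! NAT control: traffic from a higher to a lower security level must match a NAT rule.
nat-control
!
! Static one-to-one translation (Steps 3 through 6): real 10.0.1.11 on inside appears
! as 192.168.1.10 on outside, for both outbound and inbound connections.
! "dns" is the Translate DNS replies option (Step 8); it requires DNS inspection.
! No tcp/udp/embryonic values means 0 = unlimited, as in the figure.
static (inside,outside) 192.168.1.10 10.0.1.11 netmask 255.255.255.255 dns
!
! Variant with connection limits (assumed values): at most 1000 TCP connections and
! 200 embryonic (half-open) connections to the server. Once 200 embryonic connections
! exist, TCP Intercept completes the handshake on the server's behalf and only passes
! connections that finish it, so a SYN flood no longer fills the server's backlog.
! UDP stays unlimited. Remove the leading "!" to use it instead of the line above.
! static (inside,outside) 192.168.1.10 10.0.1.11 netmask 255.255.255.255 dns tcp 1000 200 udp 0
!
! The static alone does not admit inbound connections: the ACL applied inbound on the
! outside interface must permit them, and that ACL references the mapped address 192.168.1.10.
!
! Verification
show xlate
show nat
```

With the static in place, show xlate lists the entry as Global 192.168.1.10 Local 10.0.1.11, and show nat reports translate_hits and untranslate_hits for the rule. Checking untranslate_hits first tells you whether inbound connections are being un-translated at all before you start suspecting the ACL.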
In this figure, the security appliance is configured to perform a static NAT translation for IP address 10.0.1.11 to IP address 192.168.1.10. The DNS replies will be translated based on the translated interface. The maximum TCP, UDP, and embryonic connections are set to unlimited by default.

With dynamic NAT, you must first define which hosts are eligible for translation and then define an address pool to be used for the translations. For example, dynamic inside source address translations are used for outbound connections from the inside hosts; for these translations, the pool for address allocation is chosen on the outgoing interface based on the NAT identifier (NAT ID). The NAT ID is a number that is assigned by the administrator to logically group the dynamic NAT rule and the global pool of addresses that dynamic NAT will use.

To configure dynamic translations in Cisco ASDM, complete the following steps:

Step 1  Choose Configuration > Firewall > NAT Rules.
Step 2  Choose Add Dynamic NAT Rule from the Add drop-down menu. The Add Dynamic NAT Rule dialog box opens.

Dynamic NAT

[Figure: Add Dynamic NAT Rule dialog box]

In this Cisco ASDM figure, the administrator is defining the real IP addresses to be translated and the associated interface.

Step 3  In the Original area, choose the interface that is connected to the hosts with real addresses that you want to translate. For this example, hosts on the "inside" interface are eligible for translation.
Step 4  Enter the real addresses in the Source field, or use the "..." button to choose an IP address that you already defined in Cisco ASDM. If you enter the addresses manually, specify the address and subnet mask using prefix and length notation, such as 10.0.1.0/24. If you enter an IP address without a mask, Cisco ASDM recognizes it as a host address, even if it ends with a 0 in the last octet.
        In the example in the figure, the drop-down menu was used to choose the inside network, which was previously defined in Cisco ASDM.
Step 5  Click Manage to begin configuring the address pool to be used for these translations. The Manage Global Pool window opens. The Manage Global Pool window allows you to choose an existing global pool, edit an existing global pool, or add a new global pool. If you choose Add to create a new global pool, the Add Global Address Pool window opens.

Adding a Global Pool

[Figure: dynamic NAT; global pool 192.168.1.50-223 on the outside interface]

In this figure, the administrator is defining the pool of addresses that the real IP addresses will use for translation.

Step 6  Choose the interface where the translated addresses will be used. In this example, the translated addresses will be used on the outside interface.
Step 7  In the Pool ID (or NAT ID) field, enter a number between 1 and 2147483647 to identify the address pool. When you create a dynamic NAT rule, Cisco ASDM uses this number to pair the real or original addresses you entered with the global pool of addresses containing the same number. In this example, the Pool ID is 1.
Step 8  Choose the Range radio button from the IP Addresses to Add panel. The other options in this panel use a single IP address for NAT overloading or Port Address Translation (PAT).
Step 9  Starting IP Address: Enter the first IP address for the range. In this example, the starting address is 192.168.1.50.
Step 10 Ending IP Address: Enter the last IP address for the range. The mapped pool can include fewer addresses than the real group. In this example, the ending address is 192.168.1.223, making the mapped pool of addresses 192.168.1.50 through 192.168.1.223 and providing up to 174 individual IP addresses. When this pool of 174 IP addresses is exhausted by NAT, no further translations will be possible.
        Netmask (optional): Enter the netmask for the address range in the field.
        Click Add to move the address range you created to the Addresses Pool list.
        Click OK.

Dynamic NAT Connection Settings

[Figure: dynamic NAT with global pool 192.168.1.50-223]

In this figure, the administrator is choosing the global address pool that was just created and configuring more options under the Connection Settings part of the window.

Step 11 Click OK in the Manage Global Pool window.
Step 12 Click Connection Settings. The Add Dynamic NAT Rule pop-up window expands.
Step 13 (Optional) Check the Translate the DNS replies that match the translation rule check box to allow the security appliance to translate DNS replies. This option rewrites the address record (A record) in DNS replies that match this NAT rule. For DNS replies traversing the security appliance from a translated interface to any other interface, the address record is rewritten from the translated value to the real value. Inversely, for DNS replies traversing from any interface to a translated interface, the address record is rewritten from the real value to the mapped value. In this example, the administrator has chosen to translate the DNS replies.

Note: DNS inspection must be enabled to support this functionality.

Step 14 (Optional) Randomize sequence numbers. Each TCP connection between a client and server has two ISNs: one generated by the client and one generated by the server. By default, the Cisco ASA security appliance randomizes the ISN of the TCP SYN request passing in both the inbound and outbound directions. Randomizing the ISNs helps prevent an attacker from predicting or guessing the sequence numbers during TCP session hijacking. There are some instances where you may want to disable this, such as if Cisco WAAS is deployed, or if there is another firewall performing the task within the connection stream. To disable this feature, uncheck the check box.
(Optional) Maximum TCP Connections and Maximum UDP Connections: Specifies the maximum number of simultaneous TCP or UDP connections for the static connection. The default is 0, meaning unlimited connections.

(Optional) Maximum Embryonic Connections: Specifies the maximum number of embryonic connections per host. The default is 0, meaning unlimited embryonic connections. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Limiting the number of embryonic connections protects against DoS attacks. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets.

Step 15 Click OK in the Add Dynamic NAT Rule window.

Step 16 Click Apply.

Dynamic NAT Graphical Representation

The figure shows the dynamic NAT rule chosen in the NAT Rules panel, together with a graphical representation of the rule.

Dynamic NAT Commands

NAT Exemption Configuration

Step 1 Choose Configuration > Firewall > NAT Rules. The NAT Rules panel is displayed.

Step 2 Choose Add > Add NAT Exemption Rule from the NAT Rules panel. The Add NAT Exemption Rule window appears.

NAT Exemption Configuration (Cont.)
(Figure: Corporate Office)

The figure shows an administrator configuring a NAT exemption rule.

Step 3 Choose the Action to take, Exempt or Do Not Exempt. In this example, the NAT is configured to be exempt.

Step 4 Choose the interface that originates the traffic. In this example, "inside" is the chosen interface.

Step 5 Choose the source address or source network address of the traffic that is not to have NAT applied to it. In this example, it is the network address of the inside network, 10.0.1.0/24.
Step 6 Choose the destination address or destination network address of the traffic that is not to have NAT applied to it. In this example, it is the network address of the remote office network, 10.0.5.0/24.

Step 7 Choose the NAT exemption direction, that is, the direction the traffic is going in relation to the Original Interface. In this example, outbound traffic from the "inside" is chosen.

Step 8 (Optional) Enter a description for the NAT exemption rule in the Description field.

Step 9 Click OK.

Step 10 Click Apply.

NAT Exemption Commands
(Figure: Remote Office, Corporate Office)

The figure shows the CLI commands that were sent to the security appliance based on the NAT exemption configuration that was performed by the administrator. In this example, an ACL was configured to identify the desired traffic. This ACL is also called a crypto ACL because it designates the traffic to be encrypted for IP Security (IPsec) VPNs. The ACL is applied within the nat 0 command to exclude network traffic from the 10.0.1.0/24 network to the 10.0.5.0/24 network from translation.

Policy NAT

This topic describes policy NAT and how it is configured.

Static PAT Port Redirection: Overview
(Figure: Partner hosts 192.168.10.11 and 192.168.100.4 connecting to 192.168.1.33)

= Used to create a permanent translation between a mapped IP address and port number and the specific real IP address and port number
- 192.168.1.33/FTP redirected to 10.0.1.15/FTP
- 192.168.1.33/www redirected to 10.0.1.16/www

The Cisco ASA security appliance provides static PAT capability. This enables outside users to connect to a particular IP address and port. The security appliance redirects the connection to the appropriate inside server and port number. This capability can be used to send multiple inbound TCP or UDP services to different internal hosts through a single global address.
The shared address can be a unique address, or it can be shared with the external interface. For example, if you want to provide a single address for global users to access the FTP and web servers, but these are actually different servers on the local network, you can create two static translations, one for each of the following:

= Mapped HTTP IP address to real IP address: 192.168.1.33/www to 10.0.1.16/www
= Mapped FTP IP address to real IP address: 192.168.1.33/ftp to 10.0.1.15/ftp

In the example in the figure, if a web packet is sent to 192.168.1.33, it is redirected to the web server at IP address 10.0.1.16. If an FTP packet is sent to 192.168.1.33, it is redirected to the FTP server at IP address 10.0.1.15.

You can also use this feature to translate a well-known port to a lesser-known port or vice versa. For example, if the inside web server uses port 80, you can allow outside users to connect to port 8080 and then translate them to the correct port. Similarly, if you want to provide extra security, you can tell your web users to connect to lesser-known port 6785 and then translate them to port 80 on the local network.

With static PAT, all requests are mapped to the same real IP address and port number. There is no mechanism to apply policy to the static PAT because the destination, or client, side of the connection is not a part of its configuration.

Static Policy NAT
(Figure: Partner 1 host 192.168.10.11 and Partner 2 host 192.168.100.4 connecting to 192.168.1.33 TCP/80; inside web server 10.0.1.15 TCP/8080)

static (inside,outside) tcp 192.168.1.33 80 10.0.1.15 8080

The real address and port can be replaced by an access list, such as STATIC_POLICY_NAT:

access-list STATIC_POLICY_NAT extended permit tcp host 10.0.1.15 eq 8080 host 192.168.10.11

Static policy NAT allows an administrator to specify the address used in NAT translation based on source and destination IP addresses and services.
It does this through the use of an extended ACL. In the figure, when host 192.168.10.11 attempts a web connection to 192.168.1.33 and TCP port 80, the connection is translated to a real IP address of 10.0.1.15 and real TCP port 8080. When host 192.168.100.4 attempts a web connection to 192.168.1.33 and TCP port 80, it is denied access because no translation exists for it. Static policy NAT gives an administrator tighter control over the translated IP addresses and ports based on the inbound connection; static PAT does not offer this level of control.

All types of NAT support policy NAT except NAT exemption. NAT exemption is not supported because it does not consider source or destination services when applied to NAT rules. Policy NAT also does not support time-based ACLs.

Static Policy NAT Configuration

To configure static policy NAT, follow these steps:

Step 1 Choose Configuration > Firewall > NAT Rules. The NAT Rules panel is displayed.

Step 2 Choose Add > Add Static Policy NAT Rule from the NAT Rules panel. The Add Static Policy NAT Rule window appears.

Static Policy NAT Configuration (Cont.)

The figure shows an administrator configuring a static policy NAT rule.

Step 3 In the Original area, click the Interface drop-down list to choose where the real IP address is located. In this example, the interface is configured for "inside" because the web server is on the inside interface.

Step 4 Click the Source drop-down list to choose the source IP address of the address that is to be translated. In this example, the IP address is 10.0.1.15.

Step 5 Click the Destination drop-down list to choose the destination address. This is actually the address of the host originating the connection. In this example, the destination address is 192.168.10.11.
Step 6 In the Translated area, click the Interface drop-down list to choose the translated interface for the static policy NAT. This is the interface onto which the originating IP address will be translated. In this example, "outside" is the translated interface.

Step 7 Enter the translated IP address for this static policy NAT rule. In the example, IP address 192.168.1.33 is chosen.

Step 8 Check the Enable Port Address Translation check box to enable PAT for the static policy NAT. In this example, the check box is checked.

Step 9 Choose the protocol from the radio buttons. This is either TCP or UDP. In this example, TCP is chosen because web traffic is being sent to the source IP address.

Step 10 Enter the original port. This is the port the source IP address is listening on. In this example, the original port is set to 8080. This is the port that the web server for the partner connection is listening on.

Step 11 Enter the translated port. This is the port that will be visible to the partners. In this example, TCP port 80 is entered.

Step 12 Click OK.

Step 13 Click Apply.

Static Policy NAT Commands
(Figure: CLI commands generated for the static policy NAT rule)

The figure shows the CLI commands that were sent to the Cisco ASA security appliance based on the static policy NAT configuration that was performed by the administrator. In this example, the ACL was configured to identify the desired traffic: web traffic from 192.168.10.11. The ACL is reflexive because the static command is used. The static command lists the translated IP address for the static policy NAT. The inside host, 10.0.1.15, is statically translated to 192.168.1.33 when web connections are made from Partner 1, and its web server that is running on TCP port 8080 is translated to TCP port 80. Access to this web server is denied to the Partner 2 host at IP address 192.168.100.4 because no translation can be built.
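As an added example (not Cisco code or output from the course), the following Python models the difference just described: a plain static PAT entry answers any client, while a policy NAT static entry answers only the clients its ACL names, so Partner 2 gets no translation. The class and function names are this example's own; the addresses, ports and the STATIC_POLICY_NAT list name are the page's.

```python
"""Static PAT versus static policy NAT, modelled in Python (added example).

The lookup reproduces the page's case: with static policy NAT, 192.168.1.33/80
is translated to 10.0.1.15/8080 only for the Partner 1 host 192.168.10.11, so
Partner 2 (192.168.100.4) gets no xlate and is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One extended ACE as written for a policy NAT static command:
    'permit <proto> host <real_ip> eq <real_port> <client_net>'.
    The ACE is written from the real (inside) side: its source is the server
    being translated, its destination is the client allowed to use the xlate."""
    proto: str
    real_ip: str
    real_port: int
    client_net: str


@dataclass(frozen=True)
class StaticRule:
    """static (inside,outside) <proto> <mapped_ip> <mapped_port> ... followed by
    either '<real_ip> <real_port>' (static PAT) or 'access-list <name>'
    (static policy NAT)."""
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: Optional[str] = None
    real_port: Optional[int] = None
    acl_name: Optional[str] = None
    acl: Tuple[Ace, ...] = ()

    def commands(self) -> List[str]:
        """Render the rule as the CLI lines the page shows Cisco ASDM sending."""
        head = f"static (inside,outside) {self.proto} {self.mapped_ip} {self.mapped_port}"
        if not self.acl:
            return [f"{head} {self.real_ip} {self.real_port}"]
        lines = [f"access-list {self.acl_name} extended permit {a.proto} "
                 f"host {a.real_ip} eq {a.real_port} {_acl_addr(a.client_net)}"
                 for a in self.acl]
        return lines + [f"{head} access-list {self.acl_name}"]


def _acl_addr(net: str) -> str:
    """ACL address syntax: 'host A.B.C.D' for a /32, otherwise 'network mask'."""
    n = ip_network(net)
    if n.prefixlen == 32:
        return f"host {n.network_address}"
    return f"{n.network_address} {n.netmask}"


def lookup_inbound(rules: List[StaticRule], proto: str, client_ip: str,
                   dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Real address and port an inbound connection is redirected to, or None
    when no translation exists (the appliance then denies the connection)."""
    for r in rules:
        if (r.proto, r.mapped_ip, r.mapped_port) != (proto, dst_ip, dst_port):
            continue
        if not r.acl:                       # static PAT: any client qualifies
            return (r.real_ip, r.real_port)
        for a in r.acl:                     # policy NAT: client must match an ACE
            if a.proto == proto and ip_address(client_ip) in ip_network(a.client_net):
                return (a.real_ip, a.real_port)
    return None


# Static PAT from the page: one global address fronting two inside servers.
STATIC_PAT = [
    StaticRule("tcp", "192.168.1.33", 21, real_ip="10.0.1.15", real_port=21),
    StaticRule("tcp", "192.168.1.33", 80, real_ip="10.0.1.16", real_port=80),
]

# Static policy NAT from the page: only Partner 1 may reach the 8080 server.
STATIC_POLICY = [
    StaticRule("tcp", "192.168.1.33", 80, acl_name="STATIC_POLICY_NAT",
               acl=(Ace("tcp", "10.0.1.15", 8080, "192.168.10.11/32"),)),
]

if __name__ == "__main__":
    for line in STATIC_POLICY[0].commands():
        print(line)
    print(lookup_inbound(STATIC_POLICY, "tcp", "192.168.10.11", "192.168.1.33", 80))
    print(lookup_inbound(STATIC_POLICY, "tcp", "192.168.100.4", "192.168.1.33", 80))
```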
Dynamic Policy NAT
(Figure: SIP servers 192.168.100.240 and 192.168.100.241; Acme Transport inside network 10.0.1.0/24; web server 192.168.110.10; Pool 192.168.1.225-254; Pool 192.168.1.50-223)

With NAT control enabled:
* Identifies addresses for translation through an extended ACL
* ACL lists source addresses and destination addresses and service
* Aids in application inspection when secondary channels are required for communication, as in VoIP and FTP

Dynamic policy NAT allows administrators to specify the addresses used for translation based on source and destination IP addresses and services. This is accomplished with an extended ACL. It also aids in application inspection when the application requires more than one channel for communication, as in VoIP and FTP. In this example, SIP connections to external SIP servers are translated to an address in the 192.168.1.225-192.168.1.254 global address pool associated with dynamic policy NAT, while all other connections are translated to an address in the 192.168.1.50-192.168.1.223 global address pool associated with regular NAT.

Add Dynamic Policy NAT Rule Window

To configure dynamic translations in Cisco ASDM, complete the following steps:

Step 1 Choose Configuration > Firewall > NAT Rules. The NAT Rules panel is displayed.

Step 2 Choose Add Dynamic Policy NAT Rule from the Add drop-down menu. The Add Dynamic Policy NAT Rule dialog box opens.

Dynamic Policy NAT Configuration (Cont.)

In this figure, the administrator is defining the real IP addresses to be translated and the interface.
The administrator is also defining the destination addresses and the associated destination service for this dynamic policy NAT rule.

Step 3 From the Interface drop-down list within the Original area, choose the interface that is connected to the hosts with real addresses that you want to translate. For this example, hosts on the inside network are eligible for translation.

Step 4 Enter the real addresses in the Source field, or use the "..." button to choose an IP address that you already defined in Cisco ASDM. If you enter the addresses manually, specify the address and subnet mask using prefix and length notation, such as 10.0.1.224/27. If you enter an IP address without a mask, Cisco ASDM recognizes it as a host address, even if it ends with a 0 in the last octet. In the example in the figure, the drop-down menu was used to choose the subnet of the inside network that contains IP phones.

Step 5 Enter the destination IP address or IP addresses. This is the IP address that the originating hosts are connecting to on the designated service. In this example, the IP addresses of the external Session Initiation Protocol (SIP) servers are chosen. They are 192.168.100.240 and 192.168.100.241. In the input box, the addresses are separated by a comma.

Step 6 Enter the Service that the internal hosts are connecting to on the destination IP address. Begin typing the acronym for the service in the field; a drop-down menu will appear with services that begin with the letters you typed. Alternatively, choose the "..." button, and a new pop-up window will appear; you can choose the service from within this window. In this example, SIP is chosen because this is the protocol used by the IP phones to communicate with the SIP servers.

Step 7 Click Manage to begin configuring the address pool to be used for these translations. The Manage Global Pool window opens.
The Manage Global Pool window allows you to choose a global pool that has already been defined, edit a global pool that has already been defined, or add a new global pool. If you choose Add to create a new global pool, the Add Global Address Pool window opens.

Dynamic Policy NAT Configuration (Cont.)

In this figure, the administrator is defining the pool of addresses that the "real" IP addresses will use for this dynamic policy NAT.

Step 8 From the drop-down menu, choose the interface where the translated addresses will be used. In this example, the translated addresses will be used on the outside interface.

Step 9 In the Pool ID (or NAT ID) field, enter a number between 1 and 2147483647 to identify the address pool. When you create a dynamic NAT rule, Cisco ASDM uses this number to pair the real or original addresses you entered with the global pool of addresses containing the same number. In this example, the Pool ID is 2 because Pool ID 1 already exists for the dynamic NAT rule.

Step 10 Choose the Range radio button from the IP Addresses to Add panel. The other options in this panel use a single IP address for NAT overloading or PAT.

Starting IP Address: Enter the first IP address for the range. In this example, the starting address is 192.168.1.225.

Ending IP Address: Enter the last IP address for the range in the field. The mapped pool can include fewer addresses than the real group. In this example, the ending address is 192.168.1.254, making the mapped pool of addresses 192.168.1.225 through 192.168.1.254 and enabling up to 30 individual IP addresses. When this pool of 30 IP addresses is exhausted by NAT, no further translations will be possible.

Netmask: Enter the netmask for the address range in the field.

Step 11 Click Add to move the address range you created to the Addresses Pool list.

Step 12 Click OK.
Step 13 In the Manage Global Pool window, ensure the correct address pool is chosen, and click OK.

Dynamic Policy NAT Configuration (Cont.)

In this figure, the administrator is choosing the global address pool that was just created and configuring more options under the Connection Settings part of the window.

Step 14 (Optional) Enter a Description for the dynamic policy NAT. In the example, "Dynamic Policy NAT for IP Phones" is typed into the field.

Step 15 (Optional) Click Connection Settings. The Add Dynamic Policy NAT Rule pop-up window expands.

Step 16 (Optional) Check the Translate the DNS replies that match the translation rule check box. This option rewrites the A record in DNS replies that match this static NAT rule. For DNS replies traversing the Cisco ASA security appliance from a translated interface to any other interface, the address record is rewritten from the translated value to the real value. Inversely, for DNS replies traversing from any interface to a translated interface, the address record is rewritten from the real value to the mapped value. In this example, the administrator has chosen to translate the DNS replies.

Note: DNS inspection must be enabled to support this functionality.

Step 17 (Optional) Randomize sequence numbers. Each TCP connection between a client and server has two ISNs: one generated by the client and one generated by the server. By default, the security appliance randomizes the ISN of the TCP SYN request passing in both the inbound and outbound directions. Randomizing the ISNs helps prevent an attacker from predicting or guessing the sequence numbers during TCP session hijacking. There are some instances where you may want to disable this, such as if Cisco WAAS is deployed, or if there is another firewall performing the task within the connection stream. To disable this feature, uncheck the check box.
(Optional) Maximum TCP Connections and Maximum UDP Connections: Specifies the maximum number of simultaneous TCP or UDP connections for the static connection. The default is 0, meaning unlimited connections.

(Optional) Maximum Embryonic Connections: Specifies the maximum number of embryonic connections per host. The default is 0, meaning unlimited embryonic connections. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Limiting the number of embryonic connections protects against DoS attacks. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets.

Step 18 Click OK in the Add Dynamic Policy NAT Rule window.

Step 19 Click Apply.

Dynamic Policy NAT Commands
(Figure: CLI commands generated for the dynamic policy NAT rule; SIP servers 192.168.100.240 and 192.168.100.241)

The figure shows the CLI commands that were sent to the Cisco ASA security appliance based on the dynamic policy NAT configuration that was performed by the administrator. In this example, the object group DM_INLINE_NETWORK_1 is defined for the two IP addresses, 192.168.100.240 and 192.168.100.241. An ACL using this object group is created to identify SIP traffic coming from IP phones on the internal network 10.0.1.224/27 going to the external SIP servers defined by the object group. This ACL and a global address pool with ID 2, defined by the global command, are applied to the nat command with NAT ID 2.

Verify and Troubleshoot

This topic describes how to verify and troubleshoot ACLs and NAT configurations.
show access-list Command
(Figure: web server 10.0.1.15 TCP/8080)

The show access-list command lists all the configured ACLs, the ACEs for each ACL, the counters for each ACE, and a unique hexadecimal identifier (hash code) for each ACE. Syslog messages triggered by the matching ACE will have this hash code within the syslog message. This hash code is also used when Cisco Security Manager queries Cisco Security Monitoring, Analysis, and Response System (MARS) to determine which matching Cisco Security MARS event is caused by the security appliance ACE. In the figure, there are three ACLs: inside_nat0_outbound, inside_nat_static, and inside_nat_static_1. Within each ACL there are one or more ACEs. Each ACE is denoted by a line number.

Note: The hexadecimal value that follows the hit count in the show access-list command output is a unique identifier for the ACE. If object groups are used in the access list, there is an identifier for the object-group ACE and one for each expanded ACE. These identifiers are used by the security appliance to minimize CPU usage by the show access-list command, which is processor intensive.

clear access-list counters Command
(Figure: ACL inside_nat_static; 192.168.10.11 to web server 10.0.1.15 TCP/8080)

The network administrator can use the clear access-list counters command to troubleshoot network access. In the example, static policy NAT is being used for web connections from a user at 192.168.10.11 to a web server at 10.0.1.15, TCP port 8080. The administrator can use the show access-list command to view the access-list counters and determine whether the source packet passed through the Cisco ASA security appliance. If the hit count of the access list inside_nat_static is incrementing, then the traffic is being translated and traveling through the security appliance as expected.
To check the progress of the troubleshooting, the administrator can clear the ACL counters, or hit counts. The clear access-list counters command clears the counters for the specified ACL. If no ACL is specified, all the access-list counters are cleared.

show conn Command
(Figure: 192.168.10.11 TCP/80 to web server 10.0.1.15 TCP/8080)

asa1# show conn
2 in use, 9 most used
TCP out 192.168.10.11:2824 in 10.0.1.15:8080 idle 0:00:03 bytes 2320 flags UIO
TCP out 192.168.10.11:2823 in 10.0.1.15:8080 idle 0:00:03 bytes 3236 flags UIO

The show conn command displays the number of active connections and information about them. In the figure, there are two connections between host 10.0.1.15 and web server 192.168.10.11. Connections are addressed to TCP port 8080 on the web server. The replies are addressed to host 192.168.10.11, ports 2824 and 2823.

The syntax for the show conn command is as follows:

show conn [all | count] [state state_type] [{foreign | local} ip [-ip2] netmask mask] [long | detail] [{lport | fport} port1 [-port2]] [protocol {tcp | udp}]

Syntax Description

all: Keyword for displaying connections that are to the device or from the device.
count: Displays only the number of used connections. The precision of the displayed count can vary depending on traffic volume and the type of traffic passing through the device.
detail: Displays connections in detail, including translation types and interface information.
foreign: Keyword for displaying active connections by the foreign IP address.
fport: Keyword for displaying foreign active connections by port.
ip: IP address or beginning address in a range of IP addresses.
ip2: Ending IP address in a range of IP addresses.
local: Keyword for displaying active connections by the local IP address.
lport: Keyword for displaying local active connections by port.
long: Displays connections in long format.
netmask: Keyword for specifying a netmask.
mask: Netmask for ip, ip2, or both.
port: Port number or beginning port number in a range of port numbers.
port2: Ending port number in a range of port numbers.
protocol: Keyword for displaying active connections by protocol type.
state: Keyword for specifying a connection state.
state_type: Connection state. You can specify the following connection state types:
= up: Connections in the up state
= finin: FIN inbound connections
= finout: FIN outbound connections
= http_get: HTTP get connections
= smtp_data: SMTP mail data connections
= nojava: Connections that deny access to Java applets
= data_in: Inbound data connections
= data_out: Outbound data connections
= rpc: Remote procedure call (RPC) connections
= h225: H.225 connections
= h323: H.323 connections
= sqlnet_fixup_data: SQL*Net data inspection engine connections
= conn_inbound: Inbound connections
= sip: SIP connections
= mgcp: Media Gateway Control Protocol (MGCP) connections
= ctiqbe: Computer Telephony Interface Quick Buffer Encoding (CTIQBE) connections
= skinny: Skinny Client Control Protocol (SCCP) connections
= service_module: Connections being scanned by a Security Services Module
tcp: Keyword for displaying TCP connections.
udp: Keyword for displaying UDP connections.

show conn detail Command
(Figure: 192.168.10.11 TCP/80 to web server 10.0.1.15 TCP/8080)

asa1# show conn detail
2 in use, 9 most used
Flags: ... I - inbound data, k - Skinny media, O - outbound data, P - inside back connection, q - SQL*Net data, R - outside acknowledged FIN, R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN, s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
TCP outside:192.168.10.11/2824 inside:10.0.1.15/8080 flags UIO
TCP outside:192.168.10.11/2823 inside:10.0.1.15/8080 flags UIO

When you use the show conn detail command option, the system displays information about the translation type, interface information, the IP address and port number, and connection flags. In the figure, the two connections display a flag value of UIO; this means that the connections are up with inbound and outbound data.

show local-host Command
(Figure: web server 10.0.1.15 TCP/8080)

The show local-host command enables you to display the network states of local hosts. A local host is created for any host that forwards traffic to or through the security appliance. This command lets you show the translation and connection slots for the local hosts. In the figure, the host 192.168.10.11 establishes two web connections with server 10.0.1.15. The output of show local-host is displayed.

This command also displays the connection limit values. In the figure, the current TCP flow count for local host 10.0.1.15 is 2 with a limit of 300. If a connection limit is not set, the value displays as "unlimited."

In the event of a SYN attack (with SYN cookies configured), the show local-host command output includes the TCP embryonic count to host and the TCP Intercept watermark. In the figure, the embryonic threshold is set for local host 10.0.1.15 at 25, and the current number of embryonic connections is 0.

You can use the command clear local-host [ip_address] to clear the network state of all local hosts or of a specific IP address.
It stops all connections and translations that are associated with the local hosts or with the specific IP address specified in the command.

The syntax for the local-host command is as follows:

clear local-host [ip_address]
show local-host [ip_address]

ip_address: (Optional) Local host IP address.

show xlate Command
(Figure: mapped address 192.168.1.33; 192.168.10.11 to web server 10.0.1.15)

asa1# show xlate
1 in use, 2 most used
Global 192.168.1.33 Local 10.0.1.15

asa1# show xlate detail
1 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.0.1.15 to outside:192.168.1.33 flags i

The xlate command enables you to show or clear the contents of the translation slots. Always use clear xlate or reload after adding, changing, or removing access-list, global, nat, route, or static commands in your configuration. In the figure, global IP address 192.168.1.33 is translated to an IP address of 10.0.1.15 by the Cisco ASA security appliance.

The syntax for the xlate command is as follows:

clear xlate [mapped_ip [local_ip]]
show xlate [mapped_ip [local_ip]]

Syntax Description

mapped_ip: The registered IP address to be used from the mapped pool.
local_ip: The local IP address from the inside network.

The show running-config timeout command displays the idle time limit for connection and translation slots. If the slot has not been used for the idle time specified, the resource is returned to the free pool. TCP connection slots are freed approximately 60 seconds after a normal connection close sequence. The following is sample output from the show running-config timeout command:

show running-config timeout
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00

When you use the show xlate detail option, the system displays information about the translation, interface information, the IP address, and the type of translation.
In the figure, the translation displays a flag value of "i." This means that the translation is a dynamic translation.

Packet Tracer
(Figure: trace from 192.168.10.11 to web server 10.0.1.15 through NAT)

* Identifies configuration issues with the Cisco ASA security appliance
* Enables packet tracing capabilities for packet sniffing and network fault isolation
* CLI or Cisco ASDM

The Packet Tracer tool provides packet-tracing capabilities for packet sniffing and network fault isolation. It provides detailed information about the packets traversing your network and how they are processed by the security appliance. This greatly simplifies troubleshooting regardless of the complexity of your network design. The Packet Tracer tool provides information about the cause of dropped packets in an easily readable manner. For example, if a packet was dropped because of an invalid header, the following message is displayed:

packet dropped due to bad IP header (reason)

Packet Tracer provides more information than syslogs with far less overhead than debugs. It is especially useful if you have many ACL and NAT rules configured and need to find out exactly which rule packets are matching. Packet Tracer enables you to do the following:

= Debug all packet drops in a production network and associate them with the relevant configuration.
= Verify that your configuration is working as intended.
= View all rules applicable to a packet along with the CLI lines that caused the rule addition.
= View a timeline of packet changes in a data path.
= Inject tracer packets into a data path.
= Capture packets.
= Trace the lifespan of a packet through the security appliance to see if it is behaving as expected.

To run the Packet Tracer tool, follow these steps:

Step 1 Choose the Tools drop-down menu.

Step 2 Choose Packet Tracer from the drop-down menu. The Cisco ASDM Packet Tracer window appears.
In this figure, the administrator has configured the Packet Tracer for a run. Follow these steps:

Step 3 Click the Interface drop-down arrow to choose the interface from the list. In this example, the "outside" interface was chosen.

Step 4 Click the radio button that is the packet type for the trace. In this example, the packet type was TCP.

Step 5 Enter the source IP address of the packet for the trace. In this example, the IP address of an inside host, 192.168.10.11, was chosen.

Step 6 Enter the source port for the packet. This can be any number from 1 to 65535, but it is recommended that you choose a port higher than 1024 unless a specific source port is needed for the trace. In this example, the source port of 10000 was chosen.

Step 7 Enter the destination IP address for the packet trace. In this example, an external web server, 10.0.1.15, was chosen.

Step 8 Enter the destination port for the packet trace. The port can be chosen from the drop-down menu, or you can type the numerical port number or port acronym. In this example, port 8080 was chosen.

Step 9 Click Start to trace the packet. The Packet Tracer tool displays detailed messages about the packet trace and a graphical representation of the trace. Once you start the packet trace, the screen will refresh and provide animation with the results if you have chosen it; if you have not chosen animation, the results will be displayed at once.

In the figure, the administrator has run a packet trace with an external IP address, 192.168.10.11, connecting to the web server on host 10.0.1.15 on port 8080. Animation was chosen, and the animation and results show that the packet was allowed to traverse the Cisco ASA security appliance successfully.

Scenario: NAT
(Figure: SIP servers 192.168.200.240 and 192.168.200.241; Pool 192.168.1.225-254; web server 192.168.110.10; Pool 192.168.1.50-223)

* Acme Transport has reallocated IP address space.
* Internal Telecom Support reconfigured servers and phones, and connectivity is up.
* SIP server IP addresses changed to 192.168.200.240 and 192.168.200.241.
* Some users are complaining that Internet connectivity is down, but other users are saying they are not having any problems.

In this troubleshooting scenario, network connectivity to external hosts and servers has been affected by a recent IP address migration. The Network IT Department for Acme Transport has migrated the external IP address scheme of the company to enable more effective IP address management and to be able to handle future growth. The migration changed the IP addresses of external devices; internal devices were not affected. All of the internal IP phones have been reconfigured with the new addresses of the VoIP servers and gateways (from 192.168.100.240 and .241 to 192.168.200.240 and .241). The IP address migration happened during a weekend, when network user traffic would be minimally interrupted. On the next business day, as users arrived at a branch office, internal IT support started receiving calls from these users about Internet connectivity. Some users could reach the Internet and some could not. All routing and switching configurations were verified, and no problems were found. The internal IT support contacted the Cisco ASA security appliance administrators to ask them to help with verification and troubleshooting of the problem.
Scenario: Syslog
[Figure: syslog output from the security appliance; translation creation failure messages (error code 305006) appear among the normal connection and local-host build messages]
* Error code 305006
  - A protocol (UDP, TCP, or ICMP) failed to create a translation through the security appliance.
  - Usual cause is that NAT has exhausted the global address pool.

The figure shows syslog output from the security appliance. The administrators noticed an error that started to appear in the log file at about the same time that IT support called for help in troubleshooting. The error code was researched on the www.cisco.com website. The description of the error code was that a protocol (UDP, TCP, or Internet Control Message Protocol [ICMP]) failed to create a translation through the security appliance. This is usually caused when NAT has exhausted the available addresses in the global address pool associated with it.

The exhausted global address pool explains why some users cannot make connections to external hosts. Only users that made external connections before it became exhausted would be able to connect to external hosts through the security appliance, which explains why there are some users not affected by the problem. This did not explain the overall problem or provide resolution to it, so the administrators continued with more troubleshooting.

Scenario: show conn detail
[Figure: show conn detail output from the security appliance]
* show conn detail command shows 174 NAT translations being used.
* Connections from IP phones to SIP servers are working.

In this figure, the administrators reviewed the show conn detail output in their troubleshooting. The output also shows that the IP phones have connections to the SIP servers, so voice communications are working. The output shows 174 NAT connections in use. The administrators noticed that the number of addresses available for use should be 204, including the address pools for user traffic and IP phones, so the security appliance is not using all of the available global addresses.

Scenario: show xlate detail
[Figure: show xlate detail output with the IP phone addresses highlighted]
* show xlate detail command shows that IP phones are using the global address pool that is for computers.

The figures show the output of the show xlate detail command from the security appliance. The administrators reviewing the output notice that the IP phones are using addresses from the global address pool that is for user traffic. This explains why the IP addresses from the global address pool for user traffic were exhausted, but it does not explain why the IP phones are using this global address pool and not the global address pool associated with the policy NAT rule for IP phones.

Scenario: Packet Tracer
[Figure: packet trace from an IP phone to the SIP servers]
The figure shows the output of a packet trace for the SIP connections from an IP phone IP address to the SIP servers. The administrators reviewing the results noticed that the NAT hit count for the policy NAT rule for IP phones was not incremented and that the NAT rule for user traffic was incremented. These results reveal a configuration problem with the policy NAT rule for IP phones.

Scenario: Dynamic Policy NAT Configuration
[Figure: dynamic policy NAT rule for the IP phones]
* SIP server addresses are not correct after the migration.
* IP phones were configured correctly.

The figure shows the dynamic policy NAT rule for the IP phones.
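The two observations above (phone xlates in the user pool, and a packet trace that increments the user-traffic NAT rule instead of the phone policy NAT rule) follow from the order in which the appliance evaluates NAT rules. The following Python model is an added example, not course material or Cisco code: policy NAT rules (a nat statement with an ACL) are checked before regular nat rules, so a policy rule whose ACL still names the pre-migration SIP addresses never matches, the phones fall through to the regular rule, and they consume its global pool until translation creation fails. Pool ranges and server addresses are the ones from the scenario; the inside subnets for phones and PCs and the 305006-style message text are constructed.

```python
"""Model of NAT rule ordering and global pool exhaustion on the security appliance.

Added example (not course material): policy NAT rules carry an ACL and are
evaluated before regular nat rules. A policy rule whose ACL still names the
pre-migration SIP servers never matches, so the phones fall through to the
regular rule and consume that rule's global pool until translation creation
fails. Pool ranges and server addresses come from the scenario; the inside
subnets for phones and PCs are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IPv4 = ipaddress.IPv4Address


def pool(first: str, last: str) -> List[IPv4]:
    """Expand a global range such as 192.168.1.50-223 into addresses."""
    return [IPv4(i) for i in range(int(IPv4(first)), int(IPv4(last)) + 1)]


@dataclass
class NatRule:
    name: str
    local_net: ipaddress.IPv4Network
    free: List[IPv4]                        # unused addresses of the global pool
    dst_hosts: Optional[Set[IPv4]] = None   # ACL destinations (policy NAT); None = regular NAT
    hits: int = 0
    xlates: Dict[IPv4, IPv4] = field(default_factory=dict)

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.local_net and (self.dst_hosts is None or dst in self.dst_hosts)


class Appliance:
    def __init__(self, rules: List[NatRule]):
        # Policy NAT (ACL-based) rules are matched first, regular nat rules last.
        self.rules = sorted(rules, key=lambda r: r.dst_hosts is None)
        self.syslog: List[str] = []

    def translate(self, proto: str, src: IPv4, dst: IPv4) -> Optional[IPv4]:
        for rule in self.rules:
            if not rule.matches(src, dst):
                continue
            rule.hits += 1
            if src in rule.xlates:              # dynamic NAT: one global address per local host
                return rule.xlates[src]
            if not rule.free:
                # Constructed message in the style of syslog 305006.
                self.syslog.append(f"%ASA-3-305006: regular translation creation failed "
                                   f"for {proto} src inside:{src} dst outside:{dst}")
                return None
            rule.xlates[src] = rule.free.pop(0)
            return rule.xlates[src]
        return None                             # no nat rule matched (not modelled further)


OLD_SIP = {IPv4("192.168.100.240"), IPv4("192.168.100.241")}   # before the migration
NEW_SIP = {IPv4("192.168.200.240"), IPv4("192.168.200.241")}   # after the migration
WEB_SERVER = IPv4("192.168.110.10")
PHONE_NET = ipaddress.ip_network("10.1.20.0/24")                # constructed
USER_NET = ipaddress.ip_network("10.1.10.0/24")                 # constructed


def run_scenario(sip_in_policy_rule: Set[IPv4], phones: int = 30, users: int = 160) -> dict:
    """Phones register with the new SIP servers, then PCs open web connections."""
    phone_rule = NatRule("PHONES_POLICY_NAT", PHONE_NET,
                         pool("192.168.1.225", "192.168.1.254"), dst_hosts=sip_in_policy_rule)
    user_rule = NatRule("USERS_DYNAMIC_NAT", ipaddress.ip_network("10.1.0.0/16"),
                        pool("192.168.1.50", "192.168.1.223"))
    asa = Appliance([user_rule, phone_rule])
    for i in range(phones):
        asa.translate("udp", PHONE_NET[10 + i], IPv4("192.168.200.240"))
    for i in range(users):
        asa.translate("tcp", USER_NET[10 + i], WEB_SERVER)
    return {"phone_rule_hits": phone_rule.hits, "user_rule_hits": user_rule.hits,
            "phone_pool_in_use": len(phone_rule.xlates), "user_pool_in_use": len(user_rule.xlates),
            "translation_failures": len(asa.syslog)}


if __name__ == "__main__":
    print("stale policy NAT :", run_scenario(OLD_SIP))
    print("corrected rule   :", run_scenario(NEW_SIP))
```

With the stale destinations the phone rule records no hits, the 174-address user pool is fully consumed (the 30 phones plus 144 PCs), and the remaining PCs produce the translation failures seen in the syslog; with the corrected destinations the phones take addresses from their own 30-address pool and no failures occur.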
The administrators noticed that the destination addresses for the SIP servers are not correct because they were not changed during the external IP address migration. This is the cause of the Internet connectivity problems with users.

Scenario: Dynamic Policy NAT Configuration (Cont.)
[Figure: dynamic policy NAT rule for the IP phones after the change]
* SIP servers updated within policy NAT.

This figure shows the dynamic policy NAT rule for IP phones having been updated with the correct SIP server addresses, 192.168.200.240 and 192.168.200.241. The rule is applied to the security appliance, and the translations are cleared.

Scenario: Packet Tracer After Configuration Change
[Figure: packet trace from an IP phone to the SIP servers after the change]
This figure shows the output of a packet trace for a connection from an IP phone IP address to the IP address of the SIP servers. The packet trace was run with the configuration changes to the policy NAT rule for the IP phones. The results show that the hit count for the correct NAT rule was incremented and that the IP phones will use the global address pool that was assigned to the policy NAT rule.

Summary
This topic summarizes the key points that were discussed in this lesson.
* The Cisco ASA security appliance manages traffic through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions).
* Mapping between local and global address pools is done dynamically with the nat command. The nat and global commands work together to hide internal IP addresses.
* NAT exemption designates IP addresses that are exempt from NAT via an ACL.
* Policy NAT allows NAT translation based on the destination address and service via an extended ACL.

Module Summary
This topic summarizes the key points that were discussed in this module.
* The Cisco ASA security appliance has many advanced hardware and software features based on the model types and the licensing.
* NAT can be applied to many different types of traffic and applied in many different ways to effectively manage IP addresses and connections through the security appliance.

Module 2
Advanced Protocol Handling

Overview
As the number of available Internet-ready applications grows, so too does the complexity of the network security posture of the company. These new applications introduce new security risks and new vulnerabilities into the network that could lead to potential attacks or compromises. The Cisco ASA adaptive security appliance Modular Policy Framework allows administrators to examine applications and their protocols. The administrators can apply rules to applications based on what is allowed or acceptable and what is not allowed, according to the network security policy of the company.

Module Objectives
Upon completing this module, you will be able to describe the Cisco Modular Policy Framework for the security appliance and how it is configured as it applies to Layer 7 application inspection. This ability includes being able to meet these objectives:
* Describe the Layer 7 Modular Policy Framework for the security appliance and how it is configured
* Describe the Layer 7 advanced protocol handling capabilities of the Modular Policy Framework and how it is configured

Lesson 1
Applying the Cisco Modular Policy Framework

Overview
This lesson explains how to configure a Layer 7 modular policy, including how to define inspection class maps and inspection policy maps.

Objectives
Upon completing this lesson, you will be able to describe and configure a Layer 7 modular policy.
This ability includes being able to meet these objectives:
* Describe the Modular Policy Framework capabilities of the Cisco ASA security appliance
* Configure a modular policy on the security appliance using Cisco ASDM
* Create a Layer 7 class map
* Create a regular expression class map
* Create a Layer 7 policy map
* Describe the commands used to verify a Cisco Modular Policy Framework configuration

Cisco Modular Policy Framework Overview
This topic describes the Modular Policy Framework capabilities of the Cisco ASA adaptive security appliance.

Flow-Specific Policies
[Figure: traffic from telecommuting system engineers, the Internet, and headquarters reaches the outside interface. Class maps and actions form the policy map OUTSIDE_POLICY, which a service policy applies to the outside interface: Internet traffic is passed to the AIP-SSM for IPS inspection, system engineer traffic is rate-limited, voice traffic is prioritized, and the default inspection traffic is inspected by the global policy.]

The Cisco Modular Policy Framework enables you to create granular, flexible network policies. With this framework, you can identify specific flows of traffic and have the security appliance take a different action on each traffic flow. Class maps are used to identify traffic flows, and policy maps are used to associate each traffic flow with a policy action. Service policies simply apply policy maps to security appliance interfaces.

The figure illustrates use of the Cisco Modular Policy Framework to perform Intrusion Prevention System (IPS) inspection on the Internet traffic flow, rate-limit traffic from telecommuting system engineers, and prioritize voice traffic from headquarters to the branch office. The policy map named OUTSIDE_POLICY enables the Cisco ASA security appliance to perform these actions on its outside interface, where it is applied. Modular policies can be applied globally or to a specific interface.
Supported Features
The Cisco Modular Policy Framework supports the following features, which constitute the actions that can be applied to a traffic flow:
* TCP normalization: Drops abnormal TCP packets
* TCP and UDP connection limits and timeouts: Sets and enforces maximum TCP and UDP connections, maximum embryonic connections, maximum per-client connections, and connection timeouts
* TCP sequence number randomization: Prevents attackers from predicting TCP sequence numbers
* Cisco CSC: Provides protection against unwanted traffic such as viruses, spyware, and spam
* Application inspection: Inspects packets for signs of malicious application misuse
* Cisco IPS: Stops malicious traffic, including worms and network viruses
* QoS input policing: Applies rate limits to inbound traffic
* QoS output policing: Applies rate limits to outbound traffic
* QoS priority queuing: Gives priority to network traffic that cannot tolerate long latency times

The Cisco Modular Policy Framework supports the following features, which constitute the policy actions that can be applied to a traffic flow:
* TCP normalization: Helps prevent network attacks by identifying and dropping abnormal TCP packets. Packets that contain unusual TCP flags or options are considered abnormal.
* TCP and UDP connection limits and timeouts: Help prevent Denial of Service (DoS) attacks. You can specify maximum TCP and User Datagram Protocol (UDP) connections, maximum embryonic connections, maximum per-client connections, and connection timeouts.
* TCP sequence number randomization: Helps prevent attackers from predicting TCP sequence numbers and thereby hijacking TCP sessions.
* Cisco Content Security and Control (CSC): Provides protection against viruses, spyware, spam, and other unwanted traffic by scanning the FTP, HTTP, Post Office Protocol version 3 (POP3), and Simple Mail Transfer Protocol (SMTP) packets.
* Application inspection: Protects your network from the latest threats by inspecting packets for signs of malicious application misuse.
* Cisco IPS: Provides full-featured intrusion prevention services to stop malicious traffic, including worms and network viruses.
* Quality of service (QoS) input policing: Prevents any one user or site-to-site connection from consuming more than its fair share of bandwidth. QoS input policing applies rate limits to inbound traffic.
* QoS output policing: Prevents any one user or site-to-site connection from consuming more than its fair share of bandwidth. QoS output policing applies rate limits to outbound traffic.
* QoS priority queuing: Enables you to give priority to network traffic that cannot tolerate long latency times, such as voice and streaming video.

Note: QoS refers to the capability of a network to provide better service to selected network traffic over various technologies for the best overall service with the limited bandwidth of the underlying technologies.

Global and Interface-Specific Policies
[Figure: global_policy (inspect the default inspection traffic) is applied to all interfaces; OUTSIDE_POLICY (apply IPS to INTERNET traffic, rate-limit SE traffic, prioritize VOICE traffic) is applied to the outside interface]

The default global policy matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces. Not all inspections are enabled by default. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. An interface policy overrides the global policy.
The following output from the show running-config policy-map global_policy command displays the default global policy:

    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp

Note: Only one service policy can be applied per interface. The service policy includes all policy, class maps, and class map inspection maps.

Policy Directionality and Order of Application
[Figure: global_policy (inspect the default inspection traffic) is applied on the ingress of each interface; OUTSIDE_POLICY (apply IPS to INTERNET traffic, rate-limit SE traffic, prioritize VOICE traffic) is applied to the outside interface in both directions]

Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions. When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy is applied in both directions; therefore, bidirectionality in this case is redundant.

In the figure, the policy map OUTSIDE_POLICY contains three policies and is applied to the outside interface of the Cisco ASA security appliance. The policy for the Internet traffic flow is applied bidirectionally. All traffic that is identified as “Internet” traffic in the INTERNET class map is sent to the Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module (AIP-SSM) for inspection whether entering or exiting the outside interface.
The default global policy is applied to traffic entering each interface; however, the interface-specific policy, OUTSIDE_POLICY, overrides the default global policy on the outside interface.

The following table shows the directionality of each feature, or action, that can be applied to a traffic flow.

    Feature                                                   Single Interface Direction   Global Direction
    TCP normalization, TCP and UDP connection limits and      Bidirectional                Ingress
      timeouts, and TCP sequence number randomization
    Cisco CSC                                                 Bidirectional                Ingress
    Application inspection                                    Bidirectional                Ingress
    Cisco IPS                                                 Bidirectional                Ingress
    QoS input policing                                        Ingress                      Ingress
    QoS output policing                                       Egress                       Egress
    QoS priority queue                                        Egress                       Egress

Configuring the Cisco Modular Policy Framework
This topic explains how to use the Cisco Adaptive Security Device Manager (ASDM) to configure a modular policy on the Cisco ASA security appliance.

Modular Policy Framework Components
A modular policy consists of the following components:
* Class maps, which identify traffic flows
  - Layer 3/4 class map
  - Layer 7 class map
* Policy maps, which associate actions with traffic flows
  - Layer 3/4 policy map
  - Layer 7 policy map
* Service policies, which activate policy maps
[Figure: the Internet traffic flow (HTTP traffic from any host to network 192.168.1.0/24) is classified, given an action, and activated on the outside interface]

The Cisco Modular Policy Framework consists of three main components:
* The class map, which identifies traffic flows
* The policy map, which associates actions with traffic flows
* The service policy, which activates policy maps

As shown in the figure, there are two different class map types: the Layer 3/4 class map and the Layer 7 class map. There are also two different policy map types: the Layer 3/4 policy map and the Layer 7 policy map.
Class Maps
* Layer 3/4 class map: Used to identify Layer 3/4 traffic to which you want to apply actions

    class-map INTERNET
     match access-list ACLOUT
    access-list ACLOUT permit tcp 0.0.0.0 0.0.0.0 192.168.1.0 255.255.255.0 eq 80

  - Identifies traffic by the Layer 3 and 4 information in the ACL
* (Optional) Layer 7 class map: Used to
  - Identify Layer 7 traffic to which you want to apply actions (using match criteria that is specific to an application)
  - Classify traffic for inspection policies only
  - Group multiple matches

    class-map type inspect http match-all BLOCK_NEW_P2P
     match request header user-agent regex NEW_CLIENT
     match request method post

  - Identifies traffic by text in a specific HTTP field and by the HTTP request method

A class map is used to identify a traffic flow. A traffic flow is a set of traffic that is identifiable by its packet content. For example, voice traffic from the company headquarters to a branch office can be defined as one traffic flow. Class maps are assigned to policy maps. The Cisco Modular Policy Framework enables you to create the following types of class maps:
* Layer 3/4 class maps: Used to identify Layer 3/4 traffic. The following is an example of a Layer 3/4 class map, in which traffic is identified by the Layer 3 and 4 information in access list ACLOUT.

    class-map INTERNET
     match access-list ACLOUT
    access-list ACLOUT permit tcp 0.0.0.0 0.0.0.0 192.168.1.0 255.255.255.0 eq 80

* Layer 7 class maps: Used to identify Layer 7 traffic to which you want to apply actions (using match criteria that is specific to an application). These class maps, which are also known as inspection class maps, classify traffic for inspection policies only. In Layer 7 class maps, you can group multiple match criteria and specify whether traffic must match all the criteria in the group or any of the criteria in the group to match the class map.
The following is an example of a Layer 7 class map, in which traffic is identified by text in a specific HTTP field and by the HTTP request method.

    class-map type inspect http match-all BLOCK_NEW_P2P
     match request header user-agent regex NEW_CLIENT
     match request method post

Note: Use of the match-all keyword in this example class map means that only traffic that meets both of the match conditions will match this class map.

Policy Maps
* Layer 3/4 policy map: Used to apply actions to Layer 3/4 traffic

    policy-map HTTP_INSPECTION
     class INTERNET
      inspect http

  - Associates HTTP inspection with the INTERNET class of traffic
* (Optional) Layer 7 policy map: Used to define special actions (such as drop, reset, and log) for inspection application traffic

    policy-map type inspect http HTTP_DEEP_PACKET_INSPECTION
     class BLOCK_NEW_P2P
      drop-connection log

  - Associates the drop connection and log actions with the BLOCK_NEW_P2P class of traffic

A policy map is used to associate one or more policy actions with a class of traffic. For example, all voice traffic from the company headquarters to a branch office can be associated with low latency queuing, which is also known as priority queuing. To associate an action with a specific class of traffic, create a policy map and assign a class map to the policy map. Policy maps are applied to and activated by service policies. The Cisco Modular Policy Framework enables you to create the following types of policy maps:
* Layer 3/4 policy maps: Used to apply actions to Layer 3 and 4 traffic. The following is an example of a Layer 3/4 policy map. This policy map associates an inspection policy action (inspect HTTP) with the INTERNET class of traffic defined in the previous example. When this policy is activated by a service policy, HTTP inspection will be performed on the traffic identified by the INTERNET class map.
    policy-map HTTP_INSPECTION
     class INTERNET
      inspect http

* Layer 7 policy maps: Used to define special actions for inspection application traffic. The following is an example of a Layer 7 policy map. This policy map associates the special actions “drop connection” and “log” with the BLOCK_NEW_P2P class of traffic defined in the previous example. When this policy is activated, traffic that matches the BLOCK_NEW_P2P class of traffic will be dropped, and a log will be generated.

    policy-map type inspect http HTTP_DEEP_PACKET_INSPECTION
     class BLOCK_NEW_P2P
      drop-connection log

Service Policies
* Service policy: Used to activate the Layer 3/4 policy map on an interface or globally
[Figure: service policy applied to the outside interface]
  - Activates policy map HTTP_INSPECTION

Service policies are used to activate policies. A service policy is not actually a policy at all; instead, it activates a policy map on a targeted interface or globally on all interfaces. An interface can be a VLAN interface or a physical interface. For example, the voice priority queuing policy can be applied to the outside interface.

Earlier, a Layer 3/4 class map was used to identify Layer 3/4 traffic. The traffic is identified by the Layer 3 and 4 information in access list ACLOUT.

    class-map INTERNET
     match access-list ACLOUT
    access-list ACLOUT permit tcp 0.0.0.0 0.0.0.0 192.168.1.0 255.255.255.0 eq 80

Earlier, a Layer 3/4 policy map was used to apply actions to Layer 3/4 traffic. This policy map associates an inspection policy action (inspect HTTP) with the class of traffic defined by the class map INTERNET.

    policy-map HTTP_INSPECTION
     class INTERNET
      inspect http

The service policy in the figure activates a Layer 3/4 policy map named HTTP_INSPECTION on the outside interface of the Cisco ASA security appliance. When this policy is activated by the service policy, HTTP inspection will be performed on the traffic identified by the INTERNET class map.
Tasks for Creating a Layer 3/4 Policy
1. Create a Layer 3/4 class map to identify traffic by matching:
   - An ACL
   - TCP or UDP ports
   - Any packet
   - IP precedence
   - The default inspection traffic
   - RTP ports
   - A DSCP value
   - A tunnel group
   - A destination IP address
2. Create a Layer 3/4 policy map to associate one of the following policy actions with traffic defined in a Layer 3/4 class map:
   - TCP normalization
   - Cisco IPS
   - TCP and UDP connection limits and timeouts
   - QoS policing
   - TCP sequence number randomization
   - QoS priority queuing
   - Application inspection
   - Cisco CSC
3. Use a service policy to activate the Layer 3/4 policy.

To use the Cisco Modular Policy Framework to configure a Layer 3/4 policy, complete the following tasks:
* Create a Layer 3/4 class map to identify traffic at Layer 3 or 4. To identify a set of Layer 3/4 through traffic, you can choose from the following matchable criteria:
  - access-list: An entry in an access control list (ACL).
  - any: Any packet.
  - default inspection traffic: The default TCP and UDP ports used by all applications that the Cisco ASA security appliance can inspect. You can specify an ACL-based class along with the default inspection traffic class to narrow the matched traffic. Because the default inspection traffic class specifies the ports to match, any ports in the ACL are ignored.
  - dscp: The Internet Engineering Task Force (IETF)-defined differentiated services code point (DSCP) value in the IP header. This criterion allows you to define classes based on the DSCP values that are defined within the type of service (ToS) byte in the IP header.
  - flow: All traffic going to a unique IP destination address. This criterion enables flow-based policy actions on a tunnel group. The policy action is applied to each flow instead of the entire class of traffic.
  - port: Traffic using the TCP or UDP destination port or a contiguous range of ports.
  - precedence: The precedence value represented by the ToS byte in the IP header. This criterion allows the user to define classes based on the precedence defined within the ToS byte in the IP header.
  - rtp: Real-Time Transport Protocol (RTP) destination port. This criterion allows you to match a UDP port number within the specified range. The allowed range is targeted at capturing applications that are likely to be using RTP. The packet matches the defined class only if the UDP port falls within the specified range, inclusive, and the port number is an even number.
  - tunnel-group: Virtual private network (VPN) tunnel traffic. If you use this criterion, you also can configure the class to match a specific destination IP address within the tunnel group.
* Create a Layer 3/4 policy map to associate actions with traffic flows. Reference one or more previously defined class maps in the policy map, and associate each class map with one of the following actions:
  - TCP normalization
  - TCP and UDP connection limits and timeouts
  - TCP sequence number randomization
  - Application inspection
  - Forwarding the traffic flow to the Cisco Content Security and Control Security Services Module (CSC-SSM) for content security and control services
  - Forwarding the traffic flow to the Cisco ASA AIP-SSM for intrusion prevention services
  - Policing the bandwidth used by the specified flow
  - Directing the flow to the low-latency queue
* Use a service policy to activate the Layer 3/4 policy map on a specific interface or globally.
Layer 3/4 Policy Example
[Figure: headquarters network behind the security appliance; apply a connection limit of 1000 to all TCP port 23 traffic entering or exiting the outside interface]

    asa1(config)# class-map TELNET-TRAFFIC
    asa1(config-cmap)# match port tcp eq 23
    asa1(config)# policy-map CONNS
    asa1(config-pmap)# class TELNET-TRAFFIC
    asa1(config-pmap-c)# set connection conn-max 1000
    asa1(config)# service-policy CONNS interface outside

* Limits Telnet connections through the outside interface to 1000

In the example in the figure, the TELNET-TRAFFIC class map identifies TCP traffic on port 23. The CONNS policy map associates a connection limit of 1000 with the TELNET-TRAFFIC class of traffic, and the service policy activates the policy map on the outside interface of the security appliance. With this Layer 3/4 policy, any Telnet connection that enters or exits the security appliance through the outside interface is subject to the connection limit.

Layer 3/4 Policy Example (Cont.)
[Figure: headquarters network behind the security appliance; apply HTTP inspection to all TCP port 80 traffic entering or exiting the outside interface]

    asa1(config)# class-map HTTP-TRAFFIC
    asa1(config-cmap)# match port tcp eq 80
    asa1(config)# policy-map HTTP-POLICY
    asa1(config-pmap)# class HTTP-TRAFFIC
    asa1(config-pmap-c)# inspect http
    asa1(config)# service-policy HTTP-POLICY interface outside

* Configures the security appliance to inspect all HTTP traffic entering or exiting its outside interface

NOTE: You can perform additional actions on the inspected traffic by adding an inspection policy map (Layer 7 policy map) to this configuration.

In the example in the figure, the HTTP-TRAFFIC class map identifies TCP traffic on port 80. The HTTP-POLICY policy map associates HTTP inspection with the HTTP-TRAFFIC class of traffic, and the service policy activates the policy map on the outside interface of the security appliance. With this Layer 3/4 policy, all HTTP traffic that enters or exits the security appliance through the outside interface is inspected.
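The chain described in this lesson (Layer 3/4 class map, policy map, service policy) and the directionality table can be exercised with the following Python model. It is an added example, not course material or Cisco code. It reproduces the CONNS policy (Telnet conn-max 1000 on the outside interface) and the HTTP_INSPECTION policy with the INTERNET/ACLOUT class, the latter applied globally so that the two kinds of application can be compared; the model goes slightly beyond the "interface policy overrides the global policy" wording above by resolving precedence per feature, so a feature configured only in the global policy still applies on an interface that has its own policy. Host addresses and the inside interface in the sample traffic are constructed.

```python
"""Model of a Cisco ASA Layer 3/4 modular policy: class map, policy map, service policy.

Added example, not course material or Cisco code. Class maps classify a packet,
a policy map binds actions to classes, and a service policy activates the
policy map on one interface or globally. Directionality follows the table in
this lesson: connection limits and inspection are bidirectional on an
interface policy but ingress-only in the global policy. Sample addresses are
constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    interface: str    # interface the packet crosses
    direction: str    # "ingress" (entering) or "egress" (leaving) that interface


@dataclass
class ClassMap:
    name: str
    match: Callable[[Packet], bool]


def match_port(name: str, proto: str, port: int) -> ClassMap:
    """class-map NAME / match port PROTO eq PORT"""
    return ClassMap(name, lambda p: p.proto == proto and p.dport == port)


def match_access_list(name: str, entries: List[Tuple[str, str, str, int]]) -> ClassMap:
    """class-map NAME / match access-list; entries are permit (proto, src, dst, port)."""
    acl = [(pr, ipaddress.ip_network(s), ipaddress.ip_network(d), port) for pr, s, d, port in entries]
    return ClassMap(name, lambda p: any(
        p.proto == pr and ipaddress.ip_address(p.src) in s
        and ipaddress.ip_address(p.dst) in d and p.dport == port for pr, s, d, port in acl))


@dataclass(frozen=True)
class Action:
    feature: str      # "conn-max" or "inspect"
    arg: object       # connection limit, or protocol to inspect


@dataclass
class PolicyMap:
    name: str
    entries: List[Tuple[ClassMap, List[Action]]]


class Appliance:
    def __init__(self, interface_policies: Dict[str, PolicyMap], global_policy: Optional[PolicyMap]):
        self.interface_policies = interface_policies
        self.global_policy = global_policy
        self.conns: Dict[str, int] = {}   # open connections counted per class map

    def _actions(self, pkt: Packet) -> Dict[str, Tuple[str, Action]]:
        """Per feature, the first matching class wins and the interface policy
        takes precedence over the global policy."""
        chosen: Dict[str, Tuple[str, Action]] = {}
        for pmap, on_interface in ((self.interface_policies.get(pkt.interface), True),
                                   (self.global_policy, False)):
            # A global policy acts on the ingress of each interface only.
            if pmap is None or (not on_interface and pkt.direction != "ingress"):
                continue
            for cmap, actions in pmap.entries:
                if cmap.match(pkt):
                    for act in actions:
                        chosen.setdefault(act.feature, (cmap.name, act))
        return chosen

    def new_connection(self, pkt: Packet) -> dict:
        """Apply the selected actions to a new connection."""
        result = {"allowed": True, "inspect": None}
        for feature, (cname, act) in self._actions(pkt).items():
            if feature == "conn-max":
                if self.conns.get(cname, 0) >= act.arg:
                    result["allowed"] = False     # limit reached: connection refused
                else:
                    self.conns[cname] = self.conns.get(cname, 0) + 1
            elif feature == "inspect":
                result["inspect"] = act.arg
        return result


def build_appliance() -> Appliance:
    telnet = match_port("TELNET-TRAFFIC", "tcp", 23)
    conns = PolicyMap("CONNS", [(telnet, [Action("conn-max", 1000)])])
    internet = match_access_list("INTERNET", [("tcp", "0.0.0.0/0", "192.168.1.0/24", 80)])
    http_inspection = PolicyMap("HTTP_INSPECTION", [(internet, [Action("inspect", "http")])])
    # service-policy CONNS interface outside / service-policy HTTP_INSPECTION global
    return Appliance({"outside": conns}, http_inspection)


def demo() -> dict:
    asa = build_appliance()
    # 999 Telnet sessions entering plus one leaving through outside all count
    # against TELNET-TRAFFIC, so the next one exceeds conn-max 1000.
    for _ in range(999):
        asa.new_connection(Packet("tcp", "203.0.113.5", "10.1.1.10", 23, "outside", "ingress"))
    asa.new_connection(Packet("tcp", "10.1.1.10", "203.0.113.9", 23, "outside", "egress"))
    telnet_1001 = asa.new_connection(Packet("tcp", "203.0.113.7", "10.1.1.10", 23, "outside", "ingress"))
    http_in = asa.new_connection(Packet("tcp", "10.1.1.10", "192.168.1.20", 80, "inside", "ingress"))
    http_out = asa.new_connection(Packet("tcp", "10.1.1.10", "192.168.1.20", 80, "inside", "egress"))
    http_outside = asa.new_connection(Packet("tcp", "203.0.113.5", "192.168.1.20", 80, "outside", "ingress"))
    return {"telnet_1001_allowed": telnet_1001["allowed"], "telnet_conns": asa.conns["TELNET-TRAFFIC"],
            "http_inside_ingress": http_in["inspect"], "http_inside_egress": http_out["inspect"],
            "http_outside_ingress": http_outside["inspect"]}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the 1001st Telnet connection through the outside interface being refused (the egress session counted too, because the interface policy is bidirectional), HTTP toward 192.168.1.0/24 inspected when it enters an interface that has no policy of its own, the same flow not inspected on egress because the global policy is ingress-only, and HTTP entering the outside interface still inspected because the interface policy CONNS configures no inspection feature.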
You can perform additional actions on this inspected traffic by creating an inspection policy map, also known as a Layer 7 policy map. For example, you might want to drop all HTTP requests with a body length greater than 1000 bytes.

Tasks for Creating a Layer 7 (Inspection) Policy
1. (Optional) Create a Layer 7 class map to identify the protocol attributes you want the Cisco ASA security appliance to locate.
2. Create a Layer 7 policy map to specify the actions to apply to traffic defined in the Layer 7 class map.
3. Create a Layer 3/4 class map to identify traffic to be inspected.
4. Create a Layer 3/4 policy map to associate policy actions with traffic defined in the Layer 3/4 class map.
5. Apply the Layer 7 policy map to a Layer 3/4 policy map.
6. Use a service policy to activate the Layer 3/4 policy.
Creating a Service Policy Rule in Cisco ASDM includes the creation of the Layer 3/4 class map and policy map.

Layer 7 policies enable the security appliance to inspect specific attributes of a given protocol and to take an action based on that inspection. For example, you might want to configure a Layer 7 HTTP policy that allows safe HTTP access methods but denies unsafe HTTP access methods. The HTTP RFC allows a restricted set of HTTP methods. However, even some of the standard methods are considered unsafe because they can be used to exploit vulnerabilities on a web server; many of the non-standard methods are used frequently for malicious activity.

To use the Cisco Modular Policy Framework to configure a Layer 7 policy, complete the following tasks:
* (Optional) Create a Layer 7 class map to identify the protocol attributes you want the Cisco ASA security appliance to locate. For example, you might want the security appliance to look for the POST request method in an HTTP packet.
* Create a Layer 7 policy map to specify the actions to apply to traffic defined in the Layer 7 class map.
For example, you might want the security appliance to block a POST request in an HTTP packet, specified in a Layer 7 class map. A Layer 7 policy map consists of one or more of the following elements. The exact options available for an inspection policy map depend on the application.
  - Parameters: Affect the behavior of the inspection engine. The configurable parameters depend upon the application.
  - Traffic matching: If you do not want to use a Layer 7 class map, you can specify a traffic flow directly in the Layer 7 policy map to match application traffic to criteria specific to the application, such as a URL string. You can then enable actions for the traffic flow. Some traffic-matching conditions can use regular expressions to match text inside a packet. The available match conditions depend upon the application.
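The Layer 7 class map and policy map semantics described in this topic (match-all versus match-any grouping of criteria, the regex match on an HTTP header, the request-method match, the body-length example, and the drop-connection and log actions) are modelled in the following Python code. It is an added example, not course material or Cisco code. The class and policy map names are the ones from this lesson; the regular expression pattern standing in for NEW_CLIENT, the BIG_BODY class that stands in for a direct body-length match, the HTTP requests, and the host names in them are constructed.

```python
"""Model of a Layer 7 (inspection) class map and policy map for HTTP.

Added example, not course material or Cisco code. It reproduces BLOCK_NEW_P2P
from this lesson (match-all on a User-Agent regex plus the POST method, with
the actions drop-connection and log) and the body-length example, and shows
how the match-all/match-any choice changes the verdict. The regex pattern
behind NEW_CLIENT and the sample requests are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]   # header names lower-cased
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser sufficient for the inspection model."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


Matcher = Callable[[HttpRequest], bool]


def match_request_method(*methods: str) -> Matcher:
    """match request method METHOD"""
    wanted = {m.upper() for m in methods}
    return lambda r: r.method.upper() in wanted


def match_request_header_regex(header: str, pattern: str) -> Matcher:
    """match request header HEADER regex NAME (the pattern is given inline here)"""
    rx = re.compile(pattern)
    return lambda r: rx.search(r.headers.get(header.lower(), "")) is not None


def match_request_body_length_gt(limit: int) -> Matcher:
    """match request body length gt LIMIT"""
    return lambda r: len(r.body) > limit


@dataclass
class InspectClassMap:
    name: str
    matchers: List[Matcher]
    match_all: bool = False     # match-all: every criterion; match-any (default): any one

    def hit(self, req: HttpRequest) -> bool:
        results = (m(req) for m in self.matchers)
        return all(results) if self.match_all else any(results)


@dataclass
class InspectPolicyMap:
    """policy-map type inspect http: classes paired with their actions."""
    name: str
    entries: List[Tuple[InspectClassMap, List[str]]]   # actions: drop-connection, reset, log

    def inspect(self, req: HttpRequest) -> dict:
        verdict = {"action": "allow", "log": []}
        for cmap, actions in self.entries:
            if not cmap.hit(req):
                continue
            if "log" in actions:
                verdict["log"].append(cmap.name)
            for action in actions:
                if action in ("drop-connection", "reset"):
                    verdict["action"] = action
                    return verdict            # the connection is gone; stop evaluating
        return verdict


# Constructed sample requests (tracker.example and www.example.com are placeholders).
REQUESTS = {
    "p2p_post": b"POST /announce HTTP/1.1\r\nHost: tracker.example\r\n"
                b"User-Agent: NewClient/1.0\r\nContent-Length: 5\r\n\r\nhello",
    "p2p_get": b"GET /peers HTTP/1.1\r\nHost: tracker.example\r\nUser-Agent: NewClient/1.0\r\n\r\n",
    "big_post": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0\r\nContent-Length: 1200\r\n\r\n" + b"A" * 1200,
    "normal_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}


def build_policy(match_all: bool = True) -> InspectPolicyMap:
    block_new_p2p = InspectClassMap("BLOCK_NEW_P2P", [
        match_request_header_regex("User-Agent", r"NewClient/[0-9]"),   # regex NEW_CLIENT (constructed)
        match_request_method("post"),
    ], match_all=match_all)
    big_body = InspectClassMap("BIG_BODY", [match_request_body_length_gt(1000)])   # constructed class
    return InspectPolicyMap("HTTP_DEEP_PACKET_INSPECTION",
                            [(block_new_p2p, ["drop-connection", "log"]), (big_body, ["drop-connection"])])


def evaluate(match_all: bool = True) -> Dict[str, str]:
    """Action taken for each sample request under match-all or match-any."""
    policy = build_policy(match_all)
    return {name: policy.inspect(parse_request(raw))["action"] for name, raw in REQUESTS.items()}


if __name__ == "__main__":
    print("match-all:", evaluate(True))
    print("match-any:", evaluate(False))
```

With match-all, only the POST from the matching User-Agent is dropped and logged, while a GET from the same client passes; switching the class map to match-any drops that GET as well, which is the difference the Note about the match-all keyword describes. The oversized POST is dropped by the body-length class regardless.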
