CCIE Security

Advanced Technologies Class

Advanced PIX & ASA

http://www.InternetworkExpert.com
PIX & ASA Failover

• Supports two types of failover
  – Active/Standby
    • Active unit passes traffic
    • Standby unit waits
  – Active/Active
    • Both units forward traffic
    • Only supported in multiple context mode (more later)
• Stateless failover
  – All connections dropped and must be reestablished through the new active unit
• Stateful failover
  – Active unit constantly replicates its state tables to the standby unit over the state link
    • NAT / TCP / UDP / IKE & IPsec SA / ARP / etc.

Copyright © 2007 Internetwork Expert, Inc


www.InternetworkExpert.com
Active / Standby Failover

• Standby tracks the active unit with hello messages over the failover link
• When the active unit fails, roles are reversed
  – Active becomes standby
  – Standby becomes active
• Standby assumes the MAC and IP addresses of the previous active unit, so hosts and neighbors see no change
• Make sure to save the active config in notepad first: the active unit's configuration is always replicated to the standby, so if the unit with the blank config comes up as active (order of operations problem) it overwrites your real config with a blank one!
Active / Standby Primary Config

• Configure active / standby IPs on each data interface
  – ip address [active_addr] [netmask] standby [standby_addr]
• Designate primary unit
  – failover lan unit primary
• Specify failover interface
  – failover lan interface…
• Assign IP to failover link
  – failover interface ip [name] [active_addr] [netmask] standby [standby_addr]

Active / Standby Primary Config (cont.)

• Stateful failover (state link)
  – failover link…
• Define monitoring policy
  – monitor-interface
  – failover interface-policy
• Enable failover
  – failover

Active / Standby Secondary Config

• Specify failover interface
  – failover lan interface…
• Assign IP to failover link (same command and addresses as on the primary)
  – failover interface ip [name] [active_addr] [netmask] standby [standby_addr]
• Designate secondary unit
  – failover lan unit secondary
• Stateful failover
  – failover link…
• Enable failover
  – failover
• Everything else is replicated from the active unit once failover is up
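The two bootstrap configurations from the last three slides put together as one working LAN-based, stateful Active/Standby pair. This is an added editor's example, not a configuration from the deck; the interface roles, addresses, the FOLINK name and the shared key are assumptions.

```cisco
! ===== Primary unit (ASA 7.x; all addresses and names are assumed for this example) =====
hostname ASA1
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
 no shutdown
!
interface Ethernet0/3
 description dedicated failover + state link (no nameif here, failover owns it)
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
failover link FOLINK Ethernet0/3
! Without a key the config (passwords, pre-shared keys) crosses the link in clear text
failover key S3cr3tFailoverKey
failover polltime unit 1 holdtime 3
monitor-interface inside
monitor-interface outside
failover interface-policy 1
failover
!
! ===== Secondary unit: only the failover bootstrap, the rest is replicated =====
interface Ethernet0/3
 no shutdown
!
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
failover lan unit secondary
failover link FOLINK Ethernet0/3
failover key S3cr3tFailoverKey
failover
!
! ===== Checks (run on the active unit) =====
! show failover        -> "This host: Primary - Active" / "Other host: Secondary - Standby Ready"
! show failover state  -> neither unit reports "Configuration incomplete"
! write memory         -> saves the configuration on both units
```

Enable `failover` on the fully configured primary first and confirm with `show failover` that it is Active before enabling it on the secondary; that ordering is what prevents the blank-config overwrite warned about on the Active/Standby slide.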

Virtual Firewalls

• ASA supports security "contexts" which separate the device into multiple virtual firewalls
• Similar to VRF operation on a router
  – Each context behaves as a separate physical device with its own interfaces, policies and administrators
• Allows multiple managed service offerings from a single physical box
• Multiple context mode does not support dynamic routing protocols or VPN
Context Overview

• Context mode is enabled with the "mode multiple" global command
  – Reboots device
  – The old running config becomes the admin context config (admin.cfg) and is also saved as old_running.cfg; the new system config starts out nearly blank, holding only interface settings and the admin context definition
• Switching contexts
  – changeto…
• System context
  – Underlying execution space that controls physical interface parameters and defines the contexts
• Admin context
  – Default context created when single mode converts to multiple mode
  – Users logged into the admin context can access the system space and all other contexts

System Context

• System context is used to create new contexts and define interface parameters
• Configure physical interfaces (speed / duplex / VLAN subinterfaces); IP addressing is done inside each context
• Define contexts
  – context…
• Assign interfaces to context
  – allocate-interface…
• Specify config storage
  – config-url…
• "changeto" context to configure it
User Defined Contexts

• User defined contexts may only configure the interfaces allocated to them in the system context config
• Contexts that share an interface should use unique IP addresses and either
  – Unique MAC addresses (classifier sorts packets by destination MAC)
  – Unique NAT mappings (classifier sorts packets by translated destination IP)
• Management connections to user defined contexts can only access that context
Context Resources

• Resources can be limited on a per context basis
  – conns / xlates / hosts / management sessions (ssh, telnet, asdm) / etc.
• Define "class" in system context with limit-resource commands
• Make context a "member" of the class in context subconfiguration mode
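The System Context, User Defined Contexts and Context Resources slides as one complete system-space configuration, followed by the start of one context. This is an added editor's example, not from the deck; it borrows the context and subinterface names from the Context Example diagram that follows, but the VLAN numbers, addresses, class name and resource limits are assumptions. `mac-address auto` assumes ASA 7.2 or later.

```cisco
! ===== System execution space (editor's example; names and addresses assumed) =====
! mode multiple      <- run once from single mode; prompts, reboots, writes admin.cfg
!
interface Ethernet0/0
 no shutdown
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.10
 vlan 10
interface Ethernet0/1.128
 vlan 128
interface Ethernet0/1.125
 vlan 125
!
! The outside subinterface E0/1.10 is shared by two contexts: give each context
! its own MAC so the classifier can tell their packets apart (7.2+)
mac-address auto
!
! Resource class: caps a tenant so it cannot starve the other one
! (a limit of 0 means unlimited, so do not use 0 to "disable" something)
class TENANT
 limit-resource conns 5000
 limit-resource xlates 10000
 limit-resource hosts 500
 limit-resource ssh 2
!
admin-context admin
context admin
 allocate-interface Ethernet0/0
 config-url disk0:/admin.cfg
!
context Inside128
 description tenant on VLAN 128
 allocate-interface Ethernet0/1.10
 allocate-interface Ethernet0/1.128
 config-url disk0:/inside128.cfg
 member TENANT
!
context Inside125
 description tenant on VLAN 125
 allocate-interface Ethernet0/1.10
 allocate-interface Ethernet0/1.125
 config-url disk0:/inside125.cfg
 member TENANT
!
! ===== Inside context Inside128 (after: changeto context Inside128) =====
interface Ethernet0/1.10
 nameif outside
 security-level 0
 ip address 192.0.2.128 255.255.255.0
interface Ethernet0/1.128
 nameif inside
 security-level 100
 ip address 10.128.0.1 255.255.255.0
!
! ===== Checks from the system space =====
! show context          -> contexts, allocated interfaces, config-url
! show resource usage   -> per-context counters against the class limits
```

Each context is then configured like a stand-alone firewall (ACLs, NAT, MPF) from inside that context; a login to Inside125 never sees Inside128.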

Context Example

[Diagram: ASA1 running two contexts, Inside128 and Inside125. Labels recoverable from the figure: E0/1.10 Outside, E0/1.128 (context Inside128), E0/1.125 (context Inside125), R2 E0/0, SW2 E0/1, R5, and an AAA/CA server on the DMZ.]
Active / Active Failover

• In multiple context mode one unit can be active for contextA and the second unit can be active for contextB
• Enabled in system context mode by placing each context in a failover group
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
context contextA
 join-failover-group 1
context contextB
 join-failover-group 2
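The slide's snippet completed with what it leaves implicit: a preempt delay, the interface standby addressing that lives inside each context, and the operational commands. Added editor's example, not the deck's configuration; the context names follow the slide, while addresses, interface and delay values are assumptions. The failover link, state link and key are configured exactly as in Active/Standby and are not repeated here; the admin context always belongs to group 1.

```cisco
! ===== System space, identical on both units (failover lan/link/key as in Active/Standby) =====
failover group 1
 primary
 preempt 30
failover group 2
 secondary
 preempt 30
!
context contextA
 join-failover-group 1
context contextB
 join-failover-group 2
!
failover
!
! ===== Inside contextA (changeto context contextA) =====
! The unit currently active for group 1 owns the active address, the peer holds the standby one
interface Ethernet0/1.10
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! ===== Operations (system space) =====
! show failover               -> Active / Standby Ready state listed per group on each unit
! no failover active group 2  -> hand group 2 to the peer, e.g. before maintenance
! failover active group 2     -> take it back (preempt does this automatically after the delay)
```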

Modular Policy Framework (MPF)

• MQC-like configuration that replaces the "fixup" commands
  – Define class-map
  – Define policy-map
  – Apply service-policy
• No in/out direction on the service-policy like MQC, just interface (or global) application; the policy acts on both directions, policing being the exception with its input / output keyword
• MPF defaults
  – policy-map global_policy
    • Applied to all interfaces with "service-policy global_policy global"
    • Matches "default-inspection-traffic"
  • An interface service-policy takes precedence over global_policy on that interface

MPF L3/L4 Class-Maps

• Can categorize traffic based on
  – Access-list (match access-list)
  – TCP / UDP ports (match port)
  – DSCP (match dscp)
  – IP precedence (match precedence)
  – RTP ports (match rtp)
  – IP flow (match flow ip destination-address, only together with tunnel-group)
  – Tunnel-group (match tunnel-group)

Regular Expression Class-Maps

• Used for application level inspection
  – HTTP URL / FTP filenames / etc.
• Uses IOS regular expression syntax
  – Cisco Security Appliance Command Line Configuration Guide, Version 7.2
    • Configuring the Firewall
      – Using Modular Policy Framework
        » Creating a Regular Expression
• Example
  – regex UNIVERCD "univercd"
  – class-map type regex match-any DOCCD
    • match regex UNIVERCD

Application Inspection Maps

• Used to match application specific information
  – i.e. specific DNS query / HTTP URL / FTP filename
• Define traffic in inspection class-map
  – class-map type inspect…
• Define actions in inspection policy-map
  – policy-map type inspect…
    • Call class
    • Define action (i.e. reset)
• Create normal class-map
• Create normal policy-map
  – Call inspection policy from class-map subconfiguration mode of the policy-map
• Apply service-policy to interface
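The procedure above carried through end to end for HTTP, tying together the L3/L4 class-map, regex class-map and inspection map slides: requests whose URI matches one of two regexes are reset and logged, and protocol violations are dropped. This is an added editor's example in ASA 7.2 syntax, not from the deck; all names and the two regex patterns are assumptions.

```cisco
! ===== Editor's example (ASA 7.2 syntax); names and patterns are assumptions =====
! 1. Regular expressions and a regex class-map (what to look for inside the protocol)
regex EXE-DOWNLOAD "\.exe$"
regex SCRIPT-PATH "/cgi-bin/"
class-map type regex match-any BLOCKED-URIS
 match regex EXE-DOWNLOAD
 match regex SCRIPT-PATH
!
! 2. Inspection class-map: HTTP requests whose URI matches the regex class
class-map type inspect http match-all HTTP-BLOCKED
 match request uri regex class BLOCKED-URIS
!
! 3. Inspection policy-map: the action for matching requests, plus protocol sanity
policy-map type inspect http HTTP-POLICY
 parameters
  protocol-violation action drop-connection log
 class HTTP-BLOCKED
  reset log
!
! 4. Normal L3/L4 class-map selecting the flows to inspect
class-map WEB
 match port tcp eq 80
!
! 5. Normal policy-map calling the inspection policy, applied to one interface
policy-map INSIDE-POLICY
 class WEB
  inspect http HTTP-POLICY
!
service-policy INSIDE-POLICY interface inside
!
! Checks
! show service-policy interface inside    -> per-class packet counters for inspect http
! show run policy-map type inspect http   -> confirm the configured actions
```

Because INSIDE-POLICY is applied to the inside interface it takes precedence there over global_policy for HTTP; the default inspections in global_policy keep running for the other protocols and interfaces.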

TCP Maps

• Enables or disables TCP specific inspections (TCP normalizer checks)
  – Maximum segment size (exceed-mss)
  – Checksum verification
  – Urgent flag
  – TCP options
    • Option 19 (TCP MD5 signature) is cleared by default, which breaks BGP MD5 authentication through the firewall
• tcp-map TCPMAP1…
  – Attached to a class with "set connection advanced-options" in a policy-map
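A tcp-map that lets a BGP session with TCP MD5 authentication cross the firewall. Added editor's example, not from the deck; peer addresses and names are assumptions. Besides passing option 19, the MD5 signature also covers the TCP sequence numbers, so the appliance's initial sequence number randomization has to be switched off for these flows as well (the `set connection random-sequence-number` command assumes 7.2 or later).

```cisco
! ===== Editor's example: BGP with TCP MD5 (RFC 2385, option 19) through the ASA =====
! Addresses and names are assumptions
tcp-map BGP-MD5
 tcp-options range 19 19 allow
 checksum-verification
 exceed-mss allow
!
! Both peers, session may be initiated from either side
access-list BGP-PEERS extended permit tcp host 192.0.2.10 host 198.51.100.10 eq 179
access-list BGP-PEERS extended permit tcp host 198.51.100.10 host 192.0.2.10 eq 179
class-map BGP
 match access-list BGP-PEERS
!
policy-map global_policy
 class BGP
  set connection advanced-options BGP-MD5
  set connection random-sequence-number disable
!
! Checks
! show service-policy global   -> counters under class BGP
! show conn                    -> the tcp/179 connection present and in state UIO
```

Keep the class narrow: the tcp-map relaxes normalizer checks and the ISN randomization only for the two peers, not for all TCP traffic.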

MPF QoS

• MPF supports output LLQ and input / output policing
• Low Latency Queue
  – No bandwidth cap like MQC, only queue-limit on the interface priority-queue
policy-map LLQ
 class LLQ_CLASS
  priority
!
priority-queue outside

MPF QoS (cont.)

• Policing can be inbound and outbound
• Example:
  – Police the LAN-to-LAN tunnel to 1.2.3.4 to 1 Mbps outbound
tunnel-group 1.2.3.4 type ipsec-l2l
!
class-map TUNNEL1
 match flow ip destination-address
 match tunnel-group 1.2.3.4
!
policy-map OUTSIDE
 class TUNNEL1
  police output 1000000
!
service-policy OUTSIDE interface outside
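The two QoS slides combined into one interface policy, with the LLQ class actually defined (the deck's LLQ_CLASS is left undefined), the burst size made explicit and the tunnel policed in both directions. Added editor's example, not from the deck; the peer address, names, rates and queue depth are assumptions.

```cisco
! ===== Editor's example: voice LLQ plus a two-way cap on a site-to-site tunnel =====
! Addresses, names, rates and queue depth are assumptions
!
! LLQ: DSCP EF (voice) gets the priority queue on the outside interface
class-map VOICE
 match dscp ef
!
! Policing: traffic inside the tunnel to 203.0.113.5, 1 Mbps and 100 KB burst each way
tunnel-group 203.0.113.5 type ipsec-l2l
class-map TUNNEL-TO-SITE-B
 match tunnel-group 203.0.113.5
 match flow ip destination-address
!
policy-map OUTSIDE-QOS
 class VOICE
  priority
 class TUNNEL-TO-SITE-B
  police output 1000000 100000 conform-action transmit exceed-action drop
  police input 1000000 100000 conform-action transmit exceed-action drop
!
! The priority queue must exist on the interface or "priority" has no effect
priority-queue outside
 queue-limit 512
!
service-policy OUTSIDE-QOS interface outside
!
! Checks
! show service-policy interface outside    -> priority and police counters per class
! show priority-queue statistics outside   -> best-effort vs priority queue depth and drops
```

`match flow ip destination-address` makes the policer per flow (one bucket per destination inside the tunnel); drop it to police the whole tunnel as one aggregate.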

Transparent Firewall

• Layer 3 routed firewall has inside and outside interfaces on separate subnets
  – Traffic between interfaces is routed based on the IPv4 header
• Transparent firewall has inside and outside interfaces on the same subnet
  – Traffic is bridged based on the MAC address (CAM) table, like a switch
• Same outside-to-inside traffic filtering policy (security levels, stateful inspection) still applies
  – Exceptions are made with ACLs (EtherType ACLs for non-IP traffic) and MPF
• firewall transparent command (changing the mode clears the running config; 7.x allows two interfaces per transparent firewall)
• Global management IP must be in the same subnet as the inside/outside interfaces; it is the source address the appliance uses for its own traffic (management, syslog, AAA)

ARP Spoofing

• PIX / ASA in transparent mode forwards all ARP by default (no EtherType ACL needed)
• Network attack: a host answers ARP with its own MAC for another host's IP ("ARP Spoofing"), so the bridge delivers that host's traffic to the attacker
• ARP inspection compares each transiting ARP packet (IP, MAC, ingress interface) against the static ARP table
  – If a static entry exists for the IP but the MAC or interface is wrong, drop
  – If there is no static entry, forward (flood, the default) or drop (no-flood)
• Configuration
  – arp dmz 1.2.3.4 1234.5678.9abc
  – arp-inspection inside enable [flood | no-flood]

MAC Learning

• In transparent mode PIX / ASA learns MAC addresses from source frames like a normal transparent bridge
• MAC learning can be disabled per interface and replaced with static entries
• Limits the segment to the hosts you have pinned in the MAC table
• Configuration
  – mac-address-table static…
  – mac-learn [inside|outside] disable
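The Transparent Firewall, ARP Spoofing and MAC Learning slides as one configuration: a two-interface transparent firewall with the gateway and one protected host pinned, ARP inspection strict on the outside and permissive on the inside, and MAC learning disabled on the inside segment. Added editor's example, not from the deck; addresses, MAC addresses and names are assumptions.

```cisco
! ===== Editor's example: transparent firewall with L2 hardening (addresses/MACs assumed) =====
! firewall transparent      <- changing the mode clears the running config, do it first
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management address inside the bridged subnet (source for syslog/AAA and management)
ip address 10.0.0.3 255.255.255.0
!
! ARP spoofing defence: pin the gateway (outside) and the protected server (inside),
! then check every ARP packet that transits against these entries
arp outside 10.0.0.1 0011.2233.4455
arp inside 10.0.0.50 0011.2233.6677
! outside: anything not pinned is dropped (no-flood) -> only the real gateway may speak
arp-inspection outside enable no-flood
! inside: pinned entries are enforced, unknown hosts are still forwarded (flood)
arp-inspection inside enable flood
!
! MAC table: stop learning on inside, so the only inside entry is the pinned server
mac-address-table static inside 0011.2233.6677
mac-learn inside disable
!
! Layer 3/4 policy still applies: inside may initiate (default), outside only echo replies
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-group OUTSIDE-IN in interface outside
!
! Checks
! show arp-inspection        -> per-interface enable state and flood/no-flood setting
! show arp                   -> static entries present
! show mac-address-table     -> static inside entry, dynamic entries only on outside
```

With `no-flood` on the outside, any outside host whose address is not in the static ARP table cannot complete ARP through the firewall, so every legitimate outside sender has to be pinned before the setting is enabled.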