SYN-ACK » Vendor Specific

Cisco ASA Interface Configuration

Ian — Mon, 14 Dec 2009 14:52:11 +0000

The Cisco ASA Firewall provides us with flexible and scalable choices for connecting our appliance into the network. This post will provide elements of the ASA configuration specific to the interfaces for an ASA operating in Routed / Single Mode with no failover commands.

Cisco ASA5520

The number and speed of the interfaces installed in your ASA is dependent on the model and license. They are as follows:

ASA5505

8 x 10/100 switchports (two of which provide PoE).

ASA5510

Base License – 5x 10/100 Ports

Security Plus License – 2x 10/100/100 & 3x 10/100 Ports

ASA5520 & ASA5540

4x 10/100/1000 & 1x 10/100 Ports

ASA5550

8x 10/100/1000, 4x SFP & 1x 10/100

ASA5580

The ASA5580 interfaces are dependant on the modules purchased for it.

www.syn-ack.co.uk

Additional Interfaces

The 5510, 5520 & 5540 support the 4GE SSM which hosts four additional copper or SFP interfaces

For basic interface connectivity we must enter interface configuration mode:

ASA (config)# interface gi0/1

*we are now working under interface configuration mode and can configure our IP Address, Nameif, Security Level, Speed & Duplex.

www.syn-ack.co.uk

ASA (config-if)# ip address 10.0.0.1 255.255.255.0

ASA (config-if)# nameif SERVER_DMZ

ASA (config-if)# security-level 50

ASA (config-if)# speed 1000

ASA (config-if)# duplex full

ASA (config-if)# no shut (physical ports shutdown by default)

www.syn-ack.co.uk

IP Addressing

The IP Address can be assigned statically (as above) or it can be assigned dynamically via DHCP:

ASA (config-if)# ip address dhcp

If you wanted the default route for the ASA to be provided by the DHCP server you would configure:

ASA (config-if)# ip address dhcp setroute

www.syn-ack.co.uk

Nameif Command

The nameif command allocates the ASA a friendly name that is thereafter used in the configuration instead of the interface type and ID such as Gi0/1. Be careful when renaming an interface making sure to overwrite it by simply typing “nameif new-name” and allowing the ASA to correct all related configuration elements. If you do “no nameif” followed by ”nameif new-name” you may find a lot of your configuration relating to the old interface name has disappeared! *Your ASA will not pass traffic on an interface until the nameif command has been configured.

www.syn-ack.co.uk

Security Levels

Security Levels allow us to define how trusted an interface is. The higher the number, the more trusted an interface is classed. If no access lists are applied to an interface the ASA will permit traffic travelling from an interface with a higher security level to a lower security level. i.e. If the INSIDE is set to 100 and the OUTSIDE set to 0 then users connected to the inside interface could access hosts on the outside. Users on the outside however would not be able to access resources on the inside interface. The ASA would allow return traffic to hosts on the inside by tracking connections in the state table. Usually, the INSIDE interface has a security level of 100 and the OUTSIDE a security level of 0.

www.syn-ack.co.uk

If two interfaces have the same security level configured and you want traffic to flow between them or you want traffic to exit the same interface it entered, you must enter the following commands under global configuration:

www.syn-ack.co.uk

same-security-traffic permit inter-interface (for traffic traversing physical interfaces).

same-security-traffic permit intra-interface (for traffic traversing logical interfaces on the same physical interface).

www.syn-ack.co.uk

The “intra-interface” switch is also used when routing on a stick. ie, VPN traffic that terminates on the outside interface but then goes back out that interface to get to the internet would need the “same-security-traffic permit intra-interface” command.

www.syn-ack.co.uk

Speed & Duplex

The speed and duplex settings are alywas configured on the physical interface even when sub-interfaces are defined. The interfaces on an ASA are set by default to auto-negotiate speed and duplex settings. In this mode the interface will also be capable of auto-MDI/MDIX eliminating the need for a crossover cable. As long as either the speed or duplex is set to auto-negotiate then the interface will be capable of Auto-MDI/MDIX. Gigabit Ethernet will always auto-negotiate when set to auto or 1000/full.

www.syn-ack.co.uk

ICMP Control Lists for ASA

ICMP for traffic that terminates on the ASA interfaces can be turned on and off using the ICMP command, ICMP permit any echo OUTSIDE (for example)

The ASA interface will respond to ICMP requests by default but once you begin using the ICMP control list you have to make sure all required traffic is permitted explicitly. It is recommended that if you are restricting ICMP traffic with a control list that you enable the ICMP unreachable message type (type 3) so as not to interfere with MTU path discovery as this may cause problems with IPsec and PPtP traffic.

Redundant Interfaces

Redundant interfaces can be used to group physical interfaces into one logical interface for resiliency. Redundant interfaces operate in active/standby mode. To enable this feature both interfaces must be of the same physical specification. The MAC address listed first in the config is the one used for the logical redundant interface. When the ASA fails over to the standby interface the same MAC address is used. It is however possible to define a MAC address statically.

interface redundant 1

(config-if) member-interface gi 0/1

(config-if) member-interface gi 0/2

www.syn-ack.co.uk

You just manually define the redundant interface for failover (similar to VLAN sub-interfaces).

monitor-interface redundant 1

www.syn-ack.co.uk

VLAN Sub-interfaces

VLAN sub-interfaces allows us to divide a physical interface into multiple logical interfaces tp provide us with more interfaces on the firewall. The physical link automatically becomes a trunk when VLAN interfaces are used and the switchport that the firewall interface connects to must be configured as an 802.1q trunk and allow all vlans or specifically allow all VLAN’s used by sub-interfaces on that physical interface.

www.syn-ack.co.uk

To prevent the physical interface passing untagged traffic ensure that “no nameif” is configured on the physical interface. A VLAN ID must be assigned to sub-interfaces and until it is the interface will not pass traffic. Spanning-tree portfast may be used on the switchport to allow the switchport to move to the forwarding state quicker. The Speed and Duplex settings are configured on the physical link.

www.syn-ack.co.uk

The different ASA models support varying levels of VLANs

www.syn-ack.co.uk

ASA5505

Base License – 3 VLANs (trunking is disabled)

Security Plus License – 20 VLANs (trunking enabled)

ASA5510

Base License – 50 VLANs

Security Plus License – 100 VLANs

ASA5520

150 VLANs

ASA5540

200 VLANs

ASA5550

250 VLANs

ASA5580

250 VLANs

www.syn-ack.co.uk

To configure a VLAN sub-interface do the following:

(config)#interface gi 0/1.100

(config-subif)#vlan 100 *I prefer to make the sub-interface number the same as the vlan-id for simplicity.

-carry out interface configuration the sub interface such as nameif, ip address, security level, no shut, description.

*remember to perform a “no shut” on the physical interface and leave it blank with no nameif configured to prevent it passing traffic.

www.syn-ack.co.uk

VLAN Sub-interfaces can also be configured on redundant interfaces in a similar manner:

(config)#interface redundant 1.100

www.syn-ack.co.uk

Performance versus TCO – Cisco dominate security market

Ian — Tue, 18 Nov 2008 14:24:16 +0000

I thought I’d post up a reference to an interesting article posted on Network World about Cisco’s place in the security market. It seems that customers now care less about appliance performance and more about overall strategy and product integration. The data gathered by the IDC shows that customers do not rate Cisco as a “best of breed” vendor” but that they are keen to use Cisco products because of the manner in which they integrate into their network.

If security is of the utmost concern then in my opinion the best solution to the problem should be applied – end of story. However, with overworked staff and a lack of multi-vendor skills it is easy to see why companies choose Cisco with the similar looking administration GUI’s, CLI’s and the ability to expand appliance capability by using software modules.

I believe that Cisco are making huge strides in the security market and feel that that although some products may not offer the same performance as others in a certain environment, their products for the most part integrate well into organisations with less administrative overhead if the customer is already a Cisco customer. I’m trying to stay neutral here and not show a preference either way but I will say that I think Cisco’s layered approach to security is very good. It is because they have such a wide range of products that slot together well that customers are keen to choose Cisco, in my opinion. UTM solutions are good for the SMB market but offer little in way of tiered defence. That said, if I was recommending an appliance for a customer who specified strong security was the priority then performance has to be the deciding factor regardless of vendor.

Anyway, here’s the article -> http://www.networkworld.com/news/2008/111708-cisco-sec.html

CS-MARS attacks!

Ian — Wed, 15 Oct 2008 14:06:07 +0000

Cisco’s new(ish) flagship security event management platform is beginning to make its mark but I wanted to know what it brought to the table that made it different from the rest of the solutions available.

Security Information Management (SIM) platforms are used to provide a central repository for security devices to send any events generated to. Most SIM offerings have a web front end that allows network security staff access to view all of the logs generated by devices on their network. SIMs offer excellent benefits to an organization by allowing security events to be viewed from a single source, the SIM will have the necessary disk space to store these events while making them available for analysis and reporting. Another benefit to us that SIMs provide is that they can correlate event data to show any events received that share certain variables allowing us to recognize trends in the network between reporting devices. The SIM can be configured to alert administrators if certain events are triggered however it is then up to the administrator to find a way of mitigating whatever is triggering the alerts.

The previous SIMs available before CS-MARS provided some excellent features that enabled network security staff to store, analyse and archive any events generated by devices configured to report to the SIM. An added benefit is that SIMs can help organizations comply with legislation set out to ensure that companies secure data that is confidential such as in the healthcare sector or online stores that retain personal data of customers.

As you can see SIMs offer us a great deal of functionality but they were lacking in areas that hadn’t been ventured into before by other vendors. CS-MARS (Cisco Security – Monitoring Analysis Response System) brought us the features that are other vendors lacked. CS-MARS came about when Cisco purchased Protego Networks for $65M to extend the capability of Cisco’s self-defending network. Protego had embraced the concept of SIM but enhanced this by adding in STM (Security Threat Management) to the MARS product which Cisco has developed much further since acquiring it. STM brings us new features to the SIM market allowing us to do things such as timely attack mitigation through mitigation advisories. Also, because of the STM orientated design, MARS has better overall topology awareness which makes other things possible such as end-to-end network awareness to provide session awareness and date reduction by reducing millions of events down to hundreds. MARS mitigation strategies employ the use of TCP resets, shuns, editing ACLs and rulebases.

In short, CS-MARS demonstrates an impressive range of new and innovative features in one solution that nothing else on the market can compare to. Security event management, correlation and normalization of events combined with the option for attack mitigation advisories and immediate single click mitigation deployments places MARS in a class of it’s own.

CCNP at last!

Ian — Fri, 25 Jul 2008 19:27:17 +0000

I finally passed the damned thing! I sat the ISCW exam today and walked away with the CCNP – woohoo! I’m more happy that I can get back to doing what I enjoy now without having to do any more routing/switching stuff for a while. The ISCW course focused mainly on VPN technology, ADSL, Cable and secure configuration management. It was a bit more enjoyable than the other exams but because it’s locked into Cisco products I sometimes feel like the certification track is more like an ongoing advertisement for the vendor.

I’m not sure what I’ll focus on now, I’ve got to keep my skills sharp and my certifications current because I’m self employed and the industry can be a bit fickle I suppose – make no mistake, hands on experience is what counts. Whatever it is I intend to do something fun alongside it. I really fancy doing Remote Exploits Offensive Security course although I may warm up with the BackTrack WiFu course first – the Remote Exploit team are superb -> http://www.remote-exploit.org/

It’s been a few months since I’ve done any meaty Checkpoint stuff so I may just recertify my CCSA in NGX at the same time. Decisions decisions! For now I’m just happy that this ones out of the way!

Ian