CCNA Security Ch14 Configuring Basic Firewall Policies Cisco ASA

Upload: florinn81

Post on 01-Jun-2018


8/9/2019 CCNA Security Ch14 Configuring Basic Firewall Policies Cisco ASA (1/38)

Chapter 14: Configuring Basic Firewall Policies on Cisco ASA

I. The ASA Appliance Family and Features

1. Meet the ASA Family

Table 14-2 ASA Models

Model: Description

ASA 5505: This is the entry-level device. It is relatively small compared to the other appliances, and is not large enough (that is, not wide enough) to be rack-mounted in a 19-inch-wide rack. It comes with a built-in switch that has 8 ports, and 2 of them support PoE. By default, all the interfaces on the switch port belong to VLAN 1, and the method used to connect this device to multiple networks is to assign the switch ports to at least 2 separate VLANs and then create SVIs, which are logical Layer 3 interfaces just like a management interface on a switch, one for each logical Layer 3 interface you want the ASA to use. This is the only ASA 55xx series appliance with a built-in switch and with this behavior. This device has a single slot allowing the addition of a compatible module.

ASA 5510: This firewall has built-in routable interfaces, and a management Ethernet interface that can be used as a dedicated interface for management only or can be converted to be a fifth routable interface on the ASA. This firewall has an option slot that supports a compatible module, such as an IPS module, which is like having an IPS appliance (if installed) that lives inside the ASA.

ASA 5520, 5540, 5550: These firewalls are like the 5510, with the exception that they have more capacity.

ASA 5585: High-performance, high-capacity firewall devices that support multiple add-ons, such as modules compatible with these appliances. These appliances take more vertical space in a rack compared to the 5510 to 5550.

Firewall Services Module (FWSM) and the ASA Services Module: These are blade firewalls that fit into a compatible switch, such as a 6500. They support many of the same features as the standalone ASA appliances in the 55xx family.

2. ASA Features and Services

1. Packet filtering: Simple packet filtering normally means an access list, and this is also true of the packet-filtering feature the ASA provides. The ASA supports both standard and extended access lists. The most significant difference between an access list on an ASA and an access list on a router is that the ASA never uses a wildcard mask. Instead, if it needs to represent a mask in a permit or deny statement in an ACL, it just uses the real subnet mask in the ACL.

2. Stateful filtering: By default, the ASA enters stateful tracking information about packets that have been initially allowed through the firewall. Therefore, if you have an ACL applied inbound on the outside interface of the firewall that says deny everything, but a user from the inside makes a request to a server on the outside, the return traffic is allowed back in through the firewall (in spite of the ACL that stops initial traffic from the outside) because of the stateful inspection that is done by default on the initial traffic from the client out to the server, which now dynamically allows the return traffic to come back in. This is probably the most significant and most used feature on the ASA. One way of thinking about stateful filtering is to imagine that the ASA builds a dynamic permit entry in a virtual ACL that will permit the return traffic. Suppose that you are sending a packet to a web server. Your source address is ..., and your source TCP port is .... The destination IP address of the server is 5.5.5.5, and the destination port is TCP 80 (web/http). The ASA will (virtually, as this is just a way to consider it) remember this outbound session and expect to see a return packet from 5.5.5.5 destined to ... (the client), and the source port is TCP


layer inspection and stateful filtering.

8. VPN support: The ASA can operate as either the head-end or remote-end device for VPN tunnels. When using IPsec, the ASA can support remote-access VPN users and site-to-site VPN tunnels. When supporting SSL, it can support the clientless SSL VPN and the full AnyConnect SSL VPN tunnels (which hand out IP addresses to remote VPN users, similar to the IPsec remote VPN users). SSL is an up-and-coming and popular option for VPNs and is only used for remote access, not for site-to-site VPNs.

9. Object groups: An object group is a configuration item on the ASA that refers to one or more items. In the case of a network object group, it refers to one or more IP addresses or network address ranges. The benefit of an object group is that a single entry in an access list could refer to an object group as the source IP or destination IP address in an individual ACE, and the ASA logically applies that entry against all the IP addresses that are currently in the object group. If an object group has four IP addresses in it, and we use that object group in a single entry of an ACL that permits TCP traffic to the object group, in effect we are allowing TCP traffic to each of those four IP addresses that are in the group. If we change the contents of the group, what that ACL permits or denies also changes.
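As an added example (not from the book and not Cisco code), the following Python model shows the two points made under items 1 and 9 that matter when reading ASA access lists: an ACE carries a real subnet mask, so translating to or from the wildcard mask an IOS router ACL would use is a bitwise complement, and a network object group named in one ACE is evaluated against every member currently in the group, so changing the membership changes what the ACL permits. The group name, addresses and port used in `demo()` are constructed for the demonstration.

```python
# Added example: a simplified model of ASA access-list matching. Not Cisco code.
# Two behaviours from the notes are modelled: ACEs use a real subnet mask (never
# an IOS wildcard mask), and a network object group used in one ACE applies that
# ACE to every address currently in the group.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Union


def real_mask_to_wildcard(mask: str) -> str:
    """ASA real mask (255.255.255.0) -> IOS wildcard (0.0.0.255) for the same range."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def wildcard_to_real_mask(wildcard: str) -> str:
    """IOS wildcard -> ASA real mask; the complement is its own inverse."""
    return real_mask_to_wildcard(wildcard)


@dataclass
class NetworkObjectGroup:
    """Models 'object-group network <name>' holding hosts and/or subnets."""
    name: str
    members: list = field(default_factory=list)  # IPv4Network entries

    def add_host(self, ip: str) -> None:
        self.members.append(ipaddress.ip_network(f"{ip}/32"))

    def add_subnet(self, network: str, real_mask: str) -> None:
        # ASA syntax is 'network-object <network> <real mask>'
        self.members.append(ipaddress.ip_network(f"{network}/{real_mask}"))

    def remove_host(self, ip: str) -> None:
        self.members.remove(ipaddress.ip_network(f"{ip}/32"))

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.members)


# An address match is a group, a single network, or None meaning 'any'.
Match = Union[NetworkObjectGroup, ipaddress.IPv4Network, None]


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: Match
    dst: Match
    dport: Optional[int] = None  # 'eq <port>'; None means any destination port


def _match_addr(m: Match, ip: str) -> bool:
    if m is None:
        return True
    if isinstance(m, NetworkObjectGroup):
        return m.contains(ip)  # group membership is evaluated at match time
    return ipaddress.ip_address(ip) in m


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return _match_addr(ace.src, src) and _match_addr(ace.dst, dst)


def acl_decision(acl: list, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


def demo() -> tuple:
    # Constructed values: a four-host server group and a /24 client subnet.
    web = NetworkObjectGroup("WEB_SERVERS")
    for host in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"):
        web.add_host(host)
    clients = ipaddress.ip_network("192.0.2.0/255.255.255.0")  # real mask, ASA style
    acl = [Ace("permit", "tcp", clients, web, 80)]
    before = acl_decision(acl, "tcp", "192.0.2.7", "203.0.113.13", 80)
    web.remove_host("203.0.113.13")  # change the group, not the ACL
    after = acl_decision(acl, "tcp", "192.0.2.7", "203.0.113.13", 80)
    return before, after


if __name__ == "__main__":
    print(real_mask_to_wildcard("255.255.255.0"), demo())
```

Removing one host from the group flips the decision for that host from permit to deny without touching the ACL itself, which is the behaviour the notes describe; the mask helpers make the ASA-versus-IOS difference concrete when comparing the two kinds of ACL side by side.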

    "0. Botnet traffic filtering ( A otnet is a collection o& computers that have eencompromised and are willing to &ollow the instructions o& someone who is attemptingto centrally control them (&or e/ample, "0,000 machines all willing Eor so commandedFto send a &lood o& ping re8uests to the I' address dictated y the person controllingthese devices). 9&ten, users o& these computers have no idea that their computers areparticipating in this coordinated attac!. The ASA wor!s with an e/ternal system at7isco that provides in&ormation aout the otnet Tra&&ic 2ilter @ataase and so canprotect against this.

    "". +igh a&aila"ility ( y using two &irewalls in a high-availaility &ailover comination,you can implement protection against a single system &ailure.

    "%. AAA support ( The use o& AAA services, either locally or &rom an e/ternal serversuch as A7S, is supported.

II. ASA Firewall Fundamentals

1. ASA Security Levels

1. The ASA has security levels from 0 to 100. The higher the number, the more the interface is trusted. The inside interface will most likely be assigned a security level of 100, while the outside interface should be assigned 0.

2. Making ASA interfaces operational