ASA Essentials Part 2
Bogdan Doinea
Technical Manager CEE&RCIS
Cisco Networking Academy
bdoinea@cisco.com
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Translations and Connections
Technical Demo
• NAT defines the way that we translate private addresses into public ones and vice versa
• In relation to the direction of the translation:
Inside NAT: addresses from the LAN are translated to addresses in the WAN address space
Outside NAT: addresses from the WAN are translated to addresses in the LAN address space
• Inside NAT
[Diagram: host 192.168.10.10 behind the firewall (inside interface 192.168.10.1, outside interface 209.100.65.1) talks to the web server 141.85.99.10. Packet before translation: src 192.168.10.10:24000, dst 141.85.99.10:80. After translation: src 209.100.65.10:24000, dst 141.85.99.10:80]
• Outside NAT
It’s actually bidirectional NAT
The source address of packets coming from the Internet gets translated
[Diagram: same topology, 192.168.10.10 and 192.168.10.1 on the inside, 209.100.65.1 and 141.85.99.10 on the outside]
• Used in cases where hosts on the outside want to appear like they are on the inside of the network
• “NAT conserves addresses”
The private-to-public translation is done at a 1-to-1 ratio; it is PAT that conserves addresses
• “NAT is a security mechanism”
The security functionality that NAT brings is a consequence of the design, not an objective
It is not good practice to rely on NAT for inside-outside security
There is another device that does the same thing as NAT from the security-of-connections point of view: a stateful firewall
Plus, a stateful firewall has extra functionality (application inspection etc.)
• Be careful, the NAT terminology is pretty diverse
What is SNAT?
Inside NAT
What is DNAT?
A concept called port forwarding/port redirection, not Outside NAT
• Port address translation
Allows the translation of multiple private addresses using a single public IP address
• For the translated address, we can use:
The address of the outgoing interface
A public IP address that hasn’t been assigned to any interface
[Diagram: inside network 192.168.10.0/24, host .10, reaching 141.85.99.10]
• Be careful: translation and connection are different concepts for a firewall
• Scenario: a user downloads a web page, transmits an IM and downloads his email with an email client
• How many connections does the firewall have in memory?
A minimum of 3 (it can depend on the way the protocols work)
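The translation options discussed above, written out as an ASA 8.3+ object NAT configuration. This is an added example, not a configuration from the slides: the interface names and numbering, the subnet masks, the object names and the spare public address 209.100.65.20 are assumptions; the host, server and interface addresses are the ones from the deck's diagrams. The show commands at the end make the slide's point about translations and connections being separate tables.

```cisco
! Added example (not from the slides). Interface names/numbers, masks,
! object names and 209.100.65.20 are assumptions.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.100.65.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Inside NAT, 1-to-1 (static): 192.168.10.10 is always seen as 209.100.65.10.
! A 1-to-1 mapping does not conserve addresses.
object network HOST-INSIDE
 host 192.168.10.10
 nat (inside,outside) static 209.100.65.10
!
! PAT for the rest of the LAN, using the address of the outgoing interface
! (209.100.65.1). Many private hosts share one public address; the source
! port distinguishes them.
object network LAN-INSIDE
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Alternative: PAT to a public address not assigned to any interface
! (use instead of the line above, not together with it):
! nat (inside,outside) dynamic 209.100.65.20
!
! Outside NAT: the Internet host 141.85.99.10 appears to inside hosts
! as 192.168.10.200 (a host on the outside "looking like" an inside host).
object network HOST-WAN
 host 141.85.99.10
 nat (outside,inside) static 192.168.10.200
!
! Verification. xlate lists translations: one entry per static mapping or
! per PAT'd source port. conn lists tracked flows: the user from the
! scenario (web page, IM, mail) shows up as at least three entries here,
! regardless of how many translations back them.
show xlate
show conn
show conn count
```

The static and PAT rules are independent: the static rule for 192.168.10.10 is more specific than the subnet rule and wins for that host, while every other LAN host is hidden behind the interface address. Note that the outside NAT rule alone does not permit anything; return traffic is admitted by the connection table, which is the stateful-firewall behaviour the slides describe, not by NAT.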
Advanced Firewall
Configuration
The insides of Application Inspection
• Why do we need application inspection?
(1) Scenarios in which applications run over non-standard ports
[Diagram: 192.168.10.10 behind the firewall (192.168.10.1 inside, 209.100.65.1 outside) talking to 141.85.99.10]
• Why do we need application inspection?
(2) Applications that need to open dynamic ports in order to work
The dynamically opened ports are negotiated by the application, usually on the control communication channel
Examples: Active FTP, multimedia streaming, VoIP
• Case study:
Active FTP vs. Passive FTP
[Diagram, Active FTP: client ports N+1 (data) and N (cmd); server ports 21 (cmd) and 20 (data); numbered arrows 1 to 3]
1. The client initiates a connection to port 21 on the server using a random source port N > 1023.
2. The server responds with an ACK from its port 21 to port N of the client.
3. The client sends the command “PORT N+1” over the control channel and opens port N+1 for receiving. By this, the client is telling the server the port it wants to use for data transfer.
4. The server tries to open (initiate) a connection from its port 20 (default data port) to port N+1 on the client.
5. The firewall blocks the connection at step 4, because it does not have a state object for it in RAM memory.
[Diagram, Passive FTP: client ports N+1 (data) and N (cmd); server ports 21 (cmd) and X (data); numbered arrows 1 to 3]
1. The client initiates a connection to port 21 of the server from a random source port N > 1023. The client opens port N+1 for data transfer.
2. The server sends an ACK from its port 21 to port N on the client.
4. The server opens a random port X > 1024 for data transfer and sends the command “PORT X” to the client.
5. The client initiates the data connection from its port N+1 to port X on the server.
• Conclusions:
Active FTP does not work by default if the client is behind a firewall
Because of the stateful inspection
Because of NAT
Passive FTP should always work
At least if the FTP server lies in a DMZ type of area and access is granted from the outside
• Why do we need application inspection?
(3) Applications that embed the IP address in the control channel messaging and, thus, conflict with NAT
As a result, the IP address in the layer 3 header will not be the same as the one embedded at layer 7
The application tries to open sockets to the private IP address and cannot succeed
• What is MPF (Modular Policy Framework)?
A set of structures and commands in the ASA OS
A way of making logical connections between the various theoretical concepts and their practical implementations
• MPF is defined through 3 basic structures
Class-map
Used to identify traffic flows using different strategies
We have generic class-maps that identify traffic at layer 3 and 4 and inspection class-maps that can identify traffic at layer 7
Policy-map
Used to associate one or more actions to packets identified by the class-map
We have generic policy-maps that apply standard actions (inspect, police, set connection etc.) and inspection policy-maps that can specifically control application layer information
Service-policy (command)
Used to apply a policy at a global or interface level
[Diagram: example traffic classes, labelled “IP telephony” and “System Engineers”]
• Defining a class-map (L3/L4)
• What criteria can the match command use to identify traffic?
access-list: uses an ACL for classification
any
dscp: matches the ToS field using the IETF DSCP standard
precedence: matches the ToS field using the IP Precedence standard
tunnel-group: matches traffic going into a tunnel. This can only be used for QoS purposes.
flow ip destination-address: used for identifying a destination IP inside a tunnel-group. Can only be used together with tunnel-group
port: identifies a UDP or TCP port
default-inspection-traffic: matches a series of protocols that work over their standard, well-known ports
• A class-map supports a single match command
The exceptions are tunnel-group and default-inspection-traffic, which let the admin specify another match statement
When we have 2 match commands, the firewall applies a logical AND between them
ciscoasa# sh run
....
class-map inspection_default
match default-inspection-traffic
....
• What does default-inspection-traffic contain?
ciscoasa(config-cmap)# match ?
• The policy-map determines the action the firewall will take on inspection
• Step 1: we give the policy-map a name
• Step 2: we make an association with a class-map
• Step 3: we specify the action
• One policy-map can have multiple actions and of different categories
ciscoasa(config-pmap-c)# ?
ciscoasa# sh run
..........
!
class-map example
match port tcp eq www
!
policy-map http_policy
class example
inspect http
police input 1000000
set connection conn-max 1000 per-client-embryonic-max 50
!
..........
• A policy can be applied globally, or at an interface level
• The globally applied policy applies to all the traffic entering the ASA on any interface, but only in the ingress direction
• The interface-level policy applies to all the traffic on that interface, ingress and egress
• If the actions are of different types, a packet can match more than once inside a policy-map, across the different class-maps that identify its traffic
class-map example
match port tcp eq www
policy-map http_policy
class example
police input 1000000
set connection conn-max 1000 per-client-embryonic-max 50
class inspection_default
inspect http
• If the action type is the same, the packet only matches one class-map (the first one in the policy-map)
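A complete MPF configuration tying the three structures together, covering both the application inspection reasons from the earlier slides (FTP's dynamic data port, an application on a non-standard port) and the multiple-match rule above. This is an added example rather than the deck's own configuration: the class and policy names other than the ASA defaults, the alternative FTP port 2121 and the idle timeout value are assumptions.

```cisco
! Added example (not from the slides). FTP-2121, WEB-TRAFFIC, INSIDE-POLICY,
! port 2121 and the timeout value are assumptions; inspection_default and
! global_policy are the ASA's default names.
!
! 1. class-maps (L3/L4): identify the traffic
class-map inspection_default
 match default-inspection-traffic
class-map FTP-2121
 match port tcp eq 2121
class-map WEB-TRAFFIC
 match port tcp eq www
!
! 2. policy-map: attach actions to each class
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
 class FTP-2121
  inspect ftp
 class WEB-TRAFFIC
  police input 1000000
  set connection conn-max 1000 per-client-embryonic-max 50
!
! 3. service-policy: apply it. Global = ingress on every interface.
service-policy global_policy global
!
! An interface-level policy applies ingress and egress on that interface only.
policy-map INSIDE-POLICY
 class WEB-TRAFFIC
  set connection timeout idle 0:05:00
service-policy INSIDE-POLICY interface inside
!
! Verification: per-class counters and the FTP data connections the
! inspection engine allowed through
show service-policy
show service-policy inspect ftp
show conn
```

How this maps onto the slides: `inspect ftp` on the default class reads the PORT command on the control channel and pre-creates the state for the server's connection from port 20 to N+1, so active FTP through the firewall stops failing at step 4; the same engine rewrites the address embedded at layer 7 when NAT changes the layer 3 header. `FTP-2121` shows the non-standard-port case: without its own class and `inspect ftp`, traffic on 2121 is just a TCP flow to the firewall. A packet to tcp/80 matches both `inspection_default` (inspect) and `WEB-TRAFFIC` (police, set connection) in `global_policy` because the action types differ; a second class carrying another `inspect` action for the same traffic would not be applied, since only the first class with a given action type counts.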
Virtual Private Networks
A look at types of VPNs supported on the ASA
• A solution to create an end-to-end private connection over an unsafe, open network like the Internet
• There are leased solutions that achieve the same end result: leased lines
• What’s the difference between having a leased line and a VPN?
The cost
• Relative to the ISP:
Overlay
Point-to-point
[Diagram: client sites connected across the ISP network]
• The overlay model makes the ISP network invisible to the client
• The ISP routers do not get to know the client networks
• Types of overlay VPNs: L2TP, PPTP, IPSec
• In the point-to-point model, the ISP participates in the routing decision
• The routing adjacency is done between the ISP and the client
[Diagram: client routers peering with the ISP]
• Overlay VPN models were dominating 90% of the market before the popularity of MPLS
• Still, MPLS does not provide any confidentiality or authentication scheme
• Relative to the topology:
Site-to-Site
Remote-access
[Diagram: headquarters connected to two remote offices]
• Most VPN technologies are based on tunneling
• Tunneling means an extra header is added at the layer where the tunnel is built
Example: IPIP tunnel
Used when the end-to-end source or destination network is not known in the routing table of an intermediate router
• IPSec is a security protocol framework
• IPSec: Confidentiality
[Diagram: encryption algorithms listed by key length: 56 bits, 168 bits, 256 bits, 160 bits]
• IPSec: Integrity
[Diagram: hashing algorithms listed by key length: 128 bits and 160 bits]
• IPSec: authentication with non-repudiation
• Telecommuting is increasing more and more as an option for working
The risk of passing company information over the Internet is very great
Criterion            IPSec                                      SSL
Applications         Any IP-based application                   Web, e-mail, file sharing in native mode (clientless)
Encryption strength  Very strong: key lengths from 56 to 256 bits   Moderate: key lengths from 40 to 128 bits
Authentication       Strong: two-way authentication             Moderate: one-way or two-way authentication
Ease of use          Moderate: can be challenging for a         Very easy
                     non-technical user
Connection options   A preconfigured client is necessary        No client is needed, only a working browser
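A site-to-site IPsec tunnel on the ASA that picks the strong end of the algorithm ranges listed above (AES-256 rather than 56-bit DES for confidentiality, SHA-1 HMAC rather than MD5 for integrity, two-way peer authentication). This is an added example and not a configuration from the slides: the peer address 203.0.113.1, the remote network 10.20.0.0/24, all object and map names, and the pre-shared-key placeholder are assumptions; the local LAN 192.168.10.0/24 and the interface name outside are taken from the deck. ASA 8.4 IKEv1 syntax is assumed.

```cisco
! Added example (not from the slides). Peer, remote network, names and
! the PSK placeholder are assumptions.
!
! Phase 1 (IKE SA): AES-256 encryption, SHA integrity, DH group 5;
! use the strongest DH group your release supports.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
! Phase 2 (IPsec SA): ESP with AES-256 and SHA-1 HMAC
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic: the private networks carried in the tunnel
object network LAN-LOCAL
 subnet 192.168.10.0 255.255.255.0
object network LAN-REMOTE
 subnet 10.20.0.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip object LAN-LOCAL object LAN-REMOTE
!
! NAT exemption: tunnelled traffic keeps its private addresses instead of
! being PAT'd to the outside interface (ties in with the NAT section)
nat (inside,outside) source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE no-proxy-arp route-lookup
!
! Crypto map: peer, traffic and transform set, bound to the outside interface
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group5
crypto map OUTSIDE-MAP interface outside
!
! Peer authentication: both sides must present the same secret (two-way)
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Verification: phase 1 and phase 2 SAs, with packet counters per SA
show crypto ikev1 sa
show crypto ipsec sa
```

The pre-shared key is the "strong, two-way" authentication option from the table; certificates (the non-repudiation option) replace it with `authentication rsa-sig` in the IKE policy and a trustpoint in the tunnel-group. The NAT exemption line is the point where the two halves of this deck meet: without it, the PAT rule for the LAN rewrites the source address before the crypto map sees the packet, the traffic no longer matches VPN-TRAFFIC, and the tunnel never comes up for that flow.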
• For both modes, the browser is the client
• Clientless does not allow anything else except HTTP and HTTPS
The user authenticates on the SSL portal to get access to internal company web resources
Thin client
In this mode, the user downloads Java applets from the portal
The applets behave like TCP proxies for applications
The user connects to several applications through the TCP proxy (POP3, SMTP, IMAP, Telnet, SSH, CIFS)
The applet makes an HTTP connection to the SSL server that contains, in the payload, the addressing information to reach another service
The SSL server makes the connection to the end service inside the company network
• The full client can usually be downloaded from the SSL portal
after the user authenticates
• Depending on the vendor, the client could install seamlessly or
manually, with user intervention
1. The user makes a TCP connection to port 443
2. The firewall responds with a public key signed with a certificate
[Diagram: lab topology with R1, the ASA (outside and inside interfaces) and R2; interfaces labelled Fa0/1, Fa0/0, Fa0/2, Fa0/1]
Thank you.