ASA IMPLEMENTATION
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 20.0.0.12 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.0.0.12 255.255.255.0
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
After adding inspect icmp to the inspection policy, ping from inside to outside works, but
ping from outside to inside still does not work; the log shows:
Deny inbound icmp src outside:20.0.0.1 dst inside:10.0.0.1 (type 8, code 0)
!
To allow that, you have to add this ACL and apply it inbound on the outside interface:
ASA# sh run access-list
access-list OUTSIDE_IN_ICMP extended permit icmp any any echo
access-list OUTSIDE_IN_ICMP extended permit icmp any any echo-reply
ASA# sh run access-group
access-group OUTSIDE_IN_ICMP in interface outside
ASA#
!
How to allow traceroute traffic:
!
How traceroute works:
it sends UDP packets and in return expects ICMP error packets, i.e. ICMP unreachable and ICMP time-exceeded.
!
To allow traceroute, add these entries to the ACL:
access-list OUTSIDE_IN_ICMP extended permit icmp any any time-exceeded
access-list OUTSIDE_IN_ICMP extended permit icmp any any unreachable
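To make the ACL behaviour above concrete, here is an added example (not code from the page) of a small first-match evaluator for ASA-style extended ACL entries. It parses the four OUTSIDE_IN_ICMP lines and re-checks the packet from the log line (src 20.0.0.1, dst 10.0.0.1, ICMP type 8) with and without the ACL, plus a traceroute time-exceeded and a TCP packet that matches nothing. The ICMP type-name-to-number table and the "empty ACL equals implicit deny" model of the pre-ACL state are assumptions of the example.

```python
"""
Added example (not from the page): a first-match evaluator for ASA-style
extended ACL entries, showing why the outside-to-inside echo was denied before
the OUTSIDE_IN_ICMP entries existed and is allowed afterwards.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv4 type keywords accepted by ASA access-list syntax -> numeric type
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "icmp", "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_type: Optional[int] = None  # None means any ICMP type


def _take_addr(parts, i):
    """Consume one address spec at parts[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if parts[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if parts[i] == "host":
        return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{parts[i]}/{parts[i + 1]}"), i + 2


def parse_acl(lines):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [icmp-type]' lines
    into a dict of ACL name -> ordered list of ACEs. Unrelated lines are skipped."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 7 or parts[0] != "access-list" or parts[2] != "extended":
            continue
        name, action, proto = parts[1], parts[3], parts[4]
        src, i = _take_addr(parts, 5)
        dst, i = _take_addr(parts, i)
        icmp_type = None
        if proto == "icmp" and i < len(parts):
            icmp_type = ICMP_TYPES[parts[i]]  # KeyError on an unknown type keyword
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, icmp_type))
    return acls


def evaluate(aces, proto, src, dst, icmp_type=None):
    """First matching ACE wins; if nothing matches, the implicit deny applies.
    An empty list models the state before any access-group was applied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != proto and ace.proto != "ip":
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action
    return "deny"


# The ACL from the page: the two echo entries plus the two traceroute entries.
PAGE_ACL = [
    "access-list OUTSIDE_IN_ICMP extended permit icmp any any echo",
    "access-list OUTSIDE_IN_ICMP extended permit icmp any any echo-reply",
    "access-list OUTSIDE_IN_ICMP extended permit icmp any any time-exceeded",
    "access-list OUTSIDE_IN_ICMP extended permit icmp any any unreachable",
]


def outside_in_verdicts():
    """Re-check the logged packet (20.0.0.1 -> 10.0.0.1, ICMP type 8) with and
    without the ACL, plus a traceroute time-exceeded (type 11) and a TCP packet."""
    aces = parse_acl(PAGE_ACL)["OUTSIDE_IN_ICMP"]
    return {
        "echo_no_acl": evaluate([], "icmp", "20.0.0.1", "10.0.0.1", 8),
        "echo_with_acl": evaluate(aces, "icmp", "20.0.0.1", "10.0.0.1", 8),
        "time_exceeded": evaluate(aces, "icmp", "20.0.0.1", "10.0.0.1", 11),
        "tcp_not_listed": evaluate(aces, "tcp", "20.0.0.1", "10.0.0.1"),
    }


if __name__ == "__main__":
    for name, verdict in outside_in_verdicts().items():
        print(f"{name}: {verdict}")
```

Note that the four entries are all permit any any, so the ACL only filters on ICMP type; on a real deployment you would normally restrict the source to the hosts that need to probe through the firewall, which the evaluator also handles via host and network/mask specs.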
!
If the packet is coming from outside to inside:
ASA# PACket-tracer input outside icmp 20.0.0.1 8 0 10.0.0.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_IN_ICMP in interface outside
access-list OUTSIDE_IN_ICMP extended permit icmp any any echo
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8678, packet dispatched to next module
Phase: 7
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.1 using egress ifc inside
adjacency Active
next-hop mac address c000.5930.0000 hits 1
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
!
ASA# packet-tracer input inside icmp 10.0.0.1 8 0 20.0.0.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 20.0.0.0 255.255.255.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8679, packet dispatched to next module
Phase: 7
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 20.0.0.1 using egress ifc outside
adjacency Active
next-hop mac address c001.5930.0000 hits 8717
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
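The two packet-tracer runs above are long, and what a defender usually wants from them is the verdict, the phase that dropped the packet (if any) and the ACL entry that matched. The following is an added example, not code from the page, of a parser that extracts exactly that. SAMPLE is an excerpt (phases 1, 3 and 7 and the summary) of the first trace above; DROP_SAMPLE is a constructed trace of a denied packet, so its lines are assumptions made for the example.

```python
"""
Added example (not from the page): parse ASA packet-tracer output into phases and
report the action, the first non-ALLOW phase and the matched access-list entries.
"""
import re

# Excerpt of the page's first trace (phases 1, 3 and 7 plus the summary block).
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_IN_ICMP in interface outside
access-list OUTSIDE_IN_ICMP extended permit icmp any any echo
Additional Information:
Phase: 7
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.1 using egress ifc inside
Result:
input-interface: outside
output-interface: inside
Action: allow
"""

# Constructed (not from the page): what a trace looks like when the implicit rule drops the packet.
DROP_SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
Action: drop
"""


def parse_packet_tracer(text):
    """Return (phases, action). Each phase is a dict with phase, type, subtype,
    result, config (list of lines) and info (list of lines)."""
    phases, action, current, section = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":            # a bare 'Result:' opens the final summary block
            current, section = None, None
            continue
        if line.startswith("Action:"):
            action = line.split(":", 1)[1].strip().lower()
            continue
        if current is None:
            continue                     # summary lines such as input-interface
        if line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            current[key.lower()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            current[section].append(line)
    return phases, action


def summarize(text):
    """Verdict, first phase whose result is not ALLOW, and matched access-list lines."""
    phases, action = parse_packet_tracer(text)
    dropping = next((p["type"] for p in phases if p["result"] != "ALLOW"), None)
    matched = [line for p in phases if p["type"] == "ACCESS-LIST"
               for line in p["config"] if line.startswith("access-list ")]
    return {"action": action, "phases": len(phases),
            "dropping_phase": dropping, "matched_aces": matched}


if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(summarize(DROP_SAMPLE))
```

Feeding it the full trace from a live box (for example the output of the packet-tracer command piped to a file) works the same way; the parser keys only on the Phase/Type/Subtype/Result/Config/Additional Information labels that every phase carries.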
TRANSPARENT FIREWALL
Transparent Firewall:
The inside and outside interfaces are in the same subnet but in different VLANs; the ASA bridges the two VLANs and rewrites the frames as it forwards them.
ASA(config)# firewall transparent
ciscoasa(config)# sh firewall
Firewall mode: Transparent
!
In ASA OS 9.0 we can mix contexts, each in either routed mode or transparent mode.
In routed mode:
you only have to handle the outbound direction in the inspection policy, but in
transparent mode:
you have to handle inbound as well as outbound, because the two modes see control-plane
traffic differently.
To allow control-plane traffic we can use these ACLs:
access-list INSIDE_IN permit ip any any
access-list OUTSIDE_IN permit ospf any any
access-list OUTSIDE_IN permit udp any any eq 646
access-list OUTSIDE_IN permit tcp any any eq 646
-----
APPLY:
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
!
The transparent mode FWSM does not pass CDP packets, or any packets that do not have a valid EtherType
greater than or equal to 0x600. For example, you cannot pass IS-IS packets.
An exception is made for BPDUs, which are supported.
!
ASA Virtual/Context Mode
Virtual/context Firewalls:
!
mode multiple
! this requires a reboot
sh firewall
!
sh run
admin-context admin
context admin
config-url disk0:admin.cfg
!
ASA# changeto context CONTEXT1
ASA/CONTEXT1# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Current IP Addresses:
Interface Name IP address Subnet mask Method
ASA/CONTEXT1# sh int
ASA/CONTEXT1# sh interface
Interface Ethernet0/0 "", is down, line protocol is down
Available but not configured via nameif
Interface Ethernet0/1 "", is down, line protocol is down
Available but not configured via nameif
ASA/CONTEXT1(config)# int e0/0
ASA/CONTEXT1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA/CONTEXT1(config-if)# ip add 10.0.0.12 255.255.255.0
ASA/CONTEXT1(config-if)# int e0/1
ASA/CONTEXT1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA/CONTEXT1(config-if)# ip add 20.0.0.12 255.255.255.0
ASA/CONTEXT1(config-if)# ch
ASA/CONTEXT1(config-if)# changeto sy
ASA/CONTEXT1(config-if)# changeto system
ASA(config)# int e0/0
ASA(config-if)# no sh
ASA(config-if)# int e0/1
ASA(config-if)# no sh
How does the ASA know which context to return the traffic to?
There are three ways it can classify traffic:
1. unique interfaces
2. separate MAC addresses
3. NAT configuration
R2#ping 20.0.0.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.12, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 12/19/36 ms
R2#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 20.0.0.1 - c000.5168.0000 ARPA FastEthernet0/0
Internet 20.0.0.12 18 1200.0100.0200 ARPA FastEthernet0/0
Internet 20.0.0.13 12 1200.0100.0300 ARPA FastEthernet0/0
ASA/CONTEXT2(config-if)# changeto system
ASA(config)# mac-address auto
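To show how the three classification criteria above fit together, here is an added example (not code from the page) that models a multi-context ASA deciding which context owns an incoming packet. The context-to-address assignments are assumptions built from the sh arp output above: 20.0.0.12 with MAC 1200.0100.0200 is taken to be CONTEXT1's outside address (the page configures 20.0.0.12 in CONTEXT1), 20.0.0.13 with MAC 1200.0100.0300 is assumed to belong to CONTEXT2, and the inside MAC is constructed. Criterion 3 is simplified to "the destination IP is an address the context owns".

```python
"""
Added example (not from the page): a toy classifier for a multi-context ASA, applying
the page's three criteria in order: unique interface, per-context MAC, destination address.
Context names, IPs and MACs below are assumptions derived from the page's 'sh arp' output.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Context:
    name: str
    # interface name -> (ip address, mac address); the MAC is what 'mac-address auto' assigns
    interfaces: Dict[str, Tuple[str, str]] = field(default_factory=dict)


def classify(contexts, ingress_iface, dst_mac, dst_ip):
    """Return the name of the context that should receive the packet, or None."""
    owners = [c for c in contexts if ingress_iface in c.interfaces]
    if not owners:
        return None                                   # interface not allocated to any context
    if len(owners) == 1:
        return owners[0].name                         # 1. unique interface: no ambiguity
    for c in owners:                                  # 2. shared interface: per-context MAC
        if c.interfaces[ingress_iface][1].lower() == dst_mac.lower():
            return c.name
    for c in owners:                                  # 3. destination address (interface IP / NAT)
        if c.interfaces[ingress_iface][0] == dst_ip:
            return c.name
    return None


# Assumed lab layout: Ethernet0/1 is shared by both contexts, Ethernet0/0 belongs to CONTEXT1 only.
CONTEXTS = [
    Context("CONTEXT1", {
        "Ethernet0/1": ("20.0.0.12", "1200.0100.0200"),   # MAC as seen in R2's ARP table
        "Ethernet0/0": ("10.0.0.12", "1200.0000.0100"),   # constructed MAC, not from the page
    }),
    Context("CONTEXT2", {
        "Ethernet0/1": ("20.0.0.13", "1200.0100.0300"),   # assumed to be CONTEXT2's entry
    }),
]


def demo():
    """Classify the frames R2 would send after the ping and ARP exchange on the page."""
    return {
        # R2 pinging 20.0.0.12: shared interface, resolved by the auto-generated MAC
        "ping_ctx1": classify(CONTEXTS, "Ethernet0/1", "1200.0100.0200", "20.0.0.12"),
        "ping_ctx2": classify(CONTEXTS, "Ethernet0/1", "1200.0100.0300", "20.0.0.13"),
        # MAC unknown (e.g. before 'mac-address auto'): fall back to the destination address
        "ip_fallback": classify(CONTEXTS, "Ethernet0/1", "1200.0100.0000", "20.0.0.12"),
        # Ethernet0/0 is allocated to one context, so the MAC is never consulted
        "unique_iface": classify(CONTEXTS, "Ethernet0/0", "ffff.ffff.ffff", "10.0.0.12"),
        # nothing matches: the packet cannot be classified and is dropped
        "unclassified": classify(CONTEXTS, "Ethernet0/1", "1200.0100.0000", "20.0.0.99"),
    }


if __name__ == "__main__":
    for case, ctx in demo().items():
        print(f"{case}: {ctx}")
```

The order matters: once the MAC lookup succeeds the address check never runs, which is why enabling mac-address auto on shared interfaces removes the dependence on overlapping NAT or interface addresses for correct classification.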
Note: in the newer code we can run crypto commands (VPN termination) and mix
transparent and routed mode in the individual contexts.
We can't do dynamic routing in the old OS.
!
In a user context we can't modify anything in another context.
For this purpose we use the admin context; generally the admin context is used for
management of all the other contexts.