0:00:13 Now, our first technical topic for the class
0:00:16 is going to focus on the ASA firewall
0:00:19 and there are a number of different overall sections that we are going to be covering here
0:00:25 where, first, we are going to start with just the general overview of how the ASA works
0:00:31 what are its filtering capabilities, what are its VPN capabilities
0:00:36 I will talk about the basic initialization, how we configure the
0:00:40 interfaces, IP addresses, just basic
0:00:44 traffic flowing through the device
0:00:46 we will look at the routing protocols, both with static routing, dynamic routing, and then
0:00:53 we will look at using access lists and object groups
0:00:56 as exceptions to the firewall filtering engine
0:01:00 which is the Modular Policy Framework or MPF
0:01:03 so the MPF we will look at using for application level inspection
0:01:07 like controlling how web traffic is forwarded differently than FTP or DNS
0:01:12 also how this can be used for Quality of Service
0:01:15 for either policing, shaping or prioritization
0:01:19 how the Network Address Translation features work
0:01:23 both with static and dynamic
0:01:25 Network Address Translation or Port Address Translation
0:01:29 the Layer 2 transparent firewall mode
0:01:32 where we are going to be bridging between interfaces as opposed to routing
0:01:36 the multiple context mode for virtual firewalls
0:01:41 high availability with failover and with redundant interfaces
0:01:45 and lastly the system management
0:01:47 for things like telnet access, SSH access, SNMP
0:01:51 into the ASA
0:01:56 specifically in this module
0:01:59 we are going to look at the overview of the
0:02:02 ASA, what are the different features that it supports
0:02:04 how the stateful filtering works
0:02:08 what's the difference between the single mode and the multiple context mode?
0:02:14 what's the difference between the routed firewall mode and the transparent firewall mode?
0:02:19 and some of the basic VPN features that the ASA supports
0:02:27 Now the ASA is a stateful firewall
0:02:30 which means that it's going to support not only basic
0:02:33 inspections of TCP, UDP or ICMP traffic
0:02:37 it's also going to support application level inspections
0:02:42 that are particular to non-standard applications
0:02:46 so things like HTTP,
0:02:48 or SIP for IP phones, or IPSec, whether running
0:02:52 authentication header or ESP
0:02:55 it's not only a stateful firewall
0:02:57 but it's an application aware stateful firewall
0:03:01 we will see when we get into the VPNs
0:03:04 for VPN termination it does support both IPSec and SSL VPN variations
0:03:11 so we will look at the LAN-to-LAN configurations for the IPSec
0:03:15 and the remote access variations of both IPSec and SSL VPNs
0:03:21 it also does support the intrusion prevention system
0:03:26 same as the standalone IPS sensor
0:03:28 for this you will need the AIP-SSM, which is the Advanced Inspection and Prevention Security Services Module
0:03:35 which essentially is just the IPS sensor like the 4200
0:03:40 on a module that you plug into the ASA
0:03:43 but the interface is going to be similar
0:03:45 to the standalone sensor versus the
0:03:48 module that is in the ASA
0:03:50 the other one it also supports is the content filtering
0:03:54 security services module, or the CSC-SSM, content security control
0:03:59 which is going to be for application of the filtering
0:04:02 of things like your email traffic or
0:04:05 virus and worm and spyware type prevention
0:04:12 now mainly here we're going to be focusing on
0:04:15 the stateful firewall features
0:04:17 and the VPN features of the ASA
0:04:20 where the stateful firewall we are going to talk about in these sections
0:04:23 and then VPN we will get into later
0:04:26 when we get to the IOS VPN and also the ASA VPNs
0:04:34 so being that it is a stateful firewall
0:04:37 what this actually means is that it's going to track or watch traffic
0:04:41 as it moves from the trusted network to the untrusted network
0:04:46 where typically the trusted network would be our inside
0:04:49 and the untrusted network would be our outside
0:04:52 so if we are using the ASA as our last hop device connecting to the internet
0:04:57 the link to the service provider would be the outside untrusted network
0:05:01 the link into our LAN would be the inside trusted network
0:05:05 so the ASA is watching the traffic as it goes from inside to out
0:05:09 Now, when it does this
0:05:12 it creates an entry in what will be called the state table
0:05:15 or the connection table, in order to keep track of the actual traffic flow
0:05:21 this traffic flow is going to be particular to the individual source and destination
0:05:26 and protocol and port pairs
0:05:28 so just like we would think of a traffic flow in the case of NetFlow
0:05:33 that's what the ASA is looking at here
0:05:35 so an example of a flow would be web browsing at regular HTTP port 80
0:05:40 from client A to server B
0:05:43 so the ASA is going to listen for the client to send the TCP SYN
0:05:48 which is the first portion of the 3-way handshake
0:05:50 then as the traffic returns back in
0:05:54 from the untrusted network to the trusted network
0:05:57 this is going to be allowed back inbound
0:06:00 only if the state already exists in the table
0:06:04 so the ASA knows based on how TCP works and based on how HTTP works
0:06:10 that the client first is going to send the SYN as part of the first portion of the three-way handshake
0:06:17 now if the traffic returns back inbound
0:06:20 the second portion of the handshake that it would expect
0:06:23 is the return traffic from the server
0:06:25 back to the client that is a SYN and an ACK
0:06:29 so not only is it looking at the
0:06:32 basic things like the established flag in the TCP header
0:06:36 it's application aware
0:06:38 it understands that for this individual inspection, HTTP
0:06:42 that the traffic should be going out
0:06:44 to port 80 destination as a SYN
0:06:47 it should be returning with TCP source
0:06:50 port 80 with a SYN ACK
0:06:52 then the third portion would be the TCP ACK
0:06:55 the final portion of the three-way handshake
0:06:57 from the client back to the server
0:07:01 now if traffic tries to enter from the untrusted network and there is not already a state
0:07:06 then the traffic is going to be denied
0:07:09 and we would consider this any type of unsolicited request from the
0:07:13 outward network or the untrusted network
0:07:16 so for example a port scan from NMAP
0:07:19 if someone's trying to figure out what are the services open in our network
0:07:23 the ASA by default is going to deny
0:07:26 any of the traffic to come in on the outside interface
0:07:31 will deny it from coming in on the untrusted interface
0:07:35 now the way that we actually define what the level of trust is
0:07:38 is based on what the ASA says is the security level
0:07:42 and the security level is going to be a range of 0 to 100
0:07:46 where 100 is the most trusted of all the interfaces
0:07:50 and this by default is going to be assigned
0:07:53 to our inside interface
0:07:56 so if I configure interface ethernet 0/0
0:08:00 and specify this as my inside interface
0:08:03 the security level by default is going to be 100
0:08:07 for any other interface
0:08:09 it's going to get 0 by default
0:08:11 which is the most untrusted interface
0:08:15 now we will see that we can manually change this
0:08:18 the security level number
0:08:20 if I'm trying to use some sort of complex policy with 3 or more interfaces
0:08:25 or maybe we have multiple outside links
0:08:28 we have multiple inside links
0:08:30 we have inside, outside and a DMZ
0:08:33 where we have our public web server, public mail server, etc.
0:08:37 we can define the security levels
0:08:40 so that there is a hierarchy to control
0:08:43 what traffic is going to be allowed between the interfaces
0:08:48 now the second portion of this
0:08:50 is based on the logic that the ASA says that traffic from a higher security level interface
0:08:56 to a lower security level interface
0:08:58 is permitted by default
0:09:02 where the most basic example of this would be traffic from inside going out
0:09:06 so someone internal to our network is trying to hit a public web server on the internet
0:09:11 so it's routing from our inside network towards out
0:09:14 when it tries to return back in
0:09:16 it's now trying to move from a lower security to a higher security level
0:09:23 so in the case of moving from inside to outside it's moving from 100 to 0
0:09:28 whereas a move from outside back inside is trying to move from 0 to 100
0:09:33 so from the lower to higher
0:09:36 this will be permitted, but only if a state already exists in the table
0:09:42 if there is no state then the traffic is going to be denied
0:09:45 which again would be like our outside to inside flows
0:09:51 now in the case that there are multiple interfaces that have the same security level
0:09:56 these are going to be denied by default
0:09:59 to have traffic flows move between them
0:10:03 now the typical case would be to have this
0:10:05 if you have multiple inside interfaces
0:10:08 or multiple outside interfaces
0:10:12 for multiple inside interfaces you may want the ASA to actually route the traffic
0:10:17 in which case you can tell it that for
0:10:20 traffic moving between the same security level interfaces we want to permit that
0:10:25 so that would be the same-security-traffic permit inter-interface
0:10:30 the exception
0:10:32 for intra-interface
0:10:37 this is going to be if you want to do a redirect on the same link
0:10:41 where most of the time you typically would not do this
0:10:44 but there can be various specific cases based on your layer 2 design
0:10:48 that I want the traffic to route to the ASA's inside interface
0:10:52 and then route back out that same link
0:10:56 but again by default if you have two interfaces that have the same security level
0:11:00 so let's say they both have 100 for multiple insides
0:11:03 traffic between them is going to be denied
0:11:06 there we can permit it but we need to use that command same-security-traffic
0:11:10 permit inter-interface
0:11:15 now the actual traffic inspection
0:11:18 as the state is created and as the traffic is moving from the higher security level
0:11:23 to the lower security level
0:11:25 goes through what is known as the Modular Policy Framework or the MPF
0:11:30 now the MPF is used to control
0:11:32 what particular application engine
0:11:35 the traffic flow is going to be matched by
0:11:38 because the ASA knows that from a protocol point of view at layer 7
0:11:43 there is a difference between a DNS name resolution
0:11:46 versus a web browsing request
0:11:48 or a phone call that is using SIP
0:11:50 or a phone call that's using H.323
0:11:54 so the Modular Policy Framework is what is giving us the Application Level Gateway, the ALG awareness
0:12:00 or the application level inspection
0:12:04 now syntax wise the Modular Policy Framework
0:12:07 takes its logic from the IOS Modular QoS Command Line Interface or the MQC
0:12:14 which means configuration wise we are going to be using
0:12:17 three steps: the class map, the policy map and the service policy
0:12:23 now the MPF is mainly going to control three things
0:12:27 the first thing it controls is what particular traffic is going to be inspected
0:12:32 so what is going through the stateful tracking
0:12:36 what is not going to keep state, or what is going to be simply denied
0:12:40 and we can do this two separate ways
0:12:42 the first way is with a basic layer 3
0:12:45 or layer 4 inspection
0:12:48 this is going to be for any standard
0:12:50 TCP or UDP application
0:12:52 or possibly ICMP like a ping
0:12:56 that for a telnet session
0:12:59 the MPF knows that when a packet goes out
0:13:02 going to port 23
0:13:05 when it returns back in
0:13:06 it will be coming from source port 23
0:13:09 and the destination port should be the random port value
0:13:13 that came from the original
0:13:14 first portion of the 3-way handshake
0:13:18 so we don't need to know what are the particular commands that are being used inside the telnet session
0:13:23 we just want to know, is the layer 4 header
0:13:27 conforming to what the TCP specification says for normal applications
0:13:33 now for anything that is a non-standard application
0:13:37 or where we want to look into more details of exactly what's going on
0:13:42 we support the application aware inspections
0:13:45 with the layer 7
0:13:47 class maps and layer 7 policy maps
0:13:50 depending on what particular application we are talking about
0:13:54 we have different inspection engines
0:13:58 now we will see later when we get into the zone based policy firewall on the IOS
0:14:02 it's the same type of logic that the
0:14:05 zone firewalls have, that we have different class maps, different policy maps
0:14:09 that are particular to HTTP inspections
0:14:12 versus mail, versus DNS, versus FTP, etc.
0:14:18 so similar things that you can do with this
0:14:21 if we were to inspect HTTP
0:14:23 I would say look in the HTTP header
0:14:27 and look for the URL that the client is trying to get
0:14:31 if there is an HTTP GET
0:14:33 and it's going to, let's say
0:14:36 google.com and I want to deny that
0:14:39 I would tell the ASA to look for that particular string, www.google.com
0:14:44 and then reset the TCP session or drop the connection
0:14:49 so not only are we looking at the TCP port 80
0:14:53 whether it conforms to the normal SYN, SYN-ACK, ACK of the three-way handshake
0:14:58 we will also look at things like the TCP sequence number to make sure that those are valid
0:15:04 and then we have different connection limits
0:15:08 that are going to be applied on to
0:15:10 TCP connections for preventing things like denial of service attacks
0:15:13 or distributed denial of service attacks
0:15:16 So it's more than just a basic layer 3 and layer 4 match
0:15:23 So, we will take a look at these examples later, at these applications as examples
0:15:25 and they are going to be different depending on what the particular application is
0:15:32 I can control what is the total number of recipients
0:15:36 that can be in an individual mail message
0:15:38 like look for the To header or the CC header
0:15:41 So, I would prevent someone from sending spam
0:15:44 like I am trying to send a mail to 10,000 people at the same time
0:15:50 So, again three portions of the MPF, the first one here is what traffic is going to be inspected
0:15:55 this is what we are going to do with the class map
0:15:59 Second portion is how is the traffic actually going to be inspected
0:16:04 this is where we would specify things like the number of open sessions
0:16:09 the number of total open sessions on a per-host basis
0:16:12 how long we would wait for the timers of the SYN to come back
0:16:17 when the reply acknowledgement comes back when we see the initial SYN
0:16:21 different types of QoS parameters
0:16:23 what are the IP option numbers or TCP option numbers that are going to be allowed in the header
0:16:28 So, specific things to that individual protocol
0:16:33 like a TCP inspection would be different than UDP
0:16:37 this is what we control in
0:16:40 the policy map, so how is the traffic actually being inspected
0:16:45 then lastly once we have the policy defined
0:16:48 which is how is it actually going to be applied
0:16:51 so what is the direction of the inspection
0:16:53 so is this going to apply as we are moving traffic from the inside to the outside
0:16:58 or the inside to the DMZ, or outside to the DMZ, etc.
0:17:04 now we will see when we compare
0:17:05 the ASA's configuration of this
0:17:08 with the Modular Policy Framework
0:17:10 versus the IOS with the zone based
0:17:13 policy firewall
0:17:14 the ASA is less flexible in this configuration
0:17:19 because we do not do explicit
0:17:21 pairings between the interfaces or the security levels
0:17:26 now what I mean by this
0:17:28 let's say that we had
0:17:30 an ASA that had
0:17:32 three separate interfaces
0:17:35 we have ASA 1, it has an inside interface
0:17:40 an outside interface and a DMZ
0:17:46 the DMZ is where we have, for example, our web servers
0:17:52 we want to control
0:17:54 what exactly the policy is as traffic moves from my inside hosts to out
0:18:00 then separately as my outside hosts
0:18:04 so from the untrusted network
0:18:06 they are trying to hit my public web server
0:18:08 but I want this policy to be different
0:18:10 to as the outside hosts are trying to access the inside network
0:18:16 so, in the case of the zone based policy firewall
0:18:19 on the regular IOS
0:18:21 this logic is very straightforward
0:18:23 because we create the individual zone pairings
0:18:27 let's say, I want to apply to an association as I am going in to out
0:18:33 versus an association of in to DMZ
0:18:37 or a separate pairing that is from out to DMZ
0:18:42 or from out to in
0:18:45 so on IOS we can define whatever arbitrary pairings that we want
0:18:50 that's going to control how exactly the inspection is happening based on the traffic
0:18:56 but with the ASA we only have two options for applying this
0:19:00 we can apply the policy globally
0:19:03 which is by default the default global inspection policy
0:19:07 or we can apply it to the interface, either inbound or outbound
0:19:12 or we will see what are the limitations
0:19:15 and that makes it a little bit different how we need to approach this logic
0:19:18 is that we can apply a policy that says
0:19:21 traffic is going out the DMZ
0:19:24 where that means it is applying to traffic flows into the DMZ and out of the DMZ
0:19:34 so in the case of three or more interfaces
0:19:37 the zone based policy firewall is actually more flexible
0:19:41 now the ASA can do better inspections and it can do them much faster than the router can
0:19:47 but syntax-wise, at least in the versions that we are working with
0:19:50 there is no exclusive way
0:19:52 to create the association directly to the two different security zones
0:19:57 so we will see it's not necessarily a problem
0:20:00 it's just something that we need to take into account when we are actually configuring our inspection
0:20:07 now in addition to the Modular Policy Framework
0:20:10 the ASA, just like an IOS router, supports Access Control Lists or ACLs
0:20:14 that we can use for our exceptions
0:20:17 through the Modular Policy Framework inspections
0:20:21 Now the reason that we will need this
0:20:24 is that for any non-standard application
0:20:28 that we do not already have an inspection engine for
0:20:32 we will take a look at a couple of cases of this with things like traceroute
0:20:37 where since the ASA does not have a specific
0:20:40 inspection for the unix variation of traceroute
0:20:43 we will need to use an access list
0:20:45 in order to tell the Modular Policy Framework
0:20:48 that it's okay
0:20:49 that the outbound flow is a little bit different than the inbound flow
0:20:54 so when we actually get to the configuration, we will talk about that in more detail
0:20:58 but the access lists
0:21:00 these are going to be an exception to the MPF
0:21:03 if we manually permit the traffic in the ACL
0:21:06 it does not have to already have a state
0:21:08 created by the Modular Policy Framework
0:21:17 Okay, the next thing that's significant about the ASA
0:21:20 is its two different modes of operation
0:21:22 that are called the contexts
0:21:25 and we support two different contexts, single context mode and multiple context mode
0:21:30 multiple context mode
0:21:33 is when we have
0:21:35 virtual firewalls
0:21:38 that we are using to separate the logic of how one policy is different than the other one
0:21:44 and the way we are trying to think of this
0:21:47 would be like the virtual routing and forwarding or the VRF instances on an IOS router
0:21:53 where we are taking the same, we are taking one physical box
0:21:58 but we are splitting it into multiple virtual routers
0:22:01 and in the case of a VRF we have multiple virtual routing tables
0:22:05 where interfaces 1 and 2 will be assigned to VRF A
0:22:09 interfaces 3 and 4 are assigned to VRF B
0:22:12 which implicitly means that the traffic cannot move
0:22:17 simply based on the fact that they do not have routes to each other
0:22:21 now multiple context mode is going to take the same type of logic
0:22:24 but we are going to apply it to the firewall inspection engine
0:22:29 so we have multiple physical interfaces that are either logically separated
0:22:35 or physically separated
0:22:37 that we're defining different types of
0:22:39 inspection policies on, or different types of security policy
0:22:43 now in the single context mode, this is how we run by default
0:22:48 it means that all of our interfaces, all of our policies
0:22:51 are going to be controlled by one single configuration
0:22:55 So how traffic is routing between the links is based on our one single config
0:23:00 now the multiple context mode
0:23:03 this is going to separate the configuration
0:23:05 the interfaces and the policies on a per virtual context basis
0:23:11 so if I would have four interfaces on the ASA
0:23:14 I can create two different logical firewalls
0:23:17 where two of the physical interfaces are the inside and outside of context A
0:23:22 and the third and fourth interfaces are the inside and outside of context B
0:23:28 then the inspection of context A is going to be completely different from context B
0:23:34 So, either you typically will do this for policy separation
0:23:38 or if you're trying to do some sort of managed services
0:23:41 like in a hosting environment, if you want to take one physical firewall
0:23:44 let's split it into multiple different virtual firewalls on a per customer basis
0:23:49 this is what the multiple context mode is going to allow you to do
0:23:54 now we will see when we actually get into the configuration of this
0:23:57 there are some limitations of the feature
0:23:59 mainly that when we enable multiple context mode
0:24:03 it disables our ability to run any dynamic routing
0:24:07 but most importantly it disables our ability to do VPN termination
0:24:14 so if the ASA is running in multiple context mode, it is only a firewall, it is not a VPN termination device
0:24:21 So, no IPSec VPN, no SSL VPN
0:24:25 it's a pretty big limitation of the feature there
0:24:31 Now for the firewall itself
0:24:34 there are two separate modes of operation that we can run in
0:24:37 with this, they are independent of whether we are running in
0:24:41 single context mode or multiple context mode
0:24:44 these are the routed firewall and the transparent firewall
0:24:50 Now the routed firewall, like the single context mode, this is going to be the default
0:24:55 the routed firewall says that the interfaces
0:24:57 are not only going to be in different subnets
0:25:00 but they are also in different VLANs
0:25:03 So, my inside interface, my outside interface, they are all different broadcast domains
0:25:07 they are on different subnets
0:25:09 So, if I were to move traffic from the inside to the outside, it needs to route
0:25:14 so, just like a normal layer 3 router
0:25:17 the packet's going to come in
0:25:19 we decapsulate the layer 2 header
0:25:22 do a routing lookup in the layer 2 header
0:25:25 figure out what is the outgoing interface, what is the next hop value
0:25:29 switch the packet to that interface and then rebuild the encapsulation for the new interface to forward it out
0:25:36 so, just like a router this will imply that we just need either static routing
0:25:39 or dynamic routing to actually do that routing lookup
0:25:43 to figure out when the packet comes in
0:25:45 what is the outgoing interface going to be
0:25:49 now this particular procedure
0:25:53 this is independent of any of the firewall inspection
0:25:56 where on any layer 3 device, the routing process
0:26:00 is always going to be separate from any of the other processes
0:26:04 we'll see that this is true not only on the ASA but also on the router's firewall
0:26:10 So, things like the zone based firewall
0:26:13 context based access control
0:26:15 Network Address Translation, access lists
0:26:19 all of those are unrelated to the routing process
0:26:22 we always need to make sure that routing is working first
0:26:25 before we can actually do any type of content filtering on top of that
0:26:31 now the transparent firewall
0:26:33 is, similarly to the routed firewall
0:26:37 going to have its interfaces in different VLANs
0:26:41 but they are going to be on the same subnet
0:26:46 So, in the case of the transparent firewall, the inside and outside are on the same subnet, but they are on different VLANs
0:26:55 Now, what this means is that since the outside and inside are on the same layer 3 network
0:27:00 the firewall is going to be bridging between interfaces instead of routing between interfaces
0:27:07 So, just like a normal transparent bridge
0:27:09 we will see that it's going to build a CAM table
0:27:12 or the Content Addressable Memory
0:27:14 that's going to store what are the particular MAC addresses that are associated with the individual ports
0:27:20 then based on this MAC address table
0:27:22 the ASA is going to bridge traffic between the interfaces
0:27:26 in addition to sending it through the Modular Policy Framework for the inspection
0:27:32 so, the nice thing about the transparent firewall
0:27:35 is that you do not need to change your layer 3 design
0:27:38 in order to put the firewall in the transit path
0:27:42 so, if I would have a case where
0:27:45 I have a link
0:27:47 that is routed between my ISP
0:27:51 and me, my router is down there
0:27:57 I can put the ASA here
0:28:00 where the ISP, maybe the address is 100.0.0.1
0:28:05 and router 1 has the address 100.0.0.2
0:28:10 So, these hosts are technically on the same layer 3 network
0:28:15 but as traffic enters the inside interface of the ASA
0:28:18 it's then bridged to the outside interface
0:28:22 and in the middle here, this is where it's going through its inspection
0:28:26 with the Modular Policy Framework
0:28:29 So, even though the traffic comes out
0:28:32 and this router here is still going to see it sourced from the MAC address
0:28:37 ah, whatever router 1 has
0:28:40 the ASA is what I am going to control, do I actually allow this traffic
0:28:44 is this going to be inspected, that when the traffic tries to come back in
0:28:49 what's going to happen? Am I going to allow this back in or am I going to drop it
0:28:54 now there are some other limitations that you run into with transparent mode
0:28:59 just like in multiple context mode
0:29:02 and one of them again is there is no VPN termination
0:29:05 since it's not routing
0:29:08 we can't run the layer 3 VPN process
0:29:11 because VPN and routing, they go hand in hand
0:29:16 Okay, the other issue is that there is a limitation to the number of
0:29:20 physical links, and I want to say that it is just one inside and one outside
0:29:24 We will take a look at this in more detail when we actually go to the configuration of the transparent firewall
0:29:29 and we will look at the specific release notes for the different platforms
0:29:34 but in general I think it's just one inside and one outside interface
0:29:41 Now, the context mode and the firewall modes
0:29:44 these are independent of each other
0:29:47 and we can run them in any combination that we want
0:29:50 which means that we can use the default, which is single context as a routed firewall
0:29:56 or we can also run single context as a transparent firewall
0:30:00 multiple context as a routed firewall or multiple context as a transparent firewall
0:30:07 so we are going to look at all four different variations of the configuration
0:30:12 as I mentioned, if you were to go to multiple context mode
0:30:16 it stops you from doing dynamic routing
0:30:19 and from doing VPN termination
0:30:21 the same is going to be true with the transparent firewall
0:30:24 there is no dynamic routing, because we are bridging
0:30:28 and there is no VPN termination
0:30:31 So depending on what you want the device to do, if it's going to be an SSL VPN server or Easy VPN server
0:30:38 what I mean is there's only one of these combinations that's going to work
0:30:41 and it's the first one, single context mode with the routed firewall
0:30:45 any of these other 3
0:30:48 means that there is no VPN termination
|
0:30:54
|
now for the different VPN terminations
|
|
0:30:56
|
ASA is going to support
|
|
0:30:59
|
two different variations of this
|
|
0:31:01
|
both IPSec and SS VPNs
|
|
0:31:05
|
now in the case of IPSec
|
|
0:31:08
|
we can do this with authentication header
|
|
0:31:10
|
we can do with the Encapsulating Security Payload - ESP
|
|
0:31:14
|
we can also do with ESP tunnels over UDP and TCP
|
|
0:31:19
|
what the ASA does not currently supports
|
|
0:31:23
|
is IPSec over a GRE tunnel
|
|
0:31:28
|
IPSec with GRE would then mean
|
|
0:31:31
|
we cannot do routing over our LAN-to-LAN tunnels
|
|
0:31:35
|
and we cannot do DMVPN
|
|
0:31:38
|
the ASA is not a DMVPN device, just a regular
|
|
0:31:41
|
LAN-to-LAN IPSec tunnel with either AH, ESP, or ESP tunnel over UDP or TCP
|
|
0:31:50
|
and the other variation is the SSL over TCP
|
|
0:31:55
|
now we support both remote access and LAN-to-LAN VPNs
|
|
0:31:59
|
where LAN-to-LAN is going to be with IPSec
|
|
0:32:02
|
which is also known as the site to site VPNs
|
|
0:32:06
|
so between two ASAs, between an ASA and IOS Router
|
|
0:32:10
|
between an ASA and some other third party vendor
|
|
0:32:13
|
as long as they are conforming to the IKE and the IPSec RFCs
|
|
0:32:20
|
to the standard implementation
|
|
0:32:22
|
then you should be able to do integration
|
|
0:32:24
|
with ASA or IOS into any other third party
|
|
0:32:29
|
okay, there are a couple of questions here
|
|
0:32:34
|
Now, for the ASA in transparent mode, does it bridge routing protocols? - Yes, it can
|
|
0:32:39
|
and are the routing protocols subject to the MPF? - Yes, they are.
|
|
0:32:43
|
So we will look at it today, when we get to the transparent mode
|
|
0:32:48
|
there are some individual
|
|
0:32:52
|
configurations that are really going to need to change in the design in order to account for that; if we are trying to route through the firewall, that's fine
|
|
0:32:58
|
we have a question on the IPSec and the DMVPN
|
|
0:33:03
|
yes again, the ASA does not support GRE tunnels
|
|
0:33:07
|
which means it cannot be a DMVPN end point
|
|
0:33:13
|
So, again we have both IPSec, LAN-to-LAN and IPSec remote access
|
|
0:33:18
|
the IPSec remote access VPNs these are sometimes called the Easy VPN server
|
|
0:33:24
|
sometimes it's spelled E-a-s-y, sometimes it's just EZ VPN
|
|
0:33:30
|
this is what the Cisco Unified VPN client is called
|
|
0:33:36
|
the other variation of remote access is through SSL VPNs
|
|
0:33:41
|
which runs in two different modes, the clientless VPN
|
|
0:33:46
|
which is also known as the web VPN
|
|
0:33:48
|
then the AnyConnect SSL client
|
|
0:33:54
|
the AnyConnect client and the Easy VPN client
|
|
0:33:58
|
they are essentially doing the same thing
|
|
0:34:00
|
that's a regular client you will have to install, and you set up the particular
|
|
0:34:05
|
server that you are trying to terminate to
|
|
0:34:08
|
the difference between them is they are using different transports
|
|
0:34:11
|
where the Easy VPN client is using ESP
|
|
0:34:15
|
and either ESP tunnel over UDP or TCP
|
|
0:34:20
|
and the SSL VPN client is using
|
|
0:34:23
|
normal SSL over port 443
|
|
0:34:28
|
now we will look at some variations to this
|
|
0:34:31
|
where you can actually run
|
|
0:34:33
|
Easy VPN over
|
|
0:34:35
|
TCP over port 443
|
|
0:34:38
|
but there is still a fundamental difference between the SSL VPN and the IPSec VPN
|
|
0:34:43
|
because they don't use different negotiations for keying
|
|
0:34:47
|
they use different algorithms
|
|
0:34:49
|
even though they are trying to accomplish the same thing
|
|
0:34:54
|
Okay, another thing I forgot to mention here, multiple context mode
|
|
0:35:01
|
plus no active-active
|
|
0:35:03
|
multiple context mode would be the only one that you run in active-active
|
|
0:35:10
|
So, if you are in
|
|
0:35:14
|
and we need to go back to the different variations here
|
|
0:35:18
|
okay, if you are in single context mode, routed firewall
|
|
0:35:22
|
and you are running failover
|
|
0:35:25
|
it means you are running active standby
|
|
0:35:28
|
likewise, single context mode transparent firewall, you can run active standby
|
|
0:35:33
|
if you are in multiple context mode
|
|
0:35:36
|
we got this whether you want a routed or transparent firewall
|
|
0:35:39
|
thats when you can run active-active
|
|
0:35:42
|
so, essentially, what that means
|
|
0:35:44
|
is that you have two physical boxes
|
|
0:35:47
|
one of them is forwarding for one context
|
|
0:35:50
|
and another one is forwarding for an additional context
|
|
0:35:55
|
but from the user's point of view, they don't know what they are actually going through
|
|
0:36:01
|
because they both have identical configuration, it's a stateful configuration
|
|
0:36:06
|
so if one backs up or fails, the secondary one is going to take over for all of the contexts
|
|
0:36:13
|
You will see when we test it out, it's almost instantaneous failover
|
|
0:36:17
|
So as long as you are running
|
|
0:36:19
|
some sort of application that really doesn't care about minor delays
|
|
0:36:23
|
like if you are doing web browsing or something like telnet
|
|
0:36:25
|
you are not going to know when it's going to fail over to begin with
|
|
0:36:28
|
it's only something that
|
|
0:36:30
|
if you are doing like high frequency trading
|
|
0:36:32
|
and you are counting your packets to the milliseconds
|
|
0:36:35
|
then the failover would really matter
|
|
0:36:38
|
but normally it's going to be
|
|
0:36:40
|
pretty much transparent to the people who are actually forwarding the traffic through
|