| 0:00:13 | In our next section here for the ASA |
| 0:00:16 | we are going to talk about the basic management methods for connecting |
| 0:00:20 | to both the console and the web interface through the ASDM |
| 0:00:24 | we are going to look at the basic initialization |
| 0:00:27 | enabling the interfaces |
| 0:00:29 | with the names and the security levels and the IP addressing |
| 0:00:33 | you get the basic single mode of routed firewall working |
| 0:00:38 | whereas, as I mentioned, there are going to be two different methods of management that we are going to look at |
| 0:00:44 | first and foremost we have the command line interface or the CLI |
| 0:00:48 | which we are going to get access to |
| 0:00:50 | either through the console, directly connecting to the ASA |
| 0:00:55 | or remotely either through telnet or SSH |
| 0:01:00 | now the ASA also supports web management |
| 0:01:03 | through the ASDM - Adaptive Security Device Manager |
| 0:01:07 | which essentially is a Java based web interface that is going to run over SSL |
| 0:01:14 | now with the CLI |
| 0:01:17 | this is where we are going to be doing the vast majority of our work |
| 0:01:21 | when the platform starts at the blank configuration |
| 0:01:24 | we need to connect to the console to get our basic |
| 0:01:26 | management session up first |
| 0:01:29 | before we can access the device even remotely from telnet or from SSH |
| 0:01:34 | now we will see later when we get into the multiple context modes |
| 0:01:38 | we will see that there is a special management access to the |
| 0:01:42 | multiple context in the admin context |
| 0:01:46 | where again with the single mode |
| 0:01:48 | with the single context mode, everything is going to be controlled by one main configuration |
| 0:01:54 | So in regular single mode whether we are telnetting or SSHing in |
| 0:01:58 | we are going to be accessing the same management session as if we were directly connected to the console |
| 0:02:03 | in multiple context mode that is going to be a little bit different |
| 0:02:07 | now, we can also |
| 0:02:09 | as I mentioned, enable the ASDM access which is going to be from the web interface |
| 0:02:15 | over HTTPS |
| 0:02:17 | however within the scope of the security lab exam |
| 0:02:21 | I do not believe that you would have access to this |
| 0:02:25 | Now, the blueprint for version 3 of CCIE security does explicitly say |
| 0:02:31 | that the web interface is available for the IPS |
| 0:02:34 | but it does not say that it is available for the ASA |
| 0:02:38 | Now most of the stuff you should be able to do from the console |
| 0:02:42 | the only thing that is going to get a little bit problematic is when we get into the |
| 0:02:46 | the AnyConnect VPN and the advanced web VPN configurations |
| 0:02:51 | when we look at the documentation on those, unfortunately most of those are from the perspective of ASDM |
| 0:02:56 | so we are going to figure out, what are the |
| 0:02:59 | the command line equivalents |
| 0:03:01 | of the changes that the ASDM has actually made |
| 0:03:04 | Now one way to figure this out |
| 0:03:07 | is to actually set up the management through ASDM |
| 0:03:10 | go through the basic wizard of setting up |
| 0:03:12 | either clientless web VPN |
| 0:03:15 | or the AnyConnect SSL client |
| 0:03:18 | and then look at the end result of that .. the command line |
| 0:03:25 | now in order to do our basic initialization |
| 0:03:29 | first thing that we need to do |
| 0:03:31 | is to connect to the console |
| 0:03:34 | hey, once we are connected |
| 0:03:37 | assuming the initial configuration is now already blank |
| 0:03:41 | just like in the routers we can either say write erase or clear the startup configuration and then reload |
| 0:03:47 | but there is also another option on the ASA |
| 0:03:50 | that is the clear configure command |
| 0:03:53 | now this is going to be a shortcut that we can use |
| 0:03:56 | for any configuration change that we want to undo |
| 0:04:01 | wherein the case of saying clear configure all is going to essentially delete all of your configuration |
| 0:04:07 | and is going to go back toward the factory defaults |
| 0:04:10 | if we like to say clear configure access-list |
| 0:04:13 | it means it's going to delete all of the access lists |
| 0:04:16 | if we say clear configure crypto it's going to delete all of our VPN configurations |
| 0:04:22 | now the only problem with this is that when you say clear configure all |
| 0:04:26 | it does not prompt you for confirmation |
| 0:04:29 | so if you accidentally type clear configure all instead of clear configure access-list or clear configure router ospf |
| 0:04:36 | then it's going to delete all of your configuration |
| 0:04:41 | but if you make a bunch of changes you want to quickly roll them back |
| 0:04:43 | there is one way that you can quickly do it, it's with the clear configure command |
| 0:04:48 | now when we boot up the ASA with its default configuration |
| 0:04:54 | it's going to be running in single context mode with the routed firewall |
| 0:04:58 | if we change this to multiple context mode |
| 0:05:02 | or we change this to transparent firewall |
| 0:05:05 | it's going to remove any of the previous configuration that we have |
| 0:05:09 | So, when we get into those two variations later, multiple context mode and transparent mode |
| 0:05:15 | with transparent firewall you do need to be careful with those commands |
| 0:05:19 | which would be the multiple |
| 0:05:21 | if you are on a multi context mode |
| 0:05:23 | or the firewall transparent from global config |
| 0:05:27 | the multiple context mode, it will ask you for confirmation |
| 0:05:31 | but changing the firewall's mode |
| 0:05:34 | if you change from routed to transparent it's not going to ask you for confirmation |
| 0:05:39 | so if I am doing some configuration in global config and accidentally say firewall transparent |
| 0:05:44 | it's going to delete everything I have there |
| 0:05:47 | switch to transparent mode and then have a blank configuration |
| 0:05:55 | now this question - Does greater labs offer the ASDM config you spoke of? - Yes, it does |
| 0:06:01 | So, I will show here when we do the basic initialization |
| 0:06:06 | how to get access to the ASDM |
| 0:06:08 | the vast majority of demos we are going to be doing for this class are going to be based on the command line |
| 0:06:13 | but if you are accessing our equipment, you do have the option to do either, or |
| 0:06:17 | you could do the command line or you could do the ASDM |
| 0:06:24 | so configuration wise |
| 0:06:26 | once we have console access the next thing we want to do is the |
| 0:06:29 | a basic initialization of the interfaces |
| 0:06:33 | so the interfaces are going to be shut down by default |
| 0:06:36 | so we need to go to, whatever the physical links are and simply say no shutdown |
| 0:06:40 | and you could see this if you look at the show interface output |
| 0:06:43 | just like on the routers it's going to tell you the interface statistics |
| 0:06:46 | and with the status on the links |
| 0:06:48 | so, is it administratively down, is it down-down, is it up-up, is it up-down |
| 0:06:54 | for a fully functional interface we are looking for the line protocol is up |
| 0:06:59 | and the link is up, so the up-up state |
| 0:07:03 | next we would need to figure out |
| 0:07:05 | are we running the interfaces as trunks or regular layer 2 access ports |
| 0:07:11 | so just like the routers' IOS |
| 0:07:14 | ASA does support multiple |
| 0:07:16 | possible modes of the link |
| 0:07:18 | for trunking this is going to be 802.1q encapsulation |
| 0:07:22 | this does not support ISL |
| 0:07:24 | So if we were to use trunking |
| 0:07:27 | we create multiple subinterfaces |
| 0:07:29 | and then specify what particular VLAN is going to be associated with that |
| 0:07:34 | So we will look at some cases where we are doing trunking both with single context mode |
| 0:07:39 | and with multiple context mode |
| 0:07:42 | when we look at the transparent firewall |
| 0:07:44 | there are some limitations as to how you are allocating interfaces |
| 0:07:48 | in that when we run single mode transparent firewall |
| 0:07:53 | we need a physical inside and a physical outside interface |
| 0:07:57 | if we run multiple context mode with transparent firewall |
| 0:08:01 | we cannot share physical interfaces between the contexts |
| 0:08:06 | so it means that we will need at least four |
| 0:08:08 | physical links to run multi context mode with transparent firewall |
| 0:08:12 | an inside and outside for one context |
| 0:08:14 | and a separate physical inside and outside for the secondary context |
| 0:08:21 | now once the interfaces are up |
| 0:08:23 | then we are going to specify what are the security levels |
| 0:08:27 | which again the higher numbered |
| 0:08:29 | is the more trusted interface |
| 0:08:31 | wherein an inside interface is allocated a security level of 100 |
| 0:08:36 | and everything else is 0 by default |
| 0:08:40 | so when we look at the inspection engine of the Modular Policy Framework |
| 0:08:44 | it's going to be allowing any traffic that originates from an interface with a higher security level |
| 0:08:50 | that leaves through a lower security level |
| 0:08:54 | so a normal inside to outside flow will be starting at 100 |
| 0:08:57 | and then leaving by a 0 |
| 0:09:00 | when the traffic returns it's coming back in 0 |
| 0:09:03 | will be 100 which is okay |
| 0:09:06 | only if there is a state already created in the connections table |
| 0:09:11 | so we are not going to allow unsolicited traffic from the outside in |
| 0:09:14 | but we will allow outside in traffic if it is in response |
| 0:09:18 | to something that was already initiated |
| 0:09:23 | next we need the interface's name or the nameif |
| 0:09:27 | this is just a string that we are going to use to reference the interface |
| 0:09:32 | from different configurations like Network Address Translation |
| 0:09:36 | or Access List application |
| 0:09:38 | where instead of referencing the physical hardware |
| 0:09:41 | for example ethernet 0/0 |
| 0:09:44 | or Gigabit ethernet 0/1 |
| 0:09:47 | we would represent by the nameif |
| 0:09:50 | which typically would be like inside, outside, DMZ |
| 0:09:53 | inside 2, outside 2 etc |
| 0:09:57 | so technically you can use whatever conventions you want |
| 0:10:00 | most of the time you would typically see this as inside and outside interfaces |
| 0:10:06 | then the last step we have is to assign the IP addresses |
| 0:10:11 | so just like in IOS we have the ip address command followed by the address and the mask |
| 0:10:16 | so basic initialization here |
| 0:10:19 | really not too complex |
| 0:10:21 | now the only thing we need to remember is that if we do not create |
| 0:10:25 | we do not assign the security level or the nameif |
| 0:10:29 | so we miss here two steps |
| 0:10:31 | we cannot forward traffic over the interface |
| 0:10:35 | so we need both the security level and the nameif |
| 0:10:40 | now in our particular case here |
| 0:10:42 | we have the ASA2 |
| 0:10:45 | that is going to have three separate segments that we are connecting to |
| 0:10:49 | we have the inside network |
| 0:10:51 | the outside network and the DMZ |
| 0:10:55 | so once the configuration is complete |
| 0:10:57 | ideally what we should be able to do is to send traffic |
| 0:11:00 | from the inside out |
| 0:11:03 | then have the traffic flow return |
| 0:11:07 | then we would have traffic that would move from the inside to the DMZ |
| 0:11:12 | and be able to return |
| 0:11:16 | then from the outside to the DMZ and to the top |
| 0:11:21 | so, assuming that whatever devices are on this DMZ segment |
| 0:11:26 | these are public servers |
| 0:11:29 | if we want these to be accessible both from the hosts on the inside and on the outside |
| 0:11:34 | we need to think of what are the security |
| 0:11:37 | levels going to be, the numerical values |
| 0:11:40 | and how is this going to affect how the traffic is going to be inspected between the interfaces |
| 0:11:47 | Now, in many cases you would see this type of configuration |
| 0:11:51 | where the inside interface is going to be assigned a security level of 100 |
| 0:11:55 | the outside interface would be assigned 0 |
| 0:12:00 | and the DMZ interface would be somewhere in between, 50 for e.g. |
| 0:12:07 | Now, since we are allowed to send traffic from the higher to lower |
| 0:12:11 | and then return assuming the traffic is being inspected |
| 0:12:14 | this would mean that the traffic flows |
| 0:12:16 | that should be allowed would be from inside to out and then back |
| 0:12:20 | from DMZ to out and then back |
| 0:12:24 | but not from DMZ to inside |
| 0:12:28 | not from outside to inside and not from outside to the DMZ |
| 0:12:33 | now depending on what it is you actually want with the design |
| 0:12:37 | it is valid to use these number assignments |
| 0:12:40 | another way to do this would be to set the outside interface |
| 0:12:45 | as a number somewhere between the |
| 0:12:48 | DMZ and the inside |
| 0:12:51 | so if we were to say 100 |
| 0:12:53 | 50 and 0 |
| 0:12:56 | it may make more sense for my public servers |
| 0:12:59 | so let's say, I have a web server here |
| 0:13:02 | the web server normally would not be initiating traffic out to the network |
| 0:13:08 | so in this particular design I would allow traffic |
| 0:13:11 | from the outside to go to the web server |
| 0:13:14 | and return |
| 0:13:17 | from the inside to go out and return |
| 0:13:20 | and also from the inside to the DMZ and return, inside to the web server |
| 0:13:27 | Now, regardless of what the security levels are |
| 0:13:30 | we can always configure an exception to this |
| 0:13:33 | with Access Lists and with the Inspection, with the Modular Policy Framework |
| 0:13:38 | So, the security level is kind of just a default value |
| 0:13:42 | that's going to make the design a little bit easier to implement |
| 0:13:45 | where we know automatically that the high to low is going to move |
| 0:13:50 | we are going to look at this in the case of the IOS firewall with the zone based firewall |
| 0:13:55 | that is not the case |
| 0:13:58 | there is no default association between the zones in the IOS |
| 0:14:02 | we manually have to define them |
| 0:14:04 | whether they are inside, outside in |
| 0:14:07 | inside the DMZ, outside the DMZ etc |
| 0:14:12 | over on the ASA, the security number |
| 0:14:14 | is what's giving us a default association between the interfaces |
| 0:14:21 | now there is a question here - Certain interfaces are classified as separate interface context |
| 0:14:28 | or separate interfaces or using multi context transparent mode |
| 0:14:33 | Some interfaces would be used |
| 0:14:36 | not in transparent mode, they are going to be used in routed mode |
| 0:14:40 | So, in this particular design here |
| 0:14:43 | notice that physically |
| 0:14:45 | the inside and the DMZ |
| 0:14:48 | were sharing the same main interface - ethernet 0/1 |
| 0:14:53 | on the DMZ it's ethernet 0/1.10 |
| 0:14:57 | on the inside it's ethernet 0/1.125 |
| 0:15:02 | now the actual numbers of the interfaces |
| 0:15:05 | are arbitrary, I can set here E0/1.1.500, whatever I want |
| 0:15:11 | but normally you would match this to whatever VLAN number is being encapsulated |
| 0:15:16 | just for clarity in your configuration |
| 0:15:20 | So if we were to look at this physically |
| 0:15:22 | the physical design of ASA 2 |
| 0:15:26 | has some sort of link that goes to E0/1 |
| 0:15:30 | and from the layer 2 switch that is attached to that |
| 0:15:33 | this is a dot1q trunk |
| 0:15:39 | whereas the outside interface is using the physical link ethernet 0/0 there |
| 0:15:43 | we don't need any special configuration |
| 0:15:46 | simply the nameif, the security level, and ip address |
| 0:15:50 | say no shutdown on the link |
| 0:15:52 | it should be good to go with the configuration |
| 0:15:55 | if we're doing trunking the only other thing to do is to define the subinterfaces |
| 0:15:59 | and then specify the VLAN |
| 0:16:02 | so we will look at the cases of trunking here both with using the |
| 0:16:06 | single context mode with the routed firewall |
| 0:16:09 | and the multiple context mode with the routed firewall |
| 0:16:13 | but not in the transparent mode |
| 0:16:15 | so in transparent mode we need two separate physical interfaces |
| 0:16:21 | So, let's take a look at the command line of ASA 2 here |
| 0:16:25 | right now I have a completely blank configuration, the only thing I went |
| 0:16:29 | and did so far was to go through the initial configuration dialogue |
| 0:16:33 | and essentially saying, No, I don't want to configure through the |
| 0:16:37 | prompts, so when you reload the device |
| 0:16:40 | just like in a router, you can go through that |
| 0:16:42 | that initial configuration dialogue is going to ask you questions |
| 0:16:46 | you can go through that basic setup if you want to, I could also just say |
| 0:16:54 | and may not be able to do when I am on this version |
| 0:16:59 | let's actually, let's reload the other so we can see exactly what it says |
| 0:17:11 | Hey, we will come back to this side of the ASA while |
| 0:17:14 | the first one is loading, so from here |
| 0:17:17 | we can see it has a default host name of ciscoasa |
| 0:17:20 | on the pound sign just like on the router, it means that we're at privilege level 15 |
| 0:17:24 | when we look at the show privilege |
| 0:17:37 | and you see, let's show mode and show firewall |
| 0:17:43 | we are in router mode |
| 0:17:53 | I may need to configure AAA before we do that, we will come back to this later |
| 0:17:56 | when we get to AAA |
| 0:17:58 | but, by default the pound sign here means that we are at |
| 0:18:01 | privilege level 15 |
| 0:18:03 | so essentially we can make whatever changes we want |
| 0:18:08 | if we look at the show interfaces |
| 0:18:12 | we can see the basic statistics of them |
| 0:18:15 | the links are running auto negotiation by default, in this case they negotiated to full duplex or 100 megs |
| 0:18:22 | really the only thing that I care about here |
| 0:18:24 | is what state it's in |
| 0:18:26 | so if I would have said show interface and include |
| 0:18:30 | the protocol, with the keyword protocol |
| 0:18:34 | you will see that there are 6 different links |
| 0:18:37 | four of them are physical ethernets |
| 0:18:40 | we have the dedicated management interface |
| 0:18:43 | and then a virtual interface |
| 0:18:45 | we will come back to it a little bit later and talk about what the virtual interfaces are for |
| 0:18:50 | we can see at the physical links |
| 0:18:52 | by default most of them are shut down |
| 0:18:55 | so, this would be my step, just to go to the links, say no shutdown |
| 0:18:59 | and make sure that they come into the up and up state |
| 0:19:04 | Now, one thing that is different between the routers and the ASA |
| 0:19:08 | is that it does not run CDP |
| 0:19:11 | we look at show cdp neighbors - doesn't support it |
| 0:19:15 | So, we will have to know based on the physical wiring of the network |
| 0:19:19 | exactly where the interfaces are plugged in |
| 0:19:22 | with the routers and the switches it's a little bit easier to do this |
| 0:19:26 | because we can just say show cdp neighbors |
| 0:19:28 | and verify how the network is physically wired |
| 0:19:32 | now within the scope of this CCIE lab exam they will give you some sort of table |
| 0:19:37 | that's going to show how the network is physically cabled |
| 0:19:40 | you would then need to correlate this |
| 0:19:43 | with the logical layer 3 diagram |
| 0:19:46 | to figure out how the network actually needs to be built |
| 0:19:50 | so if we look at the logical diagram that I have here |
| 0:19:53 | the ASA is using two different interfaces |
| 0:19:56 | it is the interface |
| 0:19:59 | e0/0 |
| 0:20:01 | and interface e0/1 |
| 0:20:06 | where in my case the e0/0 |
| 0:20:09 | is physically connected to switch 2's |
| 0:20:12 | port fast ethernet 12 |
| 0:20:16 | and ethernet 0/1 is going to switch 1's port |
| 0:20:22 | fast ethernet 0/13 |
| 0:20:27 | so from a layer 2 networking point of view |
| 0:20:30 | I would probably want to verify before going any further |
| 0:20:33 | is the layer 2 switch |
| 0:20:35 | actually properly configured on this port |
| 0:20:38 | so that it's assigned in VLAN 122 |
| 0:20:43 | then for ethernet 0/1 since I am going to be using this for trunking |
| 0:20:48 | I would want to verify on switch 1 |
| 0:20:50 | is this port actually configured as a dot1q trunk |
| 0:20:54 | if it is configured as a dot1q trunk |
| 0:20:57 | is it actually forwarding VLAN 10 and VLAN 125 |
| 0:21:01 | which is what I am trying to encapsulate |
| 0:21:05 | so as I mentioned before |
| 0:21:07 | you don't have to be an expert in layer 2 and layer 3 networking for these security topics |
| 0:21:12 | but if you don't understand the basic logic about how the network is built |
| 0:21:16 | if you run into a problem and you need to troubleshoot |
| 0:21:19 | you do need to take into account Layer 2 and Layer 3 |
| 0:21:23 | so something like if routing is broken then your VPNs are going to be broken |
| 0:21:27 | if something in ethernet, or frame relay or ATM |
| 0:21:31 | whatever other layer 2 protocol you are using |
| 0:21:33 | if that's not working then none of the other topics on top of that are going to work |
| 0:21:39 | so let's go to the switches' breadcrumb |
| 0:21:42 | and that switch 1, let's look at the |
| 0:21:45 | show interface status |
| 0:21:48 | well, again in my case |
| 0:21:51 | ASA 2's ethernet 0/1 |
| 0:21:54 | is connected to port 50 |
| 0:21:58 | now you will see just for some documentation |
| 0:22:02 | of the network I do have descriptions pre configured on these links |
| 0:22:05 | so it will make it a little bit easier for us to understand how the network is physically wired |
| 0:22:09 | as we are moving the configurations of these interfaces around |
| 0:22:14 | so fast ethernet 0/15 if we show run interface fa0/15 |
| 0:22:20 | so this is going to ASA 2's port e0/1, it is configured as a trunk |
| 0:22:26 | now just like the routers |
| 0:22:29 | the ASA does not support the Dynamic Trunking Protocol which is DTP |
| 0:22:35 | this means that the mode of the interface |
| 0:22:38 | must be hardcoded to be a trunk |
| 0:22:42 | depending on the particular platform and the Catalyst IOS that it's using |
| 0:22:47 | the interface could be configured |
| 0:22:49 | as dynamic desirable or a dynamic auto port |
| 0:22:53 | which means that they are either sending |
| 0:22:56 | DTP negotiations |
| 0:22:58 | in the case of dynamic desirable |
| 0:23:00 | or listening for DTP negotiations in the case of dynamic auto |
| 0:23:06 | but since the ASA does not support this |
| 0:23:08 | it's not automatically going to trunk on its interface |
| 0:23:12 | so on switch 1 what I am doing here is just hard coding the encapsulation and hard coding the trunking |
| 0:23:17 | So, now if I look into show spanning-tree |
| 0:23:20 | interface fast ethernet 0/15 |
| 0:23:23 | I should ideally see that the VLANs I want |
| 0:23:26 | which are VLAN 10 |
| 0:23:28 | and VLAN 125 |
| 0:23:31 | that those are actually forwarding over the interface |
| 0:23:37 | now, we can also see in this case there are a number of other different VLANs |
| 0:23:42 | that I am not actually using in the design that are forwarding on that link |
| 0:23:47 | from a network optimisation point of view this is not what I would want |
| 0:23:53 | because when we look at the logical topology |
| 0:23:56 | ASA 2 really should only be encapsulating |
| 0:23:59 | two different VLANs on its interface there |
| 0:24:03 | it should be encapsulating VLAN 10 |
| 0:24:08 | for the DMZ network |
| 0:24:10 | and should be encapsulating VLAN 125 for the inside network |
| 0:24:15 | if I have other VLANs |
| 0:24:18 | that the switch is actually trunking to that link but the ASA is not encapsulating |
| 0:24:23 | what is it going to mean from the ASA's point of view |
| 0:24:30 | what other type of traffic is going to be received down that physical interface |
| 0:24:37 | it's going to be any unknown unicast in that VLAN |
| 0:24:43 | any unknown multicast and any broadcast traffic |
| 0:24:47 | so here when I look into show spanning-tree interface |
| 0:24:51 | there are tonnes of other VLANs that I am not actually using, you know 4 |
| 0:24:54 | 6, 10 not actually, 10 I do want |
| 0:24:58 | but the other ones that are not 10 and not 125 |
| 0:25:02 | it's a bunch of useless traffic that I am receiving on the ASA's interface |
| 0:25:07 | so typically what you would want to do in this type of design |
| 0:25:11 | is go to the interface |
| 0:25:13 | and remove all of the VLANs that you are not encapsulating |
| 0:25:18 | I would say the switchport trunk allowed list |
| 0:25:22 | is going to include just VLAN 10 and 125 |
| 0:25:29 | Now, if we look at the output of the show spanning-tree |
| 0:25:32 | or the show interface fast ethernet 15 trunk |
| 0:25:36 | the only two VLANs that are now encapsulated |
| 0:25:40 | are the ones that I actually need |
| 0:25:45 | so again you technically don't need to do this in the design |
| 0:25:48 | it's simply an optimization of traffic flow |
| 0:25:51 | it's now going to be sure |
| 0:25:53 | that the ASA is not going to receive |
| 0:25:56 | broadcast or unknown frames |
| 0:25:59 | for any VLANs that it does not actually want to use |
| 0:26:03 | now additionally if I was doing VTP pruning in my layer 2 network |
| 0:26:08 | this configuration here where I limited the trunk |
| 0:26:11 | this would be required for VTP pruning |
| 0:26:16 | does anybody know why that is the case |
| 0:26:21 | if I did not do this command switchport trunk allowed vlan 10,125 |
| 0:26:27 | this is going to break VTP pruning |
| 0:26:32 | and specifically the reason why |
| 0:26:35 | is that the switch that is attached to the ASA |
| 0:26:38 | so we have ASA2 |
| 0:26:42 | and this is ethernet 0/1 |
| 0:26:46 | or again ethernet 0/1 is going to switch 1 |
| 0:26:49 | port fast ethernet |
| 0:26:52 | 13, excuse me 15 |
| 0:26:55 | and then we have some other layer 2 switches in the network, that's switch 2 |
| 0:26:58 | and theoretically we have any number of switches beyond that |
| 0:27:04 | now these switches are all running VTP |
| 0:27:07 | and running VTP pruning |
| 0:27:09 | in order to limit the amount of traffic that is going over trunk links |
| 0:27:13 | what's going to happen is that |
| 0:27:16 | switch 1 says this is a trunk |
| 0:27:19 | hey this is a trunk because I manually configured it that way |
| 0:27:22 | it's encapsulated dot1q |
| 0:27:24 | this means that VTP messages |
| 0:27:27 | are going to go out there |
| 0:27:29 | I am going to send a VTP pruning request |
| 0:27:35 | what is the ASA going to do when it gets this VTP message |
| 0:27:41 | it's simply going to get started |
| 0:27:44 | because it doesn't support VTP, it's not a layer 2 switch |
| 0:27:48 | so what happens from switch 1's perspective |
| 0:27:51 | is that the VTP |
| 0:27:53 | request goes out |
| 0:27:55 | it then never receives a response back in |
| 0:27:58 | but since this is a trunk link |
| 0:28:01 | it can guarantee |
| 0:28:03 | that switch 2 and whatever switches are beyond there |
| 0:28:07 | can prune VLANs off of the trunks |
| 0:28:11 | so essentially what that means |
| 0:28:13 | is that all of these links that are connecting to switches |
| 0:28:18 | so this between switch 1 and switch 2 |
| 0:28:21 | and any of the links beyond them |
| 0:28:23 | it would basically do the same, is to say the link VTP prune |
| 0:28:28 | from none of the VLANs anywhere in the network will be able to prune |
| 0:28:32 | because you cannot guarantee |
| 0:28:34 | that they do need to be forwarded out that line |
| 0:28:38 | and the way that we can manually prune it |
| 0:28:41 | again is with this command switchport trunk allowed vlan |
| 0:28:47 | so this is technically not directly related to VTP |
| 0:28:50 | but it's an optimisation both of the |
| 0:28:53 | stopping the unknown frames |
| 0:28:56 | then for an interface that normally would have VTP pruning allowed |
| 0:29:01 | this is the manual way to do it |
| 0:29:04 | so switch 1 would know it could send a pruning |
| 0:29:07 | request to the other switches |
| 0:29:09 | and say the only VLANs that I need here are 10, 125 |
| 0:29:12 | and then whatever other ones I am locally using or that I am in the transit path for |
| 0:29:21 | Okay, so up to this point we verified now that the |
| 0:29:24 | trunk on the inside is correct going through ASA 2 |
| 0:29:28 | now I need to know, on that outside interface |
| 0:29:31 | that is connecting to |
| 0:29:38 | connecting to VLAN 122 |
| 0:29:41 | is this outside interface actually assigned to that VLAN |
| 0:29:45 | in this particular case again ethernet 0/0 |
| 0:29:47 | is connected to switch |
| 0:29:50 | to port 40 |
| 0:29:53 | so on switch 2 if we look at the show interface status |
| 0:29:59 | out here the description here says port 14 is going to ASA 2's e0/0 |
| 0:30:05 | This is running in VLAN 122 |
| 0:30:09 | Now for the CCIE Security Lab exam |
| 0:30:12 | at this point I would take a couple of extra minutes |
| 0:30:14 | and actually verify that the rest of the VLAN assignments are correct |
| 0:30:19 | So I don't want to start my troubleshooting process, it's something at layer 3 or above |
| 0:30:25 | when I have not yet verified the layer 2 network is actually functioning |
| 0:30:31 | So it's really not going to take me that long |
| 0:30:33 | to look at the show interface commands |
| 0:30:36 | and I can even exclude the interfaces that are not connected |
| 0:30:42 | just simply look at this list |
| 0:30:44 | of what are the links that are actually being used |
| 0:30:47 | what are the VLAN assignments or the trunking |
| 0:30:51 | then compare this with the diagram to make sure it's actually matching up |
| 0:30:55 | where the other link at router 2 is attaching there |
| 0:30:58 | is in a ?? VLAN is in 122 |
| 0:31:01 | the link that router 5 is using |
| 0:31:03 | fast ethernet 0/1 |
| 0:31:06 | this is going to |
| 0:31:08 | switch 2's port fast ethernet 5, this is in VLAN 125 |
| 0:31:12 | So, I could tell that there is no problem with the basic layer 2 network |
| 0:31:18 | Okay, our next step will then be to |
| 0:31:21 | do the rest of the initialization of the interfaces |
| 0:31:24 | So, we will go to global config |
| 0:31:26 | I will give it a hostname just for clarity, say this is |
| 0:31:30 | Rack9asa2 |
| 0:31:32 | So, I am on rack9 for these demos |
| 0:31:34 | and on interface 0/0 |
| 0:31:39 | this again is going to be the outside interface |
| 0:31:43 | you can see it says the outside interface is being set to security level 0 by default |
| 0:31:48 | So, we couldn't manually define this |
| 0:31:52 | or the nameif is going to automatically assign it |
| 0:31:55 | to 0 unless the nameif is inside |
| 0:31:59 | the keyword inside |
|
0:32:02
|
is a special denomination that is for the link of the highest security level
|
|
0:32:08
|
by the name of the security level
|
|
0:32:10
|
if it is not shut down then I want the IP Address
|
|
0:32:14
|
and in this specific case I am
|
|
0:32:17
|
unless outside link its 200.0.122.12/24
|
|
0:32:24
|
so 200.0.122.12/24
|
|
0:32:34
|
Now at this assuming that the rest of the layer 2 network is working
|
|
0:32:38
|
I shoud be able to do a basic test with ICMP
|
|
0:32:41
|
So, if I say ping 200.0.122.2
|
|
0:32:44
|
thats router2 's address
|
|
0:32:47
|
here we can see, ICMP is working
|
|
0:32:51
|
so by default from the ASA itself
|
|
0:32:55
|
we are able to locally originate ICMP echos and get the replies back in
|
|
0:33:01
|
if I were to go to the other end of this connection on router2
|
|
0:33:05
|
and ping the ASA's address
|
|
0:33:10
|
even though we are coming in on the outside interface
|
|
0:33:14
|
basic ICMP ping is allowed by default just for testing
|
|
0:33:20
|
now we could filter this out, or we could disable
|
|
0:33:23
|
the feature on the ASA so that it would not respond to ICMP pings
|
|
0:33:28
|
but just for the basic initialization this is a good test to make sure that the link itself is working
|
|
0:33:36
|
So, now let's do it on our inside and DMZ interfaces
|
|
0:33:40
|
the inside interface is going to be subinterface 125
|
|
0:33:44
|
and this is in VLAN 125
|
|
0:33:48
|
it will say interface e0/1.125
|
|
0:33:53
|
this is being used to encapsulate VLAN 125
|
|
0:33:57
|
Now, notice that it doesn't give us the option of are we using dot1q or ISL
|
|
0:34:03
|
only supports dot1q encapsulation
|
|
0:34:07
|
from this point on we are going to treat the subinterface just as if it was any other physical LAN
|
|
0:34:13
|
So, only these two commands
|
|
0:34:15
|
are going to be the main difference
|
|
0:34:18
|
between using the physical interface
|
|
0:34:21
|
and using the subinterface for using the VLAN encapsulation
|
|
0:34:27
|
So, even if you only have one physical interface on your ASA
|
|
0:34:31
|
you still could define the different subinterfaces
|
|
0:34:34
|
and then have multiple security levels for
|
|
0:34:36
|
testing complex policies
|
|
0:34:43
|
So, again this is going to be our inside interface
|
|
0:34:46
|
So, we will say, nameif inside
|
|
0:34:49
|
and we can see that this does set the security level automatically to 100
|
|
0:34:55
|
but anything else besides this, if I said inside1 or inside2, or any other variation
|
|
0:35:00
|
that's always going to be 0 by default
|
|
0:35:03
|
only the quote unquote inside interface gets security level 100
|
|
0:35:08
|
but again I could manually change this if I want to, I can set any value 0 through 100
|
|
0:35:15
|
Hey, next I want my ip address
|
|
0:35:19
|
which on this segment is going to be 10.0.125.12/24
|
|
0:35:26
|
10.0.125.12/24
|
|
0:35:31
|
and ideally I should now be able to ping
|
|
0:35:34
|
router5's address, which I can
|
|
0:35:38
|
same case is going to be for the DMZ
|
|
0:35:41
|
DMZ is using VLAN 10
|
|
0:35:44
|
it has the address 10.0.0.12/24
|
|
0:35:52
|
the nameif, I will call this DMZ, and we can see it is set to 0
|
|
0:35:58
|
So right now both the DMZ and the outside interface have the same security level
|
|
0:36:04
|
the host on this segment is the AAA server
|
|
0:36:08
|
has the address 1.0.0.100
|
|
0:36:13
|
and we can see we do have connected to that
|
|
0:36:17
|
Now, at this point
|
|
0:36:20
|
now the ASA is ready to
|
|
0:36:22
|
route the traffic between its interfaces
|
|
0:36:26
|
since we have not yet configured any routing protocols
|
|
0:36:29
|
it's only able to send traffic to any directly connected destinations
|
|
0:36:35
|
but technically this would be your minimum configuration if you need
|
|
0:36:40
|
So, simply initialize the interfaces
|
|
0:36:43
|
give them their names
|
|
0:36:45
|
give them the security levels
|
|
0:36:50
|
assuming we are running IPv4 we need to give an IP address
|
|
0:36:54
|
and just make sure that the interface is not shut down
|
|
0:36:59
|
again for the subinterfaces, the only other change is the subinterface number
|
|
0:37:02
|
and then whatever the VLANs that were used
|
|
0:37:06
|
So, technically these don't have to be the same
|
|
0:37:08
|
but there is really no reason that you would not want to match them, so just for clarity here
|
|
0:37:16
|
okay, so let's look at the traffic flows
|
|
0:37:19
|
through the device
|
|
0:37:21
|
now I don't have any routing configured
|
|
0:37:23
|
so what I am going to do temporarily is go to the routers
|
|
0:37:27
|
on the inside and the outside
|
|
0:37:30
|
which are router5 and router2
|
|
0:37:33
|
and I am simply going to configure static routing
|
|
0:37:36
|
So, router5 is going to say to get to the network 200.0.122.0/24
|
|
0:37:44
|
I am going to use the next hop of 10.0.125.12
|
|
0:37:48
|
it's pointing to the address of the ASA
|
|
0:37:52
|
then likewise router2 from the outside in
|
|
0:37:55
|
is going to say to get to 10.0.125.0/24
|
|
0:38:01
|
will use 200.0.122.12
|
|
0:38:08
|
now as I mentioned before, if we were running in multiple context mode
|
|
0:38:13
|
or transparent firewall
|
|
0:38:15
|
that's going to disable your ability to use any dynamic routing protocol
|
|
0:38:20
|
so after we get the basic functionality working, we will look at the dynamic routing
|
|
0:38:25
|
but in transparent mode and in multi context mode
|
|
0:38:28
|
dynamic routing is not enabled or not available
|
|
0:38:33
|
as you get router2 just going to say to that, particular
|
|
0:38:39
|
I am routing towards the ASA
|
|
0:38:47
|
then router5 is going to say the same thing
|
|
0:39:07
|
so again router5 is on the inside and router2 is on the outside
|
|
0:39:11
|
since we are going from a higher security level to a lower security level
|
|
0:39:15
|
this traffic should be allowed by default
|
|
0:39:19
|
now what we would next need to know is
|
|
0:39:22
|
what exactly is the traffic that is being inspected
|
|
0:39:25
|
because remember as I mentioned with the Modular Policy Framework
|
|
0:39:29
|
there are application level inspections
|
|
0:39:32
|
and then there are manual exceptions that you would do with an Access List
|
|
0:39:37
|
if the traffic is not being inspected
|
|
0:39:40
|
and it is not being allowed with an access list
|
|
0:39:44
|
it would still be denied
|
|
0:39:46
|
even though we are going from higher to a lower security level
|
|
0:39:51
|
that has to do with the return traffic that is coming back inbound
|
|
0:39:56
|
Now, if we look at the ASA
|
|
0:39:59
|
and look at the show run all
|
|
0:40:03
|
and show run all, you will see, I am going to be using a lot during these demos
|
|
0:40:08
|
this is a little bit different than the IOS
|
|
0:40:11
|
because when we say show run all
|
|
0:40:14
|
it's going to show not only the changes we have made
|
|
0:40:17
|
but whatever the default options
|
|
0:40:20
|
of the configuration
|
|
0:40:22
|
So, if I were to say show run all interface
|
|
0:40:28
|
we could see that on the physical link ethernet 0/0
|
|
0:40:32
|
the speed is auto, the duplex is auto and the delay is 1
|
|
0:40:36
|
with the delay this would be used for routing network
|
|
0:40:40
|
if we compare this to the show run interface instead of show run all interface
|
|
0:40:46
|
the second output does not show what the defaults are
|
|
0:40:52
|
now where this is especially going to be useful
|
|
0:40:55
|
is for any of our Modular Policy Framework changes
|
|
0:40:59
|
or any of our crypto configs
|
|
0:41:02
|
where the crypto configs would be like our IPSec, Lan-to-Lan
|
|
0:41:05
|
IPSec remote access or the SSL VPN remote access
|
|
0:41:10
|
So, the main ones that we are going to look at are the show run all policy map
|
|
0:41:17
|
which tells us what the inspection policies are
|
|
0:41:23
|
So, all of these options, these are all the defaults
|
|
0:41:27
|
show run all class map
|
|
0:41:31
|
is going to show us, what is the default traffic that is being matched
|
|
0:41:38
|
the show run all regex
|
|
0:41:40
|
for regular expressions
|
|
0:41:42
|
is going to show us what are some of the patterns
|
|
0:41:46
|
that the ASA is matching during its inspections
|
|
0:41:50
|
So, if were to look at
|
|
0:41:52
|
lets say, this one that says default
|
|
0:41:55
|
msn-messenger
|
|
0:41:59
|
its saying look for either
|
|
0:42:01
|
an upper case or lower case A
|
|
0:42:05
|
an uppercase or lowercase P
|
|
0:42:08
|
case insensitive p case insensitive o etc
|
|
0:42:12
|
then we are doing an escape sequence for
|
|
0:42:16
|
a /[slash]
|
|
0:42:20
|
x-msn-messenger
|
|
0:42:25
|
what this is actually looking for
|
|
0:42:28
|
is the string, essentially the case insensitive string
|
|
0:42:32
|
that would say application
|
|
0:42:40
|
application / [forward slash] msn
|
|
0:42:46
|
application/x-msn-messenger
|
|
0:42:51
|
or application
|
|
0:42:53
|
\[back slash]x-msn-messenger
|
|
0:42:57
|
and both of these would be case insensitive
|
|
0:43:02
|
Now where this regex is being called from
|
|
0:43:05
|
is an inspection class
|
|
0:43:08
|
that is doing an instant messaging inspection
|
|
0:43:12
|
so what it's doing is looking inside the payload of TCP
|
|
0:43:16
|
and trying to figure out, Can I figure out the string
|
|
0:43:19
|
that reads as either one of these
|
|
0:43:22
|
now the key here
|
|
0:43:25
|
is that your msn instant messenger or your msn live messenger
|
|
0:43:30
|
is somewhere in the header
|
|
0:43:32
|
of its communication, going to use this
|
|
0:43:35
|
this signature application/x-msn-messenger
|
|
0:43:39
|
so if this regular expression matches true
|
|
0:43:42
|
it means that we would either be able to permit or deny the traffic based on the actual application
|
|
0:43:51
|
So, when you actually look behind the scenes, how the application inspection works
|
|
0:43:56
|
it's a lot of manual work that we need to go through
|
|
0:43:59
|
to figure out what is the signature
|
|
0:44:01
|
at the application level
|
|
0:44:03
|
for that particular type of traffic
|
|
0:44:07
|
Now when we get into the advanced inspection, we will look at a change in this
|
|
0:44:10
|
things like, how do I match a particular domain name
|
|
0:44:14
|
or a particular file type, or a particular mime type
|
|
0:44:19
|
like to say I don't want people to be able to run java
|
|
0:44:22
|
or I don't want people to be able to run flash on websites
|
|
0:44:26
|
So, we could look into any arbitrary string
|
|
0:44:29
|
inside of the payload of the packet
|
|
0:44:32
|
both for UDP and TCP flows
|
|
0:44:36
|
and then take custom action that we are going to define
|
|
0:44:39
|
now in this particular case
|
|
0:44:42
|
if we look at here this default
|
|
0:44:44
|
msn-messenger regular expression
|
|
0:44:47
|
this should then have been called
|
|
0:44:49
|
from an inspection class
|
|
0:44:53
|
which is
|
|
0:44:56
|
this one here
|
|
0:45:00
|
says class type inspect http match all default msn messenger
|
|
0:45:05
|
which is match response header content type regex default msn messenger
|
|
0:45:11
|
Hey, what it's saying is that we are doing a web inspection
|
|
0:45:15
|
If I hit the server and in its header it sends me the response
|
|
0:45:20
|
that has that string that says
|
|
0:45:23
|
application/x-msn-messenger
|
|
0:45:26
|
then I know it's from that IM service
|
|
0:45:29
|
Now what I am actually doing with this is looking where the inspection class is called from
|
|
0:45:36
|
it should be inside one of these default policy maps
|
|
0:45:44
|
and actually it's not called at all, what this means
|
|
0:45:48
|
is that by default ASA is not inspecting msn instant messenger
|
|
0:45:53
|
if I were to say inspect that type of application
|
|
0:45:57
|
it's going to use those default values
|
|
0:46:00
|
from the
|
|
0:46:03
|
particular regular expressions that are configured here
|
|
0:46:08
|
So, again we are going to get into these in much more detail later
|
|
0:46:12
|
but the key is that the show run all command
|
|
0:46:15
|
is going to show you a lot of default options
|
|
0:46:18
|
that you can then change around to match whatever particular syntax that you want
|
|
0:46:23
|
So, show run all class map
|
|
0:46:26
|
show run all policy map
|
|
0:46:29
|
show run all regex
|
|
0:46:31
|
show run all service policy
|
|
0:46:34
|
this shows us the actual application of the policy
|
|
0:46:38
|
show run all group-policy
|
|
0:46:43
|
and show run all tunnel-group
|
|
0:46:48
|
these two are going to be for IPSec configurations
|
|
0:46:51
|
Hey and technically on SSL VPN
|
|
0:46:54
|
where here it says we have different types of tunnel groups
|
|
0:46:59
|
one of them is the tunnel group that is default L2L group
|
|
0:47:02
|
this is a type IPSec L2L
|
|
0:47:05
|
Hey, this means that a Lan-to-Lan or Site to Site IPSec tunnel
|
|
0:47:11
|
and specifically for the
|
|
0:47:16
|
IPSec tunnels that are defined with this default group policy
|
|
0:47:20
|
they are not going to have a pre-shared key defined
|
|
0:47:25
|
they don't have a trust point which would be like the certificate authority
|
|
0:47:29
|
the keep alive threshold is 10 retries 2, so this is for our phase 1 keep alives
|
|
0:47:35
|
we can see what are allowed for the default values here
|
|
0:47:39
|
if we then look at the remote access groups
|
|
0:47:43
|
this would be like for our easy VPN server
|
|
0:47:47
|
it says that by default
|
|
0:47:50
|
that there is no DHCP server defined for you
|
|
0:47:54
|
and there is no IPv4, IPv6 address pool defined
|
|
0:47:59
|
it says the default group policy is DfltGrpPolicy
|
|
0:48:05
|
which is what I saw, when I said show all group policy
|
|
0:48:09
|
these would be the different attributes that are then going to be applied to the VPN user
|
|
0:48:16
|
So, for example, if I can configure this as a VPN server, when I connect my client
|
|
0:48:21
|
there is not going to be a default value, there is not a default DNS server or default WINS server that is defined
|
|
0:48:29
|
what you could see just by looking at these default values, a lot of the syntax is fairly self explanatory as to what it does
|
|
0:48:37
|
So, now we don't need to spend a lot of time in either the configuration guide or the command reference to look the stuff up
|
|
0:48:44
|
because assuming we know what perfect forward secrecy is within the scope of IPSec
|
|
0:48:51
|
it's simply a switch that I am either enabling or disabling
|
|
0:48:55
|
to see it's going to apply to these particular users
|
|
0:48:58
|
Hey, where in this case a perfect forward secrecy means what
|
|
0:49:04
|
Okay, it means that when we run phase II
|
|
0:49:08
|
for your IPSec negotiation
|
|
0:49:11
|
every time you rekey, so every time you create a new encryption key
|
|
0:49:16
|
you rerun the Diffie-Hellman negotiation or DH exchange
|
|
0:49:20
|
so that means you generate new prime numbers and then you generate a new encryption key
|
|
0:49:25
|
since it's not based off the previous keys
|
|
0:49:29
|
it's much less likely that someone would be able to do, like, a brute force attack on the key
|
|
0:49:35
|
So, for higher security environment you would want this on
|
|
0:49:39
|
the problem is that it's more CPU intensive because you need to regenerate the algorithm
|
|
0:49:43
|
every time you do a new key for Phase II
|
|
0:49:47
|
and if I would like to say that my phase II security association time is like 30 seconds
|
|
0:49:53
|
then you would see that the ASA would just be using 100% CPU all the time
|
|
0:49:58
|
trying to recalculate the keys over and over
|
|
0:50:03
|
So, we will get into more details as to
|
|
0:50:06
|
exactly what these default values are and when we would, or would not, like to change them
|
|
0:50:10
|
but the key, just up to this point, is that we have that command which is the show run all
|
|
0:50:15
|
so it's going to be very helpful for a lot of the changes we are, now what we are doing here
|
|
0:50:22
|
Okay, so getting back to, the basic testing, so now I have the
|
|
0:50:27
|
the static routing configured on router5 and router2
|
|
0:50:31
|
if we look at the show run all class map
|
|
0:50:38
|
this tells me
|
|
0:50:40
|
that I have a class that is called
|
|
0:50:44
|
inspection default, that says match default inspection traffic
|
|
0:50:49
|
if you were to say show run all
|
|
0:50:56
|
default inspection traffic, I need to see this under
|
|
0:51:01
|
I see, I would need to see it under a class map
|
|
0:51:04
|
if we say class map, this is given any random name for now, say class-map X
|
|
0:51:10
|
match ?[question mark]
|
|
0:51:13
|
this default inspection traffic
|
|
0:51:17
|
these are the application level inspections that we are doing automatically
|
|
0:51:24
|
So, FTP, HTTP, DNS
|
|
0:51:28
|
that stuff is going to match automatically, now
|
|
0:51:32
|
the rest of the normal TCP and UDP applications
|
|
0:51:36
|
those should be allowed from the higher security to the lower security
|
|
0:51:40
|
So one basic way that we can test this, if it's working, is to telnet
|
|
0:51:46
|
So from the inside network on router5 I am going to telnet outside to router2
|
|
0:51:53
|
and I have all the routers preconfigured with the username password cisco
|
|
0:51:57
|
enable password likewise is cisco
|
|
0:51:59
|
from here if I look at the show users
|
|
0:52:03
|
we could see that the session is coming from that address that is on the inside
|
|
0:52:08
|
10.0.125.5
|
|
0:52:12
|
if we now were to go to the ASA
|
|
0:52:16
|
and look at the show connections
|
|
0:52:19
|
or the show connections details
|
|
0:52:24
|
we should see now in the state engine
|
|
0:52:27
|
the ASA knows that someone on the inside network with this address
|
|
0:52:33
|
10.0.125.5 is using this source port
|
|
0:52:39
|
So it's a random port, 65382
|
|
0:52:42
|
its going to this destination on the outside
|
|
0:52:45
|
using port no. 23 and this is TCP
|
|
0:52:49
|
So, the flags are [capital u] U, [capital i] I, [capital o] O
|
|
0:52:54
|
where U is the session is up
|
|
0:52:57
|
I - we have inbound data
|
|
0:52:59
|
and O - we have outbound data, so it's directional
|
|
0:53:03
|
hey, then the timeout there
|
|
0:53:05
|
eventually the connection would be deleted
|
|
0:53:08
|
if we do not hear either a TCP reset, the RST
|
|
0:53:13
|
or the TCP f-i-n, the FIN
|
|
0:53:18
|
if I now go to router5 and disconnect, so exit out of the telnet session
|
|
0:53:24
|
when we look at the show connections on the ASA
|
|
0:53:27
|
now the connection is gone
|
|
0:53:31
|
because a normal termination occurred
|
|
0:53:34
|
where the TCP client
|
|
0:53:36
|
is exiting the exact session
|
|
0:53:39
|
so that's generating the TCP FIN
|
|
0:53:42
|
that's the normal finishing of the session
|
|
0:53:45
|
if it was abnormally dropped
|
|
0:53:48
|
where neither the FIN nor the reset was heard
|
|
0:53:51
|
the connection is going to stay in the table but eventually then it's going to time out
|
|
0:53:58
|
now we will see that when we get into the more details of the Modular Policy Framework
|
|
0:54:02
|
essentially all of this is customizable
|
|
0:54:06
|
we could say the connection limits the connection timeouts
|
|
0:54:09
|
we could do all of these on a per host basis, we could do it on a per protocol, per subnet basis
|
|
0:54:14
|
there is a lot of flexibility about how the inspection engine works
|
|
0:54:20
|
now there is a question here
|
|
0:54:23
|
about ICMP
|
|
0:54:26
|
we saw that from router5, we were able to telnet, there is no problem with that
|
|
0:54:30
|
but if I ping from the same address
|
|
0:54:35
|
this is not allowed automatically
|
|
0:54:43
|
and that was kind of strange, that's right, because if we look at the
|
|
0:54:48
|
default inspection traffic, it does say ICMP
|
|
0:54:52
|
but ICMP is not actually inspected, automatically here
|
|
0:54:56
|
now you can't do this, we will see some different ways that you can do the inspection or can do the
|
|
0:55:02
|
the exceptions are the access lists, if we look at the show run policy map
|
|
0:55:07
|
okay, not show run all policy map , just show run policy map
|
|
0:55:12
|
this is the default inspection policy that we will see in the global config
|
|
0:55:16
|
So when inspecting the DNS
|
|
0:55:20
|
FTP, H.323
|
|
0:55:22
|
instead of some other protocols here
|
|
0:55:25
|
Now if I wanted to allow the pings
|
|
0:55:28
|
to go out, and then return back in
|
|
0:55:31
|
I need to tell the ASA's inspection engine to match that
|
|
0:55:36
|
Now what we will actually see
|
|
0:55:39
|
is that if I go to the inside and I am going to generate a bunch of these things
|
|
0:55:45
|
then I am going to go to router2 on the outside and look at the debug ICMP
|
|
0:55:52
|
Notice the traffic from router 5 to router 2 is actually getting there
|
|
0:56:00
|
So, if we look at the diagram, router5 is sending things to router2
|
|
0:56:06
|
They are going out this way, they get to 2, 2 is replying
|
|
0:56:12
|
5 is never getting the reply, we can tell based on the timeouts, that it is getting here, the dots
|
|
0:56:20
|
If we look at the ASA
|
|
0:56:22
|
and turn logging on
|
|
0:56:25
|
So we say logging is on, and at the console we are logging at severity 7
|
|
0:56:31
|
we should see all of the traffic that it is dropping
|
|
0:56:37
|
now obviously in production if you because it is going to show every single packet that is dropped
|
|
0:56:46
|
But this is one way that we can quickly see
|
|
0:56:49
|
whether the traffic flow that we are trying to get through is permitted or being denied by the policy
|
|
0:56:56
|
where in this case it says that
|
|
0:56:58
|
the traffic, ICMP, is being denied
|
|
0:57:02
|
as it comes inbound on the outside interface
|
|
0:57:05
|
from that particular host
|
|
0:57:08
|
the destination is inside, the type is 0, the code is 0
|
|
0:57:13
|
where ICMP type 0, code 0, that's an echo reply, that's a ping reply
|
|
0:57:20
|
So, now I have a couple of options, If I want to allow the pings through
|
|
0:57:25
|
either I need to tell the inspection engine to watch the traffic as it leaves
|
|
0:57:31
|
because notice I am not denying it as it's leaving, I am just not inspecting it.
|
|
0:57:36
|
This would be an equivalent of what, in IOS's zone based firewall,
|
|
0:57:45
|
it would be equivalent of the pass action
|
|
0:57:48
|
so pass in IOS zone firewall is different than inspect
|
|
0:57:52
|
because it says you can allow it through but simply not match the traffic
|
|
0:57:58
|
if now on the ASA I say no logging, or no logging on
|
|
0:58:04
|
hey that's the same as basically saying, like, undebug all on the routers, you are just turning logging off
|
|
0:58:12
|
so again there are these 2 ways I can fix this
|
|
0:58:15
|
either inspect the traffic or manually allow the backend ??
|
|
0:58:20
|
now for now I am just going to inspect the traffic
|
|
0:58:24
|
we will get into later more detail how we can use the access lists as these exceptions
|
|
0:58:29
|
so we look at the show run policy map
|
|
0:58:33
|
I am going to go to this global policy
|
|
0:58:36
|
I'll say for class inspection default I want to inspect
|
|
0:58:42
|
ICMP
|
|
0:58:44
|
so these options here, these are the default applications that the ASA can support inspection of
|
|
0:58:54
|
so if we look at router 5
|
|
0:58:57
|
we should see here once the inspection actually applies
|
|
0:59:01
|
so it's going to take a minute for it to compile internally
|
|
0:59:07
|
we should see that these things are going to start to go through
|
|
0:59:14
|
we look at the show run policy map
|
|
0:59:18
|
we see at the end now ICMP is being inspected
|
|
0:59:21
|
we look at the show connections or show connections detail
|
|
0:59:25
|
now we can see ICMP is being matched in there
|
|
0:59:36
|
and now the traffic flows going through
|
|
0:59:41
|
so the key here is that when the traffic is matched by the inspection engine
|
|
0:59:46
|
it's a bidirectional flow
|
|
0:59:49
|
the ASA is watching the traffic as it comes from inside and moves out
|
|
0:59:53
|
so it assumes that when it comes from outside back in
|
|
0:59:58
|
since there was already an entry in the connection table
|
|
1:00:02
|
this reverse session should be allowed
|
|
1:00:06
|
so you can think of it kind of like a dynamic access entry, it says on the outside interface
|
|
1:00:11
|
allow traffic to come from 200.0.122.2
|
|
1:00:16
|
if it is using ICMP type code 0
|
|
1:00:21
|
and it's going on the inside interface, it can go to this address
|
|
1:00:28
|
now what this does not allow us to do
|
|
1:00:31
|
is to send unsolicited traffic from the outside in
|
|
1:00:36
|
so even though router 5 can ping 2
|
|
1:00:41
|
2 cannot ping 5
|
|
1:00:43
|
because the ASA knows the difference between the different ICMP type codes
|
|
1:00:49
|
so as I am inspecting ICMP and someone is doing a ping
|
|
1:00:53
|
for every one echo that I send out
|
|
1:00:56
|
I should be receiving one echo reply back in
|
|
1:01:01
|
so once the echo goes out and the echo reply comes back
|
|
1:01:05
|
it's going to delete that connection out of the table
|
|
1:01:08
|
that's why we don't see tons of connections here, we only see, as I said, at most one
|