PPT – Security - Cisco Firewall TRAINING PowerPoint presentation

About This Presentation

Title:

Security - Cisco Firewall TRAINING

Description:

Security - Cisco Firewall TRAINING ... – PowerPoint PPT presentation

Number of Views:1628

Avg rating:3.0/5.0

Slides: 157

Provided by: NguyenHuu

Category:

more less

Transcript and Presenter's Notes

Title: Security - Cisco Firewall TRAINING

1
Security - Cisco FirewallTRAINING
2
Course Flow
Day 1
Day 2
Day 3

N?i Dung
M?c Tiêu
L?ch H?c Trong 5 ngày
Sáng t? 9h-11h30
Chi?u t? 14h-16h30

Lesson 2 Getting Started with Cisco Security
Appliances (continue) Lesson 3 Managing the
Security Appliance Lession 4 Access Control
Lists
Lesson 1 Cisco Security Appliances Overview
Lesson 2 Getting Started with Cisco Security
Appliances
Lesson 5 Cisco Adaptive Security Device
Manager Lesson 6 Firewall Switch Modules
(FWSM)
AM 8h30-11h30 Theory
Lession 1 Console connection setting Lession 2
Execute general command Lession 3 Configure
Security Appliance Interfaces
Lession 4 Configure NAT, and Routing Lession
5 Test the Inside, Outside, and DMZ Interface
Connectivity Lession 6 Configure ACLs on the
Security Appliance
Lession 7 Managing the Security Appliance
PM 14h-17h Hand-on Lab
3
Introduction

Trainer Introduction
Name
Position
Experiences
Trainee Introduction
Name
Position
Security Network knowledges and experiences

4
Lession 1 Cisco Security Appliances Overview
5
What Is a Firewall?
DMZ Network
Internet
Outside Network
Inside Network
A firewall is a system or group of systems that
manages access between two or more networks.
6
Firewall Technologies

Firewall operations are based on one of three
technologies
Packet filtering
Proxy server
Stateful packet filtering

7
Packet Filtering
DMZ Server B
Inside Server C
Data A B
Host A
Internet
Data A C
AB-Yes AC-No
Limits information that is allowed into a network
based on the destination and source address
8
Proxy Server
Proxy Server
Internet
Inside Network
Outside Network
Requests connections on behalf of a client
9
Stateful Packet Filtering
DMZ Server B
Inside Server C
Data HTTP A B
Host A
Internet
State Table
Limits information that is allowed into a
network based not only on the destination and
source addresses, but also on the packets state
table content
Source address
10.0.0.11
192.168.0.20
Destination address
172.16.0.50
172.16.0.50
Source port
1026
1026
Destination port
80
80
Initial sequence no.
49091
49769
Ack
Flag
Syn
Syn
10
Security Appliances What Are They?

Cisco security appliances deliver
enterprise-class security for small-to-medium-size
d business and enterprise networks in a modular,
purpose-built appliance. Some features of Cisco
security appliances are
Proprietary operating system
Stateful packet inspection
User-based authentication
Protocol and application inspection
Modular policy framework
Virtual private networking
Security contexts (virtual firewalls)
Stateful failover capabilities
Transparent firewalls
Web-based management solutions

11
Proprietary Operating System

Eliminates the risks associated with
general-purpose operating systems

12
Stateful Packet Inspection

The stateful packet inspection algorithm provides
stateful connection security.
It tracks source and destination ports and
addresses, TCP sequence numbers, and additional
TCP flags.
It randomizes the initial TCP sequence number of
each new connection.
By default, the stateful packet inspection
algorithm allows connections originating from
hosts on inside (higher security level)
interfaces.
By default, the stateful packet inspection
algorithm drops connection attempts originating
from hosts on outside (lower security level)
interfaces.
The stateful packet inspection algorithm supports
authentication, authorization, and accounting.

13
Application-Aware Inspection
FTP Server
Client
Control Port 2008
Data Port 2010
Data Port20
Control Port 21
Data - Port 2010
Port 2010 OK
Data

Protocols such as FTP, HTTP, H.323, and SQLNet
need to negotiate connections to dynamically
assigned source or destination ports through the
firewall.
The security appliance inspects packets above the
network layer.
The security appliance securely opens and closes
negotiated ports for legitimate client-server
connections through the firewall.

14
Modular Policy
Internet
System Engineer
Headquarters
T1
SE
exec
Internet
Executives
S2S
S2S
Site C
Site B
Class Map Traffic Flow Default Internet Systems
Engineer Executives Site to Site
Policy Map Services Inspect IPS Police Priority
Service Policy Interface/Global Global Outside
15
Virtual Private Network
Site to Site
Internet
IPsec VPN SSL VPN
Headquarters
Remote Access
16
Security Context (Virtual Firewall)
One Physical Firewall Four Virtual Firewalls
Four Physical Firewalls
Internet
Internet
Ability to create multiple security contexts
(virtual firewalls) within a single security
appliance
17
Failover Capabilities Active/Standby,
Active/Active, and Stateful Failover
Failover Active/Standby
Failover Active/Active
Contexts
2
1
2
1
Primary Failed Firewall
Secondary Active Firewall
Primary Failed/Standby
Secondary Active/Active
Internet
Internet

Failover protects the network if the primary
security appliance goes offline..
Active/standby Only one unit can be actively
processing traffic the other is hot standby.
Active/Active Both units can process traffic and
serve as backup units.
Stateful failover maintains the operating state
during failover.

18
Transparent Firewall
192.168.1.5
192.168.1.2
Internet

Has the ability to deploy a security appliance in
a secure bridging mode
Provides rich Layers 2 through 7 security
services as a Layer 2 device

19
Web-Based Management Solutions
Adaptive Security Device Manager
20
Models and Features of Cisco Security Appliances
21
ASA 5500 Series
ASA 5550
ASA 5540
ASA 5520
Price
ASA 5510
ASA 5505
Gigabit Ethernet
SMB
Enterprise
ROBO
SOHO
SP
Functionality
SP service provider
22
PIX 500 Series
PIX 535
PIX 525
PIX 515E
Price
PIX 506E
PIX 501
Gigabit Ethernet
SMB
Enterprise
ROBO
SOHO
SP
Functionality
23
Cisco ASA 5510 Adaptive Security Appliance

Delivers advanced security and networking
services, including high-performance VPN
services, for small and medium-sized businesses
and enterprise branch offices
Provides up to 130,000 concurrent connections
Provides up to 300-Mbps firewall throughput
Provides interface support
Up to 5 10/100 Fast Ethernet interfaces
Up to 25 VLANs
Up to 5 contexts
Supports failover
Active/standby
Supports VPNs
Site to site (250 peers)
Remote access
WebVPN
Supports optional SSMs (Cisco ASA AIP SSM, Cisco
ASA CSC SSM, and four-portGigabit Ethernet SSM)

24
Cisco ASA 5520 Adaptive Security Appliance

Delivers advanced security services, including
high-performance VPN services, for medium-sized
enterprise networks
Provides up to 280,000 concurrent connections
Provides up to 450-Mbps firewall throughput
Provides Interface support
4 10/100/1000 Gigabit Ethernet interfaces
1 10/100 Fast Ethernet interface
Up to 100 VLANs
Up to 20 contexts
Supports failover
Active/standby
Active/active
Supports VPNs
Site to site (750 peers)
Remote access
WebVPN
Supports optional SSMs (Cisco ASA AIP SSM, Cisco
ASA CSC SSM, and four-portGigabit Ethernet SSM)

25
Cisco ASA 5540 Adaptive Security Appliance

Delivers high-performance, high-density security
services, including high-performance VPN
services, for medium-sized and large enterprise
networks and service provider networks
Provides up to 400,000 concurrent connections
Provides up to 650-Mbps firewall throughput
Provides Interface support
4 10/100/1000 Gigabit Ethernet interfaces
1 10/100 Fast Ethernet interface
Up to 200 VLANs
Up to 50 contexts
Supports failover
Active/standby
Active/active
Supports VPNs
Site to site (5,000 peers)
Remote access
WebVPN
Supports optional SSMs (Cisco ASA AIP SSM, Cisco
ASA CSC SSM, and four-portGigabit Ethernet SSM)

26
ASA 5510, 5520, and 5540 Adaptive Security
Appliances Front Panel
Flash
Status
Power
Active
VPN
27
ASA 5510, 5520, and 5540 Adaptive Security
Appliances Back Panel
CompactFlash
Fixed interfaces
Security services module
28
ASA 5510, 5520, and 5540 Adaptive Security
Appliances Connectors
CompactFlash
10/100 out-of-band management port
Power supply (AC or DC)
Console port
Four 10/100/1000 Gigabit Ethernet ports
AUX ports
Two USB 2.0 ports
ASA 5510 Adaptive Security Appliance supports
10/100 Fast Ethernet ports.
29
Cisco ASA Security Services Module

High-performance module designed to provide
additional security services
Diskless (Flash-based) design for improved
reliability
Gigabit Ethernet port for out-of-band management

30
SSM Models

SSM-10
2.0-GHz processor
1.0 GB RAM
SSM-20
2.4-GHz processor
2.0 GB RAM

Speed

Link andactivity

Power

Status

31
Four-Port Gigabit Ethernet SSM
RJ-45 link LED
SFP link LED
SFP speed LED
RJ-45 speed LED
Status LED
SFP ports
RJ-45 ports
Power LED
32
Summary

A firewall is a system or group of systems that
manages access between two or more networks.
Statefull firewall is a device works most
effectively
Cisco Security Appliance including Cisco PIX and
ASA.
Security devices ASA 5510, 5520 targeting the
small and medium enterprises.
The function of security devices can be expanded
by the SSMs

33
Lession 2

Getting Started with Cisco Security Appliances

34
User Interface
35
Security Appliance Access Modes

A Cisco security appliance has four main
administrative access modes
Unprivileged
Privileged
Configuration
Monitor

36
Access Privileged Mode
Internet
ciscoasagt
enable priv_level

Used to control access to the privileged mode
Enables you to enter other access modes

ciscoasagt enable password ciscoasa
37
Access Configuration Mode configure terminal
Command
ciscoasa
configure terminal

Used to start configuration mode to enter
configuration commands from a terminal

ciscoasa
exit
Used to exit from an access mode
ciscoasagt enable password ciscoasa configure
terminal ciscoasa(config) exit ciscoasa
exit ciscoasagt
38
help Command
ciscoasa gt help ? enable Turn on privileged
commands exit Exit the current command
mode login Log in as a particular user
logout Exit from current user profile to
unprivileged mode perfmon Change or view
performance monitoring options ping Test
connectivity from specified interface to an IP
address quit Exit the current command
mode ciscoasa gt help enable USAGE
enable ltpriv_levelgt
39
File Management
40
Viewing and Saving Your Configuration

The following commands enable you to view your
configuration
Show running-config
Show startup-config
The following commands enable you to save your
configuration
copy run start
write memory

To save configuration changes copy run start
startup- config (saved)
running- config
Configuration Changes
41
Clearing Running Configuration
Clear the running configuration clear config all
startup- config
running- config (default)
ciscoasa(config)
clear configure all
Clears the running configuration
ciscoasa(config) clear config all
42
Clearing Startup Configuration
Clear the startup configuration write erase
startup- config (default)
running- config
ciscoasa
write erase
Clears the startup configuration
ciscoasa write erase
43
Reload the Configuration reload Command
ciscoasa
reload at hhmm month day day month
cancel in hhmm max-hold-time hhmm
noconfirm quick reason text save-config

Reboots the security appliance and reloads the
configuration
Allows scheduled reboots

ciscoasa reload Proceed with reload?confirm y
Rebooting...
44
File System
Release 7.0 and later

Software image
Configuration file
Private data
ASDM image
Backup image
Backup configuration file

45
Displaying Stored Files System and Configuration

Internet

ASA disk0 disk1
PIX Security Appliance flash
ciscoasa
dir /all /recursive all-filesystems disk0
disk1 flash system

Display the directory contents

ciscoasa dir Directory of disk0/ 8 -rw-
8202240 133733 Jul 28 2006
asa721-k8.bin 1264 -rw- 5539756 132113
Jul 28 2006 asdm-521.bin 62947328 bytes total
(49152000 bytes free)
46
Security Level Example
g0/2
g0/1
g0/0
47
Examining Security Appliance Status
48
show Commands
asa1 show run interface . . . interface
GigabitEthernet0/0 speed 1000 duplex full
nameif outside security-level 0 ip address
192.168.1.2 255.255.255.0 ! interface
GigabitEthernet0/1 speed 1000 duplex full
nameif inside security-level 100 ip address
10.0.1.1 255.255.255.0 . . .
show run interface
asa1 show interface Interface GigabitEthernet0/0
"outside", is up, line protocol is up
Detected Speed 1000 Mbps, Full-duplex
Requested Auto MAC address
000b.fcf8.c538, MTU 1500 IP address
192.168.1.2, subnet mask 255.255.255.0 0
packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0
ignored, 0 abort 0 packets output, 0
bytes, 0 underruns input queue (curr/max
blocks) hardware (0/0) software (0/0)
output queue (curr/max blocks) hardware (0/0)
software (0/0) Received 0 VLAN
untagged packets, 0 bytes
Transmitted 0 VLAN untagged packets, 0 bytes
Dropped 0 VLAN untagged packets
show interface
49
show memory Command
ciscoasa
show memory
asa1 show memory Free memory 468962336
bytes (87) Used memory 67908576 bytes
(13) ------------- ---------------- Total
memory 536870912 bytes (100)
50
show cpu usage Command
10.0.1.11
10.0.1.4
ciscoasa
show cpu usage
asa1 show cpu usage CPU utilization for 5
seconds 0 1 minute 0 5 minutes 0
51
show version Command
asa1 show version Cisco Adaptive Security
Appliance Software Version 7.2(1) Device Manager
Version 5.2(1) Compiled on Wed 31-May-06 1445
by root System image file is "disk0/asa721-k8.bin
" Config file at boot was "startup-config" ciscoa
sa up 2 mins 51 secs Hardware ASA5520, 512 MB
RAM, CPU Pentium 4 Celeron 2000 MHz Internal ATA
Compact Flash, 64MB BIOS Flash AT49LW080 _at_
0xffe00000, 1024KB . . .
52
show ip address Command
172.16.1.0
.1
192.168.1.0
10.0.1.0
10.1.1.0
.2
.1
.1
asa1 show ip address System IP
Addresses Interface Name IP
address Subnet mask Method GigabitEthernet0/0
outside 192.168.1.2 255.255.255.0
CONFIG GigabitEthernet0/1 inside
10.0.1.1 255.255.255.0 CONFIG
GigabitEthernet0/2 dmz 172.16.1.1
255.255.255.0 CONFIG Current IP
Addresses Interface Name IP
address Subnet mask Method GigabitEthernet0/0
outside 192.168.1.2 255.255.255.0
CONFIG GigabitEthernet0/1 inside
10.0.1.1 255.255.255.0 CONFIG
GigabitEthernet0/2 dmz 172.16.1.1
255.255.255.0 CONFIG
53
show interface Command
asa1 show interface Interface GigabitEthernet0/0
"outside", is up, line protocol is up Hardware
is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0013.c482.2e4c, MTU 1500
IP address 192.168.1.2, subnet mask
255.255.255.0 8 packets input, 1078
bytes, 0 no buffer Received 8 broadcasts,
0 runts, 0 giants 0 input errors, 0 CRC,
0 frame, 0 overrun, 0 ignored, 0 abort 0
L2 decode drops 0 packets output, 0
bytes, 0 underruns 0 output errors, 0
collisions 0 late collisions, 0 deferred
input queue (curr/max blocks) hardware
(8/0) software (0/0) output queue
(curr/max blocks) hardware (0/0) software (0/0)
Traffic Statistics for "outside" 8
packets input, 934 bytes 0 packets
output, 0 bytes 8 packets dropped 1
minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec 5 minute
input rate 0 pkts/sec, 0 bytes/sec 5
minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
54
show nameif Command
GigabitEthernet0/2 Interface name dmz
Security level 50
g0/2
g0/1
g0/0
GigabitEthernet0/1 Interface name inside
Security level 100
GigabitEthernet0/0 Interface name outside
Security level 0
asa1 show nameif Interface Name
Security GigabitEthernet0/0
outside 0 GigabitEthernet0/1
inside 100 GigabitEthernet
0/2 dmz 50
55
show run nat Command
10.0.1.11
10.0.1.X
X.X.X.X
NAT
10.0.1.4
ciscoasa
show run nat
Displays a single host or range of hosts to be
translated
asa1 show run nat nat (inside) 1 10.0.1.0
255.255.255.0 0 0
56
show run global Command
10.0.1.11
10.0.1.X
Mapped Pool 192.168.1.20-192.168.1.254
10.0.1.4
ciscoasa
show run global
Displays the pool of mapped addresses
asa1 show run global global (outside) 1
192.168.1.20-192.168.1.254 netmask 255.255.255.0
57
show xlate Command
10.0.1.11
10.0.1.11
192.168.1.20
Inside local
Outside mapped pool
10.0.1.4
Xlate Table
10.0.1.11
192.168.1.20
ciscoasa
show xlate
Displays the contents of the translation slots
asa1 show xlate 1 in use, 1 most used Global
192.168.1.20 Local 10.0.1.11
58
show route Command
172.16.1.0
g0/2
10.0.1.0
192.168.1.0
.1
g0/1
g0/0
ciscoasa
show route interface_name ip_address netmask
static
Displays the contents of the routing table
asa1(config) show route S 0.0.0.0 0.0.0.0
1/0 via 192.168.1.1, outside C 10.0.1.0
255.255.255.0 is directly connected, inside C
127.0.0.0 255.255.0.0 is directly connected,
cplane C 172.16.1.0 255.255.255.0 is directly
connected, dmz C 192.168.1.0 255.255.255.0 is
directly connected, outside
59
ping Command
10.0.1.11
10.0.1.4
ciscoasa
ping if_name host data pattern repeat count
size bytes timeout seconds validate

Determines whether other devices are visible from
the security appliance

asa1 ping 10.0.1.11 Sending 5, 100-byte ICMP
Echos to 10.0.1.11, timeout is 2
seconds !!!!! Success rate is 100 percent (5/5),
round-trip min/avg/max 10/12/20 ms
60
traceroute Command
example.com
ciscoasa
traceroute destination_ip hostname source
source_ip source-interface numeric timeout
timeout_value probe probe_num ttl min_ttl
max_ttl port port_value use-icmp
Determines the route packets will take to their
destination
asa1traceroute 172.26.26.20
61
Basic Security Appliance Configuration
62
Basic CLI Commands for Security Appliances

hostname
interface
nameif
ip address
security-level
speed
duplex
no shutdown
nat-control
nat
global
route

g0/2
g0/1
g0/0
63
Assigning a Hostname to Security Appliance
Changing the CLI Prompt
New York ( asa1)
Server
Boston (asa2)
Server
Dallas (asa3)
Server
ciscoasa(config)
hostname newname

Changes the hostname in the security appliance
CLI prompt

ciscoasa(config) hostname asa1asa1(config)
64
interface Command and Subcommands
GigabitEthernet0/2
g0/2
g0/1
g0/0
GigabitEthernet0/1
GigabitEthernet0/0
ciscoasa(config)
interface physical_interface.subinterface
mapped_name

Enters configuration mode for the interface you
specify

asa1(config) interface GigabitEthernet0/0 asa1(co
nfig-if)
65
Assign an Interface Namenameif Subcommand
GigabitEthernet0/2 Interface name dmz
g0/2
g0/1
g0/0
GigabitEthernet0/0 Interface name outside
GigabitEthernet0/1 Interface name inside
ciscoasa(config-if)
nameif if_name

Assigns a name to an interface on the security
appliance.

asa1(config) interface GigabitEthernet0/0 asa1(co
nfig-if) nameif outside
66
Assign Interface IP Address ip address
Subcommand
g0/2
g0/1
g0/0
GigabitEthernet0/0 Interface name outside IP
address 192.168.1.2
ciscoasa(config-if)
ip address ip_address mask standby ip_address

Assigns an IP address to each interface

asa1(config) interface GigabitEthernet0/0 asa1(co
nfig-if) nameif outside asa1(config-if) ip
address 192.168.1.2 255.255.255.0
67
DHCP-Assigned Address
DHCP Assigned
g0/0
GigabitEthernet0/0 Interface name outside IP
address dhcp
ciscoasa(config-if)
ip address dhcp setroute
Enables the DHCP client feature on the outside
interface
asa1(config) interface GigabitEthernet0/0 asa1(co
nfig-if) nameif outside asa1(config-if) ip
address dhcp
68
Assign a Security Level security-level
Subcommands
g0/2
g0/1
g0/0
GigabitEthernet0/0 Interface name outside IP
address 192.168.1.2 Security level 0
ciscoasa(config-if)
security-level number

Assigns a security level to the interface

asa1(config) interface GigabitEthernet0/0 asa1(co
nfig-if) nameif outside asa1(config-if) ip
address 192.168.1.2 asa1(config-if)
security-level 0
69
Interfaces with Same Security Level
same-security-traffic Command
DMZ Network
GigabitEthernet0/2 Security level 100 Interface
name dmz
g0/2
g0/1
g0/0
Inside Network
GigabitEthernet0/1 Security level 100 Interface
name inside
ciscoasa(config)
same-security-traffic permit inter-interface
intra-interface

Enables communication between interfaces with the
same security level or allows traffic to enter
and exit the same interface

asa1(config) same-security-traffic permit
inter-interface
70
Assign an Interface Speed and Duplex speed and
duplex SubCommands
GigabitEthernet0/0 Speed 1000 Duplex full
g0/2
g0/1
g0/0
ciscoasa(config-if)
speed 10 100 1000 auto
nonegotiate duplex auto full half

Enable the interface speed and duplex

asa1(config) interface GigabitEthernet0/0 asa1(co
nfig-if) nameif outside asa1(config-if) ip
address 192.168.1.2 asa1(config-if)
security-level 0 asa1(config-if) speed
1000 asa1(config-if) duplex full
71
ASA Management Interface
Management0/0 Management only no
g0/2
m0/0
g0/1
g0/0
ciscoasa(config-if)
management-only
Configures an interface to accept management
traffic only
no management-only
Disables management-only mode
asa1(config) interface management0/0 asa1(config-
if) no management-only

Disables management-only mode (for ASA 5520,
5540 and 5550)

72
Enabling and Disabling Interfaces shutdown
Subcommand
g0/2
g0/1
g0/0
GigabitEthernet0/0 Enabled
ciscoasa(config-if)
shutdown
Disables an interface no shutdown enabled
asa1(config) interface GigabitEthernet0/0 asa1(co
nfig-if) no shutdown
Disables management-only mode (for ASA 5520,
5540 and 5550)
73
Network Address Translation
NAT
10.0.0.11
192.168.0.20
10.0.0.11
192.168.10 .11
Inside Local
Outside Mapped Pool
10.0.0.4
Translation Table
10.0.0.11
192.168.0.20
74
Enable NAT Control
NAT
10.0.0.11
192.168.0.20
10.0.0.11
200.200.200.11
Inside Local
Outside Mapped Pool
10.0.0.4
Translation Table
10.0.0.11
192.168.0.20
Enable or disable NAT configuration requirement
asa1(config) nat-control
75
nat Command
10.0.1.11
10.0.1.11
X.X.X.X
NAT
10.0.1.4
ciscoasa(config)
nat (if_name) nat_id address netmask dns

Enables IP address translation

asa1(config) nat (inside) 1 0.0.0.0 0.0.0.0
76
global Command
10.0.1.11
10.0.1.11
192.168.1.20
NAT
ciscoasa(config)
10.0.1.4
global(if_name) nat_id mapped_ip-mapped_ipnet
mask mapped_mask interface

Works with the nat command to assign a registered
or public IP address to an internal host when
accessing the outside network through the
firewall, for example, 192.168.0.20-192.168.0.254

asa1(config) nat (inside) 1 0.0.0.0
0.0.0.0 asa1(config) global (outside) 1
192.168.1.20-192.168.1.254
77
Configure a Static Route route Command
Default Route
Static Route
10.1.1.11
10.0.1.102
192.168.1.1
ciscoasa(config)
10.1.1.4
route if_name ip_address netmask gateway_ip
metric

Defines a static or default route for an interface

asa1(config) route outside 0.0.0.0 0.0.0.0
192.168.1.1 1 asa1(config) route inside 10.1.1.0
255.255.255.0 10.0.1.102 1
78
Host Name-to-IP-Address Mapping name Command
bastionhost 172.16.1.2
.2
172.16.1.0
.1
10.0.1.0
insidehost 10.0.1.11
.11
.1
ciscoasa(config)
name ip_address name

Configures a list of name-to-IP-address mappings
on the security appliance

asa1(config) names asa1(config) name 172.16.1.2
bastionhost asa1(config) name 10.0.1.11
insidehost
79
Configuration Example
172.16.1.0
.1
10.0.1.0
10.1.1.0
192.168.1.0
.1
.2
.1
GigabitEthernet0/0 Interface name outside
Security level 0 IP address 192.168.1.2
GigabitEthernet0/1 Interface name inside
Security level 100 IP address 10.0.1.1
asa1(config) write terminal . . . interface
GigabitEthernet0/0 speed 1000 duplex full
nameif outside security-level 0 ip address
192.168.1.2 255.255.255.0 interface
GigabitEthernet0/1 speed 1000 duplex full
nameif inside security-level 100 ip address
10.0.1.1 255.255.255.0 . . .
80
Configuration Example (Cont.)
GigabitEthernet0/2 Interface name dmz
Security level 50 IP address 172.16.1.1
bastionhost 172.16.1.2
insidehost 10.1.1.11
172.16.1.0
.1
10.0.1.0
10.1.1.0
192.168.1.0
.2
.1
.1
interface GigabitEthernet0/2 nameif dmz
security-level 50 speed 1000 duplex full ip
address 172.16.1.1 255.255.255.0 passwd
2KFQnbNIdI.2KYOU encrypted hostname asa1 names
name 172.16.1.2 bastionhost name 10.1.1.11
insidehost
81
Configuration Example (Cont.)
bastionhost 172.16.1.2
insidehost 10.1.1.11
172.16.1.0
.2
Default Route
Static Route
.1
10.0.1.0
10.1.1.0
192.168.1.0
.2
.1
.1
.1
.102
10.0.0.0
Mapped Pool 192.168.1.20 - 254
nat-control nat (inside) 1 0.0.0.0 0.0.0.0 0
0 global (outside) 1 192.168.1.20-192.168.1.254 ro
ute outside 0.0.0.0 0.0.0.0 192.168.1.1 1 route
inside 10.1.1.0 255.255.255.0 10.0.1.102 1
82
Summary

Cisco security appliances have four main
administrative access modes unprivileged,
privileged, configuration, and monitor.
There are two configuration memories in the Cisco
security appliances running configuration and
startup configuration.
The show running-config command displays the
current configuration in the security appliance
RAM on the terminal.
You can use the copy run start or the write
memory command to save the current running
configuration to flash memory, startup
configuration.
Interfaces with a higher security level can
access interfaces with a lower security level,
but interfaces with a lower security level cannot
access interfaces with a higher security level
unless given permission.
The security appliance show commands help you
manage the security appliance.
The basic commands that are necessary to
configure Cisco security appliances are the
following interface, nat, global, and route.
The nat and global commands work together to
translate IP addresses.

83
Lession 3

Managing the Security Appliance

84
Managing System Access
85
Configuring Telnet Access to the Security
Appliance Console
10.0.0.11
Telnet
ciscoasa(config)
telnet hostname IP_address mask
interface_name IPv6_address interface_name
timeout number
Enables you to specify which hosts can access the
security appliance console with Telnet and set
the maximum time a console Telnet session can be
idle before being logged off by the security
appliance
ciscoasa(config)
passwd password encrypted
Sets the password for Telnet access to set the
security appliance
asa1(config) telnet 10.0.0.11 255.255.255.255
inside asa1(config) telnet timeout
15 asa1(config) passwd telnetpass
86
Viewing and Disabling Telnet
ciscoasa
show running-config telnet timeout
Displays IP addresses permitted to access the
security appliance via Telnet
ciscoasa(config)
clear configure telnet
Removes the Telnet connection and the idle
timeout from the configuration
ciscoasa
who local_ip
Enables you to view which IP addresses are
currently accessing the security appliance
console via Telnet
ciscoasa
kill telnet_id
Terminates a Telnet session
87
SSH Connections to the Security Appliance

SSH connections to the security appliance
Provide secure remote access
Provide strong authentication and encryption
Require RSA key pairs for the security appliance
Require 3DES/AES or DES activation keys
Allow up to five SSH clients to simultaneously
access the security appliance console
Use the Telnet password for local authentication

88
Configuring SSH Access to the Security Appliance
Console
ciscoasa(config)
ciscoasa(config)
crypto key generate rsa usage-keys
general-keys label key-pair-label modulus
size noconfirm
crypto key zeroize rsa dsa label
key-pair-label default noconfirm

Removes any previously generated RSA keys

Generates an RSA key pair
ciscoasa(config)
ciscoasa(config)
ssh ip_address mask ipv6_address/prefix
interface
write memory
Saves the CA state
Specifies the host or network authorized to
initiate an SSH connection
ciscoasa(config)
ciscoasa(config)
ssh timeout number
domain-name name
Specifies how long a session can be idle before
being disconnected
Configures the domain name
89
Connecting to the Security Appliance with an SSH
Client
username pix password telnetpassword
SSH
172.26.26.50
asa1(config) crypto key zeroize
rsa asa1(config) write memory asa1(config)
domain-name cisco.com asa1(config) crypto key
generate rsa modulus 1024 asa1(config) write
memory asa1(config) ssh 172.26.26.50
255.255.255.255 outside asa1(config) ssh timeout
30
90
Managing Software, Licenses, and Configurations
91
Viewing Directory Contents
10.0.0.11
dir
192.168.0.0
10.0.0.3
ciscoasa
dir /all /recursive all-filesystems
disk0 disk1 flash system path
Displays the directory contents
asa1 dir Directory of disk0/ 4346 -rw- 8202240
150110 Oct 19 2006 asa721-k8.bin 6349 -rw-
5539756 153039 Oct 19 2006 asdm521.bin 7705
-rw- 3334 070357 Oct 22 2006
old_running.cfg 62947328 bytes total (29495296
bytes free)
You can use the pwd command to display the
current working directory.
92
Copying Files
10.0.0.11
copy
192.168.0.0
10.0.0.3
ciscoasa
copy /noconfirm /pcap url running-config
startup-config running-config startup-config
url
Copies a file from one location to another
asa1 copy disk0MYCONTEXT.cfg startup-config
Copies the file MYCONTEXT.cfg from disk0 to the
startup configuration
93
Downloading and Backing Up Configuration Files
Example
10.0.0.11
config
192.168.0.0
10.0.0.3
FTP server
ciscoasa
copy ftp startup-config
Copies the configuration file from an FTP server
ciscoasa
copy running-config ftp
Copies the configuration file to an FTP server
94
Image Upgrade
95
Viewing Version Information

version?

10.0.0.11

10.0.0.3

ciscoasa
show version
Displays the software version, hardware
configuration, license key, and related uptime
data
asa1 show version Cisco Adaptive Security
Appliance Software Version 7.2(1) Device Manager
Version 5.2(1) Compiled on Wed 31-May-06 1445
by root System image file is disk0/asa721-k8.bin
Config file at boot was startup-config asa1
up 17 hours 40 mins . . .
96
Image Upgrade
10.0.0.11
TFTP
10.0.0.3
ciscoasa
copy tftp//server/path/filename flash/filename
Enables you to change software images without
accessing the TFTP monitor mode.
asa1 copy tftp//10.0.0.3/asa721-k8.bin flash
The TFTP server at IP address 10.0.0.3 receives
the command and determines the actual file
location from its root directory information.
The server then downloads the TFTP image to the
security appliance.
97
Summary

SSH provides secure remote management of the
security appliance.
TFTP is used to upgrade the software image on
security appliances.
You can enable Telnet to the security appliance
on all interfaces.
.

98
Lesson 4

Access Control Lists (ACLs)

99
Security Appliance ACL Configuration
Inside
Outside
Internet
ACL for Inbound Access
ACL for Outbound Access
No ACL - Outbound permitted by default -
Inbound denied by default
Security appliance configuration philosophy is
interface-based. Interface ACL permits and denies
the initial incoming and outgoing packets on that
interface. An ACL must describe only the initial
packet of the application return traffic does
not need to be described. If no ACL is attached
to an interface The outbound packet is permitted
by default. The inbound packet is denied by
default.
100
Inbound Traffic to DMZ Web Server
DMZ
Public Web Server
Inbound
Inside
X
192.168.1.0
Internet
10.0.1.0
.1
.2
Outside

There is no ACL, so by default, inbound access is
denied. To permit inbound traffic, complete the
following steps
Configure a static translation for the web server
address
Configure an inbound ACL
Apply the ACL to the outside interface

101
Create a Static Translation for Web Server
DMZ
172.16.1.2
Public Web Server
Inside
192.168.1.9
192.168.1.0
Internet
.1
.2
10.0.1.0
Outside
asa1(config) static (DMZ,outside) 192.168.1.9
172.16.1.2 0 0
Maps an inside private address to an outside
public address
102
access-list Command
DMZ
Permit Inbound HTTP
172.16.1.2
Public Web Server
Inside
192.168.1.9
192.168.1.0
Internet
.1
.2
10.0.1.0
Outside
ciscoasa(config)
access-list id line line-number extended
deny permit protocol object-group
protocol_obj_grp_idhost sip sip smask
interface ifc_name object-group
network_obj_grp_id any operator port port
object-group service_obj_grp_id host dip dip
dmask interface ifc_name object-group
network_obj_grp_id any operator port port
object-group service_obj_grp_id object-group
icmp_type_obj_group_id log level interval
secs disable default inactive
time-range time_range_name
asa1(config) access-list ACLOUT permit tcp any
host 192.168.1.9 eq www
Permits outside HTTP traffic to access the public
web server
103
access-group Command
Apply ACL to interface
DMZ
Public Web Server
Inside
192.168.1.0
Internet
10.0.1.0
.1
.2
Outside
ciscoasa(config)
access-group access-list in out interface
interface_name per-user-override
Applies an ACL to an interface
asa1(config) access-group ACLOUT in interface
outside
104
show access-list Command
ICMPDMZ
ACLOUT
ACLIN
Internet
192.168.1.0
192.168.6.10
asa1(config) show access-list access-list cached
ACL log flows total 0, denied 0 (deny-flow-max
4096) alert-interval 300 access-list ACLOUT 4
elements access-list ACLOUT line 1 extended
permit tcp 192.168.6.0 255.255.255.0 host
192.168.1.11 eq www (hitcnt4)0x984ebd70 access-li
st ACLOUT line 2 extended permit tcp host
192.168.6.10 host 192.168.1.11 eq ftp (hitcnt1)
0x53490ecd access-list ACLOUT line 3 extended
permit tcp any host 192.168.1.9 eq www (hitcnt8)
0x83af39ca access-list ACLOUT line 4 extended
deny ip any any (hitcnt4) 0x2ca30385 access-list
ICMPDMZ 1 elements access-list ICMPDMZ line 1
extended permit icmp host bastionhost any
echo-reply
105
clear access-list counters Command
Web Server 172.16.1.2
192.168.6.10
192.168.1.9
ACLIN
Internet
ACLOUT
asa1(config) clear access-list ACLOUT
counters asa1(config) show access-list access-lis
t cached ACL log flows total 0, denied 0
(deny-flow-max 4096) alert-interval
300 access-list ACLOUT 4 elements access-list
ACLOUT line 1 extended permit tcp 192.168.6.0
255.255.255.0 host 192.168.1.11 eq www (hitcnt0)
0x984ebd70 access-list ACLOUT line 2 extended
permit tcp host 192.168.6.10 host 192.168.1.11 eq
ftp (hitcnt0) 0x53490ecd access-list ACLOUT line
3 extended permit tcp any host 192.168.1.9 eq www
(hitcnt0) 0x83af39ca access-list ACLOUT line 4
extended deny ip any any (hitcnt0) 0x2ca30385
106
ACL Logging
Internet
Syslog Server
ACL Syslog Messages
ciscoasa(config)
access-list id line line-number extended
deny permit protocol object-group
protocol_obj_grp_idhost sip sip smask
interface ifc_name object-group
network_obj_grp_id any operator port port
object-group service_obj_grp_id host dip dip
dmask interface ifc_name object-group
network_obj_grp_id any operator port port
object-group service_obj_grp_id object-group
icmp_type_obj_group_id log level interval
secs disable default inactive
time-range time_range_name
asa1(config) access-list OUTSIDE-ACL permit icmp
any host 192.168.1.11 log 7 interval 600
Enables the logging option for inbound ICMP to
192.168.1.11
107
ACL Comments
ciscoasa(config)
access-list id line line-number remark text
Inserts ACL comment
asa1(config) access-list ACLOUT line 2 remark
WebMailA access-list
asa1(config) show access-list access-list cached
ACL log flows total 0, denied 0 (deny-flow-max
4096) alert-interval 300 access-list ACLOUT 6
elements access-list ACLOUT line 1 extended
permit tcp any host 192.168.1.7 eq www (hitcnt0)
0x3df6ed1e access-list ACLOUT line 2 remark
WebMailA access-list access-list ACLOUT line 3
extended permit tcp any host 192.168.1.8 eq www
(hitcnt0) 0xd5383eba access-list ACLOUT line 4
extended permit tcp any host 192.168.1.9 eq www
(hitcnt0)0x2c4288ad access-list ACLOUT line 5
extended permit tcp any host 192.168.1.10 eq www
(hitcnt0) 0xb70c935b access-list ACLOUT line 6
extended permit tcp any host 192.168.1.11 eq www
(hitcnt0) 0x8b43382e
former line 2
108
Inbound HTTP Access Solution
DMZ
172.16.1.2
Public Web Server
Inbound
Inside
192.168.1.9
192.168.1.0
Internet
.1
.2
10.0.1.0
Outside
asa1(config) static (DMZ,outside) 192.168.1.9
172.16.1.2 0 0 asa1(config) access-list ACLOUT
permit tcp any host 192.168.1.9 eq
www asa1(config) access-group ACLOUT in
interface outside

Permits outside HTTP traffic to access the public
web server

109
icmp Command
Inside
Outside
Internet
ICMP Echo ICMP Unreachable
X
ciscoasa(config)
icmp permit deny host sip sip smask any
icmp-type if_name

Enables or disables pinging to an interface

asa1(config) icmp permit any echo-reply
outside asa1(config) icmp permit any unreachable
outside
Permits all unreachable messages at the outside
interface and denies all ping requests at the
outside interface
110
Summary

ACLs enable you to determine which systems can
establish connections through your security
appliance.
With ICMP ACLs, you can disable pinging to a
security appliance interface so that your
security appliance cannot be detected on your
network.
.

111
Lession 5

Cisco Adaptive Security Device Manager

112
ASDM Overview and Operating Requirements
113
What Is ASDM?
Internet
SSL Secure Tunnel

ASDM is a browser-based configuration tool
designed to help configure and monitor your
security appliance.

114
ASDM Features

Runs on a variety of platforms
Implemented in Java to provide robust, real-time
monitoring
Works with SSL to ensure secure communication
with the PIX security appliance
Comes preloaded in flash memory on new Cisco ASA
and Cisco PIX security appliances running
Versions 7.2 and later
ASDM sessions
5 ASDM sessions per unit (single mode) or context
(multiple mode)
32 sessions per unit in multiple mode
Operates on PIX 515E, 525, and 535 Security
Appliances
Operates on Cisco ASA 5505, 5510, 5520, 5540, and
5550 Security Appliances

ASDM Version 5.2 is not supported on the PIX
501 or 506 Security Appliance.
115
ASDM Security Appliance Requirements

A security appliance must meet the following
requirements to run ASDM
Activation key that enables DES or 3DES
Supported Java plug-in
Security appliance software version compatible
with the ASDM software version you plan to use
Hardware model compatible with the ASDM software
version you plan to use

ASDM Version 5.2 requires Security Appliance
Software Version 7.2.

116
ASDM Browser Requirements

To access ASDM from a browser, the following
requirements must be met
JavaScript and Java must be enabled on the
computer where the browser resides.
SSL must be enabled in the browser.
Popup blockers may prevent ASDM from starting.

117
Supported Platforms

Windows
Sun Solaris
Linux

118
Running ASDM

Run ASDM as a
Local application
Java applet

Launch Startup Wizard
119
Configure the Security Appliance to Use ASDM

Before you can use ASDM, you need to enter the
following information on the security appliance
via a console terminal
Time
Inside IP address
Inside network mask
Host name
Domain name
Enable the HTTP server on the security appliance
IP addresses of hosts authorized to access HTTP
server

If more than one ASDM image is stored in the
flash memory of your security appliance, also
specify the ASDM image to be used.
120
Setup Dialog
Pre-configure Firewall now through interactive
prompts yes? ltEntergt Firewall Mode Routed
Enable Password ltuse current passwordgt
cisco123 Allow password recovery yes ? Clock
(UTC) Year 2006 ltEntergt Month Sep
ltEntergt Day 2 ltEntergt Time 102149
ltEntergt Inside IP address 10.0.1.1 Inside
network mask 255.255.255.0 Host name
asa1 Domain name ciscoasa.com IP address of host
running Device Manager 10.0.1.11 Use this
configuration and write to flash? Y
121
Navigating ASDM Configuration Windows
122
ASDM Home Window
123
ASDM Home Window (Cont.)
License tab
124
Startup Wizard

Startup Wizard
Interfaces
NAT and PAT
Hostname
Domain name
Enable password

125
VPN Wizard

VPN Wizard
Site-to-Site
Remote Access

Note Use Configuration gt VPN to edit VPN
connections.

126
High Availability and Scalability Wizard

High Availability and Scalability Wizard
Active/Active Failover
Active/Standby Failover
VPN Cluster Load Balancing

127
Configuration Window

Configuration
Interface
Security Policy
NAT
VPN
IPS or
CSD Manager
Routing
Global Objects
Properties

128
Interfaces

IP address
Static
DHCP
Same security level

129
Security Policy

Access Rules
AAA Rules
Filter Rules
Service Policy Rules

130
NAT

Translation Rules
NAT
Policy NAT
NAT exemption
Maximum connections
Embryonic connections
NAT0

131
VPN

Edit VPN
General
IKE
IPsec
IP Address Management
Load Balancing
NAC
WebVPN
E-Mail Proxy

Note Use the Remote Access or Site-to-Site VPN
Wizard for new VPN connections.

132
Routing

Static Routes
Dynamic Routing
OSPF
RIP
Multicast
IGMP
MRoute
PIM
Proxy ARPs

133
Global Objects

Network Object Groups
IP Names
Service Groups
Class Maps
Inspect Maps
Regular Expressions
TCP Maps
Time Ranges

134
Monitoring Button

Interfaces
VPN
IPS or Trend Micro Content Security
Routing
Properties
Logging

135
Interface Graphs Panel

The Interface Graphs panel enables you to monitor
per-interface statistics, such as bit rates, for
each enabled interface on the security appliance.

136
Packet Tracer
137
Options gt Preferences
Options
138
Tools

Tools
Command Line Interface
Packet Tracer
Ping
Traceroute
File Management
Ugrade Software
Upload ASDM Assistant Guide
System Reload
ASDM Java Console

139
Help

Help
Help Topics
Help for Current Screen
Release Notes
Getting Started
VPN 3000 Migration Guide
Glossary
.

140
Online Help
141
Summary

ASDM is a browser-based tool used to configure
your security appliance.
Minimal setup on the security appliance is
required to run ASDM.
ASDM contains several tools in addition to the
GUI to help you configure your security
appliance.
The following ASDM wizards are available to
simplify security appliance configuration
Startup Wizard Walks you step by step through
the initial configuration of the security
appliance
VPN Wizard Walks you step by step through the
creation of site-to-site and remote access VPNs
High Availability and Scalability Wizard Walks
you step by step through the configuration of
active/active failover, active/standby failover,
and VPN cluster load balancing

142
Lession 6

Firewall Switch Modules (FWSM)

143
Overview

The Cisco Firewall Services Module (FWSM) is
based on Cisco PIX Security Appliance technology,
and therefore offers the same security and
reliability
The FWSM is a line card for the Cisco Catalyst
6500 family of switches and the Cisco 7600
Series Internet routers.

144
FWSM Key Features

Brings switching and firewalls into a single
chassis
Based on PIX Firewall technology
Supports transparent or routed firewall mode
Up to 100 security contexts
Up to 256 VLANs per context
Up to 1000 VLANs all contexts
5-Gbps throughput
One million concurrent connections
100,000 connections per second
Multiple blades supported in one chassis (4
maximum)
Dynamic routing via RIP v1 and v2 and OSPF
High availability via intra- or inter-chassis
stateful failover

145
FWSM and PIX Firewall FeatureComparison
146
Network Model
147
MSFC placement
148
Getting Started with the FWSM

Before you can begin configuring the FWSM,
complete the following tasks
Verify FWSM installation.
Configure the switch VLANs.
Configure the FWSM VLANs.

149
Verify FWSM Installation
150
Configure the Switch VLANs
Create Vlan
Defines a controlled VLAN on the MSFC. Assigns an
IP address.
151
Firewall VLAN-Group
Creates a firewall group of controlled VLANs
152
Configure the FWSM Interfaces
Establishes a console session with the module
Processor should always be 1
153
Configure a Default Route
Default route Static routes are required in
multiple context mode.
154
Configure the FWSM Access-List
FWSM1(config) access-list 200 permit ip 10.1.1.0
255.255.255.0 any FWSM1(config) access-group 200
in interface inside
By default all traffic is denied through the
FWSM. Traffic permitted into an interface can
exit through any other interface
155
Resetting and Rebooting the FWSM

Resets and reboots the FWSM

156
Summary

The FWSM is a line card for the Cisco Catalyst
6500 family of switches and the Cisco 7600
Series Internet routers.
The FWSM is a high-performance firewall solution
based on PIX Firewall Security Appliance
technology.
The FWSM supports transparent and routed firewall
modes.
The FWSM commands are almost identical to
security appliance commands.
PDM can be used to configure and monitor
the FWSM.