Transparent Firewall
Default firewall mode is routed.
To change the ASA to transparent mode:
ciscoasa(config)# firewall transparent
Changing the mode clears the running configuration, including any security contexts that were configured, so save a copy of the configuration before running it.
ciscoasa(config)# show firewall
Firewall mode: Transparent
ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# nameif inside1
INFO: Security level for "inside1" set to 0 by default.
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# no shut
ciscoasa(config-if)# interface gigabitEthernet 1
ciscoasa(config-if)# nameif inside2
INFO: Security level for "inside2" set to 0 by default.
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# no shut
ciscoasa(config)# interface bvi 1
ciscoasa(config-if)# ip address 192.168.10.100 255.255.255.0
By default the ASA does not allow traffic between interfaces with the same security level; since both bridge-group members are at 100, permit it explicitly:
ciscoasa(config)# same-security-traffic permit inter-interface
The ASA supports two types of interfaces: routed and bridged.
Bridged interfaces belong to a bridge group, and all interfaces are on the same network.
The bridge group is represented by a Bridge Virtual Interface (BVI) that has an IP address on the bridge network.
Routed mode supports both routed and bridged interfaces, and you can route between routed interfaces and BVIs.
Transparent firewall mode only supports bridge group and BVI interfaces.
ARP is allowed by default in both directions, i.e. from higher to lower security level and from lower to higher.
In transparent mode the firewall itself does not take part in dynamic routing protocols (RIP, EIGRP, OSPF, BGP); routing-protocol traffic between routers on either side can still be passed through with an extended access-list.
Broadcast and multicast traffic is not forwarded by default; in transparent mode it can be permitted with an extended access-list (in routed mode it cannot).
Whether BPDUs pass by default depends on the release (current releases forward them in transparent mode), but as soon as an EtherType access-list is applied to an interface its implicit deny drops them. If there is a switch on each side of the firewall they must see each other's BPDUs, otherwise spanning tree treats the two segments as separate and a redundant path becomes a loop, so permit BPDUs explicitly.
To allow BPDUs, an "ethertype" access-list is required:
access-list ALLOW_BPDU_INSIDE ethertype permit bpdu
access-group ALLOW_BPDU_INSIDE in interface inside
access-list ALLOW_BPDU_OUTSIDE ethertype permit bpdu
access-group ALLOW_BPDU_OUTSIDE in interface outside
As in routed mode, unicast IP traffic from the higher security-level interface (inside) to the lower one (outside) is permitted by default in transparent mode. If you want that permission to be explicit (for example so it can be tightened later), apply an access-list inbound on inside. Note that once any access-list is applied to an interface the implicit permit is replaced by the access-list and its implicit deny at the end:
access-list inside_access_in line 1 extended permit ip any any
access-group inside_access_in in interface inside
DHCP discovery uses broadcast (the client sends to 255.255.255.255 from 0.0.0.0), which the ASA does not forward by default, so a DHCP server and a client on different interfaces of a transparent firewall cannot complete a lease unless access-lists permit the exchange.
ALLOW DHCP TRAFFIC
With the DHCP server on outside and clients on inside, the server's OFFER/ACK is itself a broadcast to 255.255.255.255 on port bootpc (68), so it must be permitted inbound on the outside interface. Scoping the rule to the known server's address rather than "any" also stops a rogue DHCP server on the outside segment from answering inside clients. The client's broadcast DISCOVER/REQUEST (to bootps, port 67) needs a matching permit inbound on inside as well, because the implicit high-to-low permit does not cover broadcast on all releases; an explicit rule is the safe choice.
object network broadcast
host 255.255.255.255
object network dhcp-server
host 192.168.1.1
access-list outside_access_in line 1 extended permit udp object dhcp-server object broadcast eq bootpc
access-group outside_access_in in interface outside
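The following is an added example, not configuration or code from these notes or from Cisco: a small Python evaluator for the transparent-mode rules described above (ARP always allowed, implicit permit from higher to lower security level, an applied access-list replacing that permit with its own implicit deny, broadcast forwardable only in transparent mode), run over a constructed DHCP exchange with and without the DHCP rules. The inside rule for the client's broadcast DISCOVER is an assumption not shown on the page, the implicit high-to-low permit is modelled as unicast only (the conservative reading; verify on your release), and only the access-list features the page uses (protocol, network objects, "any", destination port) are implemented.

```python
"""Transparent-mode access control evaluated over a DHCP exchange.

Added example; this is not Cisco code. Assumptions: the implicit
high-to-low permit covers unicast only, addresses are compared as plain
strings, and only the ACL features used on the page are implemented.
"""
from dataclasses import dataclass
from typing import Optional

BROADCAST = "255.255.255.255"
PORTS = {"bootps": 67, "bootpc": 68}   # DHCP server / client ports


@dataclass(frozen=True)
class Packet:
    ingress: str
    egress: str
    proto: str                  # "udp", "tcp" or "arp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str
    src: str                    # network object name, "any" or literal IP
    dst: str
    dport: Optional[int] = None


class Firewall:
    def __init__(self, mode: str = "transparent") -> None:
        self.mode = mode
        self.security: dict[str, int] = {}    # nameif -> security-level
        self.objects: dict[str, str] = {}     # object network <name> -> host
        self.acls: dict[str, list[Ace]] = {}  # interface -> inbound ACL

    def _match_addr(self, spec: str, ip: str) -> bool:
        return spec == "any" or self.objects.get(spec, spec) == ip

    def _acl_verdict(self, aces: list[Ace], pkt: Packet) -> str:
        for ace in aces:          # first match wins, as on the ASA
            if (ace.proto == pkt.proto and self._match_addr(ace.src, pkt.src)
                    and self._match_addr(ace.dst, pkt.dst)
                    and (ace.dport is None or ace.dport == pkt.dport)):
                return ace.action
        return "deny"             # implicit deny at the end of every ACL

    def forward(self, pkt: Packet) -> bool:
        if pkt.proto == "arp":                                   # ARP: both directions, always
            return True
        if pkt.dst == BROADCAST and self.mode != "transparent":  # routed mode never forwards broadcast
            return False
        aces = self.acls.get(pkt.ingress)
        if aces is not None:                                     # an applied ACL decides alone
            return self._acl_verdict(aces, pkt) == "permit"
        higher_to_lower = self.security[pkt.ingress] > self.security[pkt.egress]
        return higher_to_lower and pkt.dst != BROADCAST          # implicit permit, unicast only


def build_firewall(with_dhcp_rules: bool, mode: str = "transparent") -> Firewall:
    fw = Firewall(mode)
    fw.security.update({"inside": 100, "outside": 0})
    fw.objects.update({"broadcast": BROADCAST, "dhcp-server": "192.168.1.1"})
    if with_dhcp_rules:
        # access-list outside_access_in extended permit udp object dhcp-server object broadcast eq bootpc
        fw.acls["outside"] = [Ace("permit", "udp", "dhcp-server", "broadcast", PORTS["bootpc"])]
        # Assumed matching rule for the client's broadcast DISCOVER/REQUEST (not shown on the page).
        fw.acls["inside"] = [Ace("permit", "udp", "any", "broadcast", PORTS["bootps"])]
    return fw


# Constructed exchange: client on inside with no address yet, server 192.168.1.1 on outside.
DHCP_EXCHANGE = [
    Packet("inside", "outside", "udp", "0.0.0.0", BROADCAST, PORTS["bootps"]),      # DISCOVER
    Packet("outside", "inside", "udp", "192.168.1.1", BROADCAST, PORTS["bootpc"]),  # OFFER
    Packet("inside", "outside", "udp", "0.0.0.0", BROADCAST, PORTS["bootps"]),      # REQUEST
    Packet("outside", "inside", "udp", "192.168.1.1", BROADCAST, PORTS["bootpc"]),  # ACK
]
ROGUE_OFFER = Packet("outside", "inside", "udp", "192.168.1.250", BROADCAST, PORTS["bootpc"])
WEB_OUT = Packet("inside", "outside", "tcp", "192.168.1.20", "203.0.113.5", 80)


def dhcp_results(with_dhcp_rules: bool, mode: str = "transparent") -> list[bool]:
    fw = build_firewall(with_dhcp_rules, mode)
    return [fw.forward(p) for p in DHCP_EXCHANGE]


if __name__ == "__main__":
    print("no DHCP rules:  ", dhcp_results(False))
    print("with DHCP rules:", dhcp_results(True))
    print("rogue server:   ", build_firewall(True).forward(ROGUE_OFFER))
    print("web out with ACL on inside:", build_firewall(True).forward(WEB_OUT))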
ARP spoofing (an attacker answering ARP for a host's address with its own MAC) can be blocked by ARP inspection backed by static ARP entries:
arp inside 192.168.1.26 001b.7765.4321
With ARP inspection enabled on the interface, every ARP packet is compared against the static table: if the IP address, MAC address and source interface all match a static entry it is forwarded; if any of them conflicts with a static entry it is dropped. For ARPs that match no static entry the "flood" option (the default) forwards them out all interfaces of the bridge group, while "no-flood" drops them, which is the stricter setting once every host has a static entry.
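The decision rule above, as an added example in Python (not Cisco code and not from these notes): a static ARP table, the flood/no-flood choice for unknown entries, and a constructed set of ARP packets covering a legitimate host, a spoofed MAC, a known MAC claiming another address, a correct binding arriving on the wrong interface, and a host with no static entry. Treating a known MAC with a different IP as a conflict is this model's reading of "mismatch"; verify against your release.

```python
"""Model of ASA transparent-mode ARP inspection.

Added example; this is not Cisco code. The static table and the sample
packets are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    interface: str    # interface the ARP arrived on
    sender_ip: str
    sender_mac: str   # Cisco dotted form, e.g. 001b.7765.4321


class ArpInspector:
    def __init__(self, flood: bool = True) -> None:
        self.flood = flood            # flood vs no-flood for packets with no static entry
        self.by_ip: dict[str, tuple[str, str]] = {}   # ip -> (interface, mac)
        self.by_mac: dict[str, tuple[str, str]] = {}  # mac -> (interface, ip)

    def add_static(self, interface: str, ip: str, mac: str) -> None:
        """Equivalent of: arp <interface> <ip> <mac>."""
        mac = mac.lower()
        self.by_ip[ip] = (interface, mac)
        self.by_mac[mac] = (interface, ip)

    def inspect(self, pkt: ArpPacket) -> str:
        mac = pkt.sender_mac.lower()
        entry = self.by_ip.get(pkt.sender_ip)
        if entry is not None:
            # A static entry exists for this IP: interface and MAC must both agree.
            if entry == (pkt.interface, mac):
                return "forward"
            return "drop-mismatch"
        if mac in self.by_mac:
            # Known MAC claiming an IP other than its static one: treated as a spoofed IP.
            return "drop-mismatch"
        # No static entry at all: honour flood / no-flood.
        return "flood" if self.flood else "drop-unknown"


def run_samples(flood: bool) -> list[str]:
    """Inspect a constructed set of ARP packets against one static entry."""
    insp = ArpInspector(flood=flood)
    insp.add_static("inside", "192.168.1.26", "001b.7765.4321")   # the entry from the page
    samples = [
        ArpPacket("inside", "192.168.1.26", "001b.7765.4321"),   # legitimate host
        ArpPacket("inside", "192.168.1.26", "dead.beef.0001"),   # attacker spoofing the MAC
        ArpPacket("inside", "192.168.1.99", "001b.7765.4321"),   # known MAC claiming another IP
        ArpPacket("outside", "192.168.1.26", "001b.7765.4321"),  # right binding, wrong side
        ArpPacket("inside", "192.168.1.50", "aaaa.bbbb.cccc"),   # host with no static entry
    ]
    return [insp.inspect(p) for p in samples]


if __name__ == "__main__":
    for mode, results in (("flood", run_samples(True)), ("no-flood", run_samples(False))):
        print(mode, results)
```

The only difference between the two modes is the last packet: flood forwards the unknown host's ARP to every interface in the bridge group, no-flood drops it. Everything that conflicts with a static entry is dropped in both modes.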
Cut-through Proxy
The cut-through proxy requires the user to authenticate before the Cisco ASA passes any of their traffic. A common deployment is to authenticate users before they can reach a web server behind the ASA:
step 1. The user on the outside of the Cisco ASA attempts to create an HTTP connection to the web server behind the ASA.
step 2. The Cisco ASA intercepts the connection and prompts the user for authentication.
step 3. The Cisco ASA receives the user's credentials and sends an authentication request to the AAA server (RADIUS or TACACS+).
step 4. The server authenticates the user and returns an accept message to the Cisco ASA.
step 5. The Cisco ASA caches the authentication (later connections from that user are not re-prompted until the uauth timeout expires) and allows the traffic to the web server.
Because the prompt is delivered over HTTP, the credentials cross the outside network in clear text unless the ASA is configured to redirect the prompt to HTTPS (its secure HTTP client authentication option).
Active Standby Failover
Stateful failover needs a link to carry connection state from the active unit: a dedicated interface, or it can share the failover link.
The active unit uses the system IP addresses and the standby unit uses the standby addresses ("show ip" lists both).
All configuration is done on the active unit and is replicated to the standby unit over the failover link.
int Gig0/1
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
int Gig0/2
ip address 172.16.0.1 255.255.255.0 standby 172.16.0.2
The failover and state-link configuration must be entered on both units (it is identical apart from the unit role). The failover-link addresses are tied to the primary/secondary role and do not swap when the active role changes.
Primary Unit
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
Secondary Unit
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
Without a key, configuration replication (including passwords) and state replication cross the failover links in clear text; set the same key on both units to encrypt them (use a strong shared secret, not the placeholder shown):
(config)# failover key cisco
HTTP connection state is not replicated by default (HTTP connections are short-lived); to replicate it:
(config)# failover replication http
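Before enabling failover it is worth checking that the two units' failover configuration really is identical apart from the role, and that a key is set on both. The following is an added example (not Cisco code, not from these notes) that parses the "failover ..." lines as typed above and applies those checks; the configuration snippets and the list of placeholder keys are constructed for the example.

```python
"""Pre-flight check for an Active/Standby failover pair's configuration.

Added example; this is not Cisco code. It parses the "failover ..." lines
of each unit and checks: same failover/state link and addresses on both,
exactly one primary and one secondary, a key present on both and not an
obvious placeholder, and the same key on both.
"""
from typing import Any

PLACEHOLDER_KEYS = {"cisco", "password", "failover", "key"}   # constructed list of obvious placeholders


def parse_failover(config_text: str) -> dict[str, Any]:
    """Collect failover settings; the bare 'failover' line (which enables it) is ignored."""
    s: dict[str, Any] = {"interface_ip": {}}
    for raw in config_text.splitlines():
        w = raw.split()
        if len(w) < 2 or w[0] != "failover":
            continue
        if w[1:3] == ["lan", "unit"]:
            s["unit"] = w[3]
        elif w[1:3] == ["lan", "interface"]:
            s["lan_interface"] = (w[3], " ".join(w[4:]))        # (name, physical interface)
        elif w[1] == "link":
            s["state_link"] = (w[2], " ".join(w[3:]))
        elif w[1:3] == ["interface", "ip"]:
            s["interface_ip"][w[3]] = tuple(w[4:])              # name -> (ip, mask, 'standby', ip)
        elif w[1] == "key":
            s["key"] = " ".join(w[2:])
    return s


def check_pair(cfg_a: str, cfg_b: str) -> list[str]:
    """Return a list of problems; an empty list means the pair is consistent."""
    a, b = parse_failover(cfg_a), parse_failover(cfg_b)
    problems: list[str] = []
    if {a.get("unit"), b.get("unit")} != {"primary", "secondary"}:
        problems.append("unit roles must be exactly one primary and one secondary")
    for key in ("lan_interface", "state_link", "interface_ip"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs between the units")
    for name, unit in (("unit A", a), ("unit B", b)):
        key = unit.get("key")
        if not key:
            problems.append(f"{name}: no failover key; replication will be clear text")
        elif key.lower() in PLACEHOLDER_KEYS:
            problems.append(f"{name}: failover key is a placeholder value")
    if a.get("key") != b.get("key"):
        problems.append("failover keys differ; the units will not pair")
    return problems


# Constructed sample: the configuration from these notes, with a key added.
PRIMARY = """\
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.2
failover key cisco
failover
"""
SECONDARY_OK = PRIMARY.replace("lan unit primary", "lan unit secondary")
# Constructed mistakes: role left as primary, state-link standby address mistyped, key forgotten.
SECONDARY_BAD = """\
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/6
failover link STATEFULL GigabitEthernet0/7
failover interface ip FAILOVER 192.168.1.1 255.255.255.252 standby 192.168.1.2
failover interface ip STATEFULL 192.168.2.1 255.255.255.252 standby 192.168.2.3
failover
"""

if __name__ == "__main__":
    print(check_pair(PRIMARY, SECONDARY_OK))
    print(check_pair(PRIMARY, SECONDARY_BAD))
```

Run against the good pair the only findings are the placeholder key on both units; against the bad pair it also reports the duplicate primary role, the state-link address mismatch and the missing key.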
To show the unit's role (pri/sec) and state (act/stby) in the prompt:
(config)# prompt hostname priority state
ASA1/pri/act(config)#
To swap the active and standby roles, on the active unit:
ASA1/pri/act(config)# no failover active
Virtual Firewall (Multiple Mode)
When one physical firewall must serve two admin groups that must not be able to touch each other's configuration, the firewall can be logically divided into separate security contexts, each with its own configuration, interfaces and administrators.
Historically multiple-context mode did not support VPN or dynamic routing protocols; newer releases added several of these, so check the feature list for the release in use.
ASA# conf t
ASA(config)# copy startup-config backup.txt
ASA# show mode
Security context mode: single
ASA(config)# mode multi
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
!
The old running configuration file will be written to flash
Converting the configuration – this may take several minutes for a large configuration
The admin context configuration will be written to flash
The new running configuration file was written to flash
Security context mode: multiple
***
*** — SHUTDOWN NOW —
ASA# show mode
Security context mode: multiple
After the reboot the ASA comes up in the system execution space (system configuration).
The system configuration holds everything about the box itself (physical interfaces, failover, flash and image settings, the context definitions) but no nameif/IP addresses or access-lists; those belong to each context's own configuration.
CONFIGURE SECURITY CONTEXTS
Three Steps
Step 1 : Name Of Context
ASA(config)# admin-context admin1
ASA(config)# context admin1
Step 2 : Allocation of Resources
ASA(config-ctx)# allocate-interface gigabitethernet 9
Step 3 : config url
ASA(config-ctx)# config-url flash:/admin1.cfg
Note: when the ASA converts to multiple mode it writes the old single-mode configuration into an admin context file "admin.cfg" and names that context "admin" by default. Any configuration you then enter merges with what is already in that file, so either delete "admin.cfg" or use a different admin context name (admin1 above) with a fresh config-url.
Similarly configure CONTEXT1 & CONTEXT2 (contexts are defined from the system execution space, not from inside a context):
ASA# changeto system
ASA# conf t
ASA(config)# context CONTEXT1
ASA(config-ctx)# allocate-interface Gigabitethernet1 CONTEXT1_inside invisible
ASA(config-ctx)# allocate-interface Gigabitethernet3 CONTEXT1_outside invisible
ASA(config-ctx)# config-url disk0:/CONTEXT1.cfg
ASA(config-ctx)# context CONTEXT2
ASA(config-ctx)# allocate-interface Gigabitethernet2 CONTEXT2_inside invisible
ASA(config-ctx)# allocate-interface Gigabitethernet3 CONTEXT2_outside invisible
ASA(config-ctx)# config-url disk0:/CONTEXT2.cfg
Here "CONTEXT1_inside", "CONTEXT2_outside" etc. are mapped names for the physical interfaces; with the "invisible" keyword the admins of CONTEXT1 and CONTEXT2 see only the mapped name, not the physical interface. Gigabitethernet3 is shared by both contexts as their outside interface: the ASA classifies frames arriving on a shared interface by destination MAC, so each context needs its own MAC address on it (assigned manually, as done in the Active/Active section below, or with automatic MAC generation) and its own IP address.
CONFIGURE INTERFACES IN THE CONTEXT
ASA# changeto context CONTEXT1
ASA/CONTEXT1# conf t
ASA/CONTEXT1(config)# interface CONTEXT1_inside
ASA/CONTEXT1(config-if)# nameif INSIDE_CONTEXT1
ASA/CONTEXT1(config-if)# security-level 100
ASA/CONTEXT1(config-if)# ip address 11.11.11.11 255.255.255.0
ASA/CONTEXT1(config-if)# interface CONTEXT1_outside
ASA/CONTEXT1(config-if)# nameif OUTSIDE_CONTEXT1
ASA/CONTEXT1(config-if)# security-level 0
ASA/CONTEXT1(config-if)# ip address 99.99.99.99 255.255.255.0
ASA/CONTEXT1(config-if)# exit
ASA/CONTEXT1(config)# http server enable
ASA/CONTEXT1(config)# http 0.0.0.0 0.0.0.0 INSIDE_CONTEXT1
ASA/CONTEXT1(config)# end
The http command must reference the nameif of the context (there is no interface called "inside" here). "0.0.0.0 0.0.0.0" permits ASDM/HTTPS management from any inside host; restrict it to the management subnet in production. The outside interface is given security-level 0 so the usual high-to-low default applies; with both interfaces at 100 nothing would pass without same-security-traffic.
Now let's move to CONTEXT2 and configure its interfaces.
ASA/CONTEXT1# changeto context CONTEXT2
ASA/CONTEXT2# conf t
ASA/CONTEXT2(config)# interface CONTEXT2_inside
ASA/CONTEXT2(config-if)# nameif INSIDE_CONTEXT2
ASA/CONTEXT2(config-if)# security-level 100
ASA/CONTEXT2(config-if)# ip address 22.22.22.22 255.255.255.0
ASA/CONTEXT2(config-if)# interface CONTEXT2_outside
ASA/CONTEXT2(config-if)# nameif OUTSIDE_CONTEXT2
ASA/CONTEXT2(config-if)# security-level 0
ASA/CONTEXT2(config-if)# ip address 99.99.99.99 255.255.255.0
ASA/CONTEXT2(config-if)# end
These notes reuse 99.99.99.99 for CONTEXT2's outside. On a shared interface that is a mistake: Gigabitethernet3 is one wire, so each context must have its own address in the shared subnet (and its own MAC), otherwise both contexts answer ARP for the same address.
Configure Resource Classes
CiscoASA(config)# class default
CiscoASA(config-class)# limit-resource conns 20%
CiscoASA(config-class)# limit-resource routes 500
CiscoASA(config-class)# limit-resource vpn other 5
CiscoASA(config-class)# class silver
CiscoASA(config-class)# limit-resource conns 80%
CiscoASA(config-class)# limit-resource routes 2000
CiscoASA(config-class)# limit-resource vpn other 15
CiscoASA(config-class)# context CONTEXT1
CiscoASA(config-ctx)# member default
CiscoASA(config-ctx)# context CONTEXT2
CiscoASA(config-ctx)# member silver
Every context that has no "member" line (here admin1) is in the default class, so the default class's share is consumed once per such context, and percentage limits can be oversubscribed across contexts. A context with no limit at all can starve the others of connections, which is the reason for defining classes in the first place.
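What those classes actually guarantee each context, and whether together they oversubscribe the unit, is easy to get wrong by hand. The following is an added example (not Cisco code, not from these notes) that parses the class/limit-resource/member commands above, resolves each context's effective limit (no "member" line means the default class; a resource a class does not set inherits the default class's value, and is unlimited if the default class does not set it either) and sums the allocations against platform limits. The platform limits are constructed numbers for the example; on a real unit take them from "show resource allocation".

```python
"""Effective per-context resource limits and oversubscription check.

Added example; this is not Cisco code. Percentages are read as a share of
the (constructed) platform limit; absolute values are used as given.
"""
import re
from typing import Optional

PLATFORM_LIMITS = {"conns": 10000, "routes": 5000, "vpn other": 40}   # constructed
PERCENT = re.compile(r"^(\d+)%$")


def parse_resources(config: str) -> tuple[dict[str, dict[str, str]], dict[str, str]]:
    """Return ({class: {resource: raw limit}}, {context: class})."""
    classes: dict[str, dict[str, str]] = {"default": {}}
    contexts: dict[str, str] = {}
    current_class: Optional[dict[str, str]] = None
    current_ctx: Optional[str] = None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "class":
            current_class = classes.setdefault(w[1], {})
        elif w[0] == "limit-resource" and current_class is not None:
            current_class[" ".join(w[1:-1])] = w[-1]      # resource may be two words ("vpn other")
        elif w[0] == "context":
            current_ctx = w[1]
            contexts.setdefault(current_ctx, "default")    # no "member" => default class
        elif w[0] == "member" and current_ctx is not None:
            contexts[current_ctx] = w[1]
    return classes, contexts


def effective_limit(classes: dict[str, dict[str, str]], cls: str, resource: str) -> Optional[int]:
    """Absolute limit for one resource in one class, or None for unlimited."""
    raw = classes.get(cls, {}).get(resource) or classes["default"].get(resource)
    if raw is None:
        return None
    m = PERCENT.match(raw)
    return PLATFORM_LIMITS[resource] * int(m.group(1)) // 100 if m else int(raw)


def allocation_report(config: str) -> dict[str, dict[str, object]]:
    classes, contexts = parse_resources(config)
    report: dict[str, dict[str, object]] = {}
    for resource, platform_max in PLATFORM_LIMITS.items():
        per_ctx = {ctx: effective_limit(classes, cls, resource) for ctx, cls in contexts.items()}
        unlimited = [c for c, v in per_ctx.items() if v is None]
        total = sum(v for v in per_ctx.values() if v is not None)
        report[resource] = {
            "per_context": per_ctx,
            "total": total,
            "oversubscribed": total > platform_max or bool(unlimited),
            "unlimited": unlimited,    # a context with no cap can starve the rest
        }
    return report


# Constructed from the commands on this page; admin1 has no "member" line.
PAGE_CONFIG = """\
class default
 limit-resource conns 20%
 limit-resource routes 500
 limit-resource vpn other 5
class silver
 limit-resource conns 80%
 limit-resource routes 2000
 limit-resource vpn other 15
context admin1
context CONTEXT1
 member default
context CONTEXT2
 member silver
"""

if __name__ == "__main__":
    for resource, row in allocation_report(PAGE_CONFIG).items():
        print(resource, row)
```

With the page's numbers the connection allocation comes to 20% + 20% + 80% = 120% of the platform because admin1 silently sits in the default class, while routes and VPN sessions stay within the limits.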
Allocate a management interface (it may be shared) to every context so that each context's admins can connect to their own context, and only to it.
ACTIVE ACTIVE FAILOVER
Active/Active failover requires multiple-context mode: the two units share the load per failover group (each group carrying one or more contexts), not per connection.
Either firewall mode can be used, but both units must run the same mode (both routed or both transparent).
The two units in a failover pair must have the same hardware: the same model, the same number and types of interfaces, and the same amount of RAM.
ASA1 --> Primary -------> Group 1 ---> Context 1 ---> Active
ASA2 --> Secondary ----> Group 2 ---> Context 2 ---> Active
While sizing for failover, keep each unit's steady-state load below 50% of its capacity, so that one firewall can carry both groups when the other fails.
Standby IP addresses for data interfaces are configured inside each context, not in the system configuration.
By default there is no preemption: if ASA2 fails, ASA1 takes over both groups (and so both contexts), and when ASA2 comes back it stays standby for group 2 until preempt is configured for the group or an administrator moves the group back manually.
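The failure, return and preemption behaviour just described, as an added example (not Cisco code, not from these notes): a small simulation in which each failover group prefers one unit, a unit failure moves its groups to the survivor, and a returning unit takes its preferred groups back only after the preempt delay, or when an administrator issues "no failover active group N" on the unit currently active for it. It also applies the sizing rule from these notes (both groups' steady-state load must fit on one unit). Load figures and the event timeline are constructed.

```python
"""Active/Active failover groups: failure, return, preemption and sizing.

Added example; this is not Cisco code. Time is advanced explicitly so the
preempt delay can be observed.
"""
from dataclasses import dataclass
from typing import Optional

UNITS = ("primary", "secondary")


@dataclass
class FailoverGroup:
    number: int
    preferred: str                       # "primary" or "secondary"
    preempt_delay: Optional[int] = None  # seconds; None means no preemption
    load_pct: float = 0.0                # share of one unit's capacity this group uses
    active_on: str = ""


class ActiveActivePair:
    def __init__(self, groups: list[FailoverGroup]) -> None:
        self.groups = {g.number: g for g in groups}
        self.up = {u: True for u in UNITS}
        self.now = 0
        self.pending: list[tuple[int, int]] = []   # (due time, group number)
        for g in self.groups.values():
            g.active_on = g.preferred

    @staticmethod
    def other(unit: str) -> str:
        return "secondary" if unit == "primary" else "primary"

    def unit_fails(self, unit: str) -> None:
        self.up[unit] = False
        for g in self.groups.values():
            if g.active_on == unit:
                g.active_on = self.other(unit)          # the survivor takes every group
        self.pending = [p for p in self.pending if self.groups[p[1]].preferred != unit]

    def unit_returns(self, unit: str) -> None:
        self.up[unit] = True
        for g in self.groups.values():
            if g.preferred == unit and g.active_on != unit and g.preempt_delay is not None:
                self.pending.append((self.now + g.preempt_delay, g.number))

    def advance(self, seconds: int) -> None:
        """Let time pass; due preemptions move groups back to their preferred unit."""
        self.now += seconds
        remaining = []
        for due, number in self.pending:
            g = self.groups[number]
            if due <= self.now:
                if self.up[g.preferred]:
                    g.active_on = g.preferred
            else:
                remaining.append((due, number))
        self.pending = remaining

    def no_failover_active(self, number: int) -> None:
        """'no failover active group N' on the unit currently active for the group."""
        g = self.groups[number]
        if self.up[self.other(g.active_on)]:
            g.active_on = self.other(g.active_on)

    def active_map(self) -> dict[int, str]:
        return {n: g.active_on for n, g in sorted(self.groups.items())}

    def load_on(self, unit: str) -> float:
        return sum(g.load_pct for g in self.groups.values() if g.active_on == unit)

    def fits_on_one_unit(self) -> bool:
        """Sizing rule from the notes: the survivor must be able to carry both groups."""
        return sum(g.load_pct for g in self.groups.values()) <= 100


def scenario(preempt_delay: Optional[int], load_pct: float = 40.0) -> dict[int, str]:
    """Group 1 prefers primary, group 2 secondary; ASA2 fails, returns, then 120 s pass."""
    pair = ActiveActivePair([
        FailoverGroup(1, "primary", preempt_delay, load_pct),
        FailoverGroup(2, "secondary", preempt_delay, load_pct),
    ])
    pair.unit_fails("secondary")
    assert pair.active_map() == {1: "primary", 2: "primary"}   # primary carries both
    pair.unit_returns("secondary")
    pair.advance(120)
    return pair.active_map()


if __name__ == "__main__":
    print("no preempt :", scenario(None))
    print("preempt 120:", scenario(120))
```

Without preempt the returned ASA2 idles with both groups still on ASA1; with "preempt 120" group 2 moves back on its own two minutes after ASA2 is up, which is exactly the gap Step 8 below closes by hand when preempt is not configured.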
Now we already created CONTEXT1 & CONTEXT2 and assigned interface Gigabitethernet 1/Gigabitethernet 3 & Gigabitethernet 2/Gigabitethernet 3 respectively.
Step 1 : Configure the failover groups
There can only be two failover groups. "preempt 120" means the group's preferred unit waits 120 seconds after coming up before taking the group back, which gives it time to synchronise first. The admin context is always a member of failover group 1.
ASA1(config)# failover group 1
ASA1(config-fover-group)# primary
ASA1(config-fover-group)# preempt 120
ASA1(config-fover-group)# exit
ASA1(config)# failover group 2
ASA1(config-fover-group)# secondary
ASA1(config-fover-group)# preempt 120
ASA1(config-fover-group)# exit
Step 2 : Add each context to a failover group
ASA1(config)# context CONTEXT1
ASA1(config-ctx)# join-failover-group 1
ASA1(config-ctx)# exit
ASA1(config)# context CONTEXT2
ASA1(config-ctx)# join-failover-group 2
ASA1(config-ctx)# exit
Step 3 : Designate the primary and secondary unit
ASA1(config)# failover lan unit primary
Step 4 : Configure the names and IPs of the failover and state links
The commands below are the same for Active/Standby and Active/Active and must be entered on both units:
ASA1(config) # failover lan unit primary
ASA2(config) # failover lan unit secondary
ASA1/ASA2(config) # failover lan interface fail-config Gigabitethernet 4
ASA1/ASA2(config) # failover link fail-state Gigabitethernet 5
ASA1/ASA2(config) # failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
ASA1/ASA2(config) # failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2
Step 5 : Set Prompt to include context
ASA1(config) # prompt hostname context
Step 6 : In each context, assign the IP addresses (already done) and a virtual MAC address for the shared outside interface. The MAC must be 12 hex digits and unique per context (the "ccie..." values in these notes are placeholders, not valid MACs); it is what lets the classifier steer frames on the shared interface to the right context and keeps the MAC stable across a failover.
ASA1(config)# changeto context CONTEXT1
ASA1/CONTEXT1(config)# interface CONTEXT1_outside
ASA1/CONTEXT1(config-if)# mac-address ccie.6399.9936
ASA1/CONTEXT1(config-if)# changeto context CONTEXT2
ASA1/CONTEXT2(config)# interface CONTEXT2_outside
ASA1/CONTEXT2(config-if)# mac-address ccie.6399.9939
Step 7 : Enable Failover
failover
show failover
show failover state
Step 8 : Move group 2 to the secondary firewall
With preempt configured, group 2 moves to the secondary unit on its own once the secondary has been up for the preempt delay. To move it immediately, on the unit currently active for group 2:
ASA1/pri/act(config)# no failover active group 2
To save configuration in both primary and secondary firewall
ASA1# write memory all