Each ASA interface carries a security level from 0 (least trusted, typically outside) to 100 (most trusted, typically inside). Traffic from a higher security level to a lower one is allowed by default; traffic from a lower level to a higher one is denied by default.
Traffic between two interfaces that share the same security level is also denied by default (see the same-security-traffic command below).
To allow traffic from a lower security level to a higher one, an access list must be configured and applied inbound on the lower-security interface. Note that once an access list is bound to an interface, its implicit deny replaces the security-level default for that direction, so an access list on the outside interface must explicitly permit everything that should enter.
Cisco ASA is a stateful firewall: it maintains a connection state table and uses it to allow the return traffic of connections it has already seen, without a separate access list entry.
So when a user in the office types google.com in the browser, the outbound connection is permitted by the security levels and the returning web page is permitted because it matches the entry in the state table.
The same applies to passive FTP, where the client initiates both connections.
Passive FTP
In FTP, port 21 carries the control connection; in active mode the server opens the data connection from port 20 back to the client. Passive mode avoids that inbound connection:
The client connects to the FTP server on port 21, i.e. the source port is a random high-numbered port and the destination port is 21.
When the client sends PASV, the server replies (a 227 response) with a random high-numbered port on which it is listening for the data connection, used in place of port 20.
The client initiates the data connection to the server on that port.
The server responds with an ACK and the FTP session is established. Because the client initiates both connections, a firewall on the client side sees only outbound traffic and its state table allows the replies. When the FTP server sits behind the ASA (for example in the DMZ) the data connection arrives inbound on an unpredictable port, which is why the ASA inspects the control channel (inspect ftp) and opens a temporary pinhole for the data port announced in the 227 reply.
Configuring FTP to be inspected on the nonstandard port in addition to port 21
Let's say we want to enable additional port 2100 for FTP inspection.
Step 1: Create an access list to match port 2100
access-list FTP-list extended permit tcp any any eq 2100
Step 2: Create a class map to match that access-list
class-map FTP2100
match access-list FTP-list
(Access list names are case-sensitive, so the name under match access-list must be spelled exactly as it was created.)
Alternatively, match TCP port 2100 directly in the class map without an access list:
class-map FTP2100
match port tcp eq 2100
Step 3: Enter the global_policy, call the class map created above, and set the action to inspect ftp on it.
policy-map global_policy
class FTP2100
inspect ftp
Assuming the service policy is already applied globally (service-policy global_policy global), FTP inspection now runs on port 2100 in addition to port 21, which the default class inspection_default already covers.
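What the inspection engine actually does with the control channel, as an added Python model (this is not ASA code and not part of the original notes): the inspector only watches control-connection ports in its inspect set (21 from the default class plus 2100 from the FTP2100 class above), parses the server's 227 reply, and records a pinhole for the data port the client is about to connect to. The addresses, the reply text and the refusal of a 227 reply that points at a third host are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# 227 reply format from RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (ip, port) announced in a 227 reply, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    h = m.groups()
    ip = ".".join(h[:4])
    port = int(h[4]) * 256 + int(h[5])   # port is sent as two bytes, high then low
    return ip, port


@dataclass
class FtpInspector:
    # Control-channel ports the engine is bound to: 21 from the default class
    # inspection_default plus 2100 from the class FTP2100 configured above.
    inspect_ports: set = field(default_factory=lambda: {21, 2100})
    # Dynamic pinholes: (client_ip, server_ip, server_data_port)
    pinholes: set = field(default_factory=set)

    def on_server_reply(self, client_ip, server_ip, server_port, payload):
        """Inspect server->client text on a control connection.

        Returns the (ip, port) a pinhole was opened for, or None if the port is
        not inspected or the payload carries no usable 227 reply.
        """
        if server_port not in self.inspect_ports:
            return None   # not inspected: the data SYN will be judged by the ACL alone
        for line in payload.splitlines():
            parsed = parse_pasv(line)
            if parsed is None:
                continue
            data_ip, data_port = parsed
            # A 227 reply pointing at a third host would turn the pinhole into a
            # bounce relay; refuse it (constructed policy for this example).
            if data_ip != server_ip:
                continue
            self.pinholes.add((client_ip, data_ip, data_port))
            return data_ip, data_port
        return None

    def permits_data_syn(self, client_ip, server_ip, server_port):
        """Would the client's SYN for the data connection be admitted by a pinhole?"""
        return (client_ip, server_ip, server_port) in self.pinholes
```

A control connection on port 2121 is not in the inspect set, so its 227 reply opens nothing and the data SYN has to be permitted by an access list entry instead; that is exactly the gap the extra class map closes for port 2100.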
Default Policy on ASA
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
NAT Control
When enabled, nat-control required traffic going from a higher-security interface to a lower-security interface to match a NAT rule; packets without a matching translation were dropped.
The command was removed in ASA 8.3 and later, where the behaviour is always that of nat-control disabled: traffic that matches no NAT rule is forwarded untranslated.
THREE Sections of NAT
On ASA 8.3 and later the NAT table is evaluated top-down in three sections; the first matching rule wins and no later rule is consulted.
Manual NAT (Section 1)
Manual (twice) NAT rules are checked first, in the order they are configured. A rule can match on both source and destination, so "from Source A going to Destination B, translate A to C" is expressed directly:
A (10.10.10.10) --> B (100.100.100.100)
C (20.20.20.20)--> B (100.100.100.100)
If the same rule also translates the destination, so that when Source A goes to Destination B the firewall translates A to C and B to D, it's called Double NAT (twice NAT):
A (10.10.10.10) --> B (100.100.100.100)
C (20.20.20.20)--> D (101.101.101.101)
Auto NAT (Section 2)
Auto NAT (object NAT) is configured under a network object and translates only that object's own address; it cannot match on the destination. If source A belongs to the object's range (10.10.10.0/24), it is translated to the defined pool (20.20.20.20-24) whatever destination B is:
A (10.10.10.10) --> B (100.100.100.100)
C (20.20.20.20-24)--> B (100.100.100.100)
Manual NAT after Auto NAT (Section 3)
Manual NAT rules configured with the after-auto keyword are checked last, only if nothing in Section 1 or Section 2 matched. They use the same source-and-destination syntax as Section 1 and are typically broad rules, e.g. each source subnet translated to a single mapped address (PAT) for a fixed destination:
A (10.10.10.0/24) --> B (100.100.100.100)
C (20.20.20.20)--> B (100.100.100.100)
and for a second subnet:
A (10.10.11.0/24) --> B (100.100.100.100)
C (20.20.20.21)--> B (100.100.100.100)
Static NAT
If the organization wants to make a server reachable from the internet, the server must be reachable at a public IP address.
Generally, instead of assigning the public IP to the server itself, its private IP is mapped one-to-one to a public IP on the firewall (static NAT).
Apart from creating the NAT entry on the firewall, we also need an access list to permit that traffic, i.e. traffic from OUTSIDE (low security) to DMZ (high security). On ASA 8.3 and later the access list refers to the server's real (private) address, not the mapped public one.
ASA access lists use a subnet mask, not a wildcard mask as on IOS routers.
Modular Policy Framework
Class Map: defines the traffic to act on, e.g. by matching an access list
Policy Map: the action to apply to each class
Service Policy: applies the policy map to an interface or globally
Example
access-list dmz-ftp extended permit tcp any any eq ftp
class-map FTP_Class_Map
match access-list dmz-ftp
policy-map FTP_Policy_Map
class FTP_Class_Map
inspect ftp
service-policy FTP_Policy_Map interface dmz
Class map and policy map names are case-sensitive, so the name under class must match the class-map exactly.
There is also a default service policy (global_policy) applied to all interfaces. An interface policy and the global policy can both apply to the same interface, but for any one feature (such as FTP inspection) the interface policy takes precedence over the global one on that interface.
show run class-map / show run policy-map / show run service-policy
Embryonic Connection
An embryonic connection is basically a half-open connection.
It means the host sent a SYN, the server replied with SYN-ACK and is now waiting for the ACK back from the host.
If the host never sends the ACK, the TCP handshake is never completed.
A large number of such connections may indicate a Denial-of-Service (DoS) attack.
The classic form is SYN flooding: the attacker sends a stream of TCP SYN packets, typically from spoofed IP addresses, so the final ACKs never arrive.
The constant flood of SYN packets can prevent servers from handling legitimate connection requests.
class-map TCP-Sessions
match port tcp range 1 65000
policy-map Conn-Limits
class TCP-Sessions
set connection conn-max 500 embryonic-conn-max 50
set connection timeout idle 0:15:00
service-policy Conn-Limits interface outside
conn-max n argument
sets the maximum number of simultaneous TCP and/or UDP connections allowed, between 0 and 65535. The default is 0, which allows unlimited connections.
embryonic-conn-max
This argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535. The default is 0, which allows unlimited connections.
The idle timeout removes entries from the ASA state table for connections that have been idle for the specified time; the default for TCP is one hour.
Normally TCP entries are deleted as soon as the ASA sees the connection terminated (FIN or RST).
With this configuration, a TCP session that stops passing traffic is removed from the state table once the 15-minute idle timeout is reached.
Note that when the embryonic limit is reached the ASA does not simply discard new SYNs: it engages TCP intercept, answering the handshake on the server's behalf and only opening the connection to the server once the client completes it, so spoofed SYNs never consume server resources.
By running show conn count we can check the number of open connections.
Advanced TCP Options
TCP option 19
TCP option 19 carries the TCP MD5 signature (RFC 2385), the mechanism BGP uses when MD5 neighbor authentication is configured.
So if an ASA sits between two routers with a BGP neighborship there is no issue by default, but if BGP MD5 authentication is used the session fails, because the ASA strips TCP option 19 from the segments.
By default the ASA also randomizes the TCP initial sequence number of every session passing through it. The MD5 signature covers the TCP header including the sequence number, so rewriting the sequence number invalidates the signature even if the option itself is passed.
To resolve both issues we create a TCP map that allows TCP option 19 and disable TCP sequence number randomization for the specific BGP traffic class.
Step1:
Match the BGP traffic with an ACL:
access-list bgp-traffic extended permit tcp host 10.11.11.11 host 10.22.22.22 eq bgp
access-list bgp-traffic extended permit tcp host 10.22.22.22 host 10.11.11.11 eq bgp
Step2:
Allow TCP option 19 with a TCP Map.
tcp-map ALLOW-TCP-19
tcp-options range 19 19 allow
Step3:
Create a class map to match the BGP Traffic.
class-map BGP-CLASS
match access-list bgp-traffic
Step4:
Use the Global Policy to apply all the actions:
policy-map global_policy
class BGP-CLASS
set connection random-sequence-number disable
set connection advanced-options ALLOW-TCP-19
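Both halves of the fix can be demonstrated at the byte level. The Python below is an added example (not ASA code, not from the original notes): it parses the option area of a TCP header, applies a tcp-map style allow/clear decision, and computes the RFC 2385 signature so that changing only the sequence number visibly changes the digest. The option block, the addresses and the key are constructed; DEFAULT_ALLOWED stands in for a normaliser that keeps MSS, window scale, SACK-permitted and timestamp and clears the rest, and is an assumption rather than the exact ASA default list. Clearing is modelled as overwriting the option with NOPs so the header length is unchanged.

```python
import hashlib
import socket
import struct

MD5_SIG = 19  # TCP option kind 19: MD5 signature (RFC 2385), used for BGP authentication


def parse_tcp_options(raw):
    """Return a list of (offset, kind, length, data) for the options in a TCP header.
    Kinds 0 (end of list) and 1 (NOP) are single bytes; every other option carries a
    length byte that covers kind, length and data."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            out.append((i, 1, 1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option")
        out.append((i, kind, length, bytes(raw[i + 2:i + length])))
        i += length
    return out


def apply_tcp_map(raw, allowed):
    """Model of tcp-map option handling: options whose kind is in `allowed` pass
    untouched, all others are cleared (overwritten with NOPs here)."""
    buf = bytearray(raw)
    for offset, kind, length, _ in parse_tcp_options(raw):
        if kind not in (0, 1) and kind not in allowed:
            buf[offset:offset + length] = b"\x01" * length
    return bytes(buf)


def tcp_md5_digest(src_ip, dst_ip, sport, dport, seq, ack, flags, window, options, payload, key):
    """RFC 2385 signature: MD5 over the TCP pseudo-header, the fixed TCP header with
    checksum zero and options excluded, the payload, and the shared key. The sequence
    number sits inside the hashed header, which is why sequence number randomization
    breaks BGP MD5 even when option 19 itself is allowed through."""
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)
    seg_len = 20 + len(options) + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)
    return hashlib.md5(pseudo + header + payload + key).digest()


# Constructed option block: MSS 1460, two NOPs, then an MD5 signature option
# (kind 19, length 18) with a zeroed digest placeholder.
SAMPLE_OPTIONS = b"\x02\x04\x05\xb4" + b"\x01\x01" + bytes([MD5_SIG, 18]) + b"\x00" * 16
# Assumed allow set for a normaliser that keeps MSS, window scale, SACK-permitted
# and timestamp and clears everything else (not the exact ASA default list).
DEFAULT_ALLOWED = {2, 3, 4, 8}
BGP_ALLOWED = DEFAULT_ALLOWED | {MD5_SIG}   # effect of "tcp-options range 19 19 allow"
```

With DEFAULT_ALLOWED the option 19 bytes come out as NOPs and the receiving router sees a segment with no signature; with BGP_ALLOWED the block passes unchanged. The two digests in the test differ only because the sequence number moved by one, which is what the ASA's randomization does to every segment unless it is disabled for the class.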
TCP State bypass
A host initiates a TCP conversation with the three-way handshake.
The ASA checks the state of each packet and assigns it to either the session management path (a new connection, i.e. a SYN packet), the fast path (an established connection), or the control plane path (advanced inspection).
Both the outbound and the inbound flow of a connection must therefore pass through the same ASA; a packet for which no connection entry exists (for example an ACK arriving without the preceding SYN) is dropped, which breaks deployments that use asymmetric routing.
The solution is to tell the ASA to bypass TCP state checks for the affected traffic.
Step 1: Create an access list matching the traffic to exclude from TCP SYN checks.
access-list NoSYNChecksACL extended permit tcp 172.16.0.0 255.240.0.0 172.16.0.0 255.240.0.0 log disable
Step 2: Create a class map to identify packets based on the ACL
class-map NoSYNChecksCM
match access-list NoSYNChecksACL
Step 3: Create a Policy Map to tell the ASA to bypass TCP state checks ( SYN / ACK ) for traffic matching our class map.
policy-map NoSYNChecksPM
class NoSYNChecksCM
set connection timeout idle 0:15:00
set connection advanced-options tcp-state-bypass
service-policy NoSYNChecksPM interface Inside
With state bypass in place the ASA builds a connection entry from whichever packet it sees first, so the return half of an asymmetrically routed flow is accepted. The trade-off is that TCP normalization, TCP intercept and the embryonic limits, sequence number randomization and application inspection are not applied to the matched traffic, so keep the access list as narrow as possible.
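The following Python model is an added example, not ASA code and not text from the original notes. It ties together three passages on this page: the stateful return-traffic behaviour described at the top, the conn-max / embryonic-conn-max limits and idle timeout from the Embryonic Connection section, and the TCP state bypass configured above. One connection table handles all three: a SYN creates an embryonic entry subject to the limits, the client's handshake ACK promotes it, return traffic is matched by the reverse lookup, a mid-stream packet without an entry is dropped unless the flow matches a bypass pair, and an idle sweep removes stale entries. Where the real ASA would engage TCP intercept at the embryonic limit, the model simply refuses the SYN. Addresses and the packet sequence in the test are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Conn:
    key: tuple            # (client_ip, client_port, server_ip, server_port)
    state: str            # "embryonic" until the client's handshake ACK, then "established"
    last_seen: float
    fins: int = 0         # FINs seen; two of them close the connection


@dataclass
class ConnTable:
    conn_max: int = 0              # 0 = unlimited, as on the ASA
    embryonic_max: int = 0         # 0 = unlimited
    idle_timeout: float = 3600.0   # ASA default TCP idle timeout: one hour
    bypass: list = field(default_factory=list)   # (src_net, dst_net) pairs from the bypass ACL
    conns: dict = field(default_factory=dict)

    def _bypassed(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
                   for a, b in self.bypass)

    def _lookup(self, src, sport, dst, dport):
        """Find an entry in either direction; returns (conn, 'fwd'|'rev') or (None, None)."""
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in self.conns:
            return self.conns[fwd], "fwd"
        if rev in self.conns:
            return self.conns[rev], "rev"
        return None, None

    def embryonic_count(self):
        return sum(1 for c in self.conns.values() if c.state == "embryonic")

    def process(self, src, sport, dst, dport, flags, now):
        """Classify one segment; flags is a string made of S, A, F, R.
        Returns 'allow' or 'drop:<reason>'."""
        conn, direction = self._lookup(src, sport, dst, dport)
        if conn is None:
            if self._bypassed(src, dst):
                # tcp-state-bypass: build state from whatever packet arrives first,
                # so the half of an asymmetric flow this ASA sees is accepted
                self.conns[(src, sport, dst, dport)] = Conn((src, sport, dst, dport), "established", now)
                return "allow"
            if "S" not in flags or "A" in flags:
                return "drop:no-connection"        # mid-stream packet without state
            if self.conn_max and len(self.conns) >= self.conn_max:
                return "drop:conn-max"
            if self.embryonic_max and self.embryonic_count() >= self.embryonic_max:
                # simplified: the real ASA answers with TCP intercept instead of dropping
                return "drop:embryonic-conn-max"
            self.conns[(src, sport, dst, dport)] = Conn((src, sport, dst, dport), "embryonic", now)
            return "allow"
        conn.last_seen = now
        if "R" in flags:
            del self.conns[conn.key]               # RST tears the entry down immediately
            return "allow"
        if conn.state == "embryonic" and direction == "fwd" and "A" in flags and "S" not in flags:
            conn.state = "established"             # third packet of the handshake
        if "F" in flags:
            conn.fins += 1
            if conn.fins >= 2:
                del self.conns[conn.key]
        return "allow"

    def expire(self, now):
        """Idle-timeout sweep (set connection timeout idle); returns entries removed."""
        stale = [k for k, c in self.conns.items() if now - c.last_seen > self.idle_timeout]
        for k in stale:
            del self.conns[k]
        return len(stale)
```

The embryonic limit of 2 in the test is deliberately tiny so that the third spoofed SYN is refused; the production value of 50 from the configuration above works the same way, only later. Note that half-open entries sit in the table until the idle sweep, which is why the embryonic limit and the idle timeout belong in the same policy.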
Redundant Interface
A redundant interface is a logical interface made up of a pair of physical interfaces, one active and one standby. When the active interface fails, the standby interface becomes active and carries the same configuration.
Redundant interfaces are numbered from 1 to 8 and are named redundant X.
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
To force a switch of the active member:
(config)# redundant-interface redundant 1 active-member GigabitEthernet0/1
When a physical interface is added to a redundant group the firewall removes the interface-level configuration (nameif, security-level, IP address) from that physical interface; those settings live on the logical Redundant interface instead.
The logical redundant interface takes the MAC address of the first member interface added to the group.
This MAC address does not change when a member interface fails over, but it does change if you swap the order of the physical interfaces in the pair.
TCP 3-way handshake
It is the procedure a TCP/IP client and server use to establish a connection before any application data is exchanged.
SYN: the client sends a segment with the SYN flag set and its initial sequence number, asking the server to open a connection.
SYN-ACK: the server replies with both SYN and ACK set; ACK acknowledges the client's SYN, and SYN carries the server's own initial sequence number.
ACK: the client acknowledges the server's SYN. Both sides now have an established connection and data transfer begins.
(config)# same-security-traffic permit intra-interface
This lets traffic enter and exit the same interface (hairpinning), which is normally not allowed. It is useful for VPN traffic that enters the outside interface and is then routed back out of that same interface to reach a server hosted in the cloud.
(config)# same-security-traffic permit inter-interface
This allows traffic between all interfaces that share the same security level, without an access list, which may not always be desirable.
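The default security-level behaviour from the top of this page and the two same-security-traffic switches above combine into one decision for the first packet of a connection. The Python below is an added example (not ASA code and not from the original notes) that models that decision: an inbound access list, when bound, decides with an implicit deny; otherwise higher-to-lower passes and lower-to-higher is refused; and same-level or same-interface traffic is refused unless the corresponding same-security-traffic permit is set, even if an access list permitted it. The topology, the interface names and the DMZ server address are constructed; the outside access list refers to the real (private) address, as ASA 8.3+ access lists do.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def acl_match(acl, src, dst, dport):
    """Evaluate an inbound access list: first matching entry wins, implicit deny at the end.
    Entries are (action, src_net, dst_net, dport) with dport None meaning any port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, port in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net) \
                and port in (None, dport):
            return "permit" if action == "permit" else "deny:acl"
    return "deny:acl-implicit"


@dataclass
class Interface:
    name: str
    security_level: int              # 0 (least trusted) .. 100 (most trusted)
    acl_in: Optional[list] = None    # None = no access list bound inbound


@dataclass
class Asa:
    interfaces: dict
    permit_inter_interface: bool = False   # same-security-traffic permit inter-interface
    permit_intra_interface: bool = False   # same-security-traffic permit intra-interface

    def decide(self, in_if, out_if, src, dst, dport):
        """Verdict for the first packet of a new connection entering in_if and leaving out_if."""
        a, b = self.interfaces[in_if], self.interfaces[out_if]
        if a.acl_in is not None:
            verdict = acl_match(a.acl_in, src, dst, dport)
            if verdict != "permit":
                return verdict
        # the same-security-traffic gates apply even when the ACL permits
        if in_if == out_if:
            return "permit" if self.permit_intra_interface else "deny:intra-interface"
        if a.security_level == b.security_level:
            return "permit" if self.permit_inter_interface else "deny:same-security-level"
        if a.acl_in is not None or a.security_level > b.security_level:
            return "permit"
        return "deny:lower-to-higher-without-acl"


# Constructed topology: inside 100, dmz 50, partner 50, outside 0 with an ACL that
# admits only FTP to the DMZ server's real address.
ASA = Asa(interfaces={
    "inside": Interface("inside", 100),
    "dmz": Interface("dmz", 50),
    "partner": Interface("partner", 50),
    "outside": Interface("outside", 0, acl_in=[("permit", "0.0.0.0/0", "192.168.10.10/32", 21)]),
})
```

Flipping the two permit flags on the ASA object is the model's equivalent of entering the two same-security-traffic commands; nothing else in the decision changes, which is why enabling inter-interface traffic deserves a second look on a box with several interfaces at the same level.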
Unicast Reverse Path Filtering (uRPF)
Normally routing looks only at the destination IP address.
With uRPF enabled on an interface, the ASA also looks up the source IP of each packet arriving on it in the routing table. If the route back to that source does not point out the interface the packet arrived on, the packet is considered spoofed and is dropped.
Configuration --> Firewall --> Advanced --> Anti-Spoofing
(config)# ip verify reverse-path interface outside
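The reverse-path check is a routing-table lookup on the source address, which the following Python model shows (an added example; not ASA code and not from the original notes). The routing table, the interface names and the packets in the test are constructed: a default route out of outside, the RFC 1918 block 10.0.0.0/8 behind inside and the DMZ subnet behind dmz, so a packet arriving on outside that claims a 10.x source is caught because the longest match for its source points back inside.

```python
import ipaddress


class RoutingTable:
    def __init__(self, routes):
        """routes: (prefix, egress_interface) pairs; stored longest-prefix first."""
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def egress_for(self, ip):
        """Longest-prefix match, as the ASA routing table does for forwarding."""
        a = ipaddress.ip_address(ip)
        for net, iface in self.routes:
            if a in net:
                return iface
        return None

    def urpf_check(self, ingress, src_ip, verify_on):
        """Model of 'ip verify reverse-path interface <ingress>': a packet passes only if
        the route back to its source leaves through the interface it arrived on.
        verify_on is the set of interfaces the command has been applied to."""
        if ingress not in verify_on:
            return "pass:urpf-not-enabled"
        back = self.egress_for(src_ip)
        if back is None:
            return "drop:no-route-to-source"
        return "pass" if back == ingress else "drop:spoofed-expected-" + back


# Constructed routing table for the checks below.
RIB = RoutingTable([
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("192.168.10.0/24", "dmz"),
])
```

Because the default route points out of outside, any public source arriving there passes; the check only bites when a more specific route says the source lives elsewhere, which is exactly the anti-spoofing property the command is meant to give.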