Category Archives: Cisco ASA

ASA FirePOWER Licensing

ASA FirePOWER Module Licenses

Licenses allow your device to perform a variety of functions including:

  • Intrusion Detection and Prevention
  • Security Intelligence filtering
  • File Control and Advanced Malware Protection
  • Application, User, and URL Control

Certain licenses, like the Control license, are perpetual. Other licenses require that you purchase a service subscription to enable the license.

License Type  Service Subscription Capabilities Prerequisite Expire Capable
Protection TA Intrusion Detection and Prevention, File Control,
Security Intelligence Filtering
None No
Control None (included with module) User and Application Control Protection No
Malware TAM, TAMC, AMP Advanced Malware
Protection (Network-based
Malware Detection and
Blocking)
Protection Yes
URL Filtering TAC, TAMC, URL Category and Reputation-based URL Filtering Protection Yes
Service Subscriptions
Subscription Types License You Assign in FirePOWER System
TA Control + Protection (a.k.a. “Threat & Apps,” required for system updates)
TAC Control + Protection + URL Filtering
TAM Control + Protection + Malware
TAMC Control + Protection + URL Filtering + Malware
AMP Malware (add-on where TA is already present)
URL URL Filtering (add-on where TA is already present)

TA – Threat & Apps License required for system updates
TAC – URL Filtering license as a services subscription combined with Threat & Apps
TAM – Malware license as a subscription combined with Threat & Apps
TAMC – Malware license as a subscription combined with Threat & Apps and URL Filtering
AMP – Advanced Malware Protection License
URL – URL Filtering License

Protection License
  • Intrusion Detection and Prevention – It allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
  • File control – It allows you to detect and, optionally, block users from uploading or downloading files of specific types over specific application protocols. With a Malware license , you can also inspect and block a restricted set of those file types
    based on their malware dispositions.
  • Security Intelligence Filtering – It allows you to blacklist (deny traffic to and from) specific IP addresses, before the traffic is subjected to analysis by access control rules.  Dynamic feeds allow to immediately blacklist connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.

A Protection license is automatically included (along with a Control license) in the purchase of an ASA FirePOWER module. This license is perpetual, but you must also purchase a TA subscription to enable system updates.

Control License

A Control license allows you to implement user and application control by adding user and application conditions to access control rules. To enable Control, you must also enable Protection.

A Control license is automatically included (along with a Protection license) in the purchase of an ASA FirePOWER module. This license is perpetual, but you must also purchase a TA subscription to enable system updates.

Malware License

A Malware license allows you to perform advanced malware protection, that is, use devices to detect and block malware in files transmitted over your network. To enable Malware on a device, you must also enable Protection.

URL Filtering License

URL filtering allows you to write access control rules that determine the traffic that can traverse network based on URLs requested by monitored hosts, correlated with information about those URLs, which is obtained from the Cisco cloud by the ASA FirePOWER module. To enable URL Filtering, you must also enable a Protection license.

Test AAA Server on Cisco ASA and IOS Devices

When We configure AAA on Cisco ASA or any IOS device (Router/Switch), it is always a good practice to confirm that the configuration is good and the server is available and responding correctly.

Cisco IOS:

Radius Server IP Address: 10.1.2.3
Username: amolak
Password: password123

ROUTER-1#test aaa group radius server 10.1.2.3 amolak password123 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

ROUTER-1#test aaa group radius server 10.1.2.3 amolak wrongpassword legacy  
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.

Cisco ASA:

Radius Servers Group Name: RADIUS-SERVERS
Radius Server IP Address: 10.1.2.3
Username: amolak
Password: password123

ASA-1# test aaa-server authentication RADIUS-SERVERS
Server IP Address or name: 10.1.2.3
Username: amolak
Password: password123
INFO: Attempting Authentication test to IP address <10.1.2.3> (timeout: 12 seconds)
INFO: Authentication Successful

ASA-1# test aaa-server authentication RADIUS-SERVERS
Server IP Address or name: 10.1.2.3
Username: amolak
Password: wrongpassword
INFO: Attempting Authentication test to IP address <10.1.2.3> (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure

Note that you can choose the group, or specific server in the group. This makes it possible to check all servers in the group are working.

Self Signed Certificate for WebVPN on ASA

We will configure self signed certificate on Cisco ASA for AnyConnect (WebVPN).

1.Generate an RSA key for the certificate. The name should be unique. For example, sslvpnkeypair.

ASA-1(config)#crypto key generate rsa label sslvpnkeypair modulus 1024
INFO: The name for the keys will be: sslvpnkeypair
Keypair generation process begin. Please wait…

2. Create a trustpoint for the self-issued certificate.

ASA-1(config)#crypto ca trustpoint self

3. The fully qualified domain name is used for both fqdn and CN. The name should resolve to the ASA outside interface IP address.

ASA-1(config-ca-trustpoint)#enrollment self
ASA-1(config-ca-trustpoint)#fqdn vpn.amolak.net
ASA-1(config-ca-trustpoint)#subject-name CN=vpn.amolak.net

4. The RSA key is assigned to the trustpoint for certificate creation.

ASA-1(config-ca-trustpoint)#keypair sslvpnkeypair

5. Assign the trustpoint to be used for SSL connections on the outside interface.

ASA-1(config-ca-trustpoint)#crypto ca enroll self noconfirm
% The fully-qualified domain name in the certificate will be: vpn.amolak.net
ASA-1(config)# ssl trust-point self outside

Final Configuration:

crypto key generate rsa label sslvpnkeypair modulus 1024
!
crypto ca trustpoint self
 enrollment self
 fqdn vpn.amolak.net
 subject-name CN=vpn.amolak.net
 keypair sslvpnkeypair
!
crypto ca enroll self noconfirm
!
ssl trust-point self outside

ASA Static Route with Object Tracking

We will use following topology to configure floating static route on Cisco ASA with Object Tracking.

Objective of this task:

  1. Configure floating static route with object tracking
  2. Configure Dynamic NAT via Primary and Backup Link
  3. Configure Static NAT with auto failover between Primary and Backup Link

asa-static-route-track

 

Basic Configuration on ASA:

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 1.1.14.1 255.255.255.0 
!
interface GigabitEthernet1
 nameif outside-2
 security-level 0
 ip address 2.2.14.1 255.255.255.0 
!
interface GigabitEthernet2
 nameif inside
 security-level 100
 ip address 10.10.123.1 255.255.255.0 
!
  • Primary internet link IP subnet is 1.1.14.0/24 and ISP GW IP is 1.1.14.4.
  • Backup internet link IP subnet is 2.2.14.0/24 and ISP GW IP is 2.2.14.4
  • We will track reachability to IP address 4.4.4.4 via primary internet link to confirm if it is working fine.
# Configure static route to reach IP address 4.4.4.4 via primary internet link

route outside 4.4.4.4 255.255.255.255 1.1.14.4

# Create SLA Monitor session

sla monitor 101
 type echo protocol ipIcmpEcho 4.4.4.4 interface outside
 num-packets 5
 frequency 10
sla monitor schedule 101 life forever start-time now

# Create track session

track 1 rtr 101 reachability

# Configure default route via primary internet link with tracking

route outside 0.0.0.0 0.0.0.0 1.1.14.4 1 track 1

# Configure default route via backup internet link with higher administrative distance (i.e, 200, default AD is 1 for static route)

route outside-2 0.0.0.0 0.0.0.0 2.2.14.4 200

# Configure Dynamic NAT rule for LAN users to access internet via primary or backup internet link

object network ANY
 subnet 0.0.0.0 0.0.0.0
!
object network ANY-2
 subnet 0.0.0.0 0.0.0.0
!
object network ANY
 nat (inside,outside) dynamic interface
!
object network ANY-2
 nat (inside,outside-2) dynamic interface

Verify default route and internet access

# Verify SLA Monitor configuration

ASA# show sla monitor configuration 
SA Agent, Infrastructure Engine-II
Entry number: 101
Owner: 
Tag: 
Type of operation to perform: echo
Target address: 4.4.4.4
Interface: outside
Number of packets: 5
Request size (ARR data portion): 28
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0x0
Verify data: No
Operation frequency (seconds): 10
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Enhanced History:

# Verify SLA Monitor operational status

ASA# show sla monitor operational-state 
Entry number: 101
Modification time: 09:54:01.469 UTC Sat Aug 1 2015
Number of Octets Used by this Entry: 1480
Number of operations attempted: 34
Number of operations skipped: 0
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: FALSE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): 8
Latest operation start time: 09:59:31.479 UTC Sat Aug 1 2015
Latest operation return code: OK
RTT Values:
RTTAvg: 8       RTTMin: 1       RTTMax: 20
NumOfRTT: 5     RTTSum: 42      RTTSum2: 602

# Verify track status

ASA# show track 
Track 1
  Response Time Reporter 101 reachability
  Reachability is Up
  2 changes, last change 00:05:45
  Latest operation return code: OK
  Latest RTT (millisecs) 4
  Tracked by:
    STATIC-IP-ROUTING 0

# Verify routing

ASA# show run route
route outside 0.0.0.0 0.0.0.0 1.1.14.4 1 track 1
route outside-2 0.0.0.0 0.0.0.0 2.2.14.4 200
route outside 4.4.4.4 255.255.255.255 1.1.14.4 1
 
ASA# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 1.1.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.14.4, outside

# Ping internet IP address 5.5.5.5 (It is configured on R5)

R2#ping 5.5.5.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/36/48 ms

# Verify NAT on ASA

ASA# show xlate 
3 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:09:24 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:09:30 timeout 0:00:00
ICMP PAT from inside:10.10.123.2/2 to outside:1.1.14.1/35590 flags ri idle 0:00:28 timeout 0:00:30

ASA# show conn address 5.5.5.5
1 in use, 4 most used
ICMP outside 5.5.5.5:0 inside 10.10.123.2:3, idle 0:00:00, bytes 72

# Let's simulate primary internet link failure
# Shutdown int f0/0 on R4

R4#sh run int f0/0
Building configuration...

Current configuration : 92 bytes
!
interface FastEthernet0/0
 ip address 1.1.14.4 255.255.255.0
 speed 100
 full-duplex
end

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int f0/0
R4(config-if)#shut 
R4(config-if)#
*Mar  1 00:13:08.571: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Mar  1 00:13:09.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R4(config-if)#

# Verify Track status on ASA

ASA# show track
Track 1
  Response Time Reporter 101 reachability
  Reachability is Down
  3 changes, last change 00:00:31
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

# Verify Routing

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [200/0] via 2.2.14.4, outside-2

# As you see in above output it has selected default route via backup ISP GW (2.2.14.4) now.

# Verify Internet access from LAN and NAT status on ASA. Now LAN subnet is dynamically NAT'ed to backup interface.

R2#ping 5.5.5.5        

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/64 ms

ASA# show xlate 
3 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:18:18 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:18:24 timeout 0:00:00
ICMP PAT from inside:10.10.123.2/6 to outside-2:2.2.14.1/5805 flags ri idle 0:00:39 timeout 0:00:30

ASA# show conn address 5.5.5.5
1 in use, 6 most used
ICMP outside-2 5.5.5.5:0 inside 10.10.123.2:6, idle 0:00:00, bytes 72

# Let's restore primary internet link

R4(config-if)#no shut
R4(config-if)#end
R4#
*Mar  1 00:22:12.595: %SYS-5-CONFIG_I: Configured from console by console
R4#
*Mar  1 00:22:13.935: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:22:14.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

# Track status is UP now

ASA# show track
Track 1
  Response Time Reporter 101 reachability
  Reachability is Up
  4 changes, last change 00:00:28
  Latest operation return code: OK
  Latest RTT (millisecs) 8
  Tracked by:
    STATIC-IP-ROUTING 0

# Verify Routing

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 1.1.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.14.4, outside

So everything is working as expected, default route is used via primary link when track object IP 4.4.4.4 is reachable and when there is any issue with the primary link, i.e., IP 4.4.4.4 is not reachable via primary link, then this default route is removed and backup link become active. Also NAT translations are done based on the outgoing interface used by default route.

Now we have another requirement, We have a server (10.10.123.3) in LAN which need to be accessed from internet. First, we should have static NAT to be created for this server.

We will create two static NAT entries for this server. So that it can be accessed via either  IP and internet link (Primary/Backup)

# Define Objects

object network SERVER-R3-PRIMARY
 host 10.10.123.3
!
object network SERVER-R3-BACKUP
 host 10.10.123.3

# Configure NAT Rules

object network SERVER-R3-PRIMARY
 nat (inside,outside) static 1.1.14.103
!
object network SERVER-R3-BACKUP
 nat (inside,outside-2) static 2.2.14.103

# Verify reachability from Internet (R5) to Server (Real IP: 10.10.123.3, Primary NAT: 1.1.14.103)

R5#ping 1.1.14.103

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.14.103, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/40 ms

# Verify NAT status on ASA

ASA# show xlate
2 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:36:19 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:00:11 timeout 0:00:00

ASA# show conn address 10.10.123.3
1 in use, 6 most used
ICMP outside 1.1.45.5:5 inside 10.10.123.3:0, idle 0:00:00, bytes 72

# Primary internet link is down now and default route is changed via backup ISP GW now

ASA# show track 
Track 1
  Response Time Reporter 101 reachability
  Reachability is Down
  5 changes, last change 00:00:01
  Latest operation return code: Timeout
  Tracked by:
    STATIC-IP-ROUTING 0

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 2.2.14.4 to network 0.0.0.0

C    1.1.14.0 255.255.255.0 is directly connected, outside
C    2.2.14.0 255.255.255.0 is directly connected, outside-2
S    4.4.4.4 255.255.255.255 [1/0] via 1.1.14.4, outside
C    10.10.123.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [200/0] via 2.2.14.4, outside-2

# The Server is still reachable from internet via backup NAT IP

R5#ping 2.2.14.103        

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.14.103, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/40/48 ms

# Verify NAT and connection status on ASA

ASA# sh xlate 
2 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.10.123.3 to outside-2:2.2.14.103
    flags s idle 0:00:00 timeout 0:00:00
NAT from inside:10.10.123.3 to outside:1.1.14.103
    flags s idle 0:04:03 timeout 0:00:00

ASA# show conn address 10.10.123.3
1 in use, 6 most used
ICMP outside-2 1.1.45.5:10 inside 10.10.123.3:0, idle 0:00:00, bytes 72 

Good Luck! 🙂

Packet Flow through Cisco ASA Firewall

Cisco ASA Packet Process Algorithm

The interface that receives the packet is called the ingress interface and the interface through which the packet exits is called the egress interface. When referring to the packet flow through any device, it can be easily simplified by looking at the task in terms of these two interfaces.

Here is a diagram of how the Cisco ASA processes the packet that it receives:

asa-packet-flow-2

Here are the individual steps in detail:

1. Packet is reached at the ingress interface.

2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.

If packet flow does not match an existing connection, then TCP state is verified. If it is a SYN packet or UDP packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.

4. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count will be incremented by one when the packet matches the ACL entry.

5. The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow, and the packet moves forward. Otherwise, the packet is dropped and the information is logged.

6. The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionalities. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.

Additional Security-Checks will be implemented if a CSC module is involved.

7. The IP header information is translated as per the NAT/PAT rule and checksums are updated accordingly. The packet is forwarded to AIP-SSM for IPS related security checks, when the AIP module is involved.

8. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on global route lookup.

9. On the egress interface, the interface route lookup is performed. Remember, the egress interface is determined by the translation rule that will take the priority.

10. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. Layer 2 rewrite of MAC header happens at this stage.

11. The packet is transmitted on wire, and Interface counters increment on the egress interface.

Show Commands

Here are some useful commands that help in tracking the packet flow details at different stages of processing:

Show interface
Show conn
Show access-list
Show xlate
Show service-policy inspect
Show run static
Show run nat
Show run global
Show nat
Show route
Show arp

Syslog Messages

Syslog messages provide useful information about packet processing. Here are some example syslog messages for your reference:

Syslog message when there is no connection entry:

%ASA-6-106015: Deny TCP (no connection) from
IP_address/port to IP_address/port flags tcp_flags on interface
interface_name

Syslog message when the packet is denied by an access-list:

%ASA-4-106023: Deny protocol src
[interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port by access_group
acl_ID

Syslog message when there is no translation rule is found:

%ASA-3-305005: No translation group found for protocol
src interface_name: source_address/source_port dst interface_name:
dest_address/dest_port

Syslog message when a packet is denied by Security Inspection:

%ASA-4-405104: H225 message received from
outside_address/outside_port to inside_address/inside_port before
SETUP

Syslog message when there is no route information:

%ASA-6-110003: Routing failed to locate next-hop for
protocol from src interface:src IP/src port to dest interface:dest IP/dest
port