Tag Archives: Cisco ASA

ASA FirePOWER Licensing

ASA FirePOWER Module Licenses

Licenses allow your device to perform a variety of functions including:

  • Intrusion Detection and Prevention
  • Security Intelligence filtering
  • File Control and Advanced Malware Protection
  • Application, User, and URL Control

Certain licenses, like the Control license, are perpetual. Other licenses require that you purchase a service subscription to enable the license.

License Type   Service Subscription         Capabilities                                        Prerequisite  Expire Capable
-------------  ---------------------------  --------------------------------------------------  ------------  --------------
Protection     TA                           Intrusion Detection and Prevention, File Control,   None          No
                                            Security Intelligence Filtering
Control        None (included with module)  User and Application Control                        Protection    No
Malware        TAM, TAMC, AMP               Advanced Malware Protection (network-based malware  Protection    Yes
                                            detection and blocking)
URL Filtering  TAC, TAMC, URL               URL Category and Reputation-based URL Filtering     Protection    Yes

Service Subscriptions

Subscription Type  License You Assign in FirePOWER System
-----------------  ---------------------------------------------------------------------------
TA                 Control + Protection (a.k.a. “Threat & Apps,” required for system updates)
TAC                Control + Protection + URL Filtering
TAM                Control + Protection + Malware
TAMC               Control + Protection + URL Filtering + Malware
AMP                Malware (add-on where TA is already present)
URL                URL Filtering (add-on where TA is already present)

TA – Threat & Apps License required for system updates
TAC – URL Filtering license as a services subscription combined with Threat & Apps
TAM – Malware license as a subscription combined with Threat & Apps
TAMC – Malware license as a subscription combined with Threat & Apps and URL Filtering
AMP – Advanced Malware Protection License
URL – URL Filtering License

Protection License
  • Intrusion Detection and Prevention – It allows you to analyze network traffic for intrusions and exploits and, optionally, drop offending packets.
  • File control – It allows you to detect and, optionally, block users from uploading or downloading files of specific types over specific application protocols. With a Malware license, you can also inspect and block a restricted set of those file types based on their malware dispositions.
  • Security Intelligence Filtering – It allows you to blacklist (deny traffic to and from) specific IP addresses before the traffic is subjected to analysis by access control rules. Dynamic feeds allow you to immediately blacklist connections based on the latest intelligence. Optionally, you can use a “monitor-only” setting for Security Intelligence filtering.

A Protection license is automatically included (along with a Control license) in the purchase of an ASA FirePOWER module. This license is perpetual, but you must also purchase a TA subscription to enable system updates.

Control License

A Control license allows you to implement user and application control by adding user and application conditions to access control rules. To enable Control, you must also enable Protection.

A Control license is automatically included (along with a Protection license) in the purchase of an ASA FirePOWER module. This license is perpetual, but you must also purchase a TA subscription to enable system updates.

Malware License

A Malware license allows you to perform advanced malware protection, that is, use devices to detect and block malware in files transmitted over your network. To enable Malware on a device, you must also enable Protection.

URL Filtering License

URL filtering allows you to write access control rules that determine which traffic can traverse your network based on the URLs requested by monitored hosts, correlated with information about those URLs that the ASA FirePOWER module obtains from the Cisco cloud. To enable URL Filtering, you must also enable a Protection license.

Test AAA Server on Cisco ASA and IOS Devices

When we configure AAA on a Cisco ASA or any IOS device (router/switch), it is always good practice to confirm that the configuration is correct and that the server is available and responding as expected.

Cisco IOS:

Radius Server IP Address: 10.1.2.3
Username: amolak
Password: password123

ROUTER-1#test aaa group radius server 10.1.2.3 amolak password123 legacy
Attempting authentication test to server-group radius using radius
User was successfully authenticated.

ROUTER-1#test aaa group radius server 10.1.2.3 amolak wrongpassword legacy
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.

Cisco ASA:

Radius Servers Group Name: RADIUS-SERVERS
Radius Server IP Address: 10.1.2.3
Username: amolak
Password: password123

ASA-1# test aaa-server authentication RADIUS-SERVERS
Server IP Address or name: 10.1.2.3
Username: amolak
Password: password123
INFO: Attempting Authentication test to IP address <10.1.2.3> (timeout: 12 seconds)
INFO: Authentication Successful

ASA-1# test aaa-server authentication RADIUS-SERVERS
Server IP Address or name: 10.1.2.3
Username: amolak
Password: wrongpassword
INFO: Attempting Authentication test to IP address <10.1.2.3> (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure

Note that you can test either the whole group or a specific server in the group. This makes it possible to check that every server in the group is working.
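What the test commands above actually exercise is a RADIUS Access-Request carrying the PAP-hidden password, answered by an Access-Accept or Access-Reject whose Response Authenticator the client must verify. The following is an added example (not Cisco code and not part of the original post) that models both sides of that exchange offline per RFC 2865; the shared secret, the in-memory user table, the passwords and the packet identifier are all constructed values.

```python
"""Offline model of the RADIUS Access-Request / Access-Accept exchange that the
"test aaa" commands drive (RFC 2865, PAP). Added example, not Cisco code: the
server is a toy in-memory user table, and the shared secret, user names,
passwords and packet identifier are constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    # Attribute TLV: type (1 byte), length (1 byte, header included), value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_encode(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + chunk, chunk
    return out


def pap_decode(hidden, secret, req_auth):
    plain, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return plain.rstrip(b"\x00")


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, attrs, req_auth, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_request(ident, username, password, secret):
    req_auth = os.urandom(16)   # fresh Request Authenticator per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_encode(password.encode(), secret, req_auth)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt, req_auth


def toy_server(pkt, secret, users):
    """Constructed RADIUS server: decode PAP, check the user table, answer."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    pw = pap_decode(attrs[ATTR_USER_PASSWORD], secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    resp_auth = response_authenticator(code, ident, b"", req_auth, secret)
    return struct.pack("!BBH", code, ident, 20) + resp_auth


def run_aaa_test(username, password, secret, users, server_secret=None):
    """Client side, mirroring the verdicts the CLI test prints. A reply whose
    Response Authenticator does not verify (secret mismatch or a spoofed reply)
    is rejected before its Accept/Reject code is trusted."""
    ident = 7   # constructed packet identifier
    pkt, req_auth = build_access_request(ident, username, password, secret)
    resp = toy_server(pkt, server_secret or secret, users)
    code, resp_ident, length = struct.unpack("!BBH", resp[:4])
    expected = response_authenticator(code, resp_ident, resp[20:length], req_auth, secret)
    if resp_ident != ident or not hmac.compare_digest(resp[4:20], expected):
        return "ERROR: reply failed Response Authenticator check (shared secret mismatch?)"
    if code == ACCESS_ACCEPT:
        return "INFO: Authentication Successful"
    return "ERROR: Authentication Rejected: AAA failure"


if __name__ == "__main__":
    users = {"amolak": "password123"}   # constructed user table
    print(run_aaa_test("amolak", "password123", b"s3cret", users))
    print(run_aaa_test("amolak", "wrongpassword", b"s3cret", users))
    print(run_aaa_test("amolak", "password123", b"s3cret", users, server_secret=b"other"))
```

The third call shows why a mismatched shared secret is worth ruling out separately from a bad password: the server cannot recover the PAP password and answers Reject, but the client discards that reply anyway because the Response Authenticator was computed with a different secret.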

Packet Flow through Cisco ASA Firewall

Cisco ASA Packet Process Algorithm

The interface that receives the packet is called the ingress interface, and the interface through which the packet exits is called the egress interface. The packet flow through any device is easiest to understand in terms of these two interfaces.

Here is a diagram of how the Cisco ASA processes the packet that it receives:

[Diagram: asa-packet-flow-2 – Cisco ASA packet flow]

Here are the individual steps in detail:

1. The packet arrives at the ingress interface.

2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

3. Cisco ASA will first verify if this is an existing connection by looking at its internal connection table details. If the packet flow matches an existing connection, then the access-control list (ACL) check is bypassed, and the packet is moved forward.

If the packet flow does not match an existing connection, the TCP state is verified. If it is a SYN packet or a UDP packet, the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.

4. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count will be incremented by one when the packet matches the ACL entry.

5. The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow, and the packet moves forward. Otherwise, the packet is dropped and the information is logged.

6. The packet is subjected to an inspection check. This inspection verifies whether or not this specific packet flow complies with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection according to its pre-defined set of application-level functionalities. If the packet passes inspection, it moves forward. Otherwise, the packet is dropped and the information is logged.

Additional security checks are performed if a CSC module is installed.

7. The IP header information is translated according to the NAT/PAT rule and the checksums are updated accordingly. When an AIP module is installed, the packet is forwarded to the AIP-SSM for IPS-related security checks.

8. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on global route lookup.

9. On the egress interface, the interface route lookup is performed. Remember that an egress interface specified by the translation rule takes priority over this lookup.

10. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. Layer 2 rewrite of MAC header happens at this stage.

11. The packet is transmitted on the wire, and the interface counters increment on the egress interface.
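The ordering of steps 3, 4, 5, 8 and 9 is what makes ASA troubleshooting tractable: a packet can only die at one stage, and each stage leaves a different trace. The following added example (not Cisco code and not part of the original post) simulates that decision order on constructed connection, ACL, NAT and route tables, returns the stage at which a packet is dropped, and records the counters and syslog messages each stage would leave behind.

```python
"""Simulation of the Cisco ASA packet-processing order described in the steps
above: connection-table lookup, TCP state check, interface ACL, NAT rule and
egress-interface selection. Added example, not Cisco code; all tables, flows
and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str             # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str           # interface the packet arrived on
    tcp_flags: tuple = ()  # ("SYN",) for the first packet of a TCP connection


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str
    src_net: str
    dst_net: str
    dport: Optional[int] = None   # None matches any destination port
    hits: int = 0                 # hit count, as "show access-list" reports it


@dataclass
class NatRule:
    src_net: str
    translated_src: str
    egress: Optional[str] = None  # if set, it takes priority over the route lookup


@dataclass
class Asa:
    acls: dict     # ingress interface -> [AclEntry, ...], in configured order
    nat: list      # [NatRule, ...]
    routes: list   # [(network, interface), ...]; longest prefix wins
    conns: set = field(default_factory=set)      # "show conn"
    xlates: dict = field(default_factory=dict)   # "show xlate"
    log: list = field(default_factory=list)      # syslog messages emitted

    @staticmethod
    def _key(f):
        return (f.proto, f.src, f.sport, f.dst, f.dport)

    def process(self, f):
        # Step 3: a packet of an existing connection bypasses the ACL check.
        if self._key(f) in self.conns:
            return self._forward(f)
        # A new TCP flow must start with a bare SYN; anything else is dropped.
        if f.proto == "tcp" and f.tcp_flags != ("SYN",):
            self.log.append(f"%ASA-6-106015: Deny TCP (no connection) from {f.src}/{f.sport} "
                            f"to {f.dst}/{f.dport} flags {' '.join(f.tcp_flags)} on interface {f.ingress}")
            return "DROP: no connection"
        # Step 4: interface ACL in order; first match wins, no match is an implicit deny.
        verdict = None
        for ace in self.acls.get(f.ingress, []):
            if (ace.proto == f.proto
                    and ip_address(f.src) in ip_network(ace.src_net)
                    and ip_address(f.dst) in ip_network(ace.dst_net)
                    and ace.dport in (None, f.dport)):
                ace.hits += 1
                verdict = ace.action
                break
        if verdict != "permit":
            self.log.append(f"%ASA-4-106023: Deny {f.proto} src {f.ingress}:{f.src}/{f.sport} "
                            f"dst {f.dst}/{f.dport} by access-group {f.ingress.upper()}_IN")
            return "DROP: acl"
        # Step 5: translation rule; a match creates the connection and xlate entries.
        rule = next((r for r in self.nat if ip_address(f.src) in ip_network(r.src_net)), None)
        if rule is None:
            self.log.append(f"%ASA-3-305005: No translation group found for {f.proto} "
                            f"src {f.ingress}:{f.src}/{f.sport} dst {f.dst}/{f.dport}")
            return "DROP: no translation"
        self.conns.add(self._key(f))
        self.xlates[f.src] = rule
        return self._forward(f)

    def _forward(self, f):
        # Steps 8-9: egress from the translation rule if it names one, else route lookup.
        rule = self.xlates[f.src]
        egress = rule.egress or self._route(f.dst)
        if egress is None:
            self.log.append(f"%ASA-6-110003: Routing failed to locate next-hop for {f.proto} "
                            f"from {f.ingress}:{f.src}/{f.sport} to {f.dst}/{f.dport}")
            return "DROP: no route"
        # Step 7 (NAT rewrite) shows up as the translated source address.
        return f"FORWARD via {egress} as {rule.translated_src}"

    def _route(self, dst):
        matches = [(ip_network(n), i) for n, i in self.routes if ip_address(dst) in ip_network(n)]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def build_demo_asa(default_route=True):
    """Constructed tables: inside hosts may reach TCP/443, SSH is explicitly
    denied, and 10.3.0.0/16 is permitted by the ACL but has no NAT rule."""
    routes = [("10.1.0.0/16", "inside")] + ([("0.0.0.0/0", "outside")] if default_route else [])
    return Asa(acls={"inside": [AclEntry("deny", "tcp", "10.1.0.0/16", "0.0.0.0/0", 22),
                                AclEntry("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443)]},
               nat=[NatRule("10.1.0.0/16", "203.0.113.1")], routes=routes)
```

Note what the simulation makes visible: the second packet of an established connection never touches the ACL (the hit counter stays put), a stray ACK with no connection is dropped before any ACL is consulted, and a flow that the ACL permits can still be dropped one step later when no translation rule matches it.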

Show Commands

Here are some useful commands that help in tracking the packet flow details at different stages of processing:

show interface
show conn
show access-list
show xlate
show service-policy inspect
show run static
show run nat
show run global
show nat
show route
show arp

Syslog Messages

Syslog messages provide useful information about packet processing. Here are some example syslog messages for your reference:

Syslog message when there is no connection entry:

%ASA-6-106015: Deny TCP (no connection) from
IP_address/port to IP_address/port flags tcp_flags on interface
interface_name

Syslog message when the packet is denied by an access-list:

%ASA-4-106023: Deny protocol src
[interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port by access_group
acl_ID

Syslog message when no translation rule is found:

%ASA-3-305005: No translation group found for protocol
src interface_name: source_address/source_port dst interface_name:
dest_address/dest_port

Syslog message when a packet is denied by Security Inspection:

%ASA-4-405104: H225 message received from
outside_address/outside_port to inside_address/inside_port before
SETUP

Syslog message when there is no route information:

%ASA-6-110003: Routing failed to locate next-hop for
protocol from src interface:src IP/src port to dest interface:dest IP/dest
port
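Each of the message IDs above corresponds to one stage of the packet flow, so a parser that maps IDs back to stages turns a pile of ASA syslog into a quick answer to "where is this traffic being dropped?". The following added example (not Cisco code and not part of the original post) does that over sample lines constructed by filling in the message formats listed above; host names, timestamps, addresses and the ACL name are constructed values.

```python
"""Classify ASA syslog drop messages by the packet-processing stage that
produced them. Added example, not Cisco code; SAMPLE_LOG is constructed by
filling in the message formats shown above with made-up addresses."""
import re
from collections import Counter

# Message ID -> stage of the packet flow at which the packet was dropped.
STAGE_BY_ID = {
    106015: "step 3: no connection entry (non-SYN TCP without a flow)",
    106023: "step 4: denied by interface ACL",
    305005: "step 5: no translation (NAT) rule",
    405104: "step 6: dropped by protocol inspection (H.225)",
    110003: "step 9: no route to next hop",
}

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)")
# "[iface:]ip/port" endpoints, as they appear in the message bodies above.
ENDPOINT = re.compile(r"(?:(?P<iface>[\w-]+):)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")

SAMPLE_LOG = """\
Mar 01 2024 10:00:01 asa-1 %ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 10.1.2.3/51000 flags ACK on interface outside
Mar 01 2024 10:00:02 asa-1 %ASA-4-106023: Deny tcp src inside:10.1.2.3/51001 dst outside:198.51.100.7/22 by access-group "INSIDE_IN" [0x0, 0x0]
Mar 01 2024 10:00:03 asa-1 %ASA-3-305005: No translation group found for tcp src inside:10.3.1.1/51002 dst outside:198.51.100.7/443
Mar 01 2024 10:00:04 asa-1 %ASA-6-110003: Routing failed to locate next-hop for tcp from inside:10.1.2.3/51003 to outside:192.0.2.9/443
Mar 01 2024 10:00:05 asa-1 %ASA-4-106023: Deny tcp src inside:10.1.2.4/51004 dst outside:198.51.100.7/22 by access-group "INSIDE_IN" [0x0, 0x0]
Mar 01 2024 10:00:06 asa-1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.1.2.3/51005 (203.0.113.1/51005)
"""


def parse_line(line):
    """Return the severity, message ID, stage and the first two endpoints
    (source, destination) of one syslog line, or None if it is not an ASA message."""
    m = HEADER.search(line)
    if not m:
        return None
    msg_id = int(m.group("id"))
    eps = [e.groupdict() for e in ENDPOINT.finditer(m.group("text"))]
    return {
        "severity": int(m.group("sev")),
        "id": msg_id,
        "stage": STAGE_BY_ID.get(msg_id, "other"),
        "src": eps[0] if eps else None,
        "dst": eps[1] if len(eps) > 1 else None,
        "text": m.group("text"),
    }


def summarize(lines):
    """Count messages per packet-flow stage; non-drop messages land in 'other'."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed["stage"]] += 1
    return counts


def top_sources(lines, stage_prefix="step 4", n=3):
    """Most frequent source IPs for one stage, e.g. who keeps hitting the ACL."""
    c = Counter()
    for line in lines:
        p = parse_line(line)
        if p and p["stage"].startswith(stage_prefix) and p["src"]:
            c[p["src"]["ip"]] += 1
    return c.most_common(n)


if __name__ == "__main__":
    for stage, count in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{count:4d}  {stage}")
    print(top_sources(SAMPLE_LOG.splitlines()))
```

Run against a real export the stage counts tell you immediately whether to go look at `show conn`, `show access-list`, `show xlate` or `show route` first, which is the same ordering the steps above prescribe.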