
FIREWALLS

What Is a Firewall?

 A firewall is a system or group of systems that manages access between two networks, namely a trusted network and an untrusted network.
 The primary task of a network firewall is to deny or permit traffic that attempts to enter the network, based on explicit, preconfigured policies and rules.

Firewall Technologies

Firewall operations are based on one of three technologies:

 Simple packet-filtering techniques

 Application proxies

 Stateful packet filtering

Packet-Filtering Techniques

 Usually inspect traffic at the network and transport layers (Layers 3 and 4) only.
 Inspect the following elements within a packet:
 Source address
 Destination address
 Source port
 Destination port
 Protocol

 Packet filters do not commonly inspect additional Layer 3 and Layer 4 fields such as sequence numbers, TCP control flags, and the TCP acknowledgement (ACK) field. Because they keep no record of earlier packets, they cannot tell a legitimate reply from an unsolicited packet that merely uses a plausible source port.

Application Proxies

Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy in order to transfer data to the unprotected network or the Internet. The application proxy then sends the request on behalf of the internal client, so the outside host only ever talks to the proxy.

Stateful Inspection Firewalls

 Stateful firewalls examine the packet header contents, including the Layer 3 and Layer 4 fields that simple packet filters ignore; some also examine application layer information within the payload.
 A stateful firewall monitors the state of each connection and maintains a database with this information. This database is usually called the state table.
 The state of a connection records whether it has been established, closed, reset, or is still being negotiated. Return traffic is admitted only if it matches an entry in the state table, which protects against several classes of network attack, such as spoofed replies and unsolicited inbound packets.

Sessions in an IP World

 In an IP world, a network session is a transaction between two end systems. It is carried out over one of two transport layer protocols:
 TCP (Transmission Control Protocol)
 UDP (User Datagram Protocol)

TCP

 TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
 TCP features:
 Sequencing and acknowledgement of data
 A defined state machine (open connection, data flow, retransmit, close connection)
 Congestion management and avoidance mechanisms
TCP Initialization—Inside to Outside

The slide traces a Telnet session from inside host 10.0.0.3 (translated to 192.168.0.20 on the outside) to public host 172.30.0.50, one packet at a time. Values on the left are what the private network sees; values on the right are what the public network sees after the PIX Firewall has translated the packet.

Packet #1 (inside host to PIX) and #2 (PIX to outside host), the SYN:
  Source addr          10.0.0.3      ->  192.168.0.20
  Destination addr     172.30.0.50   ->  172.30.0.50
  Source port          1026          ->  1026
  Destination port     23            ->  23
  Initial sequence #   49091         ->  49769 (randomized by the PIX)
  Ack                  none
  Flag                 SYN, no data

The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created and the embryonic (half-open) connection counter is started.

Packet #3 (outside host to PIX) and #4 (PIX to inside host), the SYN-ACK:
  Source addr          172.30.0.50   <-  172.30.0.50
  Destination addr     10.0.0.3      <-  192.168.0.20
  Source port          23            <-  23
  Destination port     1026          <-  1026
  Sequence #           92513         <-  92513
  Ack                  49092         <-  49770 (translated back to the inside host's ISN + 1)
  Flag                 SYN-ACK

The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check, sequence number check, translation check. If the code bit is not SYN-ACK, the PIX drops the packet.

TCP Initialization—Inside to Outside (cont.)

Packet #5 (inside host to PIX) and #6 (PIX to outside host), the ACK:
  Source addr          10.0.0.3      ->  192.168.0.20
  Destination addr     172.30.0.50   ->  172.30.0.50
  Source port          1026          ->  1026
  Destination port     23            ->  23
  Sequence #           49092         ->  49770
  Ack                  92514         ->  92514
  Flag                 ACK

The PIX resets the embryonic counter for this client and then increments the connection counter for this host. From here on data flows in both directions, and every packet is still checked against the Adaptive Security Algorithm.
UDP

 Connectionless protocol
 Efficient protocol for some services
 Resourceful but difficult to secure, because there is no handshake or flag to tell a reply from an unsolicited packet

UDP (cont.)

The slide traces a UDP exchange from inside host 10.0.0.3 (translated to 192.168.0.20) to public host 172.30.0.50 on port 45000.

Packet #1 (inside host to PIX) and #2 (PIX to outside host):
  Source addr          10.0.0.3      ->  192.168.0.20
  Destination addr     172.30.0.50   ->  172.30.0.50
  Source port          1028          ->  1028
  Destination port     45000         ->  45000

The PIX Firewall checks for a translation slot. If one is not found, it creates one after verifying NAT, global, access control, and authentication or authorization, if any. If OK, a connection is created.

Packet #3 (outside host to PIX) and #4 (PIX to inside host):
  Source addr          172.30.0.50   <-  172.30.0.50
  Destination addr     10.0.0.3      <-  192.168.0.20
  Source port          45000         <-  45000
  Destination port     1028          <-  1028

All UDP responses must arrive from the outside within the user-configurable UDP timeout (default = 2 minutes); after that the slot is removed and a late reply is dropped. The PIX Firewall follows the Adaptive Security Algorithm: (Src IP, Src Port, Dest IP, Dest Port) check, translation check. There is no sequence number check for UDP.
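The TCP and UDP exchanges above, modelled in Python as an added example (this is not code from the slides or from Cisco): a toy state table that admits outbound packets, requires the outside reply to a half-open (embryonic) connection to be a SYN-ACK acknowledging the inside host's initial sequence number, refuses unsolicited inbound packets, and expires UDP slots after the 2-minute default timeout. Packet, Conn and AdaptiveSecurity are my names; the addresses, ports and sequence numbers are the slides', and every packet in demo() is constructed.

```python
"""Toy model of Adaptive Security Algorithm connection tracking (added example,
not Cisco code). Packets carry the fields the slides list; time is a float."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    flags: str = ""   # TCP code bits as a label: "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0
    ts: float = 0.0   # arrival time in seconds


@dataclass
class Conn:
    state: str        # "embryonic" / "established" for TCP, "udp" for UDP
    isn_in: int = 0   # inside host's initial sequence number
    last_seen: float = 0.0


class AdaptiveSecurity:
    def __init__(self, udp_timeout=120.0):   # slide default: 2 minutes
        self.conns = {}                      # 5-tuple -> Conn (the state table)
        self.embryonic = 0                   # half-open connection counter
        self.udp_timeout = udp_timeout

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def rkey(p):
        """Key of the outbound flow that an inbound packet would answer."""
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def inside_to_outside(self, p):
        """Higher to lower security: allowed, and it is what creates the slot."""
        if p.proto == "udp":
            self.conns[self.key(p)] = Conn("udp", last_seen=p.ts)
            return True
        if p.flags == "SYN" and self.key(p) not in self.conns:
            self.conns[self.key(p)] = Conn("embryonic", isn_in=p.seq, last_seen=p.ts)
            self.embryonic += 1              # start the embryonic counter
            return True
        c = self.conns.get(self.key(p))
        if c is None:
            return False
        if c.state == "embryonic" and p.flags == "ACK" and p.seq == c.isn_in + 1:
            c.state = "established"          # handshake complete: the slot now
            self.embryonic -= 1              # counts as a connection, not embryonic
        c.last_seen = p.ts
        return True

    def outside_to_inside(self, p):
        """Lower to higher security: only return traffic of a known slot passes."""
        c = self.conns.get(self.rkey(p))
        if c is None:                        # (src, sport, dst, dport) check failed
            return False
        if c.state == "udp":
            if p.ts - c.last_seen > self.udp_timeout:
                del self.conns[self.rkey(p)]  # slot expired, late reply is dropped
                return False
        elif c.state == "embryonic":
            # code bits must be SYN-ACK and the ack must be our ISN + 1
            if p.flags != "SYN-ACK" or p.ack != c.isn_in + 1:
                return False
        c.last_seen = p.ts
        return True


def demo():
    """Replays the slides' Telnet and UDP exchanges plus packets that must drop."""
    fw = AdaptiveSecurity()
    r = {}
    syn = Packet("10.0.0.3", 1026, "172.30.0.50", 23, "tcp", "SYN", seq=49091, ts=0.0)
    r["syn_out"] = fw.inside_to_outside(syn)
    bad = Packet("172.30.0.50", 23, "10.0.0.3", 1026, "tcp", "ACK", seq=92513, ack=49092, ts=0.1)
    r["non_synack_in"] = fw.outside_to_inside(bad)      # code bit is not SYN-ACK
    synack = Packet("172.30.0.50", 23, "10.0.0.3", 1026, "tcp", "SYN-ACK", seq=92513, ack=49092, ts=0.2)
    r["synack_in"] = fw.outside_to_inside(synack)
    ack = Packet("10.0.0.3", 1026, "172.30.0.50", 23, "tcp", "ACK", seq=49092, ack=92514, ts=0.3)
    r["ack_out"] = fw.inside_to_outside(ack)
    r["state"] = fw.conns[fw.key(syn)].state
    r["embryonic_after_ack"] = fw.embryonic
    rogue = Packet("172.30.0.50", 4444, "10.0.0.3", 22, "tcp", "SYN", seq=1, ts=1.0)
    r["rogue_syn_in"] = fw.outside_to_inside(rogue)     # unsolicited: no slot
    query = Packet("10.0.0.3", 1028, "172.30.0.50", 45000, "udp", ts=10.0)
    fw.inside_to_outside(query)
    reply = Packet("172.30.0.50", 45000, "10.0.0.3", 1028, "udp", ts=20.0)
    r["udp_reply_in_time"] = fw.outside_to_inside(reply)
    late = Packet("172.30.0.50", 45000, "10.0.0.3", 1028, "udp", ts=141.0)
    r["udp_reply_late"] = fw.outside_to_inside(late)    # 121 s idle > 120 s timeout
    return r
```

The model deliberately keys the state table on the full 5-tuple and direction: the rogue SYN is refused even though it comes from a host the inside is already talking to, which is exactly the check a stateless packet filter cannot make.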
PIX FIREWALL

PIX Firewall—What Is it?

 Stateful firewall with high security and fast performance
 Secure, real-time, embedded Finesse operating system: no UNIX or NT security holes (a vendor claim; the appliance still has an attack surface of its own, which is why its management interfaces are restricted below)
 Adaptive security algorithm provides stateful security
 Cut-through proxy eliminates application-layer bottlenecks
 AMD SC520 (501), Pentium MMX (506), Pentium Pro (515), Pentium II (520), or Pentium III (525 and 535) processor-based system
Adaptive Security Algorithm

 Provides “stateful” connection security
 Tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags
 TCP sequence numbers are randomized
 Tracks UDP and TCP session state
 Connections allowed out; the return flow of the session is allowed back in (TCP ACK bit)
 Supports authentication, authorization, and Syslog accounting

Functions of the Adaptive Security Algorithm

 Implements stateful connection control through the PIX Firewall
 Allows one-way (inside to outside) connections without an explicit configuration for each internal system and application
 Monitors return packets to ensure they are valid
 Randomizes the TCP initial sequence number to minimize the risk of sequence-prediction attacks against inside hosts with weak ISN generators
Cut-Through Proxy Operation

1. The internal or external user makes a request to an IS resource.
2. The PIX Firewall intercepts the connection.
3. The PIX Firewall prompts the user for a username and password ("Username and Password Required", for example "Enter username for CCO at www.com"), authenticates the user, and checks the security policy on a RADIUS or TACACS+ server (Cisco Secure).
4. The PIX Firewall initiates a connection from the PIX Firewall to the destination IS resource.
5. The PIX Firewall directly connects the internal or external user to the IS resource via ASA.

 Authenticates once at the application layer (OSI Layer 7) for each supported service.
 The connection is then passed back to the PIX Firewall high-performance ASA engine, which maintains session state; later packets of the session are not proxied at Layer 7.
PIX Firewall Family

The slide positions the models on a price-versus-functionality chart, from the PIX 501 (SOHO) through the PIX 506 (ROBO), PIX 515 (SMB), and PIX 525 (Enterprise) up to the PIX 535 (service provider, Gigabit Ethernet).
PIX Firewall 501

 Designed for small offices and teleworkers
 3,500 simultaneous connections
 10 Mbps cleartext throughput
 133 MHz processor
 16 MB of SDRAM
 Supports 1 10BaseT Ethernet interface (outside) and a 4-port 10/100 switch (inside)
 3 Mbps 3DES throughput
 5 simultaneous VPN peers

PIX Firewall 506

 Designed for small and remote offices
 10,000 simultaneous connections
 20 Mbps cleartext throughput
 200 MHz processor
 32 MB RAM
 Supports 2 interfaces (10BaseT)
 10 Mbps 3DES throughput
 25 simultaneous VPN peers

PIX Firewall 515

 Designed for small to medium businesses
 128,000 simultaneous connections
 147 Mbps cleartext throughput
 200 MHz processor
 64 MB RAM
 Supports 6 interfaces
 Supports failover
 10 Mbps 3DES throughput

PIX Firewall 520

 Designed for enterprise
 256,000 simultaneous connections
 240 Mbps cleartext throughput
 350 MHz processor
 128 MB RAM
 Supports 6 interfaces
 Supports failover
 20 Mbps 3DES throughput

PIX Firewall 525

 Designed for enterprise
 280,000 simultaneous connections
 360 Mbps cleartext throughput
 600 MHz processor
 256 MB RAM
 Supports 8 interfaces
 Supports failover
 70 Mbps 3DES throughput

PIX Firewall 535

 Designed for enterprise and service providers
 500,000 simultaneous connections
 1.7 Gbps cleartext throughput
 1 GHz processor
 1 GB RAM
 Maximum of 10 interfaces
 Supports failover
 96 Mbps 3DES throughput
Firewall Zones and Security Levels

The slide shows a PIX Firewall with three interfaces:
 e0, outside network (Internet): security level 0, interface name = outside
 e1, inside network: security level 100, interface name = inside
 e2, DMZ network: security level 50, interface name = DMZ/intf2
Firewall Zones and Security Levels (contd )

OUTSIDE

 The external public network is commonly referred to as the Outside zone.
 This is the least trusted zone and has the lowest security level.

Firewall Zones and Security Levels (contd )

INSIDE

 The internal private network is commonly referred to as the Inside zone.
 This is the most trusted zone and has the highest security level.
 Normally all backend servers and inside users are placed in this zone.

Firewall Zones and Security Levels (contd )

DMZ (Demilitarized Zone)

 A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside) network and a public (outside) network.
 Servers that need to be exposed to the public network are kept in this zone.
 This zone is protected by the firewall, but with a lower security level than the Inside zone, so a compromised DMZ server cannot open connections to the inside unless a static and an access list explicitly allow it.
PIX Firewall Basic Commands

 enable, enable password, and passwd
 write erase, write memory, and write term
 show interface, show ip address, show memory, show version, and show xlate
 exit and reload
 hostname, ping, and telnet

enable Command

pixfirewall> enable

 Enables you to enter the different access modes:

pixfirewall> enable
password:
pixfirewall# configure terminal
pixfirewall(config)#
pixfirewall(config)# exit
pixfirewall#
enable password and passwd Commands

pixfirewall# enable password password

 The enable password command is used to control access to privileged mode.

pixfirewall# passwd password

 The passwd command is used to set the Telnet password. On a new unit the enable password is empty and the Telnet password is cisco; set both before the appliance is connected to any untrusted network.
write Commands

The following are the write commands:
 write net
 write erase
 write floppy
 write memory
 write standby
 write terminal
telnet Commands

pixfirewall(config)# telnet ip_address [netmask] [if_name]
 Enables you to specify which hosts can access the PIX Firewall console via Telnet. Telnet is cleartext, so restrict it to management hosts on the inside interface.

pixfirewall(config)# kill telnet_id
 Terminates a Telnet session.

pixfirewall(config)# who [local_ip]
 Enables you to view which IP addresses are currently accessing the PIX Firewall console via Telnet.
http Commands

pixfirewall(config)# http ip_address [netmask] [if_name]
 Enables you to specify the clients that are allowed to access the PIX Firewall's HTTP server (used by the PIX Device Manager).

pixfirewall(config)# http server enable
 Enables the PIX Firewall HTTP server.
hostname and ping Commands

pixfirewall(config)# hostname newname
 hostname command:

pixfirewall(config)# hostname proteus
proteus(config)# hostname pixfirewall
pixfirewall(config)#

pixfirewall(config)# ping ip_address
 ping command:

pixfirewall(config)# ping 10.0.0.3
10.0.0.3 response received -- 0ms
10.0.0.3 response received -- 0ms
10.0.0.3 response received -- 0ms
show Commands

The following are show commands:
 show history
 show memory
 show version
 show xlate
 show cpu usage
 show interface
 show ip address
show interface Command

pixfirewall# show interface
interface ethernet0 "outside" is up, line protocol is up
  hardware is i82557 ethernet, address is 0060.7380.2f16
  ip address 192.168.0.2, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 1000000 Kbit half duplex
  1184342 packets input, 1222298001 bytes, 0 no buffer
  received 26 broadcasts, 27 runts, 0 giants
  4 input errors, 0 crc, 4 frame, 0 overrun, 0 ignored, 0 abort
  1310091 packets output, 547097270 bytes, 0 underruns 0 unicast rpf drops
  0 output errors, 28075 collisions, 0 interface resets
  0 babbles, 0 late collisions, 117573 deferred
  0 lost carrier, 0 no carrier
  input queue (curr/max blocks): hardware (128/128) software (0/1)
  output queue (curr/max blocks): hardware (0/2) software (0/1)

The "unicast rpf drops" counter records packets discarded by the ip verify reverse-path anti-spoofing check; a rising value on the outside interface means someone is sending packets with inside source addresses from the outside.
show ip address Command

pixfirewall# show ip address
Building configuration...
System IP Addresses:
  ip address outside 192.168.0.2 255.255.255.0
  ip address inside 10.0.0.1 255.255.255.0
  ip address dmz 172.16.0.1 255.255.255.0
Current IP Addresses:
  ip address outside 192.168.0.2 255.255.255.0
  ip address inside 10.0.0.1 255.255.255.0
  ip address dmz 172.16.0.1 255.255.255.0

"System" addresses are the configured ones; "Current" addresses are those in use, and the two differ only on the standby unit of a failover pair.
PIX Firewall Primary Commands

There are six primary configuration commands for the PIX Firewall:
 nameif
 interface
 ip address
 nat
 global
 route
Command 1: nameif

pixfirewall(config)# nameif hardware_id if_name security_level

 The nameif command assigns a name to each interface on the PIX Firewall and specifies its security level.

pixfirewall(config)# nameif ethernet2 dmz sec50

Command 2: interface

pixfirewall(config)# interface hardware_id hardware_speed

 The interface command configures the type and capability of each perimeter interface.

pixfirewall(config)# interface ethernet0 100full
pixfirewall(config)# interface ethernet1 100full

 The outside and inside interfaces are set for 100 Mbps Ethernet full-duplex communication. On PIX 6.x an interface stays shut down until this command is issued with a speed setting, so it is also what brings the interface up.
Command 3: ip address

pixfirewall(config)# ip address if_name ip_address [netmask]

 The ip address command assigns an IP address to each interface.

pixfirewall(config)# ip address dmz 172.16.0.1 255.255.255.0

PIX with DMZ (diagram slide)
NAT (Network Address Translation)

The Cisco PIX, being a security device, can mask the network addresses on the trusted side from the untrusted networks. Address translation is useful in the following network deployments:
 You use a private addressing scheme internally and want to give those hosts globally routable addresses.
 You change to a service provider that requires you to change the addressing scheme. Rather than redesign the entire IP infrastructure, you implement translation on the border appliance.
 You want to hide the internal addressing scheme.
 You have more internal hosts than global IP addresses.
NA
T (Continued)

The Cisco PIX supports the following types of address translation:
 Dynamic NAT
 PAT
 Static NAT
 Port Redirection (Static PAT)
Dynamic NAT

Dynamic NAT assigns an IP address from a preconfigured pool of global IP addresses to an inside host the first time it starts an outbound connection. The security appliance uses a one-to-one methodology, allocating one global IP address per inside IP address for as long as the translation slot lives. Because the mapping is created on demand, outside hosts cannot initiate connections through it.
PAT (Port Address Translation)

 Port Address Translation (PAT) defines a many-to-one address mapping.
 To distinguish between inside hosts using the same global IP address, the security appliance changes the source port in the translated packet and records the mapping in the translation table, so each reply can be matched back to the right inside host and port.
Port Address Translation

The slide shows two inside hosts, both using source port 49090 to telnet to 172.30.0.50, being translated to the single PAT global address 192.168.0.15:

  Inside host 10.0.0.2:  Source addr 10.0.0.2 -> 192.168.0.15, Destination addr 172.30.0.50, Source port 49090 -> 2000, Destination port 23
  Inside host 10.0.0.3:  Source addr 10.0.0.3 -> 192.168.0.15, Destination addr 172.30.0.50, Source port 49090 -> 2001, Destination port 23

Only the translated source port differs, and that is what the translation table keys the return traffic on.
PAT Example

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
pixfirewall(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0

The slide topology: perimeter router 192.168.0.1, PIX Firewall outside 192.168.0.2 and inside 10.0.0.1, a bastion host 172.16.0.2, and the Engineering (10.0.1.0), Sales (10.0.2.0) and Information Systems networks behind the inside interface.

 Assigns a single IP address (192.168.0.9) to the global pool; such addresses are typically registered with InterNIC.
 Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.9 for outgoing access.
 The source port is changed to a unique number greater than 1024.
PAT Using Outside Interface Address

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
pixfirewall(config)# global (outside) 1 interface
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0

Same topology as the previous slide (perimeter router 192.168.0.1, PIX outside 192.168.0.2, inside 10.0.0.1, bastion host 172.16.0.2, Engineering 10.0.1.0, Sales 10.0.2.0, Information Systems).

 Use the interface option to enable use of the outside interface address as the PAT address.
 Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.2 for outgoing access.
 The source port is changed to a unique number greater than 1024.
Mapping Subnets to PAT Addresses

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
pixfirewall(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.0
pixfirewall(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.1.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.0.2.0 255.255.255.0

Same topology as the previous slides (perimeter router 192.168.0.1, PIX outside 192.168.0.2, inside 10.0.0.1, bastion host 172.16.0.2, Engineering 10.0.1.0, Sales 10.0.2.0, Information Systems).

 Map different internal subnets to different PAT addresses by pairing nat and global statements that share a nat_id.
 Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
 Source addresses of hosts in network 10.0.2.0 are translated to 192.168.0.9 for outgoing access.
 The source port is changed to a unique number greater than 1024.
Augmenting a Global Pool with PAT

pixfirewall(config)# ip address inside 10.0.0.1 255.255.255.0
pixfirewall(config)# ip address outside 192.168.0.2 255.255.255.0
pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.19 netmask 255.255.255.0
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0

Same topology as the previous slides (perimeter router 192.168.0.1, PIX outside 192.168.0.2, inside 10.0.0.1, bastion host 172.16.0.2, Engineering 10.0.1.0, Sales 10.0.2.0, Information Systems).

 When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range (one-to-one dynamic NAT).
 When the addresses in that global pool are exhausted, PAT begins on the single address 192.168.0.19, so new hosts are not refused.
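The dynamic NAT, PAT and pool-exhaustion behaviour of the last few slides, as an added Python example (not the slides' or Cisco's code). Xlate is my name for a toy translation table: nat() and global_pool() stand in for the nat and global commands, a range creates a one-to-one pool, a single address becomes the PAT address, and PAT ports are handed out from 1025 upward (my simplification of "a unique number greater than 1024"). The pool in demo() is only two addresses, my choice, so the fall-back to PAT is visible.

```python
"""Toy xlate table for nat/global (added example, not Cisco code).
Assumes: a nat_id ties inside networks to global entries; a range is a
one-to-one dynamic NAT pool, a single address is a PAT address; PAT
source ports are allocated sequentially from 1025."""
import ipaddress


class Xlate:
    def __init__(self):
        self.nat_rules = []      # (nat_id, ip_network) in configuration order
        self.pools = {}          # nat_id -> free global addresses (dynamic NAT)
        self.pat_addr = {}       # nat_id -> single PAT address
        self.pat_next = {}       # nat_id -> next source port to hand out
        self.slots = {}          # local_ip -> global_ip (one-to-one slots)
        self.pat_slots = {}      # (local_ip, local_port) -> (global_ip, port)

    def nat(self, nat_id, network):
        """nat (inside) nat_id network mask"""
        self.nat_rules.append((nat_id, ipaddress.ip_network(network)))

    def global_pool(self, nat_id, first, last=None):
        """global (outside) nat_id first[-last]: a range is a pool, one address is PAT."""
        if last is None:
            self.pat_addr[nat_id] = first
            self.pat_next[nat_id] = 1025
            return
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.pools.setdefault(nat_id, []).extend(
            str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))

    def nat_id_for(self, local_ip):
        ip = ipaddress.ip_address(local_ip)
        for nat_id, net in self.nat_rules:
            if ip in net:
                return nat_id
        return None

    def translate(self, local_ip, local_port):
        """Return (global_ip, global_port) for an outbound packet, or None if
        no nat statement covers the source (no translation slot is built)."""
        nat_id = self.nat_id_for(local_ip)
        if nat_id is None:
            return None
        if nat_id == 0:                          # nat 0: pass through untranslated
            return (local_ip, local_port)
        if local_ip in self.slots:               # reuse the host's existing slot
            return (self.slots[local_ip], local_port)
        if self.pools.get(nat_id):               # dynamic NAT while the pool lasts
            g = self.pools[nat_id].pop(0)
            self.slots[local_ip] = g
            return (g, local_port)
        if nat_id in self.pat_addr:              # pool empty (or PAT only): many-to-one
            k = (local_ip, local_port)
            if k not in self.pat_slots:
                port = self.pat_next[nat_id]
                self.pat_next[nat_id] = port + 1
                self.pat_slots[k] = (self.pat_addr[nat_id], port)
            return self.pat_slots[k]
        return None                              # pool exhausted, no PAT fallback


def demo():
    """Augmenting a global pool with PAT, with a two-address pool (my choice)
    so the fall-back to 192.168.0.19 is visible; Sales gets PAT only."""
    x = Xlate()
    x.nat(1, "10.0.0.0/24")
    x.nat(2, "10.0.2.0/24")
    x.global_pool(1, "192.168.0.20", "192.168.0.21")   # dynamic NAT pool
    x.global_pool(1, "192.168.0.19")                   # PAT address for overflow
    x.global_pool(2, "192.168.0.9")                    # PAT only for 10.0.2.0/24
    return {
        "h3": x.translate("10.0.0.3", 49090),
        "h4": x.translate("10.0.0.4", 49090),
        "h5": x.translate("10.0.0.5", 49090),          # pool exhausted: PAT begins
        "h6": x.translate("10.0.0.6", 49090),
        "h3_again": x.translate("10.0.0.3", 50000),    # existing one-to-one slot
        "sales": x.translate("10.0.2.7", 49090),
        "no_rule": x.translate("172.16.0.2", 21),      # no nat statement
    }


if __name__ == "__main__":
    for host, xlate in demo().items():
        print(f"{host:9} -> {xlate}")
```

Two details worth noticing: a host with a one-to-one slot keeps its global address for later connections (so the source port is preserved), while a host that arrived after exhaustion shares 192.168.0.19 and is identified only by the rewritten port; and a source with no nat statement gets no slot at all, which is the "No translation group found" failure seen in the logs.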
Static NAT

 Static NAT creates a fixed translation of a real address to a mapped address.
 Static NAT allows hosts on the destination network to initiate traffic to a translated host (if there is an access list that allows it), which dynamic NAT or PAT does not.
 Static NAT is typically used to mask the real IP addresses of servers that are accessed from the public network.
Static command

 The static command allows connections from a lower security interface (Outside, security 0) to a higher security interface (Inside, security 100); an access list or conduit must still permit the traffic.
 The static command is used to create a permanent mapping between an inside IP address and a global IP address.
static Command

pixfirewall(config)# static [(internal_if_name, external_if_name)] global_ip local_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]

 Maps a local IP address to a global IP address.

pixfirewall(config)# static (inside,outside) 192.168.0.10 10.0.0.3 netmask 255.255.255.255 0 1000

The slide topology: perimeter router 192.168.0.1, PIX outside 192.168.0.2, inside 10.0.0.1, inside host 10.0.0.3.

 A packet sent from 10.0.0.3 has a source address of 192.168.0.10 on the outside.
 Permanently maps a single IP address.
 Recommended for internal service hosts.
 max_conns 0 means unlimited connections; em_limit 1000 caps the number of embryonic (half-open) connections to the host, which is the setting that limits SYN-flood exposure for a published server. norandomseq disables the PIX's sequence number randomization and should be used only when another inline device already randomizes.
Static PAT / Port Redirection

 Static PAT, also known as port redirection, is useful when the security appliance needs to statically map multiple inside servers to one global IP address.
 Port redirection is applied to traffic when it passes through the security appliance from a lower security interface to a higher security interface.
 Outside hosts connect to the global IP address on a specific TCP or UDP port, which the security appliance redirects to the internal server (optionally on a different port).
Port Redirection

pixfirewall(config)# static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global_port local_ip local_port [netmask mask] [max_conns [emb_limit [norandomseq]]]

 Allows outside users to connect to a particular IP address and port and have the PIX redirect the traffic to the appropriate inside server.

pixfirewall(config)# static (inside,outside) tcp 192.168.0.15 ftp 10.0.0.3 ftp netmask 255.255.255.255 0 0

 External users direct FTP requests to the unique IP address 192.168.0.15. The PIX Firewall redirects the request to 10.0.0.3.
Port Redirection Example

The slide topology: an Internet user sends "telnet 192.168.0.2" and "http://192.168.0.9:8080" through the perimeter router 192.168.0.1 to the PIX (outside 192.168.0.2, inside 10.0.0.1); inside hosts 10.0.0.3 and 10.0.0.4; a web server at 172.16.0.2.

pixfirewall(config)# static (inside,outside) tcp interface telnet 10.0.0.4 telnet netmask 255.255.255.255 0 0
pixfirewall(config)# static (inside,outside) tcp 192.168.0.9 8080 172.16.0.2 www netmask 255.255.255.255 0 0

 The external user directs a Telnet request to the PIX Firewall's outside IP address, 192.168.0.2. The PIX Firewall redirects the request to host 10.0.0.4.
 The external user directs an HTTP port 8080 request to the PIX Firewall PAT address, 192.168.0.9. The PIX Firewall redirects this request to host 172.16.0.2 port 80.
 Publishing Telnet to the Internet exposes a cleartext login; the example shows the mechanism, not a service that should be exposed.
No Network Address Translation (nat 0)

pixfirewall(config)# nat (inside) 0 192.168.0.9 255.255.255.255
pixfirewall(config)# show nat
nat 0 192.168.0.9 will be non-translated

The slide topology: perimeter router 192.168.0.1, PIX outside 192.168.0.2, inside 10.0.0.1, inside host 192.168.0.9.

 nat 0 ensures that 192.168.0.9 is not translated when it passes to the outside.
 ASA remains in effect with nat 0: the connection is still tracked, only the address rewrite is skipped.
Connections vs. Translations

Translations (xlate):
 IP address to IP address translation
 65,536 translations supported

Connections (conns):
 TCP or UDP sessions
 One translation can carry many connections; show xlate and show conn display the two tables separately.
How does data move through the PIX?

This section describes how data moves through the security appliance when:
 an inside user visits a web server in the Outside zone;
 an outside user visits a web server on the DMZ;
 an outside user attempts to access an inside host.
xlate Command

pixfirewall(config)# clear xlate [global_ip [local_ip]]

 The clear xlate command clears the contents of the translation slots. Run it after changing nat, global or static statements, because existing slots keep using the old mapping until they are cleared or time out.
Only Two Ways Through the PIX Firewall

Valid user request:
 Inside to outside communications

Pre-defined static and conduit (or access list):
 Outside to inside communications
 Defines addresses, ports, and applications
An Inside User Visits a Web Server in Outside
Continued…

The following steps describe how data moves through the ASA when an inside user visits a web server in Outside, as shown in the previous slide.

1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and, because it is a new session, verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
3. The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet.
4. The security appliance then records that a session is established and forwards the packet from the outside interface.
5. When www.example.com responds to the request, the packet goes through the security appliance and, because the session is already established, bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the global destination address to the local user address, 10.1.2.27.
6. The security appliance forwards the packet to the inside user.
An Outside User Visits a Web Server on DMZ
Continued…

The following steps describe how data moves through the ASA when an outside user visits a web server on the DMZ, as shown in the previous slide.

1. A user on the outside network requests a web page from the DMZ web server using the global destination address 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and, because it is a new session, verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
3. The security appliance translates the destination address to the local address 10.1.1.3.
4. The security appliance then adds a session entry to the fast path and forwards the packet from the DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the security appliance and, because the session is already established, bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the local source address to 209.165.201.3.
6. The security appliance forwards the packet to the outside user.
An Outside User Attempts to Access an Inside Host
Continued…

The following steps describe how data moves through the ASA when an outside user attempts to access an inside host, as shown in the previous slide.

1. A user on the outside network attempts to reach an inside host (assuming the host has a routable IP address). If the inside network uses private addresses, no outside user can reach the inside network without NAT. The outside user might attempt to reach an inside user by using an existing NAT session.
2. The security appliance receives the packet and, because it is a new session, verifies whether the packet is allowed according to the security policy (access lists, filters, AAA).
3. The packet is denied, and the security appliance drops the packet and logs the connection attempt.
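The three scenarios above, together with the static NAT and port redirection slides, as an added Python example (not the slides' or Cisco's code) of how a new connection is admitted. Appliance is my name for a toy decision engine: interfaces carry security levels, a higher-to-lower connection is permitted by default and given a global source address, and a lower-to-higher connection needs both a static (whole address or port redirection) for its destination and an access-list permit on the ingress interface. The inside, DMZ and global addresses are the slides'; the web server 203.0.113.80, the outside client 198.51.100.7, the redirected server 10.1.1.15 and the outbound PAT address 209.165.201.10 are my assumptions.

```python
"""Model of new-connection admission through the PIX/ASA (added example,
not Cisco code).  Assumes: each interface has a security level; higher to
lower is allowed and gets a global source address; lower to higher needs
a static (or static PAT) for the destination plus an access-list permit."""
import ipaddress


class Appliance:
    def __init__(self):
        self.level = {}      # if_name -> security level
        self.routes = []     # (ip_network, if_name): picks the egress interface
        self.statics = []    # (global_ip, global_port, proto, local_ip, local_port)
        self.acl = {}        # if_name -> [(proto, dst_global_ip, dst_port or None)]
        self.pat = {}        # egress if_name -> global address for outbound PAT
        self.log = []        # denied attempts, as the appliance would log them

    def nameif(self, name, level):
        self.level[name] = level

    def route(self, network, if_name):
        self.routes.append((ipaddress.ip_network(network), if_name))

    def static(self, global_ip, local_ip, proto=None, gport=None, lport=None):
        """static: whole address when gport is None, port redirection otherwise."""
        self.statics.append((global_ip, gport, proto, local_ip, lport))

    def access_list(self, if_name, proto, dst_ip, dst_port=None):
        self.acl.setdefault(if_name, []).append((proto, dst_ip, dst_port))

    def global_pat(self, if_name, addr):
        self.pat[if_name] = addr

    def egress(self, ip):
        ip = ipaddress.ip_address(ip)
        hits = [r for r in self.routes if ip in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

    def untranslate(self, proto, dst, dport):
        """Static PAT (port redirection) first, then whole-address static NAT."""
        for g, gp, pr, l, lp in self.statics:
            if g == dst and pr == proto and gp == dport:
                return l, lp
        for g, gp, pr, l, lp in self.statics:
            if g == dst and gp is None:
                return l, dport
        return None

    def admit(self, in_if, proto, src, dst, dport):
        real = self.untranslate(proto, dst, dport)
        real_dst, real_port = real if real else (dst, dport)
        out_if = self.egress(real_dst)
        if out_if is None or out_if == in_if:
            return self._deny(in_if, proto, src, dst, dport, "no route off the ingress interface")
        if self.level[in_if] > self.level[out_if]:
            # higher to lower: permitted by default, source gets a global address
            return {"action": "forward", "out_if": out_if, "src": self.pat.get(out_if, src),
                    "dst": real_dst, "dport": real_port}
        if real is None:     # lower to higher without a static: nothing to reach
            return self._deny(in_if, proto, src, dst, dport, "no static translation")
        permitted = any(p == proto and ip == dst and port in (None, dport)
                        for p, ip, port in self.acl.get(in_if, []))
        if not permitted:
            return self._deny(in_if, proto, src, dst, dport, "denied by access-list")
        return {"action": "forward", "out_if": out_if, "src": src,
                "dst": real_dst, "dport": real_port}

    def _deny(self, in_if, proto, src, dst, dport, why):
        self.log.append(f"Deny {proto} src {in_if}:{src} dst {dst}/{dport} ({why})")
        return {"action": "drop", "reason": why}


def demo():
    """The three slide scenarios plus a port redirect and a denied port.
    Slide addresses are used; 203.0.113.80, 198.51.100.7, 10.1.1.15 and the
    outbound PAT address 209.165.201.10 are mine."""
    fw = Appliance()
    fw.nameif("outside", 0); fw.nameif("dmz", 50); fw.nameif("inside", 100)
    fw.route("10.1.2.0/24", "inside"); fw.route("10.1.1.0/24", "dmz"); fw.route("0.0.0.0/0", "outside")
    fw.global_pat("outside", "209.165.201.10")
    fw.static("209.165.201.3", "10.1.1.3")                          # static (dmz,outside)
    fw.static("209.165.201.3", "10.1.1.15", "tcp", 8080, 80)        # static ... tcp 8080 -> www
    fw.access_list("outside", "tcp", "209.165.201.3", 80)
    fw.access_list("outside", "tcp", "209.165.201.3", 8080)
    return {
        "inside_to_web": fw.admit("inside", "tcp", "10.1.2.27", "203.0.113.80", 80),
        "outside_to_dmz": fw.admit("outside", "tcp", "198.51.100.7", "209.165.201.3", 80),
        "outside_redirect": fw.admit("outside", "tcp", "198.51.100.7", "209.165.201.3", 8080),
        "outside_to_dmz_ssh": fw.admit("outside", "tcp", "198.51.100.7", "209.165.201.3", 22),
        "outside_to_inside": fw.admit("outside", "tcp", "198.51.100.7", "10.1.2.27", 80),
    }
```

The order of the checks mirrors the slides: the destination is untranslated first so the egress interface (and therefore the security-level comparison) is decided on the real address, and an outside packet aimed at a private inside address fails before any access list is consulted, because there is no translation that could carry it.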
Command 4: nat

pixfirewall(config)# nat [(if_name)] nat_id local_ip [netmask]

 The nat command shields IP addresses on the inside network from the outside network.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
NAT Example

The slide shows inside hosts 10.0.0.3 and 10.0.0.4 behind the PIX, with a global IP pool starting at 192.168.0.20, and the same Telnet packet before and after translation:

  Inside                              Outside
  Source addr       10.0.0.3          Source addr       192.168.0.20
  Destination addr  200.200.200.10    Destination addr  200.200.200.10
  Source port       49090             Source port       49090
  Destination port  23                Destination port  23

Translation table (Inside Local IP Address -> Global IP Pool):
  10.0.0.3  ->  192.168.0.20
  10.0.0.4  ->  192.168.0.21

With one-to-one NAT the source port is preserved; only the source address changes.
Command 5: global

pixfirewall(config)# global [(if_name)] nat_id {global_ip[-global_ip] [netmask global_mask]} | interface

 Works with the nat command to assign a registered or public IP address to an internal host when it accesses the outside network through the firewall.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 120.92.168.1-120.92.168.254

 When internal hosts access the outside network through the firewall, they are assigned public addresses from the 120.92.168.1 to 120.92.168.254 range.
Access Through the PIX Firewall

The slide shows the PIX with e1 inside (.1, security level 100) and e0 outside (.2, security level 0) facing the Internet. Traffic from inside to outside is handled by nat and global; traffic from outside to inside requires a static and an access list.
Two Interfaces with NAT (Multiple Internal Networks)

The slide topology: Internet and pod perimeter router (.1 on 192.168.0.0/24); PIX e0 outside .2 (security level 0), e1 inside .1 (security level 100) on 10.0.0.0/24; a backbone network 10.1.0.0/24 with a web, FTP, and TFTP server; an outside host 172.26.26.50.

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (inside) 2 10.1.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
pixfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240

 All hosts on the inside networks can start outbound connections.
 A separate global pool is used for each internal network.
 The 10.1.0.0/24 network is not directly connected to the PIX, so a route inside 10.1.0.0 255.255.255.0 pointing at the inside router (not shown on the slide) is needed for the return traffic.
Three Interfaces with NAT

The slide topology: Internet and pod perimeter router (.1 on 192.168.0.0/24); PIX e0 outside .2 (security level 0), e1 inside .1 (security level 100) on 10.0.0.0/24, e2 dmz .1 (security level 50) on 172.16.0.0/24; a bastion host with web and FTP server at 172.16.0.2; an inside host with web and FTP server at 10.0.0.3; a backbone web, FTP, and TFTP server at 172.26.26.50.

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
pixfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
pixfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

 Inside users can start outbound connections to both the DMZ and the Internet.
 The nat (dmz) command gives DMZ services access to the Internet.
 The global (dmz) command gives inside users access to the web server on the DMZ; inside hosts appear to the DMZ as 172.16.0.20-172.16.0.254, so the DMZ server's logs show those addresses rather than 10.0.0.x.
Command 6: route

pixfirewall(config)# route if_name ip_address netmask gateway_ip [metric]

 The route command defines a static or default route for an interface.

pixfirewall(config)# route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
Firewall Logging

 The PIX Firewall can generate Syslog messages for system events.
 Syslog messages can be sent to the PIX Firewall buffer.
 The PIX Firewall can forward Syslog messages to any Syslog server.
Configure Logging in PIX

 The PIX Firewall sends Syslog messages to a designated Syslog server.

The slide topology: pod perimeter router (.1 on 192.168.0.0/24); PIX e0 outside .2, e1 inside .1 on 10.0.0.0/24, e2 dmz .1 on 172.16.0.0/24; a bastion host (web and FTP server) at 172.16.0.2; an inside host at 10.0.0.3 acting as the Syslog server.
Syslog Messages

 The PIX Firewall sends Syslog messages to document the following events:
 Security
 Resources
 System
 Accounting
Configure Message Output to the PIX Firewall Buffer

pixfirewall(config)# logging buffered level
 Step 1: Send Syslog messages at this severity level and more severe to an internal buffer.

pixfirewall(config)# show logging
 Step 2: View messages in the internal buffer.

pixfirewall(config)# clear logging
 Step 3: Clear the internal buffer.

pixfirewall(config)# [no] logging message syslog_id
 Enable or disable logging of a specific Syslog message type.

pixfirewall(config)# logging standby
 Allow a standby unit to send Syslog messages.
Configure Message Output to a Syslog Server

pixfirewall(config)# logging host [in_if_name] ip_address [protocol/port]
 Step 1: Designate the Syslog host server.

pixfirewall(config)# logging trap level
 Step 2: Set the logging level. Messages at this severity (0 emergencies to 7 debugging) and more severe are sent.

Configure Message Output to a Syslog Server (cont.)

pixfirewall(config)# logging facility facility
 Step 3: Set the facility marked on all messages.

pixfirewall(config)# [no] logging timestamp
 Step 4: Start and stop timestamping messages.

pixfirewall(config)# [no] logging on
 Step 5: Start or stop sending messages to the Syslog server. Syslog over UDP is unacknowledged; tcp/port in logging host makes lost messages detectable, but a PIX configured for TCP syslog stops passing new connections while the server is unreachable, so monitor the server if you choose it.
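The logging commands above, as an added Python example (not the slides' or Cisco's code): a parser for the PIX/ASA syslog line layout and a small model of which sink a message reaches under logging buffered, logging trap, no logging message and logging on. The "%PIX-severity-id: text" layout and the message numbers are real; the sample lines themselves are constructed for this example, and Logging, parse and dispatch are my names.

```python
"""Parsing PIX syslog lines and applying the logging buffered / logging
trap / no logging message / logging on settings (added example, not Cisco
code).  The '%PIX-severity-id: text' layout is the real one; the sample
lines themselves are constructed."""
import re

LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

LINE = re.compile(r"^(?:(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d): )?"
                  r"%(?P<sys>PIX|ASA)-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")


def parse(line):
    """Return the message's fields, or None for a line in another format."""
    m = LINE.match(line)
    if not m:
        return None
    return {"timestamp": m["ts"], "severity": int(m["sev"]),
            "id": m["id"], "text": m["text"]}


def level(value):
    """The CLI accepts a number or a name; normalise to the number."""
    return value if isinstance(value, int) else LEVELS[value]


class Logging:
    def __init__(self):
        self.buffered = None     # logging buffered level
        self.trap = None         # logging trap level
        self.disabled = set()    # no logging message syslog_id
        self.on = False          # logging on

    def dispatch(self, line):
        """Which sinks receive this line: messages at the configured severity
        or more severe (numerically lower) pass; disabled ids go nowhere."""
        msg = parse(line)
        if msg is None or msg["id"] in self.disabled:
            return {"buffer": False, "host": False}
        to_buffer = self.buffered is not None and msg["severity"] <= self.buffered
        to_host = self.on and self.trap is not None and msg["severity"] <= self.trap
        return {"buffer": to_buffer, "host": to_host}


SAMPLE = [   # constructed lines in PIX format
    "Jan 05 2004 10:15:01: %PIX-6-302013: Built outbound TCP connection 12 for outside:172.30.0.50/23 (172.30.0.50/23) to inside:10.0.0.3/1026 (192.168.0.20/1026)",
    "Jan 05 2004 10:15:07: %PIX-4-106023: Deny tcp src outside:172.30.0.50/4444 dst inside:10.0.0.3/22 by access-group \"acl_out\"",
    "Jan 05 2004 10:15:09: %PIX-3-305005: No translation group found for tcp src inside:10.0.9.9/1029 dst outside:172.30.0.50/80",
    "Jan 05 2004 10:16:00: %PIX-5-111008: User 'enable_15' executed the 'logging on' command.",
    "not a syslog line",
]


def demo():
    """logging buffered debugging; logging trap warnings; no logging message
    302013; logging on.  Returns (id, reaches buffer, reaches host) per line."""
    lg = Logging()
    lg.buffered = level("debugging")
    lg.trap = level("warnings")
    lg.disabled.add("302013")
    lg.on = True
    out = []
    for line in SAMPLE:
        msg = parse(line)
        sinks = lg.dispatch(line)
        out.append((msg["id"] if msg else None, sinks["buffer"], sinks["host"]))
    return out
```

The point the demo makes is the one that bites in practice: with logging trap warnings the connection-built (severity 6) and command-audit (severity 5) messages never leave the box, so a syslog server configured this way sees denies but not the session records or the administrator's commands that an investigation needs.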
Adaptive Security Appliance (ASA)

ASA Overview

 Firewall and anti-malware security appliance.
 The Enterprise Editions include four versions: Firewall, IPS, Anti-X, and VPN.
 The ASA can also serve as an intrusion prevention system (IPS) and VPN concentrator.
 Also covers newer threats to a network such as viruses, worms, unwanted applications (e.g., P2P, games, instant messaging), phishing, and application-layer attacks.
 Acts as an "all-in-one" device, or unified threat management (UTM) device.
 SSL VPN with the thin-client AnyConnect client feature available.
 Active/Active and Active/Standby failover.
 QoS support.
 Command authorization through ACS.
ASA Basic configuration

This section describes how to configure the basic settings on the ASA that are typically required for a functioning configuration. This includes the following:
 Setting up the host name
 Setting up the domain name
 Configuring interfaces
 Configuring NAT
 Configuring ACLs (access lists)
 Applying ACLs to interfaces (access-group)
 Configuring routes
(These steps are discussed in detail.)
Setting up the Host Name

Log into the ASA and go to “Configuration” mode. Now set the host name
for the device as shown below.

ciscoasa# configure terminal


ciscoasa(config)# hostname Chicago
Chicago(config)#

91
Setting Up the Domain Name

Similarly, set the Domain name for the appliance using the
command below.

Chicago(config)# domain-name securemeinc.com

Configuring Interfaces

The following commands show a sample configuration of ASA interfaces.

Chicago(config)# interface GigabitEthernet0/0
Chicago(config-if)# nameif outside
Chicago(config-if)# security-level 0
Chicago(config-if)# ip address 202.100.200.1 255.255.255.240
Chicago(config-if)# speed auto
Chicago(config-if)# duplex auto
Chicago(config-if)# exit

Chicago(config)# interface GigabitEthernet0/1
Chicago(config-if)# nameif inside
Chicago(config-if)# security-level 100
Chicago(config-if)# ip address 192.168.10.1 255.255.255.0
Chicago(config-if)# speed auto
Chicago(config-if)# duplex auto
Configuring NAT (Dynamic NAT / PAT)

Commonly, Dynamic NAT or PAT is used to translate the private IP addresses of internal
hosts to public (routable) IP address(es). The following commands show a sample
configuration: hosts on the inside and dmz interfaces that match NAT ID 1 are
translated to the global pool with the same ID on the outside interface.

Chicago(config)# nat (inside) 1 10.1.2.0 255.255.255.0
Chicago(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
Chicago(config)# global (outside) 1 209.165.201.3-209.165.201.10
Configuring NAT (Static NAT)

Static NAT is required to allow hosts on a lower-security zone to initiate connections with
servers on a higher-security zone. Static NAT is typically used to translate internal servers
which need to be accessed from external (public) networks. The translation is always
active, so both the translated host and remote hosts can originate connections. The following
command maps the inside IP address 10.1.1.3 to the outside IP address 209.165.201.12:

Chicago(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
Configuring NAT (Static PAT)

Static PAT, also called port redirection, is required when you need to assign one
public IP address to multiple servers which need to be accessed from the public
(external) network. ASA segregates the requests based on the destination port
(TCP/UDP) of the incoming packet. The following commands show a sample
configuration of Static PAT (syntax: static (real_if,mapped_if) tcp mapped_ip mapped_port real_ip real_port):

Chicago(config)# static (inside,outside) tcp 209.165.201.12 80 10.1.1.15 80 netmask 255.255.255.255
Chicago(config)# static (inside,outside) tcp 209.165.201.12 25 10.1.1.20 25 netmask 255.255.255.255
Configuring NAT 0 (No NAT)

No NAT, also known as Identity NAT, is required when you need traffic from a
specific interface to be excluded from NAT. This is generally used in scenarios where
NAT is performed by some other device or an external firewall. This is done using the “nat 0”
command as shown below.

Chicago(config)# nat (inside) 0 10.1.1.0 255.255.255.0

(Note: no global command has been used.)
Configuring NAT (NAT Exemption)

NAT Exemption is similar to No NAT (Identity NAT), but NAT Exemption allows both the
real host and hosts on the other interface to initiate connections, like Static NAT. NAT
Exemption is configured with an access-list that identifies the addresses of both the
real and the remote hosts. All hosts identified by the access-list can then initiate
connections. The following is a sample configuration of NAT Exemption.

Chicago(config)# access-list acl_bypass permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
Chicago(config)# nat (inside) 0 access-list acl_bypass
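The five NAT slides above (dynamic nat/global, static NAT, static PAT, NAT 0 and NAT exemption) differ mainly in which direction a connection may be initiated and in which rule wins when several could match. The Python below is an added example, not from the slides, that encodes the rule precedence the appliance applies for the three categories shown (NAT exemption first, then static NAT/PAT, then the dynamic nat/global pool) and answers, for a packet in either direction, which address it is translated to or whether it is dropped. It uses the addresses from the slides, except that the one-to-one static NAT uses a constructed mapped address 209.165.201.13 so it does not overlap the static PAT entries on 209.165.201.12, and 198.51.100.9 as a constructed Internet host; the dmz interface and NAT 0 without an access-list are left out.

```python
"""NAT rule selection on a PIX/ASA 7.x-style configuration (inside <-> outside).

Added example, not from the slides. Precedence modelled: NAT exemption
(nat 0 access-list), then static NAT/PAT, then the dynamic nat/global pool.
The static mapped address 209.165.201.13 is constructed; all other addresses
come from the slides.
"""
import ipaddress
from dataclasses import dataclass, field


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def pool_range(first, last):
    """Expand `global (outside) 1 first-last` into its member addresses."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(ipaddress.ip_address(i)) for i in range(int(a), int(b) + 1)]


@dataclass
class NatConfig:
    exempt: list        # (real_net, remote_net) pairs from the nat 0 access-list
    static: dict        # real_ip -> mapped_ip, from `static (inside,outside) mapped real`
    static_pat: dict    # (mapped_ip, proto, mapped_port) -> (real_ip, real_port)
    dynamic_real: list  # networks named in `nat (inside) 1 ...`
    pool: list          # mapped addresses from `global (outside) 1 ...`


@dataclass
class Translator:
    cfg: NatConfig
    xlate: dict = field(default_factory=dict)  # live dynamic translations real_ip -> mapped_ip

    def outbound(self, src, dst, proto="tcp", sport=0):
        """Inside-initiated packet. Returns (mapped_src, mapped_sport, rule) or raises LookupError."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for real, remote in self.cfg.exempt:                  # 1. NAT exemption
            if s in real and d in remote:
                return src, sport, "exempt"
        if src in self.cfg.static:                             # 2. static NAT
            return self.cfg.static[src], sport, "static"
        for (mapped, p, mport), (real, rport) in self.cfg.static_pat.items():
            if real == src and p == proto and rport == sport:  # 2. static PAT
                return mapped, mport, "static-pat"
        if any(s in n for n in self.cfg.dynamic_real):         # 3. dynamic nat/global
            if src not in self.xlate:
                used = set(self.xlate.values())
                free = [a for a in self.cfg.pool if a not in used]
                if not free:
                    raise LookupError("global pool exhausted")
                self.xlate[src] = free[0]
            return self.xlate[src], sport, "dynamic"
        raise LookupError(f"no NAT rule for {src}; packet dropped")

    def inbound(self, src, dst, proto="tcp", dport=0):
        """Outside-initiated packet. Returns (real_dst, real_dport, rule) when a
        translation exists; the interface ACL is a separate check."""
        key = (dst, proto, dport)
        if key in self.cfg.static_pat:                          # only redirected ports reach inside
            real, rport = self.cfg.static_pat[key]
            return real, rport, "static-pat"
        for real, mapped in self.cfg.static.items():           # static NAT is always active
            if mapped == dst:
                return real, dport, "static"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for real, remote in self.cfg.exempt:                   # exemption works in both directions
            if d in real and s in remote:
                return dst, dport, "exempt"
        for real, mapped in self.xlate.items():                # dynamic: only via an existing xlate
            if mapped == dst:
                return real, dport, "dynamic-xlate"
        raise LookupError(f"no translation for {dst}; packet dropped")


def dropped(fn, *args):
    """True when the translator has no rule for the packet."""
    try:
        fn(*args)
    except LookupError:
        return True
    return False


def slide_config():
    return NatConfig(
        exempt=[(net("10.1.2.0/24"), net("209.165.200.224/27"))],          # acl_bypass
        static={"10.1.1.3": "209.165.201.13"},                              # constructed mapped IP
        static_pat={("209.165.201.12", "tcp", 80): ("10.1.1.15", 80),
                    ("209.165.201.12", "tcp", 25): ("10.1.1.20", 25)},
        dynamic_real=[net("10.1.2.0/24")],
        pool=pool_range("209.165.201.3", "209.165.201.10"),
    )


if __name__ == "__main__":
    t = Translator(slide_config())
    print(t.outbound("10.1.2.5", "198.51.100.9", "tcp", 40001))
    print(t.inbound("198.51.100.9", "209.165.201.12", "tcp", 25))
    print(dropped(t.inbound, "198.51.100.9", "209.165.201.12", "tcp", 443))
```

The inbound path makes the exposure of each NAT type visible: a static PAT host is reachable only on the redirected port, a static NAT host on every port, an exempted host only from the remote network named in the access-list, and a dynamically translated host only while an xlate it opened itself still exists. The eight-address global pool also shows why a pool without a PAT fallback drops the ninth concurrent inside host.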
Configuring ACL (Access-list)

The ACL identifies traffic that needs to be allowed or dropped when it tries to go
through the security appliance. By default, ASA allows traffic to be initiated from
higher-security zones to lower-security zones. But once an ACL is applied on an
interface, ASA allows only the traffic that is explicitly permitted in the ACL; all
other traffic is dropped by the implicit deny at the end of the list. The following is a sample ACL configuration.

Chicago(config)# access-list acl_out extended permit tcp host 209.165.201.2 host 209.165.202.131 eq smtp
Chicago(config)# access-list acl_out extended permit tcp any host 209.165.202.131 eq www
Chicago(config)# access-list acl_in extended permit tcp 10.1.13.0 255.255.255.0 any eq www
Chicago(config)# access-list acl_in extended permit udp 10.1.13.0 255.255.255.0 host 209.165.202.10 eq domain
Apply ACLs to interfaces (Access-grouping)

After defining the ACL (Access-list), it needs to be applied to an interface using the
access-group command as shown below.

Chicago(config)# access-group acl_out in interface outside
Chicago(config)# access-group acl_in in interface inside
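To see how the ACL and access-group slides combine, the following Python is an added example (not from the slides) that parses the four ACEs and two access-group lines from the slides and evaluates packets against them: first match wins, an interface with an ACL bound ends in an implicit deny, and an interface without one falls back to the security-level rule (higher to lower permitted). The security levels 100 (inside) and 0 (outside) are the ones from the interface slide; the port-name table, the `Appliance` class and the test addresses 198.51.100.5 and 10.1.14.7 are this example's own.

```python
"""First-match evaluation of ASA extended ACLs bound with access-group.

Added example, not from the slides. Parses the slides' ACL lines and applies
them per ingress interface; interfaces without an ACL use the default
security-level policy. Port names are only the subset needed here.
"""
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "https": 443, "ssh": 22}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tok, i):
    """Parse one address spec at tok[i] (`any`, `host A`, or `A MASK`); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _opt_port(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return _port(tok[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse `access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]`."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended" or tok[3] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _addr(tok, 5)
    sport, i = _opt_port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _opt_port(tok, i)
    return {"acl": tok[1], "action": tok[3], "proto": tok[4],
            "src": src, "sport": sport, "dst": dst, "dport": dport, "text": line}


class Appliance:
    def __init__(self, security_levels):
        self.levels = security_levels   # interface name -> security-level
        self.acls = {}                  # acl name -> ordered list of ACEs
        self.bound = {}                 # interface name -> acl name applied inbound

    def configure(self, lines):
        for line in lines:
            tok = line.split()
            if tok[0] == "access-list":
                ace = parse_ace(line)
                self.acls.setdefault(ace["acl"], []).append(ace)
            elif tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
                self.bound[tok[4]] = tok[1]
            else:
                raise ValueError(f"unsupported line: {line}")

    def decide(self, ingress, egress, proto, src, dst, sport=None, dport=None):
        """Return (action, reason) for a packet entering `ingress` and leaving `egress`."""
        acl = self.bound.get(ingress)
        if acl is None:   # no ACL bound: default policy by security level
            allowed = self.levels[ingress] > self.levels[egress]
            return ("permit" if allowed else "deny"), "default security-level policy"
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.acls.get(acl, []):   # first match wins
            if ace["proto"] not in (proto, "ip"):
                continue
            if s not in ace["src"] or d not in ace["dst"]:
                continue
            if ace["sport"] is not None and ace["sport"] != sport:
                continue
            if ace["dport"] is not None and ace["dport"] != dport:
                continue
            return ace["action"], ace["text"]
        return "deny", f"implicit deny at end of {acl}"


# The ACL and access-group lines from the slides (prompts removed).
SLIDE_CONFIG = [
    "access-list acl_out extended permit tcp host 209.165.201.2 host 209.165.202.131 eq smtp",
    "access-list acl_out extended permit tcp any host 209.165.202.131 eq www",
    "access-list acl_in extended permit tcp 10.1.13.0 255.255.255.0 any eq www",
    "access-list acl_in extended permit udp 10.1.13.0 255.255.255.0 host 209.165.202.10 eq domain",
    "access-group acl_out in interface outside",
    "access-group acl_in in interface inside",
]


def chicago():
    fw = Appliance({"outside": 0, "inside": 100})
    fw.configure(SLIDE_CONFIG)
    return fw


if __name__ == "__main__":
    fw = chicago()
    print(fw.decide("outside", "inside", "tcp", "198.51.100.5", "209.165.202.131", dport=25))
```

One point the evaluator makes concrete: binding acl_in to the inside interface removes the default permission that inside hosts had toward the outside, so an inside host trying SSH outbound is now dropped by the implicit deny, not by any line the administrator wrote. In the pre-8.3 syntax used on these slides, the outside ACL is matched against the mapped (public) address such as 209.165.202.131, which is why the destinations in acl_out are public addresses.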
Configure Static IP Route

To add a static route, enter the following command:

Chicago(config)# route interface network mask gateway metric

This reads as: for the destination specified by “network” and “mask”, send the traffic out of
“interface” to the next hop “gateway”. The following is a sample static route configuration.

Chicago(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1
Configure Default IP Route

A default route identifies the gateway IP address to which the security appliance
sends all IP packets for which it does not have a learned or static route. A default
route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that
identify a specific destination take precedence over the default route. To define the
default route, enter the following command:

Chicago(config)# route if_name 0.0.0.0 0.0.0.0 gateway_ip

PIX and ASA Failover Architectural Overview

o Active/Standby failover lets you use a standby security appliance to take over the
functionality of a failed unit.

o The failover configuration requires two identical ASA appliances connected to each
other through a dedicated failover link.

o The ASA unit that passes the traffic is known as the “Active” unit and the other one is
known as the “Standby” unit.

o When the active unit fails, it changes to the standby state while the standby unit
changes to the active state.

o Initially, when failover is configured, one of the ASAs is configured as the “Primary” unit
with the IP addresses to be used by the active unit. The other one is configured as the
“Secondary” unit with the standby IP addresses.
Failover Architectural Overview (Cont.)

The security appliance supports two types of failover, regular (stateless) and stateful.

Regular/Stateless Failover
When a failover occurs, all active connections are dropped. Clients need to
reestablish connections when the new active unit takes over.

Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection
state information to the standby unit. After a failover occurs, the same connection
information is available at the new active unit. Supported end-user applications are
not required to reconnect to keep the same communication session.

Failover Architectural Overview (Cont.)

During initial startup, by default the Primary PIX/ASA becomes the Active unit,
as shown below.

When the Primary unit fails, the Secondary unit takes over the IP addresses and MAC
addresses of the failed (Primary) unit and becomes active. The failed unit now
becomes standby.
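The two failover overview slides above describe a state machine: the active/standby roles move between the primary and secondary units, the active IP and MAC addresses of every interface stay put, and connection state survives the switch only with stateful failover. The Python below is an added example, not from the slides, that implements that behaviour so the two properties can be checked directly. The interface addresses are those from the Step 2 failover slide; the MAC addresses and the sample connection are constructed.

```python
"""Active/Standby failover as a small state machine.

Added example, not from the slides. Shows that the active IP/MAC of each
interface is unchanged across a failover while the unit answering on it
changes, and that connections survive only with stateful failover.
Interface IPs are from the slides; MAC addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    active_ip: str       # `ip address ACTIVE mask standby STANDBY`
    standby_ip: str
    active_mac: str      # MAC the active unit answers on (constructed)
    standby_mac: str     # MAC the standby unit answers on (constructed)


@dataclass
class Unit:
    designation: str          # `failover lan unit primary|secondary`
    state: str                # "active" or "standby"
    healthy: bool = True
    conns: dict = field(default_factory=dict)   # connection table


class FailoverPair:
    def __init__(self, interfaces, stateful):
        self.interfaces = interfaces
        self.stateful = stateful                       # stateful failover link configured
        self.primary = Unit("primary", "active")       # primary boots active by default
        self.secondary = Unit("secondary", "standby")

    @property
    def active(self):
        return self.primary if self.primary.state == "active" else self.secondary

    @property
    def standby(self):
        return self.secondary if self.active is self.primary else self.primary

    def addresses(self, unit):
        """IP and MAC each interface of `unit` currently answers on."""
        if unit.state == "active":
            return {i.name: (i.active_ip, i.active_mac) for i in self.interfaces}
        return {i.name: (i.standby_ip, i.standby_mac) for i in self.interfaces}

    def open_connection(self, key):
        """Traffic through the active unit; stateful failover replicates the entry."""
        self.active.conns[key] = "ESTABLISHED"
        if self.stateful:
            self.standby.conns[key] = "ESTABLISHED"

    def fail_active(self):
        """Active unit fails: roles swap; the failed unit keeps no connection state."""
        failed, takeover = self.active, self.standby
        failed.healthy = False
        failed.state, takeover.state = "standby", "active"
        failed.conns.clear()
        if not self.stateful:
            takeover.conns.clear()   # stateless failover: clients must reconnect
        return takeover


def slide_interfaces():
    return [
        Interface("outside", "209.165.200.225", "209.165.200.226",
                  "00:00:5e:00:53:01", "00:00:5e:00:53:02"),
        Interface("inside", "192.168.10.1", "192.168.10.2",
                  "00:00:5e:00:53:03", "00:00:5e:00:53:04"),
    ]


def simulate(stateful):
    """Open a connection, fail the primary, and report what the new active unit holds."""
    pair = FailoverPair(slide_interfaces(), stateful)
    before = pair.addresses(pair.active)
    pair.open_connection(("10.1.1.3", 80, "203.0.113.7", 40000))   # constructed flow
    new_active = pair.fail_active()
    after = pair.addresses(pair.active)
    return {"new_active": new_active.designation,
            "same_addresses": before == after,
            "connections_kept": len(new_active.conns)}


if __name__ == "__main__":
    print(simulate(stateful=True))
    print(simulate(stateful=False))
```

Because the MAC address moves with the active role, neighbouring switches and hosts need no ARP change after a failover; the trade-off is that the standby unit's own addresses are the only way to reach it for management, which the `addresses()` view of the standby unit shows.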
Configuring Active/Standby Failover

The configuration of the Active/Standby failover feature in the Cisco PIX/ASA is
broken down into seven steps:

Step 1. Select the failover link.
Step 2. Assign failover IP addresses.
Step 3. Set the failover key (optional).
Step 4. Designate the primary Cisco PIX/ASA.
Step 5. Enable stateful failover (optional).
Step 6. Enable failover globally.
Step 7. Configure failover on the secondary Cisco PIX/ASA.
Step 1: Select the failover link

The first step is to identify an interface for LAN-based failover and assign an IP address
to it. This interface will be used to send failover control messages. The
following is a sample configuration.

Chicago(config)# failover lan interface FOint GigabitEthernet0/2
Chicago(config)# failover interface ip FOint 10.10.10.1 255.255.255.252 standby 10.10.10.2
Chicago(config)# interface GigabitEthernet0/2
Chicago(config-if)# no shutdown

(Note: “10.10.10.2” is the address the failover interface uses on the standby unit.)
Step 2: Assign failover IP addresses

Assign a standby IP address to each firewall interface that is in use, as shown
below.

Chicago(config)# interface GigabitEthernet0/0
Chicago(config-if)# nameif outside
Chicago(config-if)# security-level 0
Chicago(config-if)# ip address 209.165.200.225 255.255.255.224 standby 209.165.200.226
Chicago(config-if)# no shutdown
Chicago(config-if)# exit

Chicago(config)# interface GigabitEthernet0/1
Chicago(config-if)# nameif inside
Chicago(config-if)# security-level 100
Chicago(config-if)# ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
Chicago(config-if)# no shutdown
Step 3: Set failover key (optional)

To secure the failover control messages sent between the two failover units of Cisco
ASA, an administrator can optionally specify a shared secret key. The shared secret
key encrypts and authenticates the failover messages sent between the two ASA
units. The following example shows how to configure a failover shared secret key of
cisco123.

Chicago(config)# failover key cisco123

Step 4: Designating the Primary Cisco PIX/ASA

Designate the unit as the primary unit.

hostname(config)# failover lan unit primary

Step 5: Enable Stateful Failover (Optional)

a. Specify the interface to be used as the Stateful Failover link:

Chicago(config)# failover link statefullink GigabitEthernet0/3

Alternatively, the same failover link (configured in Step 1) or a data interface can be used as the
Stateful Failover link. Then you only need to give the existing interface name in place of a new name, as
shown below:

Chicago(config)# failover link FOint

b. Assign an active and standby IP address to the Stateful Failover link.

Chicago(config)# failover interface ip statefullink 10.10.10.5 255.255.255.252 standby 10.10.10.6

(Note: If the same failover link or a data interface is being used, skip steps b and c;
the active and standby IP addresses for that interface have already been defined.)

c. Enable the assigned interface as shown below.

Chicago(config)# interface GigabitEthernet0/3
Chicago(config-if)# no shutdown
Step 6: Enable Failover Globally

The last step in configuring failover on the primary Cisco ASA is to enable
failover globally and save the system configuration to Flash memory as
shown below.

Chicago(config)# failover
Chicago(config)# copy running-config startup-config
Step 7: Configure Failover on Secondary PIX/ASA

The only configuration required on the secondary unit is for the failover interface. The
secondary unit requires these commands to initially communicate with the primary unit.
After the primary unit sends its configuration to the secondary unit, the only permanent
difference between the two configurations is the failover lan unit command, which
identifies each unit as primary or secondary.

a. Specify the interface to be used as the failover interface and configure its IP address. Enter this
command exactly as it was entered on the primary unit when you configured the failover interface
there.

Chicago2(config)# failover lan interface FOint GigabitEthernet0/2
Chicago2(config)# failover interface ip FOint 10.10.10.1 255.255.255.252 standby 10.10.10.2
Chicago2(config)# interface GigabitEthernet0/2
Chicago2(config-if)# no shutdown
Configure Failover on Secondary PIX/ASA (Cont.)

b. (Optional) Designate this unit as the secondary unit:

Chicago2(config)# failover lan unit secondary

c. Enable failover:

Chicago2(config)# failover

d. Save the system configuration to Flash memory:

Chicago2(config)# copy running-config startup-config
What is VPN

 A virtual private network (VPN) is a network that uses a public
telecommunication infrastructure, such as the Internet, to provide
remote offices or individual users with secure access to their
organization's network.
 It aims to avoid an expensive system of owned or leased lines that
can only be used by one organization. The goal of a VPN is to
provide the organization with the same secure capabilities, but at a
much lower cost.
 It encapsulates data transfers between two or more networked
devices not on the same private network so as to keep the
transferred data private from other devices on one or more
intervening local or wide area networks.
Advantages of VPN

 Extend geographic connectivity
 Reduce operational costs versus traditional WANs
 Reduce transit times and traveling costs for remote users
 Improve productivity
 Simplify network topology
 Provide global networking opportunities
 Provide telecommuter support
 Provide faster Return On Investment (ROI) than traditional WAN
VPN Types
 Remote-Access
This is a user-to-LAN connection used by a company that has employees who need to
connect to the private network from various remote locations. Typically, a corporation that
wishes to set up a large remote-access VPN provides some form of Internet dial-up
account to its users through an Internet service provider (ISP). The telecommuters can then
dial a number to reach the Internet and use their VPN client software to access the
corporate network. Remote-access VPNs permit secure, encrypted connections between a
company's private network and remote users through a third-party service provider.

 Site-to-Site
Through the use of dedicated equipment and large-scale encryption, a company can
connect multiple fixed sites over a public network such as the Internet. Each site needs
only a local connection to the same public network, thereby saving money on long private
leased lines. Site-to-site VPNs can be further categorized into intranets or extranets. A
site-to-site VPN built between offices of the same company is said to be an intranet VPN, while
a VPN built to connect the company to its partner or customer is referred to as an extranet
VPN.
VPN Features
 Data Confidentiality
This is the most important service provided by any VPN implementation. Since the private
data travels over a public network, data confidentiality is vital and can be attained by
encrypting the data. This is the process of taking all the data that one computer is sending to
another and encoding it into a form that only the other computer will be able to decode. VPN
encryption protocols are:

 Internet Protocol Security (IPsec)
Provides enhanced security features such as stronger encryption algorithms and more
comprehensive authentication. IPsec has two encryption modes: tunnel and transport.
Tunnel mode encrypts the header and the payload of each packet, while transport mode only
encrypts the payload. Only systems that are IPsec-compliant can take advantage of this
protocol. Also, all devices must use a common key or certificate and must have very similar
security policies set up.

 PPTP/MPPE
PPTP supports multi-protocol VPNs, with 40-bit and 128-bit encryption using a protocol
called Microsoft Point-to-Point Encryption (MPPE). It is important to note that PPTP by itself
does not provide data encryption.
VPN Features (Contd.)
 L2TP/IPsec
Commonly called L2TP over IPsec, this provides the security of the IPsec protocol over the
tunneling of Layer 2 Tunneling Protocol (L2TP). Primarily used for remote-access VPNs with
Windows 2000 operating systems, since Windows 2000 provides a native IPsec and L2TP
client.

 Data Integrity
While it is important that the data is encrypted over a public network, it is just as important to verify
that it has not been changed while in transit. For example, IPsec has a mechanism to ensure that
the encrypted portion of the packet, or the entire header and data portion of the packet, has not
been tampered with. If tampering is detected, the packet is dropped. Data integrity can also
involve authenticating the remote peer.

 Data Origin Authentication
It is extremely important to verify the identity of the source of the data that is sent. This is
necessary to guard against a number of attacks that depend on spoofing the identity of the
sender.
VPN Features (Contd.)
 Anti Replay
This is the ability to detect and reject replayed packets and helps prevent spoofing.

 Data Tunneling/Traffic Flow Confidentiality
Tunneling is the process of encapsulating an entire packet within another packet and sending it
over a network. Tunneling, by itself, does not provide data security. The original packet is
merely encapsulated inside another protocol and might still be visible with a packet-capture
device if not encrypted. Tunneling requires three different protocols.
 Passenger protocol
The original data (IPX, NetBEUI, IP) that is carried.
 Encapsulating protocol
The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data.
VPN Features (Contd.)

 Carrier protocol
The protocol used by the network over which the information is travelling. The original packet
(passenger protocol) is encapsulated inside the encapsulating protocol, which is then put
inside the carrier protocol's header (usually IP) for transmission over the public network. For
site-to-site VPNs, the encapsulating protocol is usually IPsec or Generic Routing Encapsulation
(GRE). For remote-access VPNs, tunneling normally takes place using Point-to-Point
Protocol (PPP).

 AAA
Authentication, authorization, and accounting is used for more secure access in a
remote-access VPN environment. Without user authentication, anyone who sits at a laptop/PC with
pre-configured VPN client software can establish a secure connection into the remote
network. With user authentication, however, a valid username and password also have to be
entered before the connection is completed. Usernames and passwords can be stored on
the VPN termination device itself, or on an external AAA server, which can provide
authentication against numerous other databases such as Windows NT, Novell, LDAP, and so on.
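The passenger/encapsulating/carrier layering described on the tunneling slides, and the warning that tunneling alone does not hide the original packet, are easiest to see on real bytes. The Python below is an added example, not from the slides: it builds a passenger IPv4/UDP packet between the site-to-site hosts 10.0.1.11 and 10.0.6.11, wraps it in a GRE header and a carrier IPv4 header between the outside addresses 192.168.1.2 and 192.168.6.2, and then dissects the result the way a capture on the public network would. The payload text and the UDP ports are constructed; the header layouts follow RFC 791 (IPv4), RFC 768 (UDP) and RFC 2784 (GRE).

```python
"""GRE-over-IP tunneling built by hand: passenger, encapsulating and carrier layers.

Added example, not from the slides. Shows that without IPsec the passenger
packet (addresses, ports, payload) is readable on the carrier network.
Addresses are from the site-to-site slides; ports and payload are constructed.
"""
import struct

GRE = 47
UDP = 17
ETHERTYPE_IPV4 = 0x0800


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header with no options and a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                      0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def passenger_packet(src, dst, sport, dport, payload):
    """Passenger protocol: the original IPv4/UDP datagram (UDP checksum left at 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, UDP, len(udp)) + udp


def gre_encapsulate(inner, carrier_src, carrier_dst):
    """Encapsulating protocol GRE (4-byte header, protocol type IPv4) inside the carrier IPv4 header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner
    return ipv4_header(carrier_src, carrier_dst, GRE, len(gre)) + gre


def parse_ipv4(pkt):
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    return {"src": bytes_to_ip(fields[8]), "dst": bytes_to_ip(fields[9]),
            "proto": fields[6], "payload": pkt[ihl:fields[2]]}


def dissect_capture(pkt):
    """What an observer on the public network sees of an unencrypted GRE tunnel."""
    carrier = parse_ipv4(pkt)
    if carrier["proto"] != GRE:
        return {"carrier": (carrier["src"], carrier["dst"]), "encapsulating": None, "passenger": None}
    _flags, ptype = struct.unpack("!HH", carrier["payload"][:4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported GRE protocol type 0x{ptype:04x}")
    inner = parse_ipv4(carrier["payload"][4:])
    sport, dport, _length, _csum = struct.unpack("!HHHH", inner["payload"][:8])
    return {
        "carrier": (carrier["src"], carrier["dst"]),
        "encapsulating": "GRE",
        "passenger": {"src": inner["src"], "dst": inner["dst"], "proto": inner["proto"],
                      "sport": sport, "dport": dport, "payload": inner["payload"][8:]},
    }


def site_to_site_sample():
    """Constructed sample: a query from host 10.0.1.11 to 10.0.6.11 sent over the hub tunnel."""
    inner = passenger_packet("10.0.1.11", "10.0.6.11", 40000, 53, b"constructed query")
    return gre_encapsulate(inner, "192.168.1.2", "192.168.6.2")


if __name__ == "__main__":
    print(dissect_capture(site_to_site_sample()))
```

The dissector recovers the private addresses, the ports and the payload from the carrier packet, which is exactly what a capture device would log. With IPsec in tunnel mode the GRE header and everything after it would be inside the ESP payload, leaving only the carrier addresses visible; that is the confidentiality the slides attribute to the encapsulating protocol, not to tunneling itself.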
IPSec Dynamic – VPN Client/Easy VPN

(Figure: Dynamic IPSec VPN between Easy VPN Remote devices and Easy VPN Servers; the devices shown are those listed in the table below.)

Supported Easy VPN Client and Server

Easy VPN Client:
-Cisco VPN Client (software version) > 3.x
-Cisco VPN 3002 Hardware Client > 3.x
-Cisco PIX Firewall 501/506 VPN client > 6.2
-Cisco ASA Firewall 5505 VPN Client > 7.0
-Cisco Easy VPN Remote router clients: Cisco 800 Series, Cisco 900 Series, Cisco 1700 Series

Easy VPN Server:
-Cisco IOS > 12.2(8)T router
-PIX Firewall > 6.2
-ASA Firewall > 7.0
-Cisco VPN 3000 > 3.11 (> 3.5.1 recommended)
Easy VPN Remote mode of operation

 Easy VPN Remote supports two modes of operation:

 Client mode (PAT mode)
 Specifies that NAT/PAT be used.
 Client automatically configures the NAT/PAT translation and ACLs
needed to implement the VPN tunnel.
 Supports split tunneling.

 Network extension mode
 Specifies that the hosts at the client end of the VPN connection use
fully routable IP addresses.
 PAT is not used.
 Supports split tunneling.
Easy VPN – Client/PAT mode

(Figure: an ASA Firewall 5505 acting as Easy VPN Remote, with PAT applied to its local hosts, builds a VPN tunnel to a PIX Firewall 525 acting as Easy VPN Server in front of 10.0.0.0/24; addresses shown: 192.168.1.1 and 10.0.1.2.)

Easy VPN – NEM (Network Extension Mode)

(Figure: a Cisco 1710 router running IOS 12.2(8)YJ with addresses 172.16.10.5/172.16.10.6 and a PIX Firewall 501 with addresses 172.16.20.5/172.16.20.6, each acting as Easy VPN Remote, build VPN tunnels to a PIX Firewall 525 Easy VPN Server at 172.16.10.4 in front of 10.0.0.0/24; the remote hosts keep fully routable addresses.)
Configuring Easy VPN Server with xauth
(extended authentication)

The following general tasks are used to configure Easy VPN Server on
a firewall appliance:

Task 1—Create ISAKMP policy for remote VPN Client access.
Task 2—Create IP address pool.
Task 3—Define group policy for mode configuration push.
Task 4—Create transform set.
Task 5—Create dynamic crypto map.
Task 6—Assign dynamic crypto map to static crypto map.
Task 7—Apply crypto map to firewall appliance interface.
Task 8—Configure XAUTH.
Task 9—Configure NAT and NAT 0.
Task 10—Enable IKE DPD.
Task 1—Create ISAKMP Policy for Remote VPN Client Access

(Figure: remote client 172.26.26.1 reaches the firewall's outside interface 192.168.1.5 across the Internet; the server 10.0.0.15 is on the inside. ISAKMP policy: pre-share, DES, SHA, group 2.)

fw1(config)# crypto isakmp enable outside
fw1(config)# crypto isakmp policy 20 authentication pre-share
fw1(config)# crypto isakmp policy 20 encryption des
fw1(config)# crypto isakmp policy 20 hash sha
fw1(config)# crypto isakmp policy 20 group 2
Task 2—Create IP Address Pool

(Figure: same topology as Task 1; address pool vpnpool 10.0.11.1-10.0.11.254.)

firewall(config)#
ip local pool pool-name low-ip-address[-high-ip-address]

Creates an optional local address pool if the remote client is using the remote server as an external
DHCP server.

fw1(config)# ip local pool MYPOOL 10.0.11.1-10.0.11.254
Task 3—Define Group Policy for Mode Configuration Push

Task 3 contains the following steps:

Step 1—Set the tunnel group type.
Step 2—Configure the IKE pre-shared key.
Step 3—Specify the local IP address pool.
Step 4—Configure the group policy type.
Step 5—Enter the group policy attributes submode.
Step 6—Specify the DNS servers.
Step 7—Specify the WINS servers.
Step 8—Specify the DNS domain.
Step 9—Specify the idle timeout.
Step 1—Set the Tunnel Group Type

(Figure: same topology as Task 1; the attributes the VPN group pushes to the client are the pre-shared key, DNS server, WINS server, DNS domain, address pool and idle time.)

firewall(config)#
tunnel-group name type type

 Names the tunnel-group.
 Defines the type of VPN connection to be established.

fw1(config)# tunnel-group training type remote-access
or
fw1(config)# tunnel-group training type ipsec-ra

Step 2—Configure IKE Pre-Shared Key

firewall(config)#
tunnel-group name [general-attributes | ipsec-attributes]

 Enter tunnel group ipsec-attributes submode to configure the key.

firewall(config-ipsec)#
pre-shared-key key

 Associate a pre-shared key with the connection policy.

fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123

Step 3—Specify Local IP Address Pool

firewall(config)#
tunnel-group name [general-attributes | ipsec-attributes]

 Enter tunnel group general-attributes submode to configure the address pool.

firewall(config-general)#
address-pool [interface name] address_pool1 [...address_pool6]

 Associate an address pool with the connection policy.

fw1(config)# tunnel-group training general-attributes
fw1(config-general)# address-pool MYPOOL

Step 4—Configure the Group Policy Type

firewall(config)#
group-policy group_name [internal | external | attributes]

fw1(config)# group-policy training internal

Step 5—Enter the Group Policy Attributes Submode

firewall(config)#
group-policy group_name [internal | external | attributes]

fw1(config)# group-policy training attributes
fw1(config-group-policy)#

Step 6—Specify DNS Servers

firewall(config-group-policy)#
dns-server value dns_ip_prim [dns_ip_sec]

fw1(config-group-policy)# dns-server value 10.0.0.15

Step 7—Specify WINS Servers

firewall(config-group-policy)#
wins-server value wins_ip_prim [wins_ip_sec]

fw1(config-group-policy)# wins-server value 10.0.0.15

Step 8—Specify DNS Domain

firewall(config-group-policy)#
default-domain value {domain-name | none}

fw1(config-group-policy)# default-domain value cisco.com

Step 9—Specify Idle Time

firewall(config-group-policy)#
vpn-idle-timeout {minutes | none}

fw1(config-group-policy)# vpn-idle-timeout 600
Task 4—Create Transform Set

(Figure: same topology as Task 1; transform set DES with SHA-HMAC.)

firewall(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2]

fw1(config)# crypto ipsec transform-set remoteuser1 esp-des esp-sha-hmac

Task 5—Create Dynamic Crypto Map

firewall(config)#
crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1

fw1(config)# crypto dynamic-map rmt-dyna-map 65200 set transform-set remoteuser1

Task 6—Assign Dynamic Crypto Map to Static Crypto Map

firewall(config)#
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name

fw1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map

Task 7—Apply Crypto Map to Firewall Appliance Outside Interface

firewall(config)#
crypto map map-name interface interface-name

fw1(config)# crypto map rmt-user-map interface outside
Task 8: Configure XAUTH

Task 8 contains the following steps:

Step 1—Enable AAA login authentication.
Step 2—Define AAA server IP address and encryption key.
Step 3—Enable IKE XAUTH for the tunnel group.

Step 1: Enable AAA Login Authentication

(Figure: same topology as Task 1; the TACACS+ server is 10.0.0.15 on the inside.)

firewall(config)#
aaa-server server_tag protocol auth_protocol

fw1(config)# aaa-server mytacacs protocol tacacs+

Step 2: Define AAA Server IP Address and Encryption Key

firewall(config-aaa-server)#
aaa-server server_tag [(if_name)] host server_ip [key] timeout seconds

fw1(config-aaa-server)# aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5

Step 3: Enable IKE XAUTH for Tunnel Group

firewall(config-general)#
authentication-server-group [interface name] server group [LOCAL | NONE]

fw1(config)# tunnel-group training general-attributes
fw1(config-general)# authentication-server-group mytacacs
Task 9: Configure NAT and NAT 0

(Figure: VPN client pool 10.0.11.0 on the outside, inside network 10.0.0.0 with the TACACS+ server 10.0.0.15 and outside interface 192.168.1.5; traffic between the pool and the inside network is encrypted and not translated, all other traffic is sent in clear text and translated.)

fw1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
fw1(config)# nat (inside) 0 access-list 101
fw1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
fw1(config)# global (outside) 1 interface

 Matches ACL: encrypted data and no translation (NAT 0)
 Does not match ACL: clear text and translation (PAT)

Task 10—Enable IKE DPD

(Figure: DPD exchange between the peers: 1) DPD send: “Are you there?” 2) DPD reply: “Yes, I am here.”)

firewall(config-ipsec)#
isakmp keepalive [threshold seconds] [retry seconds] [disable]

Configure the IKE DPD parameters.

fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# isakmp keepalive threshold 30 retry 10
Difference between DPD/keepalive and lifetime

DPD/Keepalive: a keepalive message sent towards the peer device to make sure
that the VPN peer is still alive. When there is no response after the configured
retries, the local side tears the VPN tunnel down.
isakmp keepalive [threshold seconds] [retry seconds] [disable]

Phase 1 (IKE) lifetime: during phase 1 negotiation the IKE lifetime is agreed, and the
Security Association (SA) parameters agreed are retained for the duration of the
lifetime. Before the SA expires, IKE negotiation starts to set up a new SA. Default: 86400
seconds (24 hours).
crypto isakmp policy [priority] [lifetime seconds]

Phase 2 (IPSec) lifetime: the same process as the Phase 1 lifetime; however, the Phase 2 lifetime
can be measured in seconds (“timed” lifetime) or kilobytes (“traffic-volume”
lifetime). If both lifetimes (seconds and kilobytes) are specified, the phase 2 SAs
expire and are renegotiated on whichever lifetime is reached first. Default:
28800 seconds (8 hours).
crypto map map-name seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
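The two timers on this slide are easy to confuse in operation, so the following Python is an added example (not from the slides) that applies both rules numerically: `phase2_expiry` finds which of the timed and traffic-volume lifetimes a phase 2 SA reaches first at a given traffic rate, `sa_needs_rekey` checks an established SA against both limits, and `dpd_probe_times` lays out the DPD probes for the slide's `threshold 30 retry 10` values. The slides give no count of unanswered retries before the tunnel is cleared, so that count is a parameter here; 4608000 KB is the Cisco default volume lifetime, and the traffic rates in the test are constructed.

```python
"""Which limit renegotiates an IPsec SA first, and when DPD declares a peer dead.

Added example, not from the slides. Lifetime defaults 86400 s and 28800 s are
from the slides; 4608000 KB is the Cisco default volume lifetime. The number
of unanswered DPD retries is an assumption passed in by the caller.
"""
from math import inf

IKE_LIFETIME_DEFAULT = 86400        # phase 1 default (24 hours)
IPSEC_LIFETIME_DEFAULT = 28800      # phase 2 timed default (8 hours)
IPSEC_KB_DEFAULT = 4608000          # phase 2 volume default in kilobytes


def phase2_expiry(lifetime_seconds, lifetime_kb, rate_bytes_per_s):
    """At a steady traffic rate, which lifetime expires first and after how many seconds.
    A lifetime given as None means that limit is not configured."""
    if lifetime_kb is None or rate_bytes_per_s <= 0:
        time_by_volume = inf
    else:
        time_by_volume = lifetime_kb * 1024 / rate_bytes_per_s
    timed = lifetime_seconds if lifetime_seconds is not None else inf
    if time_by_volume < timed:
        return "kilobytes", time_by_volume
    return "seconds", timed


def sa_needs_rekey(elapsed_seconds, bytes_protected, lifetime_seconds, lifetime_kb):
    """True once either limit of an established SA has been reached (whichever comes first)."""
    timed_out = lifetime_seconds is not None and elapsed_seconds >= lifetime_seconds
    volume_out = lifetime_kb is not None and bytes_protected >= lifetime_kb * 1024
    return timed_out or volume_out


def dpd_probe_times(threshold, retry, max_retries, last_traffic_at=0.0):
    """Times at which DPD 'are you there?' messages go out when the peer never answers:
    the first after `threshold` idle seconds, then one every `retry` seconds."""
    first = last_traffic_at + threshold
    return [first + retry * n for n in range(max_retries + 1)]


def dpd_dead_at(threshold, retry, max_retries, last_traffic_at=0.0):
    """Time at which the local side clears the tunnel: one retry interval after the
    last probe also goes unanswered (assumed model of the retry exhaustion)."""
    return dpd_probe_times(threshold, retry, max_retries, last_traffic_at)[-1] + retry


if __name__ == "__main__":
    print(phase2_expiry(IPSEC_LIFETIME_DEFAULT, IPSEC_KB_DEFAULT, 1_000_000))
    print(dpd_probe_times(30, 10, 3), dpd_dead_at(30, 10, 3))
```

At 1 MB/s the default volume lifetime is reached after roughly 79 minutes, well before the 8-hour timed lifetime, so on a busy tunnel the rekey cadence is driven by the kilobytes value; at 100 kB/s the timed lifetime wins. Neither timer detects a dead peer, which is the job of DPD: with the slide's values a silent peer is probed at 30, 40, 50 and 60 seconds and, under the three-retry assumption, cleared at 70.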
VPN Filter

(Figure: VPN client pool 10.0.11.0 on the outside and the WWW server 10.0.0.20 on the inside, outside interface 192.168.1.5; the VPN filter ACL is written with the VPN client addresses as the source.)

Only allowing web access (tcp/80) from the VPN Client pool to the internal web server:

fw1(config)# access-list vpnfilter-acl permit tcp 10.0.11.0 255.255.255.0 host 10.0.0.20 eq 80
fw1(config)# group-policy training attributes
fw1(config-group-policy)# vpn-filter value vpnfilter-acl
IPSec Site-to-Site VPN tunnel
Static IPSec Site-to-Site tunnel

(Figure: Security Appliance 1 at Site 1 (HUB), interface e0 outside 192.168.1.2, protecting host 10.0.1.11; Security Appliance 6 at Site 2 (STATIC), interface e0 outside 192.168.6.2, protecting host 10.0.6.11; the two outside interfaces are connected across the Internet.)
Static IPSec Site-to-Site tunnel (Contd.)

Policy                             | Site 1 (HUB)                                          | Site 2 (Remote)
Transform set                      | ESP-3DES, tunnel                                      | ESP-3DES, tunnel
Peer security appliance IP address | Peer to site 2: 192.168.6.2; Peer to site 3: Unknown  | 192.168.1.2
Encrypting hosts                   | 10.0.1.11                                             | 10.0.6.11
Traffic type to be encrypted       | IP                                                    | IP
Static IPSec Site-to-Site tunnel (Contd.)

Site 1 (HUB):

interface ethernet0
nameif outside
ip address 192.168.1.2 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 group 1

tunnel-group 192.168.6.2 type ipsec-l2l
tunnel-group 192.168.6.2 ipsec-attributes
pre-shared-key cisco123

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key cisco123

access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.8.0 255.255.255.0
access-list 101 permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list 102 permit ip 10.0.1.0 255.255.255.0 10.0.8.0 255.255.255.0

Site 2 (Remote) - static:

interface ethernet0
nameif outside
ip address 192.168.6.2 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 group 1

tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
pre-shared-key cisco123

access-list 101 permit ip 10.0.6.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set fw6 esp-3des esp-md5-hmac
crypto map FW1MAP 10 match address 101
crypto map FW1MAP 10 set peer 192.168.1.2
crypto map FW1MAP 10 set transform-set fw6
crypto map FW1MAP interface outside

Thank You.