ASA Essentials (Part 2)

  • Upload
    cm1lt0n

  • View
    31

  • Download
    2

Embed Size (px)

DESCRIPTION

ASA

Citation preview

Page 1: ASA Essentials (Part 2)

Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved.

ASA Essentials Part 2: NAT, Advanced Firewall, VPN. October 2012

Bogdan Doinea

Technical Manager CEE&RCIS

Cisco Networking Academy

[email protected]

Page 2: ASA Essentials (Part 2)


Translations and Connections

Advanced Firewall Configurations

A look at VPNs on the ASA

Technical Demo

Page 3: ASA Essentials (Part 2)

• NAT defines the way private addresses are translated into public ones and vice versa

• What are the private address spaces (defined in RFC 1918)?

10.0.0.0/8: 16,777,214 hosts (the former Class A space)

172.16.0.0/12: 1,048,574 hosts (16 contiguous former Class B networks)

192.168.0.0/16: 65,534 hosts (256 contiguous former Class C networks)

• Depending on how many hosts must be translated and how many public IP addresses are available, there are 2 types of translation:

NAT (Network Address Translation) – layer 3: one private address maps to one public address

PAT (Port Address Translation) – layer 4: many private addresses share one public address and are told apart by port

Page 4: ASA Essentials (Part 2)

• Depending on the direction of the translation:

Inside NAT – addresses from the LAN are translated to addresses in the WAN (public) space

Outside NAT – addresses from the WAN are translated to addresses in the LAN (private) space

• Inside NAT

• For plain NAT the firewall only rewrites the layer 3 header (the IP address; the TCP/UDP checksum is recomputed because it covers the addresses)

Example (inside host 192.168.10.10, ASA inside 192.168.10.1 / outside 209.100.65.1, web server 141.85.99.10), written as source IP:port > destination IP:port:

outbound, before translation: 192.168.10.10:24000 > 141.85.99.10:80
outbound, after translation: 209.100.65.10:24000 > 141.85.99.10:80
return, before translation: 141.85.99.10:80 > 209.100.65.10:24000
return, after translation: 141.85.99.10:80 > 192.168.10.10:24000

Page 5: ASA Essentials (Part 2)

• Outside NAT

It’s actually bidirectional NAT: both the source and the destination address are rewritten

The source address of packets coming from the Internet gets translated into an address of the inside space

• Used when hosts on the outside must appear as if they were on the inside of the network

Example (outside host 141.85.99.10, inside server 192.168.10.10 published as 209.100.65.10, ASA inside 192.168.10.1 / outside 209.100.65.1):

inbound, as seen on the outside: 141.85.99.10:24000 > 209.100.65.10:80
inbound, as seen on the inside: 192.168.10.30:24000 > 192.168.10.10:80
return, as seen on the inside: 192.168.10.10:80 > 192.168.10.30:24000
return, as seen on the outside: 209.100.65.10:80 > 141.85.99.10:24000

Page 6: ASA Essentials (Part 2)

• “NAT conserves addresses”: not by itself. A NAT translation is done at a 1-to-1 ratio, so it consumes one public address per inside host

It is PAT that conserves addresses

• “NAT is a security mechanism”: the security functionality that NAT brings is a consequence of the design, not an objective

It is not good practice to rely on NAT for inside-outside security (a static translation exposes the inside host exactly as if there were no NAT at all)

The component that actually protects connections is the stateful firewall: it only admits return traffic for connections it has seen initiated from the inside

Plus, a stateful firewall has extra functionality (application inspection etc.)

Page 7: ASA Essentials (Part 2)

• Be careful, NAT terminology is pretty diverse

What is SNAT (source NAT)?

Inside NAT: the source address of outbound packets is rewritten

What is DNAT (destination NAT)?

What is usually meant is port forwarding/port redirection (a public address and port mapped to an inside host), not outside NAT as defined on the previous slides

Page 8: ASA Essentials (Part 2)

• Port address translation

Allows the translation of multiple private addresses using a single public IP address

• Because a 1-to-1 mapping cannot be done at layer 3 any more, it is done at layer 4 by mapping ports

• Each private pair (IP_intern, port_intern) is mapped to a public pair (IP_extern, port_extern)

• By default, PAT tries to keep the internal source port as the external port; when that port is already used by another translation it allocates a free one

• The PAT translations (xlate entries) are kept in the RAM of the firewall

Page 9: ASA Essentials (Part 2)

• For the translated address we can use: the address of the outgoing interface

A public IP address that hasn’t been assigned to any interface

• For connection-oriented protocols, the firewall removes the translation entry from RAM once the connection is terminated (FIN/RST) or its idle timeout expires

• For connectionless protocols, each communication has an idle timeout

Example (inside hosts 192.168.10.10 and 192.168.10.20 in 192.168.10.0/24, ASA inside 192.168.10.1 / outside 209.100.65.1, PAT to the outside interface address, web server 141.85.99.10):

192.168.10.10:24000 > 141.85.99.10:80 becomes 209.100.65.1:24000 > 141.85.99.10:80
192.168.10.20:24000 > 141.85.99.10:80 becomes 209.100.65.1:30000 > 141.85.99.10:80 (port 24000 is already in use on 209.100.65.1, so a different port is allocated)

Page 10: ASA Essentials (Part 2)

• Be careful, the two words (connection and translation) are different concepts for a firewall

• Scenario: a user downloads a web page, sends an IM message and downloads his email with an email client

• How many connections does the firewall have in memory?

A minimum of 3 (can depend on the way the protocols work)

• How many layer 3 NAT translations does the firewall have in memory?

1 (one xlate entry for the host; with PAT there would instead be one xlate entry per source port in use)
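The translations of slides 4, 5 and 9 written as ASA configuration. This is an added example, not part of the deck: it uses the ASA 8.3 and later object NAT and twice NAT syntax, the interface names inside and outside and the addresses from the slides, and the object and ACL names are assumed.

```cisco
! Added example (not from the deck). Addresses are those used on the slides:
! inside LAN 192.168.10.0/24, ASA outside 209.100.65.1, inside web server 192.168.10.10
! published as 209.100.65.10, outside host 141.85.99.10.

! Slide 9: dynamic PAT of the whole LAN to the outside interface address (209.100.65.1).
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Slide 4: static 1-to-1 inside NAT for the server. The object holds the real address,
! the nat statement the mapped one. Static entries never time out (flag "s" in show xlate).
object network WEB_SERVER
 host 192.168.10.10
 nat (inside,outside) static 209.100.65.10
! Port redirection (what Linux calls DNAT, slide 7) would be written instead as:
!  nat (inside,outside) static interface service tcp www www

! Since 8.3 the ACL references the real (untranslated) address. Without this rule the
! lower-to-higher security direction stays blocked whatever the NAT says (slide 6).
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq www
access-group OUTSIDE_IN in interface outside

! Slide 5: outside (bidirectional) NAT as a twice NAT rule. When 141.85.99.10 sends to
! 209.100.65.10 the source becomes 192.168.10.30 and the destination 192.168.10.10, so
! the outside host appears to be on the inside. Twice NAT is evaluated before object NAT.
object network OUTSIDE_HOST
 host 141.85.99.10
object network OUTSIDE_HOST_MAPPED
 host 192.168.10.30
object network WEB_SERVER_PUBLIC
 host 209.100.65.10
nat (outside,inside) source static OUTSIDE_HOST OUTSIDE_HOST_MAPPED destination static WEB_SERVER_PUBLIC WEB_SERVER

! Verification (slide 10): translations and connections are separate tables.
show nat
show xlate
show conn
```

Rule order matters: twice NAT rules are evaluated before object NAT, and among object NAT rules the static ones before the dynamic ones, which is why the single-host static rule wins over the dynamic PAT rule that also covers 192.168.10.10. With dynamic PAT, show xlate lists one entry per inside source port (flag "r"), whereas the static rule shows a single entry for the server; show conn lists one entry per TCP or UDP session regardless of how it was translated.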

Page 11: ASA Essentials (Part 2)

Advanced Firewall Configuration: the insides of Application Inspection

Page 12: ASA Essentials (Part 2)

• Why do we need application inspection?

(1) Scenarios in which applications run over non-standard ports

• By default, all firewalls identify applications by their standard assigned port

• Ex: if HTTP runs over port 8080, the firewall does not recognise the traffic as HTTP: the HTTP inspection engine is not applied, and a rule written for port 80 does not match it, so the packets fall through to the implicit deny and are dropped

[Figure: client 192.168.10.10, ASA 192.168.10.1 / 209.100.65.1, server 141.85.99.10 serving HTTP on port 8080]

Page 13: ASA Essentials (Part 2)

• Why do we need application inspection?

(2) Applications that need to open dynamic ports in order to work

The dynamically opened ports are negotiated by the application, usually on the control channel

Examples: Active FTP, multimedia streaming, VoIP

• Case study:

Active FTP vs. Passive FTP

Page 14: ASA Essentials (Part 2)

Active FTP

1. The client initiates a connection to port 21 on the server using a random source port N > 1023.

2. The server responds with an ACK from its port 21 to port N of the client

3. The client sends the command “PORT N+1” over the control channel (the PORT argument carries the client’s IP address and port as h1,h2,h3,h4,p1,p2) and starts listening on port N+1. By this, the client tells the server the port it wants to use for data transfer

4. The server tries to open (initiate) a connection from its port 20 (default data port) to port N+1 on the client

5. The firewall blocks the connection of step 4, because it has no state object for it in RAM

[Figure: client ports N (cmd) and N+1 (data), server ports 21 (cmd) and 20 (data); steps 1 to 4 numbered on the arrows]

Page 15: ASA Essentials (Part 2)

Passive FTP

1. The client initiates a connection to port 21 of the server from a random source port N > 1023. The client will use port N+1 for data transfer

2. The server sends an ACK from its port 21 to port N on the client

3. The client sends the PASV command to the server

4. The server opens a random port X > 1024 for data transfer and tells the client in its reply (“227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)”, which carries the server’s IP address and port X)

5. The client initiates the data connection from its port N+1 to port X on the server

[Figure: client ports N (cmd) and N+1 (data), server ports 21 (cmd) and X (data); steps 1 to 5 numbered on the arrows]

Page 16: ASA Essentials (Part 2)

• Conclusions: Active FTP does not work by default if the client is behind a firewall

Because of the stateful inspection (the server-initiated data connection has no state entry)

Because of NAT (the PORT command carries the client’s private address, which the server cannot reach)

Passive FTP works for a client behind a firewall, since the client initiates both connections

If the FTP server lies in a DMZ-type area and access is granted from the outside, the firewall in front of the server must permit the dynamically chosen data port X and, with NAT, fix up the address in the 227 reply; this is again a job for application inspection

• Why would we still want Active FTP? Because it opens fewer listening sockets on the server (one data port, 20, instead of a new port per transfer); RFC 1579 discusses the trade-off: http://www.faqs.org/rfcs/rfc1579.html

• With application inspection: the firewall can read the commands sent on the FTP control channel

When the firewall sees the “PORT N+1” command, it opens a pinhole for the data connection from the server to port N+1 of the client (only between these 2 IP addresses) and, if NAT is in use, rewrites the private address embedded in the command

Page 17: ASA Essentials (Part 2)

• Why do we need application inspection?

(3) Applications that embed the IP address in the control channel messages and thus conflict with NAT

As a result, the IP address in the layer 3 header will not be the same as the one embedded at layer 7

The application tries to open sockets to the private IP address and cannot succeed

• Application inspection to the rescue!

The firewall inspects the IP address in the control channel and rewrites it with the one in the xlate table

Page 18: ASA Essentials (Part 2)

• What is MPF (Modular Policy Framework)?

A set of structures and commands in the ASA OS

A way of making logical connections between the various theoretical concepts and their practical implementations

• What does MPF offer?

The possibility to control and configure the features below using the same commands and OS structures:

Application inspection

IPS (AIP-SSM module)

Anti {virus | spam | spyware} (CSC-SSM module)

Setting connection limits

Traffic policing

Page 19: ASA Essentials (Part 2)

• MPF is defined through 3 basic structures

Class-map

Used to identify traffic flows using different strategies

We have generic class-maps that identify traffic at layers 3 and 4 and inspection class-maps that can identify traffic at layer 7

Policy-map

Used to associate one or more actions with the packets identified by a class-map

We have generic policy-maps that apply standard actions (inspect, police, set connection etc.) and inspection policy-maps that specifically control application layer information

Service-policy (a command)

Used to apply a policy globally or at interface level

Page 20: ASA Essentials (Part 2)

[Figure: three class-maps (Internet, SE = System Engineers, IP telephony) feed a policy-map with the actions Inspect, Police and Prioritize, which a service-policy applies on the Outside interface]

Page 21: ASA Essentials (Part 2)


• Defining a class-map (L3/L4)

• The match command is used to identify traffic

ciscoasa(config)# class-map identify_by_L3_or_L4

ciscoasa(config-cmap)# ?

MPF class-map configuration commands:

description Specify class-map description

exit Exit from MPF class-map configuration mode

help Help for MPF class-map configuration commands

match Configure classification criteria

no Negate or set default values of a command

rename Rename this class-map

Page 22: ASA Essentials (Part 2)

• What criteria can the match command use to identify traffic?

access-list: uses an ACL for classification

any: matches all traffic

dscp: matches the ToS field using the IETF DSCP standard

precedence: matches the ToS field using the IP Precedence standard

tunnel-group: matches traffic going into a VPN tunnel. This can only be used for QoS purposes

flow ip destination-address: used for identifying a destination IP inside a tunnel-group. Can only be used together with tunnel-group

port: identifies a UDP or TCP port (or port range)

default-inspection-traffic: matches a series of protocols on their standard, well-known ports

Page 23: ASA Essentials (Part 2)

• A class-map supports a single match command

The exception is tunnel-group and default-inspection-traffic, which let the admin specify a second match statement

When we have 2 match commands, the firewall applies a logical AND between them

• By default, the class-map inspection_default is present in the configuration:

ciscoasa# sh run

....

class-map inspection_default

match default-inspection-traffic

....

Page 24: ASA Essentials (Part 2)

• What does default-inspection-traffic contain?

ciscoasa(config-cmap)# match ?

mpf-class-map mode commands/options:

access-list                 Match an Access List

any                         Match any packet

default-inspection-traffic  Match default inspection traffic:

ctiqbe       tcp   2748
dns          udp   53
ftp          tcp   21
gtp          udp   2123,3386
h323-h225    tcp   1720
h323-ras     udp   1718-1719
http         tcp   80
icmp         icmp
ils          tcp   389
mgcp         udp   2427,2727
netbios      udp   137-138
radius-acct  udp   1646
rpc          udp   111
rsh          tcp   514
rtsp         tcp   554
sip          tcp   5060
sip          udp   5060
skinny       tcp   2000
smtp         tcp   25
sqlnet       tcp   1521
tftp         udp   69
waas         tcp   1-65535

Page 25: ASA Essentials (Part 2)

• The policy-map determines the action the firewall will take on the classified traffic

• Step 1: we give the policy-map a name

• Step 2: we make an association with a class-map

• Step 3: we specify the action(s)

ciscoasa(config)# policy-map test_policy

ciscoasa(config-pmap)# class major_protocols

ciscoasa(config-pmap-c)# inspect ftp

ciscoasa(config-pmap-c)# inspect icmp

Page 26: ASA Essentials (Part 2)

• One policy-map class can carry multiple actions, of different categories

ciscoasa(config-pmap-c)# ?

MPF policy-map class configuration commands:

csc Content Security and Control service module

exit Exit from MPF class action configuration mode

flow-export Configure filters for NetFlow events

help Help for MPF policy-map class/match submode commands

inspect Protocol inspection services

ips Intrusion prevention services

no Negate or set default values of a command

police Rate limit traffic for this class

priority Strict scheduling priority for this class

quit Exit from MPF class action configuration mode

service-policy Configure QoS Service Policy

set Set connection values

shape Traffic Shaping

Page 27: ASA Essentials (Part 2)

ciscoasa# sh run

..........

!

class-map example

match port tcp eq www

!

policy-map http_policy

class example

inspect http

police input 1000000

set connection conn-max 1000 per-client-embryonic-max 50

!

..........

Page 28: ASA Essentials (Part 2)

• A policy can be applied globally or at interface level

• A globally applied policy applies to all the traffic entering the ASA on any interface, but only in the ingress direction

• An interface-level policy applies to all the traffic on that interface, ingress and egress, and takes precedence over the global policy for the same feature

• Only one global policy and one policy per interface can be active at a time

# applied on the interface

ciscoasa(config)# service-policy inspect_http interface inside

# applied globally

ciscoasa(config)# service-policy inspect_http global

Page 29: ASA Essentials (Part 2)

• A packet can match several class-maps inside one policy-map, as long as the actions attached to them are of different types (e.g. police in one class, inspect in another)

• For the same type of action, a packet matches only the first class-map that identifies it, in the order the classes appear in the policy-map

• Several actions of different types can also be attached to the same class-map

class-map example

match port tcp eq www

policy-map http_policy

class example

police input 1000000

set connection conn-max 1000 per-client-embryonic-max 50

class inspection_default

inspect http
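A complete MPF example that ties slides 12, 14 to 16 and 25 to 29 together: HTTP inspection for a server on tcp/8080 and FTP inspection for a server on tcp/2121, both added to the global policy. This is an illustration added here, not the deck’s configuration; the ports 8080 and 2121, the class names and the connection limits are assumed values.

```cisco
! Added example (not from the deck). Interface names as on the slides; ports and names assumed.

! Slide 12: the default class only knows HTTP on tcp/80, so classify tcp/8080 as HTTP too.
! A class-map carries a single match statement (slide 23).
class-map HTTP_8080
 match port tcp eq 8080
! Slides 14-16: FTP control channel on a non-standard port. Only with "inspect ftp" bound
! to this class does the ASA read PORT/PASV, open the data pinhole and rewrite the
! embedded private address according to the xlate table.
class-map FTP_2121
 match port tcp eq 2121

! global_policy already exists on a default ASA; extend it instead of creating a second
! global policy, because only one global service-policy can be active (slide 28).
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
  inspect icmp
 class HTTP_8080
  inspect http
  set connection conn-max 1000 per-client-embryonic-max 50
 class FTP_2121
  inspect ftp
service-policy global_policy global

! Verification: per-engine counters, and during a transfer the conn table shows the FTP
! data connection (server port 20 -> client N+1) that the fixup admitted.
show service-policy inspect ftp
show service-policy inspect http
show conn detail
```

Note that HTTP_8080 carries two actions of different types (inspect and set connection), which is allowed, while a packet to tcp/80 is inspected only by inspection_default: the same inspect action is never applied twice to one packet, in line with the matching rules on slide 29.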

Page 30: ASA Essentials (Part 2)

Virtual Private Networks: a look at the types of VPNs supported on the ASA

Page 31: ASA Essentials (Part 2)

• A solution to create an end-to-end private connection over an unsafe, open network like the Internet

• There are other solutions that achieve the same end result: leased lines

• What’s the difference between having a leased line and a VPN?

The cost

Page 32: ASA Essentials (Part 2)

• Relative to the ISP: Overlay

Peer-to-peer

• The overlay model makes the ISP network invisible to the client

• The ISP routers do not get to know the client networks

• Types of overlay VPNs: L2TP, PPTP, IPSec

[Figure: client sites connected across an ISP cloud]

Page 33: ASA Essentials (Part 2)

• In the peer-to-peer model, the ISP participates in the routing decision

• The routing adjacency is established between the ISP and the client

• Overlay VPN models dominated 90% of the market before MPLS became popular

• Still, MPLS does not provide any confidentiality or authentication scheme: an MPLS VPN separates customer traffic but does not encrypt it, so IPSec is still needed on top when confidentiality is required

[Figure: ISP MPLS cloud]

Page 34: ASA Essentials (Part 2)

• Relative to the topology:

Site-to-Site

Remote-access

• A Site-to-Site VPN ties together many fixed locations over the Internet

• Configuration only has to be done on the firewalls/routers

• There is no need to have a VPN client on the laptop/computer

[Figure: headquarters connected to two remote offices]

Page 35: ASA Essentials (Part 2)

• Most VPN technologies are based on tunneling

• Tunneling means an extra header is added at the layer where the tunnel is built

Example: IP-in-IP tunnel

Used when the end-to-end source or destination network is not known in the routing table of an intermediate router

Tunneled packet: Tunnel IP header | Original IP header | Layer 4 header | Data

The original, end-to-end header is hidden from all the routers traversed between the tunnel endpoints

Page 36: ASA Essentials (Part 2)

• IPSec is a security protocol framework: IKE negotiates keys and parameters, ESP and AH protect the data, and the algorithm for each service is negotiable

Page 37: ASA Essentials (Part 2)

• IPSec: Confidentiality

[Figure: symmetric ciphers with key lengths 56 bits (DES), 168 bits (3DES), 256 bits (AES) and 160 bits; key exchange labelled DH7]

Page 38: ASA Essentials (Part 2)

• IPSec: Integrity

[Figure: HMAC with 128-bit (MD5) and 160-bit (SHA-1) hashes; key exchange labelled DH7]

Page 39: ASA Essentials (Part 2)

• IPSec: authentication with non-repudiation (RSA signatures with digital certificates; pre-shared keys authenticate the peer but do not give non-repudiation)

[Figure: key exchange labelled DH7]
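Site-to-site IPSec on the ASA (slides 34 to 39) as configuration. This example is added here and is not part of the deck: an IKEv1 tunnel from the slides’ ASA (outside 209.100.65.1, LAN 192.168.10.0/24) to a peer ASA. The peer address 198.51.100.1 and the remote LAN 192.168.20.0/24 are assumed (documentation ranges), as are the pre-shared key placeholder and all object, ACL, transform-set and crypto map names; the syntax is ASA 8.4 or later.

```cisco
! Added example (not from the deck). Local addresses from the slides; peer and remote LAN assumed.
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
object network REMOTE_NET
 subnet 192.168.20.0 255.255.255.0

! NAT exemption: tunnelled traffic must keep its private addresses. This identity twice NAT
! rule is evaluated before the object NAT rules of the NAT section, so the LAN is not PATed
! to 209.100.65.1 on its way into the tunnel (a classic reason for a tunnel that "comes up
! but passes no traffic").
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup

! Phase 1 (IKEv1): pre-shared key authentication, AES-256, SHA-1, DH group 14.
! Pick the highest group both ends support; groups 1, 2 and 5 are too short today.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <pre-shared-key>

! Phase 2 (IPsec): ESP with AES-256 and SHA-1 HMAC; the crypto ACL selects the traffic
! (the tunnel is built on demand, when the first matching packet arrives).
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
access-list VPN_TRAFFIC extended permit ip object INSIDE_NET object REMOTE_NET
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside

! Verification after sending traffic across:
show crypto ikev1 sa
show crypto ipsec sa
```

The peer needs the mirror image of this configuration: its own LAN as the source of its crypto ACL and NAT exemption, 192.168.10.0/24 as the destination, and 209.100.65.1 as its peer. The pre-shared key here is the authentication of slide 39 without non-repudiation; swapping it for certificates (trustpoint plus authentication rsa-sig in the IKEv1 policy) is what gives non-repudiation.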

Page 40: ASA Essentials (Part 2)

• Telecommuting is increasingly an option for working

The risk of passing company information over the Internet is very great

• Remote access VPN

IPSec

SSL

[Figure: teleworker connecting from a remote location]

Page 41: ASA Essentials (Part 2)

Criterion               IPSec                                                   SSL

Applications            Any IP-based app                                        Web, e-mail, file sharing in native mode (clientless)

Encryption strength     Very strong – key lengths from 56 to 256 bits           Moderate – key lengths from 40 to 128 bits

Authentication          Strong – two-way authentication                         Moderate – one-way or two-way authentication

Ease of use             Moderate – can be challenging for a non-technical user  Very easy

Options for connecting  A preconfigured client is necessary                     No client is needed, only a working browser

(The key-length row reflects the browser cipher suites of the time; modern TLS negotiates AES-128/256 just like IPSec, so the difference today lies in authentication and deployment model rather than cipher strength)

As remote access solutions, the 2 options do not exclude each other

IPSec = security

SSL = mobility, flexibility

Page 42: ASA Essentials (Part 2)

• The SSL VPN architecture assumes:

An SSL VPN server at the company headquarters

The SSL VPN client on the teleworker’s laptop

• The SSL VPN client has 3 operating modes

Clientless

Thin client

Full client

[Figure: teleworker connecting to headquarters]

Page 43: ASA Essentials (Part 2)

• For the clientless and thin client modes, the browser is the client

• Clientless does not allow anything else except HTTP and HTTPS

The user authenticates on the SSL portal to get access to internal company web resources

• Thin client

In this mode, the user downloads Java applets from the portal

The applets behave like TCP proxies for applications

The user connects to several applications through the TCP proxy (POP3, SMTP, IMAP, Telnet, SSH, CIFS)

The applet makes an HTTPS connection to the SSL server that carries the addressing information of the target service in its payload

The SSL server makes the connection to the end service inside the company network

Page 44: ASA Essentials (Part 2)

• The full client can usually be downloaded from the SSL portal after the user authenticates

• Depending on the vendor, the client may install seamlessly or manually, with user intervention
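Remote-access SSL VPN on the ASA, covering the clientless portal and the full client of slides 42 to 44. This is an added example, not the deck’s configuration; the address pool 192.168.50.0/24, the AnyConnect package file name, the trustpoint VPN_CERT (assumed already enrolled with a CA-issued certificate) and the group, policy and ACL names are assumptions, and the syntax is ASA 8.4/9.x.

```cisco
! Added example (not from the deck). Pool, package name, trustpoint and names are assumed.

! Slide 45: the ASA presents a certificate on tcp/443. Bind a CA-issued certificate to the
! outside interface so the browser and client can validate it instead of the self-signed default.
ssl trust-point VPN_CERT outside

ip local pool VPN_POOL 192.168.50.10-192.168.50.100 mask 255.255.255.0

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.pkg 1
 anyconnect enable
 tunnel-group-list enable

! vpn-tunnel-protocol decides which modes a user gets: ssl-clientless for the portal and
! the thin-client applets (slide 43), ssl-client for the full AnyConnect tunnel (slide 44).
! Split tunnelling sends only the company LAN (192.168.10.0/24 from the slides) into the tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Assumed: local user database; a AAA server group (LDAP/RADIUS) replaces LOCAL in production.
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY
 authentication-server-group LOCAL
tunnel-group RA_GROUP webvpn-attributes
 group-alias Employees enable

! Verification: full-client and clientless sessions are listed separately.
show vpn-sessiondb anyconnect
show vpn-sessiondb webvpn
```

As with the site-to-site case, traffic between the VPN pool and the inside LAN must be exempted from NAT with an identity rule, otherwise the pool addresses are PATed on their way in and return traffic never reaches the client.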

Page 45: ASA Essentials (Part 2)

How the SSL session is set up:

1. The user makes a TCP connection to port 443

2. The firewall answers with its certificate, which carries its public key signed by a CA

3. The client software generates a secret (session) key

4. The client sends the secret key encrypted with the firewall’s public key

5. Bulk encryption is done using the secret key

(This is the RSA key-transport handshake; with the Diffie-Hellman based cipher suites the session key is derived by key agreement instead of being sent encrypted, but the role of the certificate in authenticating the server is the same)

Page 46: ASA Essentials (Part 2)

[Demo topology: R1 and R2 attached to the ASA’s outside and inside interfaces; interfaces shown are Fa0/0, Fa0/1 and Fa0/2]

Page 47: ASA Essentials (Part 2)

Thank you.