
ASA Essentials Part 2

NAT, Advanced Firewall, VPN


October 2012

Bogdan Doinea
Technical Manager CEE&RCIS
Cisco Networking Academy
bdoinea@cisco.com

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Translations and Connections

Advanced Firewall Configurations

A look at VPNs on the ASA

Technical Demo

• NAT defines the way that we translate private addresses into public
ones and vice-versa

• What are the private address spaces?


Class A: 10.0.0.0/8: 16,777,214 hosts
Class B: 172.16.0.0/12: 1,048,574 hosts
Class C: 192.168.0.0/16: 65,534 hosts
• Private addresses are defined in RFC 1918
• In relation to how many hosts must be translated and how many
public IP addresses we have, there are 2 types of translations:
NAT (Network Address Translation) – layer 3
PAT (Port Address Translation) – layer 4

• In relation to the direction of the translation:
Inside NAT – addresses from the LAN are translated to addresses in the WAN (space)
Outside NAT – addresses from the WAN are translated to addresses in the LAN (space)
• Inside NAT
(figure: inside host 192.168.10.10, ASA inside interface 192.168.10.1 and outside interface 209.100.65.1, Internet server 141.85.99.10)
Outbound packet on the inside: src 192.168.10.10:24000, dst 141.85.99.10:80; on the outside after translation: src 209.100.65.10:24000, dst 141.85.99.10:80
Return packet on the outside: src 141.85.99.10:80, dst 209.100.65.10:24000; on the inside after translation: src 141.85.99.10:80, dst 192.168.10.10:24000

• The FW only modifies the layer 3 header to do NAT

• Outside NAT
It’s actually bidirectional NAT
The source address of packets coming from the Internet gets translated
(figure: inside server 192.168.10.10, ASA inside interface 192.168.10.1 and outside interface 209.100.65.1, Internet host 141.85.99.10)
Inbound packet on the outside: src 141.85.99.10:24000, dst 209.100.65.10:80; on the inside after translation: src 192.168.10.30:24000, dst 192.168.10.10:80
Return packet on the inside: src 192.168.10.10:80, dst 192.168.10.30:24000; on the outside after translation: src 209.100.65.10:80, dst 141.85.99.10:24000

• Used in cases where hosts on the outside want to appear like they
are on the inside of the Network
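The two translations drawn in the slides above, written as ASA object NAT configuration. This is an added example, not part of the original slides; it assumes ASA 8.3 or later object NAT syntax, interfaces named inside and outside, and the addresses from the figures (inside server 192.168.10.10 seen from the Internet as 209.100.65.10, Internet host 141.85.99.10 seen from the inside as 192.168.10.30). The object names are made up here.

```cisco
! Inside (static) NAT: the inside server 192.168.10.10 is seen from the
! outside as 209.100.65.10. The firewall rewrites only the layer 3 header.
object network inside-server
 host 192.168.10.10
 nat (inside,outside) static 209.100.65.10
!
! Outside NAT: the Internet host 141.85.99.10 appears on the inside as
! 192.168.10.30, so inside hosts see a local address instead of the real one.
! The interface pair is written (real_ifc,mapped_ifc): the real host lives
! on outside, its mapped address lives on inside.
object network outside-host
 host 141.85.99.10
 nat (outside,inside) static 192.168.10.30
!
! Checks (object names are the ones defined above):
! show nat detail    -> both rules with translate/untranslate hit counters
! show xlate         -> the static entries created for both objects
! packet-tracer input outside tcp 141.85.99.10 24000 209.100.65.10 80
!                    -> walks an inbound packet through both rules and
!                       reports the NAT phases
```

A static rule only translates; a connection from the outside to 209.100.65.10 still has to be permitted by an access-group on the outside interface, and on 8.3 and later that ACL is written against the real address 192.168.10.10, not the mapped one.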

• “NAT conserves addresses”
The private-public translation is done at a 1-to-1 ratio
PAT conserves addresses
• “NAT is a security mechanism”
The security functionality that NAT brings is a consequence of the
design, not an objective
It is not a good practice to rely on NAT for inside-outside security
There is another device that does the same thing as NAT from the
connection-security point of view: the stateful firewall
Plus, a stateful firewall has other extra functionality (Application
Inspection etc.)

• Be careful, the NAT terminology is pretty diverse
What is SNAT?
Inside NAT
What is DNAT?
A concept called port forwarding/port redirection, not Outside NAT

• Port address translation
Allows the translation of multiple private addresses, using a single
public IP address

• Because 1-to-1 mapping cannot be done at layer 3 anymore, it’s done at
layer 4 by mapping ports
• Each private pair (IP_intern, port_intern) is mapped to a public
pair (IP_extern, port_extern)
• By default, PAT will try to map the internal port to the same
external port
• The PAT translations are saved to the RAM of the FW

• For the translated address, we can use:
 The address of the outgoing interface
 A public IP address that hasn’t been assigned to any interface
(figure: inside network 192.168.10.0/24 with hosts .10 and .20, ASA inside interface 192.168.10.1 and outside interface 209.100.65.1, server 141.85.99.10)
Host .10: src 192.168.10.10:24000, dst 141.85.99.10:80 is translated to src 209.100.65.1:24000, dst 141.85.99.10:80
Host .20: src 192.168.10.20:24000, dst 141.85.99.10:80 is translated to src 209.100.65.1:30000, dst 141.85.99.10:80 (port 24000 is already in use on the public address, so PAT picks another one)
• For connection-oriented protocols, the FW erases the translation entry from RAM once the connection is terminated (FIN)
• For connectionless protocols, each communication has a timeout
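The two choices for the translated address, as ASA object NAT configuration. This is an added example, not from the slides; it assumes ASA 8.3 or later syntax, interfaces named inside and outside, the inside network 192.168.10.0/24 from the figure, and a spare public address 209.100.65.10 (a constructed value, not one the slides assign to anything here). Object names are made up.

```cisco
! Option 1: PAT behind the address of the outgoing interface
! (209.100.65.1 in the figure). Every (IP_intern, port_intern) pair gets a
! (209.100.65.1, port_extern) entry; the internal port is reused when it is
! still free on the mapped address, otherwise a different one is picked
! (the 24000 -> 30000 case for host .20 in the figure).
object network inside-net
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Option 2: PAT behind a public address that is not assigned to any
! interface. The mapped object is a single host, which is what makes this
! a PAT rule rather than 1-to-1 dynamic NAT. An object network holds only
! one nat statement, so the rule above is removed before adding this one.
object network pat-address
 host 209.100.65.10
object network inside-net
 no nat (inside,outside) dynamic interface
 nat (inside,outside) dynamic pat-address
!
! The translation entries live in RAM and age out; these are the default
! idle timers (xlate, TCP conn, UDP) behind the "timeout" remark above.
timeout xlate 3:00:00
timeout conn 1:00:00 udp 0:02:00
!
! Checks: show xlate        (one entry per translated pair)
!         show nat detail   (hit counters per rule)
```

When 209.100.65.10 sits in the outside interface subnet the ASA answers ARP for it on behalf of the mapped address; if it does not, the upstream router needs a route for it pointing at the ASA, or return traffic never arrives.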

• Be careful, connections and translations are two different concepts for a firewall
• Scenario: a user downloads a web page, transmits an IM and downloads his email with an email client
• How many connections does the firewall have in memory?
 A minimum of 3 (can depend on the way the protocols work)
• How many layer 3 NAT translations does the firewall have in memory?
 1

Advanced Firewall
Configuration
The insides of Application Inspection

• Why do we need application inspection?
(1) Scenarios in which applications run over non-standard ports
• By default, all firewalls identify applications using their standardly assigned port
• Ex: if HTTP works over port 8080, all firewalls are going to implicitly drop the HTTP packets
(figure: inside host 192.168.10.10, ASA inside interface 192.168.10.1 and outside interface 209.100.65.1, server 141.85.99.10 running HTTP on port 8080)
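Pointing the inspection engine at a non-standard port, as an added example that is not from the slides. It assumes the default global policy named global_policy that ships on the ASA, and a server that speaks HTTP on TCP/8080 as in the figure; the class-map name is made up.

```cisco
! Port 8080 is not in default-inspection-traffic, so the http engine never
! sees this flow and the ASA handles it as generic TCP. Classify it
! explicitly with one of the match criteria (match port here).
class-map http-8080
 match port tcp eq 8080
!
! Attach the inspect action to that class in the default global policy
! (a global policy matches traffic on ingress on every interface).
policy-map global_policy
 class http-8080
  inspect http
!
! global_policy is already applied globally on a factory configuration;
! the line is included so the example is complete on a box where it is not.
service-policy global_policy global
!
! Check: show service-policy inspect http   (per-class packet counters)
```

The same pattern (class-map with match port, inspect action in the policy) is what the later slides on MPF build up step by step; the only difference from the default is the port the class-map names.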

• Why do we need application inspection?
(2) Applications that need to open dynamic ports in order to work
The dynamically opened ports are negotiated by the application, usually
on the control communication channel
Examples: Active FTP, multimedia streaming, VoIP

• Case study:
Active FTP vs. Passive FTP

(figure: active FTP. Client ports: N+1 (Data) and N (Cmd). Server ports: 21 (Cmd) and 20 (Data). Arrows 1, 2, 3 mark the steps below)

1. The client initiates a connection to port 21 on the server using a random source port N > 1023.
2. The server responds with an ACK from its port 21 to port N of the client.
3. The client sends the command “PORT N+1” over the control channel and opens port N+1 for receiving. By this, the client is telling the server the port it wants to use for data transfer.
4. The server tries to open (initiate) a connection from its port 20 (default data port) to port N+1 on the client.
5. The firewall blocks the connection at step 4, because it does not have a state object for it in RAM memory.

(figure: passive FTP. Client ports: N+1 (Data) and N (Cmd). Server ports: 21 (Cmd) and X (Data). Arrows 1, 2, 3 mark the steps below)

1. The client initiates a connection to port 21 of the server from a random source port N > 1023. The client opens port N+1 for data transfer.
2. The server sends an ACK from its port 21 to port N on the client.
3. The client sends the PASV command to the server.
4. The server opens a random port X > 1024 for data transfer and sends the command “Port X” to the client.
5. The client initiates the data connection from its port N+1 to port X on the server.

• Conclusions:
 Active FTP does not work by default if the client is behind a Firewall
 Because of the stateful inspection
 Because of NAT
 Passive FTP should always work
 At least if the FTP server lies in a DMZ type of area and access is granted from
the outside

• Why do we want to use Active FTP?
Because it opens fewer sockets on the server:
http://www.faqs.org/rfcs/rfc1579.html
• With Application Inspection:
The Firewall can read commands sent on the Control Channel of FTP
When the Firewall sees the “Port N+1” command, it opens port N+1 for
data transfer between the 2 IP addresses(client and server)
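FTP application inspection on the ASA, written out as an added example (not from the slides). It assumes the default inspection_default class and global_policy that ship on the ASA; the layer 7 inspection policy-map name and the filtered commands are made up for illustration.

```cisco
! The layer 3/4 class inspection_default already matches ftp on tcp/21,
! so the inspect action goes into that class of the default global policy.
!
! Layer 7 inspection policy-map: what the engine does once it reads the
! control channel. "strict" makes the ASA enforce the command/reply
! sequence and open the data pinhole only for the port announced in
! PORT / PASV (the "Port N+1" case from the slide); when NAT is in the
! path the embedded address is rewritten from the xlate table as well.
! The request-command filter is a constructed example: uploads
! (put / stou / appe) are reset and logged, everything else passes.
policy-map type inspect ftp ftp-control
 parameters
  mask-banner
  mask-syst-reply
 match request-command put stou appe
  reset log
!
policy-map global_policy
 class inspection_default
  inspect ftp strict ftp-control
!
! Checks: show service-policy inspect ftp  (pinholes and drops per class)
!         show conn                        (the data-channel connection
!                                           appears only after PORT/PASV
!                                           was seen on the control channel)
```

With this in place active FTP works for an inside client: the ASA sees the PORT command, pre-creates the state for the server-to-client connection to port N+1, and drops the data connection again when the transfer ends. mask-banner and mask-syst-reply hide the server version strings from the client side of the control channel.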

• Why do we need application inspection?
 (3) Applications that embed the IP address in the control channel messaging and, thus, conflict with NAT
 As a result, the IP address in the layer 3 header will not be the same as the one embedded at layer 7
 The application tries to open sockets to the private IP address and cannot succeed
• Application Inspection to the rescue!
The Firewall inspects the IP address in the control channel and rewrites it with the one in the xlate table

• What is MPF?
A set of structures and commands in ASA OS
A way of making logical connections between the various theoretical
concepts and their practical implementations

• What does MPF offer?
The possibility to control and configure the features below, using the
same commands and OS structures:
Application Inspection
IPS (AIP-SSM)
Anti {virus | spam | spyware} (CSC –SSM)
Setting connection limits
Traffic policing

• MPF is defined through 3 basic structures
Class-map
 Used to identify traffic flows using different strategies
 We have generic class-maps that identify traffic at layer 3 and 4 and
inspection class-maps that can identify traffic at layer 7
Policy-map
 Used to associate one or more actions to packets identified by the class-map
 We have generic policy-maps that apply standard actions (inspect, police, set
connection etc) and inspection policy-maps that can specifically control
application layer information
Service-policy (command)
 Used to apply a policy at a global or interface level

(figure: an MPF example with three traffic classes: Internet, SE (System Engineers), IP telephony)

Class-map          Policy-map      Service-policy
Internet           Inspect         Outside
SE                 Police
IP telephony       Prioritize

• Defining a class-map (L3/L4)

ciscoasa(config)# class-map identify_by_L3_or_L4
ciscoasa(config-cmap)# ?

MPF class-map configuration commands:
description Specify class-map description
exit Exit from MPF class-map configuration mode
help Help for MPF class-map configuration commands
match Configure classification criteria
no Negate or set default values of a command
rename Rename this class-map

• The match command is used to identify traffic

• What criteria can the match command use to identify traffic?
access-list: uses an ACL for classification
any
dscp: matches the ToS field using the IETF DSCP standard
precedence: matches the ToS field using the IP Precedence standard
tunnel-group: matches traffic going into a tunnel. This can only be used
for QoS purposes.
flow ip destination-address: used for identifying a destination IP
inside a tunnel-group. Can only be used together with tunnel-group
port: identifies a UDP or TCP port
default-inspection-traffic: matches a series of protocols that work
over their standard, well-known ports

• A class-map supports a single match command
 the exception lies in the tunnel-group and the default-inspection-traffic
that let the admin specify another match statement
 when we have 2 match commands, the firewall applies a logical AND
between them

• By default, the class map inspection_default is activated

ciscoasa# sh run
....
class-map inspection_default
match default-inspection-traffic
....

• What does default-inspection-traffic contain?

ciscoasa(config-cmap)# match ?

mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 radius-acct---udp--1646
rpc-------udp--111 rsh-------tcp--514
rtsp------tcp--554 sip-------tcp--5060
sip-------udp--5060 skinny----tcp--2000
smtp------tcp--25 sqlnet----tcp--1521
tftp------udp--69 waas------tcp--1-65535

• The policy-map determines the action the Firewall will take on
inspection
• Step 1: we give the policy-map a name
• Step 2: we make an association with a class-map
• Step 3: we specify the action

ciscoasa(config)# policy-map test_policy
ciscoasa(config-pmap)# class major_protocols
ciscoasa(config-pmap-c)# inspect ftp
ciscoasa(config-pmap-c)# inspect icmp

• One policy-map can have multiple actions and of different categories

ciscoasa(config-pmap-c)# ?

MPF policy-map class configuration commands:
csc Content Security and Control service module
exit Exit from MPF class action configuration mode
flow-export Configure filters for NetFlow events
help Help for MPF policy-map class/match submode commands
inspect Protocol inspection services
ips Intrusion prevention services
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping

ciscoasa# sh run
..........
!
class-map example
 match port tcp eq www
!
policy-map http_policy
 class example
  inspect http
  police input 1000000
  set connection conn-max 1000 per-client-embryonic-max 50
!
..........

• A policy can be applied globally, or at an interface level

• The globally applied policy applies to all the traffic entering the ASA, on
any interface, but only the ingress direction
• The interface-level applied policy applies to all the traffic on the interface,
ingress and egress

# applied on the interface
ciscoasa(config)# service-policy inspect_http interface inside
# applied globally
ciscoasa(config)# service-policy inspect_http global

• If the policy-map’s actions are different, the packets can match multiple
times inside a policy-map, as long as the class-maps identify the traffic

class-map example
 match port tcp eq www
policy-map http_policy
 class example
  police input 1000000
  set connection conn-max 1000 per-client-embryonic-max 50
 class inspection_default
  inspect http

• If the action is the same, the packets only match one class-map

Virtual Private Networks
A look at types of VPNs supported on the ASA

• A solution to create an end-to-end private connection over an
unsafe, open network like the Internet
• There are leased solutions that achieve the same end result:
leased lines
• What’s the difference between having a leased line and a VPN?
 The cost

• Relative to the ISP:
Overlay
Point-to-point
(figure: client sites connected across the ISP network)
• The overlay model makes the ISP network invisible to the client
• The ISP routers do not get to know the client networks
• Types of overlay VPNs: L2TP, PPTP, IPSec

• In this model, the ISP participates in the routing decision
• The routing adjacency is done between the ISP and the client
(figure: client sites peering with the ISP network)
• Overlay VPN models were dominating 90% of the market before the
popularity of MPLS
• Still, MPLS does not provide any confidentiality or authentication
scheme

• Relative to the topology:
Site-to-Site
Remote-access
(figure: a headquarters site linked to two remote offices)
• A Site-to-Site VPN ties together many fixed locations over the Internet
• Configurations only have to be made on the firewalls/routers
• There is no need to have a VPN client on the laptop/computer

• Most VPN technologies are based on tunneling
• Tunneling means an extra header is added at the layer where the tunnel is
built
 Example: IPIP tunnel
 Used when the end-to-end source or destination network is not known
in the routing table of an intermediate router

Tunnel IP header | Original IP header | Layer 4 header | Data

 The original, end-to-end header is hidden from all the routers
that are traversed between the tunnel endpoints

• IPSec is a security protocol framework

• IPSec: Confidentiality
(figure: encryption algorithms labelled with key lengths of 56 bits, 168 bits and 256 bits, plus a 160-bit entry and a DH7 label)

• IPSec: Integrity
(figure: hashing algorithms labelled with key lengths of 128 bits and 160 bits, plus a DH7 label)

• IPSec: authentication with non-repudiation
(figure: authentication methods; only a DH7 label survives)
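A site-to-site IPSec VPN on the ASA, tying the topology slide (Site-to-Site) to the three IPSec slides above (confidentiality, integrity, authentication). This is an added example, not from the slides; it assumes ASA 8.4 or later syntax (the ikev1 keywords), interfaces named inside and outside, the local LAN 192.168.10.0/24 from the earlier figures, and a constructed remote LAN 10.20.0.0/24 behind a constructed peer address 198.51.100.2. Object, ACL, map and transform-set names are made up, and the pre-shared key is a placeholder.

```cisco
! Phase 1 (IKEv1): protected negotiation channel and peer authentication.
! aes-256 / sha / group 5 pick the algorithms; the slides' key lengths
! (256-bit AES, 160-bit SHA-1) show up here.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Interesting traffic: which flows are sent through the tunnel.
object network local-lan
 subnet 192.168.10.0 255.255.255.0
object network remote-lan
 subnet 10.20.0.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip object local-lan object remote-lan
!
! NAT exemption: tunnelled traffic must keep its private addresses.
! Twice NAT (section 1) is evaluated before the object NAT PAT rules,
! so this identity rule wins for LAN-to-LAN packets.
nat (inside,outside) source static local-lan local-lan destination static remote-lan remote-lan no-proxy-arp
!
! Phase 2 (IPsec): ESP with AES-256 for confidentiality and SHA-1 HMAC
! for integrity, bound to the peer and the interesting traffic.
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Peer authentication with a pre-shared key (placeholder value).
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! Checks: show crypto ikev1 sa   (phase 1 state per peer)
!         show crypto ipsec sa   (phase 2 SAs with encaps/decaps counters)
```

The remote end needs the mirror image: its local network is 10.20.0.0/24, its peer is this ASA's outside address, and policy, transform-set and key must match exactly. Nothing is configured on end hosts, which is the point the Site-to-Site slide makes.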

• Telecommuting is increasing more and more as an option for
working
 The risk of passing company information over the Internet is very high
• Remote access VPN: IPSec or SSL
(figure: a teleworker at a remote office connecting to the company over IPSec or SSL)

                        IPSec                                  SSL
Applications            Any IP-based app                       Web, e-mail, file sharing in native mode (clientless)
Encryption power        Very strong – key lengths              Moderate – key lengths
                        from 56 to 256 bits                    from 40 to 128 bits
Authentication          Strong – two-way authentication        Moderate – one-way or two-way authentication
Ease of use             Moderate – can be challenging          Very easy
                        for a non-technical user
Options for connecting  A preconfigured client is necessary    No client is needed, only a working browser

 As remote access solutions, the 2 options do not exclude each other
 IPSec = security
 SSL = mobility, flexibility
• The SSL VPN architecture will presume:
A SSL VPN server at the company headquarters
The SSL VPN client installed on the teleworker’s laptop
• The SSL VPN client has 3 operating modes:
Clientless
Thin client
Full client
(figure: remote office)

• For both the clientless and the thin client modes, the browser is the client
• Clientless does not allow anything else except HTTP and HTTPS
 The user authenticates on the SSL portal to get access to internal company web resources
• Thin client
 In this mode, the user downloads Java applets from the portal
 The applets behave like TCP proxies for applications
 The user connects to several applications through the TCP proxy (POP3, SMTP, IMAP, Telnet, SSH, CIFS)
 The applet makes an HTTP connection to the SSL server that carries the addressing information in the payload to reach another service
 The SSL server makes the connection to the end service inside the company network

• The full client can usually be downloaded from the SSL portal
after the user authenticates
• Depending on the vendor, the client could install seamlessly or
manually, with user intervention

• Setting up the SSL session (figure, 5 steps):
1. The user makes a TCP connection to port 443
2. The firewall responds with a public key signed with a certificate
3. The client software generates a secret key
4. The client transmits the secret key, encrypted with the public key
5. Bulk encryption is done using the secret key

• Technical demo topology (figure): R1 Fa0/1 <-> ASA Fa0/0, ASA Fa0/2 <-> R2 Fa0/1; one ASA interface is named inside, the other outside

Thank you.
