Getting started with Cisco ASA

First StepsEven with people who work in networking, as soon as you say the word “firewall” a lot of people tend to stare at that far away place that only exists in their minds. I think some of this comes from the fact that “it’s not a router”. Another reason is that people just haven’t taken the time to get familiar with firewalls. The ASA is Ciscos firewall or VPN device. Though the ASA can do a lot of things, in this post I will cover the basics such as how you set it up and connect the device to the Internet.

There are a few different ASA models, however in terms on configuration they are mostly the same. The main difference is the baby ASA, or 5505 which is a quietish table top device, where you configure vlan interfaces instead of physical interfaces. For the other ASA appliances the names of the interfaces will differ, i.e fastethernet or gigabitethernet. Aside from the appliances you also have the ASA services module which you can use in a Catalyst 6500 switch, on those the interfaces are also configured differently. However overall the configuration is the same on all ASA platforms.

Default config

If you don’t have any other way of accessing the device you can reach it through the console port. Set your COM port to 9600 bauds and connect through Putty or another console application. If it’s a used device you might be prompted for a username and password, if you don’t have it you can perform a password reset. You will be presented with a prompt.

ciscoasa>

The “>” character lets you know that you have entered the asa in unpriviledged mode. This is a mode where your access is limited, if you type a question mark you will see that you only have a few commands available. You can ping other devices and have a few show commands at your disposal. ‘show curpriv’ for example lets you know that you are at priviledge level 1 which doesn’t really grant you much access.

In order to go to the priviledged mode you type enable. Press enter or type “cisco” at the password prompt, it should be blank by default.

ciscoasa> enable
Password:
ciscoasa#

Now you are in priviledged or enable mode. If you again type a question mark you will note that you have access to a lot more commands compared to the unpriviledged mode. ‘show curpriv’ shows that you are at level 15, the highest priviledge. 

In order to make changes on the ASA you have to enter the configuration mode which is done by the ‘configure terminal’ command.

ciscoasa# conf term
ciscoasa(config)#

To start with a fresh configuration you execute any of these:

write erase
config factory-default

The write erase command removes the startup configuration and once you have rebooted your ASA (with the reload command) and chosen not to save the configuration you will have a fresh config. The config factory default command does basically the same but does it in memory. I would advice against using any of these commands in a production environment if you don’t know what you are doing.

ciscoasa(config)# configure factory-default
Based on the management IP address and mask, the DHCP address
pool size is reduced to 253 from the platform limit 256

WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.

Begin to apply factory-default configuration:
Clear all configuration
WARNING: DHCPD bindings cleared on interface 'management', address pool removed
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for "management" set to 0 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 management
Executing command: dhcpd address 192.168.1.2-192.168.1.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa(config)#

Just looking at the output from the command tells you what it does. It configures the interface called “management0/0” with an ip address of 192.168.1.1/24, enables the http server and allowed ASDM access from the 192.168.1.0/24 network. The command also configures the internal dhcp server. If you are using an ASA 5505 which doesn’t have a management0/0 interface, vlan1 will be used instead but as the inside interface. The ASA 5505 default configuration also sets vlan2 to outside and configures it as a DHCP client. Also on the 5505 NAT is configured from the start so the small device can function more as a plug and play device.

I can’t really remember ever using the ‘configure factory-default’ command and use the ‘write erase’ option instead. Once the firewall has reloaded after issuing write erase you are presented with a prompt.

Pre-configure Firewall now through interactive prompts [yes]?

I usually just choose no and configure it by myself. As for starting from scratch, regardless of if you used write erase or configure factory-default your configuration won’t be empty. If you execute ‘show running-config’ you will see some default configuration such as timeout values for tcp connections. This is just the default configuration which is visible, there is even more if you run ‘show run all’.

Configuring interfaces

As stated earlier, configuring the interfaces is really the only thing that differs if you are using an ASA 5505 compared to a larger box. There are a few other differences, for instance the 5505 doesn’t support multiple context mode. A thing that the ASA 5505 has but the bigger firewalls doesn’t have is two PoE interfaces. Still configuration wise it’s the same thing. Using a clean ASA 5510 I will configure the fastethernet0/0 as my Internet facing interface and fastethernet0/1 as my inside network. From the global configuration mode I paste:

interface Ethernet0/0
 nameif OUTSIDE
 ip address dhcp setroute
 no shutdown

As this is pasted into the device you will see “INFO: Security level for “OUTSIDE” set to 0 by default.” 0 is the lowest security level. If you create an interface with the name INSIDE the security level will be 100. By default without any access-lists traffic will be permitted from a higher security level to a lower. Traffic won’t be permitted between interfaces which have the same security level, this can be changed with the ‘same-security-traffic permit inter-interface’ command. In the above example I will get my address from the ISP, depending on what kind of dhcp server they are running you might need the command ‘dhcp-client client-id interface OUTSIDE’ (which changes the DHCP discovery packets). You probably guessed it but the setroute argument lets the ASA know that you want to set the default gateway to be that of the gateway you get from the DHCP server. If you have a static ip address you need to specify the default gateway by pointing to the correct outgoing interface and next hop address such as:

route OUTSIDE 0.0.0.0 0.0.0.0 172.16.1.1

I also configure the inside interface.

interface Ethernet0/1
 nameif INSIDE
 ip address 10.10.1.1 255.255.255.0
 no shutdown

If you are instead using an ASA 5505 the above configuration would look like this.

!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/0
 switchport access vlan 1
!
interface Vlan1
 nameif INSIDE
 security-level 0
 ip address 10.10.1.1 255.255.255.0
!   
interface Vlan2
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
!

When viewing the configuration above ‘switch port access vlan 1’ wouldn’t actually be shown under the Ethernet0/0 interface as VLAN1 is the default vlan.

Setting up Network Address Translation

The first thing to be said about NAT in the ASA is that it worked completely different in version 8.2 and below. This example shows you how to configure NAT in 8.3 and above.

In modern versions of ASA you can setup NAT in two ways, object NAT and twice NAT. The below example is object NAT.

object network EVERYTHING
 subnet 0.0.0.0 0.0.0.0
object network EVERYTHING
 nat (INSIDE,OUTSIDE) dynamic interface

So first we have an object called EVERYTHING which contain all IPv4 addresses. Basically this means that the firewall would translate any address from the INSIDE network going to the OUTSIDE network, in our case the Internet. The interface parameter in the NAT statement tells the ASA to translate everything to the ip address assigned to the OUTSIDE interface. Though this is enough to get you started there’s a lot of other ways you can configure NAT in ASA.

DHCP Services

If you’re just running a small network the DHCP server which comes with the ASA might be enough for you. I use it in a few of the VLANs in my home network. However it’s quite limited and you might miss some options you would require from another DHCP server.

You can configure DHCP options globally or at the interface level.

dhcpd domain networklore.com
dhcpd domain guests.networklore.com interface GUEST

The above would set networklore.com as the default domain on all interfaces (which have a DHCP server enabled) but instead give the domain guests.networklore.com to DHCP clients on the GUEST interface.

dhcpd dns 8.8.4.4 8.8.8.8 interface INSIDE
dhcpd address 10.10.1.100 10.10.1.150 interface INSIDE
dhcpd enable INSIDE

The ASA also has support to be a DHCP relay agent.

Connecting the ASA to the Internet

At this point you can connect the ASA to the Internet. As described above, by default traffic going from an interface with higher security-level to lower security-level will be allowed. Traffic going from a higher to lower security level will not be allowed. So all traffic from the INSIDE interface will be allowed to pass through the firewall, but traffic from the Internet will not be allowed to the INSIDE network. If we want to restrict this access we can apply an access-list to the INSIDE interface and bypass the default behaviour of allowing all traffic.

access-list INSIDE_IN remark — Traffic going from INSIDE to OUTSIDE
access-list INSIDE_IN permit icmp 10.10.1.0 255.255.255.0 any echo
access-list INSIDE_IN permit udp 10.10.1.0 255.255.255.0 any eq 53
access-list INSIDE_IN permit tcp 10.10.1.0 255.255.255.0 any eq 53
access-list INSIDE_IN permit tcp 10.10.1.0 255.255.255.0 any eq 80
access-group INSIDE_IN in interface INSIDE

The above access-list would allow clients on the INSIDE network to connect to the Internet and use DNS, HTTP and Ping. In this example actual ip addresses and ports are used, you can also use object-groups to build more scalable rules. Once you start testing you notice that clients can surf the web. However they are unable to ping external devices.

p-mbpro-3:~ patrick$ ping -c 4 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
p-mbpro-3:~ patrick$

Is Google down? Of course they could be. Actually when I met a new customer for the first time to replace their old firewall with an ASA nothing worked and I told the guy. “Your ISP is having a problem”, it had worked 10 minutes ago. I think he thought I incompetent until he actually called his ISP and they confirmed they had a problem. So you should never assume that something else is working. However in this case we can actually ping Google from the firewall itself.

ciscoasa# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
ciscoasa#

So what is happening, why are we unable to ping through the ASA? In fact, why is HTTP and DNS working, wasn’t the ASA supposed to block all traffic coming from the Internet? (Higher to lower security level)

Modular Policy Framework

How is the return traffic allowed? The ASA is a stateful firewall and keeps a connection table for all of the connection which flow through the device. You can see the connections by issuing the ‘show conn’ command. You might be asking yourself about the connections for UDP packets. Since UDP is a stateless protocol, how could the ASA keep track of those connections and allow UDP back through the firewall? For some protocols such as DNS the firewall knows that when we send out a DNS query we expect a DNS reply and can therefore open up a temporary hole for the return traffic. For unknown UDP traffic the ASA uses its default timeout values. The default timeout for UDP traffic this is set to 2 minutes, so if you send a UDP packet from the inside out, the ASA will open up a hole in the firewall for that return traffic and will keep the hole open unless the connection has been idle for two minutes. However inspection for icmp traffic isn’t enabled by default. So while the icmp echo packets are allowed from the inside to outside interface, the returning echo reply packets are being blocked. You can actually see this happening if you check the logs. One way to enable the icmp echo reply packets would be to just create an access-list and bind it to the OUTSIDE interface. However this would allow the packets even when they aren’t needed. They only need to be allowed when you’ve actually sent out an echo request from the inside first. The better way would be to add icmp to the list of inspected protocols.

Though it might depend on which version of the ASA software you are using, the inspection rules will look something like this.

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect dns
  inspect xdmcp
!
service-policy global_policy global

This is configuration from what is called the Modular Policy Framework, it’s built around the same logic as with Quality of Service in Cisco IOS. First we have a class-map which matches against “default-inspection-traffic”. If you create a class-map and type “match ?”, you can see what’s actually included in the default inspection traffic.

ciscoasa(config-cmap)# match ?                          

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748      dns-------udp--53       
                              ftp-------tcp--21        gtp-------udp--2123,3386
                              h323-h225-tcp--1720      h323-ras--udp--1718-1719
                              http------tcp--80        icmp------icmp          
                              ils-------tcp--389       ip-options-----rsvp     
                              mgcp------udp--2427,2727 netbios---udp--137-138  
                              radius-acct----udp--1646 rpc-------udp--111      
                              rsh-------tcp--514       rtsp------tcp--554      
                              sip-------tcp--5060      sip-------udp--5060     
                              skinny----tcp--2000      smtp------tcp--25       
                              sqlnet----tcp--1521      tftp------udp--69       
                              waas------tcp--1-65535   xdmcp-----udp--177      
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group
ciscoasa(config-cmap)#

The class-map inspection_default is then mapped in the policy-map global_policy and a number of protocols are enabled by default for inspection. To enable the actual policy the “service-policy global_policy global” command is used. This enables the policy named global_policy globally. If you wanted a specific policy for one interface you would enable that policy-map like this:

service-policy OUTSIDE-POLICY interface OUTSIDE

There are a lot of options we can configure with the modular policy framework. For now if we just want to allow the icmp return traffic we can enable inspection of icmp by adding the protocol under the default class-map in the default policy-map.

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

 Basic settings

Setting hostname and domain for the device.

hostname NL-ASA-01
domain-name networklore.com

Configure logging, the buffered setting it for what syslog level which will be stored in the local buffer and will be shown when you issue the command “show log”. The logging trap is for what level of messages will be sent to your syslog server.

logging enable
logging buffer-size 8196
logging buffered warnings
logging trap informational
logging host INSIDE 10.10.1.12

Allow a server to poll the ASA with SNMP queries.

snmp-server host INSIDE 10.10.1.32 community public version 2c

Setup time syncronization with NTP.

ntp server 10.10.1.34

Configuring management access to the ASA device

Device administration is done through SSH for CLI access and HTTPS for GUI access with ASDM or another tool.

The first thing you need to do is to create a crypto key, this can be done once you have set the hostname and default domain as per above. From the global config mode you issue:

crypto key generate rsa modulus 2048

With the ssh and http commands you define which hosts can manage the device and what interface they have to come from.

ssh 10.10.1.0 255.255.255.0 INSIDE
http 10.10.1.0 255.255.255.0 INSIDE

Set ssh to use version 2 and enable secure copy so you can transfer files to the device with scp.

ssh scopy enable
ssh version 2

Even if you end up using Tacacs you should define a local user and use the local database as a fallback method. If you don’t you will be unable to login to any of your devices if there is a problem reaching the server.

username admin password S3cret123 privilege 15

Although you can configure the device to use Tacacs or Radius for user authentication, in this guide we’ll just use the local database. In this case we give the admin user privilege level 15 which is the highest and the user will have access to all commands. If more people than yourself will access the device you should setup command authorization with Cisco ACS. That way you could allow specific commands to your helpdesk users. Or if your using RANCID you can set it up so that the rancid user can only run specific commands to show information but not change the configuration.

aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL

ASDM access will default to using the local database. But you can also set it.

aaa authentication http console LOCAL

Locally you can also set the enable password using the enable command.

enable password s3cretp@ssword

Saving your configuration and backups

Changes to the configuration is only kept in memory and if you reload your device without saving all the changes will be lost. There are two ways to save the configuration which accomplishes the same thing. They are run from exec mode.

write memory
copy running-config startup-config

This will store the configuration on the local flash and preserve it over reloads. However it’s not a backup. You should also keep a backup outside of the device so that you can recover from a crash. There is a “write net” command which can copy the running configuration to a tftp or ftp server. However then it is sent unencrypted over the network, if you haven’t setup an ipsec tunnel to the server. A better way would be to copy the configuration using ssh.

show running-config
more system:running-config

While the show command will give you the current configuration it masks some passwords. So if you’ve setup VPN on your ASA the pre-shared keys for VPN won’t be included in your backup. To keep a backup you need to use the “more system command”.

Another thing to note is that even the more system will only show the actual configuration. While it will cover everything which we’ve gone through in this guide, it won’t backup everything. Things like AnyConnect profiles, private keys (for ssh and digital certificates) are stored elsewhere. You can also perform backups using ASDM.

Other features on the Cisco ASA

This post is about getting familiar with the ASA devices. Mostly we’ve just briefly touched on the basic settings. Aside from going in deeper with the features already mentioned there are a lot of other things the ASA can to.

The ASA supports a number of different VPN setups. Traditional site to site ipsec vpn and remote access ipsec vpn. Also SSL VPN with the AnyConnect client, or clientless ssl vpn (which is a licensed feature). The device even has support for a small CA server which can provision digital certificates to your clients if you want to use certificate based authentication. The ASA doesn’t support GRE based VPN such as DMVPN, also it doesn’t support GETVPN.

The ASA also supports failover, which allowes you to minimize downtime. If you use failover you won’t be able to use the internal PKI server, however if you need failover you might be big enough anyway to want another CA server.

With transparent mode you use the firewall in layer 2 mode. So you can place the ASA within a VLAN and protect one part of the VLAN from the other. I’ve only used it when a payment service provider wanted to block specific addresses from Brazil from accessing their VPN gateways. The VPN devices weren’t able to restrict traffic themselves and the router in front of the devices would be to slow. They were unable to change their routing infrastructure, so we installed a Cisco ASA in transparent mode between their VPN gateways and their router and were able to block the undesired traffic.

If you have overlapping ip addresses in your environment, or perhaps you are a hosting provider and want to separate your customers with virtual firewalls you can use multiple mode. While multiple mode doesn’t support all the features of the ASA it does enable you to create virtual firewalls with different rulesets and administration. Depending on which version you are running you might not have support for dynamic routing in the ASA when using multiple mode.

Aside from the basic ASA firewall it can be expanded with different addons. Previously we had the old IPS module and a CSC (Content Security and Controle) module. If you want to live a rich and happy life, avoid the CSC module like the plauge. Cisco is now phasing out the ASA-CX (Context Aware Security) concept. With Ciscos purchase of Sourcefire the current technology to use with the ASA is FirePOWER.

Conclusion

This has just been a brief quickstart guide, to give you an introduction to the ASA firewall family. I hope you feel a bit more comfortable with the device after reading through this post.

If you think I should cover additional topics about the ASA, please let me know.