After the acquisition of Network Translation in 1995, the Cisco Secure PIX Firewall went through many changes. Over time, both the PIX hardware and its operating system changed. One of the biggest changes came with the release of 7.0 code. The new 7.0 operating system was released alongside a new firewall appliance, the Adaptive Security Appliance (ASA).
With a PIX Firewall running 6.x code, a small set of commands established a baseline secure firewall configuration. They were known as the six basic commands.
- NAMEIF
- INTERFACE
- IP ADDRESS
- GLOBAL
- NAT
- ROUTE
A similar set of basic commands establishes the same baseline with 7.0 and newer versions of the operating system. The configuration of these commands is the same on both the PIX and the ASA.
As pointed out previously (while it is sometimes difficult to label users as “trusted” or “untrusted”), there is some measure of trust in any communication. For understanding the basic configuration parameters, we will assume that the internal users of your company (HQ) are trusted users and external users are untrusted. This measure of trust is what determines the security levels you assign to the interfaces of your appliance.
The command line interface may be accessed via the serial console port of the appliance. Cisco security appliances use a command line interface that is similar to the Cisco IOS. There are four modes of administrative access.
- Unprivileged Mode (also referred to as User mode) -- This mode is available when you first access the security appliance via Telnet, SSH, or the console. Only a restricted set of settings can be viewed in this mode, and the prompt displays a “>” character.
- Privileged Mode -- This mode is accessed if you issue the enable command from the unprivileged mode and provide the appropriate enable password. This mode displays a “#” prompt and provides access to all privileged and unprivileged commands.
- Configuration Mode -- This mode is accessed when you issue the configure terminal command while in privileged mode. The mode displays a “(config)#” prompt (or other appropriate subcommand prompt) and provides access to security appliance configuration commands.
- Monitor Mode -- This mode is accessed when you disrupt the security appliance’s normal flash boot sequence, and it is used primarily for troubleshooting or image updates via TFTP.
nameif
The nameif command provides a name for a specific interface. The configured name is used in all configuration commands instead of the interface type and ID (e.g., gigabitethernet0/0), and is required before traffic can pass through an interface. This command is an interface command.
- ASA# configure terminal
- ASA(config)# interface gigabitethernet 0/0
- ASA(config-if)# nameif outside
ip address
The ip address command is used to assign an IP address and mask to a specific interface. This command is an interface command.
- ASA# configure terminal
- ASA(config)# interface gigabitethernet 0/0
- ASA(config-if)# ip address 192.168.1.1 255.255.255.0
security-level
The security-level command is used to assign a security level, 0 to 100, to a specific interface. The security level assigned creates a level of trust for an interface. 0 is the least trusted security level and 100 is the most trusted. This command is an interface command.
- ASA# configure terminal
- ASA(config)# interface gigabitethernet 0/2
- ASA(config-if)# security-level 50
nat-control
nat-control establishes a requirement that packets traversing from a more trusted interface to a less trusted interface be configured with NAT to translate the inside host. By default, nat-control is disabled. Therefore, by default, if interfaces are configured with IP addresses and are not shut down (are operational), traffic is permitted when entering from a more trusted interface and exiting a less trusted interface. There will be no address translation.
- ASA# configure terminal
- ASA(config)# nat-control
nat
The nat command identifies addresses associated with traffic flow that comes inbound on one interface. Those addresses can then be mapped to an address to translate to. The nat command, when used in association with a global command as described in this paper, is used to define address translation (and permission when nat-control is enabled).
- ASA# configure terminal
- ASA(config)# nat (inside) 1 10.1.1.0 255.255.255.0
global
The global command identifies the addresses that users will be translated to: the addresses defined by nat are translated to the global addresses. The two commands are linked by sharing the same nat_id, a number between 1 and 2147483647 that maps the global statement to the nat statement in the configuration (in this example, the nat_id is the number 1).
- ASA# configure terminal
- ASA(config)# global (outside) 1 192.168.1.2-192.168.1.254
speed
The speed command defines the speed for a specific physical interface. This is an interface command, and the default is to auto negotiate the speed setting.
- ASA# configure terminal
- ASA(config)# interface gigabitethernet 0/0
- ASA(config-if)# speed 1000
duplex
The duplex command defines the duplex setting for a specific physical interface. This is an interface command, and the default is to auto negotiate the duplex setting.
- ASA# configure terminal
- ASA(config)# interface gigabitethernet 0/0
- ASA(config-if)# duplex full
no shutdown
The shutdown command is used to disable an interface. To re-enable the interface use the no shutdown command. This is an interface command.
- ASA# configure terminal
- ASA(config)# interface gigabitethernet 0/0
- ASA(config-if)# no shutdown
Based on the above information, an ASA basic configuration would look like this.
- ASA# configure terminal
- ASA(config)# interface gigabitethernet 0/0
- ASA(config-if)# nameif outside
- ASA(config-if)# ip address 192.168.1.1 255.255.255.0
- ASA(config-if)# security-level 0
- ASA(config-if)# speed 1000
- ASA(config-if)# duplex full
- ASA(config-if)# no shutdown
- ASA(config-if)# interface gigabitethernet 0/1
- ASA(config-if)# nameif inside
- ASA(config-if)# ip address 10.1.1.1 255.255.255.0
- ASA(config-if)# security-level 100
- ASA(config-if)# speed 1000
- ASA(config-if)# duplex full
- ASA(config-if)# no shutdown
- ASA(config-if)# nat-control
- ASA(config)# nat (inside) 1 10.1.1.0 255.255.255.0
- ASA(config)# global (outside) 1 192.168.1.2-192.168.1.254
After the interface is named with nameif and the IP address and security level are assigned, the interface can be reached. A device on the inside network can ping the inside interface and get a reply. With nat-control off (the default), users on the inside network can pass data through the ASA to the outside without translation. In practice, nat-control is usually enabled, as it is above. In the above scenario, users on the inside network with an IP address from 10.1.1.1 through 10.1.1.254 would be permitted to pass through the firewall and be translated to an address in the range 192.168.1.2 through 192.168.1.254. No users on any other network would be allowed to pass through the ASA at this point.
Even with nat-control disabled (the default), no users entering the outside interface would be allowed access to a device through the inside interface. This remains true after nat-control is enabled.
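As an added example (this is not code from the original post or from Cisco), the following Python script parses a configuration in the shape that show running-config prints, checks the basics covered above (nameif, ip address, security-level, interface shutdown state, nat-control, a global for every nat nat_id and vice versa, and a global pool that overlaps the interface's own address), and then evaluates the default flow policy described in the two paragraphs above. The sample configuration is constructed from the post's running example plus a third, shut-down interface. The parser assumes global commands start at column 0, interface subcommands are indented by one space, and shutdown appears only on disabled interfaces; it understands only the commands on this page.

```python
import ipaddress
import re

# Constructed sample in `show running-config` shape: global commands at column 0,
# interface subcommands indented, `shutdown` present only on disabled interfaces.
SAMPLE_CONFIG = """\
interface gigabitethernet 0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
interface gigabitethernet 0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface gigabitethernet 0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 shutdown
nat-control
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.1.2-192.168.1.254
"""


def parse_asa_config(text):
    """Collect interfaces, nat/global statements and nat-control into a dict."""
    cfg = {'interfaces': [], 'nats': [], 'globals': [], 'nat_control': False}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(' '):  # global configuration command
            cur = None
            if m := re.match(r'interface\s+(.+)$', line):
                cur = {'id': m[1], 'nameif': None, 'level': None, 'ip': None, 'shutdown': False}
                cfg['interfaces'].append(cur)
            elif line == 'nat-control':
                cfg['nat_control'] = True
            elif m := re.match(r'nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)$', line):
                cfg['nats'].append((m[1], int(m[2]), ipaddress.ip_network(f'{m[3]}/{m[4]}')))
            elif m := re.match(r'global\s+\((\S+)\)\s+(\d+)\s+(\S+)-(\S+)$', line):
                cfg['globals'].append((m[1], int(m[2]), ipaddress.ip_address(m[3]),
                                       ipaddress.ip_address(m[4])))
        elif cur is not None:  # interface subcommand
            if m := re.match(r'nameif\s+(\S+)$', line):
                cur['nameif'] = m[1]
            elif m := re.match(r'security-level\s+(\d+)$', line):
                cur['level'] = int(m[1])
            elif m := re.match(r'ip address\s+(\S+)\s+(\S+)$', line):
                cur['ip'] = ipaddress.ip_interface(f'{m[1]}/{m[2]}')
            elif line == 'shutdown':
                cur['shutdown'] = True
    return cfg


def audit(cfg):
    """Findings against the basics in the post; an empty list means complete."""
    out = []
    for i in cfg['interfaces']:
        name = i['nameif'] or i['id']
        if i['nameif'] is None:
            out.append(f"{name}: no nameif, so no traffic can pass")
        if i['ip'] is None:
            out.append(f"{name}: no ip address")
        if i['level'] is None:
            out.append(f"{name}: no security-level")
        if i['shutdown']:
            out.append(f"{name}: interface is shut down")
    if not cfg['nat_control']:
        out.append("nat-control disabled: inside hosts reach the outside untranslated")
    nat_ids = {n[1] for n in cfg['nats']}
    glob_ids = {g[1] for g in cfg['globals']}
    out += [f"nat_id {n}: nat without a matching global" for n in sorted(nat_ids - glob_ids)]
    out += [f"nat_id {n}: global without a matching nat" for n in sorted(glob_ids - nat_ids)]
    names = {i['nameif']: i for i in cfg['interfaces'] if i['nameif']}
    for ifname, nid, first, last in cfg['globals']:
        iface = names.get(ifname)  # pool must not contain the egress interface's own address
        if iface and iface['ip'] and first <= iface['ip'].ip <= last:
            out.append(f"global ({ifname}) {nid}: pool includes the interface address {iface['ip'].ip}")
    return out


def default_flow(cfg, src_if, dst_if, src_ip):
    """Is a new connection src_if -> dst_if permitted by the default policy (no access-lists)?"""
    names = {i['nameif']: i for i in cfg['interfaces'] if i['nameif']}
    src, dst, src_ip = names[src_if], names[dst_if], ipaddress.ip_address(src_ip)
    # Lower-to-higher is denied; equal levels are denied too without same-security-traffic.
    if src['level'] <= dst['level']:
        return False, f"{src_if} (level {src['level']}) to {dst_if} (level {dst['level']}) denied by default"
    # Higher-to-lower: a nat on the ingress interface covering the source plus a
    # global on the egress interface with the same nat_id gives a translated flow.
    for nat_if, nid, net in cfg['nats']:
        if nat_if == src_if and src_ip in net:
            for glob_if, gid, first, last in cfg['globals']:
                if glob_if == dst_if and gid == nid:
                    return True, f"translated to pool {first}-{last} (nat_id {nid})"
    if cfg['nat_control']:
        return False, f"nat-control: {src_ip} has no nat/global pair toward {dst_if}"
    return True, "permitted without translation (nat-control disabled)"
```

Running audit(parse_asa_config(SAMPLE_CONFIG)) reports only the shut-down dmz interface; default_flow(cfg, "inside", "outside", "10.1.1.25") returns a permitted, translated flow, while outside-to-inside and dmz-to-outside (no nat/global pair with nat-control on) are denied. Removing the nat-control line from the sample makes dmz-to-outside pass untranslated, which is the default behaviour the post warns about.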
Conclusion
The basic concept of securing your network from untrusted users is the core of your firewall appliance. This paper was designed to point you in the right direction. It is just the beginning of understanding firewalls and the configuration for the Cisco Adaptive Security Appliance.