Network Security ASA Firewall – Rich Macfarlane
Lab 8: Firewalls – ASA Firewall Device
Rich Macfarlane 2015
8.1 Details
Aim: The aim of this lab is to investigate a Cisco ASA Firewall Device, its default traffic flows, its
stateful firewalling functionality, and the creation of a DMZ network and associated
firewall rulesets.
8.2 Activities
9.2.1 Create Virtual Topology
Connect to our vSphere virtual environment at vc2003.napier.ac.uk using a vSphere Client.
Navigate to the Module folder such as VMs & Templates>Production>CSN11111/8. You will be
assigned a group folder to work with which contains the 4 VMs needed for the lab (check Moodle for
the Groups and IP Addressing for each Group). Lab VMs: Windows7 VM running GNS3, a
Windows2003 VM and 2 Linux Ubuntu VMs running network services.
Power on your Windows7-GNS3 VM, open a console window, login to the Windows7-GNS3 VM, and
run the GNS3 network simulator AS ADMINISTRATOR.
You can create a new project for Lab8, or use the preconfigured starting project, which should be in the
Projects folder. If you wish to start with that, click the Recent Projects button and select lab8_start, then
save it as a project called lab8 or suchlike (save as, before you power on devices).
The topology, shown below, mimics an organisation with an ASA firewall at its perimeter. It is
connected to the untrusted Internet via the 10.1.Y.0/24 network. The ASA will be configured to
provide security for the organisation according to the network security policy.
Starting Topology
You will be assigned networks to address the hosts and ASA gateway interfaces to – from Moodle: 192.168.X.0/24, 10.1.Y.0/24 and 192.168.Z.0/24
THE CORRECT NETWORKS MUST BE USED BY EACH STUDENT AS WE ARE SHARING VIRTUAL NETWORKS. ANNOTATE YOUR DIAGRAM/TAKE NOTE OF THE ADDRESS RANGES FOR YOUR GRP.
PLEASE ONLY USE GROUP VMs AND NETWORK IP ADDRESSES ASSIGNED TO YOUR GROUP.
PLEASE DO NOT USE YOUR OWN IP ADDRESSES OR THE LAB DEMO ADDRESSES IN THIS DOCUMENT!
(For Windows versions up to and including Windows 7, BES can be used to limit the percentage CPU
usage for applications. It can be downloaded from http://mion.faireal.net/BES/)
9.2.2 Configure the Hosts
Power on your Linux Ubuntu_205 VM and Windows2003_206 VM. Configure the 192.168.X.10 and
10.1.Y.10 network IP Addresses on the Ubuntu_205 and Windows2003_206 systems respectively,
and set the Default Gateways on the appropriate hosts to the ASA interface addresses at X.254 and
Y.254.
To configure the Linux system for IP Address and Default Gateway:
The following document has a section on setting the Windows IP and default gateway:
www.dcs.napier.ac.uk/~cs342/CSN11111/GNSAddVM.pdf
(Section: Windows-Setting Static IP Address and Default Gateway)
9.2.3 Basic ASA Configuration
Boot the ASA security device, and open a Console Window.
Using a CLI similar to a router's, the ASA uses the same command mode structure, starting in User Exec Mode with the ciscoasa> prompt. Use ? to see the available commands for the current
command mode. Even fewer commands are available in this mode than on a router:
Change from User Exec Mode to Privileged Exec command mode; the password should not be set, so
just press <RETURN>. Use the show version command to check the device setup.
Questions
Q: Which Cisco ASA security appliance is being simulated?
The Cisco PIX and ASA firewall devices are hardware devices built specifically for firewalling, unlike
the firewall software running on routers which we have encountered in previous labs. The device
being simulated in this lab is a PIX 525, a medium to large enterprise device, with up to eight 10/100
Fast Ethernet interfaces, or three Gigabit interfaces.
Display the list of commands available in Privilege mode using ?
View the PIX configuration file with the command show running-config
Questions
Q: Which version of the ASA firewall Operating System is running?
Q: Compared to a router, which extra attributes can be defined for each interface of the ASA?
9.2.4 Configure Interfaces and Security Levels
ASA security devices use an algorithm called the Adaptive Security Algorithm (ASA), which allows
traffic to flow between the interfaces depending on the security level set on the interfaces (related
to the trust levels for each attached network). The security trust level value can be set from 0 (the
lowest) to 100 (the highest). By default the inside interface (trusted network) is set to 100, and the
outside interface (untrusted Internet) is set to 0. Other networks, such as DMZs, are set to values of
1-99.
By default, the ASA allows traffic to flow from a higher security level to a lower one, and between
levels with the same value, but blocks traffic flowing from a lower level to a higher one, as shown in
the figure below.
Figure: PIX/ASA security trust levels: Trusted Internal Network (Trust Level 100), DMZ with Public Facing Servers (Trust Level 50), Untrusted Internet (Trust Level 0)
Configure the Interfaces
Certain attributes must be set on the interfaces, and then the default security behaviour can be
observed.
Set up the outside interface, which is connected to the internet, using the following commands.
ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 10.1.Y.254 255.255.255.0
Additionally configure the MAC Address on the interfaces with the following command, using the format <ca0 module code grpno 0 intno> such as the following for module csn11118 group 99:
ciscoasa(config-if)# mac-address 0001.1118.9900
ciscoasa(config-if)# no shutdown
Set up the inside interface, which is connected to the trusted internal network:
ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.X.254 255.255.255.0
ciscoasa(config-if)# mac-address 000p.pppp.qq0r
ciscoasa(config-if)# no shutdown
Set up the DMZ interface, which is connected to the DMZ network:
ciscoasa(config)# interface Ethernet2
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# ip address 192.168.Z.254 255.255.255.0
ciscoasa(config-if)# mac-address 000p.pppp.qq0r
ciscoasa(config-if)# no shutdown
Annotate your diagram/notes with the security trust levels for each interface/connected network.
Questions
Q: Why did we only set the security level on the dmz interface, and not the inside or outside
interfaces?
Review Interface configuration
Check the interfaces' security levels have been configured correctly using the show nameif
command:
Check the addressing has been set up correctly on the right interfaces, by viewing the running
configuration, and by using the show ip address command, as shown.
For detail on the interfaces' status, use the show interface ip brief command:
For detail on the interfaces, use the show interface detail command, as shown below.
Save the firewall configuration using copy run start.
9.2.5 Test Connectivity
From the firewall, ping each local interface, and each of the attached VM’s interfaces in turn to test
the interfaces are up and connectivity to the VMs:
Questions
Q: Were the pings to the firewall interfaces successful?
Q: Were the pings to the directly connected VMs successful?
If not, troubleshoot the configuration, until connectivity is achieved.
Switch on the ICMP debugging trace logging, using the following command:
ciscoasa(config)# debug icmp trace
From the two VMs, connectivity can be checked using ping from console windows.
Limit the ping packets to a maximum of 3 with -n 3 (Windows) or -c 3 (Linux), or use CTRL+C to stop the ping. DO NOT LEAVE
PINGS RUNNING AS WE ARE WORKING ON SHARED VIRTUAL NETWORKS!
The ICMP ping traffic and traceroute traffic on the ASA are handled differently from a router by default.
ICMP to an interface is replied to, but inbound ICMP through the ASA is blocked by default, as traffic is not allowed to go from an interface with a lower security level to an interface with a higher level (outside 0 to inside 100 is not allowed). Outbound ICMP is permitted (inside 100 to outside 0 is allowed), but the reply is blocked by default.
There are two options which will allow inside users to ping hosts on the outside. The first option is to set up a specific firewall rule for the echo-reply traffic, and the other is to create application inspection for ICMP.
Create an ACL rule. Note that the command is access-list, not ip access-list as on a router; the syntax is slightly different, as the ruleset name has to be entered for every rule.
ciscoasa(config)# access-list ICMP_REPLY extended permit icmp any any echo-reply
Review using the show access-list command to check it is configured correctly.
Apply the ACL to the outside interface. Note that the syntax is again slightly different from a router.
ciscoasa(config)# access-group ICMP_REPLY in interface outside
Use the show run command to check it is configured correctly.
The show run command can be used with filters to show only the config lines of interest: show run | include ICMP_REPLY
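To make the default traffic-flow behaviour of 9.2.4 and the two ICMP options of 9.2.5 concrete, the following is an added illustration written for this lab, not Cisco code or anything from the lab's own material. It is a deliberately simplified model of three rules the text describes: the security-level default (higher to lower only), an inbound access-group replacing that default on the interface it is applied to (with the implicit deny at the end of the list), and ICMP application inspection remembering outbound echo requests so only their replies are let back in. The interface names and levels (outside 0, inside 100, dmz 50), the ICMP_REPLY ACL and the host addresses follow the lab, with X/Y/Z kept as the lab's placeholders; the unsolicited reply from 10.1.Y.99 is a constructed packet, and the data structures are assumptions of the model, not the appliance's internals.

```python
"""Toy model of the ASA's interface-to-interface flow decision (added lab illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SECURITY_LEVELS = {"outside": 0, "inside": 100, "dmz": 50}   # nameif -> level, as set in 9.2.4
INSIDE_HOST, OUTSIDE_HOST, DMZ_HOST = "192.168.X.10", "10.1.Y.10", "192.168.Z.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp" or "tcp"
    icmp_type: Optional[str] = None   # "echo" / "echo-reply" when proto == "icmp"


@dataclass(frozen=True)
class Ace:
    """One ACE, e.g. 'access-list ICMP_REPLY extended permit icmp any any echo-reply'."""
    action: str                       # "permit" or "deny"
    proto: str
    src: str                          # "any" or an exact address (toy matcher, no masks)
    dst: str
    icmp_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.icmp_type is None or self.icmp_type == pkt.icmp_type))


@dataclass
class AsaModel:
    levels: Dict[str, int]
    acls: Dict[str, List[Ace]] = field(default_factory=dict)      # ACL name -> ACEs, in order
    access_groups: Dict[str, str] = field(default_factory=dict)   # nameif -> ACL applied 'in'
    inspect_icmp: bool = False                                    # models 'inspect icmp'
    conns: Set[Tuple[str, str]] = field(default_factory=set)      # tracked (src, dst) echo requests

    def access_list(self, name: str, ace: Ace) -> None:
        self.acls.setdefault(name, []).append(ace)

    def access_group(self, name: str, nameif: str) -> None:
        self.access_groups[nameif] = name

    def forward(self, in_if: str, out_if: str, pkt: Packet) -> Tuple[str, str]:
        """Decide (permit|deny, reason) for pkt arriving on in_if and leaving via out_if."""
        # 1. Stateful check: a reply to an echo request we tracked is return traffic of an
        #    existing connection, so it is allowed regardless of security level or ACL.
        if self.inspect_icmp and pkt.proto == "icmp" and pkt.icmp_type == "echo-reply":
            if (pkt.dst, pkt.src) in self.conns:
                self.conns.discard((pkt.dst, pkt.src))
                return "permit", "inspect icmp: reply matches a tracked echo request"
        acl = self.access_groups.get(in_if)
        if acl is not None:
            # 2. An inbound access-group replaces the level default on that interface;
            #    the first matching ACE wins and anything unmatched hits the implicit deny.
            for ace in self.acls.get(acl, []):
                if ace.matches(pkt):
                    decision = (ace.action, f"{acl}: matched ACE {ace.action} {ace.proto}")
                    break
            else:
                decision = ("deny", f"{acl}: implicit deny at end of access-list")
        else:
            # 3. Adaptive Security Algorithm default: higher -> lower flows; lower -> higher is
            #    blocked; equal levels are blocked unless same-security-traffic is enabled.
            src_lvl, dst_lvl = self.levels[in_if], self.levels[out_if]
            if src_lvl > dst_lvl:
                decision = ("permit", f"security level {src_lvl} -> {dst_lvl}")
            else:
                decision = ("deny", f"security level {src_lvl} -> {dst_lvl} is not higher")
        # 4. Remember permitted echo requests so step 1 can recognise their replies later.
        if decision[0] == "permit" and self.inspect_icmp and pkt.icmp_type == "echo":
            self.conns.add((pkt.src, pkt.dst))
        return decision


ECHO = Packet(INSIDE_HOST, OUTSIDE_HOST, "icmp", "echo")                 # inside VM pings outside VM
REPLY = Packet(OUTSIDE_HOST, INSIDE_HOST, "icmp", "echo-reply")          # the genuine reply
STRAY_REPLY = Packet("10.1.Y.99", INSIDE_HOST, "icmp", "echo-reply")    # constructed: unsolicited
WEB_IN = Packet(OUTSIDE_HOST, INSIDE_HOST, "tcp")                        # outside browser -> inside Apache
DMZ_PROBE = Packet(DMZ_HOST, INSIDE_HOST, "icmp", "echo")                # DMZ host probing elsewhere


def default_behaviour() -> Dict[str, str]:
    """Fresh ASA with only nameif/security-level set, as after 9.2.4."""
    asa = AsaModel(dict(SECURITY_LEVELS))
    return {
        "inside->outside echo": asa.forward("inside", "outside", ECHO)[0],
        "outside->inside echo-reply": asa.forward("outside", "inside", REPLY)[0],
        "outside->inside tcp": asa.forward("outside", "inside", WEB_IN)[0],
        "inside->dmz echo": asa.forward("inside", "dmz", ECHO)[0],
        "dmz->inside echo": asa.forward("dmz", "inside", DMZ_PROBE)[0],
        "dmz->outside echo": asa.forward("dmz", "outside", DMZ_PROBE)[0],
    }


def with_icmp_reply_acl() -> Dict[str, str]:
    """Option 1: permit echo-reply inbound on outside with the ICMP_REPLY access-list."""
    asa = AsaModel(dict(SECURITY_LEVELS))
    asa.access_list("ICMP_REPLY", Ace("permit", "icmp", "any", "any", "echo-reply"))
    asa.access_group("ICMP_REPLY", "outside")
    return {"request": asa.forward("inside", "outside", ECHO)[0],
            "reply": asa.forward("outside", "inside", REPLY)[0],
            "unsolicited reply": asa.forward("outside", "inside", STRAY_REPLY)[0]}


def with_icmp_inspection() -> Dict[str, str]:
    """Option 2: ICMP application inspection, no ACL on the outside interface."""
    asa = AsaModel(dict(SECURITY_LEVELS), inspect_icmp=True)
    return {"request": asa.forward("inside", "outside", ECHO)[0],
            "reply": asa.forward("outside", "inside", REPLY)[0],
            "unsolicited reply": asa.forward("outside", "inside", STRAY_REPLY)[0]}


if __name__ == "__main__":
    for name, fn in [("default", default_behaviour), ("ICMP_REPLY acl", with_icmp_reply_acl),
                     ("inspect icmp", with_icmp_inspection)]:
        print(name, fn())
```

Running it shows why the text offers inspection as the second option: the stateless ACL admits every echo-reply arriving on the outside interface, including one no inside host ever asked for, whereas inspection only admits a reply that matches a tracked request, so the unsolicited packet still falls through to the lower-to-higher level check and is dropped.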
Questions
Q: What filter might be used to show all access list config lines?
Check the VM’s connectivity again.
Questions
Q: Can the WINDOWS VM ping the Linux VM now?
Use the show access-list command to check the ACL passed the ICMP traffic.
The ICMP debugging trace logging can be switched off using:
ciscoasa(config)# undebug all
9.2.6 Network Services – Test the Linux VM Server
Test the Inside Linux VM Web Server from the Outside Network
From the Linux system, check the network services running, using the netstat command. Try netstat
-h to check the options for the command.
You can also filter the output using grep (or use the -l flag to list only listening sockets).
There should be an Apache server running on the Linux VM. This is on the inside network (behind
the perimeter firewall).
From the Linux VM, check the local web server is running correctly, using the web browser:
From the Outside Windows VM, use a web browser to test if the PIX firewall allows the web traffic
through to the Inside network. (Use CTRL+F5 to refresh the web page from the server, and make sure
the page is not served from the local cache).
Questions
Q: Was the Web site successfully loaded?
Q: Why is this?
9.2.7 Network Services – Test the Windows VM Server
Test the Outside Windows Web Server from the Inside Network
There should be an IIS web server running on the WINDOWS VM. This is out on the untrusted
outside network (typically the Internet).
From the Windows system, check the network services running, using the Windows version of the
netstat tool. Try netstat -h to check the options for the command.
Questions
Q: What command could be used to only list TCP connections?
You can also filter output using findstr:
From the Windows VM, check the local web server is running correctly, using the web browser: