Cisco CCIE Security 350-701- Cisco ASA Configuration Part 2

  1. ASA Security Policies – Default

Now the next thing we'll look at is the ASA's basic default security policies, which we'll verify here. So in the previous video I did the basic setup on the ASA with these configurations. So if I say show interface ip brief you can see the interface configurations, and also on the router I do have the basic IP configuration. Router one is connected on its interface to the ASA, and I do have reachability between router one and the ASA as well as from the ASA to router two. And also what I did is I configured some basic default routes to provide some kind of end-to-end reachability. So on router one, I have configured a default route pointing towards the ASA, and on router two also I have configured a default route pointing towards the ASA to provide end-to-end reachability.

Of course, on these interfaces we configured a security level of 100 here, and on the other one a security level of zero, which is something already pre-configured on the ASA. So if you try to verify on router two also, if I say show ip route static, I do have a default route pre-configured to do some kind of testing. Now by default the ASA is going to do stateful packet inspection. We discussed stateful packet inspection in our basic topics: stateful packet inspection is nothing but it allows the traffic to pass through the ASA firewall if it is permitted and ensures that the return traffic automatically comes back. But if any traffic is originating on the outside interface from the Internet, it's by default denied because of the default security levels.

Because we want to make sure that the traffic going from 100 to zero should be allowed, and in the same direction the return traffic should come back. But anything coming from zero to 100 is not allowed by default unless you write some ACLs to permit the traffic. Now stateful packet inspection is nothing but the ASA firewall is going to allow the traffic to pass through, then it is going to write that down in the session table or the state table, and when the traffic is coming back it will check whether it is part of an existing session or not, and based on that it is going to allow it back. So to do some basic testing: by default the ASA will do inspection of TCP and UDP traffic. As per my topology here, I'll try to initiate some traffic from my inside interface.

So I'll try to initiate some telnet traffic for testing purposes. You can initiate any other traffic, but generally telnet is a simple way to test it out. I should be able to telnet to router two. At the same time I'll try to initiate a telnet from router two to router one; that should not be allowed by default. So make sure that we do have reachability between the routers. So from router one, I already configured some passwords, I think. So I telnet to router two and type the password. And you can see it if I say show users; of course it asked for the password. So I'm initiating a telnet from router one to router two, and it's by default allowed. But if you go to router two and try to initiate telnet traffic to router one, by default it's not allowed, because as per the ASA, we discussed that traffic initiated from the lower security level interface, zero to 100, is not allowed by default.

So we can try initiating any of the TCP or UDP traffic; telnet is the best way to verify. Now, this is mainly because by default the ASA is going to maintain a default inspection based on some default configurations. If I say show run, you will see some default configurations here: there is a default class map which is going to match the default inspection traffic, and then the policy map, and it is applied globally on the ASA. Globally means it applies to all the interfaces. Now, by default, the ASA has some preconfigured policies, and they are configured in the form of the Modular Policy Framework, as I discussed already. This is where we can use class maps to match specific traffic. The policy map is going to tell what action you want to take, whether you want to inspect the traffic.

Inspect means allow the traffic, and when it is returning back, it should be allowed. Or you want to pass it, or you want to do some kind of rate limiting. We can do a lot of things, and then finally we apply it by using a service policy. So if you get into the ASA, by default the ASA will have a default class map which is going to match the default inspection traffic. And if I say show run policy-map, this is the default global policy we have; it's going to inspect the default traffic. This is the traffic which is by default inspected. And if you want to add any additional things, like let's say ICMP here, you can see ICMP is not by default inspected. And that's the reason if I go to my router one, let's say from router one, I'll try to initiate some ping traffic towards router two.

The ping is working. And the reason is, I think I already configured, I modified this policy, where I have added this inspect icmp option here. By default, ICMP traffic is not inspected. So let me remove that, because if you go with the default configurations, you don't see that ICMP in general. So I need to say show run policy-map, that's how we can see the policy map. So I need to get into global configuration mode and say policy-map, and I have to say global_policy, the one which is already present. Now I'm using this VNC viewer, I cannot copy-paste from here. So I need to match this and I need to remove this one. So I need to say class inspection_default, and then I say no inspect icmp. So I removed this ICMP inspection.

So let me just confirm this by getting into show run policy-map, just to confirm it's been removed. So now if I try to ping once again, the ping doesn't work. Now by default it's going to inspect the TCP and the UDP traffic. So if you want to inspect any other traffic, you can specifically mention that inside the default global policy. Now, we don't need to modify that most of the time; because of this default policy, most of the inspection works. But we can do most of the advanced things if we're using these policy maps, like we can actually do some application-specific inspection engines. We can configure some specific inspection policies or some connection limits. We can limit the number of TCP/UDP connections initiated for the matching traffic.

We can do a lot of things like adjusting the TCP parameters or limiting the management traffic, from where it should be allowed; in general, plenty of things we can do. Probably that is something you will be seeing in more detail at the CCNP level, where we'll see how we can use this Modular Policy Framework to tune some of the security policies. Now by default, these are the policies you will see pre-configured on the ASA firewalls. And based on that, by default, traffic from a higher to a lower security level is allowed and the return traffic automatically comes back.

Probably in my labs I'll be using inspections, because what I'll be doing is I'll always use the inspect icmp command, because most of the time we do testing in our labs either by generating some kind of telnet traffic or ICMP traffic. And maybe I will try to generate some TFTP traffic, but again, I need some TFTP setup for that. But in most of our labs I'll be using telnet and ICMP traffic. So probably what I'll be doing is I'm going to enable inspect icmp on my ASA in the next labs so that I can do some basic connectivity testing in general.

Let me just quickly configure this, so I can say policy-map global_policy, and then class inspection_default, and then inspect icmp. Now, once I inspect ICMP, I'll be seeing these configurations up to this point. So I should be checking if I did the correct configurations; if I miss something, then it's not going to work. The main thing is, I just mistyped these things. If you try to see here, what I did is I just mistyped this one. I think this is something that I missed out on. So I just used global-policy with a hyphen; it has to be global_policy with an underscore, that's the only mistake. But if you get into the correct global policy, then you will see the inspect icmp option here. Anyway, I'll.
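The default inspection policy and the inspect icmp change described above, written out as an added ASA CLI example (not the video's own lab output; the default policy is abridged, and the commands assume the stock class map and policy map names an ASA ships with):

```cisco
! Default Modular Policy Framework as it ships on the ASA (abridged).
! The class map matches the standard protocol/port list, the policy map
! inspects those protocols, and the service policy binds it to every interface.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
!
! Add ICMP to the existing policy so a lab ping from inside gets its replies.
! Use the existing name "global_policy" (underscore): typing "policy-map
! global-policy" with a hyphen creates a new, unapplied policy map instead,
! and the ping keeps failing.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify: the policy now lists icmp, the global service policy shows the
! icmp engine, and show conn shows the ICMP entry while a ping is running.
show run policy-map
show service-policy global
show conn
!
! Revert to the default behaviour (ICMP replies from outside are dropped again).
policy-map global_policy
 class inspection_default
  no inspect icmp
```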

  2. ASA Routing

The next thing we'll see on the ASA firewall is the basic routing configuration. Now at this point of time, I expect you to know the basic concepts of routing, so I'm not going to cover what routing is and what the different types of routing are. Most of these things you already did in the Cisco Routing and Switching track. So I expect you to know the basic routing concepts like configuring static routes or default routes. Now in this section we'll only see what the configuration changes, or the changes in the commands, are on the ASA firewall compared to the router configurations. Basically, the ASA needs to be configured with some routing protocols. Like maybe this is my head office connecting to the Internet, and you're connecting to your router and then connecting to my LAN.

And maybe this head office router also has connectivity to multiple branch offices, and a user sitting here is trying to access a Yahoo server. Now I want all the traffic between these branch offices, and a user sitting here who wants to go to the Internet, to go via our head office. Based on that, you need to make sure that this ASA firewall along with all the routers know each other's networks. Because when this router generates traffic and sends it via its default route, it reaches the head office router and the router forwards it to the ASA; the ASA does some kind of inspection and forwards it on to the Internet. When the traffic comes back, the ASA should know how to return the packet, that is, to which branch office it should go.

Which means we must be running some kind of routing on the ASA as well, along with the routers. So we can use any of the routing methods; of course, dynamic routing protocols are a much more scalable solution. Now we can do static routing in general on the ASA by using slightly different commands. These are the commands on the routers. Now on the ASA we need to say route: the command starts with route, and then we need to tell whether you are writing a static route towards the LAN or towards the Internet. So if you're writing a static route towards the LAN, then we give a name.

That is the name of the interface: we need to specify the name of the interface, inside, and then whatever the destination network is, say the 10.1 network. Let's say you assume that this is my LAN, and then the subnet mask and then the next-hop IP address. Likewise if you're writing a static route or the default route towards the other router. Now verification-wise, we use the show route command instead of show ip route, and you'll see the route displayed as static, whatever static route you wrote, and then which interface it is facing towards. And then of course you can ping from router one to the LAN interface. Now this can actually be anything, either the 1.1.1 or the 10.1.1 address; whatever it is, you should be able to ping.

So that confirms that we do have reachability. Likewise for default routes: on the ASA we must configure that any unknown traffic should be sent to the Internet. And then we say route outside, because we are routing towards our outside interface, and 0.0.0.0 0.0.0.0, or we can simply write 0 0 on the ASA instead of writing four zeros, and then the next-hop IPv4 address. Likewise the verifications are still the same. If you are using any dynamic routing protocols, there is no difference in the commands; almost the same commands we use on the routers we also use on the ASA. With RIP, verification-wise we use the show route command, and with EIGRP also we use the same commands and the same modes.

On the ASA firewall, when you compare with the routers, the verification commands are also similar. Instead of saying show ip eigrp neighbors, we use show eigrp neighbors and the show route command, and you will see the routes learned as D. With OSPF also we use the same thing. But the difference is that in OSPF we generally use a wildcard mask on the routers, if you do the configuration on the routers, but on the ASA firewall we don't use a wildcard mask; instead we use a subnet mask. And not only in OSPF: in the next classes when we discuss ACLs, OSPF and ACLs use wildcard masks on the routers, whereas here we use subnet masks, so there is a difference. The rest of the configuration is still the same. Now mostly if you are doing some kind of redistribution also, the commands are almost the same. Okay.
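The static, default and dynamic routing commands described in this section, as an added ASA CLI example (not the video's lab configuration; interface names, networks and next-hop addresses are constructed for illustration):

```cisco
! Constructed addressing: inside 10.1.1.0/24 with router one at 10.1.1.1 and
! the ASA at 10.1.1.10; outside 192.168.2.0/24 with router two at 192.168.2.2.
! A branch network 10.1.2.0/24 sits behind router one.
!
! Static route towards the LAN: route <nameif> <network> <mask> <next-hop>
route inside 10.1.2.0 255.255.255.0 10.1.1.1
!
! Default route towards the Internet; "0 0" is accepted shorthand for
! 0.0.0.0 0.0.0.0 on the ASA.
route outside 0 0 192.168.2.2
!
! Verification uses show route (not show ip route); static routes show as S.
show route
!
! Dynamic routing: the same router-mode commands as IOS, except that the
! network statement takes a subnet mask rather than a wildcard mask.
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 192.168.2.0 255.255.255.0 area 0
!
! EIGRP follows the same pattern; routes learned from it appear as D.
router eigrp 100
 network 10.1.1.0 255.255.255.0
!
show ospf neighbor
show eigrp neighbors
!
! For comparison, the equivalent lines on an IOS router (router one):
!   ip route 0.0.0.0 0.0.0.0 10.1.1.10
!   router ospf 1
!    network 10.1.1.0 0.0.0.255 area 0
```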
