
CCIE-LAB-ASA

1) To see the ASA as a hop during traceroute you need:

policy-map global_policy
class class-default
set connection ttl-decrement

2) interface: port-channel & redundant

a) port-channel - active/active mode (a port-channel on the switch is required)

b) redundant - active/passive mode (default settings on the switch are enough, because only one port is active at a time)

3) traceroute

linux/cisco version:
 
a) router sends a udp packet to port 33434 -> sent to the destination with ttl 1 (3 probes)
b) icmp time-exceeded <- returned by the first hop because the ttl reached 0
c) udp to port 33437 -> sent with the ttl incremented by 1 (ttl=2)
d) and so on until it reaches the destination
e) destination sends icmp port-unreachable <- nothing listens on that udp port

windows version:
 
a) icmp echo request ->
b) icmp time exceeded  <-
c) and so on
d) icmp echo reply
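A small simulation, added here and not part of the original notes, that ties points 1 and 3 together: a Linux-style UDP traceroute crossing a path with an ASA. Routers always decrement the TTL, while the ASA only does so when `set connection ttl-decrement` is configured, which is why it is otherwise invisible to traceroute. The four-hop path (R1, ASA, R2, DST) is constructed for the example.

```python
# Added example (not from the original notes): simulated UDP traceroute
# across R1 -> ASA -> R2 -> DST. Only hops that decrement the TTL can
# ever answer with ICMP time-exceeded, so an ASA without
# "set connection ttl-decrement" never shows up in the output.
from dataclasses import dataclass

BASE_PORT = 33434      # first UDP destination port used by traceroute
PROBES_PER_HOP = 3     # probes sent per TTL value, dst port +1 each


@dataclass
class Hop:
    name: str
    is_asa: bool = False
    ttl_decrement: bool = False   # ASA "set connection ttl-decrement"

    def decrements_ttl(self) -> bool:
        return (not self.is_asa) or self.ttl_decrement


def first_probe_port(ttl: int) -> int:
    """UDP port of the first probe sent with a given TTL (33434, 33437, ...)."""
    return BASE_PORT + (ttl - 1) * PROBES_PER_HOP


def probe(path, ttl):
    """Forward one UDP probe along the path; return (responder, icmp_type)."""
    for hop in path[:-1]:            # every hop except the destination host
        if hop.decrements_ttl():
            ttl -= 1
            if ttl == 0:             # TTL expired here -> ICMP time-exceeded
                return hop.name, "time-exceeded"
    # Reached the destination: nothing listens on the high UDP port.
    return path[-1].name, "port-unreachable"


def traceroute(path, max_ttl=30):
    """Return [(ttl, first_probe_port, responder), ...], destination last."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        for _ in range(PROBES_PER_HOP):          # 3 probes per TTL value
            responder, kind = probe(path, ttl)
        hops.append((ttl, first_probe_port(ttl), responder))
        if kind == "port-unreachable":           # destination answered
            break
    return hops


def demo(ttl_decrement: bool):
    # Constructed topology: R1 -> ASA -> R2 -> destination host.
    path = [Hop("R1"), Hop("ASA", is_asa=True, ttl_decrement=ttl_decrement),
            Hop("R2"), Hop("DST")]
    return traceroute(path)
```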

4) global access-list

Starting with code 8.3(1), you can also apply one IPv4 and one IPv6 ACL globally, configured with the command access-group global; the global access-list is always interpreted as an inbound ACL. When the global ACL is applied, the implicit deny ip any any rule is removed from any ACL applied inbound on any interfaces, so that the global ACL is inspected. Assuming all ACLs are configured, and assuming a packet enters the inside interface and exits the outside interface, the rules are:

-Traffic is matched against the inbound ACL applied on the inside interface. If there is a match, the action is taken; if not, it will match on the default deny ip any any unless global ACL is configured.

-Traffic is matched against the global ACL. If there is a match, the action is taken; if not, it will match on the default deny ip any any rule.

-Traffic is matched against the outbound ACL applied on the outside interface. If there is a match, the action is taken; if not, it will match on the default deny ip any any rule.
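The three-stage lookup described above, as an added example that is not part of the original notes: a Python model of the order in which the inbound interface ACL, the global ACL and the outbound interface ACL are consulted for a packet entering inside and leaving outside, including the removal of the implicit deny from the inbound interface ACL once a global ACL exists. The ACLs and the packets are constructed for the example.

```python
# Added example (not from the original notes): ASA 8.3(1)+ ACL lookup order
# for a packet crossing inside -> outside. All three ACLs are assumed to be
# configured, as in the notes; only the global ACL is optional here.
import ipaddress


def ace(action, proto, src, dst, dport=None):
    """One access-control entry; src/dst are CIDR strings or 'any'."""
    def net(s):
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)
    return {"action": action, "proto": proto, "dport": dport,
            "src": net(src), "dst": net(dst)}


def match_acl(acl, pkt):
    """First-match lookup; returns 'permit', 'deny' or None (nothing matched)."""
    for e in acl:
        if (e["proto"] in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in e["src"]
                and ipaddress.ip_address(pkt["dst"]) in e["dst"]
                and e["dport"] in (None, pkt["dport"])):
            return e["action"]
    return None


def asa_lookup(pkt, inbound_acl, outbound_acl, global_acl=None):
    """Final verdict for inside -> outside traffic: 'permit' or 'deny'."""
    stages = [("inbound", inbound_acl)]
    if global_acl is not None:
        stages.append(("global", global_acl))
    stages.append(("outbound", outbound_acl))
    for name, acl in stages:
        verdict = match_acl(acl, pkt)
        if verdict == "deny":
            return "deny"
        if verdict is None:
            # Implicit "deny ip any any" at the end of every ACL, except that
            # the inbound interface ACL loses it when a global ACL exists, so
            # unmatched traffic falls through to the global ACL.
            if not (name == "inbound" and global_acl is not None):
                return "deny"
    return "permit"          # permitted by every stage that was consulted


# Constructed sample policy: inside ACL allows only HTTP from the LAN,
# the global ACL additionally allows HTTPS, outbound allows everything.
INBOUND = [ace("permit", "tcp", "10.1.1.0/24", "any", 80)]
GLOBAL = [ace("permit", "tcp", "any", "any", 443)]
OUTBOUND = [ace("permit", "ip", "any", "any")]
HTTPS = {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.10", "dport": 443}
SSH = {"proto": "tcp", "src": "10.1.1.5", "dst": "192.0.2.10", "dport": 22}
```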

5) objects

You can define a service object-group that mixes protocols (e.g. tcp and udp) and use it in place of the protocol in an ACE; the port numbers then don't need to be repeated in the access-list:
 
!
object-group service OTHER_PORTS
 service-object tcp destination eq 21
 service-object udp destination eq 123
!
access-list VLAN29_INBOUND extended permit object-group OTHER_PORTS object-group R2 object-group ALL_DESTINATIONS
!

6) routing

You can originate a default route into RIP, and its metric can be changed with a route-map (the default metric is 1):
 
!
route-map RIP_DEFAULT_ROUTE permit 10
 set metric 10
!
router rip
 network 7.0.0.0
 network 8.0.0.0
 default-information originate route-map RIP_DEFAULT_ROUTE
 no auto-summary
!

7) EIGRP - prefix filtering

I'd like to stop advertising prefix 66.66.66.0/24:
 
access-list EIGRP standard deny 66.66.66.0 255.255.255.0 
access-list EIGRP standard permit any 
!        
router eigrp 100
 no auto-summary
 distribute-list EIGRP out
 network 7.7.7.0 255.255.255.0
 network 8.8.8.0 255.255.255.0
!     

8) NAT

old way:
 
static (inside,outside) tcp interface 2023 7.7.7.1 telnet netmask 255.255.255.255 

new way:
 
object network TELNET-R
 nat (inside,outside) static interface service tcp telnet 2023 
!
object network TELNET-R
 host 11.11.11.11

9) Policy NAT

-STATIC

8.2:
 
access-list NAT1 extended permit ip host 22.22.22.22 host 11.11.11.11 
!
nat (outside) 1 access-list NAT1 outside
!
global (inside) 1 150.1.1.1

8.4:
 
object network R1-LO
 host 11.11.11.11
object network R3-LO
 host 22.22.22.22
object network R3-LO-N
 host 150.1.1.1
!
access-list OUT extended permit ip host 22.22.22.22 host 11.11.11.11 
!
nat (outside,inside) source static R3-LO R3-LO-N destination static R1-LO R1-LO
!

-DYNAMIC

8.4:
 
!
object network R1-LAN
 subnet 11.11.11.0 255.255.255.0
object network R1-LAN-N-POOL
 range 136.1.49.120 136.1.49.130
object network R1-LAN-N-POOL-PAT
 host 136.1.49.130
!
nat (inside,outside) source dynamic R1-LAN R1-LAN-N-POOL
nat (inside,outside) source dynamic R1-LAN pat-pool R1-LAN-N-POOL-PAT
nat (VLAN19,any) source dynamic R1_LO0_REAL pat-pool PAT_POOL round-robin

8.2:
 
asa2(config)# sh run nat
nat (inside) 2 access-list NAT2
asa2(config)# sh run global
global (outside) 2 136.1.29.120-136.1.29.130 netmask 255.255.255.0
global (outside) 2 136.1.29.131 netmask 255.255.255.255
asa2(config)# 

-OTHERS

Let's assume we accept only telnet requests on port 2023 (the ASA will rewrite it to 23) and we want to change the source IP to a global IP (static):

8.2:
 
static (outside,inside) tcp 32.32.32.32 2023 32.32.32.32 telnet netmask 255.255.255.255


access-list TELNET1 extended permit tcp host 4.4.4.1 host 32.32.32.32 eq 2023 

nat (inside) 2 access-list TELNET1
global (outside) 2 150.150.150.150

and I tested it:
 
telnet 32.32.32.32 2023
asa2# sh xlate 
2 in use, 3 most used
PAT Global 32.32.32.32(2023) Local 32.32.32.32(23) 
PAT Global 150.150.150.150(59001) Local 4.4.4.1(53207) 
asa2# 

8.3:
 
nat (inside,outside) source dynamic R1-int-R R1-int-N interface service TELNET-2023 TELNET-23

nat (inside,outside) source static R1-lo0-R interface service TELNET-2023 TELNET-23

10) Asymmetric traffic (multicontext)
 
hostname/ctx(config)# interface phy_if

hostname/ctx(config-if)# asr-group num

11) QOS

Configure priority queuing for shaped VoIP bearer and GETVPN signaling traffic on ASA1:

-GETVPN signaling is defined as GDOI exchange on the default port.

-VoIP bearer traffic is marked with the DSCP value of EF.

-All other traffic should receive best-effort service.

-Adjust the traffic-shaping interval to provide minimum delay for VoIP traffic.
 
ASA1:
class-map VPN
 match port udp eq 848
!
class-map VOICE
 match dscp ef
!
policy-map CHILD_POLICY
 class VPN
  priority
 class VOICE
  priority
!
policy-map SHAPER
 class class-default
  shape average 512000 5120
  service-policy CHILD_POLICY
!
service-policy SHAPER interface VLAN49

2nd example:
 
hostname(config)# access-list ike permit udp any any eq 500 
hostname(config)# class-map ike
hostname(config-cmap)# match access-list ike
hostname(config-cmap)# class-map voice_traffic
hostname(config-cmap)# match dscp EF AF13
hostname(config-cmap)# policy-map qos_class_policy
hostname(config-pmap)# class voice_traffic
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# class ike
hostname(config-pmap-c)# priority
hostname(config-pmap-c)# policy-map qos_outside_policy
hostname(config-pmap)# class class-default
hostname(config-pmap-c)# shape average 2000000 16000
hostname(config-pmap-c)# service-policy qos_class_policy
hostname(config-pmap-c)# service-policy qos_outside_policy interface outside

12) MFP - SMTP
 
ASA2: 
 
regex UNWANTED "(cyberspam\.org|nullroute\.com)"
!
policy-map type inspect esmtp SMTP_INSPECT
 parameters
   mask-banner
   mail-relay cisco.com action drop-connection
 match invalid-recipients count gt 3
   reset
 match sender-address regex UNWANTED
   reset
!
access-list SMTP_SERVER permit tcp any host 172.16.10.100 eq 25
!
class-map SMTP_SERVER
 match access-list SMTP_SERVER
!
policy-map VLAN19
 class SMTP_SERVER
  set connection conn-max 100
  set connection embryonic-conn-max 50
  inspect esmtp SMTP_INSPECT
!
service-policy VLAN19 interface VLAN19

13) MFP - TCP
 
asa1(config)# tcp-map TEST
asa1(config-tcp-map)# ?

TCP-map configuration commands:
  check-retransmission    Check retransmit data, disabled by default
  checksum-verification   Verify TCP checksum, disabled by default
  default                 Set a command to its defaults
  exceed-mss              Packet that exceed the Maximum Segment Size set by
                          peer, default is to allow packet
  invalid-ack             Packets with invalid ACK, default is to drop packet
  no                      Negate a command or set its defaults
  queue-limit             Maximum out-of-order packets queued for a connection,
                          default is 0 packets
  reserved-bits           Reserved bits in TCP header are set, default is to
                          allow packet
  seq-past-window         Packets that have past-window seq numbers, default is
                          to drop packet
  syn-data                TCP SYN packets that contain data, default is to
                          allow packet
  synack-data             TCP SYN-ACK packets that contain data, default is to
                          drop packet
  tcp-options             Options in TCP header
  ttl-evasion-protection  Protection against time to live (TTL) attacks,
                          enabled by default
  urgent-flag             Urgent flag and urgent offset set, default is to
                          clear flag and offset
  window-variation        Unexpected window size variation, default is to allow
                          connection
asa1(config-tcp-map)# 

14) MFP - management
 
class-map type management c1
  match port udp eq radius-acct


policy-map type inspect radius-accounting radius_accounting_map
  parameters
    host 172.16.10.100 inside key 123456789
    send response
    validate-attribute 26


policy-map type management global_policy
  class c1
    inspect radius-accounting radius_accounting_map

15) SNMP
 
!
snmp-map SNMP_VERSION_1
 deny version 1
!
policy-map global_policy
 class inspection_default
   inspect snmp SNMP_VERSION_1

16) IDENT

Configure ASA1 to quickly terminate the IDENT lookup sessions coming from VLAN 49 for TCP sessions initiated by VLAN 59 users. Consider that both users are translated, using identity mappings, behind the outside interface IP address.
 
service resetinbound
service resetoutside

17) BGP through ASA
 
class-map BGP
 match port tcp eq 179
!
tcp-map BGP
 tcp-options range 19 19 allow
!
policy-map global_policy
 class BGP
  set connection random-sequence-number disable
  set connection advanced-options BGP

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze ...