FW Basic Training - 1 - ASA Firewall

The document provides a comprehensive overview of Cisco ASA Firewalls, including their architecture, features, and various models. It covers topics such as stateful packet filtering, network address translation, and integration with other security services. Additionally, it details the evolution of Cisco firewall products and their operational capabilities within network security frameworks.

Cisco ASA Firewall

TAC Training
Tariq Bader
CCIE# 35627
Technical Team Leader – AMM TAC
July 2015
Agenda
• Introduction to Firewalls
o Cisco Firewalls
• ASA Firewall
o ASA Hardware
o ASA Modules
o ASA Software
• Introduction to ASA Features
• ASA Stateful Packet Filtering & Security Levels
• ASA Basic Configuration
• ASA Interface Types
Agenda (cont.)
• IP Routing
• Objects & Object Groups
• Access Control Lists (ACLs)
• ICMP Access Rules
• Connections & Translations
• Network Address Translation (NAT)
o NAT in ASA 8.2 & earlier
o NAT in ASA 8.3 & later
o Proxy ARP on ASA

• Same Security Level Communication


Agenda (cont.)
• Modular Policy Framework (MPF)
o Application Inspection
• ASA Packet Flow
o Egress Interface Selection
• Authentication, Authorization & Accounting (AAA)
• ASA Administration
o Management Access
o ASDM
o Upgrade/Downgrade
o Backup/Restore
o Licensing
Introduction to Firewalls
What Is a Firewall
[Diagram: Outside Network (Internet), firewall, Inside Network, with a DMZ Network on a third interface]
• A firewall is an access control device that looks at the IP packet, compares it with policy rules and decides whether to allow, deny or take some other action on the packet
Firewall Technologies
• Firewall operations are based on one of the following technologies:
o Packet filtering
o Proxy server
o Stateful packet filtering
o NGFW
Packet Filtering
[Diagram: Host A on the Internet; DMZ: Server B; Inside: Server C. Rule table: A→B Yes, A→C No]
• Limits information that is allowed into a network based on the destination and source address/port → ACL
Proxy Server
[Diagram: Proxy Server between the internal client and the Internet]
• Requests connections to the Internet on behalf of a client that is inside the firewall
• Also called Application Gateways.
Stateful Packet Filtering
[Diagram: Host A on the Internet sends an HTTP request A → B to the Web Server in the DMZ; Server C sits on the Inside]
• Limits information that is allowed into a network based not only on the destination and source addresses, but also on the packet's state table content
State Table (entry for the connection in the diagram, both columns as shown on the slide):
Source address        192.168.0.20   10.0.0.11
Destination address   172.16.0.50    172.16.0.50
Source port           1026           1026
Destination port      80             80
Initial sequence #    49769          49091
Ack
Flag                  Syn            Syn
Next-Generation Firewall (NGFW)

• NGFW is an integrated network platform that combines a traditional firewall with other
network device filtering functionalities such as:
o Application firewall using in-line deep packet inspection (DPI)
o An intrusion prevention system (IPS)
o Other techniques such as SSL and SSH interception
o Website filtering
o QoS/bandwidth management
o Antivirus inspection
o Third-party integration
Firewall in the Attack Continuum
[Diagram: Attack Continuum]
BEFORE: Discover, Enforce, Harden → Firewall/VPN, Detailed App Control, Modern Threat Control
DURING: Detect, Block, Defend → NGIPS, Security Intelligence, Web Security
AFTER: Scope, Contain, Remediate → Advanced Malware Protection, Retrospective Security, IoCs/Incident Response
Visibility and Automation (across the whole continuum)
Cisco Firewalls
PIX – Private Internet Exchange (EOL)
• First introduced 1994
• Announced EOS in 2008
• High performance Firewall, almost no packet delay
• Finesse (OS) runs from RAM like a router
• Based on Intel x86 architecture.
• Command Line Interpreter or GUI
• Primary purpose is to block external users from starting
Inbound connections, while allowing Internal users to
start Outbound connections and receive the return traffic
• Models: 506, 510, 515, 520, 501, 506e, 515e, 525, 535
Firewall Services Module (FWSM)
• Introduced 2003
• Announced EOS in 2012
• FWSM is a firewall module integrated by Cisco into its Komodo blade on Catalyst 6500 Switches and
7600 Series Routers.
• The FWSM is based on Cisco PIX technology and uses the same Cisco PIX Operating System
• Command Line Interpreter or GUI
• Provides 5-Gbps throughput, 100,000 CPS, and 1M concurrent connections.
• Up to four FWSMs can be installed in a single chassis, providing scalability to 20 Gbps per chassis.
• FWSM allows any VLAN on the switch to be passed through to the device to operate as a firewall
port and integrates firewall security inside the network infrastructure.
ASA – Adaptive Security Appliance
• Very high performance Firewall.
• Succeeded three lines of popular Cisco products:
o PIX (As a Firewall, NAT/PAT capabilities … etc)
o IPS (which works as intrusion prevention system)
o VPN3K Concentrator (Which provides VPN capabilities)

• First generation appliances based on Intel x86 architecture like the PIX (single
processor)
• Next generation-X series based on SMP (multi processors)
• Comes as integrated service module (ASA-SM) and virtual appliance (ASAv)
• Also have both CLI and GUI for administration and control.
• Supports expansion modules (HW & SW)
Cisco IOS Firewall
• It is a security feature set for Cisco IOS router
software.
• It integrates robust firewall functionality and intrusion
detection for every perimeter of the network and
enriches existing Cisco IOS security capabilities.
• Makes the router a real stateful firewall.
• CBAC & Zone Based Firewall.
ASA Firewall
ASA Overview
• ASA = Adaptive Security Appliance that runs Adaptive Security Algorithm
• Stateful architecture is about flows or connections, not packets
o Most effective with TCP, UDP, and ICMP
o TCP is the main reason for deploying a stateful firewall
• Acts as a segregation gateway between networks, enforcing selective connectivity
policies
• Tracks all packets as part of a stateful connection; blocks packets not part of a
connection, and performs atomic security checks
• Performs network address translation (NAT); applies NAT to embedded application
protocol data
• Inspects some application traffic flows for higher level protocol conformance and
deep-packet inspection
• Integrates with other solutions (Unified Communications technologies, scansafe, etc.)
ASA Benefits & Features
• Proprietary operating system
• Stateful packet filtering
• High-speed NAT
• Identity-based Access Control (IDFW)
• Protocol and application inspection
• Modular policy framework (MPF)
• Virtual private networking (VPN)
• Security contexts (virtual firewalls)
• High Availability and Clustering
• Stateful failover capabilities
ASA Benefits & Features (cont.)
• Dynamic Routing
• Transparent firewalls
• Quality of Service (QoS)
• Web-based management solutions (ASDM & CSM)
• NetFlow v9 for security monitoring
• Botnet traffic filtering (Ironport integration)
• ASA Phone Proxy and other UC integration features
• Integration with IPS, CSC, CX & FirePOWER modules
ASA Features (9.0 & later)
• Clustering
• Scansafe integration
• TrustSec integration
• Dynamic routing in multi-context mode
• L2L VPN in multi-context mode
• Mixed multi-context mode
ASA Products
• Adaptive Security Appliance (ASA) – hardened firewall appliance,
proprietary OS, Ethernet and fiber ports on box. (1G/10G)
o Does not run IOS but CLI has a similar look and feel
o All management can also be completed with GUI (on-box or multi-manager)
• ASA SM – Next Gen line card for Catalyst 6500, no physical interfaces,
runs ASA code image
• Adaptive Security Virtual Appliance Firewall (ASAv) – Virtualization-
based ASA that runs with a full ASA code base, not dependent upon
Nexus1000v
• ASA with FirePOWER Services – ASA firewall appliance which
integrates a full installation of FirePOWER NGFW, NGIPS, AMP and
Contextual Services
ASA Family
[Product family image]
ASA Hardware
ASA 5505
[Front and back images of ASA-5505]
• 8x switchports
• Ethernet 0/6 and 0/7 offer PoE for IP Phones, APs
ASA 5510/5520/5540
Front Panel
[Image: front panel LEDs: Power, Status, Active, Flash, VPN]
ASA 5510/5520/5540
Back Panel Connections
[Image: back panel: Security Services Module (SSM), Compact Flash, SSM Monitoring Port, 10/100 Out of Band Management Port, Console Port, AUX Port, four 10/100/1000 Copper Gigabit Ports]
ASA 5500-X Appliances (Saleen)
[Product images]
ASA 5585-X (Spyker) Chassis and SSP
[Product image]
ASA 5500-X Hardware Comparison (for your reference)
[Table image]
ASA 5500-X Performance Comparison (for your reference)
[Table image]
ASA Modules
4-Port Gigabit Ethernet Security Services Module (4GE SSM)
• High-performance module
• Four 10/100/1000 RJ-45 ports and four Small Form-Factor Pluggable (SFP) ports
• Supports both copper and optical connections
• Supported ASA models: 5510, 5520, 5540
• In the 5550, the ASA 4GE SSM is built-in and not user-removable
• Supported ASA SW: 7.0(4) and later
Advanced Inspection and Prevention (AIP) SSC-5
• Adds IPS capabilities to ASA 5505
• Provides up to 75 Mbps of IPS throughput
• Inline or Promiscuous
• Can be managed from the back-plane using Session or ASDM, or remotely using the VLAN interface
• Supported IPS SW: 6.2 (7.0 & later is not supported)
• Supported ASA models: 5505
• Supported ASA SW: 8.2(1) and later
Advanced Inspection and Prevention
Security Services Module (AIP-SSM)
• High performance module designed to provide additional
security services (IPS capabilities)
• Diskless (Flash-Based) Design for improved reliability
• Gigabit Ethernet port for Out-of-Band management, etc.
• Inline or Promiscuous
• Can be managed from the back-plane using Session or
ASDM
• Also can be managed by IDM and IME
• Models: SSM-10, SSM-20, SSM-40 → vary in memory
• Supported IPS SW: 5.0 → 7.1
• Supported ASA models: 5510, 5520, 5540
• Supported ASA SW: 7.0(1) & later
Content Security and Control Security
Services Module (CSC-SSM)
• Comprehensive malware protection
• Advanced content filtering
• Integrated message security
• Stops network threats including viruses, worms, spyware, spam and phishing
• Gigabit Ethernet port for Out-of-Band management, etc.
• Can be managed from the back-plane using Session or ASDM

• Utilizes Trend Micro's antivirus and anti-spyware technologies


• Models: SSM-10, SSM-20 → vary in memory
• CSC SW: 6.0 → 6.6
• Supported ASA models: 5510, 5520, 5540
• Supported ASA SW: 7.1(1) & later
IPS Security Services Processor (IPS SSP)
• ASA IPS SSP software module:
o Supported IPS SW: 7.1(3), 7.2
o Supported ASA models: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X
o Supported ASA SW: 8.6(1) & later
• ASA IPS SSP hardware module:
o Must be installed in slot 1, with a matching-level ASA SSP in slot 0
o Models: SSP-10, SSP-20, SSP-40, SSP-60
o Supported IPS SW: 7.1, 7.2
o Supported ASA models: 5585-X
o Supported ASA SW: 8.2(4)4 & later; 8.4(2) & later → not supported in 8.3
CX Security Services Processor (CX SSP)
• Context-Aware Security
• Next Generation Firewall (NGFW)
• Threat Protection/NG-IPS
• URL Category/Reputation
• HTTP Inspection
• TLS Proxy
• Application Visibility & Control (AVC)
• Managed by Prime Security Manager (PRSM), on-box or off-box
CX Security Services Processor (CX SSP)
• ASA CX SSP software module:
o Requires Cisco solid state drive (SSD)
o CX SW: 9.1 → 9.3
o Supported ASA models: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X
o Supported ASA SW: 9.1(1) & later
• ASA CX SSP hardware module:
o Must be installed in slot 1, with a matching-level ASA SSP in slot 0
o Models: SSP-10, SSP-20, SSP-40, SSP-60
o CX SW:
▪ 9.0 → 9.3 (SSP-10 & -20)
▪ 9.2 → 9.3 (SSP-40 & -60)
o Supported ASA models: 5585-X
o Supported ASA SW: 8.4(4)1 & later
ASA FirePOWER (SFR SSP)
• Next Generation Firewall (NGFW)
• Granular Application Visibility and Control to support over 3000 application-layer and risk-based controls
• Cisco FirePOWER Next-Generation IPS, which provides threat prevention and contextual awareness
• URL Filtering
• Discovery and protection against advanced malware and threats
• Managed by the Cisco FireSIGHT Management Center
ASA FirePOWER (SFR SSP)
[Diagram: Cisco Collective Security Intelligence Enabled. On top of the Cisco ASA base (Network Firewall, Routing | Switching, Clustering and High Availability, Application Visibility and Control, Built-in Network Profiling, Identity-Policy Control and VPN) sit Intrusion Prevention (Subscription), Advanced Malware Protection (Subscription), URL Filtering (Subscription) and FireSIGHT Analytics & Automation]
ASA FirePOWER (SFR SSP)
• ASA FirePOWER software module:
o Requires Cisco solid state drive (SSD)
o FirePOWER SW: 5.3.1+
o Supported ASA models: 5506-X, 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X
o Supported ASA SW: 9.2(2)4 & later
• ASA FirePOWER SSP hardware module:
o Must be installed in slot 1, with a matching-level ASA SSP in slot 0
▪ Starting with ASA 9.3(2) we can have mixed-level SSPs
o Models: SSP-10, SSP-20, SSP-40, SSP-60
o FirePOWER SW: 5.3.1+
o Supported ASA models: 5585-X
o Supported ASA SW: 9.2(2)4 & later
ASA Software
Proprietary Operating System
• Eliminates the risks associated with general-purpose operating systems
ASA Software Builds
Version numbering: x.y.z.a = Major.Minor.Maintenance.Interim
Train names: 8.3 – Broadview, 8.4 – AC Milan, 9.0 – Arsenal
• New trains introduce new features
• Maintenance images undergo the most testing
o Concentrate on bug fixes, avoid new features
• Interim images are usually internal (available via TAC)
o Limited testing, so only provided for specific problems
o Some are posted on cisco.com (CCO) after more testing
o Interims are cumulative
o Last interim becomes next Maintenance release
o Engineering images
ASA Software Builds
[Table image]
ASA Models Supported SW
• Legacy ASA models support ASA code up to 9.1 → 5510, 5520, 5540, 5550, 5580
o Except the 5505, which supports up to 9.2
o 8.1(x) is platform specific for ASA 5580 only
• ASA 5500-X (Saleen) series started with 8.6(1) (platform specific), then 9.0 & later
• ASA 5585-X (Spyker) started with 8.2(3) → 8.2(5), then 8.4(1) → 8.4(7), then 9.0 & later
• ASA-SM started with 8.5(1) (platform specific), then 9.0 & later
• ASAv started with 9.2(1) & later
• ASA 1000V runs 8.7(1)1 (platform specific)
• ASA 5506-X & 5508-X (Kenton) started with 9.4(1)
http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#pgfId-111774
ASA Images
• We have two types of ASA images:
o Single Processor Images → 5505, 5510, 5520, 5540, 5550
Example: asa915-k8.bin
o Multi Processor Images → 5506-X, 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5580, 5585-X, ASA-SM
Example: asa915-smp-k8.bin
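The version notation from the builds slide (x.y(z)a, for instance the 9.2(2)4 quoted in the module tables) and the "& later / not supported in" wording of the module support lines can both be turned into a check. The following Python is an added example written for this page, not Cisco tooling: it parses a version into major, minor, maintenance and interim parts, orders versions, and decides whether a release satisfies a support rule such as the IPS SSP hardware-module line "8.2(4)4 & later; 8.4(2) & later, not supported in 8.3". The reading of that rule (each minimum applies to its own train, a later train without its own minimum inherits the closest earlier one, an excluded train never qualifies) is my interpretation and is stated in the code.

```python
import re
from dataclasses import dataclass

# Release notation used in the deck: x.y(z)a = Major.Minor(Maintenance)Interim,
# e.g. 9.2(2)4. The maintenance part and the interim digit are optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\))?(\d*)$")


@dataclass(frozen=True, order=True)
class AsaVersion:
    major: int
    minor: int
    maintenance: int = 0
    interim: int = 0

    @classmethod
    def parse(cls, text):
        m = VERSION_RE.match(text.strip())
        if not m:
            raise ValueError("not an ASA version string: %r" % text)
        major, minor, maint, interim = m.groups()
        return cls(int(major), int(minor), int(maint or 0), int(interim or 0))

    def train(self):
        """The feature train (x.y); maintenance and interim images live inside it."""
        return (self.major, self.minor)

    def __str__(self):
        return "%d.%d(%d)%s" % (self.major, self.minor, self.maintenance,
                                self.interim or "")


@dataclass(frozen=True)
class SupportRule:
    """My reading of a line like '8.2(4)4 & later; 8.4(2) & later, not supported in 8.3':
    each minimum applies to its own train; a train without an explicit minimum is
    covered by the closest earlier minimum ('& later'), unless the train is excluded."""
    minimums: tuple              # AsaVersion values
    excluded_trains: tuple = ()  # (major, minor) pairs


def is_supported(version, rule):
    if version.train() in rule.excluded_trains:
        return False
    earlier = [m for m in rule.minimums if m.train() <= version.train()]
    if not earlier:
        return False
    closest = max(earlier, key=lambda m: m.train())
    if closest.train() == version.train():
        return version >= closest        # same train: maintenance and interim matter
    return True                          # later train with no explicit floor


# Constructed from the IPS SSP hardware-module line on the slides.
IPS_SSP_HW_RULE = SupportRule(
    minimums=(AsaVersion.parse("8.2(4)4"), AsaVersion.parse("8.4(2)")),
    excluded_trains=((8, 3),),
)
```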
Introduction to ASA Features
Stateful Packet Filtering
• The Adaptive Security Algorithm (ASA) provides stateful connection
security, every inbound packet is checked against the Adaptive Security
Algorithm and against connection state information in memory.
o It tracks source and destination ports and addresses, TCP sequence
numbers, and additional TCP flags.
o It randomizes the initial TCP sequence number of each new
connection.
• By default, the stateful packet inspection algorithm allows connections
originating from hosts on inside (higher security level) interfaces.
• By default, the stateful packet inspection algorithm drops connection
attempts originating from hosts on outside (lower security level)
interfaces.
Stateful Packet Filtering (cont.)
Maintaining state
• Stateful firewalls inspect and maintain a record (a state table) of the state of each connection that passes through the firewall
o To adequately maintain the state of a connection the firewall needs to inspect every packet
o But short cuts can be made once a packet is identified as being part of an already established connection
o Different vendors record slightly different information about the state of a connection
• High performance and most popular
Stateful Packet Filtering (cont.)
[Diagram: an Inside PC behind the ASA sends "Get Sports Page (Request)" to www.yahoo.com on the Internet; "Sports Page (Reply)" comes back because return traffic is allowed by default. Inside to DMZ and return access are allowed; outside access (Outside PC to DMZ Server) is denied by default]
Application-Aware Inspection
[Diagram: Active FTP between a server on the Internet (data port 20, control port 21) and a client behind the ASA (control port 2008, data port 2010). The client announces "Data - Port 2010" over the control channel, the ASA notes "Port 2010 OK", and the server's data connection to port 2010 is allowed through]
• Protocols such as FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall.
• The security appliance inspects packets above the network layer.
• The security appliance securely opens and closes negotiated ports for legitimate client-server connections through the firewall.
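To make the negotiation above concrete, here is an added Python model of the FTP inspection step; it is example code written for this page, not ASA code. It walks a constructed control-channel exchange, derives the single data-connection pinhole that the client's PORT command asks for (the slide's port 2010), refuses to open a hole towards any host other than the two endpoints of the session, closes the hole once a data connection has used it and, going beyond the active-mode case on the slide, also handles the passive-mode 227 reply. The addresses 10.0.0.11 and 203.0.113.21 and the FTP dialogue are constructed sample input; rewriting of the embedded address for NAT, which the ASA also performs, is left out.

```python
import re
from dataclasses import dataclass

# Constructed FTP control-channel exchange (not a capture from the deck):
# client behind the firewall at 10.0.0.11, server on the Internet at
# 203.0.113.21. Ports follow the slide: server control 21 / data 20,
# client control 2008 / data 2010 (PORT fields 7,218 = 7*256 + 218 = 2010).
CLIENT_IP = "10.0.0.11"
SERVER_IP = "203.0.113.21"
CONTROL_CHANNEL = [
    ("client", "USER anonymous\r\n"),
    ("server", "331 Please specify the password.\r\n"),
    ("client", "PASS guest@\r\n"),
    ("server", "230 Login successful.\r\n"),
    ("client", "PORT 10,0,0,11,7,218\r\n"),
    ("server", "200 PORT command successful.\r\n"),
    ("client", "RETR sports.html\r\n"),
]

# Active mode: the client announces where the server must connect (RFC 959 PORT).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
# Passive mode: the server announces where the client must connect (227 reply).
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """A negotiated data connection the firewall will let through once."""
    initiator: str     # host allowed to open the data connection
    target: str        # host it may connect to
    target_port: int


def decode_hostport(fields):
    """h1,h2,h3,h4,p1,p2 -> (ip, port); every field must fit in one byte."""
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        raise ValueError("host-port field out of range")
    return ".".join(str(v) for v in values[:4]), values[4] * 256 + values[5]


def inspect_ftp(control, client_ip, server_ip):
    """Collect the pinholes the control channel legitimately negotiates.

    A PORT or 227 that names a third host is ignored: the hole is only opened
    between the two endpoints that actually take part in the session.
    """
    pinholes = set()
    for speaker, line in control:
        line = line.rstrip("\r\n")
        try:
            if speaker == "client" and (m := PORT_RE.match(line)):
                ip, port = decode_hostport(m.groups())
                if ip == client_ip:
                    pinholes.add(Pinhole(server_ip, ip, port))
            elif speaker == "server" and (m := PASV_RE.match(line)):
                ip, port = decode_hostport(m.groups())
                if ip == server_ip:
                    pinholes.add(Pinhole(client_ip, ip, port))
        except ValueError:
            continue   # malformed negotiation: open nothing
    return pinholes


def data_connection_allowed(pinholes, src_ip, dst_ip, dst_port):
    """Would the firewall admit this new data connection? A pinhole serves one connection."""
    hole = Pinhole(src_ip, dst_ip, dst_port)
    if hole in pinholes:
        pinholes.discard(hole)   # close the negotiated port once it has been used
        return True
    return False
```

The same parsing is what makes the ASA's FTP inspection work across NAT: once the firewall understands the PORT payload it can also rewrite the embedded address, which this model deliberately omits.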
Virtual Private Network (VPN)
[Diagram: Site to Site VPN between the Headquarter and Branch 1 / Branch 2 over the Internet; Remote Access Users connecting over the Internet; IPSec VPN and SSL VPN]
Security Context (Virtual Firewall)
• Ability to create multiple security contexts (virtual firewalls) within a single security appliance
High Availability – Failover
• Failover protects the network should the primary
go offline.
o Active/standby—Only one unit can be actively
processing traffic; the other is
hot standby.
o Active/Active—Both units can process traffic
and serve as backup units.
• Stateful failover maintains operating state during
failover.
Transparent Firewall
[Diagram: hosts 10.1.5.1 and 10.1.5.2 on the same 10.1.5.0/24 subnet on either side of the ASA, which bridges them and is itself addressed 10.1.5.254]
• Has the ability to deploy a security appliance in a secure bridging mode
• Provides rich Layers 2 through 7 security services as a Layer 2 device
Identity Firewall (IDFW)
[Diagram: the Active Directory Domain Controller records User Login Events in its Security Log; Cisco CDA or AD-Agent reads them (WMI) and supplies the Username/Group to IP Mapping to the Cisco ASA (RADIUS); the ASA obtains domain username and group information from Active Directory (LDAP); traffic is then filtered by ACL User/Group policies]
Web-Based Management Solutions
• Adaptive Security Device Manager (ASDM) → On-Box management
• Cisco Security Manager (CSM) → Off-Box management → Multi-device management
ASA Stateful Packet Filtering & Security Levels
Sessions in an IP World
• In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols:
o TCP
o UDP
TCP
• TCP is a connection-oriented, reliable-delivery, robust, and high performance transport layer protocol.
• TCP features
o Sequencing and acknowledgement of data.
o A defined state machine (open connection, data flow, retransmit, close connection).
o Congestion detection and avoidance mechanisms.
TCP Initialization: Inside to Outside
[Diagram reconstructed as a numbered sequence; the private network host 10.0.0.11 is translated to 192.168.0.20 on the public network]
#1 Inside host → firewall (Syn, no data): source address 10.0.0.11, destination address 172.30.0.50, source port 1026, destination port 23, initial sequence # 49091, flag Syn
The firewall appliance checks for a connection slot. If one is not found, it creates one after verifying NAT, ACL, and other rules, if any. If OK, a connection is created and the embryonic connection counter is started.
#2 Firewall → server (translated Syn): source address 192.168.0.20, destination address 172.30.0.50, source port 1026, destination port 23, initial sequence # 49769, flag Syn
#3 Server → firewall (Syn-Ack): 172.30.0.50:23 → 192.168.0.20:1026, sequence # 92513, ack 49770
The firewall appliance follows the Adaptive Security Algorithm:
• (source IP, source port, destination IP, destination port) check → conn check
• Sequence number check
• Translation check → xlate
#4 Firewall → inside host (Syn-Ack, untranslated): 172.30.0.50:23 → 10.0.0.11:1026, sequence # 92513, ack 49092
TCP Initialization: Inside to Outside (cont.)
#5 Inside host → firewall (Ack): source address 10.0.0.11, destination address 172.30.0.50, source port 1026, destination port 23, sequence # 49092, ack 92514, flag Ack
The firewall resets the embryonic counter for this client. It then increases the connection counter for this host.
#6 Firewall → server (translated Ack): source address 192.168.0.20, destination address 172.30.0.50, source port 1026, destination port 23, sequence # 49770, ack 92514, flag Ack
Data flows, strictly following the Adaptive Security Algorithm.
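The six steps above can be followed in code. The Python below is a model added here, not ASA code or material from the deck; it implements the parts of the Adaptive Security Algorithm the slides name: connection-slot lookup on the 4-tuple, a static translation (xlate), randomization of the inside host's initial sequence number, the embryonic and established counters, and the sequence-number check on the returning SYN-ACK. Fed the slide's packets with an offset of 678 (49769 minus 49091) it reproduces the slide's numbers exactly. The translation 10.0.0.11 → 192.168.0.20 and the 172.30.0.50 telnet server come from the slide; the class names, the rng hook and the drop reasons are my own, and ACL evaluation is out of scope.

```python
from dataclasses import dataclass, replace
import random

MOD32 = 2 ** 32


@dataclass(frozen=True)
class Packet:
    """The header fields the slides show for each packet."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


@dataclass
class Conn:
    key: tuple          # inside view: (inside_ip, inside_port, outside_ip, outside_port)
    global_ip: str      # translated address of the inside host (xlate)
    isn_delta: int      # added to the inside host's seq, subtracted from acks sent to it
    client_isn: int
    server_isn: int = None
    state: str = "EMBRYONIC"


class StatefulFirewall:
    """Model of the slides' Adaptive Security Algorithm steps (constructed, not ASA code)."""

    def __init__(self, static_xlate, rng=None):
        self.xlate = dict(static_xlate)   # inside IP -> global IP
        self.conns = {}                   # inside-view 4-tuple -> Conn
        self.by_global = {}               # outside-view 4-tuple -> Conn
        self.embryonic = {}               # inside host -> half-open connections
        self.established = {}             # inside host -> completed connections
        self.rng = rng or random.SystemRandom()   # hook: any object with randrange(a, b)
        self.drops = []                   # (reason, packet), what a syslog would record

    def _drop(self, reason, pkt):
        self.drops.append((reason, pkt))
        return None

    def from_inside(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        conn = self.conns.get(key)
        if conn is None:
            # Step #1: no connection slot. Only a SYN may create one, and only
            # when a translation exists (ACL and other rule checks would sit here).
            if pkt.flags != "SYN":
                return self._drop("no connection slot", pkt)
            gip = self.xlate.get(pkt.src)
            if gip is None:
                return self._drop("no translation", pkt)
            conn = Conn(key, gip, self.rng.randrange(1, MOD32), pkt.seq)
            self.conns[key] = conn
            self.by_global[(gip, pkt.sport, pkt.dst, pkt.dport)] = conn
            self.embryonic[pkt.src] = self.embryonic.get(pkt.src, 0) + 1
        elif conn.state == "EMBRYONIC":
            if pkt.flags == "SYN" and conn.server_isn is None:
                pass   # retransmitted SYN: reuse the slot, translate it again below
            elif pkt.flags != "ACK" or conn.server_isn is None:
                return self._drop("handshake out of order", pkt)
            elif pkt.ack != (conn.server_isn + 1) % MOD32:
                return self._drop("bad ack number", pkt)
            else:
                # Step #5: third packet of the handshake. Reset the embryonic
                # counter for this client and count the connection as established.
                conn.state = "ESTABLISHED"
                self.embryonic[pkt.src] -= 1
                self.established[pkt.src] = self.established.get(pkt.src, 0) + 1
        # Steps #2 and #6: translate the source and randomize the client's sequence number.
        return replace(pkt, src=conn.global_ip, seq=(pkt.seq + conn.isn_delta) % MOD32)

    def from_outside(self, pkt):
        conn = self.by_global.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if conn is None:
            # conn check fails: nothing on the inside asked for this packet.
            return self._drop("no connection slot", pkt)
        if conn.state == "EMBRYONIC":
            # Step #3: sequence number check on the SYN-ACK against the randomized ISN.
            if pkt.flags != "SYN-ACK":
                return self._drop("handshake out of order", pkt)
            if pkt.ack != (conn.client_isn + conn.isn_delta + 1) % MOD32:
                return self._drop("bad ack number", pkt)
            conn.server_isn = pkt.seq
        # Step #4: translation check (xlate): undo the translation and the ISN offset.
        return replace(pkt, dst=conn.key[0], ack=(pkt.ack - conn.isn_delta) % MOD32)
```

Two things the model makes visible that the diagram only implies: an inbound packet that matches no connection slot is dropped before any sequence check, and a SYN-ACK that acknowledges the inside host's original ISN rather than the randomized one fails the sequence-number check, which is the protection the randomization exists to provide.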
UDP
• Connectionless protocol.
• Efficient protocol for some services.
• Resourceful but difficult to secure.
UDP (cont.)
[Diagram reconstructed as a numbered sequence; the private network host 10.0.0.11 is translated to 192.168.0.20 on the public network]
#1 Inside host → firewall: source address 10.0.0.11, destination address 172.30.0.50, source port 1028, destination port 45000
The firewall appliance checks for a connection slot. If one is not found, it creates one after verifying NAT, ACL, and other rules, if any. If OK, a connection is created.
#2 Firewall → server (translated): source address 192.168.0.20, destination address 172.30.0.50, source port 1028, destination port 45000
#3 Server → firewall: 172.30.0.50:45000 → 192.168.0.20:1028
The firewall appliance follows the Adaptive Security Algorithm:
• (source IP, source port, destination IP, destination port) check → conn check
• Translation check → xlate
#4 Firewall → inside host: 172.30.0.50:45000 → 10.0.0.11:1028
All UDP responses must arrive from outside within the UDP user-configurable timeout (default = 2 minutes).
State Table – conn & xlate Tables
• conn(ection) table stores the state of every single active flow
o Every incoming packet is checked against the table
o Biggest memory consumer (maximum count is limited by platform)
• xlate table stores active NAT mappings
o Independent of the conn table
o Maximum size is only limited by available memory
Interfaces & Security Levels
• Each interface should be configured with a name and a security level
to declare its trustworthiness.
• Inside Interface has a security level of 100 by default*
• Any other interface such as Outside/DMZ interfaces has a security
level of 0 by default.
• Security levels are a configurable value that can be between 0-100.
• The common setup, 100 for inside, 0 for outside and between 1-99 for
DMZ.
*The default security level values are applied based on the interface given name. Inside is a known keyword
in the ASA, so it’s given security level of 100, otherwise the default value is set to 0
Interfaces & Security Levels (cont.)
• By default, firewalls allow traffic to pass from higher security interfaces to lower security interfaces, and in the case of TCP and UDP connections, they allow the return traffic back through → TCP & UDP are stateful
• The same does not apply for ICMP, as ICMP return traffic is denied by default → ICMP is stateless
Security Levels Example
[Diagram: ASA Firewall with four interfaces. GE0: Interface Name = Outside, Security Level 0, Outside Network (Internet). GE1: Interface Name = Inside, Security Level 100, Inside Network. GE2: Interface Name = DMZ1, Security Level 30, and GE3: Interface Name = DMZ2, Security Level 40, both Perimeter Networks]
Packets flow through the Firewall
Inside to outside communications:
• Translation statement for outgoing traffic
• Return traffic is allowed because the connection is tracked statefully
Outside to inside communications:
• Pre-defined static translation and an access-list to permit the incoming traffic
Inside to Outside (Outbound) Connections
• Inside to outside connections mean traffic from a higher security level interface to a lower security level interface. For this to happen there is one condition: a NAT/PAT statement, i.e. a translation statement, for this traffic.
[Diagram: Inside PC (Inside, Security 100) → ASA → Internet, www.yahoo.com (Outside, Security 0), using Dynamic NAT/PAT]
Outside to Inside (Inbound) Connections
• The static NAT and access-list are needed to allow connections from a lower security interface to a higher security interface
• The static NAT is used to create a permanent mapping between a local IP address and a global IP address
• The access-list command is an exception in the firewall's inbound security policy for a given host
[Diagram: Outside PC on the Internet (Outside, Security 0) → ASA → Inside Server (Inside, Security 100), using Static NAT & ACL permission]

ASA Basic Configuration
Access Modes
•There are four administrative access modes:
o Unprivileged mode
o Privileged mode
o Configuration mode
o Monitor mode

ASA>
ASA> enable
ASA#
ASA# conf t
ASA(config)#
Set Device Identification
• hostname command
hostname newname
ASAfirewall(config)# hostname proteus
proteus(config)#
Setting the Domain Name
• domain-name command
domain-name name
ASAfirewall(config)# domain-name example.com
Changing the Login Password
• The login password is used for Telnet connections.
• The default login password is "cisco".
{passwd | password} password
• Starting 9.0(2)/9.1(2) → The default Telnet login password was removed; you must manually set the password before using Telnet
Changing the Enable Password
• The enable password lets you enter privileged EXEC mode.
• By default, the enable password is blank.
enable password password
View Current Version
• Use the show version command to verify the software version of your ASA.
show version
Create Host Name Table
• Configures a list of name-to-IP address mappings on the ASA Firewall
name ip-address host-name
ASAfirewall(config)# name 172.16.0.2 frodo
Enable the Interfaces
• By default, each interface is shut down, so we need to enable the interface before using it:
ASAfirewall(config)# interface GigabitEthernet0/0
ASAfirewall(config-if)# no shutdown
Naming and Security levels
ASAfirewall(config)# interface GigabitEthernet0/0
ASAfirewall(config-if)# nameif outside
ASAfirewall(config-if)# security-level 0
ASAfirewall(config)# interface GigabitEthernet0/1
ASAfirewall(config-if)# nameif inside
ASAfirewall(config-if)# security-level 100
[Diagram: GE0 faces the Outside Network (Internet), GE1 the Inside Network; GE2 and GE3 are also shown]
Assign IP Addresses
• No traffic passes until an IP address is assigned to the interface of the firewall.
ASAfirewall(config)# interface GigabitEthernet0/0
ASAfirewall(config-if)# ip address 1.1.1.1 255.255.255.0
DHCP Assigned Address
• Enables the DHCP client feature on the outside interface.
fw1(config)# interface GigabitEthernet0/0
fw1(config-if)# nameif outside
fw1(config-if)# ip address dhcp
Test Connectivity using ping
ping [source_if_name] ip_address
ASAfirewall(config)# ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!

ASAfirewall(config)# ping inside 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Display Interface Status
ASAfirewall# show interface
interface ethernet0 “outside” is up, line protocol is up
hardware is i82557 ethernet, irq 10, address is 0060.7380.2f16
ip address 192.168.1.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 1000000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 crc, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 0 bytes, 0 underruns
Display IP Address Table
ASA# show int ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.0.2.2 YES CONFIG up up
Ethernet0/1 10.1.1.2 YES CONFIG up up
Ethernet0/2 192.168.1.2 YES CONFIG up up
Ethernet0/3 unassigned YES unset administratively down down
Management0/0 10.48.67.231 YES CONFIG up up

ASA# show ip
System IP Addresses:
Interface Name IP address Subnet mask
Ethernet0/0 outside 192.0.2.2 255.255.255.0
Ethernet0/1 inside 10.1.1.2 255.255.255.0
Ethernet0/2 dmz 192.168.1.2 255.255.255.0
Management0/0 management 10.48.67.231 255.255.254.0
Configuring the DNS Server
• Enable the ASA to send DNS requests to a DNS server to perform a name lookup for
supported commands.
dns domain-lookup interface_name
• Specify the DNS server group that the ASA uses for outgoing requests.
dns server-group DefaultDNS
• Specify one or more DNS servers.
name-server ip_address [ip_address2] [...] [ip_address6]

hostname(config)# dns domain-lookup inside
hostname(config)# dns server-group DefaultDNS
hostname(config-dns-server-group)# name-server 10.1.1.5 192.168.1.67 209.165.201.6
Assign Static Routes
route <if_name> <network> <mask> <next_hop> <metric>
route outside 0.0.0.0 0.0.0.0 171.11.23.1 1
route inside 10.0.2.0 255.255.255.0 10.0.1.100 1
• The ASA can act as a default gateway for inside hosts/routers.
• We can have only one default route configured per interface. Only one default route is active at a time.
Display Routing Table
ASA5555(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 10.48.66.1 to network 0.0.0.0

C 192.168.10.0 255.255.255.0 is directly connected, inside
C 10.10.10.0 255.255.255.0 is directly connected, dmz
C 10.10.20.0 255.255.255.0 is directly connected, dmz2
C 10.48.66.0 255.255.254.0 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, fover
S* 0.0.0.0 0.0.0.0 [1/0] via 10.48.66.1, outside
Display ARP Table
ASA5555(config)# show arp
outside 10.48.66.1 0006.f62a.c4a3 0
outside 10.48.66.119 0050.563f.ff11 58
outside 10.48.66.109 bc16.6525.a541 382
outside 10.48.67.250 10f3.11a7.e541 941
outside 10.48.66.2 0006.f62a.c42b 1097
outside 10.48.66.100 503d.e59d.9086 8271
inside 192.168.10.103 0050.5699.3a94 14
inside 192.168.10.101 0050.5699.3a97 25
inside 192.168.10.100 000c.290d.e341 48
inside 192.168.10.110 0050.5699.3aa8 160
inside 192.168.10.102 0050.5699.3a6f 274
inside 192.168.10.105 b838.61d7.2673 6357
inside 192.168.10.104 3c08.f6da.864e 11037
fover 192.168.1.1 3c08.f6da.8656 8525
ASA Interface Types
ASA Interfaces
• Physical interfaces are externally visible Ethernet ports
• Virtual interfaces may share or bundle physical interfaces
o IEEE 802.1Q VLAN trunks
• Redundancy → Less overhead with a Redundant interface, but more capacity with EtherChannel
Regular Physical Interfaces

interface GigabitEthernet0/0
nameif outside
security-level 0
speed 100
duplex full
ip address 192.168.2.2 255.255.255.0
Management Interfaces
• Management interfaces do not forward traffic by default
• Use "no management-only" to use it as a data interface
• The exception is the ASA 5512-X through 5555-X
o We cannot use the management interface as a data interface at all (no through-traffic support)
interface Management0/0
nameif management
security-level 0
ip address 10.48.67.231 255.255.254.0
management-only

ASA# show int m0/0

Management-only interface. Blocked 0 through-the-device packets
Sub-Interfaces
• ASA supports 802.1q trunking
• No Dynamic Trunking Protocol (DTP) support
• The physical interface is in the Native (Un-Tagged) VLAN
• While not required, it is a best practice that the sub-interface number matches the VLAN ID.
interface GigabitEthernet0/0
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/0.10
vlan 10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/0.15
vlan 15
nameif inside
security-level 100
ip address 10.15.15.2 255.255.255.0
Sub-Interfaces
show interface
Physical Interface Counters:
• Speed / Duplex setting
• Interface Errors
• Overruns / No Buffers
• Input / Output queues
• Aggregate packet / byte counts
Sub-Interface Counters:
• VLAN specific packet / byte counts
• VLAN specific packet drops
[Diagram: Gi0/0 as an 802.1Q trunk carrying Outside – VLAN 10, Inside – VLAN 15, Eng – VLAN 20, MFG – VLAN 25]
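A practical check for the interface conventions covered in the management-interface and sub-interface slides, written for this page in Python (not an ASA or Cisco tool): it parses interface stanzas in running-config format, applies the default security level the deck describes (100 for an interface named inside, otherwise 0) when none is configured, and flags a sub-interface whose number does not match its VLAN ID, a management interface without management-only, and a named interface that is shut down. The sample running config is constructed from the patterns on the slides, with two deliberate deviations for the checks to find; the finding texts are mine.

```python
import re
from dataclasses import dataclass

# Constructed running-config excerpt following the patterns on the slides
# (not a configuration from the deck). GigabitEthernet0/0.16 deliberately
# carries vlan 15 and no security-level; Management0/0 lacks management-only.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 no nameif
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/0.16
 vlan 15
 nameif inside
 ip address 10.15.15.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.48.67.231 255.255.254.0
!
interface GigabitEthernet0/1
 shutdown
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
"""

SUBIF_RE = re.compile(r"\.(\d+)$")   # trailing .N of a sub-interface name


@dataclass
class Interface:
    name: str
    nameif: str = None
    security_level: int = None
    vlan: int = None
    ip: str = None
    shutdown: bool = False
    management_only: bool = False


def parse_interfaces(text):
    """Collect interface stanzas; each 'interface' line starts the next one."""
    interfaces, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Interface(line.split(None, 1)[1])
            interfaces.append(cur)
        elif cur is None or not line or line == "!":
            continue
        elif line.startswith("nameif "):
            cur.nameif = line.split()[1]
        elif line.startswith("security-level "):
            cur.security_level = int(line.split()[1])
        elif line.startswith("vlan "):
            cur.vlan = int(line.split()[1])
        elif line.startswith("ip address "):
            cur.ip = line[len("ip address "):]
        elif line == "shutdown":
            cur.shutdown = True
        elif line == "management-only":
            cur.management_only = True
    return interfaces


def effective_security_level(iface):
    """Configured level, else the default the deck gives: inside = 100, anything else = 0."""
    if iface.security_level is not None:
        return iface.security_level
    return 100 if iface.nameif == "inside" else 0


def lint(interfaces):
    """Return (interface name, finding) pairs; interfaces without a nameif are skipped."""
    findings = []
    for i in interfaces:
        if i.nameif is None:
            continue   # no nameif: not a routed interface (e.g. the trunk parent)
        if i.security_level is None:
            findings.append((i.name, "no security-level configured; defaults to %d"
                             % effective_security_level(i)))
        m = SUBIF_RE.search(i.name)
        if m and i.vlan is not None and int(m.group(1)) != i.vlan:
            findings.append((i.name, "sub-interface number %s does not match vlan %d"
                             % (m.group(1), i.vlan)))
        if i.name.startswith("Management") and not i.management_only:
            findings.append((i.name, "management interface without management-only"))
        if i.shutdown:
            findings.append((i.name, "named interface is shut down"))
    return findings
```

Feed it the output of show running-config interface from a real unit and the two deviations planted in the sample are the kind of drift this catches in practice: a sub-interface renumbered without its VLAN, and a management port that has silently become a through-traffic interface.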
Redundant Interfaces – ASA 8.0(2)
• Redundant Interfaces provide nearly instantaneous, physical layer interface redundancy
• Can be used with or without failover
• Can be used with Sub-Interfaces (VLANs)
• Up to 8 redundant interfaces, 2 members per interface
• Uses the MAC address of the first member interface (first configured in order)
• If active fails, members swap MACs
• Alternatively, you can assign a MAC address to the redundant interface
• Use "show int redundant <num>" to verify
interface Redundant1
member-interface Ethernet0/2
member-interface Ethernet0/3
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0

ASA# show int redundant 1
…
Redundancy Information:
Member Ethernet0/2(Active), Ethernet0/3
Last switchover at 02:41:21 UTC Jun 24 2012

ASA# redundant-interface Redundant 1 active-member ethernet 0/3
EtherChannel – ASA 8.4(1)
• LACP or ON, PAgP not supported
• Port-channel inherits MAC from 1st member interface
• Use “show port-channel …” to verify

interface GigabitEthernet0/0
channel-group <num> mode {active | passive | on}
lacp port-priority <1-65535>
!
interface port-channel <num>
lacp max-bundle <1-8>
port-channel min-bundle <1-8>
port-channel load-balance …
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
IP Routing
ASA Routing
• The ASA performs L3 route lookup as part of its normal packet processing flow
o ASA is optimized as a ‘flow-based inspection’ device and is not optimized as a ‘packet forwarding’ router
o As such, ASA should not be considered a viable router replacement
• ASA may still need to become a routing device ‘source of truth’ in some network deployments
• ASA routing types:
o Static Routing
o Dynamic Routing
o Multicast Routing

[Figure: ASA with outside (security level 0, Static Default Route toward the Internet), DMZ (security level 50) and inside (security level 100, Static or IGP) interfaces]
ASA Routing
• Configuration is similar to IOS
• Metric and Admin Distance are supported
• PBR is not implemented until 9.4(1)
• null0 and loopback interfaces are not implemented  null0 introduced in 9.4(1)

ASA# show run route
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

ASA# show route
Gateway of last resort is 192.0.2.1 to network 0.0.0.0

C 10.1.1.0 255.255.255.0 is directly connected, inside
C 10.48.66.0 255.255.254.0 is directly connected, management
C 192.168.1.0 255.255.255.0 is directly connected, dmz
C 192.0.2.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, outside
ASA Routing Table
• Routing table is used to determine next hop for every packet
o Egress interface is often determined by other means
o Load-balancing on the ASA is possible only for multiple next hops available using a single egress interface
o No support for load-balancing same traffic across multiple interfaces  until 9.3(2)

ASA5555# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 10.48.66.1 to network 0.0.0.0

C 192.168.10.0 255.255.255.0 is directly connected, inside
C 10.10.10.0 255.255.255.0 is directly connected, dmz
C 10.10.20.0 255.255.255.0 is directly connected, dmz2
C 10.48.66.0 255.255.254.0 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, fover
S* 0.0.0.0 0.0.0.0 [1/0] via 10.48.66.1, outside
Static Routing
route <if_name> <network> <mask> <next_hop> <metric>

route outside 0.0.0.0 0.0.0.0 171.11.23.1 1
route inside 10.0.2.0 255.255.255.0 10.0.1.100 1
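An added example, not from the deck, of the lookup the routing table drives for every packet: it parses show route lines in the format shown on the previous slides, performs a longest-prefix match with administrative distance and then metric as tie-breakers, and adds a static route in the shape of the route command. The show route text is constructed from the slide's example plus one invented static route, and the destinations looked up are constructed too.

```python
import ipaddress
import re

# Constructed 'show route' output modelled on the slide's example (not a capture).
SHOW_ROUTE = """\
Gateway of last resort is 192.0.2.1 to network 0.0.0.0

C 10.1.1.0 255.255.255.0 is directly connected, inside
C 10.48.66.0 255.255.254.0 is directly connected, management
C 192.168.1.0 255.255.255.0 is directly connected, dmz
C 192.0.2.0 255.255.255.0 is directly connected, outside
S 10.0.2.0 255.255.255.0 [1/0] via 10.1.1.100, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, outside
"""

CONNECTED = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+is directly connected,\s+(\S+)$")
VIA = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(\S+)$")


def parse_show_route(text):
    """Turn show route lines into route dicts; the codes legend and gateway line are skipped."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        m = CONNECTED.match(line)
        if m:
            code, net, mask, ifname = m.groups()
            routes.append({"code": code, "prefix": ipaddress.ip_network(f"{net}/{mask}"),
                           "ad": 0, "metric": 0, "next_hop": None, "interface": ifname})
            continue
        m = VIA.match(line)
        if m:                                   # [ad/metric] as printed by the ASA
            code, net, mask, ad, metric, nh, ifname = m.groups()
            routes.append({"code": code, "prefix": ipaddress.ip_network(f"{net}/{mask}"),
                           "ad": int(ad), "metric": int(metric), "next_hop": nh,
                           "interface": ifname})
    return routes


def lookup(routes, dst):
    """Longest-prefix match; ties go to the lower administrative distance, then lower metric.
    Returns (egress interface, next hop); next hop is None for a directly connected network."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["prefix"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["prefix"].prefixlen, -r["ad"], -r["metric"]))
    return best["interface"], best["next_hop"]


def add_static(routes, ifname, network, mask, next_hop, distance=1):
    """Equivalent of 'route <if_name> <network> <mask> <next_hop> [distance]'; the trailing
    number is what show route prints first inside the [1/0] brackets."""
    routes.append({"code": "S", "prefix": ipaddress.ip_network(f"{network}/{mask}"),
                   "ad": int(distance), "metric": 0, "next_hop": next_hop, "interface": ifname})
    return routes
```

Note that the default route only wins when nothing more specific covers the destination: adding a /25 for part of 10.0.2.0/24 diverts only that half, as the test below checks.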
Dynamic Routing
• ASA supports most IGP routing protocols
o OSPF v2 & OSPF v3 (IPv6)
o EIGRP
o RIP v1/v2
o BGPv4 (9.2.1) & BGPv6 (9.3.2)

ASA5555(config)# router ?
configure mode commands/options:
eigrp Enhanced Interior Gateway Routing Protocol (EIGRP)
ospf Open Shortest Path First (OSPF)
rip Routing Information Protocol (RIP)
Objects & Object Groups
Unified Objects
• First introduced in 8.3
• Useful to refer to IP addresses, subnets, ranges or services by name  easier management
• Types of objects:
o Network Object is a named container which holds an IP (host, network, range, or FQDN)
o Service Object is used with TCP, UDP, and ICMP as well

object network Server
host 192.168.1.2
object network LAN
subnet 10.1.0.0 255.255.0.0
object network Pool
range 10.1.1.1 10.1.1.254
object network CISCO
fqdn www.cisco.com

object service MSSQL_ADMIN
service tcp destination eq 1434
object service ICMP_ADMIN_PROHIBITED
service icmp unreachable 9
object service RTP_PORTS
service udp source range 16384 32767 destination range 16384 32767
Unified Objects (cont.)
• Objects can be applied in:
o Object-groups
o Access-lists
o NAT Rules (8.3 & later)

object-group network ServerFarm
network-object object WebServer
network-object object ServerNet

access-list outside permit tcp any object WebServer eq 80

nat (inside,outside) source static WebServer PublicWebServer
Object Groups
• Tie multiple similar objects into a single policy entity
• Significantly simplify policy management
• Types of object groups:
o Network  group of host or subnet IP addresses
o Protocol  group of protocols, such as TCP, etc
o Service  group of TCP/UDP ports/services
o ICMP type  group of ICMP types, such as echo
o User  single identity user, local or import user group
• Can be used in:
o ACLs
o NAT (8.3 & later)

object-group network INSIDE_NETWORKS
network-object object ACCOUNTING
network-object 2001:DB8::/64
network-object 192.168.2.0 255.255.255.0
group-object BRANCH_NETWORKS
object-group network BRANCH_NETWORKS
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
Access Control Lists (ACL)
Access Control Lists (ACL)
• access-lists are used mainly to block or permit traffic into an interface.
• As in IOS we have standard ACL as well as extended ACL.
• The access-group command binds an access-list to an interface either inbound or outbound.
• Each interface can have only one access list applied per each direction.

access-list acl_name [deny | permit] protocol src_addr src_mask operator port dest_addr dest_mask operator port
access-list acl_name [deny | permit] icmp src_addr src_mask dest_addr dest_mask icmp_type [ icmp_code ]

access-group acl_name {in | out} interface interface-name
Access Control Lists (ACL)
• The access-list command is identical to the one in IOS, except subnet masks are used to specify networks/hosts instead of wildcard bits (inverse masks) as is done in IOS.
• An important note: there is an implicit deny ip any any at the end of each access-list, as there is in IOS.
Global ACLs
• Starting from ASA 8.3, a global ACL can be applied.
• Interface independent policy
• Global ACL is applied inbound on all interfaces.
• Global ACLs are only for transient traffic, not traffic destined to-the-ASA
• Best used for new installations, or migration from other vendor products

access-group <access_list> [global]

Policy Ordering:
1. Interface Specific access-list
2. Global access-list
3. Default (implicit) deny ip any any
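The following Python, added here and not part of the slides or of any Cisco code, models the two passages above together: network objects and nestable object-groups from the Objects & Object Groups slides (host, subnet, range and literal members; FQDN objects are left out because they need the ASA's DNS resolution), and the policy ordering of interface ACL, then global ACL, then the implicit deny ip any any. The object names reuse those on the slides; the global ACL, the IPv6 member and the packets evaluated are constructed for the example.

```python
import ipaddress


class NetworkObjects:
    """Named network objects and nestable object-groups, as on the Objects slides."""

    def __init__(self):
        self.objects = {}   # name -> list of ip_network or (first, last) address tuples
        self.groups = {}    # name -> ordered member references (objects, literals, groups)

    def host(self, name, ip):                        # object network X / host A
        self.objects[name] = [ipaddress.ip_network(ip)]

    def subnet(self, name, net, mask):               # object network X / subnet N M
        self.objects[name] = [ipaddress.ip_network(f"{net}/{mask}")]

    def addr_range(self, name, first, last):         # object network X / range A B
        self.objects[name] = [(ipaddress.ip_address(first), ipaddress.ip_address(last))]

    def group(self, name, *members):                 # object-group network X / network-object ...
        self.groups[name] = list(members)

    def contains(self, ref, addr, _seen=()):
        """True if `addr` is covered by the object, object-group or literal named by `ref`."""
        addr = ipaddress.ip_address(addr)
        if ref == "any":
            return True
        if ref in self.objects:
            for member in self.objects[ref]:
                if isinstance(member, tuple):        # range: compare only within one IP version
                    if member[0].version == addr.version and member[0] <= addr <= member[1]:
                        return True
                elif addr in member:                 # ip_network answers False on a v4/v6 mismatch
                    return True
            return False
        if ref in self.groups:                       # group-object nesting, with loop protection
            if ref in _seen:
                raise ValueError(f"object-group loop through {ref}")
            return any(self.contains(m, addr, _seen + (ref,)) for m in self.groups[ref])
        # Literal member: "192.168.2.0 255.255.255.0", "2001:DB8::/64" or a single host.
        # ASA syntax takes a real subnet mask, never an IOS-style wildcard mask.
        return addr in ipaddress.ip_network(ref.replace(" ", "/"), strict=False)


def ace(action, proto, src, dst, dport=None):
    """One access-list entry: permit/deny, protocol, source, destination, optional 'eq' port."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(entry, objs, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if entry["dport"] is not None and entry["dport"] != pkt.get("dport"):
        return False
    return objs.contains(entry["src"], pkt["src"]) and objs.contains(entry["dst"], pkt["dst"])


def evaluate(interface_acl, global_acl, objs, pkt):
    """Policy ordering for through traffic on ASA 8.3 and later: the interface ACL is checked
    first, then the global ACL, then the implicit deny ip any any. First match decides.
    Returns (action, which list decided)."""
    for name, acl in (("interface", interface_acl), ("global", global_acl)):
        for entry in acl:
            if ace_matches(entry, objs, pkt):
                return entry["action"], name
    return "deny", "implicit"


def build_demo():
    """Constructed policy reusing the slides' object names; the global ACL is invented here."""
    objs = NetworkObjects()
    objs.host("WebServer", "10.1.1.2")
    objs.subnet("ServerNet", "10.1.1.0", "255.255.255.0")
    objs.addr_range("Pool", "10.1.1.1", "10.1.1.254")
    objs.group("ServerFarm", "WebServer", "ServerNet")
    objs.group("BRANCH_NETWORKS", "172.16.1.0 255.255.255.0", "172.16.2.0 255.255.255.0")
    objs.group("INSIDE_NETWORKS", "2001:DB8::/64", "192.168.2.0 255.255.255.0", "BRANCH_NETWORKS")
    outside_acl = [ace("permit", "tcp", "any", "WebServer", 80)]                # in interface outside
    global_acl = [ace("permit", "tcp", "INSIDE_NETWORKS", "ServerFarm", 443)]   # access-group ... global
    return objs, outside_acl, global_acl
```

The loop guard in contains matters in practice: a group that (through nesting) refers back to itself would otherwise recurse without end, and the ASA itself rejects such a definition.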
Access Control Lists (ACL) Usage

1. Interface ACLs
2. NAT (8.2 & earlier only)
3. VPN
4. Matching traffic for inspection, QoS & connection settings
5. Sending traffic to modules
Permitting Inbound Access
• If an access-list is bound to the outside interface, permitting traffic in, then inbound traffic that matches the access-list is allowed from lower to higher security interfaces.
• The following allows anyone to access 171.11.23.2 on port 80 (web).
*(assuming there is a corresponding static nat)

access-list 100 permit tcp any 171.11.23.2 255.255.255.255 eq 80
access-group 100 in interface outside
Deny Web Access to the Internet (Outbound Access)
ASAfirewall(config)# show running-config
...
access-list acl_out deny tcp any any eq www
access-list acl_out permit ip any any
access-group acl_out in interface inside
...

• Denies web traffic on port 80 from the inside network to the Internet
• Permits all other IP traffic from the inside network to the Internet

[Figure: inside network, ASA, Internet; WWW blocked, other IP traffic permitted]
ICMP Access Rules
ICMP (to/from the ASA)
• By default:
o User can only ping the local interface of the firewall (the facing interface)
o User cannot ping remote (far) interface of the firewall (by design).
o The ASA does not respond to ICMP echo requests directed to a broadcast address.

[Figure: echo request from an inside host toward the ASA's inside, dmz and outside (Internet) interfaces]
ICMP Access Rules
• To protect the device from attacks, you can use ICMP rules to limit ICMP access to ASA interfaces to particular hosts, networks, or ICMP types.
• ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action.
• If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the ICMP rule list, changing the default behavior.
• You must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.
Configure ICMP Rules
icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name

• If you do not specify an icmp_type, the rule applies to all types.
• To control ping, specify echo-reply (0) (ASA-to-host) or echo (8) (host-to-ASA).

hostname(config)# icmp deny host 10.1.1.15 inside
hostname(config)# icmp permit any inside
hostname(config)# icmp permit host 10.1.1.15 inside
hostname(config)# icmp deny any echo-reply outside
hostname(config)# icmp permit any packet-too-big outside
Connections & Translations
Connections vs. Translations
• Translations  xlate table
o IP address to IP address translation
o Independent of the conn table
o Maximum size is only limited by available memory
• Connections  conn table
o Mapping of L4 information from internal to external addresses.
o Every incoming packet is checked against the table
o Building conn: when a SYN packet arrives for TCP, or when the first packet arrives for UDP.
o Tearing down conn: receiving the final ACK packet for TCP, or when the timeout expires for the UDP session.
o Biggest memory consumer (maximum count is limited by platform)
Control Connections & Translations
• The show xlate command displays the contents of the translation slots
show xlate [global_ip [local_ip]]

• The clear xlate command clears the contents of the translation slots
clear xlate [global_ip [local_ip]]

• The show conn command displays the contents of the connection table
show conn

• The clear conn command clears the contents of the connection table
clear conn
Network Address Translation (NAT)
IPv4 Addressing Problem

[Figure: internal hosts 10.0.0.11 and 10.0.0.4 behind NAT appear on the Internet as 1.1.1.1]

• NAT was created to overcome several addressing problems that occurred with the expansion of the Internet:
o To mitigate global address depletion
o To use RFC 1918 addresses internally
o To conserve internal address plan
• NAT also increases security by hiding the internal topology.
NAT Evolution within ASA Software
• Pre 7.0 (PIX Family): nat-control was the only model. You always have to provide an
explicit answer regarding NAT (even “no NAT”)
• From 7.0 to 8.2.X: no nat-control is the default operation mode. NAT is optional but can be
made mandatory if you configure nat-control explicitly.
• Starting on 8.3: New NAT Model
o No concept of nat-control anymore
o Brand new syntax
o NAT Table divided in 3 Sections
o Easier to define Dual NAT rules
o When NAT is in place, permissions on ACLs refer to the Real Address (as opposed to previous
models which considered the Translated Address)
NAT in ASA 8.2 & earlier
Access Through the ASA Firewall

[Figure: ASA Firewall with GE0/1 inside (security level 100) and GE0/0 outside (security level 0) toward the Internet; outbound access uses nat and global, inbound access uses static and access-list]
ASA NAT Types
• ASA mainly has the following NAT types:
1) Dynamic NAT  nat & global commands
2) PAT  nat and global commands
3) Static NAT  static command
4) Static PAT  static command
NAT-Control
• Nat-Control means that all the traffic passing the firewall must be controlled by NAT; in other words, if the traffic doesn’t have a translation it will be denied from passing through.
• If Nat-control is disabled, traffic is allowed to pass without a translation entry; however, if there is a translation statement configured it will still be applied.
• NAT-Control was enabled by default on old PIX versions and disabled by default on versions 7.0 – 8.2 on both PIX and ASA.
• This feature no longer exists starting with ASA 8.3
• We will assume that nat-control is enabled for the coming slides

ASA1# show running-config nat-control
nat-control

ASA1# show nat dmz out
match ip dmz any out any
no translation group, implicit deny
policy_hits = 0
Inside Address Translation
• Inside NAT translates addresses of hosts on higher security level to a less secure interface:
o Dynamic translation
o Static translation

[Figure: Dynamic translation: inside local 10.0.0.4 takes an outside global address from the IP address pool 1.1.1.20-254 (1.1.1.20 in the picture) to reach a Web Server on the Internet; Static translation: inside local 10.0.0.11 is mapped to outside global 1.1.1.10]
Dynamic Translation
• If NAT-control is enabled, no traffic can pass through the ASA until a
translation can be built.
• Dynamic translations are built using:
1) Network Address Translation (NAT)  one-to-one mapping
OR
2) Port Address Translation (PAT)  many-to-one mapping
Dynamic Translation

• The nat command is used to specify which networks (or hosts) and source interface
which are allowed to be translated to access networks (or hosts) on another interface.
• The global command is used to define which destination interface you want users to
access from the source interface defined by the nat command.
• One or more global statements are coupled to one or more nat statements
depending on the nat_ID.
• The nat_ID can be any number greater than 0, and it corresponds to the
complementary global statement
Network Address Translation (NAT)
• Network Address Translation (NAT) creates a one-to-one mapping between a local IP and another global IP (i.e. changing the source IP)
• For outbound traffic, the source IP address of the packet on the higher security level interface is translated to an IP address that is available in a global pool of IPs. The source port remains the same; it’s just IP translation.
• The return packet’s destination IP address is translated again as the packet traverses from the lower security level interface to the higher security level interface; the firewall does that by checking the xlate table to match translated IPs

nat (inside) 1 0 0
global (outside) 1 192.150.50.9-192.150.50.254 netmask 255.255.255.0
NAT Illustration Example
• ASA checks security rules
• Source IP address replaced from global pool (Global IP Pool 192.150.50.9 - 192.150.50.254)

Inside (before translation)          Outside (after translation)
Source Addr 10.0.0.3                 Source Addr 192.150.50.10
Destination Addr 200.200.200.10      Destination Addr 200.200.200.10
Source Port 49090                    Source Port 49090
Destination Port 23                  Destination Port 23

[Figure: hosts 10.0.0.3 and 10.0.0.4 on the Inside, DMZ, ASA, Outside toward the Internet]
NAT Configuration Example
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 172.16.1.128-172.16.1.254 netmask 255.255.255.0

• Creates a global pool of IP addresses for connections to the outside
• All inside addresses will be address translated to global addresses
• ASA assigns addresses from global pool starting at the low end to the high end of the range specified in global command

[Figure: Perimeter Router (172.16.1.1, 172.16.1.3), ASA (outside 172.16.1.2, inside 10.1.1.1), internal routers 10.1.1.2 and 10.1.1.3 toward the Engineering, Sales and Information Systems networks (10.1.3.0, 10.1.2.0)]
NAT Configuration Example
nat (inside) 3 10.1.0.0 255.255.255.0
nat (inside) 3 10.1.1.0 255.255.255.0
nat (inside) 3 10.1.2.0 255.255.255.0
nat (inside) 3 10.1.3.0 255.255.255.0
global (outside) 3 172.16.1.10-172.16.1.115

or

nat (inside) 3 10.1.0.0 255.255.252.0
global (outside) 3 172.16.1.10-172.16.1.115

• Translates inside IP addresses to addresses specified in global command
• Still maintains firewall security for connection

[Figure: same topology as the previous example: Perimeter Router, ASA (outside 172.16.1.2, inside 10.1.1.1), Engineering, Sales and Information Systems networks]
Two Interfaces with NAT (Multiple Internal Networks)
• All hosts on the inside networks can start outbound connections.
• A separate global pool is used for each internal network.
ASAfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
ASAfirewall(config)# nat (inside) 2 10.1.0.0 255.255.255.0
ASAfirewall(config)# global (outside) 1 192.168.0.1-192.168.0.14 netmask 255.255.255.240
ASAfirewall(config)# global (outside) 2 192.168.0.17-192.168.0.30 netmask 255.255.255.240

[Figure: internal networks 10.0.0.0/24 and 10.1.0.0/24 behind the ASA; outside network 192.168.0.0 toward the Internet with Global Pool 192.168.0.1-14 for the first and Global Pool 192.168.0.17-30 for the second]
Three Interfaces with NAT (Multiple Internal Networks)
ASAfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
ASAfirewall(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
ASAfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
ASAfirewall(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0

• Inside users can start outbound connections to both the DMZ and the Internet.
• The nat (dmz) command gives DMZ services access to the Internet.
• The global (dmz) command gives inside users access to the web server on the DMZ.

[Figure: ASA with ge0 outside .2 (security level 0) on 192.168.0.0/24 toward the Internet (.1) and an Outside Server 172.26.26.50; ge2 dmz .1 (security level 50) on 172.16.0.0/24 with the DMZ Web Server .2; ge1 inside .1 (security level 100) on 10.0.0.0/24 with the Inside Host .3]
Identity NAT (nat 0)
• Identity NAT using nat 0 is used to translate the IP address to itself (self translation)
• This is still considered as a translation
• Creates a dynamic translation in the xlate table.
• nat 0 still maintains firewall security for all connections
• Does not need a global command
• Applies on all egress interfaces
• Identity NAT is unidirectional in nature and is not suited for “publishing” a server address

nat (inside) 0 0.0.0.0 0.0.0.0
nat (inside) 0 192.168.1.0 255.255.255.0

[Figure: 192.168.1.0/24 on the Inside (security level 100) appears unchanged as 192.168.1.0/24 on the DMZ (security level 50)]
Port Address Translation (PAT)
• The translation entry is a combination of the IP address and the
source port number.
• Same IP address is used for all the packets but with different source
port for each session.
• The IP used for PAT can be either the interface IP or a dedicated IP
used to translate outgoing packets.
nat (inside) 1 0 0
global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0


global (outside) 1 170.1.1.10
PAT Example
• ASA checks security rules
• Source IP replaced with same global IP address
• Source port changed to a unique number greater than 1024

Global Pool: 192.150.50.10/24

Host 10.0.0.3, Inside (before)       Outside (after)
Source Addr 10.0.0.3                 Source Addr 192.150.50.10
Destination Addr 200.200.200.10      Destination Addr 200.200.200.10
Source Port 49090                    Source Port 2000
Destination Port 23                  Destination Port 23

Host 10.0.0.4, Inside (before)       Outside (after)
Source Addr 10.0.0.4                 Source Addr 192.150.50.10
Destination Addr 200.200.200.10      Destination Addr 200.200.200.10
Source Port 49090                    Source Port 2001
Destination Port 23                  Destination Port 23

[Figure: hosts 10.0.0.3 and 10.0.0.4 on the Inside, ASA, Outside 192.150.50.10 toward the Internet]
PAT Configuration Example – Using
Single Global Address
ASAfirewall(config)# global (outside) 1 2.2.2.2
ASAfirewall(config)# nat (inside) 1 10.0.0.0 255.0.0.0

• Assign single IP address (2.2.2.2) to global statement.
• Source addresses of hosts in network 10.0.0.0 are translated to 2.2.2.2 for outgoing access
• Source port changed to a unique number greater than 1024
PAT Configuration Example – Using
interface Address
ASAfirewall(config)# global (outside) 1 interface
ASAfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0

• Use the interface option to enable use of the outside interface as the PAT address
• Source addresses of hosts in network 10.0.0.0 are translated to outside interface
address for outgoing access
Using a Global NAT Pool with PAT
• PAT and NAT can be used together.
• PAT is used only when NAT is not available.
• First NAT will take place; after the exhaustion of the global pool, PAT will take place.
• Multiple PAT statements are used one after the other, in the order they are configured.

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 170.1.1.1-170.1.1.9
global (outside) 1 170.1.1.10
global (outside) 1 170.1.1.11
Using a Global NAT Pool with PAT
ASAfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
ASAfirewall(config)# global (outside) 1 192.168.0.20-192.168.0.254
ASAfirewall(config)# global (dmz) 1 192.168.0.19

• When hosts on the 10.0.0.0 network access the outside network through the firewall, they are assigned public addresses from the 192.168.0.20-192.168.0.254 range
• When the addresses from the global pool are exhausted, PAT begins
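The pool-then-PAT behaviour of the last two slides, as an added Python model that is not ASA code: a range in a global statement is a dynamic NAT pool handed out one address per inside host from the low end, a single address is a PAT address, PAT starts only once the pool is exhausted, and several PAT addresses are consumed in configured order. The port range is deliberately tiny and configurable so that falling over to the second PAT address is visible in a few calls; the ASA's real port selection is not sequential. Global statements are the slide's 170.1.1.x addresses; the inside hosts and ports are constructed.

```python
import ipaddress


class GlobalStatement:
    """One 'global (if) id A[-B]' line: a range is a dynamic NAT pool, one address is PAT."""

    def __init__(self, first, last=None):
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last) if last else lo
        self.addresses = [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]
        self.is_pat = len(self.addresses) == 1


class DynamicTranslator:
    """Dynamic NAT with PAT fallback for the global statements of one nat_ID, in configured
    order. pat_ports bounds the PAT port range; the ASA uses ports above 1024 (kept small here)."""

    def __init__(self, globals_, pat_ports=(1025, 65535)):
        self.free_pool = [a for g in globals_ if not g.is_pat for a in g.addresses]  # low end first
        self.pat_addresses = [g.addresses[0] for g in globals_ if g.is_pat]
        self.pat_ports = pat_ports
        self.next_port = {a: pat_ports[0] for a in self.pat_addresses}
        self.nat_xlates = {}      # real ip -> mapped ip (one-to-one, reused by the same host)
        self.pat_xlates = {}      # (real ip, real port) -> (mapped ip, mapped port)

    def translate(self, real_ip, real_port):
        """Return (mapped ip, mapped port, kind) for an outbound flow."""
        if real_ip in self.nat_xlates:                    # host already owns a pool address
            return self.nat_xlates[real_ip], real_port, "NAT"
        if self.free_pool:                                # NAT first: pool not yet exhausted
            mapped = self.free_pool.pop(0)
            self.nat_xlates[real_ip] = mapped
            return mapped, real_port, "NAT"
        key = (real_ip, real_port)
        if key in self.pat_xlates:
            mapped, port = self.pat_xlates[key]
            return mapped, port, "PAT"
        for addr in self.pat_addresses:                   # PAT addresses in configured order
            port = self.next_port[addr]
            if port <= self.pat_ports[1]:
                self.next_port[addr] = port + 1
                self.pat_xlates[key] = (addr, port)
                return addr, port, "PAT"
        raise RuntimeError("global pool and PAT ports exhausted: the connection is dropped")

    def release_nat(self, real_ip):
        """A dynamic NAT xlate timed out: the global address goes back to the pool."""
        mapped = self.nat_xlates.pop(real_ip)
        self.free_pool.append(mapped)
        return mapped
```

Sizing follows from the model: a pool of N addresses serves at most N simultaneous inside hosts with plain NAT, while each PAT address adds tens of thousands of flows, which is why the slide pairs a small pool with one or two PAT addresses as overflow.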
Static NAT
static (real_if_name,mapped_if_name) mapped_ip real_ip [netmask network_mask] [max_conns [em_limit]] [norandomseq]

• The static statement is usually used to permanently associate a host address (or network address) on a higher security level interface with a host address (or network address) on a lower security level interface.
• Static NAT is a bi-directional NAT
• Static NAT creates a permanent xlate entry in the xlate table  never expires
• The following statically NATs host 10.10.10.1 on the inside to 5.5.5.5 on the outside.

ASAfirewall(config)# static (inside, outside) 5.5.5.5 10.10.10.1
Static NAT
• To allow hosts on a lower security level interface to access hosts on a higher security level interface the static statement should be coupled with an access-list statement.
• Example: say we have 10.10.10.10 as a web server in the DMZ and we want to publish it as 5.5.5.5 and allow access to it from the outside:

static (DMZ,outside) 5.5.5.5 10.10.10.10
access-list permit_web_access permit tcp any host 5.5.5.5 eq 80
access-group permit_web_access in interface outside

[Figure: DMZ web server 10.10.10.10 published to the Internet as 5.5.5.5]
Static NAT
[Figure: inside host 10.0.1.3 seen from the Internet as 2.2.2.2]

ASAfirewall(config)# static (inside,outside) 2.2.2.2 10.0.1.3

• Statically maps a local IP address to a global IP address
• Packet from 10.0.1.3 has source address of 2.2.2.2
• Permanently maps a single IP address  create a static permanent entry in xlate table
• Recommended for internal service hosts (internal servers)
• We can read this statement as:
o The outside users will see my inside server that has the ip 10.0.1.3 with this ip 2.2.2.2 instead.
Static NAT - Host Translation
[Figure: ASA with outside 1.1.1.1 toward the Internet (1.1.1.2); inside host 10.0.1.3 and DNS Server 10.0.1.10]

ASAfirewall(config)# static (inside, outside) 1.1.1.101 10.0.1.10 100 700

• Packet from 10.0.1.10 has source address of 1.1.1.101
• Permanently maps a single IP address
• The maximum number of simultaneous tcp connections the host allows is 100
• The maximum number of embryonic connections per host is 700
• The max_conns value applies to both inbound and outbound connections
• Recommended for internal service hosts like a DNS server
Static NAT - Network Translation
[Figure: 172.16.1.0/24 on the outside maps to 10.1.1.0/24 on the inside]

ASAfirewall(config)# static (inside,outside) 172.16.1.0 10.1.1.0 netmask 255.255.255.0

• Net statics permanently map a complete network range of IP addresses
• 256 addresses are mapped in this example
• Mapping will happen as one-to-one, i.e. 10.1.1.1 will take 172.16.1.1, so on and so forth.
Static NAT
• Static NAT is bi-directional
• Means it can be source translation or destination translation
• Source translation is when the host (real IP) is the source and the access is from the host’s interface to the mapped interface (the one we published the host to)
o e.g. The server itself is accessing the internet  Outbound access
• Destination translation is when the host is the destination and someone on the mapped interface is trying to access that host by its published (translated) address
o e.g. Accessing the internal server from the internet  Inbound access

ASAfirewall(config)# static (inside, outside) 5.5.5.5 10.10.10.1
Static NAT Example: Destination NAT
[Figure: Inside clients 10.1.1.3 and 10.1.1.4 reach the DMZ Web Server (External: 172.11.0.2, Internal: 192.168.1.2) with the DNS Server on the Outside / Internet: #1 DNS query for www.cisco.com, #2 DNS response for www.cisco.com, #3 Client Request to 172.11.0.2, #4 Dest. NAT to 192.168.1.2, #5 Server Reply]

static (DMZ, Outside) 172.11.0.2 192.168.1.2 netmask 255.255.255.255
static (DMZ, Inside) 172.11.0.2 192.168.1.2 netmask 255.255.255.255
Static NAT Example: Permit ONLY Web Access to the DMZ
• The ACL acl_out_dmz permits web traffic on port 80 from the Internet to the DMZ Web server
• The ACL acl_out_dmz denies all other IP traffic from the Internet

static (dmz,outside) 192.168.0.11 172.16.0.2
access-list acl_out_dmz permit tcp any host 192.168.0.11 eq www
access-list acl_out_dmz deny ip any any
access-group acl_out_dmz in interface outside

[Figure: Internet side 192.168.0.0/24; DMZ 172.16.0.0/24 with the DMZ Web server 172.16.0.2]
Static Identity
• Static Identity NAT is a self translation where the IP address is statically translated to itself and published to the mapped interface.
• It also creates a static permanent xlate entry in the xlate table that never expires.
• We can use it when we need to provide access to some hosts/networks using the same real IP address(es)
• In this example we published the DMZ web server to the inside LAN by its real IP address.

ASAfirewall(config)# static (dmz, inside) 10.10.10.100 10.10.10.100

[Figure: Inside clients 10.1.1.3 and 10.1.1.4; DMZ Web Server 10.10.10.100; Outside]
Static PAT
static (real_if_name,mapped_if_name) {tcp|udp} {mapped_ip |interface} mapped_port real_ip real_port [netmask mask] [max_conns[emb_limit [norandomseq]]]

• Static PAT also called: Port Forwarding/Redirection
• The static PAT command creates a permanent mapping between a local IP address/port with a global IP address/port. Connection limit options limit embryonic and maximum number of connections.
• Static PAT can be used to overload the outside interface address of the ASA and map mail, web, ftp and other servers to various internal IPs.
• Static PAT is not limited to the outside interface. It can be used for any global address.
Static PAT
Interface PAT
static (inside,outside) tcp interface telnet 10.1.1.3 telnet netmask 255.255.255.255
static (inside,outside) tcp interface www 10.1.1.2 www netmask 255.255.255.255

Static PAT
static (inside,outside) tcp 172.11.0.9 telnet 10.1.1.6 telnet netmask 255.255.255.255
static (inside,outside) tcp 172.11.0.9 ftp 10.1.1.5 ftp netmask 255.255.255.255

Changing Ports
static (inside,outside) tcp 172.11.0.8 8080 10.1.1.7 www netmask 255.255.255.255

• You still need to permit the traffic inbound on the outside interface  inbound ACL
• Note: For the above examples, if the internal servers also needed outbound access, a nat
statement would need to include their address with a corresponding global.
NAT Example
ASAfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
ASAfirewall(config)# global (outside) 1 192.168.0.10-192.168.0.254
ASAfirewall(config)# global (dmz) 1 172.16.0.10-172.16.0.254

ASAfirewall(config)# static (dmz,outside) 192.168.0.11 172.16.0.2
ASAfirewall(config)# access-list 100 permit tcp any host 192.168.0.11 eq http
ASAfirewall(config)# access-group 100 in interface outside

ASAfirewall(config)# static (dmz,dmz2) 172.26.26.11 172.16.0.2
ASAfirewall(config)# access-list 101 permit tcp any host 172.26.26.11 eq http
ASAfirewall(config)# access-group 101 in interface dmz2
Policy NAT/PAT/Static
• Policy NAT/PAT/Static means to translate traffic based on an access-list defining the criteria for allowing or denying the NAT process.
• To use the policy NAT/PAT/Static feature we need to have an ACL that permits or denies (based on what we want), then define the NAT/PAT/Static and associate the ACL with it.
• To allow a packet to get translated we need to allow it in an access-list, and vice versa.
• We can set the criteria by specifying IP addresses as well as ports if we want to

access-list 100 permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 1 access-list 100
nat (inside) 2 0 0
global (outside) 1 5.5.5.1-5.5.5.254
global (outside) 2 interface
Policy NAT
access-list 100 permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 1 access-list 100
nat (inside) 2 0 0
global (outside) 1 5.5.5.1-5.5.5.254
global (outside) 2 interface
Policy PAT
access-list 100 permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 1 access-list 100
global (outside) 1 5.5.5.5
Policy Static
access-list 100 permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
static (inside,outside) 5.5.5.0 access-list 100

access-list 101 permit ip host 10.10.10.1 host 20.20.20.2
static (inside,outside) 5.5.5.5 access-list 101
Policy Static PAT
access-list 101 extended permit tcp host 10.10.10.100 eq www 5.5.5.0 255.255.255.0
static (inside,outside) tcp 1.1.1.100 www access-list 101

ciscoasa(config)# show nat
match tcp inside host 10.10.10.100 eq 80 outside 5.5.5.0 255.255.255.0
static translation to 1.1.1.100/80
translate_hits = 0, untranslate_hits = 0
NAT Exemption
• NAT exemption is a nat 0 with an access list defining the traffic.
• It excludes the traffic from being translated  bypasses NAT
• It is used mostly in VPN, as in VPN we usually don’t want the VPN traffic to be translated, while all other traffic should be translated to pass the firewall.
• Unlike policy NAT, NAT exemption does not consider the ports in the access list; we only specify the real and destination IP addresses.
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
global (outside) 1 interface
NAT Exemption vs. Identity NAT
• NAT Exemption
o nat 0 with ACL
nat (real_interface_name) 0 access-list acl_name
o This works exactly the same way as static identity, except it bypasses NAT.
o Does not create xlate entries.
o It is bi-directional.

nat (inside) 0 access-list nonat

• Identity NAT (Regular Identity NAT)
o nat 0 without ACL
nat (real_interface_name) 0 real_ip [mask]
o Makes self translation
o Creates a dynamic xlate entry
o It is uni-directional only  outbound from the real interface

nat (inside) 0 0.0.0.0 0.0.0.0
nat (inside) 0 192.168.1.0 255.255.255.0
Identity NAT vs. Static Identity
• Identity NAT
o Self translation
o Creates a dynamic xlate entry
o It is uni-directional only  outbound from the real interface
o It is not suited for “publishing” a server address

nat (dmz) 0 10.10.10.130 255.255.255.255

ASA1# show xlate debug
1 in use, 5 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from dmz:10.10.10.130 to out:10.10.10.130 flags iI idle 0:00:21 timeout 3:00:00

• Static Identity
o Self translation
o Creates a static xlate entry
o It is bi-directional
o Commonly used for address publishing

static (dmz,out) 10.10.10.130 10.10.10.130

ASA1# show xlate debug
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from dmz:10.10.10.130 to out:10.10.10.130 flags s idle 0:00:13 timeout 0:00:00
Outside NAT
• Using NAT to translate outside address to inside using a NAT and Global
• Goal: Users coming from the 209.165.201.0 network should be PATed to 172.18.124.5 when they access the web server: www.myco.com
One would think the following commands would suffice:
nat (outside) 1 209.165.201.0 255.255.255.0 outside
global (inside) 1 172.18.124.5
static (inside,outside) 210.10.10.10 192.168.101.100
access-list 101 permit tcp any host 210.10.10.10
access-group 101 in interface outside

[Figure: Internet with www.cisco.com and the 209.165.201.0 network (209.165.201.1, 209.165.201.2); ASA outside 210.10.10.1, inside on 172.18.124.0 (.253, .254); Web Server www.myco.com at 192.168.101.100, published as 210.10.10.10]
Outside NAT
• However, the previous commands are not enough! Once you apply a nat command to the Outside interface, you need to define all IPs out that interface in a nat command. Otherwise, when an internal host attempts to make an outbound connection, it will get:
305005: No translation group found…
• By applying a single nat statement to the Outside interface, you have effectively hidden everything on the Outside interface from the Inside. The only way to resolve this is to un-hide the rest of the IPs out the Outside interface.
Outside NAT
• Here is the full configuration needed to resolve this:
! Deny the traffic we want to use Outside NAT on and permit all else
access-list nonat deny ip 209.165.201.0 255.255.255.0 any
access-list nonat permit ip any any
nat (outside) 0 access-list nonat

! Now, apply Outside NAT
nat (outside) 1 209.165.201.0 255.255.255.0 outside
global (inside) 1 172.18.124.5

! Don’t forget, we still need the static for inbound, plus an ACL
static (inside,outside) 210.10.10.10 192.168.101.100
access-list 101 permit tcp any host 210.10.10.10
access-group 101 in interface outside
Overlapping Address Problem
• Problem: We are using the same internal network as another company, and we need to access that other company.
• Solution: Use outside static NAT to translate the other company’s address range into another network:
static (inside,outside) 200.10.10.0 209.165.201.0
static (outside,inside) 200.10.10.0 209.165.201.0
route outside 209.165.201.0 255.255.255.128 210.10.11.111
route outside 209.165.201.128 255.255.255.128 210.10.11.111 1
• Note: this can also be done by translating only the other company’s addresses with static, and using nat and global for the internal network.
[Diagram: Host A (.1) on the local 209.165.201.0 network, ASA (.1 / .111), Internet, www.a_site.com (.100, 209.165.201.100) on the other company’s 209.165.201.0 network, seen from inside as 200.10.10.0]
NAT Order of Operations (Priority)
1. nat 0 access-list (nat-exempt)
2. Match against existing xlates
3. Static statements
Note: Static identity NAT is included in this category.
a) static NAT with and without access-list (first match)
b) static PAT with and without access-list (first match)
4. Regular dynamic NAT
a) nat with access-list/policy nat (first match)
Note: nat 0 with access-list command is not part of this category.
b) nat (without access-list) (best match)
Note: nat 0 without access-list is part of this category
Note: When choosing a global address from multiple pools with the same NAT ID, this
order is attempted:
1) If the ID is 0 (Regular identity NAT), create an identity xlate.
2) Use the global pool for the dynamic NAT.
3) Use the global pool for the dynamic PAT.
NAT in ASA 8.3 & later
NAT 8.3 (Broadview) Enhancements & Advantages
• Ease of configuration (single command to configure NAT rule)
• Object-oriented configuration
• All NAT rules in a single table, applied on first match basis
• Ability to insert the rule in any arbitrary order
• NAT configuration is independent of security-levels
• Removal of ACL support
• Use of objects instead of inline IPs
• Auto NAT
• Manual NAT (Twice NAT)
• Per-session NAT
• Many-to-few static mapping
Auto NAT
• Auto-NAT is the simplest NAT configuration. It is also called object-NAT
• To enable address or port translation on a singleton network object, use the nat command in network object configuration mode. NAT rules are automatically generated and inserted into section 2 of the NAT global translation table.
• One NAT command within an object (host/subnet/range)
• Inline IP may be used to specify a mapped address
• Real and mapped ports must be specified inline for static PAT
• Destination parameters are not configurable
• Rules get automatically inserted into section 2 and are not editable via the NAT table
Auto NAT
• Auto-NAT is the simplest NAT configuration. It is also called object-NAT
• Auto-NAT configuration is defined in the object itself
ASA(config)# object network webServer
ASA(config-network-object)# host 192.168.1.88
ASA(config-network-object)# nat (inside,dmz) static 172.18.232.42
• This specifies a one-to-one static translation from inside to dmz
ASA# show xlate local 192.168.1.88
25 in use, 104 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:192.168.1.88 to dmz:172.18.232.42
flags s idle 0:01:59 timeout 0:00:00
ASA#
Auto NAT
Host NAT
object network obj-WebServer
host 10.3.19.50
nat (inside,outside) static 198.51.100.50

Network NAT
object network Servers
subnet 10.0.54.0 255.255.255.0
nat (inside,outside) static 203.0.113.0

Dynamic PAT (interface overload)
object network InternalUsers
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface
Auto NAT
• Object-NAT configuration and object subnet information are present in different places in the configuration.
!
object network webServer
host 192.168.1.88
!
Other ASA configuration here…….
!
object network webServer
nat (inside,dmz) static 172.18.232.42
!
• Global and static commands from pre-version 8.3 are now gone! Only the ‘nat’ command is used.
Auto NAT
• “real-ip” feature
o Starting in 8.3, traffic permitted by an ACL must refer to the LOCAL (real) address of the host, instead of the GLOBAL (mapped) address (as in pre-8.3)
object network inside-server
host 192.168.1.99
object network inside-server-global
host 14.36.103.222
!
object network inside-server
nat (inside,outside) static inside-server-global
!
access-list outside_in permit ip any host 192.168.1.99
access-group outside_in in interface outside
or
access-list outside_in permit ip any object inside-server
access-group outside_in in interface outside
or
access-list outside_in permit ip any object inside-server
access-group outside_in global
Manual NAT
• Manual NAT is used to specify how to translate traffic depending on the destination IP subnet of the packet
• Manual NAT is also called “Twice-NAT” because it can specify how to translate the source and the destination of the packet in one line (“NAT the packet twice”)
• If the manual NAT line specifies an identity translation for the destination, then the destination is not changed, and the destination is simply used to “match” the packet.
object network inside-net
subnet 192.168.1.0 255.255.255.0
object network VPNhosts
subnet 10.10.1.0 255.255.255.0
!
nat (inside,outside) source dynamic inside-net interface destination static VPNhosts VPNhosts
“When the subnet in object ‘inside-net’ behind the inside interface accesses any IP in the ‘VPNhosts’ subnet behind the outside interface, PAT them to the outside interface. Do not change the destination IP in the packet.”
Manual NAT Command Breakdown
nat (in,out) source static inLocal inGlobal destination static outGlobal outLocal
• nat (in,out)  for a packet moving from the inside to the outside interface
• source static inLocal inGlobal  change the source of the IP packet from ‘inLocal’ to ‘inGlobal’ statically (one to one)
• destination static outGlobal outLocal  translate the destination of the packet statically (one to one), changing the destination of the IP packet from outGlobal to outLocal. Also, for the packet to match this translation it requires a match on the destination of the packet.
Manual NAT
• Key differences between version 8.2 and 8.3
o Interface security levels no longer matter when making NAT decisions
o Prior to version 8.3, NAT commands were only effective when applied to the higher security-level interface (or the outside keyword had to be used)
 So if a user wanted to not translate traffic initiated from the dmz to the inside interface, the nat 0 statement (exemption) was applied to the inside interface, instead of the DMZ interface
o These two commands are equivalent (notice the inside and outside interfaces are flipped):
nat (inside,outside) source static insideReal insideMapped
nat (outside,inside) source static any any destination static insideMapped insideReal
Manual NAT Example – NAT Exemption
8.2 configuration
access-list vpnacl permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
!
nat (in) 0 access-list vpnacl

8.3 configuration
object network inside-hosts
subnet 192.168.1.0 255.255.255.0
object network vpn-hosts
subnet 10.1.2.0 255.255.255.0
!
nat (in,out) source static inside-hosts inside-hosts destination static vpn-hosts vpn-hosts
Manual NAT Example – Policy NAT
8.2 configuration
access-list policynat permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
!
nat (in) 44 access-list policynat
global (out) 44 33.33.33.33

8.3 configuration
object network inside-hosts
subnet 192.168.1.0 255.255.255.0
object network PATGlobal2
host 33.33.33.33
object network vpn-hosts
subnet 10.1.2.0 255.255.255.0
!
nat (in,out) source dynamic inside-hosts PATGlobal2 destination static vpn-hosts vpn-hosts
Manual NAT Example – Dynamic NAT with PAT overload
8.2 configuration
nat (inside) 1 10.10.0.0 255.255.0.0
global (outside) 1 209.165.201.1-209.165.201.30
global (outside) 1 209.165.201.31
global (outside) 1 209.165.201.32

8.3 configuration
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network MAPPEDip1
host 209.165.201.31
object network MAPPEDip2
host 209.165.201.32
object network MAPPEDrange
range 209.165.201.1 209.165.201.30
object-group network MappedObjectGrp
network-object object MAPPEDrange
network-object object MAPPEDip1
network-object object MAPPEDip2
!
nat (inside,outside) source dynamic obj-10.10.0.0 MappedObjectGrp
Unified NAT Table
• Revisiting the NAT order of operations that applied pre-8.3:
1. nat 0 with access-list
2. Match existing xlate
3. Static NAT with and without ACL
4. Static PAT with and without ACL…….
• That “order-of-operations” concept is gone. Now packets starting a new connection (TCP SYN, first UDP packet) are run through a unified NAT table to find a match that determines how to translate the packet.
• All NAT rules reside in a single table and are applied on a first match basis. The global NAT rule table is comprised of three sections:
o Section 1: Manual NAT
 Rules can be inserted by the user in any order.
 To be used when source & destination need to be specified together.
o Section 2: Auto NAT
 Rules are inserted automatically when NAT is enabled on an object.
 The ASA orders these rules implicitly.
o Section 3: After-auto
 Manual NAT entries can go here only if specified with the ‘after-auto’ keyword
Unified NAT Table
• Section 1: Manual NAT (Twice NAT)
o Allows manual ordering of translation rules
o Default section for source + destination translation rules
• Section 2: Object NAT (Auto NAT)
o Automatic ordering of translation rules
o Suitable for source-only rules
• Section 3: Manual NAT (Twice NAT)
o Allows manual ordering of translation rules
o Only used when the after-auto parameter is specified in a nat statement
Understanding the NAT Table
• Example output of the show nat command
ASA(config)# show nat
Manual NAT Policies (Section 1)
1 (inside) to (dmz) source static work-private-net work-private-net destination static remote-vpn-net remote-vpn-net
translate_hits = 0, untranslate_hits = 0
2 (inside) to (dmz) source static work-private-net work-private-net destination static remote-vpn-net2 remote-vpn-net2
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic work-private-net interface
translate_hits = 150, untranslate_hits = 3
4 (inside) to (outside) source dynamic work-private-net interface destination static All-ips All-ips
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (inside) source static insideservar globalip
translate_hits = 0, untranslate_hits = 18
2 (inside) to (outside) source static webServer 172.18.232.42
translate_hits = 0, untranslate_hits = 0
3 (dmz) to (outside) source dynamic inside-core-switch interface
translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source dynamic ot-training-net interface
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source dynamic work-private-net interface
translate_hits = 1852, untranslate_hits = 48
6 (inside) to (dmz) source dynamic work-private-net-nat2 interface
translate_hits = 0, untranslate_hits = 0
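As an added example (not a Cisco tool or anything from this deck), the following Python parses show nat output of the shape above into records and lists the rules that have never been hit in either direction, which is a useful first pass when auditing a NAT table for stale or shadowed rules; the sample is the slide's own output (without the prompt), embedded as a string.

```python
"""Parser for ASA 'show nat' output and a zero-hit audit over the rules.

Added example, not an ASA or Cisco tool. It keeps each rule's section,
position, interfaces and hit counters and reports rules that have never
translated anything, which is where a NAT clean-up usually starts. The
sample below is the slide's own 'show nat' output, embedded verbatim."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (dmz) source static work-private-net work-private-net destination static remote-vpn-net remote-vpn-net
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (dmz) source static work-private-net work-private-net destination static remote-vpn-net2 remote-vpn-net2
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic work-private-net interface
    translate_hits = 150, untranslate_hits = 3
4 (inside) to (outside) source dynamic work-private-net interface destination static All-ips All-ips
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (inside) source static insideservar globalip
    translate_hits = 0, untranslate_hits = 18
2 (inside) to (outside) source static webServer 172.18.232.42
    translate_hits = 0, untranslate_hits = 0
3 (dmz) to (outside) source dynamic inside-core-switch interface
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source dynamic ot-training-net interface
    translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source dynamic work-private-net interface
    translate_hits = 1852, untranslate_hits = 48
6 (inside) to (dmz) source dynamic work-private-net-nat2 interface
    translate_hits = 0, untranslate_hits = 0
"""

# Section header, rule line and counter line as printed by 'show nat'.
SECTION_RE = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


@dataclass
class NatEntry:
    section: int
    line: int
    real_ifc: str
    mapped_ifc: str
    rule: str                 # the 'source ... [destination ...]' part
    translate_hits: int = 0
    untranslate_hits: int = 0

    @property
    def twice_nat(self) -> bool:
        """True when the rule also matches/translates the destination."""
        return " destination " in self.rule


def parse_show_nat(text: str) -> list[NatEntry]:
    entries: list[NatEntry] = []
    section = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m and section:
            entries.append(NatEntry(section, int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = HITS_RE.search(line)
        if m and entries:   # counters belong to the rule just parsed
            entries[-1].translate_hits = int(m.group(1))
            entries[-1].untranslate_hits = int(m.group(2))
    return entries


def unused_rules(entries: list[NatEntry]) -> list[str]:
    """Rules with zero hits in both directions, labelled S<section>#<line>."""
    return [f"S{e.section}#{e.line}" for e in entries
            if e.translate_hits == 0 and e.untranslate_hits == 0]
```

A zero-hit rule is not necessarily dead (the counters reset on reload and a rule may exist for rare traffic), so treat the list as review candidates, not as a deletion list.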
Object NAT vs. Manual NAT
• NAT CLI configuration of the same auto and manual NAT statements:
object network obj_any
subnet 0.0.0.0 0.0.0.0
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) source dynamic any interface

• The resulting NAT table entries:
ASA# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 14.36.103.94/16

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 14.36.103.94/16
Manual NAT Ordering
• Use the numeric argument to specify the location of the new rule
ASA83(config)# sh run nat
nat (inside,outside) source static insideServer2 outsideGlobal2
ASA83(config)#
ASA83(config)# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static insideServer2 outsideGlobal2
translate_hits = 0, untranslate_hits = 0
• Here we specify that the new rule should be inserted at line 1:
ASA83(config)# nat (inside,outside) 1 source static insideServer outsideGlobal1
ASA83(config)# sh run nat
nat (inside,outside) source static insideServer outsideGlobal1
nat (inside,outside) source static insideServer2 outsideGlobal2
ASA83(config)#
ASA83(config)# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static insideServer outsideGlobal1
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static insideServer2 outsideGlobal2
translate_hits = 0, untranslate_hits = 0
Auto NAT Ordering
• First: all static translations
o Ordered from the most specific object subnet to the most broad object subnet
• Second: all dynamic translations
o Ordered from the most specific object subnet to the most broad object subnet

ASA83# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static staticNATslash16 192.168.0.0
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static staticNATslash8 192.0.0.0
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source dynamic dynamicNATslash16 192.168.0.0
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source dynamic dynamicPATslash8 interface
translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source dynamic dynamicPATAllIPs interface
translate_hits = 0, untranslate_hits = 0
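To make the three sections and the first-match walk concrete, here is a small Python model (added here; not ASA or Cisco code) that sorts Auto NAT rules the way this slide describes, honours the line number and after-auto placement from the Manual NAT Ordering and Unified NAT Table slides, and looks up a new connection. The object names come from the slide; their real subnets, the VPN destination networks and the manual rule labels are constructed, and the two tie-break keys beyond "most specific first" (lowest network, then object name) come from the ASA documentation rather than from this deck.

```python
"""Model of the ASA 8.3+ unified NAT table described on these slides.
Added example, not ASA code: rules are reduced to the fields a lookup
needs and the object subnets are constructed. Sections 1 and 3 keep
the user's order (line number, after-auto); section 2 is ordered as
the Auto NAT Ordering slide says: static before dynamic, most specific
object first. A new connection takes the first matching rule."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    name: str              # network object (Auto NAT) or a label (Manual NAT)
    real_ifc: str          # "any" matches every interface
    mapped_ifc: str
    source_real: IPv4Net   # real source object
    source_mapped: str     # mapped object/pool, "interface" for PAT, "identity" for no change
    kind: str              # "static" or "dynamic"
    dest_real: Optional[IPv4Net] = None   # Manual NAT destination match; None = not specified


def _auto_nat_key(rule: NatRule):
    # Static before dynamic, then fewest real addresses (longest prefix) first.
    # The last two keys (lowest network, then object name) are the documented
    # tie-breakers; the slides themselves state only the first two criteria.
    return (0 if rule.kind == "static" else 1, -rule.source_real.prefixlen,
            int(rule.source_real.network_address), rule.name)


class UnifiedNatTable:
    def __init__(self) -> None:
        self.section1: list[NatRule] = []   # Manual NAT, user ordered
        self.section2: list[NatRule] = []   # Auto NAT, ordered by the ASA
        self.section3: list[NatRule] = []   # Manual NAT with after-auto

    def add_manual(self, rule: NatRule, line: Optional[int] = None,
                   after_auto: bool = False) -> None:
        """nat (real,mapped) [line] source ... [after-auto]"""
        section = self.section3 if after_auto else self.section1
        if line is None:
            section.append(rule)
        else:
            section.insert(line - 1, rule)   # 'nat (in,out) 1 source ...' -> line 1

    def add_auto(self, rule: NatRule) -> None:
        """nat ... under 'object network': the position is not user controlled."""
        self.section2.append(rule)
        self.section2.sort(key=_auto_nat_key)

    def ordered(self) -> list[tuple[int, NatRule]]:
        return ([(1, r) for r in self.section1] + [(2, r) for r in self.section2]
                + [(3, r) for r in self.section3])

    def lookup(self, real_ifc: str, src: str, dst: str) -> Optional[tuple[int, str]]:
        """First match for a new connection, returned as (section, rule name)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for section, rule in self.ordered():
            if rule.real_ifc not in ("any", real_ifc):
                continue
            if s not in rule.source_real:
                continue
            if rule.dest_real is not None and d not in rule.dest_real:
                continue
            return section, rule.name
        return None   # no rule matched: the packet is forwarded untranslated


def build_example_table() -> UnifiedNatTable:
    """The five Auto NAT objects of the ordering slide (real subnets constructed
    to fit their names) plus Manual NAT rules in sections 1 and 3."""
    t = UnifiedNatTable()
    # Auto NAT, deliberately added in the 'wrong' order; the ASA re-sorts section 2.
    t.add_auto(NatRule("dynamicPATAllIPs", "inside", "outside", IPv4Net("0.0.0.0/0"), "interface", "dynamic"))
    t.add_auto(NatRule("dynamicPATslash8", "inside", "outside", IPv4Net("10.0.0.0/8"), "interface", "dynamic"))
    t.add_auto(NatRule("staticNATslash8", "inside", "outside", IPv4Net("10.0.0.0/8"), "192.0.0.0", "static"))
    t.add_auto(NatRule("dynamicNATslash16", "inside", "outside", IPv4Net("172.20.0.0/16"), "192.168.0.0", "dynamic"))
    t.add_auto(NatRule("staticNATslash16", "inside", "outside", IPv4Net("172.20.0.0/16"), "192.168.0.0", "static"))
    # Manual NAT identity rules for VPN traffic (the NAT Exemption slide); the
    # second one is inserted at line 1, as on the Manual NAT Ordering slide.
    t.add_manual(NatRule("exempt-vpn-net2", "inside", "outside", IPv4Net("192.168.1.0/24"),
                         "identity", "static", dest_real=IPv4Net("10.1.3.0/24")))
    t.add_manual(NatRule("exempt-vpn-net", "inside", "outside", IPv4Net("192.168.1.0/24"),
                         "identity", "static", dest_real=IPv4Net("10.1.2.0/24")), line=1)
    # Catch-all PAT that must apply only when no Auto NAT rule did: section 3.
    t.add_manual(NatRule("catch-all-pat", "any", "outside", IPv4Net("0.0.0.0/0"), "interface", "dynamic"),
                 after_auto=True)
    return t


def section_order(t: UnifiedNatTable, section: int) -> list[str]:
    """Rule names of one section in lookup order (what 'show nat' would list)."""
    return [r.name for s, r in t.ordered() if s == section]
```

The section 2 order the model produces is exactly the numbering in the show nat output above, and a 192.168.1.x host going to the VPN network hits the section 1 identity rule while the same host going anywhere else falls through to dynamicPATAllIPs.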
Service Objects in NAT Rules
• Several pre-defined services exist already in the ASA’s configuration
ASA83# sh run all object service
object service ah pre-defined
service ah
description This is a pre-defined object
object service eigrp pre-defined
service eigrp
description This is a pre-defined object
object service esp pre-defined
service esp
object service tcp-imap4 pre-defined
service tcp destination eq imap4
description This is a pre-defined object
object service tcp-irc pre-defined
service tcp destination eq irc
description This is a pre-defined object
object service TCPServiceObject
service tcp source eq 8433
Service Objects in NAT Rules
• Service objects are used to specify port mappings in NAT rules
object service ServiceSourceTelnet
service tcp source eq telnet
object service ServiceSource9999
service tcp source eq 9999
!
nat (dmz,outside) source static dmzServer interface service ServiceSourceTelnet ServiceSource9999
• Translate TCP port 9999 on the outside interface to TCP port 23 on the dmz host “dmzServer”
• Inbound connections to the outside interface destined to port 9999 will be forwarded to dmzServer with a destination port of 23
• Note that since the translation was defined from dmz to outside (outbound), the service objects define the source port.
ASA83(config)# show nat detail
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static dmzServer interface service ServiceSourceTelnet ServiceSource9999
translate_hits = 0, untranslate_hits = 2
Source - Origin: 10.10.6.50/32, Translated: 14.36.103.94/16
Service - Origin: tcp source eq telnet , Translated: tcp source eq 9999
ASA83(config)#
Service Objects in NAT Rules
• Now let’s flip the NAT rule; the behavior is essentially the same, but the service objects must now specify destination
object service ServiceDstTelnet
service tcp destination eq telnet
object service ServiceDst9999
service tcp destination eq 9999
!
nat (outside,dmz) source static any any destination static interface dmzServer service ServiceDst9999 ServiceDstTelnet
• Translate TCP port 9999 on the outside interface to TCP port 23 on the dmz host “dmzServer”
• Inbound connections to the outside interface destined to port 9999 will be forwarded to dmzServer with a destination port of 23
ASA83(config)# show nat detail
Manual NAT Policies (Section 1)
1 (outside) to (dmz) source static any any destination static interface dmzServer service ServiceDst9999 ServiceDstTelnet
translate_hits = 1, untranslate_hits = 1
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 14.36.103.94/16, Translated: 10.10.6.50/32
Service - Origin: tcp destination eq 9999 , Translated: tcp destination eq telnet
Identity NAT
• No nat 0 anymore
• No NAT exemption (bypassing NAT) anymore; identity NAT is configured with the nat command, either in the object (Auto NAT) or as Manual NAT:
object network SUBNET3
subnet 10.10.10.128 255.255.255.192
nat (dmz,out) static SUBNET3

nat (dmz,out) source static SUBNET3 SUBNET3

ASA1# show xlate
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:10.10.10.128/26 to out:10.10.10.128/26
flags sI idle 0:01:35 timeout 0:00:00

ASA1# show nat interface dmz detail
Auto NAT Policies (Section 2)
1 (dmz) to (out) source static SUBNET3 SUBNET3
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.10.128/26, Translated: 10.10.10.128/26
NAT New Features
One-to-many Mapping
[Diagram: webServer mapped to webServerGlobal1 and webServerGlobal2]
• Translate one inside host to two different global IPs on an interface
• External users can connect to either global IP address and access the same internal resource. This is useful if global DNS entries are being changed, and some clients still connect to the old global IP address for the server.
object network webServer
host 192.168.1.99
object network webServerGlobal1
host 209.165.200.225
object network webServerGlobal2
host 209.165.200.226
!
nat (inside,outside) source static webServer webServerGlobal1
nat (inside,outside) source static webServer webServerGlobal2
NAT New Features
Unidirectional NAT Translations
[Diagram: webServer mapped to webServerGlobal1 and webServerGlobal2]
• Translate the traffic (connection) differently depending on the direction in which the connection was initiated
• For example, all connections initiated OUTBOUND from the webServer should be translated to webServerGlobal1, but inbound connections initiated to that IP will not be translated.
• Has been added in 8.3(2)
object network webServer
host 192.168.1.99
object network webServerGlobal1
host 209.165.200.225
object network webServerGlobal2
host 209.165.200.226
!
nat (inside,outside) source static webServer webServerGlobal1 unidirectional
nat (inside,outside) source static webServer webServerGlobal2
NAT New Features
Static mapping for service port-range
• Maps a range of ports from one global IP to another
!
object service UDP-ports
service udp source range 16384 32768
!
nat (inside,outside) source static obj-192.168.100.100-03 interface service UDP-ports UDP-ports
!

ASA83# show xlate
UDP PAT from inside:192.168.100.100 16384-32768 to outside:4.2.2.2 16384-32768 flags sr idle 0:00:40 timeout 0:00:00
NAT New Features
PAT Overload Enhancements
• Some mobile operators were having trouble with many inside devices being PAT’d to the same IP
• New NAT arguments (keywords) were added to modify the behavior of the ASA regarding PAT IP pools  added first in 8.4(1)11 & 8.4(2)
1. round-robin will use the next global IP in the pool for each new PAT translation. This ensures that PAT translations are spread out evenly across the full range of global PAT IPs, instead of using consecutive ports on the same IP. By default, all ports for a PAT address are allocated before the next PAT address is used.
2. pat-pool will cause the ASA to treat a network object as a range of global PAT IP addresses
object network mobileUsers
subnet 10.1.0.0 255.255.0.0
object network patGlobalIPs
range 209.165.200.225 209.165.200.254
!
object network mobileUsers
nat (inside,outside) dynamic pat-pool patGlobalIPs round-robin
NAT New Features
no-proxy-arp
• Has been added in 8.4(2)
• For static NAT, disables proxy ARP for incoming packets to the mapped IP addresses.
• Used with Identity NAT
o 8.3  8.4(1): Proxy ARP is disabled for Identity NAT (not configurable)
object network SUBNET3
subnet 10.10.10.128 255.255.255.192
nat (dmz,out) static SUBNET3 no-proxy-arp

[Diagram: RFC1918 addresses on both the Inside and the Outside]
object-group network RFC1918
network-object object obj-10.0.0.0
network-object object obj-192.168.0.0
network-object object obj-172.16.0.0
!
nat (any,any) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp
NAT New Features
route-lookup
• Has been added in 8.4(2)
• NAT commands override the routing table by default
• Use route-lookup to only apply NAT rules that match the routing table entries
• Used with Identity NAT
o 8.3  8.4(1): route lookup was always used to determine the egress interface for Identity NAT (not configurable)
[Diagram: Inside 172.16.0.0/16, DMZ 172.16.12.0/24 with host 172.16.12.4, Outside]
Without route-lookup (default), inbound packets to 172.16.12.4 get routed to inside based on the order of the NAT rules:
nat (inside,outside) source static 172.16.0.0-net 172.16.0.0-net   <- match
nat (dmz,outside) source static 172.16.12.0-net 172.16.12.0-net
With route-lookup:
nat (inside,outside) source static 172.16.0.0-net 172.16.0.0-net route-lookup
nat (dmz,outside) source static 172.16.12.0-net 172.16.12.0-net   <- match
Other NAT Arguments
• dns  Translates DNS replies. Be sure DNS inspection is enabled (inspect dns); it is enabled by default. You cannot configure the dns keyword if you configure a destination address  also exists in ASA 8.2 & earlier with the static command
• inactive  To make this rule inactive without having to remove the command, use the inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
• after-auto  Inserts the rule at the end of section 3 of the NAT table, after the network object NAT rules. By default, twice NAT rules are added to section 1. You can insert a rule anywhere in section 3 using the line argument.
Proxy ARP on ASA
Proxy ARP on ASA
• The Network Address Translation (NAT) configuration on the ASA might cause it to respond to ARP requests for IP addresses other than the ASA’s interface IP address.
• This lets the directly connected L3 devices know where to forward the traffic destined to these mapped (translated) addresses.
• The mapped IP address could be from the same subnet as the ASA mapped interface or from a different one.
• This happens with Dynamic NAT/PAT and Static NAT translations when the mapped IP address is not the ASA mapped interface IP address.
Proxy ARP Behavior for NAT
• In ASA 8.2 & earlier:
o Simply put, the ASA does proxy-ARP when an ARP request for the mapped address is received on the mapped interface.
 The mapped address can be from the same mapped interface subnet or a different one.
 For Static Identity NAT or regular NAT.
 Would not proxy-ARP for static identity only in transparent mode
[Diagram: Inside 192.168.1.0/24 with .2 and host .3, Outside 1.1.1.0/24]
static (inside,outside) 192.168.1.3 192.168.1.3
static (inside,outside) 192.168.1.3 1.1.1.3
static (inside,outside) 192.168.1.3 2.2.2.3
Proxy ARP Behavior for NAT
• In ASA 8.3  8.4(1):
o Proxy ARP is disabled for Static Identity NAT
o The ASA does proxy-ARP when an ARP request is received on the interface specified in the rule, for any subnet [no change in behavior here, same as pre-8.3]  also in 8.4(2)
o When the ARP request is received on interface any, the ASA will proxy-ARP only when the IP resides on the same subnet as the corresponding egress interface [new in 8.3 with the introduction of interface-independent policy]  this is applicable to 8.3 & later
[Diagram: Inside 192.168.1.0/24 with .2 and host .3, Outside 1.1.1.0/24]
object network webServer
host 192.168.1.3
!
nat (inside,outside) source static webServer webServer

object network webServer
host 192.168.1.3
!
nat (any,any) source static webServer webServer
Proxy ARP Behavior for NAT
• In ASA 8.4(2) & later:
o Proxy ARP is enabled by default on both Static and Identity NAT statements
o A configurable argument has been added to disable proxy ARP for Identity NAT
o When upgrading to 8.4(2), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords
o You can leave these settings as is, or you can enable or disable them discretely
o You can now also disable proxy ARP for regular static NAT
[Diagram: Inside 192.168.1.0/24 with .2 and host .3, Outside 1.1.1.0/24]
object network webServer
host 192.168.1.3
!
nat (inside,outside) source static webServer webServer

object network webServer
host 192.168.1.3
!
nat (any,any) source static webServer webServer no-proxy-arp
Proxy ARP Behavior for NAT
• Using a mapped address that doesn’t belong to the ASA mapped interface subnet:
o In ASA 8.4(2) & earlier:
 The ASA would respond to ARP requests that were not in the IP subnet of the ASA’s interface  if the mapped interface is specified
o In 8.4(3) & later:
 The ASA will not respond to ARP requests received on an interface for IP addresses that are not part of that interface’s IP subnet.
o In 8.4(5) & later:
 An enhancement was created and implemented to allow ARP cache entries from non-connected subnets.
 arp permit-nonconnected  disabled by default
[Diagram: Inside 192.168.1.0/24 with .2 and host .3, Outside 1.1.1.0/24]
object network webServer
host 192.168.1.3
nat (inside,outside) static 2.2.2.3
Enable/Disable Proxy ARP Globally
• Proxy ARP is enabled by default on a per-interface basis. This can be confirmed by running the command:
ciscoasa# sh run all sysopt | i proxy
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp dmz
• You can disable Proxy ARP on a certain interface:
ciscoasa(config)# sysopt noproxyarp inside

Same Security Level Communication
Access Between Two Interfaces with Same Security Level
• DMZ and DMZ2 interfaces are configured with security level 50; by default, these two interfaces cannot talk.
• To enable access between same-security interfaces:
same-security-traffic permit inter-interface
• It will let the traffic flow freely between all same-security interfaces without access lists.
• By default, NAT is not required between same security level interfaces (even if you enable NAT control in old ASA versions).
• You can optionally configure NAT if desired.
[Diagram: inside (100), outside (0), DMZ (50), DMZ2 (50)]
U-Turn Traffic/Hairpinning Traffic
• U-Turn traffic is traffic that enters an interface and is then routed out of that same interface.
• U-Turn traffic is denied by default on the same interface.
• To enable U-Turn traffic on an interface:
same-security-traffic permit intra-interface
• Used in VPN to give clients Internet access via the ASA.
[Diagram: VPN Client on the Public Internet connecting to the ASA outside (0) and going back out to the Internet; inside (100)]
Modular Policy Framework (MPF)
MPF Overview
• Modular Policy Framework provides a consistent and flexible way to configure security appliance features.
• Efficiently apply advanced firewall policies to selected traffic:
o Connection limit and timeout settings, TCP policy overrides (TCP normalization)
o Policing and traffic prioritization (QoS)
o Application Inspection
MPF Usage
• Modular Policy Framework supports the following features (functions):
1. Connection Settings  TCP normalization, TCP and UDP connection limits and timeouts, TCP state bypass & TCP sequence number randomization
2. Application Inspection
3. QoS
1) QoS input & output policing
2) QoS standard priority queue
3) QoS traffic shaping, hierarchical priority queue
4. Sending traffic to modules  IPS, CSC, CX & SFR
MPF Operation
• Hierarchical approach to connection classification:
1. Define a traffic class at network and transport level (L3-L4)
2. Create a policy that applies actions on a per-class basis
3. Apply the policy to a particular interface or globally
4. Optional application-specific classes and policies are available
Traffic Classification
Class Maps (L3-L4)
o Class Maps (L3-L4) are used to match traffic for a certain action:
o Possible in-line matching criteria include ACL, TCP/UDP ports, DSCP, precedence and VPN groups
o match default-inspection-traffic  Matches default traffic for inspection; the default TCP and UDP
ports used by all applications that the ASA can inspect.
o ACL matching is preferred for granularity and AD Identity support
o You can include only one match command in the class map
access-list HTTP_PORTS extended permit tcp any any eq www
access-list HTTP_PORTS extended permit tcp any any eq 8080
class-map HTTP_TRAFFIC
match access-list HTTP_PORTS
class-map all_http
description "This class-map matches all HTTP traffic"
match port tcp eq http
Traffic Classification
• Default Class Maps (L3-L4)
o inspection_default
class-map inspection_default
match default-inspection-traffic
 It matches the default inspection traffic
 Used in the default global policy
 It’s a special shortcut to match the default ports for all inspections.
o class-default
class-map class-default
match any
 It matches all traffic
 Appears at the end of all Layer 3/4 policy maps and essentially tells the ASA to not perform any actions on all other traffic
 You can use the class-default class if desired, rather than making your own match any class map.
 Some features are only available for class-default.
Traffic Classification
Inspection Class Maps (L7)
• This type of class map allows you to match criteria that are specific to an application
• match-all class map  groups multiple traffic matches (all of them must match)
• match-any class map  matches any one of a list of matches
• Not all applications support inspection class maps
class-map type inspect ftp match-all FTP_PUT_COMMAND
match request-command put

class-map type inspect http match-all http-traffic
match req-resp content-type mismatch
match request body length gt 1000
match not request uri regex class URLs

class-map type inspect http match-any monitor-http
match request method get
match request method put
match request method post
Applying Actions
Policy Maps (L3-L4)
• Policy Maps tie classes to intended actions
• Action types: set connection, inspect, csc, ips, cxsc, police, priority & more
• Only one action of each type can apply to a class
class-map inspection_default
match default-inspection-traffic
class-map http_traffic
match port tcp eq 80
policy-map outside_policy
class inspection_default
inspect http http_map
inspect sip
class http_traffic
set connection timeout idle 0:10:0

access-list http-server permit tcp any host 10.1.1.1
class-map http-server
match access-list http-server
policy-map global-policy
class http-server
set connection conn-max 256
Applying Actions
• Only one action of each type can apply to a connection
o The first configured action applies for an overlapping feature type in overlapping traffic classes
o Different action types under one class are allowed
policy-map global_policy
class ALL_TCP
set connection conn-max 10000
class HTTP
set connection conn-max 5000
inspect http
• Some actions apply to new connections at creation time  connection settings
• Inspection, policing and traffic prioritization are applied on a per-packet basis
• Only the inspection_default class map allows multiple inspect actions.
Applying Actions
• Order in Which Multiple Feature Actions are Applied:
1. QoS input policing
2. TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number
randomization, and TCP state bypass.
3. ASA CSC
4. Application inspections
5. ASA IPS
6. ASA CX
7. ASA FirePOWER (ASA SFR)
8. QoS output policing
9. QoS standard priority queue
Applying Actions
Inspection Policy Maps (L7)
• Lets you configure special actions for many application inspections  advanced protocol inspection
• Inspection Policy Maps are used with Inspection Class Maps
• An inspection policy map consists of one or more of the following elements:
o Traffic matching command  define a traffic matching command directly, then you can enable an action directly
o Inspection class map  an inspection class map includes multiple traffic matching commands
o Parameters  parameters affect the behavior of the inspection engine.
• The exact options available for an inspection policy map depend on the application.
policy-map type inspect ftp FTP_BLOCK_PUT_COMMAND
parameters
class FTP_PUT_COMMAND
reset log

policy-map test
class FTP
inspect ftp FTP_BLOCK_PUT_COMMAND
Applying The Service Policy
service-policy policy_map_name {global | interface interface_name}

• We can apply the policy map either globally or to an interface.

service-policy global_policy global
service-policy INSIDE_INTERFACE interface inside

• Interface policies override the global policy for overlapping actions
• You can only apply one global policy.
• By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to that traffic globally.
• For most actions, a global service policy is applied in the inbound direction on every interface, while an interface policy is applied bi-directionally.
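To make the precedence rules above concrete (one action per feature type, first configured wins, interface policy overrides global, only inspection_default carries several inspects, and the feature application order from the "Order in Which Multiple Feature Actions are Applied" slide), here is a small Python model of how the global and interface service policies combine for one connection. This is an added example written for this page, not ASA code: the class names ALL_TCP, HTTP and http-server and the conn-max values come from the slides, the flows and the match predicates are constructed.

```python
"""Resolution of ASA Modular Policy Framework (MPF) actions for one connection.

Added illustration in plain Python; this is not ASA code. A class map is a
predicate over a flow, a policy map is an ordered list of classes with their
actions, and a service policy binds one policy map globally or per interface.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Order in which the ASA applies feature actions (from the slide above)
FEATURE_ORDER = ["police-input", "set-connection", "csc", "inspect",
                 "ips", "cxsc", "sfr", "police-output", "priority"]

Action = Tuple[str, str]          # (feature type, argument)


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class PolicyMap:
    name: str
    # (class name, match predicate, actions) in configured order
    classes: List[Tuple[str, Callable[[Flow], bool], List[Action]]]

    def __post_init__(self) -> None:
        # Only class inspection_default may carry more than one inspect action
        for cname, _, actions in self.classes:
            if cname != "inspection_default" and sum(f == "inspect" for f, _ in actions) > 1:
                raise ValueError(f"class {cname}: only inspection_default allows multiple inspects")


@dataclass
class ServicePolicy:
    global_policy: Optional[PolicyMap] = None
    interface_policies: Dict[str, PolicyMap] = field(default_factory=dict)


def resolve_actions(sp: ServicePolicy, flow: Flow, ingress: str) -> List[Action]:
    """Actions applied to `flow` entering on `ingress`, in application order.

    Rules modelled: one action of each feature type per connection, the first
    configured one wins; the interface policy is evaluated before the global
    policy, so it overrides it for overlapping feature types; inspect engines
    are taken from the first matching class that carries any.
    """
    chosen: Dict[str, List[str]] = {}
    inspect_owner: Optional[Tuple[str, str]] = None
    policies = [sp.interface_policies[ingress]] if ingress in sp.interface_policies else []
    if sp.global_policy is not None:
        policies.append(sp.global_policy)
    for pm in policies:
        for cname, matches, actions in pm.classes:
            if not matches(flow):
                continue
            for feature, arg in actions:
                if feature == "inspect":
                    if inspect_owner not in (None, (pm.name, cname)):
                        continue                       # another class already inspects
                    inspect_owner = (pm.name, cname)
                    chosen.setdefault("inspect", []).append(arg)
                elif feature not in chosen:
                    chosen[feature] = [arg]
    return [(f, a) for f in FEATURE_ORDER for a in chosen.get(f, [])]


def build_slide_config() -> ServicePolicy:
    """The policy maps shown on the slides, expressed in this model (predicates constructed)."""
    global_policy = PolicyMap("global_policy", [
        ("ALL_TCP", lambda f: f.proto == "tcp", [("set-connection", "conn-max 10000")]),
        ("HTTP", lambda f: f.proto == "tcp" and f.dport == 80,
         [("set-connection", "conn-max 5000"), ("inspect", "http")]),
    ])
    # access-list http-server permit tcp any host 10.1.1.1, policy applied on the inside interface
    inside_policy = PolicyMap("INSIDE_INTERFACE", [
        ("http-server", lambda f: f.proto == "tcp" and f.dst == "10.1.1.1",
         [("set-connection", "conn-max 256")]),
    ])
    return ServicePolicy(global_policy, {"inside": inside_policy})


if __name__ == "__main__":
    sp = build_slide_config()
    for flow, ingress in [(Flow("10.1.1.9", "10.1.1.1", "tcp", 80), "inside"),
                          (Flow("198.51.100.5", "10.1.1.1", "tcp", 80), "outside"),
                          (Flow("10.1.1.9", "198.51.100.5", "tcp", 22), "inside")]:
        print(ingress, flow.dst, flow.dport, "->", resolve_actions(sp, flow, ingress))
```

The same HTTP connection to 10.1.1.1 gets conn-max 256 when it enters on inside (interface policy wins) but conn-max 10000 when it enters on outside, because ALL_TCP is configured before HTTP in the global policy and both classes match; the inspect http action still comes from the HTTP class in both cases.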
Default Service Policy Configuration
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
dns-guard
protocol-enforcement
nat-rewrite
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225 _default_h323_map
inspect h323 ras _default_h323_map
inspect ip-options _default_ip_options_map
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp _default_esmtp_map
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
Layer 3/4 Class Maps vs. Layer 7 Class Maps

Layer 3/4 Class Maps
• Match traffic based on protocols, ports, IP addresses, and other layer 3 or 4 attributes:
 o ACL
 o Any packet
 o Default inspection traffic
 o IP differentiated services code point
 o TCP and UDP ports
 o IP precedence
 o RTP port numbers
 o VPN tunnel group
• Typically contain only one match condition
• Are mandatory MPF components

Layer 7 Class Maps
• Work with layer 7 policy maps to implement advanced protocol inspection
• Match criteria is specific to one of the following applications:
 o IM, RTSP, SIP, DNS, FTP, H.323, HTTP, Scansafe
• Enable you to specify a not operator for a match condition
• Can contain one or more match conditions
• Can use regular expressions as match criteria
• Are optional MPF components (match criteria can be specified in a layer 7 policy map instead)
Layer 3/4 Policy Maps vs. Layer 7 Policy Maps

Layer 3/4 Policy Maps
• Used to create the following policy action types:
 o Application inspection
 o TCP normalization
 o TCP and UDP connection limits and timeouts
 o TCP sequence number randomization
 o Cisco CSC, CX or SFR
 o Cisco IPS
 o QoS input policing
 o QoS output policing
 o QoS priority queue
• Must be applied to an interface or globally via a service policy
• Are mandatory MPF components

Layer 7 Policy Maps
• Implement advanced protocol inspection, which defends against application layer attacks
• Also called Inspection Policy Maps
• Can be used for advanced inspection of:
 o dcerpc, dns, esmtp, ftp, gtp, h323, http, im, ip-options, ipsec-pass-thru, ipv6, mgcp, netbios, radius-accounting, rtsp, scansafe, sip, skinny
• Must be applied to a layer 3/4 policy map
• Are optional MPF components
Configuring MPF
1) Create a Layer 3/4 class map to identify traffic by matching:
 • An ACL
 • Any packet
 • The default inspection traffic
 • A DSCP value
 • A destination IP address
 • TCP or UDP ports
 • IP precedence
 • RTP ports
 • A tunnel-group
2) Create a Layer 3/4 policy map to associate one of the following policy actions with traffic defined in a Layer 3/4 class map:
 • TCP normalization
 • TCP and UDP connection limits and timeouts
 • TCP sequence number randomization
 • Application inspection
 • Cisco CSC, CX or SFR
 • Cisco IPS
 • QoS policing
 • QoS priority queuing
3) Use a service policy to activate the Layer 3/4 policy
Application Inspection
Application Inspection Engines
• Why do we need them?
 1. Perform embedded IP rewrites
 2. Open dynamic ACL pinholes for secondary connections
 3. Very few engines enforce protocol compliance (protocol RFC standard)
 4. Inspection Policy Maps can be used to match protocol fields for custom actions  Advanced Protocol Inspection
• Exclusive matching: only class inspection_default allows multiple inspect actions
• Very heavy performance impact on the ASA due to the extra work  happens in the Control Path

policy-map global_policy
 class inspection_default
  inspect ftp FTP_BLOCK_PUT_COMMAND
Configuring Default Inspection (L3/L4 Maps)
1) Create a Layer 3/4 class map to identify traffic by matching:
 • An ACL
 • Any packet
 • The default inspection traffic
 • A DSCP value
 • A destination IP address
 • TCP or UDP ports
 • IP precedence
 • RTP ports
 • A tunnel-group
2) Create a Layer 3/4 policy map to inspect the traffic defined in a Layer 3/4 class map; we can inspect the following:
 ctiqbe, dcerpc, dns, esmtp, ftp, gtp, h323, http, icmp, ils, im, ip-options, ipsec-pass-thru, ipv6, mgcp, netbios, pptp, rsh, rtsp, scansafe, sip, skinny, snmp, sqlnet, sunrpc, tftp, vxlan, waas, xdmcp
3) Use a service policy to activate the Layer 3/4 policy and apply it on an interface or globally
 • We can also modify the default global policy to add/remove protocol inspections.
Configuring Layer 7 Inspection
1) Create a Layer 7 class map to identify traffic by matching criteria specific to applications:
 • IM
 • RTSP
 • SIP
 • DNS
 • FTP
 • H.323
 • HTTP
 • Scansafe
2) Create a Layer 7 policy map to defend against Application Layer attacks by referencing a Layer 7 class-map and applying an action
3) Create a Layer 3/4 policy map to associate traffic defined in a Layer 3/4 class map and reference the Layer 7 policy map
4) Use a service policy to activate the Layer 3/4 policy on an interface or globally
Default Service Policy Configuration
• The default service policy configuration listed under "Default Service Policy Configuration" above is as it is in ASA 9.3.
• By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy).
• Default application inspection traffic includes traffic to the default ports for each protocol.
• DNS advanced inspection is enabled by default, using the preset_dns_map inspection policy map.
• There are other default inspection policy maps  show running-config all policy-map
Advanced Protocol Inspection

• Advanced protocol inspection gives you options such as the following for defending against
application layer attacks:
o Blocking *.exe attachments
o Prohibiting use of Kazaa or other peer-to-peer file-sharing programs
o Setting limits on URL lengths
o Prohibiting file transfer or whiteboard as part of IM sessions
o Protecting your web services by ensuring that XML schema is valid
o Resetting a TCP session if it contains a string you know is malicious
o Dropping sessions with packets that are out of order
DNS Doctoring
• ASA can rewrite the embedded IP in transit DNS responses per NAT rules
 o DNS inspection is needed to achieve this
 o Modifies the A (IPv4) or AAAA (IPv6) record when crossing the mapped interface
 o Should be used with Static NAT
 o DNS doctoring is enabled per static NAT rule using the keyword dns
 o DNS inspection is enabled by default on the ASA

Topology: Web Server 192.168.1.57 on the inside, DNS Server on the outside.

object network HTTP_SERVER
 host 192.168.1.57
 nat (inside,outside) static 198.51.100.170 dns

DNS Doctoring
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

ASA 8.2 & earlier:
static (inside,outside) 198.51.100.170 192.168.1.57 dns

ASA 8.3 & later, network object NAT:
object network HTTP_SERVER
 host 192.168.1.57
 nat (inside,outside) static 198.51.100.170 dns

ASA 8.3 & later, manual NAT:
object network HTTP_SERVER
 host 192.168.1.57
object network SERVER_MAPPED
 host 198.51.100.170
nat (inside,outside) source static HTTP_SERVER SERVER_MAPPED dns
DNS Doctoring
DNS Server on the Outside of the ASA

object network HTTP_SERVER
 host 192.168.1.57
 nat (inside,outside) static 198.51.100.170 dns

Topology: Local Client and Web Server www.abcd.com (192.168.1.57) on the inside; DNS Server and Remote Client on the outside (Internet).
1. Local Client asks the DNS Server: Who is www.abcd.com?
2. DNS Server answers: www.abcd.com is 198.51.100.170
3. ASA rewrites the A record: 198.51.100.170 → 192.168.1.57
4. Local Client accesses 192.168.1.57
DNS Doctoring
DNS Server on the Inside of the ASA

object network HTTP_SERVER
 host 192.168.1.57
 nat (inside,outside) static 198.51.100.170 dns

Topology: Local Client, DNS Server and Web Server www.abcd.com (192.168.1.57) on the inside; Remote Client on the outside (Internet).
1. Remote Client asks the DNS Server: Who is www.abcd.com?
2. DNS Server answers: www.abcd.com is 192.168.1.57
3. ASA rewrites the A record: 192.168.1.57 → 198.51.100.170
4. Remote Client accesses 198.51.100.170
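The two scenarios above (DNS server on the outside, DNS server on the inside) come down to one rule: when a reply crosses the mapped interface, the A record is swapped between the real and the mapped address of the static NAT rule carrying the dns keyword. The following Python is an added example, not ASA code, that applies that rule to a real DNS message; the DNS builder and parser are written for this example and the reply is constructed, the NAT rule is the HTTP_SERVER rule from the slide.

```python
"""DNS doctoring: rewriting the A record of a DNS reply per a static NAT rule
that carries the `dns` keyword, as described on the slides above.

Added illustration in Python; this is not ASA code. The small DNS message
builder and the NAT rule table are constructed for this example.
"""
import struct
from ipaddress import IPv4Address
from typing import Iterator, List, Tuple

# (real interface, mapped interface, real IP, mapped IP, dns keyword) from the slide
NAT_RULES = [("inside", "outside", "192.168.1.57", "198.51.100.170", True)]


def _skip_name(msg: bytearray, off: int) -> int:
    """Offset just past a DNS name that starts at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def _a_record_offsets(msg: bytearray) -> Iterator[int]:
    """Yield the offset of each 4-byte A-record RDATA in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(msg: bytes) -> List[str]:
    """Addresses carried in the A records of a reply."""
    buf = bytearray(msg)
    return [str(IPv4Address(bytes(buf[o:o + 4]))) for o in _a_record_offsets(buf)]


def doctor_dns_reply(msg: bytes, ingress: str, egress: str) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Return the (possibly rewritten) reply and the list of (old, new) rewrites.

    A reply arriving on the mapped interface gets mapped->real; a reply leaving
    towards the mapped interface gets real->mapped. Other paths are untouched.
    """
    buf = bytearray(msg)
    rewrites = []
    for off in _a_record_offsets(buf):
        addr = str(IPv4Address(bytes(buf[off:off + 4])))
        for real_if, mapped_if, real, mapped, dns in NAT_RULES:
            if not dns:
                continue
            if (ingress, egress, addr) == (mapped_if, real_if, mapped):
                new = real
            elif (ingress, egress, addr) == (real_if, mapped_if, real):
                new = mapped
            else:
                continue
            buf[off:off + 4] = IPv4Address(new).packed   # same length, no offsets shift
            rewrites.append((addr, new))
            break
    return bytes(buf), rewrites


def build_a_reply(qname: str, addr: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS response with one question and one A answer (compressed name)."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(addr).packed
    return header + question + answer


if __name__ == "__main__":
    # DNS server on the outside: the local client must receive the real address
    reply = build_a_reply("www.abcd.com", "198.51.100.170")
    print(doctor_dns_reply(reply, "outside", "inside")[1])   # [('198.51.100.170', '192.168.1.57')]
```

Because an A record's RDATA is always 4 bytes, the rewrite is done in place and the message length, and therefore the UDP length and any compression pointers, stay valid; the same reply passing between two interfaces that are not the rule's real/mapped pair is left untouched.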
FTP Inspection

object network INSIDE_NETWORK
 subnet 10.1.200.0 255.255.255.0
 nat (inside,outside) dynamic interface

policy-map global_policy
 class inspection_default
  inspect ftp

Active FTP
Topology: Client 10.1.200.3 on the inside (ASA inside interface 10.1.200.1); FTP Server 192.0.2.1 on the Internet behind the outside interface 198.51.100.1.
1. FTP Control conn over TCP: 10.1.200.3/12345 → 192.0.2.1/21
2. Dynamic PAT and Inspect FTP on TCP/21: 10.1.200.3/12345 → 198.51.100.1/54321
3. Client requests Data conn from Server to 10.1.200.3/11111 [PORT 10,1,200,3,43,103]
4. FTP Inspect allocates xlate and rewrites 10.1.200.3/11111 → 198.51.100.1/22222 [PORT 198,51,100,1,86,206]
5. FTP Data conn opened to 10.1.200.3/11111 via 198.51.100.1/22222
6. Open ACL pinhole for TCP conn 192.0.2.1 → 198.51.100.1/22222
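Steps 3 to 6 above are the two jobs of an inspection engine listed earlier, embedded IP rewrite and dynamic pinholes, applied to one PORT command. The Python below is an added example written for this page, not ASA code: it decodes the PORT command, allocates a PAT xlate for the announced data endpoint, rewrites the command and records the pinhole the server's data connection will need. The PAT port allocator starts at 22222 only so the output matches the slide; it also refuses a PORT command naming a different address than the client's, the condition the ASA reports as %ASA-4-406002 on the Inspection Security Check slide further below.

```python
"""Active-FTP PORT handling as the ASA FTP inspection engine does it: parse the
client's PORT command, allocate a PAT xlate for the announced data endpoint,
rewrite the command, and open a pinhole for the server's inbound data
connection. Added illustration in Python, not ASA code; the port allocator
starts at 22222 only so that the output matches the slide's numbers.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.IGNORECASE)


def parse_port(cmd: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, p1*256 + p2)."""
    m = PORT_RE.match(cmd)
    if m is None:
        raise ValueError(f"malformed PORT command: {cmd!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"PORT field out of range: {cmd!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into the PORT command wire format."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


@dataclass
class FtpInspector:
    client_ip: str          # real address of the inside client
    mapped_ip: str          # outside interface address used for dynamic PAT
    server_ip: str          # FTP server reached over the control connection
    xlates: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    pinholes: List[Tuple[str, str, str, int]] = field(default_factory=list)
    drops: List[str] = field(default_factory=list)
    _next_pat_port: int = 22222   # constructed; the ASA picks from its PAT pool

    def allocate_xlate(self, real_ip: str, real_port: int) -> Tuple[str, int]:
        key = (real_ip, real_port)
        if key not in self.xlates:
            self.xlates[key] = (self.mapped_ip, self._next_pat_port)
            self._next_pat_port += 1
        return self.xlates[key]

    def handle_control_line(self, line: str) -> Optional[str]:
        """Inspect one client->server control line; return what the server will
        see, or None when the inspection engine drops it."""
        if not line.upper().startswith("PORT "):
            return line                                 # not a PORT command: pass through
        real_ip, real_port = parse_port(line)
        if real_ip != self.client_ip:
            # Same condition the ASA logs as %ASA-4-406002 (FTP port command different address)
            self.drops.append(f"406002 {real_ip} != {self.client_ip}")
            return None
        mapped_ip, mapped_port = self.allocate_xlate(real_ip, real_port)
        # Pinhole: the server may now open TCP to the mapped data endpoint
        self.pinholes.append(("tcp", self.server_ip, mapped_ip, mapped_port))
        return format_port(mapped_ip, mapped_port)

    def permits_data_conn(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Would the inbound data connection be allowed through the pinhole?"""
        return ("tcp", src_ip, dst_ip, dst_port) in self.pinholes


if __name__ == "__main__":
    insp = FtpInspector(client_ip="10.1.200.3", mapped_ip="198.51.100.1", server_ip="192.0.2.1")
    print(insp.handle_control_line("PORT 10,1,200,3,43,103\r\n").strip())  # PORT 198,51,100,1,86,206
    print(insp.permits_data_conn("192.0.2.1", "198.51.100.1", 22222))      # True
```

Note that the pinhole is specific to the server address seen on the control connection and to the allocated mapped port, which is why the data connection in step 5 is accepted even though no interface ACL permits inbound TCP to 198.51.100.1.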
Blocking URL Patterns with Regex
• Enhanced HTTP Inspection can match a URL and reset the connection
 o Consider the performance implications, especially on single-core platforms
 o Use ASA CX or Cloud Web Security (ScanSafe) instead

regex BAD_URI ".*verybadscript.*"
regex BAD_HOST "verybadsite\.com"

class-map type inspect http match-all BLOCK_URL
 match request uri regex BAD_URI
 match request header host regex BAD_HOST

policy-map type inspect http URL_POLICY
 class BLOCK_URL
  reset log

policy-map global_policy
 class inspection_default
  inspect http URL_POLICY
service-policy global_policy global
ASA Packet Flow
Understanding the Packet Flow
• To effectively troubleshoot a problem, one must first understand the packet path through the
network.
• Attempt to isolate the problem down to a single device.

• Then perform a systematic walk of the packet path through the device to determine where
the problem could be.
• For problems relating to the firewall always:
o Determine the flow: SRC IP, DST IP, SRC port, DST port, and protocol
o Determine the interfaces through which the flow passes
• All firewall issues can be simplified to two Interfaces (Ingress & Egress) and the rules tied to
both
Understanding the Packet Flow

• Once the device and flow have been identified, walk the path of the packet through the
device.
• The packet path through the firewall is illustrated in the next several slides.

• For troubleshooting, pay careful attention to where the packet can be dropped in the
decision-making process.
Flow Example
Client 10.1.1.9 on the inside; Server 198.133.219.25 on the outside.
Flow:
• SRC IP: 10.1.1.9
• SRC Port: 11030
• DST IP: 198.133.219.25
• DST Port: 80
• Protocol: TCP
Interfaces:
• SRC Interface: Inside
• DST Interface: Outside
Packet Flow Diagram
Recv Pkt → Ingress Interface → Existing Conn?
  Yes → bypass the ACL and xlate checks
  No  → ACL Permit? (No → Drop) → Match xlate? (No → Drop)
→ Inspection Sec Checks (No → Drop) → [CSC/CX/SFR Module] → NAT IP Header → [IPS Module]
→ Egress Interface → L3 Route? (No → Drop) → L2 Addr? (No → Drop) → Xmit Pkt

The packet flow change in 8.3 & later  the packet is un-translated first, before the ACL check:
Ingress Interface → Existing Conn?
  No → Match xlate / Untranslate → ACL Permit? (No → Drop)
→ Inspection Sec Checks → ...
Ingress Interface
• The packet arrives at the ingress interface.
• Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.
• The software input queue (RX Ring) is an indicator of load.
• The overrun counter indicates packet drops (usually packet bursts).

ASA# show interface gig1
interface gb-ethernet1 "inside" is up, line protocol is up
  Hardware is i82543 rev02 gigabit ethernet, address is 0003.470d.6214
  IP address 10.1.1.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 1 Gbit full duplex
  5912749 packets input, 377701207 bytes, 0 no buffer
  Received 29519 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  286298 packets output, 18326033 bytes, 0 underruns
  input queue (curr/max blocks): hardware (0/25) software (0/0)
  output queue (curr/max blocks): hardware (0/3) software (0/0)
Check for Existing Connection
• Check first for an existing connection
• If a connection exists, the flow is matched; bypass the ACL check & xlate matching  go to Fastpath
• If no existing connection:
 o TCP non-SYN packet: drop and log
 o TCP SYN or UDP packet: pass to ACL & NAT checks  go to Slowpath

Established Connection:
ASA# show conn
TCP out 198.133.219.25:80 in 10.1.1.9:11030 idle 0:00:04 Bytes 1293 flags UIO

Syslog because of no connection and a non-SYN packet:
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.9/11031 to 198.133.219.25/80 flags PSH ACK on interface inside
ACL Check
• The first packet in a flow is processed through the interface ACLs
• ACLs are first match
• The first packet in the flow matches an ACE, incrementing its hit-count by one
• Denied packets are dropped and logged

Packet Permitted by ACL:
ASA# show access-l inside
access-list inside line 10 permit ip 10.1.1.0 255.255.255.0 any (hitcnt=1)

Syslog When Packet Is Denied by ACL:
%ASA-4-106023: Deny tcp src inside:10.1.1.9/11034 dst outside:198.133.219.25/80 by access-group "inside"
Match Translation
• The packet is checked against the translation rules.
 o ASA 8.3 & later  there is no nat-control on the ASA
 o ASA 8.2 & earlier  if nat-control was on and a packet did not match an XLATE, it was dropped & logged.
• A route lookup could be conducted here to determine the egress interface to match NAT rules  initial outbound connection (source NAT)
• In case of destination NAT  NAT diversion is used to select the egress interface at this stage
• If no xlate entry exists, one is created  dynamic NAT
• If the packet passes this check, a connection entry is created for this flow and the packet moves forward.

Translation Exists:
ASA# show xlate debug
NAT from inside:10.1.1.9 to outside:172.18.124.68 flags - idle 0:00:07 timeout 3:00:00

Syslog message when no translation rule is found:
%ASA-3-305005: No translation group found for protocol src interface_name:source_address/source_port dst interface_name:dest_address/dest_port
Inspection Security Check
• The packet is subjected to an inspection check.
• This inspection verifies whether or not this specific packet flow is in compliance with the protocol.
• Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionalities.
 o Inspection rules are applied to NAT embedded IPs in the payload (e.g. DNS Doctoring).
 o Commands in control channels are inspected for compliance and for secondary data channels (e.g. FTP).
• If the packet passes the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.
• (Optional) Additional security checks are performed if a CSC, CX or SFR (FirePOWER) module is involved.

Syslog messages when a packet is denied by Security Inspection:
%ASA-4-405104: H225 message received from outside_address/outside_port to inside_address/inside_port before SETUP
%ASA-4-406002: FTP port command different address: 10.2.252.21(192.168.1.21) to 209.165.202.130 on interface inside
NAT IP Header
• Translate the IP address in the IP header
• Translate the port if performing PAT
• Update checksums
• The packet is forwarded to the IPS module for IPS related security checks.
Egress Interface
• The packet is "virtually" forwarded to the egress interface (i.e. not forwarded to the driver yet)
• The egress interface is determined first by the translation rules
• If no egress interface is specified by the translation rule, the result of a global route lookup is used to determine the egress interface
L3 Route Lookup
• Once on the egress interface, an interface route lookup is performed
• Only routes pointing out the egress interface are eligible
• Remember: a translation rule can forward the packet to the egress interface even though the routing table may point to a different interface (the translation rule has priority).

Syslog from a packet on the egress interface with no route pointing out that interface:
%ASA-6-110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port
%ASA-6-110001: No route to 209.165.202.130 from 10.1.1.9
L2 Address Lookup
• Once a layer 3 route has been found and the next hop identified, layer 2 resolution is performed
• Layer 2 re-write of the MAC header
• If layer 2 resolution fails, there is no syslog
Transmit Packet
• The packet is transmitted on the wire
• Interface counters increment on the egress interface.
• Output hardware and software queues (TX Ring) indicate buffering at driver level; the interface is busy
• The underrun counter indicates drops due to egress interface oversubscription

ASA# show interface GigabitEthernet0/1
interface GigabitEthernet0/1 "outside" is up, line protocol is up
  Hardware is i82543 rev02 gigabit ethernet, address is 0003.470d.626c
  IP address 172.18.124.64, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 1 Gbit full duplex
  3529518 packets input, 337798466 bytes, 0 no buffer
  Received 32277 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  5585431 packets output, 359059032 bytes, 80 underruns
  input queue (curr/max blocks): hardware (0/25) software (0/0)
  output queue (curr/max blocks): hardware (0/2) software (0/0)
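Each stage of the packet walk above has its own drop syslog, so the message ID alone tells you which check to look at. The Python below is an added example, not ASA code, that maps the IDs shown on these slides to their stage, pulls the flow fields out of the message formats the slides show, and counts drops per stage for a first triage. SAMPLE_LOG is a constructed set of lines copied from the slide examples; the %ASA-6-302013 line (connection built) is included only as a message that is not a drop.

```python
"""Triage of ASA drop syslogs by packet-flow stage. The message IDs and the
stage each belongs to are the ones shown on the packet-flow slides above.
Added illustration in Python; the log lines in SAMPLE_LOG are constructed
copies of the slide examples, not a capture.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# syslog ID -> stage of the packet path at which the ASA dropped the packet
DROP_STAGE = {
    "106015": "existing-connection",   # non-SYN TCP packet with no connection
    "106023": "acl",                   # denied by interface access-group
    "305005": "nat",                   # no translation group found
    "405104": "inspection",            # H.225 inspection
    "406002": "inspection",            # FTP PORT command address mismatch
    "110001": "route-lookup",          # no route
    "110003": "route-lookup",          # routing failed to locate next-hop
}

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")

# Field extractors for the message formats shown on the slides
FIELD_RE = {
    "106015": re.compile(r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) .*on interface (?P<iface>\S+)"),
    "106023": re.compile(r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "110001": re.compile(r"No route to (?P<dst>[\d.]+) from (?P<src>[\d.]+)"),
    "406002": re.compile(r"address: (?P<src>[\d.]+)\((?P<real>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'id', 'severity', 'stage', ...fields} for a known drop message, else None."""
    m = HEADER_RE.search(line)
    if m is None or m.group("id") not in DROP_STAGE:
        return None
    rec = {"id": m.group("id"), "severity": m.group("sev"), "stage": DROP_STAGE[m.group("id")]}
    fields = FIELD_RE.get(rec["id"])
    if fields is not None:
        fm = fields.search(m.group("text"))
        if fm is not None:
            rec.update(fm.groupdict())
    return rec


def drops_by_stage(lines: List[str]) -> Dict[str, int]:
    """Count drops per packet-path stage: tells you which check to look at first."""
    return dict(Counter(r["stage"] for r in map(parse_line, lines) if r is not None))


# Constructed sample, copied from the slide examples
SAMPLE_LOG = [
    '%ASA-6-106015: Deny TCP (no connection) from 10.1.1.9/11031 to 198.133.219.25/80 flags PSH ACK on interface inside',
    '%ASA-4-106023: Deny tcp src inside:10.1.1.9/11034 dst outside:198.133.219.25/80 by access-group "inside"',
    '%ASA-6-110001: No route to 209.165.202.130 from 10.1.1.9',
    '%ASA-4-406002: FTP port command different address: 10.2.252.21(192.168.1.21) to 209.165.202.130 on interface inside',
    '%ASA-6-302013: Built outbound TCP connection 1 for outside:198.133.219.25/80 (198.133.219.25/80) to inside:10.1.1.9/11030 (172.18.124.68/11030)',
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LOG):
        print(rec)
    print(drops_by_stage(SAMPLE_LOG))
```

A burst of 106015 from one source is usually asymmetric routing or a stale client session rather than an attack, while 106023 with a hit on the same flow across interfaces points straight at the access-group on the named interface; having the stage next to each line makes that distinction immediate.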
Egress Interface Selection
Egress Interface Selection Process

General Rules:
1. If a destination IP translating XLATE already exists, the egress interface for the packet is
determined from the XLATE table, but not from the routing table.
2. If a destination IP translating XLATE does not exist, but a matching static translation exists
(for the destination), then the egress interface is determined from the static NAT rule and an
XLATE is created, and the routing table is not used.
3. If a destination IP translating XLATE does not exist and no matching static translation exists,
the packet is not destination IP translated. The ASA processes this packet by looking up
the route (route-lookup) to select the egress interface, then source IP translation is performed
(if necessary).
Egress Interface Selection Process

In Summary:
• Destination translation  Egress interface is selected using existing XLATE or static
translation rules (NAT diversion)
o Network Object NAT diverts packets to real interface only for actual translation (object identity NAT
uses route-lookup)
o Manual NAT rules divert packets to respective interfaces by default
o Best to disable NAT divert for identity manual NAT rules  using route-lookup keyword
• Outbound initial connection (source translation only)  Egress interface is selected based on
route lookup, NAT rule is selected (if no existing xlate) and then xlate entry is created.
o The incoming return packets are forwarded to egress interface using existing XLATE only.
NAT Diversion

object network DMZ_FTP
 host 198.51.100.200
 nat (dmz,outside) static 198.51.100.200
 Identity translation, so inbound packets from outside to 198.51.100.200 use the routing table

object network DMZ_MAIL
 host 172.16.171.125
 nat (dmz,inside) static 192.168.1.201
 Actual translation happens, so inbound packets from inside to 192.168.1.201 will always divert to 172.16.171.125 on DMZ

nat (inside,outside) source static 192_168_1_0 192_168_1_0 destination static 192_168_2_0 192_168_2_0
 Traffic from 192.168.2.0 on outside to 192.168.1.0 is diverted to inside; traffic from 192.168.1.0 on inside to 192.168.2.0 is diverted to outside
Inbound Destination NAT  NAT Divert

nat (inside,outside) source static obj-192.168.10.250 obj-192.168.10.250

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.10.250 obj-192.168.10.250
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.10.250/0 to 192.168.10.250/0
Inbound Destination NAT  Route Lookup
nat (inside,outside) source static obj-192.168.10.250 obj-192.168.10.250 route-lookup

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.0 255.255.255.0 inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.10.250 obj-192.168.10.250 route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.10.250/0 to 192.168.10.250/0
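The three general rules, the NAT Diversion slide and the two packet-tracer outputs above describe one decision procedure. The Python below is an added example, not ASA code, that implements it: an existing destination xlate wins, then a matching static rule (diverting to its real interface unless it is object identity NAT or a manual rule with route-lookup), then a plain route lookup. The NAT rules are the ones from the slides; the routing table and the test destinations are constructed.

```python
"""Egress interface selection for a new connection, following the three
general rules and the NAT-divert notes on the slides above.

Added illustration in Python, not ASA code. The routing table is constructed;
the NAT rules are the ones from the NAT Diversion slide and the packet-tracer
output.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class StaticNat:
    kind: str                 # "object" (network object NAT) or "manual" NAT
    real_if: str
    mapped_if: str
    real: str
    mapped: str
    route_lookup: bool = False   # the route-lookup keyword on a manual rule

    @property
    def identity(self) -> bool:
        return self.real == self.mapped

    @property
    def diverts(self) -> bool:
        """Does a destination hit on this rule pick the egress interface (NAT divert)?"""
        if self.kind == "object":
            return not self.identity        # object identity NAT uses route-lookup
        return not self.route_lookup        # manual rules divert unless route-lookup is set


@dataclass
class Asa:
    routes: List[Tuple[str, str]]                              # (prefix, interface)
    nat_rules: List[StaticNat] = field(default_factory=list)
    # destination-translating xlates: (ingress, mapped dst) -> (egress, real dst)
    xlates: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)

    def route_lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match over the routing table."""
        best: Optional[Tuple[int, str]] = None
        for prefix, iface in self.routes:
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return best[1] if best else None

    def select_egress(self, ingress: str, dst: str) -> Tuple[Optional[str], str, str]:
        """Return (egress interface, untranslated destination, rule that decided)."""
        # Rule 1: an existing destination xlate decides; the routing table is not consulted
        if (ingress, dst) in self.xlates:
            egress, real = self.xlates[(ingress, dst)]
            return egress, real, "existing-xlate"
        # Rule 2: a matching static translation for the destination
        for rule in self.nat_rules:
            if rule.mapped_if != ingress or rule.mapped != dst:
                continue
            egress = rule.real_if if rule.diverts else self.route_lookup(dst)
            if egress is not None:
                self.xlates[(ingress, dst)] = (egress, rule.real)
            return egress, rule.real, "nat-divert" if rule.diverts else "route-lookup"
        # Rule 3: no destination translation; route lookup, source NAT (if any) comes afterwards
        return self.route_lookup(dst), dst, "route-lookup"


def build_slide_asa() -> Asa:
    """NAT rules from the slides plus a constructed routing table."""
    return Asa(
        routes=[("0.0.0.0/0", "outside"), ("198.51.100.0/24", "dmz"),
                ("192.168.1.0/24", "inside"), ("192.168.10.0/24", "inside")],
        nat_rules=[
            StaticNat("object", "dmz", "outside", "198.51.100.200", "198.51.100.200"),  # DMZ_FTP
            StaticNat("object", "dmz", "inside", "172.16.171.125", "192.168.1.201"),    # DMZ_MAIL
            StaticNat("manual", "inside", "outside", "192.168.10.250", "192.168.10.250",
                      route_lookup=True),                                               # obj-192.168.10.250
        ],
    )


if __name__ == "__main__":
    asa = build_slide_asa()
    print(asa.select_egress("outside", "198.51.100.200"))   # ('dmz', '198.51.100.200', 'route-lookup')
    print(asa.select_egress("inside", "192.168.1.201"))     # ('dmz', '172.16.171.125', 'nat-divert')
```

The DMZ_MAIL case is the one that surprises people: the routing table says 192.168.1.0/24 is on inside, yet the packet leaves on dmz because the translation rule has priority, exactly as the L3 Route Lookup slide warns.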
Authentication, Authorization
& Accounting (AAA)
AAA Overview

• AAA is a set of services for controlling access to computer resources, enforcing policies,
assessing usage, and providing the information necessary to bill for services. These
processes are considered important for effective network management and security.
o Authentication  identifies a user
o Authorization  determines what that user can do
o Accounting  monitors the network usage time
Authentication
• Provides a way to identify a user
• Valid username and valid password must be provided to grant access
• The AAA server compares a user's authentication credentials against its database

• If the credentials match, the user is permitted access to the network. If the credentials do not match,
authentication fails and network access is denied.
• You can configure the Cisco ASA to authenticate the following items:
o All administrative (management) connections to the ASA, including the following sessions:
 Telnet  aaa authentication telnet console
 SSH  aaa authentication ssh console
 Serial console  aaa authentication serial console
 ASDM using HTTPS  aaa authentication http console
o The enable command  aaa authentication enable console
o Network access  Cut-through proxy & IDFW
o VPN access
Authorization

• Authorization is the process of enforcing policies

• Determining what types of activities, resources, or services a user is permitted to access.

• After a user is authenticated, that user may be authorized for different types of access or
activity.
• You can configure the ASA to authorize the following items:
o Exec authorization (privilege level)  aaa authorization exec
o Management commands  aaa authorization command
o Network access  Cut-through proxy
o VPN access
Accounting
• Accounting measures the resources a user consumes during access
o The amount of system time or the amount of data that a user has sent or received during a
session.
• Accounting is carried out through the logging of session statistics and usage information,
which is used for authorization control, billing, trend analysis, resource utilization, and
capacity planning activities.
• Accounting can be configured for the following:
o Serial  aaa accounting serial console
o SSH  aaa accounting ssh console
o Telnet  aaa accounting telnet console
o Enable  aaa accounting enable console
o Network Access  Cut-through proxy
o Commands Accounting  aaa accounting command
AAA Servers
AAA Servers
• The AAA server is a network server that is used for access control.
AAA Server Groups
• If you want to use an external AAA server for authentication, authorization, or accounting:
1. You must first create at least one AAA server group per AAA protocol and add one or more servers to each
group.
2. You identify AAA server groups by name.
3. Each server group is specific to one type of server or service.

Local Database Support
• The ASA maintains a local database that you can populate with user profiles.
• You can use the local database instead of AAA servers to provide user authentication, authorization, and accounting.
AAA Server Types on ASA
ASA supports several protocols that are used in AAA communications:
1. TACACS+
2. RADIUS
3. LDAP
RADIUS vs. TACACS+
• Transport: RADIUS uses UDP (1812 for authentication & authorization, 1813 for accounting; unofficially UDP 1645 & 1646). TACACS+ uses TCP port 49.
• Encryption: RADIUS encrypts only the password in the packet. TACACS+ encrypts the entire body of the packet.
• AAA separation: RADIUS combines authentication and authorization. TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting.
• Standardization: RADIUS is an industry standard. TACACS+ is Cisco proprietary.
• Protocol support: RADIUS does not support ARA access, NetBIOS Frame Protocol Control protocol, NASI, and X.25 PAD connections. TACACS+ offers multiprotocol support.
• Command authorization: RADIUS does not support command authorization. TACACS+ supports command authorization, on a per-user or per-group basis.
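The "RADIUS encrypts only the password" row is worth seeing on the wire: the User-Password attribute is XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator (RFC 2865 section 5.2), while User-Name and every other attribute travel in clear, which is one reason management traffic to the AAA server belongs on a protected network. The Python below is an added example, not ASA or server code; the shared secret reuses the key string from the RADIUS configuration slide, and the authenticator and credentials are constructed.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2), to make concrete the
"RADIUS encrypts only the password" row of the comparison above: the password
is XORed with an MD5 keystream derived from the shared secret and the Request
Authenticator, while every other attribute travels in clear. Added
illustration in Python, not ASA code; secret, authenticator and credentials
are constructed test values.
"""
import hashlib
import os
import struct
from typing import List, Optional, Tuple

USER_NAME, USER_PASSWORD = 1, 2          # attribute types from RFC 2865


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_(i-1)); 16-byte blocks."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server computes it (trailing NUL padding removed)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 1,
                         authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Minimal Access-Request (code 1) carrying User-Name and a hidden User-Password."""
    ra = authenticator or os.urandom(16)
    attrs = b""
    for atype, value in ((USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, ra))):
        attrs += struct.pack("!BB", atype, 2 + len(value)) + value      # type, length, value
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + ra + attrs, ra


def attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    out, off = [], 20
    while off < len(packet):
        atype, alen = packet[off], packet[off + 1]
        out.append((atype, packet[off + 2:off + alen]))
        off += alen
    return out


if __name__ == "__main__":
    secret = b"mysecretkeyexampleiceage2"            # key string from the RADIUS config slide
    pkt, ra = build_access_request(b"exampleuser1", b"examplepassword1", secret)
    print({t: v for t, v in attributes(pkt)})          # User-Name readable, User-Password not
    print(reveal_password(dict(attributes(pkt))[USER_PASSWORD], secret, ra))
```

Nothing else in the packet is protected: an observer sees the username, the NAS attributes and the authenticator, and the password hiding itself depends entirely on the strength of the shared secret, which is the practical argument for TACACS+ (whole body encrypted) or for carrying RADIUS over a management VLAN or tunnel.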
TACACS+ Server Configuration
aaa-server <Server_Group_Name> protocol tacacs+
aaa-server <Server_Group_Name> (Int_Name) host <Server_IP> <pre-shared_key> timeout <1-300>
aaa authentication <Protocol> console <Server_Group_Name1> <Server_Group_Name2> <LOCAL>

ciscoasa(config)# aaa-server TACACS protocol tacacs+
ciscoasa(config-aaa-server-group)# max-failed-attempts 2
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server TACACS (inside) host 10.1.1.1
ciscoasa(config-aaa-server-host)# key TACPlusUauthKey
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# aaa-server TACACS (inside) host 10.1.1.2
ciscoasa(config-aaa-server-host)# key TACPlusUauthKey2
ciscoasa(config-aaa-server-host)# exit
RADIUS Server Configuration
aaa-server <Server_Group_Name> protocol radius
aaa-server <Server_Group_Name> (Int_Name) host <Server_IP> <pre-shared_key> timeout <1-300>
aaa authentication <Protocol> console <Server_Group_Name1> <Server_Group_Name2> <LOCAL>

ciscoasa(config)# aaa-server RADIUS protocol radius
ciscoasa(config-aaa-server-group)# aaa-server RADIUS host 192.168.3.4
ciscoasa(config-aaa-server-host)# timeout 9
ciscoasa(config-aaa-server-host)# retry-interval 7
ciscoasa(config-aaa-server-host)# authentication-port 1650
ciscoasa(config-aaa-server-host)# authorization-port 1645
ciscoasa(config-aaa-server-host)# key mysecretkeyexampleiceage2
ciscoasa(config-aaa-server-host)# exit
RADIUS AAA Servers
• Cisco ASA supports the following RFC-compliant RADIUS servers for AAA:
 o Cisco Secure ACS 3.2, 4.0, 4.1, 4.2, and 5.x
 o Cisco Identity Services Engine (ISE)
 o RSA RADIUS in RSA Authentication Manager 5.2, 6.1, and 7.x
 o Microsoft
LDAP Server Configuration
ciscoasa(config)# aaa-server LDAP protocol ldap
ciscoasa(config-aaa-server-group)# aaa-server LDAP (inside) host 10.1.254.91
ciscoasa(config-aaa-server-host)# ldap-base-dn CN=Users,DC=cisco,DC=local
ciscoasa(config-aaa-server-host)# ldap-scope subtree
ciscoasa(config-aaa-server-host)# ldap-login-password test
ciscoasa(config-aaa-server-host)# ldap-login-dn CN=Administrator,CN=Users,DC=cisco,DC=local
ciscoasa(config-aaa-server-host)# server-type auto-detect
ciscoasa(config-aaa-server-host)# ldap-attribute-map MGMT
LDAP AAA Servers
• The Cisco ASA is compatible with most LDAPv3 directory servers, including:
 o Sun Microsystems JAVA System Directory Server
 o Microsoft Active Directory
 o Novell
 o OpenLDAP
LOCAL ASA Database
username <username> password <passwd> privilege <0-15>

aaa authentication <Protocol> console LOCAL

• You can use the local database for the following functions:
o ASDM per-user access
o Console authentication
o Telnet and SSH authentication
o enable command authentication
o Command authorization
o Network access authentication
o VPN client authentication
ASA5555# show run username
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
LOCAL Database Fallback
• The local database can act as a fallback method for several functions. This behavior is designed to help you prevent accidental lockout from the ASA.
• Fallback means that if all servers in the AAA server group have failed (are dead), the AAA request is forwarded to the next AAA server group or the LOCAL database. It does NOT fall back when a server answers and the authentication itself fails.
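The distinction in the last bullet is the one that locks administrators out or, worse, lets a rejected login succeed against a stale local account, so it is worth modelling. The Python below is an added example, not ASA code, of a method list such as aaa authentication ssh console TACACS LOCAL: a server group is skipped only once every server in it has been marked dead after max-failed-attempts unanswered tries, while a reject from any reachable server ends the attempt without consulting LOCAL. The servers, users and the max-failed-attempts value of 2 (from the TACACS+ configuration slide) are constructed for the example.

```python
"""How an ASA method list such as `aaa authentication ssh console TACACS LOCAL`
falls back, per the slide: the next method is tried only when every server in
the group is dead (unreachable), never when a server rejects the credentials.
Added illustration in Python, not ASA code; the servers and users are
constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A server answers "accept", "reject", or None (no answer within the timeout)
Responder = Callable[[str, str], Optional[str]]


@dataclass
class AaaServer:
    host: str
    respond: Responder
    failed_attempts: int = 0
    dead: bool = False


@dataclass
class AaaServerGroup:
    name: str
    servers: List[AaaServer]
    max_failed_attempts: int = 3     # modelled after the ASA max-failed-attempts setting

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Try servers in order; 'accept'/'reject' from the first that answers,
        or None when the whole group is dead."""
        for srv in self.servers:
            if srv.dead:
                continue
            while srv.failed_attempts < self.max_failed_attempts:
                answer = srv.respond(user, password)
                if answer is not None:
                    srv.failed_attempts = 0
                    return answer               # a reject is a final answer: no fallback
                srv.failed_attempts += 1
            srv.dead = True                     # retries exhausted: mark dead, try the next server
        return None


@dataclass
class LocalDatabase:
    users: Dict[str, str]                       # username -> password (constructed; never store clear text for real)
    name: str = "LOCAL"

    def authenticate(self, user: str, password: str) -> str:
        return "accept" if self.users.get(user) == password else "reject"


def authenticate(method_list: list, user: str, password: str) -> str:
    """Walk the method list; report the answer and which method produced it."""
    for method in method_list:
        answer = method.authenticate(user, password)
        if answer is not None:
            return f"{answer} by {method.name}"
    return "reject (no AAA method available)"


if __name__ == "__main__":
    unreachable = lambda u, p: None
    local = LocalDatabase({"cisco": "cisco123"})
    tacacs = AaaServerGroup("TACACS", [AaaServer("10.1.1.1", unreachable),
                                       AaaServer("10.1.1.2", unreachable)], max_failed_attempts=2)
    print(authenticate([tacacs, local], "cisco", "cisco123"))   # accept by LOCAL
```

Run against a reachable server that rejects the credentials, the same method list returns "reject by TACACS" even though the LOCAL entry would match: the fallback is to server death, not to authentication failure.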
Testing AAA
• To test the AAA connectivity, use the command:
test aaa-server authentication <Server_Group_Name> host <Server_IP> username <username> password <Password>
ASA Management
ASA Management Access
• ASA can be managed in the following ways:
 o Command Line (CLI)
  1. Serial Console
  2. SSH  secure (encrypted)  best CLI option
  3. Telnet  non-secure (clear text)
 o Web GUI interface  ASDM
• You can only manage the ASA through the interface on which the management traffic arrives (the interface facing you); the only exception is VPN management access.
Telnet
telnet source_IP_address mask source_interface

telnet 192.168.1.2 255.255.255.255 inside
telnet 192.168.3.0 255.255.255.0 inside
username exampleuser1 password examplepassword1
aaa authentication telnet console LOCAL
telnet timeout 30

• 5 concurrent sessions
• You cannot use Telnet to the lowest security interface unless you use Telnet inside a VPN tunnel.
• The login password (passwd) is only used for Telnet if you do not configure Telnet user authentication (the aaa authentication telnet console command).
• Starting 9.0(2)/9.1(2)  the default Telnet login password was removed; you must manually set the password before using Telnet  passwd command
SSH crypto key generate rsa modulus modulus_size

ssh source_IP_address mask source_interface

ciscoasa(config)# crypto key generate rsa modulus 1024


ciscoasa(config)# write memory
ciscoasa(config)# aaa authentication ssh console LOCAL
WARNING: local database is empty! Use 'username' command to define local users.
ciscoasa(config)# username exampleuser1 password examplepassword1
ciscoasa(config)# ssh 192.168.1.2 255.255.255.255 inside
ciscoasa(config)# ssh timeout 30

• 5 concurrent sessions

• The ASA supports the SSH remote shell functionality provided in SSH Versions 1 and 2 and
supports DES and 3DES ciphers.
• Starting 8.4 → the SSH default username is no longer supported. You can no longer connect to the
ASA using SSH with the pix or asa username and the login password. To use SSH, you must
configure AAA authentication using the aaa authentication ssh console command.
Adaptive Security Device Manager (ASDM)
asdm image {disk0:/ | disk1:/}[path/]asdm_image_name
http source_IP_address mask source_interface
http server enable [port]

ciscoasa(config)# asdm image disk0:/asdm-731.bin


ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.2 255.255.255.255 inside
ciscoasa(config)# aaa authentication http console radius_1 LOCAL

• By default, you can log into ASDM with a blank username and the enable password set by
the enable password command. Note that if you enter a username and password at the
login screen (instead of leaving the username blank), ASDM checks the local database for a
match.
• If you configure HTTP authentication, you can no longer use ASDM with a blank username
and the enable password.
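As an added example (not part of this deck or any Cisco tool), a short Python audit over a constructed running-config excerpt that flags the weak management-access settings discussed on the Telnet, SSH and ASDM slides: Telnet exposure, overly broad source networks, SSH version 1, and AAA methods configured without a LOCAL fallback. The script, its finding strings and the sample config are hypothetical; it parses only the command forms shown above.

```python
import re
from ipaddress import ip_network

# Constructed sample running-config fragment (not from a real device).
# It mixes the weak settings this deck warns about with the recommended ones.
SAMPLE_CONFIG = """\
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 30
ssh 192.168.1.2 255.255.255.255 inside
ssh version 1
ssh timeout 30
http server enable
http 0.0.0.0 0.0.0.0 outside
aaa authentication ssh console radius_1 LOCAL
aaa authentication http console radius_1
"""

def audit_management_access(config: str) -> list:
    """Return a list of findings for the management-plane lines of an ASA config."""
    findings = []
    protos_used = set()   # telnet / ssh / http with at least one access line
    auth = {}             # proto -> AAA methods in configured order
    for line in config.splitlines():
        line = line.strip()
        # Access lines: telnet|ssh|http <source_IP> <mask> <source_interface>
        m = re.match(r"^(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", line)
        if m:
            proto, addr, mask, ifname = m.groups()
            net = ip_network(f"{addr}/{mask}", strict=False)  # dotted mask notation is accepted
            protos_used.add(proto)
            if proto == "telnet":
                findings.append(f"telnet: clear-text management allowed from {net} on {ifname}")
            if net.prefixlen == 0:
                findings.append(f"{proto}: any source address may connect on {ifname}")
            continue
        if line == "ssh version 1":
            findings.append("ssh: version 1 permitted; only version 2 should be allowed")
            continue
        # aaa authentication {telnet|ssh|http} console <server_group> [LOCAL]
        m = re.match(r"^aaa authentication (telnet|ssh|http) console (.+)$", line)
        if m:
            auth[m.group(1)] = m.group(2).split()
    for proto in sorted(protos_used):
        methods = auth.get(proto)
        if methods is None:
            findings.append(f"{proto}: no aaa authentication configured (login/enable password only)")
        elif methods[-1] != "LOCAL":
            # Fallback only kicks in when the server group is dead, so LOCAL must be listed last.
            findings.append(f"{proto}: AAA group {methods[0]} has no LOCAL fallback")
    return findings
```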
ASDM

• The Adaptive Security Device Manager (ASDM) is a Java-based web user interface that can be
used to configure the ASA.
• Because ASDM is Java-based, any operating system that supports Java can be used to
configure the ASA.
ASDM Configuration Tab
• Easily find and change configuration sections
o Configuration panes sections organized by feature
• Configuration wizards
o High-availability (Failover)
o VPN
o Unified communications
o Packet capture utility
o Phone Proxy
• Update ASA and ASDM software from within ASDM

• Download and upload files directly to the ASA from local computer or cisco.com
ASDM Monitoring Tab
• Graphing → watching changes over time
o Perfmon Data (AAA, Inspection, HTTP, Connections, Xlates)
o Connections
o Xlates
o Interface Byte/Packet counts
o Memory Usage
o Interface Bit Rates
o Interface buffer resources
o Blocks Usage
o CPU Usage

• Real-time syslog monitor


o Searching capabilities
o Auto-create ACL rules based on packets denied in syslog
ASA Upgrade, Downgrade,
Backup/Restore
Upgrade the ASA
copy tftp://server[/path]/asa_image_name {disk0:/ | disk1:/}[path/]asa_image_name
boot system {disk0:/ | disk1:/}[path/]asa_image_name
write memory
reload

ciscoasa# copy tftp://10.1.1.1/asa931-smp-k8.bin disk0:/asa931-smp-k8.bin


ciscoasa# show running-config boot system
boot system disk0:/asa914-smp-k8.bin
ciscoasa# config terminal
ciscoasa(config)# no boot system disk0:/asa914-smp-k8.bin
ciscoasa(config)# boot system disk0:/asa931-smp-k8.bin
ciscoasa(config)# write memory
ciscoasa(config)# reload
Upgrade the ASDM

copy tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name


asdm image {disk0:/ | disk1:/}[path/]asdm_image_name

ciscoasa# copy tftp://10.1.1.1/asdm-731.bin disk0:/asdm-731.bin


ciscoasa(config)# asdm image disk0:/asdm-731.bin
Upgrade Path
Current ASA Version        First Upgrade to:             Then Upgrade to:
8.2(x) and earlier         8.4(6)                        9.3(1) or later
8.3(x)                     8.4(6)                        9.3(1) or later
8.4(1) through 8.4(4)      8.4(6), 9.0(4), or 9.1(2)     9.3(1) or later
8.4(5) and later           —                             9.3(1) or later
8.5(1)                     9.0(4) or 9.1(2)              9.3(1) or later
8.6(1)                     9.0(4) or 9.1(2)              9.3(1) or later
9.0(1)                     9.0(4) or 9.1(2)              9.3(1) or later
9.0(2) or later            —                             9.3(1) or later
9.1(1)                     9.1(2)                        9.3(1) or later
9.1(2) or later            —                             9.3(1) or later
9.2(x)                     —                             9.3(1) or later
Upgrade to 8.3 & later

• NAT command syntax is converted to the new (object-based) style
• ACLs are changed to use real IP addresses (real-IP migration)
• Network objects are created to represent hosts and subnets
Upgrade to 8.3 or later
1) Download 8.3 or later to disk0:/ and set the boot pointer
ASA(config)# boot system disk0:/asa841-smp-k8.bin
ASA(config)# write mem
[OK]
ASA(config)# reload

2) ASA boots back up, saves old configuration


INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file
'flash:8_2_4_0_startup_cfg.sav'

3) ASA converts configuration, saves migration log to flash


INFO: NAT migration completed.
Real IP migration logs:
ACL <outside_in> has been migrated to real-ip version
INFO: MIGRATION - Saving the startup errors to file
'flash:upgrade_startup_errors_201105301452.log'
Upgrade to 8.3 or later
access-list outside_in extended permit tcp any host 14.36.103.82 eq www
!
global (outside) 1 interface
nat (inside) 1 192.168.103.0 255.255.255.0

Automatic conversion

access-list outside_in extended permit tcp any host 192.168.4.2 eq www


!
object network obj-192.168.103.0
subnet 192.168.103.0 255.255.255.0
!
object network obj-192.168.103.0
nat (inside,outside) dynamic interface
Downgrade the ASA
• To downgrade your software version, use the downgrade command in global configuration
mode.
• This command was introduced in 8.3(1).
• This command is a shortcut for completing the following functions:
1. Clearing the boot image configuration (clear configure boot).
2. Setting the boot image to be the old image (boot system).
3. Saving the running configuration to startup (write memory). This sets the BOOT environment
variable to the old image, so when you reload, the old image is loaded.
4. Copying the old configuration to the startup configuration (copy old_config_url startup-config).
5. Reloading (reload).

downgrade [ /noconfirm ] old_image_url old_config_url [ activation-key old_key ]


Downgrade the ASA
ASA# downgrade disk0:/asa824-smp-k8.bin disk0:/8_2_4_0_startup_cfg.sav
The device will reload and downgrade to the specified image.
Press [Y]es or <newline> to confirm (any other key will abort):Y
INFO: Boot parameters cleared
INFO: Boot system configured to be disk0:/asa824-smp-k8.bin
Cryptochecksum: 649f039b 0c1e911f 73cf3717 d93017a9
3616 bytes copied in 1.740 secs (3616 bytes/sec)
INFO: Saving disk0:/8_2_4_0_startup_cfg.sav to startup-config
Copy in progress...C
3550 bytes copied in 0.10 secs
Process shutdown finished
Rebooting…
Upgrade the ASA from Rommon
• You need to set up a TFTP server first.

• You need to enter ROMMON mode by pressing the Break key when you are prompted to
during boot.
monitor>INTERFACE= <num>
monitor>ADDRESS= <ASA_ip_address>
monitor>SERVER= <TFTP_server_ip_address>
monitor>GATEWAY= <gateway_ip_address>
monitor>FILE=<filename>
monitor>ping <tftp_server_ip_address>
monitor>tftp

• The firewall boots the TFTP image from RAM, not from flash, so after it finishes booting you
need to copy the image to the flash memory again:
ASAfirewall>enable
ASAfirewall#copy tftp flash
Backup Configuration

• You can copy the startup configuration or running configuration to an external server or to the
local flash memory.

copy [/noconfirm] { startup-config | running-config } tftp://server[/path]/dst_filename

copy [/noconfirm] { startup-config | running-config } ftp://[user[:password]@]server[/path]/dst_filename

copy [ /noconfirm ] { startup-config | running-config } { disk0 | disk1}:/[path/]dst_filename

ciscoasa# copy running-config tftp://10.1.1.67/files/new-running.cfg


ciscoasa# copy startup-config ftp://jcrichton:aeryn@10.1.1.67/files/new-startup.cfg
ciscoasa# copy /noconfirm running-config disk0:/new-running.cfg
Configuring the Boot Startup Configuration

• By default, the ASA boots from a startup configuration that is a hidden file.

• The boot config command sets the startup configuration to be a known file instead of the
default hidden file.

boot config { disk0:/ |disk1:/ }[ path /] filename

ciscoasa(config)# boot config disk0:/configs/startup1.cfg


Complete System Backup/Restore
• Starting 9.3 → backup & restore commands have been introduced to perform a complete
system backup/restore.
• The backup command creates a tar.gz backup file.

backup [ /noconfirm ] [ context name ] [ cert-passphrase value ] [ location path ]

ciscoasa# backup location disk0:/sample-backup


Backup location [disk0:/sample-backup]?

restore [/noconfirm] [context name] [cert-passphrase value] [location path]

ciscoasa# restore location disk0:/5525-2051.backup.2014-07-09-223$


restore location [disk0:/5525-2051.backup.2014-07-09-223251.tar.gz]?
ASA Licensing
• Some features of the ASA are licensed and can only be enabled with an activation key; some
features and limits depend on the platform type.
Preinstalled License
• By default, your ASA ships with a license already installed.
• This license might be the Base License, to which you want to add more licenses, or it might already have
all of your licenses installed, depending on what you ordered and what your vendor installed for you.
Permanent License
• You can have one permanent activation key installed.
• The permanent activation key includes all licensed features in a single key.
• If you also install time-based licenses, the ASA combines the permanent and time-based licenses into a
running license.
Time-Based Licenses
• In addition to permanent licenses, you can purchase time-based (temporary) licenses or receive an
evaluation license that has a time-limit.
ASA Licensing & Failover

• For ASA 8.2 & earlier → permanent licenses had to match exactly on both ASAs

• For ASA 8.3 & later → licenses do not have to match
o 5505, 5510 & 5512-X must still have the Security Plus license to enable failover on both
units → the base license for these models does not support failover.
o For most features the licenses are aggregated between the two ASAs in the failover pair

(Figure: failover pair, Primary/Active and Secondary/Standby units)
Time-Based Licenses

• Support added in 8.0(4) for VPN time-based licenses.

• 8.2 introduced time-based licenses for the Botnet Traffic Filter.

• ASA 8.2 & earlier → allowed only one time-based license to be active

• ASA 8.3 & later → allows multiple time-based licenses to be active at a time
• Time-based licenses are aggregated for failover
Install the License
activation-key key [activate | deactivate]

ciscoasa# activation-key 0xd11b3d48 0xa80a4c0a 0x48e0fd1c 0xb0443480 0x843fc490

• You can install one permanent key, and multiple time-based keys.

• If you enter a new permanent key, it overwrites the already installed one.

• The activate and deactivate keywords are available for time-based keys only

• An ASA reload might be required: some permanent licenses require you to reload the ASA
after entering the new activation key. If you need to reload, you will see the following
message:
o WARNING: The running activation key was not updated with the requested
key. The flash activation key was updated with the requested key, and
will become active after the next reload.
Licensing Considerations

• Ensure ASA system clock is accurate


• Be aware of license updates requiring reboot:
o Changing encryption license
o 5512/5510/5505 upgrade to security plus

o Downgrading a permanent license


References & Resources
• ASA CLI Configuration Guide
• ASA Command Reference
• ASA Syslog Messages
• ASA Release Notes
• Cisco ASA Compatibility
• Cisco ASA 5500 Migration Guide for Version 8.3
• Configuration Examples and TechNotes
• TECSEC-2999 CISCO ASA product line: A 360-Degree Perspective – Cisco Live 2014 Milan
• TECSEC-2020 Unleashing the ASA – Cisco Live 2011 Las Vegas
• ASA NAT 8.3 Configuration and Troubleshooting Training by Jay Johnston
