Friday, September 25, 2015

Cisco ASA Notes

Cut-through proxy authenticates the connection at the application layer, but process the subsequent data at layers 3 and 4. 

The ASA 5505 does not support active/active failover.

The security appliance will not load-balance between multiple paths- they will only use one path. If the metric is different the appliance will use the path with lower metric value. If the metric value is same, the appliance will use first route command configured.

You cannot create a summary route of, instead, you need to use default-information originate command.

The appliance treats UDP as a stateful connection, like TCP. However, because there is no defined connection teardown process, the appliances will examine the idle period of a UDP connection to determine when it should be removed from the connection table. The process makes inbound UDP sessions more susceptible to IP spoofing and session replay attacks.

Once the pool of addresses is used up, no further translations can take place for additional internal devices matching for same policy- their traffic is dropped.

ACLs on an appliance use a subnet mask- not wildcard mask like CISCO IOS router.

Even though a static commands set up the static NAT translations, traffic will not be allowed to go from the outside to dmz and outside to inside interfaces until you configure ACL.

Anytime when you add, change or delete a translation policy, you should clear the translation table with the clear xlate command in order for your changes to take effect.

Appliance ACLs filter traffic flowing through the appliances, not to it.

At the end of every ACL on the appliance is an implicit deny statement- this drops all traffic that is not matched on the previous statement. This statement is invisible when you look at the ACL with a show access-list command. So the recommendation is to use deny ip any any command at the end of every extended ACL so that you can see the hit count of dropped packets.

If you execute show running-config command, ACL line numbers are not seen; nor they are saved in flash when you execute the write memory command. However, you can see the line numbers with the show access-list command.

When you delete ACL, the associated access-group commands are also deleted.

You can abbreviate as 0

Radius is most commonly used on appliances for connection going through it, like CTP and remote access VPNs. Radius is actually required for some security features like 802.1x and LEAP. RADIUS used one UDP connection for authentication and authorization and a second connection for accounting. Depending on the implementation of RADIUS, the port numbers for authentication/authorization and accounting are either 1645 and 1646 or 1812 and 1813 respectively.

TACACS+ is most commonly used on the appliances for controlling administrative access to the appliance itself. Note that you can use both RADIUS and TACACS+ simultaneously on your appliance. For example, you could use TACACS+ to control access to the appliance, but use RADIUS for CTP.

Cisco AAA server supports both RADIUS and TACACS+

Autoconfiguration is the simplest method of assigning an IPv6 address on an appliance interface.

If you don't define any connection limits, whatever the appliance can fit in its state table (the licensed limit) is what the appliance with allow.

SMTP and ESMTP inspection only apply to inbound (lower to higher level) traffic.

By default FTP and http inspection is enabled in the global policy on all interfaces; you can change this policy or set up interface-specific policies that override global policy.

You should not allow RSH traffic through your appliance because it is susceptible to spoofing attacks. If you must allow it, restrict its use with ACLs.

You need at least a DES encryption key to set up VPNs on your appliance.

There are two problems with IPSec over TCP. It is Cisco propriety which means endpoints should be the cisco devices, and Ipsec over TCP inserts a 20 byte header, almost 3 times as much as NAT-T inserts.

To properly import the root and identity certificates, the appliance must receive the certificates in the PEM (primary enhanced mail) format.

Normally site-to-site connections do not travel through translation or firewall devices, and thus NAT-T/or Ipsec over TCP is not needed. However, if this is not the case, you'll need to configure these options on the appliance.

Dead Peer Detection(DPD) sends keepalive across the management connection, allowing the appliance to detect a dead management connection. Because this is Cisco propriety, it should only be enabled for a tunnel group that has Cisco devices for remote peers.

For each remote site, you'll need a separate crypto ACL.

If the crypto ACLs aren't mirrored between the two peers, you typically see a mismatched proxy condition in your logs or debug output. This indicates you have non-symmetrical crypto ACLs on the two peers.

You can have multiple transform sets for different peers- this is necessary if you have different peers with different capabilities. For example, you might have one peer that support AES256, but another that only supports 3DES. In this situation, you would need two transform sets for the two respective peers.

The configuration of crypto maps is slightly different on an appliance compared with an IOS router. On an appliance, all the crypto map commands are configured in global configuration mode. In IOS routers, each entry you create in the crypto map takes you to subcommand mode where you complete the configuration for an associated peer. To activate the crypto map on a router, you perform this from interface subcommand mode.

If you put both remote peers at a location in separate crypto map entries, the appliance can actually build two tunnels(one for each peer) instead of one.

The advantage of PFS is that it is more secure than the management connection, the disadvantage of PFS is that it slows the building of the data connections.

If you change the parameters in a crypto map entry, the changes don't affect any existing data SAs- you must tear down the existing one or wait till they expire before the changes take place.

Tunnels will not be built until traffic needs to be sent to a remote site that matches a crypto ACL associated with a crypto map entry.

One common entry to include in a crypto MAP is ICMP traffic associated with the two peers. This way performing a ping from one of the peers will attempt to bring the tunnel up.

If asa1 has connections to two sites, like asa2 and asa3, and you want traffic to flow from asa2 through asa1 to asa3, you'll need to configure the same-security-traffic permit intra-interface command on asa1 to allow traffic to flow into and out of the same interface.

The vpn-sessiondb max-session-limit command applies to both L2L and remote access tunnels but is used more often to limit the number of remote access connection since they are dynamic in nature.

If two policies are very similar, after creating the first one, use the from option in the preceding command to inherit the policy attributes from the first group policy to the second. Then go in and modify the second group policy attributes as needed.

It is recommended to use NAT-T rather than IPSec over UDP since NAT-T uses a discovery process to determine if the UDP encapsulation of ESP is necessary.

If you allow split tunneling, then the recommendation is to set up a firewall or NAC policy and require the remote to have a firewall installed to protect the user from clear-text traffic.

For non-admin appliance accounts make sure the privilege level is 0, which ensures that remote access users can't access the appliance itself.

To use authorization and or accounting, you must have an AAA server perform authentication.

Redistribution is necessary when you are doing load balancing. Otherwise, if you have only one appliance, use static routes on the internal devices, and point them to the appliance to reach the remote internet address.

If you want to set up two clusters in the same subnet, changing the port number is one set logically separates the two clusters. Clients then need to know a virtual IP address in either of the clusters to connect, and then load balancing will occur within the connected cluster.

One restriction with remote access connections is that the remote can have only one tunnel up at a time.

Client mode is typically used when you're short of address space or you don't need corporate office devices initiating connections to remote office devices. For example, if you have a VOIP implementation, client mode would not work since phones at the corporate office wouldn't be able to establish connections to the remote office phones.

Network extension mode is commonly used when corporate office devices, like VOIP phones or management stations, need to access remote office devices.

By default an ASA only supports a license for two WebVPN sessions- you need to purchase the appropriate license for the number of simultaneous WebVPN sessions you'll need to support.

Use revert webvpn customization command to remove a specified imported customization profile.

Use the revert webvpn url-list command to remove a specified url-list in case of SSL vpn.

A group or user cannot be associated with more than one list of smart tunnel applications.

Anyconnect supports split tunneling. The default policy is that all traffic, except for DHCP and ARP messages, must be transported across the tunnel. As an administrator of the WebVPN server, you define the split tunneling policy on a per-group or per-user basis.

If you'll be using certificates, both the user and the ASA will need certificates form the CA that can generate SSL identity certificates. The ASA itself can be a CA for SSL certificates.

If the two interfaces of the appliance are not connected to two different switches and the switches are not directly connected together, then you can use the same VLAN number for the interfaces of the appliance between the two switches.

Make sure you aren't creating any layer 2 loops when using transparent mode.

When setting up transparent mode, only two interfaces, physical and/or vlan can be used. The devices on the two sides must be in different broadcast domains, like VLANs but they must be on the same subnet.

When switching from routed to transparent mode, you are not prompted to continue the process- the appliance immediately executes the command, your configuration is erased, and you're in transparent mode. So first backup the configuration before trying this.

Remember that when allowing non-IP traffic, you'll need to apply an ACL to both interfaces in order to allow traffic in both directions.

By default, an admin who has access to the admin context can switch to the system are unless restricting this. However non-admin contexts do not have access to system area.

When chaining contexts, a VLAN interface must be shared among the contexts. Basically, you're creating the illusion that a logical segment is interconnecting the contexts. Given this even though the same interface is being shared, each context will have to have different MAC address for that interface, making it appear that the shared interface really appears as multiple logical interfaces to each context that is chained.

A packet entering an interface without a context associated with it will be dropped.

You might assume that if each context has a unique IP address, the appliance would use the routing table to match up a packet to the correct context; however, this is not the case. Only MAC address and translation rules are used to match a packet to a context when interface is shared.

To switch back to single mode use the mode single command in the system area.

You can go into the context and associate a MAC address to the interface, but the mac

If the configuration file is located on an external server and the appliance boots up and can't reach the external server, the context configuration will not be loaded, and thus the context will fail. Therefore, it is recommended that the context configuration file should be placed in flash on the appliance itself

You cannot delete a context that has been flagged as the admin context. You first have to denote another context as the admin context, and then you can delete it.

If no interfaces were shared between contexts, the MAC addresses on the subinterfaces could be the same or different; however if an interface is shared between contexts, make sure you execute the mac-address auto command in the appliance system area.

Failover can occur if context fails(context based) or if the entire appliance fails (unit based)

HTTP connections in the conn table of the active unit are not by default replicated to the secondary unit. Cisco set this as the default since downloading a web page can involve many connections that typically are very short-lived. If most of your traffic is web-based, this can create a burden to replicate these changes. You have the option of enabling http connection replication, but typically this is not recommended. If failover occurs in the middle of someone opening a web page, the easiest way to fix the problem is to have users click their refresh button within their web browser application.

With few exceptions, all commands must be executed on the active appliance and are then replicated across a failover link to the standby ASA.

Creating a context and assigning the IP addresses to the data interfaces can be done at any time- before or after the configuration of failover.

The synchronization of the contexts themselves to the secondary is a great feature since this reduces the amount of configuration you'll have to do on the secondary asa.

Enabling scanning threat detection on the appliance will affect its CPU and memory usage since the appliance must build a database of devices and their connection characteristics, and then compare connections with the database. So if you enable this feature, you should carefully monitor it to ensure that the scanning threat detection feature doesn't overwhelm the appliance and causes the appliance to inadvertently drop legitimate packets.

If you enable threat statistics, the performance of the asa can suffer. Port statistics have the least impact on the asa, and host statistics has most impact.

TCP maps are only applicable for TCP connections; so make sure that the corresponding layer3/4 class map only contain TCP connections.

You can use the fragment command to control how many fragments make up a packet, the number of concurrent fragmented packets, and the period that the appliance must receive all the fragments for a given packet. The number of fragments the appliance will allow for a packet defaults to 24, where the number of concurrently fragmented packets can't exceed 200 and the timeout for reassembling fragments back to a complete packet is 5 sec.

If the asa is in multiple mode and the interface is shared between contexts, DHCP relay is unsupported. Also, DHCP relay is unnecessary if the asa is in transparent mode since the asa will forward broadcasts between interfaces by default.

Never use a time source from the internet to acquire your timing information, since no server will authenticate message on the internet, and there is a change you might receive a spoofed message. This can create denial of service attack when you are using certificates and/or corrupt your logging information. Always set up your own internal time source and enable NTPv3 authentication of the time messages. OS like UNIX can also be used.

Unlike most IOS devices, the security appliance lack NVRAM. On IOS devices, NVRAM is used to store the configuration file. Security appliances store their configuration file in flash.

You can create subdirectories in flash (mkdir), move around to different directories in flash (cd) and delete directories in flash (rmdir) and view text in flash (more). 

You can re-enable the password recovery by re-executing the service password-recovery command without no parameter.

All keys and passwords are automatically encrypted, unlike with CISCO IOS devices.

Cisco secure desktop (CSD) policies must be defined from ASDM - the CLI is unsupported.

You can't just copy the CSD image to flash and use it; you must also install it. CSD information is stored in the cache location in ASA flash. To view it, execute dir cache:/sdesktop

When using ASDM to access the system area, you must first log into the administrative context.