All About Cisco ASA 5500 firewalls
Technical Information about Cisco ASA 5500 Firewalls
If you want to learn how to configure any Cisco ASA 5500 model running software version 7.x or 8.x, you can download the Cisco ASA Firewall Fundamentals ebook.
Configuration Tutorial for all Cisco ASA Models 7.x and 8.x
Learn how to configure any Cisco ASA model with step-by-step explanations and plenty of practical configuration examples and network diagrams that help you visualize how the Cisco ASA works in different scenarios. You also get a free Cisco ASA 5505 configuration tutorial with several real-world examples to help you implement the smallest ASA 5505 model.
The second edition is packed with extra advanced concepts and features, so it benefits both novices and experts in network security. It also covers the newest Cisco ASA version, 8.3, which incorporates the complete redesign of the NAT mechanism.
EBOOK CONTENTS
- Getting Started with Cisco ASA Firewalls
- File Management
- Basic Firewall Configuration Steps
- Traffic Flow between Security Levels
- Configuring Network Address Translation (NAT, PAT, Static NAT, Port Redirection)
- Configuring DMZ Networks
- Configuring and Using Access Control Lists to enforce security rules
- Controlling Inbound and Outbound Traffic with ACLs
- Configuring VLANs and Subinterfaces
- IPsec VPNs (site-to-site VPN, remote access VPN, VPN client)
- Advanced configuration features such as AAA, Syslog, NTP
- Routing configuration on the ASA (static routes, RIP, OSPF, EIGRP)
- Modular Policy Framework configuration, connection limits, CSC, IPS, rate limiting etc.
- How to Configure Cisco Anyconnect WebVPN
Cisco ASA Firewall Introductory Description
A brief description of the ASA firewall
The Cisco ASA 5500 series is the descendant of the older Cisco PIX 500 series firewall, which was very successful in network security implementations. The ASA is not just a pure hardware firewall; it is a full-featured security appliance. By that we mean that the ASA hardware appliance, in addition to being a solid stateful network firewall, can also work as a content inspection engine, antivirus, antispam, IDS/IPS engine, VPN concentrator, SSL VPN gateway etc. Most of the extra functionality is provided by add-on service module cards (the AIP SSM for IPS and the CSC SSM for content security), while VPN termination is built into the base software. The Cisco ASA has one of the biggest market shares in the hardware firewall appliance market, together with Juniper Netscreen, Check Point, SonicWall, WatchGuard etc.
The ASA 5500 series comprises seven models, as we will see below.
Cisco ASA 5500 Models
- ASA 5505 Model: This is the smallest model, for SOHO use or small branch offices. It comes with either a Base License or a Security Plus License, which adds hardware and software enhancements. It is the only model that, instead of routed Layer 3 interfaces, has an 8-port Layer 2 switch; two of the switch ports support Power over Ethernet, so you can connect IP phones or other PoE devices. The total firewall throughput is 150 Mbps. This model replaces the older PIX 501 and PIX 506 models.
- ASA 5510 Model: This model is ideal for a small business as an Internet edge firewall. Like the 5505, it comes with a Base License or a Security Plus License. It is equipped with 5 x 10/100 ports (Base License) or 2 x 10/100/1000 plus 3 x 10/100 ports (Security Plus License). The total firewall throughput is 300 Mbps. This model usually replaces the older PIX 506 or PIX 515 models.
- ASA 5520 Model: Again an Internet edge model, for somewhat more traffic than a small business; it suits a small-to-medium enterprise. It offers 450 Mbps total firewall throughput and 280,000 maximum firewall connections, and has more memory than the previous two models (512 MB compared with 256 MB). It comes with integrated 4 x 10/100/1000 plus 1 x 10/100 network interfaces.
- ASA 5540 Model: Used in medium to large enterprises as an Internet edge firewall or for internal LAN segmentation. 650 Mbps firewall throughput with 400,000 maximum firewall connections. With its larger RAM (1 GB) it also supports far more site-to-site or remote access VPN peers (5,000 compared with 750 for the 5520). It comes with integrated 4 x 10/100/1000 plus 1 x 10/100 network interfaces.
- ASA 5550 Model: Used in large campus environments with high traffic, in large enterprises, or for ISP applications. It boasts 1.2 Gbps firewall throughput with 650,000 maximum firewall connections. From this model up there is no support for the add-on security services module (AIP SSM / CSC SSM) that gives the smaller models extra security features (IDS/IPS, content inspection etc.). Instead, it comes with integrated 8 x 10/100/1000 interfaces plus 4 x SFP gigabit optical ports for extra port density.
- ASA 5580-20 Model: Used in data center and large campus networks. With 5 Gbps firewall throughput it beats almost any other hardware firewall of its generation in performance. With add-on interface cards it supports several gigabit interfaces, either copper or fiber (8 gigabit ports in total). The 5580 is also the only model family that supports 2 x 10GE ports. It has 8 GB of RAM and supports 1 million maximum firewall connections.
- ASA 5580-40 Model: The same chassis as above but with even more performance: 10 Gbps firewall throughput, 2 million firewall connections, 12 GB of memory and more. This is the top of the line.
If you want to learn how to configure any Cisco ASA 5500 model, there is an excellent Cisco ASA configuration tutorial ebook which you can download instantly from the link above. This book also comes with a free Cisco ASA 5505 step-by-step configuration guide.
Cisco ASA 5505 differences from other models
Cisco ASA 5505 compared with the other models
The smallest model, the Cisco ASA 5505, has some hardware and license differences compared with the rest of the ASA appliance models. First, it is not rack-mountable. All other models are 1U or bigger and can be mounted in a rack.
The second important difference is that it has an 8-port 10/100 switch with 2 Power over Ethernet ports. Ethernet 0/0 is used by default to connect to the outside (Internet) zone, and the remaining ports (Ethernet 0/1 to 0/7) connect the internal LAN hosts.
The appliance ships with a factory default configuration that assigns IP addresses to the inside hosts from its built-in DHCP server, while the outside interface is configured to obtain its own address from the ISP via DHCP. Because the ports are Layer 2 switch ports, the firewall's routed interfaces are VLAN interfaces, and each switch port is assigned to a VLAN: by default Ethernet 0/0 belongs to VLAN 2 (outside) and Ethernet 0/1 to 0/7 belong to VLAN 1 (inside).
Another difference concerns the device license. The Base License restricts the number of internal hosts (10 or 50, depending on the user license) and allows only 3 VLANs (the third of which may only initiate traffic to one other VLAN). The Security Plus License allows unlimited internal hosts and up to 20 VLANs, and also enables 802.1Q trunk ports and stateless Active/Standby failover.
Firewall Security Appliance Modes of Operation
The default mode of operation is Layer 3 routed mode: every interface (or VLAN interface on the 5505) has its own IP address and the appliance routes between them, acting as the next hop for the hosts behind it. The second mode of operation is Layer 2 transparent mode. In this setup the appliance works as a "bump in the wire": the data interfaces have no IP addresses of their own, and we configure only two Layer 2 interfaces through which all traffic passes, so the firewall can be inserted into an existing subnet without readdressing it. A single management IP address in that subnet is still required for the appliance itself, and ACLs are still applied to control the traffic crossing the bridge. Switching between the two modes clears the running configuration, so plan the change.
We can also have multiple firewall contexts. A firewall context is a separate instance of a firewall (a virtual firewall) with its own interfaces, policies and administrators. By default, the models from the ASA 5520 upwards come with two security contexts, which means you can build two virtual firewalls on the same box; the ASA 5510 needs the Security Plus License for its two contexts, and the ASA 5505 does not support multiple context mode at all. If you need more contexts, an extra license must be purchased. Note that in multiple context mode on these software versions, VPN termination and dynamic routing protocols are not available.
Controlling Traffic with Access Control Lists (ACL)
How to apply traffic control on Cisco ASA Firewalls
The format of an extended ACL entry is as follows:
access-list [name] extended [permit | deny] [protocol] [source] [source port] [destination] [destination port]
Here [protocol] is tcp, udp, icmp or ip (meaning any protocol); each address is written as any, host A.B.C.D, or A.B.C.D SUBNET-MASK (a normal subnet mask, not an IOS-style wildcard mask); and each port is optional, e.g. eq 80.
Example:
access-list OUTSIDE_ACL extended permit tcp any host 100.100.100.1 eq 80
The example ACL above permits traffic from any source address to IP 100.100.100.1 on TCP port 80. (This means the host is a web server and we allow access from the Internet towards it.) Three things to keep in mind: entries are evaluated top-down and the first match wins; every ACL ends with an implicit deny, so anything not explicitly permitted is dropped; and the ACL does nothing until it is bound to an interface and direction with the access-group command. Also, before version 8.3 an ACL on the outside interface refers to the translated (public) address of the server, as above; from 8.3 onward ACLs always refer to the real (untranslated) address, so the same rule would name the server's private IP.
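As an added example (my own code, not from this page or from Cisco), here is a small Python parser and first-match evaluator for ACL lines in the syntax above, including the implicit deny at the end of every ACL. The sample configuration is constructed for the example; only the any / host / mask address forms and the eq port operator are handled, and the port-name table is a small assumed subset of the ASA's.

```python
"""Parse Cisco ASA extended ACL lines and evaluate packets against them.

Added example. Supports the subset used on this page: permit/deny, protocols
tcp/udp/icmp/ip, address specs `any`, `host A.B.C.D`, `A.B.C.D MASK`, and an
optional `eq <port>` after the source and/or destination. Entries are evaluated
top-down, first match wins, and an unmatched packet hits the implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed subset of the ASA's well-known port names (the real list is much longer).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53, "smtp": 25}


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (= any protocol)
    src: ipaddress.IPv4Network
    sport: Optional[int]             # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None = any destination port


def _addr(tok, i):
    """Parse one address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ASA extended ACLs use a normal subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _port(tok, i):
    """Parse an optional `eq <port>` at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    if i < len(tok) and tok[i] in ("lt", "gt", "neq", "range"):
        raise ValueError(f"port operator {tok[i]!r} not supported by this example")
    return None, i


def parse_acl(config_text):
    """Return {acl_name: [Ace, ...]} from `access-list ... extended ...` lines."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        name = tok[1]
        if tok[2] == "remark":                   # remarks carry no policy
            acls.setdefault(name, [])
            continue
        if tok[2] != "extended":
            raise ValueError(f"unsupported ACL form: {line}")
        action, proto = tok[3], tok[4]
        src, i = _addr(tok, 5)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        acls.setdefault(name, []).append(Ace(action, proto, src, sport, dst, dport))
    return acls


def evaluate(aces, proto, src_ip, dst_ip, dport=None, sport=None):
    """First-match evaluation; returns 'permit' or 'deny' (implicit deny if nothing matches)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Constructed sample ACL in the page's style (not a real configuration).
SAMPLE_CONFIG = """
access-list OUTSIDE_ACL remark Public web server
access-list OUTSIDE_ACL extended permit tcp any host 100.100.100.1 eq 80
access-list OUTSIDE_ACL extended permit tcp any host 100.100.100.1 eq https
access-list OUTSIDE_ACL extended permit udp any host 100.100.100.2 eq domain
access-list OUTSIDE_ACL extended deny ip any any
access-list DMZ_ACL extended permit ip 192.168.10.0 255.255.255.0 any
"""
ACLS = parse_acl(SAMPLE_CONFIG)

if __name__ == "__main__":
    for pkt in [("tcp", "8.8.8.8", "100.100.100.1", 80), ("tcp", "8.8.8.8", "100.100.100.1", 22)]:
        print(pkt, "->", evaluate(ACLS["OUTSIDE_ACL"], *pkt))
```

The DMZ_ACL entry shows the subnet-mask form and that a protocol of ip matches TCP and UDP alike; a host outside 192.168.10.0/24 falls through to the implicit deny even though the ACL has no explicit deny line.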
How to Configure SSH on Cisco ASA Firewall
Let's see how to enable SSH access to a Cisco ASA 5500 firewall.
Step 1: First, it is good practice to create a local administrator username and password (the values below are placeholders; use a strong password):
ciscoasa(config)#username ciscoadmin password adminpassword
Step 2: Then tell the ASA to authenticate SSH sessions against the local user database (the word console here is part of the command syntax, not a reference to the serial console). Keep your current session open until you have verified a login, because if no matching local user exists you will lock yourself out:
ciscoasa(config)#aaa authentication ssh console LOCAL
Step 3: Now generate the RSA key pair used by the SSH server. A 1024-bit modulus is shown here; prefer modulus 2048, which these software versions also accept, since 1024-bit RSA is no longer considered adequate:
ciscoasa(config)# crypto key generate rsa modulus 1024
Keypair generation process begin. Please wait...
ciscoasa(config)#
Step 4: Specify which hosts (address and subnet mask) are allowed to connect to the security appliance via SSH, and on which interface. Only these sources can reach the SSH server at all, so permitting SSH on the outside interface, as in the second line, should be limited to a single trusted management address:
ciscoasa(config)#ssh 10.1.1.1 255.255.255.255 inside
ciscoasa(config)#ssh 200.200.200.1 255.255.255.255 outside
That's it. Now you can connect to the ASA with SSH. Two further hardening steps worth taking: restrict the server to SSH version 2 with the ssh version 2 command, and set an idle timeout with the ssh timeout command.
Cisco ASA Connections and Translations
A connection is a state entry consisting of source IP/source port and destination IP/destination port (plus the protocol). For example, a connection in the firewall is an entry with source IP 10.1.1.1, source port 1025, destination IP 100.100.100.1 and destination port 80. This connection belongs to an internal PC accessing a public web server. Because the firewall is stateful, the return packets of an established connection are permitted by the connection entry itself and are not checked against the interface ACLs again.
A translation (xlate) is an entry mapping a real source IP (and, for PAT, port) to its translated, mapped IP. A translation entry results from a NAT rule configured on the firewall.
We can see connection entries with show conn and translation entries with show xlate. Both tables live in RAM and are lost on reboot; clear xlate tears down the translations and the connections that depend on them, which is why it is used after changing NAT rules.
You can find an excellent description about connections and translations on the Unofficial Cisco ASA Blog
Capturing Packets on Cisco ASA Firewall
ASA packet capture
Hello
I am trying to configure packet capture on an ASA 5520 for troubleshooting. I am under the impression that:
1. The captured data is stored in the RAM of the firewall. Is this correct?
2. If that is the case, won't the firewall run out of memory for normal traffic if I run the capture for some time?
3. How do I reserve the memory space for packet capture?
Can you help me with this?
Answer:
By default the ASA reserves only 512 KB for a capture and stops when it is filled, but you can increase this using the buffer option, i.e.
capture CAPTURE-NAME access-list CAPTURE-ACL interface outside buffer 20000
Or you can use a circular buffer to keep the capture running, i.e.
capture CAPTURE-NAME access-list CAPTURE-ACL interface outside buffer 20000 circular-buffer
Cisco ASA Configuration Management
ASA running-configuration and startup-configuration
The first one (running-config) is the current active configuration, which lives in RAM. Any command you execute on the appliance changes the running-config, and it takes effect the moment you press Enter.
The second one (startup-config) is the saved copy of the running configuration. When you execute write memory (equivalent to copy running-config startup-config), the running-config is written to flash and becomes the startup-config. Every write memory overwrites the startup-config with whatever changes you have made to the running-config. The startup-config is the one loaded when you reboot the appliance, so changes that were never saved are lost on reboot.
Command to display the running config: show running-config
Command to display the startup config: show startup-config
Examining the Status of a Cisco ASA Firewall Appliance
How to Monitor the Health of a Cisco ASA Firewall
- Examine RAM memory usage:
ciscoasa# show memory
The output of the command above shows the total, used and free memory of the device.
- Examine CPU usage:
ciscoasa# show cpu usage
The output of the command above shows the CPU utilization over the last 5 seconds, 1 minute and 5 minutes.
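As an added example (not from the page or from Cisco), the following Python script parses the output of the two commands and turns it into a health verdict, which is what you would run from a monitoring job over the collected CLI output. The two sample outputs are constructed in the format the ASA 8.x CLI prints, and the warning thresholds are assumptions to be tuned per deployment.

```python
"""Parse the ASA's `show memory` and `show cpu usage` output and flag problems.

Added example, not Cisco tooling. The sample outputs are constructed in the
ASA 8.x output format (the real outputs add a few more lines); the thresholds
are assumptions.
"""
import re

# Constructed samples in the ASA's output format.
SHOW_MEMORY = """\
Free memory:       371046528 bytes (69%)
Used memory:       165824384 bytes (31%)
-------------     ----------------
Total memory:      536870912 bytes (100%)
"""
SHOW_CPU_USAGE = "CPU utilization for 5 seconds = 84%; 1 minute: 31%; 5 minutes: 22%\n"


def parse_show_memory(text: str) -> dict:
    """Return {'free': bytes, 'used': bytes, 'total': bytes} from `show memory`."""
    found = {k.lower(): int(v) for k, v in
             re.findall(r"^(Free|Used|Total) memory:\s+(\d+) bytes", text, re.M)}
    if set(found) != {"free", "used", "total"}:
        raise ValueError("unexpected `show memory` output")
    return found


def parse_show_cpu_usage(text: str) -> dict:
    """Return {'5s': pct, '1m': pct, '5m': pct} from `show cpu usage`."""
    m = re.search(r"for 5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%", text)
    if not m:
        raise ValueError("unexpected `show cpu usage` output")
    return dict(zip(("5s", "1m", "5m"), map(int, m.groups())))


def health_warnings(mem: dict, cpu: dict, mem_warn_pct: int = 80, cpu_warn_pct: int = 70) -> list:
    """Return a list of warning strings; an empty list means healthy.

    Memory is judged on used/total. CPU is judged on the 1- and 5-minute
    averages only: the 5-second figure is a single sample that spikes on
    every `show` command or burst of new connections and is not actionable
    by itself (assumed threshold policy).
    """
    warnings = []
    used_pct = 100 * mem["used"] // mem["total"]
    if used_pct >= mem_warn_pct:
        warnings.append(f"memory {used_pct}% used (>= {mem_warn_pct}%)")
    for window in ("1m", "5m"):
        if cpu[window] >= cpu_warn_pct:
            warnings.append(f"cpu {cpu[window]}% over {window} (>= {cpu_warn_pct}%)")
    return warnings


if __name__ == "__main__":
    mem, cpu = parse_show_memory(SHOW_MEMORY), parse_show_cpu_usage(SHOW_CPU_USAGE)
    print(mem, cpu, health_warnings(mem, cpu) or "healthy")
```

The sample deliberately shows an 84% five-second reading next to a 31% one-minute average: a single high sample is normal right after running show commands, and alerting on it produces noise.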
Cisco ASA VPN
ASA VPN Options - Remote Access or Lan-to-Lan
- IPsec LAN-to-LAN VPN: This is the most common VPN type. With this VPN technology we can connect distant offices with a central office over the Internet. It is a cheap and proven connectivity method which is widely used in enterprises. As the name implies, we connect our Local Area Networks with other company LANs over a secure IPsec tunnel.
- IPsec Remote Access client VPN: This type is used for remote teleworkers and single-person offices. A software VPN client is installed on the remote user's PC. The software VPN client connects securely to a central ASA firewall, thus providing full network access to the teleworker.
- Web VPN (SSL VPN): This is relatively new technology at the time of writing. The ASA firewall acts as a secure SSL web server. The remote user only needs a browser with SSL encryption (HTTPS) to connect to the central office ASA Web VPN appliance; the clientless portal gives access to web applications, while the AnyConnect client listed in the ebook contents above provides full tunnel access over SSL.
Cisco ASA Security Levels and Traffic Flow
Traffic Flow between different security levels

Cisco ASA Security Levels
The Security Level is assigned to interfaces (either physical or logical sub-interfaces) and it is basically a number from 0 to 100 designating how trusted an interface is relative to another interface on the appliance. The higher the security level, the more trusted the interface (and hence the network connected behind it) is considered to be, relative to another interface. Since each firewall interface represents a specific network (or security zone), by using security levels we can assign 'trust levels' to our security zones. The primary rule for security levels is that an interface (or zone) with a higher security level can access an interface with a lower security level. On the other hand, an interface with a lower security level cannot access an interface with a higher security level, without the explicit permission of a security rule (Access Control List - ACL).
Traffic Flow Between Security Levels
- Traffic from a higher security level to a lower security level: ALL traffic originating from the higher security level is allowed unless specifically restricted by an ACL. Note that as soon as you bind an ACL inbound on the higher-security interface, that interface's implicit permit is replaced by the ACL's implicit deny, so the ACL must explicitly permit everything you still want to pass. Before version 8.3, if nat-control is enabled on the device there must also be a nat/global translation pair between the two interfaces (nat-control and the nat/global syntax were removed in 8.3).
- Traffic from a lower security level to a higher security level: ALL traffic is dropped unless specifically allowed by an ACL bound to the lower-security interface. Before version 8.3, if nat-control is enabled there must also be a static NAT for the higher-security host being reached. Return traffic of connections that were initiated from the higher side is allowed by the connection table and needs no ACL.
- Traffic between interfaces with the same security level: Not allowed by default, unless you configure the same-security-traffic permit inter-interface command (available since ASA version 7.2). The related same-security-traffic permit intra-interface command allows traffic to enter and leave through the same interface (hairpinning), which hub-and-spoke VPN designs need.
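To make the rules above concrete, and to tie them to the connection and translation tables described in the "Cisco ASA Connections and Translations" section, here is an added Python model of the forwarding decision (my own code, not Cisco's). It applies the security-level rules to new connections, lets an inbound ACL on the ingress interface override them, honours same-security-traffic permit inter-interface, creates conn and PAT xlate entries, and permits the return traffic of an established connection from the conn table alone. nat-control (pre-8.3) is not modelled. The interface names, the PAT address 100.100.100.10, the Internet web server 100.100.100.1 and the DMZ web server 192.168.10.1 are assumptions; the ACL uses the real address of the DMZ server (8.3-style semantics).

```python
"""Toy model of the ASA's default forwarding decision (added example, not Cisco code).

Interfaces carry security levels; an inbound ACL may be bound to an interface;
`same-security-traffic permit inter-interface` is a boolean; `conns` is what
`show conn` lists and `xlate` is what `show xlate` lists. Return traffic of an
established connection is permitted by its conn entry, never by an ACL.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str, int]          # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass
class Asa:
    levels: Dict[str, int]                                                   # interface -> security level
    acls: Dict[str, Callable[[Flow], bool]] = field(default_factory=dict)    # interface -> inbound ACL
    same_security_inter: bool = False          # same-security-traffic permit inter-interface
    pat_ip: str = "100.100.100.10"             # assumed PAT address on "outside"
    conns: Set[Tuple[str, str, Flow]] = field(default_factory=set)          # (ingress, egress, flow)
    xlate: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)  # real -> mapped
    _next_port: int = 1024

    def _untranslate(self, ip: str, port: int) -> Tuple[str, int]:
        """Map a PAT address:port back to the real host if an xlate exists."""
        for real, mapped in self.xlate.items():
            if mapped == (ip, port):
                return real
        return ip, port

    def forward(self, ingress: str, egress: str, flow: Flow) -> str:
        proto, src, sport, dst, dport = flow
        # 1. Reply to an existing connection? Undo PAT, then look up the original flow.
        real_dst, real_dport = self._untranslate(dst, dport)
        original = (proto, real_dst, real_dport, src, sport)
        if (egress, ingress, original) in self.conns:
            return "permit: established connection"
        # 2. New connection. An inbound ACL on the ingress interface decides (with an
        #    implicit deny at its end); without one, the security levels decide.
        if ingress in self.acls:
            if not self.acls[ingress](flow):
                return "deny: acl"
        else:
            lin, lout = self.levels[ingress], self.levels[egress]
            if lin < lout:
                return "deny: lower to higher security level without ACL"
            if lin == lout and not self.same_security_inter:
                return "deny: same security level, inter-interface traffic not permitted"
        # 3. Create state: a conn entry, plus a PAT xlate when leaving towards "outside".
        if egress == "outside" and (src, sport) not in self.xlate:
            self.xlate[(src, sport)] = (self.pat_ip, self._next_port)
            self._next_port += 1
        self.conns.add((ingress, egress, flow))
        return "permit: new connection"

    def show_conn(self) -> List[str]:
        """Simplified `show conn` (the real output also shows idle time, bytes and flags)."""
        return [f"{p.upper()} {eg} {d}:{dp} {ing} {s}:{sp}"
                for ing, eg, (p, s, sp, d, dp) in sorted(self.conns)]

    def show_xlate(self) -> List[str]:
        """Simplified `show xlate` for PAT entries."""
        return [f"PAT Global {mip}({mp}) Local {rip}({rp})"
                for (rip, rp), (mip, mp) in sorted(self.xlate.items())]


def demo() -> Asa:
    """Three zones: inside (100), dmz (50), outside (0). The outside ACL permits only
    HTTP to the assumed DMZ web server 192.168.10.1 (real address, 8.3-style)."""
    return Asa(levels={"inside": 100, "dmz": 50, "outside": 0},
               acls={"outside": lambda f: f[0] == "tcp" and f[3] == "192.168.10.1" and f[4] == 80})


if __name__ == "__main__":
    asa = demo()
    print(asa.forward("inside", "outside", ("tcp", "10.1.1.5", 1025, "100.100.100.1", 80)))
    print(asa.forward("outside", "inside", ("tcp", "100.100.100.1", 80, asa.pat_ip, 1024)))
    print(asa.forward("dmz", "inside", ("tcp", "192.168.10.1", 5000, "10.1.1.5", 22)))
    print("\n".join(asa.show_conn() + asa.show_xlate()))
```

The second call in the demo is the web server's reply arriving on the outside interface addressed to the PAT address: it is a lower-to-higher packet with no ACL permitting it, yet it passes, because the first call left a conn entry and an xlate behind. The third call shows that the DMZ, although "inside" the perimeter, still cannot initiate connections to the inside network.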
Cisco ASA 5505 Now Supports IPS with AIP SSC
AIP SSC (Security Services Card) for ASA 5505 offers IPS functionality

With software version 8.2 (released in mid-April 2009), the Cisco ASA 5505 firewall now supports an Advanced Inspection and Protection Security Services Card (AIP SSC-5), which offers Intrusion Prevention (IPS) functionality. The SSC-5 card delivers up to 75 Mbps of IPS throughput, and its IPS software is the same code base used by the AIP SSM modules of the larger models. As with the other IPS modules, the SSC-5 can run in either inline mode or promiscuous mode. In inline mode the card sits directly in the traffic path, so it can drop malicious packets rather than only alerting on them; in promiscuous mode it receives a copy of the traffic and can detect but not drop the packet itself.
Cisco ASA and DNSSEC
Will DNSSEC work through Cisco ASA?
DNSSEC secures the DNS protocol by digitally signing DNS records, so that resolvers can detect spoofed or poisoned answers. Classic DNS (RFC 1035) limits a UDP message to 512 bytes, and the Cisco ASA's DNS inspection therefore drops any DNS message larger than 512 bytes by default. Signed answers carry additional RRSIG and DNSKEY records and routinely exceed 512 bytes; resolvers use the EDNS0 extension to advertise that they accept larger UDP messages (commonly 4096 bytes). With the DNS root zone being signed in mid-2010 and DNSSEC being deployed more widely, you need to adjust the ASA's DNS inspection policy accordingly by raising the maximum DNS message length as follows:
The following is the default configuration:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
The following configuration raises the limit to 1024 bytes. Pick the value according to your needs: 1024 is still smaller than many DNSKEY responses, so matching the EDNS0 buffer size your resolvers advertise (usually 4096) is a common choice. This only lifts the size check; the rest of the DNS inspection stays active.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
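To show why the 512-byte limit conflicts with DNSSEC, here is an added Python example (my own code, not from the page or from Cisco; standard library only, no network access). It builds a resolver-style query with an EDNS0 OPT record advertising a 4096-byte UDP payload and the DO (DNSSEC OK) bit, parses the OPT record back out, and computes the largest UDP answer that can actually reach the client once the ASA's message-length maximum is applied on the path. The query ID and names are constructed values.

```python
"""Build and parse an EDNS0 DNS query and apply the ASA's DNS message-length limit.

Added example. The OPT pseudo-RR (RFC 6891) carries the requestor's UDP
payload size in the CLASS field and the DO bit in the top bit of the TTL
field. DNS inspection with `message-length maximum N` drops, rather than
truncates, any DNS message larger than N bytes.
"""
import struct

TYPE_OPT, TYPE_DNSKEY, CLASS_IN = 41, 48, 1


def build_query(qname: str, qtype: int = TYPE_DNSKEY, edns: bool = True,
                udp_payload: int = 4096, do_bit: bool = True) -> bytes:
    """Return a wire-format DNS query (constructed sample; the ID is fixed)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD=1, QD=1, AR=0/1
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + name + struct.pack("!HH", qtype, CLASS_IN)
    if edns:
        # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/flags, empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0x8000 if do_bit else 0, 0)
    return msg


def _read_name(msg: bytes, off: int):
    """Parse a (possibly compressed) domain name; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                   # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            if tail != ".":
                labels.append(tail)
            return ".".join(labels) or ".", off + 2
        off += 1
        if ln == 0:
            return ".".join(labels) or ".", off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_edns(msg: bytes):
    """Return {'udp_payload': n, 'do': bool} from the OPT record, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                                 # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = _read_name(msg, off)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return {"udp_payload": rclass, "do": bool(rttl & 0x8000)}
    return None


def effective_response_limit(query: bytes, message_length_maximum: int = 512) -> int:
    """Largest UDP answer that reaches the client: the size the resolver advertised
    (512 bytes without EDNS0, per RFC 1035) clamped by the ASA's inspection maximum.
    A larger signed answer is dropped by the firewall, so the client only sees a timeout."""
    edns = parse_edns(query)
    advertised = edns["udp_payload"] if edns else 512
    return min(advertised, message_length_maximum)


if __name__ == "__main__":
    q = build_query(".", TYPE_DNSKEY)                            # root DNSKEY query, as a validator sends
    print(parse_edns(q), "limit with default 512:", effective_response_limit(q),
          "with 4096:", effective_response_limit(q, 4096))
```

The useful check is effective_response_limit: whatever the resolver advertises, the ASA's default clamps it back to 512 bytes, which is exactly the pre-EDNS0 limit DNSSEC was designed to outgrow. Raising message-length maximum to the advertised size removes the clamp.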
Reader Feedback
I appreciate your feedback on my Cisco ASA lens. Thanks for commenting.

HomeNetworkSetup, Nov 2, 2011 @ 8:33 am
waqastariq, I'm talking about a module which can be inserted in the ASA 5505 firewall and work as an IPS module inside the firewall device.

waqastariq, Nov 2, 2011 @ 5:43 am
Nice and thorough information, thank you. Some questions though: is this the Cisco ASA 5500 (IPS) you wrote about? If yes, then how does it compare with the ASA 5505? I just contacted my network installation people and they are offering me both at very cheap rates, and the difference between the two with regard to pricing is not much, and I'm confused which one to get :s

Sequoia-Technology, Aug 16, 2011 @ 7:53 am
Great lens with lots of good information. I have picked up a few things from this lens. Thanks.
About the author (HomeNetworkSetup)
Hello world. My name is Harris Andrea and I'm currently working as a Senior Network Engineer at a leading Internet Service Provider in Europe.