Enhanced Interior Gateway Routing Protocol (EIGRP)

The Security Appliance OS Software Version 8.0 introduces support for the Enhanced Interior Gateway Routing Protocol (EIGRP). EIGRP is a Cisco proprietary routing protocol and is available on Cisco devices only. EIGRP on the Security Appliance is supported in single mode only; it is not supported in multicontext mode.

Note

Firewall OS supports only one EIGRP routing process on the Security Appliance.

The Security Appliance can be configured as an EIGRP stub router, which helps enhance performance by decreasing memory and processing requirements on the Security Appliance. A firewall configured as an EIGRP stub does not need to maintain a complete EIGRP routing table, because it forwards all nonlocal traffic to a distribution router. The distribution router sends a default route to the stub router/firewall. On some occasions, only specific routes are advertised from the stub router to the distribution router. When the Security Appliance is configured as a stub router, it sends a peer information packet to all neighboring routers to report its status as a stub router. Neighbors receiving this packet will not query the stub for routes. The stub depends on the distribution router to send the proper updates to all peers.

Configuring RIP

Unlike IOS, RIP is enabled differently on the Security Appliance. To enable RIP on the Security Appliance for an interface, use the rip command from the global configuration mode. There is no router rip command on the Security Appliance. Both RIP modes (passive and default) can be enabled on an interface by using the rip command.

Example 6-13 shows how to configure passive RIP with simple password authentication and MD5 authentication on the inside and outside interfaces. Example 6-13 also shows how to propagate a default route on the inside interface, indicating that the Security Appliance will be the default gateway for the downstream devices. A default route is rarely (in most cases never) advertised out on the outside interface, because in typical network designs the Security Appliance is not the default gateway for the upstream device.

Example 6-13. Configuring RIP

! Enabling RIPv2 with Simple Password Authentication
hostname(config)# rip outside passive version 2 authentication text cisco 1
hostname(config)# rip inside passive version 2 authentication text cisco 1
hostname(config)# rip inside default version 2 authentication text cisco 1
! Enabling RIPv2 with MD5 Authentication
hostname(config)# rip outside passive version 2 authentication md5 cisco 1
hostname(config)# rip inside passive version 2 authentication md5 cisco 1
hostname(config)# rip inside default version 2 authentication md5 cisco 1

Routing Information Protocol (RIP)

The Routing Information Protocol, or RIP as it is more commonly called, is one of the most enduring of all routing protocols. RIP was defined in RFC 1058 and Internet Standard (STD) 56. Later, the IETF (Internet Engineering Task Force) updated RIP with the release of a revised RFC 1388 in January 1993. RFC 1388 was then superseded in November 1994 by RFC 1723, which describes RIPv2 (the second version of RIP). These RFCs did not attempt to make the previous version of RIP obsolete, but proposed extensions and enhancements to the RIP capabilities. RIPv2 enabled RIP messages to carry more information and scale further with more features, such as multicast support and a next-hop router address. RIPv2 also carries an authentication mechanism; its most important function, however, is support for subnet masks, a critical feature that was not available in RIPv1. RIP is a dynamic, distance-vector routing protocol that uses UDP as the transport protocol. RIP packets are transmitted on UDP port 520 for route updates.

The Security Appliance supports both the RIPv1 and RIPv2 protocols. Using RIP has advantages over using static routes, because the initial configuration for RIP is simple and does not require updating the configuration when the topology changes. The downside to RIP (or any other dynamic protocol) is that there is more network and processing overhead than with static routing.

By default, the Security Appliance sends RIPv1 updates and accepts RIPv1 and RIPv2 updates. Redistribution of routes from other routing processes into RIP is supported in Firewall OS Version 7.2 and later. Prior to this, RIP and OSPF were not supported on the same device.

Monitoring OSPF

Several useful show commands are available for displaying general information and other OSPF-related information, such as neighbor adjacency status, interface parameters, virtual-link status, and border routers. The following list includes some of the common OSPF show commands used:

show ospf [process-id [area-id]]: Displays general information about OSPF routing processes.

show ospf interface [if_name]: Displays OSPF-related interface information.

show ospf neighbor [interface-name] [neighbor-id] [detail]: Displays OSPF neighbor adjacency information on a per-interface basis.

show ospf [process-id] virtual-links: Displays OSPF-related virtual link information.

show ospf border-routers: Displays the internal OSPF routing table entries to the Area Border Router (ABR) and Autonomous System Boundary Router (ASBR).

show ospf [process-id [area-id]] database: Displays lists of information related to the OSPF database for a specific device.

show ospf [process-id] summary-address: Displays a list of all summary address redistribution information configured under an OSPF process.

Securing OSPF

Securing OSPF networks provides protection not only from malicious attacks, but also from accidental misconfigurations. The open nature of OSPF dictates that any router with matching configuration parameters (network mask, hello interval, dead interval, and the like) can participate in a given OSPF network. Because of this default behavior, any number of accidental factors (misconfigurations, lab machines, test setups, and so on) have the potential to adversely affect routing in an OSPF environment. Authentication provides password-based protection against unauthorized access to an area. The Security Appliance supports OSPF authentication to secure route exchange between the devices. OSPF supports two types of authentication: simple password (clear-text) and the MD5 authentication mechanism. The Security Appliance supports both. Because the simple password is carried in clear text in every OSPF packet, it only guards against accidental participation; MD5 authentication is the choice where the link can be observed.

Example 6-11 shows how to configure areawide OSPF authentication on the Security Appliance.

Example 6-11. Configuring Area-Based OSPF Authentication

hostname(config)# router ospf 1
! Enabling area-wide Simple (clear-text) authentication
hostname(config-router)# area 0 authentication
! Enabling area-wide MD5 authentication
hostname(config-router)# area 0 authentication message-digest
! Configure OSPF key on the interface
hostname(config-router)# interface inside
! Configuring Simple password authentication key
hostname(config-interface)# ospf authentication-key cisco
! Configuring MD5 authentication key
hostname(config-interface)# ospf message-digest-key 1 md5 cisco

Alternatively, authentication can be enabled specifically on a link basis (per-interface) and not areawide. This means that both sides of the link on the connected devices must be configured similarly. Example 6-12 shows how to configure interface-based OSPF authentication on the Security Appliance.

Example 6-12. Configuring Interface-Based OSPF Authentication

hostname(config-router)# interface inside
! Configuring Simple password authentication and key
hostname(config-interface)# ospf authentication
hostname(config-interface)# ospf authentication-key cisco
! Configuring MD5 authentication and key
hostname(config-interface)# ospf authentication message-digest
hostname(config-interface)# ospf message-digest-key 1 md5 cisco

Configuring OSPF

As per the Figure 6-9 network diagram, OSPF can be configured on the inside and outside interfaces.

Note

RIP and OSPF on the same firewall appliance was not supported in version 7.0 or prior. However, multiprotocol operation is now fully supported from v7.2 and later, as illustrated in Figure 6-9.

Example 6-8 shows how to enable two separate OSPF processes with mutual two-way redistribution to allow devices on both sides of the Security Appliance to learn networks from each other.

Example 6-8. Configuring Two OSPF Processes (for Inside and Outside Interfaces) with Two-Way Redistribution

hostname(config)# router ospf 1
hostname(config-router)# network 10.1.1.0 255.255.255.0 area 0
hostname(config-router)# redistribute ospf 2 metric 1 subnets
hostname(config)# router ospf 2
hostname(config-router)# network 10.1.2.0 255.255.255.0 area 0
hostname(config-router)# redistribute ospf 1 metric 1 subnets

Several interface-specific OSPF parameters can be configured as deemed necessary, including OSPF hello or dead intervals, OSPF priority, and authentication keys. Example 6-9 shows some of the OSPF parameters that can be enabled under the interface.

Example 6-9. Configuring OSPF Interface-Specific Parameters

hostname(config-router)# interface inside
hostname(config-interface)# ospf cost 10
hostname(config-interface)# ospf retransmit-interval 10
hostname(config-interface)# ospf transmit-delay 5
hostname(config-interface)# ospf priority 255
hostname(config-interface)# ospf hello-interval 5
hostname(config-interface)# ospf dead-interval 20
hostname(config-interface)# ospf authentication-key cisco
hostname(config-interface)# ospf message-digest-key 1 md5 cisco
hostname(config-interface)# ospf authentication message-digest

Several OSPF parameters can be configured under the area that will affect the entire OSPF domain/area. Examples include authentication, route summarization, route filtering, and defining stub areas. Example 6-10 shows some of the OSPF parameters that can be enabled areawide.

Example 6-10. Examples of Areawide OSPF Parameters

hostname(config)# router ospf 1
hostname(config-router)# area 1 default-cost 10
hostname(config-router)# area 1 stub
hostname(config-router)# area 1 stub no-summary
hostname(config-router)# area 0 range 10.1.1.0 255.255.255.0
hostname(config-router)# area 0 filter-list prefix mylist in

Open Shortest Path First (OSPF)

Dynamic routing occurs when devices communicate with neighboring devices, informing each other of the reachability of networks. These devices communicate using a routing protocol such as OSPF to exchange route information. Unlike static routing, the routing information populated into the routing tables is added and deleted dynamically by a dynamic routing protocol as routes change over time.

OSPF is an Interior Gateway Protocol (IGP) that distributes routing information between devices. OSPF is used over IP, and OSPF packets are transmitted in an IP data packet with the protocol field in the IP header set to 89. OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. The algorithm used to calculate the shortest path is called the Dijkstra algorithm (named after its inventor Edsger W. Dijkstra).

The Security Appliance supports the OSPF routing protocol in a manner similar to IOS. The Security Appliance can run up to two OSPF processes simultaneously, for different sets of interfaces. By default, the two processes will not exchange information unless route redistribution is configured explicitly. The two processes are isolated, as in two separate routing instances in the same device. There are several reasons to have two OSPF processes on the Security Appliance. For example, two processes on the Security Appliance are useful if the Security Appliance has interfaces that use the same IP addresses. (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses.) Or, in most cases, a separate OSPF process is enabled on the inside and the outside interfaces (as shown in Figure 6-9), to give you the ability to control route propagation by redistributing a subset of routes between the two processes. Similarly, there could be a requirement to segregate private addresses from public addresses, making two processes necessary.

Figure 6-9. IP Routing Protocols on Security Appliance

The cost (also called metric) of an interface in OSPF is inversely proportional to the bandwidth of that interface. A higher bandwidth indicates a lower cost, and a lower-cost path is the preferred route. The formula used to calculate the OSPF cost is

OSPF Cost = 100,000,000 ÷ bandwidth (in bps)

As shown in Figure 6-9, redistribution between the two OSPF processes is supported. Static and connected routes on the Security Appliance can also be redistributed into the OSPF process, but they must be configured on OSPF-enabled interfaces.

Equal Cost Multiple Path (ECMP) Forwarding

For load balancing, the Security Appliance offers ECMP, which supports up to three equal-cost routes to the same destination per interface. Based on an algorithm that hashes the source and destination IP addresses, the Security Appliance load balances the traffic among the defined gateways. Note that this does not guarantee distributing traffic equally among the gateways.

Example 6-6 shows three equal-cost static routes for destination network 10.1.1.0/24, forwarding traffic to three different gateways on the outside interface.

Example 6-6. Configuring ECMP (Equal Cost Multiple Path) Static Routes

hostname(config)# route outside 10.1.1.0 255.255.255.0 209.165.201.1
hostname(config)# route outside 10.1.1.0 255.255.255.0 209.165.201.2
hostname(config)# route outside 10.1.1.0 255.255.255.0 209.165.201.3

Similarly, up to three equal-cost default routes can be defined per device. Example 6-7 shows three equal-cost default routes, forwarding traffic to three different gateways on the outside interface.

Example 6-7. Configuring ECMP (Equal Cost Multiple Path) Default Routes

hostname(config)# route outside 0.0.0.0 0.0.0.0 209.165.201.1
hostname(config)# route outside 0.0.0.0 0.0.0.0 209.165.201.2
hostname(config)# route outside 0.0.0.0 0.0.0.0 209.165.201.3

Note

ECMP is not supported across multiple interfaces.

Static Route Tracking

Software Version 8.0 introduces another unique feature called Static Route Tracking. This feature supports the capability to track the status of the next-hop IP address in the static route. Prior to this feature, there was no inherent mechanism to determine whether the route was up or down, and routes remained in the routing table even if the next-hop gateway became unavailable. The only exception was that if the associated interface on the firewall went down, the routes were removed from the routing table.

The static route tracking feature provides the capability to install backup routes dynamically when the primary route fails.

This feature is also useful to define multiple default routes. An example is defining a primary default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable. Static route tracking can also be enabled for static or default routes obtained through Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE).

This feature works by associating a static route with a predefined monitoring target. The Security Appliance monitors the target by using Internet Control Message Protocol (ICMP) echo request packets. If an ICMP echo-reply message is not received within a specified period, the object is considered down, and the associated static route is removed from the routing table. The backup route is installed dynamically and used in place of the removed route.

The Security Appliance can be configured to use one of the following objects as the monitoring target:

ISP gateway address

Next-hop gateway address

Specific server on the target network, such as a AAA server or the web server

Any persistent network object on the destination network

Note

For more details on static route tracking, refer to the following Cisco documentation URL:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1090243.
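The failover logic described above, as an added example that is not Cisco code: a tracked primary default route is withdrawn once no echo-reply has arrived within the timeout, a floating backup default route to a second ISP takes its place, and the primary is reinstated when the target answers again. No packets are sent; probe outcomes are constructed booleans, and the gateway addresses, administrative distances and the 15-second timeout are assumptions.

```python
"""Simulation of static route tracking with a backup default route (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str    # "0.0.0.0/0" is the default route
    gateway: str   # next-hop IP address
    distance: int  # administrative distance; lower is preferred


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def install(self, route: Route) -> None:
        if route not in self.routes:
            self.routes.append(route)

    def withdraw(self, route: Route) -> None:
        if route in self.routes:
            self.routes.remove(route)

    def best(self, prefix: str) -> Optional[Route]:
        """Lowest administrative distance among the routes for this prefix."""
        candidates = [r for r in self.routes if r.prefix == prefix]
        return min(candidates, key=lambda r: r.distance) if candidates else None


class TrackedRoute:
    """A static route whose monitoring target is probed with ICMP echo requests."""

    def __init__(self, table: RoutingTable, primary: Route, backup: Route, timeout: int) -> None:
        self.table = table
        self.primary = primary
        self.backup = backup
        self.timeout = timeout   # seconds without an echo-reply before the target is down
        self.last_reply = 0      # time of the most recent echo-reply
        self.target_up = True
        table.install(primary)   # the tracked route starts out installed

    def probe_result(self, now: int, replied: bool) -> None:
        """Feed one probe outcome: replied is True if an echo-reply arrived at time now."""
        if replied:
            self.last_reply = now
            if not self.target_up:   # target recovered: reinstate primary, pull backup
                self.target_up = True
                self.table.install(self.primary)
                self.table.withdraw(self.backup)
        elif self.target_up and now - self.last_reply >= self.timeout:
            # no reply within the timeout: declare the target down and fail over
            self.target_up = False
            self.table.withdraw(self.primary)
            self.table.install(self.backup)


def simulate(probes: List[Tuple[int, bool]], timeout: int = 15) -> List[Tuple[int, str]]:
    """Run a probe timeline; return (time, active default gateway) after each probe."""
    table = RoutingTable()
    primary = Route("0.0.0.0/0", "209.165.201.1", 1)    # primary ISP, tracked (assumed)
    backup = Route("0.0.0.0/0", "209.165.201.2", 254)   # secondary ISP, floating backup (assumed)
    tracked = TrackedRoute(table, primary, backup, timeout)
    timeline = []
    for now, replied in probes:
        tracked.probe_result(now, replied)
        timeline.append((now, table.best("0.0.0.0/0").gateway))
    return timeline


# Constructed probe outcomes: replies every 5 s, then four misses, then recovery.
CONSTRUCTED_PROBES = [(0, True), (5, True), (10, False), (15, False),
                      (20, False), (25, False), (30, True), (35, True)]

if __name__ == "__main__":
    for t, gw in simulate(CONSTRUCTED_PROBES):
        print(f"t={t:>2}s default gateway {gw}")
```

With the constructed timeline the primary gateway stays installed through the first two misses (less than 15 seconds since the last reply), fails over to 209.165.201.2 at t=20, and returns to 209.165.201.1 as soon as a reply is seen at t=30.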

Default Route

To avoid the need to use static route entries for every possible destination network, a default route identifies the default gateway address for forwarding packets to destination network(s) not explicitly found in the routing table. Default routes are put to best use in topologies where learning all or more specific networks is not desirable, as in the case of stub networks, or networks with only a single link connecting to the external network (or Internet). A default route is simply a static route (with a destination address/mask pair of 0.0.0.0/0) that is configured using the same route command used to define static routes and is usually pointed toward the external network on the outside interface.

The Security Appliance has the capability to define a separate default route for encrypted traffic along with the standard default route. Use the tunneled option in a default route statement to define a separate gateway address for forwarding all encrypted traffic. The tunneled option does not support multiple equal-cost path routes. Example 6-5 shows a Security Appliance configured with two default routes, one for the non-encrypted traffic and another for encrypted traffic. Non-encrypted traffic for which there is no static or dynamically learned route is forwarded to gateway 209.165.201.1. Encrypted traffic for which there is no static or dynamically learned route is forwarded to gateway 209.165.201.2.

Example 6-5. Configuring Separate Default Routes for Encrypted and Non-Encrypted Traffic

hostname(config)# route outside 0.0.0.0 0.0.0.0 209.165.201.1
hostname(config)# route outside 0.0.0.0 0.0.0.0 209.165.201.2 tunneled

Figure 6-8 shows an example of configuring a static and a default route. A default route is configured to send all traffic to the upstream device on the outside interface. Network A and Network B are nonconnected networks; hence, two static routes are created that send traffic destined for Network A (172.16.1.0/24) to the downstream router (10.1.1.2) that is connected to the inside interface, and for Network B (192.168.1.0/24) to the downstream router (10.1.2.2) connected to the DMZ interface.

Figure 6-8. Configuring a Static and Default Route

Static Route

As the name implies, a static route provides IP routing information to the Security Appliance without the need for a dynamic routing protocol. A static route has a higher priority than any dynamic routing protocol and is always the preferred alternative to forward traffic to the desired destination. The default administrative distance for a static route is 1, giving it priority over other routes discovered by dynamic routing protocols, but not over directly connected routes. Connected routes always take priority over static or dynamically discovered routes. In the event of multiple entries matching a specified destination address, the longest match is preferred. The longest match is the entry with the highest number of 1 bits in its routing mask.

Configure static routes using the route command from the global configuration mode to forward traffic for a specified nonconnected destination network. One disadvantage of a static route is that the route entry will always remain in the routing table, even if the specified gateway becomes unavailable. This is because no mechanism exists for the Security Appliance to determine that the gateway address is not reachable. (This behavior is prevented when using a dynamic routing protocol.) If the specified gateway becomes unavailable, static routes need to be manually removed. However, static routes are removed automatically from the routing table if the specified physical interface goes down, and they are reinstated when the interface comes back up.
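The lookup order described in this section and the ECMP forwarding described earlier, as one added example that is not Cisco code: among entries matching a destination, the longest mask wins; among those, the lowest administrative distance wins (connected 0, static 1, OSPF 110); and up to three equal-cost routes on one interface form an ECMP set from which a hash of the source and destination addresses picks the gateway. The SHA-256 based hash is an assumption standing in for the appliance's own (undocumented here) algorithm; the static routes and gateways are taken from the chapter's examples, and the OSPF-learned entries and the flows are constructed.

```python
"""Route lookup with longest match, administrative distance and ECMP hashing (added example)."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_ECMP = 3  # equal-cost routes allowed per destination on the same interface


@dataclass(frozen=True)
class RouteEntry:
    interface: str
    prefix: ipaddress.IPv4Network
    gateway: str   # next hop; a directly connected route is marked "connected"
    distance: int  # administrative distance: 0 connected, 1 static, 110 OSPF


class RoutingTable:
    def __init__(self) -> None:
        self.entries: List[RouteEntry] = []

    def add(self, interface: str, prefix: str, gateway: str, distance: int = 1) -> bool:
        """Install a route; returns False when it would exceed the ECMP limit."""
        entry = RouteEntry(interface, ipaddress.ip_network(prefix), gateway, distance)
        siblings = [e for e in self.entries
                    if e.interface == interface and e.prefix == entry.prefix
                    and e.distance == distance]
        if len(siblings) >= MAX_ECMP:
            return False
        self.entries.append(entry)
        return True

    def lookup(self, destination: str) -> List[RouteEntry]:
        """Return the equal-best entries for a destination (empty if no route)."""
        dst = ipaddress.ip_address(destination)
        matching = [e for e in self.entries if dst in e.prefix]
        if not matching:
            return []
        longest = max(e.prefix.prefixlen for e in matching)    # most 1 bits in the mask
        best = [e for e in matching if e.prefix.prefixlen == longest]
        lowest = min(e.distance for e in best)                 # then administrative distance
        return sorted((e for e in best if e.distance == lowest), key=lambda e: e.gateway)


def select_gateway(candidates: List[RouteEntry], src: str, dst: str) -> str:
    """Pick one ECMP member from a hash of the source/destination pair (assumed hash)."""
    digest = hashlib.sha256(f"{src}|{dst}".encode()).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)].gateway


def distribution(table: RoutingTable, flows: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count flows per gateway; the split is deterministic but not necessarily even."""
    counts: Dict[str, int] = {}
    for src, dst in flows:
        gw = select_gateway(table.lookup(dst), src, dst)
        counts[gw] = counts.get(gw, 0) + 1
    return counts


def build_sample_table() -> RoutingTable:
    t = RoutingTable()
    t.add("inside", "10.1.1.0/24", "connected", 0)
    t.add("dmz", "10.1.2.0/24", "connected", 0)
    t.add("inside", "172.16.1.0/24", "10.1.1.2")          # static, Network A (Figure 6-8)
    t.add("dmz", "192.168.1.0/24", "10.1.2.2")            # static, Network B (Figure 6-8)
    t.add("inside", "172.16.1.0/24", "10.1.1.5", 110)     # constructed OSPF-learned duplicate
    t.add("inside", "172.16.0.0/16", "10.1.1.5", 110)     # constructed OSPF-learned summary
    for gw in ("209.165.201.1", "209.165.201.2", "209.165.201.3"):
        t.add("outside", "0.0.0.0/0", gw)                 # three ECMP default routes (Example 6-7)
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("172.16.1.7", "172.16.9.9", "10.1.2.50", "8.8.8.8"):
        print(dst, [e.gateway for e in table.lookup(dst)])
    flows = [(f"10.1.1.{i}", "8.8.8.8") for i in range(1, 31)]  # constructed flows
    print(distribution(table, flows))
```

For 172.16.1.7 the static /24 beats both the OSPF-learned /24 (distance) and the OSPF /16 (mask length); a fourth default route on the outside interface is refused; and the per-gateway counts over the constructed flows show why the text warns that ECMP does not guarantee an equal split.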

Static and Default Routes

The simplest option is to use static or default route(s) to forward the packets. A default route forwards all traffic for which no route is found in the routing table to the gateway address. In contrast, a static route forwards traffic for specified destination networks to the next-hop connected device that is specified in the route statement. No route is required for directly connected networks on the Security Appliance.

Static or default routes are required in transparent mode to forward traffic that originates on the Security Appliance destined for nonconnected networks.

IP Routing

IP routing is one of the basic initialization steps used when configuring the Security Appliance. Routing is the process of deciding the path for each packet that a Security Appliance handles. The routing table contains a list of IP network addresses for which the Security Appliance is designed to provide IP routing services. After the address translation and other routines are completed, a route identifies the interface and the gateway used to forward packets for a specific destination network. Using the destination IP address in the packet header, the routing mechanism forwards the packet if a matching route entry is found in the routing table; if not, the packet is discarded.

Note

The routing mechanism should not be used to implement security policy; it should be used only as a supporting structure designed to forward packets efficiently and reliably.

The Security Appliance supports the following four ways to enable IP routing:

Static and default routes

OSPF

RIP

EIGRP

Tip

The Security Appliance supports up to three equal cost routes on the same interface for load balancing.

Redundant Interface

Software Version 8.0 introduces the capability to create redundant interface pairs that bundle multiple physical interfaces into a logical group to provide an active/standby environment. When the active interface fails, the standby interface becomes active and starts passing traffic. This feature offers added reliability and ensures traffic will pass when there is a problem with a physical interface. Note that this feature is separate from device-level failover. Redundant interfaces can be configured along with the regular failover configuration. The Security Appliance supports up to eight redundant interface pairs.

Perform the following steps to configure a redundant interface on the Security Appliance.

Step 1. Enable the logical redundant interface by using the following command from the global configuration mode. The number argument is an integer value between 1 and 8.

firewall(config)# interface redundant number

Step 2. Add the first member interface to the redundant interface logical group.

firewall(config-if)# member-interface 1st_physical_interface

Step 3. Add the second member interface to the redundant interface logical group.

firewall(config-if)# member-interface 2nd_physical_interface

Use the show interface redundantnumber detail command to show the redundant interface settings and also to determine which interface is currently active. By default, the first member interface in the configuration is active. However, this can be changed by using the redundant-interface redundantnumber active-member physical_interface command.

Security Levels

The Adaptive Security Algorithm permits access from one firewall network interface to another by using a security level mechanism. Each interface must be assigned a security level ranging from 0 (lowest) to 100 (highest). By default, the Security Appliance assigns the internal network (the inside network) security level 100, whereas the external network (outside network) connected to the Internet is assigned level 0. Other networks, such as the DMZ, can be assigned any number in between.

By default, the Security Appliance allows traffic to flow freely from an internal network (higher security level, 100) to an external network (lower security level, 0).

For traffic to flow between the interfaces through the Security Appliance, basic parameters need to be configured. These include the interface name, security level, an IP address, dynamic or static routing, and enabling of the interface, as physical interfaces are shut down by default.

Example 6-3 shows how to configure physical interface parameters in single mode.

Example 6-3. Configuring Interface Parameters in Single Mode

hostname(config)# interface Ethernet1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown

Example 6-4 shows how to configure interface parameters in multiple context mode for the system configuration. The example creates a subinterface Ethernet1.100 by putting it in VLAN 100, then allocates the Ethernet1.100 subinterface to contextA.

Example 6-4. Configuring Interface Parameters in Multiple Mode

hostname(config)# interface Ethernet1
hostname(config-if)# speed 100
hostname(config-if)# duplex full
hostname(config-if)# no shutdown
hostname(config-if)# interface Ethernet1.100
hostname(config-subif)# vlan 100
hostname(config-subif)# no shutdown
hostname(config-subif)# context contextA
hostname(config-ctx)# ...
hostname(config-ctx)# allocate-interface Ethernet1.100

By default, the Adaptive Security Algorithm does not permit interfaces on the same security level to communicate with each other. To explicitly permit this, use the following command from the global configuration mode to enable traffic flow between same security level interfaces without access lists.

hostname(config)# same-security-traffic permit inter-interface

Configuring Security Context

To define a context mode, or to add or change a context in the system configuration, perform the following steps:

Step 1. Define the context mode (single or multiple). Use the mode {single | multiple} command from the global configuration. The appliance will require a reboot. Note that the mode setting is not stored in the configuration file.

Step 2. To add or modify a context in the system execution space or the admin context, use the context {name} command from the global configuration mode to enter the context submode. The prompt changes to the following to indicate it is still in the system execution space and is modifying parameters for the specific context:

hostname(config-ctx)#

Step 3. Specify the interface(s) allocated to a context. Enter the command appropriate for a physical interface or for one or more subinterfaces using the allocate-interface command from the context submode. Repeat these commands multiple times to specify different ranges. Note that the transparent firewall mode allows only two interfaces to pass through traffic. The same interfaces can be assigned to multiple contexts in routed mode, if desired. Transparent mode does not allow shared interfaces.

Step 4. Identify the URL from which the system downloads the context configuration by using the config-url command. The context configuration can be downloaded via several methods, such as internal flash, HTTP/HTTPS, TFTP, or using an FTP server.

Step 5. Change between contexts to perform configuration and monitoring tasks within each context by using the changeto context {name} command. The prompt changes to the following:

hostname/context-name#

Step 6. To show the context information, use the show context [name | detail | count] command.

Example 6-1 shows how to enable multiple context mode. The example sets the admin-context to be administrator, creates a context called "administrator" on the internal flash memory, and adds another two contexts: a context called customerA from an FTP server, and another context called customerB from internal flash. Note that the context names are case sensitive.

Example 6-1. Configuring Multiple Contexts

hostname(config)# mode multiple
hostname(config)# admin-context administrator
hostname(config)# context administrator
hostname(config-ctx)# allocate-interface Ethernet0.1
hostname(config-ctx)# allocate-interface Ethernet1.1
hostname(config-ctx)# allocate-interface Management0/0
hostname(config-ctx)# config-url flash:/admin.cfg
hostname(config-ctx)# context customerA
hostname(config-ctx)# allocate-interface Ethernet0.100 int1
hostname(config-ctx)# allocate-interface Ethernet0.102 int2
hostname(config-ctx)# allocate-interface Ethernet0.103-Ethernet0.108 int3-int8
hostname(config-ctx)# config-url ftp://joe:password@10.1.1.1/configs/customerA.cfg
hostname(config-ctx)# context customerB
hostname(config-ctx)# allocate-interface Ethernet1.200 int1
hostname(config-ctx)# allocate-interface Ethernet1.202-Ethernet1.203 int2-int3
hostname(config-ctx)# allocate-interface Ethernet1.205-Ethernet1.210 int5-int10
hostname(config-ctx)# config-url flash:/customerB.cfg

Example 6-2 shows how to change between contexts and the system execution space in privileged EXEC mode to perform configuration and monitoring tasks within each context. The system execution space is the admin context from where you can switch between the contexts. Be sure of your location, because the configuration changes made apply to the current position (within the context). For example, when the show running-config command is executed, it will display only the current configuration of that context and not the running configurations of all contexts (system plus all contexts).

Example 6-2. Changing Between Contexts

hostname/admin# changeto system
hostname# changeto context customerA
hostname/customerA#
OR
hostname# changeto context customerB
hostname/customerB#

Multiple Contexts—Transparent Mode

Figure 6-7 shows an admin context plus three contexts for multiple customers in transparent mode. Each customer has its own security context with its own security policy (NAT, access list, static routes, and so on). A transparent firewall is in a secure bridging mode and connects the inside and outside interfaces to the same network (Net A). Each security context is assigned a management IP address of 10.1.x.2 on the same connected (Net A) IP subnet.

Figure 6-7. Multiple Contexts—Transparent Mode

Note

Transparent mode does not allow shared interfaces.

Note

In multiple mode environments, all contexts can be configured either in routed or in transparent mode. A mixed-mode environment is not supported.

Caution

Dynamic routing protocols are not supported in multiple context mode; static routing can be used. VPN and multicast are also not supported.

How does the Security Appliance determine which context a packet belongs to?

All packets entering the appliance must be classified to determine which context should process them. The classifier uses the following criteria, in order, to assign a packet to a context:

1. Unique interface: If only one context is associated with the ingress interface, the Security Appliance classifies the packet into that context. Transparent mode requires unique interface allocation for each context, so in transparent mode this is the only classification method used. In routed mode, where interfaces can be shared, the following methods also apply.

2. Unique MAC address: If multiple contexts are associated with the ingress interface, the appliance classifies the packet into a context by matching the destination MAC address against the MAC address of the shared interface in each context. By default, a shared interface does not have a unique MAC address per context; every context uses the physical interface's burned-in MAC address. This causes ARP problems, because an upstream device cannot direct a packet to the correct context when the same MAC address answers for the interface in several contexts. The solution is to assign a unique MAC address to the shared interface within each context, using the mac-address mac_address [standby mac_address] command in interface configuration mode. Alternatively, the mac-address auto command, entered in the system execution space, automatically generates a unique MAC address for each shared context interface.

3. Address translation: If unique MAC addresses are not in use, the Security Appliance classifies the packet into a context by matching the destination IP address against the NAT configuration of each context. The classifier looks for the destination IP address in either a static or a global command, matching on:

a. A global address in a static NAT statement whose global interface is the ingress interface of the packet

b. A global NAT pool configured for the ingress interface that contains the destination IP address

A packet arriving on a shared interface that matches neither a unique MAC address nor a NAT entry in any context is dropped, which is why assigning unique MAC addresses is the reliable choice for shared interfaces.
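The classification order above is easy to get wrong in practice, so here is a small model of it. This is an added example, not Cisco code: the Context and Packet structures, the MAC and IP addresses, and the two-context configuration are constructed for illustration, and only unicast IP packets are modelled. The interesting cases are a shared outside interface whose contexts still use the physical MAC (classification falls through to NAT, and an address no context translates is dropped) and the same interface after unique MACs are assigned (the destination MAC decides, even when the destination IP is another context's static).

```python
"""Model of the multiple-context packet classifier described above (unique
interface, then unique MAC address, then NAT destination address).

Added example, not Cisco code: the Context/Packet structures, the MAC and IP
addresses and the two-context configuration are all constructed here. Only
unicast IP packets are modelled."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PHYSICAL_MAC = "0000.0c11.1111"   # burned-in MAC of the shared port (constructed)


@dataclass
class Context:
    name: str
    interfaces: dict                               # interface name -> MAC this context uses on it
    statics: list = field(default_factory=list)    # (global interface, global address), from "static (...)"
    pools: list = field(default_factory=list)      # (interface, network), from "global (interface) ..."


@dataclass
class Packet:
    ingress: str
    dst_mac: str
    dst_ip: str


def classify(packet: Packet, contexts: list) -> Optional[str]:
    """Return the name of the context that owns the packet, or None if no context claims it."""
    candidates = [c for c in contexts if packet.ingress in c.interfaces]
    if not candidates:
        return None
    # 1. Unique interface: only one context has the ingress interface allocated.
    if len(candidates) == 1:
        return candidates[0].name
    # 2. Unique MAC address: the interface is shared; if every context uses a
    #    different MAC on it, the destination MAC identifies the context.
    macs = [c.interfaces[packet.ingress].lower() for c in candidates]
    if len(set(macs)) == len(candidates):
        for c in candidates:
            if c.interfaces[packet.ingress].lower() == packet.dst_mac.lower():
                return c.name
        return None
    # 3. Address translation: contexts still share the physical MAC, so fall back
    #    to the destination IP against each context's static and global NAT entries
    #    configured for the ingress interface. No match means the packet is dropped.
    dst = ip_address(packet.dst_ip)
    for c in candidates:
        if any(iface == packet.ingress and ip_address(addr) == dst for iface, addr in c.statics):
            return c.name
        if any(iface == packet.ingress and dst in ip_network(net) for iface, net in c.pools):
            return c.name
    return None


def build_contexts(unique_macs: bool) -> list:
    """Two routed-mode contexts sharing 'outside'. unique_macs=True stands in for
    'mac-address auto' (or a per-context 'mac-address' command)."""
    mac_a = "0000.0c22.2222" if unique_macs else PHYSICAL_MAC
    mac_b = "0000.0c33.3333" if unique_macs else PHYSICAL_MAC
    dept_a = Context("deptA", {"outside": mac_a, "insideA": "0000.0c44.4444"},
                     statics=[("outside", "209.165.200.5")],
                     pools=[("outside", "209.165.200.8/29")])
    dept_b = Context("deptB", {"outside": mac_b, "insideB": "0000.0c55.5555"},
                     statics=[("outside", "209.165.200.6")])
    return [dept_a, dept_b]


if __name__ == "__main__":
    shared_mac = build_contexts(unique_macs=False)
    for ip in ("209.165.200.5", "209.165.200.10", "209.165.200.6", "209.165.200.7"):
        print(ip, "->", classify(Packet("outside", PHYSICAL_MAC, ip), shared_mac))
```

Running the block prints deptA, deptA, deptB and None for the four outside destinations: the first static and the pool belong to deptA, the second static to deptB, and 209.165.200.7 is translated by nobody, so it is dropped. Once unique MACs are in place the upstream router must ARP for the per-context MAC, and a frame still addressed to the physical MAC matches no context.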

Security Context

Software version 7.0 introduced the capability to create multiple virtual firewalls, also referred to as security contexts, within a single appliance. Multiple contexts are similar to having multiple standalone devices. Each virtualized partition is an independent device with its own set of security policies (NAT, access lists, routing, and so on), logical interfaces, and administrative domain. Multiple context mode supports nearly all the options that are configurable on a standalone device, such as NAT, firewall features, routing tables, IPS, and management features. Some features, such as VPN and dynamic routing protocols, are not supported in multiple context mode. In addition, interfaces can be shared between contexts, but only in routed mode. For example, the outside interface can be shared to conserve interfaces, or inside and demilitarized zone (DMZ) interfaces can be shared so that contexts can reach common resources.

There are a number of ways to set up a Security Appliance in multiple mode. The following sections illustrate two common implementations, including sharing an interface between contexts.

Multiple Contexts—Routed Mode (with Shared Resources)

Figure 6-6 shows an admin context plus two contexts for two departments within an organization, each with three segments: an inside, an outside, and a shared segment. Each department has its own security context (virtual firewall) so that it can have its own security policy (NAT, access lists, routing, and so on). Several servers are shared across both departments, so these servers are placed on a shared segment using the shared interface concept.

Figure 6-6. Multiple Contexts—Routed Mode (with Shared Resources)

Adaptive Security Algorithm Operation

Figure 6-5 illustrates how stateful inspection and application intelligence work in the Security Appliance. Conceptually, three basic operational functions are performed:

Access lists: Controlling network access based on specific networks, hosts, and services (TCP/UDP port numbers).

Connections (xlate and conn tables): Maintaining state information for each connection. This information is used by the Adaptive Security Algorithm and cut-through proxy to efficiently forward traffic within established connections.

Inspection engine: Performing stateful inspection together with application-level inspection functions. These inspection rule sets are predefined to validate application compliance with the relevant RFCs and other standards and cannot be altered.

Figure 6-5. Adaptive Security Algorithm Operations

Figure 6-5 is numbered with the operations in the order they occur, described as follows:

1. An inbound TCP SYN packet arrives on the Security Appliance to establish a new connection.

2. The Security Appliance checks the access list database to determine whether the connection is permitted.

3. The Security Appliance creates a new entry in the connection database (XLATE and CONN tables) using the necessary session information.

4. The Security Appliance checks the predefined rule sets in the inspection engine and, for well-known applications, additionally performs application-level inspection.

5. At this point, the Security Appliance decides whether to forward or drop the packet according to the findings of the inspection engine. It forwards the packet to the appropriate destination, subject to approval from the application inspection engine.

6. The destination system responds to the initial request, returning a packet.

7. The Security Appliance receives the return packet, performs the inspection, and looks up the connection in the connection database to determine whether the session information matches an existing connection.

8. The Security Appliance forwards the packet because it belongs to an existing established session.

Table 6-2 lists all the application protocols and details for which the Security Appliance provides application layer inspection capability.

Application Layer Protocol Inspection

In addition to the stateful inspection previously discussed, the Adaptive Security Algorithm is enhanced with application-layer intelligence that assists in detecting and preventing protocol and application-layer attacks. It performs deep packet inspection of application-layer protocol traffic (such as HTTP) by checking the IP header of the packet as well as the payload contents. Conventional firewalls maintain session information only up to Layer 4, whereas the Security Appliance adds another layer of security by extending its inspection into the data payload at Layer 7.

With application-layer awareness, the Security Appliance performs deep packet inspection of the data payload for any malicious activity. As shown in Figure 6-4, when the Security Appliance receives a packet of a well-known application protocol (such as HTTP), it further examines the packet for the corresponding application operation to check adherence to the RFC and compliant operation, ensuring there is no malicious intent. If the packet is crafted maliciously with an unauthorized or abnormal operation and is found to be performing noncompliant operations (illegal commands), the packet is blocked. With conventional access-list filtering this packet would be allowed, because only the Layer 3 and Layer 4 information in the packet would be checked.

Figure 6-4. Application Layer Intelligence

The Security Appliance, armed with application intelligence, provides protection from several types of network attacks that use embedding techniques to pass malicious traffic encapsulated in well-known application protocols.

Application inspection is enabled by default for most common well-known protocols on their specific TCP or UDP port numbers. See Table 6-2 for a complete list of supported protocols with their corresponding standards compliance enforcement. The Security Appliance can be tuned to tell the inspection engine to listen on nonstandard ports. For example, the HTTP port can be changed from the standard TCP/80 to a nonstandard TCP/8080 port. Some protocols cannot be changed; Table 6-2 identifies which protocols can be modified to inspect nonstandard ports. The Modular Policy Framework (MPF) command-line interface (CLI) is used to change the default settings for any application layer inspection (discussed later in this chapter). The MPF is similar to the Cisco IOS Software technique called Modular QoS CLI (MQC).

Table 6-2. Application Inspection Engines

Columns: PAT? = inspection works with port address translation; NAT (1-1)? = inspection works with one-to-one NAT; Nonstandard Port? = the inspected port can be changed from the default.

Application         PAT?  NAT (1-1)?  Nonstandard Port?  Default Port                  Standards Compliance

CTIQBE              Yes   Yes         Yes                TCP/2748                      —
DNS                 Yes   Yes         No                 UDP/53                        RFC 1123
FTP                 Yes   Yes         Yes                TCP/21                        RFC 959
GTP                 Yes   Yes         Yes                UDP/3386, UDP/2123            —
H.323               Yes   Yes         Yes                TCP/1720, UDP/1718,           ITU-T H.323, H.245, H.225.0,
                                                         UDP (RAS) 1718-1719           Q.931, Q.932
HTTP                Yes   Yes         Yes                TCP/80                        RFC 2616
ICMP                Yes   Yes         No                 —                             —
ICMP ERROR          Yes   Yes         No                 —                             —
ILS (LDAP)          Yes   Yes         Yes                —                             —
MGCP                Yes   Yes         Yes                UDP/2427, UDP/2727            RFC 2705bis-05
NBDS/UDP            Yes   Yes         No                 UDP/138                       —
NBNS/UDP            No    No          No                 UDP/137                       —
NetBIOS over IP     No    No          No                 —                             —
PPTP                Yes   Yes         Yes                TCP/1723                      RFC 2637
RSH                 Yes   Yes         Yes                TCP/514                       Berkeley UNIX
RTSP                No    No          Yes                TCP/554                       RFC 2326, RFC 2327, RFC 1889
SIP                 Yes   Yes         Yes                TCP/5060, UDP/5060            RFC 2543
SKINNY (SCCP)       Yes   Yes         Yes                TCP/2000                      —
SMTP/ESMTP          Yes   Yes         Yes                TCP/25                        RFC 821, RFC 1123
SQL*Net             Yes   Yes         Yes                TCP/1521 (v.1)                —
Sun RPC             No    Yes         No                 UDP/111, TCP/111              —
XDCMP               No    No          No                 UDP/177                       —

The information in Table 6-2 is taken from "Cisco Security Appliance Command Line Configuration Guide, Version 7.0" at http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html#wp1250375.
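To make the difference between Layer 3/4 filtering and Layer 7 inspection concrete, the following is a toy HTTP inspection engine in the spirit of Figure 6-4. It is an added example and not Cisco's inspection engine: the checks (RFC 2616 request-line shape, the set of RFC 2616 methods, header-line syntax), the port list and the sample payloads are all constructed here. The point it demonstrates is that an ACL permitting TCP/80 passes anything sent to port 80, including an SSH banner or a request using a method that is not in the RFC, while the inspection step drops them.

```python
"""Toy application-layer inspection for HTTP, illustrating why an ACL that
permits TCP/80 is not enough. Added example, not Cisco's inspection engine:
the checks (RFC 2616 request line, RFC 2616 method set, header syntax) and the
sample payloads are constructed for illustration."""
import re

RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r?\n")
# token ":" OWS field-value, with the RFC 2616 token character set
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


def acl_check(dst_port: int, permitted_ports=(80,)) -> bool:
    """Layer 3/4 filtering only: anything addressed to a permitted port passes."""
    return dst_port in permitted_ports


def inspect_http(payload: bytes) -> tuple:
    """Return (verdict, reason); 'pass' only for a well-formed HTTP/1.x request."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return ("drop", "not an HTTP request line")        # e.g. SSH or another protocol tunnelled over TCP/80
    method = m.group(1).decode()
    version = (int(m.group(3)), int(m.group(4)))
    if method not in RFC2616_METHODS:
        return ("drop", f"non-RFC method {method}")         # illegal command, as the text calls it
    if version not in {(1, 0), (1, 1)}:
        return ("drop", f"unsupported HTTP version {version}")
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return ("drop", "incomplete header block")
    for line in head.split(b"\r\n")[1:]:
        if not HEADER_LINE.match(line):
            return ("drop", f"malformed header {line[:20]!r}")
    return ("pass", "RFC-conformant request")


def firewall_decision(dst_port: int, payload: bytes, l7: bool) -> str:
    """ACL first; then, if application inspection is enabled, the Layer 7 verdict."""
    if not acl_check(dst_port):
        return "drop"
    if not l7:
        return "pass"
    return inspect_http(payload)[0]


# Constructed sample payloads, all arriving on TCP/80
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_over_80": b"SSH-2.0-OpenSSH_7.4\r\n",
    "bad_method": b"EVIL / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_header": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12s} ACL only: {firewall_decision(80, payload, l7=False):4s} "
              f"ACL + inspect: {firewall_decision(80, payload, l7=True):4s} "
              f"({inspect_http(payload)[1]})")
```

Running the block shows every sample passing the ACL-only decision and only the well-formed request surviving inspection. The real engine on the appliance does considerably more (it tracks the response side and protocol state across packets), but the shape of the decision is the same.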

Transparent Firewall Mode (Stealth Firewall)

Firewall software version 7.0 and later introduces the capability to deploy the Security Appliance in a secure bridging mode, as a Layer 2 device, to provide rich Layer 2 through 7 firewall services. In transparent mode, the Security Appliance acts like a "bump in the wire" and is not a router hop. There is no need to redesign the IP network (Layer 3 addressing scheme). The Security Appliance connects the same network (IP subnet) on its inside and outside interfaces. The inside and outside interfaces are placed on different Layer 2 segments if they are connected to the same switch (use different VLAN numbers, or use separate switches).

In essence, the network is split into two Layer 2 segments with the appliance placed between them, acting in bridge mode, and Layer 3 remains unchanged. Alternatively, clients on either side can be connected to two separate switches that are independent of each other (and not connected to each other in any way). Figure 6-3 illustrates this further. Even though the firewall is in bridge mode, an ACL is still required to control and permit all Layer 3 traffic passing through the firewall, with the exception of ARP traffic, which does not require an ACL. ARP traffic can be controlled with ARP inspection on the firewall.

Figure 6-3. Transparent Firewall Setup

Transparent mode does not run IP routing protocols on the appliance itself, because the firewall is in bridge mode. Static routes are used only for traffic originating from the appliance, not for traffic traversing it. However, IP routing protocols running through the firewall are supported, as long as the access lists on the firewall permit the protocols to pass. OSPF, RIP, EIGRP, and Border Gateway Protocol (BGP) adjacencies can be established through the firewall in transparent mode.

While running in transparent mode, the Security Appliance continues to perform stateful inspection with application-layer intelligence and all regular firewalling capabilities, including NAT support. NAT configuration in transparent mode is supported in software version 8.0 and later. Prior to version 8.0, NAT was not supported in transparent mode.

The egress interface for outgoing packets is determined by performing a MAC address lookup instead of a route lookup. The only Layer 3 addressing required on the firewall is the management IP address. The management IP address is also used as the source IP address for packets originating from the Security Appliance, such as system messages or communications with AAA or syslog servers. The management IP address must be on the same subnet as the connected network.

Transparent mode is a good technique to protect the network passively (camouflaged), without an intruder or attacker detecting the presence of the firewall.

Figure 6-3 shows an example of a transparent firewall implementation. The example shows three client workstations with their default gateway set to the upstream router 10.1.1.1. Note that all PCs, the upstream router, and the management IP address are in the same IP subnet 10.1.1.0/24, but they have been split into different Layer 2 VLANs because all the devices in the diagram are connected to the same switch. The client workstations and the inside interface of the Security Appliance are in VLAN 10, and the upstream router and the outside interface are in VLAN 20. If the clients and all devices on both sides are connected to separate switches, and the switches are not connected to each other in any way, the VLAN numbers can be the same, or anything for that matter, because the switches are independent and do not interconnect.
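The forwarding rules in the preceding paragraphs (egress by MAC lookup rather than route lookup, ARP passing without an ACL but subject to ARP inspection, every other Layer 3 flow needing an ACL permit, and a management IP that must sit on the bridged subnet) can be modelled in a few lines. This is an added example, not Cisco code: the Frame structure, the ACL tuple format, the MAC and IP addresses and the sample traffic for the Figure 6-3 topology are constructed here; the model is stateless, and ARP inspection is reduced to dropping sender bindings that contradict a static ARP entry.

```python
"""Model of transparent-mode forwarding: egress by MAC table lookup, ARP
without an ACL (checked against static ARP entries when present), and an ACL
requirement for all other traffic. Added example, not Cisco code: the Frame
structure, ACL format, addresses and sample frames are constructed; the model
is stateless and ARP inspection only rejects bindings that contradict a static
entry."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Frame:
    ingress: str                  # "inside" or "outside"
    src_mac: str
    dst_mac: str
    ethertype: str                # "arp" or "ip"
    src_ip: str = ""
    dst_ip: str = ""
    dport: int = 0


class TransparentFirewall:
    PEER = {"inside": "outside", "outside": "inside"}

    def __init__(self, mgmt_ip: str, subnet: str, acl: list, arp_static: Optional[dict] = None):
        # The management IP is the unit's only Layer 3 address and must be on the bridged subnet.
        if ip_address(mgmt_ip) not in ip_network(subnet):
            raise ValueError("management IP must be on the connected subnet")
        self.mgmt_ip = mgmt_ip
        self.mac_table: dict = {}               # MAC -> interface, learned from forwarded frames
        self.acl = acl                          # entries: (ingress, dst_network, dport, "permit"/"deny")
        self.arp_static = arp_static or {}      # IP -> MAC; non-empty means ARP inspection is on

    def _acl_permits(self, f: Frame) -> bool:
        for ingress, dst_net, dport, action in self.acl:
            if ingress == f.ingress and ip_address(f.dst_ip) in ip_network(dst_net) and dport == f.dport:
                return action == "permit"
        return False                            # implicit deny at the end of every ACL

    def forward(self, f: Frame) -> Optional[str]:
        """Return the egress interface for the frame, or None if it is dropped."""
        if f.ethertype == "arp":
            expected = self.arp_static.get(f.src_ip)
            if expected is not None and expected.lower() != f.src_mac.lower():
                return None                     # ARP inspection: sender binding contradicts static ARP
        elif not self._acl_permits(f):
            return None                         # bridge mode or not, Layer 3 traffic needs an ACL
        self.mac_table[f.src_mac] = f.ingress   # learn the source, like any bridge
        # Egress by MAC lookup, not route lookup; an unknown destination is flooded to the other side.
        egress = self.mac_table.get(f.dst_mac, self.PEER[f.ingress])
        return None if egress == f.ingress else egress


def demo() -> list:
    """Constructed traffic for the Figure 6-3 topology: PCs inside, router 10.1.1.1 outside."""
    fw = TransparentFirewall("10.1.1.2", "10.1.1.0/24",
                             acl=[("inside", "0.0.0.0/0", 80, "permit")],
                             arp_static={"10.1.1.1": "0000.0c00.0001"})
    results = []
    # The router's ARP enters on outside: no ACL needed, its MAC is learned, frame flooded inside.
    results.append(fw.forward(Frame("outside", "0000.0c00.0001", "ffff.ffff.ffff", "arp", src_ip="10.1.1.1")))
    # PC web traffic to the router's MAC: ACL permits, egress found by MAC lookup.
    results.append(fw.forward(Frame("inside", "0000.0c00.00aa", "0000.0c00.0001", "ip",
                                    src_ip="10.1.1.10", dst_ip="198.51.100.10", dport=80)))
    # Same PC, telnet: no ACL entry, dropped even though the destination MAC is known.
    results.append(fw.forward(Frame("inside", "0000.0c00.00aa", "0000.0c00.0001", "ip",
                                    src_ip="10.1.1.10", dst_ip="198.51.100.10", dport=23)))
    # An inside host claiming the router's IP with another MAC: ARP inspection drops it.
    results.append(fw.forward(Frame("inside", "0000.0c00.0bad", "ffff.ffff.ffff", "arp", src_ip="10.1.1.1")))
    return results


if __name__ == "__main__":
    print(demo())   # expected: ['inside', 'outside', None, None]
```

The last frame is the reason ARP inspection exists in transparent mode: without it the firewall would happily bridge a spoofed ARP reply for the gateway and redirect the inside VLAN's traffic.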

Routed Firewall Mode

In this mode, the Security Appliance is considered a router hop in the network. (This is the regular mode that everyone is familiar with.) Network Address Translation and dynamic routing using Routing Information Protocol (RIP) and Open Shortest Path First (OSPF), and as of version 8.0 EIGRP, can be performed in this mode. Note that dynamic routing protocols are supported in single context mode only; multiple context mode does not support dynamic routing. In addition, routed mode supports the use of multiple interfaces. Each interface must be on a different subnet, and interfaces can be shared between contexts. Routed mode is the default mode.

Stateful Inspection

Every inbound packet is inspected against the Adaptive Security Algorithm and the connection state information to decide whether to permit or deny the packet. Like the PIX and ASA Security Appliances, any stateful firewall checks the state of a packet as follows:

1. Is this a new connection?

If the arriving packet is part of a new connection, the Adaptive Security Algorithm checks the packet against the access lists and performs other standard tasks (such as a route lookup) to determine whether the packet is permitted or denied. The session management path is responsible for performing the following:

Access list checks

Route lookups

Allocation of NAT translations (xlate table)

Establishment of the session in the "fast path"

Packets are also passed to the control plane path to examine the payload for application-level (Layer 7) inspection.

2. Is this an established connection?

If the arriving packet is part of an existing connection, the Adaptive Security Algorithm does not reexamine the packet against the access lists; packets matching an entry in the established connection table go through the fast path in both directions. The fast path is responsible for performing the following checks:

IP checksum verification

Session lookup

TCP sequence number check

NAT translations based on existing sessions

Layer 3 and Layer 4 header adjustments

In some instances, packets of an established session must continue to go through the session management path or the control plane path, because their protocol requires Layer 7 inspection. For example, HTTP packets requiring content filtering need to go through the session management path.
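The following model ties together the numbered sequence in the Adaptive Security Algorithm Operation section and the two-path description above: a new SYN takes the session management path (ACL check, xlate allocation, conn creation), and every later packet of that session in either direction is handled by the fast path (session lookup, sequence number check, translation, header adjustment) without the ACL being evaluated again. It is an added example, not Cisco code: the ACL, the PAT address, the packet structure and the sample flow are constructed; route lookup, Layer 7 inspection and sequence number wraparound are omitted, and the conn/xlate tables are a simplification of the appliance's.

```python
"""Model of the session management (slow) path and the fast path described in
the Adaptive Security Algorithm Operation and Stateful Inspection sections.

Added example, not Cisco code: the ACL, PAT address, packet structure and the
sample flow are constructed; route lookup, Layer 7 inspection and sequence
number wraparound are left out."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed inside-interface ACL: (source network, destination network, dport, action)
INSIDE_ACL = [
    ("10.1.1.0/24", "0.0.0.0/0", 80, "permit"),
    ("10.1.1.0/24", "0.0.0.0/0", 443, "permit"),
]
PAT_GLOBAL = "209.165.200.1"   # interface PAT address on the outside (constructed)
WINDOW = 65535


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                 # subset of "SAFRP"
    seq: int = 0
    payload_len: int = 0


@dataclass
class Conn:
    inside_host: Tuple[str, int]   # real (pre-NAT) client address
    mapped: Tuple[str, int]        # xlate: the client address as seen on the outside
    server: Tuple[str, int]
    next_seq: int                  # next sequence number expected from the client


class StatefulFirewall:
    def __init__(self):
        self.conns: Dict[tuple, Conn] = {}   # one entry per direction, keyed by the 4-tuple on the wire
        self.next_pat_port = 1024
        self.log = []

    def _acl_permits(self, p: Pkt) -> bool:
        for src_net, dst_net, dport, action in INSIDE_ACL:
            if (ip_address(p.src) in ip_network(src_net)
                    and ip_address(p.dst) in ip_network(dst_net) and p.dport == dport):
                return action == "permit"
        return False                          # implicit deny

    def _session_management_path(self, p: Pkt) -> Optional[Conn]:
        """Slow path for a new connection: ACL check, xlate allocation, conn creation."""
        if not self._acl_permits(p):
            self.log.append(f"deny {p.src}:{p.sport} -> {p.dst}:{p.dport} (ACL)")
            return None
        mapped = (PAT_GLOBAL, self.next_pat_port)
        self.next_pat_port += 1
        conn = Conn((p.src, p.sport), mapped, (p.dst, p.dport), next_seq=p.seq)
        self.conns[(p.src, p.sport, p.dst, p.dport)] = conn            # client -> server
        self.conns[(p.dst, p.dport, mapped[0], mapped[1])] = conn      # server -> mapped client
        return conn

    def _fast_path(self, p: Pkt, conn: Conn) -> Optional[Pkt]:
        """Fast path: sequence check, NAT, header adjustment; no ACL re-evaluation."""
        if (p.src, p.sport) == conn.inside_host:
            # Accept recent retransmissions but drop segments far outside the window (injection).
            if not (conn.next_seq - WINDOW <= p.seq < conn.next_seq + WINDOW):
                self.log.append(f"drop seq {p.seq}, expected near {conn.next_seq}")
                return None
            conn.next_seq = p.seq + p.payload_len + (1 if "S" in p.flags or "F" in p.flags else 0)
            return Pkt(conn.mapped[0], conn.mapped[1], p.dst, p.dport, p.flags, p.seq, p.payload_len)
        # Return direction: untranslate the destination back to the inside host.
        return Pkt(p.src, p.sport, conn.inside_host[0], conn.inside_host[1], p.flags, p.seq, p.payload_len)

    def process(self, p: Pkt) -> Optional[Pkt]:
        """Return the packet as forwarded (after translation), or None if dropped."""
        conn = self.conns.get((p.src, p.sport, p.dst, p.dport))
        if conn is None:
            if "S" not in p.flags or "A" in p.flags:
                self.log.append("drop: non-SYN packet with no matching connection")
                return None
            conn = self._session_management_path(p)
            if conn is None:
                return None
        return self._fast_path(p, conn)


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.process(Pkt("10.1.1.5", 40000, "198.51.100.10", 80, "S", seq=1000)))   # translated SYN
    print(fw.process(Pkt("198.51.100.10", 80, "209.165.200.1", 1024, "SA", seq=5000)))  # SYN-ACK back to the host
    print(fw.process(Pkt("198.51.100.10", 80, "209.165.200.1", 1025, "SA", seq=1)))  # None: no conn
    print(fw.log)
```

Note what the model makes explicit: the return SYN-ACK is accepted only because the outbound SYN created a conn keyed on the mapped address, an unsolicited packet to the PAT address is dropped before any ACL is consulted, and a segment whose sequence number is nowhere near the expected value is dropped by the fast path even though it belongs to a known 4-tuple.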

Firewall Modes

The Security Appliance runs in one of two firewall modes:

Routed firewall mode

Transparent firewall mode (stealth firewall)

Firewall Appliance OS Software

Cisco Security Appliance software for firewalls delivers the latest firewall and VPN capabilities, enhanced performance, and security improvements, as well as a list of new features. Version 7.0 and the latest release, version 8.0, introduce significant enhancements to all major functional areas. These areas include firewalling and inspection services such as transparent (Layer 2) or routed (Layer 3) firewall operation and multiple security contexts (virtualized firewalls), Enhanced Interior Gateway Routing Protocol (EIGRP) support, application-aware inspection services, enhanced VPN services, Dynamic Access Policies (DAP), browser-based SSL VPN, network integration, high availability (Active/Active), and enhanced management and monitoring services.

Some of the advanced features include TCP stream reassembly, which assists in detecting attacks that are spread across multiple packets (fragmented) by reassembling packets into a full packet stream and performing inspection on the entire stream.

Another feature, TCP normalization, provides improved techniques to detect TCP-based attacks and is designed to drop packets that do not appear normal. A strict inspection is performed to enforce RFC compliance of the TCP header (advanced header analysis for flags and option checking, window variation, checksum verification, and detection of data inconsistency in retransmitted packets). Several other advanced features and enhancements are available in the more recent software releases.
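To show what the TCP normalization checks listed above actually look at, here is a normalizer that works on raw TCP segments: it verifies the checksum over the pseudo-header, rejects flag combinations no conformant stack produces, walks the option list for malformed lengths, and drops a retransmission whose data differs from what was already forwarded for the same sequence number. It is an added example and not Cisco's normalizer: the check set is a subset chosen for illustration, the segment builder and the sample segments are constructed, and the retransmission history is kept without any ageing.

```python
"""Subset of the TCP normalizer checks described above, applied to raw TCP
segments. Added example, not Cisco's normalizer: the checks, the segment
builder and the constructed test segments are illustrative only."""
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def _checksum(data: bytes) -> int:
    """Internet (ones' complement) checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b"", options=b"", bad_checksum=False) -> bytes:
    """Construct a TCP segment (header + payload); checksum is correct unless bad_checksum is set."""
    assert len(options) % 4 == 0
    data_offset = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, 65535, 0, 0) + options
    csum = _checksum(_pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    if bad_checksum:
        csum ^= 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


class TcpNormalizer:
    def __init__(self):
        self.seen = {}   # (src, dst, sport, dport) -> {seq: payload} already forwarded (never aged here)

    def check(self, src: str, dst: str, segment: bytes) -> str:
        """Return 'forward' or 'drop: <reason>' for one segment."""
        if len(segment) < 20:
            return "drop: truncated header"
        sport, dport, seq, _ack, off_byte, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
        hlen = (off_byte >> 4) * 4
        if hlen < 20 or hlen > len(segment):
            return "drop: invalid data offset"
        # Checksum verification: summing pseudo-header + segment including the checksum field gives 0.
        if _checksum(_pseudo_header(src, dst, len(segment)) + segment) != 0:
            return "drop: bad checksum"
        # Flag analysis: combinations that never occur on a conformant stack (scanner/evasion signatures).
        if (flags & SYN) and (flags & FIN):
            return "drop: SYN+FIN"
        if (flags & SYN) and (flags & RST):
            return "drop: SYN+RST"
        if (flags & (SYN | FIN | RST | ACK)) == 0:
            return "drop: no SYN/FIN/RST/ACK (null scan)"
        if (flags & ACK) == 0 and (flags & SYN) == 0 and (flags & RST) == 0:
            return "drop: FIN without ACK"
        # Option checking: walk the TLV list and reject lengths that run past the header.
        opts = segment[20:hlen]
        i = 0
        while i < len(opts):
            kind = opts[i]
            if kind in (0, 1):            # End of Option List / No-Operation are single bytes
                i += 1
                continue
            if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
                return "drop: malformed TCP option"
            i += opts[i + 1]
        # Retransmission consistency: data retransmitted for a sequence number already
        # forwarded must be identical to what was forwarded the first time.
        payload = segment[hlen:]
        if payload:
            history = self.seen.setdefault((src, dst, sport, dport), {})
            if seq in history and history[seq] != payload:
                return "drop: retransmitted data differs from original"
            history[seq] = payload
        return "forward"


if __name__ == "__main__":
    n = TcpNormalizer()
    a, b = "10.1.1.5", "198.51.100.10"
    print(n.check(a, b, build_segment(a, b, 40000, 80, 1000, 0, SYN)))
    print(n.check(a, b, build_segment(a, b, 40000, 80, 1000, 0, SYN | FIN)))
    print(n.check(a, b, build_segment(a, b, 40000, 80, 1001, 1, ACK, bad_checksum=True)))
```

The retransmission check is the one that matters for evasion: an attacker who first sends innocuous data for a sequence range and then retransmits different bytes for the same range is trying to make the firewall's inspection engine and the end host see different streams, and the normalizer refuses the second version.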

The Security Appliance combines in one device an advanced stateful firewall, VPN concentrator functionality, and advanced security features to intercept and respond to network attacks.

The Security Appliance software supports an intuitive, easy-to-use GUI-based application called Adaptive Security Device Manager (ASDM). ASDM is a browser-based Java applet used to configure, monitor, and manage the Security Appliances. ASDM is covered in Chapter 24, "Security and Policy Management."

With this brief introduction and product overview complete, the sections that follow discuss the features and configuration details.

Firewall Appliance Software for PIX 500 and ASA 5500

The Cisco Firewall Appliance provides integrated hardware and software delivering full stateful firewall protection and VPN capabilities. It provides extensive packet inspection and flow-specific monitoring, improved network integration, resiliency, and scalability. Unlike typical CPU-intensive proxy servers, the Cisco Firewall Software uses a non-UNIX, secure, real-time, embedded operating system.

Both device families (the PIX 500 and ASA 5500 series) are based on the same Cisco Firewall Software, at version 8.0 as of this writing. The majority of the functions are the same on both appliances, with the exception that, compared to the PIX 500 series, the ASA 5500 series adds support for SSL VPN technology (WebVPN), VPN load balancing, the Security Services Module (SSM) IPS module, CompactFlash (CF) card support, and an Aux port.

Note

The PIX 501 and 506E models do not support the new firewall software versions. They are capable of running up to version 6.3 only.

Cisco Firewall Services Module (FWSM)

The Cisco Firewall Services Module (FWSM), pictured in Figure 6-2, is a high-speed, high-performance integrated firewall module that is installed in Cisco Catalyst 6500 switches and Cisco 7600 Series routers.

Figure 6-2. Cisco Firewall Services Module (FWSM)

The FWSM provides large enterprises and service providers with security, reliability, scalability, and performance. Some of the key features of the FWSM are the following:

Integrated module: Installs inside a Cisco Catalyst 6500 Series switch or Cisco 7600 Series router, integrating firewall security into the network infrastructure itself.

Performance and scalability: An FWSM can handle up to 5 Gbps of traffic, 100,000 connections per second (cps), and 1 million concurrent connections. With the capability to install up to four FWSMs in a single chassis, throughput scales to 20 Gbps per chassis.

Proven technology: The FWSM software is based on Cisco PIX technology and uses the same time-tested Cisco PIX operating system, a secure, real-time operating system.

Lower TCO (total cost of ownership): A virtualized FWSM delivers multiple firewalls on one physical hardware platform. Virtualization reduces the number of physical devices required in a network, thereby reducing the complexity of managing the network infrastructure and improving operational efficiency.

ROI (return on investment): Higher ROI through flexible deployment that leverages existing infrastructure investments.

Cisco PIX 500 Series Security Appliances

The Cisco PIX 500 Series Security Appliance provides security, performance, and reliability for network environments of all sizes, offering an array of multitiered solutions. It is a family of specialized appliances that provide robust integrated network security services, including stateful inspection firewalling, VPNs, and inline intrusion detection.

The dedicated software engine incorporates the Cisco Adaptive Security Algorithm, which provides stateful inspection firewall services by monitoring the state of all authorized network communications while preventing unauthorized network access. Cisco PIX Security Appliances offer an additional layer of security by integrating more than two dozen purpose-built inspection engines that perform extensive packet examination for the most common applications and protocols in use today. The Cisco PIX Security Appliance provides a wide range of integrated security services in an easy-to-deploy, high-performance solution.

The Cisco PIX 500 Series ranges from desktop appliances for small and home offices to modular gigabit appliances for enterprise and service-provider environments, as shown in Table 6-1. (Note that photos are not available for the Cisco PIX 506E and Cisco PIX 515E.)

Table 6-1. Cisco PIX 500 Series Devices

Device          Description

Cisco PIX 501   Compact, plug-and-play Security Appliance for small office/home office
                environments. The PIX 501 provides an integrated 4-port Fast Ethernet
                (10/100) switch and one Fast Ethernet (10/100) interface.

Cisco PIX 506E  Cost-effective, high-performance Security Appliance for remote
                office/branch office environments. The PIX 506E provides two auto-sensing
                Fast Ethernet (10/100) interfaces.

Cisco PIX 515E  Modular, high-performance Security Appliance for small-to-medium and
                enterprise network environments. The PIX 515E is a modular one-rack-unit
                design supporting up to six 10/100 Fast Ethernet interfaces.

Cisco PIX 525   Modular Security Appliance with Gigabit Ethernet connectivity for
                medium-to-large enterprise network environments. The PIX 525 is a modular
                two-rack-unit design supporting up to eight 10/100 Fast Ethernet
                interfaces or three Gigabit Ethernet interfaces.

Cisco PIX 535   Highly modular, high-performance Security Appliance with Gigabit Ethernet
                connectivity for enterprise and service provider network environments.
                The PIX 535 is a modular three-rack-unit design supporting up to ten
                10/100 Fast Ethernet interfaces or nine Gigabit Ethernet interfaces, with
                redundant power supplies.

Note

The Cisco PIX 506, 515, and 520 Firewall models have reached end of sale (EOS).

Cisco ASA 5500 Series Adaptive Security Appliances

The Cisco ASA 5500 Series Adaptive Security Appliance (Figure 6-1) is the newest member of the family of Cisco Firewall technology products. The ASA 5500 series includes multifunction Security Appliances delivering converged firewall, Intrusion Prevention System (IPS), advanced adaptive threat defense services including Anti-X defenses, application security, and VPN services, simplifying network security solutions.

Figure 6-1. Cisco ASA 5500 Series Appliances

The ASA 5500 Series is one of the key components of the Cisco Self-Defending Network initiative. At the heart of the ASA 5500 Series architecture is the Adaptive Identification and Mitigation (AIM) architecture, which provides proactive threat mitigation (stopping attacks before they spread through the network), controls network activity and application traffic, and delivers flexible, high-performance site-to-site VPN, remote access VPN, and SSL VPN solutions.

In a single platform, the Cisco ASA 5500 Series offers the following:

Market-proven firewall, IPS, adaptive threat defense, and VPN capabilities

An adaptive identification and mitigation services architecture, delivering granular policy control and future services extensibility

Reduced overall deployment and operational costs and complexity

The Cisco ASA 5500 Series builds on the depth and breadth of Cisco security features by combining the following three security and VPN technologies:

Firewall technology

IPS (inline) technology

VPN technology: IPsec, SSL (WebVPN), and AnyConnect VPN

Blending these functions, the Cisco ASA 5500 Series brings together a wide range of security and VPN technologies to provide application security, Anti-X defenses, network control and containment, and secure connectivity, tightening the network security posture.

The Cisco ASA 5500 Series offers five purpose-built appliances that scale from small and medium-sized businesses to large enterprise and service provider environments. Its concurrent security services architecture lowers operational complexity and reduces the overall deployment and operation costs.

ASA 5505: Cost-effective, easy-to-deploy appliance for small business, branch office, and enterprise teleworker environments, with an integrated 8-port 10/100 Fast Ethernet switch (including two Power over Ethernet [PoE] ports)

ASA 5510: Cost-effective, easy-to-deploy appliance for medium-sized business, remote/branch, and enterprise environments, with advanced security and networking services

ASA 5520: Appliance with Active/Active high-availability services and Gigabit Ethernet connectivity for medium-sized enterprise networks, in a modular, high-performance design

ASA 5540: High-density appliance with Active/Active high-availability services and Gigabit Ethernet connectivity for medium-to-large enterprise and service-provider networks

ASA 5550: Gigabit-class appliance offering up to 1.2 Gbps firewall throughput, with Active/Active high-availability services and fiber and Gigabit Ethernet connectivity, for large enterprise and service-provider networks

Hardware Versus Software Firewalls

The primary differentiator between a hardware-based and a software-based firewall is the underlying dependency on the operating system each runs on. Both can prove equally secure if the network design and configuration are impeccable. As shown in the previous chapter, the software-based Cisco IOS Firewall is integrated functionality inside Cisco IOS Software, providing a stateful inspection firewall engine with application-level intelligence. Hardware firewalls have two advantages over software firewalls: they are robust and built specifically for the purpose of firewalling, and their purpose-built operating system exposes a smaller attack surface than a general-purpose system that also hosts a firewall. Hence hardware firewalls have an edge over software-based firewalls.

Cisco Firewall technology provides a wealth of advanced security and networking services for small-to-medium enterprise and service provider networks in a modular, purpose-built solution. Cisco hardware-based firewall technology comes in three flavors:

PIX 500 Series Security Appliances

ASA 5500 Series Adaptive Security Appliances

Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module (FWSM)

Cisco Firewall technology solutions provide application-aware protocol inspection, access control and flow-based policy enforcement, multi-vector attack protection, and secure connectivity through a wide range of security and networking services. The following sections briefly highlight the features of each platform.

Firewalls Overview

A firewall is a hardware or software solution implemented within the network to enforce security policies by controlling network access. The function of firewalls has evolved from the original purpose of protecting a network from unauthorized external access. Besides protecting the perimeter of a network, today's firewalls implement access control, virtual private network (VPN) services, quality of service (QoS) features, redundancy mechanisms, and much more. In general, firewalls can offer data privacy, integrity, and availability.

A firewall is often seen as the first step toward a network security solution. Network security needs to be architected as a foundation for success, and firewalls are an integral part of this architecture.

Firewall deployment requires mapping network boundaries between security domains. A network security domain is a contiguous region of a network that operates under a uniform security policy. A policy enforcement mechanism is required where these domains interconnect, and this is where firewall technology comes into play. Firewalls provide security by acting as the first line of network defense.

Cisco Firewalls: Appliance and Module

The firewall has become a common commodity and is a necessary and integral part of every network infrastructure. The most critical requirement in most security solutions today is implementing a firewall. Networks today have grown both in size and complexity, with the environment becoming more hostile. This chapter brings together Cisco industry-leading advanced firewall technology with flagship products uniquely positioned to deliver purpose-built, feature-rich firewall technology.

The previous chapter focused on a router-based IOS Firewall solution, whereas this chapter mainly focuses on the hardware-based, purpose-built Cisco Firewall technology.

The chapter discusses the various types of Cisco Firewalls available and includes a brief overview of each model. The chapter is divided into two segments, features and configuration, based on the following:

Firewall appliance software for PIX 500 and ASA 5500 platforms

Firewall module software for the Firewall Services Module (FWSM)

The chapter takes a closer look at core concepts, such as firewall modes, security contexts, stateful inspection, the Adaptive Security Algorithm, IP routing, various types of Network Address Translation (NAT), the control of traffic flow and network access through the firewall, the Modular Policy Framework (MPF), and the provisioning of high-availability and resilient networks.

Configuring ZFW Using Cisco Policy Language (CPL)

ZFW is configured using the new command set of Cisco Policy Language (CPL). CPL is the new format for enabling ZFW. The format is similar to the Modular QoS CLI (MQC) in using a class-map to identify the traffic and a policy-map to define the action applied to it.

Several steps are required to complete the configuration. Although the order of the tasks that follows is not important, some tasks depend on each other. For example, a class-map must be configured before it can be used in a policy-map. Similarly, a policy-map cannot be assigned to a zone-pair before the policy-map itself is configured, and so on.

The following tasks are required to complete the ZFW configuration using CPL:

Define zones

Define zone-pairs

Define class-map(s) that identify the traffic that must have policy applied as it traverses a zone-pair

Define a policy-map to apply an action to the traffic in a class-map

Apply a policy-map to a zone-pair

Assign interface(s) to zones

Note

By default, traffic between zones is blocked unless an explicit policy permits it.

Based on Figure 5-8, Example 5-7 shows a very basic ZFW configuration that uses the new CPL command set with two zones.

Figure 5-8. Basic ZFW for Two-Zone Setup

Example 5-7. Basic ZFW Configuration Using CPL

class-map type inspect match-any myclass
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
!
zone security private
zone security public
!
zone-pair security mypair source private destination public
 service-policy type inspect mypolicy
!
interface FastEthernet0/0
 zone-member security private
!
interface FastEthernet0/1
 zone-member security public
!
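The task dependencies described above can be checked mechanically. The following is an added example, not the book's code: a reference checker for the CPL statements used in Example 5-7 (class-map, policy-map, zone, zone-pair, service-policy, zone-member). SAMPLE_CONFIG is constructed for this example; it is Example 5-7 plus a dmz zone that is deliberately left incomplete.

```python
"""Added example (not the book's code): a reference checker for the ZFW CPL
statements in Example 5-7. A policy-map must name an existing class-map and a
zone-pair must name existing zones and an existing policy-map; a zone-pair
with no service-policy drops all traffic by default. SAMPLE_CONFIG is
constructed here: Example 5-7 plus a dmz zone left incomplete on purpose."""
import re

SAMPLE_CONFIG = """\
class-map type inspect match-any myclass
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
zone security private
zone security public
zone security dmz
zone-pair security mypair source private destination public
 service-policy type inspect mypolicy
zone-pair security dmzpair source private destination dmz
interface FastEthernet0/0
 zone-member security private
interface FastEthernet0/1
 zone-member security public
"""

# Top-level statements that open a configuration block (order matters: "zone"
# is anchored, so it does not match "zone-pair").
TOP_LEVEL = [
    ("class-map", re.compile(r"class-map type inspect (?:match-any|match-all) (\S+)")),
    ("policy-map", re.compile(r"policy-map type inspect (\S+)")),
    ("zone", re.compile(r"zone security (\S+)")),
    ("zone-pair", re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)")),
    ("interface", re.compile(r"interface (\S+)", re.IGNORECASE)),
]


def parse_cpl(text):
    """Collect the objects a CPL configuration defines and what they reference."""
    cfg = {"class_maps": set(), "policy_maps": {}, "zones": set(),
           "zone_pairs": {}, "interfaces": {}}
    block = None  # (kind, name) of the block whose indented lines follow
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # a new top-level block
            block = None
            for kind, pattern in TOP_LEVEL:
                if m := pattern.match(line):
                    block = (kind, m.group(1))
                    break
            if block is None:
                continue
            if kind == "class-map":
                cfg["class_maps"].add(m.group(1))
            elif kind == "policy-map":
                cfg["policy_maps"][m.group(1)] = []
            elif kind == "zone":
                cfg["zones"].add(m.group(1))
            elif kind == "zone-pair":
                cfg["zone_pairs"][m.group(1)] = {"source": m.group(2),
                                                "destination": m.group(3), "policy": None}
            else:
                cfg["interfaces"][m.group(1)] = None
            continue
        if block is None:                      # indented line outside a known block
            continue
        kind, name = block
        stmt = line.strip()
        if kind == "policy-map" and (m := re.match(r"class type inspect (\S+)", stmt)):
            cfg["policy_maps"][name].append(m.group(1))
        elif kind == "zone-pair" and (m := re.match(r"service-policy type inspect (\S+)", stmt)):
            cfg["zone_pairs"][name]["policy"] = m.group(1)
        elif kind == "interface" and (m := re.match(r"zone-member security (\S+)", stmt)):
            cfg["interfaces"][name] = m.group(1)
    return cfg


def check_cpl(text):
    """Return the problems found; an empty list means every reference resolves."""
    cfg, problems = parse_cpl(text), []
    for pm, classes in cfg["policy_maps"].items():
        problems += [f"policy-map {pm} references undefined class-map {c}"
                     for c in classes if c not in cfg["class_maps"]]
    for zp, d in cfg["zone_pairs"].items():
        problems += [f"zone-pair {zp} {role} zone {d[role]} is not defined"
                     for role in ("source", "destination") if d[role] not in cfg["zones"]]
        if d["policy"] is None:
            problems.append(f"zone-pair {zp} has no service-policy: traffic from "
                            f"{d['source']} to {d['destination']} is dropped by default")
        elif d["policy"] not in cfg["policy_maps"]:
            problems.append(f"zone-pair {zp} references undefined policy-map {d['policy']}")
    problems += [f"interface {i} is a member of undefined zone {z}"
                 for i, z in cfg["interfaces"].items() if z and z not in cfg["zones"]]
    problems += [f"zone {z} has no member interface"
                 for z in sorted(cfg["zones"] - set(cfg["interfaces"].values()))]
    return problems
```

Running check_cpl on SAMPLE_CONFIG reports the dmzpair zone-pair that carries no service-policy and the dmz zone with no member interface; Example 5-7 itself produces no findings.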

Configuring Zone-Based Policy Firewall

ZFW does not use the classical CBAC ip inspect command set. ZFW policies are configured with the new Cisco Policy Language (CPL), which employs a hierarchical structure to define inspection for network protocols and the groups of hosts to which the inspection will be applied. Note that the two configuration models (classical CBAC and the new ZFW) can be used concurrently on the same router; however, they cannot be combined on the same interface, overlapping each other. An interface cannot be configured as a zone member and be configured for ip inspect simultaneously.

Note

It is important to understand that ZFW completely changes the configuration syntax for Cisco IOS Firewall stateful inspection, as compared to classical CBAC.

Security Zones

Security zones establish the security boundaries of the network, where traffic is subjected to policy restrictions as it crosses to another region within the network.

As shown in Figure 5-7, a zone can have one or more interface(s) assigned to it. This example shows a Cisco IOS Firewall router with four interfaces and three zones:

Interface #1 connected to the Public Internet zone

Interfaces #2 and #3 connected to a Private zone connecting file servers and clients on a LAN (on separate physical interfaces, but in the same security zone), which must not be accessible from the public Internet

Interface #4 connected to the DMZ zone, connecting a web server and Domain Name System (DNS) server, which must be accessible to the public Internet

Figure 5-7. Basic Security Zone

In the example illustrated by Figure 5-7, the IOS Firewall will typically have three main security policies:

Private zone connectivity to the Internet

Private zone connectivity to the DMZ

Public zone connectivity to the DMZ

Devices connected in the Private zone would be able to pass traffic to all other devices between interfaces #2 and #3 because they are in the same Private zone. If an additional new interface is added to the Private zone, inter-interface and intra-interface traffic is allowed within the same zone. Additionally, the hosts' traffic to hosts in other zones would be similarly affected by the existing policies.

Zone-Based Policy Overview

Before ZFW was introduced, the Cisco IOS Firewall offered stateful inspection using the CBAC feature. CBAC was covered in detail in the previous sections of this chapter.

In the recent releases of Cisco IOS Software from Version 12.4(6)T and later, the CBAC model is being replaced with the new configuration model that uses ZFW.

This new feature was added mainly to overcome the limitations of CBAC, which applied stateful inspection policy on an interface-based model. To be specific, the limitation was that all traffic passing through the interface was subject to the same inspection policy, thereby limiting the granularity and policy enforcement, particularly in scenarios where multiple interfaces existed.

With ZFW, stateful inspection can now be applied on a zone-based model. Interfaces are assigned to zones, and policy inspection is applied to traffic moving between zones. This feature provides more granularity, flexibility, scalability, and an easy-to-use zone-based security approach. With a zone-based inspection model, varying interzone policies can be applied to multiple hosts or groups of hosts connected to the same interface.

Tip

The following Cisco whitepaper URL provides more details on the conceptual difference between Cisco IOS Classic and ZFW features:

www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper0900aecd806f31f9.shtml.

Zone-Based Policy Firewall (ZFW)

The new ZFW feature was introduced in Cisco IOS Software Release 12.4(6)T for the enhanced Cisco IOS Firewall feature set.

All features from prior to IOS Software Release 12.4(6)T are included in this new implementation and are supported in the new zone-based inspection.

ZFW supports the following features:

Stateful Packet Inspection (SPI)

VRF-aware Cisco IOS Firewall

URL filtering

Denial-of-service (DoS) mitigation

More ZFW features were added in Cisco IOS Software Release 12.4(9)T for per-class session/connection and throughput limits, as well as application inspection and control for the following:

HTTP

Post Office Protocol (POP3)

Internet Mail Access Protocol (IMAP)

Simple Mail Transfer Protocol and Extended Simple Mail Transfer Protocol (SMTP/ESMTP)

Sun Remote Procedure Call (RPC)

Instant Messaging (IM) applications, including Microsoft Messenger (MSN), Yahoo Messenger, and AOL Instant Messenger

Peer-to-peer (P2P) file sharing, including BitTorrent, KaZaA, Gnutella, and eDonkey

Note

Stateful inspection for multicast traffic is not supported in ZFW or in the legacy classical firewall (CBAC).

Inspection of Router-Generated Traffic

The Cisco IOS Firewall feature is enhanced to support inspection of traffic that is originated by or destined to the CBAC-configured device. Inspection of router-generated traffic augments CBAC functionality to inspect TCP, UDP, and H.323 connections that have the firewall as one of the connection endpoints. CBAC dynamically opens temporary holes for TCP, UDP, and H.323 control channel connections to and from the router, and for the data and media channels negotiated over the H.323 control channels. For example, CBAC can be configured to inspect a Telnet session initiated from the CBAC-enabled router to a device in the unprotected zone, allowing the return traffic dynamically without needing to explicitly permit it in the access list.

To enable the router-generated traffic inspection feature, use the router-traffic keyword in the ip inspect name command when configuring CBAC inspection rules. This option is available for the H.323, TCP, and UDP protocols only.

This feature was introduced in IOS Version 12.3(14)T.

Application Inspection and Control (AIC)

In addition to the extensive ZFW features and capabilities, ZFW extends the function of the application inspection and control (AIC) engine by providing additional capabilities to ZFW. AIC policies are applied at Layer 7 of the OSI model, performing deep packet inspection at the application-protocol level.

ZFW offers application inspection and control for the following application services:

HTTP

SMTP

POP3

IMAP

Sun remote procedure call

Peer-to-peer application traffic

Instant Messaging applications

Note

AIC is configured as an additional set of application-specific class-maps and policy-maps, which are then applied to the existing inspection class-maps and policy-maps.

Summary

This chapter discussed the router-based IOS Firewall technology and focused mainly on one of its several subsystems, the SPI technology, which uses the classical firewall (CBAC) and the new ZFW structures. SPI is an advanced firewall engine for stateful inspection, providing traffic-filtering functionality on a Cisco IOS–based device as a single point of protection.

The chapter described CBAC functions and how they work, using step-by-step configuration processes with examples.

The chapter also covered the new ZFW concept using security zones and demonstrated the steps required to configure ZFW.

The chapter also provided an overview of some of the advanced IOS Firewall features introduced in the newer IOS Software versions.

References

www.cisco.com/en/US/products/ps6441/products_configuration_guide_book09186a008049e249.html

www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html

www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800fd670.html

www.cisco.com/en/US/products/sw/iosswrel/ps5207/prod_bulletin09186a00801abfda.html

www.cisco.com/en/US/products/ps6441/prod_bulletin09186a00804a8728.html

www.cisco.com/en/US/products/ps6350/prod_bulletin09186a0080457a84.html

www.cisco.com/en/US/products/ps6350/products_feature_guide09186a008072c6e3.html

www.cisco.com/en/US/products/sw/secursw/ps1018/products_white_paper0900aecd806f31f9.shtml

VRF-Aware IOS Firewall

The Multiprotocol Label Switching Virtual Private Network (MPLS VPN) feature allows several sites to interconnect transparently through a service provider network. A service provider network can support several IP VPNs. Each of these appears as a separate private network. A VRF is an IP routing table instance for connecting sites in a VPN network. Each VPN has its own set or sets of VRF instances, thereby allowing each site to send IP packets to any other site in the same VRF instance.

The Cisco IOS Firewall feature is enhanced to support inspection for VRF instances in an MPLS VPN network. CBAC can inspect packets on a per-VRF basis for packets sent and received within a VRF. A VRF-aware CBAC implementation can include multiple firewall instances (with VRF instances) that are allocated to separate VPN customers. VRF-aware CBAC provides scalability and reduced integration effort, without the need for separate firewall devices for each VPN network. In effect, a single physical router running multiple virtual routing instances (emulating multiple routers) can now run multiple virtual IOS Firewalls in a single device.

This feature was introduced in IOS Version 12.3(14)T.

Virtual Fragmentation Reassembly (VFR)

Before the implementation of the Virtual Fragmentation Reassembly (VFR) feature, the IOS Firewall (CBAC) could not identify the contents of IP fragments or gather any port information from the fragmented packets. This shortcoming allowed all fragmented packets to bypass the firewall checks and get through the network without being inspected.

Before the VFR feature was available, several known fragment-type attacks could succeed. (Examples include the Tiny Fragment attack, the Overlapping Fragment attack, and the Buffer Overflow attack that sends a large number of incomplete IP fragments to overwhelm the firewall.) The VFR feature provides the capability to look into the fragmented packets to check the connection information and create the corresponding dynamic ACL entries, thus protecting the network from various fragmentation attacks.

To enable VFR, use the ip virtual-reassembly command from interface configuration mode. Example 5-6 shows how to configure VFR with a maximum of 100 IP datagrams to be reassembled at any given time and a maximum of 20 fragments allowed per IP datagram (fragment set). The timeout of 5 seconds specifies that if all the fragment packets are not received within the specified time, the IP datagram and all its fragments will be dropped.

This feature was introduced in IOS Version 12.3(8)T.

Example 5-6. Virtual Fragmentation Reassembly (VFR) Configuration Example

interface FastEthernet0/0
 ip inspect in | out
 ip virtual-reassembly max-reassemblies 100 max-fragments 20 timeout 5
!
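To make the three VFR limits concrete, the following is an added example, not the book's or Cisco's code: a model of a reassembly tracker enforcing the max-reassemblies, max-fragments and timeout values from Example 5-6. The Fragment records and timestamps are constructed inputs; real IOS works on the IP header fields of the fragments it forwards.

```python
"""Added example (not the book's code): a model of the limits configured by
`ip virtual-reassembly max-reassemblies 100 max-fragments 20 timeout 5` in
Example 5-6. Fragments are grouped per IP datagram by (source, destination,
identification); a datagram is dropped with all its fragments when it gathers
more than max-fragments pieces or is still incomplete after `timeout` seconds,
and new datagrams are refused while max-reassemblies are already pending.
The Fragment records and timestamps used with it are constructed inputs."""
from dataclasses import dataclass, field


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int      # IP identification field shared by all fragments of a datagram
    offset: int     # fragment offset in bytes
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag: more fragments follow


@dataclass
class Datagram:
    started: float                  # arrival time of the first fragment
    frags: list = field(default_factory=list)
    total_len: int = -1             # known once the fragment with MF=0 arrives


class VirtualReassembly:
    def __init__(self, max_reassemblies=100, max_fragments=20, timeout=5.0):
        self.max_reassemblies = max_reassemblies
        self.max_fragments = max_fragments
        self.timeout = timeout
        self.pending = {}           # (src, dst, ident) -> Datagram under reassembly
        self.stats = {"reassembled": 0, "dropped_max_fragments": 0,
                      "dropped_timeout": 0, "dropped_max_reassemblies": 0}

    def expire(self, now):
        """Discard datagrams whose fragments did not all arrive within `timeout`."""
        for key in [k for k, d in self.pending.items() if now - d.started > self.timeout]:
            del self.pending[key]
            self.stats["dropped_timeout"] += 1

    def receive(self, frag, now):
        """Account for one fragment; returns the datagram length once complete, else None."""
        self.expire(now)
        key = (frag.src, frag.dst, frag.ident)
        dg = self.pending.get(key)
        if dg is None:
            if len(self.pending) >= self.max_reassemblies:
                self.stats["dropped_max_reassemblies"] += 1
                return None
            dg = self.pending[key] = Datagram(started=now)
        dg.frags.append(frag)
        if len(dg.frags) > self.max_fragments:      # too many pieces: drop the whole datagram
            del self.pending[key]
            self.stats["dropped_max_fragments"] += 1
            return None
        if not frag.more:
            dg.total_len = frag.offset + frag.length
        if dg.total_len >= 0 and self._covers_all(dg):
            del self.pending[key]
            self.stats["reassembled"] += 1
            return dg.total_len
        return None

    @staticmethod
    def _covers_all(dg):
        """True when the fragments cover every byte from 0 to total_len without gaps."""
        covered = 0
        for f in sorted(dg.frags, key=lambda f: f.offset):
            if f.offset > covered:
                return False
            covered = max(covered, f.offset + f.length)
        return covered >= dg.total_len
```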

Transparent IOS Firewall (Layer 2)

The transparent IOS Firewall feature (also known as the Layer 2 firewall) acts as a Layer 2 transparent bridge with CBAC inspection configured on the Bridged Virtual Interface (BVI).

A Layer 3 IOS Firewall implementation requires two logical zones, trusted and untrusted, both on different IP subnets (existing subnets). A network implementation not designed to accommodate this subnetted architecture would require the redesign of IP subnets to accommodate the firewall. Placing a Layer 3 firewall would be difficult in such scenarios; it is considered resource intensive and could be impractical for most deployment scenarios.

Traditional firewalls operate in either Layer 3 or Layer 2 (transparent) mode. The Cisco IOS Firewall is designed to interoperate in both modes simultaneously, providing scalability and ease of integration. This added functionality allows a Cisco IOS Firewall to be implemented concurrently as both a Layer 2 transparent firewall operating on bridged packets and a Layer 3 firewall operating on routed packets on the same device.

The transparent firewall configuration is no different from the Layer 3 firewall, using the ip inspect command from global configuration mode. The CBAC inspection rule (the ip inspect in/out command) is applied to the bridged interfaces for Layer 2 protection, whereas other routed interfaces are configured for Layer 3 protection.

This feature was introduced in IOS Version 12.3(7)T.

E-Mail Inspection Engine

Similar to the SMTP protocol, the ESMTP protocol provides a basic method for exchanging e-mail messages. ESMTP specifies service extensions to the original SMTP protocol for sending e-mail messages that support graphics, audio, and video files, and text in various national languages. Although an ESMTP session is similar to SMTP, there is one difference: the EHLO command. An ESMTP client supporting the ESMTP protocol starts a connection by issuing the EHLO command instead of the HELO command used in standard SMTP. (Refer to RFC 1869, "SMTP Service Extensions," for more details.)

The enhanced SMTP inspection engine adds support for ESMTP, Post Office Protocol 3 (POP3), and Internet Message Access Protocol (IMAP) in addition to the standard SMTP protocol. Advanced application inspection prevents protocol masquerading and enforces strict RFC compliance.

To configure SMTP/ESMTP inspection, use the ip inspect name inspection-name {smtp | esmtp} command from global configuration mode along with the other required parameters. (Refer to the steps defined earlier in the section "Configuring CBAC.") This feature was introduced in IOS Version 12.3(14)T.

Firewall ACL Bypass

Before the implementation of the Firewall ACL Bypass feature, a packet was subject to three searches during processing (the inbound ACL, the outbound ACL, and the session table of the firewall). As discussed earlier, the dynamic ACL entry is a result of the corresponding connection information found in the session table that validates the session as legitimate; therefore, checking the packet against the inbound and outbound ACL entries was deemed redundant and no longer necessary. The extra checks can be eliminated to save CPU cycles. The ACL bypass feature subjects the packet to one search only (the session table) during the packet processing path through the router. Figure 5-6 shows how this works. The primary benefit of this feature is that packet throughput performance is improved by approximately 10%.

Figure 5-6. Firewall ACL Bypass—Order of Packet Processing

Because the firewall ACL bypass is performed by default, you can configure CBAC inspection as normal. This feature is transparent to the user, and no additional commands are required to enable or disable it.

This feature was introduced in IOS Version 12.3(4)T.

HTTP Inspection Engine

The HTTP inspection engine in the IOS Firewall has been enhanced with the introduction of Advanced Application Inspection and Control. For HTTP port 80 web traffic passing through standard firewalls, there is a possibility that non-HTTP traffic can be embedded or tunneled in the HTTP traffic (for example, Instant Messaging (IM) or any malicious traffic), thereby bypassing the firewall. Using this embedding technique, abnormal packets can be crafted to carry viruses, worms, Trojans, or any other malicious activity. With deep packet inspection, the IOS Firewall inspects the data streams to ensure that traffic assumed to be HTTP is standard web browsing and not IM or illegitimate traffic that is trying to gain unauthorized access through the firewall.

As shown in Figure 5-5, the HTTP Inspection Engine gives the IOS Firewall engine more granular control and the intelligence to block non-HTTP traffic by challenging its legitimacy and conformance to standards. The HTTP inspection performs packet inspection to determine whether any applications are being tunneled through port 80.

Figure 5-5. HTTP Inspection Engine with Advanced Application Inspection

Packets not conforming to the standards of the HTTP protocol are dropped. A reset message is sent out, and a SYSLOG message is generated accordingly.

This feature was introduced in IOS Version 12.3(14)T.

Note

For a configuration template, visit

www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455927.html#wp1027188

IOS Firewall Advanced Features

Several new enhancements and advanced capabilities have been added to the IOS Firewall feature set in the IOS Software 12.3T and 12.4 mainline versions. The following section highlights some of the commonly used advanced features.

Putting It All Together

Figure 5-4 depicts a simple CBAC scenario for protecting a web server in the internal network. CBAC inspection can be applied on internal or external interfaces. Access list 101 shows that HTTP traffic that originates from an external network and is destined for the web server is permitted. All other traffic is explicitly denied. Traffic originating from the internal network (protected zone) will pass through; a session table entry is maintained and a corresponding dynamic ACL entry is punched into ACL 101 to allow all returning traffic.

Figure 5-4. Putting It All Together

Configuring CBAC

To configure CBAC, perform the following steps:

Step 1. Select an interface: internal or external.

Step 2. Configure an IP access list.

Step 3. Define an inspection rule.

Step 4. Configure global timeouts and thresholds (optional).

Step 5. Apply the access list and the inspection rule to an interface.

Step 6. Verify and monitor CBAC.

Step 1—Select an Interface: Internal or External

CBAC can be configured either on an internal or on an external interface of the firewall.

Internal refers to the trusted/protected side, where sessions must originate for traffic to be permitted through the firewall.

External refers to the untrusted/unprotected side, where sessions cannot originate. Sessions originating from the external side will be blocked.

Figure 5-2. Internal Versus External Interface

Although CBAC is recommended to be configured in one direction per interface, it can be configured in two directions (also known as bidirectional CBAC) on one or more interfaces when the networks on both sides of the firewall require protection, such as with extranet or intranet configurations, and for protection against DoS attacks.

Step 2—Configure an IP Access List

For CBAC to work, an IP access list is configured to create temporary openings through the firewall to allow return traffic. It is important to remember that the access list must be an extended access list.

There is no basic template for configuring the access list. The configuration depends on the security policy of the organization. The access list should be kept simple, starting with a basic initial configuration. Making the access list complex and cluttered could inadvertently introduce security risks by allowing unwanted traffic through the firewall, thereby putting the protected network at risk. It is essential to understand and verify the access list before applying it in a production environment.

Follow these general guidelines to create an access list:

Explicitly block all network traffic that originates from the unprotected zone and moves to the protected zone, unless required. For example, when hosting a web server in the protected zone, it is explicitly required to permit HTTP (TCP port 80) that originates from the unprotected zone.

Step 3—Define an Inspection Rule

CBAC requires defining an inspection rule to specify which IP traffic (application-layer protocols) will be inspected by the firewall engine.

An inspection rule should specify each desired application-layer protocol as well as generic TCP or UDP if required. The inspection rule consists of a series of statements, each listing a protocol and specifying the same inspection rule name, as shown in Example 5-5. Inspection rule statements can include other options, such as controlling alert and audit trail messages and checking IP packet fragmentation.

Use the ip inspect name global configuration command to create a CBAC inspection rule set for the required application-layer protocol. Example 5-5 shows how to enable inspection for HTTP, FTP, SMTP, and the generic TCP and UDP protocols. Other application protocols (not defined here) can be enabled as required.

Example 5-5. Define CBAC Inspection Rules

Router(config)# ip inspect name myfw http
Router(config)# ip inspect name myfw ftp
Router(config)# ip inspect name myfw smtp
Router(config)# ip inspect name myfw tcp
Router(config)# ip inspect name myfw udp

Step 4—Configure Global Timeouts and Thresholds

CBAC uses several timeout and threshold values to determine the state of a session and the duration for which it is maintained. At times, connections are continually maintained for abruptly terminated sessions that occupy unnecessary resources. Incomplete sessions, idle (unused) sessions, or abruptly terminated sessions can be cleared using the timeout and threshold values.

The timeout and threshold values can be used either with their default values or can be tuned to suit the network requirement. Table 5-1 shows the available CBAC timeout and threshold commands and their default values.

Use the commands listed in the table to modify global timeout or threshold values as required.

Step 5—Apply the Access List and the Inspection Rule to an Interface

For CBAC to take effect, the access list and the inspection rules configured earlier need to be applied to the interface.

Deciding where CBAC should be configured (internal or external interface) is subjective. As shown in Figure 5-3, CBAC inspection can be configured on either internal or external interfaces, a decision that depends entirely on the security policy. When making that decision, consider which segment is required to be protected:

Apply CBAC inspection to the external (outbound) interface when configuring CBAC for outbound traffic.

Apply CBAC inspection to the internal (inbound) interface when configuring CBAC for inbound traffic.

Figure 5-3. Applying ACL and CBAC Inspection

To apply an inspection rule to an interface, use the ip inspect inspection-name {in | out} command in interface configuration mode.

Step 6—Verifying and Monitoring CBAC

Use the show ip inspect [config | interface] command or the show ip inspect all command to verify CBAC configuration settings. To display the statistics and the session information table with all the established and half-open connections for all session flows through the firewall, use the show ip inspect session [detail] command. In addition, use the show ip access-lists command to verify the dynamic access list entries populated in the firewall access list, as shown in Example 5-1 and Example 5-2.

Per-Host DoS Prevention

CBAC provides a more aggressive, TCP-based, host-specific DoS prevention. CBAC monitors the total number of half-open connections initiated to the same destination host address. When the number of incomplete (half-open) TCP connections exceeds the configured threshold, CBAC blocks all subsequent connections to the host for the specified block-time, thereby preventing the flood. To configure per-host CBAC monitoring, use the ip inspect tcp max-incomplete host command. Refer to Table 5-1 for more details on this command.

Example 5-4 shows how to change the max-incomplete host value to 100 half-open sessions, with a block-time of 5 minutes.

Example 5-4. Per-Host CBAC Monitoring for DoS Prevention

Router(config)# ip inspect tcp max-incomplete host 100 block-time 5

Embryonic (Half-Open) Sessions

CBAC provides DoS detection and prevention. An excessive number of half-open sessions (either absolute or measured as the arrival rate) could indicate the possible occurrence of a denial-of-service attack. Traffic patterns can be established for a TCP SYN-flood type of attack. TCP is a connection-oriented transport protocol that requires completing a three-way handshake. Incomplete (half-open) connections mean that the session has not completed the TCP three-way handshake; hence, the session is not established. Because UDP is a connectionless protocol, there is no handshake mechanism; incomplete (half-open) sessions in the UDP context indicate that the firewall has detected no return traffic.

CBAC monitors the total number of half-open connections and the rate of session establishment attempts for both TCP and UDP half-open connections. CBAC monitors these values several times per minute. Adjusting the threshold values for network connections helps prevent DoS attacks by controlling the number of half-open sessions, thereby freeing up network resources occupied by half-open sessions.

Example 5-3 shows a CBAC session table with a few half-open (incomplete) TCP connections.

Example 5-3. Sample Half-Open Connections

Router# show ip inspect session
Half-open Sessions
Session 63938D28 (10.1.1.2:11000)=>(20.1.1.2:23) tcp SIS_OPENING
Session 63938EB8 (10.1.1.2:11001)=>(20.1.1.2:25) tcp SIS_OPENING
Session 639C2343 (10.1.1.20:11012)=>(20.0.0.20:23) tcp SIS_OPENING
Session 63976A22 (10.1.1.20:11013)=>(20.0.0.20:80) tcp SIS_OPENING

When the number of half-open connections exceeds the specified threshold (set with ip inspect max-incomplete high or ip inspect one-minute high number), CBAC deletes subsequent half-open sessions as required to accommodate new incoming connections. CBAC continues to delete half-open connection requests as required until the number of existing half-open sessions drops below another specified threshold (set with ip inspect max-incomplete low or ip inspect one-minute low number). See Table 5-1 for more details on these commands and threshold values.

Table 5-1. Global Timeout and Threshold Values

| Timeout or Threshold Value | Command | Default |
| --- | --- | --- |
| The length of time the software waits for a TCP session to reach the established state before dropping the session | ip inspect tcp synwait-time seconds | 30 seconds |
| The length of time a TCP session will still be managed after the firewall detects a FIN exchange | ip inspect tcp finwait-time seconds | 5 seconds |
| The length of time a TCP session will still be managed after no activity (the TCP idle timeout) | ip inspect tcp idle-time seconds | 3600 seconds (1 hour) |
| The length of time a UDP session will still be managed after no activity (the UDP idle timeout) | ip inspect udp idle-time seconds | 30 seconds |
| The length of time a DNS name lookup session will still be managed after no activity | ip inspect dns-timeout seconds | 5 seconds |
| The number of existing half-open sessions that will cause the software to start deleting half-open sessions | ip inspect max-incomplete high number | 500 existing half-open sessions |
| The number of existing half-open sessions that will cause the software to stop deleting half-open sessions | ip inspect max-incomplete low number | 400 existing half-open sessions |
| The rate of new unestablished sessions in 1-minute intervals that will cause the software to start deleting half-open sessions | ip inspect one-minute high number | 500 half-open sessions per minute |
| The rate of new unestablished sessions in 1-minute intervals that will cause the software to stop deleting half-open sessions | ip inspect one-minute low number | 400 half-open sessions per minute |
| The number of existing half-open TCP sessions with the same destination host address that will cause the software to start dropping half-open sessions to the same destination host address | ip inspect tcp max-incomplete host number block-time minutes | 50 existing half-open TCP sessions; 0 minutes |

The information in Table 5-1 is taken from "Configuring Context-Based Access Control" at

http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sccbac.html#wp4154.
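The following is an added example, not the book's or Cisco's code, that models the two half-open controls described in the Embryonic Sessions and Per-Host DoS Prevention sections: the aggregate max-incomplete high/low watermarks from Table 5-1 and the per-host max-incomplete host threshold with block-time from Example 5-4. It also parses the Half-open Sessions block of Example 5-3 into the model. Session keys, hosts and the minute clock are constructed inputs; the behaviour for block-time 0 is an assumption noted in the code.

```python
"""Added example (not the book's code): a model of the CBAC half-open session
controls from Table 5-1 and Example 5-4. The aggregate control deletes the
oldest half-open sessions once the count exceeds max-incomplete high and stops
once it falls below max-incomplete low; the per-host control blocks new
requests to a destination for block-time minutes once that host's half-open
count exceeds max-incomplete host. Session keys, hosts and the clock (in
minutes) are constructed; EXAMPLE_5_3 is the session output from Example 5-3."""
import re
from collections import OrderedDict

EXAMPLE_5_3 = """\
Half-open Sessions
Session 63938D28 (10.1.1.2:11000)=>(20.1.1.2:23) tcp SIS_OPENING
Session 63938EB8 (10.1.1.2:11001)=>(20.1.1.2:25) tcp SIS_OPENING
Session 639C2343 (10.1.1.20:11012)=>(20.0.0.20:23) tcp SIS_OPENING
Session 63976A22 (10.1.1.20:11013)=>(20.0.0.20:80) tcp SIS_OPENING
"""
SESSION_RE = re.compile(r"Session \S+ \((\S+):(\d+)\)=>\((\S+):(\d+)\) (\w+) (\w+)")


class HalfOpenMonitor:
    """Tracks half-open TCP sessions and applies the CBAC thresholds."""

    def __init__(self, high=500, low=400, host_max=50, block_time=0):
        self.high, self.low = high, low        # ip inspect max-incomplete high / low
        self.host_max = host_max               # ip inspect tcp max-incomplete host N
        self.block_time = block_time           # ... block-time M (minutes)
        self.half_open = OrderedDict()         # session key -> destination host, oldest first
        self.blocked_until = {}                # destination host -> minute the block ends
        self.deleting = False                  # True between crossing high and falling below low
        self.deleted = self.rejected = 0

    def host_count(self, dst):
        """Number of half-open sessions to one destination host."""
        return sum(1 for d in self.half_open.values() if d == dst)

    def _drop_oldest(self, dst=None):
        key = next(k for k, d in self.half_open.items() if dst is None or d == dst)
        del self.half_open[key]
        self.deleted += 1

    def syn(self, key, dst, now):
        """A new connection request at minute `now`; returns 'tracked' or 'blocked'."""
        if self.blocked_until.get(dst, -1) > now:    # per-host block still in force
            self.rejected += 1
            return "blocked"
        if self.deleting and len(self.half_open) < self.low:
            self.deleting = False                    # back below low: stop deleting
        if self.deleting and self.half_open:
            self._drop_oldest()                      # make room for the new request
        if self.host_count(dst) >= self.host_max:    # this request exceeds the host limit
            if self.block_time > 0:
                self.blocked_until[dst] = now + self.block_time
                self.rejected += 1
                return "blocked"
            # block-time 0: assumed here to drop that host's oldest half-open
            # session instead of blocking the new request
            self._drop_oldest(dst)
        self.half_open[key] = dst
        if len(self.half_open) > self.high:          # crossed high: start deleting
            self.deleting = True
        return "tracked"

    def established(self, key):
        """The three-way handshake completed, so the session is no longer half-open."""
        self.half_open.pop(key, None)


def load_half_open(show_output, monitor, now=0):
    """Feed the SIS_OPENING lines of `show ip inspect session` into a monitor."""
    loaded = 0
    for line in show_output.splitlines():
        m = SESSION_RE.search(line)
        if m and m.group(6) == "SIS_OPENING":
            monitor.syn(f"{m.group(1)}:{m.group(2)}", m.group(3), now)
            loaded += 1
    return loaded
```

With the small watermarks used in the test below, the model shows why the count does not fall by deletion alone: while deleting, every new request replaces the oldest half-open session, and only completed handshakes bring the total back under the low watermark.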