Introduction to Firewalls

Hi, I want to know how the ASA FW does packet inspection on encrypted packets. If a browser is using HTTPS to access something, how does the ASA do deep packet inspection?

Hello Suman

HTTPS filtering is not supported on ASA due to the fact that HTTPS content is encrypted. So no deep packet inspection can be applied. This is according to the following Cisco documentation:

I hope this has been helpful!

Laz

hi,

If I don’t have the hardware, how can I practice with the ASA firewall?

Thanks,
Tin

Hello Tin

The ASA is available on the GNS3 platform. Take a look at this information from the GNS3 site that details how to get the ASA working on their platform.

I hope this has been helpful!

Laz

Hi Rene,
Thanks for this tutorial, but I think you should have discussed the types of firewalls.

From my point of view, the R&S material (CCNA to CCIE) you created and share globally is great; it has helped me a lot, and I think others as well. So I want to give my view that you must add a Security part (CCNA to CCIE), both written and lab, to your curriculum.

BTW, thanks a lot again to you and Laz too for creating this channel and the good support for clearing doubts.

I am working on some firewall/data center labs and came across a similar design, and I am trying to find the best way to approach it. The "FW placement 1" image is what I have in my lab, and I am trying to force the traffic to my firewall before it goes to the HSRP Cisco 1841s. I have two 3750 L3 switches that have 4 VLANs on them. I can point them to the firewall, but I am kind of lost after that. I am used to having the firewall on the outside.

1. Would this be the equivalent of hairpinning?
2. Without changing the configuration, would I have to do a static route and leave no default routing?

Any suggestions would be appreciated.

M

FW placement 1 (image)

FW placement 2 (image)

Hello Matt

There is no single best answer, but there are specific principles that will determine the best arrangement for a particular topology.

Remember that a firewall introduces another location where routing takes place. This affects your topology, as well as introducing a single point of failure into the network if you have only one device. So if you have an HSRP arrangement and you want to maintain that redundancy, introducing a high availability firewall implementation is necessary.

Next you have to determine if “firewall on a stick” is the way to go for you. In the options described in the diagrams, this is the topology that is represented. Typically, you will have three VLANs hanging off of the ASA (inside, DMZ, outside). If you use firewall on a stick, a single physical link will be used to carry traffic for all three VLANs. Alternatively, you can use three physical connections to your switches, but that uses up valuable physical ports on your switches. For this reason, you may want to place them physically inline, between the 3750s and the 1921s shown in the first diagram. That, in turn, seems to defeat the purpose of the HSRP configuration, so you may consider replacing the 1921s with an Active/Active firewall arrangement, which will perform the same type of redundancy as the HSRP implementation. In this way, you remove additional points of failure.

If I were building something from scratch, I’d connect the firewalls directly to the service provider in an Active/Active arrangement to replace the HSRP routers. I’d connect both firewalls to both 3750 switches with two physical connections each (DMZ and inside network) and let the 3750s do the rest of the routing for the rest of the internal VLANs.

I would only use the firewall on a stick topology in an already established network for which I want to change the least amount of things.

I know I haven’t definitively answered the question, simply because there is no definitive answer. But I hope it gives you more insight in order to decide on how to proceed.

If your topology is similar to the first diagram, then you would have to configure firewall on a stick for each ASA, and then have all your outgoing traffic (from both DMZ and inside networks) use the firewall as the default gateway (or at least route the traffic there), and have the firewall route traffic to the HSRP virtual address.

I hope this has been helpful!

Laz

1 Like
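As an added example (not from the thread and not from the linked lesson), here is what the first diagram's firewall-on-a-stick arrangement looks like in configuration, with one ASA in single-context routed mode and the 3750s still routing the user VLANs. VLAN IDs, interface names and addresses are assumed; NAT and HA are left out to keep the routing point visible. It also answers the two numbered questions: the 3750 needs a default route to the ASA, the ASA needs a default route to the HSRP virtual IP, and inside-to-DMZ traffic is not a hairpin because each subinterface is a distinct ASA interface.

```cisco
! ---- ASA, single context, routed mode: firewall on a stick ----
! One physical link to the 3750 carries three 802.1Q subinterfaces.
! VLAN IDs, addresses and names are assumed for this example.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 vlan 30
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! The other internal VLANs still live on the 3750s (assumed 10.1.0.0/16):
! send them back to the 3750's inside-VLAN address.
route inside 10.1.0.0 255.255.0.0 10.1.10.2 1
! Everything else goes to the HSRP virtual IP shared by the two edge routers.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Not needed here: inside<->dmz traffic enters on one subinterface and leaves
! on another, so it is not a hairpin. Only enable this if a flow must enter and
! leave the SAME interface (a true U-turn).
! same-security-traffic permit intra-interface
!
! ---- 3750 (Layer 3 switch), assumed port numbers ----
interface GigabitEthernet1/0/1
 description to ASA Gi0/0 (firewall on a stick)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
!
! All traffic leaving the user VLANs is handed to the ASA inside address;
! no static route for the Internet is needed beyond this default.
ip route 0.0.0.0 0.0.0.0 10.1.10.1
```

The HSRP routers sit in VLAN 30 as plain Layer 2 members of the 3750 trunk, so the 3750 has no SVI for that VLAN; they need a return route for 10.1.0.0/16 via 203.0.113.2 unless the ASA NATs it. Checks after applying: `show interface ip brief` and `show route` on the ASA should list all three subinterfaces as up/up and the default route via the HSRP VIP, and `show ip route` on the 3750 should show the static default via 10.1.10.1.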

Laz,

This has been very helpful and thank you for your candid response. You brought up some points to consider and overall helped me to understand this method as opposed to the traditional one. I will work on your recommendations and then see how it goes. Thanks again for your response, much appreciated!

M

1 Like

Hi Rene,

It is a great video. Even though I know some of the concepts, you have tied routers, firewall, firewall server and DMZ together and explained the functionality very well. I understand the individual modules.
Awesome job!
Keep up the great work!
Thank you,
Sreeni

Dear sir,

I would like to know how to verify that the following are configured in our ASA firewall:

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Hardware: ASA5585-SSP-20

MD5

0e6552c7590de315878f73346f482b14
443f39b28a5b2434f1985f2fc43dc034
79abd17391adc6251ecdc58d13d76baf
3175ffeef775a428502f51818d854f02

SHA1

31c3f7b523e1e406d330958e28882227765c3c5e
C5938ec75e5b655be84eb94d73adec0f63fbce16

SHA256

195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9
30b72e83d66cbe9e724c8e2b21179aecd4bcf68b2ec7895616807df380afab54
33afa2f1d53d5279b6fc87ce6834193fdd7e16e4b44e895aae4b9da00be0c502
4080402553e9a86e954c1d9b7d0bb059786f52aba4a179a5d00e219500c8f43d
5603a16cbf81d183d3ff4ffea5477af1a4be01321865f0978c0e128051ec0a82

Regards,
Mani

Hello Manikandan

I’m not quite sure what you are asking. MD5, SHA1, and SHA256 are encryption algorithms used in a variety of ASA features including VPNs, digital certificates, and the NTP protocol, to name a few. What in particular were you looking for?

Let us know so that we can help you further.

Laz

Dear Laz,

I missed your email. These are a list of Indicators of Compromise (IOC), as attached. We have to scan our network, in particular the firewall and DNS servers.
If any hit is found, we need to block it.

Thank you
Regards,
Mani

IOCs List.zip (22 Bytes)

Hello Mani

After doing some research, I have found that the Cisco ASA supports such IoC indicators when coupled with FirePOWER. You can take a look at this Cisco documentation that specifies more about how to configure it for an ASA.

This Cisco blog also talks about how it can be implemented on both network and endpoint devices:


However, it seems that without FirePOWER, implementing these IoC indicators on an ASA is not possible.

I hope this gives you some more information about what you need. (Also, it seems that your zip file attachment is empty.) If you need more information, please clarify your question so that we can respond to it specifically.

I hope this has been helpful!

Laz
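The values Mani posted are file digests (32, 40 and 64 hex characters, i.e. MD5, SHA-1 and SHA-256), so they identify files, not flows: an ASA without FirePOWER has nothing to compare them against, but the DNS servers and other hosts can be checked directly. The script below is an added example, not code from the thread or from Cisco. It parses a mixed IOC list exactly as posted above (section headers, a mixed-case SHA-1), hashes every file under a directory once for all three algorithms, and reports matches. The IOC values are the ones from the thread reproduced as sample input; the "suspect" file and its digest are constructed here so that the scan has something to hit.

```python
"""Match files against a hash-based IOC list (MD5 / SHA-1 / SHA-256)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Digest length in hex characters identifies the algorithm.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# IOC values as posted in the thread, used here only as sample input.
IOC_TEXT = """
MD5
0e6552c7590de315878f73346f482b14
443f39b28a5b2434f1985f2fc43dc034
SHA1
31c3f7b523e1e406d330958e28882227765c3c5e
C5938ec75e5b655be84eb94d73adec0f63fbce16
SHA256
195ef8cfabc2e877ebb1a60a19850c714fb0a477592b0a8d61d88f0f96be5de9
30b72e83d66cbe9e724c8e2b21179aecd4bcf68b2ec7895616807df380afab54
"""

# Constructed, benign sample content; demo() adds its SHA-256 to the IOC set
# so that the scan has a file to match (this is an assumption for the demo).
SAMPLE_BYTES = b"constructed sample file for the IOC scan demo\n"


def parse_ioc_list(text):
    """Sort hash strings by algorithm. Headers such as 'MD5', blank lines and
    anything that is not pure hex of a known length are skipped, and hashes are
    lower-cased so mixed-case feeds still match hexdigest() output."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in text.splitlines():
        token = raw.strip()
        algo = HEX_LEN_TO_ALGO.get(len(token))
        if algo is None or not HEX_RE.match(token):
            continue
        iocs[algo].add(token.lower())
    return iocs


def hash_bytes(data):
    """All three digests of an in-memory byte string."""
    return {a: hashlib.new(a, data).hexdigest() for a in HEX_LEN_TO_ALGO.values()}


def hash_file(path, chunk_size=1 << 20):
    """All three digests in a single pass over the file (one read for large files)."""
    hashers = {a: hashlib.new(a) for a in HEX_LEN_TO_ALGO.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root, iocs):
    """Return (path, algorithm, digest) for every file whose digest is an IOC."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        for algo, digest in hash_file(path).items():
            if digest in iocs[algo]:
                hits.append((str(path), algo, digest))
    return hits


def demo():
    """Build a throwaway directory with one matching and one clean file, scan it,
    and return the hits with the temporary directory stripped from the paths."""
    iocs = parse_ioc_list(IOC_TEXT)
    iocs["sha256"].add(hash_bytes(SAMPLE_BYTES)["sha256"])  # constructed IOC
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "suspect.bin").write_bytes(SAMPLE_BYTES)
        (Path(tmp) / "clean.txt").write_bytes(b"nothing to see here\n")
        hits = scan_tree(tmp, iocs)
    return [(Path(p).name, algo, digest) for p, algo, digest in hits]


if __name__ == "__main__":
    for name, algo, digest in demo():
        print(f"HIT {name}: {algo}={digest}")
```

Point `scan_tree` at a real directory with the parsed list to use it on a host. A hash IOC only matches an identical file, so a recompiled or padded variant will not hit; that is why the FirePOWER/AMP route Laz mentions, or a network-level indicator (domain, IP) on the DNS side, is usually needed alongside this kind of check.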

Dear Laz,
Our ASDM version doesn’t have this FirePOWER module. I have attached the ASDM and ASA versions for your reference.
Kindly advise whether an upgrade of ASDM is required to get this FirePOWER module.

(image attached)

Hello Mani

There are several ways in which FirePOWER can be incorporated into the use of an ASA device. One way is to use the Firepower Management Center (FMC), which is standalone software that manages multiple FirePOWER-enabled ASAs. In this scenario, ASDM is not used at all, but is replaced by the FMC. More info about this type of implementation can be found here:

Alternatively, you can enable an ASA with FirePOWER and manage it using the ASDM software. More about how this can be done can be found in the following Cisco documentation:

FMC is considered an “off-box” solution, which means that the intelligence of FirePOWER is found within the independent server while ASDM is considered the “on-box” solution because both FirePOWER and ASDM are installed and run from the ASA device itself.

I hope this has been helpful!

Laz

(image: CaptASA)

Dear sir ,

Thank you for your help provided.
Good day. Currently 10 physical interfaces have been added to the FW. One of the customers needs one more network added to the firewall. When I want to add an interface, it looks like there is no hardware port available. Can this model support creating one more hardware port? If yes, how do I enable the hardware port?

Thank you

Regards,
Mani
(image: verASA)

Hello Mani

Each firewall interface can have only one subnet connected to it. If a customer requires more subnets within their network, they will have to have a router or layer 3 switch that performs the routing between their internal networks. Then, any traffic going outbound via the firewall can be forwarded to the physical interface of the firewall connected to their network.

Alternatively, if you want to provide them with multiple subnets that actually terminate on the firewall, you can create subinterfaces. However, this will cause the firewall to act as a router for traffic travelling between subnets of that particular customer, something that will take up more CPU and memory resources of your firewall.

For more information about subinterfaces on an ASA firewall, take a look at this lesson:

I hope this has been helpful!

Laz

Dear sir,

We have two core switches configured with HSRP. The user switches are connected to the Nexus 5K switches, which are then connected to the core switches, where the FW and router are connected. The customer network is connected to the end switch. One server segment is connected to the firewall. Instead of adding a subinterface, do I have to add another subnet for the server on the core switch? Any idea how to do the configuration and the connection as well?

And the firewall can’t see the physical interface in the CLI or GUI. Physically, I noticed TenGig0/8. The 10G port is used for a few customers as a trunk, which is connected to the core switch, which is also a 10G trunk port.

Another 10G connection, TenGi0/9, has 3 more networks.
One of the interfaces is named SEC, and the VLAN is 282.
6 networks are configured as below on one 10G port.

 nameif SEC
 security-level 90
 ip address 172.25.185.129 255.255.255.192 standby 172.25.185.130

DCR8R1-N7K01# sh mac address-table |i  00a0.c917.0101
* 40       00a0.c917.0101    dynamic   0          F    F  Eth1/31
* 88       00a0.c917.0101    dynamic   0          F    F  Eth1/31
* 276      00a0.c917.0101    dynamic   0          F    F  Eth1/31
* 278      00a0.c917.0101    dynamic   0          F    F  Eth1/31
* 282      00a0.c917.0101    dynamic   0          F    F  Eth1/31
* 291      00a0.c917.0101    dynamic   0          F    F  Eth1/31

interface Ethernet1/31
  description <to ASA01 Te0/8>
  switchport
  switchport mode private-vlan trunk promiscuous
  logging event port link-status
  switchport private-vlan mapping 40 476,487,491
  switchport private-vlan trunk allowed vlan 1-3967
  switchport private-vlan mapping trunk 40 476,487,491
  no shutdown

DCR8R1-N7K01#

If they were previously configured as subinterfaces, how do I verify it?
Model is ASA5585-SSP-20

How do I add one additional subinterface?

Any ideas? Please help with two methods to connect the new network.

Thank you

Regards,
Mani

Hello Mani

It would be very helpful if you could include a diagram with your explanation as it is difficult to follow and understand your topology. However, concerning this question:

If you want to find out more about how to configure, or how to understand a configuration of subinterfaces on the ASA, take a look at the following lesson:

I await your clarifications to be able to answer the rest of your questions.

I hope this has been helpful!

Laz
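For the context-mode questions in this exchange (how to verify existing subinterfaces, why the physical port is not visible, and how to add one more), here is an added example that is not from the thread or from the linked lesson. In multiple-context mode the physical ports and their subinterfaces exist only in the system execution space (`changeto system`), which is why a context's CLI or ASDM shows only the interfaces allocated to it. The repeated MAC 00a0.c917.0101 across VLANs 40, 88, 276, 278, 282 and 291 on Eth1/31 in the Nexus output above is what a set of subinterfaces sharing one ASA port (Te0/8) looks like from the switch side. The new VLAN 283, the parent port Te0/9, the context name, the nameif and the addresses below are all assumed.

```cisco
! ---- System execution space: verify what already exists ----
changeto system
show running-config interface TenGigabitEthernet0/8
show running-config interface TenGigabitEthernet0/9
! lists every context and the interfaces allocated to it
show context
!
! ---- System execution space: create the new subinterface and allocate it ----
! Assumed: VLAN 283 on TenGigabitEthernet0/9, context named CUSTOMER-A.
configure terminal
interface TenGigabitEthernet0/9
 no shutdown
!
interface TenGigabitEthernet0/9.283
 vlan 283
!
context CUSTOMER-A
 allocate-interface TenGigabitEthernet0/9.283
end
!
! ---- Inside the context: give the allocated subinterface its identity ----
! Assumed: nameif SEC2, security-level matching the existing SEC segment,
! addresses from the next /26 after the one posted above.
changeto context CUSTOMER-A
configure terminal
interface TenGigabitEthernet0/9.283
 nameif SEC2
 security-level 90
 ip address 172.25.185.193 255.255.255.192 standby 172.25.185.194
end
!
! ---- Verification from inside the context ----
! The new subinterface should appear up/up with its address; the parent
! physical port will still not be listed here, only in the system space.
show interface ip brief
show nameif
!
! ---- Nexus 7000 side (assumed) ----
! Eth1/31 is already a trunk allowing VLANs 1-3967 (see the output above),
! so the VLAN only has to exist on the switch for the tag to be forwarded.
vlan 283
  name CUSTOMER-A-SEC2
```

Once the new subinterface is up, `show mac address-table | include 00a0.c917.0101` on the N7K should gain a line for VLAN 283 on the trunk facing the ASA, which is the quickest end-to-end check that the tag is actually being carried.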

Dear sir,

I need to know how to add an additional subinterface for another segment on a context-based ASA 5585-SSP-20.
If that can’t be done, how do I connect new segments on the core switch, a Nexus 7K?

Thank you

Regards,
Mani