00:00:01 - ASA firewall, the Adaptive
00:00:04 - Appliance from Cisco Systems.
00:00:06 - In this video, you and I are
going to take a look at the
00:00:09 - thought process of how an ASA
acts by default, what the
00:00:13 - default behaviors are, what
flows are allowed.
00:00:16 - And once we understand the logic
of how it thinks, you
00:00:18 - and I are going to take an ASA
with a brand new wiped config
00:00:23 - and configure it from zero
to functioning firewall,
00:00:26 - including network address
translation and policy
00:00:28 - modification in this Nugget.
00:00:30 - We'll get live on
00:00:31 - Let's jump in.
00:00:33 - We should probably begin our
journey in the world of the
00:00:35 - adaptive security appliance by
pointing out that that's what
00:00:38 - ASA stands for.
00:00:40 - The ASA is the Adaptive
Security Appliance, a
00:00:42 - purpose-built firewall
00:00:45 - And it does lots of really
amazing things, which we'll
00:00:48 - talk about.
00:00:48 - But the most primary functional
thing it does is
00:00:52 - something called stateful
00:00:56 - And you're like Keith, you mean
stateful filtering, just
00:00:58 - like a zone-based firewall?
00:00:59 - That's what I'm talking about.
00:01:00 - It does stateful filtering.
00:01:02 - So as an example, and a quick
review, if Bob was right here
00:01:06 - and Bob wanted to go out to the
internet, Bob would send
00:01:09 - traffic out to the internet.
00:01:11 - The firewall would do stateful
00:01:13 - filtering, put that information
00:01:15 - in a session table.
00:01:16 - Why?
00:01:17 - So that when the server replied,
the ASA could say,
00:01:20 - oh, this matches correctly.
00:01:22 - What Bob sent out is the
correct return traffic.
00:01:25 - I will go ahead and dynamically
allow that to come
00:01:27 - back to Bob.
00:01:28 - That's it in a nutshell, the
primary function of the ASA is
00:01:32 - stateful inspection.
00:01:33 - So how does it do it?
00:01:34 - How does it decide whether or
not traffic should be allowed
00:01:38 - in the first place?
00:01:40 - So for this ASA right here,
let's give it a name.
00:01:42 - Let's call it ASA-1,
make it personal.
00:01:45 - And ASA-1, when he gets Bob's
packet that needs to be
00:01:48 - forwarded out to 22.214.171.124, let's
consider what's required
00:01:53 - to make that happen.
00:01:54 - The first thing that's
overlooked a lot is something
00:01:58 - called routing.
00:02:00 - If this ASA gets a packet and
the packet is destined to
00:02:04 - 126.96.36.199, and the ASA looks at
its routing table and say, I
00:02:07 - have no clue how to forward
00:02:10 - I've got no default route.
00:02:11 - I don't have that
00:02:13 - I haven't learned
00:02:14 - The packet is going
to be dropped.
00:02:16 - So routing is critical
to be in place.
00:02:18 - So let's assume that routing is
in place, that we got an IP
00:02:21 - address from our DHCP server
on the internet from the
00:02:24 - service provider.
00:02:25 - We have a default route to
that service provider.
00:02:28 - How do we decide whether or not
Bob's packet is allowed?
00:02:32 - And the secret to understanding
this, I kid you
00:02:34 - not, is water.
00:02:36 - I want you to write
out with me water.
00:02:38 - And we're going to a little
graphical representation here.
00:02:41 - I want you to imagine that
there's a river.
00:02:44 - And this river is going
in this direction.
00:02:48 - So we have a river, it's going
in this direction, and it
00:02:51 - happens to be at 100
00:02:57 - So imagine visually, there's
water at 100 feet going in
00:03:00 - this river, slightly downhill,
and then there's a cliff.
00:03:04 - And I will label that so there's
no mistaking that
00:03:06 - there's a cliff right here.
00:03:09 - And the cliff actually goes down
until it hits some more
00:03:12 - ground at zero feet.
00:03:15 - And then the river continues.
00:03:17 - Now, my question is, what
happens to water as it's going
00:03:20 - down the river and
hits this cliff?
00:03:23 - Does it go down or doesn't it?
00:03:26 - I want you to think about
that with me.
00:03:27 - Does the water go down the cliff
from 100 feet down to 0
00:03:31 - feet, yes or no?
00:03:32 - And the answer is, without
00:03:36 - non-gravity, external force
scenario, water's going to go
00:03:40 - from higher to lower.
00:03:42 - And that, my friends, is how the
ASA decides whether or not
00:03:46 - it is going to forward traffic,
00:03:48 - routing in place.
00:03:50 - Every interface-- and let's take
a look at them right now.
00:03:52 - Every interface has associated
with it a security level.
00:03:56 - The inside interface here,
I've named it INSIDE.
00:03:58 - By the way, on the ASA, we use
these really clever names to
00:04:02 - configure the interfaces.
00:04:03 - So when we're configuring
details for this interface
00:04:07 - right here, I would refer
to its name, which
00:04:09 - I gave it of INSIDE.
00:04:10 - I also gave this interface the
name of DMZ, and I gave this
00:04:13 - interface the name of OUTSIDE.
00:04:15 - But besides a name, which every
good interface is going
00:04:17 - to have on an ASA that's doing
routing, we're also going to
00:04:21 - have this security level.
00:04:22 - So security level of 100
is on the inside.
00:04:25 - A security level of
50 is on the DMZ.
00:04:27 - And a security level of 0.
00:04:29 - So let's get back
to Bob's packet.
00:04:31 - Bob's sending a packet.
00:04:32 - It goes to the ASA because
that's his default gateway
00:04:35 - very likely in this topology.
00:04:37 - And the ASA says, oh, I've
got to default route.
00:04:39 - I know how to get to 188.8.131.52,
not a problem.
00:04:42 - It needs to go out the
00:04:44 - to the service provider.
00:04:45 - And that's the magic where it
gets to compare, am I going to
00:04:49 - forward this initial traffic?
00:04:50 - If the traffic is going from
100 and it's going out an
00:04:54 - interface based on the routing
table that has a security
00:04:56 - level of 0, the answer is yes.
00:04:59 - I am willing.
00:05:00 - I am willing to forward the
packet, and it will forward
00:05:02 - the packet.
00:05:03 - That's the secret of, does the
initial packet, does initial
00:05:07 - flow go through the ASA if it's
coming in on an interface
00:05:10 - that's higher security
level-wise than the exit
00:05:14 - interface based on the routing
table of the ASA, that traffic
00:05:17 - will be allowed.
00:05:18 - Higher to lower goes.
00:05:20 - So that's the secret of deciding
whether the packet's
00:05:23 - going to flow.
00:05:23 - Let me do a couple scenarios
00:05:25 - Let's say I have a user on
the inside, and that user
00:05:28 - wants to ping 172--
00:05:30 - left not use ping.
00:05:31 - Let's use web services.
00:05:33 - Let's say the user, Bob, wants
to open up in a web browser to
00:05:37 - a DMZ server that's at 0.10.
00:05:40 - So he puts in his browser
00:05:44 - The packet goes to the ASA.
00:05:46 - The ASA does a route lookup
that's directly connected to
00:05:48 - these two networks.
00:05:49 - And the ASA says, should
I forward this initial
00:05:52 - frame, yes or no?
00:05:53 - The source is 100, the
destination, based on the
00:05:57 - routing table of
the ASA, is 50.
00:05:59 - So it's going from 100 to 50.
00:06:00 - Does the initial packet and
subsequent flow of traffic,
00:06:04 - does it go?
00:06:05 - And the answer is just
like water, higher to
00:06:08 - lower goes by default.
00:06:10 - Isn't that fantastic?
00:06:11 - Let's do one more.
00:06:12 - This is a great game.
00:06:13 - And it's an important game too,
because these are the
00:06:15 - fundamentals that when you get
into CCNP security and CCIE
00:06:20 - security, understanding that
basic thought process of the
00:06:24 - ASA is going to be critical
for the real world and for
00:06:27 - your certification.
00:06:28 - So let's do a couple
00:06:30 - So we have a user here.
00:06:32 - So we have a user sitting at
a web server, for whatever
00:06:35 - reason, and he wants
to open up a web
00:06:38 - browser out to 184.108.40.206.
00:06:41 - So he opens up a browser,
he forwards the
00:06:44 - packet, it hits the ASA.
00:06:45 - The ASA does a route lookup
and says, oh, to get to
00:06:48 - 220.127.116.11, I don't have a
more specific route.
00:06:51 - I'm going to use my default
00:06:52 - is the service provider.
00:06:55 - It now knows the ingress
interface, the DMZ.
00:06:58 - It knows the egress interface
of the OUTSIDE.
00:07:01 - It compares the security levels
and says, this is from
00:07:03 - 50 going to 0.
00:07:05 - Does it go, yes or no?
00:07:08 - And the answer is absolutely
yes, higher to lower.
00:07:11 - It's just like water.
00:07:12 - So what have we identified
00:07:13 - You're doing great,
by the way.
00:07:15 - Fantastic progress.
00:07:17 - We've identified that these
flows will go by default.
00:07:19 - I'll put them in green.
00:07:22 - That would work because it's
going from 100 to 50.
00:07:25 - This would work because it's
going from 50 to 0.
00:07:28 - And this would work because
it's going from 100 to 0.
00:07:32 - Are you with me?
00:07:33 - Those are all the initial flows
of traffic that the ASA
00:07:37 - by default, without any
additional changes to the
00:07:39 - security policy, would
allow to happen.
00:07:41 - Now, what about the
00:07:43 - Oh my gosh, with if these
users all initiate these
00:07:46 - connections.
00:07:47 - How in the world is reply
traffic going to get back?
00:07:49 - And the answer is stateful
00:07:52 - Stateful inspection is on by
default for TCP and UDP.
00:07:56 - So a lot of the most common
applications that ride on top
00:07:59 - of those layer 4 protocols, the
sessions will be analyzed,
00:08:03 - inspected, statefully
remembered, and return traffic
00:08:05 - is going to be allowed
00:08:07 - Fantastic story, it's just like
in zone-based firewalls.
00:08:10 - By default, the ASA is doing a
fantastic job of saying no.
00:08:15 - 0 to 50 is a no.
00:08:16 - 0 to 100 is a no.
00:08:18 - And you know what
else is a no?
00:08:20 - 50 to 100 is a no.
00:08:21 - So all those reds right there
are all no's by default.
00:08:26 - So we have a very, very secure
security posture right out of
00:08:29 - the gate with the adaptive
security appliance because if
00:08:32 - these are the security levels
we're using, the outside world
00:08:35 - can't get to us but we can
get to the outside world.
00:08:38 - So the immediate next question
normally comes up saying,
00:08:41 - well, Keith, you've got a couple
of web servers here on
00:08:44 - the DMZ, or email servers,
or other public servers.
00:08:47 - Don't you want, like Jim on
the internet to be able to
00:08:50 - access your servers?
00:08:51 - And the answer is yes.
00:08:53 - So what we could do on an
outside interface, as an
00:08:56 - example, is we could
use an ACL.
00:08:58 - And ACLs will override the
default security levels.
00:09:02 - Meaning if we say on the ACL,
permit HTTP traffic TCP port
00:09:07 - 80 to these two web servers,
then Jim on the internet, as
00:09:11 - he comes into this interface,
if the ACL says permit it,
00:09:15 - even though it's trying to go
from a 0 to a 50, the ACL
00:09:18 - because it says permit, the
traffic would be allowed.
00:09:20 - So ACLs can be exceptions
to the rule.
00:09:24 - That could also be a bad thing
for Bob over here.
00:09:26 - If we have rules in place where
we don't want Bob to be
00:09:30 - able to go out using certain
protocols, we could go ahead
00:09:33 - and put an access control list
inbound on the INSIDE
00:09:35 - interface and simply tell
the ASA, you know what?
00:09:38 - We're not allowing any
kind of telnet.
00:09:40 - So even though it would be
traffic from higher going to
00:09:43 - some lower interface, because of
the ACL that says no telnet
00:09:47 - or no other protocol that you
want to deny, the ACL would
00:09:51 - triumph and win over the default
00:09:56 - So what else can this little
box do for us?
00:09:58 - I say little box.
00:09:59 - This is a 5505.
00:10:01 - It has some bigger brothers that
are based on the ability
00:10:04 - to have more capacity.
00:10:06 - So not every size fits all.
00:10:07 - If we're in a larger
environment, we'd probably buy
00:10:09 - a bigger model, bigger
flavor of the ASA.
00:10:12 - But the basic functionality is
the same in all of them.
00:10:15 - So on the 5505, we've
got the front here.
00:10:18 - And this was built for a small
00:10:21 - And it's got a built-in
00:10:22 - Somebody said, I don't want to
have to buy a physical switch
00:10:25 - and a router and a firewall.
00:10:27 - Can I just get all that
functionality built into one?
00:10:29 - And Cisco said, absolutely,
00:10:32 - So here's the features
that are supported.
00:10:34 - We have stateful inspection for
Bob's traffic as it goes
00:10:36 - out to the internet, so
the return traffic
00:10:38 - can come back in.
00:10:39 - We have access lists that we can
use on the interfaces for
00:10:43 - overriding that policy
if we need to let--
00:10:45 - for example, Jim
go to a server.
00:10:47 - We have application
00:10:50 - So if Bob agrees, if Bob says,
yes, I won't use any
00:10:53 - peer-to-peer networking software
ever, I promise.
00:10:56 - The ASA can analyze all the
traffic going through it.
00:11:00 - If it sees peer-to-peer, it can
drop it based on policy.
00:11:03 - See, people can hide
00:11:05 - in different protocols.
00:11:06 - They can hide it under, maybe
port 80 or other ports that
00:11:09 - maybe are trying to hide their
HTTP, but they're really not.
00:11:13 - With protocol and application
inspection, the ASA
00:11:16 - can figure that out.
00:11:17 - It can say, oh my goodness,
00:11:19 - not valid HTTP traffic.
00:11:20 - I'm going to go ahead
and drop it.
00:11:22 - It also supports a little
solution for this problem.
00:11:26 - This is a private IP
00:11:28 - This is a private IP
00:11:29 - The internet doesn't route
private IP addresses.
00:11:33 - So we can't use these addresses
on the internet, so
00:11:35 - it also supports NAT and PAT
and all of its flavors.
00:11:40 - So if we had one IP address here
from a DHCP server, we
00:11:43 - could do port address
translation and translate,
00:11:46 - maybe not the DMZ devices
but our internal
00:11:48 - users to that one address.
00:11:50 - And then we could NAT
the servers to other
00:11:52 - globally-reachable
addresses so that
00:11:54 - they could be accessed.
00:11:55 - Or, we could actually do port
address translation just for
00:11:58 - port 80, and have port 80
redirected to one or both of
00:12:02 - these servers.
00:12:03 - There's also VPN support.
00:12:04 - So Jill, out on the internet,
wants to get to the home
00:12:07 - office and she can build a
virtual private network from
00:12:11 - her computer on the internet
all the way to the ASA.
00:12:14 - Could it use SSL?
00:12:15 - Could it use IPsec?
00:12:16 - And the answer is yes, it
supports both of those.
00:12:19 - Even the little 5505, you get
two licenses for VPNs.
00:12:23 - And you can purchase additional
00:12:25 - additional users
if you need to.
00:12:28 - What else does it do?
00:12:29 - It supports object groups.
00:12:33 - Very similar to what we
have on the router as
00:12:35 - far as object groups.
00:12:36 - So if you wanted to have an
access list that identified an
00:12:39 - object group and the object
group could then reference 10
00:12:41 - or 20 different servers as far
as IP addresses go, very
00:12:45 - capable of doing that right
here on the ASA.
00:12:48 - It also has the ability
to do something
00:12:49 - called botnet filtering.
00:12:52 - Now, what is a botnet?
00:12:54 - I am a robot.
00:12:54 - I am at your command.
00:12:56 - What if we had 10,000 machines
that we had comp-- not we, but
00:13:00 - somebody had compromised, and
any time that attacker wanted
00:13:04 - to use those 10,000 machines to
launch an attack, it could.
00:13:07 - That would be an example
of a botnet.
00:13:09 - There's botnet support.
00:13:11 - And it can even leverage
00:13:14 - So you can actually subscribe
and actually get information
00:13:17 - on botnets that are out there,
and that way the ASA can
00:13:20 - self-defend your network
and say, oh my
00:13:22 - goodness, there's a botnet.
00:13:23 - It's well defined.
00:13:24 - It's attacking across
00:13:26 - And we can learn that
information from an external
00:13:29 - trusted source, like Cisco, and
then the botnet filtering
00:13:33 - could protect against that
specific type of traffic and
00:13:36 - those addresses that are
involved in the botnet.
00:13:40 - A few other features that are
also supported for example, if
00:13:43 - we wanted to administer this box
and not have to keep all
00:13:45 - our user names and passwords
on the ASA
00:13:47 - itself, we can use AAA.
00:13:49 - Very similar to how we did it
with our routers, by setting
00:13:52 - up authentication, proving who
people are, authorization--
00:13:56 - what are they allowed to do--
and accounting records being
00:13:58 - sent back to a AAA server.
00:13:59 - And finally, we also have
00:14:02 - High availability means
00:14:04 - That's what that means.
00:14:05 - Why buy one when you can buy
two at twice the price?
00:14:08 - For companies that can't afford
to be down, by having
00:14:11 - two adaptive security appliances
side by side
00:14:14 - forwarding traffic.
00:14:15 - If one goes belly up, the
other keeps going.
00:14:17 - That's an important feature
for most commerce and
00:14:20 - real-time network applications
00:14:23 - can't tolerate failure.
00:14:24 - It's too expensive or too
painful to have the network go
00:14:26 - Down, so they buy two.
00:14:27 - They put them in a
fault-tolerant or high
00:14:29 - availability failover situation
so that they can
00:14:31 - support each other in the
event of a failure.
00:14:34 - So let's say we have the ASA up
and running, which we will
00:14:37 - here in a moment.
00:14:37 - Together, you and I will
configure it from scratch.
00:14:39 - We'll do the whole
00:14:41 - And it's up for a couple weeks
and the boss comes to us and
00:14:45 - says, hey guys, what we want
to do is, can we do deep
00:14:48 - packet inspection on HTTP to
really analyze whether or not
00:14:52 - valid HTTP commands are being
forwarded or not?
00:14:55 - And we look at each other and
say, yes, we can do it.
00:14:57 - As soon as the boss leaves, we
talk to each other and we say,
00:15:00 - how would we do that?
00:15:01 - Now, the answer to that
question, which we're going to
00:15:03 - discover right now, is knowing
how the ASA implements its
00:15:07 - policies regarding inspection or
policing of traffic or any
00:15:11 - type of data manipulation.
00:15:13 - It does this, I think
you'll enjoy it.
00:15:15 - It uses something called
a class map.
00:15:20 - Now, what does a class
map do for a living?
00:15:22 - Well, Keith, it does the same
thing it did for quality of
00:15:24 - service, which is to
00:15:27 - It does the same thing it did in
the zone-based firewall in
00:15:29 - IOS, and that is to
00:15:32 - Guess what it's going to
do here on the ASA?
00:15:34 - We use it to identify traffic
based on IP addresses or layer
00:15:38 - 4 protocols or application
00:15:41 - So class maps identify the
traffic that we want to
00:15:44 - manipulate.
00:15:45 - Then, as we want to manipulate
that traffic, maybe we want to
00:15:47 - turn on inspection for our
00:15:51 - Or maybe we want to
00:15:53 - Or maybe we want to prioritize
00:15:55 - How do we specify the action?
00:15:57 - And the action is identified
by using something called a
00:16:00 - policy map.
00:16:02 - And here's how they
00:16:03 - And it's not a coincidence,
this is exactly how it
00:16:06 - functions with modular quality
of service command line
00:16:09 - interface for QoS on routers.
00:16:11 - This is how it works with
00:16:13 - The class map identifies
00:16:15 - The policy map says, hey, if
this class map's traffic is
00:16:18 - matched, I want to
take an action.
00:16:20 - And that action could be
policing the traffic,
00:16:23 - prioritizing the traffic,
inspecting the traffic.
00:16:26 - And how do we apply
00:16:28 - The way we apply a policy
00:16:30 - called a service policy.
00:16:35 - And we can apply the service
policy globally, which means
00:16:38 - traffic on all interfaces, or
we can apply a policy to a
00:16:42 - specific interface in a specific
direction, if we only
00:16:45 - want to have the policy
based on traffic
00:16:47 - on that single interface.
00:16:48 - So class maps identify
00:16:50 - Policy maps specify the action
to take, and service policy is
00:16:53 - how we apply it.
00:16:54 - We'll take a look at modifying
the default policy here as we
00:16:57 - bring up the system.
00:16:58 - Having said that, let's bring
up this device from scratch.
00:17:02 - I just wiped this guy out.
00:17:03 - This is in my home office.
00:17:05 - It's a 5505.
00:17:06 - I just erased the configuration,
00:17:08 - thing, and I've got
00:17:10 - So I've got a PC that
has a console
00:17:14 - connection right there.
00:17:16 - And what we're going
to do is this.
00:17:18 - Here's our game plan.
00:17:19 - These are ports.
00:17:20 - They call them ethernet.
00:17:21 - They're really fast ethernet,
but they're labeled E0/--
00:17:24 - this is 0/0, 0/1, 2,
3, 4, 5, 6, and 7.
00:17:31 - These two here have power
00:17:33 - So if you had a webcam or access
point, or something
00:17:36 - else that needs power
over ethernet, you
00:17:37 - got those two ports.
00:17:38 - It's great.
00:17:39 - My PC has an ethernet cable
connected right here.
00:17:43 - So our mission, should we choose
to accept it, is to
00:17:46 - take this completely default
configuration ASA and get it
00:17:51 - up and working.
00:17:52 - So the first things-- and this
is true with a lot of devices.
00:17:55 - The very first thing we need to
do is make sure we give it
00:17:57 - enough information, so that
we can manage it with our
00:18:00 - management tools, such as SSH.
00:18:02 - Or, we could ASDM.
00:18:04 - What is ASDM?
00:18:06 - Glad you asked.
00:18:06 - ASDM, the ASA Security
00:18:11 - So ASDM.
00:18:12 - It's the GUI.
00:18:14 - What the Cisco configuration
professional is to a router,
00:18:18 - the ASDM is to the firewall.
00:18:20 - And it's a great tool.
00:18:21 - There's a lot of really
cool things that we
00:18:23 - could do with it.
00:18:24 - However, I also encourage you,
if you're going to practice
00:18:26 - with this, is to also use the
option to see the commands at
00:18:30 - the CLI before it
pushes them out.
00:18:32 - That way you can see the
commands that from the CLI
00:18:34 - perspective as well as knowing
how to navigate the graphical
00:18:37 - user interface.
00:18:38 - So to get ASDM from my PC
working, and I'm connected to
00:18:42 - this port right here,
we need to first of
00:18:44 - all enable this port.
00:18:46 - Now, these are all
00:18:47 - And by default, all those ports
are members of VLAN 1
00:18:51 - from a Layer 2 perspective.
00:18:53 - So we're going to need
to take this port,
00:18:55 - and that's port 0/5.
00:18:57 - We're going to need to
do a no shut on it.
00:19:00 - We would want to assign it to
VLAN 1, which is a default.
00:19:03 - You don't have to do that, but
I wanted to show it to you.
00:19:05 - And I will because
I want you to be
00:19:06 - aware of what's happening.
00:19:08 - And then once we no shut that
interface and make sure it's
00:19:10 - an access port in VLAN 1, we're
then going to go to
00:19:13 - interface VLAN 1.
00:19:18 - Now, interface VLAN 1, this is
just like an SVI on a switch.
00:19:23 - On a switch, a Layer 2 switch
that's manageable, if you want
00:19:26 - to manage it, it has to
have an IP address.
00:19:28 - So where do you get
an IP address?
00:19:30 - You pop in a switched virtual
interface, interface VLAN 1.
00:19:34 - Enter.
00:19:35 - You're now in interface
00:19:37 - And then you can give
it an IP address.
00:19:38 - On the ASA, we're going to
do three basic things.
00:19:42 - Besides just giving it
an IP address, which
00:19:44 - is one of the things.
00:19:45 - So we'll give an IP address.
00:19:47 - We're also going to give it a
name and we're going to call
00:19:50 - ours INSIDE, because on the ASA,
all the interfaces like
00:19:54 - to have names.
00:19:55 - And we refer to those names
for the interface.
00:19:57 - And then the last thing we're
going to do is set up a
00:19:59 - security level.
00:20:04 - Now, these elements are just
to bootstrap the device so
00:20:07 - that we can connect to it with
either SSH or a graphical
00:20:11 - tool, like ASDM so
we can manage it.
00:20:13 - If we do want to manage it, we
also need to enable HTTP so
00:20:18 - the box will respond when we
make our HTTP request.
00:20:21 - And on an ASA, even though it
says HTTP when we configure
00:20:25 - it, it's really referring
00:20:28 - It's not going to allow HTTP
connections to the box, even
00:20:32 - though the command to
enable HTTP is HTTP.
00:20:35 - So we'll enable it, and we're
also going to set up an ACL
00:20:38 - that tells me the ASA,
00:20:40 - It's OK if anybody on the 10
network, at least initially,
00:20:44 - go ahead and connects to you.
00:20:46 - And then we can lock it
down after that point.
00:20:48 - So that's the bootstrap
process of the ASA.
00:20:51 - Let's just make sure we have our
quick checklist, and then
00:20:53 - we'll do it together.
00:20:54 - Number one, we're going
to take that port
00:20:55 - out of shutdown state.
00:20:57 - We're going to make sure
it's in VLAN 1.
00:20:59 - We're going to go to the logical
interface for VLAN 1.
00:21:01 - We're going to give it a name.
00:21:04 - We're going to give it an IP.
00:21:05 - We're going to give it
a security level.
00:21:07 - And we're going to enable HTTP
globally on the box so it will
00:21:11 - respond to our HTTPS request.
00:21:14 - And we're going to set the ACL
that allows people to connect.
00:21:17 - So that's the bootstrapping
we're going to do.
00:21:20 - Let's bring in the interface
00:21:22 - do it all from scratch.
00:21:24 - So let's bring in the ASA.
00:21:25 - It's been recently rebooted,
less than three minutes old.
00:21:28 - It just finished
on powering up.
00:21:30 - It asked me if I wanted to
run the setup script.
00:21:32 - I said no.
00:21:32 - I pressed Enter a few times
to clear the screen.
00:21:34 - Let's go ahead and do our basic
bootstrap right here.
00:21:37 - The very first thing we're going
to do is going to go
00:21:38 - into privilege mode, just
like on an IOS router
00:21:41 - by typing in Enable.
00:21:42 - The tricky part is there's
no password by default.
00:21:45 - But you do have to
00:21:47 - So when it asks you your
password, press Enter, and
00:21:49 - you're good to go.
00:21:50 - Next, we're going to go into
configuration mode, very much
00:21:52 - on like an IOS router.
00:21:54 - And from configuration
mode, we can then
00:21:56 - configure the device.
00:21:57 - Let's go into interface e0/5.
00:22:00 - Tell it that we want it to be
assigned to VLAN 1, just like
00:22:03 - a normal switch port layer 2.
00:22:05 - And we'll also do a no shut.
00:22:06 - Now, that's a little
00:22:08 - On traditional 3560s and so
forth, and switches, they are
00:22:12 - up by default-- the
00:22:13 - On the ASA, the switch ports
are shut down by default.
00:22:16 - So it's up.
00:22:17 - It's assigned to VLAN 1.
00:22:18 - And now, let's carve out the
logical VLAN 1 interface.
00:22:23 - This is the interface that's
going to get the name command,
00:22:26 - the security level, and
also the IP address.
00:22:28 - So we're going to
call it INSIDE.
00:22:30 - I'm going to use uppercase.
00:22:31 - It doesn't have to be.
00:22:32 - But you want to make sure
you follow the same case
00:22:34 - sensitivity throughout the
config because the interface
00:22:37 - name is going to be used to
refer to that interface.
00:22:40 - So security level's 100, name if
INSIDE and the IP address.
00:22:45 - So again, we're just
bootstrapping this router with
00:22:47 - enough information so we can
communicate with it.
00:22:50 - We also need to enable HTTPS,
so we'll use the HTTP server
00:22:54 - enable command.
00:22:55 - And we're going to specify
where HTTPS sessions are
00:22:58 - allowed to come in from.
00:23:00 - And that's going to be, I'm
going to say, anywhere on the
00:23:01 - 10 network.
00:23:02 - Wild card masks are a thing
of the past with ASA.
00:23:06 - There's no such thing
as a wild card mask.
00:23:09 - So access lists or network
statements or anything else,
00:23:12 - if you ever need to identify an
IP subnet, you're going to
00:23:15 - using a normal mask.
00:23:17 - No wild card masks anywhere.
00:23:19 - So the HTTP is allowed from
the 10.0.0 network if it's
00:23:23 - coming in from the INSIDE,
and then we have a
00:23:26 - show command for IP--
00:23:27 - show interface IP brief.
00:23:29 - And I wanted to point out here
that we can use our show
00:23:32 - commands right from
00:23:34 - You don't have to put
a do in there.
00:23:35 - You can just stay in
configuration and do your show
00:23:38 - commands as much
as you'd like.
00:23:39 - Also, they couldn't use this--
00:23:41 - they could of, but
00:23:43 - They didn't use the same
exact command set.
00:23:45 - So on a Cisco router to show IP
interface brief, on an ASA
00:23:48 - you can do show interface
00:23:51 - We can also do a show IP and
it's going to show us some
00:23:54 - details regarding the address.
00:23:56 - So here it's showing us
the VLAN 1 interface.
00:23:58 - The name is INSIDE.
00:23:59 - It's IP address is this.
00:24:00 - The mask is that.
00:24:02 - And we can also see that we have
these other interfaces
00:24:04 - that are all switch ports.
00:24:06 - This is the one port that's
up, and it's currently
00:24:08 - assigned to VLAN 1, which
they're all assigned to VLAN 1
00:24:11 - by default.
00:24:12 - So now it's strapped.
00:24:13 - What do we do next?
00:24:15 - Well, the next thing is to get
ourselves an IP address on
00:24:18 - that 10 network.
00:24:19 - So I'm going to move
this out of way.
00:24:21 - And let's say that this
PC here is one of
00:24:25 - those PCs is ours.
00:24:26 - And let's give ourselves the
address of 10.0.0.2.
00:24:31 - I'm going to have to manually
configure that because right
00:24:34 - now I'm on a different
00:24:35 - So I'm going to physically
take my PC.
00:24:38 - I'm going to plug it into
this port right here, so
00:24:40 - it'll look like that.
00:24:41 - I'll be at 10.0.0.2, and then
we can open up ASDM to go
00:24:46 - ahead and manage this through
a graphical user interface.
00:24:50 - So let's take a look at
my IP address, make
00:24:51 - sure I got that right.
00:24:53 - You can be the eyes
over my shoulder
00:24:54 - here as we do it together.
00:24:56 - If we go to Properties
of that interface and
00:24:58 - TCP/IP, there's 10.0.0.2.
00:25:01 - My default gate was 10.0.0.1.
00:25:03 - And I'm using DNS of 18.104.22.168.
00:25:06 - So right now, the ASA doesn't
have access out to the
00:25:08 - internet yet because we don't
have the OUTSIDE interface
00:25:11 - configured.
00:25:12 - And certainly, the DMZ
isn't up yet either.
00:25:14 - So from our PC perspective
though, I'll click OK.
00:25:16 - Click OK.
00:25:17 - Close that.
00:25:18 - And let's just verify that we
can ping the device before we
00:25:21 - try to open an HTTPS session.
00:25:23 - So bring up command and
ping it from here.
00:25:30 - And OK, that looks promising.
00:25:32 - That means at leas we have on
the same broadcast domain and
00:25:34 - our IP addresses are responding
to each other.
00:25:37 - So let's open up the ASDM.
00:25:38 - Now, how would we do this in
a brand new environment?
00:25:40 - We would launch a browser, HTTPS
to the IP address of the
00:25:45 - ASA at 10.0.0.1 and it would
prompt us to download the
00:25:50 - adaptive security device
00:25:53 - We could actually run it right
there through Java, or we
00:25:56 - could download the app, install
it locally, and run it
00:25:59 - from our computer.
00:25:59 - Either way, we're conversing
and communicating with the
00:26:02 - actual ASA.
00:26:03 - I've already installed the
software ASDM, so I don't need
00:26:06 - to go through the install
00:26:08 - It's asking me, who do
I want to connect to?
00:26:09 - Now, this is challenging.
00:26:11 - We just configured this
00:26:12 - We didn't configure
any user name.
00:26:15 - We didn't configure
00:26:16 - So how do we log in with ASDM?
00:26:18 - The answer is you simply
click on OK.
00:26:21 - That's definitely something we'd
want to fix by setting up
00:26:23 - authentication for people trying
to access via HTTPS.
00:26:27 - But for now, we can
say, yeah, sure.
00:26:29 - I'll accept the certificate.
00:26:30 - It's not signed by a CA server
that my browser trusts, and
00:26:34 - that would be expected because
it's a self-signed certificate
00:26:37 - that the ASA just generated
for the SSL session.
00:26:40 - So we'll click on Yes.
00:26:41 - It's going to open up ASDM.
00:26:43 - I'll size it, and then we can
take a look at it together.
00:26:46 - There's the dashboard
00:26:48 - that's going on here.
00:26:49 - We have the host name, which
is Cisco ASA by default.
00:26:53 - The version of software
00:26:55 - So how do we configure this?
00:26:56 - Really simple.
00:26:57 - There's a Configuration tab.
00:26:58 - And if we want to start with
interfaces that would be a
00:27:00 - good thing to do.
00:27:02 - And it's saying, OK, you've got
one interface named INSIDE
00:27:04 - and all the switchports
are currently assigned
00:27:07 - to that same VLAN.
00:27:08 - So let's create a second
00:27:11 - If we take a look at our
topology here, we've got the
00:27:13 - OUTSIDE interface
that we need.
00:27:14 - And it's going to be security
level 0 and it's going to DHCP
00:27:17 - assigned IP address.
00:27:19 - Now, what VLAN should
we use for this?
00:27:21 - Now by default, all these ports
are currently in VLAN 1.
00:27:25 - So it doesn't really matter what
VLAN we use, as long as
00:27:28 - we use a different VLAN
for the connection
00:27:30 - going to the outside.
00:27:31 - So what we could do is we could
take this port here,
00:27:33 - which is physically connected to
the outside world going to
00:27:36 - a cable modem in my home office
here, and we can make
00:27:39 - that port a member of VLAN 2.
00:27:41 - We create a VLAN 2 interface.
00:27:44 - We name it OUTSIDE.
00:27:46 - We give it a security level of
0, and we tell it we want it
00:27:48 - to have a DHCP-assigned
00:27:51 - So let's do that right now.
00:27:52 - We'll bring our GUI interface
back in, ASDM.
00:27:55 - There it is in all
00:27:56 - We'll click on Add.
00:27:58 - And let me get this so it's
readable by everybody.
00:28:02 - And let's go ahead and click on
that we want the interface
00:28:05 - named OUTSIDE.
00:28:07 - We want the security
level to be 0.
00:28:09 - Now, the 0 is just subjective.
00:28:12 - If we had two interfaces, the
INSIDE had 100 and the OUTSIDE
00:28:15 - at 99, with just two interfaces,
00:28:19 - policy would be the same.
00:28:20 - Traffic would flow from
higher to lower.
00:28:23 - Return traffic would make it--
if it was inspected on the way
00:28:26 - out, the reply traffic
would be allowed.
00:28:27 - Initial traffic coming from the
outside, if it started at
00:28:30 - 99, wouldn't make it to
interface of 100.
00:28:34 - We often use 0 for the OUTSIDE
and 100 for the INSDIE, but
00:28:37 - they're just numbers for a
comparison purpose for the
00:28:39 - initial policy.
00:28:41 - So we say it's 0.
00:28:42 - It's outside.
00:28:43 - The IP address is going
to be via DHCP.
00:28:46 - And we want to add this
interface 0/0, which currently
00:28:49 - is associated with VLAN
1 on the INSIDE.
00:28:51 - And if we go to Advanced,
we can actually
00:28:54 - choose our VLAN number.
00:28:56 - So we're going to use VLAN
2, just because we can.
00:28:58 - And in the background, it's
assigning that port as an
00:29:01 - access port for VLAN 2.
00:29:03 - It will also create a new
logical VLAN 2 interface and
00:29:06 - name it OUTSIDE and try to get
an IP address via DHCP.
00:29:10 - So if that looks OK,
which it does.
00:29:11 - I'll click on Okey-doke
and apply it.
00:29:16 - So there's the actual syntax
that it's going to push out.
00:29:19 - It's going to Interface
Configuration Mode and it's
00:29:20 - saying, OK, switch port
access VLAN 2.
00:29:23 - You're in access port VLAN 2.
00:29:24 - For the logical interface VLAN
2, it's going to bring it out
00:29:27 - of shut down.
00:29:28 - It's going to go ahead and give
it a security level of 0,
00:29:30 - name it OUTSIDE, and do an
IP address via DHCP.
00:29:34 - And we'll set our default
route based on what we
00:29:37 - learned from DHCP.
00:29:38 - Check this out, though.
00:29:39 - You know what's missing here?
00:29:41 - I'm looking at this syntax.
00:29:43 - That interface is currently
00:29:46 - Ethernet 0/0 is currently
00:29:48 - And as a result, just assigning
it to access VLAN 2
00:29:51 - is not going to cut it.
00:29:52 - But we can fix that.
00:29:54 - Let's apply this.
00:29:55 - We'll send it out.
00:29:58 - And it's pushing the
00:29:59 - configuration, that's fantastic.
00:30:01 - And it says it's enabled.
00:30:04 - Let's go to switchports 0/0.
00:30:07 - It says No here.
00:30:10 - So the logical interface
is enabled, the OUTSIDE
00:30:13 - interface, the interface
00:30:16 - However, the physical switchport
is not enabled.
00:30:18 - It says so right there.
00:30:19 - So let's edit that, and let's
go ahead and say Enable
00:30:22 - SwitchPort and apply it.
00:30:25 - And we're good to go.
00:30:28 - So no shut down.
00:30:29 - That's going to be really
important for that to work.
00:30:32 - OK, so now having done that,
what should happen is, if my
00:30:35 - connection is in place, which I
believe it is, going out to
00:30:38 - the internet on this port right
here, the pieces in
00:30:41 - place are that port is an
access port on VLAN 2.
00:30:44 - We have a logical VLAN 2
interface that wants to be a
00:30:47 - DHCP client, and that goes out
to the internet via cable
00:30:50 - modem who should be supplying
an IP address via DHCP.
00:30:53 - That's the theory, anyway.
00:30:55 - Let's see if that
all works out.
00:30:56 - So we'll bring back this
guy right here.
00:30:59 - And let's refresh this with
the big Refresh button.
00:31:03 - Oh, look at that.
00:31:05 - Perfect.
00:31:06 - So under Configuration
Interfaces, this is showing me
00:31:09 - the DHCP-assigned IP address--
00:31:11 - temporarily, I might add.
00:31:14 - So please don't attack this IP
address in the near future
00:31:18 - because it won't be mine after
this demonstration is done.
00:31:21 - So that's the IP address on
the OUTSIDE interface.
00:31:23 - Now, can my customers get
out to the internet?
00:31:25 - Let's take a look at
00:31:26 - This is real world here.
00:31:28 - I've got my PC literally
00:31:31 - I'm on the 10 network.
00:31:32 - My IP address is 0.2.
00:31:34 - My default gateway is 0.1.
00:31:36 - It's the ASA.
00:31:37 - And the IP address
has been assigned
00:31:40 - on the OUTSIDE interface.
00:31:41 - Can I get out to the internet,
yes or no?
00:31:43 - We could try it.
00:31:45 - But the answer is it's not going
to be too happy yet.
00:31:48 - Because there's no network
address translation involved.
00:31:51 - NAT has to be put in place
because my ASA has a valid IP
00:31:55 - address on the internet,
but my PC doesn't.
00:31:58 - So I need to do network address
translation to-- and
00:32:01 - we could do PAT on this
interface so that my client
00:32:04 - could go out to the internet.
00:32:05 - So how do you configure
00:32:07 - And again, in CCNA my friend,
we're talking about just some
00:32:11 - basic foundation components
00:32:14 - Basic IP addressing, getting
the ASA bootstrapped and
00:32:19 - getting a NAT configured so that
we can have a client go
00:32:22 - out to the internet.
00:32:23 - So to configure the ASA for
network address translation,
00:32:27 - where would we do that?
00:32:29 - Well, under Interfaces there's
no options here.
00:32:31 - But if we go down to-- under
configuration, if we go down
00:32:34 - to Firewall, most of the
policies that we can implement
00:32:38 - on the ASA are done
00:32:41 - So Access Rules.
00:32:42 - I'm going to go ahead and say
take off the IPv6 just to
00:32:45 - clean it up a little bit.
00:32:46 - The access rules apply to
access control lists.
00:32:49 - The NAT rules applies to NAT,
and that's what we need to do.
00:32:52 - So let's go ahead and set up a
NAT rule that says taking all
00:32:56 - the clients on the INSIDE and
allowing to be translated to
00:32:59 - the global address that the
ASA has on the outside.
00:33:02 - So to do that, it's really
simple to set up a NAT role.
00:33:05 - You simply click on Add.
00:33:07 - You specify the details
for you NAT.
00:33:08 - You say, well if any traffic
is coming in on the INSIDE
00:33:12 - interface, regardless of its
source address, we could also
00:33:15 - limit it to one subnet that we
want to do translation for.
00:33:18 - And the destination interface
is the OUTSIDE.
00:33:20 - Regardless of destination IP
address we're going to, we
00:33:24 - want to go ahead and do
00:33:26 - We're going to do PAT
where we're going to
00:33:27 - overload on the interface.
00:33:29 - And we're going to specify the
new source address should be
00:33:32 - whatever the IP address is
on the OUTSIDE interface.
00:33:35 - That's it.
00:33:36 - That's NAT in a nutshell.
00:33:38 - So we'll click on OK.
00:33:40 - And then we'll click on--
actually, let's look at it
00:33:41 - first, then we'll
click on Apply.
00:33:43 - So this is saying traffic from
the inside going to the
00:33:46 - outside from any IP address
going to any IP address,
00:33:49 - regardless of service, we want
the translated packet to have
00:33:52 - the OUTSIDE IP address.
00:33:54 - And the destination we're
not changing that.
00:33:56 - If you're going to Google,
you're still going to Google.
00:33:59 - And we're set, so apply it.
00:34:01 - And it's showing us the syntax
that we could use at the
00:34:03 - command line to implement this
network address translation.
00:34:06 - We'll send that off on
its way, and now
00:34:08 - our NAT is in place.
00:34:10 - So the question now is, should
we be able to go out to the
00:34:14 - internet as a client?
00:34:15 - Let's go back and take a peek.
00:34:17 - So here's our PC.
00:34:18 - We haven't changed.
00:34:19 - We're at 10.0.0.2.
00:34:22 - Our default gateway
00:34:24 - We have DNS of 22.214.171.124 and
we have NAT going on.
00:34:29 - So any traffic source from the
inside going to be outside
00:34:32 - should be NATed and it should be
allowed because we're going
00:34:35 - from higher to lower
00:34:37 - And because of the stateful
inspection that happens by
00:34:39 - default, return traffic should
be allowed back in.
00:34:42 - So I'm thinking we
have a strong
00:34:43 - possibility of it working.
00:34:45 - So let's go ahead and test it.
00:34:47 - Let's bring up a
00:34:49 - And here's a command prompt.
00:34:51 - And let's do an nslookup
00:34:58 - Well, that's a very good sign.
00:35:01 - That means that UDP is working
because we just got a response
00:35:04 - regarding the IP addresses
we can use to reach
00:35:07 - cbtnuggets.com.
00:35:08 - And we could probably ping I
guess as well to 126.96.36.199.
00:35:13 - That's an IP address of
a DNS server provided.
00:35:16 - Oh, and ping is not working.
00:35:17 - I wonder why that is.
00:35:19 - UDP works, but ICMP
00:35:22 - What could that be?
00:35:22 - Well, let's go ahead and look
at the policy to understand
00:35:26 - why that's not working and
how to change the policy
00:35:29 - if we wanted to.
00:35:31 - So to take a look at why that
might not be working, let's
00:35:33 - take a look at our
00:35:35 - And by default, we have the
implicit rules where traffic
00:35:38 - from higher security interfaces
is allowed to be
00:35:41 - initiated to lower security
00:35:43 - And we know that UDP works, so
that isn't the issue here.
00:35:45 - And there's no manual access
list configured by default.
00:35:49 - So let's go ahead and take a
look at service policy rules.
00:35:51 - Service policy is all about the
class maps and policy maps
00:35:55 - being applied by a service
policy to the traffic.
00:35:58 - And here's our default global
policy that's in place.
00:36:01 - And it's saying that it wants to
go ahead and do inspection
00:36:04 - of these protocols.
00:36:06 - Take a look.
00:36:06 - We have DNS.
00:36:08 - And also what it doesn't mention
here is we also have
00:36:10 - TCP and UDP generic inspection
00:36:13 - But if you'll notice if we take
a look at this list, it
00:36:15 - does not include any
00:36:19 - So ICMP, because it's not being
inspected, that's the
00:36:22 - reason it's not being allowed.
00:36:23 - We could also use another
tool to verify it.
00:36:25 - This is really an awesome
tool as well.
00:36:27 - It's called Packet Tracer.
00:36:29 - And we could actually do the
Packet Tracer from right here.
00:36:31 - They have an icon for it.
00:36:32 - You can launch it
from the menu.
00:36:33 - You can launch it
from an icon.
00:36:35 - And we could say, well, let's
see why a ping doesn't work.
00:36:38 - So with Packet Tracer, if we
wanted to simulate what the
00:36:41 - firewall would do with a
specific packet, we could say,
00:36:44 - we want to take traffic
from the inside.
00:36:46 - If it's coming from IP address
10.0.0.2 going to 188.8.131.52 and
00:36:55 - it's an echo request.
00:36:56 - And we could go ahead and Start
and it would run that
00:36:58 - cycle and say, you know what?
00:37:00 - This packet would make it
or it wouldn't make it.
00:37:02 - Now, for marketing purposes
perhaps, they actually show it
00:37:05 - to you in slow motion with every
step along the way the
00:37:08 - process it's going through.
00:37:09 - But we could also de-select Show
Animation and it would
00:37:12 - just show us the final result
without the fanfare.
00:37:14 - So this implies that from route
lookups, checking access
00:37:18 - lists, checking NAT all the way
through, that this packet
00:37:20 - is allowed.
00:37:22 - So the ASA is saying, I've got
no problem forwarding this
00:37:24 - ping request from the client
out to 184.108.40.206.
00:37:28 - Well, why didn't it work?
00:37:30 - The reason it didn't work is
because by default, the ASA
00:37:33 - doesn't inspect ICMP.
00:37:36 - It inspects TCP generic,
00:37:39 - It inspects these applications
that I have right here, but it
00:37:42 - doesn't inspect ICMP.
00:37:44 - If we wanted to change that
behavior, or any of the other
00:37:47 - inspections that are on or off,
or we want to manipulate
00:37:49 - it, here's how we do.
00:37:51 - We'd go to Service
00:37:53 - On the Default Policy,
click on Edit.
00:37:56 - And here we have the
00:37:59 - And this is specifying the
applications that we're going
00:38:01 - to inspect.
00:38:02 - And check it out, ICMP is not
inspected by default.
00:38:06 - That's why the ping
00:38:08 - So if we did this side by side,
we bring over the PC
00:38:12 - that didn't work.
00:38:13 - So we'll try our ping again.
00:38:14 - It's not flying.
00:38:15 - We go back here to the policy.
00:38:17 - We say, yep, I want to
inspect ICMP as well.
00:38:20 - Click OK.
00:38:21 - Apply it.
00:38:22 - It's going to modify the policy
map to say for class
00:38:26 - inspection default, we want to
go ahead and inspect the ICMP.
00:38:29 - So that when the return
00:38:31 - back, the echo replies.
00:38:33 - Because there's going to be
a session entry for that
00:38:35 - session, the reply
will be allowed.
00:38:38 - So we'll send that over.
00:38:39 - We'll go back to the
00:38:41 - We'll try our ping again.
00:38:42 - And now the ping's working.
00:38:44 - Why is it working?
00:38:45 - It's because we're
00:38:47 - And one step further if we
wanted to, if we wanted to go
00:38:49 - take a look at deeper packet
inspection, for many of these
00:38:52 - applications we can actually
configure specific application
00:38:56 - policy maps to get very deep
into application layer
00:39:00 - protocols looking for specific
protocol compliance or other
00:39:04 - details up in the application
00:39:07 - That's why each of these have
the additional Configure
00:39:09 - option next to them.
00:39:11 - So one more thing I wanted to
discuss with you before we
00:39:13 - close on the ASA is the concept
of access control list
00:39:17 - and how they override policy.
00:39:19 - Currently as we have it
configured, our customer is
00:39:22 - allowed to go out to the
internet with TCP and UDP and
00:39:25 - a whole bunch of other
00:39:27 - And it can do ICMP.
00:39:29 - Why is that?
00:39:30 - Because the inspection rule
said inspect ICMP so that
00:39:34 - reply traffic could come back.
00:39:36 - And that's still working.
00:39:37 - We could verify that real quick
that's nothing's changed
00:39:39 - by doing the ping we did just a
few moments ago to 220.127.116.11.
00:39:44 - And it indeed, is working.
00:39:45 - Fantastic.
00:39:46 - If we wanted to override the
policy of traffic being able
00:39:51 - to go out, we could implement
an access list.
00:39:53 - And access lists are important
to see at least once.
00:39:56 - So let's take a look at the
ASA and how an access list
00:39:59 - could be applied.
00:40:00 - From a planning perspective,
let's apply the access list to
00:40:04 - block ICMP traffic if it's
destined to 18.104.22.168 and if
00:40:12 - it's sourced from the
00:40:15 - Now, here's a big difference.
00:40:17 - On the IOS routers, we use wild
card masks to indicate we
00:40:21 - don't care about
the last octet.
00:40:22 - We could use 0.0.0.255.
00:40:25 - On the ASA, there's never, ever,
ever, never, never, ever
00:40:29 - the use of a wild card mask.
00:40:31 - It's always just normal masks.
00:40:33 - So we can have standard ACLs,
which filter only on the
00:40:36 - source IP address, both in the
router and on the ASA.
00:40:39 - We can have extended access
lists, which can filter on
00:40:42 - virtually anything at layer 3
or 4, source or destination.
00:40:45 - But the difference is when we
apply an access list or create
00:40:48 - one, we don't use the
wild card masks.
00:40:50 - So let's go ahead
and create one.
00:40:52 - Let me clear off the screen.
00:40:53 - Let's bring in Cisco
00:40:56 - Here it is.
00:40:57 - And to get to the access lists,
we go to Configuration,
00:41:00 - click on Firewall, and then
go to Access Rules.
00:41:03 - That's just the fancy way of
saying here's where the ACLs
00:41:06 - are if you want to
00:41:07 - So to create one, we'll
simply click on Add.
00:41:10 - And we're going to have this
apply it on the INSIDE.
00:41:12 - You can apply it the INSIDE
or the OUTSIDE.
00:41:14 - Apply it on the INSIDE.
00:41:15 - We're going to say Deny, and
we want to deny traffic if
00:41:18 - it's from anywhere
on the INSIDE.
00:41:21 - So I'm going to go ahead
and pick this.
00:41:23 - There's an object group
00:41:24 - for the INSIDE network.
00:41:26 - So I'm going to create that
one by double clicking.
00:41:28 - It puts it down here.
00:41:29 - I'm going to click OK.
00:41:30 - So that's the 10.0.0/24.
00:41:33 - And I'm going to say
if the destination
00:41:35 - is a specific host.
00:41:37 - So I'm actually going to type
in right here 22.214.171.124.
00:41:41 - That's the host we want
to try to reach.
00:41:43 - And the service is ICMP.
00:41:45 - We just want to block ICMP.
00:41:47 - So we can pick that.
00:41:48 - Green is TCP and the
blue is UDP.
00:41:52 - And then we have ICMP.
00:41:52 - I'm going to say echo.
00:41:54 - Great, no echo requests
being sent out.
00:41:56 - So the echo request will
never make it.
00:41:59 - And I can do a description
if we wanted to.
00:42:02 - So I'm going to go ahead
and click on OK.
00:42:04 - And now I've got this really
cool access list entry.
00:42:07 - Now, what's the problem
00:42:09 - It's on the INSIDE interface.
00:42:10 - It's inbound on that
00:42:13 - And check it out,
00:42:15 - anything else?
00:42:16 - If the answer is no, we just
killed all of our traffic
00:42:20 - because an access list, just
like in an IOS router, has a
00:42:23 - default implicit deny
at the end.
00:42:26 - So we would be well to highlight
this access list.
00:42:29 - So we're going to
00:42:31 - And we're going to say, I want
to go ahead and add a permit
00:42:33 - for IP any, any for all the
rest of the traffic.
00:42:36 - So now we have two rules
in place in our
00:42:38 - INSIDE access list.
00:42:39 - We have a deny of the traffic
from 10.0.0 if it's going to
00:42:44 - 126.96.36.199 and it's an echo.
00:42:45 - And we're going to allow
00:42:48 - So Apply that and take a look
at the syntax here.
00:42:50 - Look at this IP address.
00:42:52 - We have 10.0.0 for the network,
and I want you to pay
00:42:55 - attention to that mask.
00:42:56 - It's just a normal mask,
00:43:00 - So anything weird, like
0.0.0.255 wouldn't be a valid
00:43:05 - syntax on as ASA as part
of an access list.
00:43:09 - So having said that, it's going
to create the access
00:43:11 - list, two entries.
00:43:12 - It's going to apply it inbound
on the INSIDE interface.
00:43:15 - We'll send it over, and let's go
try our test one more time.
00:43:18 - So we'll bring back our
00:43:20 - This ping worked a moment ago.
00:43:22 - Now it's not working,
and that's good.
00:43:25 - That means we're applied
00:43:26 - But let's make sure that
we can still get
00:43:27 - out with other protocols.
00:43:29 - So let's do--
00:43:30 - I think we have still on
the-- there we go.
00:43:32 - We'll do our nslookup.
00:43:33 - That's still working.
00:43:33 - So UDP works.
00:43:35 - And if we wanted to open up a
browser, let's go ahead and
00:43:38 - bring in Google.
00:43:40 - It's already open.
00:43:41 - I clicked on it to launch
it and it went.
00:43:43 - So if we went to another site
such as cbtnuggets.com, it
00:43:49 - comes right up.
00:43:50 - We're good to go.
00:43:51 - So everything is working
except for the
00:43:52 - pings out to 188.8.131.52.
00:43:55 - The DNS work out that works out
there, which is UDP but
00:43:58 - not the pings.
00:43:59 - If we wanted to troubleshoot
that and we say, well, why
00:44:01 - isn't ping working?
00:44:02 - Let's say we didn't realize
or understand why.
00:44:04 - We could go back to our good
friend the Packet Tracer and
00:44:07 - say, why isn't the
ping working from
00:44:09 - 10.0.0.2 out to 184.108.40.206.
00:44:13 - It's ICMP.
00:44:14 - It's an echo request.
00:44:16 - And let's say 1 there
and 1 there.
00:44:18 - And then we'll say Start.
00:44:20 - And it's going to send it out
and it's going to go--
00:44:21 - I should have clicked on don't
show the animation.
00:44:24 - But it's going for
the route lookup.
00:44:26 - It then goes to the
00:44:28 - It stops.
00:44:28 - The little x there says
it never made it.
00:44:31 - And it actually tells us,
the flow is denied by
00:44:33 - a configured rule.
00:44:34 - The access list killed
00:44:37 - So there's the details of it
right there, access list
00:44:39 - INSIDE and it denied ICMP coming
from the 10.0.0 network
00:44:44 - going to 220.127.116.11.
00:44:46 - So that's a great method
00:44:48 - Another tool, while I have you,
is we could go ahead and
00:44:51 - look at logging.
00:44:51 - This is also amazing.
00:44:53 - Under monitoring,
if we go down to
00:44:56 - logging and enable it--
00:44:58 - we'll say, yeah, I want
to enable logging.
00:45:00 - And we could launch this
real-time logging viewer.
00:45:04 - So let me bring back our command
prompt and let's go
00:45:06 - try the ping that
00:45:09 - This one.
00:45:10 - And it's going to show us
exactly what happened.
00:45:12 - So here we have the entry.
00:45:13 - We have a deny.
00:45:14 - The details are all down here.
00:45:16 - So it says deny ICMP source
INSIDE, destination OUTSIDE,
00:45:20 - ICMP type 8 by access group
called INSIDE access in.
00:45:24 - So it's a great way
to visually see.
00:45:26 - This is just syslog messages
that we can see right here in
00:45:29 - the graphical user interface.
00:45:32 - So in this video, we've taken
a look at the ASA, the
00:45:35 - Adaptive Security Appliance.
00:45:37 - How to bootstrap it so we can
get basic connectivity to it,
00:45:40 - how we can use ASDM
to manage it.
00:45:43 - And it once it's in place, it's
doing stateful inspection
00:45:46 - for traffic as well as NAT if we
configure it, so that when
00:45:49 - users go out to the internet
00:45:52 - to the OUTSIDE interface
00:45:53 - That's based on what
00:45:55 - And because of the stateful
inspection, return traffic is
00:45:58 - allowed for TCP, for UDP,
and there's a host of
00:46:02 - application-layer inspections
00:46:04 - But what isn't inspected
by default as ICMP.
00:46:07 - We turned on ICMP inspection,
and then all of a sudden we
00:46:10 - could send ICMP out and get
our replies back as well.
00:46:14 - What else does ASA support?
00:46:16 - It can support DHCP.
00:46:18 - It can be a client
and a server.
00:46:19 - A client here and a server
here to its devices.
00:46:23 - It can provide botnet support.
00:46:27 - It can do application-layer
00:46:30 - it can use object groups.
00:46:31 - It can support VPNs.
00:46:32 - And by the way, VPNs we'll cover
in a complete separate
00:46:35 - Nugget just on IPsec and SSL
VPNs in the latter part of
00:46:39 - this Nugget series.
00:46:40 - So that's coming up.
00:46:41 - Hang onto that one.
00:46:42 - It also has support for AAA,
00:46:46 - Authorization, and Accounting.
00:46:47 - So if this is an ASA inside of
your enterprise, you don't
00:46:50 - have to create all your local
users on that ASA.
00:46:53 - You can have them
on a AAA server.
00:46:55 - And then when Jill VPNs in and
wants to authenticate, the ASA
00:47:00 - can check with the AAA server
and say, hey, it's Jill.
00:47:02 - Here's her credentials.
00:47:03 - Is she valid?
00:47:04 - And if so, provide access
into the network.
00:47:07 - I have had a lot of fun taking
this little ASA with you and
00:47:11 - bringing it all way from a
default config into a working
00:47:14 - config that involved stateful
inspection, network address
00:47:17 - translation, and even
customizing the policy to tell
00:47:21 - it to inspect ICMP as well.
00:47:23 - I hope this has been informative
for you, and I'd
00:47:25 - like to thank you for viewing.