This section demonstrates how Cisco ASA appliances are deployed in SecureMe's branch offices, as well as how a business partner company uses Cisco ASA to provide firewall and site-to-site VPN connectivity to SecureMe.
Branch Offices
SecureMe has several small branch offices around the world. There are 20 to 25 users at each branch office. A Cisco ASA 5510 is deployed at each of the three branch offices (New York, Los Angeles, and Atlanta), as shown in Figure 22-1.
Figure 22-1. Branch Offices
The Cisco ASA 5510 at each location is connected to a Cisco IOS router providing Internet connectivity. The Cisco ASAs are also connected to Cisco Catalyst switches (not shown in Figure 22-1) to provide connectivity to internal users.
SecureMe's security policies restrict all of its branch office users from communicating to the Internet on any port other than TCP port 80 (www) and TCP port 443 (SSL). Its business model requires the following:
The IT staff in Washington developed an application to provide the capability to remotely control user workstations at remote branch offices from the Washington regional site network. This application is also used to remotely install software (that is, operating system patches and antivirus updates) and it communicates over TCP port 7788. Figure 22-2 is a diagram of the New York branch office network with all the assigned IP addresses.
Figure 22-2. New York Branch Office Network
To accommodate the previously listed requirements, the configuration in Example 22-1 is deployed at the New York branch office. This same configuration is deployed on the Cisco ASA at Los Angeles and Atlanta branch offices as well, with the exception of the IP addresses corresponding to each specific location.
Example 22-1. New York Branch Configuration
! The public outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.231 255.255.255.224
!
! The private inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.165.200.231 255.255.255.0
!
!
hostname NewYork
!
!The following access control list entries restrict internal users to only be able to
!send HTTP, HTTPS, and DNS traffic to the Internet
access-list insideACL extended permit tcp 10.165.200.0 255.255.255.0 any eq www
access-list insideACL extended permit tcp 10.165.200.0 255.255.255.0 any eq https
access-list insideACL extended permit udp 10.165.200.0 255.255.255.0 any eq domain
!
!The following access control list entries restrict internal users to only be able to
!send TCP port 8912 and 8913 traffic to the 10.20.1.60 server in Washington, which hosts
!the previously mentioned third-party application.
access-list insideACL extended permit tcp 10.165.200.0 255.255.255.0 host 10.20.1.60 eq 8912
access-list insideACL extended permit tcp 10.165.200.0 255.255.255.0 host 10.20.1.60 eq 8913
!
!The following access control list entries restrict internal users to only be able to
!send SMTP, POP3, and IMAP4 traffic to the 10.20.4.50 mail server in Washington.
access-list insideACL extended permit tcp 10.165.200.0 255.255.255.0 host 10.20.4.50 eq smtp
access-list insideACL extended permit tcp 10.165.200.0 255.255.255.0 host 10.20.4.50 eq pop3
access-list insideACL extended permit tcp 10.165.200.0 255.255.255.0 host 10.20.4.50 eq imap4
!
!The following access control list entry allows the 10.10.220.0/24 management segment in
!Washington to be able to launch a remote control session to the internal user workstations
!in NY.
access-list outsideACL extended permit tcp 10.10.220.0 255.255.255.0 10.165.200.0 255.255.255.0 eq 7788
!
!The following access control list entries are used to define what traffic should be
!encrypted over the IPSec site-to-site tunnel to Washington.
access-list encryptACL extended permit ip 10.165.200.0 255.255.255.0 10.20.4.0 255.255.255.0
access-list encryptACL extended permit ip 10.165.200.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list encryptACL extended permit ip 10.165.200.0 255.255.255.0 10.10.220.0 255.255.255.0
!
!The following access control list entries allow the ASA to bypass NAT for the IPSec
!tunnel traffic.
access-list nonat extended permit ip 10.165.200.0 255.255.255.0 10.20.4.0 255.255.255.0
access-list nonat extended permit ip 10.165.200.0 255.255.255.0 10.20.1.0 255.255.255.0
access-list nonat extended permit ip 10.165.200.0 255.255.255.0 10.10.220.0 255.255.255.0
!
!The following NAT configuration allows all the internal devices within the
!10.165.200.0/24 network to be port address translated to the outside interface address
!except for the VPN traffic.
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.165.200.0 255.255.255.0
!
!Access-lists are applied to the corresponding access-groups
access-group insideACL in interface inside
access-group outsideACL in interface outside
!
! Default gateway pointing to the external router's IP address
route outside 0.0.0.0 0.0.0.0 209.165.200.232 1
!
!The following is the IPSec site-to-site tunnel configuration to the Washington ASA
!209.165.201.1.
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map IPSec_map 10 set peer 209.165.201.1
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map 10 match address encryptACL
crypto map IPSec_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key 1qaz@WSX
Note that the sysopt connection permit-ipsec command is not used in the configuration in Example 22-1. This is done deliberately so that the decrypted VPN traffic is still subject to the interface ACL applied to the outside interface.
Small Business Partners
Partner-A is a small company that buys supplies from SecureMe on a regular basis. There is a specific e-commerce application that SecureMe and Partner-A use to do all of their business transactions. Partner-A deploys the Cisco ASA 5510 to provide site-to-site extranet VPN services and to secure its infrastructure, as shown in Figure 22-3.
Figure 22-3. Extranet Communication
The e-commerce application used by Partner-A to buy its materials is a web-based application over Secure HTTP (HTTPS). SecureMe and Partner-A policies dictate that only TCP port 443 (HTTPS) traffic should be allowed over their site-to-site VPN connection to the e-commerce server in Washington (10.20.2.70). Traffic destined to the rest of the 10.x.x.x networks in Washington is not allowed. All other traffic is allowed to leave the security appliance. Example 22-2 shows the configuration for Partner-A's Cisco ASA to achieve this goal.
Example 22-2. Partner-A Configuration
! The public outside interface
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.202.129 255.255.255.224
!
! The private inside interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.144.1 255.255.255.0
!
hostname Partner-A
! Access-list allowing only HTTPS communication to the 10.20.2.70 server and dropping all
! other communication to the 10.0.0.0/8 supersubnet for networks in Washington.
access-list Part_in_ACL extended permit tcp 192.168.144.0 255.255.255.0 host 10.20.2.70 eq https
access-list Part_in_ACL extended deny ip 192.168.144.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Part_in_ACL extended permit ip any any
!
! Access-lists to bypass NAT and classify what packets will be encrypted over the tunnel
access-list nonat extended permit ip 192.168.144.0 255.255.255.0 host 10.20.2.70
access-list encryptACL extended permit ip 192.168.144.0 255.255.255.0 host 10.20.2.70
!
! NAT configuration
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.144.0 255.255.255.0
!
!Access-list Part_in_ACL applied to inside interface
access-group Part_in_ACL in interface inside
route outside 0.0.0.0 0.0.0.0 209.165.202.130 1
!IPSec site-to-site configuration
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map IPSec_map 10 match address encryptACL
crypto map IPSec_map 10 set peer 209.165.201.1
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 pre-shared-key 3edc$RFV
Partner-A has a total of 75 users. Its Network Address Translation (NAT) configuration is designed so that all of its users are port address translated (PAT) to the address of the ASA's public interface.
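The ACL behaviour that Examples 22-1 and 22-2 rely on (first matching entry wins, implicit deny at the end of every list, and the order of the entries in Part_in_ACL) can be checked offline before a change is pushed. The following Python script is an added example, not code from the book or from Cisco; it uses a constructed excerpt of the page's own access-list lines, a minimal parser that handles only the syntax those lines use, and a first-match evaluator for sample flows.

```python
import ipaddress
# Port keywords used in the page's ACLs, mapped to numbers.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "smtp": 25, "pop3": 110, "imap4": 143}

# Constructed excerpt of the ACL lines from Examples 22-1 and 22-2 (names and addresses are the page's).
SAMPLE_CONFIG = """
access-list insideACL extended permit tcp 10.165.200.0 255.255.255.0 any eq www
access-list insideACL extended permit tcp 10.165.200.0 255.255.255.0 host 10.20.1.60 eq 8912
! decrypted tunnel traffic is checked here because sysopt connection permit-ipsec is not set
access-list outsideACL extended permit tcp 10.10.220.0 255.255.255.0 10.165.200.0 255.255.255.0 eq 7788
! Partner-A: entry order matters, the deny for 10.0.0.0/8 precedes the final permit
access-list Part_in_ACL extended permit tcp 192.168.144.0 255.255.255.0 host 10.20.2.70 eq https
access-list Part_in_ACL extended deny ip 192.168.144.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Part_in_ACL extended permit ip any any
"""

def _addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(config):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines, keeping their order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue  # '!' comments and non-ACL commands are ignored
        name, action, proto = t[1], t[3], t[4]
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def permitted(acl, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry decides; no match means the ASA's implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in acl:
        if p in ("ip", proto) and s in src and d in dst and port in (None, dst_port):
            return action == "permit"
    return False

ACLS = parse_acls(SAMPLE_CONFIG)
# e.g. a session from the Washington mail server 10.20.4.50 to a NY workstation on 7788 is denied by outsideACL.
```

Swapping the order of the last two Part_in_ACL entries in SAMPLE_CONFIG makes the 10.0.0.0/8 deny unreachable, which is the class of mistake this check is meant to catch.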
The network security administrator at Partner-A receives a call from Partner-A's Chief Information Officer (CIO) mentioning that the security policy has been changed such that ActiveX and Java should be blocked for all of Partner-A's user web traffic to the Internet. The commands shown in Example 22-3 are appended to SecureMe's Cisco ASA configuration to fulfill this requirement.
Example 22-3. Blocking ActiveX and Java
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ActiveX and Java are filtered for all sources and all destinations on port 80.