The robust transparent firewall solution can be deployed in different ways. This section covers two design scenarios for ease of understanding:
Note
These design scenarios are discussed here to enforce learning and thus they should be used for reference only.
SMTF Deployment
SecureMe has a remote location in Brussels that uses IP as the Layer 3 protocol. SecureMe wants to deploy an ASA in transparent firewall mode so that it does not have to modify the existing network addresses. Figure 10-6 shows SecureMe's new topology in Brussels after setting up an ASA.
Figure 10-6. SecureMe Brussels Network Topology
Additionally, SecureMe wants to achieve the following goals:
Example 10-11 shows the relevant configuration for the Cisco ASA in Brussels. SecureMe has set up an ACL that is applied to the inside interface to allow inbound DNS and HTTP traffic and filter out everything else. The security appliace is also configured with an ACL applied on the outside interface to allow SMTP traffic.
Example 10-11. ASA Relevant Configuration to Allow IP Traffic
Brussels# show running-config ! transparent firewall mode is enabled firewall transparent ! outside interface interface GigabitEthernet0/0 nameif outside security-level 0 ! inside interface interface GigabitEthernet0/1 nameif inside security-level 100 ! hostname Brussels ! Access-list entry to allow DNS packets to pass through the ASA. access-list inside_in extended permit udp 192.168.1.0 255.255.255.0 host 192.168.2.2 eq 53 ! Access-list entry to allow HTTP packets to pass through the ASA. access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.5 eq 80 ! Access-list entry to deny and log all other packets. access-list inside_in extended deny ip any any log ! Access-list entry to allow SMTP traffic. access-list outside_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.2 eq 25 ! Global IP address ip address 192.168.1.10 255.255.255.0 ! Static command is used to specify the maximum and embryonic connection limit static (inside,outside) 192.168.1.2 192.168.1.2 netmask 255.255.255.255 tcp 300 200 ! Access-list is applied to the inside interface of the ASA access-group inside_in in interface inside ! Access-list is applied to the outside interface of the ASA access-group outside_in in interface outside ! Default gateway. It is used by the ASA for the traffic originating from it route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
MMTF Deployment with Security Contexts
SecureMe plans to provide firewall services to two different organizations at its Brussels office. These organizations not only use different Layer 3 protocols but also have unique sets of requirements that SecureMe needs to account for. Figure 10-7 shows SecureMe's new topology in Brussels to provide these services.
Figure 10-7. SecureMe Brussels Multimode Topology
Both customersCubs and Bearshave provided SecureMe with a list of requirements:
Cubs
Bears
Example 10-12 shows ASA's relevant configuration with three security contexts. The system execution space has been set up to allocate interfaces to customers' contexts. An admin context is configured to do the following:
Additionally, there are two other contexts: Cubs and Bears. These security contexts are set up to meet the requirements of SecureMe's customers.
Example 10-12. ASA's Relevant Configuration in Transparent Mode with Multiple Contexts
System Execution Space Brussels# show run ! transparent firewall mode is enabled in the system context firewall transparent ! Main GigabitEthernet0/0 interface interface GigabitEthernet0/0 ! Sub-interface assigned to the admin context as the inside interface. A VLAN ID is ! assigned to the interface interface GigabitEthernet0/0.1 vlan 5 ! Sub-interface assigned to the Cubs context as the inside interface. A VLAN ID is ! assigned to the interface interface GigabitEthernet0/0.2 vlan 10 ! Sub-interface assigned to the Bears context as the inside interface. A VLAN ID is ! assigned to the interface interface GigabitEthernet0/0.3 vlan 20 ! Main GigabitEthernet0/1 interface interface GigabitEthernet0/1 ! Sub-interface assigned to the admin context as the outside interface. A VLAN ID is ! assigned to the interface interface GigabitEthernet0/1.1 vlan 101 ! Sub-interface assigned to the Cubs context as the outside interface. A VLAN ID is ! assigned to the interface interface GigabitEthernet0/1.2 vlan 110 ! Sub-interface assigned to the Bears context as the outside interface. A VLAN ID is ! assigned to the interface interface GigabitEthernet0/1.3 vlan 120 hostname Brussels ! context named "admin" is the designated Admin context admin-context admin ! "admin" context definition along with the allocated interfaces. context admin description admin Context for admin purposes allocate-interface GigabitEthernet0/0.1 allocate-interface GigabitEthernet0/1.1 config-url disk0:/admin.cfg ! "Cubs" context definition along with the allocated interfaces. context Cubs description Cubs Customer Context allocate-interface GigabitEthernet0/0.2 allocate-interface GigabitEthernet0/1.2 config-url disk0:/Cubs.cfg ! "Bears" context definition along with the allocated interfaces. context Bears description Bears Customer Context allocate-interface GigabitEthernet0/0.3 allocate-interface GigabitEthernet0/1.3 config-url disk0:/Bears.cfg _____________________________________________________________________________ Admin Context Brussels/admin# show running ! transparent firewall mode is enabled in all contexts firewall transparent ASA Version 7.0(1) ! inside interface of the admin context with security level set to 100 interface GigabitEthernet0/0.1 nameif inside security-level 100 ! outside interface of the admin context with security level set to 0 interface GigabitEthernet0/1.1 nameif outside security-level 0 ! hostname admin ! Global IP address ip address 192.168.1.10 255.255.255.0 ! configuration of a syslog server with logging level set to emergencies with timestamp logging enable logging timestamp logging trap emergencies logging host inside 192.168.1.100 ! route outside 0.0.0.0 0.0.0.0 192.168.1.1 ! configuration of a AAA server using RADIUS for authentication aaa-server uauth protocol radius aaa-server uauth host 192.168.1.20 key cisco123 !Telnet and SSH using RADIUS for authentication aaa authentication telnet console uauth aaa authentication ssh console uauth ! Telnet to the admin context is allowed from the inside interface telnet 192.168.1.0 255.255.255.0 inside telnet timeout 5 ! SSH to the admin context is allowed from the outside interface ssh 0.0.0.0 0.0.0.0 outside ssh timeout 5 _____________________________________________________________________________ Security Context for Cubs Brussels/Cubs# show running ! transparent firewall mode is enabled in all contexts firewall transparent ASA Version 7.0(1) !inside interface of the Cubs context with security level set to 100 interface GigabitEthernet0/0.2 nameif inside security-level 100 !outside interface of the Cubs context with security level set to 0 interface GigabitEthernet0/1.2 nameif outside security-level 0 ! hostname Cubs ! Access-list entry to allow IPX and BPDU traffic access-list layer2_acl ethertype permit ipx access-list layer2_acl ethertype permit bpdu access-list layer2_acl ethertype deny any ! Access-list is applied to the inside interface access-group layer2_acl in interface inside ! Access-list is also applied to the outside interface access-group layer2_acl in interface outside ! Management IP address ip address 192.168.10.10 255.255.255.0 ! Default route for management traffic route outside 0.0.0.0 0.0.0.0 192.168.10.1 1 ! L2F timeout is set to 20 minutes mac-address-table aging-time 20 ______________________________________________________________________________ Security Context for Bears Brussels/Bears# show running ! transparent firewall mode is enabled in all contexts firewall transparent ASA Version 7.0(1) !inside interface of the Bears context with security level set to 100 interface GigabitEthernet0/0.3 nameif inside security-level 100 !outside interface of the Bears context with security level set to 0 interface GigabitEthernet0/1.3 nameif outside security-level 0 ! enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname Bears ! Access-list entry to allow all IP traffic on the inside interface access-list inside_in extended permit ip any any ! Access-list entry to only allow EIGRP and VRRP traffic on the outside interface access-list outside_in extended permit eigrp any any access-list outside_in extended permit 112 any any access-list outside_in extended deny ip any any log ! ! Global IP address ip address 192.168.20.10 255.255.255.0 ! Access-list is applied to the inside interface access-group inside_in in interface inside ! Access-list is applied to the outside interface access-group outside_in in interface outside route outside 0.0.0.0 0.0.0.0 192.168.20.1 1 ! learning MAC address on the outside interface is not allowed mac-learn outside disable ! Static L2F entry of outside router as dynamic learning is not allowed mac-address-table static outside 00ff.fff0.003e
Part I: Product Overview
Introduction to Network Security
Product History
Hardware Overview
Part II: Firewall Solution
Initial Setup and System Maintenance
Network Access Control
IP Routing
Authentication, Authorization, and Accounting (AAA)
Application Inspection
Security Contexts
Transparent Firewalls
Failover and Redundancy
Quality of Service
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
Configuring and Troubleshooting Cisco IPS Software via CLI
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
Remote Access VPN
Public Key Infrastructure (PKI)
Part V: Adaptive Security Device Manager
Introduction to ASDM
Firewall Management Using ASDM
IPS Management Using ASDM
VPN Management Using ASDM
Case Studies