Copyright Cisco ASA, PIX, and FWSM Firewall Handbook David Hucaby Copyright© 2008 Cisco Systems, Inc. Cisco Press logo is a trademark of Cisco Systems, Inc. Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America First Printing August 2007 Library of Congress Cataloging-in-Publication Data Hucaby, David. Cisco ASA, PIX, and FWSM firewall handbook / Dave Hucaby. --2nd ed. p. cm. Earlier ed. published under title: Cisco ASA and PIX firewall handbook. ISBN 978-1-58705-457-0 (pbk.) 1. Computer networks--Security measures. 2. Firewalls (Computer security) I. Hucaby, Dave. Cisco ASA and PIX firewall handbook. II. Cisco Systems, Inc. III. Title. TK5105.59.H83 2007 005.8--dc22 ISBN-13: 978-1-58705-457-0 Warning and Disclaimer This book is designed to provide information about configuring and using the Cisco Adaptive Security Algorithm (ASA) series and the Cisco Catalyst Firewall Services Module (FWSM). Every effort has been made to make this book as complete and accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc. Trademark Acknowledgments All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Corporate and Government Sales The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com. For sales outside the United States please contact: International Sales international@pearsoned.com Feedback Information At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at feedback@ciscopress.com . Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance. Publisher Paul Boger Associate Publisher Dave Dusthimer Cisco Representative Anthony Wolfenden Cisco Press Program Manager Jeff Brady Executive Editor Brett Bartow Managing Editor Patrick Kanouse Publisher Paul Boger Senior Development Editor Christopher Cleveland Project Editor Mandie Frank Copy Editor Kevin Kent Technical Editors Greg Abelar, Mark Macumber Editorial Assistant Vanessa Evans Designer Louisa Adair Composition S4 Carlisle Publishing Services Indexer Tim Wright Proofreader Kathy Bidmen Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Asia Pacific Headquarters Cisco Systems, Inc. 168 Robinson Road #28-01 Capital Tower Singapore 068912 www.cisco.com Tel: +65 6317 7777 Fax: +65 6317 7799 Europe Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: +31 0 800 020 0791 Fax: +31 0 20 357 1100 Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices. ©2007 Cisco Systems, Inc. All rights reserved. CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0609R) Dedications As always, this book is dedicated to the most important people in my life—my wife, Marci, and my two little daughters, Lauren and Kara. I would also like to dedicate the book to my parents, Reid and Doris Hucaby. God has blessed me with a very wonderful and supportive family. About the Author David Hucaby, CCIE No. 4594, is a lead network engineer for the University of Kentucky, where he works with health-care networks based on the Cisco Catalyst, ASA, FWSM, and VPN product lines. He was one of the beta reviewers of the ASA 8.0 operating system software. He has a B.S. and M.S. in electrical engineering from the University of Kentucky. He is the author of three other books from Cisco Press: CCNP BCMSN Official Exam Certification Guide, Cisco Field Manual: Router Configuration, and Cisco Field Manual: Catalyst Switch Configuration. He lives in Kentucky with his wife, Marci, and two daughters. About the Technical Reviewers Greg Abelar has been an employee of Cisco since December 1996. He was an original member of the Cisco Technical Assistance Security team, helping to hire and train many of the engineers. He has held various positions in both the Security Architecture and Security Technical Marketing Engineering teams at Cisco. Greg is the primary founder and project manager of the Cisco written CCIE Security exam. Greg is the author of the Cisco Press title Securing Your Business with Cisco ASA and PIX Firewalls and coauthor of Security Threat Mitigation and Response: Understanding Cisco Security MARS, and has been a technical editor for various Cisco Press security books. Visit Greg's blogs: Internet Security for the Home—http://security1a.blogspot.com/ Enterprise Internet Security—http://security2b.blogspot.com/ Mark Macumber is a systems engineer in the field sales organization for Cisco. Mark joined Cisco in 1999 working in the Network Service Provider Sales Division on Internet Service Provider networks and with telco DSL network designs. Since 2002, Mark has served in the large enterprise customer space working through customer designs for campus switching, WAN routing, unified communications, wireless, and security. Security products and architecture are Mark's current technical focus within the enterprise space. The Enterprise Security SE team learns and delivers content on Cisco security products such as firewalls, host/network based intrusion detection/prevention systems, AAA, security information management, network admission control, and SSL/IPSec VPN. Acknowledgments It is my pleasure to be involved in writing another Cisco Press book. Technical writing, for me, is great fun, although writing large books is hard work. The good folks at Cisco Press provided a wealth of help during the writing process. In particular, I'm very grateful to have worked with my friends Brett Bartow and Chris Cleveland yet again. They are amazing at what they do, and I'm very appreciative! I'm also grateful to Mandie Frank for managing many of the production pieces for the final product. I would like to acknowledge the hard work and good perspective of the technical reviewers for this edition: Greg Abelar and Mark Macumber. I respect these two fellows' abilities very much, and I'm glad they agreed to wade through the book with me. Several people have gone out of their way to help me, whether they realize it or not. Hopefully I have listed them all here. Mark Macumber remains a valuable resource and friend on many fronts. Surely he cringes when he sees the word "favor" in the subject line of my emails! I would also like to thank the many people on the ASA 8.0 beta team who have offered me their help and knowledge: Madhusudan Challa, Pete Davis, Matt Greene, Iqlas Ottamalika, Jeff Parker, Priyan Pathirana, Dan Qu, Nelson Rodrigues, Nancy Schmitt, Vincent Shan, Andy Teng, Mark Terrel, and Nagaraj Varadharajan. Several people involved in the FWSM 3.2 development have been very patient and helpful, even though I arrived too late to get in on the beta program: Anne Dalecki Greene, Munawar Hossain, and Reza Saadat. Two TAC engineers who have helped answer my questions along the way should also be acknowledged: Kureli Sankar and Kevin Tremblay. Finally, revising this book has been an unusually difficult project for me. As always, God has given me encouragement and endurance at just the right times. I have come to appreciate the little signs that Kara makes and sticks up around the house. Two signs in particular have been right on the mark: "Out of Time" and "Be Thankful" Icons Used in This Book Throughout this book, you will see a number of icons used to designate Cisco and general networking devices, peripherals, and other items. The following icon legend explains what these icons represent. Command Syntax Conventions The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: • Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands manually by the user (such as a show command). • Italics indicates arguments for which you supply actual values. • Vertical bars | separate alternative, mutually exclusive elements. • Square brackets [ ] indicate optional elements. • Braces { } indicate a required choice. • Braces within brackets [{ }] indicate a required choice within an optional element. Foreword Today's networks are called upon to securely deliver data, voice, videoconferencing, wireless communication, and much more to a wide variety of users, such as employees, suppliers, partners, and customers. Securing the network has become a vital task to ensure this ubiquitous connectivity is delivered without risking unauthorized access, misuse, or attacks on the network. While a vast number of different security technologies are now being applied to the problem of securing networks and endpoints, the long-proven and trusted firewall remains the central component to any security deployment. It is the firewall that continues to act as the primary gatekeeper, ensuring that all network traffic, from Layer 2 to Layer 7, is authorized and verified as legitimate before it transits the network. Many books on network security and firewalls settle for a discussion focused primarily on concepts and theory. This book, however, goes well beyond these topics. It covers, in tremendous detail, the information every network and security administrator needs to know when configuring and managing market-leading firewall products from Cisco, including the PIX and ASA Security Appliances and Catalyst Firewall Services Module. As the title suggests, this book is really a handbook that provides in-depth explanations of the initial configuration and, perhaps more importantly, the ongoing management of Cisco firewalls. It provides practical, day-to-day guidance for how to successfully configure all aspects of the firewall, including topics such as establishing access control policies, authorizing end users, leveraging high availability deployments, and monitoring firewall health through a variety of management interfaces. In addition to his role managing Cisco firewalls as a lead network engineer for the University of Kentucky, the author, David Hucaby, CCIE, spent considerable time collaborating directly with the Cisco engineering teams responsible for these products to ensure this book contains the most in-depth, useful, and up-to-date information available anywhere. Keep this book handy—you will find yourself referencing it often! Jason W. Nolet Vice President of Engineering Security Technology Group Cisco June 2007 Introduction This book focuses on the complete product line of Cisco firewall hardware: the PIX and ASA Security Appliance families and the Catalyst Firewall Services Module (FWSM). Of the many sources of information and documentation about Cisco firewalls, very few provide a quick and portable solution for networking professionals. This book is designed to provide a quick and easy reference guide for all the features that can be configured on any Cisco firewall. In essence, an entire bookshelf of firewall documentation, along with other networking reference material, has been "squashed" into one handy volume. This book covers only the features that can be used for stateful traffic inspection and overall network security. Although Cisco firewalls can also support VPN functions, those subjects are not covered here. This book is based on the most current Cisco firewall software releases available at press time— ASA release 8.0(1) and FWSM release 3.2(1). In the book, you will find ASA, PIX, and FWSM commands presented side-by-side for any specific task. The command syntax is shown with a label indicating the type of software that is running, according to the following convention: • ASA— Refers to any platform that can run ASA release 7.0(1) or later. This can include the ASA 5500 family, as well as the PIX 500 family. For example, even though a PIX 535 can run a specific build of the ASA 8.0(1) code, the commands are still labeled "ASA" to follow the operating system being used. • PIX— Refers to a PIX release 6.3. • FWSM— Refers to FWSM release 3.1(1) or later. If you are using an earlier version of software, you might find that the configuration commands differ slightly. With the advent of the ASA platform, Cisco began using different terminology: firewalls became known as security appliances because of the rich security features within the software and because of the modular nature of the ASA chassis. This new terminology has been incorporated in this book where appropriate. However, the term firewall is still most applicable here because this book deals with both security appliances and firewalls embedded within Catalyst switch chassis. As you read this book, keep in mind that the terms firewall and security appliance are used interchangeably. How This Book Is Organized This book is meant to be used as a tool in your day-to-day tasks as a network or security administrator, engineer, consultant, or student. I have attempted to provide a thorough explanation of many of the more complex firewall features. When you better understand how a firewall works, you will find it much easier to configure and troubleshoot. This book is divided into chapters that present quick facts, configuration steps, and explanations of configuration options for each Cisco firewall feature. The chapters and appendixes are as follows: • Chapter 1, "Firewall Overview"— Describes how a Cisco firewall inspects traffic. It also offers concise information about the various firewall models and their performance. • Chapter 2, "Configuration Fundamentals"— Discusses the Cisco firewall user interfaces, feature sets, and configuration methods. • Chapter 3, "Building Connectivity"— Explains how to configure firewall interfaces, routing, IP addressing services, and IP multicast support. • Chapter 4, "Firewall Management"— Explains how to configure and maintain security contexts, flash files, and configuration files; how to manage users; and how to monitor firewalls with SNMP. • Chapter 5, "Managing Firewall Users"— Covers the methods you can use to authenticate, authorize, and maintain accounting records for a firewall's administrative and end users. • Chapter 6, "Controlling Access Through the Firewall"— Describes the operation and configuration of the transparent and routed firewall modes, as well as address translation. Other topics include traffic shunning and threat detection. • Chapter 7, "Inspecting Traffic"— Covers the Modular Policy Framework, which is used to define security policies that identify and act on various types of traffic. The chapter also discusses the application layer inspection engines that are used within security policies, as well as content filtering. • Chapter 8, "Increasing Firewall Availability with Failover"— Explains firewall failover operation and configuration, offering high availability with a pair of firewalls operating in tandem. • Chapter 9, "Firewall Load Balancing"— Discusses how firewall load balancing works and how it can be implemented in a production network to distribute traffic across many firewalls in a firewall farm. • Chapter 10, "Firewall Logging"— Explains how to configure a firewall to generate an activity log, as well as how to analyze the log's contents. • Chapter 11, "Verifying Firewall Operation"— Covers how to check a firewall's vital signs to determine its health, how to verify its connectivity, and how to observe data that is passing through it. • Chapter 12, "ASA Modules"— Discusses the Security Services Modules (SSMs) that can be added into an ASA chassis, along with their basic configuration and use. • Appendix A, "Well-Known Protocol and Port Numbers"— Presents lists of well-known IP protocol numbers, ICMP message types, and IP port numbers that are supported in firewall configuration commands. [...]... information about firewall functionality and securing a network: Cisco' s SAFE Blueprint documents at http://www .cisco. com/go/safe Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance by Omar Santos and Jazib Frahim, Cisco Press, ISBN 1-58705-209-1 (978-1-58705-209-5) Securing Your Business with Cisco ASA and PIX Firewalls by Greg Abelar, Cisco Press, ISBN 1-58705-214-8 (978-1-58705-214-9)... level offers complete access to all firewall information, configuration editing, and debugging commands A help system offers command syntax and command choices at any user prompt A history of executed firewall commands can be kept As well, command lines can be edited and reused The output from a command can be searched and filtered so that useful information can be found quickly ... by Wes Noonan and Ido Dubrawsky, Cisco Press, ISBN 1-58705-221-0 (978-1-58705-221-7) Network Security Principles and Practices by Saadat Malik, Cisco Press, ISBN 1-58705-025-0 (978-1-58705-025-1) Designing Network Security, Second Edition by Merike Kaeo, Cisco Press, ISBN 1-58705-117-6 (978-1-58705-117-3) Cisco Access Control Security: AAA Administration Services by Brandon Carroll, Cisco Press, ISBN... traditionally been called fixup, and more recently an inspection engine or application layer protocol inspection Some protocols are simple and have very loose guidelines about the traffic between source and destination These are called connectionless protocols, and they include ICMP and UDP Other protocols are very strict about the handshaking and packet exchange between source and destination These are called... engines and algorithms are responsible for enforcing any security policies configured into the firewall 1-2: Inspection Engines for ICMP, UDP, and TCP— Describes how a firewall reacts to traffic of different IP protocols The inspection mechanisms for the ICMP, UDP, and TCP protocols are covered 1-3: Hardware and Performance— Provides an overview and comparison of the various Cisco firewall platforms and. .. 4 discusses multiple-context mode in detail 1-3 Hardware and Performance Cisco offers firewall functionality in a variety of hardware platforms, many of which are network appliances, where the firewall is contained in a standalone chassis These include the Cisco PIX Security Appliance and Cisco Adaptive Security Appliance (ASA) platforms The FWSM is a "blade" or module that can be used in a Catalyst... described as follows: • A Cisco firewall supports user access by these methods: - Command-line interface (CLI) by an asynchronous console connection - CLI by a Telnet session - CLI by Secure Shell (SSH) version 1.x or 2 (Adaptive Security Appliance [ASA] and Firewall Services Module [FWSM] ) - Adaptive Security Device Manager (ASDM) through a web browser for ASA and FWSM platforms, and PIX Device Manager... identify and grant permission for corporate and outside users - Developing a plan for auditing the security activities Actually implementing and refining the policies becomes a continual process of four steps: a Secure the network (configure firewalls, routers, intrusion protection systems, and so on) b Monitor and respond to malicious activity c Test existing security policies and components d Manage and. .. connection, a Cisco firewall can generate a random initial sequence number (ISN) toward the foreign host Some hosts do not generate a truly random ISN, resulting in predictable values that can be exploited The firewall can substitute a truly random ISN into the TCP packets when the connection is negotiated This reduces the risk of session hijacking and is totally transparent to the local and foreign... handshake to initiate a connection is marked by flags that indicate which end sent the first SYN bit and which host is expecting the next SYN or SYNACK bit handshake Likewise, the handshake to close a TCP connection is tracked by the state of FIN bit exchanges Figure 1-7 shows how a firewall handles TCP traffic between two hosts on different interfaces Here, the packet exchange between hosts PC-1 and . Copyright Cisco ASA, PIX, and FWSM Firewall Handbook David Hucaby Copyright© 2008 Cisco Systems, Inc. Cisco Press logo is a trademark of Cisco Systems,. David. Cisco ASA, PIX, and FWSM firewall handbook / Dave Hucaby. --2nd ed. p. cm. Earlier ed. published under title: Cisco ASA and PIX firewall handbook.