Thursday, July 22, 2010

CCNA Security 32

Setting up a normal ASA solution requires proper design of the network infrastructure. Installing a routed-mode ASA into a mature network is difficult because each of its interfaces needs its own subnet, which means re-addressing the existing network.
To add a firewall to an existing network without changing any of its infrastructure, we implement TFM, which stands for Transparent Firewall Mode. By default the ASA runs in Routed Mode, where every interface must be on a different subnet. Enabling TFM pushes the ASA into a layer 2 configuration; in TFM the ASA behaves like a bridge.

The only IP address we need to add is the management address of the ASA. The downside of TFM is that it supports only two data interfaces. Traffic is now forwarded by MAC address, and non-IP (EtherType) traffic can be permitted with EtherType access lists.

A management IP address is required, and it must be on the same subnet as the bridged hosts. The two data interfaces carry no IP addresses of their own; they only bridge traffic. Both connected networks must be in the same subnet, and a proper default gateway must be configured for the management address.

If you use TFM, you cannot use DDNS, routing protocols (these protocols can traverse the ASA; it is just that the ASA itself cannot run one), DHCP Relay, QoS, multicast or VPN termination. The ASA only supports NAT in transparent mode; you cannot use PAT.

To check the firewall mode, we can use this command in EXEC mode:
show firewall

To change the firewall mode, we'll use the command:
firewall transparent

This will actually WIPE OUT all your current configuration! Now we'll begin by configuring the two interfaces like we typically do:
interface e0
nameif OUTSIDE
security-level 0
interface e1
nameif INSIDE
security-level 100

Now we'll configure the management IP address. This is done at the global configuration prompt, not under an interface:
ip address

To add a default-gateway, we'll type:
route OUTSIDE 0 0

At this point we'll use a topology that looks like this to demonstrate the firewall operation:

The User has an IP of and the Router has an IP of . Once you have entered the above commands, the User can telnet into the Router but not the other way round, because INSIDE has security level 100 and OUTSIDE has security level 0, so only traffic from the higher-security side is allowed by default. This is very similar to normal ASA functionality, except that it is done at layer 2.

The ASA has a feature to perform ARP inspection. ARP inspection makes sure there is no mismatch between the IP address, the MAC address and the source interface of an ARP packet, which stops ARP spoofing across the bridge. The no-flood keyword makes the ASA drop ARP packets that match no entry instead of flooding them out the other interface. To turn on ARP inspection, we'll type:
arp-inspection INSIDE enable no-flood
arp-inspection OUTSIDE enable no-flood

Note that the ASA being transparent doesn't mean it cannot look further than layer 2. It can still filter packets as usual! We'll demonstrate this by allowing the Router to telnet back to the User. To do this, we'll type:
access-list PERMITTELNET extended permit tcp host host eq 23

Similarly, you can control non-IP traffic by configuring an EtherType access list, for example to permit MPLS unicast frames:
access-list PERMITMPLSUNICAST ethertype permit mpls-unicast
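The whole procedure above (switching to transparent mode, naming the two data interfaces, setting the management address and default route, enabling ARP inspection, and the Telnet and EtherType access lists) assembled into one complete configuration. This is an added example, not the post's own configuration: the 192.0.2.0/24 addresses (documentation range), the interface names Ethernet0/0 and Ethernet0/1 and the MAC addresses are constructed assumptions. It uses the pre-8.4 global `ip address` form the post describes; from ASA 8.4 onward the data interfaces are placed in a bridge group and the management address is configured on the BVI interface instead. Two things the post does not spell out are included: ARP inspection only checks against static ARP entries, so an `arp` entry is needed for each host you want protected (with no-flood, an ARP packet that matches no static entry is dropped, so unlisted hosts lose connectivity through the bridge), and an access list does nothing until it is bound to an interface with `access-group`.

```cisco
! Added example: complete transparent-mode configuration for the post's
! topology. Addresses, MAC addresses and interface names are assumed.
!
! Leave the default routed mode. This clears the running configuration,
! so do it on a fresh or backed-up device.
firewall transparent
!
! The two data interfaces get only a name and a security level, as in
! routed mode; they carry no IP address.
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 no shutdown
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 no shutdown
!
! The only IP address on the box: the management address, set globally
! (pre-8.4 syntax). It must sit in the bridged subnet, here 192.0.2.0/24.
ip address 192.0.2.2 255.255.255.0
!
! Default gateway for management traffic; the Router is assumed at 192.0.2.1.
route OUTSIDE 0.0.0.0 0.0.0.0 192.0.2.1
!
! Static ARP entries that ARP inspection checks against. The MAC addresses
! are placeholders; use the real ones from the User and the Router.
arp INSIDE  192.0.2.10 0000.0c00.0010
arp OUTSIDE 192.0.2.1  0000.0c00.0001
!
! Drop any ARP packet whose IP, MAC or interface disagrees with the table,
! and (no-flood) drop ARP packets that match no static entry rather than
! flooding them to the other interface.
arp-inspection INSIDE enable no-flood
arp-inspection OUTSIDE enable no-flood
!
! Layer 3/4 filtering still works: allow the Router (192.0.2.1) to open a
! Telnet session to the User (192.0.2.10) from the lower-security side.
! The ACL takes effect only once it is applied with access-group.
access-list PERMITTELNET extended permit tcp host 192.0.2.1 host 192.0.2.10 eq 23
access-group PERMITTELNET in interface OUTSIDE
!
! Non-IP traffic is dropped unless an EtherType ACL permits it; this one
! lets MPLS unicast frames cross the bridge, applied on both interfaces.
access-list PERMITMPLSUNICAST ethertype permit mpls-unicast
access-group PERMITMPLSUNICAST in interface INSIDE
access-group PERMITMPLSUNICAST in interface OUTSIDE
!
! Verification: confirm the mode, the inspection state and the ACL bindings.
show firewall
show arp-inspection
show running-config access-group
```

After applying this, the User can still reach the Router as before, the Router can now telnet to the User through the OUTSIDE ACL, and any host that sends an ARP packet with an IP/MAC pairing or on an interface that disagrees with the static table is silently cut off at the bridge.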
