Securing Networks with PIX and ASA (SNPA) v4.0, Volume 3 — Student Guide Text

SNPA Securing Networks with PIX and ASA, Volume 3, Version 4.0, Student Guide Text. Part Number: 97-2242-01.

The PDF files and any printed representation for this material are the property of Cisco Systems, Inc., for the sole use by Cisco employees for personal study. The files or printed representations may not be used in commercial training, and may not be distributed for purposes other than individual study.

Copyright © 2005, Cisco Systems, Inc. All rights reserved.
Table of Contents, Volume 3

Configuring Security Contexts 15-1
• Overview 15-1
• Objectives 15-1
• Security Context Overview 15-2
• Enabling Multiple Context Mode 15-7
• Configuring a Security Context 15-11
• Managing Security Contexts 15-18
• Summary 15-23

Failover 16-1
• Overview 16-1
• Objectives 16-1
• Understanding Failover 16-2
• Serial Cable-Based Failover Configuration 16-10
• Active/Standby LAN-Based Failover Configuration 16-24
• Active/Active Failover Configuration 16-37
• Summary 16-51

Cisco Security Appliance Device Manager 17-1
• Overview 17-1
• Objectives 17-1
• ASDM Overview and Operating Requirements 17-2
• Windows Requirements 17-6
• SUN Solaris Requirements 17-6
• Linux Requirements 17-7
• General Guidelines 17-7
• Prepare for ASDM 17-9
• Navigating ASDM Configuration Windows 17-13
• Navigating ASDM Multimode Windows 17-35
• Summary 17-41

AIP-SSM—Getting Started 18-1
• Overview 18-1
• Objectives 18-1
• AIP-SSM Overview 18-2
• AIP-SSM SW Loading 18-7
• Initial IPS ASDM Configuration 18-17
• Configure a Security Policy on the ASA Security Appliance 18-22
• Summary 18-29

Managing Security Appliances 19-1
• Overview 19-1
• Objectives 19-1
• Managing System Access 19-2
• Managing User Access Levels 19-12
• Managing Software, Licenses, and Configurations 19-31
• Image Upgrade and Activation Keys 19-38
• Summary 19-45

Configuring PIX Security Appliance Remote Access Using Cisco Easy VPN A1-1
• Overview A1-1
• Objectives A1-1
• PIX Security Appliance Easy VPN Remote Feature Overview A1-2
• Easy VPN Remote Configuration A1-3
• PPPoE and the PIX Security Appliance A1-7
• DHCP Server Configuration A1-19
• Summary A1-30

Firewall Services Module A2-1
• Overview A2-1
• Objectives A2-1
• FWSM Overview A2-2
• Network Model A2-6
• Getting Started A2-10
• Summary A2-21

ii Securing Networks with PIX and ASA (SNPA) v4.0 © 2005, Cisco Systems, Inc.

Lesson 15
Configuring Security Contexts

Overview
This lesson describes the purpose of security contexts and how to enable, configure, and manage multiple contexts.

Objectives
Upon completing this lesson, you will be able to configure the security appliance to support multiple contexts. This ability includes being able to meet these objectives:
• Explain the purpose of security contexts
• Enable and disable multiple context mode
• Configure a security context
• Manage a security context

Security Context Overview
This topic provides an overview of security contexts.

Virtualization (SNPA v4.0—15-3)
• You can partition a single security appliance into multiple virtual firewalls, known as security contexts.
• Each context has its own configuration that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone firewall.
• The system administrator adds and manages contexts by configuring them in the system configuration, which identifies basic settings for the security appliance.
• When the system needs to access network resources, it uses one of the contexts that is designated as the admin context.
[Figure: a single security appliance partitioned into Security Context A, Security Context B, and Security Context C]

You can partition a single security appliance into multiple virtual firewalls, known as security contexts. Each context is an independent firewall, with its own security policy, interfaces, and administrators. Having multiple contexts is similar to having multiple stand-alone firewalls. Each context has its own configuration that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone firewall. If desired, you can allow individual context administrators to implement the security policy on the context. Some resources are controlled by the overall system administrator, such as VLANs and system resources, so that one context cannot affect other contexts inadvertently.

The system administrator adds and manages contexts by configuring them in the system configuration, which identifies basic settings for the security appliance. The system administrator has privileges to manage all contexts. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context.
The admin context is just like any other context, except that when a user logs into the admin context, that user has system administrator rights and can access the system execution space and all other contexts. Typically, the admin context provides network access to network-wide resources, such as a syslog server or context configuration server.

Common Uses for Security Contexts (SNPA v4.0—15-4)
Multiple security contexts can be used in the following situations:
• Service provider wanting to sell firewall services to many customers
• Large enterprise or a college campus wanting to keep departments completely separate
• Enterprise wanting to provide distinct security policies to different departments
• Any network requiring more than one firewall
[Figure: a security appliance with Security Context A serving Company A, Security Context B serving Company B, and Security Context C serving Company C]

You might want to use multiple security contexts in the following situations:
• You are a service provider and want to sell firewall services to many customers.
• You are a large enterprise or a college campus and want to keep departments completely separate.
• You are an enterprise that wants to provide distinct security policies to different departments.
• You have a network that requires more than one firewall.
Service Provider-Managed Security Appliance with Multiple Contexts (SNPA v4.0—15-5)
• Same service as available with multiple security appliances
• Now available in a smaller, more manageable package
[Figure: a service provider security appliance between the Internet and the customer premises, divided into virtual firewalls VFW1, VFW2, VFW3, and VFW4]

In this example, a service provider is using a single security appliance divided into multiple contexts to deliver the same service as multiple stand-alone small security appliances. By enabling multiple security contexts on the security appliance, the service provider can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.

Context Configuration Files (SNPA v4.0—15-6)
Context configuration files have the following characteristics:
• Each context has its own configuration file.
• The security appliance also includes a system configuration that identifies basic settings for the security appliance, including a list of contexts.
[Figure: System Config; Security Context Admin with its Admin Config; Security Context B with its Security Context B Config; Security Context C with its Security Context C Config]

Each context has its own configuration file that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone firewall.
You can store context configurations on the local disk partition on the Flash memory card, or you can download them from a TFTP, FTP, or HTTPS server. In addition to the configurations of the individual security contexts, the security appliance also includes a system configuration that identifies basic settings for the security appliance, including a list of contexts. Like the single-mode configuration, the system configuration resides as the startup configuration in the Flash memory partition.

Packet Classification (SNPA v4.0—15-7)
Each packet that enters the security appliance must be classified, so that the security appliance can determine to which context to send the packet. The security appliance checks for the following characteristics:
• Source interface (VLAN)
• Destination address
The security appliance uses the characteristic that is unique and not shared across contexts.
• You can share a VLAN interface as long as each IP address space on that VLAN is unique.
• You can have overlapping IP addresses as long as the VLANs are unique.
[Figure: Security Context A on vlan1, Security Context B on vlan2, and Security Context C on vlan3, each using the inside address 192.168.0.1]

Each packet that enters the security appliance must be classified so that the security appliance can determine to which context to send the packet.
The security appliance checks for the following characteristics:
• Source interface (VLAN)
• Destination address

In classifying packets, the security appliance uses the characteristic of each packet that is unique and not shared across contexts. For example, if you share a VLAN across contexts, the classifier uses the destination IP address. You can share a VLAN interface as long as each IP address space on that VLAN is unique, or you can have overlapping IP addresses as long as the VLANs are unique. The figure shows multiple contexts sharing an outside VLAN, while the inside VLANs are unique, allowing overlapping IP addresses.

Enabling Multiple Context Mode
This topic describes how to enable multiple contexts on the security appliance.

Backing Up the Single-Mode Configuration (SNPA v4.0—15-9)
When you convert from single mode to multiple mode, the running configuration is converted into two files:
• A new startup configuration that comprises the system configuration
• admin.cfg, which comprises the admin context
The original running configuration is saved as old_running.cfg (on disk).
[Figure: the single-mode running configuration becomes the multimode System Config plus the Admin Config of Security Context Admin; the original is kept as old_running.cfg]

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration (in Flash memory) that comprises the system configuration, and admin.cfg (in the disk partition) that comprises the admin context.
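The packet classification rules above (source VLAN first, destination address only when the VLAN is shared) as an added example, not code from the Cisco guide: a small Python model of the classifier with constructed context names, VLAN names and address spaces mirroring the figure, plus a check that goes beyond the text by flagging the one configuration the rules forbid, overlapping address spaces on a shared VLAN.

```python
# Added example (not Cisco code): a model of this lesson's packet classifier.
# Context names, VLAN names and address spaces are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

@dataclass
class Context:
    name: str
    # interface (VLAN) name -> address space this context owns on that VLAN
    interfaces: Dict[str, IPv4Network] = field(default_factory=dict)

class Classifier:
    def __init__(self, contexts: List[Context]):
        self.contexts = contexts

    def classify(self, ingress_vlan: str, dst: str) -> Optional[str]:
        """Return the context that receives the packet, or None if none does."""
        dst_ip = IPv4Address(dst)
        # Rule 1: source interface. If only one context has this VLAN,
        # the VLAN is the unique characteristic and decides the context.
        owners = [c for c in self.contexts if ingress_vlan in c.interfaces]
        if not owners:
            return None  # VLAN is not allocated to any context
        if len(owners) == 1:
            return owners[0].name
        # Rule 2: the VLAN is shared, so fall back to the destination
        # address, which must be unique per context on that VLAN.
        hits = [c for c in owners if dst_ip in c.interfaces[ingress_vlan]]
        return hits[0].name if len(hits) == 1 else None

def find_overlaps(contexts: List[Context]) -> List[Tuple[str, str, str]]:
    """(vlan, ctx1, ctx2) triples whose address spaces overlap on a shared VLAN."""
    seen: Dict[str, List[Tuple[str, IPv4Network]]] = {}
    problems = []
    for c in contexts:
        for vlan, net in c.interfaces.items():
            for other, other_net in seen.get(vlan, []):
                if net.overlaps(other_net):
                    problems.append((vlan, other, c.name))
            seen.setdefault(vlan, []).append((c.name, net))
    return problems

# Constructed to mirror the figure: a shared outside VLAN (vlan10) with unique
# address spaces, and unique inside VLANs with overlapping 192.168.0.0/24.
CONTEXTS = [
    Context("A", {"vlan10": IPv4Network("203.0.113.0/26"),
                  "vlan1": IPv4Network("192.168.0.0/24")}),
    Context("B", {"vlan10": IPv4Network("203.0.113.64/26"),
                  "vlan2": IPv4Network("192.168.0.0/24")}),
    Context("C", {"vlan10": IPv4Network("203.0.113.128/26"),
                  "vlan3": IPv4Network("192.168.0.0/24")}),
]
CLASSIFIER = Classifier(CONTEXTS)

# Constructed misconfiguration: two contexts overlap on the shared VLAN.
BAD_CONTEXTS = [
    Context("X", {"vlan10": IPv4Network("203.0.113.0/25")}),
    Context("Y", {"vlan10": IPv4Network("203.0.113.64/26")}),
]
```

A packet arriving on a unique inside VLAN is classified by the VLAN alone, so the overlapping 192.168.0.0/24 spaces never collide; on the shared vlan10 a destination covered by two contexts has no unique characteristic and is returned as unclassifiable.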
The original running configuration is saved as old_running.cfg (on disk). The original startup configuration is not saved; therefore, if it differs from the running configuration, you should back it up before proceeding.

The Admin Context (SNPA v4.0—15-10)
The admin context has the following characteristics:
• The system execution space has no traffic-passing interfaces, and uses the policies and interfaces of the admin context to communicate with other devices.
• It is used to fetch configs for other contexts and send system-level syslogs.
• Users logged in to the admin context are able to change to the system context and create new contexts.
• Aside from its significance to the system, it could be used as a regular context.
[Figure: a multimode security appliance with the System Config, Security Context Admin with its Admin Config, Security Context A, and Security Context B]

The system configuration does not include any network interfaces or network settings for itself; instead, when the system needs to access network resources (such as downloading the contexts from a server), it uses one of the contexts that is designated as the admin context. If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the disk partition called admin.cfg. The admin context has the following characteristics:
• The system execution space has no traffic-passing in...