Firewall Core for CCIE Candidates By Rafael Leiva-Ochoa


1 Firewall Core for CCIE Candidates By Rafael Leiva-Ochoa BRKCCIE Cisco Systems, Inc.

2 Introduction Rafael since Oct 2000 Works in the TS Training Group (Part of Delivers courses on Security to Global TAC Centers CCIE Security since Cisco Systems, Inc.

3 Participate in session polling and Q&A. Step 1: Download the Mobile App and get all the information you need at your fingertips. Step 2: Access the session: log into the app using your Cisco Live login and find your session.

4 2013 Cisco Systems, Inc. CCIE Security Program Overview

5 Firewall Topics Covered in CCIE Security
CCIE Security topics:
- Configure EtherChannel
- High availability and redundancy
- Layer 2 transparent firewall
- Security contexts (virtual firewall)
- Cisco Modular Policy Framework
- Identity firewall services
- Configure Cisco ASA with ASDM
- Context-aware services
- IPS capabilities
- QoS capabilities
Cisco ASA firewalls:
- Basic firewall initialization
- Device management
- Address translation
- ACLs
- IP routing and route tracking
- Object groups
- VLANs
2013 Cisco Systems, Inc.

6 Cisco Gear Used on CCIE Security
- Cisco 3800 Series Integrated Services Routers (ISR)
- Cisco 1800 Series Integrated Services Routers (ISR)
- Cisco 2900 Series Integrated Services Routers (ISR G2)
- Cisco Catalyst TS Series Switches
- Cisco Catalyst 3750-X Series Switches
- Cisco ASA 5500 and 5500-X Series Adaptive Security Appliances
- Cisco IPS 4200 Series Intrusion Prevention System sensors
- Cisco S-Series Web Security Appliance
- Cisco ISE 3300 Series Identity Services Engine
- Cisco WLC 2500 Series Wireless LAN Controller
- Cisco Aironet 1200 Series Wireless Access Point
- Cisco IP Phone 7900 Series*
- Cisco Secure Access Control System
*Device authentication only; provisioning of IP phones is NOT required.

7 Cisco Code Used on CCIE Security
- Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
- Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
- Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
- Cisco IPS Software Release 7.x
- Cisco VPN Client Software for Windows, Release 5.x
- Cisco Secure ACS System software version 5.3x
- Cisco WLC 2500 Series software 7.2x
- Cisco Aironet 1200 Series AP, Cisco IOS Software Release 12.4J(x)
- Cisco WSA S-Series software version 7.1x
- Cisco ISE 3300 Series software version 1.1x
- Cisco NAC Posture Agent v4.x
- Cisco AnyConnect Client v3.0x
Cisco ASA GUI tools may or may not be available; therefore candidates are expected to configure Cisco ASA appliances using the CLI.

8 ASA Code Versions Covered in CCIE Security Cisco ASA 5500, and 5500-X Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x 2013 Cisco Systems, Inc.

9 Agenda: Introduction; ASA 5500 and 5500-X Platform; Stateful Features; NAT; MPF; Failover; Conclusion. 2013 Cisco Systems, Inc.

10 CCIE Security Practice Labs

11 [Lab topology diagram: Internet; Primary/Active and Secondary/Standby ASAs; Guests (DHCP); DHCP, HTTP, HTTPS and SMTP servers; DHCP Server]

12 2013 Cisco Systems, Inc. ASA 5500 and 5500-X Platform

13 Performance and Scalability: Cisco ASA 5500 Platforms
Cisco ASA 5500 Series Adaptive Security Appliances, from teleworker to data center: ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA5585-S10P10, ASA5585-S20P20, ASA5585-S40P40, ASA5585-S60P60.
[Diagram: deployment scale from Teleworker, Branch Office, Internet Edge and Campus to Data Center]

14 Cisco ASA 5500-X Series Next-Generation Firewalls Supports Cisco ASA Software Release and later images; four times the firewall throughput of Cisco ASA 5500 Series platforms Cisco Systems, Inc.

15 2013 Cisco Systems, Inc. ASA Stateful Features

16 Connection Table

17 Basic Connection States
Flag  Meaning
a     Awaiting outside ACK to SYN
A     Awaiting inside ACK to SYN
B     Initial SYN from outside
f     Inside FIN
F     Outside FIN
I     Inbound data
O     Outbound data
r     Inside acknowledged FIN
R     Outside acknowledged FIN
s     Awaiting outside SYN
S     Awaiting inside SYN
U     Up

ASA1#show conn
TCP outside :2230 dmz :25, idle 0:00:00, bytes 0, flags saa
TCP outside :80 inside :4685, idle 0:00:06, bytes 11911, flags UfFrRIO
TCP dmz :22 inside :1474, idle 0:02:40, bytes , flags UIO
Note: There are also other connection states that indicate application awareness.

18 Connection States Flags

19 Example Connection States (TCP 3-Way Handshake)
Outside -> Inside: SYN
TCP outside :2230 inside :25, idle 0:00:00, bytes 0, flags SaAB
Inside -> Outside: SYN-ACK
TCP outside :2230 inside :25, idle 0:00:00, bytes 0, flags ab
Outside -> Inside: ACK
TCP outside :2230 inside :25, idle 0:00:00, bytes 0, flags UB

20 Example Connection States (TCP Data Transmission)
Outside -> Inside: TCP PUSH
TCP outside :2230 inside :25, idle 0:00:00, bytes 0, flags UIB
Inside -> Outside: TCP PUSH
TCP outside :2230 inside :25, idle 0:00:00, bytes 0, flags UIOB

21 Example Connection States (TCP Close)
Outside -> Inside: FIN
TCP outside :2230 inside :25, idle 0:00:00, bytes 0, flags UBF
Inside -> Outside: FIN-ACK
TCP outside :2230 inside :25, idle 0:00:00, bytes 0, flags UBfFr
Outside -> Inside: ACK
TCP outside :2230 inside :25, idle 0:00:00, bytes 0, flags UBfFRr

22 Troubleshooting Common Stateful Issues

23 Packets are not coming back
ASA1#show conn
TCP outside :25 inside :1072, idle 0:00:00, bytes 0, flags saa
ASA1#show logging
%ASA : Built outbound TCP connection 11 for inside: :1072( /1072) to outside: /25 ( /25)
%ASA : Teardown TCP connection 11 for inside: /1072 to outside: /25 duration 0:00:30 bytes 0 SYN Timeout
[Diagram: ASA1 and ASA2 between Inside and Outside]

24 Asymmetric Traffic
You have two ASAs connected to the same ISP. The ISP load-balances traffic across the two ASAs.
[Diagram: ASA1 and ASA2 between Inside and Outside; return traffic arriving at ASA2 is dropped]

25 Asymmetric Traffic
ASA2#show conn
UDP outside :53 inside :51132, idle 0:01:41, bytes 1739, flags -
TCP outside :22 inside :1474, idle 0:02:40, bytes , flags UIO
ASA2#show logging
%ASA : Deny TCP (no connection) from :25 to :1072 flags SYN ACK on interface outside
[Diagram: ASA1 and ASA2 between Inside and Outside; ASA2 drops the SYN-ACK]
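As an added example that is not part of the original deck, the Python helper below applies the flag table from the Basic Connection States slide to `show conn` lines and classifies the two syslog patterns from the "packets are not coming back" and "asymmetric traffic" slides. The `show conn` and syslog lines it runs over are constructed samples using documentation addresses; the syslog message IDs are the standard ASA ones for these messages, and the lifecycle phases (embryonic, established, closing) are my own grouping of the flags.

```python
import re

# Flag meanings from the "Basic Connection States" slide.
CONN_FLAGS = {
    "a": "Awaiting outside ACK to SYN",
    "A": "Awaiting inside ACK to SYN",
    "B": "Initial SYN from outside",
    "f": "Inside FIN",
    "F": "Outside FIN",
    "I": "Inbound data",
    "O": "Outbound data",
    "r": "Inside acknowledged FIN",
    "R": "Outside acknowledged FIN",
    "s": "Awaiting outside SYN",
    "S": "Awaiting inside SYN",
    "U": "Up",
}

# One 'show conn' line: protocol, two interface/address pairs, idle time, bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<addr1>\S+)\s+(?P<if2>\S+)\s+(?P<addr2>\S+),"
    r"\s+idle\s+(?P<idle>\S+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)\s*$"
)


def conn_phase(proto, flags):
    """Reduce the flag string to the lifecycle phase the slides walk through."""
    if proto == "UDP":
        return "udp"            # no handshake to track; flags are normally '-'
    if "U" not in flags:
        return "embryonic"      # handshake incomplete: s/S/a/A still pending
    if any(c in flags for c in "fFrR"):
        return "closing"        # a FIN has been seen on at least one side
    return "established"


def parse_conn(line):
    """Parse one 'show conn' line and decode its flags; raises on an unknown layout."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError("not a show conn line: %r" % line)
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    flags = "" if rec["flags"] == "-" else rec["flags"]
    rec["flags"] = flags
    rec["meanings"] = [CONN_FLAGS.get(c, "unknown flag " + c) for c in flags]
    rec["phase"] = conn_phase(rec["proto"], flags)
    return rec


def triage_syslog(line):
    """Map the syslog patterns from the troubleshooting slides to a short diagnosis."""
    if "Teardown TCP connection" in line and line.rstrip().endswith("SYN Timeout"):
        return "syn-timeout"     # SYN was forwarded, no SYN-ACK came back through this ASA
    if re.search(r"Deny TCP \(no connection\).*flags SYN ACK", line):
        return "asymmetric"      # SYN-ACK arrived on an ASA that never saw the SYN
    if re.search(r"Built (inbound|outbound) TCP connection", line):
        return "built"
    return "other"


def stateful_report(conn_output, syslog_output):
    """Return (phase counts, per-line diagnoses) for a captured pair of outputs."""
    phases = {}
    for line in conn_output.strip().splitlines():
        rec = parse_conn(line)
        phases[rec["phase"]] = phases.get(rec["phase"], 0) + 1
    diagnoses = [triage_syslog(l) for l in syslog_output.strip().splitlines()]
    return phases, diagnoses


# Constructed sample output (RFC 5737 documentation addresses), not taken from the deck.
SAMPLE_CONN = """
TCP outside 203.0.113.5:2230 dmz 192.0.2.25:25, idle 0:00:00, bytes 0, flags saA
TCP outside 198.51.100.7:80 inside 10.1.1.20:4685, idle 0:00:06, bytes 11911, flags UfFrRIO
TCP dmz 192.0.2.22:22 inside 10.1.1.30:1474, idle 0:02:40, bytes 1024, flags UIO
UDP outside 198.51.100.53:53 inside 10.1.1.40:51132, idle 0:01:41, bytes 1739, flags -
"""

SAMPLE_SYSLOG = """
%ASA-6-302013: Built outbound TCP connection 11 for inside:10.1.1.10/1072 (203.0.113.1/1072) to outside:198.51.100.25/25 (198.51.100.25/25)
%ASA-6-302014: Teardown TCP connection 11 for inside:10.1.1.10/1072 to outside:198.51.100.25/25 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.25/25 to 203.0.113.1/1072 flags SYN ACK on interface outside
"""

if __name__ == "__main__":
    for line in SAMPLE_CONN.strip().splitlines():
        rec = parse_conn(line)
        print(rec["proto"], rec["addr1"], "->", rec["addr2"], rec["phase"], rec["meanings"])
    print(stateful_report(SAMPLE_CONN, SAMPLE_SYSLOG))
```

A connection that stays in the embryonic phase with bytes 0 until a SYN Timeout teardown, or a "Deny TCP (no connection)" for a SYN-ACK, is the signature the slides use to tell a broken return path from asymmetric routing.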

26 Addressing the Issue
- Call the ISP to stop load balancing traffic between the two ASAs.
- Configure TCP State Bypass on ASA2.
[Diagram: ASA1 and ASA2 between Inside and Outside; ASA2 drops the return traffic]

27 TCP State Bypass
You can bypass the Cisco ASA security appliance stateful inspection algorithms for some flows. TCP state bypass:
- Is configurable through Cisco MPF traffic classes.
- Causes the appliance to treat these flows similarly to Cisco IOS Software stateless ACLs.
- Also disables Cisco AIC, Cisco ASA AIP-SSM, Cisco CSC-SSM,* cut-through proxy, and the TCP normalizer for these flows.
- Is used only for trusted flows.
[Diagram: TCP SYN through one ASA; TCP SYN-ACK (synchronization and acknowledgment) returning through the other is denied as a unidirectional TCP flow]

28 TCP State Bypass: CLI Configuration
! Create ACLs that match the traffic to bypass stateful inspection.
access-list STATE-BYPASS-ACL permit tcp host host eq 25
access-list STATE-BYPASS-ACL permit tcp host eq 25 host
!
! Create a class map and specify the matching criteria.
class-map STATE-BYPASS
 match access-list STATE-BYPASS-ACL
!
! Edit the policy map and apply the action to the traffic class.
policy-map global_policy
 class STATE-BYPASS
  set connection advanced-options tcp-state-bypass
!
! The default service policy is already applied globally.
service-policy global_policy global

29 TCP Normalizer and Fragmentation

30 TCP Normalizer Overview
The Cisco ASA security appliance TCP normalizer feature does the following:
- Verifies adherence to the TCP protocol and prevents evasion attacks
- Minimizes TCP features by default
- Performs TCP sequence number randomization for protected hosts
- Provides the reassembled byte stream to upper-layer inspectors
[Diagram: Incoming TCP Segments -> Reassembled Stream -> Normalized TCP Segments]

31 Sequence Number Randomization
- Only happens on communication from high-security to low-security interfaces
- Only done to the initial SYN packet
- Tracked in the stateful table
[Diagram: Client (Inside) -> ASA -> Server (Outside); the SYN sequence number is rewritten by the ASA; Hacker on Outside]

32 Cisco ASA Security Appliance IP Fragment Handling
The appliance performs virtual IP reassembly:
- Buffers fragments of a packet until all have been received
- Verifies that fragments are properly fragmented
- Reassembles IP fragments internally to perform TCP normalization and application inspection
- Forwards fragments as they were received
[Diagram: Incoming IP Fragments -> Reassembled Packet -> Outgoing IP Fragments]

33 Fragment Size, Chain, and Timeout
Fragmentation is controlled per interface.
- The fragment size controls how many fragments the database can hold for reassembly.
- The fragment chain controls into how many fragments a single packet can be split.
Note: By default the appliance waits only 5 seconds for all fragments of a packet to arrive. If all fragments have not arrived within the configured number of seconds, all fragments of that packet already received are discarded.
!
fragment size 1000 inside
fragment size 1000 outside
!
fragment chain 250 inside
fragment chain 250 outside
!
fragment timeout 10 inside
fragment timeout 10 outside

34 CCIE Security Example

35 [Lab topology diagram: Internet and BGP peer; Normalizer tuning (increase connection timeout); BGP peering (disable SNR and keep options); VPN tunnel; Fragmentation (increase fragment chain); Primary/Active and Secondary/Standby ASAs; Guests (DHCP); DHCP, HTTP, HTTPS and SMTP servers; DHCP Server]

36 Timeout Extension, BGP Peering, and Fragment Tuning (CCIE Security Lab)
access-list SSH-TO-HOST permit tcp host eq 22
access-list BGP-PEERING permit tcp host host eq 179
access-list BGP-PEERING permit tcp host host eq 179
!
class-map BGP-PEERING
 match access-list BGP-PEERING
!
tcp-map TCP-BGP-AUTH
 tcp-options range allow
!
class-map HOST-TIMEOUT
 match access-list SSH-TO-HOST
!
policy-map CUSTOM_MPF_POLICY
 class HOST-TIMEOUT
  set connection timeout idle 4:00:00 reset
 class BGP-PEERING
  set connection advanced-options TCP-BGP-AUTH
  set connection random-sequence-number disable
!
service-policy CUSTOM_MPF_POLICY global
fragment chain 30 inside
fragment chain 30 outside

37 2013 Cisco Systems, Inc. Network Address Translation (NAT)

38 ASA NAT on 8.2 and Earlier vs. 8.3 and Later
NAT changes, 8.2 and earlier:
- Very strict order of processing
- ACLs for server access need to reference the MAPPED IP (NATed IP)
- Not object oriented; hard to follow and hard to structure
- NAT Control
- Interfaces needed to be named for NAT to work
8.3 and later:
- NAT processed top-down
- ACLs for server access need to reference the REAL IP (server IP)
- Object oriented, very structured, and scalable
- NAT Control removed
- The ANY keyword can now be used to save time and lines of configuration
- Twice NAT support
- Global ACL support (input traffic only)

39 Static NAT

40 Static NAT
Static NAT is used to link two interfaces that need access to the outside world. It lets a server communicate on a low-security interface using a routable IP while still keeping its private IP.
[Diagram: Local Address on dmz -> translated on outside -> Internet]

41 Static NAT (Cont.)
Static NAT examples:
8.2 and earlier (real interface, mapped interface, mapped IP, private IP):
ASA1(config)# static (dmz,outside)
8.3 and later (object name, private IP, mapped IP, NAT type):
ASA1(config)# object network DMZ-Server
ASA1(config-network-object)# host
ASA1(config-network-object)# nat (dmz,outside) static

42 Dynamic NAT

43 Dynamic NAT
Dynamic NAT allows many internal clients to translate to a range of public IPs.
Note: The size of the public IP range limits how many clients can reach the Internet at the same time.
[Diagram: Local Addresses /24 on inside -> translated on outside -> Internet]

44 Dynamic NAT (Cont.)
Dynamic NAT examples:
8.2 and earlier (private IP subnet, mapped IP range):
ASA1(config)# nat (inside)
ASA1(config)# global (outside)
8.3 and later (mapped IP range object, private IP subnet object, mapped IP range applied):
ASA1(config)# object network Public_Pool
ASA1(config-network-object)# range
ASA1(config)# object network Inside_Network
ASA1(config-network-object)# subnet
ASA1(config-network-object)# nat (inside,outside) dynamic Public_Pool

45 Dynamic PAT

46 Dynamic PAT
Dynamic PAT allows many internal clients to translate to a single public address.
[Diagram: Local Addresses /24 on inside -> translated to the outside interface IP -> Internet]

47 Dynamic PAT (Cont.)
Dynamic PAT examples:
8.2 and earlier (private IP subnet):
ASA1(config)# nat (inside)
ASA1(config)# global (outside) 1 interface
8.3 and later (private IP subnet):
ASA1(config)# object network Inside_Network
ASA1(config-network-object)# subnet
ASA1(config-network-object)# nat (inside,outside) dynamic interface

48 Static PAT

49 Static PAT
Static PAT is used to link one public IP to more than one server, regardless of interface.
[Diagram: FTP Server (local address) and HTTP Server (local address, dmz) -> translated to one outside IP -> Internet]

50 Static PAT (Cont.)
Static PAT examples:
8.2 and earlier (mapped port, real port):
ASA1(config)# static (dmz,outside) tcp ftp ftp
8.3 and later (real port, mapped port):
ASA1(config)# object network DMZ-Server
ASA1(config-network-object)# host
ASA1(config-network-object)# nat (dmz,outside) static tcp ftp ftp

51 Troubleshooting NAT

52 NAT Table Changes: Cisco ASA Software Version 8.3 and Later
NAT configuration builds entries in the NAT table. The new NAT table in Cisco ASA Software Version 8.3 and later has three parts:
- Manual NAT (first section): default location for manual NAT statements
- Auto NAT (second section): also called object NAT; default location for auto NAT statements
- Manual NAT after auto NAT (third section): manual NAT entries that are specified with the after-auto keyword

53 NAT 8.3 and Later Order
ASA1(config)# show run nat
! Manual NAT
nat (dmz-wireless,outside) source dynamic dmz-wireless interface destination static DNS-Server1 DNS-Server2
nat (inside,outside) source static smtp_access interface service smtp_port smtp_port
nat (outside,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (dmz-wireless,outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
nat (inside,outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
!
! Auto NAT
object network inside
 nat (inside,dmz-wireless) static no-proxy-arp route-lookup
object network All_Networks
 nat (any,outside) dynamic interface
object network http_access
 nat (inside,outside) static interface service tcp www www
object network https_access
 nat (inside,outside) static interface service tcp www www

54 NAT 8.3 and Later Order
ASA1(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz-wireless) to (outside) source dynamic dmz-wireless interface destination static DNS-Server1 DNS-Server2
    translate_hits = 319, untranslate_hits =
2 (inside) to (outside) source static smtp_access interface service smtp_port smtp_port
    translate_hits = 9780, untranslate_hits =
3 (outside) to (outside) source dynamic DM_INLINE_NETWORK_1 interface
    translate_hits = 34, untranslate_hits =
4 (dmz-wireless) to (outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
    translate_hits = 12, untranslate_hits = 0
5 (inside) to (outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
    translate_hits = 714, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static http_access interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static https_access interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (dmz-wireless) source static inside no-proxy-arp route-lookup
    translate_hits = 175, untranslate_hits =
4 (any) to (outside) source dynamic All_Networks interface
    translate_hits = , untranslate_hits =

55 NAT 8.3 and Later Order: Manual NAT, Sections 1 and 3
Applied on a first-match basis, in the order they appear in the configuration. By default, twice NAT rules are added to section
[Diagram: Outside / Inside]

56 NAT 8.3 and Later Order
ASA1(config)# show run nat
<input omitted>
!
nat (dmz-wireless,outside) source dynamic dmz-wireless interface destination static DNS-Server1 DNS-Server2
nat (inside,outside) source static smtp_access interface service smtp_port smtp_port
nat (outside,outside) source dynamic DM_INLINE_NETWORK_1 interface
nat (dmz-wireless,outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
nat (inside,outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
!
ASA1(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz-wireless) to (outside) source dynamic dmz-wireless interface destination static DNS-Server1 DNS-Server2
    translate_hits = 319, untranslate_hits =
2 (inside) to (outside) source static smtp_access interface service smtp_port smtp_port
    translate_hits = 9780, untranslate_hits =
3 (outside) to (outside) source dynamic DM_INLINE_NETWORK_1 interface
    translate_hits = 34, untranslate_hits =
4 (dmz-wireless) to (outside) source static No_Nat_Src_DMZ No_Nat_Src_DMZ destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
    translate_hits = 12, untranslate_hits = 0
5 (inside) to (outside) source static No_NAT_Src_IN No_NAT_Src_IN destination static No_Nat_Dst_OUT No_Nat_Dst_OUT no-proxy-arp route-lookup
    translate_hits = 714, untranslate_hits = 0

57 NAT 8.3 and Later Order: Auto NAT, Section 2
Section 2 rules are applied in the following order, as automatically determined by the ASA:
1. Static rules.
2. Dynamic rules.
Within each rule type, the following ordering guidelines are used:
a. Quantity of real IP addresses, from smallest to largest. For example, an object with one address is assessed before an object with 10 addresses.
b. For equal quantities, the IP address number is used, from lowest to highest. For example, is assessed before
c. If the same IP address is used, the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.

58 NAT 8.3 and Later Order
ASA1(config)# show run nat
<input omitted>
!
object network inside
 nat (inside,dmz-wireless) static no-proxy-arp route-lookup
object network All_Networks
 nat (any,outside) dynamic interface
object network http_access
 nat (inside,outside) static interface service tcp www www
object network https_access
 nat (inside,outside) static interface service tcp www www
!
ASA1(config)# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static http_access interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static https_access interface service tcp www www
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (dmz-wireless) source static inside no-proxy-arp route-lookup
    translate_hits = 175, untranslate_hits =
4 (any) to (outside) source dynamic All_Networks interface
    translate_hits = , untranslate_hits =
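The Section 2 ordering rules above, as an added Python model that is not from the deck or from Cisco: it sorts constructed object NAT rules the way the slide describes (static before dynamic, then fewest real addresses, lowest address, alphabetical object name) and shows which rule a packet would hit first. The addresses, the extra smtp_host object (added to exercise rule b) and the real-interface check in first_match are my assumptions, not values from the slides.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AutoNatRule:
    """One object NAT (auto NAT) rule: the network object and its nat statement."""
    object_name: str
    real: str          # real address as CIDR text; "any" for nat (any,...)
    nat_type: str      # "static" or "dynamic"
    real_if: str       # real (ingress) interface, or "any"
    mapped_if: str


def real_network(rule):
    """Network covered by the object's real address ("any" is treated as 0.0.0.0/0)."""
    cidr = "0.0.0.0/0" if rule.real == "any" else rule.real
    return ipaddress.ip_network(cidr, strict=False)


def section2_key(rule):
    """Sort key implementing the Section 2 ordering rules from the slide."""
    net = real_network(rule)
    return (
        0 if rule.nat_type == "static" else 1,  # 1./2. static rules before dynamic rules
        net.num_addresses,                      # a. fewer real addresses first
        int(net.network_address),               # b. lower IP address first
        rule.object_name,                       # c. object name, alphabetically
    )


def order_auto_nat(rules):
    """Return the rules in the order the ASA evaluates Section 2."""
    return sorted(rules, key=section2_key)


def first_match(rules, real_ip, ingress_if):
    """First Section 2 rule whose real address covers a packet.
    Assumption (not on the slide): the rule's real interface must equal the
    ingress interface or be 'any'."""
    ip = ipaddress.ip_address(real_ip)
    for rule in order_auto_nat(rules):
        if rule.real_if in ("any", ingress_if) and ip in real_network(rule):
            return rule
    return None


def render_show_nat(rules):
    """Mimic the 'Auto NAT Policies (Section 2)' lines of 'show nat' (hit counters omitted)."""
    lines = ["Auto NAT Policies (Section 2)"]
    for n, r in enumerate(order_auto_nat(rules), 1):
        lines.append(f"{n} ({r.real_if}) to ({r.mapped_if}) source {r.nat_type} {r.object_name}")
    return lines


# Constructed objects modelled on the slide's output (addresses are assumptions), deliberately
# listed out of order, plus smtp_host to exercise rule b: same quantity, lower address first.
RULES = [
    AutoNatRule("All_Networks", "any", "dynamic", "any", "outside"),
    AutoNatRule("https_access", "10.1.1.80/32", "static", "inside", "outside"),
    AutoNatRule("inside", "10.1.1.0/24", "static", "inside", "dmz-wireless"),
    AutoNatRule("http_access", "10.1.1.80/32", "static", "inside", "outside"),
    AutoNatRule("smtp_host", "10.1.1.25/32", "static", "inside", "outside"),
]

if __name__ == "__main__":
    print("\n".join(render_show_nat(RULES)))
    hit = first_match(RULES, "10.1.1.200", "inside")
    print("10.1.1.200 from inside matches:", hit.object_name)
```

Without the extra smtp_host object the computed order is exactly the slide's: http_access, https_access, inside, All_Networks.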

59 CCIE Security Example

60 [Lab topology diagram: Internet; Static NAT for the server network; Dynamic PAT for the client /24; Primary/Active and Secondary/Standby ASAs; Guests (DHCP); DHCP, HTTP, HTTPS and SMTP servers; DHCP Server]

61 Dynamic PAT Solution (CCIE Security Lab)
8.2 and earlier:
ASA1(config)# nat (inside)
ASA1(config)# global (outside) 1 interface
8.3 and later:
ASA1(config)# object network Client_Network
ASA1(config-network-object)# subnet
ASA1(config-network-object)# nat (inside,outside) dynamic interface

62 Static NAT (CCIE Security Lab)
8.2 and earlier:
ASA1(config)# static (dmz,outside)
8.3 and later:
ASA1(config)# object network Server
ASA1(config-network-object)# host
ASA1(config-network-object)# nat (dmz,outside) static

63 Modular Policy Framework (MPF)

64 Cisco ASA Security Appliance: Cisco MPF Overview
Different traffic flows may require different network policies. Cisco MPF provides granularity and flexibility when you implement network policies for traffic flows:
- Defines traffic flows that require access control beyond ACLs
- Associates network policies with traffic flows
- Enables network policies on a specific interface or globally
[Diagram: Branch Office, Internet, Headquarters, with example policies: send traffic from the Internet to the Cisco ASA CSC-SSM; prioritize VoIP traffic; enable data loss prevention for HTTP, FTP, and SMTP traffic; allow only safe HTTP methods]

65 OSI Layer 3 and Layer 4 Class Maps
[Diagram: Branch Office. To identify traffic for the IP Phone, that is, to identify VoIP traffic, match DSCP EF.]

66 Configure OSI Layer 3 and Layer 4 Policies: CLI Commands
! Create a class map and specify the matching attribute.
class-map VoIP
 match dscp ef
!
! Create a policy map, refer to the class map, and specify an action for the traffic class.
policy-map outside-policy
 class VoIP
  priority
!
! Apply the policy map to the interface using a service policy.
service-policy outside-policy interface outside

67 Verify OSI Layer 3 and Layer 4 Policies
ASA1#show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
<...part of the output omitted...>
Interface outside:
  Service-policy: outside-policy
    Class-map: VoIP
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
    Class-map: class-default

68 Regular Expressions
Regular expressions are a computer language used to describe patterns.
- Used to describe a set of strings without listing the individual elements
- Used by the security appliance to match custom application-layer content
Examples: drop HTTP requests containing CMD.EXE, /bin/sh, /bin/bash, /bin/ksh, /bin/tcsh, ...; allow only HTTP requests to the cisco.com domain.

69 OSI Layer 3 and Layer 4 Class Maps
[Diagram: ISP. To identify traffic for the IP Phone. Block: bad.com and iamverybad.com.]

70 Configure OSI Layers 5 to 7 Policies: CLI Commands
! Create regular expressions.
regex BAD_PAGES "[Bb][Aa][Dd]\.[Cc][Oo][Mm]"
regex VERYBAD_PAGES "[Ii][Aa][Mm][Vv][Ee][Rr][Yy][Bb][Aa][Dd]\.[Cc][Oo][Mm]"
!
! Create a regular expression class map.
class-map type regex match-any BAD_PAGES
 match regex BAD_PAGES
 match regex VERYBAD_PAGES
!
! Create a Layers 5 to 7 class map for HTTP traffic and specify the match attributes inside HTTP traffic.
class-map type inspect http match-any BAD_HTTP_TRAFFIC
 match request header host regex class BAD_PAGES
!
! Create a Layers 5 to 7 policy map for HTTP traffic, refer to the Layers 5 to 7 class map, and apply actions.
policy-map type inspect http INSPECT_HTTP
 class BAD_HTTP_TRAFFIC
  reset log
!
! Apply the Layers 5 to 7 policy map in a Layers 3 and 4 policy map.
policy-map global_policy
 class inspection_default
  inspect http INSPECT_HTTP

71 Verify OSI Layers 5 to 7 Policies: CLI Commands
ASA1#show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
< output omitted >
      Inspect: http INSPECT_HTTP, packet 484, drop 6, reset-drop 6
      Inspect: icmp, packet 38, drop 0, reset-drop 0
Interface Branch_Net:
  Service-policy: Branch_Net-policy
    Class-map: VoIP1
      Priority:
        Interface Branch_Net: aggregate drop 0, aggregate transmit 0
    Class-map: class-default

72 CCIE Security Example

73 [Lab topology diagram: Internet; server protections (embryonic limit) and server protections (connection limit) on the server network; FTP Server (FTP inspection); Primary/Active and Secondary/Standby ASAs; Guests (DHCP); DHCP, FTP and DHCP servers]

74 Embryonic Conn, Conn Limits, and FTP Inspection (CCIE Security Lab)
access-list SERVER_EMB_LIMITS permit ip any host
!
access-list SERVER_TRAFFIC_LIMITS permit ip any host
!
access-list FTP_TRAFFIC permit tcp any host eq 21
!
class-map FTP_TRAFFIC_PASS
 match access-list FTP_TRAFFIC
!
class-map CONN_MAX
 match access-list SERVER_TRAFFIC_LIMITS
!
class-map EMBRYONIC_CONN_MAX
 match access-list SERVER_EMB_LIMITS
!
policy-map SERVER_POLICY
 class EMBRYONIC_CONN_MAX
  set connection embryonic-conn-max 90 per-client-embryonic-max 10
 class CONN_MAX
  set connection conn-max per-client-max 50
 class FTP_TRAFFIC_PASS
  inspect ftp
!
service-policy SERVER_POLICY interface outside

75 Failover Active/Standby

76 Cisco ASA Adaptive Security Appliance Active/Standby Failover Overview
- Two Cisco ASA security appliances can be paired in an active/standby failover configuration to provide device redundancy.
- One physical device is permanently designated as primary, the other as secondary.
- One of the pair is elected to the active state (forwarding traffic), the other to the hot standby state (waiting).
- The health of the devices is monitored over the LAN failover interface.
[Diagram: Primary/Active and Secondary/Standby ASAs between the Internet and the inside /24 network]

77 Failover Deployment Options
Stateless failover:
- Provides hardware redundancy only.
- All established, statefully tracked connections are dropped after switchover.
- Users may have to re-establish connections.
Stateful failover extends stateless failover:
- Provides hardware and state-table redundancy.
- Connections remain active during the failover.
- Users do not have to re-establish connections.
- Requires a stateful link between the devices (in addition to the LAN-based failover link).

78 Stateful Failover Support
State information passed to the standby unit:
- NAT table
- TCP connection states
- UDP connection states
- ARP table
- MAC address table (applies to transparent mode only)
- ISAKMP SAs, IPsec SAs, SSL sessions
- GTP PDP connection database
- SIP signaling sessions
- Dynamic routing table entries
State information not passed to the standby unit:
- HTTP connection table (unless HTTP replication is enabled)
- User authentication table
- State information for the Cisco AIP-SSM
- DHCP server leases
- Phone proxy sessions
The Cisco ASA security appliance supports IPv6 failover beginning with Cisco ASA Software Version 8.2(2).

79 Verify Active/Standby Failover
Displays information about the failover status of the unit.
ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 02:59:27 UTC Aug
        This host: Primary - Active
                Active time: 930 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
                  Interface outside ( ): Normal
                  Interface inside ( ): Normal
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
                  IPS, 6.0(3)E1, Up
        Other host: Secondary - Standby Ready
                Active time: 495 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
                  Interface outside ( ): Normal
                  Interface inside ( ): Normal
< output omitted >

80 Troubleshooting Failover Active/Standby

81 Troubleshooting Typical Failover Problems
- The ASAs are not like-for-like
- The secondary is not able to talk to the primary (failover cable issues)
- The monitoring interface policy was changed
- The secondary has failed

82 Cisco ASA Security Appliance Failover Requirements
Hardware requirements for both devices:
- Same hardware model
- Same number and type of interfaces
- Same SSM software installed (if any)
- Same amount of RAM is recommended
Software requirements for both devices:
- Same major and minor software version
- Same licensed features (8.2 and earlier); the license must include the active/standby failover feature
- Same operating mode (transparent or routed, multiple or single context)

83 Verify Failover Peer
ASA1/act/pri# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
< output omitted >
Last Failover at: 02:59:27 UTC Aug
        This host: Primary - Active
                Active time: 930 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
                  Interface outside ( ): Normal (Waiting)
                  Interface inside ( ): Normal (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
                  IPS, 6.0(3)E1, Up
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
                slot 0: empty
                  Interface outside ( ): Unknown (Waiting)
                  Interface inside ( ): Unknown (Waiting)
                slot 1: empty
The peer device has not been detected and failover cannot occur. Verify connectivity between the devices and the failover configuration on the secondary device.

84 Verify Active/Standby Failover Interface Policy
Displays information about the failover status of the unit.
ASA1/pri/act# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 160 maximum
failover replication http
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 02:59:27 UTC Aug
        This host: Primary - Active
                Active time: 930 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
                  Interface outside ( ): Normal
                  Interface inside ( ): Normal
                slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
                  IPS, 6.0(3)E1, Up
        Other host: Secondary - Standby Ready
                Active time: 495 (sec)
                slot 0: ASA5520 hw/sw rev (1.0/8.4(1)) status (Up Sys)
                  Interface outside ( ): Normal
                  Interface inside ( ): Normal
< output omitted >

85 Failover Health Monitoring
Unit health monitoring:
- The Cisco ASA security appliance determines the health of the other unit by monitoring the failover link.
- Devices exchange hello messages (sent every 1 sec) over the failover interface.
- When there is no response from the active device, switchover occurs.
Interface health monitoring:
- Each network interface can be monitored.
- Devices exchange hello messages (sent every 5 sec) over monitored interfaces (Interface Policy 1).
- When a specified number of monitored interfaces fail on the active device, switchover occurs.

86 CCIE Security Example

87 [Lab topology diagram: Internet; Primary/Active and Secondary/Standby ASAs with Gig0/0, Gig0/1 and Gig0/3 (failover link); Guests (DHCP); DHCP, HTTP, HTTPS and SMTP servers; DHCP Server]

88 Primary Security Appliance
Configure active/standby failover on the primary Cisco ASA security appliance.
! Enable the interface used for failover.
interface GigabitEthernet0/3
 no shutdown
!
! Specify the unit as primary.
failover lan unit primary
! Specify the interface used as the failover interface.
failover lan interface FAILOVER GigabitEthernet0/3
! Assign active and standby IP addresses to the failover link.
failover interface ip FAILOVER standby
! Specify the interface used as the stateful failover link.
failover link FAILOVER
! Specify the key for the failover link.
failover key 6X9vLuFt983d8FltTf7
! Enable failover.
failover
!
! Specify active and standby IP addresses on each data interface.
interface GigabitEthernet0/1
 ip address standby
!
interface GigabitEthernet0/0
 ip address standby

89 Secondary Security Appliance
Configure active/standby failover on the secondary Cisco ASA security appliance.
! Enable the interface used for failover.
interface GigabitEthernet0/3
 no shutdown
!
! Specify the unit as secondary.
failover lan unit secondary
! Specify the interface used as the failover interface.
failover lan interface FAILOVER GigabitEthernet0/3
! Assign active and standby IP addresses to the failover link.
failover interface ip FAILOVER standby
! Specify the interface used as the stateful failover link.
failover link FAILOVER
! Specify the key for the failover link.
failover key 6X9vLuFt983d8FltTf7
! Enable failover.
failover
! Enable HTTP replication.

90 Complete Your Online Session Evaluation. Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect. Don't forget: Cisco Live sessions will be available for viewing on demand after the event at CiscoLive.com/Online.

91 Continue Your Education: demos in the Cisco campus; walk-in self-paced labs; table topics; Meet the Engineer 1:1 meetings; related sessions.

92 Thank you


Cisco CCNP Security Exam Cisco CCNP Security 642-618 Exam Vendor:Cisco Exam Code: 642-618 Exam Name: Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0) QUESTION 1 On the Cisco ASA, tcp-map can be applied to a traffic class

More information

ASA Access Control. Section 3

ASA Access Control. Section 3 [ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look

More information

KillTest. 半年免费更新服务

KillTest.   半年免费更新服务 KillTest 质量更高 服务更好 学习资料 http://www.killtest.cn 半年免费更新服务 Exam : 642-618 Title : Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0) Version : DEMO 1 / 9 1.On the Cisco ASA, tcp-map can be applied to

More information

Configuring Service Policy Rules on Firewall Devices

Configuring Service Policy Rules on Firewall Devices CHAPTER 55 Configuring Service Policy Rules on Firewall Devices This section describes configuring service policy rules. Service policies provide a consistent and flexible way to configure certain security

More information

ASACAMP - ASA Lab Camp (5316)

ASACAMP - ASA Lab Camp (5316) ASACAMP - ASA Lab Camp (5316) Price: $4,595 Cisco Course v1.0 Cisco Security Appliance Software v8.0 Based on our enhanced FIREWALL and VPN courses, this exclusive, lab-based course is designed to provide

More information

Information About NAT

Information About NAT CHAPTER 27 This chapter provides an overview of how Network Address Translation (NAT) works on the adaptive security appliance. This chapter includes the following sections: Why Use NAT?, page 27-1 NAT

More information

CISCO EXAM QUESTIONS & ANSWERS

CISCO EXAM QUESTIONS & ANSWERS CISCO 642-618 EXAM QUESTIONS & ANSWERS Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 23.4 http://www.gratisexam.com/ CISCO 642-618 EXAM QUESTIONS & ANSWERS Exam Name: Deploying Cisco

More information

Cisco - ASA Lab Camp v9.0

Cisco - ASA Lab Camp v9.0 Cisco - ASA Lab Camp v9.0 Code: 0007 Lengt h: 5 days URL: View Online Based on our enhanced SASAC v1.0 and SASAA v1.2 courses, this exclusive, lab-based course, provides you with your own set of equipment

More information

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration [ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a

More information

PrepKing. PrepKing

PrepKing. PrepKing PrepKing Number: 642-617 Passing Score: 800 Time Limit: 60 min File Version: 9.5 http://www.gratisexam.com/ PrepKing 642-617 Sections 1. Lab 2. Pre-Production Design 3. Complex Operations 4. Advanced Troubleshooting

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

PrepKing. PrepKing

PrepKing. PrepKing PrepKing Number: 642-618 Passing Score: 800 Time Limit: 120 min File Version: 9.10 http://www.gratisexam.com/ PrepKing 642-618 Exam A QUESTION 1 On the Cisco ASA, tcp-map can be applied to a traffic class

More information

Introduction to Cisco ASA Firewall Services

Introduction to Cisco ASA Firewall Services Firewall services are those ASA features that are focused on controlling access to the network, including services that block traffic and services that enable traffic flow between internal and external

More information

ASA/PIX Security Appliance

ASA/PIX Security Appliance I N D E X A AAA, implementing, 27 28 access to ASA/PIX Security Appliance monitoring, 150 151 securing, 147 150 to websites, blocking, 153 155 access control, 30 access policies, creating for web and mail

More information

Network Address Translation (NAT)

Network Address Translation (NAT) The following topics explain and how to configure it. Why Use NAT?, page 1 NAT Basics, page 2 Guidelines for NAT, page 8 Configure NAT, page 12 Translating IPv6 Networks, page 40 Monitoring NAT, page 51

More information

Applying Application Layer Protocol Inspection

Applying Application Layer Protocol Inspection CHAPTER 21 This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that

More information

Configuring TCP State Bypass

Configuring TCP State Bypass CHAPTER 51 This chapter describes how to configure TCP state bypass, which lets outbound and inbound flows go through separate ASAs. This chapter includes the following sections: Information About TCP

More information

Network Address Translation (NAT)

Network Address Translation (NAT) The following topics explain and how to configure it. Why Use NAT?, page 1 NAT Basics, page 2 Guidelines for NAT, page 7 Dynamic NAT, page 12 Dynamic PAT, page 21 Static NAT, page 40 Identity NAT, page

More information

Cisco Virtual Office High-Scalability Design

Cisco Virtual Office High-Scalability Design Solution Overview Cisco Virtual Office High-Scalability Design Contents Scope of Document... 2 Introduction... 2 Platforms and Images... 2 Design A... 3 1. Configure the ACE Module... 3 2. Configure the

More information

Transparent or Routed Firewall Mode

Transparent or Routed Firewall Mode This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall works in each firewall mode. You can set the firewall mode independently for each context in multiple

More information

Exam Name: Implementing Cisco Edge Network Security Solutions

Exam Name: Implementing Cisco Edge Network Security Solutions Vendor: Cisco Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network Security Solutions Version: Demo QUESTION 1 The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three

More information

Network Address Translation (NAT)

Network Address Translation (NAT) The following topics explain and how to configure it. Why Use NAT?, page 1 NAT Basics, page 2 Guidelines for NAT, page 6 Dynamic NAT, page 12 Dynamic PAT, page 18 Static NAT, page 29 Identity NAT, page

More information

Configuring Virtual Servers

Configuring Virtual Servers 3 CHAPTER This section provides an overview of server load balancing and procedures for configuring virtual servers for load balancing on an ACE appliance. Note When you use the ACE CLI to configure named

More information

Cisco Firepower NGIPS Tuning and Best Practices

Cisco Firepower NGIPS Tuning and Best Practices Cisco Firepower NGIPS Tuning and Best Practices John Wise, Security Instructor High Touch Delivery, Cisco Learning Services CTHCRT-2000 Cisco Spark How Questions? Use Cisco Spark to communicate with the

More information

Configuring Stateful Interchassis Redundancy

Configuring Stateful Interchassis Redundancy The Stateful Interchassis Redundancy feature enables you to configure pairs of devices to act as backups for each other. This module describes conceptual information about and tasks for configuring stateful

More information

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces.

More information

Permitting PPTP Connections Through the PIX/ASA

Permitting PPTP Connections Through the PIX/ASA Permitting PPTP Connections Through the PIX/ASA Contents Introduction Prerequisites Requirements Components Used Background Theory Conventions PPTP with the Client Inside and the Server Outside Network

More information

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2015 Cisco and/or its affiliates. All rights

More information

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version

Cisco CISCO Securing Networks with ASA Advanced. Practice Test. Version Cisco 642-515 CISCO 642-515 Securing Networks with ASA Advanced Practice Test Version 3.1 QUESTION NO: 1 Cisco 642-515: Practice Exam Which two statements correctly describe configuring active/active failover?

More information

Contents. Introduction

Contents. Introduction Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram ISE - Configuration Steps 1. SGT for Finance and Marketing 2. Security group ACL for traffic Marketing ->Finance

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref )

Request for Proposal (RFP) for Supply and Implementation of Firewall for Internet Access (RFP Ref ) Appendix 1 1st Tier Firewall The Solution shall be rack-mountable into standard 19-inch (482.6-mm) EIA rack. The firewall shall minimally support the following technologies and features: (a) Stateful inspection;

More information

ASA 7.x/PIX 6.x and Above: Open/Block the Ports Configuration Example

ASA 7.x/PIX 6.x and Above: Open/Block the Ports Configuration Example ASA 7.x/PIX 6.x and Above: Open/Block the Ports Configuration Example Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Configure Network Diagram Blocking the

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

Downloaded from: justpaste.it/i2os

Downloaded from: justpaste.it/i2os : Saved : ASA Version 9.1(2) hostname ciscoasa enable password xxx encrypted names ip local pool poolvpn 192.168.20.10-192.168.20.30 mask 255.255.255.0 interface GigabitEthernet0/0 nameif inside security-level

More information

Access Rules. Controlling Network Access

Access Rules. Controlling Network Access This chapter describes how to control network access through or to the ASA using access rules. You use access rules to control network access in both routed and transparent firewall modes. In transparent

More information

Introduction to the ASA

Introduction to the ASA CHAPTER 1 The ASA combines advanced stateful firewall and VPN concentrator functionality in one device, and for some models, an integrated intrusion prevention module called the AIP SSM/SSC or an integrated

More information

Chapter 9 Lab A: Configuring ASA Basic Settings and Firewall Using CLI

Chapter 9 Lab A: Configuring ASA Basic Settings and Firewall Using CLI A: Configuring ASA Basic Settings and Firewall Using CLI This lab has been updated for use on NETLAB+ Topology Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet interfaces. 2018

More information

Migrating to the Cisco ASA Services Module from the FWSM

Migrating to the Cisco ASA Services Module from the FWSM Migrating to the Cisco ASA Services Module from the FWSM Contents Information About the Migration, page 1 Migrating the FWSM Configuration to the ASA SM, page 2 Unsupported Runtime Commands, page 4 Configuration

More information

Zone-Based Policy Firewall High Availability

Zone-Based Policy Firewall High Availability The feature enables you to configure pairs of devices to act as backup for each other. High availability can be configured to determine the active device based on a number of failover conditions. When

More information

Information about Network Security with ACLs

Information about Network Security with ACLs This chapter describes how to configure network security on the switch by using access control lists (ACLs), which in commands and tables are also referred to as access lists. Finding Feature Information,

More information

Firepower Threat Defense Cluster for the Firepower 4100/9300

Firepower Threat Defense Cluster for the Firepower 4100/9300 Firepower Threat Defense Cluster for the Firepower 4100/9300 Clustering lets you group multiple Firepower Threat Defense units together as a single logical device. Clustering is only supported for the

More information

Chapter 8 roadmap. Network Security

Chapter 8 roadmap. Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing

More information

NAT Examples and Reference

NAT Examples and Reference The following topics provide examples for configuring NAT, plus information on advanced configuration and troubleshooting. Examples for Network Object NAT, page 1 Examples for Twice NAT, page 7 NAT in

More information

NAT Examples and Reference

NAT Examples and Reference The following topics provide examples for configuring NAT, plus information on advanced configuration and troubleshooting. Examples for Network Object NAT, on page 1 Examples for Twice NAT, on page 6 NAT

More information

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT

Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT The Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT feature supports the forwarding of packets from a standby

More information

Implementing Core Cisco ASA Security (SASAC)

Implementing Core Cisco ASA Security (SASAC) 1800 ULEARN (853 276) www.ddls.com.au Implementing Core Cisco ASA Security (SASAC) Length 5 days Price $6215.00 (inc GST) Overview Cisco ASA Core covers the Cisco ASA 9.0 / 9.1 core firewall and VPN features.

More information

Configuring Failover. Understanding Failover CHAPTER

Configuring Failover. Understanding Failover CHAPTER CHAPTER 14 This chapter describes the security appliance failover feature, which lets you configure two security appliances so that one takes over operation if the other one fails. The ASA 5505 series

More information

TCP /IP Fundamentals Mr. Cantu

TCP /IP Fundamentals Mr. Cantu TCP /IP Fundamentals Mr. Cantu OSI Model and TCP/IP Model Comparison TCP / IP Protocols (Application Layer) The TCP/IP subprotocols listed in this layer are services that support a number of network functions:

More information

PIX/ASA Active/Standby Failover Configuration Example

PIX/ASA Active/Standby Failover Configuration Example PIX/ASA Active/Standby Failover Configuration Example Document ID: 77809 Contents Introduction Prerequisites Requirements Components Used Related Products Conventions Active/Standby Failover Active/Standby

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM This lab has been updated for use on NETLAB+ Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces.

More information

Question: 1 An engineer is using the policy trace tool to troubleshoot a WSA. Which behavior is used?

Question: 1 An engineer is using the policy trace tool to troubleshoot a WSA. Which behavior is used? Volume: 418 Questions Question: 1 An engineer is using the policy trace tool to troubleshoot a WSA. Which behavior is used? A. External DLP policies are evaluated by tool B. Socks policies are evaluated

More information

Information About NAT

Information About NAT CHAPTER 26 This chapter provides an overview of how Network Address Translation (NAT) works on the ASA and includes the following sections: Introduction to NAT, page 26-1 NAT Types, page 26-2 NAT in Routed

More information

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet Interfaces. 2016 Cisco and/or its affiliates. All

More information

Completing Interface Configuration (Transparent Mode)

Completing Interface Configuration (Transparent Mode) CHAPTER 9 Completing Interface Configuration (Transparent Mode) This chapter includes tasks to complete the interface configuration for all models in transparent firewall mode. This chapter includes the

More information

About This Guide. Document Objectives. Audience

About This Guide. Document Objectives. Audience This preface introduce the, and includes the following sections: Document Objectives, page xxxv Audience, page xxxv Related Documentation, page xxxvi Document Organization, page xxxvi Document Conventions,

More information

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface CCNA4 Chapter 5 * Router and ACL By default, a router does not have any ACLs configured and therefore does not filter traffic. Traffic that enters the router is routed according to the routing table. *

More information

Failover for High Availability

Failover for High Availability This chapter describes how to configure Active/Standby or Active/Active failover to accomplish high availability of the Cisco ASA. About Failover, page 1 Licensing for Failover, page 25 Guidelines for

More information

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1 PB478675 Product Overview The Cisco ACE Application Control Engine 4710 represents the next generation of application switches

More information

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall.

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall. This chapter describes how to configure the ASA for the. About the, page 1 Guidelines for the, page 7 Prerequisites for the, page 9 Configure the, page 10 Collect User Statistics, page 19 Examples for

More information

Setting General VPN Parameters

Setting General VPN Parameters CHAPTER 62 The adaptive security appliance implementation of virtual private networking includes useful features that do not fit neatly into categories. This chapter describes some of these features. It

More information

CSC Network Security

CSC Network Security CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.3 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.3-111215-01-1215

More information

Troubleshooting. Testing Your Configuration CHAPTER

Troubleshooting. Testing Your Configuration CHAPTER 82 CHAPTER This chapter describes how to troubleshoot the ASA and includes the following sections: Testing Your Configuration, page 82-1 Reloading the ASA, page 82-8 Performing Password Recovery, page

More information

SD-WAN Deployment Guide (CVD)

SD-WAN Deployment Guide (CVD) SD-WAN Deployment Guide (CVD) All Cisco Meraki security appliances are equipped with SD-WAN capabilities that enable administrators to maximize network resiliency and bandwidth efficiency. This guide introduces

More information

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example Table of Contents IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example...1 Document ID: 63881...1 Introduction...1 Prerequisites...2 Requirements...2 Components Used...2 Conventions...2

More information

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL Contents: UniNets CCNA Security LAB MANUAL Section 1 Securing Layer 2 Lab 1-1 Configuring Native VLAN on a Trunk Links Lab 1-2 Disabling

More information

IPv6 Access Control Lists

IPv6 Access Control Lists Access lists determine what traffic is blocked and what traffic is forwarded at device interfaces and allow filtering of traffic based on source and destination addresses, and inbound and outbound traffic

More information

ASA with CX/FirePower Module and CWS Connector Configuration Example

ASA with CX/FirePower Module and CWS Connector Configuration Example ASA with CX/FirePower Module and CWS Connector Configuration Example Document ID: 118687 Contributed by Jennifer Halim, Ashok Sakthivel, and Chirag Saxena, Cisco TAC Engineers. Dec 23, 2014 Contents Introduction

More information

Routing Overview. Information About Routing CHAPTER

Routing Overview. Information About Routing CHAPTER 21 CHAPTER This chapter describes underlying concepts of how routing behaves within the ASA, and the routing protocols that are supported. This chapter includes the following sections: Information About

More information

High Availability Options

High Availability Options , on page 1 Load Balancing, on page 2 Distributed VPN Clustering, Load balancing and Failover are high-availability features that function differently and have different requirements. In some circumstances

More information

New Features for ASA Version 9.0(2)

New Features for ASA Version 9.0(2) FIREWALL Features New Features for ASA Version 9.0(2) Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core

More information

Configuring the AIP SSM

Configuring the AIP SSM CHAPTER 18 The number of concurrent CLI sessions is limited based on the platform. IDS 4215 and NM CIDS are limited to three concurrent CLI sessions. All other platforms allow ten concurrent sessions.

More information

CCNP Security VPN

CCNP Security VPN CCNP Security VPN 642-647 Official Cert Guide Howard Hooper, CCIE No. 23470 Cisco Press 800 East 96th Street Indianapolis, IN 46240 Contents Introduction xxiv Part I ASA Architecture and Technologies Overview

More information

Configuring Cache Services Using the Web Cache Communication Protocol

Configuring Cache Services Using the Web Cache Communication Protocol Configuring Cache Services Using the Web Cache Communication Protocol Finding Feature Information, page 1 Prerequisites for WCCP, page 1 Restrictions for WCCP, page 2 Information About WCCP, page 3 How

More information

Certified SonicWALL Security Administrator (CSSA) Instructor-led Training

Certified SonicWALL Security Administrator (CSSA) Instructor-led Training Instructor-led Training Comprehensive Services from Your Trusted Security Partner Additional Information Recommended prerequisite for the Certified SonicWALL Security Administrator (CSSA) exam Course Description:

More information

Expert Reference Series of White Papers. Cisco Security Troubleshooting: Part I Connectivity Through ASA or PIX Firewalls

Expert Reference Series of White Papers. Cisco Security Troubleshooting: Part I Connectivity Through ASA or PIX Firewalls Expert Reference Series of White Papers Cisco Security Troubleshooting: Part I Connectivity Through ASA or PIX Firewalls 1-800-COURSES www.globalknowledge.com Cisco Security Troubleshooting: Part I Connectivity

More information

Failover for High Availability

Failover for High Availability This chapter describes how to configure Active/Standby or Active/Active failover to accomplish high availability of the Cisco ASA. About Failover, page 1 Licensing for Failover, page 25 Guidelines for

More information

Sections Describing Standard Software Features

Sections Describing Standard Software Features 30 CHAPTER This chapter describes how to configure quality of service (QoS) by using automatic-qos (auto-qos) commands or by using standard QoS commands. With QoS, you can give preferential treatment to

More information

Load Balancing Technology White Paper

Load Balancing Technology White Paper Load Balancing Technology White Paper Keywords: Server, gateway, link, load balancing, SLB, LLB Abstract: This document describes the background, implementation, and operating mechanism of the load balancing

More information

Sections Describing Standard Software Features

Sections Describing Standard Software Features 27 CHAPTER This chapter describes how to configure quality of service (QoS) by using automatic-qos (auto-qos) commands or by using standard QoS commands. With QoS, you can give preferential treatment to

More information

Getting Started. Access the Console for the Command-Line Interface. Access the Appliance Console

Getting Started. Access the Console for the Command-Line Interface. Access the Appliance Console This chapter describes how to get started with your Cisco ASA. Access the Console for the Command-Line Interface, on page 1 Configure ASDM Access, on page 9 Start ASDM, on page 15 Factory Default Configurations,

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Access Control Configuration Guide Part number: 5998-2648 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : 642-617 Title : Deploying Cisco ASA Firewall Solutions (FIREWALL v1.0) Vendor : Cisco Version : DEMO

More information

ASA Cluster for the Firepower 9300 Chassis

ASA Cluster for the Firepower 9300 Chassis Clustering lets you group multiple Firepower 9300 chassis ASAs together as a single logical device. The Firepower 9300 chassis series includes the Firepower 9300. A cluster provides all the convenience

More information

PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands

PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands PIX/ASA : Port Redirection(Forwarding) with nat, global, static and access list Commands Document ID: 63872 Introduction Prerequisites Requirements Components Used Related Products Conventions Network

More information

Configuring Static and Dynamic NAT Translation

Configuring Static and Dynamic NAT Translation This chapter contains the following sections: Network Address Translation Overview, page 1 Information About Static NAT, page 2 Dynamic NAT Overview, page 4 Timeout Mechanisms, page 4 NAT Inside and Outside

More information

Unit 4: Firewalls (I)

Unit 4: Firewalls (I) Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2 What is

More information

Configuring Access Rules

Configuring Access Rules Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule

More information

Troubleshooting the Security Appliance

Troubleshooting the Security Appliance CHAPTER 43 This chapter describes how to troubleshoot the security appliance, and includes the following sections: Testing Your Configuration, page 43-1 Reloading the Security Appliance, page 43-6 Performing

More information

NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example

NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example Document ID: 71573 Contents Introduction Prerequisites Requirements Components Used Network Diagram

More information

Configuring a Zone-Based Firewall on the Cisco ISA500 Security Appliance

Configuring a Zone-Based Firewall on the Cisco ISA500 Security Appliance Application Note Configuring a Zone-Based Firewall on the Cisco ISA500 Security Appliance This application note describes how to configure a zone-based firewall on the Cisco ISA500 security appliance.

More information

Access Control List Enhancements on the Cisco Series Router

Access Control List Enhancements on the Cisco Series Router Access Control List Enhancements on the Cisco 12000 Series Router Part Number, May 30, 2008 The Cisco 12000 series router filters IP packets using access control lists (ACLs) as a fundamental security

More information