Category Archives: Cisco

Protected: Cisco Talos vs PA Unit 42


Port NAT

In the scenario below we translate port 3389, the well-known port used for RDP, which is also a frequently attacked port; the server's RDP service is published on a different public port instead.


I. Object

object network SVR-RDP_192.168.1.1
 host 192.168.1.1
object network PUB-P1_123.1.1.1
 host 123.1.1.1

II. NAT Rules (translate port 3389 to any custom port)

Original Packet                             | Translated Packet
Source | Destination       | Service        | Source   | Destination          | Service
Any    | PUB-P1_123.1.1.1  | 8389           | Original | SVR-RDP_192.168.1.1  | 3389

Object NAT on the real server (ASA 8.3+ syntax), mapping real tcp/3389 to public tcp/8389:

object network SVR-RDP_192.168.1.1
 nat (dmz,outside) static PUB-P1_123.1.1.1 service tcp 3389 8389

III. Policy

Firewall Rules
Source | Zone    | Destination          | Service | Action
Any    | Outside |                      | 8389    | accept
Any    | DMZ     | SVR-RDP_192.168.1.1  | 3389    | accept

IV. Verify

From the remote user, connect to 123.1.1.1:8389.

(Configuration not yet verified.)
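A small Python model of the static PAT above, added here as an illustration and not part of the original post. It assumes ASA 8.3 or later semantics, in which inbound traffic is untranslated before the access rule is evaluated and the rule names the real address and port (as the DMZ row of the policy table does); the remote address 203.0.113.10 is a constructed sample.

```python
from dataclasses import dataclass, replace
from typing import Tuple

@dataclass(frozen=True)
class Packet:
    ifc: str      # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

# The static PAT from section II, in "nat" command order:
# (real_ifc, mapped_ifc, proto, real_ip, real_port, mapped_ip, mapped_port)
STATIC_PAT = [("dmz", "outside", "tcp", "192.168.1.1", 3389, "123.1.1.1", 8389)]

# Access rule on the outside interface, written against the REAL address and
# port (ASA 8.3+ behaviour), like the DMZ row of the policy table above.
OUTSIDE_IN_ACL = [("tcp", "192.168.1.1", 3389)]

def untranslate(pkt: Packet) -> Packet:
    """Inbound on the mapped interface: mapped ip:port -> real ip:port."""
    for real_ifc, mapped_ifc, proto, rip, rport, mip, mport in STATIC_PAT:
        if (pkt.ifc, pkt.proto, pkt.dst, pkt.dport) == (mapped_ifc, proto, mip, mport):
            return replace(pkt, dst=rip, dport=rport)
    return pkt  # no xlate entry matches: packet is left untouched

def translate(pkt: Packet) -> Packet:
    """Outbound from the real interface: real src ip:port -> mapped ip:port."""
    for real_ifc, mapped_ifc, proto, rip, rport, mip, mport in STATIC_PAT:
        if (pkt.ifc, pkt.proto, pkt.src, pkt.sport) == (real_ifc, proto, rip, rport):
            return replace(pkt, src=mip, sport=mport)
    return pkt

def inbound_allowed(pkt: Packet) -> Tuple[bool, Packet]:
    """Untranslate first, then check the ACL against the real destination."""
    real = untranslate(pkt)
    ok = any((real.proto, real.dst, real.dport) == rule for rule in OUTSIDE_IN_ACL)
    return ok, real

if __name__ == "__main__":
    # Constructed sample: a remote user on 203.0.113.10 hitting the published port,
    # and the same user trying the real RDP port, which is not published.
    print(inbound_allowed(Packet("outside", "203.0.113.10", 50000, "123.1.1.1", 8389)))
    print(inbound_allowed(Packet("outside", "203.0.113.10", 50001, "123.1.1.1", 3389)))
```

Only the mapped port reaches the server; a packet to 123.1.1.1:3389 matches no xlate entry and therefore no rule, which is the point of publishing RDP on a custom port.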

ASA packet inspection phases

Initial checking, phase 1:
Packets arriving at a firewall interface are checked for basic integrity.
The source address is checked with unicast RPF, which inspects the source IP address of each incoming packet and drops spoofed packets.

Note: unicast RPF is not enabled by default.

XLATE, phase 2:
This is the 2nd phase for outgoing traffic and the 5th phase for incoming traffic.
The translation table (xlate) holds the xlate entries, which are created either dynamically or statically.

Connection lookup, phase 3:

Stateful inspection – the ASA examines and records the state of each connection passing through it.

Connection idle timeout: the idle timer runs whenever no data is passing through a flow or connection; once the idle timeout is reached, the connection is aged out of the connection table.

Summary:
Whenever a connection is allowed through the firewall, a flow (connection entry) is created in the connection table. When the return traffic comes back it matches that flow in the connection table and is immediately permitted to the device.

There is an idle timeout period for connections, and whenever that timeout is reached the connection is aged out of the connection table.
“set connection idle hh:mm:ss [reset]—The idle timeout period after which an established connection of any protocol closes, between 0:0:1 and 1193:0:0. The default is 1:0:0. For TCP traffic, the reset keyword sends a reset to TCP endpoints when the connection times out.
The default udp idle timeout is 2 minutes. The default icmp idle timeout is 2 seconds. The default esp and ha idle timeout is 30 seconds. For all other protocols, the default idle timeout is 2 minutes.”

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/conns-connlimits.pdf

ACL lookup, phase 4:
An access list is a list of permit or deny statements on the firewall, applied to traffic ingressing or egressing an interface of the firewall.

Once an access list is applied to a firewall interface it becomes a vital part of the packet inspection process, because the ACL explicitly lists the type of traffic that is permitted through. Anything not explicitly permitted is implicitly denied.

ACLs don't inspect connection state; they simply define which packets are permitted or denied in a single direction. By default no ACLs are created or applied to any firewall interface; the Cisco ASA then uses its default security policy, the security levels, to filter traffic.

Default security policy (security levels):
Traffic from a higher security level to a lower security level is permitted.
But
Traffic from a lower security level to a higher security level is denied.
The only case in which traffic from a lower security level to a higher one is permitted is return traffic for a connection that was initiated from the higher security level interface.

UAUTH lookup, phase 6:
Authentication – authenticate users.

Inspection engine, phase 7:
Inspection of connectionless and connection-oriented protocols.
UDP header example: Source/Destination Port / Length / Checksum
TCP header example: Source/Destination Port / Sequence / ACK / Flags / Window / Checksum / Urgent / Options.

Allow ICMP through Cisco ASA

By default our Cisco ASA doesn't permit ICMP from inside to outside. Cisco ASA assigns a security level to each interface.

Security levels help us determine how trusted our interfaces are: the higher the security level, the more trusted the interface. Default security levels: Inside = 100, DMZ = 50 and Outside = 0.

Based on this scenario we can see that we need to add a ladder so that Deadpool can get into the inside area.

How do we make a ladder?

Using an ACL – we need to create an extended ACL to permit inside to outside.

Q: What is the difference between a standard and an extended access list?

A: ACLs are used to filter and classify traffic. A standard ACL denies/permits all traffic, whereas an extended ACL selectively denies/permits some or all traffic depending on your requirements.

#access-list 100 extended permit icmp x.x.x.x x.x.x.x any echo

! echo permits the outbound request; echo-reply permits the reply coming back from the destination.

#access-list 100 extended permit icmp any x.x.x.x x.x.x.x echo-reply

! Apply the ACL to the outside interface

#access-group 100 in interface outside

Using the Modular Policy Framework (MPF).

Create a class-map, a policy-map and a service-policy.

Class-map – used to identify traffic.

Policy-map – used for the action: policing, dropping and prioritizing.

Service-policy – decides where the policy-map performs its action.

#class-map inspection_default
 match default-inspection-traffic

#policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

#service-policy global_policy global


MYWORKSTATION>ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=45 time=141.607 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=45 time=182.624 ms
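An added Python model (not from the original posts) of the decision sequence described in the packet inspection phases and in this ICMP post: connection table lookup first, then the ingress ACL if one is applied, otherwise the security-level default, with idle timeouts taken from the defaults quoted above. ICMP flows are only tracked when inspect icmp is on, which is why a ping reply from outside is dropped without it; interface names, hosts and timestamps are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Interface trust levels from the post and the default idle timeouts it quotes.
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
IDLE_TIMEOUT_S = {"tcp": 3600, "udp": 120, "icmp": 2}

Rule = Tuple[str, str, str]  # (proto, src or "any", dst or "any")

class AsaModel:
    """Simplified ASA forwarding decision: conn lookup, then ACL or security levels."""

    def __init__(self, inspect_icmp: bool = False,
                 acls: Optional[Dict[str, List[Rule]]] = None):
        self.inspect_icmp = inspect_icmp      # "inspect icmp" under global_policy
        self.acls = acls or {}                # ingress interface -> access-list
        self.conns: Dict[tuple, float] = {}   # flow key -> time last seen

    def _tracked(self, proto: str) -> bool:
        # TCP/UDP are always stateful; ICMP only once it is inspected.
        return proto != "icmp" or self.inspect_icmp

    @staticmethod
    def _key(proto: str, a: str, b: str) -> tuple:
        return (proto,) + tuple(sorted((a, b)))  # same key in both directions

    def _acl_permits(self, ifc: str, proto: str, src: str, dst: str) -> bool:
        return any(p == proto and s in ("any", src) and d in ("any", dst)
                   for p, s, d in self.acls[ifc])

    def forward(self, in_ifc: str, out_ifc: str, proto: str,
                src: str, dst: str, now: float) -> bool:
        """True if the packet passes; 'now' is the arrival time in seconds."""
        key = self._key(proto, src, dst)
        if self._tracked(proto):
            last = self.conns.get(key)
            if last is not None and now - last <= IDLE_TIMEOUT_S[proto]:
                self.conns[key] = now        # existing flow: permitted immediately
                return True
            self.conns.pop(key, None)        # idle too long: aged out of the table
        if in_ifc in self.acls:              # an applied ACL replaces the default policy
            permitted = self._acl_permits(in_ifc, proto, src, dst)
        else:                                # default: higher level -> lower level only
            permitted = SECURITY_LEVEL[in_ifc] > SECURITY_LEVEL[out_ifc]
        if permitted and self._tracked(proto):
            self.conns[key] = now            # new flow: recorded for the return traffic
        return permitted
```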

Upgrading the Cisco ASA software version without removing the current configuration.

Cisco Adaptive Security Appliance Upgrade
Notes before upgrading
1. Upgrading from an older version (8.2) to a newer version:
– Verify the upgrade path.
– NAT commands will be different from the older versions.
– ASDM needs to be upgraded as well.
– Check the release notes if you're not sure about other features.
! To verify your current version
#show running-config boot system
2. Verify the prerequisites:
– License
– Memory
! To verify your ASA memory
#show version | include RAM
3. Backup your current configuration before you start the upgrade.
! To backup your running-configuration
#copy running-config tftp:
4. Download the latest or the specific version you want.
5. Start the upgrade.
#copy tftp://X.X.X.X/NEWVERSION disk0:
! Remove the current boot system
config#no boot system disk0:/oldversion
! Add the new version
config#boot system disk0:/newversion
config#exit

! Save & Reload
#write memory
#reload
! Now verify
#show running-config boot system
#show version
Q's & A's
1. After upgrading to a newer version do I need to reconfigure the appliance from scratch?
A: No, you just need to save the current configuration (“wr mem”) before upgrading so that the configuration is kept.
2. Is it required to upgrade your ASA to a newer version?
A: No. Yes, if you want to meet your goals and use the newer features.
3. If I update my ASA version are there any disadvantages?
A: For me, I do not see any disadvantages; you just need to be sure and verify the release notes before upgrading.