Introduction to Cisco PIX and ASA

© 2006 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice
Network Security - Firewalls
Firewall
• A firewall is a system or group of systems that manages access between two networks. It provides the first line of perimeter defense.
• It prevents unauthorized access to a network.
• It protects the trusted network from attacks.
• It manages the information flow and restricts dangerous free access.
• It can permit, deny, encrypt, decrypt or proxy the traffic.
• Provides the ability to expose Internet services to the outside world in a limited way, via a DMZ.
Cisco PIX
• PIX – Private Internet Exchange
• Uses the Adaptive Security Algorithm
• Not a UTM; a stateful firewall with NAT and VPN
• PIX OS, similar to IOS, but there are some differences
• Has a GUI: PDM – PIX Device Manager
• Starts with the 500 series
• EOL (end of life)
Cisco ASA
• ASA – Adaptive Security Appliance
• With an add-on module it can be used as a UTM
• Has add-on modules for Anti-Virus, VPN, IPS
• More similar to IOS
• Has a GUI: ASDM – Adaptive Security Device Manager
• Starts with the 5500 series
Cisco ASA Different Editions
Cisco PIX 501
• Processor: 133 MHz AMD SC520
• Memory: 16 MB
• Ethernet: 2
• Flash: 8 MB
• Connections: 3500
• Clear Text Throughput: 10 Mbps
• VPN Peers: 5

Cisco PIX 506
• Processor: 300 MHz Intel Celeron
• Memory: 32 MB
• Ethernet: 2
• Flash: 8 MB
• Clear Text Throughput: 20 Mbps
• VPN Peers: 25

Cisco PIX 515
• Processor: 200 MHz Pentium Pro
• Memory: 32 MB (515-R), 64 MB (515-UR)
• Ethernet: 2 (515-R), 6 (515-UR)
• Flash: 8 MB (515-R), 16 MB (515-UR)
• Connections: 50,000 (515-R), 100,000 (515-UR)

Cisco PIX 525
• Processor: 600 MHz Pentium III
• Memory: 128 MB SDRAM
• Ethernet: 6 configurable
• Token Ring: 4 configurable
• FDDI: 2 configurable
• Ethernet/TR: 6 total
• Flash: 16 MB
• Connections: 256,000+
• VPN Tunnels: 2000

Cisco PIX 535
• Processor: 1 GHz Pentium III
• Memory: 512 MB SDRAM
• Ethernet: 4/6 configurable
• Flash: 16 MB
• Connections: 500,000
• VPN Tunnels: 2000
PIX Firewall Models

Model                       501       506e           515e           525            535
CPU type                    AMD       Intel Celeron  Intel Celeron  Intel P III    Intel P III
CPU speed                   133 MHz   300 MHz        433 MHz        600 MHz        1 GHz
Default RAM (MB)            16        32             64             128            512
Default flash               8 MB      8 MB           16 MB          16 MB          16 MB
Interfaces                  2         2              6 (M)          6 (M)          8 (M)
VPN accelerator supported   No        No             Yes            Yes            Yes
Failover supported          No        No             Yes            Yes            Yes
Cisco ASA Models
ASA 5510/5520/5540
(Panel diagram; labels only: Status, Power, Active, VPN and Flash LEDs; Compact Flash; Security Service Module (SSM) slot; Monitoring Port; 10/100 Out-of-Band Management Port; Console Port; AUX Port; four 10/100/1000 Copper Gigabit Ports; two USB 2.0 Ports.)
Cisco ASA – Security Services Module
• High-performance module for additional services
• Gigabit Ethernet port for out-of-band management, etc.
Failover – Hot Standby
(Diagram: an active and a failover unit joined by a failover cable, sitting between the Internet, the internal LAN and a DMZ holding the Web, DNS and FTP servers.)
− Minimizes single point of failure
− Maximizes reliability of the network
− Transparent to users behind the firewall
− Failover units must be the identical model of PIX/ASA
Context Firewall
• Cisco feature for the Cisco 5500 Series Adaptive Security Appliance with software version 7.2 and later.
− Note: The multiple context feature is not supported on the ASA 5505 Series Adaptive Security Appliance. The ASA 5510 supports a maximum of 5 contexts even if an additional 4-port Ethernet card is added.
• Partitions a single device into multiple virtual devices. Each context is an independent device with its own configuration.
• Each context has its own routing table, firewall features and IPS, like a standalone device.
• Multiple context mode does not support the following features:
− Dynamic routing protocols (security contexts support only static routes; you cannot enable OSPF or RIP in multiple context mode).
− VPN
− Multicast
• System administrator rights are mandatory when a user logs into the admin context.
• The admin context is not counted in the context license. For example, with the default license you are allowed one admin context and two other contexts.
− When buying a new ASA 5500 with a default license, we can run three firewall contexts.

Company confidential. Tuesday, December 07, 2021
Sample Network
(Diagram: one firewall with three interfaces)
  E0 outside: to the Internet, 200.200.200.1/30
  E1 inside: Internal LAN, 10.10.10.0/24
  E2 DMZ: 172.16.30.0/27
Basic Configuration – Interface
interface Ethernet0
 description "Outside Interface-Conn to Internet Router"
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.252
interface Ethernet1
 description "Inside Interface - Conn to Core Switch"
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Ethernet2
 description "DMZ Interface towards DMZ1 servers"
 nameif DMZ
 security-level 50
 ip address 172.16.30.1 255.255.255.224
!
Basic Configuration - DNS
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 3.3.3.3
 name-server 4.4.4.4
 domain-name xyz.net
Basic Configuration - Time
clock timezone IST 5 30
ntp server 1.1.1.1
ntp server 2.2.2.2
Basic Configuration - Logging
logging enable
logging timestamp
logging monitor informational
logging buffered informational
logging trap informational
logging asdm informational
logging host <interface> <syslogger IP>
Ex: logging host inside 10.10.10.1

Basic Configuration - SNMP
snmp-server host <interface> 6.6.6.6 poll community "snmp-rostring"
snmp-server host <interface> 7.7.7.7 poll community "snmp-rostring"
snmp-server location "<location>"
snmp-server contact "XYZ,Phone +91 123456789"

Example:
snmp-server host inside 6.6.6.6 poll community Cisco
snmp-server host inside 7.7.7.7 community Procurve
snmp-server location Bangalore
snmp-server contact "XYZ,Phone +91 123456789"
Basic Configuration - AAA
aaa-server admin protocol tacacs+
aaa-server admin (<interface>) host 1.2.3.4
 timeout 5
 key "tacacs-key"
aaa-server admin (<interface>) host 3.4.5.6
 timeout 5
 key "tacacs-key"
aaa authentication telnet console admin LOCAL
aaa authentication ssh console admin LOCAL
aaa authentication enable console admin LOCAL
aaa authentication serial console admin LOCAL
Failover Configuration
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover key 123456
failover link failover Ethernet0/3
failover interface ip failover 20.20.20.1 255.255.255.0 standby 20.20.20.2
Access-List and Access-Groups
access-list acl_inside
access-list acl_dmz
access-list acl_outside

access-group acl_inside in interface inside
access-group acl_outside in interface outside
access-group acl_dmz in interface DMZ
ACL
Inside ACL
access-list acl_inside extended permit ip 10.10.10.0 255.255.255.0 172.16.30.0 255.255.255.224
Outside ACL
access-list acl_outside extended permit tcp any host 200.200.200.5 eq smtp
DMZ ACL
access-list acl_dmz extended permit tcp host 172.16.30.10 any eq smtp

NAT
static (inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (DMZ,outside) 200.200.200.5 172.16.30.10 netmask 255.255.255.255
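An inbound access-group replaces the default security-level behaviour on the interface it is bound to and ends in an implicit deny, and with the pre-8.3 static NAT used here the outside ACL names the mapped address 200.200.200.5. The Python model below is an added illustration (not from the deck, and not ASA code) of how the firewall evaluates the three ACLs and the static NAT above; the hosts 10.10.10.20 and 203.0.113.7 are constructed test addresses, and the model shows that acl_inside as written lets inside hosts reach only the DMZ subnet.

```python
import ipaddress
# Constructed model of the slides' sample network: interface security levels,
# the three ACLs and the access-group bindings, in the page's pre-8.3 ASA syntax.
INTERFACES = {"inside": 100, "DMZ": 50, "outside": 0}
ACLS = {
    "acl_inside": ["permit ip 10.10.10.0 255.255.255.0 172.16.30.0 255.255.255.224"],
    "acl_outside": ["permit tcp any host 200.200.200.5 eq smtp"],
    "acl_dmz": ["permit tcp host 172.16.30.10 any eq smtp"],
}
ACCESS_GROUPS = {"inside": "acl_inside", "outside": "acl_outside", "DMZ": "acl_dmz"}
STATIC_NAT = {"200.200.200.5": "172.16.30.10"}  # static (DMZ,outside): mapped -> real
PORTS = {"smtp": 25}

def _parse_addr(tokens):
    """Consume one ACE address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def ace_verdict(ace, proto, src, dst, dport):
    """True/False when the ACE matches (permit/deny), None when it does not apply."""
    action, aproto, *rest = ace.split()
    if aproto not in ("ip", proto):
        return None
    src_net, rest = _parse_addr(rest)
    dst_net, rest = _parse_addr(rest)
    if ipaddress.ip_address(src) not in src_net or ipaddress.ip_address(dst) not in dst_net:
        return None
    if rest[:1] == ["eq"] and int(PORTS.get(rest[1], rest[1])) != dport:
        return None
    return action == "permit"

def flow_allowed(in_if, proto, src, dst, dport, out_if):
    """Apply the inbound access-group on in_if (implicit deny at the end); without
    one, the security-level rule decides: higher to lower is allowed, lower to higher is not."""
    acl = ACCESS_GROUPS.get(in_if)
    if acl is None:
        return INTERFACES[in_if] > INTERFACES[out_if]
    for ace in ACLS[acl]:
        verdict = ace_verdict(ace, proto, src, dst, dport)
        if verdict is not None:
            return verdict
    return False

def inbound_real_destination(dst):
    """Outside traffic arrives for the mapped address; static NAT gives the DMZ host."""
    return STATIC_NAT.get(dst, dst)
```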
Commands
show ip address
show interface ip brief
show failover
show interface
object-group
names
IPSEC - Recap
IKE Phase 1 Parameters
• IKE encryption algorithm (DES, 3DES, or AES)
• IKE authentication algorithm (MD5 or SHA-1)
• IKE key (pre-shared, RSA signatures)
• Diffie-Hellman group (1, 2, or 5)
• IKE tunnel lifetime (time and/or byte count)

IKE Phase 2 Parameters
• IPsec protocol (ESP or AH)
• IPsec encryption type (DES, 3DES, or AES)
• IPsec authentication (MD5 or SHA-1)
• IPsec mode (tunnel or transport)
• IPsec SA lifetime (seconds or kilobytes)
IPSEC VPN
Command, followed by its purpose:

crypto isakmp policy 1
    Creates a new ISAKMP policy; the number here usually doesn't matter.
 encr 3des
    Sets encryption to triple-DES.
 hash sha
    Sets the hash algorithm to SHA-1.
 authentication pre-share
    Sets the authentication type to a pre-shared key between IPsec peers.
 group 2
    Sets the policy to use Diffie-Hellman group 2 (768 bit key).

crypto isakmp key [Shared-key] address [Remote-External-IP]
    Sets the pre-shared key for a specific IPsec peer.

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
    Defines a list of common preset algorithms. The preset name is the word right after "transform-set". Most of the newer IOS software images will support compression and AES encryption. Older ones will only support 3DES encryption. Some of the images will only support DES.

ip access-list extended Crypto-list
    Creates an access list that defines what goes into the tunnel.
 permit ip [Local-Int-NetID] [Local-Int-RMask] [Remote-Int-NetID] [Remote-Int-RMask]
    You can create multiple lists of source, destination, and services.

crypto map VPN-Map-1 10 ipsec-isakmp
    Creates an IPsec map. You can have multiple tunnels per interface by incrementing the "10" on the next map with the same name "VPN-Map-1".
 set peer [Remote-External-IP]
    Defines the IP address of the remote peer.
 set transform-set [Algorithm-preset]
    Sets the algorithm preset we defined above.
 set pfs group2
    Enables perfect forward secrecy.
 match address Crypto-list
    Defines the access list we created earlier of what goes into the tunnel.

interface [External-Interface]
    Enters the external interface configuration.
 crypto map VPN-Map-1
    Attaches map "VPN-Map-1" to this interface. Only one map per interface is allowed.

ip access-list extended [Firewall-policy-name]
    Enters the external firewall policy for controlling inbound traffic.
 permit udp host [Remote-External-IP] any eq isakmp
    Permits IPsec IKE setup from the peer.
 permit esp host [Remote-External-IP] any
    Permits IPsec payload from the peer.
IPSEC VPN (example with values)
Command, followed by its purpose:

crypto isakmp policy 1
    Creates a new ISAKMP policy; the number here usually doesn't matter.
 encr 3des
    Sets encryption to triple-DES.
 hash sha
    Sets the hash algorithm to SHA-1.
 authentication pre-share
    Sets the authentication type to a pre-shared key between IPsec peers.
 group 2
    Sets the policy to use Diffie-Hellman group 2 (768 bit key).

crypto isakmp key test123 address 100.100.100.100
    Sets the pre-shared key for a specific IPsec peer.

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
    Defines a list of common preset algorithms. The preset name is the word right after "transform-set". Most of the newer IOS software images will support compression and AES encryption. Older ones will only support 3DES encryption. Some of the images will only support DES.

ip access-list extended Crypto-list
    Creates an access list that defines what goes into the tunnel.
 permit ip 10.10.10.0 0.0.0.255 10.0.20.0 0.0.0.255
    You can create multiple lists of source, destination, and services.

crypto map VPN-Map-1 10 ipsec-isakmp
    Creates an IPsec map. You can have multiple tunnels per interface by incrementing the "10" on the next map with the same name "VPN-Map-1".
 set peer 100.100.100.100
    Defines the IP address of the remote peer.
 set transform-set AES-SHA-compression
    Sets the algorithm preset we defined above.
 set pfs group2
    Enables perfect forward secrecy.
 match address Crypto-list
    Defines the access list we created earlier of what goes into the tunnel.

interface Ethernet0
    Enters the external interface configuration.
 crypto map VPN-Map-1
    Attaches map "VPN-Map-1" to this interface. Only one map per interface is allowed.

ip access-list extended Internet-inbound-ACL
    Enters the external firewall policy for controlling inbound traffic.
 permit udp host 100.100.100.100 any eq isakmp
    Permits IPsec IKE setup from the peer.
 permit esp host 100.100.100.100 any
    Permits IPsec payload from the peer.
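For the tunnel above to come up, both peers must agree on a phase 1 policy (IOS tries its policies in ascending number order and takes the shorter lifetime), share a transform set with the same algorithms, and hold mirror-image crypto ACLs. The Python model below is added here to work through those checks; it is not part of the deck or of IOS, and the peer's policy numbers, its 28800-second lifetime and its 10.0.20.0/24-to-10.10.10.0/24 ACL are constructed.

```python
# Added model (not from the deck) of how two IOS peers must agree on the
# phase 1 policy, the phase 2 transform set and the crypto ACL shown above.
DEFAULT_LIFETIME = 86400  # IOS default ISAKMP SA lifetime in seconds
PHASE1_KEYS = ("encr", "hash", "authentication", "group")

def negotiate_isakmp(local, remote):
    """Phase 1: policies are dicts keyed by their 'crypto isakmp policy N' number;
    lower N is tried first. Return (local N, agreed policy) for the first local
    policy that a remote policy matches on every PHASE1_KEYS entry, with the
    shorter of the two lifetimes. None means phase 1 cannot complete."""
    for ln in sorted(local):
        for rn in sorted(remote):
            if all(local[ln][k] == remote[rn][k] for k in PHASE1_KEYS):
                agreed = {k: local[ln][k] for k in PHASE1_KEYS}
                agreed["lifetime"] = min(local[ln].get("lifetime", DEFAULT_LIFETIME),
                                         remote[rn].get("lifetime", DEFAULT_LIFETIME))
                return ln, agreed
    return None

def select_transform(local_sets, remote_sets):
    """Phase 2: first local transform set (in 'set transform-set' order) whose
    algorithms the peer also offers; names may differ, contents must not."""
    for name, algs in local_sets:
        if any(set(algs) == set(ralgs) for _, ralgs in remote_sets):
            return name
    return None

def mirror_of(ace):
    """The ACE the peer needs for 'permit ip SRC SRC-WC DST DST-WC' to be mirrored."""
    action, proto, src, swc, dst, dwc = ace.split()
    return f"{action} {proto} {dst} {dwc} {src} {swc}"

def crypto_acls_match(local_acl, remote_acl):
    """True when every local crypto ACE has its mirror image on the peer and the peer
    has nothing extra; otherwise traffic is left unprotected or proxy identities fail."""
    return sorted(mirror_of(ace) for ace in local_acl) == sorted(remote_acl)

# Constructed sample: our side as on the slide (policy 1 = 3des/sha/pre-share/group 2),
# the peer preferring AES with a 3DES fallback that carries a shorter lifetime.
OUR_POLICIES = {1: {"encr": "3des", "hash": "sha", "authentication": "pre-share", "group": 2}}
PEER_POLICIES = {
    10: {"encr": "aes", "hash": "sha", "authentication": "pre-share", "group": 2},
    20: {"encr": "3des", "hash": "sha", "authentication": "pre-share", "group": 2,
         "lifetime": 28800},
}
OUR_CRYPTO_ACL = ["permit ip 10.10.10.0 0.0.0.255 10.0.20.0 0.0.0.255"]
PEER_CRYPTO_ACL = ["permit ip 10.0.20.0 0.0.0.255 10.10.10.0 0.0.0.255"]
```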