Jimmys Cyber Corner » Cisco ASA

What about wiping your firewall for breakfast?

Jimmy Larsson — Fri, 16 Jul 2010 08:33:14 +0000

You know how it is? You are typing so fast making changes in you cisco gear you not always pay attention to which mode you are in? Doing config-command in exec-level, exec-commands in config-level and adding “do” in front just to make them pass? Wanna know if that happens to fast and you are in the wrong place doing the wrong time?

Below I am in system context of a multi context ASA firewall. My intention is to do something with a context. I go into config mode and then into the context definition of the context I wanna change. What if I get interrupted or whatever and enter the “conf t”-command in the context configuration mode?

act# sh mode Security context mode: multiple act# act# conf t act(config)# context LEFT act(config-ctx)# conf t INFO: Converting t to disk0:/t . WARNING: Could not fetch the URL disk0:/t INFO: Creating context with default config INFO: Admin context will take some time to come up .... please wait. act(config-ctx)#

Congrats! Your firewall is gone!

Doing some magic translations in Cisco ASA

Jimmy Larsson — Mon, 05 Jul 2010 18:59:01 +0000

I recently got a question from a collegue regarding address translations in Cisco ASA. He wrote:

Got a question from a customer if you can do the following:

1. NAT the . IP address of a machine located on the DMZ to inside with the same address as the NAT has been: at the outside (ie publish public address inwards too)

2. Source NAT for inside addresses (clients) when they must go above the DMZ server (in the “public” address) so that the source is a different puclic address.

Have not tested yet so I do not know but the config must be abit weird.

ok. Lets try. I put together a quick lab-setup. A 3-legged ASA with a one-legged router on each firewall-interface:

interface Vlan10 nameif outside security-level 0 ip address 200.1.1.1 255.255.255.0 ! interface Vlan20 nameif inside security-level 100 ip address 10.1.1.1 255.255.255.0 ! interface Vlan30 no forward interface Vlan20 nameif dmz security-level 50 ip address 10.2.2.1 255.255.255.0 !

And the routers.

R1:
interface FastEthernet0 ip address 200.1.1.99 255.255.255.0 duplex auto speed auto end

R2:
interface FastEthernet0 ip address 10.1.1.99 255.255.255.0 duplex auto speed auto end

and R3:
interface FastEthernet0 ip address 10.2.2.2 255.255.255.0 duplex auto speed auto end

Ok. R1 is the outside host on internet. R2 is an inside host on our corporate network. R3 is this magical server on DMZ. In this example it is a high performance telnet server!

line vty 0 4 no login

First, make sure that this is reachable from internet. We do a static and allow the traffic on outside acl:

static (dmz,outside) 200.1.1.2 10.2.2.2 netmask 255.255.255.255 access-list OUTSIDE extended permit tcp any host 200.1.1.2 eq telnet

Verification. Telnet from R1 to public IP:
R1#telnet 200.1.1.2 Trying 200.1.1.2 ... Open R3>

Great. Now we want to reach the DMZ server from inside. Since this is higher security level to lower and we dont have any acl on inside we dont have to care about open the traffic. But we want to use an OUTSIDE address as destination ip to reach a DMZ host. Lets try a static:

FW(config)# static (dmz,inside) 200.1.1.2 10.2.2.2

The command above seems weird, right? I agree. Someday when I have a lot of time I will explain the theory but for now, just trust me!

Verification:
R2#telnet 200.1.1.2 Trying 200.1.1.2 ... Open R3>

Next step is to hide the source address of that telnet client on inside. Right now it is using its own source ip:
R3>en Password: R3# R3#sh users Line User Host(s) Idle Location 0 con 0 idle 00:08:09 * 6 vty 0 idle 00:00:00 10.1.1.99


  Interface    User               Mode         Idle     Peer Address

R3#

So, how do we accomplish that? The easiest way is to use a policy nat-statement. We create an access-list which defines which traffic to translate. We then create a nat-statement with a nat-id of your choice and call the access-list. Finaly we define which global ip to use. (outside. Remember dmz is outside relative to inside since dmz has lower security-level)
access-list Inside2DMZ extended permit tcp 10.1.1.0 255.255.255.0 host 200.1.1.2 eq telnet nat (inside) 1 access-list Inside2DMZ global (dmz) 1 200.1.1.10

Verification:
R2#telnet 200.1.1.2 Trying 200.1.1.2 ... Open


R3>sh users

    Line       User       Host(s)              Idle       Location

*  6 vty 0                idle                 00:00:00 200.1.1.10
  Interface    User               Mode         Idle     Peer Address

R3>

Voila! So, the client is on a private ip network 10.1.1.0 and establish a connection to what he think is on outside, because it is an public/outside ip. The traffic passes the magic ASA and the server on DMZ believes that the client is on internet since it has a public/outside source ip.

Mission accomplished.

Lab notes – WB1 Lab4 Part 1

Jimmy Larsson — Fri, 26 Feb 2010 13:46:22 +0000

Today I started to work with IPExpert CCIE Security workbook 1 Lab 4a – VPN-solutions. During my work I made the following notes which might be interresting to read for other CCIE-candidates. I will also from now on continue to do these notes and post them on this blog. Explaining and writing is simply a great way for me to learn.

Also, if my boss some day ask me what the heck I am doing all these work-hours, I will gladly give him a link to this blog.

Task 4.1 – IOS CA

This was quite straight-forward. Make an IOS become a root certificate authority for later use.

What confuses me is that there is nothing in the configuation telling it to authenticate with certificates. All there is compared to “normal” preshared-key-auth is a missing “authen pre-share”. Which ofcours means that authentication is done with the certificates by default. I understand, I just have to get used to the fact that there is no command visible in the crypto isakmp policy saying “authentication MY-CA-TRUSTPOINT”.
When entering a wrong peer in the crypto map, it´s not just enough to re-enter a new ip. Since a crypto map sequence can have multiple peers for redundancy the old one doesnt go away. The effect is that the tunnel goes up, after a while, since it first tries with the bad peer ip before trying the second one. Remove the first.
Me being more used to vpns in asa than in ios usually tear down vpn-tunnels with the commands “clear crypto isakmp sa” and “clear crypto ipsec sa”. In IOS the corresponding command is “clear crypto session”. Cool.

Task 4.2 – IOS L2L

This is all about enrollment of certificates from the CA in previous task to two IOS-routers and setup an ipsec-tunnel.

What confuses me is that there is nothing in the configuation telling it to authenticate with certificates. All there is compared to “normal” preshared-key-auth is a missing “authen pre-share”. Which ofcours means that authentication is done with the certificates by default. I understand, I just have to get used to the fact that there is no command visible in the crypto isakmp policy saying “authentication MY-CA-TRUSTPOINT”.
When entering a wrong peer in the crypto map, it´s not just enough to re-enter a new ip. Since a crypto map sequence can have multiple peers for redundancy the old one doesnt go away. The effect is that the tunnel goes up, after a while, since it first tries with the bad peer ip before trying the second one. Remove the first.
Me being more used to vpns in asa than in ios usually tear down vpn-tunnels with the commands “clear crypto isakmp sa” and “clear crypto ipsec sa”. In IOS the corresponding command is “clear crypto session”. Cool.

Task 4.3 – VPN IOS-ASA

The task was to setup a tunnel between IOS and ASA. Preshared-key, all straight-forward. However, I was asked to prioritize to certan traffic going into the tunnel from the IOS-router. This was done by creating a service-policy on outside-interface like this:

class-map match-all VPN-CLASS

match access-group 150 ! The ACL that defines the traffic to prioritize

policy-map VPN-POLICY

class VPNCLASS


priority 200 (I was also assign to restrict the prioritized traffic to 200kbps)
interface Fa1/1

service-policy output VPN-POLICY

And, dont forget to do “qos pre-classify” on the crypto map! Otherwise your class-map has to look for ESP-traffic and that is not very granular, is it?
“create lo3 on r2, assign it ip 192.168.3.2/24″ and “create a vpn tunnel between Vlan100 and the newly created loopback network”. I used “host 192.168.3.2″ in acl, but it clearly states “the loopback _network_”. Darn!

Task 4.4 L2L Aggressive mode with PSK

Stuck Twice.

I PROMISE NEVER TO FORGET TO APPLY THE CRYPTO MAP TO THE INTERFACE AGAIN

I PROMISE NOT TO FORGET TO APPLY THE CRYPTO MAP TO IF AGAIN

I PROMISE NOTTO FORGET TO APPLY THE CRYPTO MAP TO IF AGAIN

Stuck again. Couldn´t get the tunnel up even when comparing my configs with the solution guide. After getting help from OSL I made it:

I am struggling with this task, I simply cannot get the tunnel up. And I cant see what Ive done wrong.

Background: Make a tunnle between r2 and r5. Assume that r5-ip is dynamic, the tunnel should only be initiated from r5. (that is: dynamic map on r2).

The relevant parts of the config looks like this:

Answer from Brandon:

Not sure if this is it or not but you have crypto isakmp key ipexpert
hostname r5.ipexpert.com and the debug shows FQDN name : R5.ipexpert.com

Voila! Changed the “r5″ to “R5″ and it started working!

Task 4.5 L2L Overlapping subnets.

The task was to create a tunnel between 4 routers to protect traffic between internal nets. The restrictions was: no static routing, no crypto maps and no GRE.

I havent worked very much with tunnel-interfaces but this was a pleasant first date. It´s kind of magic making a virtual interface and make the router route traffic thru it. Even more coolish when you encrypt the traffic and make a routing protocol talk thru the tunnel.
Since I wasn´t allowed to use static routing I had to create loopback-interfaces to force knowledge of that local networks translated address-space into the routing-protocol. I was thinking of some kind of “add-reverse-route”-option for the “ip nat source static network”-command but I guess there is no such solution? Or could this routing-issue be solved in another way?

Task 4.6 – Easy VPN Server on IOS

This task deals with connecting a plain ipsec-client from XP workstation to an VPN-server on ios. First step was to verify connectivity on XP. Wrong IP, changing it. Now, a good advice from someone “who knows”: Do NOT add a default route on the student NIC of the labb pc:s. It has 2 nics and the other one is convinently named “Outside NIC – Do not Touch!” which is fine because thats how you reach the machine over internet. But if you add a default “gateway” on the student nic (which you are allowed to fool with) you will convert that kind little XP-machine into an unpredicible beast. If you are lucky u will reach it after a while and remove that default gw. So I´ve heard.
IOS auto-enroll and the enroll-feature of ipsec vpn client is cool. Just point it to http:///cgi-bin/pkiclient.exe and request a certificate.
I had to look at the solution guide quite alot in this case. Even when doing that I couldnt get the vpn-client to connect. I just got these error messages:


Feb 26 12:35:24.740: ISAKMP:(1011):deleting SA reason "Recevied fatal informational" state (R) CONF_XAUTH    (peer 8.9.2.200)
Feb 26 12:35:24.740: ISAKMP:(1011):deleting SA reason "Recevied fatal informational" state (R) CONF_XAUTH    (peer 8.9.2.200)

Suddenly I looked at the bottom right corner of my screen and saw tht the time was 3 minutes until the lab-period was over. I have never backed up a bunch of routers this fast before. First thing next lab-attempt will be to load the configs and troubleshoot the EasyVPN-config of R4.

Conclusion of this lab so far: It´s intense! I´ve been configuring plenty of VPN-solutions before, but I guess that my experience covers only 20-30% of the VPN-related topics in this lab. All these profiles-configurations in IOS are all new to me. I guess I have some CCO-chapters to read during the weekend…

Here are my current configurations: asa1, r2, r4, r5 and r6.

Cisco Ipsec VPN-client for 64-bit windows-OS after all?

Jimmy Larsson — Sun, 21 Feb 2010 19:44:23 +0000

It seems that Cisco has changed their mind. For long it has been told that one major step for Cisco to promote use of the new SSL Anyconnect VPN-client was to not release a traditional Ipsec VPN-client for 64-bits Windows. Cisco have received lots of critics for this, primary because Anyconnect-usage is a licensed feature in ASA Firewall in contradiction to the free ipsec-vpn-client-usage.

This peek into the download area for VPN-clients seems to change the way we look at it. Still a beta, but anyway…

Cisco ASA “active/active” failover

Jimmy Larsson — Thu, 11 Feb 2010 21:21:08 +0000

I often get into discussions with customers about the active/active feature of Cisco firewalls (ASA/FWSM). There seems to be a lot of confusions regarding the possible redundancy scenarios.

The short story first: The only scenario when active/active can be done is when you have 2 physical units and at least 2 virtual firewalls (contexts) configured.

But we start from the beginning…

Single Box – Single Context

The most common solution for small companies is having one single firewall without any redundancy. There is not much to say about it…

Dual boxes – Single Contexts

By adding another box you get a active/passive-failover, also known as hot standby. The primary box is doing all the work and the secondary just waits to stand in in case of a failure of the primary. There is no load-sharing.

The usage for this is an organisation that has no need for multiple contexts but wants their firewall to be redundant.

Single Box – Multiple Contexts

If there is need for multiple context, the firewall can be configured so. Two (or more) different configurations can share the same physical hardware. They can also share interfaces with some exemptions. Each context can have different administrative profiles configured so that a specific person can configure only one context.

Example: Company A and Company B shares a common firewall. Each company has their specific security policies and are each administered separately.

Dual boxes – Multiple Contexts

By extending the previos scenario with duplicated hardware one can get a redundant solution. With both contexts active on the left hardware this unit will handle all traffic for both of them. In case of a hardware-failure both contexts will become active on the other unit.

Example: The need for high-available firewall-functionality made the company AB to invest in redundant firewalls. They need to have multiple security policies administered by each companys respective IT-department. It all runs in Unit 1, while Unit 2 is configured as a hot-spare.

Dual boxes – Multiple Contexts balanced

If one context is active in one hardware and another context in the other one you will get a load-balanced-ish solution. Normal case is that the left unit handles Department A context and the right unit takes care of all traffic for Department B. In case of a hardware failure on either unit, the context(s) that were active in the failed unit “moves” to the other hardware.

Scenario: To gain performance company AB have distributed the placement of each contexts active unit. The left unit takes care of Department A:s context and the left one handles the context of Department B. Each unit is hot-spare for respective context.

Important notes:

The only case when “active/active” can be built is when you have multiple contexts.
There is no load-sharing done “within” a context. That means that if traffic going thru the green context it will suck all resources out of the left unit without any “help” from the right unit.
These multiple-contexts-scenarios also applies to when having more than two contexts. For example, if there are 5 contexts, 0, 1, 2, 3, 4 or five of them can be active in each unit. It´s all configurable. This configuration is done by putting contexts in failover-groups and this config is the only difference between the two last scenarios above.

Final words:

A Cisco ASA-solution without multiple contexts can never be active/active.

MPF Task: Solution!

Jimmy Larsson — Mon, 08 Feb 2010 18:10:03 +0000

Solution:

The solution to this is the fact that this doesn´t work with the regexps:

class-map type inspect http match-all class-FIND-BANNED-URLS match request uri regex class class-map-JIMMYS-BANNED-SITES !

uri is the part of the url after the hostname, the directory-path and filename on the web-server. By matching uri you can in the “http://www.facebook.com/jimmy.larsson” match on substrings within the “/jimmy.larsson”-subset but not in “http://www.facebook.com”-part.

By instead match on the request header host string I get the desired result:

class-map type inspect http match-all class-FIND-BANNED-URLS match request header host regex class class-map-JIMMYS-BANNED-SITES

Verification:

When trying to access facebook (after making sure that the clock is not in my 5 min per hour grace period ) I get this in the log:

%ASA-5-415008: HTTP - matched Class 29: class-FIND-BANNED-URLS in policy-map policy-INSPECT-HTTP, header matched - Resetting connection from inside:192.168.1.50/51194 to outside: 69.63.181.15/80

Caveat:

Since I match on host-name I cannot do stuff like this:

regex googlereader ".*google\.com\/reader*"

This will work.:

regex googlereader ".*google\.com*"

However it will prevent me from using any google-service during my studies. (Which might be a good thing. ) Anyway, how do I prevent access to google reader at google.com/reader without killing my google-searching-abilities? Like this:

regex reader ".*reader\/.*" regex google ".*\.google\..*" ! class-map type inspect http match-all GOOGLEREADER match request header host regex google match request uri regex reader ! policy-map type inspect http policy-INSPECT-HTTP parameters class class-FIND-BANNED-URLS reset log class GOOGLEREADER reset log

Mission accomplished!

MPF Task: prevent surfing to those sites at these times.

Jimmy Larsson — Mon, 08 Feb 2010 10:57:58 +0000

For todays lab-session I gave myself a small task: Configure the internet-ASA to prevent myself from surfing to specific time-consuming websites except from 5 minutes every hour.

The task sounds easy an as soon as I figured out to do MPF with a time-based acl for specifying inspect-traffic it just took me a few minutes to do this:

time-range STUDY-TIME periodic weekdays 7:00 to 7:55 periodic weekdays 8:00 to 8:55 periodic weekdays 9:00 to 9:55 periodic weekdays 10:00 to 10:55 periodic weekdays 11:00 to 11:55 periodic weekdays 12:00 to 12:55 periodic weekdays 13:00 to 13:55 periodic weekdays 14:00 to 14:55 periodic weekdays 15:00 to 15:55 ! access-list acl-MAKE-JIMMY-WORK extended permit tcp any any eq www time-range STUDY-TIME ! class-map class-NOSURF match access-list acl-MAKE-JIMMY-WORK ! regex gmail ".*mail\.google\.com*" regex googlereader ".*google\.com\/reader*" regex twitter ".*\.twitter\.com*" regex facebook ".*\.facebook\.com*" ! class-map type regex match-any class-map-JIMMYS-BANNED-SITES match regex gmail match regex googlereader match regex twitter match regex facebook ! class-map type inspect http match-all class-FIND-BANNED-URLS match request uri regex class class-map-JIMMYS-BANNED-SITES ! policy-map type inspect http policy-INSPECT-HTTP parameters class class-FIND-BANNED-URLS reset log ! policy-map policy-inside class class-NOSURF inspect http policy-INSPECT-HTTP ! service-policy policy-inside interface inside

However, it didn´t work. I was still able to get to facebook. I verified that there were hitcounts in the access-list and there was. I verified that the time-range was active, and it was. Still, no reset of traffic.

What have I done wrong? Feel free to try to spot the error and write a comment below…

Solution here!

Asymmetric routing in ASA – TCP state bypass

Jimmy Larsson — Mon, 01 Feb 2010 21:01:33 +0000

Today I continued my work to fully understand MPF (Modular Policy Framework) and found a new cool feature in ASA 8.2: TCP State Bypass. By bypassing TCP state machine for certain traffic you can get around problems with asymettricrouting. In my home lab I built this scenario:

On my inside network I have this client host who wants to access the FTP-server on outside. However, there are multiple links between the networks and the routing seems to be assymmetric. My inside hosts outbound traffic leaves thru the router but the return traffic goes thru the firewall. What happens is that the ASA sees the SYN ACK return packet but havent seen the preceeding SYN-packet. The result is that it blocks the packet:
%ASA-2-106001: Inbound TCP connection denied from 192.168.1.50/21 to 10.0.11.100/59677 flags SYN ACK on interface outside %ASA-2-106001: Inbound TCP connection denied from 192.168.1.50/21 to 10.0.11.100/59677 flags SYN ACK on interface outside %ASA-2-106001: Inbound TCP connection denied from 192.168.1.50/21 to 10.0.11.100/59677 flags SYN ACK on interface outside
She solution to this is to configure a policy-map that makes an exception to this state-machine-thing and allows that return-traffic anyway. Lets rock!

First, make sure that the inbound traffic gets thru. Doing state-bypass doesnt mean that acls will be bypassed. Since this is return traffic we need to permit permit with the source-port being 21.

access-list acl_outside extended permit tcp host 192.168.1.50 eq ftp any access-group acl_outside in interface outside !

Next, define which traffic to do state-bypassing with. It happens to be the same layout as the acl above.

access-list ACL-STATE-BYPASS extended permit tcp host 192.168.1.50 eq ftp any

Now, create a class-map, give it a fancy name and match the access-list above…

class-map state-bypass match access-list ACL-STATE-BYPASS

Next, a policy-map which references the class-map above and sets the tcp-state-bypass advanced option.

policy-map POLICY-OUTSIDE class state-bypass set connection advanced-options tcp-state-bypass
Finally. Apply it. Since its all about inbound traffic it needs to be applied to outside interface. Remember, if you already hava an service-policy for that interface, addit to that existing policy…
service-policy POLICY-OUTSIDE interface outside

Now, when trying to access my outside FTP-server from my inside client it works. I get this in the ASA-log:

%ASA-6-302303: Built TCP state-bypass connection 47 from outside:192.168.1.50/21 (192.168.1.50/21) to inside:10.0.11.100/37781 (10.0.11.100 /37781)
As you can see I get hitcounts in both access-lists:
fw1# sh access-list acl_outside access-list acl_outside; 1 elements; name hash: 0xdcd74233 access-list acl_outside line 1 extended permit tcp host 192.168.1.50 eq ftp any (hitcnt=1) 0x6863abc6 fw1# sh access-list ACL-STATE-BYPASS access-list ACL-STATE-BYPASS; 1 elements; name hash: 0xbe9fc05e access-list ACL-STATE-BYPASS line 1 extended permit tcp host 192.168.1.50 eq ftp any (hitcnt=1) 0xad18b614 fw1#
Voila! Or “Vålla” as we say in Sweden!

ASA built-in help

Jimmy Larsson — Tue, 12 Jan 2010 09:44:05 +0000

Did you know that the kind coders at Cisco has put a lot of help for us into the CLI of ASA firewall? Here are two examples:

vpnsetup todo-list

With the vpnsetup-command you can see a list of configuration tasks needed for setting up different types of VPN:

fw2(config)# vpnsetup ?

configure mode commands/options: ipsec-remote-access Display IPSec Remote Access Configuration Commands l2tp-remote-access Display L2TP/IPSec Configuration Commands site-to-site Display IPSec Site-to-Site Configuration Commands ssl-remote-access Display SSL Remote Access Configuration Commands

Let´s say that we need to make a new Lan2Lan-tunnel:

fw2(config)# vpnsetup site-to-site steps


Steps to configure a site-to-site IKE/IPSec connection with examples:
1. Configure Interfaces
        interface GigabitEthernet0/0

         ip address 10.10.4.200 255.255.255.0

         nameif outside

         no shutdown
        interface GigabitEthernet0/1

         ip address 192.168.0.20 255.255.255.0

         nameif inside

         no shutdown
2. Configure ISAKMP policy
        crypto isakmp policy 10

         authentication pre-share

         encryption aes

         hash sha
3. Configure transform-set
        crypto ipsec transform-set myset esp-aes esp-sha-hmac
4. Configure ACL
        access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
5. Configure Tunnel group
        tunnel-group 10.20.20.1 type ipsec-l2l

        tunnel-group 10.20.20.1 ipsec-attributes

         pre-shared-key P@rtn3rNetw0rk
6. Configure crypto map and attach to interface
        crypto map mymap 10 match address L2LAccessList

        crypto map mymap 10 set peer 10.10.4.108

        crypto map mymap 10 set transform-set myset

        crypto map mymap 10 set reverse-route

        crypto map mymap interface outside
7. Enable isakmp on interface
        crypto isakmp enable outside

fw2(config)#

Command syntax help

Of course you can use question-mark and tab-completion. But did You know that there is also a built-in man-page for every command? Try “help ”

fw2(config)# help global


USAGE:
        [no] global ()  {[-] [netmask ]} | interface

        show running-config [all] global [()] []

        clear configure global
DESCRIPTION:
global          Specify, delete or view global address pools,

                or designate a PAT(Port Address Translated) address
SYNTAX:
<(ext_if_name)> The external network interface name
        The id of the nat group(from the nat command) that

                will draw from these global addresses
     The IP address, network or range of addresses that will

                dynamically be translated on an as needed basis to hosts

                in the nat group .

                If this  is connected to the Internet, the

                 should be registered with the Network Information

                Center(NIC).

                These addresses should also be reverse resolvable(in-addr.arpa)

                on the outside DNS servers.

                An address specified singly will be used as a PAT address.

                When all of the non-PAT addresses of a global pool are in use

                and there is a PAT address, subsequent hosts from the nat

                group  will share the single PAT address for up to

                the number of licensed connections.

                [netmask ] The netmask of the global_ip.
interface       IP address of  overloaded for PAT.
see also:       nat, alias, static

fw2(config)#

CCIE Security – Cisco ASA Modular Policy Framework Example

Jimmy Larsson — Thu, 07 Jan 2010 14:47:03 +0000

This is first in a serie of posts in english dealing with technical configurations and solutions. The reason for this is me studying for CCIE Security certification and along the road I will probably find interresting stuff to share with others in the same situation as I am. (I´ve already found that more good configuration examples can be found at blogs than in technical references as CCO. Another purpose for me posting about stuff like this is that I learn alot when trying to explain and write about it. )

I have been bangning my head a couple of ours now trying to understand the modularity of Cisco ASA MPF. There are Class-maps, policy-maps and service-policies. There are a lot of different types of each of them and different combinations are invalid. Deeper information can be found att CCO.

MPF is built with 3 different types of modules:

class-maps. Defining what to look for
policy-maps. What shall we do with it?
service-policy. where do we do it?

I made up an hypothetical example. Lets say that I want to prevent my users from downloading mp3-files with ftp. This is a good example of when MPF comes handy (yes I know that some users know how to rename files, do encrypted file-transfers or use other protocols than ftp.)

Ok. On my LAN I have this PC with IP 192.168.1.215 which should not be able to GET files whose name contains “.mp3″. Where do I start?

First I create a regexp defining the string to search for:

regex mp3 ".*\.mp3.*"

Next I create a class-map type regex that uses the regex defined:

class-map type regex match-any class-map-TEST-mp3-regex match regex mp3

Next thing to do is to create a class-map type inspect which is going to look into the ftp application-data sent and have a look for filenames with the regexp-string matched:

class-map type inspect ftp match-all class-map-TEST-ftpfilter match filename regex class class-map-TEST-mp3-regex

After that I create a policy-map that defines the action (reset tcp connection and log the event) to be taken when the class-map above is triggered:

policy-map type inspect ftp policy-map-TEST-dropftp parameters class class-map-TEST-ftpfilter reset log

Now I need to define which traffic to look into. Remember the host

-IP above? I create an acl:

access-list acl_TEST_mytraffic extended permit tcp host 192.168.1.215 any eq ftp

Before putting everything together you need to decide where to apply this. It can be done either globally or inbound to a specific interface. The most logical thing to do in this case is to apply it on my inside-interface where my ftp-clients are. If you have already a policy-map bound to that interface you need to reuse that policy-map in the next step. Otherwise, just create a new policy-map.

asa# sh run service-policy service-policy policy-inside interface inside asa#

So I reuse this policy and add a new class:
policy-map policy-inside class class-map-TEST-mytraffic inspect ftp strict policy-map-TEST-dropftp
Let´s see if it works…
ftp> (connected to FTP-server from my host)

ftp> ls

200 PORT command successful

150 Connecting to port 40538


file.mp3
file.mpt
pub
226 3 matches total
ftp: 25 bytes received in 0,03Seconds 0,96Kbytes/sec.
ftp> get file.mpt
200 PORT command successful
150-Connecting to port 17047
150 3948.3 kbytes to download
226-File successfully transferred
226 4.742 seconds (measured here), 0.81 Mbytes per second
ftp: 4056688 bytes received in 4,79Seconds 847,08Kbytes/sec.
ftp> get file.mp3
200 PORT command successful

Connection closed by remote host.

Finally, a bleeding rocket-science flow-chart with home-made arrows and sugar on top…