CISCO ASA Firewall Commands Cheat Sheet [Part 7]

June 24, 2016 | Views: 4421


Hello folks! Here we go with the 7th part of the Cisco ASA Firewall Commands Cheat Sheet. This part covers controlling fragmented traffic, prioritizing and rate-limiting traffic with QoS (priority queueing, policing and shaping), the restrictions and Layer 2 protections of transparent firewall mode, and a simple way to integrate a security services module with the ASA to act as an Intrusion Prevention System.

Let’s begin…

Configuring MTU Size and Controlling Fragmented Traffic

The MTU of an interface is the largest IP packet the ASA will send out of that interface without fragmenting it; the default is 1500 bytes and the minimum is 64 bytes. The maximum depends on the platform and software version (9198 bytes on the ASA 5500-X series), and a value above 1500 only makes sense when every device on that segment handles jumbo frames; on platforms that support them, jumbo-frame reservation must be enabled (followed by a reload) before a larger MTU is accepted. Raising the outside MTU does not stop other routers on the path from fragmenting packets before they reach the ASA. To set a 9000-byte MTU on a jumbo-frame segment:

mtu outside 9000

To verify the MTU of an interface, use show interface outside or show running-config mtu.

What the ASA does with fragments it receives is controlled by the fragment commands, not by the MTU. The ASA virtually reassembles every fragmented packet before inspecting it, and fragment chain sets how many fragments one packet may consist of (the default is 24). Limiting the chain to 1 on the outside interface therefore makes the ASA drop every fragmented packet arriving there, which is the usual way to deny fragmentation-based evasion at the perimeter, provided nothing legitimate on that link depends on fragments (large UDP payloads, for instance IKE with certificates or some NFS traffic):

fragment chain 1 outside

show fragment outside

The show command displays the reassembly settings for the interface (database size, chain limit, timeout) and counters for packets reassembled and failed.

Configuring QoS and Prioritizing Packets

By default every packet the ASA forwards out of an interface is placed in that interface's best-effort queue (BEQ), a buffer that is transmitted in arrival order. Delay-sensitive traffic such as voice or video carried over RTP should go through the low-latency queue (LLQ) instead, which is always served ahead of the BEQ. Three pieces are needed: enable the priority queue on the egress interface, select the traffic with a class map, and give that class the priority action in a policy map applied to the interface. The match rtp criterion takes a starting UDP port and a range; match rtp 16384 16383 matches the even-numbered UDP destination ports 16384 to 32767 (the odd ports carry RTCP), which is the conventional RTP range:

priority-queue outside
class-map QOS
match rtp 16384 16383
exit
policy-map RTP
class QOS
priority
exit
exit
service-policy RTP interface outside

Inside a policy map the class is referenced with class, not class-map, and names are case sensitive. Priority queueing and policing cannot be applied to the same traffic, and standard priority queueing cannot be enabled on an interface that also has traffic shaping (there the priority class is nested under the shaping policy instead). Check the queue with show priority-queue statistics outside.

 

Configuring Traffic Policing and Traffic Shaping

Bandwidth control is the second half of QoS. When traffic exceeds a configured rate, the ASA can either police it, dropping the packets above the rate, or shape it, buffering the excess and releasing it so the output conforms to the rate. Both rates are configured in bits per second.

Traffic Policing

Suppose we want to limit all traffic leaving the outside interface to 2 Mbps and drop whatever exceeds it. We need a class map that matches all traffic and a policy map applying a police action to that class. 2 Mbps is 2000000 bps (200000000 would be 200 Mbps); input polices traffic arriving on the interface and output traffic leaving it, and an optional burst size in bytes may follow the rate:

class-map Policing
match any
exit
policy-map mine
class Policing
police output 2000000 conform-action transmit exceed-action drop
exit
exit
service-policy mine interface outside

Use show service-policy interface outside to see the conform and exceed counters; if packets are being dropped for flows that should fit within the rate, the burst allowance is too small.

Traffic Shaping

Traffic shaping places packets in a buffer and transmits them at no more than the configured rate, so bursts are delayed instead of dropped. On the ASA, shaping can only be applied to all traffic on an interface, through the class-default class; it is not supported on every platform, so check the configuration guide for your model. The following shapes all traffic leaving the outside interface to 2 Mbps:

policy-map outside-policy
class class-default
shape average 2000000
exit
exit
service-policy outside-policy interface outside

Shaping and standard priority queueing cannot coexist on one interface; to prioritize traffic within the shaped bandwidth, apply a second policy map containing the priority class as a service-policy inside class-default (hierarchical priority queueing). Because shaping queues rather than drops, a sustained overload shows up as latency rather than loss, which is why it suits bulk traffic, while policing suits cases where the excess should simply be discarded.
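The difference between the two treatments is easier to see on a concrete burst. The following Python model is an added example, not code from the original cheat sheet or from Cisco: it implements the single-rate token bucket that both behaviours are based on, with an assumed 2 Mbps contract (the 2000000 of the commands above), an assumed 3000-byte policer burst allowance and a constructed trace of ten 1500-byte packets one millisecond apart. Times are integer microseconds and token counts are exact fractions so the result is reproducible.

```python
"""Policing versus shaping, as the ASA applies them, on one constructed burst.

Added example, not code from the original cheat sheet or from Cisco. It
implements the textbook single-rate token bucket behind `police` (drop on
exceed) and `shape average` (queue and release at the rate) so both can be
run over the same packets. The trace, rate and burst size are assumptions.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Packet:
    arrival_us: int     # arrival time at the interface, in microseconds
    size_bytes: int


def police(packets, rate_bps, burst_bytes):
    """Policer: refill the bucket at rate_bps, transmit a packet only if enough
    tokens (bytes) are present, otherwise drop it (`exceed-action drop`).
    Packets must be in arrival order. Returns (transmitted, dropped)."""
    tokens = Fraction(burst_bytes)
    last_us = packets[0].arrival_us if packets else 0
    transmitted, dropped = [], []
    for p in packets:
        refill = Fraction((p.arrival_us - last_us) * rate_bps, 8_000_000)  # bytes
        tokens = min(Fraction(burst_bytes), tokens + refill)
        last_us = p.arrival_us
        if p.size_bytes <= tokens:
            tokens -= p.size_bytes
            transmitted.append(p)
        else:
            dropped.append(p)          # a dropped packet does not consume tokens
    return transmitted, dropped


def shape(packets, rate_bps):
    """Shaper: nothing is dropped; each packet is serialised at rate_bps and
    waits behind earlier ones (an unbounded buffer is assumed).
    Returns a list of (packet, departure_us)."""
    link_free_us = Fraction(0)
    departures = []
    for p in packets:
        start = max(Fraction(p.arrival_us), link_free_us)
        finish = start + Fraction(p.size_bytes * 8 * 1_000_000, rate_bps)
        departures.append((p, finish))
        link_free_us = finish
    return departures


# Constructed trace: ten 1500-byte packets 1 ms apart, i.e. 12 Mbit/s offered
# for 10 ms to a 2 Mbit/s contract.
BURST = [Packet(arrival_us=i * 1_000, size_bytes=1500) for i in range(10)]
RATE_BPS = 2_000_000
BURST_BYTES = 3_000   # assumed policer burst allowance (two full packets)


def compare(packets=BURST, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Run both treatments over the same trace and return the key figures."""
    sent, dropped = police(packets, rate_bps, burst_bytes)
    shaped = shape(packets, rate_bps)
    max_delay_us = max(dep - p.arrival_us for p, dep in shaped)
    return {
        "policed_transmitted": len(sent),
        "policed_dropped": len(dropped),
        "shaped_transmitted": len(shaped),
        "shaped_last_departure_us": int(shaped[-1][1]),
        "shaped_max_delay_us": int(max_delay_us),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With these assumptions the policer forwards three of the ten packets and drops seven, while the shaper forwards all ten but the last one leaves 51 ms after it arrived. Fed the same packets at the contracted rate (one 1500-byte packet every 6 ms), the policer drops nothing, which is the check to run against the conform and exceed counters before concluding that the configured rate is wrong.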

 

Using Transparent Firewall Mode

Transparent mode makes the ASA a Layer 2 bridge in the path (a "bump in the wire") instead of a router. Deploying it has challenges and restrictions; do not switch to it until you have specified your network requirements and checked them against what this mode does not support:

· VPN termination (IPsec or SSL) for through traffic; only management access to the ASA itself

· Dynamic routing protocols (the ASA cannot participate, though routing protocol traffic can be passed through with an access list)

· Multicast IP routing (multicast and broadcast packets can be permitted through with an access list, but the ASA does not route them)

· DHCP relay

· QoS (priority queueing, policing and shaping)

Before switching, save a copy of the running configuration: changing the firewall mode clears the running configuration, and you will need the copy if you want to revert to routed mode.

Use the following command to switch to transparent mode:

firewall transparent

In transparent mode the interfaces themselves carry no IP addresses. Name the two interfaces and give them security levels as usual, join both to a bridge group, and assign the bridge group (BVI) a single management IP address inside the bridged subnet (on releases before 8.4 the address is set with a global ip address command instead of a BVI). The outside and inside interfaces therefore share one address between them rather than having one each:

interface ethernet0/0
bridge-group 1
nameif outside
security-level 0
no shutdown
exit
interface ethernet0/1
bridge-group 1
nameif inside
security-level 100
no shutdown
exit
interface bvi 1
ip address 192.168.1.100 255.255.255.0

Through traffic is bridged at Layer 2, so the ASA needs no routes for it. A route is needed only for traffic the ASA itself originates or answers from another subnet (management sessions, syslog, AAA, NTP), and because dynamic routing is not supported it must be static, typically a default route to the gateway in the bridged subnet:

route [inside | outside] network-ip subnet-mask next-hop-ip

Permitting OSPF or EIGRP packets through transparent mode

The ASA cannot run OSPF or EIGRP in transparent mode, but routers on either side of it can still form adjacencies through it if an extended access list permits the protocol and is applied inbound on the interface where the neighbor's packets arrive (both interfaces when routers sit on both sides). The protocols use multicast destinations (224.0.0.5 and 224.0.0.6 for OSPF, 224.0.0.10 for EIGRP), so a list that only permits unicast router addresses will not work; any any is the simplest form, and a tighter list names the routers as sources and the multicast groups as destinations:

access-list permit-ospf extended permit ospf any any
access-group permit-ospf in interface outside

For EIGRP, replace ospf with eigrp.

Protection from ARP Spoofing and ARP Flooding Attacks

ARP inspection (transparent mode only) protects the bridged segment from ARP spoofing. Create static ARP entries in the ASA's ARP table, each naming the interface, the IP address and the MAC address that belong together, then enable inspection on the interface. The ASA compares every ARP packet with the table: if the MAC address, IP address and interface all match an entry, the packet is forwarded; if any of them contradicts an entry (the IP is claimed with a different MAC or from the wrong interface), the packet is dropped; if the IP has no entry at all, the packet is flooded to the other bridge-group interfaces (the default, flood) or dropped (no-flood). Use no-flood only when every legitimate host has a static entry, otherwise hosts missing from the table lose connectivity.

arp interface ip_address mac_address
arp-inspection interface enable [flood | no-flood]
show arp-inspection

MAC address flooding, where an attacker sends frames with thousands of random source MAC addresses to overflow the MAC address table and force traffic to be flooded to every port, is prevented by disabling dynamic MAC address learning on the interface in transparent mode. The administrator must then build the MAC address table by hand with static entries for every host and keep it up to date, since the ASA will no longer add hosts to the table on its own:

mac-learn interface disable
mac-address-table static interface mac_address
show mac-address-table
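To make the ARP inspection decision rules concrete, the following Python model is an added example, not code from the original cheat sheet or from Cisco. It parses the arp and arp-inspection lines of a constructed configuration fragment (all interface names, IP and MAC addresses are made up) into the static ARP table and the per-interface flood/no-flood setting, then applies the forward / drop / flood logic described above to sample ARP packets, including a spoofed MAC, a gateway IP claimed from the wrong interface, and unknown hosts on interfaces with and without no-flood.

```python
"""ASA transparent-mode ARP inspection, modelled from the commands above.

Added example, not code from the original cheat sheet or from Cisco. It
parses `arp` and `arp-inspection` lines from a constructed configuration and
applies the documented decision: match on interface, IP and MAC -> forward;
contradict a static entry -> drop; IP with no entry -> flood (default) or
drop (`no-flood`). Interfaces, addresses and MACs below are assumptions.
"""
from dataclasses import dataclass

# Constructed configuration fragment (not a real device's config).
CONFIG = """\
arp inside 192.168.1.10 0011.2233.4455
arp inside 192.168.1.20 0011.2233.4466
arp outside 192.168.1.1 00aa.bbcc.dd01
arp timeout 14400
arp-inspection inside enable no-flood
arp-inspection outside enable
"""


@dataclass(frozen=True)
class ArpPacket:
    interface: str    # bridge-group interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str   # Cisco dotted format, e.g. 0011.2233.4455


def parse_config(text):
    """Return (static_arp, inspection) from ASA `arp` / `arp-inspection` lines.

    static_arp maps sender IP -> (interface, mac); inspection maps each
    interface with inspection enabled -> "flood" or "no-flood".
    Unrelated lines (e.g. `arp timeout`) are ignored.
    """
    static_arp, inspection = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "arp" and parts[1] != "timeout":
            _, ifname, ip, mac = parts[:4]       # an optional trailing `alias` is ignored
            static_arp[ip] = (ifname, mac.lower())
        elif len(parts) >= 3 and parts[0] == "arp-inspection" and parts[2] == "enable":
            inspection[parts[1]] = "no-flood" if "no-flood" in parts[3:] else "flood"
    return static_arp, inspection


def inspect(pkt, static_arp, inspection):
    """Decide forward / drop / flood for one ARP packet, as ASA ARP inspection does."""
    mode = inspection.get(pkt.interface)
    if mode is None:
        return "forward"          # inspection not enabled on this interface
    entry = static_arp.get(pkt.sender_ip)
    if entry is None:
        return "flood" if mode == "flood" else "drop"
    ifname, mac = entry
    if ifname == pkt.interface and mac == pkt.sender_mac.lower():
        return "forward"
    return "drop"                 # IP claimed with the wrong MAC or from the wrong interface


def run_samples(config_text=CONFIG):
    """Evaluate constructed ARP packets against the parsed config; return {label: decision}."""
    static_arp, inspection = parse_config(config_text)
    samples = {
        "legit_host":          ArpPacket("inside", "192.168.1.10", "0011.2233.4455"),
        "spoofed_mac":         ArpPacket("inside", "192.168.1.10", "dead.beef.0001"),
        "gateway_from_inside": ArpPacket("inside", "192.168.1.1", "00aa.bbcc.dd01"),
        "unknown_inside":      ArpPacket("inside", "192.168.1.99", "0011.2233.9999"),
        "unknown_outside":     ArpPacket("outside", "192.168.1.99", "0011.2233.9999"),
        "uninspected_dmz":     ArpPacket("dmz", "10.0.0.5", "0011.2233.7777"),
    }
    return {label: inspect(pkt, static_arp, inspection) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:22} -> {verdict}")
```

The unknown_inside and unknown_outside cases show the practical consequence of no-flood: the same unlisted host is cut off on the inside, where no-flood is set, and passed on the outside, where the default flood applies. The model only considers static entries and ignores MAC alias entries and the ARP packet type, which is sufficient for the decision the page describes.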

 

Integrating a Security Services Module: Intrusion Prevention System and Content Security and Control

After inserting the module in its slot (the AIP-SSM in an ASA 5510 to 5540, or the SSC in an ASA 5505), give it a management path and, if it has no image yet, load the IPS software onto it. On the ASA 5505 the SSC's management port is reached through a VLAN interface flagged with allow-ssc-mgmt, with one of the switch ports placed in that VLAN; the larger models reach the SSM through its own external management port and skip this step. hw-module module 1 recover configure prompts for the TFTP server and image name, and recover boot reboots the module and installs that image:

interface vlan 10
allow-ssc-mgmt
ip address ip_address subnet_mask
nameif inside
interface ethernet0/<port>
switchport access vlan 10
no shutdown
hw-module module 1 recover configure
hw-module module 1 recover boot

Other module management commands:

hw-module module 1 password-reset (resets the module's cisco account password to "cisco")
hw-module module 1 reload (reloads the module's software)
hw-module module 1 reset (hard reset of the module)
hw-module module 1 shutdown (shuts the module down gracefully before removal)

Before initializing the module, decide how it should see traffic. In inline mode the ASA passes each packet through the module and forwards it only if the module clears it, so packets judged malicious are dropped. In promiscuous mode the ASA forwards the packet to its destination and sends a copy to the module, so the module can only alert on what it sees. The second keyword decides what happens when the module is down or has failed: fail-open lets traffic continue uninspected, fail-close blocks it; pick according to whether availability or inspection matters more. Open a console session to the module and run its setup, then redirect traffic to it with a policy map:

session 1
setup
policy-map IPS
class class-default
ips inline fail-open
service-policy IPS interface outside

class-default sends everything on the interface to the module; a narrower class map limits inspection to the traffic the module can handle. For a CSC-SSM the action is csc fail-open or csc fail-close instead of ips, applied only to the protocols the CSC scans (HTTP, FTP, SMTP, POP3).

 

Thanks and please post your comments below!

3 Comments
  1. Thanks so much, it's very handy, especially as there are hundreds of commands.

  2. Thanks for sharing.
