
By: Motasem
May 30, 2016
CISCO ASA Firewall Commands Cheat Sheet [Part 5-A]

Defining a Service Policy, Policy Map and Class Map
class-map cmap1
 match ...                              ! which traffic the class selects (Table 1)
policy-map pmap1
 class cmap1
  <action>                              ! what is done with matched traffic (Table 2)
service-policy pmap1 interface outside  ! binds the policy map to an interface
Note 1: To inspect or otherwise act on traffic passing through the ASA, you build a service policy out of three pieces: one or more class maps that select traffic, a policy map that attaches an action to each class, and the service-policy command that applies the policy map to an interface (or globally). There is no separately named "service policy" object; the policy map's name is what the service-policy command references. Only one policy map can be applied per interface, plus a single global policy.
Note 1.1: The policy map is responsible for taking an action when traffic is matched by a class map. The actions range from setting connection timeouts, connection limits (volume), TCP parameters, HTTP, FTP, DNS and ESMTP parameters and management-traffic handling, to sending the matched traffic to the inspection engines or the IPS module, giving it priority handling, or limiting its bandwidth.
Note 1.2: The class map selects the traffic: all traffic, a defined set of traffic, traffic to a specific destination or port, traffic matched by an access list, VPN traffic, or traffic carrying particular QoS values.

Table 1
Note 1.3: Table 1 lists the match commands that can be specified in a class map to select Layer 3/4 traffic. Most of these match commands are used in policies applied to the outside interface to inspect traffic entering the network.

Table 2 - Policy Map Action Commands
Note 1.4: Table 2 lists the actions that can be taken when the criteria specified in the class map are matched.
Note 1.5: The last command in the table binds the policy map to an interface as the service policy, here the outside interface.

Table 3 - Traffic Direction by Policy Map Actions
Note 1.6: Table 3 lists the directions in which the policy map actions are applied. For example, connection limits and timeouts, TCP parameter adjustment and hand-off to the inspection engines or the IPS module are applied bidirectionally on an interface, to traffic headed for the Internet as well as to inbound traffic.
Note 1.7: Priority queuing and traffic shaping can only be applied in the egress direction, that is, to outbound traffic; policing is configured per direction (police input or police output).
Essential and Important: The service policy (policy map plus class map) can act on Layer 3/4 traffic or on Layer 5-7 traffic. The former examines TCP and UDP flows for connection parameters, connection volume and timeouts, protocol inspection, hand-off to the IPS module and QoS; the latter inspects application-layer traffic, typically destined for the DMZ servers, by means of inspection policy maps.
Configuring TCP Connection Parameters to Prevent TCP SYN Attacks
Use a policy map together with a class map to set connection timeouts for embryonic connections and to cap the number of simultaneous connections (connection volume).

Table 4 - TCP Connection Timeouts
Table 4 lists parameters for use in the “set connection timeouts” command when defining an action to be taken by the policy map.
set connection timeout [embryonic {hh:mm:ss | 0}] [half-closed {hh:mm:ss | 0}] [tcp {hh:mm:ss | 0} [dcd [retry_interval [max_retries]]]]

Table 5 - TCP Connection Volume
Table 5 lists the parameters used with the “set connection” command to control TCP connection volume:
set connection [conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n]
To blunt a TCP SYN flood, set a maximum number of simultaneous embryonic connections (half-open connections: a SYN has been seen but the three-way handshake has not completed; this is distinct from the half-closed state, where one side has already sent FIN). Once the limit is reached the ASA switches to TCP Intercept: it answers each new SYN with its own SYN-ACK on the server's behalf and only opens the connection to the server after the client returns the final ACK, so spoofed sources that never complete the handshake consume no state on the protected host. The per-client-embryonic-max keyword applies the same limit per source address, which catches a single host opening many half-open connections before the aggregate limit is hit.
Assuming that the internal clients are grouped in the object-group “Internal-clients” (see the previous sheet about object groups) and the DMZ servers in the object-group “DMZ-Servers”, let's apply an embryonic-connection limit to the traffic of these groups.
access-list INSIDE extended permit tcp object-group Internal-clients any
access-list INSIDE extended permit udp object-group Internal-clients any
access-list DMZ extended permit tcp any object-group DMZ-Servers eq http
access-list DMZ extended permit tcp object-group DMZ-Servers any eq http
class-map cmap1
 match access-list INSIDE
class-map cmap2
 match access-list DMZ
policy-map SYN-Attack-protect
 class cmap1
  set connection embryonic-conn-max 65000
 class cmap2
  set connection embryonic-conn-max 65000
service-policy SYN-Attack-protect interface outside
Object groups are referenced in an access list with the object-group keyword, and a port qualifier such as eq any is not valid; omit the port to match all ports. Inside a policy map the class is referenced with class, not class-map, and the service-policy command comes last and names the policy map. Because connection limits are applied in both directions (Table 3), the policy on the outside interface covers both the internal clients' outbound connections and the inbound connections to the DMZ servers. The policy map could also be applied with service-policy SYN-Attack-protect global, but only one global policy is allowed, so on an ASA that still carries the default global_policy the two classes would be added to that policy map instead.
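The following Python model is added here as an illustration of what the embryonic limit and the TCP Intercept fallback described above do to a SYN flood; it is not Cisco code, and the addresses, ports, limits and the EmbryonicGuard class are constructed for the example. It tracks half-open connections per class and per source the way embryonic-conn-max and per-client-embryonic-max do, and switches to intercept mode once a limit is hit, so that spoofed SYNs never create state on the server while a real client that completes the handshake still gets through.

```python
"""Model of an ASA class with 'set connection embryonic-conn-max N
per-client-embryonic-max M' and the TCP Intercept fallback.  Added illustration
only (not Cisco code); addresses, ports and limits below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class EmbryonicGuard:
    embryonic_conn_max: int          # aggregate half-open limit for the class
    per_client_embryonic_max: int    # half-open limit per source address
    half_open: set = field(default_factory=set)        # SYNs forwarded to the server, handshake pending
    intercepted: set = field(default_factory=set)      # SYNs answered by the ASA itself (TCP Intercept)
    established: set = field(default_factory=set)
    per_client: dict = field(default_factory=lambda: defaultdict(int))

    def over_limit(self, src):
        return (len(self.half_open) >= self.embryonic_conn_max
                or self.per_client[src] >= self.per_client_embryonic_max)

    def syn(self, src, sport, dst, dport):
        flow = (src, sport, dst, dport)
        if flow in self.half_open or flow in self.intercepted:
            return "retransmit"
        if self.over_limit(src):
            # Limit hit: the SYN is not forwarded. The ASA replies with a SYN-ACK of
            # its own and keeps the server out of it until the client proves it can
            # finish the handshake. No half-open state is created on the server.
            self.intercepted.add(flow)
            return "intercept"
        self.half_open.add(flow)
        self.per_client[src] += 1
        return "forward"

    def ack(self, src, sport, dst, dport):
        flow = (src, sport, dst, dport)
        if flow in self.half_open:
            self.half_open.discard(flow)
            self.per_client[src] -= 1
            self.established.add(flow)
            return "established"
        if flow in self.intercepted:
            # Client completed the handshake with the ASA; the ASA now performs the
            # handshake towards the server and splices the two halves together.
            self.intercepted.discard(flow)
            self.established.add(flow)
            return "established-via-intercept"
        return "drop"  # ACK for a connection the ASA never saw a SYN for

    def embryonic_timeout(self):
        """Expiry of 'set connection timeout embryonic': purge all half-open state."""
        purged = len(self.half_open) + len(self.intercepted)
        for src, *_ in self.half_open:
            self.per_client[src] -= 1
        self.half_open.clear()
        self.intercepted.clear()
        return purged


def simulate_syn_flood():
    """Six spoofed SYNs (never acknowledged) hit a DMZ web server, then a real client
    connects. Returns what happened to each packet."""
    server = ("192.0.2.10", 80)                       # constructed DMZ server
    guard = EmbryonicGuard(embryonic_conn_max=3, per_client_embryonic_max=2)
    results = {}
    for i in range(6):
        results[f"flood{i}"] = guard.syn(f"203.0.113.{i}", 40000 + i, *server)
    results["client_syn"] = guard.syn("198.51.100.7", 51234, *server)
    results["client_ack"] = guard.ack("198.51.100.7", 51234, *server)
    results["half_open_on_server"] = len(guard.half_open)   # never grows past the limit
    results["established"] = len(guard.established)
    results["purged_on_timeout"] = guard.embryonic_timeout()
    # Per-client limit on its own: one source opening a third half-open connection
    # is intercepted long before the aggregate limit is reached.
    single = EmbryonicGuard(embryonic_conn_max=100, per_client_embryonic_max=2)
    results["per_client"] = [single.syn("203.0.113.9", 50000 + p, *server) for p in range(3)]
    return results


if __name__ == "__main__":
    for k, v in simulate_syn_flood().items():
        print(f"{k:>20}: {v}")
```

The limits are deliberately tiny (3 aggregate, 2 per client) so the switch to intercept mode is visible after a handful of packets; on the cheat sheet's configuration the same thing happens at 65000. The model ignores retransmission timers and the embryonic timeout value itself, which on the ASA is what eventually clears the half-open entries that the flood did manage to place on the server.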
Configuring and Enabling the Protection from TCP Sequence Number Brute Force
set connection random-sequence-number {enable | disable}
Randomization of the initial sequence number is enabled by default; leave it on. Disable it only for flows where the sequence number must survive the ASA untouched, the usual case being eBGP sessions protected by MD5 authentication, whose hash covers the TCP header and would be broken by the rewrite.
Configuring TCP Connection Options using TCP Normalizer
The TCP Normalizer manipulates TCP connection content such as checksums, flags and options, altering or dropping packets so that the stream conforms to protocol and connection requirements (Table 6 lists the actions, Table 7 the options).
In addition, it can be used to protect DMZ hosts from packets crafted to evade stateful inspection, for example reconnaissance or information-gathering packets that rely on inconsistent sequence numbers, flags or TTLs.

Table 6 - TCP Normalizer Actions

Table 7 - TCP Options Table
tcp-map TCP-Protect
 invalid-ack drop
 synack-data drop
 ttl-evasion-protection
 seq-past-window drop
 exit
class-map cmap1
 match access-list INSIDE
 exit
class-map cmap2
 match access-list DMZ
 exit
policy-map pmap3
 class cmap1
  set connection advanced-options TCP-Protect
  exit
 class cmap2
  set connection advanced-options TCP-Protect
  exit
 exit
service-policy pmap3 interface outside
Note 4: The commands above match traffic of the internal clients and DMZ servers (the INSIDE and DMZ access lists from the previous section; match commands belong in the class map, not under the class in the policy map) and apply the TCP-Protect map to it: SYN-ACKs carrying data, ACKs for data that was never sent and segments whose sequence number lies past the receiver's window are dropped, and TTL evasion protection pins every packet of a connection to the lowest TTL seen on it. Together with the embryonic-connection limit from the previous section this protects the internal hosts against SYN floods and stateful-inspection evasion. Since only one policy map can be applied to an interface, on a live ASA the set connection advanced-options lines belong in the same policy map (and the same class entries) as the embryonic limits rather than in a second policy map applied to outside. Other tcp-map options such as exceed-mss can be added to the map in the same way.
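To make concrete what each of the four TCP-Protect options actually tests, here is a Python model of those checks run over a constructed client/server flow. It is an added illustration, not Cisco code: the Segment, FlowState and TcpMap classes, the sequence numbers, windows and TTLs are all assumptions for the example, and only the four options in the map above are modelled, not the checksum, MSS or window-variation checks in Tables 6 and 7.

```python
"""Model of the four tcp-map checks used in the TCP-Protect map above.  Added
illustration only (not Cisco code); the flow, sequence numbers and TTLs are
constructed."""
from dataclasses import dataclass
from typing import Optional

SYN, PSH, ACK = 0x02, 0x08, 0x10


@dataclass
class Segment:
    src: str          # "client" or "server"
    seq: int
    ack: int
    flags: int
    ttl: int
    payload: int = 0  # payload length in bytes


@dataclass
class FlowState:
    """What the normalizer tracks per connection: each side's next send sequence
    number, each side's advertised window and the lowest TTL seen so far."""
    snd_nxt: dict
    rcv_wnd: dict
    min_ttl: Optional[int] = None


@dataclass
class TcpMap:
    """Subset of tcp-map options; True means the 'drop' action, as in TCP-Protect."""
    invalid_ack: bool = True
    synack_data: bool = True
    seq_past_window: bool = True
    ttl_evasion_protection: bool = True


def normalize(tmap, st, seg, peer):
    """Apply the tcp-map to one segment from seg.src towards peer.
    Returns ('forward'|'drop', reason); may rewrite seg.ttl and update st."""
    if tmap.synack_data and seg.flags & SYN and seg.flags & ACK and seg.payload:
        return "drop", "synack-data"
    if tmap.invalid_ack and seg.flags & ACK and seg.ack > st.snd_nxt[peer]:
        return "drop", "invalid-ack"          # acknowledges bytes the peer never sent
    window_end = st.snd_nxt[seg.src] + st.rcv_wnd[peer]   # peer's rcv_nxt + its window
    if tmap.seq_past_window and seg.seq + seg.payload > window_end:
        return "drop", "seq-past-window"
    reason = "ok"
    if tmap.ttl_evasion_protection:
        # The lowest TTL seen on the connection becomes the TTL for every later
        # packet, so a segment cannot be made to expire between the ASA and the host.
        if st.min_ttl is None or seg.ttl < st.min_ttl:
            st.min_ttl = seg.ttl
        elif seg.ttl != st.min_ttl:
            seg.ttl = st.min_ttl
            reason = "ttl-rewritten"
    st.snd_nxt[seg.src] = max(st.snd_nxt[seg.src], seg.seq + seg.payload)
    return "forward", reason


def run_checks():
    """Feed a constructed client<->server flow (handshake already done) through
    TCP-Protect and report the verdict for each segment."""
    tmap = TcpMap()
    st = FlowState(snd_nxt={"client": 1001, "server": 5001},
                   rcv_wnd={"client": 65535, "server": 65535})
    out = {}
    # SYN-ACK that carries data, as some evasion and fingerprinting tools send
    out["synack_data"] = normalize(tmap, st, Segment("server", 5000, 1001, SYN | ACK, 64, 10), "client")
    # ACK for data the server has not sent yet
    out["invalid_ack"] = normalize(tmap, st, Segment("client", 1001, 9000, ACK, 64), "server")
    # Ordinary in-window data; also records the connection's baseline TTL (64)
    out["in_window"] = normalize(tmap, st, Segment("client", 1001, 5001, ACK | PSH, 64, 100), "server")
    # Data that starts beyond the server's advertised window
    out["past_window"] = normalize(tmap, st, Segment("client", 71101, 5001, ACK | PSH, 64, 1), "server")
    # TTL evasion attempt: a short-TTL segment meant to die before the host ...
    out["low_ttl"] = normalize(tmap, st, Segment("client", 1101, 5001, ACK | PSH, 3, 5), "server")
    # ... followed by the "real" segment, which is now pinned to the same low TTL
    real = Segment("client", 1106, 5001, ACK | PSH, 64, 5)
    out["rewritten"] = normalize(tmap, st, real, "server")
    out["real_ttl"] = real.ttl
    out["client_snd_nxt"] = st.snd_nxt["client"]
    return out


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name:>15}: {verdict}")
```

The last two segments are the point of ttl-evasion-protection: an attacker who sends a low-TTL segment that reaches the firewall but expires before the host, then retransmits different data with a normal TTL, wants the inspection engine and the host to see different streams. Pinning the connection to the lowest TTL seen means the follow-up segment expires in the same place, so the host never sees a stream the ASA did not.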
Thanks and I hope you enjoyed Part 5-A!