Hello folks! Here we go with the 7th part of the Cisco ASA Firewall Commands Cheat Sheet. This part briefly explains how to control your network traffic and prioritize some traffic over other traffic using QoS. It also gives you a simple way to integrate security services modules with the ASA to form an Intrusion Prevention System. Let's begin...
Configuring MTU Size for More Control of Fragmented Traffic
Suppose we want to configure the MTU size on the outside interface to control the packets coming into our network (reducing the share of fragmented packets so the ASA can inspect more of the traffic). We need to increase the MTU to its maximum size:

    mtu outside 65535

The lowest MTU value is 64 bytes. To verify the MTU size on an interface, we use the command:

    show fragment outside
Configuring QOS and Prioritizing Packets
Every packet that arrives at or leaves the ASA is first stored in the best-effort queue (BEQ). This queue buffers packets and then transmits them in turn. If we have latency-critical packets such as audio or video streaming, we need to create a low-latency queue (LLQ): a buffer whose packets are transmitted ahead of the packets waiting in the BEQ. We need to enable the LLQ on an interface and specify a policy map and a class map to match the traffic:

    priority-queue outside
    class-map QOS
     match rtp 5060 65
    exit
    policy-map RTP
     class QOS
      priority
     exit
    exit
    service-policy RTP interface outside
Configuring Traffic Policing and Traffic Shaping
Controlling bandwidth limits is essential when it comes to QoS and prioritizing some packets over others. Packets are controlled either by dropping the packet that exceeds the bandwidth threshold (policing) or by re-shaping the traffic so it conforms to the bandwidth limit (shaping).

Traffic Policing
Suppose we want to configure a policy map that matches all traffic and drops every packet that exceeds 2 Mbps. To achieve this we need a policy map with a class map that matches all traffic, so we use the following commands (the police rate is given in bits per second, so 2 Mbps is 2000000):

    class-map Policing
     match any
    exit
    policy-map mine
     class Policing
      police output 2000000 conform-action transmit exceed-action drop
     exit
    exit
    service-policy mine interface outside

Traffic Shaping
Traffic shaping places the packets in a buffer and then releases them at a rate beneath the bandwidth threshold. On the ASA this type of bandwidth control is applicable only to all traffic as a whole (the class-default class), not to individual classes:

    policy-map outside-policy
     class class-default
      shape average 200000000
     exit
    exit
    service-policy outside-policy interface outside
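The following Python example is added here for both the low-latency queue section and the policing/shaping section above; it is my own code, not Cisco's and not part of the original cheat sheet. It builds the three policies from a rate given in Mbps (so the bits-per-second conversion cannot be mistyped), and audits an existing config excerpt for police/shape rates. The rate ranges it enforces are assumptions from my reading of the ASA command reference and should be confirmed on the software version you run; the sample config it audits is constructed for the demo.

```python
"""Build and audit ASA QoS policies: the low-latency (priority) queue,
traffic policing and traffic shaping from the sections above."""
import re

# Assumed ASA rate limits in bits per second, from my reading of the ASA
# command reference; confirm them on the software version you run.
POLICE_BPS = (8_000, 2_000_000_000)   # police conform-rate
SHAPE_BPS = (64_000, 154_400_000)     # shape average rate


def mbps_to_bps(mbps: float) -> int:
    """police and shape take bits per second: 2 Mbps is 2000000."""
    return int(round(mbps * 1_000_000))


def _in_range(bps: int, bounds: tuple[int, int]) -> bool:
    return bounds[0] <= bps <= bounds[1]


def _checked(bps: int, bounds: tuple[int, int], what: str) -> int:
    if not _in_range(bps, bounds):
        raise ValueError(f"{what} rate {bps} bps is outside {bounds[0]}-{bounds[1]}")
    return bps


def llq_policy(name: str, class_name: str, start_port: int,
               port_range: int, interface: str) -> str:
    """Priority-queue an RTP port block; 'match rtp' takes a start port and a range."""
    return "\n".join([
        f"priority-queue {interface}",
        f"class-map {class_name}",
        f" match rtp {start_port} {port_range}",
        "exit",
        f"policy-map {name}",
        f" class {class_name}",
        "  priority",
        " exit",
        "exit",
        f"service-policy {name} interface {interface}",
    ])


def police_policy(name: str, class_name: str, mbps: float, interface: str) -> str:
    """Police all traffic in class_name: transmit within the rate, drop above it."""
    bps = _checked(mbps_to_bps(mbps), POLICE_BPS, "police")
    return "\n".join([
        f"class-map {class_name}",
        " match any",
        "exit",
        f"policy-map {name}",
        f" class {class_name}",
        f"  police output {bps} conform-action transmit exceed-action drop",
        " exit",
        "exit",
        f"service-policy {name} interface {interface}",
    ])


def shape_policy(name: str, mbps: float, interface: str) -> str:
    """Shaping is accepted only on class-default, so no class-map is built."""
    bps = _checked(mbps_to_bps(mbps), SHAPE_BPS, "shape")
    return "\n".join([
        f"policy-map {name}",
        " class class-default",
        f"  shape average {bps}",
        " exit",
        "exit",
        f"service-policy {name} interface {interface}",
    ])


RATE_LINE = re.compile(r"^\s*(police (?:input|output)|shape average)\s+(\d+)")


def audit_rates(config: str) -> list[tuple[str, int, float, bool]]:
    """Report every police/shape line as (command, bps, Mbps, within assumed range)."""
    report = []
    for line in config.splitlines():
        m = RATE_LINE.match(line)
        if m:
            cmd, bps = m.group(1), int(m.group(2))
            bounds = SHAPE_BPS if cmd.startswith("shape") else POLICE_BPS
            report.append((cmd, bps, bps / 1_000_000, _in_range(bps, bounds)))
    return report


if __name__ == "__main__":
    print(police_policy("mine", "Policing", 2, "outside"))
    # Constructed config excerpt to audit, not taken from a real device.
    sample = ("  police output 2000000 conform-action transmit exceed-action drop\n"
              "  shape average 1000000000\n")
    for row in audit_rates(sample):
        print(row)
```

Running the script prints the 2 Mbps policing policy and then the audit rows; the second row flags a 1 Gbps shape rate as outside the assumed shaping range, which is the kind of typo the audit is meant to catch before the policy is applied to an interface.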
Using Transparent Firewall Mode
Deploying transparent mode has some challenges and restrictions. This mode should not be applied until you have specified your network requirements and recognized the limitations it imposes; the following are not supported in transparent mode:
· IPsec protocol and VPN tunnels
· Dynamic routing protocols
· Broadcast and multicast packets
· DHCP relay
· QoS and bandwidth control
Before implementing transparent mode, be sure to back up the current configuration in case you want to revert to routed mode. Use the following command to switch to transparent mode:

    firewall transparent

Configure the interfaces, one as outside and the other as inside, with the same IP address for both (in this mode the address is configured once, globally, rather than per interface):

    interface ethernet0/0
     nameif outside
     security-level 0
     no shutdown
    exit
    interface ethernet0/1
     nameif inside
     security-level 100
     no shutdown
    exit
    ip address 192.168.1.100 255.255.255.0

Because this mode does not support dynamic routing, a static route or a default route must be configured:

    route {inside | outside} network_ip subnet_mask next_hop_ip

Permitting OSPF or EIGRP packets through transparent mode
    access-list permit-ospf extended permit ospf [source] [dest]
    access-group permit-ospf {in | out} interface {outside | inside}

For EIGRP, use eigrp in place of ospf as the protocol in the access-list entry.

Protection from ARP Spoofing and ARP Flooding Attacks
Protection from ARP spoofing consists of creating static ARP entries on the firewall, stating each IP address and its associated MAC address, so the firewall can compare each incoming ARP packet against the static ARP table and drop it or let it pass according to whether it matches:

    arp interface ip_address mac_address
    arp-inspection interface enable
    show arp-inspection

Prevent a MAC address denial of service by disabling the MAC address learning feature in transparent mode. Here the administrator must create the MAC address table (as above) and maintain it regularly:

    mac-learn interface disable
    mac-address-table static interface mac_address
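The following Python example is added for both the transparent-mode section and the ARP protection section above; it is my own code, not Cisco's and not part of the original cheat sheet. It scans a constructed running-config excerpt for the features listed as unsupported before you issue firewall transparent, then models the decision arp-inspection makes for an ARP packet against the static ARP table. The sample config, the command patterns used to detect each feature, and the flood/no-flood semantics of arp-inspection are my assumptions from the ASA documentation and should be verified on your version.

```python
"""Two checks for an ASA that is being moved to transparent mode: a
pre-flight scan for features the sections above list as unsupported, and a
model of the arp-inspection forward/drop decision against the static ARP table."""
import re

# Constructed running-config excerpt for the demo; not from a real device.
SAMPLE_CONFIG = """\
firewall transparent
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
ip address 192.168.1.100 255.255.255.0
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
dhcprelay server 192.168.1.5 inside
arp inside 192.168.1.10 0011.2233.4455
arp inside 192.168.1.20 0011.2233.6677
arp-inspection inside enable no-flood
"""

# Unsupported features from the list above, each with the config line that
# would enable it (the command patterns are my assumptions, not exhaustive).
UNSUPPORTED = {
    "dynamic routing": re.compile(r"^router (ospf|eigrp|rip)\b"),
    "IPsec / VPN tunnels": re.compile(r"^(crypto map|crypto ipsec|tunnel-group)\b"),
    "DHCP relay": re.compile(r"^dhcprelay\b"),
    "multicast routing": re.compile(r"^multicast-routing\b"),
    "QoS / bandwidth control": re.compile(r"^\s*(priority-queue|police|shape|priority)\b"),
}


def transparent_mode_blockers(config: str) -> dict[str, list[str]]:
    """Return each unsupported feature found, with the lines that enable it."""
    found: dict[str, list[str]] = {}
    for line in config.splitlines():
        for feature, pattern in UNSUPPORTED.items():
            if pattern.match(line):
                found.setdefault(feature, []).append(line.strip())
    return found


def parse_static_arp(config: str) -> dict[str, tuple[str, str]]:
    """Map ip -> (interface, mac) from 'arp <interface> <ip> <mac>' lines."""
    table: dict[str, tuple[str, str]] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "arp":
            table[parts[2]] = (parts[1], parts[3].lower())
    return table


def arp_inspection_floods(config: str, interface: str) -> bool:
    """True unless 'arp-inspection <interface> enable no-flood' is configured."""
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["arp-inspection", interface, "enable"]:
            return "no-flood" not in parts
    return True


def arp_inspection_verdict(table, interface, ip, mac, flood=True) -> str:
    """Decision for one ARP packet: a static entry matching interface, IP and
    MAC is forwarded; a mismatch on interface or MAC is dropped; an IP with no
    entry is flooded out the other interfaces (default) or dropped under no-flood."""
    entry = table.get(ip)
    if entry is None:
        return "flood" if flood else "drop"
    return "forward" if entry == (interface, mac.lower()) else "drop"


if __name__ == "__main__":
    print("blockers:", transparent_mode_blockers(SAMPLE_CONFIG))
    arp_table = parse_static_arp(SAMPLE_CONFIG)
    flood = arp_inspection_floods(SAMPLE_CONFIG, "inside")
    # Constructed ARP packets: the legitimate host, a spoof of its IP, an unknown host.
    for ip, mac in [("192.168.1.10", "0011.2233.4455"),
                    ("192.168.1.10", "dead.beef.0001"),
                    ("192.168.1.99", "dead.beef.0002")]:
        print(ip, mac, arp_inspection_verdict(arp_table, "inside", ip, mac, flood))
```

With the sample config the pre-flight scan reports the OSPF process and the DHCP relay as blockers to remove before switching modes, and the ARP model forwards the legitimate host, drops the spoofed reply, and drops the unknown host because the inside interface is configured with no-flood.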
Integrating the Security Services Module: Intrusion Prevention System and Content Security Control
After inserting the card module in the specified slot, create a VLAN and upload the IPS software to the module with the following commands:

    interface vlan 10
     allow-ssc-mgmt
     ip address ip_address subnet_mask
     nameif inside
    interface ethernet0/10
     switchport access vlan 10
     no shutdown
    hw-module module 1 recover configure
    hw-module module 1 recover boot
    hw-module module 1 password-reset      (resets the module password to "cisco")
    hw-module module 1 reload
    hw-module module 1 reset
    hw-module module 1 shutdown            (used to shut down the module)

Coming to initialization, note that the IPS can work in inline mode (the packet is dropped when it violates policy or is determined to be malicious) or in promiscuous mode (the packet is allowed to pass to its intended destination while a copy is sent for analysis):

    session 1
    setup
    policy-map IPS
     class class-default
      ips inline fail-open
     exit
    exit
    service-policy IPS interface outside

Thanks and please post your comments below!