Author: Ben
Preface
Recently many readers have asked us about firewall configuration and hoped for a detailed explanation of the two newest firewall functions, Virtual Firewall and Transparent Firewall (Layer 2 Firewall). To meet those expectations, this document introduces some very useful firewall functions in current industry practice to every engineer and information manager.
In addition, the previous issue of NetAdmin reported extensively on information security in relation to UTM, of which the firewall is also a very important part. We therefore start the discussion with the firewall and then introduce UTM based on the Cisco ASA 5500 series.
Because of page limitations, we divide the topic of firewall techniques into three parts. We aim to give readers a complete picture rather than a fragmentary introduction, so in this first part we briefly introduce the configuration of a single firewall.
Equipment:

Software and kernel:
Essential knowledge:
Initialize Cisco PIX/ASA Firewall
Before explaining PIX/ASA initialization, we first take a brief look at how firewalls have evolved in the industry. Formerly, the PIX Firewall was already a strong choice in both function and performance; nevertheless, it was configured through the CLI (Command Line Interface). In recent years, as awareness of information security has spread, enterprises and government agencies alike require network security devices that respond promptly and defend effectively, so an easily operated management interface has gradually become the industry trend.
Cisco Systems CEO John Chambers recognised this market trend years ago and led his team to actively improve the operating interface of Cisco devices; one of the most important objectives was a simple, easily understood GUI (Graphical User Interface). Although we are used to configuring devices from the CLI, in this document we mainly use the GUI to explain PIX/ASA configuration, so that readers can configure an advanced security device with ease.
First, when we receive a brand-new PIX/ASA Firewall, we initialize it through the console (serial) port, just as with a Cisco IOS router, using Windows HyperTerminal or Linux minicom. The procedure is shown below:

The figure above shows that on power-on the PIX/ASA asks whether we want to pre-configure it now. The purpose of initialization is to build the basic management configuration. The configuration content is shown in the following figure:

Several questions must be answered during initialization. Each is explained in the following table (note: values in square brackets are defaults).
| Question | Explanation |
|---|---|
| Firewall Mode [Routed]: | PIX/ASA has two major modes in terms of the OSI model: Routed (Layer 3) and Transparent (Layer 2). |
| Enable password: | Password for enable (privileged) mode. For convenience we do not set one here; on a production firewall it must be set. |
| Allow password recovery [yes]: | Whether the password can be reset with the password-recovery procedure if it is lost. Answering no means a lost password can only be recovered by erasing the configuration. |
| Clock (UTC): | Set the PIX system clock. |
| Inside IP address: | IP address of the PIX inside interface, usually Ethernet 0/1. |
| Inside network mask: | Subnet mask of the PIX inside interface. |
| Host name: | Host name of the firewall. |
| Domain name: | Domain name of the firewall. |
| IP address of host running Device Manager: | The only host IP allowed to reach ASDM (Adaptive Security Device Manager) over HTTPS. |

Next the PIX asks “Use this configuration and write to flash?” If we answer yes, the configuration above is written to flash memory; if no, the procedure repeats.
Next, readers can connect with a browser over SSL (HTTPS) to the ASDM access address (192.168.1.2). The management screen is shown below:

There are two ways to reach the management interface: install the ASDM client program, or run the ASDM Java applet. Here we choose the latter, so we click “Run ASDM Applet”. Because no password was set earlier, if an authentication dialog appears, just click Login with the fields left blank.

As “Device Information” on the ASDM dashboard shows, every reader should check whether the current Firewall Mode is Routed or Transparent and whether Context Mode is Single or Multiple. Here this PIX Firewall is in Single and Routed mode.
We can also see CPU and memory usage in “System Resources Status”, interface settings and up/down state in “Interface Status”, TCP and UDP traffic in “Traffic Status”, and real-time system messages in “Latest ASDM Syslog Messages”.
First, in Single/Routed mode we let the host with IP address 192.168.1.1 reach the Internet. Two steps are needed: 1) configure the IP address of the outside interface; 2) configure NAT.

Click “Configuration” to enter the configuration screen and choose “Interface” on the left. On a PIX, Ethernet0 is usually used as the external interface and named ‘outside’. Highlight that interface and click “Edit” on the right to open the interface configuration screen.

In the interface configuration screen, check “Enable Interface” to bring the interface up and set “Interface Name” to ‘outside’. Here we explain a PIX/ASA-specific setting called “Security Level”, whose range is 0 to 100. The lower the number, the less trusted the network behind that interface. We therefore usually give the interface facing the external network 0, the interface facing the internal network 100, and a DMZ interface some value in between. Traffic between interfaces with different security levels follows a simple rule: connections initiated from a higher security level toward a lower one are allowed by default, and their return traffic is admitted by the stateful connection table; connections initiated from a lower security level toward a higher one are denied by default and must be explicitly permitted by an access rule on the firewall.

Next we choose how the interface obtains its IP address. A static address is the usual choice, but here we use DHCP to obtain one automatically. When finished, click “OK” to close the window and then “Apply” to activate the configuration.
Next comes NAT configuration. Click “NAT” on the left to enter the following configuration screen.

As we can see, this screen holds all NAT/PAT settings. To let the private addresses of the internal network communicate with the external network, we must add a NAT rule for internal traffic: click “Add” and choose “Add Dynamic NAT Rule”.

Here we select the addresses to be translated (the inside network) and designate ‘outside’ as the Dynamic Translation interface. Then click “Add”.

Choose “Port Address Translation (PAT) using IP Address of the interface”, click “Add >>” to add it to the “Address Pool”, then click “OK”.

A new dynamic translation rule named ‘outside’ with Pool ID 1 now appears. Finally, click “NAT Options”.

Under “DNS Rewrite”, check “Translate the DNS replies that match the translation rule” and click “OK”. With this option the firewall rewrites the A record in DNS replies that match the translation, so a host resolving a name receives the address that is valid on its own side of the firewall.

After the configuration is applied, the panel at the bottom of the window shows a diagram summarising what this rule does. Note that by default PIX/ASA does not allow ICMP packets to enter a higher-security interface: TCP and UDP connections from inside are tracked in the connection table so their replies are let back in, but ICMP is not tracked unless ICMP inspection is enabled, so an outbound ping gets no reply here while other protocols work normally.
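The CLI equivalent of the interface and NAT steps above, given here as an added example rather than configuration taken from the original article. It uses the PIX 7.x / ASA 7.x command syntax of this period (the NAT commands changed in ASA 8.3) and assumes the PIX interface names Ethernet0 and Ethernet1; on an ASA 5500 they are Ethernet0/0 and Ethernet0/1. The inside address 192.168.1.2 and the management host 192.168.1.1 follow the article's example.

```cisco
! Outside interface: least trusted (level 0), address from the ISP via
! DHCP; "setroute" installs the default route learned from DHCP.
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
!
! Inside interface: fully trusted (level 100), static address.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
! Dynamic PAT: every inside address (0.0.0.0 0.0.0.0) in NAT group 1
! is translated to the outside interface address (Pool ID 1 in ASDM).
! The "dns" keyword enables DNS rewrite for replies that match it.
nat (inside) 1 0.0.0.0 0.0.0.0 dns
global (outside) 1 interface
!
! ASDM access over HTTPS only from the management host given during
! setup; any other inside host is refused.
http server enable
http 192.168.1.1 255.255.255.255 inside
```

After applying this, “show xlate” lists the active PAT translations once the inside host opens a connection, and “show nat” lists the NAT rules; an empty xlate table with a correct NAT rule usually means the outside interface never obtained a DHCP address.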
Recent ASDM versions provide a very useful function called “Packet Tracer”, which simulates a packet passing through the firewall and shows each stage of processing. If the packet is blocked, Packet Tracer shows where it is dropped. As an example, here we trace a ping from the external to the internal network.

Here we choose the outside interface and the ICMP protocol; the source is a valid public IP address and the destination is an internal IP address. Packet Tracer reports the packet dropped, which confirms that ICMP from the external to the internal network is blocked.
If we want to allow ICMP packets into the PIX/ASA, we can add a rule that permits ICMP from the outside interface toward the inside interface. Choose “Security Policy” in the navigation pane.

PIX/ASA already shows three default (implicit) security policies; for Linux users, these play the same role as the default chain policies of Netfilter/iptables. These three rules are what give PIX/ASA users a secure default.
To allow external ICMP packets through the PIX/ASA, click “Add” and create a rule that permits all ICMP packets arriving on the outside interface, with no restriction on source or destination IP address, to enter the internal network.

Click “OK” and then “Apply”; the new configuration now allows ICMP packets into the internal network. For production use this rule is broader than necessary: permitting only the reply and error types (echo-reply, time-exceeded, unreachable), or enabling ICMP inspection instead, lets inside hosts ping out without accepting unsolicited ICMP from the Internet.

The figure above shows that the ping now succeeds.
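The CLI equivalent of the ICMP access rule and of the Packet Tracer check, again as an added example and not configuration from the article. The access-list name outside_access_in is the one ASDM generates for rules on the outside interface; the external address 203.0.113.10 and the inside host 192.168.1.1 are assumed for illustration, and the commented-out lines show the tighter alternatives a practitioner would normally prefer.

```cisco
! Broad rule matching the ASDM step above: any ICMP arriving on the
! outside interface may pass, regardless of source or destination.
! Once an access list is applied to an interface, everything it does
! not permit is dropped by the implicit deny at its end.
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
!
! Tighter alternative: admit only the reply and error types inside
! hosts need, so echo requests from the Internet are still dropped.
! access-list outside_access_in extended permit icmp any any echo-reply
! access-list outside_access_in extended permit icmp any any time-exceeded
! access-list outside_access_in extended permit icmp any any unreachable
!
! Or skip the access list and track ICMP statefully like TCP/UDP, so
! only replies to pings originated from inside are admitted.
! policy-map global_policy
!  class inspection_default
!   inspect icmp
!
! Packet Tracer from the CLI: an ICMP echo request (type 8, code 0)
! entering the outside interface from 203.0.113.10 toward 192.168.1.1.
! Before the rule above is applied the output shows the drop in the
! ACCESS-LIST phase with "Action: drop"; afterwards it ends with
! "Action: allow".
packet-tracer input outside icmp 203.0.113.10 8 0 192.168.1.1
```

Run the packet-tracer line both before and after applying the access list; seeing the drop move from the ACCESS-LIST phase to an allow is the same check the ASDM Packet Tracer screen performs, and it is the quickest way to confirm that a rule change did what was intended without sending real traffic.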
Conclusion
In this document we briefly introduced the essential knowledge and interface configuration of the PIX/ASA Firewall, laying the foundation for the further firewall topics in Part II and Part III. In the next issue we will introduce Virtual Firewall and Transparent Firewall and explain the key points of firewall deployment and configuration. To give us more opportunities to interact with readers, during 8/3-8/7 at the Taipei Computer Application Show we will answer related questions at GeeGo Education’s stand (A407). We will also hold technical document seminars at GeeGo Education on the evening of 8/14 (Mon.), the afternoon of 8/26 (Sat.) and the evening of 9/6 (Wed.), where we can discuss these techniques face to face. Because seats are limited, readers can call 0800-296-296 to register. For any other questions about techniques or configurations, please feel free to discuss them with us.