Rating: 0 out of 5 stars
0 ratings
Ebook1,265 pages8 hours
Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
Rating: 0 out of 5 stars
()
About this ebook
This book is written for Network engineers working in the Security field and to prepare the CCNP Security exam, it includes Cisco ASA Firewall, ASA with FirePOWER, Firepower Threat Defense FTD, Web Security Appliance, VPN Technologies, Cisco ISE, Cisco Umbrella with practice labs in one book with a simple explanation with more than 70 Scenarios.
Read more from Redouane Meddane
IP Routing Protocols All-in-one: OSPF EIGRP IS-IS BGP Hands-on Labs Dial Plan and Call Routing Demystified On Cisco Collaboration Technologies: Cisco Unified Communication Manager Rating: 0 out of 5 stars0 ratingsOSPF Demystified With RFC: Request For Comments Translated Into Practice Rating: 5 out of 5 stars5/5
Related to Network Security All-in-one
Related ebooks
Cisco CCNA Command Guide: An Introductory Guide for CCNA & Computer Networking Beginners: Computer Networking, #3 Rating: 0 out of 5 stars0 ratingsCompTIA Security+: Network Attacks Rating: 5 out of 5 stars5/5Learn Cisco Network Administration in a Month of Lunches Rating: 0 out of 5 stars0 ratingsConcise and Simple Guide to IP Subnets Rating: 5 out of 5 stars5/5Comptia Security+ Primer Rating: 5 out of 5 stars5/5A Practical Guide Wireshark Forensics Rating: 5 out of 5 stars5/5Cisco Network Administration Interview Questions: CISCO CCNA Certification Review Rating: 5 out of 5 stars5/5VMware NSX Network Essentials Rating: 0 out of 5 stars0 ratingsHands-On Network Forensics: Investigate network attacks and find evidence using common network forensic tools Rating: 0 out of 5 stars0 ratingsCCST Cisco Certified Support Technician Study Guide: Networking Exam Rating: 0 out of 5 stars0 ratingsThe Compete Ccna 200-301 Study Guide: Network Engineering Edition Rating: 5 out of 5 stars5/5CCNA Interview Questions You'll Most Likely Be Asked Rating: 0 out of 5 stars0 ratingsDesigning and Implementing Linux Firewalls and QoS using netfilter, iproute2, NAT and l7-filter Rating: 0 out of 5 stars0 ratingsCompTIA PenTest+ Study Guide: Exam PT0-002 Rating: 0 out of 5 stars0 ratingsSSL VPN : Understanding, evaluating and planning secure, web-based remote access Rating: 0 out of 5 stars0 ratingsCompTIA CySA+ Study Guide: Exam CS0-003 Rating: 0 out of 5 stars0 ratingsWireshark for Security Professionals: Using Wireshark and the Metasploit Framework Rating: 4 out of 5 stars4/5Network Performance and Security: Testing and Analyzing Using Open Source and Low-Cost Tools Rating: 0 out of 5 stars0 ratingsCEH v11 Certified Ethical Hacker Study Guide Rating: 0 out of 5 stars0 ratingsUnderstanding TCP/IP Rating: 4 out of 5 stars4/5CCNA (640-802) Exam Questions Cisco Rating: 5 out of 5 stars5/5Hands on Hacking: Become an Expert at Next Gen Penetration Testing and Purple Teaming Rating: 3 out of 5 stars3/5TCP / IP For Dummies Rating: 0 out of 5 stars0 ratingsSubnetting Rating: 0 out of 5 stars0 ratingsCisco ACI Cookbook Rating: 3 out of 5 stars3/5CCNP Enterprise Certification Study Guide: Implementing and Operating Cisco Enterprise Network Core Technologies: Exam 350-401 Rating: 0 out of 5 stars0 ratingsCCNA Routing and Switching Complete Study Guide: Exam 100-105, Exam 200-105, Exam 200-125 Rating: 4 out of 5 stars4/5CCNA Routing and Switching Complete Review Guide: Exam 100-105, Exam 200-105, Exam 200-125 Rating: 0 out of 5 stars0 ratings
Certification Guides For You
Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5Coding For Dummies Rating: 5 out of 5 stars5/5CompTIA Security+ Study Guide: Exam SY0-601 Rating: 5 out of 5 stars5/5CompTIA A+ Complete Review Guide: Core 1 Exam 220-1101 and Core 2 Exam 220-1102 Rating: 5 out of 5 stars5/5Mike Meyers' CompTIA A+ Certification Passport, Seventh Edition (Exams 220-1001 & 220-1002) Rating: 2 out of 5 stars2/5CCNA Certification Study Guide, Volume 2: Exam 200-301 Rating: 0 out of 5 stars0 ratingsMike Meyers CompTIA Security+ Certification Passport, Sixth Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5CompTIA A+ CertMike: Prepare. Practice. Pass the Test! Get Certified!: Core 1 Exam 220-1101 Rating: 0 out of 5 stars0 ratingsCompTIA Security+ Certification Practice Exams, Fourth Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5Mike Meyers' CompTIA A+ Certification Passport, Sixth Edition (Exams 220-901 & 220-902) Rating: 4 out of 5 stars4/5CompTIA A+ Certification All-in-One For Dummies Rating: 3 out of 5 stars3/5Mike Meyers' CompTIA Security+ Certification Guide, Third Edition (Exam SY0-601) Rating: 5 out of 5 stars5/5CompTIA Network+ Review Guide: Exam N10-008 Rating: 0 out of 5 stars0 ratingsUnderstanding Cisco Networking Technologies, Volume 1: Exam 200-301 Rating: 0 out of 5 stars0 ratingsPHR and SPHR Professional in Human Resources Certification Complete Practice Tests: 2018 Exams Rating: 4 out of 5 stars4/5PHR and SPHR Professional in Human Resources Certification Complete Study Guide: 2018 Exams Rating: 0 out of 5 stars0 ratingsCompTIA Security+ Get Certified Get Ahead: SY0-701 Study Guide Rating: 5 out of 5 stars5/5Microsoft Office 365 for Business Rating: 4 out of 5 stars4/5How to Get Started as a Technical Writer Rating: 4 out of 5 stars4/5Comptia A+ 220-901 Q & A Study Guide: Comptia 21 Day 900 Series, #2 Rating: 5 out of 5 stars5/5CompTIA Network+ CertMike: Prepare. Practice. Pass the Test! Get Certified!: Exam N10-008 Rating: 0 out of 5 stars0 ratingsAWS Certified Cloud Practitioner All-in-One Exam Guide (Exam CLF-C01) Rating: 5 out of 5 stars5/5CISSP Official (ISC)2 Practice Tests Rating: 5 out of 5 stars5/5CompTIA Network+ Practice Tests: Exam N10-008 Rating: 0 out of 5 stars0 ratingsCISSP Study Guide Rating: 4 out of 5 stars4/5
Related podcast episodes
S17:E5 - What is AWS and how you become a cloud engineer (Hiroko Nishimura): Opening doors and knocking out AWS jargon 100% found this document usefulCCNP Specializations: In this episode of The Broadcast Storm, we'll talk about the potential specialization exams that can be paired with ENCOR (350-401) in order to complete a CCNP certification. Happy listening! ---------- Want to secure your Internet connection? Click ... 100% found this document usefulcybersecurity maturity model certification (CMMC) (noun) [Word Notes] 0% found this document usefulBreaking Down the NEW CCNA: In this episode of The Broadcast Storm, we'll discuss the topics appearing on Cisco's newly announced CCNA certification exam. To help you complete your current CCNA R/S studies before February 24, 2020 (or to help you get a jump start studying for... 100% found this document usefulIs enhanced hardware security the answer to ransomware? [CyberWire-X] 100% found this document usefulCISSP Training - Domain 1 - Lecture 1 0% found this document useful
Related articles
KRACK Wi-Fi Attack Threatens All Networks: How To Stay Safe And What You Need To Know MacWorldArticle
KRACK Wi-Fi Attack Threatens All Networks: How To Stay Safe And What You Need To Know
Nov 29, 2017
5 min read“Wi-Fi Congestion In Suburban Areas Has Never Been So Bad, And Sorting Out The Mess Needs Tools” PC Pro MagazineArticle
“Wi-Fi Congestion In Suburban Areas Has Never Been So Bad, And Sorting Out The Mess Needs Tools”
Apr 8, 2021
10 min readAll about Ethernet TechLifeArticle
All about Ethernet
Jan 11, 2021
4 min readThe 5 Worst Home Networking Mistakes and How to Avoid Them Residential Tech TodayArticle
The 5 Worst Home Networking Mistakes and How to Avoid Them
Oct 15, 2020
4 min readHacker’s Manual Maximum PCArticle
Hacker’s Manual
Mar 2, 2021
1 min readSophos XGS 126w PC Pro MagazineArticle
Sophos XGS 126w
Aug 10, 2023
2 min readDray Tek Vigor AP 960C PC Pro MagazineArticle
Dray Tek Vigor AP 960C
Jun 10, 2021
2 min readTP-Link Omada EAP660 HD PC Pro MagazineArticle
TP-Link Omada EAP660 HD
Apr 8, 2021
2 min readSynology RT6600ax Wi-Fi 6 router APCArticle
Synology RT6600ax Wi-Fi 6 router
Jun 13, 2022
2 min readQnap TVS-675 PC Pro MagazineArticle
Qnap TVS-675
Jan 6, 2022
3 min readTP-Link Omada EAP670 PC Pro MagazineArticle
TP-Link Omada EAP670
Jan 5, 2023
SCORE PRICE £195 exc VAT from broadbandbuyer.com Stepping up to the pinnacle of TP-Link’s family of Wi-Fi 6 business access points, the Omada EAP670 is the company’s fastest yet. This big ceiling mount discus has an AX5400 rating and claims speeds of
2 min readBuild Your First Reverse Proxy Maximum PCArticle
Build Your First Reverse Proxy
Jan 7, 2020
7 min readDrayTek VigorAP 1060C PC Pro MagazineArticle
DrayTek VigorAP 1060C
Jan 6, 2022
3 min readTP-Link Omada EAP620 HD PC Pro MagazineArticle
TP-Link Omada EAP620 HD
Jan 6, 2022
2 min readIpaddons Linux FormatArticle
Ipaddons
Apr 7, 2020
IPFire has everything you need and more to run an advanced firewall solution. But its functionality can be extended far beyond what’s in the box. For one thing, it’s its own distro with its own package manager (Pakfire), which can be used directly or
1 min readThe Verdict Linux FormatArticle
The Verdict
May 2, 2023
2 min readUltimate Networking Security Guide Maximum PCArticle
Ultimate Networking Security Guide
Jan 4, 2022
13 min readWatchGuard Firebox T45-W-PoE PC Pro MagazineArticle
WatchGuard Firebox T45-W-PoE
Aug 10, 2023
2 min readLiz Rice Chief Open Source Officer at Isovalent TechfastlyArticle
Liz Rice Chief Open Source Officer at Isovalent
Apr 1, 2022
5 min readD-Link DAP-X2850 PC Pro MagazineArticle
D-Link DAP-X2850
Apr 6, 2023
2 min readUltimate Networking Security Guide APCArticle
Ultimate Networking Security Guide
Jan 24, 2022
13 min readZyxel WAX630S PC Pro MagazineArticle
Zyxel WAX630S
Dec 8, 2022
2 min readProtect Your Network Linux FormatArticle
Protect Your Network
Apr 7, 2020
4 min readAdding A Reverse Proxy To Nextcloud Linux FormatArticle
Adding A Reverse Proxy To Nextcloud
Mar 10, 2020
8 min readZyxel WAX610D Unified Pro Access Point PC Pro MagazineArticle
Zyxel WAX610D Unified Pro Access Point
May 7, 2022
3 min readThat Russia Router Malware Threat Might Be Worse Than Feared: What You Need To Know MacWorldArticle
That Russia Router Malware Threat Might Be Worse Than Feared: What You Need To Know
Jul 17, 2018
4 min readThat Russia Router Malware Threat Might Be Worse Than Feared: What You Need To Know PCWorldArticle
That Russia Router Malware Threat Might Be Worse Than Feared: What You Need To Know
Jul 3, 2018
4 min readEnGenius ESG510 PC Pro MagazineArticle
EnGenius ESG510
Nov 9, 2023
3 min readWatchGuard Firebox T45-CW PC Pro MagazineArticle
WatchGuard Firebox T45-CW
Feb 8, 2024
3 min readTP-Link Omada EAP655-Wall PC Pro MagazineArticle
TP-Link Omada EAP655-Wall
May 11, 2023
An affordable wall-mount Wi-Fi 6 AP with good speed, triple gigabit download ports and great cloud management PRICE £101 exc VAT from broadbandbuyer.com TP-Link’s EAP655-Wall is designed to offer discrete Wi-Fi 6 services to a wide range of environme
3 min read
Reviews for Network Security All-in-one
Rating: 0 out of 5 stars
0 ratings
0 ratings0 reviews
Book preview
Network Security All-in-one - Redouane MEDDANE
Lab 7: Active/Standby Failover
C:\Users\Administrator\Desktop\Topo ASA\topo2.PNGTo provide device redundancy, we can deploy ASA adaptive security appliances in an active/standby or active/active high-availability failover.
In Active/Standby failover, one unit is the active unit, it passes traffic. The standby unit does not actively pass traffic. When a failover occurs, the active unit fails over to the standby unit, which then becomes active.
We can deploy the active/standby in two different active/standby failovers configurations:
1-Stateless failover: stateless failover only provides hardware redundancy. If the active device fails, the standby device becomes actives. All information on tracked connections through the previously device is lost such connection table, NAT table. Therefore the Host applications must start a new connection to restart communication through the newly device because the previously active device did not pass state information.
2-Stateful failover: The stateful failover features extends the stateless failover functionality by continuously passing state information from the active to the standby unit. If a failover occurs, all relevant state information such as connection table and nat table is already available on the newly active unit.
Configuration of Active/Standby failover:
ON ASA-1:
Specify active and standby IP addresses on the inside and outside interfaces:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture1.PNGC:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture2.PNGConfigure a description for the LAN/LINK failover (optional):
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture3.PNGVerification of the VLAN interfaces on ASA-1:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture4.PNGVerification of the physical interfaces:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture5.PNGThe following commands are configured to:
1-enable failover.
2-Specify unit as primary.
3-Specify interface used as the failover interface.
4-Specify interface used as the stateful failover interface.
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture6.PNGASA-1(config)# failover lan unit primary
ASA-1(config)# failover lan interface LAN-FAILOVER vlan3
INFO: Non-failover interface config is cleared on Vlan3 and its sub-interfaces
ASA-1(config)# failover interface ip LAN-FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
On ASA-2 the configuration should be done in the global configuration mode:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture7.PNGOn ASA-2:
ASA-2(config# interface GigabitEthernet2
ASA-2(config-if)# description LAN/STATE Failover Interface
1-enable failover.
2-Specify unit as secondary.
3-Specify interface used as the failover interface.
4-Specify interface used as the stateful failover interface.
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture8.PNGASA-2(config)# failover lan unit secondary
ASA-2(config)# failover lan interface LAN-FAILOVER vlan3
INFO: Non-failover interface config is cleared on Vlan3 and its sub-interfaces
ASA-2(config)# failover interface ip LAN-FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
ASA-2(config)#
Let's configure the physical interface e0/2 in VLAN 3:
You should see the message that the Active unit is detected and the replication is done and as a result the hostname of the ASA-2 is changed to be the same as the unit primary ASA-1.
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture9.PNGSince after replication both devices have the same hostname, you can use the prompt hostname priority state command to distinguish between the primary/secondary and the active/standby device.
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture10.PNGLet's do the same with the unit primary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture12.PNGVerification of the unit secondary, the configuration of the VLANs and physical interfaces is copied into the unit secondary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture11.PNGC:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture15.PNGLet's verify the failover status on the unit primary and unit secondary using the show failover command:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture13.PNGC:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture14.PNGThe show failover interface command displays the IP address of each unit of the LAN failover:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture17.PNGC:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture16.PNGLet's test the replication:
Configure a username with password and enable telnet using local database for the subnet 192.168.1.0/24 on the unit primary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture19.PNGASA-1/pri/act(config)# username admin password cisco
ASA-1/pri/act(config)# telnet 192.168.1.0 255.255.255.0 inside
ASA-1/pri/act(config)# aaa authentication telnet console LOCAL
ASA-1/pri/act(config)# telnet timeout 5
Let's verify the replication on the unit secondary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture20.PNGIf we issue the write memory command on the unit primary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture18.PNGYou will see this on the unit secondary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture22.PNGSince the telnet configuration is enabled on the unit secondary after replication, we can manage the unit secondary remotely:
Let's launch telnet connection to 192.168.1.2 the IP address of the unit secondary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture23.PNGC:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture24.PNGLet's configure auto-nat on the unit primary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture25.PNGASA-1/pri/act(config)# object network INSIDE-NET
ASA-1/pri/act(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1/pri/act(config-network-object)# nat (inside,outside) dynamic interface
Verify the replication of the NAT on the unit secondary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture26.PNGEnable ICMP inspection on the unit primary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture27.PNGYou will this message on the unit secondary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture30.PNGLet's verify the ICMP inspection using the show run policy-map command:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture28.PNGC:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture29.PNGLet's test the connectivity between PC1 and PC2:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture31.PNGTo test the failover issue a ping 100.100.100.10 -t to PC2 let's disable the port Fa0/1 of the switch connected to the unit primary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture33.PNGSW1(config)#int Fa0/1
SW1(config-if)#shutdown
SW1(config-if)#
Now we will see this message on the unit primary, this means that it is becoming the Standby ASA:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture34.PNGLet's verify that the ASA-1 is now the unit secondary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture35.PNGAnd the unit secondary tells us that it is becoming the Active ASA:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture36.PNGLet's verify that the ASA-2 is now the unit primary:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture37.PNGWhen the port of the Switch is enabled, the old unit primary stays in the standby state, which means there is no preemption, in order to force the old Active ASA to be the unit primary we can use the failover active command on ASA-1:
C:\Users\Administrator\Desktop\Nouveau dossier (3)\Failover\Capture38.PNGLab 8: Firewal Transparent mode
C:\Users\Administrator\Desktop\Topo ASA\topo1.PNGBy default, an ASA is in the routed firewall mode. It operates at OSI Layer 3, forwarding decisions are based on IP address.
An ASA can also be configured to operate in transparent firewall mode, in this mode it appears as a Layer 2 device.
To enable transparent firewall mode, use the following command:
Capture1The ASA’s interfaces have no assigned IP addresses, but they can be mapped into one or more logical bridge groups, the Logical bridge group is configured with an IP address so that it will be used for traffic sourced by the transparent firewall itself or destined for management traffic, such as Telnet and SSH.
Let's configure the AS's interfaces, G0/0 interface will face the outside, while G0/1 will face the inside. Both interfaces will be part of bridge group 1.
Capture2ciscoasa(config)# int g0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# no shut
Capture3ciscoasa(config)# int g0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# no shut
Let's assign an IP address to bridge group 1:
Capture4ciscoasa(config)# int bvI 1
ciscoasa(config-if)# ip add 192.168.1.100 255.255.255.0
Verify the the Firewall mode:
Capture5Verify the configuration of the ASA's interfaces:
Capture6Verify the bridge group interface:
Capture7Dynamic routing protocols are not supported in transparent firewall mode. To allow the ASA to communicate with any host that is located outside the local subnet, we should configure a static route, the next-hop is the router R1:
Capture8ciscoasa(config)# route outside 0 0 192.168.1.1
In transparent firewall mode IP packets are also inspected by ASA’s inspection engines and MPFconfiguration.
Let's test the MPF by enabling ICMP inspection:
Capture9ciscoasa(config)# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands
ciscoasa(config)#
Let's test the connectivity from PC1 to FTP server:
Capture10With 8.0 and later, an ASA can integrate Network Address Translation (NAT) with transparent firewall mode.
Let's configure Auto-nat for inside network 192.168.1.0/24:
Notice that we cannot use the IP address of the Bridge group as a mapped IP address, let's choose the IP address 192.168.1.200:
Capture11ciscoasa(config)# object network TEST
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic 192.168.1.200
Let's execute a ping command from PC1 to FTP server:
Capture13Let's verify the translation using the show xlate commande, the IP address 192.168.1.10 is translated to the PAT IP address 192.168.1.200:
Capture12Capture14Let's configure FTP inspection:
Creates two regular expressions that match the files .exe and .doc:
Capture18ciscoasa(config)# regex EXE \.exe
ciscoasa(config)# regex DOC \.doc
Creates a class-map type regex to incorporate the regular expressions:
Capture19ciscoasa(config)# class-map type regex match-any TEST-REGEX
ciscoasa(config-cmap)# match regex EXE
ciscoasa(config-cmap)# match regex DOC
Let's creates another class-map type inspect to identify the delete FTP command:
Capture16ciscoasa(config)# class-map type inspect ftp TEST-CLASS
ciscoasa(config-cmap)# match request-command dele
Creates a policy-map type inspect to match the two class-map named TEST-REGEX and TEST-CLASS and use the reset log as an action to prevent a PC1 to download the files .exe and .doc and the FTP command delete
:
ciscoasa(config)# policy-map type inspect ftp TEST-POLICY
ciscoasa(config-pmap)# match filename regex class TEST-REGEX
ciscoasa(config-pmap-c)# reset log
ciscoasa(config-pmap-c)# class TEST-CLASS
ciscoasa(config-pmap-c)# reset log
Creates an access-list to identify the FTP traffic:
Capture21Creates a class-map L3/4 that matches the access-list called TEST:
Capture22ciscoasa(config)# class-map FTP-CLASS
ciscoasa(config-cmap)# match access-list TEST
Creates a policy-map L3/4 and associates the class-map L3/4 called FTP-CLASS:
Capture23ciscoasa(config-pmap)# policy-map FTP-POLICY
ciscoasa(config-pmap)# class FTP-CLASS
ciscoasa(config-pmap-c)# inspect ftp strict TEST-POLICY
Apply the policy-map L3/4 called FTP-POLICY to inside interface using service-policy command:
Capture24ciscoasa(config)# service-policy FTP-POLICY interface inside
Access the FTP files from PC1 to PC2 and try to delete a file:
Capture25The attempts fails because the FTP inspection as shown by the console message displayed by the ASA:
Capture27Let's try to download a file .docx:
Capture29Also the attempts fails because the FTP inspection as shown by the following message:
Capture28Let's try to download a file .rar:
Capture31The attempts is successful:
Capture30Let's verify the service policy and the number of packet allowed, and dropped:
Capture32Like a Switch, an ASA in transparent mode firewall must maintain a MAC address table of the source address learned in each received packet.
Let's verify the MAC address table of the ASA, two entries are added for PC1 and R1:
Capture33008c.fa29.b453 is the MAC address of PC1:
C:\Users\user\Desktop\ASA m\Capture34.PNG6412.2599.e4e0 is the MAC address of R1:
C:\Users\user\Desktop\ASA m\Capture35.PNGAnother useful command is the show bridge-group 1 command, it displays the ASA's interfaces mapped in this group and the number of the dynamic learned mac-address entries:
Capture36To prevent ARP spoofing, we can configure ARP inspection on the ASA. ARP inspection uses static ARP entries, ASA will examine each ARP reply packet and compare the source IP, MAC addresses and the source interface, to the configured static entries in its own ARP table.
By default the ARP table is built dynamically.
Let's ping from PC1 to R1:
Capture37The show arp command displays two ARP entries for PC1 and R1:
The number 63 is the aging time of the entries:
Capture38Since only two valid hosts are the router and the PC1, let's define a static ARP entries for PC1 and R1 for ARP inspection. Each entry will associate an IP address with a MAC address:
Capture39ciscoasa(config)# arp inside 192.168.1.10 008c.fa29.b453
ciscoasa(config)# arp outside 192.168.1.1 6412.2599.e4e0
Let's verify the the ARP table, the static ARP entries never age out as shown by the dash line at the end of each entry:
Capture40By default, ARP inspection is disabled on all ASA interfaces, let's enable the ARP inspection on the inside and outside interfaces:
Capture41ciscoasa(config)# arp-inspection inside enable
ciscoasa(config)# arp-inspection outside enable
Let's verify the ARP inspection status on each interface with the show arp-inspection command:
Capture42Let's change the MAC address of G0/0's R1:
Capture43R1(config)#int g0/0
R1(config-if)#mac-address 0000.0000.1111
Let's verify that the MAC address of R1 is changed:
Capture44Let's test the connectivity from PC1 to R1 and FTP server:
Capture46Capture47If either the MAC address or the IP address is found in the ARP table, but not both in a single entry, the ARP reply contains invalid or spoofed information. Therefore, it is dropped and not forwarded through the ASA. In this case the ARP reply receive by the ASA contains invalid MAC address 0000.0000.1111, so the ARP inspection drops the packets as shown by the console message:
Capture45Lab 9: ASA FirePOWER module installation
C:\Users\Administrator\Desktop\Nouveau dossier (2)\ASA Source fire\topo.PNGConfigure an IP address to the management interface (by default the ASA 5506 and above comes with the default ip address in the management interface 192.168.1.1).
C:\Users\user\Desktop\ASA\ASA Source fire\2.PNGIf the ASA has the cxsc and the ips modules installed, shudown and uninstall the modules:
ciscoasa#sw-module module cxsc shutdown
ciscoasa#sw-module module cxsc uninstall
ciscoasa#sw-module module ips shutdown
ciscoasa#sw-module module ips uninstall
ciscoasa#reload
Upload the boot image to the ASA appliance 's flash memory, and make it run, you can use FTP or TFTP to copy the image, i already copied the image so let's verify using the show flash command:
C:\Users\user\Desktop\ASA\ASA Source fire\1.PNGExecute the following commands:
ciscoasa# sw-module module sfr recover configure image flash:asasfr-5500x-boot-5.4.1-211.img
ciscoasa# sw-module module sfr recover boot
C:\Users\user\Desktop\ASA\ASA Source fire\4.PNGVerify the SFR module using the show module command, we can see that the SFR is not powered on completely and it is in recover state:
C:\Users\user\Desktop\ASA\ASA Source fire\6.PNGWe can use the show module sfr details to verify if the sfr is ready for console session, in this case the console session is not ready:
C:\Users\user\Desktop\ASA\ASA Source fire\7.PNGWe should wait until the console session become ready as shown below:
C:\Users\user\Desktop\ASA\ASA Source fire\8.PNGTo connect to SFR module, we issue a session sfr console command.
Default Username: admin
Default Password: Admin123
Once the default credentials are entered , we get the SFR prompt and begin the basic setup to configure network settings such as IP address, default gateway, domain name.
C:\Users\user\Desktop\ASA\ASA Source fire\9.PNGC:\Users\user\Desktop\ASA\ASA Source fire\10.PNGWe are now ready to copy the FirePOWER package to the module via ftp, This could take some time .
C:\Users\user\Desktop\ASA\ASA Source fire\11.PNGNow we log to the sfr module again with session sfr console command, the login credentials now are admin/Sourcefire. We need to accept the EULA and walk through the setup process.
C:\Users\user\Desktop\ASA\ASA Source fire\12.PNGC:\Users\user\Desktop\ASA\ASA Source fire\13.PNGC:\Users\user\Desktop\ASA\ASA Source fire\13-1.PNGAt this point, we have completed the installation of the SFR module. And we are prompted to the SFR console. We can issued somme commands to verify the SFR module operation:
The show ifconfig command displays the IP address of the SFR module
Enjoying the preview?
Page 1 of 1