Wednesday 8 June 2022

What is ASA firewall? How to configure Adaptive Security Appliance?

Introduction to firewalls

A firewall is a barrier between the LAN and the WAN (the trusted and the untrusted network). We put the firewall in the forwarding path of the network so that every packet crossing between the two has to be inspected by it.




There are two kinds of firewalls: software firewalls, such as the one preinstalled with Microsoft Windows, and hardware firewalls, which is what we are going to look at here.

 



 

In the above diagram we have a LAN with two host PCs and a Cisco switch. On the other side is a router connected to the ISP for the internet connection. We place our firewall between the two to protect the LAN.

Stateless and stateful filtering

You can use a router as a firewall, but it is not a good choice because a router does not spend much effort on filtering. It checks each packet against its access list (source and destination IP address, port number) and permits or denies the packet if an entry matches, but it does not keep track of the packet afterwards. This is called stateless filtering: every packet is judged on its own, so the return traffic of a connection opened from the inside has to be permitted explicitly, which usually means opening the door wider than intended. A firewall uses stateful filtering: it keeps track of every incoming and outgoing connection, permits the return packets of connections that were allowed to start, and drops anything that does not belong to a known connection.
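To make the difference concrete, here is an added example (not code from the original post) that runs the same three constructed packets through a stateless access-list filter and through a stateful connection tracker. The addresses, ports and rules are assumptions chosen to match the LAN/WAN picture above: the LAN is 10.0.0.0/8, the inside is allowed to talk out, and nothing from outside is allowed in.

```python
"""Added example, not code from the original post: a stateless access-list
filter beside a stateful connection-tracking filter, both run over the same
constructed packets. Addresses, ports and rules are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # the first packet of a TCP connection carries SYN only
    ack: bool = False


LAN = ip_network("10.0.0.0/8")  # assumed inside (trusted) addressing
ANY = ip_network("0.0.0.0/0")

# Stateless rules in the spirit of an IOS access-list: checked top to bottom,
# first match wins, implicit deny at the end. (source net, destination net, action)
ACL = [
    (LAN, ANY, "permit"),  # hosts on the LAN may talk to anything
    (ANY, LAN, "deny"),    # nothing from outside may reach the LAN
]


def stateless_filter(pkt):
    """Judge the packet by its headers alone; nothing is remembered."""
    for src_net, dst_net, action in ACL:
        if ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net:
            return action
    return "deny"


class StatefulFirewall:
    """Remember connections opened from the LAN and admit only their replies."""

    def __init__(self):
        self.connections = set()  # 4-tuples of flows the inside was allowed to open

    def filter(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.connections or reply in self.connections:
            return "permit"  # belongs to a tracked connection, either direction
        if ip_address(pkt.src) in LAN and pkt.syn and not pkt.ack:
            self.connections.add(flow)  # new outbound connection: record it
            return "permit"
        return "deny"  # unsolicited, or coming from the untrusted side


# Constructed traffic: an inside host opens an HTTPS connection, the server
# replies, and an unrelated outside host tries to reach SSH on the inside host.
SCENARIO = [
    Packet("10.1.1.10", 40000, "203.0.113.5", 443, syn=True),
    Packet("203.0.113.5", 443, "10.1.1.10", 40000, syn=True, ack=True),
    Packet("198.51.100.7", 55555, "10.1.1.10", 22, syn=True),
]


def run_scenario(packets=SCENARIO):
    """Return the verdict of each filter for every packet, in order."""
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [fw.filter(p) for p in packets],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

The stateless filter drops the server's SYN/ACK, so the LAN's own connection never completes. The usual fix on a router, permitting every inbound packet that has the ACK bit set (the `established` keyword), also admits forged ACK-only packets such as those an ACK scan sends; the stateful filter rejects those because they match no tracked connection.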

 

ASA (Adaptive Security Appliance) is a Cisco security device that combines a classic stateful firewall with VPN, IPS (Intrusion Prevention System) and antivirus capabilities, so it can stop many attacks before they spread into our LAN.

That is enough theory for now; the rest we will cover in the next section. Let's see how to configure it:

Topology:




Goal:

  • Configure the topology as per the diagram
  • Assign an IP address to the ASA interface
  • Configure nameif on the ASA interface
  • Configure the security level of the interface (nameif inside already defaults to 100; any other name defaults to 0)
  • Configure the hostname of the ASA firewall
  • Configure the enable password and a local user account (the passwords below are lab placeholders; use strong, unique ones in production)


ciscoasa>enable
Password:
ciscoasa#configure terminal

ciscoasa(config)#interface gigabitEthernet 1/1
ciscoasa(config-if)#ip address 10.1.1.2 255.0.0.0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#nameif inside
ciscoasa(config-if)#security-level 100
ciscoasa(config-if)#exit

ciscoasa(config)#hostname ASA-Firewall

ASA-Firewall(config)#enable password internetworks
ASA-Firewall(config)#username Admin password internetworks
ASA-Firewall(config)#end
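The security level set above is what drives the ASA's default policy between interfaces, which the post does not spell out: with no access-list applied, a new connection is permitted from a higher-level interface to a lower one, denied the other way, and denied between equal levels unless `same-security-traffic permit inter-interface` is configured. The following added example (not code from the post) parses ASA-style interface blocks into a table, applies that default policy, and runs two checks a reviewer would want. Only GigabitEthernet1/1 mirrors the post; the other interfaces, names and addresses are assumptions.

```python
"""Added example, not code from the post: parse ASA interface configuration
into a table and evaluate the default policy that the security levels imply
for traffic between interfaces. Only GigabitEthernet1/1 mirrors the post;
the other interfaces, names and addresses are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Iface:
    name: str
    nameif: Optional[str] = None
    level: Optional[int] = None
    ip: Optional[str] = None
    shutdown: bool = False


# Constructed sample in 'show running-config' style (assumed values).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.0.0.0
!
interface GigabitEthernet1/2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet1/3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1/4
 nameif guest
 security-level 50
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 ip address 192.0.2.1 255.255.255.0
!
"""


def parse_interfaces(text):
    """Return {interface name: Iface} from ASA-style interface blocks."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = ifaces[m.group(1)] = Iface(m.group(1))
        elif cur is None or line in ("", "!"):
            continue
        elif line.startswith("nameif "):
            cur.nameif = line.split()[1]
        elif line.startswith("security-level "):
            cur.level = int(line.split()[1])
        elif line.startswith("ip address "):
            cur.ip = line.split()[2]
        elif line == "shutdown":
            cur.shutdown = True
    return ifaces


def default_policy(ifaces, src_nameif, dst_nameif, same_security_inter=False):
    """Verdict for a new connection arriving on src_nameif and leaving via
    dst_nameif when no access-list is applied to either interface:
    higher -> lower security level is permitted, lower -> higher is denied,
    and equal levels are denied unless the ASA has
    'same-security-traffic permit inter-interface' configured."""
    by_name = {i.nameif: i for i in ifaces.values() if i.nameif}
    src, dst = by_name[src_nameif], by_name[dst_nameif]
    if src.level > dst.level:
        return "permit"
    if src.level == dst.level and same_security_inter:
        return "permit"
    return "deny"


def lint(ifaces):
    """Configuration checks a reviewer would run before trusting the box."""
    problems, seen = [], {}
    for i in ifaces.values():
        if i.shutdown:
            continue
        if i.nameif is None:
            problems.append(f"{i.name}: enabled without nameif, ASA will not forward on it")
        elif i.nameif in seen:
            problems.append(f"{i.name}: nameif {i.nameif} already used by {seen[i.nameif]}")
        else:
            seen[i.nameif] = i.name
    return problems


if __name__ == "__main__":
    table = parse_interfaces(SAMPLE_CONFIG)
    for src, dst in [("inside", "outside"), ("outside", "inside"), ("dmz", "guest")]:
        print(f"{src} -> {dst}: {default_policy(table, src, dst)}")
    print(lint(table))
```

Keep in mind that this is only the default: as soon as an access-list is applied to an interface with `access-group`, that list decides for traffic entering on it and the levels no longer matter in that direction, so the level alone is not a reason to leave an interface without an explicit policy.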


Friday 3 June 2022

What is Route Leaking? How to configure Leak-Map?

The leak-map name keyword configures the stub router to advertise selected EIGRP-learned routes that are not ordinarily advertised. The name refers to a route map that matches one or more ACLs or prefix lists; the subnets or addresses it permits are leaked.

 

The EIGRP stub feature is very useful when we want to prevent unnecessary EIGRP queries and limit which routes a router advertises. When we configure a router as a stub but still want to make an exception for some networks and advertise them anyway, a leak-map makes this possible.

 

With a summary route:

Whenever we configure an EIGRP summary route on an interface, the networks within the range of the summary are no longer advertised on that interface; only the summary route is sent. If we want to advertise some of those networks separately, next to the summary, this can also be done with a summary leak-map. Let's see how to configure the leak map.
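Both forms of leak-map are easier to reason about as a filter with an exception list. The following added example (not code from the post) models what a router sends to each neighbour: as a stub with `eigrp stub connected leak-map`, and under `ip summary-address eigrp ... leak-map`. The route table is R3's from the lab below, read from its `show ip route` output; the summary prefix 192.168.0.0/16 and the `permit any` ACL are assumptions added to show the edge cases.

```python
"""Added example, not from the post: a model of which prefixes an EIGRP router
advertises as a stub with 'eigrp stub connected leak-map', and under a summary
with 'ip summary-address eigrp ... leak-map'. The route table is the lab's R3
as read from the post's output; the summary prefix is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str     # e.g. "192.168.32.0/24"
    source: str     # "connected" or "eigrp"
    interface: str  # outgoing interface; used for split horizon


# R3's routing table in the lab (connected links plus what R1, R2 and R4 sent).
R3_ROUTES = [
    Route("1.0.0.0/8", "connected", "Serial4/0"),
    Route("2.0.0.0/8", "connected", "Serial4/1"),
    Route("3.0.0.0/8", "connected", "Serial4/2"),
    Route("10.0.0.0/8", "eigrp", "Serial4/0"),        # from R1
    Route("20.0.0.0/8", "eigrp", "Serial4/1"),        # from R2
    Route("192.168.30.0/24", "eigrp", "Serial4/2"),   # from R4
    Route("192.168.31.0/24", "eigrp", "Serial4/2"),
    Route("192.168.32.0/24", "eigrp", "Serial4/2"),
]

# access-list 1 permit 192.168.32.0 0.0.0.255, as (action, address, wildcard)
ACL_1 = [("permit", "192.168.32.0", "0.0.0.255")]
ACL_ANY = [("permit", "0.0.0.0", "255.255.255.255")]  # a careless leak-map


def acl_matches(acl, prefix):
    """IOS standard ACL semantics for 'match ip address <acl>' in a route-map:
    the route's network address is compared on the bits where the wildcard
    is 0; the first matching entry decides; implicit deny at the end."""
    net = int(ip_network(prefix).network_address)
    for action, addr, wildcard in acl:
        care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
        if net & care == int(ip_address(addr)) & care:
            return action == "permit"
    return False


def stub_advertisements(routes, neighbor_iface, stub_types=None, leak_acl=None):
    """Prefixes sent to the neighbour reached via neighbor_iface.
    stub_types=None: not a stub, everything is sent. Otherwise only routes of
    the listed types ('connected', 'summary', ...) plus leak-map matches.
    Routes pointing out neighbor_iface are withheld (split horizon)."""
    sent = set()
    for r in routes:
        if r.interface == neighbor_iface:
            continue
        allowed = stub_types is None or r.source in stub_types
        if not allowed and leak_acl is not None and acl_matches(leak_acl, r.prefix):
            allowed = True  # the leak-map exception
        if allowed:
            sent.add(r.prefix)
    return sent


def summary_advertisements(routes, neighbor_iface, summary, leak_acl=None):
    """'ip summary-address eigrp AS <summary> [leak-map]' on the interface
    towards the neighbour: component routes inside the summary are replaced
    by the summary itself, except those the leak-map permits, which are sent
    alongside it."""
    summ = ip_network(summary)
    sent, components = set(), 0
    for r in routes:
        if r.interface == neighbor_iface:
            continue
        net = ip_network(r.prefix)
        if net != summ and net.subnet_of(summ):
            components += 1
            if leak_acl is not None and acl_matches(leak_acl, r.prefix):
                sent.add(r.prefix)
            continue
        sent.add(r.prefix)
    if components:  # a summary is only advertised while a component exists
        sent.add(summary)
    return sent


if __name__ == "__main__":
    for iface in ("Serial4/0", "Serial4/1", "Serial4/2"):
        print(iface, sorted(stub_advertisements(R3_ROUTES, iface, ("connected",), ACL_1)))
```

The `ACL_ANY` case is the check worth remembering: a leak-map whose ACL permits everything silently undoes the stub filter and the router advertises exactly what it would without `eigrp stub`, so review the ACL behind a leak-map as carefully as the stub configuration itself.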

Topology:





Goal:

  • Configure the topology as per the diagram.
  • Assign IP addresses to the interfaces.
  • Configure EIGRP 1234 on all the routers.
  • Configure EIGRP stub connected on router 3.
  • Configure a leak-map on router 3 so that, of the networks learned from R4, only 192.168.32.0/24 is advertised to the other routers.



R1(config)#interface serial 4/0
R1(config-if)#ip address 1.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R1(config)#interface loopback 0
R1(config-if)#ip address 10.1.1.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit

R2(config)#interface serial 4/1
R2(config-if)#ip address 2.2.2.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R2(config)#interface loopback 0
R2(config-if)#ip address 20.1.1.1 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit

R3(config)#interface serial 4/0
R3(config-if)#ip address 1.1.1.2 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial 4/1
R3(config-if)#ip address 2.2.2.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit

R3(config)#interface serial 4/2
R3(config-if)#ip address 3.3.3.1 255.0.0.0
R3(config-if)#no shutdown
R3(config-if)#exit


R4(config)#interface fastEthernet 2/1
R4(config-if)#ip address 192.168.32.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface serial 4/2
R4(config-if)#ip address 3.3.3.2 255.0.0.0
R4(config-if)#no shutdown
R4(config-if)#exit

R4(config)#interface fastEthernet 0/0
R4(config-if)#ip address 192.168.30.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R4(config)#interface fastEthernet 2/0
R4(config-if)#ip address 192.168.31.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#no keepalive
R4(config-if)#exit

R1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial4/0                  1.1.1.1         YES manual up                    up
Loopback0                  10.1.1.1        YES manual up                    up


R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial4/1                  2.2.2.2         YES manual up                    up
Loopback0                  20.1.1.1        YES manual up                    up

R3#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Serial4/0                  1.1.1.2         YES manual up                    up
Serial4/1                  2.2.2.1         YES manual up                    up
Serial4/2                  3.3.3.1         YES manual up                    up



R4#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.30.1    YES manual up                    up
FastEthernet2/0            192.168.31.1    YES manual up                    up
FastEthernet2/1            192.168.32.1    YES manual up                    up
Serial4/2                  3.3.3.2         YES manual up                    up





R1(config)#router eigrp 1234
R1(config-router)#network 0.0.0.0 255.255.255.255
R1(config-router)#no auto-summary
R1(config-router)#exit

*Jun  2 23:22:30.379: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.2 (Serial4/0) is up: new adjacency


R2(config)#router eigrp 1234
R2(config-router)#network 0.0.0.0 255.255.255.255
R2(config-router)#no auto-summary
R2(config-router)#exit

*Jun  2 23:52:39.419: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.1 (Serial4/1) is up: new adjacency


R3(config)#router eigrp 1234
R3(config-router)#network 0.0.0.0 255.255.255.255
R3(config-router)#no auto-summary
R3(config-router)#exit

*Jun  2 23:52:40.287: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency

*Jun  2 23:52:43.191: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is resync: summary configured


R4(config)#router eigrp 1234
R4(config-router)#network 0.0.0.0 255.255.255.255
R4(config-router)#no auto-summary
R4(config-router)#exit

*Jun  3 00:14:00.539: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.1 (Serial4/2) is up: new adjacency


R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    1.0.0.0/8 is directly connected, Serial4/0
D    2.0.0.0/8 [90/2681856] via 1.1.1.2, 00:04:44, Serial4/0
D    192.168.31.0/24 [90/2684416] via 1.1.1.2, 00:00:14, Serial4/0
D    3.0.0.0/8 [90/2681856] via 1.1.1.2, 00:03:45, Serial4/0
D    192.168.30.0/24 [90/2684416] via 1.1.1.2, 00:00:14, Serial4/0
D    20.0.0.0/8 [90/2809856] via 1.1.1.2, 00:04:43, Serial4/0
C    10.0.0.0/8 is directly connected, Loopback0
D    192.168.32.0/24 [90/2684416] via 1.1.1.2, 00:00:14, Serial4/0

R3(config)#router eigrp 1234
R3(config-router)#eigrp stub ?

  connected      Do advertise connected routes
  leak-map       Allow dynamic prefixes based on the leak-map
  receive-only   Set IP-EIGRP as receive only neighbor
  redistributed  Do advertise redistributed routes
  static         Do advertise static routes
  summary        Do advertise summary routes
  <cr>


R3(config-router)#eigrp stub connected

*Jun  3 00:15:23.055: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is down: peer info changed
*Jun  3 00:15:23.055: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is down: peer info changed
*Jun  3 00:15:23.063: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is down: peer info changed
R3(config-router)#
*Jun  3 00:15:26.391: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency
*Jun  3 00:15:26.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is up: new adjacency
*Jun  3 00:15:26.955: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency

R3(config-router)#exit




R3(config)#router eigrp 1234
R3(config-router)#eigrp stub connected leak-map Route-Leak

*Jun  3 00:16:53.475: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is down: peer info changed
*Jun  3 00:16:53.483: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is down: peer info changed
*Jun  3 00:16:53.487: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is down: peer info changed
*Jun  3 00:16:54.003: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency
*Jun  3 00:16:54.783: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is up: new adjacency
R3(config-router)#exit

R3(config)#route-map Route-Leak
R3(config-route-map)#match ip address 1
R3(config-route-map)#exit



*Jun  3 00:18:07.935: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is resync: route configuration changed
*Jun  3 00:18:07.935: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is resync: route configuration changed
*Jun  3 00:18:07.939: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is resync: route configuration changed


R3(config)#access-list 1 permit 192.168.32.0 0.0.0.255

*Jun  3 00:18:51.583: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is down: route configuration changed
*Jun  3 00:18:51.599: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is down: route configuration changed
*Jun  3 00:18:51.603: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is down: route configuration changed
*Jun  3 00:18:52.079: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 2.2.2.2 (Serial4/1) is up: new adjacency
*Jun  3 00:18:52.735: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 1.1.1.1 (Serial4/0) is up: new adjacency
*Jun  3 00:18:55.883: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1234: Neighbor 3.3.3.2 (Serial4/2) is up: new adjacency

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    1.0.0.0/8 is directly connected, Serial4/0
D    2.0.0.0/8 [90/2681856] via 1.1.1.2, 00:00:09, Serial4/0
D    3.0.0.0/8 [90/2681856] via 1.1.1.2, 00:00:09, Serial4/0
C    10.0.0.0/8 is directly connected, Loopback0
D    192.168.32.0/24 [90/2684416] via 1.1.1.2, 00:00:08, Serial4/0

R1#ping 192.168.32.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.32.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/36 ms

R1#traceroute 192.168.32.1

Type escape sequence to abort.
Tracing the route to 192.168.32.1

  1 1.1.1.2 8 msec 8 msec 12 msec
  2 3.3.3.2 16 msec 12 msec 24 msec

R1#traceroute 192.168.32.1

Type escape sequence to abort.
Tracing the route to 192.168.32.1

  1 1.1.1.2 40 msec 20 msec 20 msec
  2 3.3.3.2 16 msec 32 msec 40 msec


R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

D    1.0.0.0/8 [90/2681856] via 2.2.2.1, 00:00:19, Serial4/1
C    2.0.0.0/8 is directly connected, Serial4/1
D    3.0.0.0/8 [90/2681856] via 2.2.2.1, 00:00:19, Serial4/1
C    20.0.0.0/8 is directly connected, Loopback0
D    192.168.32.0/24 [90/2684416] via 2.2.2.1, 00:00:16, Serial4/1


R2#ping 192.168.32.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.32.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/27/36 ms


R2#ping 192.168.31.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.31.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping to 192.168.31.1 fails because 192.168.31.0/24 is not permitted by access-list 1, so the stub filter on R3 suppresses it and R2 has no route to that network; only 192.168.32.0/24 was leaked.

R3#show ip protocols
Routing Protocol is "eigrp 1234"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  EIGRP stub, connected, leak-map Route-Leak
  Redistributing: eigrp 1234
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    0.0.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    2.2.2.2               90      00:48:15
    1.1.1.1               90      00:48:12
    3.3.3.2               90      00:48:11
  Distance: internal 90 external 170


What is Virtual Router Redundancy Protocol (VRRP)? How to configure Virtual Router Redundancy Protocol (VRRP)?

Virtual Router Redundancy Protocol (VRRP) is a gateway redundancy networking protocol used to create a virtual gateway, similar to HSRP. VR...