A Hut8 Networking Techtorial: Cisco Adaptive Security Appliance (ASA) Modular Policy Framework

Captions
[Music] Welcome to this Hut8 Networking Techtorial on the ASA firewall. In this module, module six, or Techtorial waypoint six, we're going to be diving into the Modular Policy Framework, or the MPF, and this is really where we start to get into some of the more advanced concepts with the ASA firewall.

Now, before we dive into the Modular Policy Framework, what we need to talk about is the difference between something being stateful, like an ASA firewall, and access controls that are stateless. So for example, on a router, let's get on to the command line here on the ISP router, if I was to configure an access list, and this is irrespective of whether it's a layer 3 or layer 4 ACL. In other words, layer 3 being if I was simply matching on source IP, that would be a layer 3 ACL; a layer 4 ACL would be if I was looking for, you know, port 80, or port 23 for telnet. So let's go ahead and configure a basic ACL here. I'm just going to say access-list, and we'll say 1, and permit 209.165.200.0 with a wildcard of 0.0.0.255, so make it a /24. So basically that's an ACL that says permit traffic from this network. Now this is just simply a layer 3 ACL; I'm basically saying permit any traffic from that source network, from 209.165.200.0. So if I were to apply this to the, let's do show ip interface brief, I can't remember which interface, I think it's gig 0/0, and it is. So if I go to interface GigabitEthernet 0/0 and say ip access-group 1 in, applying that ACL in the inbound direction, I'm basically permitting traffic coming from 209.165.200.0. And I'm going to telnet to the ISP router, 209.165.200.254. Now remember, the real RFC 1918 inside IP address of this PC on the inside interface of the ASA is 10.0.0.10, and it's being NATed to the 209.165.whatever IP address we got with our DHCP configuration.

So let's go ahead and hit enter, and you can see I get the username prompt. So I'm going to say Travis and then enter the password of cisco, and there it is. I apologize, it is very small there, I'm going to make it a little larger here, but as you can see I'm on the ISP router right now. But here's the thing: this ACL is stateless. There is no connection table, there is no state table, there's no information being kept on the router about this conversation. Telnet uses TCP, right, but this ACL is not looking at TCP sequence numbers, it's not looking at the SYN packets or the reset packet, it's not inspecting, it's not evaluating things at a deeper level. It's checking every single packet that comes in, and all that it's checking in the IP header is the source address. That's all that it looks at, and that's all that it makes its determination on as to whether or not this traffic, the traffic from the telnet session, is going to be permitted. In other words, it's stateless. The router, with these basic access control entries and these ACLs, the access control lists, which have ACEs, access control entries, in them, maintains no state information about the different flows and conversations and communications that are taking place here. And so that is what stateless is, and that's the big difference between an ACL, which is just simply a layer 3 or layer 4 ACL, and the Cisco ASA firewall.

So now let's transition back to the slides here, because this again is what causes a lot of confusion. You may be asking yourself, okay, well, you've shown me that the standard and the extended ACLs, when we apply those on a router or a switch or whatever the case may be, are stateless. So what makes the firewall stateful? In other words, how is it that the firewall is maintaining a connection table, a state table, in which it is actively tracking the conversations that are taking place through the interfaces on the firewall for transit traffic, traffic that is entering one interface on the firewall and then egressing out another interface on the firewall? It's all done with the Modular Policy Framework, the MPF. This is what gives the ASA firewall its stateful characteristics and its stateful abilities and capabilities; it is all based on this MPF. And so I hope that right now you've got a clear understanding of what stateless is: it's not maintaining any of that connection information, it's not inspecting or doing a deeper inspection of what's going on. That stateless activity simply looks at the layer 3 or the layer 4 information and says, hey, is it port 80? Yeah, sure, let it in. Hey, is it from this source going to this destination? Sure, let it in. That's all that it's checking, on a per-packet basis. So what the MPF does, the Modular Policy Framework, is it is going to maintain and inspect; it's going to do a deeper inspection of the traffic that is transiting the ASA firewall.

And so here's how it does it, and I'm going to start from the bottom up. There are three main components that we're going to talk about: the class map, the policy map, and then the service policy. If you're familiar with QoS, quality of service, or if you've seen any QoS configurations, this may look very familiar, but remember we are on an ASA firewall here, we are not on a router, we are not on a switch. So when we're issuing the class-map command and the policy-map command, it has nothing to do with QoS in this context; it's all about the Modular Policy Framework. So here are the building blocks of the Modular Policy Framework, and this is also where we're going to get our answer to why ping will not work when we're trying to ping from a host on the inside to the ISP router.

So the first building block, and I like to refer to this as the foundation of the Modular Policy Framework, is the class map, and I've got the command right here where we can say show run class-map, and you can put in the name of your class map. And so what is the class map? Well, the class map is the which: in other words, which protocols, which traffic, which VPN groups do I want to match so that I can then take an action on that traffic? I could inspect the traffic. So again, this is the foundation of the MPF house; this is the brick and mortar, the foundation on which MPF is built. And it's the class map that is going to dictate what type of traffic I am interested in maintaining state information for, and this is where the class map comes into play.

So if the class map is the foundation, think of the policy map as the framing, or the walls, that are built on top of the class map. You can simply say show run policy-map and then give the name of the policy map. And what does the policy map do, what is the policy map? Well, it's the what: in other words, what action am I going to take against the traffic that I matched in the class map? Remember the which: which protocols, which traffic, which VPN groups am I interested in inspecting or doing something else with. The policy map is the what. So we match in the class map, and then we take action in the policy map. Now, you can define more than a single action, and we'll talk about some of the different actions that you can take. You can inspect, you can police, in fact, I think I have, yeah, so you can inspect, you can change TCP connection options, you can shape the traffic in a QoS sense, you can police it in a QoS sense. And so the policy map is all about the what: what am I going to do with this traffic which I have matched in the class map?

Now the third and final component of the MPF house, this is the roof under which the walls and the framing and the foundation all sit, is the service policy. So think of the service policy as the overarching umbrella, that roof that sits over everything. Now the service policy we can apply to a specific interface, so you could say, you know, service-policy whatever interface outside; we can apply it to the outside interface. Or, and this is what we're interested in, our conversation is going to be around the global application of the service policy.

And here's the thing: the Modular Policy Framework and the extended ACLs, and I'm going to specifically call out extended, because with the ASA firewall something to keep in mind is that you can do standard ACLs, but it's in use cases where we're talking about maybe a VPN group of some kind or split tunneling. When you're applying the access control, the ACLs that get applied as access groups to the interfaces on the firewall, all of those ACLs are extended ACLs. You cannot apply a standard ACL to an ASA interface; it has to be extended. And I'm talking about the inside interface, the outside interface, the DMZ interface; all of those ACLs are extended. And so the Modular Policy Framework, in conjunction with, in coordination with the ACLs, they work together, okay? It is not an either/or. You don't make the choice like, I'm going to use the Modular Policy Framework and not the ACLs, or I'm going to use the ACLs and not the Modular Policy Framework. That is not the case. So what I'm trying to say is the Modular Policy Framework, which we've just looked at right here, the class map, the policy map, and then we apply it with the service-policy command, the MPF is inextricably linked, it works in conjunction with the access control lists, your ACLs, which are applied to interfaces with that access-group command. These things work in conjunction, because if we didn't have the Modular Policy Framework on the ASA and all we were doing was applying ACLs, it would not be stateful. You would simply have a bunch of ACLs just like we do on routers or on switches, which we've already discussed as being stateless. And again I want to make sure that I'm really, really clear on this, because this causes so much confusion when learners are trying to figure out, well, wait a minute, do I do an ACL, or how is the Modular Policy Framework working with the ACL? I don't get that. So again, it's the Modular Policy Framework that is going to give the ASA firewall its stateful attributes, its stateful capabilities, and the ACLs are also used in conjunction with the Modular Policy Framework in order to control the connections that are going to transit. We're not going to talk about management ACLs right now, so I'm going to stick with the traffic transiting the ASA.

So let's go ahead now and take a look at the command line here. We're back, and I reloaded it, but other than that we have the same configuration we ended up with yesterday. Let's get into privileged exec and say show run. I've added, unfortunately this tiny little window, this MacBook now is hanging off, I think it's interface 0/2, which is not the DMZ, it's part of VLAN 99, so it's either interface 0/2 or 0/7. But needless to say, this Mac right here that we're looking at in this remote window is now in the inside, we'll call it the inside zone, along with this iMac here, and that's VLAN 99. So you can see this is what we've got, and the only thing I changed was I removed the static IP, because that's how we ended yesterday's Techtorial. The ip address dhcp setroute is back into play, which means when we say show route we do have a static default route, which we're getting from the ISP router, because we're getting all of our addressing information from that router, and there is that information.

Now let's go ahead and say show run here one more time, I killed it too early there, and let's come down to the section that we've discussed very, very briefly before, and we're going to stop right there. So here, and this is by default, we didn't create this, this is here by default on the ASA firewall. Even if I was to do a write mem, a write erase, or a configure factory-default, this configuration is going to be there. Now remember the Modular Policy Framework: what are the three pillars that we talked about? We talked about the foundation, the which: which traffic am I interested in matching, in other words taking a look at later, or taking action on later, in the policy map. And so this class map that we get, and this is universal on the ASA, you're going to see this with these names, remember I haven't created this, this is here by default. So that is the name of the default class map that we are presented with, and we're going to dig into exactly what this default inspection traffic means, but right now we're going to go over the different pieces. So the class map by default, the name is inspection_default. Remember we said the class map is our foundation; this is where we classify, identify, in other words pick which traffic I am interested in matching and maybe taking an action on later in this policy map. And so I am matching something called default-inspection-traffic. That is a pre-canned set of protocols that I can match, just default traffic types; in other words it's kind of Cisco's way of saying, hey, here is a list of a bunch of common traffic types that you would probably want to do inspection on. And so this is what we're going to be taking a look at, this is what we are matching, this is the which: which traffic are we going to be grabbing, classifying? It's this default inspection traffic.

Now once the class map has been configured and we've said, yeah, I want to match, I want to classify the default inspection traffic, you would then come down and configure your policy map. And in fact I should have come down just a little further here, sorry about that; go ahead and ignore that right now, this DNS here. So the policy map down here, the name of the policy map is global_policy, and again, if you go to create a class map you can name it whatever you want, it's just that a descriptive name is going to make it easy for you to identify it later on. It's the same thing here: the policy map global_policy, a very descriptive name, means this is going to be applied globally, and we'll see that when we get to the service policy statement, which is a little further down. Globally means all interfaces on the ASA, and that's in the service policy, where it will have that global keyword. But this is a great descriptive name. And so the policy map is all about action. Remember the policy map is the what: what am I going to do with the traffic that I have matched? You can see here, policy-map, we have the name of the policy map, and then how does the policy map know what traffic it's going to be taking action on? Well, under the policy map we define the class, for the class map inspection_default. So where was this exactly? It's right there. So the policy map simply references the class map, or class maps, because it could reference more than one, that you want to take action on. And so now this raises the question, okay, I know how to pick, I understand the class map, that's going to classify or pick the traffic which I would like to take action on in my policy map, and so now it's here in the policy map where we take the action. And here are the actual actions, you can see it's basically one action, but what are these actions? Well, remember the policy map can do all kinds of things. You could tweak the TCP options, so I could tweak the timeout of TCP activity, things like that, I can shape the traffic, but what we're interested in here at this level is this inspect. So I'm going to do an inspection, and you see all these names right here. This is one thing that's commonly confusing: when you see these names, it's not that you're inspecting FTP or NetBIOS; these are the names of the inspection engines. These are the engines under the hood of the ASA inspection capabilities that are going to run against the traffic that we have matched, and it's these engines that are going to allow us to do deeper-type inspections, inspections on things like remote shell or NetBIOS or FTP or DNS or TFTP. It's going to allow us to take a deeper look at that traffic using those inspection engines. And so again, the policy map references the class map and simply takes action, in this case inspection action using these engines, on the traffic that we have matched.

Now let me clear the screen here, because we're going to have to make a minor adjustment, and I'm going to come down a little further. So those are the first two pillars, and then the third one, this is pretty straightforward. Here we have the service policy, which is referencing what? The global policy map. So the service policy that I'm going to apply is going to reference the policy map, and how am I going to apply that? Am I going to apply it to a single interface, am I going to apply it to multiple interfaces, or am I going to simply say global? And again, it's the Modular Policy Framework, what we just covered here, that gives the ASA its stateful capabilities and its stateful characteristics, in that it's going to track via the connection table; it's going to be creating connection objects in the connection table. And remember the connection table is synonymous with the state table; when you say connection table or state table, those are the same things, and we'll see the show conn command and show conn detail here shortly.

But again we need to understand conceptually what the Modular Policy Framework is and where it is located here in the configuration, and remember those commands: if I were to say show run class-map and hit enter, I don't have to put the name in. I could have said show run class-map and then typed inspection_default, but since that's the only class map that we have you can simply say show run class-map and it's going to show me that foundation of the Modular Policy Framework. Now here's what's interesting: when we look at the class map you see that it says match default-inspection-traffic. So if I get into global config and go into class-map inspection_default, here I am, I'm in the class map where that match command is located, and if I do a question mark here, this is going to show me what exactly the default inspection traffic is going to consist of. So let's take a look here, and I'm going to pull this line right here, I'll draw that line right there because that's what we're in. I could say match any, so match any packet, but that's not what we're doing; we're matching the default inspection traffic. And so here it is, it's pretty straightforward: you can see we've got HTTP, RSH, SQL*Net, WAAS, FTP, SMTP. So we've got all of these different protocols, and you can see they give the port number here, the FTP, and so we've got all these different protocols here that we're tracking, that we're maintaining the state information for. And you can see that we've got ICMP. This is what we want to match; these are all the things that we are matching. And this ICMP one right here, let's put a little asterisk here, because if you're looking at this right now you're saying, well, wait a second, ICMP is not working, you're telling me that we're matching it here? And I'm going to say, yeah, we are. But remember, matching it with the class map is different than taking action on it, and that policy map is what is going to dictate what I'm maintaining the state information for. The connection table, the connection objects that are going to get created that go into the connection table, those right now are dictated by the policy map, and that determines whether I'm interested in the traffic at a deeper level or I am not interested in the traffic. So here's everything that by default we are matching; that's how you can see what that default inspection traffic is all about. So now we know what the class map is interested in matching, and you can see here this WAAS is matching TCP, every single port, for WAAS, so pretty, pretty extensive. Okay, so let's clear this here. That's what the class map is matching.

So remember we can also see the policy map: if I say show run policy-map, you can see this one here, we're just going to ignore that one for right now, but this is the one that we're interested in here. Remember we just looked at everything we're matching in the class map, we saw it here, and we saw that ICMP is actually listed there. But remember what I told you: matching the traffic in the class map, that's the first step, that's our foundational step. Once I match all the traffic, now I take action against the traffic: what is it that I want to do? And if I'm not inspecting it, if I'm not taking action against the traffic that I have matched, then I am not creating connection objects in the connection table, the state table; it's not going to happen. So let me ask you this: do you see inspect icmp anywhere in here? We do not. And again, remember we're starting from a default configuration, and so this is why we can't ping through the ASA, into the inside interface, out the outside interface, to the ISP router with an echo request, and that's why we're not getting an echo reply back: because there is no state information being maintained about ICMP. Now ICMP in and of itself is a stateless protocol, right? But when we say inspect icmp, the ASA is smart enough to get that source IP and destination IP and the port information. It's smart enough to look at that information and create an entry in the connection table, a connection object in the connection table, so that when the echo reply comes back, it knows to let it through.

Because you'll notice something: do we have any access lists, and I'm going to use a word here, I'm going to stress this word, do we have any access lists that we have explicitly defined? Have I gone in here on the ASA and created extended ACLs and then applied those ACLs to interfaces on the ASA? We haven't, right? We haven't. So by default, remember what I said earlier on, we talked about the security level. Remember the inside interface on the ASA, and I'll just put I for inside and O for outside, is security level 100; the outside is 0. By default, if I haven't explicitly created any ACLs and applied them to interfaces on the ASA, then traffic from a higher level security zone can transit to a lower level security zone. I'll just put WWW, it's a web server out here. So this is by default, but this will change, and again remember we haven't done any explicit ACLs. And so it's at this juncture where the GUI actually provides some benefit here. If I was to say show access-list, because this is how you see the ACLs, there you have it right there: I don't have any ACLs explicitly defined. Now you're probably wondering why I keep stressing explicit. I'm going to have to break it up, because I want to make sure this doesn't run for, you know, a couple hours, so we're going to be breaking it up, but I'm going to briefly touch on the ACLs that are implicitly on the ASA, and remember the difference between implicit and explicit; let me make sure we're clear on that here.

So if I come over here, put the password in, and say show access-list, I'm on the router, but again this is going to prove the point. This is an explicit ACL. You remember me going in and creating access-list 1 saying permit all traffic from 209.165.200.0; all kinds of matches going on here. This is explicitly created: I explicitly went into global config, typed in access-list 1 permit and the rest of the syntax that was required. This is explicit. Now what is implicit about this ACL exactly? It's implicit that somewhere beyond the ACE entries that I explicitly created, the very last entry, and I'll just put last, depending on what the sequence numbers are, the last entry is what? Deny any any. And it doesn't show up here. Why doesn't it show up? Because it's implicit. It is implicitly inferred that this exists, so we don't see it because it's implicit. If it's explicit, we do see the entry. And the same is true on the ASA. So if I transition, and actually we're going to tackle this from the GUI, I don't want that there, because again you don't see it here. When I say show access-list, you're probably saying, well, wait a second, you're telling me that there are ACLs here and that they're implicit, but I don't see them when I say show access-list. And the reason that you don't see them is the same reason that you don't see the implicit deny any any at the end of an ACL: because it's implicit, it's assumed that it's going to be there. So when we pull the GUI up here, you can see the GUI's been tracking what I've been doing, we've looked at some things, and so it says do you want to refresh, because obviously some changes were made, so I'm going to say yes and put in my password here, go.

And again, this is where the GUI can be of great benefit. So how do we do it? We go to Configuration, Firewall is already picked, and take a look at the Access Rules, in other words the ACLs that exist by default, and let me see if I can't stretch some of these things out here just a skosh. All right. I apologize, this is a little small here, but there's not a lot of output so it should be easy to follow. Remember I said we've got the ASA, we've got the inside interface, we've got the outside interface, security level 100, security level 0. So when I say by default that traffic is allowed from a higher security level interface to a lower security level interface, and we refer to that as outbound traffic, this egress, outbound traffic from the higher level security interface to the lower level security interface is allowed because of this implicit rule. So there's one implicit incoming rule into the interface, which means if I had a switch hanging off over here and we've got all these hosts, I'll do some X's here, all of the traffic from all of these hosts when it comes in, that is ingress, inbound, and that is the direction in which this access rule, this ACL, this implicit incoming rule, is defined. So let's take a look: there's the sequence number, and it's any source traffic, so any ingress, inbound, incoming traffic into the inside interface, destination going where? To any less secure network, in other words any interface with a lower security level. And it doesn't just have to be 0; if we had a DMZ hanging off over here, now I've got some web servers, WWW, and let's say that the security level is 50, by default this is the implicit rule that you do not see when that show run output is run, or even the show access-list. And the service, what protocols I'm allowing: IP. Remember IP is everything; IP is like the umbrella or the top level, and under that you've got TCP, you've got UDP, you've got ICMP, you've got everything. Just remember that if you see IP, that means that everything from a protocol perspective is allowed. And what is the action, going to any less secure networks? It is permit. Great description here: implicit rule, permit all traffic to less secure networks.

Now we've also got this global rule, and this sort of turns into a catch-all; it's an implicit rule that shows up at the end of the other access rules, and we'll get deeper into this later on, because we're going to be dedicating a module to this, in fact the next module is dedicated to this. But I want to make sure we cover this, because it's not good enough just to say, oh yeah, by default you can go from a higher level security zone to a lower level security zone. As soon as I apply an ACL via the access-group command to that interface or that interface, like, let's say we want to do port forwarding, we're going to be doing that, so I have to allow traffic to come inbound on that outside interface, so we're going to have to put an ACL there, that's when the default behavior changes, and it's no longer correct to say that traffic from a higher level security zone can by default go to a lower level security zone. Okay, because as soon as I put an ACL with the access-group command on the inside interface of that ASA, this implicit rule saying that, oh yeah, all traffic can go from my inside zone to any lower zone, is no longer the case. But it's critical to understand why this is the case now, because when we go to build and put those access rules, those ACLs, onto the interfaces of the ASA, then you'll understand: wait a minute, why can I no longer just randomly have all my traffic going outbound to lower security level interfaces? You'll understand why that is. So this is also important.

So the outside interface, remember I said the global is the catch-all, and this comes into play right here. The outside interface says zero implicit incoming rules, because by default can traffic from a lower security level interface just simply make its way through to higher level security interfaces? And the answer is no. So from the outside here, this is the ISP router, I simply can't just SSH to devices that may be sitting here on the inside zone, because there are no implicit incoming rules; you can see it doesn't say any or any more secure network here, it doesn't say IP, it doesn't say permit. So there is no implicit rule for interfaces that have a security level of 0, because 0 is what? Yeah, that is the lowest possible security level. If we created a management-only interface, which we're not going to do right now, but if I did, it would be 0; in addition to that, no traffic would be allowed to transit it, it does no routing of traffic through the management-only interface, but it would be 0. You can go no lower than 0, so we are at the bottom. Excuse me. So what does that mean? If there's not an implicit rule for the outside interface, then how is it that traffic is getting denied? And if you're looking down just a little further, you got it: it's this global implicit rule. So you're probably saying, well, wait a second, Travis, how come it's not denying traffic up here? Well, remember the global implicit rule is applied to all ASA interfaces as the last rule, but if the first rule allows everything, do we ever get to the last rule? No, because everything is already implicitly allowed into the inside interface to any lower security level interface on the ASA. However, with the outside, it's already at the lowest security level, 0, so there is nothing allowed, which means there's nothing permitted, but there's nothing denied either; but there doesn't have to be anything denied, because of this catch-all global implicit rule, which is going to be the last rule that's looked at on every interface. So what does this rule do for the outside interface? Source traffic from anywhere going to anywhere, and what kind of traffic? All traffic is denied, and this is an implicit rule. And so this is why you don't see these when you do the show run or the show access-list, but they are here, and thank goodness for the GUI, which allows me to see this information. So we do have ACLs that are in play, but they are, sorry, I keep mispronouncing that, they're implicit. They're not explicitly created and applied; they are implicitly applied, which means it's assumed that they're applied, and this again is by default. And so right now, when I make the statement that you can go from any higher level security zone to any lower level security zone, that is a true statement.

If I was to add in, and let's do this here, we'll step away for a second: if I go into interface, let's say int vlan, and we'll call it 50, and I'll say ip address 172.16.1.0 255.255.255.0, we'll go ahead and say no shut; bad mask, as you know. All right, let's just leave the whole /16 here: ip address 172.16.0.0, whoops, 255.255, I apologize, I thought I did 1.1, my bad, 172.16.1.1 255.255.0.0; that's why we got the mask thing. So we're going to give that IP address to the interface, and we're going to name it, nameif dmz, not DMX but DMZ. Now, fortuitous failure here: I have the Base license on this firewall, which means, and the error tells you right away, that the Base license will not allow me to configure more than two interfaces with nameif without the no forward command on this interface. What this no forward command means is I can say no forward, and what I'm going to have to do is pick the interface to which I do not want to forward traffic. So from the DMZ I wouldn't be going to the inside interface, so I'll say interface, and what do we call it, oh, what's the VLAN, sorry, interface vlan, and we used 99 for the inside interface, so no forward interface vlan 99. Then nameif, and what do we call this? DMZ. So you can see DMZ is set to security level 0 by default, but what if I want to change the security level? We'll make it 50.

Now let's go back to the GUI, where we should be greeted with that dialog box saying, hey, you made some changes here, let's refresh. So I'm going to refresh it, and what are we going to see change up here? Bingo, we've got a new access rule, another implicitly applied one; we're not going to see it in the running config, but it's implicitly applied right here. So again, traffic from any source in the DMZ, traffic that shows up at the DMZ interface on the firewall, can go to any less secure networks, and every single interface that I would create, as long as it has a security level greater than 0, will have this implicit rule created for it. And that is again why you can say that by default traffic from a higher level security interface can go to a lower level security interface. And again you can see how the ACLs are inextricably linked, they're very related to the Modular Policy Framework.

So back to the Modular Policy Framework. We had to take a little detour there, but back to the Modular Policy Framework and the conversation that we were having on ICMP and why ICMP is not working. The reason that it's not working is because it's not being inspected. There is no state information being created by the ASA policy map; it's not creating a connection object in the connection table, the state table, that's going to allow the return traffic to come back. Because that might be what you're asking yourself: wait a second, so you just told me that traffic from the outside cannot come in to the inside, so how is it that HTTP is working? And again, it's the Modular Policy Framework: it's going to create a state entry in the connection table, a connection object in the connection table, that's going to track the TCP
sequence numbers right or the ICMP source and destination IP address and the seat and the connection information so that when the return traffic comes back it allows it to come through and it protects me on the inside because what I could do here right is I could go off and I could create an a CL but I don't want to do that I want a stateful approach to be taken here so how do we do that it's very simple first let's confirm that it's not working so here I am I'm going to say ping 209 165 200 254 right and is the ping working no it's not because in actually if I was to go over to so outbound right and we'll come back here so if I say on this is P router and Cisco is my password debug IP packet right so I'm debugging the IP packet so let me ask you this and actually let's just go ahead and say you all real quickly here we'll stop it because we've got enough information right so let me ask you this as soon as this stops hopefully I caught it before were none situation right to power it off oh come on now hoping it's going to cooperate here because what I want to show you is this again proves okay there we go finally alright so this again proves the point that out bounced of traffic from a lower level security interface is and I'm back up to the beginning here so that traffic from a lower level security interface is allowed outbound on the aasa' firewall and so we are looking for we've got the source and destination IP feature access was 47 check 109 so we can see that traffic sourcing sorry I'm going to make sure I highlight the right thing here traffic source seen from 209 165 251 that is traffic that is the aasa' traffic you can see it was destined to 81 161 and not the here we go this is what I'm look for something a little more reflective here sorry about that so again this proves the point that traffic is being allowed transit traffic is entering the inside interface on the a si right it's being added on the outside interface been allowed with a destination of 
209 165 200 250 for to show up here on the ISP router so this proves the point right it proves the point that the traffic is being allowed out but what don't you see we see a whole bunch of IP right but do I see I see MP without an inspect if the traffic shows up at an interface and it's not being inspected no connection object is going to be created for it and it's not going to be allowed so let's transition back to the a si and let's solve the problem here so how do we solve it well we simply need to modify the inspection setup here by adding in ICMP and you'll see how many things we can actually um policy map global underscore policy so I'm in the policy map right if I say inspect whoops sorry I can spell in Orton I get it in the right policy map handle oops sorry I left off the class map go to class map inspection default or actually no we don't and hold on confusing myself here so in the policy map I have to go under the class map which is where I would say for all these things that I'm matching right what inspection engines do I want to turn on and there it is there just happens to be an ICMP inspection engine so again we rotate back to this window here it's not working and I'm pretty sure I'm going to have to it may click on right away or it may not I may have to stop and then restart so let's say inspect ICMP as soon as I hit enter we transition back over here and yeah so we're going to have to say ctrl C and we're going to start it off again and now take a look now it's working because it's allowing the ICMP echo replies to come back in so while all traffic for which a connection object is going to be created going outbound it allows that traffic to come back inbound if I was to pull up a Safari here and let's jump off this page and say - and I 165 202 54 right you can see it says you're not connected to oh and you know what I've got to leave the wireless on so yeah it's not going to work and let me pull this guy back up here and see if we get because we 
had this working the other day so it's going to try to pull up the HTTP web page so if we go to 209 165 200 254 so Safari can't open the page right so we'll come back to that so with the pings though take a look ICMP is now functioning if I pull up the firewall and say show connection right here is our here are all the connections for which I maintain you can see we've got all kinds of DNS right because if it's trying to go to the 71 that's the Verizon DNS server because now we're on this iMac here which still has configuration to get to my outside Verizon service provider in DNS servers you can see port 53 right where is it showing up on the inside interface and there's that random high port ok and we can see all that information now there's our TCP connects right so we're going from the inside trying to get to the web server at 81 161 59 132 on port 80 and so this is the stateful information this is your connection table here are the connection objects which the aasa' is tracking to make that determination as to whether or not traffic is a allowed out you know to go from inside to outside and a connection entry to be created and be whether or not that traffic would be allowed coming back because when the traffic and there's an order of operations concern here right when the return traffic is coming back to these ICMP echo requests right so here's the aasa' inside interface outside interface right we've got you know all of our hosts out here plugged in on the inside we'll say I for inside 104 outside zero so I'm pinging right now and I'm pinging this router over here the ISP router the echo reply goes out and the echo request comes back and so the question is is what is evaluated first is it the state table the connection table right is it the stateful information that's looked at first or would it be the ACL and we have the answer to our question already it's the state table because what is the implicit a CL on that outside interface right now yeah it's 
referencing the global policy which says deny any any this is what's protecting us right now it's the state table that is saying I see traffic coming into the inside interface my service policy told me to apply the policy map to all interfaces on this a si and so when traffic shows up here for which the a si is going to inspect and create a connection object that stateful activity of creating a connection object when the a si creates that if it's allowed on that inside interface then we're allowed to go out that lower level security interface and when the traffic comes back the a si first checks the state table the connection table for a connection object because it's looking to see do I have an entry that I can look at and say yeah that ICMP echo reply coming back into the outside interface I have a state table entry in here and I am going to allow that to come back into the a si from a lower level security interface to the higher level security interface because it was initiated on the higher level interface and I have state information about that and so we know right now that by default the state table is looked at first because there is a deny any any on that interface implicitly defined because what I can't do is I can't come out here to the ISP and hang a host that's back over here it won't be allowed because the echo request and let me change colors I'm terrible at changing colors so I apologize the echo request if it was to come in here right what is the a si on the outside interface going to check yeah it's going to check the state table and it's going to say yeah unfortunately I don't have any connection objects that state that you can come in this outside interface there's nothing existing here that's telling me that yeah you've already been communicating and I'm going to poke a hole in this inside or this outside interface here to allow that traffic to come in it's not there there's no state information the traffic is dropped the traffic is dropped 
right and again that's what's happening by default so the state information is looked at first okay all right so let me go ahead and clear the screen here and I think that that is going to do it if we say show run let's take one last look or actually I could just simply say show a policy map and I can put the policy map name in here which is I've drawn a blank global policy global underscore policy policy and I cannot do that show policy policy list Oh she'll run sorry I left around she'll run policy map global underscore policy too many things to keep at the front of my mind so that way we don't see that other one that we want to ignore so here we go and what is different about this policy map now right what is different right there it's the inspect ICMP because now traffic initiated from the higher level security zone the inside security zone going to the outside security zone it's allowed and I now have state information being maintained for ICMP and hopefully you see that hopefully you've got a good solid understanding and I am really really hopeful that this explanation of how it is that the a si is a stateful device and what it is right that is making the a si a stateful device in the fact that the ACLS work hand in hand they are inextricably linked they are tightly coupled with the modular policy framework and so this is a good stopping point and the next module that I do is going to be on those access lists we're going to now start to combine the ACLs with the modular policy framework and we're going to see that this default behavior here let me refresh this real quick this default implicit behavior where anything from a higher level security interface can go to anything on a lower level security interface is allowed that will no longer be the case and again that's one of the confusing things for learners is that that you hear that when you're trying when you're learning first about the a si firewall you hear that statement that oh yeah you can go from any 
higher level security interface to any lower level security interface and that is true if and only if you have not applied explicit ACL rules to those interfaces that you're talking about and so that is what we're going to be tackling in module number whoops module number seven alright again I really appreciate your time I hope it was worth it I'm going to leave the question section open on this video on youtube so please feel free to give me your feedback did this make sense did it not make sense was it clear was it not clear and again really really hope that it was clear and that last bullet there about the global policy we saw that all right well this concludes module 6 again a monster module but this is one of the most important topics when we discuss the aasa' as the modular policy framework this is what makes the a si a stateful device all right thanks so much for watching hope to see you in module 7
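The order of operations the video argues for (connection table first, then the implicit higher-to-lower interface rule, then the global implicit deny), as an added toy model that is not Cisco code or part of the video. It assumes the lab's inside (100), dmz (50) and outside (0) interfaces, the 10.0.0.10 inside host and the 209.165.200.254 ISP router, treats TCP/UDP as tracked by default and ICMP only once inspect icmp is added, and leaves explicit ACLs (the next module's topic) out of the model.

```python
"""Toy model of the ASA stateful decision described in the transcript.
Added example, not Cisco code. Interface names, security levels and the two
addresses are assumptions taken from the video's lab; explicit ACLs are not
modelled."""
from dataclasses import dataclass, field

# Constructed: inside(100)/outside(0) from the lab plus the dmz the video
# creates with "security-level 50".
SECURITY_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}


@dataclass(frozen=True)
class Packet:
    ingress: str          # interface the packet arrives on
    egress: str           # interface it would leave through
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    reply: bool = False   # True for return traffic (echo reply, SYN-ACK, ...)


@dataclass
class ToyASA:
    # Protocols for which global_policy creates a connection object. TCP and
    # UDP are tracked on an ASA without extra configuration; ICMP only after
    # "inspect icmp" is added under class inspection_default.
    tracked: set = field(default_factory=lambda: {"tcp", "udp"})
    conn_table: set = field(default_factory=set)   # the "show conn" entries

    @staticmethod
    def flow_key(p: Packet) -> tuple:
        # A reply is matched against the entry its outbound packet created.
        return (p.proto, (p.dst, p.src) if p.reply else (p.src, p.dst))

    def implicit_rule(self, p: Packet) -> bool:
        """Implicit interface rule: permit only towards a less secure interface."""
        return SECURITY_LEVEL[p.ingress] > SECURITY_LEVEL[p.egress]

    def forward(self, p: Packet) -> str:
        if self.flow_key(p) in self.conn_table:      # 1. state table first
            return "permit (connection table)"
        if self.implicit_rule(p):                    # 2. implicit interface rule
            if p.proto in self.tracked:
                self.conn_table.add(self.flow_key(p))
            return "permit (implicit higher-to-lower rule)"
        return "deny (global implicit rule)"         # 3. catch-all deny any any


def ping_scenario(inspect_icmp: bool) -> tuple:
    """Echo request inside->outside, then the echo reply coming back in."""
    asa = ToyASA()
    if inspect_icmp:
        asa.tracked.add("icmp")                      # the "inspect icmp" line
    req = Packet("inside", "outside", "icmp", "10.0.0.10", "209.165.200.254")
    rep = Packet("outside", "inside", "icmp", "209.165.200.254", "10.0.0.10",
                 reply=True)
    return asa.forward(req), asa.forward(rep)
```

Without inspect icmp the request leaves but the reply hits the global deny, exactly what the debug ip packet output on the ISP router showed; with it, the reply matches the connection object and is permitted.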
Info
Channel: Travis Bonfigli
Views: 881
Rating: 5 out of 5
Keywords: AACC, CCNA, CCNP, CCIE, Cisco, Networking, Modular Policy Framework, MPF, ASA, Adaptive Security Appliance, Access Rules, network, Security, Firewall, class-map, policy-map, service-policy global_policy global
Id: EQWojnpzr_A
Length: 71min 22sec (4282 seconds)
Published: Sun Aug 06 2017