Introduction
This document provides configuration scenarios for the Intrusion Prevention System (IPS) module on an Adaptive Security Appliance (ASA) 5500-X.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- ASA 5500x IPS modules
Components Used
The information in this document is based on these software and hardware versions:
- ASA 5500x IPS modules
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background
With the introduction of the ASA 5500x and the software implementation of IPS, there are fundamental changes to the way IPS management is allowed to behave.
- The IPS can only use Management 0/0 interface for external management access.
- If the ASA has a nameif assigned to Management 0/0, the IPS must have an address in the same subnet as the nameif.
- You cannot remove the management-only command from the Management 0/0 interface of the ASA.
- If the ASA tries to route traffic through the management nameif with the "management-only" statement, the ASA drops the traffic.
- If there is no nameif assigned to the Management 0/0, the IPS functions similarly to the Advanced Inspection and Prevention Security Services Module (AIP-SSM) modules management interface.
These behaviors inhibit communications from the IPS to external networks that pass through the ASA if there is a nameif on the Management 0/0 interface. The ASA drops connections that pass through other interfaces as through-the-box traffic because the IP address belongs to the "management" nameif subnet. This can also cause problems because the IPS needs external gateways in order to route traffic properly to the ASA.
Preface
The IPS module on the ASA 5500X uses the Management 0/0 interface to communicate with the outside world. This document provides information on how to set up this interface in multiple environments.
All scenarios include this basic address scheme:
- ASA outside interface: 203.0.113.1/24
- ASA inside interface: 198.51.100.1/24
- ASA management interface: 192.0.2.1/24
- IPS management address: 192.0.2.2/24
All scenarios assume that the inside interface and Management 0/0 are connected to the same switch.
Note: If there is a nameif assigned to the ASA Management 0/0 interface, a Layer 3 device with interfaces in both the "inside" and "management" nameif sub-networks is required. The IPS also requires that its default gateway be located on that Layer 3 device.
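The Background list and the note above amount to a small set of placement rules: with a nameif on Management 0/0, the IPS address and its gateway must sit in that subnet, the gateway must not be the ASA itself (the ASA drops through-the-box traffic on a management-only nameif), and a host route for the IPS must point at the Layer 3 device via a traffic-bearing interface; without a nameif, the IPS address must be reachable from a traffic-bearing interface. The following Python script is an added example, not Cisco code or part of the original document. It parses the interface and route lines of an ASA configuration plus the output of "show module ips details | include Mgmt" and reports which of those rules are violated. The configurations and show output below are constructed from the address scheme in the Preface; only the command forms that appear on this page are recognised.

```python
import ipaddress
import re

# Constructed sample inputs (not the document's configurations verbatim),
# using the address scheme this document defines.
ASA_WITH_MGMT_NAMEIF = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 management-only
!
route inside 192.0.2.2 255.255.255.255 198.51.100.254 1
"""
ASA_NO_MGMT_NAMEIF = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
!
interface Management0/0
 no nameif
 security-level 0
 management-only
"""
# Constructed "show module ips details | include Mgmt" output for each case.
IPS_IN_MGMT_SUBNET = "Mgmt IP addr: 192.0.2.2\nMgmt Network mask: 255.255.255.0\nMgmt Gateway: 192.0.2.254\n"
IPS_IN_INSIDE_SUBNET = "Mgmt IP addr: 198.51.100.2\nMgmt Network mask: 255.255.255.0\nMgmt Gateway: 198.51.100.1\n"
IPS_GATEWAY_ON_ASA = "Mgmt IP addr: 192.0.2.2\nMgmt Network mask: 255.255.255.0\nMgmt Gateway: 192.0.2.1\n"


def parse_interfaces(config):
    """Return {ifname: {nameif, ip (IPv4Interface), management_only}} from 'interface' blocks."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):            # top-level command: start or end an interface block
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                ifaces[current] = {"nameif": None, "ip": None, "management_only": False}
            continue
        if current is None:
            continue
        tok = line.split()
        if tok[0] == "nameif":
            ifaces[current]["nameif"] = tok[1]
        elif tok[:2] == ["ip", "address"]:
            ifaces[current]["ip"] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "management-only":
            ifaces[current]["management_only"] = True
    return ifaces


def parse_routes(config):
    """Return [(nameif, destination network, next hop)] from 'route' lines."""
    routes = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        ifc, dest, mask, nh = m.groups()
        routes.append((ifc, ipaddress.IPv4Network(f"{dest}/{mask}"), ipaddress.IPv4Address(nh)))
    return routes


def parse_ips_mgmt(show_output):
    """Extract the IPS management address/mask and gateway from the show output."""
    f = dict(re.findall(r"^Mgmt (IP addr|Network mask|Gateway):\s*(\S+)", show_output, re.M))
    return {"ip": ipaddress.IPv4Interface(f"{f['IP addr']}/{f['Network mask']}"),
            "gateway": ipaddress.IPv4Address(f["Gateway"])}


def check_ips_management(config, show_output):
    """Return a list of rule violations (empty means the placement is consistent with this document)."""
    findings, ifaces, routes, ips = [], parse_interfaces(config), parse_routes(config), parse_ips_mgmt(show_output)
    mgmt = ifaces.get("Management0/0")
    if mgmt is None:
        return ["Management0/0 not found in configuration"]
    # Traffic-bearing interfaces: everything with a nameif other than Management0/0.
    traffic = {v["nameif"]: v["ip"] for k, v in ifaces.items() if k != "Management0/0" and v["nameif"] and v["ip"]}
    if mgmt["nameif"] and mgmt["ip"]:
        net = mgmt["ip"].network
        if ips["ip"].ip not in net:
            findings.append(f"IPS address {ips['ip'].ip} is outside the {mgmt['nameif']} subnet {net}")
        if ips["gateway"] not in net:
            findings.append(f"IPS gateway {ips['gateway']} is outside the {mgmt['nameif']} subnet {net}")
        elif ips["gateway"] == mgmt["ip"].ip:
            findings.append("IPS gateway is the ASA Management0/0 address; the ASA drops traffic routed "
                            "through a management-only nameif")
        host = ipaddress.IPv4Network(f"{ips['ip'].ip}/32")
        if not any(r[1] == host and r[0] in traffic and r[2] in traffic[r[0]].network for r in routes):
            findings.append(f"no static route for {host} via a Layer 3 next hop on a traffic-bearing interface")
    elif not any(ips["ip"].ip in n.network for n in traffic.values()):
        findings.append(f"IPS address {ips['ip'].ip} is not in any traffic-bearing interface subnet")
    return findings


if __name__ == "__main__":
    for cfg, show in ((ASA_WITH_MGMT_NAMEIF, IPS_IN_MGMT_SUBNET), (ASA_NO_MGMT_NAMEIF, IPS_IN_INSIDE_SUBNET),
                      (ASA_WITH_MGMT_NAMEIF, IPS_GATEWAY_ON_ASA)):
        print(check_ips_management(cfg, show) or "OK")
```

The two "OK" cases correspond to Scenario 2 and Scenario 1 respectively; the third input has the IPS pointed at the ASA's own management address and is reported. Paste the real "show module ips details" output and the interface and route sections of "show running-config" in place of the constructed strings to check a live unit.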
Scenarios
Scenario 1
Best Practice for Setup of IPS and ASA Management
- IPS and ASA management cannot both be accessed through the Management 0/0 interface.
- There should be no nameif assigned to the ASA Management 0/0 interface. ASA management is accessed on traffic bearing interfaces.
- The IPS is given an IP address reachable from the “inside” nameif.
- Access from the “inside” occurs through either the switch or router, without involvement of the ASA.
- In order to allow management from the outside, create a static Network Address Translation (NAT) for the sensor IP address, or define port forwarding to the appropriate port (port redirection is used in this example).
In this scenario, IPS management communication to the outside network behaves like that of any other host on the inside network. This path is used for signature updates, Global Correlation, and IPS Service License requests.
Configuration:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.0.0
!!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
!!
interface Management0/0
 no nameif
 security-level 0
 management-only
!!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network IPS-management
 host 198.51.100.2
object network ASA-inside
 host 198.51.100.1
object network ASA-outside
 host 203.0.113.1
object-group service HTTP
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list global_access extended permit ip any any
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group HTTP object IPS-management any
nat (inside,outside) source dynamic IPS-management IPS-management interface
nat (inside,outside) static IPS-management ASA-outside service tcp 443 65432
!! Use of an ephemeral port allows for the use of common ports for other
!! network applications. This also conceals the actual management port by making it
!! not well known.

ASA# show module ips details | include Mgmt
Mgmt IP addr: 198.51.100.2
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 198.51.100.1
Mgmt Access List: 0.0.0.0/0
Mgmt web ports: 443
Mgmt TLS enabled: true
Scenario 2
IPS management is in the same subnet as the “management” nameif and is in a Layer 3 network
- Point the gateway of the IPS to a Layer 3 interface in the network other than the ASA management nameif IP. This device must support routing between both subnets; for example, IPS 192.0.2.2/24 with gateway 192.0.2.254.
- Create a static route on the inside interface of the ASA to point the traffic to the layer 3 interface IP address; for example, route inside 192.0.2.2 255.255.255.255 192.0.1.254.
- Make sure all access control list (ACL) and NAT rules apply to the IP address of the IPS management.
In this configuration, the IPS sends Global Correlation updates, License requests, and IPS signature update requests to its default gateway (192.0.2.254), and the traffic is translated to the outside address. Return traffic routes back via the inside route and is forwarded to the Layer 3 device that has an interface in both the inside and management networks.
Configuration:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.0.0
!!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
!!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service HTTP
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list global_access extended permit ip any any
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group HTTP host 192.0.2.2 any
route inside 192.0.2.2 255.255.255.255 198.51.100.254 1

ASA# show module ips details | include Mgmt
Mgmt IP addr: 192.0.2.2
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.0.2.254
Mgmt Access List: 0.0.0.0/0
Mgmt web ports: 443
Mgmt TLS enabled: true
Scenario 3
IPS management is needed from the outside interface and there is a “management” nameif
- Point the gateway of the IPS to a Layer 3 interface in the network other than the ASA management nameif IP. This device must support routing between both subnets.
- Create a static route on the inside interface of the ASA to point the traffic to the Layer 3 interface IP address.
- Make sure all ACL and NAT rules apply to the IP address of the IPS management.
Everything is the same as in Scenario 2, except that an ACL must be written to allow a host on the outside to manage the IPS.
Configuration:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.0.0
!!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
!!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 management-only
!!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ASA-management
 host 192.0.2.1
object network ASA-inside
 host 198.51.100.1
object network IPS-management
 host 192.0.2.2
object-group service HTTP
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list global_access extended permit ip any any
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group HTTP object IPS-management any
object-group service MGMT_SERVICES
 service-object tcp-udp destination eq http
 service-object tcp destination eq https
 service-object tcp destination eq ssh
access-list outside_access_in line 1 remark Allow outside management to IPS.
access-list outside_access_in line 2 extended permit object-group MGMT_SERVICES host 203.0.113.1 object IPS-management
access-group outside_access_in in interface outside
nat (inside,outside) source dynamic IPS-management IPS-management interface
route inside 192.0.2.2 255.255.255.255 198.51.100.254 1

ASA# show module ips details | include Mgmt
Mgmt IP addr: 192.0.2.2
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.0.2.254
Mgmt Access List: 0.0.0.0/0
Mgmt web ports: 443
Mgmt TLS enabled: true
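Scenarios 2 and 3 both end with "make sure all ACL and NAT rules apply to the IP address of the IPS management", which is easy to get wrong once the address is hidden behind an object name. The Python script below is an added example, not Cisco code or part of the original document. It resolves "object network" hosts, parses the "access-list ... extended" and "nat (...) source" forms used on this page, and reports which outbound permits, inbound permits and NAT rules actually match the IPS management address, plus findings when the outbound permit or the NAT rule is missing. The configuration fragment is constructed in the style of Scenario 3; the address and object names follow this document's scheme, and only the address terms that appear on the page (any, host, object, network/mask) are understood.

```python
import ipaddress
import re

# Constructed sample fragment in the style of Scenario 3 (not the document's listing verbatim).
SAMPLE_CONFIG = """\
object network ASA-management
 host 192.0.2.1
object network IPS-management
 host 192.0.2.2
object-group service HTTP
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group HTTP object IPS-management any
access-list outside_access_in line 1 remark Allow outside management to IPS.
access-list outside_access_in line 2 extended permit object-group MGMT_SERVICES host 203.0.113.1 object IPS-management
nat (inside,outside) source dynamic IPS-management IPS-management interface
"""


def parse_objects(config):
    """Map 'object network NAME' / ' host A.B.C.D' pairs to addresses."""
    return {m.group(1): ipaddress.IPv4Address(m.group(2))
            for m in re.finditer(r"^object network (\S+)\n host (\S+)", config, re.M)}


def _addr_spec(tok, i, objs):
    """Parse one ACE address term at tok[i]: any | host A | object NAME | NET MASK.
    Returns (matcher, description, index of the next token)."""
    if tok[i] == "any":
        return (lambda ip: True), "any", i + 1
    if tok[i] == "host":
        h = ipaddress.IPv4Address(tok[i + 1])
        return (lambda ip: ip == h), f"host {h}", i + 2
    if tok[i] == "object":
        h = objs[tok[i + 1]]
        return (lambda ip: ip == h), f"object {tok[i + 1]}", i + 2
    net = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}")
    return (lambda ip: ip in net), str(net), i + 2


def parse_aces(config, objs):
    """Parse 'access-list NAME [line N] extended permit|deny SERVICE SRC DST' lines (remarks are skipped)."""
    aces = []
    for m in re.finditer(r"^access-list (\S+)(?: line \d+)? extended (permit|deny) (.*)$", config, re.M):
        name, action, rest = m.groups()
        tok = rest.split()
        svc, i = (tok[1], 2) if tok[0] == "object-group" else (tok[0], 1)
        src, src_desc, i = _addr_spec(tok, i, objs)
        dst, dst_desc, i = _addr_spec(tok, i, objs)
        aces.append({"acl": name, "action": action, "service": svc,
                     "src": src, "src_desc": src_desc, "dst": dst, "dst_desc": dst_desc})
    return aces


def parse_nat(config):
    """Return [(real_ifc, mapped_ifc, real_object)] from twice-NAT 'nat (...) source dynamic|static' lines."""
    return [m.groups() for m in re.finditer(r"^nat \((\S+),(\S+)\) source (?:dynamic|static) (\S+)", config, re.M)]


def ips_rule_coverage(config, ips_ip):
    """Report which ACEs and NAT rules cover the IPS management address, with findings for gaps."""
    ip = ipaddress.IPv4Address(ips_ip)
    objs = parse_objects(config)
    aces = parse_aces(config, objs)
    # Outbound: permits whose source term matches the IPS (including 'any').
    outbound = [f"{a['acl']}: {a['service']} from {a['src_desc']}"
                for a in aces if a["action"] == "permit" and a["src"](ip)]
    # Inbound: permits whose destination names the IPS specifically (a destination of 'any' is not management access).
    inbound = [f"{a['acl']}: {a['service']} from {a['src_desc']}"
               for a in aces if a["action"] == "permit" and a["dst_desc"] != "any" and a["dst"](ip)]
    nat = [f"({real},{mapped})" for real, mapped, obj in parse_nat(config) if objs.get(obj) == ip]
    findings = []
    if not outbound:
        findings.append(f"no ACL permit with {ip} as source: updates and license requests would be blocked")
    if not nat:
        findings.append(f"no NAT rule translates {ip}: outbound management traffic keeps its private address")
    return {"outbound": outbound, "inbound": inbound, "nat": nat, "findings": findings}


if __name__ == "__main__":
    for k, v in ips_rule_coverage(SAMPLE_CONFIG, "192.0.2.2").items():
        print(f"{k}: {v}")
```

Run it against "show running-config" with the address from "show module ips details"; a non-empty "findings" list is the case the bullet warns about, and the "inbound" list shows exactly which outside sources are permitted to reach the IPS management services.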
Scenario 4
IPSec Tunnel Directly Connected to the ASA
- Termination of a VPN tunnel to the ASA has the same effect as management from the interface on which you terminate the VPN.
- Once you have set up your VPN, you need to write a route from the interface on which the VPN terminates, with the next hop set to an internal Layer 3 gateway.
- The IPS management also needs to point to a gateway that does not reside on the ASA, but inside the "management" nameif.
- If there are no Layer 3 devices behind the ASA, you must remove the "management" nameif and the IP address on the ASA Management 0/0, and then place the IPS in the "inside" nameif subnet.
Management traffic that leaves the IPS works the same as in a network without the VPN connection. However, management access must be addressed from the network on which the VPN terminates.
Configuration:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.0.0
!!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
!!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 management-only
!!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ASA-management
 host 192.0.2.1
object network ASA-inside
 host 198.51.100.1
object network IPS-management
 host 192.0.2.2
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp destination eq www
 service-object tcp destination eq https
access-list global_access extended permit ip any any
access-list global_access_1 remark Allow IPS management out through to the internet.
access-list global_access_1 extended permit object-group DM_INLINE_SERVICE_1 object IPS-management any
no pager
logging enable
ip local pool vpn 198.51.100.3-198.51.100.49 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
access-group global_access_1 global
route outside 0.0.0.0 0.0.0.0 203.0.113.2
route inside 192.0.2.2 255.255.255.255 198.51.100.254 1
dynamic-access-policy-record DfltAccessPolicy
 description "access"
 webvpn
  svc ask enable default svc
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
crypto ipsec ikev1 transform-set tranny esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime kilobytes 20000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
crypto isakmp identity address
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcp-client client-id interface outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 port 8080
 enable outside
 enable inside
 dtls port 8080
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect profiles ANYconnect disk0:/anyconnect.xml
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
 address-pools value vpn
 webvpn
  anyconnect profiles value ANYconnect type user

ASA# show module ips detail | include Mgmt
Mgmt IP addr: 192.0.2.2
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.0.2.254
Mgmt Access List: 0.0.0.0/0
Mgmt web ports: 443
Mgmt TLS enabled: true