Transparent firewalling with Cisco ASAv

Topology

Snap4

Lab Objective

Linux 7 and Linux 8 are within the same subnet, however all initiated traffic towards Linux 8 must be blocked.

Linux 8 is allowed to access to all destination.

ASAv Setup

  1. Change ASAv1 and ASAv2 into transparent firewall

firewall transparent

2. Configure failover on ASAv1 as primary

!one of the interface will be a standby.
int redundant1
member-interface gi0/0
member-interface gi0/1
exit

!declare ASAv1 as failover primary
failover lan unit primary

!assign redundant1 as the failover link,
!"failover" is the name of the failover link.
failover lan interface failover redundant1

!assign redundant1 as the state link
!"failover" is the name of the stateful link.
failover link failover redundant1

!assign failover ip addresses, standby is the address 
!for the secondary peer
failover interface ip 192.168.1.1 255.255.255.252 standby 192.168.1.2

!lastly enable failover
failover
end

!Gi0/2 will be the link downstream to the switch
!This interface will trunk two vlans 10 and 19.
!vlan 10 is untrusted (outside) 
!vlan 19 is trusted (inside)
!Create subinterfaces and tag vlan ids
interface gi0/2.10
vlan 10
nameif outside10
security-level 0
bridge-group 10
exit

interface gi0/2.19
vlan 19
nameif inside19
security-level 100
bridge-group 10
exit

!Create interface BVI 10 which is bridge-group10
!BVI ip addresses can be used for monitor interface
!if gi0/2 is down a failover will occur.
interface bvi10
ip address 10.10.10.253 255.255.255.0 standby 10.10.10.254
exit

!Monitor interface of outside10 and inside19
!whenever these links are down a failover will occur
!use the "no monitor-interface" command to disable monitoring.
!the "no monitor-interface" command will not trigger a failover.
monitor-interface outside10
monitor-interface inside19

SW5 and SW6 setup
SW5 and SW6 are access switches connecting to Linux 7 and Linux 8 respectively. Assign Linux 7 to vlan 10 and Linux 8 to vlan 19. Linux 7 and Linux 8 are belonging to the same subnet 10.10.10.0/24.
Linux 7 = 10.10.10.4
Linux 8 = 10.10.10.8
Below configuration is the same for both SW5 and SW6


!Available vlans are 10 and 19, trunk all vlans
interface Ethernet1/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
end
interface Ethernet1/1
switchport trunk encapsulation dot1q
switchport mode trunk
end

Assign vlan 10 to Linux 7 on SW5 and vlan 19 to Linux 8 on SW6


SW5#sh run int e0/1
Building configuration...

Current configuration : 104 bytes
!
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
end

SW6#sh run int e0/1
Building configuration...

Current configuration : 104 bytes
!
interface Ethernet0/1
 switchport access vlan 19
 switchport mode access
 spanning-tree portfast
end

L3-3 and L3-4 setup
vlan 19 is a non-routable vlan, transparent firewall uses L2 to segregate between inside and outside. The gateway of Linux 8 is actually the SVI of vlan 10 which is a virtual ip address of HSRP.


L3-3#sh run int vlan 10
Building configuration...

Current configuration : 221 bytes
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 standby 10 ip 10.10.10.3
 standby 10 timers msec 800 msec 2400
 standby 10 priority 110
 standby 10 preempt delay minimum 10
 standby 10 authentication hsrp10
end

L3-3#sh run int gi0/0
Building configuration...

Current configuration : 169 bytes
!This is connecting towards ASAv1, vlan 10 and 19 are tagged.
interface GigabitEthernet0/0
 switchport trunk allowed vlan 10,19
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
end

L3-4#sh run int vlan 10
Building configuration...

Current configuration : 179 bytes
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.3
 standby 10 timers msec 800 msec 2400
 standby 10 preempt
 standby 10 authentication hsrp10
end

L3-4#sh run int gi0/0
Building configuration...

Current configuration : 169 bytes
!
interface GigabitEthernet0/0
 switchport trunk allowed vlan 10,19
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
end

 

Verification
I have not put in firewall policy to ASAv yet, however it will still work and prove that transparent firewalling on ASAv works fine.

In cisco’s ASA way nameif and security-level has to be defined. A higher security-level is by default allow to any nameif with security-level that is lower.

Hence in Linux 8 case, it can access Linux 7 even if there is no explicit firewall policy defined and by default Linux 7 access to Linux 8 is blocked.

First I will want to test icmp from Linux 8 to Linux 7, however the icmp reply will be blocked. Either create a two way rule that is to allow Linux 7 icmp-reply to Linux 8 and Linux 8 icmp-echo to Linux7 or inspect icmp in global_policy.

Creating a firewall policy will override the behaviour of security-level, that is once you created a firewall policy security-level will be useless and Linux 8 will only allow to ping and cannot access anywhere.


policy-map global_policy
class inspection_default
inspect icmp
linux8 ping to linux7

Linux 8 is pinging to Linux 7 with replies.

linux7 ping to linux8

Ping from Linux 7 to Linux 8 is blocked by default. Due to Linux 7 is in a lower security-level than Linux 8.

Advertisements
This entry was posted in ASA/PIX, Firewall, General stuffs, Security and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s