Tuesday, January 1, 2019

Cisco ASA FirePOWER Traffic Redirection, Security Zone and Network Object via ASDM

Below is the normal traffic flow in a Cisco ASA Firewall with FirePOWER module.


You can check the ASA Access Rules under Configuration > Firewall > Access Rules (click the box or maximize icon). There's an implicit permit rule for traffic from the inside and wifi interfaces going out to the Internet (outside), because the ASA allows traffic from a higher-security interface to a lower-security one by default. Traffic from inside to outside must be permitted by the ASA access rules and then redirected to the FirePOWER module by a service policy before Next-Generation firewall services such as IPS, URL filtering and Advanced Malware Protection (AMP) can be applied to it.


Below is the inspection flow for the FirePOWER Access Control Rules


Click on ASA FirePOWER to check the Access Control Policy for the FirePOWER module. Notice there are no rules created yet and the Default Action is set to Access Control: Trust All Traffic, which passes redirected traffic through without IPS, URL or file inspection until you add rules.


To redirect traffic to the FirePOWER module, go to Configuration > Firewall > Service Policy Rules. There's a global_policy with an inspection_default rule configured by default. Click on the inspection_default rule and click the Delete (trash) icon. Be aware of the side effect: inspection_default carries the default application inspections (DNS, FTP, ESMTP, SIP and so on), and once the new global policy created below replaces global_policy as the single global service policy, those inspections are no longer applied even though policy-map global_policy still appears in the running configuration. Deleting the rule is not required for the redirect; adding a class-default rule to the existing global_policy keeps the default inspections in place.



Click Add (down arrow) > Add Service Policy Rule


Leave the default settings in Step 1 and click Next.


Choose Use class-default as the traffic class > click Next.


Go to the ASA FirePOWER Inspection tab > tick Enable ASA FirePOWER for this traffic flow > leave the default Permit traffic under If ASA FirePOWER Card Fails > click Finish.

Permit traffic corresponds to sfr fail-open: if the FirePOWER module fails or is down, the ASA forwards the traffic uninspected rather than dropping it, so connectivity survives but IPS, URL filtering and AMP silently stop. Choose Close traffic (sfr fail-close) instead if you would rather block traffic than lose inspection while the module is unavailable.
 

Click Apply. ASDM will display an error; just click Close and confirm the result from the CLI as shown below.


Below is the resulting configuration for the traffic redirection to the FirePOWER module. I also generated some web traffic from a machine residing on the inside interface, which is why the class-default counters are non-zero.


ASA5506W-X# show run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
  inspect icmp error
policy-map global-policy
 class class-default
  sfr fail-open
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection


ASA5506W-X# show service-policy

Global policy:
  Service-policy: global-policy
    Class-map: class-default

      Default Queueing      SFR: card status Up, mode fail-open
        packet input 5636, packet output 5636, drop 0, reset-drop 0
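As an added example that is not part of the original post, here is the same redirect configured from the ASA CLI rather than ASDM, but written the way the two caveats above suggest: the inspection_default class (and its default inspections) stays on global_policy, the class-default rule is added to that same policy instead of a new global-policy, and the module fails closed instead of open. The fail-close choice is an assumption about the desired behaviour, not the post's setting; the inspection list is the one shown in the post's show run output.

```text
! Keep the default application inspections on the existing global policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
 ! Redirect all remaining traffic to the FirePOWER (sfr) module.
 ! fail-close drops traffic if the module is down; the post's ASDM default
 ! ("Permit traffic") is the equivalent of "sfr fail-open".
 class class-default
  sfr fail-close
!
! Only one global service policy can be applied, so global_policy stays the applied one
service-policy global_policy global
!
! Verification: class-default should now report "SFR: card status Up, mode fail-close"
show service-policy
! Module health, independent of the service policy
show module sfr
```

The ASDM equivalent is Add Service Policy Rule > Step 1: Global (policy name global_policy, without deleting inspection_default) > Use class-default as the traffic class > ASA FirePOWER Inspection tab > Close traffic. If you keep fail-open for availability reasons, monitor the "card status" field in show service-policy or show module sfr, since a module failure will otherwise go unnoticed while traffic keeps flowing.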


You'll need to prepare several objects (aliases) for use in the FirePOWER Access Control Policy rules. First, create the logical Security Zones under Configuration > ASA FirePOWER Configuration > Object Management > Security Zones > Add Security Zone.


Choose ASA (the only option available) under Type in order to load the Available Interfaces. In my case the list showed the outside interface, several inside interfaces and wifi.


Type a Name (INSIDE-WIRED) > select the interface(s) > Add > Store ASA FirePOWER changes.

I encountered an issue wherein there were no hits on the FirePOWER access rules. The fix was to add all the inside interfaces to the zone except the interface going to the FirePOWER module (inside-1), which is the direct cable between the ASA 5506W-X G1/2 port and the module's MGT1/1 interface. That link carries the module's management traffic, not user traffic, so it does not belong in a user-facing zone.


Click the arrow on the Security Zone Object (INSIDE-WIRED) to expand and show its associated interfaces.


Configure the same way for the wifi and outside interfaces, giving each its own Security Zone.



Click the arrow to expand the Security Zone Object and show its associated interfaces.


Next, create individual network objects under Configuration > ASA FirePOWER Configuration > Object Management > Network > Individual Objects.

By default, a Network Object covering the RFC 1918 private networks is already configured.


Click Add Network > Type a Name for the Network Object > type the Network (CIDR notation) > click Add > Store ASA FirePOWER Changes.

In this case I added the inside wired (192.168.1.0/24) and wifi (192.168.10.0/24) networks.
 



You then create a Network Group Object to tie together the individual network objects created earlier, under Configuration > ASA FirePOWER Configuration > Object Management > Network > Object Groups > Add Network Group.


Type a Name for the Network Group Object > select the individual Network Objects on the left > click Add to move under Selected Networks on the right > Store ASA FirePOWER changes.


