Icon
Icon		Icon
Icon		Icon
Icon

Troubleshooting Cisco Secure PIX Firewalls

1:20 AM
0 comments


Troubleshooting Cisco Secure PIX Firewalls

A PIX firewall falls into the category of stateful firewall. It provides security to the perimeter network by creating and maintaining the state information of connections. PIX boosts performance because its OS is embedded and runs directly from RAM for packet processing. Cisco Adaptive Security Appliance (ASA 5500 Series), is the next-generation security appliance, which runs the same OS as the PIX, but provides more security services (for example, an SSM blade for IPS, SSL VPN, and so on) than PIX Firewall. Beginning with Version 7.0, the ASA 5500 (minimum version requirement on the ASA is 7.0), and PIX platforms (running Version 7.0), provide the same firewall features. As the primary focus of this chapter is to discuss firewall features, additional services provided by the ASA 5500 (IPS, SSL, VPN, and so on) will not be discussed. The troubleshooting discussion in this chapter is based on the PIX platform, which also can be used for ASA 5500.
PIX Firewall has a very flexible and robust command-line interface (CLI) parser that is very similar to a router (in particular on PIX Version 7.0). In addition, a GUI such as Adaptive Security Device Manager or ASDM (formally known as PIX Device Manager or PDM) and a firewall management console (MC) can be used to manage the PIX firewall. Most troubleshooting, however, is performed using the CLI; hence the primary focus on the chapter is using the CLI on the new version of PIX, which is 7.0.

Overview of PIX Firewall

The architecture of PIX Firewall is based on the Adaptive Security Algorithm (ASA), which maintains the state information and provides security to your connection. ASA is a set of rules and policies that the packet has to conform to while traversing the firewall. As mentioned before, PIX is a stateful firewall, which means it works based on connections, not on a per-packet basis. It remembers every connection through the firewall.

ASA

ASA has the following characteristics:
  • ASA provides a stateful connection.
  • ASA allows return packets for established connections.
  • ASA tracks source and destination ports and addresses, Transmission Control Protocol (TCP) sequences, and additional TCP flags.
  • TCP sequence numbers are randomized.
  • The inside interface has a security level of 100.
  • The outside interface has a security level of 0.
  • Demilitarized zone (DMZ) interfaces have user-settable security levels from 1 through 99.
  • Starting with PIX OS 5.2, users are allowed to change the default security levels of both the outside and inside interfaces, but it is not recommended.
  • By default, the PIX allows traffic to pass from higher security interfaces to lower security interfaces, and in the case of TCP and User Datagram Protocol (UDP) connections, it allows the return traffic back through. The same does not hold for Internet Control Message Protocol (ICMP).

PIX Packet Processing

Packet flow across the PIX firewall is depicted in Figure 3-1. Work through the following steps to understand the packet flow:

1.
Packets are received on the ingress interface

Packets arrive on the ingress interface, which is indicated by input counters of the interface.
2.
Existing connection checks

Packets go through the existing connection check. If the connection exists, the ACL check is bypassed. If there is no existing connection, TCP non-SYN packets will be dropped and logged. If PIX receives a TCP SYN or UDP request packet, packets are passed to ACL checks.

3.
Interface ACL check

The initial packet in the flow of packet is processed through interface ACLs. Packets that are denied by interface ACLs are dropped and logged.

4.
NAT check

The initial packet in the flow must match a translation rule. To perform NAT, it is important to know the egress interface. Hence a quick route lookup is performed. If the translation is turned off, the translation is skipped. If the NAT is configured and the translation rule is matched, the connection is created on the PIX firewall. If an overlapping NAT is configured, the following order of NAT operations is performed:

a. nat 0 access-list (nat-exempt).
b. Match existing xlates.
c. Match static commands (first match). Static NAT with and without access-list is checked before Static PAT with and without an access-list.
d. Match nat commands. nat access-list is matched first. Then nat
is checked. If the ID is 0, create an identity xlate. Use a global pool for dynamic NAT. Use a global pool for dynamic PAT.
5.
Inspection check

Inspections are applied to NAT embedded IPs in the payload. Commands in control channels are inspected for compliance and secondary data channels. Additional security checks are also applied to the packet with inspection.

6.
Perform NAT

Perform IP address or the port translation.

7.
Packets forwarded to egress interface

Packets are forwarded to the egress interface. The egress interface is determined by the translation rules first. If translation rules do not specify the egress interface, the global route lookup is performed to determine the egress interface.
8.
Interface route lookup

Once the packet is on the egress interface, an interface route lookup is performed. Only routes pointing out the egress interface are used to forward the packet. Remember that the translation rule can forward the packet to the egress interface, even though the routing table may point to a different interface.

9.
Layer 2 address lookup for the next-hop address

After the interface route lookup is performed, the next-hop address is identified. At this stage, ARP resolution is performed. Then the packets are put in the wire, and the interface counters are incremented.

File System Overview

When upgraded to PIX 7.0, PIX Flash memory is reformatted. The contents of the files are different than in the older versions. Table 3-1 shows the different files that go into Flash on PIX Firewall Version 6.3 and earlier, and on PIX Firewall Version 7.0 and later.

Table 3-1. Different Files Go Into Flash On Different Versions
Release 6.3 and Earlier
Release 7.0 and Later
SW Image
SW Image
Config File
Config File
Private Data File
Private Data
PDM Image
ASDM Image
Crash Information
Backup Image (If disk and flash space are available)
Backup config file (if disk and flash space are available)
Virtual Firewall Config File
Crash Info (Internal Only) 1M/ASA, 128K/PIX

The Flash file system can be viewed with either the dir or show flash command as shown in Example 3-1.

Example 3-1. Flash File System on PIX 7.0

PIX# dir
Directory of flash:/
3      -rw-  4902912     13:37:33 Nov 24 2004   cdisk.7.0.0.89
4      -rw-  6748932     13:21:13 Nov 24 2004   ASDM
16128000 bytes total (4472832 bytes free)
PIX(config)#
! Boot [system | config}  is the command that needs to be used to define the file
! using which the system should boot. It is possible to store more than one system
! image and config file. Designate which system image and start-up config file to boot.
PIX(config)# boot system flash:/cdisk.7.0.0.89
! Verify the start-up System Image. Display the system boot image.
PIX# show bootvar
BOOT variable = flash:/cdisk.7.0.0.89
Current BOOT variable = flash:/cdisk.7.0.0.89
CONFIG_FILE variable =
Current CONFIG_FILE variable =
PIX#

Table 3-2 shows the commands available to work with the Flash File System CLI.

Table 3-2. Commands Available for PIX Flash File System
Command
Meaning
cd
Change the current working directory to the one specified.
delete
Deletes a file. If a path is not specified, the file would be deleted from the current working directory. When deleting files the user would be prompted with the filename and asked to confirm the delete. The /recursive option would delete files recursively.
dir
Displays the content of the current directory.
format
Formats the disk using File Allocation Table (FAT).
mkdir
Creates a new directory.
more
Displays the contents of a specified file. more [/ascii] [/binary][disk:][]
rename
Renames a specified file.
rmdir
Removes a specified directory. Use will be prompted.
pwd
Shows the present working directory.
copy
Copies a file from flash: ftp, http, https, running and startup config tftp, system.

Example 3-2 shows the debug command available for troubleshooting the Flash file system.

Example 3-2. debug Command For Troubleshooting File System

PIX# debug disk ?
  file
  file-verbose
  filesystem
PIX# debug disk

You might receive the following warnings and errors related to file system misbehavior: Out of space, run fsck, filename too long, no such file. The solution for these is self evident.

Access-List

The implementation of access-list is same as before on the PIX firewall, with some additional features that are discussed in the sections that follow.

time-range Keyword
The time-range keyword provides a way for the Network Security Manager to specify a time interval when connectivity to the specified destinations is permitted or denied. Multiple time ranges can be defined. The command allows easy and routine control of traffic connectivity through the firewall device.
The time-range keyword is used to control the execution of various features in the PIX/ASA. The time-range feature is available in access control and VPN access hours (an attribute of group policy).
First, define a period of timestart/stop, certain days, and so on, that can be evaluated to a true/false condition when compared to the current appliance time.
Then, place the keyword qualifier Time-Range with the name as one of the last parameters on an access-list statement that describes the connectivity path.
The Time-Range keyword, when applied on an access-list statement, identifies a statement that is applied only when the current time of the security appliance clock is in the time period specified by the command (a true condition). Example 3-3 shows how to configure the time-range option.

Example 3-3. Using the time-range Command

! Choose a time-range name:
PIX(config)# time-range ?
  WORD < 64 char Time range name
PIX(config)# time-range sevt
PIX(config-time-range)# ?
! More than one periodic entry can be defined. Decide how to specify the time period:
PIX(config-time-range)# ?
Time range configuration commands:
  absolute  absolute time and date (one per time-range)
  exit      Exit from time-range configuration mode
  help      Help for time-range configuration commands
  no        Negate a command or set its defaults
  periodic  periodic time and date (multiple are permitted)
! More than one TIME-RANGE entry can be made Absolute Time Start and End, or just start
! with no end, . . . or end with no start (immediate start)
PIX(config-time-range)# absolute ?
  end    ending time and date
  start  starting time and date
PIX(config-time-range)# periodic ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday
! And finally a configuration
. . .
time-range BusinessHours
 absolute start 10
 periodic weekdays 7
. . .
access-list outside_mpc_in remark Only WWW traffic goes to DMZ
access-list outside_mpc_in extended permit tcp any 1.1.1.0 255.255.255.0 eq www
time-range BusinessHours
. . .
! "show time-range", "show clock" and "show access-list" are useful debugging commands
! when trying to determine if a time-range or ACE is active at the current time. e.g
! (note the inactive label in the ace below):
PIX# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL1; 2 elements
access-list ACL1 line 1 extended permit ip any any time-range TR1 (hitcnt=0)
  (inactive)
access-list ACL1 line 2 extended deny ip any any (hitcnt=0)
PIX#


Enable/Disable
Access Control Lists (ACLs) are common traffic control commands. PIX OS 7.0 provides more control, especially in troubleshooting, by providing an easy way to "turn on" or "turn off" the processing of a specific access policy (access-list entry). This aids greatly in troubleshooting.
The keyword INACTIVE is applied at the end of an access-list entry to remove it from processing.
The command syntax for applying the access-list is as follows:
[View full width]
access-list outside_access_in extended permit tcp any object-group mail-servers eq smtp 
inactive

There are no debug commands, output, logging outputs, caveats, or limitations specifically related to this keyword. Debug information comes from the access-list command features.

Outbound ACL
PIX OS 7.0 provides more granular access control by allowing both "incoming at interface" and "outgoing at interface" access policies to be configured.
The OUT keyword is applied on the access-group command. It identifies an access policy (access-list) that applies to outgoing traffic at the specified interface. The OUT keyword can reduce the number of commands in a configuration and make its logical interpretation easier.
To bind an access-list to an interface, use the access-group command in global configuration mode. To unbind an access-list from the interface, use the "no" form of this command.
access-group access-list {in | out} interface interface_name [per-user-override]
  no access-group access-list {in | out} interface interface_name

Example 3-4 shows how to use the access-list and apply that as outbound.

Example 3-4. Using an Outbound ACL

PIX# configure terminal
PIX(config)#
PIX(config)# names
PIX(config)# name user_net 10.1.1.0
PIX(config)# name dev_net 20.1.1.0
PIX(config)# name 24mask 255.255.255.0
. . .
PIX(config)# access-list acl_outbound permit tcp user_net 24mask any eq 80
PIX(config)# access-list acl_outbound deny tcp dev_net 24mask any
. . .
PIX(config)# access-group acl_outbound out interface outside
. . .


Note
The per-user-override option allows downloaded access-lists to override the access-list applied to the interface. If the per-user-override optional argument is not present, PIX preserves the existing filtering behavior.
The per-user access list is governed by the timeout value specified by the uauth option of the timeout command, but it can be overridden by the AAA per-user session timeout value.

nat-control

The PIX always has been a device supporting, even requiring, Network Address Translation (NAT) for maximum flexibility and security. NAT is introduced as an option in PIX OS 7.0.
Configuring nat-control on the PIX forces the PIX firewall to require NAT for a source address (for outbound traffic) and for a destination address for inbound traffic.
If you upgrade PIX firewall from 6.x to Version 7.x, nat-control is enabled on the PIX. For new configurations, nat-control is disabled by default. If no nat-control is specified, only hosts that require NAT need to have a NAT rule configured.
The nat-control statement is valid in routed firewall mode and in single and multiple security context modes. No new NAT functionality is provided with this feature. All existing NAT functionality remains the same.
If you have no nat-control configured, and if there is a nat matching, it will go through the NAT engine. Otherwise, the packet will go through without NATing. In PIX 6.3 and earlier, the packet is dropped if there is no NAT match.
Table 3-3 shows the comparison between nat-control and no nat-control.

Table 3-3. Comparison Between nat-control and no nat-control
nat-control
no nat-control
No inside nat rule
No outside nat rule
Deny
Continue
No inside nat rule
outside nat rule
Continue
Continue
No inside nat rule
No outside nat rule
Deny
Continue

The difference between the no nat-control command and the nat 0 (identity NAT) command is that identity NAT requires that traffic be initiated from the more secure interface. The no nat-control command does not have this requirement, nor does it require a static command to allow communication to inside hosts. It relies on access-policies.

Modular Policy Framework (MPF) Objective

There is a growing need to provide greater granularity and flexibility in configuring network policies. For example, it is extremely important to have the ability to include a destination IP address as one of the criteria to identify traffic for Network Address Translation, or the ability to create a timeout configuration that is specific to a particular TCP application, as opposed to the current timeout scheme, which applies a timeout value to all TCP applications, and so on. MPF provides the tools to meet these and other needs.
MPF features are derived from quality of service (QoS) as implemented in IOS. Not all features have been carried across. MPF is built on three related CLI commands:
  • class-map This command identifies the traffic that needs a specific type of control. Class-maps have specific names, which tie them into the policy-map. This just selects the traffic.
  • policy-map This command describes the actions to be taken on the traffic described in the class-map. Class-maps are listed by name under the appropriate policy-map. Policy-maps have specific names too, which tie them into the service-policy. They specify what action needs to be taken.
  • service-policy This command describes where the traffic should be intercepted for control. Only one service-policy can exist per interface. An additional service-policy, global-service-policy, is defined for traffic and general policy application. This policy applies to traffic on all interfaces. The command applies the policy. You can have only one service policy per interface.
PIX 7.0 has the following restrictions for match/policy and class statements.
  • Number of Policy-map: 64.
  • Number of Class-map: 255.
  • Number of Classes in a policy-map: 63.
  • Number of match statements in a class-map: 1. For match tunnel-group and default-inspect, allow two statements.

Transparent Firewall

Transparent Firewall works based on Layer 2 information. This provides the ability to deploy a PIX firewall in a secure bridging mode. It provides rich Layer 2 through 7 security services as a Layer 2 device.
Remember these points while implementing a Transparent Firewall on the PIX Firewall:
  • One inside and outside interface is supported for the transparent firewall.
  • Each directly connected network must be on the same subnet.
  • A management IP address must be configured and should be on the same subnet as the connected network.
  • This management IP address cannot be a default gateway for connected devices, so you should point to the other router's IP address as your default gateway.
  • The PIX uses this IP address as the source address for packets that originate on the outside interface.
  • You can pass non-IP traffic such as Internetwork Pack Exchange (IPX) traffic using an EtherType ACL to allow non-IP traffic through.
  • Dynamic routing protocols will run on the device and will pass through the PIX.
  • NAT is not supported. NAT is performed on the upstream router. You must use an extended ACL to allow Layer 3 traffic, such as IP traffic, through the PIX.
If you configure multiple contexts with Transparent Firewall, you must note the following points:
  • A management IP address is required for each context, even if you do not intend to use Telnet to the context.
  • For multiple context modes, each context must use different VLANs; you cannot share a virtual LAN (VLAN) across contexts.
  • For multiple context mode, each context can use the same (overlapping) subnet or different subnets under different VLANs.
  • Be sure that the upstream router performs NAT if you use overlapping subnets.
You might encounter several limitations with Transparent Firewall and VPN implementations:
  • VPN tunnels are allowed only when configured for single (Routed) context mode.
  • To-the-box IPsec traffic is supported.
  • Through-the-box IPsec data, or data carried through a tunnel destined for the secure side of the transparent firewall, is not supported.
  • Only static crypto maps are supported.
  • The IP address configured for the management access is the VPN peer address.
  • WebVPN is not supported while the device is operating in transparent mode.
  • Only L2L tunnels are supported, and only one tunnel at a time.
  • X-Auth and mode config attributes should not be used during tunnel negotiation, but are configurable.
  • VPN tunnel cannot be initiated from the firewall (answer only).
  • VPN Load Balancing and VPN Stateful Failover are not supported.
  • QoS of VPN data is not supported.
  • NAT over the tunnel is not supported.

If You Enjoyed This Post Please Take a Second To Share It.

You Might Also Like

Stay Connected With Free Updates

Subscribe via Email

teaser