5 Things I bet you didn’t know your Cisco ASA FW could do

I've compiled 5 very useful ASA features that I find most customers don't know about yet. You've probably heard of one or even two, but I'm betting not all 5. How in-depth is your ASA knowledge? Put it to the test.

Application Firewalling

The ASA includes several deep packet inspection engines in its software. This makes the ASA not only a stateful packet filtering firewall but also an application firewall. The most popular is the HTTP engine. All of the application inspection engines work the same way: you pick an interface you want to inspect traffic on, then you define the traffic matching criteria, then you define what application-level data you want to write policy for. This is configured here in ASDM: Firewall / Service Policy Rules

Figure 1: Define interface to apply policy to

Figure 2: Define traffic match criteria, I picked ACL
Figure 3: Choose an application inspection, I chose http
Figure 4: Configure the http inspection rules, I chose medium security. There is also an expert view where you can create your own regex expression for any of the URI fields or the body.
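The same four ASDM steps expressed as ASA CLI, as an added example that is not from the article (interface name "outside", the ACL, class-map, policy-map and regex names, and the 192.0.2.10 server address are all assumptions I made for illustration):

```cisco
! Added example (not from the article): the four ASDM steps above as ASA CLI.
! Assumed names: interface "outside", ACL HTTP-INSPECT, class/policy names below.

! Step 2: traffic match criteria - an ACL selecting web traffic to one server.
! 192.0.2.10 is a constructed documentation address, not a real host.
access-list HTTP-INSPECT extended permit tcp any host 192.0.2.10 eq www

class-map HTTP-TRAFFIC
 match access-list HTTP-INSPECT

! Steps 3 and 4: the HTTP inspection policy. The "expert view" regex in ASDM
! becomes a regex object that a match statement references by name.
regex URI-TRAVERSAL "\.\./"

policy-map type inspect http HTTP-STRICT
 parameters
  ! RFC-compliance check: non-conforming HTTP is dropped and logged
  protocol-violation action drop-connection log
 ! CONNECT is a proxy method; a web server should never see it
 match request method connect
  drop-connection log
 ! Oversized URIs are a classic sign of overflow or scanner traffic
 match request uri length gt 2048
  reset log
 ! Directory-traversal sequences in the URI
 match request uri regex URI-TRAVERSAL
  reset log
 ! Response Content-Type must match what the request accepted
 match req-resp content-type mismatch
  reset log

! Step 1: attach the inspection to the interface via a service policy
policy-map OUTSIDE-POLICY
 class HTTP-TRAFFIC
  inspect http HTTP-STRICT

service-policy OUTSIDE-POLICY interface outside
```

Note that an interface service policy takes precedence over the default global policy for traffic it matches, so anything you relied on in global_policy (for example the default inspections) must be carried into the interface policy as well. Every action here also carries log, which is what makes the inspection useful to the SOC rather than just to the firewall.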
You're done!

Embedded host posture assessment and remediation (NAC) for VPN clients

The ASA includes NAC functionality for host posture assessment built in. For a nominal fee you can upgrade to the advanced host inspection license and obtain some remediation features and a detailed checklist of over 40 AV/AS vendors' products as well. The whole system is based on OPSWAT. It is not as robust as Cisco's NAC Appliance solution, but in many cases it makes sense anyway. You configure your host posture assessment checks via DAP (dynamic access policy) rules. These rules can be based on AAA criteria as well. Here is a screenshot:

Here are two screenshots showing a snippet from the vendor list and the auto remediation feature and host firewall rules you get when you enable the advanced inspection license.

Authenticate and authorize your ASA Admin users directly via LDAP

Most of you authenticate and authorize your ASA administrators using TACACS+ or RADIUS, which sometimes backends into an LDAP database. Now you can authenticate and authorize directly against LDAP databases for your administrators. You simply map LDAP attributes to RADIUS attributes so you can control their privilege level (1-15). Here is an instructions snippet from the Cisco docs:

The following example shows how to limit management sessions to the security appliance based on an LDAP attribute called accessType. The accessType attribute has three possible values: 
•  VPN 
•  admin 
•  helpdesk 
Each value is mapped to one of the valid IETF RADIUS Service-Types that the security appliance supports: remote-access (Service-Type 5) Outbound, admin (Service-Type 6) Administrative, and nas-prompt (Service-Type 7) NAS Prompt. 
hostname(config)# ldap attribute-map MGMT
hostname(config-ldap-attribute-map)# map-name accessType IETF-Radius-Service-Type
hostname(config-ldap-attribute-map)# map-value accessType VPN 5
hostname(config-ldap-attribute-map)# map-value accessType admin 6
hostname(config-ldap-attribute-map)# map-value accessType helpdesk 7

hostname(config-ldap-attribute-map)# aaa-server LDAP protocol ldap
hostname(config-aaa-server-group)# aaa-server LDAP (inside) host
hostname(config-aaa-server-host)# ldap-base-dn CN=Users,DC=cisco,DC=local
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-login-password test
hostname(config-aaa-server-host)# ldap-login-dn 
hostname(config-aaa-server-host)# server-type auto-detect
hostname(config-aaa-server-host)# ldap-attribute-map MGMT
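The Cisco excerpt stops at building the server group and attribute map; it does not show the commands that make the appliance actually use them for management logins. The following is an added example of that last step, not part of the Cisco docs or the article. It assumes the server group LDAP and attribute map MGMT from the excerpt, an ASA release that supports "aaa authorization exec authentication-server" (8.0(2) or later), and uses 192.0.2.10 as a constructed placeholder for the directory server.

```cisco
! Added example (not from the Cisco excerpt above): make management sessions
! use server group LDAP. Assumes group "LDAP" and attribute map "MGMT" exist.
! 192.0.2.10 is a constructed placeholder for the directory server.

! The excerpt sends the bind password (ldap-login-password) in the clear;
! wrap the LDAP session in TLS so it and the admin credentials are protected.
aaa-server LDAP (inside) host 192.0.2.10
 ldap-over-ssl enable
 server-port 636

! Authenticate SSH, ASDM/HTTPS and enable against LDAP. LOCAL is the
! fallback so the firewall stays manageable if the directory is unreachable.
aaa authentication ssh console LDAP LOCAL
aaa authentication http console LDAP LOCAL
aaa authentication enable console LDAP LOCAL

! Honour the Service-Type (5/6/7) returned through the attribute map, so the
! accessType value in LDAP decides whether the session is admin, helpdesk
! or refused for management.
aaa authorization exec authentication-server
```

The LOCAL fallback only helps if at least one local username with privilege 15 exists on the box, so create it before you cut over, and test a helpdesk-mapped account and a VPN-only account from a second session before closing the one you configured from.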
Allow TCP applications over clientless SSL VPN without plugins

The ASA has a clientless SSL VPN feature called Smart Tunnels. Smart tunnels allow you to use almost any TCP based application across your clientless portal SSL VPN without a full SSL VPN client. You define the full or partial path to the executable you want to tunnel (/applications/Instantmessenger.exe) and an optional hash of the file checksum. Now when the client opens instantmessenger.exe its traffic is automatically tunneled back to the ASA proxy via smart tunnels. It is important to note that Cisco also has application plug-ins for things like SSH, Citrix, etc. Plugins have better performance than smart tunnels, so use them when available. Here is a screenshot of smart tunnels:
Ability to control clientless SSL VPN user access via URL access lists

This is called Web ACLs in Cisco documentation. It is very similar to applying an IP ACL to a group, except this one filters on actual URLs. It can permit or deny the following URL types: http, https, ica, imap4, nfs, pop3, rdp, smarttunnel, ssh, smtp, telnet, cifs, citrix, citrixs, ftp, tn5250, and vnc. This is configured here in ASDM: Remote access / clientless / advanced / web url

Screenshot of Web ACL configuration
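Both of the last two features land in the same place in the configuration, the webvpn attributes of a group policy, so here is one added example (mine, not from the article or Cisco's docs) that ties a smart-tunnel list and a Web ACL to a single clientless group. The group-policy, list and ACL names and the hostnames are constructed for illustration.

```cisco
! Added example (not from the article): a smart-tunnel list plus a Web ACL
! applied to one clientless group policy. Assumed names: CLIENTLESS-GP,
! IM-APPS, CLIENTLESS-WEBACL; the hostnames are constructed examples.

webvpn
 ! Only the named executable is tunnelled. The optional checksum argument
 ! goes after "platform windows" to pin the binary the article mentions.
 smart-tunnel list IM-APPS instantmessenger instantmessenger.exe platform windows

! Web ACL: permit exactly the portals this group needs, deny and log the rest.
! Without the explicit deny the ACL still ends in an implicit deny, but the
! log keyword gives you a record of what users tried to reach.
access-list CLIENTLESS-WEBACL webtype permit url https://intranet.example.com/*
access-list CLIENTLESS-WEBACL webtype permit url cifs://fileserver.example.com/share/*
access-list CLIENTLESS-WEBACL webtype deny url any log

group-policy CLIENTLESS-GP attributes
 webvpn
  ! Smart tunnel list this group may use
  smart-tunnel enable IM-APPS
  ! Web ACL filtering every URL this group requests through the portal
  filter value CLIENTLESS-WEBACL
```

Keep the Web ACL as the least-privilege control here: a smart tunnel or plugin only extends what a user can reach, and the Web ACL is what decides which destinations the clientless session is allowed to touch at all.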
So how many of these features did you already know about? Have any obscure ASA features you’d like to make others aware of?

The opinions and information presented here are my personal views and not those of my employer.

More from Jamey Heary: Go to Jamey's Blog for more articles on security.

Copyright © 2008 IDG Communications, Inc.
