lab05 - configuring asa basic settings and firewall using cli

Upload: adrian-choez

Post on 01-Jun-2018


8/9/2019 Lab05 - Configuring ASA Basic Settings and Firewall Using CLI

Configuring ASA & Firewall using CLI (2)

Configuring ASA Basic Settings and Firewall Using CLI

Topology

Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet interfaces.

IP Addressing Table

Device  Interface       IP Address       Subnet Mask      Default Gateway  Switch Port
R1      Fa0/0           209.165.200.225  255.255.255.248  N/A              ASA E0/0
        S0/0/0 (DCE)    10.1.1.1         255.255.255.252  N/A              N/A
R2      S0/0/0          10.1.1.2         255.255.255.252  N/A              N/A
        S0/0/1 (DCE)    10.2.2.2         255.255.255.252  N/A              N/A
R3      Fa0/1           172.16.3.1       255.255.255.0    N/A              S3 Fa0/5
        S0/0/1          10.2.2.1         255.255.255.252  N/A              N/A
ASA     VLAN 1 (E0/1)   192.168.1.1      255.255.255.0    N/A              S2 Fa0/24
        VLAN 2 (E0/0)   209.165.200.226  255.255.255.248  N/A              R1 Fa0/0
        VLAN 3 (E0/2)   192.168.2.1      255.255.255.0    N/A              S1 Fa0/24
PC-A    NIC             192.168.2.3      255.255.255.0    192.168.2.1      S1 Fa0/6
PC-B    NIC             192.168.1.3      255.255.255.0    192.168.1.1      S2 Fa0/18
PC-C    NIC             172.16.3.3       255.255.255.0    172.16.3.1       S3 Fa0/18

Objectives

Part 1: Basic Router/Switch/PC Configuration

Cable the network as shown in the topology.
Configure hostnames and interface IP addresses for routers, switches, and PCs.
Configure static routing, including default routes, between R1, R2, and R3.
Enable HTTP and Telnet access for R1.
Configure PC host IP settings.
Verify connectivity between hosts, switches, and routers.
Save the basic running configuration for each router and switch.

Part 2: Accessing the ASA Console and Using CLI Setup Mode to Configure Basic Settings

Access the ASA console and view hardware, software, and configuration settings.
Determine the ASA version, interfaces, and license.
Determine the file system and contents of flash memory.
Use CLI Setup mode to configure basic settings (hostname, passwords, clock, etc.).

Part 3: Configuring Basic ASA Settings and Interface Security Levels Using the CLI

Configure the hostname and domain name.
Configure the login and enable passwords.
Set the date and time.
Configure the inside and outside interfaces.
Test connectivity to the ASA.
Configure Telnet access to the ASA.

Part 4: Configuring Routing, Address Translation, and Inspection Policy Using the CLI

Configure a static default route for the ASA.
Configure port address translation (PAT) and network objects.
Modify the MPF application inspection global service policy.

Part 5: Configuring DHCP, AAA, and SSH

Configure the ASA as a DHCP server/client.
Configure local AAA user authentication.
Configure SSH remote access to the ASA.

Part 6: Configuring DMZ, Static NAT, and ACLs

Configure the DMZ interface VLAN 3 on the ASA.
Configure static NAT for the DMZ server using a network object.
Configure an ACL to allow access to the DMZ for Internet users.
Verify access to the DMZ server for external and internal users.

Background / Scenario

The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall, VPN, and other capabilities. This lab employs an ASA 5505 to create a firewall and protect an internal corporate network from external intruders while allowing internal hosts access to the Internet. The ASA creates three security interfaces: Outside, Inside, and DMZ. Other devices will receive minimal configuration to support the ASA portion of this lab. This lab uses the ASA CLI, which is similar to the IOS CLI, to configure basic device and security settings.

In Part 1 of this lab, you will configure the topology and non-ASA devices. In Parts 2 through 4, you configure basic ASA settings and the firewall between the inside and outside networks. In Part 5, you configure the ASA for additional services, such as DHCP, AAA, and SSH. In Part 6, you will configure a DMZ on the ASA and provide access to a server in the DMZ. [...] Outside, and DMZ. [...] IOS Release 15.1(4)M8 (Advanced IP Services image). Other routers and Cisco IOS versions can be used. See the Router Interface Summary Table at the end of this lab to determine which interface identifiers to use based on the equipment in the lab. Depending on the router model and Cisco IOS version, the available commands and output produced might vary from what is shown in this lab.

The ASA used with this lab is a Cisco model 5505 with an 8-port integrated switch, running OS version 8.4(2) and Adaptive Security Device Manager (ASDM) version 7.2(1), and comes with a Base license that allows a maximum of three VLANs.

Note: Ensure that the routers and switches have been erased and have no startup configurations.

Required Resources

3 Routers (Cisco 1841 with Cisco IOS Release 15.1(4)M8 Advanced IP Services image or comparable)
3 Switches (Cisco 2960 or comparable)
1 ASA 5505 (OS version 8.4(2) and ASDM version 7.2(1) and Base license or comparable)
3 PCs (Windows Vista or Windows 7 with CCP 2.5, Cisco VPN Client, latest version of Java, Internet Explorer, and Flash Player)
Serial and Ethernet cables as shown in the topology
Console cables to configure the routers via the console

CCP Notes:

Refer to Lab 0.0.0.0 for instructions on how to install and run CCP.
If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-click the CCP icon or menu item and select Run as administrator.
To run CCP, it may be necessary to temporarily disable antivirus programs and O/S firewalls. Ensure that all pop-up blockers are turned off in the browser.

Configuration

Part 1: Basic Router Configuration

In Part 1 of this lab, you set up the network topology and configure basic settings on the routers, such as interface IP addresses and static routing.

Note: Do not configure any ASA settings at this time.

Step 1: Cable the network and clear previous device settings.

Attach the devices that are shown in the topology diagram and cable as necessary. Make sure that the routers and switches have been erased and have no startup configurations.

Step 2: Configure basic settings for routers and switches.

a) Configure hostnames as shown in the topology for each router.

b) Configure router interface IP addresses as shown in the IP addressing table.

c) Configure a clock rate for routers with a DCE serial cable attached to their serial interface. Router R1 is shown here as an example.

R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000

d) Configure the host name for the switches. Other than the host name, the switches can be left in their default configuration state. Configuring the VLAN management IP address for the switches is optional.

Step 3: Configure static routing on the routers.

a) Configure a static default route from R1 to R2 and from R3 to R2.

R1(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/0
R3(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/1

b) Configure a static route from R2 to the R1 Fa0/0 subnet (connected to ASA interface E0/0) and a static route from R2 to the R3 LAN.

R2(config)# ip route 209.165.200.224 255.255.255.248 Serial0/0/0
R2(config)# ip route 172.16.3.0 255.255.255.0 Serial0/0/1

Step 4: Enable the HTTP server on R1 and set the enable and vty passwords.

a) Enable HTTP access to R1 using the ip http server command in global config mode. Also set the console and VTY passwords to cisco. This will provide web and Telnet targets for testing later in the lab.

R1(config)# ip http server
R1(config)# enable password class

R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login

b) On routers R2 and R3, set the same enable, console, and vty passwords as with R1.

Step 5: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C as shown in the IP Addressing Table.

Step 6: Verify connectivity.

Because the ASA is the focal point for the network zones and it has not yet been configured, there will be no connectivity between devices that are connected to it. However, PC-C should be able to ping the R1 interface. From PC-C, ping the R1 Fa0/0 IP address (209.165.200.225). If these pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-C to R1 Fa0/0 and S0/0/0, you have demonstrated that static routing is configured and functioning correctly.

Step 7: Save the basic running configuration for each router and switch.

Part 2: Accessing the ASA Console and Using CLI Setup to Configure Basic Settings

In Part 2 of this lab, you will access the ASA via the console and use various show commands to determine hardware, software, and configuration settings. You will clear the current configuration and use the CLI interactive Setup utility to configure basic ASA settings.

Note: Do not configure any ASA settings at this time.

Step 1: Access the ASA console.

a) Accessing the ASA via the console port is the same as with a Cisco router or switch. Connect to the ASA console port with a rollover cable.

b) Use a terminal emulation program, such as TeraTerm or PuTTY, to access the CLI. Then use the serial port settings of 9600 baud, 8 data bits, no parity, one stop bit, and no flow control.

c) Enter privileged mode with the enable command and password (if set). By default, the password is blank; press Enter. If the password has been changed to that specified in this lab, enter the word class. The default ASA hostname and prompt is ciscoasa>.

ciscoasa> enable
Password: class (or press Enter if none set)

Step 2: Determine the ASA version, interfaces, and license.

The ASA 5505 comes with an integrated 8-port Ethernet switch. Ports E0/0 to E0/5 are normal Fast Ethernet ports, and ports E0/6 and E0/7 are PoE ports for use with PoE devices, such as IP phones or network cameras. Use the show version command to determine various aspects of this ASA device.

ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 23 hours 8 mins
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact
<output omitted>

What software version is this ASA running?
What is the name of the system image file and from where was it loaded?
The ASA can be managed using a built-in GUI known as ASDM. What version of ASDM is this ASA running?
How much RAM does this ASA have?
How much flash memory does this ASA have?
How many Ethernet ports does this ASA have?
What type of license does this ASA have?
How many VLANs can be created with this license?

Step 3: Determine the file system and contents of flash memory.

a) Display the ASA file system using the show file system command to determine what prefixes are supported.

ciscoasa# show file system
<output omitted>

The default route is also derived from the DHCP default gateway.

All inside IP addresses are translated when accessing the outside using interface PAT on the VLAN 2 interface.

By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.

The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.5 and 192.168.1.36 (base license), though the actual range may vary.

The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0/24 network.

No console or enable passwords are required, and the default hostname is ciscoasa.

Note: In this lab, you will manually configure settings similar to those listed above, as well as some additional ones, using the ASA CLI.

a) Display the current running configuration using the show running-config command.

ciscoasa# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2
<output omitted>

Note: To stop the output from a command using the CLI, press Q.

If you see VLANs 1 and 2 and other settings as described previously, the device is most likely configured with the default factory configuration. You may also see other security features, such as a global policy that inspects selected application traffic, which the ASA inserts by default if the original startup configuration has been erased. The actual output varies depending on the ASA model, version, and configuration status.

b) You can restore the ASA to its factory default settings by using the configure factory-default command.

ciscoasa# conf t
ciscoasa(config)# configure factory-default
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will not boot.
Begin to apply factory-default configuration:

Clear all configuration
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
<output omitted>

c) Review this output and pay particular attention to the VLAN interfaces and the NAT- and DHCP-related sections. These will be configured later in this lab using the CLI.

d) You may want to capture and print the factory-default configuration as a reference. Use the terminal emulation program to copy it from the ASA and paste it into a text document. You can then edit this file, if desired, so that it contains only valid commands. You should also remove password commands and enter the no shut command to bring up the desired interfaces.

Step 5: Clear the previous ASA configuration settings.

a) Use the write erase command to remove the startup-config file from flash memory.

ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa#
ciscoasa# show start
No Configuration

Note: The IOS command erase startup-config is not supported on the ASA.

b) Use the reload command to restart the ASA. This causes the ASA to come up in CLI Setup mode. If prompted that the config has been modified, asking to save it, respond with N and then press Enter to proceed with the reload.

ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---

<output omitted>

Step 6: Use the Setup interactive CLI mode to configure basic settings.

When the ASA completes the reload process, it should detect that the startup-config file is missing and present a series of interactive prompts to configure basic ASA settings. If it does not come up in this mode, repeat Step 5. As an alternative, you can run the setup command at the global configuration mode prompt, but you must first create a VLAN interface (VLAN 1), name the VLAN management (using the nameif command), and assign the VLAN an IP address.

Note: The interactive prompt mode does not configure the ASA with factory defaults as described in Step 4. This mode can be used to configure minimal basic settings, such as hostname, clock, passwords, etc. You can also bypass this mode and go directly to the CLI to configure the ASA settings, as described in Part 3.

a) Respond to the Setup interactive prompts as shown here, after the ASA reloads.

Pre-configure
<output omitted>

Note: In the above configuration, the IP address of the host running ASDM was left blank. It is not necessary to install ASDM on a host. It can be run from the flash memory of the ASA device itself using the browser of the host. This process is described in the Chapter 9 lab "Configuring ASA Basic Settings and Firewall Using ASDM."

You may also see the warning above stating that the ASA HTTP server has not yet been enabled. This will be done in a subsequent step.

Note: The responses to the prompts are automatically stored in the startup-config and the running config. However, additional security-related commands, such as a global default inspection service policy, are inserted into the running-config by the ASA OS.

b) Enter privileged EXEC mode with the enable command. Enter cisco for the password.

c) Issue the show run command to see the additional security-related configuration commands that are inserted by the ASA.

d) Issue the copy run start command to capture the additional security-related commands in the startup config file.

e) Issue the reload command to restart the ASA and load the startup configuration.

ASA-Init# reload
Proceed with reload? [confirm] <Enter>
<output omitted>

f) Enter privileged EXEC mode with the enable command. Provide the password set in Step 6a (cisco). Issue the show running-config command. You should see the entries you provided in the interactive configuration process.

Part 3: Configuring ASA Settings and Interface Security Using the CLI

In Part 3, you will configure basic settings by using the ASA CLI, even though some of them were already configured using the Setup mode interactive prompts in Part 2. In this part, you will start with the settings configured in Part 2 and add to or modify them to create a more complete basic configuration.

Tip: You will find that many ASA CLI commands are similar to, if not the same as, those used with the Cisco IOS CLI. In addition, moving between configuration modes and submodes is essentially the same.

Note: You must complete Part 2 before beginning Part 3.

Step 1: Configure the hostname and domain name.

a) Enter global configuration mode using the config t command. The first time you enter configuration mode after running Setup, you will be prompted to enable anonymous reporting. Respond with no.

ASA-Init# conf t
ASA-Init(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".
Please remember to save your configuration.

b) Configure the ASA hostname using the hostname command.

ASA-Init(config)# hostname CCNAS-ASA

c) Configure the domain name using the domain-name command.

CCNAS-ASA(config)# domain-name ccnasecurity.com

Step 2: Configure the login and enable mode passwords.

a) The login password is used for Telnet connections (and SSH prior to ASA version 8.4). By default, it is set to cisco. You can change the login password using the passwd or password command. For this lab, leave it set to the default of cisco.

b) Configure the privileged EXEC mode (enable) password using the enable password command.

CCNAS-ASA(config)# enable password class

Step 3: Set the date and time.

The date and time can be set manually using the clock set command. The syntax for the clock set command is clock set hh:mm:ss {month day | day month} year. The following example shows how to set the date and time using a 24-hour clock:

CCNAS-ASA(config)# clock set 14:25:00 april 15 2014

Step 4: Configure the inside and outside interfaces.

ASA 5505 interface notes:

The 5505 is different from the other 5500 series ASA models. With other ASAs, the physical port can be assigned a Layer 3 IP address directly, much like a Cisco router. With the ASA 5505, the eight integrated switch ports are Layer 2 ports. To assign Layer 3 parameters, you must create a switch virtual interface (SVI) or logical VLAN interface and then assign one or more of the physical Layer 2 ports to it. All eight switch ports are initially assigned to VLAN 1, unless the factory default config is present, in which case port E0/0 is assigned to VLAN 2. In this step, you create internal and external VLAN interfaces, name them, assign IP addresses, and set the interface security level.

If you completed the initial configuration Setup utility, interface VLAN 1 is configured as the management VLAN with an IP address of 192.168.1.1. You will configure it as the inside interface for this lab. You will only configure the VLAN 1 (inside) and VLAN 2 (outside) interfaces at this time. The VLAN 3 (dmz) interface will be configured in Part 6 of the lab.

a) Configure a logical VLAN 1 interface for the inside network (192.168.1.0/24) and set the security level to the highest setting of 100.

CCNAS-ASA(config)# interface vlan 1
CCNAS-ASA(config-if)# nameif inside
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# security-level 100

b) Create a logical VLAN 2 interface for the outside network (209.165.200.224/29), set the security level to the lowest setting of 0, and bring up the VLAN 2 interface.

CCNAS-ASA(config-if)# interface vlan 2
CCNAS-ASA(config-if)# nameif outside
<output omitted>

d) Assign ASA Layer 2 port E0/1 to VLAN 1 and port E0/0 to VLAN 2, and use the no shutdown command to ensure they are up.

CCNAS-ASA(config)# interface e0/1
CCNAS-ASA(config-if)# switchport access vlan 1
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface e0/0
CCNAS-ASA(config-if)# switchport access vlan 2
CCNAS-ASA(config-if)# no shutdown

Note: Even though E0/1 is in VLAN 1 by default, the commands are provided above.

e) Display the status for all ASA interfaces using the show interface ip brief command.

Note: This command is different from the show ip interface brief IOS command. If any of the physical or logical interfaces previously configured are not up/up, troubleshoot as necessary before continuing.

Tip: Most ASA show commands, as well as ping, copy, and others, can be issued from within any configuration mode prompt without the do command required with IOS.

CCNAS-ASA(config)# show interface ip brief
Interface        IP-Address       OK? Method Status   Protocol
Ethernet0/0      unassigned       YES unset  up       up
Ethernet0/1      unassigned       YES unset  up       up
Ethernet0/2      unassigned       YES unset  up       up
Ethernet0/3      unassigned       YES unset  down     down
Ethernet0/4      unassigned       YES unset  down     down
Ethernet0/5      unassigned       YES unset  down     down
Ethernet0/6      unassigned       YES unset  down     down
Ethernet0/7      unassigned       YES unset  down     down
Internal-Data0/0 unassigned       YES unset  up       up
Internal-Data0/1 unassigned       YES unset  up       up
Vlan1            192.168.1.1      YES manual up       up
Vlan2            209.165.200.226  YES manual up       up
Virtual0         127.0.0.1        YES unset  up       up

f) Display the information for the Layer 3 VLAN interfaces using the show ip address command.

CCNAS-ASA(config)# show ip address
System IP Addresses:
Interface  Name     IP address       Subnet mask      Method
Vlan1      inside   192.168.1.1      255.255.255.0    manual
Vlan2      outside  209.165.200.226  255.255.255.248  manual
Current IP Addresses:
Interface  Name     IP address       Subnet mask      Method
Vlan1      inside   192.168.1.1      255.255.255.0    manual
Vlan2      outside  209.165.200.226  255.255.255.248  manual

g) Use the show switch vlan command to display the inside and outside VLANs configured on the ASA and to display the assigned ports.

CCNAS-ASA# show switch vlan
VLAN Name                        Status    Ports
---- --------------------------- --------- ---------------------
1    inside                      up        Et0/1, Et0/2, Et0/3, Et0/4
                                           Et0/5, Et0/6, Et0/7
2    outside                     up        Et0/0

h) You may also use the show running-config interface type/number command to display the configuration for a particular interface from the running configuration.

CCNAS-ASA# show run interface vlan 1

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
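The security levels set in this step decide which interface pairs pass traffic before any ACL exists. The following Python script is an added example (not part of the lab): it parses a constructed running-config fragment in the shape of the show run interface output above and reports the default flow matrix; the Vlan3/dmz interface with no explicit security-level and the same-security-traffic line are assumptions included to show how the ASA's defaults behave.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the lab's "show run interface" output.
# Vlan1/Vlan2 use the lab's values; Vlan3 (dmz, no security-level) and the
# same-security-traffic line are assumptions added to exercise the defaults.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
!
interface Vlan3
 nameif dmz
 ip address 192.168.2.1 255.255.255.0
!
same-security-traffic permit inter-interface
"""


@dataclass
class Iface:
    name: str                      # e.g. Vlan1
    nameif: Optional[str] = None   # logical name from 'nameif'
    level: Optional[int] = None    # explicit security-level, None if omitted


def parse_interfaces(config: str) -> List[Iface]:
    """Collect interface blocks; a block ends at the next top-level line."""
    ifaces: List[Iface] = []
    cur: Optional[Iface] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):            # top-level command
            m = re.match(r"interface\s+(\S+)$", line)
            cur = Iface(m.group(1)) if m else None
            if cur is not None:
                ifaces.append(cur)
            continue
        if cur is None:
            continue
        tok = line.split()
        if tok[0] == "nameif" and len(tok) > 1:
            cur.nameif = tok[1]
        elif tok[0] == "security-level" and len(tok) > 1:
            cur.level = int(tok[1])
    return ifaces


def effective_level(i: Iface) -> int:
    """ASA default when security-level is omitted: 100 for 'inside', else 0."""
    if i.level is not None:
        return i.level
    return 100 if i.nameif == "inside" else 0


def default_flow_allowed(src: Iface, dst: Iface, same_sec_permitted: bool) -> bool:
    """Implicit policy with no ACL applied: higher -> lower is allowed,
    lower -> higher is denied, equal levels need same-security-traffic permit."""
    s, d = effective_level(src), effective_level(dst)
    if s > d:
        return True
    if s == d:
        return same_sec_permitted
    return False


def audit(config: str) -> Dict[str, object]:
    """Return effective levels, the default flow matrix and audit warnings."""
    ifaces = [i for i in parse_interfaces(config) if i.nameif]
    same_sec = "same-security-traffic permit inter-interface" in config
    flows: Dict[Tuple[str, str], bool] = {}
    for a in ifaces:
        for b in ifaces:
            if a is not b:
                flows[(a.nameif, b.nameif)] = default_flow_allowed(a, b, same_sec)
    warnings = [f"{i.name} ({i.nameif}) has no explicit security-level; "
                f"ASA will use {effective_level(i)}"
                for i in ifaces if i.level is None]
    return {"levels": {i.nameif: effective_level(i) for i in ifaces},
            "flows": flows, "warnings": warnings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for (src, dst), ok in sorted(report["flows"].items()):
        print(f"{src:>8} -> {dst:<8} {'allowed' if ok else 'denied'} by default")
    for w in report["warnings"]:
        print("WARNING:", w)
```

With the sample, the dmz interface silently lands at level 0, equal to outside, so the same-security line makes outside-to-dmz traffic pass by default; the warning flags the missing security-level before that happens.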

Step 5: Test connectivity to the ASA.

a) Ensure that PC-B has a static IP address of 192.1 [...]

CCNAS-ASA(config)# http server enable
CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside

b) Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1. In the Java Control Panel, select the Security tab. Click Edit Site List. In the Exception Site List, click Add. In the Location field, type https://192.168.1.1. Click OK to add the IP address. Verify that the IP address has been added. Click OK to accept the changes.

c) Close the browser. In the next lab, you will use ASDM extensively to configure the ASA. The objective here is not to use the ASDM configuration screens, but to verify HTTP/ASDM connectivity to the ASA. If you are unable to access ASDM, check your configurations or contact your instructor, or do both.

Part 4: Configuring Routing, Address Translation, and Inspection Policy Using the CLI

In Part 4 of this lab, you will provide a default route for the ASA to reach external networks. You will configure address translation using network objects to enhance firewall security. You will then modify the default application inspection policy to allow specific traffic.

Note: You must complete Part 3 before going on to Part 4.

Step 1: Configure a static default route for the ASA.

In Part 3, you configured the ASA outside interface with a static IP address and subnet mask. However, the ASA does not have a gateway of last resort defined. To enable the ASA to reach external networks, you will configure a default static route on the ASA outside interface.

Note: If the ASA outside interface were configured as a DHCP client, it could obtain a default gateway IP address from the ISP. However, in this lab, the outside interface is configured with a static address.

a) Ping from the ASA to the R1 Fa0/0 IP address 209.165.200.225. Was the ping successful?

b) Ping from the ASA to the R1 S0/0/0 IP address 10.1.1.1. Was the ping successful?

c) Create a "quad zero" default route using the route command, associate it with the ASA outside interface, and point to the R1 Fa0/0 IP address 209.165.200.225 as the gateway of last resort. The administrative distance is 1 by default.

CCNAS-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.225

d) Issue the show route command to display the ASA routing table and the static default route just created.

CCNAS-ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF
<output omitted>

Note: Beginning with ASA version 8.3, network objects are used to configure all forms of NAT. A network object is created, and it is within this object that NAT is configured. In Step 2a, a network object inside-net is used to translate the inside network addresses 192.168.10.0/24 to the global address of the outside ASA interface. This type of object configuration is called Auto-NAT.

a) Create network object inside-net and assign attributes to it using the subnet and nat commands. In version 8.3 and newer, only the nat command is used, and the static and global commands are no longer supported.

CCNAS-ASA(config)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# end

b) The ASA splits the configuration into the object portion that defines the network to be translated and the actual nat command parameters. These appear in two different places in the running configuration. Display the NAT object configuration using the show run object and show run nat commands.

CCNAS-ASA# show run object
object network inside-net
 subnet 192.168.1.0 255.255.255.0

CCNAS-ASA# show run nat
!
object network inside-net
 nat (inside,outside) dynamic interface

c) From PC-B, attempt to ping the R1 Fa0/0 interface at IP address 209.165.200.225. Were the pings successful?

d) Issue the show nat command on the ASA to see the translated and untranslated hits. Notice that, of the pings from PC-B, four were translated and four were not, because ICMP is not being inspected by the global inspection policy. The outgoing pings (echoes) were translated; the returning echo replies were blocked by the firewall policy. You will configure the default inspection policy to allow ICMP in the next step.

CCNAS-ASA# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 4, untranslate_hits = 4

e) Ping from PC-B to R1 again and quickly issue the show xlate command to see the actual addresses being translated.

CCNAS-ASA# show xlate
1 in use, 2 most used
<output omitted>

  • 8/9/2019 Lab05 - Configuring ASA Basic Settings and Firewall Using CLI

    20/26

    25

    Confguring ASA & Firewall using CLI (2)

    #) >3en a broser on -' and enter the I- address of R1 Fa0/0 %$56)1,)$55)$$,(. @ou shoud be

    3ro53ted b4 R1 for ''- GI ogin. 8'-based 788- traffic is 3er5itted b4 defaut b4 the firea

    ins3ection 3oic4.

    g) >n the $S$ reissue the s!o nat and s!o late co55ands to see the hits and addresses being

    transated for the 788- connection.

    Step 3: Modify the default MPF application inspection global service policy.

    For application layer inspection, as well as other advanced options, the Cisco Modular Policy Framework (MPF) is available on ASAs. Cisco MPF uses three configuration objects to define modular, object-oriented, hierarchical policies:

    Class maps: Define a match criterion.

    Policy maps: Associate actions to the match criteria.

    Service policies: Attach the policy map to an interface, or globally to all interfaces of the appliance.

    a) Display the default MPF policy map that performs the inspection on inside-to-outside traffic. Only return traffic for connections initiated from the inside is allowed back in through the outside interface. Notice that the ICMP protocol is missing from the list of inspected protocols.

    CCNAS-ASA# show run

    <output omitted>

    class-map inspection_default

     match default-inspection-traffic

    !

    policy-map type inspect dns preset_dns_map

     parameters

      message-length maximum client auto

      message-length maximum 512

    policy-map global_policy

     class inspection_default

      inspect dns preset_dns_map

      inspect ftp

      inspect h323 h225

      inspect h323 ras

      inspect ip-options

      inspect netbios

      inspect rsh

      inspect rtsp

      inspect skinny

      inspect esmtp

      inspect sqlnet

      inspect sunrpc

      inspect tftp

      inspect sip

      inspect xdmcp

    !

    service-policy global_policy global

    b) Add the inspection of ICMP traffic to the policy map list using the following commands:

    CCNAS-ASA(config)# class-map inspection_default

    CCNAS-ASA(config-cmap)# exit

    CCNAS-ASA(config)# policy-map global_policy


    CCNAS-ASA(config-pmap)# class inspection_default

    CCNAS-ASA(config-pmap-c)# inspect icmp

    c) From PC-B, attempt to ping the R1 Fa0/0 interface at IP address 209.165.200.225. The pings should be successful this time, because ICMP traffic is now being inspected: the ASA records each outgoing echo and allows the matching echo reply back in as legitimate return traffic.
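The behaviour described in Step 2 d) and in Step 3 above (echoes translated, replies matched to the translation but dropped until ICMP is inspected) can be made concrete with a small model. The Python below is an added example written for this edit; it is not ASA code and not part of the original lab. The PAT identifier, the host addresses, the absence of any inbound ACL, and the rule that one tracked echo admits exactly one echo reply are simplifying assumptions; the counter names mirror the show nat output.

```python
# Added example (not ASA code): a simplified model of how an ASA with interface PAT
# handles outbound ICMP echo with and without "inspect icmp" in global_policy.
# Assumptions: one xlate per (inside host, ICMP id); one tracked echo admits exactly
# one echo-reply; no ACL permits inbound traffic on the outside interface.
from dataclasses import dataclass, field

INSIDE, OUTSIDE = "inside", "outside"


@dataclass
class Packet:
    ingress: str      # interface the packet arrives on
    src: str
    dst: str
    icmp_type: str    # "echo" or "echo-reply"
    icmp_id: int      # ICMP identifier; PAT rewrites it like a port


@dataclass
class Asa:
    mapped_ip: str                 # outside interface address used by "dynamic interface"
    inspect_icmp: bool             # True once "inspect icmp" is in global_policy
    translate_hits: int = 0        # mirrors "show nat"
    untranslate_hits: int = 0
    xlate: dict = field(default_factory=dict)    # (inside_ip, id) -> mapped id
    reverse: dict = field(default_factory=dict)  # mapped id -> (inside_ip, id)
    conns: set = field(default_factory=set)      # (inside_ip, peer, id) tracked echoes
    next_mapped_id: int = 21449    # assumed starting PAT identifier

    def forward(self, pkt: Packet):
        """Return the packet as it leaves the ASA, or None if the ASA drops it."""
        return self._outbound(pkt) if pkt.ingress == INSIDE else self._inbound(pkt)

    def _outbound(self, pkt: Packet):
        key = (pkt.src, pkt.icmp_id)
        if key not in self.xlate:                 # build the PAT entry on first use
            self.xlate[key] = self.next_mapped_id
            self.reverse[self.next_mapped_id] = key
            self.next_mapped_id += 1
        self.translate_hits += 1
        if self.inspect_icmp:                     # inspection records the echo as a connection
            self.conns.add((pkt.src, pkt.dst, pkt.icmp_id))
        return Packet(OUTSIDE, self.mapped_ip, pkt.dst, pkt.icmp_type, self.xlate[key])

    def _inbound(self, pkt: Packet):
        real = self.reverse.get(pkt.icmp_id)
        if real is None:                          # no xlate to undo: dropped
            return None
        self.untranslate_hits += 1                # the reply did match the xlate...
        inside_ip, inside_id = real
        conn = (inside_ip, pkt.src, inside_id)
        if conn not in self.conns:                # ...but without a tracked echo the
            return None                           # outside->inside policy denies it
        self.conns.discard(conn)                  # one reply per inspected echo
        return Packet(INSIDE, pkt.src, inside_ip, pkt.icmp_type, inside_id)


def ping(asa: Asa, count: int = 4, host: str = "192.168.1.3",
         target: str = "209.165.200.225") -> int:
    """Send `count` echoes from an inside host; return how many replies get back."""
    delivered = 0
    for _ in range(count):
        out = asa.forward(Packet(INSIDE, host, target, "echo", icmp_id=1))
        reply = Packet(OUTSIDE, target, out.src, "echo-reply", out.icmp_id)
        if asa.forward(reply) is not None:
            delivered += 1
    return delivered


if __name__ == "__main__":
    for inspect in (False, True):
        asa = Asa(mapped_ip="209.165.200.226", inspect_icmp=inspect)
        got = ping(asa)
        print(f"inspect icmp={inspect}: {got}/4 replies, translate_hits={asa.translate_hits}, "
              f"untranslate_hits={asa.untranslate_hits}, xlates in use={len(asa.xlate)}")
```

Running it prints 0/4 replies with inspection off and 4/4 with it on, while translate_hits and untranslate_hits are 4 and 4 in both cases, and one xlate is in use; that is the same picture the show nat and show xlate output above gives before and after inspect icmp is added.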

    Part 5: Configuring DHCP, AAA, and SSH

    In Part 5, you will configure ASA features such as DHCP and enhanced login security using AAA and SSH.

    Note: You must complete Part 4 before beginning Part 5.

    Step 1: Configure the ASA as a DHCP server.

    The ASA can be both a DHCP server and a DHCP client. In this step, you will configure the ASA as a DHCP server to dynamically assign IP addresses for DHCP clients on the inside network.

    a) Configure a DHCP address pool and enable it on the ASA inside interface. This is the range of addresses to be assigned to inside DHCP clients. Attempt to set the range from 192.168.1

    b) (Optional) Specify the IP address of the DNS server to be given to clients.

    CCNAS-ASA(config)# dhcpd dns 209.165.201.2

    Note: Other parameters can be specified for clients, such as the WINS server, lease length, and domain name.

    c) Enable the DHCP daemon within the ASA to listen for DHCP client requests on the enabled interface (inside).

    CCNAS-ASA(config)# dhcpd enable inside

    d) Verify the DHCP daemon configuration by using the show run dhcpd command.

    CCNAS-ASA(config)# show run dhcpd

    dhcpd dns 209.165.201.2

    dhcpd address 192.168.1.5-192.168.1.36 inside


    dhcpd enable inside

    e) Access the Network Connection IP Properties for PC-B and change it from a static IP address to a DHCP client, so that it obtains an IP address automatically from the ASA DHCP server. The procedure varies depending on the PC operating system. It may be necessary to issue the ipconfig /renew command on PC-B to force it to obtain a new IP address from the ASA.

    Step 2: Configure AAA to use the local database for authentication.

    a) Define a local user named admin by entering the username command. Specify a password of cisco123.

    CCNAS-ASA(config)# username admin password cisco123

    b) Configure AAA to use the local ASA database for Telnet and SSH user authentication.

    CCNAS-ASA(config)# aaa authentication ssh console LOCAL

    CCNAS-ASA(config)# aaa authentication telnet console LOCAL

    Note: Starting in ASA version 8.4(2), AAA authentication must be configured for SSH connections. The default login (no configured username, authenticating with the login password) is no longer accepted over SSH, so without aaa authentication ssh console LOCAL and a local user account, SSH logins to the ASA will fail. Telnet remains a cleartext protocol; once SSH works, consider leaving Telnet access disabled.

    Step 3: Configure SSH remote access to the ASA.

    You can configure the ASA to accept SSH connections from a single host or a range of hosts on the inside or outside network.

    a) Generate an RSA key pair, which is required to support SSH connections. The modulus (in bits) can be 512, 768, 1024, or 2048. The larger the key modulus size you specify, the longer it takes to generate the key pair. Specify a modulus of 1024 using the crypto key command. (Outside a lab, use at least 2048 bits: 1024-bit RSA has been below NIST's minimum key strength since 2013.)

    CCNAS-ASA(config)# crypto key generate rsa modulus 1024

    Keypair generation process begin. Please wait...

    Note: You may receive a message that an RSA key pair is already defined. To replace the RSA key pair, enter yes at the prompt.

    b) Save the RSA keys to persistent flash memory using either the copy run start or write mem command.

    CCNAS-ASA# write mem

    Building configuration...

    <output omitted>

    [OK]

    c) Configure the ASA to allow SSH connections from any host on the inside network 192.168.1.0/24 and from the single host 172.16.3.3 (PC-C) on the outside network, and set the SSH idle timeout to 10 minutes. Keep the outside entry limited to specific management hosts; an ssh 0.0.0.0 0.0.0.0 outside entry would expose the management plane to the whole Internet.


    CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside

    CCNAS-ASA(config)# ssh 172.16.3.3 255.255.255.255 outside

    CCNAS-ASA(config)# ssh timeout 10

    d) On PC-C, use an SSH client, such as PuTTY, to connect to the ASA outside interface at IP address 209.165.200.226. The first time you connect, you may be prompted by the SSH client to accept the RSA host key of the ASA SSH server; compare the fingerprint it shows with the key on the ASA console (show crypto key mypubkey rsa) before accepting it, rather than trusting it blindly. Log in as user admin and provide the password cisco123. You can also connect to the ASA inside interface from a PC-B SSH client using IP address 192.168.1.1.
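As the check a practitioner would run after Steps 2 and 3, here is an added Python script (written for this edit; not from the lab and not a Cisco tool) that reads a saved show run and flags weak management settings: SSH permitted from whole networks or from anywhere on an untrusted interface, Telnet authentication still enabled, a missing ssh version 2, a known lab password, a DHCP server on an untrusted interface, an inbound ACL that permits every IP protocol from any source (the OUTSIDE-DMZ pattern used in Part 6), and a global_policy without inspect icmp. The sample configuration is constructed from the commands on this page; treating the interface named outside as the untrusted side and the small password denylist are assumptions.

```python
# Added example (not a Cisco tool): lint a saved ASA "show run" for weak
# management settings introduced in the AAA/SSH steps. Assumptions: the
# interface named "outside" is the untrusted side, and the password denylist
# is a small illustrative set.
import ipaddress
import re

UNTRUSTED_IFACES = {"outside"}
WEAK_PASSWORDS = {"cisco", "cisco123", "admin", "password"}

# Constructed sample, assembled from the commands shown in this lab; "ssh version 2"
# is deliberately absent so that check fires.
SAMPLE_RUNNING_CONFIG = """\
hostname CCNAS-ASA
username admin password cisco123
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
ssh 192.168.1.0 255.255.255.0 inside
ssh 172.16.3.3 255.255.255.255 outside
ssh timeout 10
dhcpd dns 209.165.201.2
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect icmp
service-policy global_policy global
access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
access-group OUTSIDE-DMZ in interface outside
"""

SSH_RE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
USER_RE = re.compile(r"^username (\S+) password (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip any (?:any|host \S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def inspects_icmp(lines):
    """True if 'inspect icmp' appears inside the global_policy policy-map block."""
    in_block = False
    for line in lines:
        if line == "policy-map global_policy":
            in_block = True
            continue
        if in_block and not line.startswith(" "):   # next top-level command ends the block
            in_block = False
        if in_block and line.strip() == "inspect icmp":
            return True
    return False


def audit_asa_config(text):
    """Return a list of (severity, message) findings for an ASA running-config."""
    lines = [l.rstrip() for l in text.splitlines()]
    findings = []
    inbound_acls = {m.group(1) for m in map(GROUP_RE.match, lines) if m}  # ACLs applied "in"
    for line in lines:
        if m := SSH_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            iface = m.group(3)
            if net.prefixlen == 0:
                findings.append(("high", f"ssh allowed from any address on {iface}"))
            elif iface in UNTRUSTED_IFACES and net.prefixlen != 32:
                findings.append(("medium", f"ssh allowed from network {net} on {iface}; use single hosts"))
        elif m := USER_RE.match(line):
            if m.group(2).lower() in WEAK_PASSWORDS:
                findings.append(("high", f"user {m.group(1)} has a weak/known password"))
        elif line.startswith("aaa authentication telnet console"):
            findings.append(("medium", "Telnet login is enabled; Telnet is cleartext, allow SSH only"))
        elif line.startswith("dhcpd enable ") and line.split()[2] in UNTRUSTED_IFACES:
            findings.append(("medium", f"DHCP server enabled on untrusted interface {line.split()[2]}"))
        elif (m := ACL_RE.match(line)) and m.group(1) in inbound_acls:
            findings.append(("medium", f"ACL {m.group(1)} permits every IP protocol from any source"))
    if "ssh version 2" not in lines:
        findings.append(("medium", "ssh version 2 not set; older releases also accept SSHv1"))
    if not inspects_icmp(lines):
        findings.append(("info", "inspect icmp missing from global_policy; echo replies will be dropped"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_asa_config(SAMPLE_RUNNING_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the text of show run saved from the console; the inside SSH entry and the single-host outside entry pass, while the lab password, the Telnet login, the missing ssh version 2 and the permit-ip-any ACL are reported. The ACL check is deliberately narrow (only permit ip any applied inbound) so that it does not fire on ordinary service-specific rules.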


    c) Display the status for all ASA interfaces using the show interface ip brief command.

    CCNAS-ASA# show interface ip brief

    Interface              IP-Address       OK? Method Status   Protocol

    Ethernet0/0            unassigned       YES unset  up       up

    Ethernet0/1            unassigned       YES unset  up       up

    Ethernet0/2            unassigned       YES unset  up       up

    Ethernet0/3            unassigned       YES unset  down     down

    Ethernet0/4            unassigned       YES unset  down     down

    Ethernet0/5            unassigned       YES unset  down     down

    Ethernet0/6            unassigned       YES unset  down     down

    Ethernet0/7            unassigned       YES unset  down     down

    Internal-Data0/0       unassigned       YES unset  up       up

    Internal-Data0/1       unassigned       YES unset  up       up

    Vlan1                  192.168.1.1      YES manual up       up

    Vlan2                  209.165.200.226  YES manual up       up

    Vlan3                  192.168.2.1      YES manual up       up

    Virtual0               127.0.0.1        YES unset  up       up

    d) Display the information for the Layer 3 VLAN interfaces using the show ip address command.

    CCNAS-ASA# show ip address

    System IP Addresses:

    Interface   Name      IP address        Subnet mask        Method

    Vlan1       inside    192.168.1.1       255.255.255.0      manual

    Vlan2       outside   209.165.200.226   255.255.255.248    manual

    Vlan3       dmz       192.168.2.1       255.255.255.0      manual

    <output omitted>

    e) Display the VLANs and port assignments on the ASA using the show switch vlan command.

    CCNAS-ASA(config)# show switch vlan

    VLAN   Name             Status           Ports

    ------ ---------------  ---------------  -------------------------------

    1      inside           up               Et0/1, Et0/3, Et0/4, Et0/5,

                                             Et0/6, Et0/7

    2      outside          up               Et0/0

    3      dmz              up               Et0/2

    Step 2: Configure static NAT to the DMZ server using a network object.

    Configure a network object named dmz-server and assign it the static IP address of the DMZ server (192.168.2.3).


    Configure a named access list OUTSIDE-DMZ that permits any IP protocol from any external host to the internal IP address of the DMZ server. Apply the access list to the ASA outside interface in the IN direction.

    CCNAS-ASA(config)# access-list OUTSIDE-DMZ permit ip any host 192.168.2.3

    CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside

    Note: Unlike IOS ACLs, the ASA ACL permit statement must permit access to the internal private DMZ