DOWNLOAD PDF CISCO ASA 5505 CONFIGURATION GUIDE

Transcription

1 Chapter 1 : Cisco ASA DMZ Configuration Example â Speak Network Solutions Cisco ASA Quick Start Guide. Step 1 Connect the power supply adaptor to the power cable.. Step 2 Connect the rectangular connector of the power supply adaptor to the power connector on the rear panel of the ASA. Now when your router is restarted you will get this question: Pre-configure Firewall now through interactive prompts [yes]? Now we can start the configuration. The 1st thing you want to do is get into configuration mode. This means your in configuration mode. Now we will give our ASA another hostname. Privilege 15 is the highest of the privileges and gives you full control over the device. Security level for "inside" set to by default. With security levels you can always go from high to low 0 but never the other way around unless configured otherwise. This means that no one from the outside can start a session to the inside. So far for the inside VLAN. Now we will start on the outside WAN configuration. Depending on the provider you might have to do this a little bit different but I will start with a static IP address first. Security level for outside set to 0 by default. You also need to make a static route if your provider supplied you with a static IP address. This is called the default gateway. ExampleASA config interface vlan 2 ExampleASA config-if ip address dhcp setroute ExampleASA config-if nameif outside With this command you dont need to configure a default gateway since you will get this from your provider. And now to make internet work from your inside network we have to configure NAT. The interface part means that you use your interface IP address to translate to. In this case the outside interface. ExampleASA config nat inside 10 This links the inside network to the outside global. The subnet behind that states that the network You now should have an internet connection! But now you want to manage the ASA without having to walk to the server room all the time. First we start with SSH. The name for the keys will be: ExampleASA config ssh Next, we enable the ASDM graphic interface. You can do this by saving the configuration with the following command. ExampleASA config write mem Cryptochecksum: You are now finished with configuring your ASA. Next time I will go into the more detailed configuration of an ASA. Currently working as Cisco Engineer at Neon-Networking. Page 1

2 Chapter 2 : HowTo: Basic ASA configuration - racedaydvl.com Forums The Cisco ASA Firewall is the smallest model in the new Cisco series of hardware appliances. Although this model is suitable for small businesses, branch offices or even home use, its firewall security capabilities are the same as the biggest models (,, etc). Do you have a guest Wi-Fi enabled but you do not want visitors to access your internal resource? The information in this session applies to legacy Cisco ASA s i. Since ASA code version 8. We will cover the configuration for both pre You can download the entire lab setup and configuration files for FREE As part of our documentation effort, we maintain current and accurate information we provided. Documentations are routinely reviewed and updated. We ask for your address to keep you notified when the article is updated. Their security level from high to low is as following: LAN is considered the most secured network. It not only hosts internal user workstations as well as mission critical production servers. LAN users can reach other networks. However, no inbound access is allowed from any other networks unless explicitly allowed. DMZ1 hosts public facing web servers. Any one on the Internet can reach the servers on TCP port DMZ2 is designed as untrusted guest network. Its sole purpose is providing Internet access for visitors. But we do not want to open any firewall holes to our most secured network. The concept is not Cisco specific. It applies to any other business grade firewalls. By default, traffic passing from a lower to higher security level is denied. This can be overridden by an ACL applied to that lower security interface. Also the ASA, by default, will allow traffic from higher to lower security interfaces. This behavior can also be overridden with an ACL. The security levels are defined by numeric numbers between 0 and And is the most secured network. In our example we assign security levels as following: Lab topology setup In our lab, we used one host in each network to represent the characteristics of that subnet. A host is placed on the internet side for testing. Their security levels are: You do not need an ACL because all outbound traffic is traversing from higher security level inside, dmz1 and dmz2 to lower security level outside. The reason we want to give it the least preference is to avoid possible conflict with other NAT rules. The first of the two, Object NAT, is configured within the definition of a network object. This is the easiest form of NAT, but with that ease comes with a limitation in configuration granularity. For example, you cannot make translation decision based on the destination in the packet as you could with the second type of NAT, Manual NAT. Manual NAT is more robust in its granularity, but it requires that the lines be configured in the correct order in order to achieve the correct behavior. Traffic that does not match any NAT rules will traverse the firewall without any translation like NAT exemption but without explicitly configuring it, more like an implicit NAT exemption. The static and global keywords are deprecated. Next is configuring a default gateway and route all traffic to the upstream ISP. It allows icmp return traffic to pass the ASA while the Ping is initiated from inside hosts. Configure static NAT to web servers, grant Internet inbound access to web servers First we define two objects for the web server, one for its internal IP and one for its public facing IP. You can only have one set of configuration at a time. It is important to understand that these NAT rules are bi-directional in nature. As a result you can re-phrase this sentence by flipping the wording around. The result makes a lot more sense: When hosts on the outside establish a connection to Because traffic from the outside to the dmz1 network is denied by the ASA by default, users on the Internet cannot reach the web server despite the NAT configuration. We will need to configure ACLs and allow Internet inbound traffic to access the web server. In earlier versions of ASA code 8. In other words, the ACL had to permit the packet as if you were to capture that packet on the interface. This means that for 8. All other segment access is denied. The default rules can be overwritten by ACLs. In our example, we need the guests in dmz2 to be able to use the DNS servers in dmz1. We added three more lines to deny access to dmz1 and inside networks while allowing the reset of traffic to go to the Internet. What about ACLs on dmz1 and inside interfaces? We do not need any ACLs on those interfaces because the default security behavior meets our requirements. Verification and troubleshooting In this session I will demonstrate a few verification and troubleshooting techniques to quickly validate the configuration and identify the problem if any. The first technique is using ICMP ping to verify network connectivity. Obviously ping is working does Page 2

3 not conclude everything else is also working. However it is a simple tool to confirm that packet from point A can reach point B. In our example we wanted to verify that hosts in each subnet of inside, dmz1 and dmz2 have Internet access. We tried pinging the Internet host at By default, the debug messages are sent to the log buffer instead of the screen. In our case, we wanted to see the logs immediately as they popping up on the screen. Responses are being received. ICMP echo request from inside: The ASA knows exactly who requested it and who is desperately waiting for it. After testing, do remember to deactivate the debug mode because it is system resource consuming. It is an excellent tool when you do not have access to either side of the servers to generate real traffic. We first simulate web browsing traffic initiated from a host on the internet with IP The following command sates: The packet comes with source IP Implicit Rule Additional Information: Forward Flow based lookup yields rule: NAT divert to egress interface dmz1 Untranslate It is a major change since ASA code 8. Prior to code 8. Phase 3 shows the outside ACL is being verified and the traffic is allowed. The reset of the phases put the packet through various of policy checks such as QoS, policy-maps and etc. In the end, a nice summary is displayed. The input interface is outside, the output interface is dmz1 and the traffic is sent through successfully. ASA1 packet-tracer input dmz2 udp Resolve Egress Interface Result: The output interface dmz1 was identified. Phase 3 checks the ACL, and it granted traffic to go through. The reset of the phases stayed the same. In the end, the packet was sent through dmz1 interface successfully. Both packet tracer results confirmed our configuration is correct. Let try packet tracer testing on something that is not supposed to work. We wanted to see the ASA actually blocks the traffic. The web server is not configured to serve FTP traffic. ASA1 packet-tracer input outside tcp Assign security level to each ASA interface same Step 2: The default route to the Internet gateway is configured the same. The ACL permits anyone on the Internet to access the web server on port We do not want the ASA to perform Network Address Translations among internal interfaces unless the traffic is heading to the outside interface. The configuration below basically states: Same logic applies the traffic going from dmz2 to dmz1. You can download the entire lab setup and configuration files for FREE. Page 3

4 Chapter 3 : 6 Steps Cisco ASA Basic Configuration Tutorial If you have a factory default configuration, see the "ASA Default Configuration" section to check if you want to change the default interface settings according to this procedure. For more information about ASA interfaces, see the "Information About ASA Interfaces" section. This step is essential and will help the ASA Firewall understand which interface is connected to the trusted private and untrusted public network: Security level for "inside" set to by default. Security level for "outside" set to 0 by default. The ASA Firewall will automatically set the security level to for inside interfaces and 0 to outside interfaces. Traffic can flow from higher security levels to lower private to public, but not the other way around public to private unless stated by an access-lists. To change the security-level of an interface use the security-level xxx command by substituting xxx with a number from 0 to The higher the number, the higher the security level. DMZ interfaces are usually configured with a security level of In case the public interface VLAN2 is configured using the ip address dhcp setroute command, configuration of the default gateway is not required. ASA config route outside 0. ASA config ping Usually these networks can be reached via a Layer3 switch or an internal router. These additional networks are contactable via a Layer3 device with IP address ASA config route outside Network Address Translation is essential to masquerade our internal network using the single IP address our Public interface has been configured with. Network Address Translation, along with all its variations Static, Dynamic etc, is covered in great depth in our popular Network Address Translation section. We will provide both commands to cover installations with software version up to v8. The following commands apply to ASA appliances with software version up to 8. Another method of configuring NAT is with the use of access lists. With software version 8. The following commands software version 8. ASA config object network network1 ASA config-network-object nat inside,outside dynamic interface! Page 4

5 Chapter 4 : CISCO ASA GETTING STARTED MANUAL Pdf Download. The ASA adaptive security appliance supports a built-in switch. There are two kinds of ports and interfaces that you need to configure: â Physical switch portsâ The adaptive security appliance has eight Fast Ethernet switch ports that forward traffic at Layer 2, using the switching function in hardware. Type enable and then simply press enter when it prompts you for a password. So to start with lets set the hostname and the configure up the interfaces. Now unlike routers which you may be used to configuring, the ports on the back of the ASA are not actual ports like you would expect to find on the back of cisco routers. Rather than configure an IP to an interface, the ports on the back are switchports. In the above you can see: Now I mentioned security levels earlier, this is a simple way of controlling access between interfaces. Think of it like being a water drop on a steep hill. Security level 0 at the bottom. Security level at the top. Quickly make sure you can ping your default gateway, then add the route and make sure you can ping something on the internet I use googles DNS server 8. That should be all right? Surely we should be able to ping google then. How can this be though? Lets try adding in a NAT rule and seeing what happens. Try opening up a browserâ We magically get google, yet pings are failing, strange. Hint starts with Access â. But we can configure them later on, for now this guide is just about getting the ASA up and running and getting you outside access, which you are now able to do. Not so hard after all was it? In this example I will store the username and password on the device itself local. Finally http server enable enables HTTP access and http Once done, browse to the gateway of the ASA https: And there we have it, the ASA is now ready to be configured to your specificationâ. Page 5

6 Chapter 5 : *How To* Configure and get started with Cisco ASA racedaydvl.com In brief, Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. The first thing to note is that the and units have 8 ports, the has 4 ports. Any port can be configured as a WAN side port or LAN side port or another type of port failover between 2 units for example. However, only the unit can use a set of ports in switching or bridging mode â enabling you to setup 1 port for the WAN connection and 7 ports as a LAN side switch where you can connect all your equipment. For some reason Cisco decided not to include this functionality in the newer units and there is some consternation about this decision and debate as the whether they can physically include that functionality in a future software release â a lot of people will upgrade to the to gain gigabit speeds is a mbit unit only expecting it to function the same as the but will be disappointed. So for now you have to use the as a standard router with 1 port for WAN and 1 port for LAN connected to a separate switch 8 port gigabit switch is pretty cheap anyway. Although you do lose the ability to do switching you do gain in terms of licensing â the basic license for a unit does not include trunking and failover. It also limits the number of inside hosts to The units basic licensing includes unlimited inside hosts and trunking via sub-interfaces. You still have to pay extra for failover though. To connect to the router there is a separate management port usually set to IP: To connect, change your network adapters IP address to an IP within that range e. In your browser goto the address: You will need Java runtime installed on your machine in order to use ASDM and you may get problems with newer versions of Java regarding certificates. Usually you can just ignore certificate warnings but if you do get problems Java 7 release 45 is the version that works without any problems. For more details on this goto the Cisco site: Or setup a self signed certificate: Setting up the WAN interface: Most broadband connections will require you authenticate with the ISPs servers using the PPPoE protocol point-to-point protocol over ethernet: Make sure the Security Level is set to zero. Make sure the interface is enabled. You may have a different setup to mine and your ISP may use a different method of connecting you e. DHCP, in which case choose the method that is relevant to your situation. Click on the Advanced tab and check the MTU setting â the default is but you may need to change this, again depending on your ISPs setup. See here for more info: There are obviously loads of other settings here because a Cisco router can basically connect to anything if setup correctly but these should be the only changes you need to make for a standard broadband connection. Setting up the LAN interface: Make sure the security level is set to a higher number than was given for the WAN port â 50 is the default. Make sure the enable interface option is ticked. Choose a static IP and fill in the IP address and Subnet mask â this is a number on your internal network. In my case I use the IP range It is also possible to use any valid IP range as these numbers are never routed to the outside world but the convention is to use a private range specifically designated for this purpose. If you wish to block this you can do so by adding a Management Access Rule. Set the Action to Deny. Set the IP address and the Mask to Any or 0. There are two ways of adding this functionality: There should be a Default Inspection rule listed â hit Edit. Goto the Rule Actions tab. Select permit for the Action. Source will by Any. I prefer the second method as it separates the default rules from the ones you have added and keeps your rules listed under one section in the Firewall Access Rules. Setting up the DHCP server: Your next task is to setup the DHCP server which assigns addresses from your local network address range when devices try to connect. In our case I have chosen Cisco routers do not allow address reservation. This is a function on, most consumer broadband routers, that allows you to reserve a particular IP for a device from the DHCP range according to the devices MAC address. This is useful if later on you want to use port forwarding to the device â you need the IP of the device to not change over time otherwise your port forwarding and routing rules, which have been specified for a particular internal IP number, will not work. This is an essential requirement if you want to host a server behind your router â web server, minecraft server etc. When using Cisco routers you have to set the devices IP statically on the devices themselves â usually in their network adapter settings. So I have started my address range at 10 so that I can use the IPs Setting up NAT translation: In order for your devices to be able to communicate to Page 6

7 the outside world you need to setup some kind of translation to and from the external IP address and your internal IP addresses. You achieve this using a NAT rule. Destination address and service should be set to Original. Your NAT screen should look something like the image below. I have added a port forwarding NAT rule just to illustrate where the NAT rule should be positioned â it should always be at the bottom of the list otherwise your port forwarding rule would overide it. For port forwarding rules read my article here: Cisco ASA Port forwarding. Configuring NAT rules guide: But just to check here is the default Access Rules screen: At the bottom is a Global rule that denies all traffic hence IP as the service â both Inbound and Outbound. And you can then explicitly allow traffic for invidual services above this rule e. Time is a critical component for the router so you should make sure the ASA is getting the correct time from the internet. You can set the time under the Clock section. To set the ntp server goto NTP section and click Add. I prefer to use the NTP. ORG servers â unfortunately you cannnot put a host name in here, you have to use an IP. Tick the preferred box. Set the interface to Outside you can set it to an internal time server if you wish. Click OK and Apply. Going forward you should make sure you keep your router up-to-date with the latest firmware and ASDM version. And one final thing â backup your configuration using Tools, Backup Configurations. Do this now and before you do any upgrades. Chapter 6 : Cisco ASA (and, ) Basic Setup â IslandEarth For the SMB/SOHO market, Cisco's initial offering was the PIX, followed by the successful Cisco ASA The latter came to an End-of-Sale in and now the replacement low-end model is the new Cisco ASA X. Chapter 7 : ASA Factory reset - Cisco Community Cisco ASA Configuration Manual. Asa series. Cisco ASA Series Configuration Guide using ASDM Software Version, for use with Cisco ASA Chapter 8 : Sample configuration for connecting Cisco ASA devices to Azure VPN gateways Microsoft Do Now unlike routers (which you may be used to configuring), the ports on the back of the ASA are not actual ports like you would expect to find on the back of cisco routers. Instead they follow the same configuration method as the Cisco /'s etc. Chapter 9 : Cisco ASA Commands Cheat Sheet Download PDF This paper will be focusing on the Cisco ASA series adaptive security appliance (with base license) and its incorporation into a small business or Home Network. Specifically, it will look at the initial. Page 7