Deploying Cisco ASA Firewall Features (FIREWALL) v1.0. Global Knowledge European Remote Labs Instructor Guide

Transcription

1 Deploying Cisco ASA Firewall Features (FIREWALL) v1.0 Global Knowledge European Remote Labs Instructor Guide Revision Draft /03/2011

2 1. Contents 1. Contents.2 2. Introduction.3 3. Remote Labs Topology, Connections and setup.3 4. Initial Lab Configuration Set-up.5 5. Lab Clear Down / Set-up Procedure.5 6. Lab Exercises.6 Lab 2:...6 Lab 3: 9 Lab 4: Lab 6: Copyright Global Knowledge - Revision Draft /03/2011 Page 2

3 2. Introduction xxxxxxxx Support Contact Details: Web Support Portal: Telephone: +44 (0) Remote Labs Topology, Connections and Setup xxxxx Copyright Global Knowledge - Revision Draft /03/2011 Page 3

4 4. Initial Lab Configuration Set-up PC Logins Load the Base configurations for all devices from the Device Management tool on the Instructor Web Access page. All PC s will have been reset to default, prior to the lab being available for use. It is recommended for the ASA s to first run the Erase Device then Load Base Config occasionally a previous class may not have cleared down correctly and the Erase will ensure no configuration corruption. Note: The initial configuration for the Pod ASA Firewalls will ensure that the correct starting IOS and ASDM files are loaded. It is also sufficient to test basic connectivity (see Lab 2-1, Task 1 in Lab Notes section below). The Core Router is used as an NTP Master Clock ensure that the Router clock is set to the current time. The Pod Client and Server logins are: administrator / cisco The Shared Server logins are: Instructor Login: administrator / globalk Student Login: studentx / cisco123 (where X is the Pod number). Note: The issue with launching the Shared Server from the Web page link for the Students has now been resolved and should work OK via the link. Core Device Logins Core Router logins are: VTY password: cisco Instructor Enable password: globalk Core Switch Instructor Enable password: globalk Copyright Global Knowledge - Revision Draft /03/2011 Page 4

5 5. Lab Clear Down Procedure Load the Base configurations for all devices from the Device Management tool on the Instructor Web Access page. Notify Remote Lab Support that you have finished using the equipment by replying to the End of Course Confirmation , which will have been sent to you during the class. Please do NOT reply to the End of Course Confirmation for any other purpose this may cause confusion and your rack may be disconnected or cleared as a result..!! Should you have not received the above , please send an to the Support address (Section 2 above), confirming the Course and Rack used, that you have completed the class and finished using the equipment. Copyright Global Knowledge - Revision Draft /03/2011 Page 5

6 6. Lab Exercises Lab 2-1: Configuring Basic Connectivity Task 1 Pre-Lab Steps: The ASA firewalls start with a base configuration, which will ensure that the correct starting IOS is loaded and also provide sufficient configuration to test connectivity to the Pod Client PC, Pod DMZ Server and the Core Router. To test, from the ASA, ping the following devices (where X is the Pod number): Client PC: DMZ Server: Core Router: 10.0.X X X.2 Task 2 Step 2: Additionally, set the interface Speed to 100 and Duplex to full. For all occasions throughout the labs, where an interface is to be configured, please set the speed and duplex as above. This will ensure correct operation and data speeds. If left to auto, incorrect operation can result, e.g. ASDM is very slow to load up, etc. Task 3 The starting ASDM version is 6.1(3). Do NOT install the Desktop icons when asked. Once ASDM is upgraded to version 6.2(5)53, they will no longer operate. always launch ASDM via a Web browser to Task 4 - Steps 2 & 3: Reminder to set speed to 100 and duplex to full. Task 5 All OK Task 6 All OK Copyright Global Knowledge - Revision Draft /03/2011 Page 6

7 Lab 2-2: Configuring Management Features Task 1 Step 3: DO NOT use the ASDM to TFTP the files to the ASA. Although the transfer will work OK, many times the IOS will then fail to load. Instead use command line to TFTP the files across to the ASA. copy tftp: disk0: Additionally, if the file already exists in flash, it should first be deleted it has been found that a pre-existing file in flash may cause the file corruption on TFTP transfer. Should the reload fail, do the following: Reboot the ASA via the Power Management tool on the Instructor Web page. Press ESC when prompted during the boot process. Enter: boot disk0:/asa803-k8.bin Wait for the ASA to reboot and then TFTP the files again via the command line. Task 2 Step 1: The old 6.1(3) ASDM may have been left open, if so, close all windows and reopen via a Web Browser (any desktop icon will fail). Note: The correct time for the NTP Master Core Router should have been set prior to this lab. Task 3 Step 4: via Logging Filters Task 4 All OK Task 5 Step 5: The ASA command required is: crypto key generate rsa modulus 2048 Task 6 Step 9: Supply the User credentials of student / cisco Copyright Global Knowledge - Revision Draft /03/2011 Page 7

8 Lab 3-1: Configuring Basic Access Control Task 2 All OK Task 3 Step 2: Note that this step is to configure incorrect IP address for the Shared Server HOWEVER the DMZ network SHOULD be X.0 /24. This allows for a failure test to be performed first. Then the correct IP address for the Shared Server is configured. Task 4 All OK. Lab 3-2: Tuning Basic Cisco ASA Adaptive Security Appliance Stateful Inspection Features Task 2 All OK Task 3 All OK Lab 3-3: Configuring Application-Layer Policies Task 2 All OK Except, during testing it was not possible to block the PNG image file. Currently not sure if this is a lab step problem or an issue with the Web Site build. Further testing is on-going. Does not affect any other lab steps so can safely move on. Copyright Global Knowledge - Revision Draft /03/2011 Page 8

9 Lab 3-4: Configuring Advanced Access Controls Task 2 All OK Task 3 A reboot of the ASA may be required before logging output is seen. Task 4 All OK Task 5 Botnet This is an optional task. Skip this task as we do not currently have the BOTNET licenses. Lab 3-5: Configuring User-Based Policies (Cut-Through Proxy) Task 2 All OK Task 3 All OK Task 4 All OK On completion, ensure that all AAA configuration is removed. The simplest method is to use the command line: clear configure aaa Lab 4-1: Configuring Cisco ASA Adaptive Security Appliance NAT Task 2 All OK Task 3 All OK. Student Telnet password for the Core Router is: cisco Copyright Global Knowledge - Revision Draft /03/2011 Page 9

10 Lab 4-2: Configuring Transparent Firewall Mode Task 1 Step 1: Record the Client PC IP settings first to allow later reconfiguration. Use the PC interface marked CLASS LAB INTERFACE. Task 2 Step 2: ENSURE that the configuration has been properly saved to flash BEFORE setting the firewall to transparent mode. (It is intended that a recovery configuration will be supplied, to be loaded via the Device Management tool in case of accidents..). Task 3 Reminder to set interface speed and duplex. Task 4 If the ping to the Core Router fails, try clearing the ARP cache on the ASA Firewall (see note in Lab Guide at the top of Page 100). Task 5 Note: Ensure that the ASA is configured to provide ASDM version 6.2(5)53: asdm image disk0:/asdm-625.bin Step 14: The source network is incorrect in the Answer Key. It should be X.0/24 Task 6 Step 3: Only restore the configurations on the odd numbered Pod ASA s (1, 3, 5 & 7) as the even numbered Pod ASA s will be used as Failover Devices during the next lab. Client PC IP addressing is: IP Address: 10.0.X Default Gateway: 10.0.X.1 Copyright Global Knowledge - Revision Draft /03/2011 Page 10

11 Lab 5-1: Deploying a Cisco ASA Adaptive Security Appliance Active/Standby Failover Setup Load the Lab 5-1 configurations to Core Switches 1 and 2, ASA s 2, 4, 6 and 8 as required. At this stage, students will be paired up in order to provide the required pair of ASA s for the Failover Labs (lab 5-1 and Lab 5-2). The pairs are set as follows: Pod 1 & 2, Pod 3 & 4, Pod 5 & 6, Pod 7 & 8 Note: Loading the Lab 5-1 configurations on the Even numbered Pod ASA s (2, 4, 6 & 8) will erase any remaining configuration. At this point students should switch their Web Access page view from the drop-down menu at the top right of the page select Lab 5-1 Active/Standby Failover Note: Both the even and odd numbered pod ASA s are now shown, HOWEVER the PC s used for this lab (Lab 5-1) and the next lab (Lab 5-2) will be only the odd numbered Pod PC s. e.g. For the Pod 1 / 2 pair, the PC s are from Pod 1, for the Pod 3 / 4 pair, the Pc s are from Pod 3 etc. Access the Core Router and ensure that the ARP Cache is cleared: clear arp Ensure ALL Pod ASA s are running with IOS version 8.2(2) and that the ASDM image is set to version 6.2(5)53. Failover will fail unless both ASA s in a pair are running identical IOS and ASDM images. Task 2 All OK Task 3 Step 5: show ip and show fail. Step 7: Using ls in FTP fails as this has not been permitted during earlier lab steps. pwd will work to prove the connection. As an alternative, telnet to the Core Router on X.2 would prove the test successfully. Step 9: Also, review the Syslog output on the DMZ server for failover messages. Copyright Global Knowledge - Revision Draft /03/2011 Page 11

12 Task 4 All OK Task 5 All OK Lab 5-2: Deploying a Cisco ASA Adaptive Security Appliance Active/Active Failover Setup Load the Lab 5-2 configurations to the Core Router, Core Switches 1 and 2. Students are asked to erase the ASA configurations as part of the initial lab steps, however, if preferred, the Erase Device configuration script can be used instead. Task 1 Verify that all ASA s now have a Blank configuration and all are running IOS version 8.2(2) and ASDM version 6.2(5)53. Task 2 Set all interfaces for speed and duplex. Note: The X for the ASA2 is the Odd numbered Pod number NOT the even pod number e.g. Pod 1 not Pod 2, Pod 3 not Pod 4 etc Task 3 All OK Task 4 Initial Answer key output example for the show fail command shows the initial stae when the ASA1 is Active for both groups. The second show fail command is the output after the ASA2 has been configured to be Active for Group 2. Task 5 All OK Task 6 All OK Copyright Global Knowledge - Revision Draft /03/2011 Page 12