CCNASv1.1_Chp10_Lab-A_ASA-FW-CLI_Student.doc


8/14/2019 CCNASv1.1_Chp10_Lab-A_ASA-FW-CLI_Student.doc

CCNA Security

Chapter 10 Lab A: Configuring ASA Basic Settings and Firewall Using CLI

Topology

Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet interfaces.

All contents are Copyright 1992-2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 24

IP Addressing Table

Device | Interface     | IP Address      | Subnet Mask     | Default Gateway | Switch Port
R1     | Fa0/0         | 209.165.200.225 | 255.255.255.248 | N/A             | ASA E0/0
R1     | S0/0/0 (DCE)  | 10.1.1.1        | 255.255.255.252 | N/A             | N/A
R2     | S0/0/0        | 10.1.1.2        | 255.255.255.252 | N/A             | N/A
R2     | S0/0/1 (DCE)  | 10.2.2.2        | 255.255.255.252 | N/A             | N/A
R3     | Fa0/1         | 172.16.3.1      | 255.255.255.0   | N/A             | S3 Fa0/5
R3     | S0/0/1        | 10.2.2.1        | 255.255.255.252 | N/A             | N/A
ASA    | VLAN 1 (E0/1) | 192.168.1.1     | 255.255.255.0   | N/A             | S2 Fa0/24
ASA    | VLAN 2 (E0/0) | 209.165.200.226 | 255.255.255.248 | N/A             | R1 Fa0/0
ASA    | VLAN 3 (E0/2) | 192.168.2.1     | 255.255.255.0   | N/A             | S1 Fa0/24
PC-A   | NIC           | 192.168.2.3     | 255.255.255.0   | 192.168.2.1     | S1 Fa0/6
PC-B   | NIC           | 192.168.1.3     | 255.255.255.0   | 192.168.1.1     | S2 Fa0/18
PC-C   | NIC           | 172.16.3.3      | 255.255.255.0   | 172.16.3.1      | S3 Fa0/18

Objectives

Part 1: Lab Setup
Cable the network as shown in the topology.
Configure hostnames and interface IP addresses for routers, switches, and PCs.
Configure static routing, including default routes, between R1, R2, and R3.
Configure HTTP and Telnet access for R1.
Verify connectivity between hosts, switches, and routers.

Part 2: Accessing the ASA Console and Using CLI Setup Mode to Configure Basic Settings
Access the ASA console and view hardware, software, and configuration settings.
Clear previous configuration settings.
Use CLI Setup mode to configure basic settings (hostname, passwords, clock, etc.).

Part 3: Configuring Basic ASA Settings and Interface Security Levels Using CLI
Configure the hostname and domain name.
Configure the login and enable passwords.
Set the date and time.
Configure the inside and outside interfaces.
Test connectivity to the ASA.
Configure remote management with Telnet.
Configure HTTPS access to the ASA for ASDM.

Part 4: Configuring Routing, Address Translation and Inspection Policy Using CLI

Configure a static default route for the ASA.
Configure port address translation (PAT) for the inside network.
Modify the MPF application inspection policy.

Part 5: Configuring DHCP, AAA, and SSH
Configure the ASA as a DHCP server/client.
Configure local AAA user authentication.
Configure remote management with SSH.

Part 6: Configuring a DMZ, Static NAT, and ACLs
Configure static NAT for the DMZ server.
Configure an ACL on the ASA to allow access to the DMZ for Internet users.
Verify access to the DMZ server for external and internal users.

Background / Scenario

The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall as well as VPN and other capabilities. This lab employs an ASA 5505 to create a firewall and protect an internal corporate network from external intruders while allowing internal hosts access to the Internet. The ASA creates three security interfaces: Outside, Inside, and DMZ. Inside, Outside and DMZ

1 ASA 5505 (OS version 8.4(2) and ASDM version 6.4(5) and Base license or comparable)
PC-A: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client
PC-B: Windows XP, Vista, or Windows 7 with PuTTY SSH client (ASDM optional)
PC-C: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client
Serial and Ethernet cables as shown in the topology
Rollover cables to configure the routers and ASA via the console

Part 1: Basic Router/Switch/PC Configuration

In Part 1 of this lab, you set up the network topology and configure basic settings on the routers, such as interface IP addresses and static routing.

Note: Do not configure any ASA settings at this time.

Step 1: Cable the network and clear previous device settings.

Attach the devices that are shown in the topology diagram and cable as necessary. Make sure that the routers and switches have been erased and have no startup configurations.

Step 2: Configure basic settings for routers and switches.

a. Configure host names as shown in the topology for each router.

b. Configure router interface IP addresses as shown in the IP Addressing Table.

c. Configure a clock rate for routers with a DCE serial cable attached to their serial interface. Router R1 is shown here as an example.

    R1(config)# interface S0/0/0
    R1(config-if)# clock rate 64000

d. Configure the host name for the switches. Other than the host name, the switches can be left in their default configuration state. Configuring the VLAN management IP address for the switches is optional.

Step 3: Configure static routing on the routers.

a. Configure a static default route from R1 to R2 and from R3 to R2.

    R1(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/0
    R3(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/1

b. Configure a static route from R2 to the R1 Fa0/0 subnet (connected to ASA interface E0/0) and a static route from R2 to the R3 LAN.

    R2(config)# ip route 209.165.200.224 255.255.255.248 Serial0/0/0
    R2(config)# ip route 172.16.3.0 255.255.255.0 Serial0/0/1

Step 4: Enable the HTTP server on R1 and set the enable and vty passwords.

a. Enable HTTP access to R1 using the ip http server command in global config mode. Also set the console and VTY passwords to cisco. This will provide web and Telnet targets for testing later in the lab.

    R1(config)# ip http server
    R1(config)# enable password class
    R1(config)# line vty 0 4
    R1(config-line)# password cisco
    R1(config-line)# login
    R1(config)# line con 0
    R1(config-line)# password cisco
    R1(config-line)# login

b. On routers R2 and R3, set the same enable, console and vty passwords as with R1.

Step 5: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C as shown in the IP Addressing Table.

Step 6: Verify connectivity.

Because the ASA is the focal point for the network zones and it has not yet been configured, there will be no connectivity between devices that are connected to it. However, PC-C should be able to ping the R1 interface. From PC-C, ping the R1 Fa0/0 IP address (209.165.200.225). If these pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-C to R1 Fa0/0 and S0/0/0, you have demonstrated that static routing is configured and functioning correctly.

Step 7: Save the basic running configuration for each router and switch.

Part 2: Accessing the ASA Console and Using Setup to Configure Basic Settings

In Part 2 of this lab, you will access the ASA via the console and use various show commands to determine hardware, software, and configuration settings. You will clear the current configuration and use the CLI interactive Setup utility to configure basic ASA settings.

Note: Do not configure any ASA settings at this time.

Step 1: Access the ASA console.

a. Accessing the ASA via the console port is the same as with a Cisco router or switch. Connect to the ASA console port with a rollover cable.

b. Use a terminal emulation program such as TeraTerm or HyperTerminal to access the CLI. Then use the serial port settings of 9600 baud, eight data bits, no parity, one stop bit, and no flow control.

c. Enter privileged mode with the enable command and password (if set). By default the password is blank, so you can just press Enter. If the password has been changed to that specified in this lab, enter the word class. The default ASA hostname and prompt is ciscoasa>.

    ciscoasa> enable
    Password: class (or press Enter if none set)

Step 2: Determine the ASA version, interfaces, and license.

The ASA 5505 comes with an integrated 8-port Ethernet switch. Ports E0/0 through E0/5 are normal Fast Ethernet ports, and ports E0/6 and E0/7 are PoE ports for use with PoE devices such as IP phones or network cameras.

a. Use the show version command to determine various aspects of this ASA device.

    ciscoasa# show version

    Cisco Adaptive Security Appliance Software Version 8.4(2)
    Device Manager Version 6.4(5)

    Compiled on Wed 15-Jun-11 18:17 by builders
    System image file is "disk0:/asa842-k8.bin"
    Config file at boot was "startup-config"

    ciscoasa up 23 hours 0 mins

    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    <output omitted>

What software version is this ASA running?

What is the name of the system image file and from where was it loaded?

The ASA can be managed using a built-in GUI known as the Adaptive Security Device Manager (ASDM). What version of ASDM is this ASA running?

How much RAM does this ASA have?

How much flash memory does this ASA have?

How many Ethernet ports does this ASA have?

What type of license does this ASA have?

How many VLANs can be created with this license?

Step 3: Determine the file system and contents of flash memory.

a. Display the ASA file system using the show file system command to determine what prefixes are supported.

    ciscoasa# show file system

    File Systems:

          Size(b)     Free(b)  Type     Flags  Prefixes
    *   128573440    55664640  disk     rw     disk0: flash:
                -           -  network  rw     tftp:
                -           -  opaque   rw     system:
                -           -  network  ro     http:
                -           -  network  ro     https:
                -           -  network  rw     ftp:
                -           -  network  rw     smb:

What is another name for flash:?

b. Display the contents of flash memory using one of these commands: show flash, show disk0, dir flash:, or dir disk0:.

    ciscoasa# show flash:
    --#--  --length--  -----date/time------  path
    168    25159680    Aug 29 2011 13:00:52  asa842-k8.bin
    122    0           Aug 29 2011 13:09:32  nat_ident_migrate
    13     2048        Aug 29 2011 13:02:14  coredumpinfo
    14     59          Aug 29 2011 13:02:14  coredumpinfo/coredump.cfg
    169    16280544    Aug 29 2011 13:02:58  asdm-645.bin
    3      2048        Aug 29 2011 13:04:42  log

    6      2048        Aug 29 2011 13:05:00  crypto_archive
    171    34816       Jan 01 1980 00:00:00  FSCK0000.REC
    173    36864       Jan 01 1980 00:00:00  FSCK0001.REC
    174    12998641    Aug 29 2011 13:09:22  csd_3.5.2008-k9.pkg
    175    2048        Aug 29 2011 13:09:24  sdesktop
    211    0           Aug 29 2011 13:09:24  sdesktop/data.xml
    176    6487517     Aug 29 2011 13:09:26  anyconnect-macosx-i386-2.5.2014-k9.pkg
    177    6689498     Aug 29 2011 13:09:30  anyconnect-linux-2.5.2014-k9.pkg
    178    4678691     Aug 29 2011 13:09:32  anyconnect-win-2.5.2014-k9.pkg
    <output omitted>

What is the name of the ASDM file in flash?

Step 4: Determine the current running configuration.

The ASA 5505 is commonly used as an edge security device that connects a small business or teleworker to an ISP device, such as a DSL or cable modem, for access to the Internet. The default factory configuration for the ASA 5505 includes the following:

An inside VLAN 1 interface is configured that includes the Ethernet 0/1 through 0/7 switch ports. The VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.

An outside VLAN 2 interface is configured that includes the Ethernet 0/0 switch port. By default, VLAN 2 derives its IP address from the ISP using DHCP.

The default route is also derived from the DHCP default gateway.

All inside IP addresses are translated when accessing the outside, using interface PAT on the VLAN 2 interface.

By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.

The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.5 and 192.168.1.36 (base license), though the actual range may vary.

The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0/24 network.

No console or enable passwords are required, and the default host name is ciscoasa.

Note: In this lab you will manually configure settings similar to those listed above, as well as some additional ones, using the ASA CLI.

a. Display the current running configuration using the show running-config command.

    ciscoasa# show running-config
    : Saved
    :
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted

    <output omitted>

Note: To stop the output from a command using the CLI, press the letter Q.

If you see VLANs 1 and 2 and other settings as described previously, the device is most likely configured with the default factory configuration. You may also see other security features, such as a global policy that inspects selected application traffic, which the ASA inserts by default if the original startup configuration has been erased. The actual output will vary depending on the ASA model, version and configuration status.

b. You can restore the ASA to its factory default settings by using the command configure factory-default as shown here.

    ciscoasa# conf t
    ciscoasa(config)# configure factory-default

    WARNING: The boot system configuration will be cleared.
    The first image found in disk0:/ will be used to boot the
    system on the next reload.
    Verify there is a valid image on disk0:/ or the system will
    not boot.

    Begin to apply factory-default configuration:
    Clear all configuration
    WARNING: DHCPD bind
ings cleared on interface 'inside', address pool removed
    Executing command: interface Ethernet 0/0
    Executing command: switchport access vlan 2
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/1
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    <output omitted>

c. Review this output and pay particular attention to the VLAN interfaces, and the NAT and DHCP related sections. These will be configured later in this lab using the CLI.

d. You may wish to capture and print the factory-default configuration as a reference. Use the terminal emulation program to copy it from the ASA and paste it into a text document. You can then edit this file, if desired, so that it contains only valid commands. You should also remove password commands and enter the no shut command to bring up the desired interfaces.

Step 5: Clear the previous ASA configuration settings.

a. Use the write erase command to remove the startup-config file from flash memory.

    ciscoasa# write erase
    Erase configuration in flash memory? [confirm]

    ****** --- START GRACEFUL SHUTDOWN

Note: In the above configuration, the IP address of the host running ASDM was left blank. It is not necessary to install ASDM on a host. It can be run from the flash memory of the ASA device itself using the browser of the host. This process is described in Chapter 10 Lab B, Configuring ASA Basic Settings and Firewall Using ASDM.

You may also see the warning above stating that the ASA HTTP server has not yet been enabled. This will be done in a subsequent step.

Note: The responses to the prompts are automatically stored in the startup-config and the running config. However, additional security related commands, such as a global default inspection service policy, are inserted into the running-config by the ASA OS.

b. Issue the show run command to see the additional security related configuration commands that are inserted by the ASA.

c. Issue the copy run start command to capture the additional security related commands in the startup-config.

d. Issue the reload command to restart the ASA and load the startup configuration.

    ASA-Init# reload
    Proceed with reload? [confirm] <Enter>
    <output omitted>

e. Enter privileged EXEC mode with the enable command. Provide the password set in Step 6a (cisco). Issue the show running-config command. You should see the entries you provided in the interactive configuration process.

Part 3: Configuring ASA Settings and Interface Security Using the CLI

In Part 3 of this lab, you configure basic settings by using the ASA CLI, even though some of them were already configured using the Setup mode interactive prompts in Part 2. In this part you start with the settings configured in Part 2 and add to or modify them to create a more complete basic configuration.

Tip: You will find that many ASA CLI commands are similar to, if not the same as, those used with the Cisco IOS CLI. In addition, moving between configuration modes and submodes is essentially the same.

Note: You must complete Part 2 before beginning Part 3.

Step 1: Configure the hostname and domain name.

a. Enter global configuration mode using the config t command. The first time you enter configuration mode after running Setup you will be asked if you wish to enable anonymous reporting. Respond with "no".

    ASA-Init# conf t
    ASA-Init(config)#
    *****************************

    issue the command "call-home reporting anonymous".
    Please remember to save your configuration.

b. Configure the ASA host name using the hostname command.

    ASA-Init(config)# hostname CCNAS-ASA

c. Configure the domain name using the domain-name command.

    CCNAS-ASA(config)# domain-name ccnasecurity.com

Step 2: Configure the login and enable mode passwords.

a. The login password is used for Telnet connections (and SSH prior to ASA version 8.4). By default it is set to cisco. You can change the login password using the passwd or password command. For this lab, leave it set to the default of cisco.

b. Configure the privileged EXEC mode (enable) password using the enable password command.

    CCNAS-ASA(config)# enable password class

Step 3: Set the date and time.

a. The date and time can be set manually using the clock set command. The syntax for the clock set command is clock set hh:mm:ss {month day | day month} year. The following is an example of how to set the date and time using a 24-hour clock.

    CCNAS-ASA(config)# clock set 14:25:00 october 1 2011

Step 4: Configure the inside and outside interfaces.

ASA 5505 interface notes: The 5505 is different from the other 5500 series ASA models. With other ASAs, the physical port can be assigned a Layer 3 IP address directly, much like a Cisco router. With the ASA 5505, the eight integrated switch ports are Layer 2 ports. To assign Layer 3 parameters, you must create a switch virtual interface (SVI) or logical VLAN interface and then assign one or more of the physical Layer 2 ports to it. All 8 switch ports are initially assigned to VLAN 1, unless the factory default config is present, in which case port E0/0 is assigned to VLAN 2. In this step you create internal and external VLAN interfaces, name them, assign IP addresses, and set the interface security level.

If you completed the initial configuration Setup utility, interface VLAN 1 is configured as the management VLAN with an IP address of 192.168.1.1. You will configure it as the inside interface for this lab. You will only configure the VLAN 1 (inside) and VLAN 2 (outside) interfaces at this time. The VLAN 3 (dmz) interface will be configured in Part 6 of the lab.

a. Configure a logical VLAN 1 interface for the inside network, 192.168.1.0/24, and set the security level to the highest setting of 100.

    CCNAS-ASA(config)# interface vlan 1
    CCNAS-ASA(config-if)# nameif inside
    CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
    CCNAS-ASA(config-if)# security-level 100

b. Create a logical VLAN 2 interface for the outside network, 209.165.200.224/29, set the security level to the lowest setting of 0 and bring up the VLAN 2 interface.

    CCNAS-ASA(config-if)# interface vlan 2
    CCNAS-ASA(config-if)# nameif outside
    INFO: Security level for "outside" set to 0 by default.
    CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
    CCNAS-ASA(config-if)# security-level 0

    CCNAS-ASA(config-if)# no shutdown

Interface security level notes: You may receive a message that the security level for the inside interface was set automatically to 100 and the outside interface was set to 0. The ASA uses interface security levels from 0 to 100 to enforce the security policy. Security level 100 (inside) is the most secure and level 0 (outside) is the least secure.

By default, the ASA applies a policy where traffic from a higher security level interface to one with a lower level is permitted, and traffic from a lower security level interface to one with a higher security level is denied. The ASA default security policy permits outbound traffic, which is inspected by default. Returning traffic is allowed because of stateful packet inspection. This default "routed mode" firewall behavior of the ASA allows packets to be routed from the inside network to the outside network but not vice versa. In Part 4 of this lab you will configure NAT to increase the firewall protection.

c. Use the show interface command to ensure that ASA Layer 2 ports E0/0 (for VLAN 2) and E0/1 (for VLAN 1) are both up. An example is shown for E0/0. If either port is shown as down/down, check the physical connections. If either port is administratively down, bring it up with the no shutdown command.

    CCNAS-ASA# show interface e0/0
    Interface Ethernet0/0 "", is administratively down, line protocol is up
      Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    <output omitted>

d. Assign ASA Layer 2 port E0/1 to VLAN 1 and port E0/0 to VLAN 2, and use the no shutdown command to ensure they are up.

    CCNAS-ASA(config)# interface e0/1
    CCNAS-ASA(config-if)# switchport access vlan 1
    CCNAS-ASA(config-if)# no shutdown
    CCNAS-ASA(config-if)# interface e0/0
    CCNAS-ASA(config-if)# switchport access vlan 2
    CCNAS-ASA(config-if)# no shutdown

Note: Even though E0/1 is in VLAN 1 by default, the commands are provided above.

e. Display the status for all ASA interfaces using the show interface ip brief command. Note that this command is different from the IOS command show ip interface brief. If any of the physical or logical interfaces previously configured are not UP/UP, troubleshoot as necessary before continuing.

Tip: Most ASA show commands, as well as ping, copy and others, can be issued from within any config mode prompt without the "do" command required with IOS.

    CCNAS-ASA(config)# show interface ip brief
    Interface                  IP-Address

    System IP Addresses:
    Interface   Name     IP address        Subnet mask       Method
    Vlan1       inside   192.168.1.1       255.255.255.0     manual
    Vlan2       outside  209.165.200.226   255.255.255.248   manual
    Current IP Addresses:
    Interface   Name     IP address        Subnet mask       Method
    Vlan1       inside   192.168.1.1       255.255.255.0     manual
    Vlan2       outside  209.165.200.226   255.255.255.248   manual

g. Use the show switch vlan command to display the inside and outside VLANs configured on the ASA and to display the assigned ports.

    CCNAS-ASA# show switch vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -----------------------------
    1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                    Et0/5, Et0/6, Et0/7
    2    outside                          up        Et0/0

h. You may also use the command show running-config interface type/number to display the configuration for a particular interface from the running-config.

    CCNAS-ASA# show run interface vlan 1
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0

Step 5: Test connectivity to the ASA.

a. Ensure that PC-B has a static IP address of 192.168.1.3 along with subnet mask 255.255.255.0 and default gateway 192.168.1.1 (the IP address of the ASA VLAN 1 inside interface).

b. You should be able to ping from PC-B to the ASA inside interface address and ping from the ASA to PC-B. If the pings fail, troubleshoot the configuration as necessary.

    CCNAS-ASA# ping 192.168.1.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

c. From PC-B, ping the VLAN 2 (outside) interface at IP address 209.165.200.226. You should not be able to ping this address.

d. From PC-B, telnet to the ASA using address 192.168.1.1. Were you able to make the connection? Why or why not?

Step 6: Configure Telnet access to the ASA from the inside network.

a. You can configure the ASA to accept Telnet connections from a single host or a range of hosts on the inside network. Configure the ASA to allow Telnet connections from any host on the inside network 192.168.1.0/24 and set the Telnet timeout to 10 minutes (the default is 5 minutes).

    CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
    CCNAS-ASA(config)# telnet timeout 10

b. From PC-B, telnet to the ASA using address 192.168.1.1 to verify the Telnet access. Use the remote access login password cisco to access the ASA CLI prompt. Exit the Telnet session using the quit command.

Note: You cannot use Telnet to the lowest security interface (outside) from the outside unless you use Telnet inside an IPsec tunnel. Telnet is not the preferred remote access tool because of its lack of encryption. In Part 5 of this lab you will configure SSH access from the internal and external network.

Step 7: Configure ASDM access to the ASA.

a. You can configure the ASA to accept HTTPS connections using the http command. This allows access to the ASA GUI (ASDM). Configure the ASA to allow HTTPS connections from any host on the inside network 192.168.1.0/24.

    CCNAS-ASA(config)# http server enable
    CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside

b. Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1. You will be prompted with a security certificate warning. Click Continue to this website. Click

           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o -

    1 in use, 28 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    ICMP PAT from inside:192.168.1.3/512 to outside:209.165.200.226/21469 flags ri idle 0:00:03 timeout 0:00:30

Note: The flags (r and i) indicate that the translation was based on a port map (r) and was done dynamically (i).

f. Open a browser on PC-B and enter the IP address of R1 Fa0/0 (209.165.200.225). You should be prompted by R1 for SDM or CCP GUI login. TCP-based HTTP traffic is permitted by default by the firewall inspection policy.

g. On the ASA, use the show nat and show xlate commands again to see the hits and addresses being translated for the HTTP connection.

Step 3: Modify the default MPF application inspection global service policy.

For application layer inspection, as well as other advanced options, the Cisco Modular Policy Framework (MPF) is available on ASAs. Cisco MPF uses three configuration objects to define modular, object-oriented, hierarchical policies:

Class maps: Define a match criterion
Policy maps: Associate actions to the match criteria
Service policies: Attach the policy map to an interface, or globally to all interfaces of the appliance.

a. Display the default MPF policy map that performs the inspection on inside-to-outside traffic. Only traffic that was initiated from the inside is allowed back in to the outside interface. Notice that the ICMP protocol is missing.

    CCNAS-ASA# show run
    <output omitted>
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global

b. Add the inspection of ICMP traffic to the policy map list using the following commands:

    CCNAS-ASA(config)# policy-map global_policy
    CCNAS-ASA(config-pmap)# class inspection_default

    CCNAS-ASA(config-pmap-c)# inspect icmp

c. From PC-B, attempt to ping the R1 Fa0/0 interface at IP address 209.165.200.225. The pings should be successful this time because ICMP traffic is now being inspected and legitimate return traffic is being allowed.
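The default security-level behavior described in the Part 3, Step 4 interface notes, and the effect of adding inspect icmp in Step 3 above, can be replayed in a small model. This is an added example written for this lab, not Cisco code or output: the two-interface model, the Packet and AsaModel names and the connection-table logic are assumptions, and NAT and ACLs are ignored.

```python
"""Model of the ASA default policy the lab describes: new connections may
start from a higher security level toward a lower one (inside 100 -> outside 0)
and never the reverse, and return traffic is admitted only because stateful
inspection recorded the outbound flow.

Added illustration for this lab, not Cisco code. Two interfaces only, no NAT or
ACLs; ICMP is treated as the lab observes it: echo replies come back only once
"inspect icmp" is part of the global policy."""

from dataclasses import dataclass, field

# Interface names and levels from the lab's nameif/security-level commands.
LAB_LEVELS = {"inside": 100, "outside": 0}

# Hosts from the lab's addressing table.
PC_B = "192.168.1.3"          # inside
R1_FA00 = "209.165.200.225"   # outside


@dataclass(frozen=True)
class Packet:
    ingress: str   # ASA interface the packet arrives on
    proto: str     # "tcp", "udp" or "icmp"
    src: str
    sport: int     # for icmp: echo identifier on the request, 0 on the reply
    dst: str
    dport: int     # for icmp: 0 on the request, echo identifier on the reply


@dataclass
class AsaModel:
    levels: dict
    inspect_icmp: bool = False
    # Connection table keyed by the 5-tuple of the flow that opened it.
    conns: set = field(default_factory=set)

    def _egress(self, ingress):
        return next(name for name in self.levels if name != ingress)

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def forward(self, p):
        """Return "new", "return" or "denied" for one packet."""
        # Stateful inspection: a packet answering a recorded connection is
        # allowed whatever interface it arrives on.
        if self._reverse_key(p) in self.conns:
            return "return"
        # Default level policy: initiate only from a higher to a lower level.
        if self.levels[p.ingress] <= self.levels[self._egress(p.ingress)]:
            return "denied"
        # TCP/UDP flows are always tracked; ICMP only with "inspect icmp".
        if p.proto != "icmp" or self.inspect_icmp:
            self.conns.add(self._key(p))
        return "new"


def ping_exchange(asa):
    """PC-B pings R1: verdict for the echo request and for the echo reply."""
    echo = Packet("inside", "icmp", PC_B, 0x1234, R1_FA00, 0)
    reply = Packet("outside", "icmp", R1_FA00, 0, PC_B, 0x1234)
    return asa.forward(echo), asa.forward(reply)


def lab_scenarios():
    """Replay the lab's connectivity tests against the model."""
    results = {}
    # Part 4, Step 3a/3c: the ping from PC-B to R1 fails until ICMP is inspected.
    results["icmp_without_inspect"] = ping_exchange(AsaModel(LAB_LEVELS))
    results["icmp_with_inspect"] = ping_exchange(AsaModel(LAB_LEVELS, inspect_icmp=True))
    # Part 4, step f: TCP-based HTTP from PC-B to R1 is permitted by default.
    asa = AsaModel(LAB_LEVELS)
    syn = Packet("inside", "tcp", PC_B, 49152, R1_FA00, 80)
    syn_ack = Packet("outside", "tcp", R1_FA00, 80, PC_B, 49152)
    results["http_from_inside"] = (asa.forward(syn), asa.forward(syn_ack))
    # Part 3, Step 4: unsolicited traffic from outside toward inside is denied.
    results["telnet_from_outside"] = asa.forward(
        Packet("outside", "tcp", R1_FA00, 40000, PC_B, 23))
    return results


if __name__ == "__main__":
    for name, verdict in lab_scenarios().items():
        print(f"{name}: {verdict}")
```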

    "art : Configuring #C"/ AAA/ and SS

    In 'art + of this lab$ yo& config&re ASA feat&res$ s&ch as /9C' and enhanced login sec&rity$ &sing AAAand SS9.

    Note:@o& #&st co#plete 'art ( before beginning 'art +.

    Step 1: Configure the ASA as a #C" ser$er+

    %he ASA can be both a /9C' server and a /9C' client. In this step yo& config&re the ASA as a /9C'server to dyna#ically assign I' addresses for /9C' clients on the inside net7or8.

    a. Config&re a /9C' address pool and enable it on the ASA inside interface. %his is the range ofaddresses to be assigned to inside /9C' clients. Atte#pt to set the range fro# 12.1*,.1.+ thro&gh

    12.1*,.1.1"".CCAS-ASA(config)# !hcp! a!!ress 192.168.1.5)192.168.1.100 insi!e*arning4 %CP pool range is liited to 32 addresses4 set address range as: 1G21'"1-1G21'"13'

    ere yo& able to do this on this ASA

    Repeat the !hcp!co##and and specify the pool as 12.1*,.1.+512.1*,.1.*

    CAS-ASA(config)# !hcp! a!!ress 192.168.1.5)192.168.1.36 insi!e

    b. ?ptional0 Specify the I' address of the /-S server to be given to clients.

    CCAS-ASA(config)# !hcp! !ns 209.165.201.2

    Note: ?ther para#eters can be specified for clients$ s&ch as I-S server$ lease length$ and do#ainna#e.

    c. Enable the /9C' dae#on 7ithin the ASA to listen for /9C' client reH&ests on the enabled interfaceinside0.

    CCAS-ASA(config)# !hcp! enable insi!e

    d. 3erify the /9C' dae#on config&ration by &sing the sho run !hcp!co##and.

    CCNAS-ASA(config)# show run dhcpd
    dhcpd address 192.168.1.5-192.168.1.36 inside
    dhcpd enable inside

    e. Access the Network Connection IP Properties for PC-B and change it from a static IP address to a DHCP client so that it obtains an IP address automatically from the ASA DHCP server. The procedure to do this varies depending on the PC operating system. It may be necessary to issue the ipconfig /renew command on PC-B to force it to obtain a new IP address from the ASA.

    Step 2: Configure AAA to use the local database for authentication.

    a. Define a local user named admin by entering the username command. Specify a password of cisco123.

    CCNAS-ASA(config)# username admin password cisco123

    b. Configure AAA to use the local ASA database for Telnet and SSH user authentication.

    CCNAS-ASA(config)# aaa authentication ssh console LOCAL


    CCNAS-ASA(config)# aaa authentication telnet console LOCAL

    Note: For added security, starting in ASA version 8.4(2), it is necessary to configure AAA authentication in order to support SSH connections. The Telnet/SSH default login is not supported. You can no longer connect to the ASA using SSH with the default username and the login password.

    Step 3: Configure SSH remote access to the ASA.

    You can configure the ASA to accept SSH connections from a single host or a range of hosts on the inside or outside network.

    a. Generate an RSA key pair, which is required to support SSH connections. The modulus (in bits) can be 512, 768, 1024, or 2048. The larger the key modulus size you specify, the longer it takes to generate the RSA key pair. Specify a modulus of 1024 using the crypto key command.

    CCNAS-ASA(config)# crypto key generate rsa modulus 1024
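The following is an added example, not text from the lab: Part 5 entered as one configuration sequence on CCNAS-ASA, so the DHCP, AAA and SSH pieces can be seen together. The DHCP pool, DNS server and admin account values are the ones the lab uses; the two ssh lines that restrict where management sessions may come from and how long an idle session lives are assumptions (the inside network 192.168.1.0/24 and a 10-minute timeout), added because the page as extracted here does not show them.

```cisco
! Added example (not the lab's own text): Part 5 as one sequence on CCNAS-ASA.
! Assumptions: SSH management hosts live on the inside network 192.168.1.0/24
! and an idle SSH session may last 10 minutes.
!
! Step 1 - DHCP server on the inside interface. The ASA 5505 base license caps
! a pool at 32 addresses, so .5-.36 is the largest range that starts at .5.
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd dns 209.165.201.2
dhcpd enable inside
!
! Step 2 - local account, and AAA pointed at the local database for both
! SSH and Telnet (the lab enables Telnet too; SSH is the one to rely on,
! since Telnet carries the password in clear text).
username admin password cisco123
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
!
! Step 3 - RSA key pair for SSH, then limit which hosts may open an SSH
! session and how long it may sit idle (assumed values, see above).
crypto key generate rsa modulus 1024
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
!
! Verification of what was applied.
show run dhcpd
show run aaa
show run ssh
```

The ssh line is an allow-list: without it the ASA accepts SSH from nowhere, and with it only the listed source network on the listed interface can reach the management plane, which is the check to make before opening SSH on the outside interface.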


    Note: If you are working with the ASA 5505 base license, you will get the error message shown in the output below. The ASA 5505 base license allows for the creation of up to three named VLAN interfaces. However, you must disable communication between the third interface and one of the other interfaces using the no forward command. This is not an issue if the ASA has a Security Plus license, which allows 20 named VLANs.

    Because the server does not need to initiate communication with the inside users, disable forwarding to interface VLAN 1.

    CCNAS-ASA(config)# interface vlan 3
    CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
    CCNAS-ASA(config-if)# nameif dmz
    ERR


    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -----------------------------
    1    inside                           up        Et0/1, Et0/3, Et0/4, Et0/5, Et0/6, Et0/7
    2    outside                          up        Et0/0
    3    dmz                              up        Et0/2

    Step 2: Configure static NAT to the DMZ server using a network object.

    a. Configure a network object named dmz-server and assign it the static IP address of the DMZ server (192.168.2.3). While in object definition mode, use the nat command to specify that this object is used to translate a DMZ address to an outside address using static NAT, and specify a public translated address of 209.165.200.227.

    CCNAS-ASA(config)# object network dmz-server
    CCNAS-ASA(config-network-object)# host 192.168.2.3
    CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227

    Step 3: Configure an ACL to allow access to the DMZ server from the Internet.

    a. Configure a named access list OUTSIDE-DMZ that permits any IP protocol from any external host to the internal IP address of the DMZ server. Apply the access list to the ASA outside interface in the "IN" direction.

    CCNAS-ASA(config)# access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
    CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
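The lab's ACL permits any IP protocol to the DMZ server, which is fine for a lab but exposes every port the server listens on. The following is an added example, not part of the lab, of the same Step 2 and Step 3 done with a least-privilege ACL: it assumes the DMZ server only publishes HTTP (TCP/80), keeps ICMP echo open so the lab's ping checks still work, and uses PC-C (172.16.3.3) as the simulated outside source in the packet-tracer checks.

```cisco
! Added example (not the lab's own text): static NAT for the DMZ server with a
! least-privilege inbound ACL. Assumption: the server only offers HTTP.
object network dmz-server
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.227
!
! On ASA 8.3 and later an ACL applied on the outside interface matches the
! real (untranslated) address 192.168.2.3, not the mapped 209.165.200.227.
! Only the published service and ICMP echo are allowed; the explicit deny
! at the end exists only to log what the implicit deny would silently drop.
access-list OUTSIDE-DMZ extended permit tcp any host 192.168.2.3 eq www
access-list OUTSIDE-DMZ extended permit icmp any host 192.168.2.3 echo
access-list OUTSIDE-DMZ extended deny ip any any log
access-group OUTSIDE-DMZ in interface outside
!
! Verification: per-line hit counts, then two simulated packets from PC-C.
! The first (TCP/80 to the mapped address) should be allowed end to end;
! the second (TCP/23) should be dropped by the ACL before reaching the DMZ.
show access-list OUTSIDE-DMZ
packet-tracer input outside tcp 172.16.3.3 1025 209.165.200.227 80
packet-tracer input outside tcp 172.16.3.3 1025 209.165.200.227 23
```

packet-tracer is the quickest way to confirm that NAT and the ACL agree: its output walks each phase (UN-NAT, ACCESS-LIST, NAT) and names the phase that dropped the packet, which is where to look when a published service is unreachable from outside.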


        translate_hits = 0, untranslate_hits = 4
    2 (inside) to (outside) source dynamic inside-net interface
        translate_hits = 4, untranslate_hits = 0

    Note: Pings from inside to outside are translated hits. Pings from outside host PC-C to the DMZ are considered untranslated hits.

    CCNAS-ASA# show xlate
    1 in use, 3 most used
    Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
    NAT from dmz:192.168.2.3 to outside:209.165.200.227 flags s idle 0:22:58 timeout 0:00:00

    Note the flag this time is "s", indicating a static translation.

    e. Because the ASA inside interface (VLAN 1) is set to a security level of 100 (the highest) and the DMZ