
CCNA Security

Chapter 10 Lab A: Configuring ASA Basic Settings and Firewall Using CLI


Topology

Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet Interfaces.

All contents are Copyright © 1992-2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 24


" Addressing !able


#e$ice R1 nterface FA")" S")")" ./CE0 S")")" S")")1 ./CE0 FA")1 S")")1 34A- 1 .E")10 34A- 2 .E")"0 34A- 1 .E")20 -IC -IC -IC " Address 2" .1*+.2"".22+ 1".1.1.1 1".1.1.2 1".2.2.2 122.1*.1.1 1".2.2.1 1 2.1*,.1.1 2" .1*+.2"".22* 1 2.1*,.2.1 1 2.1*,.2.1 1 2.1*,.1.1 122.1*.1.1 Subnet %as& 2++.2++.2++.2(, 2++.2++.2++.2+2 2++.2++.2++.2+2 2++.2++.2++.2+2 2++.2++.2++." 2++.2++.2++.2+2 2++.2++.2++." 2++.2++.2++.2(, 2++.2++.2++." 2++.2++.2++." 2++.2++.2++." 2++.2++.2++." #efault 'ateway -)A -)A -)A -)A -)A -)A -A -A -A 1 2.1*,.2.1 1 2.1*,.1.1 122.1*.1.1 Switch "ort ASA E")" -)A -)A -)A S1 FA")+ -)A S2 FA")2( R1 FA")" S1 FA")2( S1 FA")* S2 FA")1, S1 FA")1,

R2

R1 ASA ASA ASA 'C5A 'C56 'C5C

Objectives

Part 1: Lab Setup
- Cable the network as shown in the topology.
- Configure hostnames and interface IP addresses for routers, switches, and PCs.
- Configure static routing, including default routes, between R1, R2, and R3.
- Configure HTTP and Telnet access for R1.
- Verify connectivity between hosts, switches, and routers.

Part 2: Accessing the ASA Console and Using CLI Setup Mode to Configure Basic Settings
- Access the ASA console and view hardware, software, and configuration settings.
- Clear previous configuration settings.
- Use CLI Setup mode to configure basic settings (hostname, passwords, clock, etc.).

Part 3: Configuring Basic ASA Settings and Interface Security Levels Using CLI
- Configure the hostname and domain name.
- Configure the login and enable passwords.
- Set the date and time.
- Configure the inside and outside interfaces.
- Test connectivity to the ASA.
- Configure remote management with Telnet.
- Configure HTTPS access to the ASA for ASDM.

Part 4: Configuring Routing, Address Translation and Inspection Policy Using CLI
- Configure a static default route for the ASA.
- Configure port address translation (PAT) for the inside network.
- Modify the MPF application inspection policy.

Part 5: Configuring DHCP, AAA, and SSH
- Configure the ASA as a DHCP server/client.
- Configure Local AAA user authentication.
- Configure remote management with SSH.

Part 6: Configuring a DMZ, Static NAT, and ACLs
- Configure static NAT for the DMZ server.
- Configure an ACL on the ASA to allow access to the DMZ for Internet users.
- Verify access to the DMZ server for external and internal users.

Background / Scenario

The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall as well as VPN and other capabilities. This lab employs an ASA 5505 to create a firewall and protect an internal corporate network from external intruders while allowing internal hosts access to the Internet. The ASA creates three security interfaces: Outside, Inside, and DMZ. It provides outside users limited access to the DMZ and no access to inside resources. Inside users can access the DMZ and outside resources. The focus of this lab is on the configuration of the ASA as a basic firewall. Other devices will receive minimal configuration to support the ASA portion of the lab.

This lab uses the ASA CLI, which is similar to the IOS CLI, to configure basic device and security settings. In Part 1 of the lab you configure the topology and non-ASA devices. In Parts 2 through 4 you configure basic ASA settings and the firewall between the inside and outside networks. In Part 5 you configure the ASA for additional services such as DHCP, AAA, and SSH. In Part 6 you configure a DMZ on the ASA and provide access to a server in the DMZ.

Your company has one location connected to an ISP. Router R1 represents a CPE device managed by the ISP. Router R2 represents an intermediate Internet router. Router R3 represents an ISP that connects an administrator from a network management company, who has been hired to manage your network remotely. The ASA is an edge CPE security device that connects the internal corporate network and DMZ to the ISP while providing NAT and DHCP services to inside hosts. The ASA will be configured for management by an administrator on the internal network as well as by the remote administrator. Layer 3 VLAN interfaces provide access to the three areas created in the lab: Inside, Outside and DMZ. The ISP has assigned the public IP address space of 209.165.200.224/29, which will be used for address translation on the ASA.

Note: The routers used with this lab are Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). The switches are Cisco WS-C2960-24TT-L with Cisco IOS Release 12.2(46)SE (C2960-LANBASEK9-M image). Other routers, switches, and Cisco IOS versions can be used. However, results and output may vary. The ASA used with this lab is a Cisco model 5505 with an 8-port integrated switch, running OS version 8.4(2) and ASDM version 6.4(5) and comes with a Base license that allows a maximum of three VLANs.

Note: Make sure that the routers and switches have been erased and have no startup configurations.

Required Resources
- 3 routers (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
- 3 switches (Cisco 2960 or comparable)
- 1 ASA 5505 (OS version 8.4(2) and ASDM version 6.4(5) and Base license or comparable)
- PC-A: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client
- PC-B: Windows XP, Vista, or Windows 7 with PuTTY SSH client (ASDM optional)
- PC-C: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client
- Serial and Ethernet cables as shown in the topology
- Rollover cables to configure the routers and ASA via the console


"art 1: Basic .outer4Switch4"C Configuration


In 'art 1 of this lab$ yo& set &p the net7or8 topology and config&re basic settings on the ro&ters$ s&ch as interface I' addresses and static ro&ting. Note: /o not config&re any ASA settings at this ti#e.

Step 1: Cable the network and clear previous device settings.

Attach the devices that are shown in the topology diagram and cable as necessary. Make sure that the routers and switches have been erased and have no startup configurations.

Step 2: Configure basic settings for routers and switches.

a. Configure host names as shown in the topology for each router.

b. Configure router interface IP addresses as shown in the IP Addressing Table.

c. Configure a clock rate for routers with a DCE serial cable attached to their serial interface. Router R1 is shown here as an example.

    R1(config)# interface S0/0/0
    R1(config-if)# clock rate 64000

d. Configure the host name for the switches. Other than the host name, the switches can be left in their default configuration state. Configuring the VLAN management IP address for the switches is optional.

Step 3: Configure static routing on the routers.

a. Configure a static default route from R1 to R2 and from R3 to R2.

    R1(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/0
    R3(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/1

b. Configure a static route from R2 to the R1 Fa0/0 subnet (connected to ASA interface E0/0) and a static route from R2 to the R3 LAN.

    R2(config)# ip route 209.165.200.224 255.255.255.248 Serial0/0/0
    R2(config)# ip route 172.16.3.0 255.255.255.0 Serial0/0/1

Step 4: Enable the HTTP server on R1 and set the enable and vty passwords.

a. Enable HTTP access to R1 using the ip http server command in global config mode. Also set the console and VTY passwords to cisco. This will provide web and Telnet targets for testing later in the lab.

    R1(config)# ip http server
    R1(config)# enable password class
    R1(config)# line vty 0 4
    R1(config-line)# password cisco
    R1(config-line)# login
    R1(config)# line con 0
    R1(config-line)# password cisco
    R1(config-line)# login

b. On routers R2 and R3, set the same enable, console and vty passwords as with R1.


Step 5: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C as shown in the IP Addressing Table.

Step 6: Verify connectivity.

Because the ASA is the focal point for the network zones and it has not yet been configured, there will be no connectivity between devices that are connected to it. However, PC-C should be able to ping the R1 interface. From PC-C, ping the R1 Fa0/0 IP address (209.165.200.225). If these pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-C to R1 Fa0/0 and S0/0/0 you have demonstrated that static routing is configured and functioning correctly.

Step 7: Save the basic running configuration for each router and switch.

Part 2: Accessing the ASA Console and Using Setup to Configure Basic Settings

In Part 2 of this lab, you will access the ASA via the console and use various show commands to determine hardware, software, and configuration settings. You will clear the current configuration and use the CLI interactive Setup utility to configure basic ASA settings.

Note: Do not configure any ASA settings at this time.

Step 1: Access the ASA Console.

a. Accessing the ASA via the console port is the same as with a Cisco router or switch. Connect to the ASA console port with a rollover cable.

b. Use a terminal emulation program such as TeraTerm or HyperTerminal to access the CLI. Then use the serial port settings of 9600 baud, eight data bits, no parity, one stop bit, and no flow control.

c. Enter privileged mode with the enable command and password (if set). By default the password is blank so you can just press Enter. If the password has been changed to that specified in this lab, enter the word class. The default ASA hostname and prompt is ciscoasa>.

    ciscoasa> enable
    Password: class (or press Enter if none set)

Step 2: Determine the ASA version, interfaces, and license.

The ASA 5505 comes with an integrated 8-port Ethernet switch. Ports E0/0 through E0/5 are normal Fast Ethernet ports and ports E0/6 and E0/7 are PoE ports for use with PoE devices such as IP phones or network cameras.

a. Use the show version command to determine various aspects of this ASA device.

    ciscoasa# show version

    Cisco Adaptive Security Appliance Software Version 8.4(2)
    Device Manager Version 6.4(5)

    Compiled on Wed 15-Jun-11 18:17 by builders
    System image file is "disk0:/asa842-k8.bin"
    Config file at boot was "startup-config"

    ciscoasa up 23 hours 0 mins

    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode        : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
     0: Int: Internal-Data0/0    : address is 0007.7dbf.5645, irq 11
     1: Ext: Ethernet0/0         : address is 0007.7dbf.563d, irq 255
     2: Ext: Ethernet0/1         : address is 0007.7dbf.563e, irq 255
    <output omitted>

What software version is this ASA running? _____________________________

What is the name of the system image file and from where was it loaded? _____________________________

The ASA can be managed using a built-in GUI known as the Adaptive Security Device Manager (ASDM). What version of ASDM is this ASA running? _____________________________

How much RAM does this ASA have? _____________________________

How much flash memory does this ASA have? _____________________________

How many Ethernet ports does this ASA have? _____________________________

What type of license does this ASA have? _____________________________

How many VLANs can be created with this license? _____________________________

Step 3: Determine the file system and contents of flash memory.

a. Display the ASA file system using the show file system command to determine what prefixes are supported.

    ciscoasa# show file system
    File Systems:

         Size(b)     Free(b)     Type   Flags  Prefixes
    * 128573440    55664640     disk    rw     disk0: flash:
             -           -   network    rw     tftp:
             -           -    opaque    rw     system:
             -           -   network    ro     http:
             -           -   network    ro     https:
             -           -   network    rw     ftp:
             -           -   network    rw     smb:

What is another name for flash:? ___________

b. Display the contents of flash memory using one of these commands: show flash:, show disk0:, dir flash:, or dir disk0:.

    ciscoasa# show flash:
    --#--  --length--  -----date/time------  path
      168    25159680  Aug 29 2011 13:00:52  asa842-k8.bin
      122           0  Aug 29 2011 13:09:32  nat_ident_migrate
       13        2048  Aug 29 2011 13:02:14  coredumpinfo
       14          59  Aug 29 2011 13:02:14  coredumpinfo/coredump.cfg
      169    16280544  Aug 29 2011 13:02:58  asdm-645.bin
        3        2048  Aug 29 2011 13:04:42  log
        6        2048  Aug 29 2011 13:05:00  crypto_archive
      181       34816  Jan 01 1980 00:00:00  FSCK0000.REC
      183       36864  Jan 01 1980 00:00:00  FSCK0001.REC
      184    12998641  Aug 29 2011 13:09:22  csd_3.5.2008-k9.pkg
      185        2048  Aug 29 2011 13:09:24  sdesktop
      211           0  Aug 29 2011 13:09:24  sdesktop/data.xml
      186     6487517  Aug 29 2011 13:09:26  anyconnect-macosx-i386-2.5.2014-k9.pkg
      187     6689498  Aug 29 2011 13:09:30  anyconnect-linux-2.5.2014-k9.pkg
      188     4678691  Aug 29 2011 13:09:32  anyconnect-win-2.5.2014-k9.pkg
    <output omitted>

What is the name of the ASDM file in flash:? ___________________

Step 4: Determine the current running configuration.

The ASA 5505 is commonly used as an edge security device that connects a small business or teleworker to an ISP device, such as a DSL or cable modem, for access to the Internet. The default factory configuration for the ASA 5505 includes the following:
- An inside VLAN 1 interface is configured that includes the Ethernet 0/1 through 0/7 switch ports. The VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
- An outside VLAN 2 interface is configured that includes the Ethernet 0/0 switch port. By default, VLAN 2 derives its IP address from the ISP using DHCP.
- The default route is also derived from the DHCP default gateway.
- All inside IP addresses are translated when accessing the outside, using interface PAT on the VLAN 2 interface.
- By default, inside users can access the outside with an access list, and outside users are prevented from accessing the inside.
- The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.5 and 192.168.1.36 (base license), though the actual range may vary.
- The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0/24 network.
- No console or enable passwords are required and the default host name is ciscoasa.

Note: In this lab you will manually configure settings similar to those listed above, as well as some additional ones, using the ASA CLI.

a. Display the current running configuration using the show running-config command.

    ciscoasa# show running-config
    : Saved
    :
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    <output omitted>

Note: To stop the output from a command using the CLI, press the letter Q.

If you see VLANs 1 and 2 and other settings as described previously, the device is most likely configured with the default factory configuration. You may also see other security features such as a global policy that inspects selected application traffic, which the ASA inserts by default, if the original startup configuration has been erased. The actual output will vary depending on the ASA model, version and configuration status.

b. You can restore the ASA to its factory default settings by using the command configure factory-default as shown here.

    ciscoasa# conf t
    ciscoasa(config)# configure factory-default
    WARNING: The boot system configuration will be cleared.
    The first image found in disk0:/ will be used to boot the system on the next reload.
    Verify there is a valid image on disk0:/ or the system will not boot.

    Begin to apply factory-default configuration:
    Clear all configuration
    WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
    Executing command: interface Ethernet 0/0
    Executing command: switchport access vlan 2
    Executing command: no shutdown
    Executing command: exit
    Executing command: interface Ethernet 0/1
    Executing command: switchport access vlan 1
    Executing command: no shutdown
    Executing command: exit
    <output omitted>

c. Review this output and pay particular attention to the VLAN interfaces, and NAT and DHCP related sections. These will be configured later in this lab using the CLI.

d. You may wish to capture and print the factory-default configuration as a reference. Use the terminal emulation program to copy it from the ASA and paste it into a text document. You can then edit this file, if desired, so that it contains only valid commands. You should also remove password commands and enter the no shut command to bring up the desired interfaces.

Step 5: Clear the previous ASA configuration settings.

a. Use the write erase command to remove the startup-config file from flash memory.

    ciscoasa# write erase
    Erase configuration in flash memory? [confirm]
    [OK]
    ciscoasa#
    ciscoasa# show start
    No Configuration

Note: The IOS command erase startup-config is not supported on the ASA.

b. Use the reload command to restart the ASA. This will cause the ASA to come up in CLI Setup mode. If prompted that the config has been modified, asking if you want to save it, respond "N".

    ciscoasa# reload
    Proceed with reload? [confirm]
    ciscoasa#

    ***
    *** --- START GRACEFUL SHUTDOWN ---
    Shutting down isakmp
    Shutting down File system

    ***
    *** --- SHUTDOWN NOW ---
    Process shutdown finished
    Rebooting.....

    CISCO SYSTEMS
    Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
    <output omitted>

Step 6: Use the Setup interactive CLI mode to configure basic settings.

When the ASA completes the reload process, it should detect that the startup-config file is missing and present a series of interactive prompts to configure basic ASA settings. If it does not come up in this mode, repeat Step 5. As an alternative, you can run the setup command at the global configuration prompt, but you must first create a VLAN interface (VLAN 1), name the VLAN "management" (using the nameif command), and assign the VLAN an IP address.

Note: The interactive prompt mode does not configure the ASA with factory defaults as described in Step 4. This mode can be used to configure minimal basic settings such as host name, clock, passwords, etc. You can also bypass this mode and go directly to the CLI in order to configure the ASA settings, as described in Part 3 of this lab.

a. Respond to the Setup interactive prompts as shown here, after the ASA reloads.

    Pre-configure Firewall now through interactive prompts [yes]? <Enter>
    Firewall Mode [Routed]: <Enter>
    Enable password [<use current password>]: cisco
    Allow password recovery [yes]? <Enter>
    Clock (UTC):
      Year [2011]: <Enter>
      Month [Oct]: <Enter>
      Day [01]: <Enter>
      Time [12:24:42]: <Enter>
    Management IP address: 192.168.1.1 <Enter>
    Management network mask: 255.255.255.0 <Enter>
    Host name: ASA-Init
    Domain name: generic.com
    IP address of host running Device Manager: <Enter>

    The following configuration will be used:
    Enable password: cisco
    Allow password recovery: yes
    Clock (UTC): 12:24:42 Sep 25 2011
    Firewall Mode: Routed
    Management IP address: 192.168.1.1
    Management network mask: 255.255.255.0
    Host name: ASA-Init
    Domain name: generic.com
    IP address of host running Device Manager: <Enter>

    Use this configuration and write to flash? yes
    INFO: Security level for "management" set to 0 by default.
    WARNING: http server is not yet enabled to allow ASDM access.
    Cryptochecksum: c8a535f0 e273d49e 5bddfd19 e12566b1

    2070 bytes copied in 0.940 secs
    Type help or '?' for a list of available commands.
    ASA-Init#

Note: In the above configuration, the IP address of the host running ASDM was left blank. It is not necessary to install ASDM on a host. It can be run from the flash memory of the ASA device itself using the browser of the host. This process is described in Chapter 10 Lab B, Configuring ASA Basic Settings and Firewall Using ASDM. You may also see the warning above stating that the ASA HTTP server has not yet been enabled. This will be done in a subsequent step.

Note: The responses to the prompts are automatically stored in the startup-config and the running config. However, additional security related commands, such as a global default inspection service policy, are inserted into the running-config by the ASA OS.

b. Issue the show run command to see the additional security related configuration commands that are inserted by the ASA.

c. Issue the copy run start command to capture the additional security related commands in the startup-config.

d. Issue the reload command to restart the ASA and load the startup configuration.

    ASA-Init# reload
    Proceed with reload? [confirm] <Enter>
    <output omitted>

e. Enter privileged EXEC mode with the enable command. Provide the password set in Step 6a (cisco). Issue the show running-config command. You should see the entries you provided in the interactive configuration process.

"art ,: Configuring ASA Settings and nterface Security Using the CL


In 'art 1 of this lab$ yo& config&re basic settings by &sing the ASA C4I$ even tho&gh so#e of the# 7ere already config&red &sing the Set&p #ode interactive pro#pts in 'art 2. In this part yo& start 7ith the settings config&red in 'art 2 and add to or #odify the# to create a #ore co#plete basic config&ration. !ip: @o& 7ill find that #any ASA C4I co##ands are si#ilar to if not the sa#e as those &sed 7ith Cisco I?S C4I. In addition$ #oving bet7een config&ration #odes and s&b#odes is essentially the sa#e. Note: @o& #&st co#plete 'art 2 before beginning 'art 1.

Step 1: Configure the hostname and domain name.

a. Enter Global configuration mode using the config t command. The first time you enter configuration mode after running Setup you will be asked if you wish to enable anonymous reporting. Respond with "no".

    ASA-Init# conf t
    ASA-Init(config)# ***************************** NOTICE *****************************

    Help to improve the ASA platform by enabling anonymous reporting,
    which allows Cisco to securely receive minimal error and health
    information from the device. To learn more about this feature,
    please visit: http://www.cisco.com/go/smartcall

    Would you like to enable anonymous error reporting to help improve
    the product? [Y]es, [N]o, [A]sk later: n

    In the future, if you would like to enable this feature,
    issue the command "call-home reporting anonymous".

    Please remember to save your configuration.

b. Configure the ASA host name using the hostname command.

    ASA-Init(config)# hostname CCNAS-ASA

c. Configure the domain name using the domain-name command.

    CCNAS-ASA(config)# domain-name ccnasecurity.com

Step 2: Configure the login and enable mode passwords.

a. The login password is used for Telnet connections (and SSH prior to ASA version 8.4). By default it is set to cisco. You can change the login password using the passwd or password command. For this lab leave it set to the default of cisco.

b. Configure the privileged EXEC mode (enable) password using the enable password command.

    CCNAS-ASA(config)# enable password class

Step 3: Set the date and time.

a. The date and time can be set manually using the clock set command. The syntax for the clock set command is clock set hh:mm:ss {month day | day month} year. The following is an example of how to set the date and time using a 24-hour clock.

    CCNAS-ASA(config)# clock set 14:25:00 october 1 2011

Step 4: Configure the inside and outside interfaces.

ASA 5505 interface notes: The 5505 is different from the other 5500 series ASA models. With other ASAs, the physical port can be assigned a Layer 3 IP address directly, much like a Cisco router. With the ASA 5505, the eight integrated switch ports are Layer 2 ports. To assign Layer 3 parameters, you must create a switch virtual interface (SVI) or logical VLAN interface and then assign one or more of the physical Layer 2 ports to it. All 8 switch ports are initially assigned to VLAN 1, unless the factory default config is present, in which case port E0/0 is assigned to VLAN 2. In this step you create internal and external VLAN interfaces, name them, assign IP addresses, and set the interface security level.

If you completed the initial configuration Setup utility, interface VLAN 1 is configured as the management VLAN with an IP address of 192.168.1.1. You will configure it as the inside interface for this lab. You will only configure the VLAN 1 (inside) and VLAN 2 (outside) interfaces at this time. The VLAN 3 (dmz) interface will be configured in Part 6 of the lab.

a. Configure a logical VLAN 1 interface for the inside network, 192.168.1.0/24, and set the security level to the highest setting of 100.

    CCNAS-ASA(config)# interface vlan 1
    CCNAS-ASA(config-if)# nameif inside
    CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
    CCNAS-ASA(config-if)# security-level 100

b. Create a logical VLAN 2 interface for the outside network, 209.165.200.224/29, set the security level to the lowest setting of 0 and bring up the VLAN 2 interface.

    CCNAS-ASA(config-if)# interface vlan 2
    CCNAS-ASA(config-if)# nameif outside
    INFO: Security level for "outside" set to 0 by default.
    CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
    CCNAS-ASA(config-if)# no shutdown

Interface security level notes: You may receive a message that the security level for the inside interface was set automatically to 100 and the outside interface was set to 0. The ASA uses interface security levels from 0 to 100 to enforce the security policy. Security Level 100 (inside) is the most secure and level 0 (outside) is the least secure. By default, the ASA applies a policy where traffic from a higher security level interface to one with a lower level is permitted and traffic from a lower security level interface to one with a higher security level is denied. The ASA default security policy permits outbound traffic, which is inspected by default. Returning traffic is allowed because of stateful packet inspection. This default "routed mode" firewall behavior of the ASA allows packets to be routed from the inside network to the outside network but not vice versa. In Part 4 of this lab you will configure NAT to increase the firewall protection.

c. Use the show interface command to ensure that ASA Layer 2 ports E0/0 (for VLAN 2) and E0/1 (for VLAN 1) are both up. An example is shown for E0/0. If either port is shown as down/down, check the physical connections. If either port is administratively down, bring it up with the no shutdown command.

    CCNAS-ASA# show interface e0/0
    Interface Ethernet0/0 "", is administratively down, line protocol is up
      Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    <output omitted>
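The interface security level policy described above can be modelled in a few lines. The following Python is an added example, not code from the lab or from Cisco: it keeps a connection table keyed on the 5-tuple, permits a new connection only when it enters on a higher security level than it leaves on (equal levels are denied, the ASA default), and lets return packets through because the reversed 5-tuple is already in the table. The class and function names are the example's own; the inside and outside levels are the ones set in Step 4, and the dmz level of 70 is an assumption added only to show that three levels order the same way.

```python
"""Model of the ASA default interface-security-level policy (added example)."""

# Interface security levels as set in Step 4 of this lab. The dmz value is an
# assumption for illustration only; the dmz interface is configured in Part 6.
SECURITY_LEVELS = {"inside": 100, "dmz": 70, "outside": 0}


class StatefulSecurityPolicy:
    """Hypothetical model (not ASA code) of the default through-the-box policy:
    a new connection is permitted only when it enters on an interface with a
    higher security level than the one it leaves on; equal levels are denied
    (the ASA default without 'same-security-traffic permit'); once a
    connection is permitted, its return packets are matched against the
    connection table and allowed regardless of interface levels."""

    def __init__(self, levels):
        self.levels = dict(levels)
        # connection table entries: (proto, src_ip, src_port, dst_ip, dst_port)
        self.conns = set()

    def check(self, ingress, egress, proto, src, sport, dst, dport):
        """Return (permitted, reason) for one packet and update the table."""
        for name in (ingress, egress):
            if name not in self.levels:
                raise ValueError("interface %r has no nameif/security-level" % name)
        forward = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        # Return traffic: the reversed 5-tuple is already in the table.
        if forward in self.conns or reverse in self.conns:
            return True, "existing connection (stateful inspection)"
        lvl_in, lvl_out = self.levels[ingress], self.levels[egress]
        if lvl_in > lvl_out:
            self.conns.add(forward)
            return True, "new %s(%d) -> %s(%d) connection permitted" % (
                ingress, lvl_in, egress, lvl_out)
        return False, "new %s(%d) -> %s(%d) connection denied" % (
            ingress, lvl_in, egress, lvl_out)


def demo():
    """Constructed scenario using the lab's addresses; returns the verdicts."""
    fw = StatefulSecurityPolicy(SECURITY_LEVELS)
    verdicts = []
    # PC-B (192.168.1.3) opens HTTP to R1 Fa0/0 (209.165.200.225): 100 -> 0, permitted.
    verdicts.append(fw.check("inside", "outside", "tcp", "192.168.1.3", 50000, "209.165.200.225", 80))
    # R1's reply enters on outside but matches the connection table: permitted.
    verdicts.append(fw.check("outside", "inside", "tcp", "209.165.200.225", 80, "192.168.1.3", 50000))
    # A new connection from outside to PC-B has no table entry: 0 -> 100, denied.
    verdicts.append(fw.check("outside", "inside", "tcp", "209.165.200.225", 40000, "192.168.1.3", 23))
    # Three levels order the same way: outside -> dmz denied, inside -> dmz permitted.
    verdicts.append(fw.check("outside", "dmz", "tcp", "209.165.200.225", 40001, "192.168.2.3", 80))
    verdicts.append(fw.check("inside", "dmz", "tcp", "192.168.1.3", 50001, "192.168.2.3", 80))
    return [ok for ok, _reason in verdicts]


if __name__ == "__main__":
    for ok in demo():
        print("permit" if ok else "deny")
```

The model deliberately has no NAT and no access lists: it shows only what the security levels and the connection table decide on their own, which is the behaviour the note describes before Part 4 adds NAT.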

d. Assign ASA Layer 2 port E0/1 to VLAN 1 and port E0/0 to VLAN 2 and use the no shutdown command to ensure they are up.

    CCNAS-ASA(config)# interface e0/1
    CCNAS-ASA(config-if)# switchport access vlan 1
    CCNAS-ASA(config-if)# no shutdown
    CCNAS-ASA(config-if)# interface e0/0
    CCNAS-ASA(config-if)# switchport access vlan 2
    CCNAS-ASA(config-if)# no shutdown

Note: Even though E0/1 is in VLAN 1 by default, the commands are provided above.

e. Display the status for all ASA interfaces using the show interface ip brief command. Note that this command is different from the IOS command show ip interface brief. If any of the physical or logical interfaces previously configured are not UP/UP, troubleshoot as necessary before continuing.

Tip: Most ASA show commands, as well as ping, copy and others, can be issued from within any config mode prompt without the "do" command required with IOS.

    CCNAS-ASA(config)# show interface ip brief
    Interface                  IP-Address      OK? Method Status                Protocol
    Ethernet0/0                unassigned      YES unset  up                    up
    Ethernet0/1                unassigned      YES unset  up                    up
    Ethernet0/2                unassigned      YES unset  up                    up
    Ethernet0/3                unassigned      YES unset  down                  down
    Ethernet0/4                unassigned      YES unset  down                  down
    Ethernet0/5                unassigned      YES unset  down                  down
    Ethernet0/6                unassigned      YES unset  down                  down
    Ethernet0/7                unassigned      YES unset  down                  down
    Internal-Data0/0           unassigned      YES unset  up                    up
    Internal-Data0/1           unassigned      YES unset  up                    up
    Vlan1                      192.168.1.1     YES manual up                    up
    Vlan2                      209.165.200.226 YES manual up                    up
    Virtual0                   127.0.0.1       YES unset  up                    up
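When this check is automated (for example from a script that collects show output over the console), the Status column is the part that trips up a naive parser: it holds either one word ("up", "down") or two ("administratively down"). The following Python is an added example, not code from the lab: it parses the output format shown above by taking the fixed columns from the left and the Protocol column from the right, and reports the interfaces that are not up/up. The sample output is constructed from the listing above plus one constructed line for the two-word status; the function names are the example's own.

```python
"""Parser for ASA 'show interface ip brief' output (added example)."""

# Constructed sample: rows from the lab's listing plus one constructed line
# with a two-word status ("administratively down"), the case a naive split()
# into six fields would get wrong.
SAMPLE_OUTPUT = """\
CCNAS-ASA(config)# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  administratively down down
Vlan1                      192.168.1.1     YES manual up                    up
Vlan2                      209.165.200.226 YES manual up                    up
Virtual0                   127.0.0.1       YES unset  up                    up
"""


def parse_interface_ip_brief(text):
    """Return one dict per interface row.

    The Status column may hold one word ("up", "down") or two
    ("administratively down"), so the fixed columns are taken from the
    left (name, ip, ok, method) and from the right (protocol), and whatever
    is left in the middle is the status."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the prompt, the header and blank lines: data rows carry
        # YES or NO in the third column.
        if len(parts) < 6 or parts[2] not in ("YES", "NO"):
            continue
        name, ip, ok, method = parts[:4]
        rows.append({
            "interface": name,
            "ip": ip,
            "ok": ok == "YES",
            "method": method,
            "status": " ".join(parts[4:-1]),
            "protocol": parts[-1],
        })
    return rows


def not_up_up(rows, only=None):
    """Names of interfaces whose status/protocol is not up/up.

    'only' restricts the check to the interfaces the lab expects to be up
    (E0/0, E0/1, Vlan1, Vlan2); unused switch ports being down is normal."""
    names = []
    for row in rows:
        if only is not None and row["interface"] not in only:
            continue
        if row["status"] != "up" or row["protocol"] != "up":
            names.append(row["interface"])
    return names


if __name__ == "__main__":
    rows = parse_interface_ip_brief(SAMPLE_OUTPUT)
    print("not up/up:", not_up_up(rows))
    print("lab interfaces not up/up:",
          not_up_up(rows, only={"Ethernet0/0", "Ethernet0/1", "Vlan1", "Vlan2"}))
```

Restricting the report with 'only' matters in practice: on a 5505 the unused switch ports E0/3 through E0/7 are down/down by design, and a check that flags them would never come back clean.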

f. Display the information for the Layer 3 VLAN interfaces using the show ip address command.

    CCNAS-ASA(config)# show ip address
    System IP Addresses:
    Interface                Name                   IP address      Subnet mask     Method
    Vlan1                    inside                 192.168.1.1     255.255.255.0   manual
    Vlan2                    outside                209.165.200.226 255.255.255.248 manual
    Current IP Addresses:
    Interface                Name                   IP address      Subnet mask     Method
    Vlan1                    inside                 192.168.1.1     255.255.255.0   manual
    Vlan2                    outside                209.165.200.226 255.255.255.248 manual

g. Use the show switch vlan command to display the inside and outside VLANs configured on the ASA and to display the assigned ports.

    CCNAS-ASA# show switch vlan
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -----------------------------
    1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                    Et0/5, Et0/6, Et0/7
    2    outside                          up        Et0/0

h. You may also use the command show running-config interface type/number to display the configuration for a particular interface from the running-config.

    CCNAS-ASA# show run interface vlan 1
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0

Step 5: Test connectivity to the ASA.

a. Ensure that PC-B has a static IP address of 192.168.1.3 along with subnet mask 255.255.255.0 and default gateway 192.168.1.1 (the IP address of ASA VLAN 1 inside interface).

b. You should be able to ping from PC-B to the ASA inside interface address and ping from the ASA to PC-B. If the pings fail, troubleshoot the configuration as necessary.

    CCNAS-ASA# ping 192.168.1.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

c. From PC-B, ping the VLAN 2 (outside) interface at IP address 209.165.200.226. You should not be able to ping this address.

d. From PC-B, telnet to the ASA using address 192.168.1.1. Were you able to make the connection? Why or why not? _____________________________

Step 6: Configure Telnet access to the ASA from the inside network.

a. You can configure the ASA to accept Telnet connections from a single host or a range of hosts on the inside network. Configure the ASA to allow Telnet connections from any host on the inside network 192.168.1.0/24 and set the Telnet timeout to 10 minutes (the default is 5 minutes).

CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet timeout 10

b. From PC-B, telnet to the ASA using address 192.168.1.1 to verify the Telnet access. Use the remote access login password cisco to access the ASA CLI prompt. Exit the Telnet session using the quit command.


Note: You cannot use Telnet to the lowest security interface (outside) from the outside unless you use Telnet inside an IPsec tunnel. Telnet is not the preferred remote access tool because of its lack of encryption. In Part 5 of this lab you will configure SSH access from the internal and external network.

Step 7: Configure ASDM access to the ASA.

a. You can configure the ASA to accept HTTPS connections using the http command. This allows access to the ASA GUI (ASDM). Configure the ASA to allow HTTPS connections from any host on the inside network 192.168.1.0/24.

CCNAS-ASA(config)# http server enable
CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside

b. Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1. You will be prompted with a security certificate warning. Click Continue to this website. Click Yes for the other security warnings. You should see the Cisco ASDM-IDM Launcher where you can enter a username and password. Leave the username blank and enter the password cisco, which was configured when you ran the Setup utility.

Note: Be sure to specify the HTTPS protocol in the URL.

c. Close the browser. In the next lab, you will use ASDM extensively to configure the ASA. The objective here is not to use the ASDM configuration screens, but to verify HTTP/ASDM connectivity to the ASA. If you are unable to access ASDM, check your configurations or contact your instructor or do both.

Part 4: Configuring Routing, Address Translation, and Inspection Policy Using the CLI

In Part 4 of this lab, you provide a default route for the ASA to reach external networks. You configure address translation using network objects to enhance firewall security. You then modify the default application inspection policy to allow specific traffic.

Note: You must complete Part 3 before going on to Part 4.

Step 1: Configure a static default route for the ASA.

In Part 3, you configured the ASA outside interface with a static IP address and subnet mask. However, the ASA does not have a gateway of last resort defined. To enable the ASA to reach external networks, you will configure a default static route on the ASA outside interface.

Note: If the ASA outside interface were configured as a DHCP client, it could obtain a default gateway IP address from the ISP. However, in this lab, the outside interface is configured with a static address.

a. Ping from the ASA to R1 Fa0/0 IP address 209.165.200.225. Was the ping successful?
________________________________________________________________________________

b. Ping from the ASA to R1 S0/0/0 IP address 10.1.1.1. Was the ping successful?
________________________________________________________________________________

c. Create a "quad zero" default route using the route command, associate it with the ASA outside interface, and point to the R1 Fa0/0 IP address 209.165.200.225 as the gateway of last resort. The default administrative distance is 1 by default.

CCNAS-ASA(config)# route outside 0.0.0.0 0.0.0.0 209.165.200.225

d. Issue the show route command to display the ASA routing table and the static default route just created.

CCNAS-ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 209.165.200.225 to network 0.0.0.0

C    192.168.10.0 255.255.255.0 is directly connected, inside
C    209.165.200.224 255.255.255.248 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 209.165.200.225, outside

e. Ping from the ASA to R1 S0/0/0 IP address 10.1.1.1. Was the ping successful? ________________

Step 2: Configure address translation using PAT and network objects.

Note: Beginning with ASA version 8.3, network objects are used to configure all forms of NAT. A network object is created and it is within this object that NAT is configured. In Step 2a a network object inside-net is used to translate the inside network addresses 192.168.10.0/24 to the global address of the outside ASA interface. This type of object configuration is called Auto-NAT.

a. Create network object inside-net and assign attributes to it using the subnet and nat commands. In version 8.3 and newer only the nat command is used and the static and global commands are no longer supported.

CCNAS-ASA(config)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# end

b. The ASA splits the configuration into the object portion that defines the network to be translated and the actual nat command parameters. These appear in two different places in the running-config. Display the NAT object configuration using the show run object and show run nat commands.

CCNAS-ASA# show run object
object network inside-net
 subnet 192.168.1.0 255.255.255.0
CCNAS-ASA# show run nat
!
object network inside-net
 nat (inside,outside) dynamic interface

c. From PC-B attempt to ping the R1 Fa0/0 interface at IP address 209.165.200.225. Were the pings successful? _____

d. Issue the show nat command on the ASA to see the translated and untranslated hits. Notice that, of the pings from PC-B, 4 were translated and 4 were not. This is because ICMP is not being inspected by the global inspection policy. The outgoing pings (echos) were translated; the returning echo replies were blocked by the firewall policy. You will configure the default inspection policy to allow ICMP in the next step.

CCNAS-ASA# show nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 4, untranslate_hits = 4

e. Ping from PC-B to R1 again and quickly issue the show xlate command to see the actual addresses being translated.

CCNAS-ASA# show xlate
1 in use, 28 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.1.3/512 to outside:209.165.200.226/21469 flags ri idle 0:00:03 timeout 0:00:30

Note: The flags (r and i) indicate that the translation was based on a port map (r) and was done dynamically (i).

f. Open a browser on PC-B and enter the IP address of R1 Fa0/0 (209.165.200.225). You should be prompted by R1 for SDM or CCP GUI login. TCP-based HTTP traffic is permitted by default by the firewall inspection policy.

g. On the ASA use the show nat and show xlate commands again to see the hits and addresses being translated for the HTTP connection.

Step 3: Modify the default MPF application inspection global service policy.

For application layer inspection, as well as other advanced options, the Cisco Modular Policy Framework (MPF) is available on ASAs. Cisco MPF uses three configuration objects to define modular, object-oriented, hierarchical policies:

Class maps: Define a match criterion.
Policy maps: Associate actions to the match criteria.
Service policies: Attach the policy map to an interface, or globally to all interfaces of the appliance.

a. Display the default MPF policy map that performs the inspection on inside-to-outside traffic. Only traffic that was initiated from the inside is allowed back in to the outside interface. Notice that the ICMP protocol is missing.

CCNAS-ASA# show run
<output omitted>
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

b. Add the inspection of ICMP traffic to the policy map list using the following commands:

CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp

c. From PC-B attempt to ping the R1 Fa0/0 interface at IP address 209.165.200.225. The pings should be successful this time because ICMP traffic is now being inspected and legitimate return traffic is being allowed.

Part 5: Configuring DHCP, AAA, and SSH

In Part 5 of this lab, you configure ASA features, such as DHCP and enhanced login security, using AAA and SSH.

Note: You must complete Part 4 before beginning Part 5.

Step 1: Configure the ASA as a DHCP server.

The ASA can be both a DHCP server and a DHCP client. In this step you configure the ASA as a DHCP server to dynamically assign IP addresses for DHCP clients on the inside network.

a. Configure a DHCP address pool and enable it on the ASA inside interface. This is the range of addresses to be assigned to inside DHCP clients. Attempt to set the range from 192.168.1.5 through 192.168.1.100.

CCNAS-ASA(config)# dhcpd address 192.168.1.5-192.168.1.100 inside
Warning, DHCP pool range is limited to 32 addresses, set address range as: 192.168.1.5-192.168.1.36

Were you able to do this on this ASA? _________________________________________________

Repeat the dhcpd command and specify the pool as 192.168.1.5-192.168.1.36.

CCNAS-ASA(config)# dhcpd address 192.168.1.5-192.168.1.36 inside

b. (Optional) Specify the IP address of the DNS server to be given to clients.

CCNAS-ASA(config)# dhcpd dns 209.165.201.2

Note: Other parameters can be specified for clients, such as WINS server, lease length, and domain name.

c. Enable the DHCP daemon within the ASA to listen for DHCP client requests on the enabled interface (inside).

CCNAS-ASA(config)# dhcpd enable inside

d. Verify the DHCP daemon configuration by using the show run dhcpd command.

CCNAS-ASA(config)# show run dhcpd
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside

e. Access the Network Connection IP Properties for PC-B and change it from a static IP address to a DHCP client so that it obtains an IP address automatically from the ASA DHCP server. The procedure to do this varies depending on the PC operating system. It may be necessary to issue the ipconfig /renew command on PC-B to force it to obtain a new IP address from the ASA.

Step 2: Configure AAA to use the local database for authentication.

a. Define a local user named admin by entering the username command. Specify a password of cisco123.

CCNAS-ASA(config)# username admin password cisco123

b. Configure AAA to use the local ASA database for Telnet and SSH user authentication.

CCNAS-ASA(config)# aaa authentication ssh console LOCAL


CCNAS-ASA(config)# aaa authentication telnet console LOCAL

Note: For added security, starting in ASA version 8.4(2), it is necessary to configure AAA authentication in order to support SSH connections. The Telnet/SSH default login is not supported. You can no longer connect to the ASA using SSH with the default username and the login password.

Step 3: Configure SSH remote access to the ASA.

You can configure the ASA to accept SSH connections from a single host or a range of hosts on the inside or outside network.

a. Generate an RSA key pair, which is required to support SSH connections. The modulus (in bits) can be 512, 768, 1024, or 2048. The larger the key modulus size you specify, the longer it takes to generate the RSA key pair. Specify a modulus of 1024 using the crypto key command.

CCNAS-ASA(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

b. Save the RSA keys to persistent flash memory using either the copy run start or write mem command.

CCNAS-ASA# write mem
Building configuration...
Cryptochecksum: 3c845d0f b6b8839a f9e43be0 33feb4ef

3270 bytes copied in 0.890 secs
[OK]

c. Configure the ASA to allow SSH connections from any host on the inside network 192.168.1.0/24 and from the remote management host at the branch office (172.16.3.3) on the outside network. Set the SSH timeout to 10 minutes (the default is 5 minutes).

CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 172.16.3.3 255.255.255.255 outside
CCNAS-ASA(config)# ssh timeout 10

d. On PC-C, use an SSH client, such as PuTTY, to connect to the ASA outside interface at IP address 209.165.200.226. The first time you connect you may be prompted by the SSH client to accept the RSA host key of the ASA SSH server. Log in as user admin and provide the password cisco123. You can also connect to the ASA inside interface from a PC-B SSH client using IP address 192.168.1.1.

Part 6: Configuring a DMZ, Static NAT, and ACLs

In Part 4 of this lab, you configured address translation using PAT for the inside network. In this part, you create a DMZ on the ASA, configure static NAT to a DMZ server, and apply ACLs to control access to the server. To accommodate the addition of a DMZ and a web server, you will use another address from the ISP range assigned, 209.165.200.224/29 (.224-.231). Router R1 Fa0/0 and the ASA outside interface are already using 209.165.200.225 and .226, respectively. You will use public address 209.165.200.227 and static NAT to provide address translation access to the server.

Step 1: Configure the DMZ interface VLAN 3 on the ASA.

a. Configure DMZ VLAN 3, which is where the public access web server will reside. Assign it IP address 192.168.2.1/24, name it dmz and assign it a security level of 70.

Note: If you are working with the ASA 5505 base license, you will get the error message shown in the output below. The ASA 5505 base license allows for the creation of up to three named VLAN interfaces. However, you must disable communication between the third interface and one of the other interfaces using the no forward command. This is not an issue if the ASA has a Security Plus license, which allows 20 named VLANs. Because the server does not need to initiate communication with the inside users, disable forwarding to interface VLAN 1.

CCNAS-ASA(config)# interface vlan 3
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1
interface(s) with nameif already configured.
CCNAS-ASA(config-if)# no forward interface vlan 1
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# no shut

b. Assign ASA physical interface E0/2 to DMZ VLAN 3 and enable the interface.

CCNAS-ASA(config-if)# interface Ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shut

c. Display the status for all ASA interfaces using the show interface ip brief command.

CCNAS-ASA# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      192.168.1.1     YES manual up                    up
Vlan2                      209.165.200.226 YES manual up                    up
Vlan3                      192.168.2.1     YES manual up                    up
Virtual0                   127.0.0.1       YES unset  up                    up

d. Display the information for the Layer 3 VLAN interfaces using the show ip address command.

CCNAS-ASA# show ip address
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.1.1     255.255.255.0   manual
Vlan2                    outside                209.165.200.226 255.255.255.248 manual
Vlan3                    dmz                    192.168.2.1     255.255.255.0   manual
<output omitted>

e. Display the VLANs and port assignments on the ASA using the show switch vlan command.

CCNAS-ASA(config)# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/3, Et0/4, Et0/5
                                                Et0/6, Et0/7
2    outside                          up        Et0/0
3    dmz                              up        Et0/2

Step 2: Configure static NAT to the DMZ server using a network object.

a. Configure a network object named dmz-server and assign it the static IP address of the DMZ server (192.168.2.3). While in object definition mode, use the nat command to specify that this object is used to translate a DMZ address to an outside address using static NAT and specify a public translated address of 209.165.200.227.

CCNAS-ASA(config)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227

Step 3: Configure an ACL to allow access to the DMZ server from the Internet.

a. Configure a named access list OUTSIDE-DMZ that permits any IP protocol from any external host to the internal IP address of the DMZ server. Apply the access list to the ASA outside interface in the "IN" direction.

CCNAS-ASA(config)# access-list OUTSIDE-DMZ permit ip any host 192.168.2.3
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside

Note: Unlike IOS ACLs, the ASA ACL permit statement must permit access to the internal private DMZ address. External hosts access the server using its public static NAT address, and the ASA translates it to the internal host IP address and applies the ACL. You can modify this ACL to allow only services that you want to be exposed to external hosts, such as web (HTTP) or file transfer (FTP).
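The management-access, AAA, inspection and DMZ-ACL settings built up in Parts 3 through 6 can be checked mechanically against a saved running-config. The following audit script is an added example, not part of the Cisco lab; its sample config is constructed from the lab's own commands (stored the way the ASA writes them back, which is an assumption), with the Telnet source deliberately widened to 0.0.0.0 so the audit has a finding to report, and a hardened variant that drops Telnet and narrows the DMZ ACL to the web service.

```python
"""Audit an ASA running-config for the management-access, inspection and DMZ
ACL settings this lab configures.  Added example, not part of the Cisco lab;
the sample config is constructed from the lab's own commands, assumed to be
stored the way the ASA writes them back, with one deliberately weakened line
(telnet from 0.0.0.0) so the audit has something to report."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
object network dmz-server
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.227
access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
access-group OUTSIDE-DMZ in interface outside
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh 192.168.1.0 255.255.255.0 inside
ssh 172.16.3.3 255.255.255.255 outside
ssh timeout 10
aaa authentication ssh console LOCAL
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
"""

# Hardened variant: Telnet removed, DMZ ACL narrowed to the web service only.
HARDENED_CONFIG = (SAMPLE_CONFIG
    .replace("telnet 0.0.0.0 0.0.0.0 inside\ntelnet timeout 10\n", "")
    .replace("permit ip any host 192.168.2.3", "permit tcp any host 192.168.2.3 eq www"))

MGMT_RE = re.compile(r"^(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", re.M)
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) any host (\S+)$", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$", re.M)

def mgmt_sources(cfg):
    """Yield (protocol, allowed source network, interface) for telnet/ssh/http lines."""
    for proto, ip, mask, iface in MGMT_RE.findall(cfg):
        yield proto, ipaddress.ip_network(f"{ip}/{mask}"), iface

def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for proto, net, iface in mgmt_sources(cfg):
        if net.prefixlen == 0:
            findings.append(f"{proto}: management open to any source on {iface}")
        if proto == "telnet":
            findings.append(f"telnet: cleartext management from {net} on {iface}; use ssh")
    if not re.search(r"^aaa authentication ssh console \S+$", cfg, re.M):
        findings.append("ssh: no 'aaa authentication ssh console'; SSH logins fail on 8.4(2)+")
    # Everything indented under 'policy-map global_policy' belongs to that policy.
    policy = re.search(r"^policy-map global_policy\n((?: .*\n)*)", cfg, re.M)
    if policy is None or "  inspect icmp\n" not in policy.group(1):
        findings.append("mpf: global_policy lacks 'inspect icmp'; echo replies are dropped")
    outside_acl = {iface: acl for acl, iface in GROUP_RE.findall(cfg)}.get("outside")
    for acl, proto, host in ACL_RE.findall(cfg):
        if acl == outside_acl and proto == "ip":
            findings.append(f"acl {acl}: permits every IP protocol from any source to {host}; "
                            "restrict to needed services")
    return findings

if __name__ == "__main__":
    for name, cfg in (("lab config", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```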

Step 4: Test access to the DMZ server.

a. Create a loopback 0 interface on Internet router R2 representing an external host. Assign Lo0 IP address 172.30.1.1 and a mask of 255.255.255.0. Ping the DMZ server public address from R2 using the loopback interface as the source of the ping. The pings should be successful.

R2(config-if)# interface Lo0
R2(config-if)# ip address 172.30.1.1 255.255.255.0
R2# ping 209.165.200.227 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.227, timeout is 2 seconds:
Packet sent with a source address of 172.30.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

b. Clear the NAT counters using the clear nat counters command.

CCNAS-ASA# clear nat counters

c. Ping from PC-C to the DMZ server at the public address 209.165.200.227. The pings should be successful.

d. Issue the show nat and show xlate commands on the ASA to see the effect of the pings. Both the PAT (inside to outside) and static NAT (dmz to outside) policies are shown.
CCNAS-ASA# show nat

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dmz-server 209.165.200.227
    translate_hits = 0, untranslate_hits = 4
2 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 4, untranslate_hits = 0

Note: Pings from inside to outside are translated hits. Pings from outside host PC-C to the DMZ are considered untranslated hits.

CCNAS-ASA# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:192.168.2.3 to outside:209.165.200.227 flags s idle 0:22:58 timeout 0:00:00

Note the flag this time is "s", indicating a static translation.

e. Because the ASA inside interface (VLAN 1) is set to a security level of 100 (the highest) and the DMZ interface (VLAN 3) is set to 70, you can also access the DMZ server from a host on the inside network. The ASA acts like a router between the two networks. Ping the DMZ server (PC-A) internal address (192.168.2.3) from inside network host PC-B (192.168.1.3). The pings should be successful due to the interface security levels and the fact that ICMP is being inspected on the inside interface by the global inspection policy. The pings from PC-B to PC-A will not affect the NAT translation counts because both PC-B and PC-A are behind the firewall and no translation takes place.

f. The DMZ server cannot ping PC-B on the inside network. This is because the DMZ interface VLAN 3 has a lower security level and the fact that, when the VLAN 3 interface was created, it was necessary to specify the no forward command. Try to ping from the DMZ server PC-A to PC-B at IP address 192.168.1.3. The pings should not be successful.

g. Use the show run command to display the configuration for VLAN 3.

CCNAS-ASA# show run interface vlan 3
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0

Note: An access list can be applied to the inside interface if it is desired to control the type of access to be permitted or denied to the DMZ server from inside hosts.
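The show nat hit counters (Part 4 Step 2 and Part 6 Step 4) and the show xlate flags (r, i, s) are what you read to confirm that PAT and static NAT behave as the lab describes; parsing them lets that check be repeated from a script. The parser below is an added example, not part of the Cisco lab; its sample output is constructed from the show nat and show xlate output shown in the lab, and the xlate flags are expanded using the legend line the ASA prints.

```python
"""Parse the ASA 'show nat' and 'show xlate' output this lab inspects and
expand the single-letter xlate flags using the legend the ASA prints.
Added example, not part of the Cisco lab; the sample output below is
constructed from the outputs shown in the lab."""
import re

SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dmz-server 209.165.200.227
    translate_hits = 0, untranslate_hits = 4
2 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 4, untranslate_hits = 0
"""

SHOW_XLATE = """\
2 in use, 28 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.1.3/512 to outside:209.165.200.226/21469 flags ri idle 0:00:03 timeout 0:00:30
NAT from dmz:192.168.2.3 to outside:209.165.200.227 flags s idle 0:22:58 timeout 0:00:00
"""

# One NAT rule spans two lines: the rule itself and its indented hit counters.
NAT_RULE_RE = re.compile(
    r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)\n"
    r"\s+translate_hits = (\d+), untranslate_hits = (\d+)$", re.M)
# An xlate line may carry a protocol prefix (ICMP PAT ...) and per-side ports.
XLATE_RE = re.compile(
    r"^(?:(\S+) )?(NAT|PAT) from (\S+):([\d.]+)(?:/(\d+))? to (\S+):([\d.]+)(?:/(\d+))?"
    r" flags (\S+) idle (\S+) timeout (\S+)$")

def parse_show_nat(text):
    """Return one dict per NAT rule with its hit counters as integers."""
    rules = []
    for m in NAT_RULE_RE.finditer(text):
        idx, real_if, mapped_if, kind, obj, mapped, t_hits, u_hits = m.groups()
        rules.append({"index": int(idx), "real_if": real_if, "mapped_if": mapped_if,
                      "kind": kind, "object": obj, "mapped": mapped,
                      "translate_hits": int(t_hits), "untranslate_hits": int(u_hits)})
    return rules

def parse_show_xlate(text):
    """Return one dict per translation; flags are expanded via the printed legend."""
    legend, entries = {}, []
    for line in text.splitlines():
        if line.startswith("Flags:"):
            legend = dict(re.findall(r"(\S) - (\w+)", line))
            continue
        m = XLATE_RE.match(line)
        if not m:
            continue
        proto, kind, r_if, r_ip, r_port, m_if, m_ip, m_port, flags, idle, timeout = m.groups()
        entries.append({"proto": proto, "kind": kind,
                        "real": (r_if, r_ip, int(r_port) if r_port else None),
                        "mapped": (m_if, m_ip, int(m_port) if m_port else None),
                        "flags": [legend.get(f, f) for f in flags],
                        "idle": idle, "timeout": timeout})
    return entries

def hits_by_object(text):
    """Map each NAT object to (translate_hits, untranslate_hits)."""
    return {r["object"]: (r["translate_hits"], r["untranslate_hits"])
            for r in parse_show_nat(text)}

if __name__ == "__main__":
    print(hits_by_object(SHOW_NAT))
    for e in parse_show_xlate(SHOW_XLATE):
        print(e["kind"], e["real"], "->", e["mapped"], e["flags"])
```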

Reflection

1. How does the configuration of the ASA firewall differ from that of an ISR?
________________________________________________________________________________
________________________________________________________________________________

2. What does the ASA use to define address translation and what is the benefit?
________________________________________________________________________________
________________________________________________________________________________

3. How does the ASA 5505 use logical and physical interfaces to manage security and how does this differ from other ASA models?
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________


Router Interface Summary Table

Router Interface Summary
Router Model  Ethernet Interface #1        Ethernet Interface #2        Serial Interface #1    Serial Interface #2
1800          Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
1900          Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2800          Fast Ethernet 0/0 (Fa0/0)    Fast Ethernet 0/1 (Fa0/1)    Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)
2900          Gigabit Ethernet 0/0 (G0/0)  Gigabit Ethernet 0/1 (G0/1)  Serial 0/0/0 (S0/0/0)  Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
