Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet Interfaces.
© 2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 24
CCNA Security
Objectives

Part 1: Lab Setup
- Cable the network as shown in the topology.
- Configure hostnames and interface IP addresses for routers, switches, and PCs.
- Configure static routing, including default routes, between R1, R2, and R3.
- Configure HTTP and Telnet access for R1.
- Verify connectivity between hosts, switches, and routers.

Part 2: Accessing the ASA Console and Using CLI Setup Mode to Configure Basic Settings
- Access the ASA console and view hardware, software, and configuration settings.
- Clear previous configuration settings.
- Use CLI Setup mode to configure basic settings (hostname, passwords, clock, etc.).

Part 3: Configuring Basic ASA Settings and Interface Security Levels Using CLI
- Configure the hostname and domain name.
- Configure the login and enable passwords.
- Set the date and time.
- Configure the inside and outside interfaces.
- Test connectivity to the ASA.
- Configure remote management with Telnet.
- Configure HTTPS access to the ASA for ASDM.

Part 4: Configuring Routing, Address Translation, and Inspection Policy Using the CLI
- Configure a static default route for the ASA.
- Configure port address translation (PAT) for the inside network.
- Modify the MPF application inspection policy.

Part 5: Configuring DHCP, AAA, and SSH
- Configure the ASA as a DHCP server/client.
- Configure Local AAA user authentication.
- Configure remote management with SSH.

Part 6: Configuring a DMZ, Static NAT, and ACLs
- Configure static NAT for the DMZ server.
- Configure an ACL on the ASA to allow access to the DMZ for Internet users.
- Verify access to the DMZ server for external and internal users.
Background / Scenario
The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall as well as VPN and other capabilities. This lab employs an ASA 5505 to create a firewall and protect an internal corporate network from external intruders while allowing internal hosts access to the Internet. The ASA creates three security interfaces: Outside, Inside, and DMZ. It provides outside users limited access to the DMZ and no access to inside resources. Inside users can access the DMZ and outside resources. The focus of this lab is on the configuration of the ASA as a basic firewall. Other devices will receive minimal configuration to support the ASA portion of the lab.

This lab uses the ASA CLI, which is similar to the IOS CLI, to configure basic device and security settings. In Part 1 of the lab you configure the topology and non-ASA devices. In Parts 2 through 4 you configure basic ASA settings and the firewall between the inside and outside networks. In Part 5 you configure the ASA for additional services such as DHCP, AAA, and SSH. In Part 6 you configure a DMZ on the ASA and provide access to a server in the DMZ.

Your company has one location connected to an ISP. Router R1 represents a CPE device managed by the ISP. Router R2 represents an intermediate Internet router. Router R3 represents an ISP that connects an administrator from a network management company, who has been hired to manage your network remotely. The ASA is an edge CPE security device that connects the internal corporate network and DMZ to the ISP while providing NAT and DHCP services to inside hosts. The ASA will be configured for management by an administrator on the internal network as well as by the remote administrator. Layer 3 VLAN interfaces provide access to the three areas created in the lab: Inside, Outside and DMZ. The ISP has assigned the public IP address space of 209.165.200.224/29, which will be used for address translation on the ASA.
Note: The routers used with this lab are Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). The switches are Cisco WS-C2960-24TT-L with Cisco IOS Release 12.2(46)SE (C2960-LANBASEK9-M image). Other routers, switches, and Cisco IOS versions can be used. However, results and output may vary. The ASA used with this lab is a Cisco model 5505 with an 8-port integrated switch, running OS version 8.4(2) and ASDM version 6.4(5) and comes with a Base license that allows a maximum of three VLANs.

Note: Make sure that the routers and switches have been erased and have no startup configurations.
Required Resources
- 3 routers (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
- 3 switches (Cisco 2960 or comparable)
- 1 ASA 5505 (OS version 8.4(2) and ASDM version 6.4(5) and Base license or comparable)
- PC-A: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client
- PC-B: Windows XP, Vista, or Windows 7 with PuTTY SSH client (ASDM optional)
- PC-C: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client
- Serial and Ethernet cables as shown in the topology
- Rollover cables to configure the routers and ASA via the console
d. Configure the host name for the switches. Other than the host name, the switches can be left in their default configuration state. Configuring the VLAN management IP address for the switches is optional.
b. Configure a static route from R2 to the R1 Fa0/0 subnet (connected to ASA interface E0/0) and a static route from R2 to the R3 LAN.
R2(config)# ip route 209.165.200.224 255.255.255.248 Serial0/0/0
R2(config)# ip route 172.16.3.0 255.255.255.0 Serial0/0/1
Step 4: Enable the HTTP server on R1 and set the enable and vty passwords.
a. Enable HTTP access to R1 using the ip http server command in global config mode. Also set the console and VTY passwords to cisco. This will provide web and Telnet targets for testing later in the lab.
R1(config)# ip http server
R1(config)# enable password class
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login
b. On routers R2 and R3, set the same enable, console and vty passwords as with R1.
Step 7: Save the basic running configuration for each router and switch.

Part 2: Accessing the ASA Console and Using Setup to Configure Basic Settings

In Part 2 of this lab, you will access the ASA via the console and use various show commands to determine hardware, software, and configuration settings. You will clear the current configuration and use the CLI interactive Setup utility to configure basic ASA settings.
Note: Do not configure any ASA settings at this time.
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 23 hours 0 mins
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode    : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode   : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1
 0: Int: Internal-Data0/0  : address is 0007.7dbf.6545, irq 11
 1: Ext: Ethernet0/0       : address is 0007.7dbf.653d, irq 255
 2: Ext: Ethernet0/1       : address is 0007.7dbf.653e, irq 255
<output omitted>
What software version is this ASA running? __________
What is the name of the system image file and from where was it loaded? __________
The ASA can be managed using a built-in GUI known as the Adaptive Security Device Manager (ASDM). What version of ASDM is this ASA running? __________
How much RAM does this ASA have? __________
How much flash memory does this ASA have? __________
How many Ethernet ports does this ASA have? __________
What type of license does this ASA have? __________
How many VLANs can be created with this license? __________
What is another name for flash:? __________
b. Display the contents of flash memory using one of these commands: show flash: or dir disk0:
ciscoasa# show flash:
--#--  --length--  -----date/time------  path
  168  25159680    Aug 29 2011 13:00:52
  122  0           Aug 29 2011 13:09:32
   13  2048        Aug 29 2011 13:02:14
   14  59          Aug 29 2011 13:02:14
  169  16280544    Aug 29 2011 13:02:58
    3  2048        Aug 29 2011 13:04:42
    6  2048        Aug 29 2011 13:05:00  crypto_archive
  171  34816       Jan 01 1980 00:00:00  FSCK0000.REC
  173  36864       Jan 01 1980 00:00:00  FSCK0001.REC
  174  12998641    Aug 29 2011 13:09:22  csd_3.5.2008-k9.pkg
  175  2048        Aug 29 2011 13:09:24  sdesktop
  211  0           Aug 29 2011 13:09:24  sdesktop/data.xml
  176  6487517     Aug 29 2011 13:09:26  anyconnect-macosx-i386-2.5.2014-k9.pkg
  177  6689498     Aug 29 2011 13:09:30  anyconnect-linux-2.5.2014-k9.pkg
  178  4678691     Aug 29 2011 13:09:32  anyconnect-win-2.5.2014-k9.pkg
<output omitted>
Note: In this lab you will manually configure settings similar to those listed above, as well as some additional ones, using the ASA CLI.
a. Display the current running configuration using the show running-config command.
ciscoasa# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
<output omitted>
Note: To stop the output from a command using the CLI, press the letter Q. If you see VLANs 1 and 2 and other settings as described previously, the device is most likely configured with the default factory configuration. You may also see other security features such as a global policy that inspects selected application traffic, which the ASA inserts by default, if the original startup configuration has been erased. The actual output will vary depending on the ASA model, version and configuration status.
b. You can restore the ASA to its factory default settings by using the command configure factory-default as shown here.
ciscoasa# conf t
ciscoasa(config)# configure factory-default
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the system on the next reload.
Verify there is a valid image on disk0:/ or the system will not boot.
Begin to apply factory-default configuration:
Clear all configuration
WARNING: DHCPD bindings cleared on interface 'inside', address pool removed
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
<output omitted>
c. Review this output and pay particular attention to the VLAN interfaces, and NAT and DHCP related sections. These will be configured later in this lab using the CLI.
d. You may wish to capture and print the factory-default configuration as a reference. Use the terminal emulation program to copy it from the ASA and paste it into a text document. You can then edit this file, if desired, so that it contains only valid commands. You should also remove password commands and enter the no shut command to bring up the desired interfaces.
Note: The IOS command erase startup-config is not supported on the ASA.
b. Use the reload command to restart the ASA. This will cause the ASA to come up in CLI Setup mode. If prompted that the config has been modified, asking if you want to save it, respond "N".
ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
<output omitted>
Note: In the above configuration, the IP address of the host running ASDM was left blank. It is not necessary to install ASDM on a host. It can be run from the flash memory of the ASA device itself using the browser of the host. This process is described in Chapter 10 Lab B, Configuring ASA Basic Settings and Firewall Using ASDM. You may also see the warning above stating that the ASA HTTP server has not yet been enabled. This will be done in a subsequent step.
Note: The responses to the prompts are automatically stored in the startup-config and the running config. However, additional security related commands, such as a global default inspection service policy, are inserted into the running-config by the ASA OS.
b. Issue the show run command to see the additional security related configuration commands that are inserted by the ASA.
c. Issue the copy run start command to capture the additional security related commands in the startup-config.
d. Issue the reload command to restart the ASA and load the startup configuration.
ASA-Init# reload
Proceed with reload? [confirm] <Enter>
<output omitted>
e. Enter privileged EXEC mode with the enable command. Provide the password set in Step 6a (cisco). Issue the show running-config command. You should see the entries you provided in the interactive configuration process.
issue the command "call-home reporting anonymous". Please remember to save your configuration.
c.
b. Create a logical VLAN 2 interface for the outside network, 209.165.200.224/29, set the security level to the lowest setting of 0 and bring up the VLAN 2 interface.
CCNAS-ASA(config-if)# interface vlan 2
CCNAS-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
CCNAS-ASA(config-if)# no shutdown
Interface security level notes: You may receive a message that the security level for the inside interface was set automatically to 100 and the outside interface was set to 0. The ASA uses interface security levels from 0 to 100 to enforce the security policy. Security Level 100 (inside) is the most secure and level 0 (outside) is the least secure. By default, the ASA applies a policy where traffic from a higher security level interface to one with a lower level is permitted and traffic from a lower security level interface to one with a higher security level is denied. The ASA default security policy permits outbound traffic, which is inspected by default. Returning traffic is allowed because of stateful packet inspection. This default "routed mode" firewall behavior of the ASA allows packets to be routed from the inside network to the outside network but not vice versa. In Part 4 of this lab you will configure NAT to increase the firewall protection.
c. Use the show interface command to ensure that ASA Layer 2 ports E0/0 (for VLAN 2) and E0/1 (for VLAN 1) are both up. An example is shown for E0/0. If either port is shown as down/down, check the physical connections. If either port is administratively down, bring it up with the no shutdown command.
CCNAS-ASA# show interface e0/0
Interface Ethernet0/0 "", is administratively down, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
<output omitted>
d. Assign ASA Layer 2 port E0/1 to VLAN 1 and port E0/0 to VLAN 2 and use the no shutdown command to ensure they are up.
CCNAS-ASA(config)# interface e0/1
CCNAS-ASA(config-if)# switchport access vlan 1
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface e0/0
CCNAS-ASA(config-if)# switchport access vlan 2
CCNAS-ASA(config-if)# no shutdown
Note: Even though E0/1 is in VLAN 1 by default, the commands are provided above.
e. Display the status for all ASA interfaces using the show interface ip brief command. Note that this command is different from the IOS command show ip interface brief. If any of the physical or logical interfaces previously configured are not UP/UP, troubleshoot as necessary before continuing.
Tip: Most ASA show commands, as well as ping, copy and others, can be issued from within any config mode prompt without the "do" command required with IOS.
CCNAS-ASA(config)# show interface ip brief
Interface                  IP-Address       OK? Method Status   Protocol
Ethernet0/0                unassigned       YES unset  up       up
Ethernet0/1                unassigned       YES unset  up       up
Ethernet0/2                unassigned       YES unset  up       up
Ethernet0/3                unassigned       YES unset  down     down
Ethernet0/4                unassigned       YES unset  down     down
Ethernet0/5                unassigned       YES unset  down     down
Ethernet0/6                unassigned       YES unset  down     down
Ethernet0/7                unassigned       YES unset  down     down
Internal-Data0/0           unassigned       YES unset  up       up
Internal-Data0/1           unassigned       YES unset  up       up
Vlan1                      192.168.1.1      YES manual up       up
Vlan2                      209.165.200.226  YES manual up       up
Virtual0                   127.0.0.1        YES unset  up       up
f. Display the information for the Layer 3 VLAN interfaces using the show ip address command.
CCNAS-ASA(config)# show ip address
System IP Addresses:
Interface    Name
Vlan1        inside
Vlan2        outside
Current IP Addresses:
Interface    Name
Vlan1        inside
Vlan2        outside
g. Use the show switch vlan command to display the inside and outside VLANs configured on the ASA and to display the assigned ports.
CCNAS-ASA# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0
h. You may also use the command show running-config interface type/number to display the configuration for a particular interface from the running-config.
CCNAS-ASA# show run interface vlan 1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
d. From PC-B, telnet to the ASA using address 192.168.1.1. Were you able to make the connection? Why or why not? __________
Step 6: Configure Telnet access to the ASA from the inside network.
a. You can configure the ASA to accept Telnet connections from a single host or a range of hosts on the inside network. Configure the ASA to allow Telnet connections from any host on the inside network 192.168.1.0/24 and set the Telnet timeout to 10 minutes (the default is 5 minutes).
CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet timeout 10
b. From PC-B, telnet to the ASA using address 192.168.1.1 to verify the Telnet access. Use the remote access login password cisco to access the ASA CLI prompt. Exit the Telnet session using the quit command.
Note: You cannot use Telnet to the lowest security interface (outside) from the outside unless you use Telnet inside an IPsec tunnel. Telnet is not the preferred remote access tool because of its lack of encryption. In Part 5 of this lab you will configure SSH access from the internal and external network.
b. Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1. You will be prompted with a security certificate warning. Click Continue to this website. Click Yes for the other security warnings. You should see the Cisco ASDM-IDM Launcher where you can enter a username and password. Leave the username blank and enter the password cisco, which was configured when you ran the Setup utility.
Note: Be sure to specify the HTTPS protocol in the URL.
c. Close the browser. In the next lab, you will use ASDM extensively to configure the ASA. The objective here is not to use the ASDM configuration screens, but to verify HTTP/ASDM connectivity to the ASA. If you are unable to access ASDM, check your configurations or contact your instructor or do both.

Part 4: Configuring Routing, Address Translation and Inspection Policy Using the CLI
In Part 4 of this lab, you provide a default route for the ASA to reach external networks. You configure address translation using network objects to enhance firewall security. You then modify the default application inspection policy to allow specific traffic.
Note: You must complete Part 3 before going on to Part 4.
route command to display the ASA routing table and the static default route just
CCNAS-ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 209.165.200.225 to network 0.0.0.0

C    192.168.10.0 255.255.255.0 is directly connected, inside
C    209.165.200.224 255.255.255.248 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 209.165.200.225, outside
e. Ping from the ASA to R1 S0/0/0 IP address 10.1.1.1. Was the ping successful? __________
b. The ASA splits the configuration into the object portion that defines the network to be translated and the actual nat command parameters. These appear in two different places in the running-config. Display the NAT object configuration using the show run object and show run nat commands.
CCNAS-ASA# show run object
object network inside-net
 subnet 192.168.1.0 255.255.255.0
CCNAS-ASA# show run nat
!
object network inside-net
 nat (inside,outside) dynamic interface
c. From PC-B attempt to ping the R1 Fa0/0 interface at IP address 209.165.200.225. Were the pings successful? __________
d. Issue the show nat command on the ASA to see the translated and untranslated hits. Notice that, of the pings from PC-B, 4 were translated and 4 were not. This is due to the fact that ICMP is not being inspected by the global inspection policy. The outgoing pings (echos) were translated; the returning echo replies were blocked by the firewall policy. You will configure the default inspection policy to allow ICMP in the next step.
CCNAS-ASA# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 4, untranslate_hits = 4
e. Ping from PC-B to R1 again and quickly issue the show xlate command to see the addresses being translated.
CCNAS-ASA# show xlate
1 in use, 28 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.1.3/512 to outside:209.165.200.226/21469 flags ri idle 0:00:03 timeout 0:00:30
Note: The flags (r and i) indicate that the translation was based on a port map (r) and was done dynamically (i).
f. Open a browser on PC-B and enter the IP address of R1 Fa0/0 (209.165.200.225). You should be prompted by R1 for SDM or CCP GUI login. TCP-based HTTP traffic is permitted by default by the firewall inspection policy.
g. On the ASA use the show nat and show xlate commands again to see the hits and addresses being translated for the HTTP connection.
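As an added example (not part of the Cisco lab), the following Python parses the show nat and show xlate output used in this step and again in Part 6, and decodes the xlate flag letters the note above explains. The sample output is constructed to match the lab's ICMP PAT entry and the later static NAT entry for the DMZ server; the function and regex names are mine.

```python
import re
from typing import Dict, List

# Meaning of the flag letters from the "show xlate" legend line.
XLATE_FLAGS = {"D": "DNS", "i": "dynamic", "r": "portmap",
               "s": "static", "I": "identity", "T": "twice"}

# e.g. "ICMP PAT from inside:192.168.1.3/512 to outside:209.165.200.226/21469 flags ri ..."
_XLATE_RE = re.compile(
    r"^(?:(?P<proto>[A-Z]+)\s+)?(?P<kind>NAT|PAT)\s+from\s+"
    r"(?P<real_if>[^:\s]+):(?P<real_ip>[\d.]+)(?:/(?P<real_port>\d+))?\s+to\s+"
    r"(?P<mapped_if>[^:\s]+):(?P<mapped_ip>[\d.]+)(?:/(?P<mapped_port>\d+))?\s+"
    r"flags\s+(?P<flags>\S+)\s+idle\s+(?P<idle>\S+)\s+timeout\s+(?P<timeout>\S+)")

# e.g. "1 (dmz) to (outside) source static dmz-server 209.165.200.227"
_NAT_POLICY_RE = re.compile(
    r"^(?P<index>\d+)\s+\((?P<real_if>\w+)\)\s+to\s+\((?P<mapped_if>\w+)\)\s+"
    r"source\s+(?P<type>static|dynamic)\s+(?P<object>\S+)\s+(?P<mapped>\S+)")
_NAT_HITS_RE = re.compile(
    r"translate_hits\s*=\s*(?P<t>\d+),\s*untranslate_hits\s*=\s*(?P<u>\d+)")


def parse_show_xlate(text: str) -> List[Dict[str, object]]:
    """Return one dict per translation line; counter and legend lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _XLATE_RE.match(line.strip())
        if not m:
            continue
        d: Dict[str, object] = m.groupdict()
        d["flag_names"] = [XLATE_FLAGS.get(c, f"unknown({c})") for c in m["flags"]]
        entries.append(d)
    return entries


def parse_show_nat(text: str) -> List[Dict[str, object]]:
    """Return one dict per NAT policy, with its translate/untranslate hit counters."""
    policies: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        m = _NAT_POLICY_RE.match(line)
        if m:
            d: Dict[str, object] = m.groupdict()
            d["index"] = int(m["index"])
            policies.append(d)
            continue
        h = _NAT_HITS_RE.search(line)
        if h and policies:  # the hits line belongs to the policy just parsed
            policies[-1]["translate_hits"] = int(h["t"])
            policies[-1]["untranslate_hits"] = int(h["u"])
    return policies


# Constructed sample output, matching the entries shown in this lab.
SHOW_NAT_SAMPLE = """\
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dmz-server 209.165.200.227
    translate_hits = 0, untranslate_hits = 4
2 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 4, untranslate_hits = 0
"""

SHOW_XLATE_SAMPLE = """\
2 in use, 28 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
ICMP PAT from inside:192.168.1.3/512 to outside:209.165.200.226/21469 flags ri idle 0:00:03 timeout 0:00:30
NAT from dmz:192.168.2.3 to outside:209.165.200.227 flags s idle 0:22:58 timeout 0:00:00
"""

if __name__ == "__main__":
    for p in parse_show_nat(SHOW_NAT_SAMPLE):
        print(p["index"], p["real_if"], "->", p["mapped_if"], p["type"],
              "translate_hits", p["translate_hits"], "untranslate_hits", p["untranslate_hits"])
    for x in parse_show_xlate(SHOW_XLATE_SAMPLE):
        print(x["proto"] or "", x["kind"], x["real_ip"], "->", x["mapped_ip"], x["flag_names"])
```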
Step 3: Modify the default MPF application inspection global service policy.
For application layer inspection, as well as other advanced options, the Cisco Modular Policy Framework (MPF) is available on ASAs. Cisco MPF uses three configuration objects to define modular, object-oriented, hierarchical policies:
- Class maps: Define a match criterion
- Policy maps: Associate actions to the match criteria
- Service policies: Attach the policy map to an interface, or globally to all interfaces of the appliance.
a. Display the default MPF policy map that performs the inspection on inside-to-outside traffic. Only traffic that was initiated from the inside is allowed back in to the outside interface. Notice that the ICMP protocol is missing.
CCNAS-ASA# show run
<output omitted>
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
b. Add the inspection of ICMP traffic to the policy map list using the following commands:
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
c. From PC-B attempt to ping the R1 Fa0/0 interface at IP address 209.165.200.225. The pings should be successful this time because ICMP traffic is now being inspected and legitimate return traffic is being allowed.
Were you able to do this on this ASA? __________
Repeat the dhcpd command and specify the pool as 192.168.1.5-192.168.1.36
CCNAS-ASA(config)# dhcpd address 192.168.1.5-192.168.1.36 inside
b. (Optional) Specify the IP address of the DNS server to be given to clients.
CCNAS-ASA(config)# dhcpd dns 209.165.201.2
Note: Other parameters can be specified for clients, such as WINS server, lease length, and domain name.
c. Enable the DHCP daemon within the ASA to listen for DHCP client requests on the enabled interface (inside).
CCNAS-ASA(config)# dhcpd enable inside
e. Access the Network Connection IP Properties for PC-B and change it from a static IP address to a DHCP client so that it obtains an IP address automatically from the ASA DHCP server. The procedure to do this varies depending on the PC operating system. It may be necessary to issue the ipconfig /renew command on PC-B to force it to obtain a new IP address from the ASA.
b. Configure AAA to use the local ASA database for Telnet and SSH user authentication.
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
CCNAS-ASA(config)# aaa authentication telnet console LOCAL
Note: For added security, starting in ASA version 8.4(2), it is necessary to configure AAA authentication in order to support SSH connections. The Telnet/SSH default login is not supported. You can no longer connect to the ASA using SSH with the default username and the login password.
b. Save the RSA keys to persistent flash memory using either the copy run start or write mem command.
CCNAS-ASA# write mem
Building configuration...
Cryptochecksum: 3c845d0f b6b8839a f9e43be0 33feb4ef
3270 bytes copied in 0.890 secs
[OK]
c. Configure the ASA to allow SSH connections from any host on the inside network 192.168.1.0/24 and from the remote management host at the branch office (172.16.3.3) on the outside network. Set the SSH timeout to 10 minutes (the default is 5 minutes).
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 172.16.3.3 255.255.255.255 outside
CCNAS-ASA(config)# ssh timeout 10
d. On PC-C, use an SSH client, such as PuTTY, to connect to the ASA outside interface at IP address 209.165.200.226. The first time you connect you may be prompted by the SSH client to accept the RSA host key of the ASA SSH server. Log in as user admin and provide the password cisco123. You can also connect to the ASA inside interface from a PC-B SSH client using IP address 192.168.1.1.
Note: If you are working with the ASA 5505 base license, you will get the error message shown in the output below. The ASA 5505 base license allows for the creation of up to three named VLAN interfaces. However, you must disable communication between the third interface and one of the other interfaces using the no forward command. This is not an issue if the ASA has a Security Plus license, which allows 20 named VLANs. Because the server does not need to initiate communication with the inside users, disable forwarding to interface VLAN 1.
CCNAS-ASA(config)# interface vlan 3
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a "no forward" command on this interface or on 1 interface(s) with nameif already configured.
CCNAS-ASA(config-if)# no forward interface vlan 1
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# no shut
b. Assign ASA physical interface E0/2 to DMZ VLAN 3 and enable the interface.
CCNAS-ASA(config-if)# interface Ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shut
c. Display the status for all ASA interfaces using the show interface ip brief command.
CCNAS-ASA# show interface ip brief
Interface                  IP-Address       OK?
Ethernet0/0                unassigned       YES
Ethernet0/1                unassigned       YES
Ethernet0/2                unassigned       YES
Ethernet0/3                unassigned       YES
Ethernet0/4                unassigned       YES
Ethernet0/5                unassigned       YES
Ethernet0/6                unassigned       YES
Ethernet0/7                unassigned       YES
Internal-Data0/0           unassigned       YES
Internal-Data0/1           unassigned       YES
Vlan1                      192.168.1.1      YES
Vlan2                      209.165.200.226  YES
Vlan3                      192.168.2.1      YES
Virtual0                   127.0.0.1        YES
d. Display the information for the Layer 3 VLAN interfaces using the show ip address command.
CCNAS-ASA# show ip address
System IP Addresses:
Interface    Name
Vlan1        inside
Vlan2        outside
Vlan3        dmz
<output omitted>
e. Display the VLANs and port assignments on the ASA using the show switch vlan command.
CCNAS-ASA(config)# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/3, Et0/4, Et0/5
                                                Et0/6, Et0/7
2    outside                          up        Et0/0
3    dmz                              up        Et0/2
Step 2: Configure static NAT to the DMZ server using a network object.
a. Configure a network object named dmz-server and assign it the static IP address of the DMZ server (192.168.2.3). While in object definition mode, use the nat command to specify that this object is used to translate a DMZ address to an outside address using static NAT and specify a public translated address of 209.165.200.227.
CCNAS-ASA(config)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
Step 3: Configure an ACL to allow access to the DMZ server from the Internet.
a. Configure a named access list OUTSIDE-DMZ that permits any IP protocol from any external host to the internal IP address of the DMZ server. Apply the access list to the ASA outside interface in the "IN" direction.
CCNAS-ASA(config)# access-list OUTSIDE-DMZ permit ip any host 192.168.2.3
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
Note: Unlike IOS ACLs, the ASA ACL permit statement must permit access to the internal private DMZ address. External hosts access the server using its public static NAT address, and the ASA translates it to the internal host IP address and applies the ACL. You can modify this ACL to allow only services that you want to be exposed to external hosts, such as web (HTTP) or file transfer (FTP).
b. Clear the NAT counters using the clear nat counters command.

CCNAS-ASA# clear nat counters
c. Ping from PC-C to the DMZ server at the public address 209.165.200.227. The pings should be successful.
d. Issue the show nat and show xlate commands on the ASA to see the effect of the pings. Both the PAT (inside to outside) and static NAT (dmz to outside) policies are shown.

CCNAS-ASA# show nat

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dmz-server 209.165.200.227
    translate_hits = 0, untranslate_hits = 4
2 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 4, untranslate_hits = 0
Note: Pings from inside to outside are translated hits. Pings from outside host PC-C to the DMZ are considered untranslated hits.
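The following Python helper is an added example, not part of the Cisco lab. It parses the Auto NAT section of show nat output, as printed above, into per-policy records with their hit counters and applies the rule stated in the note: translate_hits count connections that started on the real (inside or dmz) side of the policy, untranslate_hits count connections that started on the mapped (outside) side. The sample output it runs on is constructed to match the counters shown in step d.

```python
import re

# Constructed sample: the Auto NAT section from step d of this lab, captured
# after four pings from PC-C to the DMZ server's public address.
SHOW_NAT_SAMPLE = """\
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static dmz-server 209.165.200.227
    translate_hits = 0, untranslate_hits = 4
2 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 4, untranslate_hits = 0
"""

# "1 (dmz) to (outside) source static dmz-server 209.165.200.227"
POLICY_RE = re.compile(
    r"^(?P<idx>\d+)\s+\((?P<real_if>[^)]+)\)\s+to\s+\((?P<mapped_if>[^)]+)\)"
    r"\s+source\s+(?P<kind>static|dynamic)\s+(?P<obj>\S+)\s+(?P<mapped>\S+)"
)
# "translate_hits = 0, untranslate_hits = 4"
HITS_RE = re.compile(
    r"translate_hits\s*=\s*(?P<t>\d+),\s*untranslate_hits\s*=\s*(?P<u>\d+)"
)


def parse_show_nat(text):
    """Return one dict per NAT policy: direction, type, object, mapped
    address (or the word 'interface' for PAT) and both hit counters."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            policy = m.groupdict()
            policy["idx"] = int(policy["idx"])
            policy.update(translate_hits=0, untranslate_hits=0)
            policies.append(policy)
            continue
        m = HITS_RE.search(line)
        if m and policies:  # the counter line belongs to the policy just read
            policies[-1]["translate_hits"] = int(m.group("t"))
            policies[-1]["untranslate_hits"] = int(m.group("u"))
    return policies


def initiated_from(policy):
    """Which side started the connections this policy has seen.
    translate_hits: flows started on the real (inside/dmz) side.
    untranslate_hits: flows started on the mapped (outside) side."""
    t, u = policy["translate_hits"], policy["untranslate_hits"]
    if t == 0 and u == 0:
        return "unused"
    if u and not t:
        return "mapped side only"
    if t and not u:
        return "real side only"
    return "both sides"


def dmz_server_reachable_from_outside(text, obj="dmz-server"):
    """True once the static policy for the DMZ object has untranslate hits,
    i.e. traffic to the public address was mapped to the real host."""
    for p in parse_show_nat(text):
        if p["kind"] == "static" and p["obj"] == obj:
            return p["untranslate_hits"] > 0
    return False


if __name__ == "__main__":
    for p in parse_show_nat(SHOW_NAT_SAMPLE):
        print(f"policy {p['idx']}: ({p['real_if']}) to ({p['mapped_if']}) "
              f"{p['kind']} {p['obj']} -> {p['mapped']}: {initiated_from(p)}")
    print("DMZ server reached from outside:",
          dmz_server_reachable_from_outside(SHOW_NAT_SAMPLE))
```

Run against a real capture, the same check tells you whether the inbound static NAT was exercised at all; a zero untranslate counter on the dmz-server policy after the pings in step c points at the ACL or the route toward the ASA rather than at the NAT statement.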
CCNAS-ASA# show xlate
1 in use, 3 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:192.168.2.3 to outside:209.165.200.227
    flags s idle 0:22:58 timeout 0:00:00
Note the flag this time is 's', indicating a static translation.

e. Because the ASA inside interface (VLAN 1) is set to a security level of 100 (the highest) and the DMZ interface (VLAN 3) is set to 70, you can also access the DMZ server from a host on the inside network. The ASA acts like a router between the two networks. Ping the DMZ server (PC-A) internal address (192.168.2.3) from inside network host PC-B (192.168.1.3). The pings should be successful due to the interface security levels and the fact that ICMP is being inspected on the inside interface by the global inspection policy. The pings from PC-B to PC-A will not affect the NAT translation counts, because both PC-B and PC-A are behind the firewall and no translation takes place.

f. The DMZ server cannot ping PC-B on the inside network. This is because the DMZ interface VLAN 3 has a lower security level and because, when the VLAN 3 interface was created, it was necessary to specify the no forward command. Try to ping from the DMZ server PC-A to PC-B at IP address 192.168.1.3. The pings should not be successful.

g. Use the show run command to display the configuration for VLAN 3.
CCNAS-ASA# show run interface vlan 3
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
Note: An access list can be applied to the inside interface if it is desired to control the type of access to be permitted or denied to the DMZ server from inside hosts.
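To make the two points in steps c through f concrete (the outside ACL is matched against the real DMZ address after NAT untranslation, and inside/dmz traffic is decided by interface security levels together with the no forward interface setting), here is a small Python model of that part of the ASA packet path. It is an added example, not Cisco code, and a simplification: it ignores return traffic and the stateful inspection that the lab relies on for the ICMP replies. The interface names, security levels, the dmz-server object and the OUTSIDE-DMZ ACL are taken from this lab; the outside host address 172.16.3.3 used for PC-C is an assumption, since it is not stated on this page.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional


@dataclass
class Interface:
    name: str                      # nameif value, e.g. "inside"
    security_level: int            # 0 (least trusted) .. 100 (most trusted)
    no_forward: set = field(default_factory=set)  # "no forward interface" targets


@dataclass
class StaticNat:
    real_if: str                   # (real_if,mapped_if) as in: nat (dmz,outside)
    mapped_if: str
    real_ip: IPv4Address
    mapped_ip: IPv4Address


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    src: Optional[IPv4Address]     # None means "any"
    dst: Optional[IPv4Address]     # None means "any"


class Asa:
    def __init__(self, interfaces, networks, static_nats, acls, access_groups):
        self.interfaces = {i.name: i for i in interfaces}
        self.networks = networks            # IPv4Network -> nameif (directly connected)
        self.static_nats = static_nats
        self.acls = acls                    # ACL name -> list of AclEntry
        self.access_groups = access_groups  # ingress nameif -> ACL name (access-group ... in)

    def untranslate(self, in_if, dst):
        """Inbound on a mapped interface: turn the public address into the real one."""
        dst = ip_address(dst)
        for n in self.static_nats:
            if n.mapped_if == in_if and n.mapped_ip == dst:
                return n.real_ip
        return dst

    def egress_interface(self, dst):
        for net, name in self.networks.items():
            if dst in net:
                return name
        return "outside"   # everything else follows the default route

    def decide(self, in_if, src, dst):
        """Return (permitted, reason) for a new flow entering on in_if."""
        src = ip_address(src)
        real_dst = self.untranslate(in_if, dst)   # untranslation happens before the ACL
        out_if = self.egress_interface(real_dst)
        ingress, egress = self.interfaces[in_if], self.interfaces[out_if]

        acl_name = self.access_groups.get(in_if)
        if acl_name is not None:
            # An ACL on the ingress interface replaces the level-based default and is
            # matched against the real (post-untranslation) destination address.
            for e in self.acls[acl_name]:
                if (e.src is None or e.src == src) and (e.dst is None or e.dst == real_dst):
                    return e.action == "permit", f"ACL {acl_name}: {e.action}"
            return False, f"ACL {acl_name}: implicit deny"

        if out_if in ingress.no_forward:
            return False, f"{in_if}: no forward interface {out_if}"
        if ingress.security_level > egress.security_level:
            return True, f"{in_if}({ingress.security_level}) -> {out_if}({egress.security_level})"
        return False, f"{in_if}({ingress.security_level}) -> {out_if}({egress.security_level}), no ACL"


def lab_asa(acl_dst="192.168.2.3"):
    """Build the Part 5 configuration. acl_dst lets the caller try the public
    address in the OUTSIDE-DMZ ACL to see why the lab uses the real one."""
    return Asa(
        interfaces=[
            Interface("inside", 100),
            Interface("outside", 0),
            Interface("dmz", 70, no_forward={"inside"}),   # no forward interface Vlan1
        ],
        networks={ip_network("192.168.1.0/24"): "inside",
                  ip_network("192.168.2.0/24"): "dmz"},
        static_nats=[StaticNat("dmz", "outside",
                               ip_address("192.168.2.3"), ip_address("209.165.200.227"))],
        acls={"OUTSIDE-DMZ": [AclEntry("permit", None, ip_address(acl_dst))]},
        access_groups={"outside": "OUTSIDE-DMZ"},
    )


OUTSIDE_HOST = "172.16.3.3"   # assumed address for PC-C; not stated on this page

if __name__ == "__main__":
    asa = lab_asa()
    for in_if, src, dst in [("outside", OUTSIDE_HOST, "209.165.200.227"),  # step c
                            ("inside", "192.168.1.3", "192.168.2.3"),     # step e
                            ("dmz", "192.168.2.3", "192.168.1.3")]:       # step f
        ok, why = asa.decide(in_if, src, dst)
        print(f"{in_if:7} {src:>15} -> {dst:<15} {'permit' if ok else 'deny':6} ({why})")
    ok, why = lab_asa(acl_dst="209.165.200.227").decide("outside", OUTSIDE_HOST, "209.165.200.227")
    print(f"ACL written with the public address: {'permit' if ok else 'deny'} ({why})")
```

The last line of the run reproduces the mistake the note under step 3 warns about: an ACL entry naming 209.165.200.227 never matches, because by the time the ACL is evaluated the destination has already been rewritten to 192.168.2.3, and the implicit deny drops the ping.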
Reflection

1. How does the configuration of the ASA firewall differ from that of an ISR?
________________________________________________________________________________
________________________________________________________________________________

2. What does the ASA use to define address translation and what is the benefit?
________________________________________________________________________________
________________________________________________________________________________

3. How does the ASA 5505 use logical and physical interfaces to manage security and how does this differ from other ASA models?
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
2!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation.
'age 22 of 2(
CCNA Security
2!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation.
'age 21 of 2(
CCNA Security
2!2"12 Cisco Syste#s$ Inc. All rights reserved. %his doc&#ent is Cisco '&blic Infor#ation.
'age 2( of 2(