Cisco Asa Lab Manual Final

(1)

SNAF

Securing Networks with ASA

Fundamentals

Lab Manual

Developed by

M. Irfan Ghauri

M. Tanzeel Nasir

C-32/1 Block-5 Gulshan-e-Iqbal, Karachi

ESP Press

Ph #021-6034003 Copyrights 2011

(2)

LAB. LABS DESCRIPTION PAGE

NO. 1 ASA Basic & Accessing ASA through Telnet/SSH/HTTP 3

2 NETWORK ADDRESS TRANSLATION

• Nat Control • Static NAT • Dynamic NAT • PAT • STATIC PAT • POLICY NAT • NAT 0 8

3 Fitering ACTIVEX Objects and JAVA Applets 17

4 Transparent Firewall 18

5 Syslog server 20

6 Cut through proxy through LOCAL database & AAA

server 21 7 Downloadable Acl 24

8 Tcp intercept Max connection 29

9 Object Grouping and Time-based Acl 30 10 Routing

a.Static Routing b.Dynamic Routing

(3)

11 Dynamic Host Configuration Protocol 34

12 Demilitarized Zone 37

13 Intervlan Routing with ASA 39

14 Modular Policy Framework 41

15 Virtual Private Network Site to Site VPN Web VPN

Remote Access VPN

(4)

Lab # 1

ASA Basic

Configuration

How to verify Version

ciscoasa(config)# sh version

How to Set Hostname

ciscoasa(config)# hostname ESP

How to Set Time & Date

ciscoasa# clock set 03:40:50 29 december 2010

How to Set Desired Banners

ciscoasa(config)# banner exec "you are off"

How to Configure a particular Interface

ciscoasa(config)# interface ethernet 0/0 • Assign IP

ciscoasa(config-if)# ip address 20.0.0.10 • Alive Interface

ciscoasa(config-if)# no shutdown • Set Speed

ciscoasa(config-if)# speed auto • Give Label

ciscoasa(config-if)# nameif outside • Mention Security Level

ciscoasa(config-if)# security-level 0 ciscoasa(config)# interface ethernet 0/1 ciscoasa(config-if)# ip address 10.0.0.10 ciscoasa(config-if)# no shutdown

(5)

ciscoasa(config-if)# nameif inside ciscoasa(config-if)# security-level 100

How to check Particular Interface information

ciscoasa# sh interface ethernet 0/0 ciscoasa# sh interface ethernet 0/1

How to check the applied IP Addresses on the Device

ciscoasa# sh ip addresses

How to check interface Labels & Security Levels

ciscoasa# sh nameif

How to check Interfaces summary

ciscoasa(config)# sh interface ip brief

How to Save Configuration

ciscoasa(config)# copy running-config start

How to check state table

ciscoasa(config)# sh conn

How to check memory status

ciscoasa# sh memory

How to restrict access on Privilege mode

ciscoasa(config)# enable password cisco

How to check running configuration

ciscoasa(config)# sh run

How to check History of CLI

(6)

Accessing ASA through Telnet/HTTP/SSH

Configuration

Assigning Speed & IP Address on Inside & Outside Interfaces.

ciscoasa(config)# interface ethernet 0/0

ciscoasa(config-if)# ip address 20.0.0.10

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# speed auto

ciscoasa(config-if)# nameif

outside

ciscoasa(config)# interface ethernet 0/1

ciscoasa(config-if)# ip address 10.0.0.10

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# speed auto

ciscoasa(config-if)# nameif

inside

How to Telnet Adaptive Security Appliance

ciscoasa(config)# telnet 10.0.0.4 255.255.255.255 inside ciscoasa(config)# passwd cisco

ciscoasa(config)# enable password cisco (Telnet only allow from inside)

How to HTTP Adaptive Security Appliance

ciscoasa(config)#http server enable

ciscoasa(config)#http 10.0.0.1 255.255.255.255 inside

How to SSH Adaptive Security Appliance

ciscoasa(config)# crypto key generate rsa modulus 1024 ciscoasa(config)# ssh 10.0.0.1 255.255.255.255 inside ciscoasa(config)# ssh 20.0.0.4 255.255.255.255 outside

Authentication With local database

ciscoasa(config)#username tanzeel password cisco123 ciscoasa(config)# aaa authentication ssh console LOCAL

(7)

At Machine 10.0.0.1:

(8)

Verification Commands:

ciscoasa(config)# show ssh

ciscoasa(config)# show ssh session

ciscoasa(config)# ssh disconnect session_id ciscoasa(config)# show crypto key mypubkey rsa

(9)

Lab # 2

NETWORK ADDRESS TRANSLATION

Network Address Translation allows to translate Private

Addresses into Public Addresses

• Nat Control • Static NAT • Dynamic NAT • PAT • STATIC PAT • POLICY NAT • NAT 0

Configuration

Assigning Speed & IP Address on Inside & Outside Interfaces.

ciscoasa(config)# interface ethernet 0/0

ciscoasa(config-if)# ip address 20.0.0.10

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# speed auto

ciscoasa(config-if)# nameif

outside

ciscoasa(config)# interface ethernet 0/1

ciscoasa(config-if)# ip address 10.0.0.10

ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# speed auto

ciscoasa(config-if)# nameif

inside

ciscoasa

(config)#nat-control

ciscoasa

(config)# access-list 1 permit ip any any

(10)

STATIC NETWORK ADDRESS TRANSLATION

Configuration

Establish Static NAT & ACLs.

ciscoasa

(config)# static (inside,outside) 20.0.0.51 10.0.0.1

ciscoasa

(config)# static (inside,outside) 20.0.0.52 10.0.0.2

Verify Configuration by using following commands.

ciscoasa

(config)# show running-config nat

ciscoasa

(config)# show xlate

(11)

DYNAMIC NETWORK ADDRESS

TRANSLATION

Configuration

Establish Dynamic NAT, POOL & ACLss on Inside Interfaces.

ciscoasa

(config)# nat (inside) 1 0 0

ciscoasa

(config)# global (outside) 1 20.0.0.51-20.0.0.60

ciscoasa

(config)# show running-config global

ciscoasa

(12)

DYNAMIC PORT ADDRESS TRANSLATION

Configuration

Establish Dynamic PAT, POOL & ACLs

ciscoasa

(config)# global (outside) 1 20.0.0.51

OR

Establish Dynamic PAT by assigning Outside Interface IP Address to POOL

ciscoasa

(config)# global (outside) 1 interface

ciscoasa

(13)

ciscoasa

(config)# show access-list 1

(14)

STATIC PAT

Configuration

Establish Port Redirection & ACLs

ciscoasa

(config)# static (inside,outside) tcp 20.0.0.50 http 10.0.0.1 80

Verify results by browsing 20.0.0.50 from outside machine.

(Outside Machine will successfully access local Web Server)

ciscoasa

(15)

POLICY NAT

Configuration

Apply ACLs & NAT POLICY

ciscoasa

(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 host

20.0.0.1

ciscoasa

(config)# access-list 102 permit ip 10.0.0.0 255.0.0.0 host

20.0.0.2

ciscoasa

(config)# nat (inside) 1 access-list 101

ciscoasa

(config)# global (outside) 1 20.0.0.51

ciscoasa

(config)# nat (inside) 2 access-list 102

(16)

ciscoasa

(17)

NAT CONTROL

AND

NAT 0

Configuration

Enable Nat control.

ciscoasa

(config)# nat-control

Apply NAT 0 Policy for ATIF.

ciscoasa

(config)# nat (inside) 0 10.0.0.2 255.255.255.255

ciscoasa

IP Address 10.0.0.1

IP Address 20.0.0.2

ATIF using NAT0 policy 10.0.0.2→10.0.0.2 IP Address 20.0.0.1 IP Address 10.0.0.2

ALI requires a NAT rule

IP Address

10.0.0.10 IP Address _20.0.0.10

(18)

Lab # 3

FILTERING ACTIVEX OBJECTS

AND

JAVA APPLETS

Configuration

Apply Filters.

ciscoasa

(config)# filter java 80 0 0 0 0

ciscoasa

(config)# filter activex 80 0 0 0 0

Verify results by browsing outside machine from any inside machine.

(19)

Lab # 4

TRANSPARENT FIREWALL

Configuration

Assigning Speed & no Shut Inside & Outside Interfaces.

ciscoasa

(config)# firewall transparent

ciscoasa

(config)# interface ethernet 0/0

ciscoasa (config-if)# no shutdown ciscoasa (config-if)# speed auto ciscoasa (config-if)# nameif outside

ciscoasa

(config)# interface ethernet 0/1

ciscoasa (config-if)# no shutdown ciscoasa (config-if)# speed auto ciscoasa (config-if)# nameif inside

IP Address 10.0.0.1 IP Address 10.0.0.2 IP Address 10.0.0.3

(20)

ciscoasa

(config)# access-group 1 in interface outside

ciscoasa

(config)# ip address 10.0.0.10 255.255.255.0

Verify results by IOS commands.

ciscoasa

(config)# show firewall

(21)

Lab # 5

SYSLOG SERVER

Configuration:

ciscoasa(config)# logging on

ciscoasa(config)# logging host inside 10.0.0.2 ciscoasa(config)# logging trap 7

ciscoasa(config)# show logging IP Address 10.0.0.1 IP Address 20.0.0.2 IP Address 20.0.0.1 SYSLOG IP Address 10.0.0.2 IP Address 10.0.0.10 IP Address _20.0.0.10 E1 EO

(22)

Lab # 6

Cut through proxy through LOCAL database

& AAA server

Configuration

Cut through Proxy through Local database

ciscoasa(config)# username admin password admin

ciscoasa(config)# aaa authentication include any inside 0 0 0 0 LOCAL

Cut through Proxy with AAA server

ciscoasa(config)# aaa-server esp protocol tacacs+

ciscoasa(config-aaa-server-group)# aaa-server esp host 10.0.0.1 cisco123 ciscoasa(config)# aaa authentication include any inside 0 0 0 0 esp

IP Address 10.0.0.2 IP Address 20.0.0.2 IP Address 20.0.0.1 IP Address 10.0.0.3 IP Address 10.0.0.10 IP Address _20.0.0.10 E1 EO AAA SERVER IP Address 10.0.0.1

(23)

(24)

User accounts on AAA

ciscoasa(config)# show uauth ciscoasa(config)# clear uauth

(25)

Lab # 7

Downloadable Acl

Cisco Secure ACS allows to create downloadable ACLs. By this various ACLs can be formed for different users. Downloadable ACL will be activated only when the particular user sign in.

Step 1:Configure AAA server using Radius Protocol. ciscoasa(config)# aaa-server esp protocol radius

ciscoasa(config-aaa-server-group)# aaa-server esp host 10.0.0.4 cisco ciscoasa(config-aaa-server-host)# aaa authentication include any inside 0 0 0 0 esp IP Address 10.0.0.2 IP Address 20.0.0.2 ATIF IP Address 20.0.0.1 IP Address 10.0.0.3 ALI IP Address 10.0.0.10 IP Address _20.0.0.10 E1 EO AAA SERVER IP Address 10.0.0.1

(26)

Configuration on ACS server

Step 2:Form Downloadable ACL through Shared profile Components (if Downloadable option is not available then click on Interface Configuration. )

(27)

(28)

(29)

Step 3: Add User “Ali” and apply Downloadable ACL on users profile.

Step 3: Verify results.

( Atif can successfully browse & ftp outside network) BUT

( Ali can only successfully ftp outside network)

ciscoasa(config)# show uauth ciscoasa(config)# clear uauth ciscoasa(config)# show conn

(30)

Lab # 8

TCP Intercept Maximum Connection

Configuration:

ciscoasa(config)# static (inside,outside) 20.0.0.50 10.0.0.1 1 0 ciscoasa(config)# access-list 1 permit ip any any

ciscoasa(config)# access-group 1 in interface outside

ciscoasa(config)# show running-config static ciscoasa(config)# show local-host

ciscoasa(config)# show xlate ciscoasa(config)# show conn

IP Address 10.0.0.1 IP Address 20.0.0.2 IP Address 20.0.0.1 FTP & WEB SERVER IP Address 10.0.0.2 IP Address 10.0.0.10 IP Address _20.0.0.10 E1 EO

(31)

Lab # 9

Object Grouping

Configuration:

Create network object

ciscoasa(config)# object-group network esp

ciscoasa(config-network)# network-object host 20.0.0.1 ciscoasa(config-network)# network-object host 20.0.0.2 ciscoasa(config-network)# network-object host 20.0.0.3 ciscoasa(config-network)# exi

Create service object

ciscoasa(config)# object-group service httpftp tcp ciscoasa(config-service)# port-object eq 80 ciscoasa(config-service)# port-object eq 21 ciscoasa(config-service)# exi IP Address 10.0.0.1 IP Address 20.0.0.2 IP Address 20.0.0.1 FTP & WEB SERVER IP Address 10.0.0.2 IP Address 10.0.0.10 IP Address _20.0.0.10 E1 EO

(32)

Calling object in ACL

ciscoasa(config)# access-list 101 extended permit tcp object-group esp host 10.0.0.1 object-group httpftp

ciscoasa(config)# access-group 101 in interface outside

Time-based Acl

Configuration:

ciscoasa(config)#time-range test

ciscoasa(config-time-range)#periodic daily 15:00 to 15:30 ciscoasa(config-time-range)#exit

ciscoasa(config)# access-list 101 permit ip any any time-range test ciscoasa(config)#access-group 101 in interface outside

Verifying commands

ciscoasa(config)# show access-list

(33)

Lab # 10

Routing

Configuration :

ciscoasa(config)# interface ethernet 0/0 ciscoasa(config-if)# ip address 15.0.0.1 ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# nameif outside ciscoasa(config-if)# security-level 0 ciscoasa(config)# interface ethernet 0/1 ciscoasa(config-if)# ip address 10.0.0.10 ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# speed auto

R2 IP Address 15.0.0.2 Fa0/0 IP Address 15.0.0.1 E0 IP Address 10.0.0.10 Ethernet 1 Host A IP Address 10.0.0.1 FTP Server Host B IP Address 10.0.0.2 WEB Server IP Address 20.0.0.1 IP Address 20.0.0.10 Fa0/1 IP Address 20.0.0.2

(34)

ciscoasa(config-if)# nameif inside ciscoasa(config-if)# security-level 100 • Static Routing • Dynamic Routing • RIP • OSPF • EIGRP

Static Routes Commands on Asa

ciscoasa(config)#route outside 20.0.0.0 255.0.0.0 15.0.0.2

Rip Commands on Asa

ciscoasa(config)#router rip

ciscoasa(config-router)#network 15.0.0.0 ciscoasa(config-router)#network 10.0.0.0

Ospf Commands on Asa

ciscoasa(config)#router ospf 64

ciscoasa(config-router)#network 15.0.0.0 255.0.0.0 area 0 ciscoasa(config-router)#network 10.0.0.0 255.0.0.0 area 0

Eigrp Commands on Asa

ciscoasa(config)#router eigrp 10 ciscoasa(config-router)#network 15.0.0.0 ciscoasa(config-router)#network 10.0.0.0 ciscoasa(config-router)#exit Verifying Commands ciscoasa(config)#sh route

ciscoasa(config)#sh rip database ciscoasa(config)#sh ospf interface ciscoasa(config)#sh ospf neighbor ciscoasa(config)# sh eigrp interfaces ciscoasa(config)# sh eigrp neighbors

(35)

Lab # 11

DYNAMIC HOST CONFIGURATION PROTOCOL

ASA Firewall has features that let it be Configured as a

• DHCP SERVER

• DHCP CLIENT

• DHCP SERVER

Configuration

Create POOL for Inside Hosts.

ciscoasa(config)# dhcpd address 10.0.0.51-10.0.0.61 inside

Enable DHCP on the ASA Firewall.

(36)

ciscoasa(config)# show dhcpd binding ciscoasa(config)# show dhcpd state ciscoasa(config)# clear dhcpd bindings ciscoasa(config)# debug dhcpd events ciscoasa(config)# debug dhcpd packet

DHCP CLIENT

Configuration

Step 1: Enable DHCP Client.

ciscoasa(config)#int e0/0

(37)

Step 2: Define new scope for IP addresses range.

Step 3: Verify Configuration by using following commands.

ciscoasa(config)#debug dhcpd events ciscoasa(config)#debug dhcpd packet

(38)

Lab # 12

Demilitarized Zone

Configuration

Step 1:Assign IPs and Define Security Levels.

ciscoasa(config-if)# speed auto ciscoasa(config-if)# nameif outside ciscoasa(config)# interface ethernet 0/1 ciscoasa(config-if)# ip address 10.0.0.10 ciscoasa(config-if)# no shutdown

ciscoasa(config-if)# speed auto ciscoasa(config-if)# nameif inside

(39)

ciscoasa(config-if)# speed auto ciscoasa(config-if)# nameif dmz

Apply PAT for inside Users & Static Nat for server on DMZ Interface.

ciscoasa(config)# nat (inside) 1 0 0

ciscoasa(config)# global (outside) 1 interface

ciscoasa(config)# static (dmz,outside) 40.0.0.51 30.0.0.1 ciscoasa(config)# static (dmz,outside) 40.0.0.52 30.0.0.2

Establish ACL to allow traffic from lower security level to servers.

ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.51 eq www ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.52 eq ftp ciscoasa(config)# access-group 1 in interface outside

Verifying Commands

ciscoasa(config)#sh run access-list ciscoasa(config)#sh run interface

(40)

Lab # 13

INTER-VLAN ROUTING WITH ASA

Configuration

ciscoasa(config)#Interface Ethernet0/2 ciscoasa(config-if)#no shut ciscoasa(config-if)#no ip add ciscoasa(config-if)#exit Vlan 30 Vlan 40 FTP Server 40.0.0.1/8 40.0.0.10 WEB Server 30.0.0.1/8 30.0.0.10 2950 Fa 0/4 Fa 0/3 E 0 / 2.30 30.0.0.10 / 8 E 0 / 2.40 40.0.0.10 / 8 Fa 0/24 Security-level 30 Security-level 40 IP Address 10.0.0.10 Ethernet 0/1 IP Address 20.0.0.10 Ethernet 0/0 IP Address 20.0.0.1 IP Address 10.0.0.1

(41)

ciscoasa(config)#Interface Ethernet0/2.30 ciscoasa(config-if)#vlan 30 ciscoasa(config-if)#no shutdown ciscoasa(config-if)#nameif www ciscoasa(config-if)#security-level 30 ciscoasa(config-if)#ip address 30.0.0.10 255.0.0.0 ciscoasa(config)#Interface Ethernet0/2.40 ciscoasa(config-if)#vlan 40 ciscoasa(config-if)#no shutdown ciscoasa(config-if)#nameif ftp ciscoasa(config-if)#security-level 40 ciscoasa(config-if)#ip address 40.0.0.10 255.0.0.0

After Configuration inside(100) users access ftp(40) and web(30) service now if u want to allow outside users to access ftp and web service make an access-list to allow them

ciscoasa(config)# access-list 101 permit tcp any host 30.0.0.1 eq ftp ciscoasa(config)#access-group 101 in interface outside

Switch configuration

Switch(config)#vlan 30 Switch(config-vlan)#name www Switch(config)#vlan 40 Switch(config-vlan)#name ftp Switch(config)#interface fa0/3

Switch(config-if)#switchport mode access Switch(config-if)#switchport access vlan 30 Switch(config)#interface fa0/4

Switch(config-if)#switchport mode access Switch(config-if)#switchport access vlan 40 Switch(config)#interface fa0/24

Switch(config-if)#switchport mode trunk

Verifying Commands

ciscoasa(config)#sh run access-list ciscoasa(config)#sh run interface

(42)

Lab # 14

MODULAR POLICY FRAMEWORK

Configuration

Step 1:Define Class Name.

ASA(config)# class-map http

ASA(config-cmap)# match port tcp eq 80

Step 2:Define Classes to the Policy Map

ASA(config)# policy-map esp ASA(config-pmap)# class-map http

ASA(config-pmap-c)# priority-queue inside ASA(config)# service-policy esp interface inside

Step 3:Verify Results by IOS commands.

(43)

Lab # 15

SITE TO SITE VPN

Configuration

Site-to-Site Vpn Configuration on Asa

ciscoasa(config)#crypto isakmp enable outside

ciscoasa(config-isakmp-policy)#crypto isakmp policy 10 ciscoasa(config)# authen pre-share

ciscoasa(config)# hash md5 ciscoasa(config)# encrypt des ciscoasa(config)# group 2

ciscoasa(config)# tunnel-group 15.0.0.2 type ipsec-l2l ciscoasa(config)# tunnel-group 15.0.0.2 ipsec-attributes ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco123

WAN RmtRouter IP Address 15.0.0.2 Fa0/0 IP Address 15.0.0.1 E0 IP Address 10.0.0.10 Ethernet 1 Host A IP Address 10.0.0.1 FTP Server Host B IP Address 10.0.0.2 WEB Server IP Address 20.0.0.1 IP Address 20.0.0.10 Fa0/1 IP Address 20.0.0.2 Rmt Users

(44)

ciscoasa(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0

ciscoasa(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac ciscoasa(config)# crypto map outside_map 1 set peer 15.0.0.2

ciscoasa(config)# crypto map outside_map 1 set transform-set aset ciscoasa(config)#crypto map outside_map 1 match address 101 ciscoasa(config)# crypto map outside_map interface outside

(45)

(46)

(47)

(48)

(49)

CLIENT LESS WEB VPN

Unlike a standard IPSec VPN which requires specific client software, Web VPN is a clientless Remote-Access VPN that uses a web browser to access a Corporate Network.

Configuration

SSL VPN Wizard WAN IP Address 20.0.0.10 E0 IP Address 10.0.0.10 Ethernet 1 Host A IP Address 10.0.0.1 IP Address 20.0.0.1 With no Vpn client

Local web Server IP Address 10.0.0.2

Local FTP Server IP Address 10.0.0.3

IP Address 20.0.0.5 With no Vpn client

(50)

(51)

(52)

(53)

(54)

(55)

Verify results by accessing Corporate Network. Type username and password .

(56)

Step 3(A): Verify results by IOS commands. ciscoasa# show running-config webvpn

(57)

REMOTE-ACCESS VPN

Access VPN provides secure communication with remote users who are working from home and connect through modem or mobile but they should have client Hardware & client Software running on there computers.

Configuration

IPsec(Remote-access) VPN Wizard WAN IP Address 20.0.0.10 E0 IP Address 10.0.0.10 Ethernet 1 Host A IP Address 10.0.0.1 IP Address 20.0.0.1 With Vpn client

Local web Server IP Address 10.0.0.2

Local FTP Server IP Address 10.0.0.3

IP Address 20.0.0.5 With Vpn client

(58)

(59)

(60)

(61)

(62)