SNAF
Securing Networks with ASA
Fundamentals
Lab Manual
Developed by
M. Irfan Ghauri
M. Tanzeel Nasir
C-32/1 Block-5 Gulshan-e-Iqbal, Karachi
ESP Press
Ph #021-6034003 Copyrights 2011
LAB NO.  LABS DESCRIPTION                                                        PAGE
1        ASA Basic & Accessing ASA through Telnet/SSH/HTTP                       3
2        Network Address Translation: Nat Control, Static NAT, Dynamic NAT, PAT,
         Static PAT, Policy NAT, NAT 0                                           8
3        Filtering ActiveX Objects and Java Applets                              17
4        Transparent Firewall                                                    18
5        Syslog Server                                                           20
6        Cut-through Proxy through LOCAL Database & AAA Server                   21
7        Downloadable ACL                                                        24
8        TCP Intercept / Max Connection                                          29
9        Object Grouping and Time-based ACL                                      30
10       Routing: a. Static Routing, b. Dynamic Routing
11       Dynamic Host Configuration Protocol                                     34
12       Demilitarized Zone                                                      37
13       Inter-VLAN Routing with ASA                                             39
14       Modular Policy Framework                                                41
15       Virtual Private Network: Site-to-Site VPN, Web VPN, Remote Access VPN
Lab # 1
ASA Basic
Configuration
How to verify Version
ciscoasa(config)# sh version
How to Set Hostname
ciscoasa(config)# hostname ESP
How to Set Time & Date
ciscoasa# clock set 03:40:50 29 december 2010
How to Set Desired Banners
ciscoasa(config)# banner exec "you are off"
How to Configure a particular Interface
ciscoasa(config)# interface ethernet 0/0
• Assign IP
ciscoasa(config-if)# ip address 20.0.0.10
• Bring the interface up
ciscoasa(config-if)# no shutdown
• Set Speed
ciscoasa(config-if)# speed auto
• Give Label
ciscoasa(config-if)# nameif outside
• Mention Security Level
ciscoasa(config-if)# security-level 0
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
How to check Particular Interface information
ciscoasa# sh interface ethernet 0/0
ciscoasa# sh interface ethernet 0/1
How to check the applied IP Addresses on the Device
ciscoasa# sh ip addresses
How to check interface Labels & Security Levels
ciscoasa# sh nameif
How to check Interfaces summary
ciscoasa(config)# sh interface ip brief
How to Save Configuration
ciscoasa(config)# copy running-config start
How to check state table
ciscoasa(config)# sh conn
How to check memory status
ciscoasa# sh memory
How to restrict access on Privilege mode
ciscoasa(config)# enable password cisco
How to check running configuration
ciscoasa(config)# sh run
How to check History of CLI
Accessing ASA through Telnet/HTTP/SSH
Configuration
Assigning Speed & IP Address on Inside & Outside Interfaces.
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
How to Telnet Adaptive Security Appliance
ciscoasa(config)# telnet 10.0.0.4 255.255.255.255 inside
ciscoasa(config)# passwd cisco
ciscoasa(config)# enable password cisco
(Telnet is only allowed from the inside interface.)
How to HTTP Adaptive Security Appliance
ciscoasa(config)# http server enable
ciscoasa(config)# http 10.0.0.1 255.255.255.255 inside
How to SSH Adaptive Security Appliance
ciscoasa(config)# crypto key generate rsa modulus 1024
ciscoasa(config)# ssh 10.0.0.1 255.255.255.255 inside
ciscoasa(config)# ssh 20.0.0.4 255.255.255.255 outside
Authentication With local database
ciscoasa(config)# username tanzeel password cisco123
ciscoasa(config)# aaa authentication ssh console LOCAL
At Machine 10.0.0.1:
Verification Commands:
ciscoasa(config)# show ssh
ciscoasa(config)# show ssh session
ciscoasa(config)# ssh disconnect session_id
ciscoasa(config)# show crypto key mypubkey rsa
Lab # 2
NETWORK ADDRESS TRANSLATION
Network Address Translation allows private addresses to be translated into public addresses.
• Nat Control • Static NAT • Dynamic NAT • PAT • STATIC PAT • POLICY NAT • NAT 0
Configuration
Assigning Speed & IP Address on Inside & Outside Interfaces.
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
ciscoasa(config)# nat-control
ciscoasa(config)# access-list 1 permit ip any any
STATIC NETWORK ADDRESS TRANSLATION
Configuration
Establish Static NAT & ACLs.
ciscoasa(config)# static (inside,outside) 20.0.0.51 10.0.0.1
ciscoasa(config)# static (inside,outside) 20.0.0.52 10.0.0.2
Verify Configuration by using following commands.
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
DYNAMIC NETWORK ADDRESS TRANSLATION
Configuration
Establish Dynamic NAT, POOL & ACLs on Inside Interfaces.
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 20.0.0.51-20.0.0.60
Verify Configuration by using following commands.
ciscoasa(config)# show running-config global
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
DYNAMIC PORT ADDRESS TRANSLATION
Configuration
Establish Dynamic PAT, POOL & ACLs
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 20.0.0.51
OR
Establish Dynamic PAT by assigning Outside Interface IP Address to POOL
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# access-list 1 permit ip any any
Verify Configuration by using following commands.
ciscoasa(config)# show running-config global
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
ciscoasa(config)# show access-list 1
STATIC PAT
Configuration
Establish Port Redirection & ACLs
ciscoasa(config)# static (inside,outside) tcp 20.0.0.50 http 10.0.0.1 80
Verify results by browsing 20.0.0.50 from the outside machine.
(The outside machine will successfully access the local Web Server.)
Verify Configuration by using following commands.
ciscoasa(config)# show running-config nat
POLICY NAT
Configuration
Apply ACLs & NAT POLICY
ciscoasa(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 host 20.0.0.1
ciscoasa(config)# access-list 102 permit ip 10.0.0.0 255.0.0.0 host 20.0.0.2
ciscoasa(config)# nat (inside) 1 access-list 101
ciscoasa(config)# global (outside) 1 20.0.0.51
ciscoasa(config)# nat (inside) 2 access-list 102
Verify Configuration by using following commands.
ciscoasa(config)# show running-config nat
ciscoasa(config)# show xlate
NAT CONTROL AND NAT 0
Configuration
Enable Nat control.
ciscoasa(config)# nat-control
Apply NAT 0 Policy for ATIF.
ciscoasa(config)# nat (inside) 0 10.0.0.2 255.255.255.255
Verify Configuration by using following commands.
ciscoasa(config)# show xlate
ciscoasa(config)# show running-config global
Topology: inside hosts 10.0.0.1 and 10.0.0.2 (ATIF, using the NAT 0 policy 10.0.0.2→10.0.0.2; ALI requires a NAT rule); ASA inside 10.0.0.10, outside 20.0.0.10; outside hosts 20.0.0.1 and 20.0.0.2.
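To make the interaction between the rules in this lab concrete, here is an added Python model (it is not from the lab manual and not ASA code) of how a pre-8.3 ASA chooses a translation for a host leaving the inside interface: static entries first, then the nat 0 identity entry, then the numbered dynamic rule, whose global pool is used up before the PAT global for the same id takes over. It also shows what nat-control changes for a host that matches no rule. The addresses are the lab's; the class and function names are my own, and the lookup order is a simplification that ignores ACL-based policy NAT and per-connection state.

```python
import ipaddress
from itertools import count


class AsaNat:
    """Toy model of pre-8.3 ASA NAT for traffic leaving the inside interface.

    Lookup order (a simplification of the ASA's documented order):
      1. static (inside,outside) entries
      2. nat (inside) 0 <host> identity entries (address left unchanged)
      3. nat (inside) <id> <net> dynamic rules: the global pool for that id is
         drained first, then the PAT global for the same id takes over
    With nat-control enabled, a host that matches no rule is dropped; with it
    disabled, the host leaves untranslated.
    """

    def __init__(self, nat_control=False):
        self.nat_control = nat_control
        self.statics = {}      # inside host -> global host
        self.identity = set()  # hosts named in "nat (inside) 0"
        self.dynamic = []      # (nat id, network) in configuration order
        self.pools = {}        # nat id -> free pool addresses
        self.pat = {}          # nat id -> (global address, port counter)
        self.xlate = {}        # translations already built (like "show xlate")

    def static(self, global_ip, inside_ip):
        self.statics[inside_ip] = global_ip

    def nat0(self, inside_ip):
        self.identity.add(inside_ip)

    def nat(self, nat_id, network):
        self.dynamic.append((nat_id, ipaddress.ip_network(network)))

    def global_pool(self, nat_id, first, last):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.pools[nat_id] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

    def global_pat(self, nat_id, address):
        # Simplification: ports are handed out from a counter; the real ASA
        # picks a free port from the same range as the original source port.
        self.pat[nat_id] = (address, count(1024))

    def translate(self, inside_ip):
        """Return (global_ip, port) for a new flow, or None if nat-control drops it."""
        if inside_ip in self.xlate:
            return self.xlate[inside_ip]
        if inside_ip in self.statics:
            result = (self.statics[inside_ip], None)
        elif inside_ip in self.identity:
            result = (inside_ip, None)
        else:
            result = self._dynamic(inside_ip)
        if result is None:
            return None if self.nat_control else (inside_ip, None)
        self.xlate[inside_ip] = result
        return result

    def _dynamic(self, inside_ip):
        addr = ipaddress.ip_address(inside_ip)
        for nat_id, network in self.dynamic:
            if addr not in network:
                continue
            if self.pools.get(nat_id):
                return (self.pools[nat_id].pop(0), None)
            if nat_id in self.pat:
                global_ip, ports = self.pat[nat_id]
                return (global_ip, next(ports))
        return None


def lab_demo():
    """This lab's rules combined on one ASA (addresses constructed from the lab)."""
    asa = AsaNat(nat_control=True)
    asa.static("20.0.0.51", "10.0.0.1")           # static (inside,outside) 20.0.0.51 10.0.0.1
    asa.nat0("10.0.0.2")                          # nat (inside) 0 10.0.0.2 255.255.255.255
    asa.nat(1, "0.0.0.0/0")                       # nat (inside) 1 0 0
    asa.global_pool(1, "20.0.0.52", "20.0.0.53")  # global (outside) 1 20.0.0.52-20.0.0.53
    asa.global_pat(1, "20.0.0.10")                # global (outside) 1 interface
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"]
    return [asa.translate(h) for h in hosts]


def nat_control_demo():
    """Same static rule, with and without nat-control, for a host no rule covers."""
    strict, relaxed = AsaNat(nat_control=True), AsaNat(nat_control=False)
    for asa in (strict, relaxed):
        asa.static("20.0.0.51", "10.0.0.1")
    return strict.translate("10.0.0.9"), relaxed.translate("10.0.0.9")


if __name__ == "__main__":
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"]
    for host, result in zip(hosts, lab_demo()):
        print(host, "->", result)
    print("nat-control on/off for 10.0.0.9:", nat_control_demo())
```

Running it shows the web server keeping its static address, ATIF leaving untranslated, the next two hosts taking the two pool addresses, and later hosts sharing the interface address with distinct ports; with nat-control on, a host covered by no rule gets no translation and is dropped, which is the "ALI requires a NAT rule" situation in the diagram.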
Lab # 3
FILTERING ACTIVEX OBJECTS
AND
JAVA APPLETS
Configuration
Apply Filters.
ciscoasa(config)# filter java 80 0 0 0 0
ciscoasa(config)# filter activex 80 0 0 0 0
Verify results by browsing an outside machine from any inside machine.
Lab # 4
TRANSPARENT FIREWALL
Configuration
Assigning Speed & no Shut Inside & Outside Interfaces.
ciscoasa(config)# firewall transparent
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
Topology: hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 on either side of the transparent ASA (management IP 10.0.0.10).
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside
ciscoasa(config)# ip address 10.0.0.10 255.255.255.0
Verify results by IOS commands.
ciscoasa(config)# show firewall
Lab # 5
SYSLOG SERVER
Configuration:
ciscoasa(config)# logging on
ciscoasa(config)# logging host inside 10.0.0.2
ciscoasa(config)# logging trap 7
Verification Commands:
ciscoasa(config)# show logging
Topology: inside host 10.0.0.1 and the SYSLOG server 10.0.0.2 behind the ASA inside interface E1 (10.0.0.10); outside interface E0 (20.0.0.10) with hosts 20.0.0.1 and 20.0.0.2.
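What the syslog host at 10.0.0.2 does with the messages is the other half of this lab. The following Python script is an added example, not part of the manual: it parses ASA-format messages (%ASA-severity-msgid: text), shows which of them the `logging trap` level actually forwards, and runs one simple review check over the 106023 ACL-deny messages (sources denied on several different ports). The log lines are constructed for the example in the ASA message format; the function names are my own.

```python
import re

# ASA syslog severity levels. "logging trap 7" forwards every message up to
# and including level 7 to the syslog host; "logging trap 6" would drop the
# debugging-level ones.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample of what the syslog host 10.0.0.2 could receive from the lab ASA.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 11 for outside:20.0.0.1/80 (20.0.0.1/80) to inside:10.0.0.1/49152 (20.0.0.51/49152)
%ASA-4-106023: Deny tcp src outside:20.0.0.2/40001 dst inside:10.0.0.1/23 by access-group "1" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:20.0.0.2/40002 dst inside:10.0.0.1/22 by access-group "1" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:20.0.0.2/40003 dst inside:10.0.0.1/445 by access-group "1" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:20.0.0.1/5353 dst inside:10.0.0.2/5353 by access-group "1" [0x0, 0x0]
%ASA-5-111008: User 'enable_15' executed the 'logging trap 7' command.
%ASA-7-111009: User 'enable_15' executed cmd: show logging
"""

HEADER = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")
DENY = re.compile(r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
                  r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse(line):
    """Split one ASA message into severity, message id and text; None if not ASA-format."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    return {"severity": int(m["sev"]), "msgid": m["id"], "text": m["text"]}


def parse_log(text):
    return [rec for rec in map(parse, text.splitlines()) if rec]


def delivered_at_trap_level(records, trap_level):
    """Messages the ASA would actually forward under 'logging trap <trap_level>'."""
    return [r for r in records if r["severity"] <= trap_level]


def denied_sources(records, min_distinct_ports):
    """Sources whose ACL denies (106023) touched at least min_distinct_ports ports.

    One deny is noise; one source denied on many different ports in a short
    log window is the kind of entry worth reviewing.
    """
    ports_by_src = {}
    for r in records:
        if r["msgid"] != "106023":
            continue
        m = DENY.search(r["text"])
        if m:
            ports_by_src.setdefault(m["src"], set()).add(int(m["dport"]))
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_distinct_ports}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(len(records), "messages parsed")
    for r in delivered_at_trap_level(records, 4):
        print(SEVERITY[r["severity"]], r["msgid"], r["text"][:60])
    print("sources to review:", denied_sources(records, 2))
```

Note that the connection-built message (302013) is level 6 and the ACL denies (106023) are level 4, so a trap level of 6 keeps both while cutting the level-7 command-execution chatter; level 7 as configured in this lab sends everything and is useful for the lab but noisy for a production syslog host.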
Lab # 6
Cut through proxy through LOCAL database
& AAA server
Configuration
Cut through Proxy through Local database
ciscoasa(config)# username admin password admin
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 LOCAL
Cut through Proxy with AAA server
ciscoasa(config)# aaa-server esp protocol tacacs+
ciscoasa(config-aaa-server-group)# aaa-server esp host 10.0.0.1 cisco123
ciscoasa(config)# aaa authentication include any inside 0 0 0 0 esp
Topology: inside hosts 10.0.0.2 and 10.0.0.3 and the AAA SERVER 10.0.0.1 (user accounts on AAA) behind the ASA inside interface E1 (10.0.0.10); outside interface E0 (20.0.0.10) with hosts 20.0.0.1 and 20.0.0.2.
Verification Commands:
ciscoasa(config)# show uauth
ciscoasa(config)# clear uauth
Lab # 7
Downloadable Acl
Cisco Secure ACS allows downloadable ACLs to be created, so that different ACLs can be defined for different users. A downloadable ACL is activated only when the particular user signs in.
Step 1: Configure AAA server using Radius Protocol.
ciscoasa(config)# aaa-server esp protocol radius
ciscoasa(config-aaa-server-group)# aaa-server esp host 10.0.0.4 cisco
ciscoasa(config-aaa-server-host)# aaa authentication include any inside 0 0 0 0 esp
Topology: inside hosts ATIF 10.0.0.2 and ALI 10.0.0.3 and the AAA SERVER 10.0.0.1 behind the ASA inside interface E1 (10.0.0.10); outside interface E0 (20.0.0.10) with hosts 20.0.0.1 and 20.0.0.2.
Configuration on ACS server
Step 2: Form Downloadable ACL through Shared Profile Components (if the Downloadable option is not available, click on Interface Configuration).
Step 3: Add User "Ali" and apply Downloadable ACL on the user's profile.
Step 4: Verify results.
(Atif can successfully browse & ftp the outside network) BUT
(Ali can only successfully ftp the outside network)
Verification Commands:
ciscoasa(config)# show uauth
ciscoasa(config)# clear uauth
ciscoasa(config)# show conn
Lab # 8
TCP Intercept Maximum Connection
Configuration:
ciscoasa(config)# static (inside,outside) 20.0.0.50 10.0.0.1 1 0
ciscoasa(config)# access-list 1 permit ip any any
ciscoasa(config)# access-group 1 in interface outside
Verification Commands:
ciscoasa(config)# show running-config static
ciscoasa(config)# show local-host
ciscoasa(config)# show xlate
ciscoasa(config)# show conn
Topology: inside hosts 10.0.0.1 (FTP & WEB SERVER) and 10.0.0.2 behind the ASA inside interface E1 (10.0.0.10); outside interface E0 (20.0.0.10) with hosts 20.0.0.1 and 20.0.0.2.
Lab # 9
Object Grouping
Configuration:
Create network object
ciscoasa(config)# object-group network esp
ciscoasa(config-network)# network-object host 20.0.0.1
ciscoasa(config-network)# network-object host 20.0.0.2
ciscoasa(config-network)# network-object host 20.0.0.3
ciscoasa(config-network)# exit
Create service object
ciscoasa(config)# object-group service httpftp tcp
ciscoasa(config-service)# port-object eq 80
ciscoasa(config-service)# port-object eq 21
ciscoasa(config-service)# exit
Topology: inside hosts 10.0.0.1 (FTP & WEB SERVER) and 10.0.0.2 behind the ASA inside interface E1 (10.0.0.10); outside interface E0 (20.0.0.10) with hosts 20.0.0.1 and 20.0.0.2.
Calling object in ACL
ciscoasa(config)# access-list 101 extended permit tcp object-group esp host 10.0.0.1 object-group httpftp
ciscoasa(config)# access-group 101 in interface outside
Time-based Acl
Configuration:
ciscoasa(config)# time-range test
ciscoasa(config-time-range)# periodic daily 15:00 to 15:30
ciscoasa(config-time-range)# exit
ciscoasa(config)# access-list 101 permit ip any any time-range test
ciscoasa(config)# access-group 101 in interface outside
Verifying commands
ciscoasa(config)# show access-list
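The two halves of this lab combine naturally: an object-group ACE is expanded by the ASA into one entry per network-object and port-object pair (which is what `show access-list` displays), and a time-range attached to an entry makes that entry inactive outside its window, so matching traffic falls through to the implicit deny. The following Python model is an added example, not part of the manual; it reproduces both behaviours for the lab's esp and httpftp groups and the test time-range. The ACE in lab_acl() attaches the time-range to the object-group ACE (the manual configures them separately), and the class and function names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One expanded entry: permit tcp <src host> -> <dst host> on <dport>."""
    src: str
    dst: str
    dport: int
    time_range: Optional[str] = None


# Constructed copies of the lab's objects and time-range.
NETWORK_GROUPS = {"esp": ["20.0.0.1", "20.0.0.2", "20.0.0.3"]}   # object-group network esp
SERVICE_GROUPS = {"httpftp": [80, 21]}                           # object-group service httpftp tcp
TIME_RANGES = {"test": [("daily", time(15, 0), time(15, 30))]}   # periodic daily 15:00 to 15:30


def expand_ace(src_group, dst_host, svc_group, time_range=None):
    """What 'show access-list' shows: one entry per network-object x port-object pair."""
    return [Ace(src, dst_host, port, time_range)
            for src in NETWORK_GROUPS[src_group]
            for port in SERVICE_GROUPS[svc_group]]


def time_range_active(name, now):
    """True when any 'periodic daily' entry of the time-range covers `now`."""
    for kind, start, end in TIME_RANGES[name]:
        if kind == "daily" and start <= now.time() <= end:
            return True
    return False


def acl_permits(aces, src, dst, dport, now):
    """First-match evaluation; an entry outside its time-range is skipped as inactive."""
    for ace in aces:
        if ace.time_range and not time_range_active(ace.time_range, now):
            continue
        if ace.src == src and ace.dst == dst and ace.dport == dport:
            return True
    return False   # implicit deny at the end of every ASA access-list


def lab_acl():
    """access-list 101 extended permit tcp object-group esp host 10.0.0.1 object-group httpftp time-range test"""
    return expand_ace("esp", "10.0.0.1", "httpftp", time_range="test")


if __name__ == "__main__":
    acl = lab_acl()
    print(len(acl), "expanded entries")
    in_window = datetime(2011, 1, 1, 15, 10)
    after = datetime(2011, 1, 1, 16, 0)
    print(acl_permits(acl, "20.0.0.1", "10.0.0.1", 80, in_window))   # permitted
    print(acl_permits(acl, "20.0.0.1", "10.0.0.1", 80, after))       # time-range inactive: denied
    print(acl_permits(acl, "20.0.0.4", "10.0.0.1", 21, in_window))   # host not in esp: denied
```

The model also makes the review point visible: the three hosts times two ports give six entries, so a small change to either object-group changes every expanded line, and the hit counts in `show access-list` are per expanded entry rather than per configured ACE.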
Lab # 10
Routing
Configuration :
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 15.0.0.1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
Topology: ASA E0 15.0.0.1 (outside) to R2 Fa0/0 15.0.0.2; R2 Fa0/1 20.0.0.2 to the 20.0.0.0 network (hosts 20.0.0.1, 20.0.0.10); ASA Ethernet 1 10.0.0.10 (inside) to Host A 10.0.0.1 (FTP Server) and Host B 10.0.0.2 (WEB Server).
• Static Routing • Dynamic Routing • RIP • OSPF • EIGRP
Static Routes Commands on Asa
ciscoasa(config)# route outside 20.0.0.0 255.0.0.0 15.0.0.2
Rip Commands on Asa
ciscoasa(config)# router rip
ciscoasa(config-router)# network 15.0.0.0
ciscoasa(config-router)# network 10.0.0.0
Ospf Commands on Asa
ciscoasa(config)# router ospf 64
ciscoasa(config-router)# network 15.0.0.0 255.0.0.0 area 0
ciscoasa(config-router)# network 10.0.0.0 255.0.0.0 area 0
Eigrp Commands on Asa
ciscoasa(config)# router eigrp 10
ciscoasa(config-router)# network 15.0.0.0
ciscoasa(config-router)# network 10.0.0.0
ciscoasa(config-router)# exit
Verifying Commands
ciscoasa(config)# sh route
ciscoasa(config)# sh rip database
ciscoasa(config)# sh ospf interface
ciscoasa(config)# sh ospf neighbor
ciscoasa(config)# sh eigrp interfaces
ciscoasa(config)# sh eigrp neighbors
Lab # 11
DYNAMIC HOST CONFIGURATION PROTOCOL
ASA Firewall has features that let it be configured as a
• DHCP SERVER
• DHCP CLIENT
DHCP SERVER
Configuration
Create POOL for Inside Hosts.
ciscoasa(config)# dhcpd address 10.0.0.51-10.0.0.61 inside
Enable DHCP on the ASA Firewall.
Verify Configuration by using following commands.
ciscoasa(config)# show dhcpd binding
ciscoasa(config)# show dhcpd state
ciscoasa(config)# clear dhcpd bindings
ciscoasa(config)# debug dhcpd events
ciscoasa(config)# debug dhcpd packet
DHCP CLIENT
Configuration
Step 1: Enable DHCP Client.
ciscoasa(config)# int e0/0
Step 2: Define new scope for IP addresses range.
Step 3: Verify Configuration by using following commands.
ciscoasa(config)# debug dhcpd events
ciscoasa(config)# debug dhcpd packet
Lab # 12
Demilitarized Zone
Configuration
Step 1: Assign IPs and Define Security Levels.
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 20.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif outside
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# ip address 10.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif inside
ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# ip address 30.0.0.10
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# speed auto
ciscoasa(config-if)# nameif dmz
Apply PAT for inside Users & Static Nat for server on DMZ Interface.
ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# static (dmz,outside) 40.0.0.51 30.0.0.1
ciscoasa(config)# static (dmz,outside) 40.0.0.52 30.0.0.2
Establish ACL to allow traffic from lower security level to servers.
ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.51 eq www
ciscoasa(config)# access-list 101 permit tcp any host 40.0.0.52 eq ftp
ciscoasa(config)# access-group 101 in interface outside
Verifying Commands
ciscoasa(config)# sh run access-list
ciscoasa(config)# sh run interface
Lab # 13
INTER-VLAN ROUTING WITH ASA
Configuration
ciscoasa(config)# interface Ethernet0/2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# no ip address
ciscoasa(config-if)# exit
Topology: ASA Ethernet 0/2 trunks to switch 2950 Fa0/24; subinterface E0/2.30 (30.0.0.10/8, security-level 30) carries Vlan 30 to the WEB Server 30.0.0.1/8 on Fa0/3; subinterface E0/2.40 (40.0.0.10/8, security-level 40) carries Vlan 40 to the FTP Server 40.0.0.1/8 on Fa0/4; Ethernet 0/1 10.0.0.10 (inside, host 10.0.0.1); Ethernet 0/0 20.0.0.10 (outside, host 20.0.0.1).
ciscoasa(config)# interface Ethernet0/2.30
ciscoasa(config-if)# vlan 30
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif www
ciscoasa(config-if)# security-level 30
ciscoasa(config-if)# ip address 30.0.0.10 255.0.0.0
ciscoasa(config)# interface Ethernet0/2.40
ciscoasa(config-if)# vlan 40
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif ftp
ciscoasa(config-if)# security-level 40
ciscoasa(config-if)# ip address 40.0.0.10 255.0.0.0
After this configuration, inside (100) users can access the ftp (40) and web (30) services. To allow outside users to access the ftp and web services, create an access-list to permit them:
ciscoasa(config)# access-list 101 permit tcp any host 30.0.0.1 eq ftp
ciscoasa(config)# access-group 101 in interface outside
Switch configuration
Switch(config)# vlan 30
Switch(config-vlan)# name www
Switch(config)# vlan 40
Switch(config-vlan)# name ftp
Switch(config)# interface fa0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 30
Switch(config)# interface fa0/4
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 40
Switch(config)# interface fa0/24
Switch(config-if)# switchport mode trunk
Verifying Commands
ciscoasa(config)# sh run access-list
ciscoasa(config)# sh run interface
Lab # 14
MODULAR POLICY FRAMEWORK
Configuration
Step 1: Define Class Name.
ASA(config)# class-map http
ASA(config-cmap)# match port tcp eq 80
Step 2: Define Classes to the Policy Map
ASA(config)# policy-map esp
ASA(config-pmap)# class http
ASA(config-pmap-c)# priority
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
ASA(config)# priority-queue inside
ASA(config)# service-policy esp interface inside
Step 3: Verify Results by IOS commands.
Lab # 15
SITE TO SITE VPN
Configuration
Site-to-Site Vpn Configuration on Asa
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authen pre-share
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# encrypt des
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config)# tunnel-group 15.0.0.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 15.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco123
Topology: ASA E0 15.0.0.1 (outside) across the WAN to RmtRouter Fa0/0 15.0.0.2, whose Fa0/1 20.0.0.2 serves the remote users' network 20.0.0.0 (hosts 20.0.0.1, 20.0.0.10); ASA Ethernet 1 10.0.0.10 (inside) to Host A 10.0.0.1 (FTP Server) and Host B 10.0.0.2 (WEB Server).
ciscoasa(config)# access-list 101 permit ip 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0
ciscoasa(config)# crypto ipsec transform-set aset esp-des esp-md5-hmac
ciscoasa(config)# crypto map outside_map 1 set peer 15.0.0.2
ciscoasa(config)# crypto map outside_map 1 set transform-set aset
ciscoasa(config)# crypto map outside_map 1 match address 101
ciscoasa(config)# crypto map outside_map interface outside
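The management-access commands of Lab 1 and the ISAKMP/IPsec settings of this lab are the lines a reviewer checks first in a running-config. The following Python script is an added example, not part of the manual and not an ASA tool: it scans a configuration fragment constructed from those commands (prompts removed, the `authen` and `encrypt` abbreviations expanded to their full keywords, policy sub-commands indented as a running-config shows them) and reports Telnet management access, an SSH host key below 2048 bits, DES/3DES, MD5 and small Diffie-Hellman groups in the ISAKMP policy, weak ESP transforms, and a `passwd` that equals the `enable password`. The finding codes and function names are my own; the hardened fragment beside it uses keywords whose availability depends on the ASA version.

```python
import re

MIN_RSA_BITS = 2048
# IKE policy values a reviewer would flag, keyed by the sub-command that sets them.
WEAK_IKE = {
    "encryption": ({"des", "3des"}, "ike-weak-encryption"),
    "hash": ({"md5"}, "ike-weak-hash"),
    "group": ({"1", "2", "5"}, "ike-weak-dh"),   # MODP groups below 2048 bits
}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed from the Lab 1 and Lab 15 commands: prompts removed, "authen"/"encrypt"
# abbreviations expanded, isakmp policy sub-commands indented as in a running-config.
LAB_CONFIG = """\
telnet 10.0.0.4 255.255.255.255 inside
passwd cisco
enable password cisco
http server enable
http 10.0.0.1 255.255.255.255 inside
crypto key generate rsa modulus 1024
ssh 10.0.0.1 255.255.255.255 inside
ssh 20.0.0.4 255.255.255.255 outside
aaa authentication ssh console LOCAL
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 hash md5
 encryption des
 group 2
crypto ipsec transform-set aset esp-des esp-md5-hmac
"""

# A hardened counterpart (constructed; keyword availability depends on ASA version).
HARDENED_CONFIG = """\
passwd LOGIN-PASSWORD-PLACEHOLDER
enable password ENABLE-PASSWORD-PLACEHOLDER
crypto key generate rsa modulus 2048
ssh 10.0.0.1 255.255.255.255 inside
aaa authentication ssh console LOCAL
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 hash sha
 encryption aes-256
 group 14
crypto ipsec transform-set aset esp-aes-256 esp-sha-hmac
"""


def audit(config):
    """Return (code, detail) findings for an ASA configuration fragment."""
    findings, passwords, policy = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            policy = None                      # an unindented line ends the policy block
        words = line.split()
        if re.match(r"^telnet \d+\.\d+\.\d+\.\d+ \S+ \S+$", line):
            findings.append(("telnet-enabled", "cleartext management access: " + line))
        elif words[0] == "passwd" and len(words) > 1:
            passwords["login"] = words[1]
        elif words[:2] == ["enable", "password"] and len(words) > 2:
            passwords["enable"] = words[2]
        elif (m := re.match(r"^crypto key generate rsa modulus (\d+)$", line)):
            bits = int(m.group(1))
            if bits < MIN_RSA_BITS:
                findings.append(("rsa-modulus-weak", f"{bits}-bit SSH host key, below {MIN_RSA_BITS}"))
        elif line.startswith("crypto isakmp policy "):
            policy = line
        elif policy and words[0] in WEAK_IKE and len(words) > 1:
            weak_values, code = WEAK_IKE[words[0]]
            if words[1] in weak_values:
                findings.append((code, f"{policy}: {line}"))
        elif line.startswith("crypto ipsec transform-set ") and len(words) > 4:
            for token in words[4:]:
                if token in WEAK_ESP:
                    findings.append(("ipsec-weak-transform", f"{words[3]}: {token}"))
    if "login" in passwords and passwords.get("enable") == passwords["login"]:
        findings.append(("shared-login-enable-password", "passwd and enable password are identical"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(LAB_CONFIG):
        print(f"{code:30} {detail}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The lab fragment produces eight findings and the hardened one none; in practice the script is run against the output of `show running-config`, which is why it tracks the indentation of the `crypto isakmp policy` block rather than assuming one policy per device.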
CLIENT LESS WEB VPN
Unlike a standard IPsec VPN, which requires specific client software, Web VPN is a clientless remote-access VPN that uses a web browser to access a corporate network.
Configuration
Configured with the SSL VPN Wizard. Topology: ASA E0 20.0.0.10 to the WAN, where remote hosts 20.0.0.1 and 20.0.0.5 connect with no VPN client; ASA Ethernet 1 10.0.0.10 (inside) to Host A 10.0.0.1, the local web server 10.0.0.2 and the local FTP server 10.0.0.3.
Verify results by accessing the Corporate Network. Type username and password.
Step 3(A): Verify results by IOS commands.
ciscoasa# show running-config webvpn
REMOTE-ACCESS VPN
Remote-access VPN provides secure communication with remote users who work from home and connect through a modem or mobile link; they must have the VPN client hardware and client software running on their computers.
Configuration
Configured with the IPsec (Remote-access) VPN Wizard. Topology: ASA E0 20.0.0.10 to the WAN, where remote hosts 20.0.0.1 and 20.0.0.5 connect with the VPN client; ASA Ethernet 1 10.0.0.10 (inside) to Host A 10.0.0.1, the local web server 10.0.0.2 and the local FTP server 10.0.0.3.