TABLE OF CONTENTS

LAB 1: Configure Cisco ASA Appliance for basic configuration CLI
LAB 2: Configure the Security Appliance for ASDM
LAB 3: Configure Interfaces and verifying configuration through CLI
LAB 4: Configure Interfaces and verifying configuration through ASDM
LAB 5: Configure ASA Appliance for Syslog Server from ASDM
LAB 6: Configure Dynamic NAT through ASDM and verify the Configuration
LAB 7: Configure PAT on interface IP of ASA through ASDM
LAB 8: Configure Static NAT with ACL to allow inside access through ASDM
LAB 9: Configuring Remote Access VPN (Easy VPN)
LAB 10: Configure Remote Access VPN using AAA
LAB 11: Configure Site to Site IPSEC VPN through ASDM
LAB 12: Configuring ASA Appliance for Static Route through ASDM
LAB 13: Configuring ASA Appliance for Passive RIP through ASDM
LAB 14: Telnet and SSH Configuration on ASA Appliance through ASDM
LAB 15: Configuring ASA Software Image and Licenses through ASDM
LAB 16: Monitoring ASA Appliance through ASDM
LAB 1: Configure Cisco ASA Appliance for Basic Configuration CLI

Step 1
CTTC(config)# write erase
This command erases the startup configuration of the ASA appliance, so that it boots with the default configuration.

Step 2
CTTC(config)# reload
This command reloads the security appliance.

Step 3
CTTC> ?
Displays the help for the commands supported in user mode.

Step 4
CTTC> enable
Password:
Enters the privileged mode of the appliance; press Enter when prompted for the password.

Step 5
CTTC# show run
This command shows the running configuration of your security appliance.

Step 6
CTTC# show memory
Free memory:       1000431424 bytes (93%)
Used memory:         73310400 bytes ( 7%)
Total memory:      1073741824 bytes (100%)
This command shows the memory of the security appliance (output may vary between platforms).
Step 7
CTTC# show version
Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)

Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"

CTTC up 3 days 18 hours

Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
  Boot microcode   : CNlite-MC-Boot-Cisco-1.2
  SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
  IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: GigabitEthernet0/0 : address is 0022.90fe.2006, irq 9
 1: Ext: GigabitEthernet0/1 : address is 0022.90fe.2007, irq 9
 2: Ext: GigabitEthernet0/2 : address is 0022.90fe.2008, irq 9
 3: Ext: GigabitEthernet0/3 : address is 0022.90fe.2009, irq 9
 4: Ext: Management0/0     : address is 0022.90fe.200a, irq 11
 5: Int: Internal-Data0/0  : address is 0000.0001.0002, irq 11
 6: Int: Not used          : irq 5

CTTC (PVT) Limited@2010 SNAF Lab Manual Web: www.cttc.net.pk Ph: 92-21-4310956-8
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 200
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 5000

This platform has an ASA 5540 VPN Premium license.

Serial Number: JMX1247L0RJ
Running Activation Key: 0x6000e973 0x0c5221a3 0xf4b1a9dc 0xa14c5408 0x4a11229b
Configuration register is 0x1
Configuration last modified by ahmed at 22:42:10.042 UTC Tue Jan 19 2010
This command shows the software version, hardware, interfaces and licensed features of the appliance.

Step 8
CTTC# show history
  enable
  show version
  show history
This command shows the history of previously entered commands.

Step 9
CTTC# show bootvar
BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin
Current BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
This command shows which image file your ASA firewall loads from.
Step 10
CTTC# dir
Directory of disk0:/
47  -rwx  5474304   00:04:44 Jan 01 2003  asa705-k8.bin
48  -rwx  5823304   08:29:00 Aug 15 2006  asdm505.bin
50  -rwx  5474304   01:22:08 May 16 2007  asa706-k8.bin
51  -rwx  8312832   03:31:14 Mar 10 2008  asa722-k8.bin
52  -rwx  16275456  01:01:26 Jan 23 2010  asa821-k8.bin
2   drwx  8192      00:47:45 Jan 23 2010  log
9   drwx  8192      00:47:53 Jan 23 2010  crypto_archive
59  drwx  8192      00:50:48 Jan 23 2010  coredumpinfo
62  drwx  8192      02:30:00 Jan 23 2010  snmp
255426560 bytes total (213508096 bytes free)
This command shows the contents of the internal flash memory of your firewall.

Step 11
CTTC(config)# boot system disk0:/asa821-k8.bin
CTTC(config)# boot system disk0:/asa705-k8.bin
These commands define that the firewall first boots from the disk0:/asa821-k8.bin image; if that image is corrupt or not found, the firewall boots from disk0:/asa705-k8.bin instead.
LAB 2: Configure the Security Appliance for ASDM

Step 1
Verify that your ASA firewall has an ASDM image in flash memory:
CTTC# dir
Directory of disk0:/
47  -rwx  5474304   00:04:44 Jan 01 2003  asa705-k8.bin
50  -rwx  5474304   01:22:08 May 16 2007  asa706-k8.bin
52  -rwx  16275456  01:01:26 Jan 23 2010  asa821-k8.bin
2   drwx  8192      00:47:45 Jan 23 2010  log
9   drwx  8192      00:47:53 Jan 23 2010  crypto_archive
59  drwx  8192      00:50:48 Jan 23 2010  coredumpinfo
62  drwx  8192      02:30:00 Jan 23 2010  snmp
64  -rwx  11491880  03:24:24 Jan 25 2010  asdm-623.bin
255426560 bytes total (216154112 bytes free)

Step 2
CTTC(config)# asdm image disk0:asdm-623.bin
This command defines which ASDM image in flash will be used.

Step 3
CTTC(config)# http server enable
This command enables the HTTP server on the ASA firewall, which is required for ASDM.

Step 4
CTTC(config)# http 10.0.50.10 255.255.255.255 inside
This command permits HTTPS (ASDM) connections to the appliance only from the host 10.0.50.10, arriving on the inside interface.

Step 5
CTTC(config)# aaa authentication http console LOCAL
This command enables authentication for ASDM against the local user database.

Step 6
Open a web browser and enter the following URL: https://10.254.1.2 (the inside interface IP address), then click Run ASDM.
LAB 3: Configure Interfaces and Verifying Configuration through CLI

Step 1
CTTC# configure factory-default
This command erases all configuration on your ASA firewall and reverts it to the factory default configuration.

Step 2
CTTC(config)# int vlan 1
CTTC(config-if)# nameif inside
CTTC(config-if)# security-level 100
CTTC(config-if)# ip address 10.0.0.1 255.0.0.0
CTTC(config-if)# no shut
These commands configure the inside interface and its security level on the ASA 5505 firewall.

Step 3
CTTC(config)# int vlan 2
CTTC(config-if)# nameif outside
CTTC(config-if)# security-level 0
CTTC(config-if)# ip address 20.0.0.1 255.0.0.0
CTTC(config-if)# no shut
These commands configure the outside interface and its security level on the ASA 5505 firewall.

Step 4
CTTC# show nameif
Interface   Name      Security
Vlan1       inside    100
Vlan2       outside   0
This command verifies the name and security level of each interface.

Step 5
CTTC# show ip
System IP Addresses:
Interface   Name      IP address   Subnet mask   Method
Vlan1       inside    10.0.0.1     255.0.0.0     manual
Vlan2       outside   20.0.0.1     255.0.0.0     manual
Current IP Addresses:
Interface   Name      IP address   Subnet mask   Method
Vlan1       inside    10.0.0.1     255.0.0.0     manual
Vlan2       outside   20.0.0.1     255.0.0.0     manual
This command verifies the IP addresses of all firewall interfaces.

Step 6
CTTC# show switch vlan
VLAN Name       Status    Ports
---- ---------- --------- -----------------------------
1    inside     down      Et0/1, Et0/2, Et0/3, Et0/4
                          Et0/5, Et0/6, Et0/7
2    outside    down      Et0/0
This command shows which firewall interfaces belong to the inside VLAN and which belong to the outside VLAN.

Step 7 (Optional)
CTTC(config)# clear configure all
This command clears the running configuration of the ASA firewall.
LAB 4: Configure Interfaces and Verifying Configuration through ASDM

Step 1
Click the Configuration tab and then click Interfaces. You can see that the firewall is already configured with the inside interface, security level 100 and IP address 10.0.0.1.
Step 2
To add a new interface, click Add, add the Ethernet 0/0 interface to the selected switch ports and enter outside in the Interface Name field. Click Enable interface, check Use static IP, and configure the IP address 20.0.0.1 with subnet mask 255.0.0.0. Click OK.
LAB 5: Configure ASA Appliance for Syslog Server from ASDM

[Network topology figure: Cisco ASA5505 with E0/1 10.0.0.1 and E0/0 20.0.0.1; hosts 10.0.0.10 and 20.0.0.10 (Syslog Server)]

Step 1
To configure the syslog server, open the Configuration tab and then click Logging.
Step 3
Click the Syslog Servers tab and then press Add. Select the ASA interface on which the syslog server is connected and enter the IP address of the syslog server. Press OK.
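What the syslog server configured above receives from the appliance, as an added example that is not part of this manual: a small Python receiver that decodes the <PRI> prefix and the %ASA-severity-id header of each datagram, so you can confirm that messages arrive and at which level. The sample lines are constructed, not captured from the lab network, and the receiver's bind address is whatever host you run it on.

```python
import re
import socket

# ASA severity names, index = numeric level (0 = emergencies ... 7 = debugging).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# <PRI> prefix, an optional timestamp (sent when 'logging timestamp' is on),
# then the %ASA-<severity>-<message id>: header every ASA message carries.
ASA_LINE = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?(?:(?P<ts>[^%]*?): )?"
                      r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")

def parse_asa_syslog(line):
    """Decode one ASA syslog line into a dict, or None if it is not an ASA message."""
    m = ASA_LINE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    rec = {"id": m["id"], "severity": sev, "level": SEVERITIES[sev],
           "timestamp": m["ts"], "text": m["text"]}
    if m["pri"] is not None:
        pri = int(m["pri"])
        rec["facility"] = pri // 8              # ASA default facility is LOCAL4 (20)
        # PRI severity and header severity should agree; a mismatch usually means
        # the line was rewritten by a relay between the appliance and the server.
        rec["pri_matches_header"] = (pri % 8 == sev)
    return rec

def receive(bind_ip, port=514, count=1):
    """Listen on the syslog server address the lab points the ASA at and return
    the parsed records of the first `count` ASA datagrams."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while len(records) < count:
            data, _peer = sock.recvfrom(4096)
            rec = parse_asa_syslog(data.decode("utf-8", errors="replace"))
            if rec:
                records.append(rec)
    return records

# Constructed sample lines in the shape the appliance emits (not captured from
# the lab network); PRI 166 = LOCAL4 (20*8) + severity 6, 164 = LOCAL4 + 4.
SAMPLE_LINES = [
    "<166>%ASA-6-302013: Built outbound TCP connection 12 for outside:20.0.0.10/23 "
    "(20.0.0.10/23) to inside:10.0.0.10/49152 (20.0.0.112/49152)",
    "<164>Jan 19 2010 22:42:10: %ASA-4-106023: Deny tcp src outside:20.0.0.10/4567 "
    "dst inside:10.0.0.10/23 by access-group \"outside_access_in\"",
]
```

Run receive("20.0.0.10") on the syslog host (port 514 needs root on most systems) and compare the level of what arrives with the logging level chosen in ASDM.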
LAB 6: Configure Dynamic NAT through ASDM and Verify the Configuration

[Network topology figure: Cisco ASA5505 with E0/1 10.0.0.1 and E0/0 20.0.0.1; IP Pool 20.0.0.100-200; hosts 10.0.0.10 and 20.0.0.10 (Telnet Server)]

Step 1
To configure dynamic NAT, click Configuration and then click NAT Rules.
Step 4
To define the global pool, click the Manage tab and add a Global Address Range. Select interface Outside, Pool ID 1 and the range 20.0.0.100-20.0.0.200. Press Add and then OK.
Step 5
The following window will appear, showing the dynamic NAT entry you have just configured. To enforce that no traffic passes through the firewall without a NAT entry, uncheck the box Enable traffic through the firewall without NAT. Press Apply.
Step 6
To verify the dynamic NAT configuration, use the following commands.

CTTC# show run nat-control
nat-control
This command shows that no traffic will pass between interfaces through the firewall without NAT.

CTTC# show run nat
nat (inside) 1 10.0.0.0 255.0.0.0
This command shows the inside network that will be translated.

CTTC# show run global
global (outside) 1 20.0.0.100-20.0.0.200 netmask 255.0.0.0
This command displays the global address pool.

CTTC# show xlate
1 in use, 1 most used
Global 20.0.0.112 Local 10.0.0.10
This command displays the NAT (translation) table of the ASA appliance.

CTTC# clear xlate
This command clears the NAT table of the ASA appliance.

CTTC# show arp
inside 10.0.0.10 0017.423c.6806 52
outside 20.0.0.10 0021.9b37.b62e 473
This command displays the ARP cache of your security appliance.

CTTC# clear arp
This command clears the ARP cache of your appliance.
LAB 7: Configure PAT on Interface IP of ASA through ASDM

Step 1
Repeat the first three steps of the previous lab, then click the outside interface and check the box PAT using IP address of the interface. Press Add and then click OK. The translation is then done using the IP address of the outside interface of the firewall.
Step 8
Press Add, select interface Outside and then press Permit. In the source field select any, and in the destination field enter the translated IP address 20.0.0.100. Select traffic direction In. Also select the service tcp/telnet.
Step 9
Press OK; you can see the access rule in the following window. Now telnet from the outside machine to the telnet server, which is translated to the 20.0.0.100 IP address.
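The translation behaviour that the verification commands of LAB 6 expose, together with the interface PAT of LAB 7 and the static translation behind the access rule above, as an added model written for this manual (not Cisco code and not part of the original page): a small Python class that applies nat-control, a nat/global pair, interface PAT and static NAT to new inside-to-outside flows and reports an xlate table in the form of show xlate. translate() returns (global address, PAT port or None) or None when the appliance would drop the flow; the in-order hand-out of pool addresses is an assumption of the model, the addresses are the manual's.

```python
import ipaddress
from itertools import count

class AsaNat:
    """Toy model of classic (pre-8.3) ASA NAT: nat-control, nat/global pairs, interface
    PAT and static NAT. Pool addresses are handed out in order here (assumption)."""
    def __init__(self, nat_control=True):
        self.nat_control = nat_control   # LAB 6: 'nat-control'
        self.rules = []                  # (inside network, nat id)
        self.pools = {}                  # nat id -> free global addresses
        self.pat_ip = {}                 # nat id -> interface IP used for PAT (LAB 7)
        self.static = {}                 # local -> global (static NAT)
        self.xlate = {}                  # local -> (global, port, nat id)
        self._ports = count(1024)        # next PAT source port
    def nat_inside(self, network, nat_id):         # nat (inside) <id> <net> <mask>
        self.rules.append((ipaddress.ip_network(network), nat_id))
    def global_pool(self, nat_id, first, last):    # global (outside) <id> first-last
        lo, hi = (int(ipaddress.ip_address(a)) for a in (first, last))
        self.pools[nat_id] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
    def global_interface(self, nat_id, iface_ip):  # global (outside) <id> interface
        self.pat_ip[nat_id] = iface_ip
    def static_nat(self, local, global_ip):        # static (inside,outside) <g> <l>
        self.static[local] = global_ip

    def translate(self, local):
        """(global, port) for a new inside-to-outside flow; None means it is dropped."""
        if local in self.xlate:                    # an existing xlate entry is reused
            return self.xlate[local][:2]
        if local in self.static:
            return self._add(local, self.static[local], None, None)
        host = ipaddress.ip_address(local)
        for net, nat_id in self.rules:
            if host in net:
                if self.pools.get(nat_id):         # pool addresses first ...
                    return self._add(local, self.pools[nat_id].pop(0), None, nat_id)
                if nat_id in self.pat_ip:          # ... then fall back to interface PAT
                    return self._add(local, self.pat_ip[nat_id], next(self._ports), nat_id)
                return None                        # pool exhausted and no PAT: dropped
        # No matching nat rule: nat-control drops it, otherwise it passes untranslated.
        return None if self.nat_control else self._add(local, local, None, None)

    def _add(self, local, glob, port, nat_id):
        self.xlate[local] = (glob, port, nat_id)
        return glob, port
    def show_xlate(self):
        return [f"Global {g} Local {l}" if p is None else f"PAT Global {g}({p}) Local {l}"
                for l, (g, p, _) in self.xlate.items()]
    def clear_xlate(self):                         # 'clear xlate' frees pool addresses
        for g, p, nat_id in self.xlate.values():
            if p is None and nat_id is not None:
                self.pools[nat_id].append(g)
        self.xlate.clear()
```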
Step 2
Click Launch VPN Wizard; a new window will open. Click Remote Access VPN and then select the outside interface as the interface on which the VPN is terminated. Click Next.
Step 12
To exempt VPN traffic from network address translation, select interface Inside and configure 10.0.0.0 with the default mask of 255.255.255.0. Press Add and then click Next.
A new window will open. Enter the connection entry name cttc and the host IP address 20.0.0.1. Enter the tunnel group name CTTC and the pre-shared key cisco123. Click Save.
LAB 10: Configure Remote Access VPN (Easy VPN) using AAA

[Network topology figure: Cisco ASA5505 with E0/1 10.0.0.1 and E0/0 20.0.0.1; hosts 10.0.0.10 and 20.0.0.10; Cisco VPN Client with IP Pool 172.16.1.1-254]

Step 1
Click the Configuration menu and then click AAA Server Groups. Press Add.
Step 3
Press Add under AAA Servers and select the interface on which the AAA server is placed (inside). Enter the AAA server IP address 10.0.0.10 and the server secret key cisco123. Press OK.
Step 7
To enable accounting, select AAA Access from the window and click Accounting. Click Enable Server Group and select the group default. Press Apply.
Step 11
Enter the AAA client name CTTCA and the IP address of the AAA client, i.e. the ASA inside interface IP 10.0.0.1. Enter the server secret key cisco123 and select Authenticating using TACACS+ (Cisco IOS). Then press Submit.
LAB 11: Configuring IPSEC Site to Site VPN through ASDM

[Network topology figure: CTTCA with E0/1 10.0.0.1 and E0/0 11.0.0.1; CTTCB with E0/0 11.0.0.2 and E0/1 20.0.0.1; hosts 10.0.0.10 and 20.0.0.10]

Step 1
On the CTTCB firewall, click the Wizards option on the top menu and select the IPSec VPN Wizard. Select the Site-to-Site VPN option and press Next.
Step 2
Enter the peer IP address 11.0.0.2, select the authentication method Pre-shared Key and enter the pre-shared key Cisco123. Leave the tunnel group name as 11.0.0.2. Press Next.
Step 5
To define the interesting VPN traffic, select the source network from which traffic will be sent into the tunnel. Select inside-network 20.0.0.0/8 as the source network. Press OK.
Step 7
Both configured entries are shown in the window below. Only traffic from the local network to the remote network will pass through the VPN tunnel. Press Next.
LAB 13: Configuring Passive RIP on ASA Firewall through ASDM

[Network topology figure: CTTCA with E0/1 10.0.0.1 and E0/0 11.0.0.1; CTTCB with E0/0 11.0.0.2 and E0/1 20.0.0.1; hosts 10.0.0.10 and 20.0.0.10]

Step 1
On the CTTCA firewall, click Enable RIP routing, check RIP version 1, add the 10.0.0.0 and 11.0.0.0 networks, and select the outside interface as a passive interface.
Step 2
On the CTTCB firewall, click Enable RIP routing, check RIP version 1, add the 20.0.0.0 and 11.0.0.0 networks, and select the outside interface as a passive interface.
LAB 14: Telnet and SSH Configuration on ASA Appliance through ASDM

Step 1
Click Configuration > Device Management > Management Access > ASDM/HTTP/HTTPS/SSH/Telnet. Press Add.
Step 2
Click Telnet and enter the IP address 10.0.0.10 of the host connected to the inside interface of the firewall. The firewall can then be accessed via Telnet only from the IP address 10.0.0.10. Press OK.
Step 4
For SSH configuration, select the inside interface and click SSH. Enter the IP address of the client that initiates SSH to the security appliance.
LAB 15: Configuring ASA for Software Image and Licensing

Step 1
To configure the boot sequence of the ASA images and define the ASDM image, navigate to Configuration > Device Management > System Image/Configuration > Boot Image/Configuration. Press Add.
LAB 16: Monitoring ASA Appliance through ASDM

Step 1
To verify the platform, ASA version, ASDM version, device uptime, interface status, CPU and memory utilization and the latest ASDM syslog messages, go to the Home page of ASDM.