
CTTC (PVT) Limited@2010 SNAF Lab Manual


Web: www.cttc.net.pk
Ph: 92-21-4310956-8


LAB MANUAL


Securing Networks with ASA
Fundamentals (SNAF)

Version 1.0



Developed By: Mr. Ahmed Saeed
Network Manager
CTTC (PVT) Limited, Karachi Pakistan.

TABLE OF CONTENTS
LAB 1: Configure Cisco ASA Appliance for Basic Configuration CLI
LAB 2: Configure the Security Appliance for ASDM
LAB 3: Configure Interfaces and Verify Configuration through CLI
LAB 4: Configure Interfaces and Verify Configuration through ASDM
LAB 5: Configure ASA Appliance for Syslog Server from ASDM
LAB 6: Configure Dynamic NAT through ASDM and Verify the Configuration
LAB 7: Configure PAT on Interface IP of ASA through ASDM
LAB 8: Configure Static NAT with ACL to Allow Inside Access through ASDM
LAB 9: Configuring Remote Access VPN (Easy VPN)
LAB 10: Configure Remote Access VPN using AAA
LAB 11: Configure Site-to-Site IPsec VPN through ASDM
LAB 12: Configuring ASA Appliance for Static Route through ASDM
LAB 13: Configuring ASA Appliance for Passive RIP through ASDM
LAB 14: Telnet and SSH Configuration on ASA Appliance through ASDM
LAB 15: Configuring ASA Software Image and Licenses through ASDM
LAB 16: Monitoring ASA Appliance through ASDM



LAB 1: Configure Cisco ASA Appliance for Basic Configuration CLI
Step 1
CTTC(config)# write erase
This command erases the startup configuration of the ASA appliance, so that it boots with the default configuration.
Step 2
CTTC(config)# reload
This command reloads the security appliance.
Step 3
CTTC> ?
Displays the commands supported in user EXEC mode.
Step 4
CTTC> enable
Password :
Enters privileged EXEC mode; type the enable password at the prompt and press Enter.
Step 5
CTTC# show run
This command shows the running configuration of your security appliance.
Step 6
CTTC# show memory
Free memory: 1000431424 bytes (93%)
Used memory: 73310400 bytes ( 7%)
------------- ----------------
Total memory: 1073741824 bytes (100%)
This command shows the memory usage of the security appliance (the output varies between platforms).


Step 7
CTTC# show version
Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)
Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"
CTTC up 3 days 18 hours
Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 0022.90fe.2006, irq 9
1: Ext: GigabitEthernet0/1 : address is 0022.90fe.2007, irq 9
2: Ext: GigabitEthernet0/2 : address is 0022.90fe.2008, irq 9
3: Ext: GigabitEthernet0/3 : address is 0022.90fe.2009, irq 9
4: Ext: Management0/0 : address is 0022.90fe.200a, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
This platform has an ASA 5540 VPN Premium license.
Serial Number: JMX1247L0RJ
Running Activation Key: 0x6000e973 0x0c5221a3 0xf4b1a9dc 0xa14c5408 0x4a11229b
Configuration register is 0x1
Configuration last modified by ahmed at 22:42:10.042 UTC Tue Jan 19 2010
Step 8
CTTC# show history
Enable
Show version
Show history
This command shows the history of previously entered commands.
Step 9
CTTC# show bootvar
BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin
Current BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
This command shows which image file the ASA firewall loads at boot: the BOOT variable lists the images in order of preference.

Step 10
CTTC# dir
Directory of disk0:/
47 -rwx 5474304 00:04:44 Jan 01 2003 asa705-k8.bin
48 -rwx 5823304 08:29:00 Aug 15 2006 asdm505.bin
50 -rwx 5474304 01:22:08 May 16 2007 asa706-k8.bin
51 -rwx 8312832 03:31:14 Mar 10 2008 asa722-k8.bin
52 -rwx 16275456 01:01:26 Jan 23 2010 asa821-k8.bin
2 drwx 8192 00:47:45 Jan 23 2010 log
9 drwx 8192 00:47:53 Jan 23 2010 crypto_archive
59 drwx 8192 00:50:48 Jan 23 2010 coredumpinfo
62 drwx 8192 02:30:00 Jan 23 2010 snmp
255426560 bytes total (213508096 bytes free)
This command shows the contents of the internal flash memory of your firewall.
Step 11
CTTC(config)# boot system disk0:/asa821-k8.bin
CTTC(config)# boot system disk0:/asa705-k8.bin
These commands define the boot order: the firewall first tries disk0:/asa821-k8.bin, and if that image is
corrupt or not found it boots from disk0:/asa705-k8.bin.




LAB 2: Configure the Security Appliance for ASDM
Step 1
Verify that your ASA firewall has an ASDM image in flash memory.
CTTC# dir
Directory of disk0:/
47 -rwx 5474304 00:04:44 Jan 01 2003 asa705-k8.bin
50 -rwx 5474304 01:22:08 May 16 2007 asa706-k8.bin
52 -rwx 16275456 01:01:26 Jan 23 2010 asa821-k8.bin
2 drwx 8192 00:47:45 Jan 23 2010 log
9 drwx 8192 00:47:53 Jan 23 2010 crypto_archive
59 drwx 8192 00:50:48 Jan 23 2010 coredumpinfo
62 drwx 8192 02:30:00 Jan 23 2010 snmp
64 -rwx 11491880 03:24:24 Jan 25 2010 asdm-623.bin
255426560 bytes total (216154112 bytes free)
Step 2
CTTC(config)# asdm image disk0:/asdm-623.bin
This command specifies which ASDM image in flash the appliance will serve.
Step 3
CTTC(config)# http server enable
This command enables the HTTP(S) server on the ASA firewall, which ASDM requires.
Step 4
CTTC(config)# http 10.0.50.10 255.255.255.255 inside
This command permits only the host 10.0.50.10, reached through the inside interface, to connect to the
HTTP(S) server and run ASDM.
Step 5
CTTC(config)# aaa authentication http console LOCAL
This command requires ASDM (HTTP) sessions to authenticate against the local user database.
Step 6
Open a web browser and enter the URL https://10.254.1.2 (the inside interface IP address), then click
Run ASDM.





Step 7
Click YES



Step 8
Enter Username and Password

Step 9
After you enter the username and password, the ASDM home page opens.


LAB 3: Configure Interfaces and Verify the Configuration through CLI
Step 1
CTTC# configure factory-default
This command erases the configuration of your ASA firewall and restores the factory default
configuration.
Step 2
CTTC(config)# interface vlan 1
CTTC(config-if)# nameif inside
CTTC(config-if)# security-level 100
CTTC(config-if)# ip address 10.0.0.1 255.0.0.0
CTTC(config-if)# no shutdown
These commands configure the inside interface of the ASA 5505 firewall and its security level.
Step 3
CTTC(config)# interface vlan 2
CTTC(config-if)# nameif outside
CTTC(config-if)# security-level 0
CTTC(config-if)# ip address 20.0.0.1 255.0.0.0
CTTC(config-if)# no shutdown
These commands configure the outside interface of the ASA 5505 firewall and its security level.
Step 4
CTTC# show nameif
Interface Name Security
Vlan1 inside 100
Vlan2 outside 0
This command verifies the name and security level of each interface.
Step 5
CTTC# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.0.0.0 manual
Vlan2 outside 20.0.0.1 255.0.0.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.0.0.0 manual
Vlan2 outside 20.0.0.1 255.0.0.0 manual
This command verifies the IP addresses of all firewall interfaces.
Step 6
CTTC# show switch vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 inside down Et0/1, Et0/2, Et0/3, Et0/4
Et0/5, Et0/6, Et0/7
2 outside down Et0/0
This command shows which switch ports of the firewall belong to the inside VLAN and which to the
outside VLAN.
Step 7 (Optional)
CTTC(config)# clear configure all
This command clears the running configuration of the ASA firewall.

LAB 4: Configure Interfaces and Verify the Configuration through ASDM
Step 1
Click the Configuration tab and then click Interfaces. You can see that the firewall is already configured
with an inside interface that has security level 100 and IP address 10.0.0.1.



Step 2
To add a new interface, click Add, move Ethernet 0/0 to the selected switch ports and enter outside in
the Interface Name field. Check Enable Interface and Use Static IP, then enter the IP address 20.0.0.1
and the subnet mask 255.0.0.0. Click OK.

Step 3
The outside interface is now listed in the window below. Click Apply.




Step 4
You can verify the interface status, IP address and traffic statistics of the interface from the Home tab.


LAB 5: Configure ASA Appliance for Syslog Server from ASDM
Step 1: To configure a syslog server, open the Configuration tab and then click Logging.
NETWORK TOPOLOGY (figure): Cisco ASA5505 with inside E0/1 10.0.0.1 and outside E0/0 20.0.0.1; hosts 10.0.0.10 and 20.0.0.10; Syslog Server.




Step 2
Click Logging Setup, check Enable Logging and then click Apply.



Step 3
Click the Syslog Servers tab and then click Add. Select the ASA interface to which the syslog server is
connected and enter the IP address of the syslog server. Click OK.


Step 4
You can see that the syslog server entry has been created in the window below. Note that you can add up
to 16 syslog servers. Click Apply.



Step 5
To enable syslog timestamps, click Syslog Setup and then check the box Include timestamp in Syslog.
Click Apply.



Step 6
Click Event Lists and then click Add. The Add Event List dialog box appears.


Step 7
Enter a name for the event list and then click Add. In the new dialog box select the event class All and
the severity Debugging. Click OK.


Step 8
You can see that the event list has been added. Click Apply.



Step 9
Click Logging Filters in the Logging menu and then select Syslog Servers. Click Edit.



Step 10
Select the radio button Use event list and then select the list CTTCSYSLOG. Click OK.



Step 11
You can see the logs on the Kiwi Syslog server. Verify the timestamps and the log format.



LAB 6: Configure Dynamic NAT through ASDM and verify the Configuration
Step 1: To configure dynamic NAT, click Configuration and then click NAT Rules.
NETWORK TOPOLOGY (figure): Cisco ASA5505 with inside E0/1 10.0.0.1 and outside E0/0 20.0.0.1; IP pool 20.0.0.100-200; hosts 10.0.0.10 and 20.0.0.10; Telnet Server.




Step 2
Click Add and then select Add Dynamic NAT Rule.

Step 3
A new window opens. Select the inside interface and, in the Source field, select inside-network/8.


Step 4
To define the global pool, click the Manage tab and then add a Global Address Range. Select the interface
outside, Pool ID 1 and the range 20.0.0.100-20.0.0.200. Click Add and then OK.


Step 5
The following window appears, showing the dynamic NAT entry you have just configured. To enforce that no
traffic passes through the firewall without a matching NAT entry, uncheck the box Enable traffic through
the firewall without NAT. Click Apply.

Step 6
To verify the dynamic NAT configuration, use the following commands.
CTTC# show run nat-control
nat-control
The presence of nat-control shows that no traffic passes between interfaces without a matching NAT rule.
CTTC# show run nat
nat (inside) 1 10.0.0.0 255.0.0.0
This command shows the inside network that will be translated.
CTTC# show run global
global (outside) 1 20.0.0.100-20.0.0.200 netmask 255.0.0.0
This command displays the global address pool.
CTTC# show xlate
1 in use, 1 most used
Global 20.0.0.112 Local 10.0.0.10
This command displays the translation (NAT) table of the ASA appliance.
CTTC# clear xlate
This command clears the translation table of the ASA appliance.
CTTC# show arp
inside 10.0.0.10 0017.423c.6806 52
outside 20.0.0.10 0021.9b37.b62e 473
This command displays the ARP cache of your security appliance.
CTTC# clear arp
This command clears the ARP cache of your appliance.
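As an added example (not part of the lab manual), the following Python script parses the show run nat, show run global and show xlate output from this lab and checks that every translation in the xlate table is covered by a NAT rule and falls inside the global pool bound to the same NAT ID. The sample output is constructed from the lines shown above; the function names are the example's own.

```python
"""Cross-check ASA dynamic NAT state from show output (added example, not from the manual)."""
import ipaddress
import re

# Constructed sample output, copied from the LAB 6 verification commands above.
SHOW_RUN_NAT = "nat (inside) 1 10.0.0.0 255.0.0.0\n"
SHOW_RUN_GLOBAL = "global (outside) 1 20.0.0.100-20.0.0.200 netmask 255.0.0.0\n"
SHOW_XLATE = "1 in use, 1 most used\nGlobal 20.0.0.112 Local 10.0.0.10\n"

# nat (<if>) <id> <net> <mask>                          -- 'show run nat'
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)", re.M)
# global (<if>) <id> <first>[-<last>] [netmask <mask>]  -- 'show run global'
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?", re.M)
# Global <ip> Local <ip>                                 -- one dynamic NAT entry in 'show xlate'
XLATE_RE = re.compile(r"^Global (\S+) Local (\S+)", re.M)


def parse_nat(text):
    """Return {nat_id: [(interface, IPv4Network), ...]} from 'show run nat'."""
    rules = {}
    for ifname, nat_id, addr, mask in NAT_RE.findall(text):
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        rules.setdefault(int(nat_id), []).append((ifname, net))
    return rules


def parse_global(text):
    """Return {nat_id: [(interface, first_ip, last_ip), ...]} from 'show run global'.

    'global (outside) 1 interface' (PAT on the interface address, LAB 7) carries
    no address in this output, so it is skipped here.
    """
    pools = {}
    for ifname, nat_id, addrs, _mask in GLOBAL_RE.findall(text):
        if addrs.lower() == "interface":
            continue
        first, _, last = addrs.partition("-")
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last) if last else lo
        pools.setdefault(int(nat_id), []).append((ifname, lo, hi))
    return pools


def parse_xlate(text):
    """Return [(global_ip, local_ip), ...] for the dynamic NAT entries of 'show xlate'."""
    return [(ipaddress.IPv4Address(g), ipaddress.IPv4Address(l))
            for g, l in XLATE_RE.findall(text)]


def check_xlates(nat_text, global_text, xlate_text):
    """Verify each translation against the NAT rules and their global pools.

    Returns [(global_ip, local_ip, status)], where status is 'ok',
    'no-nat-rule' (local address matches no nat statement),
    'no-global-pool' (the matching NAT ID has no parsed global range) or
    'outside-pool' (global address lies outside the pool for that NAT ID).
    """
    rules = parse_nat(nat_text)
    pools = parse_global(global_text)
    results = []
    for glob, local in parse_xlate(xlate_text):
        nat_ids = [nid for nid, nets in rules.items()
                   if any(local in net for _, net in nets)]
        if not nat_ids:
            results.append((str(glob), str(local), "no-nat-rule"))
            continue
        pool_entries = [p for nid in nat_ids for p in pools.get(nid, [])]
        if not pool_entries:
            status = "no-global-pool"
        elif any(lo <= glob <= hi for _, lo, hi in pool_entries):
            status = "ok"
        else:
            status = "outside-pool"
        results.append((str(glob), str(local), status))
    return results


if __name__ == "__main__":
    for row in check_xlates(SHOW_RUN_NAT, SHOW_RUN_GLOBAL, SHOW_XLATE):
        print(row)
```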

LAB 7: Configure PAT on interface IP of ASA through ASDM
Step 1
Repeat the first three steps of the previous lab, then click the outside interface and check the box
PAT using IP address of the interface. Click Add and then OK. Inside hosts will be translated to the
IP address of the outside interface of the firewall.

LAB 8: Configure Static NAT with ACL to allow inside access through ASDM
Step 1: Click NAT Rules, click Add and then select Add Static NAT Rule.
NETWORK TOPOLOGY (figure): Cisco ASA5505 with inside E0/1 10.0.0.1 and outside E0/0 20.0.0.1; hosts 10.0.0.10 and 20.0.0.10; Telnet Server; translated IP 20.0.0.100.


Step 2
A new window opens. Click the Source field.

Step 3
A new window opens. Click Add and then IP Name.


Step 4
A new window opens. Enter the name Telnet Server and the IP address 10.0.0.1. Click OK.

Step 5
Check the Use IP Address field and enter 20.0.0.100 as the translated IP address.


Step 6
Press Enter. The following window opens. Click Apply.



Step 7
To allow access to the Telnet server connected to the inside interface, we have to configure an
access rule from the outside machine to the Telnet server.

Step 8
Click Add, select the interface Outside and then select Permit. In the Source field select any and in
the Destination field enter the translated IP address 20.0.0.100. Select the traffic direction In and
the service tcp/telnet.

Step 9
Click OK; the access rule appears in the following window. Now telnet from the outside machine to the
Telnet server, which is translated to the IP address 20.0.0.100.

LAB 9: Configure Remote Access VPN (Easy VPN) through ASDM
Step 1 Click the Configuration menu and then select the VPN tab.
NETWORK TOPOLOGY (figure): Cisco ASA5505 with inside E0/1 10.0.0.1 and outside E0/0 20.0.0.1; hosts 10.0.0.10 and 20.0.0.10; Telnet Server; Cisco VPN Client with IP pool 172.16.1.1-254.



Step 2: Click Launch VPN Wizard; a new window opens. Select Remote Access VPN and then select the outside
interface as the interface on which the VPN terminates. Click Next.


Step 3 Select the VPN client type Cisco VPN Client, Release 3.x or higher, and then click Next.


Step 4 Enter the pre-shared key cisco123 and the tunnel group name CTTC.





Step 5 Select authentication using the local user database.


Step 6 Add another user, test, to the local database of the ASA appliance.



Step 7 Create a new local pool of IP addresses. Click New.



Step 8 Enter the pool name CTTCPOOL, the starting IP address 172.16.1.1 and the ending IP address
172.16.1.254.



Step 9 Enter the primary DNS server 10.0.0.100 and domain name cttc.net.pk.



Step 10 Configure the IKE Phase 1 parameters as shown in the window below. Click Next.


Step 11 Select the IPsec (Phase 2) parameters as shown in the window below and then click Next.


Step 12 To exempt VPN traffic from network address translation, select the interface Inside and add
10.0.0.0 with the default mask 255.255.255.0. Click Add and then Next.



Step 13 Review the summary of the VPN configuration and then click Finish to complete it.



Step 14 Open the VPN Client software and click New.

A new window opens. Enter the connection entry name cttc and the host IP address 20.0.0.1.
Enter the tunnel group name CTTC and the pre-shared key cisco123. Click Save.


Step 15 A new connection entry is created, as shown in the window below.

Double-click the connection entry; a new window opens. Enter the username and password for
authentication against the VPN local database.

After you enter the username and password the VPN tunnel is established, and you can verify the
details of the VPN connection in the window below.

LAB 10: Configure Remote Access VPN (Easy VPN) using AAA
Step 1: Click the Configuration menu and then click AAA Server Groups. Click Add.
NETWORK TOPOLOGY (figure): Cisco ASA5505 with inside E0/1 10.0.0.1 and outside E0/0 20.0.0.1; hosts 10.0.0.10 and 20.0.0.10; Cisco VPN Client with IP pool 172.16.1.1-254.


Step 2: Enter the server group name default, select the protocol TACACS+ and then click OK.

Step 3: Under AAA Servers click Add and select the interface on which the AAA server is located (inside).
Enter the AAA server IP address 10.0.0.10 and the server secret key cisco123. Click OK.



Step 4: Both configured entries are shown in the window below. Click Apply.


Step 5: Select IPsec Connection Profiles in the window, select the CTTC connection entry and then
click Edit.


Step 6: Under User Authentication select the server group default and check Use LOCAL if Server Group
fails. Click OK.



Step 7: To enable accounting, select AAA Access in the window and then click Accounting. Check Enable
Server Group and select the group default. Click Apply.

Step 8: To add a user on Cisco Secure ACS, click User Setup, enter the username ahmed and then click
Add/Edit.


Step 9: Enter and confirm the password in the window below, then click Submit.


Step 10: Select Network Configuration from the menu and then click Add Entry for AAA Clients.


Step 11: Enter the AAA client name CTTCA and the IP address of the AAA client, i.e. the ASA inside
interface IP 10.0.0.1. Enter the server secret key cisco123 and select Authenticate Using TACACS+
(Cisco IOS). Then click Submit.



Step 12: You can see that the entry has been added to the AAA client list in the window below.




Step 13: For accounting, click Reports and Activity.


Step 14: Select TACACS+ Accounting and then select TACACS+ Accounting active.csv.


Step 15: The accounting statistics are shown in the window below.


LAB 11: Configuring IPsec Site-to-Site VPN through ASDM
Step 1: On the CTTCB firewall, click the Wizards option in the top menu and then select IPsec VPN Wizard.
Select the Site-to-Site VPN option and then click Next.
NETWORK TOPOLOGY (figure): CTTCA and CTTCB firewalls; addresses 10.0.0.1 (E0/1), 11.0.0.1 (E0/0), 11.0.0.2 (E0/0), 20.0.0.1 (E0/1); hosts 10.0.0.10 and 20.0.0.10.


Step 2: Enter the peer IP address 11.0.0.2, select the authentication method Pre-shared Key and enter
the pre-shared key Cisco123. Leave the tunnel group name as 11.0.0.2. Click Next.



Step 3: Enter the IKE Phase 1 parameters as shown in the window below.


Step 4: Enter the IKE Phase 2 parameters as shown in the window below.


Step 5: To define the interesting VPN traffic, select the source network whose traffic will be sent
through the tunnel. Select the inside-network 20.0.0.0/8 as the source network. Click OK.




Step 6: Enter 10.0.0.0/8 as the remote network to which VPN traffic will be forwarded. Click OK.


Step 7: Both configured entries are shown in the window below. Only traffic from the local network to
the remote network passes through the VPN tunnel. Click Next.


Step 8: The window below shows the summary of the VPN configuration. Click Finish to complete the
configuration on the CTTCB firewall.


NOTE: Repeat these steps on the CTTCA firewall as well to complete the site-to-site VPN.

Step 9: After configuring the CTTCA firewall, you can verify the VPN tunnel status in the window below:
IKE: 1 and IPsec: 1.



Step 10: Click the Monitoring tab, then VPN, then Sessions.


Step 11: Verify the IKE Phase 1 and IPsec Phase 2 parameters with the following commands.
ciscoasa# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
ciscoasa# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 11.0.0.2
access-list outside_1_cryptomap permit ip 20.0.0.0 255.0.0.0 remotenetwork 255.255.255.0
local ident (addr/mask/prot/port): (20.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (remotenetwork/255.255.255.0/0/0)
current_peer: 11.0.0.1
#pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226
#pkts decaps: 226, #pkts decrypt: 226, #pkts verify: 226
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 226, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 2DBE841E
inbound esp sas:
spi: 0x023E2818 (37627928)
transform: esp-des esp-md5-hmac no compression
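As an added example (not part of the lab manual), this Python script parses show crypto ipsec sa output like the one above and reports the conditions a practitioner checks when a tunnel is up but misbehaving: no or one-way traffic, send/receive errors, packets that failed integrity verification, and the legacy esp-des / esp-md5-hmac transforms this lab uses. The sample text is constructed from the output above, with the page's remotenetwork placeholders replaced by the remote 10.0.0.0/8 network; the function names are the example's own.

```python
"""Health check for ASA 'show crypto ipsec sa' output (added example, not from the manual)."""
import re

# Constructed sample based on the LAB 11 Step 11 output on CTTCB; the page's
# 'remotenetwork' placeholders are replaced by the remote 10.0.0.0/8 network.
SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 11.0.0.2
access-list outside_1_cryptomap permit ip 20.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (20.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 11.0.0.1
#pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226
#pkts decaps: 226, #pkts decrypt: 226, #pkts verify: 226
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 226, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 2DBE841E
inbound esp sas:
spi: 0x023E2818 (37627928)
transform: esp-des esp-md5-hmac no compression
"""

# '#<counter name>: <value>' pairs, several per line.
COUNTER_RE = re.compile(r"#([A-Za-z -]+?): (\d+)")
# ESP transforms that the lab configures but that should be retired.
LEGACY_TRANSFORMS = {"esp-des": "56-bit DES", "esp-3des": "3DES",
                     "esp-md5-hmac": "HMAC-MD5"}


def parse_ipsec_sa(text):
    """Extract peer, traffic selectors, packet counters and transforms."""
    sa = {"counters": {}, "transforms": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("current_peer:"):
            sa["peer"] = line.split(":", 1)[1].strip()
        elif line.startswith("local ident"):
            sa["local_ident"] = line.split(": ", 1)[1]
        elif line.startswith("remote ident"):
            sa["remote_ident"] = line.split(": ", 1)[1]
        elif line.startswith("transform:"):
            sa["transforms"].append(line.split(":", 1)[1].split())
        elif line.startswith("#"):
            for name, value in COUNTER_RE.findall(line):
                sa["counters"][name.strip()] = int(value)
    return sa


def assess_tunnel(sa):
    """Return a list of findings; an empty list means the SA looks healthy."""
    c = sa["counters"]
    findings = []
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if encaps == 0 and decaps == 0:
        findings.append("no traffic has used this SA yet")
    elif encaps and not decaps:
        findings.append("one-way traffic: packets sent but none received")
    elif decaps and not encaps:
        findings.append("one-way traffic: packets received but none sent")
    errors = c.get("send errors", 0) + c.get("recv errors", 0)
    if errors:
        findings.append(f"{errors} send/recv errors")
    # Every decapsulated packet should also have passed the HMAC check.
    if c.get("pkts verify", 0) != decaps:
        findings.append("not every decapsulated packet passed integrity verification")
    for transform in sa["transforms"]:
        for name in transform:
            if name in LEGACY_TRANSFORMS:
                findings.append(f"legacy transform {name} ({LEGACY_TRANSFORMS[name]})")
    return findings


if __name__ == "__main__":
    sa = parse_ipsec_sa(SHOW_CRYPTO_IPSEC_SA)
    print(sa["peer"], sa["local_ident"], "->", sa["remote_ident"])
    for finding in assess_tunnel(sa) or ["healthy"]:
        print(" -", finding)
```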

LAB 12: Configuring Static Routes on ASA Firewall through ASDM
Step 1: On CTTCA, click Configuration, then Device Setup, then select Static Routes. Click Add.
NETWORK TOPOLOGY (figure): CTTCA and CTTCB firewalls; addresses 10.0.0.1 (E0/1), 11.0.0.1 (E0/0), 11.0.0.2 (E0/0), 20.0.0.1 (E0/1); hosts 10.0.0.10 and 20.0.0.10.


Step 2: Select the interface Outside, enter the destination network 20.0.0.0 with subnet mask
255.0.0.0, and then click the Gateway IP option.



Step 3: A new window opens. Click Add.


Step 4: Enter the network object name next hop and the next-hop IP address 11.0.0.2. Select the
netmask 255.255.255.255 and click OK.


Step 5: A new window opens as below. Click OK.


Step 6: A new window opens as below. Click Apply to configure the static route.

Step 7: Repeat the previous steps to configure the static route shown below on the CTTCB firewall.


LAB 13: Configuring Passive RIP on ASA Firewall through ASDM
Step 1: On the CTTCA firewall, check Enable RIP routing, select RIP Version 1, add the networks 10.0.0.0
and 11.0.0.0, and mark the outside interface as a passive interface.
NETWORK TOPOLOGY (figure): CTTCA and CTTCB firewalls; addresses 10.0.0.1 (E0/1), 11.0.0.1 (E0/0), 11.0.0.2 (E0/0), 20.0.0.1 (E0/1); hosts 10.0.0.10 and 20.0.0.10.


Step 2: On the CTTCB firewall, check Enable RIP routing, select RIP Version 1, add the networks 20.0.0.0
and 11.0.0.0, and mark the outside interface as a passive interface.

LAB 14: Telnet and SSH Configuration on ASA Appliance through ASDM
Step 1: Click Configuration > Device Management > Management Access > ASDM/HTTP/HTTPS/SSH/Telnet.
Click Add.

Step 2: Select Telnet and enter the IP address 10.0.0.10 of the host connected to the inside interface of
the firewall. The firewall can then be accessed over Telnet only from 10.0.0.10. Click OK.


Step 3: The firewall is now configured for Telnet, as highlighted in the window below.


Step 4: For the SSH configuration, select the inside interface and then select SSH. Enter the IP address
of the client that will initiate SSH to the security appliance.


Step 5: For SSH you need to configure the hostname and domain name of the firewall: Configuration >
Device Setup > Device Name/Password.



Step 6: Generate an RSA key: Configuration > Device Management > Certificate Management > Identity
Management.

Step 7: Click Add a new identity certificate and then click New.


Step 8: Click Generate Now to generate the RSA key for SSH.
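As an added example (not part of the lab manual) covering the management-access settings of LAB 2 (ASDM) and this lab (Telnet/SSH), the following Python script audits the http, telnet, ssh and aaa authentication lines of an ASA running-config: it flags cleartext Telnet, any-host or broad permits, management reachable from an untrusted interface, and HTTP or SSH access that is not tied to a user database. The running-config fragments are constructed from the commands used in those labs; the function names are the example's own.

```python
"""Audit ASA management-access settings in a running-config (added example, not from the manual)."""
import ipaddress
import re

# Constructed running-config fragment combining the LAB 2 (ASDM) and LAB 14 (Telnet/SSH) commands.
RUNNING_CONFIG = """\
hostname CTTC
domain-name cttc.net.pk
http server enable
http 10.0.50.10 255.255.255.255 inside
aaa authentication http console LOCAL
telnet 10.0.0.10 255.255.255.255 inside
telnet timeout 5
ssh 10.0.0.10 255.255.255.255 inside
ssh timeout 5
"""

# The same fragment with Telnet removed and SSH tied to the local user database.
HARDENED_CONFIG = """\
hostname CTTC
domain-name cttc.net.pk
http server enable
http 10.0.50.10 255.255.255.255 inside
aaa authentication http console LOCAL
ssh 10.0.0.10 255.255.255.255 inside
ssh timeout 5
aaa authentication ssh console LOCAL
"""

# <http|telnet|ssh> <address> <mask> <interface>
ACCESS_RE = re.compile(
    r"^(http|telnet|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", re.M)
# aaa authentication <http|telnet|ssh> console <server-group>
AAA_RE = re.compile(r"^aaa authentication (http|telnet|ssh) console (\S+)", re.M)


def parse_management_access(config):
    """Return {'http': [(IPv4Network, interface), ...], 'telnet': [...], 'ssh': [...]}."""
    access = {"http": [], "telnet": [], "ssh": []}
    for proto, addr, mask, ifname in ACCESS_RE.findall(config):
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        access[proto].append((net, ifname))
    return access


def audit_management_access(config, untrusted_interfaces=("outside",)):
    """Return a list of findings about who may manage the appliance, and how."""
    access = parse_management_access(config)
    aaa = dict(AAA_RE.findall(config))
    http_enabled = re.search(r"^http server enable$", config, re.M) is not None
    findings = []
    if access["telnet"]:
        # Telnet carries the login and every command in cleartext.
        findings.append("telnet: cleartext management enabled; prefer SSH")
    for proto, entries in access.items():
        if proto == "http" and not http_enabled:
            continue  # http permit lines are inert while the server is disabled
        for net, ifname in entries:
            if net.prefixlen == 0:
                findings.append(f"{proto}: any host allowed via {ifname}")
            elif net.prefixlen < 24:
                findings.append(f"{proto}: broad range {net} allowed via {ifname}")
            if ifname in untrusted_interfaces:
                findings.append(f"{proto}: management reachable from untrusted interface {ifname}")
    if http_enabled and access["http"] and "http" not in aaa:
        findings.append("http: ASDM uses the enable password only (no aaa authentication http console)")
    if access["ssh"] and "ssh" not in aaa:
        findings.append("ssh: no aaa authentication ssh console; sessions use the default login "
                        "rather than per-user accounts")
    if access["ssh"] and not re.search(r"^domain-name \S+", config, re.M):
        findings.append("ssh: no domain-name configured; RSA key generation for SSH needs "
                        "hostname and domain-name")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab config", RUNNING_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_management_access(cfg) or ["no findings"])
```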


LAB 15: Configuring ASA for Software Image and Licensing
Step 1: To configure the boot sequence of ASA images and to define the ASDM image, navigate to
Configuration > Device Management > System Image/Configuration > Boot Image/Configuration. Click Add.


Step 2: To select the image in flash, click Browse Flash.

Step 3: Select the appropriate image and then click OK.



Step 4: The software image has been added. To define the ASDM image file path, click Browse Flash.


Step 5: Select the appropriate ASDM image file as in the window below. Click OK.


Step 6: Click Apply to push the configuration to the ASA appliance.


Step 7: To upgrade the license, we need to change the activation key: Configuration > Device
Management > Activation Key.


LAB 16: Monitoring ASA Appliance through ASDM
Step 1: To verify the platform, ASA version, ASDM version, device uptime, interface status, CPU and
memory utilization and the latest ASDM syslog messages, go to the Home page of ASDM.


Step 2: To monitor the routing table, navigate to Monitoring > Routing.


Step 3: To monitor the interfaces, navigate to Monitoring > Interfaces.


Step 4: To monitor the AAA servers, navigate to Monitoring > Properties > AAA Servers.


Step 5: For real-time logging, navigate to Monitoring > Logging > Real Time Log View.


Step 6: Click View to see the real-time logs.
