
CCNA Security

Chapter 10 Lab F: Configuring ASA 5510 Basic Settings and Firewall Using ASDM (Instructor Version)
Grey Highlighting - indicates answers provided on instructor lab copies only

Topology

Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet interfaces

!ll contents are "opyright # $%%2&2'$2 "isco Syste(s) Inc !ll rights reserved *his docu(ent is "isco +ublic Infor(ation

Page 1 of 54


IP Addressing Table

Device  Interface        IP Address       Subnet Mask      Default Gateway  Switch Port
R1      Fa0/0            209.165.200.225  255.255.255.248  N/A              ASA E0/0
R1      S0/0/0 (DCE)     10.1.1.1         255.255.255.252  N/A              N/A
R2      S0/0/0           10.1.1.2         255.255.255.252  N/A              N/A
R2      S0/0/1 (DCE)     10.2.2.2         255.255.255.252  N/A              N/A
R3      Fa0/1            172.16.3.1       255.255.255.0    N/A              S3 Fa0/5
R3      S0/0/1           10.2.2.1         255.255.255.252  N/A              N/A
ASA     E0/0 (outside)   209.165.200.226  255.255.255.248  N/A              R1 Fa0/0
ASA     E0/1 (inside)    192.168.1.1      255.255.255.0    N/A              S2 Fa0/24
ASA     E0/2 (dmz)       192.168.2.1      255.255.255.0    N/A              S1 Fa0/24
PC-A    NIC              192.168.2.3      255.255.255.0    192.168.2.1      S1 Fa0/6
PC-B    NIC              192.168.1.3      255.255.255.0    192.168.1.1      S2 Fa0/18
PC-C    NIC              172.16.3.3       255.255.255.0    172.16.3.1       S3 Fa0/18

Objectives

Part 1: Lab Setup
- Cable the network as shown in the topology.
- Configure hostnames and interface IP addresses for routers, switches, and PCs.
- Configure static routing, including default routes, between R1, R2, and R3.
- Configure HTTP and Telnet access for R1.
- Verify connectivity between hosts, switches, and routers.

Part 2: Accessing the ASA Console and ASDM
- Access the ASA console and view hardware, software, and configuration settings.
- Clear previous configuration settings.
- Use CLI to configure settings for ASDM access.
- Test Ethernet and Layer 3 connectivity to the ASA.
- Access the ASDM GUI and explore major windows and options.

Part 3: Configuring Basic ASA Settings and Firewall Using the ASDM Startup Wizard
- Configure the hostname, domain name, and enable password.
- Configure the inside and outside interfaces.
- Configure DHCP for the inside network.
- Configure port address translation (PAT) for the inside network.
- Configure Telnet and SSH administrative access.
- Set the date and time.
- Configure a static default route for the ASA.

Part 4: Configuring ASA Settings from the ASDM Configuration Menu
- Test connectivity using ASDM Ping and Traceroute.
- Configure Local AAA user authentication.
- Modify the MPF application inspection policy.

Part 5: Configuring a DMZ, Static NAT and ACLs
- Configure static NAT for the DMZ server.
- Configure an ACL on the ASA to allow access to the DMZ for Internet users.
- Verify access to the DMZ server for external and internal users.
- Use ASDM Monitor to graph traffic.

Background / Scenario

The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall as well as VPN and other capabilities. This lab employs an ASA 5510 to create a firewall and protect an internal corporate network from external intruders while allowing internal hosts access to the Internet. The ASA creates three security interfaces: Outside, Inside and DMZ. It provides outside users limited access to the DMZ and no access to internal resources. Inside users can access the DMZ and outside resources.

The focus of this lab is on the configuration of the ASA as a basic firewall. Other devices will receive minimal configuration to support the ASA portion of the lab. This lab uses the ASA GUI interface ASDM, which is similar to the SDM and CCP used with Cisco ISRs, to configure basic device and security settings.

In Part 1 of the lab you will configure the topology and non-ASA devices. In Part 2 you will prepare the ASA for ASDM access. In Part 3 you will use the ASDM Startup wizard to configure basic ASA settings and the firewall between the inside and outside networks. In Part 4 you will configure additional settings via the ASDM configuration menu. In Part 5 you will configure a DMZ on the ASA and provide access to a server in the DMZ.

Your company has one location connected to an ISP. Router R1 represents a CPE device managed by the ISP. Router R2 represents an intermediate Internet router. Router R3 connects an administrator from a network management company, who has been hired to manage your network remotely. The ASA is an edge CPE security device that connects the internal corporate network and DMZ to the ISP while providing NAT and DHCP services to inside hosts. The ASA will be configured for management by an administrator on the internal network as well as the remote administrator. ASA Layer 3 routed interfaces provide access to the three areas created in the lab: Inside, Outside, and DMZ. The ISP has assigned the public IP address space of 209.165.200.224/29, which will be used for address translation on the ASA.

Note: The routers used with this lab are Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image). The switches are Cisco WS-C2960-24TT-L with Cisco IOS Release 12.2(46)SE (C2960-LANBASEK9-M image). Other routers, switches, and Cisco IOS versions can be used. However, results and output may vary. The ASA used with this lab is a Cisco model 5510 with four FastEthernet routed interfaces, running OS version 8.4(2) and ASDM version 6.4(5), and comes with a Base license that allows a maximum of 50 VLANs.

Note: Make sure that the routers and switches have been erased and have no startup configurations.

Instructor Notes: Instructions for erasing both the switch and router are provided in the Lab Manual, located on Academy Connection in the Tools section. Instructions for erasing the ASA and accessing the console are provided in this lab.

Required Resources

- 3 routers (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
- 3 switches (Cisco 2960 or comparable)
- 1 ASA 5510 (OS version 8.4(2) and ASDM version 6.4(5) and Base license or comparable)
- PC-A: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client (Web and FTP server optional)
- PC-B: Windows XP, Vista, or Windows 7 with PuTTY SSH client and Java version 6.x or higher (ASDM loaded on the PC is optional)
- PC-C: Windows XP, Vista, or Windows 7 with CCP, PuTTY SSH client
- Serial and Ethernet cables as shown in the topology
- Rollover cables to configure the routers and ASA via the console

Instructor Notes: This lab is divided into five parts. Part 1 and 2 can be performed separately but must be performed before Parts 3 through 5. Part 2 uses the ASA CLI to prepare the ASA for ASDM access. Parts 3 through 5 can be performed individually or in combination with others as time permits, but should be performed sequentially. In some cases, a task assumes the configuration of certain features in a prior task. The main goal is to use an ASA to implement firewall and other services that might previously have been configured on an ISR. As with Lab 10E, the student configures the most common basic ASA 5510 settings and services, such as NAT, ACL, DHCP, AAA, and SSH. Whereas Lab 10E uses the CLI to configure these features and settings, this lab uses ASDM, the ASA GUI. The final running configs for all devices are found at the end of the lab.


Part 1: Basic Router/Switch/PC Configuration

In Part 1 of this lab, you will set up the network topology and configure basic settings on the routers such as interface IP addresses and static routing.

Note: Do not configure any ASA settings at this time.

Step 1: Cable the network and clear previous device settings.

Attach the devices that are shown in the topology diagram and cable as necessary. Make sure that the routers and switches have been erased and have no startup configurations.

Step 2: Configure basic settings for routers and switches.

a. Configure host names as shown in the topology for each router.
b. Configure router interface IP addresses as shown in the IP Addressing Table.
c. Configure a clock rate for routers with a DCE serial cable attached to the serial interface.
d. Configure the host name for the switches. With the exception of the host name, the switches can be left in their default configuration state. Configuring the VLAN management IP address for the switches is optional.

Step 3: Configure static routing on the routers.

a. Configure a static default route from R1 to R2 and from R3 to R2.

R1(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/0
R3(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/1

b. Configure a static route from R2 to the R1 Fa0/0 subnet (connected to ASA interface E0/0) and a static route from R2 to the R3 LAN.

R2(config)# ip route 209.165.200.224 255.255.255.248 Serial0/0/0
R2(config)# ip route 172.16.3.0 255.255.255.0 Serial0/0/1

Step 4: Enable the HTTP server on R1 and set the enable and vty passwords.

a. Enable HTTP access to R1 using the ip http server command in global config mode. Configure an enable password of class. Also set the vty and console passwords to cisco. This will provide web and Telnet targets for testing later in the lab.

R1(config)# ip http server
R1(config)# enable password class
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login

b. On routers R2 and R3, set the same enable, console and vty passwords as with R1.

Step 5: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C as shown in the IP Addressing Table.


Step 6: Verify connectivity.

Because the ASA is the focal point for the network zones and it has not yet been configured, there will be no connectivity between devices that are connected to it. However, PC-C should be able to ping the Fa0/0 interface of R1. From PC-C, ping the R1 Fa0/0 IP address (209.165.200.225). If these pings are not successful, troubleshoot the basic device configurations before continuing.

Note: If you can ping from PC-C to R1 Fa0/0 and S0/0/0 you have demonstrated that static routing is configured and functioning correctly.

Step 7: Save the basic running configuration for each router and switch.

Part 2: Accessing the ASA Console and ASDM

In Part 2 of this lab, you will access the ASA via the console and use various show commands to determine hardware, software, and configuration settings. You will prepare the ASA for ASDM access and explore some of the ASDM screens and options.

Step 1: Access the ASA console.

a. Accessing the ASA via the console port is the same as with a Cisco router or switch. Connect to the ASA console port with a rollover cable.
b. Use a terminal emulation program such as TeraTerm or HyperTerminal to access the CLI. Use the Serial port settings of 9600 baud, eight data bits, no parity, one stop bit, and no flow control.
c. If prompted to enter Interactive Firewall configuration (Setup mode), answer no.
d. Enter privileged mode with the enable command and password (if set). By default the password is blank so you can just press Enter. If the password has been changed to that specified in this lab, the password will be class. In addition, the hostname and prompt will be CCNAS-ASA>, as shown here. The default ASA hostname and prompt is ciscoasa>.

CCNAS-ASA> enable
Password: class (or press Enter if none set)

Step 2: Determine the ASA version, interfaces, and license.

The ASA 5510 used in this lab has four integrated 10/100 FastEthernet interfaces (E0/0 - E0/3). Unlike the 5505 model, these are Layer 3 routed interfaces similar to those in an ISR. In addition, a special Management FastEthernet interface (M0/0) is also provided, which is not present on the ASA 5505. Use the show version command to determine various aspects of this ASA device.

CCNAS-ASA# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"

CCNAS-ASA up 24 mins 5 secs

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1

 0: Ext: Ethernet0/0         : address is 44d3.cafd.986c, irq 9
 1: Ext: Ethernet0/1         : address is 44d3.cafd.986d, irq 9
 2: Ext: Ethernet0/2         : address is 44d3.cafd.986e, irq 9
 3: Ext: Ethernet0/3         : address is 44d3.cafd.986f, irq 9
 4: Ext: Management0/0       : address is 44d3.cafd.986b, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.
<output omitted>

What software version is this ASA 5510 running?
The ASA in this lab uses version 8.4(2).

What is the name of the system image file and from where was it loaded?
The system image file in the ASA for this lab is asa842-k8.bin and it was loaded from disk0: (or flash:).

The ASA can be managed using a built-in GUI known as the Adaptive Security Device Manager (ASDM). What version of ASDM is this ASA running?
The ASA in this lab uses ASDM version 6.4(5).

How much RAM does this ASA have?
The ASA in this lab has 1 GB RAM.

How much flash memory does this ASA have?
The ASA in this lab has 256 MB flash memory.

How many Ethernet interfaces does this ASA have?
The ASA in this lab has 4 Ethernet interfaces.

What type of license does this ASA have?
Base license.

How many VLANs can be created with this license?
50 VLANs with the Base license.

Instructor Note: Unlike the ASA 5505 base license, which can only create three VLANs, the 5510 base license can create up to 50 VLANs and does not have the DMZ feature restriction.

Step 3: Determine the file system and contents of flash memory.

a. Display the ASA file system using the show file system command to determine what prefixes are supported.

CCNAS-ASA# show file system
File Systems:

       Size(b)       Free(b)      Type  Flags  Prefixes
*    260034560     198070070      disk     rw  disk0: flash:
             -             -      disk     rw  disk1:
             -             -   network     rw  tftp:
             -             -    opaque     rw  system:
             -             -   network     ro  http:
             -             -   network     ro  https:
             -             -   network     rw  ftp:
             -             -   network     rw  smb:

What is another name for flash:?
Disk0:

b. Display the contents of flash memory using one of these commands: show flash, show disk0, dir flash: or dir disk0:.

CCNAS-ASA# show flash:
--#--  --length--  -----date/time------  path
  104    15390720  Oct 19 2011 15:49:48  asa842-k8.bin
  105    16208544  Oct 19 2011 18:00:04  asdm-645.bin
    3        4096  Jan 01 2003 00:03:30  log
   10        4096  Jan 01 2003 00:04:00  crypto_archive
   11        4096  Jan 01 2003 00:04:04  coredumpinfo
   12          43  Jan 01 2003 00:04:04  coredumpinfo/coredump.cfg
  107     1010513  Oct 19 2011 18:07:50  csd_3.5.841-k9.pkg
  108        4096  Oct 19 2011 18:07:50  sdesktop
  135        1460  Oct 19 2011 18:07:50  sdesktop/data.xml
  109     2857568  Oct 19 2011 18:07:54  anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
  130     3003909  Oct 19 2011 18:07:54  anyconnect-win-2.4.1012-k9.pkg
  131     4830344  Oct 19 2011 18:07:58  anyconnect-macosx-i386-2.4.1012-k9.pkg
  132     5009403  Oct 19 2011 18:08:00  anyconnect-linux-2.4.1012-k9.pkg

260034560 bytes total (198070070 bytes free)

What is the name of the ASDM file in flash:?
asdm-645.bin

Instructor Notes: Check the contents of flash memory occasionally to see if there are many upgrade_startup_error log files. The ASA generates these as a result of erasing the startup config. You can delete these by issuing the command del flash:upgrade_startup_errors* from the enable prompt and pressing Enter at each prompt.

CCNAS-ASA# del flash:upgrade_startup_errors*
Delete filename [upgrade_startup_errors*]?
Delete disk0:/upgrade_startup_errors_201109141157.log? [confirm] <Enter>
Delete disk0:/upgrade_startup_errors_201109141204.log? [confirm] <Enter>
<output omitted>

Note: Alternatively, you can use the command dir flash:/*.log to view the log files and then use the del flash:/*.log command to remove them.

Step 4: Determine the current running configuration.

The ASA 5510 is commonly used as an edge security device that connects a medium-sized business to an ISP for access to the Internet. The default factory configuration for the ASA 5510 includes the following:

- The management interface, Management 0/0, is configured. If you did not set the IP address using the configure factory-default command, then the IP address and mask are 192.168.1.1 and 255.255.255.0.

Note: The Management 0/0 interface is a separate physical FastEthernet interface on the ASA 5510. This interface is not present on the ASA 5505.

- The DHCP server is enabled on the security appliance, so a PC connecting to the Management 0/0 interface receives an address between 192.168.1.2 and 192.168.1.254.

Note: With the default factory configuration, it is assumed that the PC connected to Management 0/0 is a DHCP client and will be used to configure the 5510 using the ASDM GUI embedded in flash.

- The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
- No console or enable passwords are required and the default host name is ciscoasa.

Note: The default factory configuration only configures the Management 0/0 interface and does not configure an inside or outside network interface. The configuration consists of the commands listed below.

Note: Do not use these commands to configure the ASA at this time.

interface management 0/0
 ip address 192.168.1.1 255.255.255.0
 nameif management
 security-level 100
 no shutdown
logging asdm informational 100
asdm history enable
http server enable
http 192.168.1.0 255.255.255.0 management
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management

a. Display the current running configuration using the show running-config command. Output will vary depending on the current state of the ASA configuration.

CCNAS-ASA# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname CCNAS-ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
<output omitted>

Tip: To stop the output from a command using the CLI, press the letter Q.

If you see the Management interface configured, and other settings as described previously, the device is most likely configured with the default factory configuration. You may also see other security features such as a global policy that inspects selected application traffic, which the ASA inserts by default, if the original startup configuration has been erased. The actual output will vary depending on the ASA model, version and configuration status.


b. You can restore the ASA to its factory default settings by using the command configure factory-default from global configuration mode as shown here.

CCNAS-ASA# conf t
CCNAS-ASA(config)# configure factory-default
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the system on the next reload.
Verify there is a valid image on disk0:/ or the system will not boot.

Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface management0/0
Executing command: nameif management
INFO: Security level for "management" set to 0 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: no shutdown
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 management
Executing command: dhcpd address 192.168.1.2-192.168.1.254 management
Executing command: dhcpd enable management
Executing command: logging asdm informational
Factory-default configuration is completed

Review this output. You may wish to capture and print the factory-default configuration as a reference.

Note: Restoring the ASA to factory default settings resets the hostname and prompt to ciscoasa>.

Step 5: Clear the previous ASA configuration settings.

a. Use the write erase command to remove the startup-config file from flash memory.

ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa#
ciscoasa# show start
No Configuration

Note: The IOS command erase startup-config is not supported on the ASA.

b. Use the reload command to restart the ASA. If prompted to save the configuration, respond with "no".

ciscoasa# reload
Proceed with reload? [confirm] <Enter>
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
<output omitted>


Step 6: Bypass setup mode and configure the ASA interfaces.

When the ASA completes the reload process, it should detect that the startup-config file is missing and present a series of interactive prompts to configure basic ASA settings. If it does not come up in this mode, repeat Step 5.

a. When prompted to pre-configure the firewall through interactive prompts (Setup mode), respond with "no".

Pre-configure Firewall now through interactive prompts [yes]? no

b. Enter privileged EXEC mode with the enable command and press Enter. The password should be blank (no password) at this point.
c. Enter global configuration mode using the command config t. The first time you enter configuration mode after reloading you will be asked if you wish to enable anonymous reporting. Respond with "no".

ASA 5510 interface notes: The 5510 and other higher-end 5500 series ASA models are different from the ASA 5505. With the 5510 a physical FastEthernet interface can be assigned a Layer 3 IP address directly, much like a Cisco router. With the ASA 5505, the eight integrated switch ports are Layer 2 ports and VLANs must be created. This is not the case with the 5510. The four FastEthernet interfaces on the 5510 are routed interfaces.

Note: If you completed the initial configuration Setup utility, Management interface M0/0 is configured with an IP address of 192.168.1.1. You will need to remove the IP address from the M0/0 interface in order to assign it to the inside interface E0/1. Instructions are provided here to configure both the inside (E0/1) and outside interface (E0/0) at this time. The DMZ interface (E0/2) will be configured in Part 6 of the lab.

d. Remove the configuration from the M0/0 interface and shut it down (if required).

ciscoasa(config)# interface m0/0
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# no nameif
ciscoasa(config-if)# no security-level
ciscoasa(config-if)# no ip address

e. Configure interface E0/1 for the inside network, 192.168.1.0/24. Name the interface inside, set the security level to the highest setting of 100 and bring it up.

ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown

f. Configure interface E0/0 for the outside network, 209.165.200.224/29. Name the interface outside, set the security level to the lowest setting of 0 and bring it up.

ciscoasa(config-if)# interface e0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 209.165.200.226 255.255.255.248
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown

Interface security level notes: You may receive a message that the security level for the inside interface was set automatically to 100 and the outside interface was set to 0. The ASA uses interface security levels from 0 to 100 to enforce the security policy. Security Level 100 (inside) is the most secure and level 0 (outside) is the least secure. By default, the ASA applies a policy where traffic from a higher security level interface to one with a lower level is permitted and traffic from a lower security level interface to one with a higher security level is denied. The ASA default security policy permits outbound traffic, which is inspected by default. Returning traffic is allowed because of stateful packet inspection. This default "routed mode" firewall behavior of the ASA allows packets to be routed from the inside network to the outside network but not vice versa. In Part 3 of this lab you will configure NAT to increase the firewall protection.

g. Use the show interface ip brief command to ensure that ASA interfaces E0/0 and E0/1 are both up/up. Note that this command is different from the IOS command show ip interface brief. If either port is shown as down/down, check the physical connections. If either port is administratively down, bring it up with the no shutdown command.

ciscoasa(config-if)# show interface ip brief
Interface       IP-Address       OK? Method Status                 Protocol
Ethernet0/0     209.165.200.226  YES manual up                     up
Ethernet0/1     192.168.1.1      YES manual up                     up
Ethernet0/2     unassigned       YES unset  administratively down  up
Ethernet0/3     unassigned       YES unset  administratively down  down
Management0/0   unassigned       YES unset  administratively down  down

Tip: Most ASA show commands, as well as ping, copy and others, can be issued from within any config mode prompt without the "do" command required with IOS.

h. Display the Layer 3 interface information using the show ip address command.

ciscoasa(config)# show ip address
<output omitted>
Current IP Addresses:
Interface       Name      IP address       Subnet mask      Method
Ethernet0/0     outside   209.165.200.226  255.255.255.248  manual
Ethernet0/1     inside    192.168.1.1      255.255.255.0    manual

You may also use the command show running-config interface to display the configuration for a particular interface from the running-config.

ciscoasa# show run interface e0/0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248

i. Test basic connectivity to the ASA by pinging from PC-B to ASA interface E0/1 IP address 192.168.1.1. The pings should be successful.
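As an added example (not part of the Cisco lab), the following Python script checks the result of Step 6 the way an engineer would in a verification script: it parses a constructed copy of the show interface ip brief output to confirm that E0/0 and E0/1 are addressed and up/up, and it encodes the default security-level policy from the notes above so the reader can test which direction is permitted before NAT or ACLs are added. The security levels are the ones assigned in this step; the same_security flag models the "traffic between interfaces of the same security level" option the Startup Wizard later offers.

```python
"""Verification helpers for Part 2, Step 6 of the lab (added example)."""
import re

# Constructed sample of the ASA output shown in the lab, not a live capture.
SHOW_INTERFACE_IP_BRIEF = """\
Interface       IP-Address       OK? Method Status                 Protocol
Ethernet0/0     209.165.200.226  YES manual up                     up
Ethernet0/1     192.168.1.1      YES manual up                     up
Ethernet0/2     unassigned       YES unset  administratively down  up
Ethernet0/3     unassigned       YES unset  administratively down  down
Management0/0   unassigned       YES unset  administratively down  down
"""

# One row of "show interface ip brief"; the status column may contain a space.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>up|down|administratively down)\s+(?P<protocol>up|down)\s*$"
)


def parse_interface_brief(text):
    """Return {interface: (ip, status, protocol)}; the header row does not match."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[m["name"]] = (m["ip"], m["status"], m["protocol"])
    return table


def interfaces_not_ready(text, required):
    """Names of required interfaces that are missing, unaddressed, or not up/up."""
    table = parse_interface_brief(text)
    bad = []
    for name in required:
        entry = table.get(name)
        if entry is None or entry[0] == "unassigned" or entry[1:] != ("up", "up"):
            bad.append(name)
    return bad


# Security levels assigned in Step 6 (the dmz interface is added later in the lab).
SECURITY_LEVELS = {"inside": 100, "outside": 0}


def default_policy_permits(src, dst, levels=SECURITY_LEVELS, same_security=False):
    """Default ASA routed-mode policy for a new connection from src to dst.

    Higher-to-lower security is permitted, lower-to-higher is denied, and equal
    levels are denied unless same-security traffic has been permitted. Return
    traffic of an established connection is matched by the stateful connection
    table, so it is not decided by this rule.
    """
    s, d = levels[src], levels[dst]
    if s > d:
        return True
    if s == d:
        return same_security
    return False


if __name__ == "__main__":
    print("not ready:", interfaces_not_ready(SHOW_INTERFACE_IP_BRIEF,
                                            ["Ethernet0/0", "Ethernet0/1"]))
    for src, dst in (("inside", "outside"), ("outside", "inside")):
        print(f"{src} -> {dst}: {default_policy_permits(src, dst)}")
```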

Step 7: Configure HTTP and verify ASDM access to the ASA.

a. Configure the ASA to accept HTTPS connections using the http command to allow access to ASDM from any host on the inside network 192.168.1.0/24.

ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside

b. Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1.

Note: Be sure to specify the HTTPS protocol in the URL.

Step 8: Access ASDM and explore the GUI.

a. After entering the URL above, you should see a security warning about the website security certificate. Click Continue to this website. The ASDM Welcome page will display. From this screen, you can run ASDM as a local application on the PC (installs ASDM on the PC), run ASDM as a browser-based Java applet directly from the ASA, or run the Startup wizard.


b. Click the Run ASDM button.
c. Click Yes for any other security warnings. You should see the Cisco ASDM-IDM Launcher dialog box where you can enter a username and password. Leave these fields blank as they have not yet been configured.


d. Click OK to continue. ASDM will load the current configuration into the GUI.
e. The initial GUI screen is displayed with various areas and options. The main menu at the top left of the screen contains three main sections: Home, Configuration, and Monitoring. The Home section is the default and has two dashboards: Device and Firewall. The Device dashboard is the default screen and shows device information such as Type (ASA 5510), ASA and ASDM version, amount of memory and firewall mode (routed). There are five areas on the Device Dashboard:
- Device Information
- Interface Status
- VPN Sessions
- System Resources Status
- Traffic Status


f. Click the Configuration and Monitoring tabs to become familiar with their layout and to see what options are available.


Part 3: Configuring Basic ASA Settings and Firewall Using the ASDM Startup Wizard

Step 1: Access the Configuration menu and launch the Startup wizard.

a. Click the Configuration button at the top left of the screen. There are five main configuration areas:
- Device Setup
- Firewall
- Remote Access VPN
- Site-to-Site VPN
- Device Management

b. The Device Setup Startup wizard is the first option available and displays by default. Read through the on-screen text describing the Startup wizard and then click the Launch Startup Wizard button.

Step 2: Configure hostname, domain name, and enable password.

a. On the first Startup Wizard screen, you have a choice of modifying the existing configuration or resetting the ASA to the factory defaults. With the Modify Existing Configuration option selected, click Next to continue.
b. On the Startup Wizard Step 2 screen, Basic Configuration, configure the ASA host name CCNAS-ASA and domain name of ccnasecurity.com. Click the checkbox for changing the enable mode password and change it from blank (no password) to class and enter it again to confirm. When the entries are completed, click Next to continue.


Step 3: Configure the outside interface.

a. On the Startup Wizard Step 3 screen - Outside Interface Configuration, Interface Settings tab, review the interface properties shown. Do not change the current settings because these were previously defined using the CLI. Click Next to continue.


b. On the Startup Wizard Step 4 screen - Other Interface Configuration, verify the settings for the inside interface, which were previously configured via the CLI. You can edit the settings for any of the interfaces from this screen. Note: Do not check the two boxes for enabling traffic between interfaces of the same security level and hosts on the same interface.


c. On the Startup Wizard Step 5 screen - Static Routes, click Next to bypass this wizard option at this time. You will configure a static route for the ASA later using the Configuration menu.


Step 4: Configure DHCP, address translation and administrative access.

a. On the Startup Wizard Step 6 screen - DHCP Server, select the checkbox to Enable DHCP server on the inside interface. Enter a Starting IP Address of 192.168.1.5 and Ending IP Address of 192.168.1.50. Enter the DNS Server 1 address of 10.20.30.40 and Domain Name ccnasecurity.com. Do NOT check the box to Enable autoconfiguration from interface. Click Next to continue.


b. On the Startup Wizard Step 7 screen - Address Translation (NAT/PAT), click the button Use Port Address Translation (PAT). The default is to use the IP address of the outside interface. Note that you can also specify a particular IP address for PAT or a range of addresses with NAT. Click Next to continue.


c. On the Startup Wizard Step 8 screen - Administrative Access, HTTPS/ASDM access is currently configured for hosts on inside network 192.168.1.0/24. Add Telnet access to the ASA for the inside network 192.168.1.0 with a subnet mask of 255.255.255.0. Add SSH access to the ASA from host 172.16.3.3 on the outside network. Make sure the checkbox Enable HTTP server for HTTPS/ASDM access is checked. Click Next to continue.


d. On the Startup Wizard Step 9 screen - Auto Update Server, review the on-screen text describing the function of Auto Update but do not check the box to Enable Auto Update ASA. Click Next to continue.


e. On the Startup Wizard Step 10 screen - Cisco Smart Call Home Enrollment, review the on-screen text describing the function of Smart Call Home and leave the default radio button selected to not enable this feature. Click Next to continue.


Step 5: Review the summary and deliver the commands to the ASA.

a. On the Startup Wizard Step 11 screen - Startup Wizard Summary, review the Configuration Summary and click Finish. ASDM will deliver the commands to the ASA device and then reload the modified configuration.

Note: If the GUI dialogue box stops responding during the reload process, close it, exit ASDM, and restart the browser and ASDM. If prompted to save the configuration to flash memory, respond with Yes. Even though ASDM may not appear to have reloaded the configuration, the commands were delivered. If there are errors encountered as ASDM delivers the commands, you will be notified with a list of commands that succeeded and those that failed.


b. Restart ASDM and provide the new enable password class with no username. Return to the Device Dashboard and check the Interface Status window. You should see the inside and outside interfaces with IP address and status. The inside interface should show some number of Kb/s. The Traffic Status window may show the ASDM access as a TCP traffic spike.

Step 6: Test Telnet and SSH access to the ASA.

a. From a command prompt or GUI Telnet client on PC-B, Telnet to the ASA inside interface at IP address 192.168.1.1. Login to the ASA using the default login password of cisco. Enter privileged EXEC mode by using the enable command and provide the password class. Exit the Telnet session by using the quit command.

b. In Part 3, Step 4, SSH access was configured using the Startup wizard to allow access to the ASA from outside PC-C (172.16.3.3). From PC-C, open an SSH client such as PuTTY and attempt to connect to the ASA outside interface at 209.165.200.226. You will not be able to establish the connection because SSH access (ASA version 8.4(2) and later) requires that you also configure AAA and provide an authenticated user name. AAA will be configured in Part 4 of the lab.

Step 7: Test access to an external website from PC-B.

a. Open a browser on PC-B and enter the IP address of the R1 Fa0/0 interface (209.165.200.225) to simulate access to an external website. The R1 HTTP server was enabled in Part 1 of the lab so you should be prompted with a user authentication login dialog box from the R1 GUI device manager. Leave the username blank and enter the password of class. Exit the browser.

b. You should see TCP activity in the ASDM Device Dashboard Traffic Status window.

Step 8: Test access to an external website using the ASDM Packet Tracer utility.

a. From the ASDM Home page, choose Tools > Packet Tracer. Choose the inside interface from the Interface drop-down menu and click TCP from the Packet Type radio buttons. From the Source drop-down menu, choose IP Address and enter the address 192.168.1.3 (PC-B) with a source port of 1500. From the Destination drop-down menu, choose IP Address and enter 209.165.200.225 (R1 Fa0/0) with a Destination Port of HTTP. Click Start to begin the trace of the packet. The packet should be permitted.


b. Reset the entries by clicking the Clear button. Try another trace and choose outside from the Interface drop-down menu and leave TCP as the packet type. From the Source drop-down menu, choose IP Address and enter 209.165.200.225 (R1 Fa0/0) and a Source Port of 1500. From the Destination drop-down menu, choose IP Address and enter the address 209.165.200.226 (ASA outside interface) with a Destination Port of telnet. Click Start to begin the trace of the packet. The packet should be dropped. Click Close to continue.


Part 4: Configuring ASA Settings from the ASDM Configuration Menu

In Part 4, you will set the ASA clock, configure a default route, test connectivity using the ASDM tools Ping and Traceroute, configure Local AAA user authentication, and modify the MPF application inspection policy.

Step 1: Set the ASA date and time.

a. From the Configuration screen, Device Setup menu, choose System Time > Clock.

b. Select your Time Zone from the drop-down menu and enter the current date and time in the fields provided. The clock is a 24-hour clock. Click Apply to send the commands to the ASA.


Step 2: Configure a static default route for the ASA.

a. From the ASDM Tools menu, select Ping and enter the IP address of router R1 S0/0/0 (10.1.1.1). The ASA does not have a default route to unknown external networks. The ping should fail because the ASA has no route to 10.1.1.1. Click Close to continue.

b. From the Configuration screen, Device Setup menu, choose Routing > Static Routes. Click the IPv4 Only button and click Add to add a new static route.

c. In the Add Static Route dialogue box, choose the outside interface from the drop-down menu. Click the ellipsis button to the right of Network and select any from the list of network objects, then click OK. The selection of any translates to a "quad zero" (0.0.0.0 0.0.0.0) route. For the Gateway IP, enter 209.165.200.225 (R1 Fa0/0).

d. Click OK and click Apply to send the commands to the ASA.


e. From the ASDM Tools menu, select Ping and enter the IP address of router R1 S0/0/0 (10.1.1.1). The ping should succeed this time. Click Close to continue.

f. From the ASDM Tools menu, select Traceroute and enter the IP address of external host PC-C (172.16.3.3). Click on Trace Route. The traceroute should succeed and show the hops from the ASA through R1, R2, and R3 to host PC-C. Click Close to continue.


Step 3: Configure AAA user authentication using the local ASA database.

It is necessary to enable AAA user authentication in order to access the ASA using SSH. You allowed SSH access to the ASA from the outside host PC-C when the Startup wizard was run. To allow the remote network administrator at PC-C to have SSH access to the ASA, you will create a user in the local database.

a. From the Configuration screen, Device Management area, click Users/AAA. Click User Accounts and then Add. Create a new user named admin with a password of cisco123 and enter the password again to confirm it. Allow this user Full access (ASDM, SSH, Telnet, and console) and set the privilege level to 15. Click OK to add the user and click Apply to send the commands to the ASA.


b. From the Configuration screen, Device Management area, click Users/AAA. Click AAA Access. On the Authentication tab, select the checkboxes to require authentication for HTTP/ASDM, SSH and Telnet connections and specify the "LOCAL" server group for each connection type. Click Apply to send the commands to the ASA.


Note: The next action you attempt within ASDM will require you to login as admin with password cisco123.

c. From PC-C, open an SSH client such as PuTTY and attempt to access the ASA outside interface at 209.165.200.226. You should be able to establish the connection. When prompted to login, enter user name admin and password cisco123.

d. After logging in to the ASA using SSH, enter the enable command and provide the password class. Issue the show run command to display the current configuration you have created using ASDM.

Note: The default timeout for Telnet and SSH is 5 minutes. You can increase this setting using the CLI as described in Lab 10A or go to ASDM Device Management > Management Access > ASDM/HTTP/Telnet/SSH.

Step 4: Modify the MPF application inspection policy.

For application layer inspection, as well as other advanced options, the Cisco Modular Policy Framework (MPF) is available on ASAs.

a. The default global inspection policy does not inspect ICMP. To enable hosts on the internal network to ping external hosts and receive replies, ICMP traffic must be inspected. From the Configuration screen, Firewall area menu, click Service Policy Rules.


b. Select the inspection_default policy and click Edit to modify the default inspection rules. On the Edit Service Policy Rule window, click the Rule Actions tab and select the checkbox for ICMP. Do not change the other default protocols that are checked. Click OK and then click Apply to send the commands to the ASA. If prompted, login again as admin with a password of cisco123.


c. From PC-B, ping the external interface of R1 S0/0/0 (10.1.1.1). The pings should be successful.

Part 5: Configuring a DMZ, Static NAT and ACLs

In Part 3 of this lab, you configured address translation using PAT for the inside network. In this part, you create a DMZ on the ASA, configure static NAT to a DMZ server, and apply an ACL to control access to the server.

Step 1: Configure the ASA DMZ interface.

In this step you will configure a new interface E0/2 named dmz, set the security level to 70, and bring the interface up.

a. From the Configuration screen, Device Setup menu, click Interfaces. Select interface Ethernet0/2 and click Edit.

b. In the Edit Interface dialog box, the General tab is displayed by default. Name the interface dmz, assign it a security level of 70, and make sure the Enable Interface checkbox is checked. Ensure that the Use Static IP button is selected and enter an IP address of 192.168.2.1 with a subnet mask of 255.255.255.0. Click OK. When the Security Level Change warning is displayed, read it and then click OK again.

c. On the Interfaces screen, click Apply to send the commands to the ASA.


Step 2: Configure the DMZ server and static NAT.

To accommodate the addition of a DMZ and a web server, you will use another address from the ISP range assigned, 209.165.200.224/29 (.224-.231). Router R1 Fa0/0 and the ASA outside interface are already using 209.165.200.225 and .226, respectively. You will use public address 209.165.200.227 and static NAT to provide address translation access to the server.

a. From the Configuration screen, Firewall menu, click the Public Servers option and click Add to define the DMZ server and services offered. In the Add Public Server dialog box, specify the Private Interface as dmz, the Public Interface as outside and the Public IP address as 209.165.200.227.

b. Click the ellipsis button to the right of Private IP Address. In the Browse Private IP Address window, click Add to define the server as a Network Object. Enter the name DMZ-Server, with a Type of Host and the Private IP Address of 192.168.2.3. While in the Add Network Object dialog box, click the double down arrow button for NAT. Click the checkbox for Add Automatic Address Translation Rules and enter the type as Static. Enter Translated Addr: 209.165.200.227. When the screen looks like the following, click OK to add the server network object. From the Browse Private IP Address window, click OK. You will return to the Add Public Server dialog box.


c. In the Add Public Server dialog, click the ellipsis button to the right of Private Service. In the Browse Private Service window, double click to select the following services: tcp/http, tcp/ftp, icmp/echo and icmp/echo-reply (scroll down to see all services). Click OK to continue and return to the Add Public Server dialog.

Note: You can specify Public services if different from the Private services, using the option on this screen.


d. When you have completed all information in the Add Public Server dialog box, it should look like the one shown below. Click OK to add the server. Click Apply at the Public Servers screen to send the commands to the ASA.


Step 3: View the DMZ Access Rule (ACL) generated by ASDM.

a. With the creation of the DMZ server object and selection of services, ASDM automatically generates an Access Rule (ACL) to permit the appropriate access to the server and applies it to the outside interface in the incoming direction. View this Access Rule in ASDM by choosing Configuration > Firewall > Access Rules. It appears as an outside incoming rule. You can select the rule and use the horizontal scroll bar to see all of the components.


Note: You can also see the actual IOS commands generated using the ASDM Tools > Command Line Interface and entering the command show run.

Step 4: Test access to the DMZ server from the outside network.

a. From PC-C, ping the IP address of the static NAT public server address (209.165.200.227). The pings should be successful.

b. Because the ASA inside interface E0/1 is set to security level 100 (the highest) and the DMZ interface E0/2 is set to 70, you can also access the DMZ server from a host on the inside network. The ASA acts like a router between the two networks. Ping the DMZ server (PC-A) internal address (192.168.2.3) from inside network host PC-B (192.168.1.3 or DHCP assigned address). The pings should be successful due to interface security level and the fact that ICMP is being inspected on the inside interface by the global inspection policy.

c. The DMZ server cannot ping PC-B on the inside network. This is because the DMZ interface E0/2 has a lower security level (70) than inside interface E0/1 (100). Try to ping from the DMZ server PC-A to PC-B at IP address 192.168.1.X. The pings should not be successful.
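To see why the Packet Tracer results in Part 3, Step 8 and the DMZ ping results in this step come out the way they do, here is an added Python model (not part of the lab and not Cisco's code) of the ASA's first-packet decision: the telnet/ssh management lines for to-the-box traffic, static NAT un-translation, the inbound ACL on the ingress interface, and the default security-level rule. ASA_CONFIG is a constructed excerpt of the lab's final configuration with the ASDM object-group expanded into explicit ACEs, and the step labels are assumptions that map each test flow back to the lab text.

```python
import ipaddress

# Constructed excerpt of the lab's final ASA running-config (object-group expanded into ACEs).
ASA_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
object network DMZ-Server
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.227
access-list outside_access extended permit icmp any object DMZ-Server
access-list outside_access extended permit tcp any object DMZ-Server eq www
access-group outside_access in interface outside
telnet 192.168.1.0 255.255.255.0 inside
ssh 172.16.3.3 255.255.255.255 outside
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
PORTS = {"www": 80, "ftp": 21, "telnet": 23, "ssh": 22}

def parse_config(text):
    """Collect interfaces, network objects, static NAT, ACLs and telnet/ssh lines."""
    cfg = {"interfaces": {}, "objects": {}, "static_nat": {}, "acls": {}, "access_groups": {}, "mgmt": {}}
    section = None  # interface dict or network-object name currently being filled in
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "interface":
            section = {}
        elif tok[:2] == ["object", "network"]:
            section = tok[2]
        elif line.startswith(" ") and isinstance(section, dict):  # interface sub-commands
            if tok[0] == "nameif":
                cfg["interfaces"][tok[1]] = section
            elif tok[0] == "security-level":
                section["level"] = int(tok[1])
            elif tok[:2] == ["ip", "address"]:
                section["addr"] = ipaddress.ip_address(tok[2])
                section["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif line.startswith(" ") and isinstance(section, str):  # network-object sub-commands
            if tok[0] == "host":
                cfg["objects"][section] = ipaddress.ip_network(tok[1])
            elif tok[0] == "nat" and "static" in tok:
                cfg["static_nat"][ipaddress.ip_address(tok[-1])] = section
        elif tok[0] == "access-list":  # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
            ops = [w for w in tok[5:] if w != "object"]  # SRC and DST are "any" or an object name
            src, dst = (ANY if w == "any" else cfg["objects"][w] for w in ops[:2])
            port = PORTS[ops[3]] if len(ops) > 2 else None
            cfg["acls"].setdefault(tok[1], []).append((tok[3], tok[4], src, dst, port))
        elif tok[0] == "access-group":  # access-group NAME in interface IFACE
            cfg["access_groups"][tok[4]] = tok[1]
        elif tok[0] in ("telnet", "ssh") and len(tok) == 4:  # SVC NET MASK IFACE
            cfg["mgmt"].setdefault((tok[0], tok[3]), []).append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
    return cfg

def evaluate(cfg, ingress, proto, src, dst, dport=None):
    """Classify the first packet of a flow arriving on `ingress`; returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ifaces = cfg["interfaces"]
    # 1. To-the-box traffic (dst is an ASA interface): only the telnet/ssh lines for that interface admit it.
    if any(dst == i.get("addr") for i in ifaces.values()):
        svc = {23: "telnet", 22: "ssh"}.get(dport)
        if any(src in n for n in cfg["mgmt"].get((svc, ingress), [])):
            return "permit", f"{svc} from {src} is listed for {ingress} (AAA then authenticates the user)"
        return "drop", f"port {dport} from {src} is not an allowed management service on {ingress}"
    # 2. Un-translate a static NAT mapped address: ACLs and routing use real addresses (ASA 8.3+).
    real_dst = cfg["objects"][cfg["static_nat"][dst]].network_address if dst in cfg["static_nat"] else dst
    egress = next((n for n, i in ifaces.items() if i.get("net") and real_dst in i["net"]), None)
    if egress in (None, ingress):
        return "drop", "no egress interface for the destination"
    # 3. An inbound ACL on the ingress interface overrides the security-level rule.
    acl = cfg["access_groups"].get(ingress)
    if acl:
        for action, aproto, asrc, adst, aport in cfg["acls"][acl]:
            if aproto in (proto, "ip") and src in asrc and real_dst in adst and aport in (None, dport):
                return ("permit" if action == "permit" else "drop"), f"matched '{action} {aproto}' ACE in {acl}"
        return "drop", f"no ACE in {acl} matches (implicit deny)"
    # 4. No ACL: only higher-to-lower security passes (the ICMP replies also need 'inspect icmp', Part 4 Step 4).
    lin, lout = ifaces[ingress]["level"], ifaces[egress]["level"]
    if lin > lout:
        return "permit", f"{ingress} ({lin}) to {egress} ({lout}) is higher to lower security"
    return "drop", f"{ingress} ({lin}) to {egress} ({lout}) needs an inbound ACL on {ingress}"

def lab_flows():
    cfg = parse_config(ASA_CONFIG)
    flows = [  # (label, ingress, proto, src, dst, dport) for each flow the lab has you test
        ("part3-step8a inside PC-B -> R1 Fa0/0 http", "inside", "tcp", "192.168.1.3", "209.165.200.225", 80),
        ("part3-step8b outside R1 -> ASA outside telnet", "outside", "tcp", "209.165.200.225", "209.165.200.226", 23),
        ("part4-step3c outside PC-C -> ASA outside ssh", "outside", "tcp", "172.16.3.3", "209.165.200.226", 22),
        ("part5-step4a outside PC-C -> DMZ public address icmp", "outside", "icmp", "172.16.3.3", "209.165.200.227", None),
        ("part5-step4b inside PC-B -> DMZ server icmp", "inside", "icmp", "192.168.1.3", "192.168.2.3", None),
        ("part5-step4c dmz PC-A -> inside PC-B icmp", "dmz", "icmp", "192.168.2.3", "192.168.1.3", None),
    ]
    return {f[0]: evaluate(cfg, *f[1:])[0] for f in flows}  # label -> "permit" or "drop"
```

lab_flows() returns the verdict per flow; the two ICMP flows it permits still rely on ICMP inspection from Part 4, Step 4 for the echo replies to return, which this model does not simulate.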

Step 5: Use ASDM Monitoring to graph packet activity.

There are a number of aspects of the ASA that can be monitored using the Monitoring screen. The main categories on this screen are Interfaces, VPN, Routing, Properties, and Logging. In this step you will create a graph to monitor packet activity for the ASA outside interface.

a. From the Monitoring screen, Interfaces menu, click Interface Graphs > outside. Select Packet Counts and click Add to add the graph. The exhibit below shows Packet Counts added.


b. Click the Show Graphs button to display the graph. Initially there is no traffic displayed.

c. From a privileged mode command prompt on R2, simulate Internet traffic to the ASA by pinging the DMZ server public address with a repeat count of 1000. You can increase the number of pings if desired.

R2# ping 209.165.200.227 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 209.165.200.227, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<output omitted>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/12 ms

You should see the results of the pings from R2 on the graph as an Input Packet Count. The scale of the graph is automatically adjusted depending on the volume of traffic. You can also view the data in tabular form by clicking the Table tab. Notice that the View selected at the bottom left of the Graph screen is Real-time, data every 10 seconds. Click the pull-down menu to see the other options available.

d. Ping from PC-B to R1 Fa0/0 at 209.165.200.225 using the -n option (number of packets) to specify 1000 packets.

C:\> ping 209.165.200.225 -n 1000

Note: The response from the PC is relatively slow and it may take a while to show up on the graph as Output Packet Count. The graph below shows an additional 5000 input packets as well as both input and output packet counts.


Reflection:

1. What are some benefits to using ASDM over the CLI?

The ASDM GUI is easier to use, especially for less technical staff, and can generate very complex configurations through the use of mouse selections, fill-in fields, and wizards.

2. What are some benefits to using the CLI over ASDM?

In some cases, the CLI can provide more precise control over the desired configuration. Also, some CLI commands are necessary to prepare the ASA for GUI access. CLI requires only a serial console connection, whereas ASDM requires Layer 3 (IP) connectivity to an ASA interface.


Router Interface Summary Table

Router Interface Summary

Router Model   Ethernet Interface #1         Ethernet Interface #2         Serial Interface #1      Serial Interface #2
1800           Fast Ethernet 0/0 (Fa0/0)     Fast Ethernet 0/1 (Fa0/1)     Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
1900           Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2800           Fast Ethernet 0/0 (Fa0/0)     Fast Ethernet 0/1 (Fa0/1)     Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)
2900           Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)    Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.


Device Configs

ASA 5510

CCNAS-ASA# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname CCNAS-ASA
domain-name ccnasecurity.com
enable password <encrypted hash> encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.226 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 70
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ccnasecurity.com
object network DMZ-Server
 host 192.168.2.3
object-group service DM_INLINE_SERVICE_0
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq ftp
 service-object tcp destination eq www
access-list outside_access extended permit object-group DM_INLINE_SERVICE_0 any object DMZ-Server
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network DMZ-Server
 nat (dmz,outside) static 209.165.200.227
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh 172.16.3.3 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.50 inside
dhcpd dns 10.20.30.40 interface inside
dhcpd domain ccnasecurity.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password <encrypted hash> encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:<omitted>
: end

Router R1

R1#sh run
Building configuration...

Current configuration : 1149 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password class
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address 209.165.200.225 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end

Router R2

R2#sh run
Building configuration...

Current configuration : 983 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password class
!
no aaa new-model
ip cef
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 ip address 10.1.1.2 255.255.255.252
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.2 255.255.255.252
 clock rate 2000000
!
interface Vlan1
 no ip address
!
ip route 172.16.3.0 255.255.255.0 Serial0/0/1
ip route 209.165.200.224 255.255.255.248 Serial0/0/0
!
!
ip http server
no ip http secure-server
!
!
control-plane
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end
R2#

Router R3

R3#sh run
Building configuration...

Current configuration : 1060 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password class
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
ip http server
no ip http secure-server
!
control-plane
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end

Switches S1, S2, and S3 - Use default configs, except for host name
