Asa Lab Manual

September 21, 2017 | Author: IT2000 | Category: Virtual Private Network, Ip Address, World Wide Web, Technology, Network Architecture



LAB MANUAL

Securing Networks with ASA Fundamentals (SNAF) Version 1.0

Developed By: Mr. Ahmed Saeed, Network Manager

CTTC (PVT) Limited, Karachi, Pakistan.

CTTC (PVT) [email protected] Web: www.cttc.net.pk Ph: 92-21-4310956-8

SNAF Lab Manual

TABLE OF CONTENTS

LAB 1: Configure Cisco ASA Appliance for basic configuration CLI
LAB 2: Configure the Security Appliance for ASDM
LAB 3: Configure Interfaces and verifying configuration through CLI
LAB 4: Configure Interfaces and verifying configuration through ASDM
LAB 5: Configure ASA Appliance for Syslog Server from ASDM
LAB 6: Configure Dynamic NAT through ASDM and verify the Configuration
LAB 7: Configure PAT on interface IP of ASA through ASDM
LAB 8: Configure Static NAT with ACL to allow inside access through ASDM
LAB 9: Configuring Remote Access VPN (Easy VPN)
LAB 10: Configure Remote Access VPN using AAA
LAB 11: Configure Site to Site IPSEC VPN through ASDM
LAB 12: Configuring ASA Appliance for Static Route through ASDM
LAB 13: Configuring ASA Appliance for Passive RIP through ASDM
LAB 14: Telnet and SSH Configuration on ASA Appliance through ASDM
LAB 15: Configuring ASA Software Image and Licenses through ASDM
LAB 16: Monitoring ASA Appliance through ASDM


LAB 1: Configure Cisco ASA Appliance for Basic Configuration CLI

Step 1
CTTC(config)# write erase
This command erases the startup configuration (default) of the ASA appliance.

Step 2
CTTC(config)# reload
This command reloads the security appliance.

Step 3
CTTC> ?
Displays the help of supported commands in user mode.

Step 4
CTTC> enable
Password:
Enters the privileged mode of the appliance; press Enter after typing the password at the prompt.

Step 5
CTTC# show run
This command shows the running configuration of your security appliance.

Step 6
CTTC# show memory
Free memory:        1000431424 bytes (93%)
Used memory:          73310400 bytes ( 7%)
-------------     ----------------
Total memory:       1073741824 bytes (100%)

This command shows the memory of the security appliance (output may vary for different platforms).

Step 7
CTTC# show version
Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)

Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"

CTTC up 3 days 18 hours

Hardware:   ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: GigabitEthernet0/0  : address is 0022.90fe.2006, irq 9
 1: Ext: GigabitEthernet0/1  : address is 0022.90fe.2007, irq 9
 2: Ext: GigabitEthernet0/2  : address is 0022.90fe.2008, irq 9
 3: Ext: GigabitEthernet0/3  : address is 0022.90fe.2009, irq 9
 4: Ext: Management0/0       : address is 0022.90fe.200a, irq 11
 5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 200
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 5000

This platform has an ASA 5540 VPN Premium license.

Serial Number: JMX1247L0RJ
Running Activation Key: 0x6000e973 0x0c5221a3 0xf4b1a9dc 0xa14c5408 0x4a11229b
Configuration register is 0x1
Configuration last modified by ahmed at 22:42:10.042 UTC Tue Jan 19 2010

This command shows the software and ASDM versions, the hardware platform, the physical interfaces and the licensed features of the appliance.

Step 8
CTTC# show history
  enable
  show version
  show history
This command shows the history of previously entered commands.

Step 9
CTTC# show bootvar
BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin
Current BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =

This command shows which image files your ASA firewall will load from, in boot order.

Step 10
CTTC# dir
Directory of disk0:/

47     -rwx  5474304     00:04:44 Jan 01 2003  asa705-k8.bin
48     -rwx  5823304     08:29:00 Aug 15 2006  asdm505.bin
50     -rwx  5474304     01:22:08 May 16 2007  asa706-k8.bin
51     -rwx  8312832     03:31:14 Mar 10 2008  asa722-k8.bin
52     -rwx  16275456    01:01:26 Jan 23 2010  asa821-k8.bin
2      drwx  8192        00:47:45 Jan 23 2010  log
9      drwx  8192        00:47:53 Jan 23 2010  crypto_archive
59     drwx  8192        00:50:48 Jan 23 2010  coredumpinfo
62     drwx  8192        02:30:00 Jan 23 2010  snmp

255426560 bytes total (213508096 bytes free)

This command shows the contents of the internal flash memory of your firewall.

Step 11
CTTC(config)# boot system disk0:/asa821-k8.bin
CTTC(config)# boot system disk0:/asa705-k8.bin
These commands define that the firewall will first boot from the image disk0:/asa821-k8.bin; if that image is corrupt or not found, the firewall will boot from the image disk0:/asa705-k8.bin.


LAB 2: Configure the Security Appliance for ASDM

Step 1
Verify that your ASA firewall has an ASDM image in flash memory.
CTTC# dir
Directory of disk0:/

47     -rwx  5474304     00:04:44 Jan 01 2003  asa705-k8.bin
50     -rwx  5474304     01:22:08 May 16 2007  asa706-k8.bin
52     -rwx  16275456    01:01:26 Jan 23 2010  asa821-k8.bin
2      drwx  8192        00:47:45 Jan 23 2010  log
9      drwx  8192        00:47:53 Jan 23 2010  crypto_archive
59     drwx  8192        00:50:48 Jan 23 2010  coredumpinfo
62     drwx  8192        02:30:00 Jan 23 2010  snmp
64     -rwx  11491880    03:24:24 Jan 25 2010  asdm-623.bin

255426560 bytes total (216154112 bytes free)

Step 2
CTTC(config)# asdm image disk0:/asdm-623.bin
This command defines which ASDM image in flash will be used.

Step 3
CTTC(config)# http server enable
This command enables the HTTP server on the ASA firewall, which is necessary for ASDM.

Step 4
CTTC(config)# http 10.0.50.10 255.255.255.255 inside
This command permits ASDM (HTTPS) access to the firewall only from the host 10.0.50.10 on the inside interface.

Step 5
CTTC(config)# aaa authentication http console LOCAL
This command enables authentication for ASDM against the local user database.
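The flash, boot-list and ASDM-image checks of Lab 1 (Steps 9 to 11) and Lab 2 (Steps 1 and 2) can be scripted. The following Python script is an added example, not part of the CTTC manual: it parses the `dir`, `show bootvar` and `show run asdm` outputs (sample text below is constructed from the listings above) and reports whether every image in the boot list, and the configured ASDM image, actually exists in flash.

```python
"""Check an ASA's boot list and ASDM image against the contents of flash.

Added example, not part of the CTTC lab manual. The sample outputs are
constructed from the `dir disk0:/`, `show bootvar` and `show run asdm`
text shown in Lab 1 and Lab 2.
"""
import re

# Constructed sample outputs, modelled on the manual's listings.
DIR_OUTPUT = """\
Directory of disk0:/

47     -rwx  5474304     00:04:44 Jan 01 2003  asa705-k8.bin
50     -rwx  5474304     01:22:08 May 16 2007  asa706-k8.bin
52     -rwx  16275456    01:01:26 Jan 23 2010  asa821-k8.bin
2      drwx  8192        00:47:45 Jan 23 2010  log
64     -rwx  11491880    03:24:24 Jan 25 2010  asdm-623.bin

255426560 bytes total (216154112 bytes free)
"""

BOOTVAR_OUTPUT = """\
BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin
Current BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
"""

ASDM_RUN_OUTPUT = "asdm image disk0:/asdm-623.bin\n"

# One `dir` entry: index, permissions, size, timestamp, name.
DIR_LINE = re.compile(
    r"^\s*\d+\s+(?P<perm>[-d]rwx)\s+(?P<size>\d+)\s+"
    r"\d{2}:\d{2}:\d{2} \w{3} \d{2} \d{4}\s+(?P<name>\S+)\s*$"
)


def parse_dir(text):
    """Return {filename: size_in_bytes} for regular files in a `dir` listing."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m and m.group("perm").startswith("-"):  # skip directories (drwx)
            files[m.group("name")] = int(m.group("size"))
    return files


def parse_boot_list(text):
    """Return the ordered image list from the 'Current BOOT variable' line."""
    for line in text.splitlines():
        if line.startswith("Current BOOT variable ="):
            value = line.split("=", 1)[1].strip()
            return [p.strip() for p in value.split(";") if p.strip()]
    return []


def parse_asdm_image(text):
    """Return the path from an `asdm image <path>` line, or None if absent."""
    m = re.search(r"^asdm image (\S+)", text, re.M)
    return m.group(1) if m else None


def basename(path):
    """'disk0:/asa821-k8.bin' -> 'asa821-k8.bin' (also accepts 'disk0:file')."""
    return path.split(":", 1)[-1].lstrip("/")


def check_images(dir_text, bootvar_text, asdm_text):
    """Return [(image, role, status)] in boot order, then the ASDM image."""
    flash = parse_dir(dir_text)
    results = []
    for idx, img in enumerate(parse_boot_list(bootvar_text)):
        role = "primary boot image" if idx == 0 else f"fallback #{idx}"
        status = "present" if basename(img) in flash else "MISSING"
        results.append((img, role, status))
    asdm = parse_asdm_image(asdm_text)
    if asdm is None:
        results.append(("(none)", "asdm image", "NOT CONFIGURED"))
    else:
        status = "present" if basename(asdm) in flash else "MISSING"
        results.append((asdm, "asdm image", status))
    return results


def all_present(results):
    """True when every boot image and the ASDM image exist in flash."""
    return all(status == "present" for _, _, status in results)


if __name__ == "__main__":
    for img, role, status in check_images(DIR_OUTPUT, BOOTVAR_OUTPUT, ASDM_RUN_OUTPUT):
        print(f"{role:20} {img:28} {status}")
```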


Step 6 Open a web browser and enter the following URL: https://10.254.1.2 (Inside Interface IP Address) and then click "RUN ASDM".

Step 7 Click “YES”

Step 8 Enter Username and Password


Step 9 After entering the username and password, the ASDM home page will open.


LAB 3: Configure Interfaces and Verifying Configuration through CLI

Step 1
CTTC# configure factory-default
This command erases all configuration on your ASA firewall and reverts the firewall configuration to the factory default.

Step 2
CTTC(config)# int vlan 1
CTTC(config-if)# nameif inside
CTTC(config-if)# security-level 100
CTTC(config-if)# ip address 10.0.0.1 255.0.0.0
CTTC(config-if)# no shut
These commands configure the inside interface and its security level on the ASA 5505 firewall.

Step 3
CTTC(config)# int vlan 2
CTTC(config-if)# nameif outside
CTTC(config-if)# security-level 0
CTTC(config-if)# ip address 20.0.0.1 255.0.0.0
CTTC(config-if)# no shut
These commands configure the outside interface and its security level on the ASA 5505 firewall.

Step 4
CTTC# show nameif
Interface   Name      Security
Vlan1       inside      100
Vlan2       outside       0

This command verifies the name and security level of each interface.

Step 5
CTTC# show ip
System IP Addresses:
Interface   Name      IP address   Subnet mask   Method
Vlan1       inside    10.0.0.1     255.0.0.0     manual
Vlan2       outside   20.0.0.1     255.0.0.0     manual
Current IP Addresses:
Interface   Name      IP address   Subnet mask   Method
Vlan1       inside    10.0.0.1     255.0.0.0     manual
Vlan2       outside   20.0.0.1     255.0.0.0     manual

This command verifies the IP addresses of all interfaces of the firewall.

Step 6
CTTC# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           down      Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          down      Et0/0

This command shows which switch ports of the firewall are in the inside VLAN and which are in the outside VLAN.

Step 7 (Optional)
CTTC(config)# clear configure all
This command clears the running configuration of the ASA firewall.


LAB 4: Configure Interfaces and Verifying Configuration through ASDM

Step 1 Click the Configuration tab and then click Interfaces. You can see that the firewall is already configured with an inside interface with security level 100 and IP address 10.0.0.1.


Step 2 To add a new interface, click the Add button, add the Ethernet 0/0 interface to the selected switch ports and then enter outside in the Interface Name field. Check Enable interface, check Use static IP and then configure IP address 20.0.0.1 with subnet mask 255.0.0.0. Click OK.


Step 3 The outside interface is now listed in the window below. Click Apply.


Step 4 You can verify the interface status, IP address and traffic status of the interface from the Home tab.


LAB 5: Configure ASA Appliance for Syslog Server from ASDM

Step 1: To configure a Syslog server, navigate to the Configuration tab and then click Logging.

NETWORK TOPOLOGY (figure): Cisco ASA5505 with E0/1 10.0.0.1 (inside) and E0/0 20.0.0.1 (outside); hosts 10.0.0.10 and 20.0.0.10; Syslog Server.


Step 2 Click Logging Setup, check Enable logging and then press Apply.


Step 3 Click the Syslog Servers tab and then press Add. Select the interface of the ASA appliance to which the Syslog server is connected and then enter the IP address of the Syslog server. Press OK.


Step 4 You can see that the Syslog server entry has been created in the window below. Note that you can add up to 16 Syslog servers. Press Apply.


Step 5 To enable Syslog time stamping, click Syslog Setup and then check the box Include timestamp in Syslog. Press Apply.


Step 6 Click Event Lists and then press the Add button. A new dialog box, ADD EVENT LIST, appears.


Step 7 Configure the name of the event list and then press Add. A new dialog box will appear; in it select event class ALL and severity Debugging. Press OK.


Step 8 You can see that the event list has been added. Press Apply.


Step 9 Press Logging Filters in the Logging menu and then select Syslog Servers. Press the Edit button.


Step 10 Select the radio button USE EVENT LIST and then select the list CTTCSYSLOG. Press OK.


Step 11 You can see the logs on the Kiwi Syslog server. Verify the time stamping and the log format.


LAB 6: Configure Dynamic NAT through ASDM and verify the Configuration

Step 1: To configure dynamic NAT, click Configuration and then click NAT Rules.

NETWORK TOPOLOGY (figure): Cisco ASA5505 with E0/1 10.0.0.1 (inside) and E0/0 20.0.0.1 (outside); IP Pool 20.0.0.100-200; 20.0.0.10 Telnet Server.


Step 2 Click Add and then select Add Dynamic NAT Rule.


Step 3 A new window will open. Select the inside interface and, in the Source field, select inside-network/8.


Step 4 To define the global pool, click Manage and then add a Global Address Range. Select interface Outside, Pool ID 1 and range 20.0.0.100-20.0.0.200. Press Add and then OK.


Step 5 The following window will appear, showing the dynamic NAT entry you have just configured. To enforce that no traffic passes through the firewall without a NAT entry, uncheck the box Enable traffic through firewall without NAT. Press Apply.


Step 6 To verify the dynamic NAT configuration, use the following commands.

CTTC# show run nat-control
nat-control
This command shows that no traffic will pass between interfaces through the firewall without NAT.

CTTC# show run nat
nat (inside) 1 10.0.0.0 255.0.0.0
This command shows the inside network that will be translated.

CTTC# show run global
global (outside) 1 20.0.0.100-20.0.0.200 netmask 255.0.0.0
This command displays the global address pool.

CTTC# show xlate
1 in use, 1 most used
Global 20.0.0.112 Local 10.0.0.10
This command displays the NAT (translation) table of the ASA appliance.

CTTC# clear xlate
This command clears the NAT table of the ASA appliance.

CTTC# show arp
        inside 10.0.0.10 0017.423c.6806 52
        outside 20.0.0.10 0021.9b37.b62e 473
This command displays the ARP cache of your security appliance.

CTTC# clear arp
This command clears the ARP cache of your appliance.
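The verification in Step 6 can be automated against the same `show` outputs. The following Python script is an added example, not part of the CTTC manual: it parses constructed copies of the `show run nat-control`, `show run nat`, `show run global` and `show xlate` output above, checks that nat-control is on, that each nat statement has a global pool with the same NAT ID, and that every active translation uses a global address inside the pool its local address maps to. It also accepts the `global (outside) 1 interface` form used for interface PAT in Lab 7.

```python
"""Cross-check an ASA's dynamic NAT configuration against its translation table.

Added example, not part of the CTTC lab manual. The sample outputs are
constructed from the Lab 6 Step 6 `show` text; only the simple
`nat (ifc) id network mask` form used in the lab is parsed.
"""
import ipaddress
import re

# Constructed sample outputs, modelled on the manual's Lab 6 verification step.
NAT_CONTROL_OUTPUT = "nat-control\n"
NAT_OUTPUT = "nat (inside) 1 10.0.0.0 255.0.0.0\n"
GLOBAL_OUTPUT = "global (outside) 1 20.0.0.100-20.0.0.200 netmask 255.0.0.0\n"
XLATE_OUTPUT = """\
1 in use, 1 most used
Global 20.0.0.112 Local 10.0.0.10
"""

NAT_RE = re.compile(r"^nat \((?P<ifc>\S+)\) (?P<id>\d+) (?P<net>\S+) (?P<mask>\S+)", re.M)
GLOBAL_RE = re.compile(r"^global \((?P<ifc>\S+)\) (?P<id>\d+) (?P<range>\S+)", re.M)
XLATE_RE = re.compile(r"^Global (?P<g>\S+) Local (?P<l>\S+)", re.M)


def parse_nat(text):
    """[(nat_id, interface, network)] from `show run nat` output."""
    return [(int(m["id"]), m["ifc"], ipaddress.ip_network(f"{m['net']}/{m['mask']}"))
            for m in NAT_RE.finditer(text)]


def parse_global(text):
    """{nat_id: (interface, first_ip, last_ip)}; (ifc, None, None) means PAT on the interface IP."""
    pools = {}
    for m in GLOBAL_RE.finditer(text):
        rng = m["range"]
        if rng == "interface":
            pools[int(m["id"])] = (m["ifc"], None, None)
            continue
        first, _, last = rng.partition("-")  # a single address is a one-element range
        pools[int(m["id"])] = (m["ifc"], ipaddress.ip_address(first),
                               ipaddress.ip_address(last or first))
    return pools


def parse_xlate(text):
    """[(global_ip, local_ip)] from `show xlate` output."""
    return [(ipaddress.ip_address(m["g"]), ipaddress.ip_address(m["l"]))
            for m in XLATE_RE.finditer(text)]


def nat_id_for(local_ip, nat_rules):
    """NAT ID whose network contains local_ip; the most specific network wins."""
    matches = [(net.prefixlen, nat_id) for nat_id, _, net in nat_rules if local_ip in net]
    return max(matches)[1] if matches else None


def check_translations(nat_control_text, nat_text, global_text, xlate_text):
    """Return a list of findings; an empty list means the NAT state is consistent."""
    findings = []
    if "nat-control" not in [ln.strip() for ln in nat_control_text.splitlines()]:
        findings.append("nat-control is off: traffic may cross the firewall without translation")
    rules = parse_nat(nat_text)
    pools = parse_global(global_text)
    for nat_id, ifc, net in rules:
        if nat_id not in pools:
            findings.append(f"nat ({ifc}) {nat_id} {net} has no global pool with the same ID")
    for global_ip, local_ip in parse_xlate(xlate_text):
        nat_id = nat_id_for(local_ip, rules)
        if nat_id is None:
            findings.append(f"xlate {local_ip} -> {global_ip}: local address matches no nat statement")
            continue
        pool = pools.get(nat_id)
        if pool is None or pool[1] is None:
            continue  # missing pool is already reported; interface PAT has no range to check
        _, first, last = pool
        if not first <= global_ip <= last:
            findings.append(f"xlate {local_ip} -> {global_ip}: global address outside pool {first}-{last}")
    return findings


if __name__ == "__main__":
    problems = check_translations(NAT_CONTROL_OUTPUT, NAT_OUTPUT, GLOBAL_OUTPUT, XLATE_OUTPUT)
    print("NAT state consistent" if not problems else "\n".join(problems))
```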


LAB 7: Configure PAT on interface IP of ASA through ASDM

Step 1 Repeat the first three steps of the previous lab, then click the outside interface and check the box PAT using IP address of the interface. Press Add and then click OK. The translation will be done on the outside interface of the firewall.


LAB 8: Configure Static NAT with ACL to allow inside access through ASDM

Step 1: Press NAT Rules, press Add and then Add Static NAT Rule.

NETWORK TOPOLOGY (figure): Cisco ASA5505 with E0/1 10.0.0.1 (inside) and E0/0 20.0.0.1 (outside); Telnet Server 10.0.0.10 (inside); host 20.0.0.10 (outside); Translated IP 20.0.0.100.


Step 2 A new window will open; click Source.


Step 3 A new window will open; press Add and then IP Name.


Step 4 A new window opens. Enter Name: Telnet Server and IP Address: 10.0.0.1. Press OK.


Step 5 Check the Use IP address field and then enter IP address 20.0.0.100 as the translated IP.


Step 6 Press Enter. The following window will open. Press Apply.


Step 7 To allow access to the Telnet server connected to the inside interface, we have to configure an access rule from the outside machine to the Telnet server.


Step 8 Press Add, select interface "Outside" and then press "Permit". In the Source field select any and in the Destination field enter the translated IP address 20.0.0.100. Select traffic direction In. Also select the service TCP/Telnet.


Step 9 Press OK and you can see the access rule in the following window. Now telnet from the outside machine to the Telnet server, which is translated to the IP address 20.0.0.100.


LAB 9: Configure Remote Access VPN (Easy VPN) through ASDM

Step 1 Press the Configuration menu and then select the VPN tab.

NETWORK TOPOLOGY (figure): Cisco ASA5505 with E0/1 10.0.0.1 (inside) and E0/0 20.0.0.1 (outside); Telnet Server 10.0.0.10; Cisco VPN Client 20.0.0.10; IP Pool: 172.16.1.1-254.

Step 2: Click Launch VPN Wizard and a new window will open. Click Remote Access VPN and then select the outside interface as the VPN termination interface. Click Next.


Step 3 Select the VPN client type Cisco VPN Client 3.X or higher and then press Next.


Step 4 Enter the pre-shared key cisco123 and the tunnel group name CTTC.


Step 5 Click Authenticate using the local user database.


Step 6 Add another user, test, to the local database of the ASA appliance.


Step 7 Create a new local pool of IP addresses. Click New.


Step 8 Enter the pool name "CTTCPOOL", the starting IP address 172.16.1.1 and the ending IP address 172.16.1.254.


Step 9 Enter the primary DNS server 10.0.0.100 and the domain name "cttc.net.pk".


Step 10 Configure the IKE Phase 1 parameters as shown in the window below. Click Next.


Step 11 Select the IPsec phase parameters as shown in the window below and then click Next.


Step 12 To exempt VPN traffic from Network Address Translation, select interface "Inside" and configure 10.0.0.0 with the default mask of 255.255.255.0. Press Add and then click Next.


Step 13 Review the summary of the VPN configuration and then click Finish to complete it.


Step 14 Open the VPN Client software and click New.

A new window will open. Enter the connection entry name "cttc" and the host IP address 20.0.0.1. Enter the tunnel group name "CTTC" and then the pre-shared key "cisco123". Click Save.


Step 15 A new connection entry will be created, as shown in the window below.

Double-click the connection entry; a new window will open. Enter the username and password for VPN local database authentication.

After entering the username and password, the VPN tunnel will be established and you can verify the details of the VPN connection in the window below.


LAB 10: Configure Remote Access VPN (Easy VPN) using AAA

Step 1: Press the Configuration menu and then click "AAA Server Groups". Press Add.

NETWORK TOPOLOGY (figure): Cisco ASA5505 with E0/1 10.0.0.1 (inside) and E0/0 20.0.0.1 (outside); host 10.0.0.10 (inside); Cisco VPN Client 20.0.0.10; IP Pool: 172.16.1.1-254.

Step 2: Type the server group name "default", select the protocol "TACACS+" and then press OK.


Step 3: Press Add under "AAA Servers" and then select the interface on which the AAA server is placed, "inside". Enter the AAA server IP address "10.0.0.10" and then enter the server secret key "cisco123". Press OK.


Step 4: Both configured entries are shown in the window below. Press Apply.


Step 5: Select "IPSEC CONNECTION PROFILE" from the window, select the "CTTC" connection entry and then press "Edit".


Step 6: Under User Authentication select the server group "default" and then check Use LOCAL if Server Group fails. Press OK.


Step 7: To enable accounting, select "AAA Access" from the window and then press "Accounting". Then click Enable Server Group and select the group "default". Press Apply.


Step 8: To add a user on Cisco Secure ACS, press "User Setup", enter the username "ahmed" and then click "Add/Edit".


Step 9: Enter and confirm the password in the window below. Then press Submit.


Step 10: Select "Network Configuration" from the menu and then click "Add Entry" for the AAA client.


Step 11: Enter the AAA client name "CTTCA" and then the IP address of the AAA client, i.e. the ASA inside interface IP "10.0.0.1". Enter the server secret key "cisco123" and then select Authenticate Using "TACACS+ (Cisco IOS)". Then press Submit.


Step 12: You can see that the entry has been added to the AAA client list in the window below.


Step 13: For accounting, press "Reports and Activity".


Step14: Select “TACACS+ Accounting” and then select “TACACS+ Accounting active.csv”.


Step 15: The accounting statistics are shown in the window below.


LAB 11: Configuring IPSEC Site to Site VPN through ASDM

Step 1: On the CTTCB firewall, click the "Wizard" option from the top menu and then select IPSEC Wizard. Select the Site to Site VPN option and then press Next.

NETWORK TOPOLOGY (figure): CTTCA firewall with E0/1 10.0.0.1 and E0/0 11.0.0.1, host 10.0.0.10; CTTCB firewall with E0/0 11.0.0.2 and E0/1 20.0.0.1, host 20.0.0.10.

Step 2: Enter the peer IP address "11.0.0.2", select the authentication method "Pre-shared Key" and then enter the pre-shared key "Cisco123". Leave the tunnel group name as "11.0.0.2". Press Next.


Step 3: Enter the IKE Phase 1 parameters as shown in the window below.


Step 4: Enter the IKE Phase 2 parameters as shown in the window below.


Step 5: To define the interesting VPN traffic, select the source network whose traffic will be sent into the tunnel. Select inside-network 20.0.0.0/8 as the source network. Press OK.


Step 6: Enter the remote network to which VPN traffic will be forwarded as "10.0.0.0/8". Press OK.


Step 7: Both configured entries are shown in the window below. Only traffic from the local network to the remote network will pass through the VPN tunnel. Press Next.


Step 8: The window below shows the summary of the VPN configuration. Press Finish to complete the configuration on the CTTCB firewall.

NOTE: Repeat these steps on the CTTCA firewall as well in order to configure the site-to-site VPN.


Step 9: After configuring the CTTCA firewall, you can verify the VPN tunnel status in the window below: IKE: 1 and IPSEC: 1.


Step 10: Click the Monitoring tab, then VPN and then Sessions.


Step 11: Verify the IKE phase 1 and IPsec phase parameters.

ciscoasa# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

ciscoasa# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 11.0.0.2

      access-list outside_1_cryptomap permit ip 20.0.0.0 255.0.0.0 remotenetwork 255.255.255.0
      local ident (addr/mask/prot/port): (20.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (remotenetwork/255.255.255.0/0/0)
      current_peer: 11.0.0.1

      #pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226
      #pkts decaps: 226, #pkts decrypt: 226, #pkts verify: 226
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 226, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 2DBE841E

    inbound esp sas:
      spi: 0x023E2818 (37627928)
         transform: esp-des esp-md5-hmac no compression
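The tunnel verification in Step 11 can be turned into a repeatable health check. The following Python script is an added example, not part of the CTTC manual: it parses constructed copies of the `show crypto isakmp sa` and `show crypto ipsec sa` output above, confirms that phase 1 is established and that packets are encapsulated and decapsulated without errors, and flags the negotiated transform (esp-des esp-md5-hmac in the lab output) because single DES and HMAC-MD5 are weak by today's standards.

```python
"""Summarise IKE/IPsec SA health from ASA `show crypto` output.

Added example, not part of the CTTC lab manual. The sample outputs below are
constructed from the Lab 11 Step 11 text.
"""
import re

# Constructed from the manual's `sh crypto isakmp sa` output.
ISAKMP_OUTPUT = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
"""

# Constructed from the manual's `sh crypto ipsec sa` output (abridged).
IPSEC_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 11.0.0.2
      current_peer: 11.0.0.1
      #pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226
      #pkts decaps: 226, #pkts decrypt: 226, #pkts verify: 226
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 226, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1
      current outbound spi: 2DBE841E
    inbound esp sas:
      spi: 0x023E2818 (37627928)
         transform: esp-des esp-md5-hmac no compression
"""

# Every '#name: value' counter in the ipsec sa output.
COUNTER_RE = re.compile(r"#(?P<name>[A-Za-z -]+?): (?P<val>\d+)")

# Transforms a defender should not accept on a production tunnel.
WEAK_TRANSFORMS = {
    "esp-des": "single DES, 56-bit key",
    "esp-md5-hmac": "HMAC-MD5 integrity",
    "esp-null": "no encryption at all",
}


def parse_counters(text):
    """Map each '#name: value' field of `show crypto ipsec sa` to an int."""
    return {m["name"].strip(): int(m["val"]) for m in COUNTER_RE.finditer(text)}


def active_ike_sas(text):
    """Number of active IKE SAs reported by `show crypto isakmp sa`."""
    m = re.search(r"Active SA:\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def negotiated_transform(text):
    """Algorithm names from the 'transform:' line, e.g. ['esp-des', 'esp-md5-hmac', ...]."""
    m = re.search(r"transform:\s*(.+)", text)
    return m.group(1).split() if m else []


def assess_tunnel(isakmp_text, ipsec_text):
    """Return a summary dict; 'findings' is empty when the tunnel looks healthy."""
    counters = parse_counters(ipsec_text)

    def get(name):
        return counters.get(name, 0)

    findings = []
    if active_ike_sas(isakmp_text) < 1:
        findings.append("no active IKE SA: phase 1 is not established")
    if get("pkts encaps") == 0 or get("pkts decaps") == 0:
        findings.append("no traffic in at least one direction (check the interesting-traffic ACLs)")
    if not get("pkts encaps") == get("pkts encrypt") == get("pkts digest"):
        findings.append("outbound counters disagree: some packets were not encrypted/authenticated")
    if not get("pkts decaps") == get("pkts decrypt") == get("pkts verify"):
        findings.append("inbound counters disagree: some packets failed decryption/verification")
    errors = get("send errors") + get("recv errors")
    if errors:
        findings.append(f"{errors} send/recv errors on the SA")
    for alg in negotiated_transform(ipsec_text):
        if alg in WEAK_TRANSFORMS:
            findings.append(f"weak transform {alg} ({WEAK_TRANSFORMS[alg]}); prefer AES and SHA-2")
    peer = re.search(r"current_peer:\s*(\S+)", ipsec_text)
    return {
        "peer": peer.group(1) if peer else None,
        "encaps": get("pkts encaps"),
        "decaps": get("pkts decaps"),
        "findings": findings,
    }


if __name__ == "__main__":
    summary = assess_tunnel(ISAKMP_OUTPUT, IPSEC_OUTPUT)
    print(f"peer {summary['peer']}: {summary['encaps']} out / {summary['decaps']} in")
    for finding in summary["findings"]:
        print(" -", finding)
```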


LAB 12: Configuring Static Route on ASA Firewall through ASDM

Step 1: Press Configuration, then Device Setup, and then select Static Routes. Press Add. (CTTCA)

NETWORK TOPOLOGY (figure): CTTCA firewall with E0/1 10.0.0.1 and E0/0 11.0.0.1, host 10.0.0.10; CTTCB firewall with E0/0 11.0.0.2 and E0/1 20.0.0.1, host 20.0.0.10.

Step 2: Select the interface "Outside", enter the destination network "20.0.0.0" and subnet mask "255.0.0.0", and then click the Gateway IP option.


Step3: A new window will open. Press Add.


Step 4: Enter the network object name "next hop" and the IP address of the next hop, "11.0.0.2". Select the network mask 255.255.255.255 and press OK.


Step 5: A new window will open as below. Press OK.


Step 6: A new window will open as below. Press Apply to configure the static route.


Step 7: Repeat the previous steps to configure the static route shown below on the CTTCB firewall.


LAB 13: Configuring Passive RIP on ASA Firewall through ASDM

Step 1: Click Enable RIP routing, check RIP version 1, add the 10.0.0.0 and 11.0.0.0 networks and then select the "outside" interface as a passive interface on the CTTCA firewall.

NETWORK TOPOLOGY (figure): CTTCA firewall with E0/1 10.0.0.1 and E0/0 11.0.0.1, host 10.0.0.10; CTTCB firewall with E0/0 11.0.0.2 and E0/1 20.0.0.1, host 20.0.0.10.

Step 2: Click Enable RIP routing, check RIP version 1, add the 20.0.0.0 and 11.0.0.0 networks and then select the "outside" interface as a passive interface on the CTTCB firewall.


LAB 14: Telnet and SSH Configuration on ASA Appliance through ASDM

Step 1: Click Configuration > Device Management > Management Access > ASDM/HTTP/HTTPS/SSH/Telnet. Press Add.


Step 2: Click Telnet and enter the IP address 10.0.0.10, which is connected to the inside interface of the firewall. The firewall can then be accessed only from the IP 10.0.0.10. Press OK.


Step 3: The firewall is configured for Telnet, as highlighted in the window below.


Step 4: For SSH configuration, select the inside interface and then click SSH. Enter the IP address of the client that will initiate SSH to the security appliance.


Step 5: For SSH you need to configure the domain name and hostname of the firewall: Configuration > Device Setup > Device Name/Password.


Step 6: Generate an RSA key: Configuration > Device Management > Certificate Management > Identity Management.


Step 7: Click Add a new identity certificate and then click New.


Step 8: Press Generate Now to generate the RSA key for SSH.


LAB 15: Configuring ASA for Software Image and Licensing

Step 1: To configure the boot sequence of ASA images and also to define the ASDM image, navigate to Configuration > Device Management > System Image/Configuration > Boot Image/Configuration. Press Add.


Step 2: To define the flash image, click Browse Flash.


Step3: Select the appropriate image and then press Ok.


Step 4: The software image has been added. To define the ASDM image file path, press Browse Flash.


Step 5: Select the appropriate ASDM image file, as in the window below. Press OK.


Step 6: Press Apply to push the configuration to the ASA appliance.


Step 7: To upgrade the license we need to change the activation key: Configuration > Device Management > Activation Key.


LAB 16: Monitoring ASA Appliance through ASDM

Step 1: To verify the platform, ASA version, ASDM version, device uptime, interface status, CPU and memory utilization and the latest ASDM syslog messages, go to the Home page of ASDM.


Step 2: For monitoring of the routing tables, navigate to Monitoring > Routing.


Step 3: For interface monitoring, navigate to Monitoring > Interfaces.


Step 4: For AAA server monitoring, navigate to Monitoring > Properties > AAA Servers.


Step 5: For real-time logging, navigate to Monitoring > Logging > Real-Time Log Viewer.


Step 6: Press View to see the real-time logs.

