Asa Lab Manual
Short Description
Download Asa Lab Manual...
Description
LAB MANUAL
Securing Networks with ASA Fundamentals(SNAF) Version 1.0
Developed By: Mr. Ahmed Saeed Network Manager
CTTC (PVT) Limited, Karachi Pakistan. 1
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
TABLE OF CONTENTS LAB 1: Configure Cisco ASA Appliance for basic configuration CLI LAB 2: Configure the Security Appliance for ASDM LAB 3: Configure Interfaces and verifying configuration through CLI LAB 4: Configure Interfaces and verifying configuration through ASDM LAB 5: Configure ASA Appliance for Syslog Server from ASDM LAB 6: Configure Dynamic NAT through ASDM and verify the Configuration LAB7: Configure PAT on interface IP of ASA through ASDM LAB8: Configure Static NAT with ACL to allow inside access through ASDM LAB9: Configuring Remote Access VPN (Easy VPN) LAB10: Configure Remote Access VPN using AAA LAB11: Configure Site to Site IPSEC VPN through ASDM LAB12: Configuring ASA Appliance for Static Route through ASDM LAB13: Configuring ASA Appliance for Passive RIP through ASDM LAB14: Telnet and SSH Configuration on ASA Appliance through ASDM LAB15: Configuring ASA Software Image and Licenses through ASDM LAB16: Monitoring ASA Appliance through ASDM
2
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB 1: Configure Cisco ASA Appliance for Basic Configuration CLI Step1 CTTC(config)# write erase This command will erase the startup configuration (default) of ASA appliance. Step2 CTTC(Config)# reload This command will reload the security appliance. Step3 CTTC> ? Display the help of supported commands in user mode. Step4 CTTC> enable Password : Enter in the privilege mode of appliance and press enter after prompting for password Step5 CTTC# Show Run This command will show the running configuration of your Security appliance. Step6 CTTC# Show memory Free memory:
1000431424 bytes (93%)
Used memory:
73310400 bytes ( 7%)
-------------
3
----------------
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Total memory:
1073741824 bytes (100%)
This command will show the memory of security appliance (Output may vary for different platforms).
Step7 CTTC# Show Version Cisco Adaptive Security Appliance Software Version 7.0(8) Device Manager Version 5.0(8) Compiled on Sat 31-May-08 23:48 by builders System image file is "disk0:/asa708-k8.bin" Config file at boot was "startup-config" CTTC up 3 days 18 hours Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz Internal ATA Compact Flash, 256MB BIOS Flash M50FW080 @ 0xffe00000, 1024KB Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0) Boot microcode : CNlite-MC-Boot-Cisco-1.2 SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05 0: Ext: GigabitEthernet0/0 : address is 0022.90fe.2006, irq 9 1: Ext: GigabitEthernet0/1 : address is 0022.90fe.2007, irq 9 2: Ext: GigabitEthernet0/2 : address is 0022.90fe.2008, irq 9 3: Ext: GigabitEthernet0/3 : address is 0022.90fe.2009, irq 9 4: Ext: Management0/0
: address is 0022.90fe.200a, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11 6: Int: Not used
4
: irq 5
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Licensed features for this platform: Maximum Physical Interfaces : Unlimited Maximum VLANs Inside Hosts
: 200 : Unlimited
Failover
: Active/Active
VPN-DES
: Enabled
VPN-3DES-AES
: Enabled
Security Contexts
:2
GTP/GPRS
: Disabled
VPN Peers
: 5000
This platform has an ASA 5540 VPN Premium license. Serial Number: JMX1247L0RJ Running Activation Key: 0x6000e973 0x0c5221a3 0xf4b1a9dc 0xa14c5408 0x4a11229b Configuration register is 0x1 Configuration last modified by ahmed at 22:42:10.042 UTC Tue Jan 19 2010
Step8 CTTC# show History Enable Show version Show history This command will show the history of previously entered commands. Step9 CTTC# show bootvar BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin Current BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin CONFIG_FILE variable = Current CONFIG_FILE variable =
5
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
This command will let you know that from which image file your ASA firewall load.
Step10 CTTC# dir Directory of disk0:/ 47
-rwx 5474304
00:04:44 Jan 01 2003 asa705-k8.bin
48
-rwx 5823304
08:29:00 Aug 15 2006 asdm505.bin
50
-rwx 5474304
01:22:08 May 16 2007 asa706-k8.bin
51
-rwx 8312832
03:31:14 Mar 10 2008 asa722-k8.bin
52
-rwx 16275456 01:01:26 Jan 23 2010 asa821-k8.bin
2
drwx 8192
00:47:45 Jan 23 2010 log
9
drwx 8192
00:47:53 Jan 23 2010 crypto_archive
59
drwx 8192
00:50:48 Jan 23 2010 coredumpinfo
62
drwx 8192
02:30:00 Jan 23 2010 snmp
255426560 bytes total (213508096 bytes free) This command will show the contents of internal flash memory of your firewall Step 11 CTTC # boot system disk0:/asa821-k8.bin CTTC # boot system disk0:/asa705-k8.bin This command will define that the firewall will first boot from disk0:/asa821-k8.bin this image and if this image is corrupt or not found firewall will boot from this disk0:/asa705-k8.bin image.
6
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB2: Configure the Security Appliance for ASDM Step1 To verify that you ASA firewall has ASDM image in flash memory. CTTC # dir Directory of disk0:/ 47
-rwx 5474304
00:04:44 Jan 01 2003 asa705-k8.bin
50
-rwx 5474304
01:22:08 May 16 2007 asa706-k8.bin
52
-rwx 16275456 01:01:26 Jan 23 2010 asa821-k8.bin
2
drwx 8192
00:47:45 Jan 23 2010 log
9
drwx 8192
00:47:53 Jan 23 2010 crypto_archive
59
drwx 8192
00:50:48 Jan 23 2010 coredumpinfo
62
drwx 8192
02:30:00 Jan 23 2010 snmp
64
-rwx 11491880 03:24:24 Jan 25 2010 asdm-623.bin
255426560 bytes total (216154112 bytes free) Step2 CTTC (Config) # asdm image disk0:asdm-623.bin This command will define which asdm image will be used in flash. Step3 CTTC (config)# http server enable This command will enable HTTP server on ASA firewall that is necessary for ASDM. Step4 CTTC (config)# http 10.0.50.10 255.255.255.255 inside Step5 CTTC (config)# aaa authentication http console LOCAL This command will enable authentication for ASDM. Step6
7
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Open Web Brower and enter the following URL: https://10.254.1.2 then click “RUN ASDM”
8
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
(Inside Interface IP Address) and
SNAF Lab Manual
Step 7 Click “YES”
Step 8 Enter Username and Password
9
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 9 After entering username and password, home page of ASDM will open
10
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB3: Configure Interfaces and Verifying Configuration through CLI Step1 CTTC# configure factory-default This command will erase all configurations on your ASA firewall and your ASA firewall configuration will revert back to factory default. Step 2 CTTC (config) # int vlan 1 CTTC (config-if) # nameif inside CTTC (config-if) # security-level 100 CTTC (config-if) # ip address 10.0.0.1 255.0.0.0 CTTC (config-if) # no shut These commands will configure inside interface and security level of the ASA 5505 Firewall. Step 3 CTTC (config) # int vlan 2 CTTC (config-if) # nameif outside CTTC (config-if) # security-level 0 CTTC (config-if) # ip address 20.0.0.1 255.0.0.0 CTTC (config-if) # no shut These commands will configure outside interface and security level of the ASA 5505 Firewall. Step 4 CTTC# show nameif Interface
Name
Vlan1
inside
Vlan2
outside
11
Security 100 0
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
This command will verify the name and security level of each interface. Step 5 CTTC# show ip System IP Addresses: Interface
Name
Vlan1
inside
Vlan2
outside
IP address 10.0.0.1
Subnet mask 255.0.0.0
20.0.0.1
Method
manual
255.0.0.0
manual
Current IP Addresses: Interface
Name
Vlan1
inside
Vlan2
outside
IP address 10.0.0.1
Subnet mask 255.0.0.0
20.0.0.1
Method
manual
255.0.0.0
manual
This command will verify the IP addresses of all interfaces of firewall. Step 6 CTTC# show switch vlan VLAN Name
Status Ports
---- -------------------------------- --------- ----------------------------1 inside
down
Et0/1, Et0/2, Et0/3, Et0/4
Et0/5, Et0/6, Et0/7 2 outside
down
Et0/0
This command will let you know that which interfaces of firewall are in inside VLAN and which interfaces are in outside VLAN. Step 7 (Optional) CTTC (config) # clear configure all This command will clear the running configuration of ASA Firewall.
12
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB4: Configure Interfaces and Verifying Configuration through ASDM Step 1 Click configuration TAB and then click on Interfaces .You can see that firewall is already configured for inside interface with the security level of 100 and IP Address 10.0.0.1.
13
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step2 To add a new interface click Add button and then add Ethernet 0/0 interface to selected switch ports and then write outside in Interface Name field. Click on Enable interface and check on use static IP and then configure 20.0.0.1 IP address and Subnet mask 255.0.0.0.Click Ok.
14
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 3 Now Outside interface is listed in the below window. Click Apply.
15
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 4 You can verify the interface status and IP Address and traffic status of the interface from Home TAB.
16
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB5: Configure ASA Appliance for Syslog Server from ASDM Step 1: In order to configure Syslog Server, navigate the configuration TAB and then Click on logging.
NETWORK TOPOLOGY
E0/0
E0/1 10.0.0.1
20.0.0.1
Cisco ASA5505 Syslog Server
20.0.0.10
10.0.0.10
17
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 2 Click on Logging Setup and check on enable logging and then press apply.
18
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 3 Click on Syslog Server TAB and then press Add. Select the interface of ASA appliance on which Syslog Server is connected and then enter the IP Address of Syslog Server. Press ok.
19
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 4 You can see that Syslog Server entry is created on below window. Please note that you can add up to 16 Syslog Servers. Press Apply.
20
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 5 In order to enable Syslog time stamping, click on Syslog Setup and then check on the box Include time stamp in Syslog. Press Apply.
21
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 6 Click on Event Lists and then press Add button. A new dialog box appears ADD EVENT LIST.
22
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 7 Configure Name of event List and then press Add. New Dialog box will appear in which select event class ALL and severity Debugging. Press Ok.
23
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 8 You can see that event list is added. Press Apply.
24
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 9 Press logging Filter from logging menu and then select Syslog Servers. Press Edit Button.
25
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 10 Press on Radio button USE EVENT LIST and then select the list CTTCSYSLOG. Press Ok.
26
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 11 You can see the logs on Kiwi Syslog server. Verify the time stamping and log format.
27
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB 6: Configure Dynamic NAT through ASDM and verify the Configuration Step 1: In order to configure Dynamic NAT, click configuration and then click NAT RULES NETWORK TOPOLOGY IP Pool 20.0.0.100-200 E0/0
E0/1 10.0.0.1
20.0.0.1
Cisco ASA5505
20.0.0.10 Telnet Server
28
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 2 Click Add and then select Add Dynamic NAT Rule
29
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 3 New Window will open. Select inside interface and also in Source field select inside-network/8
30
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 4 In order to define Global pool, click Manage Tab and then add a Global Address Range. Select Interface Outside, Pool ID 1 and range 20.0.0.100-20.0.0.200.Press add and then Ok.
31
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 5 The following window will appear. You can see the dynamic NAT entry, you had just configured. In order to implement restriction on firewall that no traffic will pass through firewall without Nat Entry uncheck the box unable traffic through firewall without NAT. Press Apply.
32
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 6 In order to verify Dynamic NAT Configuration, use the following Commands. CTTC# show run nat-control nat-control This command will show that no traffic will pass between interfaces through firewall without NAT. CTTC# show run nat nat (inside) 1 10.0.0.0 255.0.0.0 This command will show the inside network that will be translated. CTTC# show run global global (outside) 1 20.0.0.100-20.0.0.200 netmask 255.0.0.0 This command will display the global address space. CTTC# show xlate 1 in use, 1 most used Global 20.0.0.112 Local 10.0.0.10 This command will display the NAT Table of ASA Appliance. CTTC# clear xlate This command will clear the NAT Table of ASA Appliance. CTTC# show arp inside 10.0.0.10 0017.423c.6806 52 outside 20.0.0.10 0021.9b37.b62e 473 This command will display Arp Cache of your security Appliance. CTTC# clear arp This command will clear arp cache of your appliance.
33
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB 7: Configure PAT on interface IP of ASA through ASDM Step 1 Repeat the first three steps of previous lab and then click on outside interface and then check the box PAT using IP address of the interface. Press Add and then click ok. The translation would be done on outside interface of the firewall.
34
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB 8: Configure Static NAT with ACL to allow inside access through ASDM Step1: Press NAT RULE and press add and then add static NAT Rule. NETWORK TOPOLOGY Translated IP 20.0.0.100 E0/0
E0/1 10.0.0.1
20.0.0.1
Cisco ASA5505 Telnet Server
20.0.0.10
10.0.0.10
35
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 2 A New Window will be open and then click source
36
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 3 A new window will open press add and then IP name
37
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 4 A new window is opened. Enter Name: Telnet Server and IP Address: 10.0.0.1. Press ok.
38
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 5 Check use IP address field and then enter IP address 20.0.0.100 as an translated IP.
39
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step6 Press enter. Following window will be opened. Press Apply.
40
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 7 To allow the access to telnet server connected to inside interface, we have to configure the access rule from outside machine to telnet server.
41
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 8 Press Add and then select interface “Outside” and then press on “Permit”. On source field select any and in destination field enter the translated IP Address 20.0.0.100.Select traffic direction In. Also Select services TCP/Telnet.
42
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 9 Press Ok and you can see the access rule on the following window. Now telnet from outside machine to telnet server that is translated with 20.0.0.100 IP address.
43
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB 9: Configure Remote Access VPN (Easy VPN) through ASDM Step 1 Press Configuration menu and then select VPN tab. NETWORK TOPOLOGY IP Pool: 172.16.1.1-254 E0/0
E0/1 10.0.0.1
20.0.0.1
Cisco ASA5505 Telnet Server 10.0.0.10
44
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
20.0.0.10 Cisco VPN Client
SNAF Lab Manual
Step 2: Click Launch VPN Wizard and new window will be opened. Click Remote access VPN and then select outside interface as a VPN terminated interface. Enter Next.
45
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 3 Select the VPN client Type to Cisco VPN Client 3.X or higher and then press Next.
46
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 4 Enter pre-share key cisco123 and tunnel group name CTTC.
47
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 5 Click on authenticating local user database
48
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 6 Add another user test in local database of ASA appliance.
49
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 7 Create a new local pool of IP Addresses. Click New.
50
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 8 Enter the name of Pool “CTTCPOOL” and then starting range 172.16.1.1 and Ending IP Address 172.16.1.254.
51
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 9 Enter the primary DNS server 10.0.0.100 and domain name “cttc.net.pk”.
52
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 10 Configure IKE Phase 1 parameters as soon in the below window. Click Next.
53
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 11 Select IPSEC phase parameters as shown in below window and then click next.
54
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 12 In order to bypass VPN traffic from Network Address Translation, you need to select interface “Inside” and configure 10.0.0.0 with the default mask of 255.255.255.0. Press Add and then click Next.
55
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 13 Just see the summary of VPN configuration and then click on finish to complete.
56
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 14 Open VPN Client Software Click New
A New window will open. Enter the connection entry name “cttc” and host IP Address 20.0.0.1 . Enter the Tunnel Group Name “CTTC” and then enter pre-share key “cisco123”.Click Save.
57
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 15 A new Connection Entry will be created as shown in below window.
Double click the connection entry after that a new window will be opened . Enter the Username and Password for VPN local Database Authentication.
After entering the username and password VPN tunnel will be established and you can verify the credential of VPN connections from the below window.
58
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB 10: Configure Remote Access VPN (Easy VPN) using AAA Step1: Press on configuration menu and then click on “AAA Server Group”. Press Add. NETWORK TOPOLOGY IP Pool: 172.16.1.1-254 E0/0
E0/1 10.0.0.1
20.0.0.1
Cisco ASA5505
20.0.0.10 Cisco VPN Client
10.0.0.10
59
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 2: Type the Server Group as “default” and then select protocol “TACACS+” and then press Ok.
60
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step3: Press Add “AAA Servers” and then select the Interface on which AAA server is placed “inside”. Enter AAA Server IP Address “10.0.0.10” and then enter Secret Server Key “cisco123”. Press Pk.
61
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 4: Both Entries configured shown in below window. Press Apply.
62
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step5: Select “IPSEC CONECTION PROFILE” from the window and then select “CTTC” connection entry and then press “Edit”.
63
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step6: In User Authentication select Server Group “default” and then click on Use Local if Server Group fails. Press Ok.
64
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step7: In order to enable accounting, select “AAA Access” from window and then press on “Accounting”. Then click on Enable Server Group and select the Group “default”. Press Apply.
65
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 8: In order to Add User on Cisco Secure ACS, press on” User Setup” and enter the username “ahmed” and then click “Add/Edit”.
66
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step9: Enter and confirmed password in below mentioned window. Then press Submit.
67
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step10: Select “Network Configuration” from menu and then click on “Add Entry” for AAA client.
68
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step11: Enter AAA Client name “CTTCA” and then enter the IP address of AAA client i.e. ASA inside Interface IP “10.0.0.1”. Enter the server secret key “cisco123” and then select Authenticating using “TACACS+ (Cisco IOS)”. Then press Submit.
69
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step12: You can see the selected entry has been added in AAA client List in below window.
70
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step13: For accounting, press “Reports and Activity”.
71
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step14: Select “TACACS+ Accounting” and then select “TACACS+ Accounting active.csv”.
72
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step15: Accounting statics mentioned in below window.
73
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB 11: Configuring IPSEC Site to Site VPN through ASDM Step1: On CTTC B Firewall, Click “Wizard” option from the top menu and then selects IPSEC Wizard. Select Site to Site VPN Option and then press Next.
NETWORK TOPOLOGY
E0/1 10.0.0.1
E0/0 11.0.0.1 CTTCA
10.0.0.10
74
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
E0/1
E0/0 11.0.0.2
20.0.0.1 CTTCB 20.0.0.10
SNAF Lab Manual
Step2: Enter the Peer IP Address “11.0.0.2” and then select Authentication method “ Pre-shared Key” and then enter Pre-Shared Key “ Cisco123”. Leave the tunnel group name as “11.0.0.2”.Press Next.
75
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step3: Enter the IKE Phase 1 parameters as mentioned in below window.
76
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step4: Enter the IKE Phase 2 parameters as shown in below mentioned window.
77
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step5: In order to define the interesting VPN traffic selects the source network from which traffic will be transmitted to tunnel. Press the inside-network 20.0.0.0/8 as a source network. Press Ok.
78
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step6: Enter the remote network to which VPN traffic will be forwarded as “10.0.0.0/8”.Press Ok.
79
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step7: Both the configured entries are shown in below mention window. Traffic from Local network to Remote Network will only pass through VPN Tunnel. Press Next.
80
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step8: Below mentioned window shows the summary of VPN configuration. Press finish to complete the configuration on CTTCB firewall.
NOTE: Repeat these steps on CTTCA firewall as well as in order to configure Site to Site VPN.
81
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 9: After configuring CTTCA firewall, you can verify that VPN Tunnel Status in below mention window. IKE: 1 and IPSEC: 1
82
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step10: Click monitoring Tab and then click VPN and then sessions.
83
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step11: Verify the IKE phase 1 and IPSEC phase parameters. ciscoasa# sh crypto isakmp sa Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 ciscoasa# sh crypto ipsec sa interface: outside Crypto map tag: outside_map, seq num: 1, local addr: 11.0.0.2 access-list outside_1_cryptomap permit ip 20.0.0.0 255.0.0.0 remotenetwork 255.255.255.0 local ident (addr/mask/prot/port): (20.0.0.0/255.0.0.0/0/0) remote ident (addr/mask/prot/port): (remotenetwork/255.255.255.0/0/0) current_peer: 11.0.0.1 #pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226 #pkts decaps: 226, #pkts decrypt: 226, #pkts verify: 226 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 226, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1 path mtu 1500, ipsec overhead 58, media mtu 1500 current outbound spi: 2DBE841E inbound esp sas: spi: 0x023E2818 (37627928) transform: esp-des esp-md5-hmac no compression
84
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB12: Configuring Static Route on ASA Firewall through ASDM Step1: Press Configuration and then device setup and then select Static Routes. Press Add.(CTTCA)
NETWORK TOPOLOGY
E0/1 10.0.0.1
E0/0 11.0.0.1 CTTCA
10.0.0.10
85
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
E0/1
E0/0 11.0.0.2
20.0.0.1 CTTCB 20.0.0.10
SNAF Lab Manual
Step2: Select the Interface “Outside” and then mention the destination network “20.0.0.0” and subnet mask “255.0.0.0”. And then click on gateway IP option.
86
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step3: A new window will open. Press Add.
87
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step4: Enter the Network Object Name “next hop” and mentioned the IP Address of next hop “11.0.0.2”. Select network mask 255.255.255.255 and press Ok.
88
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step5: Anew window will open as below. Press Ok.
89
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step6: A new window will be opened as below. Press Apply to configure the static route.
90
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 7: Repeat the previous steps to configure the below mentioned static route on CTTCB firewall.
91
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB13: Configuring Passive RIP on ASA Firewall through ASDM Step1: Click on enable RIP routing and then check RIP version1 and then add 10.0.0.0 and 11.0.0.0 networks and then click “outside” interface as a passive interface on CTTCA firewall.
NETWORK TOPOLOGY
E0/1 10.0.0.1
E0/0 11.0.0.1 CTTCA
10.0.0.10
92
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
E0/1
E0/0 11.0.0.2
20.0.0.1 CTTCB 20.0.0.10
SNAF Lab Manual
Step2: Click on enable RIP routing and then check RIP version1 and then add 20.0.0.0 and 11.0.0.0 networks and then click “outside” interface as a passive interface on CTTCB firewall.
93
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB14: Telnet and SSH Configuration on ASA Appliance through ASDM Step1: Click on Configuration >Device Management>Management Access> asdm/http/https/ssh/Telnet. Press Add.
94
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step2: Click on telnet and mentioned the IP address 10.0.0.10 that is connected to inside interface of firewall. Firewall can only be accessed from 10.0.0.10 IP. Press Ok.
95
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step3: The firewall is configured for telnet and that is highlighted on below mention window.
96
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step4: For SSH Configuration, select the inside interface and then click on SSH. Enter the IP address of the client that initiate SSH to the security appliance.
97
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step5: For SSH you need to configure domain name and hostname of firewall. Configuration>Device Setup>DeviceName/Password.
98
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step6: Generate RSA Key. Configuration>device management>Certificate Management>Identity Management
99
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step7: Click on Add a new identity certificate and then click on new.
100
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step8: Press Generate now to generate RSA key for SSH.
101
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB15: Configuring ASA for Software Image and Licensing Step1: In order to configure the Boot Sequence of ASA image and also to define the ASDM image please Navigate the following: Configuration>Device Management> System image/configuration>Boot image/configuration. Press Add.
102
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step2: In order to define the Flash Image click on Browse Flash.
103
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step3: Select the appropriate image and then press Ok.
104
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step4: The software image has been added. In order to define ASA image file path press on Browse Flash.
105
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step5: Press on appropriate ASDM image file as below window. Press Ok.
106
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step6 : Press Apply to push the configuration to ASA Appliance.
107
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step7 : In order to upgrade the license we need to change activation key. Configuration>Device Management>Activation Key
108
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
LAB16: Monitoring ASA Appliance through ASDM Step1: To verify the Platform, ASA version, ASDM version, Device Uptime, Interface Status, CPU and memory utilization and latest asdm Syslog messages go to Home page of ASDM.
109
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step2: Foe the monitoring of Routing Tables please navigate Monitoring>Routing.
110
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step 3: For interfaces monitoring please navigate Monitoring>Interfaces
111
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step4: For AAA Servers monitoring, please navigate Monitoring>Properties>AAA Servers
112
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step5: For real time logging please navigate Monitoring>Logging>Real Time Log View
113
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
Step6: Press view to see the real time logs.
114
CTTC (PVT) Limited@2010 Web: www.cttc.net.pk Ph: 92-21-4310956-8
SNAF Lab Manual
View more...
Comments
