CCNA Security

Chapter 9 Lab A: Configuring ASA Basic Settings and Firewall

Using CLI
This lab has been updated for use on NETLAB+

Topology

Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet interfaces.

© 2018 Cisco and/or its affiliates Page 1 of 13

 CCNA Security Chapter 9 Lab

. All rights reserved. This document is Cisco Public.

IP Addressing Table
Device Interface IP Address Subnet Mask Default Gateway Switch Port

G0/0 209.165.200.225 255.255.255.248 N/A ASA G1/1

R1
S0/0/0 (DCE) 10.1.1.1 255.255.255.252 N/A N/A
S0/0/0 10.1.1.2 255.255.255.252 N/A N/A
R2
S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A N/A
G0/1 172.16.3.1 255.255.255.0 N/A S3 F0/5
R3
S0/0/1 10.2.2.1 255.255.255.252 N/A N/A
ASA G1/2 192.168.1.1 255.255.255.0 NA S2 F0/24
ASA G1/1 209.165.200.226 255.255.255.248 NA R1 G0/0
ASA G1/3 192.168.2.1 255.255.255.0 NA S1 F0/24
PC-A NIC 192.168.2.3 255.255.255.0 192.168.2.1 S1 F0/6
PC-B NIC 192.168.1.3 255.255.255.0 192.168.1.1 S2 F0/18
PC-C NIC 172.16.3.3 255.255.255.0 172.16.3.1 S3 F0/18
Objectives
Part 1: Basic Router/Switch/PC Configuration
• Configure hostnames and interface IP addresses for routers, switches, and PCs.
• Configure static routing, including default routes, between R1, R2, and R3.
• Enable HTTP and SSH access for R1.
• Configure PC host IP settings.
• Verify connectivity between hosts, switches, and routers.
• Save the basic running configuration for each router and switch.
Part 2: Accessing the ASA Console and Using CLI Setup Mode to Configure Basic Settings
• Access the ASA console and view hardware, software, and configuration settings.
• Determine the ASA version, interfaces, and license.
• Determine the file system and contents of flash memory.
• Use CLI Setup mode to configure basic settings (hostname, passwords, clock, etc.).
Part 3: Configuring Basic ASA Settings and Interface Security Levels Using the CLI.
• Configure the hostname and domain name.
• Configure the login and enable passwords.
• Set the date and time.
• Configure the inside and outside interfaces.
• Test connectivity to the ASA.
• Configure SSH access to the ASA.
• Configure HTTPS access on the ASA for ASDM.
Part 4: Configuring Routing, Address Translation, and Inspection Policy Using the CLI
• Configure a static default route for the ASA.
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 13
 CCNA Security Chapter 9 Lab

• Configure PAT and network objects.

• Modify the
MPF application inspection global service policy.
Part 5: Configuring DHCP, AAA, and SSH
• Configure the ASA as a DHCP server/client.
• Configure Local AAA user authentication.
• Configure SSH remote access to the AAA.
Part 6: Configuring DMZ, Static NAT, and ACLs
• Configure the DMZ interface VLAN 3 on the ASA.
• Configure static NAT for the DMZ server using a network object.
• Configure an ACL to allow access to the DMZ for Internet users.
• Verify access to the DMZ server for external and internal users.

Background/Scenario
The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a
stateful firewall, VPN, and other capabilities. This lab employs an ASA 5506 to create a firewall and protect an
internal corporate network from external intruders while allowing internal hosts access to the Internet. The
ASA creates three security interfaces: Outside, Inside, and DMZ. It provides outside users limited access to
the DMZ and no access to inside resources. Inside users can access the DMZ and outside resources.
The focus of this lab is the configuration of the ASA as a basic firewall. Other devices will receive minimal
configuration to support the ASA portion of this lab. This lab uses the ASA CLI, which is similar to the IOS
CLI, to configure basic device and security settings.
In Part 1 of this lab, you will configure the topology and non-ASA devices. In Parts 2 through 4 you will
configure basic ASA settings and the firewall between the inside and outside networks. In part 5 you will
configure the ASA for additional services, such as DHCP, AAA, and SSH. In Part 6, you will configure a DMZ
on the ASA and provide access to a server in the DMZ.
Your company has one location connected to an ISP. R1 represents a CPE device managed by the ISP. R2
represents an intermediate Internet router. R3 represents an ISP that connects an administrator from a
network management company, who has been hired to remotely manage your network. The ASA is an edge
security device that connects the internal corporate network and DMZ to the ISP while providing NAT and
DHCP services to inside hosts. The ASA will be configured for management by an administrator on the
internal network and by the remote administrator. Layer 3 interfaces provide access to the three areas
created in the lab: Inside, Outside, and DMZ. The ISP has assigned the public IP address space of
209.165.200.224/29, which will be used for address translation on the ASA.
Note: The router commands and output in this lab are from a Cisco 1941 with Cisco IOS Release 15.4(3)M2
image with a Security Technology license. Other routers and Cisco IOS versions can be used. See the Router
Interface Summary Table at the end of this lab to determine which interface identifiers to use based on the
equipment in your class. Depending on the router model and Cisco IOS version, the available commands and
output produced might vary from what is shown in this lab.
The ASA used with this lab is a Cisco model 5506 with an 8-port integrated router, running OS version 9.8(1),
Adaptive Security Device Manager (ASDM) version 7.8(1), and comes with a Base license.

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 13
CCNA Security Chapter 9 Lab

Preconfiguration
Préembule 1: Préparation d’un routeur C1941

upgrade d’un routeur Cisco 1941

1. Ajouter un routeur C1941

2. Ajouter un serveur

3. Ajouter une connexion entre le routeur : GigabitEthernet0/0 et le serveur

4. Effectuer la configuration suivante sur le routeur

5. Effectuer la configuration suivante sur le serveu

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 13
CCNA Security Chapter 9 Lab

6. 6. tester le ping du serveur vers le routeur

7. De même, tester le ping du routeur vers le serveur

8. Valider que la connexion est up and running

9. Sur le serveur, aller dans services/TFTP et vérifier que le package « c1900-universalk9-mz.SPA.155-

3.M4a.bin » existe bien sur le serveur FTP

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 13
CCNA Security Chapter 9 Lab

10. Sur le routeur, aller dans le CLI et effectuer les manœuvres suivantes pour récupérer le package « c1900-
universalk9-mz.SPA.155-3.M4a.bin » depuis le serveur FTP et les copier dans la memoire flash du rou-
teur.
Routeur>enable

N.B: la copie est case sensitive, il faut faire attention à copier le le nom du fichier exact qui se trouve sur le
serveur FTP

11. Une fois la copie terminée, sauvegarder la configuration

routeur#wr memory

12. Mettre à jour la variable boot dans le running configuration

routeur#configure terminal

routeur(config)#boot system flash:c1900-universalk9-mz.SPA.155-3.M4a.bin

routeur(config)#end

routeur#wr memory

13. Verifier que la variable boot a bien été mise à jour

routeur#show running-config

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 6 of 13
CCNA Security Chapter 9 Lab

14. Regénérer la configuration du routeur pour prendre en compte la mise à jour

routeur#reload

15. Vérifier que la configuration a bien été prise en compte

routeur#show version

Préambule2: Ajout d’une interface serial

1. Sur le routeur mis à jour, aller dans Physical, faire un shut down du routeur

2. Aller dans les modules disponibles et ajouter au routeur une carte HWIC-2T afin d’incorporer deux ports
serie au routeur

3. Remettre le routeur en marche

4. Sauvegarder la configuration
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 7 of 13
 CCNA Security Chapter 9 Lab

Part 1: Basic Router/Switch/PC Configuration

In Part 1 of this lab, you will configure basic settings on the routers, such as interface IP addresses and static
routing.
Note: Do not configure ASA settings at this time.

Step 1: Configure basic settings for routers and switches.

a. Configure hostnames as shown in the topology for each router.
b. Configure router interface IP addresses as shown in the IP Addressing Table.
c. Explain the concept of DCE and DTE in serial cables and configure a clock rate for routers with a DCE serial
cable attached to their serial interface. R1 is shown here as an example.
R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000
d. Configure the host name for the switches. Other than the host name, the switches can be left in their default
configuration state.

Step 2: Configure static routing on the routers.

a. What is the definition of a static route and how a static route is configured a Cisco router. Is the following
configuration of a static default route from R1 to R2 and from R3 to R2 correct?
R1(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/0
R3(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/1
Provide another writing of a static default route from R1 to R2 and From R3 to R2
b. Configure a static route from R2 to the R1 G0/0 subnet (connected to ASA interface Gi1/1) and a static route from
R2 to the R3 LAN.
R2(config)# ip route 209.165.200.224 255.255.255.248 Serial0/0/0
R2(config)# ip route 172.16.3.0 255.255.255.0 Serial0/0/1

Step 3: Enable the HTTP server and configure a user account, encrypted passwords, and crypto
keys for SSH.
Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the purposes
of this lab. More complex passwords are recommended in a production network.
a. Enable HTTP access to R1 using the ip http server command in global config mode.
R1(config)# ip http server
b. Configure a minimum password length of 10 characters using the security passwords command.
R1(config)# security passwords min-length 10
c. What is a domain name, what is it used for. Configure a domain name.
R1(config)# ip domain-name ccnasecurity.com

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 8 of 13
 CCNA Security Chapter 9 Lab

d. what is the usage of crypto keys in the context of a router. Configure crypto keys for SSH.
R1(config)# crypto key generate rsa general-keys modulus 1024
e. Configure an admin01 user account using algorithm-type scrypt for encryption and a password of admin01pass.
R1(config)# username admin01 algorithm-type scrypt secret admin01pass

what does the algorithm-type stand for? What are the different encryption algorithm types permitted
in Cisco routers
f. Configure line console 0 to use the local user database for logins. What is the role of exec-timeout command.
Set the log out time out to 5 minutes. What is the role of logging synchronous command?
Note: To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0, which
prevents it from expiring. However, this is not considered to be a good security practice.
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
R1(config-line)# logging synchronous
g. What does vty stand for? Configure line vty 0 4 to use the local user database for logins and restrict access to
only SSH connections.
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 5 0
h. Configure the enable password with strong encryption.
R1(config)# enable algorithm-type scrypt secret admin01pass

Step 4: Configure PC host IP settings.

Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C as shown in the
IP Addressing Table.

Step 5: Verify connectivity.

Because the ASA is the focal point for the network zones, and it has not yet been configured, there will be no
connectivity between devices that are connected to it. However, PC-C should be able to ping the R1 interface.
From PC-C, ping the R1 G0/0 IP address (209.165.200.225). If these pings are not successful, troubleshoot
the basic device configurations before continuing.
Note: If you can ping from PC-C to R1 G0/0 and S0/0/0 you have demonstrated that static routing is
configured and functioning correctly.

Step 6: Save the basic running configuration for each router and switch.

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 9 of 13
CCNA Security Chapter 9 Lab

Part 2: Accessing the ASA Console and Using CLI Setup to Configure Basic
Settings
In Part 2 of this lab, you will access the ASA via the console and use various show commands to determine
hardware, software, and configuration settings. You will clear the current configuration and use the CLI
interactive setup utility to configure basic ASA settings.
Note: Do not configure ASA settings at this time.

Step 1: Access the ASA console.

a. Enter privileged mode with the enable command and password (if a password has been set). The
password is blank by default. Press Enter. If the password has been changed to what is specified in this
lab, enter the word class. The default ASA hostname and prompt is ciscoasa>.
ciscoasa> enable
Password: class (or press Enter if none set)
Step 2: Determine the ASA version, interfaces, and license.
The ASA 5506 comes with eight Gigabit Ethernet ports.
Use the show version command to determine various aspects of this ASA device.
ciscoasa# show version
Example of a response:
Cisco Adaptive Security Appliance Software Version 9.8(2) Firepower
Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(1)

Compiled on Sun 27-Aug-17 13:06 PDT by builders

System image file is "disk0:/asa982-lfbff-k8.SPA"
Config file at boot was "startup-config"
ciscoasa up 10 mins 59
secs

Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4
cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision

0x1)
Number of accelerators: 1

1: Ext: GigabitEthernet1/1 : address is 00f2.8b8e.69ef, irq 255

2: Ext: GigabitEthernet1/2 : address is 00f2.8b8e.69f0, irq 255
3: Ext: GigabitEthernet1/3 : address is 00f2.8b8e.69f1, irq 255
4: Ext: GigabitEthernet1/4 : address is 00f2.8b8e.69f2, irq 255
5: Ext: GigabitEthernet1/5 : address is 00f2.8b8e.69f3, irq 255
6: Ext: GigabitEthernet1/6 : address is 00f2.8b8e.69f4, irq 255
7: Ext: GigabitEthernet1/7 : address is 00f2.8b8e.69f5, irq 255
8: Ext: GigabitEthernet1/8 : address is 00f2.8b8e.69f6, irq 255
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 10 of 13
 CCNA Security Chapter 9 Lab

<output omitted>

What software version is this ASA running?

_______________________________________________________________________________________

What is the name of the system image file and from where was it loaded?
_______________________________________________________________________________________
_______________________________________________________________________________________

The ASA can be managed using a built-in GUI known as ASDM. What does ASDM refer to and what version
of ASDM is this ASA running?
_______________________________________________________________________________________
How much RAM does this ASA have?
_______________________________________________________________________________________

How much flash memory does this ASA have?

_______________________________________________________________________________________

How many network ports does this ASA have?

_______________________________________________________________________________________

What type of license does this ASA have?

_______________________________________________________________________________________

How many VLANs can be created with this license?

_______________________________________________________________________________________

Step 3: Determine the file system and contents of flash memory.

a. Display the ASA file system using the show file system command. Determine what prefixes are supported.
ciscoasa# show file system
Example of a response:
File Systems:
Size(b) Free(b) Type Flags Prefixes
* 7859437568 4465147904 disk rw disk0: flash:
- disk rw disk1: - - network rw tftp:
- - opaque rw system: - - network
ro http: - - network ro https: -
- network rw scp:
- network rw ftp:
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 11 of 13
 CCNA Security Chapter 9 Lab

-
network wo
What is another name for flash:?______________________________________________________

a. Display the contents of flash memory using one of these commands: show flash, show disk0, dir flash:, or dir
disk0:.
b. ciscoasa# show flash
Example of a response:
--#-- --length-- -----date/time------ path

103 33 Nov 29 2017 10:34:52 .boot_string

11 4096 Jan 09 2016 19:43:02 log

13 65486 Nov 29 2017 11:28:45 log/asa-appagent.log

20 4096 Jan 09 2016 19:43:52 crypto_archive

21 4096 Jan 09 2016 19:43:56 coredumpinfo

22 59 Jan 09 2016 19:43:56 coredumpinfo/coredump.cfg

104 08563072 Nov 24 2017 14:55:22 asa982-lfbff-k8.SPA

105 5209829 Oct 17 2017 21:50:48 anyconnect-win-4.5.02033webdeploy-k9.pkg

106 26916068 Nov 24 2017 15:22:28 asdm-781.bin

7859437568 bytes total (4465147904 bytes free)
What is the name of the ASDM file in flash:? ________________________________________________

Step 4: Determine the current running configuration.

The ASA 5506 is commonly used as an edge security device that connects a small business or teleworker to
an ISP device, such as a DSL or cable modem, for access to the Internet.
Display the current running configuration using the show running-config command.
ciscoasa# show running-config
: Saved
: Serial Number: JAD2002064E
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4
cores) :
ASA Version 9.8(2) !
hostname ciscoasa enable
password
$sha512$5000$ftqbmZLcP1yvT9in1bvjlg==$+GU2ZHobKrNifvyb45nWEQ== pbkdf2
xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4
any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp
any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-
session deny udp any4 any6 eq domain xlate per-session deny udp any6
any4 eq domain xlate per-session deny udp any6 any6 eq domain names !

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 12 of 13
CCNA Security Chapter 9 Lab

interface GigabitEthernet1/1 shutdown no nameif no security-level

no ip address !
interface GigabitEthernet1/2
shutdown no
nameif no
security-level no
ip address !
<output omitted>

Note: To stop the output from a command using the CLI, press Q.
You can restore the ASA to its factory default settings by using the configure factory-default command.
ciscoasa# conf t
ciscoasa(config)# configure factory-default

WARNING: The boot system configuration will be cleared. The

first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will not
boot.

Begin to apply factory-default configuration:

Clear all configuration
Executing command: …
Executing command: …
Executing command: …
Factory-default configuration is completed
<output omitted>

Note: If you receive a prompt for Anonymous Error reporting, proceed by answering No.

Review this output and pay attention to the VLAN interfaces, NAT-related, and DHCP-related sections. These
will be configured later in this lab using the CLI.
You may want to capture and print the factory-default configuration as a reference. Use the terminal
emulation program to copy it from the ASA and paste it into a text document. You can then edit this file if
desired, so that it contains only valid commands. You should remove password commands and enter the no
shut command to bring up the desired interfaces.

Step 5: Clear the previous ASA configuration settings.

Use the write erase command to remove the startup-config file from flash memory.
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa#
ciscoasa# show start
No Configuration
Note: The IOS command erase startup-config is not supported on the ASA.

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 13 of 13