Asa Essentials Part 1

ASA Firewall Essentials
July, 2018
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Introduction to the ASA Firewall
The ASA Operating System
ASA Firewall Configuration
ASA Remote Access
Technical Demo
• Adaptive Security Appliance - Cisco’s lead dedicated firewall
solution (All-in-One solution)
 Firewall
 VPN concentrator
 IPS
• Advanced features
 Virtual Firewalling
 Transparent/Routed mode
 High Availability
 Advanced Threat Control (AIP-SSM, AIP-SSC modules)
 Identity Firewall
• Also monitors the state of connections
Initiation, data transfer, termination
• Can detect abnormal connection behavior that might indicate attacks

or exploits.
“DMZ “
Security Level 50
“outside” “inside”
Security Level 0 Security Level 100
E0/2
E0/1
Internet
E0/3
• Only certain connections get inspected
• The administrator configures the levels of security for each interface
• Routed-mode
• the ASA is a layer 3 device
• all the ASA features and capabilities are active
• Transparent-mode
• the ASA is a layer 2 device(works with VLANs instead of IP Subnets)
• can have a global IP used for remote management
• is invisible to any attacker coming from the Internet
• Some functionalities are disabled: routing protocols, VPNs, QoS, DHCP
Relay.
• Same modular structure as IOS
Unprivileged mode
Limited rights
Privileged mode
Generaly used for show commands
Global configuration
Used for “general” configurations (e.g password for priviledged mode, static routes,
banners, hostname configuration etc)
Configuration sub-modes
Used for advanced configurations of specific features (firewall, VPN, routing
protocols etc)
• Same help system

ciscoasa > ?
enable Turn on privileged commands
ciscoasa>enable 15
Password:
ciscoasa#configure terminal
ciscoasa(config)#interface fa0/1
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#exit
ciscoasa>
• The default password is …?

CR + LF
ciscoasa > ?
exit Exit the current command mode
login Log in as a particular user
logout Exit from current user profile to unprivileged mode
perfmon Change or view performance monitoring options
ping Test connectivity from specified interface to an IP
address
quit Exit the current command mode
ciscoasa > help enable
USAGE:
enable [<priv_level>]
DESCRIPTION:
• First we delete…
startup-config running- config
Flash RAM
Deleting configurations
ciscoasa# clear configure all
ciscoasa# write erase
• Then we save!
startup-config running- config
ciscoasa# show running
ciscoasa# show startup Flash RAM
Salvarea configurației
ciscoasa# copy running startup

ciscoasa# write mem
ciscoasa# wr
• Configuring a hostname
ciscoasa(config)# hostname ipd

ipd(config)#
• Configuring a password for the telnet line

ipd(config)# passwd cisco
• Configuring a password for privileged mode. How did we

configure this on a router?
ipd(config)# enable password cisco
ipd# sh run | i pass
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
“DMZ “
Security Level 50
E0/2
E0/1
Internet
E0/3
• Configuring security levels is done from (config-if)#
• An ASA interface that has no name or security level does not
have L3 connectivity
“DMZ “
Security Level 50
E0/2
E0/1
Internet
E0/3
ciscoasa(config)# interface e0/1

ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
• Can be configured using the security-level command
“DMZ “
Security Level 50
E0/2
E0/1
Internet
E0/3
ciscoasa(config)#interface e0/1
ciscoasa(config-if)#nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)#no shutdown
• By default access is not allowed
ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside

ciscoasa(config)# telnet timeout 10
ciscoasa(config)# passwd cisco123
• If no password is set, by default it’s “cisco”
• Access through telnet on the outside interface(security-level 0) is not

permitted unless the telnet connection is coming through an IPSec tunnel
• Monitoring connections
ciscoasa# who
0: 10.10.0.132
ciscoasa# kill 0
ciscoasa# who
• Permitted on any interface
• Step 1: generate the keys
ciscoasa(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named
<Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
• Step 2: activate SSH

ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 10
• By default, the user is “pix” and the password is the one

configured with passwd
• Configuring a specific interface
asa1# show run interface E0/3
interface Ethernet0/3
speed 10
duplex full
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0
• Name of the interface and security levels
asa1# show nameif

Interface Name Security
GigabitEthernet0/0 outside 0
GigabitEthernet0/1 inside 100
GigabitEthernet0/2 dmz 50
• All the parameters of an interface
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0013.c482.2e4c, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
8 packets input, 1078 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (8/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "outside":
8 packets input, 934 bytes
0 packets output, 0 bytes
8 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
• What command did we use in IOS to see the L2 and 3 status of
interfaces in a "brief" output?
show ip interface brief
• ASA does it slightly different

show interface ip brief
ciscoasa(config)# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 192.168.1.1 YES manual up up
Ethernet0/1 10.10.1.1 YES manual up up
 22
• IOS Q: can we run a show command from config mode?
A: yes, using the argument “do” in front of the command
normal_cisco_router(config)#do show clock

*15:08:07.867 UTC Thu Feb 17 2011
• We don’t have “do” in ASA OS, but …

… you can give show commands from anywhere in the OS
ciscoasa(config-if)# sh clock
15:54:01.139 UTC Thu Feb 17 2011
• There’s also the possibility of filtering output by using “|” and

the arguments:“i”, “b”, “grep”
ASA
R1 e0/0 e0/0
R2
G0 G1
outside
inside

Asa Essentials Part 1

Uploaded by

Copyright:

Available Formats

Asa Essentials Part 1

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Asa Essentials Part 1

Uploaded by

Copyright:

Available Formats

ASA Firewall Essentials

The ASA Operating System

ASA Firewall Configuration

ASA Remote Access

• Can detect abnormal connection behavior that might indicate attacks

• Only certain connections get inspected

• The administrator configures the levels of security for each interface

• Same help system

enable Turn on privileged commands

• The default password is …?

enable Turn on privileged commands

exit Exit the current command mode

login Log in as a particular user

logout Exit from current user profile to unprivileged mode

perfmon Change or view performance monitoring options

ping Test connectivity from specified interface to an IP

quit Exit the current command mode

ciscoasa > help enable

enable Turn on privileged commands

ciscoasa# clear configure all

ciscoasa# write erase

ciscoasa# copy running startup

ciscoasa(config)# hostname ipd

• Configuring a password for the telnet line

• Configuring a password for privileged mode. How did we

• Configuring security levels is done from (config-if)#

ciscoasa(config)# interface e0/1

ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside

• If no password is set, by default it’s “cisco”

• Access through telnet on the outside interface(security-level 0) is not

• Step 2: activate SSH

• By default, the user is “pix” and the password is the one

• Name of the interface and security levels

asa1# show nameif

• ASA does it slightly different

normal_cisco_router(config)#do show clock

• We don’t have “do” in ASA OS, but …

• There’s also the possibility of filtering output by using “|” and

You might also like