Scribd
Upload
27 views

All Chapter 10 Lab B Configuring ASA Bas

Uploaded by

than kyaw
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
27 views

All Chapter 10 Lab B Configuring ASA Bas

Uploaded by

than kyaw
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 42

CCNA Security

Chapter 10 Lab B: Configuring ASA Basic Settings and Firewall


Using ASDM
Topology

Note: ISR G2 devices have Gigabit Ethernet interfaces instead of Fast Ethernet interfaces.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 42
CCNA Security

IP Addressing Table
Default
Device Interface IP Address Subnet Mask Gateway Switch Port
R1 FA0/0 209.165.200.225 255.255.255.248 N/A ASA E0/0
S0/0/0 10.1.1.1 255.255.255.252 N/A N/A
(DCE)
R2 S0/0/0 10.1.1.2 255.255.255.252 N/A N/A
S0/0/1 10.2.2.2 255.255.255.252 N/A N/A
(DCE)
R3 FA0/1 172.16.3.1 255.255.255.0 N/A S3 FA0/5
S0/0/1 10.2.2.1 255.255.255.252 N/A N/A
ASA VLAN 1 192.168.1.1 255.255.255.0 NA S2 FA0/24
(E0/1)
ASA VLAN 2 209.165.200.226 255.255.255.248 NA R1 FA0/0
(E0/0)
ASA VLAN 3 192.168.2.1 255.255.255.0 NA S1 FA0/24
(E0/2)
PC-A NIC 192.168.2.3 255.255.255.0 192.168.2.1 S1 FA0/6
PC-B NIC 192.168.1.3 255.255.255.0 192.168.1.1 S2 FA0/18
PC-C NIC 172.16.3.3 255.255.255.0 172.16.3.1 S3 FA0/18

Objectives
Part 1: Lab Setup
 Cable the network as shown in the topology.
 Configure hostnames and interface IP addresses for routers, switches, and PCs.
 Configure static routing, including default routes, between R1, R2, and R3.
 Configure HTTP and Telnet access for R1.
 Verify connectivity between hosts, switches, and routers.
Part 2: Accessing the ASA Console and ASDM
 Access the ASA console and view hardware, software, and configuration settings.
 Clear previous configuration settings.
 Use CLI to configure settings for ASDM access.
 Test Ethernet connectivity to the ASA.
 Access the ASDM GUI and explore major windows and options.
Part 3: Configuring ASA Settings and Firewall Using the ASDM Startup Wizard
 Configure the hostname, domain name, and enable password.
 Configure the inside and outside VLAN interfaces.
 Configure DHCP for the inside network.
 Configure port address translation (PAT) for the inside network.
 Configure Telnet and SSH administrative access.
Part 4: Configuring ASA Settings from the ASDM Configuration Menu

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 42
CCNA Security

 Set the date and time.


 Configure a static default route for the ASA.
 Test connectivity using ASDM Ping and Traceroute.
 Configure Local AAA user authentication.
 Modify the MPF application inspection policy.
Part 5: Configuring a DMZ, Static NAT and ACLs
 Configure static NAT for the DMZ server.
 Configure an ACL on the ASA to allow access to the DMZ for Internet users.
 Verify access to the DMZ server for external and internal users.
 Use ASDM Monitor to graph traffic.

Background / Scenario
The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a
statefull firewall as well as VPN and other capabilities. This lab employs an ASA 5505 to create a firewall and
protect an internal corporate network from external intruders while allowing internal hosts access to the
Internet. The ASA creates three security interfaces: Outside, Inside and DMZ. It provides outside users limited
access to the DMZ and no access to internal resources. Inside users can access the DMZ and outside
resources.
The focus of this lab is on the configuration of the ASA as a basic firewall. Other devices will receive minimal
configuration to support the ASA portion of the lab. This lab uses the ASA GUI interface ASDM, which is
similar to the SDM and CCP used with Cisco ISRs, to configure basic device and security settings.
In Part 1 of the lab you will configure the topology and non-ASA devices. In Part 2 you will prepare the ASA
for ADSM access. In Part 3 you will use the ASDM Startup wizard to configure basic ASA settings and the
firewall between the inside and outside networks. In Part 4 you will configure additional settings via the ASDM
configuration menu. In Part 5 you will configure a DMZ on the ASA and provide access to a server in the
DMZ.
Your company has one location connected to an ISP. Router R1 represents a CPE device managed by the
ISP. Router R2 represents an intermediate Internet router. Router R3 connects an administrator from a
network management company, who has been hired to manage your network remotely. The ASA is an edge
CPE security device that connects the internal corporate network and DMZ to the ISP while providing NAT
and DHCP services to inside hosts. The ASA will be configured for management by an administrator on the
internal network as well as the remote administrator. Layer 3 VLAN interfaces provide access to the three
areas created in the lab: Inside, Outside, and DMZ. The ISP has assigned the public IP address space of
209.165.200.224/29, which will be used for address translation on the ASA.
Note: The routers used with this lab are Cisco 1841 with Cisco IOS Release 12.4(20)T (Advanced IP image).
The switches are Cisco WS-C2960-24TT-L with Cisco IOS Release 12.2(46)SE (C2960-LANBASEK9-M
image). Other routers, switches, and Cisco IOS versions can be used. However, results and output may vary.
The ASA use with this lab is a Cisco model 5505 with an 8-port integrated switch, running OS version 8.4(2)
and ASDM version 6.4(5) and comes with a Base license that allows a maximum of three VLANs.
Note: Make sure that the routers and switches have been erased and have no startup configurations.

Required Resources
 3 routers (Cisco 1841 with Cisco IOS Release 12.4(20)T1 or comparable)
 3 switches (Cisco 2960 or comparable)
 1 ASA 5505 (OS version 8.4(2) and ASDM version 6.4(5) and Base license or comparable)

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 42
CCNA Security

 PC-A: Windows XP, Vista, or Windows 7 with CCP, PuTTy SSH client (Web and FTP server optional)
 PC-B: Windows XP, Vista, or Windows 7 with PuTTy SSH client and Java version 6.x or higher
(ASDM loaded on the PC is optional)
 PC-C: Windows XP, Vista, or Windows 7 with CCP, PuTTy SSH client
 Serial and Ethernet cables as shown in the topology
 Rollover cables to configure the routers and ASA via the console

Part 1: Basic Router/Switch/PC Configuration


In Part 1 of this lab, you will set up the network topology and configure basic settings on the routers such as
interface IP addresses and static routing.
Note: Do not configure any ASA settings at this time.

Step 1: Cable the network and clear previous device settings.


Attach the devices that are shown in the topology diagram and cable as necessary. Make sure that the
routers and switches have been erased and have no startup configurations.

Step 2: Configure basic settings for routers and switches.


a. Configure host names as shown in the topology for each router.
b. Configure router interface IP addresses as shown in the IP Addressing Table.
c. Configure a clock rate for routers with a DCE serial cable attached to the serial interface. Router R1 is
shown here as an example.
R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000

d. Configure the host name for the switches. With the exception of the host name, the switches can be
left in their default configuration state. Configuring the VLAN management IP address for the switches
is optional.

Step 3: Configure static routing on the routers.


a. Configure a static default route from R1 to R2 and from R3 to R2.

R1(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/0


R3(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/1

b. Configure a static route from R2 to the R1 Fa0/0 subnet (connected to ASA interface E0/0) and a
static route from R2 to the R3 LAN.
R2(config)# ip route 209.165.200.224 255.255.255.248 Serial0/0/0
R2(config)# ip route 172.16.3.0 255.255.255.0 Serial0/0/1

Step 4: Enable the HTTP server on R1 and set the enable and vty passwords.
a. Enable HTTP access to R1 using the ip http server command in global config mode. Configure
an enable password of class. Also set the VTY and console passwords to cisco. This will provide
web and Telnet targets for testing later in the lab.
R1(config)# ip http server
R1(config)# enable password class

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 42
CCNA Security

R1(config)# line vty 0 4


R1(config-line)# password cisco
R1(config-line)# login

R1(config)# line con 0


R1(config-line)# password cisco
R1(config-line)# login

Step 5: Configure PC host IP settings.


Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C as shown in
the IP Addressing Table.

Step 6: Verify connectivity.


Because the ASA is the focal point for the network zones and it has not yet been configured, there will be
no connectivity between devices that are connected to it. However, PC-C should be able to ping the R1
interface Fa0/0. From PC-C, ping the R1 Fa0/0 IP address (209.165.200.225). If these pings are not
successful, troubleshoot the basic device configurations before continuing.
Note: If you can ping from PC-C to R1 Fa0/0 and S0/0/0 you have demonstrated that static routing is
configured and functioning correctly.

Step 7: Save the basic running configuration for each router and switch.

Part 2: Accessing the ASA Console and ASDM


In Part 2 of this lab, you will access the ASA via the console and use various show commands to determine
hardware, software, and configuration settings. You will prepare the ASA for ASDM access and explore some
of the ASDM screens and options.

Step 1: Access the ASA console.


a. Accessing the ASA via the console port is the same as with a Cisco router or switch. Connect to the
ASA console port with a rollover cable.
b. Use a terminal emulation program such as TeraTerm or HyperTerminal to access the CLI. Use the
Serial port settings of 9600 baud, eight data bits, no parity, one stop bit, and no flow control.
c. If prompted to enter Interactive Firewall configuration (Setup mode), answer no.
d. Enter privileged mode with the enable command and password (if set). By default the password is
blank so you can just press Enter. If the password has been changed to that specified in this lab,
enter the password class. The default ASA hostname and prompt is ciscoasa>.
ciscoasa> enable
Password: class (or press Enter if no password is set)

Step 2: Determine the ASA version, interfaces, and license.


The ASA 5505 comes with an integrated 8-port Ethernet switch. Ports E0/0 though E0/5 are normal
Fast Ethernet ports and ports E0/6 and E0/7 are PoE ports for use with PoE devices such as IP
phones or network cameras.
Use the show version command to determine various aspects of this ASA device.
ciscoasa# show version

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 42
CCNA Security

Cisco Adaptive Security Appliance Software Version 8.4(2)


Device Manager Version 6.4(5)

Compiled on Wed 15-Jun-11 18:17 by builders


System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 23 hours 0 mins

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz


Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)


Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1

0: Int: Internal-Data0/0 : address is 0007.7dbf.5645, irq 11


1: Ext: Ethernet0/0 : address is 0007.7dbf.563d, irq 255
2: Ext: Ethernet0/1 : address is 0007.7dbf.563e, irq 255

<output omitted>

What Software version is this ASA running? _____________________________________________


What is the name of the System image file and from where was it loaded?
________________________________________________________________________________
The ASA can be managed using a built-in GUI known as the Adaptive Security Device Manager
(ASDM). What version of ASDM is this ASA running? _____________________________________
How much RAM does this ASA have? _________________________________________________
How much flash memory does this ASA have? __________________________________________
How many Ethernet ports does this ASA have? __________________________________________
What type of license does this ASA have? ______________________________________________
How many VLANs can be created with this license? ______________________________________

Step 3: Determine the file system and contents of flash memory.


a. Display the ASA file system using the show file system command to determine what prefixes are
supported.
ciscoasa# show file system

File Systems:

Size(b) Free(b) Type Flags Prefixes


* 128573440 55664640 disk rw disk0: flash:
- - network rw tftp:
- - opaque rw system:
- - network ro http:
- - network ro https:
- - network rw ftp:
- - network rw smb:

What is another name for flash:? _______

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 42
CCNA Security

b. Display the contents of flash memory using one of these commands: show flash, show disk0,
dir flash: or dir disk0:
ciscoasa# show flash:
--#-- --length-- -----date/time------ path
168 25159680 Aug 29 2011 13:00:52 asa842-k8.bin
122 0 Aug 29 2011 13:09:32 nat_ident_migrate
13 2048 Aug 29 2011 13:02:14 coredumpinfo
14 59 Aug 29 2011 13:02:14 coredumpinfo/coredump.cfg
169 16280544 Aug 29 2011 13:02:58 asdm-645.bin
3 2048 Aug 29 2011 13:04:42 log
6 2048 Aug 29 2011 13:05:00 crypto_archive
171 34816 Jan 01 1980 00:00:00 FSCK0000.REC
173 36864 Jan 01 1980 00:00:00 FSCK0001.REC
174 12998641 Aug 29 2011 13:09:22 csd_3.5.2008-k9.pkg
175 2048 Aug 29 2011 13:09:24 sdesktop
211 0 Aug 29 2011 13:09:24 sdesktop/data.xml
176 6487517 Aug 29 2011 13:09:26 anyconnect-macosx-i386-2.5.2014-k9.pkg
177 6689498 Aug 29 2011 13:09:30 anyconnect-linux-2.5.2014-k9.pkg
178 4678691 Aug 29 2011 13:09:32 anyconnect-win-2.5.2014-k9.pkg
<output omitted>

What is the name of the ASDM file in flash:? _________________

Step 4: Determine the current running configuration.


The ASA may be configured with the default factory configuration or may have a configuration remaining from
a previous lab. The default factory configuration for the ASA 5505 includes the following:
 An inside VLAN 1 interface is configured and by default, Ethernet 0/1 through 0/7 switch ports are
assigned to it. The VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
 An outside VLAN 2 interface is configured that includes the Ethernet 0/0 switch port. By default, VLAN 2
derives its IP address from the upstream device (usually the ISP) using DHCP.
 The default route is also derived from the upstream DHCP default gateway.
 All inside IP addresses are translated when accessing the outside interface using PAT on the VLAN 2
interface.
 By default, an access list allows inside users to access the outside, and outside users are prevented from
accessing the inside.
 The DHCP server is enabled on the security appliance. Therefore, a PC connecting to any VLAN 1
interface receives an address between 192.168.1.5 and 192.168.1.36 (Base license).
 The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0/24 network.
 No console or enable passwords are required and the default host name is ciscoasa.
Note: In this lab you will use ASDM to configure settings similar to those listed above, as well as some
additional ones.

a. Display the current running configuration using the show running-config command.
ciscoasa# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 7 of 42
CCNA Security

names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2

<output omitted>

Note: To stop the output from a command using the CLI, press the letter Q.
If you see VLANs 1 and 2 configured and other settings as described previously, the device is most
likely configured with the default factory configuration. You may also see other security features such
as a global policy that inspects selected application traffic, which the ASA inserts by default, if the
original startup configuration has been erased. The actual output will vary depending on the ASA
model, version and configuration status.

Step 5: Clear the previous ASA configuration settings.


a. Use the write erase command to remove the startup-config file from flash memory.
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa#

ciscoasa# show start


No Configuration

Note: The IOS command erase startup-config is not supported on the ASA.
b. Use the reload command to restart the ASA.
ciscoasa# reload
Proceed with reload? [confirm] <enter>
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
<output omitted>

Step 6: Bypass setup mode and configure the ASDM VLAN interfaces.
When the ASA completes the reload process, it should detect that the startup-config file is missing and
present a series of interactive prompts to configure basic ASA settings. If it does not come up in this
mode, repeat Step 5.
a. When prompted to pre-configure the firewall through interactive prompts (Setup mode), respond with
“no”
Pre-configure Firewall now through interactive prompts [yes]? no

b. Enter privileged EXEC mode with the enable command. The password should be blank (no
password) at this point.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 8 of 42
CCNA Security

c. Enter global configuration mode using the command config t. The first time you enter configuration
mode after reloading you will be asked if you wish to enable anonymous reporting. Respond with
“no”.
d. Configure the inside interface VLAN 1 to prepare for ASDM access. The Security Level should be
automatically set to the highest level of 100. The VLAN 1 logical interface will be used by PC-B to
access ASDM on ASA physical interface E0/1.
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# exit

PC-B is connected to switch S2 which is connected to ASA port E0/1. Why is it not necessary to add
physical interface E0/1 to this VLAN? __________________________________________________

ASA 5505 interface notes:


The 5505 is different from the other 5500 series ASA models. With other ASAs, the physical port can be
assigned a Layer 3 IP address directly, much like a Cisco router. With the ASA 5505, the eight integrated
switch ports are Layer 2 ports. To assign Layer 3 parameters, you must create a switch virtual interface
(SVI) or logical VLAN interface and then assign one or more of the physical Layer 2 ports to it.

e. By default, all ASA physical interfaces are administratively down, unless the Setup utility has been
run or the factory defaults have been reset. Because no physical interface in VLAN 1 has been
enabled, the VLAN 1 status is down/down. Use the show interface ip brief command to
verify this.

ciscoasa(config)# show interface ip brief


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down up
Ethernet0/1 unassigned YES unset administratively down up
Ethernet0/2 unassigned YES unset administratively down up
Ethernet0/3 unassigned YES unset administratively down up
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES manual down down
Virtual0 127.0.0.1 YES unset up up

f. Enable the E0/1 interface using the no shutdown command and verify the E0/1 and VLAN 1
interface status. The status and protocol for interface E0/1 and VLAN 1 should be up/up.

ciscoasa(config)# interface e0/1


ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit

ciscoasa(config)# show interface ip brief


Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset administratively down up
Ethernet0/3 unassigned YES unset administratively down up
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 9 of 42
CCNA Security

Internal-Data0/0 unassigned YES unset up up


Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES manual up up
Virtual0 127.0.0.1 YES unset up up

g. Also pre-configure outside interface VLAN 2, add physical interface E0/0 to VLAN 2, and bring up the
E0/0 interface. You will assign the IP address using ASDM.

ciscoasa(config)# interface vlan 2


ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.

ciscoasa(config-if)# interface e0/0


ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit

h. Test Connectivity to the ASA by pinging from PC-B to ASA interface VLAN 1 IP address 192.168.1.1.
The pings should be successful.

Step 7: Configure ASDM and verify access to the ASA.


a. Configure the ASA to accept HTTPS connections using the http command to allow access to ASDM
from any host on the inside network 192.168.1.0/24.
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
b. Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1.
Note: Be sure to specify the HTTPS protocol in the URL.

Step 8: Access ASDM and explore the GUI.


a. After entering the URL above, you should see a security warning about the website security
certificate. Click Continue to this website. The ASDM Welcome page will display. From this screen,
you can run ASDM as a local application on the PC (installs ASDM on the PC), run ASDM as a
browser-based Java applet directly from the ASA, or run the Startup wizard.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 10 of 42
CCNA Security

b. Click the Run ASDM button.


c. Click Yes for any other security warnings. You should see the Cisco ASDM-IDM Launcher dialog
box where you can enter a username and password. Leave these fields blank as they have not yet
been configured.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 11 of 42
CCNA Security

d. Click OK to continue. ASDM will load the current configuration into the GUI.
e. The initial GUI screen is displayed with various areas and options. The main menu at the top left of
the screen contains three main sections; Home, Configuration, and Monitoring. The Home section is
the default and has two dashboards: Device and Firewall. The Device dashboard is the default screen
and shows device information such as Type (ASA 5505), ASA and ASDM version, amount of memory
and firewall mode (routed). There are five areas on the Device Dashboard.
 Device Information
 Interface Status
 VPN Sessions
 System Resources Status
 Traffic Status

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 12 of 42
CCNA Security

f. Click the Configuration and Monitoring tabs to become familiar with their layout and to see what
options are available.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 13 of 42
CCNA Security

Part 3: Configuring Basic ASA Settings and Firewall Using the ASDM
Startup Wizard.
Step 1: Access the Configuration menu and launch the Startup wizard.
a. Click the Configuration button at the top left of the screen. There are five main configuration areas:
 Device Setup
 Firewall
 Remote Access VPN
 Site-to-Site VPN
 Device Management
b. The Device Setup Startup wizard is the first option available and displays by default. Read through
the on-screen text describing the Startup wizard and then click the Launch Startup Wizard button.

Step 2: Configure hostname, domain name, and enable password.


a. On the first Startup Wizard screen, you have a choice of modifying the existing configuration or
resetting the ASA to the factory defaults. With the Modify Existing Configuration option selected,
click Next to continue.
b. On the Startup Wizard Step 2 screen, configure the ASA host name CCNAS-ASA and domain name
of ccnasecurity.com. Click the checkbox for changing the enable mode password and change it
from blank (no password) to class and enter it again to confirm. When the entries are completed,
click Next to continue.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 14 of 42
CCNA Security

Step 3: Configure the inside and outside VLAN interfaces.

a. On the Startup Wizard Step 3 screen – Interface Selection, for the Outside and Inside VLANs, do
not change the current settings because these were previously defined using the CLI. The inside
VLAN is named inside and the security level is set to 100 (highest). The Outside VLAN interface is
named outside and the security level set to 0 (lowest). For the DMZ VLAN click the Do not
configure button and uncheck the Enable VLAN checkbox. The DMZ VLAN will be configured later.
Click Next to continue.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 15 of 42
CCNA Security

b. On the Startup Wizard Step 4 screen – Switch Port Allocation, verify that port Ethernet1 is in Inside
VLAN 1 and that port Ethernet0 is in Outside VLAN 2.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 16 of 42
CCNA Security

c. On the Startup Wizard Step 5 screen – Interface IP Address Configuration, enter an Outside IP
Address of 209.165.200.226 and Mask 255.255.255.248. You can use the pull-down menu to select
the mask. Leave the inside interface IP address as 192.168.1.1 with a mask of 255.255.255.0. Click
Next to continue.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 17 of 42
CCNA Security

Step 4: Configure DHCP, address translation and administrative access.


a. On the Startup Wizard Step 6 screen – DHCP Server, select the checkbox to Enable DHCP server
on the inside interface. Enter a Starting IP Address of 192.168.1.3 and Ending IP Address of
192.168.1.30. Enter the DNS Server 1 address of 10.20.30.40 and Domain Name
ccnasecurity.com. Do NOT check the box to enable Autoconfiguration from Interface. Click Next to
continue.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 18 of 42
CCNA Security

b. On the Startup Wizard Step 7 screen – Address Translation (NAT/PAT), click the button Use Port
Address Translation (PAT). The default is to use the IP address of the outside interface. Note that
you can also specify a particular IP address for PAT or a range of addresses with NAT. Click Next to
continue.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 19 of 42
CCNA Security

c. On the Startup Wizard Step 8 screen – Administrative Access, HTTPS/ASDM access is currently
configured for hosts on inside network 192.168.1.0/24. Add Telnet access to the ASA for the inside
network 192.168.1.0 with a subnet mask of 255.255.255.0. Add SSH access to the ASA from host
172.16.3.3 on the outside network. Make sure the checkbox Enable HTTP server for HTTPS/ASDM
access is checked. Click Next to continue.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 20 of 42
CCNA Security

Step 5: Review the summary and deliver the commands to the ASA.

a. On the Startup Wizard Step 9 screen – Startup Wizard Summary, review the Configuration
Summary and click Finish. ASDM will deliver the commands to the ASA device and then reload the
modified configuration.

Note: If the GUI dialogue box stops responding during the reload process, close it, exit ASDM, and
restart the browser and ASDM. If prompted to save the configuration to flash memory, respond with
Yes. Even though ASDM may not appear to have reloaded the configuration, the commands were
delivered. If there are errors encountered as ASDM delivers the commands, you will be notified with a
list of commands that succeeded and those that failed.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 21 of 42
CCNA Security

b. Restart ASDM and provide the new enable password class with no username. Return to the Device
Dashboard and check the Interface Status window. You should see the inside and outside interfaces
with IP address and status. The inside interface should show some number of Kb/s. The Traffic
Status window may show the ASDM access as TCP traffic spike.

Step 6: Test Telnet and SSH access to the ASA.


a. From a command prompt or GUI Telnet client on PC-B, telnet to the ASA inside interface at IP
address 192.168.1.1.
b. Login to the ASA using the default login password of cisco. Enter privileged EXEC mode by using the
enable command and provide the password class. Exit the Telnet session by using the quit
command.
c. In Lab Step 4, SSH access was configured using the Startup wizard to allow access to the ASA from
outside PC-C (172.16.3.3). From PC-C, open an SSH client such as PuTTY and attempt to connect
to the ASA outside interface at 209.165.200.226. You will not be able to establish the connection
because SSH access (ASA version 8.4(2) and later) requires that you also configure AAA and
provide an authenticated user name. AAA will be configured in the Part 4 of the lab.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 22 of 42
CCNA Security

Step 7: Test access to an external website from PC-B.


a. Open a browser on PC-B and enter the IP address of the R1 Fa0/0 interface (209.165.200.225) to
simulate access to an external website.
b. The R1 HTTP server was enabled in Part 1 of the lab so you should be prompted with a user
authentication login dialog box from the R1 GUI device manger. Leave the username blank and enter
the password of class. Exit the browser. You should see TCP activity in the ASDM Device Dashboard
Traffic Status window.

Step 8: Test access to an external website using the ASDM Packet Tracer utility.
a. From the ASDM Home page, choose Tools > Packet Tracer.
b. Choose the Inside interface from the Interface drop down menu and click TCP from the Packet Type
radio buttons. From the Source drop down menu, choose IP Address and enter the address
192.168.1.3 (PC-B) with a source port of 1500. From the Destination drop down menu, choose IP
Address and enter 209.165.200.225 (R1 Fa0/0) with a Destination Port of HTTP. Click Start to begin
the trace of the packet. The packet should be permitted.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 23 of 42
CCNA Security

c. Reset the entries by clicking Clear. Try another trace and choose outside from the Interface drop
down menu and leave TCP as the packet type. From the Sources drop down menu, choose IP
Address and enter 209.165.200.225 (R1 Fa0/0) and a Source Port of 1500. From the Destination
drop down menu, choose IP Address and enter the address 209.165.200.226 (ASA outside
interface) with a Destination Port of telnet. Click Start to begin the trace of the packet. The packet
should be dropped. Click on Close to continue.

Part 4: Configuring ASA Settings from the ASDM Configuration Menu.


In Part 4, you will set the ASA clock, configure a default route, test connectivity using ASDM tools Ping and
Traceroute, configure Local AAA user authentication, and modify the MPF application inspection policy.

Step 1: Set the ASA date and time.


a. From the Configuration screen, Device Setup menu, choose System Time > Clock.
b. Select your Time Zone from the drop-down menu and enter the current date and time in the fields
provided. The clock is a 24-hour clock. Click Apply to send the commands to the ASA.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 24 of 42
CCNA Security

Step 2: Configure a static default route for the ASA.


a. From the ASDM Tools menu, select Ping and enter the IP address of router R1 S0/0/0 (10.1.1.1).
The ASA does not have a default route to unknown external networks. The ping should fail because
the ASA has no route to 10.1.1.1. Click Close to continue.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 25 of 42
CCNA Security

b. From the Configuration screen, Device Setup menu, choose Routing > Static Routes. Click the IPv4
Only button and click Add to add a new static route.
c. In the Add Static Route dialogue box, choose the outside interface from the drop down menu. Click
the ellipsis button to the right of Network and select Any from the list of network objects, then click
OK. The selection of Any translates to a “quad zero” route. For the Gateway IP, enter
209.165.200.225 (R1 Fa0/0).

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 26 of 42
CCNA Security

d. Click OK and click Apply to send the commands to the ASA.

e. From the ASDM Tools menu, select Ping and enter the IP address of router R1 S0/0/0 (10.1.1.1).
The ping should succeed this time. Click Close to continue.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 27 of 42
CCNA Security

f. From the ASDM Tools menu, select Traceroute and enter the IP address of external host PC-C
(172.16.3.3). Click on Trace Route. The traceroute should succeed and show the hops from the ASA
through R1, R2, and R3 to host PC-C. Click Close to continue.

Step 3: Configure AAA user authentication using the local ASA database.
It is necessary to enable AAA user authentication in order to access the ASA using SSH. You allowed
SSH access to the ASA from the outside host PC-C when the Startup wizard was run. To allow the
remote network administrator at PC-C to have SSH access to the ASA, you will create a user in the local
database.
a. From the Configuration screen, Device Management area, click Users/AAA. Click User Accounts
and then Add. Create a new user named admin with a password of cisco123 and enter the
password again to confirm it. Allow this user Full access (ASDM, SSH, Telnet, and console) and set
the privilege level to 15. Click OK to add the user and click Apply to send the command to the ASA.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 28 of 42
CCNA Security

b. From the Configuration screen, Device Management area, click Users/AAA. Click AAA Access. On
the Authentication tab, click the checkbox to require authentication for HTTP/ASDM, SSH and Telnet
connections and specify the “LOCAL” server group for each connection type. Click Apply to send the
commands to the ASA.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 29 of 42
CCNA Security

Note: The next action you attempt within ASDM will require you to login as admin with password
cisco123.
c. From PC-C, open an SSH client such as PuTTY and attempt to access the ASA outside interface at
209.165.200.226. You should be able to establish the connection. When prompted to login, enter user
name admin and password cisco123.
d. After logging in to the ASA using SSH, enter the enable command and provide the password class.
Issue the show run command to display the current configuration you have created using ASDM.
Note: The default timeout for Telnet and SSH is 5 minutes. You can increase this setting using the
CLI as described in Lab 10A or go to ASDM Device Management > Management Access >
ASDM/HTTP/Telnet/SSH.
Step 4: Modify the MPF application inspection policy.
For application layer inspection, as well as other advanced options, the Cisco Modular Policy
Framework (MPF) is available on ASAs.
a. The default global inspection policy does not inspect ICMP. To enable hosts on the internal network
to ping external hosts and receive replies, ICMP traffic must be inspected. From the Configuration
screen, Firewall area menu, click Service Policy Rules.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 30 of 42
CCNA Security

b. Select the inspection_default policy and click Edit to modify the default inspection rules. On the Edit
Service Policy Rule window, click the Rule Actions tab and select the checkbox for ICMP. Do not
change the other default protocols that are checked. Click OK and then click Apply to send the
commands to the ASA. If prompted, login as again admin with a password of cisco123.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 31 of 42
CCNA Security

c. From PC-B, ping the external interface of R1 S0/0/0 (10.1.1.1). The pings should be successful.

Part 5: Configuring a DMZ, Static NAT and ACLs.


In Part 3 of this lab, you configured address translation using PAT for the inside network. In this part, you
create a DMZ on the ASA, configure static NAT to a DMZ server, and apply an ACL to control access to
the server.

Step 1: Configure the ASA DMZ VLAN 3 interface.


In this step you will create a new interface VLAN 3 named dmz, assign physical interface E0/2 to the
VLAN, set the security level to 70, and limit communication from this interface to the inside (VLAN1)
interface.
a. From the Configuration screen, Device Setup menu, click Interfaces. Click Add to define a new
interface. The General tab is displayed by default and currently defined inside (VLAN 1, E0/1) and
outside (VLAN 2, E0/0) interfaces are listed. Click Add to create a new interface.
b. In the Add Interface dialog box, select port Ethernet0/2 and click Add. You will be prompted to
change the interface from the inside network. Click OK for the message to remove the port from the
inside interface and add it to this new interface. In the Interface Name box, name the interface dmz,
assign it a security level of 70, and make sure the Enable Interface checkbox is checked.
c. Ensure that the Use Static IP button is selected and enter an IP address of 192.168.2.1 with a subnet
mask of 255.255.255.0. Do NOT click OK at this time.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 32 of 42
CCNA Security

d. ASDM will configure this interface as VLAN ID 12 by default. Before clicking OK to add the interface,
click the Advanced tab and specify this interface as VLAN ID 3.
Note: If you are working with the ASA 5505 base license, you are allowed to create up to three named
interfaces. However, you must disable communication between the third interface and one of the other
interfaces. Because the DMZ server does not need to initiate communication with the inside users, you
can disable forwarding to interfaces VLAN 1.
e. On the Advanced tab, you also need to block traffic from this interface VLAN 3 (dmz) to the VLAN 1
(inside) interface. From the Block Traffic area, select vlan1 (inside) from the drop down menu. Click
OK to return to the Interfaces window. You should see the new interface named dmz, in addition to
the inside and outside interfaces. Click Apply to send the commands to the ASA.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 33 of 42
CCNA Security

Step 2: Configure the DMZ server and static NAT


To accommodate the addition of a DMZ and a web server, you will use another address from the ISP
range assigned, 209.165.200.224/29 (.224-.231). Router R1 Fa0/0 and the ASA outside interface are
already using 209.165.200.225 and .226, respectively. You will use public address 209.165.200.227 and
static NAT to provide address translation access to the server.
a. From the Firewall menu, click the Public Servers option and click Add to define the DMZ server and
services offered. In the Add Public Server dialog box, specify the Private Interface as dmz, the Public
Interface as outside and the Public IP address as 209.165.200.227.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 34 of 42
CCNA Security

b. Click the ellipsis button to the right of Private IP Address. In the Browse Private IP Address window,
click Add to define the server as a Network Object. Enter the name DMZ-Server, with a Type of
Host and the Private IP Address of 192.168.2.3.
c. While in the Add Network Object dialog box, click the double down arrow button for NAT. Click the
checkbox for Add Automatic Address Translation Rules and enter the type as Static. Enter
209.165.200.227 as the Translated Addr. When the screen looks like the following, click OK to add
the server network object. From the Browse Private IP Address window, click OK. You will return to
the Add Public Server dialog box.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 35 of 42
CCNA Security

In the Add Public Server dialog, click the ellipsis button to the right of Private Service. In the Browse
Private Service window, double click to select the following services: tcp/http, tcp/ftp, icmp/echo
and icmp/echo-reply (scroll down to see all services). Click OK to continue and return to the Add
Public Server dialog.
Note: You can specify Public services if different from the Private services, using the option on this
screen.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 36 of 42
CCNA Security

d. When you have completed all information in the Add Public Server dialog box, it should look like the
one shown below. Click OK to add the server. Click Apply at the Public Servers screen to send the
commands to the ASA.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 37 of 42
CCNA Security

Step 3: View the DMZ Access Rule (ACL) generated by ASDM.


a. With the creation of the DMZ server object and selection of services, ASDM automatically generates
an Access Rule (ACL) to permit the appropriate access to the server and applies it to the outside
interface in the incoming direction.
b. View this Access Rule in ASDM by choosing Configuration > Firewall > Access Rules. It appears
as an outside incoming rule. You can select the rule and use the horizontal scroll bar to see all of the
components.

c. Note: You can also see the actual commands generated using the Tools > Command Line
Interface and entering the command show run.

Step 4: Test access to the DMZ server from the outside network.
a. From PC-C, ping the IP address of the static NAT public server address (209.165.200.227). The
pings should be successful.
b. Because the ASA inside interface (VLAN 1) is set to security level 100 (the highest) and the DMZ
interface (VLAN 3) is set to 70, you can also access the DMZ server from a host on the inside
network. The ASA acts like a router between the two networks. Ping the DMZ server (PC-A) internal
address (192.168.2.3) from inside network host PC-B (192.168.1.X). The pings should be successful
due to interface security level and the fact that ICMP is being inspected on the inside interface by the
global inspection policy.
c. The DMZ server cannot ping PC-B on the inside network. This is because the DMZ interface VLAN 3
has a lower security level and the fact that, when the VLAN 3 interface was created, it was necessary
to specify the no forward command. Try to ping from the DMZ server PC-A to PC-B at IP address
192.168.1.X. The pings should not be successful.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 38 of 42
CCNA Security

Step 5: Use ASDM Monitoring to graph packet activity.


There are a number of aspects of the ASA that can be monitored using the Monitoring screen. The main
categories on this screen are Interfaces, VPN, Routing, Properties, and Logging. In this step you will
create a graph to monitor packet activity for the outside interface.

a. From the Monitoring screen, Interfaces menu, click Interface Graphs > outside. Select Packet
Counts and click Add to add the graph. The exhibit below shows Packet Counts added.

b. Click the Show Graphs button to display the graph. Initially there is no traffic displayed.

c. From a privileged mode command prompt on R2, simulate Internet traffic to the ASA by pinging the
DMZ server public address with a repeat count of 1000. You can increase the number of pings if
desired.

R2# ping 209.165.200.227 repeat 1000

Type escape sequence to abort.


Sending 1000, 100-byte ICMP Echos to 209.165.200.227, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<output omitted>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (1000/1000), round-trip min/avg/max = 1/2/12 ms

d. You should see the results of the pings from R2 on the graph as an Input Packet Count. The scale of
the graph is automatically adjusted depending on the volume of traffic. You can also view the data in

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 39 of 42
CCNA Security

tabular form by clicking the Table tab. Notice that the View selected at the bottom left of the Graph
screen is Real-time, data every 10 seconds. Click the pull-down menu to see the other options
available.

e. Ping from PC-B to R1 Fa0/0 at 209.165.200.225 using the –n option (number of packets) to specify
1000 packets.

C:>\ ping 209.165.200.225 –n 1000

Note: The response from the PC is relatively slow and it may take a while to show up on the graph as
Output Packet Count. The graph below shows an additional 5000 input packets as well as both input
and output packet counts.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 40 of 42
CCNA Security

Reflection:
1. What are some benefits to using ASDM over the CLI?
________________________________________________________________________________
________________________________________________________________________________

2. What are some benefits to using the CLI over ASDM?


________________________________________________________________________________
________________________________________________________________________________

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 41 of 42
CCNA Security

Router Interface Summary Table


Router Interface Summary
Router Ethernet Interface Ethernet Interface Serial Interface Serial Interface
Model #1 #2 #1 #2
Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 Serial 0/0/1
1800
(Fa0/0) (Fa0/1) (S0/0/0) (S0/0/1)
Gigabit Ethernet 0/0 Gigabit Ethernet 0/1 Serial 0/0/0 Serial 0/0/1
1900
(G0/0) (G0/1) (S0/0/0) (S0/0/1)
Fast Ethernet 0/0 Fast Ethernet 0/1 Serial 0/0/0 Serial 0/0/1
2800
(Fa0/0) (Fa0/1) (S0/0/0) (S0/0/1)
Gigabit Ethernet 0/0 Gigabit Ethernet 0/1 Serial 0/0/0 Serial 0/0/1
2900
(G0/0) (G0/1) (S0/0/0) (S0/0/1)
Note: To find out how the router is configured, look at the interfaces to identify the type of router
and how many interfaces the router has. There is no way to effectively list all the combinations of
configurations for each router class. This table includes identifiers for the possible combinations of
Ethernet and Serial interfaces in the device. The table does not include any other type of interface,
even though a specific router may contain one. An example of this might be an ISDN BRI interface.
The string in parenthesis is the legal abbreviation that can be used in Cisco IOS commands to
represent the interface.

All contents are Copyright © 1992–2012 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 42 of 42

You might also like