SNAF: Securing Networks with ASA Fundamentals, Version 1.0, Lab Guide
© 2008 Cisco Systems, Inc.

DISCLAIMER OF WARRANTY. THIS CONTENT IS BEING PROVIDED "AS IS". CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.

This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above. Printed in Canada.

Table of Contents

Lab Guide
  Overview
  Outline
Lab 3-1: Prepare to Use Cisco ASDM to Configure the Security Appliance
  Activity Objective
  Visual Objective
  Task 1: Execute General Commands
  Task 2: Initialize the Security Appliance
  Task 3: Configure the Boot System Variable
  Task 4: Launch Cisco ASDM
Lab 4-1: Configure the Security Appliance with Cisco ASDM
  Activity Objective
  Visual Objective
  Task 1: Run the Cisco ASDM Startup Wizard
  Task 2: Verify and Edit the Security Appliance Configuration
  Task 3: Test Your Configuration
  Task 4: Use Cisco ASDM to Configure Logging to a Syslog Server
  Task 5: Verify and Test the Syslog Configuration
Lab 5-1: Configure Translations
  Activity Objective
  Visual Objective
  Task 1: Test NAT Control
  Task 2: Configure Dynamic NAT
  Task 3: Configure Static Translations
Lab 6-1: Configure ACLs
  Activity Objective
  Visual Objective
  Task 1: Configure Inbound Access Rules on the Security Appliance
  Task 2: Configure Outbound Access Rules on the Security Appliance
Lab 7-1: Configure Object Groups
  Activity Objective
  Visual Objective
  Task 1: Configure a Service Object Group
  Task 2: Configure an ICMP-Type Object Group
  Task 3: Configure Network Object Groups
  Task 4: Configure an Inbound ACL with Object Groups
  Task 5: Configure Inbound Web and ICMP Access
  Task 6: Test and Verify the Inbound ACL
Lab 9-1: Configure AAA on the Security Appliance Using Cisco Secure ACS for Windows
  Activity Objective
  Visual Objective
  Task 1: Install Cisco Secure ACS on a Windows Server
  Task 2: Add the Security Appliance to the Cisco Secure ACS AAA Client Database
  Task 3: Add a User to the Cisco Secure ACS Database
  Task 4: Identify the AAA Server and Protocol
  Task 5: Configure and Test Inbound Authentication
  Task 6: Configure and Test Outbound Authentication
  Task 7: Configure and Test Virtual Telnet Authentication
  Task 8: Change and Test Authentication Timeouts and Prompts
  Task 9: Configure ACS to Download ACLs to the Security Appliance During RADIUS Inbound Authentication
  Task 10: Test Downloadable ACLs with Inbound Authentication
  Task 11: Test Downloadable ACLs with Outbound Authentication
  Task 12: Configure and Test Accounting
Lab 11-1: Configure Advanced Protocol Inspection on the Security Appliance
  Activity Objective
  Visual Objective
  Task 1: Display the Inspection Protocol Configurations
  Task 2: Change the Inspection Protocol Configurations
  Task 3: Test the Outbound FTP Inspection Protocol
Lab 12-1: Configure Threat Detection
  Activity Objective
  Visual Objective
  Task 1: Examining the Capabilities of Basic Threat Detection
  Task 2: Configure Scanning Threat Detection with Shunning
Lab 13-1: Configure Security Appliance Site-to-Site VPN with Pre-Shared Keys
  Activity Objective
  Visual Objective
  Scenario
  Task 1: Prepare to Configure VPN Support
  Task 2: Use the Cisco ASDM IPsec VPN Wizard to Configure a Site-to-Site VPN
  Task 3: Use Cisco ASDM to Verify the Site-to-Site VPN Configuration
  Task 4: Test the Site-to-Site VPN
Lab 14-1: Configure a Secure VPN Using IPsec Between a Security Appliance and a Cisco VPN Client
  Objectives
  Visual Objective
  Scenario
  Task 1: Prepare to Configure a Remote-Access VPN
  Task 2: Use the Cisco ASDM IPsec VPN Wizard to Configure a Remote-Access VPN
  Task 3: Verify Your Configuration
  Task 4: Configure the Cisco VPN Client on the Remote Office Server
  Task 5: Launch the Cisco VPN Client
  Task 6: Verify the VPN Connection
Lab 15-1: Configure the Security Appliance to Provide Secure Clientless SSL VPN Connectivity
  Activity Objective
  Visual Objective
  Scenario
  Task 1: Use the SSL VPN Wizard to Configure a Secure SSL VPN
  Task 2: Test Your SSL VPN
  Task 3: Create a Customization Object
  Task 4: Modify the FIRSTGROUP Group Policy
  Task 5: Test Your Configuration
Lab 16-1: Configure Security Appliance Transparent Firewall
  Objectives
  Visual Objective
  Task 1: Configure the Corporate Server Networking Parameters
  Task 2: Enable Transparent Firewall Mode
  Task 3: Configure Security Appliance Interfaces and Management IP Address
  Task 4: Test Inside and Outside Connectivity
  Task 5: Test and Verify Transparent Firewall Operations
  Task 6: Disable Transparent Firewall Mode
Lab 18-1: Configure LAN-Based Active/Standby Failover
  Activity Objective
  Visual Objective
  Task 1: Prepare the Primary and Secondary Security Appliances for Failover Configuration via Cisco ASDM
  Task 2: Use the Cisco ASDM High Availability and Scalability Wizard to Configure LAN-Based Failover
  Task 3: Test LAN-Based Failover
  Task 4: Configure Stateful LAN-Based Failover
  Task 5: Test Stateful LAN-Based Failover
  Task 6: Make the Primary Security Appliance Active
Lab 18-2: Configure LAN-Based Active/Active Failover
  Activity Objective
  Visual Objective
  Task 1: Enable Multiple Context Mode
  Task 2: Confirm Multiple Context Mode
  Task 3: Create Security Contexts on the Primary Security Appliance
  Task 4: Configure the CTX1 Context on the Primary Security Appliance
  Task 5: Prepare the Security Appliances for Active/Active Failover Configuration via Cisco ASDM
  Task 6: Use the Cisco ASDM High Availability and Scalability Wizard to Configure Active/Active Failover
  Task 7: Configure Standby IP Addresses for CTX1
  Task 8: Exercise Active/Active Failover
  Task 9: Return the Failover Devices to Single Mode
Lab 19-1: Manage the Security Appliance
  Objectives
  Visual Objective
  Task 1: Configure Enable-Level Command Authorization with Passwords
  Task 2: Test Enable-Level Command Authorization
  Task 3: Generate an RSA Key Pair for Encrypted SSH Sessions
  Task 4: Establish an SSH Connection to the Security Appliance
  Task 5: Configure Command Authorization Using the Local User Database
  Task 6: Test Command Authorization Using the Local User Database
  Task 7: Upgrade the Security Appliance Software Image
Answer Key
  Lab 3-1 Answer Key: Prepare to Use Cisco ASDM to Configure the Security Appliance
  Lab 5-1 Answer Key: Configure Translations
  Lab 11-1 Answer Key: Configure Advanced Protocol Inspection on the Security Appliance

SNAF Lab Guide

Overview
This guide presents the instructions and other information concerning the activities for this course. You can find the solutions in the lab activity Answer Key.

Outline
This guide includes these activities:
- Lab 3-1: Prepare to Use Cisco ASDM to Configure the Security Appliance
- Lab 4-1: Configure the Security Appliance with Cisco ASDM
- Lab 5-1: Configure Translations
- Lab 6-1: Configure Access Lists
- Lab 7-1: Configure Object Groups
- Lab 9-1: Configure AAA on the Security Appliance Using Cisco Secure ACS for Windows
- Lab 11-1: Configure Advanced Protocol Inspection on the Security Appliance
- Lab 12-1: Configure Threat Detection on the Security Appliance
- Lab 13-1: Configure Security Appliance Site-to-Site VPN
- Lab 14-1: Configure a Secure VPN Using IPsec Between a Security Appliance and a Cisco VPN Client
- Lab 15-1: Configure the Security Appliance to Provide Secure Clientless SSL VPN Connectivity
- Lab 16-1: Configure Security Appliance Transparent Firewall
- Lab 18-1: Configure LAN-Based Active/Standby Failover
- Lab 18-2: Configure LAN-Based Active/Active Failover
- Lab 19-1: Manage the Security Appliance

Lab 3-1: Prepare to Use Cisco ASDM to Configure the Security Appliance
Complete this lab activity to practice what you learned in the related lesson.
Activity Objective
In this activity, you will prepare to use Cisco ASDM to configure the security appliance. After completing this activity, you will be able to meet these objectives:
- Execute general commands
- Use the CLI to configure basic network settings
- Configure the boot system variable
- Prepare the security appliance for configuration via Cisco ASDM and launch Cisco ASDM

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 3-1: Visual Objective (lab network diagram showing the Internet server, the security appliance, the 192.168.P.0, 10.0.P.0 and 172.16.P.0 networks, and the student PC with the VPN Client)]

Task 1: Execute General Commands
In this task, you will familiarize yourself with the general "getting started" commands. Observe the output of the commands carefully. Pay close attention to the questions that are asked after certain steps. The instructor will provide you with the procedures to access the security appliance console port because these will vary according to your lab connectivity setup. After you access the security appliance console port, the security appliance prompt will appear.

Activity Procedure
Complete these steps:

Step 1  Erase the default configuration of the security appliance. When prompted to confirm, press Enter.
    ciscoasa# write erase
    Erase configuration in flash memory? [confirm]
    [OK]

Step 2  Reboot the security appliance. When prompted to confirm, press Enter.
    ciscoasa# reload
    Proceed with reload? [confirm]

Step 3  After the security appliance reboots, it will prompt you to bootstrap it through interactive prompts. Press Ctrl-Z to escape. The unprivileged mode prompt is displayed.
    Pre-configure Firewall now through interactive prompts [yes]?
    Type help or '?' for a list of available commands.
    ciscoasa>

Step 4  Display the list of help commands.
    ciscoasa> ?

Q1) How many commands are listed? ________

Step 5  Enter the privileged mode of the security appliance.
When prompted for a password, press Enter.
    ciscoasa> enable
    Password:
    ciscoasa#

Step 6  Display the list of help commands. Press the spacebar on the keyboard to scroll through the list.
    ciscoasa# ?

Q2) How many commands are listed? ________

Step 7  Use the show run command to display the security appliance configuration on the terminal screen.

Note: The show run output may vary, depending on the platform.

    ciscoasa# show run
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    !
    interface GigabitEthernet0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/1
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdr.2KYOU encrypted
    ftp mode passive
    pager lines 24
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:746821fb5661c001ebeaed14437309f1
    : end

Step 8  Enter the show memory command.

Note: The show memory output will vary depending on the platform.

    ciscoasa# show memory
    Free memory:       433425192 bytes (81%)
    Used memory:       103445720 bytes (19%)
    -------------     ----------------
    Total memory:      536870912 bytes (100%)

Step 9  Enter the show version command.
Note: The show version output will vary depending on the Cisco ASA security appliance platform and licenses.

    ciscoasa# show version

    Cisco Adaptive Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(2)

    Compiled on Fri 15-Jun-07 19:29 by builders
    System image file is "disk0:/asa802-k8.bin"
    Config file at boot was "startup-config"

    ciscoasa up 6 mins 36 secs

    Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 64MB
    BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
     0: Ext: GigabitEthernet0/0  : address is 0013.c482.2e52, irq 9
     1: Ext: GigabitEthernet0/1  : address is 0013.c482.2e53, irq 9
     2: Ext: GigabitEthernet0/2  : address is 0013.c482.2e54, irq 9
     3: Ext: GigabitEthernet0/3  : address is 0013.c482.2e55, irq 9
     4: Ext: Management0/0       : address is 0013.c482.2e51, irq 11
     5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
     6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 2
    Advanced Endpoint Assessment : Disabled

    This platform has an ASA 5520 VPN Plus license.

    Serial Number: JMX0944K06T
    Running Activation Key: 0x96311f61 0xe8cc56cc 0xe4138530 0x831454e0 0x8d34d9ad
    Configuration register is 0x2001
    Configuration has not been modified since last system restart

Q3) What is the ASA image version? ________
Q4) What is the Cisco ASDM version? ________
Q5) What model is your adaptive security appliance? ________
Q6) How many VLANs does the license support? ________
Q7) What type of failover does the license support, if any? ________
Q8) Is VPN-DES enabled? ________
Q9) Is VPN-3DES-AES enabled? ________
Q10) How many security contexts does the license support? ________
Q11) How many VPN peers does the license support? ________
Q12) How many WebVPN peers does the license support? ________

Step 10  Enter the show history command.
    ciscoasa# show history
      enable
      show run
      show memory
      show version
      show history

Task 2: Initialize the Security Appliance
In this task, you will prepare the security appliance for configuration via Cisco ASDM. You will first specify which physical interface will be used as the inside interface. You will then use the setup command interactive prompts to configure the basic parameters needed for accessing Cisco ASDM.

Activity Procedure
Complete these steps:

Step 1  Enter configuration mode.
    ciscoasa# configure terminal

Step 2  Specify GigabitEthernet0/1 as the inside interface and accept the default security level.
    ciscoasa(config)# interface g0/1
    ciscoasa(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.

Step 3  Return to configuration mode.
    ciscoasa(config-if)# exit

Step 4  Enter the setup command to access the setup command interactive prompts.
    ciscoasa(config)# setup

Step 5  Press Enter to answer "yes" when prompted to preconfigure the firewall through interactive prompts.
    Pre-configure Firewall now through interactive prompts [yes]?

Step 6  Press Enter to accept the default firewall mode, which is routed.
    Firewall Mode [Routed]:

Step 7  Enter the enable password cisco123.
    Enable password [<use current password>]: cisco123

Step 8  Press Enter to accept the year shown in brackets if it is correct. If not, enter the current year.
    Clock (UTC):
      Year [2008]:

Step 9  Press Enter to accept the month shown in brackets if it is correct. If not, enter the current month.
      Month [Mar]:

Step 10  Press Enter to accept the day shown in brackets if it is correct.
If not, enter the current day.
      Day [24]:

Step 11  Press Enter to accept the time shown in brackets if it is correct. If not, enter the current time in hh:mm:ss format and 24-hour time.
      Time [09:48:06]:

Step 12  Enter an IP address for the inside interface.
    Inside IP address [0.0.0.0]: 10.0.P.1

Step 13  Enter the network mask for the inside interface IP address.
    Inside network mask [255.255.255.255]: 255.255.255.0

Step 14  Enter a host name for the security appliance.
    Host name [ciscoasa]: asaP

Step 15  Enter a domain name for the security appliance.
    Domain name: training.com

Step 16  Enter the IP address of the corporate server, from which you will run Cisco ASDM.
    IP address of host running Device Manager: 10.0.P.10

    The following configuration will be used:
    Enable password: cisco123
    Allow password recovery: yes
    Clock (UTC): 09:48:06 Mar 24 2008
    Firewall Mode: Routed
    Inside IP address: 10.0.P.1
    Inside network mask: 255.255.255.0
    Host name: asaP
    Domain name: training.com
    IP address of host running Device Manager: 10.0.P.10

Step 18  Enter yes when asked if you want to use this configuration and write it to flash memory.
    Use this configuration and write to flash?
    yes

Step 19  Use the show run command to verify your configuration.
    asaP(config)# show run
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname asaP
    domain-name training.com
    enable password 2KFQnbNIdr.2KYOU encrypted
    !
    interface GigabitEthernet0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 10.0.P.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdr.2KYOU encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name training.com
    pager lines 24
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.0.P.10 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:c7#a9811bbaaag44a893955b753c3bb1
    : end

Task 3: Configure the Boot System Variable
With Cisco ASA and PIX Security Appliance Software Version 7.x and higher, the security appliance can store multiple versions of operating software (memory space permitting). When a Cisco ASA or PIX security appliance powers up or reloads, it checks the boot variable parameter to determine which version of operating code it should load. If the boot variable is blank, the security appliance boots the first version of software that it encounters in flash memory. If multiple versions of the operating system are in memory, you may wish to select the version of software to boot by configuring the boot system variable. In this task, you will configure the boot system variable.

Activity Procedure
Complete these steps:

Step 1  Check the boot variable. If the current boot variable is blank, proceed to Step 2. If a value is present in the current boot variable, verify that it points to the correct image file, and then proceed to Task 4.
    asaP(config)# show bootvar
    BOOT variable =
    Current BOOT variable =
    CONFIG_FILE variable =
    Current CONFIG_FILE variable =

Step 2  Determine if a version of the operating software is stored in flash memory. Verify that asa802-k8.bin is displayed. You may see other files as well.
    asaP(config)# dir
    Directory of disk0:/
    8      -rwx  14524416    13:37:33 Sep 05 2007  asa802-k8.bin

Step 3  If operating system software is stored in flash memory, set the boot system variable (where asa802-k8.bin is the name of the operating system file stored in flash memory).
    asaP(config)# boot system disk0:/asa802-k8.bin

Step 4  Verify that the boot variable was added.
    asaP(config)# show bootvar
    BOOT variable =
    Current BOOT variable = disk0:/asa802-k8.bin
    CONFIG_FILE variable =
    Current CONFIG_FILE variable =

Step 5  Save your configuration to flash memory.
    asaP(config)# write memory
    Building configuration...
    Cryptochecksum: 901c202 27a9db19 7e3c2878 0fc0966b
    2139 bytes copied in 3.330 secs (713 bytes/sec)
    [OK]

Task 4: Launch Cisco ASDM
In this task, you will launch Cisco ASDM.

Activity Procedure
Complete these steps:

Step 1  Verify that Sun Java SE2 Plug-In 1.4.2, 1.5.0, or 1.6.0 is loaded on the corporate server.

Step 2  Verify that encryption is enabled on the security appliance.
    asaP(config)# show version

    Cisco Adaptive Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(2)

    Compiled on Fri 15-Jun-07 19:29 by builders
    System image file is "disk0:/asa802-k8.bin"
    Config file at boot was "startup-config"

    asaP up 3 hours 23 mins

    Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 64MB
    BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
     0: Ext: GigabitEthernet0/0  : address is 0013.c482.2e52, irq 9
     1: Ext: GigabitEthernet0/1  : address is 0013.c482.2e53, irq 9
     2: Ext: GigabitEthernet0/2  : address is 0013.c482.2e54, irq 9
     3: Ext: GigabitEthernet0/3  : address is 0013.c482.2e55, irq 9
     4: Ext: Management0/0       : address is 0013.c482.2e51, irq 11
     5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
     6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 2
    Advanced Endpoint Assessment : Disabled

    This platform has an ASA 5520 VPN Plus license.

    Serial Number: JMX0944K06T
    Running Activation Key: 0x96311f61 0xe8cc56cc 0xe4138530 0x831454e0 0x8d34d9ad
    Configuration register is 0x2001
    Configuration last modified by enable_15 at 10:00:59.276 UTC Tue Feb 18 2008

Step 3  Verify that the time and date on the security appliance and on the corporate server match. If they do not match, any issued certificates may not be valid.
    asaP(config)# show clock
    09:03:38.832 UTC Mon Feb 25 2008

Notice that the clock defaults to UTC time.
Make sure that the time and time zone match on the security appliance and on the device manager PC. If they do not, the certificate may not be valid.

Step 4  Check the version of Cisco ASDM on the security appliance.
    asaP(config)# show version
    Cisco Adaptive Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(2)

Step 5  If the show version output does not display "Device Manager Version 6.0(2)," configure the Cisco ASDM image.
    asaP(config)# asdm image disk0:/asdm-602.bin

Step 6  Open the Internet Explorer web browser on the corporate server and delete cookies by completing the following substeps:
1. From the Internet Explorer toolbar, choose Tools > Internet Options. The Internet Options window opens.
2. Click Delete Cookies. The Delete Cookies window opens.
3. Click OK.
4. In the Internet Options window, click OK.

Step 7  Access the Cisco ASDM console by completing the following substeps:
1. In the URL field of the browser window, enter https://10.0.P.1.
2. The Security Alert window opens. Click View Certificate. The Certificate pop-up window opens.
3. Click Install Certificate. The Certificate Import Wizard pop-up window opens.
4. Click Next. The Certificate Import Wizard > Certificate Store panel is displayed.
5. Click Next. The Certificate Import Wizard > Completing the Certificate Import Wizard panel is displayed.
6. Click Finish. The Root Certificate Store pop-up window opens.

Note: If a Security Warning window is displayed, click Yes.

7. Click Yes. The Certificate Import Wizard pop-up window opens.
8. Click OK.
9. Click OK in the Certificate window.
10. Click Yes in the Security Alert window. The Cisco ASDM 6.0 window opens.
11. Click Run ASDM. The Warning - Security pop-up window opens.
12. Click Yes.
13. If another Warning - Security pop-up window is displayed, click Run.
14.
The Cisco ASDM Launcher login window is displayed.
15. If a pop-up window is displayed asking if you would like to create a shortcut on your desktop, click No.
16. Enter cisco123 in the Password field.
17. Click OK. Cisco ASDM should load now and display the Home window.

Step 8  In the Device Information area of the Device Dashboard, examine the contents of the General tab, and answer the following questions:
Q13) What is the host name? ________
Q14) What is the security appliance version? ________
Q15) What is the Cisco ASDM version? ________
Q16) What is the device type? ________
Q17) What is the firewall mode? ________
Q18) What is the context mode? ________
Q19) What is the total flash memory? ________
Q20) What is the total memory? ________

Step 9  In the Device Information area, click the License tab. From the License tab information, complete the following:
Q21) Encryption: ________
Q22) Failover: ________
Q23) Maximum VLANs: ________
Q24) Clientless SSL VPN Peers: ________
Q25) GTP/GPRS: ________
Q26) VPN Peers: ________
Q27) Maximum physical interfaces: ________
Q28) License: ________

Step 10  Notice that the current security appliance configuration was imported. Examine the configuration by clicking the Configuration icon and then completing the following substeps:
1. Select Device Setup from the navigation pane.
2. Click Interfaces. Notice that the inside interface is configured.
3. Select Device Name/Password. Notice that the host name asaP is displayed in the Hostname field and the domain name training.com is displayed in the Domain Name field of the Device Name/Password configuration pane.
4. Select Device Management from the navigation pane.
5. Expand the Management Access menu.
6. Select ASDM/HTTPS.
Notice that IP address 10.0.P.10 is displayed in the list of hosts that are allowed to access the adaptive security appliance using Cisco ASDM.

Lab 4-1: Configure the Security Appliance with Cisco ASDM
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will learn how to configure a security appliance using Cisco ASDM. After completing this activity, you will be able to meet these objectives:
- Use Cisco ASDM to configure basic network settings, including interface configurations
- Use Cisco ASDM and the CLI to determine if the security appliance software is configured properly
- Use Cisco ASDM to configure logging to a syslog server
- Use Cisco ASDM to configure logging options, including adding, deleting, and modifying syslog messages

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 4-1: Visual Objective (lab network diagram showing the Internet server, the security appliance, the 172.16.P.0 DMZ network, and the student PC with the VPN Client)]

Task 1: Run the Cisco ASDM Startup Wizard
In this task, you will run the Cisco ASDM Startup Wizard.

Activity Procedure
Complete these steps:

Step 1  Choose Wizards > Startup Wizard from the main menu. The Startup Wizard opens, displaying the Starting Point (Step 1 of ...) page.
Step 2  Verify that the Modify Existing Configuration radio button is selected.
Step 3  Click Next. The Basic Configuration (Step 2 of ...) page is displayed.
Step 4  Verify that asaP is displayed in the ASA Host Name field.
Step 5  Verify that training.com appears in the Domain Name field.
Step 6  Click Next. The Auto Update Server (Step 3 of ...) page is displayed.
Step 7  Click Next. The Outside Interface Configuration (Step 4 of ...) page is displayed.
Step 8  Complete the following substeps to configure the outside interface:
1. Select GigabitEthernet0/0 from the Interface drop-down list.
2.
Enter outside in the Interface Name field.
3. Verify that the Use the Following IP Address radio button is selected.
4. Enter 192.168.P.2 in the IP Address field.
5. From the Subnet Mask drop-down menu, choose subnet mask 255.255.255.0.
6. Select the Enable Interface check box.
7. Verify that 0 is displayed in the Security Level field.

Step 9  Click Next. The Other Interfaces Configuration (Step 5 of 10) page is displayed.
1. Choose GigabitEthernet0/3 and click Edit. The Edit Interface window opens.
2. Check the Enable Interface check box.
3. Enter dmz in the Interface Name field.
4. Enter 50 in the Security Level field.
5. Verify that the Use the Following IP Address radio button is selected in the IP Address pane.
6. Enter 172.16.P.1 in the IP Address field.
7. From the Subnet Mask drop-down list, choose subnet mask 255.255.255.0.
8. Click OK. The Security Level Change window opens.
9. Click OK.

Step 10  In the Other Interfaces Configuration (Step 5 of 10) window, verify that the information you entered is correct and that interfaces 0, 1, and 3 are enabled.
Step 11  Click Next. The Static Routes (Step 6 of 10) page is displayed.
Step 12  Click Add. The Add Static Route window opens.
Step 13  Complete the following substeps to configure a default route:
1. Select outside from the Interface Name drop-down list.
2. Enter 0.0.0.0 in the IP Address field.
3. Select 0.0.0.0 from the Mask drop-down list.
4. Enter 192.168.P.1 in the Gateway IP field.
5. Click OK.
Step 14  In the Static Routes (Step 6 of 10) page, click Next. The DHCP Server (Step 7 of 10) page is displayed.
Step 15  You will not be using DHCP at this time. Do not make any changes to this page. Click Next.
The Address Translation (NAT/PAT) (Step 8 of 10) page is displayed Select the Enable Traffic Through the Firewall Without Address Translation radio button, You will not be using NAT at this time, Click Next. The Administrative Access (Step 9 of 10) page is displayed Verify the information. Notice that the Enable HTTP Server for HTTPS/ASDM Access check box is selected. The security appliance HTTP server was ‘automatically enabled when you responded to the setup command interactive prompts, Click the Next button. The Startup Wizard Summary (Step 10 of 10) page is displayed, Verify your configuration, and click the Finish button, Task 2: Verify and Edit the Security Appliance Configuration {mn this task, you will verify the configuration of the inside, outside, and DMZ, interfaces and configure their hardware properties. You will also verify the default route and configure host name-to-IP address mappings Activity Procedure Complete these steps: Stop 1 Step2 Step 3 Step 4 Click the Configuration button in the Cisco ASDM toolbar. Click Device Setup in the navigation pane. Click Interfaces in the Device Setup menu. The Interfaces panel is displayed. Verify the configuration of the inside, outside, and DMZ interfaces. {© 2006 Cisco Syatoms, ine. ab Guide 19 Step5 Complete the following substeps to configure the speed and duplex settings for the outside interface. 1. Select GigabitEthernet0/0 from the Interface list 2. Click Kdit. The Edit Interface window opens. 3. Click Configure Hardware Properties. The Hardware Properties window opens. From the Duplex drop-down menu, choose full. 4, 5. From the Speed drop-down menu, choose 100. 6. Click OK. 7. Click OK in the Edit Interface window. Step6 Complete the following substeps to configure the speed and duplex settings for the de interface: 1. Select GigabitEthernet0/1 from the Interface lis. 2. Click Edit. The Fait Interface window opens. 3. Click Configure Hardware Properties. The Hardware Properties window opens. 
4, From the Duplex drop-down menu, choose full, 5. From the Speed drop-down menu, choose 100. 6. Click OK. The Warming window opens. 7. Click OK. 8. Click OK in the Edit Interface window. Step7 Complete the following substeps to configure the speed and duplex settings for the DMZ interface: L._ Select Gigabit&thernet0/3 trom the Interface list. 2. Click Edit. The Edit Interface window opens. 3. Click Configure Hardware Properties. The Hardware Properties window opens. 4. From the Duplex drop-down menu, choose ful 5. From the Speed drop-down menu, choose 100 6. Click OK. 7. Click OK in the Edit Interface window. Step 8 In the Interfaces panel, click Apply. Note Ia Refresh Needed window is displayed at this time or at any time after you click Apply in Cisco ASDM, click Proceed. ‘Securing Networks with ASA Fundamentals (SNAF) v1.0 (© 2008 Cisco Systems, ne Step 9 Step 10 Step 14 asaP (cont ‘Saved ASA Versi hostnane GomPlet the following substeps to verify the default route that you created with the Startup Wizard: 1. Click Routing in the Device Setup menu. 2. Click Static Routes in the Routing menu, 3. Verify the default route in the Static Routes panel Complete the following substeps to create hostname-to-IP address mappings for the corporate and the DMZ servers: |. Click Firewall in the navigation pane. 2. Expand the Objects menu, 3. Click IP Names. The IP Names panel is displayed. 4. Click Add. The Add IP Name window opens. 5- Enter the name for the corporate server, insidehost, in the Name field 6. Enter 10.0.P.10 in the IP Address field 7. Click OK. In the IP Names configuration window, click Add again, The Add IP Name window opens, 9- Ener the name for the corporate DMZ server, bastionhost, inthe Name field 10. Enter 172.16.P.10 in the IP Address field LL, Click OK. 12. Click Apply in the IP Naines panel At the CLI, verify your configuration. 
asaP(config)# show run
: Saved
:
ASA Version 8.0(2)
!
hostname asaP
domain-name training.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 172.16.P.10 bastionhost
name 10.0.P.10 insidehost
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.P.2 255.255.255.0
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.P.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 172.16.P.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.com
pager lines 24
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.P.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http insidehost 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:983bbf4fb5adb48e1a5e75ce79e1c732
: end

Step 12 Verify that the outside interface is administratively up and running.

asaP(config)# show interface g0/0
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 0013.c482.2e52, MTU 1500
        IP address 192.168.P.2, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1 packets output, 64 bytes, 0 underruns
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "outside":
        0 packets input, 0 bytes
        1 packets output, 28 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

Step 13 Verify that the inside interface is administratively up and running.

asaP(config)# show interface g0/1
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 0013.c482.2e53, MTU 1500
        IP address 10.0.P.1, subnet mask 255.255.255.0
        10543 packets input, 873282 bytes, 173 no buffer
        Received 3352 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        11659 packets output, 7916796 bytes, 0 underruns
        0 output errors, 0 collisions, 2 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (2/25) software (0/0)
        output queue (curr/max packets): hardware (0/16) software (0/0)
  Traffic Statistics for "inside":
        10543 packets input, 645450 bytes
        11664 packets output, 7701162 bytes
        3449 packets dropped
      1 minute input rate 0 pkts/sec,  15 bytes/sec
      1 minute output rate 0 pkts/sec,  324 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  18 bytes/sec
      5 minute output rate 0 pkts/sec,  324 bytes/sec
      5 minute drop rate, 0 pkts/sec

Step 14 Verify that the DMZ interface is administratively up and running.

asaP(config)# show interface g0/3
Interface GigabitEthernet0/3 "dmz", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 0013.c482.2e54, MTU 1500
        IP address 172.16.P.1, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "dmz":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

Note
The g0/2 interface will be used in a later lab for failover configuration.

Task 3: Test Your Configuration

In this task, you will test and troubleshoot interface connectivity using the security appliance ping command.

Activity Procedure

Complete these steps:

Step 1  Ping the inside interface.

asaP(config)# ping 10.0.P.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.P.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Step 2  Ping your inside host.

asaP(config)# ping insidehost
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to insidehost, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Step 3  Ping the outside interface.

asaP(config)# ping 192.168.P.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.P.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Step 4  Ping the backbone router.

asaP(config)# ping 192.168.P.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.P.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/20 ms

Step 5  Ping the DMZ interface.

asaP(config)# ping 172.16.P.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.P.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Step 6  Ping the bastion host.

asaP(config)# ping bastionhost
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to bastionhost, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/10 ms

Task 4: Use Cisco ASDM to Configure Logging to a Syslog Server

In this task, you will configure syslog output to a syslog server. The instructor will provide you with the procedure to access a syslog server or host. This will vary according to the type of syslog server used in your classroom environment.

Note    Verify that the syslog server or host is turned on and that the syslog service is installed and started.

Activity Procedure

Complete these steps:

Step 1  Verify that the Configuration button is selected in the Cisco ASDM toolbar.
Step 2  Click Device Management in the navigation pane.
Step 3  Expand the Logging menu.
Step 4  Click Logging Setup. The Logging Setup panel is displayed.
Step 5  Check the Enable Logging check box.
Step 6  Click Apply.
Step 7  Click Syslog Servers in the Logging menu. The Syslog Servers panel is displayed.
Step 8  Click Add. The Add Syslog Server window opens.
Step 9  Choose inside from the Interface drop-down menu.
Step 10 Enter 10.0.P.10, the IP address of the syslog server, in the IP Address field.
Step 11 Click OK. You are returned to the Syslog Servers configuration panel.
Step 12 Click Apply.
Step 13 Click Logging Filters in the Logging menu. The Logging Filters panel is displayed.
Step 14 Click Syslog Servers in the Logging Destination column.
Step 15 Click Edit. The Edit Logging Filters window opens.
Step 16 In the Syslogs from All Event Classes area, click the Filter on Severity radio button.
Step 17 Choose Debugging from the Filter on Severity drop-down list.
Step 18 Click OK.
Step 19 Click Apply.
Step 20 Click Save in the toolbar. The Save Running Configuration to Flash window opens.
Step 21 Click Apply.
Task 5: Verify and Test the Syslog Configuration

Step 1  Use the CLI to verify your configuration.

asaP(config)# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level debugging, facility 20, 10 messages logged
        Logging to inside insidehost errors: 2  dropped: 7
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 9 messages logged

Step 2  Open the Kiwi Syslog Daemon on your insidehost desktop.
Step 3  From your Windows command line, use Telnet to connect to the backbone router.

C:\> telnet 192.168.P.1

Step 4  Observe the messages logged to the Kiwi Syslog Daemon display screen.

%ASA-6-302013: Built outbound TCP connection 3 for outside:192.168.P.1/23 (192.168.P.1/23) to inside:insidehost/1037 (192.168.P.20/1037)

Step 5  Stop sending messages to the syslog server.

asaP(config)# no logging trap
asaP(config)# no logging enable

Lab 5-1: Configure Translations

Complete this lab activity to practice what you learned in the related lesson.

Activity Objective

In this activity, you will configure the security appliance to use static and dynamic address translation. After completing this activity, you will be able to meet these objectives:

■ Use Cisco ASDM to configure dynamic address translation
■ Use Cisco ASDM to configure static address translations

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Visual Objective - lab topology showing the remote office server, the security appliance, the corporate server, and the bastion host]

Task 1: Test NAT Control

In this task, you will test the functionality of the NAT control feature of the security appliance.
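The %ASA-6-302013 message observed in Task 5 is one of the connection-audit messages the appliance forwards once logging to a syslog server is enabled. The following Python script is an added example, not part of this lab guide or of any Cisco tool: it parses the message header (severity and message ID), breaks a 302013 body into its interface, real-address and mapped-address fields, and filters messages the way a "logging trap <level>" setting would. The sample log lines, the pod number P = 1, the formats assumed for the related 302014 (Teardown) and 106023 (Deny) messages, and the name-to-address table are constructed for the example.

```python
"""Parse Cisco ASA syslog messages of the kind observed in Task 5.

Added example for this lab guide; it is not part of the SNAF guide, of
ASDM, or of any Cisco tool. The log lines below are constructed in the
format of the %ASA-6-302013 message shown in Task 5 and in the assumed
formats of two related messages (302014 Teardown, 106023 Deny), with the
pod number P set to 1. Only the header and the 302013 body are parsed in
detail; other message IDs keep their body as free text.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of what a syslog server such as the Kiwi daemon would
# receive from the appliance (P = 1 is an assumption).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 3 for outside:192.168.1.1/23 (192.168.1.1/23) to inside:insidehost/1037 (192.168.1.20/1037)
%ASA-6-302014: Teardown TCP connection 3 for outside:192.168.1.1/23 to inside:insidehost/1037 duration 0:00:42 bytes 1874 TCP FINs
%ASA-6-302013: Built inbound TCP connection 4 for outside:172.26.1.50/2531 (172.26.1.50/2531) to dmz:bastionhost/80 (192.168.1.11/80)
%ASA-4-106023: Deny tcp src outside:172.26.1.50/1166 dst inside:192.168.1.10/21 by access-group "outside_access_in" [0x0, 0x0]
"""

# Names configured with the "name" command (Task 2) appear in place of
# addresses in syslog output; resolve them before comparing addresses.
# Constructed for P = 1.
NAMES = {"insidehost": "10.0.1.10", "bastionhost": "172.16.1.10"}

# ASA severity levels: 0 is the most severe, 7 (debugging) the least.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

HEADER_RE = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<msg_id>\d{6}): (?P<body>.*)$")

# One endpoint of a 302013 body: interface:real-addr/real-port (mapped-addr/mapped-port)
ENDPOINT = (r"(?P<{p}_if>[\w-]+):(?P<{p}_addr>[^/\s]+)/(?P<{p}_port>\d+)"
            r" \((?P<{p}_mapped>[^/\s]+)/(?P<{p}_mport>\d+)\)")
BUILT_RE = re.compile(
    r"^Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<conn_id>\d+) for " + ENDPOINT.format(p="src") + " to "
    + ENDPOINT.format(p="dst") + r"(?: \((?P<user>[^)]*)\))?$"
)


@dataclass
class AsaMessage:
    severity: int
    severity_name: str
    msg_id: str
    body: str
    fields: Dict[str, str] = field(default_factory=dict)


def resolve(addr: str) -> str:
    """Map a configured name back to its address; pass addresses through."""
    return NAMES.get(addr, addr)


def parse_line(line: str) -> Optional[AsaMessage]:
    """Parse one syslog line; return None for lines that are not ASA messages."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    msg = AsaMessage(sev, SEVERITY_NAMES[sev], m.group("msg_id"), m.group("body"))
    if msg.msg_id == "302013":
        b = BUILT_RE.match(msg.body)
        if b:
            msg.fields = {k: v for k, v in b.groupdict().items() if v is not None}
            # A translation took place when a real address differs from its mapped address.
            translated = (resolve(b["src_addr"]) != b["src_mapped"]
                          or resolve(b["dst_addr"]) != b["dst_mapped"])
            msg.fields["translated"] = "yes" if translated else "no"
    return msg


def parse_log(text: str) -> List[AsaMessage]:
    return [m for m in (parse_line(ln) for ln in text.splitlines()) if m is not None]


def at_trap_level(messages: List[AsaMessage], level: str) -> List[AsaMessage]:
    """Keep the messages a "logging trap <level>" setting would forward:
    everything at the given severity or more severe (lower number)."""
    return [m for m in messages if m.severity <= SEVERITY_NAMES.index(level)]


def count_by_id(messages: List[AsaMessage]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for m in messages:
        counts[m.msg_id] = counts.get(m.msg_id, 0) + 1
    return counts


def inbound_connections(messages: List[AsaMessage]) -> List[str]:
    """Destination "interface:address/port" of every inbound connection built;
    this is the list a defender reviews against the intended inbound policy."""
    return [f'{m.fields["dst_if"]}:{m.fields["dst_addr"]}/{m.fields["dst_port"]}'
            for m in messages
            if m.msg_id == "302013" and m.fields.get("direction") == "inbound"]


if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for m in msgs:
        print(m.msg_id, m.severity_name, m.fields or m.body)
    print("inbound:", inbound_connections(msgs))
    print("forwarded at level warnings:", len(at_trap_level(msgs, "warnings")))
```

With the filter set to Debugging as in Task 4, at_trap_level keeps every message; setting it to "errors" would drop all four sample lines, which is why the lab uses the most verbose level while you are verifying that messages arrive at all.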
Activity Procedure

Complete these steps:

Step 1  At the corporate adaptive security appliance CLI, verify that NAT control is disabled.

asaP# show run nat-control
no nat-control

Step 2  Determine if there are any nat commands configured on the security appliance.

asaP# show run nat
nat (inside) 0 0.0.0.0 0.0.0.0

Step 3  From the Windows command line on the corporate server, establish a Telnet session to the backbone router.

C:\> telnet 192.168.P.1

Step 4  View the translation table on the corporate adaptive security appliance.

asaP# show xlate
Global insidehost Local insidehost

Step 5  Close the Telnet connection.
Step 6  Clear the translation table on the corporate adaptive security appliance.

asaP# clear xlate

Step 7  Verify that there are no translations.

asaP# show xlate
0 in use, 2 most used

Step 8  Enter configuration mode on the corporate adaptive security appliance.

asaP# config t
asaP(config)#

Step 9  Remove the NAT statement inserted in the configuration by Cisco ASDM from the configuration.

asaP(config)# clear config nat

Step 10 Verify that there are no nat commands configured on the security appliance.

asaP(config)# show run nat

Step 11 From the Windows command line on the corporate server, establish a Telnet session to the backbone router. You should still be able to establish a Telnet connection to the router without any NAT translation configured because NAT control is disabled.

C:\> telnet 192.168.P.1

Step 12 Exit the Telnet connection.
Step 13 Complete the following substeps to enable NAT control on the security appliance:
        1. Click Configuration in the Cisco ASDM toolbar.
        2. Choose Firewall from the navigation pane.
        3. Choose NAT Rules from the Firewall menu. The NAT Rules panel is displayed.
        4. Uncheck the Enable Traffic Through the Firewall Without Address Translation check box.
        5. Click Apply.
Step 14 From the Windows command line on the corporate server, establish a Telnet session to the backbone router. You should not be able to establish a Telnet connection to the router without any NAT translation configured because NAT control is now enabled.

C:\> telnet 192.168.P.1

Step 15 Close the command window.

Task 2: Configure Dynamic NAT

In this task, you will configure dynamic NAT for the inside and DMZ networks.

Activity Procedure

Complete these steps:

Step 1  Complete the following substeps to configure dynamic NAT for the inside network:
        1. In the ASDM NAT Rules panel, click Add.
        2. Choose Add Dynamic NAT Rule from the Add menu. The Add Dynamic NAT Rule window opens.
        3. Choose inside from the Interface drop-down list in the Original area.
        4. Enter 10.0.P.0/24 in the Source field in the Original area.
        5. Click Manage. The Manage Global Pool window opens.
        6. Click Add. The Add Global Address Pool window opens.
        7. Choose outside from the Interface drop-down list.
        8. Verify that 1 is displayed in the Pool ID field.
        9. Click the Range radio button in the IP Addresses to Add pane.
        10. Enter 192.168.P.20 in the Starting IP Address field.
        11. Enter 192.168.P.254 in the Ending IP Address field.
        12. Enter 255.255.255.0 in the Netmask field.
        13. Click Add. The address range is displayed in the Addresses Pool pane.
        14. Click OK.
        15. Click OK in the Manage Global Pool window.
        16. Verify that the global pool with the Pool ID of 1 is selected in the Translated table.
        17. Click OK.
        18. Click Apply in the NAT Rules panel.
        19. Click the Save button in the toolbar to save the configuration to flash memory. The Save Running Configuration to Flash window is displayed.
        20. Click Apply.
Step 2  Complete the following substeps to test the operation of the dynamic NAT configuration that you configured:
        1. From the Windows command line on the corporate server, establish a Telnet session to the backbone router. You should again be able to establish a Telnet connection to the router.

           C:\> telnet 192.168.P.1

        2. Exit the Telnet connection.
        3. At the security appliance command line, observe the translation table.

           asaP(config)# show xlate

           Your display should appear similar to the following because a global address chosen from the low end of the global pool range has been mapped to the corporate server.

           1 in use, 2 most used
           Global 192.168.P.20 Local insidehost

        4. Open a web browser on the corporate server.
        5. Use the web browser to access the Internet server at IP address 172.26.26.50. Enter http://172.26.26.50. You should be able to access the Internet server.
        6. At the security appliance command line, observe the local host table. Notice that the display shows active connections on the inside and outside interfaces, the translation being used, and information about the current connection.

           asaP(config)# show local-host insidehost
           Interface outside: 1 active, 1 maximum active, 0 denied
           Interface dmz: 0 active, 1 maximum active, 0 denied
           Interface inside: 1 active, 1 maximum active, 0 denied
           local host: <insidehost>,
               TCP flow count/limit = 2/unlimited
               TCP embryonic count to host = 0
               TCP intercept watermark = unlimited
               UDP flow count/limit = 0/unlimited
             Xlate:
               Global 192.168.P.20 Local insidehost
             Conn:
               TCP out 172.26.26.50:80 in insidehost:1255 idle 0:00:43 bytes 590527 flags UIO

Step 3  Complete the following substeps to create a global pool of addresses to allow inside hosts to access the DMZ network:
        1. In the ASDM NAT Rules panel, select the NAT rule that you created earlier in this lab exercise.
        2. Click Edit. The Edit Dynamic NAT Rule window opens.
        3. Click Manage. The Manage Global Pool window opens.
        4. Click Add. The Add Global Address Pool window opens.
        5. Choose dmz from the Interface drop-down list.
        6. Verify that 1 is displayed in the Pool ID field.
        7. Verify that the Range radio button is selected in the IP Addresses to Add pane.
        8. Enter 172.16.P.20 in the Starting IP Address field.
        9. Enter 172.16.P.254 in the Ending IP Address field.
        10. Enter 255.255.255.0 in the Netmask field.
        11. Click Add. The address range is displayed in the Addresses Pool panel.
        12. Click OK.
        13. Click OK in the Manage Global Pool window.
        14. Click OK in the Edit Dynamic NAT Rule window.
        15. Click Apply in the NAT Rules panel.
Step 4  At the security appliance command line, clear the translation table so that the global IP address will be updated in the table.

asaP(config)# clear xlate

Step 5  Write the current configuration to flash memory.

asaP(config)# write memory

Step 6  Test web access to the bastion host from the corporate server by completing the following substeps:
        1. Open a web browser on the corporate server.
        2. Use the web browser to access the bastion host. Enter http://172.16.P.10.
        3. The home page of the bastion host should appear in the web browser.
Step 7  At the security appliance command line, use the show arp, show xlate, and show conn commands to observe the transaction.

asaP(config)# show arp
        outside 192.168.P.1 00e0.1641.8762
        inside insidehost 00e0.b05a.a509
        dmz bastionhost 00e0.1eb1.79df
        cplane 127.0.2.1 0000.0002.0001

asaP(config)# show xlate
1 in use, 2 most used
Global 172.16.P.20 Local insidehost

Q1)  How many translations are in use in the translation table? ________

asaP(config)# show xlate detail
1 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static
NAT from inside:insidehost to dmz:172.16.P.20 flags i

Q2)  What does the translation flag "i" mean? ________

asaP(config)# show conn

Note    You may have to refresh your browser to see the show conn information.

1 in use, 3 most used
TCP out bastionhost:80 in insidehost:1051 idle 0:00:07 bytes 461 flags UIO

Q3)  How many connections are in use in the connection table? ________
     List the HTTP connection table host entries here.
     TCP out (host) ________ : (port) ________  in (host) ________ : (port) ________

asaP(config)# show conn detail
1 in use, 3 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response,
       k - Skinny media, M - SMTP data, m - SIP media, O - outbound data,
       P - inside back connection, q - SQL*Net data,
       R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       X - inspected by service module
TCP dmz:bastionhost/80 inside:insidehost/1052 flags UIO

Note    You may have to refresh your browser to see the show conn detail information.

Q4)  What does the connection flag UIO mean? ________

Step 8  Use the show local-host insidehost command to observe the inside host connection information.

asaP(config)# show local-host insidehost
Interface outside: 0 active, 1 maximum active, 0 denied
Interface dmz: 1 active, 1 maximum active, 0 denied
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <insidehost>,
    TCP flow count/limit = 2/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Xlate:
    Global 172.16.P.20 Local insidehost
  Conn:
    TCP out bastionhost:80 in insidehost:1053 idle 0:00:14 bytes 2225 flags UIO

Step 9  Test FTP access to the bastion host from the corporate server by completing the following substeps:
        1. From the Windows command line, establish an FTP session to the bastion host. You have reached the bastion host if you receive the message "Connected to 172.16.P.10."

           C:\> ftp 172.16.P.10

        2. Log in to the FTP session.

           User (172.16.P.10:(none)): anonymous
           331 Anonymous access allowed, send identity (e-mail name) as password.
           Password: cisco

Step 10 Use the show conn and show xlate commands to observe the FTP connection.

Q5)  How many translations are in use in the translation table? ________
     List the translation table host entries here.
     Global ________  Local ________

Q6)  How many TCP connections are in use in the connection table? ________
     List the connection table host entries below. (You may have to refresh the HTTP connection to see both connections.)
     TCP out (host) ________ : (port) ________  in (host) ________ : (port) ________
     TCP out (host) ________ : (port) ________  in (host) ________ : (port) ________

Step 11 Complete the following substeps to view translation and connection table entries from an outbound Telnet connection:
        1. From the Windows command line on the corporate server, establish a Telnet session to the backbone router. Use the password cisco.

           C:\> telnet 192.168.P.1

        2. Use the show conn and show xlate commands to observe the transaction.

Q7)  How many translations are in the translation table? ________
Q8)  List the translation table host entries here.
     Global ________  Local ________
     Global ________  Local ________
Q9)  How many TCP connections are in the connection table? ________
     List the connection host entries below. You may have to refresh the HTTP connection to see all connections.
     TCP out (host) ________ : (port) ________  in (host) ________ : (port) ________
     TCP out (host) ________ : (port) ________  in (host) ________ : (port) ________
     TCP out (host) ________ : (port) ________  in (host) ________ : (port) ________

        3. Clear the translation table.

           asaP(config)# clear xlate

        4. Show the translation table.

           asaP(config)# show xlate

Q10) How many translations are in use? ________

        5. Show the connection table.

           asaP(config)# show conn

Q11) How many connections are in use? ________

        6. Quit the FTP session if you were able to connect and log in.

           ftp> quit

Step 12 Close the Telnet command prompt window.
Step 13 Close the web browser.
Step 14 Save your configuration.
asaP(config)# write memory Task 3: Configure Static Translations In this task, you will configure static transtations for the bastion host and the corporate server. Activity Procedure Complete these steps: Step Inthe NAT Rules panel, click Add. Step2 Choose Add Static NAT Rule from the Add menu, The Add Static NAT Rule window opens. Step3 Choose inside from the Interface drop-down list in the Original area. Step4 Enter 10.0.P.10 in the Source field of the Original area, Step 5 Choose outside from the Inter ice drop-down list in the Translated area. Step6 Verify that the Use IP Address radio button is selected, and enter 192.168.P.10 in the corresponding field, Step7 Click OK. Step8 Choose Add Static NAT Rute again from the Add menu. The Add Static NAT Rule ‘window opens. Step9 Choose dmz from the Interface drop-down list in the Original area. 38 ‘Securing Networks with ASA Fundamentals (SNAF) v1.0 (© 2008 Cisco Systems, Inc. Step 10 Step 14 Step 12 Step 13 Step 14 Step 15 Step 16 Enter 172.16.P.10 in the Source field of the Original area, Choose outside from the Interface drop-down list in the Translated area, Verify that the Use IP Address radio button is selected, and enter 192.168.P.11 in the corresponding fied. Click OK, Click Apply in the NAT Rules panel Use the Save button in the Cisco ASDM toolbar to save your configuration to flash memory. Complete the following substeps to test the functionality of the static translations you created: 1 From the Windows command line of the remote office server, attempt to establish an FTP session to the bastion host. You should be unable to access the bastion host via FTP without configuring an ACL to permit the inbound FTP traffic to the bastion host. C:\> ftp 192.168.P.12 Open a web browser on the remote office server to test web access to the bastion host. Enter http://192.168.P.11. You should be unable to access the bastion host via its static mapping without configuring an ACL to permit the inbound HTTP. 
taffic to the bastion host. (© 2008 Cisco Systems, nc Lab Guide a7 Lab 6-1: Configure ACLs Complete this lab activity to practice what you leamed in the related lesson. Activity Objective In this activity, you will configure ACLs on a sect activity, you will be able to meet these objectives: ™ Use Cisco ASDM to configure inbound ACLs = Use Cisco ASDM to configure outbound ACLs Use the packet tracer to test and verify your configuration Visual Objective The figure illustrates what you will accomplish in this activity ‘Ssusent PC ty appliance . After completing this 38 Securing Networks with ASA Fundamentals (SNAF) v1.0 (© 2008 Cisco Systems, Ine Task 1: Configure Inbound Access Rules on the Security Appliance {n this task, you will configure inbound access rules on the outside interface to perform these functions: "Allow inbound web traffic from the outside network to the bastion host = Allow inbound FTP traffic from the outside network to the bastion host = Allow inbound web traffic to the corporate server "Allow inbound pings to any destination = Allow ICMP echo-replies to the corporate server ™ Deny all other inbound traffic explicitily = Configure Access Rules on the DMZ. interface in the “in” direction to perform these functions: Activity Procedure Allow ICMP echo-replies from the bastion host to any destinations Deny all other inbound traffic implicitly Complete these steps: Step Step 2 Step 3 Step 4 (© 2008 Cisco Systems, Inc. Use the eapture command to capture packets on the outside interface so that you can later view detailed information about packets and how they are processed by the security appliance. asaP (config) # capture OUTSIDE CAP interface outside trace buffer 1534 Open a.web browser on the remote office server to test web access to the corporate server. Enter http://192.168.P.10. 
You should be unable to access the corporate server via its static mapping without configuring an ACL to permit the inbound HTTP traffic to the corporate server Display information about the packets that you captured on the outside interface asaP(config)# show capture OUTSIDE_cAP 2 packets captured 1; 07:08:33.715564 172.26.26.50.2531 > 192.168.P.10.90: 5 2401680706:2401680706(0) win 64512 «mss 1260,nop, nop, sackOKs 2: 07:08:39.732277 172.26.26.50.2531 > 192.168.P.10.80: 5 2401680706 :2401680706(0) win 64512 ping 192.168.P.10 Pinging 192.168.P.10 with 32 bytes of data: Reply from 192.168.P.10: bytes=32 timecloms TTL=122 Reply from 192.168.P.10: bytes=32 timecloms TTL=122 Reply from 192.168.P.10: bytes=32 timeclome TTL=122 Reply from 192.168.P.10: bytes=32 timeclOms TTI 2. Ping the bastion host from the remote office server. C:\>ping 192.168.P.11 Pinging 192.168.P.11 with 32 bytes of data Reply from 192.168.P.11 timeciome TT Reply from 192.168.P.11: bytes=32 timeclons TT Reply from 192.168.P.11: bytes=32 timecLOme TTL-125 Reply from 192.168.P.11: bytes-32 timecloms TTL=125 3. Ping your bastion host from your corporate server. c:\>ping 172.16.P.10 Pinging 172.16.P.10 with 32 bytes of data: Reply from 172,16.P.10: bytes=32 timecloms TTL<126 Reply from 172.16.P.10: bytes=32 timeping 172.26.P.50 Pinging 172.26.P.50 with 32 bytes of data: Reply from 172.26.P.50: bytes=32 timeclOms TTL=125 Reply from 172.26.P.50: bytes=32 timecloms TTL-125 Reply from 172.26.P.50 Reply from 172.26.P.50 timecioms TTL=125 5. From the Windows command line on the remote office server, establish an FTP session to the bastion host. You have reached the bastion host if you receive the Connected to 192.168.P.11 message. You should now be able to access the bastion host via FTP, timecioms TTL=125 ‘Securing Networks with ASA Fundamentals (SNAF) v1.0 (© 2008 Cisco Systoms, ne Step 15 Step 16 C:\> ftp 192.168.P.12 6. Use the web browser on the remote office server to access the bastion host. 
You should now be able to access the bastion host. Enter http://192.168.P.11.
7. Clear your capture buffers. This ensures that only packets from the following tests are captured, and it enables you to more easily compare the captures to those containing the denied web and FTP requests in Task 4.
    asaP(config)# clear capture OUTSIDE_CAP
8. Use a browser on the remote office server to test web access to the corporate server. You should now be able to access the IP address that is statically mapped to the corporate server. Enter http://192.168.P.10.
9. From the Windows command line on the remote office server, attempt to establish an FTP session to the corporate server. You should be unable to access the corporate server via FTP.
    C:\> ftp 192.168.P.10

Step 16 Display information about the packets that you captured on the outside interface.

    asaP(config)# show capture OUTSIDE_CAP
    4 packets captured
    1: 07:08:21.089381 172.26.P.50.1166 > 192.168.P.10.80: S 1264816164:1264816164(0) win 65535 <mss 1380,nop,nop,sackOK>
    2: 07:08:24.089361 192.168.P.10.80 > 172.26.P.50.1166: S 3357015960:3357015960(0) ack 1264816165 win 65535
    3: 07:08:30.089381 172.26.P.50.1166 > 192.168.P.10.80: . ack 3357015961 win 65535
    4: 07:08:30.08938 172.26.P.50.1166 > 192.168.P.10.80: P 1264816165:1264816324
    4 packets shown

Display the ACLs again and observe the hit counts.

    asaP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list outside_access_in; 6 elements
    access-list outside_access_in line 1 extended permit tcp 172.26.P.0 255.255.255.0 host 192.168.P.11 eq www (hitcnt=2) 0xfifaassc
    access-list outside_access_in line 2 extended permit tcp 172.26.P.0 255.255.255.0 host 192.168.P.11 eq ftp (hitcnt=2) 0x942e87f11
    access-list outside_access_in line 3 extended permit tcp 172.26.P.0 255.255.255.0 host 192.168.P.10 eq www (hitcnt=…) 0xb700935b
    access-list outside_access_in line 4 extended permit icmp any any echo (hitcnt=2) 0xades52ib
    access-list outside_access_in line 5 extended permit icmp any host 192.168.P.10 echo-reply (hitcnt=3) 0x58d075a0
    access-list outside_access_in line 6 extended deny ip any any (hitcnt=0) 0x4d2beci
    access-list dmz_access_in; 1 elements
    access-list dmz_access_in line 1 extended permit icmp host bastionhost any echo-reply (hitcnt=2) 0x3495471d

Step 17 Use the packet tracer to view the result of your HTTP request to the corporate server. Complete the following substeps to trace an HTTP packet that is attempting to travel through the outside interface from the Internet server to the corporate server:
1. Return to the Cisco ASDM session on the corporate server.
2. Click the Tools option in the Cisco ASDM menu bar.
3. Choose Packet Tracer. The Cisco ASDM Packet Tracer window opens.
4. Choose outside from the Interface drop-down list.
5. Verify that the TCP radio button is selected.
6. Enter 172.26.P.50 in the Source IP Address field.
7. Enter 1025 in the Source Port field.
8. Enter 192.168.P.10 in the Destination IP Address field.
9. Enter 80 in the Destination Port field.
10. Check the Show Animation check box.
11. Click Start.
12. When the trace is complete, expand and examine the results of the various phases of the trace in the Packet Tracer Phase panel. The RESULT phase should contain the message "The packet is allowed."
13. Close the Packet Tracer window.

Step 18 At the security appliance command line, disable packet capture.

    asaP(config)# no capture OUTSIDE_CAP

Task 2: Configure Outbound Access Rules on the Security Appliance

In this task, you will configure access rules on the inside interface to perform these functions:
- Deny outbound web traffic
- Allow outbound FTP traffic from the internal corporate network to 172.26.26.50
- Deny all other traffic explicitly

Activity Procedure

Complete these steps:

Step 1 Test web access to the Internet by completing the following substeps. You should be able to access 172.26.26.50.
1. Open a web browser on the corporate server.
2. Use the web browser to access Internet host 172.26.26.50. Enter http://172.26.26.50.

Step 2 Test FTP access to Internet host 172.26.26.50. From the FTP client on the corporate server, choose Start > Run, and enter ftp 172.26.26.50 in the Open field. You should be able to access host 172.26.26.50 via FTP.

Step 3 Complete the following substeps to create an ACL that prevents any host on the internal corporate network from making outbound HTTP connections to any host.
1. Return to the Cisco ASDM session on the corporate server.
2. Click Add in the Access Rules panel.
3. Choose Add Access Rule. The Add Access Rule window opens.
4. Choose inside from the Interface drop-down list.
5. Click the Deny radio button.
6. Verify that any is displayed in the Source field.
7. Verify that any is displayed in the Destination field.
8. Enter tcp/http in the Service field.
9. Click OK.
10. Click Apply in the Access Rules panel.

Note: This ACL prevents all outbound connections because there are no permit entries in the ACL.

Step 4 At the security appliance command line, display the ACL you configured, and observe the hit count.

    asaP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list outside_access_in; 6 elements
    access-list outside_access_in line 1 extended permit tcp 172.26.P.0 255.255.255.0 host 192.168.P.11 eq www (hitcnt=2) 0xf1taasse
    access-list outside_access_in line 2 extended permit tcp 172.26.P.0 255.255.255.0 host 192.168.P.11 eq ftp (hitcnt=…) 0x94287f11
    access-list outside_access_in line 3 extended permit tcp 172.26.P.0 255.255.255.0 host 192.168.P.10 eq www (hitcnt=…)
    0xb700935b
    access-list outside_access_in line 4 extended permit icmp any any echo (hitcnt=2) 0xade5921b
    access-list outside_access_in line 5 extended permit icmp any host 192.168.P.10 echo-reply (hitcnt=3) 0x58d075a0
    access-list outside_access_in line 6 extended deny ip any any (hitcnt=0) 0x4d2beci
    access-list dmz_access_in; 1 elements
    access-list dmz_access_in line 1 extended permit icmp host bastionhost any echo-reply (hitcnt=2) 0x34954714
    access-list inside_access_in; 1 elements
    access-list inside_access_in line 1 extended deny tcp any any eq www (hitcnt=0) 0xb70c935b

Step 5 Test web access to the Internet by completing the following substeps. You should be unable to access the Internet host.
1. Close the web browser on the corporate server.
2. Open a new web browser on the corporate server.
3. Enter http://172.26.26.50 in the web browser.

Step 6 Test FTP access to the Internet host by completing the following substeps. Like the HTTP connection, the FTP connection should fail because of the implicit deny.
1. On the corporate server, choose Start > Run.
2. Enter ftp 172.26.26.50 in the Open field.

Step 7 Display your ACL again and notice that the hit count has incremented on the inside_access_in ACL deny tcp any any eq www ACE.
    asaP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list outside_access_in; 6 elements
    access-list outside_access_in line 1 extended permit tcp 172.26.P.0 255.255.255.0 host 192.168.P.11 eq www (hitcnt=2) 0xe1faa5ge
    access-list outside_access_in line 2 extended permit tcp 172.26.P.0 255.255.255.0 host 192.168.P.11 eq ftp (hitcnt=…) 0x94287f11
    access-list outside_access_in line 3 extended permit tcp 172.26.P.0 255.255.255.0 host 192.168.P.10 eq www (hitcnt=…) 0xb70c935b
    access-list outside_access_in line 4 extended permit icmp any any echo (hitcnt=2) 0xadc5921b
    access-list outside_access_in line 5 extended permit icmp any host 192.168.P.10 echo-reply (hitcnt=3) 0x5ed075a0
    access-list outside_access_in line 6 extended deny ip any any (hitcnt=0) 0x4d2beci
    access-list dmz_access_in; 1 elements
    access-list dmz_access_in line 1 extended permit icmp host bastionhost any echo-reply (hitcnt=2) 0x34954714
    access-list inside_access_in; 1 elements
    access-list inside_access_in line 1 extended deny tcp any any eq www (hitcnt=3) 0xb70c935b

Step 8 Complete the following substeps to add an additional command to the ACL to permit outbound FTP access from any inside host to host 172.26.26.50:
1. Click Add in the Access Rules panel.
2. Choose Add Access Rule. The Add Access Rule window opens.
3. Choose inside from the Interface drop-down list.
4. Verify that the Permit radio button is selected.
5. Enter 10.0.P.0/24 in the Source field.
6. Enter 172.26.26.50 in the Destination field.
7. Enter tcp/ftp in the Service field.
8. Click OK.

Step 9 Add another ACL command statement to deny all other outbound IP traffic.
1. Click Add in the Access Rules panel.
2. Choose Add Access Rule. The Add Access Rule window opens.
3. Choose inside from the Interface drop-down list.
4. Click the Deny radio button.
5. Verify that any is displayed in the Source field.
6. Verify that any is displayed in the Destination field.
7. Verify that ip is displayed in the Service field.
8. Click OK.

Step 10 Click Apply in the Access Rules panel.

Note: This ACL statement is needed only to enable you to view the hit counts.

Step 11 View your ACL again.

    asaP(config)# show access-list inside_access_in
    access-list inside_access_in; 3 elements
    access-list inside_access_in line 1 extended deny tcp any any eq www (hitcnt=3) 0xa0sf3f81
    access-list inside_access_in line 2 extended permit tcp 10.0.P.0 255.255.255.0 host 172.26.26.50 eq ftp (hitcnt=0) 0xa5186898
    access-list inside_access_in line 3 extended deny ip any any (hitcnt=0) 0x29ffocae

Step 12 Test web access to the Internet by completing the following substeps. You should be unable to access the Internet host because of the first deny ACL entry.
1. Open a web browser on the corporate server.
2. Enter http://172.26.26.50 in the web browser.

Step 13 Test FTP access to the Internet host by completing the following substeps. You should now be able to connect using FTP.
1. On the corporate server, choose Start > Run.
2. Enter ftp 172.26.26.50 in the Open field.

Step 14 Test FTP access to the Internet by completing the following substeps. You should be unable to connect using FTP.
1. On the corporate server, choose Start > Run.
2. Enter ftp 172.26.1.200 in the Open field.

Step 15 View your outbound ACL again and observe the hit counts.

    asaP(config)# show access-list inside_access_in
    access-list inside_access_in; 3 elements
    access-list inside_access_in line 1 extended deny tcp any any eq www (hitcnt=6) 0xa09f3f01
    access-list inside_access_in line 2 extended permit tcp 10.0.P.0 255.255.255.0 host 172.26.26.50 eq ftp (hitcnt=1) 0xd5186899
    access-list inside_access_in line 3 extended deny ip any any (hitcnt=3) 0x29ff0ca0

Caution: Be sure to enter the following command exactly as shown.
If you omit the ACL name, all ACL statements will be removed.

Step 16 Remove all the explicitly configured access rules on the inside_access_in ACL.

    asaP(config)# clear configure access-list inside_access_in

Step 17 Save your configuration.

    asaP(config)# write memory

Lab 7-1: Configure Object Groups

Complete this lab activity to practice what you learned in the related lesson.

Activity Objective

In this activity, you will configure object groups and apply them in an ACL. After completing this activity, you will be able to meet these objectives:
- Configure a service object group
- Configure an ICMP-type object group
- Configure network object groups
- Configure an inbound ACL with object groups to enable inbound web and ICMP traffic
- Test and verify the inbound ACL

Visual Objective

The figure illustrates what you will accomplish in this activity.
(Figure: Lab 7-1 Visual Objective)

Task 1: Configure a Service Object Group

In this task, you will configure a service object group containing HTTP and FTP.

Activity Procedure

Complete these steps:

Step 1 Click Configuration in the Cisco ASDM toolbar.
Step 2 Choose Firewall from the navigation pane.
Step 3 Expand the Objects menu.
Step 4 Click Service Groups. The Service Groups panel is displayed.
Step 5 Click Add.
Step 6 Choose TCP Service Group. The Add TCP Service Group window opens.
Step 7 Enter MYSERVICES in the Group Name field.
Step 8 Choose ftp from the Existing Service/Service Group list.
Step 9 Click Add.
Step 10 Choose http from the Existing Service/Service Group list.
Step 11 Click Add.
Step 12 Click OK. The MYSERVICES service group is displayed in the Service Groups panel.
Step 13 Click Apply.

Task 2: Configure an ICMP-Type Object Group

In this task, you will configure an ICMP-type object group.
Activity Procedure

Complete these steps:

Step 1 Click Add in the Service Groups panel.
Step 2 Choose ICMP Group. The Add ICMP Group window opens.
Step 3 Enter PING in the Group Name field.
Step 4 Choose echo from the Existing Service/Service Group list.
Step 5 Click Add.
Step 6 Choose echo-reply from the Existing Service/Service Group list.
Step 7 Click Add.
Step 8 Choose unreachable from the Existing Service/Service Group list.
Step 9 Click Add.
Step 10 Click OK. The PING ICMP group is displayed in the Service Groups panel.
Step 11 Click Apply.

Task 3: Configure Network Object Groups

In this task, you will configure network object groups.

Activity Procedure

Complete these steps:

Step 1 Choose Network Object Groups from the Objects menu in the navigation pane. The Network Object Groups panel is displayed.
Step 2 Click Add. The Add Network Object Group window opens.
Step 3 Enter DMZSERVER in the Group Name field.
Step 4 Choose 192.168.P.11 from the Existing Address list.
Step 5 Click Add.
Step 6 Click OK. The DMZSERVER group is displayed in the Network Object Groups panel.
Step 7 Click Add again in the Network Object Groups panel. The Add Network Object Group window opens.
Step 8 Enter CORPSERVERS in the Group Name field.
Step 9 Choose 192.168.P.11 from the Existing Address list.
Step 10 Click Add.
Step 11 Choose 192.168.P.10 from the Existing Address list.
Step 12 Click Add.
Step 13 Click OK. The CORPSERVERS group is displayed in the Network Object Groups panel.
Step 14 Click Apply.
Task 4: Configure an Inbound ACL with Object Groups

In this task, you will configure an inbound ACL to perform these functions:
- Allow inbound web and FTP traffic from the outside 172.26.26.0/24 network to your bastion host (the DMZ server)
- Deny all other traffic implicitly

Activity Procedure

Complete these steps:

Step 1 Enter the following command at the security appliance CLI to remove the ACLs that you configured in "Lab 7-1: Configure Access Control Lists (ACLs)," if they are not cleared already.

    asaP(config)# clear configure access-list

Step 2 Verify that all ACLs have been removed.

    asaP(config)# show run access-list

Step 3 Test web access to your bastion host by completing the following substeps. You should be unable to access the bastion host.
1. Open a web browser on the remote office server.
2. Use the web browser to attempt to access the bastion host. Enter http://192.168.P.11.

Step 4 From the remote office server, test FTP access to your bastion host. Choose Start > Run, and enter ftp 192.168.P.11 in the Open field. You should be unable to access your bastion host via FTP.

Step 5 Complete the following substeps to use the MYSERVICES group to create an ACL permitting inbound web and FTP access to the bastion host from any host on the outside 172.26.P.0/24 network.
1. Return to your Cisco ASDM session on the corporate server.
2. Choose Access Rules from the Firewall menu in the navigation pane. The Access Rules panel is displayed.
3. Click Add.
4. Choose Add Access Rule. The Add Access Rule window opens.
5. Choose outside from the Interface drop-down list.
6. Verify that the Permit radio button is selected.
7. Enter 172.26.P.0/24 in the Source field.
8. Click the ellipsis (...) button in the Destination field. The Browse Destination window opens.
9. Choose DMZSERVER.
10. Click OK. The Add Access Rule window is displayed.
11. Click the ellipsis (...) button in the Service field. The Browse Service window opens.
12. Choose MYSERVICES.
13. Click OK.
14. Click OK in the Add Access Rule window. The Access Rules panel is displayed.
15. Click Apply.

Step 6 From the remote office server, ping your bastion host. The ping should fail.

    C:\>ping 192.168.P.11
    Pinging 192.168.P.11 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

Step 7 Test web access to your bastion host by completing the following substeps. You should now be able to access your bastion host.
1. Open a web browser on the remote office server.
2. Use the web browser to access the bastion host. Enter http://192.168.P.11.

Step 8 Test web access to your inside corporate server by completing the following substeps. You should still be unable to access your corporate server.
1. Open a web browser on the remote office server.
2. Use the web browser to attempt to access the corporate server. Enter http://192.168.P.10.

Step 9 From the remote office server, test FTP access to your bastion host. Choose Start > Run, and enter ftp 192.168.P.11 in the Open field. You should now be able to access your bastion host via FTP.

Step 10 Return to the Cisco ASDM session on the corporate server.

Step 11 Complete the following substeps to remove the access rule that you created in this task.
1. In the Access Rules panel, click the access rule that you created in this task.
2. Click Delete.
3. Click Apply.
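The results of Steps 6 through 9 follow from two behaviours of the security appliance: a rule that references object groups is expanded into one ACE per destination/service pair, and the first ACE that matches a packet decides the verdict and is the only one whose hit count increments; a packet that matches no ACE is dropped by the implicit deny, which has no counter. The Python model below is an added example, not part of the Cisco lab guide; it reproduces the Task 4 rule and tests, and also expands the Task 5 rules into the 9 elements that Task 6 displays. It assumes P = 1, a remote office server at 172.26.1.50, numeric ports (80 = www, 21 = ftp) and group members in the order they were added.

```python
"""Object-group expansion and first-match ACL evaluation, modelled on Lab 7-1.
Added example, not Cisco's code. Assumes pod number P = 1 and numeric ports."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import List, Optional, Union

# Object groups as created in Lab 7-1 Tasks 1 to 3 (constructed with P = 1).
SERVICE_GROUPS = {
    "MYSERVICES": [("tcp", 21), ("tcp", 80)],                                 # ftp, http
    "PING": [("icmp", "echo"), ("icmp", "echo-reply"), ("icmp", "unreachable")],
}
NETWORK_GROUPS = {
    "DMZSERVER": ["192.168.1.11"],
    "CORPSERVERS": ["192.168.1.11", "192.168.1.10"],
}
Service = Optional[Union[int, str]]   # tcp/udp port, ICMP type name, or None for any


@dataclass
class Ace:
    """One expanded access control entry, as 'show access-list' prints it."""
    line: int
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp" or "icmp"
    src: str             # "any" or an address/prefix
    dst: str
    svc: Service = None
    hitcnt: int = 0


def expand(rules) -> List[Ace]:
    """Expand (action, proto, src, dst, service) rules into ACEs; dst and service
    may be 'object-group NAME'. One ACE per (destination, service) pair."""
    aces = []
    for line, (action, proto, src, dst, svc) in enumerate(rules, 1):
        dsts = NETWORK_GROUPS[dst.split()[1]] if dst.startswith("object-group ") else [dst]
        if isinstance(svc, str) and svc.startswith("object-group "):
            svcs = SERVICE_GROUPS[svc.split()[1]]
        else:
            svcs = [(proto, svc)]
        for d, (p, s) in product(dsts, svcs):
            aces.append(Ace(line, action, p, src, d, s))
    return aces


def _contains(net: str, host: str) -> bool:
    return net == "any" or ip_address(host) in ip_network(net, strict=False)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, svc: Service = None) -> str:
    """First matching ACE decides and takes the hit; no match is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_contains(ace.src, src) and _contains(ace.dst, dst)):
            continue
        if ace.svc is not None and ace.svc != svc:
            continue
        ace.hitcnt += 1
        return ace.action
    return "deny"   # implicit deny: nothing is counted, as in Step 6 of Task 4


def show_access_list(name: str, acl: List[Ace]) -> List[str]:
    """Render ACEs in the style of 'show access-list' (hash tags omitted)."""
    out = [f"access-list {name}; {len(acl)} elements"]
    for a in acl:
        dst = "any" if a.dst == "any" else f"host {a.dst}"
        svc = "" if a.svc is None else (f" eq {a.svc}" if a.proto in ("tcp", "udp") else f" {a.svc}")
        out.append(f"access-list {name} line {a.line} extended {a.action} {a.proto} "
                   f"{a.src} {dst}{svc} (hitcnt={a.hitcnt})")
    return out


def lab_7_1_task_4():
    """The Step 5 rule, then the tests of Steps 6 to 9 from the remote office server."""
    acl = expand([("permit", "tcp", "172.26.1.0/24",
                   "object-group DMZSERVER", "object-group MYSERVICES")])
    remote = "172.26.1.50"
    results = {
        "ping bastion": evaluate(acl, "icmp", remote, "192.168.1.11", "echo"),  # Step 6: fails
        "http bastion": evaluate(acl, "tcp", remote, "192.168.1.11", 80),       # Step 7: works
        "http corporate": evaluate(acl, "tcp", remote, "192.168.1.10", 80),     # Step 8: fails
        "ftp bastion": evaluate(acl, "tcp", remote, "192.168.1.11", 21),        # Step 9: works
    }
    return results, acl


def lab_7_1_task_5_outside():
    """Task 5 Steps 1 to 3 on the outside interface: expands to 9 elements."""
    return expand([
        ("permit", "tcp", "any", "object-group CORPSERVERS", 80),
        ("permit", "icmp", "any", "object-group CORPSERVERS", "object-group PING"),
        ("deny", "ip", "any", "any", None),
    ])


if __name__ == "__main__":
    results, acl = lab_7_1_task_4()
    for test, verdict in results.items():
        print(f"{test:15} {verdict}")
    print("\n".join(show_access_list("outside_access_in", lab_7_1_task_5_outside())))
```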
Task 5: Configure Inbound Web and ICMP Access

In this task, you will configure the ACL outside_access_in to perform these functions:
- Permit inbound web and ICMP echo, echo-reply, and unreachable traffic to hosts behind the security appliance
- Deny all other traffic from the Internet explicitly

You will also configure the ACL dmz_access_in to perform these functions:
- Permit ICMP echo, echo-reply, and unreachable traffic to the corporate server from the bastion host
- Deny all other traffic from the Internet implicitly

Activity Procedure

Complete these steps:

Step 1 Complete the following substeps to add an access rule that permits web traffic to all hosts behind the security appliance.
1. Click Add in the Access Rules panel.
2. Choose Add Access Rule. The Add Access Rule window opens.
3. Choose outside from the Interface drop-down list.
4. Verify that the Permit radio button is selected.
5. Accept the default setting of any in the Source field.
6. Click the ellipsis (...) button in the Destination field. The Browse Destination window opens.
7. Choose CORPSERVERS.
8. Click OK. The Add Access Rule window is displayed.
9. Enter tcp/ in the Service field. A drop-down list of services opens.
10. Choose http.
11. Click OK.

Step 2 Complete the following substeps to permit ICMP echo, echo-reply, and unreachable traffic to hosts behind the security appliance.
1. Click Add in the Access Rules panel.
2. Choose Add Access Rule. The Add Access Rule window opens.
3. Choose outside from the Interface drop-down list.
4. Verify that the Permit radio button is selected.
5. Accept the default setting of any in the Source field.
6. Click the ellipsis (...) button in the Destination field. The Browse Destination window opens.
7. Choose CORPSERVERS.
8. Click OK. The Add Access Rule window is displayed.
9. Click the ellipsis (...) button in the Service field. The Browse Service window opens.
10. Choose the object group named PING.
11. Click OK.
12. Click OK in the Add Access Rule window.

Step 3 Complete the following substeps to deny all other inbound traffic.
1. Click Add in the Access Rules panel.
2. Choose Add Access Rule. The Add Access Rule window opens.
3. Choose outside from the Interface drop-down list.
4. Click the Deny radio button.
5. Accept the default setting of any in the Source field.
6. Accept the default setting of any in the Destination field.
7. Accept the default setting of ip in the Service field.
8. Click OK. The Access Rules panel is displayed.
9. Click the Advanced button near the bottom of the panel. The Access Rules Advanced Options window opens.
10. Check the Per User Override check box for the outside interface.
11. Click OK.
12. Click Apply.

Step 4 Complete the following substeps to add an access rule that permits ICMP echo, echo-reply, and unreachable packets to the corporate server from the bastion host.
1. Click Add in the Access Rules panel.
2. Choose Add Access Rule. The Add Access Rule window opens.
3. Choose dmz from the Interface drop-down list.
4. Verify that the Permit radio button is selected.
5. Accept the default setting of any in the Source field.
6. Accept the default setting of any in the Destination field.
7. Click the ellipsis (...) button in the Service field. The Browse Service window opens.
8. Choose the PING object group.
9. Click OK. The Add Access Rule window is displayed.
10. Click OK. The Access Rules panel is displayed.
11. Click the Advanced button near the bottom of the panel. The Access Rules Advanced Options window opens.
12. Check the Per User Override check box for the DMZ interface.
13. Click OK.
14. Click Apply.

Step 5 Observe the hit counts for your ACLs in the Hits column.

Task 6: Test and Verify the Inbound ACL

In this task, you will test your inbound ACL.

Activity Procedure

Complete these steps:

Step 1 From the remote office server, ping your corporate server.
    C:\>ping 192.168.P.10
    Pinging 192.168.P.10 with 32 bytes of data:
    Reply from 192.168.P.10: bytes=32 time<10ms TTL=…
    Reply from 192.168.P.10: bytes=32 time<10ms TTL=…
    Reply from 192.168.P.10: bytes=32 time<10ms TTL=…
    Reply from 192.168.P.10: bytes=32 time<10ms TTL=…

Step 2 From the remote office server, ping your bastion host.

    C:\>ping 192.168.P.11
    Pinging 192.168.P.11 with 32 bytes of data:
    Reply from 192.168.P.11: bytes=32 time<10ms TTL=128
    Reply from 192.168.P.11: bytes=32 time<10ms TTL=128
    Reply from 192.168.P.11: bytes=32 time<10ms TTL=128
    Reply from 192.168.P.11: bytes=32 time<10ms TTL=128

Step 3 From the corporate server, ping your bastion host.

    C:\>ping 172.16.P.10
    Pinging 172.16.P.10 with 32 bytes of data:
    Reply from 172.16.P.10: bytes=32 time<10ms TTL=128
    Reply from 172.16.P.10: bytes=32 time<10ms TTL=128
    Reply from 172.16.P.10: bytes=32 time[...]

Step 4
    C:\>ping 172.26.26.50
    Pinging 172.26.26.50 with 32 bytes of data:
    Reply from 172.26.26.50: bytes=32 time<10ms TTL=…
    Reply from 172.26.26.50: bytes=32 time<10ms TTL=…
    Reply from 172.26.26.50: bytes=32 time[...]

[...] Run, and enter ftp 192.168.P.11 in the Open field. You should not be able to access your bastion host via FTP.

Step 8 From the remote office server, test FTP access to your corporate server. Choose Start > Run, and enter ftp 192.168.P.10 in the Open field. You should not be able to access your corporate server via FTP.
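When reading show access-list output of the kind Step 9 produces, it helps to roll the per-element hit counts back up to the configured rule (the object-group entry is printed without a hit count, followed by its expanded elements) and to list the elements that have never matched. The parser below is an added example, not part of the Cisco lab guide; its sample output is constructed with P = 1 and placeholder hash tags.

```python
"""Parse 'show access-list' output: per-rule hit totals and never-matched elements.
Added example, not Cisco's code. Sample output constructed with P = 1."""
import re
from collections import OrderedDict

# One ACE line: ACL name, rule line number, the rule text, an optional hit count
# (absent on the object-group rule that the following elements expand) and the hash tag.
ACE_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<rule>.+?)"
                    r"(?: \(hitcnt=(?P<hits>\d+)\))? 0x[0-9a-f]+$")

# Constructed sample modelled on Lab 7-1 Task 6 Step 9; hash tags are placeholders.
SAMPLE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list outside_access_in; 9 elements
access-list outside_access_in line 1 extended permit tcp any object-group CORPSERVERS eq www 0x00000001
access-list outside_access_in line 1 extended permit tcp any host 192.168.1.11 eq www (hitcnt=1) 0x00000002
access-list outside_access_in line 1 extended permit tcp any host 192.168.1.10 eq www (hitcnt=1) 0x00000003
access-list outside_access_in line 2 extended permit icmp any object-group CORPSERVERS object-group PING 0x00000004
access-list outside_access_in line 2 extended permit icmp any host 192.168.1.11 echo (hitcnt=1) 0x00000005
access-list outside_access_in line 2 extended permit icmp any host 192.168.1.11 echo-reply (hitcnt=0) 0x00000006
access-list outside_access_in line 2 extended permit icmp any host 192.168.1.11 unreachable (hitcnt=0) 0x00000007
access-list outside_access_in line 2 extended permit icmp any host 192.168.1.10 echo (hitcnt=1) 0x00000008
access-list outside_access_in line 2 extended permit icmp any host 192.168.1.10 echo-reply (hitcnt=1) 0x00000009
access-list outside_access_in line 2 extended permit icmp any host 192.168.1.10 unreachable (hitcnt=0) 0x0000000a
access-list outside_access_in line 3 extended deny ip any any (hitcnt=15) 0x0000000b
access-list dmz_access_in; 3 elements
access-list dmz_access_in line 1 extended permit icmp any any object-group PING 0x0000000c
access-list dmz_access_in line 1 extended permit icmp any any echo (hitcnt=0) 0x0000000d
access-list dmz_access_in line 1 extended permit icmp any any echo-reply (hitcnt=2) 0x0000000e
access-list dmz_access_in line 1 extended permit icmp any any unreachable (hitcnt=0) 0x0000000f
"""


def parse_show_access_list(text):
    """Return {acl_name: {line: {"rule": str, "elements": [(text, hits)], "hits": int}}}."""
    acls = OrderedDict()
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue                      # header and "; N elements" summary lines
        rules = acls.setdefault(m["acl"], OrderedDict())
        entry = rules.setdefault(int(m["line"]), {"rule": None, "elements": [], "hits": 0})
        if m["hits"] is None:
            entry["rule"] = m["rule"]     # the object-group rule as configured
            continue
        if entry["rule"] is None:
            entry["rule"] = m["rule"]     # plain rule: it is its own only element
        hits = int(m["hits"])
        entry["elements"].append((m["rule"], hits))
        entry["hits"] += hits
    return acls


def rule_hits(acls):
    """Flatten to [(acl, line, rule, total hits)] in display order."""
    return [(acl, line, e["rule"], e["hits"])
            for acl, rules in acls.items() for line, e in rules.items()]


def never_matched(acls):
    """Expanded elements whose hitcnt is still 0, worth reviewing when tightening an ACL."""
    return [(acl, line, text) for acl, rules in acls.items()
            for line, e in rules.items() for text, hits in e["elements"] if hits == 0]


if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE)
    for acl, line, rule, hits in rule_hits(parsed):
        print(f"{acl} line {line}: {hits:3d} hits  {rule}")
    for acl, line, text in never_matched(parsed):
        print(f"unused: {acl} line {line} {text}")
```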
Step 9 Display the ACLs again and observe the hit counts.

    asaP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list outside_access_in; 9 elements
    access-list outside_access_in line 1 extended permit tcp any object-group CORPSERVERS eq www 0x25e1b634
    access-list outside_access_in line 1 extended permit tcp any host 192.168.P.11 eq www (hitcnt=1) 0xeb43382e
    access-list outside_access_in line 1 extended permit tcp any host 192.168.P.10 eq www (hitcnt=1) 0xb70c935b
    access-list outside_access_in line 2 extended permit icmp any object-group CORPSERVERS object-group PING 0x14cf3abb
    access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo (hitcnt=1) 0x3e2S18f5
    access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo-reply (hitcnt=0) 0xbedeccae
    access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 unreachable (hitcnt=0) 0xf5a05bi7e
    access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo (hitcnt=1) 0x739a1058
    access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo-reply (hitcnt=1) 0x58d075a0
    access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 unreachable (hitcnt=0) 0xa3f21e63
    access-list outside_access_in line 3 extended deny ip any any (hitcnt=15) 0xédabect
    access-list dmz_access_in; 3 elements
    access-list dmz_access_in line 1 extended permit icmp any any object-group PING 0xcobb3a7f
    access-list dmz_access_in line 1 extended permit icmp any any echo (hitcnt=0) 0xsifessce
    access-list dmz_access_in line 1 extended permit icmp any any echo-reply (hitcnt=2) 0xsf45s9a0
    access-list dmz_access_in line 1 extended permit icmp any any unreachable (hitcnt=0) 0xe214254a

Step 10 Save your configuration.

    asaP(config)# write memory
Step 11 On the corporate server, click the Refresh button in the Cisco ASDM toolbar.

Step 12 In the Access Rules panel, observe the hit counts in the Hits column.

Lab 9-1: Configure AAA on the Security Appliance Using Cisco Secure ACS for Windows

Complete this lab activity to practice what you learned in the related lesson.

Activity Objective

In this activity, you will configure a security appliance for AAA. After completing this activity, you will be able to meet these objectives:
- Install Cisco Secure ACS on a Windows server
- Add the security appliance to the Cisco Secure ACS AAA client database
- Add a user to the Cisco Secure ACS database
- Identify the AAA server and protocol
- Configure and test inbound authentication
- Configure and test outbound authentication
- Configure and test virtual Telnet authentication
- Change and test authentication timeouts and prompts
- Configure Cisco Secure ACS to send downloadable ACLs to the security appliance during RADIUS inbound authentication
- Test downloadable ACLs with inbound authentication
- Test downloadable ACLs with outbound authentication
- Configure and test accounting

Visual Objective

The figure illustrates what you will accomplish in this activity.
(Figure: Lab 9-1 Visual Objective)

Task 1: Install Cisco Secure ACS on a Windows Server

In this task, you will install Cisco Secure ACS on your corporate server.

Activity Procedure

Complete these steps:

Step 1 To install Cisco Secure ACS on your corporate server from the files on your hard drive, open the Cisco Secure ACS folder on the desktop and double-click the Setup icon. The Cisco Secure ACS 4.1 setup dialog box displays the software license agreement.

Step 2 Click Accept to accept the Software License Agreement. The Welcome window opens.
Step 3 Read the contents of the Welcome window. Click Next to continue. The Before You Begin window opens.

Step 4 Read and then check all four check boxes for the items in the Before You Begin window. This is a reminder of things that you should do prior to installation. Click Next to continue. The Choose Destination Location window opens.

Step 5 Use the default installation folder indicated in the Choose Destination Location window by clicking Next to continue. The Authentication Database Configuration window opens.

Step 6 Verify that the Check the ACS Internal Database only radio button is selected in the Authentication Database Configuration window. Click Next to start the file installation process.

Step 7 Choose all six items displayed in the Advanced Options window. Click Next to continue.

Step 8 Verify that Enable Log-in Monitoring is selected in the Active Service Monitoring window. Click Next to continue. The Cisco Secure ACS Service Initiation window opens.

Step 9 Enter cisco123 in the New Password field.

Step 10 Enter cisco123 in the Confirm New Password field.

Step 11 Click Next.

Step 12 Verify that the following options are selected in the Cisco Secure ACS Service Initiation window:
- Yes, I Want to Start the Cisco Secure ACS Service Now
- Yes, I Want Setup to Launch the Cisco Secure ACS Administrator from My Browser Following Installation

Step 13 Uncheck the Yes, I Want to Review the Readme File check box. Click Next to start Cisco Secure ACS.

Step 14 Read the contents of the Setup Complete window.

Step 15 Click Finish to close the installation wizard and start your web browser with Cisco Secure ACS.

Task 2: Add the Security Appliance to the Cisco Secure ACS AAA Client Database

In this task, you will add the security appliance to the Cisco Secure ACS AAA client database on your Windows server.
Activity Procedure

Complete these steps:

Step 1 The Cisco Secure ACS interface should now be displayed in your web browser. Click the Network Configuration button to open the Network Configuration window.

Step 2 Click the Add Entry button beneath the AAA Clients group box. The Add AAA Client panel is displayed.

Step 3 In the AAA Client Hostname field, enter asaP.

Step 4 In the AAA Client IP Address field, enter the IP address of the Cisco ASA security appliance inside interface, 10.0.P.1.

Step 5 In the Shared Secret field, enter secretkey.

Step 6 From the Authenticate Using drop-down menu, choose RADIUS (Cisco VPN 3000/ASA/PIX 7.x+).

Step 7 Click Submit + Apply to submit the changes.

Task 3: Add a User to the Cisco Secure ACS Database

In this task, you will add a user to the Cisco Secure ACS database on your Windows server.

Activity Procedure

Complete these steps:

Step 1 Your AAA client should now be displayed in your web browser. Click the User Setup button to open the User Setup window.

Step 2 Add a user by entering aaauser in the User field.

Step 3 Click Add/Edit to open the User Setup Edit panel.

Step 4 In the User Setup Edit panel, locate the Password field and the Confirm Password field directly beneath the following text: CiscoSecure PAP (Also used for CHAP/MS-CHAP/ARAP, if the Separate field is not checked)

Step 5 Give the user a password by entering aaapass in both the Password and the Confirm Password fields.

Step 6 Click Submit to add the new user to the Cisco Secure ACS database. Wait for the interface to return to the User Setup window.

Task 4: Identify the AAA Server and Protocol

In this task, you will identify the AAA server and the AAA protocol on the security appliance.
Activity Procedure

Complete these steps:

Step 1 Complete the following substeps to create a server group called MYRADIUS and assign the RADIUS protocol to it:
1. Click the Configuration button in the Cisco ASDM toolbar.
2. Choose Device Management from the navigation pane.
3. Expand the Users/AAA menu.
4. Choose AAA Server Groups. The AAA Server Groups panel is displayed.
5. Click Add in the AAA Server Groups area. The Add AAA Server Group window opens.
6. Enter MYRADIUS in the Server Group field.
7. Choose RADIUS from the Protocol drop-down list.
8. Verify that the Accounting Mode: Single radio button is selected.
9. Click OK. The MYRADIUS server group is displayed in the AAA Server Groups table.

Step 2 Complete the following substeps to add a AAA server to the MYRADIUS server group:
1. Verify that the MYRADIUS server group is selected in the AAA Server Groups table.
2. Click Add in the Servers in the Selected Group area. The Add AAA Server window opens.
3. Choose inside from the Interface Name drop-down list.
4. Enter insidehost in the Server Name or IP Address field.
5. Enter secretkey in the Server Secret Key field.
6. Click OK. The AAA server is displayed in the AAA Server Groups panel.
7. Click Apply.

Task 5: Configure and Test Inbound Authentication

In this task, you will enable the use of inbound authentication (from outside to inside) on the security appliance for any IP traffic.

Activity Procedure

Complete these steps:

Step 1 Complete the following substeps to configure the security appliance to require authentication for all inbound traffic:
1. Click Firewall in the Cisco ASDM navigation pane.
2. Choose AAA Rules from the Firewall menu. The AAA Rules panel is displayed.
3. Click Add.
4. Choose Add Authentication Rule. The Add Authentication Rule window opens.
5. Choose outside from the Interface drop-down list.
6. Verify that the Authenticate radio button is selected.
7. Choose MYRADIUS from the AAA Server Group drop-down list.
8, Enter any in the Source field. 9. Enter any in the Destination field 10. Enter tep in the Service field. 11, Click More Options. 12. Verify that the Enable Rule check box is checked. 4 ‘Securing Networks with ASA Fundamentals (SNAF) vi.0 {© 2008 Cisco Systems, ne ‘Step2 Stop 3 Step 4 13, Click OK 14, Click Apply in the AAA Rules panel. 15. Click Save in the Cisco ASDM toolbar. Test inbound web authentication by completing the following substeps: 1. Open a web browser on the remote office server and go to your inside host web server by entering http://192.168.P.10 in the browser. 2. When prompted for a usemame and password, enter aaauser as the username and aaapass as the password and click OK. After you successfully authenticate, complete the following substeps to view the authenticated user: 1, Click the Monitoring tab in the Cisco ASDM toolbar. 2. Choose Properties from the navigation pane. 3. Expand the Device Access menu, 4. Choose Authenticated Users from the Device Access menu. The Authenticated Users panel is displayed, 5. Click Refresh, User aaauser is displayed in the Authenicated Users table, Complete the following substeps to view statistics on the AAA server: 1. Choose AAA Servers from the Properties menu in the navigation pane, The AAA Servers panel is displayed. 2. Click MYRADIUS in the AAA Servers table, 3. Click Refresh. The statistics for the server are displayed. The statistics should appear similar to the following: Server port 1645 (authentication), 1646 (accounting) Number of pending requests ° Average round trip time ans Number of authentication requests 1 Number of authorization requests ° Number of accounting requests ° Number of retransmissions ° Number of accepts a Number of rejects ° Number of challenges ° Number of malformed responses ° Number of bad authenticators ° Number of timeouts ° Mumber of unrecognized responses ° 1© 2008 Cisco Systems, Inc. 
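The statistics table above, together with the show uauth output used in the later tasks, is what tells you whether cut-through proxy authentication actually reached ACS. The following Python script is an added example, not part of the lab guide: it parses constructed sample output modelled on those tables and flags the counters that point at a misconfiguration (for instance, bad authenticators, which usually means the Server Secret Key on the appliance does not match the Shared Secret in the ACS AAA client entry).

```python
"""Check the AAA verification output used in this lab (added example, not lab code).

Parses the per-server statistics table (Task 5) and the `show uauth` table used in
the later tasks. Both samples below are constructed, not captured from a device.
"""
import re

# Constructed sample modelled on the Task 5 statistics table.
SAMPLE_STATS = """\
Server port 1645 (authentication), 1646 (accounting)
Number of pending requests 0
Average round trip time 4ms
Number of authentication requests 1
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
"""

# Constructed sample modelled on the `show uauth` output from the later tasks.
SAMPLE_UAUTH = """\
                        Current    Most Seen
Authenticated Users       1          2
Authen In Progress        0          2
user 'aaauser' at 172.26.26.50, authenticated (idle for 0:02:43)
  access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 (*)
  absolute   timeout: 3:00:00
  inactivity timeout: 0:30:00
"""

STAT_RE = re.compile(r"^Number of (?P<name>[a-z ]+?)\s+(?P<value>\d+)\s*$", re.M)
COUNTER_RE = re.compile(r"^(Authenticated Users|Authen In Progress)\s+(\d+)\s+(\d+)$")
USER_RE = re.compile(r"^user '(?P<name>[^']+)' at (?P<ip>[\d.]+), authenticated"
                     r" \(idle for (?P<idle>[\d:]+)\)$")


def parse_server_stats(text):
    """Return the 'Number of ...' counters as a dict of ints."""
    return {m.group("name"): int(m.group("value")) for m in STAT_RE.finditer(text)}


def diagnose(stats):
    """Map non-zero error counters to what each one usually means."""
    findings = []
    if stats.get("bad authenticators", 0):
        findings.append("bad authenticators: response authenticator did not verify; the "
                        "Server Secret Key on the appliance probably differs from the "
                        "Shared Secret in the ACS AAA client entry")
    if stats.get("timeouts", 0) or stats.get("retransmissions", 0):
        findings.append("timeouts/retransmissions: ACS did not answer; check the server "
                        "address, the interface it is reached through and the ports")
    if stats.get("malformed responses", 0) or stats.get("unrecognized responses", 0):
        findings.append("malformed/unrecognized responses: the host on the "
                        "authentication port is not behaving as a RADIUS server")
    if stats.get("rejects", 0):
        findings.append("rejects: ACS refused the credentials; check the user entry "
                        "and password in User Setup")
    return findings


def parse_uauth(text):
    """Parse `show uauth` into counters and the list of authenticated users."""
    result = {"counters": {}, "users": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNTER_RE.match(line)
        if m:
            result["counters"][m.group(1)] = {"current": int(m.group(2)),
                                              "most_seen": int(m.group(3))}
            continue
        m = USER_RE.match(line)
        if m:
            current = {"name": m.group("name"), "ip": m.group("ip"),
                       "idle": m.group("idle"), "acl": None, "timeouts": {}}
            result["users"].append(current)
            continue
        if current is None:
            continue
        m = re.match(r"access-list (\S+)", line)
        if m:  # downloaded (dynamic) ACL bound to this user's session
            current["acl"] = m.group(1)
            continue
        m = re.match(r"(absolute|inactivity)\s+timeout:\s+([\d:]+)", line)
        if m:
            current["timeouts"][m.group(1)] = m.group(2)
    return result


def uauth_cleared(parsed):
    """True when `clear uauth` emptied the cache, which several tasks ask you to verify."""
    return not parsed["users"] and all(
        c["current"] == 0 for c in parsed["counters"].values())
```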
Task 6: Configure and Test Outbound Authentication
In this task, you will enable the use of outbound authentication (from inside to outside) on the security appliance for any IP traffic.

Activity Procedure
Complete these steps:
Step 1 Complete the following substeps to configure the security appliance to require authentication for all outbound connections:
1. Click Configuration in the Cisco ASDM toolbar.
2. Click Firewall in the navigation pane.
3. Choose AAA Rules from the Firewall menu. The AAA Rules panel is displayed.
4. Click Add.
5. Choose Add Authentication Rule. The Add Authentication Rule window opens.
6. Choose inside from the Interface drop-down list.
7. Verify that the Authenticate radio button is selected.
8. Choose MYRADIUS from the AAA Server Group drop-down list.
9. Enter any in the Source field.
10. Enter any in the Destination field.
11. Enter tcp in the Service field.
12. Click More Options.
13. Verify that the Enable Rule check box is checked.
14. Click OK.
15. Click Apply in the AAA Rules panel.
16. Save your configuration.
Step 2 Test FTP outbound authentication using FTP from your corporate server.
    C:\> ftp 172.26.26.50
    Connected to 172.26.26.50
    220-FTP authentication
    220
    User (172.26.26.50:(none)): aaauser@anonymous
    331-Password:
    331 Password:
    230-230 Anonymous user logged in.
    230
    ftp>

Note: On the ACS server for cut-through proxy authentication, the username is "aaauser" and the password is "aaapass." For the FTP service, the username is "anonymous" and the password is "cisco."

Step 3 Complete the following substeps to view the authenticated user:
1. Click the Monitoring tab in the Cisco ASDM toolbar.
2. Choose Properties from the navigation pane.
3. Expand the Device Access menu.
4. Choose Authenticated Users from the Device Access menu. The Authenticated Users panel is displayed.
5. Click Refresh. User aaauser is displayed in the Authenticated Users table.
Step 4 At the security appliance CLI, clear the uauth timer.
    asaP(config)# clear uauth
    asaP(config)# show uauth
                            Current    Most Seen
    Authenticated Users       0          1
    Authen In Progress        0          2
Step 5 If your web browser is open, close it.
Step 6 If your FTP session is still open, quit the FTP session.
Step 7 Test web outbound authentication. Open a web browser on the corporate server and enter http://172.26.26.50.
Step 8 When prompted, enter aaauser as the username and aaapass as the password.
Step 9 Click OK.
Step 10 Complete the following substeps to display the authenticated user:
1. Click the Monitoring tab in the Cisco ASDM toolbar.
2. Choose Properties from the navigation pane.
3. Expand the Device Access menu.
4. Click Authenticated Users in the Device Access menu. The Authenticated Users panel is displayed.
5. Click Refresh. User aaauser is displayed in the Authenticated Users table.
Step 11 Close your browser.

Task 7: Configure and Test Virtual Telnet Authentication
In this task, you will enable the use of authentication with virtual Telnet on the security appliance.

Activity Procedure
Complete these steps:
Step 1 Complete the following substeps to configure the security appliance to accept authentication to a virtual Telnet service:
1. Click the Configuration button in the Cisco ASDM toolbar.
2. Choose Firewall from the navigation pane.
3. Expand the Advanced menu.
4. Choose Virtual Access. The Virtual Access panel is displayed.
5. Check the Enable Telnet Server check box.
6. Enter 192.168.P.5 in the Virtual Telnet Server field.
7. Click Apply.
Step 2 At the security appliance CLI, clear the uauth timer.
    asaP(config)# clear uauth
    asaP(config)# show uauth
                            Current    Most Seen
    Authenticated Users       0          2
    Authen In Progress        0          2
Step 3 To test virtual Telnet for outbound authentication, from the corporate server, connect via Telnet to the virtual Telnet IP address to authenticate, and log in.
    C:\> telnet 192.168.P.5
    LOGIN Authentication
    Username: aaauser
    Password: aaapass
    Authentication Successful
    Connection to host lost
Step 4 Complete the following substeps to verify that you were authenticated on the security appliance:
1. Click the Monitoring tab in the Cisco ASDM toolbar.
2. Choose Properties from the navigation pane.
3. Expand the Device Access menu.
4. Choose Authenticated Users from the Device Access menu. The Authenticated Users panel is displayed.
5. Click Refresh. User aaauser is displayed in the Authenticated Users table.
Step 5 Verify that you are authenticated. Open your web browser and enter http://172.26.26.50.
Step 6 You should not be prompted to authenticate. The Internet server web page is displayed.
Step 7 Close your browser.
Step 8 Clear the uauth timer.
    asaP(config)# clear uauth
Step 9 Display your security appliance authentication statistics.
    asaP(config)# show uauth
                            Current    Most Seen
    Authenticated Users       0          2
    Authen In Progress        0          2
Step 10 To verify that you are not authenticated now and that you need to reauthenticate, open your web browser and enter http://172.26.26.50 in the URL field. You are prompted for a username and password.
Step 11 Enter aaauser as the username and aaapass as the password. The Internet server web page is displayed.
Step 12 Close your browser.

Task 8: Change and Test Authentication Timeouts and Prompts
In this task, you will change the authentication timeouts and prompts.

Activity Procedure
Complete these steps:
Step 1 Complete the following substeps to change the uauth absolute and inactivity timeouts:
1. Click the Configuration button in the Cisco ASDM toolbar.
2. Choose Firewall from the navigation pane.
3. Expand the Advanced menu.
4. Choose Global Timeouts. The Global Timeouts panel is displayed.
5. Set the authentication absolute timeout to 3 hours.
6. Set the authentication inactivity timeout to 30 minutes.
7. Click Apply.
Step 2 Complete the following substeps to configure authentication prompts:
1. Choose Device Management from the navigation pane.
2. Expand the Users/AAA menu.
3. Click Authentication Prompt. The Authentication Prompt panel is displayed.
4. In the Prompt field, enter the prompt that users will get when authenticating: Please authenticate
5. In the User Accepted field, enter the message that users will get when they successfully authenticate: You've been authenticated
6. In the User Rejected field, enter the message that users will get when their authentication is rejected: Authentication failed. Try again.
7. Click Apply.
Step 3 At the security appliance CLI, clear the uauth timer.
    asaP(config)# clear uauth
Step 4 Verify that the uauth timer has been cleared.
    asaP(config)# show uauth
                            Current    Most Seen
    Authenticated Users       0          2
    Authen In Progress        0          2
Step 5 From the corporate server, connect via Telnet to the backbone router and log in as shown below to test your new authentication prompts.
    C:\> telnet 192.168.P.1
    Please authenticate
    Username: aaauser
    Password: badpass
    Authentication failed. Try again.
    Please authenticate
    Username: aaauser
    Password: aaapass
    You've been authenticated.

Task 9: Configure ACS to Download ACLs to the Security Appliance During RADIUS Inbound Authentication
In this task, you will configure ACS to send downloadable ACLs to the security appliance during RADIUS inbound authentication. The downloaded ACL should permit only FTP traffic from any host to the bastion host.

Activity Procedure
Complete these steps:
Step 1 If your ACS Admin window is not already open, double-click the ACS Admin icon on the desktop of your corporate server.
Step 2 In the ACS Admin window, click the Interface Configuration icon. The Interface Configuration window opens.
Step 3 Click Advanced Options. The Advanced Options panel is displayed.
Step 4 Check the following check boxes and then click Submit. Do not change the other defaults.
- User-Level Downloadable ACLs
- Group-Level Downloadable ACLs
Step 5 Click the Shared Profile Components button. The Shared Profile Components > Select page is displayed.
Step 6 Click Downloadable IP ACLs. The Shared Profile Components > Select > Downloadable IP ACLs page is displayed.
Step 7 Click the Add button. The Shared Profile Components > Edit > Downloadable IP ACL page is displayed.
Step 8 Enter RADIUSAUTH in the Name field.
Step 9 Click the Add button. The Shared Profile Components > Edit > Downloadable IP ACL Content page is displayed.
Step 10 Enter ACLCONTENT in the Name field.
Step 11 Add the following ACL statements in the ACL Definitions field:
    permit tcp any host 192.168.P.11 eq ftp
    deny ip any any
Step 12 Click Submit. The Shared Profile Components > Edit > Downloadable IP ACLs page is displayed with the ACL Contents highlighted in blue.
Step 13 Click Submit.
Step 14 In the ACS Admin window, click the User Setup button. The User Setup > Select page is displayed.
Step 15 Click Find. The User List is displayed.
Step 16 Click aaauser. The User Setup > Edit > User: aaauser page is displayed.
Step 17 Scroll down to Downloadable ACLs, and check the Assign IP ACL check box.
Step 18 Verify that the name of the downloadable ACL that you created is displayed in the drop-down box to the right of your check mark.
Step 19 Click Submit.

Task 10: Test Downloadable ACLs with Inbound Authentication
In this task, you will test downloadable ACLs with inbound authentication.

Activity Procedure
Complete these steps:
Step 1 At the security appliance CLI, clear the user authentication cache.
    asaP(config)# clear uauth
Step 2 Verify that the user authentication cache has been cleared.
    asaP(config)# show uauth
                            Current    Most Seen
    Authenticated Users       0          1
    Authen In Progress        0          2
Step 3 View your existing ACLs before testing authorization. Notice that HTTP access to your bastion host is permitted, but FTP access is not permitted.
    asaP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list outside_access_in; 9 elements
    access-list outside_access_in line 1 extended permit tcp any object-group CORPSERVERS eq www 0x25e1b63d
      access-list outside_access_in line 1 extended permit tcp any host 192.168.P.11 eq www (hitcnt=1) 0x6b43382e
      access-list outside_access_in line 1 extended permit tcp any host 192.168.P.10 eq www (hitcnt=3) 0xb70c935b
    access-list outside_access_in line 2 extended permit icmp any object-group CORPSERVERS object-group PING 0x14cf3abb
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo (hitcnt=1) 0x3e2518f5
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo-reply (hitcnt=0) 0xbedeccae
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 unreachable (hitcnt=0) 0xf5a05b7e
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo (hitcnt=2) 0x739a1058
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo-reply (hitcnt=3) 0x58d075a0
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 unreachable (hitcnt=0) 0xa3f21e63
    access-list outside_access_in line 3 extended deny ip any any (hitcnt=2) 0x4d2bec1
    access-list dmz_access_in; 3 elements
    access-list dmz_access_in line 1 extended permit icmp any any object-group PING 0xc0bb3d7f
      access-list dmz_access_in line 1 extended permit icmp any any echo (hitcnt=0) 0xa1fe55cc
      access-list dmz_access_in line 1 extended permit icmp any any echo-reply (hitcnt=2) 0x5f4559a0
      access-list dmz_access_in line 1 extended permit icmp any any unreachable (hitcnt=0) 0xe214254a
Step 4 Verify that per-user override is configured.
    asaP(config)# show run access-group
    access-group outside_access_in in interface outside per-user-override
    access-group dmz_access_in in interface dmz per-user-override
Step 5 Test inbound web authentication and authorization from the remote office server by completing the following substeps:
1. Open a web browser on the remote office server and attempt to access your DMZ web server: http://192.168.P.11
2. When prompted for a username and password, enter aaauser as the username and aaapass as the password. Although the interface ACL permits HTTP to the bastion host, you should be denied access because the downloaded ACL only permits FTP traffic to 192.168.P.11. You should receive the following error message:
    Error: acl authorization denied
Step 6 View your ACLs again. Notice that the authorization ACL was downloaded to the security appliance. Also notice the count on the deny ip any any ACE.
    asaP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list outside_access_in; 9 elements
    access-list outside_access_in line 1 extended permit tcp any object-group CORPSERVERS eq www 0x25e1b63d
      access-list outside_access_in line 1 extended permit tcp any host 192.168.P.11 eq www (hitcnt=3) 0x6b43382e
      access-list outside_access_in line 1 extended permit tcp any host 192.168.P.10 eq www (hitcnt=3) 0xb70c935b
    access-list outside_access_in line 2 extended permit icmp any object-group CORPSERVERS object-group PING 0x14cf3abb
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo (hitcnt=1) 0x3e2518f5
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo-reply (hitcnt=0) 0xbedeccae
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 unreachable (hitcnt=0) 0xf5a05b7e
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo (hitcnt=2) 0x739a1058
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo-reply (hitcnt=3) 0x58d075a0
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 unreachable (hitcnt=0) 0xa3f21e63
    access-list outside_access_in line 3 extended deny ip any any (hitcnt=3) 0x4d2bec1
    access-list dmz_access_in; 3 elements
    access-list dmz_access_in line 1 extended permit icmp any any object-group PING 0xc0bb3d7f
      access-list dmz_access_in line 1 extended permit icmp any any echo (hitcnt=0) 0xa1fe55cc
      access-list dmz_access_in line 1 extended permit icmp any any echo-reply (hitcnt=2) 0x5f4559a0
      access-list dmz_access_in line 1 extended permit icmp any any unreachable (hitcnt=0) 0xe214254a
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6; 2 elements (dynamic)
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 1 extended permit tcp any host 192.168.P.11 eq ftp (hitcnt=0) 0xb9faf575
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 2 extended deny ip any any (hitcnt=1) 0xbab5b5ef
Step 7 Close your browser.
Step 8 Display authentication statistics on the security appliance.
    asaP(config)# show uauth
                            Current    Most Seen
    Authenticated Users       2          2
    Authen In Progress        0          2
    user 'aaauser' at 172.26.26.50, authenticated (idle for 0:02:43)
      access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 (*)
      absolute   timeout: 3:00:00
      inactivity timeout: 0:30:00
Step 9 Clear the authentication cache.
    asaP(config)# clear uauth
Step 10 From the Windows command line on the remote office server, initiate an FTP session to the bastion host. Although the user-specific downloadable ACL permits FTP, you should not be prompted to authenticate and you should not be able to FTP to the bastion host because the interface ACL denies FTP.
    C:\> ftp 192.168.P.11
Step 11 Complete the following substeps to add an ACE to the ACL on the outside interface to permit FTP access to the bastion host:
1. Return to the Cisco ASDM session on the corporate server.
2. Click Configuration in the Cisco ASDM toolbar.
3. Click Firewall in the navigation pane.
4. Click Access Rules. The Access Rules panel is displayed.
5. Click Add.
6. Click Add Access Rule. The Add Access Rule window opens.
7. Choose outside from the Interface drop-down list.
8. Verify that the Permit radio button is selected.
9. Enter 172.26.P.0/24 in the Source field.
10. Enter 192.168.P.11 in the Destination field.
11. Enter tcp/ftp in the Service field.
12. Click More Options.
13. Verify that the Enable Rule check box is checked.
14. Click OK. The Access Rules panel becomes active.
15. Verify that the new access rule is highlighted.
16. Click the Move Up arrow. The new access rule should appear directly above the deny ip any any rule.
17. Click Apply.
Step 12 From the Windows command line on the remote office server, initiate an FTP session to the bastion host. You should be able to log in as aaauser as follows:
    C:\> ftp 192.168.P.11
    Connected to 192.168.P.11.
    220-Please authenticate
    220
    User (192.168.P.11:(none)): aaauser@anonymous
    331-Password:
    331 Password:
    230-230 Anonymous user logged in.
    230
    ftp> dir
    200 PORT command successful
Step 13 View the uauth cache.
    asaP(config)# show uauth
                            Current    Most Seen
    Authenticated Users       1          3
    Authen In Progress        0          2
    user 'aaauser' at 172.26.P.50, authenticated (idle for 0:01:52)
      access-list #ACSACL#-IP-RADIUSAUTH-3d9afcb1
      absolute   timeout: 3:00:00
      inactivity timeout: 0:30:00
Step 14 View your ACL again. Notice that the hit count on the entry permitting FTP access to the bastion host (192.168.P.11) has incremented.
    asaP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list outside_access_in; 10 elements
    access-list outside_access_in line 1 extended permit tcp any object-group CORPSERVERS eq www 0x25e1b63d
      access-list outside_access_in line 1 extended permit tcp any host 192.168.P.11 eq www (hitcnt=3) 0x6b43382e
      access-list outside_access_in line 1 extended permit tcp any host 192.168.P.10 eq www (hitcnt=1) 0xb70c935b
    access-list outside_access_in line 2 extended permit icmp any object-group CORPSERVERS object-group PING 0x14cf3abb
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo (hitcnt=1) 0x3e2518f5
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo-reply (hitcnt=0) 0xbedeccae
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 unreachable (hitcnt=0) 0xf5a05b7e
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo (hitcnt=2) 0x739a1058
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo-reply (hitcnt=3) 0x58d075a0
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 unreachable (hitcnt=0) 0xa3f21e63
    access-list outside_access_in line 3 extended permit tcp 172.26.26.0 255.255.255.0 host 192.168.P.11 eq ftp (hitcnt=2) 0xf1fda55c
    access-list outside_access_in line 4 extended deny ip any any (hitcnt=3) 0x4d2bec1
    access-list dmz_access_in; 3 elements
    access-list dmz_access_in line 1 extended permit icmp any any object-group PING 0xc0bb3d7f
      access-list dmz_access_in line 1 extended permit icmp any any echo (hitcnt=0) 0xa1fe55cc
      access-list dmz_access_in line 1 extended permit icmp any any echo-reply (hitcnt=2) 0x5f4559a0
      access-list dmz_access_in line 1 extended permit icmp any any unreachable (hitcnt=0) 0xe214254a
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6; 4 elements (dynamic)
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 1 extended permit tcp any host 192.168.P.10 (hitcnt=0) 0x5fb47326
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 2 extended permit tcp any host 192.168.P.11 eq ftp (hitcnt=4) 0xb9faf575
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 3 extended permit icmp any host 192.168.P.10 (hitcnt=0) 0x749b2142
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 4 extended deny ip any any (hitcnt=1) 0xbab5b5ef
Step 15 Clear the uauth cache.
    asaP(config)# clear uauth
Step 16 View your ACL again. Notice that the downloadable ACL is gone.
    asaP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list outside_access_in; 10 elements
    access-list outside_access_in line 1 extended permit tcp any object-group CORPSERVERS eq www 0x25e1b63d
      access-list outside_access_in line 1 extended permit tcp any host 192.168.P.11 eq www (hitcnt=3) 0x6b43382e
      access-list outside_access_in line 1 extended permit tcp any host 192.168.P.10 eq www (hitcnt=1) 0xb70c935b
    access-list outside_access_in line 2 extended permit icmp any object-group CORPSERVERS object-group PING 0x14cf3abb
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo (hitcnt=1) 0x3e2518f5
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo-reply (hitcnt=0) 0xbedeccae
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 unreachable (hitcnt=0) 0xf5a05b7e
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo (hitcnt=2) 0x739a1058
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo-reply (hitcnt=3) 0x58d075a0
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 unreachable (hitcnt=0) 0xa3f21e63
    access-list outside_access_in line 3 extended permit tcp 172.26.26.0 255.255.255.0 host 192.168.P.11 eq ftp (hitcnt=2) 0xf1fda55c
    access-list outside_access_in line 4 extended deny ip any any (hitcnt=3) 0x4d2bec1
    access-list dmz_access_in; 3 elements
    access-list dmz_access_in line 1 extended permit icmp any any object-group PING 0xc0bb3d7f
      access-list dmz_access_in line 1 extended permit icmp any any echo (hitcnt=0) 0xa1fe55cc
      access-list dmz_access_in line 1 extended permit icmp any any echo-reply (hitcnt=2) 0x5f4559a0
      access-list dmz_access_in line 1 extended permit icmp any any unreachable (hitcnt=0) 0xe214254a

Task 11: Test Downloadable ACLs with Outbound Authentication
In this task, you will test downloadable ACLs with outbound authentication.

Activity Procedure
Complete these steps:
Step 1 Open a web browser on the corporate server, and attempt to access the Internet server: http://172.26.26.50
Step 2 When prompted for a username and password, enter the username aaauser and the password aaapass. You should be denied access because the downloaded ACL RADIUSAUTH is now applied to the inside interface. Authentication is required for outbound access to the Internet server, but RADIUSAUTH does not permit access to the Internet server:
    Error: acl authorization denied
Step 3 View your ACLs.
Notice the ACLs that have been downloaded to the security appliance and the hit count on the following entry:
    access-list #ACSACL#-IP-RADIUSAUTH-3d5c6e76 deny ip any any (hitcnt=1)

    asaP(config)# show access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
    access-list outside_access_in; 10 elements
    access-list outside_access_in line 1 extended permit tcp any object-group CORPSERVERS eq www 0x25e1b63d
      access-list outside_access_in line 1 extended permit tcp any host 192.168.P.11 eq www (hitcnt=0) 0x6b43382e
      access-list outside_access_in line 1 extended permit tcp any host 192.168.P.10 eq www (hitcnt=1) 0xb70c935b
    access-list outside_access_in line 2 extended permit icmp any object-group CORPSERVERS object-group PING 0x14cf3abb
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo (hitcnt=1) 0x3e2518f5
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 echo-reply (hitcnt=0) 0xbedeccae
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.11 unreachable (hitcnt=0) 0xf5a05b7e
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo (hitcnt=2) 0x739a1058
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 echo-reply (hitcnt=3) 0x58d075a0
      access-list outside_access_in line 2 extended permit icmp any host 192.168.P.10 unreachable (hitcnt=0) 0xa3f21e63
    access-list outside_access_in line 3 extended permit tcp 172.26.26.0 255.255.255.0 host 192.168.P.11 eq ftp (hitcnt=2) 0xcb91132a
    access-list outside_access_in line 4 extended deny ip any any (hitcnt=3) 0x4d2bec1
    access-list dmz_access_in; 3 elements
    access-list dmz_access_in line 1 extended permit icmp any any object-group PING 0xc0bb3d7f
      access-list dmz_access_in line 1 extended permit icmp any any echo (hitcnt=0) 0xa1fe55cc
      access-list dmz_access_in line 1 extended permit icmp any any echo-reply (hitcnt=2) 0x5f4559a0
      access-list dmz_access_in line 1 extended permit icmp any any unreachable (hitcnt=0) 0xe214254a
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6; 2 elements (dynamic)
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 1 extended permit tcp any host 192.168.P.11 eq ftp (hitcnt=0) 0xb9faf575
    access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 2 extended deny ip any any (hitcnt=1) 0xbab5b5ef
Step 4 Close your browser.
Step 5 If your ACS Admin window is not already open, double-click the ACS Admin icon on your desktop.
Step 6 Click the Shared Profile Components button. The Shared Profile Components > Select page is displayed.
Step 7 Click Downloadable IP ACLs. The Shared Profile Components > Select > Downloadable IP ACLs page is displayed.
Step 8 Click RADIUSAUTH. The Shared Profile Components > Edit > Downloadable IP ACLs page is displayed.
Step 9 Click ACLCONTENT. The Downloadable IP ACL Content panel is displayed.
Step 10 Insert the following ACL statement at the top of the list of ACL definitions:
    permit tcp any host 172.26.26.50 eq www
Step 11 Click Submit. The Downloadable IP ACLs panel is displayed.
Step 12 Click Submit.
Step 13 Clear the uauth cache.
    asaP(config)# clear uauth
Step 14 Try again to access the Internet server by entering http://172.26.26.50 in the corporate server web browser.
Step 15 When prompted for a username and password, enter the username aaauser and the password aaapass. You should now be allowed access.
Step 16 Close your browser.

Task 12: Configure and Test Accounting
In this task, you will enable the use of accounting on the security appliance.

Activity Procedure
Complete these steps:
Step 1 Complete the following substeps to configure the security appliance to perform accounting for all outbound traffic:
1. Choose Firewall from the navigation pane.
2. Choose AAA Rules from the Firewall menu. The AAA Rules panel is displayed.
3. Click Add.
4. Choose Add Accounting Rule. The Add Accounting Rule window opens.
5. Choose inside from the Interface drop-down list.
6. Verify that the Account radio button is selected.
7. Choose MYRADIUS from the AAA Server Group drop-down list.
8. Enter any in the Source field.
9. Enter any in the Destination field.
10. Enter tcp in the Service field.
11. Click OK.
12. Click Apply in the AAA Rules panel.
Step 2 Clear the uauth cache.
    asaP(config)# clear uauth
Step 3 Verify that the uauth cache has been cleared.
    asaP(config)# show uauth
                            Current    Most Seen
    Authenticated Users       0          2
    Authen In Progress        0          2
Step 4 Test accounting by completing the following substeps:
1. Open a web browser on the corporate server.
2. Enter http://172.26.26.50 in the browser.
3. When prompted for a username and password, enter aaauser as the username and aaapass as the password.
4. After the connection is established, refresh the browser several times to generate some traffic and then close the browser.
5. In the Cisco Secure ACS browser window, click the Reports and Activity button to open the Reports and Activity interface.
6. Click RADIUS Accounting.
7. Click RADIUS Accounting active.csv to open the accounting records.
8. View the accounting record.
Step 5 Close the Cisco Secure ACS browser window.
Step 6 Disable AAA by entering the following command:
    asaP(config)# clear configure aaa
Step 7 Complete the following substeps to disable authorization on your AAA server:
1. Double-click the ACS Admin icon on the desktop of the corporate server. The Cisco Secure ACS interface is displayed in your web browser.
2. Click the User Setup button. The User Setup page is displayed.
3. Click Find. The user list is displayed.
4. Click aaauser. The User Setup Edit page is displayed.
5. Scroll down to Downloadable ACLs.
6. Uncheck the Assign IP ACL check box.
7. Click Submit.
8. Close the Cisco Secure ACS window.

Lab 11-1: Configure Advanced Protocol Inspection on the Security Appliance
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will configure and test advanced protocol inspection. After completing this activity, you will be able to meet these objectives:
- Display the inspection protocol configurations
- Change the inspection protocol configurations
- Test the outbound FTP inspection protocol
- Configure a policy for the outside adaptive security appliance interface

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 11-1: Visual Objective (network diagram showing the Internet server, the security appliance, the bastion host and the corporate server)]

Task 1: Display the Inspection Protocol Configurations
In this task, you will view the current modular policy configuration of your security appliance.

Activity Procedure
Complete these steps:
Step 1 Display the default modular policy class map running on your security appliance.
    asaP(config)# show run class-map
Q1) What is the default class map name? ____________
Q2)_ What is the matching criterion for this class? _ ‘Step 2 Display the default modular policy map running on your security appliance. asaP (config) # show run policy-map Q3) What is the default Layer 3/4 policy map name? Q4) Whats the class for this policy map? Q5) By default, which protocols are inspected by the security appliance? Check each protocol that applies. “ons ESMTP FIP 11323 4.225 11323 RAS HTTP IMP NetBIOS RSH RTSP SIP skinny SNMP: ‘Sun RPG FIP xomGP SOL"Net 2 ‘Securing Networks with ASA Fundamentals (SNAF) v1.0 “© 2008 Cisco Systems, ne Step 3 26) Qn) List the default modular policy service policy that is appliance. jing on your security asaP(config)# show run service-policy What is the default service policy name? _ Where is the default service policy applied? Task 2: Change the Inspection Protocol Configurations In this task, you will disable some of the default protocol inspections on your security appliance. Activity Procedure Complete these steps: Step 1 Step 2 Step 3 Stop 4 Step 5 step 6 stop 7 Step 8 Step 9 Task Click the Configuration button in the Cisco ASDM toolbar. Choose Firewall from the navigation pane. Choose Service Policy Rules from the Firewall menu. The Service Policy Rules, panel is displayed. Click inspeetion_default in the Name column of the Traffic Classification table, Click Edit. The Edit Service Policy Rule window opens. Click the Rule Aetions tab, Uncheck the check boxes for the following = SunRPC = 1.323 RAS = SQLNet Click OK. Click Apply in the Service Policy Rules panel, : Test the Outbound FTP Inspection Protocol In this task, you will enter the commands as directed to test the outbound FTP inspection protocol. Activity Procedure Complete these steps: Stop 1 (© 2008 Cisco Systems, in. 
Initiate an FTP session to the Internet server from the corporate server using the Windows FTP client.
    C:\> ftp 172.26.26.50
    Connected to 172.26.26.50
    220 Microsoft FTP Service
    User (172.26.26.50:(none)): anonymous
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password: cisco
Q8) Were you able to log in to the server? Why or why not? ________
Step 2 Do a directory listing at the FTP prompt.
    ftp> dir
Q9) Were you able to see a file listing? Why or why not? ________
Step 3 Quit your FTP session.
    ftp> quit
Step 4 Complete the following substeps to turn off FTP inspection on your security appliance:
1. In the Service Policy Rules panel, click inspection_default again in the Name column of the Traffic Classification table.
2. Click Edit. The Edit Service Policy Rule window opens.
3. Click the Rule Actions tab.
4. Uncheck the FTP check box.
5. Click OK.
6. Click Apply in the Service Policy Rules panel.
Step 5 Again, initiate an FTP session to the Internet server from the corporate server using the Windows FTP client.
    C:\> ftp 172.26.26.50
    Connected to 172.26.26.50
    220 Microsoft FTP Service
    User (172.26.26.50:(none)): anonymous
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password: cisco
Q10) Were you able to log in to the server? Why or why not? ________
Step 6 Do a directory listing at the FTP prompt.
    ftp> dir
Q11) Were you able to see a file listing? Why or why not? ________
Step 7 Quit your FTP session.
    ftp> quit
Note: If the FTP client stops responding, press Ctrl-C until you return to the C:\ prompt, or close the command prompt window.
Step 8 Test how the security appliance handles passive FTP when FTP inspection is disabled by completing the following substeps:
1. Open a browser on the corporate server.
2. Configure the browser to use passive FTP by choosing Tools > Internet Options > Advanced > Use Passive FTP.
3. Click OK.
4.
Initiate an FTP session to the Internet server from the corporate server. Enter ftp://172.26.26.50 in the URL field. You should be able to connect.
Q12) Were you able to connect? Why or why not? ________
Q13) Were you able to see a file listing? Why or why not? ________
5. Disable passive FTP on the web browser.
6. Close the browser.

Lab 12-1: Configure Threat Detection
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will configure the threat detection feature of the security appliance. After completing this activity, you will be able to meet these objectives:
- Use the CLI to configure basic threat detection
- Use the CLI to configure scanning threat detection with shunning
- Use Cisco ASDM to verify and analyze threats

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 12-1: Visual Objective]

Task 1: Examining the Capabilities of Basic Threat Detection
In this task, you will send specific traffic from the remote office server to illustrate the different types of packet drops that basic threat detection can detect.

Activity Procedure
Complete these steps:
Step 1 Complete the following substeps to create an access list on your corporate adaptive security appliance that denies all IP traffic to host 192.168.1.10.
1. Return to the Cisco ASDM session on the corporate server.
2. Click Configuration in the Cisco ASDM toolbar.
3. Click Firewall in the navigation pane.
4. Click Access Rules. The Access Rules panel is displayed.
5. Click Add.
6. Click Add Access Rule. The Add Access Rule window opens.
7. Choose outside from the Interface drop-down list.
8. Click the Deny radio button.
9. Verify that any is displayed in the Source field.
10.
Enter 192.168.P.10 in the Destination field.
11. Verify that ip is displayed in the Service field.
12. Click More Options.
13. Verify that the Enable Rule check box is checked.
14. Click OK. The Access Rules panel becomes active.
15. Verify that the new access rule is highlighted.
16. Use the Move Up arrow to move the access rule to the top of the list of rules for the outside interface.
17. Click Apply.
Step 2 Open a command prompt on the remote-access server and enter the following command to send UDP traffic to the corporate server:
    C:\Program Files\Nmap> nmap -sU -D RND:100 -PN -n 192.168.P.10
Step 3 On the corporate adaptive security appliance, display the threat detection statistics to see the ACL hits.
    asaP(config)# show threat-detection statistics top
    Name                        Id   Average(eps)  Current(eps)  Trigger  Total events
    1-hour ACL hits:
      01 outside_access_in/4          8             0             0        30040
    8-hour ACL hits:
      01 outside_access_in/4          1             0             0        30361
    24-hour ACL hits:
      01 outside_access_in/4          0            20             0        32560
Step 4 Display the threat-detection rate statistics.
    asaP(config)# show threat-detection rate
                        Average(eps)  Current(eps)  Trigger  Total events
    10-min ACL drop:          0             0           0          155
    1-hour ACL drop:          8             1           0        30266
    10-min Scanning:          0             1           0          155
    1-hour Scanning:          8             2           3        30266
    10-min Firewall:          0             0           0          155
    1-hour Firewall:          8             8           0        30266
    10-min Interface:         0             0           0          145
    1-hour Interface:         8             0           0        30257

Task 2: Configure Scanning Threat Detection with Shunning
In this task, you will use the scanning threat feature to shun the traffic from the SYN attack that you generated in the previous task.

Activity Procedure
Complete these steps:
Step 1 Complete the following substeps to edit the ACL that you created in Task 1 so that it permits all IP traffic to 192.168.P.10.
1. Return to the Access Rules panel in Cisco ASDM.
2. Click the access rule you created in this lab exercise.
3. Click Edit. The Edit Access Rule window opens.
4. Click the Permit radio button.
5. Click OK.
6. Click Apply in the Access Rules panel.
7.
Click Save in the Cisco ASDM toolbar.
Step 2 Enable scanning threat detection with shunning.
    asaP(config)# threat-detection scanning-threat shun
Step 3 Lower the rate interval for testing purposes.
    asaP(config)# no threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
    asaP(config)# threat-detection rate dos-drop rate-interval 600 average-rate 0 burst-rate 0
Step 4 Open a command prompt on the remote-access server and enter the following command to send TCP traffic to the corporate server:
    C:\Program Files\Nmap> nmap -sS -D RND:100 -n 192.168.P.10
Step 5 Display any threat-detection shuns.
    asaP(config)# show threat-detection shun
    Shunned Host List:
    src-ip=172.26.1.4 255.255.255.255
    src-ip=172.26.1.5 255.255.255.255
    src-ip=172.26.1.6 255.255.255.255
    src-ip=172.26.1.7 255.255.255.255
    src-ip=172.26.1.8 255.255.255.255
    src-ip=172.26.1.9 255.255.255.255
Step 6 Complete the following substeps to remove the ACL that you created in this lab exercise:
1. Return to the Access Rules panel in Cisco ASDM.
2. Click the access rule that you created in this lab exercise.
3. Click Delete.
4. Click Apply in the Access Rules panel.
5. Click Save in the Cisco ASDM toolbar.
Step 7 Disable scanning threat detection.
    asaP(config)# no threat-detection scanning-threat shun
Step 8 Disable basic threat detection.
    asaP(config)# no threat-detection basic-threat

Lab 13-1: Configure Security Appliance Site-to-Site VPN with Pre-Shared Keys
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will configure a security appliance for a site-to-site VPN.
After completing this activity, you will be able to meet these objectives:
- Prepare to configure VPN support
- Use the Cisco ASDM IPsec VPN Wizard to configure a site-to-site VPN
- Use Cisco ASDM to verify the site-to-site VPN configuration
- Test the site-to-site VPN

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 13-1: Visual Objective]

Scenario
The XYZ Company wants you to configure a secure VPN gateway using IPsec between two Cisco ASA security appliances.

Task 1: Prepare to Configure VPN Support
In this task, you will verify network connectivity without the site-to-site VPN.

Activity Procedure
Complete these steps using the security appliance CLI:
Step 1 From the corporate adaptive security appliance, ping the remote office adaptive security appliance.
    asaP(config)# ping 172.26.P.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.26.P.2, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
Step 2 From the remote office adaptive security appliance, ping the corporate adaptive security appliance.
    roP(config)# ping 192.168.P.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.P.2, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/10 ms

Task 2: Use the Cisco ASDM IPsec VPN Wizard to Configure a Site-to-Site VPN
In this task, you will use the IPsec VPN Wizard to configure both ends of the site-to-site VPN to protect the traffic from the remote office server to the corporate inside server.

Activity Procedure
Complete these steps:
Step 1 Complete the following substeps to configure the corporate ASA:
1. Launch Cisco ASDM on your corporate adaptive security appliance.
2. Click Wizards in the menu bar.
3. Choose IPsec VPN Wizard from the Wizards menu.
The VPN Wizard VPN Tunnel Type page is displayed.
4. Verify that the Site-to-Site radio button is selected.
5. Choose outside from the VPN Tunnel Interface drop-down list.
6. Verify that the Enable Inbound IPsec Sessions to Bypass Interface Access Lists check box is checked.
7. Click Next. The Remote Site Peer page is displayed.
8. Enter 172.26.P.2 in the Peer IP Address field.
9. Verify that the Pre-Shared Key radio button is selected.
10. Enter cisco123 in the Pre-Shared Key field.
11. Verify that 172.26.P.2 is displayed in the Tunnel Group Name field.
12. Click Next. The IKE Policy page is displayed.
13. Choose 3DES from the Encryption drop-down list.
14. Choose SHA from the Authentication drop-down list.
15. Choose 2 from the DH Group drop-down list.
16. Click Next. The IPsec Encryption and Authentication page is displayed.
17. Choose DES from the Encryption drop-down list.
18. Choose None from the Authentication drop-down list.
19. Click Next. The Hosts and Networks page is displayed.
20. Verify that the Protect radio button is selected.
21. Enter 10.0.P.10 in the Local Networks field.
22. Enter 172.26.P+10.10 in the Remote Networks field.
23. Verify that the Exempt ASA Side Host/Network from Address Translation check box is checked and that inside is displayed in the drop-down list.
24. Click Next. The Summary page is displayed.
25. Click Finish.
26. Click Save in the Cisco ASDM toolbar.
Step 2 Complete the following substeps to configure the remote office adaptive security appliance:
1. Launch Cisco ASDM on your remote office adaptive security appliance.
2. Click Wizards in the menu bar.
3. Choose IPsec VPN Wizard from the Wizards menu. The VPN Wizard VPN Tunnel Type page is displayed.
4. Verify that the Site-to-Site radio button is selected.
5. Choose outside from the VPN Tunnel Interface drop-down list.
6. Verify that the Enable Inbound IPsec Sessions to Bypass Interface Access Lists check box is checked.
7.
Click Next. The Remote Site Peer page is displayed.
8. Enter 192.168.P.2 in the Peer IP Address field.
9. Verify that the Pre-Shared Key radio button is selected.
10. Enter cisco123 in the Pre-Shared Key field.
11. Verify that 192.168.P.2 is displayed in the Tunnel Group Name field.
12. Click Next. The IKE Policy page is displayed.
13. Choose 3DES from the Encryption drop-down list.
14. Choose SHA from the Authentication drop-down list.
15. Choose 2 from the DH Group drop-down list.
16. Click Next. The IPsec Encryption and Authentication page is displayed.
17. Choose DES from the Encryption drop-down list.
18. Choose None from the Authentication drop-down list.
19. Click Next. The Hosts and Networks page is displayed.
20. Verify that the Protect radio button is selected.
21. Enter 172.26.P+10.10 in the Local Networks field.
22. Enter 10.0.P.10 in the Remote Networks field.
23. Verify that the Exempt ASA Side Host/Network from Address Translation check box is checked and that inside is displayed in the drop-down list.
24. Click Next. The Summary page is displayed.
25. Click Finish.
26. Click Save in the Cisco ASDM toolbar.

Task 3: Use Cisco ASDM to Verify the Site-to-Site VPN Configuration
In this task, you will use Cisco ASDM to verify your site-to-site VPN configuration on both security appliances.

Activity Procedure
Complete these steps:
Step 1 On the corporate adaptive security appliance, complete the following substeps to verify the tunnel group that you just created:
1. Click Configuration in the Cisco ASDM toolbar.
2. Choose Site-to-Site VPN from the navigation pane.
3. Choose Connection Profiles from the Site-to-Site VPN menu. The Connection Profiles panel is displayed.
4. Verify that the Allow Access check box for the outside interface is checked.
5. Select the connection profile displayed in the Connection Profiles table.
6. Click Edit. The Edit IPsec Site-to-Site Connection Profile: 172.26.1.2 window opens.
7. Verify that the following values are displayed:
- Peer IP Address: 172.26.P.2
- Connection Name: 172.26.P.2
- Pre-shared Key: ********
- Local Network: insidehost
- Remote Network: 172.26.P+10.10
- IKE Proposal: pre-share-3des-sha
- IPsec Proposal: TUNNEL_ESP_DES_None
8. Click OK.
Step 2 Complete the following substeps to verify the crypto map that you created:
1. Expand the Advanced menu in the Site-to-Site VPN list.
2. Click Crypto Maps. The Crypto Maps panel is displayed.
3. Verify that the crypto map that you created is displayed in the Crypto Maps table.
Step 3 Choose IKE Policies from the Advanced menu, and verify the following IKE policy settings:
- Encryption: 3DES
- Hash: SHA
- DH Group: 2
- Lifetime: 86400
Step 4 Choose ACL Manager from the Advanced menu, and verify the crypto ACL.
Step 5 Verify the IKE policy at the corporate adaptive security appliance CLI.
    asaP(config)# show run crypto isakmp
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
Step 6 Verify the tunnel group at the corporate adaptive security appliance CLI.
    asaP(config)# show run tunnel-group
    tunnel-group 172.26.1.2 type ipsec-l2l
    tunnel-group 172.26.1.2 ipsec-attributes
     pre-shared-key *
Step 7 Verify the crypto map ACL at the corporate adaptive security appliance CLI.
    asaP(config)# show run access-list outside_1_cryptomap
    access-list outside_1_cryptomap extended permit ip host 10.0.P.10 host 172.26.P+10.10
Step 8 Verify that the IPsec parameters (IKE Phase 2) are correct.
    asaP(config)# show run crypto ipsec
    crypto ipsec transform-set TUNNEL_ESP_DES_None esp-des esp-none
Step 9 Verify that the crypto map configuration is correct.
    asaP(config)# show run crypto map
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 172.26.1.2
    crypto map outside_map 1 set transform-set TUNNEL_ESP_DES_None
    crypto map outside_map interface outside
Step 10 Clear any existing SAs.
    asaP(config)# clear crypto ipsec sa
    asaP(config)# clear crypto isakmp sa
Step 11 Turn on debugging for IPsec and ISAKMP on the corporate adaptive security appliance.
    asaP(config)# debug crypto ipsec
    asaP(config)# debug crypto isakmp
Step 12 Enable logging to the console.
    asaP(config)# logging enable
    asaP(config)# logging console debugging
Step 13 Verify the IKE policy at the remote office adaptive security appliance CLI.
    asaP(config)# show run crypto isakmp
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
Step 14 Verify the tunnel group at the remote office adaptive security appliance CLI.
    asaP(config)# show run tunnel-group
    tunnel-group 192.168.1.2 type ipsec-l2l
    tunnel-group 192.168.1.2 ipsec-attributes
     pre-shared-key *
Step 15 Verify the crypto map ACL at the remote office adaptive security appliance CLI.
    asaP(config)# show run access-list outside_1_cryptomap
    access-list outside_1_cryptomap extended permit ip host 172.26.P+10.10 host 10.0.P.10
Step 16 Verify that the IPsec parameters (IKE Phase 2) are correct on the remote office adaptive security appliance.
    asaP(config)# show run crypto ipsec
    crypto ipsec transform-set TUNNEL_ESP_DES_None esp-des esp-none
Step 17 Verify that the crypto map configuration is correct on the remote office adaptive security appliance.
    asaP(config)# show run crypto map
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 192.168.1.2
    crypto map outside_map 1 set transform-set TUNNEL_ESP_DES_None
    crypto map outside_map interface outside
Step 18 Clear any existing SAs on the remote office adaptive security appliance.
    asaP(config)# clear crypto ipsec sa
    asaP(config)# clear crypto isakmp sa

Task 4: Test the Site-to-Site VPN
In this task, you will test your site-to-site VPN configuration.

Activity Procedure
Complete these steps:
Step 1 From the corporate server, ping the remote office server.
    C:\> ping 172.26.P+10.10
    Pinging 172.26.P+10.10 with 32 bytes of data:
    Reply from 172.26.P+10.10: bytes=32 time<10ms TTL=122
    Reply from 172.26.P+10.10: bytes=32 time<10ms TTL=122

    C:\> ping 192.168.P.2
    Pinging 192.168.P.2 with 32 bytes of data:
    Reply from 192.168.P.2: bytes=32 time<10ms TTL=126
    Reply from 192.168.P.2: bytes=32 time<10ms TTL=126
    Reply from 192.168.P.2: bytes=32 time<10ms TTL=126
    Reply from 192.168.P.2: bytes=32 time<10ms TTL=126
Step 2 Complete the following substeps to ensure that you can establish a web connection from the remote office server to the corporate server:
1. Open a web browser on the remote office server.
2. Enter http://192.168.P.10 in the web browser to access the corporate server. The home page of the corporate server should appear in the web browser.
Step 3 From the corporate server, ping the remote office server. You should be able to ping the remote office server.
    C:\> ping 172.26.P.50

Task 2: Use the Cisco ASDM IPsec VPN Wizard to Configure a Remote-Access VPN
In this task, you will use the IPsec VPN Wizard to configure the corporate adaptive security appliance as the head-end of the remote-access VPN.

Activity Procedure
Complete these steps:
Step 1 Launch Cisco ASDM on your corporate adaptive security appliance.
Step 2 Click Wizards in the menu bar.
Step 3 Choose IPsec VPN Wizard. The VPN Tunnel Type page of the VPN Wizard is displayed.
Step 4 Complete the following substeps to configure the VPN Tunnel Type page:
1. Click the Remote Access radio button.
2. Verify that outside is displayed in the VPN Tunnel Interface field.
3. Verify that the Enable Inbound IPsec Sessions to Bypass Interface Access Lists check box is checked.
4. Click Next. The Remote Access Client page is displayed.
Step 5 Verify that the Cisco VPN Client, Release 3.x or higher radio button is selected.
Step 6 Click Next. The VPN Client Authentication Method and Tunnel Group Name page is displayed.
Step 7 Complete the following substeps to configure the client authentication and the tunnel group name:
1. Verify that the Pre-shared Key radio button is selected.
2. Enter TRAINME in the Pre-Shared Key field.
3. Enter TRAINING in the Tunnel Group Name field.
4. Click Next. The Client Authentication page is displayed.
Step 8 Complete the following substeps to configure the security appliance for RADIUS authentication:
1. Click the Authenticate Using a AAA Server Group radio button.
2. Choose MYRADIUS from the AAA Server Group Name drop-down list.
3. Click Next.
Step 9 Complete the following substeps to set up a pool of IP addresses that will be dynamically assigned to the Cisco VPN Clients via IKE mode configuration:
1. Click the New button. The Add IP Pool window opens.
2. Enter MYPOOL in the Name field.
3. Enter 10.0.20+P.1 in the Starting IP Address field.
4. Enter 10.0.20+P.254 in the Ending IP Address field.
5. Choose 255.255.255.0 from the Subnet Mask drop-down list.
6. Click OK. The address pool settings are displayed in the Address Pool page.
7. Click Next. The Attributes Pushed to Client (Optional) page is displayed.
8. Click Next. The IKE Policy page is displayed.
Step 10 Complete the following substeps to configure IKE policy parameters:
1. Choose DES from the Encryption drop-down list.
2.
Choose MD5 from the Authentication drop-down list.
3. Choose 2 from the DH Group drop-down list.
4. Click Next. The IPsec Encryption and Authentication page is displayed.
Step 11 Complete the following substeps to specify the encryption and authentication algorithms for the IPsec VPN tunnel:
1. Choose DES from the Encryption drop-down list.
2. Choose MD5 from the Authentication drop-down list.
3. Click Next. The Address Translation Exemption and Split Tunneling (Optional) page is displayed.
Step 12 Complete the following substeps to configure address translation exemption:
1. Choose inside from the Interface drop-down list.
2. Enter 10.0.P.0/24 in the Address field.
3. Click Add. The network address moves to the Selected Hosts/Networks list.
4. Click Next. The Summary page is displayed.
5. Verify your configuration and click Finish.
6. Click Save in the Cisco ASDM toolbar.
7. Minimize the Cisco ASDM window.
Step 13 At the CLI, enable NAT traversal.
    asaP(config)# crypto isakmp nat-traversal

Task 3: Verify Your Configuration
In this task, you will use the CLI to verify the configuration of your security appliance.

Activity Procedure
Complete these steps:
Step 1 Verify your IP local pool.
    asaP(config)# show ip local pool MYPOOL
    Begin           End             Mask            Free   In use
    10.0.20+P.1     10.0.20+P.254   255.255.255.0   254    0
    Available addresses:
    10.0.20+P.1
    10.0.20+P.2
    10.0.20+P.3
    10.0.20+P.254
Step 2 Verify your NAT configuration.
    asaP(config)# sh run nat
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 10.0.P.0 255.255.255.0
Step 3 Verify the access list associated with NAT translation exemption.
    asaP(config)# sh run access-list inside_nat0_outbound
    access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.20+P.0 255.255.255.0
Step 4 Verify your AAA server configuration.
    asaP(config)# show run aaa-server
    aaa-server MYRADIUS protocol radius
    aaa-server MYRADIUS host insidehost
     key secretkey
Step 5 Verify your crypto map.
    asaP(config)# show run crypto map
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
Step 6 Verify your IKE policy.
    asaP(config)# show run isakmp
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp nat-traversal
Step 7 Verify your tunnel group configuration.
    asaP(config)# show run tunnel-group
    tunnel-group TRAINING type remote-access
    tunnel-group TRAINING general-attributes
     address-pool MYPOOL
     authentication-server-group MYRADIUS
    tunnel-group TRAINING ipsec-attributes
     pre-shared-key *

Task 4: Configure the Cisco VPN Client on the Remote Office Server
In this task, you will configure the networking parameters of the Cisco VPN Client.

Activity Procedure
Complete these steps:
Step 1 Choose Start > Programs > Cisco Systems VPN Client > VPN Client. The VPN Client window opens.
Step 2 From the Connection Entries menu, select New. The VPN Client | Create New VPN Connection Entry window opens.
Step 3 Enter CorpNet in the Connection Entry field.
Step 4 Leave the Description field blank.
Step 5 Enter 192.168.P.2, the public IP address of your corporate adaptive security appliance, in the Host field.
Step 6 Verify that the Group Authentication radio button is selected, and complete the following substeps. The entries are case sensitive; use uppercase characters for this lab activity.
1. In the Name field, enter the group name TRAINING.
2. In the Password field, enter the group password TRAINME.
3. In the Confirm Password field, enter the password TRAINME.
Step 7 Click Save and leave the VPN Client window open.

Task 5: Launch the Cisco VPN Client
In this task, you will launch the Cisco VPN Client on the remote office server.

Activity Procedure
Complete these steps:
Step 1 If the Cisco VPN Client is not open, choose Start > Programs > Cisco Systems VPN Client > VPN Client to open it.
Step 2 Select the CorpNet connection entry.
Step 3 Click Connect. The VPN Client | User Authentication for "CorpNet" window opens.
Step 4 Enter aaauser as the username and aaapass as the password.
Step 5 Click OK.

Task 6: Verify the VPN Connection
In this task, you will verify the IPsec connection.

Activity Procedure
Complete these steps:
Step 1 Test access to the inside web server from the remote client by completing the following substeps:
1. Open a web browser on the Cisco VPN Client PC, the remote office server.
2. Use the web browser to access the inside web server by entering http://10.0.P.10 in the Address field. The home page of the web server should be displayed.
Step 2 Right-click the Cisco VPN Client icon in the system tray, choose the Statistics menu option, and view the information provided. Notice how many packets have been encrypted and decrypted.
Step 3 Refresh your browser.
Step 4 Return to the VPN Client Statistics window and notice that the number of packets encrypted and decrypted has incremented.
Step 5 Click Close to close the window.
Step 6 Disconnect your Cisco VPN Client session by right-clicking the Cisco VPN Client icon in the system tray and choosing Disconnect from the menu.
Step 7 Complete the following substeps to remove the crypto map from the outside interface of the corporate adaptive security appliance:
1. Maximize your Cisco ASDM window on the corporate server.
2. Verify that Remote Access VPN is selected in the Configuration navigation pane.
3. Expand the Network Client Access menu.
4.
Expand the Advanced menu.
5. Expand the IPsec menu.
6. Choose Crypto Maps. The Crypto Maps panel is displayed.
7. Select the crypto map that you created in this lab exercise.
8. Click Delete.
9. Click Apply.
Step 8 Complete the following substeps to remove the isakmp command statements from your configuration:
1. Choose IKE Policies from the IPsec menu.
2. Select the IKE policy that you created in this lab exercise.
3. Click Delete.
4. Click Apply.
Step 9 Complete the following substeps to remove the ACL named inside_nat0_outbound from your configuration:
1. From Configuration > Remote Access VPN > Network (Client) Access > Advanced, choose ACL Manager. The ACL Manager panel is displayed.
2. Click the ACE under inside_nat0_outbound.
3. Click Delete.
4. Click Apply.
Step 10 Complete the following substeps to remove the tunnel-group command statements from your configuration:
1. From Configuration > Remote Access VPN > Network (Client) Access, choose IPsec Connection Profiles. The IPsec Connection Profiles panel is displayed.
2. Select the connection profile named TRAINING.
3. Click Delete.
4. Click Apply.
Step 11 Click Save in the Cisco ASDM toolbar.

Lab 15-1: Configure the Security Appliance to Provide Secure Clientless SSL VPN Connectivity
Complete this lab activity to practice what you learned in the related lesson.

Activity Objective
In this activity, you will implement Clientless SSL VPN (WebVPN) on the Cisco ASA security appliance. After completing this activity, you will be able to meet these objectives:
- Use Cisco ASDM to configure the security appliance for basic SSL VPN services
- Use Cisco ASDM to configure users and groups for SSL VPN services
- Test and verify security appliance SSL VPN connectivity

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 15-1: Visual Objective]
Scenario
Your company wants to implement remote access using remotely located PCs that terminate at a centrally located Cisco ASA security appliance, without using any client software. You must configure the security appliance for remote access using the WebVPN feature set.

Task 1: Use the SSL VPN Wizard to Configure a Secure SSL VPN
In this task, you will use the SSL VPN Wizard in Cisco ASDM to configure the corporate adaptive security appliance for SSL VPN connections.

Activity Procedure
Complete these steps:
Step 1 Return to your Cisco ASDM session on the corporate server.
Step 2 Click Wizards in the Cisco ASDM menu bar.
Step 1 Choose SSL VPN Wizard. The SSL VPN Connection Type page of the wizard is displayed.
Step 2 Verify that the Clientless SSL VPN Access check box is checked.
Step 3 Click Next. The SSL VPN Interface page is displayed.
Step 4 Complete the following substeps to configure a connection profile name and specify the interface that users will access for SSL VPN connections:
1. Enter AUSTIN in the Connection Name field.
2. Verify that outside is displayed in the SSL VPN Interface drop-down list. If it is not, choose outside from the drop-down list.
3. Click Next. The User Authentication page is displayed.
Step 5 Complete the following substeps to configure authentication for the SSL VPN:
1. Click the Authenticate Using the Local User Database radio button.
2. Enter studentP in the Username field (where P = pod number).
3. Enter studentP in the Password field (where P = pod number).
4. Enter studentP in the Confirm Password field (where P = pod number).
5. Click Add. The user name is displayed in the field to the right of the Add button.
6. Click Next. The Group Policy page is displayed.
Step 6 Complete the following substeps to create a group policy to group attributes that are common to specific groups of users:
1.
Verify that the Create a New Group Policy radio button is selected. If it is not, select it.
2. Enter FIRSTGROUP in the corresponding field.
3. Click Next. The Clientless Connections Only—Bookmark List page is displayed.
Step 7 Complete the following substeps to create a bookmark list for the SSL VPN end-user portal:
1. Click Manage. The Configure GUI Customization Objects window opens.
2. Click Add. The Add Bookmark List window opens.
3. Enter URLs in the Bookmark List Name field.
4. Click Add. The Add Bookmark Entry window opens.
5. Enter CIFSSHARE in the Bookmark Title field.
6. Choose cifs from the URL Value drop-down list to add a file-sharing bookmark.
7. In the corresponding URL field, enter 10.0.P.10/training.
8. Click OK.
9. Click OK in the Add Bookmark List window.
10. Click OK in the Configure GUI Customization Objects window. The bookmark list name "URLs" is displayed in the Bookmark List field on the Clientless Connections Only—Bookmark List page.
11. Click Next. The Summary page is displayed.
Step 8 Review your configuration in the Summary page. If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
Step 9 Click the Save button in the Cisco ASDM toolbar.
Step 10 Complete the following substeps to verify that user studentP is configured to inherit settings from the FIRSTGROUP group policy:
1. Click the Configuration button in the Cisco ASDM toolbar.
2. Click Device Management in the navigation pane.
3. Expand the Users/AAA menu.
4. Click User Accounts. The User Accounts panel is displayed.
5. In the user accounts table, verify that VPN group policy FIRSTGROUP is assigned to user studentP.
Step 11 Minimize the Cisco ASDM window.

Task 2: Test Your SSL VPN
In this task, you will test and verify your SSL VPN.

Activity Procedure
Complete these steps:
Step 1 Open a web browser on the remote office server.
Step 2 Enter https://192.168.P.2 to access the outside interface of the corporate adaptive security appliance, which you configured to accept Clientless SSL VPN connections. A Security Alert window opens.
Step 3 Click Yes.

Note The Security Alert appears because the appliance presents a self-signed certificate that the browser cannot validate. Accepting it is fine in the lab, but a production portal should use a certificate issued by a CA the clients trust; otherwise users are trained to click through warnings and cannot distinguish the real portal from a machine-in-the-middle.

Step 4 Log in to the SSL VPN service with the username studentP and the password studentP. The SSL VPN Service window displays the Home page.
Step 5 Complete the following substeps to test the file-sharing bookmark you created with the SSL VPN Wizard:
  1. Click the CIFSSHARE link under File Bookmarks. An Authentication Required panel is displayed.
  2. Enter administrator in the Username field.
  3. Enter attack in the Password field.
  4. Click Submit. The following files are displayed:
     - File1.doc
     - File2.bmp
  5. Verify that you can open the files. You should be able to open them.
Step 6 Complete the following substeps to test file browsing over your Clientless SSL VPN:
  1. Verify that cifs:// is displayed in the Address drop-down list.
  2. Delete /training so that only 10.0.P.10 is displayed in the Address field.
  3. Click Browse. The Authentication Required panel is displayed.
  4. Enter administrator in the Username field.
  5. Enter attack in the Password field.
  6. Click Submit. The following shared folders are displayed:
     - Training
     - LabGuides
  7. Click the LabGuides folder. A file named SNAFLabGuide.doc is displayed.
  8. Click the file. The File Download window opens.
  9. Click Save. The Save As window opens.
  10. Save the file as SNAFLabGuidev2.doc on the desktop of the remote office PC. The Download Complete window opens.
  11. Click Close.
  12. Open the file from the remote office PC desktop.
  13. Change the date from 2007 to 2008.
  14. Save and close the file.
  15. Return to your Clientless SSL VPN portal.
  16. Click the Upload icon.
  17. Click Browse in the dialog box that is displayed.
  18. Browse to the file SNAFLabGuidev2.doc.
  19. Double-click the file. The path to the file is displayed in the Upload File field of the dialog box.
  20. Click OK. The file SNAFLabGuidev2.doc is displayed in the list of files in the LabGuides folder.
Step 7 Click Logout.
Step 8 Close your browser window.

Task 3: Create a Customization Object

In this task, you will create a customization object.

Activity Procedure

Complete these steps:

Step 1 Return to your Cisco ASDM session on the corporate server.
Step 2 Click the Configuration button in the Cisco ASDM toolbar.
Step 3 Choose Remote Access VPN from the navigation pane.
Step 4 Expand the Clientless SSL VPN Access menu.
Step 5 Expand the Portal menu.
Step 6 Choose Customization. The Customization panel is displayed.
Step 7 Click Add. The Add Customization Object window opens.
Step 8 Enter CUSTOMPORTAL in the Customization Object Name field.
Step 9 Click OK.
Step 10 Click Apply.
Step 11 Select the new customization object in the Customization Objects table.
Step 12 Click Edit. A security alert is displayed.
Step 13 Click Yes. The SSL VPN Customization Editor opens.
Step 14 Click Portal.
Step 15 Click Title Panel. The CUSTOMPORTAL: Portal > Title Panel panel is displayed.
Step 16 Enter ASA VPN Marketing in the Text field.
Step 17 Click the Background Color button.
Step 18 Select a new background color for the title panel.
Step 19 Click OK.
Step 20 Click Save in the upper-right corner.
Step 21 Click Portal again in the navigation pane.
Step 22 Click Applications. The CUSTOMPORTAL: Portal > Applications panel is displayed.
Step 23 Enter Marketing Home in the Home field.
Step 24 Click Save.
Step 25 Close the Customization Editor. The Customization panel is displayed.
Step 26 In the OnScreen Keyboard area, click the Show Only for the Login Page radio button.
Step 27 Click Apply.

Task 4: Modify the FIRSTGROUP Group Policy

In this task, you will disable File Server Browsing and File Server Entry for group policy FIRSTGROUP and apply a customization object to it.

Activity Procedure

Complete these steps:

Step 1 Click the Configuration button in the Cisco ASDM toolbar.
Step 2 Choose Remote Access VPN in the navigation pane.
Step 3 Expand the Clientless SSL VPN Access menu.
Step 4 Choose Group Policies. The Group Policies panel is displayed.
Step 5 Select FIRSTGROUP from the table.
Step 6 Click Edit. The Edit Internal Group Policy: FIRSTGROUP window opens.
Step 7 Complete the following substeps to apply the customization object you created in the previous task to group policy FIRSTGROUP:
  1. Expand the More Options menu in the navigation pane.
  2. Click Customization.
  3. Uncheck the Portal Customization Inherit check box.
  4. Choose CUSTOMPORTAL from the drop-down list to select the customized WebVPN home portal page created in the last task.
Step 8 Complete the following substeps to disable file browsing for FIRSTGROUP users:
  1. Click Portal in the navigation pane.
  2. Uncheck the File Server Entry Inherit check box. The Disable radio button is automatically selected.
  3. Uncheck the File Server Browsing Inherit check box. The Disable radio button is automatically selected.
  4. Click OK.
Step 9 Click Apply in the Group Policies panel.
Step 10 Click Save in the Cisco ASDM toolbar.

Task 5: Test Your Configuration

In this task, you will verify that users to whom group policy FIRSTGROUP is applied are unable to browse network files and that their portal appears as defined in the Customization Editor.

Activity Procedure

Complete these steps:

Step 1 Complete the following substeps to verify that all Clientless SSL VPN sessions are logged out. Group-policy attributes are assigned when a session is established, so an existing session keeps its old file-browsing rights until the user logs in again; only a fresh login shows the change.
  1. Click the Monitoring button in the Cisco ASDM toolbar.
  2. Click VPN in the navigation pane.
  3. Expand the VPN Statistics menu.
  4. Choose Sessions. The Sessions panel is displayed.
  5. Choose Clientless SSL VPN from the Filter By drop-down list.
  6. Click Refresh.
  7. If a session is displayed, click the Logout Sessions button at the bottom of the panel.
Step 2 Complete the following substeps to test your configuration:
  1. Open a web browser on the remote office PC.
  2. Enter https://192.168.P.2 to access the outside interface of the corporate adaptive security appliance. A security alert window is displayed.
  3. Click Yes. The login panel is displayed.
  4. Enter studentP in the Username field (where P = pod number).
  5. Attempt to enter studentP in the Password field. The OnScreen Keyboard is displayed (where P = pod number).
  6. Use the OnScreen Keyboard to enter the password studentP. The Clientless SSL VPN portal is displayed.
  7. Verify that the customization object that you applied to group policy FIRSTGROUP is in effect. The title panel text should be "ASA VPN Marketing," and its background color should be the color you selected for it. Verify that the home page title is now Marketing Home.
  8. Enter http://10.0.P.10 in the Address bar.
  9. Click Browse. The default web page for the corporate server should be displayed instead of the shared folders on the corporate server.
  10. Close the browser.
Step 3 At the CLI of the corporate security appliance, disable Clientless SSL VPN.
    asaP(config)# clear config webvpn

Lab 16-1: Configure Security Appliance Transparent Firewall

Complete this lab activity to practice what you learned in the related lesson.

Objectives

In this activity, you will configure the security appliance transparent firewall.
After completing this activity, you will be able to meet these objectives:
- Configure the networking parameters on the corporate server
- Enable transparent firewall mode
- Configure the security appliance interfaces and management IP address
- Test inside and outside connectivity
- Allow ICMP traffic through the transparent firewall
- Disable transparent firewall mode

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 16-1: Visual Objective]

Task 1: Configure the Corporate Server Networking Parameters

In this activity, certain networking parameters must be configured before your corporate server will operate in the lab environment. Complete the following step to configure your corporate server networking parameters. This procedure assumes that the Windows 2000 server is operating with an active NIC.

Activity Procedure

Complete this step:

Step 1 Change the IP address and default gateway of your corporate server. Use the following configuration parameters:
- IP address: 192.168.P.10
- Subnet mask: 255.255.255.0
- Default gateway: 192.168.P.1

Task 2: Enable Transparent Firewall Mode

In this task, you will enable transparent firewall mode.

Activity Procedure

Complete these steps:

Step 1 Save the configuration to flash memory. When prompted for source and destination file names, press Enter.
    asaP(config)# copy running-config disk0:saved.cfg
    Source filename [running-config]?
    Destination filename [saved.cfg]?
Step 2 Set the firewall mode to transparent. Changing the firewall mode clears the running configuration, which is why the prompt reverts to the default host name and why you saved a copy in Step 1.
    asaP(config)# firewall transparent
    ciscoasa(config)#
Step 3 Confirm that the Cisco security appliance is in transparent mode.
    ciscoasa(config)# show firewall
    Firewall mode: Transparent
Step 4 Examine the running configuration.
    ciscoasa(config)# show run
    : Saved
    :
    ASA Version 8.0(2)
    !
    firewall transparent
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    interface GigabitEthernet0/0
     shutdown
     no nameif
     no security-level
    interface GigabitEthernet0/1
     shutdown
     no nameif
     no security-level
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
    interface Management0/0
     shutdown
     no nameif
     no security-level
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot system disk0:/asa802-k8.bin
    ftp mode passive
    pager lines 24
    no ip address
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:42327435c1763f7c530eeb1cdec85356
    : end

Note The enable password and passwd lines above are the factory defaults (an empty enable password and the login password cisco). Because the mode change reset the configuration, the appliance is back to these defaults until you reconfigure it.

Task 3: Configure Security Appliance Interfaces and Management IP Address

In this task, you will configure the security appliance Gigabit Ethernet interfaces.

Activity Procedure

Complete these steps:

Step 1 Configure the GigabitEthernet0/1 interface.

Note By default, the interfaces are disabled. You must enable all interfaces that you intend to use.

    ciscoasa(config)# interface g0/1
    ciscoasa(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.
    ciscoasa(config-if)# no shut
    ciscoasa(config-if)# exit
Step 2 Configure the GigabitEthernet0/0 interface.
    ciscoasa(config)# interface g0/0
    ciscoasa(config-if)# nameif outside
    INFO: Security level for "outside" set to 0 by default.
    ciscoasa(config-if)# no shut
    ciscoasa(config-if)# exit
Step 3 Use the setup command interactive prompts to configure the management IP address and prepare the security appliance for configuration via Cisco ASDM. Respond to each prompt with the value shown; where no value is shown, press Enter to accept the default.
    ciscoasa(config)# setup
    Pre-configure Firewall now through interactive prompts [yes]?
    Firewall Mode [Transparent]:
    Enable password []:
    Allow password recovery [yes]?
    Clock (UTC)
      Year [2008]:
      Month [Jan]:
      Day [14]:
      Time [20:47:13]:
    Management IP address [0.0.0.0]: 192.168.P.30
    Management network mask [255.255.255.255]: 255.255.255.0
    Host name [ciscoasa]: asaP          (where P = pod number)
    Domain name: training.com
    IP address of host running Device Manager: 192.168.P.10

    The following configuration will be used:
    Enable password:
    Allow password recovery: yes
    Clock (UTC): 20:47:13 Jan 14 2008
    Firewall Mode: Transparent
    Management IP address: 192.168.P.30
    Management network mask: 255.255.255.0
    Host name: asaP
    Domain name: training.com
    IP address of host running Device Manager: 192.168.P.10

    Use this configuration and write to flash? yes

Note The lab leaves the enable password empty. The "IP address of host running Device Manager" answer is what restricts ASDM (HTTPS) access to the single host 192.168.P.10; keep that restriction, and set an enable password, on any appliance outside the lab.

Step 4 Enable the HTTP server on the security appliance.
    asaP(config)# http server enable
Step 5 Save your configuration.
    asaP(config)# write memory
Step 6 Reload the security appliance.
    asaP(config)# reload
    Proceed with reload? [confirm]
Step 7 Launch Cisco ASDM. You will need to access Cisco ASDM using IP address 192.168.P.30.
Step 8 Complete the following substeps to verify the management IP address configuration:
  1. Click the Configuration button in the Cisco ASDM toolbar.
  2. Choose Device Management from the navigation pane.
  3. Expand the Management Access menu.
  4. Choose Management IP Address. The Management IP Address panel is displayed.
  5. Verify that 192.168.P.30 is displayed in the Management IP Address field.
Step 9 Minimize, but do not close, the Cisco ASDM window.

Task 4: Test Inside and Outside Connectivity

In this task, you will test and troubleshoot interface connectivity using the security appliance ping command.

Activity Procedure

Complete these steps:

Step 1 Ping your corporate server from your corporate adaptive security appliance.
    asaP(config)# ping 192.168.P.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.P.10, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/10 ms
Step 2 Ping your backbone router from your corporate adaptive security appliance.
    asaP(config)# ping 192.168.P.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.P.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Step 3 Examine the MAC address table. In transparent mode the appliance forwards by MAC address, so both the router and the server should have been learned on their respective interfaces.
    asaP(config)# show mac-address-table
    interface    mac address       type      Age(min)
    outside      0002.fa7e.3043    dynamic   4
    inside       00d0.b7b9.62af    dynamic   4

Task 5: Test and Verify Transparent Firewall Operations

In this task, you will test connectivity through the transparent firewall.

Activity Procedure

Complete these steps:

Step 1 Test web access through the transparent firewall by completing the following substeps:
  1. Open a web browser on the corporate server.
  2. Use the web browser to access the HTTP server in the backbone router. Enter http://192.168.P.1.
  3. When prompted for a password, enter cisco.
  4. The home page of the backbone router should appear in the web browser.
Step 2 Attempt to send ICMP traffic through the transparent firewall by pinging your backbone router from your corporate server. The pings should fail.
    C:\> ping 192.168.P.1
    Pinging 192.168.P.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
Step 3 ICMP traffic from the inside to the outside is not being inspected by default, so the appliance keeps no state for the echo requests and drops the echo replies that return from the lower-security outside interface. Complete the following substeps to edit the default global_policy to inspect the ICMP traffic from the inside network to the outside network:
  1. Click the Configuration button in the Cisco ASDM toolbar.
  2. Choose Firewall from the navigation pane.
  3. Choose Service Policy Rules from the Firewall menu.
     The Service Policy Rules panel is displayed.
  4. Select the inspection_default class map beneath the global policy.
  5. Click Edit. The Edit Service Policy Rule window opens.
  6. Click the Rule Actions tab.
  7. Verify that the Protocol Inspection tab is selected.
  8. Check the ICMP check box.
  9. Click OK.
  10. Click Apply in the Service Policy Rules window.
Step 4 Ping your backbone router from your corporate server again. The pings should now be successful.
    C:\> ping 192.168.P.1
    Pinging 192.168.P.1 with 32 bytes of data:
    Reply from 192.168.P.1: bytes=32 time...

[...]

    copy in progress
    4999 bytes copied in 0.250 secs
Step 4 Reboot the security appliance.
    ciscoasa(config)# reload
    Proceed with reload? [confirm]

Lab 18-1: Configure LAN-Based Active/Standby Failover

Complete this lab activity to practice what you learned in the related lesson. This is a two-part lab activity. In the first part, you will configure and test active/standby failover. In the second part of this lab activity, you will configure and test active/active failover.

Activity Objective

In this activity, you will configure the security appliance to support active/standby failover. After completing this activity, you will be able to meet these objectives:
- Prepare the primary and secondary security appliances for failover configuration via Cisco ASDM
- Use the Cisco ASDM High Availability and Scalability Wizard to configure the primary and secondary security appliances for LAN-based failover
- Test LAN-based failover
- Enable stateful LAN-based failover
- Test stateful LAN-based failover
- Make the primary security appliance active

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 18-1: Visual Objective]

Caution For the failover labs to work, pods must be peered correctly. ASAP peers with ASAP+4 (where P = 1, 2, 3, or 4).
For example, ASA1 peers with ASA5, ASA2 peers with ASA6, ASA3 peers with ASA7, and ASA4 peers with ASA8.

Task 1: Prepare the Primary and Secondary Security Appliances for Failover Configuration via Cisco ASDM

In this task, you will prepare to use Cisco ASDM to configure the primary and secondary security appliances for LAN-based failover.

Activity Procedure

Complete these steps:

Step 1 Complete the following substeps to prepare the corporate server for this lab activity. These substeps must be completed on all corporate servers, regardless of lab environment and security appliance roles.
  1. If a secondary IP address is configured on your corporate server, remove it.
  2. If you changed the IP address of your corporate server in a previous lab activity, restore the original IP address. The corporate server should be configured as follows:
     - Primary IP address: 10.0.P.10
     - Subnet mask: 255.255.255.0
     - Default gateway IP address: 10.0.P.1
Step 2 Complete the following substeps to prepare the secondary security appliance for failover configuration via Cisco ASDM.
  1. Erase the default configuration of the secondary security appliance. When prompted to confirm, press Enter.
        ciscoasa# write erase
        Erase configuration in flash memory? [confirm]
  2. Reboot the security appliance. When prompted to confirm, press Enter.
        ciscoasa# reload
        Proceed with reload? [confirm]
  3. After the security appliance reboots, it will prompt you to bootstrap it through interactive prompts. Press Ctrl-Z to escape. The unprivileged mode prompt is displayed.
        Pre-configure Firewall now through interactive prompts [yes]?
  4. Enter configuration mode.
        ciscoasa> enable
        Password:
        ciscoasa# configure terminal
  5. Specify GigabitEthernet0/1 as the inside interface and accept the default security level.
        ciscoasa(config)# interface g0/1
        ciscoasa(config-if)# nameif inside
        INFO: Security level for "inside" set to 100 by default.
  6. Configure an IP address for GigabitEthernet0/1 that is reachable from the primary security appliance inside interface.
        ciscoasa(config-if)# ip address 10.0.P.7 255.255.255.0
  7. Enable GigabitEthernet0/1.
        ciscoasa(config-if)# no shut
  8. Exit interface configuration mode.
        ciscoasa(config-if)# exit
  9. Enable the HTTP server on the secondary security appliance.
        ciscoasa(config)# http server enable
  10. Configure the secondary security appliance to accept HTTP connections from the corporate server and the primary security appliance. The wizard in the next task connects from the primary appliance to the secondary over HTTPS, so both hosts must be permitted.
        ciscoasa(config)# http 10.0.P.10 255.255.255.255 inside
        ciscoasa(config)# http 10.0.P.1 255.255.255.255 inside
  11. Save your configuration.
        ciscoasa(config)# write mem
Step 3 Complete the following substeps to prepare the primary security appliance for failover configuration via Cisco ASDM.
  1. Configure the primary security appliance to accept HTTP connections from the secondary security appliance.
        asaP(config)# http 10.0.P.7 255.255.255.255 inside
  2. Configure the primary security appliance to accept HTTP connections from the corporate server.
        asaP(config)# http 10.0.P.10 255.255.255.255 inside
  3. Verify that the HTTP server is enabled on the security appliance and that the security appliance is configured to accept HTTP connections from both the secondary security appliance and the corporate server. Keep these entries host-scoped (mask 255.255.255.255) rather than opening ASDM access to the whole inside subnet.
        asaP(config)# show run http
        http server enable
        http 10.0.P.7 255.255.255.255 inside
        http 10.0.P.10 255.255.255.255 inside
  4. Important: Verify that the saved.cfg file is in the flash memory of your security appliance. You will revert to this configuration at the end of this lab.
        asaP(config)# show disk0:
        --#--  --length--  -----date/time------  path
           6    14524416   08:30:41 Dec 12 2007  asa802-k8.bin
          11     6889764   08:30:42 Dec 12 2007  asdm-602.bin
          12        5586   10:15:00 Dec 14 2007  saved.cfg
  5. Clear any existing configuration for the interface g0/2. In this lab, you will use interface g0/2 for the failover link.
        asaP(config)# clear configure interface g0/2
  6. Enable the interface used for the failover link.
        asaP(config)# interface g0/2
        asaP(config-if)# no shut
        asaP(config-if)# exit
  7. Save your configuration.
        asaP(config)# write mem

Task 2: Use the Cisco ASDM High Availability and Scalability Wizard to Configure LAN-Based Failover

In this task, you will use the Cisco ASDM failover wizard to configure the primary and secondary security appliances for LAN-based failover.

Activity Procedure

Complete these steps:

Step 1 If Cisco ASDM is open, close it.
Step 2 Launch Cisco ASDM on the corporate server using IP address 10.0.P.1.
Step 3 Click Wizards in the Cisco ASDM menu bar.
Step 4 Choose High Availability and Scalability Wizard. The High Availability and Scalability Wizard opens.
Step 5 On the first wizard page, verify that the Configure Active/Standby Failover radio button is selected. If it is not, click it.
Step 6 Click Next. The Failover Peer Connectivity and Compatibility Check page is displayed.
Step 7 Enter 10.0.P.7 in the Peer IP Address field.
Step 8 Click Next. Cisco ASDM performs the failover compatibility tests and displays a security warning.
Step 9 Click Yes. The Enter Network Password window opens.
Step 10 Click Login. After all compatibility tests are passed, the LAN Link Configuration page is displayed.
Step 11 Complete the following substeps to configure the failover interface:
  1. From the Interface drop-down list, choose GigabitEthernet0/2.
  2. Enter MYFAILOVER in the Logical Name field.
  3. Enter 172.17.P.1 in the Active IP Address field.
  4. Enter 172.17.P.7 in the Standby IP Address field.
  5. Choose 255.255.255.0 from the Subnet Mask drop-down list.
  6. Enter 1234567 in the Secret Key field.
  7. Click Next. The State Link Configuration page is displayed.

Note The secret key authenticates and encrypts the failover messages and the configuration replication between the two units; without it, the full configuration, including passwords and keys, crosses the failover link in cleartext. 1234567 is a lab value only. In production use a long random key and a dedicated, physically protected link.

Step 12 Verify that the Disable Stateful Failover radio button is selected. If it is not, select it.
Step 13 Click Next.
The Standby Address Configuration page is displayed.
Step 14 Complete the following substeps to configure standby IP addresses:
  1. Double-click in the Standby IP Address column for the inside interface.
  2. Enter 10.0.P.7 in the field that is activated.
  3. Press Enter.
  4. Double-click in the Standby IP Address column for the outside interface.
  5. Enter 192.168.P.7 in the field that is activated.
  6. Press Enter.
  7. Double-click in the Standby IP Address column for the DMZ interface.
  8. Enter 172.16.P.7 in the field that is activated.
  9. Press Enter.
  10. Click Next. The Summary page is displayed.
Step 15 Review your configuration in the Summary page. If necessary, use the Back button to go to a previous screen and make changes.
Step 16 When you are satisfied with your configuration, click Finish. The failover configuration is sent to the security appliance and to the failover peer.
Step 17 The Waiting for Config Sync window is displayed. Wait until this window automatically closes and the Information dialog box displays the following message:
    Failover configuration is complete. Configuration synchronization between the pair may take up to a few minutes. During that time, ASDM may lose connectivity to the device. After a few minutes, click on the Refresh button on the toolbar to regain connection.
Step 18 Click OK in the Information dialog box.
Step 19 Minimize the Cisco ASDM window.
Step 20 Go to the primary security appliance console. You should see the following message:
    Beginning configuration replication. Sending to mate.
Step 21 Wait until the console displays the following message:
    End Configuration Replication to mate
Step 22 Make sure that the primary security appliance is enabled for failover and that the secondary security appliance is recognized.
Note It may take a few moments for the interfaces to transition from Normal (Waiting) to Normal.

    asaP(config)# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: MYFAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 250 maximum
    Version: Ours 8.0(2), Mate 8.0(2)
    Last Failover at: 16:03:38 UTC Feb 1 2008
            This host: Primary - Active
                    Active time: 1240 (sec)
                    slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
                      Interface outside (192.168.P.2): Normal
                      Interface inside (10.0.P.1): Normal
                      Interface dmz (172.16.P.1): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up
            Other host: Secondary - Standby Ready
                    Active time: 0 (sec)
                    slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
                      Interface outside (192.168.P.7): Normal
                      Interface inside (10.0.P.7): Normal
                      Interface dmz (172.16.P.7): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up

    Stateful Failover Logical Update Statistics
            Link : Unconfigured.

Step 23 On the primary security appliance, create an ACL to allow failover testing through the primary security appliance. This permit-all rule exists only so that the ping and Telnet tests below pass; it is not a production policy.
    asaP(config)# access-list ACLIN permit icmp any any
    asaP(config)# access-list ACLIN permit ip any any
    asaP(config)# access-group ACLIN in interface inside
Step 24 Verify that you can ping the Internet server from the corporate server.
    C:\> ping 172.26.26.50
Step 25 Verify that you can open a Telnet session to the backbone router.

Note If you are prompted for a password before the router prompt is displayed, enter cisco as the password.

    C:\> telnet 192.168.P.1
    SNAF-RBB>

Task 3: Test LAN-Based Failover

In this task, you will test LAN-based failover.
Activity Procedure

Complete these steps:

Step 1 Start a continuous ping from the corporate server to 172.26.26.50.
    C:\> ping 172.26.26.50 -t
Step 2 From the corporate server, also open a Telnet session to the backbone router.

Note If you are prompted for a password before the router prompt is displayed, enter cisco.

    C:\> telnet 192.168.P.1
    SNAF-RBB> enable
    Password:
    Password:
    Password:
    % Bad passwords
    SNAF-RBB>
Step 3 Reload the primary security appliance. When asked to confirm the reload, press Enter.
    asaP(config)# reload
Step 4 Notice that the ping request times out and eventually resumes. After the successful pings return, try to access the RBB router's enable mode. The Telnet connection to RBB should be lost: without stateful failover the standby unit has no record of the established TCP connection, so the traffic is dropped when it takes over. Press Ctrl-C to stop the pings.
Step 5 After the primary security appliance has completely rebooted, enter the show failover command on the primary security appliance and observe that the Primary unit is now in the Standby Ready state and the Secondary unit is now in the Active state. Also observe that the IP addresses of the Primary and Secondary units have swapped. (It may take several minutes for the configuration to replicate and the interfaces to normalize.)
    asaP(config)# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: MYFAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 250 maximum
    Version: Ours 8.0(2), Mate 8.0(2)
    Last Failover at: 18:03:38 UTC Dec 22 2007
            This host: Primary - Standby Ready
                    Active time: 0 (sec)
                    slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
                      Interface outside (192.168.P.7): Normal
                      Interface inside (10.0.P.7): Normal
                      Interface dmz (172.16.P.7): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up
            Other host: Secondary - Active
                    Active time: 232 (sec)
                    slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
                      Interface outside (192.168.P.2): Normal
                      Interface inside (10.0.P.1): Normal
                      Interface dmz (172.16.P.1): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up

    Stateful Failover Logical Update Statistics
            Link : Unconfigured.

Step 6 Verify that the interfaces have normalized before proceeding.
Step 7 Make the primary security appliance the active security appliance by using the failover active command. Make sure that you are connected to the console port of the primary security appliance.
    asaP(config)# failover active
    Switching to Active

Task 4: Configure Stateful LAN-Based Failover

In this task, you will enable stateful LAN-based failover.

Activity Procedure

Complete these steps:

Step 1 Complete the following substeps to enable stateful LAN-based failover:
  1. From your corporate server, restart Cisco ASDM.
  2. Click the Refresh button in the Cisco ASDM toolbar to update Cisco ASDM with the latest security appliance configuration.
  3. Click the Configuration button in the Cisco ASDM toolbar.
  4. Choose Device Management from the navigation pane.
  5. Expand the High Availability menu.
  6. Choose Failover from the High Availability menu. The Failover panel is displayed.
  7. Verify that the Setup tab is active. If it is not, click the Setup tab.
  8. In the State Failover area, choose GigabitEthernet0/2 from the Interface drop-down list to configure the GigabitEthernet0/2 LAN-based failover link as the stateful failover link. Sharing one link for failover control and state replication is acceptable in the lab; on a busy production pair a separate state link avoids connection-state updates competing with the hello messages that decide whether the peer is alive.
  9. Click Apply.
Step 2 Complete the following substeps to change the unit failover polltime to decrease the time it takes for the units to fail over:
  1. Click the Criteria tab in the Failover panel.
  2. In the Failover Poll Times area, choose milliseconds from the Unit drop-down list.
  3. Enter 500 in the Unit Failover field.
  4. In the Failover Poll Times area, enter 2 in the Unit Hold Time field.
  5. Click Apply. A warning window is displayed.
  6. Click OK.
  7. Click Save in the Cisco ASDM toolbar. The Save Running Configuration to Flash window opens.
  8. Click Apply.

Note A 2-second hold time means the standby declares the active unit failed after four missed hellos. That shortens the outage, but a congested or lossy failover link can then trigger an unnecessary switchover; choose the hold time to match the quality of the link.

Step 3 Complete the following substeps to verify that stateful failover is enabled. The stateful failover statistics should be present.
  1. Click the Monitoring button in the Cisco ASDM toolbar.
  2. Choose Properties from the navigation pane.
  3. Expand the Failover menu.
  4. Choose Status from the Failover menu. The Status panel is displayed.
  5. Click Refresh.
The window displays the show failover command output Failover On Failover unit Primary Failover LAN Interface: MYFAILOVER Gigabitetherneto/2 (up) Unit Poll frequency 500 milliseconds, noldtime 2 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1 Monitored Interfaces 3 of 250 maximum Version: Ours 8.0(2), Mate 8.0(2) Last Pailover at: 18:03:38 UTC Dec 24 2007 This host: Primary - Active Revive time: 140 (sec) slot 0: ASAS520 hw/sw rev (1.0/8.0(2)) status (Up sys) Interface outside (192.168.P.2): Normal Interface inside (10.0.P.1): Normal Interface dz (172.16.P.1): Normal slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1) 1) status (Up/Up) iPS, 6.0(1)E1, Up Other host: Secondary - Standby Ready Active time: 3105 (sec) slot sys) ASASS20 hw/sw rev (1.0/8.0(2)) status (Up Interface outside (192.168.P.7): Normal Interface inside (10.0.P.7): Normal Interface dmz (172.16.P.7): Normal slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1) 1) status (Up/Up) IPS, 6.0(1)E1, Up 134 Securing Networks with ASA Fundamentals (SNAF) v1.0 {© 2008 Cisco Systems, Inc Step 4 Stateful Failover Logical Update Statistice Link : MYFAILOVER Gigabitethernet0/2 (up) Stateful obj xmit xerr rev rere General a5 81 ° sys end ar a1 up time ° RPC services ‘TCP conn UDP conn ARP tb1 Xlate_Timeout VEN IKE upd VPN IPSEC upd ven cree upd VPN SDI upa VPN DHCP upa SIP Session Logical Update Queue Information cur Max Total Recy Q ° 9 a2 xmit Q: ° 23 na Verify that the interfaces have normalized before proceeding, Task 5: Test Stateful LAN-Based Failover In this task, you will test stateful LAN-based failover. Activity Procedure Complete these steps: Step 1 Step 2 Start a continuous ping from the corporate server to 172.26.26.50. €:\ ping 172.26.26.50 “t From the corporate server, open a Telnet session to the backbone router. 
{you are prompted for @ password before the router prompt is displayed, enter cisco as the password, C:\stelnet 192.168.P.1 SNAP-RBB> enable Password: (© 2008 Cisco Systems, Ine Lab Guide 135 Password: Password: % Bad secrets SNAP-RBB> Step3__ Complete the following substeps to reload the primary security appliance: 1. Choose Tools from the Cisco ASDM toolbar. 2. Choose System Reload from the Tools menu. The System Reload window opens, 3. Verify that the Now radio button is selected in the Reload Start Time area, If it is not, select it 4, Click Schedule Reload to reload the primary security appliance 5, When asked to confirm the reload, click Yes. 6. Close the System Reload window. 7. Close Cisco ASDM. Step 4 Notice that the ping request times out for a shorter period of time and resumes after a shorter delay. Step5 After the pings resume, try to access RBB> enable through the Telnet session, The connection to RBB> should still be present. Stateful failover is enabled SNAP-RBB> enable Password: Password: Password: % Bad secrete SNAE-RBB> Step6 Press Ctrl-C to stop the pings. Step7 Close the Telnet session. Task 6: Make the Primary Security Appliance Active In this task, you will make the primaty security appliance the active security appliance. x pr pI Activity Procedure Complete these steps: Step1 At the primary security appliance CLI, verify the status of the secutity appliances. 
    asaP> enable
    Password: cisco123
    asaP# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: MYFAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 250 maximum
    Version: Ours 8.0(2), Mate 8.0(2)
    Last Failover at: 18:03:38 UTC Dec 22 2007
            This host: Primary - Standby Ready
                    Active time: 0 (sec)
                    slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
                      Interface outside (192.168.P.7): Normal
                      Interface inside (10.0.P.7): Normal
                      Interface dmz (172.16.P.7): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up
            Other host: Secondary - Active
                    Active time: 232 (sec)
                    slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
                      Interface outside (192.168.P.2): Normal
                      Interface inside (10.0.P.1): Normal
                      Interface dmz (172.16.P.1): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up

    Stateful Failover Logical Update Statistics
            Link : MYFAILOVER GigabitEthernet0/2 (up)
            Stateful Obj    xmit    xerr    rcv     rerr
            General         251     0       253     0
            sys cmd         251     0       251     0
            up time         0       0       0       0
            RPC services    0       0       0       0
            TCP conn        0       0       0       0
            UDP conn        0       0       0       0
            ARP tbl                 0       2       0
            Xlate_Timeout   0       0       0       0
            VPN IKE upd     0       0       0       0
            VPN IPSEC upd   0       0       0       0
            VPN CTCP upd    0       0       0       0
            VPN SDI upd     0       0       0       0
            VPN DHCP upd    0       0       0       0
            SIP Session     0       0       0       0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       8
            Xmit Q:         0       1       251

Step 2  Return the primary security appliance to the active state.

    asaP# failover active

Step 3  Verify that the primary security appliance is now in active mode and the secondary security appliance is in standby mode.

    asaP# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: MYFAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 500 milliseconds, holdtime 2 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 250 maximum
    Version: Ours 8.0(2), Mate 8.0(2)
    Last Failover at: 18:03:38 UTC Dec 24 2007
            This host: Primary - Active
                    Active time: 140 (sec)
                    slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
                      Interface outside (192.168.P.2): Normal
                      Interface inside (10.0.P.1): Normal
                      Interface dmz (172.16.P.1): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up
            Other host: Secondary - Standby Ready
                    Active time: 3105 (sec)
                    slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
                      Interface outside (192.168.P.7): Normal
                      Interface inside (10.0.P.7): Normal
                      Interface dmz (172.16.P.7): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up

    Stateful Failover Logical Update Statistics
            Link : MYFAILOVER GigabitEthernet0/2 (up)
            Stateful Obj    xmit    xerr    rcv     rerr
            General         347     0       349     0
            sys cmd         347     0       347     0
            up time         0       0       0       0
            RPC services    0       0       0       0
            TCP conn        0       0       0       0
            UDP conn        0       0       0       0
            ARP tbl         4       0       2       0
            Xlate_Timeout   0       0       0       0
            VPN IKE upd     0       0       0       0
            VPN IPSEC upd   0       0       0       0
            VPN CTCP upd    0       0       0       0
            VPN SDI upd     0       0       0       0
            VPN DHCP upd    0       0       0       0
            SIP Session     0       0       0       0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       8       2754
            Xmit Q:         0       1       569

Step 4  Use the failover exec command to view the failover status on the secondary security appliance:

    asaP# failover exec mate show failover
    Failover On
    Failover unit Secondary
    Failover LAN Interface: MYFAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 500 milliseconds, holdtime 2 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 250 maximum
    Version: Ours 8.0(2), Mate 8.0(2)
    Last Failover at: 18:03:45 UTC Dec 24 2007
            This host: Secondary - Standby Ready
                    Active time: 4059 (sec)
                    slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
                      Interface outside (192.168.P.7): Normal
                      Interface inside (10.0.P.7): Normal
                      Interface dmz (172.16.P.7): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up
            Other host: Primary - Active
                    Active time: 3105 (sec)
                    slot 0: ASA5520 hw/sw rev (1.0/8.0(2)) status (Up Sys)
                      Interface outside (192.168.P.2): Normal
                      Interface inside (10.0.P.1): Normal
                      Interface dmz (172.16.P.1): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up

    Stateful Failover Logical Update Statistics
            Link : MYFAILOVER GigabitEthernet0/2 (up)
            Stateful Obj    xmit    xerr    rcv     rerr
            General         924     0       990     0
            sys cmd         917     0       916     0
            up time         0       0       0       0
            RPC services    0       0       0       0
            TCP conn        2       0       2       0
            UDP conn        0       0       66      0
            ARP tbl         5       0       6       0
            Xlate_Timeout   0       0       0       0
            VPN IKE upd     0       0       0       0
            VPN IPSEC upd   0       0       0       0
            VPN CTCP upd    0       0       0       0
            VPN SDI upd     0       0       0       0
            VPN DHCP upd    0       0       0       0
            SIP Session     0       0       0       0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       4       4075
            Xmit Q:         0       2       4066

Step 5  Before starting the active/active failover section in the second part of this lab, you will need to "default" the failover configuration. Disable failover on the primary security appliance.

    asaP(config)# clear configure failover

Step 6  Save the primary security appliance configuration to flash memory.

    asaP(config)# write mem

Lab 18-2: Configure LAN-Based Active/Active Failover

Complete this lab activity to practice what you learned in the related lesson. This is a two-part lab activity. In the first part, you configured and tested active/standby failover. In the second part of this lab activity, you will configure and test active/active failover.

Activity Objective

In this activity, you will configure the security appliance to support active/active failover.
After completing this activity, you will be able to meet these objectives:
- Enable multiple context mode on the security appliances
- Confirm multiple context mode on the security appliances
- Create security contexts on the primary security appliance
- Configure the CTX1 context on the primary security appliance
- Prepare the security appliances for active/active failover configuration via Cisco ASDM
- Use the Cisco ASDM High Availability and Scalability Wizard to configure active/active failover
- Configure standby IP addresses for CTX1
- Exercise active/active failover
- Return the failover devices to single mode

Visual Objective

The figure illustrates what you will accomplish in this activity. There is a primary security appliance and a secondary security appliance. Each security appliance consists of two contexts: admin and CTX1. In active/active failover, only one admin context and one CTX1 context will be active at any one time.

[Figure: Lab 18-2: Visual Objective]

Task 1: Enable Multiple Context Mode

By default, a security appliance operates in single mode. Active/active failover requires the security appliance to operate with multiple mode and virtual security contexts. In this task, you will enable multiple context mode on the primary and secondary security appliances.

Complete these steps:

Step 1  Complete the following substeps to enable and verify multiple context mode on the primary security appliance:
1. Verify that security context is a licensed feature of the security appliance.

    asaP(config)# show version
    Licensed features for this platform:
    Security Contexts      : 2

2. Check the current mode of the security appliance.

    asaP(config)# show mode
    Security appliance mode: single

3. Enable multiple context mode. Press Enter when prompted to confirm.

    asaP(config)# mode multiple
    WARNING: This command will change the behavior of the device
    WARNING: This command will initiate a Reboot
    Proceed with change mode? [confirm]
    Convert the system configuration? [confirm]
    The old running configuration file will be written to flash
    The admin context configuration will be written to flash
    The new running configuration file was written to flash

Step 2  Complete the following substeps to enable and verify multiple context mode on the secondary security appliance:
1. Remove any existing failover configuration on the secondary security appliance.

    asaP(config)# clear configure failover

2. Verify that security context is a licensed feature of the security appliance.

    asaP(config)# show version
    Licensed features for this platform:
    Security Contexts      : 2

3. Check the current mode of the security appliance.

    asaP(config)# show mode
    Security appliance mode: single

4. Enable multiple context mode. Press Enter when prompted to confirm.

    asaP(config)# mode multiple
    WARNING: This command will change the behavior of the device
    WARNING: This command will initiate a Reboot
    Proceed with change mode? [confirm]
    Convert the system configuration? [confirm]
    The old running configuration file will be written to flash
    The admin context configuration will be written to flash
    The new running configuration file was written to flash

Task 2: Confirm Multiple Context Mode

When a security appliance changes to a multiple mode configuration, the default multiple mode configuration is two security contexts: system and admin. The security appliance boots into the system context. From the system context, you can create and view contexts. From the system context, you can also allocate system resources and configure failover links.
In this task, you will examine the default multiple mode environment.

Activity Procedure

Complete these steps:

Step 1  Complete the following substeps to confirm multiple context mode on the primary security appliance:
1. After the primary security appliance reboots, enter privileged EXEC mode. When prompted for a password, enter cisco123.

    asaP> enable
    Password: cisco123

2. Confirm that the security appliance is in multiple context mode.

    asaP# show mode
    Security context mode: multiple

3. Confirm that the security appliance saved the original configuration as old_running.cfg.

    asaP# show disk0:
    -#- --length-- -----date/time------ path
      6   14524416 Jan 12 2008 08:30:41 asa802-k8.bin
      7       5758 Jan 12 2008 08:30:41 old_running.cfg
     10       4865 Jan 12 2008 08:30:41 admin.cfg
     22    6889764 Jan 12 2008 08:30:42 asdm-602.bin

4. Examine the current security contexts.

    asaP# show context
    Context Name      Class      Interfaces                      URL
    *admin            default    GigabitEthernet0/0,             disk0:/admin.cfg
                                 GigabitEthernet0/1,
                                 GigabitEthernet0/3
    Total active Security Contexts: 1

    asaP# show context detail
    Context "system", is a system resource
      Config URL: startup-config
      Real Interfaces:
      Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2,
         GigabitEthernet0/3, Internal-Control0/0, Internal-Data0/0, Management0/0
      Class: default, Flags: 0x00000819, ID: 0

    Context "admin", has been created
      Config URL: disk0:/admin.cfg
      Real Interfaces: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/3
      Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/3
      Real IPS Sensors:
      Mapped IPS Sensors:
      Class: default, Flags: 0x00000813, ID: 1

    Context "null", is a system resource
      Config URL: ... null
      Real Interfaces:
      Mapped Interfaces:
      Real IPS Sensors:
      Mapped IPS Sensors:
      Class: default, Flags: 0x00000809, ID: 257

Step 2  Complete the following substeps to confirm multiple context mode on the secondary security appliance:
1. After the secondary security appliance reboots, enter privileged EXEC mode. When prompted for a password, press Enter.

    asaP> enable
    Password: cisco123

2. Confirm that the security appliance is in multiple context mode.

    asaP# show mode
    Security context mode: multiple

3. Confirm that the secondary security appliance saved the original configuration as old_running.cfg.

    asaP# show disk0:
    -#- --length-- -----date/time------ path
      6   14524416 Jan 12 2008 08:30:41 asa802-k8.bin
      7       5758 Jan 12 2008 08:30:41 old_running.cfg
     10       4865 Jan 12 2008 08:30:41 admin.cfg
     21    6889764 Jan 12 2008 08:30:42 asdm-602.bin

4. Examine the current security contexts.

    asaP# show context
    Context Name      Class      Interfaces                      URL
    *admin            default    GigabitEthernet0/0,             disk0:/admin.cfg
                                 GigabitEthernet0/1,
                                 GigabitEthernet0/3
    Total active Security Contexts: 1

    asaP# show context detail
    Context "system", is a system resource
      Config URL: startup-config
      Real Interfaces:
      Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/2,
         GigabitEthernet0/3, Internal-Control0/0, Internal-Data0/0, Management0/0
      Class: default, Flags: 0x00000819, ID: 0

    Context "admin", has been created
      Config URL: disk0:/admin.cfg
      Real Interfaces: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/3
      Mapped Interfaces: GigabitEthernet0/0, GigabitEthernet0/1, GigabitEthernet0/3
      Real IPS Sensors:
      Mapped IPS Sensors:
      Class: default, Flags: 0x00000813, ID: 1

    Context "null", is a system resource
      Config URL: ... null
      Real Interfaces:
      Mapped Interfaces:
      Real IPS Sensors:
      Mapped IPS Sensors:
      Class: default, Flags: 0x00000809, ID: 257

Task 3: Create Security Contexts on the Primary Security Appliance

In this task, you will create a security context on the primary security appliance and allocate interfaces to both the admin context and the new context.

Activity Procedure

Complete these steps:

Step 1  Complete the following substeps to access Cisco ASDM:
1. From the system context, enable GigabitEthernet0/1.

    asaP(config)# int g0/1
    asaP(config-if)# no shut
    asaP(config-if)# exit

2. Change to the admin context.

    asaP(config)# changeto context admin

3. Configure the inside interface, GigabitEthernet0/1.

    asaP(config)# int g0/1
    asaP(config-if)# nameif inside
    asaP(config-if)# ip address 10.0.P.1 255.255.255.0
    asaP(config-if)# no shut
    asaP(config-if)# exit

Step 2  Launch Cisco ASDM on the primary security appliance.

Step 3  Click View in the menu bar.

Step 4  Choose Device List. The Device List is displayed.

Step 5  In the menu for device 10.0.P.1, double-click System.

Step 6  Verify that Cisco ASDM 6.0 for ASA - 10.0.P.1 | System is displayed in the title bar.

Step 7  Click the Configuration button in the Cisco ASDM toolbar.

Step 8  Click Context Management in the navigation pane.

Step 9  Click Interfaces. The Interfaces panel is displayed.

Step 10  Verify that all interfaces are enabled in the system context. Enable any interface that is not already enabled.
- GigabitEthernet0/0
- GigabitEthernet0/1
- GigabitEthernet0/2
- GigabitEthernet0/3
- Management0/0

Step 11  Click Apply.

Step 12  Complete the following substeps to disassociate GigabitEthernet0/3 from the admin context:
1. Click Security Contexts. The Security Contexts panel is displayed.
2. Click admin in the Security Contexts table.
3. Click Edit. The Edit Context window opens.
4. In the Interface Allocation panel, click GigabitEthernet0/3.
5. Click Delete.
6. Click OK.
7. Click Apply in the Security Contexts panel.

Step 13  Complete the following substeps to create a new context:
1. Click Add. The Add Context window opens.
2. Enter CTX1 in the Security Context field.
3. Click Add in the Interface Allocation panel. The Add Interface Allocation window opens.
4. Choose GigabitEthernet0/3 from the Physical Interface drop-down list.
5. Click OK.
6. Click Add again in the Add Context window. The Add Interface Allocation window opens.
7. Choose Management0/0 from the Physical Interface drop-down list.
8. Click OK.
9. Enter /CTX1.cfg in the Config URL field.
10. Click OK.
11. Click Apply in the Security Contexts panel.
12. If an Information window is displayed, click OK.

Task 4: Configure the CTX1 Context on the Primary Security Appliance

In this task, you will configure the CTX1 context.

Activity Procedure

Complete these steps:

Step 1  Complete the following substeps to verify that the interfaces for the admin context are already configured:
1. Double-click admin in the Device List.
2. Verify that Cisco ASDM 6.0 for ASA - 10.0.P.1 | active context:admin is displayed in the Cisco ASDM title bar.
3. Click Configuration in the Cisco ASDM toolbar.
4. Click Device Setup in the navigation pane.
5. Click Interfaces in the Device Setup menu. The Interfaces panel is displayed.
6. Verify that IP address 192.168.P.2 is assigned to GigabitEthernet0/0.
7. Verify that IP address 10.0.P.1 is assigned to GigabitEthernet0/1.

Step 2  Complete the following substeps to configure the interfaces for context CTX1:
1. Double-click CTX1 in the Device List. The Interfaces panel for CTX1 is displayed.
2. Click GigabitEthernet0/3.
3. Click Edit. The Edit Interface window opens.
4. Verify that the General tab is active. If it is not, click it to activate it.
5. Enter CTXOUT in the Interface Name field.
6. Enter 0 in the Security Level field.
7. Verify that the Enable Interface check box is checked. If it is not, click it.
8. Enter 192.168.30+P.2 in the IP Address field.
9. Choose 255.255.255.0 from the Subnet Mask drop-down list.
10. Click OK. The Security Level Change window opens.
11. Click OK.
12. In the Interfaces panel, click Management0/0.
13. Click Edit. The Edit Interface window opens.
14. Verify that the General tab is active. If it is not, click it to activate it.
15. Enter CTXIN in the Interface Name field.
16. Enter 100 in the Security Level field.
17. Uncheck the Dedicate This Interface to Management Only check box.
18. Verify that the Enable Interface check box is checked. If it is not, click it.
19. Enter 10.0.30+P.1 in the IP Address field.
20. Choose 255.255.255.0 from the Subnet Mask drop-down list.
21. Click OK. The Security Level Change window opens.
22. Click OK.
23. Click Apply.

Step 3  Complete the following substeps to add a default route:
1. Expand the Routing menu in the Device Setup menu.
2. Click Static Routes. The Static Routes panel is displayed.
3. Click Add. The Add Static Route window opens.
4. Verify that CTXOUT is selected in the Interface Name drop-down list.
5. Enter 0.0.0.0 in the IP Address field.
6. Choose 0.0.0.0 from the Mask drop-down list.
7. Enter 192.168.30+P in the Gateway IP field.
8. Click OK.
9. Click Apply.

Step 4  Complete the following substeps to add a static translation for the CTX1 inside host:
1. Click Firewall in the navigation pane.
2. Choose NAT Rules from the Firewall menu.
3. Click Add.
4. Choose Add Static NAT Rule. The Add Static NAT Rule window opens.
5. Verify that CTXIN is selected from the Interface drop-down list.
6. Enter 10.0.30+P.10 in the Source field.
7. Choose CTXOUT from the Interface drop-down list in the Translated area.
8. Verify that the Use IP Address radio button is selected.
9. Enter 192.168.30+P.10 in the Use IP Address field.
10. Click OK.
11. Click Apply.

Step 5  Complete the following substeps to add an ACL that allows access to the CTX1 inside host:
1. Click Access Rules in the Firewall menu. The Access Rules panel is displayed.
2. Click CTXOUT in the Access Rules table.
3. Click Add.
4. Choose Add Access Rule. The Add Access Rule window opens.
5. Verify that CTXOUT is selected from the Interface drop-down list.
6. Verify that the Permit radio button is selected.
7. Verify that any is displayed in the Source field.
8. Enter 192.168.30+P.0/24 in the Destination field.
9. Click the Service button. The Browse Service window opens.
10. Double-click tcp.
11. Click OK.
12. Verify that tcp is displayed in the Service field.
13. Click OK.

Step 6  Complete the following substeps to add an ACL that allows ICMP:
1. Click Add again in the Access Rules panel.
2. Choose Add Access Rule from the Add menu. The Add Access Rule window opens.
3. Verify that CTXOUT is selected from the Interface drop-down list. If it is not, select it.
4. Verify that the Permit radio button is selected.
5. Verify that any is displayed in the Source field.
6. Verify that any is displayed in the Destination field.
7. Click the Service ... button. The Browse Service window opens.
8. Double-click icmp. ICMP is displayed in the Selected Service field.
9. Click OK.
10. Click OK in the Add Access Rule window.
11. Click Apply.

Step 7  Click Save in the Cisco ASDM toolbar.

Step 8  Complete the following substeps to test connectivity:
1. From the corporate server, ping the Internet server. The ping should succeed.

    C:\> ping 172.26.26.50

2. From the corporate server, telnet to the backbone router. You should be able to telnet to the backbone router.

    C:\> telnet 192.168.P.1

Task 5: Prepare the Security Appliances for Active/Active Failover Configuration via Cisco ASDM

When you use the High Availability and Scalability Wizard to configure failover on the primary security appliance, Cisco ASDM configures the secondary security appliance for you. In order for Cisco ASDM to perform this configuration, the two security appliances must be able to communicate via HTTP. Complete the following steps to prepare the security appliances for active/active failover configuration via Cisco ASDM.

Activity Procedure
Complete these steps:

Step 1  Complete the following substeps to prepare the primary security appliance for failover configuration via Cisco ASDM:
1. Clear any existing configuration for the interface g0/2. In this lab, you will use interface g0/2 for the failover link.

    asaP(config)# clear configure interface g0/2

2. Enable the interface used for the failover link.

    asaP(config)# interface g0/2
    asaP(config-if)# no shut
    asaP(config-if)# exit

3. Change to the admin context on the primary security appliance.

    asaP(config)# changeto context admin

4. Verify that the primary security appliance is still configured to accept HTTP connections from the secondary security appliance.

    asaP/admin(config)# show run http
    http server enable
    http insidehost 255.255.255.255 inside
    http 10.0.P.7 255.255.255.255 inside

5. Save your configuration.

    asaP/admin(config)# write mem

Step 2  Complete the following substeps to prepare the secondary security appliance for failover configuration via Cisco ASDM:
1. Enter configuration mode on the secondary security appliance.

    asaP# config t

2. Clear any existing configuration for the interface g0/2. In this lab, you will use interface g0/2 for the failover link.

    asaP(config)# clear configure interface g0/2

3. Enable the interface used for the failover link.

    asaP(config)# interface g0/2
    asaP(config-if)# no shut
    asaP(config-if)# exit

4. Change to the admin context.

    asaP(config)# changeto context admin

5. Enter configuration mode for GigabitEthernet0/1.

    asaP/admin(config)# int g0/1

6. Name the interface.

    asaP/admin(config-if)# nameif inside

7. Assign an IP address to the interface.

    asaP/admin(config-if)# ip address 10.0.P.7 255.255.255.0

8. Enable the interface.

    asaP/admin(config-if)# no shut

9. Exit interface configuration mode.

    asaP/admin(config-if)# exit

10. Verify that the secondary security appliance is configured to accept HTTP connections from host 10.0.P.10.

    asaP/admin(config)# show run http
    http server enable
    http 10.0.P.10 255.255.255.255 inside
    http 10.0.P.7 255.255.255.255 inside

11. Configure the secondary security appliance to accept HTTP connections from the primary security appliance.

    asaP/admin(config)# http 10.0.P.1 255.255.255.255 inside

12. Save your configuration.

    asaP/admin(config)# write mem

Task 6: Use the Cisco ASDM High Availability and Scalability Wizard to Configure Active/Active Failover

In this task, you will use the High Availability and Scalability Wizard to configure the primary security appliance for active/active failover. You will then allow Cisco ASDM to configure the secondary security appliance for active/active failover.

Activity Procedure

Complete these steps:

Step 1  Launch Cisco ASDM on the primary security appliance.

Step 2  Verify that the Device List is displayed. If it is not, click View in the menu bar, and choose Device List to display it.

Step 3  In the menu for device 10.0.P.1, double-click System.

Step 4  Click Wizards in the Cisco ASDM menu bar.

Step 5  Choose High Availability and Scalability Wizard. The High Availability and Scalability Wizard opens.

Step 6  On the first wizard page, verify that the Configure Active/Active Failover radio button is selected. If it is not, click it to select it.

Step 7  Click Next. The Failover Peer Connectivity and Compatibility Check page of the wizard is displayed.

Step 8  Enter 10.0.P.7 in the Peer IP Address field.

Step 9  Click Next. A security warning is displayed.

Step 10  Click Yes. The Enter Network Password window opens.

Step 11  Enter cisco123 in the Password field.

Step 12  Click Login. The compatibility tests are completed and the Security Context Configuration page displays the admin and CTX1 contexts.

Step 13  Click Group 1 in the Failover Group column for CTX1.

Step 14  Choose Group 2 from the drop-down list.

Step 15  Click Next. The LAN Link Configuration page of the wizard is displayed.

Step 16  Verify that GigabitEthernet0/2 is selected from the Interface drop-down list. If it is not, select it.

Step 17  Enter MYFAILOVER in the Logical Name field.

Step 18  Enter 172.17.P.1 in the Active IP Address field.

Step 19  Enter 172.17.P.7 in the Standby IP Address field.

Step 20  Choose 255.255.255.0 from the Subnet Mask drop-down list.

Step 21  Enter 1234567 in the Secret Key field.

Step 22  Click Next. The State Link Configuration page of the wizard is displayed.

Step 23  Click the Use the LAN Link as the State Link radio button.

Step 24  Click Next. The Standby Address Configuration page of the wizard is displayed.

Step 25  Complete the following substeps to assign standby IP addresses to the interfaces that are allocated to the admin context:
1. Double-click in the Standby IP Address column for the outside interface.
2. Enter 192.168.P.7 in the field that becomes active.
3. Press Enter.
4. Double-click in the Standby IP Address column for the inside interface.
5. Enter 10.0.P.7 in the field that becomes active.
6. Press Enter.
7. Click Next. The Summary page of the wizard is displayed.

Step 26  Click Finish. The Waiting for Config Sync window opens.

Step 27  Wait while the configuration is synchronized between the security appliances.

Step 28  An Information window displays the following message: Failover configuration is complete. Configuration synchronization between the pair may take up to a few minutes. During that time, ASDM may lose connectivity to the device. After a few minutes, click on the Refresh button on the tool bar to regain connection.

Step 29  Click OK.

Step 30  Click Save in the Cisco ASDM toolbar.

Step 31  Complete the following substeps to check the failover status:
1. Click Tools in the Cisco ASDM menu bar.
2. Click Command Line Interface. The Command Line Interface window opens.
3. Enter show failover in the Command field.
4. Click Send. The Response field displays the following output:

    Failover On
    Failover unit Primary
    Failover LAN Interface: MYFAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 250 maximum
    Version: Ours 8.0(2), Mate 8.0(2)
    Group 1 last failover at: 19:54:49 UTC Jan 24 2008
    Group 2 last failover at: 19:55:00 UTC Jan 24 2008

      This host:    Primary
      Group 1       State:          Active
                    Active time:    765 (sec)
      Group 2       State:          Active
                    Active time:    765 (sec)

                    slot 0: ASA5520 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                      admin Interface inside (10.0.P.1): Normal
                      admin Interface outside (192.168.P.2): Normal
                      CTX1 Interface ctxin (10.0.30+P.1): Normal (Waiting)
                      CTX1 Interface ctxout (192.168.30+P.2): Normal (Waiting)
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up

      Other host:   Secondary
      Group 1       State:          Standby Ready
                    Active time:    0 (sec)
      Group 2       State:          Standby Ready
                    Active time:    0 (sec)

                    slot 0: ASA5520 hw/sw rev (1.1/8.0(2)) status (Up Sys)
                      admin Interface inside (10.0.P.7): Normal
                      admin Interface outside (192.168.P.7): Normal
                      CTX1 Interface ctxin (10.0.30+P.7): Normal
                      CTX1 Interface ctxout (192.168.30+P.7): Normal
                    slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
                      IPS, 6.0(1)E1, Up

    Stateful Failover Logical Update Statistics
            Link : MYFAILOVER GigabitEthernet0/2 (up)
            Stateful Obj    xmit    xerr    rcv     rerr
            General         26      0       24      0
            sys cmd         24      0       24      0
            up time         0       0       0       0
            RPC services    0       0       0       0
            TCP conn        0       0       0       0
            UDP conn        0       0       0       0
            ARP tbl         1       0       0       0
            Xlate_Timeout   0       0       0       0
            SIP Session     0       0       0       0

            Logical Update Queue Information
                            Cur     Max     Total
            Recv Q:         0       1       24
            Xmit Q:         0               25

Step 32  Close the Command Line Interface window.
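The tasks above repeatedly ask you to read show failover output and confirm that the units are in the expected state and that every interface has normalized. The following health check is an added example (it is not part of the lab guide or of Cisco's tooling): it parses both the single-mode form of the output and the failover-group form shown after the wizard runs, and flags a unit that is not Active or Standby Ready, an interface still in "Normal (Waiting)", two Active units for the same scope, and an Unconfigured stateful link. The two captures embedded in it are constructed from this lab's output with pod number P=1.

```python
"""Health check for Cisco ASA 'show failover' output (added example; not from the lab guide)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (P=1), trimmed from the active/standby output captured in Lab 18-1
# before the stateful link was configured.
ACTIVE_STANDBY_SAMPLE = """\
Failover On
Failover unit Primary
        This host: Primary - Standby Ready
                  Interface outside (192.168.1.7): Normal
                  Interface inside (10.0.1.7): Normal
        Other host: Secondary - Active
                  Interface outside (192.168.1.2): Normal
                  Interface inside (10.0.1.1): Normal
Stateful Failover Logical Update Statistics
        Link : Unconfigured.
"""

# Constructed sample (P=1), trimmed from the active/active output seen right after the
# wizard finishes: the CTX1 interfaces are still waiting for the peer.
ACTIVE_ACTIVE_SAMPLE = """\
Failover On
        This host: Primary
                Group 1 State: Active
                Group 2 State: Active
                  admin Interface inside (10.0.1.1): Normal
                  CTX1 Interface ctxin (10.0.31.1): Normal (Waiting)
                  CTX1 Interface ctxout (192.168.31.2): Normal (Waiting)
        Other host: Secondary
                Group 1 State: Standby Ready
                Group 2 State: Standby Ready
                  admin Interface inside (10.0.1.7): Normal
                  CTX1 Interface ctxin (10.0.31.7): Normal
                  CTX1 Interface ctxout (192.168.31.7): Normal
        Link : MYFAILOVER GigabitEthernet0/2 (up)
"""

@dataclass
class Unit:
    role: str
    states: Dict[str, str] = field(default_factory=dict)      # "unit" or "Group N" -> state
    interfaces: Dict[str, str] = field(default_factory=dict)  # "[context/]name" -> status

@dataclass
class FailoverStatus:
    enabled: bool = False
    units: Dict[str, Unit] = field(default_factory=dict)      # "Primary"/"Secondary" -> Unit
    stateful_link: str = "Unconfigured"

HOST_RE = re.compile(r"^(?:This|Other) host:\s+(Primary|Secondary)(?:\s+-\s+(.+))?$")
GROUP_RE = re.compile(r"^Group (\d+) State:\s+(.+)$")
IFACE_RE = re.compile(r"^(?:(\S+)\s+)?Interface (\S+) \([^)]*\):\s+(.+)$")
LINK_RE = re.compile(r"^Link :\s+(.+)$")

def parse_show_failover(text: str) -> FailoverStatus:
    """Parse the single-mode and the multiple-mode (failover group) forms of the output."""
    status, unit = FailoverStatus(), None
    for line in (ln.strip() for ln in text.splitlines()):
        if line in ("Failover On", "Failover Off"):
            status.enabled = line == "Failover On"
        elif m := HOST_RE.match(line):
            unit = Unit(role=m.group(1))
            if m.group(2):                      # active/standby: the state is on the host line
                unit.states["unit"] = m.group(2).strip()
            status.units[unit.role] = unit
        elif m := LINK_RE.match(line):
            status.stateful_link = m.group(1).strip()
        elif unit is not None and (m := GROUP_RE.match(line)):
            unit.states["Group " + m.group(1)] = m.group(2).strip()
        elif unit is not None and (m := IFACE_RE.match(line)):
            ctx, name, state = m.groups()
            unit.interfaces[f"{ctx}/{name}" if ctx else name] = state.strip()
    return status

HEALTHY = {"Active", "Standby Ready"}

def check_failover(status: FailoverStatus, expect_active: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means the pair is in a state you can rely on."""
    if not status.enabled:
        return ["failover is Off"]
    if set(status.units) != {"Primary", "Secondary"}:
        return ["output does not describe both a Primary and a Secondary unit"]
    findings = []
    for u in status.units.values():
        for scope, state in u.states.items():
            if state not in HEALTHY:
                findings.append(f"{u.role} {scope} is '{state}', not Active/Standby Ready")
        for name, state in u.interfaces.items():
            if state != "Normal":               # e.g. "Normal (Waiting)" or "Failed"
                findings.append(f"{u.role} interface {name} is '{state}': not normalized")
    primary, secondary = status.units["Primary"], status.units["Secondary"]
    for scope in primary.states:                # one Active per scope: two = split brain, none = outage
        pair = (primary.states.get(scope), secondary.states.get(scope))
        if pair.count("Active") != 1:
            findings.append(f"{scope}: expected exactly one Active unit, got {pair}")
        elif expect_active and status.units[expect_active].states.get(scope) != "Active":
            findings.append(f"{scope}: {expect_active} is not Active")
    if status.stateful_link.startswith("Unconfigured"):
        findings.append("stateful link Unconfigured: connections will not survive a failover")
    return findings

if __name__ == "__main__":
    for label, text in (("active/standby", ACTIVE_STANDBY_SAMPLE), ("active/active", ACTIVE_ACTIVE_SAMPLE)):
        print(label, check_failover(parse_show_failover(text), expect_active="Primary") or "OK")
```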
Task 7: Configure Standby IP Addresses for CTX1
In this task, you will configure the standby IP addresses for CTX1 that were not configured by the wizard.
Activity Procedure
Complete these steps:
Step 1 In the Cisco ASDM Device List, double-click CTX1.
Step 2 Click Configuration in the Cisco ASDM toolbar.
Step 3 Click Device Management in the navigation pane.
Step 4 Expand the High Availability menu.
Step 5 Click Failover. The Failover panel is displayed.
Step 6 Verify that ctxin is highlighted in the table.
Step 7 Click Edit. The Edit Failover Interface Configuration window opens.
Step 8 Enter 10.0.30+P.7 in the Standby IP Address field.
Step 9 Click OK.
Step 10 Click ctxout in the Interface Name column of the Failover panel.
Step 11 Click Edit. The Edit Failover Interface Configuration window opens.
Step 12 Enter 192.168.31.7 in the Standby IP Address field.
Step 13 Click OK.
Step 14 Click Apply.

Task 8: Exercise Active/Active Failover
In this task, you will exercise active/active failover.
Activity Procedure
Complete these steps:
Step 1 From the primary device console, enter the system context.
    asaP/admin(config)# changeto system
    asaP(config)#
Step 2 View the failover statistics. Notice that the primary groups 1 and 2 are both active. Notice that secondary groups 1 and 2 are in the standby ready state. Also notice the host addresses of each interface. The standby interface addresses end in .7.
    asaP(config)# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: MYFAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 250 maximum
    Version: Ours 8.0(2), Mate 8.0(2)
    Group 1 last failover at: 19:54:49 UTC Jan 24 2008
    Group 2 last failover at: 19:55:00 UTC Jan 24 2008

    This host:    Primary
      Group 1     State:          Active
                  Active time:    3668 (sec)
      Group 2     State:          Active
                  Active time:    3668 (sec)

      slot 0: ASA5520 hw/sw rev (1.1/8.0(2)) status (Up Sys)
        admin Interface inside (10.0.P.1): Normal
        admin Interface outside (192.168.P.2): Normal
        CTX1 Interface ctxin (10.0.30+P.1): Normal
        CTX1 Interface ctxout (192.168.30+P.2): Normal
      slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
        IPS, 6.0(1)E1, Up

    Other host:   Secondary
      Group 1     State:          Standby Ready
                  Active time:    0 (sec)
      Group 2     State:          Standby Ready
                  Active time:    0 (sec)

      slot 0: ASA5520 hw/sw rev (1.1/8.0(2)) status (Up Sys)
        admin Interface inside (10.0.P.7): Normal
        admin Interface outside (192.168.P.7): Normal
        CTX1 Interface ctxin (10.0.30+P.7): Normal
        CTX1 Interface ctxout (192.168.30+P.7): Normal
      slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
        IPS, 6.0(1)E1, Up

    Stateful Failover Logical Update Statistics
        Link : MYFAILOVER GigabitEthernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         494        0          485        0
        sys cmd         485        0          485        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         9          0          0          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       485
        Xmit Q:         0       1       494
Step 3 Verify that the interfaces have normalized before proceeding.
Step 4 From the corporate server, perform a continuous ping to host 172.26.26.50.
    C:\>ping 172.26.26.50 -t
Step 5 From the corporate server, open a Telnet session to the backbone router.
Note If you are prompted for a password before the router prompt is displayed, enter cisco as the password.
    C:\>telnet 192.168.P.1
    SNAF-RBB> enable
    Password:
    Password:
    Password:
    % Bad passwords
    SNAF-RBB>
Step 6 Force the peer security appliance to become active.
    asaP(config)# no failover active
Step 7 After the failover, verify that the ping is still active and that the Telnet session is still open. From the Telnet session, enter the following:
    SNAF-RBB> enable
    Password:
    Password:
    Password:
    % Bad passwords
    SNAF-RBB>
Step 8 Close the Telnet session and stop the pings.
Step 9 From the primary failover device console, view the failover statistics.
    asaP(config)# show failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: MYFAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 4 of 250 maximum
    Version: Ours 8.0(2), Mate 8.0(2)
    Group 1 last failover at: 22:54:49 UTC Jan 24 2008
    Group 2 last failover at: 22:55:00 UTC Jan 24 2008

    This host:    Primary
      Group 1     State:          Standby Ready
                  Active time:    4852 (sec)
      Group 2     State:          Standby Ready
                  Active time:    4852 (sec)

      slot 0: ASA5520 hw/sw rev (1.1/8.0(2)) status (Up Sys)
        admin Interface inside (10.0.P.7): Normal
        admin Interface outside (192.168.P.7): Normal
        CTX1 Interface ctxin (10.0.30+P.7): Normal
        CTX1 Interface ctxout (192.168.30+P.7): Normal
      slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
        IPS, 6.0(1)E1, Up

    Other host:   Secondary
      Group 1     State:          Active
                  Active time:    277 (sec)
      Group 2     State:          Active
                  Active time:    277 (sec)

      slot 0: ASA5520 hw/sw rev (1.1/8.0(2)) status (Up Sys)
        admin Interface inside (10.0.P.1): Normal
        admin Interface outside (192.168.P.2): Normal
        CTX1 Interface ctxin (10.0.30+P.1): Normal
        CTX1 Interface ctxout (192.168.30+P.2): Normal
      slot 1: ASA-SSM-10 hw/sw rev (1.0/6.0(1)E1) status (Up/Up)
        IPS, 6.0(1)E1, Up

    Stateful Failover Logical Update Statistics
        Link : MYFAILOVER GigabitEthernet0/2 (up)
        (counter table and Logical Update Queue Information as in the previous output; the values in this scan are not legible)
Notice that after the failover, the IP addresses of the primary security appliance interfaces end in .7, and the addresses of the secondary security appliance interfaces end in .1 or .2. The interface addresses switched between the primary and secondary units because of the failover.

Task 9: Return the Failover Devices to Single Mode
In this task, you will return the failover devices to single mode.
Activity Procedure
Complete these steps:
Step 1 From the primary security appliance console (system context), make the primary security appliance active.
    asaP(config)# failover active
Step 2 From the primary security appliance console (system context), disable failover.
    asaP(config)# no failover
Step 3 Return the primary security appliance to single mode. When prompted to confirm, press Enter.
    asaP(config)# mode single
    WARNING: This command will change the behavior of the device
    WARNING: This command will initiate a Reboot
    Proceed with change mode? [confirm]
Step 4 After the primary security appliance reboots, enter privileged EXEC mode. When prompted for a password, enter cisco123.
    asaP> enable
    Password: cisco123
    asaP#
Step 5 Erase the configuration on the primary security appliance. When prompted to confirm, press Enter.
    asaP# write erase
    Erase configuration in flash memory? [confirm]
Step 6 Reload the primary security appliance. When prompted to confirm, press Enter.
    asaP# reload
    Proceed with reload? [confirm]
Step 7 After the primary security appliance reboots, you are prompted to bootstrap it through interactive prompts. Press Ctrl-Z to escape. The unprivileged mode prompt is displayed.
    Pre-configure Firewall now through interactive prompts [yes]?
    Type help or '?' for a list of available commands.
    ciscoasa>
Step 8 Enter privileged EXEC mode. When prompted for a password, press Enter.
    ciscoasa> enable
    Password:
    ciscoasa#
Step 9 Enter configuration mode.
    ciscoasa# config t
    ciscoasa(config)#
Step 10 Copy the configuration you saved at the beginning of this lab activity to the running configuration. When prompted for the source and destination file names, press Enter.
    ciscoasa(config)# copy disk0:/saved.cfg run
    Source filename [saved.cfg]?
    Destination filename [running-config]?
Step 11 Save the configuration.
Step 12 From the secondary security appliance console (system context), disable failover.
    asaP(config)# no failover
Step 13 Return the secondary security appliance to single mode. When prompted to confirm, press Enter.
    asaP(config)# mode single
    WARNING: This command will change the behavior of the device
    WARNING: This command will initiate a Reboot
    Proceed with change mode? [confirm]
Step 14 After the secondary device reboots, enter privileged EXEC mode. When prompted for a password, enter cisco123.
    asaP> enable
    Password: cisco123
    asaP#
Step 15 Erase the configuration on the secondary security appliance. When prompted to confirm, press Enter.
    asaP# write erase
    Erase configuration in flash memory? [confirm]
Step 16 Reload the secondary security appliance. When prompted to confirm, press Enter.
    asaP# reload
    Proceed with reload? [confirm]
Step 17 Close any open windows.

Lab 19-1: Manage the Security Appliance
Complete this lab activity to practice what you learned in the related lesson.
Objectives
In this activity, you will manage the security appliance.
After completing this activity, you will be able to meet these objectives:
- Configure the student PC networking parameters
- Configure enable-level command authorization with passwords
- Test enable-level command authorization
- Generate an RSA key pair for encrypted SSH sessions
- Establish an SSH connection to the security appliance
- Configure command authorization using the local user database
- Test command authorization using the local user database
- Upgrade the security appliance software image

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 19-1 Visual Objective. Only the network 192.168.P.0 and the student PC label are legible in the scan.]

Task 1: Configure Enable-Level Command Authorization with Passwords
In this task, you will enable command authorization with privileged mode passwords.
Activity Procedure
Complete these steps:
Step 1 Launch Cisco ASDM from the corporate server.
Step 2 Complete the following substeps to configure privilege levels for CLI commands:
1. Click Configuration.
2. Click Device Management in the navigation pane.
3. Expand the Users/AAA menu.
4. Click AAA Access. The Authentication, Authorization, and Accounting tabs are displayed.
5. Click the Authorization tab.
6. In the Enable Authorization for ASA Command Access area, check the Enable check box.
7. Click Configure Command Privileges. The Command Privilege Setup window opens.
8. From the Command Mode drop-down list, choose exec.
9. Click configure in the CLI Command list.
10. Click Edit. The Select Command(s) Privilege window opens.
11. Choose 10 from the Privilege Level drop-down list.
12. Click OK.
13. Click the show variant of the nameif command in the CLI Command list.
14. Click Edit.
15. Choose 10 from the Privilege Level drop-down list.
16. Click OK.
17. Choose interface from the Command Mode drop-down list.
18. Click the nameif configuration command in the CLI Command list.
19. Click Edit. The Select Command(s) Privilege window opens.
20. Choose 12 from the Privilege Level drop-down list.
21. Click OK.
22. Choose configure from the Command Mode drop-down list.
23. Click the interface configuration command in the CLI Command list.
24. Click Edit.
25. Choose 10 from the Privilege Level drop-down list.
26. Click OK.
27. Click OK in the Command Privilege Setup window.
28. Click Apply in the Authorization tab.
Step 3 Complete the following substeps to use the CLI to assign passwords to privilege levels:
1. Assign an enable password for privilege level 15.
    asaP(config)# enable password prmode15
2. Assign an enable password to privilege level 10.
    asaP(config)# enable password prmode10 level 10
3. Assign an enable password to privilege level 12.
    asaP(config)# enable password prmode12 level 12
4. Log out of the CLI.
    asaP(config)# exit
    asaP# exit
    Logoff
    Type help or '?' for a list of available commands.
    asaP>

Task 2: Test Enable-Level Command Authorization
In this task, you will test the command authorization that you configured in Task 1.
Activity Procedure
Complete these steps:
Step 1 Enter privileged mode level 12. When prompted for a password, enter prmode12.
    asaP> enable 12
    Password:
    asaP#
Step 2 Enter configuration mode.
    asaP# config t
Step 3 Verify that you can use the interface command.
    asaP(config)# interface g0/3
Step 4
    asaP(config-if)# show interface
    Interface GigabitEthernet0/0 "outside", is up, line protocol is up
      Hardware is i82546GB rev03, BW 1000 Mbps
            Auto-Duplex(Full-duplex), 100 Mbps (100 Mbps)
            MAC address 0013.c422.2e52, MTU 1500
            IP address 192.168.P.2, subnet mask 255.255.255.0
            2322 packets input, 643052 bytes, 0 no buffer
            Received 1300 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored,
Step 5 Verify that you can use the nameif command.
    asaP(config-if)# nameif PRIVTEST
Step 6 View your configuration.
    asaP(config-if)# show nameif
    Interface                Name        Security
    GigabitEthernet0/0       outside     0
    GigabitEthernet0/1       inside      100
    GigabitEthernet0/3       PRIVTEST    0
Step 7 Verify that you cannot use the shutdown command.
    asaP(config-if)# no shut
    ERROR: % Invalid input detected at '^' marker.
    ERROR: Command authorization failed
Step 8 Return to privileged EXEC mode.
    asaP(config-if)# exit
    asaP(config)# exit
    asaP#
Step 9 Exit privileged mode.
    asaP# exit
    Logoff
    Type help or '?' for a list of available commands.
    asaP>
Step 10 Enter privileged mode level 10. When prompted for a password, enter prmode10.
    asaP> enable 10
    Password:
    asaP#
Step 11 Enter configuration mode.
    asaP# config t
    asaP(config)#
Step 12 Verify that you can use the interface command.
    asaP(config)# interface g0/3
    asaP(config-if)#
Step 13 Try to use the nameif command.
    asaP(config-if)# nameif PRIVTEST2
    ERROR: % Invalid input detected at '^' marker.
    ERROR: Command authorization failed
Step 14 Exit interface configuration mode.
    asaP(config-if)# exit
    asaP(config)#
Step 15 Exit configuration mode.
    asaP(config)# exit
    asaP#
Step 16 Exit privileged mode.
    asaP# exit
    Logoff
    Type help or '?' for a list of available commands.
    asaP>
Step 17 Enter privileged mode. When prompted for a password, enter prmode15.
    asaP> enable
    Password:
    asaP#
Step 18 Enter configuration mode.
    asaP# config t
    asaP(config)#

Task 3: Generate an RSA Key Pair for Encrypted SSH Sessions
In this task, you will generate an RSA key pair to encrypt the SSH terminal session.
Activity Procedure
Complete these steps:
Step 1 Delete any previously created RSA keys.
    asaP(config)# crypto key zeroize rsa
Step 2 Save the CA state to complete the erasure of the old RSA key pair.
    asaP(config)# write memory
Step 3 Configure the domain name.
    asaP(config)# domain-name training.com
Step 4 Generate an RSA key pair to use to encrypt SSH sessions.
    asaP(config)# crypto key generate rsa modulus 1024
    INFO: The name for the keys will be:
    Keypair generation process begin. Please wait...
Step 5 Save the keys to flash memory.
    asaP(config)# write memory
Step 6 View your public key.
    asaP(config)# show crypto key mypubkey rsa
    Key pair was generated at: 12:36:03 UTC Feb 14 2008
    Key name:
    Usage: General purpose Key
    Modulus Size (bits): 1024
    Key Data:
    (public key hex dump omitted)

Task 4: Establish an SSH Connection to the Security Appliance
In this task, you will securely connect to your security appliance via SSH.
Activity Procedure
Complete these steps:
Step 1 Enable SSH debugging.
    asaP(config)# debug ssh
    debug ssh enabled at level 1
Step 2 Grant SSH access to your inside subnet.
    asaP(config)# ssh 10.0.P.0 255.255.255.0 inside
Step 3 Set the SSH inactivity timeout to 30 minutes.
    asaP(config)# ssh timeout 30
Step 4 Double-click the Shortcut to TTSSH icon on your desktop.
Step 5 Enter 10.0.P.1, the IP address of the security appliance inside interface, in the Host field.
Step 6 Select the SSH radio button.
Step 7 Click OK.
Step 8 When prompted to save the keys, click Continue.
Step 9 Log in to the security appliance. Enter pix as the username and cisco as the password.
Step 10 Enter privileged mode. When prompted for a password, enter prmode15.
    asaP> enable
    Password:
    asaP#
Step 11 Enter configuration mode.
    asaP# config t
    asaP(config)#
Step 12 Use the show ssh sessions command to view the status of your SSH session.
    asaP(config)# show ssh sessions
    SID  Client IP    Version  Mode  Encryption  Hmac  State           Username
    0    insidehost   1.5      -     3DES        -     SessionStarted  pix
Step 13 Disconnect your SSH session.
    asaP(config)# ssh disconnect 0
Step 14 Return to your Telnet session window. Change the Telnet password on the security appliance from cisco to sshpass.
    asaP(config)# passwd sshpass
Step 15 Exit configuration mode.
    asaP(config)# exit
    asaP#
Step 16 Exit privileged mode.
    asaP# exit
    Logoff
    Type help or '?' for a list of available commands.
    asaP>
Step 17 Minimize your Telnet window. Do not close it.
Note Leave this Telnet session open throughout the rest of this lab activity.
Step 18 Establish another SSH session to your security appliance. When prompted to authenticate, enter pix as the username and sshpass as the password.

Task 5: Configure Command Authorization Using the Local User Database
In this task, you will configure local user authentication via a secure SSH session.
Activity Procedure
Complete these steps:
Step 1 Return to the Cisco ASDM session on the corporate server.
Step 2 Complete the following substeps to configure local user authentication via a secure SSH session:
1. Click User Accounts from the Users/AAA menu in the Cisco ASDM navigation pane. The User Accounts panel is displayed.
2. Click Add. The Add User Account window opens.
3. Enter user12 in the Username field.
4. Enter user12pass in the Password field.
5. Enter user12pass in the Confirm Password field.
6. Enter 12 in the Privilege Level field.
7. Click OK.
8. Click Add again in the User Accounts panel. The Add User Account window opens.
9. Enter admin in the Username field.
10. Enter adminpass in the Password field.
11. Enter adminpass in the Confirm Password field.
12. Choose 15 from the Privilege Level drop-down list.
13. Click OK.
Step 3 Complete the following substeps to enable authentication using the LOCAL database:
1. Click AAA Access in the Users/AAA menu.
2. Click the Authentication tab.
3. In the Require Authentication to Allow Use of Privileged Mode Commands area, check the Enable check box.
4. Click Apply.
Step 4 Disconnect your SSH session.

Task 6: Test Command Authorization Using the Local User Database
In this task, you will test command authorization with local user authentication.
Activity Procedure
Complete these steps:
Step 1 Return to your Telnet session.
Step 2 Enter privileged mode. When prompted for a username, enter user12. When prompted for a password, enter user12pass.
    asaP> enable
    Username:
    Password:
    asaP#
Step 3 Enter configuration mode.
    asaP# config t
    asaP(config)#
Step 4 View the user that is currently logged in.
    asaP(config)# show curpriv
    Username : user12
    Current privilege level : 12
    Current Mode/s : P_PRIV P_CONF
Step 5 Verify that you can use the interface and nameif commands. Attempt to change the name of GigabitEthernet0/3.
    asaP(config)# interface g0/3
    asaP(config-if)# nameif BOB
Step 6 View your configuration.
    asaP(config-if)# show nameif
    Interface                Name       Security
    GigabitEthernet0/0       outside    0
    GigabitEthernet0/1       inside     100
    GigabitEthernet0/3       BOB        50
Step 7 Return to global configuration mode, and try to create a static mapping for DMZ host 172.16.P.4.
    asaP(config-if)# exit
    asaP(config)# static (dmz,outside) 192.168.P.18 172.16.P.4 netmask 255.255.255.255
    ERROR: % Invalid input detected at '^' marker.
    ERROR: Command authorization failed
Step 8 Log out of the user12 account.
    asaP(config)# logout
    Logoff
    Type help or '?' for a list of available commands.
    asaP>
Step 9 Log in to the admin account. When prompted for a username, enter admin. When prompted for a password, enter adminpass.
    asaP> login
    Username:
    Password:
    asaP#
Step 10 Enter configuration mode.
    asaP# config t
    asaP(config)#
Step 11 Clear your AAA, enable password, and privilege configurations.
    asaP(config)# clear configure aaa
    asaP(config)# clear configure privilege
    asaP(config)# enable password
Step 12 Save your configuration.
    asaP(config)# write memory

Task 7: Upgrade the Security Appliance Software Image
In this task, you will load the security appliance image using TFTP.
Activity Procedure
Complete these steps:
Step 1 Double-click the Tftpd32.exe file on the desktop of your corporate server to open TFTP.
Step 2 Complete the following substeps to upgrade the software image on the security appliance:
1. Close your Cisco ASDM session if it is still running on your corporate server.
2. Relaunch Cisco ASDM.
3. Return to the Cisco ASDM session on the corporate server.
4. Click Tools in the Cisco ASDM menu bar.
5. Choose Upgrade Software from Local Computer. The Upgrade Software window opens.
6. Choose ASA from the Image to Load drop-down list.
7. Click Browse Local Files to browse to the ASA image file, which is located on the corporate server desktop.
8. Click Upload Image. After the security appliance has received the image, the ASA window displays the following message:
    Image has been uploaded to flash successfully. Do you want to set this image as the boot image?
9. Click Yes. An Information window opens.
10. Click OK.
Step 3 Click Save in the Cisco ASDM toolbar. The Save Running Configuration to Flash window opens.
Step 4 Click Apply.
Step 5 Complete the following substeps to reload the security appliance:
1. Click Tools in the Cisco ASDM menu bar.
2. Choose System Reload. The System Reload window opens.
3. Verify that the Now radio button is selected. If it is not, click it.
4. Click Schedule Reload. The Confirm Schedule Reload window opens.
5. Click Yes. The Reload Status window opens.
6. Click Exit ASDM.
Step 6 After the security appliance reboots, launch Cisco ASDM.
Step 7 Click Home in the Cisco ASDM toolbar.
Step 8 Verify that the Device Dashboard tab is active. If it is not, click it to activate it.
Step 9 Verify that the General tab is active. If it is not, click it to activate it.
Step 10 On the General tab, verify that you have loaded Cisco ASA Software Version 8.0(3).

Answer Key
The correct answers for the questions in this guide appear here.

Lab 3-1 Answer Key: Prepare to Use Cisco ASDM to Configure the Security Appliance
The following are the answers to the questions in this lab activity.
Q1) How many commands are listed? 10
Q2) How many commands are listed? 63
Q3) What is the ASA image version? 8.0(2)
Q4) What is the ASDM version? 6.0(2)
Q5) What model is your ASA? 5520
Q6) How many VLANs does the license support? 150
Q7) What type of failover does the license support, if any? active/active
Q8) Is VPN-DES enabled? yes
Q9) Is VPN-3DES-AES enabled? yes
Q10) How many security contexts does the license support? 2
Q11) How many VPN peers does the license support? 750
Q12) How many WebVPN peers does the license support? 2
Q13) What is the host name? asa.training.com
Q14) What is the security appliance version? 8.0(2)
Q15) What is the ASDM version? 6.0(2)
Q16) What is the device type? ASA 5520
Q17) What is the firewall mode? Routed
Q18) What is the context mode? Single
Q19) What is the total flash memory? 64 MB
Q20) What is the total memory? 512 MB
Q21) Encryption: 3DES-AES
Q22) Failover: active/active
Q23) Maximum VLANs: 150
Q24) Clientless SSL VPN Peers: 2
Q25) GTP/GPRS: Disabled
Q26) VPN Peers: 750
Q27) Maximum physical interfaces: Unlimited
Q28) License: VPN Plus

Lab 5-1 Answer Key: Configure Translations
The following are the answers to the questions in this lab activity. High port numbers (above 1024) may vary.
Q1) How many translations are in use in the translation table? 1
Q2) What does the translation flag "i" mean? dynamic
Q3) How many connections are in use in the connection table? 1
List the HTTP connection table host entries here.
    TCP out (host) bastionhost: (port) 80 in (host) insidehost: (port) 1051
Note If you open another browser window and make the connection, you will get two connections. If you just refresh, you will still have just one.
Q4) What does the connection flag UIO mean? up, inbound data, outbound data
Q5) How many translations are in use in the translation table? 1
List the translation table host entries here.
    Global 172.16.1.20 Local insidehost
Q6) How many TCP connections are in use in the connection table? 2
List the connection table host entries below. (You may have to refresh the HTTP connection to see both connections.)
    TCP out (host) bastionhost: (port) 21 in (host) insidehost: (port) 1052
    TCP out (host) bastionhost: (port) 80 in (host) insidehost: (port) 1053
Q7) How many translations are in the translation table? 2
Q8) List the translation table host entries here.
    Global 192.168.P.21 Local insidehost
    Global 172.16.P.21 Local insidehost
Q9) How many TCP connections are in the connection table? 3
List the connection host entries below. You may have to refresh the HTTP connection to see all connections.
    TCP out (host) bastionhost: (port) 80 in (host) insidehost: (port) 1052
    TCP out (host) 192.168.P.1 (port) 23 in (host) insidehost: (port) 1053
    TCP out (host) bastionhost: (port) 21 in (host) insidehost: (port) 1054
Q10) How many translations are in use? none
Q11) How many connections are in use? none

Lab 11-1 Answer Key: Configure Advanced Protocol Inspection on the Security Appliance
The following are the answers to the questions in this lab activity.
Q1) What is the default class map name? inspection_default
Q2) What is the matching criterion for this class? default-inspection-traffic
Q3) What is the default Layer 3/4 policy map name? global_policy
Q4) What is the class for this policy map? inspection_default
Q5) By default, which protocols are inspected by the security appliance? DNS, FTP, H.323 H.225, H.323 RAS, NetBIOS, RSH, RTSP, Skinny, ESMTP, SQLNET, SUNRPC, TFTP, SIP, XDMCP
Q6) What is the default service policy name? global_policy
Q7) Where is the default service policy applied? globally, to all interfaces
Q8) Were you able to log in to the server? yes
Q9) Were you able to see a file listing? yes
Q10) Were you able to log in to the server? yes
Q11) Were you able to see a file listing? Why or why not? no, because FTP inspection is disabled and the security appliance will not negotiate the necessary ports
Q12) Were you able to connect? yes
Q13) Were you able to see a file listing? yes
