So, you have inherited a Cisco ASA firewall. Your hands are itching to connect to it, configure it and put it to work. Where do you approach it from, and where do you start?
This article was written against a Cisco ASA 5520 running system version 9.1 with a clean (factory) configuration.
Configuring Cisco ASA from scratch:
1. Connecting via COM port
2. Configuring the management interface and ssh access
3. Configuring access through ASDM
4. System update and ASDM
5. Configuring interfaces
6. Configuring NAT to the external network and ping
7. Configuring NAT from outside to internal network to server
8. Packet Traversal Testing
1. Connection via COM port
If you have just unpacked the Cisco ASA, the first connection is made over the console (COM) port with the blue RJ45-to-DB9 console cable. The usual serial settings are:
Bits per sec: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none
The Cisco ASA, like other Cisco devices, has two EXEC modes: user and privileged. Switch to privileged mode with the enable command (it can be abbreviated to en):
ciscoasa> enable
ciscoasa#
A fresh or factory-reset Cisco ASA has no privileged-mode password yet, so just press Enter at the password prompt. You can start configuring: configure terminal, or conf t for short.
ciscoasa# configure terminal
ciscoasa(config)#
All further commands are entered in configuration mode unless stated otherwise. The exit command, executed in configuration mode, takes you back one level.
In the command listings, comments start with the # symbol. They are there for you and must NOT be typed in: the ASA will not understand them.
2. Configuring the management interface and ssh access
The Cisco ASA has a dedicated management interface. It is recommended to have a separate network for managing and monitoring all equipment and servers, inaccessible to ordinary users, and to allow management connections only from that network, never from the outside interface.
# set the privileged-mode password
enable password zzz
# configure the management interface
interface Management0/0
nameif manage
security-level 100
ip address 192.168.1.100 255.255.255.0
no shutdown
exit
# configure ssh access: generate the host key (2048 bits; the original listing used 1024, which is too short today)
crypto key generate rsa modulus 2048
# a local user; the passwd line sets the legacy login password, which ssh no longer needs once LOCAL authentication is enabled below
username username password yyy
passwd yyy
# list the addresses or networks allowed to connect via ssh and the interface they arrive on
# do not add anything you do not need
ssh 192.168.1.22 255.255.255.255 manage
ssh 192.168.1.33 255.255.255.255 manage
ssh version 2
# optionally raise the idle timeout; the default is only 5 minutes
ssh timeout 15
# authenticate ssh logins against the local user database (without this line the ASA expects its built-in username pix and the passwd password)
aaa authentication ssh console LOCAL
Now you can reach the ASA over the network via ssh, using PuTTY or a Linux terminal:
ssh username@192.168.1.100
3. Configuring access through ASDM
Besides the console, there is an alternative way to configure the Cisco ASA: Cisco Adaptive Security Device Manager (ASDM). ASDM duplicates the CLI's capabilities and is made for those who prefer to click. Some operations are easier in ASDM, but for most settings the CLI is more convenient, more predictable and easier to document. Try both and choose what suits your needs.
# if you have not configured ssh access yet, first run the crypto key gen ... command from the previous section
# start the http server that ASDM connects to
http server enable
# list the addresses or networks allowed to connect, and the interface they arrive on
http 192.168.1.22 255.255.255.255 manage
http 192.168.1.33 255.255.255.255 manage
# view the files stored on the Cisco ASA
dir
# if several ASDM versions are present, select the most recent one
asdm image disk0:/asdm-742.bin
To open ASDM, point your browser at https://192.168.1.100 (it is served over HTTPS on the management address, only to the sources allowed by the http commands above).
4. Updating the system and ASDM
You can view the current software versions like this:
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(7)13
Device Manager Version 7.7(1)
...
You can check for newer software versions, and whether your appliance still supports them, on Cisco's site: https://software.cisco.com/download/type.html?mdfid=280582808 , but downloads require a valid license. To upload and install the files on the Cisco ASA, ASDM is the easiest route: Tools -> File Management ... -> File Transfer to upload, or Tools -> Upgrade Software from Local Computer to upload and install in one step. From the command line the upload is a single copy command; run a TFTP server on your computer first (Tftpd32 will do on Windows). TFTP is neither authenticated nor encrypted, so before booting the new image compare its checksum with the value published on the download page (verify /md5 disk0:/asa917-13-k8.bin on the ASA):
# copy, dir and reload are privileged EXEC commands; asdm image and boot system are entered in configuration mode
# run the copy command interactively
copy tftp disk0:
Address or name of remote host []? 192.168.1.22
Source filename []? asa917-13-k8.bin
Destination filename [asa917-13-k8.bin]?
Accessing tftp://192.168.1.22/asa917-13-k8.bin.........!!
Writing file disk0:/asa917-13-k8.bin...........!!
27703296 bytes copied in 3.60 secs
# check that the file is in place
dir
# select the system image and the ASDM image to use
asdm image disk0:/asdm-771.bin
boot system disk0:/asa917-13-k8.bin
# save the configuration
write memory
# reboot into the new system version
reload
5. Configuring interfaces
Let’s take the most common network diagram for a sample:
- external network with white ip (outside);
- dedicated network with servers (dmz): 192.168.20.0/29;
- local network with users (lan): 192.168.10.0/24;
By default, the Cisco ASA allows traffic from a zone with a higher security-level to a zone with a lower one and drops traffic in the opposite direction unless an access-list permits it. So we assign the levels: outside 0, dmz 50, lan 100. The numbers themselves do not matter, only their ordering (higher, lower). Note that this makes lan (100) to dmz (50) open by default; if users should not reach the servers freely, apply an access-list on the lan interface too.
Physical ports are scarce on hardware, especially on this model. To save them, you can run several VLAN subinterfaces over one port:
interface GigabitEthernet0/0
mac-address 0050.56xx.xxxx
nameif outside
security-level 0
ip address 11.11.11.11 255.255.255.248
no shutdown
exit
# VLAN subinterfaces on GigabitEthernet0/1: the physical port carries the tagged traffic and gets no address of its own
interface GigabitEthernet0/1.20
vlan 20
nameif dmz
security-level 50
ip address 192.168.20.1 255.255.255.248
exit
interface GigabitEthernet0/1.10
vlan 10
nameif lan
security-level 100
ip address 192.168.10.1 255.255.255.0
exit
interface GigabitEthernet0/1
no shutdown
exit
# default route towards the provider's gateway
route outside 0.0.0.0 0.0.0.0 11.11.11.10 1
# DNS server handed out by the ASA's DHCP server, should you enable dhcpd on an interface
dhcpd dns 8.8.8.8
6. Configuring NAT to the external network and ping
Traffic towards the external network is allowed by the security levels, but for it to actually work you must configure NAT:
# users: translate the lan subnet to the outside interface address (dynamic PAT)
object network lan-subnet
subnet 192.168.10.0 255.255.255.0
nat (lan,outside) dynamic interface
exit
# servers: the same for the dmz subnet
object network dmz-subnet
subnet 192.168.20.0 255.255.255.248
nat (dmz,outside) dynamic interface
exit
Done: your users and servers now have Internet access. If you also want ping to work, enable ICMP inspection so that echo replies are matched to the outgoing requests and let back in:
policy-map global_policy
class inspection_default
inspect icmp
exit
7. Configuring NAT from outside to the internal network to the server
Option 1. You need to forward one port, for example 80, to a server in the dmz:
object network server-www
host 192.168.20.2
nat (dmz,outside) static interface service tcp www www
exit
# traffic from outside into dmz goes against the security levels,
# so it has to be permitted explicitly with an ACL (Access Control List)
# since ASA 8.3 an ACL matches on the real (untranslated) address, hence "object server-www" rather than the outside address
access-list outside_acl extended permit tcp any object server-www eq www
access-group outside_acl in interface outside
Option 2. You need to forward two or more ports. A network object holds only one nat statement, so adding a second one to the same object replaces the first; create a separate object for each port:
object network server-www
host 192.168.20.2
nat (dmz,outside) static interface service tcp www www
exit
object network server-8080
host 192.168.20.2
nat (dmz,outside) static interface service tcp 8080 8080
exit
access-list outside_acl extended permit tcp any object server-www eq www
access-list outside_acl extended permit tcp any object server-8080 eq 8080
access-group outside_acl in interface outside
Option 3. Forward all ports to one internal server (after this, nothing else can be published behind the outside address):
object network server-ip
host 192.168.20.2
nat (dmz,outside) static interface
exit
# permit only the ports you actually need: with every port translated, this ACL is the only thing keeping the rest of the server off the Internet
access-list outside_acl extended permit tcp any object server-ip eq www
access-list outside_acl extended permit tcp any object server-ip eq 8080
access-list outside_acl extended permit tcp any object server-ip eq ssh
access-list outside_acl extended permit tcp any object server-ip eq ftp
access-group outside_acl in interface outside
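The ssh and http allow-lists from sections 2 and 3 and the NAT and ACL rules from this section are exactly the lines that drift over time. The script below is an added example (my own Python, not code from the article or from Cisco) that audits a pasted command list, or a show running-config dump, for the weaknesses discussed on this page: a short RSA host key, management access open to 0.0.0.0 or reachable on the security-level-0 interface, a missing ssh version 2, an all-ports static NAT, and ACL entries that permit any-to-any or open ssh/telnet from the Internet. The SAMPLE_CONFIG inside is constructed; the interface, object and ACL names follow the article's examples.

```python
"""Audit a Cisco ASA command list for the weak settings this article warns about.
Added example, not from the original article. Accepts the command blocks from this
page or a `show running-config` dump (indentation stripped, '#'/'!' lines ignored).
The checks and SAMPLE_CONFIG are my own constructions."""
import re

MIN_RSA_MODULUS = 2048                        # 1024-bit RSA host keys are below current guidance
ANY = {"any", "any4", "any6"}
ADMIN_PORTS = {"ssh", "22", "telnet", "23"}   # remote-administration ports
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def clean_lines(config_text):
    """Strip indentation and drop comment ('#') and separator ('!') lines."""
    stripped = (raw.strip() for raw in config_text.splitlines())
    return [ln for ln in stripped if ln and not ln.startswith(("#", "!"))]


def interface_levels(lines):
    """Map nameif -> security-level by pairing the two commands inside each interface block."""
    levels, name, level = {}, None, None
    for line in lines:
        if line.startswith("interface "):
            name, level = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
        if name is not None and level is not None:
            levels[name] = level
    return levels


def take_address(tokens):
    """Consume one ACE address: any | host X | object X | object-group X | ip mask."""
    if tokens[0] in ANY:
        return tokens[0], tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]


def take_port(tokens, allow_group=False):
    """Consume an optional port operator; a service object-group is accepted only after the destination."""
    if tokens and tokens[0] in ("eq", "lt", "gt", "neq"):
        return tokens[1], tokens[2:]
    if tokens and tokens[0] == "range":
        return f"{tokens[1]}-{tokens[2]}", tokens[3:]
    if allow_group and tokens and tokens[0] == "object-group":
        return f"object-group {tokens[1]}", tokens[2:]
    return None, tokens


def audit(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = clean_lines(config_text)
    outside_ifs = {n for n, lv in interface_levels(lines).items() if lv == 0}
    bound_on = {}                             # ACL name -> interface it is applied to inbound
    for line in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m:
            bound_on[m.group(1)] = m.group(2)
    findings, obj = [], None
    for line in lines:
        m = re.match(r"crypto key generate rsa modulus (\d+)$", line)
        if m and int(m.group(1)) < MIN_RSA_MODULUS:
            findings.append(f"ssh host key: rsa modulus {m.group(1)} is below {MIN_RSA_MODULUS}")
        m = re.match(rf"(ssh|http|telnet) ({IPV4}) ({IPV4})(?: (\S+))?$", line)
        if m:
            proto, src, mask, ifc = m.groups()
            if proto == "telnet":
                findings.append(f"telnet management enabled from {src} {mask}")
            if src == mask == "0.0.0.0":
                findings.append(f"{proto} management open to any source on {ifc}")
            if ifc in outside_ifs:
                findings.append(f"{proto} management reachable on security-level 0 interface {ifc}")
        if line.startswith("object network "):
            obj = line.split()[2]
        if re.match(r"nat \(\S+,\S+\) static interface$", line):
            findings.append(f"object {obj}: all ports translated to the interface address; the ACL is the only control")
        m = re.match(r"access-list (\S+) extended permit (\S+) (.+)$", line)
        if m:
            acl, proto, rest = m.groups()
            src, rest = take_address(rest.split())
            _, rest = take_port(rest)
            dst, rest = take_address(rest) if rest else ("", rest)
            dport, _ = take_port(rest, allow_group=True)
            where = f"{acl} (inbound on {bound_on.get(acl, 'not applied')})"
            if src in ANY and dst in ANY and dport is None:
                findings.append(f"{where}: permit {proto} any any with no port restriction")
            elif src in ANY and dport in ADMIN_PORTS and bound_on.get(acl) in outside_ifs:
                findings.append(f"{where}: {proto}/{dport} permitted to {dst} from any outside source")
    if "ssh version 2" not in lines:
        findings.append("ssh version 2 not set: SSHv1 remains negotiable")
    if not any(ln.startswith("enable password ") for ln in lines):
        findings.append("no enable password configured")
    return findings


# Constructed sample: the article's management and Option 3 blocks plus deliberately weak lines
# (1024-bit key, ssh open to any on outside, ssh and ip-any-any ACEs, no 'ssh version 2').
SAMPLE_CONFIG = """
enable password zzz
interface Management0/0
 nameif manage
 security-level 100
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto key generate rsa modulus 1024
ssh 192.168.1.22 255.255.255.255 manage
ssh 0.0.0.0 0.0.0.0 outside
http 192.168.1.22 255.255.255.255 manage
object network server-ip
 host 192.168.20.2
 nat (dmz,outside) static interface
access-list outside_acl extended permit tcp any object server-ip eq www
access-list outside_acl extended permit tcp any any eq ssh
access-list outside_acl extended permit ip any any
access-group outside_acl in interface outside
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against your own show running-config after every change to the outside ACL: the "permit ... any any" and "permitted to any from any outside source" findings are the ones that turn a port forward into an exposure, and the all-ports NAT finding reminds you that with Option 3 the ACL alone stands between the server and the Internet. Port object-groups are only understood in the destination position; anything more exotic is treated as unrestricted, which errs on the side of a finding.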
8. Testing packet passing
You could test the settings like this: "Nikolay, try opening ya.ru ... Doesn't work? Right, let me have a look ...". A more correct approach, faster and more informative, is packet-tracer. This tool builds a synthetic packet and shows, step by step, how the ASA would process it: which route, ACL and NAT decisions apply, and at which stage it is dropped.
We generate a packet from the internal network (from the user) to the external one:
packet-tracer input lan tcp 192.168.10.2 12345 93.159.134.3 80
We generate a packet from the external network to the external interface for the www server in dmz:
packet-tracer input outside tcp 8.8.8.8 12345 11.11.11.11 80
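Reading the phases by eye is fine for one packet; for a set of rules you want to re-check after every change, it pays to parse the output. The script below is an added example (my own Python, not part of the article) that extracts each phase's verdict and the final Action and Drop-reason from packet-tracer output and compares a list of test cases against the expected result. The two transcripts inside are constructed to follow the ASA's output layout for the two commands above; they were not captured from a real device, and the phase details are abridged.

```python
"""Turn packet-tracer output into a pass/fail check.
Added example, not from the original article. The ASA prints one block per processing
phase (Phase/Type/Subtype/Result/Config/Additional Information) and a final Result block
with Action and, for a drop, Drop-reason. The transcripts below are constructed."""
import re


def parse_packet_tracer(output):
    """Extract the per-phase decisions and the final verdict from packet-tracer output."""
    phases, phase_type = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Type:"):
            phase_type = line.split(":", 1)[1].strip()
        elif line.startswith("Result:") and phase_type is not None:
            verdict = line.split(":", 1)[1].strip()
            if verdict:                        # the final summary 'Result:' carries no value
                phases.append((phase_type, verdict))
                phase_type = None
    action = re.search(r"^Action:\s*(\w+)", output, re.M)
    reason = re.search(r"^Drop-reason:\s*(.+?)\s*$", output, re.M)
    out_if = re.search(r"^output-interface:\s*(\S+)", output, re.M)
    return {
        "phases": phases,
        "action": action.group(1).lower() if action else None,
        "drop_reason": reason.group(1) if reason else None,
        "output_interface": out_if.group(1) if out_if else None,
    }


def blocking_phase(parsed):
    """Type of the first phase that returned DROP, or None if the packet was allowed."""
    for phase_type, verdict in parsed["phases"]:
        if verdict.upper() == "DROP":
            return phase_type
    return None


def run_cases(cases):
    """cases: (name, expected_action, packet_tracer_output) triples.
    Returns one message per case whose actual Action differs from the expectation."""
    failures = []
    for name, expected, output in cases:
        parsed = parse_packet_tracer(output)
        if parsed["action"] != expected:
            detail = ""
            if parsed["action"] == "drop":
                detail = f" in {blocking_phase(parsed)} ({parsed['drop_reason']})"
            failures.append(f"{name}: expected {expected}, got {parsed['action']}{detail}")
    return failures


# Constructed, abridged output of: packet-tracer input lan tcp 192.168.10.2 12345 93.159.134.3 80
LAN_TO_OUTSIDE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network lan-subnet
 nat (lan,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.10.2/12345 to 11.11.11.11/12345

Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW

Result:
input-interface: lan
output-interface: outside
Action: allow
"""

# Constructed, abridged output of: packet-tracer input outside tcp 8.8.8.8 12345 11.11.11.11 8080
# with only port 80 published (Option 1 above), so the implicit deny catches the packet.
OUTSIDE_TO_8080 = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule

Result:
input-interface: outside
output-interface: dmz
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

CASES = [
    ("lan user to ya.ru:80", "allow", LAN_TO_OUTSIDE),
    ("internet to outside:8080 (not published)", "drop", OUTSIDE_TO_8080),
    ("regression: internet to outside:8080 should be open", "allow", OUTSIDE_TO_8080),
]

if __name__ == "__main__":
    for failure in run_cases(CASES):
        print("FAIL", failure)
```

The third case is deliberately wrong so the report format is visible: it prints the phase that dropped the packet and the ASA's drop reason, which is what you need to know whether a missing ACE or a missing NAT rule is to blame. Feed the function the output of the real commands (one transcript per case) and keep the expected-action list next to the firewall configuration as its acceptance test.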
Save the settings
write memory
# can be abbreviated to wr
The settings made so far are enough to get started, but only to get started. Do not treat this collection as a definitive guide; it is a set of recommendations on where to begin, a kind of "quick start guide". What comes next? There is no single answer. It depends on:
- the organization of your network (now and in the future) and the place of Cisco ASA in it;
- detailed study of documentation, articles, reviews: which of the supported technologies can be used;
- the specifics of your organization: what levels of security and service availability are required;
- etc.
Translated by Google Translate