ASA1 v5.0.0

Download as pdf or txt
Download as pdf or txt
You are on page 1of 159

ASA 8.4.

1 Basics

Lab Guide
Version 5.0.0

Part of the Fuel Series brought to you by the ASTEC team

February, 2011
2

Table of Contents
Introduction......................................................................................................................... 3
Exercise 1: Prepare for Launch Meeting............................................................................ 7
Exercise 2: Verify Initial Connectivity (Baseline) .............................................................. 9
Exercise 3: Bootstrap ASA ................................................................................................ 14
Exercise 4: Install ASDM and Complete ASA Configuration ........................................... 25
Exercise 5: Configure DMZ Interface on ASA and Test Configuration ........................... 48
Exercise 6: Configure NAT and ACLs .............................................................................. 63
Exercise 7: Configure Smart Call-Home and Password Encryption ............................. 101
Exercise 8: Disaster Recovery Backup ........................................................................... 114
Exercise 9: IPSec VPN using ASDM wizard .................................................................. 121
Exercise 10: Using LDAP Authentication for VPN Users .............................................. 135
Appendix A: Answers to Exercise Questions .................................................................. 146
Appendix B: Final ASA Configuration ........................................................................... 148
Appendix C: Fix Exchange Server Unavailable issue .................................................... 152

February, 2011 ASA Basics Lab Procedures


3

Introduction

Your company was selected to execute a firewall upgrade for Inside.local. Inside.local is
a mid-size organization that employs 500 people and is growing. They recently hired a
new IT manager to focus on several major projects. The first project is to replace their
legacy firewall with a new Cisco ASA.

Currently, Inside.local is using a third-party firewall. You are the engineer who will be
replacing this firewall with a Cisco ASA. The ASA needs to be set up to provide the
required Internet access as well as include the DMZ where the Web server resides. The
DMZ Web server is already installed and ready for use. The customer has a planned
outage window to allow us the time to remove the old firewall, and deploy and test the
ASA. The customer is ready for you to do your ASA magic!

What precipitated the engagement?


The current firewall does not support SSL VPN and all new hires will be using
VPN to access their resources. Also the new ASA 8.4.1 provides enhanced
clientless SSL VPN access. This will be part of a future engagement/project.
Inside.local would like to add the IPS module in the future. With their existing
firewall, they would have had to purchase a dedicated IPS appliance and use a
different management application.
The IT manager will be looking at purchasing an additional new Cisco ASA and
having both ASA firewalls in an active/standby configuration, thus providing high
availability.
Future plans also include adding an SMTP gateway in the DMZ.

Key drivers and requirements:


You must provide the customer a logical topology diagram.
Allow HTTP traffic to the Web server in the DMZ.
Allow SMTP traffic to the email server on the inside LAN.
Deploy better tools for troubleshooting and understanding traffic flow through
the firewall.
Ensure deployment aligns with future initiatives.

The customer would also like for you to complete the following tasks, time permitting:

Provide IPSec VPN access for their remote staff


Leverage their Active Directory server to authenticate remote access VPN users

Provide post-installation recommendations:


The customer is looking for any post-implementation recommendations.

February, 2011 ASA Basics Lab Procedures


4

Logical Topology
The diagram below depicts the logical L3 topology of the network for this lab. Please
note that the UserPCs and Servers are VMware images and that if you shut down any of
these machines you will lose all changes. Please ensure that you use restart, if/when
needed. Unless otherwise specified, all logins are administrator and passwords are
cisco123, all in lower case, except for pc-inside.inside.local where the username is
johndoe and the password is cisco123.

February, 2011 ASA Basics Lab Procedures


5

Disclaimer
This lab is intended to be a sample of one way to configure the ASA to provide the
required connectivity. There are many ways the ASA can be configured, which vary
depending on the situation and the customers goals/requirements. Please ensure that you
consult all current official Cisco documentation before proceeding with a design or
installation. This lab is primarily intended to be a learning tool and may not necessarily
follow best practice recommendation at all times in order to convey specific information.

Current documentation for ASA can be found on CCO:

Cisco ASA 5500 Series Configuration Guide using the CLI, v8.4
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/asa_84_cli_config.html

Cisco ASA 5500 Series Configuration Guide using ASDM, v6.4


http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config.html

Cisco ASA 5500 Migration Guide for Version 8.3


http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Release Notes for the Cisco ASA 5500 Series, 8.4(x)


http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html

Memory Requirements for the Cisco ASA Software version 8.3 and later
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-586414.html

The labs were constructed using the following software versions:

ASA asa841-k8.bin
ASDM asdm-641.bin
AVC AnyConnect-win-3.0.0629-k9.pkg
VPN Client vpnclient-win-msi-5.0.07

Prerequisite knowledge
This lab is the first module in a series of ASA labs created by the ASTEC team. The first
lab assumes a basic understanding of IP technologies. It is suggested that you take the
modules in the recommended order unless you are already familiar with the information
in the previous modules.

February, 2011 ASA Basics Lab Procedures


6

**Memory Requirements for the ASA Software version 8.3 and later**

The Cisco ASA release 8.3.(x) and later has the following memory
requirements. Please ensure that any ASA you upgrade to version 8.3.(x) or
later meets this requirement.

We use the ASA 5510 appliance in this lab which has 1 Gigabyte of
memory.

*** Important ASA Lab Information***


The ASAs in the lab are configured with the configure register set to boot from
ROMMON. This is part of Team ASTECs automation in preparing the ASA for your
lab. Once the ASA loads in your lab, it will have the factory-default configuration.

If you reload your ASA during the lab, it will initialize in ROMMON.
Should this happen, issue the following commands:

1- From ROMMON, type boot flash:asa841-k8.bin.


2- Once the ASA has reloaded, type copy startup-config running-config.

Some ASA firewalls have the AIP-SSM module therefore, you might see the IPS in
the ASDM. Please disregard the IPS module in this lab.

February, 2011 ASA Basics Lab Procedures


7

Exercise 1: Prepare for Launch Meeting


Goal: Create simple diagrams and review IP address assignments in preparation for a
project launch meeting with the Inside.local Network team.

Hopefully most of this design was discussed as part of the pre-sales process and the
detailed design meetings that occurred in order to prepare an accurate statement of work.
Now the time has arrived to start the project. The Inside.local engineering team wants a
kickoff meeting to review exactly what you will be doing and provide you with any final
details you need to begin. The main focus of the meeting is to finalize the IP address
assignments used outside the firewall. The ISPs physical handoff is Ethernet based.
Also, Inside.local was assigned a class C block of 254 IP addresses from the providers
address space. We will only be using 4 IP addresses for now with lots for future use.

IP addressing will be as follows:


192.0.0.254 ASA outside interface
192.0.0.253 Reserved for future ASA for HA
192.0.0.252 PAT address for InsideLAN network
192.0.0.251 NAT address for the DMZ web server
192.0.0.250 NAT address for the Email server

Lab Task: Review the diagram below and think through how it could be used to
storyboard the project for the customer.

February, 2011 ASA Basics Lab Procedures


8

February, 2011 ASA Basics Lab Procedures


9

Exercise 2: Verify Initial Connectivity (Baseline)


Goal: Execute some baseline tests to ensure the network is operational prior to beginning
the work.

From the ASTEC student portal, go to pc-inside.inside. Log in as johndoe with a


password of cisco123.

Open a command prompt and issue the ipconfig command.

What is your IP address? _________________________


What is your subnet mask? ________________________
What is your default gateway? _____________________

From pc-inside.inside.local, ping the following destinations:


pc-inside default gateway 10.0.1.1.
dc.inside.local 10.0.2.10
exchange.inside.local 10.0.2.100
ASA inside interface 10.0.0.254 (this will fail as the ASA is not yet configured)
dmz.inside.local 192.168.1.10 (this will also fail)

From pc-inside.inside.local, launch Outlook from the desktop shortcut. Send a test email
to yourself, [email protected] .

*** Note***

If Outlook pops up a message indicating that Microsoft Exchange is unavailable, please


proceed to Appendix C for the steps to resolve this.

February, 2011 ASA Basics Lab Procedures


10

Click New and select Mail Message.

February, 2011 ASA Basics Lab Procedures


11

In the To field, type [email protected] .


In the Subject field, type Email test.
In the body of the email type, This is a test!
Click Send.

Confirm that the email appears in your Inbox.

February, 2011 ASA Basics Lab Procedures


12

From the ASTEC Student Portal, go to pc-outside. Log in as administrator with a


password of cisco123.

Ping the following destinations:

pc.outside.lab default gateway 192.0.2.1.


server.outside.lab 192.0.2.100
ASA outside interface 192.0.0.254 (this will fail as the ASA is not yet
configured)

Now launch Outlook from the desktop shortcut.


Send a test email to yourself, [email protected]

In Outlook, click New and select Mail Message.


In the To field, type [email protected]
In the Subject field, type Email test.
In the body of the email type, This is a test!
Click Send.

February, 2011 ASA Basics Lab Procedures


13

Confirm that the email appears in your Inbox.

Contact your proctor if you have any issues before proceeding.

February, 2011 ASA Basics Lab Procedures


14

Exercise 3: Bootstrap ASA


Goal: The goal is to place a new ASA into the customers existing network. The ASA is
already cabled and has the factory-default configuration. We will need to go into the
console port and bootstrap the ASA with a base configuration to allow us to use the
ASDM and complete the set up.

From the desktop of pc-inside.inside.local, launch the OoB Console Access shortcut.

Select your pod number from the Pod Number drop-down box and select ASA 1 ASA
Basics from the Content Package drop-down and click Access Console Map.

February, 2011 ASA Basics Lab Procedures


15

We then need to click on the ASA so that we can connect via the console. This will
launch a Telnet application which will connect to the ASA console. Press Enter twice in
the terminal box.

February, 2011 ASA Basics Lab Procedures


16

From the console, issue the enable command and press Enter. There is no password.
Then issue the show version command. Reference the Memory requirement table image
on page 16.

Q3.1: What version of code is running?

Q3.2: How much memory is installed?

Q3.3: Do we have enough memory on this ASA?

Q3.4: Does the licensing look the same as in past releases? If not, what has changed?

Q3.5: What licenses are installed?

February, 2011 ASA Basics Lab Procedures


17

Lets start configuring the ASA. Type configure terminal or conf t to enter global
configuration mode.

February, 2011 ASA Basics Lab Procedures


18

Lets type the following to configure the inside interface for the ASA:

interface Ethernet 0/1


ip address 10.0.0.254 255.255.255.0
nameif inside
description Interface_2_InsideLAN
no shutdown

Lets type the following to configure the outside interface for the ASA:

interface Ethernet 0/0


ip address 192.0.0.254 255.255.255.0
nameif outside
description Interface_2_the_Internet
no shutdown

February, 2011 ASA Basics Lab Procedures


19

Lets pause here for a minute have a look at what the ASA did when we typed nameif
inside and nameif outside and explain Security Level. The nameif command allows us to
assign a name to an interface and both, inside and outside interface names are variables
which dynamically assign a security level that the interfaces; 0 for the outside interface
and 100 for the inside interface.

Each interface must have a security level from 0 (lowest) to 100 (highest). For example,
you should assign your most secure network, such as the inside host network, to level
100. While the outside network connected to the Internet can be level 0. Other networks,
such as DMZs can be in between, 1-99.

The effects of security levels access, by default, there is an implicit permit from a higher
security interface to a lower security interface (outbound). Hosts on the higher security
interface can access any host on a lower security interface. You can limit access by
applying an access list to the interface.

Lets continue with the ASA configuration.

We will not be using the management interface on the ASA in the lab. Lets disable this
interface. You may get the following warning message, WARNING: DHCP bindings
cleared on interface management, address pool removed. This is due to DHCP being
enabled on the management 0/0 interface.

interface management 0/0


no nameif
no ip address
shutdown

February, 2011 ASA Basics Lab Procedures


20

We need to enable ASDM and tell the ASA to allow access from the 10.0.0.0 network.
We will enter http in the command, but the ASA will actually use https.

http server enable


http 10.0.0.0 255.0.0.0 inside

Next, lets configure the ASA to use the 6.4.1 ASDM image.

asdm image disk0:/asdm-641.bin

February, 2011 ASA Basics Lab Procedures


21

We will next add a local user and give the user privilege 15 level access.

username administrator password cisco123 privilege 15

February, 2011 ASA Basics Lab Procedures


22

Change the hostname on the ASA to podx-asa where x is your pod number.

hostname podx-asa

We will use static routes for our routing on the ASA. All outbound traffic will have the
ISP router as the default gateway and all internal traffic will have the internal switch as
default gateway.

route inside 10.0.0.0 255.0.0.0 10.0.0.1


route outside 0.0.0.0 0.0.0.0 192.0.0.1 or route outside 0 0 192.0.0.1

February, 2011 ASA Basics Lab Procedures


23

Lets configure the enable password.

enable password cisco123

Test connectivity.. ..

ping 10.0.0.1 inside switch


ping 192.0.0.1 outside router
ping 10.0.2.10 inside DC server
ping 192.0.2.100 outside server

February, 2011 ASA Basics Lab Procedures


24

February, 2011 ASA Basics Lab Procedures


25

Exercise 4: Install ASDM and Complete ASA Configuration


Goal: The goal is to install the ASDM on pc-inside.inside.local, which we will be using
to complete the configuration on the ASA.

On pc-inside.inside.local, point your Internet Explorer to https://10.0.0.254 , the inside


interface on the ASA. If this fails, return to the console and verify that you typed http
server enable and http 10.0.0.0 255.0.0.0 inside to allow access from the Inside
network.

Click Continue to this website (not recommended).

Click the Install ASDM Launcher and Run ASDM button.

February, 2011 ASA Basics Lab Procedures


26

Type administrator and cisco123 in the username and password boxes.

February, 2011 ASA Basics Lab Procedures


27

Click Run.

Click Run again.

February, 2011 ASA Basics Lab Procedures


28

Click Next twice.

February, 2011 ASA Basics Lab Procedures


29

Click Install.

Then click Finish to complete the installation.

Lets log onto the ASAs inside IP address of 10.0.0.254 using the local administrator
account and cisco123 password.

February, 2011 ASA Basics Lab Procedures


30

Check Always trust content from this publisher and click Yes.

The ASDM will start loading the ASAs configuration.

This is the home view in the ASDM. From here we can view lots of valuable information
such as Device information, Interface status and IP addressing, Traffic status and System
Resources status.

February, 2011 ASA Basics Lab Procedures


31

Q4.1: What version of code and of ASDM is running on this ASA?

Q4.2: How long has this ASA been up (running)?

Q4.3: What is the difference between Routed and Transparent mode?

Lets enable the preview commands on ASA so that we can see the CLI equivalent to our
ASDM configs.

From the ASDM, click on Tools and select Preferences from the drop down menu.

February, 2011 ASA Basics Lab Procedures


32

Select the Preview commands before sending them to the device and click OK.

February, 2011 ASA Basics Lab Procedures


33

Click the Firewall Dashboard tab. From here we could see the top 10 access rules that
have been triggered. We could also enable the ASA to track the top usages for Services,
Sources and Destinations.

Lets enable those three Usage statuses. These will take additional resources and should
be enabled with caution in a production environment. Have a good understanding of the
performance baseline of your ASA before turning on any additional features.

From the Firewall Dashboard tab, select Top 10 Services and click Enable.
From the Firewall Dashboard tab, select Top 10 Sources and click Enable.
From the Firewall Dashboard tab, select Top 10 Destinations and click Enable.

Click Send.

February, 2011 ASA Basics Lab Procedures


34

Once we start to collect data, we can then change the interval to 8 or 24 hour periods, as
well as configure how to display the data.

Return to the Device Dashboard and click the License sub-tab. How many SSL VPN
peers are supported on this ASA?

February, 2011 ASA Basics Lab Procedures


35

The ASA has a logging feature that allows us to see real-time logs on the ASDM. It is
recommended to also have a Syslog server and to send logs to it. Lets turn on logging on
the ASDM..

On the Device Dashboard page, click Enable Logging.

February, 2011 ASA Basics Lab Procedures


36

Here is the CLI equivalent.

Click Send.

We can start seeing the logging on the ASDM Home page.

February, 2011 ASA Basics Lab Procedures


37

What would happen if the ASA reloaded before we save changes? Notice the little
diskette with the yellow exclamation point on the bottom of the ASDM? This is a visual
indicator that there are changes that have not been saved. Simply click on the diskette
icon. This is the equivalent of typing write memory from the CLI.

Here is the CLI equivalent.

Click Send.

Lets continue configuring the ASA with items like Domain name and Time Zone.

February, 2011 ASA Basics Lab Procedures


38

Having synchronized clocks on all network devices is crucial for logging forensics.
***(Due to no real Internet access in this lab, we will not set a NTP server, but you
would do this in a production ASA)***

From the ASDM, click Configuration > Device Setup > Device Name/Password.
Type inside.local for the Domain Name

Click apply. Click Send.

Then expand the System Time and click Clock.


Set the Time Zone. Lets set the Time Zone to Eastern Time (GMT -05:00)

February, 2011 ASA Basics Lab Procedures


39

Verify that the ASA date matches the PC date.

Click Apply and Send.

So now we already have ASDM management access to the ASA. Lets also configure
Telnet and SSH CLI access to the ASA.

February, 2011 ASA Basics Lab Procedures


40

From the Configuration > Device Management > Management Access, select
ASDM/HTTPS/Telnet/SSH and click Add.
Select SSH, Inside, 10.0.0.0 and 255.0.0.0 and click OK.

Click Add again and fill in the same information but this time, select Telnet.

February, 2011 ASA Basics Lab Procedures


41

We then need to specify how we will authenticate users trying to login using SSH and
Telnet.
Go to Configuration > Device Management > Users/AAA and select AAA Access.
From there, check the SSH and Telnet boxes and select LOCAL from the drop-down
Server Group.

Click Apply and Send.

February, 2011 ASA Basics Lab Procedures


42

Q4.4: What is the difference between Telnet and SSH?

Q4.5: What ports do these applications use?

Q4.6: Which is more secure?

Lets test the Telnet and SSH access from the desktop of pc-inside.inside.local.
From pc-inside.inside.local, open a command prompt or use any available application
from the desktop. Telnet to 10.0.0.254. Does this work?

Lets test using SSH. .


Double click on the Putty shortcut on the desktop and click Run.

February, 2011 ASA Basics Lab Procedures


43

Type the inside IP address of the ASA, 10.0.0.254 and be certain that the port is 22 for
SSH. Click Open.

Did this work? Why were you not able to SSH to the ASA? What is missing?

February, 2011 ASA Basics Lab Procedures


44

SSH uses certificates to secure the communications and the ASA does not have a
certificate. We will generate a certificate now. From the Telnet window that you just
launched to the ASA, type conf t and then crypto key generate rsa modulus 1024.

Because this change was done from the CLI, ASDM prompts us to refresh the screen
with the new information. Lets refresh the ASDM.

Click Refresh Now.

February, 2011 ASA Basics Lab Procedures


45

Now lets re-test SSH. Now we are prompted to acknowledge the newly created
certificate. Double click on the putty shortcut on the desktop and click Run.
Type the inside IP address of the ASA, 10.0.0.254 and be certain that the port is 22 for
SSH. Click Open.

We now get the ASA fingerprint. Click on Yes to continue.

February, 2011 ASA Basics Lab Procedures


46

Login in as administrator and use the enable password of cisco123. Now we have SSH
access.

Dont forget to save your work!

February, 2011 ASA Basics Lab Procedures


47

February, 2011 ASA Basics Lab Procedures


48

Exercise 5: Configure DMZ Interface on ASA and Test


Configuration
Goal: Now that we have a base configuration on the ASA, we need to configure a DMZ
interface to allow connectivity to the DMZ web server. Once this is configured, we will
test the connectivity.

From pc-inside.inside.local, navigate in the ASDM to the Configuration > Device Setup
> Interfaces and select Ethernet 0/2 and click Edit.

Complete the following parameters for Ethernet 0/2.


Interface Name: DMZ
Security Level: 50
Use a static IP address: 192.168.1.254
Subnet Mask : 255.255.255.0
Enable Interface
Description: Interface_2_DMZ

February, 2011 ASA Basics Lab Procedures


49

Click OK. And click OK to acknowledge the Security Level Change. Then Apply and
then Send.

February, 2011 ASA Basics Lab Procedures


50

From the ASDM, lets ping our DMZ server and test connectivity.
Go to Tools and select Ping. Type the DMZ server IP address, 192.168.1.10. You can
also select the DMZ interface and then click Ping.

February, 2011 ASA Basics Lab Procedures


51

So we determined that we have connectivity from the ASA to the DMZ server. This is
great. Next, lets test the connectivity through the ASA from pc-inside.inside.local.

From pc-inside.inside.local, launch Internet Explorer and type, http://192.168.1.10 . The


web page should open.

Great, the web page loads. Now lets test Ping. Open a command prompt and ping
192.168.1.10. Why does the ping fail yet it succeeded from the ASA?

The ASA by default, does not maintain ICMP state, therefore it does not allow the return
traffic. This is why ICMP packets originating from the ASA will work while ICMP
traversing the ASA will not work. What do we need to configure to allow the ASA to
maintain ICMP state? Lets turn on ICMP inspection on the global-policy service policy.

February, 2011 ASA Basics Lab Procedures


52

Go to Configuration, Firewall > Service Policy Rules and Add a Service Policy Rule

Select Global-applies to all interfaces. Type a description, Global policy for ASA and
click Next.

February, 2011 ASA Basics Lab Procedures


53

Select Default Inspection Traffic and click Next.

Click Next.

February, 2011 ASA Basics Lab Procedures


54

Select ICMP and click Finish.

Click Apply to push the config to the ASA.

February, 2011 ASA Basics Lab Procedures


55

Click Send.

Now lets try to ping the DMZ server again from pc-inside.local.

ping 192.168.1.10

Q5.1: Are there any drawbacks to having ICMP enabled?

Lets test pinging from pc.outside to the ASA.

Logon to pc.outside.lab as administrator/cisco123.

February, 2011 ASA Basics Lab Procedures


56

Ping the outside interface of the ASA. Ping 192.0.0.254.

We can see that the pings are successful.

Its not a good idea to allow external hosts ICMP access to the firewall. Lets block
ICMP from the outside interface.

February, 2011 ASA Basics Lab Procedures


57

From pc-inside.inside.local in the ASDM, navigate to Configuration > Device


Management > Management Access and select ICMP. Click Add and select Add
Rule

Enter the following information:


ICMP Type: Any
Interface: Outside
Action: Deny
Select Any Address box

Click OK, then click Apply. Note the CLI equivalent.

February, 2011 ASA Basics Lab Procedures


58

Click Send.

Now lets return to pc.outside.lab and try to ping the outside ASA interface IP address.

From pc.outside.lab, open a command prompt and ping 192.0.0.254.

We clearly see that the pings now are failing, which is a good thing.

We want to further test to ensure that our new ACL has not had any adverse effects on
our firewall. Lets return to the ASDM on pc-inside.inside.local and issue some
additional ping tests through the outside interface. Lets ping the server.outside.lab at
192.0.2.100. We know we could ping that server before.

February, 2011 ASA Basics Lab Procedures


59

Now our pings initiated from the ASA are failing. Why is this?

We will need to allow ICMP echo-reply traffic through the Outside ASA interface.

February, 2011 ASA Basics Lab Procedures


60

From pc-inside.inside.local, navigate on the ASDM to Configuration > Device


Management > Management Access and select ICMP. Next, highlight the existing
ICMP ACL and click Add and select Insert from the drop-down options.

Type the following information.


ICMP Type: Echo-reply
Action: Permit
Select the Any Address check box

Click OK, Apply, and then Send.

Look at the order of how the ASA organizes the ACL. With Access Control Lists, order
does matter! It permits echo-replies from the outside interface and denies all other ICMP
traffic!

February, 2011 ASA Basics Lab Procedures


61

Like all good engineers, we need to test to confirm that our results are in fact our desired
results.

From the ASDM, lets try and ping the server.outside.lab at the IP address of 192.0.2.100
again. Is this now successful?

February, 2011 ASA Basics Lab Procedures


62

This concludes this section. Lets review what we have accomplished so far.
We bootstrapped a factory default ASA through the console port and applied base configs
such as IP addressing and routing We also enabled ASDM access, created a local user
and then continued working through the ASDM once we got this installed on pc-
inside.inside.local. We configured and tested a DMZ interface and enabled ICMP
inspection. Next exercise will cover NAT and ACL. Lets keep going!

February, 2011 ASA Basics Lab Procedures


63

Exercise 6: Configure NAT and ACLs


Goal: Now that we have some a solid configuration on the ASA, we need to configure
NAT to allow internal RFC 1918 internal addressing to be translated to publicly routable
IP addresses on the Internet. We will also need to allow access to our Email server on the
inside LAN and to our Web server in the DMZ. Once this is configured, we will test the
connectivity.

The goal of this section is to set up the address translation required to allow packets to
come into the inside interface, be translated to a valid outside address, and then be sent
out the outside interface. The returning traffic will be allowed back through the ASA,
based on the state built for the outbound connection.

From pc-inside.inside.local, lets open Internet Explorer and try to browse to the outside
web server at http://192.0.2.100. Does the page load? Why or why not? Try to ping to the
same IP address. Does this work or not?

We will need to configure some NAT statements for our RFC 1918 internal hosts to
allow access to the Internet. From ASA 8.3.1 and onward, the method of creating NAT
configurations has changed.

February, 2011 ASA Basics Lab Procedures


64

Lets take some time and understand these changes.

Prior to ASA software version 8.3.1, ASA supports multiple variants of NAT, which
have redundant configurations and parameters, which can be very complex from a
configuration and troubleshooting perspective. The new NAT design from ASA software
version 8.3.(x) and later aims to provide an easy of use interface for configuration and
troubleshooting. The key elements of the new NAT design are:
Unified NAT table: A single NAT table to view NAT policies where rules can be
inserted in any arbitrary order.
Object-based NAT: An object can be defined for a host, network or address range
and NAT configuration can be done within the object.
Two simplified and flexible ways to configure NAT: Object-based (or Auto)
NAT, and Manual (or twice) NAT.
Interface independent NAT: NAT rules are not dependent on interfaces or
interface security level as compared to prior ASA software versions.
NAT Order of Operation

Prior to ASA software version 8.3.1, the order of NAT operation was much more
complex and was based on the different types of NAT configurations. It was much harder
to understand and to troubleshoot when issues arise. For reference, ASA software
versions prior to 8.3.1 followed the following order of operation:
1. NAT exemptionIn order, until the first match.
2. Static NAT and Static PAT (regular and policy)In order, until the first match.
Static identity NAT is included in this category.
3. Policy dynamic NATIn order, until the first match. Overlapping addresses are
allowed.
4. Regular dynamic NATBest match. Regular identity NAT is included in this
category. The order of the NAT rules does not matter; the NAT rule that best
matches the real address is used. For example, you can create a general rule to
translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of
your network (10.1.1.1) to a different address, then you can create a rule to
translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific rule for
10.1.1.1 is used because it matches the real address best. We do not recommend
using overlapping rules; they use more memory and can slow the performance of
the security appliance.
In ASA software version 8.3.1 and after, NAT rules evaluation are applied on a top-
down, first match basis. Once a particular NAT rule is matched, no further evaluation is
done at that point, therefore it is important to insert the most specific NAT rules above
the broader NAT rules if there are NAT rules that overlap. For example if you have a
static outside interface Port Address Translation (PAT) and a dynamic outside interface

February, 2011 ASA Basics Lab Procedures


65

PAT, you have to put the static outside interface PAT above the dynamic outside
interface PAT otherwise it will not work properly.
Rules in the NAT table are evaluated in the following order:
1. Manual NAT rules (section 1 of the NAT table)
2. Object-based NAT rules (section 2 of the NAT table)
3. Manual (twice) NAT rules (section 3 of the NAT table)
Lets continue on with the lab.
Lets look at creating a NAT entry on the ASA through the ASDM. We will look at the
equivalent in CLI (thanks to enabling the Preview commands feature which we did
earlier in the lab).

Navigate to Configuration > Firewall > NAT Rules. In the Addresses tab, click on
Add and select Network Object We will create a Network Object of the PAT IP
Address 192.0.0.252.

Complete the following information.


Name: Outside_PAT_Address
Type: Host
IP Address: 192.0.0.252
Description: Address_2_PAT_Inside_LAN

February, 2011 ASA Basics Lab Procedures


66

Click OK, then Apply. Click Send.

Now lets create another object. This will be for our Inside LAN.

February, 2011 ASA Basics Lab Procedures


67

Fill in the following information.


Name: InsideLAN
Type: Network
IP Address: 10.0.0.0
Netmask: 255.0.0.0
Description: Inside-10-Network

Click OK, then Apply, then Send.

We will reference both Network Objects as we create the NAT statement.


Under the NAT Rules, click Add and select Add NAT Rule After Network Object
NAT Rules

February, 2011 ASA Basics Lab Procedures


68

We want the InsideLAN, the 10.0.0.0 subnet, to translate to the PAT address of
192.0.0.252.

Lets provide the following information.


Source Interface: Inside Destination Interface: Outside
Source Address: InsideLAN
Source NAT Type: Dynamic PAT (Hide)
Source Address: Outside_PAT_Address

February, 2011 ASA Basics Lab Procedures


69

Click OK, then Apply and Send.

Now lets re-test the server.outside.lab web site again. Point your browser to
http://192.0.2.100. If the web page does not open an Under Construction web page, close
and re-launch your browser and test it again.

February, 2011 ASA Basics Lab Procedures


70

While the web page is open, SSH or Telnet to the ASA (10.0.0.254) and issue the show
xlate command. We could see that there is one in use and we can see the source IP
address of PC-Inside, 10.0.1.50, and the PAT IP address in use, 192.0.0.252.

Q6.1: From the server.outside.lab, what would the connections source IP address be
seen as?

There is a tool in ASDM, Packet Tracer, which allows us to see the processing order on
the ASA data plane as the packets traverse the ASA and if the packet would succeed in
getting across or fail. If the packet fails, it will also identify where it is being blocked.
This is a great troubleshooting tool but also a great provisioning tool. We can simulate
traffic flowing through the firewall and observe those results.

Lets run a few tests using Packet Tracer. From the Tools, select Packet Tracer

February, 2011 ASA Basics Lab Procedures


71

Fill in the following information.


Interface: Inside
Packet Type: TCP
Source IP Address: 10.0.1.50 Destination IP Address: 192.0.2.100
Source Port: 4000 Destination Port: http
And click Start.

February, 2011 ASA Basics Lab Procedures


72

Note the CLI equivalent.

February, 2011 ASA Basics Lab Procedures


73

Click Send.

The Packet Tracer goes through an animated display and shows the packet flow and the
processing order. If anything were to prevent or block the packet from successfully
traversing the ASA, this would display where.

Back to NAT. Lets do some testing and really understand what we configured for the
NAT and look at some options that we have. Close all open browsers. Telnet or SSH to
the ASA and issue the clear xlate command.

Launch another instance of Internet explorer and navigate to the DMZ-server at


http://192.168.1.10 .

February, 2011 ASA Basics Lab Procedures


74

From the Telnet or SSH session, issue the show xlate command.

Why are there no NAT translations on the ASA? Leave this browser open and launch
another instance and browse to the Server-Outside at http://192.0.2.100 then re-issue a
show xlate on the ASA.

February, 2011 ASA Basics Lab Procedures


75

February, 2011 ASA Basics Lab Procedures


76

Q6.2: Why are we seeing a translation when we browse towards the Outside server but
not for the DMZ server?

Q6.3: If the traffic to the DMZ is not translated, then what will the source IP address be
seen as at the DMZ server?

Close all browsers and lets return to the ASDM and edit our NAT entry.
Lets change the Destination Interface from outside to any. Return to the ASDM, and go
to Configuration > Firewall > NAT Rules, and highlight your NAT statement and click
Edit.

Change the Destination Interface from Outside to Any.

February, 2011 ASA Basics Lab Procedures


77

Click OK, then Apply. Note the CLI equivalent. Observe the any instead of outside
in the NAT statement. This will now translate the InsideLAN through any interface, not
just the outside.

Click Send.

Lets test the NAT with the InsideLAN translated through any interface.

Open Internet explorer and browse to the DMZ-server, http://192.168.1.10 and from
Telnet or SSH, re-issue the show xlate command.

February, 2011 ASA Basics Lab Procedures


78

Q6.4: Why are we now seeing a translation entry on the ASA?

Q6.5: So now what source IP address would the DMZ server see coming to establish
connections?

Lets return and change the NAT entry from Any to Outside Interface.

February, 2011 ASA Basics Lab Procedures


79

When was the last time we saved our configs? Lets save our work!

We still have an Email server to which we would like to have access from the Outside.
The email servers inside IP address is 10.0.2.100 and we will translate this to the
external IP of 192.0.0.250. As discussed in the planning phase, the public IP address of
192.0.0.250 will be allocated for the inside Email server.

Lets create another NAT statement for the inside Email server. From the ASDM, we will
create a new Network Object and well have a look at another method to create our NAT.

Navigate to Configuration > Firewall > NAT Rules. In the Addresses tab, click on Add
and select Network Object We will create a Network Object for the Email server.

February, 2011 ASA Basics Lab Procedures


80

Type the following information.


Name: Email_Server
Type: Host
Ip Address: 10.0.2.100
Description: Inside_email_server

Click OK, then Apply, then Send.


Lets also create another Network Object for the NAT address to be used by the
Email_Server. Lets call this Email_NAT_IP_Address with the IP address of
192.0.0.250.

Type the following information.


Name: Email_NAT_IP_Address
Type: Host
Ip Address: 192.0.0.250
Description: NAT-Address-4-EmailServer

February, 2011 ASA Basics Lab Procedures


81

Click OK, then Apply, then Send.

Now lets select our Email_Server Network Object and click Edit.

Click on the two arrows pointing downward and the check the Add Automatic Address
Translation Rules box.

February, 2011 ASA Basics Lab Procedures


82

Complete the following parameters.

Type: Static
From the Translated Addr box, click the drop down and browse the Translated Addr box
and select the Network Object Email_NAT_IP_Address

February, 2011 ASA Basics Lab Procedures


83

Click OK.

Click Advanced and select Inside for the Source interface and Outside for the
Destination interface.

February, 2011 ASA Basics Lab Procedures


84

Click OK twice, Apply and Send.

We now have two NAT statements, one that is a dynamic NAT that specifies that internal
hosts on the 10.0.0.0 subnet will be translated to 192.0.0.252, and one static that
translates the exchange.inside.local servers IP address of 10.0.2.100 to 192.0.0.250.

Notice the static NAT for the Email server is bi-directional, thus we see the two lines in
the first statement number .
Lets now test this NAT by logging onto the Exchange-Inside server. Go back to the
ASTEC Student Portal and log into the Exchange.inside server with
Administrator/cisco123. Open Internet explorer and browse to http://192.0.2.100 .

February, 2011 ASA Basics Lab Procedures


85

Q6.6: If we returned to an SSH or Telnet session to the ASA and executed a show xlate
command, what IP address would we see paired to the Email servers 10.0.2.100 IP
address?
Lets test this.

February, 2011 ASA Basics Lab Procedures


86

Indeed, the translation is as expected. The Email server is being translated to 192.0.0.250.
This makes receiving emails easier now that we have a NAT address (public IP). So the
external MX record would point to the public IP address of 192.0.0.250 and the firewall
would translate this to the internal server IP address of 10.0.2.100.
Now that the NAT is in place for the Email server, is this enough to allow Emails to pass
through the firewall and be received by the inside Email server? What is missing?

All outbound traffic is allowed by default (not necessarily a good thing) and all inbound
traffic is blocked by default. So we will need to allow SMTP traffic to our inside Email
server. We will need to create an ACL to allow SMTP.

From the ASDM, navigate to Configuration > Firewall > Access Rules
The Access Rules view allow us to see both, IPv4 and IPv6 access rules. Since we have
no IPv6 rules, lets click on IPv4 Only.

Click Add and select Add Access Rule from the drop-down menu.

Complete the following for the Access Rule.


Interface: Outside
Action: Permit
Source: Any (any email server)
Destination: Email_Server
Service: tcp/smtp
Description: ACE to allow SMTP traffic to the email server
Select Enable Logging (It should be already selected)

February, 2011 ASA Basics Lab Procedures


87

Click OK. Click Apply. Note the CLI equivalent.

Click Send.

Before proceeding further with the testing, did you notice the Network Object used in the
ACL to allow SMTP? The Destination that we selected was the Email_Server. Do you
recall what IP address this Object referenced?

It referenced the 10.0.2.100 IP address or the real internal IP address. This is a change
now from ASA 8.3.1 and later where we will reference the real internal IP address and
NOT the NAT or outside address in ACLs.

February, 2011 ASA Basics Lab Procedures


88

Now lets test the SMTP flow and see if this works. Lets login to pc.outside.lab as
administrator with a password of cisco123. Launch Outlook and send an email to
[email protected].

Click in New and select Mail message.

February, 2011 ASA Basics Lab Procedures


89

In the To address box, type [email protected]


Type Email Test in the Subject box. Type, This is an email test in the email body and
then click Send.

February, 2011 ASA Basics Lab Procedures


90

Now confirm the receipt of this email by John Doe.


From pc-inside.inside.local, launch Outlook and see if the email has been delivered.

February, 2011 ASA Basics Lab Procedures


91

You can on the Send/Receive button or you just wait a few seconds.

February, 2011 ASA Basics Lab Procedures


92

Bingo! The email message is delivered. Our ACL and NAT work as expected.

There is one more server in the DMZ, our Web server. We need to create a static NAT
and an ACL to allow HTTP traffic to the server.

Lets start by creating the Network Object for the DMZ Web server.
Navigate on the ASDM to Configuration > Firewall > NAT Rules and from the
Addresses tab on the far right, click Add and select Network Object from the drop-
down menu.

February, 2011 ASA Basics Lab Procedures


93

Enter the following information.


Name: DMZ_Server
Type: Host
IP Address: 192.168.1.10
Description: DMZ_Web_Server

Click OK, then Apply, then Send.

Now that we have a Network Object for the Web server, lets create an ACL which will
allow HTTP traffic.
Navigate on the ASDM to Configuration > Firewall > Access Rules
Click Add and select Add Access Rule from the drop-down menu.

February, 2011 ASA Basics Lab Procedures


94

Create a new Access Control List with the following information.


Interface: Outside
Action: Permit
Source: any
Destination: DMZ_Server
Service: tcp/http
Description: ACE to allow HTTP traffic to the Web server
Select Enable Logging if not already selected.

February, 2011 ASA Basics Lab Procedures


95

Click OK, Apply, then Send.

We can now see our two ACLs, one allows SMTP access to our Email server and the
other allows HTTP access to our DMZ server. Should there be an explicit Deny All entry
for the Outside interface? Does this mean that all traffic will be allowed to our servers?

February, 2011 ASA Basics Lab Procedures


96

We should test this now. Lets login again onto pc.outside.lab with the administrator
account and cisco123 password.

Launch Internet Explorer and type http://192.0.0.250 . If you recall, that is the NAT
address to our Email server. Our Email server has a Web server installed (you can test
this from the pc-inside.inside.local by typing, http://exchange.inside.local/exchange , this
is the Web mail URL and when prompted to login, type inside\johndoe and cisco123 as
the login name and password) and if there is no Outside interface explicit deny ACL, then
this should also work from the outside.

We see that this fails. But why? Lets return to our Access Rules and look carefully.
What is the Global Access Rule? It simply states Any Any IP Deny.

February, 2011 ASA Basics Lab Procedures


97

Global Access Policies

A Global access rule is a rule that is interface independent. It will apply to all interfaces.
That said, an interface rule will have higher priority, thus, our two permit access rules
will apply first, and any other interface rule would also apply. The Global rules apply
afterward.

Lets say we had two DMZ networks and we wanted both DMZ networks and the
Internet beyond our Outside interface to all have SMTP access to our Email server. To
meet this need we could have changed the Email_Server ACL to a Global instead of
specifying the Outside interface. This would have allowed interfaces with a lower
security level, DMZ networks, to be allowed SMTP access to our Email server. The
alternative is to create a permit access rule for each interface for which we want to allow
access.

Ok, back to our Web server. What is missing? Can external users and people access our
DMZ web server? Not until we create a NAT for the Web server!

Navigate on the ASDM to Configuration > Firewall > NAT Rules and from the
Addresses tab on the far right, click Add and select Network Object from the drop-
down menu.

Enter the following information.


Name: Web_NAT_IP_Address
Type: Host
IP Address: 192.0.0.251
Description: NAT-Address-4-WebServer

February, 2011 ASA Basics Lab Procedures


98

Click OK, Apply and Send.

Now that we have both network objects for the Web server and the NAT IP address, lets
create the NAT. Navigate to Configuration > Firewall > NAT Rules and click Add and
select Add NAT Rule Before Network Object NAT Rules from the drop-down
menu.

Enter the following information.

Source Interface: DMZ Destination Interface: Outside


Source Address : DMZ_Server
Source NAT Type: Static
Source Address: Web_NAT_IP_Address
Direction: Both

Click OK, then Apply.

February, 2011 ASA Basics Lab Procedures


99

With the ACL and NAT in place, we should be able to test the Web site from the
pc.outside.lab.
Lets log into that computer with the administrator username and cisco123 password.
Launch Internet Explorer and point your browser to http://192.0.0.251 .
Does this work?

Returning to pc-inside.inside.local and looking at the ASDM, we can see we got a hit on
the DMZ_Server access rule. So we know the traffic is hitting our new rule.

February, 2011 ASA Basics Lab Procedures


100

When was the last time we saved our work? Lets save it now.

February, 2011 ASA Basics Lab Procedures


101

Exercise 7: Configure Smart Call-Home and Password Encryption


Goal: There are several new features on the ASA 8.3.1., including Smart Call-Home and
password-encryption. Smart Call Home offers proactive diagnostics and real-time alerts
while minimizing down time due to unknown causes. Smart Call Home can quickly
identify potential problems with continuous monitoring, and send proactive alerts and
detailed diagnostics.

The goal here is to enable the Smart Call Home feature and explain to Inside.local the
benefits of doing so.

From the ASDM on pc-inside.inside.local, navigate to Configuration > Device


Management > Smart Call-Home.

We can see on this page that we will need to enable this feature and then provide some
configuration as to where and to whom to send notifications.

February, 2011 ASA Basics Lab Procedures


102

Lets start by enabling Smart Call-Home. Then click Mail Server(s) and type 10.0.2.100.

Continue with the configuration by filling in the following information.


Contact Name: JohnDoe
Phone number: 1-234-567-8901
Postal address: 123 ABC street, Nowhereville, ZX
Email address: [email protected]
Senders from address: [email protected]
Senders Reply-to-address: [email protected] (assuming there is a distribution
group named SecOps with the email address [email protected])
Customer ID: 145689
Site ID: 1
Contract ID: 123456789

February, 2011 ASA Basics Lab Procedures


103

Expand Alert Control and Alert group status.

From here we can select the information we want the ASA to monitor. Select everything
if it is not already selected.

February, 2011 ASA Basics Lab Procedures


104

Click Apply. Note the CLI equivalent of these configs.

Click Send. We next want to create a new Alert Subscription Profile. Click Add.

February, 2011 ASA Basics Lab Procedures


105

Fill in the following information.


Name: Inside
Select: Enable this subscription profile
Select: Deliver subscriptions via email
Email subscribers: [email protected]

To add the configuration, click Add and select configuration.

February, 2011 ASA Basics Lab Procedures


106

We can then select the frequency, whether its only at system boot up, daily, weekly or
monthly.

We next select the Information sent to subscribers. Toggle between Basic and Detailed to
see what Information gets attached and sent to the subscribers.

February, 2011 ASA Basics Lab Procedures


107

We can see the detailed Information has running and startup configs as well as access-
lists. It has much more detailed information.
Select at system boot up time only and Detailed. Click OK.

The last item to configure is the Massage parameters. Lets select XML from the
Preferred message format drop-down box if not already selected.
Click OK and Apply.

February, 2011 ASA Basics Lab Procedures


108

We are now finished configuring Smart Call Home and are ready to test.
Lets click the Test button and see if we get an email delivered to John Does mailbox.

February, 2011 ASA Basics Lab Procedures


109

From pc-inside.inside.local, log in as johndoe/cisco123 and launch Outlook.

We should receive the test email message from the ASA. We know this now works.
The Smart Call Home also will automatically create another Alert Subscription Profile
with the name CiscoTAC-1. Lets return to the ASDM and have a look. This may take a
few minutes. If it does not appear after two minutes, try to refresh your ASDM or close
and re-launch your ASDM.

February, 2011 ASA Basics Lab Procedures


110

Notice your CiscoTAC-1 is not active. You could either click the active box or click Edit
and review some settings first and then click Active from within the profile.
Lets highlight the CiscoTAC-1 profile and click Edit.

Lets check the Enable this subscription profile box. Notice what is monitored in the
Alert Group? Is the frequency for the dispatch alert the same for all?
Click OK, Apply and Send.

Here is the CLI for making the CiscoTAC-1 profile active.

February, 2011 ASA Basics Lab Procedures


111

February, 2011 ASA Basics Lab Procedures


112

The Master Passphrase (Password Encryption) is another new feature which became
available in the ASA 8.3.1 code. This allows you to securely store plain text passwords in
encrypted format. The master passphrase provides a key that is used to universally
encrypt or mask all passwords, without changing any functionality. The following
passwords take advantage of this feature: OSPF, EIGRP, VPN load balancing, Logging,
Shared licenses, VPN, remote access and site-to-site, AAA servers, and Failover.

Goal: We informed the customer of this new ASA feature and the client requested that
this feature be implemented.

From the ASDM, choose Configuration > Device Management > Advanced > Master
Passphrase pane.

Check the Advanced Encryption Standard (AES) password encryption checkbox.

Check the Change the encryption master passphrase check box; this will enable you to
enter and confirm your new master passphrases.

Your new master passphrase must be between 8 and 128 characters long.

Type cisco123 in the New master passphrase and the Confirm master passphrase boxes.

Click Apply.

Here is the CLI equivalent.

February, 2011 ASA Basics Lab Procedures


113

Click Send.

February, 2011 ASA Basics Lab Procedures


114

Exercise 8: Disaster Recovery Backup

It is always an excellent idea to back up the configuration data. ASDM has a backup
utility built-in that will create a ZIP file on your PC with the configuration and any other
data required to recover the ASA in a failure. This is also excellent data to present to the
customer as part of final documentation for the project along with the ASA activation
key.

From the ASDM, click Tools and click Backup Configurations from the drop-down
menu.

This opens a Backup Configurations dialogue box. Notice we have several options for
what we want to back up using this backup wizard. What is different between running a
backup using this tool as opposed to backing up your startup-config to a TFTP server?
What about SSL VPN configurations, how have you backed these up in the past? You
could select Backup All and this would grey out all the boxes and back up all your ASA
files and configs.

February, 2011 ASA Basics Lab Procedures


115

Lets go ahead and select Backup All in the check box.

February, 2011 ASA Basics Lab Procedures


116

Lets click the Browse Local button and browse to the Desktop. Type ASA-backup in
the File name.

February, 2011 ASA Basics Lab Procedures


117

Because we enabled the Master Passphrase in the earlier exercise, take notice of the
warning message that appears. Take a minute and read this warning! There are steps
that explain the recovery process IF you forget or lose the passphrase. Click Yes to
acknowledge the message.

February, 2011 ASA Basics Lab Procedures


118

We see the progress bar as all the selected items get backed up to the desktop. Now what
would happen if we selected to backup CSD image or Plug-ins but we had none of these
on the Flash? We see below that we would get a Failure message that those items are not
available.
Click OK.

On the desktop, we can now see the backed-up file, ASA-backup.zip.

February, 2011 ASA Basics Lab Procedures


119

Lets open the zipped file and see the contents. We can see our running and startup config
files amongst any other present files. Now we have a process to restore configs or any
other relevant file to our ASA!

February, 2011 ASA Basics Lab Procedures


120

Great job this concludes the lab!!!


Continue on for the optional IPsec VPN and LDAP exercises.

February, 2011 ASA Basics Lab Procedures


121

Exercise 9: IPSec VPN using ASDM wizard

As was discussed with Inside.local, they have remote teleworkers who need access to the
network resources. Inside.local had VPN capabilities with their previous firewall and will
be transitioning to SSL VPN. But for now, they would like to continue having IPsec VPN
access.

Goal: The goal for this exercise is to implement IPsec VPN for Inside.local. There is an
IPsec VPN wizard in the ASDM that will help you with your configurations.

From the ASDM, click Wizards, VPN Wizards and select IPsec (IKEv1) Remote
Access VPN Wizard (formerly known as IPsec VPN Wizard in previous ASA versions)
from the drop-down menu.
This will launch the IPsec IKEv1 Remote Access Wizard.

From the VPN Tunnel Interface, select outside from drop-down menu, and put a check in
the Enable inbound IPsec sessions to bypass interface access-lists.
Click Next.

February, 2011 ASA Basics Lab Procedures


122

Select Cisco VPN Client, Release 3.x or higher.

Click Next.

February, 2011 ASA Basics Lab Procedures


123

In the Authentication method, select Pre-shared key and type cisco123.


Type inside-ipsec-tunnelgroup in the Tunnel Group Name.

Click Next.
Inside.local does have a Microsoft Active Directory server and we will be leveraging that
server for authentication, as per the originally discussed requirements. For now, we will
use local ASA accounts and then later change this to using the Active Directory server.

Select the Authenticate using the local user database radio button.

Click Next.

February, 2011 ASA Basics Lab Procedures


124

This next step allows you to create local accounts on the ASA.

Type janedoe in the username field and cisco123 in password and confirm password
boxes.

Click Add. Click Next.

February, 2011 ASA Basics Lab Procedures


125

We need to select a VPN IP Address pool but since none exist, click New and create an
IP pool.

February, 2011 ASA Basics Lab Procedures


126

In the Add IP Pool box, fill in the following information:

Name: INSIDE-IPSEC-VPN-POOL
Starting IP Address: 10.1.1.1
Ending IP Address: 10.1.1.50
Subnet Mask: 255.255.255.0

Click OK.

From the Pool Name drop-down menu, select INSIDE-IPSEC-VPN-POOL.


Confirm the values shown are what you had previously created.
Click Next.

Type 10.0.2.10 in the Primary DNS Server and Primary WINS Server boxes.
Type inside.local in the Default Domain Name box.

February, 2011 ASA Basics Lab Procedures


127

Click Next.
Accept the default for the IKE Policy.

Click Next.

February, 2011 ASA Basics Lab Procedures


128

The next step is to create a NAT exemption to the internal LAN network.
Select inside from the Interface drop-down menu.
Click the drop-down arrow for Exempt Networks.

Select InsideLAN and click Exempt Networks.


Click OK.

February, 2011 ASA Basics Lab Procedures


129

The Enable Perfect Forwarding Secrecy (PFS) is selected by default.


Click Next.

February, 2011 ASA Basics Lab Procedures


130

Review the IPSec VPN configurations and click Finish.

Here is the CLI equivalent. Click Send.

The IPsec VPN wizard was pretty easy and straightforward. Lets now test and see if this
will actually work.

February, 2011 ASA Basics Lab Procedures


131

Log into pc.outside.lab with the username administrator and cisco123 password.
Double-click to open the VPN Client from the desktop.

Click New.

Lets create a VPN profile. Fill in the following information.

Connection Entry: INSIDE-IPSEC-Profile


Description: INSIDE-VPN
Host: 192.0.0.254
Select Group-Authentication
Name: inside-ipsec-tunnelgroup
Password: cisco123
Confirm Password: cisco123

Click Save.

February, 2011 ASA Basics Lab Procedures


132

Select INSIDE-IPSEC-Profile and click Connect.

February, 2011 ASA Basics Lab Procedures


133

In the username and password fields, type janedoe and cisco123.


Click OK.

The VPN has been established as can be seen by the gold lock in the taskbar.
Now that we have VPN connectivity, lets perform a test.

Open a command prompt and ping the inside DC server.

ping 10.0.2.10

We see four successful replies.

February, 2011 ASA Basics Lab Procedures


134

February, 2011 ASA Basics Lab Procedures


135

Exercise 10: Using LDAP Authentication for VPN Users

Goal: Now that we have successfully tested the VPN, the goal is to leverage Insides
Active Directory user database. This will eliminate the need to create and maintain two
user account databases and will make it easier for the users to remember and use only one
account.

Our goal is to configure the ASA to query the domain controller and pass along the
authentication request. We will then test our configuration.

From the ASDM, navigate to Configuration > Device Management > Users/AAA and
select AAA Server Groups.

Click Add.

Type AD-server in the Server Group box.

From the drop-down menu for Protocol, select LDAP.


Click OK.

February, 2011 ASA Basics Lab Procedures


136

Click Apply.

Note the CLI equivalent.

Click Send.
Then click Add.

February, 2011 ASA Basics Lab Procedures


137

We will now provide the necessary configurations to allow the ASA to bind and query
the AD server.

Type the following information.

Interface name: inside


Server name or ip address: 10.0.2.10
Timeout: 10
Server port: 389
Server type: Microsoft
Base DN: dc=inside,dc=local
Scope: All levels beneath the base DN
Naming attribute(s): sAMAccountName
Login DN: cn=administrator,cn=users,dc=inside, dc=local
Login password: cisco123

Click OK. Click Apply

February, 2011 ASA Basics Lab Procedures


138

Note the CLI equivalent.

February, 2011 ASA Basics Lab Procedures


139

Click Send.

Then click Test.

Select Authentication and type administrator and cisco123 in the username and
password boxes.
Click OK.

Click OK to confirm the success.

If there are any error messages, return to the 10.0.2.10 server in the AD-Server group and
verify your settings. Remember, there are no spaces between the commas, and the
naming attribute is case sensitive.

February, 2011 ASA Basics Lab Procedures


140

The next configuration is to change the authentication method for our acme-ipsec-
tunnelgroup.
From the ASDM, navigate to Configuration > Remote Access VPN > Network
(Client) Access > IPsec (IKEv1) Connection Profiles and select inside-ipsec-
tunnelgroup.

Click Edit.

From the drop-down menu, change the User Authentication from Local to AD-server.

February, 2011 ASA Basics Lab Procedures


141

Click OK. Click Apply.

Note the CLI equivalent.

Click Send.

February, 2011 ASA Basics Lab Procedures


142

Let us re-test the VPN again and see whether our configurations will be successful.

Return to pc.outside and right click the VPN icon in the taskbar and select Disconnect.

February, 2011 ASA Basics Lab Procedures


143

Once the VPN disconnects, click Connect.

If we recall, we had created an account on the ASA called janedoe which we had
previously used. This time we will use an account that resides on the domain controller,
johndoe.

In the user authentication box, type johndoe and cisco123 in the username and password
boxes.

Click OK.

February, 2011 ASA Basics Lab Procedures


144

We are successful. We see the gold VPN lock in the taskbar.

February, 2011 ASA Basics Lab Procedures


145

Lets review the status of this VPN connection.


From the ASDM, navigate to Monitoring > VPN > VPN Statistics > Sessions.

We should see johndoes VPN session. What IP address has he been assigned from the IP
Pool? Which VPN tunnel/connection profile is he matching?

Lets save our configurations and call it a successful implementation!!

Congratulations. This completes the lab!

February, 2011 ASA Basics Lab Procedures


146

Appendix A: Answers to Exercise Questions

Q3.1: What version of code is running? The ASA is running the 8.4(1) version of
code.

Q3.2: How much memory is installed? There is 1 GB of memory installed on the ASA.

Q3.3: Do we have enough memory on this ASA? Yes we meet the minimum
requirements.

Q3.4: Does the licensing look the same as in past releases? If not, what has
changed? No, it has changed. We can now see time based licenses as well as permanent
and feature base licenses.

Q3.5: What licenses are installed? Security plus and advanced endpoint assessment
licenses are installed.

Q4.1: What version of code and of ASDM is running on this ASA? The ASA is
running the 8.4(1) version of code and ASDM is 6.4.1.

Q4.2: How long has this ASA been up (running)? Answer will vary.

Q4.3: What is the difference between Routed and Transparent mode? Routed mode
is when the ASA is a layer 3 hop on the network meaning that we will have different
networks for each interface while transparent mode means it has the same network
addressing on the inside and outside interface, however using different vlans. Transparent
mode is like a bridge.

Q4.4: What is the difference between Telnet and SSH? Telnet authenticates and
communicates over clear text while SSH is encrypted.

Q4.5: What ports do these applications use? Telnet uses port 23 and SSH uses port 22
by default.

Q4.6: Which is more secure? The encrypted communication of SSH make it more
secure.

Q5.1: Are there any drawbacks to having ICMP enabled? Anyone can now perform
an ICMP attack or use applications and ICMP sweeps to determine what ports are in a
listening state. ICMP can also be used to determine if a host is responsive.

Q6.1: From the server.outside.lab, what would the connections source IP address
be seen as? The source IP address would be seen as 192.0.0.252.

February, 2011 ASA Basics Lab Procedures


147

Q6.2: Why are we seeing a translation when we browse towards the Outside server
but not for the DMZ server? In the NAT rule that we created, we specified that the
outside interface was the destination interface. Thus, any traffic sourced from the inside
interface going to any interface other than the outside will not match this NAT rule.

Q6.3: If the traffic to the DMZ is not translated, then what will the source IP
address be seen as at the DMZ server? We will see the source IP address of 10.0.1.50.

Q6.4: Why are we now seeing a translation entry on the ASA? Now that the NAT
rule has been modified to state ANY as the destination interface, the inside traffic now
going to the DMZ interface will match this rule.

Q6.5: So now what source IP address would the DMZ server see coming to establish
connections? Because the traffic matches the NAT rule, the source IP address would be
seen as 192.0.0.252.

Q6.6: If we returned to an SSH or Telnet session to the ASA and executed a show
xlate command, what IP address would we see paired to the Email servers
10.0.2.100 IP address? We would see the 192.0.0.250 IP address as this is the IP we
used for the static NAT rule.

February, 2011 ASA Basics Lab Procedures


148

Appendix B: Final ASA Configuration

The configuration below was taken from pod1 after successfully completion of the lab.

: Saved
:
ASA Version 8.4(1)
!
hostname pod1-asa
domain-name inside.local
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description Interface_2_the_Internet
nameif outside
security-level 0
ip address 192.0.0.254 255.255.255.0
!
interface Ethernet0/1
description Interface_2_InsideLAN
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/2
description Interface_2_DMZ
nameif DMZ
security-level 50
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 100
no ip address
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name inside.local
object network Outside_PAT_Address
host 192.0.0.252
description Address_2_PAT_Inside_LAN

February, 2011 ASA Basics Lab Procedures


149

object network InsideLAN


subnet 10.0.0.0 255.0.0.0
description Inside-10-Network
object network Email_Server
host 10.0.2.100
description Inside_email_server
object network Email_NAT_IP_Address
host 192.0.0.250
description NAT-Address-4EmailServer
object network DMZ_Server
host 192.168.1.10
description DMZ_Web_Server
object network Web_NAT_IP_Address
host 192.0.0.251
description NAT-Address-4-WebServer
object network NETWORK_OBJ_10.1.1.0_26
subnet 10.1.1.0 255.255.255.192
access-list outside_access_in remark ACE to allow SMTP traffic to the email server
access-list outside_access_in extended permit tcp any object Email_Server eq smtp
access-list outside_access_in remark ACE to allow HTTP traffic to the Web server
access-list outside_access_in extended permit tcp any object DMZ_Server eq www
pager lines 24
logging enable
logging asdm informational
mtu DMZ 1500
mtu inside 1500
mtu outside 1500
ip local pool INSIDE-IPSEC-VPN-POOL 10.1.1.1-10.1.1.50 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp deny any outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (DMZ,outside) source static DMZ_Server Web_NAT_IP_Address
nat (inside,outside) source static InsideLAN InsideLAN destination static NETWORK_OBJ_10.1.1.0_26
NETWORK_OBJ_10.1.1.0_26
!
object network Email_Server
nat (inside,outside) static Email_NAT_IP_Address
!
nat (inside,outside) after-auto source dynamic InsideLAN Outside_PAT_Address
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.0.1 1
route inside 10.0.0.0 255.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD-Server protocol ldap
aaa-server AD-Server (inside) host 10.0.2.10
ldap-base-dn dc=inside,dc=local

February, 2011 ASA Basics Lab Procedures


150

ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password 8 9LbHzjgUFs0kP5nrO81NOQ6LfaZaELk9
ldap-login-dn cn=administrator,cn=users,dc=inside,dc=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-
SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-
MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy inside-ipsec-tunnelgroup internal
group-policy inside-ipsec-tunnelgroup attributes
wins-server value 10.0.2.10

February, 2011 ASA Basics Lab Procedures


151

dns-server value 10.0.2.10


vpn-tunnel-protocol ikev1
default-domain value inside.local
username administrator password e1z89R3cZe9Kt6Ib encrypted privilege 15
username janedoe password 6r/4Scprwy80gY.x encrypted privilege 0
username janedoe attributes
vpn-group-policy inside-ipsec-tunnelgroup
tunnel-group inside-ipsec-tunnelgroup type remote-access
tunnel-group inside-ipsec-tunnelgroup general-attributes
address-pool INSIDE-IPSEC-VPN-POOL
authentication-server-group AD-Server
default-group-policy inside-ipsec-tunnelgroup
tunnel-group inside-ipsec-tunnelgroup ipsec-attributes
ikev1 pre-shared-key 8 6Yq8bRpZEhasTqoHP1MleVUqUiNdxOmq
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
description Global policy for ASA
class global-class
inspect icmp
!
service-policy global-policy global
prompt hostname context
service call-home
call-home
contact-email-addr [email protected]
contact-name JohnDoe
contract-id 123456789
customer-id 145689
phone-number 1-234-567-8901
sender from [email protected]
sender reply-to [email protected]
site-id 1
street-address 123 ABC street Nowhereville, ZX
mail-server 10.0.2.100 priority 1
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile Inside
destination address email [email protected]
destination transport-method email
subscribe-to-alert-group configuration export full
password encryption aes
Cryptochecksum:3d572a9b8bb91c8b18c761cb64976933
: end
asdm image disk0:/asdm-641.bin
no asdm history enable

February, 2011 ASA Basics Lab Procedures


152

Appendix C: Fix Exchange Server Unavailable issue


When launching Outlook from pc-inside or pc-outside, if Outlook pops up a message
indicating that Exchange Server is unavailable, here are the steps to rectify this.

February, 2011 ASA Basics Lab Procedures


153

1- For pc-inside Outlook connectivity issues, from the ASTEC Student Portal web
page, click on the Exchange-Inside web link.

February, 2011 ASA Basics Lab Procedures


154

2- For pc-outside Outlook connectivity issues, click on the Server-Outside web link.

February, 2011 ASA Basics Lab Procedures


155

Login to the Exchange server with the username/password of administrator/cisco123.

February, 2011 ASA Basics Lab Procedures


156

Click on start and navigate to Programs > Administrative Tools > Services.

February, 2011 ASA Basics Lab Procedures


157

In the Services snap-in, expand the Name column so that you can see the full name of the
listed services below. Scroll down until you see the Microsoft Exchange Information
Store service. Select that service and click on the Start the service button on the top left
corner.

You will see the progress bar.

February, 2011 ASA Basics Lab Procedures


158

Repeat the same procedure for the Microsoft Exchange MTA Stacks service. Select that
service and click on the Start the service from the top left corner.

You will see the progress bar.

February, 2011 ASA Basics Lab Procedures


159

Once both services have been started, proceed to return to pc-inside and launch Outlook
again.

February, 2011 ASA Basics Lab Procedures

You might also like