ASA1 v5.0.0
ASA1 v5.0.0
ASA1 v5.0.0
1 Basics
Lab Guide
Version 5.0.0
February, 2011
2
Table of Contents
Introduction......................................................................................................................... 3
Exercise 1: Prepare for Launch Meeting............................................................................ 7
Exercise 2: Verify Initial Connectivity (Baseline) .............................................................. 9
Exercise 3: Bootstrap ASA ................................................................................................ 14
Exercise 4: Install ASDM and Complete ASA Configuration ........................................... 25
Exercise 5: Configure DMZ Interface on ASA and Test Configuration ........................... 48
Exercise 6: Configure NAT and ACLs .............................................................................. 63
Exercise 7: Configure Smart Call-Home and Password Encryption ............................. 101
Exercise 8: Disaster Recovery Backup ........................................................................... 114
Exercise 9: IPSec VPN using ASDM wizard .................................................................. 121
Exercise 10: Using LDAP Authentication for VPN Users .............................................. 135
Appendix A: Answers to Exercise Questions .................................................................. 146
Appendix B: Final ASA Configuration ........................................................................... 148
Appendix C: Fix Exchange Server Unavailable issue .................................................... 152
Introduction
Your company was selected to execute a firewall upgrade for Inside.local. Inside.local is
a mid-size organization that employs 500 people and is growing. They recently hired a
new IT manager to focus on several major projects. The first project is to replace their
legacy firewall with a new Cisco ASA.
Currently, Inside.local is using a third-party firewall. You are the engineer who will be
replacing this firewall with a Cisco ASA. The ASA needs to be set up to provide the
required Internet access as well as include the DMZ where the Web server resides. The
DMZ Web server is already installed and ready for use. The customer has a planned
outage window to allow us the time to remove the old firewall, and deploy and test the
ASA. The customer is ready for you to do your ASA magic!
The customer would also like for you to complete the following tasks, time permitting:
Logical Topology
The diagram below depicts the logical L3 topology of the network for this lab. Please
note that the UserPCs and Servers are VMware images and that if you shut down any of
these machines you will lose all changes. Please ensure that you use restart, if/when
needed. Unless otherwise specified, all logins are administrator and passwords are
cisco123, all in lower case, except for pc-inside.inside.local where the username is
johndoe and the password is cisco123.
Disclaimer
This lab is intended to be a sample of one way to configure the ASA to provide the
required connectivity. There are many ways the ASA can be configured, which vary
depending on the situation and the customers goals/requirements. Please ensure that you
consult all current official Cisco documentation before proceeding with a design or
installation. This lab is primarily intended to be a learning tool and may not necessarily
follow best practice recommendation at all times in order to convey specific information.
Cisco ASA 5500 Series Configuration Guide using the CLI, v8.4
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/asa_84_cli_config.html
Memory Requirements for the Cisco ASA Software version 8.3 and later
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_bulletin_c25-586414.html
ASA asa841-k8.bin
ASDM asdm-641.bin
AVC AnyConnect-win-3.0.0629-k9.pkg
VPN Client vpnclient-win-msi-5.0.07
Prerequisite knowledge
This lab is the first module in a series of ASA labs created by the ASTEC team. The first
lab assumes a basic understanding of IP technologies. It is suggested that you take the
modules in the recommended order unless you are already familiar with the information
in the previous modules.
**Memory Requirements for the ASA Software version 8.3 and later**
The Cisco ASA release 8.3.(x) and later has the following memory
requirements. Please ensure that any ASA you upgrade to version 8.3.(x) or
later meets this requirement.
We use the ASA 5510 appliance in this lab which has 1 Gigabyte of
memory.
If you reload your ASA during the lab, it will initialize in ROMMON.
Should this happen, issue the following commands:
Some ASA firewalls have the AIP-SSM module therefore, you might see the IPS in
the ASDM. Please disregard the IPS module in this lab.
Hopefully most of this design was discussed as part of the pre-sales process and the
detailed design meetings that occurred in order to prepare an accurate statement of work.
Now the time has arrived to start the project. The Inside.local engineering team wants a
kickoff meeting to review exactly what you will be doing and provide you with any final
details you need to begin. The main focus of the meeting is to finalize the IP address
assignments used outside the firewall. The ISPs physical handoff is Ethernet based.
Also, Inside.local was assigned a class C block of 254 IP addresses from the providers
address space. We will only be using 4 IP addresses for now with lots for future use.
Lab Task: Review the diagram below and think through how it could be used to
storyboard the project for the customer.
From pc-inside.inside.local, launch Outlook from the desktop shortcut. Send a test email
to yourself, [email protected] .
*** Note***
From the desktop of pc-inside.inside.local, launch the OoB Console Access shortcut.
Select your pod number from the Pod Number drop-down box and select ASA 1 ASA
Basics from the Content Package drop-down and click Access Console Map.
We then need to click on the ASA so that we can connect via the console. This will
launch a Telnet application which will connect to the ASA console. Press Enter twice in
the terminal box.
From the console, issue the enable command and press Enter. There is no password.
Then issue the show version command. Reference the Memory requirement table image
on page 16.
Q3.4: Does the licensing look the same as in past releases? If not, what has changed?
Lets start configuring the ASA. Type configure terminal or conf t to enter global
configuration mode.
Lets type the following to configure the inside interface for the ASA:
Lets type the following to configure the outside interface for the ASA:
Lets pause here for a minute have a look at what the ASA did when we typed nameif
inside and nameif outside and explain Security Level. The nameif command allows us to
assign a name to an interface and both, inside and outside interface names are variables
which dynamically assign a security level that the interfaces; 0 for the outside interface
and 100 for the inside interface.
Each interface must have a security level from 0 (lowest) to 100 (highest). For example,
you should assign your most secure network, such as the inside host network, to level
100. While the outside network connected to the Internet can be level 0. Other networks,
such as DMZs can be in between, 1-99.
The effects of security levels access, by default, there is an implicit permit from a higher
security interface to a lower security interface (outbound). Hosts on the higher security
interface can access any host on a lower security interface. You can limit access by
applying an access list to the interface.
We will not be using the management interface on the ASA in the lab. Lets disable this
interface. You may get the following warning message, WARNING: DHCP bindings
cleared on interface management, address pool removed. This is due to DHCP being
enabled on the management 0/0 interface.
We need to enable ASDM and tell the ASA to allow access from the 10.0.0.0 network.
We will enter http in the command, but the ASA will actually use https.
Next, lets configure the ASA to use the 6.4.1 ASDM image.
We will next add a local user and give the user privilege 15 level access.
Change the hostname on the ASA to podx-asa where x is your pod number.
hostname podx-asa
We will use static routes for our routing on the ASA. All outbound traffic will have the
ISP router as the default gateway and all internal traffic will have the internal switch as
default gateway.
Test connectivity.. ..
Click Run.
Click Install.
Lets log onto the ASAs inside IP address of 10.0.0.254 using the local administrator
account and cisco123 password.
Check Always trust content from this publisher and click Yes.
This is the home view in the ASDM. From here we can view lots of valuable information
such as Device information, Interface status and IP addressing, Traffic status and System
Resources status.
Lets enable the preview commands on ASA so that we can see the CLI equivalent to our
ASDM configs.
From the ASDM, click on Tools and select Preferences from the drop down menu.
Select the Preview commands before sending them to the device and click OK.
Click the Firewall Dashboard tab. From here we could see the top 10 access rules that
have been triggered. We could also enable the ASA to track the top usages for Services,
Sources and Destinations.
Lets enable those three Usage statuses. These will take additional resources and should
be enabled with caution in a production environment. Have a good understanding of the
performance baseline of your ASA before turning on any additional features.
From the Firewall Dashboard tab, select Top 10 Services and click Enable.
From the Firewall Dashboard tab, select Top 10 Sources and click Enable.
From the Firewall Dashboard tab, select Top 10 Destinations and click Enable.
Click Send.
Once we start to collect data, we can then change the interval to 8 or 24 hour periods, as
well as configure how to display the data.
Return to the Device Dashboard and click the License sub-tab. How many SSL VPN
peers are supported on this ASA?
The ASA has a logging feature that allows us to see real-time logs on the ASDM. It is
recommended to also have a Syslog server and to send logs to it. Lets turn on logging on
the ASDM..
Click Send.
What would happen if the ASA reloaded before we save changes? Notice the little
diskette with the yellow exclamation point on the bottom of the ASDM? This is a visual
indicator that there are changes that have not been saved. Simply click on the diskette
icon. This is the equivalent of typing write memory from the CLI.
Click Send.
Lets continue configuring the ASA with items like Domain name and Time Zone.
Having synchronized clocks on all network devices is crucial for logging forensics.
***(Due to no real Internet access in this lab, we will not set a NTP server, but you
would do this in a production ASA)***
From the ASDM, click Configuration > Device Setup > Device Name/Password.
Type inside.local for the Domain Name
So now we already have ASDM management access to the ASA. Lets also configure
Telnet and SSH CLI access to the ASA.
From the Configuration > Device Management > Management Access, select
ASDM/HTTPS/Telnet/SSH and click Add.
Select SSH, Inside, 10.0.0.0 and 255.0.0.0 and click OK.
Click Add again and fill in the same information but this time, select Telnet.
We then need to specify how we will authenticate users trying to login using SSH and
Telnet.
Go to Configuration > Device Management > Users/AAA and select AAA Access.
From there, check the SSH and Telnet boxes and select LOCAL from the drop-down
Server Group.
Lets test the Telnet and SSH access from the desktop of pc-inside.inside.local.
From pc-inside.inside.local, open a command prompt or use any available application
from the desktop. Telnet to 10.0.0.254. Does this work?
Type the inside IP address of the ASA, 10.0.0.254 and be certain that the port is 22 for
SSH. Click Open.
Did this work? Why were you not able to SSH to the ASA? What is missing?
SSH uses certificates to secure the communications and the ASA does not have a
certificate. We will generate a certificate now. From the Telnet window that you just
launched to the ASA, type conf t and then crypto key generate rsa modulus 1024.
Because this change was done from the CLI, ASDM prompts us to refresh the screen
with the new information. Lets refresh the ASDM.
Now lets re-test SSH. Now we are prompted to acknowledge the newly created
certificate. Double click on the putty shortcut on the desktop and click Run.
Type the inside IP address of the ASA, 10.0.0.254 and be certain that the port is 22 for
SSH. Click Open.
Login in as administrator and use the enable password of cisco123. Now we have SSH
access.
From pc-inside.inside.local, navigate in the ASDM to the Configuration > Device Setup
> Interfaces and select Ethernet 0/2 and click Edit.
Click OK. And click OK to acknowledge the Security Level Change. Then Apply and
then Send.
From the ASDM, lets ping our DMZ server and test connectivity.
Go to Tools and select Ping. Type the DMZ server IP address, 192.168.1.10. You can
also select the DMZ interface and then click Ping.
So we determined that we have connectivity from the ASA to the DMZ server. This is
great. Next, lets test the connectivity through the ASA from pc-inside.inside.local.
Great, the web page loads. Now lets test Ping. Open a command prompt and ping
192.168.1.10. Why does the ping fail yet it succeeded from the ASA?
The ASA by default, does not maintain ICMP state, therefore it does not allow the return
traffic. This is why ICMP packets originating from the ASA will work while ICMP
traversing the ASA will not work. What do we need to configure to allow the ASA to
maintain ICMP state? Lets turn on ICMP inspection on the global-policy service policy.
Go to Configuration, Firewall > Service Policy Rules and Add a Service Policy Rule
Select Global-applies to all interfaces. Type a description, Global policy for ASA and
click Next.
Click Next.
Click Send.
Now lets try to ping the DMZ server again from pc-inside.local.
ping 192.168.1.10
Its not a good idea to allow external hosts ICMP access to the firewall. Lets block
ICMP from the outside interface.
Click Send.
Now lets return to pc.outside.lab and try to ping the outside ASA interface IP address.
We clearly see that the pings now are failing, which is a good thing.
We want to further test to ensure that our new ACL has not had any adverse effects on
our firewall. Lets return to the ASDM on pc-inside.inside.local and issue some
additional ping tests through the outside interface. Lets ping the server.outside.lab at
192.0.2.100. We know we could ping that server before.
Now our pings initiated from the ASA are failing. Why is this?
We will need to allow ICMP echo-reply traffic through the Outside ASA interface.
Look at the order of how the ASA organizes the ACL. With Access Control Lists, order
does matter! It permits echo-replies from the outside interface and denies all other ICMP
traffic!
Like all good engineers, we need to test to confirm that our results are in fact our desired
results.
From the ASDM, lets try and ping the server.outside.lab at the IP address of 192.0.2.100
again. Is this now successful?
This concludes this section. Lets review what we have accomplished so far.
We bootstrapped a factory default ASA through the console port and applied base configs
such as IP addressing and routing We also enabled ASDM access, created a local user
and then continued working through the ASDM once we got this installed on pc-
inside.inside.local. We configured and tested a DMZ interface and enabled ICMP
inspection. Next exercise will cover NAT and ACL. Lets keep going!
The goal of this section is to set up the address translation required to allow packets to
come into the inside interface, be translated to a valid outside address, and then be sent
out the outside interface. The returning traffic will be allowed back through the ASA,
based on the state built for the outbound connection.
From pc-inside.inside.local, lets open Internet Explorer and try to browse to the outside
web server at http://192.0.2.100. Does the page load? Why or why not? Try to ping to the
same IP address. Does this work or not?
We will need to configure some NAT statements for our RFC 1918 internal hosts to
allow access to the Internet. From ASA 8.3.1 and onward, the method of creating NAT
configurations has changed.
Prior to ASA software version 8.3.1, ASA supports multiple variants of NAT, which
have redundant configurations and parameters, which can be very complex from a
configuration and troubleshooting perspective. The new NAT design from ASA software
version 8.3.(x) and later aims to provide an easy of use interface for configuration and
troubleshooting. The key elements of the new NAT design are:
Unified NAT table: A single NAT table to view NAT policies where rules can be
inserted in any arbitrary order.
Object-based NAT: An object can be defined for a host, network or address range
and NAT configuration can be done within the object.
Two simplified and flexible ways to configure NAT: Object-based (or Auto)
NAT, and Manual (or twice) NAT.
Interface independent NAT: NAT rules are not dependent on interfaces or
interface security level as compared to prior ASA software versions.
NAT Order of Operation
Prior to ASA software version 8.3.1, the order of NAT operation was much more
complex and was based on the different types of NAT configurations. It was much harder
to understand and to troubleshoot when issues arise. For reference, ASA software
versions prior to 8.3.1 followed the following order of operation:
1. NAT exemptionIn order, until the first match.
2. Static NAT and Static PAT (regular and policy)In order, until the first match.
Static identity NAT is included in this category.
3. Policy dynamic NATIn order, until the first match. Overlapping addresses are
allowed.
4. Regular dynamic NATBest match. Regular identity NAT is included in this
category. The order of the NAT rules does not matter; the NAT rule that best
matches the real address is used. For example, you can create a general rule to
translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of
your network (10.1.1.1) to a different address, then you can create a rule to
translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific rule for
10.1.1.1 is used because it matches the real address best. We do not recommend
using overlapping rules; they use more memory and can slow the performance of
the security appliance.
In ASA software version 8.3.1 and after, NAT rules evaluation are applied on a top-
down, first match basis. Once a particular NAT rule is matched, no further evaluation is
done at that point, therefore it is important to insert the most specific NAT rules above
the broader NAT rules if there are NAT rules that overlap. For example if you have a
static outside interface Port Address Translation (PAT) and a dynamic outside interface
PAT, you have to put the static outside interface PAT above the dynamic outside
interface PAT otherwise it will not work properly.
Rules in the NAT table are evaluated in the following order:
1. Manual NAT rules (section 1 of the NAT table)
2. Object-based NAT rules (section 2 of the NAT table)
3. Manual (twice) NAT rules (section 3 of the NAT table)
Lets continue on with the lab.
Lets look at creating a NAT entry on the ASA through the ASDM. We will look at the
equivalent in CLI (thanks to enabling the Preview commands feature which we did
earlier in the lab).
Navigate to Configuration > Firewall > NAT Rules. In the Addresses tab, click on
Add and select Network Object We will create a Network Object of the PAT IP
Address 192.0.0.252.
Now lets create another object. This will be for our Inside LAN.
We want the InsideLAN, the 10.0.0.0 subnet, to translate to the PAT address of
192.0.0.252.
Now lets re-test the server.outside.lab web site again. Point your browser to
http://192.0.2.100. If the web page does not open an Under Construction web page, close
and re-launch your browser and test it again.
While the web page is open, SSH or Telnet to the ASA (10.0.0.254) and issue the show
xlate command. We could see that there is one in use and we can see the source IP
address of PC-Inside, 10.0.1.50, and the PAT IP address in use, 192.0.0.252.
Q6.1: From the server.outside.lab, what would the connections source IP address be
seen as?
There is a tool in ASDM, Packet Tracer, which allows us to see the processing order on
the ASA data plane as the packets traverse the ASA and if the packet would succeed in
getting across or fail. If the packet fails, it will also identify where it is being blocked.
This is a great troubleshooting tool but also a great provisioning tool. We can simulate
traffic flowing through the firewall and observe those results.
Lets run a few tests using Packet Tracer. From the Tools, select Packet Tracer
Click Send.
The Packet Tracer goes through an animated display and shows the packet flow and the
processing order. If anything were to prevent or block the packet from successfully
traversing the ASA, this would display where.
Back to NAT. Lets do some testing and really understand what we configured for the
NAT and look at some options that we have. Close all open browsers. Telnet or SSH to
the ASA and issue the clear xlate command.
From the Telnet or SSH session, issue the show xlate command.
Why are there no NAT translations on the ASA? Leave this browser open and launch
another instance and browse to the Server-Outside at http://192.0.2.100 then re-issue a
show xlate on the ASA.
Q6.2: Why are we seeing a translation when we browse towards the Outside server but
not for the DMZ server?
Q6.3: If the traffic to the DMZ is not translated, then what will the source IP address be
seen as at the DMZ server?
Close all browsers and lets return to the ASDM and edit our NAT entry.
Lets change the Destination Interface from outside to any. Return to the ASDM, and go
to Configuration > Firewall > NAT Rules, and highlight your NAT statement and click
Edit.
Click OK, then Apply. Note the CLI equivalent. Observe the any instead of outside
in the NAT statement. This will now translate the InsideLAN through any interface, not
just the outside.
Click Send.
Lets test the NAT with the InsideLAN translated through any interface.
Open Internet explorer and browse to the DMZ-server, http://192.168.1.10 and from
Telnet or SSH, re-issue the show xlate command.
Q6.5: So now what source IP address would the DMZ server see coming to establish
connections?
Lets return and change the NAT entry from Any to Outside Interface.
When was the last time we saved our configs? Lets save our work!
We still have an Email server to which we would like to have access from the Outside.
The email servers inside IP address is 10.0.2.100 and we will translate this to the
external IP of 192.0.0.250. As discussed in the planning phase, the public IP address of
192.0.0.250 will be allocated for the inside Email server.
Lets create another NAT statement for the inside Email server. From the ASDM, we will
create a new Network Object and well have a look at another method to create our NAT.
Navigate to Configuration > Firewall > NAT Rules. In the Addresses tab, click on Add
and select Network Object We will create a Network Object for the Email server.
Now lets select our Email_Server Network Object and click Edit.
Click on the two arrows pointing downward and the check the Add Automatic Address
Translation Rules box.
Type: Static
From the Translated Addr box, click the drop down and browse the Translated Addr box
and select the Network Object Email_NAT_IP_Address
Click OK.
Click Advanced and select Inside for the Source interface and Outside for the
Destination interface.
We now have two NAT statements, one that is a dynamic NAT that specifies that internal
hosts on the 10.0.0.0 subnet will be translated to 192.0.0.252, and one static that
translates the exchange.inside.local servers IP address of 10.0.2.100 to 192.0.0.250.
Notice the static NAT for the Email server is bi-directional, thus we see the two lines in
the first statement number .
Lets now test this NAT by logging onto the Exchange-Inside server. Go back to the
ASTEC Student Portal and log into the Exchange.inside server with
Administrator/cisco123. Open Internet explorer and browse to http://192.0.2.100 .
Q6.6: If we returned to an SSH or Telnet session to the ASA and executed a show xlate
command, what IP address would we see paired to the Email servers 10.0.2.100 IP
address?
Lets test this.
Indeed, the translation is as expected. The Email server is being translated to 192.0.0.250.
This makes receiving emails easier now that we have a NAT address (public IP). So the
external MX record would point to the public IP address of 192.0.0.250 and the firewall
would translate this to the internal server IP address of 10.0.2.100.
Now that the NAT is in place for the Email server, is this enough to allow Emails to pass
through the firewall and be received by the inside Email server? What is missing?
All outbound traffic is allowed by default (not necessarily a good thing) and all inbound
traffic is blocked by default. So we will need to allow SMTP traffic to our inside Email
server. We will need to create an ACL to allow SMTP.
From the ASDM, navigate to Configuration > Firewall > Access Rules
The Access Rules view allow us to see both, IPv4 and IPv6 access rules. Since we have
no IPv6 rules, lets click on IPv4 Only.
Click Add and select Add Access Rule from the drop-down menu.
Click Send.
Before proceeding further with the testing, did you notice the Network Object used in the
ACL to allow SMTP? The Destination that we selected was the Email_Server. Do you
recall what IP address this Object referenced?
It referenced the 10.0.2.100 IP address or the real internal IP address. This is a change
now from ASA 8.3.1 and later where we will reference the real internal IP address and
NOT the NAT or outside address in ACLs.
Now lets test the SMTP flow and see if this works. Lets login to pc.outside.lab as
administrator with a password of cisco123. Launch Outlook and send an email to
[email protected].
You can on the Send/Receive button or you just wait a few seconds.
Bingo! The email message is delivered. Our ACL and NAT work as expected.
There is one more server in the DMZ, our Web server. We need to create a static NAT
and an ACL to allow HTTP traffic to the server.
Lets start by creating the Network Object for the DMZ Web server.
Navigate on the ASDM to Configuration > Firewall > NAT Rules and from the
Addresses tab on the far right, click Add and select Network Object from the drop-
down menu.
Now that we have a Network Object for the Web server, lets create an ACL which will
allow HTTP traffic.
Navigate on the ASDM to Configuration > Firewall > Access Rules
Click Add and select Add Access Rule from the drop-down menu.
We can now see our two ACLs, one allows SMTP access to our Email server and the
other allows HTTP access to our DMZ server. Should there be an explicit Deny All entry
for the Outside interface? Does this mean that all traffic will be allowed to our servers?
We should test this now. Lets login again onto pc.outside.lab with the administrator
account and cisco123 password.
Launch Internet Explorer and type http://192.0.0.250 . If you recall, that is the NAT
address to our Email server. Our Email server has a Web server installed (you can test
this from the pc-inside.inside.local by typing, http://exchange.inside.local/exchange , this
is the Web mail URL and when prompted to login, type inside\johndoe and cisco123 as
the login name and password) and if there is no Outside interface explicit deny ACL, then
this should also work from the outside.
We see that this fails. But why? Lets return to our Access Rules and look carefully.
What is the Global Access Rule? It simply states Any Any IP Deny.
A Global access rule is a rule that is interface independent. It will apply to all interfaces.
That said, an interface rule will have higher priority, thus, our two permit access rules
will apply first, and any other interface rule would also apply. The Global rules apply
afterward.
Lets say we had two DMZ networks and we wanted both DMZ networks and the
Internet beyond our Outside interface to all have SMTP access to our Email server. To
meet this need we could have changed the Email_Server ACL to a Global instead of
specifying the Outside interface. This would have allowed interfaces with a lower
security level, DMZ networks, to be allowed SMTP access to our Email server. The
alternative is to create a permit access rule for each interface for which we want to allow
access.
Ok, back to our Web server. What is missing? Can external users and people access our
DMZ web server? Not until we create a NAT for the Web server!
Navigate on the ASDM to Configuration > Firewall > NAT Rules and from the
Addresses tab on the far right, click Add and select Network Object from the drop-
down menu.
Now that we have both network objects for the Web server and the NAT IP address, lets
create the NAT. Navigate to Configuration > Firewall > NAT Rules and click Add and
select Add NAT Rule Before Network Object NAT Rules from the drop-down
menu.
With the ACL and NAT in place, we should be able to test the Web site from the
pc.outside.lab.
Lets log into that computer with the administrator username and cisco123 password.
Launch Internet Explorer and point your browser to http://192.0.0.251 .
Does this work?
Returning to pc-inside.inside.local and looking at the ASDM, we can see we got a hit on
the DMZ_Server access rule. So we know the traffic is hitting our new rule.
When was the last time we saved our work? Lets save it now.
The goal here is to enable the Smart Call Home feature and explain to Inside.local the
benefits of doing so.
We can see on this page that we will need to enable this feature and then provide some
configuration as to where and to whom to send notifications.
Lets start by enabling Smart Call-Home. Then click Mail Server(s) and type 10.0.2.100.
From here we can select the information we want the ASA to monitor. Select everything
if it is not already selected.
Click Send. We next want to create a new Alert Subscription Profile. Click Add.
We can then select the frequency, whether its only at system boot up, daily, weekly or
monthly.
We next select the Information sent to subscribers. Toggle between Basic and Detailed to
see what Information gets attached and sent to the subscribers.
We can see the detailed Information has running and startup configs as well as access-
lists. It has much more detailed information.
Select at system boot up time only and Detailed. Click OK.
The last item to configure is the Massage parameters. Lets select XML from the
Preferred message format drop-down box if not already selected.
Click OK and Apply.
We are now finished configuring Smart Call Home and are ready to test.
Lets click the Test button and see if we get an email delivered to John Does mailbox.
We should receive the test email message from the ASA. We know this now works.
The Smart Call Home also will automatically create another Alert Subscription Profile
with the name CiscoTAC-1. Lets return to the ASDM and have a look. This may take a
few minutes. If it does not appear after two minutes, try to refresh your ASDM or close
and re-launch your ASDM.
Notice your CiscoTAC-1 is not active. You could either click the active box or click Edit
and review some settings first and then click Active from within the profile.
Lets highlight the CiscoTAC-1 profile and click Edit.
Lets check the Enable this subscription profile box. Notice what is monitored in the
Alert Group? Is the frequency for the dispatch alert the same for all?
Click OK, Apply and Send.
The Master Passphrase (Password Encryption) is another new feature which became
available in the ASA 8.3.1 code. This allows you to securely store plain text passwords in
encrypted format. The master passphrase provides a key that is used to universally
encrypt or mask all passwords, without changing any functionality. The following
passwords take advantage of this feature: OSPF, EIGRP, VPN load balancing, Logging,
Shared licenses, VPN, remote access and site-to-site, AAA servers, and Failover.
Goal: We informed the customer of this new ASA feature and the client requested that
this feature be implemented.
From the ASDM, choose Configuration > Device Management > Advanced > Master
Passphrase pane.
Check the Change the encryption master passphrase check box; this will enable you to
enter and confirm your new master passphrases.
Your new master passphrase must be between 8 and 128 characters long.
Type cisco123 in the New master passphrase and the Confirm master passphrase boxes.
Click Apply.
Click Send.
It is always an excellent idea to back up the configuration data. ASDM has a backup
utility built-in that will create a ZIP file on your PC with the configuration and any other
data required to recover the ASA in a failure. This is also excellent data to present to the
customer as part of final documentation for the project along with the ASA activation
key.
From the ASDM, click Tools and click Backup Configurations from the drop-down
menu.
This opens a Backup Configurations dialogue box. Notice we have several options for
what we want to back up using this backup wizard. What is different between running a
backup using this tool as opposed to backing up your startup-config to a TFTP server?
What about SSL VPN configurations, how have you backed these up in the past? You
could select Backup All and this would grey out all the boxes and back up all your ASA
files and configs.
Lets click the Browse Local button and browse to the Desktop. Type ASA-backup in
the File name.
Because we enabled the Master Passphrase in the earlier exercise, take notice of the
warning message that appears. Take a minute and read this warning! There are steps
that explain the recovery process IF you forget or lose the passphrase. Click Yes to
acknowledge the message.
We see the progress bar as all the selected items get backed up to the desktop. Now what
would happen if we selected to backup CSD image or Plug-ins but we had none of these
on the Flash? We see below that we would get a Failure message that those items are not
available.
Click OK.
Lets open the zipped file and see the contents. We can see our running and startup config
files amongst any other present files. Now we have a process to restore configs or any
other relevant file to our ASA!
As was discussed with Inside.local, they have remote teleworkers who need access to the
network resources. Inside.local had VPN capabilities with their previous firewall and will
be transitioning to SSL VPN. But for now, they would like to continue having IPsec VPN
access.
Goal: The goal for this exercise is to implement IPsec VPN for Inside.local. There is an
IPsec VPN wizard in the ASDM that will help you with your configurations.
From the ASDM, click Wizards, VPN Wizards and select IPsec (IKEv1) Remote
Access VPN Wizard (formerly known as IPsec VPN Wizard in previous ASA versions)
from the drop-down menu.
This will launch the IPsec IKEv1 Remote Access Wizard.
From the VPN Tunnel Interface, select outside from drop-down menu, and put a check in
the Enable inbound IPsec sessions to bypass interface access-lists.
Click Next.
Click Next.
Click Next.
Inside.local does have a Microsoft Active Directory server and we will be leveraging that
server for authentication, as per the originally discussed requirements. For now, we will
use local ASA accounts and then later change this to using the Active Directory server.
Select the Authenticate using the local user database radio button.
Click Next.
This next step allows you to create local accounts on the ASA.
Type janedoe in the username field and cisco123 in password and confirm password
boxes.
We need to select a VPN IP Address pool but since none exist, click New and create an
IP pool.
Name: INSIDE-IPSEC-VPN-POOL
Starting IP Address: 10.1.1.1
Ending IP Address: 10.1.1.50
Subnet Mask: 255.255.255.0
Click OK.
Type 10.0.2.10 in the Primary DNS Server and Primary WINS Server boxes.
Type inside.local in the Default Domain Name box.
Click Next.
Accept the default for the IKE Policy.
Click Next.
The next step is to create a NAT exemption to the internal LAN network.
Select inside from the Interface drop-down menu.
Click the drop-down arrow for Exempt Networks.
The IPsec VPN wizard was pretty easy and straightforward. Lets now test and see if this
will actually work.
Log into pc.outside.lab with the username administrator and cisco123 password.
Double-click to open the VPN Client from the desktop.
Click New.
Click Save.
The VPN has been established as can be seen by the gold lock in the taskbar.
Now that we have VPN connectivity, lets perform a test.
ping 10.0.2.10
Goal: Now that we have successfully tested the VPN, the goal is to leverage Insides
Active Directory user database. This will eliminate the need to create and maintain two
user account databases and will make it easier for the users to remember and use only one
account.
Our goal is to configure the ASA to query the domain controller and pass along the
authentication request. We will then test our configuration.
From the ASDM, navigate to Configuration > Device Management > Users/AAA and
select AAA Server Groups.
Click Add.
Click Apply.
Click Send.
Then click Add.
We will now provide the necessary configurations to allow the ASA to bind and query
the AD server.
Click Send.
Select Authentication and type administrator and cisco123 in the username and
password boxes.
Click OK.
If there are any error messages, return to the 10.0.2.10 server in the AD-Server group and
verify your settings. Remember, there are no spaces between the commas, and the
naming attribute is case sensitive.
The next configuration is to change the authentication method for our acme-ipsec-
tunnelgroup.
From the ASDM, navigate to Configuration > Remote Access VPN > Network
(Client) Access > IPsec (IKEv1) Connection Profiles and select inside-ipsec-
tunnelgroup.
Click Edit.
From the drop-down menu, change the User Authentication from Local to AD-server.
Click Send.
Let us re-test the VPN again and see whether our configurations will be successful.
Return to pc.outside and right click the VPN icon in the taskbar and select Disconnect.
If we recall, we had created an account on the ASA called janedoe which we had
previously used. This time we will use an account that resides on the domain controller,
johndoe.
In the user authentication box, type johndoe and cisco123 in the username and password
boxes.
Click OK.
We should see johndoes VPN session. What IP address has he been assigned from the IP
Pool? Which VPN tunnel/connection profile is he matching?
Q3.1: What version of code is running? The ASA is running the 8.4(1) version of
code.
Q3.2: How much memory is installed? There is 1 GB of memory installed on the ASA.
Q3.3: Do we have enough memory on this ASA? Yes we meet the minimum
requirements.
Q3.4: Does the licensing look the same as in past releases? If not, what has
changed? No, it has changed. We can now see time based licenses as well as permanent
and feature base licenses.
Q3.5: What licenses are installed? Security plus and advanced endpoint assessment
licenses are installed.
Q4.1: What version of code and of ASDM is running on this ASA? The ASA is
running the 8.4(1) version of code and ASDM is 6.4.1.
Q4.2: How long has this ASA been up (running)? Answer will vary.
Q4.3: What is the difference between Routed and Transparent mode? Routed mode
is when the ASA is a layer 3 hop on the network meaning that we will have different
networks for each interface while transparent mode means it has the same network
addressing on the inside and outside interface, however using different vlans. Transparent
mode is like a bridge.
Q4.4: What is the difference between Telnet and SSH? Telnet authenticates and
communicates over clear text while SSH is encrypted.
Q4.5: What ports do these applications use? Telnet uses port 23 and SSH uses port 22
by default.
Q4.6: Which is more secure? The encrypted communication of SSH make it more
secure.
Q5.1: Are there any drawbacks to having ICMP enabled? Anyone can now perform
an ICMP attack or use applications and ICMP sweeps to determine what ports are in a
listening state. ICMP can also be used to determine if a host is responsive.
Q6.1: From the server.outside.lab, what would the connections source IP address
be seen as? The source IP address would be seen as 192.0.0.252.
Q6.2: Why are we seeing a translation when we browse towards the Outside server
but not for the DMZ server? In the NAT rule that we created, we specified that the
outside interface was the destination interface. Thus, any traffic sourced from the inside
interface going to any interface other than the outside will not match this NAT rule.
Q6.3: If the traffic to the DMZ is not translated, then what will the source IP
address be seen as at the DMZ server? We will see the source IP address of 10.0.1.50.
Q6.4: Why are we now seeing a translation entry on the ASA? Now that the NAT
rule has been modified to state ANY as the destination interface, the inside traffic now
going to the DMZ interface will match this rule.
Q6.5: So now what source IP address would the DMZ server see coming to establish
connections? Because the traffic matches the NAT rule, the source IP address would be
seen as 192.0.0.252.
Q6.6: If we returned to an SSH or Telnet session to the ASA and executed a show
xlate command, what IP address would we see paired to the Email servers
10.0.2.100 IP address? We would see the 192.0.0.250 IP address as this is the IP we
used for the static NAT rule.
The configuration below was taken from pod1 after successfully completion of the lab.
: Saved
:
ASA Version 8.4(1)
!
hostname pod1-asa
domain-name inside.local
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description Interface_2_the_Internet
nameif outside
security-level 0
ip address 192.0.0.254 255.255.255.0
!
interface Ethernet0/1
description Interface_2_InsideLAN
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/2
description Interface_2_DMZ
nameif DMZ
security-level 50
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 100
no ip address
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name inside.local
object network Outside_PAT_Address
host 192.0.0.252
description Address_2_PAT_Inside_LAN
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password 8 9LbHzjgUFs0kP5nrO81NOQ6LfaZaELk9
ldap-login-dn cn=administrator,cn=users,dc=inside,dc=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-
SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-
MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy inside-ipsec-tunnelgroup internal
group-policy inside-ipsec-tunnelgroup attributes
wins-server value 10.0.2.10
1- For pc-inside Outlook connectivity issues, from the ASTEC Student Portal web
page, click on the Exchange-Inside web link.
2- For pc-outside Outlook connectivity issues, click on the Server-Outside web link.
Click on start and navigate to Programs > Administrative Tools > Services.
In the Services snap-in, expand the Name column so that you can see the full name of the
listed services below. Scroll down until you see the Microsoft Exchange Information
Store service. Select that service and click on the Start the service button on the top left
corner.
Repeat the same procedure for the Microsoft Exchange MTA Stacks service. Select that
service and click on the Start the service from the top left corner.
Once both services have been started, proceed to return to pc-inside and launch Outlook
again.