Translate

Monday, 24 July 2017

Default and Static Routing on Cisco ASA

Hello and welcome to the tutorial on building up the Cisco ASA step by step.

In this tutorial i will describes how to configure IP routing (Default/Static) on the Cisco ASA. 




Let's know few important things first.

When we have dynamic routing protocols like OSPF or EIGRP which changes dynamically as per the situation then why we are learning static routes. Are they needed and important in ASA ?

Yes, Even if single context mode supports dynamic routing multiple context mode does not support those. We must use static routes in that case.
But
We may use static routes in single context mode in few cases:

The existing networks use a different routing protocol like EIGRP or OSPF.
OR 
The network is small and we can easily manage static routes.
OR
We do not want the traffic or CPU overhead due to routing protocols.

SO,

We can configure a default route to send all traffic to an next hop router, relying on the router to route the traffic for us. However, in cases the default gateway might not be able to reach the intended destination network and so we also configure more specific static routes. 

For example, if the default gateway(route) is pointing outside, then how can a default route direct traffic to any inside or DMZ network that are not directly connected to the security appliance.

AGENDA:

•Configuring Default Route on Cisco ASA.
Configuring Static Route on Cisco ASA.

Configuring Default Routes:

Default route is a route which forwards all the unknown traffic to one specified interface. The networks whose path is not known are sent to a default gateway which is an default route.

Here we will configure our ASA to send any unknown route to external routers connected interface from where it will routed to internet.


Topology:


To add default route, commands are:

Mountain(config)# route outside 0 0 192.168.3.254
or
Mountain(config)# route outside 0.0.0.0 0.0.0.0 192.168.3.254
(Route any traffic of any subnet mask to 192.168.3.254 which is on Outside Interface)

Verify:



Now every unknown traffic will be routed to default gateway which is 192.168.3.254.
Lets try to ping the Internet IP "8.8.8.8" from the LAN network.




Configuring Static Routes:

We have to add a specific route for DMZ network so that it doesn't get routed to external router via default route. We will configure a static route so that any traffic to 10.144.16.254 coming on ASA will be routed to the DMZ routers connected interface.

To add static route commands are:

Mountain(config)# route DMZ 10.144.16.254 255.255.255.255 192.168.2.254
(Route traffic for 10.144.16.254/32 to 192.168.2.254 through DMZ interface)


Verify:


The distance is the administrative distance for the route. The default is 1 if you do not specify a value. 



Administrative distance is a parameter used to compare routes priority among different routing protocols. The default administrative distance for static routes is 1, giving it precedence over routes discovered by dynamic routing protocols but not directly connect routes. 
If a static route has the same administrative distance as a dynamic route, the static routes take precedence. Connected routes always take precedence over static or dynamically discovered routes.

Static routes remain in the routing table even if the specified gateway becomes unavailable. 
If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. However, dynamic routes are removed from the routing table if the specified interface goes down. 
They are reinstated when the interface comes back up.

If you create a static route with an administrative distance greater than the administrative distance of the routing protocol running on the security appliance, then a route to the specified destination discovered by the routing protocol takes precedence over the static route.
The static route is used only if the dynamically discovered route is removed from the routing table.

Friends, i have successfully demonstrated how to configure the ASA to enable the firewall admin to access the ASA from his management system via ASDM or SSH.

To get better clarification for the concepts, please watch the video tutorial linked above.

Subscribe my Youtube channel for further updates, like and comment your suggestions and also click the bell icon for update notification.

Thank You.


YouTube Channel    Facebook Group


Wednesday, 19 July 2017

ASDM & SSH access on Cisco ASA.

Hello and welcome to the tutorial on building up the Cisco ASA step by step.

Today we are heading forward in our journey where we will configure our Cisco ASA to get accessed from the firewall admin's local system via ASDM & SSH.

In this series till now we have accessed our ASA only via console. Today I will demonstrate how to access the appliance via ASDM or SSH, rather how to configure the ASA to do so.

Topology:






In this setup we will configure the ASA in such a manner that the management system of the Firewall admin will be able to access the ASA with SSH by putty or via ASDM.


ASDM Access :

The first thing we need in this config is to have a "ASDM .bin" file which is the image file and a TFTP application by which we need to upload the ".bin" file in the flash memory of the ASA.

*I am using the tftpd32 application in this demonstration.


Install the application and copy the .bin file in the folder where the application is installed.





Commands to execute on console:

Mountain# configure terminal

(To get in the global config mode)

Mountain(config)#copy tftp: flash:

(To copy TFTP files to Flash memory)

*interactive config starts*

Address or name of remote host []? 192.168.1.100

(Specify the TFTP servers IP address when asked "192.168.1.100")

Source filename []? asdm-649-103.bin

(Specify the file name when asked "asdm-649-103.bin")

Destination filename?(Hit enter)
(Its preferred to keep the same file name so hit enter)

And then copying starts
Accessing tftp://192.168.1.100/asdm-649-103.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!19706880 bytes copied in 73.890 secs (269957 bytes/sec)

Now we have copied our .bin image file in the flash of the ASA. Now time to tell the ASA to use that .bin file as ASDM image file.

Command:

Mountain(config)# asdm image flash:/asdm-649-103.bin
(ASDM file is in flash and which is "asdm-649-103.bin")

Verify:


We have uploaded the ASDM image in flash and specified ASA to use that. 
lets access the ASA from the Mgmt system to get the copy of the same.



What happened, why we are not able to connect ?

?
?
The reason is access,  How we are connecting ?
Https righ, so do we have the required access ?
Is the https service enabled ?
No the answers is no, so lets do that.


Commands:

Mountain(config)# configure terminal
(To get in the global config mode)
Mountain(config)# http server enable
(To enable http & https service on ASA)
Mountain(config)# http 192.168.1.100 255.255.255.255 Inside
(Says provide http & https access to "192.168.1.100/32" when coming from "Inside" interface)

Now lets try.



The certificate notification as the certificate used by the ASA is self signed and our browser will never accept it.

Lets continue as we know its still secure to proceed.

Now we are given a link to either Install the ASDM launcher on our system or to run the java based ASDM.


lets download the launcher.

Not, we are asked for user name and password which is not mandatory but will be later.

After download is complete, install the application and open it.




Still we can proceed without username and password but why to keep the ASA vulnerable. To counter this we have to ask our ASA to authenticate every http session terminating on it.



Commands:

Mountain(config)# aaa authentication http console LOCAL
(Authenticate the http sessions via local user database)

Now we also have to create a user ID and password.

Commands:

Mountain(config)# username sai password sai@12345
(User name is "sai" where as the password is "sai@12345")

Lets try to login now.



Continue to process further.




We can see the Home tab of the ASDM with various details which involve  health, interface status, traffic log etc.





Configuration tab where we can configure the appliance.




Monitor tab to monitor the appliance.






Now let's try to enable SSH access.

Lets first try to access the ASA via putty from the management system.



No we are not allowed to, think what might be the issue.

?
?
?
Yes, the RSA keys. 

We needs the Asymmetric RSA keys so that we can build a secure tunnel to share our symmetric key(our password) so that traffic then gets encrypted by it.

Commands:


Mountain(config)# domain-name Madness.com
(Domain name for keys)
Mountain(config)# crypto key generate rsa modulus 1048
(Create a crypto key 1024 bits strong)

Output:


Mountain(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

Lets try again.
Still the same.




What is missing now ? how we are accessing the appliance. Do we have the required access ?


No, we have not allowed any one to access the ASA on port 22 yet.



Commands:


Mountain(config)# ssh 192.168.1.100 255.255.255.255 Inside

(Says provide ssh access to "192.168.1.100/32" when coming from "Inside" interface)



Also ask the ASA to authenticate every SSH connection.



Mountain(config)# aaa authentication ssh console LOCAL
(Authenticate the ssh sessions via local user database)


Now we can access.





Friends, i have successfully demonstrated how to configure the ASA to enable the firewall admin to access the ASA from his management system via ASDM or SSH.

To get better clarification for the concepts, please watch the video tutorial linked above.

Subscribe my Youtube channel for further updates, like and comment your suggestions and also click the bell icon for update notification.

Thank You.


YouTube Channel      Facebook Group 

Onion Secure YT       Onion Secure FB

Wednesday, 12 July 2017

ASA Interface And Other Basic Configuration

Hello and welcome to the tutorial on building up the Cisco ASA step by step.

Today we are heading towards the first tutorial where we will build our Cisco ASA from scratch. 
We will configure the ASA with basic requirements and will get its interfaces up and running and also troubleshoot the most probable issues faced while doing the same. 







Agenda:


# Setting up the privilege mode password.

# Naming the appliance

# Configuring the interfaces



Topology





Requirement 1.

Privilege mode password:
Cisco ASA appliance comes with no privilege mode password. We are prompt for password but we can just enter the mode without any.


Set the privilege mode password as “secret@123” to restrict any one to get access in. 

Configuration:
ciscoasa> enable
(To get in the privilege mode)
ciscoasa# configuration terminal
(To get in the global config mode)
ciscoasa(config)#enable password Secret@123
(Enables the privilege mode password as Secret@123)
ciscoasa(config)#exit
(To exit the mode)
ciscoasa#wr
(To save the config)
ciscoasa#exit
ciscoasa>

Now we will try to enter the privilege mode without the password as we did before.

ciscoasa> enable (To get in the privilege mode)


We are not allowed to make in the privilege mode as we are not specifying the password which has been configured earlier.

Now lets try with the password.

ciscoasa> enable
Password: **********
And we are now allowed to make in the privilege mode.

Now let's move towards next requirement.

Requirement 2.

Naming the device:
Cisco ASA appliance comes with default host name as ciscoasa.
Change the hostname to “Mountain”.

Our this requirement ask us to change the host name to "Mountain".

Let's configure:

Ciscoasa>enable
Password: ********
ciscoasa#configure terminal
ciscoasa(config)#hostname Mountain
(To specify host name is Mountain)

As we executive the command the hostname changes immediately.



Now let's move towards the last requirement for this tutorial.

Requirement 3:
Interface configuration:
Default interface status on Cisco ASA appliance is down.
Configure the cisco ASA interfaces as below
Interface  gigabitEthernet 1
Ip address 192.168.1.1/24
Name it Inside
Security level 100

Let's configure

Mountain>enable
Password: ********
Mountain#configure terminal
Mountain (config)#interface gi 1
(To enter the interface config mode)
Mountain (config-if)#ip address 192.168.1.1 255.255.255.0
(Specifying the IP address and netmask)
Mountain (config-if)#no shut
(Enabling the interface)

As per our L3 switches and routers this is the minimum config required to enable a interface. But in ASA this doesn't works.
The proof is as below.




The interface is up but the ip address is still missing and which mean the interface is not yet in working state.

Naming the interface is very important in ASA.
Now the question arises on security level. Is it important ?
Yes, it is also the important factor in interface configuration but as per the default Cisco design, security level of 100 is given to the interface, when we configure the interface with name as Inside and 0 to all other Interfaces.

So if we fail to configure it, the default 100 or 0 will be assigned but if we want to define our own levels, then we have to do that manually.

Mountain (config-if)#nameif Inside
(Naming the Interface)
Mountain (config-if)#security level 100
(Configuring the security level)
Mountain (config)#exit
Mountain (config)#exit

Let's verify the interface status
Mountain#show interface if brief
(Getting the brief interface status)


Similarly we have too configure the second Interfaces.

Interface  gigabitEthernet 2
Ip address 192.168.2.1/24
Name it DMZ
Security level 75

Commands:
Mountain#configure terminal
Mountain (config)#interface gi 2
Mountain (config-if)#ip address 192.168.2.1 255.255.255.0
Mountain (config-if)#nameif DMZ
Mountain (config-if)#no shut
Mountain (config-if)#security level 75
Mountain (config-if)#exit
Mountain (config)#exit

The sequence of the command doesn't matters.

Verification
Mountain#show interface if brief



And the third Interfaces.

Interface  gigabitEthernet 0
Ip address 192.168.3.1/24
Name it Outside
Security level 0

Commands:
Mountain#configure terminal
Mountain (config)#interface gi 1
Mountain (config-if)#ip address 192.168.3.1 255.255.255.0
Mountain (config-if)#nameif Outsidr
Mountain (config-if)#no shut

And as we said Outside then pre-desined security level gets configured.



Mountain (config)#exit
Mountain (config)#exit


Verification
Mountain#show interface if brief

Friends, we have successfully configured all the basic requirements which were the part of agenda.

To get better clarification for the concepts, please watch the video tutorial linked above.

Also subscribe my Youtube channel for further updates and also like and comment your suggestions.

Thank You.

YouTube Channel      Facebook Group

Onion Secure YT      Onion Secure FB