
Wednesday 19 July 2017

ASDM & SSH access on Cisco ASA.

Hello and welcome to the tutorial on building up the Cisco ASA step by step.

Today we move forward in our journey and configure the Cisco ASA so that it can be accessed from the firewall admin's local system via ASDM and SSH.

In this series so far we have accessed our ASA only via the console. Today I will demonstrate how to access the appliance via ASDM or SSH, or rather how to configure the ASA to allow that.

Topology:






In this setup we will configure the ASA so that the firewall admin's management system can access the ASA over SSH with PuTTY or via ASDM.


ASDM Access :

The first thing we need for this config is the ASDM ".bin" image file and a TFTP application, with which we upload the ".bin" file into the flash memory of the ASA.

*I am using the tftpd32 application in this demonstration.


Install the application and copy the .bin file into the folder where the application is installed.





Commands to execute on console:

Mountain# configure terminal

(To get in the global config mode)

Mountain(config)#copy tftp: flash:

(To copy TFTP files to Flash memory)

*interactive config starts*

Address or name of remote host []? 192.168.1.100

(Specify the TFTP server's IP address when asked: "192.168.1.100")

Source filename []? asdm-649-103.bin

(Specify the file name when asked: "asdm-649-103.bin")

Destination filename? (Hit Enter)
(It is preferable to keep the same file name, so just hit Enter)

And then the copying starts:
Accessing tftp://192.168.1.100/asdm-649-103.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
19706880 bytes copied in 73.890 secs (269957 bytes/sec)

Now we have copied our .bin image file into the flash of the ASA. Next we tell the ASA to use that .bin file as its ASDM image.

Command:

Mountain(config)# asdm image flash:/asdm-649-103.bin
(The ASDM image is in flash and its file name is "asdm-649-103.bin")

Verify:


We have uploaded the ASDM image to flash and told the ASA to use it.
Let's access the ASA from the management system to get a copy of the launcher.



What happened? Why are we not able to connect?

?
?
The reason is access. How are we connecting?
Over HTTPS, right? So do we have the required access?
Is the HTTPS service enabled?
No, the answer is no, so let's do that.


Commands:

Mountain# configure terminal
(To get into the global config mode)
Mountain(config)# http server enable
(To enable the HTTP/HTTPS service on the ASA)
Mountain(config)# http 192.168.1.100 255.255.255.255 Inside
(Provides HTTP/HTTPS access to "192.168.1.100/32" when coming from the "Inside" interface)

Now let's try.



The certificate warning appears because the certificate used by the ASA is self-signed, so our browser will not trust it.

Let's continue, as we know it is still secure to proceed.

Now we are given a link to either install the ASDM launcher on our system or to run the Java-based ASDM.


Let's download the launcher.

Now we are asked for a user name and password, which is not mandatory yet but will be later.

After download is complete, install the application and open it.




We can still proceed without a username and password, but why keep the ASA vulnerable? To counter this we have to ask our ASA to authenticate every HTTP session terminating on it.



Commands:

Mountain(config)# aaa authentication http console LOCAL
(Authenticate HTTP sessions against the local user database)

Now we also have to create a user ID and password.

Commands:

Mountain(config)# username sai password sai@12345
(The user name is "sai" and the password is "sai@12345")

Let's try to log in now.



Continue to process further.




We can see the Home tab of ASDM with various details, including device health, interface status, traffic logs etc.





The Configuration tab, where we can configure the appliance.




The Monitoring tab, to monitor the appliance.






Now let's try to enable SSH access.

Let's first try to access the ASA via PuTTY from the management system.



No, we are not allowed to. Think about what might be the issue.

?
?
?
Yes, the RSA keys.

We need asymmetric RSA keys so that we can build a secure tunnel to share our symmetric key (our password), so that the traffic then gets encrypted with it.

Commands:


Mountain(config)# domain-name Madness.com
(Domain name used for the keys)
Mountain(config)# crypto key generate rsa modulus 1024
(Create a 1024-bit RSA key pair)

Output:


Mountain(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

Let's try again.
Still the same.




What is missing now? How are we accessing the appliance? Do we have the required access?


No, we have not allowed anyone to access the ASA on port 22 yet.



Commands:


Mountain(config)# ssh 192.168.1.100 255.255.255.255 Inside

(Provides SSH access to "192.168.1.100/32" when coming from the "Inside" interface)



Also ask the ASA to authenticate every SSH connection.



Mountain(config)# aaa authentication ssh console LOCAL
(Authenticate SSH sessions against the local user database)
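The ASDM and SSH sections above each fail twice before working (service or keys missing, then no permitted source, then no authentication). The check below, an added example that is not part of the original post, audits an ASA running-config excerpt for exactly those settings: HTTP server enabled, ASDM image selected, each access line limited to a single /32 host, LOCAL authentication for both services, and at least one local user. The sample config is constructed from this post's commands, and the function name and message texts are my own.

```python
import re
from typing import List

# Constructed running-config excerpt built from the commands in this post
# (not captured from the author's appliance).
SAMPLE_CONFIG = """
hostname Mountain
domain-name Madness.com
asdm image flash:/asdm-649-103.bin
http server enable
http 192.168.1.100 255.255.255.255 Inside
aaa authentication http console LOCAL
ssh 192.168.1.100 255.255.255.255 Inside
aaa authentication ssh console LOCAL
username sai password sai@12345
"""

# "http <host> <mask> <interface>" and "ssh <host> <mask> <interface>" lines.
ACCESS_RE = re.compile(r"^(http|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit_mgmt_access(config: str) -> List[str]:
    """Return a list of findings; an empty list means all checks passed.
    The RSA key pair is not part of the running-config, so it is not checked
    here; verify it on the box with 'show crypto key mypubkey rsa'."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings: List[str] = []
    # ASDM prerequisites: HTTPS server on and an image selected.
    if "http server enable" not in lines:
        findings.append("http: server not enabled, ASDM connections are refused")
    if not any(l.startswith("asdm image ") for l in lines):
        findings.append("http: no asdm image selected, the launcher page has nothing to serve")
    for svc in ("http", "ssh"):
        allowed = [m for m in map(ACCESS_RE.match, lines) if m and m.group(1) == svc]
        if not allowed:
            findings.append(f"{svc}: no source host/interface permitted, access will fail")
        for m in allowed:  # the post permits one admin host; wider masks are flagged
            if m.group(3) != "255.255.255.255":
                findings.append(f"{svc}: {m.group(2)} {m.group(3)} on {m.group(4)} is wider than one host")
        if f"aaa authentication {svc} console LOCAL" not in lines:
            findings.append(f"{svc}: sessions are not authenticated against the LOCAL user database")
    # LOCAL authentication only works if at least one local account exists.
    if not any(l.startswith("username ") for l in lines):
        findings.append("no local username configured for LOCAL authentication")
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE_CONFIG) or ["all management-access checks passed"]:
        print(finding)
```

Paste the output of `show running-config` into `SAMPLE_CONFIG` to audit a real appliance.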


Now we can access.





Friends, I have successfully demonstrated how to configure the ASA so that the firewall admin can access it from his management system via ASDM or SSH.

To get better clarification of the concepts, please watch the video tutorial linked above.

Subscribe to my YouTube channel for further updates, like and comment with your suggestions, and also click the bell icon for update notifications.

Thank You.


YouTube Channel: Onion Secure YT | Facebook Group: Onion Secure FB
