Chapter 10 – ASA – Basic config

write erase
!
route outside
!
help reload
!
! The ASA can be restored to its factory default configuration by using the configure factory-default global configuration command.
!
!!!!!!!!!!! BASIC SETTINGS !!!!!!!!!!!!!!!
clock set 8:05:00 3 October 2011
clock timezone BOG/CO -5
console timeout 2
!
passwd terminal@2014
enable password console@2014
domain lab.local
hostname CISCO-ASA
!
! The master passphrase provides a key that is used to universally encrypt or mask all passwords, without changing any functionality.
!
key config-key password-encryption
password encryption aes
!
! As soon as password encryption is turned on and the master passphrase is available, all the user passwords will be encrypted.
!
show password encryption
!
interface g0
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
!
interface g1
 nameif INSIDE
 security-level 100
 ip address
!
! CAUTION: An ASA 5505 with a Base license does not allow three fully functioning VLAN interfaces to be created.
! However, a third “limited” VLAN interface can be created if it is first configured with the no forward interface vlan command.
! This command limits the interface from initiating contact to another VLAN.
! Therefore, when the inside and outside VLAN interfaces are configured, the no forward interface vlan number command must be
! entered before the nameif command is entered on the third interface.
! The number argument specifies the VLAN ID to which this VLAN interface cannot initiate traffic.
! The Security Plus license is required to achieve full functionality.
!
show ip address
show interface ip brief
!
route OUTSIDE 0 0
!
telnet INSIDE
telnet timeout 2
!
crypto key generate rsa general-keys modulus 1024
aaa authentication ssh console LOCAL
username admin password password123 privilege 15
ssh INSIDE
ssh timeout 3
!
show ssh
!
ntp server
ntp authenticate
ntp authentication-key 1 md5 cisco123
ntp trusted-key 1
!
show ntp status
show ntp associations
!
! Note: The ASA 5505 Base license is a 10-user license and therefore the maximum number of DHCP clients supported is 32.
! For a 50-user license, the maximum is 128 clients.
! For an unlimited user license, the maximum is 250 (which is the same as all other ASA models).
!
dhcpd enable INSIDE
dhcpd address INSIDE
dhcpd domain lab.local
dhcpd lease 3200
dhcpd dns
!
! If the ASA outside interface was configured as a DHCP client, then the dhcpd auto_config outside global configuration command
! can be used to pass DNS, WINS, and domain information obtained from the DHCP client on the outside interface to the DHCP
! clients on the inside interface.
dhcpd auto_config
!
show dhcpd state
show dhcpd binding
show dhcpd statistics
!
! Cisco ASDM is a Java-based GUI tool that facilitates the setup, configuration, monitoring, and troubleshooting of Cisco ASAs.
!
! Cisco ASDM can be used to monitor and configure multiple ASAs that run the same ASDM version.
!
copy tftp:// disk0: disk0:
!
http server enable
http INSIDE
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa local authentication attempts max-fail 3
aaa authorization exec LOCAL
asdm image disk0:/asdm-647.bin
asdm history enable
!
! The Cisco ASDM Home page displays important information about the ASA. Status information in the Home page is updated every 10 seconds.
!
! A network object name can contain only one IP address and mask pair. Therefore, there can only be one statement in the network object.
! Entering a second IP address/mask pair will replace the existing configuration.
!
! A service object name can only be associated with one protocol and port (or ports).
! If an existing service object is configured with a different protocol and port (or ports), the new configuration replaces the
! existing protocol and port (or ports) with the new ones.
!
service protocol
service tcp
service udp
service icmp
service icmp6
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
!
! Note: A network object group cannot be used to implement NAT. A network object is required to implement NAT.
!
! ASA ACLs differ from IOS ACLs in that they use a network mask (e.g., instead of a wildcard mask (e.g. Also most ASA ACLs are named instead of numbered.
!
! Therefore an ACL would be required to permit traffic from a lower security level to a higher security level.
!
! Note: To allow connectivity between interfaces with the same security levels, the same-security-traffic permit inter-interface
! global configuration command is required. To enable traffic to enter and exit the same interface, such as when encrypted traffic
! enters an interface and is then routed out the same interface unencrypted, use the same-security-traffic permit intra-interface
! global configuration command.
!
! ACLs on a security appliance can be used not only to filter out packets passing through the appliance but also to filter out packets destined to the appliance.
!
! The ASA divides the NAT configuration into two sections. The first section defines the network to be translated using a network object.
! The second section defines the actual nat command parameters. These appear in two different places in the running-config.
!
! Note: The any keyword could be used instead of the mapped-ifc parameter. This allows the translation of an object between
! multiple interfaces with just one CLI command. For example, nat (dmz, any) static would allow any device on any internal network
! access to the DMZ server using the outside IP address.
!
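
The security-level and same-security-traffic notes above, worked through as an added Python example (not part of the original notes): it parses interface stanzas and reports how the ASA treats a new connection by default. It models only the defaults with no access-group applied; the DMZ and PARTNER interfaces and their level 50 are constructed for illustration.

```python
import re

# Constructed sample in the style of the notes; DMZ/PARTNER are assumptions.
SAMPLE_CONFIG = """\
interface g0
 nameif OUTSIDE
 security-level 0
interface g1
 nameif INSIDE
 security-level 100
interface g2
 nameif DMZ
 security-level 50
interface g3
 nameif PARTNER
 security-level 50
same-security-traffic permit intra-interface
"""

def parse_policy(config):
    """Return ({nameif: security_level}, {enabled same-security-traffic modes})."""
    levels, modes, name = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new stanza, nameif not seen yet
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
        elif m := re.fullmatch(r"same-security-traffic permit (inter|intra)-interface", line):
            modes.add(m.group(1))
    return levels, modes

def default_verdict(config, src, dst):
    """Default handling of a new connection entering src and leaving dst."""
    levels, modes = parse_policy(config)
    if src == dst:                           # traffic hairpins on one interface
        return "permit" if "intra" in modes else "needs same-security-traffic permit intra-interface"
    if levels[src] > levels[dst]:            # higher to lower: allowed by default
        return "permit"
    if levels[src] < levels[dst]:            # lower to higher: ACL required
        return "needs ACL"
    return "permit" if "inter" in modes else "needs same-security-traffic permit inter-interface"

if __name__ == "__main__":
    for pair in [("INSIDE", "OUTSIDE"), ("OUTSIDE", "INSIDE"), ("DMZ", "PARTNER")]:
        print(pair, "->", default_verdict(SAMPLE_CONFIG, *pair))
```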

