Nextelco:ASA basics

From its-wiki.no
Jump to: navigation, search

Basic ASA configuration

In this section we will describe how to save ASA's actual configuration, how to erase configuration and how to make the initial configuration.


Save actual configuration

In order to save the actual configuration, we need to connect to ASA through console port and run the following commands. 

NexTelCoASA>
NexTelCoASA>enable
Password:
NexTelCoASA#configure terminal
NexTelCoASA(config)#
NexTelCoASA(config)#copy startup-config disk0:
Destination filename [startup-config]?NexTelCoASA_startup-config_20140522
NexTelCoASA(config)#copy running-config disk0:
Destination filename [startup-config]?NexTelCoASA_running-config_20140522

These are the necessary steps to save the actual and startup configuration into the device flash disk.


Erase configuration & load the correct boot image

These steps are used to erase the actual configuration and reload the device. Remember that ASA by default starts with the oldest software image. 

NexTelCoASA(config)#write erase
Erase configuration in flash memory? [confirm]
NexTelCoASA(config)#reload
System config has been modified. Save? [Y]es/[N]o:N
Proceed with reload? [confirm]
...
Pre-configure Firewall now through interactive prompts [yes]? No

If in our flash memory we have a newer software version is a good idea to change it. 

ciscoasa>enable
Password:
ciscoasa#configure terminal
ciscoasa(config)#boot system disk0:/asa805-k8.bin
ciscoasa(config)#asdm image disk0:/asdm-623.bin
ciscoasa(config)#write memory
ciscoasa(config)#reload
Proceed with reload? [confirm]


Initial configuration

In the following Figure we can see which kind of configuration we would like to set up. It is important to remember that inbound ICMP through the ASA is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.

Nextelco ASA basic conf.png

Let start with the configuration.

  1. The first step is to connect though console cable and set up its name, VLANs and interfaces. In order to be able to connect remotely, it is a good recommendation to set up ssh connection.
    2. ciscoasa>enable
Password:
ciscoasa#configure terminal
ciscoasa(config)#hostname ASA2
ASA2(config)#interface vlan 1
ASA2(config)#ip address 192.168.2.1 255.255.255.0
ASA2(config)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA2(config-if)#interface vlan 2
ASA2(config-if)#ip address 10.10.10.2 255.255.255.0
ASA2(config-if)#nameif outside
INFO: Security level for "inside" set to 0 by default.
ASA2(config-if)#exit
ASA2(config)#interface ethernet0/0
ASA2(config-if)#switchport access vlan 2
ASA2(config-if)#no shutdown
ASA2(config-if)#exit
ASA2(config)#interface ethernet0/1
ASA2(config-if)#no shutdown
ASA2(config-if)#exit
ASA2(config)#crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined name <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ASA2(config)#aaa authentication ssh console LOCAL
ASA2(config)#ssh 192.168.2.0 255.255.255.0 inside
  2. The second step is to allow ICMP traffic from inside to outside in order to leave nodes connected to inside network to ping or traceroute the outside networks. There are two different ways to allow ICMP traffic through the ASA:
    • ICMP traffic inspection
      1. This is the simplest way, we just have to and ICMP inspection to the existing inspection_default class of global_policy map.
        2. ASA2(config)#policy-map global_policy
ASA2(config-pmap)#class inspection_default
ASA2(config-pmap-c)#inspect icmp
    • Access-lists configuration
      1. Let start by defining an object-group of type icmp-type in order to classify which of icmp packets will be allowed
        2. ASA2(config)#object-group icmp-type ping_traceroute
ASA2(config-icmp)#icmp-object echo
ASA2(config-icmp)#icmp-object echo-reply
ASA2(config-icmp)#icmp-object time-exceeded
ASA2(config-icmp)#icmp-object unrechable
ASA2(config-icmp)#icmp-object traceroute
ASA2(config-icmp)#exit
      2. Having an object-group defined now we can create two different access-lists, one for inside interface and the other for outside interface. The inside one will check both IP and ICMP protocols. Since IP communications are stored in a lookup table during some time, it is not necessary to permit them to access the outside interface, this will happen automatically.
        3. ASA2(config)#access-list inside_access_in extended permit IP any any
ASA2(config)#access-list inside_access_in extended permit icmp any any object-group ping_traceroute
ASA2(config)#access-list outside_access_in extended permit icmp any any object-group ping_traceroute
      3. The last step is to apply an access-group on each interface
        4. ASA2(config)#access-group inside_access_in in interface inside
ASA2(config)#access-group outside_access_in in interface outside


Finally, we will be able to ping and access a web page available at Ubuntu from Mac.


Return to Phase 1 page.

Retrieved from "https://its-wiki.no/index.php?title=Nextelco:ASA_basics&oldid=20497"