|
|
| Line 3: |
Line 3: |
| | * [[Nextelco:ASA_basics|Configuration 1: learning the basics. Basic ip and icmp forwarding.]] | | * [[Nextelco:ASA_basics|Configuration 1: learning the basics. Basic ip and icmp forwarding.]] |
| | | | |
| − | First step is to save actual configuration into its internal disk.
| |
| | | | |
| − | NexTelCoASA>
| + | Return to [[Nextelco:Technology|Technology]] page. |
| − | NexTelCoASA>enable
| + | |
| − | Password:
| + | |
| − | NexTelCoASA#configure terminal
| + | |
| − | NexTelCoASA(config)#
| + | |
| − | NexTelCoASA(config)#copy startup-config disk0:
| + | |
| − | Destination filename [startup-config]?NexTelCoASA_startup-config_20140522
| + | |
| − | NexTelCoASA(config)#copy running-config disk0:
| + | |
| − | Destination filename [startup-config]?NexTelCoASA_running-config_20140522
| + | |
| − | NexTelCoASA(config)#show disk0:
| + | |
| − | ''shows disk0 content''
| + | |
| − | | + | |
| − | Then, we can restore the factory-settings and copy them to startup-config.
| + | |
| − | | + | |
| − | NexTelCoASA(config)#configure factory-default
| + | |
| − | ciscoasa(config)#copy running-config startup-config
| + | |
| − | ciscoasa(config)#reload
| + | |
| − | Proceed with reload? [confirm]
| + | |
| − | | + | |
| − | In order to start with a clean device without any kind of previous configuration we need to erase the configuration that is stored in the flash memory and reload again the system.
| + | |
| − | | + | |
| − | ciscoasa#write erase
| + | |
| − | Erase configuration in flash memory? [confirm]
| + | |
| − | ciscoasa#reload
| + | |
| − | Proceed with reload? [confirm]
| + | |
| − | ...
| + | |
| − | Pre-configure Firewall now through interactive prompts [yes]? No
| + | |
| − | ciscoasa>
| + | |
| − | | + | |
| − | After we have a clean device we start its configuration by setting its hostname, creating a username and password to connect to it through SSH/Telnet/ASDM, set the user privileges to 15 (highest privileges in order to have full control), set up the vlan and inferfaces and so on.
| + | |
| − | | + | |
| − | ciscoasa>
| + | |
| − | ciscoasa>enable
| + | |
| − | Password:
| + | |
| − | ciscoasa#configure terminal
| + | |
| − | ciscoasa(config)#hostname ASA1
| + | |
| − | ASA1(config)#username basicinternet password basicinternet privilege 15
| + | |
| − | ASA1(config)#interface vlan 1
| + | |
| − | ASA1(config-if)#ip address 192.168.1.1 255.255.255.0
| + | |
| − | ASA1(config-if)#nameif inside
| + | |
| − | INFO: Security level for "inside" set to 100 by default.
| + | |
| − | ASA1(config-if)#interface vlan 2
| + | |
| − | ASA1(config-if)#ip address dhcp
| + | |
| − | ASA1(config-if)#nameif outside
| + | |
| − | INFO: Security level for "inside" set to 0 by default.
| + | |
| − | ASA1(config-if)#exit
| + | |
| − | ASA1(config)#interface ethernet0/0
| + | |
| − | ASA1(config-if)#switchport access vlan 2
| + | |
| − | ASA1(config-if)#no shutdown
| + | |
| − | ASA1(config-if)#exit
| + | |
| − | ASA1(config)#interface ethernet0/1
| + | |
| − | ASA1(config-if)#no shutdown
| + | |
| − | ASA1(config-if)#exit
| + | |
| − | | + | |
| − | Now we have two different networks and two different interfaces configured, the interface 0 set to outside network and the interface 1 set to inside. In order to be able to reach internet through internal interface we need to configure Network Address Translation (NAT). The first step is to create a global interface in order to translate all inside addresses to that address. We use the number 10 but it could be 0-2147483647. Additionally we need Port Address Translation (PAT) that is why we add interface.
| + | |
| − | | + | |
| − | ASA1(config)#global (outside) 10 interface
| + | |
| − | INFO: outside interface address added to PAT pool
| + | |
| − | | + | |
| − | After this we need to link the inside network to the outside global.
| + | |
| − | | + | |
| − | ASA1(config)#nat (inside) 10 192.168.1.0 255.255.255.0
| + | |
| − | | + | |
| − | After having outside connectivity it would be nice to allow remote configuration, without the need of console communication. With the following steps we will configure remote ASDM (graphical) and SSH (CLI) communication.
| + | |
| − | # In order to set up remote SSH configuration we will follow the next steps:
| + | |
| − | ## First we generate the rsa keys of 2048 bits
| + | |
| − | ## Then we set to use the local database for ssh authentication.
| + | |
| − | ## The next step is to set from which ip addresses will ASA accept ssh connections.
| + | |
| − | # To set up the graphical interface, these are the steps:
| + | |
| − | ## Enable the http server
| + | |
| − | ## Protect the connection by redirecting all http request to https
| + | |
| − | ## Set to use the local database for http authentication.
| + | |
| − | ## Finally, set from which ip addresses will ASA accept http connections.
| + | |
| − | ASA1(config)#crypto key generate rsa modulus 2048
| + | |
| − | WARNING: You have a RSA keypair already defined name <Default-RSA-Key>.
| + | |
| − | Do you really want to replace them? [yes/no]: yes
| + | |
| − | Keypair generation process begin. Please wait...
| + | |
| − | ASA1(config)#aaa authentication ssh console LOCAL
| + | |
| − | ASA1(config)#ssh 192.168.1.0 255.255.255.0 inside
| + | |
| − | ASA1(config)#http server enable
| + | |
| − | ASA1(config)#http redirect inside http
| + | |
| − | ASA1(config)#aaa authentication http console LOCAL
| + | |
| − | ASA1(config)#http 192.168.1.0 255.255.255.0 inside
| + | |
| − | | + | |
| − | The last step is to save the configuration in memory in order to start whit the same configuration the next time
| + | |
| − | | + | |
| − | ASA1(config)#write memory
| + | |
