ASA Cheatsheet

Enable SSH on the ASA
asa(config)# domain-name company.local
asa(config)# crypto key generate rsa
asa(config)# ssh 0.0.0.0 0.0.0.0 outside (0.0.0.0 0.0.0.0 permits SSH from any source address on the outside interface; give a specific network and mask to limit it to your management hosts)
asa(config)# username asaadmin password l3tmein priv 15
asa(config)# aaa authentication ssh console LOCAL
Setting Up PAT for LAN Internet Access
To configure Port Address Translation (PAT) so that your internal LAN can access the Internet, you need to:
1. Use the nat command to specify the internal addresses you want translated:
   nat (inside) 1 0.0.0.0 0.0.0.0
2. Set up a corresponding global command with the address you want to translate to (here the outside interface address). The NAT ID (1) ties the nat and global statements together:
   global (outside) 1 interface
Setting Up Static NAT For Public Servers
--------------------------------------------------------------------
To configure Static Network Address Translation for 1-to-1 mappings for hosts like web servers, you need to use the static command.
Syntax for the static command: static (real_interface,mapped_interface) mapped_ip real_ip netmask mask (note the order: the mapped, public address comes before the real, inside address)
static (inside,outside) 63.227.68.12 192.168.2.12 netmask 255.255.255.255
static (dmz,outside) 66.123.45.95 192.168.64.45 netmask 255.255.255.255
Commands to view NAT details:
·         show local-host – displays the active TCP and UDP flows on the firewall, for all hosts or for a specified host.
Configure Logging on the ASA
--------------------------------------------------------------------
To configure buffered logging and syslog logging:
1. Enable logging: logging enable
2. Timestamp logs: logging timestamp
3. Enable buffered logging: logging buffered errors (by default the ASA allocates 4096 bytes of buffer memory; this can be changed with logging buffer-size xxxx)
Configure Routes
--------------------------------------------------------------------
To configure a default gateway,
·         route outside 0.0.0.0 0.0.0.0 gatewayIP metric
To configure routes for internal destination networks,
·         route inside 192.168.10.0 255.255.255.0 gatewayIP metric
Configure access-list
--------------------------------------------------------------------
Access lists are configured similarly to those on a Cisco router. You create an extended access list with commands like the ones below (the text in parentheses is explanation, not part of the command):
·         access-list outside_access_in extended remark Allow port 80 to WebServer A (creates a comment in the access list)
·         access-list outside_access_in extended permit tcp any host 192.168.80.4 eq 80 (allows traffic destined for 192.168.80.4 on port 80 through the firewall)
·         access-list outside_access_in extended permit tcp any object-group WebServerSubnet eq 80 (an object-group lets you group multiple hosts or networks that need the same ports allowed; see below)
·         access-list outside_access_in extended deny ip any any log (blocks all other traffic and logs it)
To create an object-group for use in your access lists, from global configuration mode:
1. object-group network WebServerSubnet
2. network-object 192.168.76.0 255.255.255.0
Access lists are applied to an interface using:
·         access-group outside_access_in in interface outside (where in is the direction of the traffic flow)
Commands:
·         show access-list – shows the access list, with the hit count per entry.
asa_RaTunnel (remote-access IPsec VPN example)
--------------------------------------------------------------------
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.17.17.0 255.255.255.0 10.17.21.0 255.255.255.0
ip local pool vpnpool 10.17.21.170-10.17.21.190 mask 255.255.255.0
nat (outside) 1 10.17.21.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
group-policy OHI_RACiscoGRP internal
group-policy OHI_RACiscoGRP attributes
 wins-server value 10.17.17.30
 dns-server value 10.17.17.30 4.2.2.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain value ohallorans.local
tunnel-group OHI_RACiscoGRP type remote-access
tunnel-group OHI_RACiscoGRP general-attributes
 address-pool vpnpool
 default-group-policy OHI_RACiscoGRP
tunnel-group OHI_RACiscoGRP ipsec-attributes
 pre-shared-key c1sco123v
username vpnuser attributes
 vpn-group-policy OHI_RACiscoGRP
asa_site2sitetunnel (site-to-site IPsec VPN example)
--------------------------------------------------------------------
access-list outside_1_cryptomap permit ip 172.16.2.0 255.255.255.0 10.17.17.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 10.17.17.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 63.86.81.70
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
tunnel-group 63.86.81.70 type ipsec-l2l
tunnel-group 63.86.81.70 ipsec-attributes
 pre-shared-key *********
Show pre-shared keys
--------------------------------------------------------------------
OHI-ASAFW# sh run | b tunnel-group
OHI-ASAFW# sh run isakmp
OHI-ASAFW# more system:running-config | b tunnel-group
(show running-config masks the pre-shared key as *********; more system:running-config displays it in clear text)
Commands:
ASAFW# show crypto isakmp policy – view the crypto policy.
ASAFW# show crypto ipsec transform-set – view the current transform set.
ASAFW# show crypto engine connections active – display the active IPSec connections.
ASAFW# sh run cry
ASAFW# sh run nat
ASAFW# sh access-l inside_nat0_outbound
ASAFW# sh cry isa sa
ASAFW# sh cry ipsec sa peer  216.243.196.203
ASAFW# debug crypto ipsec
ASAFW# debug crypto isakmp
ASAFW# clear cry isakmp
ASAFW# clear cry ipsec sa peer 216.243.196.203
ASAFW# clear crypto ipsec sa counters
ASAFW# sh access-l outside_1_cryptomap
ASAFW# sh run manage
ASAFW# sh xlate | in
ASAFW# packet-tracer in inside icmp 10.127.12.254 8 0 192.168.129.252 det
Other commands
--------------------------------------------------------------------
·         Use packet tracer to simulate traffic flow through the ASA to view how it will process certain types of packets. Example: packet-tracer input outside tcp 66.55.44.33 1459 201.6.44.3 80 detailed.
·         Use packet capture to confirm whether packets are actually being transmitted and received by the ASA. Example capturing an internal host talking to an external server:
ASA CAPTURE
----------------------------------------------------
access-list capture_acl permit ip host <server_ip> host <client_ip>
access-list capture_acl permit ip host <client_ip> host <server_ip>
capture inside access-list capture_acl interface inside
capture outside access-list capture_acl interface outside
examples:
c) Special case: capture with NAT involved
Capturing with NAT is no more complex than without; you simply need to alter your access lists so that each one matches the address the host has on that interface.
Consider the following topology with NAT:
host (192.168.1.5) -------- ASA ---------- Server on the Internet (64.87.193.45)
As the host passes through the ASA, its IP address will obviously need to be NAT'd: it can't speak on the Internet with an RFC 1918 private address. Capture access lists therefore need to be built for whatever IP the host is known by on each interface.
Let's say we have the same scenario as in b, but our server is now on the Internet. Also, as our client passes through the firewall, it is NAT'd to address 12.34.5.23.
-------------------------------------------------------------------------------
access-list capture_acl_inside permit ip host 64.87.193.45 host 192.168.1.5
access-list capture_acl_inside permit ip host 192.168.1.5 host 64.87.193.45
access-list capture_acl_outside permit ip host 64.87.193.45 host 12.34.5.23
access-list capture_acl_outside permit ip host 12.34.5.23 host 64.87.193.45
And our capture commands might look like this:
capture capinside access-list capture_acl_inside interface inside
capture capoutside access-list capture_acl_outside interface outside
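As an added example (not from the original notes), the Python below applies the 8.2-style NAT rules used throughout this cheatsheet (nat 0 exemption, then static, then nat/global PAT) to work out which address an inside host is known by on the outside, and builds the inside/outside capture ACLs from that; the configuration text and the outside interface address 12.34.5.23 are constructed for the example.

```python
"""Which address is an inside host 'known by' on the outside interface under the ASA 8.2-style
NAT rules in this cheatsheet? Added example; the configuration and addresses below are constructed."""
import ipaddress

CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.17.17.0 255.255.255.0 10.17.21.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) 63.227.68.12 192.168.2.12 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""
OUTSIDE_IP = "12.34.5.23"  # assumed address of the outside interface (what 'global ... interface' PATs to)

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    r = {"acls": {}, "exempt": [], "statics": [], "dynamic": [], "globals": {}}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":                    # ... permit ip SRC MASK DST MASK
            r["acls"].setdefault(t[1], []).append((net(t[-4], t[-3]), net(t[-2], t[-1])))
        elif t[0] == "nat" and t[2] == "0":          # nat (inside) 0 access-list NAME
            r["exempt"].append(t[4])
        elif t[0] == "nat":                          # nat (inside) ID REAL_NET MASK
            r["dynamic"].append((t[2], net(t[3], t[4])))
        elif t[0] == "static":                       # static (real,mapped) MAPPED REAL netmask MASK
            r["statics"].append((t[3], t[2]))
        elif t[0] == "global":                       # global (outside) ID interface|IP
            r["globals"][t[2]] = t[3]
    return r

def outside_address(rules, src, dst):
    """ASA 8.2 evaluation order: nat 0 exemption, then static, then dynamic nat/global."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in a and d in b for n in rules["exempt"] for a, b in rules["acls"].get(n, [])):
        return src                               # exempt (e.g. towards the VPN pool): untranslated
    for real, mapped in rules["statics"]:
        if src == real:
            return mapped
    for nat_id, real_net in rules["dynamic"]:
        if s in real_net and nat_id in rules["globals"]:
            g = rules["globals"][nat_id]
            return OUTSIDE_IP if g == "interface" else g
    raise ValueError(f"no NAT rule translates {src}")

def capture_acls(rules, client, server):
    # Inside ACL matches the real address; the outside ACL must use the translated one (section c).
    mapped = outside_address(rules, client, server)
    rows = [("inside", client, server), ("inside", server, client),
            ("outside", mapped, server), ("outside", server, mapped)]
    return [f"access-list capture_acl_{ifc} permit ip host {a} host {b}" for ifc, a, b in rows]
```

Running capture_acls(parse(CONFIG), "192.168.1.5", "64.87.193.45") reproduces the four capture ACL lines from the NAT scenario above, with the outside pair built on 12.34.5.23 rather than the private address.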
So I captured the packet data, how do I view it?
Well, there are two ways of viewing the packet data:
1) show capture <capture_name> - this will give you the raw CLI output of the packets captured. This is useful when simply wondering what type of traffic the host produced, the number of packets sent, simple TCP flags set, etc. You can even do a show capture <capture_name> detail to look at the packets in a manner that would be seen in Ethereal/Wireshark.
2) The CLI viewing method is good, fast, and sometimes all we need to verify the data. However, most of us want to see the capture in Ethereal/Wireshark and have that application analyze the packets in an aesthetically pleasing manner. There are two ways to gather a packet capture, in pcap form, from a firewall:
via CLI - show capinside
a) single-context: copy /pcap capture:inside tftp:
-or- multi-context: copy /pcap capture:admin/inside tftp:
via HTTPS
b) single-context: https://<ASA_IP>/capture/<capture_name>/pcap
-or- multi-context: https://<ASA_IP>/capture/<context>/<capture_name>/pcap
Restoring Factory Defaults to the Cisco ASA5505
ASAFW(config)# configure factory-default
Configure DHCP on Cisco ASA5505
dhcpd dns 10.17.17.32 4.2.2.2
dhcpd wins 10.17.17.32
dhcpd domain rmi.local
dhcpd address 10.17.20.107-10.17.20.126 inside
dhcpd enable inside
