Cisco CCIE Security 350-701- Cisco ASA Configuration Part 1

  1. Manage Cisco CLI – ASA – GUI

So, managing the Cisco ASA. We can manage the Cisco ASA from the command line, just like we do on the routers. I can connect the console cable to the console port and manage it through the console. Or, if we have IP connectivity to an Ethernet port, we can manage it remotely using either Telnet or SSH; SSH is the preferred way for remote access because it is encrypted, compared to Telnet. We can also configure the ASA to be managed through a graphical interface, although most of the basic configuration we will do using the command line, such as the basic IP configuration, routing and other things.

But if you are going to do any advanced configuration on the Cisco ASA firewall, you will probably be managing it via the GUI. If you want to use the GUI, we will be using something called ASDM, the Adaptive Security Device Manager. Of course, we need to do some basic configuration on the ASA for it to support ASDM, the graphical management: we need to enable the HTTP server, we need to do some basic configuration like a username and password, we need to have IP connectivity, and we also need the ASDM image file installed in flash.

That is something I'll be covering in more detail in a separate session, where you'll see what basic configurations you have to do for the GUI. So initially we'll assume I'm using a console, and then we'll do some basic configurations. Once we have done the basic configurations, we will be covering another lab where I'll show you how to manage the ASA remotely using either Telnet or SSH. There also we need to do some basic configuration, like defining which networks you want to allow, something like that. So for the console you can use applications like PuTTY, SecureCRT or HyperTerminal. Most Windows platforms nowadays do not support HyperTerminal.

  2. Basic CLI Modes – Commands

The next thing we'll talk about is the security appliance modes. Most of the modes we use in the ASA firewall are similar to the router modes. We have the basic unprivileged mode or user mode, privileged mode and configuration mode. We also have something like router configuration mode; most of the modes are similar, and most of the commands are also similar. So if you are well aware of the router command line, we will be using almost the same commands. There will be a few slight changes. For example, with enable, by default there is no password, but whenever you type enable it is going to prompt for a password; you just need to press Enter to go to the next mode. Of course there is a global configuration mode. We can go to the global configuration mode using the config t command, and then we can get into the interface mode. Of course we can also go to router mode.

There will be slight differences in some of the commands. We can also use the Tab key to autocomplete commands. We can use shortcuts instead of typing the complete command; we can simply say interface g0/0. You can also use IOS-style help, similar to the routers. So there's not much difference, just a few things. Here I have an ASA in my GNS3, so if I exit back, this is the first mode you'll see. I'll use enable and just press Enter without any password. Generally on routers we use show ip interface brief; here we'll be using show interface ip brief. I already have some basic configuration on my ASA firewall here. Of course the commands are almost similar.

We will be using commands like show version, ping and traceroute. Of course, for enable, by default there is no password. If you want to set the password, we use the command enable password. Or I think we can also use enable secret. So let me try enable secret. You just use enable password here. The next thing: on routers, generally you cannot use show commands in the configuration mode; if you want to use show commands, we use do show, or maybe the newer IOS versions support it. But here we can use all the show commands, and also the IOS help, inside the global configuration mode.

One more thing: whenever you use the question mark, generally you'll see more options, and if you want to come back to the command line you have to press q for quit. That's the key we need to type here, q, to quit and come back to the command line. So, slight changes. You can use the show running-config command to see the running configuration. At the same time, I can use show startup-config to verify my startup configuration, the configuration which I saved. It's mostly the same thing. We will be seeing more and more commands as we progress, but technically, when you're already aware of the router command line, you don't really need to learn many new commands.

  3. ASA Security Levels

The next thing we'll talk about is ASA security levels. Security levels decide what traffic is allowed between the interfaces in general. Before we go to the security levels: in most network designs, most firewalls will be configured with different policies between the interfaces. For example, you have some internal LAN, and you want to make sure that the traffic going from the LAN to the Internet is restricted. Or you want to implement some kind of security policy, like what traffic you want to allow to the Internet, or who can access resources in the LAN from the Internet, something like that. At the same time you want to implement some security policy for access to the resources inside your DMZ, where you place all your servers. At the same time, you may also want users sitting on the Internet to be able to access your internal servers.

Now all this traffic, moving from the LAN to the Internet, or from the LAN to the DMZ, or from the DMZ to the Internet, passes through the firewall. On the firewall we need to configure some security policies, and these security policies will decide what is allowed. So we have the inside interface, the outside interface and the DMZ. This is the common naming we use for each network. Technically we could refer to them as security zones, or we can say network segments. In most networks, the most common requirement is: from the inside network, which means from the LAN, I want to make sure that all the users sitting in the LAN are able to access the Internet. At the same time I want the users sitting in the LAN to be able to access the DMZ. These are the common rules we follow, but at the same time we can decide what traffic is allowed and what traffic should not be allowed. For now, I'm just going with the basic, normal rules.

At the same time, I may want the users sitting on the DMZ to also be able to access the Internet. From the DMZ to the inside, you may not want the traffic to go; maybe some traffic you want to restrict, but generally you don't need any of the servers to access resources in the LAN. At the same time, think about the user sitting on the Internet. Someone sitting on the Internet may want to access the Yahoo server, or whatever the company web server or FTP server is. But the user sitting on the Internet should not be able to access anything in my LAN. So basically you have these kinds of requirements, but the requirements can be different from what I discussed; it all depends upon what you want.

Based on that, we'll be configuring some kind of security policies. Now, going to the ASA and configuring all these policies actually makes for a lot of configuration. So the ASA has something predefined, called security levels. Levels are just numbers, which can be given from 0 to 100. So what we'll do is assign a level to each interface: something like 100 on the interface connecting to the LAN, maybe 0 on the outside interface, and something like 50 on the DMZ. The higher the number, the more trusted that interface is. It's up to you to decide what level of trust you apply to the interface. So whenever you are connecting your ASA firewall to the LAN, the outside network and the DMZ, you generally must configure the interface with these.

Of course the IP address must be there, and also the no shutdown command; we generally configure these two commands even on the routers. But there are two additional configurations we have to do here. One is nameif; nameif means we have to give some name to this interface. You might be connecting g0/1, g0/2, g0/3 here, let's say. But most of the configurations, like an ACL, NAT or some kind of VPN configuration, which we do in the later sessions, are correlated to the interface, and there we don't refer to it as g0/1; we actually refer to it with some name. We have to give some name. I can give any name, but commonly we say inside.

That's the common name we use. You can say inside, you can say LAN, you can say internal network, whatever you want; you can use any name, it's up to you. So there are two additional parameters we need to configure compared to the routers. One is you have to give some name; if you don't give the name, the interface is not going to work. At the same time, we also need to define the security level, the level of trust on that interface. The default levels we use in general: for the inside interface we go with 100, and then the outside is not really trusted, because the inside is trusted and anything coming from the outside you don't really trust.

So we generally give the outside the lowest number of all, which is zero, and the traffic coming from the DMZ interface you may trust somewhere in between zero and 100; you can give 50. It's up to you, you can decide any number in this range, but this is what we generally use. Now, once we define the security level, based on the level or the number we assign (let's say I'm giving 100 here, 0 here, 50 here), there is a default security policy for traffic flowing through the ASA from one interface to another interface: by default, all the traffic coming from a higher level to a lower level is allowed. Which means the users sitting in the LAN can automatically access or send traffic to anything on the Internet, and at the same time the return traffic will come back, because the ASA does stateful packet inspection.

Stateful packet inspection, which I already discussed, means that the return traffic will be allowed automatically based on the state table. At the same time, the users sitting in the LAN will be able to access anything on the DMZ servers automatically, by default. And the user sitting on the Internet cannot access anything on the DMZ, because zero to 50, lower to higher, is not allowed by default. So higher to lower is allowed, but lower to higher is not allowed by default. At the same time, the user sitting on the DMZ cannot access anything in the LAN, and the user sitting on the Internet cannot initiate any traffic into the LAN in general. So this is the default security policy, which allows the ASA to automatically permit or deny some traffic based on the security levels.

Okay, now what if I want to allow the traffic from users on the Internet to the DMZ? In that case we need to configure an ACL on this interface, which will explicitly define some permit statement to allow the users on the Internet to access the DMZ. Likewise, let's say you want to restrict some traffic from the LAN to the Internet, which is allowed by default. We can apply an ACL to deny that traffic, and of course we need to say permit ip any any so the rest of the traffic is permitted. Now, once we apply the ACL on this interface, any interface, this is what I'm talking about: if there is no ACL configured, the default rule applies. We'll verify that anyway in the next section, when we do the basic configurations.

But once you apply the ACL, what traffic is allowed or denied is decided by the ACL. If the ACL says allow, it will allow; if the ACL says deny, it will automatically deny the traffic. So this is something you need to remember. Whenever there is some kind of connectivity issue, like users complaining that they are not able to access anything on the DMZ server, and you've verified everything, you also need to check on the ASA whether there is any ACL configured. Because if there is no ACL configured, normally they can access it, because 100 to 50 is higher to lower by default. But if there is an ACL configured on this interface, and that ACL is not defined with a permit statement to allow it, it's not going to allow the traffic. So these are the default security levels and the default traffic flow between the interfaces based on the security levels.

  4. ASA Interface Configurations

Now the next thing we'll see is the interface configuration on the ASA firewall. This is going to be my default topology for my labs. This is my ASA firewall, which is connecting to multiple routers. Router 1 is simulating my device on the inside interface, and router 2 is simulating a router on the outside network. So I'm going to assume this is my outside interface connecting to the Internet, and this is my inside interface. Of course I'm using router 3 as one DMZ, assuming it's a server hosting some services. Likewise, in some scenarios I may use router 4 as another DMZ, something like that. At the moment you don't really need two DMZs, but I just did the basic configuration for an additional DMZ for testing in future labs.

Now, overall configuration-wise, on the ASA it's the same commands we use on the routers. We need to assign the IP address, getting into the interface; the interface which connects to the inside network is g0/1. Assign the IP address and the other commands, the same as on a router. But inside the ASA firewall we need to add two additional commands: you must define the name (you can give any name, it's up to you; we can say inside, we can say LAN, whatever), and then you need to define the security level. The security level, as we discussed in the previous section, defines the trust of the interface: the higher the level, the more trusted any traffic initiated from that interface is considered, and 100 is the highest.

So I decided to use 100 here, 0 here, 50 here. Similarly we need to go to the interface g0/2 and assign the same things, and for the security level I decided to go with 0 on the g0/2 interface. Likewise on g0/3 I'm using the name dmz3 and a security level of 50. So if I go to this ASA, as per my topology, I think I already did the basic configuration. If I say show run interface g0/1 you can see I already configured inside with a security level of 100, and I can also verify with show run interface g0/2. Let me quickly configure the g0/3 interface. I'm going to assign the IP address as per my topology, and then I'm going to say no shutdown; you must say no shutdown.

And if I verify with show interface ip brief, I can see the g0/3 interface is shown here. Did I give it any name? nameif, say dmz3 (you can also use lowercase letters), let's say. By default, whenever you assign any name, the default security level assigned will be 0, except for the name inside. If I'm using the default name inside, then automatically the security level goes to 100 as per the defaults. But if you assign any other name, normally the security level will be 0 by default. So in my case, I want to change the security level to 50, so I'm going to change it. Of course, we can save the configuration like we do on the routers, and then we can also verify with show run interface g0/3 to verify the interface-specific configuration.

Now, the next thing: I did the same configurations on the routers with some IP addressing. You can see here, let me just go to router 1, and if I say show ip interface brief, router 1 is preconfigured with IP addresses. If you want to test the connectivity between the routers and the ASA, I'll try to test the connectivity between these two interfaces, or you can test it from the ASA itself: try to ping router 1's IP address, which is preconfigured. You can see I'm able to ping. Likewise I'll try to ping router 2, which is on the outside network. It should be able to ping.
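As an added example (not code from the course or from Cisco), the Python below parses a constructed ASA interface configuration like the one built in this section and applies the security-level rule from the previous section: nameif defaults (inside gets 100, any other name 0), higher to lower allowed by default, lower to higher denied, and an applied ACL replacing the default. The interface names, addresses and the extra dmz4 interface are assumptions made for the example.

```python
# Constructed sample ASA running-config excerpt (not from the lecture), mirroring
# the lab topology; dmz4 has no explicit security-level, so the ASA default applies.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/3
 nameif dmz
 security-level 50
 ip address 192.168.3.10 255.255.255.0
interface GigabitEthernet0/4
 nameif dmz4
 ip address 192.168.4.10 255.255.255.0
"""

def parse_interfaces(config):
    """Return {nameif: security_level} from a running-config excerpt.
    An interface with a nameif but no security-level gets the ASA default:
    100 for the name 'inside', 0 for any other name."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # start of a new interface block
        elif line.startswith("nameif "):
            name = line.split()[1]
            levels[name] = 100 if name == "inside" else 0
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels

def connection_allowed(levels, src, dst, acl_permits=None):
    """Is a NEW connection entering on src and leaving on dst permitted?
    acl_permits=None means no ACL is applied on src, so the security-level
    default decides; once an ACL is applied, its verdict replaces the default.
    Return traffic is not modeled here: stateful inspection allows it."""
    if acl_permits is not None:
        return acl_permits
    # Equal levels are denied by default (ASA behaviour not covered in the lecture).
    return levels[src] > levels[dst]
```

Run the checks against the sample to see why a user on the outside cannot reach the DMZ until an ACL permits it, while the LAN reaches both the DMZ and the Internet with no ACL at all.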
