...

Monday, July 19, 2010

CCNA Security 22

Now I'm going to revisit ASA basics. When we first turn on the ASA, we'll be in User mode. The User mode, like in IOS, offers a very limited command set. To get into Privileged mode, use:
enable

The default password is blank. We can either hit Return or press Backspace. By default, a device would have the Base license. With the Base license, you won't have things like Security Contexts. However, you can use 4 interfaces, 10 VLANs, 50 RA hosts, unlimited INSIDE hosts, and all VPN encryption types.

From privileged mode, we can move into the global configuration mode like in an IOS router. To do this, we'll use:
configure terminal

We should now change our enable password:
enable secret cisco

The recommended secure password should contain uppercase and lowercase letters, numbers and symbols. It should also be 8 characters or more.

From here, we can configure interfaces. For the ASA, a Fast Ethernet interface is referred to as simply Ethernet. To go into an interface, use:
interface ethernet0/0

You can turn an interface into a management-only interface using:
management-only

This command prevents all traffic THROUGH it (aka it blocks packet mode traffic).

ASA has a help system which can be invoked by typing:
help management-only

The help system also shows commands related to the one you typed.

To save a configuration, you can use:
copy run start

Alternatively, you can use:
wr

You can view the list of commands you typed previously using:
show history

You can clear out your running-configuration using:
clear configure all

You can also go to factory-defaults using:
conf factory-default

To clear the startup-configuration, use:
write erase

You can then reboot the ASA using:
reload

During the reboot process, you may encounter a delay to allow the Administrator to enter the ROMMON mode. Like an IOS router, the ASA also has a ROMMON mode. To enter it, we'll need to hit CTRL+R during bootup.

The ASA has a filesystem which you can explore through:
dir

The ASA firmware and the ASDM image are both stored in the flash as .bin files. You can store more than 1 image of each type. You can designate which to boot from using:
boot system flash:asa802-k9.bin

The Adaptive Security Algorithm does a few things. The most obvious one is that it provides stateful control. This is the actual service that provides the stateful functionality. The ASA allows one-way outbound connections with minimal configuration changes. The ASA also watches all ingress packets. These packets are all watched for state and sequence numbers (which it can also randomize). It allows the appliance to be a more defined security boundary.

Understanding security-levels is extremely important on an ASA/PIX because it is one of the first things we need to configure. It allows us to specify how trusted/protected an interface is in relation to another interface. The security-level is a number between 0 and 100. The INSIDE interface is typically 100 while the OUTSIDE interface has a default of 0. The DMZ is typically set to 50.

Traffic that originates from a less secure interface and is destined for a higher security interface is denied by default. Traffic from OUTSIDE to INSIDE, DMZ to INSIDE, or OUTSIDE to DMZ are examples. Such traffic is dropped unless specifically permitted by an access-list.

Traffic between two interfaces with the same security-level is also denied by default. We can change this behavior using:
same-security-traffic permit inter-interface

On the other hand, a host from a higher security level can statefully traverse to a lower security interface. Such would be true for INSIDE to OUTSIDE, INSIDE to DMZ, or DMZ to OUTSIDE.

The interfaces are named from interface configuration mode using:
nameif INSIDE

To set the security-level, we use:
security-level 100

There are many ways to configure an ASA. One of the ways is to use the ASDM web interface. To do this, we'll need to find a way to connect the computer to the ASA (through a switch or an interface). By default, we can obtain an IP by plugging directly to the management interface because DHCP is turned on for all management interfaces.

One should make sure that the basics are set up, such as Time, Interface Names, Host Name, and the Auth Hosts. Auth Hosts is a list of the authorized hosts allowed to configure through the web interface. All these configurations are done using:
en
conf t

!Time
clock timezone SGT 8
exit
clock set 11:13:00 19 July 2010
conf t

!Host Name
host ASA
domain-name syraxius.local

!Interface Names
in e0/0
nameif MANAGEMENT
sec 99
ip address 192.168.1.1 255.255.255.0
management-only
in e0/1
nameif INSIDE
sec 100
ip address 1.1.1.1 255.255.255.0
exit

!Auth List
http 192.168.1.150 255.255.255.255 MANAGEMENT
http server enable
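
The default security-level rules described earlier (higher to lower permitted, lower to higher and equal levels denied, nothing through a management-only interface), applied to a configuration written in the abbreviated style above. This is an added example, not part of the original post; the OUTSIDE and DMZ interfaces, the second http rule and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the page's abbreviated style (OUTSIDE, DMZ, 2nd http rule assumed).
SAMPLE = """\
in e0/0
nameif MANAGEMENT
sec 99
management-only
in e0/1
nameif INSIDE
sec 100
in e0/2
nameif OUTSIDE
sec 0
in e0/3
nameif DMZ
security-level 50
http 192.168.1.150 255.255.255.255 MANAGEMENT
http 10.0.0.0 255.0.0.0 OUTSIDE
"""

def parse(config):
    """Return ({nameif: {"level", "mgmt"}}, [(network, nameif)])."""
    ifaces, http, cur = {}, [], None
    for w in filter(None, map(str.split, config.splitlines())):
        if len(w) == 2 and "interface".startswith(w[0]):
            cur = {"level": 0, "mgmt": False}        # new interface stanza
        elif w[0] == "nameif":
            ifaces[w[1]] = cur
        elif "security-level".startswith(w[0]):      # accepts "sec 99" too
            cur["level"] = int(w[1])
        elif w[0] == "management-only":
            cur["mgmt"] = True
        elif w[0] == "http" and len(w) == 4:         # http <ip> <mask> <nameif>
            http.append((ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False), w[3]))
    return ifaces, http

def default_flow(ifaces, src, dst, same_security_permit=False):
    """Decision for new traffic src -> dst when no access-list applies."""
    s, d = ifaces[src], ifaces[dst]
    if s["mgmt"] or d["mgmt"]:
        return "deny"                 # management-only blocks through traffic
    if s["level"] == d["level"]:
        return "permit" if same_security_permit else "deny"
    return "permit" if s["level"] > d["level"] else "deny"  # high -> low only

def http_findings(ifaces, http):
    # Assumed policy: an ASDM rule should name one host on a management-only interface.
    return [f"{net} on {name}" for net, name in http
            if net.prefixlen < net.max_prefixlen or not ifaces[name]["mgmt"]]
```

Calling `http_findings(*parse(SAMPLE))` lists the rules that are broader than the single-host, management-interface pattern used in the configuration above.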


On a side note, if you don't have a system with a serial port, we can get a USB-to-Serial converter.

When we're done, we can connect to the ASA through the web browser by putting in the ASA's management interface IP (assuming that we've connected the computer through a crossover to the management interface).

We can manage ASDM as a Windows application or a Java application. If you run it as a Windows application, you will not have to double-authenticate. The launcher also works well if your version of Java is not completely compatible with the Java version.

The ASDM is very similar to the SDM and the IDM we covered in previous articles. ASDM is more similar to SDM, in that you have a Home tab, but the Configuration and Monitoring tabs that we're interested in are common across all the management GUIs.

We'll talk more about configuration in the next article. This one was about commands more specific to the ASA itself.
