
Monday, July 19, 2010

CCNA Security 23

From the ASDM, we can configure the interfaces by going to Configure - Interfaces. From there, we can rename interfaces, set the security-level, change the MTU and IP address, and allow same-security-level interfaces to pass traffic. From here, we can also set an interface to obtain its address via DHCP, choose whether to take the default-gateway information from DHCP, and renew the lease.
To check the DHCP leases and bindings, we can go to the Monitoring tab. In Monitoring - Interfaces, we can find the DHCP section. If you would like to run a DHCP server, go to Configuration - Properties - DHCP Services. You will notice that the DHCP server is enabled on the management interface by default. Apart from the DHCP server, you can also configure a DHCP Relay there.

For the 5500 series ASA, you have an interface dedicated to management traffic known as Management 0/0. You can turn the management-only mode off so you can use it as an extra data port. To do this, we'll go into the management interface and remove the restriction:
interface management 0/0
no management-only


Like IOS routers, the ASA only knows connected routes by default. To allow it to route further, you'll need to create either a static route or use a routing protocol. You can also configure a default route on an ASA. Before we do any of that, let's go through some of the show commands.

The first and most common show command we use is:
show run

This will show the whole running configuration. Reading it is the most basic troubleshooting step, as we know from our IOS routers. To check on our interfaces, we use the command:
show interfaces

If you are only looking for the IP addresses and the interfaces' state, we can hide all the other details using:
show int ip br

Alternatively, if we want to see the interface names as well as the IP addresses on them, use:
show ip add

To view the routing table, we can use:
show route

To view the memory available, use:
show mem

To view the CPU usage, use:
show cpu usage

Now while we're at the basic services, we'll configure NTP. Before we configure anything, we'll need to set the timezone:
clock timezone SGT +08

Next, we'll add the NTP server using:
ntp server 192.168.1.10

NTP is configured on the ASDM at Configuration - Device Administration - Administration - NTP.

We can use authentication with NTP. NTP requires a key ID, and the key ID and key must be the same on the client and the server. Note that it is the NTP client, not the server, that does the authenticating: the ASA only accepts time from a server whose replies are validated with a trusted key. To add the key, mark it as trusted, bind it to the server we configured earlier, and turn authentication on, use:
ntp authentication-key 1 md5 cisco
ntp trusted-key 1
ntp server 192.168.1.10 key 1 source INSIDE prefer
ntp authenticate


In the ASDM, you can enable logging at Configuration - Properties - Logging - Logging Setup. You can split the logging to different devices according to severity using event lists. You can even log by email from Configuration - Properties - Logging - Email Setup.

If logging is too fast and the syslog devices are being flooded, we can configure rate limiting through Configuration - Properties - Logging - Rate Limit.

Syslog comes with facility codes. These facility codes do not affect the severity level in any way. Instead, the facility code is an identifier in the syslog message which allows the syslog server to sort messages. For example, we can configure all routers to use local0 and all switches to use local1, then sort all router messages into their own log file and do the same for the switches.
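To make the facility/severity split concrete, here is an added example (not from the original post) of what the collector side does with it: it decodes the <PRI> header of each message, where PRI = facility * 8 + severity, and files messages by facility only, so a router's error and a router's informational message land in the same file. The sample messages, device names and output file names are constructed for this example.

```python
import re
from collections import defaultdict

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Facility numbers per RFC 3164: local0-local7 are 16-23; a few standard ones for contrast.
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Sorting policy from the post: routers log to local0, switches to local1 (file names assumed).
FACILITY_TO_FILE = {"local0": "routers.log", "local1": "switches.log"}


def parse_pri(line):
    """Decode the <PRI> header: PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no <PRI> header: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), SEVERITY_NAMES[severity], m.group(2)


def route(lines):
    """Group messages by facility only; severity is decoded but never influences the routing."""
    files = defaultdict(list)
    for line in lines:
        facility, severity, msg = parse_pri(line)
        files[FACILITY_TO_FILE.get(facility, "other.log")].append((severity, msg))
    return dict(files)


# Constructed sample messages: two routers on local0, one switch on local1, one Linux host on auth.
SAMPLE = [
    "<134>Jul 19 10:00:01 R1 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.1.1.5 started",
    "<131>Jul 19 10:00:02 R2 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<141>Jul 19 10:00:03 SW1 %SYS-5-CONFIG_I: Configured from console by admin",
    "<38>Jul 19 10:00:04 srv1 sshd[1234]: Accepted publickey for alice from 10.1.1.7",
]

if __name__ == "__main__":
    for name, entries in route(SAMPLE).items():
        print(name)
        for severity, msg in entries:
            print(f"  [{severity:7}] {msg}")
```

The severity is still carried along with each message, which is what the ASA's event lists use when you split logging by severity instead.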
