Friday, March 15, 2013

What is a firewall (Part 2) and configuration of Cisco ASA 5505

Hello friends, so I am back with the second part of "What is a Firewall?". As I described in the last session (http://brijeshsani.blogspot.ae/2012/10/what-is-firewall.html), a firewall is basically a kind of roadblock that keeps unwanted/insecure traffic away from your own area. The job of a firewall is very similar to that of a physical firewall, which keeps fire from spreading from one place to another.

There are many firewall brands and models (Juniper/Fortigate/Sonicwall/Cisco) on the market. In this session we will learn how to configure a Cisco ASA 5505 firewall with a basic configuration. So let's start now. These are some images of the Cisco ASA 5505 firewall.

So let's start with the configuration. After opening the box you need to power on the firewall. Connect your console to the firewall and you will see the following:

Type help or ‘?’ for list of available commands.

ciscoasa>

Here you need to type the command "enable" to get into enabled mode, or we can say admin mode.

ciscoasa> enable

Password:

ciscoasa#

Now you can see it is prompting for a password. Simply hit enter here because there is no enable password configured. The Cisco ASA 5505 always comes with a default configuration which we need to delete, as this default configuration has a lot of things we don't require and can create network issues if you connect it to your DHCP-enabled network. To delete it we will use the command "write erase".

ciscoasa# write erase

Erase configuration in flash memory? [confirm]

[OK]

ciscoasa#

You will be prompted to confirm that you want to erase the configuration. Simply hit enter here.

Now that you erased your startup configuration you will need to reload the ASA to get a clean configuration. You will use the “reload” command for this.

ciscoasa# reload

Proceed with reload? [confirm]

ciscoasa#

*** --- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down File system

***

*** --- SHUTDOWN NOW ---

Now when the ASA has restarted you will get this question:

Pre-configure Firewall now through interactive prompts [yes]?

Answer with "no" since you want to configure the ASA yourself. (You want to be a Cisco engineer, right?)

Now enter enabled mode (look above if you forgot how) and issue the command "show running-config" to check the current running configuration on the firewall.

ciscoasa# show running-config

Now we will start the main configuration.

The first thing you want to do is get into configuration mode. You can do this by issuing the command "configure terminal".

ciscoasa# configure terminal

ciscoasa(config)#

The (config) after the device hostname denotes that you are in configuration mode.

Now we will assign a hostname to our ASA firewall.

ciscoasa(config)# hostname BrijeshASA

BrijeshASA(config)#

Now you can see the hostname changed immediately.

Next we need to set a username and password on the firewall so you can manage the ASA from your desk with SSH/Telnet/ASDM.

BrijeshASA(config)# username BKS password BKSblog privilege 15

BrijeshASA(config)#

You can see we set privilege 15; this is very important as it is the highest privilege level and provides full control over the device.

Now we will configure the inside (LAN) IP address for the ASA. On the ASA 5505 we configure VLANs instead of giving IP addresses to the physical interfaces. We will use VLAN 2 as our inside VLAN.

BrijeshASA(config)# interface vlan 2

BrijeshASA(config-if)# ip address 172.16.1.1 255.255.255.0

BrijeshASA(config-if)# nameif inside

INFO: security level for “inside” set to 100 by default.

This is the interesting thing: all ASA devices work with security levels that you apply to VLANs/interfaces. With security levels, traffic can always go from high (100) to low (0) but never the other way around unless configured otherwise. This means that no one from the outside can start a session to the inside.

Now we will start on the outside (WAN) configuration.

There are two ways to start the configuration of the WAN interface. I will guide you through both options.

First we will configure the WAN interface if you have a static IP.

BrijeshASA(config)# interface vlan3

BrijeshASA(config-if)# ip address 83.111.206.230 255.255.255.252

BrijeshASA(config-if)# nameif outside

INFO: Security level for outside set to 0 by default.

BrijeshASA(config-if)# exit

BrijeshASA(config)# route outside 0.0.0.0 0.0.0.0 83.111.206.229

The security level for the ASA outside interface, or we can say the WAN interface, is always 0.

You also need to make a static route if your provider supplied you with a static IP address. This is called the default gateway.

The second way is if your ISP provides the IP by DHCP; in this case the configuration becomes very easy. So let's do this.

BrijeshASA(config)# interface vlan 3

BrijeshASA(config-if)# ip address dhcp setroute

BrijeshASA(config-if)# nameif outside

With these commands you don't need to configure a default gateway since you will get it from your provider.

Now we need to attach the outside VLAN to one of the interfaces of the ASA.

By default all the interfaces are attached to VLAN 2 and are in the "shutdown" state. Now I'll attach the interface "Ethernet 0/0" to the outside VLAN (vlan 3) and make the port operational.

BrijeshASA(config)# interface ethernet0/0

BrijeshASA(config-if)# switchport access vlan 3

BrijeshASA(config-if)# no shutdown

So this interface is attached to vlan 3 and fully operational now.

Now you need to make at least one other port functional for your inside network by typing the command "no shutdown":

BrijeshASA(config)# interface ethernet0/1

BrijeshASA(config-if)# switchport access vlan 2

BrijeshASA(config-if)# no shutdown

The most important thing I want to note here is that, if you notice, we didn't use VLAN 1, which is the default VLAN for every switch port. The reason behind this is security: because it is the default VLAN, attackers can more easily get access to our network through it.

Now you need to configure NAT so that your internet service starts.

At this point we need to make a global entry on the outside interface to which all the addresses from the inside can be translated.

BrijeshASA(config)# global (outside) 10 interface

INFO: outside interface address added to PAT pool

If you notice, we used the number 10 in this command. The number 10 is an identifier. This way you can tell the NAT rules on the inside which outside IP address they should translate to.

The second thing we will do here is make a NAT rule for the inside network.

BrijeshASA(config)# nat (inside) 10 172.16.1.0 255.255.255.0

BrijeshASA(config)#

I used the number 10 in this rule too. This links the inside network to the outside global. The subnet states that the network 172.16.1.0/24 is allowed to be translated to the outside IP address.

So enjoy now! Your internet service has started.

Now the question is whether we really need to walk to the server room every time we need to manage our ASA. Don't worry, we can do it using SSH/Telnet or ASDM. ASDM is the GUI for the ASA, which stands for Advanced Security Device Manager.

So now I’ll show you how to configure ASA for ASDM and SSH.

So let’s start first with SSH. To enable SSH you will need to generate a key which will encrypt the traffic between the user and the ASA.

BrijeshASA(config)# crypto key generate rsa modulus 1024

INFO: the name for the keys will be:

Keypair generation process begin. Please wait….

BrijeshASA(config)#

Now we want to use the username we made earlier to connect to the ASA with SSH.

BrijeshASA(config)# aaa authentication ssh console LOCAL

The LOCAL means that the ASA uses the local username database to authenticate users.

When this is done you need to tell the ASA which IP addresses are allowed to connect to it. We will only allow users on the inside to access the ASA by SSH.

BrijeshASA(config)# ssh 172.16.1.0 255.255.255.0 inside

So now you can access your ASA from your LAN.

Now we will enable ASDM GUI.

BrijeshASA(config)# http server enable

The above command enables ASDM on the ASA.

We want to use the username we made earlier and tell the ASA which networks are allowed to connect to it with ASDM.

BrijeshASA(config)# aaa authentication http console LOCAL

BrijeshASA(config)# http 172.16.1.0 255.255.255.0 inside

When this is done you want to make sure your ASA doesn't start up without a configuration the next time it reboots. You can do this by saving the configuration with the following command.

BrijeshASA(config)# write mem

Building configuration …

Cryptochecksum: e5fa3ae8 add2aae4 c0be8847 79cec1ba

2502 bytes copied in 1.190 secs (2502 bytes/sec)

[ok]

BrijeshASA(config)#
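An added check, not part of the original post: a small Python script that audits a running-config built from the commands above (assumed to be pasted from "show running-config", pre-8.3 NAT syntax) for the slips that most often lock an admin out or over-expose management: a NAT id with no matching global, a malformed netmask on the ssh/http line, management allowed from a non-inside interface, a missing aaa line, and a switch port left on VLAN 1. The sample config is constructed from this post's commands, with one deliberately mistyped ASDM netmask (25.255.255.0) for the checker to find.

```python
import ipaddress
import re

# Constructed sample of the running-config this post builds (pre-8.3 NAT syntax),
# with one deliberately mistyped ASDM netmask for the checker to catch.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif inside
 ip address 172.16.1.1 255.255.255.0
interface Vlan3
 nameif outside
 ip address 83.111.206.230 255.255.255.252
interface Ethernet0/0
 switchport access vlan 3
interface Ethernet0/1
 switchport access vlan 2
global (outside) 10 interface
nat (inside) 10 172.16.1.0 255.255.255.0
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 25.255.255.0 inside
ssh 172.16.1.0 255.255.255.0 inside
"""

def audit_asa_config(config: str) -> list[str]:
    """Return findings that would leave the box unreachable or over-exposed."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    nat_ids, global_ids = set(), set()
    for line in lines:
        if m := re.match(r"nat \(\w+\) (\d+) ", line):
            nat_ids.add(m.group(1))
        elif m := re.match(r"global \(\w+\) (\d+) ", line):
            global_ids.add(m.group(1))
        elif re.match(r"switchport access vlan 1$", line):
            findings.append("switch port left on default VLAN 1")
        elif m := re.match(r"(ssh|http) (\S+) (\S+) (\w+)$", line):
            proto, addr, mask, ifname = m.groups()
            try:  # a bad mask silently locks you out of SSH/ASDM
                ipaddress.ip_network(f"{addr}/{mask}")
            except ValueError:
                findings.append(f"{proto}: malformed address/mask '{addr} {mask}'")
                continue
            if ifname != "inside":
                findings.append(f"{proto}: management allowed from '{ifname}', not inside")
    findings += [f"nat id {n} has no matching global" for n in sorted(nat_ids - global_ids)]
    findings += [f"{p}: no aaa authentication configured" for p in ("ssh", "http")
                 if f"aaa authentication {p} console LOCAL" not in lines]
    return findings
```

Run it against your own "show running-config" output before "write mem"; an empty list means the management plane is restricted to the inside network and the NAT pair is consistent.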

So friends, congratulations, your ASA configuration is complete.

Next time I'll guide you further through ASA firewall configuration, including firewall rules to access networks/block domains, policy, and other options.

Sunday, March 10, 2013

WHY MOST OF THE BOSSES FAILED TO BE AN “IDEAL”

In the last few months I observed that some of my friends resigned from their positions, even though these companies are among the most well-known/strongest MNCs. I asked a few of them why they left/resigned, expecting an answer like "I was looking for a more challenging role" or "the same post/responsibilities were killing my talents", but instead they said they couldn't work with their bosses any more.

The work was stimulating and the team was great, but their managers were unbearable to work with. In this situation companies lose good employees on a regular basis, and all the managers sit around a conference table trying to address employee attrition and developing strategies for employee retention.

After this observation I decided to do some research on where most bosses fail to be an ideal for their subordinates. Or we can say, how can we spot bad bosses in every company, including ourselves? No doubt somewhere we are also a boss for someone.

Divide and Rule Policy: Bad bosses always believe in the divide and rule policy. They always manipulate their team members and employees, even their own bosses. They always have the psychology that this way they will get more importance from their team members/employees/colleagues and their own bosses.

Lack of communication: Bad bosses always try to hide the right information from their team members. They always keep all the information to themselves. This situation really demotivates their team members, when they get the right information in the middle or at the end of each work/task and need to start their work from scratch.

Always Feel Insecure: Bad bosses always feel insecure whenever they see someone in their team/company who has more capability to grow and gives better results than them. In this situation they always use all their efforts to pull that team member/colleague down. And many times they avoid giving any important task to that team member so that he/she can't show his/her real talent for getting the job done.

Make unrealistic plans: Bad bosses always make big/unrealistic plans just to impress top management. It is common in every organization that bosses accept a plan even when they know their team doesn't have enough capable resources to achieve it. This condition puts an extra burden on the existing team members to finish the plan on time.

Politics and Inequity: The most common issue with every bad boss is that they turn the workplace into a political ground. Instead of concentrating on the work, or on supporting the team, bad bosses are always busy making political plans to bring someone in their team/company down. These types of bosses always keep some sycophantic employees with them and feed them (whether they are working or not) to support their political plans to bring down someone else in the company/team.

Backbiters: Backbiting bosses always talk about everyone behind their backs. Remember, this type of boss always shows that they are doing better than someone else. And in this case they always talk first about whoever is the most sincere in their team/company, so that everyone starts forming a wrong image of those sincere people.

Lack of Confidence: As they are not trustworthy due to their negative image, they always have a low-confidence issue. Bad bosses always order/assign work to their team while noting that the super bosses decided this, not them. This always shows that they aren't confident whether the team/employees will accept their decision or not. They know someone could raise a finger if they declared that they took this decision themselves and not management.

Never talk straight: Bad bosses never talk straight about any work. They always talk in a merry-go-round way but never to the point. You will go to discuss some issue but they will never talk about that issue and will start talking about something else.

Maybe the points given above are few, but these are the main factors that destroy a boss's image as an ideal boss. It's not only about our bosses; remember it's about us too, because we are also the future bosses. I hope this article helps to reduce our negative habits, so that we can build an example of a good boss.