Friday, March 15, 2013

What is a firewall (Part 2) and configuration of Cisco ASA 5505

Hello friends, I am back with the second part of "What is a firewall?". As I described in the last session (http://brijeshsani.blogspot.ae/2012/10/what-is-firewall.html), a firewall is basically a kind of roadblock that keeps unwanted or insecure traffic away from your own area. The job of a firewall is very similar to that of a physical firewall, which keeps fire from spreading from one place to another.

There are many firewall brands and models (Juniper/Fortigate/SonicWall/Cisco) on the market. In this session we will learn how to give a Cisco ASA 5505 firewall a basic configuration. So let's start. Below are some images of the Cisco ASA 5505 firewall.

So let's start with the configuration. After unboxing the firewall, power it on. Connect your console cable to the firewall and you will see the following:

Type help or ‘?’ for list of available commands.

ciscoasa>

Here you need to type the command “enable” to get into enable (privileged) mode, or what we could call admin mode.

ciscoasa> enable

Password:

ciscoasa#

Now you can see it is prompting for a password. Simply hit Enter here, because no enable password is configured yet. The Cisco ASA 5505 always ships with a default configuration, which we need to delete: it contains a lot of things we don't need, and it can cause network issues if you connect the device to a network where DHCP is already enabled. To delete it we use the command “write erase”.

ciscoasa# write erase

Erase configuration in flash memory? [confirm]

[OK]

ciscoasa#

You will be prompted to confirm that you want to erase the configuration. Simply hit Enter here.

Now that you have erased your startup configuration, you need to reload the ASA to get a clean configuration. Use the “reload” command for this.

ciscoasa# reload

Proceed with reload? [confirm]

ciscoasa#

*** --- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down File system

***

*** --- SHUTDOWN NOW ---

When your ASA has restarted you will get this question:

Pre-configure Firewall now through interactive prompts [yes]?

Answer “no”, since you want to configure the ASA yourself. (You want to be a Cisco engineer, right?)

Now enter enable mode (look above if you forgot how) and issue the command “show running-config” to check the current running configuration on the firewall.

ciscoasa# show running-config

Now we will start the main configuration.

The first thing you want to do is get into configuration mode. You can do this by issuing the command “configure terminal”.

ciscoasa# configure terminal

ciscoasa(config)#

The (config) after the device hostname denotes that you are in configuration mode.

Now we will assign a hostname to our ASA firewall.

ciscoasa(config)# hostname BrijeshASA

BrijeshASA(config)#

You can see the hostname changes immediately.

The next step is to set a username and password on the firewall, so you can manage the ASA from your desk with SSH/Telnet/ASDM.

BrijeshASA(config)# username BKS password BKSblog privilege 15

BrijeshASA(config)#

You can see we set privilege 15; this is important, as it is the highest privilege level and provides full control over the device.

Now we will set the inside (LAN) IP address of the ASA. On the ASA 5505 we configure VLAN interfaces instead of assigning IP addresses to the physical interfaces. We will use VLAN 2 as our inside VLAN.

BrijeshASA(config)# interface vlan 2

BrijeshASA(config-if)# ip address 172.16.1.1 255.255.255.0

BrijeshASA(config-if)# nameif inside

INFO: security level for “inside” set to 100 by default.

The interesting thing is that all ASA devices work with security levels that you apply to VLANs/interfaces. With security levels, traffic can always go from high (100) to low (0) but never the other way around unless configured otherwise. This means that no one on the outside can start a session to the inside.

Now we will move on to the outside (WAN) configuration.

There are two ways to configure the WAN interface. I will guide you through both options.

First, we will configure the WAN interface for the case where you have a static IP.

BrijeshASA(config)# interface vlan 3

BrijeshASA(config-if)# ip address 83.111.206.230 255.255.255.252

BrijeshASA(config-if)# nameif outside

INFO: Security level for outside set to 0 by default.

BrijeshASA(config-if)# exit

BrijeshASA(config)# route outside 0.0.0.0 0.0.0.0 83.111.206.229

The security level of the ASA outside interface, or WAN interface, is always 0.

You also need to add a static default route if your provider supplied you with a static IP address. The next hop of this route is your default gateway.

Second, if your ISP assigns your IP address via DHCP, the configuration becomes very easy. So let's do this.

BrijeshASA(config)# interface vlan 3

BrijeshASA(config-if)# ip address dhcp setroute

BrijeshASA(config-if)# nameif outside

With these commands you don't need to configure a default gateway, since you receive it from your provider.

Now we need to attach the outside VLAN to one of the physical interfaces of the ASA.

By default all the interfaces are attached to VLAN 2, and by default all the interfaces are in the “shutdown” state. Now I'll attach the interface “Ethernet 0/0” to the outside VLAN (VLAN 3) and make the port operational.

BrijeshASA(config)# interface ethernet0/0

BrijeshASA(config-if)# switchport access vlan 3

BrijeshASA(config-if)# no shutdown

So this interface is now attached to VLAN 3 and fully operational.

Now you need to make at least one other port functional for your inside network by typing the command “no shutdown”:

BrijeshASA(config)# interface ethernet0/1

BrijeshASA(config-if)# switchport access vlan 2

BrijeshASA(config-if)# no shutdown

The most important thing I want to point out here is that we didn't use VLAN 1, which is the default VLAN for every switch port. The reason is security: because it is the default VLAN, attackers can more easily get access to our network through it.

Now you need to configure NAT so that your internet access starts working.

At this point we need to define the global (outside) address to which all the addresses from the inside will be translated.

BrijeshASA(config)# global (outside) 10 interface

INFO: outside interface address added to PAT pool

If you notice, we use the number 10 in this command. This number is an identifier. This is how you tell the NAT rules on the inside to which outside IP address they should translate.

The second thing we do here is create the NAT rule for the inside network.

BrijeshASA(config)# nat (inside) 10 172.16.1.0 255.255.255.0

BrijeshASA(config)#

I use the number 10 in this rule as well. This links the inside network to the outside global address. The subnet states that the network 172.16.1.0/24 is allowed to be translated to the outside IP address.

So enjoy! Your internet access is now working.

Now the question is: do we really need to walk to the server room every time we need to manage our ASA? Don't worry, we can do it using SSH/Telnet or ASDM. ASDM is the GUI for the ASA and stands for Adaptive Security Device Manager.

So now I'll show you how to configure the ASA for ASDM and SSH.

Let's start with SSH. To enable SSH you need to generate an RSA key pair, which is used to encrypt the traffic between the user and the ASA. (1024 bits is the size used below; a 2048-bit or larger modulus is the recommended minimum today.)

BrijeshASA(config)# crypto key generate rsa modulus 1024

INFO: the name for the keys will be:

Keypair generation process begin. Please wait….

BrijeshASA(config)#

Now we want to use the username we made earlier to connect to the ASA with SSH.

BrijeshASA(config)# aaa authentication ssh console LOCAL

The LOCAL means that the ASA uses the local username database to authenticate users.

When this is done you need to tell ASA which IP address are allowed to connect to the ASA. We will only allow users on the inside to access the ASA by SSH.

BrijeshASA(config)# ssh 172.16.1.0 255.255.255.0 inside

So now you can access your ASA over SSH from your LAN.

Now we will enable the ASDM GUI.

BrijeshASA(config)# http server enable

The above command enables ASDM on the ASA.

We want to use the username we created earlier and tell the ASA which networks are allowed to connect to it with ASDM.

BrijeshASA(config)# aaa authentication http console LOCAL

BrijeshASA(config)# http 172.16.1.0 255.255.255.0 inside
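As an added check that is not part of the original post, the Python script below parses a constructed running-config (modelled on the commands in this post) and flags the three hardening points made above: management access (ssh/http) that is not restricted to the inside network, ASDM enabled without local authentication, and active switch ports left on the default VLAN 1. The interface name “inside”, the sample config, and treating a port with no explicit “switchport access vlan” as VLAN 1 are assumptions of this example.

```python
# Constructed sample running-config modelled on the commands in this post;
# the ssh line is deliberately weak and Ethernet0/2 is left on VLAN 1.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif inside
 ip address 172.16.1.1 255.255.255.0
interface Vlan3
 nameif outside
 ip address dhcp setroute
interface Ethernet0/0
 switchport access vlan 3
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 1
http server enable
http 172.16.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
aaa authentication ssh console LOCAL
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit(config, inside="inside"):
    """Return findings for the hardening points this post makes."""
    findings = []
    top = [l for l in config.splitlines() if not l.startswith(" ")]
    for line in top:
        t = line.split()
        # "<ssh|http> <network> <mask> <nameif>" management-access lines
        if len(t) == 4 and t[0] in ("ssh", "http") and t[1][0].isdigit():
            if t[3] != inside or t[2] == "0.0.0.0":
                findings.append(f"{t[0]} management open from {t[1]}/{t[2]} on {t[3]}")
    if "http server enable" in top and "aaa authentication http console LOCAL" not in top:
        findings.append("ASDM enabled without aaa authentication http console LOCAL")
    for name, cmds in parse_interfaces(config).items():
        if name.startswith("Ethernet") and "shutdown" not in cmds:
            vlan = next((c.split()[-1] for c in cmds if c.startswith("switchport access vlan")), "1")
            if vlan == "1":
                findings.append(f"{name} is active on default VLAN 1")
    return findings
```

Run audit() against the output of “show running-config” copied from your own ASA; an empty list means none of the three checks fired.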

When this is done, you want to make sure your ASA doesn't start up without a configuration the next time it reboots. You can do this by saving the configuration with the following command.

BrijeshASA(config)# write mem

Building configuration …

Cryptochecksum: e5fa3ae8 add2aae4 c0be8847 79cec1ba

2502 bytes copied in 1.190 secs (2502 bytes/sec)

[ok]

BrijeshASA(config)#

So friends, congratulations, your basic ASA configuration is complete.

Next time I'll guide you further through ASA firewall configuration, including firewall rules for allowing access to networks, blocking domains, policies, and other options.
