The Cisco Adaptive Security Appliance (ASA) firewall was introduced in 2005 and it was formerly known as Private Internet Exchange (PIX) firewall. The PIX firewall originated in 1994 and ended in 2008 with 7.x code. Cisco has released the ASA 5500-X next-generation firewall (NGFW) in 2012 and started to see the emergence of FirePower IPS, Application Visibility and Control (AVC), Advanced Malware Protection (AMP) and other advanced firewall capabilities.
Although the ASA firewall has many advanced features, the basics remains the same. This includes configuring IP addresses, security levels, NAT and ACL. It's been three years since I've started configuring and playing around with the ASA firewall and I still have a lot to learn with the new features and security technologies that are coming out.
Router(config)#hostname R1
R1(config)#interface fastethernet0/0
R1(config-if)#ip address 209.165.200.225 255.255.255.248
R1(config-if)#no shutdown
R1(config-if)#
*Jul 3 13:28:32.799: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jul 3 13:28:33.799: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
*Jul 3 13:29:33.995: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to downl
R1(config-if)#clock rate 64000
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/0
Router(config)#hostname R2
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jul 3 13:29:54.803: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jul 3 13:29:55.803: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jul 3 13:30:25.943: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#ip route 209.165.200.224 255.255.255.248 serial0/0/0
R2(config)#ip route 172.16.3.0 255.255.255.0 serial0/0/1
Router(config)#hostname R3
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 172.16.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jul 3 13:34:39.919: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jul 3 13:34:40.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Jul 3 13:34:42.851: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#
*Jul 3 13:35:06.927: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jul 3 13:35:07.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#do ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/1
Switch(config)#hostname S1
Switch(config)#hostname S2
Switch(config)#hostname S3
R1(config)#ip http server
R1(config)#enable password cisco
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
ciscoasa> enable
Password: <ENTER> // BY DEFAULT JUST PRESS ENTER TO GET TO PRIVILEGE MODE
ciscoasa#
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(6)6
Device Manager Version 7.4(2)
Compiled on Fri 26-Oct-12 16:36 by builders
System image file is "disk0:/asa916-6-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 19 mins 15 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is c84c.7596.e7c6, irq 11
1: Ext: Ethernet0/0 : address is c84c.7596.e7be, irq 255
2: Ext: Ethernet0/1 : address is c84c.7596.e7bf, irq 255
3: Ext: Ethernet0/2 : address is c84c.7596.e7c0, irq 255
4: Ext: Ethernet0/3 : address is c84c.7596.e7c1, irq 255
5: Ext: Ethernet0/4 : address is c84c.7596.e7c2, irq 255
6: Ext: Ethernet0/5 : address is c84c.7596.e7c3, irq 255
7: Ext: Ethernet0/6 : address is c84c.7596.e7c4, irq 255
8: Ext: Ethernet0/7 : address is c84c.7596.e7c5, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled 91 days
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1423Z47R
Running Permanent Activation Key: 0x3021cd54 0x20efac90 0xc852410c 0xb95cd094 0xc108009a
Running Timebased Activation Key: 0x11580c70 0xbc7e2ac4 0x093d128a 0x4834133b 0x8abfcf80
Configuration register is 0x1
Configuration has not been modified since last system restart.
ciscoasa# show file system
File Systems:
Size(b) Free(b) Type Flags Prefixes
* 127111168 9244672 disk rw disk0: flash: // disk0 IS ANOTHER NAME FOR FLASH
- - network rw tftp:
- - opaque rw system:
- - network ro http:
- - network ro https:
- - network rw ftp:
- - network wo cluster:
- - stub ro cluster_trace:
- - network rw smb:
ciscoasa# show flash | inc bin
202 26353488 Jul 03 2015 14:38:18 asdm-742.bin
207 4096 Apr 14 2013 03:00:06 ._asa901-k8.bin
237 27168768 Jul 03 2015 14:36:38 asa916-6-k8.bin
ciscoasa# show running-config // DEFAULT CONFIG IF write erase COMMAND IS USED
: Saved
:
ASA Version 9.1(6)6
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa(config)# config ?
configure mode commands/options:
WORD Configure from HTTP:
http(s)://[<user>:<password>@]<location>[:<port>]/<pathname>.
Place IPv6 address within square brackets if a port is
specified.
factory-default Configure from factory-default
memory Configure from memory
net Configure from tftp
exec mode commands/options:
terminal Configure using terminal/console
ciscoasa(config)# config factory-default // FACTORY RESET ASA CONFIG
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.
Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: allow-ssc-mgmt
ERROR: SSC card is not available
Executing command: no shutdown
Executing command: exit
Executing command: object network obj_any
Executing command: subnet 0.0.0.0 0.0.0.0
Executing command: nat (inside,outside) dynamic interface
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.1.5-192.168.1.36 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa# show running-config // FACTORY DEFAULT RUNNING-CONFIG
: Saved
:
ASA Version 9.1(6)6
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2 // ETH0/0 DEFAULTS ON VLAN 2 (ON ASA 5505)
!
interface Ethernet0/1 // ETH0/1-7 DEFAULTS ON VLAN 1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0 // ANY
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface // PAT INSIDE VLAN 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside // ASDM/WEB GUI
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside // AUTO DHCP IP FROM ISP
!
dhcpd address 192.168.1.5-192.168.1.36 inside // DHCP IP FOR VLAN 1
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b9ee89beb9a41c8c47b159ddaa8b1223
: end
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa# show startup-config
No Configuration
ciscoasa# reload
System config has been modified. Save? [Y]es/[N]o:n
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Default configuration file contains 1 entry.
Searching / for images to boot.
Loading disk0:/asa916-6-k8.bin... Booting...
Platform ASA5505
Loading...
IO memory blocks requested from bigphys 32bit: 9928
Àdosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 464 files, 28776/31033 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 343932928, Reserved memory: 62914560
Total SSMs found: 0
Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: c84c.7596.e7c5
88E6095 rev 2 Ethernet @ index 07 MAC: c84c.7596.e7c4
88E6095 rev 2 Ethernet @ index 06 MAC: c84c.7596.e7c3
88E6095 rev 2 Ethernet @ index 05 MAC: c84c.7596.e7c2
88E6095 rev 2 Ethernet @ index 04 MAC: c84c.7596.e7c1
88E6095 rev 2 Ethernet @ index 03 MAC: c84c.7596.e7c0
88E6095 rev 2 Ethernet @ index 02 MAC: c84c.7596.e7bf
88E6095 rev 2 Ethernet @ index 01 MAC: c84c.7596.e7be
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: c84c.7596.e7c6
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x3021cd54 0x20efac90 0xc852410c 0xb95cd094 0xc108009a
Running Timebased Activation Key: 0x11580c70 0xbc7e2ac4 0x093d128a 0x4834133b 0x8abfcf80
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled 91 days
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Cisco Adaptive Security Appliance Software Version 9.1(6)6
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
Copyright (c) 1998-2011 The OpenSSL Project.
All rights reserved.
This product includes software developed at the University of
California, Irvine for use in the DAV Explorer project
(http://www.ics.uci.edu/~webdav/)
Copyright (c) 1999-2005 Regents of the University of California.
All rights reserved.
Busybox, version 1.16.1, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Busybox comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
DOSFSTOOLS, version 2.11, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
675 Mass Ave, Cambridge, MA 02139
DOSFSTOOLS comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
grub, version 0.94, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
grub comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
libgcc, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libgcc comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
libstdc++, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libstdc++ comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
Linux kernel, version 2.6.29.6, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Linux kernel comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
module-init-tools, version 3.10, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
module-init-tools comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
numactl, version 2.0.3, Copyright (C) 2008 SGI.
Author: Andi Kleen, SUSE Labs
Version 2.0.0 by Cliff Wickman, Chritopher Lameter and Lee Schermerhorn
numactl comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
pciutils, version 3.1.4, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
pciutils comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
readline, version 5.2, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111 USA
readline comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
udev, version 146, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
udev comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
Cisco Adapative Security Appliance Software, version 9.0,
Copyright (c) 1996-2012 by Cisco Systems, Inc.
Certain components of Cisco ASA Software, Version 9.0 are licensed under the GNU
Lesser Public License (LGPL) Version 2.1. The software code licensed under LGPL
Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY. You can
redistribute and/or modify such LGPL code under the terms of LGPL Version 2.1
(http://www.gnu.org/licenses/lgpldetails.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
Flash read failed
ERROR: MIGRATION - Could not get the startup configuration.
Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201507031400.log'
Pre-configure Firewall now through interactive prompts [yes]? no
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: <ENTER>
ciscoasa# config t
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: no
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".
Please remember to save your configuration.
ciscoasa(config)# interface vlan 1 // CONFIGURE SVI FOR ASA 5505 ONLY; 5510 (5500-X) ABOVE ARE LAYER 3 PORTS
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# show interface ip brief // BY DEFAULT ALL ASA PORTS ARE SHUTDOWN
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down up
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES manual down down
Virtual0 127.1.0.1 YES unset up up
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES manual up up
Virtual0 127.1.0.1 YES unset up up
ciscoasa(config)# interface vlan 2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface e0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES manual up up
Vlan2 unassigned YES unset up up
Virtual0 127.1.0.1 YES unset up up
C:\Users\PC-B>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\PC-B>ping 192.168.1.1 // PING TO ASA VLAN 1 SVI
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
ciscoasa(config)# http ?
configure mode commands/options:
Hostname or A.B.C.D The IP address of the host and/or network
authorized to access the HTTP server
X:X:X:X::X/<0-128> IPv6 address/prefix authorized to access the HTTP
server
authentication-certificate Request a certificate from the HTTPS client when
a management connection is being established
redirect Redirect HTTP connections to the security gateway
to use HTTPS
server Enable the http server required to run Device
Manager
ciscoasa(config)# http server ?
configure mode commands/options:
enable Enable the http server required to run Device Manager
idle-timeout Idle timeout in minutes (single routed mode only)
session-timeout Session timeout in minutes (single routed mode only)
ciscoasa(config)# http server enable // ALLOWS HTTPS VIA ASDM
ciscoasa(config)# http ?
configure mode commands/options:
Hostname or A.B.C.D The IP address of the host and/or network
authorized to access the HTTP server
X:X:X:X::X/<0-128> IPv6 address/prefix authorized to access the HTTP
server
authentication-certificate Request a certificate from the HTTPS client when
a management connection is being established
redirect Redirect HTTP connections to the security gateway
to use HTTPS
server Enable the http server required to run Device
Manager
ciscoasa(config)# http 192.168.1.0 ?
configure mode commands/options:
A.B.C.D The IP netmask to apply to the IP address
ciscoasa(config)# http 192.168.1.0 255.255.255.0 ?
configure mode commands/options:
Current available interface(s):
inside Name of interface Vlan1
outside Name of interface Vlan2
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside // ALLOW HTTPS ACCESS FROM INSIDE SUBNET 192.168.1.0/24
I haven't upgraded my ASA 5505 since I bought it on Ebay. I checked the RAM requirements for 9.1(6) and my 512 MB RAM can accommodate the upgrade. I also upgraded the ASDM image to 7.4(2) according to the ASA compatibility matrix. The ASDM image also needs to be compatible with Java. My laptop was already on Java 8 and I downgraded to version 7 in order for ASDM to work.
The ASDM image can be downloaded on Cisco's website by going to: Downloads Home > Products > Security > Firewalls > Firewall Management > Adaptive Security Device Manager.
ciscoasa# ping 192.168.1.3 // PING TO TFTP SERVER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)# boot system flash:asa916-6-k8.bin
INFO: Converting flash:asa916-6-k8.bin to disk0:/asa916-6-k8.bin
ciscoasa(config)# asdm image flash:asdm-742.bin // USED JAVA VERSION 7 UPDATE 45 FOR ASDM 7.4.2 TO WORK
ciscoasa(config)# username cisco ?
configure mode commands/options:
attributes Enter the attributes sub-command mode for the specified user
nopassword Indicates that this user has no password
password The password for this user
ciscoasa(config)# username cisco password ?
configure mode commands/options:
WORD Enter the password for this user
ciscoasa(config)# username cisco password cisco ?
configure mode commands/options:
encrypted Indicates the <password> entered is encrypted
mschap The password will be converted to unicode and hashed using MD4.
User entries must be created this way if they are to be
authenticated using MSCHAPv1 or MSCHAPv2
nt-encrypted Indicates the <password> entered has been converted to unicode
and hashed using MD4, and can be used for MS-CHAP.
privilege Enter the privilege level for this user
<cr>
ciscoasa(config)# username cisco password cisco privilege ?
configure mode commands/options:
<0-15> The privilege level for this user
ciscoasa(config)# username cisco password cisco privilege 15
C:\Users\PC-B>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>telnet 192.168.1.1
User Access Verification
Password:<cisco>
Type help or '?' for a list of available commands.
CCNAS-ASA> enable
Password: *****
CCNAS-ASA#
C:\Users\PC-C>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 172.16.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.3.1
SSH from PC-C isn't working since AAA local authentication (for SSH) isn't configured yet.
To test and monitor TCP activity in ASDM, open a web browser on PC-B to 209.165.200.225 (R1's F0/0 interface).
To test or simulate the access to an external website, we can use the ASDM packet tracer utility.
We can configure on ASDM the basic ASA firewall settings such as date/time and static/default route.We could also perform basic troubleshooting in ASDM such as ping and traceroute.
We can SSH to the ASA by first enabling AAA user (LOCAL) authentication. SSH worked on PC-C afterwards.
CCNAS-ASA# show running-config
: Saved
:
: Serial Number: JMX1423Z47R
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(6)6
!
hostname CCNAS-ASA
domain-name ccnasecurity.com
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.165.200.226 255.255.255.248
!
boot system disk0:/asa916-6-k8.bin
ftp mode passive
clock timezone SGT 8
dns server-group DefaultDNS
domain-name ccnasecurity.com
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.3.3 255.255.255.255 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.3-192.168.1.30 inside
dhcpd dns 10.20.30.40 interface inside
dhcpd domain ccnasecurity.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password e1z89R3cZe9Kt6Ib encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d2e6d2d1ba03d160ffc4d3367dd59933
: end
We can allow ICMP and enable the inspection engine using the ASA Modular Policy Framework (MPF).
C:\Users\PC-B>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>ping 10.1.1.1 // R1 S0/0/0
Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
We can configure the third interface (DMZ) using SVI/VLAN 3 and configure NAT to a DMZ Server and apply ACL to access the DMZ Server from the outside interface.
CCNAS-ASA(config)# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset down down
Ethernet0/3 unassigned YES unset down down
Ethernet0/4 unassigned YES unset down down
Ethernet0/5 unassigned YES unset down down
Ethernet0/6 unassigned YES unset down down
Ethernet0/7 unassigned YES unset down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES CONFIG up up
Vlan2 209.165.200.226 YES manual up up
Vlan12 192.168.2.1 YES manual down down
Virtual0 127.1.0.1 YES unset up up
CCNAS-ASA(config)# no interface vlan 12 // CAN ONLY BE FIXED VIA ASA CLI
CCNAS-ASA(config)# interface vlan3
CCNAS-ASA(config-if)# nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
CCNAS-ASA(config-if)# no forward interface vlan1
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# interface ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shutdown
R3#ping 209.165.200.227 source 172.16.3.3 // PING DMZ SERVER FROM R3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.227, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
C:\Users\DMZ-Server>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.2.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
C:\Users\DMZ-Server>ping 192.168.1.1 // PING ISN'T ALLOWED FROM DMZ WITH LOWER SECURITY LEVEL (70) TO INSIDE VLAN WITH HIGHER SECURITY LEVEL (100). WILL NEED TO ADD AN ACL FOR IT TO WORK.
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
To monitor network activity in ASDM, we go to Monitoring page.
Although the ASA firewall has many advanced features, the basics remains the same. This includes configuring IP addresses, security levels, NAT and ACL. It's been three years since I've started configuring and playing around with the ASA firewall and I still have a lot to learn with the new features and security technologies that are coming out.
R1(config)#interface fastethernet0/0
R1(config-if)#ip address 209.165.200.225 255.255.255.248
R1(config-if)#no shutdown
R1(config-if)#
*Jul 3 13:28:32.799: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jul 3 13:28:33.799: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
*Jul 3 13:29:33.995: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to downl
R1(config-if)#clock rate 64000
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/0
Router(config)#hostname R2
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jul 3 13:29:54.803: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jul 3 13:29:55.803: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jul 3 13:30:25.943: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#ip route 209.165.200.224 255.255.255.248 serial0/0/0
R2(config)#ip route 172.16.3.0 255.255.255.0 serial0/0/1
Router(config)#hostname R3
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 172.16.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jul 3 13:34:39.919: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jul 3 13:34:40.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Jul 3 13:34:42.851: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#
*Jul 3 13:35:06.927: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jul 3 13:35:07.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#do ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/1
Switch(config)#hostname S1
Switch(config)#hostname S2
Switch(config)#hostname S3
R1(config)#ip http server
R1(config)#enable password cisco
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
ciscoasa> enable
Password: <ENTER> // BY DEFAULT JUST PRESS ENTER TO GET TO PRIVILEGE MODE
ciscoasa#
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9.1(6)6
Device Manager Version 7.4(2)
Compiled on Fri 26-Oct-12 16:36 by builders
System image file is "disk0:/asa916-6-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 19 mins 15 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is c84c.7596.e7c6, irq 11
1: Ext: Ethernet0/0 : address is c84c.7596.e7be, irq 255
2: Ext: Ethernet0/1 : address is c84c.7596.e7bf, irq 255
3: Ext: Ethernet0/2 : address is c84c.7596.e7c0, irq 255
4: Ext: Ethernet0/3 : address is c84c.7596.e7c1, irq 255
5: Ext: Ethernet0/4 : address is c84c.7596.e7c2, irq 255
6: Ext: Ethernet0/5 : address is c84c.7596.e7c3, irq 255
7: Ext: Ethernet0/6 : address is c84c.7596.e7c4, irq 255
8: Ext: Ethernet0/7 : address is c84c.7596.e7c5, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled 91 days
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1423Z47R
Running Permanent Activation Key: 0x3021cd54 0x20efac90 0xc852410c 0xb95cd094 0xc108009a
Running Timebased Activation Key: 0x11580c70 0xbc7e2ac4 0x093d128a 0x4834133b 0x8abfcf80
Configuration register is 0x1
Configuration has not been modified since last system restart.
ciscoasa# show file system
File Systems:
Size(b) Free(b) Type Flags Prefixes
* 127111168 9244672 disk rw disk0: flash: // disk0 IS ANOTHER NAME FOR FLASH
- - network rw tftp:
- - opaque rw system:
- - network ro http:
- - network ro https:
- - network rw ftp:
- - network wo cluster:
- - stub ro cluster_trace:
- - network rw smb:
ciscoasa# show flash | inc bin
202 26353488 Jul 03 2015 14:38:18 asdm-742.bin
207 4096 Apr 14 2013 03:00:06 ._asa901-k8.bin
237 27168768 Jul 03 2015 14:36:38 asa916-6-k8.bin
ciscoasa# show running-config // DEFAULT CONFIG IF write erase COMMAND IS USED
: Saved
:
ASA Version 9.1(6)6
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
shutdown
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa(config)# config ?
configure mode commands/options:
WORD Configure from HTTP:
http(s)://[<user>:<password>@]<location>[:<port>]/<pathname>.
Place IPv6 address within square brackets if a port is
specified.
factory-default Configure from factory-default
memory Configure from memory
net Configure from tftp
exec mode commands/options:
terminal Configure using terminal/console
ciscoasa(config)# config factory-default // FACTORY RESET ASA CONFIG
WARNING: The boot system configuration will be cleared.
The first image found in disk0:/ will be used to boot the
system on the next reload.
Verify there is a valid image on disk0:/ or the system will
not boot.
Begin to apply factory-default configuration:
Clear all configuration
Executing command: interface Ethernet 0/0
Executing command: switchport access vlan 2
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/1
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/2
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/3
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/4
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/5
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/6
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface Ethernet 0/7
Executing command: switchport access vlan 1
Executing command: no shutdown
Executing command: exit
Executing command: interface vlan2
Executing command: nameif outside
INFO: Security level for "outside" set to 0 by default.
Executing command: no shutdown
Executing command: ip address dhcp setroute
Executing command: exit
Executing command: interface vlan1
Executing command: nameif inside
INFO: Security level for "inside" set to 100 by default.
Executing command: ip address 192.168.1.1 255.255.255.0
Executing command: security-level 100
Executing command: allow-ssc-mgmt
ERROR: SSC card is not available
Executing command: no shutdown
Executing command: exit
Executing command: object network obj_any
Executing command: subnet 0.0.0.0 0.0.0.0
Executing command: nat (inside,outside) dynamic interface
Executing command: exit
Executing command: http server enable
Executing command: http 192.168.1.0 255.255.255.0 inside
Executing command: dhcpd address 192.168.1.5-192.168.1.36 inside
Executing command: dhcpd auto_config outside
Executing command: dhcpd enable inside
Executing command: logging asdm informational
Factory-default configuration is completed
ciscoasa# show running-config // FACTORY DEFAULT RUNNING-CONFIG
: Saved
:
ASA Version 9.1(6)6
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2 // ETH0/0 DEFAULTS ON VLAN 2 (ON ASA 5505)
!
interface Ethernet0/1 // ETH0/1-7 DEFAULTS ON VLAN 1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0 // ANY
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface // PAT INSIDE VLAN 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside // ASDM/WEB GUI
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside // AUTO DHCP IP FROM ISP
!
dhcpd address 192.168.1.5-192.168.1.36 inside // DHCP IP FOR VLAN 1
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b9ee89beb9a41c8c47b159ddaa8b1223
: end
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa# show startup-config
No Configuration
ciscoasa# reload
System config has been modified. Save? [Y]es/[N]o:n
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down License Controller
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Default configuration file contains 1 entry.
Searching / for images to boot.
Loading disk0:/asa916-6-k8.bin... Booting...
Platform ASA5505
Loading...
IO memory blocks requested from bigphys 32bit: 9928
Àdosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 464 files, 28776/31033 clusters
dosfsck(/dev/hda1) returned 0
Processor memory 343932928, Reserved memory: 62914560
Total SSMs found: 0
Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: c84c.7596.e7c5
88E6095 rev 2 Ethernet @ index 07 MAC: c84c.7596.e7c4
88E6095 rev 2 Ethernet @ index 06 MAC: c84c.7596.e7c3
88E6095 rev 2 Ethernet @ index 05 MAC: c84c.7596.e7c2
88E6095 rev 2 Ethernet @ index 04 MAC: c84c.7596.e7c1
88E6095 rev 2 Ethernet @ index 03 MAC: c84c.7596.e7c0
88E6095 rev 2 Ethernet @ index 02 MAC: c84c.7596.e7bf
88E6095 rev 2 Ethernet @ index 01 MAC: c84c.7596.e7be
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: c84c.7596.e7c6
Verify the activation-key, it might take a while...
Running Permanent Activation Key: 0x3021cd54 0x20efac90 0xc852410c 0xb95cd094 0xc108009a
Running Timebased Activation Key: 0x11580c70 0xbc7e2ac4 0x093d128a 0x4834133b 0x8abfcf80
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled 91 days
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Cisco Adaptive Security Appliance Software Version 9.1(6)6
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
Copyright (c) 1998-2011 The OpenSSL Project.
All rights reserved.
This product includes software developed at the University of
California, Irvine for use in the DAV Explorer project
(http://www.ics.uci.edu/~webdav/)
Copyright (c) 1999-2005 Regents of the University of California.
All rights reserved.
Busybox, version 1.16.1, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Busybox comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
DOSFSTOOLS, version 2.11, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
675 Mass Ave, Cambridge, MA 02139
DOSFSTOOLS comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
grub, version 0.94, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
grub comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
libgcc, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libgcc comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
libstdc++, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libstdc++ comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
Linux kernel, version 2.6.29.6, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Linux kernel comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
module-init-tools, version 3.10, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
module-init-tools comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
numactl, version 2.0.3, Copyright (C) 2008 SGI.
Author: Andi Kleen, SUSE Labs
Version 2.0.0 by Cliff Wickman, Chritopher Lameter and Lee Schermerhorn
numactl comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
pciutils, version 3.1.4, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
pciutils comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
readline, version 5.2, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111 USA
readline comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
udev, version 146, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
udev comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
Cisco Adapative Security Appliance Software, version 9.0,
Copyright (c) 1996-2012 by Cisco Systems, Inc.
Certain components of Cisco ASA Software, Version 9.0 are licensed under the GNU
Lesser Public License (LGPL) Version 2.1. The software code licensed under LGPL
Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY. You can
redistribute and/or modify such LGPL code under the terms of LGPL Version 2.1
(http://www.gnu.org/licenses/lgpldetails.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
Flash read failed
ERROR: MIGRATION - Could not get the startup configuration.
Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201507031400.log'
Pre-configure Firewall now through interactive prompts [yes]? no
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: <ENTER>
ciscoasa# config t
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: no
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".
Please remember to save your configuration.
ciscoasa(config)# interface vlan 1 // CONFIGURE SVI FOR ASA 5505 ONLY; 5510 (5500-X) ABOVE ARE LAYER 3 PORTS
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# show interface ip brief // BY DEFAULT ALL ASA PORTS ARE SHUTDOWN
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down up
Ethernet0/1 unassigned YES unset administratively down down
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES manual down down
Virtual0 127.1.0.1 YES unset up up
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES manual up up
Virtual0 127.1.0.1 YES unset up up
ciscoasa(config)# interface vlan 2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# interface e0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES manual up up
Vlan2 unassigned YES unset up up
Virtual0 127.1.0.1 YES unset up up
C:\Users\PC-B>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\PC-B>ping 192.168.1.1 // PING TO ASA VLAN 1 SVI
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
ciscoasa(config)# http ?
configure mode commands/options:
Hostname or A.B.C.D The IP address of the host and/or network
authorized to access the HTTP server
X:X:X:X::X/<0-128> IPv6 address/prefix authorized to access the HTTP
server
authentication-certificate Request a certificate from the HTTPS client when
a management connection is being established
redirect Redirect HTTP connections to the security gateway
to use HTTPS
server Enable the http server required to run Device
Manager
ciscoasa(config)# http server ?
configure mode commands/options:
enable Enable the http server required to run Device Manager
idle-timeout Idle timeout in minutes (single routed mode only)
session-timeout Session timeout in minutes (single routed mode only)
ciscoasa(config)# http server enable // ALLOWS HTTPS VIA ASDM
ciscoasa(config)# http ?
configure mode commands/options:
Hostname or A.B.C.D The IP address of the host and/or network
authorized to access the HTTP server
X:X:X:X::X/<0-128> IPv6 address/prefix authorized to access the HTTP
server
authentication-certificate Request a certificate from the HTTPS client when
a management connection is being established
redirect Redirect HTTP connections to the security gateway
to use HTTPS
server Enable the http server required to run Device
Manager
ciscoasa(config)# http 192.168.1.0 ?
configure mode commands/options:
A.B.C.D The IP netmask to apply to the IP address
ciscoasa(config)# http 192.168.1.0 255.255.255.0 ?
configure mode commands/options:
Current available interface(s):
inside Name of interface Vlan1
outside Name of interface Vlan2
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside // ALLOW HTTPS ACCESS FROM INSIDE SUBNET 192.168.1.0/24
I haven't upgraded my ASA 5505 since I bought it on Ebay. I checked the RAM requirements for 9.1(6) and my 512 MB RAM can accommodate the upgrade. I also upgraded the ASDM image to 7.4(2) according to the ASA compatibility matrix. The ASDM image also needs to be compatible with Java. My laptop was already on Java 8 and I downgraded to version 7 in order for ASDM to work.
The ASDM image can be downloaded on Cisco's website by going to: Downloads Home > Products > Security > Firewalls > Firewall Management > Adaptive Security Device Manager.
ciscoasa# ping 192.168.1.3 // PING TO TFTP SERVER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)# boot system flash:asa916-6-k8.bin
INFO: Converting flash:asa916-6-k8.bin to disk0:/asa916-6-k8.bin
ciscoasa(config)# asdm image flash:asdm-742.bin // USED JAVA VERSION 7 UPDATE 45 FOR ASDM 7.4.2 TO WORK
ciscoasa(config)# username cisco ?
configure mode commands/options:
attributes Enter the attributes sub-command mode for the specified user
nopassword Indicates that this user has no password
password The password for this user
ciscoasa(config)# username cisco password ?
configure mode commands/options:
WORD Enter the password for this user
ciscoasa(config)# username cisco password cisco ?
configure mode commands/options:
encrypted Indicates the <password> entered is encrypted
mschap The password will be converted to unicode and hashed using MD4.
User entries must be created this way if they are to be
authenticated using MSCHAPv1 or MSCHAPv2
nt-encrypted Indicates the <password> entered has been converted to unicode
and hashed using MD4, and can be used for MS-CHAP.
privilege Enter the privilege level for this user
<cr>
ciscoasa(config)# username cisco password cisco privilege ?
configure mode commands/options:
<0-15> The privilege level for this user
ciscoasa(config)# username cisco password cisco privilege 15
C:\Users\PC-B>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>telnet 192.168.1.1
User Access Verification
Password:<cisco>
Type help or '?' for a list of available commands.
CCNAS-ASA> enable
Password: *****
CCNAS-ASA#
C:\Users\PC-C>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 172.16.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.3.1
SSH from PC-C isn't working since AAA local authentication (for SSH) isn't configured yet.
To test and monitor TCP activity in ASDM, open a web browser on PC-B to 209.165.200.225 (R1's F0/0 interface).
To test or simulate the access to an external website, we can use the ASDM packet tracer utility.
We can configure on ASDM the basic ASA firewall settings such as date/time and static/default route.We could also perform basic troubleshooting in ASDM such as ping and traceroute.
We can SSH to the ASA by first enabling AAA user (LOCAL) authentication. SSH worked on PC-C afterwards.
CCNAS-ASA# show running-config
: Saved
:
: Serial Number: JMX1423Z47R
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(6)6
!
hostname CCNAS-ASA
domain-name ccnasecurity.com
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.165.200.226 255.255.255.248
!
boot system disk0:/asa916-6-k8.bin
ftp mode passive
clock timezone SGT 8
dns server-group DefaultDNS
domain-name ccnasecurity.com
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.3.3 255.255.255.255 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.3-192.168.1.30 inside
dhcpd dns 10.20.30.40 interface inside
dhcpd domain ccnasecurity.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password e1z89R3cZe9Kt6Ib encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d2e6d2d1ba03d160ffc4d3367dd59933
: end
We can allow ICMP and enable the inspection engine using the ASA Modular Policy Framework (MPF).
C:\Users\PC-B>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>ping 10.1.1.1 // R1 S0/0/0
Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Ping statistics for 10.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
We can configure the third interface (DMZ) using SVI/VLAN 3 and configure NAT to a DMZ Server and apply ACL to access the DMZ Server from the outside interface.
CCNAS-ASA(config)# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset down down
Ethernet0/3 unassigned YES unset down down
Ethernet0/4 unassigned YES unset down down
Ethernet0/5 unassigned YES unset down down
Ethernet0/6 unassigned YES unset down down
Ethernet0/7 unassigned YES unset down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES CONFIG up up
Vlan2 209.165.200.226 YES manual up up
Vlan12 192.168.2.1 YES manual down down
Virtual0 127.1.0.1 YES unset up up
CCNAS-ASA(config)# no interface vlan 12 // CAN ONLY BE FIXED VIA ASA CLI
CCNAS-ASA(config)# interface vlan3
CCNAS-ASA(config-if)# nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
CCNAS-ASA(config-if)# no forward interface vlan1
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# interface ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shutdown
R3#ping 209.165.200.227 source 172.16.3.3 // PING DMZ SERVER FROM R3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.227, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
C:\Users\DMZ-Server>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.2.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
C:\Users\DMZ-Server>ping 192.168.1.1 // PING ISN'T ALLOWED FROM DMZ WITH LOWER SECURITY LEVEL (70) TO INSIDE VLAN WITH HIGHER SECURITY LEVEL (100). WILL NEED TO ADD AN ACL FOR IT TO WORK.
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
To monitor network activity in ASDM, we go to Monitoring page.
No comments:
Post a Comment