Basic Cisco ASA 5506-x Configuration (Firepower)
www.NetProtocolXpert.com 1
Network Requirements
• In a typical business environment, the network is comprised of three segments: Internet, user, and optionally a DMZ network. The DMZ network is used to host publicly accessible servers such as a web server, email server and so on. The Cisco ASA acts as a firewall as well as an Internet gateway.
• LAN users and web servers all have Internet access.
• LAN users have full access to the web server network segment (DMZ1), but DMZ1 does not have any access to the LAN (in case the DMZ is compromised).
• Anyone on the Internet can access the web server via a public NAT IP address over HTTP.
• All other traffic is denied unless explicitly allowed.
Update ASA software and ASDM code
• Download the recent stable release from Cisco.com and transfer the code to the ASA.
• Set the system to boot to the new image, and configure the ASDM image to be used.
  ASA1(config)# boot system disk0:/asa952-lfbff-k8.SPA
  ASA1(config)# asdm image disk0:/asdm-752.bin
• Write memory and verify the bootvar is set correctly. Reboot the system to load the new image.
Security levels on Cisco ASA Firewall
• Before jumping into the configuration, I'd like to briefly touch on how Cisco ASAs work in a multi-level security design. The concept is not Cisco specific; it applies to any other business-grade firewall.
• By default, traffic passing from a lower to a higher security level is denied. This can be overridden by an ACL applied to the lower-security interface. Also, the ASA by default allows traffic from higher to lower security interfaces; this behaviour can also be overridden with an ACL. Security levels are numbers between 0 and 100: 0 is usually placed on the untrusted network such as the Internet, and 100 is the most secured network. In our example we assign security levels as follows: LAN = 100, DMZ1 = 50 and outside = 0.
• LAN is considered the most secured network. It hosts not only internal user workstations but also mission-critical production servers. LAN users can reach other networks; however, no inbound access is allowed from any other network unless explicitly allowed.
• DMZ1 hosts public-facing web servers. Anyone on the Internet can reach the servers on TCP port 80 for HTTP.
• The design idea here is that we don't allow any possibility of compromising the LAN. All "inbound" access to the LAN is denied unless the connection is initiated from the inside hosts. Servers in DMZ1 serve Internet web traffic and internal user traffic from the LAN.
Network Design and IP Assignment
• For simplicity, we assume the SOHO network has fewer than 200 users and does not have a layer 3 switch on the LAN. All user and server traffic points to the ASA as the default gateway to the Internet. We assign each network segment a /24 (255.255.255.0) subnet mask.
• User LAN network:
  Subnet: 192.168.0.0/24
  Gateway: 192.168.0.1 (ASA inside interface)
  LAN host (for testing): 192.168.0.200
• DMZ1 network:
  Subnet: 192.168.1.0/24
  Gateway: 192.168.1.1 (ASA dmz1 interface)
  Web server: 192.168.1.10
• Internet:
  Internet host (for testing): 10.1.1.200
Step 1: Configure ASA interfaces and assign appropriate security levels
• The ASA 5506-X comes with 8 GigE routed interfaces. We are going to use three of them in this network: inside (100), dmz1 (50) and outside (0).
interface GigabitEthernet1/1
description to WAN
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/2
description to LAN
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/3
description to DMZ1
nameif dmz1
security-level 50
ip address 192.168.1.1 255.255.255.0
!
Step 2: Configure ASA as an Internet gateway, enable Internet access
• Two things are required for the internal hosts to reach the Internet: configuring Network Address Translation (NAT) and routing all traffic to the ISP. You do not need an ACL because all outbound traffic traverses from a higher security level (inside and dmz1) to a lower security level (outside).
  nat (inside,outside) after-auto source dynamic any interface
  nat (dmz1,outside) after-auto source dynamic any interface
• The configuration on the previous slide states that for any traffic coming from the inside and dmz1 networks, the source IP is translated to the outside interface's IP for outbound Internet traffic. The "after-auto" keyword makes this NAT rule the least preferred one: it is evaluated only after Manual NAT and Auto NAT rules. We give it the least preference to avoid possible conflicts with other NAT rules, such as the static NAT for the web server in Step 3.
• Next, configure a default route so that all traffic goes to the upstream ISP. 10.1.1.2 is the gateway the ISP provided.
  route outside 0.0.0.0 0.0.0.0 10.1.1.2
• Also make sure "inspect icmp" is configured under global_policy. It allows ICMP return traffic to pass the ASA when the ping is initiated from inside hosts.
  policy-map global_policy
   class inspection_default
    inspect icmp
• At this point, you should be able to ping the host 10.1.1.200 on the Internet from any internal subnet.
Step 3: Configure static NAT to web servers, grant Internet inbound access to web servers
• First we define two network objects for the web server, one for its internal IP and one for its public-facing IP (ASA object names cannot contain spaces, so underscores are used).
  object network WWW_NPX_EXT
   host 10.1.1.10
  !
  object network WWW_NPX_INT
   host 192.168.1.10
  !
  nat (dmz1,outside) source static WWW_NPX_INT WWW_NPX_EXT
• Anyone on the Internet trying to access the web server will use the public IP defined in WWW_NPX_EXT; the ASA translates it to the private IP defined in WWW_NPX_INT.
• With the address translation in place, we need to configure an ACL that allows inbound Internet traffic to the web server, and apply that ACL to the outside interface.
  access-list OUTSIDE extended permit tcp any object WWW_NPX_INT eq www
  access-list OUTSIDE extended permit icmp any4 any4 echo
  access-group OUTSIDE in interface outside
• The ACL permits traffic from anywhere to the web server (WWW_NPX_INT: 192.168.1.10) on port 80. Note that the ACL references the real (untranslated) address: since ASA 8.3, access rules are evaluated against real IPs, not the NAT-mapped ones. For troubleshooting and demonstration purposes, we also allow ICMP echo. In a real-world network, I recommend disallowing ping for higher security.
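To see how the security levels, the static NAT and the OUTSIDE ACL combine into the Network Requirements stated at the start, here is an added example (not code from the slides) that models the ASA's first-packet decision for this exact configuration and checks each requirement; it assumes a simplified model in which stateful return traffic and hairpinning are not considered.

```python
"""Model of the forwarding decisions produced by the Step 1-3 configuration.

Added example, not code from the slides. It encodes the three interfaces with
their security levels, the static NAT for the web server and the OUTSIDE
access list, then checks every Network Requirement against the model.
Simplification (assumption): only the first packet of a new connection is
evaluated; stateful return traffic is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Step 1: nameif -> (security-level, directly connected subnet).
INTERFACES = {
    "outside": (0, ipaddress.ip_network("10.1.1.0/24")),
    "inside": (100, ipaddress.ip_network("192.168.0.0/24")),
    "dmz1": (50, ipaddress.ip_network("192.168.1.0/24")),
}

# Step 3: static NAT, public (mapped) address -> real address of the web server.
STATIC_NAT = {"10.1.1.10": "192.168.1.10"}


@dataclass(frozen=True)
class Ace:
    """One access-control entry; dst is 'any' or a real (untranslated) host."""
    proto: str
    dst: str
    port: Optional[int] = None
    icmp_type: Optional[str] = None


# Step 3: access-list OUTSIDE, applied inbound on the outside interface.
ACLS = {
    "outside": [
        Ace("tcp", "192.168.1.10", 80),        # permit tcp any object WWW_NPX_INT eq www
        Ace("icmp", "any", icmp_type="echo"),  # permit icmp any4 any4 echo
    ],
}


def interface_for(addr: str) -> str:
    """Interface an address lives behind; anything else follows the default route."""
    for name, (_, net) in INTERFACES.items():
        if ipaddress.ip_address(addr) in net:
            return name
    return "outside"


def untranslate(dst: str) -> str:
    """ASA 8.3+ un-translates the destination before ACL lookup, so ACLs see real IPs."""
    return STATIC_NAT.get(dst, dst)


def acl_permits(ifname: str, proto: str, dst: str, port, icmp_type) -> bool:
    for ace in ACLS[ifname]:
        if ace.proto != proto:
            continue
        if ace.dst != "any" and ace.dst != dst:
            continue
        if ace.port is not None and ace.port != port:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return True
    return False  # implicit deny at the end of every ACL


def allowed(src: str, dst: str, proto: str = "tcp", port=None, icmp_type=None) -> bool:
    """Would the ASA forward the first packet of src -> dst?"""
    in_if = interface_for(src)
    real_dst = untranslate(dst)
    out_if = interface_for(real_dst)
    if in_if == out_if:
        return False  # hairpinning needs same-security-traffic permit intra-interface
    if in_if in ACLS:
        # An inbound ACL on the interface replaces the security-level default.
        return acl_permits(in_if, proto, real_dst, port, icmp_type)
    # No ACL: a higher security level may initiate to a lower one, never the reverse.
    return INTERFACES[in_if][0] > INTERFACES[out_if][0]


def check_requirements() -> dict:
    """Each Network Requirement from the slides, evaluated against the model."""
    return {
        "lan_to_internet": allowed("192.168.0.200", "10.1.1.200", "tcp", 443),
        "dmz_to_internet": allowed("192.168.1.10", "10.1.1.200", "tcp", 443),
        "lan_to_dmz_web": allowed("192.168.0.200", "192.168.1.10", "tcp", 80),
        "dmz_to_lan": allowed("192.168.1.10", "192.168.0.200", "tcp", 445),
        "internet_to_web_http": allowed("10.1.1.200", "10.1.1.10", "tcp", 80),
        "internet_to_web_ssh": allowed("10.1.1.200", "10.1.1.10", "tcp", 22),
        "internet_to_lan": allowed("10.1.1.200", "192.168.0.200", "tcp", 80),
        "internet_ping_web": allowed("10.1.1.200", "10.1.1.10", "icmp", icmp_type="echo"),
    }


if __name__ == "__main__":
    for name, ok in check_requirements().items():
        print(f"{name:24s} {'permit' if ok else 'deny'}")
```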
Step 4: Configure DHCP service on the ASA
• This step is optional. If you have a DHCP server on the LAN you can skip to the next step. For small businesses that do not have a server in house, you may configure the ASA to be a DHCP server.
• Specify a DHCP address pool and the interface on which clients connect. We reserve a few addresses before and after the pool for future network devices or appliances that require a static IP.
  dhcpd address 192.168.0.5-192.168.0.250 inside
• Specify the IP addresses of the DNS servers for client use. It is always a good idea to have a secondary DNS server in case the primary fails.
  dhcpd dns 9.9.9.9 4.2.2.2
• Specify the lease length to be granted to the client. This is the amount of time (in seconds) the client can use its allocated IP address before the lease expires. Enter a value between 0 and 1,048,575. The default value is 3600 seconds. The ping_timeout (in milliseconds) is how long the ASA waits for a reply to the ping it sends to verify that an address is unused before offering it.
  dhcpd lease 3600
  dhcpd ping_timeout 50
• Enable the DHCP service to listen for DHCP client requests on the chosen interface. Note that dhcprelay timeout applies only to the DHCP relay agent, not to the dhcpd server configured here.
  dhcpd enable inside
  dhcprelay timeout 60
(Optional) Step 5: Redirect traffic to the FirePOWER module for deeper level inspection
• In order to use any of the ASA's next-generation firewall features, Cisco requires customers to order subscription-based licenses for the FirePOWER module. The subscriptions can be purchased for 1, 3 or 5 years, with a discount on the longer terms. The licenses available are:
  • Intrusion detection and prevention (IPS license)
  • Application Visibility and Control (AVC)
  • File control and advanced malware protection (AMP)
  • Application, user, and URL control (URL Filtering)
• The IPS license is required for the AVC, AMP and URL Filtering licenses.
• If you have a FirePOWER feature license and want to send traffic to the FirePOWER module for deeper inspection, here is an example that sends all traffic to FirePOWER. If the module fails (a software failure on the 5506-X; on the 5585-X the module is hardware), fail-open bypasses the FirePOWER module so traffic passes without inspection. Use sfr fail-close instead if you would rather drop traffic while the module is down.
  class-map global-class
   match any
  policy-map global_policy
   class global-class
    sfr fail-open
Step 6: Hardening the device
• Shut down unused interfaces
  interface GigabitEthernet1/4
   shutdown
  ! repeat for GigabitEthernet1/5 through 1/8
• Enable SSH access for admin
• There are three steps to enable SSH access:
  • Create a hostname for your ASA
  • Generate an RSA key
  • Configure SSH access to the ASA, and only allow it from known IPs/networks.
Configuration example:
  ASA1(config)# hostname ASA1
  ASA1(config)# crypto key generate rsa modulus 1024
  WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
  Do you really want to replace them? [yes/no]: yes
  Keypair generation process begin. Please wait...
• A 1024-bit RSA modulus is below the 2048-bit minimum recommended today; on current software use modulus 2048 or larger.
• The IP subnets from which you trust to manage the ASA. Note that the mask 255.255.0.0 matches the whole 192.168.0.0/16; tighten it to 255.255.255.0 to match the /24 LAN. The last line authenticates SSH logins against the local user database, so a local username must exist.
  ssh 12.2.1.0 255.255.255.0 outside
  ssh 192.168.0.0 255.255.0.0 inside
  ssh timeout 30
  ssh version 2
  aaa authentication ssh console LOCAL
Step 7: Configure time and enable logging
• It is important to enable logging so we know what happened in case there was an incident. Make sure the time is set correctly and timestamps are enabled for logging. In this example we enable logging into the ASA's buffer memory. The maximum log size can grow up to 512MB, after which the oldest logs are overwritten. The logging level is set to "debugging", which records everything at the most detailed level. Keep in mind that the buffer is volatile and is lost on reboot, so for incident investigation you should also forward logs to an external syslog server.
  ASA1# clock set 12:05:00 Jan 22 2016
  ASA1(config)# clock timezone EST -5
  ASA1(config)# clock summer-time EST recurring
  ASA1(config)# logging enable
  ASA1(config)# logging timestamp
  ASA1(config)# logging buffer-size 512000
  ASA1(config)# logging buffered debugging
• To view logs, issue the command "show logging" on the ASA.
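Once buffered logging is on, the output of "show logging" is what you read during an incident. The following added example (not from the slides) parses constructed log lines written in the format of two real ASA message IDs, %ASA-4-106023 (packet denied by an access-group) and %ASA-6-302013 (TCP connection built, showing real and NAT-mapped addresses), and summarises denied attempts against the LAN and the NAT mappings observed; the hosts, ports and timestamps are constructed.

```python
"""Triage of the ASA's buffered syslog as printed by "show logging".

Added example, not part of the slides. The log lines below are constructed
for illustration; their message text follows the documented format of two
real ASA message IDs (%ASA-4-106023, a packet denied by an access-group, and
%ASA-6-302013, a TCP connection built, which shows real and NAT-mapped
addresses). Hosts, ports and timestamps are made up.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

SAMPLE_LOG = """\
Jan 22 2016 12:06:01: %ASA-6-302013: Built inbound TCP connection 1001 for outside:10.1.1.200/51000 (10.1.1.200/51000) to dmz1:192.168.1.10/80 (10.1.1.10/80)
Jan 22 2016 12:06:02: %ASA-4-106023: Deny tcp src outside:10.1.1.200/51001 dst dmz1:192.168.1.10/22 by access-group "OUTSIDE" [0x0, 0x0]
Jan 22 2016 12:06:03: %ASA-4-106023: Deny tcp src outside:10.1.1.200/51002 dst inside:192.168.0.200/445 by access-group "OUTSIDE" [0x0, 0x0]
Jan 22 2016 12:06:04: %ASA-4-106023: Deny tcp src outside:10.1.1.200/51003 dst inside:192.168.0.200/3389 by access-group "OUTSIDE" [0x0, 0x0]
Jan 22 2016 12:06:05: %ASA-6-302013: Built outbound TCP connection 1002 for outside:10.1.1.200/443 (10.1.1.200/443) to inside:192.168.0.200/40000 (10.1.1.1/40000)
"""

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?.*?by access-group "(?P<acl>[^"]+)"'
)
BUILT_RE = re.compile(
    r'%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+)'
    r' for (?P<aif>\w+):(?P<a_real>[\d.]+)/\d+ \((?P<a_map>[\d.]+)/\d+\)'
    r' to (?P<bif>\w+):(?P<b_real>[\d.]+)/\d+ \((?P<b_map>[\d.]+)/\d+\)'
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each recognised line into a dict; unknown message IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append({"kind": "deny", **m.groupdict()})
            continue
        m = BUILT_RE.search(line)
        if m:
            events.append({"kind": "built", **m.groupdict()})
    return events


def denies_by_source(events) -> Counter:
    """How many packets each source address had dropped by an access-group."""
    return Counter(e["src"] for e in events if e["kind"] == "deny")


def denied_targets(events, interface: str) -> Set[Tuple[str, int]]:
    """(host, port) pairs behind `interface` that were tried and denied.

    For the design on these slides, any entry for 'inside' is an attempt to
    reach the LAN directly from the Internet, which the policy never permits.
    """
    return {
        (e["dst"], int(e["dport"]))
        for e in events
        if e["kind"] == "deny" and e["dif"] == interface and e["dport"]
    }


def nat_mappings(events) -> Set[Tuple[str, str]]:
    """(real, mapped) address pairs observed in built connections.

    The static NAT from Step 3 shows up as (192.168.1.10, 10.1.1.10); the
    dynamic PAT to the outside interface from Step 2 as (192.168.0.200, 10.1.1.1).
    """
    pairs = set()
    for e in events:
        if e["kind"] != "built":
            continue
        for real, mapped in ((e["a_real"], e["a_map"]), (e["b_real"], e["b_map"])):
            if real != mapped:
                pairs.add((real, mapped))
    return pairs


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("denies by source:", dict(denies_by_source(evs)))
    print("LAN targets probed:", sorted(denied_targets(evs, "inside")))
    print("NAT pairs seen:", sorted(nat_mappings(evs)))
```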
www.NetProtocolXpert.com 26

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Mikrotik Hotspot User Manager
Mikrotik Hotspot User ManagerMikrotik Hotspot User Manager
Mikrotik Hotspot User Manager
 
CCNA IP Addressing
CCNA IP AddressingCCNA IP Addressing
CCNA IP Addressing
 
20170415- 智慧空調通訊系統實務_柯大
20170415- 智慧空調通訊系統實務_柯大20170415- 智慧空調通訊系統實務_柯大
20170415- 智慧空調通訊系統實務_柯大
 
CTAP
CTAPCTAP
CTAP
 
CCNA v6.0 ITN - Chapter 10
CCNA v6.0 ITN - Chapter 10CCNA v6.0 ITN - Chapter 10
CCNA v6.0 ITN - Chapter 10
 
Pace IT - Setting Up a SOHO Network
Pace IT - Setting Up a SOHO NetworkPace IT - Setting Up a SOHO Network
Pace IT - Setting Up a SOHO Network
 
TUTORIAL DYNAMIC ROUTING OSPF.pptx
TUTORIAL DYNAMIC ROUTING OSPF.pptxTUTORIAL DYNAMIC ROUTING OSPF.pptx
TUTORIAL DYNAMIC ROUTING OSPF.pptx
 
Soal Packet Tracer Troubleshooting - ITNSA LKS SMK Tingkat Provinsi NTB 2021
Soal Packet Tracer Troubleshooting - ITNSA LKS SMK Tingkat Provinsi NTB 2021Soal Packet Tracer Troubleshooting - ITNSA LKS SMK Tingkat Provinsi NTB 2021
Soal Packet Tracer Troubleshooting - ITNSA LKS SMK Tingkat Provinsi NTB 2021
 
MikroTik Basic Training Class - Online Moduls - English
 MikroTik Basic Training Class - Online Moduls - English MikroTik Basic Training Class - Online Moduls - English
MikroTik Basic Training Class - Online Moduls - English
 
Cisco router basic
Cisco router basicCisco router basic
Cisco router basic
 
CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09
 
CCNA
CCNACCNA
CCNA
 
CCNA project-report
CCNA project-reportCCNA project-report
CCNA project-report
 
Ccna new syllabus
Ccna new syllabusCcna new syllabus
Ccna new syllabus
 
MikroTik MTCNA
MikroTik MTCNAMikroTik MTCNA
MikroTik MTCNA
 
Ccna day1
Ccna day1Ccna day1
Ccna day1
 
CCNA Syllabus pdf
CCNA Syllabus pdfCCNA Syllabus pdf
CCNA Syllabus pdf
 
Packets never lie: An in-depth overview of 802.11 frames
Packets never lie: An in-depth overview of 802.11 framesPackets never lie: An in-depth overview of 802.11 frames
Packets never lie: An in-depth overview of 802.11 frames
 
Firewall Architecture
Firewall Architecture Firewall Architecture
Firewall Architecture
 
CCNA Report
CCNA ReportCCNA Report
CCNA Report
 

Semelhante a Basic Cisco ASA 5506-x Configuration (Firepower)

Air Live Rs 1200
Air Live Rs 1200Air Live Rs 1200
Air Live Rs 1200
guest52b3f5
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step  anung muhandanu Tutorial mikrotik step by step  anung muhandanu
Tutorial mikrotik step by step anung muhandanu
theviper0308
 
All about routers
All about routersAll about routers
All about routers
agwanna
 
Internetworking With Pix Firewall
Internetworking With Pix FirewallInternetworking With Pix Firewall
Internetworking With Pix Firewall
Souvik Santra
 
Ccnav5.org ccna 3-chapter_4_v50_2014_exam_answers
Ccnav5.org ccna 3-chapter_4_v50_2014_exam_answersCcnav5.org ccna 3-chapter_4_v50_2014_exam_answers
Ccnav5.org ccna 3-chapter_4_v50_2014_exam_answers
Đồng Quốc Vương
 

Semelhante a Basic Cisco ASA 5506-x Configuration (Firepower) (20)

Air Live Rs 1200
Air Live Rs 1200Air Live Rs 1200
Air Live Rs 1200
 
26.1.7 lab snort and firewall rules
26.1.7 lab   snort and firewall rules26.1.7 lab   snort and firewall rules
26.1.7 lab snort and firewall rules
 
Tutorial mikrotik step by step anung muhandanu
Tutorial mikrotik step by step  anung muhandanu Tutorial mikrotik step by step  anung muhandanu
Tutorial mikrotik step by step anung muhandanu
 
All about routers
All about routersAll about routers
All about routers
 
Tutorial mikrotik step by step
Tutorial mikrotik step by stepTutorial mikrotik step by step
Tutorial mikrotik step by step
 
Internetworking With Pix Firewall
Internetworking With Pix FirewallInternetworking With Pix Firewall
Internetworking With Pix Firewall
 
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
 
Nat 03
Nat 03Nat 03
Nat 03
 
Networking Concepts and Tools for the Cloud
Networking Concepts and Tools for the CloudNetworking Concepts and Tools for the Cloud
Networking Concepts and Tools for the Cloud
 
Ccna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 AnswersCcna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 Answers
 
ZodiacWX_Northbound Networks manual1
ZodiacWX_Northbound Networks manual1ZodiacWX_Northbound Networks manual1
ZodiacWX_Northbound Networks manual1
 
p10
p10p10
p10
 
p10
p10p10
p10
 
CCNA 1 Chapter 11 v5.0 2014
CCNA 1 Chapter 11 v5.0 2014CCNA 1 Chapter 11 v5.0 2014
CCNA 1 Chapter 11 v5.0 2014
 
Com 135 final project user manual
Com 135 final project user manualCom 135 final project user manual
Com 135 final project user manual
 
Eyeball AnyConnect™ Gateway Administration Guide
Eyeball AnyConnect™ Gateway Administration GuideEyeball AnyConnect™ Gateway Administration Guide
Eyeball AnyConnect™ Gateway Administration Guide
 
GREAT MINDS
GREAT MINDSGREAT MINDS
GREAT MINDS
 
Cisco asa firewall command line technical guide
Cisco asa firewall command line technical guideCisco asa firewall command line technical guide
Cisco asa firewall command line technical guide
 
Ccnav5.org ccna 3-chapter_4_v50_2014_exam_answers
Ccnav5.org ccna 3-chapter_4_v50_2014_exam_answersCcnav5.org ccna 3-chapter_4_v50_2014_exam_answers
Ccnav5.org ccna 3-chapter_4_v50_2014_exam_answers
 
PIX vs ASA_firewall
PIX vs ASA_firewallPIX vs ASA_firewall
PIX vs ASA_firewall
 

Mais de NetProtocol Xpert

Mais de NetProtocol Xpert (20)

MPLS Layer 3 VPN
MPLS Layer 3 VPN MPLS Layer 3 VPN
MPLS Layer 3 VPN
 
Common Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & MitigationCommon Layer 2 Threats, Attacks & Mitigation
Common Layer 2 Threats, Attacks & Mitigation
 
Storm-Control
Storm-ControlStorm-Control
Storm-Control
 
Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)Dynamic ARP Inspection (DAI)
Dynamic ARP Inspection (DAI)
 
IP Source Guard
IP Source Guard IP Source Guard
IP Source Guard
 
DHCP Snooping
DHCP SnoopingDHCP Snooping
DHCP Snooping
 
Password Recovery
Password RecoveryPassword Recovery
Password Recovery
 
Application & Data Center
Application & Data CenterApplication & Data Center
Application & Data Center
 
Cisco ISR 4351 Router
Cisco ISR 4351 RouterCisco ISR 4351 Router
Cisco ISR 4351 Router
 
Cisco ASR 1001-X Router
Cisco ASR 1001-X RouterCisco ASR 1001-X Router
Cisco ASR 1001-X Router
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data plane
 
Point to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAPPoint to-point protocol (ppp), PAP & CHAP
Point to-point protocol (ppp), PAP & CHAP
 
Avoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a commandAvoid DNS lookup when mistyping a command
Avoid DNS lookup when mistyping a command
 
TCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and SwitchesTCLSH and Macro Ping Test on Cisco Routers and Switches
TCLSH and Macro Ping Test on Cisco Routers and Switches
 
Private VLANs
Private VLANsPrivate VLANs
Private VLANs
 
MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)MTU (maximum transmission unit) & MRU (maximum receive unit)
MTU (maximum transmission unit) & MRU (maximum receive unit)
 
OTV Configuration
OTV ConfigurationOTV Configuration
OTV Configuration
 
Cisco OTV 
Cisco OTV Cisco OTV 
Cisco OTV 
 
OTV(Overlay Transport Virtualization)
OTV(Overlay  Transport  Virtualization)OTV(Overlay  Transport  Virtualization)
OTV(Overlay Transport Virtualization)
 
Regular expression examples
Regular expression examplesRegular expression examples
Regular expression examples
 

Último

FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ssuser89054b
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Christo Ananth
 

Último (20)

Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank  Design by Working Stress - IS Method.pdfIntze Overhead Water Tank  Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLPVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar  ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 

Basic Cisco ASA 5506-x Configuration (Firepower)

  • 1. Basic Cisco ASA 5506-x Configuration (Firepower) www.NetProtocolXpert.com 1
  • 2. Network Requirements  In a typical business environment, the network is comprised of three segments – Internet, user and optionally a DMZ network. The DMZ network is used to host publicly accessible servers such web server, Email server and so on. The Cisco ASA acts as a Firewall, as well as an Internet  LAN users and Web Servers all have Internet access.  LAN users have full access to the Web Server network segment (DMZ1) but DMZ1 does not have any access to the LAN (in case DMZ is compromised).  Anyone on the Internet can access the Web Server via a publicly NAT IP address over HTTP.  All other traffic is denied unless explicitly allowed. www.NetProtocolXpert.com 2
  • 3. Update ASA software and ASDM code  Download the recent stable release from Cisco.com and transfer the codes to the ASA. www.NetProtocolXpert.com 3
  • 4.  Set the system to boot to the new image. Configure the ASDM image to be used.  ASA1(config)# boot system disk0:/asa952-lfbff-k8.SPA  ASA1(config)# asdm image disk0:/asdm-752.bin  Write memory and verify the bootvar is set correctly. Reboot the system to load the new image. www.NetProtocolXpert.com 4
  • 5. Security levels on Cisco ASA Firewall  Before jumping into the configuration, I’d like to briefly touch on how Cisco ASAs work in a multi-level security design. The concept is not Cisco specific. It applies to any other business grade firewalls.  By default, traffic passing from a lower to higher security level is denied. This can be overridden by an applied to that lower security interface. Also the ASA, by default, will allow traffic from higher to lower security interfaces. This behaviour can also be overridden with an ACL. The security levels are defined by numeric numbers between 0 and 100. 0 is often placed on the untrusted network such as Internet. And is the most secured network. In our example we assign security levels as following: LAN = 100, DMZ1 = 50 and outside = 0. www.NetProtocolXpert.com 5
  • 6.  LAN is considered the most secured network. It not only hosts internal user workstations as well as mission critical production servers. LAN users can reach other networks. However, no inbound access is allowed from any other networks unless explicitly allowed.  DMZ1 hosts public facing web servers. Any one on the Internet can reach the servers on TCP port 80 for HTTP.  The design idea here is that we don’t allow any possibilities of compromising the LAN. All “inbound” access to the LAN is denied unless the connection is initiated from the inside hosts. Servers in DMZ1 serve Internet web traffic and internal user traffic from the LAN. www.NetProtocolXpert.com 6
  • 7. Network Design and IP Assignment  For simplicity, we assume the SOHO network has less than 200 users and does not have a layer switch on the LAN. All user and server traffic point to the ASA as their default gateway to the Internet. We assign each network segment a /24 (255.255.255.0) subnet mask. www.NetProtocolXpert.com 7
  • 8.  User LAN network: Subnet: 192.168.0.0 /24 Gateway: 192.168.0.1 (ASA inside interface) LAN-host (for testing): 192.168.0.200  DMZ1 network: Subnet 192.168.1.0 /24 Gateway: 192.168.1.1 Web server: 192.168.1.10  Internet: Internet-host (for testing): 10.1.1.200 www.NetProtocolXpert.com 8
  • 9. Step 1: Configure ASA interfaces and assign appropriate security levels  The ASA 5506-X comes with 8 GigE routed interfaces. We are going to use three of the interfaces in this network – inside (100), dmz1(50) and outside (0). www.NetProtocolXpert.com 9 interface GigabitEthernet1/1 description to WAN nameif outside security-level 0 ip address 10.1.1.1 255.255.255.0 ! interface GigabitEthernet1/2 description to LAN nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 ! interface GigabitEthernet1/3 description to DMZ1 nameif dmz1 security-level 50 ip address 192.168.1.1 255.255.255.0 !
  • 10. Step 2: Configure ASA as an Internet gateway, enable Internet access  There are two things required in order for the internal hosts to go out to the Internet, configuring Network Address Translation (NAT) and routing all traffic to the ISP. You do not need an ACL because all outbound traffic is traversing from higher security level (inside and dmz1) to lower security level (outside).  nat (inside,outside) after-auto source dynamic any interface  nat (dmz1,outside) after-auto source dynamic any interface www.NetProtocolXpert.com 10
  • 11.  The configuration in previous slide states that any traffic coming from inside and dmz1 network, translate the source IP to the outside interface’s IP for outbound Internet traffic. The “after-auto” keyword simply set this NAT the least preferred rule to be evaluated after Manual NAT and Auto NAT are evaluated. The reason we want to give it the least preference is to avoid possible conflict with other NAT rules.  Next is configuring a default gateway and route all traffic to the upstream ISP. 10.1.1.2 is the gateway the ISP provided.  route outside 0.0.0.0 0.0.0.0 10.1.1.2 www.NetProtocolXpert.com 11
  • 12.  Also make sure “inspect icmp” is configured under global_policy. It allows icmp return traffic to pass the ASA while the Ping is initiated from inside hosts. policy-map global_policy class inspection_default inspect icmp  At this point, you should be able to ping the host 10.1.1.200 on the Internet from any internal subnets. www.NetProtocolXpert.com 12
  • 13. Step 3: Configure static NAT to web servers, grant Internet inbound access to web servers  First we define two objects for the web server, one for its internal IP and one for its public facing IP.  object network WWW NPX EXT  host 10.1.1.10  !  object network WWW NPX INT  host 192.168.1.10  !  nat (dmz1,outside) source static WWW NPX INT WWW NPX EXT www.NetProtocolXpert.com 13
  • 14.  Anyone on the Internet trying to access the web server, they’ll use the public IP defined in WWW NPX EXT. It will be translated to the private IP defined in WWW NPX INT.  Now the IP address translation has been done. We will need to configure ACL and allow Internet inbound traffic to access the web server. And apply the ACL to the outside interface. www.NetProtocolXpert.com 14
  • 15.  access-list OUTSIDE extended permit tcp any object WWW NPX INT eq www  access-list OUTSIDE extended permit icmp any4 any4 echo  access-group OUTSIDE in interface outside  The ACL states, permit traffic from anywhere to the web server (WWW NPX INT: 192.168.1.10) on port 80. For troubleshooting and demonstration purpose, we also allow ICMP ping traffic. In a real-world network, I recommend disallow Ping for higher security. www.NetProtocolXpert.com 15
• 16. Step 4: Configure the DHCP service on the ASA
 This step is optional. If you have a DHCP server on the LAN you can skip to the next step. For small businesses that do not have a server in house, you may configure the ASA to be a DHCP server.
 Specify a DHCP address pool and the interface the clients connect to. We reserve a few addresses before and after the pool for future network devices or appliances that require a static IP.
  dhcpd address 192.168.0.5-192.168.0.250 inside
• 17. Specify the IP addresses of the DNS servers for client use. It is always a good idea to have a secondary DNS server in case the primary fails.
  dhcpd dns 9.9.9.9 4.2.2.2
 Specify the lease length to be granted to the clients. The lease is the amount of time (in seconds) a client can use its allocated IP address before the lease expires. Enter a value between 0 and 1,048,575. The default value is 3600 seconds.
  dhcpd lease 3600
  dhcpd ping_timeout 50
• 18. Enable the DHCP service to listen for DHCP client requests on the chosen interface.
  dhcpd enable inside
  dhcprelay timeout 60
• 19. (Optional) Step 5: Redirect traffic to the FirePOWER module for deeper inspection
 In order to use any of the ASA's next-generation firewall features, Cisco requires customers to order subscription-based licenses for the FirePOWER module. The subscriptions can be purchased for 1, 3 or 5 years, with a discount for the longer terms. The available licenses are:
  Intrusion detection and prevention (IPS license)
  Application Visibility and Control (AVC)
  File control and advanced malware protection (AMP)
  Application, user, and URL control (URL Filtering)
 The IPS license is a prerequisite for the AVC, AMP and URL Filtering licenses.
• 20. If you have a FirePOWER feature license and want to send traffic to the FirePOWER module for deeper inspection, here is an example that sends all traffic to FirePOWER. Should the module fail (a software failure, or on the 5585-X a hardware failure), traffic bypasses the FirePOWER module without inspection.
  class-map global-class
   match any
  policy-map global_policy
   class global-class
    sfr fail-open
• 21. Step 6: Hardening the device
 Shut down unused interfaces (GigabitEthernet1/4 through 1/8 in this example; repeat for each one):
  interface GigabitEthernet1/4
   shutdown
• 22. Enable SSH access for admins
 There are three steps to enable SSH access:
  Create a hostname for your ASA
  Generate an RSA key
  Configure SSH access to the ASA, and only allow it from known IPs/networks.
• 23. Configuration example:
  ASA1(config)# hostname ASA1
  ASA1(config)# crypto key generate rsa modulus 1024
  WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
  Do you really want to replace them? [yes/no]: yes
  Keypair generation process begin. Please wait...
• 24. The IP subnets from which you trust management of the ASA:
  ssh 12.2.1.0 255.255.255.0 outside
  ssh 192.168.0.0 255.255.0.0 inside
  ssh timeout 30
  ssh version 2
  aaa authentication ssh console LOCAL
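The Step 6 items are easy to drift away from over time, so here is a small audit script that reads an ASA running-config excerpt and reports the deviations: an interface with no nameif that is not shut down, an ssh line that admits any source, a missing "ssh version 2", and no "aaa authentication ssh console" line. This is an added example, not Cisco's code or anything from the slides; the configuration text it parses is constructed for the example (the addresses on GigabitEthernet1/1 to 1/3 are assumed) and deliberately contains an open ssh line and an unshut interface.

```python
"""Hardening audit for the items in Step 6, run over a constructed ASA running-config.

Added example (not Cisco or NetProtocolXpert code). It parses the interface blocks
and the ssh/aaa lines and reports what deviates from the slides' recommendations.
"""
import re

# Constructed excerpt of "show running-config" output (interface addresses are
# assumed); ASA indents interface sub-commands with one space.
SAMPLE_CONFIG = """\
hostname ASA1
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 no nameif
 no security-level
 no ip address
!
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 30
ssh version 2
"""

# Only the "ssh <network> <mask> <interface>" form; "ssh timeout" / "ssh version" do not match.
SSH_SOURCE_RE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_interfaces(config):
    """Return {interface: [sub-commands]} for every 'interface' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or any top-level command ends the block
    return blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]

    # Step 6a: an interface without a nameif is unused and should be shut down.
    for name, cmds in parse_interfaces(config).items():
        in_use = any(c.startswith("nameif ") for c in cmds)   # "no nameif" does not count
        if not in_use and "shutdown" not in cmds:
            findings.append(f"{name}: unused interface is not shut down")

    # Step 6b: SSH only from known networks, SSHv2 only, logins tied to a AAA source.
    for m in filter(None, map(SSH_SOURCE_RE.match, lines)):
        if m.group(2) == "0.0.0.0":
            findings.append(f"{m.group(0)}: SSH management open to any source on {m.group(3)}")
    if "ssh version 2" not in lines:
        findings.append("ssh version 2 not set")
    if not any(ln.startswith("aaa authentication ssh console ") for ln in lines):
        findings.append("no 'aaa authentication ssh console' line: SSH logins are not tied to a AAA source")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports GigabitEthernet1/5, the wide-open ssh line on outside and the missing aaa line; the 255.255.0.0 mask on the inside entry is accepted as written on the slide, but on a network where the LAN is only 192.168.0.0/24 a /16 is broader than needed and the check is easy to tighten.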
• 25. Step 7: Configure time and enable logging
 It is important to enable logging so we know what happened in case of an incident. Make sure the time is set correctly and timestamps are enabled for logging. In this example we enable logging into the ASA's buffer memory. The maximum log size can grow up to 512MB, after which the oldest logs are overwritten. The logging level is set to "debugging", which records everything at the most detailed level.
• 26.
  ASA1# clock set 12:05:00 Jan 22 2016
  ASA1# clock timezone EST -5
  ASA1# clock summer-time EST recurring
  ASA1# logging enable
  ASA1# logging timestamp
  ASA1# logging buffer-size 512000
  ASA1# logging buffered debugging
 To view the logs, issue the command "show logging" on the ASA.
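Once "logging timestamp" and "logging buffered" are on, "show logging" is where the evidence sits when something goes wrong, and the lines it prints are regular enough to triage with a few lines of code. The script below is an added example, not Cisco's code or anything from the slides: it parses the timestamped message header, pulls the fields out of the 106023 "denied by access-group" messages that the OUTSIDE ACL from Step 3 generates, and lists Internet sources that were refused on several different ports. The log excerpt is constructed for the example, in the format these messages take on the ASA, with documentation addresses standing in for real ones.

```python
"""Triage of the ASA's buffered log from Step 7.

Added example (not Cisco or NetProtocolXpert code). It parses the message header
that "logging timestamp" produces, picks out the 106023 ACL-deny messages and
flags Internet sources that were denied on several different ports.
"""
import re
from collections import defaultdict

# Constructed sample of "show logging" output for the lab: one permitted web
# connection and a few inbound attempts denied by the OUTSIDE ACL.
SAMPLE_LOG = """\
Jan 22 2016 12:07:01: %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51516 (203.0.113.5/51516) to dmz1:192.168.1.10/80 (10.1.1.10/80)
Jan 22 2016 12:07:02: %ASA-4-106023: Deny tcp src outside:203.0.113.9/40001 dst dmz1:192.168.1.10/22 by access-group "OUTSIDE" [0x0, 0x0]
Jan 22 2016 12:07:02: %ASA-4-106023: Deny tcp src outside:203.0.113.9/40002 dst dmz1:192.168.1.10/23 by access-group "OUTSIDE" [0x0, 0x0]
Jan 22 2016 12:07:03: %ASA-4-106023: Deny tcp src outside:203.0.113.9/40003 dst dmz1:192.168.1.10/3389 by access-group "OUTSIDE" [0x0, 0x0]
Jan 22 2016 12:07:04: %ASA-4-106023: Deny tcp src outside:198.51.100.7/5555 dst dmz1:192.168.1.10/443 by access-group "OUTSIDE" [0x0, 0x0]
Jan 22 2016 12:07:05: %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51516 to dmz1:192.168.1.10/80 duration 0:00:04 bytes 2310 TCP FINs
"""

# "<Mon DD YYYY HH:MM:SS>: %ASA-<severity>-<message id>: <body>"
HEADER_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$')
# Body of message 106023 (packet denied by an access-group).
DENY_RE = re.compile(
    r'^Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def parse_log(text):
    """Split each line into timestamp, severity, message id and body; skip lines that do not parse."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sev"] = int(rec["sev"])
            records.append(rec)
    return records


def acl_denies(records):
    """Extract the fields of every 106023 (denied by access-group) message."""
    denies = []
    for rec in records:
        if rec["msgid"] != "106023":
            continue
        m = DENY_RE.match(rec["body"])
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            d["ts"] = rec["ts"]
            denies.append(d)
    return denies


def denied_ports_by_source(records):
    """Map each denied source address to the set of destination ports it was refused on."""
    ports = defaultdict(set)
    for d in acl_denies(records):
        ports[d["src"]].add(d["dport"])
    return dict(ports)


def probable_scanners(records, min_ports=3):
    """Sources denied on at least min_ports distinct ports: worth a closer look, not proof of an attack."""
    return sorted(src for src, p in denied_ports_by_source(records).items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} messages, {len(acl_denies(recs))} ACL denies")
    for src, p in denied_ports_by_source(recs).items():
        print(f"{src}: denied on ports {sorted(p)}")
    print("review:", probable_scanners(recs))
```

With "logging buffered debugging" the buffer fills quickly with connection build/teardown messages (302013/302014), which is why the script keys on the message id rather than on free text; the same header parser works for any other ASA message id you decide to watch.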