Cisco asa-5505-configuration
Cisco asa-5505-configuration Document Transcript

  • 1. BONUS TUTORIAL
    CISCO ASA 5505 CONFIGURATION
    ALL YOU NEED TO KNOW TO CONFIGURE AND IMPLEMENT THE BEST FIREWALL IN THE MARKET
    WRITTEN BY: HARRIS ANDREA
    MSC ELECTRICAL ENGINEERING AND COMPUTER SCIENCE
    CISCO CERTIFIED NETWORK PROFESSIONAL (CCNP)
    CISCO CERTIFIED SECURITY PROFESSIONAL (CCSP)
    http://www.cisco-tips.com
  • 2. ABOUT THE AUTHOR:
    Harris Andrea is a Senior Network Security Engineer in a leading Internet Service Provider in Europe. He graduated from the University of Kansas USA in 1998 with B.S. and M.S. degrees in Electrical Engineering and Computer Science. Since then, he has been working in the Networking field, designing, implementing and managing large scale networking projects with Cisco products and technologies. His main focus is on Network Security based on Cisco PIX/ASA Firewalls, Firewall Service Modules (FWSM) on 6500/7600 models, VPN products, IDS/IPS products, AAA services etc. To support his knowledge and to build a strong professional standing, Harris pursued and earned several Cisco Certifications such as CCNA, CCNP, and CCSP. He is also a technology blogger owning two networking blogs which you can visit for extra technical information and tutorials.
    http://www.cisco-tips.com
    http://www.ciscoasa.com
  • 3. You do not have resell rights or giveaway rights to this eBook. Only customers that have purchased this material are authorized to view it.
    This eBook contains material protected under International and Federal Copyright Laws and Treaties. No part of this publication may be transmitted or reproduced in any way without the prior written permission of the author. Violations of this copyright will be enforced to the full extent of the law.
    LEGAL NOTICE: The information services and resources provided in this eBook are based upon the current Internet environment as well as the author’s experience. The techniques presented have been proven to be successful. Because technologies are constantly changing, the services and examples presented in this eBook may change, cease or expand with time. We hope that the skills and knowledge acquired from this eBook will provide you with the ability to adapt to the inevitable evolution of technological services. However, we cannot be held responsible for changes that may affect the applicability of these techniques. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
    All product names, logos and artwork are copyrights of their respective owners. None of the owners have sponsored or endorsed this publication. While all attempts have been made to verify information provided, the author assumes no responsibility for errors, omissions, or contrary interpretation of the subject matter herein. Any perceived slights of peoples or organizations are unintentional. The purchaser or reader of this publication assumes responsibility for the use of these materials and information. No guarantees of income are made. The author reserves the right to make changes and assumes no responsibility or liability whatsoever on behalf of any purchaser or reader of these materials.
  • 4. TABLE OF CONTENTS
    About the Author ... 2
    Bonus Tutorial ... 5
    Cisco ASA 5505 Fundamentals ... 5
      ASA 5505 Hardware and Licensing ... 5
      ASA 5505 Default Configuration ... 8
    ASA 5505 Configuration Examples ... 11
      Configuration Example 1: Internet Access With Dynamic Address From ISP ... 11
      Configuration Example 2: Dynamic Address From ISP With DMZ Web Server ... 15
      Configuration Example 3: Static Outside Address With DMZ Web and Email Servers ... 19
      Configuration Example 4: Cisco ASA 5505 With PPPoE Internet Access ... 24
      Configuration Example 5: Lan-to-Lan IPSEC VPN Between Cisco ASA 5505 ... 28
      Configuration Example 6: Remote Access IPSEC VPN on Cisco ASA 5505 ... 35
  • 5. BONUS TUTORIAL: CISCO ASA 5505 FUNDAMENTALS
    This Tutorial is dedicated to the Cisco ASA 5505 firewall appliance, which has some Hardware, Licensing and Configuration differences compared with the other models. The ASA 5505 provides a high-performance and flexible upgrade from the older PIX 501 and PIX 506E appliances and is designed for small offices or remote branches. Below we will describe the basic differences of the Cisco ASA 5505 compared with the other models and provide several configuration examples that cover most of the implementation scenarios that are usually found in real networks. The prerequisite of this Tutorial is to study first the “Cisco ASA Firewall Fundamentals” ebook so that you grasp the fundamental configuration concepts of Cisco ASA appliances.

    ASA 5505 HARDWARE AND LICENSING
    Hardware Ports and VLANs
    [Figure: ASA 5505 rear panel, numbered as follows]
    1 Power 48VDC
    2 SSC slot
    3 Console Port
    4 Lock Slot
    5 Reset Button
    6 USB 2.0 interfaces
    7 Network Ports 0-5 (10/100)
    8 Network Ports 6-7 (10/100 with Power over Ethernet)
  • 6. Unlike the other Cisco ASA models, the ASA 5505 has a built-in 8-port 10/100 switch as shown on the figure above.
    Starting from right to left, we have Ethernet0/0 up to Ethernet0/7. The last two Ports 6 and 7 are also Power over Ethernet Ports (PoE), which means that in addition to normal computers, you can also connect IP Phones (or other PoE devices) which will be powered by the firewall PoE ports. The eight network interfaces of the ASA 5505 work only as Layer 2 ports, which is the difference of the 5505 from the other ASA models. This means that you cannot configure a Layer 3 IP address directly on each interface. Instead, you have to assign the interface port to a VLAN, and then configure all Firewall Interface parameters under the interface VLAN command.
    You can divide the eight physical ports into groups, called VLANs, that function as separate networks. This enables you to improve the security of your business because devices in different VLANs can only communicate with each other by passing the traffic through the firewall appliance, where relevant security policies can be enforced. Devices in the same VLAN can communicate between them without Firewall control. Your license determines how many active VLANs you can have on the ASA 5505.
    The ASA 5505 comes preconfigured with two VLANs: VLAN1 and VLAN2. By default, Ethernet switch port 0 (Ethernet 0/0) is allocated to VLAN2. All other switch ports are allocated by default to VLAN1.
    The factory Default configuration of the network interfaces uses port Ethernet0/0 as the Outside untrusted interface (connecting to the Internet), and the rest of the interfaces (0/1 to 0/7) are configured as the trusted Inside interfaces connecting to internal hosts. Two Switch Vlan Interfaces (SVI) exist by default (Interface Vlan 1 and Interface Vlan 2) which can be used to assign the Layer 3 IP addresses and other interface settings for the Outside zone (Ethernet 0/0) and for the Inside zone (Ethernet0/1 to 0/7). The default configuration of the Cisco ASA 5505 will be explained in the next section.
  • 7. Licensing
    Although the ASA 5505 comes preconfigured with two VLANs, you can create as many as 20 VLANs, depending on your license. For example, you could create VLANs for the Inside, Outside, and DMZ network segments. There are two license options for the ASA 5505:
    Base License
    Security Plus License

    Base License
    With the Base License, you can configure up to 3 VLANs, thus segmenting your network into three security zones (Inside, Outside, DMZ). However there is a communication restriction between VLANs (zones). Communication between the DMZ VLAN and the Inside VLAN is restricted: the Inside VLAN is permitted to send traffic to the DMZ VLAN, but the DMZ VLAN is not permitted to send traffic to the Inside VLAN. Also, you cannot configure firewall failover redundancy with the Base License. These limitations are removed with the Security Plus license.
    To configure a DMZ VLAN on a Base License use the following commands:
    asa5505(config)# interface Vlan 3
    asa5505(config-if)# no forward interface vlan 1
    asa5505(config-if)# nameif DMZ
    asa5505(config-if)# security-level 50
    asa5505(config-if)# ip address 10.2.2.1 255.255.255.0
  • 8. asa5505(config)# interface Vlan 1
    asa5505(config-if)# nameif inside
    asa5505(config-if)# security-level 100
    asa5505(config-if)# ip address 192.168.1.1 255.255.255.0
    asa5505(config)# interface Vlan 2
    asa5505(config-if)# nameif outside
    asa5505(config-if)# security-level 0
    asa5505(config-if)# ip address 100.100.100.1 255.255.255.0

    Security Plus License
    This license removes all restrictions of the Base license. Up to 20 VLANs can be configured (ports can be configured as Trunk ports, thus supporting multiple VLANs per port). Also there are no communication restrictions between VLANs. This license also supports Active/Standby (non-stateful) firewall failover redundancy and Backup ISP Connectivity (Dual ISP connection).

    ASA 5505 DEFAULT CONFIGURATION
    The ASA 5505 is factory configured in such a way as to work right away out of the box. The Internet Outside Interface (Ethernet 0/0) is configured to obtain an IP address automatically from the ISP, and the Inside Interfaces (Ethernet 0/1 to 0/7) are configured to provide IP addresses to internal hosts dynamically (DHCP). Specifically, the default ASA 5505 configuration includes the following:
    - An inside VLAN 1 interface that includes the Ethernet 0/1 through 0/7 switch ports. The VLAN 1 IP address and mask are 192.168.1.1 and 255.255.255.0.
    - An outside VLAN 2 interface that includes the Ethernet 0/0 switch port. VLAN 2 derives its IP address using DHCP (from the ISP). The default route is also derived from DHCP.
    - All inside IP addresses are translated when accessing the outside using interface PAT.
    - By default, inside users can access the outside, and outside users are prevented from accessing the inside.
    - The DHCP server is enabled on the security appliance, so a PC connecting to the VLAN 1 interface receives an address between 192.168.1.2 and 192.168.1.254.
    - The HTTP server is enabled for ASDM and is accessible to users on the 192.168.1.0 network.
    Restore the default factory configuration using the configure factory-default command.
  • 9. The Default Configuration consists of the following commands.
    interface Ethernet 0/0
    ! This assigns Ethernet0/0 to Vlan 2
     switchport access vlan 2
     no shutdown
    interface Ethernet 0/1
    ! This assigns Ethernet0/1 to Vlan 1
     switchport access vlan 1
     no shutdown
    interface Ethernet 0/2
     switchport access vlan 1
     no shutdown
    interface Ethernet 0/3
     switchport access vlan 1
     no shutdown
    interface Ethernet 0/4
     switchport access vlan 1
     no shutdown
    interface Ethernet 0/5
     switchport access vlan 1
     no shutdown
    interface Ethernet 0/6
     switchport access vlan 1
     no shutdown
    interface Ethernet 0/7
     switchport access vlan 1
     no shutdown
    ! Configure all interface parameters under “interface Vlan [number]”
    interface vlan2
     nameif outside
     no shutdown
     ip address dhcp setroute
    interface vlan1
     nameif inside
     ip address 192.168.1.1 255.255.255.0
     security-level 100
     no shutdown
    global (outside) 1 interface
    nat (inside) 1 0 0
    http server enable
  • 10. http 192.168.1.0 255.255.255.0 inside
    dhcpd address 192.168.1.2-192.168.1.254 inside
    ! Obtain IP address dynamically from the ISP
    dhcpd auto_config outside
    ! Assign IP addresses dynamically to internal PCs
    dhcpd enable inside
    logging asdm informational
  • 11. ASA 5505 CONFIGURATION EXAMPLES
    CONFIGURATION EXAMPLE 1: INTERNET ACCESS WITH DYNAMIC ADDRESS FROM ISP
    In this scenario the 5505 is used for basic internet access using PAT, with a Dynamic IP address obtained from the ISP via DHCP (the Firewall will act as DHCP client for the Outside interface). The Firewall will also act as a DHCP server for assigning IP addresses to inside hosts. Notice in this scenario that we don’t need to configure a default route towards the ISP, since the default route will be obtained automatically together with an IP address from the DHCP server of the ISP.
    The complete configuration follows below. See the comment lines (starting with “!”) for clarifications.
  • 12. ASA-5505# show run
    : Saved
    :
    ASA Version 7.2(3)
    !
    hostname ASA-5505
    domain-name test.com
    enable password xxxxxxxxxxxxxxxx encrypted
    names
    !
    ! Vlan 1 is assigned by default to all ports Ethernet0/1 to 0/7 which belong to the inside zone.
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    ! Vlan 2 is assigned to port Ethernet0/0 which belongs to the outside zone.
    interface Vlan2
     nameif outside
     security-level 0
    ! Get outside address and default gateway from ISP
     ip address dhcp setroute
    !
    ! Assign Eth0/0 to vlan 2.
    interface Ethernet0/0
     switchport access vlan 2
    !
    ! By default, Eth0/1 to 0/7 are assigned to vlan 1. No need to change anything.
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd xxxxxxxxxxxxxxxxxx encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name test.com
  • 13. ! Create an ACL on the outside that will allow only echo-reply for troubleshooting purposes. Use a
    ! deny all with log at the end to monitor any attacks coming from outside.
    access-list outside_in extended permit icmp any any echo-reply
    access-list outside_in extended deny ip any any log
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    ! Do PAT using the outside interface address
    global (outside) 1 interface
    ! Translate ALL inside addresses
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    ! Configure Local authentication for firewall management (For accessing the Firewall you need to
    ! use the username/password configured later).
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Allow internal hosts to telnet to the device
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ! Allow an external management host to ssh from outside for firewall management
    ssh 100.100.100.1 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    ! Assign a DNS server to internal hosts
    dhcpd dns 200.200.200.1
    !
    ! Assign IP addresses to internal hosts
    dhcpd address 192.168.1.10-192.168.1.40 inside
    dhcpd enable inside
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map type inspect dns preset_dns_map
     parameters
  • 14.   message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    ! Configure here the username and password for accessing the device
    username admin password xxxxxxxxxxxxxx encrypted
    prompt hostname context
    : end
  • 15. CONFIGURATION EXAMPLE 2: DYNAMIC ADDRESS FROM ISP WITH DMZ WEB SERVER
    This is an extension scenario of the previous one. The Cisco ASA 5505 receives an outside IP address dynamically from the ISP and has three security zones (Inside, Outside, DMZ). The Inside zone network shall be able to access the Internet and DMZ, and also Internet hosts shall be able to access the DMZ Web Server. This scenario can work with both Base License and Security Plus License. However, with a Security Plus license the DMZ public server (whatever that may be: FTP, Email, Web etc.) will also be able to initiate traffic to the Inside network zone (with the proper configuration). Since we have three security zones, we must also create three VLANs. VLAN1 (Inside) will be assigned to ports Ethernet0/2 up to 0/7, VLAN2 (Outside) will be assigned to port Ethernet 0/0, and VLAN3 (DMZ) will be assigned to Ethernet 0/1.
    The complete configuration follows below. See the comment lines (starting with “!”) for clarifications.
  • 16. ASA-5505# show run
    : Saved
    :
    ASA Version 7.2(3)
    !
    hostname ASA-5505
    domain-name test.com
    enable password xxxxxxxxxxxxxxxx encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
    ! Get outside address and default gateway from ISP
     ip address dhcp setroute
    !
    interface Vlan3
    ! Use the following command ONLY if you have a BASE LICENSE
     no forward interface vlan 1
     nameif DMZ
     security-level 50
     ip address 10.0.0.1 255.255.255.0
    !
    ! Assign Eth0/0 to vlan 2.
    interface Ethernet0/0
     switchport access vlan 2
    !
    ! Assign Eth0/1 to vlan 3.
    interface Ethernet0/1
     switchport access vlan 3
    ! The rest are by default assigned to vlan 1. No need to change anything.
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
  • 17. !
    passwd xxxxxxxxxxxxxxxxxx encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name test.com
    ! Create an ACL on the outside that will allow access to the DMZ Web Server. Because the outside
    ! address is dynamic (unknown) we use “any eq 80” for the destination address in the access list.
    access-list outside_in extended permit tcp any any eq 80
    access-list outside_in extended deny ip any any log
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    ! Do PAT on the outside interface
    global (outside) 1 interface
    ! Do PAT on the DMZ interface
    global (DMZ) 1 interface
    ! Translate ALL inside addresses when they access Outside or DMZ zones
    nat (inside) 1 0.0.0.0 0.0.0.0
    ! Create a static redirection for port 80 towards the DMZ web server
    static (DMZ,outside) tcp interface 80 10.0.0.10 80 netmask 255.255.255.255
    access-group outside_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    ! Configure Local authentication for firewall management (For accessing the Firewall you need to
    ! use the username/password configured later).
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Allow internal hosts to telnet to the device
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ! Allow an external management host to ssh from outside for firewall management
    ssh 100.100.100.1 255.255.255.255 outside
    ssh timeout 5
  • 18. console timeout 0
    dhcpd auto_config outside
    ! Assign a DNS server to internal hosts
    dhcpd dns 200.200.200.1
    !
    ! Assign IP addresses to internal hosts
    dhcpd address 192.168.1.10-192.168.1.40 inside
    dhcpd enable inside
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    ! Configure here the username and password for accessing the device
    username admin password xxxxxxxxxxxxxx encrypted
    prompt hostname context
    : end
  • 19. CONFIGURATION EXAMPLE 3: STATIC OUTSIDE ADDRESS WITH DMZ WEB AND EMAIL SERVERS
    This scenario requires a Security Plus License. We have a single static public address assigned to us (199.1.1.1) which we will use with Port Redirection to access two DMZ public servers (Web and Email). Any request from the Internet coming to 199.1.1.1 port 80 will be redirected to 10.0.0.10 (web server), and any request coming to 199.1.1.1 port 25 will be redirected to 10.0.0.11 (Email Proxy Server). The Email Proxy Server will be sending any inbound received email to the Internal Email Server. Similarly, all outgoing email will be sent by the Internal Email server to the DMZ Email Proxy for outbound email processing. We will use Static NAT to map the Inside network (192.168.1.0/24) towards the DMZ for bidirectional communication between the two zones.
    The complete configuration follows below. See the comment lines (starting with “!”) for clarifications.
  • 20. ASA-5505# show run
    : Saved
    :
    ASA Version 7.2(3)
    !
    hostname ASA-5505
    domain-name test.com
    enable password xxxxxxxxxxxxxxxx encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 199.1.1.1 255.255.255.252
    !
    interface Vlan3
     nameif DMZ
     security-level 50
     ip address 10.0.0.1 255.255.255.0
    !
    ! Assign Eth0/0 to vlan 2.
    interface Ethernet0/0
     switchport access vlan 2
    !
    ! Assign Eth0/1 to vlan 3.
    interface Ethernet0/1
     switchport access vlan 3
    ! The rest are by default assigned to vlan 1. No need to change anything.
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd xxxxxxxxxxxxxxxxxx encrypted
    ftp mode passive
  • 21. dns server-group DefaultDNS
     domain-name test.com
    ! Create an ACL on the outside that will allow access to the DMZ Web and Email Servers.
    access-list outside_in extended permit tcp any host 199.1.1.1 eq 80
    access-list outside_in extended permit tcp any host 199.1.1.1 eq 25
    access-list outside_in extended deny ip any any log
    ! Create an ACL on the DMZ that will allow access of the DMZ servers towards Inside and Outside
    ! The first entry below allows access only from Email Proxy to Internal Email
    access-list DMZ_in extended permit tcp host 10.0.0.11 host 192.168.1.11 eq 25
    access-list DMZ_in extended deny ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list DMZ_in extended permit tcp host 10.0.0.11 any eq 25
    access-list DMZ_in extended permit udp host 10.0.0.11 any eq domain
    ! Create an ACL on the Inside to allow Internet Access and also access of Internal eMail to Proxy
    ! eMail
    access-list inside_in extended permit tcp host 192.168.1.11 host 10.0.0.11 eq 25
    access-list inside_in extended permit tcp host 192.168.1.11 host 10.0.0.11 eq 110
    access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.10 eq 80
    access-list inside_in extended deny ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    ! Do PAT on the outside interface
    global (outside) 1 interface
    ! Translate ALL inside addresses when they access Outside
    nat (inside) 1 0.0.0.0 0.0.0.0
    ! Create static port redirections towards the DMZ web and email servers
    static (DMZ,outside) tcp 199.1.1.1 80 10.0.0.10 80 netmask 255.255.255.255
    static (DMZ,outside) tcp 199.1.1.1 25 10.0.0.11 25 netmask 255.255.255.255
    ! Create static NAT of inside network towards the DMZ
    static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  • 22. access-group outside_in in interface outside
    access-group DMZ_in in interface DMZ
    access-group inside_in in interface inside
    route outside 0.0.0.0 0.0.0.0 199.1.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    ! Configure Local authentication for firewall management (For accessing the Firewall you need to
    ! use the username/password configured later).
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Allow internal hosts to telnet to the device
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ! Allow an external management host to ssh from outside for firewall management
    ssh 100.100.100.1 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    ! Assign a DNS server to internal hosts
    dhcpd dns 200.200.200.1
    !
    ! Assign IP addresses to internal hosts
    dhcpd address 192.168.1.20-192.168.1.50 inside
    dhcpd enable inside
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
  • 23.   inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    ! Configure here the username and password for accessing the device
    username admin password xxxxxxxxxxxxxx encrypted
    prompt hostname context
    : end
  • 24. CONFIGURATION EXAMPLE 4: CISCO ASA 5505 WITH PPPOE INTERNET ACCESS
    For Broadband DSL or Cable access connectivity, many ISPs provide Point-to-Point Protocol over Ethernet (PPPoE) access, as will be described in this example scenario. If the ISP supplies you with a username/password for internet access, this means that you need to configure your ASA as a PPPoE client. Most often, in this setup the ISP also provides you with a Modem which will bridge the DSL or Cable connectivity between the Customer Premises Equipment (ASA 5505 in our case) and the ISP equipment. In the following typical environment the ISP is providing a Public IP address to the ASA via PPPoE.
    The complete configuration follows below. See the comment lines (starting with “!”) for clarifications.
  • 25. ASA-5505# show run
    : Saved
    :
    ASA Version 7.2(3)
    !
    hostname ASA-5505
    domain-name test.com
    enable password xxxxxxxxxxxxxxxx encrypted
    names
    !
    ! Vlan 1 is assigned by default to all ports Ethernet0/1 to 0/7 which belong to the inside zone.
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    ! Vlan 2 is assigned to port Ethernet0/0 which belongs to the outside zone.
    interface Vlan2
     nameif outside
     security-level 0
    ! Configure this VLAN as PPPoE Client and associate the pppoe group “ATT”
     pppoe client vpdn group ATT
     ip address pppoe setroute
    !
    ! Assign Eth0/0 to vlan 2.
    interface Ethernet0/0
     switchport access vlan 2
    !
    ! By default, Eth0/1 to 0/7 are assigned to vlan 1. No need to change anything.
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd xxxxxxxxxxxxxxxxxx encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name test.com
  • 26. ! Create an ACL on the outside that will allow only echo-reply for troubleshooting purposes. Use a
    ! deny all with log at the end to monitor any attacks coming from outside.
    access-list outside_in extended permit icmp any any echo-reply
    access-list outside_in extended deny ip any any log
    pager lines 24
    logging asdm informational
    mtu inside 1500
    ! Configure the outside MTU as 1492 since there is an extra 8-byte overhead for PPPoE
    mtu outside 1492
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    ! Do PAT using the outside interface address
    global (outside) 1 interface
    ! Translate ALL inside addresses
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    ! Configure Local authentication for firewall management (For accessing the Firewall you need to
    ! use the username/password configured later).
    aaa authentication serial console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Allow internal hosts to telnet to the device
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ! Allow an external management host to ssh from outside for firewall management
    ssh 100.100.100.1 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    ! Next create the “ATT” pppoe group with the ISP connection details
    vpdn group ATT request dialout pppoe
    vpdn group ATT localname [ENTER ISP USERNAME HERE]
    vpdn group ATT ppp authentication chap [or PAP, depends on your ISP settings]
    vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
    dhcpd auto_config outside
    !
    ! Assign a DNS server to internal hosts
    dhcpd dns 200.200.200.1
    !
  • 27. ! Assign IP addresses to internal hosts
    dhcpd address 192.168.1.10-192.168.1.40 inside
    dhcpd enable inside
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    ! Configure here the username and password for accessing the device
    username admin password xxxxxxxxxxxxxx encrypted
    prompt hostname context
    : end
  • 28. CONFIGURATION EXAMPLE 5: LAN-TO-LAN IPSEC VPN BETWEEN CISCO ASA 5505
    Site-to-Site IPSec VPN is sometimes called LAN-to-LAN VPN. As the name implies, this VPN type connects together two distant LAN networks over the Internet. Usually, Local Area Networks use private addressing as shown on our diagram below. Without VPN connectivity, the two LAN networks below (LAN-1 and LAN-2) wouldn’t be able to communicate. By configuring a Lan-to-Lan IPSec VPN between the two ASA 5505 firewalls, we can establish a secure tunnel over the Internet, and pass our private LAN traffic inside this tunnel. The result is that hosts in network 192.168.1.0/24 can now directly access hosts in the 192.168.2.0/24 network (and vice-versa) as if they were located in the same LAN. The IPSec tunnel is established between the Public IP addresses of the firewalls (100.100.100.1 and 200.200.200.1). The ASA 5505 supports a maximum of 10 Lan-to-Lan IPSec sessions with the Base License and 25 IPSec sessions with the Security Plus license.
    The complete configuration follows below. See the comment lines (starting with “!”) for clarifications.
ASA-1 CONFIGURATION

ASA-1# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-1
domain-name test.com
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
! Select Interesting Traffic to be encrypted
access-list VPN-TO-ASA2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Select which traffic must be excluded from NAT.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
! Do not translate Interesting Traffic
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Create a Phase 2 transform set for encryption and authentication protocols.
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
! Create a crypto map for the IPSEC VPN with the ASA-2 firewall
crypto map IPSEC 10 match address VPN-TO-ASA2
crypto map IPSEC 10 set peer 200.200.200.1
crypto map IPSEC 10 set transform-set espSHA3DESproto
! Attach the crypto map to the outside interface
crypto map IPSEC interface outside
crypto isakmp identity address
! Also enable Phase 1 (isakmp) on the outside interface
crypto isakmp enable outside
! Create the Phase 1 isakmp policy
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
username admin password xxxxxxxxxxxxxxx encrypted
! Create a tunnel group for the IPSEC VPN (for a LAN-to-LAN tunnel the group name is the peer's IP address)
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key LANtoLANvpnkey
 isakmp keepalive threshold 30 retry 5
prompt hostname context
: end
ASA-2 CONFIGURATION

ASA-2# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-2
domain-name test.com
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
! Select Interesting Traffic to be encrypted
access-list VPN-TO-ASA1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Select which traffic must be excluded from NAT.
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
! Do not translate Interesting Traffic
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.2.0 255.255.255.0
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Create a Phase 2 transform set for encryption and authentication protocols.
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
! Create a crypto map for the IPSEC VPN with the ASA-1 firewall
crypto map IPSEC 10 match address VPN-TO-ASA1
crypto map IPSEC 10 set peer 100.100.100.1
crypto map IPSEC 10 set transform-set espSHA3DESproto
! Attach the crypto map to the outside interface
crypto map IPSEC interface outside
crypto isakmp identity address
! Also enable Phase 1 (isakmp) on the outside interface
crypto isakmp enable outside
! Create the Phase 1 isakmp policy
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
username admin password xxxxxxxxxxxxxxx encrypted
! Create a tunnel group for the IPSEC VPN (for a LAN-to-LAN tunnel the group name is the peer's IP address)
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key LANtoLANvpnkey
 isakmp keepalive threshold 30 retry 5
prompt hostname context
: end
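Most LAN-to-LAN tunnels that refuse to come up fail on one of a handful of mismatches between the two configurations: the peer address on one side is not the other side's outside address, the crypto ACLs are not exact mirror images (so the Phase 2 proxy identities disagree), the NAT-exempt ACL does not match the crypto ACL, or the transform set, ISAKMP policy or pre-shared key differ. The script below is an added example written for this tutorial, not code from the author or from Cisco. It embeds a constructed, abbreviated copy of the ASA-1 config above, derives the ASA-2 mirror from it, parses the handful of values each side depends on with regular expressions tailored to the 7.2-style syntax shown here, and reports any inconsistency; it also flags the 3DES and DH group 2 choices, which were standard at the time of the tutorial but are no longer recommended. The helper and function names are this example's own.

```python
import ipaddress
import re

# Constructed, abbreviated copy of the ASA-1 config above, keeping only the lines the check
# reads. The pre-shared key is the tutorial's own placeholder, not a real secret.
ASA1 = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0
access-list VPN-TO-ASA2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA2
crypto map IPSEC 10 set peer 200.200.200.1
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key LANtoLANvpnkey
"""


def _swap(text, x, y):
    """Exchange every occurrence of x and y (used to derive the mirror-image ASA-2 config)."""
    return text.replace(x, "\0").replace(y, x).replace("\0", y)


ASA2 = _swap(_swap(ASA1, "100.100.100.1", "200.200.200.1"),
             "192.168.1.0", "192.168.2.0").replace("VPN-TO-ASA2", "VPN-TO-ASA1")


def _first(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None


def parse_l2l(cfg):
    """Extract the values one side of a LAN-to-LAN tunnel depends on."""
    acls = {}
    for name, s, sm, d, dm in re.findall(
            r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", cfg, re.M):
        acls.setdefault(name, set()).add(
            (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    policy_text = cfg.split("crypto isakmp policy", 1)[-1]   # sub-commands follow the header
    ts_name = _first(r"^crypto map \S+ \d+ set transform-set (\S+)$", cfg)
    return {
        "outside_ip": _first(r"nameif outside\n(?:[^\n]*\n)*? ip address (\S+)", cfg),
        "peer": _first(r"^crypto map \S+ \d+ set peer (\S+)$", cfg),
        "crypto_acl": acls.get(_first(r"^crypto map \S+ \d+ match address (\S+)$", cfg), set()),
        "nonat_acl": acls.get(_first(r"^nat \(inside\) 0 access-list (\S+)$", cfg), set()),
        "transform": _first(rf"^crypto ipsec transform-set {re.escape(ts_name or '')} (.+)$", cfg),
        "isakmp": dict(re.findall(r"^ (authentication|encryption|hash|group|lifetime) (\S+)$",
                                  policy_text, re.M)),
        "tunnel_group": _first(r"^tunnel-group (\S+) type ipsec-l2l$", cfg),
        "psk": _first(r"^tunnel-group \S+ ipsec-attributes\n pre-shared-key (\S+)$", cfg),
    }


def check_pair(cfg_a, cfg_b):
    """Compare both sides; an empty list means the tunnel parameters are consistent."""
    a, b = parse_l2l(cfg_a), parse_l2l(cfg_b)
    findings = []
    for side, me, other in (("ASA-1", a, b), ("ASA-2", b, a)):
        if me["peer"] != other["outside_ip"]:
            findings.append(f"{side}: peer {me['peer']} is not the other side's outside address")
        if me["tunnel_group"] != me["peer"]:
            findings.append(f"{side}: L2L tunnel-group name must be the peer address {me['peer']}")
        if me["nonat_acl"] != me["crypto_acl"]:
            findings.append(f"{side}: NAT-exempt ACL does not match the crypto ACL exactly")
    if a["crypto_acl"] != {(d, s) for s, d in b["crypto_acl"]}:
        findings.append("crypto ACLs are not mirror images; Phase 2 proxy identities will not agree")
    for key in ("transform", "isakmp", "psk"):
        if a[key] != b[key]:
            findings.append(f"{key} differs between the two sides")
    return findings


def legacy_warnings(cfg):
    """Flag algorithm choices common in 7.x-era configs that are no longer recommended."""
    p = parse_l2l(cfg)
    algs = re.split(r"[\s-]+", f"{p['transform']} {p['isakmp'].get('encryption')} {p['isakmp'].get('hash')}")
    warns = []
    if "3des" in algs or "des" in algs:
        warns.append("3DES/DES encryption")
    if "md5" in algs:
        warns.append("MD5 integrity")
    if p["isakmp"].get("group") in ("1", "2", "5"):
        warns.append(f"DH group {p['isakmp']['group']} (1536-bit MODP or smaller)")
    return warns


if __name__ == "__main__":
    print("mismatches:", check_pair(ASA1, ASA2) or "none")
    print("legacy algorithms on ASA-1:", legacy_warnings(ASA1))
```

In practice the two inputs come from `show run` on each firewall; keeping the NAT-exempt ACL identical to the crypto ACL on each side is what makes the "Do not translate Interesting Traffic" comment in the config hold.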
CONFIGURATION EXAMPLE 6: REMOTE ACCESS IPSEC VPN ON CISCO ASA 5505

We will configure here a Remote Access VPN scenario for providing secure connectivity to remote users over the Internet. Moreover, in this configuration example we will set up the “split-tunneling” feature, which allows remote users to browse the Internet while connected to the IPSec VPN. Because split-tunneling is not considered safe, it is disabled by default. This means that once remote users initiate a Remote Access VPN with the central site, they can ONLY access the corporate LAN network and nothing else. For the users to access Internet resources and the corporate LAN simultaneously, split-tunneling must be configured.

The remote teleworker must have the Cisco VPN client software installed on his/her computer in order to establish the VPN session. Once the VPN is established, the ASA 5505 will assign a private IP address from the 192.168.20.0 pool to the remote user. This gives the remote user full network connectivity to the internal corporate LAN (192.168.1.0/24).

The complete configuration follows below. See the comments (lines starting with "!", shown in blue in the original) for clarifications.
ASA-1# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-1
domain-name test.com
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
! Traffic between internal LAN and Remote Access clients must not be translated
access-list nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
! Only Remote Access client traffic destined to the internal LAN goes through the tunnel (split
! tunneling), so the client can reach the Internet directly at the same time
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
mtu outside 1500
mtu inside 1500
! Create a pool of addresses to assign to the remote access clients
ip local pool vpnpool 192.168.20.1-192.168.20.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! Create a dynamic crypto map for the remote VPN clients
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
! Attach the dynamic crypto map to a static crypto map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
! Create a Phase 1 isakmp policy for the remote VPN clients
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! nat-traversal allows remote clients behind a NAT device to connect without problems.
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
! Configure a group-policy and associate the split tunnel network list configured before
group-policy remotevpn internal
group-policy remotevpn attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
username admin password xxxxxxxxxxxxxxxxxxxx encrypted
! Create a tunnel group with type “ipsec-ra” and associate the vpn pool configured before
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool vpnpool
 default-group-policy remotevpn
! The group name “remotevpn” and the pre-shared-key value must also be configured on the Cisco
! VPN client software
tunnel-group remotevpn ipsec-attributes
 pre-shared-key some-strong-key-here
prompt hostname context
: end
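Three settings in this example have to agree with each other: the address pool, the NAT-exempt ACL (whose destination must cover the whole pool, otherwise LAN replies to VPN clients get translated to the outside address and never reach them) and the split-tunnel network list (which, with `tunnelspecified`, is the only traffic the client sends into the tunnel). The script below is an added example written for this tutorial, not code from the author or from Cisco; it parses a constructed excerpt of the config above with regular expressions tailored to the syntax shown, audits those three settings against each other, and models which destinations a client tunnels under each `split-tunnel-policy` value. The reason split tunneling is "not considered safe" is visible in that model: a client that reaches 8.8.8.8 directly and 192.168.1.0/24 through the tunnel at the same time sits on both networks at once. Function names and the `INSIDE_LAN` constant are this example's own assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the remote-access config above (only the lines this check reads).
RA_CFG = """\
access-list nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
ip local pool vpnpool 192.168.20.1-192.168.20.254
nat (inside) 0 access-list nat0_acl
group-policy remotevpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
"""

INSIDE_LAN = ipaddress.ip_network("192.168.1.0/24")  # the corporate LAN in the example


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")


def parse_ra(cfg):
    """Pull pool, NAT-exempt ACL and split-tunnel settings out of the running-config."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)$", cfg, re.M)
    pool = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    nat0_name = re.search(r"^nat \(inside\) 0 access-list (\S+)$", cfg, re.M).group(1)
    nat0 = [(_net(s, sm), _net(d, dm)) for n, s, sm, d, dm in re.findall(
        r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", cfg, re.M) if n == nat0_name]
    policy = re.search(r"^ split-tunnel-policy (\S+)$", cfg, re.M).group(1)
    list_m = re.search(r"^ split-tunnel-network-list value (\S+)$", cfg, re.M)
    nets = [_net(a, mk) for n, a, mk in re.findall(
        r"^access-list (\S+) standard permit (\S+) (\S+)$", cfg, re.M) if list_m and n == list_m.group(1)]
    return {"pool": pool, "nat0": nat0, "split_policy": policy, "split_nets": nets}


def audit_ra(cfg, inside_lan=INSIDE_LAN):
    """Return findings; an empty list means pool, NAT exemption and split-tunnel list agree."""
    p = parse_ra(cfg)
    first, last = p["pool"]
    findings = []
    if first in inside_lan or last in inside_lan:
        findings.append("pool overlaps the inside LAN; clients would collide with real hosts")
    # Without a matching nat0 entry, LAN replies to the pool would be PATed to the outside address.
    if not any(inside_lan.subnet_of(s) and first in d and last in d for s, d in p["nat0"]):
        findings.append("pool is not NAT-exempt from the inside LAN")
    if p["split_policy"] == "tunnelspecified":
        if not any(inside_lan.subnet_of(n) for n in p["split_nets"]):
            findings.append("split-tunnel list does not include the inside LAN")
        if any(n.prefixlen == 0 for n in p["split_nets"]):
            findings.append("split-tunnel list contains 0.0.0.0/0, which is tunnelall in disguise")
    return findings


def sent_through_tunnel(cfg, dst):
    """Model which destinations the client sends into the tunnel under the configured policy."""
    p = parse_ra(cfg)
    d = ipaddress.ip_address(dst)
    in_list = any(d in n for n in p["split_nets"])
    if p["split_policy"] == "tunnelall":
        return True
    if p["split_policy"] == "tunnelspecified":
        return in_list
    if p["split_policy"] == "excludespecified":
        return not in_list
    raise ValueError(f"unknown split-tunnel-policy {p['split_policy']}")


if __name__ == "__main__":
    print("findings:", audit_ra(RA_CFG) or "none")
    for dst in ("192.168.1.50", "8.8.8.8"):
        print(dst, "-> tunnel" if sent_through_tunnel(RA_CFG, dst) else "-> direct")
```

Running the audit after every change to the pool or the ACLs catches the classic symptom of "the VPN connects but I cannot reach the LAN" before users report it.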