Asa Lab Manual


    8/13/2019 Asa Lab Manual

    CTTC (PVT) Limited @2010 SNAF Lab Manual. Web: www.cttc.net.pk, Ph: 92-21-4310956-8

    LAB MANUAL

    Securing Networks with ASA

    Fundamentals(SNAF)

    Version 1.0

    Developed By: Mr. Ahmed Saeed

    Network Manager

    CTTC (PVT) Limited, Karachi Pakistan.


    TABLE OF CONTENTS

    LAB 1: Configure Cisco ASA Appliance for basic configuration CLI

    LAB 2: Configure the Security Appliance for ASDM

    LAB 3: Configure Interfaces and verifying configuration through CLI

    LAB 4: Configure Interfaces and verifying configuration through ASDM

    LAB 5: Configure ASA Appliance for Syslog Server from ASDM

    LAB 6: Configure Dynamic NAT through ASDM and verify the Configuration

    LAB7:Configure PAT on interface IP of ASA through ASDM

    LAB8: Configure Static NAT with ACL to allow inside access through ASDM

    LAB9: Configuring Remote Access VPN (Easy VPN)

    LAB10: Configure Remote Access VPN using AAA

    LAB11: Configure Site to Site IPSEC VPN through ASDM

    LAB12: Configuring ASA Appliance for Static Route through ASDM

    LAB13: Configuring ASA Appliance for Passive RIP through ASDM

    LAB14: Telnet and SSH Configuration on ASA Appliance through ASDM

    LAB15: Configuring ASA Software Image and Licenses through ASDM

    LAB16: Monitoring ASA Appliance through ASDM


    LAB 1: Configure Cisco ASA Appliance for Basic Configuration CLI

    Step1

    CTTC(config)# write erase

    This command will erase the startup configuration (default) of ASA appliance.

    Step2

    CTTC(config)# reload

    This command reloads the security appliance.

    Step3

    CTTC> ?

    Displays help for the commands supported in user mode.

    Step4

    CTTC> enable

    Password :

    This command enters privileged mode; press Enter when prompted for the password.

    Step5

    CTTC# show run

    This command shows the running configuration of your security appliance.

    Step6

    CTTC# show memory

    Free memory: 1000431424 bytes (93%)

    Used memory: 73310400 bytes ( 7%)

    ------------- ----------------


    Total memory: 1073741824 bytes (100%)

    This command shows the memory usage of the security appliance (output varies by platform).

    Step7

    CTTC# show version

    Cisco Adaptive Security Appliance Software Version 7.0(8)

    Device Manager Version 5.0(8)

    Compiled on Sat 31-May-08 23:48 by builders

    System image file is "disk0:/asa708-k8.bin"

    Config file at boot was "startup-config"

    CTTC up 3 days 18 hours

    Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz

    Internal ATA Compact Flash, 256MB

    BIOS Flash M50FW080 @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

    Boot microcode : CNlite-MC-Boot-Cisco-1.2

    SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

    IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

    0: Ext: GigabitEthernet0/0 : address is 0022.90fe.2006, irq 9

    1: Ext: GigabitEthernet0/1 : address is 0022.90fe.2007, irq 9

    2: Ext: GigabitEthernet0/2 : address is 0022.90fe.2008, irq 9

    3: Ext: GigabitEthernet0/3 : address is 0022.90fe.2009, irq 9

    4: Ext: Management0/0 : address is 0022.90fe.200a, irq 11

    5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11

    6: Int: Not used : irq 5


    Licensed features for this platform:

    Maximum Physical Interfaces : Unlimited

    Maximum VLANs : 200

    Inside Hosts : Unlimited

    Failover : Active/Active

    VPN-DES : Enabled

    VPN-3DES-AES : Enabled

    Security Contexts : 2

    GTP/GPRS : Disabled

    VPN Peers : 5000

    This platform has an ASA 5540 VPN Premium license.

    Serial Number: JMX1247L0RJ

    Running Activation Key: 0x6000e973 0x0c5221a3 0xf4b1a9dc 0xa14c5408 0x4a11229b

    Configuration register is 0x1

    Configuration last modified by ahmed at 22:42:10.042 UTC Tue Jan 19 2010

    Step8

    CTTC# show history

    Enable

    Show version

    Show history

    This command shows the history of previously entered commands.

    Step9

    CTTC# show bootvar

    BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin

    Current BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin

    CONFIG_FILE variable =

    Current CONFIG_FILE variable =

    This command shows which image file your ASA firewall boots from and the order in which the listed images are tried.

    Step10

    CTTC# dir

    Directory of disk0:/

    47 -rwx 5474304 00:04:44 Jan 01 2003 asa705-k8.bin

    48 -rwx 5823304 08:29:00 Aug 15 2006 asdm505.bin

    50 -rwx 5474304 01:22:08 May 16 2007 asa706-k8.bin

    51 -rwx 8312832 03:31:14 Mar 10 2008 asa722-k8.bin

    52 -rwx 16275456 01:01:26 Jan 23 2010 asa821-k8.bin

    2 drwx 8192 00:47:45 Jan 23 2010 log

    9 drwx 8192 00:47:53 Jan 23 2010 crypto_archive

    59 drwx 8192 00:50:48 Jan 23 2010 coredumpinfo

    62 drwx 8192 02:30:00 Jan 23 2010 snmp

    255426560 bytes total (213508096 bytes free)

    This command shows the contents of the internal flash memory of your firewall.

    Step 11

    CTTC(config)# boot system disk0:/asa821-k8.bin

    CTTC(config)# boot system disk0:/asa705-k8.bin

    These commands define the boot order: the firewall first tries to boot from disk0:/asa821-k8.bin, and if that image is

    corrupt or not found it boots from disk0:/asa705-k8.bin instead.


    LAB2: Configure the Security Appliance for ASDM

    Step1

    Verify that your ASA firewall has an ASDM image in flash memory:

    CTTC# dir

    Directory of disk0:/

    47 -rwx 5474304 00:04:44 Jan 01 2003 asa705-k8.bin

    50 -rwx 5474304 01:22:08 May 16 2007 asa706-k8.bin

    52 -rwx 16275456 01:01:26 Jan 23 2010 asa821-k8.bin

    2 drwx 8192 00:47:45 Jan 23 2010 log

    9 drwx 8192 00:47:53 Jan 23 2010 crypto_archive

    59 drwx 8192 00:50:48 Jan 23 2010 coredumpinfo

    62 drwx 8192 02:30:00 Jan 23 2010 snmp

    64 -rwx 11491880 03:24:24 Jan 25 2010 asdm-623.bin

    255426560 bytes total (216154112 bytes free)

    Step2

    CTTC(config)# asdm image disk0:asdm-623.bin

    This command specifies which ASDM image in flash the appliance will serve to ASDM clients.

    Step3

    CTTC(config)# http server enable

    This command enables the HTTPS server on the ASA firewall, which ASDM requires.

    Step4

    CTTC(config)# http 10.0.50.10 255.255.255.255 inside

    This command permits ASDM (HTTPS) access only from the single host 10.0.50.10 (mask 255.255.255.255) arriving on the inside interface.

    Step5

    CTTC(config)# aaa authentication http console LOCAL

    This command makes ASDM (HTTPS) sessions authenticate against the local user database.

    Step6

    Open a web browser and enter the following URL: https://10.254.1.2 (inside interface IP address), then click Run ASDM.


    Step 7

    Click YES

    Step 8

    Enter Username and Password


    Step 9

    After entering the username and password, the ASDM home page will open.


    LAB3: Configure Interfaces and Verifying Configuration through CLI

    Step1

    CTTC# configure factory-default

    This command erases all configuration on your ASA firewall and reverts it to the factory default.

    Step 2

    CTTC(config)# interface vlan 1

    CTTC(config-if)# nameif inside

    CTTC(config-if)# security-level 100

    CTTC(config-if)# ip address 10.0.0.1 255.0.0.0

    CTTC(config-if)# no shutdown

    These commands configure the inside interface and its security level on the ASA 5505 firewall.

    Step 3

    CTTC(config)# interface vlan 2

    CTTC(config-if)# nameif outside

    CTTC(config-if)# security-level 0

    CTTC(config-if)# ip address 20.0.0.1 255.0.0.0

    CTTC(config-if)# no shutdown

    These commands configure the outside interface and its security level on the ASA 5505 firewall.

    Step 4

    CTTC# show nameif

    Interface   Name      Security
    Vlan1       inside    100
    Vlan2       outside   0

    This command verifies the name and security level of each interface.

    Step 5

    CTTC# show ip

    System IP Addresses:
    Interface   Name      IP address   Subnet mask   Method
    Vlan1       inside    10.0.0.1     255.0.0.0     manual
    Vlan2       outside   20.0.0.1     255.0.0.0     manual

    Current IP Addresses:
    Interface   Name      IP address   Subnet mask   Method
    Vlan1       inside    10.0.0.1     255.0.0.0     manual
    Vlan2       outside   20.0.0.1     255.0.0.0     manual

    This command verifies the IP addresses of all interfaces of the firewall.

    Step 6

    CTTC# show switch vlan

    VLAN   Name      Status   Ports
    ----   -------   ------   ---------------------------
    1      inside    down     Et0/1, Et0/2, Et0/3, Et0/4
                              Et0/5, Et0/6, Et0/7
    2      outside   down     Et0/0

    This command shows which switch ports of the firewall belong to the inside VLAN and which belong to

    the outside VLAN.

    Step 7 (Optional)

    CTTC(config)# clear configure all

    This command clears the running configuration of the ASA firewall.


    LAB4: Configure Interfaces and Verifying Configuration through ASDM

    Step 1

    Click the Configuration tab and then click Interfaces. You can see that the firewall is already configured with an

    inside interface at security level 100 and IP address 10.0.0.1.


    Step2

    To add a new interface, click Add, add Ethernet 0/0 to the selected switch ports, and enter outside in the

    Interface Name field. Check Enable interface and Use Static IP, then configure IP address 20.0.0.1 with

    subnet mask 255.0.0.0. Click OK.


    Step 3

    The outside interface is now listed in the window below. Click Apply.


    Step 4

    You can verify the interface status, IP address and traffic statistics of the interface from the Home tab.


    LAB5: Configure ASA Appliance for Syslog Server from ASDM

    Step 1: To configure a Syslog server, open the Configuration tab and then click Logging.

    [NETWORK TOPOLOGY figure: Cisco ASA5505 with E0/1 10.0.0.1 and E0/0 20.0.0.1; inside host 10.0.0.10; Syslog Server 20.0.0.10]


    Step 2

    Click Logging Setup, check Enable logging and then press Apply.


    Step 3

    Click the Syslog Servers tab and press Add. Select the ASA interface to which the Syslog server is

    connected and enter the IP address of the Syslog server. Press OK.


    Step 4

    You can see that the Syslog server entry is created in the window below. Note that you can add up to 16

    Syslog servers. Press Apply.


    Step 5

    To enable Syslog time stamping, click Syslog Setup and check the box Include timestamp in

    Syslogs. Press Apply.


    Step 6

    Click Event Lists and press Add. A new dialog box, Add Event List, appears.


    Step 7

    Enter a name for the event list and press Add. In the dialog box that appears, select event class

    All and severity Debugging. Press OK.


    Step 8

    You can see that the event list has been added. Press Apply.


    Step 9

    Select Logging Filters from the Logging menu, select Syslog Servers and press Edit.


    Step 10

    Select the radio button Use event list and choose the list CTTCSYSLOG. Press OK.


    Step 11

    You can see the logs on the Kiwi Syslog server. Verify the time stamp and log format.
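    The Kiwi window above is checked by eye; the following added Python script (not part of the lab manual) parses ASA syslog lines and reports which ones lack the time stamp enabled in Step 5, so the Step 11 check can be run over a captured log and the event-list severity filter from Step 7 can be reproduced. The sample lines are constructed for the example; 302013, 106023 and 305011 are standard ASA message numbers, and the PRI values assume the ASA default facility local4 (20).

```python
"""Parse Cisco ASA syslog lines and check time stamping (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, not taken from the lab. Lines 1 and 2 are the form the
# ASA sends once "Include timestamp in Syslogs" is on, line 3 is the untimestamped
# form, line 4 is not an ASA message at all.
SAMPLE_LINES = [
    "<166>Jan 23 2010 02:30:00: %ASA-6-302013: Built outbound TCP connection 12 "
    "for outside:20.0.0.10/23 (20.0.0.10/23) to inside:10.0.0.10/1034 (20.0.0.112/1034)",
    "<164>Jan 23 2010 02:30:05: %ASA-4-106023: Deny tcp src outside:20.0.0.10/4321 "
    "dst inside:10.0.0.10/23 by access-group \"outside_access_in\"",
    "<166>%ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.10/1034 "
    "to outside:20.0.0.112/1034",
    "garbage line that is not a syslog message",
]

# ASA severity levels, lowest number = most severe.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                       # RFC 3164 PRI, if present
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): )?"  # "Jan 23 2010 02:30:00: "
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)


def parse_line(line):
    """Return a dict describing an ASA syslog line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    rec = {
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "msgid": int(m.group("msgid")),
        "text": m.group("text"),
        "timestamp": None,
        "pri_consistent": None,
    }
    if m.group("ts"):
        rec["timestamp"] = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    if m.group("pri"):
        # PRI = facility * 8 + severity; the severity in the PRI must agree with
        # the one carried in the %ASA-<sev>-<id> tag, otherwise something rewrote it.
        rec["pri_consistent"] = int(m.group("pri")) % 8 == sev
    return rec


def matches_event_list(rec, max_severity=7):
    """Event-list style filter: a message is forwarded when its level is at or
    below the configured severity (7 = debugging lets everything through)."""
    return rec["severity"] <= max_severity


def audit(lines, max_severity=7):
    """Summarise a batch of lines: count per severity, lines without a time
    stamp, non-ASA lines, PRI/tag mismatches and lines dropped by the filter."""
    summary = {"by_severity": Counter(), "no_timestamp": 0,
               "not_asa": 0, "pri_mismatch": 0, "filtered_out": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["not_asa"] += 1
            continue
        if not matches_event_list(rec, max_severity):
            summary["filtered_out"] += 1
            continue
        summary["by_severity"][rec["severity_name"]] += 1
        if rec["timestamp"] is None:
            summary["no_timestamp"] += 1
        if rec["pri_consistent"] is False:
            summary["pri_mismatch"] += 1
    return summary


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
    print(audit(SAMPLE_LINES))
```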


    LAB 6: Configure Dynamic NAT through ASDM and verify the Configuration

    Step 1: To configure Dynamic NAT, click Configuration and then NAT Rules.

    [NETWORK TOPOLOGY figure: Cisco ASA5505 with E0/1 10.0.0.1 and E0/0 20.0.0.1; IP Pool 20.0.0.100-200; Telnet Server 20.0.0.10]


    Step 2

    Click Add and then select Add Dynamic NAT Rule.


    Step 3

    A new window will open. Select the inside interface, and in the Source field select inside-network/8.


    Step 4

    To define the global pool, click Manage and add a Global Address Range. Select interface

    Outside, Pool ID 1 and range 20.0.0.100-20.0.0.200. Press Add and then OK.


    Step 5

    The following window will appear, showing the dynamic NAT entry you just configured. To enforce that

    no traffic passes through the firewall without a NAT entry, uncheck the box Enable traffic through the

    firewall without address translation. Press Apply.


    Step 6

    To verify the dynamic NAT configuration, use the following commands.

    CTTC# show run nat-control

    nat-control

    This command shows that nat-control is enabled: no traffic will pass between interfaces without a matching NAT rule.

    CTTC# show run nat

    nat (inside) 1 10.0.0.0 255.0.0.0

    This command shows the inside network that will be translated (NAT ID 1).

    CTTC# show run global

    global (outside) 1 20.0.0.100-20.0.0.200 netmask 255.0.0.0

    This command displays the global address pool (NAT ID 1) used on the outside interface.

    CTTC# show xlate

    1 in use, 1 most used

    Global 20.0.0.112 Local 10.0.0.10

    This command displays the translation (xlate) table of the ASA appliance.

    CTTC# clear xlate

    This command clears the translation (xlate) table of the ASA appliance.

    CTTC# show arp

    inside 10.0.0.10 0017.423c.6806 52

    outside 20.0.0.10 0021.9b37.b62e 473

    This command displays the ARP cache of your security appliance.

    CTTC# clear arp

    This command clears the ARP cache of your appliance.
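    As an added illustration (not code from the manual), the Python model below reads the three show run lines from Step 6 and reproduces what the ASA does with them: a source in 10.0.0.0/8 leaving via outside gets an address from global pool 1, a second packet from the same host reuses its xlate, a source matching no nat rule is dropped while nat-control is on and passes untranslated when it is off, and an exhausted pool drops new hosts. Sequential pool allocation is a simplification; the class and method names are the example's own.

```python
"""Model of the pre-8.3 ASA dynamic NAT configured in Lab 6 (added example)."""
import ipaddress
import re

# The three lines exactly as 'show run nat-control', 'show run nat' and
# 'show run global' printed them in Step 6.
LAB_CONFIG = [
    "nat-control",
    "nat (inside) 1 10.0.0.0 255.0.0.0",
    "global (outside) 1 20.0.0.100-20.0.0.200 netmask 255.0.0.0",
]

NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ([\d.]+) ([\d.]+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ([\d.]+)-([\d.]+)(?: netmask [\d.]+)?$")


class DynamicNat:
    """Just enough of the ASA to reproduce 'show xlate' for this lab."""

    def __init__(self):
        self.nat_control = False   # ASA default is off; the lab turns it on
        self.nat_rules = []        # (inside interface, nat id, ip_network)
        self.pools = {}            # (outside interface, nat id) -> free global addresses
        self.xlate = {}            # local address -> (outside interface, nat id, global address)
        self.most_used = 0

    def load(self, lines):
        """Parse nat-control / nat / global lines into the model."""
        for line in lines:
            line = line.strip()
            if line == "nat-control":
                self.nat_control = True
            elif line == "no nat-control":
                self.nat_control = False
            elif m := NAT_RE.match(line):
                ifc, nat_id, net, mask = m.groups()
                self.nat_rules.append((ifc, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
            elif m := GLOBAL_RE.match(line):
                ifc, nat_id, lo, hi = m.groups()
                first, last = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
                self.pools[(ifc, int(nat_id))] = [ipaddress.ip_address(a) for a in range(first, last + 1)]
            else:
                raise ValueError(f"unsupported line: {line}")
        return self

    def translate(self, in_ifc, src, out_ifc):
        """Global address used for a packet from src entering on in_ifc and
        leaving on out_ifc; raises if the ASA would drop the packet instead."""
        src = ipaddress.ip_address(src)
        if src in self.xlate:                 # an existing xlate is reused
            return self.xlate[src][2]
        rule = next((r for r in self.nat_rules if r[0] == in_ifc and src in r[2]), None)
        if rule is None:
            if self.nat_control:              # the ASA logs 'no translation group found'
                raise PermissionError(f"{src}: no translation group found (nat-control)")
            return src                        # nat-control off: forwarded untranslated
        nat_id = rule[1]
        pool = self.pools.get((out_ifc, nat_id))
        if not pool:                          # nothing left in the global pool
            raise RuntimeError(f"{src}: global pool {nat_id} on {out_ifc} exhausted")
        glob = pool.pop(0)                    # sequential pick is a simplification
        self.xlate[src] = (out_ifc, nat_id, glob)
        self.most_used = max(self.most_used, len(self.xlate))
        return glob

    def clear_xlate(self):
        """'clear xlate': drop every translation and return addresses to the pools."""
        for out_ifc, nat_id, glob in self.xlate.values():
            self.pools[(out_ifc, nat_id)].append(glob)
        self.xlate.clear()

    def show_xlate(self):
        """Render the table in the same shape as the 'show xlate' output above."""
        lines = [f"{len(self.xlate)} in use, {self.most_used} most used"]
        lines += [f"Global {g} Local {l}" for l, (_, _, g) in self.xlate.items()]
        return "\n".join(lines)


def drop_reason(asa, in_ifc, src, out_ifc):
    """None if the packet would be forwarded, otherwise why the ASA drops it."""
    try:
        asa.translate(in_ifc, src, out_ifc)
        return None
    except (PermissionError, RuntimeError) as exc:
        return str(exc)


if __name__ == "__main__":
    asa = DynamicNat().load(LAB_CONFIG)
    asa.translate("inside", "10.0.0.10", "outside")
    print(asa.show_xlate())
    print(drop_reason(asa, "inside", "192.168.1.5", "outside"))
```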


    LAB 7: Configure PAT on interface IP of ASA through ASDM

    Step 1

    Repeat the first three steps of the previous lab, then click the outside interface and check the box

    PAT using IP address of the interface. Press Add and then OK. The translation will use the address of the outside interface of the firewall.


    LAB 8: Configure Static NAT with ACL to allow inside access through ASDM

    Step 1: Click NAT Rules, press Add and then Add Static NAT Rule.

    [NETWORK TOPOLOGY figure: Cisco ASA5505 with E0/1 10.0.0.1 and E0/0 20.0.0.1; 10.0.0.10; Telnet Server 20.0.0.10; Translated IP 20.0.0.100]


    Step 2

    A new window will open. Click the Source field.


    Step 3

    A new window will open. Press Add and then IP Name.


    Step 4

    A new window opens. Enter Name: Telnet Server and IP Address: 10.0.0.1. Press OK.


    Step 5

    Check Use IP address and enter 20.0.0.100 as the translated IP address.


    Step6

    Press Enter. The following window will open. Press Apply.


    Step 7

    To allow access to the Telnet server connected to the inside interface, we have to configure an

    access rule from the outside machine to the Telnet server.


    Step 8

    Press Add, select interface Outside and select Permit. In the Source field

    select any, and in the Destination field enter the translated IP address 20.0.0.100. Select traffic direction In. Also select service tcp/telnet.


    Step 9

    Press OK; the access rule is shown in the following window. Now Telnet from the outside

    machine to the Telnet server, which is translated to the 20.0.0.100 IP address.


    LAB 9: Configure Remote Access VPN (Easy VPN) through ASDM

    Step 1: Press the Configuration menu and then select the VPN tab.

    [NETWORK TOPOLOGY figure: Cisco ASA5505 with E0/1 10.0.0.1 and E0/0 20.0.0.1; 10.0.0.10; Telnet Server 20.0.0.10; Cisco VPN Client; IP Pool 172.16.1.1-254]

    Step 2: Click Launch VPN Wizard; a new window will open. Click Remote Access VPN and

    then select the outside interface as the VPN termination interface. Click Next.

    Step 3: Select VPN client type Cisco VPN Client 3.x or higher and then press Next.

    Step 4: Enter the pre-shared key cisco123 and the tunnel group name CTTC.

    Step 5: Select Authenticate using the local user database.

    Step 6: Add another user, test, to the local database of the ASA appliance.

    Step 7: Create a new local pool of IP addresses. Click New.

    Step 8: Enter the pool name CTTCPOOL, starting IP address 172.16.1.1 and ending IP

    address 172.16.1.254.

    Step 9: Enter the primary DNS server 10.0.0.100 and the domain name cttc.net.pk.

    Step 10: Configure the IKE Phase 1 parameters as shown in the window below. Click Next.

    Step 11: Select the IPsec phase parameters as shown in the window below and then click Next.

    Step 12: To exempt VPN traffic from network address translation, select interface

    Inside and enter 10.0.0.0 with the default mask of 255.255.255.0. Press Add and then click Next.

    Step 13: Review the summary of the VPN configuration and then click Finish to complete it.

    Step 14: Open the VPN Client software and click New.

    A new window will open. Enter the connection entry name cttc and the host IP address 20.0.0.1.

    Enter the tunnel group name CTTC and then the pre-shared key cisco123. Click Save.

    Step 15: A new connection entry will be created, as shown in the window below.

    Double-click the connection entry; a new window will open. Enter the username and

    password for VPN local database authentication.

    After entering the username and password the VPN tunnel will be established, and you can verify the

    details of the VPN connection in the window below.

    LAB 10: Configure Remote Access VPN (Easy VPN) using AAA

    Step 1: Press the Configuration menu and then click AAA Server Groups. Press Add.

    [NETWORK TOPOLOGY figure: Cisco ASA5505 with E0/1 10.0.0.1 and E0/0 20.0.0.1; 10.0.0.10; 20.0.0.10; Cisco VPN Client; IP Pool 172.16.1.1-254]

    Step 2: Enter the server group name default, select protocol TACACS+ and then press OK.

    Step 3: Press Add under AAA Servers and then select the interface on which the AAA server is located (inside).

    Enter the AAA server IP address 10.0.0.10 and then the server secret key cisco123. Press OK.

    Step 4: Both configured entries are shown in the window below. Press Apply.

    Step 5: Select IPsec Connection Profiles from the window, select the CTTC connection entry

    and then press Edit.

    Step 6: Under User Authentication, select server group default and then check Use LOCAL if Server Group

    fails. Press OK.

    Step 7: To enable accounting, select AAA Access from the window and then press Accounting.

    Then check Enable for the server group and select the group default. Press Apply.

    Step 8: To add a user on Cisco Secure ACS, click User Setup, enter the username

    ahmed and then click Add/Edit.

    Step 9: Enter and confirm the password in the window shown below. Then press Submit.

    Step 10: Select Network Configuration from the menu and then click Add Entry under AAA Clients.

    Step 11: Enter the AAA client name CTTCA and then the IP address of the AAA client, i.e. the ASA inside

    interface IP 10.0.0.1. Enter the server secret key cisco123 and then select Authenticate Using

    TACACS+ (Cisco IOS). Then press Submit.

    Step 12: You can see that the new entry has been added to the AAA client list in the window below.

    Step 13: For accounting, click Reports and Activity.

    Step 14: Select TACACS+ Accounting and then select TACACS+ Accounting active.csv.

    Step 15: The accounting statistics are shown in the window below.

    LAB 11: Configuring IPSEC Site to Site VPN through ASDM

    Step 1: On the CTTCB firewall, click the Wizards option in the top menu and then select the IPsec VPN Wizard.

    Select the Site-to-Site VPN option and then press Next.

    [NETWORK TOPOLOGY figure: CTTCA with E0/1 10.0.0.1 and E0/0 11.0.0.1, host 10.0.0.10; CTTCB with E0/0 11.0.0.2 and E0/1 20.0.0.1, host 20.0.0.10]

    Step 2: Enter the peer IP address 11.0.0.2, select authentication method Pre-shared Key

    and then enter the pre-shared key Cisco123. Leave the tunnel group name as 11.0.0.2. Press Next.

    Step 3: Enter the IKE Phase 1 parameters as shown in the window below.

    Step 4: Enter the IKE Phase 2 parameters as shown in the window below.

    Step 5: To define the interesting VPN traffic, select the source network from which traffic will be

    sent into the tunnel. Select inside-network 20.0.0.0/8 as the source network. Press OK.

    Step 6: Enter the remote network to which VPN traffic will be forwarded as 10.0.0.0/8. Press OK.

    Step 7: Both configured entries are shown in the window below. Only traffic from the local network to the

    remote network will pass through the VPN tunnel. Press Next.

    Step 8: The window below shows the summary of the VPN configuration. Press Finish to complete the

    configuration on the CTTCB firewall.

    NOTE: Repeat these steps on the CTTCA firewall as well in order to complete the site-to-site VPN.

    Step 9: After configuring the CTTCA firewall, you can verify the VPN tunnel status in the window

    below: IKE: 1 and IPSEC: 1.

    Step 10: Click the Monitoring tab, then VPN and then Sessions.

    Step 11: Verify the IKE Phase 1 and IPsec phase parameters.

ciscoasa# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

ciscoasa# sh crypto ipsec sa

interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 11.0.0.2

      access-list outside_1_cryptomap permit ip 20.0.0.0 255.0.0.0 remotenetwork 255.255.255.0
      local ident (addr/mask/prot/port): (20.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (remotenetwork/255.255.255.0/0/0)
      current_peer: 11.0.0.1

      #pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226
      #pkts decaps: 226, #pkts decrypt: 226, #pkts verify: 226
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 226, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 2DBE841E

    inbound esp sas:
      spi: 0x023E2818 (37627928)
         transform: esp-des esp-md5-hmac no compression
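As an added verification aid for Step 11 (example code written for this manual, not part of the CTTC lab or of Cisco's tooling), the Python script below parses the two show outputs above and reports whether phase 1 is up, whether traffic is flowing in both directions, whether send/recv errors were counted, and whether the negotiated transform set uses deprecated algorithms. The sample text is copied from the listing above and is assumed to be what the verifier pasted from the console.

```python
import re
# Constructed sample output, copied from the Step 11 listing above (that listing
# is truncated after the first inbound SA, so this sample is too).
ISAKMP_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
"""
IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 11.0.0.2
      current_peer: 11.0.0.1
      #pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226
      #pkts decaps: 226, #pkts decrypt: 226, #pkts verify: 226
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0x023E2818 (37627928)
         transform: esp-des esp-md5-hmac no compression
"""

# ESP transforms a reviewer would flag today (single DES and MD5 are deprecated).
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null"}

def active_ike_sas(isakmp_text):
    """Number of active IKE (phase 1) SAs reported by `show crypto isakmp sa`."""
    m = re.search(r"Active SA:\s*(\d+)", isakmp_text)
    return int(m.group(1)) if m else 0

def check_ipsec_sa(ipsec_text):
    """Summarise a `show crypto ipsec sa` listing: peer, counters and transform quality."""
    counters = {name: int(val) for name, val in
                re.findall(r"#(pkts \w+|send errors|recv errors):\s*(\d+)", ipsec_text)}
    peer = re.search(r"current_peer:\s*(\S+)", ipsec_text)
    transforms = " ".join(re.findall(r"transform:\s*([^\n]+)", ipsec_text)).split()
    encaps, decaps = counters.get("pkts encaps", 0), counters.get("pkts decaps", 0)
    return {
        "peer": peer.group(1) if peer else None,
        "encaps": encaps,
        "decaps": decaps,
        # Encaps without decaps means the far side is not sending back: check its
        # interesting-traffic ACL and routing before blaming the crypto settings.
        "bidirectional": encaps > 0 and decaps > 0,
        "errors": counters.get("send errors", 0) + counters.get("recv errors", 0),
        "weak_transforms": [t for t in transforms if t in WEAK_TRANSFORMS],
    }

def tunnel_is_healthy(isakmp_text, ipsec_text):
    """True when phase 1 is up, traffic flows both ways and no send/recv errors were counted."""
    s = check_ipsec_sa(ipsec_text)
    return active_ike_sas(isakmp_text) >= 1 and s["bidirectional"] and s["errors"] == 0
```

On the lab output the tunnel is reported healthy, but the transform check flags esp-des and esp-md5-hmac, which is the setting a practitioner would change before using this configuration outside the lab.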

    LAB12: Configuring Static Route on ASA Firewall through ASDM

Step1: Click Configuration, then Device Setup, then select Static Routes. Press Add (on CTTCA).

NETWORK TOPOLOGY (figure): CTTCA: E0/1 10.0.0.1 (inside host 10.0.0.10), E0/0 11.0.0.1; CTTCB: E0/0 11.0.0.2, E0/1 20.0.0.1 (inside host 20.0.0.10).

Step2: Select the interface Outside, enter the destination network 20.0.0.0 with subnet mask 255.0.0.0, and then click the Gateway IP option.

    Step3: A new window will open. Press Add.

Step4: Enter the Network Object Name "next hop" and the IP address of the next hop, 11.0.0.2. Select the network mask 255.255.255.255 and press Ok.

Step5: A new window will open as below. Press Ok.

Step6: A new window will open as below. Press Apply to configure the static route.

Step 7: Repeat the previous steps to configure the static route shown below on the CTTCB firewall.

    LAB13: Configuring Passive RIP on ASA Firewall through ASDM

Step1: Click Enable RIP routing, check RIP version 1, add the 10.0.0.0 and 11.0.0.0 networks, and then select the outside interface as a passive interface on the CTTCA firewall.

NETWORK TOPOLOGY (figure): CTTCA: E0/1 10.0.0.1 (inside host 10.0.0.10), E0/0 11.0.0.1; CTTCB: E0/0 11.0.0.2, E0/1 20.0.0.1 (inside host 20.0.0.10).

Step2: Click Enable RIP routing, check RIP version 1, add the 20.0.0.0 and 11.0.0.0 networks, and then select the outside interface as a passive interface on the CTTCB firewall.

    LAB14: Telnet and SSH Configuration on ASA Appliance through ASDM

Step1: Click Configuration > Device Management > Management Access > ASDM/HTTP/HTTPS/SSH/Telnet. Press Add.

Step2: Click Telnet and enter the IP address 10.0.0.10 of the host connected to the inside interface of the firewall. The firewall can then be accessed only from the 10.0.0.10 IP. Press Ok.

Step3: The firewall is now configured for Telnet, as highlighted in the window below.

Step4: For SSH configuration, select the inside interface and then click SSH. Enter the IP address of the client that will initiate SSH to the security appliance.

Step5: For SSH you need to configure the domain name and hostname of the firewall: Configuration > Device Setup > Device Name/Password.

Step6: Generate an RSA key: Configuration > Device Management > Certificate Management > Identity Management.

Step7: Click Add a new identity certificate and then click New.

Step8: Press Generate Now to generate the RSA key for SSH.

    LAB15: Configuring ASA for Software Image and Licensing

Step1: To configure the boot sequence of the ASA image and to define the ASDM image, navigate to Configuration > Device Management > System Image/Configuration > Boot Image/Configuration. Press Add.

Step2: To define the flash image, click Browse Flash.

    Step3: Select the appropriate image and then press Ok.

Step4: The software image has been added. To define the ASA image file path, click Browse Flash.

Step5: Select the appropriate ASDM image file as in the window below. Press Ok.

Step6: Press Apply to push the configuration to the ASA appliance.

Step7: To upgrade the license, change the activation key: Configuration > Device Management > Activation Key.

    LAB16: Monitoring ASA Appliance through ASDM

Step1: To verify the platform, ASA version, ASDM version, device uptime, interface status, CPU and memory utilization and the latest ASDM syslog messages, go to the Home page of ASDM.

Step2: For monitoring of the routing tables, navigate to Monitoring > Routing.

Step 3: For interface monitoring, navigate to Monitoring > Interfaces.

Step4: For AAA server monitoring, navigate to Monitoring > Properties > AAA Servers.

Step5: For real time logging, navigate to Monitoring > Logging > Real Time Log Viewer.

Step6: Press View to see the real time logs.