8/13/2019 Asa Lab Manual
1/114
1 CTTC (PVT) Limited@2010 SNAF Lab ManualWeb: www.cttc.net.pk
Ph: 92-21-4310956-8
LAB MANUAL
Securing Networks with ASA Fundamentals (SNAF)
Version 1.0
Developed By: Mr. Ahmed Saeed
Network Manager
CTTC (PVT) Limited, Karachi Pakistan.
TABLE OF CONTENTS
LAB 1: Configure Cisco ASA Appliance for basic configuration CLI
LAB 2: Configure the Security Appliance for ASDM
LAB 3: Configure Interfaces and verifying configuration through CLI
LAB 4: Configure Interfaces and verifying configuration through ASDM
LAB 5: Configure ASA Appliance for Syslog Server from ASDM
LAB 6: Configure Dynamic NAT through ASDM and verify the Configuration
LAB 7: Configure PAT on interface IP of ASA through ASDM
LAB 8: Configure Static NAT with ACL to allow inside access through ASDM
LAB 9: Configuring Remote Access VPN (Easy VPN)
LAB 10: Configure Remote Access VPN using AAA
LAB 11: Configure Site to Site IPSEC VPN through ASDM
LAB 12: Configuring ASA Appliance for Static Route through ASDM
LAB 13: Configuring ASA Appliance for Passive RIP through ASDM
LAB 14: Telnet and SSH Configuration on ASA Appliance through ASDM
LAB 15: Configuring ASA Software Image and Licenses through ASDM
LAB 16: Monitoring ASA Appliance through ASDM
LAB 1: Configure Cisco ASA Appliance for Basic Configuration CLI
Step 1
CTTC(config)# write erase
This command will erase the startup configuration (default) of the ASA appliance.
Step 2
CTTC(config)# reload
This command will reload the security appliance.
Step 3
CTTC> ?
Displays the help for the commands supported in user mode.
Step 4
CTTC> enable
Password :
Enters the privileged mode of the appliance; type the password when prompted and press Enter.
Step 5
CTTC# Show Run
This command will show the running configuration of your security appliance.
Step 6
CTTC# Show memory
Free memory: 1000431424 bytes (93%)
Used memory: 73310400 bytes ( 7%)
------------- ----------------
Total memory: 1073741824 bytes (100%)
This command shows the memory usage of the security appliance (the output varies by platform).
Step 7
CTTC# Show Version
Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)
Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"
CTTC up 3 days 18 hours
Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: GigabitEthernet0/0 : address is 0022.90fe.2006, irq 9
1: Ext: GigabitEthernet0/1 : address is 0022.90fe.2007, irq 9
2: Ext: GigabitEthernet0/2 : address is 0022.90fe.2008, irq 9
3: Ext: GigabitEthernet0/3 : address is 0022.90fe.2009, irq 9
4: Ext: Management0/0 : address is 0022.90fe.200a, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
This platform has an ASA 5540 VPN Premium license.
Serial Number: JMX1247L0RJ
Running Activation Key: 0x6000e973 0x0c5221a3 0xf4b1a9dc 0xa14c5408 0x4a11229b
Configuration register is 0x1
Configuration last modified by ahmed at 22:42:10.042 UTC Tue Jan 19 2010
Step 8
CTTC# show History
Enable
Show version
Show history
This command will show the history of previously entered commands.
Step 9
CTTC# show bootvar
BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin
Current BOOT variable = disk0:/asa821-k8.bin;disk0:/asa705-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
This command shows which image file your ASA firewall boots from.
Step 10
CTTC# dir
Directory of disk0:/
47 -rwx 5474304 00:04:44 Jan 01 2003 asa705-k8.bin
48 -rwx 5823304 08:29:00 Aug 15 2006 asdm505.bin
50 -rwx 5474304 01:22:08 May 16 2007 asa706-k8.bin
51 -rwx 8312832 03:31:14 Mar 10 2008 asa722-k8.bin
52 -rwx 16275456 01:01:26 Jan 23 2010 asa821-k8.bin
2 drwx 8192 00:47:45 Jan 23 2010 log
9 drwx 8192 00:47:53 Jan 23 2010 crypto_archive
59 drwx 8192 00:50:48 Jan 23 2010 coredumpinfo
62 drwx 8192 02:30:00 Jan 23 2010 snmp
255426560 bytes total (213508096 bytes free)
This command shows the contents of the internal flash memory of your firewall.
Step 11
CTTC(config)# boot system disk0:/asa821-k8.bin
CTTC(config)# boot system disk0:/asa705-k8.bin
These commands define the boot order: the firewall first boots from the disk0:/asa821-k8.bin image, and if
that image is corrupt or not found it boots from the disk0:/asa705-k8.bin image.
LAB 2: Configure the Security Appliance for ASDM
Step 1
Verify that your ASA firewall has an ASDM image in flash memory.
CTTC# dir
Directory of disk0:/
47 -rwx 5474304 00:04:44 Jan 01 2003 asa705-k8.bin
50 -rwx 5474304 01:22:08 May 16 2007 asa706-k8.bin
52 -rwx 16275456 01:01:26 Jan 23 2010 asa821-k8.bin
2 drwx 8192 00:47:45 Jan 23 2010 log
9 drwx 8192 00:47:53 Jan 23 2010 crypto_archive
59 drwx 8192 00:50:48 Jan 23 2010 coredumpinfo
62 drwx 8192 02:30:00 Jan 23 2010 snmp
64 -rwx 11491880 03:24:24 Jan 25 2010 asdm-623.bin
255426560 bytes total (216154112 bytes free)
Step 2
CTTC(config)# asdm image disk0:asdm-623.bin
This command defines which ASDM image in flash the appliance will use.
Step 3
CTTC(config)# http server enable
This command enables the HTTP(S) server on the ASA firewall, which is required for ASDM.
Step 4
CTTC(config)# http 10.0.50.10 255.255.255.255 inside
This command permits ASDM (HTTPS) connections only from host 10.0.50.10 on the inside interface.
Step 5
CTTC(config)# aaa authentication http console LOCAL
This command enables authentication for ASDM against the local user database.
Step 6
Open a web browser and enter the URL https://10.254.1.2 (the inside interface IP address), and
then click Run ASDM.
Step 7
Click YES
Step 8
Enter Username and Password
Step 9
After you enter the username and password, the ASDM home page opens.
LAB 3: Configure Interfaces and Verifying Configuration through CLI
Step 1
CTTC# configure factory-default
This command erases all configuration on your ASA firewall and reverts the appliance to its factory default
configuration.
Step 2
CTTC(config)# int vlan 1
CTTC(config-if)# nameif inside
CTTC(config-if)# security-level 100
CTTC(config-if)# ip address 10.0.0.1 255.0.0.0
CTTC(config-if)# no shut
These commands configure the inside interface and its security level on the ASA 5505 firewall.
Step 3
CTTC(config)# int vlan 2
CTTC(config-if)# nameif outside
CTTC(config-if)# security-level 0
CTTC(config-if)# ip address 20.0.0.1 255.0.0.0
CTTC(config-if)# no shut
These commands configure the outside interface and its security level on the ASA 5505 firewall.
Step 4
CTTC# show nameif
Interface Name Security
Vlan1 inside 100
Vlan2 outside 0
This command will verify the name and security level of each interface.
Step 5
CTTC# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.0.0.0 manual
Vlan2 outside 20.0.0.1 255.0.0.0 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.0.0.1 255.0.0.0 manual
Vlan2 outside 20.0.0.1 255.0.0.0 manual
This command will verify the IP addresses of all interfaces of firewall.
Step 6
CTTC# show switch vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 inside down Et0/1, Et0/2, Et0/3, Et0/4
Et0/5, Et0/6, Et0/7
2 outside down Et0/0
This command shows which firewall interfaces belong to the inside VLAN and which belong to the outside VLAN.
Step 7 (Optional)
CTTC(config)# clear configure all
This command will clear the running configuration of ASA Firewall.
LAB 4: Configure Interfaces and Verifying Configuration through ASDM
Step 1
Click the Configuration tab and then click Interfaces. You can see that the firewall is already configured with
an inside interface with security level 100 and IP address 10.0.0.1.
Step 2
To add a new interface, click Add, add the Ethernet 0/0 interface to the selected switch ports,
and type outside in the Interface Name field. Tick Enable interface and Use static IP, then
enter the IP address 20.0.0.1 and subnet mask 255.0.0.0. Click OK.
Step 3
The outside interface is now listed in the window below. Click Apply.
Step 4
You can verify the interface status, IP address and traffic statistics of the interface from the Home tab.
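The CLI equivalent of the ASDM steps above, added here as an example (it is not part of the lab manual): on an ASA 5505 the physical Ethernet ports are switch ports, so "adding Ethernet 0/0 to the selected switch ports" in ASDM is a VLAN assignment on the port, and the IP settings go on the VLAN interface. The example assumes the inside VLAN 1 from LAB 3 already exists.

```cisco
! Added example, not from the lab manual: CLI equivalent of LAB 4 on an ASA 5505.
! The outside interface lives on Vlan2 (same values as the ASDM dialog)
interface Vlan2
 nameif outside
 security-level 0
 ip address 20.0.0.1 255.0.0.0
 no shutdown
!
! "Add Ethernet 0/0 to selected switch ports" = put the port into VLAN 2
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
! Verification (the same checks as LAB 3 Steps 4 to 6)
! show nameif        -> Vlan2 outside 0
! show ip            -> Vlan2 outside 20.0.0.1 255.0.0.0 manual
! show switch vlan   -> VLAN 2 outside up Et0/0
```

"show switch vlan" is the check that catches the most common mistake here: a VLAN interface that is configured and enabled but has no switch port assigned to it, which ASDM reports as an interface that never comes up.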
LAB 5: Configure ASA Appliance for Syslog Server from ASDM
Step 1: To configure a syslog server, navigate to the Configuration tab and then click Logging.
NETWORK TOPOLOGY: Cisco ASA5505 with inside E0/1 10.0.0.1 (host 10.0.0.10) and outside E0/0 20.0.0.1 (Syslog Server 20.0.0.10).
Step 2
Click Logging Setup, tick Enable logging and then press Apply.
Step 3
Click the Syslog Servers tab and then press Add. Select the ASA interface to which the syslog server is
connected, enter the IP address of the syslog server, and press OK.
Step 4
The syslog server entry now appears in the window below. Note that you can add up to 16
syslog servers. Press Apply.
Step 5
To enable syslog time stamps, click Syslog Setup and tick Include timestamp in syslogs.
Press Apply.
Step 6
Click Event Lists and then press Add. A new dialog box, Add Event List, appears.
Step 7
Enter the name of the event list and then press Add. In the new dialog box, select the event class
All and severity Debugging. Press OK.
Step 8
The event list has been added. Press Apply.
Step 9
Select Logging Filters from the Logging menu, select Syslog Servers and press Edit.
Step 10
Select the Use event list radio button, choose the list CTTCSYSLOG and press OK.
Step 11
The logs now appear on the Kiwi syslog server. Verify the time stamps and the log format.
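The same LAB 5 configuration expressed on the CLI, added here as an example and not taken from the lab manual. The server address 20.0.0.10 on the outside interface, the list name CTTCSYSLOG and the All/Debugging filter follow the lab; the local buffer level is an assumption added as a fallback.

```cisco
! Added example, not from the lab manual: CLI equivalent of LAB 5 (Steps 2 to 10)
logging enable
! Step 5: prefix every message with a time stamp (needs a correct clock or NTP)
logging timestamp
! Steps 6-8: event list CTTCSYSLOG = every class at debugging severity
logging list CTTCSYSLOG level debugging
! Steps 3-4: the Kiwi server, reached via the outside interface (UDP/514 by default)
logging host outside 20.0.0.10
! Steps 9-10: what is sent to the syslog servers is selected by the event list
logging trap CTTCSYSLOG
! Assumption: keep a quieter on-box buffer so events survive when the server is unreachable
logging buffered informational
! Verification
! show logging                    -> enabled/disabled, servers, message counts
! show running-config logging     -> the lines above
```

The All/Debugging filter the lab uses is fine for seeing every message type on the Kiwi screen, but at that severity the appliance emits one line per connection build and teardown, so on a loaded firewall the trap level is usually raised to informational or notifications and the debugging detail kept for a short troubleshooting window.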
LAB 6: Configure Dynamic NAT through ASDM and verify the Configuration
Step 1: To configure dynamic NAT, click Configuration and then click NAT Rules.
NETWORK TOPOLOGY: Cisco ASA5505 with inside E0/1 10.0.0.1 and outside E0/0 20.0.0.1; IP pool 20.0.0.100-200 on the outside; Telnet Server 20.0.0.10.
Step 2
Click Add and then select Add Dynamic NAT Rule.
Step 3
A new window opens. Select the inside interface and, in the Source field, select inside-network/8.
Step 4
To define the global pool, click Manage and add a Global Address Range: interface outside,
pool ID 1 and range 20.0.0.100-20.0.0.200. Press Add and then OK.
Step 5
The following window appears, showing the dynamic NAT entry you have just configured. To enforce
that no traffic passes through the firewall without a NAT entry, untick the box Enable traffic
through the firewall without address translation. Press Apply.
Step 6
In order to verify Dynamic NAT Configuration, use the following Commands.
CTTC# show run nat-control
nat-control
This command will show that no traffic will pass between interfaces through firewall without NAT.
CTTC# show run nat
nat (inside) 1 10.0.0.0 255.0.0.0
This command will show the inside network that will be translated.
CTTC# show run global
global (outside) 1 20.0.0.100-20.0.0.200 netmask 255.0.0.0
This command will display the global address space.
CTTC# show xlate
1 in use, 1 most used
Global 20.0.0.112 Local 10.0.0.10
This command will display the NAT Table of ASA Appliance.
CTTC# clear xlate
This command will clear the NAT Table of ASA Appliance.
CTTC# show arp
inside 10.0.0.10 0017.423c.6806 52
outside 20.0.0.10 0021.9b37.b62e 473
This command will display the ARP cache of your security appliance.
CTTC# clear arp
This command will clear the ARP cache of your appliance.
LAB 7: Configure PAT on interface IP of ASA through ASDM
Step 1
Repeat the first three steps of the previous lab, then click the outside interface and tick the box
PAT using IP address of the interface. Press Add and then OK. Translation is then done on the
outside interface address of the firewall.
LAB 8: Configure Static NAT with ACL to allow inside access through ASDM
Step 1: Click NAT Rules, press Add and then select Add Static NAT Rule.
NETWORK TOPOLOGY: Cisco ASA5505 with inside E0/1 10.0.0.1 (Telnet Server 10.0.0.10, translated IP 20.0.0.100) and outside E0/0 20.0.0.1 (host 20.0.0.10).
Step 2
A new window opens. Click Source.
Step 3
A new window opens. Press Add and then IP Name.
Step 4
A new window opens. Enter Name: Telnet Server and IP Address: 10.0.0.1. Press OK.
Step 5
Tick Use IP address and then enter 20.0.0.100 as the translated IP address.
Step 6
Press Enter. The following window opens. Press Apply.
Step 7
To allow access to the Telnet server connected to the inside interface, we have to configure an
access rule from the outside machine to the Telnet server.
Step 8
Press Add, select the interface Outside and then click Permit. In the Source field select any,
and in the Destination field enter the translated IP address 20.0.0.100. Select traffic direction In. Also select the service TCP/Telnet.
Step 9
Press OK; the access rule appears in the following window. Now Telnet from the outside
machine to the Telnet server at its translated address 20.0.0.100.
LAB 9: Configure Remote Access VPN (Easy VPN) through ASDM
Step 1: Click the Configuration menu and then select the VPN tab.
NETWORK TOPOLOGY: Cisco ASA5505 with inside E0/1 10.0.0.1 and outside E0/0 20.0.0.1; hosts 10.0.0.10 and 20.0.0.10 (Telnet Server); Cisco VPN Client; IP pool 172.16.1.1-254.
Step 2: Click Launch VPN Wizard; a new window opens. Select Remote Access VPN and then select the
outside interface as the interface on which the VPN terminates. Click Next.
Step 3: Select the VPN client type Cisco VPN Client 3.x or higher and then press Next.
Step 4: Enter the pre-shared key cisco123 and the tunnel group name CTTC.
Step 5: Select Authenticate using the local user database.
Step 6: Add another user, test, to the local database of the ASA appliance.
Step 7: Create a new local pool of IP addresses. Click New.
Step 8: Enter the pool name CTTCPOOL, the starting IP address 172.16.1.1 and the ending IP
address 172.16.1.254.
Step 9: Enter the primary DNS server 10.0.0.100 and the domain name cttc.net.pk.
Step 10: Configure the IKE Phase 1 parameters as shown in the window below. Click Next.
Step 11: Select the IPsec Phase 2 parameters as shown in the window below and then click Next.
Step 12: To exempt VPN traffic from network address translation, select the interface Inside and
add 10.0.0.0 with the default mask 255.255.255.0. Press Add and then click Next.
Step 13: Review the summary of the VPN configuration and then click Finish to complete.
Step 14: Open the VPN Client software and click New. A new window opens. Enter the connection
entry name cttc and the host IP address 20.0.0.1. Enter the tunnel group name CTTC and the
pre-shared key cisco123. Click Save.
Step 15: A new connection entry is created as shown in the window below.
Double-click the connection entry; a new window opens. Enter the username and password for
VPN local database authentication.
After you enter the username and password, the VPN tunnel is established and you can verify the
details of the VPN connection in the window below.
LAB 10: Configure Remote Access VPN (Easy VPN) using AAA
Step 1: Click the Configuration menu and then click AAA Server Groups. Press Add.
NETWORK TOPOLOGY: Cisco ASA5505 with inside E0/1 10.0.0.1 (host 10.0.0.10) and outside E0/0 20.0.0.1 (host 20.0.0.10); Cisco VPN Client; IP pool 172.16.1.1-254.
Step 2: Type the server group name default, select the protocol TACACS+ and press OK.
Step 3: Press Add under AAA Servers and select the interface on which the AAA server is located, inside.
Enter the AAA server IP address 10.0.0.10 and the server secret key cisco123. Press OK.
Step 4: Both configured entries are shown in the window below. Press Apply.
Step 5: Select IPsec Connection Profiles, select the CTTC connection entry and press Edit.
Step 6: Under User Authentication, select the server group default and tick Use LOCAL if Server Group
fails. Press OK.
Step 7: To enable accounting, select AAA Access and then click Accounting. Tick Enable server group
and select the group default. Press Apply.
Step 8: To add a user on Cisco Secure ACS, click User Setup, enter the username ahmed and
click Add/Edit.
Step 9: Enter and confirm the password in the window below. Then press Submit.
Step 10: Select Network Configuration from the menu and click Add Entry for AAA Clients.
Step 11: Enter the AAA client name CTTCA and the IP address of the AAA client, i.e. the ASA inside
interface IP 10.0.0.1. Enter the server secret key cisco123 and select Authenticate Using
TACACS+ (Cisco IOS). Then press Submit.
Step 12: The entry now appears in the AAA client list in the window below.
Step 13: For accounting, click Reports and Activity.
Step 14: Select TACACS+ Accounting and then select TACACS+ Accounting active.csv.
Step 15: The accounting statistics are shown in the window below.
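The ASA side of LAB 10 on the CLI, added here as an example that is not part of the lab manual and layered on the LAB 9 tunnel group. The group name default, TACACS+, the server 10.0.0.10 on inside and the key cisco123 are the lab's; which management access types get accounting is an assumption, since the lab only says "Enable server group".

```cisco
! Added example, not from the lab manual: CLI equivalent of LAB 10 Steps 1 to 7
! Steps 1-4: the TACACS+ server group and its one member (shared secret cisco123)
aaa-server default protocol tacacs+
aaa-server default (inside) host 10.0.0.10
 key cisco123
! Steps 5-6: VPN users authenticate against TACACS+; LOCAL is consulted only when
! no server in the group answers, not when a server rejects the credentials
tunnel-group CTTC general-attributes
 authentication-server-group default LOCAL
! Step 7: accounting for management sessions to the same group (assumption: SSH and enable)
aaa accounting ssh console default
aaa accounting enable console default
!
! Verification (run before asking a user to try the client)
! test aaa-server authentication default host 10.0.0.10 username ahmed password <password>
! show aaa-server default      -> server state ACTIVE/FAILED, request and timeout counters
```

The "test aaa-server" command exercises the shared secret and the ACS client entry from Step 11 end to end; a key mismatch between Step 3 and Step 11 is the usual reason the server shows FAILED while the VPN still works, silently, through the LOCAL fallback.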
LAB 11: Configuring IPSEC Site to Site VPN through ASDM
Step 1: On the CTTCB firewall, click the Wizards option on the top menu and then select IPsec VPN Wizard.
Select the Site-to-Site VPN option and press Next.
NETWORK TOPOLOGY: CTTCA with inside E0/1 10.0.0.1 (host 10.0.0.10) and outside E0/0 11.0.0.1; CTTCB with outside E0/0 11.0.0.2 and inside E0/1 20.0.0.1 (host 20.0.0.10).
Step 2: Enter the peer IP address 11.0.0.2, select the authentication method Pre-shared Key
and enter the pre-shared key Cisco123. Leave the tunnel group name as 11.0.0.2. Press Next.
Step 3: Enter the IKE Phase 1 parameters as shown in the window below.
Step 4: Enter the IKE Phase 2 parameters as shown in the window below.
Step 5: To define the interesting VPN traffic, select the source network from which traffic will be
sent into the tunnel. Select inside-network 20.0.0.0/8 as the source network. Press OK.
Step 6: Enter the remote network to which VPN traffic will be forwarded, 10.0.0.0/8. Press OK.
Step 7: Both configured entries are shown in the window below. Only traffic from the local network to
the remote network will pass through the VPN tunnel. Press Next.
Step 8: The window below shows the summary of the VPN configuration. Press Finish to complete the
configuration on the CTTCB firewall.
NOTE: Repeat these steps on the CTTCA firewall as well to complete the site-to-site VPN.
Step 9: After configuring the CTTCA firewall, you can verify the VPN tunnel status in the window
below: IKE: 1 and IPsec: 1.
Step 10: Click the Monitoring tab, then VPN, then Sessions.
Step 11: Verify the IKE Phase 1 and IPsec Phase 2 parameters.
ciscoasa# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
ciscoasa# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 11.0.0.2
access-list outside_1_cryptomap permit ip 20.0.0.0 255.0.0.0 remotenetwork 255.255.255.0
local ident (addr/mask/prot/port): (20.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (remotenetwork/255.255.255.0/0/0)
current_peer: 11.0.0.1
#pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226
#pkts decaps: 226, #pkts decrypt: 226, #pkts verify: 226
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 226, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 11.0.0.2, remote crypto endpt.: 11.0.0.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 2DBE841E
inbound esp sas:
spi: 0x023E2818 (37627928)
transform: esp-des esp-md5-hmac no compression
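The CTTCB side of the LAB 11 tunnel on the CLI, added here as an example that is not from the lab manual. The local address 11.0.0.2, peer 11.0.0.1, crypto map name outside_map, ACL name outside_1_cryptomap and the esp-des/esp-md5-hmac transform follow the "show crypto ipsec sa" output above (Step 2 types 11.0.0.2 as the peer, which is CTTCB's own outside address in the topology); the IKE policy values are an assumption, and the remote network is written as 10.0.0.0/8 where the output shows the object name remotenetwork.

```cisco
! Added example, not from the lab manual: CLI equivalent of the LAB 11 wizard on CTTCB
! (inside 20.0.0.0/8, outside 11.0.0.2, peer CTTCA at 11.0.0.1)
! Step 3: IKE Phase 1 (values are an assumption)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
! Step 4: IKE Phase 2 proposal, matching the transform in the output above
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
! Steps 5-7: interesting traffic, local 20.0.0.0/8 to remote 10.0.0.0/8
access-list outside_1_cryptomap extended permit ip 20.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 11.0.0.1
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
! Step 2: a site-to-site tunnel group is named after the peer address
tunnel-group 11.0.0.1 type ipsec-l2l
tunnel-group 11.0.0.1 ipsec-attributes
 pre-shared-key Cisco123
! Keep tunnelled traffic out of NAT
access-list inside_nat0_outbound extended permit ip 20.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
!
! CTTCA is the mirror image: networks swapped, peer 11.0.0.2, tunnel-group 11.0.0.2.
! Verification (Steps 9-11)
! show crypto isakmp sa   -> Active SA: 1
! show crypto ipsec sa    -> #pkts encaps/decaps climbing on both ends
! show vpn-sessiondb l2l  -> one session per peer
```

The two ends must agree on the crypto ACL as mirror images (source and destination swapped), on the transform set and on the pre-shared key; a mismatch in any of them leaves "show crypto isakmp sa" at 0 or the encaps counter climbing while decaps stays at 0. DES with MD5 is what this lab's output shows and is fine for a classroom; a production tunnel would use AES and SHA with a stronger DH group.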
LAB 12: Configuring Static Route on ASA Firewall through ASDM
Step 1: Click Configuration, then Device Setup, then select Static Routes. Press Add. (CTTCA)
NETWORK TOPOLOGY: same two-firewall topology as LAB 11: CTTCA with inside E0/1 10.0.0.1 (host 10.0.0.10) and outside E0/0 11.0.0.1; CTTCB with outside E0/0 11.0.0.2 and inside E0/1 20.0.0.1 (host 20.0.0.10).
Step 2: Select the interface Outside, enter the destination network 20.0.0.0 and subnet mask
255.0.0.0, and then click the Gateway IP option.
Step 3: A new window opens. Press Add.
Step 4: Enter the network object name next hop and the IP address of the next hop, 11.0.0.2.
Select the network mask 255.255.255.255 and press OK.
Step 5: A new window opens as shown below. Press OK.
Step 6: A new window opens as shown below. Press Apply to configure the static route.
Step 7: Repeat the previous steps to configure the static route shown below on the CTTCB firewall.
LAB 13: Configuring Passive RIP on ASA Firewall through ASDM
Step 1: On the CTTCA firewall, tick Enable RIP routing, select RIP version 1, add the networks 10.0.0.0
and 11.0.0.0, and mark the outside interface as a passive interface.
NETWORK TOPOLOGY: same two-firewall topology as LAB 11: CTTCA with inside E0/1 10.0.0.1 (host 10.0.0.10) and outside E0/0 11.0.0.1; CTTCB with outside E0/0 11.0.0.2 and inside E0/1 20.0.0.1 (host 20.0.0.10).
Step 2: On the CTTCB firewall, tick Enable RIP routing, select RIP version 1, add the networks 20.0.0.0
and 11.0.0.0, and mark the outside interface as a passive interface.
LAB 14: Telnet and SSH Configuration on ASA Appliance through ASDM
Step 1: Click Configuration > Device Management > Management Access > ASDM/HTTP/HTTPS/SSH/Telnet.
Press Add.
Step2: Click on Telnet and enter the IP address 10.0.0.10, which is connected to the inside interface of the firewall. The firewall can then only be accessed from the 10.0.0.10 IP. Press Ok.
Step3: The firewall is now configured for Telnet, as highlighted in the window below.
Step4: For SSH configuration, select the inside interface and then click on SSH. Enter the IP address of the client that initiates SSH to the security appliance.
Step5: For SSH you need to configure the domain name and hostname of the firewall: Configuration>Device Setup>Device Name/Password.
Step6: Generate the RSA key: Configuration>Device Management>Certificate Management>Identity Certificates.
Step7: Click on Add to add a new identity certificate, and then click on New.
Step8: Press Generate Now to generate the RSA key for SSH.
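The CLI equivalent of the Lab 14 management-access steps on CTTCA, added here as an example and not taken from the manual. It assumes the domain name cttc.net.pk, a local administrator account, and the management host 10.0.0.10 on the inside interface as in Step 2; passwords are placeholders.

```text
! Added example, not from the lab manual. Assumptions: domain cttc.net.pk,
! local user "admin", management host 10.0.0.10 on inside.
CTTCA(config)# hostname CTTCA
CTTCA(config)# domain-name cttc.net.pk
! Steps 2-3: Telnet from one host only, on inside. Telnet is cleartext and
! the ASA refuses it on its lowest-security (outside) interface anyway.
CTTCA(config)# passwd LOGIN_PASSWORD_PLACEHOLDER
CTTCA(config)# telnet 10.0.0.10 255.255.255.255 inside
CTTCA(config)# telnet timeout 5
! Steps 4-8: SSH from the same host; the RSA key pair is generated under
! the hostname and domain name configured above (Step 5 requirement)
CTTCA(config)# crypto key generate rsa modulus 2048
CTTCA(config)# ssh 10.0.0.10 255.255.255.255 inside
CTTCA(config)# ssh version 2
CTTCA(config)# ssh timeout 5
! SSH logins check the local user database instead of the shared password
CTTCA(config)# username admin password ADMIN_PASSWORD_PLACEHOLDER privilege 15
CTTCA(config)# aaa authentication ssh console LOCAL
CTTCA(config)# write memory
! Verification: key present, allowed hosts, and active sessions
CTTCA# show crypto key mypubkey rsa
CTTCA# show running-config ssh
CTTCA# show ssh
```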
LAB15: Configuring ASA for Software Image and Licensing
Step1: To configure the boot sequence of the ASA image and also to define the ASDM image, navigate to Configuration>Device Management>System Image/Configuration>Boot Image/Configuration. Press Add.
Step2: To select the image in flash, click on Browse Flash.
Step3: Select the appropriate image and then press Ok.
Step4: The software image has been added. To define the ASDM image file path, press Browse Flash.
Step5: Select the appropriate ASDM image file in the window below. Press Ok.
Step6: Press Apply to push the configuration to the ASA appliance.
Step7: To upgrade the license, we need to change the activation key: Configuration>Device Management>Activation Key.
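The CLI equivalent of Lab 15, added here as an example and not taken from the manual. The image file names and the activation key are placeholders; the real file names come from the flash listing, which is what Browse Flash shows in ASDM.

```text
! Added example, not from the lab manual. Placeholders: image file names
! and the activation key (take the real names from "dir disk0:").
CTTCA# dir disk0:
CTTCA# configure terminal
! Steps 1-4: boot order; the first listed image that exists in flash loads
CTTCA(config)# boot system disk0:/ASA_IMAGE_FILENAME.bin
! Step 5: the ASDM image the appliance serves to the ASDM launcher
CTTCA(config)# asdm image disk0:/ASDM_IMAGE_FILENAME.bin
! Step 7: licence upgrade. The key is tied to the serial number reported by
! "show version"; some licensed features only change after a reload.
CTTCA(config)# activation-key ACTIVATION_KEY_PLACEHOLDER
CTTCA(config)# write memory
! Verification before any reload: boot variable, ASDM image, licence
CTTCA# show bootvar
CTTCA# show asdm image
CTTCA# show activation-key
CTTCA# show version
```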
LAB16: Monitoring ASA Appliance through ASDM
Step1: To verify the platform, ASA version, ASDM version, device uptime, interface status, CPU and memory utilization, and the latest ASDM syslog messages, go to the Home page of ASDM.
Step2: For monitoring of the routing table, navigate to Monitoring>Routing.
Step3: For interface monitoring, navigate to Monitoring>Interfaces.
Step4: For AAA server monitoring, navigate to Monitoring>Properties>AAA Servers.
Step5: For real-time logging, navigate to Monitoring>Logging>Real-Time Log Viewer.
Step6: Press View to see the real-time logs.
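The CLI equivalents of the ASDM monitoring screens in Lab 16, added here as an example and not taken from the manual. It assumes logging has not yet been enabled on CTTCA, so the logging commands are included before the log is read.

```text
! Added example, not from the lab manual.
! Step 1 (Home page): platform, images, uptime, licence, then CPU and memory
CTTCA# show version
CTTCA# show cpu usage
CTTCA# show memory
! Step 2: routing table (C connected, S static, R RIP)
CTTCA# show route
! Step 3: interface state and addresses, then per-interface counters
CTTCA# show interface ip brief
CTTCA# show interface
! Step 4: AAA server reachability and request statistics
CTTCA# show aaa-server
! Steps 5-6: syslog. Nothing reaches the ASDM viewer or the local buffer
! until logging is enabled and a level is set for each destination.
CTTCA# configure terminal
CTTCA(config)# logging enable
CTTCA(config)# logging buffered informational
CTTCA(config)# logging asdm informational
CTTCA(config)# exit
! Buffered messages, most recent last
CTTCA# show logging
```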