Thursday 27 June 2024

Cisco ASA access management with ASDM, SSH, telnet and dedicated management interface.

 

A Cisco ASA firewall is a barrier between LAN and WAN networks (trusted and untrusted networks). We place the firewall in the forwarding path of the network so that every packet has to be checked by it. The Cisco ASA offers several ways to connect to and interact with it: an administrative user can access the ASA using Telnet, Secure Shell (SSH), and ASDM.




Cisco ASA supports in-band management and out-of-band management.

With in-band management the ASA is managed over the same data network that carries regular user traffic: Telnet, SSH, or HTTPS run over the same network interfaces that handle user traffic, so management traffic uses the same transit path as user traffic (the management plane shares the data plane).




In the topology you can see data plane traffic (normal traffic) and management plane traffic (Telnet, SSH, and ASDM) using the same transit path. It can be any interface: Fast Ethernet, Gigabit Ethernet, a serial interface, or a loopback, but not the dedicated management interface.

This kind of topology has advantages and disadvantages. It is easy to configure because it reuses the existing network infrastructure, and no separate dedicated management interface is needed. The disadvantages are the security risk of exposing the management plane on the user network, dependence on the availability of that network, and shared resources.


Out-of-band management

For out-of-band management the Cisco ASA offers a dedicated management interface that is separate from the regular data interfaces. The administrator uses the dedicated physical management port on the ASA to access the device, and this interface is used only for management purposes.





Out-of-band management isolates management traffic from normal data traffic. Both the console port and the physical management port are out-of-band management paths.


Let's see the configuration of all the methods to access the ASA firewall:

  1. In the first lab, we are going to configure Telnet.
  2. In the second lab, we are going to configure Secure Shell (SSH).
  3. In the third lab, we are going to configure a dedicated management interface.
  4. In the fourth lab, we are going to configure ASDM.


First lab topology:-



  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure the inside and outside zones
  • enable Telnet, because Telnet is disabled by default on the ASA
  • configure router-1 to act as a PC for verification

  

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.10 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# security 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/50 ms


ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# security 0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 12.12.12.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# username admin password admin
ciscoasa(config)# telnet 192.168.1.0 255.255.255.0 inside

R1#telnet 192.168.1.1 /source-interface fastEthernet 0/0
Trying 192.168.1.1 ... Open

User Access Verification
Password:

ciscoasa> enable
Password:

ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           12.12.12.1      YES manual up                    up
GigabitEthernet2           unassigned      YES unset  administratively down up
GigabitEthernet3           unassigned      YES unset  administratively down up
ciscoasa#
ciscoasa# exit
Logoff

[Connection to 192.168.1.1 closed by foreign host]
R1#
R1#




In the second lab, we are going to configure Secure Shell (SSH).


Topology:-



  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure the inside and outside zones
  • configure AAA authentication against the LOCAL user database
  • configure Secure Shell
  • configure the username and password
  • configure router-1 to act as a PC for verification


R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.10 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# ip address 12.12.12.1 255.255.255.0
ciscoasa(config-if)# security 0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit


ciscoasa(config)# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           12.12.12.1      YES manual up                    up


ciscoasa(config)# username admin password admin

ciscoasa(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...


ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# ssh version 2

ciscoasa(config)# show run user
username admin password eY/fQXw7Ure8Qrz7 encrypted



R-1-acting-PC-#
R-1-acting-PC-#ssh -l admin 192.168.1.1
Password:

ciscoasa>
ciscoasa> enable
Password:
ciscoasa# show run user
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           12.12.12.1      YES manual up                    up

Logoff

[Connection to 192.168.1.1 closed by foreign host]

R-1-acting-PC-#


In the third lab, we are going to configure a dedicated management interface.


Topology:-





  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure the inside and outside zones
  • configure the IP address on the dedicated management interface for management traffic
  • configure the IP address on the normal FastEthernet 0/0 interface for normal data traffic
  • configure Telnet for access to the ASA firewall

ciscoasa(config)# username admin password admin
ciscoasa(config)# telnet 192.168.1.0 255.255.255.0 inside

R1#telnet 192.168.1.1 /source-interface fastEthernet 0/0
Trying 192.168.1.1 ... Open

User Access Verification
Password:

ciscoasa> enable
Password:

ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  administratively down up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
GigabitEthernet0/6         unassigned      YES unset  administratively down down
Management0/0              192.168.1.1     YES manual up                    up



In the fourth lab, we are going to configure ASDM.


Topology:-




  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure the inside and outside zones
  • configure the IP address on the VMware network adapter of PC-1
  • configure SSH on the Cisco ASA
  • configure ASDM and access the ASA through its GUI



C:\Users\Dell>ipconfig
Ethernet adapter VMware Network Adapter VMnet9:
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::7827:ff4c:a645:b047%19
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1


C:\Users\Dell>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=7ms TTL=255
Reply from 192.168.1.1: bytes=32 time=3ms TTL=255
Reply from 192.168.1.1: bytes=32 time=2ms TTL=255
Reply from 192.168.1.1: bytes=32 time=3ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 7ms, Average = 3ms


(configure the IP address on the Management0/0 interface)

(enable the HTTP server and configure the username and password)

(now start ASDM)

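All four labs open the management plane from one subnet on one named interface, and the in-band versus out-of-band discussion at the top is about keeping that exposure as small as possible. The script below is an added example for this post, not Cisco tooling or the author's lab configuration: it parses a constructed ASA running configuration modelled on the labs (Telnet, SSH and HTTP/ASDM from 192.168.1.0/24, a separate Management0/0) and flags the settings a reviewer would check, then runs the same audit on a constructed hardened counterpart. The configuration text, the extra `telnet 0.0.0.0 0.0.0.0 outside` line added for the audit to catch, and the finding codes are assumptions of the example; the `management-only` interface command and the `telnet`/`ssh`/`http` access statements are standard ASA syntax.

```python
"""Audit management-plane access in a Cisco ASA running configuration.
Added example for this post (not Cisco's or the author's code). Flags Telnet,
SSH without AAA or version pinning, access from any source or via a
security-level 0 interface, and a Management interface lacking 'management-only'.
"""
import ipaddress
import re

# Constructed sample modelled on the labs (Telnet, SSH, HTTP/ASDM from 192.168.1.0/24
# on inside, separate Management0/0) plus one deliberately weak line to catch.
LAB_CONFIG = """\
interface GigabitEthernet0
 nameif inside
 security-level 100
!
interface GigabitEthernet1
 nameif outside
 security-level 0
!
interface Management0/0
 nameif management
 security-level 100
!
aaa authentication ssh console LOCAL
telnet 192.168.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
http server enable
http 192.168.1.0 255.255.255.0 inside
"""

# Constructed hardened counterpart: no Telnet; SSH and ASDM reachable only from
# the management subnet on a management-only interface (true out-of-band).
HARDENED_CONFIG = """\
interface Management0/0
 nameif management
 security-level 100
 management-only
!
aaa authentication ssh console LOCAL
ssh 10.0.0.0 255.255.255.0 management
ssh version 2
http server enable
http 10.0.0.0 255.255.255.0 management
"""

# telnet|ssh|http <network> <mask> <nameif>
ACCESS_RE = re.compile(r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")

def parse_config(text):
    """Return (interface blocks, management access statements, other top-level lines)."""
    interfaces, access, top, cur = [], [], set(), None
    for line in text.splitlines():
        words = line.split()
        if not words or words == ["!"]:
            cur = None                        # blank line or '!' closes an interface block
        elif words[0] == "interface":
            cur = {"name": words[1], "nameif": None, "security_level": None, "management_only": False}
            interfaces.append(cur)
        elif line.startswith(" ") and cur is not None:   # interface sub-command
            if words[0] == "nameif":
                cur["nameif"] = words[1]
            elif words[0] == "security-level":
                cur["security_level"] = int(words[1])
            elif words[0] == "management-only":
                cur["management_only"] = True
        elif (m := ACCESS_RE.match(line.rstrip())):
            proto, ip, mask, nameif = m.groups()
            access.append((proto, ipaddress.IPv4Network((ip, mask)), nameif))
        else:
            cur = None
            top.add(line.strip())
    return interfaces, access, top

def audit(text):
    """Return a list of (severity, code, detail) findings for the management plane."""
    interfaces, access, top = parse_config(text)
    by_nameif = {i["nameif"]: i for i in interfaces if i["nameif"]}
    f = []
    for proto, net, nameif in access:
        where = f"{proto} from {net} on {nameif}"
        if proto == "telnet":
            f.append(("HIGH", "TELNET_ENABLED", where + ": cleartext; use SSH or ASDM over HTTPS"))
        if net.prefixlen == 0:
            f.append(("HIGH", "ANY_SOURCE", where + ": any host can reach the management plane"))
        elif net.prefixlen < 24:
            f.append(("MEDIUM", "BROAD_SOURCE", where + ": restrict to the admin subnet or host"))
        if by_nameif.get(nameif, {}).get("security_level") == 0:
            f.append(("HIGH", "UNTRUSTED_INTERFACE", where + ": security-level 0 interface"))
    if any(p == "ssh" for p, _, _ in access):
        if not any(t.startswith("aaa authentication ssh console") for t in top):
            f.append(("HIGH", "SSH_NO_AAA", "ssh without 'aaa authentication ssh console': no per-user login"))
        if "ssh version 2" not in top:
            f.append(("MEDIUM", "SSH_VERSION", "'ssh version 2' not set; pin SSH to version 2"))
    for i in interfaces:
        if i["name"].startswith("Management") and not i["management_only"]:
            f.append(("MEDIUM", "MGMT_NOT_MGMT_ONLY", i["name"] + " lacks 'management-only' and can forward transit traffic"))
    return f

def finding_codes(text):
    """Distinct finding codes, sorted, for quick comparison between configurations."""
    return sorted({code for _, code, _ in audit(text)})

if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Run it against the output of `show running-config` saved to a file by passing the file's text to `audit()`. On the lab-style configuration it reports both Telnet statements, the any-source rule, the exposure on the security-level 0 interface and the Management0/0 interface that is not `management-only`; the hardened configuration produces no findings, which is the state the out-of-band section above describes.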
If you like this blog, please visit our YouTube channel https://www.youtube.com/@internetworkss . If you have any issues with these labs, please let me know. I think ASDM might be complicated for many of us, because pictures can be confusing and steps can be missing; let me know and I will make a video and upload it to our YouTube channel.
