A Cisco ASA firewall sits as a barrier between the LAN and WAN (the trusted and untrusted networks); we place the firewall in the forwarding path of the network so that every packet has to be checked by it. The Cisco ASA offers several ways to connect to and manage it: an administrative user can access the ASA using Telnet, Secure Shell (SSH), and ASDM.
Cisco ASA supports in-band management and out-of-band management.
In-band management: the ASA is managed over the same data network that carries regular user traffic, using protocols such as Telnet, SSH, or HTTPS on the same interfaces that forward user traffic. In-band management therefore shares its transit path with user traffic (data plane + management plane).
This kind of topology has advantages and disadvantages. It is easy to configure because it uses the existing network infrastructure and needs no separate dedicated management interface. The disadvantages are the security risk of management traffic sharing a path with user traffic, dependence on data-network availability, and shared resources.
Out-of-band management
For out-of-band management the Cisco ASA offers a dedicated management interface separate from the regular data interfaces. The administrator uses the dedicated physical management port on the ASA to access the device, and this interface is used only for management purposes. Out-of-band management isolates management traffic from normal data traffic. Both the console port and the physical management port are out-of-band management paths.
Let's see the configuration of all the methods to access the ASA firewall:
- in the first lab, we are going to configure Telnet
- in the second lab, we are going to configure Secure Shell (SSH)
- in the third lab, we are going to configure a dedicated management interface
- in the fourth lab, we are going to configure ASDM
First lab topology:-
- configure the topology as per the diagram
- configure the IP addresses as per the topology
- configure the zone inside and outside
- enable Telnet, because by default Telnet is disabled on the ASA
- configure router-1 to act as a PC for verification
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.10 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/50 ms
ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 12.12.12.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# telnet 192.168.1.0 255.255.255.0 inside
R1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
ciscoasa> enable
Password:
ciscoasa# show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 192.168.1.1 YES manual up up
GigabitEthernet1 12.12.12.1 YES manual up up
GigabitEthernet2 unassigned YES unset administratively down up
GigabitEthernet3 unassigned YES unset administratively down up
ciscoasa#
ciscoasa# exit
Logoff
[Connection to 192.168.1.1 closed by foreign host]
R1#
In the second lab, we are going to configure Secure Shell (SSH).
Topology:-
- configure the topology as per the diagram
- configure the IP addresses as per the topology
- configure the zone inside and outside
- configure AAA authentication against the LOCAL user database
- configure Secure Shell (an RSA key pair must be generated first; the lab uses a 1024-bit modulus, while 2048 bits or larger is the current recommendation)
- configure a username and password
- configure router-1 to act as a PC for verification
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.10 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# ip address 12.12.12.1 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 192.168.1.1 YES manual up up
GigabitEthernet1 12.12.12.1 YES manual up up
ciscoasa(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# ssh version 2
ciscoasa(config)# username admin password <admin-password> privilege 15
ciscoasa(config)# show run user
username admin password eY/fQXw7Ure8Qrz7 encrypted
R-1-acting-PC-#ssh -l admin 192.168.1.1
Password:
ciscoasa>
ciscoasa> enable
Password:
ciscoasa# show run user
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
ciscoasa# show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 192.168.1.1 YES manual up up
GigabitEthernet1 12.12.12.1 YES manual up up
Logoff
[Connection to 192.168.1.1 closed by foreign host]
R-1-acting-PC-#
In the third lab, we are going to configure a dedicated management interface.
Topology:-
- configure the topology as per the diagram
- configure the IP addresses as per the topology
- configure the zone inside and outside
- configure the IP address on the dedicated management interface for management traffic
- configure the IP address on the normal fastethernet 0/0 interface for normal data traffic
- configure Telnet for access to the ASA firewall
ciscoasa(config)# telnet 192.168.1.0 255.255.255.0 inside
R1#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
User Access Verification
Password:
ciscoasa> enable
Password:
ciscoasa# show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset administratively down up
GigabitEthernet0/1 unassigned YES unset administratively down down
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down
GigabitEthernet0/6 unassigned YES unset administratively down down
Management0/0 192.168.1.1 YES manual up up
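The three labs above each open a management path (Telnet, SSH, and a dedicated Management interface). As an added example that is not part of the original post, the Python script below audits such a list of ASA commands for the weak management-plane settings a defender would want flagged: cleartext Telnet, SSH reachable from the outside or from any address, a missing `ssh version 2` or AAA line, an RSA modulus below 2048 bits, and a Management interface not restricted with `management-only`. The command transcript and the 10.0.0.1 management address are constructed for the example.

```python
import re
from ipaddress import ip_network

# Constructed sample: the ASA commands typed in the labs above, with a
# Management0/0 interface added for the third lab (10.0.0.1 is assumed).
SAMPLE_COMMANDS = """\
interface GigabitEthernet0
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Management0/0
 nameif management
 ip address 10.0.0.1 255.255.255.0
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
"""

def audit_asa_management(commands: str) -> list[str]:
    """Return findings about the management-plane settings in the command list."""
    findings, interfaces, current = [], {}, None
    for line in commands.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
    # Telnet is cleartext, so every permitted source network is a finding.
    for m in re.finditer(r"^telnet (\S+) (\S+) (\S+)$", commands, re.M):
        findings.append(f"telnet (cleartext) allowed from {m[1]} {m[2]} on {m[3]}")
    # SSH must not be reachable from the untrusted side or from any address.
    for m in re.finditer(r"^ssh (\S+) (\S+) (\S+)$", commands, re.M):
        net = ip_network(f"{m[1]}/{m[2]}", strict=False)
        if m[3] == "outside" or net.prefixlen == 0:
            findings.append(f"ssh exposed to {net} on {m[3]}")
    if not re.search(r"^ssh version 2$", commands, re.M):
        findings.append("ssh version 2 not enforced")
    if not re.search(r"^aaa authentication ssh console \S+$", commands, re.M):
        findings.append("no aaa authentication for ssh")
    for m in re.finditer(r"^crypto key generate rsa modulus (\d+)$", commands, re.M):
        if int(m[1]) < 2048:
            findings.append(f"rsa modulus {m[1]} below 2048")
    # Out-of-band: a Management interface should carry management traffic only.
    for name, cfg in interfaces.items():
        if name.lower().startswith("management") and "management-only" not in cfg:
            findings.append(f"{name} lacks management-only")
    return findings
```

Running `audit_asa_management(SAMPLE_COMMANDS)` reports the Telnet line, the 1024-bit key and the unrestricted Management0/0 interface; removing Telnet, regenerating a 2048-bit key and adding `management-only` clears all three.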
In the fourth lab, we are going to configure ASDM.
Topology:-
- configure the topology as per the diagram
- configure the IP addresses as per the topology
- configure the zone inside and outside
- configure the IP address of the VMware network adapter on PC-1
- configure SSH on the Cisco ASA
- configure ASDM and access the ASA through its GUI
Ethernet adapter VMware Network Adapter VMnet9:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::7827:ff4c:a645:b047%19
IPv4 Address. . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\Dell>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=7ms TTL=255
Reply from 192.168.1.1: bytes=32 time=3ms TTL=255
Reply from 192.168.1.1: bytes=32 time=2ms TTL=255
Reply from 192.168.1.1: bytes=32 time=3ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 7ms, Average = 3ms
(configure the IP address on the Management 0/0 interface)