Saturday, May 21, 2011

Basic ASA Configuration



Configure ASA hostname
   ASA# config t
   ASA(config)# hostname TestASA

Configure enable password
   TestASA(config)# enable password THISISPASSWORDTEXT
   !- stored in the running-config as a hash ("encrypted"), not as the cleartext you typed

Configure the domain name
   TestASA(config)# domain-name MyTest.com

Configure the ASDM image on the ASA and enable access to ASDM
   TestASA(config)# asdm image disk0:/asdm-524.bin
   TestASA(config)# http server enable

Configure the interfaces
   TestASA# config t
   TestASA(config)# interface Vlan1
   TestASA(config-if)# nameif inside
   TestASA(config-if)# security-level 100
   TestASA(config-if)# ip address 192.168.2.1 255.255.255.0
   TestASA(config-if)# no shutdown
   TestASA(config-if)# exit
   TestASA(config)# interface Vlan2
   TestASA(config-if)# nameif outside
   TestASA(config-if)# security-level 0
   TestASA(config-if)# ip address 192.168.1.254 255.255.255.0
   TestASA(config-if)# no shutdown
   TestASA(config-if)# exit

Assign physical interface Ethernet0/0 to VLAN2 (the outside interface)
   TestASA(config)# interface ethernet 0/0
   TestASA(config-if)# switchport access vlan 2

The rest of the physical interfaces are assigned to VLAN1 (inside) by default.

Configure access to the ASA device (for SSH please read the linked post)
   TestASA(config)# username USER_1 password PASSWORD_1 privilege 15
   TestASA(config)# username USER_2 password PASSWORD_2 privilege 5
   TestASA(config)# aaa authentication ssh console LOCAL
   TestASA(config)# aaa authentication telnet console LOCAL
   TestASA(config)# aaa authentication http console LOCAL
   !- without these aaa lines the management logins use the ASA's default login instead of the local user accounts
   TestASA(config)# crypto key generate rsa modulus 1024
   !- generates the RSA key pair required for SSH; 1024 is the default, use "modulus 2048" where the software supports it
   TestASA(config)# ssh 192.168.2.0 255.255.255.0 inside
   TestASA(config)# ssh timeout 30
   !- allow PuTTY to connect using SSH, from the inside network only
   TestASA(config)# telnet 192.168.2.0 255.255.255.0 inside
   TestASA(config)# telnet timeout 30
   !- allow PuTTY to connect using Telnet; Telnet sends the login in cleartext, so keep it to the inside
   !- network (the ASA refuses Telnet on its lowest-security interface anyway) and remove it once SSH works
   TestASA(config)# http 192.168.2.0 255.255.255.0 inside
   !- allow users on the inside network to connect using ASDM (HTTPS)
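As an added check (not part of the original post): a small Python script that reads the ssh/telnet/http access lines and the aaa authentication lines out of a saved running-config and flags the weak settings discussed above, namely Telnet being enabled, a management protocol reachable from any address, and a protocol with no aaa authentication line. The sample config is constructed from the commands in this post and is not a capture from a real device; the regexes assume the plain "proto address mask interface" form shown here and do not cover IPv6 or object-based access lines.

```python
import ipaddress
import re

# Constructed sample of the management-access lines as they appear in
# "show running-config", modelled on this post; not a capture from a real ASA.
SAMPLE_CONFIG = """\
hostname TestASA
domain-name MyTest.com
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 30
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 30
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
"""

# "<proto> <address> <mask> <interface>" lines grant management access
ACCESS_RE = re.compile(
    r"^(?P<proto>ssh|telnet|http) (?P<addr>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mask>\d+\.\d+\.\d+\.\d+) (?P<ifname>\S+)$"
)
# "aaa authentication <proto> console <server-tag>" binds logins to LOCAL or a AAA server group
AAA_RE = re.compile(r"^aaa authentication (?P<proto>ssh|telnet|http) console (?P<server>\S+)$")


def parse_access_lines(config):
    """Return (rules, aaa): access rules in config order, and the AAA server tag per protocol."""
    rules, aaa = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            # the ASA writes address + mask; ip_network accepts "addr/mask" directly
            net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
            rules.append((m["proto"], net, m["ifname"]))
            continue
        m = AAA_RE.match(line)
        if m:
            aaa[m["proto"]] = m["server"]
    return rules, aaa


def audit_management_access(config):
    """Return a list of findings; an empty list means the access lines look sane."""
    rules, aaa = parse_access_lines(config)
    findings = []
    for proto, net, ifname in rules:
        if proto == "telnet":
            findings.append(f"telnet allowed from {net} on {ifname}: cleartext login, use ssh instead")
        if net.prefixlen == 0:
            findings.append(f"{proto} allowed from any address on {ifname}: restrict the source network")
    # a protocol that is reachable but has no aaa line falls back to the ASA's default login
    for proto in sorted({r[0] for r in rules} - set(aaa)):
        findings.append(f"{proto} is reachable but has no 'aaa authentication {proto} console' line")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of "show running-config" saved to a file; the sample above produces three findings (Telnet enabled on inside, HTTP open to any address on outside, and no aaa line for Telnet), and a config with only the ssh and http lines from this post produces none.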

Configure clock
   TestASA(config)# clock set hh:mm:ss {month day} year

--------------------------------------------------------------------------------
Good CLI to use:
   # show curpriv
   !- shows the username and privilege level of the current session


Sunday, May 15, 2011

Dynamic NAT configuration on ASA 55XX

Configure using 8.0 ASA
ciscoasa(config)# nat (inside) 1 192.168.2.0 255.255.255.0
ciscoasa(config)# global (outside) 1 10.2.2.1-10.2.2.10 netmask 255.255.255.0

additional note: Running PAT
ciscoasa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa(config)# global (outside) 1 interface

Configure using 8.3 ASA
ciscoasa(config)# object network MyOutsideRangePool
ciscoasa(config-network-object)# range 10.2.2.1 10.2.2.10

ciscoasa(config)# object network MyInsideNetwork
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic MyOutsideRangePool  

Additional example: dynamic NAT for two internal networks
Configure using 8.0 ASA
ciscoasa(config)# nat (inside) 1 192.168.2.0 255.255.255.0
ciscoasa(config)# nat (inside) 2 192.168.3.0 255.255.255.0
ciscoasa(config)# global (outside) 1 10.2.2.1-10.2.2.10 netmask 255.255.255.0
ciscoasa(config)# global (outside) 2 10.2.2.11-10.2.2.20 netmask 255.255.255.0
!- the NAT ID (1 or 2) is what pairs each nat statement with its global pool

Configure using 8.3 ASA
ciscoasa(config)# object network MyOutsideRangePool_1
ciscoasa(config-network-object)# range 10.2.2.1 10.2.2.10
ciscoasa(config)# object network MyOutsideRangePool_2
ciscoasa(config-network-object)# range 10.2.2.11 10.2.2.20
!- define both pool objects first: a nat statement can only reference an object that already exists

ciscoasa(config)# object network MyInsideNetwork_1
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic MyOutsideRangePool_1
ciscoasa(config)# object network MyInsideNetwork_2
ciscoasa(config-network-object)# subnet 192.168.3.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic MyOutsideRangePool_2
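As an added example (not part of the original post): a Python converter that turns the pre-8.3 nat/global pairs shown above into 8.3 object NAT. It makes the two points of this post explicit in code: the NAT ID is what pairs a nat statement with its global pool, and the mapped-address object has to be emitted before the object NAT line that references it. The input is constructed from the examples on this page plus one extra "dmz" interface with a "global ... interface" PAT entry to show the interface case; the object names are made up by the script, and a NAT ID with several global statements (PAT fallback) is reported as unsupported rather than guessed at.

```python
import re

# Constructed 8.0-style input modelled on this post; the dmz line is an added
# case to show how a "global (outside) N interface" PAT entry converts.
LEGACY_CONFIG = """\
nat (inside) 1 192.168.2.0 255.255.255.0
nat (inside) 2 192.168.3.0 255.255.255.0
global (outside) 1 10.2.2.1-10.2.2.10 netmask 255.255.255.0
global (outside) 2 10.2.2.11-10.2.2.20 netmask 255.255.255.0
nat (dmz) 3 0.0.0.0 0.0.0.0
global (outside) 3 interface
"""

NAT_RE = re.compile(r"^nat \((?P<ifname>[^)]+)\) (?P<id>\d+) (?P<addr>\S+) (?P<mask>\S+)$")
GLOBAL_RE = re.compile(r"^global \((?P<ifname>[^)]+)\) (?P<id>\d+) (?P<pool>\S+)(?: netmask \S+)?$")


def parse_legacy_nat(config):
    """Return nat statements in config order and global statements keyed by NAT ID."""
    nats, globals_ = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            nats.append(m.groupdict())
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.setdefault(m["id"], []).append(m.groupdict())
    return nats, globals_


def pool_object(name, pool):
    """Render the mapped-address object: a range pool becomes "range", a single IP "host"."""
    if "-" in pool:
        first, last = pool.split("-", 1)
        return [f"object network {name}", f" range {first} {last}"]
    return [f"object network {name}", f" host {pool}"]


def convert_to_object_nat(config):
    """Emit 8.3 object NAT lines; pool objects always precede the nat line that uses them."""
    nats, globals_ = parse_legacy_nat(config)
    lines, emitted_pools = [], set()
    for nat in nats:
        pools = globals_.get(nat["id"])
        if not pools:
            raise ValueError(f"nat ({nat['ifname']}) {nat['id']} has no matching global statement")
        if len(pools) != 1:
            raise ValueError(f"NAT ID {nat['id']} has several global statements; not handled here")
        g = pools[0]
        if g["pool"] == "interface":
            mapped = "interface"  # PAT on the mapped interface address
        else:
            mapped = f"NAT{nat['id']}_{g['ifname']}_pool"  # hypothetical naming scheme
            if mapped not in emitted_pools:
                lines += pool_object(mapped, g["pool"])
                emitted_pools.add(mapped)
        real = f"NAT{nat['id']}_{nat['ifname']}_{nat['addr'].replace('.', '_')}"
        lines += [
            f"object network {real}",
            f" subnet {nat['addr']} {nat['mask']}",
            f" nat ({nat['ifname']},{g['ifname']}) dynamic {mapped}",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(convert_to_object_nat(LEGACY_CONFIG)))
```

Paste the output into config mode in order; because each pool object is printed before the nat line that names it, the ASA accepts the lines as-is, which is exactly the ordering mistake the hand-written example above is prone to.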