Cisco ASA basic Theory with configuration

Cisco's ASA Firewall is a stateful firewall that maintains a connection table (conn) about user information, by default the ASA provides stateful connections to TCP and UDP traffic, and is non-stateful to the ICMP protocol.

The message traversal process for Cisco ASA is as follows:

A new TCP message view to establish the connection

1. The ASA checks if the ACL is allowed to connect

2. ASA performs a routing query if there is a route then the ASA creates an Conn entry

3, the ASA detects a predefined set of rules in the detection engine, determines whether to forward according to the detection engine detection results

4, the ASA receives the return message to carry on the Conn table comparison to whether has the item to have to allow not to discard

If a port from a low security level is to access a high-security port, the packet arrives at the firewall to check that the ACL and the Conn table match one of the entries can be forwarded!

ASA access Rule

Ports with high security levels allow access to ports with low security levels

Ports with low security level do not allow access to high-security ports

Two ports have the same security level and can not access each other

Here are some basic configurations of the ASA through experiments

Experimental topology

Software version GNS3 0.8.6 ASA image is ASA8.0 (2)

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M00/76/D4/wKioL1ZdUFXwZkkUAAAp6QdKJQk086.png "title=" nm44w) 7377i6u5dydk%33yi.png "alt=" Wkiol1zdufxwzkkuaaap6qdkjqk086.png "/>

Experimental requirements

Allow R1 loopback to communicate with R2

Allow R1 and R2 to telnet to each other

Allow R1 telnet to the ASA

Allows R2 to SSH remote management of the ASA

Address planning

R1 Loopback 0 IP:192.168.10.1/24 (analog intranet network segment)

R1 f0/0 ip:11.0.0.2/24

R2 Loopback 0 IP:12.0.0.2/24

R2 Loopback 0 IP:202.106.1.1/24

ASA1 e0/0 ip:11.0.0.1/24

ASA1 E0/1 ip:12.0.0.1/24

R1 configuration:

Some simple configurations don't explain here.

R1#conf T

R1 (config) #int f0/0

R1 (config-if) #ip add 11.0.0.2 255.255.255.0

R1 (config-if) #no shut

R1 (config-if) #int Loo 0

R1 (config-if) #ip add 192.168.10.1 255.255.255.0

R1 (config-if) #no shut

R1 (config-if) #exit

R1 (config) #ip Route 0.0.0.0 0.0.0.0 11.0.0.1

R1 (config) #line vty 0 4

R1 (config-line) #password abc123

R1 (Config-line) #login

R1 (Config-line) #exit

R1 (config) #enable password abc123

R2 configuration:

R2#conf T

R2 (config) #int f0/0

R2 (config-if) #ip add 12.0.0.2 255.255.255.0

R2 (config-if) #no shut

R2 (config-if) #int Loo 0

R2 (config-if) #ip add 202.106.1.1 255.255.255.0

R2 (config-if) #no shut

R2 (config) #ip Route 0.0.0.0 0.0.0.0 12.0.0.1

R2 (config) #line vty 0 4

R2 (Config-line) #pas

R2 (config-line) #password abc123

R2 (Config-line) #login

R2 (Config-line) #exit

R2 (config) #enable password abc123

ASA1 configuration:

Using the "/mnt/disk0/lina_monitor" command in the Cisco emulator to convert Linux mode to Cisco command line

Ciscoasa> Enable

Password: //No password to enter directly on the line

ciscoasa# conf t

Ciscoasa (config) # hostname ASA1 //Change device name

ASA1 (config) # int e0/0

ASA1 (config-if) # Nameif inside //interface on Cisco devices to have a logical name (name can be arbitrarily defined) otherwise the IP address does not take effect, the default outside port security level is 100, all other interfaces are 0. Security level can be defined by "security-level"

Info:security level for ' inside ' set to ' default '.

ASA1 (config-if) # IP Add 11.0.0.1 255.255.255.0

ASA1 (config-if) # no shut

ASA1 (config-if) # int E0/1

ASA1 (config-if) # Nameif outside

Info:security level for ' outside ' set to 0 by default.

ASA1 (config-if) # IP Add 12.0.0.1 255.255.255.0

ASA1 (config-if) # no shut

Viewing interface information usingshow interface IP Brief

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/76/D5/wKiom1ZdVLexkfYMAABfsUESYmc890.png "title=" a2b6_ D3i2cywmgelklnaivx.png "alt=" Wkiom1zdvlexkfymaabfsuesymc890.png "/>

To view the route table of the ASA usingshow Route

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M01/76/D5/wKiom1ZdVSKzEJEVAAB1ooyXmoE507.png "title=" 3V ' VS) [441T ' 6n_%8kwc38l.png "alt=" Wkiom1zdvskzejevaab1ooyxmoe507.png "/>

Firewalls currently only have direct-attached two segment routes and do not have routing information for R1 and R2 ring back ports

adding static routes

ASA1 (config) # route outside 202.106.1.0 255.255.255.0 12.0.0.2

ASA1 (config) # route inside 192.168.10.0 255.255.255.0 11.0.0.2

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M01/76/D4/wKioL1ZdVlrTGFRnAACKWHxX6oo270.png "title=" f5u{ Pro7jto@n%8g]sln995.png "alt=" Wkiol1zdvlrtgfrnaackwhxx6oo270.png "/>

Can you use R1 to Telnet R2 success?

It was obviously a success.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/76/D6/wKioL1Zdbbey4KijAAAnS5RmOws810.png "title=" I ' j%8i G8a~xc}lvys ' 4[9$d.png "alt=" Wkiol1zdbbey4kijaaans5rmows810.png "/>

Use "Show conn Detail" To view the ASA's Conn table

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/76/D6/wKioL1ZdbkuBw5FjAACeO7CjhBE617.png "title=" M48gxexulz]wwy7$[j@fw{n.png "alt=" Wkiol1zdbkubw5fjaaceo7cjhbe617.png "/> You can see a TCP connection from the diagram, Is inside 11.0.0.2 access to outside's 202.106.1.1 23-Port connection

Use R1 to ping R2 can ping pass?

Apparently there's no ping-through.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/76/D7/wKiom1ZdbsjyNk0TAAA6s4k2GYE082.png "title=" {F_WTR }ynab034nird (f46w.png "alt=" Wkiom1zdbsjynk0taaa6s4k2gye082.png "/>

Because the ASA firewall for Cisco only records connections to TCP and UDP protocols, the ICMP is not logged connected so the packet returns when the view ACL and the Conn table are not found corresponding entries are discarded directly.

Using ACLs to allow ICMP protocol

ASA1 (config) # access-list permit ICMP 202.106.1.0 255.255.255.0 192.168.10.0 255.255.255.0

The above mentioned that the port security level is high can access port security level is low, so only return back. Defines an 202.106.1.0 network segment that allows ICMP traffic to access the 192.168.10.0 segment

ASA1 (config) # Access-group in interface outside//apply the list to the in direction of the outside interface

Test

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/76/D6/wKioL1ZdcQLx1wdxAABHse2Tf1Q504.png "title=" Z ' 9PAV1) V3 ' c66cluqw}jox.png "alt=" Wkiol1zdcqlx1wdxaabhse2tf1q504.png "/>

Let's consider a question, now R2 telnet R1 can succeed?

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/76/D6/wKioL1ZdcWiScvGxAAAiyk-l7lU705.png "title=" Q1S1PP6PR ' JGA9 ' nzxi0z6t.png "alt=" Wkiol1zdcwiscvgxaaaiyk-l7lu705.png "/>

Apparently, it was rejected.

According to the experience, it is clear that there are no entries in the ASA's Conn table and ACLs that match this request

Defining ACLS

ASA1 (config) # access-list permit tcp 202.106.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 23

Allow the 202.106.1.0 network segment to access Port 23 of the 192.168.10.0 segment, since the previous 110 list has been applied to the interface and is not applied again here.

Test

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M00/76/D7/wKiom1ZdcuPTE8t0AAAomzHYJoQ302.png "title=" c4{ s61@7m@3q0o ' {' D ((u~u.png "alt=" Wkiom1zdcupte8t0aaaomzhyjoq302.png "/>

Configure the Telnet capability of the ASA

ASA1 (config) # enable password abc123 //Configure privileged mode password

ASA1 (config) # passwd abc123 //configure Telnet password

ASA1 (config) # telnet 192.168.10.0 255.255.255.0 inside //configuration allows 192.168.10.0 network segment telnet, the least secure port on the Cisco firewall is not allowed to use Telnet access.

Test

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/76/D7/wKioL1ZddGPRSWIrAAAxT6RCHMg764.png "title=" Paim)% Jk7f7rmw8c77gzwvb.png "alt=" Wkiol1zddgprswiraaaxt6rchmg764.png "/>

Configure Telnet login with user name and password

ASA1 (config) # username Test password abc123 //Create a user

ASA1 (config) # AAA authentication Telnet console local //configure Telnet login for native authentication, where local is case sensitive

Test

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/76/D8/wKiom1ZddMPxdC7aAAA3PFPojfs216.png "title=" H_p "[ PD3MS$YLG0%WV (eh5w.png "alt=" Wkiom1zddmpxdc7aaaa3pfpojfs216.png "/>

Manage your device using SSH original

Cisco firewall only allows the lowest port security level to use SSH original management device

The SSH configuration is as follows:

ASA1 (config) # Crypto key generate RSA modulus 1024x768 //Generate an RSA key, key length 1024bit

ASA1 (config) # SSH version 2 //using version 2

ASA1 (config) # ssh 12.0.0.2 255.255.255.255 outside //Allow 12.0.0.2 this address from the outside port using SSH for remote access

Test

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/76/D7/wKioL1ZddpbDI0b_AAAehca2etM448.png "title=" _ ZQBP9DL~4XKTP (9Z_QJV@N.png "alt=" Wkiol1zddpbdi0b_aaaehca2etm448.png "/>

-L: Logged in User name

Cisco firewall default SSH login user name is pix, password is telnet password. Using the PIX is not secure and can be logged on with local user name authentication so that the PIX cannot log on.

SSH login with a local user name

ASA1 (config) # AAA authentication SSH Console LOCAL

Test

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/76/D8/wKiom1ZddvXxeHQ5AAAaL821__U555.png "title=" W}_]GC %eek0zfyd[c45$~dw.png "alt=" Wkiom1zddvxxehq5aaaal821__u555.png "/>

Login successful

Supplemental command:

Write memory //Save configuration

Clear Configure All//Clears all current configurations

Clear Configure Access-list //Clear All Access control lists

Write erase //delete startup-config configuration file

This article is from the "Sunj" blog, make sure to keep this source http://sunjie123.blog.51cto.com/1263687/1718606

Cisco ASA basic Theory with configuration