Cisco ASA basic Theory with configuration

Source: Internet
Author: User
Tags: stateful firewall

Cisco's ASA is a stateful firewall: it maintains a connection table (the conn table) that records each session it has allowed. By default the ASA tracks TCP and UDP connections statefully, but it does not track ICMP.


The packet traversal process on a Cisco ASA is as follows, for a new TCP packet arriving to establish a connection:

1. The ASA checks whether the ACL permits the connection.

2. The ASA performs a route lookup; if a route exists, the ASA creates a conn entry.

3. The ASA runs the packet through the predefined rule set of its inspection engine and decides whether to forward it based on the inspection result.

4. When the return packet arrives, the ASA looks it up in the conn table: if a matching entry exists the packet is allowed, otherwise it is dropped.



If a host on a low-security interface wants to reach a high-security interface, the packet arriving at the firewall is checked against the ACL and the conn table; only if it matches an entry in one of them can it be forwarded.



ASA access rules

Traffic from an interface with a higher security level may reach an interface with a lower security level.

Traffic from an interface with a lower security level may not reach an interface with a higher security level.

Two interfaces with the same security level cannot reach each other.



Here are some basic configurations of the ASA, shown through a lab.

Lab topology

Software: GNS3 0.8.6; ASA image: ASA 8.0(2)




Lab requirements

Allow the R1 loopback to communicate with R2

Allow R1 and R2 to telnet to each other

Allow R1 to telnet to the ASA

Allow R2 to manage the ASA remotely over SSH



Address plan

R1 loopback 0 IP: 192.168.10.1/24 (simulates the intranet segment)

R1 f0/0 IP: 11.0.0.2/24

R2 f0/0 IP: 12.0.0.2/24

R2 loopback 0 IP: 202.106.1.1/24

ASA1 e0/0 IP: 11.0.0.1/24

ASA1 e0/1 IP: 12.0.0.1/24


R1 configuration:

The simple parts of this configuration are not explained here.

R1#conf t
R1(config)#int f0/0
R1(config-if)#ip add 11.0.0.2 255.255.255.0
R1(config-if)#no shut
R1(config-if)#int loopback 0
R1(config-if)#ip add 192.168.10.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 11.0.0.1
R1(config)#line vty 0 4
R1(config-line)#password abc123
R1(config-line)#login
R1(config-line)#exit
R1(config)#enable password abc123


R2 configuration:

R2#conf t
R2(config)#int f0/0
R2(config-if)#ip add 12.0.0.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#int loopback 0
R2(config-if)#ip add 202.106.1.1 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 12.0.0.1
R2(config)#line vty 0 4
R2(config-line)#password abc123
R2(config-line)#login
R2(config-line)#exit
R2(config)#enable password abc123


ASA1 configuration:

In the GNS3 emulator, run /mnt/disk0/lina_monitor to switch from the Linux shell to the Cisco command line.

ciscoasa> enable
Password:   //there is no password yet, just press Enter
ciscoasa# conf t
ciscoasa(config)# hostname ASA1   //change the device name
ASA1(config)# int e0/0
ASA1(config-if)# nameif inside   //an ASA interface must have a logical name (the name is arbitrary), otherwise its IP address does not take effect. The interface named "inside" gets security level 100 by default; all other interfaces get 0. The level can be set explicitly with "security-level".
Info: security level for 'inside' set to 'default'.
ASA1(config-if)# ip add 11.0.0.1 255.255.255.0
ASA1(config-if)# no shut
ASA1(config-if)# int e0/1
ASA1(config-if)# nameif outside
Info: security level for 'outside' set to 0 by default.
ASA1(config-if)# ip add 12.0.0.1 255.255.255.0
ASA1(config-if)# no shut


View the interface status with show interface ip brief.

View the ASA's routing table with show route.

The firewall currently has only the two directly connected routes and has no routes to the loopback networks of R1 and R2.


Adding static routes

ASA1(config)# route outside 202.106.1.0 255.255.255.0 12.0.0.2
ASA1(config)# route inside 192.168.10.0 255.255.255.0 11.0.0.2


Can R1 telnet to R2 now?

It succeeds.


Use show conn detail to view the ASA's conn table. The output shows one TCP connection: inside host 11.0.0.2 to port 23 on outside host 202.106.1.1.

Can R1 ping R2?

No, the ping fails.

Because the Cisco ASA by default records connections only for TCP and UDP, the ICMP echo request creates no conn entry. When the echo reply comes back, neither the ACL nor the conn table has a matching entry, so the reply is dropped.


Using an ACL to allow ICMP

ASA1(config)# access-list 110 permit icmp 202.106.1.0 255.255.255.0 192.168.10.0 255.255.255.0

As noted above, a higher-security interface can already reach a lower-security one, so only the return direction needs to be permitted: this entry allows ICMP from the 202.106.1.0 segment to the 192.168.10.0 segment.

ASA1(config)# access-group 110 in interface outside   //apply the list in the inbound direction of the outside interface
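To make the four processing steps and the security-level rules from the start of this post concrete, and to show why the ICMP reply is dropped until the ACL above is bound to the outside interface, here is a small Python model of the forwarding decision. It is an added example, not code from the original post or from Cisco; the class and function names are hypothetical, the addresses are this lab's, and the model is general (any interface, route and ACL set), so it also carries the TCP port 23 entry for the R2-to-R1 telnet case that the post defines next.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 for icmp
    dport: int = 0


@dataclass
class AsaModel:
    """Hypothetical model of the ASA forwarding decision (not Cisco code)."""
    levels: dict                               # nameif -> security level
    routes: list                               # (network, nameif); longest prefix wins
    acls: dict = field(default_factory=dict)   # nameif -> [(proto, src_net, dst_net, dport|None)]
    conn: set = field(default_factory=set)     # conn table: TCP/UDP 5-tuples only

    def route(self, ip):
        addr, best = ip_address(ip), None
        for net, nameif in self.routes:
            n = ip_network(net)
            if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, nameif)
        return best[1] if best else None

    def acl_permits(self, nameif, pkt):
        for proto, src_net, dst_net, dport in self.acls[nameif]:
            if (proto == pkt.proto and ip_address(pkt.src) in ip_network(src_net)
                    and ip_address(pkt.dst) in ip_network(dst_net)
                    and dport in (None, pkt.dport)):
                return True
        return False

    def process(self, pkt):
        """Return (verdict, reason) for one packet."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Step 4: traffic of an existing connection is matched in the conn
        # table and forwarded without another ACL check.
        if key in self.conn or reverse in self.conn:
            return "forward", "conn table hit"
        # Step 2 (done first here because the security-level comparison
        # below needs the egress interface): route lookup.
        ingress, egress = self.route(pkt.src), self.route(pkt.dst)
        if ingress is None or egress is None:
            return "drop", "no route"
        # Step 1: ACL check. With an ACL bound to the ingress interface the
        # packet must match a permit entry; without one, only higher-to-lower
        # security level traffic is allowed (same level is denied).
        if ingress in self.acls:
            if not self.acl_permits(ingress, pkt):
                return "drop", f"denied by ACL on {ingress}"
        elif self.levels[ingress] <= self.levels[egress]:
            return "drop", f"{ingress} to {egress} not allowed without an ACL"
        # Step 3 (inspection) is treated as a pass; a conn entry is then
        # created, but only for the stateful protocols TCP and UDP.
        if pkt.proto in ("tcp", "udp"):
            self.conn.add(key)
        return "forward", "new connection"


def lab():
    """The post's topology: inside 11.0.0.0/24 (level 100), outside 12.0.0.0/24 (level 0)."""
    return AsaModel(
        levels={"inside": 100, "outside": 0},
        routes=[("11.0.0.0/24", "inside"), ("12.0.0.0/24", "outside"),
                ("192.168.10.0/24", "inside"),     # route inside 192.168.10.0 ... 11.0.0.2
                ("202.106.1.0/24", "outside")])    # route outside 202.106.1.0 ... 12.0.0.2

def apply_acl_110(asa):
    """access-list 110 permit icmp / permit tcp ... eq 23, access-group 110 in interface outside."""
    asa.acls["outside"] = [("icmp", "202.106.1.0/24", "192.168.10.0/24", None),
                           ("tcp", "202.106.1.0/24", "192.168.10.0/24", 23)]

def telnet_r1_to_r2(asa):
    """R1 -> R2 telnet: the SYN outbound, then the SYN/ACK back."""
    syn = Packet("tcp", "11.0.0.2", "202.106.1.1", 40000, 23)
    syn_ack = Packet("tcp", "202.106.1.1", "11.0.0.2", 23, 40000)
    return asa.process(syn)[0], asa.process(syn_ack)[0]

def ping_r1_to_r2(asa):
    """R1 loopback -> R2: echo request outbound, echo reply back."""
    echo = Packet("icmp", "192.168.10.1", "202.106.1.1")
    reply = Packet("icmp", "202.106.1.1", "192.168.10.1")
    return asa.process(echo)[0], asa.process(reply)[0]

def telnet_r2_to_r1(asa):
    """R2 -> R1 loopback telnet SYN, arriving on the low-security side."""
    return asa.process(Packet("tcp", "202.106.1.1", "192.168.10.1", 40001, 23))[0]


if __name__ == "__main__":
    asa = lab()
    print("telnet R1->R2:", telnet_r1_to_r2(asa))   # ('forward', 'forward')
    print("ping R1->R2:", ping_r1_to_r2(asa))       # ('forward', 'drop')
    print("telnet R2->R1:", telnet_r2_to_r1(asa))   # 'drop'
    apply_acl_110(asa)
    print("after ACL 110:", ping_r1_to_r2(asa), telnet_r2_to_r1(asa))
```

The model reproduces the post's observations: the telnet SYN/ACK is forwarded on a conn-table hit, the ICMP reply has no conn entry and is dropped by the security-level rule, and once access list 110 is bound to the outside interface that ACL, rather than the interface's security level, decides what enters from outside. The inside interface, which has no ACL, keeps its implicit higher-to-lower permission.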


Test (screenshot omitted)



Now consider a question: can R2 telnet to R1?

It is rejected.

From what we have seen so far the reason is clear: neither the ASA's conn table nor its ACL has an entry that matches this request.


Defining the ACL

ASA1(config)# access-list 110 permit tcp 202.106.1.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 23

This allows the 202.106.1.0 segment to reach port 23 on the 192.168.10.0 segment. Access list 110 was already applied to the interface above, so it does not need to be applied again.


Test (screenshot omitted)



Configuring Telnet access to the ASA

ASA1(config)# enable password abc123   //privileged-mode password
ASA1(config)# passwd abc123   //Telnet password
ASA1(config)# telnet 192.168.10.0 255.255.255.0 inside   //allow the 192.168.10.0 segment to telnet in through the inside interface; the ASA does not allow Telnet access on its lowest-security interface

Test (screenshot omitted)



Configuring Telnet login with a user name and password

ASA1(config)# username Test password abc123   //create a local user
ASA1(config)# aaa authentication telnet console LOCAL   //authenticate Telnet logins against the local user database; LOCAL is case sensitive

Test (screenshot omitted)



Managing the device over SSH

On its lowest-security interface, the Cisco firewall only allows management access over SSH.

The SSH configuration is as follows:

ASA1(config)# crypto key generate rsa modulus 1024   //generate an RSA key pair with a 1024-bit modulus
ASA1(config)# ssh version 2   //use SSH version 2
ASA1(config)# ssh 12.0.0.2 255.255.255.255 outside   //allow the host 12.0.0.2 to reach the ASA over SSH through the outside interface

Test (screenshot omitted)

-l: the user name to log in with (the ssh client's -l option)

The Cisco firewall's default SSH login user name is pix, and its password is the Telnet password (set with passwd). Using the pix account is not secure; once local user-name authentication is enabled, the pix account can no longer log in.



SSH login with a local user name

ASA1(config)# aaa authentication ssh console LOCAL

Test (screenshot omitted)

Login successful
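The Telnet and SSH sections above amount to a short checklist for the ASA's management plane: cleartext Telnet should give way to SSH, SSH should be pinned to version 2, the source hosts should be restricted, and both services should authenticate against local users rather than the shared passwd (which also retires the default pix account). The following Python audit applies that checklist to a running-config fragment. It is an added example, not part of the original post or any Cisco tool; the configuration text is constructed from the commands used in this lab and the function name is hypothetical.

```python
import re

# Constructed sample of this post's management-plane lines, as they stood before
# "ssh version 2" and "aaa authentication ssh console LOCAL" were added.
CONFIG_BEFORE = """\
hostname ASA1
enable password abc123
passwd abc123
username Test password abc123
telnet 192.168.10.0 255.255.255.0 inside
aaa authentication telnet console LOCAL
ssh 12.0.0.2 255.255.255.255 outside
"""

# The same fragment after the SSH hardening steps from the post.
CONFIG_AFTER = CONFIG_BEFORE + "ssh version 2\naaa authentication ssh console LOCAL\n"


def audit_management_plane(config: str) -> list:
    """Return a list of findings about how the ASA can be managed remotely."""
    lines = {line.strip() for line in config.splitlines() if line.strip()}
    # "telnet <net> <mask> <nameif>" / "ssh <host> <mask> <nameif>" rules start
    # with a digit; "ssh version 2" and similar keywords do not.
    telnet_rules = [line for line in lines if re.match(r"telnet \d", line)]
    ssh_rules = [line for line in lines if re.match(r"ssh \d", line)]
    findings = []

    if telnet_rules:
        findings.append(f"telnet enabled by {len(telnet_rules)} rule(s): "
                        "credentials travel in cleartext, prefer SSH")
        if "aaa authentication telnet console LOCAL" not in lines:
            findings.append("telnet login uses only the shared 'passwd'; "
                            "add 'aaa authentication telnet console LOCAL'")

    if ssh_rules:
        if "ssh version 2" not in lines:
            findings.append("SSH version not pinned to 2; add 'ssh version 2'")
        if "aaa authentication ssh console LOCAL" not in lines:
            findings.append("SSH accepts the default 'pix' user with the telnet "
                            "password; add 'aaa authentication ssh console LOCAL'")
        for rule in ssh_rules:
            parts = rule.split()
            # an all-zero mask means any source host on that interface
            if len(parts) >= 4 and parts[2] == "0.0.0.0":
                findings.append(f"ssh allowed from any host on {parts[3]}; "
                                "restrict to management hosts")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label)
        for finding in audit_management_plane(cfg):
            print("  -", finding)
```

Run against the "before" fragment it reports three findings (Telnet enabled, SSH not pinned to version 2, SSH still using the pix account); after the two SSH commands from the post only the Telnet finding remains, which is the expected residue until Telnet is removed in favour of SSH from the inside as well.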


Supplemental commands:

write memory   //save the running configuration
clear configure all   //clear the entire current configuration
clear configure access-list   //clear all access control lists
write erase   //delete the startup-config file



This article is from the "Sunj" blog, make sure to keep this source http://sunjie123.blog.51cto.com/1263687/1718606
