SNAF 642-524
Table of contents
- 1 SNAF - 642-524 - Securing Networks with ASA Foundation
- 1.1 Configure Security Appliances for secured network connectivity
- 1.2 Configure and verify routing and switching on Security Appliances
- 1.3 Configure and verify Authentication, Authorization, & Accounting services for Security Appliances
- 1.4 Configure and verify Layer 3 & 4 protocol inspection, Modular Policy Framework, and threat detection for Security Appliances
- 1.5 Configure and verify secure connectivity using VPNs
- 1.5.1 Configure and verify remote access VPNs using ASDM
- 1.5.2 Configure and verify IPsec VPN clients with preshared keys using ASDM
- 1.5.3 Configure and verify site-to-site VPNs with preshared keys using ASDM
- 1.5.4 Verify IKE and IPsec using ASDM and CLI
- 1.5.5 Configure and verify clientless SSL VPN using ASDM
- 1.6 Configure and verify active/standby and active/active failover features on Security Appliances
- 1.7 Configure transparent firewall and virtual firewall features on a Security Appliance
- 1.8 Monitor and manage installed Security Appliances
- 1.9 Miscellaneous
- 1.10 ASA Links
SNAF - 642-524 - Securing Networks with ASA Foundation
Based on this Cisco exam, since it is a good one and covers a great many of the things an ASA can do.
You probably cannot pass by only reading this, but I use the page myself as notes for the SNAF exam. Also remember to take a look at the links.
ASA version: 8.0.2
ASDM Version: 6.0.2
Configure Security Appliances for secured network connectivity
Configure and verify network and interface settings using ASDM and CLI
Configuration -> Device Setup -> Interfaces -> Click the Add button.
interface Ethernet0/2
 no shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.5.1 255.255.255.0
Sub interface
Remove nameif from the "parent" interface to remove IP connectivity on it (untagged traffic).
interface Ethernet0/2
 no nameif
 no shutdown
interface Ethernet0/2.50
 vlan 50
 no shutdown
 description Interface for vlan 50
 nameif Vlan50
 security-level 50
 ip address 10.10.50.1 255.255.255.0
DHCP
ASDM: Configuration -> Device Management -> DHCP -> DHCP Server
CLI:
dhcpd address 10.10.10.10-10.10.10.20 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside
Show
sh run nameif
interface Ethernet0/0
 nameif outside
 security-level 0
sh inter ip brief
Interface      IP-Address       OK? Method Status Protocol
Ethernet0/0    192.168.200.101  YES DHCP   up     up
Configure and verify NAT globals, statics, NAT exemption, and Identity NAT using ASDM
Conf -> Firewall -> NAT Rules
From a high security level to a low security level is allowed, but not from low to high.
That is:
Inside -> Outside = OK, but Outside -> Inside = not OK without explicit permission.
no nat-control
As the picture shows, traffic without a NAT rule is allowed. With nat-control a NAT rule must exist before traffic gets through.
static (high,low) low high netmask mask tcp [max simultaneous TCP conns] [embryonic connections] udp [max simultaneous UDP conns]
static (inside,management) 192.168.1.20 10.10.10.10 netmask 255.255.255.255
ASDM:
This translates 192.168.1.20 on management to 10.10.10.10 on inside, so the 10.10.10.10 server can be reached from management via 192.168.1.20. In other words, from the management interface you reach the server with IP 10.10.10.10 on the inside interface by entering 192.168.1.20. This also applies the other way: when 10.10.10.10 sends traffic toward management, management sees the server as 192.168.1.20.
Dynamic NAT/PAT
Everything from management goes out on outside via PAT, since no NAT pools have been created, which would otherwise be used first.
Connection settings for the NAT rule:
NAT exemption
Must not be NATed; works both inbound and outbound.
(config)# access-list EXEMPT-NAT extended permit ip 10.10.1.0 255.255.255.0 172.16.10.0 255.255.255.0
(config)# nat (inside) 0 access-list EXEMPT-NAT
Identity NAT
Dynamic Identity NAT:
Only connections from inside going out are translated.
(config)# nat (inside) 0 10.10.1.0 255.255.255.0
NAT order of operations:
- 1. Check access rules
- 2. Check routing table for exit interface
- 3. Look in current translation table
- 4. Check for NAT exemptions
- 5. Static NAT and PAT (regular and policy)
- 6. Policy dynamic NAT
- 7. Regular dynamic NAT
- 8. If NAT control is enabled and nothing above matched, drop the packet.
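To see the order above in one configuration, here is an added example of ASA 8.0 (pre-8.3) NAT syntax that combines exemption, static, policy dynamic and regular dynamic rules. It is my own constructed example, not taken from the page or from Cisco documentation; the interface names inside/dmz/outside, the addresses and the ACL names are assumptions.

```cisco
! Constructed ASA 8.0 example (pre-8.3 NAT syntax), added here; not from the page.
! Assumed interfaces: inside (100), dmz (50), outside (0); 203.0.113.0/24 is the public range.
nat-control
! Step 4: NAT exemption is checked first (after the ACL, route and xlate lookups).
access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Step 5: static translation for a DMZ server, with a TCP connection limit of 1000
! and an embryonic (half-open) limit of 100 so a SYN flood cannot exhaust the server.
static (dmz,outside) 203.0.113.25 10.10.5.25 netmask 255.255.255.255 tcp 1000 100
! Step 6: policy dynamic NAT, only inside traffic to the partner network uses this pool.
access-list PARTNER-NAT extended permit ip 10.10.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 2 access-list PARTNER-NAT
global (outside) 2 203.0.113.100-203.0.113.110 netmask 255.255.255.0
! Step 7: regular dynamic PAT on the outside interface address for everything else from inside.
nat (inside) 1 10.10.1.0 255.255.255.0
global (outside) 1 interface
! Step 8: with nat-control on, a DMZ host without a matching rule is dropped,
! so the DMZ network needs its own rule (sharing global pool 1) to reach outside.
nat (dmz) 1 10.10.5.0 255.255.255.0
```

Because nat-control is enabled, the last line matters: without it, traffic from the DMZ that matches none of the rules is dropped at step 8 rather than forwarded untranslated.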
Note
"Note: If you remove a static command, current connections that use the translation are not affected. In order to remove these connections, enter the clear local-host command. You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command."
"NOTE: If you don't configure the nat-control command, then address translation is optional. The appliance will use any address translation policies you've configured, and if a packet doesn't match a translation policy, it isn't translated, but forwarded as is."
Configure and verify access-lists with or without object groups using ASDM
Conf -> Firewall -> Objects
Network Object Groups
- Can contain one or more networks or IP addresses
object-group network DMZ-Servers
 network-object host 10.10.10.20
 network-object host 10.10.10.25
 network-object host 10.10.10.26
IP Names
- Name IP addresses so they are easier to remember; e.g. a web server with IP 10.10.10.10 may be easier to remember if you call it web-server
name 10.10.10.10 web-server description En Web Server
Service groups
- Service
- TCP
- UDP
- TCP-UDP
- ICMP
- Protocol
Global Pools
- Used for NAT/PAT
Time Ranges
- Create time ranges, e.g. for ACLs or login time.
ACL
Dest: The "public" / translated IP
-> Network Object Groups
-> Service groups
Can be combined in many ways.
Without objects:
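As an added example of the objects above used together in an access rule, here is a constructed ASA 8.0 configuration (my own, not from the page) with a network object group, a TCP service group and a time range, followed by the same policy written without objects. Destinations are translated (public) addresses, as the note says; all names and addresses are made up.

```cisco
! Constructed example, added here; not from the page. Names and addresses are assumptions.
object-group network DMZ-PUBLIC
 network-object host 203.0.113.20
 network-object host 203.0.113.25
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
! Time range: only weekday evenings
time-range AFTER-HOURS
 periodic weekdays 18:00 to 23:59
! ACL applied inbound on outside: destinations are the mapped (translated) addresses
access-list OUTSIDE-IN extended permit tcp any object-group DMZ-PUBLIC object-group WEB-PORTS
access-list OUTSIDE-IN extended permit icmp any object-group DMZ-PUBLIC echo
access-list OUTSIDE-IN extended permit tcp host 198.51.100.7 object-group DMZ-PUBLIC eq ssh time-range AFTER-HOURS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
! The same web policy without objects needs one line per host/port pair
access-list OUTSIDE-IN-FLAT extended permit tcp any host 203.0.113.20 eq www
access-list OUTSIDE-IN-FLAT extended permit tcp any host 203.0.113.20 eq https
access-list OUTSIDE-IN-FLAT extended permit tcp any host 203.0.113.25 eq www
access-list OUTSIDE-IN-FLAT extended permit tcp any host 203.0.113.25 eq https
```

The explicit deny with log at the end makes dropped inbound attempts visible in syslog; the ASA's implicit deny at the end of an ACL does not log per hit the same way.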
Configure and verify routing and switching on Security Appliances
Describe the routing capabilities of the Security Appliance
ASDM: Conf -> Device Setup -> Routing
- Static
- RIP
- OSPF
- EIGRP
Use ASDM to configure VLANs on a Security Appliance interface
See sub interface.
Remove nameif to remove IP connectivity on an interface. When a sub interface is created the interface becomes an 802.1Q trunk.
So for an interface to carry traffic it must have a name assigned with nameif, and in routed mode it must have an IP address.
Use ASDM to configure the passive RIP routing functionality of the Security Appliance
Passive RIP: receives route updates but sends none out.
RIP version 2
ASDM:
router rip
 version 2
 passive-interface default
Configure and verify Authentication, Authorization, & Accounting services for Security Appliances
Configure ACS for Security Appliance support
ACS -> Network Conf -> AAA Clients -> Add Entry
AAA Client Hostname: ASA
AAA Client IP Address: 10.10.10.1
ACS -> User Setup -> Create users
Use ASDM to configure the Security Appliance AAA features
Conf -> Device Management -> Users/AAA -> AAA Server Groups
Under AAA Server Groups, create a new group of servers.
Select the group and choose Add under Servers in the Selected Group.
RADIUS
- IETF standard
- Authentication: UDP port 1812 (old/Cisco: 1645)
- Accounting: UDP port 1813 (old/Cisco: 1646)
TACACS+
- Cisco
- TCP port 49
- Encryption
Configure and verify Auth-Proxy (cut-through proxy) using ASDM
Forwards the HTTP login on to the destination server.
Supports:
- TCP port 21, FTP
- TCP port 23, telnet
- TCP port 80, HTTP
- TCP port 443, HTTPS
Setup:
- Create an AAA server group
- Add an AAA server
- Add an AAA rule in Configuration -> Firewall -> AAA Rules
See logged-in users: ASDM: Monitoring -> Properties -> Device Access -> Authenticated Users
CLI:
show uauth
Delete users that are logged in:
clear uauth
Secure HTTP connection
Configuration -> Firewall -> AAA Rules -> Click the Advanced button to log in with HTTPS:
If the server at the other end also requires a login, but one different from what the AAA server knows, Virtual HTTP server must be used, since it strips the username and password out of the HTTP GET request.
ASDM: Configuration -> Firewall -> Advanced -> Virtual Access
Remember that web browsers can cache the login, so if Telnet and FTP appear to work normally but HTTP/S does not time out, that may be the reason.
Authentication Prompt
Configuration -> Device Management -> Users/AAA -> Authentication Prompt
Authentication Timeouts
Configuration -> Firewall -> Advanced -> Global Timeouts
- Authentication Inactivity: time without traffic before the user must log in again.
- Authentication Absolute: fixed time after which the user must log in again. Longer than the inactivity time.
Downloadable ACLs
- Fetches the ACL from the AAA server for the user or group
- Only supported with RADIUS
- Gets a name starting with #ACSACL#-
ACS:
Interface Configuration -> Advanced Options -> Advanced Options -> User/Group-Level Downloadable ACLs
Shared Profile Components -> Select Downloadable IP ACLs -> Click Add
show access-list
Shows all access lists, including downloadable ones.
show uauth
Also shows the user's ACL
Per-User Override
Overrides ACLs for the user: e.g. if an ACL permits something, but a particular user must not reach that server, per-user override can be used.
If per-user override is enabled, the inbound ACL is overridden; otherwise it is combined with the ACL on the ASA and the one from RADIUS.
ASDM: Configuration -> Firewall -> Access Rules -> Click Advanced and tick Per User Override next to the ACL on which it is allowed.
Virtual Telnet
Can be used so that users can log in via telnet when the traffic to be authenticated is not a supported type.
Configure and verify Layer 3 & 4 protocol inspection, Modular Policy Framework, and threat detection for Security Appliances
" You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy for a particular feature.)"
Order:
CBT Nuggets:
- 1. TCP normalization, connection limit and timeout, and seq # randomization
- 2. CSC
- 3. Application Inspection
- 4. IPS
- 5. QoS input policing
- 6. QoS output policing
- 7. QoS priority queuing
ASA Guide:
Modular Policy Framework supports the following features:
- QoS input policing
- TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
- CSC
- Application inspection (multiple types)
- IPS
- QoS output policing
- QoS standard priority queue
- QoS traffic shaping, hierarchical priority queue
Configure and verify Layer 3 and Layer 4 protocol inspection using ASDM
Conf -> Firewall -> Service Policy Rules
Strict FTP
- Embedded FTP requests, e.g. from web browsers, are not allowed.
- FTP commands must be acknowledged before a new command is sent.
- The 227 and PORT commands are checked for errors; e.g. IP and port number must match for passive FTP.
Configure and verify Modular Policy Framework using ASDM
1. Service Policy (interface/global)
2. Match (class map)
3. Action (policy map)
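The three building blocks above in ASA 8.0 CLI, as an added example of my own (not from the page): class maps do the matching, the policy map attaches actions (a connection limit and strict FTP inspection from the section above), and the service policy applies it to one interface, where it overrides global_policy for those features. The ACL, class and policy names and the server address are assumptions.

```cisco
! Constructed example, added here; not from the page. Names and addresses are assumptions.
! 2. Match: class maps select the traffic
access-list WEB-SERVERS extended permit tcp any host 203.0.113.25 eq www
class-map WEB-CLASS
 match access-list WEB-SERVERS
class-map FTP-CLASS
 match port tcp eq ftp
! 3. Action: the policy map binds an action to each class
policy-map OUTSIDE-POLICY
 class WEB-CLASS
  set connection conn-max 2000 embryonic-conn-max 200
  set connection timeout embryonic 0:00:30
 class FTP-CLASS
  inspect ftp strict
! 1. Service policy: apply on the outside interface only
service-policy OUTSIDE-POLICY interface outside
```

The embryonic limit and short embryonic timeout are what turn a plain connection limit into SYN-flood protection: half-open connections toward the web server are capped at 200 and aged out after 30 seconds, while established connections are not affected.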
IPS
QoS
Use ASDM to configure and verify threat detection
Configuration -> Firewall -> Threat Detection
Basic is the default. Scanning can be enabled.
Stats for: Top 10 / 200, Access rules, Port, Protocol, TCP Intercept
Basic
- Dropped packets, which can have several causes.
- Other security events.
- May indicate a DoS attack.
Scanning
- "Unlike IPS scan detection that is based on traffic signatures, the security appliance scanning threat detection feature maintains an extensive database that contains host statistics that can be analyzed for scanning activity."
- Can affect performance and RAM usage, which is why it is not enabled by default.
- Can automatically shun hosts
Configure and verify secure connectivity using VPNs
Phase 1: ISAKMP (Aggressive / Main)
Phase 2: IPsec (Quick)
- Transport mode: payload encrypted / authenticated. Typically host-to-host.
- Tunnel mode: whole packet encrypted / authenticated. For host-to-host, network-to-network, host-to-network.
Main mode
- More secure
- 3 exchanges
- Total: 6 messages
Aggressive mode
- Faster
- 2 exchanges
- Total: 3 messages
Configure and verify remote access VPNs using ASDM
If the client uses:
- Pre-shared keys: aggressive mode.
- Digital certificate: main mode.
Wizards -> IPsec VPN Wizard -> Remote Access
"The Cisco Easy VPN client feature can be configured in one of two modes: client mode or network extension mode."
Setting up a remote access VPN:
- Tunnel interface
- "Enable Inbound IPsec Sessions to Bypass Interface Access Lists"
- Client Type (Cisco)
- Pre-shared key
- Tunnel group name
- User login (AAA)
- IP pool
- Optional: DNS server, WINS server, domain name
- IKE Policy
- IPsec Encryption and Authentication
- Address Translation Exemption and Split Tunneling
Show
Monitoring -> VPN -> VPN Connection Graphs | VPN Statistics | Clientless SSL VPN
Monitoring -> VPN -> VPN Statistics -> Sessions shows who is logged on to the remote VPN and much more.
Verify ACLs and interesting traffic.
show run access-list
Verify correct IKE configuration.
show run isakmp
show run tunnel-group
Verify IPsec and ISAKMP SAs.
show crypto ipsec sa
show crypto isakmp sa
Verify correct crypto map configuration.
show run crypto map
Clear IPsec SA.
clear crypto ipsec sa
Clear IKE SA.
clear crypto isakmp sa
Debug IKE and IPsec traffic through the security appliance.
debug crypto ipsec
debug crypto isakmp
Host: VPN Interface IP (Public)
Name: IPsec Connection Profile
Password: Pre Shared Key
Wizards -> IPsec VPN Wizard -> Site to Site
- Peer IP Address
- Name, must be the same as the peer IP, or the hostname.
- Message encryption algorithm
- Message integrity (hash) algorithm
- Key exchange parameters (DH group ID)
- Peer authentication method
Monitoring -> VPN -> Sessions
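What the site-to-site wizard writes, in CLI form, as an added example of my own (not from the page): the IKE policy carries the encryption, hash, DH group and authentication method listed above, the tunnel-group is named after the peer IP, and the crypto map ties interesting traffic to the peer. The peer address, pre-shared key, ACL and map names are placeholders; the NAT exemption is the same nat 0 form shown in the NAT section.

```cisco
! Constructed example, added here; not from the page. Peer, key and names are placeholders.
! Phase 1: ISAKMP policy (main mode for a pre-shared key on a site-to-site tunnel)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key EXAMPLE-PSK-REPLACE-ME
! Interesting traffic, and NAT exemption for it so the inner addresses survive
access-list L2L-TRAFFIC extended permit ip 10.10.1.0 255.255.255.0 172.16.10.0 255.255.255.0
nat (inside) 0 access-list L2L-TRAFFIC
! Phase 2: IPsec transform set (tunnel mode is the default) and the crypto map
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside
```

After the first interesting packet, show crypto isakmp sa should list the peer in state MM_ACTIVE and show crypto ipsec sa should show matching encaps/decaps counters; a mismatch between the two sides' L2L ACLs is the usual reason phase 2 never comes up.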
Verify IKE and IPsec using ASDM and CLI
show crypto isakmp
show crypto ipsec sa
show crypto ca certificates (show certificates)
show crypto ca crls (show Certificate Revocation Lists)
show run crypto map
Configure and verify clientless SSL VPN using ASDM
- Browser-based
- Proxied through the ASA
- Requires cookies in the browser
Provides access to:
- corporate websites
- web-enabled applications
- NT/AD file shares (web-enabled)
- other TCP-based applications from almost any computer that can reach HTTPS Internet sites, e.g. CIFS and FTP.
Does not support:
- Inspection features under the Modular Policy Framework
- QoS, rate limiting using the police command and priority-queue command.
- Connection limits, checking either via the static or the Modular Policy Framework set connection command.
- And more...
Note
URL Entry:
- Lets users type a URL into the portal page. Turn it off, and users can only visit pages you have created a bookmark/URL list for.
Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Dynamic Access Policies -> Add or Edit -> Functions.
URL list: Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Dynamic Access Policies -> Add or Edit -> URL Lists.
ASDM and SSL VPN can share the same interface if you change the port.
Configure and verify active/standby and active/active failover features on Security Appliances
Hardware failover
- Connections are dropped.
- Client programs must reconnect.
- Hardware redundancy.
- Uses a LAN-based failover link.
Stateful failover
- TCP connections remain active.
- Client programs do not need to reconnect.
- Provides redundancy and keeps connection state.
- Uses the stateful failover link.
Failover requirements
- Same model and hardware configuration.
- Same Security Services Modules (SSM) installed.
- Same software version (before 7.0)
- Same mode (context / firewall)
- Same features (DES or 3DES)
- Same size flash and RAM.
- The correct license.
Failover links
- LAN-based: sends status messages.
- Stateful: sends all state info, xlates etc., so users do not notice the failover.
Can be on the same cable, but this is not recommended.
- Enable PortFast.
- Turn off EtherChannel.
If a redundant interface is used for the failover link, a switch must be placed in between, since you cannot know which member interface is active.
State info transferred via the stateful link:
- NAT translation table
- TCP connection states
- UDP connection states
- The ARP table
- The Layer 2 bridge table (when running in transparent firewall mode)
- The HTTP connection states (if HTTP replication is enabled)
- The ISAKMP and IPsec SA table
- SIP signaling sessions
Info that is NOT transferred via the stateful link:
- The HTTP connection table (unless HTTP replication is enabled).
- The user authentication (uauth) table.
- The routing tables. After a failover occurs, some packets may be lost or routed out of the wrong interface (the default route) while the dynamic routing protocols rediscover routes.
- State information for Security Service Modules.
- DHCP server address leases.
SSL VPN features not supported by stateful failover:
- Smart tunnels
- Port forwarding
- Plug-ins
- Java applets
- IPv6 clientless or AnyConnect sessions
- Citrix authentication (Citrix users must reauthenticate after failover.)
Configure and verify active/standby failover using ASDM
1. Cable the interfaces on both security appliances.
2. Prepare both security appliances for configuration via ASDM.
3. Use the ASDM High Availability and Scalability Wizard to configure the primary security appliance.
4. Verify that ASDM configured the secondary security appliance.
5. Save the configuration of the secondary security appliance to flash memory.
ASDM: the secondary ASA must be able to log on to the primary ASA.
#show failover
Take over the active role:
#failover active
Give up the active role:
#no failover active
Resets the fail state. Can be used on both units, but it is best done on the active one:
#failover reset
Failover criteria:
- Failover unit poll time: Amount of time between hello messages
- Failover unit hold time: Amount of time to wait (after 3 consecutive poll failures) before triggering failover
- Failover interface poll time: Poll time for interface monitoring
- Failover interface hold time: Hold time for interface monitoring
- Failover interface policy: Number of failed interfaces that triggers failover
ASDM: Configuration -> Device Management -> High Availability -> Failover -> Criteria
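The criteria above and the two link types from the failover section in CLI form, as an added example of my own (not from the page): active/standby with a LAN-based failover link and a separate stateful link, standby addresses on the data interfaces, and HTTP replication turned on so browser sessions survive a failover. Interface assignments, addresses and the shared key are placeholders.

```cisco
! Constructed active/standby example, added here; not from the page. Interfaces,
! addresses and the key are placeholders.
! Primary unit: full configuration, replicated to the secondary over the failover link
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0 standby 10.10.1.2
 no shutdown
interface Ethernet0/2
 description Stateful failover link
 no shutdown
interface Ethernet0/3
 description LAN-based failover link
 no shutdown
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover link STATELINK Ethernet0/2
failover interface ip STATELINK 10.0.1.1 255.255.255.252 standby 10.0.1.2
! Authenticate and encrypt the failover messages (they carry the configuration)
failover key EXAMPLE-FAILOVER-KEY
failover replication http
! Criteria: hello every 1 s, peer declared failed after the 3 s hold time;
! interface tests every 5 s with 25 s hold; one failed monitored interface triggers failover
failover polltime unit 1 holdtime 3
failover polltime interface 5 holdtime 25
failover interface-policy 1
failover
! Secondary unit: only the failover link is needed; the rest is synced from the primary
failover lan unit secondary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover key EXAMPLE-FAILOVER-KEY
failover
```

The failover key is not optional in practice: without it the configuration, including pre-shared keys and passwords, crosses the failover link in clear text.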
Configure and verify active/active failover using ASDM
Uses contexts.
2 contexts on each ASA, 1 active and 1 standby, each in its own failover group.
- Cable the interfaces on both security appliances.
- Ensure that both security appliances are in multiple context mode.
- Configure contexts and allocate interfaces to contexts.
- Enable and assign an IP address to each interface that is allocated to a context.
- Prepare both security appliances for configuration via ASDM.
- Use the ASDM High Availability and Scalability Wizard to configure the primary security appliance.
- Verify that ASDM configured the secondary security appliance.
- Save the configuration of the secondary security appliance to flash memory.
System context: Wizards -> High Availability and Scalability Wizard
# show failover
[...]
Group 1 last failover at: 15:54:49 UTC Dec 17 2010
Group 2 last failover at: 15:55:00 UTC Dec 17 2010
# show failover group 1
Activates a group or unit:
failover active [group group_id]
Changes CTX2 from standby to active:
(config)# failover active group 2
no failover active group 1
In active/active failover, failover can be triggered at the unit level if one of the following events occurs:
- The unit has a hardware failure.
- The unit has a power failure.
- The unit has a software failure.
- The no failover active command is entered in the system execution space.
Failover is triggered at the failover group level when one of the following events occurs:
- Too many monitored interfaces in the group fail.
- The no failover active group group_id command is entered.
Configure and verify redundant Interface using ASDM
Conf -> Device Setup -> Interfaces
Add Redundant Interface
interface redundant1
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 no shutdown
 description Redundant Interface 1
 nameif Redu1
 security-level 100
 ip address 10.10.5.1 255.255.255.0
Redundant Interface:
- Name
- IP address
- Security level
Member Interfaces:
- Same physical type
- No name
- No IP
- No security level
Shows the active member:
show interface redundantnumber detail | grep member
Switches the active interface:
redundant-interface redundantnumber active-member physical_interface
Configure transparent firewall and virtual firewall features on a Security Appliance
Explain the purpose of virtual & transparent firewalls
Virtual firewall
Multiple Context Mode
Shares the same hardware among several logical firewalls, e.g. so an ISP can lease out firewalls. You can, for example, have 2 networks with the same IP segment on the same ASA, since they are separated into their own virtual firewalls.
Does not support:
- Dynamic routing
- VPN
- Multicast routing; bridging is supported.
- Threat Detection
Transparent firewall
- No IP on the interfaces, only a management IP
- Interfaces in different VLANs, but the same network
- No router hop, bump in the wire
- Can forward things routed mode cannot, e.g. other EtherTypes
- Only 2 data interfaces
- MAC lookups
- Management IP on the same network
- Default gateway on the host behind it = the router on the other side
Otherwise the same rules as routed mode
Does not support:
- Dynamic DNS
- Dynamic routing
- IPv6
- DHCP relay
- QoS
- Multicast
- VPN "headend"
Configure and verify the transparent firewall feature of the Security Appliance using CLI
ASA(config)# firewall transparent
All configuration is wiped, so remember to save first.
To go back:
ASA(config)# no firewall transparent
After that the interfaces and the management IP, which must be in the same subnet, have to be set up:
interface Ethernet0/0
 nameif outside
 no shutdown
interface Ethernet0/1
 nameif inside
 no shutdown
ip address 192.168.200.251 255.255.255.0
http server enable
http 192.168.200.0 255.255.255.0 inside
Check transparent mode in Home under Device Information, Firewall Mode: Transparent
show mode
Change the management IP:
Configuration -> Device Management -> Management Access -> Management IP Address
To allow DHCP through the ASA, the UDP ports must be opened in both directions.
EtherType rules are for non-IP traffic.
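The two points above as an added example of my own (not from the page): extended ACLs that open the DHCP client/server ports in both directions across a transparent ASA (client on inside, server on outside), plus an EtherType ACL for the non-IP traffic. The ACL names and the web server address are assumptions.

```cisco
! Constructed transparent-mode example, added here; not from the page. Names are assumptions.
! DHCP client on inside, DHCP server on outside. The ASA does not relay in transparent
! mode, so the bootp exchange must be permitted explicitly in both directions.
access-list INSIDE-IN extended permit udp any eq bootpc any eq bootps
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
access-list OUTSIDE-IN extended permit udp any eq bootps any eq bootpc
access-list OUTSIDE-IN extended permit tcp any host 192.168.200.10 eq www
access-group OUTSIDE-IN in interface outside
! Non-IP traffic: EtherType ACLs decide what the bridge forwards. Permit BPDUs so
! spanning tree still sees the far side; the implicit deny drops other non-IP EtherTypes.
! IP and ARP are not controlled by EtherType ACLs.
access-list NONIP ethertype permit bpdu
access-group NONIP in interface inside
access-group NONIP in interface outside
```

The permit ip any any on the inside ACL keeps the default high-to-low behaviour; once an ACL is applied to an interface, only what it permits gets through, which is why it is listed after the DHCP line rather than relied on implicitly.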
Configure and verify the virtual firewall feature of the Security Appliance using ASDM
Firewall Virtualization / Multiple Context mode
Splits the ASA into several contexts, each with its own security policies.
Can be administered as if it were a physical firewall.
To classify packets to the different contexts the ASA uses:
- Unique interfaces: each context has its own interface
- MAC addresses: same interface, different MAC per context (like a switch)
- NAT setup (IP address): looks at the destination IP, so it must know the subnets behind it.
If you do not have unique interfaces for each context, it is recommended to use MAC addresses.
- Routed mode allows shared interfaces.
- Transparent mode does not allow shared interfaces.
The system configuration has no network settings or interfaces; it uses the admin context. In the system configuration you set resources etc.
Setting up context mode
When converting to context mode, 2 files are created: a new startup config and an admin.cfg, and the old one is saved as old_running.cfg.
ASA(config)# mode multiple
- Path to the context config file
- Context name
- Add interfaces to the context
- Optional: Assign resources to the context.
- Optional: Assign an IPS virtual sensor to the context.
- Optional: Assign MAC addresses to context interfaces.
To return:
ASA(config)# mode single
#show context
Context Name   Class    Interfaces                  URL
*admin         default  Ethernet0/0,Ethernet0/1,    disk0:/admin.cfg
                        Management0/0
 Martin        default  Ethernet0/2,Ethernet0/3     disk0:/martin.cfg
Resource Management
ASDM limit: System: 32, Context: 5.
SSH limit: System: 100, Context: 5.
Telnet limit: System: 100, Context: 5.
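The system configuration that produces a show context listing like the one above, as an added example of my own (not from the page): the admin context and a second context with their config-url paths, interface allocation, automatic per-context MAC addresses for the classifier, and a resource class that caps the customer context's management sessions. The class name and limits are assumptions; the context names and files follow the listing above.

```cisco
! Constructed system execution space configuration after "mode multiple", added here;
! not from the page. Class name and limits are assumptions.
admin-context admin
context admin
 allocate-interface Ethernet0/0
 allocate-interface Ethernet0/1
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
! Classifier help: give each context a unique MAC on shared interfaces automatically
mac-address auto
! Resource class for customer contexts: few management sessions, bounded connections
class CUSTOMER
 limit-resource asdm 2
 limit-resource ssh 2
 limit-resource telnet 1
 limit-resource conns 10000
context Martin
 description Customer context
 allocate-interface Ethernet0/2
 allocate-interface Ethernet0/3
 config-url disk0:/martin.cfg
 member CUSTOMER
```

Contexts not assigned to a class stay in the default class, which is why the admin context above shows default and the customer context would show CUSTOMER in the Class column.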
Monitor and manage installed Security Appliances
Update, backup, and restore configurations and software images using ASDM and CLI
Blank configuration, open it up for ASDM:
- Name: inside, give IP and netmask
- Set time, hostname and domain
- Start the http service
- Allow hosts in on http
- Optional: choose the ASDM image
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
hostname ASA
domain-name domain.local
clock set hh:mm:ss DAY MONTH Year
http server enable
http 192.168.1.0 255.255.255.0 management
asdm image disk0:/asdm-602.bin
Boot image:
boot system disk0:/asa802-k8.bin
Install and verify Licensing using ASDM
ASDM: Configuration > Device Management > System Image/Configuration > Activation Key
1. Get the key from cisco.com based on the serial number from the show version command
2. Reboot the ASA to make sure the image in flash is the same as the running one.
3. Go to Configuration > Device Management > System Image/Configuration > Activation Key and enter the key as 4 or 5 blocks with spaces in between.
4. Click Update Activation Key
5. Reboot the ASA to activate the key.
Configure and verify Console and SSH/Telnet access
ASDM: Conf -> Device Management -> Management Access -> Command Line (CLI) -> Secure Shell (SSH)
SSH requires:
- Hostname
- Domain name
- A user created
- RSA key
ASDM: Conf -> Device Management -> Users/AAA -> AAA Access -> Authentication
Next to SSH, tick the box and select LOCAL.
username AdminUser password AdminPass
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
ssh 192.168.1.0 255.255.255.0 management
ASDM: Conf -> Device Management -> Management Access -> Command Line (CLI) -> Telnet
telnet 192.168.1.0 255.255.255.0 management
Configure and utilize Logging using ASDM
ASDM: Conf -> Device Management -> Logging
-> Event Lists
-> Logging Filters
-> Syslog Servers
Miscellaneous
The SAST keys can be seen via the show crypto key mypubkey rsa command.
ASA Links
ASA CLI Configuration Guide 8.0
ASA 8.3(x) Dynamic PAT with Two Internal Networks and Internet
ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF
https://supportforums.cisco.com/docs/DOC-1268
http://www.networkstraining.com/ciscoasaebook.php
http://www.networkworld.com/community/node/58537
http://www.iflipr.com/deck/search?query=snaf
https://learningnetwork.cisco.com/docs/DOC-2800
https://learningnetwork.cisco.com/message/11409#11409
http://blog.ine.com/2009/04/19/understanding-modular-policy-framework/
http://oav.net/mirrors/cidr.html
http://www.quia.com/quiz/497859.html?AP_rand=334332925
http://www.ciscopress.com/articles/article.asp?p=24833&seqNum=6
http://www.subnet-calculator.com/
http://www.gocertify.com/blog/2009/07/20/cisco-asa-specialist-certification-snaf-642-524-exam/