Difference between revisions of "SNAF 642-524"

From NørderiWiki
(Configure and verify active/standby failover using ASDM)
(Configure and verify active/standby and active/active failover features on Security Appliances)

Revision as of 8 June 2010, 18:14

SNAF - 642-524 - Securing Networks with ASA Foundation

These notes follow this Cisco exam, since it is a really good one and covers a great many of the things an ASA can do.

You will hardly pass just by reading this, but I use the page myself as notes for the SNAF exam. Remember to also take a look at the links.

Exam Topics

ASA version: 8.0.2

ASDM Version: 6.0.2

Configure Security Appliances for secured network connectivity

Configure and verify network and interface settings using ASDM and CLI

Configuration -> Device Setup -> Interfaces -> Press the Add button.

interface Ethernet0/2
 no shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.5.1 255.255.255.0

Subinterface

Remove nameif from the parent interface to remove IP connectivity on it.

interface Ethernet0/2
 no nameif
interface Ethernet0/2.50
 vlan 50
 no shutdown
 description Interface for vlan 50
 nameif Vlan50
 security-level 50
 ip address 10.10.50.1 255.255.255.0

DHCP

ASDM: Configuration -> Device Management -> DHCP -> DHCP Server

CLI:

dhcpd address 10.10.10.10-10.10.10.20 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside

Show

sh run nameif

interface Ethernet0/0
 nameif outside
 security-level 0
sh inter ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.200.101 YES DHCP   up                    up

Configure and verify NAT globals, statics, NAT exemption, and Identity NAT using ASDM

Traffic from a high security level to a low security level is allowed by default, but not from low to high.
Inside -> Outside = OK, but Outside -> Inside = not OK without explicit permission.

nat-control

natcontrol.png

As the picture shows, a NAT rule must exist for the traffic to be allowed if nat-control is enabled, which it is not here.

static (high_if,low_if) low_side_ip high_side_ip netmask mask tcp [max TCP connections] [embryonic connection limit] udp [max UDP connections]


Pictures of different NAT rules

static (inside,management)  192.168.1.20 10.10.10.10 netmask 255.255.255.255

ASDM:

nat1l.png

This translates 192.168.1.20 on management to 10.10.10.10 on inside, so the 10.10.10.10 server can be reached from management via 192.168.1.20.

Dynamic NAT/PAT

dynnat1.png

Everything from management leaves on outside via PAT, since no NAT pools have been created; those would otherwise be used first.

NAT order of operations:

  • 1. Check Access Rules
  • 2. Check routing table for exit interface
  • 3. Look in current translation table
  • 4. Checks for NAT Exemptions
  • 5. Static NAT and PAT (regular and policy)
  • 6. Policy dynamic NAT
  • 7. Regular dynamic NAT
  • 8. If NAT control enabled, and no match through above, drop packet.
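The security-level rule and the NAT order of operations above, worked through as an added example (this code is not from the wiki page or from Cisco). It models steps 1 and 3 to 8 of the list: an explicit access rule or the high-to-low default decides the access check, an existing xlate is reused, then exemption, static, policy dynamic and regular dynamic rules are tried in that order, and nat-control decides what happens when nothing matches. The rule shapes, interface names and all sample addresses are constructed assumptions; the exit interface is passed in instead of doing a routing lookup.

```python
"""Added example, not from the wiki page: a small model of the ASA 8.0 NAT
order of operations combined with the security-level rule (high -> low is
allowed by default, low -> high needs an explicit permit). Rule shapes,
interface names and all sample addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    security_level: int


@dataclass
class NatRule:
    kind: str                                   # "exempt", "static", "policy_dynamic", "dynamic"
    src_iface: str
    real: ipaddress.IPv4Network                 # real (untranslated) addresses
    mapped: str = ""                            # translated address or pool label
    dst: Optional[ipaddress.IPv4Network] = None  # set only for exemption/policy rules


class Asa:
    # NAT rule types in the order the ASA consults them (steps 4 to 7 above)
    NAT_ORDER = ("exempt", "static", "policy_dynamic", "dynamic")

    def __init__(self, interfaces, nat_rules, nat_control=False, access_rules=()):
        self.ifaces = {i.name: i for i in interfaces}
        self.nat_rules = list(nat_rules)
        self.nat_control = nat_control
        # explicit permits: (inbound interface, permitted destination network)
        self.access_rules = [(i, ipaddress.IPv4Network(n)) for i, n in access_rules]
        self.xlate = {}   # the "current translation table" of step 3

    def access_allowed(self, in_iface, out_iface, dst):
        """Step 1: an explicit access rule wins; otherwise the security-level
        default applies (high -> low permitted, low -> high denied)."""
        if any(i == in_iface and dst in net for i, net in self.access_rules):
            return True
        return self.ifaces[in_iface].security_level > self.ifaces[out_iface].security_level

    def translate(self, in_iface, out_iface, src, dst):
        """Returns (outcome, address) for a new packet. The exit interface is
        passed in, standing in for the routing lookup of step 2."""
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if not self.access_allowed(in_iface, out_iface, dst):
            return ("drop", "access-rule")
        # Step 3: reuse an existing translation (policy xlates are per flow)
        for key in ((in_iface, src, dst), (in_iface, src)):
            if key in self.xlate:
                return ("xlate", self.xlate[key])
        # Steps 4 to 7: first match within the first rule type that has one
        for kind in self.NAT_ORDER:
            for r in self.nat_rules:
                if r.kind != kind or r.src_iface != in_iface or src not in r.real:
                    continue
                if r.dst is not None and dst not in r.dst:
                    continue
                if kind == "exempt":
                    return ("no-nat", str(src))
                key = (in_iface, src, dst) if r.dst is not None else (in_iface, src)
                self.xlate[key] = r.mapped
                return (kind, r.mapped)
        # Step 8: nothing matched
        if self.nat_control:
            return ("drop", "nat-control")
        return ("untranslated", str(src))


def build_sample_asa(nat_control=False, access_rules=()):
    """Constructed sample: inside(100), dmz(50), outside(0) and four NAT rules."""
    net = ipaddress.IPv4Network
    rules = [
        NatRule("exempt", "inside", net("10.10.10.0/24"), dst=net("192.168.50.0/24")),
        NatRule("static", "inside", net("10.10.10.20/32"), "203.0.113.20"),
        NatRule("policy_dynamic", "inside", net("10.10.10.0/24"), "pool-B", dst=net("198.51.100.0/24")),
        NatRule("dynamic", "inside", net("10.10.0.0/16"), "outside-PAT"),
    ]
    return Asa([Interface("inside", 100), Interface("dmz", 50), Interface("outside", 0)],
               rules, nat_control=nat_control, access_rules=access_rules)


if __name__ == "__main__":
    asa = build_sample_asa(nat_control=True)
    print(asa.translate("inside", "outside", "10.10.10.20", "198.51.100.5"))  # static wins over policy NAT
    print(asa.translate("inside", "outside", "10.20.0.5", "8.8.8.8"))         # dropped by nat-control
```

Two points the model makes visible: the exemption for 10.10.10.0/24 towards 192.168.50.0/24 beats the static for 10.10.10.20 because exemptions are consulted first, and once a static xlate exists for that host it is reused (step 3) before any rule is looked at again.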

Configure and verify access-lists with or without object groups using ASDM

Conf -> Firewall -> Objects

Network Object Groups

  • Can contain one or more networks or IP addresses

object-group network DMZ-Servers
 network-object host 10.10.10.20
 network-object host 10.10.10.25
 network-object host 10.10.10.26

IP Names

  • Name IP addresses so they are easier to remember; for example, a web server with IP 10.10.10.10 may be easier to remember if it is called web-server

name 10.10.10.10 web-server description En Web Server

Service groups

  • Service
  • TCP
  • UDP
  • TCP-UDP
  • ICMP
  • Protocol

Global Pools

  • Used for NAT/PAT

Time Ranges

  • Create time ranges, e.g. for ACLs or login times.


Pictures and explanation of ACL rules

Configure and verify routing and switching on Security Appliances

Describe the routing capabilities of the Security Appliance

ASDM: Conf -> Device Setup -> Routing

  • Static
  • RIP
  • OSPF
  • EIGRP

Use ASDM to configure VLANs on a Security Appliance interface

See Subinterface.

Remove nameif to remove IP connectivity on an interface. When a subinterface is created, the interface becomes an 802.1Q trunk.
So for an interface to pass traffic it must have a name set with nameif, and in routed mode it must also have an IP address.

Use ASDM to configure the passive RIP routing functionality of the Security Appliance

RIP version 2

ASDM:

pasvrip.png

router rip
 version 2
 passive-interface default

Configure and verify Authentication, Authorization, & Accounting services for Security Appliances

Configure ACS for Security Appliance support

ACS -> Network Conf -> AAA Clients -> Add Entry

AAA Client Hostname: ASA

AAA Client IP Address: 10.10.10.1

ACS -> User Setup -> Create users

Use ASDM to configure the Security Appliance AAA features

Conf -> Device Management -> Users/AAA -> AAA Server Groups

Under AAA Server Groups, create a new group of servers.

Select the group and choose Add under Servers in the Selected Group.


RADIUS vs TACACS+

Configure and verify Auth-Proxy (cut-through proxy) using ASDM

Forwards the HTTP login on to the destination server.

Supports:

  • TCP port 21, FTP
  • TCP port 23, telnet
  • TCP port 80, HTTP
  • TCP port 443, HTTPS

Setup:

  • Create an AAA server group
  • Add an AAA server
  • Add an AAA rule under Configuration -> Firewall -> AAA Rules

addaaarule.png

See logged-in users: ASDM: Monitoring -> Properties -> Device Access -> Authenticated Users

CLI:

show uauth

Remove logged-in users:

clear uauth

Secure HTTP connection

Configuration -> Firewall -> AAA Rules -> Press the Advanced button to log in with HTTPS:

aaaadvopt.png

If the server at the other end also requires a login, but one different from what the AAA server knows, a Virtual HTTP server must be used, since it strips the username and password out of the HTTP GET request.

ASDM: Configuration -> Firewall -> Advanced -> Virtual Access

Remember that web browsers can cache the login, so if Telnet and FTP seem to work normally but HTTP/S does not time out, that may be the reason.

Authentication Prompt

Configuration -> Device Management -> Users/AAA -> Authentication Prompt

Authentication Timeouts

Configuration -> Firewall -> Advanced -> Global Timeouts

  • Authentication Inactivity: time without traffic before the user must log in again.
  • Authentication Absolute: fixed time after which the user must log in again. Longer than the inactivity time.

Downloadable ACLs

  • Fetches the ACL for the user from the AAA server
  • Only supported with RADIUS
  • Gets a name starting with #ACSACL#-

ACS:

Interface Configuration -> Advanced Options -> Advanced Options -> User/Group-Level Downloadable ACLs

Shared Profile Components -> Select Downloadable IP ACLs -> Click Add

show access-list

Shows all access lists, including downloadable ones.

show uauth

Also shows the ACL for the user.

Per-User Override

Overrides ACLs for the user; for example, if an ACL allows something but a particular user must not access that server, per-user override can be used.

If per-user override is enabled, the inbound ACL is overridden; otherwise it is combined with the ACL on the ASA and the one from RADIUS.

ASDM: Configuration -> Firewall -> Access Rules -> Press Advanced and tick Per User Override next to the ACL on which it is allowed.

Virtual Telnet

Can be used so that users can log in via telnet if the traffic that needs to be authenticated is not one of the supported protocols.

Configure and verify Layer 3 & 4 protocol inspection, Modular Policy Framework, and threat detection for Security Appliances

Configure and verify Layer 3 and Layer 4 protocol inspection using ASDM

" You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy for a particular feature.)"


Order (CBT Nuggets):

  • 1. TCP normalization, connection limit and timeout, and seq # randomization
  • 2. CSC
  • 3. Application Inspection
  • 4. IPS
  • 5. QoS input policing
  • 6. QoS output policing
  • 7. QoS priority queuing

ASA Guide: Modular Policy Framework supports the following features:

  • QoS input policing
  • TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
  • CSC
  • Application inspection (multiple types)
  • IPS
  • QoS output policing
  • QoS standard priority queue
  • QoS traffic shaping, hierarchical priority queue

Configure and verify Modular Policy Framework using ASDM

1. Service Policy (interface/global)
2. Match
3. Action
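How a flow ends up with a set of MPF actions, as an added example (not code from the wiki page or from Cisco): one global policy, an interface policy that overrides it per feature, and the features applied in the order of the ASA Guide list above. Class matching is reduced to destination ports, policy entries are (feature, setting) pairs, and the sample policies and setting strings are constructed assumptions.

```python
"""Added example, not from the wiki page: a model of how the ASA resolves the
service policies that apply to one flow. There is a single global policy; an
interface policy overrides it per feature, and the features are then applied
in a fixed order. Class matching is reduced to destination ports; names,
sample policies and the setting strings are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Feature order, following the ASA Guide list quoted above (input side first).
FEATURE_ORDER = ["qos-input-police", "tcp-normalization", "csc", "inspect", "ips",
                 "qos-output-police", "qos-priority-queue", "qos-shaping"]


@dataclass
class PolicyEntry:
    feature: str
    setting: str
    match_ports: Optional[frozenset] = None   # None = class-default (match any)

    def matches(self, dst_port: int) -> bool:
        return self.match_ports is None or dst_port in self.match_ports


def first_match(policy: Iterable[PolicyEntry], feature: str, dst_port: int) -> Optional[PolicyEntry]:
    """First class in the policy-map that matches the flow and carries the feature."""
    for entry in policy:
        if entry.feature == feature and entry.matches(dst_port):
            return entry
    return None


def effective_actions(dst_port: int, interface_policy: List[PolicyEntry],
                      global_policy: List[PolicyEntry]) -> List[Tuple[str, str, str]]:
    """Returns (feature, scope, setting) in application order. For each feature
    the interface policy is consulted first; only if it has no matching class
    for that feature does the global policy apply."""
    applied = []
    for feature in FEATURE_ORDER:
        for scope, policy in (("interface", interface_policy), ("global", global_policy)):
            entry = first_match(policy, feature, dst_port)
            if entry is not None:
                applied.append((feature, scope, entry.setting))
                break
    return applied


# Constructed sample policies: a global policy loosely shaped like the default
# one, plus an interface policy that tightens HTTP handling on one interface.
GLOBAL_POLICY = [
    PolicyEntry("inspect", "inspect http", frozenset({80})),
    PolicyEntry("inspect", "inspect dns", frozenset({53})),
    PolicyEntry("tcp-normalization", "set connection conn-max 10000"),
    PolicyEntry("ips", "ips inline fail-open"),
]
OUTSIDE_POLICY = [
    PolicyEntry("inspect", "inspect http strict-map", frozenset({80, 8080})),
    PolicyEntry("qos-input-police", "police input 1000000", frozenset({80, 8080})),
]


if __name__ == "__main__":
    for feature, scope, setting in effective_actions(80, OUTSIDE_POLICY, GLOBAL_POLICY):
        print(f"{feature:20} {scope:10} {setting}")
```

For port 80 on the interface with OUTSIDE_POLICY the inspection comes from the interface policy while connection limits and IPS still come from the global policy; for port 53 nothing in the interface policy matches, so every action is global.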

Use ASDM to configure and verify threat detection

Conf -> Firewall -> Threat Detection

Basic is the default. Scanning can be enabled in addition.

Stats for: Top 10 / 200, Access rules, Port, Protocol, TCP Intercept

Configure and verify secure connectivity using VPNs

Configure and verify remote access VPNs using ASDM

Phase 1: ISAKMP (Aggressive / Main)

Phase 2: IPsec (Quick)

  • Transport mode: only the payload is encrypted / authenticated. Typically for host-to-host.
  • Tunnel mode: the whole packet is encrypted / authenticated. For host-to-host, network-to-network, host-to-network.

If the client uses:

  • Pre-shared Keys: Aggressive mode.
  • Digital certificate: Main mode.

"Both provide the same services, but aggressive mode requires only two exchanges between the peers totaling 3 messages, rather than three exchanges totaling 6 messages. Aggressive mode is faster, but does not provide identity protection for the communicating parties."

Wizards -> IPsec VPN Wizard -> Remote Access

Setup of a remote access VPN:

  • Tunnel interface
  • "Enable Inbound IPsec Sessions to Bypass Interface Access Lists"
  • Client Type (Cisco)
  • Pre-shared key
  • Tunnel group name
  • User login (AAA)
  • IP pool
  • Optional: DNS server, WINS server, domain name
  • IKE Policy
  • IPsec Encryption and Authentication
  • Address Translation Exemption and Split Tunneling

Show

Monitoring -> VPN -> VPN Connection Graphs | VPN Statistics | Clientless SSL VPN

Monitoring -> VPN -> VPN Statistics -> Sessions shows who is logged on to the remote access VPN and much more.


Verify ACLs and interesting traffic.

show run access-list

Verify correct IKE configuration.

show run isakmp
show run tunnel-group

Verify IPsec and ISAKMP SAs.

show crypto ipsec sa
show crypto isakmp sa

Verify correct crypto map configuration.

show run crypto map

Clear IPsec SA.

clear crypto ipsec sa

Clear IKE SA.

clear crypto isakmp sa

Debug IKE and IPsec traffic through the security appliance.

debug crypto ipsec
debug crypto isakmp

Configure and verify IPsec VPN clients with preshared keys using ASDM

vpnclient.png

Host: VPN Interface IP (Public)

Name: IPsec Connection Profile

Password: Pre Shared Key

Configure and verify site-to-site VPNs with preshared keys using ASDM

Wizards -> IPsec VPN Wizard -> Site to Site

  • Peer IP Address
  • Name, must be the same as the peer IP or the hostname.


  • Message encryption algorithm
  • Message integrity (hash) algorithm
  • Key exchange parameters (DH group ID)
  • Peer authentication method

Monitoring -> VPN -> Sessions

Verify IKE and IPsec using ASDM and CLI

show crypto isakmp

show crypto ipsec sa

show crypto ca certificates  Show certificates

show crypto ca crls          Show Certificate Revocation Lists

show run crypto map

Configure and verify clientless SSL VPN using ASDM

  • Browser-based
  • Proxied through the ASA
  • Requires cookies in the browser

Gives access to:

  • corporate websites
  • web-enabled applications
  • NT/AD file share (web-enabled)
  • e-mail
  • other TCP-based applications from almost any computer that can reach HTTPS Internet sites, e.g. CIFS and FTP.


Does not support:

  • Inspection features under the Modular Policy Framework
  • QoS, rate limiting using the police command and priority-queue command.
  • Connection limits, checking either via the static or the Modular Policy Framework set connection command.
  • And more...

Note

URL Entry:

  • Lets users type a URL into the portal page. Disable it and users can only visit the sites you have created bookmarks/URL lists for.

Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Dynamic Access Policies -> Add or Edit -> Functions.

URL list: Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Dynamic Access Policies -> Add or Edit -> URL Lists.

ASDM and SSL VPN can be on the same interface if you change the port of one of them.

Configure and verify active/standby and active/active failover features on Security Appliances

Hardware failover

  • Connections are dropped.
  • Client applications must reconnect.
  • Provides hardware redundancy.
  • Provided by LAN-based failover link.

Stateful failover

  • TCP connections remain active.
  • No client applications need to reconnect.
  • Provides redundancy and stateful connection.
  • Provided by stateful link.

Failover Requirements

  • Same model number and hardware configurations
  • Same Security Services Modules installed
  • Same software versions* (prior to version 7.0)
  • Same operating mode
  • Same features (DES or 3DES)
  • Same amount of Flash memory and RAM
  • Proper licensing

Failover links

  • LAN-based: sends status messages.
  • Stateful: sends all state information, xlates etc., so the user does not notice the failover.

They can be on the same cable, but this is not recommended.

  • Enable PortFast
  • Turn off Ether-channeling

If a Redundant Interface is used for the failover link, a switch must sit in between, since you cannot know which member interface is active.


The state information that is passed to the standby unit includes the following:

  • NAT translation table
  • TCP connection states
  • UDP connection states
  • The ARP table
  • The Layer 2 bridge table (when running in transparent firewall mode)
  • The HTTP connection states (if HTTP replication is enabled)
  • The ISAKMP and IPsec SA table
  • SIP signaling sessions

The information that is not passed to the standby unit when stateful failover is enabled includes the following:

  • The HTTP connection table (unless HTTP replication is enabled).
  • The user authentication (uauth) table.
  • The routing tables. After a failover occurs, some packets may be lost or routed out of the wrong interface (the default route) while the dynamic routing protocols rediscover routes.
  • State information for Security Service Modules.
  • DHCP server address leases.

The following SSL VPN features are not supported with stateful failover:

  • Smart tunnels
  • Port forwarding
  • Plug-ins
  • Java applets
  • IPv6 clientless or Anyconnect sessions
  • Citrix authentication (Citrix users must reauthenticate after failover.)


Configure and verify active/standby failover using ASDM

  • 1. Cable the interfaces on both security appliances.
  • 2. Prepare both security appliances for configuration via ASDM.
  • 3. Use the ASDM High Availability and Scalability Wizard to configure the primary security appliance.
  • 4. Verify that ASDM configured the secondary security appliance.
  • 5. Save the configuration of the secondary security appliance to flash memory.


ASDM: the secondary ASA must be able to log on to the primary ASA.

#show failover

Take over the active role:

#failover active

Give up the active role:

#no failover active

Resets the failed state. Can be used on both units, but best done on the active one:

#failover reset


Failover criteria:

  • Failover unit poll time: Amount of time between hello messages
  • Failover unit hold time: Amount of time to wait (after 3 consecutive poll failures) before triggering failover
  • Failover interface poll time: Poll time for interface monitoring
  • Failover interface hold time: Hold time for interface monitoring
  • Failover interface policy: Number of failed interfaces that triggers failover

ASDM: Configuration -> Device Management -> High Availability -> Failover -> Criteria
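The failover commands and criteria above, worked through as an added example (not code from the wiki page or from Cisco). It is a simplified active/standby model: a unit that has heard no hello from its peer for the unit hold time declares the peer failed, a unit whose failed-interface count reaches the interface policy fails itself, and failover active / no failover active / failover reset move the roles. A real ASA also runs the interface tests and exchanges hellos on every monitored interface; unit names, timings and the event sequence are constructed assumptions.

```python
"""Added example, not from the wiki page: a simplified model of an
active/standby pair driven by the failover criteria and commands above.
Unit names, timings and event sequences are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Unit:
    name: str
    state: str = "standby-ready"   # "active", "standby-ready" or "failed"
    failed_interfaces: int = 0
    last_hello_from_peer: float = 0.0


class FailoverPair:
    def __init__(self, unit_poll=1.0, unit_hold=15.0, interface_policy=1, now=0.0):
        # Failover criteria from the ASDM Criteria page above
        self.unit_poll = unit_poll                  # seconds between hellos
        self.unit_hold = unit_hold                  # silence that declares the peer failed
        self.interface_policy = interface_policy    # failed interfaces that fail a unit
        self.units = {"primary": Unit("primary", "active", last_hello_from_peer=now),
                      "secondary": Unit("secondary", last_hello_from_peer=now)}

    def peer(self, unit: Unit) -> Unit:
        return self.units["secondary" if unit.name == "primary" else "primary"]

    def active(self) -> Optional[str]:
        """Name of the unit currently holding the active role, or None."""
        return next((u.name for u in self.units.values() if u.state == "active"), None)

    def _fail(self, unit: Unit):
        """Mark a unit failed; a ready standby takes over if the failed unit was active."""
        was_active = unit.state == "active"
        unit.state = "failed"
        peer = self.peer(unit)
        if was_active and peer.state == "standby-ready":
            peer.state = "active"

    # --- hello monitoring (unit poll / hold time) ----------------------------
    def hello(self, sender: str, now: float):
        """A hello sent by `sender` is received by its peer."""
        self.peer(self.units[sender]).last_hello_from_peer = now

    def poll(self, now: float):
        """Run at every poll interval: a peer silent for the hold time is failed."""
        for unit in list(self.units.values()):
            peer = self.peer(unit)
            if peer.state != "failed" and now - unit.last_hello_from_peer >= self.unit_hold:
                self._fail(peer)

    # --- interface monitoring (interface policy) ------------------------------
    def interface_down(self, unit_name: str, count: int = 1):
        unit = self.units[unit_name]
        unit.failed_interfaces += count
        if unit.state != "failed" and unit.failed_interfaces >= self.interface_policy:
            self._fail(unit)

    # --- operator commands ----------------------------------------------------
    def failover_active(self, unit_name: str) -> bool:
        """'failover active' typed on a standby unit: it takes the active role."""
        unit, peer = self.units[unit_name], self.peer(self.units[unit_name])
        if unit.state != "standby-ready":
            return False
        if peer.state == "active":
            peer.state = "standby-ready"
        unit.state = "active"
        return True

    def no_failover_active(self, unit_name: str) -> bool:
        """'no failover active' on the active unit hands the role to a ready peer."""
        unit, peer = self.units[unit_name], self.peer(self.units[unit_name])
        if unit.state != "active" or peer.state != "standby-ready":
            return False
        unit.state, peer.state = "standby-ready", "active"
        return True

    def failover_reset(self, now: float):
        """'failover reset' clears the failed state; the hello and interface
        counters restart so the unit is not failed again on the next poll."""
        for unit in self.units.values():
            if unit.state == "failed":
                unit.state = "standby-ready"
                unit.failed_interfaces = 0
            unit.last_hello_from_peer = now


if __name__ == "__main__":
    pair = FailoverPair(unit_poll=1.0, unit_hold=15.0, interface_policy=1)
    pair.hello("secondary", 14.0)   # primary keeps hearing the secondary ...
    pair.poll(15.0)                 # ... but the secondary has heard nothing for 15 s
    print(pair.active(), pair.units["primary"].state)   # secondary failed
```

With the constructed timings the primary is declared failed at the 15 second poll because the secondary last heard it at t=0; after failover reset it returns as standby-ready, and it only becomes active again when the secondary fails an interface.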


Configure and verify active/active failover using ASDM

Configure and verify redundant Interface using ASDM

Conf -> Device Setup -> Interfaces

Add Redundant Interface

interface redundant1
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 no shutdown
 description Redundant Interface 1
 nameif Redu1
 security-level 100
 ip address 10.10.5.1 255.255.255.0

Configure transparent firewall and virtual firewall features on a Security Appliance

Explain the purpose of virtual & transparent firewalls

Virtual firewall

Multiple Context Mode

Splits the same hardware into several logical firewalls; an ISP, for example, can lease out firewalls this way. You can, for instance, have two networks with the same IP segment on the same ASA, since they are separated into their own virtual firewalls.


Does not support:

  • Dynamic routing
  • VPN
  • Multicast routing; multicast bridging is supported.
  • Threat Detection




Transparent firewall

  • No IP addresses on the interfaces, only a management IP
  • The two sides sit on different VLANs but in the same IP network
  • No router hop: a bump in the wire
  • Can forward things routed mode cannot, e.g. other EtherTypes
  • Only 2 data interfaces
  • MAC lookups
  • The management IP is on the same network
  • The default gateway of the hosts behind it = the router on the other side

Otherwise the same rules as routed mode.

Does not support:

  • Dynamic DNS
  • Dynamic routing
  • IPv6
  • DHCP relay
  • QoS
  • Multicast
  • VPN "headend"

Configure and verify the transparent firewall feature of the Security Appliance using CLI

ASA(config)# firewall transparent

All configuration is cleared, so remember to save first.

To go back:

ASA(config)# no firewall transparent

After that, the interfaces and the management IP must be set up:

interface Ethernet0/0
 nameif outside
 no shutdown
interface Ethernet0/1
 nameif inside
 no shutdown

ip address 192.168.200.251 255.255.255.0

http server enable
http 192.168.200.0 255.255.255.0 inside 

Check transparent mode on Home under Device Information: Firewall Mode: Transparent

show mode

Change the management IP:

Configuration -> Device Management -> Management Access -> Management IP Address

To allow DHCP through the ASA, the UDP ports must be opened in both directions.

EtherType rules are for non-IP traffic.

fwtransmac.png

Configure and verify the virtual firewall feature of the Security Appliance using ASDM

Firewall Virtualization / Multiple Context mode

Splits the ASA into several contexts, each with its own security policies.

Each can be administered as if it were a physical firewall.

To classify packets to the different contexts, the ASA uses:

  • Unique interfaces: each context has its own interface
  • MAC addresses: same interface, different MAC per context
  • NAT configuration (IP address): looks at the destination IP, so it must know the subnets behind each context

If you do not have unique interfaces for each context, using MAC addresses is recommended.

  • Routed mode allows shared interfaces.
  • Transparent mode does not allow shared interfaces.
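The context classifier described above, as an added example (not code from the wiki page or from Cisco). A packet arriving on an interface owned by one context goes there; on a shared interface the destination MAC is tried first (each context's own MAC on that interface) and then the destination IP against the addresses each context's NAT configuration knows. It also checks the shared-interface rule for transparent mode. Context names, interfaces, MAC and IP addresses are constructed assumptions.

```python
"""Added example, not from the wiki page: a model of the multiple-context
packet classifier (unique interface, then per-context MAC, then NAT address)
plus the shared-interface rule for transparent mode. Context names,
interfaces, MAC and IP addresses are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Context:
    name: str
    interfaces: Set[str]
    mac_addresses: Dict[str, str] = field(default_factory=dict)   # interface -> MAC
    nat_addresses: Set[str] = field(default_factory=set)          # mapped/global IPs


def shared_interfaces(contexts: List[Context]) -> Set[str]:
    """Interfaces allocated to more than one context."""
    seen, shared = set(), set()
    for ctx in contexts:
        for iface in ctx.interfaces:
            (shared if iface in seen else seen).add(iface)
    return shared


def validate(contexts: List[Context], transparent: bool) -> List[str]:
    """Returns problems: transparent mode does not allow shared interfaces,
    and a shared interface in routed mode needs a per-context MAC or a NAT
    address to classify by (the recommendation above is to use MACs)."""
    problems = []
    for iface in sorted(shared_interfaces(contexts)):
        if transparent:
            problems.append(f"{iface} is shared, not allowed in transparent mode")
            continue
        for ctx in contexts:
            if iface in ctx.interfaces and iface not in ctx.mac_addresses and not ctx.nat_addresses:
                problems.append(f"{iface} is shared but context {ctx.name} has no MAC or NAT address")
    return problems


def classify(contexts: List[Context], in_iface: str, dst_mac: str, dst_ip: str) -> Optional[str]:
    """Name of the context that receives the packet, or None if it is dropped."""
    owners = [c for c in contexts if in_iface in c.interfaces]
    if len(owners) == 1:            # unique interface: no further lookup needed
        return owners[0].name
    for ctx in owners:              # shared interface: per-context MAC first
        if ctx.mac_addresses.get(in_iface) == dst_mac:
            return ctx.name
    for ctx in owners:              # then the destination IP known from NAT config
        if dst_ip in ctx.nat_addresses:
            return ctx.name
    return None


def sample_contexts() -> List[Context]:
    """Constructed: ctxA and ctxB share Ethernet0/0 towards the outside."""
    return [
        Context("ctxA", {"Ethernet0/0", "Ethernet0/1"},
                {"Ethernet0/0": "0200.0000.0001"}, {"203.0.113.10"}),
        Context("ctxB", {"Ethernet0/0", "Ethernet0/2"},
                {"Ethernet0/0": "0200.0000.0002"}, {"203.0.113.20"}),
    ]


if __name__ == "__main__":
    ctxs = sample_contexts()
    print(classify(ctxs, "Ethernet0/0", "0200.0000.0002", "203.0.113.10"))  # ctxB: MAC wins over IP
    print(validate(ctxs, transparent=True))                                  # shared interface problem
```

The MAC lookup deciding before the IP lookup is what the recommendation above relies on: with a per-context MAC on the shared interface, the classifier never has to know which subnets sit behind each context.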

The system configuration has no network settings or interfaces of its own; it uses the admin context. In the system configuration you set resources etc.


Setting up context mode

When converting to context mode, two files are created: a new startup config and an admin.cfg; the old one is saved as old_running.cfg.

ASA(config)# mode multiple

  • Path to the context config file
  • Context name
  • Add interfaces to the context
  • Optional: Assign resources to the context.
  • Optional: Assign an IPS virtual sensor to the context.
  • Optional: Assign MAC addresses to context interfaces.

To go back:

ASA(config)# mode single

context1.png

#show context

Context Name      Class      Interfaces           URL
*admin            default    Ethernet0/0,Ethernet0/1, disk0:/admin.cfg
                             Management0/0
 Martin           default    Ethernet0/2,Ethernet0/3 disk0:/martin.cfg

Resource Management

ASDM limit: System: 32, Context: 5.

SSH limit: System: 100, Context: 5.

Telnet limit: System: 100, Context: 5.

Monitor and manage installed Security Appliances

Update, backup, and restore configurations and software images using ASDM and CLI

Blank config, opening up for ASDM:

  • Name: inside, assign IP and netmask
  • Set time, hostname and domain
  • Start the HTTP service
  • Allow hosts in via HTTP
  • Optional: choose the ASDM image

interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

hostname ASA
domain-name domain.local
clock set hh:mm:ss DAY MONTH Year

http server enable
http 192.168.1.0 255.255.255.0 management

asdm image disk0:/asdm-602.bin

Boot image:

boot system disk0:/asa802-k8.bin

Install and verify Licensing using ASDM

ASDM: Configuration > Device Management > System Image/Configuration > Activation Key

1. Get the key from cisco.com based on the serial number from the show version command
2. Reboot the ASA to make sure the image in flash is the same as the running one.
3. Go to Configuration > Device Management > System Image/Configuration > Activation Key and enter the key as 4 or 5 blocks separated by spaces.
4. Press Update Activation Key
5. Reboot the ASA to activate the key.

Configure and verify Console and SSH/Telnet access

ASDM: Conf -> Device Management -> Management Access -> Command Line (CLI) -> Secure Shell (SSH)

SSH requires:

  • Hostname
  • Domain name
  • A user created
  • RSA key

ASDM: Conf -> Device Management -> Users/AAA -> AAA Access -> Authentication

Next to SSH, tick the box and choose LOCAL.

username AdminUser password AdminPass
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024

ssh 192.168.1.0 255.255.255.0 management

ASDM: Conf -> Device Management -> Management Access -> Command Line (CLI) -> Telnet

telnet 192.168.1.0 255.255.255.0 management

Configure and utilize Logging using ASDM

ASDM: Conf -> Device Management -> Logging

-> Event Lists

-> Logging Filters

-> Syslog Servers

Miscellaneous

The SAST keys can be seen via the show crypto key mypubkey rsa command.

" Note: If you remove a static command, current connections that use the translation are not affected. In order to remove these connections, enter the clear local-host command. You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command. "

" NOTE If you don’t configure the nat-control command, then address translation is optional. The appliance will use any address translation policies you’ve configured, and if a packet doesn’t match a translation policy, it isn’t translated, but forwarded as is. "

ASA Links

ASDM 6.0 User Guide

ASA CLI Configuration Guide 8.0

https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b1ee95.shtml

http://www.wr-mem.com/

http://www.wr-mem.com/?p=4

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

https://supportforums.cisco.com/docs/DOC-1268

http://www.networkstraining.com/ciscoasaebook.php

http://www.networkworld.com/community/node/58537

http://www.iflipr.com/deck/search?query=snaf

https://learningnetwork.cisco.com/docs/DOC-2800

http://blog.ine.com/

https://learningnetwork.cisco.com/message/11409#11409

http://blog.ine.com/2009/04/19/understanding-modular-policy-framework/

http://oav.net/mirrors/cidr.html

http://www.quia.com/quiz/497859.html?AP_rand=334332925

http://www.ciscopress.com/articles/article.asp?p=24833&seqNum=6

http://www.subnet-calculator.com/