April 26, 2018

KT Labs EP2 :: Getting Started with the ASA & ASDM

(Last Updated On: 23rd January 2018)

In this knowledge transfer session, I show you how to configure basic settings on the Cisco Adaptive Security Appliance (ASA) and how we can manage the ASA using the Adaptive Security Device Manager (ASDM).

Please see the video below;

 

In the video, we couldn’t get outbound access to the Internet because of the GNS3 appliance I was using. After the video, I managed to fix this by verifying the next hope IP address which was 192.168.222.2/24 and not 192.168.222.1/24, verification commands and a screenshot from the workstation is below.

Changed the default route on the ASA and verified outbound connectivity to Google’s DNS

ciscoasa(config)# no route OUTSIDE 0 0 192.168.222.1
ciscoasa(config)# route OUTSIDE 0 0 192.168.222.2

ciscoasa(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/40 ms

Verified outbound connectivity from the workstation

 

Final ASA configuration output

Output Omitted

ciscoasa(config)# show run
!
ASA Version 9.8(1)
!
hostname ciscoasa
enable password $sha512$5000$xats8UNNBqKhJfd5MFOTaw==$+j/4b7aqiOJzHtxCTluSxQ== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address dhcp
!
object network INSIDE-HOSTS
subnet 192.168.1.0 255.255.255.0
access-list INSIDE extended permit icmp object INSIDE-HOSTS any
!
object network INSIDE-HOSTS
nat (INSIDE,OUTSIDE) dynamic interface
access-group INSIDE in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.222.2 1
!
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 INSIDE
!
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 INSIDE
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
!
username wizkid password $sha512$5000$wI5AtBBMcQjGzHtDRfrm6Q==$hK+1hT9LfbW+wN2PiZ0Peg== pbkdf2
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global

Previous «
Next »

Security Solutions Consulting Engineer @ Cisco - CCNA R&S/CCNA Security, CCDA & CCNP R&S - Currently working on CCIE Security. Sharing my knowledge and passion for technology. All views are mine and NOT of my company.

Leave a Reply

Subscribe to SYNACK via Email

%d bloggers like this: