This is a continuation of my previous post. I have now fully integrated the Layer 2 switched network and added a couple of 1841 routers.
There were some minor modifications on the 871W router for NAT to function properly. I also opened the ICMP, SSH and Telnet ports on the ASA5505 firewall for troubleshooting and testing purposes. The switches' management IP addresses were changed: I now use the 172.16.0.0/16 subnet solely for my lab, and I isolate my wifi users on the 192.168.1.0/24 subnet.
871W#configure terminal
871W(config-if)#interface fastethernet0 // MOVE TRUNK FROM FE3 TO FE0 PORT
871W(config-if)#description TRUNK TO ASA5505
871W(config-if)#do show ip interface brief
Interface IP-Address OK? Method Status Protocol
BVI1 192.168.1.1 YES NVRAM up up
Dot11Radio0 unassigned YES NVRAM up up
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset administratively down down
FastEthernet2 unassigned YES unset administratively down down
FastEthernet3 unassigned YES unset administratively down down
FastEthernet4 59.189.109.1 YES DHCP up up
Group-Async4 unassigned YES NVRAM down down
NVI0 unassigned YES unset administratively down down
Vlan1 unassigned YES NVRAM up up
871W(config)#ip route 172.16.0.0 255.255.0.0 192.168.1.2 // ROUTE TO LAB NETWORK
871W(config)#access-list 10 permit 172.16.0.0 0.0.255.255
871W(config)#do show access-list 10
Standard IP access list 10
10 permit 172.16.0.0, wildcard bits 0.0.255.255 (54 matches) // NAT ACL FOR 172.16.0.0/16 (LAB)
20 permit 192.168.1.0, wildcard bits 0.0.0.255 (862 matches) // NAT ACL FOR 192.168.1.0 /24 (WIFI)
871W(config)#exit
871W#show ip nat translations | include 172.16.1.6
udp 59.189.105.139:49226 172.16.1.6:49226 8.8.8.8:33506 8.8.8.8:33506
udp 59.189.105.139:49227 172.16.1.6:49227 8.8.8.8:33507 8.8.8.8:33507
udp 59.189.105.139:49228 172.16.1.6:49228 8.8.8.8:33508 8.8.8.8:33508
udp 59.189.105.139:49229 172.16.1.6:49229 8.8.8.8:33509 8.8.8.8:33509
udp 59.189.105.139:49230 172.16.1.6:49230 8.8.8.8:33510 8.8.8.8:33510
udp 59.189.105.139:49231 172.16.1.6:49231 8.8.8.8:33511 8.8.8.8:33511
udp 59.189.105.139:49232 172.16.1.6:49232 8.8.8.8:33512 8.8.8.8:33512
udp 59.189.105.139:49233 172.16.1.6:49233 8.8.8.8:33513 8.8.8.8:33513
udp 59.189.105.139:49234 172.16.1.6:49234 8.8.8.8:33514 8.8.8.8:33514
udp 59.189.105.139:49235 172.16.1.6:49235 8.8.8.8:33515 8.8.8.8:33515
udp 59.189.105.139:49236 172.16.1.6:49236 8.8.8.8:33516 8.8.8.8:33516
udp 59.189.105.139:49237 172.16.1.6:49237 8.8.8.8:33517 8.8.8.8:33517
udp 59.189.105.139:49238 172.16.1.6:49238 8.8.8.8:33518 8.8.8.8:33518
udp 59.189.105.139:49239 172.16.1.6:49239 8.8.8.8:33519 8.8.8.8:33519
udp 59.189.105.139:49240 172.16.1.6:49240 8.8.8.8:33520 8.8.8.8:33520
udp 59.189.105.139:49241 172.16.1.6:49241 8.8.8.8:33521 8.8.8.8:33521
udp 59.189.105.139:49242 172.16.1.6:49242 8.8.8.8:33522 8.8.8.8:33522
udp 59.189.105.139:49243 172.16.1.6:49243 8.8.8.8:33523 8.8.8.8:33523
871W#ping 172.16.1.6 // PING AND TELNET TO 1841-2 LAB ROUTER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
871W#telnet 172.16.1.6
Trying 172.16.1.6 ... Open
+--------------------------------------------------------------+
| This equipment is privately owned and monitored. |
| Disconnect immediately if you are not an authorized user. |
+--------------------------------------------------------------+
User Access Verification
Username:
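As an added example (this is not code from the post): a small Python script that parses the "show access-list 10" and "show ip nat translations" output in the format shown above, applies the IOS wildcard-mask rule (a 0 bit must match, a 1 bit is don't-care) with first-match semantics and the implicit deny, and reports which ACL entry each live translation was permitted by. The sample output and the candidate host list are constructed for the example; 10.0.0.5 is a made-up host on a subnet that is not in ACL 10, to show what the implicit deny looks like.

```python
"""Check which entry of the 871W's NAT source ACL covers each inside host.
Added example, not the post's own code; sample output below is constructed
to mirror the format of 'show access-list' and 'show ip nat translations'."""
import ipaddress
import re

# Constructed sample of 'show access-list 10' output (same entries as the post).
ACL_OUTPUT = """\
Standard IP access list 10
    10 permit 172.16.0.0, wildcard bits 0.0.255.255 (54 matches)
    20 permit 192.168.1.0, wildcard bits 0.0.0.255 (862 matches)
"""

# Constructed sample of 'show ip nat translations' output: one lab host and
# one wifi host, each behind the same inside-global address.
NAT_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 59.189.105.139:49226  172.16.1.6:49226      8.8.8.8:33506         8.8.8.8:33506
tcp 59.189.105.139:1024   192.168.1.20:51000    23.58.16.170:443      23.58.16.170:443
"""

# Constructed hosts to check before they generate traffic; 10.0.0.5 is a
# hypothetical host on a subnet that ACL 10 does not cover.
CANDIDATE_HOSTS = ["172.16.1.6", "172.16.20.10", "192.168.1.20", "10.0.0.5"]

# Matches "10 permit 172.16.0.0, wildcard bits 0.0.255.255 (54 matches)" and
# host entries such as "10 deny 172.16.1.6" (no wildcard shown => 0.0.0.0).
ACL_LINE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?:host\s+)?"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)(?:,\s*wildcard bits\s+(?P<wc>\d+\.\d+\.\d+\.\d+))?")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: compare only the bits that are 0 in the mask."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(network) & care)


def parse_acl(text):
    """Return [(seq, action, network, wildcard), ...] in the order IOS lists them."""
    rules = []
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            rules.append((int(m["seq"]), m["action"], m["net"], m["wc"] or "0.0.0.0"))
    return rules


def acl_lookup(rules, addr):
    """First matching entry decides, as in IOS. Returns the sequence number of
    the permit entry, or None for an explicit deny or the implicit deny."""
    for seq, action, network, wildcard in rules:
        if wildcard_match(addr, network, wildcard):
            return seq if action == "permit" else None
    return None


def parse_nat_translations(text):
    """Return (proto, inside_global, inside_local_addr, outside_global) per entry.
    The header line and static '---' entries are skipped."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[0] in ("tcp", "udp", "icmp"):
            inside_local = cols[2].rsplit(":", 1)[0]   # strip the port
            entries.append((cols[0], cols[1], inside_local, cols[4]))
    return entries


def audit_translations(nat_text, rules):
    """Map each inside-local address seen in the table to the ACL entry that
    permits it; None would mean the host is not covered by the NAT ACL."""
    result = {}
    for _proto, _inside_global, inside_local, _dst in parse_nat_translations(nat_text):
        result.setdefault(inside_local, acl_lookup(rules, inside_local))
    return result


if __name__ == "__main__":
    acl = parse_acl(ACL_OUTPUT)
    for host in CANDIDATE_HOSTS:
        hit = acl_lookup(acl, host)
        print(f"{host:<14} {'permit seq ' + str(hit) if hit else 'implicit deny (not NATed)'}")
    print(audit_translations(NAT_OUTPUT, acl))
```

A host that falls through to the implicit deny never gets a translation, so its RFC 1918 source address would leave the 871W untranslated and be dropped upstream; checking the candidate list against the ACL before adding a subnet saves a round of "show ip nat translations" troubleshooting.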
----
ASA5505# configure terminal
ASA5505(config)# interface ethernet0/0 // WAN PORT
ASA5505(config-if)# description LINK TO 871W
ASA5505(config-if)# interface ethernet0/1 // LAN PORT
ASA5505(config-if)# description TRUNK TO SW1
ASA5505(config-if)# exit
ASA5505(config)# banner motd +--------------------------------------------------------------+
ASA5505(config)# banner motd | This equipment is privately owned and monitored. |
ASA5505(config)# banner motd | Disconnect immediately if you are not an authorized user. |
ASA5505(config)# banner motd +--------------------------------------------------------------+
ASA5505(config)# policy-map global_policy
ASA5505(config-pmap)# class inspection_default
ASA5505(config-pmap-c)# inspect icmp error // FOR TRACEROUTE FUNCTION
ASA5505(config-pmap-c)# exit
ASA5505(config-pmap)# exit
ASA5505(config)# access-list OUTSIDE-IN extended permit icmp any 172.16.0.0 255.255.0.0 echo
ASA5505(config)# access-list OUTSIDE-IN extended permit tcp any 172.16.0.0 255.255.0.0 eq telnet
ASA5505(config)# access-list OUTSIDE-IN extended permit tcp any 172.16.0.0 255.255.0.0 eq ssh
ASA5505(config)# access-list OUTSIDE-IN extended permit icmp any any time-exceeded // FOR TRACEROUTE FUNCTION
ASA5505(config)# access-list OUTSIDE-IN extended permit icmp any any unreachable // FOR TRACEROUTE FUNCTION
PING TO SWITCHES:
ASA5505# ping 172.16.1.2 // SW1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA5505# ping 172.16.1.3 // SW2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA5505# ping 172.16.1.4 // SW3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PING TO ROUTERS:
ASA5505# ping 172.16.1.6 // 1841-2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PING TO OUTSIDE:
ASA5505# ping 8.8.8.8 // GOOGLE PUBLIC DNS
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/30 ms
ASA5505# ping www.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 60.254.168.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/50 ms
----
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface fastethernet0/8
SW1(config-if)#description TRUNK TO ASA5505
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#do show interface description
Interface Status Protocol Description
Vl1 up up L3 MANAGEMENT VLAN
Fa0/1 up up L2 ETHERCHANNEL TO SW2 (LINK#1)
Fa0/2 up up L2 ETHERCHANNEL TO SW2 (LINK#2)
Fa0/3 up up L2 ETHECHANNEL TO SW3 (LINK#1)
Fa0/4 up up L2 ETHECHANNEL TO SW3 (LINK#2)
Fa0/5 down down
Fa0/6 down down
Fa0/7 down down
Fa0/8 up up TRUNK TO ASA5505
Gi0/1 down down
Po1 up up L2 ETHERCHANNEL TO SW2
Po2 up up L2 ETHECHANNEL TO SW3
SW1(config)#interface vlan1
SW1(config-if)#ip address 172.16.1.2 255.255.255.0 // CHANGED MANAGEMENT IP ADDRESS
SW1(config)#ip default-gateway 172.16.1.1 // ASA INSIDE IP ADDRESS
SW1(config)#exit
00:41:14: %SYS-5-CONFIG_I: Configured from console by console
SW1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1007 ms
SW2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#interface vlan1
SW2(config-if)#ip address 172.16.1.3 255.255.255.0
SW2(config)#interface fastethernet0/8
SW2(config-if)#description LINK TO 1841-1
SW2(config-if)#switchport mode trunk
SW2(config-if)#exit
SW2(config)#ip default-gateway 172.16.1.1
SW2(config)#exit
SW2#
01:00:29: %SYS-5-CONFIG_I: Configured from console by console
SW2#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/201/1000 ms
----
SW3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#interface vlan1
SW3(config-if)#ip address 172.16.1.4 255.255.255.0
SW3(config-if)#exit
SW3(config)#ip default-gateway 172.16.1.1
SW3(config)#interface fastethernet0/8
SW3(config-if)#description LINK TO 1841-2
SW3(config-if)#switchport mode trunk
SW3(config-if)#do show interface description
Interface Status Protocol Description
Vl1 up up L3 MANAGEMENT VLAN
Fa0/1 up up L2 ETHERCHANNEL TO SW1 (LINK#1)
Fa0/2 up up L2 ETHERCHANNEL TO SW1 (LINK#2)
Fa0/3 up up L2 ETHERCHANNEL TO SW2 (LINK#1)
Fa0/4 up up L2 ETHERCHANNEL TO SW2 (LINK#2)
Fa0/5 down down
Fa0/6 down down
Fa0/7 down down
Fa0/8 down down LINK TO 1841-2
Gi0/1 down down
Po1 up up L2 ETHERCHANNEL TO SW1
Po2 up up L2 ETHERCHANNEL TO SW2
SW3(config)#exit
*Mar 1 00:59:09.169: %SYS-5-CONFIG_I: Configured from console by console
SW3#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1006 ms
----
Router#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Router#configure terminal
Router(config)# hostname 1841-2
1841-2(config)#service timestamps debug datetime msec localtime show-timezone
1841-2(config)#service timestamps log datetime msec localtime show-timezone
1841-2(config)#service password-encryption
1841-2(config)#banner login #
Enter TEXT message. End with the character '#'
+--------------------------------------------------------------+
| This equipment is privately owned and monitored. |
| Disconnect immediately if you are not an authorized user. |
+--------------------------------------------------------------+
#
1841-2(config)#logging buffered 4096
1841-2(config)#enable password cisco
1841-2(config)#ip domain name lagura.com
1841-2(config)#ip name-server 8.8.8.8
1841-2(config)#ip name-server 4.2.2.2
1841-2(config)#username cisco privilege 15 password cisco
1841-2(config)#interface fastethernet0/0
1841-2(config-if)#description CONNECTION TO WAN
1841-2(config-if)#ip address 172.16.1.6 255.255.255.0
1841-2(config-if)#interface fastethernet0/1
1841-2(config-if)#description CONNECTION TO LAN
1841-2(config-if)#ip address 172.16.20.254 255.255.255.0
1841-2(config-if)#no shutdown
1841-2(config-if)#exit
*Nov 6 09:24:53.155: %SYS-5-CONFIG_I: Configured from console by console
*Nov 6 09:24:54.235: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Nov 6 09:24:55.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Nov 6 09:25:00.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
1841-2(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1 // STATIC DEFAULT ROUTE TO ASA INSIDE IP ADDRESS
1841-2(config)#router eigrp 1
1841-2(config-router)#network 172.16.0.0 0.0.255.255
1841-2(config-router)#no auto-summary
1841-2(config-router)#exit
1841-2(config)#line vty 0 4
1841-2(config-line)#exec-timeout 0
1841-2(config-line)#logging synchronous
1841-2(config-line)#login local
1841-2(config-line)#line console 0
1841-2(config-line)#no exec-timeout
1841-2(config-line)#logging synchronous
1841-2(config-line)#end
1841-2#ping 172.16.1.1 // ASA INSIDE IP ADDRESS
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
1841-2#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/27/28 ms
1841-2#ping www.cisco.com
Translating "www.cisco.com"...domain server (8.8.8.8) [OK]
Translating "www.cisco.com"...domain server (8.8.8.8) [OK]
Translating "www.cisco.com"...domain server (8.8.8.8) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.58.240.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
1841-2#traceroute www.google.com
Type escape sequence to abort.
Tracing the route to www.google.com (74.125.200.105)
1 192.168.1.1 0 msec 0 msec 4 msec
2 cm1.delta104.maxonline.com.sg (59.189.104.1) 8 msec 12 msec 12 msec
3 172.20.43.1 12 msec 12 msec 12 msec
4 172.26.43.1 32 msec 12 msec 16 msec
5 172.20.7.114 28 msec 12 msec 12 msec
6 203.117.36.89 12 msec 16 msec 16 msec
7 203.117.36.21 [MPLS: Label 16040 Exp 0] 28 msec 12 msec 12 msec
8 203.117.35.206 12 msec 12 msec 12 msec
9 72.14.196.189 12 msec 12 msec 12 msec
10 66.249.95.124 12 msec
66.249.95.122 16 msec 20 msec
11 72.14.239.61 12 msec
209.85.244.23 12 msec 16 msec
12 * * *
13 www.google.com (74.125.200.105) 20 msec 28 msec 16 msec
Below are the logical network diagram and the actual physical setup of my lab. I plan to add more stuff like DDNS, enable EIGRP, use PRTG monitoring and experiment with the different styles of VPN and MPLS. I'll also rack-mount my gear in a 12 RU rack to give it a more "professional" look.
Saturday, January 18, 2014
Sunday, January 5, 2014
Configuring My Cisco ASA 5505 Home Lab Firewall
I'm done with FIREWALL and will start my VPN very soon. So I took out my ASA 5505 to test my firewall skills, reset it to factory default and hooked it up to my lab network.
I did a two-network approach using the "inside" and "outside" networks since my ASA 5505 has a Base License, which supports only 3 VLANs. I could set up the firewall with a DMZ, but it would only be "restricted." This means that if I add a DMZ network, it can only go out to the outside (Internet), while the inside network can communicate with both the outside and DMZ networks.
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif dmz
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
This scenario fits with my current network topology since I wanted my 871W router to function as the Internet edge router with the ASA 5505 behind it. Another good reason for doing this setup is that NAT is much simpler to configure and manage on a Cisco router.
ciscoasa(config)# hostname ASA_5505
ERROR: Invalid hostname: 'ASA_5505'
INFO: A hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen.
ciscoasa(config)# hostname ASA5505
ASA5505(config)# username cisco password cisco privilege 15 // NOT RECOMMENDED IN A PRODUCTION NETWORK
ASA5505(config)# enable password cisco
ASA5505(config)# interface vlan 1
ASA5505(config-if)# ip address 172.16.1.1 255.255.255.0
ASA5505(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA5505(config-if)# interface vlan 2
ASA5505(config-if)# ip address 192.168.1.2 255.255.255.0
ASA5505(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA5505(config-if)# exit
ASA5505(config)# route outside 0 0 192.168.1.1 // STATIC DEFAULT ROUTE TO 871W
ASA5505(config)# interface ethernet0/0 // E0/0 PORT IS USED FOR WAN BY DEFAULT
ASA5505(config-if)# no shutdown
ASA5505(config-if)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA5505(config-if)# exit
ASA5505(config)# http server enable
ASA5505(config)# http 192.168.1.0 255.255.255.0 outside // FOR ASDM ACCESS
ASA5505(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms
ASA5505(config)# ping www.cisco.com
^
ERROR: % Invalid Hostname
ASA5505(config)# dns ?
configure mode commands/options:
domain-lookup Enable/Disable DNS host-to-address translation
expire-entry-timer Specify DNS entry expire timer
name-server Specify DNS servers
poll-timer Specify dns update interval
retries Configure DNS retries
server-group Configure a DNS server group
timeout Configure DNS query timeout
exec mode commands/options:
update Update FQDN IP addresses
ASA5505(config)# dns domain-lookup ?
configure mode commands/options:
Current available interface(s):
inside Name of interface Vlan1
outside Name of interface Vlan2
ASA5505(config)# dns domain-lookup outside
ASA5505(config)# dns domain-lookup inside
ASA5505(config)# dns server-group DefaultDNS // DNS DOESN'T WORK ON A DIFFERENT DNS GROUP
ASA5505(config-dns-server-group)# name-server 8.8.8.8
ASA5505(config-dns-server-group)# name-server 4.2.2.2
ASA5505(config-dns-server-group)# exit
ASA5505(config)# ping www.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.58.16.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/70 ms
ASA5505(config)# object network INSIDE_HOSTS // CREATE NETWORK OBJECT FOR SIMPLIFIED AND CLEAN CONFIG (IOS 8.3+)
ASA5505(config-network-object)# subnet 172.16.0.0 255.255.0.0
ASA5505(config-network-object)# exit
ASA5505(config)# object network INSIDE_LAN
ASA5505(config-network-object)# ?
description Specify description text
fqdn Enter this keyword to specify an FQDN
help Help for network object configuration commands
host Enter this keyword to specify a single host object
nat Enable NAT on a singleton object
no Remove an object or description from object
range Enter this keyword to specify a range
subnet Enter this keyword to specify a subnet
ASA5505(config-network-object)# subnet 172.16.0.0 255.255.0.0
ASA5505(config-network-object)# ?
description Specify description text
fqdn Enter this keyword to specify an FQDN
help Help for network object configuration commands
host Enter this keyword to specify a single host object
nat Enable NAT on a singleton object
no Remove an object or description from object
range Enter this keyword to specify a range
subnet Enter this keyword to specify a subnet
ASA5505(config-network-object)# nat (?
network-object mode commands/options:
Current available interface(s):
any Global address space // ANY KEYWORD IS AVAILABLE ON IOS 8.3+
inside Name of interface Vlan1
outside Name of interface Vlan2
configure mode commands/options:
Current available interface(s):
any Global address space
inside Name of interface Vlan1
outside Name of interface Vlan2
ASA5505(config-network-object)# nat (inside,outside) ?
network-object mode commands/options:
dynamic Specify NAT type as dynamic
static Specify NAT type as static
configure mode commands/options:
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters
ASA5505(config-network-object)# nat (inside,outside) static ?
network-object mode commands/options:
A.B.C.D Mapped IP address
WORD Mapped network object/object-group name
X:X:X:X::X/<0-128> Enter an IPv6 prefix
interface Use interface address as mapped IP
ASA5505(config-network-object)# nat (inside,outside) static INSIDE_HOSTS // IDENTITY NAT
ASA5505(config-network-object)# exit
ASA5505(config)# telnet 172.16.0.0 255.255.0.0 inside // TELNET IS DISALLOWED ON THE OUTSIDE INTERFACE
ASA5505(config)# ssh 192.168.1.0 255.255.255.0 outside
ASA5505(config)# domain-name ?
configure mode commands/options:
WORD Domain names must begin and end with a digit/letter, only letters,
digits, and hyphen are allowed as internal characters, labels are
separated by a dot. A maximum of 63 characters is allowed.
ASA5505(config)# domain-name lagura.com // DOMAIN NAME AND RSA KEYS ARE NEEDED FOR SSH CONNECTION
ASA5505(config)# crypto key generate rsa modulus ?
configure mode commands/options:
1024 1024 bits
2048 2048 bits
512 512 bits
768 768 bits
ASA5505(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA5505(config)# aaa authentication ssh console LOCAL // USE LOCAL DATABASE FOR SSH
ASA5505(config)# ssh timeout 60 // SSH TIMEOUT CAN'T BE DISABLED AND CAN ONLY BE SET TO 60 MINS MAX
I can now remotely access my ASA 5505 firewall via ASDM and with an SSH client on my iPad.
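As an added example (not code from the post or from Cisco): a small Python linter that reads a device's configuration lines and flags the lab-only settings this post itself points out as not recommended for production, namely the "cisco/cisco" local user and enable password, the OUTSIDE-IN entries that permit Telnet and SSH from any source (first post above), Telnet management access, ASDM and SSH exposed on the outside interface, the 1024-bit RSA host key, and vty/console lines whose exec-timeout is disabled. The two sample configs are constructed from the commands shown in the posts; the check list, the severities and the "weak value" word list are this example's own assumptions, and the platform tag matters because "enable password" is the normal, hashed form on the ASA but a reversible type 7 string on IOS.

```python
"""Lint IOS/ASA configuration lines for lab-only settings that should not
reach production. Added example, not the post's own code; samples are
constructed from commands shown in the post."""
import re

# Constructed from the 1841-2 commands in the post (IOS syntax).
IOS_SAMPLE = """\
hostname 1841-2
service password-encryption
enable password cisco
username cisco privilege 15 password cisco
line vty 0 4
 exec-timeout 0
 login local
line console 0
 no exec-timeout
"""

# Constructed from the ASA5505 commands in the post (ASA syntax).
ASA_SAMPLE = """\
hostname ASA5505
username cisco password cisco privilege 15
enable password cisco
access-list OUTSIDE-IN extended permit icmp any 172.16.0.0 255.255.0.0 echo
access-list OUTSIDE-IN extended permit tcp any 172.16.0.0 255.255.0.0 eq telnet
access-list OUTSIDE-IN extended permit tcp any 172.16.0.0 255.255.0.0 eq ssh
telnet 172.16.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 outside
crypto key generate rsa modulus 1024
ssh timeout 60
"""

WEAK_VALUES = {"cisco", "password", "admin"}   # constructed, deliberately short

# (platforms the check applies to, regex on the stripped line, severity, message)
CHECKS = [
    ({"ios"}, r"^enable password\s", "high",
     "'enable password' is reversible on IOS; use 'enable secret'"),
    ({"ios"}, r"^username \S+ .*\bpassword\s", "medium",
     "'username ... password' is reversible on IOS; use 'username ... secret'"),
    ({"asa"}, r"^access-list \S+ extended permit tcp any .* eq telnet$", "high",
     "telnet permitted through the firewall from any source"),
    ({"asa"}, r"^access-list \S+ extended permit tcp any .* eq ssh$", "medium",
     "ssh permitted through the firewall from any source"),
    ({"asa"}, r"^telnet \S+ \S+ \S+$", "medium",
     "telnet management access enabled (cleartext session)"),
    ({"asa"}, r"^(?:http|ssh) \S+ \S+ outside$", "medium",
     "management access (ASDM/SSH) permitted on the outside interface"),
    ({"asa"}, r"^crypto key generate rsa modulus (?:512|768|1024)$", "medium",
     "RSA host key shorter than 2048 bits"),
    ({"ios", "asa"}, r"^(?:exec-timeout 0(?: 0)?|no exec-timeout)$", "low",
     "idle sessions on this line never time out"),
]
COMPILED = [(p, re.compile(rx), sev, msg) for p, rx, sev, msg in CHECKS]

USER_PW = re.compile(r"^username (\S+)\b.*\bpassword (\S+)")
ENABLE_PW = re.compile(r"^enable password (\S+)$")


def weak_password_findings(line):
    """Flag literal password values equal to the username or a default word.
    Encrypted/hashed forms ('7 <hex>', '5 $1$...') do not match these patterns."""
    found = []
    m = USER_PW.match(line)
    if m:
        user, value = m.group(1).lower(), m.group(2).lower()
        if value in WEAK_VALUES or value == user:
            found.append(("high", f"weak password for local user '{m.group(1)}'"))
    m = ENABLE_PW.match(line)
    if m and m.group(1).lower() in WEAK_VALUES:
        found.append(("high", "weak enable password value"))
    return found


def audit_config(text, platform):
    """Return [(line_no, severity, message), ...] for one device's config.
    platform is 'ios' or 'asa'; leading whitespace of IOS sub-modes is ignored."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for platforms, rx, severity, message in COMPILED:
            if platform in platforms and rx.search(line):
                findings.append((number, severity, message))
        for severity, message in weak_password_findings(line):
            findings.append((number, severity, message))
    return findings


if __name__ == "__main__":
    for name, text, platform in (("1841-2", IOS_SAMPLE, "ios"), ("ASA5505", ASA_SAMPLE, "asa")):
        print(f"== {name} ({platform}) ==")
        for number, severity, message in audit_config(text, platform):
            print(f"  line {number:>2} [{severity:<6}] {message}")
```

Run it against a saved "show running-config" before moving a lab config anywhere that matters; on the IOS sample it reports the reversible enable and user passwords and the two lines without a timeout, on the ASA sample the from-any Telnet/SSH permits, the outside-interface management access and the short RSA key.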