ASA Firewall Configuration

Questions and Answers

Which command is used to revert an ASA 5506-X to its original factory settings?

  • configure factory-default (correct)
  • default configuration
  • restore factory-settings
  • erase startup-config

Which of the following commands is used to set the enable password on an ASA?

  • password enable <password>
  • set enable password <password>
  • enable secret password <password>
  • enable password <password> (correct)

Which command is used to encrypt all user passwords on the ASA?

  • password encryption aes (correct)
  • key config-key password-encryption
  • encrypt all passwords
  • enable password encryption

By convention, which interface on the ASA 5506-X is typically configured as the outside interface?

Answer: G1/1 (C)

Which command assigns a name and security level to an ASA interface?

Answer: nameif <if_name> security-level <value> (B)

What command is used to configure a default static route on an ASA?

Answer: route outside 0.0.0.0 0.0.0.0 <next-hop> (C)

What is the default timeout, in minutes, for Telnet sessions on an ASA before they are closed due to inactivity?

Answer: 5 (A)

Which command is used to enable SSH access to the ASA from a specific host?

Answer: ssh <ip_address> <mask> <interface> (B)

Which of the following is a recommended modulus size for RSA key generation when configuring SSH on an ASA?

Answer: 2048 bits (C)

Which command configures an ASA to use an NTP server?

Answer: ntp server <ip_address> (A)

Which command enables the DHCP server on a specific interface of the ASA?

Answer: dhcpd enable <interface> (B)

What is the default lease time, in seconds, for DHCP addresses assigned by the ASA?

Answer: 3600 (B)

Which command erases all service objects on an ASA?

Answer: clear config object service (B)

Which object group type is used to group TCP, UDP, or a mix of TCP and UDP ports on an ASA?

Answer: service (A)

If 'Host' is configured within a network object, what traffic qualifies?

Answer: A single host IPv4 or IPv6 address (A)

Which command is used to view the configuration of a specific object on an ASA?

Answer: show running-config object <object_name> (A)

What is a correct statement regarding the security levels of ASA interfaces, relative to each other?

Answer: Higher level interfaces cannot connect to any lower level ones without an ACL. (A)

When configuring an extended access list on an ASA, what does the any keyword represent regarding source or destination?

Answer: Any IP address (D)

What is the default behavior of an ASA regarding traffic attempting to pass from a lower security interface to a higher security interface?

Answer: All traffic is denied. (D)

What type of access list is used to identify destination IP addresses on an ASA?

Answer: Standard access list (C)

On the ASA, what type of access list would you use for client-less SSL VPN traffic to deny access based on destination URLs?

Answer: Webtype access list (C)

What command is used to add descriptive text to an access-list?

Answer: remark (C)

After creating an ACL on an ASA, what command is used to apply it to an interface?

Answer: access-group <name> in interface <interface_name> (A)

Which type of NAT is known as 'NAT with overload'?

Answer: Dynamic PAT (D)

Which command is used to configure dynamic NAT with overload on an ASA, using the interface IP address?

Answer: nat (inside,outside) dynamic interface (B)

Which command displays active NAT translations on an ASA?

Answer: show xlate (A)

When configuring static NAT, what does 'mapped-inline-host-ip' refer to?

Answer: The public IP address used for translation. (D)

What AAA function controls the commands and services available to an authenticated user?

Answer: Authorization (C)

Which command creates a local user account on an ASA?

Answer: username <name> password <password> (C)

To check AAA functioning, what command displays a list of all configured usernames?

Answer: show running-config username (D)

What global configuration mode command is used to authenticate users accessing privileged EXEC mode?

Answer: aaa authentication enable console (C)

In Modular Policy Framework (MPF), what is the purpose of a class map?

Answer: To identify the traffic to be processed. (A)

In MPF on an ASA, which of these is the correct command to create a Class Map called 'test'?

Answer: class-map test (B)

What command is used to apply a policy map to an interface on an ASA?

Answer: service-policy <name> interface <interface_name> (C)

Which MPF command sets rate limits for traffic in a class?

Answer: police (B)

Flashcards

ASA command line interface (CLI)

A proprietary OS with a similar look and feel to the router IOS.

configure factory-default

Global configuration mode command to restore the factory default configuration.

enable command

User EXEC mode command to enter privileged EXEC mode.

clock set command

A privileged EXEC command to set the date and time.

configure terminal command

A privileged EXEC command to enter global configuration mode.

hostname name

A command to set the device's hostname.

domain-name name

A command to set the default domain name.

enable password password

A command to set the enable password for privileged EXEC mode.

banner motd message

A command that configures a login banner.

key config-key password-encryption

A command to generate the encryption key.

password encryption aes

Command that enables password encryption and encrypts all user passwords.

show password encryption

A command to show the password encryption status.

ip address ip-address netmask

Command to assign an IP address to the interface.

ip address dhcp

A command used to configure an interface to receive its IP address via DHCP.

ip address pppoe

A command used to configure an interface to request an IP address via PPPoE from the upstream device.

nameif if_name

A command to name the interface.

security-level value

A command to set the security level of an interface.

no shutdown

A command to activate the interface.

route interface-name 0.0.0.0 0.0.0.0 next-hop-ip-address

Command used to configure a default static route.

{passwd | password} password

A command to set the login password for Telnet.

telnet { ipv4_address mask | ipv6_address/prefix } if_name

Command that identifies which network can Telnet to the ASA interface.

telnet timeout minutes

A command to alter the default EXEC timeout.

aaa authentication telnet console LOCAL

Configures Telnet access to authenticate against the LOCAL user database.

username name password password

Command that creates a local database entry.

LOCAL keyword

Case sensitive; a predefined server tag.

ssh { ip_address mask | ipv6_address/prefix } if_name

Identifies the host or network allowed SSH access to the ASA interface.

ssh version version_number

Restricts SSH connections to a specific version.

ssh timeout minutes

Modifies the SSH idle timeout.

crypto key generate rsa modulus modulus_size

Generates the RSA key pair required for SSH encryption.

ntp authenticate

Enables NTP authentication.

ntp trusted-key key_id

Specifies the ID of a trusted key used to authenticate the NTP server.

ntp authentication-key key_id md5 key

Sets the key used to authenticate the NTP server.

Service Protocol

Name or number.

access-list id extended

The ACL identifier is a name or number.

Study Notes

Module 21 Overview: ASA Firewall Configuration

  • Module focuses on implementing an ASA firewall configuration
  • Main topics: basic ASA firewall config, management settings, object groups, ACLs, NAT services, AAA, and service policies
  • An optional topic is introduction to ASDM

Module Activities

  • Module is associated with a range of syntax checkers, optional labs, packet tracers, understanding checks and a module quiz
  • Activities involve configuring various ASA features using the CLI, such as basic settings, interfaces, routing, NAT, AAA, and ACL.

Basic ASA Firewall Configuration

  • ASA CLI, a proprietary OS, mirrors the look and feel of a Cisco IOS router

Basic ASA Settings

  • Commands and keywords can be abbreviated in the ASA CLI
  • Tab key may be used to autocomplete partial commands
  • The help key (?) displays additional syntax after a command
  • ASA CLI commands function regardless of the current configuration mode prompt
  • The configure factory-default command resets the ASA to its original settings

ASA Default Configuration

  • ASA 5506-X comes with a default configuration suitable for basic SOHO deployment
  • Default hostname is ciscoasa
  • By default, the privileged EXEC and console line passwords are not configured

Changing Settings Options

  • Manually via the CLI
  • Using the CLI Setup Initialization Wizard
  • Using the ASDM Startup Wizard

ASA Interactive Setup Initialization Wizard

  • Prompts "Pre-configure Firewall now through interactive prompts [yes]?" if there's no startup configuration
  • Enter no to cancel and access the user EXEC mode
  • Enter yes or press Enter to start the wizard and configure settings interactively

Entering Global Configuration Mode

  • The default prompt, ciscoasa>, appears after erasing the ASA configuration, rebooting, and skipping the setup wizard
  • Use enable to enter privileged EXEC mode
  • Set the date and time with clock set or via NTP
  • Use configure terminal to enter global configuration mode

Configuring Basic Settings

  • hostname name: Sets the device hostname (up to 63 characters, letters, digits, and hyphens)
  • domain-name name: Defines the default domain
  • enable password password: Sets the privileged EXEC mode password as a case-sensitive string of 3-32 alphanumeric or special characters
  • banner motd message: Displays a "message-of-the-day" banner
  • key config-key password-encryption [new-pass [old-pass]]: Sets a passphrase (8-128 characters) to generate the encryption key
  • password encryption aes: Activates password encryption and encrypts all user passwords

Configuring Banners

  • For multi-line banners, the banner motd command must be entered multiple times (once per line)
  • The privileged EXEC password is encrypted automatically with MD5
  • Stronger AES encryption is enabled by configuring a master passphrase
  • Use key config-key password-encryption password to change the master passphrase, and show password encryption to check the status

Configuring Interfaces

  • ASA 5506-X has eight configurable Gigabit Ethernet interfaces
  • G1/1 is the outside interface by default and is set to receive its IP address via DHCP
  • The remaining interfaces, G1/2 through G1/8, are for inside networks or DMZs
  • Management1/1, a Gigabit Ethernet port, provides in-band management
  • The RJ45 console and USB ports provide out-of-band management connections

Interface IP Address Configuration Options:

  • Manual: Assigns a static IP and mask
  • DHCP: Obtains IP from an upstream DHCP server
  • PPPoE: Used for DSL connections

ASA Interface Commands:

  • ip address ip-address netmask: Assigns a static IP address to the interface
  • ip address dhcp: Obtains IP configuration from a DHCP server
  • ip address dhcp setroute: Also installs a default route using DHCP
  • ip address pppoe: Requests an IP address via PPPoE
  • ip address pppoe setroute: Includes default route installation via PPPoE
  • Each interface requires a security level from 0 (lowest) to 100 (highest)
  • Use the show interface ip brief command to verify interface addressing
  • Unlike IOS, the ASA accepts show commands from any configuration mode
  • nameif if_name: Names the interface with a string of up to 48 characters; names are not case sensitive
  • Do not use the no nameif command, because it deletes every command that refers to that interface name
  • security-level value: Sets security level from 0 (lowest) to 100 (highest)
  • no shutdown: Activates the interface

Default Static Route Configuration

  • Set up default route with the command route interface-name 0.0.0.0 0.0.0.0 next-hop-ip-address

Remote Access configuration

  • Managing the ASA 5506-X remotely over the CLI requires Telnet or SSH; use the commands listed in the table
  • The following commands enable the Telnet service
  • {passwd | password} password: Sets the Telnet login password (up to 80 characters)
  • telnet { ipv4_address mask | ipv6_address/prefix } if_name: Identifies the inside host or network that can Telnet to the ASA interface
  • clear configure telnet: Removes the Telnet configuration
  • telnet timeout minutes: Changes the idle timeout; by default, Telnet sessions idle for five minutes are closed
  • aaa authentication telnet console LOCAL: Configures Telnet to use the local database for authentication
  • Use the commands listed below to enable SSH

Enabling SSH

  • username name password password: Creates a local database entry for authentication
  • aaa authentication ssh console LOCAL: Configures SSH to use the local database for authentication; the LOCAL keyword is case sensitive and is a predefined server tag
  • crypto key generate rsa modulus modulus_size: Generates the RSA key pair required for SSH; the modulus size in bits can be between 512 and 2048
  • ssh { ip_address mask | ipv6_address/prefix } if_name: Identifies the inside host or network that can SSH to the ASA interface
  • ssh version version_number: Restricts SSH connections to a specific version
  • clear configure ssh: Removes the SSH configuration
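As an added example (not part of the original lesson), the SSH commands above combined into one hardened remote-access configuration; the account name and password, the hostname and domain name, the management subnet 192.168.10.0/24 and the interface name inside are constructed placeholders:

```cisco
! Local account that SSH logins will be checked against (constructed values)
username admin password Str0ngP@ssw0rd1 privilege 15
! Send SSH authentication to the LOCAL database (keyword is case sensitive)
aaa authentication ssh console LOCAL
! Hostname and domain name must exist before the RSA key pair can be generated
hostname ASA-FW
domain-name example.com
! 2048-bit modulus, the size recommended in this lesson
crypto key generate rsa modulus 2048
! Only the management subnet reachable via the inside interface may open SSH sessions
ssh 192.168.10.0 255.255.255.0 inside
! Allow SSH version 2 only and close idle sessions after 5 minutes
ssh version 2
ssh timeout 5
! Check the resulting SSH configuration
show running-config ssh
```

Telnet is intentionally left unconfigured here; with SSH in place there is no reason to enable the clear-text service.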

Configuring Network Time Protocol (NTP) Services

  • NTP must be enabled to keep the time and date accurate
  • Use the show ntp status and show ntp associations commands to verify the configuration and check status
  • Commands with descriptions:
  • ntp authenticate: Enables authentication for NTP
  • ntp trusted-key key_id: Specifies the ID of a trusted key used to authenticate the NTP server
  • ntp authentication-key key_id md5 key: Sets the key used to authenticate the NTP server
  • ntp server ip_address [ key key_id ]: Identifies an NTP server

Configuring DHCP Services

  • The ASA can be configured as a DHCP server to provide IP addresses and DHCP-related information to DHCP-enabled hosts
  • The ASA DHCP commands are listed below
  • dhcpd address IP_address [ - IP_address2 ] if_name: Defines the DHCP address pool; the pool must be on the same subnet as the ASA interface
  • dhcpd dns dns1 [ dns2 ]: (Optional) Specifies the IP addresses of the DNS servers
  • dhcpd lease length: (Optional) Sets the lease time, from 0 to 1,048,576 seconds; the default is 3600 seconds
  • dhcpd domain domain_name: (Optional) Specifies the domain name
  • dhcpd enable if_name: Enables the DHCP server on the inside interface

Configuring Object Groups

  • Object groups are reusable configuration components used throughout Cisco ASA configurations, including services and names
  • The object-group command supports the following types:
  • icmp-type: Specifies a group of ICMP types, such as echo
  • network: Specifies a group of host or subnet IP addresses
  • security: Specifies identity attributes such as security groups
  • service: Specifies a group of TCP/UDP ports and services
  • user: Specifies a single user, or a local or imported user group
  • Configure a network object group with the object-group network grp-name command, then add members with the network-object and group-object commands

Configuring Network Objects

  • Configure with the object network object-name command
  • Network objects include:
    • a host address,
    • a fully-qualified domain name,
    • a range of IP addresses,
    • an entire IP network or subnet
  • You can configure an attribute, attribute value, and description

Configure Service Objects

  • Optional operator keywords for the source/destination port are eq (equal), neq (not equal), lt (less than), gt (greater than), and range; the default operator is eq

Guidelines and Limitations

  • All object groups share the same name space
  • Each object group must have a unique name; one name identifies one group
  • An object group cannot be removed or emptied while it is used in a command
  • The ASA does not support IPv6 nested object groups

There are five types of object groups

  • Network: Specifies a list of IP addresses, subnets, and network addresses
  • User: Defines Active Directory user groups
  • Service: Groups TCP, UDP, or mixed TCP and UDP ports into one object; can also group TCP services, UDP services, ICMP services, and protocols such as GRE
  • ICMP-type: Groups ICMP types
  • Security: Used with Cisco TrustSec features to include a security group in an access rule

Configuring ASA ACLs

  • ASA ACLs are similar to IOS ACLs; an ACL is made up of one or more ACEs
  • ACLs are processed top down
  • Processing stops at the first ACE whose criteria match

Differences between ASA ACLs and IOS ACLs

  • ASA ACLs use network masks instead of wildcard masks
  • ASA ACLs are named, not numbered
  • By default, the ASA applies access control based on interface security levels, without any ACL configured

Types of ASA ACL Filtering

  • Through-traffic filters: Control traffic passing through the ASA from one interface to another; configure the ACL, then apply it to an interface
  • Terminating (to-the-box) filters: Control traffic that terminates on the ASA itself

The ASA supports five types of access lists:

  • Extended access list: The most common type
  • Standard access list: Identifies destination IP addresses (ASA only)
  • EtherType access list: Configured only in transparent mode
  • Webtype access list: Used for clientless SSL VPN traffic
  • IPv6 access list: Not needed for this module

Use the show access-list privileged EXEC command to display the configured ACLs

Elements of the ASA access-list command

  • ACL id: The ACL name
  • Action: The action type (permit or deny)
  • Source: Identifies a host, a network, or a network object group
  • Destination: Identifies the destination in the same way

Optional elements include the destination port, syslog logging, and a time range applied to the ACE

Applying ACLs

  • The access-group command applies a named ACL to an interface; the in or out keyword selects inbound or outbound packets

NAT Services on an ASA

  • NAT can be deployed using Inside NAT, Outside NAT, and Bidirectional NAT.
  • Common NAT types supported are dynamic PAT, static NAT, policy NAT, and identity NAT

Configuring Dynamic NAT

  • Identify the pool of public IP addresses with the range or subnet network object commands
  • Identify the internal addresses to be translated with the range or subnet network object commands
  • The two network objects are then bound together using the nat [(real_if_name,mapped_if_name)] dynamic mapped_obj [interface [ipv6]] [dns] network object command
    • real_if_name is the pre-NAT interface; mapped_if_name is the post-NAT interface

Configuring Dynamic PAT

  • Enables inside hosts to overload the outside interface address
  • Uses the nat [(real_if_name,mapped_if_name)] dynamic interface network object command, as shown in the example

Configuring Static NAT

  • Static NAT maps an inside address to a fixed mapped (public) address
  • To configure it, use the nat [(real_if_name,mapped_if_name)] static mapped-inline-host-ip network object command

Local Database and Servers

  • Use the username name password password [privilege priv-level] command to create a local user account, and the clear config username [name] command to erase a local user
  • To view user accounts, use the show running-config username command

AAA Configuration

  • AAA authentication commands on the ASA use the console keyword to identify the access method being authenticated (telnet, ssh, enable)
  • aaa authentication enable console: Global configuration command that authenticates users entering privileged EXEC mode

MPF

  • Modular Policy Framework
  • ciscoasa(config)# class-map class-name
  • ciscoasa(config)# policy-map policy-name
  • ciscoasa(config)# service-policy serv-name [ global | interface if-name ]

There are four steps to configure MPF on an ASA:

  • (Optional) Configure extended ACLs to identify granular traffic that can be specifically referenced in the class map
  • Configure the class map to identify traffic
  • Configure a policy map to apply actions to those class maps
  • Configure a service policy to attach the policy map to an interface

Configuring Class Maps and Traffic Types

  • To create and configure a class map, use the class-map class-name command

Other commands

  • Within the class map, traffic is identified with the match any command (matches all traffic) or the match access-list access-list-name command (matches traffic specified by an ACL)

Set Up and Activate a Policy

  • policy-map policy-name: Creates the policy map; common commands within it include set connection, inspect, and police
  • service-policy policy-name [ global | interface intf ]: Global configuration command that activates the policy
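As an added example (not code from the original lesson), the four MPF steps carried through for inbound web traffic on the inside interface; the ACL, class-map and policy-map names, the rate and connection limits, and the interface name inside are constructed placeholders:

```cisco
! Step 1 (optional): extended ACL selecting the traffic the class map will reference
access-list WEB-TRAFFIC extended permit tcp any any eq 80
! Step 2: class map that identifies that traffic via the ACL
class-map WEB-CLASS
 match access-list WEB-TRAFFIC
! Step 3: policy map applying actions to the class
policy-map INSIDE-POLICY
 class WEB-CLASS
  ! Application-layer inspection of HTTP
  inspect http
  ! Rate limit: 1,000,000 bps conform rate, 8,000-byte burst (constructed values)
  police output 1000000 8000
  ! Connection limits protect the host pool from exhaustion (constructed values)
  set connection conn-max 500 embryonic-conn-max 100
! Step 4: service policy attaching the policy map to the inside interface
service-policy INSIDE-POLICY interface inside
! Verify the policy and its per-interface counters
show running-config policy-map
show service-policy interface inside
```

Traffic not matched by WEB-CLASS is unaffected by this policy and continues to be handled by the ASA's default global policy.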
