Initial Setup

When the security appliance is booted with no configuration, it offers a setup menu that enables you to configure the initial parameters such as the device name and the IP address. You can choose to go through the initial setup menu for quick configuration.

In Example 4-4, a security appliance is prompting the user to specify whether they wish to go through the interactive menu to preconfigure the device. If a user types yes or selects the default option, the security appliance walks them through the configuration of ten parameters. The security appliance shows the default values in brackets ([]) before prompting the user to accept or change them. To accept the default input, press Enter. After going through the initial setup menu, the security appliance displays the summary of the new configuration before prompting the user to accept or reject them.

Example 4-4. Initial Setup Menu

Pre-configure Firewall now through interactive prompts [yes]? yes

Firewall Mode [Routed]:

Enable password []: cisco123

Allow password recovery [yes]?

Clock (UTC):

 Year [2003]: 2005

 Month [Aug]:

 Day [16]: 5

 Time [02:02:48]: 23:30:00

Inside IP address: 192.168.10.1

Inside network mask: 255.255.255.0

Host name: Chicago

Domain name: securemeinc.com

IP address of host running Device Manager: 192.168.10.100



The following configuration will be used:

Enable password: cisco123

Allow password recovery: yes

Clock (UTC): 23:30:00 Aug 5 2005

Firewall Mode: Routed

Inside IP address: 192.168.10.1

Inside network mask: 255.255.255.0

Host name: Chicago

Domain name: securemeinc.com

IP address of host running Device Manager: 192.168.10.100



Use this configuration and write to flash? yes

INFO: Security level for "inside" set to 100 by default.

Cryptochecksum: 1d3c3c10 b029b36d 9c95faaa 3b8dca37

1252 bytes copied in 3.330 secs (417 bytes/sec)

Chicago>

Table 4-2 lists all the parameters that can be configured in the initial setup menu. It also provides a brief description of each parameter along with the default and configured values.

Table 4-2. Initial Setup Parameters and Their Values

Parameter

Description

Default Value

Configured Value

Enable password

Specifies the enable password

None

cisco123

Firewall mode

Sets up the security appliance as a Layer 2 or 3 firewall

Routed

Routed

Inside IP address

Specifies the IP address on the inside interface

None

192.168.10.1

Inside subnet mask

Specifies the subnet mask on the inside interface

None

255.255.255.0

Host name

Sets the host name on the device

ciscoasa

Chicago

Domain name

Sets the domain name on the device

None

securemeinc.com

IP address of host running Device Manager

Specifies the IP address of the host machine responsible for managing the Cisco ASA

None

192.168.10.100

Clock

Sets up the current time on the Cisco ASA

varies

4:18 PM August 5th 2005

Save configuration

Prompts the user if configuration needs to be saved

Yes

Yes

Allow password recovery

Prompts the user if password recovery is allowed

Yes

Yes

If a user bypasses the initial setup, the same parameters and features can be set up by using the CLI commands discussed throughout this chapter. The next section discusses how to configure a device name from the CLI.

Tip

The initial setup process can be rerun by using the setup command in configuration mode.

 

Setting Up the Device Name

The default device name, also known as the host name, of a security appliance is ciscoasa. It is highly recommended that you set a unique device name to identify the security appliance on the network. In Example 4-5, the host name of the security appliance is changed to Chicago by using the hostname command. Because it is a configuration change, the administrator needs to go to configuration mode before the hostname command can be used. As soon as the host name is altered, the CLI prompt is changed to reflect this modification.

Example 4-5. Setting Up the Host Name

ciscoasa# configure terminal

ciscoasa(config)# hostname Chicago

Chicago(config)#

Networking devices usually belong to a network domain. A domain name can be specified on the security appliance, which appends the unqualified host names with the configured domain name. For example, if the security appliance tries to reach a host, secweb, by its host name and the configured domain name is securemeinc.com, then the fully qualified domain name (FQDN) will be secweb.securemeinc.com. The domain name is specified by using the domain-name command followed by the actual name of your organization's domain. As shown in Example 4-6, a domain name of securemeinc.com is set up in configuration mode.

Example 4-6. Setting Up the Domain Name

Chicago# configure terminal

Chicago(config)# domain-name securemeinc.com

Note

The domain name is necessary if RSA (Rivest, Shamir, and Adleman) keys need to be generated. These keys are used for Public Key Infrastructure (PKI) implementation and for secure access such as SSH and Secure Sockets Layer (SSL).

 

Configuring an Interface

Cisco ASA 5510 comes with four Fast Ethernet interfaces (Ethernet0/0Ethernet0/3) and a management interface (Managament0/0), while Cisco ASA 5520 and Cisco ASA 5540 have four Gigabit Ethernet interfaces (GigabitEthernet0/0GigabitEthernet0/3) and a management interface (Management0/0). The Fast Ethernet and Gigabit Ethernet interfaces are used to route traffic from one interface to another based on the configured policies, while the management interface is designed to establish out-of-band connections. By default, all of these interfaces are shut down, meaning no traffic can pass through them. You can enable these interfaces by issuing the no shutdown command under the interface sub-configuration mode. As shown in Example 4-7, the administrator is enabling the GigabitEthernet0/0 interface.

Example 4-7. Enabling an Interface

Chicago# configure terminal

Chicago(config)# interface GigabitEthernet0/0

Chicago(config-if)# no shutdown

Cisco ASA protects the internal network from external threats. Each interface is assigned a name to designate its role on the network. The most secure network is typically labeled as the inside network, whereas the least secure network is tagged as the outside network. For semitrusted networks, you can define them as demilitarized zones (DMZs).

If you go through the initial setup and configure an IP address and a subnet mask, the security appliance designates the GigabitEthernet0/1 interface as the inside interface on the Cisco ASA 5520 and 5540, while it designates Ethernet0/1 as the inside interface on the Cisco ASA 5510. You can also use the nameif command followed by the name to be assigned to the interface. You must use the interface name to set up the configuration features that are linked to an interface. In Example 4-8, the administrator has designated the GigabitEthernet0/0 interface as outside and GigabitEthernet0/1 as inside.

Example 4-8. Assigning Names to Interfaces

Chicago# configure terminal

Chicago(config)# interface GigabitEthernet0/0

Chicago(config-if)# nameif outside

Chicago(config-if)# exit

Chicago(config)# interface GigabitEthernet0/1

Chicago(config-if)# nameif inside

The security appliance also uses the concept of assigning security levels to the interfaces. The higher the security level, the more secure an interface is. Consequently, the security level is used to reflect the level of trust of this interface with respect to the level of trust of another interface on the Cisco ASA. The security level can be between 0 and 100. Therefore, the most secure network is placed behind the interface with a security level of 100. The security level is assigned by using the security-level command, as shown in Example 4-9. The inside interface has been configured with a security level of 100, and the outside interface with a security level of 0.

Note

The Cisco ASA allows you to assign the same security level to more than one interface. If communication is required for the hosts on the same security level interfaces, use the global configuration same-security-traffic permit inter-interface command.

 

Example 4-9. Assigning Security Levels

Chicago# configure terminal

Chicago(config)# interface GigabitEthernet0/0

Chicago(config-if)# nameif outside

Chicago(config-if)# security-level 0

Chicago(config-if)# exit

Chicago(config)# interface GigabitEthernet0/1

Chicago(config-if)# nameif inside

Chicago(config-if)# security-level 100

Note

When an interface is configured with a nameif command, the security appliance automatically assigns a preconfigured security level. If an interface is set up with an inside name, the security appliance assigns a security level of 100. For all the other interface names, the security appliance sets the security level to 0.

Additionally, if an interface is not assigned a security level, it does not respond back on the network layer.

The most important parameter under the interface configuration is the assignment of an IP address. This is required if an interface is to be used to pass traffic in the Layer 3 firewall, also known as routed mode. An address can be either statically or dynamically assigned. To assign an IP address to an interface, use the ip address command followed by an IP address and subnet mask. The complete syntax of the ip address command is shown here:

ip address ip_address [mask] [standby ip_address]

ip address dhcp setroute

The ip_address next to the ip address command is the static address to be configured to this interface and mask is the subnet mask for the respective IP address. If there is no mask specified, the security appliance assigns a default mask of a class for the configured IP address. The standby ip_address is also optional and it is used only if this interface participates in failover, discussed in Chapter 11, "Failover and Redundancy."

Note

If a security appliance is deployed in transparent mode, discussed in Chapter 10, "Transparent Firewalls," the IP address is configured in global configuration mode.

The security appliance also supports interface address assignment through a Dynamic Host Configuration Protocol (DHCP) server. This is a preferred method if an ISP dynamically allocates an IP address to the outside interface. The dhcp keyword indicates that a DHCP server will assign an IP address, while the setroute keyword informs the security appliance to use the DHCP server's specified default gateway as the default route.

Note

Chapter 6, "IP Routing," discusses how to configure default route to get connectivity to the networks that are not in the routing table.

In Example 4-10, a DHCP server is responsible for assigning an IP address on the outside interface, while a static IP address of 192.168.10.1 with a mask of 255.255.255.0 is set up on the inside interface.

Example 4-10. Assigning Interface IP Addresses

Chicago# configure terminal

Chicago(config)# interface GigabitEthernet0/0

Chicago(config-if)# nameif outside

Chicago(config-if)# security-level 0

Chicago(config-if)# ip address dhcp setroute

Chicago(config-if)# exit

Chicago(config)# interface GigabitEthernet0/1

Chicago(config-if)# nameif inside

Chicago(config-if)# security-level 100

Chicago(config-if)# ip address 192.168.10.1 255.255.255.0

Optionally, you can configure speed and duplex on an interface. Both parameters are set to auto by default and can be changed to avoid link negotiations. The command syntax to change the speed and duplex is as follows:

speed {auto | 10 | 100 | 1000}

duplex {auto | full | half}

The speed option is used to hard-code the interface connection speed to 10, 100, or 1000 Mbps. This option does not allow an interface to auto-negotiate link speed on the interface. The duplex option disables auto-negotiation of duplex parameters and limits an interface to act either in full or half-duplex mode. As demonstrated in Example 4-11, the outside interface is set up with a connection speed of 1000 Mbps using full-duplex mode.

Example 4-11. Configuring Speed and Duplex on an Interface

Chicago# configure terminal

Chicago(config)# interface GigabitEthernet0/0

Chicago(config-if)# nameif outside

Chicago(config-if)# security-level 0

Chicago(config-if)# ip address dhcp setroute

Chicago(config-if)# speed 1000

Chicago(config-if)# duplex full

Note

The management interface, discussed in the section titled "Configuring a Management Interface," is a FastEthernet interface, which only allows either 10 or 100 Mbps as the interface speed.

The Ethernet-based interfaces on the Cisco ASA 5500 series use the auto-MDI/MDIX (media-dependent interface/media-dependent interface crossover) feature, which does not require a crossover cable when connecting two similar type interfaces. They perform an internal crossover when a straight network cable connects two similar interfaces. This feature only works when both the speed and duplex parameters are set for auto-negotiations.

Caution

If the speed and duplex settings do not match the speed and duplex settings on the other end of the Ethernet connection, you will see packet loss, which will result in performance degradation.

The security appliance shows the output of interface-related parameters and counters information when the show interface command is used. As illustrated in Example 4-12, GigabitEthernet0/0 is set up as the outside interface and has an IP address of 209.165.200.225, while GigabitEthernet0/1 is set up as the inside interface with an IP address of 192.168.10.1.

Example 4-12. Output of show interface

Chicago# show interface

Interface GigabitEthernet0/0 "outside", is up, line protocol is up

 Hardware is i82546GB rev03, BW 1000 Mbps

 Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

 MAC address 0013.c480.90ee, MTU 1500

 IP address 209.165.200.225, subnet mask 255.255.255.224

 79855 packets input, 6345439 bytes, 0 no buffer

 Received 79692 broadcasts, 0 runts, 0 giants

 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

 75 packets output, 7806 bytes, 0 underruns

 0 output errors, 0 collisions

 0 late collisions, 0 deferred

 input queue (curr/max blocks): hardware (0/5) software (0/0)

 output queue (curr/max blocks): hardware (0/1) software (0/0)

 Received 79220 VLAN untagged packets, 4869649 bytes

 Transmitted 75 VLAN untagged packets, 6420 bytes

 Dropped 14202 VLAN untagged packets

Interface GigabitEthernet0/1 "inside", is up, line protocol is up

 Hardware is i82546GB rev03, BW 1000 Mbps

 Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

 MAC address 0013.c480.90ef, MTU 1500

 IP address 192.168.10.1, subnet mask 255.255.255.0

 79693 packets input, 6331839 bytes, 0 no buffer

 Received 79693 broadcasts, 0 runts, 0 giants

 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

 1 packets output, 64 bytes, 0 underruns

 0 output errors, 0 collisions

 0 late collisions, 0 deferred

 input queue (curr/max blocks): hardware (0/6) software (0/0)

 output queue (curr/max blocks): hardware (0/1) software (0/0)

 Received 79059 VLAN untagged packets, 4859061 bytes

 Transmitted 1 VLAN untagged packets, 28 bytes

 Dropped 14114 VLAN untagged packets

 

Configuring a Subinterface

Cisco ASA has a limited number of Ethernet-based interfaces and it currently does not allow adding more physical interfaces. However, you can divide a physical interface into multiple logical interfaces to increase the total number of interfaces. This is achieved by tagging each subinterface with a unique virtual LAN (VLAN) ID, which keeps the network traffic separate from other VLANs using the same physical interface. The security appliance uses the IEEE-specified 802.1Q trunking to connect the physical interface to an 802.1Q-enabled device.

The number of VLANs (subinterfaces) can range from 0 to 100 depending on the security appliance model and the license key used, as shown in Table 4-3.

Table 4-3. Supported Subinterfaces on the Security Appliances

Appliance Model

License Feature

Number of VLANs

ASA5510

Base License

0

ASA5510

Security Plus

10

ASA5520

Base Plus

25

ASA5520

VPN Plus

25

ASA5540

Base Plus

100

ASA5540

VPN Plus

100

ASA5540

VPN Premium

100

To create subinterfaces on an appliance, you can use the interface command followed by the interface name and the subinterface number, as shown in the following syntax:

interface physical_interface.subinterface

Here, physical_interface is the actual physical interface and subinterface is an integer between 1 and 4,294,967,295. Example 4-13 demonstrates how to create a subinterface 300 on GigabitEthernet0/0.

Example 4-13. Creating a Subinterface

Chicago# configure terminal

Chicago(config)# interface GigabitEthernet0/0.300

Once you have created a subinterface, the next step is to associate the interface with a unique VLAN identity. Assign a VLAN ID by using the vlan subinterface configuration command followed by the actual VLAN ID, which ranges between 1 and 4096. In Example 4-14, the administrator has linked GigabitEthernet0/0.300 to vlan 300. Although the subinterface number and the VLAN ID do not have to match, it is a good practice to use the same number for ease of management.

Example 4-14. Associating a VLAN ID to a Subinterface

Chicago# configure terminal

Chicago(config)# interface GigabitEthernet0/0.300

Chicago(config-if)# vlan 300

Caution

If the main physical interface is shut down, all the associated subinterfaces are disabled as well.

The subinterface is configured identically to a physical interface, using the nameif, security-level, and ip address commands. It does not, however, allow the use of speed and duplex commands, discussed in the previous section. Example 4-15 shows a subinterface GigabitEthernet0/0.300 configuration that is set up as a DMZ interface with the security level 30 and an IP address of 192.168.20.1/24 in VLAN 300.

Example 4-15. Configuring Subinterface Parameters

Chicago# configure terminal

Chicago(config)# interface GigabitEthernet0/0.300

Chicago(config-if)# vlan 300

Chicago(config-if)# nameif DMZ

Chicago(config-if)# security-level 30

Chicago(config-if)# ip address 192.168.20.1 255.255.255.0

Note

Even after creating the subinterfaces, a security appliance can still pass untagged traffic over the physical interface if the nameif, security-level, and ip address commands are configured.

 

Configuring a Management Interface

Cisco ASA 5500 appliances have a built-in Management0/0 port, which is designed to pass management-related traffic only. The management interface blocks all the traffic that is trying to pass through it and only permits traffic destined to the security appliance. This ensures that the management traffic is separate from the data traffic on an appliance. You can change this default behavior, however, to allow through traffic similar to the Gigabit Ethernet interfaces. Additionally, any Gigabit Ethernet or Fast Ethernet interface can act as a dedicated management interface when it is configured with the management-only command. As shown in Example 4-16, the Management0/0 interface is set up to allow through traffic, while GigabitEthernet0/2 is set up as the management-only interface.

Note

The base license on the Cisco ASA 5510 does not allow you to enable through traffic on the management interface.

 

Example 4-16. Configuring a Management-Only Interface

Chicago# configure terminal

Chicago(config)# interface GigabitEthernet0/2

Chicago(config-if)# management-only

Chicago(config-if)# exit

Chicago(config)# interface Management0/0

Chicago(config-if)# no management-only

Some general characteristics about a management interface include the following:

  • Routing protocols such as RIP and OSPF are supported on a management interface.
  • A subinterface can also act as a management interface if configured with the management-only command.
  • Multiple management interfaces are supported on an appliance.
  • Traffic through the security appliance is dropped on a management interface and a syslog message is generated to log this event.
  • VPN tunnels for remote management are allowed on a management interface.

DHCP Services

Cisco ASA can act as a DHCP server to hand out IP addresses to the end machines that are running the DHCP client services. The supported DHCP server options can be enabled by using the dhcpd command, as shown in Example 4-17.

Example 4-17. Supported DHCP Server Options

Chicago# configure terminal

Chicago(config)# dhcpd ?

configure mode commands/options:

 address Configure the IP pool address range after this keyword

 auto_config Enable auto configuration from client

 dns Configure the IP addresses of the DNS servers after this keyword

 domain Configure DNS domain name after this keyword

 enable Enable the DHCP server

 lease Configure the DHCPD lease length after this keyword

 option Configure options to pass to DHCP clients after this keyword

 ping_timeout Configure ping timeout value after this keyword

 wins Configure the IP addresses of the NETBIOS servers after this

 keyword

To configure the DHCP server on the security appliance, use the following steps:

Step 1.

Enable the DHCP server.

The first step in setting up the DHCP server is to enable it on an interface. Use the dhcpd enable command followed by the name of an interface. The security appliance runs the DHCP services on the configured interface. As shown in the following example, the administrator is enabling the DHCP services on the inside interface.
 

Chicago(config)# dhcpd enable inside
 

Step 2.

Define a DHCP pool of addresses.

The next step in setting up the DHCP server is to define a pool of addresses that can be assigned to a DHCP client. Use the dhcpd address command and configure a range of IP addresses. The pool of addresses is then bound to an interface. As shown in the following example, the administrator is setting up a pool of addresses that starts at 192.168.10.100 and ends at 192.168.10.200. This pool of addresses is bound to the inside interface.
 

Chicago(config)# dhcpd address 192.168.10.100-192.168.10.200 inside
 

Step 3.

Set up WINS, DNS, and domain-name options.

The DHCP server sends the WINS, DNS, and domain name when an address is offered to a DHCP client. The client computers do not need to be manually set up for these addresses. Use the dhcpd dns, dhcpd wins, and dhcpd domain commands to assign the DNS, WINS, and domain names to the DHCP clients. In the following example, the security appliance assigns 192.168.10.50 and 192.168.10.51 as the primary and secondary DNS addresses, 192.168.10.51 and 192.168.10.50 as the primary and secondary WINS addresses, and securemeinc.com as the domain name:
 

Chicago(config)# dhcpd dns 192.168.10.50 192.168.10.51

 Chicago(config)# dhcpd wins 192.168.10.51 192.168.10.50

 Chicago(config)# dhcpd domain securemeinc.com
 

Step 4.

Specify the DHCP timeout parameters.

Before the security appliance allocates an IP address to a DHCP client, it sends two ICMP request packets to the address it is about to assign. It waits for 50 milliseconds to receive an ICMP response. If a response is received, the security appliance assumes that the address is being used and thus does not assign it. This default ping timeout value can be changed by using the dhcpd ping_timeout command. If a response is not received, the security appliance allocates the IP address until the DHCP lease expires. Once the lease expires, the DHCP client is expected to return the assigned IP address. The default lease time setting of 3600 seconds can be changed by using the dhcpd lease. In the following example, the administrator has set up a ping timeout value of 20 milliseconds and a DHCP lease time of 86,400 seconds (1 day).
 

Chicago(config)# dhcpd lease 86400

Chicago(config)# dhcpd ping_timeout 20
 

Step 5.

Set up additional DHCP options (optional).

The security appliance allows you to assign DHCP option codes ranging from 0 to 255. These DHCP option codes are defined in RFC 2132 and can be set up on the security appliance by using the dhcp option command. In the following example, the DHCP option code 66 (TFTP server) is assigned to the DHCP clients with a TFTP server address of 192.168.10.10. This DHCP option code is typically used by the Cisco IP Phones to retrieve their configuration from the TFTP server.
 

Chicago(config)# dhcpd option 66 ip 192.168.10.10
 

Step 6.

Set up DHCP auto-configuration (optional).

In many network implementations, the security appliance acts as a DHCP client on one interface and a DHCP server on another interface. This is usually the case when the security appliance gets an IP address from the ISP's DHCP server on its outside interface. At the same time, it acts as a DHCP server to assign addresses to the DHCP clients connected on the inside networks. In this network scenario, the security appliance can pass the DNS, WINS, and domain-name information to the DHCP clients after it receives them from the DHCP server on its interface that acts as a DHCP client. This is achieved if the dhcpd auto_config command is set up with the interface name that acts as a DHCP client. In the following example, the security appliance is set up to pass DNS, WINS, and domain-name information, obtained on the outside interface, to the DHCP clients:
 

Chicago(config)# dhcpd auto_config outside
 

Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies



Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net