SCOR Lab 3: ASA Basic Configuration
In Lab 3: ASA Basic Configuration, participants typically engage in configuring a Cisco Adaptive Security Appliance (ASA) to establish a foundational network security posture. This lab involves tasks such as setting up basic interfaces, configuring IP addresses, and implementing security policies using Access Control Lists (ACLs) on the ASA. Participants may also explore basic NAT (Network Address Translation) configurations to enable connectivity between internal and external networks. The lab aims to provide hands-on experience in the initial setup and configuration of an ASA firewall, emphasizing the establishment of a secure network perimeter. Successful completion of Lab 3 equips participants with fundamental skills in configuring an ASA firewall to enhance network security and control traffic flow effectively.
Lab:
LAB Topology
This lab was developed on IOS Version 15.6(2)T and ASA Virtual 9.8. The objective of the lab is to get the devices ready for communication and then analyze how traffic flows between zones through the firewall.
Task 1: Initial Configuration:
Step 1: Configure all the routers with their respective IP addresses and static routes (refer to the LAB Topology).
Router#conf t
Router(config)#hostname IN
IN(config)#interface fa0/0
IN(config-if)#ip address 100.0.0.1 255.255.255.0
IN(config-if)#no sh
IN(config-if)#exit
IN(config)#ip route 0.0.0.0 0.0.0.0 100.0.0.10
IN(config)#line vty 0 4
IN(config-line)#password cisco
IN(config-line)#login
IN(config-line)#exit
IN(config)#exit
Router#conf t
Router(config)#hostname OUT
OUT(config)#interface fa0/0
OUT(config-if)#ip address 200.0.0.2 255.255.255.0
OUT(config-if)#no sh
OUT(config-if)#exit
OUT(config)#ip route 100.0.0.0 255.255.255.0 200.0.0.10
OUT(config)#ip route 1.1.1.0 255.255.255.0 200.0.0.10
OUT(config)#line vty 0 4
OUT(config-line)#password cisco
OUT(config-line)#login
OUT(config-line)#exit
OUT(config)#exit
Router#conf t
Router(config)#hostname DMZ
DMZ(config)#interface fa0/0
DMZ(config-if)#ip address 1.1.1.3 255.255.255.0
DMZ(config-if)#no sh
DMZ(config-if)#exit
DMZ(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.10
DMZ(config)#line vty 0 4
DMZ(config-line)#password cisco
DMZ(config-line)#login
DMZ(config-line)#exit
DMZ(config)#exit
Task 2: Configuration on ASA Firewall:
Step 1: Configure the ASA firewall with IP addresses and zone information (refer to the LAB Topology).
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# interface gi0/0
ciscoasa(config-if)# ip address 100.0.0.10 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# no sh
ciscoasa(config-if)# exit
ciscoasa(config)# interface gi0/1
ciscoasa(config-if)# ip address 200.0.0.10 255.255.255.0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# no sh
ciscoasa(config-if)# exit
ciscoasa(config)# interface gi0/2
ciscoasa(config-if)# ip address 1.1.1.10 255.255.255.0
ciscoasa(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no sh
ciscoasa(config-if)# exit
Step 2: Verify the IP address and zone information on the ASA firewall.
ciscoasa(config)# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         100.0.0.10      YES manual up                    up
GigabitEthernet0/1         200.0.0.10      YES manual up                    up
GigabitEthernet0/2         1.1.1.10        YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down up
GigabitEthernet0/4         unassigned      YES unset  administratively down up
GigabitEthernet0/5         unassigned      YES unset  administratively down up
GigabitEthernet0/6         unassigned      YES unset  administratively down up
Management0/0              unassigned      YES unset  administratively down up
ciscoasa(config)# show nameif
Interface                Name                     Security
GigabitEthernet0/0       inside                   100
GigabitEthernet0/1       outside                    0
GigabitEthernet0/2       dmz                       50
ciscoasa(config)# wr
Building configuration...
Cryptochecksum: 3002b2ff ef849a90 3814bb98 20c0a7c3
7324 bytes copied in 0.440 secs
[OK]
Step 3: Inspect the flow of traffic between zones through the ASA firewall.
IN#telnet 200.0.0.2
Trying 200.0.0.2 ... Open
User Access Verification
Password:
OUT>
ciscoasa(config)# sh conn
1 in use, 1 most used
TCP outside 200.0.0.2:23 inside 100.0.0.1:19180, idle 0:00:09, bytes 337, flags UIO
IN#telnet 1.1.1.3
Trying 1.1.1.3 ... Open
User Access Verification
Password:
DMZ>
ciscoasa(config)# sh conn
2 in use, 2 most used
TCP dmz 1.1.1.3:23 inside 100.0.0.1:24438, idle 0:00:02, bytes 119, flags UIO
DMZ#telnet 200.0.0.2
Trying 200.0.0.2 ... Open
User Access Verification
Password:
OUT>
ciscoasa(config)# sh conn
1 in use, 1 most used
TCP outside 200.0.0.2:23 dmz 1.1.1.3:39204, idle 0:00:05, bytes 127, flags UIO
OUT#telnet 100.0.0.1
Trying 100.0.0.1 ...
% Connection timed out; remote host not responding
OUT#telnet 1.1.1.3
Trying 1.1.1.3 ...
% Connection timed out; remote host not responding
DMZ#telnet 100.0.0.1
Trying 100.0.0.1 ...
% Connection timed out; remote host not responding