Configuring ASA from scratch
Notes on the following
Items shown in italics, like MyEnablePassword and OUTSIDE, are names for items that you can select. They are case sensitive. Set the names of items so that you can remember what they are later on. For example, you can replace OUTSIDE with ComcastInternet.
In my example below, the location I am at has the following IP addresses:
Inside the office: 10.131.1.0/24
IP address of the ASA interface facing the Internet: 1.1.1.2/28
Default gateway: 1.1.1.1
For our remote office, the internal IP address range is 10.9.6.0/24 and the IP address on the ASA interface facing the Internet is 2.2.2.2.
Initial Setup To Access The Internet
Connect the console cable.
After the ASA boots (if this is a new ASA, or you have issued the “write erase” command followed by the “reload” command), you should be prompted with
Pre-configure Firewall now through interactive prompts [yes]?
Answer “no”. At the “ciscoasa>” prompt type in:
en
When prompted with
Password:
just press <ENTER>. At the “ciscoasa#” prompt type in
conf t
You might be prompted with
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
Normally I put “No” as my answer
Now you should have a prompt that reads “ciscoasa(config)#”
Now – get your inside interface up
interface GigabitEthernet1/2
no shut
nameif INSIDE
security-level 100
ip address 10.131.1.1 255.255.255.0
set the enable password
enable password MyEnablePassword
Next, create a user to be used for SSH and HTTP access
username MyASAUsername password MyAdminPassword privilege 15
Use local authentication for SSH and HTTP
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
(optional) Use local authentication for enable
aaa authentication enable console LOCAL
Allow ssh from anywhere on your inside network
ssh 10.131.1.0 255.255.255.0 INSIDE
Generate your SSH key
crypto key generate rsa modulus 2048
(optional) Set up a DHCP server for your network. In my configuration, I also set up the PCode and TCode, as several devices on my network required the time zone they were in.
dhcpd address 10.131.1.100-10.131.1.200 INSIDE
dhcpd domain office.mydomain.com interface INSIDE
dhcpd dns 208.67.222.222 208.67.220.220 interface INSIDE
dhcpd option 101 ascii America/New_York interface INSIDE
dhcpd option 100 ascii EST5EDT4,,M3.2.0/2:00:00,M11.1.0/2:00:00 interface INSIDE
dhcpd enable INSIDE
save your current work
wr mem
set the hostname and domain name
hostname myasa
domain-name mydomain.com
set up your outside interface
interface GigabitEthernet1/1
no shut
nameif OUTSIDE
security-level 0
ip address 1.1.1.2 255.255.255.240
and the default route
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
NOTE: If you do not have a static IP address assigned to you, i.e. your ISP is providing your IP address via DHCP, use the following configuration
interface GigabitEthernet1/1
no shut
nameif OUTSIDE
security-level 0
ip address dhcp setroute
dhcpd auto_config OUTSIDE
In the case of using DHCP on the outside interface, you will not need the “route” command.
If you have the network cables plugged in, you will be able to ping things on the Internet and on your inside network. Test that now. Note – clients on your inside network will not be able to reach the Internet – yet.
You can check to see if clients on your inside network are getting addresses from the ASA by using the command
show dhcpd binding
Now, let's get the clients on your network to connect to the Internet
object network OBJ-NAT-INSIDE-OUTSIDE
subnet 10.131.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) dynamic interface
Permit the outside interface on the ASA to be pinged. First create an access list
access-list ACL-IN-OUTSIDE extended permit icmp any any
Then apply it to the OUTSIDE interface
access-group ACL-IN-OUTSIDE in interface OUTSIDE
Save your work
write mem
Set up a Site to Site VPN
First, we need to enable ikev1 on the outside interface
crypto ikev1 enable OUTSIDE
Now we need to set up some access lists and object-networks to indicate what addresses we are permitting traffic to/from on our VPN.
First the object-networks – one for our location here, one for our office #2
object network OBJ-HO-NET
subnet 10.131.1.0 255.255.255.0
object network OBJ-OFFICE2-NET
subnet 10.9.6.0 255.255.255.0
Now we are going to set up the access list
access-list VPN-HO-OFFICE2 line 1 extended permit ip object OBJ-HO-NET object OBJ-OFFICE2-NET
Now we need to set our NAT statement (note: that is not a typo. OBJ-HO-NET and OBJ-OFFICE2-NET each have to be entered twice, because this is an identity NAT: the real and mapped addresses are the same, so traffic destined for the tunnel is not translated by the dynamic PAT rule we created earlier)
nat (INSIDE,OUTSIDE) source static OBJ-HO-NET OBJ-HO-NET destination static OBJ-OFFICE2-NET OBJ-OFFICE2-NET
Create the tunnel group to tell the firewall it's a site to site VPN tunnel (“l2l”), and create a shared secret that will need to be entered at the OTHER end of the site to site VPN tunnel. I also set a keepalive value.
Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key MyVerySecretKeyNoOneKnows123
isakmp keepalive threshold 10 retry 2
exit
Now we need to create a policy that will set up how “Phase 1” of the VPN tunnel will be established. We have already put in a shared secret; this policy will make sure we use it. It also sets the encryption type (3DES), the hashing algorithm (SHA) and the level of PFS (Group 2). Finally it sets the timeout before Phase 1 needs to be re-established, to 86400 seconds (that’s 1440 minutes – or 24 hours if you're still confused :)
If you already have a crypto ikev1 policy for another VPN, make sure you use a policy number that is different from the existing policy, unless the policy is the same as the existing one, in which case you don't have to enter this
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
We stated above that we are going to use 3DES and SHA so we need a “Transform Set” that matches.
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Finally we need to create a “Cryptomap” to handle “Phase 2” of the VPN tunnel, which also will use 3DES and SHA and PFS. And last of all we apply that Cryptomap to the outside interface. Note – as you enter these lines you will get the message “WARNING: The crypto map entry is incomplete!” until you enter the last line. Don't worry!!!
crypto map CRYPTO_MAP 5 match address VPN-HO-OFFICE2
crypto map CRYPTO_MAP 5 set pfs group2
crypto map CRYPTO_MAP 5 set peer 2.2.2.2
crypto map CRYPTO_MAP 5 set transform-set ESP-3DES-SHA
and apply the CRYPTO_MAP to the OUTSIDE interface
crypto map CRYPTO_MAP interface OUTSIDE
Don't forget to save your work!!!
write mem
Repeat the above with the correct IP addresses on the other end and your VPN will be up!
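Since the policy above uses 3DES, SHA-1 and DH group 2, it is worth having something that reads back the config you just built and points out the settings a reviewer would question. The script below is an example I have added here; it is not code from the original post and not a Cisco tool. SAMPLE_CONFIG is constructed from the commands in this walkthrough (in the indented form “show running-config” prints them), and the severity labels and the lists of weak values are this script's own conventions.

```python
"""Audit an ASA running-config for the weak choices a reviewer would flag.

Added example, not part of the original post.  It walks a config of the
shape this walkthrough produces and reports on the IKEv1 policy, the
transform set, the PFS group, SSH management scope and the outside ACL.
SAMPLE_CONFIG is constructed from the post's commands; severities and
the weak-value tables are this script's conventions, not Cisco's.
"""

SAMPLE_CONFIG = """\
ssh 10.131.1.0 255.255.255.0 INSIDE
access-list ACL-IN-OUTSIDE extended permit icmp any any
access-group ACL-IN-OUTSIDE in interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRYPTO_MAP 5 set pfs group2
"""

# Weak values and why.  Anything not listed is left alone.
WEAK_ENCRYPTION = {"des": "56-bit key, broken", "3des": "deprecated (64-bit blocks, Sweet32)"}
WEAK_HASH = {"md5": "broken", "sha": "SHA-1, deprecated for new deployments"}
WEAK_DH_GROUP = {"1": "768-bit DH", "2": "1024-bit DH", "5": "1536-bit DH, below the 2048-bit floor"}
# IKEv1 policy keywords -> (severity, table) used by the audit.
POLICY_CHECKS = {"encryption": ("high", WEAK_ENCRYPTION),
                 "hash": ("medium", WEAK_HASH),
                 "group": ("high", WEAK_DH_GROUP)}


def parse_sections(text):
    """Split an ASA config into (header line, [indented sub-lines]) pairs."""
    sections, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit(text):
    """Return a list of (severity, config line, reason) findings."""
    findings = []
    for header, body in parse_sections(text):
        if header.startswith("crypto ikev1 policy"):
            for line in body:
                keyword, _, value = line.partition(" ")
                if keyword in POLICY_CHECKS and value in POLICY_CHECKS[keyword][1]:
                    sev, table = POLICY_CHECKS[keyword]
                    findings.append((sev, f"{header}: {line}", table[value]))
        elif header.startswith("crypto ipsec ikev1 transform-set"):
            # tokens after the set name, e.g. esp-3des esp-sha-hmac
            for alg in header.split()[5:]:
                name = alg.replace("esp-", "").replace("-hmac", "")
                if name in WEAK_ENCRYPTION:
                    findings.append(("high", header, f"ESP cipher {alg}: {WEAK_ENCRYPTION[name]}"))
                elif name in WEAK_HASH:
                    findings.append(("medium", header, f"ESP integrity {alg}: {WEAK_HASH[name]}"))
        elif header.startswith("crypto map") and " set pfs " in header:
            group = header.rsplit(" ", 1)[1].replace("group", "")
            if group in WEAK_DH_GROUP:
                findings.append(("high", header, f"PFS {WEAK_DH_GROUP[group]}"))
        elif header.startswith("ssh 0.0.0.0 0.0.0.0 "):
            findings.append(("high", header, "SSH management reachable from any address on this interface"))
        elif header.startswith("access-list") and " permit icmp any any" in header:
            findings.append(("low", header, "all ICMP types accepted; consider limiting to echo, unreachable and time-exceeded"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the config is clean."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for sev, line, reason in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {line} -> {reason}")
```

Feed it the output of “show running-config” copied from the console; the IKEv1 policy lines must keep their leading space so the parser attaches them to the policy header.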
Create a DMZ
There will be times you need to set up a machine that can be accessed from the Internet (for example a web server or mail server), but you don't want that machine sitting on your office network in the event it is compromised. So we will put it on its own separate network.
Set up the interface
interface GigabitEthernet1/3
no shut
nameif DMZ
security-level 10
ip address 10.132.1.1 255.255.255.0
Enable the equipment in the DMZ to access the Internet
object network OBJ-NAT-DMZ-OUTSIDE
subnet 10.132.1.0 255.255.255.0
nat (DMZ,OUTSIDE) dynamic interface
Enable the INSIDE network to securely access the DMZ
object network OBJ-NAT-INSIDE-DMZ
subnet 10.131.1.0 255.255.255.0
nat (INSIDE,DMZ) dynamic interface
We are going to set up our web server with the DMZ IP address of 10.132.1.2, and the Internet will be able to access our web server using the Internet-facing interface with the IP address of 1.1.1.2
object network OBJ-WEBSERV
host 10.132.1.2
nat (DMZ,OUTSIDE) static interface service tcp www www
Last thing – we need to create an access list to permit inbound connections to the web server. As we have already set up the access-group for the OUTSIDE interface, we just need to add a line to it:
access-list ACL-IN-OUTSIDE line 1 extended permit tcp any host 10.132.1.2 eq www
DMZ For A Second Web Server
We have a need for a second web server. Fortunately we have a /28 network on our OUTSIDE interface. To use 1.1.1.3 as the public address for our second web server, and 10.132.1.3 for the DMZ IP address, we need to add the following configuration
object network OBJ-WEBSERV2-OUTSIDE
host 1.1.1.3
object network OBJ-WEBSERV2
host 10.132.1.3
nat (DMZ,OUTSIDE) static OBJ-WEBSERV2-OUTSIDE service www www
access-list ACL-IN-OUTSIDE line 1 extended permit tcp any host 10.132.1.3 eq www
DMZ For A Mail Server
The above examples address inbound connections to a web server at a selected IP address. Occasionally, we need to make sure the outbound traffic from a server goes out a selected address. In the above examples, the outbound traffic goes out the interface IP address 1.1.1.2 – even in the example of the second web server.
Mail servers are one of those items where we need to control the outbound traffic, because email delivery depends on reverse DNS lookups of the sending address. In the following example we are going to set up an SMTP server using the addresses 1.1.1.3 and 10.132.1.4, but we are going to NAT the outbound traffic out 1.1.1.3 as well.
object network OBJ-MAIL-OUTSIDE
host 1.1.1.3
object network OBJ-MAIL
host 10.132.1.4
nat (DMZ,OUTSIDE) static OBJ-MAIL-OUTSIDE service smtp smtp
access-list ACL-IN-OUTSIDE line 1 extended permit tcp any host 10.132.1.4 eq smtp
object network OBJ-NAT-MAIL
host 10.132.1.4
nat (DMZ,OUTSIDE) dynamic OBJ-MAIL-OUTSIDE