Cisco ASA firewalls:
1. Enable password
configuration:
Enable password cisco
Username cisco password cisco
2. SSH configuration:
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
ssh 10.10.10.0 255.255.255.0 management
3. Copying asdm file into
ASA firewall:
copy tftp flash
remote host: laptop ip
file name: asdm-647.bin
destination: enter button
!!!!!...!!!!
Once you uploaded the firmware please check below options:
ASA1# dir
ASA1(config)# boot system disk0:/asa952-lfbff-k8.SPA
ASA1(config)# asdm image disk0:/asdm-752.bin
Once done the above steps, check below commands before boot
the appliance
ASA1# show bootvar
(config)# asdm image flash:/asdm-647.bin
4. post uploaded ASDM enable http server
(config)# http serve
http server enable
http 10.10.10.0 255.255.255.0 management
Step
1: Configure ASA interfaces and assign appropriate security levels
interface GigabitEthernet1/1 description to WAN nameif outside security-level 0 ip address 10.1.1.1 255.255.255.0!interface GigabitEthernet1/2 description to LAN nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 Step 2: Configure ASA as an Internet gateway, enable Internet access (PAT)
nat (inside,outside) after-auto source dynamic any interfacenat (dmz1,outside) after-auto source dynamic any interfaceAdd default route in appliance:
Route outside 0.0.0.0 0.0.0.0 10.1.1.2For ICMP Return traffic below are the commands:
It allows icmp return traffic to pass the ASA while the Ping is initiated from inside hosts.
“policy-map global_policyclass inspection_defaultinspect icmp”Step 3: Configure static NAT to web servers, grant Internet inbound access to web servers
object network WWW-EXT ( External IP ) host 10.1.1.10!object network WWW-INT ( Internal IP) host 192.168.1.10!nat (dmz1,outside) source static WWW-INT WWW-EXTACL for the static NAT (WAN>LAN):
access-list OUTSIDE
extended permit tcp any object WWW-INT eq www
access-list OUTSIDE extended permit icmp any4 any4 echo -----à ( Optional)
access-group OUTSIDE in interface outsideStep 4: Configure DHCP service on the ASA
dhcpd address 192.168.0.5-192.168.0.250 insidedhcpd dns 9.9.9.9 4.2.2.2dhcpd lease 3600 ---------à ( In seconds )
dhcpd ping_timeout 50dhcpd enable inside -----------à ( Enabling DHCP on inside interface )
dhcprelay timeout 60
Enable SSH access for admin:
ASA1(config)# hostname ASA1ASA1(config)# crypto key generate rsa modulus 1024ssh 12.2.1.0 255.255.255.0 outsidessh 192.168.0.0 255.255.0.0 insidessh timeout 30ssh version 2aaa authentication ssh console LOCAL DNS –Server:asa(config)#dns name-server 4.2.2.2
Step 7: Configure time and enable logging
ASA1# clock set 12:05:00 Jan 22 2016ASA1# clock timezone EST -5ASA1# clock summer-time EST recurringASA1# logging enableASA1# logging timestampASA1# logging buffer-size 512000ASA1# logging buffered debuggingCisco ASA 5506-X FirePOWER Configuration Example Part 2
Step 2: Verifying FirePOWER module status
ASA1# sho module Mod Card Type Model Serial No.---- -------------------------------------------- ------------------ -----------ASA 5506-X with FirePOWER services, 8GE, AC, ASA5506 JAD19280XXXsfr FirePOWER Services Software Module ASA5506 JAD19280XXXMod MAC Address Range Hw Version Fw Version Sw Version---- --------------------------------- ------------ ------------ ---------------1 5897.bd27.58d6 to 5897.bd27.58df 1.0 1.1.1 9.5(2)sfr 5897.bd27.58d5 to 5897.bd27.58d5 N/A N/A 5.4.1-211Mod SSM Application Name Status SSM Application Version---- ------------------------------ ---------------- --------------------------sfr ASA FirePOWER Up 5.4.1-211Mod Status Data Plane Status Compatibility---- ------------------ --------------------- -------------1 Up Sys Not Applicablesfr Up UpStep 3: Physical cabling
Step 4: Initial configuration of FirePOWER module:
On console CLI interface, enter the FirePOWER module using session command:
ASA1# session sfrDefault username / password: admin / SourcefireThe first time you access the FirePOWER module, you are prompted for basic configuration parameters.System initialization in progress. Please stand by.You must change the password for 'admin' to continue.Enter new password:Confirm new password:You must configure the network to continue.You must configure at least one of IPv4 or IPv6.Do you want to configure IPv4? (y/n) [y]:Do you want to configure IPv6? (y/n) [n]:Configure IPv4 via DHCP or manually? (dhcp/manual) [manual]:Enter an IPv4 address for the management interface [192.168.45.45]: 192.168.1.2Enter an IPv4 netmask for the management interface [255.255.255.0]:Enter the IPv4 default gateway for the management interface []: 192.168.1.1Enter a fully qualified hostname for this system [Sourcefire3D]:Enter a comma-separated list of DNS servers or 'none' []:Enter a comma-separated list of DNS servers or 'none' []:Enter a comma-separated list of DNS servers or 'none' []: 4.2.2.2Enter a comma-separated list of search domains or 'none' [example.net]:If your networking information has changed, you will need to reconnect.For HTTP Proxy configuration, run 'configure network http-proxy'Applying 'Default Allow All Traffic' access control policy.
Configure and Manage AS A FirePOWER Module using ASDM Part 3
Configure and Manage ASA FirePOWER Module using ASDM:
Step 1: Enable HTTP service
on the ASA:
By default, HTTP service is not enabled on the ASA. You
need first enable HTTP service and specify the network and interface where
access is allowed.http server enablehttp 192.168.0.0 255.255.255.0 insidehttp 192.168.1.0 255.255.255.0 management
Step 2: Open a web browser
and go to the management IP of the ASA
No comments:
Post a Comment