Friday, February 1, 2008

Basic Configuration for Cisco ASA 8.x

by Mark Lambiase, MultiFactor Corp

Introduction:


This guide will walk you through configuring a Cisco ASA 5505 as an SSL VPN server.
I have chosen the 5505 for a couple of reasons:

1) I have one available;
2) it is an inexpensive way to learn to configure the SSL VPN, and test the functionality.

Additionally, for a small organization it has plenty of power to actually serve as the SSL VPN gateway.
There is a caveat: the 5505 is different from the other ASA models. Its 8 Ethernet ports are switch ports, and as such cannot have IP addresses assigned to them. All of the 5505’s interfaces have to be VLAN interfaces, and the switch ports are, well, switch ports, so they are simply assigned to VLANs.

Basic ASA configuration


Out-of-the-box, to On-the-Net
Starting with a factory default system I need to do a few things before I can plug it in to the part of the network where I really want it.
First, since my 5505 shipped with v7.2 software I am going to upgrade it to 8.0(3). To do that I need to configure it to work on my inside network so it can connect to the tftp server. I am also going to install the most up-to-date version of the Adaptive Security Device Manager (ASDM, the management GUI). I am just going to reuse vlan 1 for this, but in general I do not like to use vlan 1 anywhere on the network. For this task I am going to console in to the ASA and work from the CLI.

Now, you cannot just go and change the IP address of the vlan 1 interface. The ASA will complain that the address does not match the subnet of the DHCP scope. You could just bring up a new interface, but if you, too, are working with a 5505 you probably have the 3-interface (DMZ restricted) limitation and cannot just fire up new interfaces, so we are going to delete the DHCP pool and then change the IP address. And, c’mon, are you really going to use 192.168.1.0/24 as your subnet?


    ciscoasa> en
    Password:
    ciscoasa# conf t
    ciscoasa(config)# no dhcpd enable inside
    ciscoasa(config)# no dhcpd address 192.168.1.2-192.168.1.129 inside
    ciscoasa(config)# interface vlan 1
    ciscoasa(config-if)# ip address 192.168.0.247 255.255.255.0

And I am going to just make sure that I can really see the tftp server:

    ciscoasa(config)# ping 192.168.0.30
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.0.30, timeout is 2 seconds:
    !!!!!

Now I copy the new ASA software to the 5505:

    ciscoasa(config)# copy tftp://192.168.0.30/asa803-k8.bin disk0:
    Address or name of remote host [192.168.0.30]?
    Source filename [asa803-k8.bin]?
    Destination filename [asa803-k8.bin]?
    Accessing tftp://192.168.0.30/asa803-k8.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Writing file disk0:/asa803-k8.bin...
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    14635008 bytes copied in 29.700 secs (504655 bytes/sec)

And the new ASDM:

    ciscoasa(config)# copy tftp://192.168.0.30/asdm-603.bin disk0:
    Address or name of remote host [192.168.0.30]?
    Source filename [asdm-603.bin]?
    Destination filename [asdm-603.bin]?
    Accessing tftp://192.168.0.30/asdm-603.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Writing file disk0:/asdm-603.bin...
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    6851212 bytes copied in 12.710 secs (570934 bytes/sec)

Now that we have some new software on the ASA, we want to use it, but we may not want to erase the old versions of ASA and ASDM just yet, so:

    ciscoasa(config)# boot system disk0:/asa803-k8.bin
    ciscoasa(config)# asdm image disk0:/asdm-603.bin

Just one thing left to do, save the changes we made, and reload:


    ciscoasa(config)# write memory

    Building configuration...
    Cryptochecksum: a3729f5a 5f885d75 12e4bbea 5323b96e
    1991 bytes copied in 1.470 secs (1991 bytes/sec)
    [OK]
    ciscoasa(config)# reload
    Proceed with reload? [confirm]

This will reboot the ASA with the new firmware we just copied to it.
Lots of good information comes across when you reboot an ASA. It is probably a good idea to make a copy of it, just to keep on file somewhere. The ASA identifies the software it is booting from, some memory information, modules installed, interfaces, ASA license, some platform info and an acceptable use statement. The only thing that might really be useful is the interface MACs, but storage is cheap, it is only text, and it is something that you should put your eyes on at least once.

At this point there are a few options:
- Set up the ASA interfaces, routes or routing, and place it in its proper place on the network, or;
- Configure it where it is as much as possible and put it in its proper place later.

I am going to set the ASA up for my network, put it in place, and configure the VPN once it is on the network.

You can view the config of the ASA with the configuration up to this point at (config 1).


Next:
- disconnect the Ethernet
- configure hostname and domain
- configure the interfaces
    * outside
        - remove the ‘dhcpd auto_config outside’ statement
    * inside
- configure routing or static routes
- configure administrative access for your network
    * don’t forget to change the passwords, add users, etc.
- save the config
- move the ASA

Now that we have updated code on the ASA we are going to do just a little more prep work and then put it on the network. First, we are going to disconnect the Ethernet that we had plugged in so that when we change the address to another subnet we do not have any weird happenings. Then we will configure a few additional basic settings and move it to its real location on our network.

Disconnect the Ethernet:
If I have to explain how to do this, well, maybe you should not be configuring the ASA in the first place.

Configure the ‘hostname’ and domain:
This is the hostname and domain that is associated with the ‘outside’ interface of the ASA.


    ciscoasa# conf t

    ciscoasa(config)# hostname 5505
    5505(config)# domain-name multifa.com

Configuring the Interfaces:
I mentioned that I do not like to use VLAN 1. This is also a base-licensed 5505, so I have a 3 interface limitation. In order to set up new vlan interfaces I am going to have to get rid of the old ones first. Once that is done I will create the new interfaces and configure them.
First we are going to remove the dhcpd auto_config statement. If we do not do this first, and remove the interface, we will have to wait until we create our interfaces, bind the statement to one of our interfaces, and then remove it. (The ASA will think the command is incomplete without the interface, and once we remove the interface it is dropped from the config, so if we don’t want it we will save time by just doing it now.)

    5505(config)# no dhcpd auto_config outside
    5505(config)# no interface vlan 1
    5505(config)# no interface vlan 2

    5505(config)# interface vlan 3
    5505(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.
    5505(config-if)# description inside interface
    5505(config-if)# ip address 192.168.1.20 255.255.255.0

Note: The security-level for this interface was automatically set to the highest level. That is because I named it ‘inside’. Had I chosen any other name, the security-level would have automatically been set to ‘0’, the lowest security-level, and I would have had to manually set the security-level of this interface to the appropriate value.

I am going to remove the interface I just created and then add it again, but this time with a different name, and then change the security level:


    5505(config-if)# no int vlan 3

    5505(config)# int vlan 3
    5505(config-if)# nameif wan
    INFO: Security level for "wan" set to 0 by default.
    5505(config-if)# security-level 100
    5505(config-if)# ip address 192.168.1.20 255.255.255.0
    5505(config-if)# description inside interface

    5505(config)# interface vlan 101
    5505(config-if)# nameif outside
    INFO: Security level for "outside" set to 0 by default.
    5505(config-if)# description outside interface
    5505(config-if)# ip address 208.179.252.201 255.255.255.224

Set up your routes. Mine are basic:

    5505(config)# route outside 0.0.0.0 0.0.0.0 208.179.252.193
    5505(config)# route inside 192.168.0.0 255.255.0.0 192.168.1.1

Administrative Access:
Now, you don’t want to have to do everything from the console, so let’s get the ASA configured for remote access. We are going to configure ASDM and SSH access. ASDM has come a long way, is easy to use, and can configure pretty much everything you will want your ASA to do. In my opinion there are still a few things that are easier at the command line, but I perform most of the configuration of the SSL VPN from the GUI. Additionally, a number of elements of the SSL VPN are configured in files besides the startup/running config on the ASA. These include customizations, Dynamic Access Policies (DAP) and others, so we have reached a point where today you cannot truly configure everything in your ASA from the command line. Maybe one day we will get ‘vi’ ported in to the ASA code, but until then you will need to either use ASDM, or write the config files for the specific elements in a text editor and import them into the ASA.

So, ASDM is important to us. Oh, and we want to use this ASA for SSL VPN. Just to keep things clean, let’s run ASDM on a port other than 443.

    5505(config)# http server enable 60443

And, we let the inside network manage the ASA:

    5505(config)# http 192.168.0.0 255.255.0.0 inside
    5505(config)# ssh 192.168.0.0 255.255.0.0 inside

You may or may not want to allow access from the outside. If you do, and it is possible, limit the IP addresses it is accessible from. In this example I allow access from everywhere on the outside interface (guess I had better use a good password):

    5505(config)# http 0.0.0.0 0.0.0.0 outside
    5505(config)# ssh 0.0.0.0 0.0.0.0 outside


Next, we set up an account to log in to and configure a little AAA:

    5505(config)# username admin password sslt3st privilege 15
    5505(config)# aaa authentication ssh console LOCAL
    5505(config)# aaa authentication http console LOCAL
    5505(config)# aaa authentication enable console LOCAL
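As an added example (not from the original post and not Cisco's or MultiFactor's code), a small Python audit that reads a saved `show run` and flags the management-access settings this section warns about: `http`/`ssh` statements open to any source on an interface below security-level 100, and a management protocol enabled without its matching `aaa authentication ... console` line. The sample config is constructed in the style of Config 2, with the demo's any-source outside lines included.

```python
import re
# Constructed sample in the style of the page's Config 2, plus the permissive
# 'http/ssh 0.0.0.0 0.0.0.0 outside' lines the author added for the demo.
SAMPLE_CONFIG = """\
interface VLAN3
 nameif inside
 security-level 100
interface VLAN101
 nameif outside
 security-level 0
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

# 'http|ssh <network> <mask> <nameif>' management-access statements.
ACCESS_RE = re.compile(r"^(http|ssh)\s+([\d.]+)\s+([\d.]+)\s+(\S+)$")
AAA_RE = re.compile(r"^aaa authentication (ssh|http|enable) console", re.M)

def security_levels(config: str) -> dict:
    """Map each nameif to its security-level by walking the interface stanzas."""
    levels, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels

def audit_management_access(config: str) -> list:
    """Flag any-source http/ssh on interfaces below level 100 and protocols lacking AAA."""
    findings, levels = [], security_levels(config)
    authed, seen = set(AAA_RE.findall(config)), set()
    for line in config.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        proto, _net, mask, iface = m.groups()
        seen.add(proto)
        level = levels.get(iface, 0)  # unknown nameif is treated as untrusted
        if mask == "0.0.0.0" and level < 100:
            findings.append(f"{proto} open to any source on {iface} (security-level {level})")
    findings += [f"{p} access without 'aaa authentication {p} console'" for p in seen - authed]
    return findings
```

Running it against a real `show run` capture (paste it in place of the constructed sample) gives the list of findings to tighten before moving the ASA onto the network.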

A brief note on shared accounts:
I created an admin account, but only for this demo. There is really no need to set up shared accounts, and lots of good reasons not to. One of the most important aspects of NOT using shared accounts is an audit trail of administrative access and activity. Cisco Secure ACS has an excellent accounting mechanism that will detail administrative activity.

All we have to do now is save the config and move it to the proper place on our network.

A copy of the config up to this point can be viewed at (Config 2).




MultiFactor SecureAuth Protects Cisco® SSL VPNs


Cisco® has created a truly fantastic SSL VPN offering on the ASA 5500 Series Adaptive Security Appliance. MultiFactor's team of developers and engineers have taken the world-unique SecureAuth strong authentication solution and integrated it tightly to secure your Cisco ASA SSL VPN.

To learn more about MultiFactor SecureAuth visit us at www.MultiFA.com or send us an email and ask for a demonstration.




Config 1

    ciscoasa# sh run
    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.247 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot system disk0:/asa803-k8.bin
    ftp mode passive
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a3729f5a5f885d7512e4bbea5323b96e
    : end
    ciscoasa#



Config 2

    5505# sh run
    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname 5505
    domain-name multifa.com
    enable password 8RyXXXXXXXXRXU24 encrypted
    names
    !
    interface VLAN3
    description inside interface
    nameif inside
    security-level 100
    ip address 192.168.1.20 255.255.255.0
    !
    interface VLAN101
    description outside interface
    nameif outside
    security-level 0
    ip address 208.179.252.201 255.255.255.224
    !
    interface Ethernet0/0
    switchport access VLAN 101
    !
    interface Ethernet0/1
    switchport access VLAN 3
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd XXXXXXXXXXX encrypted
    boot system disk0:/asa803-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name multifa.com
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 200.000.000.1 1
    route inside 192.168.0.0 255.255.0.0 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    aaa authentication enable console LOCAL
    http server enable 60443
    http 192.168.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    username admin password XXXXXXXXXXX encrypted privilege 15
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:3e5fb25ce9fac5cbc24dc23ece539b3e
    : end
    5505#



Copyright 2008. MultiFactor Corporation. All Rights Reserved.