Cisco Security Appliances
Lesson 3
SNPA v5.03-1
User Interface
SNPA v5.03-2
Access mode      Prompt
Unprivileged     ciscoasa>
Privileged       ciscoasa#
Configuration    ciscoasa(config)#
Monitor          monitor>
SNPA v5.03-3
ciscoasa>
enable [priv_level]
Used to control access to privileged mode; from privileged mode you can enter the other access modes.
On a factory-default appliance the enable password is blank (press Enter at the password prompt); set one with the enable password command before the appliance is reachable over any network.
ciscoasa> enable
password:
ciscoasa#
2007 Cisco Systems, Inc. All rights reserved.
SNPA v5.03-4
configure terminal
Used to start configuration mode to enter
configuration commands from a terminal
ciscoasa#
exit
Used to exit from an access mode
ciscoasa> enable
password:
ciscoasa# configure terminal
ciscoasa(config)# exit
ciscoasa# exit
ciscoasa>
SNPA v5.03-5
help Command
help or ? lists the commands available in the current access mode; help followed by a command name shows that command's syntax. In unprivileged mode the list is short:
ciscoasa> ?
enable
exit
login
logout
perfmon
ping
quit
File Management
SNPA v5.03-7
[Figure: configuration changes are made to the running config in RAM; write memory copies it to the saved startup config in flash]
show running-config    Displays the running configuration (the active configuration in RAM)
show startup-config    Displays the saved startup configuration in flash
write memory           Saves the running configuration to the startup configuration
write terminal         Displays the running configuration on the terminal (equivalent to show running-config)
SNPA v5.03-8
[Figure: running configuration (default), shown at the ciscoasa(config)# prompt]
SNPA v5.03-9
[Figure: running configuration (default), shown at the ciscoasa# prompt]
write erase
Clears the startup configuration
SNPA v5.03-10
ciscoasa# reload
Proceed with reload?[confirm] y
Rebooting...
SNPA v5.03-11
Security Appliance Security Levels
SNPA v5.03-12
SNPA v5.03-13
[Figure: outside network on GigabitEthernet0/0 (g0/0) toward the Internet, inside network on GigabitEthernet0/1 (g0/1)]
GigabitEthernet0/0: security level 0, interface name = outside
GigabitEthernet0/1: security level 100, interface name = inside
Security levels range from 0 (least trusted) to 100 (most trusted). By default, traffic may be initiated from a higher-security interface to a lower-security one, but not the reverse unless an access list permits it.
SNPA v5.03-14
Basic Security Appliance Configuration
SNPA v5.03-15
[Figure: three-interface appliance (g0/0 toward the Internet, g0/1, g0/2) with servers on each network]
SNPA v5.03-16
[Figure: a Boston appliance (asa2) and a Dallas appliance (asa3), each with a server behind it, connected across the Internet]
ciscoasa(config)#
hostname newname
Changes the hostname in the security appliance CLI prompt
SNPA v5.03-17
[Figure: GigabitEthernet0/0 (g0/0) toward the Internet, GigabitEthernet0/1 (g0/1) inside]
ciscoasa(config)#
interface hardware_id
Enters interface configuration mode for a physical interface, for example interface GigabitEthernet0/0; the prompt changes to ciscoasa(config-if)#
SNPA v5.03-18
[Figure: g0/0 = GigabitEthernet0/0, interface name = outside; g0/1 = GigabitEthernet0/1, interface name = inside; g0/2 unnamed]
ciscoasa(config-if)#
nameif if_name
Assigns a name to an interface on the security appliance. An interface passes no traffic until it has a name.
SNPA v5.03-19
[Figure: g0/0 and g0/1]
GigabitEthernet0/0: interface name = outside, IP address = 192.168.1.2
ciscoasa(config-if)#
ip address ip_address [netmask]
Assigns a static IP address and mask to the interface
SNPA v5.03-20
DHCP-Assigned Address
[Figure: a DHCP server on the outside network assigns the address of g0/0 toward the Internet]
GigabitEthernet0/0: interface name = outside, IP address = dhcp
ciscoasa(config-if)#
ip address dhcp
Obtains the interface address from a DHCP server instead of a static assignment
SNPA v5.03-21
[Figure: g0/0 and g0/1]
GigabitEthernet0/0: interface name = outside, IP address = 192.168.1.2, security level = 0
ciscoasa(config-if)#
security-level number
Assigns a security level (0 to 100) to the interface. nameif inside sets 100 automatically; any other name starts at 0 until security-level is set.
SNPA v5.03-22
[Figure: three interfaces: g0/0 toward the Internet, g0/1 to the inside network, g0/2 to the dmz]
GigabitEthernet0/2: security level 100, interface name = dmz
GigabitEthernet0/1: security level 100, interface name = inside
(The figure shows the dmz at security level 100, equal to inside; the configuration example later in this lesson assigns the dmz level 50.)
ciscoasa(config)#
SNPA v5.03-23
ciscoasa(config-if)#
speed 1000
duplex full
Set the interface speed and duplex explicitly; auto is the default for both.
[Figure: g0/0 and g0/1; GigabitEthernet0/0 with speed = 1000, duplex = full]
SNPA v5.03-24
[Figure: g0/0, g0/1 and the dedicated Management0/0 (m0/0) interface]
ciscoasa(config-if)#
management-only
Configures an interface to accept management traffic only
no management-only
Disables management-only mode (for ASA 5520, 5540 and 5550)
asa1(config)# interface management0/0
asa1(config-if)# no management-only
SNPA v5.03-25
[Figure: g0/0 and g0/1; GigabitEthernet0/0 enabled]
ciscoasa(config-if)#
shutdown
Disables an interface; no shutdown enables it. Physical interfaces are administratively down until enabled.
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# no shutdown
SNPA v5.03-26
NAT
[Figure: inside host 10.0.0.11 (local) appears on the Internet as 192.168.0.20 (mapped); the diagram also shows the address 192.168.10.11 and a second inside host, 10.0.0.4]
Translation table:
Inside local    Outside mapped pool
10.0.0.11       192.168.0.20
SNPA v5.03-27
[Figure: the same topology with the address 200.200.200.11 on the Internet side; the translation table again maps inside local 10.0.0.11 to outside mapped-pool address 192.168.0.20]
asa1(config)# nat-control
With nat-control enabled, a packet crossing from one interface to another must match a nat/global or static translation; a packet with no matching translation is dropped.
SNPA v5.03-28
nat Command
[Figure: inside hosts 10.0.1.11 and 10.0.1.4 are translated to an address X.X.X.X on the way to the Internet]
ciscoasa(config)#
nat (if_name) nat_id local_ip [netmask]
Specifies which local addresses on the named interface are eligible for translation; nat_id ties them to the global pool with the same ID
SNPA v5.03-29
global Command
[Figure: inside host 10.0.1.11 (10.0.1.4 also on the inside) appears on the Internet as 192.168.1.20, taken from the mapped pool]
ciscoasa(config)#
global (if_name) nat_id {mapped_ip[-mapped_ip] | interface}
Defines the pool of mapped addresses on the outgoing interface; nat statements with the same nat_id translate into this pool
SNPA v5.03-30
Static Route
[Figure: default route to the Internet via 192.168.1.1; route to host 10.1.1.11 (10.1.1.4 on the same network) via the inside router 10.0.1.102]
ciscoasa(config)#
route if_name ip_address netmask gateway_ip [metric]
Adds a static route out of the named interface; 0.0.0.0 0.0.0.0 is the default route
SNPA v5.03-31
[Figure: outside router .1 toward the Internet, appliance .2; inside network 10.0.1.0 with the appliance at .1 and insidehost at .11 (10.0.1.11)]
ciscoasa(config)#
names
name ip_address name
names enables the use of symbolic names; name binds a name to an IP address so later commands can use the name instead of the address
asa1(config)# names
asa1(config)# name 172.16.1.2 bastionhost
asa1(config)# name 10.0.1.11 insidehost
SNPA v5.03-32
Configuration Example
[Figure: 192.168.1.0 outside network (appliance .2, router .1, Internet beyond); 10.0.1.0 inside network (appliance .1); 172.16.1.0 dmz; 10.1.1.0 network behind the inside router]
GigabitEthernet0/0: interface name = outside, security level = 0, IP address = 192.168.1.2
GigabitEthernet0/1: interface name = inside, security level = 100, IP address = 10.0.1.1
SNPA v5.03-33
GigabitEthernet0/2: interface name = dmz, security level = 50, IP address = 172.16.1.1
[Figure: same topology, with insidehost 10.1.1.11 on the 10.1.1.0 network]
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 speed 1000
 duplex full
 ip address 172.16.1.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
hostname asa1
names
name 172.16.1.2 bastionhost
name 10.1.1.11 insidehost
The passwd line shown is the factory default (the hash of the word cisco, used for Telnet and SSH logins); replace it before enabling remote management.
SNPA v5.03-34
Default Route, Static Route and Mapped Pool
[Figure: default route to the Internet via 192.168.1.1 on the outside (192.168.1.0, appliance .2); static route to 10.1.1.0 (insidehost 10.1.1.11) via the inside router 10.0.1.102; mapped pool 192.168.1.20-254 on the outside; dmz 172.16.1.0 at .1]
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.168.1.20-192.168.1.254
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.1.1.0 255.255.255.0 10.0.1.102 1
SNPA v5.03-35
Examining Security Appliance Status
SNPA v5.03-36
show Commands
asa1# show run interface
. . .
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
. . .
show interface
Displays the status, addressing and traffic counters of each interface
SNPA v5.03-37
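Added example, not Cisco's code and not from the original slides: a Python script that parses the interface blocks from a show running-config dump like the one above, builds the nameif-to-security-level table, applies the lesson's default rule (a higher level may initiate traffic to a lower one; lower to higher is denied unless permitted) and reports the findings a reviewer would raise before the appliance goes online. The sample config is constructed from the show run interface output above, the dmz block of the configuration example and the default passwd line; the hash 2KFQnbNIdI.2KYOU is the factory-default password cisco. The Management0/0 block and the management-only check are assumptions added for this example.

```python
"""Parse ASA interface blocks, apply the default security-level rule, and
audit a few things a reviewer checks on a new box. Example code written for
this page; the sample config is constructed from the lesson's slides."""
import re

SAMPLE_CONFIG = """\
hostname asa1
passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Management0/0
 shutdown
!
"""

# The passwd hash every factory-default ASA ships with: the password "cisco".
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"


def parse_interfaces(config):
    """Return {hardware_id: {nameif, security_level, ip, shutdown, management_only}}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            # Top-level line: 'interface X' opens a block; '!' or any other command closes it.
            m = re.match(r"interface (\S+)", raw)
            if m:
                current = {"nameif": None, "security_level": None, "ip": None,
                           "shutdown": False, "management_only": False}
                interfaces[m.group(1)] = current
            else:
                current = None
            continue
        if current is None:
            continue
        tok = raw.split()
        if tok[0] == "nameif":
            current["nameif"] = tok[1]
        elif tok[0] == "security-level":
            current["security_level"] = int(tok[1])
        elif tok[:2] == ["ip", "address"] and len(tok) >= 3:
            current["ip"] = tok[2]          # a literal address or the word 'dhcp'
        elif tok[0] == "shutdown":
            current["shutdown"] = True
        elif tok[0] == "management-only":
            current["management_only"] = True
    return interfaces


def security_levels(interfaces):
    """nameif -> security level for every enabled, named interface."""
    return {p["nameif"]: p["security_level"] for p in interfaces.values()
            if p["nameif"] and p["security_level"] is not None and not p["shutdown"]}


def default_policy_permits(levels, src_if, dst_if):
    """The lesson's rule: higher level may initiate to lower; lower to higher is
    denied unless an access list permits it. Equal levels are denied by default
    too (they need same-security-traffic permit inter-interface)."""
    for name in (src_if, dst_if):
        if name not in levels:
            raise KeyError(f"unknown or disabled interface: {name}")
    return levels[src_if] > levels[dst_if]


def audit(config):
    """Findings a reviewer would raise before the appliance goes on the wire."""
    findings = []
    if re.search(rf"^passwd {re.escape(DEFAULT_PASSWD_HASH)} encrypted", config, re.M):
        findings.append("passwd is the factory default ('cisco'); change it before enabling Telnet/SSH")
    if re.search(r"^hostname ciscoasa$", config, re.M):
        findings.append("hostname is still the factory default")
    for hw, p in parse_interfaces(config).items():
        if p["shutdown"]:
            continue
        if p["nameif"] is None:
            findings.append(f"{hw}: enabled but has no nameif, so it passes no traffic")
        elif p["security_level"] is None:
            findings.append(f"{hw} ({p['nameif']}): security-level not set explicitly")
        if hw.lower().startswith("management") and not p["management_only"]:
            findings.append(f"{hw}: dedicated management interface is not management-only")
    return findings


if __name__ == "__main__":
    lv = security_levels(parse_interfaces(SAMPLE_CONFIG))
    for src, dst in (("inside", "outside"), ("dmz", "inside"), ("outside", "dmz")):
        print(f"{src:>7} -> {dst:<7} {'permit' if default_policy_permits(lv, src, dst) else 'deny'}")
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
```

Run it against a real show running-config capture to get the same table and findings; the parser only relies on the one-space indentation that the appliance itself uses for sub-commands.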
show memory
Displays the used, free and total memory of the appliance
SNPA v5.03-38
[Figure: inside hosts 10.0.1.11 and 10.0.1.4 behind the appliance, toward the Internet]
ciscoasa#
SNPA v5.03-39
SNPA v5.03-40
[Figure: 192.168.1.0 outside (appliance .2, router .1, Internet), 10.0.1.0 inside (appliance .1), 10.1.1.0 behind the inside network]
ciscoasa# show ip address
System IP Addresses:
Interface            Name     IP address     Subnet mask      Method
GigabitEthernet0/0   outside  192.168.1.2    255.255.255.0    CONFIG
GigabitEthernet0/1   inside   10.0.1.1       255.255.255.0    CONFIG
GigabitEthernet0/2   dmz      172.16.1.1     255.255.255.0    CONFIG
Current IP Addresses:
Interface            Name     IP address     Subnet mask      Method
GigabitEthernet0/0   outside  192.168.1.2    255.255.255.0    CONFIG
GigabitEthernet0/1   inside   10.0.1.1       255.255.255.0    CONFIG
GigabitEthernet0/2   dmz      172.16.1.1     255.255.255.0    CONFIG
SNPA v5.03-41
SNPA v5.03-42
[Figure: g0/0 = GigabitEthernet0/0, interface name = outside, security level = 0; g0/1 = GigabitEthernet0/1, interface name = inside, security level = 100; g0/2 to the dmz; Internet beyond g0/0]
ciscoasa# show nameif
Interface            Name     Security
GigabitEthernet0/0   outside  0
GigabitEthernet0/1   inside   100
GigabitEthernet0/2   dmz      50
SNPA v5.03-43
[Figure: inside hosts 10.0.1.X (10.0.1.11, 10.0.1.4) are NAT-translated to X.X.X.X toward the Internet]
ciscoasa#
SNPA v5.03-44
[Figure: mapped pool 192.168.1.20-192.168.1.254 on the outside serves the inside hosts 10.0.1.X (10.0.1.11, 10.0.1.4)]
ciscoasa#
SNPA v5.03-45
[Figure: xlate table: inside local 10.0.1.11 is mapped to outside pool address 192.168.1.20; 10.0.1.4 is also on the inside]
Xlate table:
Inside local    Outside mapped pool
10.0.1.11       192.168.1.20
ciscoasa#
show xlate
Displays the contents of the translation slots
SNPA v5.03-46
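Added example, written for this page and not Cisco's code: a Python model of the dynamic NAT configured earlier in the lesson (nat-control, nat (inside) 1 0.0.0.0 0.0.0.0, global (outside) 1 192.168.1.20-192.168.1.254). It parses those lines, allocates a mapped address per inside host as show xlate then reports it, and exercises the two drop cases a practitioner runs into: a source with no nat statement while nat-control is on, and an exhausted pool with no PAT fallback. The allocation order (lowest free address) and the show xlate rendering are simplifications chosen for the example, not a claim about the appliance's internals.

```python
"""Model of ASA 7.x dynamic NAT with nat-control, nat and global statements.
Example code written for this page; the config text is taken from the slides."""
import ipaddress
import re

# Constructed from the lesson's configuration example.
SAMPLE_CONFIG = """\
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.168.1.20-192.168.1.254
"""


class DynamicNat:
    def __init__(self, config):
        self.nat_control = False
        self.nat_rules = []   # (interface, nat_id, ip_network) in config order
        self.pools = {}       # (interface, nat_id) -> list of free mapped addresses
        self.xlate = {}       # (interface, local_ip) -> (mapped_interface, mapped_ip)
        for line in config.splitlines():
            line = line.strip()
            if line == "nat-control":
                self.nat_control = True
                continue
            m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)
            if m:
                # ipaddress accepts dotted masks, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
                net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
                self.nat_rules.append((m.group(1), int(m.group(2)), net))
                continue
            m = re.match(r"global \((\S+)\) (\d+) (\S+)-(\S+)", line)
            if m:
                first, last = (int(ipaddress.ip_address(a)) for a in m.group(3, 4))
                self.pools[(m.group(1), int(m.group(2)))] = [
                    str(ipaddress.ip_address(i)) for i in range(first, last + 1)]

    def translate_outbound(self, from_if, local_ip, to_if):
        """Mapped address for a packet from local_ip on from_if leaving via to_if,
        or None when the appliance drops it. An existing xlate is reused."""
        key = (from_if, local_ip)
        if key in self.xlate and self.xlate[key][0] == to_if:
            return self.xlate[key][1]
        addr = ipaddress.ip_address(local_ip)
        for rule_if, nat_id, net in self.nat_rules:
            if rule_if == from_if and addr in net:
                pool = self.pools.get((to_if, nat_id))
                if not pool:
                    # no global pool on to_if for this nat_id, or the pool is exhausted
                    # and no PAT fallback (global ... interface) is configured
                    return None
                mapped = pool.pop(0)   # this model hands out the lowest free address
                self.xlate[key] = (to_if, mapped)
                return mapped
        # No nat statement covers the source: nat-control drops it,
        # otherwise the packet leaves untranslated.
        return None if self.nat_control else local_ip

    def show_xlate(self):
        """Render the translation slots in the spirit of 'show xlate'."""
        lines = [f"{len(self.xlate)} in use"]
        for (_from_if, local), (_to_if, mapped) in sorted(self.xlate.items()):
            lines.append(f"Global {mapped} Local {local}")
        return "\n".join(lines)


if __name__ == "__main__":
    asa = DynamicNat(SAMPLE_CONFIG)
    for host in ("10.0.1.11", "10.0.1.4"):
        print(host, "->", asa.translate_outbound("inside", host, "outside"))
    print("dmz host with no nat statement ->", asa.translate_outbound("dmz", "172.16.1.2", "outside"))
    print(asa.show_xlate())
```

The second half of the test below shrinks the pool to two addresses to show the exhaustion case, and drops nat-control to show the same untranslated source passing through; both are behaviours worth confirming on the real appliance with show xlate and the drop counters in show interface before relying on them.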
[Figure: g0/0 on 192.168.1.0 toward the Internet (router .1), g0/1 on 10.0.1.0, g0/2 to the dmz]
ciscoasa#
SNPA v5.03-47
ping Command
[Figure: the appliance pings inside host 10.0.1.11; 10.0.1.4 is on the same inside network]
ciscoasa#
ping [if_name] host
Sends ICMP echo requests to host, optionally out of the named interface, to verify reachability
SNPA v5.03-48
traceroute Command
[Figure: the appliance traces the path to example.com across the Internet]
ciscoasa#
traceroute {destination_ip | hostname} [source source_ip | source_interface] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]
Determines the route packets take to their destination
asa1# traceroute 172.26.26.20
SNPA v5.03-49
Summary
SNPA v5.03-50
Summary
Cisco security appliances have four main administrative access modes: unprivileged, privileged, configuration, and monitor.
There are two configuration memories in the Cisco security appliances: the running configuration and the startup configuration.
The show running-config command displays the current configuration in the security appliance RAM on the terminal.
You can use the copy running-config startup-config (copy run start) or the write memory command to save the current running configuration to the startup configuration in flash memory.
Interfaces with a higher security level can access interfaces with a lower security level, but interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
The security appliance show commands help you manage the security appliance.
SNPA v5.03-51
[Figure: lab topology. Pods 1-5 use P and pods 6-10 use Q in the addresses below. Each pod has an ASA with outside network 192.168.P.0 (ASA at .2, backbone router RBB at .1), dmz network 172.16.P.0 (ASA at .1, bastion host running Web and FTP at .2) and inside network 10.0.P.0 (ASA at .1, student PC at 10.0.P.11, RTS and Web/FTP hosts at .10 and .100). The RBB joins the pods to the 172.26.26.0 network (.150), which holds further Web/FTP servers, with the Internet beyond.]
SNPA v5.03-52
SNPA v5.03-53