Getting Started with Cisco Security Appliances
Lesson 3

2007 Cisco Systems, Inc. All rights reserved.

SNPA v5.03-1

User Interface


Security Appliance Access Modes

A Cisco security appliance has four main administrative access modes:

Unprivileged    ciscoasa>            Limited command set (enable, exit, login, logout, perfmon, ping, quit); the mode you land in after logging in
Privileged      ciscoasa#            Entered with enable; all show commands are available and the other modes are reached from here
Configuration   ciscoasa(config)#    Entered with configure terminal; commands entered here change the running configuration
Monitor         monitor>             ROM monitor, available only from the console during boot; used for image and password recovery

Access Privileged Mode

ciscoasa> enable [priv_level]

Used to control access to the privileged mode; from there you can enter the other access modes. With no priv_level argument, enable requests level 15 (full privileges). The enable password is prompted for and is not echoed.

ciscoasa> enable
password:
ciscoasa#

Access Configuration Mode: configure terminal Command

ciscoasa# configure terminal

Used to start configuration mode to enter configuration commands from a terminal.

ciscoasa# exit

Used to exit from an access mode, one level at a time.

ciscoasa> enable
password:
ciscoasa# configure terminal
ciscoasa(config)# exit
ciscoasa# exit
ciscoasa>

help Command

ciscoasa> help ?
enable     Turn on privileged commands
exit       Exit the current command mode
login      Log in as a particular user
logout     Exit from current user profile to unprivileged mode
perfmon    Change or view performance monitoring options
ping       Test connectivity from specified interface to an IP address
quit       Exit the current command mode

ciscoasa> help enable
USAGE:
  enable [<priv_level>]
DESCRIPTION:
  enable   Turn on privileged commands

File Management


Viewing and Saving Your Configuration

There are two configuration memories: the running configuration (in RAM, where configuration changes take effect immediately) and the startup configuration (saved in flash and loaded at boot). The following commands enable you to view or save your configuration:

show running-config    Displays the running configuration (write terminal does the same)
show startup-config    Displays the saved startup configuration
copy run start         Saves the running configuration to the startup configuration (write memory does the same)

To save configuration changes:

ciscoasa# copy run start

Clearing Running Configuration

Clear the running configuration (returns it to the default; the saved startup configuration is not touched):

ciscoasa(config)# clear configure all

Clears the running configuration. clear config all is the abbreviated form of the same command:

ciscoasa(config)# clear config all

Because this also removes the interface addressing, run it from the console: a Telnet or SSH session to the appliance is lost the moment the command executes.

Clearing Startup Configuration

Clear the startup configuration:

ciscoasa# write erase

Clears the startup configuration in flash. The running configuration stays in effect until the next reload, which then boots with the default configuration (write erase followed by reload is the factory-reset sequence).

Reload the Configuration: reload Command

ciscoasa# reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config]

Reboots the security appliance and reloads the configuration from the startup configuration. The at and in keywords allow scheduled reboots, and cancel withdraws a scheduled one. Changes that have not been saved with copy run start or write memory do not survive a reload unless save-config is given.

ciscoasa# reload
Proceed with reload? [confirm] y
Rebooting...

Security Appliance Security Levels

Functions of the Security Appliance: Security Algorithm

Implements stateful connection control through the security appliance.
Allows one-way (outbound) connections with a minimum number of configuration changes. An outbound connection is a connection originating from a host on a more-protected interface and destined for a host on a less-protected network.
Monitors return packets to ensure that they belong to an existing connection and are valid.
Randomizes the initial TCP sequence number (ISN) of connections passing through it, to minimize the risk of sequence-number prediction attacks (session spoofing or hijacking) against protected hosts whose own ISNs are predictable.

Security Level Example

Interface            Interface name   Security level   Network
GigabitEthernet0/0   outside          0                Outside network (Internet)
GigabitEthernet0/1   inside           100              Inside network
GigabitEthernet0/2   DMZ              50               DMZ network

With these levels, hosts on the inside can initiate connections to the DMZ and to the outside, and DMZ hosts can initiate connections to the outside. Connections from the outside to the DMZ or inside, or from the DMZ to the inside, are not permitted unless explicitly allowed (for example, by an access list).

Basic Security Appliance Configuration

Basic CLI Commands for Security Appliances

hostname
interface
nameif
ip address
security-level
speed
duplex
no shutdown
nat-control
nat
global
route

Assigning a Hostname to Security Appliance: Changing the CLI Prompt

Example topology: three appliances, asa1 (New York), asa2 (Boston) and asa3 (Dallas), each with a server behind it, connected through the Internet.

ciscoasa(config)# hostname newname

Changes the hostname in the security appliance CLI prompt.

ciscoasa(config)# hostname asa1
asa1(config)#

interface Command and Subcommands

Interfaces in the example: GigabitEthernet0/0 (g0/0, toward the Internet), GigabitEthernet0/1 (g0/1) and GigabitEthernet0/2 (g0/2).

ciscoasa(config)# interface {physical_interface[.subinterface] | mapped_name}

Enters configuration mode for the interface you specify.

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)#

Assign an Interface Name: nameif Subcommand

GigabitEthernet0/0 (g0/0)   Interface name = outside
GigabitEthernet0/1 (g0/1)   Interface name = inside
GigabitEthernet0/2 (g0/2)   Interface name = dmz

ciscoasa(config-if)# nameif if_name

Assigns a name to an interface on the security appliance.

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside

Assign Interface IP Address: ip address Subcommand

GigabitEthernet0/0 (g0/0)   Interface name = outside, IP address = 192.168.1.2

ciscoasa(config-if)# ip address ip_address [mask] [standby ip_address]

Assigns an IP address to each interface (the standby address is the one used by the failover peer).

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2 255.255.255.0

DHCP-Assigned Address

GigabitEthernet0/0 (g0/0)   Interface name = outside, IP address = dhcp (assigned by a DHCP server on the outside network)

ciscoasa(config-if)# ip address dhcp [setroute]

Enables the DHCP client feature on the outside interface. With setroute, the default route offered by the DHCP server is installed in the routing table, so no route outside 0.0.0.0 0.0.0.0 command is needed.

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address dhcp

Assign a Security Level: security-level Subcommand

GigabitEthernet0/0 (g0/0)   Interface name = outside, IP address = 192.168.1.2, Security level = 0

ciscoasa(config-if)# security-level number

Assigns a security level (0 to 100) to the interface.

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2 255.255.255.0
asa1(config-if)# security-level 0

Interfaces with Same Security Level: same-security-traffic Command

GigabitEthernet0/1 (g0/1)   Interface name = inside, Security level 100, Inside network
GigabitEthernet0/2 (g0/2)   Interface name = dmz, Security level 100, DMZ network

ciscoasa(config)# same-security-traffic permit {inter-interface | intra-interface}

Enables communication between interfaces with the same security level (inter-interface) or allows traffic to enter and exit the same interface (intra-interface). Without it, two interfaces at the same level cannot exchange traffic at all, in either direction.

asa1(config)# same-security-traffic permit inter-interface
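The rule stated on the Security Level Example slide and the same-security-traffic exception just above, as an added Python example that is not part of the Cisco course material: it reads the nameif, security-level and same-security-traffic lines from an ASA configuration and answers whether a new connection between two interfaces is permitted by the security levels alone, before any access list is applied. The embedded configuration is the deck's three-interface example; the class and function names are mine.

```python
"""Default permit/deny between ASA interfaces, derived from security levels.

Added example, not from the Cisco course. It models only the security-level
rule (plus same-security-traffic); access lists, NAT and inspection are out of
scope. The names SecurityLevelPolicy and parse_levels are mine.
"""
from dataclasses import dataclass


@dataclass
class SecurityLevelPolicy:
    levels: dict                    # nameif -> security-level (0..100)
    inter_interface: bool = False   # same-security-traffic permit inter-interface
    intra_interface: bool = False   # same-security-traffic permit intra-interface

    def permits(self, ingress: str, egress: str) -> bool:
        """True if a connection entering on `ingress` and leaving on `egress`
        is allowed by the security-level rule alone (no ACL on the interface)."""
        src, dst = self.levels[ingress], self.levels[egress]
        if ingress == egress:
            # Hairpin (enter and exit the same interface): off unless permitted.
            return self.intra_interface
        if src == dst:
            # Equal levels block each other in both directions unless permitted.
            return self.inter_interface
        # A higher level may initiate to a lower one; never the reverse without an ACL.
        return src > dst

    def matrix(self) -> dict:
        """{(ingress, egress): bool} for every ordered pair of interfaces."""
        names = sorted(self.levels, key=lambda n: -self.levels[n])
        return {(i, e): self.permits(i, e) for i in names for e in names}


def parse_levels(config_text: str) -> SecurityLevelPolicy:
    """Build a policy from the interface blocks and same-security-traffic lines
    of an ASA configuration (nameif and security-level may appear in any order
    inside an interface block)."""
    levels, current, inter, intra = {}, {}, False, False

    def commit():
        if "nameif" in current and "level" in current:
            levels[current["nameif"]] = current["level"]

    for raw in config_text.splitlines():
        line = raw.strip()
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            commit()
            current = {}
        elif words[0] == "nameif" and len(words) > 1:
            current["nameif"] = words[1]
        elif words[0] == "security-level" and len(words) > 1:
            current["level"] = int(words[1])
        elif line == "same-security-traffic permit inter-interface":
            inter = True
        elif line == "same-security-traffic permit intra-interface":
            intra = True
    commit()
    return SecurityLevelPolicy(levels, inter, intra)


# Interface blocks from the deck's configuration example (outside 0,
# inside 100, dmz 50); no same-security-traffic command is present.
EXAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
"""

if __name__ == "__main__":
    policy = parse_levels(EXAMPLE_CONFIG)
    for (ingress, egress), ok in policy.matrix().items():
        print(f"{ingress:>8} -> {egress:<8} {'permit' if ok else 'deny'}")
```

Running it prints the 3x3 permit/deny matrix for the example topology. Raising the dmz to level 100 and adding same-security-traffic permit inter-interface flips exactly the inside/dmz entries, which is the quickest way to see what that command opens before you apply it to a production appliance.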

Assign an Interface Speed and Duplex: speed and duplex Subcommands

GigabitEthernet0/0 (g0/0)   Speed = 1000, Duplex = full

ciscoasa(config-if)# speed {10 | 100 | 1000 | auto | nonegotiate}
ciscoasa(config-if)# duplex {auto | full | half}

Set the interface speed and duplex.

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address 192.168.1.2 255.255.255.0
asa1(config-if)# security-level 0
asa1(config-if)# speed 1000
asa1(config-if)# duplex full

ASA Management Interface

Management0/0 (m0/0)   Management only = no

ciscoasa(config-if)# management-only

Configures an interface to accept management traffic only (traffic addressed to the appliance itself); through traffic is not passed.

ciscoasa(config-if)# no management-only

Disables management-only mode, so the interface passes through traffic like any other interface (for ASA 5520, 5540 and 5550).

asa1(config)# interface management0/0
asa1(config-if)# no management-only

Enabling and Disabling Interfaces: shutdown Subcommand

GigabitEthernet0/0 (g0/0)   Enabled

ciscoasa(config-if)# shutdown

Disables an interface; no shutdown enables it. Physical interfaces are shut down by default, so no shutdown is required before an interface passes any traffic.

asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# no shutdown

Network Address Translation

NAT example: an inside host with local address 10.0.0.11 reaches the Internet through the appliance; its source address is translated to 192.168.0.20, taken from the outside mapped pool, and the pairing is recorded in the translation table.

Translation Table
Inside local   Outside mapped pool
10.0.0.11      192.168.0.20

Enable NAT Control

ciscoasa(config)# nat-control

Enables or disables the NAT configuration requirement. With nat-control enabled, a host on a more-secure interface must match a nat rule (with a corresponding global pool) before its connection is allowed through to a less-secure interface; packets from hosts that match no nat rule are dropped. With nat-control disabled (the default), hosts that match no nat rule pass through untranslated.

asa1(config)# nat-control

nat Command

Inside hosts 10.0.1.11 and 10.0.1.4 are translated to outside addresses (X.X.X.X) when they reach the Internet.

ciscoasa(config)# nat (if_name) nat_id address [netmask] [dns]

Enables IP address translation for the hosts on if_name that match address/netmask; nat_id ties the rule to the global pool with the same ID.

asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0

global Command

Inside host 10.0.1.11 is translated to 192.168.1.20, the first address of the mapped pool on the outside interface.

ciscoasa(config)# global (if_name) nat_id {mapped_ip[-mapped_ip] [netmask mapped_mask]} | interface

Works with the nat command of the same nat_id to assign a registered or public IP address to an internal host when accessing the outside network through the firewall, for example an address from the pool 192.168.1.20-192.168.1.254. The interface keyword uses the address of if_name itself with port address translation (PAT) instead of a pool.

asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0
asa1(config)# global (outside) 1 192.168.1.20-192.168.1.254
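The nat, global and nat-control commands above, as an added Python model that is not code from the Cisco course: it parses those lines and simulates how the appliance chooses a mapped address for a new outbound connection, reusing an existing translation slot, dropping hosts that match no nat rule when nat-control is on, and failing once the pool is empty unless a global ... interface line provides a PAT fallback. Class and method names are mine, and the interface_ips argument is an assumption the model needs only for the interface keyword.

```python
"""Dynamic NAT with nat / global / nat-control, as on these slides.

Added example, not from the Cisco course. It covers dynamic NAT and the PAT
fallback on the interface address; static NAT, policy NAT and port handling
are out of scope. Class and method names are mine; interface_ips is an
assumption used only for 'global (if) id interface'.
"""
import ipaddress
import re

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?$")


class DynamicNat:
    def __init__(self, config_text, interface_ips=None):
        self.nat_control = False
        self.nat_rules = []           # (ingress_if, nat_id, local network)
        self.pools = {}               # (egress_if, nat_id) -> free mapped addresses
        self.pat_interfaces = set()   # (egress_if, nat_id) with 'global ... interface'
        self.xlate = {}               # local address -> mapped address (translation slot)
        self.interface_ips = interface_ips or {}
        self._next_pat_port = 1024
        for raw in config_text.splitlines():
            line = raw.strip()
            if line == "nat-control":
                self.nat_control = True
                continue
            m = NAT_RE.match(line)
            if m:
                ifname, nat_id, addr, mask = m.groups()
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                self.nat_rules.append((ifname, int(nat_id), net))
                continue
            m = GLOBAL_RE.match(line)
            if m:
                ifname, nat_id, spec, _mask = m.groups()
                key = (ifname, int(nat_id))
                if spec == "interface":
                    self.pat_interfaces.add(key)
                else:
                    first, _, last = spec.partition("-")
                    lo = int(ipaddress.ip_address(first))
                    hi = int(ipaddress.ip_address(last or first))
                    pool = self.pools.setdefault(key, [])
                    pool.extend(str(ipaddress.ip_address(i)) for i in range(lo, hi + 1))

    def translate(self, ingress_if, local_ip, egress_if):
        """Mapped source address for a new connection from local_ip (entering
        on ingress_if, leaving on egress_if), or None if the packet is dropped."""
        local = ipaddress.ip_address(local_ip)
        if str(local) in self.xlate:
            return self.xlate[str(local)]          # existing translation slot is reused
        rule = next((r for r in self.nat_rules
                     if r[0] == ingress_if and local in r[2]), None)
        if rule is None:
            # nat-control: hosts matching no nat rule may not cross the appliance.
            return None if self.nat_control else str(local)
        key = (egress_if, rule[1])
        free = self.pools.get(key, [])
        if free:
            mapped = free.pop(0)
        elif key in self.pat_interfaces:
            # Pool empty (or absent): fall back to PAT on the interface address.
            mapped = f"{self.interface_ips[egress_if]}:{self._next_pat_port}"
            self._next_pat_port += 1
        else:
            return None   # pool exhausted and no PAT fallback: the connection fails
        self.xlate[str(local)] = mapped
        return mapped

    def show_xlate(self):
        """Translation slots in the format of the show xlate slide."""
        return [f"Global {mapped} Local {loc}" for loc, mapped in self.xlate.items()]


# nat / global / nat-control lines from the deck's configuration example.
EXAMPLE_CONFIG = """\
nat-control
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.168.1.20-192.168.1.254
"""

if __name__ == "__main__":
    asa = DynamicNat(EXAMPLE_CONFIG)
    print(asa.translate("inside", "10.0.1.11", "outside"))   # first pool address
    print(asa.translate("dmz", "172.16.1.2", "outside"))     # None: no nat rule on dmz
    print("\n".join(asa.show_xlate()))
```

The constructed two-address pool in the test below shows the failure mode that matters operationally: with nat-control on and no global ... interface line, the third inside host gets no translation and its connection silently fails, so size the pool (or add the PAT fallback) before the number of concurrent inside hosts grows.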

Configure a Static Route: route Command

Default route: everything not otherwise routed goes to 192.168.1.1 on the outside. Static route: network 10.1.1.0 (hosts 10.1.1.4 and 10.1.1.11) is reached through router 10.0.1.102 on the inside.

ciscoasa(config)# route if_name ip_address netmask gateway_ip [metric]

Defines a static or default route for an interface.

asa1(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
asa1(config)# route inside 10.1.1.0 255.255.255.0 10.0.1.102 1

Host Name-to-IP-Address Mapping: name Command

Example topology: bastionhost 172.16.1.2 on the 172.16.1.0 network (appliance interface .1); insidehost 10.0.1.11 on the 10.0.1.0 network (appliance interface .1).

ciscoasa(config)# name ip_address name

Configures a list of name-to-IP-address mappings on the security appliance; the names command enables their use in place of addresses in other commands.

asa1(config)# names
asa1(config)# name 172.16.1.2 bastionhost
asa1(config)# name 10.0.1.11 insidehost

Configuration Example

GigabitEthernet0/0   Interface name = outside   Security level = 0     IP address = 192.168.1.2 (network 192.168.1.0; Internet router .1)
GigabitEthernet0/1   Interface name = inside    Security level = 100   IP address = 10.0.1.1 (network 10.0.1.0; network 10.1.1.0 behind the inside router)

asa1(config)# write terminal
. . .
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
. . .

Configuration Example (Cont.)

GigabitEthernet0/2   Interface name = dmz   Security level = 50   IP address = 172.16.1.1 (network 172.16.1.0; bastionhost 172.16.1.2)
insidehost 10.1.1.11 on network 10.1.1.0

interface GigabitEthernet0/2
nameif dmz
security-level 50
speed 1000
duplex full
ip address 172.16.1.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
hostname asa1
names
name 172.16.1.2 bastionhost
name 10.1.1.11 insidehost

The passwd line above is the hash of the factory-default login password (cisco); it is shown here exactly as it appears in the example output and should be replaced with a password of your own before the appliance is reachable over the network.

Configuration Example (Cont.)

Default route: 192.168.1.1 on the outside (network 192.168.1.0, appliance .2). Static route: network 10.1.1.0 (insidehost 10.1.1.11) via router 10.0.1.102 on the inside (network 10.0.1.0, appliance .1). Mapped pool on the outside: 192.168.1.20 - 254. bastionhost 172.16.1.2 on the dmz (network 172.16.1.0, appliance .1).

nat-control
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 192.168.1.20-192.168.1.254
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 10.1.1.0 255.255.255.0 10.0.1.102 1

Examining Security Appliance Status

show Commands

show run interface   Displays the interface portion of the running configuration
show interface       Displays interface status and counters

asa1# show run interface
. . .
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
. . .

asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Detected: Speed 1000 Mbps, Full-duplex
Requested: Auto
MAC address 000b.fcf8.c538, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
input queue (curr/max blocks): hardware (0/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 0 VLAN untagged packets, 0 bytes
Dropped 0 VLAN untagged packets

show memory Command

ciscoasa# show memory

asa1# show memory
Free memory:        468962336 bytes (87%)
Used memory:         67908576 bytes (13%)
-------------     ----------------
Total memory:       536870912 bytes (100%)

show cpu usage Command

ciscoasa# show cpu usage

asa1# show cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

show version Command

asa1# show version
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 2 mins 51 secs
Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
. . .

Displays the security appliance software version, operating time since its last reboot, processor type, Flash memory type, interface boards, serial number (BIOS identification), and activation key value.

show ip address Command

asa1# show ip address
System IP Addresses:
Interface            Name      IP address     Subnet mask      Method
GigabitEthernet0/0   outside   192.168.1.2    255.255.255.0    CONFIG
GigabitEthernet0/1   inside    10.0.1.1       255.255.255.0    CONFIG
GigabitEthernet0/2   dmz       172.16.1.1     255.255.255.0    CONFIG
Current IP Addresses:
Interface            Name      IP address     Subnet mask      Method
GigabitEthernet0/0   outside   192.168.1.2    255.255.255.0    CONFIG
GigabitEthernet0/1   inside    10.0.1.1       255.255.255.0    CONFIG
GigabitEthernet0/2   dmz       172.16.1.1     255.255.255.0    CONFIG

show interface Command

asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0013.c482.2e4c, MTU 1500
IP address 192.168.1.2, subnet mask 255.255.255.0
8 packets input, 1078 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (8/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "outside":
8 packets input, 934 bytes
0 packets output, 0 bytes
8 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec

show nameif Command

GigabitEthernet0/0 (g0/0)   Interface name = outside   Security level = 0
GigabitEthernet0/1 (g0/1)   Interface name = inside    Security level = 100
GigabitEthernet0/2 (g0/2)   Interface name = dmz       Security level = 50

asa1# show nameif
Interface            Name      Security
GigabitEthernet0/0   outside   0
GigabitEthernet0/1   inside    100
GigabitEthernet0/2   dmz       50

show run nat Command

ciscoasa# show run nat

Displays the nat commands in the running configuration: the single host or range of hosts to be translated (here the inside network 10.0.1.X, including 10.0.1.11 and 10.0.1.4, translated to X.X.X.X on the outside).

asa1# show run nat
nat (inside) 1 10.0.1.0 255.255.255.0 0 0

show run global Command

ciscoasa# show run global

Displays the pool of mapped addresses (here 192.168.1.20-192.168.1.254 on the outside, used for the 10.0.1.X hosts).

asa1# show run global
global (outside) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0

show xlate Command

Xlate Table
Inside local   Outside mapped pool
10.0.1.11      192.168.1.20

ciscoasa# show xlate

Displays the contents of the translation slots.

asa1# show xlate
1 in use, 1 most used
Global 192.168.1.20 Local 10.0.1.11

show route Command

ciscoasa# show route [interface_name [ip_address [netmask [static]]]]

Displays the contents of the routing table.

asa1(config)# show route
S    0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
C    10.0.1.0 255.255.255.0 is directly connected, inside
C*   127.0.0.0 255.255.0.0 is directly connected, cplane
C    172.16.1.0 255.255.255.0 is directly connected, dmz
C    192.168.1.0 255.255.255.0 is directly connected, outside
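The routing table printed above, as an added Python example that is not part of the Cisco course material: it parses show route output into records, performs the longest-prefix lookup the appliance performs for a destination, and checks that every static route's next hop lies in a connected network on the same interface, which is what to verify when a route command was accepted but the traffic still does not arrive. The embedded output is the slide's, with one static-route line added that is constructed from the route inside 10.1.1.0 255.255.255.0 10.0.1.102 1 command of the configuration example; the function names are mine.

```python
"""Parse 'show route' output and resolve destinations against it.

Added example, not from the Cisco course. Function names (parse_show_route,
lookup, gateway_on_link) are mine. The sample table is the slide's output plus
one static-route line constructed from the configuration example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\S+)\s+(?P<mask>\S+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gw>\S+),|is directly connected,)"
    r"\s+(?P<iface>\S+)$"
)


@dataclass(frozen=True)
class Route:
    code: str                                  # S = static, C = connected
    network: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address]   # None for connected routes
    distance: int                              # administrative distance
    metric: int


def parse_show_route(text: str) -> list:
    """Turn show route lines into Route records; lines that are not routes
    (headers, blanks) are skipped."""
    routes = []
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        gw = ipaddress.ip_address(m["gw"]) if m["gw"] else None
        routes.append(Route(m["code"], net, m["iface"], gw,
                            int(m["ad"] or 0), int(m["metric"] or 0)))
    return routes


def lookup(routes: list, destination: str) -> Optional[Route]:
    """Route the appliance would use: longest prefix first, then lowest
    administrative distance, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.distance, r.metric))


def gateway_on_link(routes: list, route: Route) -> bool:
    """True if route.gateway lies in a connected network on route.interface,
    i.e. the appliance can actually ARP for the next hop."""
    if route.gateway is None:
        return True
    return any(r.gateway is None and r.interface == route.interface
               and route.gateway in r.network for r in routes)


# Output from the show route slide; the 10.1.1.0 line is constructed from the
# 'route inside 10.1.1.0 255.255.255.0 10.0.1.102 1' command of the config example.
SHOW_ROUTE = """\
S    0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
S    10.1.1.0 255.255.255.0 [1/0] via 10.0.1.102, inside
C    10.0.1.0 255.255.255.0 is directly connected, inside
C*   127.0.0.0 255.255.0.0 is directly connected, cplane
C    172.16.1.0 255.255.255.0 is directly connected, dmz
C    192.168.1.0 255.255.255.0 is directly connected, outside
"""

if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for host in ("10.1.1.11", "172.16.1.2", "192.168.1.1", "203.0.113.9"):
        r = lookup(table, host)
        via = "connected" if r.gateway is None else r.gateway
        print(f"{host:<14} -> {r.interface} via {via}")
    for r in table:
        if r.code == "S" and not gateway_on_link(table, r):
            print(f"static route {r.network} has an unreachable next hop {r.gateway}")
```

The lookup confirms that 10.1.1.11 leaves on the inside through 10.0.1.102 while 192.168.1.1 itself is reached as a connected host (the /24 beats the default route). The on-link check catches the typo case in the test, a next hop of 10.0.2.102 on an interface whose only connected network is 10.0.1.0/24: the route is accepted and listed, but nothing ever forwards through it.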

ping Command

ciscoasa# ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]

Determines whether other devices are visible from the security appliance.

asa1# ping 10.0.1.11
Sending 5, 100-byte ICMP Echos to 10.0.1.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

traceroute Command

ciscoasa# traceroute {destination_ip | hostname} [source source_ip | source_interface] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]

Determines the route packets will take to their destination (UDP probes by default; use-icmp sends ICMP echo probes instead).

asa1# traceroute 172.26.26.20

Summary

Cisco security appliances have four main administrative access modes: unprivileged, privileged, configuration, and monitor.
There are two configuration memories in the Cisco security appliances: running configuration and startup configuration.
The show running-config command displays the current configuration in the security appliance RAM on the terminal.
You can use the copy run start or the write memory command to save the current running configuration to flash memory, the startup configuration.
Interfaces with a higher security level can access interfaces with a lower security level, but interfaces with a lower security level cannot access interfaces with a higher security level unless given permission.
The security appliance show commands help you manage the security appliance.

Lab Visual Objective

Lab topology (figure): two pod groups, Pods 1-5 (networks 192.168.P.0, 172.16.P.0 and 10.0.P.0) and Pods 6-10 (networks 192.168.Q.0, 172.16.Q.0 and 10.0.Q.0). In each pod an ASA sits at .2 on the outside network and at .1 on the DMZ and inside networks; a bastion host running Web and FTP is at .2 on the DMZ network; the inside network holds a Web/FTP server at .10, an RTS host at .100 and the student PC (Local: 10.0.P.11 or 10.0.Q.11). Both groups reach the 172.26.26.0 network, which hosts Web/FTP servers at .50 and .150, through the RBB router at .1 on the outside networks.