Chapter 2: Securing Networks with Cisco’s Adaptive Security Appliance

In This Chapter

Locating firewalls in the OSI network model

Getting a grasp on the IOS

Connecting to the ASA

Setting up your firewall and user accounts

Applying a base configuration to the ASA

Setting up a DHCP server

Viewing licensing information

In this chapter, I introduce you to the world of firewalls via Cisco’s Adaptive Security Appliance (ASA). Specifically, I show the configuration of the Cisco ASA 5505, but this configuration could easily apply to any of the ASA products in Cisco’s product line. I show you how to configure the ASA using either the command line or the Adaptive Security Device Manager (ASDM). You see how to run a basic setup of this device and how to change many of the settings after setup is complete.

Locating Firewalls in the OSI Model

Unlike routers and switches, firewalls can technically operate at just about any layer of the Open Systems Interconnection (OSI) network model, depending on their functions. So an application layer firewall could be used to block HTTP traffic to and from your network. If you think that sounds like a proxy or reverse proxy server, well, yes it is.

In most cases, when you think of a firewall, you think of a network layer, or layer 3, firewall. The network layer firewall takes the place of a router on your network and filters traffic based primarily on IP header information. In this chapter, I show you how to configure and use your Cisco Adaptive Security Appliance (ASA), which is just that type of firewall.

Getting to Know the Internetwork Operating System

The Internetwork Operating System (IOS) that is in use with the ASA has most of the same features as the IOS for other devices. The IOS used for the ASA has a few specific commands, but in general, you follow the same process for entering User EXEC mode, Privileged EXEC mode, and Global Configuration mode.

Tip: Getting help in the IOS is quite easy. Type a question mark (?) at any point on the command line to see what commands are available to you or to find out how to complete a command that you are working on. Between the question mark and Tab completion, you can usually work out most commands quickly.

If you are completely new to IOS configuration, a complete command reference guide for each IOS routing component can be downloaded from Cisco at www.cisco.com/cisco/web/psa/reference.html in the Product/Technology Support section. Select your IOS version from the Products list.

Making Connections

In Book I, Chapter 5, I introduce how to connect to your device to make configuration changes. The three basic methods of making configuration changes to a router are

Console connection: This involves having direct access to the router. The changes are made through your computer’s serial port and a rollover cable. This is command line access to a router.

Telnet or SSH: These options give you remote command-line access to the router to make configuration changes. However, because Telnet sends all data in unencrypted text over the network, SSH should be used in its place.

Adaptive Security Device Manager (ASDM): Represents the most popular graphical configuration interface for your ASA devices.

Tip: You can always make a console connection to your ASA, so take a few minutes to locate a rollover cable for your ASA and the console port on the ASA. If you do not have a serial port on your computer, get a USB-to-serial adapter and test it with your Cisco ASA before you need to make an emergency connection.

If you have already enabled SSH access to your ASA, ensure that you have also disabled Telnet access. SSH is as easy to use and is the only secure remote access option to the command line interface.

Running the ASA Setup Wizard

When a new ASA boots for the first time, or after you erase the configuration, it automatically enters setup. If your ASA does not, you can start setup from Privileged EXEC mode. The following code shows the basic setup process, with the responses that you type shown after each prompt. Within just a few minutes, you can have your ASA up and running.

Pre-configure Firewall now through interactive prompts [yes]?

Firewall Mode [Routed]:

Enable password [<use current password>]: enable

Allow password recovery [yes]?

Clock (UTC):

  Year [2011]:

  Month [Apr]:

  Day [16]:

  Time [13:16:14]:

Inside IP address: 192.168.1.12

Inside network mask: 255.255.255.0

Host name: ASAFirewall1

Domain name: edtetz.net

IP address of host running Device Manager: 192.168.1.123

The following configuration will be used:

Enable password: enable

Allow password recovery: yes

Clock (UTC): 13:16:14 Apr 16 2011

Firewall Mode: Routed

Inside IP address: 192.168.1.12

Inside network mask: 255.255.255.0

Host name: ASAFirewall1

Domain name: edtetz.net

IP address of host running Device Manager: 192.168.1.123

Use this configuration and write to flash? yes

INFO: Security level for “inside” set to 100 by default.

WARNING: http server is not yet enabled to allow ASDM access.

Cryptochecksum: 23d86fb3 f78f728a cd7f48cd 9faf22c0

1417 bytes copied in 2.40 secs (708 bytes/sec)

Type help or ‘?’ for a list of available commands.

Notice how little information you need to enter to get basic management access to your ASA over the network (well, almost). The setup process has set the inside IP address and configured an Access Control List (ACL) entry that allows only the one host whose address you gave as the Device Manager to manage the ASA, but it has not actually enabled access. The message at the end of setup tells you that the HTTP server has not been enabled. So, before you close this connection, enable the HTTP server using the following commands:

ASAFirewall1> enable

Password: ******

ASAFirewall1# configure terminal

ASAFirewall1(config)# http server enable

ASAFirewall1(config)# copy running-config startup-config

Source filename [running-config]?

Cryptochecksum: 6431b60b a26d0b05 941fa189 e3edf475

1913 bytes copied in 1.740 secs (1913 bytes/sec)

ASAFirewall1(config)# end

From this point, you can connect your ASA to a switch and manage it from the device with the IP address you specified in the initial setup.

Technical Stuff: The ASA 5505 places all switch ports into VLAN 1 (your Inside VLAN) by default, whereas the larger ASA devices have a dedicated management interface or port. The management function can be configured to operate over the other interfaces on the ASA.

After you have the management interface up for the ASDM, you can run the Startup Wizard through the ASDM (even if you already set up the ASA on the command line). The benefit to running the Startup Wizard is that you can go to the computer you identified as your management computer and point your web browser to the interface address of your ASA. (Note: You need to have Java installed on this computer.) Unless you install a valid certificate that matches the name of the ASA, you are presented with a certificate error, as shown in Figure 2-1.

Figure 2-1: Certificate error on connection to your ASA.

After you are connected to your ASA, the introduction page appears, as shown in Figure 2-2. On this page you choose how to run the ASDM; because the ASDM is a Java application, all three choices require Java to be installed on your computer:

Install ASDM Launcher and Run ASDM: Installs the ASDM on your computer. If this is the computer you will always use to perform your management, this method makes the most sense.

Run ASDM: This option uses Java Web Start to launch the ASDM tool directly from the copy installed on the ASA. This is beneficial if you are not at your normal computer because you do not install any software.

Run Startup Wizard: This option also uses Java Web Start to launch ASDM, with one difference: after the ASDM has launched, the Startup Wizard runs automatically.

To perform the network configuration of the ASA, the following process walks you through the Startup Wizard:

1. Click the Run Startup Wizard button on the introduction page.

You receive a warning related to the security settings on Java.

Figure 2-2: Launching the ASDM provides you with three options.

2. If you are sure that you are connected to the correct device on the network and not some fake device trying to collect your credentials, dismiss the warning message.

Because you expect this message from the ASDM, continue to the website.

The Cisco ASDM Launcher dialog box, as shown in Figure 2-3, appears.

3. If you have an enable password, but no actual users, skip the Username field, fill in the enable password in the Password field, and click OK.

If you have already created an administrative user, provide the username and password in the appropriate fields.

Figure 2-3: Authenticate with your username and password or the enable password.

The Starting Point page, as shown in Figure 2-4, appears.

4. Select one of the following, based on whether you are setting up the ASA initially or whether you are using setup to change an existing ASA installation:

Modify Existing Configuration: You can choose to modify the existing configuration.

Reset Configuration to Factory Defaults: Resets everything except the management interface to the factory defaults and then lets you modify that default configuration. As it turns out, a lot of small networks out there require only simple changes to their configuration, and as such, re-running the Startup Wizard is the easiest way to make these changes.

5. Click the Next button.

The Basic Configuration page, as shown in Figure 2-5, appears with two optional items.

Figure 2-4: Step 1 of the Startup Wizard asks whether you want to modify the current configuration.

6. (Optional) Select from the following items:

Configure the Device for Teleworker Usage: This option supports teleworkers or remote workers via a virtual private network (VPN). If you select this option, you are presented with an extra page of questions for the Easy VPN Remote Configuration near the end of the Startup Wizard. On this page, you can also tell the Startup Wizard the name of the firewall device, such as ASAFirewall1, and the domain name to which the device belongs, such as edtetz.net.

Change Privileged Mode (Enable) Password: If you are not happy with your current enable password, change it here before you complete this step of the Startup Wizard.

7. Click the Next button.

Depending on the number of interfaces you are licensed for (which you can find out by checking out the “Examining Your License” section, later in this chapter), you can configure up to three interfaces. The basic license for the ASA allows you to have only two interfaces. The Interface Selection page of the Startup Wizard, as shown in Figure 2-6, appears.

Figure 2-5: Step 2 of the Startup Wizard allows for device naming and password configuration.

8. Choose virtual local area networks (VLANs) for the Outside, Inside, and optionally, DMZ interfaces.

• The Outside VLAN faces the Internet.

• The Inside VLAN faces your corporate network.

• The DMZ VLAN operates parallel to your corporate network. The Demilitarized Zone (DMZ) is an area where you can place servers, such as mail, web, or ftp servers, that the public at large — or at least people outside your network — need access to.

For each of these interfaces, you assign a VLAN to the segment or choose not to use the interface at all. By default, the Inside interface is configured for VLAN 1, which you can change if you want; however, because this is the default VLAN on your switches, you may not want to change it. For your Outside interface and DMZ interface, you can choose another VLAN or go with the ones chosen by default.

Enabling the inside VLAN, outside VLAN, and DMZ VLAN interfaces does not actually associate any particular switch ports to those interfaces. The interfaces are virtual and need to be associated to physical interfaces on the switch. This means that any number of ports can be associated to any of these interfaces.

Figure 2-6: Enable and set VLANs to be used for each type of interface.

9. Click the Next button.

The Switch Port Allocation page, as shown in Figure 2-7, appears.

10. Assign the ASA switch ports to the three VLANs by selecting the port in the Available Ports or Allocated Ports panes and clicking the Add or Remove buttons.

Initially, all your ports are associated with the inside VLAN. In most cases, associate the lowest interface, or Ethernet 0/0 of an ASA 5505, with the outside VLAN because you will likely want to use the additional ports on the inside of your network. Also, on the ASA 5505, the last two ports supply Power over Ethernet (POE) to power up devices, such as phones or access points (APs), which is yet another reason you want the upper ports to be associated with the inside network.

As you choose a switch port and associate it with a VLAN or interface, you are prompted with a message telling you that it may be removed from an existing VLAN. Because all ports start out associated with the Inside interface, you see this message for all your port reassignments.

Figure 2-7: Assign ports to network interfaces on the Switch Port Allocation page.

11. Click the Next button.

The Interface IP Address Configuration page, as shown in Figure 2-8, appears.

12. Assign an IP configuration to each of your interfaces.

For your outside address, you can manually assign an address, which is not uncommon for business Internet connections. If your Internet connection supports either Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE), select the appropriate option. If you use DHCP, tell your ASA to use the default gateway it receives from DHCP as the system-wide default gateway for this device. If you choose not to use the system-wide default gateway option, you need to configure a manual route through ASDM or with route outside 0 0 <IP address of gateway> at the command-line interface (CLI).

13. Click the Next button.

The DHCP Server page, as shown in Figure 2-9, appears. For small businesses or regional offices, the ASA may represent the only real device on the network other than printers and computers. You may have these locations set up without any local servers onsite.

Figure 2-8: Specify IP addresses from the Interface IP Address Configuration page.

14. (Optional) Select the Enable DHCP Server on the Inside Interface check box to have the ASA act as a DHCP server for this network segment.

15. (Optional) Select the Enable Auto-Configuration from Interface check box so that you can copy most of these settings from an existing interface.

Enabling the Auto-Configuration check box is very useful for Domain Name System (DNS) and Windows Internet Name Service (WINS) server addresses that are constantly being used on all network segments and may all be the same for the organization.

16. Configure or change any of the missing information in the following:

• Starting IP Address: The first address to be handed out in the DHCP range.

• Ending IP Address: The last address to be handed out in the DHCP range.

• DNS servers 1 and 2: The DNS servers that are handed out to DHCP clients.

• WINS servers 1 and 2: The WINS servers that are handed out to DHCP clients.

• Lease Length: The lease length determines when DHCP clients are required to renew their leases on the DHCP-supplied addresses.

• Ping Timeout: Before the DHCP server assigns an address, it pings that address to verify that it is not already in use; the Ping Timeout sets how long it waits for a reply. This reduces the chance of duplicate IP addresses being created on the network.

• Domain Name: The domain name that the DHCP clients belong to.

Figure 2-9: The ASA supports a built-in DHCP server, which can be configured during the Startup Wizard.

17. Click the Next button.

The Address Translation (NAT/PAT) page, as shown in Figure 2-10, appears.

18. Set up Network Address Translation or Port Address Translation.

Choose from the available address translation methods:

Use Port Address Translation (PAT): Most small offices, which use only one public IP address on their Internet connection, use PAT on their connection. PAT can use a specific address or the main address from their outside VLAN interfaces. PAT allows an entire office to share (or translate to) a single external IP address for Internet access.

Figure 2-10: NAT and PAT translate internal addresses to external addresses.

Use Network Address Translation (NAT): Selecting NAT sets up a one-to-one mapping (or translation) between internal and external IP addresses, so you specify a range of addresses to use on the outside VLAN interface. If you use public addresses on your internal network (not likely), or if you use the ASA as a firewall on the interior of your network (for example, to protect a server subnet), you may want to select the Enable Traffic through the Firewall Without Address Translation radio button instead.

For more about NAT, turn to Chapter 3 of this minibook.

19. Click the Next button.

The Administrative Access page, as shown in Figure 2-11, appears.

20. Set what systems on your network can connect to your ASA to perform management or configuration changes.

Use the following process to add new management interfaces. If you want to use ASDM, you need to select the Enable HTTP Server for HTTPS/ASDM Access check box, whereas the Enable ASDM History Metrics check box saves usage data regarding accessing the ASDM interface.

Figure 2-11: Configure the methods of remote administration on the Administrative Access page.

In the command-line setup, you can allow ASDM connections only from a single computer. This page allows you to specify additional systems that can manage your ASA and the type of connection they use to do so.

If you add a new management option, the Add Administrative Access Entry dialog box, as shown in Figure 2-12, appears. Select your desired options to create the new Administrative Access entry:

a. Choose HTTP (ASDM), SSH, or Telnet from the Access Type drop-down list.

b. Choose Inside from the Interface Name drop-down list.

Inside is typically the most secure interface option. If, in some cases, you need to conduct remote administration over the Outside interface, be very restrictive about the addresses from which the administration is performed.

c. Specify either a single address from which administration is performed in the IP Address text box, or a network range by entering a network ID and choosing a mask from the Subnet Mask drop-down list.

Remember, the more restrictive you can be with this configuration, the more secure your ASA is.

d. Click OK.

You return to the Administrative Access page.

Figure 2-12: Adding another management connection.

Warning: If you allow your firewall to be administered from the outside interface, you leave yourself open to potentially being compromised by someone you do not know.

21. Click the Next button.

The summary page of the configuration Startup Wizard appears, providing a summary of the configuration that you have applied to the system. All these configuration changes are written into the running configuration on the ASA. After the configuration changes are made, you see the standard ASA ASDM management screen, as shown in Figure 2-13. From this interface you can

• Perform any other configuration changes.

• Relaunch the Startup Wizard or other wizards.

• Perform basic monitoring of the ASA via the home page.

• Perform more detailed monitoring of the ASA and connections that it hosts through the Monitoring pages.

• Run additional management and troubleshooting tools.

• Save the current configuration to flash memory.

Figure 2-13: The ASDM configuration and management interface.

Performing a Basic Configuration

Through the rest of this chapter, I walk you through some of the common configuration items that you will likely want to configure on the ASA. Although I give examples from the ASA 5505, if you are working on any other member of the ASA family, your configuration is performed in much the same manner. For most of the options, I show both the command line method of applying the configuration and the ASDM.

You have only a few things to worry about to get a basic routing configuration on your ASA. This section takes a look at each of these configuration items.

Device name

Setting a name for your ASA does not impact the function of the unit, but it does make it a little easier when you connect to the device to make configuration changes or if you are using a remote monitoring tool that can identify the device by name. In general, you do not want to apply the incorrect configuration to a device, possibly opening your entire network to the Internet or disabling your remote access to the device. The following code allows you to use the Cisco CLI to set a new device name on the Cisco ASA.

ciscoasa> enable

Password: ******

ciscoasa# configure terminal

ciscoasa(config)# hostname ASAFirewall1

ASAFirewall1(config)# end

Standard firewall ports

As with all the Cisco networking devices that this book examines, you can connect a number of ports to cables on the ASA. The ASA’s ports, as shown in Figure 2-14, are

Console: Serial configuration port for command line access to ASA management and configuration.

Ethernet/Fast Ethernet/Gigabit: Standard network interfaces that are used to connect different network segments. Depending on the ASA model you have, you have a mixture of Fast Ethernet and Gigabit ports, which will be copper RJ45 connections or small form-factor pluggable (SFP) modules. Also, depending on your device, you may have Power over Ethernet (POE) ports.

USB ports: Currently not used on the ASA series, the USB ports are there for future features that may be implemented in the series.

Expansion port: If your ASA model has an expansion module, it will be either the Security Services Card (SSC) or Security Services Module (SSM) connection for an appropriate expansion card model. These cards offload VPN encryption or implement additional feature sets, such as e-mail antivirus scanning.

Figure 2-14: Standard ports on ASA 5505.

Interfaces

In this section, I describe the basics of configuring Fast Ethernet and Gigabit Ethernet connections.

To start your configuration, connect to your ASA and get into Global Configuration mode using this set of commands:

ASAFirewall1>enable

Password:

ASAFirewall1#configure terminal

The next step is to choose your interface by number. You can choose from Ethernet (which actually means Fast Ethernet on the ASA) or Gigabit interfaces. After choosing Ethernet or Gigabit, specify the port number. All devices in current IOS versions are numbered starting at the motherboard in one of these formats: network-module-slot/port, 0/interface-card-slot/port, or network-module-slot/interface-card-slot/port. Effectively, all modules are connected to the motherboard slot on the ASA, which is always slot 0 (this is the first zero in the interface name):

ASAFirewall1(config)#interface Ethernet 0/0

Now you can set the specifics of the network connection or use the Auto settings for Duplex and Speed modes. Duplex modes include Full- or Half-Duplex, whereas speeds are typically from 10 Mbps up to the speed of the interface:

ASAFirewall1(config-if)#duplex auto

ASAFirewall1(config-if)#speed auto

For switches, you might not want to use the description option to name interfaces, but it is a good idea on your ASA to give yourself a description to help prevent you from changing the configuration on the wrong interface. (It can be a career-limiting move to shut down the wrong interface at a critical time in your business!) The description does nothing to assist with the configuration; it only prevents some level of human error:

ASAFirewall1(config-if)#description Internal Interface

You have done all this work, so there is a good chance that you want to use this interface now. But exit the configuration and check your running configuration, and you will notice one configuration item that looks a little strange:

ASAFirewall1#show running-config interface Ethernet 0/0

!

interface Ethernet0/0

switchport access vlan 2

So one important item is missing (or rather, one unexpected item is present). Unlike routers, all the interfaces on your ASA are enabled by default, but they are all put into the default inside VLAN. As with your switch interfaces, the no shutdown command removes any shutdown command. Complete the configuration of your ASA interface with the following command:

ASAFirewall1(config-if)#no shutdown

If you are working on the console or have terminal monitor enabled, you receive a status message telling you that the interface has been enabled. This message is similar to the following:

%LINK-5-CHANGED: Interface Ethernet0/0, changed state to up

That is everything that is required (and then some) for you to configure an ASA interface. If you trust the Auto settings for Speed and Duplex modes, you likely just need to assign an IP address to the VLAN interfaces and associate one or more ports with that VLAN interface. A description is nice to have, and other configuration options may be required depending on the configuration of other parts of your network, such as VLAN configuration.

After you have the interface up and running, if you are using auto for your speed and duplex settings, examine the interface to ensure that it has detected settings that you are happy with. Do this with the show interface command:

ASAFirewall1# show interface Ethernet 0/0

Interface Ethernet0/0 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        Available but not configured via nameif

        MAC address 001f.ca8c.93d2, MTU not set

        IP address unassigned

        13666 packets input, 1134634 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 L2 decode drops

        13660 switch ingress policy drops

        142 packets output, 13321 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        0 lost carrier, 0 no carrier

        0 rate limit drops

        0 switch egress policy drops

In all that information, notice that the interface and line protocols should both be up, or properly connected to the network and communicating with other devices. In the preceding example, the interface detected Full-Duplex as well as a speed of 100 Mbps. Incorrect Duplex settings between ends of a connection can cause packet errors.

IP addresses

Because you plan to route from this interface, you need to give it an IP address that your client devices can connect to. This is done on the VLAN interfaces with the following command:

ASAFirewall1(config-if)#ip address 192.168.1.240 255.255.255.0

Remember: You can configure your ASA to obtain its address with DHCP using the command ip address dhcp, but this would not typically be used for a static network device, such as a router. Connecting this ASA as a NAT device to your Internet service provider (ISP) is the only case where this would likely be used. (You can find out more about NAT in Chapter 3 of this minibook.)

Security zones

Your Cisco ASA works with three default security zones, which it assigns the values of Inside (100), Outside (0), and DMZ (50). By default, any device at a higher security zone level can communicate with devices at a lower security zone, but devices at a lower security zone cannot initiate connections to devices at the higher zone level.

By default, devices on the Inside and DMZ interfaces can both establish connections to devices on the Internet; as well, devices on the Inside interface can establish connections to devices on the DMZ interface.

You set these security levels using the ASDM when you configure your VLAN interfaces, as shown in Figure 2-15.
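As an added illustration (not code from the book or from Cisco), the following Python script reads the nameif and security-level subcommands from a constructed running-config fragment and derives the default connection policy described above: a higher-level interface may initiate connections to a lower-level one, never the reverse. The nameif and security-level syntax is real ASA syntax; the configuration text is constructed with the chapter's Inside 100 / Outside 0 / DMZ 50 values.

```python
"""Derive the ASA's default inter-interface connection policy from the
security levels in its configuration.  Added illustration, not code from
the book or from Cisco.

Rule from the chapter: a host on an interface with a HIGHER security level
may initiate connections to a LOWER-level interface, but not the reverse.
Equal levels are denied by default as well (the ASA needs the separate
same-security-traffic permit command to allow them).
"""
import re
from itertools import permutations

# Constructed running-config fragment; the levels match the chapter's
# Inside (100), Outside (0) and DMZ (50) defaults.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.12 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
"""


def parse_security_levels(config: str) -> dict:
    """Return {nameif: security-level} for every named interface.

    Walks the config line by line, tracking the current interface block so
    that a 'security-level' is paired with the 'nameif' of the same block.
    """
    levels = {}
    current_name = None
    for line in config.splitlines():
        if re.match(r"^interface\s+\S+", line):
            current_name = None            # new block: forget the old name
        elif m := re.match(r"^\s+nameif\s+(\S+)", line):
            current_name = m.group(1)
        elif (m := re.match(r"^\s+security-level\s+(\d+)", line)) and current_name:
            levels[current_name] = int(m.group(1))
    return levels


def default_initiation_allowed(levels: dict, src: str, dst: str) -> bool:
    """True if hosts on 'src' may initiate connections to 'dst' under the
    default policy (no access lists, no same-security-traffic permit)."""
    return levels[src] > levels[dst]


def policy_matrix(levels: dict) -> dict:
    """Map every ordered (src, dst) interface pair to its default permission."""
    return {(s, d): default_initiation_allowed(levels, s, d)
            for s, d in permutations(levels, 2)}


if __name__ == "__main__":
    lv = parse_security_levels(SAMPLE_CONFIG)
    for (s, d), ok in sorted(policy_matrix(lv).items()):
        print(f"{s:>8} ({lv[s]:>3}) -> {d:<8} ({lv[d]:>3}): "
              f"{'permitted' if ok else 'denied'} by default")
```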

Passwords

Although it is not actually necessary to have a password on your ASA, it is a very good idea. If you do not configure any passwords and enable Telnet, anyone can connect to your ASA from any interface and reconfigure it to their heart’s desire, giving themselves access to your entire internal network.

Aside from creating user accounts, the only password used on the ASA for authentication is the enable password.

Figure 2-15: Editing your VLAN interfaces allows you to adjust the security level.

Setting the enable password

The enable password is used every time you move from User EXEC mode to Privileged EXEC mode. This gives you security on your ASA because Privileged EXEC mode is where all the dangerous commands are, including Global Configuration mode. To set an enable password, use the following command:

ASAFirewall1>enable

ASAFirewall1#configure terminal

ASAFirewall1(config)#enable password mypass

This creates an enable password for you that is stored in your configuration file. To view this password, show your running configuration using the following command:

ASAFirewall1>enable

Password:

ASAFirewall1#show running-config | include enable password

enable password VpEu/DBiUqr.VhG7 encrypted

Remember: When you configure your ASA, set the enable password.

Setting the Telnet password

If you need to remotely manage your ASA, you can choose between Telnet and SSH. Telnet is less secure than SSH because it sends data over the network in clear text. However, some people justify using Telnet because if they are running it only on a secured management network, some of the risks are mitigated.

So, in spite of the risks, it is good to know how Telnet works and how to administer it. I show you how to perform the setup to allow Telnet access to the ASA. You need to worry only about two commands: one to enable Telnet, and one to set the inactivity timeout. The default timeout is five minutes, which closes the connection after five minutes of inactivity. (I would not set the Telnet timeout much longer or shorter than that.)

ASAFirewall1>enable

Password:

ASAFirewall1#configure terminal

ASAFirewall1(config)# telnet 192.168.1.0 255.255.255.0 inside

ASAFirewall1(config)# telnet timeout 5

These commands allow access to the system through Telnet and require a Telnet password to be set. If you look at the running configuration, this password is identified by the passwd command. (Notice that, like the enable password, it is stored in an encrypted format by default.)

ASAFirewall1>enable

ASAFirewall1# show running-config | include passwd

passwd 2KFQnbNIdI.2KYOU encrypted

Warning: The default Telnet password is cisco; it is a really good idea to change it from the default.

To set the password for Telnet, use the following commands:

ASAFirewall1>enable

Password:

ASAFirewall1#configure terminal

ASAFirewall1(config)#passwd telnetpass

ASAFirewall1(config)#end

Remember: To have access to the ASA for Telnet, you need to have both an enable password and the Telnet password specified in your configuration.

Setting the SSH password

To set up access to the ASA for SSH, you have a few additional steps to perform. SSH access is not possible with only a password; you need to have a user account created on your ASA. (I show you how to create user accounts later in this chapter in the “Working Users” section, but for now I assume that you have a user named remote with a password of remote. Please do not use such an easily guessed username and password on your production network!)

To set up SSH access, you need to ensure the following commands have been issued:

ASAFirewall1>enable

Password:

ASAFirewall1#configure terminal

ASAFirewall1(config)#domain-name edtetz.net

ASAFirewall1(config)#crypto key generate rsa

INFO: The name for the keys will be: <Default-RSA-Key>

Keypair generation process begin. Please wait...

ASAFirewall1(config)#ssh 192.168.1.0 255.255.255.0 inside

ASAFirewall1(config)#ssh timeout 5

ASAFirewall1(config)#exit

You see the SSH commands in your running configuration. To confirm that you have created a Rivest-Shamir-Adleman (RSA) authentication key, use the following command:

ASAFirewall1>enable

Password:

ASAFirewall1# show crypto key mypubkey rsa

Key pair was generated at: 08:36:47 UTC Apr 17 2011

Key name: <Default-RSA-Key>

Usage: General Purpose Key

Modulus Size (bits): 1024

Key Data:

  30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a42987

  298d346b 9594ac23 4c00a9a6 934da77d baed3666 11a72016 71d7014e 5df955f2

  d5cdf615 9ea0e89d da3b79a1 97b70df7 8ad508e7 0ef74c66 ec6c39e6 8663f363

  3a0ff4c4 02c66bf8 3190a053 1b9f3bd7 b92f24bd 523c608c da6da849 1fbe5706

  1169c73a 57437e16 cdff6f38 35f08075 c6449a6f 142d0bc0 7d8d361a 63020301 0001

Key pair was generated at: 08:46:56 UTC Apr 17 2011

Key name: <Default-RSA-Key>.server

Usage: Encryption Key

Modulus Size (bits): 768

Key Data:

  307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00a5bd13 6d1cc29a

  86af47cd a340fd67 2b5ee15d 6babb483 f096d6af e69ebad5 0701cc69 5318718d

  873fa38e 4a7cb828 36e157d0 0c85dba0 fcb4b276 2a130446 d54ac52a 0c64df36

  4879d6d7 0d7d5329 ddb6c046 95ac1abd 50c04275 fc88d5fd 6b020301 0001

So the crypto key generate rsa command has created the RSA key pair that the SSH server uses, and the rest of the command sequence enabled SSH and allowed it only from the 192.168.1.0 network on the inside interface. The crypto key command needs to be issued only once on the ASA. With this done, you can now use a program such as PuTTY to connect to this ASA on TCP port 22.
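The Key Data that show crypto key mypubkey rsa prints is a DER-encoded SubjectPublicKeyInfo, so a review script can decode it and confirm the modulus size instead of trusting the summary line. The following Python is an added example, not from the book: it parses the two key blobs from the output above and checks them against a 2048-bit policy floor that is this example's own assumption.

```python
import binascii

# "Key Data" hex copied from the book's show crypto key mypubkey rsa output:
# <Default-RSA-Key> (reported as 1024 bits) and <Default-RSA-Key>.server (768 bits).
DEFAULT_RSA_KEY_HEX = """
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00a42987
298d346b 9594ac23 4c00a9a6 934da77d baed3666 11a72016 71d7014e 5df955f2
d5cdf615 9ea0e89d da3b79a1 97b70df7 8ad508e7 0ef74c66 ec6c39e6 8663f363
3a0ff4c4 02c66bf8 3190a053 1b9f3bd7 b92f24bd 523c608c da6da849 1fbe5706
1169c73a 57437e16 cdff6f38 35f08075 c6449a6f 142d0bc0 7d8d361a 63020301 0001
"""
SERVER_RSA_KEY_HEX = """
307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00a5bd13 6d1cc29a
86af47cd a340fd67 2b5ee15d 6babb483 f096d6af e69ebad5 0701cc69 5318718d
873fa38e 4a7cb828 36e157d0 0c85dba0 fcb4b276 2a130446 d54ac52a 0c64df36
4879d6d7 0d7d5329 ddb6c046 95ac1abd 50c04275 fc88d5fd 6b020301 0001
"""
MIN_RSA_BITS = 2048   # policy floor assumed for this example; both book keys fall below it


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_info(key_data_hex):
    """Parse a SubjectPublicKeyInfo blob and return (modulus_bits, public_exponent)."""
    der = binascii.unhexlify("".join(key_data_hex.split()))
    tag, spki, _ = read_tlv(der)        # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    assert tag == 0x30
    tag, alg, pos = read_tlv(spki)      # AlgorithmIdentifier SEQUENCE { OID, NULL }
    oid_tag, oid, _ = read_tlv(alg)
    assert (oid_tag, oid.hex()) == (0x06, "2a864886f70d010101"), "not rsaEncryption"
    tag, bits, _ = read_tlv(spki, pos)  # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03 and bits[0] == 0  # first byte is the count of unused bits
    _, rsa_seq, _ = read_tlv(bits, 1)   # RSAPublicKey SEQUENCE { modulus, exponent }
    _, modulus, pos = read_tlv(rsa_seq)
    _, exponent, _ = read_tlv(rsa_seq, pos)
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")


def key_meets_policy(key_data_hex, min_bits=MIN_RSA_BITS):
    """True when the modulus is at least min_bits, so a review script can fail on short keys."""
    return rsa_public_key_info(key_data_hex)[0] >= min_bits


if __name__ == "__main__":
    for name, hex_blob in (("default", DEFAULT_RSA_KEY_HEX), ("server", SERVER_RSA_KEY_HEX)):
        print(name, rsa_public_key_info(hex_blob), key_meets_policy(hex_blob))
```

The book's output shows 1024-bit and 768-bit keys; the ASA lets you request a larger key with crypto key generate rsa modulus 2048.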

By default, the SSH version is set to 1 and 2, meaning both versions are accepted. If you want to use only version 1 or only version 2, use the ssh version command followed by the version number you want.

If you want to change the SSH version through the ASDM:

1. Launch ASDM and click the Configuration link at the top of the page.

The Configuration page appears.

2. Choose Device Management in the bottom of the left navigation pane.

3. In the Device Management navigation pane, click the + sign next to Management Access, click the + sign next to Command Line (CLI), and then click Secure Shell (SSH), as shown in Figure 2-16.

From here, you can add an authorized address from which to allow SSH traffic and set the interface to be used for that traffic. To add or edit an entry, use the appropriate button to the right of the screen.

If you try to connect to the ASA at this point, you may find that you still cannot log in over SSH. When you attempt the connection, you see that the SSH service is running on TCP port 22: you are prompted about the server key that is used and asked to verify and store it, and then you are asked for a login name, which you have not yet created.

Figure 2-16: You can configure SSH in ASDM.


To create a user that can log in via SSH or the CLI, use these commands at the command line:

ASAFirewall1>enable

Password:

ASAFirewall1#configure terminal

ASAFirewall1(config)#username RemoteAdmin password AdminPass privilege 15

ASAFirewall1(config)#aaa authentication ssh console LOCAL

The last line of the preceding command set tells the ASA to authenticate SSH logins against its local user database rather than an external Authentication, Authorization, and Accounting (AAA) server, such as a Remote Authentication Dial In User Service (RADIUS) server. This again needs to be done only once. The user account that was created has the highest level of privilege and can be used to access not only SSH but also the ASDM console. Lower privilege levels can be applied to a user, but they restrict which commands are available to that user in Privileged EXEC mode.
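Taken together, the Telnet and SSH sections describe a handful of running-config lines that decide how exposed management access is. The following Python is an added example, not from the book: it lints a configuration excerpt for the weak settings discussed above (Telnet enabled, the passwd line still at the default hash the book's output shows, SSH reachable from any address, SSH version 1 still accepted, no aaa authentication ssh console line); both configuration excerpts are constructed, modelled on the book's commands.

```python
import re

# Hash that the book's running-config shows for the factory-default Telnet password ("cisco").
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed excerpt modelled on the book's commands before they are tightened.
WEAK_CONFIG = """
passwd 2KFQnbNIdI.2KYOU encrypted
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
username RemoteAdmin password AdminPass privilege 15
"""

# Constructed excerpt showing the settings the chapter works toward.
HARDENED_CONFIG = """
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
aaa authentication ssh console LOCAL
username RemoteAdmin password AdminPass privilege 15
"""


def audit_management_access(config_text):
    """Return a list of findings about remote-management settings in an ASA config."""
    findings = []
    ssh_v2_only = False
    ssh_uses_aaa = False
    for line in (raw.strip() for raw in config_text.splitlines()):
        # telnet <net> <mask> <iface>: clear-text management, which the book warns about.
        m = re.fullmatch(rf"telnet {IPV4} {IPV4} (\S+)", line)
        if m:
            findings.append(f"telnet: clear-text access allowed from {m[1]} {m[2]} on {m[3]}")
        # passwd still at the value the book shows means the well-known default is in use.
        if line == f"passwd {DEFAULT_PASSWD_HASH} encrypted":
            findings.append("passwd: Telnet password is still the factory default")
        # ssh <net> <mask> <iface> with an all-zero mask admits any source address.
        m = re.fullmatch(rf"ssh {IPV4} {IPV4} (\S+)", line)
        if m and m[2] == "0.0.0.0":
            findings.append(f"ssh: any source address allowed on {m[3]}")
        if line == "ssh version 2":
            ssh_v2_only = True
        if line.startswith("aaa authentication ssh console "):
            ssh_uses_aaa = True
    if not ssh_v2_only:
        findings.append("ssh: version 1 still accepted (default is 1 and 2); set 'ssh version 2'")
    if not ssh_uses_aaa:
        findings.append("aaa: no 'aaa authentication ssh console' line; SSH logins are not checked against a user database")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management_access(cfg))
```

Feed it the output of show running-config (for example, saved from a console session) to see the same findings against a real device's settings.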

Creating users in the ASDM

To create the user in ASDM:

1. Click the Configuration button and then click the Device Management tab on the bottom of the left navigation panel.

2. Click the + sign next to Users/AAA and then click User Accounts.

You can then click the Add, Edit, and Delete buttons on the right of the screen to add, change, or remove users, respectively. Figure 2-17 shows you the User Account screen.

To set up the local account database to be used for SSH access:

1. Click the + sign next to Users/AAA and then click AAA Access.

2. Select the SSH check box.

If you want to use your newly created account for ASDM as well, in the Device Management pane, click the + sign next to Users/AAA and then click AAA Access; select the HTTP/ASDM check box. Alternatively, you can specify aaa authentication http console LOCAL in your configuration.

Figure 2-17: Creating a user account in ASDM.


Banners

A banner is a message presented to a user of the ASA. When the message is shown depends on the type of banner you have configured. You can configure four main types of banners on your Cisco ASA:

Message of the Day (MOTD): This type of logon message has been around for a very long time on Unix and mainframe systems. The idea of the message is to display a temporary notice to users, such as issues with system availability; but because it is displayed when you connect to the device prior to login, most network administrators use it to display legal notices regarding access to the ASA, such as Unauthorized access to this device is prohibited, and violators will be prosecuted to the full extent of the law.

Login: This banner is displayed before login to the system but after the MOTD banner is displayed, unless an EXEC banner has been configured. This is typically used to display a permanent message to the users.

Exec: This banner is displayed after the MOTD and after login. This is the notice for users prior to entering Privileged EXEC mode. This can be used to post reminders to your network administrators.

ASDM: This banner is displayed after authenticating to the ASDM interface, but prior to displaying the ASDM interface.

To configure each of these banners, examine the following commands, which set up all four banners on your ASA:

ASAFirewall1(config)#banner motd This device is for authorized personnel only.

ASAFirewall1(config)#banner motd If you have not been provided with permission

ASAFirewall1(config)#banner motd to access this device - disconnect at once.

ASAFirewall1(config)#banner login *** Login Required. Unauthorized use is prohibited ***

ASAFirewall1(config)#banner exec *** Ensure that you update the system configuration ***

ASAFirewall1(config)#banner exec *** documentation after making system changes.      ***

ASAFirewall1(config)#banner asdm *** Login Required to access $(hostname). Unauthorized use is prohibited ***

ASAFirewall1(config)#exit

Unlike banners on switches and routers, you do not use a delimiter character to end the message, but rather add a line at a time to the banner message. You can use two tokens that are replaced when the message is displayed: $(hostname) and $(domain).

All these banners can be configured easily using ASDM by clicking the Configuration link at the top of the page, and then clicking the Device Management button in the bottom of the left navigation pane; next, click the + signs next to Management Access and Command Line (CLI), and then click Banner, as shown in Figure 2-18.

Figure 2-18: Banner settings in ASDM.


Setting Up User Accounts

In the “Passwords” section earlier in this chapter, I mention that SSH requires user accounts to allow login. These accounts can be stored in a local database on the ASA or on a central access server, such as a Terminal Access Controller Access-Control System (TACACS) server. TACACS is an industry-standard authentication server similar to RADIUS but not compatible with it. Most small organizations, and even some larger ones, rely on the local database for user authentication because of the amount of work required to set up RADIUS. However, if you already have RADIUS set up, you would use the following configuration to enable it. Many RADIUS servers are available, including Cisco’s Secure Access Control Server (ACS) for Windows and Microsoft’s Internet Authentication Service (IAS).

ASAFirewall1>enable

Password:

ASAFirewall1#configure terminal

ASAFirewall1(config)# aaa-server RADIUS_SERVER_GROUP protocol RADIUS

ASAFirewall1(config)# aaa-server RADIUS_SERVER_GROUP (inside) host 192.168.1.2

ASAFirewall1(config-aaa-server-host)# key secretkey

ASAFirewall1(config-aaa-server-host)#exit

ASAFirewall1(config)#exit

To use the local database for authentication, do two things:

1. Create at least one user account.

2. Configure your ASA to use the local database rather than a password on an interface basis.

To create a user in the account database, use a command like the following to specify the username and password:

ASAFirewall1>enable

Password:

ASAFirewall1#configure terminal

ASAFirewall1(config)#username RemoteAdmin password AdminPass privilege 15

ASAFirewall1(config)#username remoteuser password remotepass

ASAFirewall1(config)#aaa authentication ssh console LOCAL

ASAFirewall1(config)#exit

If you do not specify a privilege level, it defaults to 2. This is enough for VPN users but not for administrative users, who are normally set to privilege level 15.

To remove a user, use the standard no form of the command. You need only specify the username, as in the following command, which removes the remoteuser account from the local database:

ASAFirewall1>enable

Password:

ASAFirewall1#configure terminal

ASAFirewall1(config)#no username remoteuser

ASAFirewall1(config)#exit

You can also manage users with the ASDM interface, as I describe in the earlier section, “Creating users in the ASDM,” in this chapter.

Configuring Dynamic Host Configuration Protocol

If you have not read it yet, you may want to review the DHCP process I describe in Book IV, Chapter 2. After you have determined your address ranges, configure your DHCP settings with this short list of commands:

ASAFirewall1>enable

Password:

ASAFirewall1#configure terminal

ASAFirewall1(config)#dhcpd address 192.168.1.175-192.168.1.199 inside

ASAFirewall1(config)#dhcpd dns 192.168.1.8 192.168.1.254 interface inside

ASAFirewall1(config)#dhcpd wins 192.168.1.8 interface inside

ASAFirewall1(config)#dhcpd lease 28800 interface inside

ASAFirewall1(config)#dhcpd ping_timeout 10 interface inside

ASAFirewall1(config)#dhcpd domain edtetz.net interface inside

ASAFirewall1(config)#dhcpd enable inside

ASAFirewall1(config)#exit

To view your current settings, use the following command to extract all DHCP-related items out of your running-config:

ASAFirewall1>enable

Password:

ASAFirewall1# show running-config | include dhcp

dhcpd address 192.168.1.175-192.168.1.199 inside

dhcpd dns 192.168.1.8 192.168.1.254 interface inside

dhcpd wins 192.168.1.8 interface inside

dhcpd lease 28800 interface inside

dhcpd ping_timeout 10 interface inside

dhcpd domain edtetz.net interface inside

dhcpd enable inside

Other items can be configured for DHCP, including global DHCP options and a DHCP relay, which forwards DHCP requests to another DHCP server to obtain address information for clients on a network. (This is beyond the scope of this book, but if you want to find out more, review the “Configuring DHCP” chapter of the Cisco ASA 5500 Series Configuration Guide at www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/asa_84_cli_cfg.pdf.)

If you want to use ASDM to manage your DHCP settings, click the Configuration button, and then click the Device Management tab in the left navigation pane. Click the + sign next to DHCP and then click DHCP Server, as shown in Figure 2-19. You may find that managing your settings this way is easier.

Figure 2-19: DHCP Server settings in ASDM.


Examining Your License

If you want to know which features your ASA is licensed for, you can find out in two places. If you reboot your ASA, licensing information is shown during the boot process. You likely will not want to reboot your ASA just to see the licensing information, though, so you can also view it through the ASDM: launch the ASDM, and on the Home screen, click the License tab in the Device Information section. The following excerpt of the boot process shows the licensing information that is presented:

CISCO SYSTEMS

Embedded BIOS Version 1.0(12)6 08/21/06 17:26:53.43

Low Memory: 632 KB

High Memory: 251 MB

PCI Device Table.

Bus Dev Func VendID DevID Class              Irq

00  01  00   1022   2080  Host Bridge

00  01  02   1022   2082  Chipset En/Decrypt 11

00  0C  00   1148   4320  Ethernet           11

00  0D  00   177D   0003  Network En/Decrypt 10

00  0F  00   1022   2090  ISA Bridge

00  0F  02   1022   2092  IDE Controller

00  0F  03   1022   2093  Audio              10

00  0F  04   1022   2094  Serial Bus         9

00  0F  05   1022   2095  Serial Bus         9

Evaluating BIOS Options ...

Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)6) #0: Mon Aug 21 19:34:06 PDT 2006

Platform ASA5505

Use BREAK or ESC to interrupt boot.

Use SPACE to begin boot immediately.

Launching BootLoader...

Default configuration file contains 1 entry.

Searching / for images to boot.

Loading /asa803-k8.bin... Booting...

Loading...

Processor memory 188010496, Reserved memory: 20971520 (DSOs: 0 + kernel: 20971520)

Guest RAM start: 0xd3800080

Guest RAM   end: 0xdd400000

Guest RAM   brk: 0xd3801000

IO memory 39403520 bytes

IO memory start: 0xd0fff000

IO memory   end: 0xd3593000

Total SSMs found: 0

Total NICs found: 10

88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002

88E6095 rev 2 Ethernet @ index 08 MAC: 001f.ca8c.93d9

88E6095 rev 2 Ethernet @ index 07 MAC: 001f.ca8c.93d8

88E6095 rev 2 Ethernet @ index 06 MAC: 001f.ca8c.93d7

88E6095 rev 2 Ethernet @ index 05 MAC: 001f.ca8c.93d6

88E6095 rev 2 Ethernet @ index 04 MAC: 001f.ca8c.93d5

88E6095 rev 2 Ethernet @ index 03 MAC: 001f.ca8c.93d4

88E6095 rev 2 Ethernet @ index 02 MAC: 001f.ca8c.93d3

88E6095 rev 2 Ethernet @ index 01 MAC: 001f.ca8c.93d2

y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 001f.ca8c.93da

Licensed features for this platform:

Maximum Physical Interfaces  : 8

VLANs                        : 20, DMZ Unrestricted

Inside Hosts                 : Unlimited

Failover                     : Active/Standby

VPN-DES                      : Enabled

VPN-3DES-AES                 : Enabled

VPN Peers                    : 25

webVPN Peers                 : 2

Dual ISPs                    : Enabled

VLAN Trunk Ports             : 8

AnyConnect for Mobile        : Disabled

AnyConnect for Linksys phone : Disabled

Advanced Endpoint Assessment : Disabled

This platform has an ASA 5505 Security Plus license.

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
