The Accidental Administrator Cisco Asa Security Pdf
Here's a guest post sent to me by Don Crawley, author of The Accidental Administrator book series. It is an excerpt from his latest: The Accidental Administrator: Cisco ASA Security Appliance: A Step-by-Step Configuration Guide.

There are literally thousands of commands and sub-commands available to configure a Cisco security appliance. As you gain knowledge of the appliance, you will use more and more of the commands. Initially, however, there are just a few commands required to configure basic functionality on the appliance. Basic functionality is defined as allowing inside hosts to access outside hosts, but not allowing outside hosts to access the inside hosts. Additionally, management must be allowed from at least one inside host. To enable basic functionality, there are eight basic commands (these commands are based on software version 8.3(1) or greater):
interface
nameif
security-level
ip address
switchport access
object network
nat
route

interface

The interface command identifies either the hardware interface or the Switch Virtual Interface (VLAN interface) that will be configured. Once in interface configuration mode, you can assign physical interfaces to switchports and enable them (turn them on), or you can assign names and security levels to VLAN interfaces.

nameif

The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or DMZ.

security-level

Security levels are numeric values, ranging from 0 to 100, used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security levels. The default security level for an outside interface is 0. For an inside interface, the default security level is 100.

In the following sample configuration, the interface command is first used to name the inside and outside VLAN interfaces, then the DMZ interface is named and a security level of 50 is assigned to it.

ciscoasa(config)# interface vlan1
ciscoasa(config-if)# nameif inside
INFO: Security level for 'inside' set to 100 by default.
ciscoasa(config-if)# interface vlan2
ciscoasa(config-if)# nameif outside
INFO: Security level for 'outside' set to 0 by default.
ciscoasa(config-if)# interface vlan3
ciscoasa(config-if)# nameif dmz
ciscoasa(config-if)# security-level 50

ip address

The ip address command assigns an IP address to a VLAN interface, either statically or by making it a DHCP client. With modern versions of security appliance software, it is not necessary to explicitly configure default subnet masks. If you are using non-standard masks, you must explicitly configure the mask; otherwise, it is not necessary.

In the following sample configuration, an IP address is assigned to VLAN 1, the inside interface.

ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# ip address 192.168.1.1

switchport access

The switchport access command on the ASA 5505 security appliance assigns a physical interface to a logical (VLAN) interface. In the next example, the interface command is used to identify physical interfaces, assign them to switchports on the appliance, and enable them (turn them on). This command is not used on the ASA 55x0 appliances.

ciscoasa(config-if)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

object network

The object network objany statement creates an object called "objany". (You do not have to name the object "objany"; that is a descriptive name, but you could just as easily name it "Juan".) The network option states that this particular object will be based on IP addresses. The subnet 0.0.0.0 0.0.0.0 command states that objany will affect any IP address not configured on any other object.

ciscoasa(config-if)# object network objany
ciscoasa(config-network-object)# subnet 0.0.0.0 0.0.0.0

nat

The nat statement, as shown below, tells the firewall to allow all traffic flowing from the inside to the outside interface to use whatever address is dynamically (DHCP) configured on the outside interface. In software version 8.3 and later this is object NAT, so the statement is entered within the objany network object definition.

ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

route

The route command, in its most basic form, assigns a default route for traffic, typically to an ISP's router. It can also be used in conjunction with access-lists to send specific types of traffic to specific hosts on specific subnets. In this sample configuration, the route command is used to configure a default route to the ISP's router at 12.3.4.6. The keyword outside identifies the interface through which traffic will flow to reach the default route. The two zeroes before the ISP's router address are shorthand for an IP address of 0.0.0.0 and a mask of 0.0.0.0.

ciscoasa(config-if)# route outside 0 0 12.3.4.6

The above commands create a very basic firewall; however, using a sophisticated device such as a Cisco PIX or ASA security appliance to perform such basic firewall functions is overkill.
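The security-level rule above is the whole of the default policy, so it is worth being able to check it mechanically before trusting a config. The following script is an added example, not from the book or the post: it parses the interface stanzas of a constructed running-config fragment (the inside/outside/dmz interfaces from the walkthrough, with a made-up DMZ address), applies the ASA defaults for a nameif with no explicit security-level (100 for inside, 0 for anything else), and reports for every interface pair whether traffic is permitted by the level rule alone, needs an access-list, or needs same-security-traffic permit.

```python
from itertools import permutations

# Constructed sample running-config fragment (not a capture from a real device).
# The 10.0.3.1 DMZ address and the explicit security-level lines are assumptions.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.0.3.1 255.255.255.0
"""


def parse_interfaces(config):
    """Return {nameif: security_level} for every named interface.

    An interface with a nameif but no security-level line gets the ASA default:
    100 when the name is 'inside', 0 for any other name."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new stanza, forget previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
            levels[name] = 100 if name == "inside" else 0
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def flow_matrix(levels):
    """For each ordered (src, dst) pair, state what the security-level rule decides.

    Higher -> lower is allowed by default; lower -> higher is dropped until an
    access-list applied on the source interface permits it; equal levels are
    dropped until 'same-security-traffic permit inter-interface' is configured."""
    verdicts = {}
    for src, dst in permutations(levels, 2):
        if levels[src] > levels[dst]:
            verdicts[(src, dst)] = "permitted by default"
        elif levels[src] < levels[dst]:
            verdicts[(src, dst)] = "denied: needs access-list on " + src
        else:
            verdicts[(src, dst)] = "denied: needs same-security-traffic permit"
    return verdicts
```

Running `flow_matrix(parse_interfaces(SAMPLE_CONFIG))` shows inside reaching both outside and dmz, dmz reaching only outside, and nothing reaching inside without an access-list, which is exactly the "basic functionality" the excerpt defines.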
There is a newer version of this book, updated for software version 9.x and later. Look for ISBN 9750. This version is appropriate for software versions 8.3 and 8.4.
The Accidental Administrator: Cisco ASA Step-by-Step Configuration Guide is packed with 56 easy-to-follow hands-on exercises to help you build a working firewall configuration from scratch. It's the most straightforward approach to learning how to configure the Cisco ASA Security Appliance, filled with practical tips and secrets learned from years of teaching and consulting on the ASA. There is no time wasted on boring theory. The essentials are covered in chapters on installing, backups and restores, remote administration, VPNs, DMZs, usernames, transparent mode, static NAT, port address translation, access lists, DHCP, password recovery, logon banners, AAA (authentication, authorization, and accounting), filtering content, and more. This book is based on software version 8.3(1). All this information is presented in a straightforward style that you can understand and use right away.
The idea is for you to be able to sit down with your ASA and build a working configuration in a matter of minutes. Of course, some of the more advanced configs may take a little longer, but even so, you'll be able to 'get it done' in a minimal amount of time!