This example will apply to Cisco ASA/PIX v8.x-v9.x
Cisco ASA Basic Setup

A basic setup looks like this:

  • Set Hostname
  • Password Protection/User Management
  • Set Banner (Recommended for Legal)
  • WAN Address
  • Internal LAN
  • Set DNS (Optional)
  • Remote Access
  • NAT Internal LAN to WAN
  • DHCP Server (Optional)
  • SAVE YOUR WORK

1. We’re going to start by setting up a Hostname for our new firewall.

I will set it to LINUXMAN-ASA; notice that the change takes effect immediately and does not require a reboot, unlike Windows.

ciscoasa# configure terminal
ciscoasa(config)# hostname LINUXMAN-ASA
LINUXMAN-ASA(config)#

2. We need to secure it so not just anyone can log into it, so we’re going to set up a password for GLOBAL CONFIGURATION MODE and CONSOLE.

Global Configuration Mode
LINUXMAN-ASA(config)# enable password linuxman
Console

Before we can configure LOCAL authentication, we have to create users to manage our firewall. For simplicity, we are going to assume that we are dealing with a group of trusted Administrators so we are going to skip assigning specific privileges for now and go with privilege level 15.

Let’s create 3 accounts for our Administrators:

  • Jeff
  • Thomas
  • Chris
LINUXMAN-ASA(config)# username jeff password jeff
LINUXMAN-ASA(config)# username thomas password thomas
LINUXMAN-ASA(config)# username chris password chris

Now that we have a list of user accounts in our LOCAL database, we can configure LOCAL authentication for CONSOLE and set a maximum number of failed login attempts to prevent unlimited password guessing.

LINUXMAN-ASA(config)# aaa authentication serial console LOCAL
LINUXMAN-ASA(config)# aaa local authentication attempts max-fail 3
Testing and Troubleshooting

Let’s log out completely from our ASA and test the console authentication: log in as Jeff, followed by the ENABLE password authentication.

LINUXMAN-ASA(config)# exit
LINUXMAN-ASA# exit

Logoff

Username: jeff
Password: ****
User jeff logged in to LINUXMAN-ASA
Logins over the last 1 days: 2. Last login: 21:44:13 UTC Sep 1 2018 from console
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
LINUXMAN-ASA> enable
Password: ********
LINUXMAN-ASA#

Now let’s test our max-fail rule for LOCAL users.

LINUXMAN-ASA# exit

Logoff

Username: jeff
Password: *
Username: jeff
Password: *
Username: jeff
Password: *
Username: jeff
Password: ****
Username: chris
Password: *****
User chris logged in to LINUXMAN-ASA
Logins over the last 1 days: 2. Last login: 21:49:21 UTC Sep 1 2018 from console
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
LINUXMAN-ASA> enable
Password: ********
LINUXMAN-ASA#

Notice that after the 3rd failed attempt, even if we use the correct credentials it doesn’t let us log in at all or give an error. We logged in as Chris to troubleshoot. Let’s look to see if the account is marked as locked out.

LINUXMAN-ASA# show aaa local user lockout
Lock-time Failed-attempts   Locked User
22:42:19                3   Y      jeff
LINUXMAN-ASA#

Here we can see how many failed attempts were made and the current locked state for user Jeff. Now let’s unlock his account, re-check the lockout state, and make sure we can log in again.

LINUXMAN-ASA# configure terminal
LINUXMAN-ASA(config)# clear aaa local user lockout username jeff
LINUXMAN-ASA(config)# show aaa local user lockout
Lock-time Failed-attempts   Locked User
LINUXMAN-ASA(config)# exit
LINUXMAN-ASA# exit

Logoff

Username: jeff
Password: ****
User jeff logged in to LINUXMAN-ASA
Logins over the last 1 days: 3. Last login: 21:46:54 UTC Sep 1 2018 from console
Failed logins since the last login: 12. Last failed login: 22:43:43 UTC Sep 1 2018 from console
Type help or '?' for a list of available commands.
LINUXMAN-ASA> enable
Password: ********
LINUXMAN-ASA#
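As an added example (not part of the original post), here is a small Python helper that parses the "show aaa local user lockout" table shown above and produces the matching "clear aaa local user lockout username" command for each locked account. The sample output it runs on is constructed in the same column layout, with a second, not-locked row added to exercise the parser.

```python
import re

# Constructed sample in the layout printed by "show aaa local user lockout"
# (not captured from a real device); the second row is not locked.
SAMPLE_LOCKOUT_OUTPUT = """\
Lock-time Failed-attempts   Locked User
22:42:19                3   Y      jeff
22:50:02                2   N      thomas
LINUXMAN-ASA#
"""

# lock time, failed attempt count, Y/N locked flag, username
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+([YN])\s+(\S+)$")


def parse_lockout_table(output):
    """Parse the lockout table into a list of dicts.

    Header, blank and prompt lines do not match ROW_RE and are skipped,
    so an empty table (nobody locked out) simply yields an empty list.
    """
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        lock_time, failed, locked, user = m.groups()
        rows.append({
            "user": user,
            "lock_time": lock_time,
            "failed_attempts": int(failed),
            "locked": locked == "Y",
        })
    return rows


def unlock_commands(rows):
    """Return the ASA commands that clear every currently locked user."""
    return [f"clear aaa local user lockout username {r['user']}"
            for r in rows if r["locked"]]


if __name__ == "__main__":
    parsed = parse_lockout_table(SAMPLE_LOCKOUT_OUTPUT)
    for cmd in unlock_commands(parsed):
        print(cmd)
```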

3. We can set up a banner for Login and MOTD (Message of the Day) that is shown when we connect to or log into our ASA.

Login Banner
LINUXMAN-ASA# configure terminal
LINUXMAN-ASA(config)# banner login UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
LINUXMAN-ASA(config)# banner login
LINUXMAN-ASA(config)# banner login You must have explicit, authorized permission to access or configure this device.
LINUXMAN-ASA(config)# banner login
LINUXMAN-ASA(config)# banner login Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
LINUXMAN-ASA(config)# banner login
LINUXMAN-ASA(config)# banner login All activities performed on this device are logged and monitored.
MOTD Banner
LINUXMAN-ASA(config)# banner motd WELCOME AUTHORIZED USER!

And let’s give it a try!

LINUXMAN-ASA(config)# exit
LINUXMAN-ASA# exit

Logoff

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this device.

Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.

All activities performed on this device are logged and monitored.
Username: jeff
Password: ****
WELCOME AUTHORIZED USER!
User jeff logged in to LINUXMAN-ASA
Logins over the last 1 days: 6. Last login: 23:19:13 UTC Sep 1 2018 from console
Failed logins since the last login: 0. Last failed login: 22:43:43 UTC Sep 1 2018 from console
Type help or '?' for a list of available commands.
LINUXMAN-ASA> en
Password: ********
LINUXMAN-ASA#

4. Let’s set up your WAN address; it can either be assigned via DHCP from your provider or configured as STATIC.

I will go over setting up the WAN via STATIC and DHCP. In my scenario my WAN address is going to be a private address since I am creating this behind a NAT. A real WAN address looks “unusual” or very “random”, such as Google’s 216.58.194.46. For the rest of this guide, I will be using a STATIC IP address.

We’re going to be using GigabitEthernet 1/1 as our WAN and GigabitEthernet 1/2 as our LAN. To see what available interfaces you have on your model, execute the following command:

LINUXMAN-ASA# show interface ip brief
Interface              IP-Address   OK? Method Status                Protocol
Virtual0               127.1.0.1    YES unset  up                    up
GigabitEthernet1/1     unassigned   YES unset  administratively down down
GigabitEthernet1/2     unassigned   YES unset  administratively down down
GigabitEthernet1/3     unassigned   YES unset  administratively down down
GigabitEthernet1/4     unassigned   YES unset  administratively down down
GigabitEthernet1/5     unassigned   YES unset  administratively down down
GigabitEthernet1/6     unassigned   YES unset  administratively down down
GigabitEthernet1/7     unassigned   YES unset  administratively down down
GigabitEthernet1/8     unassigned   YES unset  administratively down down
Internal-Control1/1    127.0.1.1    YES unset  up                    up
Internal-Data1/1       unassigned   YES unset  down                  down
Internal-Data1/2       unassigned   YES unset  up                    up
Internal-Data1/3       unassigned   YES unset  up                    up
Internal-Data1/4       169.254.1.1  YES unset  up                    up
Management1/1          unassigned   YES unset  administratively down down
STATIC
  1. Configure Interface IP Address
  2. Enable Interface
  3. Configure Interface Name
  4. Configure Default Route for WAN Interface
Configure IP Address
LINUXMAN-ASA# configure terminal
LINUXMAN-ASA(config)# interface GigabitEthernet 1/1
LINUXMAN-ASA(config-if)# ip address 192.168.0.55 255.255.255.0
LINUXMAN-ASA(config-if)# no shutdown
LINUXMAN-ASA(config-if)# nameif WAN
INFO: Security level for "WAN" set to 0 by default.
LINUXMAN-ASA(config-if)# exit
LINUXMAN-ASA(config)# route WAN 0.0.0.0 0.0.0.0 192.168.0.1
Verify Settings

Check IP Address assignment

LINUXMAN-ASA(config)# show interface ip brief
Interface              IP-Address    OK? Method Status        Protocol
Virtual0               127.1.0.1     YES unset  up            up
GigabitEthernet1/1     192.168.0.55  YES manual up            up
<--- Output Omitted --->

Check Routes

LINUXMAN-ASA(config)# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
    ia - IS-IS inter area, * - candidate default, U - per-user static route
    o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, WAN
C     192.168.0.0 255.255.255.0 is directly connected, WAN
L     192.168.0.55 255.255.255.255 is directly connected, WAN

LINUXMAN-ASA(config)#
Verify Connectivity

We can verify connectivity to the internet by pinging an external host. We will ping SecureDNS for testing.

LINUXMAN-ASA(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/40 ms
LINUXMAN-ASA(config)#
DHCP
  1. Configure Interface for DHCP
  2. Enable Interface
  3. Configure Interface Name
Configure Interface to use DHCP
LINUXMAN-ASA# configure terminal
LINUXMAN-ASA(config)# interface GigabitEthernet 1/1
LINUXMAN-ASA(config-if)# ip address dhcp setroute
LINUXMAN-ASA(config-if)# no shutdown
LINUXMAN-ASA(config-if)# nameif WAN
INFO: Security level for "WAN" set to 0 by default.
LINUXMAN-ASA(config-if)# exit
Verify Settings

Check IP Address assignment

LINUXMAN-ASA(config)# show interface ip brief
Interface              IP-Address     OK? Method Status        Protocol
Virtual0               127.1.0.1      YES unset  up            up
GigabitEthernet1/1     192.168.0.163  YES manual up            up
<--- Output Omitted --->

Check Routes

LINUXMAN-ASA(config)# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
    ia - IS-IS inter area, * - candidate default, U - per-user static route
    o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, WAN
C     192.168.0.0 255.255.255.0 is directly connected, WAN
L     192.168.0.163 255.255.255.255 is directly connected, WAN

LINUXMAN-ASA(config)#
Verify Connectivity

We can verify connectivity to the internet by pinging an external host. We will ping SecureDNS for testing.

LINUXMAN-ASA(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/40 ms
LINUXMAN-ASA(config)#

5. Let’s configure our internal LAN, where our hosts will connect.

  1. Configure Interface IP Address
  2. Enable Interface
  3. Configure Interface Name
  4. Set Security Level of Interface
Configure IP Address
LINUXMAN-ASA(config)# interface GigabitEthernet 1/2
LINUXMAN-ASA(config-if)# ip address 172.16.30.254 255.255.255.0
LINUXMAN-ASA(config-if)# no shutdown
LINUXMAN-ASA(config-if)# nameif LAN
INFO: Security level for "LAN" set to 0 by default.
LINUXMAN-ASA(config-if)# security-level 100
Verify Settings

Check IP Address assignment

LINUXMAN-ASA(config)# show interface ip brief
Interface              IP-Address     OK? Method Status        Protocol
Virtual0               127.1.0.1      YES unset  up            up
GigabitEthernet1/1     192.168.0.55   YES manual up            up
GigabitEthernet1/2     172.16.30.254  YES manual down          down
<--- Output Omitted --->

Check Routes

LINUXMAN-ASA(config)# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
    ia - IS-IS inter area, * - candidate default, U - per-user static route
    o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.0.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, WAN
C     172.16.30.0 255.255.255.0 is directly connected, LAN
L     172.16.30.254 255.255.255.255 is directly connected, LAN
C     192.168.0.0 255.255.255.0 is directly connected, WAN
L     192.168.0.55 255.255.255.255 is directly connected, WAN

LINUXMAN-ASA(config)#

7. Now that we have our Administrator accounts set up and have configured interfaces, let’s set up SSH remote access for them.

I personally try to avoid using Telnet at all costs for remote access and favor SSH, which should be a no-brainer. We’re going to set up remote access on WAN, either for all remote IPs or for specific IPs. You can add additional interfaces where SSH will listen for and allow connections by simply specifying which interface to listen on.

NOTE: And for the love of God, please change the key exchange to use the latest Diffie-Hellman group. I have come across many ASAs configured by other technicians who did not bother to change this so it’s more secure. If your firewall does not support the latest Diffie-Hellman group, then you should look into upgrading the IOS Software.

  1. Allow all/host/hosts to connect to WAN
  2. Set latest supported Diffie-Hellman group
  3. Set Timeout
  4. Set Authentication
Allow All
LINUXMAN-ASA(config)# ssh 0.0.0.0 0.0.0.0 WAN
LINUXMAN-ASA(config)# ssh key-exchange group dh-group14-sha1
LINUXMAN-ASA(config)# ssh timeout 5
LINUXMAN-ASA(config)# aaa authentication ssh console LOCAL
Allow Specific Host
LINUXMAN-ASA(config)# ssh 192.168.0.169 255.255.255.255 WAN
LINUXMAN-ASA(config)# ssh key-exchange group dh-group14-sha1
LINUXMAN-ASA(config)# ssh timeout 5
LINUXMAN-ASA(config)# aaa authentication ssh console LOCAL
Allow Specific Subnet
LINUXMAN-ASA(config)# ssh 192.168.0.0 255.255.255.0 WAN
LINUXMAN-ASA(config)# ssh key-exchange group dh-group14-sha1
LINUXMAN-ASA(config)# ssh timeout 5
LINUXMAN-ASA(config)# aaa authentication ssh console LOCAL
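The settings from the console lockout, banner and SSH sections above can be checked mechanically against a saved running-config instead of eyeballing it. The following Python audit is an added example, not from the original post; the config excerpt it runs on is constructed to mirror this guide, with a Telnet access line added so the check has something to flag.

```python
import re

# Constructed running-config excerpt that mirrors the settings from this
# guide (not a capture from the author's firewall).
SAMPLE_CONFIG = """\
hostname LINUXMAN-ASA
banner login UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 3
ssh 0.0.0.0 0.0.0.0 WAN
ssh timeout 5
ssh key-exchange group dh-group14-sha1
telnet 192.168.0.0 255.255.255.0 LAN
"""

# A config line matching the pattern satisfies the check.
REQUIRED = [
    ("console logins use the LOCAL user database",
     re.compile(r"^aaa authentication serial console LOCAL$")),
    ("SSH logins use the LOCAL user database",
     re.compile(r"^aaa authentication ssh console LOCAL$")),
    ("failed-login lockout (max-fail) configured",
     re.compile(r"^aaa local authentication attempts max-fail \d+$")),
    ("SSH idle timeout set",
     re.compile(r"^ssh timeout \d+$")),
    ("SSH key exchange uses dh-group14, not the default dh-group1",
     re.compile(r"^ssh key-exchange group dh-group14-sha\d+$")),
    ("login banner present",
     re.compile(r"^banner login .+")),
]
TELNET_ACCESS = re.compile(r"^telnet \S+ \S+ (\S+)$")
OPEN_SSH = re.compile(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")


def audit_asa_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    findings = []
    for desc, pat in REQUIRED:
        if not any(pat.match(ln) for ln in lines):
            findings.append(f"MISSING: {desc}")
    for ln in lines:
        if TELNET_ACCESS.match(ln):
            findings.append(f"RISK: Telnet management access enabled: {ln}")
        m = OPEN_SSH.match(ln)
        if m:
            findings.append(f"RISK: SSH allowed from any address on {m.group(1)}")
    return findings
```

Run it over the output of "show running-config" saved to a file; the "Allow Specific Subnet" variant above clears the open-SSH finding.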
Test Connectivity

We’re going to test our SSH connection from a Linux machine and log in as Jeff. Notice we get our Login Banner and MOTD Banner even over SSH.

linuxman@LINUXMAN-PC:~$ ssh jeff@192.168.0.55
The authenticity of host '192.168.0.55 (192.168.0.55)' can't be established.
RSA key fingerprint is SHA256:ukjKlh3XsLygqCUPbwaNVzX8tkMZv9vFRS2qEhZ7MAc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.55' (RSA) to the list of known hosts.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit, authorized permission to access or configure this device.

Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.

All activities performed on this device are logged and monitored.
jeff@192.168.0.55's password:
WELCOME AUTHORIZED USER!
User jeff logged in to LINUXMAN-ASA
Logins over the last 1 days: 7. Last login: 23:26:35 UTC Sep 1 2018 from console
Failed logins since the last login: 0. Last failed login: 22:43:43 UTC Sep 1 2018 from console
Type help or '?' for a list of available commands.
LINUXMAN-ASA> enable
Password: ********
LINUXMAN-ASA#

8. Now we need to provide our Internal LAN some outside access. In this example we will keep it simple and Dynamically NAT our LAN Interface.

To achieve this, we need to create a Network Object that will represent all traffic from LAN and create a NAT statement for it.

LINUXMAN-ASA(config)# object network all
LINUXMAN-ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
LINUXMAN-ASA(config-network-object)# nat (LAN,WAN) dynamic interface
LINUXMAN-ASA(config-network-object)# exit

9. If you are not going to use a separate DHCP server, you can set one up right on your firewall.

  1. Configure the IP Pool for DHCPD to use
  2. Configure DNS for DHCPD Clients
  3. Configure Lease time
  4. Enable DHCPD on an Interface
LINUXMAN-ASA(config)# dhcpd address 172.16.30.100-172.16.30.150 LAN
LINUXMAN-ASA(config)# dhcpd dns 1.1.1.1 interface LAN
LINUXMAN-ASA(config)# dhcpd lease 1500 interface LAN
LINUXMAN-ASA(config)# dhcpd enable LAN

10. Really you should be doing this as you go, but save your work!

LINUXMAN-ASA# write memory
Building configuration...
Cryptochecksum: 4191e39f 9663e937 0c8e1df5 3095ffa5

5348 bytes copied in 0.290 secs
[OK]
LINUXMAN-ASA#
Final Testing

Now that we have configured our firewall for internet access to internal hosts with DHCP, let’s connect a host to the LAN and test connectivity. I will be connecting my Chromebook and testing the Internet.

Cisco ASA Basic Setup Test