Unprivileged mode: limited rights
Privileged mode
Global configuration: used for "general" configurations (e.g. password for privileged mode, static routes, banners, hostname configuration etc.)
Configuration sub-modes
ciscoasa>enable 15
Password:
ciscoasa#configure terminal
ciscoasa(config)#interface fa0/1
ciscoasa(config-if)#exit
ciscoasa(config)#exit
ciscoasa#exit
ciscoasa>
2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
ciscoasa> ?
enable    Turn on privileged commands
exit      Exit the current command mode
login     Log in as a particular user
logout    Exit from current user profile to unprivileged mode
perfmon   Change or view performance monitoring options
ping      Test connectivity from specified interface to an IP address
quit      Exit the current command mode
ciscoasa> help enable
USAGE:
enable [<priv_level>]
DESCRIPTION:
enable    Turn on privileged commands
Deleting configurations
- First we delete:
[Diagram: running-config (RAM) and startup-config (Flash)]
ciscoasa# clear configure all
ciscoasa# write erase
Saving the configuration
- Then we save:
[Diagram: running-config (RAM) and startup-config (Flash)]
ciscoasa# copy running startup
ciscoasa# write mem
ciscoasa# wr
ciscoasa# show running
ciscoasa# show startup
clear configure
- It doesn't exist in IOS (on routers and switches)
- Enables the specific deletion of configurations in RAM
ciscoasa(config)# show running-config | include isakmp
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ciscoasa(config)# clear configure isakmp
ciscoasa(config)# show running-config | include isakmp
- Configuring a hostname
- Configuring a password for the telnet line
- Configuring a password for privileged mode. How did we configure this on a router?
ciscoasa(config)# hostname ipd
ipd(config)#
ipd(config)# passwd cisco
ipd(config)# enable password cisco
ipd# sh run | i pass
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
- In order to pass traffic between 2 interfaces, levels of security need to be defined for each interface.
- Security levels represent the simplest stateful firewall model that the ASA offers.
- Packets get inspected by the firewall engine when they traverse from a higher security level interface to a lower security level interface.
- Packets that try to pass from a lower security interface to a higher security interface, without having a stateful object related to them in the memory of the ASA, will get dropped by default.
- Besides security levels, every ASA interface needs a "name". This "name" is going to be referred to in all commands that want to use this interface.
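The default behaviour described in the bullets above, as an added example that is not part of the original slides: a small Python model of the ASA forwarding decision between named interfaces. The interface names and levels are the three from the slide diagram; the five-tuple connection key and the plain set used as the state table are assumptions made for the example.

```python
"""Added example (not part of the original slides): a small model of the
default ASA forwarding rule between named interfaces.

Assumptions, labelled here because the page does not state them:
- the interface names and levels are the three from the slide diagram
  (inside 100, outside 0, DMZ 50);
- a connection is identified by (protocol, src, sport, dst, dport);
- the ASA's "stateful object" is modelled as membership of a plain set.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed interface table matching the diagram in the slides.
INTERFACES: Dict[str, int] = {"inside": 100, "outside": 0, "DMZ": 50}

FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str   # interface the packet arrives on
    out_if: str  # interface the packet would be forwarded out of


@dataclass
class AsaModel:
    levels: Dict[str, int] = field(default_factory=lambda: dict(INTERFACES))
    state: Set[FlowKey] = field(default_factory=set)

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def forward(self, p: Packet) -> str:
        """Return 'permit' or 'drop' for p, updating the state table."""
        # An interface with no nameif/security-level has no L3 connectivity.
        if p.in_if not in self.levels or p.out_if not in self.levels:
            return "drop"
        # Packets belonging to a known connection (either direction) pass.
        if self._key(p) in self.state or self._reverse(p) in self.state:
            return "permit"
        if self.levels[p.in_if] > self.levels[p.out_if]:
            # Higher -> lower: inspected, allowed, and a stateful object is
            # kept so that the return traffic is accepted.
            self.state.add(self._key(p))
            return "permit"
        # Lower -> higher with no matching state is dropped by default.
        # (Equal levels are also denied by default on a real ASA unless
        # same-security-traffic permit inter-interface is configured.)
        return "drop"


def walkthrough() -> Dict[str, str]:
    """Run a scenario on the slide topology and return each verdict by label."""
    asa = AsaModel()
    out = Packet("tcp", "192.168.1.10", 40000, "198.51.100.7", 80, "inside", "outside")
    back = Packet("tcp", "198.51.100.7", 80, "192.168.1.10", 40000, "outside", "inside")
    unsolicited = Packet("tcp", "203.0.113.9", 5555, "192.168.1.10", 22, "outside", "inside")
    dmz_in = Packet("tcp", "192.168.2.10", 1234, "192.168.1.10", 22, "DMZ", "inside")
    in_dmz = Packet("tcp", "192.168.1.10", 1235, "192.168.2.10", 80, "inside", "DMZ")
    unnamed = Packet("tcp", "192.168.3.5", 1, "192.168.1.10", 2, "e0/3", "inside")
    return {
        "inside->outside": asa.forward(out),
        "reply outside->inside": asa.forward(back),
        "unsolicited outside->inside": asa.forward(unsolicited),
        "DMZ->inside": asa.forward(dmz_in),
        "inside->DMZ": asa.forward(in_dmz),
        "unnamed->inside": asa.forward(unnamed),
    }


if __name__ == "__main__":
    for label, verdict in walkthrough().items():
        print(f"{label:30} {verdict}")
```

The order of the calls in `walkthrough()` matters: the reply from outside is permitted only because the inside-initiated packet was forwarded first and left a flow in the state table; the same packet arriving with no prior state is dropped.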
- Configuring security levels is done from (config-if):
[Diagram: ASA with interfaces E0/1, E0/2, E0/3 connecting "inside" (Security Level 100), "DMZ" (Security Level 50) and "outside" (Security Level 0, towards the Internet)]
- An ASA interface that has no name or security level does not have L3 connectivity
[Diagram: ASA with interfaces E0/1, E0/2, E0/3 connecting "inside" (Security Level 100), "DMZ" (Security Level 50) and "outside" (Security Level 0, towards the Internet)]
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
- Can be configured using the security-level command
[Diagram: ASA with interfaces E0/1, E0/2, E0/3 connecting "inside" (Security Level 100), "DMZ" (Security Level 50) and "outside" (Security Level 0, towards the Internet)]
ciscoasa(config)#interface e0/1
ciscoasa(config-if)#nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
ciscoasa(config-if)#security-level 50
ciscoasa(config-if)#ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)#no shutdown
Telnet access
- By default access is not allowed
- If no password is set, by default it's "cisco"
- Access through telnet on the outside interface (security-level 0) is not permitted unless the telnet connection is coming through an IPSec tunnel
- Monitoring connections
ciscoasa(config)# telnet 10.10.0.0 255.255.255.0 inside
ciscoasa(config)# telnet timeout 10
ciscoasa(config)# passwd cisco123
ciscoasa# who
0: 10.10.0.132
ciscoasa# kill 0
ciscoasa# who
SSH access
- Permitted on any interface
- Step 1: generate the keys
- Step 2: activate SSH
- By default, the user is "pix" and the password is the one configured with passwd
ciscoasa(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
ciscoasa(config)# ssh 141.85.37.0 255.255.255.0 outside
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 10
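The telnet and SSH access points made in the two slides above, turned into a configuration check. This is an added example, not code from the original slides: a Python audit over a constructed running-config excerpt (hostname, addresses and interface names are made up for the example) that flags the default password, telnet configured on the security-level 0 interface, management access open to any source, and missing `ssh version 2` / timeout lines. The hash is the encrypted form of the default password "cisco" exactly as it appears in the page's `sh run | i pass` output.

```python
"""Added example (not from the original slides): a management-access audit
over an ASA running-config excerpt.

Assumptions, labelled because the page does not state them: the excerpt
below is constructed for the example; the hash is the encrypted form of the
default password "cisco" as shown in the page's "sh run | i pass" output.
"""
from typing import Dict, List

DEFAULT_PASSWORD_HASH = "2KFQnbNIdI.2KYOU"  # from the page's sh run output

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname ipd
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
telnet 10.10.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 10
ssh 141.85.37.0 255.255.255.0 outside
ssh version 2
"""


def parse_interface_levels(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level by walking the interface blocks."""
    levels: Dict[str, int] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = None          # new block: nameif not seen yet
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels


def audit_management_access(config: str) -> List[str]:
    """Return a list of finding codes; an empty list means nothing was flagged."""
    findings: List[str] = []
    levels = parse_interface_levels(config)
    saw_passwd = ssh_v2 = ssh_timeout = telnet_timeout = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("enable password "):
            if DEFAULT_PASSWORD_HASH in line or line.split()[2] == "cisco":
                findings.append("DEFAULT_ENABLE_PASSWORD")
        elif line.startswith("passwd "):
            saw_passwd = True
            if DEFAULT_PASSWORD_HASH in line or line.split()[1] == "cisco":
                findings.append("DEFAULT_LOGIN_PASSWORD")
        elif line.startswith("telnet timeout "):
            telnet_timeout = True
        elif line.startswith("ssh timeout "):
            ssh_timeout = True
        elif line == "ssh version 2":
            ssh_v2 = True
        elif line.startswith(("telnet ", "ssh ")):
            parts = line.split()          # <proto> <network> <mask> <nameif>
            if len(parts) != 4:
                continue
            proto, net, mask, nameif = parts
            if proto == "telnet" and levels.get(nameif) == 0:
                # Telnet on the security-level 0 interface (page: only via IPsec).
                findings.append(f"TELNET_ON_LEVEL0:{nameif}")
            if net == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(f"{proto.upper()}_FROM_ANY:{nameif}")
    if not saw_passwd:
        findings.append("NO_PASSWD_SET_DEFAULT_IS_cisco")  # page: default is "cisco"
    if not ssh_v2:
        findings.append("SSH_VERSION_2_NOT_SET")
    if not ssh_timeout:
        findings.append("SSH_TIMEOUT_NOT_SET")
    if not telnet_timeout:
        findings.append("TELNET_TIMEOUT_NOT_SET")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```

The interface levels are taken from the config itself rather than hard-coded, so the telnet check follows whatever interface currently carries security-level 0 instead of assuming it is called "outside".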
- Configuring a specific interface
- Name of the interface and security levels
asa1# show run interface E0/3
interface Ethernet0/3
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address 192.168.3.1 255.255.255.0
asa1# show nameif
Interface                Name                     Security
GigabitEthernet0/0       outside                    0
GigabitEthernet0/1       inside                   100
GigabitEthernet0/2       dmz                       50
- All the parameters of an interface
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 0013.c482.2e4c, MTU 1500
        IP address 192.168.1.2, subnet mask 255.255.255.0
        8 packets input, 1078 bytes, 0 no buffer
        Received 8 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 0 deferred
        input queue (curr/max blocks): hardware (8/0) software (0/0)
        output queue (curr/max blocks): hardware (0/0) software (0/0)
  Traffic Statistics for "outside":
        8 packets input, 934 bytes
        0 packets output, 0 bytes
        8 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
- What command did we use in IOS to see the L2 and 3 status of interfaces in a "brief" output?