LABSEC-2020

Troubleshooting Cisco ASA 8.3 (or higher)

Firewall Capabilities

Lab Guide




1

Table of Contents
Lab Overview ................................................................................................................................................ 2
Prerequisites: ............................................................................................................................................ 2
How to Access Your Lab ................................................................................................................................ 2
Network Topology ..................................................................................................................................... 3
Access Information for your POD: ............................................................................................................ 3
Exercise 1: Configuring and Troubleshooting Basic NAT and Access Control ............................................... 5
Terminology .............................................................................................................................................. 5
Some Background Information About NAT .................................................................................................. 5
Requirements and Steps to Complete ...................................................................................................... 6
Helpful Steps If (When) You Run Into Problems ....................................................................................... 6
Exercise 2: Configuring and Troubleshooting Authentication For Firewall Sessions .................................... 9
Terminology .............................................................................................................................................. 9
Some Background Information About AAA .................................................................................................. 9
Requirements and Steps to Complete ...................................................................................................... 9
Helpful Steps If (When) You Run Into Problems ..................................................................................... 10







2

Lab Overview

In this lab participants will learn basic troubleshooting skills and techniques for diagnosing and fixing
network problems on Cisco Adaptive Security Appliance (ASA). Troubleshooting concepts and tools are
introduced by completing step-by-step lab scenarios. Students will work individually with a dedicated
lab pod containing containing the latest version of Cisco ASA Software.


Prerequisites:

Must understand firewall basics.
Must understand IP routing.
Must know how to perform basic configuration Cisco ASA via CLI or ASDM. This lab assumes that
you already know how to configure basic NAT, access control, and routing in the Cisco ASA.

If further information is needed on these topics, refer to: http://www.cisco.com/go/asa

How to Access Your Lab

This section describes how to access the lab setup and provides the addressing connections and port
scheme information for your POD.
This section describes the following:
Network Topology
Access Information




3
Network Topology
The following diagram (Figure 1) shows the network topology and setup for this lab. Your POD
information will be provided to you by the instructor/lab proctor.

Figure 1. Network Topology

Access Information for your POD:

Step 1. Using your assigned lab PC launch a remote desktop client
a. Start-> Run: mstsc.exe
b. If you are Pod 1-8, then connect to computer: 64.102.242.76:10000
c. If you are Pod 9-16 then connect to computer 64.102.242.77:10000
d. Use podXuser and podXpass for credentials, where X is your assigned pod number.

Step 2. ASDM should already be installed and have a shortcut on your desktop, launch it and
connect to 209.165.201.X, where X is your pod number.

Step 3. Alternatively, login to the ASA via SSH (i.e., using Putty).

Step 4. Login into the ASA using the following credentials:
a. Username: ciscolive
b. Password: ciscolive




4
After logging into the security appliance, make sure that it is running version 8.4, as shown below in
Figure 2:


Figure 2. Cisco ASA Version Information

Alternatively, you use the show version CLI command.




5

Exercise 1: Configuring and Troubleshooting Basic NAT and Access
Control

Terminology
This document uses the following terminology:
Real address/host/network/interface The real address is the address that is defined on the
host, before it is translated. In a typical NAT scenario where you want to translate the inside
network when it accesses the outside, then the inside network would be the "real" network.
Note that you can translate any network connected to the adaptive security appliance, not just
an inside network, Therefore if you configure NAT to translate outside addresses, "real" can
refer to the outside network when it accesses the inside network.
Mapped address/host/network/interface The mapped address is the address that the real
address is translated to. In a typical NAT scenario where you want to translate the inside
network when it accesses the outside, then the outside network would be the "mapped"
network.
Bidirectional initiation Static NAT allows connections to be initiated bidirectionally, meaning
both to the host and from the host.
Source and destination NAT For any given packet, both the source and destination IP
addresses are compared to the NAT rules, and one or both can be translated/untranslated.
Some Background Information About NAT
Each computer and device within an IP network is assigned a unique IP address that identifies the host.
Because of a shortage of public IPv4 addresses, most of these IP addresses are private, not routable
anywhere outside of the private company network. One of the main functions of NAT is to enable
private IP networks to connect to the Internet. NAT replaces a private IP address with a public IP
address, translating the private addresses in the internal private network into routable addresses that
can be used on the public Internet.
You can implement NAT using the following methods:
Static NATA consistent mapping between a real and mapped IP address. Allows bidirectional
traffic initiation.
Dynamic NATA group of real IP addresses are mapped to a (usually smaller) group of mapped
IP addresses, on a first come, first served basis. Only the real host can initiate traffic.
Dynamic Port Address Translation (PAT)A group of real IP addresses are mapped to a single IP
address using a unique source port of that IP address.


6
Identity NATStatic NAT lets you translate a real address to itself, essentially bypassing NAT.
You might want to configure NAT this way when you want to translate a large group of
addresses, but then want to exempt a smaller subset of addresses.
Requirements and Steps to Complete
A fictitious company called SecureMe is used in this lab as an example. You are now the firewall
administrator for SecureMe and must configure a new ASA to allow Web (HTTP) and FTP traffic to the
Web/FTP server shown in the network topology (Figure 1). The following are the requirements:
1. The Web/FTP server IP address (192.168.2.102) must be statically translated to the outside IP
address of 209.165.201.2XX ( XX = your POD number; for example, POD 1 will be
209.165.201.201; POD 2 will be 209.165.201.202; etc.)
2. Allow only Web (HTTP) and FTP traffic to the server.
3. All other inbound traffic must be denied.
4. All other inside hosts should be dynamically translated to the Cisco ASAs outside interfaces IP
address when accessing the Internet.
IMPORTANT: In Cisco ASA Software version 8.3(1) and later the NAT configuration was completely
redesigned to allow greater flexibility and ease of use. You can now create named network objects that
you can use in place of a host, a subnet, or a range of IP addresses in your configuration and named
service objects that you can use in place of a protocol and port in your configuration. You can then
change the object definition in one place, without having to change any other part of your configuration.
This lab uses Cisco ASA Software version 8.4 which has support for network and service objects, use
them appropriately. There is another lab that uses version 8.2, where you can use the legacy nat and
static commands.

Helpful Steps If (When) You Run Into Problems

You will most definitely run into problems in this lab. Do not assume that everything will work as
expected. The following are some helpful tips if you run into problems.
Step 1. Can you access the server using web browser (over TCP port 80)?

Step 2. Can you access the server via FTP using the CLI? If not, can you telnet to the FTP server
on port 21? (tip: you can use Putty to telnet on port 21).

Step 3. Issue the show xlate command. How do you see?

___________________________________________________________




7
Step 4. Issue the show conn command. How many connections are in use?

___________________________________________________________

Step 5. What are the connection flags?

___________________________________________________________

Step 6. What do the connection flags indicate?

___________________________________________________________


Step 7. Issue the show perfmon command. What do you notice?

___________________________________________________________

Step 8. Enable syslog to the internal buffer at debug level. Then view the syslogs.
What do you see? (commands: logging enable; logging buffered debugging; show log)

___________________________________________________________

Step 9. Enable packet capture on the outside interface, then view the capture.
What do you see? (commands: capture out interface outside, show capture out)

___________________________________________________________


Step 10. Enable packet capture on the inside interface, then view the capture. What do you see?
(commands: capture in interface inside, show capture in)

___________________________________________________________


Step 11. Specifically, what are the source IP addresses?

___________________________________________________________





8
Step 12. What is the destination IP?

___________________________________________________________

Step 13. What does this tell you about what is happening?

___________________________________________________________






9
Exercise 2: Configuring and Troubleshooting Authentication For Firewall
Sessions

Terminology
This section uses the following terminology:
AAA Authentication, Authorization, and Accounting. AAA enables the adaptive security
appliance to determine who the user is (authentication), what the user can do (authorization),
and what the user did (accounting).
Some Background Information About AAA
The Cisco ASA uses "cut-through proxy" to significantly improve performance compared to a traditional
proxy server. Although you can configure the Cisco ASA to require authentication for network access to
any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user
must first authenticate with one of these services before the adaptive security appliance allows other
traffic requiring authentication. The authentication ports that the adaptive security appliance supports
for AAA are fixed as follows:
Port 21 for FTP
Port 23 for Telnet
Port 80 for HTTP
Port 443 for HTTPS
After you authenticate correctly, the adaptive security appliance redirects you to your original
destination. If the destination server also has its own authentication, the user enters another username
and password. If you use basic HTTP authentication and need to enter another username and password
for the destination server, then you need to configure the virtual http command.

Requirements and Steps to Complete

SecureMe has a new requirement. You must configure the Cisco ASA to authenticate all outside users
connecting to the web server. The following are the requirements:
1. All outside users must be authenticated before connecting to the web server.
2. External authentication using RADIUS must be used. You must not configure the Cisco ASA to
perform authentication using its local database.



10
Helpful Steps If (When) You Run Into Problems

You will most definitely run into problems in this lab. Do not assume that everything will work as
expected. The following are some helpful tips if you run into problems. Be aware that we expect that
you already know how to configure the Cisco ASA for authentication; the following are some
configuration and troubleshooting tips.
Step 1. Verify that you can still access the web server using web browser (over TCP port 80)
before you configure and enable authentication.

Step 2. Configure authentication. Using the aaa-server command, identify your AAA servers. If
you have already identified your AAA servers, continue to the next step. Since the server is located
toward the inside interface, select inside interface and specify the IP address of the server
(192.168.2.101). The server secret key is ciscolive.

Step 3. Using the access-list command, create an access list that identifies the source addresses
and destination addresses of traffic you want to authenticate. The permit ACEs mark matching
traffic for authentication, while deny entries exclude matching traffic from authentication. Be sure
to include the destination port for HTTP in the access list because the user must authenticate with
this service before traffic to the web server is allowed through the ASA.

Step 4. Use the aaa authentication match command to enable authentication and match the
ACL you just configured.

Step 5. Test your connection to the web server from the outside client. Do you get a prompt for
authentication?

Step 6. If you do, enter podXuser as the username and podXpass as the password.

Step 7. If not, enable debug aaa authentication. What do you see?

_________________________________________________________________________

Step 8. Enable debug radius. Does this give you more information? If so, what do you see?

_________________________________________________________________________

Step 9. What do you think thats wrong?


_________________________________________________________________________