Note: This command is different from the show ip interface brief IOS command. By default, all ASA physical interfaces are administratively down unless the Setup utility has been run or the factory defaults have been reset.

    NETSEC-ASA(config-if)# ip address dhcp setroute
    NETSEC-ASA(config)# username admin password cisco12345
    NETSEC-ASA(config)# aaa authentication ssh console LOCAL

CCNA Cybersecurity Operations (Version 1.1) CyberOps 5

The ASA used with this lab is a Cisco model 5505 with an 8-port integrated switch, running OS version 9.2(3) and Adaptive Security Device Manager (ASDM) version 7.4(1), and comes with a Base license that allows a maximum of three VLANs.

Configure static NAT for the DMZ server using a network object.

Step 1: Configure a static default route for the ASA.

R3 connects an administrator from a network management company, who has been hired to remotely manage your network. In Part 1 of this lab, you will configure the topology and non-ASA devices.

Display the contents of flash memory. Display the current running configuration. You can restore the ASA to its factory default settings; you may want to capture and print the factory-default configuration as a reference.

Router R1 G0/0 and the ASA OUTSIDE interface are already using 209.165.200.225 and .226.

Click OK > Apply to send the commands to the ASA.

Make sure the devices have been erased and have no startup configuration. Note: To avoid using the switches, use a cross-over cable to connect the end devices.

Previously, you configured address translation using PAT for the inside network.

Return to the Device dashboard and check the Interface Status window.
    translate_hits = 17, untranslate_hits = 4
    TCP PAT from INSIDE:192.168.1.3/49503 to OUTSIDE:209.165.200.226/49503 flags ri idle 0:01:24 timeout 0:00:30
    TCP PAT from INSIDE:192.168.1.3/49502 to OUTSIDE:209.165.200.226/49502 flags ri idle 0:01:24 timeout 0:00:30
    TCP PAT from INSIDE:192.168.1.3/49501 to OUTSIDE:209.165.200.226/49501 flags ri idle 0:01:25 timeout 0:00:30
    TCP PAT from INSIDE:192.168.1.3/49500 to OUTSIDE:209.165.200.226/49500 flags ri idle 0:01:25 timeout 0:00:30

Depending on the processes and daemons running on the particular computer used as PC-B, you may see more translated and untranslated hits than the four echo requests and echo replies.

Attach the devices that are shown in the topology diagram and cable as necessary.

Enable the DHCP daemon within the ASA to listen for DHCP client requests on the enabled interface (INSIDE).

You should see TCP activity in the ASDM Device dashboard Traffic Status window on the Home page.

e. Ping from the ASA to R1 S0/0/0 IP address 10.1.1.1.

Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C as shown in the IP Addressing Table.

When prompted to pre-configure the firewall through interactive prompts (Setup mode), respond with no.

Step 2: Configure the login and enable mode passwords.

Do NOT check the box to Enable auto-configuration from interface.

You will get a prompt requesting that you configure an enable password to enter privileged EXEC mode.

In the Add Interface dialog box, select port Ethernet0/2 and click Add.
Other ASAs can assign IP addresses and security levels directly to a physical port like an ISR.

    ####### Based on the inside IP address and mask, the DHCP address
    ####### pool size is reduced to 250 from the platform limit 256.

Part 3: Configuring Basic ASA Settings and Interface Security Levels Using the CLI.

The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall, VPN, and other capabilities. How many VLANs can be created with this license?

Add the inspection of ICMP traffic to the policy map list using the following commands:

c. Display the default MPF policy map to verify ICMP is now listed in the inspection rules.

Initially, there is no traffic displayed.

Note: The IOS command erase startup-config is not supported on the ASA.

Part 2: Access the ASA Console and Use CLI Setup Mode to Configure Basic Settings
Part 3: Configure Basic ASA Settings and Interface Security Levels

Background / Scenario
The Cisco Adaptive Security Appliance (ASA) is an advanced network security device that integrates a stateful firewall, VPN, and FirePOWER services. The default ASA hostname and prompt is ciscoasa>.

Note: If you are unable to launch ASDM, the IP address must be added to the allowed list of IP addresses in Java.

    Pre-configure Firewall now through interactive prompts [yes]?
    The following configuration will be used:
    Use this configuration and save to flash?

c. Create a local admin01 account using admin01pass for the password.

Design: Determine the ASA version, interfaces, and license.

The ASA creates three security interfaces: INSIDE, OUTSIDE, and DMZ. The ASA is an edge security device that connects the internal corporate network and DMZ to the ISP while providing NAT and DHCP services to inside hosts.

The main categories on this screen are Interfaces, VPN, Routing, Properties, and Logging. Click OK to accept the changes.
If you use the older commands shown in the example with ASA version 8.3 and newer, you will receive an error.

In this part, you will start with the settings configured in the previous part and then add to or modify them to create a complete basic configuration.

You must create logical L3 SVIs and assign them to ports on an ASA 5505, like an L3 switch.

Note: You can also see the commands generated by using the Tools > Command Line Interface and entering the show run command.

The ASA generates these as a result of erasing the startup config.

The graph below shows an additional 4000 input packets and both input and output packet counts.

In Part 2 of this lab, you will access the ASA via the console and use various show commands to determine hardware, software, and configuration settings.

    ####### WARNING: The boot system configuration will be cleared.

In Part 2, the MGMT interface was configured with an IP address of 192.168.100.1.

c. Enter privileged mode with the enable command and password (if a password has been set). Test connectivity to the ASA.

Step 4: Configure and encrypt passwords on R1.

The HTTP server is enabled for ASDM and is accessible from any host on the inside network 192.168.1.0/24.

To enable the ASA to reach external networks, you will configure a default static route on the ASA.

The focus of this lab is the configuration of the ASA as a basic firewall.

On the Edit Service Policy Rule window, click the Rule Actions tab and select the ICMP check box.

Part 1: Configure Basic Device Settings
Part 2: Access the ASA Console and ASDM
Part 3: Configure Basic ASA Settings and Firewall Using the ASDM Startup Wizard
Part 4: Configure ASA Settings from the ASDM Configuration Menu
Part 5: Configure DMZ, Static NAT, and ACLs

Configure the hostname and domain name.
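The basic firewall configuration the lab builds up piecemeal (hostname, INSIDE/OUTSIDE interfaces with security levels, the default static route toward R1, PAT for the inside network in the 8.3-and-later object NAT syntax, and ICMP added to the default inspection policy) is shown below as one consolidated listing. This is an added example, not the lab's own script. It assumes an ASA 5506-X style appliance where OUTSIDE is GigabitEthernet1/1 with a /29 mask, INSIDE is GigabitEthernet1/2 at 192.168.1.1, and the domain name is netsec.com; the ASA 5505 in the older version of this lab would use VLAN interfaces instead of physical ports.

```text
! Added example: consolidated basic ASA firewall configuration (assumed 5506-X, ASA 9.x).
! Assumptions: OUTSIDE = G1/1 209.165.200.226/29, INSIDE = G1/2 192.168.1.1/24, domain netsec.com.
hostname NETSEC-ASA
domain-name netsec.com
enable password cisco12345
!
interface GigabitEthernet1/1
 nameif OUTSIDE
 security-level 0
 ip address 209.165.200.226 255.255.255.248
 no shutdown
!
interface GigabitEthernet1/2
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Default route toward R1 G0/0; this produces the "0.0.0.0 0.0.0.0 [1/0] via 209.165.200.225"
! entry in show route.
route OUTSIDE 0.0.0.0 0.0.0.0 209.165.200.225
!
! PAT for the inside network using 8.3+ object NAT. The pre-8.3 "nat (inside) 1 ..." plus
! "global (outside) 1 interface" pair is rejected on 8.3 and later.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
!
! Stateful inspection lets return traffic for inside-initiated connections back in, but ICMP
! is not inspected by default, so echo replies from the outside are dropped until this is added.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification commands
show interface ip brief
show route
show nat
show xlate
show service-policy
```

After a ping from PC-B to R1, show nat should report non-zero translate_hits and untranslate_hits for the INSIDE-NET object, and show xlate should list the PAT entries from INSIDE:192.168.1.x to OUTSIDE:209.165.200.226. If the replies still fail, check show service-policy to confirm inspect icmp is present under inspection_default before touching the NAT rules.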
If the pings fail, troubleshoot the configuration as necessary.

    NETSEC-ASA(config)# dhcpd address 192.168.1.5-192.168.1.100 INSIDE
    NETSEC-ASA(config)# dhcpd dns 209.165.201.2

In Part 2, you will access the ASA via the console and use various show commands to determine hardware, software, and configuration settings.

You should remove password commands and enter the no shut command to bring up the desired interfaces. Other devices will receive minimal configuration to support the ASA portion of this lab.

    Cisco Adaptive Security Appliance Software Version 9.15(1)1
    Compiled on Fri 20-Nov-20 18:47 GMT by builders
    System image file is disk0:/asa9-15-1-1-lfbff-k8.SPA
    Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
    Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
     1: Ext: GigabitEthernet1/1: address is 00a3.8ecd.0ed2, irq 255
     2: Ext: GigabitEthernet1/2: address is 00a3.8ecd.0ed3, irq 255
     3: Ext: GigabitEthernet1/3: address is 00a3.8ecd.0ed4, irq 255

Click Yes for the other security warnings.

The clock command syntax is clock set hh:mm:ss {month day | day month} year.

This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.

Optional Lab - Configure ASA Network Part 3: Configure ASA Settings and Firewall Using the ASDM Startup Wizard.

Answers Note: Red font color or gray highlights indicate text that appears in the instructor copy only.

This mode can be used to configure minimal basic settings, such as hostname, clock, and passwords.

After entering the CLI commands, ASDM will prompt you to refresh the screen.

f. Display the information for the Layer 3 VLAN interfaces using the show ip address command. Because no physical interface in VLAN 1 has been enabled, the VLAN 1 status is down/down.

However, PC-C should be able to ping the R1 interface G0/0.

Use a terminal emulation program, such as TeraTerm or PuTTY, to access the CLI.
Other routers, switches, and Cisco IOS versions can be used.

Only traffic that was initiated from the inside is allowed back in through the outside interface. You will then modify the default application inspection policy to allow specific traffic.

Configure a network object named DMZSERVER and assign it the static IP address of the DMZ server (192.168.2.3).

The Telnet/SSH default login is not supported.

Use the following script to configure R1.

Console cables to configure Cisco networking devices.

You will use the public address 209.165.200.227 and static NAT to provide address translation access to the server. An ACL is then applied to the interface to control the type of access to be permitted or denied to the DMZ server from inside hosts.

Cable the network and clear previous device settings.

Ping the DMZ server (PC-A) internal address (192.168.2.3) from inside network host PC-B (192.168.1.X).

Note: The router commands and output in this lab are from a Cisco 1941 router with Cisco IOS Release 15.4(3)M2 (with a Security Technology Package license).

PC-B should still be able to ping the G0/0/1 interface for R1 at 209.165.200.225.

Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces.

a. Configure the ASA to accept HTTPS connections by using the http command to allow access to ASDM from any host on the inside network 192.168.1.0/24. Click Next to continue.

Use the following script to configure the ASA.

Step 5: Clear the previous ASA configuration settings.
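The DMZ part of the lab (a third interface with an intermediate security level, a static one-to-one NAT for the DMZSERVER object to 209.165.200.227, and an ACL that opens only the services the public server should expose) is shown below as one listing, together with packet-tracer checks that exercise both an allowed and a denied path. This is an added example, not the lab's own script. It assumes the DMZ interface is GigabitEthernet1/3 at 192.168.2.1/24 with security level 70, that the server offers HTTP, and that 209.165.201.2 stands in for an arbitrary outside client; those values are not taken from the lab text.

```text
! Added example: DMZ interface, static NAT and inbound ACL (assumed 5506-X, ASA 9.x).
! Assumptions: DMZ = G1/3 192.168.2.1/24, security-level 70; server 192.168.2.3 serves HTTP.
interface GigabitEthernet1/3
 nameif DMZ
 security-level 70
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
! Security levels alone already decide the default policy:
!   INSIDE (100) -> DMZ (70)      allowed (higher to lower), no ACL needed
!   DMZ (70)     -> INSIDE (100)  denied, so a compromised web server cannot reach inside hosts
!   OUTSIDE (0)  -> DMZ (70)      denied until an ACL on OUTSIDE permits it
!
! Static NAT: 192.168.2.3 is reachable from the outside as 209.165.200.227 (one-to-one).
object network DMZSERVER
 host 192.168.2.3
 nat (DMZ,OUTSIDE) static 209.165.200.227
!
! On ASA 8.3 and later the ACL matches the REAL (untranslated) address 192.168.2.3,
! not the mapped 209.165.200.227. Permit only what the server must expose.
access-list OUTSIDE-DMZ extended permit tcp any host 192.168.2.3 eq www
access-list OUTSIDE-DMZ extended permit icmp any host 192.168.2.3 echo
!
! Binding the ACL to OUTSIDE replaces the implicit policy for NEW inbound connections on that
! interface; return traffic for inside-initiated sessions is still allowed by stateful inspection.
access-group OUTSIDE-DMZ in interface OUTSIDE
!
! Verification: outside client to the public address on port 80 should untranslate to
! 192.168.2.3 and end in "Action: allow" ...
packet-tracer input OUTSIDE tcp 209.165.201.2 12345 209.165.200.227 80
! ... while a port the ACL does not permit (for example SSH) should end in "Action: drop".
packet-tracer input OUTSIDE tcp 209.165.201.2 12345 209.165.200.227 22
show nat
show access-list OUTSIDE-DMZ
```

The hit counters printed by show access-list are the quickest way to confirm that the permit entries, and not a broader rule, are what carried the test traffic. If a rule you expect to match shows zero hits after a packet-tracer run, the usual cause is an ACL written against the mapped address 209.165.200.227 instead of the real 192.168.2.3.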
Switches S1, S2, and S3: Use default configs, except for host name.

a. Configure the inside and outside interfaces. The actual output varies depending on the ASA model, version, and configuration status.

Objectives
Verify Connectivity and Explore the ASA
Configure Basic ASA Settings and Interface Security Levels Using CLI
Configure Routing, Address Translation, and Inspection Policy Using CLI
Configure DHCP, AAA, and SSH
Configure a DMZ, Static NAT, and ACLs

Scenario
Your company has one location connected to an ISP.

Note: To avoid using the switches, use a cross-over cable to connect the end devices.

b. Specify a modulus of 1024 using the crypto key command.

    [confirm]
You can configure the ASA to accept HTTPS connections using the http command.

When the ASA completes the reload process, it should detect that the startup configuration is missing and prompt you to pre-configure the firewall.

Use a terminal emulation program to access the CLI. Then use the serial port settings of 9600 baud, eight data bits, no parity, one stop bit, and no flow control.

The table does not include any other type of interface, even though a specific router may contain one.

The Traffic Status window may show the ASDM access as a TCP traffic spike.

In addition, the process of moving between configuration modes and sub-modes is essentially the same.

This allows Multicast traffic to more reliably reach its destination.

You can no longer connect to the ASA using SSH with the default username and the login password.

Clear the previous ASA configuration settings.

Set the SSH timeout. On PC-C, use an SSH client (such as PuTTY) to connect to the ASA OUTSIDE interface at IP address 209.165.200.226. You can also connect to the ASA INSIDE interface from a PC-B SSH client using the INSIDE interface IP address.

Configure DMZ interface G1/3, which is on the LAN where the public access web server will reside.

Save your ASA configuration for the next lab.

The modulus (in bits) can be 512, 768, 1024, or 2048.

    0.0.0.0 0.0.0.0 [1/0] via 209.165.200.225

The ASA uses interface security levels from 0 to 100 to enforce the security policy.

In Part 3, you will configure additional settings, test connectivity, and configure Adaptive Security Device Manager (ASDM) access.

d. Issue the show nat command on the ASA to see the translated and untranslated hits.

However, to manually configure the default gateway, or set it to a different networking device's IP address, use the following command:
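The management-plane steps (DHCP for inside hosts, local user accounts, SSH authenticated against the LOCAL database, and ASDM over HTTPS) are collected below as one listing. This is an added example, not the lab's own script. It assumes INSIDE is GigabitEthernet1/2 at 192.168.1.1/24 and that the remote administrator behind R3 (PC-C) comes from 172.16.3.0/24; that network is hypothetical and is not given in the lab text. Two deliberate departures from the lab steps are marked: a 2048-bit RSA modulus instead of the 1024-bit one the lab specifies (1024-bit RSA is below current minimums), and SSH restricted to version 2.

```text
! Added example: DHCP, AAA, SSH and ASDM access (assumed 5506-X, ASA 9.x).
! Assumptions: INSIDE = G1/2 192.168.1.1/24; remote admin network 172.16.3.0/24 is hypothetical.
!
! DHCP server for inside hosts. The ASA hands out its own INSIDE address as default gateway;
! the pool must lie in the INSIDE subnet (the Setup wizard trims it to the platform limit).
dhcpd address 192.168.1.5-192.168.1.100 INSIDE
dhcpd dns 209.165.201.2
dhcpd enable INSIDE
!
! Create the local accounts BEFORE pointing SSH authentication at LOCAL, otherwise every SSH
! login fails and only the console is left. ASA stores these passwords hashed, not in clear text.
username admin password cisco12345
username admin01 password admin01pass
aaa authentication ssh console LOCAL
!
! Host key: the lab asks for modulus 1024; 2048 is the practical minimum today.
! (ASA asks for confirmation if a key pair already exists.)
crypto key generate rsa modulus 2048
ssh version 2
!
! Only these sources may open SSH; each entry is bound to the interface it arrives on.
ssh 192.168.1.0 255.255.255.0 INSIDE
ssh 172.16.3.0 255.255.255.0 OUTSIDE
ssh timeout 10
!
! ASDM over HTTPS from the inside network only. Do not add an "http ... OUTSIDE" line:
! the management GUI should never be reachable from the Internet-facing interface.
http server enable
http 192.168.1.0 255.255.255.0 INSIDE
!
! Verification commands
show dhcpd binding
show ssh sessions
show run ssh
show run http
```

After this, an SSH attempt with the default login password and no username fails, as the lab notes; the session must use admin or admin01. show ssh sessions lists the source address, version and user of every open session, which is also the first place to look when an unexpected address appears on the OUTSIDE entry.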
Configure the hostname, domain name, and the enable password.

The ASA in this lab uses version 9.2(3). Prior to ASA version 8.3, NAT configuration from the CLI was the same as the older PIX firewalls.

R2 represents an intermediate Internet router.

1) Access the Windows Control Panel and click Java.

Enter global configuration mode using the config t command.

After you refresh, 70 should appear in the Security Level column for the dmz interface.

Required Resources
1 Router (Cisco 4221 with Cisco XE Release 16.9.6 universal image or comparable with a Security Technology Package license)
3 Switches (Cisco 2960+ with Cisco IOS Release 15.2(7) lanbasek9 image or comparable)
3 PCs (Windows OS with a terminal emulation program, such as PuTTY or Tera Term, installed)
1 ASA 5506-X (OS version 9.15(1) and ASDM version 7.15(1) and Base license or comparable)
Console cables to configure Cisco networking devices
Ethernet cables as shown in the topology

c. On the Add Static Route dialog box, select the outside interface from the drop-down list.

If the password has been changed to one that is specific to this lab, enter the password cisco12345.

In this lab, the student uses ASDM to configure these features.

    [confirm]

While in object definition mode, use the nat command to specify that this object is used to translate a DMZ address to an outside address using static NAT, and specify a public translated address of 209.165.200.227.

    ***************************** NOTICE *****************************

Use the no shutdown command to ensure they are up.

Click Apply to send the commands to the ASA.
On the Startup Wizard Step 9 screen, Startup Wizard Summary, review the Configuration Summary and click Finish.

    ####### issue the command "call-home reporting anonymous".

    Enable password [