Etudes 03- Cisco ASA 5505

This is a simple guide to setting up an ASA 5505 Firewall, using only the command line. This guide is designed for folks with little to no experience with the 5505, but who are familiar with networking.

We are going to set up our device to function as the primary network device for a simple cyber defense competition. To that end, we will create three networks- a management network, a competition network, and an external network.

Accessing the device

The firewall’s configuration can be accessed in one of four ways:

    • Via a console cable
    • Via Telnet on a properly configured port
    • Via SSH on a properly configured port
    • Via HTTP on a properly configured port.

Since all but the first of these require the device to be first configured, we will focus our attention (for now) on using the console cable.

Connect one end of the console cable to the console port on the device. The second end is an RS-232 adapter. Most older computers contain one or more RS-232 ports, and the cable can simply be connected. Most newer computers do not have an RS-232 port, and so require an RS-232 to USB adapter. These are available at a good electronics store (e.g. Baynesville Electronics).

When using a native RS-232 port, you need to know which COM port you are using; usually this is COM1 or possibly COM2 (if your machine is old enough to have more than one RS-232 port). When using the RS-232 to USB adapter, the device will simulate another COM port, usually COM3 depending on the hardware driver your device uses.

Once the device is physically connected to your computer, you need appropriate software to connect. The best choice (for a Windows machine) is PuTTY.

Start PuTTY, and in the “Basic options for your PuTTY session” select “Serial”. For the “Serial line” specify the COM port above, usually COM1 for a native RS-232 equipped computer and COM3 for a computer using RS-232 to USB. For the “Speed” option, you can leave the default value of 9600. Open the connection.

Once PuTTY opens the connection, you will be presented with a blank terminal window. Tap the enter key once or twice to receive a command prompt.

Exec Mode

Simply accessing the device does not give you privileges to change the settings on the device. The lowest level of privilege is called “exec” mode, and very little interaction is permitted with the device. In this mode, the command prompt is simply the name of the device followed by “>”. In my example, we start with a device named “ciscoasa” so the command prompt is

ciscoasa>

It should be noted that, when using a serial cable, you must manually log out from various privileged modes. If you do not, then later users will be presented with the same session and privileges of the last user.

From the basic command prompt, run the command

ciscoasa> show version

to see basic information about the system, including

      • The name of the boot configuration file
      • System up time
      • Interface names
      • List of licensed features

Privileged Mode

To begin working in privileged mode, run the command

ciscoasa> enable

and then enter the password.

In privileged mode, the prompt changes, and is now the host name followed by “#”. In our example where the host name is “ciscoasa”, the prompt in privileged mode is

ciscoasa#

Configuration Mode

From privileged mode, one can enter configuration mode by running the command

ciscoasa# configure terminal

In configuration mode, the prompt changes again, and now is the hostname followed by “(config)#”. In our example where the hostname is “ciscoasa”, we obtain the prompt

ciscoasa(config)#

System Reset

To proceed with this demonstration, we begin by setting the ASA to a blank configuration. We do so by running the command

ciscoasa(config)# clear configure all

from configuration mode.

Though we have changed the configuration, this change will not persist across a reboot. The ASA keeps two configuration files- the running-config and the startup-config. When the device is booted, it loads and uses the startup-config. Any changes subsequently made are made to the running-config. To save the running-config as the startup-config, simply run the command

ciscoasa# copy running-config startup-config

from privileged mode.

Though we have changed the network settings, we have not changed the hostname, domain name, or password settings. We can do this as follows:

ciscoasa(config)# hostname <<HOSTNAME>>
ciscoasa(config)# domain-name <<DOMAINNAME>>
ciscoasa(config)# passwd <<PASSWORD>>
ciscoasa(config)# enable password <<PASSWORD>>

At this point, our ASA is essentially blank, with all of its interfaces shut down and the passwords, hostname, and domain name set as we wished.

Configuring the interfaces

VLANs

Decisions about how traffic passes through the device are made on the basis of the different VLANs. Our first job, then, is to configure the various VLANs.

By default, the ASA 5505 can use only three VLANs.

Our first VLAN will be used for device management; we create it and call it vlan 100:

ciscoasa(config)# interface vlan 100

Note that we now pass to a sub-configuration mode, which is noted by the change in the prompt to

ciscoasa(config-if)#

Let’s give this vlan the name mgmt

ciscoasa(config-if)# nameif mgmt

The system sets the security level for this vlan to 0 by default. The security level is a number between 0 and 100, with higher levels associated with more secure networks. There is an implicit rule that allows traffic to pass from a higher level security interface to the same or a lower level one. Given this, we want this interface to be maximally protected, so we set its security level to 100.

ciscoasa(config-if)# security-level 100

Next, we set the ip address and netmask of this vlan

ciscoasa(config-if)# ip address 10.10.1.1 255.255.255.0

Finally, we enable the vlan

ciscoasa(config-if)# no shutdown

Next we create a VLAN for the various teams to work in; let us call it vlan 200. To create it we execute

ciscoasa(config)# interface vlan 200

This command can also be executed from a previous sub-configuration prompt.

Let’s give this vlan the name teams

ciscoasa(config-if)# nameif teams

We want this at a middle security level- we set it to 50

ciscoasa(config-if)# security-level 50

Set the IP address and netmask; we use a large address space.

ciscoasa(config-if)# ip address 10.0.1.1 255.255.0.0

Enable the VLAN

ciscoasa(config-if)# no shutdown

We set the final VLAN for the outside; call it vlan300. To create it, we execute

ciscoasa(config-if)# interface vlan300

Now we do not want traffic to pass from the external interface to the management interface:

ciscoasa(config-if)# no forward interface vlan 100

Name this interface as the outside interface

ciscoasa(config-if)# nameif outside

We retain the default security level of zero, and we use DHCP to set the address for the external interface

ciscoasa(config-if)# ip address dhcp
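
To check which interfaces can open connections to which under these settings, the following added example (not part of the original guide) parses a running-config excerpt and applies the security-level rule together with the "no forward interface" restriction. The excerpt is constructed from the commands above, and parse_vlans and default_flows are hypothetical helper names.

```python
import re
from itertools import permutations

# Constructed running-config excerpt matching this guide's settings (not a device capture).
SAMPLE_CONFIG = """\
interface Vlan100
 nameif mgmt
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan200
 nameif teams
 security-level 50
 ip address 10.0.1.1 255.255.0.0
!
interface Vlan300
 no forward interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp
"""

def parse_vlans(config):
    """Return {vlan_id: {"name", "level", "no_forward"}} per VLAN interface stanza."""
    vlans, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface vlan\s*(\d+)\s*$", line, re.I)
        words = line.split()
        if m:
            cur = vlans.setdefault(int(m.group(1)), {"name": None, "level": 0, "no_forward": set()})
        elif not line.startswith(" "):
            cur = None                      # any other top-level line ends the stanza
        elif cur is not None and words[:1] == ["nameif"]:
            cur["name"] = words[1]
        elif cur is not None and words[:1] == ["security-level"]:
            cur["level"] = int(words[1])
        elif cur is not None and words[:3] == ["no", "forward", "interface"]:
            cur["no_forward"].add(int(re.sub(r"\D", "", "".join(words[3:]))))
    return vlans

def default_flows(vlans):
    """(src, dst) interface names that may initiate connections with no ACLs applied."""
    named = [v for v in vlans.items() if v[1]["name"]]
    # Implicit rule: higher level to lower level. Equal levels also need
    # 'same-security-traffic permit inter-interface' (not modelled here).
    return sorted((s["name"], d["name"]) for (_, s), (d_id, d) in permutations(named, 2)
                  if s["level"] > d["level"] and d_id not in s["no_forward"])

if __name__ == "__main__":
    print(default_flows(parse_vlans(SAMPLE_CONFIG)))
```

The result lists only connection initiation; return traffic for an allowed connection is handled by the firewall's state table.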

Physical interfaces

With the VLANs configured, we now need to configure the physical interfaces.

We set interface 0 (Ethernet0/0) to use the management VLAN. First we select the interface

ciscoasa(config)# interface ethernet0/0

Tell it to use VLAN 100

ciscoasa(config-if)# switchport access vlan 100

And activate it…

ciscoasa(config-if)# no shutdown

For interfaces 1, 2, 3, and 4 we configure them to use VLAN 200.

ciscoasa(config-if)# interface ethernet0/1
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet0/2
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet0/3
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface ethernet0/4
ciscoasa(config-if)# switchport access vlan 200
ciscoasa(config-if)# no shutdown

We configure interface 5 for the external interface

ciscoasa(config-if)# interface ethernet0/5
ciscoasa(config-if)# switchport access vlan 300
ciscoasa(config-if)# no shutdown

This way the PoE interfaces (6 and 7) are left unused and unconfigured for future use.

Status

Let us check our status:

ciscoasa(config-if)# show interface ip brief
Interface         IP-Address  OK?  Method  Status                 Protocol
Internal-Data0/0  unassigned  YES  unset   up                     up
Internal-Data0/1  unassigned  YES  unset   up                     up
Internal-Data0/2  unassigned  YES  unset   up                     up
Vlan100           10.10.1.1   YES  CONFIG  up                     up
Vlan200           10.0.1.1    YES  CONFIG  up                     up
Vlan300           unassigned  YES  DHCP    down                   down
Virtual0          127.0.0.1   YES  unset   up                     up
Vlan4091          unassigned  YES  unset   up                     up
Vlan4092          127.0.1.1   YES  unset   up                     up
Ethernet0/0       unassigned  YES  unset   up                     up
Ethernet0/1       unassigned  YES  unset   up                     up
Ethernet0/2       unassigned  YES  unset   down                   down
Ethernet0/3       unassigned  YES  unset   down                   down
Ethernet0/4       unassigned  YES  unset   down                   down
Ethernet0/5       unassigned  YES  unset   down                   down
Ethernet0/6       unassigned  YES  unset   administratively down  down
Ethernet0/7       unassigned  YES  unset   administratively down  down

From this we see that Ethernet0/0 and VLAN 100 are up and that Ethernet0/1 and VLAN 200 are also up; we also see that Ethernet0/2, 0/3, and 0/4 are down, as are Ethernet0/5 and VLAN 300. This occurs in this example because there is an active Ethernet cable plugged into port 0 and port 1 (that I am using for testing), but no active connection on ports 2, 3, 4, and 5. These interfaces are down because they are not receiving traffic, but unlike Ethernet0/6 or 0/7 they are not administratively down, as they have been properly configured.
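
The distinction between "down" and "administratively down" can be checked automatically. The following added example (not part of the original guide) parses output in the layout shown above and reports ports whose administrative state contradicts the port plan of this guide. The sample lines are constructed, with two deliberate deviations, and parse_brief and audit_ports are hypothetical helper names.

```python
# Constructed sample in the layout of 'show interface ip brief' (not a device capture).
SAMPLE_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
Vlan100 10.10.1.1 YES CONFIG up up
Vlan300 unassigned YES DHCP down down
Ethernet0/0 unassigned YES unset up up
Ethernet0/2 unassigned YES unset down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset up up
"""

# Port plan from this guide: Ethernet0/0-0/5 carry VLANs, 0/6 and 0/7 stay unused.
IN_USE = {f"Ethernet0/{n}" for n in range(6)}

def parse_brief(text):
    """Map interface name -> (status, protocol); status may be two words."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Interface":
            continue                      # header or blank line
        # Columns 0-3 are single tokens and Protocol is the last token, so
        # Status is whatever lies between: "up", "down", "administratively down".
        rows[fields[0]] = (" ".join(fields[4:-1]), fields[-1])
    return rows

def audit_ports(rows, in_use=IN_USE):
    """Return findings for physical ports whose admin state contradicts the plan."""
    findings = []
    for name, (status, _protocol) in sorted(rows.items()):
        if not name.startswith("Ethernet"):
            continue
        shut = status == "administratively down"
        if name in in_use and shut:
            findings.append(f"{name}: planned port is shut down")
        elif name not in in_use and not shut:
            findings.append(f"{name}: unused port is enabled ({status})")
    return findings

if __name__ == "__main__":
    for finding in audit_ports(parse_brief(SAMPLE_BRIEF)):
        print(finding)
```

A port that is merely "down" because no cable is attached produces no finding; only the administrative state is compared with the plan.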

If we want to see the security levels assigned, we can find them by running

ciscoasa(config)# show running-config

Finally, we save our running config as our startup config.

ciscoasa# copy running-config startup-config

Setting up DHCP

We want to set up a DHCP server to run for the teams; it should pass out addresses only in the 10.0.250.0/24 subnet. This subnet is easily distinguished from other subnets, and lets us give a full statically defined /24 to each team.

Keep in mind the limits on the number of IP addresses allowed by the ASA license, and run

ciscoasa# show local-host

We first create the address pool for the DHCP server

ciscoasa(config)# dhcpd address 10.0.250.1-10.0.250.128 teams

The default license restricts us to 128 addresses in the DHCP pool, hence the choice made above.
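
A pool line can be checked against these constraints before it is entered. The following added example (not part of the original guide) validates a "dhcpd address" line against the interface it serves, the 128-address limit stated above, and the 10.0.250.0/24 block set aside for DHCP. check_pool is a hypothetical helper name, and the two faulty lines in the demonstration are constructed.

```python
import ipaddress
import re

LICENSE_POOL_CAP = 128                                 # pool limit this guide states for its license
DHCP_BLOCK = ipaddress.IPv4Network("10.0.250.0/24")    # block this guide reserves for DHCP clients

def check_pool(dhcpd_line, if_ip, if_mask, cap=LICENSE_POOL_CAP, block=DHCP_BLOCK):
    """Return a list of problems with a 'dhcpd address START-END IFNAME' line."""
    m = re.fullmatch(r"dhcpd address ([\d.]+)-([\d.]+) (\S+)", dhcpd_line.strip())
    if not m:
        raise ValueError(f"not a dhcpd address line: {dhcpd_line!r}")
    start, end = (ipaddress.IPv4Address(a) for a in m.group(1, 2))
    iface = ipaddress.IPv4Interface(f"{if_ip}/{if_mask}")
    if end < start:
        return ["range end precedes range start"]
    problems = []
    size = int(end) - int(start) + 1
    if size > cap:
        problems.append(f"pool has {size} addresses, limit is {cap}")
    if start not in iface.network or end not in iface.network:
        problems.append(f"pool is not inside {iface.network} on {m.group(3)}")
    if start <= iface.ip <= end:
        problems.append(f"pool contains the interface address {iface.ip}")
    if start not in block or end not in block:
        problems.append(f"pool strays outside {block}, into space meant for static addresses")
    return problems

if __name__ == "__main__":
    # The line from this guide, then two constructed variants with mistakes.
    for line in ("dhcpd address 10.0.250.1-10.0.250.128 teams",
                 "dhcpd address 10.0.250.1-10.0.251.2 teams",
                 "dhcpd address 10.0.1.1-10.0.1.100 teams"):
        print(line, "->", check_pool(line, "10.0.1.1", "255.255.0.0") or "ok")
```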

We can configure

  • the DNS server
    ciscoasa(config)# dhcpd dns IP1 IP2
  • the WINS server
    ciscoasa(config)# dhcpd wins IP
  • the lease time (in sec)
    ciscoasa(config)# dhcpd lease TIME
  • the ping timeout (in ms)
    ciscoasa(config)# dhcpd ping_timeout TIME
  • the default domain name
    ciscoasa(config)# dhcpd domain example.com

that the DHCP server will use.

Now we enable the DHCP server on the teams interface

ciscoasa(config)# dhcpd enable teams

To see the results, you can use the status commands

ciscoasa# show dhcpd binding
IP address   Hardware address   Lease expiration  Type
10.0.250.1   0100.2618.70e4.3d  3119 seconds      Automatic

ciscoasa# show dhcpd state
Context Configured as DHCP Server
Interface mgmt, Not Configured for DHCP
Interface teams, Configured for DHCP SERVER
Interface outside, Configured for DHCP CLIENT

ciscoasa# show dhcpd statistic
DHCP UDP Unreachable Errors: 0
DHCP Other UDP Errors: 0

Address pools       1
Automatic bindings  1
Expired bindings    0
Malformed messages  0

Message       Received
BOOTREQUEST   0
DHCPDISCOVER  2
DHCPREQUEST   1
DHCPDECLINE   0
DHCPRELEASE   0
DHCPINFORM    2

Message       Sent
BOOTREPLY     0
DHCPOFFER     2
DHCPACK       3
DHCPNAK       0

Once we are satisfied, we copy the running config to the startup config as we have done in the past.

The Future

At this point, we have only scratched the surface of what we can do with our ASA. Heck, we have not yet even started writing filtering rules, or fired up the web management interface.

Time permitting, I will come back to those issues in an updated version…

  1. January 26, 2012 at 3:43 pm

    Windows users can use mode.com in the command prompt to determine where their serial to USB device has connected.
