Wednesday 28 December 2016

ASA CHAPTER 1 (Addressing & Rip)


Since version 7.0 of the ASA code, configuring interfaces on the firewall appliance
is very similar to configuring interfaces on IOS-based platforms. If the firewall's
connection to the switch is a dot1q trunk (the ASA supports 802.1Q only, not ISL),
you can create sub-interfaces corresponding to the VLANs carried on the trunk.
Do not forget to assign a VLAN number to each sub-interface; the native
(untagged) VLAN on the trunk maps to the physical interface.
When configuring the firewall interfaces, do not forget to "no shutdown" them (they
are down by default, and a sub-interface stays down while its physical parent is
shut) and to assign a nameif and a security-level. An interface named "inside" is
given security level 100 automatically; any other name, "outside" included,
defaults to 0, so set the level explicitly for anything in between, such as a DMZ.

1. How to configure IP Addressing on ASA ?
• Configure ASA1’s interface Ethernet 0/0 using the nameif “outside” and
the security level of zero.
• Configure ASA1’s interface Ethernet 0/1 using the nameif “inside” and the
security level value of 100.
• Create new subinterface Ethernet 0/2.120 using the VLAN number 120,
nameif “dmz” and the security-level of 75.

2. Configuring RIPv2 on ASA ?
• Enable RIPv2 on ASA1 for networks 10.0.0.0/8 and 136.X.0.0/16.
• Ensure routing summaries are not generated automatically on the classful
subnets boundaries.
• Do not send RIPv2 updates out of any interfaces except to “Inside” and
“DMZ”.
• Configure RIPv2 on R1 using the network 136.X.0.0/16.
• Authenticate RIPv2 updates sent/received to/from R1 using the key-string
“CISCO”.
• Use the most secure form of authentication.

• Configure interface IP addressing per the diagram.
diagram:


Solution:
!
hostname A
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 136.1.122.12 255.255.255.0
 no shut
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 136.1.121.12 255.255.255.0
 no shut
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shut
!
interface Ethernet0/2.120
 vlan 120
 nameif dmz
 security-level 75
 ip address 10.0.0.12 255.255.255.0
!

2. Configuring RIPv2 on ASA ?


1) (Mandatory). Start the RIP routing process and set version 2 (almost
no one uses version 1 nowadays). Also disable auto-summary, the legacy
classful-protocol feature. This step is identical to the initial configuration of RIPv2
on IOS routers.
2) (Mandatory). Define the networks on which RIP updates will be sent and which
will be advertised into RIP. You enter network statements using classful
networks. The RIP process finds all interfaces whose addresses fall within those
networks and starts sending/receiving updates on them. At the same time, the local
subnets matching the network statements are advertised in RIP updates.
3) (Optional). Define passive interfaces to limit the set of interfaces on which
RIP updates are sent. Keep in mind that a passive interface never
sends any updates, but still accepts them. You may make ALL interfaces
passive with the command passive-interface default, and then
selectively re-enable some with the command no passive-interface X, where X is
the interface's nameif on the ASA. This is what we have done in our scenario:
the outside interface stays passive, so no routing information is sent toward the
less trusted side.
4) (Optional). Authenticate routing updates where needed. RIPv2 supports two
authentication types: plain text, which is the mode you get if you enable
authentication without specifying one and is not secure because the key travels in
the clear in every update, and MD5, a keyed hash that proves the sender knows the
key without ever sending it. On the ASA you configure a single key and key ID
directly on the interface (rip authentication key ... key_id ...) together with the
authentication mode. MD5 is the strongest option these platforms offer for RIPv2:
it authenticates the source and protects the integrity of the update, but it does
not encrypt anything, so the advertised routes remain readable by anyone who can
capture the packets.
While routing has been pre-configured on the routers, you still need to know how to
authenticate RIPv2 packets on an IOS router. The process is a bit different from
the ASA. First, you create a key chain in global configuration mode, which may
contain one or more keys, each with a key number. You then apply the key chain to an
interface configured for the proper RIPv2 authentication mode (MD5 or plain text).
The router uses the first valid key in the chain to authenticate outgoing updates;
in MD5 mode, incoming updates are verified against whichever key in the chain has
the number matching the key ID carried in the update. Because the key ID is part of
the MD5 exchange, the key number on R1 must match the key_id on the ASA (1 in this
scenario), not just the key string.
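The wire format behind step 4, as an added example that is not part of the original lab: a Python script that builds RIPv2 response packets with plain-text and with keyed-MD5 authentication and verifies them the way a receiver holding a key chain would. It follows the RFC 2082 layout, uses the Auth Data Length of 20 that Cisco devices send, and takes the key and key ID (CISCO, 1) and the routes (150.1.1.0/24, 136.1.121.0/24) from the lab; byte-for-byte interoperability with an ASA or IOS router is an assumption, not something the script tests. It shows concretely why plain text is "non-secure" (the key is visible in every update, and a modified metric is still accepted), what MD5 buys (a wrong key, a wrong key ID, or a tampered route all fail, while the key never leaves the box), and what it does not buy (the routes are still readable).

```python
"""RIPv2 authentication on the wire: plain text versus keyed MD5 (RFC 2082).
Added example, not the lab's code. Auth Data Length 20 is the value Cisco devices
are observed to send (the RFC text reads 16); ASA/IOS byte compatibility is assumed."""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_V2, AFI_IP, AFI_AUTH = 2, 2, 2, 0xFFFF
AUTH_PLAIN, AUTH_MD5, AUTH_TRAILER = 2, 3, 1   # entry types: password, keyed digest, digest trailer
KEY_LEN = 16          # RIP keys are at most 16 bytes, zero padded when shorter
AUTH_DATA_LEN = 20    # assumption: Cisco value (4-byte trailer header + 16-byte digest)
ENTRY_LEN = 20        # every RIPv2 entry, route or authentication, is 20 bytes; header is 4


def _pad_key(key: bytes) -> bytes:
    if len(key) > KEY_LEN:
        raise ValueError("RIP authentication keys are limited to 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def _entries(routes) -> bytes:
    """Encode (prefix, metric) pairs as RIPv2 route entries (next hop 0.0.0.0)."""
    out = b""
    for prefix, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        out += struct.pack("!HH4s4s4sI", AFI_IP, 0, net.network_address.packed,
                           net.netmask.packed, b"\x00" * 4, metric)
    return out


def build_plain(routes, key: bytes) -> bytes:
    """Response with simple-password authentication: the key travels in the clear."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    return header + struct.pack("!HH16s", AFI_AUTH, AUTH_PLAIN, _pad_key(key)) + _entries(routes)


def build_md5(routes, key: bytes, key_id: int, seq: int) -> bytes:
    """Response with keyed MD5: MD5(packet || padded key) in a trailer; the key is never sent."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = _entries(routes)
    pkt_len = 4 + ENTRY_LEN + len(body)            # bytes before the digest trailer
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, pkt_len, key_id,
                       AUTH_DATA_LEN, seq, b"\x00" * 8)
    unsigned = header + auth + body + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    return unsigned + hashlib.md5(unsigned + _pad_key(key)).digest()


def verify(packet: bytes, chain: dict) -> tuple:
    """Receiver side. `chain` maps key ID -> key (an IOS key chain, or the ASA's one
    key_id). Returns (accepted, reason). RFC 2082 sequence-number replay checks are omitted."""
    if len(packet) < 4 + ENTRY_LEN:
        return False, "short packet"
    afi, atype = struct.unpack("!HH", packet[4:8])
    if afi != AFI_AUTH:
        return False, "unauthenticated update rejected"
    if atype == AUTH_PLAIN:
        sent = packet[8:24].rstrip(b"\x00")
        ok = any(hmac.compare_digest(sent, k) for k in chain.values())
        return ok, "plain-text key " + ("matched" if ok else "mismatch")
    if atype == AUTH_MD5:
        pkt_len, key_id = struct.unpack("!HB", packet[8:11])
        if pkt_len + 4 + 16 != len(packet):
            return False, "bad length"
        if struct.unpack("!HH", packet[pkt_len:pkt_len + 4]) != (AFI_AUTH, AUTH_TRAILER):
            return False, "missing digest trailer"
        key = chain.get(key_id)
        if key is None:                             # key_id on the ASA must equal key number on R1
            return False, f"no key with id {key_id}"
        expected = hashlib.md5(packet[:pkt_len + 4] + _pad_key(key)).digest()
        if hmac.compare_digest(expected, packet[pkt_len + 4:]):
            return True, "md5 ok"
        return False, "md5 mismatch (wrong key or modified update)"
    return False, f"unknown auth type {atype}"


def tamper_first_metric(packet: bytes, metric: int) -> bytes:
    """On-path modification: rewrite the metric (last field) of the first route entry."""
    off = 4 + ENTRY_LEN + 16
    return packet[:off] + struct.pack("!I", metric) + packet[off + 4:]


def demo(key: bytes = b"CISCO", key_id: int = 1) -> dict:
    """Lab values: key-string CISCO, key_id 1; routes taken from the show outputs."""
    routes = [("150.1.1.0/24", 1), ("136.1.121.0/24", 1)]
    chain = {key_id: key}
    plain, signed = build_plain(routes, key), build_md5(routes, key, key_id, seq=1)
    return {
        "plain_accepted": verify(plain, chain)[0],
        "plain_key_on_wire": key in plain,
        "plain_tamper_accepted": verify(tamper_first_metric(plain, 16), chain)[0],
        "md5_accepted": verify(signed, chain)[0],
        "md5_key_on_wire": key in signed,
        "md5_tamper_accepted": verify(tamper_first_metric(signed, 16), chain)[0],
        "md5_wrong_key_accepted": verify(signed, {key_id: b"cisco"})[0],
        "md5_wrong_key_id_accepted": verify(signed, {key_id + 1: key})[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

Running it prints one True/False per check. The two rows that matter for the lab are plain_key_on_wire (the reason the task asks for the most secure form) and md5_wrong_key_id_accepted (the reason key_id 1 on the ASA has to match key 1 in R1's chain, not only the key string).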

ASA1:
!
! RIP process configuration
!
router rip
 network 10.0.0.0
 network 136.1.0.0
 passive-interface default
 no passive-interface inside
 no passive-interface dmz
 version 2
 no auto-summary
!
! MD5 authentication on the inside interface
! (the key and key_id must match key 1 in R1's key chain)
!
interface Ethernet0/1
 rip authentication mode md5
 rip authentication key CISCO key_id 1
!
R1:
!
! Key-chain configuration (key number 1 matches the ASA's key_id 1)
!
key chain RIP
 key 1
  key-string CISCO
!
! Applying the key-chain and setting the mode
!
interface FastEthernet 0/0
 ip rip authentication mode md5
 ip rip authentication key-chain RIP
!

R1#sh ip protocols
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 12 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    FastEthernet0/0       2     2                    RIP
    Loopback1             2     2
  Automatic network summarization is not in effect
  Maximum path: 4
  Routing for Networks:
    136.1.0.0
    150.1.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    136.1.121.12         120      00:05:42
  Distance: (default is 120)
Key-chain RIP is listed against FastEthernet0/0 and the ASA's inside address
(136.1.121.12) appears under Routing Information Sources, so R1 is accepting
MD5-authenticated updates from the firewall; with a mismatched key string or key ID
the ASA would not appear in that list. The firewall's routing table confirms the
reverse direction, with R1's loopback learned over the inside interface:
!
A(config-if)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    136.1.121.0 255.255.255.0 is directly connected, inside
C    136.1.122.0 255.255.255.0 is directly connected, outside
C    10.0.0.0 255.255.255.0 is directly connected, dmz
R    150.1.1.0 255.255.255.0 [120/1] via 136.1.121.1, 0:00:09, inside
!
Packet capture example:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html
https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios