
Course: Cloud and Network Security

Student Name: Dickens Omolo

Student No.: cs-cns07-24101

Sunday, 24th October, 2024

Week 5 Assignment 2: Configure ASA Basic Settings and Firewall Using the CLI
Introduction
This report outlines the configuration process of a Cisco ASA (Adaptive Security Appliance)
using Packet Tracer. The main objective is to verify connectivity, configure basic settings, and
set up firewall rules through the Command Line Interface (CLI). The ASA serves as a security
device connecting the internal network and DMZ (Demilitarized Zone) to the Internet. The
assignment involves configuring various features, including routing, address translation, DHCP
services, and security settings. This hands-on exercise will enhance understanding of network
security concepts and ASA functionality.

Below is the physical topology of the network

Addressing table

Device       Interface      IP Address        Subnet Mask       Default Gateway
R1           G0/0           209.165.200.225   255.255.255.248   N/A
R1           S0/0/0 (DCE)   10.1.1.1          255.255.255.252   N/A
R2           S0/0/0         10.1.1.2          255.255.255.252   N/A
R2           S0/0/1 (DCE)   10.2.2.2          255.255.255.252   N/A
R3           G0/1           172.16.3.1        255.255.255.0     N/A
R3           S0/0/1         10.2.2.1          255.255.255.252   N/A
ASA          G1/1           209.165.200.226   255.255.255.248   N/A
ASA          G1/2           192.168.1.1       255.255.255.0     N/A
ASA          G1/3           192.168.2.1       255.255.255.0     N/A
DMZ Server   NIC            192.168.2.3       255.255.255.0     192.168.2.1
PC-B         NIC            192.168.1.3       255.255.255.0     192.168.1.1
PC-C         NIC            172.16.3.3        255.255.255.0     172.16.3.1

BODY

Answers to Questions
Part 1: Verify Connectivity and Explore the ASA

Step 1: Verify connectivity.

- Outcome: PC-C was able to ping all router interfaces but failed to reach the ASA, PC-B,
  or the DMZ server.

Step 2: Determine ASA version, interfaces, and license.

- Command: show version


Step 3: Determine file system and contents of flash memory.

- Commands:
  - Enter privileged EXEC mode.
  - show file system
  - show flash:

Part 2: Configure ASA Settings and Interface Security Using the CLI
Tip: Many ASA CLI commands are similar to, if not the same, as those used with the Cisco IOS CLI.
In addition, the process of moving between configuration modes and submodes is essentially the
same.

Step 1: Configure the hostname and domain name.

- Commands:

    hostname NETSEC-ASA
    domain-name netsec.com

Step 2: Configure the Enable Mode Password

- Command: NETSEC-ASA(config)# enable password ciscoenpa55

Step 3: Set the date and time.

Use the clock set command to manually set the date and time.

Step 4: Configure the INSIDE and OUTSIDE Interfaces


a. Create the G1/1 interface for the outside network (209.165.200.224/29), set the security level to the
lowest setting of 0, and enable the interface.

- Commands for OUTSIDE:

    NETSEC-ASA(config)# interface g1/1
    NETSEC-ASA(config-if)# nameif OUTSIDE
    NETSEC-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
    NETSEC-ASA(config-if)# security-level 0
    NETSEC-ASA(config-if)# no shutdown

b. Configure the G1/2 interface for the inside network (192.168.1.0/24), set the security level to the
highest setting of 100, and enable the interface.

- Commands for INSIDE:

    NETSEC-ASA(config)# interface g1/2
    NETSEC-ASA(config-if)# nameif INSIDE
    NETSEC-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
    NETSEC-ASA(config-if)# security-level 100
    NETSEC-ASA(config-if)# no shutdown

Use the following verification commands to check your configurations:


1) Use the show interface ip brief command to display the status for all ASA interfaces.
Note: This command is different from the IOS command show ip interface brief. If any of
the physical or logical interfaces previously configured are not up/up, troubleshoot as
necessary before continuing.
Tip: Most ASA show commands, including ping, copy, and others, can be issued from
within any configuration mode prompt without the do command.
2) Use the show ip address command to display the interface information.
Step 5: Test Connectivity to the ASA
- Results: PC-B pings the ASA INSIDE interface (192.168.1.1) successfully, but cannot ping the OUTSIDE interface
  (209.165.200.226).
Part 3: Configure Routing, Address Translation, and Inspection Policy Using the
CLI

Step 1: Configure a static default route for the ASA.


Configure a default static route on the ASA OUTSIDE interface to enable the ASA to reach external
networks.

Verification: show route confirms the route.

Verify that the ASA can ping the R1 S0/0/0 IP address 10.1.1.1.

Step 2: Configure address translation using PAT and network objects.


a. Create network object INSIDE-NET and assign attributes to it using
the subnet and nat commands.

    NETSEC-ASA(config)# object network INSIDE-NET
    NETSEC-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
    NETSEC-ASA(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface

b. The ASA splits the configuration into the object portion that defines the network to be translated and
the actual nat command parameters. Display the NAT object configuration using the show
run command.

From PC-B, attempt to ping the R1 G0/0 interface at IP address 209.165.200.225.

The pings fail.


Issue the show nat command on the ASA to see the translated and untranslated hits.
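The report names the default route and records the failed pings from PC-B without showing the commands for either, so the following ASA CLI session is added here as an example; it is not part of the original report. It assumes the next hop is R1 G0/0 (209.165.200.225, from the addressing table) and that the ASA still carries its default global_policy; without ICMP inspection the ASA keeps no state for PC-B's echo requests, so R1's echo replies arriving at OUTSIDE are dropped, which is the reason the pings above fail.

```cisco
! Default static route via the OUTSIDE interface; next hop is R1 G0/0 (209.165.200.225)
NETSEC-ASA(config)# route OUTSIDE 0.0.0.0 0.0.0.0 209.165.200.225
NETSEC-ASA(config)# show route
NETSEC-ASA(config)# ping 10.1.1.1

! PAT for INSIDE-NET was configured in Step 2. Outbound ICMP from INSIDE (100) to
! OUTSIDE (0) is allowed, but the reply has no matching state unless ICMP is
! inspected, so add ICMP to the default inspection class of the global policy.
NETSEC-ASA(config)# class-map inspection_default
NETSEC-ASA(config-cmap)# match default-inspection-traffic
NETSEC-ASA(config-cmap)# exit
NETSEC-ASA(config)# policy-map global_policy
NETSEC-ASA(config-pmap)# class inspection_default
NETSEC-ASA(config-pmap-c)# inspect icmp
NETSEC-ASA(config-pmap-c)# exit
NETSEC-ASA(config-pmap)# exit
NETSEC-ASA(config)# service-policy global_policy global

! Verify: repeat the ping from PC-B to 209.165.200.225, then check translation hits
! and the live xlate entry created for PC-B (192.168.1.3 -> 209.165.200.226)
NETSEC-ASA(config)# show nat
NETSEC-ASA(config)# show xlate
NETSEC-ASA(config)# show service-policy inspect icmp
```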

Part 4: Configure DHCP, AAA, and SSH

Step 1: Configure the ASA as a DHCP server.


a. Configure a DHCP address pool and enable it on the ASA INSIDE interface.
NETSEC-ASA(config)# dhcpd address 192.168.1.5-192.168.1.36 INSIDE
NETSEC-ASA(config)# dhcpd enable INSIDE

b. Specify the IP address of the DNS server to be given to clients.

    NETSEC-ASA(config)# dhcpd dns 209.165.201.2 interface INSIDE

c. Enable the DHCP daemon within the ASA to listen for DHCP client requests on the enabled
interface (INSIDE).

    NETSEC-ASA(config)# dhcpd enable INSIDE

d. Change PC-B from a static IP address to a DHCP client and verify that it receives IP addressing
information.

Step 2: Configure AAA to use the local database for authentication.


a. Define a local user named admin by entering the username command. Specify a password
of adminpa55.
b. Configure AAA to use the local ASA database for SSH user authentication.
NETSEC-ASA(config)# aaa authentication ssh console LOCAL
Step 3: Configure remote access to the ASA.
a. The ASA can be configured to accept connections from a single host or a range of hosts on the
INSIDE or OUTSIDE network. In this step, hosts from the OUTSIDE network can only use SSH to
communicate with the ASA. SSH sessions can be used to access the ASA from the inside
network.
b. Configure the ASA to allow SSH connections from any host on the INSIDE network
(192.168.1.0/24) and from the remote management host at the branch office (172.16.3.3) on the
OUTSIDE network. Set the SSH timeout to 10 minutes.
c. Establish an SSH session from PC-C to the ASA (209.165.200.226).

    C:\> ssh -l admin 209.165.200.226

The SSH session was established successfully.
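Steps 2 and 3 describe the local user and the SSH source restriction but show only the aaa command; the session below is added here as an example and is not taken from the report. It assumes the values the steps give (user admin / adminpa55, the INSIDE subnet, the branch host 172.16.3.3, a 10-minute timeout) and that the appliance still needs an RSA key pair for SSH, which is the one command not implied by the text.

```cisco
! Local user for SSH; privilege 15 lets admin reach privileged EXEC after login
NETSEC-ASA(config)# username admin password adminpa55 privilege 15
NETSEC-ASA(config)# aaa authentication ssh console LOCAL

! RSA key pair (only needed if the ASA has none yet); SSH cannot start without it
NETSEC-ASA(config)# crypto key generate rsa modulus 2048

! Permitted SSH sources: the whole INSIDE subnet, and exactly one host on OUTSIDE.
! Any other source is refused at the TCP level, before authentication is attempted.
NETSEC-ASA(config)# ssh 192.168.1.0 255.255.255.0 INSIDE
NETSEC-ASA(config)# ssh 172.16.3.3 255.255.255.255 OUTSIDE
NETSEC-ASA(config)# ssh timeout 10

! Verify the configured sources, then the live session opened from PC-C
NETSEC-ASA(config)# show run ssh
NETSEC-ASA(config)# show ssh sessions
```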

Part 5: Configure a DMZ, Static NAT, and ACLs


R1 G0/0 and the ASA OUTSIDE interface already use 209.165.200.225 and .226, respectively. You
will use public address 209.165.200.227 and static NAT to provide address translation access to the
server.

Step 1: Configure the DMZ interface VLAN 3 on the ASA.


a. Configure DMZ VLAN 3, which is where the public access web server will reside. Assign it IP
address 192.168.2.1/24, name it DMZ, and assign it a security level of 70. Because the server
does not need to initiate communication with the inside users, disable forwarding to interface
VLAN 1.
NETSEC-ASA(config)# interface g1/3
NETSEC-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
NETSEC-ASA(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
NETSEC-ASA(config-if)# security-level 70
NETSEC-ASA(config-if)# no shutdown

b. Use the following verification commands to check your configurations:

- Use the show interface ip brief command to display the status for the ASA interfaces.
- Use the show ip address command to display the information for the ASA interfaces.

Step 2: Configure static NAT to the DMZ server using a network object.
Configure a network object named DMZ-SERVER and assign it the static IP address of the DMZ
server (192.168.2.3). While in object definition mode, use the nat command to specify that this object
is used to translate a DMZ address to an OUTSIDE address using static NAT, and specify a public
translated address of 209.165.200.227.
Step 3: Configure an ACL to allow access to the DMZ server from the Internet.
Configure a named access list OUTSIDE-DMZ that permits the TCP protocol on port 80 from any
external host to the internal IP address of the DMZ server. Apply the access list to the ASA OUTSIDE
interface in the “IN” direction.
    NETSEC-ASA(config)# access-list OUTSIDE-DMZ permit icmp any host 192.168.2.3
    NETSEC-ASA(config)# access-list OUTSIDE-DMZ permit tcp any host 192.168.2.3 eq 80
    NETSEC-ASA(config)# access-group OUTSIDE-DMZ in interface OUTSIDE
Step 4: Test access to the DMZ server.
From a web browser on PC-C, navigate to the DMZ server (209.165.200.227).

Result: Successfully accessed the DMZ server via web browser from PC-C.
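Step 2 describes the DMZ-SERVER object in prose only, and Step 4 reports the browser test without showing how the ASA confirms it; the session below is added here as an example (not the report's own output) to cover both. It assumes the values stated in the steps (real address 192.168.2.3, public address 209.165.200.227, the OUTSIDE-DMZ access list from Step 3).

```cisco
! One-to-one static NAT for the DMZ web server: 192.168.2.3 <-> 209.165.200.227.
! Unlike the dynamic PAT object for INSIDE-NET, this mapping is fixed in both
! directions, which is what lets an Internet host initiate the connection.
NETSEC-ASA(config)# object network DMZ-SERVER
NETSEC-ASA(config-network-object)# host 192.168.2.3
NETSEC-ASA(config-network-object)# nat (DMZ,OUTSIDE) static 209.165.200.227
NETSEC-ASA(config-network-object)# exit

! The OUTSIDE-DMZ access list in Step 3 matches the real address 192.168.2.3:
! on this ASA the ACL is evaluated after untranslation, so a rule written against
! 209.165.200.227 would never match and the browser test would fail.

! Verify after PC-C has loaded the page: hit counts on the ACL entries, the static
! xlate, and the TCP connection to port 80 through the firewall
NETSEC-ASA(config)# show run nat
NETSEC-ASA(config)# show access-list OUTSIDE-DMZ
NETSEC-ASA(config)# show xlate
NETSEC-ASA(config)# show conn
```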
Conclusion
Through this assignment, I gained hands-on experience with configuring a Cisco ASA for network
security. The step-by-step process enhanced my understanding of network interface
configuration, routing, address translation, and security policies. Troubleshooting connectivity
issues helped solidify my skills in network management.
