
Secure Your Network With Cisco ASA Second Generation's OS 9.x

Chapter 3

ASA Basic

After reading this chapter you will be able to configure and describe:

Cisco ASA modes
Hostname
Enable password
IP address on an interface
Security-level
Telnet
SSH
HTTP
Backup
Upgrade
Password recovery

Page 25 of 846

ASA Basic LAB


How to set the hostname
How to set the enable password
How to set an IP address on an interface
How to enable Telnet
How to enable SSH
How to enable HTTP
How to take a backup
How to upgrade an appliance
How to recover the password

Diagram: (topology figure not reproduced in the text)

ASA Mode
ciscoasa> (User mode)
ciscoasa> enable
Password:
ciscoasa# conf t (enable mode)
ciscoasa(config)# ! hostname (config-mode)
ciscoasa(config)# hostname ASA1

How to set the enable password


ASA1(config)#
ASA1(config)# enable password shiva
ASA1(config)# exit
Logoff
Type help or '?' for a list of available commands.
ASA1> enable
Password: shiva
ASA1# conf t
ASA1(config)# ! remove enable password
ASA1(config)# enable password (press Enter with no password to clear it)


How to Check Configuration


ASA1(config)# ! show run
ASA1(config)# sh running-config
: Saved
:
ASA Version 9.0(3)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level

How to Check Interface Status


ASA1(config)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset administratively down down
GigabitEthernet0/1 unassigned YES unset administratively down down
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down

How to assign an IP address and security-level to an interface


ASA1(config)# ! set interface ip
ASA1(config)# int g0/0
ASA1(config-if)# no sh
ASA1(config-if)# ip add 192.168.101.1
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# int g0/1
ASA1(config-if)# no sh
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# ip add 192.168.102.1
ASA1(config-if)# ! check
ASA1(config-if)# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.101.1 YES manual up up
GigabitEthernet0/1 192.168.102.1 YES manual up up
PC2(config)#int fastEthernet 0/0
PC2(config-if)#no shutdown
PC2(config-if)#ip add 192.168.102.100 255.255.255.0
PC2(config-if)#no shutdown
ASA1(config-if)# ping 192.168.101.1
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA1(config-if)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA1(config-if)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

How to enable Telnet

ASA1(config)# telnet 192.168.101.100 255.255.255.255 inside (for a single host)
ASA1(config)# telnet 192.168.101.0 255.255.255.0 inside (for a network)
ASA1(config)# telnet 0.0.0.0 0.0.0.0 inside (wildcard: any source)

! the default Telnet password is cisco up to OS 8.6
! in OS 9.0 and later the default password was removed, so you have to set one
! Telnet is unencrypted (the login password travels in clear text), so SSH is preferred for management

ASA1(config)# sh ver
Cisco Adaptive Security Appliance Software Version 9.0(3)

ASA1(config)# passwd cisco

! verification on PC


! How to enable SSH on Cisco ASA


ASA1(config)# domain-name cisco.com
ASA1(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ASA1(config)# ssh 0 0 inside
ASA1(config)# ssh 0 0 outside
ASA1(config)# username shiva password shiva privilege 15
ASA1(config)# aaa authentication ssh console LOCAL

! verification on PC


! verification on PC2
PC2#ssh -l shiva 192.168.102.1

Password:
Type help or '?' for a list of available commands.
ASA1>
! you can't telnet to the lowest security-level interface (outside), even with telnet permitted there; SSH works
ASA1(config)# telnet 0 0 outside
ASA1(config)# ssh 0 0 outside
PC2#telnet 192.168.102.1
Trying 192.168.102.1 ...
% Connection timed out; remote host not responding

PC2#ssh -l shiva 192.168.102.1
Password:

! How to enable the HTTP server (used by ASDM)


ASA1(config)# sh flash
--#-- --length-- -----date/time------ path
146 0 Aug 29 2014 13:00:14 nat_ident_migrate
147 1422 Sep 23 2014 17:29:26 admin.cfg
148 2331 Sep 23 2014 17:29:26 old_running.cfg
22 4096 Sep 27 2013 10:55:54 coredumpinfo
23 59 Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg
149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg
11 4096 Aug 29 2014 12:48:00 log
21 4096 Aug 29 2014 12:48:40 crypto_archive
150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin
151 135168 Jan 01 1980 00:00:00 FSCK0000.REC
152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg
153 4096 Aug 29 2014 13:29:32 sdesktop
165 2082 Aug 29 2014 13:29:30 sdesktop/data-bkp.xml
166 2009 Aug 29 2014 13:42:06 sdesktop/data.xml
154 6487517 Oct 16 2012 13:16:00 anyconnect-macosx-i386-2.5.2014-k9.pkg
155 6689498 Oct 16 2012 13:16:02 anyconnect-linux-2.5.2014-k9.pkg
156 4678691 Oct 16 2012 13:16:02 anyconnect-win-2.5.2014-k9.pkg
157 333 Aug 29 2014 13:28:04 Anyconnect_client_profile.xml
158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin
160 4096 Jan 01 1980 00:00:00 FSCK0001.REC
161 31522773 Sep 26 2013 12:44:30 anyconnect-win-3.1.03103-k9.pkg

4118732800 bytes total (3964596224 bytes free)

ASA1(config)# http server enable


ASA1(config)# http 0 0 inside
ASA1(config)# username shiva pass shiva pri 15
ASA1(config)# ! verification on client


Note:
If ASDM does not load, run this command on the ASA to point it at the ASDM image on flash, then initiate the connection again:
ASA1(config)# asdm image disk0:/asdm-66114.bin
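The Telnet, SSH and HTTP sections above all open remote management on an interface. The following Python is an added example (not from the book) that audits the management-access lines of a `show running-config` dump for the weak settings the chapter touches on: Telnet at all, wildcard 0.0.0.0 sources, access on the lowest security-level interface, Telnet without a `passwd`, and SSH without AAA. The sample config and the function names are constructed for this example.

```python
import re

# Constructed sample modelled on the chapter's commands (not a real device config)
SAMPLE_CONFIG = """\
hostname ASA1
interface GigabitEthernet0/0
 nameif inside
 security-level 100
interface GigabitEthernet0/1
 nameif outside
 security-level 0
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
http server enable
http 0.0.0.0 0.0.0.0 inside
aaa authentication ssh console LOCAL
"""

def interface_levels(config):
    """Map each nameif to its security-level, read from the interface blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels

def audit_management_access(config):
    """Return findings for the telnet/ssh/http access lines in a running-config."""
    levels = interface_levels(config)
    lowest = min(levels.values()) if levels else None
    findings = []
    # access lines have the expanded form "<proto> <ip> <mask> <nameif>"
    for m in re.finditer(r"^(telnet|ssh|http) (\S+) (\S+) (\S+)$", config, re.M):
        proto, ip, mask, ifc = m.groups()
        if proto == "telnet":
            findings.append(f"telnet on {ifc}: cleartext login, prefer ssh")
        if ip == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"{proto} on {ifc}: any source allowed, restrict to admin hosts")
        if ifc in levels and levels[ifc] == lowest:
            findings.append(f"{proto} on {ifc}: management on the lowest security-level interface")
    if re.search(r"^telnet ", config, re.M) and not re.search(r"^passwd ", config, re.M):
        findings.append("telnet enabled but no passwd set (9.0+ has no default login password)")
    if "aaa authentication ssh console" not in config:
        findings.append("ssh: no aaa authentication configured")
    return findings
```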


! ASA OS backup
ASA1(config)# sh flash:
(same listing as in the HTTP section above; the current image is asa903-smp-k8.bin, 36993024 bytes)


ASA1(config)# copy flash: tftp:
Source filename []? asa903-smp-k8.bin
Address or name of remote host []? 192.168.101.100
Destination filename [asa903-smp-k8.bin]?
Writing file tftp://192.168.101.100/asa903-smp-k8.bin...
!!!!!!!!!! (progress indicator shortened)
36993024 bytes copied in 130.870 secs (284561 bytes/sec)

ASA1(config)# ! ASA OS upgrade

ASA1(config)# ! the latest OS image is on PC1's FTP server (192.168.101.100)

ASA1(config)# copy ftp://192.168.101.100/asa922-4-smp-k8.bin flash:

Address or name of remote host [192.168.101.100]? enter
Source filename [asa922-4-smp-k8.bin]? enter
Destination filename [asa922-4-smp-k8.bin]? enter
Accessing ftp://192.168.101.100/asa922-4-smp-k8.bin...!!!!!!!!!! (progress indicator shortened)
Writing file disk0:/asa922-4-smp-k8.bin...
!!!!!!!!!! (progress indicator shortened)
52457472 bytes copied in 63.150 secs (832658 bytes/sec)
ASA1(config)# sh flash:
--#-- --length-- -----date/time------ path
146 0 Aug 29 2014 13:00:14 nat_ident_migrate
147 1422 Sep 23 2014 17:29:26 admin.cfg
148 2331 Sep 23 2014 17:29:26 old_running.cfg
22 4096 Sep 27 2013 10:55:54 coredumpinfo
23 59 Sep 27 2013 10:55:54 coredumpinfo/coredump.cfg
149 35602388 Aug 29 2014 12:44:36 csd_3.6.6203-k9.pkg
11 4096 Aug 29 2014 12:48:00 log
21 4096 Aug 29 2014 12:48:40 crypto_archive
150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin
151 135168 Jan 01 1980 00:00:00 FSCK0000.REC
152 12998641 Oct 16 2012 13:16:00 csd_3.5.2008-k9.pkg
153 4096 Aug 29 2014 13:29:32 sdesktop
165 2082 Aug 29 2014 13:29:30 sdesktop/data-bkp.xml
166 2009 Aug 29 2014 13:42:06 sdesktop/data.xml
154 6487517 Oct 16 2012 13:16:00 anyconnect-macosx-i386-2.5.2014-k9.pkg
155 6689498 Oct 16 2012 13:16:02 anyconnect-linux-2.5.2014-k9.pkg
156 4678691 Oct 16 2012 13:16:02 anyconnect-win-2.5.2014-k9.pkg
157 333 Aug 29 2014 13:28:04 Anyconnect_client_profile.xml
158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin
168 52457472 Sep 28 2014 13:23:59 asa922-4-smp-k8.bin
160 4096 Jan 01 1980 00:00:00 FSCK0001.REC
161 31522773 Sep 26 2013 12:44:30 anyconnect-win-3.1.03103-k9.pkg

4118732800 bytes total (3912138752 bytes free)


! boot the latest OS
ASA1(config)# boot system disk0:/asa922-4-smp-k8.bin
ASA1(config)# write
Building configuration...
Cryptochecksum: 23dfb1bc 85a02476 e2a94e9f 9626e623
2852 bytes copied in 0.750 secs
[OK]
ASA1(config)# sh running-config boot
boot system disk0:/asa922-4-smp-k8.bin
ASA1(config)# reload
Proceed with reload? [confirm]
ASA1(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
***
*** --- SHUTDOWN NOW ---
Booting from ROMMON
Cisco Systems ROMMON Version (2.1(9)8) #1: Wed Oct 26 17:14:40 PDT 2011
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Launching BootLoader...
Boot configuration file contains 1 entry.
Loading disk0:/asa922-4-smp-k8.bin...
ASA1# sh version
Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 6.6(1)
Compiled on Tue 29-Jul-14 23:41 PDT by builders
System image file is "disk0:/asa922-4-smp-k8.bin"
Config file at boot was "startup-config"
ASA1 up 40 secs
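Before issuing `reload`, a practitioner would confirm that the image named by `boot system` really exists on disk0: and is complete, since a missing or truncated image leaves the appliance at the ROMMON prompt. The following Python is an added example (not from the book) that parses the `sh flash:` listing format shown above and compares the image size with the "bytes copied" count from the copy; the listing, copy result and boot line are constructed from the chapter's values.

```python
import re

# Constructed sample: trimmed copy of the chapter's "sh flash:" listing format
FLASH_LISTING = """\
--#-- --length-- -----date/time------ path
147 1422 Sep 23 2014 17:29:26 admin.cfg
150 17851400 Aug 29 2014 12:56:32 asdm-66114.bin
158 36993024 Sep 23 2014 16:38:16 asa903-smp-k8.bin
168 52457472 Sep 28 2014 13:23:59 asa922-4-smp-k8.bin

4118732800 bytes total (3912138752 bytes free)
"""
COPY_RESULT = "52457472 bytes copied in 63.150 secs (832658 bytes/sec)"
BOOT_LINE = "boot system disk0:/asa922-4-smp-k8.bin"

def parse_flash(listing):
    """Return {path: size_in_bytes} from 'sh flash:' output (header/total lines skipped)."""
    files = {}
    pat = re.compile(r"^\s*(\d+)\s+(\d+)\s+\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)$")
    for line in listing.splitlines():
        m = pat.match(line)
        if m:
            files[m.group(3)] = int(m.group(2))
    return files

def check_boot_image(boot_line, listing, copy_result):
    """Verify the 'boot system' image exists on disk0: and matches the copied byte count."""
    m = re.match(r"boot system disk0:/(\S+)", boot_line)
    if not m:
        return (False, "boot system line not understood")
    image = m.group(1)
    files = parse_flash(listing)
    if image not in files:
        return (False, f"{image} not found on disk0:")
    copied = int(re.match(r"(\d+) bytes copied", copy_result).group(1))
    if files[image] != copied:
        return (False, f"{image}: flash size {files[image]} != {copied} bytes copied")
    return (True, f"{image} present, {copied} bytes")
```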


! password recovery
! simulate a lost enable password by setting one you will not remember
ASA1(config)# enable password asdasdwwqek89geuqbdqweqw
ASA1(config)# write
ASA1# ex

Logoff

Type help or '?' for a list of available commands.

! power-cycle the appliance manually; at boot time:

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot in 9 seconds.
! press BREAK or ESC on the keyboard to interrupt the boot
Use ? for help.
rommon #0> confreg 0x41

Update Config Register (0x41) in NVRAM...

rommon #1> reset

! 0x41 makes the ASA ignore the startup-config, so it boots with the default hostname and no enable password
! this procedure needs console access; with 'no service password-recovery' configured, the ASA erases its configuration rather than letting it be read this way
ciscoasa> enable
Password:
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later:
ciscoasa(config)#
! load the saved configuration back, then clear the enable password
ciscoasa(config)# copy startup-config running-config

Destination filename [running-config]?

.
Cryptochecksum (unchanged): 3968c06d 20751a6b 73f37918 d875d53d

2941 bytes copied in 0.370 secs

ASA1(config)#
ASA1(config)# enable password (press Enter to clear it)
! set the config register back to normal so the startup-config is loaded on the next boot
ASA1(config)# config-register 0x01
ASA1(config)# reload
System config has been modified. Save? [Y]es/[N]o: y


Cryptochecksum: 3f5ee47a 0fe39be7 24974ec3 28f97b3b

3403 bytes copied in 0.710 secs


Proceed with reload? [confirm] enter
ASA1(config)#

***
*** --- START GRACEFUL SHUTDOWN ---
ASA1> enable
Password: (now no password)
ASA1#
ASA1(config)# ping 192.168.101.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.101.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA1(config)# ping 192.168.102.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.102.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
