Cisco ASA 5505 Firewall Initial Setup: Cisco ASA Training 101

Video Statistics and Information

Captions
Hello and welcome to Cisco ASA Training 101. My name is Don Crawley. I'm from soundtraining.net; we're the Seattle, Washington based provider of accelerated training and publisher of learning resources for IT professionals. This time we're doing Cisco ASA security appliance initial setup. It's based on chapter one in my book, The Accidental Administrator: Cisco ASA Security Appliance. The book is not required for the video, but if you'd like to get a copy to follow along, it's available through Amazon and other resellers, or you can visit our website at www.traknetpm.com.

Firewall: what we want to do is we want to limit where connections can be initiated, and that's the important concept here. So a firewall allows your internal users to initiate a connection to, say, the public internet, maybe a website or a mail server or FTP server, something like that, but it prohibits internet users from being able to initiate a connection to the internal network, and that, at its core, is what a firewall is all about. Now, you take a sophisticated device like a Cisco ASA security appliance and it certainly can do lots more than just that, but at its core that is basic firewall functionality.

Now we can break firewalls down into two broad families: there's desktop and network firewalls. Here's the difference. A desktop firewall is typically a software application that is installed on a computer, such as what you're seeing here, the Windows 8 firewall. A network firewall is typically a purpose-built device. You can certainly install network firewall software on a general-purpose PC, but it's typically a purpose-built device, such as what you see here with the Cisco ASA family of firewalls. The difference is that a desktop firewall is designed to protect an individual node on a network, and a network firewall is placed at the network edge and it's designed to protect an entire network.

One question that comes up frequently in my classes, and just in discussions in general, especially with people who are new to networking, is: if I have a network firewall such as a Cisco ASA at the edge of my network, do I need to install the desktop firewall software, do I need to activate it on my individual computers in my network? And the answer is yes, yes, yes, you do, because, depending on the statistic, I've read varying numbers, but the point is that a large percentage of security breaches are caused from internal sources, and a network firewall would have nothing to do with something like that. Maybe you have a user who brings in an infected USB flash drive, or, since this is a BYOD, bring your own device, world today that we live in, maybe they bring in an infected system and, say, a worm is released into your network, and systems that aren't protected with a desktop or an application firewall like that would be subject to compromise. And so a desktop firewall protects your internal systems, while a network firewall at the edge of your network protects all of the network in general, but it's not going to have any effect on somebody bringing in an infected CD-ROM drive, for example. So you need both.

Now, one other comment on this before we move on. A lot of times people will say, well, that's such a pain to configure and I've got to manage them, and they complain about that. Well, but that's what tools like Microsoft Group Policy are designed for. So if you're new to networking, one of the best gifts you can give yourself is to learn how to use centralized management tools such as Group Policy. I'm not going to go into any more detail on that, but the point of this slide is that you need both: you need a desktop firewall to protect your individual nodes and a network firewall at the edge to keep the bad stuff out of your network.

The Cisco ASA family of firewalls starts with the small office/home office version, which is the 5505; that's the one you see in the upper right-hand corner of the graphic, and it goes all the way up through the 5510, 5520, 5540, 5550, the X series such as the 5515-X, all the way up into the 5580 and 5585 series, which are designed for provider-class applications. We're going to be doing the demo using a 5505, but again, what I'm going to show you should be relevant no matter which version of the ASA software you're working with or the ASA platform you're working with.

Let's take a look at the front of the 5505, then we'll take a look at the back. In the lower left-hand corner you see a USB 2.0 port that is inactive, and it's reserved for future use. It's been reserved for future use since the ASAs first came out back in the mid-2000s, so I'm not sure what Cisco is planning to do with that. You would think that by now it would be active for something, but it's not. Then, moving along, there are eight indicator lights along the top that indicate link activity and eight along the bottom that indicate that you're connected at Fast Ethernet speeds. Then on the right-hand side there's a power indicator, meaning the unit is receiving power; a status light: if it's flashing, that means the unit is booting, if it's solid, then the unit is either booted or it's nearly booted; active means it's processing traffic; VPN means that it has a VPN connection; and SSC means that there is a card in the security services card slot on the back.

Let's take a look at the back. So here is the back of an ASA 5505, and in the upper left-hand corner you see the security services card slot; that is for adding additional functionality through cards. In the lower left-hand corner there's the power port, and then there are eight Ethernet ports, and this is counter-intuitive, listen carefully: they are numbered from right to left, not the way you would expect them to be. So port number zero is on the far right and port number seven is on the far left. Typically we connect the outside to port 0 and the inside to ports one through seven. You can configure it however you want, but that's the default configuration. Also, you need to be aware of the fact that ports six and seven are PoE-enabled, so if you have, say, an IP phone or an access point or a switch that is PoE-powered, then you can plug it into either of those two ports and power it off of the ASA. Continuing to the right, there are two more USB 2.0 ports that are reserved for future use; they are inactive as of the timing of this video. And then there's a Cisco console port, so you'll need to get a Cisco console cable. If you cringe at the thought of working in the command line, get over it, because when you're working with Cisco devices there will be times where you'll have to go into the command line and type some commands. Not that difficult, and so make sure you've got a Cisco console cable. Far right, there's a security lock slot, and then right below that is a reset button. The reset button, like the USB ports, is reserved for future use, so as of right now, at least based on my research that I did prior to producing the video and experimenting in my lab, it still does nothing. You can push it and nothing will happen.

Now there's an important concept that you need to understand relative to Cisco security appliances, and that is the concept of security levels. We assign security levels to interfaces, and then the traffic can flow from a network behind a security level that is high to a network behind a security level that is low, relatively, unimpeded. So here you see the office LAN: the interface connected to the office LAN has a security level of 100, and the internet's interface has a security level of zero. That simply means that traffic can flow from the office LAN to the internet fundamentally unimpeded, but not the other way around. Again, it kind of goes back to the first slide that we showed you about initiating connections; in other words, you can initiate a connection from the office LAN to the internet, because the office LAN is a security level of 100, but not from the internet to the office LAN.

Now, one comment before we go on. You may notice that the DMZ has a security level of 50, and there's a web server and a mail server up in the DMZ in the upper left-hand corner. So you're thinking, well, okay, so how does an internet user get to the web server in the DMZ, since the DMZ has a security level of 50 and the internet has a security level of zero? And the answer is we poke a hole in the firewall using a combination of an access control list and a static NAT statement to allow specific traffic flows to get to either the web server or the mail server. Now, we're not going to go into any more detail on that, but just for right now, just know that that is possible and that that's how that works.

Prerequisites for this lesson: you should have the following. Unrestricted privileged mode access to a Cisco ASA security appliance; the one I'm using is a 5505. You'll want it configured as a DHCP server, which will happen automatically when you apply the default configuration, but if for some reason you don't want a DHCP server in there, then you'll need to manually assign an IP address to your management workstation. And that's the next requirement: a computer for your management workstation. I'm going to be using a computer running Microsoft Windows 8, but you could use an older version of Windows or a Mac or Linux system. You'll also need an Ethernet cable, a Cisco console cable, and if your management workstation doesn't have a COM port on it, and let's face it, most of them don't today, then you'll also need a USB-to-serial adapter. And here's a picture of the Cisco console cable. They're pretty widely available; you can make them if you want, get them on eBay, or you can buy a new one from Cisco, but they're pretty pricey from Cisco. You also, if you don't have a COM port on your PC, then you'll need a USB-to-serial adapter such as the one I'm showing you on the far right. Be careful on which one you get. If you get a cheap one, a lot of times you'll have problems with the chipset not being compatible with the Windows operating system or whatever operating system you're using, so you just want to be prepared to spend, you know, maybe 35 or 40 bucks to get a good one, and make sure that it is, if you're using it with Windows, that it is logo certified.

Now here's the network diagram that we're going to be working from. As you can see, it's pretty simple. We've got a serial console cable connected from the management workstation, either the COM port or, through a USB-to-serial adapter, a USB port on the management workstation, going to the console port on the firewall, and then we also have an Ethernet cable connected to port one, not port 0, on the ASA. That's confusing, so let's just take a quick look at it. Here's the back of the ASA, and you want to connect to port 1; that's the second-from-the-right port on the back of the ASA.

Here's your disclaimer. This video is provided solely as a courtesy to you, our viewer. There are no guarantees whatsoever. Please do not attempt these procedures on a production firewall without first testing them for security and suitability in a lab environment. These procedures will destroy your firewall's existing configurations, so if you're doing this on a firewall that's already configured, you may want to do a backup, and we'll cover that in a different video. Also, performing these procedures may open your firewall to the public internet and subject your network to attack, so make sure you have current backups, take precautions including data encryption and additional access controls to protect sensitive data. Just generally good advice anyway.

So here we go. Let's start by erasing the existing configuration. Now, that may not be something you want to do, but I want to demonstrate this with a completely clean configuration. So you'll notice the prompt is showing asa01; that's an arbitrary hostname that I gave to the ASA. And we're going to go into privileged mode, so I'll type en, which is short for enable, and it prompts me for the password. I don't have a password on this one since it's just in my lab, so just hit Enter, and now I'm in privileged mode. The difference is that in user mode, where I have limited access to commands, the prompt is a greater-than sign, and in privileged mode, where I have all access to all commands, the prompt is a pound sign. Now we're going to erase the existing configuration with the command write erase, which I can abbreviate with wr er; that's short for write erase. And it's going to prompt me, and I'm going to confirm by hitting Enter. It whirs for a moment and it says OK. You've done it; you've blown away the configuration in flash memory. Now, the firewall will continue to function, because right now the configuration lives in dynamic RAM, but as soon as I power cycle or reload the device, it's going to try to read its saved configuration from flash memory, and it's not there. Let's just take a look. Let's do the command show startup-config; I could have abbreviated that: show start. Notice that it says no config. So we're going to say reload noconfirm, and that's going to reload the device without asking for confirmation. There it goes, and we'll do a quick edit and come back when it's completely reloaded and ready for us to work with.

So now, through the miracle of digital editing, we've rebooted in record time, and you can see that there's a prompt at the bottom that says pre-configure the firewall now through interactive prompts, and you actually could go through that process, but we're not going to do that for the purpose of the video, so I'm going to say no. And now let's go into privileged mode. Notice that the prompt has changed, by the way; it now says ciscoasa. That's because the old config is completely gone. In fact, let's go ahead and go into privileged mode: en, short again for enable. There's no password, so we'll just hit Enter, and let's do the command show startup-config, which we can abbreviate show start. Again, there's still no configuration. Now let's go into global configuration mode with the command configure terminal, which we can abbreviate just conf t, and it's asking if we want to enable anonymous error reporting, and maybe you do, maybe you don't. For our purpose in the video I'm going to say no. Cisco would appreciate it if you would, but again, that's a personal preference.

And we're going to issue the command config factory-default to apply a default configuration to the security appliance, and then we can go in and modify it in the GUI. But right now let's just issue the command config factory-default. Notice that I've just typed config space fact and I'm going to touch the Tab key, and notice that it just completes the command for me; that's pretty slick. And I could, by the way, provide an IP address here if I want to change the management interface on my security appliance; I could put in the IP address right now and it would apply that to the management interface, but I'm going to just leave it as is and use the defaults. We'll go ahead and hit Enter. Watch what happens now: it's applying the factory default configuration. It doesn't prompt me, it doesn't say hey, we're about to mess with your config, it doesn't say are you sure; it just does it, so be aware of that. We're going to touch the space bar at each of the More prompts, and almost done, and now it is, it's complete. And let's go ahead and save this with the command write, which is short for write mem, so I can just type wr. And now let's take a look at the saved configuration, show start, and see, now it has a configuration in flash memory. So if there were a power event or we reloaded the firewall, it would come back and would actually have a configuration on it now, as opposed to before, where it didn't. Touch Q to break out of this, and we're all set.

Let's go ahead and bring up a browser and take a look at running the ASDM, the Adaptive Security Device Manager, and continuing the configuration through that. So we've got Internet Explorer open. You can use a different browser, but I've had better luck with Internet Explorer and using the ASDM than the other two browsers, Chrome and Firefox. Personal preference; I recommend you use IE. I think you'll find it's a little less problematic, but again, personal preference. We're going to type in https, and that's important: you must use secure HTTP to connect to the firewall, otherwise you'll end up with an error. We're going to type in the IP address of the inside interface, so that's going to be 192.168.1.1; that's the default. If you configured it with some other address, then you'll need to use that. We'll go ahead and hit Enter, and you get a security warning. Just click through that; in the real world you may want to check and make sure that you're connecting to where you think you are. Now notice down at the bottom it says this webpage wants to run the following add-on, and it's asking if it's okay to run Java. You need to do that, so we'll click on Allow, and notice what happens now: the ASDM splash page. It gives us three options. One is to install the ASDM launcher, and we're not going to do that for this video, although I do have another video where I show you how to do that. You could also run ASDM, or you can run the startup wizard. Really, there's not a lot of difference between running ASDM and running the startup wizard, other than Run Startup Wizard runs ASDM and then it starts the startup wizard. So that's what we're going to do: click on the Run Startup Wizard button, and it goes through the process of starting Java, and we'll get some certificate warnings; that's fairly normal, and just make sure you know what you're connecting to. We'll click on Yes, and now it's asking us for our username and password. Well, we didn't configure one, so we'll just simply click OK, and it's going to whir for a moment, then it'll come back and actually start the ASDM, and then it will kick in the startup wizard as well. And here it goes. We'll get a warning about letting Cisco know, reporting about errors and how we use it; we'll bypass that. There's the warning, well, it's called Smart Call Home, and we'll just not enable that. Cisco would like us to, but for the purpose of the video we're going to bypass that. Click on OK, and there's our startup wizard, just finishing getting the data from the device, and now we're ready to go.

And you'll notice that we have two options: one is to modify the existing configuration or reset the configuration to the factory defaults. And since we've already reset it to the factory defaults, we just want to modify the existing configuration, tweak it a little bit, so we'll click on Next. And notice that it says configure the device for teleworker usage as an option; that would allow us to set it up for remote access VPN usage and remote management, that sort of thing. We're not going to do that; we're just going to configure it as a standalone device. This is just setting up the very basic ASA, like it's configured in thousands, maybe millions, of offices, small offices and home offices around the world. Now let's give it a hostname, and so I'm just going to call it asa01; not feeling particularly creative here, so we'll go with that. And now we'll choose our domain name. You'll probably want to use something other than what I'm using, but I'll use my company name. We'll change the privileged mode password; this is the password that you use to get into privileged mode, that's what the name says, and so you want to use something fairly robust. Whatever you choose, I'm going to put in just one that I like to use for this purpose, and we'll click Next.

Now it's a page about configuring VLANs. If you're working with a 5510, 5520, 5540, 5550, one of the X-series, you're not going to see this, but for the 5505, since it has a built-in eight-port switch and the interfaces that it uses are physical interfaces that are made members of VLANs, we have to configure the VLANs. And so we'll configure two of them. We're not going to configure the DMZ, so we'll just choose Do Not Configure for the DMZ, and we'll clear this checkbox and we'll click Next. Now it's asking us to assign switch ports to VLANs, and we're going to go with the default configuration, but I just want to point out that by default it associates Ethernet 0/0, that's port 0, the farthest rightmost port on the back of the firewall, with the outside VLAN, which is VLAN 2 by default, and it associates ports 1 through 7, or as it labels them, Ethernet 0/1 through 0/7, with VLAN 1, the inside VLAN. We don't need to make any changes here, so we'll simply click Next and go on.

Now it's asking us to assign IP addresses to the interfaces, and we're going to use DHCP to get our IP address on the outside VLAN. If you need to assign a static, then you can push the radio button that says Use the following IP address and put in whatever address you need and the appropriate mask, but we're going to use DHCP. There's one thing we need to do here, and that is to check the box for Obtain default route using DHCP, and we want to do that. Typically we would do that, I think, because we're going to get that from our ISP and we want to use their router as the default route, and so I think most of the time you'll want to do that. Now let's do the inside, and we can just leave it at the default. If you need to change it for some reason, then go ahead and do that, but I think most of the time you'll probably leave it as the default, and we'll click Next.

Now we're enabling the DHCP server, and as you can see, by default it wants to do that on the inside interface. The only thing we really need to configure here is how it's going to get the DNS settings, and maybe you want to check the box for Enable auto-configuration from the interface. If you do that, it's going to pull all of those settings from your ISP's DHCP server. I tend to like to use OpenDNS for my DNS server, so I'm going to set that up here, but this is really a matter of personal preference for you. So OpenDNS, if you're not familiar with it, just search on it and you'll see what it's about, but it's an open DNS server that anybody can use. So I'm going to enter their two DNS servers: 208.67.222.222 for the first one, and for the second one 208.67.220.220. We don't need to configure a WINS server; if you need to do that, you'll know what the address is, but most of you probably won't need to do that. Our lease length we're going to set to one day, so that's 86,400 seconds, which is the default. Our ping timeout we're going to set to 50 milliseconds, again the default; oops, let's type that. And our domain name, this is the domain name that's handed out to the DHCP clients, and I'll set that again to soundtraining.net; you'll probably want to use your own. And now we're ready, so we'll click on Next.

Next is using port address translation, and probably you're going to want to use port address translation, and in order to do that we'll simply push the radio button that says Use Port Address Translation, and we'll accept the default of Use the IP address on the outside interface. What this is, this allows all of your inside clients to share an IP address on the outside, and that's the typical configuration. You know, if you're using a little Linksys or a Netgear home router, that's what it does, and so for most purposes this is what you're going to want to do. If you need to do it a different way, you'll probably know that, and then you can configure it accordingly. We'll click on Next. Now this is the page where we configure administrative access, and it's all set up. This is simply saying who can connect to the ASDM, and it's fine as it is, so we'll click on Next. And it's giving us a summary of what we've done; take a look at it, make sure it's what you expect, and when you're satisfied, click on Finish. It delivers the commands to the device, and now it wants a network password. Now, we don't have a username configured yet, so we'll tab down to the password field and enter the password that we just configured and click on Login, and away we go. In a moment you'll see the ASDM with the new configuration. You can tell that it's the new configuration because, remember, we gave it a new hostname, and if you look in the upper left-hand corner it says the hostname is now asa01.

A couple of other things that you probably want to do. Down at the very bottom, let's enable logging so you can see what's going on; that's handy when you're troubleshooting or just want to kind of see what's going on with the system. The other thing that I like to do is up under the Tools menu: click on Tools and go to Preferences, and there's an option to allow you to preview commands before the ASDM sends them to the device, and I like to do that just so I can see what the command line commands are. So we'll check that box that says Preview commands before sending them to the device, we'll click on OK, and we're good. Now we've got a fully functioning ASA security appliance configured through the ASDM, and that's how you do the very basic configuration. We have other videos where we've shown you how to set up a VPN or how to set up DMZs and some of the other aspects of administration, but this is where it all starts.

If you'd like more information, visit our website at www.traknetpm.com training dotnet slash blog. Either way, you can follow us on Google+, Facebook and Twitter. If you'd like more videos, they're on our video channel; we're adding new videos all the time, usually several a week, at wwm training Nets videos. If you'd like the companion book, I'd love for you to have a copy of it. It's available through our bookstore at www.weiu.net slash bookstore, or you can find it at Amazon or through other internet resellers. Well, I hope it's been helpful for you. For soundtraining.net, I'm Don Crawley. We'll see you next time.
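As an added illustration of the two concepts the video leans on, interface security levels and the administrative-access page, here is a small Python audit over an ASA-style config. This is not code from the video, the book or Cisco; the config text is constructed here to resemble the 5505 defaults the wizard produces (inside at 100, outside at 0, OpenDNS servers) with one deliberately weak `http ... outside` line added so the check has something to flag, and the function names are this example's own.

```python
"""Audit an ASA running-config for two things a small-office admin should
verify after the startup wizard: which interface pairs may initiate
connections by default (higher security level -> lower), and whether
ASDM/HTTPS management has been opened on a security-level-0 interface."""
import re

# Constructed sample, modelled on the 5505 factory defaults discussed in the
# video.  The last 'http' line is NOT a default; it is added here on purpose
# so the audit below has a weak setting to report.
SAMPLE_CONFIG = """\
hostname asa01
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd enable inside
"""

NAMEIF_RE = re.compile(r"^ nameif (\S+)")
LEVEL_RE = re.compile(r"^ security-level (\d+)")
HTTP_RE = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)")


def parse_security_levels(config):
    """Map each named interface (nameif) to its security-level.
    Interface sub-commands are indented by one space; any top-level line
    (including the '!' separator) closes the current interface block."""
    levels = {}
    name = level = None
    for line in config.splitlines() + ["!"]:   # sentinel flushes the last block
        if not line.startswith(" "):
            if name is not None and level is not None:
                levels[name] = level
            name = level = None
            continue
        if m := NAMEIF_RE.match(line):
            name = m.group(1)
        elif m := LEVEL_RE.match(line):
            level = int(m.group(1))
    return levels


def allowed_initiations(levels):
    """(src, dst) pairs from which a connection may be initiated without an
    explicit ACL: only from a strictly higher level to a lower one.  Equal
    levels and lower-to-higher are blocked by default."""
    return {(s, d) for s in levels for d in levels if levels[s] > levels[d]}


def management_exposure(config, levels):
    """Flag 'http' (ASDM/HTTPS) access statements that admit management
    traffic on a level-0 interface or from any source address."""
    findings = []
    for line in config.splitlines():
        if not (m := HTTP_RE.match(line)):
            continue
        _net, mask, iface = m.groups()
        if levels.get(iface) == 0:
            findings.append(f"ASDM access on security-level 0 interface '{iface}': {line}")
        elif mask == "0.0.0.0":
            findings.append(f"ASDM access from any address on '{iface}': {line}")
    return findings


if __name__ == "__main__":
    lv = parse_security_levels(SAMPLE_CONFIG)
    print("security levels:", lv)
    print("may initiate:", sorted(allowed_initiations(lv)))
    for f in management_exposure(SAMPLE_CONFIG, lv):
        print("FINDING:", f)
```

Adding a DMZ interface at level 50 to the levels dict shows the three-tier behaviour described in the video: inside reaches both, the DMZ reaches only outside, and nothing reaches in from outside without an ACL and static NAT.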
Info
Channel: soundtraining.net
Views: 562,430
Rating: 4.8910785 out of 5
Keywords: cisco asa, asa cisco, how do i setup a cisco asa, vpn, vlan, setup wizard, config factory-default, write erase, cisco asa security appliance, cisco setup, Security (Quotation Subject), Technology, Software Tutorial, Computer Security (Industry)
Id: F6qvKRFn-xc
Length: 26min 59sec (1619 seconds)
Published: Tue Dec 04 2012