Cisco ASA Basics 001 - The Initial Configuration Setup!

Captions
How's it going, everybody? In this video we're going to be taking a look at the initial setup of a Cisco ASA firewall. Now, when it comes to understanding how a Cisco ASA firewall works, we definitely need to understand the initial steps in order to get it up and running, because if you've never dealt with an ASA firewall before, or you're about to have to work with one... I know when I first started working with them there was a little bit of a learning curve to understand exactly how the ASA firewall worked. So, that being said, we're going to take a few minutes, go through the initial configuration of what the ASA firewall needs and some of the details behind it, and go from there. Then when we get done getting everything up and running, and we can verify some pings and things like that, we'll be taking a look at some of the follow-on details in some following videos about how we can optimize the ASA. So let's go ahead and dive into the configuration of what we need to know about the ASA.

Let's go ahead and bring the command line over. Operationally this is a virtual ASA; it's running in a setup on EVE. When you start working with the ASA firewall it can be a little daunting the first time you ever play with it, because the command structure, if you're familiar with Cisco IOS on an IOS router or an IOS switch, is a little bit different and can be a little tricky to get working and operational. So you definitely need to know some of the initial steps. One of the first things that you're definitely going to want to do, just like you would on a regular router or a firewall or a switch, is type in the enable command and hit the Enter key. You're presented with this right here, "Password:". There is no password; hit the Enter key. It makes it very, very easy to work with. It's a little disconcerting at first, because you're like, "Well, I never set a password," and then you have to go Google it, and you learn very quickly that you just hit the Enter key a couple of times and you'll be at privilege level 15, or privileged mode.

So, unlike IOS, there's another way of looking at it: the show curpriv command. If you hit the Enter key it'll show you that your current privilege level is 15, and that's pretty much where you're at. The question mark command works as it normally would on an IOS router. If you want to look at the interfaces that are available on the firewall, you wouldn't do a show ip interface brief; that command is not supported here. What you would do is a show interface, then ip, and look at the brief output: show interface ip brief. So that's how you look at the equivalent of the show ip interface brief command from an IOS router on an ASA firewall.

Now let's go ahead and go to global config. That process is still the same, and you get this notice: it says "Help to improve the ASA" and blah blah blah. We're going to type in "no"; we do not want to send anonymous error reporting back. We can change that if we want to with the call-home reporting anonymous command, if you want to do that. "Please remember to save your configuration. Thank you for letting us know." So, with that being said, now we need to first name it. I'm going to type in hostname, and it is going to be ASA2. That initially changes the configuration to ASA2, and now we have to go configure some things.

The first thing that I'm going to configure is the inside interface, which is going to be gig 0/1. Gig 0/1 happens to be our inside interface. I'm going to type in interface GigabitEthernet0/1, and I'm going to type in the ip address, and this guy is going to be 10.1.4.2/24. OK, then I have to no shut the interface, because if you look right up here, there are no interfaces up. We don't have to use the do command either; we can do a show interface ip brief, and now we can see that the interface has been configured but it hasn't been enabled, so let's do a no shut. Do that again, and now we're up/up. But there's one last step that we have to do, and if we look at the command, it's called show nameif. Right now the nameif command is going to be what we reference throughout the rest of the configuration in terms of mapping access lists and turning features on and things like that. You would give every interface on a firewall a specific name, so we would type in nameif inside in this case, for example. Now, because I'm using the term inside, the security level is set to a value of 100 by default.

Now, this was really tricky for me to understand the first time I played with an ASA. I was like, "What's a security level?" Well, if you've ever dealt with other platforms, say for example Juniper, Juniper has trust and untrust. The same logic can apply, where the trusted network is going to be the inside network and the untrusted network is going to be things like the Internet. Well, with the ASA, Cisco comes up with the security level concept in the nameif. Now, if we were to go to another interface, so for example interface gig 0/0, and type in ip address 102.0.0.2/24, type in no shut, and give it a nameif of outside, for example, this is what's going to happen: we're going to get a security level of 0 by default. Anything that's not labeled inside is going to be given a security level of 0. So if we do a show nameif we're going to see that the inside interface is gig 0/1 and we have a value of 100 for the security level; the outside interface is gig 0/0 and it's got a security level of 0.

Now, what's actually going to end up happening is there is a high-level security zone to low-level security zone flow that happens out of the gate, meaning if you have an inside interface with a security level of 100 and an outside interface with a security level of 0, then that's going to be a natural progression or a natural flow of data. You're going to have users on the inside trying to reach things on the outside, you know, the Internet, YouTube, research, whatever the case might be. You're definitely going to want to allow the communication from a high security level to a low security level to happen without any type of interference. Now, that's going to go from 100 to 99, 99 to 98, 98 to 97, so on and so forth. But if you have a scenario where you want to go from a low security level to a higher security level, for example outside to inside, that's still possible; you would just have to go in and create an access list to allow the traffic to flow from outside, or low, to a high security level in order for that communication to take place. We're going to take a look at that in upcoming videos when we start talking about how you do things like NAT on the ASA, or go from the DMZ to the inside, or something along those lines. Now, with that being said, here we have the inside interface set to a value of 100, and we have the outside set to a value of 0. Those are OK; I'm OK with that.

Now, in terms of the next steps that we need to go through, we can go and do the gig 0/2 interface. We'll type in interface gig 0/2, and we'll use the IP address of 10.2.10.10, because we connect to router two, much like this. I could use... let me just double-check with MPLS what the interfaces are: show ip interface brief, and on gig 0/2 I'm using .1, so I can go here and do .2/24, and I can say the nameif is going to be MPLS. Now it's set to zero, so that will allow us to do the intercommunication as we need it to, and things like that. So now we have that. If we do a show nameif we'll see that we have multiple interfaces, and both of the additional interfaces, outside and MPLS, have values of zero for their security levels. So that's pretty much the initial setup; that's the workflow that we need to be aware of.

Now, one of the things that we definitely need to be aware of from a routing perspective is that we need to be able to set up a static default route, or, depending on the situation, the ASA that we're running and the version of code that we're playing with (show version; we're running 9.1... 9.9 code, so it's relatively new code in terms of operations and capabilities), it's got some heft to it, right, and we have some options and capabilities that we can work with. But what we want to make sure we can do, in terms of how we operate, is make sure we can create a static default route. The version of code that we're running will support multiple routing protocols: we can run BGP, we can run EIGRP, OSPF, IS-IS, RIP; we can do all the different routing protocols on the ASA, obviously with limited functionality. That's OK, though; we're not looking for it to be the greatest thing since sliced bread, we just want it to be functional. So I can go in here and create a BGP peering to the MPLS router if I wanted to, or I can create a default route towards the Internet, which is what I want you guys to see.

Now, in order to set up a default route, you don't type in the ip route command, right? That command is not supported. In order to create a default route you type in route and then the interface that you want to send the traffic out of, in this case the outside interface, or gig 0/0, and you would specify what the forward network is going to be, in this case 0 0, and then you would have your next hop. In this case we're going to say 102... and I believe the Internet one should be on gig 0/...; we should have gig 0/... as 102.0.0.1. So if we go back over here and type in 102.0.0.1, there we have it. So if we do a show route, now I have a static default route in the routing table. If we do a show run route we can see that I have a static default route. If I wanted to send traffic through the ASA firewall, I could do that, and it would go out to the Internet, because that would be the gateway of last resort, and that would get us to where we want to go Internet-wise. Now, I could also do a BGP peering or something along those lines, but for right now I'm not going to do that.

Now, what are the other options that we can do? This is where, once you have some initial details configured, you want to be able to manage the ASA either out-of-band through the Management 0 interface, or in-band, meaning over the network. So I'm going to show you how to set up out-of-band management, because that's going to be what we use to actually work with the ASA firewall in some capacities. So, with that being said, let's go ahead and set up the management interface configuration. We're going to type in interface management 0/0, and here we're going to type in the ip address. We could use pretty much any address we want to; in this particular case I'm going to use the IP address of 10.255.1.32/24, and I'm going to hit the Enter key. I still need to do the no shut, and then the nameif is going to be MGMT, and there we go. So now I have that squared away. You'll notice the security level goes to zero as well for this interface, which is fine.

Now, in order for me to be able to reach the firewall, one of the things that I have to do is set up a static route towards it. So what I'm going to do is come in here and set up a continuous ping to 10.255.1.32. Let's see if I can't reach it... and right now I'm unable to do so. I'm going to move this over here. In order to set up connectivity to the ASA firewall out-of-band, I'm going to type in route MGMT, and then 10.255.10.0/24, out 10.255.10.1. As soon as I do that, in just a couple of seconds we should have ping replies start showing up in order to reach the connection. So what I should be able to do now that that's up and running, if we do a... I'm sorry, not that one, it's 1.1. So let's do a show run route. I'm going to get rid of this entry right here, because that's actually incorrect. So momentarily we should get a ping reply, and there we go. I had the wrong default gateway; that was my fault. So now we have ping replies.

Now, that's all well and great, but we won't actually be able to do anything with the connectivity until we do a little bit more to the firewall. The first thing I'm going to do is enable the HTTP server. So we do a show run http; you can see that HTTP is not enabled. So I have to type in http, and then I get to say server, and then enable, and then I hit the Enter key. I could change the SSL port that it listens on as well if I wanted to, but I'm not going to do that. Then I have to tell the ASA what specific networks you're going to allow to connect to the ASA. I'm going to type in http, and then this top line right here says the IP address of the host and/or network authorized to access the HTTP server, so I'm going to put in 10.255.0/24, and then which interface you want to allow it in on: you type in MGMT. So that allows that. So now I should be able to pull up an HTTP connection to the ASA. Now, that'll only get me access to the ASA; I still need to be authenticated to the ASA. So what I'm going to do is create a username with the name of rob and a privilege level of 15, and a password, and his password is cisco, privilege level 15. Then once I have that created I type in the AAA authentication; it's going to be for http, I need to specify console, and use the LOCAL database. Now, "console" is just a term; it's basically saying I'm going to be trying to connect to the ASA via its console line, but it doesn't necessarily mean the actual physical console cable. So there's that. So now I should be able to, if I wanted to, connect to the ASA, and everything should work that way.

Now, what I'm going to do, and one of the options that we have available to us... I've already done this, but if you were to open up an HTTP connection (show interface ip brief), open up a connection to 10.255.1.32, go ahead and cancel this ping, what you would end up seeing is a web browser pop up. Well, let's actually go ahead and do that real quick. Go ahead and pull up Firefox. So I'm on Firefox now; I can come in here and type in http:// and then 10.255.1.32, hit the Enter key, and here I am, brought to the ASA's web page. So I'm going to go ahead and click on it; I'm going to accept the risk, because I know that the ASA has a self-signed certificate that's being presented. If I wanted to install the ASDM, or the Adaptive Security Device Manager, I could do that. I've already got it ready to go, but I could run Java Web Start to run the ASDM from there. So that's a couple of options. If you want to install it, click on this, and it would actually download; if you look in the lower left-hand corner of your screen where it says dm-launcher.msi, it's actually going to install the ASDM from the ASA onto my PC. Now, I will tell you that this is a virtual ASA feature only, because what'll end up happening on a physical ASA is, if you don't have the ASDM binary files, or the actual package, then this will never ever happen. So make sure you have the ASDM already installed on the ASA in flash, so that you can allow people to download the ASDM in order to manage the firewall. So we're going to go ahead and just close out Firefox; we don't really need it now. Assuming that you've already pulled up the launcher, we have this, and I've already typed in the IP address, 10.255.1.32. I'm going to come down here, type in cisco, and I'm going to click on OK. Now what's going to end up happening is you're going to get this little pop-up; I'm going to say, "Yep, that's fine, continue," and then you're going to see the ASA software start to load, and we should be logged in here momentarily. And yep, it's popping up on another screen. We're going to go ahead, and this is the ASDM, and this is one way for you to manage the ASA if you'd like to do so.

Now, there are a few different reasons why you would use the ASDM for operations and stuff like that, but for right now we don't really need to worry about it too much, because at this point in time we're not doing anything crazy with it. But if we wanted to, we could. There are some specific things that we could use the ASDM for; we're not going to do that. I just wanted to show you how to gain access to the ASDM and things like that. But from that perspective, that's pretty much it, and that, ladies and gentlemen, is the end of the bootstrapping. Fairly straightforward: it gets you up and running, gets you a default route, things like that, and everybody is squared away. So if you have any questions or would like to see something else covered, let me know in the comment section down below, and until next time, guys, take it easy.
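The bootstrap the video walks through, collected into one paste-able ASA configuration in the same order (interfaces and nameif, default route, out-of-band management, HTTP/ASDM access, local AAA). This is an added example, not the video's own config output or anything from the channel. The hostname, interface addresses and the MGMT route are the ones spoken in the captions; the management station subnet 10.255.10.0/24 used in the http statement, the management-only line, the enable password, the asdm image path and the "no call-home reporting anonymous" form are assumptions and are marked as such in the comments. Two things the video does not do that a practitioner should: set an enable password (the empty one that lets you press Enter straight into privilege level 15 is the factory default), and keep the http statement scoped to the management network on the MGMT interface only rather than opening it on outside.

```cisco
! Added example: Cisco ASA initial bootstrap. Not the video's config.
! Lines marked ASSUMED are not taken from the captions.
hostname ASA2
! ASSUMED form of opting out of the anonymous reporting prompt shown at config entry.
no call-home reporting anonymous
!
! ASSUMED hardening: the factory enable password is empty, so set one before anything else.
enable password <strong-enable-password>
!
! Inside: the name "inside" gets security-level 100 automatically; stated explicitly here.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.4.2 255.255.255.0
 no shutdown
!
! Outside: any nameif other than "inside" defaults to security-level 0.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 102.0.0.2 255.255.255.0
 no shutdown
!
! MPLS-facing interface, also security-level 0. ASA uses .2; the MPLS router uses .1.
interface GigabitEthernet0/2
 nameif MPLS
 security-level 0
 ip address 10.2.10.2 255.255.255.0
 no shutdown
!
! Out-of-band management. ASSUMED: management-only keeps transit traffic off this interface.
interface Management0/0
 management-only
 nameif MGMT
 security-level 0
 ip address 10.255.1.32 255.255.255.0
 no shutdown
!
! Static routes use "route <nameif> <network> <mask> <next-hop>"; there is no "ip route".
! Default route toward the Internet via the outside interface.
route outside 0.0.0.0 0.0.0.0 102.0.0.1
! Return path for the management station's subnet, via the MGMT gateway 10.255.1.1
! (the video first used 10.255.10.1 by mistake and corrected it to 1.1).
route MGMT 10.255.10.0 255.255.255.0 10.255.1.1
!
! ASDM/HTTPS: enable the server, then restrict the allowed source network and the interface.
! ASSUMED source: the 10.255.10.0/24 subnet the management station pings from.
http server enable
http 10.255.10.0 255.255.255.0 MGMT
! ASSUMED path: on a physical ASA the ASDM package must already be in flash and referenced
! here, or the browser launch page cannot offer the installer.
asdm image disk0:/asdm-<version>.bin
!
! Local admin account and the AAA binding that makes the HTTP (ASDM) login use it.
! "console" is the AAA keyword for the management access method, not the serial port.
username rob password <strong-user-password> privilege 15
aaa authentication http console LOCAL
!
! ASSUMED extra: give SSH the same local authentication and the same source restriction.
aaa authentication ssh console LOCAL
ssh 10.255.10.0 255.255.255.0 MGMT
!
write memory
```

After pasting, the checks that correspond to the ones in the video are show nameif (inside at 100, outside/MPLS/MGMT at 0), show interface ip brief (all four interfaces up/up), show route (gateway of last resort via 102.0.0.1 and the 10.255.10.0/24 entry out MGMT), show run http and show run aaa for the management access lines, and show curpriv once you log back in to confirm you still land at privilege level 15 after the enable password is set.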
Info
Channel: Rob Riker's Tech Channel
Views: 13,373
Rating: 4.9203982 out of 5
Id: vqhSPb282oM
Length: 20min 27sec (1227 seconds)
Published: Mon Jan 06 2020