Networking, Security & Cloud Knowledge

Showing posts with label Security - Firewall.

Saturday, August 9, 2014

SETUP and Configure ASA 5520 on GNS3


ASA on GNS3 – STEP by STEP TUTORIAL

Requirement / system used:

Laptop & Desktop (Windows XP, dual core, 1 GB RAM, GNS3)


Software:

1.       GNS3: GNS3-0.8.7-all-in-one.exe

2.       Two files needed to run the ASA under GNS3 (Qemu): asa842-initrd.gz & asa842-vmlinuz

3.       ASA software: asa847-k8.bin

4.       ASDM: asdm-671.bin

5.       Java SE (JavaSetup7u65.exe), required to launch ASDM

6.       Settings for Qemu

a.      Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

b.      Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

Note: -m 1024 reserves 1 GB of RAM for the emulated ASA, so a host with only 1 GB will swap heavily; more host memory is strongly recommended.

*********************************************************************************
Setup diagram


Laptop 10.10.10.10 ---- gig0 (inside) 10.10.10.1 [ ASA ] gig1 (outside) 192.168.1.100 ---- Desktop 192.168.1.10


 Task 1: permit icmp from inside to outside

Ping from the inside (security level 100) to the outside (security level 0) is already permitted by the security levels, but without ICMP inspection the ASA keeps no state for ICMP, so the echo replies coming back in on the outside interface are dropped unless an access list permits them. Enabling the icmp inspection engine makes the ASA track each echo request and allow only the matching reply back in.

 CLI:
class-map icmp
   match default-inspection-traffic
policy-map inside-policy
   class icmp
      inspect icmp
service-policy inside-policy interface inside

Note: only one service policy can be applied per interface; the global policy (global_policy in the default configuration) still applies to features that the interface policy does not configure.

GUI: Configuration > Firewall > Service Policy Rules
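The more common way to get the same result is to add ICMP inspection to the default global policy so that it applies on every interface, and then to check the result with packet-tracer and the connection table. This is an added example, not configuration from the original post; the names global_policy and inspection_default are the ASA factory defaults, and the addresses are the lab addresses from the diagram above.

```cisco
! Added example (not from the original post): enable ICMP inspection in the
! default global policy instead of a per-interface policy. global_policy and
! inspection_default are the ASA factory-default names.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Confirm the policy is active and that inspect icmp shows packet counters
show service-policy global
!
! Simulate an echo request from the laptop to the desktop; the trace lists
! every phase (route lookup, ACL, NAT, inspect) and the last lines must read
! "Action: allow" with output-interface outside
packet-tracer input inside icmp 10.10.10.10 8 0 192.168.1.10 detailed
!
! While a ping is running from the laptop, the inspected ICMP flow is visible
! in the connection table; without inspection no entry appears here
show conn protocol icmp
```

If packet-tracer ends with "Action: drop", the phase just before the drop names the reason (for example an ACL on the outside interface or a missing route), which is faster than reading the whole running configuration.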



*********************************************************************************
 Task 2: NAT the inside host with a static NAT (global IP 20.20.20.20)

 CLI:
 no access-group outside_access_in in interface outside
 (removes any access list already bound to the outside interface so that it does not interfere with the test; Task 3 binds a new one)

object network DESKTOP
      host 192.168.1.10

object network LAPTOP
      host 10.10.10.10

object network NATPOOL20
       host 20.20.20.20

 nat (inside,outside) 1 source static LAPTOP NATPOOL20 destination static DESKTOP DESKTOP

 Note: the number after nat (1 = <1-2147483647>) is the position of the rule within section 1, the manual NAT rules that are evaluated before the auto (object) NAT section. This is a twice NAT rule: the laptop appears as 20.20.20.20 only when it talks to DESKTOP, and DESKTOP is left untranslated (mapped to itself).

verification:



GUI: Configuration > Firewall > NAT Rules > Add


******************************************************************************
Task 3: permit ping from the outside host (192.168.1.10) to the inside host (NAT address 20.20.20.20)

Because this ASA runs 8.4 (post-8.3 NAT), an access list on the outside interface matches the real (untranslated) inside address, not the mapped one, so the rule below permits traffic to LAPTOP (10.10.10.10) even though the desktop pings 20.20.20.20. "permit ip" allows every protocol from DESKTOP to LAPTOP; for a lab that is fine, but in production narrow it to what is required (for ping, icmp echo).

CLI:
object network DESKTOP
       host 192.168.1.10

object network LAPTOP
       host 10.10.10.10

access-list outside_access_in line 1 remark Allow ping from outside 192.168.1.10 to inside 10.10.10.10
access-list outside_access_in line 2 extended permit ip object DESKTOP object LAPTOP
access-group outside_access_in in interface outside

GUI: Configuration > Firewall > Access Rules > Add
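Tasks 2 and 3 together, with the outside rule narrowed to ICMP echo only and followed by the commands used to verify the NAT and the access list. This is an added example, not configuration from the original post; the object names, addresses and the access-list name outside_access_in are the ones used on this page.

```cisco
! Added example (not from the original post): Task 2 + Task 3 with a
! least-privilege outside rule, then verification. Names and addresses
! are the ones used in the lab above.
object network LAPTOP
 host 10.10.10.10
object network DESKTOP
 host 192.168.1.10
object network NATPOOL20
 host 20.20.20.20
!
! Twice NAT (section 1): LAPTOP is seen as 20.20.20.20 only by DESKTOP
nat (inside,outside) 1 source static LAPTOP NATPOOL20 destination static DESKTOP DESKTOP
!
! Post-8.3 the ACL matches the real address (LAPTOP), not the mapped 20.20.20.20.
! Only echo requests are allowed in; the replies are handled by ICMP inspection (Task 1)
access-list outside_access_in extended permit icmp object DESKTOP object LAPTOP echo
access-group outside_access_in in interface outside
!
! Verification: the rule, its translation counters and the active translations
show nat detail
show xlate
!
! Trace an echo request arriving on the outside for the mapped address. The
! output shows the UN-NAT phase mapping 20.20.20.20 back to 10.10.10.10, the
! ACCESS-LIST phase matching outside_access_in, and must end with "Action: allow"
packet-tracer input outside icmp 192.168.1.10 8 0 20.20.20.20 detailed
!
! Trace the opposite direction; the NAT phase must show the source as 20.20.20.20
packet-tracer input inside icmp 10.10.10.10 8 0 192.168.1.10
!
! Hit counts per ACE after a few pings from the desktop
show access-list outside_access_in
```

If the outside trace is dropped in the ACL phase, the usual cause is an access list written against the mapped address (pre-8.3 style); on 8.3 and later the rule must name the real inside address.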




**********************************************************************************

Tuesday, February 28, 2012

029 - Configuring Cisco ASA 5505

Configuration example Cisco ASA 5505
Description:
The device has eight 10/100 Ethernet ports, E0/0 to E0/7; the last two, E0/6 & E0/7, are PoE.




Licensing:

  • Base License
    • 3 VLANs
    • Supports three security zones (inside, outside, dmz), but the third VLAN is restricted: it cannot initiate traffic to one of the other two VLANs
      (Note: with the restriction placed on the DMZ, the inside VLAN may open connections to the DMZ and the return traffic for those connections is allowed, but the DMZ cannot open connections to the inside.)
    • No failover redundancy

  • Security Plus License
    • Up to 20 VLANs
    • Failover redundancy (Active/Standby)


To verify the serial number and license type of the ASA 5505

ciscoasa# show activation-key
Serial Number: XXXXXXXXXXX
Running Permanent Activation Key: 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.

Clear the configuration on the ASA 5505 (erases the startup configuration; takes effect after a reload)
ASA5505# write erase

Reset the ASA 5505 to the factory default configuration (replaces the running configuration; save with write memory if it should survive a reload)
ASA5505(config)# configure factory-default

Note: factory default settings
  • DHCP server is enabled on the inside interface
  • Preconfigured with two VLANs:
    • Vlan 1 - switch ports E0/1 - E0/7 (inside, trusted interface)
    • Vlan 2 - switch port E0/0 (outside, untrusted interface)
  • Inside IP address is 192.168.1.1


To set the privileged-level (enable) password
ASA5505(config)# enable password mysecretpassword

Configure the private inside interface
(The factory default configuration has a DHCP pool bound to the inside interface in 192.168.1.0/24; remove it with clear configure dhcpd before re-addressing vlan 1, and recreate the pool in the new subnet afterwards.)
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 10.0.0.1 255.255.255.0

ASA5505(config)# interface e0/1
ASA5505(config-if)# switchport access vlan 1

Configure the public outside interface
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0

ASA5505(config)# interface e0/0
ASA5505(config-if)# switchport access vlan 2

Configure the DMZ interface (Base license: the third VLAN must be created with the forwarding restriction before it can be named; the DMZ uses 172.16.0.0/24, which is RFC 1918 space, rather than 172.10.0.0/24, which is public address space)
ASA5505(config)# interface vlan 3
ASA5505(config-if)# no forward interface vlan 1
ASA5505(config-if)# nameif dmz
ASA5505(config-if)# security-level 50
ASA5505(config-if)# ip address 172.16.0.1 255.255.255.0

ASA5505(config)# interface e0/2
ASA5505(config-if)# switchport access vlan 3

If the ISP provides the IP address of the outside interface by DHCP, configure it as follows:
interface vlan 2
 nameif outside
 security-level 0
 ip address dhcp setroute

Note: ip address dhcp setroute obtains the address by DHCP and also installs the default route via the default router offered in the lease. Do not configure a static default route to the ISP at the same time.

interface e0/0
  switchport access vlan 2

To enable management access (ASDM over HTTPS) to the ASA from the internal subnet 10.0.0.0/24 only
http server enable
http 10.0.0.0 255.255.255.0 inside

Static routes
The subnets configured on the inside, outside and dmz VLAN interfaces (10.0.0.0/24, 192.168.1.0/24 and 172.16.0.0/24) are directly connected, so they need no static route. A static route is only needed for a subnet behind another router. The syntax is route <interface name> <network> <mask> <next-hop IP>; the next hop must be an address on that interface's subnet, not a port name. For example, for a subnet 10.10.10.0/24 behind an internal router at 10.0.0.2 (router address assumed for illustration):
route inside 10.10.10.0 255.255.255.0 10.0.0.2

Configure the default route to reach the outside (Internet), where 192.168.1.2 is the ISP gateway
route outside 0.0.0.0 0.0.0.0 192.168.1.2

A static route for the DMZ is likewise only required for a network behind a router in the DMZ, for example 172.16.1.0/24 via a DMZ router at 172.16.0.2 (addresses assumed for illustration)
route dmz 172.16.1.0 255.255.255.0 172.16.0.2

To configure a DHCP pool for the inside subnet (the pool must lie within the subnet of the interface it is bound to, here 10.0.0.0/24; the Base license counts only 10 inside hosts, so a larger pool does not buy more concurrent clients)
dhcpd address 10.0.0.2-10.0.0.50 inside
dhcpd enable inside
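The http commands above open ASDM to the whole inside subnet with the shared enable password as the only credential. The following is an added example, not configuration from the original post, showing the management-plane settings a practitioner would add on top of it: a local administrator account, authentication of ASDM, SSH and enable against that account, SSH version 2 restricted to the inside subnet with an idle timeout, and local logging. The hostname, domain name, username and password value are assumptions; replace them.

```cisco
! Added example (not from the original post): hardened management access for
! the 10.0.0.0/24 inside subnet used on this page. hostname, domain-name,
! the username and the password value are placeholders.
hostname ASA5505
domain-name lab.example
!
! Local administrator; the ASA stores the password hashed
username admin password Str0ng-Passw0rd-Here privilege 15
!
! ASDM (HTTPS), SSH and "enable" all authenticate against the local database,
! so the shared enable password is no longer the only gate
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! ASDM only from the inside subnet
http server enable
http 10.0.0.0 255.255.255.0 inside
!
! RSA key for SSH, then SSH version 2 only, from the inside subnet only,
! with a 10 minute idle timeout
crypto key generate rsa modulus 2048
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
!
! Keep a local log of logins and configuration changes
logging enable
logging buffered informational
!
! Verify: the only management listeners are HTTPS and SSH from the inside
! subnet, and the local account exists
show running-config ssh
show running-config http
show running-config username
```

Telnet is not enabled here at all; the ASA refuses telnet on the lowest-security interface anyway, and there is no reason to carry credentials in clear text on the inside either.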

Sunday, February 26, 2012

028 Password Recovery CISCO ASA 5505 Security Appliance

Password Recovery procedure for Cisco ASA 5505 Security Appliance.


1. Power-cycle the security appliance by unplugging and plugging in the power cable.
2. Press Esc during boot to interrupt the boot process and enter ROM Monitor mode.
      You will see the rommon prompt (rommon #0>).
3. Enter the confreg command to view the current configuration register setting:
                  rommon #0> confreg
4. The current configuration register should be the default of 0x01 (displayed as 0x00000001). The security appliance asks whether you want to make changes to the configuration register; answer no.
5. Change the configuration register to 0x41, which tells the appliance to ignore its saved (startup) configuration on boot:
                  rommon #1> confreg 0x41
6. Restart the appliance with the boot command:
                  rommon #2> boot
7. The security appliance ignores the saved configuration; once it has booted, the User Mode prompt appears:
 ciscoasa>
8. Enter the enable command to enter Privileged Mode. When the appliance prompts for a password, just press Enter (the password is empty):
ciscoasa> enable
Password:
ciscoasa#
9. Copy the startup configuration into the running configuration, so that everything except the password is restored:
ciscoasa# copy startup-config running-config
10. Change the Privileged Mode password (abcd is only a placeholder; choose a strong one):
asa# conf t
asa(config)# enable password abcd
11. Change the configuration register back to the default of 0x01 so that the ASA reads its startup configuration on boot:
asa(config)# config-register 0x01
12. Verify the configuration change:
asa(config)# exit
asa# show version
Note: at the bottom of the show version output you should see: Configuration register is 0x41 (will be 0x1 at next reload)
13. Save the current configuration:
asa# copy run start
Source filename [running-config]?
14. Reload the security appliance:
asa# reload
System config has been modified. Save? [Y]es/[N]o: yes
Cryptochecksum: XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX

2149 bytes copied in 1.480 secs (2149 bytes/sec)
Proceed with reload? [confirm]

Note: this procedure needs nothing but console access, so anyone who can reach the console port can take over the appliance and read its full configuration, including VPN pre-shared keys and any local user passwords. Treat a recovered appliance as compromised until the enable password, all local user passwords and the pre-shared keys have been changed, and keep the device in a locked rack. Password recovery can be disabled with no service password-recovery: with it disabled, the ASA prompts to erase the flash file system before it allows entry into ROMMON, so a forgotten password still locks you out of the saved configuration but no longer exposes it.
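The counterpart to the recovery procedure above is turning it off once the device is in production, after taking a configuration backup so that a forgotten password means a restore rather than a rebuild. This is an added example, not part of the original post; the hostname asa is taken from the prompts above, and the TFTP server address and file name are assumptions.

```cisco
! Added example (not from the original post): disable the ROMMON password
! recovery path and verify the state afterwards. 10.0.0.50 and the file name
! are placeholders for a TFTP server on the inside subnet.
!
! Back the configuration up first: with recovery disabled, a lost password
! means the flash file system is erased before ROMMON can be entered
asa# copy running-config tftp://10.0.0.50/asa-backup.cfg
!
asa# configure terminal
asa(config)# no service password-recovery
asa(config)# exit
!
! The setting lives in the startup configuration, so it must be saved
asa# write memory
!
! Verify: the register should read 0x1 (startup config is honoured on boot)
! and the recovery setting must be present in the saved configuration
asa# show version | include Configuration register
asa# show running-config | include password-recovery
asa# show startup-config | include password-recovery
```

Both show commands should print "no service password-recovery"; if the startup-config line is missing, the setting has not been saved and a reload would silently re-enable recovery.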