Pinging ASA Interfaces

Source: Pinging ASA Interfaces


Cisco ASA Basic Configuration

This is a base configuration template that you can use as a starting point when building your Cisco ASA firewalls. Enjoy!

!
username admin password mypassword privilege 15
hostname <hostname>
!
enable password mypassword
!
clock timezone GMT/BST 0
clock summer-time BST recurring 1 Sun Apr 3:00 last Sun Oct 2:00
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address x.x.x.x x.x.x.x
!
interface Management0/0
nameif management
security-level 100
ip address x.x.x.x
management-only
!
pager lines 24
logging enable
logging timestamp
logging standby
logging buffered informational
logging trap informational
logging asdm informational
logging facility 23
logging queue 250
!
logging host management x.x.x.x
!

logging host inside x.x.x.x
!
mtu inside 1500
mtu management 1500
mtu outside 1500
!
route management x.x.x.x x.x.x.x 
route inside x.x.x.x x.x.x.x 
!
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host x.x.x.x
 key mytacacskey
aaa-server TACACS+ (management) host x.x.x.x
 key mytacacskey
!
aaa authentication ssh console TACACS+ 
aaa authentication telnet console TACACS+ 
aaa authentication http console TACACS+ 
aaa authentication serial console TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
aaa accounting serial console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+

or

aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+ LOCAL
aaa accounting enable console TACACS+ LOCAL
aaa accounting serial console LOCAL
aaa accounting ssh console TACACS+ LOCAL

snmp-server host inside x.x.x.x community 

or

snmp-server host inside x.x.x.x
snmp-server community 
snmp-server location 
snmp-server contact 
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
!
policy-map global_policy
class inspection_default
inspect icmp
!
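Before pushing a template like the one above, it is worth running a quick audit over it for the management-plane settings that matter: logging on and shipped off-box, AAA on every access method, no placeholder passwords left behind, and an SNMP community that is actually set. The script below is an added example, not part of the original page; the sample configuration it audits is a constructed copy of the relevant template lines, and the weak-password list and rule set are my own choices.

```python
"""Audit a Cisco ASA base configuration for the management-plane settings the
template sets. Added example, not from the original page; SAMPLE_CONFIG is a
constructed copy of the template lines and WEAK_PASSWORDS is a constructed list."""
import re

SAMPLE_CONFIG = """\
username admin password mypassword privilege 15
enable password mypassword
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging host management x.x.x.x
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host x.x.x.x
aaa authentication ssh console TACACS+
aaa authentication http console TACACS+
aaa authentication serial console TACACS+ LOCAL
aaa accounting command TACACS+
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
policy-map global_policy
class inspection_default
inspect icmp
"""

# Same template with the placeholders replaced and enable-mode AAA added.
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace("snmp-server community", "snmp-server community S3cret-Str1ng")
    .replace("mypassword", "Tr0ub4dor&3")
    + "aaa authentication enable console TACACS+ LOCAL\n"
)

WEAK_PASSWORDS = {"mypassword", "cisco", "cisco123", "password", "admin"}
REQUIRED_AUTH = ("ssh", "http", "serial", "enable")


def audit_asa_config(text):
    """Return a list of (severity, message) findings for an ASA running-config."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []

    # 1. Logging must be enabled, timestamped and sent to a syslog host.
    if "logging enable" not in lines:
        findings.append(("high", "logging is not enabled"))
    if not any(l.startswith("logging host ") for l in lines):
        findings.append(("medium", "no syslog host configured; logs stay on the box"))
    if "logging timestamp" not in lines:
        findings.append(("low", "syslog messages are not timestamped"))

    # 2. Every management access method, including enable mode, goes through AAA.
    for method in REQUIRED_AUTH:
        if not any(l.startswith(f"aaa authentication {method} console") for l in lines):
            findings.append(("high", f"no AAA authentication for {method} access"))
    # Telnet is cleartext; AAA for it implies it is in use.
    if any(l.startswith("aaa authentication telnet") for l in lines):
        findings.append(("medium", "telnet authentication configured; prefer SSH-only management"))
    if not any(l.startswith("aaa accounting command") for l in lines):
        findings.append(("low", "command accounting not configured"))

    # 3. Placeholder or well-known passwords left in the template.
    for l in lines:
        m = re.match(r"(?:enable password|username \S+ password) (\S+)", l)
        if m and m.group(1).lower() in WEAK_PASSWORDS:
            findings.append(("high", f"weak/placeholder password in: {l}"))

    # 4. SNMP community must be present and not a default string.
    for l in lines:
        if l.startswith("snmp-server community") or " community " in l:
            parts = l.split()
            idx = parts.index("community")
            value = parts[idx + 1] if len(parts) > idx + 1 else ""
            if value == "" or value.lower() in {"public", "private"}:
                findings.append(("high", f"SNMP community missing or default in: {l}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("template", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit_asa_config(cfg))} finding(s)")
        for severity, msg in audit_asa_config(cfg):
            print(f"  [{severity}] {msg}")
```

On the template as written the audit reports four high findings (no enable-mode AAA, the two placeholder passwords, and the empty SNMP community); the hardened copy reports none.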

TCP Handshake as seen from ASA

When troubleshooting connection timeout problems on a Cisco ASA, there are a few things you need to look at if you want to investigate in more detail, such as the TCP handshake messages below. You may have syslog enabled on the firewall, which can give you a clue about what is actually going on. But looking at the firewall in real time shows you which TCP (or even UDP) sessions are open, active or inactive.

Take a look at each flag and root-cause the timeouts from there.

[Image: TCP ASA Messages.png]
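The real-time view mentioned above is `show conn`, and the handshake state is in the flags column. The script below is an added example, not from the original page: it classifies `show conn` lines as established or half-open using the flag meanings from the legend the ASA prints with `show conn detail`, and counts half-open flows per server so you can see whether a timeout is one server (or the path to it) or one client. The sample lines are constructed, and the 30-second embryonic timeout is the ASA default I assume here.

```python
"""Classify Cisco ASA 'show conn' lines by handshake state. Added example, not
from the original page; flag meanings follow the 'show conn detail' legend,
the sample lines are constructed."""
import re

FLAG_LEGEND = {
    "U": "up (three-way handshake complete)",
    "I": "inbound data seen",
    "O": "outbound data seen",
    "s": "awaiting outside SYN",
    "S": "awaiting inside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "B": "initial SYN from outside",
}
EMBRYONIC_TIMEOUT = 30  # assumed ASA default embryonic-connection timeout, seconds

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<oif>\S+) (?P<oip>[\d.]+):(?P<oport>\d+) "
    r"(?P<iif>\S+) (?P<iip>[\d.]+):(?P<iport>\d+), idle (?P<idle>\d+:\d+:\d+), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)


def idle_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def classify(line):
    """Return a dict describing one connection line, or None if it does not parse."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    flags = d["flags"]
    d["idle_s"] = idle_seconds(d["idle"])
    d["meaning"] = [FLAG_LEGEND[f] for f in flags if f in FLAG_LEGEND]
    if d["proto"] != "TCP":
        d["state"] = "udp"
    elif "U" in flags:
        d["state"] = "established"
    elif "B" in flags or "S" in flags:
        d["state"] = "half-open, outside-initiated"
    else:
        d["state"] = "half-open, inside-initiated"
    # A half-open flow idle past the embryonic timeout is about to be torn down.
    d["stale"] = d["state"].startswith("half-open") and d["idle_s"] >= EMBRYONIC_TIMEOUT
    return d


def half_open_by_server(lines):
    """Count half-open TCP flows per outside endpoint. Many against one server
    point at that server or the path to it; many from one client, at the client."""
    counts = {}
    for line in lines:
        c = classify(line)
        if c and c["state"].startswith("half-open"):
            key = f'{c["oip"]}:{c["oport"]}'
            counts[key] = counts.get(key, 0) + 1
    return counts


SAMPLE_SHOW_CONN = [  # constructed sample output
    "TCP outside 198.51.100.10:443 inside 10.10.10.7:51522, idle 0:00:02, bytes 0, flags saA",
    "TCP outside 198.51.100.10:443 inside 10.10.10.8:51530, idle 0:00:10, bytes 18342, flags UIO",
    "TCP outside 198.51.100.10:443 inside 10.10.10.9:51544, idle 0:00:41, bytes 0, flags saA",
    "UDP outside 8.8.8.8:53 inside 10.10.10.9:40001, idle 0:00:01, bytes 84, flags -",
]

if __name__ == "__main__":
    for line in SAMPLE_SHOW_CONN:
        c = classify(line)
        print(f'{c["proto"]} {c["iip"]}:{c["iport"]} -> {c["oip"]}:{c["oport"]}: '
              f'{c["state"]} (idle {c["idle_s"]}s, stale={c["stale"]}) {c["meaning"]}')
    print(half_open_by_server(SAMPLE_SHOW_CONN))
```

A flow showing `saA` with zero bytes means the inside host sent its SYN and the firewall is still waiting for the SYN/ACK from the outside; if several of those pile up against the same server while other clients show `UIO`, the problem is on the server side of the firewall, not in the ASA.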

Internet Access Firewall Cisco ASA

In this tutorial, I am going to show how you can set up the Cisco ASA to allow internet access for the LAN behind it. Our lab topology looks like the following:

[Image: Untitled.png]

Configure the untrusted and trusted networks as follows:

!
 interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 172.16.1.3 255.255.255.248
 !
 interface GigabitEthernet0/2
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.224
 !

Set up a network object named ANY covering every address, to represent any traffic coming from the LAN interface of the firewall (the interface named inside), and translate it to the outside interface address. The object needs a subnet definition, otherwise the NAT rule matches nothing:

!
 object network ANY
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
 !

Set up a default route pointing to the VRRP interface of the PE router:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

Enable DHCP so that any device connected to the inside interface gets an IP address automatically:

dhcpd dns 8.8.8.8 9.9.9.9
 !
 dhcpd address 10.10.10.5-10.10.10.30 inside
 dhcpd enable inside
 !
 dhcprelay timeout 60
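The three pieces above (interface addresses, default route, DHCP pool and the NAT object) have to agree with each other, and the mistakes are easy to make: a pool that spills outside the inside subnet, a gateway that is not on the outside subnet, or a NAT object with no subnet. The checker below is an added example, not from the original page; it parses only the commands this tutorial uses and the two sample configs are constructed, the second one deliberately broken.

```python
"""Consistency checks for the internet-access configuration above. Added
example, not from the original page; the parser covers only the commands used
in this tutorial and the sample configs are constructed."""
import ipaddress

GOOD_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.3 255.255.255.248
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.224
object network ANY
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
dhcpd address 10.10.10.5-10.10.10.30 inside
"""

# Same topology with two mistakes: pool spills past the /27 and ANY has no subnet.
BAD_CONFIG = GOOD_CONFIG.replace("10.10.10.30", "10.10.10.40").replace(" subnet 0.0.0.0 0.0.0.0\n", "")


def parse_asa_snippet(text):
    cfg = {"interfaces": {}, "routes": [], "dhcp_pools": [], "objects": {}}
    cur_if = cur_obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            cur_if, cur_obj = line.split(None, 1)[1], None
            cfg["interfaces"][cur_if] = {}
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
            cfg["objects"][cur_obj] = {}
        elif cur_if and line.startswith("nameif "):
            cfg["interfaces"][cur_if]["nameif"] = line.split()[1]
        elif cur_if and line.startswith("security-level "):
            cfg["interfaces"][cur_if]["level"] = int(line.split()[1])
        elif cur_if and line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]
            cfg["interfaces"][cur_if]["addr"] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif cur_obj and line.startswith(("subnet ", "host ", "range ")):
            cfg["objects"][cur_obj]["addr"] = line
        elif cur_obj and line.startswith("nat "):
            cfg["objects"][cur_obj]["nat"] = line
        elif line.startswith("route "):
            _, nameif, dst, mask, gw = line.split()[:5]
            cfg["routes"].append((nameif, ipaddress.ip_network(f"{dst}/{mask}"), ipaddress.ip_address(gw)))
        elif line.startswith("dhcpd address "):
            rng, nameif = line.split()[2], line.split()[3]
            lo, hi = rng.split("-")
            cfg["dhcp_pools"].append((nameif, ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return cfg


def validate(cfg):
    """Return a list of human-readable problems; empty means the config is consistent."""
    problems = []
    by_name = {v["nameif"]: v for v in cfg["interfaces"].values() if "nameif" in v}
    inside, outside = by_name.get("inside"), by_name.get("outside")
    if inside and outside and not inside["level"] > outside["level"]:
        problems.append("inside security-level must be higher than outside")
    for nameif, _dst, gw in cfg["routes"]:
        iface = by_name.get(nameif)
        if iface and gw not in iface["addr"].network:
            problems.append(f"route via {gw} is not on the {nameif} subnet {iface['addr'].network}")
    for nameif, lo, hi in cfg["dhcp_pools"]:
        iface = by_name.get(nameif)
        if not iface:
            problems.append(f"dhcpd pool references unknown interface {nameif}")
            continue
        net = iface["addr"].network
        if lo > hi:
            problems.append(f"dhcpd pool {lo}-{hi} is reversed")
        if lo not in net or hi not in net:
            problems.append(f"dhcpd pool {lo}-{hi} is outside {nameif} subnet {net}")
        elif lo <= iface["addr"].ip <= hi:
            problems.append(f"dhcpd pool {lo}-{hi} includes the {nameif} interface address")
        if lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"dhcpd pool {lo}-{hi} hands out the network or broadcast address")
    for name, obj in cfg["objects"].items():
        if "nat" in obj and "addr" not in obj:
            problems.append(f"object network {name} has a nat rule but no subnet/host/range, so it matches nothing")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate(parse_asa_snippet(text)) or "OK")
```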

Cisco ASA Delete and Create Context

Log in to the firewall as an administrator. You will land in the admin context. You need to change to the system context to make these changes.

 conf t
 changeto system
 !
 !

Now that you are in the system context, delete the old context as follows:

!
 no context mycontext-100
 delete disk0:/mycontext-100.cfg
 !

Then remove the sub-interfaces that were assigned to the context you deleted in the step above:

 !
 no interface TenGigabitEthernet0/9.3201
 no interface TenGigabitEthernet0/9.3202
 !

Now re-create the sub-interfaces with the new VLAN numbers:

 !
 interface TenGigabitEthernet0/9.1201
 vlan 1201
 !
 interface TenGigabitEthernet0/9.1202
 vlan 1202
 !

Now create the new context and allocate the sub-interfaces to it:

!
 context mynewcontext-200
 allocate-interface Management0/0
 allocate-interface TenGigabitEthernet0/9.1201
 allocate-interface TenGigabitEthernet0/9.1202
 config-url disk0:/mynewcontext-200.cfg
 !

Now change into the new context and apply the required configuration (the enable password is entered in clear text; the ASA stores it hashed):

 !
 changeto context mynewcontext-200
 enable password Cisco123
 !
 interface TenGigabitEthernet0/9.1201
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.240 standby 1.1.1.2
 !
 interface TenGigabitEthernet0/9.1202
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.248 standby 10.1.1.2
 !

Configure Cisco Active/Standby Failover

This is very simple to configure, but in a production environment secure a maintenance window, take a configuration backup and verify the patching beforehand. The following steps are involved:

1. Set up the failover interface on the Primary ASA

Execute the following commands to bring up port 0/3 as the failover LAN interface on the primary unit. This is the link between the primary and secondary firewalls that carries all the information the secondary unit needs to take over in case of failure, including the session table.

enable
 config t
 interface gigabitEthernet 0/3
 description LAN Failover Interface
 no shutdown

2. Assign the failover IP address on the Primary ASA using the LANFAIL link

failover lan unit primary
 failover lan interface LANFAIL gigabitethernet 0/3
 failover link LANFAIL gigabitethernet 0/3
 failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2

3. Assign the external IP address on the Primary ASA

config t
 interface gigabitEthernet 0/0
 ip address 10.141.144.228 255.255.255.248 standby 10.141.144.229
 exit

4. Assign the internal IP address on the Primary ASA, then enable failover

interface gigabitEthernet 0/1
ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
exit
failover
monitor-interface MGT
monitor-interface DMZ

Secondary Firewall
==================

failover lan unit secondary
 failover lan interface LANFAIL gigabitethernet 0/3
 failover link LANFAIL gigabitethernet 0/3
 failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
 failover
 interface gigabitEthernet 0/3
 no shutdown

Don't forget to work out a back-out plan, just in case. It is always good to write it down beforehand.

BACKOUT

  1. On the Primary firewall:
enable
 config t
 interface gigabitEthernet 0/3
 shutdown
 !
 no failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
 no failover link LANFAIL gigabitethernet 0/3
 no failover lan interface LANFAIL gigabitethernet 0/3
 no failover lan unit primary
 !
 interface gigabitEthernet 0/0
 no ip address 10.141.144.228 255.255.255.248 standby 10.141.144.229
 ip address 10.141.144.228 255.255.255.248
 !
 interface gigabitEthernet 0/1
 no ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
 ip address 192.168.1.2 255.255.255.0
 !
 no failover
 no monitor-interface MGT
 no monitor-interface DMZ

Secondary Firewall

 no failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2
 no failover link LANFAIL gigabitethernet 0/3
 no failover lan interface LANFAIL gigabitethernet 0/3
 no failover lan unit secondary

interface gigabitEthernet 0/3
 shutdown
 no failover
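A back-out plan written by hand can drift from the change it is meant to undo. The script below is an added example, not from the original page: it derives the back-out commands from the forward change set, undoing the commands in reverse order (so `no failover` comes first and the failover link is shut last, which is the opposite order to the manual plan above) and restoring each interface's address without its standby address. The forward command list is a constructed copy of the primary-unit steps; the `undo` rules only cover the command forms used in those steps.

```python
"""Generate an ASA failover back-out plan from the forward change set.
Added example, not from the original page; PRIMARY_FORWARD is a constructed
copy of the primary-unit steps and the undo rules cover only those commands."""
import re

PRIMARY_FORWARD = [
    "interface gigabitEthernet 0/3",
    "description LAN Failover Interface",
    "no shutdown",
    "exit",
    "failover lan unit primary",
    "failover lan interface LANFAIL gigabitethernet 0/3",
    "failover link LANFAIL gigabitethernet 0/3",
    "failover interface ip LANFAIL 172.31.1.1 255.255.255.0 standby 172.31.1.2",
    "interface gigabitEthernet 0/0",
    "ip address 10.141.144.228 255.255.255.248 standby 10.141.144.229",
    "exit",
    "interface gigabitEthernet 0/1",
    "ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3",
    "exit",
    "failover",
    "monitor-interface MGT",
    "monitor-interface DMZ",
]


def undo(cmd):
    """Return the command(s) that reverse one forward command."""
    if cmd == "no shutdown":
        return ["shutdown"]
    if cmd.startswith("description "):
        return ["no description"]
    m = re.match(r"ip address (\S+) (\S+) standby \S+$", cmd)
    if m:
        # Drop the standby form, then put the plain (non-failover) address back.
        return [f"no {cmd}", f"ip address {m.group(1)} {m.group(2)}"]
    return [f"no {cmd}"]


def backout_plan(forward):
    """Group the forward commands into interface/global blocks and undo them in reverse."""
    blocks, current = [], None
    for cmd in (c.strip() for c in forward):
        if not cmd or cmd in ("enable", "config t", "!"):
            continue
        if cmd == "exit":
            current = None
            continue
        if cmd.startswith("interface "):
            current = cmd
            blocks.append((current, []))
            continue
        if current is None:
            blocks.append((None, [cmd]))
        else:
            blocks[-1][1].append(cmd)

    plan = []
    for iface, cmds in reversed(blocks):
        if iface:
            plan.append(iface)
        for cmd in reversed(cmds):
            plan.extend(undo(cmd))
        if iface:
            plan.append("exit")
    return plan


if __name__ == "__main__":
    print("\n".join(backout_plan(PRIMARY_FORWARD)))
```

Run the same function over the secondary unit's command list (with `failover lan unit secondary`) to get its back-out, and keep both outputs with the change ticket.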

Cisco ASA Licence upgrade

Check the existing licences on your firewall:

#show ver

...

Licensed features for this platform:
 Maximum Physical Interfaces : Unlimited perpetual
 Maximum VLANs : 50 perpetual
 Inside Hosts : Unlimited perpetual
 Failover : Disabled perpetual
 Encryption-DES : Enabled perpetual
 Encryption-3DES-AES : Enabled perpetual
 Security Contexts : 0 perpetual
 GTP/GPRS : Disabled perpetual
 AnyConnect Premium Peers : 2 perpetual
 AnyConnect Essentials : Disabled perpetual
 Other VPN Peers : 250 perpetual
 Total VPN Peers : 250 perpetual
 Shared License : Disabled perpetual
 AnyConnect for Mobile : Disabled perpetual
 AnyConnect for Cisco VPN Phone : Disabled perpetual
 Advanced Endpoint Assessment : Disabled perpetual
 UC Phone Proxy Sessions : 2 perpetual
 Total UC Proxy Sessions : 2 perpetual
 Botnet Traffic Filter : Disabled perpetual
 Intercompany Media Engine : Disabled perpetual
 IPS Module : Disabled perpetual
 Cluster : Disabled perpetual

This platform has a Base license.

Serial Number: FCHS208DWST
 Running Permanent Activation Key: 0x20dfsdf 0x48dfsf 0x3sdfdf 0xegfdg 0xsdfdff
 Configuration register is 0x1

!
 !
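The licence block above is worth reading before you attempt the failover or context steps from the earlier sections: this unit shows `Failover : Disabled` and `Security Contexts : 0`, so neither would have worked until the key was upgraded. The script below is an added example, not from the original page; it parses the `Licensed features` block of `show version` into a dictionary and reports which prerequisites are missing. The sample output is copied from the block shown above.

```python
"""Parse the 'Licensed features' block of ASA 'show version' and check licence
prerequisites for failover and multiple contexts. Added example, not from the
original page; SAMPLE_SHOW_VER copies the output shown on the page."""
import re

SAMPLE_SHOW_VER = """\
Licensed features for this platform:
 Maximum Physical Interfaces : Unlimited perpetual
 Maximum VLANs : 50 perpetual
 Inside Hosts : Unlimited perpetual
 Failover : Disabled perpetual
 Encryption-DES : Enabled perpetual
 Encryption-3DES-AES : Enabled perpetual
 Security Contexts : 0 perpetual
 AnyConnect Premium Peers : 2 perpetual
 Total VPN Peers : 250 perpetual

This platform has a Base license.

Serial Number: FCHS208DWST
"""

FEATURE_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S+)(?:\s+(?P<term>\S+))?\s*$")


def parse_licensed_features(text):
    """Return {feature name: (value, term)} for the lines under the header only,
    so 'Serial Number:' further down is not mistaken for a feature."""
    features, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            m = FEATURE_RE.match(line)
            if m:
                features[m.group("name")] = (m.group("value"), m.group("term"))
    return features


def as_number(value):
    """Map a licence value to something comparable: Unlimited -> inf, counts -> int,
    Enabled/Disabled -> 1/0, anything else (e.g. Active/Standby) -> None."""
    v = value.lower()
    if v == "unlimited":
        return float("inf")
    if v in ("enabled", "disabled"):
        return 1 if v == "enabled" else 0
    try:
        return int(value)
    except ValueError:
        return None


def license_blockers(features, want_failover=True, contexts_needed=0, vlans_needed=0):
    """List the prerequisites the licence does not meet; empty means go ahead."""
    blockers = []
    failover = features.get("Failover", ("Disabled", None))[0]
    if want_failover and failover == "Disabled":
        blockers.append("Failover is Disabled: the active/standby pair cannot be formed")
    ctx = as_number(features.get("Security Contexts", ("0", None))[0])
    if contexts_needed and ctx is not None and ctx < contexts_needed:
        blockers.append(f"Security Contexts licensed: {ctx}, needed: {contexts_needed}")
    vlans = as_number(features.get("Maximum VLANs", ("0", None))[0])
    if vlans_needed and vlans is not None and vlans < vlans_needed:
        blockers.append(f"Maximum VLANs licensed: {vlans}, needed: {vlans_needed}")
    return blockers


if __name__ == "__main__":
    feats = parse_licensed_features(SAMPLE_SHOW_VER)
    for name, (value, term) in feats.items():
        print(f"{name:28} {value:12} {term}")
    for b in license_blockers(feats, want_failover=True, contexts_needed=2, vlans_needed=40):
        print("BLOCKER:", b)
```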

Now perform the following steps and key in the activation key provided by Cisco when you purchased the new licence:

 HO-Markhorr-KHI-FW01(config)# activation-key 000sdfs 1c42dfsfsd fddfsfsd asdfsdsf
 Validating activation key. This may take a few minutes...
 Failover is different.
 running permanent activation key: Restricted(R)
 new permanent activation key: Unrestricted(UR)
 WARNING: The running activation key was not updated with the requested key.
 Proceed with update flash activation key? [confirm]
 The flash permanent activation key was updated with the requested key,
 and will become active after the next reload.
 HO-Markhorr-KHI-FW01(config)#
 HO-Markhorr-KHI-FW01(config)#
 HO-Markhorr-KHI-FW01(config)# wr
 Building configuration...
 Cryptochecksum: 5e648459 ea268bf2 20d92ce8 7709071b

21647 bytes copied in 0.730 secs
 [OK]
 HO-Markhorr-KHI-FW01(config)#
 HO-Markhorr-KHI-FW01(config)#
 HO-Markhorr-KHI-FW01(config)#
 HO-Markhorr-KHI-FW01(config)# reload
 Proceed with reload? [confirm]
 HO-Markhorr-KHI-FW01(config)#
 ***
 *** --- START GRACEFUL SHUTDOWN ---
 Shutting down isakmp
 Shutting down sw-module
 Shutting down License Controller
 Shutting down File system

***
 *** --- SHUTDOWN NOW ---