This document provides instructions for two exercises on a Cisco ASA firewall. The first exercise has students configure static and dynamic NAT to allow HTTP and FTP access to a web server while denying other traffic. The second exercise covers configuring authentication for firewall sessions using AAA. The exercises provide terminology, background information, requirements, step-by-step instructions, and tips for troubleshooting problems.
Table of Contents
Lab Overview (page 2)
Prerequisites (page 2)
How to Access Your Lab (page 2)
Network Topology (page 3)
Access Information for your POD (page 3)
Exercise 1: Configuring and Troubleshooting Basic NAT and Access Control (page 5)
Terminology (page 5)
Some Background Information About NAT (page 5)
Requirements and Steps to Complete (page 6)
Helpful Steps If (When) You Run Into Problems (page 6)
Exercise 2: Configuring and Troubleshooting Authentication For Firewall Sessions (page 9)
Terminology (page 9)
Some Background Information About AAA (page 9)
Requirements and Steps to Complete (page 9)
Helpful Steps If (When) You Run Into Problems (page 10)
Lab Overview
In this lab participants will learn basic troubleshooting skills and techniques for diagnosing and fixing network problems on the Cisco Adaptive Security Appliance (ASA). Troubleshooting concepts and tools are introduced by completing step-by-step lab scenarios. Students will work individually with a dedicated lab pod containing the latest version of Cisco ASA Software.
Prerequisites:
Must understand firewall basics. Must understand IP routing. Must know how to perform basic configuration of the Cisco ASA via CLI or ASDM. This lab assumes that you already know how to configure basic NAT, access control, and routing on the Cisco ASA.
If further information is needed on these topics, refer to: http://www.cisco.com/go/asa
How to Access Your Lab
This section describes how to access the lab setup and provides the addressing, connection, and port scheme information for your POD. This section describes the following:
Network Topology
Access Information
Network Topology
The following diagram (Figure 1) shows the network topology and setup for this lab. Your POD information will be provided to you by the instructor/lab proctor.
Figure 1. Network Topology
Access Information for your POD:
Step 1. Using your assigned lab PC, launch a remote desktop client:
a. Start -> Run: mstsc.exe
b. If you are Pod 1-8, connect to computer 64.102.242.76:10000
c. If you are Pod 9-16, connect to computer 64.102.242.77:10000
d. Use podXuser and podXpass for credentials, where X is your assigned pod number.
Step 2. ASDM should already be installed and have a shortcut on your desktop. Launch it and connect to 209.165.201.X, where X is your pod number.
Step 3. Alternatively, log in to the ASA via SSH (for example, using PuTTY).
Step 4. Log in to the ASA using the following credentials:
a. Username: ciscolive
b. Password: ciscolive
After logging into the security appliance, make sure that it is running version 8.4, as shown below in Figure 2:
Figure 2. Cisco ASA Version Information
Alternatively, you can use the show version CLI command.
Exercise 1: Configuring and Troubleshooting Basic NAT and Access Control
Terminology
This document uses the following terminology:

Real address/host/network/interface: The real address is the address that is defined on the host, before it is translated. In a typical NAT scenario where you want to translate the inside network when it accesses the outside, the inside network would be the "real" network. Note that you can translate any network connected to the adaptive security appliance, not just an inside network. Therefore, if you configure NAT to translate outside addresses, "real" can refer to the outside network when it accesses the inside network.

Mapped address/host/network/interface: The mapped address is the address that the real address is translated to. In a typical NAT scenario where you want to translate the inside network when it accesses the outside, the outside network would be the "mapped" network.

Bidirectional initiation: Static NAT allows connections to be initiated bidirectionally, meaning both to the host and from the host.

Source and destination NAT: For any given packet, both the source and destination IP addresses are compared to the NAT rules, and one or both can be translated/untranslated.

Some Background Information About NAT
Each computer and device within an IP network is assigned a unique IP address that identifies the host. Because of a shortage of public IPv4 addresses, most of these IP addresses are private, not routable anywhere outside of the private company network. One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT replaces a private IP address with a public IP address, translating the private addresses in the internal private network into routable addresses that can be used on the public Internet.

You can implement NAT using the following methods:
Static NAT: A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation.
Dynamic NAT: A group of real IP addresses is mapped to a (usually smaller) group of mapped IP addresses, on a first come, first served basis. Only the real host can initiate traffic.
Dynamic Port Address Translation (PAT): A group of real IP addresses is mapped to a single IP address using a unique source port of that IP address.
Identity NAT: Static NAT lets you translate a real address to itself, essentially bypassing NAT. You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses.

Requirements and Steps to Complete
A fictitious company called SecureMe is used in this lab as an example. You are now the firewall administrator for SecureMe and must configure a new ASA to allow Web (HTTP) and FTP traffic to the Web/FTP server shown in the network topology (Figure 1). The following are the requirements:
1. The Web/FTP server IP address (192.168.2.102) must be statically translated to the outside IP address of 209.165.201.2XX (XX = your POD number; for example, POD 1 will be 209.165.201.201; POD 2 will be 209.165.201.202; etc.)
2. Allow only Web (HTTP) and FTP traffic to the server.
3. All other inbound traffic must be denied.
4. All other inside hosts should be dynamically translated to the Cisco ASA's outside interface IP address when accessing the Internet.

IMPORTANT: In Cisco ASA Software version 8.3(1) and later, the NAT configuration was completely redesigned to allow greater flexibility and ease of use. You can now create named network objects that you can use in place of a host, a subnet, or a range of IP addresses in your configuration, and named service objects that you can use in place of a protocol and port in your configuration. You can then change the object definition in one place, without having to change any other part of your configuration. This lab uses Cisco ASA Software version 8.4, which has support for network and service objects; use them appropriately. There is another lab that uses version 8.2, where you can use the legacy nat and static commands.
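The following is an added example configuration that meets the four requirements above using the 8.3+ object-based NAT syntax; it is not part of the original lab text and is not a solution key. It assumes the interfaces are named inside and outside, that the inside network is 192.168.2.0/24, and that you are POD 1 (mapped address 209.165.201.201). The object and ACL names are also assumptions. The identity NAT host at the end is a constructed address included only to illustrate the identity NAT method described in the background section.

```cisco
! Added example (not from the original lab). Assumptions: interfaces inside/outside,
! inside network 192.168.2.0/24, POD 1. Replace 209.165.201.201 with 209.165.201.2XX
! for your own POD number.

! Requirement 1: static (bidirectional) NAT for the Web/FTP server.
object network WEB_SERVER
 host 192.168.2.102
 nat (inside,outside) static 209.165.201.201

! Requirement 4: all other inside hosts use dynamic PAT to the outside interface
! address when they access the Internet.
object network INSIDE_NET
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Requirements 2 and 3: permit only HTTP and FTP to the server; deny everything
! else inbound. From 8.3 onward the ACL is matched against the REAL (untranslated)
! address, so it references the network object, not the mapped 209.165.201.201.
object-group service WEB_FTP tcp
 port-object eq www
 port-object eq ftp
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER object-group WEB_FTP
! The implicit deny already blocks other traffic; an explicit logged deny makes the
! blocked attempts visible in the syslog buffer during troubleshooting.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Identity NAT (from the terminology section): exempt one host from the dynamic
! rule by translating it to itself. 192.168.2.50 is a constructed example address.
object network EXEMPT_HOST
 host 192.168.2.50
 nat (inside,outside) static 192.168.2.50
```

Two things worth checking after applying this: FTP through NAT depends on the FTP inspection engine, which is in the default global policy (inspect ftp under policy-map global_policy), so if FTP data connections fail while port 21 works, verify inspection has not been removed; and because ACLs now use real addresses, an ACL written against the mapped address will silently match nothing.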
Helpful Steps If (When) You Run Into Problems
You will most definitely run into problems in this lab. Do not assume that everything will work as expected. The following are some helpful tips if you run into problems.
Step 1. Can you access the server using a web browser (over TCP port 80)?
Step 2. Can you access the server via FTP using the CLI? If not, can you telnet to the FTP server on port 21? (Tip: you can use PuTTY to telnet on port 21.)
Step 3. Issue the show xlate command. What do you see?
Step 8. Enable syslog to the internal buffer at debug level. Then view the syslogs. What do you see? (commands: logging enable; logging buffered debugging; show log)
Step 9. Enable packet capture on the outside interface, then view the capture. What do you see? (commands: capture out interface outside, show capture out)
Step 10. Enable packet capture on the inside interface, then view the capture. What do you see? (commands: capture in interface inside, show capture in)
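The following is an added troubleshooting walk-through that ties the steps above together; it is not from the original lab text. It assumes the object and ACL names WEB_SERVER and OUTSIDE_IN from an object-based NAT configuration, POD 1 (mapped address 209.165.201.201), and a constructed outside client address of 209.165.200.225. The source port in the packet-tracer command is arbitrary.

```cisco
! Added troubleshooting sequence (not from the original lab). Assumes names
! WEB_SERVER / OUTSIDE_IN, POD 1, and a constructed outside client 209.165.200.225.

! 1. Simulate the inbound HTTP connection end to end. packet-tracer walks the packet
!    through route lookup, ACL, NAT and inspection phases and names the phase that
!    dropped it, so it is usually the fastest way to locate the problem.
packet-tracer input outside tcp 209.165.200.225 40000 209.165.201.201 80 detailed

! 2. Confirm the NAT rules exist in the expected order and that translation slots
!    and connections are actually being built (Step 3 above).
show nat
show nat detail
show xlate
show conn address 192.168.2.102

! 3. Confirm the ACL is applied inbound on outside and that hitcnt increments.
show access-list OUTSIDE_IN
show running-config access-group

! 4. If port 21 connects but FTP transfers fail, check that FTP inspection is active.
show service-policy inspect ftp

! 5. Syslog and captures (Steps 8-10), narrowed with match filters. Note that the
!    capture on outside sees the MAPPED address while the capture on inside sees
!    the REAL address; a packet visible in "out" but absent from "in" was dropped
!    by the ASA, and the syslog buffer says why.
logging enable
logging buffered debugging
capture out interface outside match tcp any host 209.165.201.201
capture in interface inside match tcp any host 192.168.2.102
show capture out
show capture in
show logging | include 192.168.2.102

! 6. Remove the captures when done; they consume memory and CPU.
no capture out
no capture in
```

Reading the two captures side by side is the most instructive part: the same TCP SYN appears with destination 209.165.201.201 on the outside capture and 192.168.2.102 on the inside capture, which confirms the static translation is taking place before the ACL and routing decisions.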
Exercise 2: Configuring and Troubleshooting Authentication For Firewall Sessions

Terminology
This section uses the following terminology:

AAA: Authentication, Authorization, and Accounting. AAA enables the adaptive security appliance to determine who the user is (authentication), what the user can do (authorization), and what the user did (accounting).

Some Background Information About AAA
The Cisco ASA uses "cut-through proxy" to significantly improve performance compared to a traditional proxy server. Although you can configure the Cisco ASA to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the adaptive security appliance allows other traffic requiring authentication. The authentication ports that the adaptive security appliance supports for AAA are fixed as follows:
Port 21 for FTP
Port 23 for Telnet
Port 80 for HTTP
Port 443 for HTTPS

After you authenticate correctly, the adaptive security appliance redirects you to your original destination. If the destination server also has its own authentication, the user enters another username and password. If you use basic HTTP authentication and need to enter another username and password for the destination server, then you need to configure the virtual http command.
Requirements and Steps to Complete
SecureMe has a new requirement. You must configure the Cisco ASA to authenticate all outside users connecting to the web server. The following are the requirements:
1. All outside users must be authenticated before connecting to the web server.
2. External authentication using RADIUS must be used. You must not configure the Cisco ASA to perform authentication using its local database.
Helpful Steps If (When) You Run Into Problems
You will most definitely run into problems in this lab. Do not assume that everything will work as expected. The following are some helpful tips if you run into problems. Be aware that we expect that you already know how to configure the Cisco ASA for authentication; the following are some configuration and troubleshooting tips.
Step 1. Verify that you can still access the web server using a web browser (over TCP port 80) before you configure and enable authentication.
Step 2. Configure authentication. Using the aaa-server command, identify your AAA servers. If you have already identified your AAA servers, continue to the next step. Since the server is located toward the inside interface, select the inside interface and specify the IP address of the server (192.168.2.101). The server secret key is ciscolive.
Step 3. Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want to authenticate. The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic from authentication. Be sure to include the destination port for HTTP in the access list because the user must authenticate with this service before traffic to the web server is allowed through the ASA.
Step 4. Use the aaa authentication match command to enable authentication and match the ACL you just configured.
Step 5. Test your connection to the web server from the outside client. Do you get a prompt for authentication?
Step 6. If you do, enter podXuser as the username and podXpass as the password.
Step 7. If not, enable debug aaa authentication. What do you see?
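The following is an added example that carries Steps 2 through 7 through as one configuration and verification sequence; it is not from the original lab text and is not a solution key. It assumes the interfaces are named inside and outside, that the RADIUS server listens on its default ports, and that the server-group and ACL names (RADIUS_SRV, AUTH_WEB) are free to choose. The web server's real address 192.168.2.102 and the RADIUS server address and key come from the lab.

```cisco
! Added example (not from the original lab). Assumptions: interfaces inside/outside,
! default RADIUS ports, names RADIUS_SRV and AUTH_WEB.

! Step 2: define the RADIUS server group and the server behind the inside interface,
! with the shared secret given in the lab. Only RADIUS is listed, so there is no
! fallback to the local database (requirement 2).
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 192.168.2.101
 key ciscolive

! Step 3: mark inbound HTTP to the web server for authentication. In 8.3+ the ACL
! uses the REAL address of the server. Port 80 must be in the ACL because HTTP is
! one of the four services on which the user can authenticate directly.
access-list AUTH_WEB extended permit tcp any host 192.168.2.102 eq www

! Step 4: enable cut-through proxy authentication for traffic arriving on outside
! that matches the ACL, using the RADIUS group.
aaa authentication match AUTH_WEB outside RADIUS_SRV

! Step 7 (when no prompt appears): first prove the ASA can reach the RADIUS server
! and that the shared secret is accepted, independently of any client traffic.
show aaa-server RADIUS_SRV
test aaa-server authentication RADIUS_SRV host 192.168.2.101 username podXuser password podXpass

! Then watch the exchange while the outside client retries (Steps 5 and 6), and
! inspect the table of authenticated users. clear uauth forces a fresh prompt so
! a test is not masked by an earlier successful login that is still cached.
debug aaa authentication
show uauth
clear uauth
undebug all
```

If test aaa-server succeeds but the browser never prompts, the problem is on the traffic-matching side (the ACL or the interface named in aaa authentication match), not on the RADIUS side; if test aaa-server fails, check the key, the server address, and that the inside interface can reach 192.168.2.101 before touching the rest.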