- Topology
1. Administrative access
1.1 Configure Telnet access from inside subnet
interface GigabitEthernet0
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
telnet 10.0.0.0 255.255.255.0 inside
passwd cisco
The ASA does not allow Telnet to interfaces with a security level lower than 100.
You cannot use Telnet to the lowest-security interface unless you use Telnet inside an IPsec tunnel.
1.2 Configure SSH access from outside subnet
To enable encrypted access to the ASA appliance using either SSH or HTTPS, you first need to generate an RSA key pair on the ASA:
ciscoasa(config)# crypto key generate rsa modulus 1024
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)#
The command that identifies the IP addresses from which the ASA accepts SSH connections is:
ciscoasa(config)# ssh 172.20.100.0 255.255.255.0 outside
1.3 Configure ASDM access from host BT5R3
To use ASDM, you need to enable the HTTPS server, and allow HTTPS connections to the ASA.
ciscoasa(config)# http server enable 10443
By default the HTTPS server listens on port 443.
Specify the location of the ASDM image:
ciscoasa(config)# asdm image disk0:/asdm/asdm-645-106.bin
1.4 Configuring AAA for System Administrators
1.4.1 Telnet authentication using AAA
aaa authentication telnet console LOCAL
1.4.2 SSH authentication using AAA
ciscoasa(config)# aaa authentication ssh console LOCAL
1.4.3 HTTPs authentication using AAA
ciscoasa(config)# aaa authentication http console LOCAL
Instead of LOCAL authentication you can use a RADIUS or TACACS+ aaa-server group for administrative authentication.
Configuration on ASA for TACACS+ server group:
aaa-server TACACS_TEST protocol tacacs+
aaa-server TACACS_TEST (dmz) host 192.168.223.129
key *****
aaa authentication ssh console TACACS_TEST
If you use a AAA server group for authentication, you can configure the ASA to use the local database as a fallback method if the AAA server is unavailable.
aaa authentication telnet console TACACS_TEST LOCAL
aaa authentication ssh console TACACS_TEST LOCAL
aaa authentication http console TACACS_TEST LOCAL
You can configure the ASA to authenticate users with a AAA server or the local database when they enter the enable command.
aaa authentication enable console TACACS_TEST LOCAL
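The access-control and AAA commands above can be checked mechanically. The following added Python script (example code, not part of the original post or of any Cisco tool) parses a running-config fragment and reports management-plane gaps: any-source telnet/ssh/http entries, Telnet on an interface whose security level is below 100, an enabled HTTPS server with no allowed-source entry, and access methods without AAA or without the LOCAL fallback. The sample config is constructed from the commands in this section.

```python
import re

# Constructed running-config fragment mirroring the commands in section 1
# (sample input for this example, not a capture from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 nameif inside
 security-level 100
telnet 10.0.0.0 255.255.255.0 inside
ssh 172.20.100.0 255.255.255.0 outside
http server enable 10443
aaa authentication telnet console TACACS_TEST LOCAL
aaa authentication ssh console TACACS_TEST LOCAL
aaa authentication http console LOCAL
aaa authentication enable console TACACS_TEST
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

def audit_admin_access(config):
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Map each nameif to its security-level so Telnet exposure can be judged.
    levels, name = {}, None
    for l in lines:
        if l.startswith("nameif "):
            name = l.split()[1]
        elif l.startswith("security-level ") and name:
            levels[name] = int(l.split()[1])
    # Source restrictions: '<telnet|ssh|http> <net> <mask> <ifname>' entries.
    seen = set()
    for m in filter(None, (re.match(rf"(telnet|ssh|http) ({IP}) ({IP}) (\S+)$", l) for l in lines)):
        proto, net, mask, ifname = m.groups()
        seen.add(proto)
        if net == mask == "0.0.0.0":
            findings.append(f"{proto}: any source allowed on {ifname}")
        if proto == "telnet" and levels.get(ifname, 0) < 100:
            findings.append(f"telnet: cleartext access on non-inside interface {ifname}")
    if any(l.startswith("http server enable") for l in lines) and "http" not in seen:
        findings.append("http: HTTPS server enabled but no 'http <net> <mask> <if>' entry")
    # AAA: every access method should use AAA, with LOCAL as fallback after a server group.
    for svc in ("telnet", "ssh", "http", "enable"):
        methods = [l.split()[4:] for l in lines
                   if l.startswith(f"aaa authentication {svc} console ")]
        if not methods:
            findings.append(f"{svc}: no AAA authentication (static password only)")
        elif "LOCAL" not in methods[-1]:  # the last command entered is the active one
            findings.append(f"{svc}: group {methods[-1][0]} has no LOCAL fallback")
    return findings
```

Run against the sample, it reports the missing http allowed-source entry and the enable authentication without LOCAL fallback.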
2. Management traffic
2.1 NTP
Configure the ASA for time synchronization with R1 (use the MD5 key NTP_key for authentication):
ntp authentication-key 1 md5 NTP_key
ntp authenticate
ntp trusted-key 1
ntp server 172.20.100.3 key 1
ciscoasa# show ntp status
Clock is synchronized, stratum 9, reference is 172.20.100.3
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d4bfb07e.6c18a0bb (17:12:30.422 UTC Fri Feb 8 2013)
clock offset is -14.9486 msec, root delay is 7.42 msec
root dispersion is 15905.61 msec, peer dispersion is 15890.63 msec
ciscoasa# show ntp associations
address ref clock st when poll reach delay offset disp
*~172.20.100.3 127.127.7.1 8 41 64 1 7.4 -14.95 15890.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
2.2 System logging
Enable logging:
ciscoasa(config)# logging enable
Send syslog messages to the internal log buffer (each command sets a single severity level and replaces the previous one, so the last one entered, errors, is the active level):
ciscoasa(config)# logging buffered critical
ciscoasa(config)# logging buffered alerts
ciscoasa(config)# logging buffered errors
Change the size of the internal log buffer (the default is 4 KB):
ciscoasa(config)# logging buffer-size 8192
When the buffer wraps, you can send its contents to the FTP server 192.168.1.129:
logging ftp-bufferwrap
logging ftp-server 192.168.223.129 /syslog ftp_user *****
Send syslog messages to the syslog server 192.168.1.129:
logging trap informational
logging host dmz 192.168.223.129
Specify that syslog messages include the date and time at which they were generated:
ciscoasa(config)# logging timestamp
By default syslog messages are sent with facility 20. You can change it with the following command:
ciscoasa(config)# logging facility 19
Send syslog messages to the console port:
ciscoasa(config)# logging console alerts
Send syslog messages to SSH/Telnet sessions:
ciscoasa(config)# logging monitor critical
ciscoasa(config)# terminal monitor
Send syslog messages to ASDM:
ciscoasa(config)# logging asdm debugging
Include the device ID in syslog messages:
ciscoasa(config)# logging device-id ipaddress inside
Filter syslog messages:
a. Class-based filtering
ciscoasa(config)# logging class config console errors
b. List filtering
ciscoasa(config)# logging list ASA_SYSLOG_LIST message 101002-103000
ciscoasa(config)# logging asdm ASA_SYSLOG_LIST
c. Message-ID filtering
ciscoasa(config)# no logging message 111010
Check logging status:
ciscoasa(config)# show logging
Syslog logging: enabled
Facility: 23
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: class config, 4 messages logged
Monitor logging: level critical, 0 messages logged
Buffer logging: level errors, 0 messages logged
Trap logging: level informational, facility 23, 98 messages logged
Logging to dmz 192.168.223.129
Permit-hostdown logging: disabled
History logging: disabled
Device ID: 'inside' interface IP address "10.0.0.1"
Mail logging: disabled
ASDM logging: list ASA_SYSLOG_LIST, 109 messages logged
ciscoasa(config)# show logging message
syslog 111010: default-level notifications (disabled)
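To see what the severity levels, the logging list and the disabled message ID above actually let through, the following added Python script (example code, not from the original post) parses ASA syslog lines and routes them through the destination filters configured in this section: buffer at errors, console at alerts, trap at informational, ASDM fed only by the list 101002-103000, and message 111010 disabled everywhere. The sample lines are constructed; their layout (PRI, timestamp, device ID, then %ASA-level-id) is an assumption of this example based on the logging timestamp and logging device-id settings.

```python
import re

# Constructed ASA syslog lines as sent with 'logging timestamp' and 'logging device-id'
# enabled and the default facility 20 (sample input for this example, not real captures).
SAMPLE_LINES = [
    "<163>Feb 08 2013 17:12:31 10.0.0.1 : %ASA-3-201008: Disallowing new connections.",
    "<165>Feb 08 2013 17:12:32 10.0.0.1 : %ASA-5-111010: User 'admin' executed 'logging enable'",
    "<166>Feb 08 2013 17:12:33 10.0.0.1 : %ASA-6-302013: Built inbound TCP connection 12",
    "<166>Feb 08 2013 17:12:34 10.0.0.1 : %ASA-6-106015: Deny TCP (no connection) on outside",
    "<167>Feb 08 2013 17:12:35 10.0.0.1 : %ASA-7-111009: User 'admin' executed cmd: show logging",
    "<161>Feb 08 2013 17:12:36 10.0.0.1 : %ASA-1-101002: (Primary) Bad failover cable.",
]
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
LINE_RE = re.compile(r"^<(\d+)>(\w{3} \d\d \d{4} \d\d:\d\d:\d\d) (\S+) : %ASA-(\d)-(\d{6}): (.*)$")
# Destinations and their filters, mirroring the 'logging ...' commands in section 2.2.
DESTINATIONS = {
    "buffer":  {"level_name": "errors"},          # logging buffered errors
    "console": {"level_name": "alerts"},          # logging console alerts
    "trap":    {"level_name": "informational"},   # logging trap informational
    "asdm":    {"msg_list": [(101002, 103000)]},  # logging list ... message 101002-103000
}

def parse_asa_syslog(line):
    """Split a line into PRI facility/severity, timestamp, device ID, level, message ID, text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, ts, dev, level, msg_id, text = m.groups()
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7, "timestamp": ts,
            "device_id": dev, "level": int(level), "msg_id": int(msg_id), "text": text}

def should_deliver(msg, level_name=None, msg_list=None, disabled=()):
    if msg["msg_id"] in disabled:            # 'no logging message <id>' suppresses everywhere
        return False
    if msg_list is not None:                 # a list of ID ranges ignores the level
        return any(lo <= msg["msg_id"] <= hi for lo, hi in msg_list)
    return msg["level"] <= SEVERITY[level_name]   # level N means N and more severe

def route(lines, disabled=(111010,)):
    # Return, per destination, the message IDs that the configured filters let through.
    out = {dest: [] for dest in DESTINATIONS}
    for line in lines:
        msg = parse_asa_syslog(line)
        if msg is None:
            continue
        for dest, rule in DESTINATIONS.items():
            if should_deliver(msg, disabled=disabled, **rule):
                out[dest].append(msg["msg_id"])
    return out
```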
2.3 SNMP
Enable the SNMP server on the ASA:
ciscoasa(config)# snmp-server enable
Identify the NMS host that can connect to the ASA for SNMP management:
ciscoasa(config)# snmp-server host dmz 192.168.223.129 community *****
Set the SNMP location and contact:
ciscoasa(config)# snmp-server location Test_city
ciscoasa(config)# snmp-server contact +108919991
Set the SNMP community string and enable all traps:
ciscoasa(config)# snmp-server community *****
ciscoasa(config)# snmp-server enable traps all
Enable sending of syslog messages at level alerts (and more severe) as SNMP traps:
ciscoasa(config)# logging history alerts
SNMP server statistics:
ciscoasa(config)# show snmp-server statistics
5 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
2 Number of requested variables
0 Number of altered variables
2 Get-request PDUs
0 Get-next PDUs
1 Get-bulk PDUs
0 Set-request PDUs (Not supported)
990 SNMP packets output
0 Too big errors (Maximum packet size 512)
0 No such name errors
0 Bad values errors
0 General errors
3 Response PDUs
985 Trap PDUs