Oct 14, 2008 Choose Configuration Properties Certificate Key Pair, click Add and use the default options presented in order to generate the same RSA keys with ASDM. Choose Configuration Properties Device Access Secure Shell in order to use ASDM to specify hosts allowed to connect with SSH and to specify the version and timeout options. ASA-5505 (config)# domain-name networkjutsu.com ASA-5505 (config)# crypto key gen rsa mod 4096 ASA-5505 (config)# ssh version 2 ASA-5505 (config)# ssh key-exchange group dh-group14-sha1. As you know, it is a good idea to enable SSH and disable Telnet. Since ASA does not enable SSH and/or Telnet by default, you have less to worry about.
Welcome back to this series where we cover CCNA Security topics using Cisco Packet Tracer in our labs. In the previous lab, we started looking at the Cisco ASA and we will continue looking at this Cisco appliance in this lab.
The lab setup from the last article is as shown below:
In this lab, we will configure routing on the Cisco ASA, look at the Cisco Modular Policy Framework (MPF) and also configure SSH for management access to the Cisco ASA.
Two files are attached to this article:
The tasks for this lab are as follows:
Lab Solutions
Task 1: Loopback Interface Settings
The goal of this task is just to simulate an external host, e.g. a device on the Internet.
Task 2: Default Routing
As I said in the last article, many commands that have “ip” in the Cisco IOS do not have “ip” in the Cisco ASA. The route command, used to configure static/default routes on the Cisco ASA, is an example of this.
Another thing to keep in mind with the Cisco ASA is that you must specify an interface name (e.g. inside, outside) for any route statement. This interface name specifies the interface through which the next hop IP address is reachable.
/generate-pem-encoded-rsa-public-key-from-certificate.html. Finally, instead of specifying “0.0.0.0 0.0.0.0” like we do on the Cisco IOS, we can shorten it to “0 0” on the Cisco ASA. However, this short form is not (yet) implemented in Packet Tracer so we must specify it in its full form.
To test this configuration, we will ping the 8.8.8.8 IP address from the Cisco ASA:
Task 3: Inside to DMZ Communication
In the last lab, we said that due to the license that comes with the Cisco ASA in Packet Tracer (Base License), the 3rd VLAN we created (dmz) will be a restricted VLAN, i.e. it will only be able to initiate a connection to only one other VLAN. In that lab, we restricted the dmz VLAN from initiating a connection to the inside VLAN. Notice the word “initiate” in that sentence? It means that even though the dmz VLAN cannot initiate traffic to the inside, the inside VLAN can actually initiate traffic to the dmz and the dmz will respond.
Since the inside interface is on a higher security interface than the dmz, traffic from the inside to the dmz will be allowed by default. We can confirm this by opening an HTTPS connection from the ‘Inside User’ to the ‘Web Server’:
Note: Even though HTTP is also enabled on the Web Server, http://172.16.10.100 doesn’t work for some reason. I assume it’s some limitation with Packet Tracer. Two services I found to work are HTTPS and SMTP.
However, the task also requires that ping traffic from the ‘Inside User’ to the ‘Web Server’ is successful, so let’s test that:
As you can see, the ping failed. The problem is that, by default, ICMP inspection is not enabled on the Cisco ASA so even though the ping from the inside is getting to the dmz, the return traffic is not permitted. There are two ways around this issue:
The task specifically said not to use an ACL so we are left with the second option. Although you can configure an ICMP policy on the ASA, an easier option is to copy the default MPF configuration from the Cisco site and edit it to include ICMP inspection. Due to the limitations of Packet Tracer, some of the commands included in the default MPF configuration are not supported so you will end up with a configuration similar to the following:
As you can see, I have enabled ICMP inspection (inspect icmp) under the “global_policy” policy map. Let’s test again:
Task 4: SSH Access
To enable SSH on the Cisco ASA, there are a couple of things we need to do:
We can view the default RSA key pair using the show crypto key mypubkey rsa command:
The other necessary configuration is as follows:
Let’s first test this configuration from the ‘Inside User’ by opening command prompt and typing “ssh –l insideuser 10.0.0.1”:
The SSH connection was successful. Let’s now test from the Outside_RTR:
Great! Dota custom keys generator 6.88. We have now successfully completed the tasks in this lab.
Summary
This brings us to the end of this Packet Tracer lab where we have configured routing, Cisco MPF and also enabled SSH on the Cisco ASA 5505.
In the next article, we will continue with another lab on the Cisco ASA. I hope you have found this lab insightful.
References and Further Reading
Related Posts