A basic setup looks like this:
Need a Cisco ASA for studying? Buy one here - https://amzn.to/2JnBp6G
1. We're going to start by setting up a Hostname for our new firewall.
I will set it to LINUXMAN-ASA, notice the change takes place immediately and does not require reboot like Windows does.
ciscoasa# configure terminal
ciscoasa(config)# hostname LINUXMAN-ASA
LINUXMAN-ASA(config)#
2. We need to secure it so not just anyone can log into it, so we're going to set up a password for GLOBAL CONFIGURATION MODE and CONSOLE.
LINUXMAN-ASA(config)# enable password linuxman
Before we can configure LOCAL authentication, we have to create users to manage our firewall. For simplicity, we are going to assume that we are dealing with a group of trusted Administrators, so we are going to skip assigning specific privileges for now and go with privilege level 15.
Let's create 3 accounts for our Administrators:
LINUXMAN-ASA(config)# username jeff password jeff
LINUXMAN-ASA(config)# username thomas password thomas
LINUXMAN-ASA(config)# username chris password chris
Now that we have a list of user accounts in our LOCAL database, we can configure LOCAL authentication for CONSOLE and set a maximum number of failed login attempts to limit password guessing against those accounts.
LINUXMAN-ASA(config)# aaa authentication serial console LOCAL
LINUXMAN-ASA(config)# aaa local authentication attempts max-fail 3
Let's log out completely from our ASA and test the console authentication: log in as Jeff, followed by the ENABLE password authentication.
LINUXMAN-ASA(config)# exit
LINUXMAN-ASA# exit
Logoff
Username: jeff
Password: ****
User jeff logged in to LINUXMAN-ASA
Logins over the last 1 days: 2. Last login: 21:44:13 UTC Sep 1 2018 from console
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
LINUXMAN-ASA> enable
Password: ********
LINUXMAN-ASA#
Now let's test our max-fail rule for LOCAL users.
LINUXMAN-ASA# exit
Logoff
Username: jeff
Password: *
Username: jeff
Password: *
Username: jeff
Password: *
Username: jeff
Password: ****
Username: chris
Password: *****
User chris logged in to LINUXMAN-ASA
Logins over the last 1 days: 2. Last login: 21:49:21 UTC Sep 1 2018 from console
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
LINUXMAN-ASA> enable
Password: ********
LINUXMAN-ASA#
Notice that after the 3rd failed attempt, even if we use the correct credentials it doesn't let us log in at all or give an error. We logged in as Chris to troubleshoot. Let's look to see if the account is marked as locked out.
LINUXMAN-ASA# show aaa local user lockout
Lock-time  Failed-attempts  Locked  User
22:42:19   3                Y       jeff
LINUXMAN-ASA#
Here we can see how many failed attempts were made and the current Locked state for user Jeff. Now let's unlock his account, re-check the lockout state and make sure we can log in again.
LINUXMAN-ASA# configure terminal
LINUXMAN-ASA(config)# clear aaa local user lockout username jeff
LINUXMAN-ASA(config)# show aaa local user lockout
Lock-time  Failed-attempts  Locked  User
LINUXMAN-ASA(config)# exit
LINUXMAN-ASA# exit
Logoff
Username: jeff
Password: ****
User jeff logged in to LINUXMAN-ASA
Logins over the last 1 days: 3. Last login: 21:46:54 UTC Sep 1 2018 from console
Failed logins since the last login: 12. Last failed login: 22:43:43 UTC Sep 1 2018 from console
Type help or '?' for a list of available commands.
LINUXMAN-ASA> enable
Password: ********
LINUXMAN-ASA#
3. We can set up a banner for Login and MOTD (Message of the Day) for when we connect or log into our ASA.
LINUXMAN-ASA# configure terminal
LINUXMAN-ASA(config)# banner login UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
LINUXMAN-ASA(config)# banner login
LINUXMAN-ASA(config)# banner login You must have explicit, authorized permission to access or configure this device.
LINUXMAN-ASA(config)# banner login
LINUXMAN-ASA(config)# banner login Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
LINUXMAN-ASA(config)# banner login
LINUXMAN-ASA(config)# banner login All activities performed on this device are logged and monitored.
LINUXMAN-ASA(config)# banner motd WELCOME AUTHORIZED USER!
And let's give it a try!
LINUXMAN-ASA(config)# exit
LINUXMAN-ASA# exit
Logoff
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.
Username: jeff
Password: ****
WELCOME AUTHORIZED USER!
User jeff logged in to LINUXMAN-ASA
Logins over the last 1 days: 6. Last login: 23:19:13 UTC Sep 1 2018 from console
Failed logins since the last login: 0. Last failed login: 22:43:43 UTC Sep 1 2018 from console
Type help or '?' for a list of available commands.
LINUXMAN-ASA> en
Password: ********
LINUXMAN-ASA#
4. Let's set up your WAN Address. This could be getting an address via DHCP from your provider, or STATIC.
I will go over setting up the WAN via STATIC and DHCP. In my scenario my WAN Address is going to be a Private Address since I am creating this behind a NAT. A real WAN Address looks "unusual" or very "random", such as Google's 216.58.194.46. For the rest of this guide, I will be using a STATIC IP Address.
We're going to be using GigabitEthernet 1/1 as our WAN and GigabitEthernet 1/2 as our LAN. To see what available interfaces you have on your model, execute the following command:
LINUXMAN-ASA# show interface ip brief
Interface            IP-Address   OK? Method Status                Protocol
Virtual0             127.1.0.1    YES unset  up                    up
GigabitEthernet1/1   unassigned   YES unset  administratively down down
GigabitEthernet1/2   unassigned   YES unset  administratively down down
GigabitEthernet1/3   unassigned   YES unset  administratively down down
GigabitEthernet1/4   unassigned   YES unset  administratively down down
GigabitEthernet1/5   unassigned   YES unset  administratively down down
GigabitEthernet1/6   unassigned   YES unset  administratively down down
GigabitEthernet1/7   unassigned   YES unset  administratively down down
GigabitEthernet1/8   unassigned   YES unset  administratively down down
Internal-Control1/1  127.0.1.1    YES unset  up                    up
Internal-Data1/1     unassigned   YES unset  down                  down
Internal-Data1/2     unassigned   YES unset  up                    up
Internal-Data1/3     unassigned   YES unset  up                    up
Internal-Data1/4     169.254.1.1  YES unset  up                    up
Management1/1        unassigned   YES unset  administratively down down
LINUXMAN-ASA# configure terminal
LINUXMAN-ASA(config)# interface GigabitEthernet 1/1
LINUXMAN-ASA(config-if)# ip address 192.168.0.55 255.255.255.0
LINUXMAN-ASA(config-if)# no shutdown
LINUXMAN-ASA(config-if)# nameif WAN
INFO: Security level for "WAN" set to 0 by default.
LINUXMAN-ASA(config-if)# exit
LINUXMAN-ASA(config)# route WAN 0.0.0.0 0.0.0.0 192.168.0.1
Check IP Address assignment
LINUXMAN-ASA(config)# show interface ip brief
Interface            IP-Address    OK? Method Status  Protocol
Virtual0             127.1.0.1     YES unset  up      up
GigabitEthernet1/1   192.168.0.55  YES manual up      up
<--- Output Omitted --->
Check Routes
LINUXMAN-ASA(config)# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, WAN
C 192.168.0.0 255.255.255.0 is directly connected, WAN
L 192.168.0.55 255.255.255.255 is directly connected, WAN
LINUXMAN-ASA(config)#
We can verify connectivity to the internet by pinging an external host. We will ping SecureDNS for testing.
LINUXMAN-ASA(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/40 ms
LINUXMAN-ASA(config)#
LINUXMAN-ASA# configure terminal
LINUXMAN-ASA(config)# interface GigabitEthernet 1/1
LINUXMAN-ASA(config-if)# ip address dhcp setroute
LINUXMAN-ASA(config-if)# no shutdown
LINUXMAN-ASA(config-if)# nameif WAN
INFO: Security level for "WAN" set to 0 by default.
LINUXMAN-ASA(config-if)# exit
Check IP Address assignment
LINUXMAN-ASA(config)# show interface ip brief
Interface            IP-Address     OK? Method Status  Protocol
Virtual0             127.1.0.1      YES unset  up      up
GigabitEthernet1/1   192.168.0.163  YES manual up      up
<--- Output Omitted --->
Check Routes
LINUXMAN-ASA(config)# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, WAN
C 192.168.0.0 255.255.255.0 is directly connected, WAN
L 192.168.0.163 255.255.255.255 is directly connected, WAN
LINUXMAN-ASA(config)#
We can verify connectivity to the internet by pinging an external host. We will ping SecureDNS for testing.
LINUXMAN-ASA(config)# ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/40 ms
LINUXMAN-ASA(config)#
5. Let's configure our internal LAN, where our hosts will connect.
LINUXMAN-ASA(config)# interface GigabitEthernet 1/2
LINUXMAN-ASA(config-if)# ip address 172.16.30.254 255.255.255.0
LINUXMAN-ASA(config-if)# no shutdown
LINUXMAN-ASA(config-if)# nameif LAN
INFO: Security level for "LAN" set to 0 by default.
LINUXMAN-ASA(config-if)# security-level 100
Check IP Address assignment
LINUXMAN-ASA(config)# show interface ip brief
Interface            IP-Address     OK? Method Status  Protocol
Virtual0             127.1.0.1      YES unset  up      up
GigabitEthernet1/1   192.168.0.55   YES manual up      up
GigabitEthernet1/2   172.16.30.254  YES manual down    down
<--- Output Omitted --->
Check Routes
LINUXMAN-ASA(config)# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, WAN
C 172.16.30.0 255.255.255.0 is directly connected, LAN
L 172.16.30.254 255.255.255.255 is directly connected, LAN
C 192.168.0.0 255.255.255.0 is directly connected, WAN
L 192.168.0.55 255.255.255.255 is directly connected, WAN
LINUXMAN-ASA(config)#
7. Now that we have our Administrator accounts set up and have configured interfaces, let's set up SSH Remote Access for them.
I personally try to avoid using Telnet at all costs for remote access and favor SSH, which should be a no-brainer. We're going to set up Remote Access on WAN, either for all remote IPs or for specific IPs. You can add additional interfaces where SSH will listen for/allow connections by simply specifying which interface to listen on.
NOTE: And for the love of God, please change the key-exchange to use the latest diffie-hellman group. I have come across many ASAs configured by other technicians and they did not bother to change this so it's more secure. If your firewall does not support the latest diffie-hellman group, then you should look into upgrading the IOS Software.
LINUXMAN-ASA(config)# ssh 0.0.0.0 0.0.0.0 WAN
LINUXMAN-ASA(config)# ssh key-exchange group dh-group14-sha1
LINUXMAN-ASA(config)# ssh timeout 5
LINUXMAN-ASA(config)# aaa authentication ssh console LOCAL
LINUXMAN-ASA(config)# ssh 192.168.0.169 255.255.255.255 WAN
LINUXMAN-ASA(config)# ssh key-exchange group dh-group14-sha1
LINUXMAN-ASA(config)# ssh timeout 5
LINUXMAN-ASA(config)# aaa authentication ssh console LOCAL
LINUXMAN-ASA(config)# ssh 192.168.0.0 255.255.255.0 WAN
LINUXMAN-ASA(config)# ssh key-exchange group dh-group14-sha1
LINUXMAN-ASA(config)# ssh timeout 5
LINUXMAN-ASA(config)# aaa authentication ssh console LOCAL
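To check a saved configuration against the hardening steps in this guide (LOCAL console and SSH authentication, lockout on failed attempts, login banner, SSH idle timeout and dh-group14 key exchange, no Telnet, SSH not open to every source address), here is an added Python audit script; it is not from the original post. The sample running-config is constructed and deliberately left weak in three places; on a real ASA, `show running-config` prints hashed enable and user passwords, which these patterns still match on the command keyword.

```python
import re

# Constructed sample running-config, modelled on the commands in this guide.
# It is deliberately missing an SSH timeout, uses a weak DH group, and opens SSH to any source.
SAMPLE_CONFIG = """\
hostname LINUXMAN-ASA
enable password linuxman
username jeff password jeff
aaa authentication serial console LOCAL
aaa local authentication attempts max-fail 3
banner login UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
ssh 0.0.0.0 0.0.0.0 WAN
ssh key-exchange group dh-group1-sha1
aaa authentication ssh console LOCAL
"""

# Each entry: (finding id, regex a config line must match, what is missing if none does)
REQUIRED = [
    ("hostname", r"^hostname (?!ciscoasa$)\S+", "default hostname left in place"),
    ("enable-password", r"^enable password \S+", "no enable password configured"),
    ("console-aaa", r"^aaa authentication serial console LOCAL", "console not using LOCAL authentication"),
    ("ssh-aaa", r"^aaa authentication ssh console LOCAL", "SSH not using LOCAL authentication"),
    ("max-fail", r"^aaa local authentication attempts max-fail \d+", "no failed-login lockout"),
    ("login-banner", r"^banner login ", "no login banner"),
    ("ssh-timeout", r"^ssh timeout \d+", "no SSH idle timeout"),
    ("ssh-kex", r"^ssh key-exchange group dh-group14-sha(1|256)", "SSH key exchange is not dh-group14"),
]
# Each entry: (finding id, regex whose presence on any line is itself a finding, description)
FORBIDDEN = [
    ("telnet-enabled", r"^telnet \d+\.\d+\.\d+\.\d+ ", "Telnet remote access configured"),
    ("ssh-any-source", r"^ssh 0\.0\.0\.0 0\.0\.0\.0 ", "SSH accepts connections from any source address"),
]


def audit(config: str) -> list[str]:
    """Return the sorted finding ids for a running-config text."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = [fid for fid, pat, _ in REQUIRED if not any(re.match(pat, ln) for ln in lines)]
    findings += [fid for fid, pat, _ in FORBIDDEN if any(re.match(pat, ln) for ln in lines)]
    return sorted(findings)


if __name__ == "__main__":
    descriptions = {fid: desc for fid, _, desc in REQUIRED + FORBIDDEN}
    for fid in audit(SAMPLE_CONFIG):
        print(f"[FINDING] {fid}: {descriptions[fid]}")
```

Run it against the output of `show running-config` saved to a file by passing that text to `audit()`; each finding id maps to one of the steps above.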
We're going to test our SSH connection from a Linux machine and login as Jeff. Notice we get our Login Banner and MOTD Banner even on SSH.
linuxman@LINUXMAN-PC:~$ ssh jeff@192.168.0.55
The authenticity of host '192.168.0.55 (192.168.0.55)' can't be established.
RSA key fingerprint is SHA256:ukjKlh3XsLygqCUPbwaNVzX8tkMZv9vFRS2qEhZ7MAc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.55' (RSA) to the list of known hosts.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.
jeff@192.168.0.55's password:
WELCOME AUTHORIZED USER!
User jeff logged in to LINUXMAN-ASA
Logins over the last 1 days: 7. Last login: 23:26:35 UTC Sep 1 2018 from console
Failed logins since the last login: 0. Last failed login: 22:43:43 UTC Sep 1 2018 from console
Type help or '?' for a list of available commands.
LINUXMAN-ASA> enable
Password: ********
LINUXMAN-ASA#
8. Now we need to provide our Internal LAN some outside access. In this example we will keep it simple and Dynamically NAT our LAN Interface.
To achieve this, we need to create a Network Object that will represent all traffic from LAN and create a NAT statement for it.
LINUXMAN-ASA(config)# object network all
LINUXMAN-ASA(config-network-object)# subnet 0.0.0.0 0.0.0.0
LINUXMAN-ASA(config-network-object)# nat (LAN,WAN) dynamic interface
LINUXMAN-ASA(config-network-object)# exit
9. If you are not going to use a separate DHCP server, you can set one up right on your firewall.
LINUXMAN-ASA(config)# dhcpd address 172.16.30.100-172.16.30.150 LAN
LINUXMAN-ASA(config)# dhcpd dns 1.1.1.1 interface LAN
LINUXMAN-ASA(config)# dhcpd lease 1500 interface LAN
LINUXMAN-ASA(config)# dhcpd enable LAN
10. Really you should be doing this as you go, but save your work!
LINUXMAN-ASA# write memory
Building configuration...
Cryptochecksum: 4191e39f 9663e937 0c8e1df5 3095ffa5
5348 bytes copied in 0.290 secs
[OK]
LINUXMAN-ASA#
Now that we have configured our Firewall for internet access to internal hosts with DHCP, let's connect a host to the LAN and test connectivity. I will be connecting my Chromebook and testing the Internet.