Welcome back to this series where we cover CCNA Security topics using Cisco Packet Tracer in our labs. In the previous lab, we started looking at the Cisco ASA and we will continue looking at this Cisco appliance in this lab.
The lab setup from the last article is as shown below:
In this lab, we will configure routing on the Cisco ASA, look at the Cisco Modular Policy Framework (MPF) and also configure SSH for management access to the Cisco ASA.
Two files are attached to this article:
cisco_asa_routing_mpf_mgt_init.pkt: This Packet Tracer file is actually the “final” PKT file from the previous lab.
cisco_asa_routing_mpf_mgt_final.pkt: This Packet Tracer file contains the lab setup with the ASA fully configured to meet the lab requirements.
The tasks for this lab are as follows:
Configure a loopback interface on the Outside_RTR with an IP address of 188.8.131.52/32.
Configure a default route on the ASA pointing to the Outside_RTR. Ensure that you can ping the newly configured loopback on the Outside_RTR from the Cisco ASA.
The ‘Inside User’ should be able to initiate connections to the ‘Web Server’ and get a response. You should also ensure that ping from the ‘Inside User’ to the ‘Web Server’ is successful. Do not use an access list to accomplish this.
Enable SSH access to the ASA from any IP address on both the inside and outside interfaces. Create a local user on the ASA to be used for authentication with the following credentials: Username – “insideuser” and Password – “userpwd”.
Task 1: Loopback Interface Settings
The goal of this task is just to simulate an external host, e.g. a device on the Internet.
interface Loopback0 ip address 184.108.40.206 255.255.255.255
Task 2: Default Routing
As I said in the last article, many commands that have “ip” in the Cisco IOS do not have “ip” in the Cisco ASA. The route command, used to configure static/default routes on the Cisco ASA, is an example of this.
Another thing to keep in mind with the Cisco ASA is that you must specify an interface name (e.g. inside, outside) for any route statement. This interface name specifies the interface through which the next hop IP address is reachable.
Finally, instead of specifying “0.0.0.0 0.0.0.0” like we do on the Cisco IOS, we can shorten it to “0 0” on the Cisco ASA. However, this short form is not (yet) implemented in Packet Tracer so we must specify it in its full form.
route outside 0.0.0.0 0.0.0.0 192.0.2.100
To test this configuration, we will ping the 220.127.116.11 IP address from the Cisco ASA:
Task 3: Inside to DMZ Communication
In the last lab, we said that due to the license that comes with the Cisco ASA in Packet Tracer (Base License), the 3rd VLAN we created (dmz) will be a restricted VLAN, i.e. it will only be able to initiate a connection to only one other VLAN. In that lab, we restricted the dmz VLAN from initiating a connection to the inside VLAN. Notice the word “initiate” in that sentence? It means that even though the dmz VLAN cannot initiate traffic to the inside, the inside VLAN can actually initiate traffic to the dmz and the dmz will respond.
Since the inside interface is on a higher security interface than the dmz, traffic from the inside to the dmz will be allowed by default. We can confirm this by opening an HTTPS connection from the ‘Inside User’ to the ‘Web Server’:
Note: Even though HTTP is also enabled on the Web Server, http://172.16.10.100 doesn’t work for some reason. I assume it’s some limitation with Packet Tracer. Two services I found to work are HTTPS and SMTP.
However, the task also requires that ping traffic from the ‘Inside User’ to the ‘Web Server’ is successful, so let’s test that:
As you can see, the ping failed. The problem is that, by default, ICMP inspection is not enabled on the Cisco ASA so even though the ping from the inside is getting to the dmz, the return traffic is not permitted. There are two ways around this issue:
Use an ACL to allow return ICMP traffic.
Use the Cisco Modular Policy Framework (MPF).
The task specifically said not to use an ACL so we are left with the second option. Although you can configure an ICMP policy on the ASA, an easier option is to copy the default MPF configuration from the Cisco site and edit it to include ICMP inspection. Due to the limitations of Packet Tracer, some of the commands included in the default MPF configuration are not supported so you will end up with a configuration similar to the following:
class-map inspection_default match default-inspection-traffic ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect tftp inspect icmp ! service-policy global_policy global
As you can see, I have enabled ICMP inspection (inspect icmp) under the “global_policy” policy map. Let’s test again:
Task 4: SSH Access
To enable SSH on the Cisco ASA, there are a couple of things we need to do:
Generate an RSA Key Pair. There is a default RSA Key pair on the Cisco ASA called “Default-RSA-Key”.
If you will be using local authentication, create username/password combinations.
Configure the ASA to use local authentication for SSH connections.
Specify what IP addresses can manage the ASA using SSH and through what interface.
We can view the default RSA key pair using the show crypto key mypubkey rsa command:
The other necessary configuration is as follows:
username insideuser password userpwd aaa authentication ssh console LOCAL ssh 0.0.0.0 0.0.0.0 inside ssh 0.0.0.0 0.0.0.0 outside
Let’s first test this configuration from the ‘Inside User’ by opening command prompt and typing “ssh –l insideuser 10.0.0.1”:
The SSH connection was successful. Let’s now test from the Outside_RTR:
Great! We have now successfully completed the tasks in this lab.
This brings us to the end of this Packet Tracer lab where we have configured routing, Cisco MPF and also enabled SSH on the Cisco ASA 5505.
In the next article, we will continue with another lab on the Cisco ASA. I hope you have found this lab insightful.
References and Further Reading
CCNA Security Certification Series- #3 Cisco Firewall Technologies- cont’d: http://resources.intenseschool.com/ccna-security-certification-series-3-cisco-firewall-technologies-contd/
CCNA Security Certification Series – #4 Cisco Firewall Technologies – cont’d: http://resources.intenseschool.com/ccna-security-certification-series-4-cisco-firewall-technologies-contd/