Welcome to this series where we will cover CCNA Security topics using Cisco Packet Tracer in our labs. Some related topics have already been covered on the Intense School site so you should consider taking a look at those first. For a guide on the Packet Tracer labs already on the site, you can check out this article.
In this lab, we will be dealing with the Cisco Adaptive Security Appliance (ASA). Starting with Packet Tracer version 6.1.1, the Cisco ASA (5505) has been added as a device so we can now use this for our lab. An introduction to the Cisco ASA has already been covered in this article, so you may want to read that article first.
Note: I will be using Packet Tracer version 6.2.
This lab deals with a basic configuration of the Cisco ASA, which will include configuring the hostname, domain name, interfaces, and security levels. The lab setup in Packet Tracer is as shown below:
Two files are attached to this article:
intro_to_cisco_asa_init.pkt: This Packet Tracer file contains the lab setup with the ‘Inside User’ and ‘Web Server’ configured with IP addresses and default gateways. The Outside_RTR is configured with an IP address on its Gi0/0 interface.
intro_to_cisco_asa_final.pkt: This Packet Tracer file contains the lab setup with the ASA fully configured to meet the lab requirements.
The tasks for this lab are as follows:
Configure the Hostname of the ASA as “PKT-ASA” and the domain name as “example.com”.
Modify VLAN 1 settings to the following: IP address of 10.0.0.1, security level of 100 and name “inside”.
Modify VLAN 2 settings to the following: IP address of 192.0.2.1, security level of 0 and name “outside”.
Create a third VLAN and name it “dmz” with a security level of 50 and assign an IP address of 172.16.10.1 to the VLAN interface. This VLAN does not need to initiate connections to the inside VLAN.
Assign Ethernet0/0 to the ‘outside’ VLAN, Ethernet0/1 to the ‘inside’ VLAN and Ethernet0/2 to the ‘dmz’ VLAN.
Verify your configuration and make sure you can ping all the connected devices from the Cisco ASA.
Task 1: Hostname and Domain Name
We use the hostname command to configure the hostname on a Cisco ASA, just as we do on Cisco IOS. The domain name, however, is configured differently: the Cisco ASA uses the domain-name command rather than the IOS form.
Note: On the Cisco IOS, the equivalent command is ip domain-name. Actually, many of the commands that have “ip” on the Cisco IOS do not have “ip” on the Cisco ASA. Examples include show route as opposed to show ip route and route as opposed to ip route.
hostname PKT-ASA
domain-name example.com
Task 2: VLAN 1 Settings
By default, VLAN 1 has already been created on the Cisco ASA 5505 and it has been named “inside” with a security level of 100. Therefore, the only change we need to make here is the IP address. However, if you try to change the IP address of that VLAN interface, you will get an error message: “Interface address is not on same subnet as DHCP pool. ERROR: ip address command failed“.
The problem is that there is a default DHCP configuration on the ‘inside’ interface as shown below:
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
One way to go about it is to remove only the DHCP pool, or to remove the entire DHCP configuration, since the task doesn’t say anything about DHCP. After removing the configuration, you can change the IP address. If you do want the ASA to keep handing out addresses on the inside, re-create the pool afterwards within the new 10.0.0.0/24 subnet; as the error message says, the ASA only accepts a pool that lies on the same subnet as the interface address.
no dhcpd address 192.168.1.5-192.168.1.35 inside
no dhcpd enable inside
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
Task 3: VLAN 2 Settings
VLAN 2 also exists in the default configuration of the Cisco ASA 5505 and is already named “outside” with a security level of 0. However, its IP address is obtained via DHCP, so we need to change that to a static configuration:
interface Vlan2
 ip address 192.0.2.1 255.255.255.0
Task 4: Setup VLAN 3
This one is a bit tricky because of the license that ships with the ASA 5505 in Packet Tracer, i.e. the Base License. With the Base License on the ASA 5505, you can only create two active VLANs plus a third, restricted VLAN. The third VLAN is restricted in that it may initiate traffic to only one of the other two VLANs; you name the VLAN it is blocked from with the no forward interface command. You don’t have this restriction with the Security Plus license.
Note: An active VLAN is one configured with the nameif command.
As such, if we try to configure VLAN 3 and add the nameif command, we will get the following message: “ERROR: This license does not allow configuring more than 2 interfaces with nameif and without a “no forward” command on this interface or on 1 interface(s) with nameif already configured.”
Therefore, as the error message states, we need the no forward interface command, which names the VLAN interface that the new VLAN may not initiate traffic to. In our case, the task specifies that the dmz does not need to initiate connections to the inside, so VLAN 3 gets no forward interface Vlan1. Note the order: the license check is applied when nameif is entered, so the no forward interface command must come before nameif or the nameif command fails with the error above. Also note that this is a licensing restriction rather than an access policy: inside hosts can still initiate connections to the dmz (and receive the return traffic), and dmz to inside traffic would in any case be denied by default because it flows from a lower (50) to a higher (100) security level. Our configuration is as follows:
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0
!
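As an added example that is not part of the original article, here is a small Python script that encodes the two checks the ASA itself applied in Task 2 (a dhcpd pool must lie on its interface’s subnet) and Task 4 (the Base License limits on VLAN interfaces with a nameif), so a saved configuration can be linted before it is pasted into the ASA. The parser, the function names and the sample configurations are my own; the samples are constructed from this lab’s addresses, the license limits (three VLANs, at most two of them unrestricted) come from the Cisco guide in the references, and the ordering check assumes, as the error message quoted above implies, that the license check is applied when nameif is entered.

```python
"""Lint an ASA 5505 config for the two rules this lab runs into: a dhcpd pool must lie
inside the subnet of its interface, and with the Base license at most three VLAN interfaces
may carry a nameif, at most two of them without a 'no forward interface' restriction.
Added example; not code from the article or from Cisco."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

BASE_LICENSE_MAX_ACTIVE_VLANS = 3   # two regular zones plus one restricted zone
BASE_LICENSE_MAX_UNRESTRICTED = 2   # nameif'd VLANs without 'no forward interface'


@dataclass
class VlanIf:
    name: str
    nameif: Optional[str] = None
    address: Optional[ipaddress.IPv4Interface] = None  # None for 'ip address dhcp'
    no_forward: Optional[str] = None        # VLAN this one may not initiate traffic to
    restriction_after_nameif: bool = False  # 'no forward interface' entered after nameif


def parse_asa_config(text: str):
    """Minimal parser. Returns ({"Vlan1": VlanIf, ...}, [(nameif, first_ip, last_ip), ...])."""
    vlans, pools, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # a top-level command ends any interface block
            current = None
            if m := re.fullmatch(r"interface (Vlan\d+)", line):
                current = vlans.setdefault(m.group(1), VlanIf(m.group(1)))
            elif m := re.fullmatch(r"dhcpd address (\S+)-(\S+) (\S+)", line):
                pools.append((m.group(3), ipaddress.IPv4Address(m.group(1)),
                              ipaddress.IPv4Address(m.group(2))))
        elif current is not None:
            if m := re.fullmatch(r"nameif (\S+)", line):
                current.nameif = m.group(1)
            elif m := re.fullmatch(r"ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", line):
                current.address = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif m := re.fullmatch(r"no forward interface (Vlan\d+)", line):
                current.no_forward = m.group(1)
                current.restriction_after_nameif = current.nameif is not None
    return vlans, pools


def check_dhcp_pools(vlans: dict, pools: list) -> list:
    """Rule 1: the condition behind 'Interface address is not on same subnet as DHCP pool'."""
    by_nameif = {v.nameif: v for v in vlans.values() if v.nameif}
    findings = []
    for nameif, first, last in pools:
        vlan = by_nameif.get(nameif)
        if vlan is None or vlan.address is None:
            findings.append(f"dhcpd pool {first}-{last}: '{nameif}' has no static address")
        elif first not in vlan.address.network or last not in vlan.address.network:
            findings.append(f"dhcpd pool {first}-{last} on '{nameif}' lies outside {vlan.address.network}")
    return findings


def check_base_license(vlans: dict) -> list:
    """Rule 2: the condition behind the 'more than 2 interfaces with nameif and without a no forward' error."""
    active = [v for v in vlans.values() if v.nameif]
    unrestricted = [v.name for v in active if v.no_forward is None]
    findings = []
    if len(active) > BASE_LICENSE_MAX_ACTIVE_VLANS:
        findings.append(f"{len(active)} VLANs carry a nameif; Base license allows {BASE_LICENSE_MAX_ACTIVE_VLANS}")
    if len(unrestricted) > BASE_LICENSE_MAX_UNRESTRICTED:
        findings.append(f"{len(unrestricted)} VLANs ({', '.join(unrestricted)}) have a nameif without "
                        f"'no forward interface'; Base license allows {BASE_LICENSE_MAX_UNRESTRICTED}")
    for v in active:
        if v.restriction_after_nameif:  # the ASA applies the license check when nameif is entered
            findings.append(f"{v.name}: 'no forward interface' must precede nameif")
    return findings


def lint(text: str) -> list:
    vlans, pools = parse_asa_config(text)
    return check_dhcp_pools(vlans, pools) + check_base_license(vlans)


# Constructed samples: the Task 2 failure state, the lab's final VLANs, and two broken variants.
STALE_DHCP_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
"""
LAB_FINAL_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.0.2.1 255.255.255.0
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 ip address 172.16.10.1 255.255.255.0
"""
UNRESTRICTED_DMZ_CONFIG = LAB_FINAL_CONFIG.replace(" no forward interface Vlan1\n", "")
MISORDERED_DMZ_CONFIG = LAB_FINAL_CONFIG.replace(
    " no forward interface Vlan1\n nameif dmz\n", " nameif dmz\n no forward interface Vlan1\n")
```

Feed lint() the text of show running-config (or the configuration you are about to paste); an empty list means both rules are satisfied, otherwise each entry names the offending pool or VLAN. The parser deliberately ignores everything except VLAN interface blocks and dhcpd address lines, so it is a pre-flight check for these two errors, not a general configuration validator.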
Task 5: Interface Assignment
The ASA 5505 has Layer 2 switchport interfaces rather than routed ports, so a physical port is placed in a security zone by assigning it to that zone’s VLAN. By default, Ethernet0/0 is already assigned to VLAN 2 (outside) and all other ports belong to VLAN 1 (inside). Therefore, we just need to move Ethernet0/2 to VLAN 3. Keep in mind that the remaining ports stay in VLAN 1, so any device plugged into an unused port lands in the most trusted zone:
interface Ethernet0/2
 switchport access vlan 3
Task 6: Verification
This last task is about verifying our configuration so far. We can begin by looking at the VLAN configuration and the VLAN assignment of the interfaces using the show switch vlan command:
We can also check the IP settings on the ASA’s interfaces using the show interface ip brief command (as opposed to show ip interface brief on the Cisco IOS):
Finally, we will ping the devices connected to the Cisco ASA on its different interfaces: 10.0.0.100 (Inside User), 172.16.10.100 (Web Server) and the Gi0/0 address of the Outside_RTR, which must be on the 192.0.2.0/24 outside subnet for the ASA to reach it without a route:
Cool, our configuration works!
This brings us to the end of this Packet Tracer lab where we have configured basic settings such as hostname, domain name and interface settings on the Cisco ASA 5505.
In the next article, we will continue with another lab on the Cisco ASA. I hope you have found this lab insightful.
References and Further Reading
CCNA Security Certification Series- #3 Cisco Firewall Technologies- cont’d: http://resources.intenseschool.com/ccna-security-certification-series-3-cisco-firewall-technologies-contd/
Starting Interface Configuration (ASA 5505) – Maximum Active VLAN Interfaces for Your License: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html#wp1321772