
Managing the ASA

Enabling Telnet on the lowest security interface of the appliance is one of those things that many people just don't do, but it is nice to know whether it can be done and what is needed to do it, in case you do need to utilize it in your infrastructure. Cisco documentation states that telnet can only be enabled on the lowest security interface as long as IPSec is terminated on that same interface. Hmmm. Keith over at INE posted a blog entry that can be found here: Bob's Challenge. In one of Keith's solutions (number 4), he does mention enabling IPSec on the tunnel interface, and one of the solutions shows how to do this.

This blog will discuss and show the ways that we can manage the device when connecting to the lowest security interface. Let’s observe the following, simple topology:

Interface F0/0 has been named outside and has the default security-level of 0. The IP addresses have been configured on the devices as shown in the above diagram.

So most of us will go ahead and enable ssh on the outside interface, and some others who like the GUI will also enable http (usually on a port other than 80 or 443, since we all love to use SSL VPN). So let's start by using the ssh and http commands to configure these two management protocols before moving on to telnet. These commands will allow R1 to manage the ASA (although ASDM is not on the router for obvious reasons, we can test to make sure the ASA allows traffic to its port):


ciscoasa(config)#ssh 192.168.1.1 255.255.255.255 outside
ciscoasa(config)#http 192.168.1.1 255.255.255.255 outside
ciscoasa(config)#http server enable
ciscoasa(config)#asdm image flash:asdm-621.bin

Let’s make sure that our http port is open to accept ASDM connections:


Router#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open

[Connection to 192.168.1.2 closed by foreign host]

Everything looks ok with ASDM access to port 80. For ssh access, we need to specify a username. The default username is "pix" and the password is "cisco". Let's make sure this works:


Router#ssh -l pix 192.168.1.2

Password:
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa#

Everything looks fine. Now, for some reason, somebody loves telnet and needs it enabled on the outside interface (or whichever interface has the lowest security level). Let's set up telnet and try to access the ASA via the outside interface:


ciscoasa(config)#telnet 192.168.1.1 255.255.255.255 outside

So let’s try and access the ASA from the router:


Router#telnet 192.168.1.2

[Connection to 192.168.1.2 closed by foreign host]

Ok, so we can see that we will have to implement a solution for this. We will terminate an IPSec tunnel between the ASA's outside interface and the router. Here are the final configurations of both devices. Note that the configurations were cleared before this setup. I have made bold all required commands for the IPSec configuration.


Router Configuration
Router#sh run
Building configuration...

Current configuration : 1523 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key manage address 192.168.1.2
!
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
!
crypto map crypto_map 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set aes256sha
 match address acl_crypto_traffic
!
archive
 log config
  hidekeys
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map crypto_map
!
interface FastEthernet1
 ip address dhcp
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.2
no ip http server
no ip http secure-server
!
!
ip access-list extended acl_crypto_traffic
 permit ip host 192.168.1.1 host 192.168.1.2
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login
!
end


ASA Configuration

ciscoasa# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
access-list acl_crypto_traffic extended permit ip host 192.168.1.2 host 192.168.1.1
pager lines 24
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map crypto_map 10 match address acl_crypto_traffic
crypto map crypto_map 10 set peer 192.168.1.1
crypto map crypto_map 10 set transform-set aes256sha
crypto map crypto_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet 192.168.1.1 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.1 255.255.255.255 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
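The tunnel only comes up because the two configurations above agree on every negotiated parameter: the ISAKMP policy (AES-256, SHA, pre-shared key, DH group 5), the transform set, the peer addresses, and a crypto ACL that is the exact mirror of the other side's. The following is an added example, not code from the original post or from Cisco: a small Python checker that parses the IPSec-relevant lines of both configurations (constructed here as trimmed copies of the router and ASA configs shown above) and reports which of those four things match. The normalization of IOS's `encr aes 256` / `esp-aes 256` to the ASA's `aes-256` / `esp-aes-256` spelling, and the assumed defaults of `hash sha` and `lifetime 86400` when a policy line is absent, are the checker's own assumptions.

```python
import re

# Constructed samples: the IPSec-relevant lines from the router and ASA
# configurations above, trimmed to what the check needs.
ROUTER_CFG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
crypto map crypto_map 10 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set aes256sha
 match address acl_crypto_traffic
ip access-list extended acl_crypto_traffic
 permit ip host 192.168.1.1 host 192.168.1.2
"""

ASA_CFG = """\
access-list acl_crypto_traffic extended permit ip host 192.168.1.2 host 192.168.1.1
crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto map crypto_map 10 match address acl_crypto_traffic
crypto map crypto_map 10 set peer 192.168.1.1
crypto map crypto_map 10 set transform-set aes256sha
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

# Assumed defaults applied when a policy line is absent (both platforms
# default the hash to SHA and the lifetime to 86400 seconds).
ISAKMP_DEFAULTS = {"hash": "sha", "lifetime": "86400"}


def isakmp_policy(cfg):
    """Normalized attributes of the first 'crypto isakmp policy' block."""
    attrs = dict(ISAKMP_DEFAULTS)
    in_policy = False
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy "):
            in_policy = True
            continue
        if in_policy and line.startswith(" "):
            words = line.split()
            key = {"encr": "encryption"}.get(words[0], words[0])
            # 'encr aes 256' (IOS) and 'encryption aes-256' (ASA) mean the same
            attrs[key] = "-".join(words[1:])
        else:
            in_policy = False
    return attrs


def transform_set(cfg):
    """Transforms of the first transform-set, with IOS 'esp-aes 256' joined."""
    m = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    tokens = []
    for tok in m.group(1).split():
        if tok.isdigit():
            tokens[-1] += "-" + tok
        else:
            tokens.append(tok)
    return frozenset(tokens)


def crypto_acl(cfg):
    """(source, destination) host pairs of the crypto ACL."""
    return re.findall(r"permit ip host (\S+) host (\S+)", cfg)


def peers(cfg):
    return re.findall(r"set peer (\S+)", cfg)


def check_peering(router_cfg, asa_cfg):
    """Return a name -> bool map of the parameters that must agree."""
    r_acl, a_acl = crypto_acl(router_cfg), crypto_acl(asa_cfg)
    r_local = {src for src, _ in r_acl}
    a_local = {src for src, _ in a_acl}
    return {
        "isakmp_policy": isakmp_policy(router_cfg) == isakmp_policy(asa_cfg),
        "transform_set": transform_set(router_cfg) == transform_set(asa_cfg),
        # The ASA's ACL must be the router's ACL with source/destination swapped
        "crypto_acl_mirrored": {(d, s) for s, d in a_acl} == set(r_acl),
        # Each side's peer must be the address the other side protects as local
        "peers_consistent": set(peers(router_cfg)) == a_local
                            and set(peers(asa_cfg)) == r_local,
    }


if __name__ == "__main__":
    for name, ok in check_peering(ROUTER_CFG, ASA_CFG).items():
        print(f"{name:20s} {'match' if ok else 'MISMATCH'}")
```

Run it as-is and all four checks report a match; change the ASA's `group 5` to `group 2` and the ISAKMP policy check is the one that fails, which is the same kind of mismatch you would otherwise only see as a phase 1 failure in `debug crypto isakmp`.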

Ok, let’s bring up the IPSec tunnel between the two devices by using ping:


Router#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
Router#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.1.2     192.168.1.1     QM_IDLE           2011 ACTIVE

IPv6 Crypto ISAKMP SA

Router#sh crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: crypto_map, local addr 192.168.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

The IPSec tunnel is now up and we are passing encrypted traffic. Let us see if we can telnet to the outside interface now. By default the line password for the ASA is “cisco”:


Router#telnet 192.168.1.2
Trying 192.168.1.2 ... Open
User Access Verification

Password: (use the password of “cisco” here)
Type help or '?' for a list of available commands.
ciscoasa> en
Password: (until you enable a password on the ASA (enable), this is blank)

We see that we can telnet to the lowest security interface on the ASA. I hope this has been helpful!
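The rule the whole walkthrough turns on is easy to check mechanically: find the interface with the lowest security-level, and for every `telnet` statement bound to it, confirm that a crypto map is applied and ISAKMP enabled on that same interface. The following is an added example, not code from the original post or from Cisco: a Python audit of ASA management-access lines (`telnet`, `ssh`, `http`) against that rule. The sample configuration is constructed from the ASA config shown above; the `inside` Vlan1 interface with security-level 100 is an assumption added so that there is more than one interface to rank, and the `Finding` statuses are the checker's own vocabulary.

```python
import re
from dataclasses import dataclass

# Constructed sample, trimmed from the ASA running-config above. The 'inside'
# interface is an added assumption so the lowest-security interface is not the
# only one.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
crypto map crypto_map 10 match address acl_crypto_traffic
crypto map crypto_map 10 set peer 192.168.1.1
crypto map crypto_map interface outside
crypto isakmp enable outside
telnet 192.168.1.1 255.255.255.255 outside
telnet 10.0.0.0 255.255.255.0 inside
ssh 192.168.1.1 255.255.255.255 outside
http 192.168.1.1 255.255.255.255 outside
"""


@dataclass
class Finding:
    proto: str
    source: str
    nameif: str
    status: str   # "ok", "refused" or "unknown-interface"
    reason: str


def parse_security_levels(cfg):
    """Map each nameif to its security-level from the interface blocks."""
    levels, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = None
        elif line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels


def ipsec_interfaces(cfg):
    """Interfaces that both carry a crypto map and have ISAKMP enabled."""
    maps = set(re.findall(r"^crypto map \S+ interface (\S+)$", cfg, re.M))
    isakmp = set(re.findall(r"^crypto isakmp enable (\S+)$", cfg, re.M))
    return maps & isakmp


def strip_ipsec(cfg):
    """The same config with every 'crypto' line removed (the 'before' state)."""
    return "\n".join(l for l in cfg.splitlines() if not l.startswith("crypto "))


def audit_management_access(cfg):
    levels = parse_security_levels(cfg)
    lowest = min(levels.values()) if levels else None
    ipsec = ipsec_interfaces(cfg)
    findings = []
    # Only the 3-argument forms match; 'http server enable' and 'ssh timeout 5' do not
    for proto, host, mask, nameif in re.findall(
            r"^(telnet|ssh|http) (\S+) (\S+) (\S+)$", cfg, re.M):
        source = f"{host}/{mask}"
        if nameif not in levels:
            findings.append(Finding(proto, source, nameif, "unknown-interface",
                                    "no nameif with a security-level matches"))
        elif proto == "telnet" and levels[nameif] == lowest and nameif not in ipsec:
            findings.append(Finding(proto, source, nameif, "refused",
                                    "telnet on the lowest security-level interface "
                                    "requires IPSec terminated on that interface"))
        elif proto == "telnet" and levels[nameif] == lowest:
            findings.append(Finding(proto, source, nameif, "ok",
                                    "allowed: reachable only inside the IPSec tunnel"))
        else:
            findings.append(Finding(proto, source, nameif, "ok", ""))
    return findings


if __name__ == "__main__":
    for label, cfg in (("without IPSec", strip_ipsec(ASA_CONFIG)),
                       ("with IPSec", ASA_CONFIG)):
        print(f"--- {label}")
        for f in audit_management_access(cfg):
            print(f"{f.proto:6s} {f.source:32s} {f.nameif:8s} {f.status:18s} {f.reason}")
```

Run against the stripped config, the `telnet ... outside` line is reported as refused, which is exactly the "closed by foreign host" behaviour seen earlier, while the `inside` telnet entry is unaffected because that interface is not the lowest; with the crypto map and `crypto isakmp enable outside` present, the same line is accepted.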
