Cisco ASA on VmWare ESXi install and basic config

Goal
Prepare for the CCNA Security exam and test a Cisco ASA appliance on VMware ESXi infrastructure.


ASDM java workaround

ASA mgmt ip: 10.10.10.15
download https://10.10.10.15/admin/public/asdm.jnlp

C:\Users\sc>javaws C:\Users\sc\Downloads\asdm.jnlp

show isa sa
show cry ipsec sa
show vpn-sessiondb detail l2l

debug crypto isakmp 7
debug crypto ipsec 7
debug crypto condition peer <peer IP>
un all

clear crypto ipsec sa
clear crypto isakmp sa


!
interface Management0/0
 management-only
 nameif mgmt
 security-level 0
 ip address 10.200.200.17 255.255.255.0 
!
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http 10.10.10.0 255.255.255.0 mgmt
username scp password pg94qEe@#$87hXXJ encrypted privilege 15



Install
1. Select ESXi host
2. File -> Deploy OVF Template
3. Select the OVF (ASA OVF templates are available on the Internet)

Add Serial Port (Network Based) to redirect Console Port.


Start the VM and connect with telnet to 10.1.1.2 (ESXi host mgmt IP) port 2052.
The Cisco ASA software loads:
Initializing cgroup subsys cpu
Linux version 2.6.29.6 (builders@bld-releng-05a) (gcc version 4.3.4 (crosstool-NG-1.5.0) ) #1 PREEMPT Wed Jun 15 17:19:01 MDT 2011
...
Starting network...
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 48 files, 10090/65443 clusters
...
This platform has an ASA 5520
Cisco Adaptive Security Appliance Software Version 8.4(2)

Basic Config

0. Reset Config

write erase
Erase configuration in flash memory? [confirm]
...
Process shutdown finished
Rebooting.....
Restarting system.
machine restart
...
Preconfiguration
Pre-configure Firewall now through interactive prompts [yes]? no
Type help or '?' for a list of available commands.
ciscoasa>
Password:    (exec password is not set - just press enter)
ciscoasa#

1. Interfaces
ciscoasa(config)# interface GigabitEthernet0
ciscoasa(config-if)#  nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)#  security-level 100
ciscoasa(config-if)#  ip address 10.2.1.252 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# !
ciscoasa(config-if)# !
ciscoasa(config-if)# interface GigabitEthernet1
ciscoasa(config-if)#  nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)#  security-level 0
ciscoasa(config-if)#  ip address 1.1.1.43 255.255.255.192
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# mtu inside 1500
ciscoasa(config-if)# mtu outside 1500

2. Hostname and DNS
ciscoasa(config-if)# hostname esx1-asa2
esx1-asa2(config)# domain-name mydmn.com

esx1-asa2(config)# dns domain-lookup outside
esx1-asa2(config)# dns server-group DefaultDNS
esx1-asa2(config-dns-server-group)#  name-server 8.8.8.8
esx1-asa2(config-dns-server-group)#  name-server 8.8.4.4
esx1-asa2(config-dns-server-group)#  domain-name mydmn.com

3. Enable/VTY Passwords
! Enable password encryption
key config-key password-encryption s0m3-encryt3d-t3kst
password encryption aes

! Password for Privileged EXEC (equivalent of the IOS enable secret)
enable password <password>
enable password pas@#E!dc

! The login password is used for Telnet and SSH connections.
{passwd | password} <password>

passwd DV#F#$FD4f$

4. Set Telnet Access and Tune Timers
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 15
console timeout 0
To enable SSH:
esx1-asa2(config)# crypto key generate rsa modulus 1024
  INFO: The name for the keys will be: <Default-RSA-Key>
  Keypair generation process begin. Please wait...
esx1-asa2(config)# ssh 10.1.1.0 255.255.255.0 inside
esx1-asa2(config)# ssh version 2
esx1-asa2(config)# ssh timeout 15

5. Set Time and NTP
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
ntp server 10.1.1.4
ntp server 10.1.1.1

6. Set Up Access to Cisco ASDM
http server enable
http 10.1.1.0 255.255.255.0 inside

7. Set Default Gateway
route outside 0.0.0.0 0.0.0.0  2.3.4.5   1

8. Set Up Users
esx1-asa2(config)# username sc password ********* privilege 15
Minimum allowed username length is 3
ERROR: Username addition failed.
esx1-asa2(config)# username sclabs password ********* privilege 15 
! Use the local database as the main authentication method with no fallback: enter LOCAL alone
(config)#aaa authentication ssh console LOCAL

9. Set Up SNMP
esx1-asa2(config)#   snmp-server host inside 10.1.1.42 community ***** version 2c
esx1-asa2(config)#   snmp-server community *****
esx1-asa2(config)#   snmp-server location ESX1-location
esx1-asa2(config)#   snmp-server contact noc@mydmn.com
esx1-asa2(config)#   logging buffered notifications
esx1-asa2(config)#   logging buffer-size 1048576

10. Apply activation keys


11. Save config and reload
esx1-asa2(config)# wr
Building configuration...
Cryptochecksum: 35f32de6 81c535ed 3dce03ec 13f334ff
2568 bytes copied in 0.40 secs
[OK]
esxi1-asa2# reload
Proceed with reload? [confirm]
esxi1-asa2#
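The management settings from steps 4, 6, 8 and 9 (telnet access, SSH version, console timeout, SNMP v2c communities, access networks) are the ones worth re-checking before the ASA leaves the lab. The audit below is an added example, not part of these notes or any Cisco tool; it assumes running-config text in the same form as the commands shown above, and the sample config and community placeholder are constructed.

```python
import re

# Constructed sample: the management lines that steps 4, 6, 8 and 9 above
# leave in the running-config (community string replaced by a placeholder).
SAMPLE_CONFIG = """\
hostname esx1-asa2
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 15
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 15
console timeout 0
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.42 community COMMUNITY-PLACEHOLDER version 2c
snmp-server community COMMUNITY-PLACEHOLDER
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "telnet|ssh|http <network> <mask> <interface>" management access lines
ACCESS_LINE = re.compile(rf"^(telnet|ssh|http) ({IPV4}) ({IPV4}) (\S+)$")
# SNMP v1/v2c community definitions (host-specific or global)
SNMP_COMMUNITY = re.compile(r"^snmp-server (?:host \S+ \S+ )?community \S+(?: version (?:1|2c))?$")

def audit_asa_config(config: str) -> list[str]:
    """Return one finding per weak management setting in an ASA config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings, ssh_enabled = [], False
    for ln in lines:
        m = ACCESS_LINE.match(ln)
        if m:
            proto, net, mask, ifname = m.groups()
            if proto == "telnet":
                findings.append(f"cleartext telnet management on {ifname} from {net} {mask}")
            if proto == "ssh":
                ssh_enabled = True
            if mask == "0.0.0.0":
                findings.append(f"{proto} management on {ifname} open to any source")
        elif ln == "console timeout 0":
            findings.append("console sessions never time out (console timeout 0)")
        elif SNMP_COMMUNITY.match(ln):
            findings.append("SNMP v1/v2c community string in cleartext: " + ln.split(" community")[0])
    # ssh access without an explicit "ssh version 2" still allows SSHv1
    if ssh_enabled and "ssh version 2" not in lines:
        findings.append("ssh access enabled without 'ssh version 2' (SSHv1 allowed)")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of `show running-config` copied from the console; the sample above yields four findings (telnet, console timeout, and the two SNMP community lines).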

Post-install configuration:
1) Configure split tunnel for the AnyConnect profile
Permit any traffic (Internet) when the tunnel is up.
Default: only protected traffic (10.1.1.0/24) is permitted when the tunnel comes up.
 group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
    wins-server none
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value MYLAN

...
access-list MYLAN  line 1 remark MYLAN MGMT
access-list MYLAN  line 2 standard permit 10.1.1.0 255.255.255.0
2) Permit profile selection for both AnyConnect and clientless clients
ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

3) Enable both AnyConnect and clientless clients
Error: Clientless (browser) SSL VPN access is not allowed.
You can't have both the AnyConnect Essentials license and the AnyConnect Premium license enabled on the same ASA. It is one or the other.
esxi1-ciscoasa-si(config)# webvpn
esxi1-ciscoasa-si(config-webvpn)#   no anyconnect-essentials
https://supportforums.cisco.com/thread/2048458