Difference between revisions of "Cisco ASA 5500"

From Noah.org
Jump to navigationJump to search
 
(13 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
[[Category:Engineering]]
 
[[Category:Engineering]]
 
[[Category:Networking]]
 
[[Category:Networking]]
 +
You need a tftp server and client to move rules files back and forth.
  
You need a tftp server and client to move rules files back and forth.
+
== Cisco ASDM 5.2 for ASA -- Bug in the Java manager ==
 +
 
 +
The ASA manager has a really annoying bug that can throw you off. When you create a new Security Polity rule or a NAT rule often times when you hit OK to save the rule it will popup with an error saying that the rule already exists or that it conflicts with another rule. But if you ignore the error and hit OK again then it will save the second time without complaint.
  
== login to the shell ==
+
== Login to the shell ==
  
 
Login via telnet. The ASA can use LDAP, so if it talks to your Active Directory Server then your login and password will taken from there.
 
Login via telnet. The ASA can use LDAP, so if it talks to your Active Directory Server then your login and password will taken from there.
  
set enable to turn on privileged commands -- pretty much useless without doing this!
+
<pre>
 +
$ telnet 192.168.1.1
 +
Connected to 192.168.1.1.
 +
Escape character is '^]'.
 +
 
 +
 
 +
User Access Verification
 +
 
 +
Username: Administrator
 +
Password: ********
 +
Type help or '?' for a list of available commands.
 +
fw-asa-01>
 +
</pre>
 +
 
 +
First set 'enable' to turn on privileged commands -- pretty much useless without doing this!
  
 
   fw-asa-01> enable
 
   fw-asa-01> enable
Line 18: Line 35:
 
   fw-asa-01# show configuration
 
   fw-asa-01# show configuration
  
== view the Running Configuration ==
+
== View the Running Configuration ==
  
 
Normally Running and Startup Configuration should be the same.
 
Normally Running and Startup Configuration should be the same.
Line 45: Line 62:
 
You can also save the configuration to a TFTP server:
 
You can also save the configuration to a TFTP server:
  
   fw-asa-01# write net 192.168.1.55:running-config.
+
   fw-asa-01# write net 192.168.1.55:running-config
  
== Load running configuration from a remote serve ==
+
== Load running configuration from a remote server ==
  
You will get a lot of errors and warning complaining about duplicates if the new configuration is about the same as the current running configuration. I think this is harmless.
+
Most of the instructions out there show you how to load a new running-config using a command like this:
  
 
   fw-asa-01# copy tftp://192.168.1.55/running running-config
 
   fw-asa-01# copy tftp://192.168.1.55/running running-config
  
== TFTP Note for Ubuntu ==
+
The problem is that this actually <strong>merges</strong> your file with the current running-config. That works fine when you don't have a running-config already defined. This is useless if you are trying to edit and update existing firewall rules. If you try to merge with an existing complex running-config you will get a lot of errors like this:
 +
 
 +
<pre>
 +
ERROR: DNS Duplicate server address activedirectory01
 +
ERROR: DNS Duplicate server address 192.168.1.2
 +
Adding obj (port-object eq pop3) to grp (mail) failed; object already exists
 +
Adding obj (port-object eq imap4) to grp (mail) failed; object already exists
 +
Adding obj (port-object eq smtp) to grp (mail) failed; object already exists
 +
Adding obj (port-object eq ssh) to grp (Roothack) failed; object already exists
 +
Adding obj (port-object eq www) to grp (Roothack) failed; object already exists
 +
</pre>
 +
 
 +
The trick is to copy your new rules over the startup-config and then restart the ASA. This seems stupid because then you can't load and test new rules without being able to revert to a working state if something goes wrong.
 +
 
 +
  copy tftp://192.168.1.55/running-config2 startup-config
 +
  reload
 +
 
 +
== TFTP Notes for Ubuntu ==
  
To move the configuration on and off the firewall you will need a Trivial FTP server. On Ubuntu, install tftpd-hpa:
+
To move files on and off embedded devices and firewalls you often need a Trivial FTP server. On Ubuntu, install tftpd-hpa:
  
   apt-get -q -y install tftpd-hpa
+
   aptitude -q -y install tftpd-hpa
  
 
Edit configuration (vim /etc/default/tftpd-hpa) to something like this:
 
Edit configuration (vim /etc/default/tftpd-hpa) to something like this:
  
 
   #Defaults for tftpd-hpa
 
   #Defaults for tftpd-hpa
   RUN_DAEMON="no"
+
   RUN_DAEMON="yes"
 
   # The -c option allows clients to write files.
 
   # The -c option allows clients to write files.
 
   # Files are read and written from /tmp.
 
   # Files are read and written from /tmp.

Latest revision as of 05:27, 1 December 2008

You need a tftp server and client to move rules files back and forth.

Cisco ASDM 5.2 for ASA -- Bug in the Java manager

The ASA manager has a really annoying bug that can throw you off. When you create a new Security Polity rule or a NAT rule often times when you hit OK to save the rule it will popup with an error saying that the rule already exists or that it conflicts with another rule. But if you ignore the error and hit OK again then it will save the second time without complaint.

Login to the shell

Login via telnet. The ASA can use LDAP, so if it talks to your Active Directory Server then your login and password will taken from there.

$ telnet 192.168.1.1
Connected to 192.168.1.1.
Escape character is '^]'.


User Access Verification

Username: Administrator
Password: ********
Type help or '?' for a list of available commands.
fw-asa-01>

First set 'enable' to turn on privileged commands -- pretty much useless without doing this!

 fw-asa-01> enable

View saved Startup Configuration

Use the show command:

 fw-asa-01# show configuration

View the Running Configuration

Normally Running and Startup Configuration should be the same. See below to edit or save the Running Configuration to the Startup.

 fw-asa-01# show running-config

Shun or Ban an external host

It's easy to ban a host by IP address:

 fw-asa-01# shun A.B.C.D

This is equivalent to the following in Linux iptables:

 iptables -I INPUT -j DROP -s A.B.C.D

Save running configuration

Edits to the running configuration must be saved before a reboot:

 fw-asa-01# write memory

Copy running configuration to remote server

You can also save the configuration to a TFTP server:

 fw-asa-01# write net 192.168.1.55:running-config

Load running configuration from a remote server

Most of the instructions out there show you how to load a new running-config using a command like this:

 fw-asa-01# copy tftp://192.168.1.55/running running-config

The problem is that this actually merges your file with the current running-config. That works fine when you don't have a running-config already defined. This is useless if you are trying to edit and update existing firewall rules. If you try to merge with an existing complex running-config you will get a lot of errors like this:

ERROR: DNS Duplicate server address activedirectory01
ERROR: DNS Duplicate server address 192.168.1.2
Adding obj (port-object eq pop3) to grp (mail) failed; object already exists
Adding obj (port-object eq imap4) to grp (mail) failed; object already exists
Adding obj (port-object eq smtp) to grp (mail) failed; object already exists
Adding obj (port-object eq ssh) to grp (Roothack) failed; object already exists
Adding obj (port-object eq www) to grp (Roothack) failed; object already exists

The trick is to copy your new rules over the startup-config and then restart the ASA. This seems stupid because then you can't load and test new rules without being able to revert to a working state if something goes wrong.

 copy tftp://192.168.1.55/running-config2 startup-config
 reload

TFTP Notes for Ubuntu

To move files on and off embedded devices and firewalls you often need a Trivial FTP server. On Ubuntu, install tftpd-hpa:

 aptitude -q -y install tftpd-hpa

Edit configuration (vim /etc/default/tftpd-hpa) to something like this:

 #Defaults for tftpd-hpa
 RUN_DAEMON="yes"
 # The -c option allows clients to write files.
 # Files are read and written from /tmp.
 OPTIONS="-c -l -s /tmp"

Start the TFTP server:

 /etc/init.d/tftpd-hpa start