Thu, Oct 21, 21, firewall, vpn and dynamic routing and Lina

curious programmer

Cisco Adaptive Security Appliancy is known as the Cisco ASA. It is used to protect networks and data centres.

It offers firewall, VPN and facilitates dynamic routing amongst other features and capabilities.

It runs on Linux using a single Executable and Linkable Format program called lina. Lina schedules processes and handles things like concurrency internally rather than using the underlying Linux capabilities.

In this post I share a few of the CLI commands to query, operate and configure the device.

Access privelage EXEC mode

ciscoasa is the default hostname for the default ASA state. You will see that you are in EXEC mode with the ciscoasa> prompt.

Type enable to access privilege EXEC mode. The default password is blank. The prompt changes to ciscoasa#

Lockdown access to ASA

show displays sensitive data and we don’t want prying eyes to see that.

enable password <PASSWORD>
show running-config enable

To verify the password works, we need to exit the modes. exit config mode and then privilege EXEC.

Create a local user account

The highest privilege is 15

username admin password cisco privilege 15
show running-config user

Get more information about the system

show version

show processes

show file system

show flash

Set a hostname

Change the hostname from the global configuration mode.

configure terminal or config terminal or config t

Notice the prompt becomes ciscoasa(config)#

Enter hostname <HOSTNAME> and your prompt will change to that name.

Set the clock for logs and what-not

Timestamps are important for logs. They help administrators understand the order of events. clock set hh:mm:ss {month day | day month} year

clock set 21:10:00 9 february 2019
show clock

Assign a domain name

domain-name ec2-1-2-3-4.compute-1.amazonaws.com
show running-config domain-name

Show a banner

In your global configuration mode oxygen(config)# we can set banners. Below we configure the message of the day (MOTD) banner.

banner motd Please be advised unauthorized access is strictly prohibited
banner motd All access are recorded for security purposes
banner motd This device is the property for ACME Corp.
show banner

Inside/Outside interfaces

oxygen(congif)# show interface oxygen(config)# interface management0/0 oxygen(config-if)# nameif Inside oxygen(config-if)# security-level 100 oxygen(config-if)# ip address 192.168.2.1 255.255.255.0 oxygen(config-if)# nameif Inside oxygen(config-if)# nameif Inside

References

I work with NATs and ACLs on Cisco ASA (Adaptive Security Appliance) in the terminal. I want a sandbox environment for me to go bonkers. I couldn’t find an image from Cisco to download and install so I chose to go shopping on the AWS Marketplace.

I found Cisco Adaptive Security Virtual Appliance (ASAv) - Standard Package. They say it brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments. I think that’s pretty much what I need.

Cisco does party hard. They charge you and it can get quite pricey. They predefine the instances you can select which does not fall under the AWS free usage tier. As I write this, there is a 5-day trial and thereafter a charge of $0.69 per hour.

I need you to brace yourself for this shopping experience. It’s not very user friendly and it becomes repetitive.

WARNING! You will get an error after you have created your instance if your account has not been verified. There is an option to replay the order for your instance so your time would not have been for nothing.

Going shopping

  1. To enter the marketplace you need to authenticate. Access the AWS Account page. Sign in. Sign up. You know best.
  2. Squeeze your way past all the tempting options by going directly to the Cisco Adaptive Security Virtual Appliance (ASAv) - Standard Package.
  3. Proceed to the first level of checkout. There will be a few of these. Go on by clicking on the top right orange button on each page.
    • Continue to Subscribe gives you more information about annual licensing and the TOCs.
    • Continue to Configuration gives you a small fulfillment form you need to verify or change. Specify the image (64xbit (x86) Amazon Machine Image (AMI)), ASAv version (9.9.2.1 (May 10, 2018)) and region (US East (N. Virginia)). I just chose the defaults.
    • Continue to Launch shows you a screen to review your instance configuration and choose how you want to launch the software. I went with Launch through EC2.

Building your instance

Now that we are done shopping and spending all our money, we shall proceed to build our Cisco instance. One does not simply build such an instance so let’s take it one step at a time shall we. Okay, this statement rings true for me at least.

  1. Default to everything. Don’t get clever just yet. Let’s first get something up and running. You can terminate it and create a new one later.
  2. Choose your instance type. I chose m4.large (6.5 ECUs, 2 vCPUs, 2.4 GHz, Intel Xeon E5-2676v3, 8 GiB memory, EBS only). This is the minimum requirement for Cisco ASAv.
  3. Check out the other entries then click on the blue button Preview and Launch.

You’ll get warnings. Possibly two. One will be about improving your instance security because the firewall created is open so that whole world can access your instance (inbound SSH defined on 0.0.0.0/0) and the other will politely explain that your instance is not eligible for the free usage tier.

Change what you want. Verify the order. Click on Launch which proceeds to another step: Select an existing key pair or create a new key. Use this key to authenticate to your instance without a password. I downloaded mine, moved it to ~/.ssh and chown 400 ~/.ssh/awesome.pem.

The name of your key is the .pem filename so I avoided special characters the second time around.

Finally, you can click on the blue Launch Instances button. If all goes according to plan, the instance will launch.

Accessing your AWS instance

Here is where the fun begins. Can you ping it? Copy the Public DNS IPv4 address and slap that into a ping command in your terminal. Access that under Dashboard > Running Instances > copy the Public DNS IPv4 address from the table of instances for your instance.

I can’t ping my AWS instance

No luck? Let’s try Network & Security > Security Groups > right-click on the associated security group > Edit inbound rules > Add Rule. Type=Custom ICMP Rule - IPv4, Protocol=Echo Request, Source=Anywhere/My IP.

Can you SSH to it? On the instances page, click on the Connect button for that instance and get more information about what to do with your .pem file. It’s basically what I explained above. For our instance we need to connect using the admin user and include our .pem file which we can do as follows ssh -i "~/.ssh/awesome.pem" admin@ec2-1-2-3-4.compute-1.amazonaws.com

I can’t SSH to my AWS instance

Still no luck? Let’s try Network & Security > Security Groups > right-click on security group > Edit inbound rules again.

  • Does your firewall have a rule configured for SSH?
  • What sources can access your instance? Any (0.0.0.0/0) or your current IP address?
  • Is your instance using the correct security group?
  • Can you ping your instance yet? If not, check your VPC and network interface. I had an instance configured and couldn’t get a network interface to attatch. Eventually I terminated it, recreated it and it worked. If I knew where the correct settings were, I wouldn’t have had to do that.

Using ASA

What a journey!

I am finally in. There is a ciscoasa> prompt. Basic commands are permitted in this mode. See them ?

Go into admin mode login admin and again press ? to see admin commands.

The mode I hang around in the most is the config mode. Once logged in config t which is short for config terminal For the last time, press ? for all the commands available. WHAM! The instance works and I can get my hands dirty on my very own Cisco box.

The following wiki, pages and posts are tagged with

TitleTypeExcerpt
Cisco adaptive security appliancy, to protect data center and networks post Thu, Oct 21, 21, firewall, vpn and dynamic routing and Lina
Network books and reference post Sun, Nov 07, 21, network books and references including illustration and field examples
udt tcp protocol post Sun, Nov 07, 21, definition of protocols
visible light communication in 5G post Tue, Dec 28, 21, utilizes infrared (IR), visible, and ultraviolet (UV) subbands in overcoming comm huddles
network scanner for windows post Mon, Jan 24, 22, network scanner