Basic Checks:
Versions and image; certificates, such as the temporary self-signed one; allowed access, such as SSH; user authentication, etc.
Certificates Options:
Temporary Self-signed
Permanent Self-signed
Permanent from CA
Configuring:
Security Levels and Other Interfaces
NAT and DHCP Services
Verification
To check licensing in ASDM:
Config -> Device Management -> Licensing -> Activation Key
To check the boot image:
Config -> Device Management -> System Image -> Boot Image
To check management access:
Config -> Device Management -> Management Access -> ASDM/https/telnet/ssh
To allow HTTP and SSH on the inside interface:
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
Let's create some users in the LOCAL database on the ASA:
Config -> device mgmt -> Users/AAA -> user accounts
CLI:
username admin password XXXXXXX encrypted privilege 15
Now use the LOCAL database for HTTP and SSH access:
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
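An offline check of these management-access and AAA lines, as an added example that is not part of the original post: the Python sketch below parses a saved configuration and reports telnet rules, any-source rules, management on interfaces outside a trusted list, and protocols with no matching aaa authentication line. The function name, the trusted-interface list and the sample text (the page's lines plus one constructed telnet line) are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample: the management-access and AAA lines from this page,
# plus one deliberately weak telnet line added for illustration.
SAMPLE_CONFIG = """\
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
username admin password XXXXXXX encrypted privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
"""

ACCESS_RE = re.compile(r"^(http|ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
AAA_RE = re.compile(r"^aaa authentication (\S+) console \S+")


def audit_mgmt_access(config, trusted_ifaces=("inside",)):
    """Return a sorted list of findings for the management-access lines."""
    rules, aaa = [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACCESS_RE.match(line):
            proto, addr, mask, iface = m.groups()
            rules.append((proto, ipaddress.ip_network(f"{addr}/{mask}"), iface))
        elif m := AAA_RE.match(line):
            aaa.add(m.group(1))  # protocol that has an explicit AAA method
    findings = []
    for proto, net, iface in rules:
        src = f"{proto} {net} on {iface}"
        if proto == "telnet":
            findings.append(f"cleartext management protocol: {src}")
        if net.prefixlen == 0:
            findings.append(f"any source allowed: {src}")
        if iface not in trusted_ifaces:
            findings.append(f"management on untrusted interface: {src}")
        if proto not in aaa:
            findings.append(f"no 'aaa authentication {proto} console' line: {src}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE_CONFIG):
        print(finding)
```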
Certificate Options:
Config -> device mgmt -> certificate mgmt -> Identity cert
We can have an inside host act as the DHCP server so that it can assign IP addresses to outside clients.
We can also configure NAT: traffic coming from the 10.0.0.0 network and going to the internet through the outside interface has its source IP address translated.
The router is doing some basic NAT as well for the 192.168.1.0/24 address space.
To verify routing:
Monitoring -> Routing -> Routes
To configure NAT:
Config -> Firewall -> NAT
nat (inside,outside) 1 source dynamic any interface
# NAT from inside to outside for traffic from any IP, with PAT on the outside interface.
Configure DHCP server:
config -> device mgmt -> dhcp -> dhcpserver
dhcpd address 10.0.0.51-10.0.0.60 inside
dhcpd enable inside
dhcpd dns 8.8.8.8 interface inside