
Monday, December 21, 2015

ASA CLI L3-4



## Enter privileged EXEC, then global configuration mode
enable
configure terminal

## Inspect the management interface's current settings before touching it
show running-config interface Management0/0

## Configure interfaces
## security-level defines trust: 100 is most trusted, 0 least. With no ACL
## applied, the ASA forwards from a higher level to a lower one and drops the
## reverse, so these values set the boundaries inside/management (100) >
## dmz (50) > outside (0). Interfaces at the same level (inside and
## management here) do not talk to each other unless
## "same-security-traffic permit inter-interface" is added.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.100 255.255.255.0
 no shutdown
exit
## NOTE(review): if this platform does not already treat Management0/0 as
## management-only, add "management-only" under it so it cannot forward
## through-traffic -- check with "show run int m0/0".

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.123.0.100 255.255.255.0
 no shutdown
exit

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.100 255.255.255.0
 no shutdown
exit

interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.5.100 255.255.255.0
 no shutdown
exit

## ASDM (HTTPS) management: enable the server, then restrict who may connect.
## The "http" line is an allow-list -- only 192.168.1.0/24 arriving on the
## management interface is accepted; every other source is refused.
http server enable
http 192.168.1.0 255.255.255.0 management

## Verify interface names, addresses and link/protocol status
show interface ip brief

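## Default route via R2 (10.123.0.1) out the outside interface.
## The trailing 1 is the administrative distance (AD); lower AD is preferred.
## (The explanation must stay on a comment line -- text after the AD is not
## valid CLI and makes the command fail if pasted.)
route outside 0.0.0.0 0.0.0.0 10.123.0.1 1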

## SNMPv3 with authentication (SHA) and privacy (AES-128).
## NOTE(review): "a-pass" and "e-pass" are lab placeholders; use strong,
## distinct passphrases in production. Once entered, the ASA rewrites the
## user line in the running config with localized keys rather than the
## plaintext passphrases (confirm with "show run snmp-server").
snmp-server location CBT Nuggets Lab
snmp-server contact Keith Barker

## Group G1 requires the authPriv security model for its members
snmp-server group G1 v3 priv
snmp-server user U1 G1 v3 auth sha a-pass priv aes 128 e-pass

## .23 (reached via the management interface) is the management station:
## polls are accepted from it and traps are sent to it, as user U1
snmp-server host management 192.168.1.23 version 3 U1

## Raise a trap when CPU utilisation rises above 80% over a 1-minute period
snmp cpu threshold rising 80 1
snmp-server enable traps cpu threshold rising

## Verify
show snmp user
show snmp group

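## Logging is disabled on the ASA by default; nothing is recorded until
## "logging enable" is issued.
show logging
logging enable

## Send syslog to the collector at .23 via the management interface.
## NOTE(review): syslog to a host is UDP/514 in cleartext by default. If the
## collector is not on a trusted management network, use TCP
## ("logging host management 192.168.1.23 tcp/1470", plus the "secure"
## keyword where the release supports it). With TCP, also set
## "logging permit-hostdown" -- otherwise the ASA stops accepting new
## connections when the syslog server is unreachable.
logging host management 192.168.1.23

## Severity ceiling per destination (0 emergencies ... 7 debugging):
## 5 = notifications to the syslog host, 4 = warnings to the console,
## 6 = informational to the internal buffer.
## Cisco cautions that console logging can degrade performance; keep it low.
logging trap 5
logging console 4
logging buffered 6
clear logging buffer
exit
conf t
show log

## Suppress one message ID entirely. A disabled message never reaches the
## collector either, so keep a record of what has been suppressed.
no logging message 111005

## Change the severity assigned to a message ID. Informational is level 6.
## (The explanation belongs on a comment line; trailing text after the
## level is not valid CLI.)
logging message 111007 level Informational
exit
conf t

## Verify the new level
show logging | include 111007

## Clear the internal buffer
clear logging buffer

exit
conf t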

### Send a subset of syslog messages by email.
## Build a message list: message IDs 101001-101003, plus any message at
## severity Informational (6) or more severe. Per the ASA documentation a
## message matching either criterion is in the list, so the "level" line
## makes this list very broad; drop it if only 101001-101003 are wanted.
logging list Our-Event-List message 101001-101003
logging list Our-Event-List level Informational

## Mail relay and addresses.
## NOTE(review): the ASA submits to the SMTP server in cleartext, so keep the
## relay on the management network. The recipient-level filter admits nearly
## everything at Informational; the "logging mail" list is what actually
## limits what gets mailed.
smtp-server 192.168.1.23
logging from-address ASA@Here.net
logging recipient-address Keith@there.com level Informational
logging mail Our-Event-List

## Time zone: PST is UTC-8; DST as PDT from the second Sunday of March to the
## first Sunday of November, 60 minutes offset. Accurate time is what makes
## the syslog and NetFlow records above correlate with other systems.
clock timezone PST -8 0
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60

## Confirm the NTP server is reachable
ping 66.187.233.4

## Sync time from NTP, sourcing the query from the outside interface.
## NOTE(review): this association is unauthenticated, so anyone on the path
## could feed the ASA false time. Where the server supports it, configure
## "ntp authenticate", "ntp authentication-key <id> md5 <key>",
## "ntp trusted-key <id>" and append "key <id>" to this command.
ntp server 66.187.233.4 source outside

## Verify the association and synchronisation state
show ntp associations
show ntp status

## NetFlow Secure Event Logging (NSEL): export flow records out the
## management interface to the collector at .23, UDP port 9996.
## NOTE(review): NSEL is plain UDP and describes every connection the ASA
## handles, so keep the collector on the trusted management network.
flow-export destination management 192.168.1.23 9996

## Modular Policy Framework: a class that matches all traffic ...
class-map global-class
 match any
exit

## ... attached to the global policy so every matching flow is exported to
## the collector at .23. The default configuration already applies this
## policy with "service-policy global_policy global"; confirm with
## "show service-policy" if flows do not arrive.
policy-map global_policy
 class global-class
  flow-export event-type all destination 192.168.1.23
 exit
exit

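## Static NAT for the DMZ web server: real 172.16.5.5 is presented on the
## outside as 10.123.0.5. The (dmz,outside) pair scopes the translation to
## that interface pair; without it object NAT applies to any interface pair,
## so the rule would also apply between dmz and inside. ("net-to-net" is a
## NAT46 keyword and has no effect on an IPv4 host rule, so it is dropped.)
object network Srv-1
 host 172.16.5.5
 nat (dmz,outside) static 10.123.0.5
exit

## Further hosts can be grouped into an object-group. Srv-2 and Srv-3 have no
## NAT rule in this listing, so the ACL below only exposes them if outside
## hosts can route to 172.16.5.0/24 directly.
object network Srv-2
 host 172.16.5.6
exit
object network Srv-3
 host 172.16.5.7
exit
object-group network DMZ-Servers
 network-object object Srv-1
 network-object object Srv-2
 network-object object Srv-3
exit

## Service object group for the permitted destination ports
object-group service WEB-Services
 service-object tcp destination eq http
 service-object tcp destination eq https
exit

## Permit only HTTP/HTTPS from anywhere to the DMZ servers and bind the ACL
## inbound on outside. Since ASA 8.3 ACLs reference the real (untranslated)
## address, hence the DMZ-Servers group rather than 10.123.0.5. Everything
## else arriving on outside is dropped by the ACL's implicit deny.
access-list outside_access_in extended permit object-group WEB-Services any object-group DMZ-Servers
access-group outside_access_in in interface outside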

