
Lesson 1: ASA BASICS

1. Introduction to basic commands:


- The ASA can be configured in two ways: via the CLI and via ASDM.
- When the ASA has finished booting, the user-mode prompt is:
ciscoasa>
ciscoasa is the default hostname of the ASA.
- Use ? to see the keywords that are suggested at the current position.

- To view the information available on the device, use show ?

- To enter privileged mode, use the enable keyword; the default password is empty.

- To configure the device, enter configuration mode with the following command:
ciscoasa# configure terminal

- Saving the configuration works the same way as on a router.


- Setting the console and enable passwords works the same way as on a router.
- The Tab key completes a partially typed command.
- Erase the configuration:
ciscoasa# write erase
2. Configuring interfaces:
- The ASA has a console port, Ethernet ports, and a management port (the management port serves the same purpose as the console port).
- As on a router, to configure the IP address, speed, or duplex of an ASA interface you enter the interface and use the same commands as on a router.
ciscoasa# configure terminal
ciscoasa(config)# interface [ethernet0/1 | management0/0]
ciscoasa(config-if)#
- To make interfaces easier to remember, instead of the physical interface name you can use a logical name assigned with the nameif keyword:
ciscoasa(config-if)# nameif name
- The command that assigns an IP address to an interface is exactly the same as on a router.
- A feature of the ASA that routers do not have is the Security Level, abbreviated sec-lvl (the trust level of the interface). The sec-lvl ranges from 0 to 100, where 100 is the most trusted, and it defaults to 0.
- When you create a sub-interface on the ASA, you must also declare the VLAN, and it must match the VLAN on the switch port that the ASA interface is connected to.
For example, given the following topology and configuration:

ciscoasa>
ciscoasa> enable
Password:
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)# hostname ASA1
ASA1(config)# interface Management0/0
ASA1(config-if)# nameif mgmt
ASA1(config-if)# security-level 100
ASA1(config-if)# ip address 192.168.1.11 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface Ethernet0/1
ASA1(config-if)# no shutdown
ASA1(config)# interface Ethernet0/1.1201
ASA1(config-if)# vlan 1201
ASA1(config-if)# nameif fw1
ASA1(config-if)# security-level 50
ASA1(config-if)# ip address 172.16.61.1 255.255.255.0
ASA1(config)# interface Ethernet0/1.1212
ASA1(config-if)# vlan 1212
ASA1(config-if)# description *** Welcome to the VnPro ***
ASA1(config-if)# nameif svcs
ASA1(config-if)# security-level 99
ASA1(config-if)# ip address 172.16.62.171 255.255.255.240

ASA1(config-if)# end
ASA1#
- Review the whole configuration:

- View the interface names (nameif) and IP addresses:

- Ping to verify connectivity:

- Another special feature: the physical ports of the ASA 5505 behave like the ports of a switch. That is, on an ASA 5505 port you can configure trunking, create VLANs, and assign ports to VLANs. For example, with the following topology:

ciscoasa>
ciscoasa> enable
Password:
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)# hostname ASA5505
ASA5505(config)# interface Ethernet0/5
ASA5505(config-if)# switchport access vlan 100
ASA5505(config-if)# no shutdown
ASA5505(config)# interface Ethernet0/3
ASA5505(config-if)# switchport trunk allowed vlan 100,201
ASA5505(config-if)# switchport mode trunk
ASA5505(config-if)# no shutdown
ASA5505(config)# interface vlan 100
ASA5505(config-vlan)# description *** Management Interface ***
ASA5505(config-vlan)# nameif mgmt
ASA5505(config-vlan)# security-level 100
ASA5505(config-vlan)# ip address 192.168.1.2 255.255.255.0
ASA5505(config-vlan)# no shutdown
ASA5505(config)# interface vlan 201
ASA5505(config-vlan)# description *** DMZ Network ***
ASA5505(config-vlan)# nameif dmz
ASA5505(config-vlan)# security-level 50
ASA5505(config-vlan)# ip address 172.16.201.2 255.255.255.0
ASA5505(config-vlan)# no shutdown
- Review the whole configuration:

- View which VLAN each port is assigned to:

3. Telnet:
- In this lab the ASA only accepts Telnet packets with a source IP in the 192.168.1.0/24 network, and the default username is admin.
- Telnet authenticates against the LOCAL database; LOCAL is the default keyword on ASA models.
- Configuration steps
Step 1: Create a username and password
ciscoasa(config)# username admin password tnpass privilege 15

Step 2: Enable Telnet authentication on the ASA
ciscoasa(config)# aaa authentication telnet console LOCAL
4. SSH:
- In this lab the ASA only accepts SSH packets with a source IP in the 192.168.1.0/24 network, and the default username is admin.
- Configuring SSH on the ASA is similar to a router. The one difference is that SSH authentication is enabled with an aaa command (the ASA has no aaa new-model, ip domain-name, ip ssh, or line vty commands, so the commands below are the ASA equivalents).
- Configuration steps
Step 1: Create a username and password
ciscoasa(config)# username admin password tnpass privilege 15
Step 2: Enable AAA authentication for SSH against the LOCAL database
ciscoasa(config)# aaa authentication ssh console LOCAL
Step 3: Set the domain name used when generating the SSH host key
ciscoasa(config)# domain-name name
Step 4: Generate the RSA key (1024-bit modulus)
ciscoasa(config)# crypto key generate rsa modulus 1024
Step 5: Select the SSH version
ciscoasa(config)# ssh version 2
Step 6: Activate SSH by permitting the management network on the mgmt interface
ciscoasa(config)# ssh 192.168.1.0 255.255.255.0 mgmt
5. Allowing ASA configuration through ASDM
- In this lab the ASA only accepts ASDM connections from a source IP in the 192.168.1.0/24 network, and the default username is admin.
- The ASDM image must be installed directly on flash.
- Configuration steps:
Step 1: Create a username and password
ciscoasa(config)# username admin password tnpass privilege 15
Step 2: Define the IP addresses allowed to configure the device and authenticate them against the ASA's local database
ciscoasa(config)# http 192.168.1.0 255.255.255.0 mgmt
ciscoasa(config)# aaa authentication http console LOCAL
Step 3: Enable the HTTP server
ciscoasa(config)# http server enable
Step 4: Define where the ASDM image is stored
ciscoasa(config)# asdm image disk0:/asdm-621.bin
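Putting the Telnet, SSH and ASDM steps above together, here is an added example (not from the original lab) of a complete management-plane configuration for the ASA1 topology of section 2, in ASA-native syntax. It assumes a hypothetical admin workstation 192.168.1.50 and domain example.com, restricts ASDM to that single host, and leaves Telnet out entirely so that only encrypted management paths remain.

```cisco
! Added example for the ASA1 lab topology (mgmt interface 192.168.1.11/24).
! The admin host 192.168.1.50 and the domain example.com are assumptions.
hostname ASA1
domain-name example.com
! Local administrator account; the password is a placeholder to replace.
username admin password CHANGE-ME privilege 15
! SSH version 2 only, 2048-bit RSA host key, 10-minute idle timeout,
! accepted only from the management subnet on the mgmt interface.
crypto key generate rsa modulus 2048
ssh version 2
ssh 192.168.1.0 255.255.255.0 mgmt
ssh timeout 10
aaa authentication ssh console LOCAL
! ASDM over HTTPS, restricted to the single assumed admin host.
http server enable
http 192.168.1.50 255.255.255.255 mgmt
aaa authentication http console LOCAL
asdm image disk0:/asdm-621.bin
! Remove any Telnet permit statements so cleartext management is not possible.
clear configure telnet
! Verification, run from privileged mode:
!   show running-config ssh
!   show running-config http
!   show ssh sessions
```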
6. License management:
- Command to view the ASA license:
ciscoasa# show version
- Change the license:
ciscoasa(config)# activation-key key-id

Lesson 2: Basic Cisco ASA Configuration


Configuration modes in Cisco IOS:
Ciscoasa> User mode
Ciscoasa# Privileged mode (or Enable mode)
Ciscoasa(config)# Global Configuration mode
Ciscoasa(config-if)# Interface Configuration mode
Ciscoasa(config-subif)# Subinterface Configuration mode
Ciscoasa(config-line)# Line configuration mode

Command: Description
Ciscoasa> enable (or Ciscoasa> ena): Enter privileged mode from user mode.
Ciscoasa# configure terminal (or Ciscoasa# conf t): Enter configuration mode.
Ciscoasa# show running-config (or Ciscoasa# show run): Display the running configuration held in RAM.
Ciscoasa# show startup-config: Display the startup configuration file stored in NVRAM.
Ciscoasa# copy running-config startup-config (or Ciscoasa# write, or Ciscoasa# wr): Save the running configuration in RAM (running-config) to NVRAM.
Ciscoasa# show ?: Display all the show commands that can be executed.
Ciscoasa# show clock: Display the configured time.
Ciscoasa# show version: Display information about the current Cisco IOS software.
Ciscoasa# show flash: Display information about flash memory.
Ciscoasa(config)# hostname name: Set the hostname of the device.
Ciscoasa(config)# enable password password: Set the enable password (it is stored encrypted automatically).
Ciscoasa(config)# banner motd # message #: Display a message when a user connects to the device.
Ciscoasa(config-if)# description message: Configure a description for the interface.
Ciscoasa(config-if)# nameif name: Assign a name to the physical interface.
Ciscoasa# show interface ip brief: Display a summary of all interfaces, including the interface status (up, down, administratively down) and the IP address of each interface.
Ciscoasa# show interface {interface_number}: Show detailed interface information (MAC address, speed, bandwidth, etc.).
Ciscoasa# show route: Display the routing table of the ASA.
Ciscoasa# erase startup-config: Erase the entire configuration on the ASA.
Ciscoasa# reload: Restart the device.

Notes:
- show commands can be used in any mode.
- A command you have just entered can be undone by prefixing it with no.
- Cisco IOS suggests the next keyword of a command when you type ?.
- Some shortcuts worth remembering:
+ Go to the beginning of the line: Ctrl-A
+ Go to the end of the line: Ctrl-E
+ Delete a line: Ctrl-X
+ Delete a word: Ctrl-W
+ Recall the previous command from the history buffer (same as the up arrow): Ctrl-P
+ Move forward to the next command in the history buffer (same as the down arrow): Ctrl-N

Some basic configurations for a Cisco firewall:

Basic configuration:
Set the password for privileged mode:
enable password password
Set a username and password with an access privilege level:
asa5520(config)# username admin password admin privilege 15
Set the firewall hostname and banner:
pixfirewall(config)# hostname CorpFW1
pixfirewall(config)# banner exec Unauthorized access will be prosecuted
Restore the initial factory-default configuration:
configure factory-default
or: hostname(config)# clear configure all
Telnet configuration for the firewall:
Interface configuration:
asa5520# config t
asa5520(config)# int gi0/3
asa5520(config-if)# no sh
asa5520(config-if)# nameif LAN2
INFO: Security level for "LAN2" set to 0 by default.
asa5520(config-if)# security-level 100
asa5520(config-if)# ip address 192.168.2.1 255.255.255.0
Telnet configuration:
asa5520(config)# password cisco
asa5520(config)# telnet 10.7.0.0 255.255.255.0 inside
ASDM configuration:
Create the access user:
asa5520(config)# username admin password admin privilege 15
Configure the management address:
asa5520# config t
asa5520(config)# int gi0/3
asa5520(config-if)# ip address 192.168.2.1 255.255.255.0
Enable the HTTP server:
pixfirewall(config)# http server enable
Configure the address of the management host:
pixfirewall(config)# http 192.168.1.1 255.255.255.0 inside
Check the contents of flash:
Firewall# dir flash:/
Check connectivity to the TFTP server:
Firewall# ping 192.168.254.2
Declare the TFTP server:
Firewall(config)# tftp-server outside 192.168.254.2
Copy from TFTP:
Firewall# copy tftp://192.168.254.2/newimage.bin flash:image
After upgrading to a new version, the activation key must be updated:
hostname(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e
Check license information:
show activation-key detail
Password recovery (crack password):
Enter ROMMON and change the configuration register value:
rommon #0> confreg
Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash
Do you wish to change this configuration? y/n [n]: y
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:
Current Configuration Register: 0x00000040
Reboot with an empty password, then copy the startup configuration to the running configuration:
ciscoasa# copy startup-config running-config
Firewall# configure terminal
Firewall(config)# password password
Firewall(config)# enable password enablepass
Restore the configuration register to its default value:
Firewall(config)# config-register 0x00000001
Save the configuration and reload the ASA:
Firewall# copy running-config startup-config
Configuration:
Real address of the Web server 192.168.1.4; Internet address 10.1.1.3
Real address of the Mail server 192.168.1.15; Internet address 10.1.1.4
Real address of the FTP server 192.168.1.10; Internet address 10.1.1.5
Interface configuration:
interface Ethernet0
nameif outside
security-level 0
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
Create an access list that allows ping outbound (ICMP replies back in) and access to the published servers:
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host 10.1.1.3 eq www
access-list 100 extended permit tcp any host 10.1.1.4 eq smtp
access-list 100 extended permit tcp any host 10.1.1.5 eq ftp
access-group 100 in interface outside
Create outbound NAT:
Create the outbound NAT pool (a range of addresses plus a single PAT address as fallback):
global (outside) 1 10.1.1.15-10.1.1.253
global (outside) 1 10.1.1.254
nat (inside) 1 0.0.0.0 0.0.0.0
NAT commands for the servers:
static (inside,outside) 10.1.1.3 192.168.1.4 netmask 255.255.255.255
static (inside,outside) 10.1.1.4 192.168.1.15 netmask 255.255.255.255
static (inside,outside) 10.1.1.5 192.168.1.10 netmask 255.255.255.255
Configure the default route outbound:
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
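The global/nat/static commands above are the pre-8.3 NAT syntax. As an added example (not from the original page), here is the same design in ASA 8.3 and later syntax, where NAT is configured under network objects and, importantly for the access policy, the inbound access list must reference the real (untranslated) server addresses rather than the mapped 10.1.1.x ones. The object and access-list names are assumptions; the pool range is simplified to interface PAT.

```cisco
! Added example: the lab design in ASA 8.3+ object NAT syntax.
! Real addresses from the lab: web 192.168.1.4, mail 192.168.1.15, ftp 192.168.1.10.
object network WEB-SERVER
 host 192.168.1.4
 nat (inside,outside) static 10.1.1.3
object network MAIL-SERVER
 host 192.168.1.15
 nat (inside,outside) static 10.1.1.4
object network FTP-SERVER
 host 192.168.1.10
 nat (inside,outside) static 10.1.1.5
! Dynamic PAT for the inside network behind the outside interface address;
! this replaces the global/nat pair of the pre-8.3 configuration.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! On 8.3+ the inbound ACL matches the REAL address (the object), not the mapped one;
! an ACL written against 10.1.1.3 would silently never match.
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-list OUTSIDE-IN extended permit tcp any object MAIL-SERVER eq smtp
access-list OUTSIDE-IN extended permit tcp any object FTP-SERVER eq ftp
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
! Verification, from privileged mode (203.0.113.9 is a documentation address):
!   show nat detail
!   packet-tracer input outside tcp 203.0.113.9 1025 10.1.1.3 80
```

The packet-tracer run should show the UN-NAT phase mapping 10.1.1.3 to 192.168.1.4 and then the ACCESS-LIST phase permitting the flow; if the ACL phase drops it, the ACL is referencing the mapped address.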
PPPoE configuration for the fiber-optic internet connection:
vpdn group VietVuong request dialout pppoe
vpdn group VietVuong localname FTTH_vietvuong_vcpto
vpdn group VietVuong ppp authentication pap
vpdn username FTTH_vietvuong_vcpto password hanoi123
VLAN interface configuration on the ASA 5505 series:
interface Vlan10
nameif outside
security-level 0
pppoe client vpdn group VietVuong
ip address pppoe setroute
no shut
Assigning the port to the VLAN:
interface Ethernet0/0
description Internet connection to VNPT ISP
switchport access vlan 10
no shut
On the 5510 series, use:
interface Gigabit Ethernet 0
nameif outside
security-level 0
pppoe client vpdn group VietVuong
ip address pppoe setroute
no shut
Configure the banners:
banner exec Chi duoc truy cap khi co cap phep cua xxxxxxx
banner login Chi duoc truy cap khi co cap phep cua xxxxxx
banner asdm Chi duoc truy cap khi co cap phep cua xxxxxx
