Cisco ASA 5506-X

最後更新: 2018-08-31

介紹

 


Hareware

 

  • Port: 8 GbE
  • Power Supply: 12V, 5A
  • Ram: 4 GB
  • CPU: Atom C2000 series 1250 MHz, 1 CPU (4 cores)
  • SSD: 8000MB

Speed

  • 資安防護吞吐量: 125 Mbps(應用程式控管與IPS)
  • 防火牆吞吐量: 750 Mbps
  • VPN吞吐量: 100 Mbps

 


OS

 

ASA 5506-X ships with either ASA or Firepower Threat Defense software preinstalled.

Firepower 授權=年費 (選購)

  * 必須透過額外建置的Firepower Management Center(FMC)伺服器才能控管

 


Software License

 

Base or Security Plus license, depending on the version you ordered.

The Security Plus license provides more firewall connections, VPN connections, failover capability, and VLANs.

It also comes pre-installed with the Strong Encryption (3DES/AES) license if you qualify for its use;
(this license is not available for some countries depending on United States export control policy)

AnyConnect Plus or Apex license, which allows AnyConnect VPN client connections.

ASA FirePOWER Licenses

 


Check Serial Number

 

Cisco IOS License

  • Preinstalled License (Base License)
  • Permanent License (Security Plus License)
  • Time-Based Licenses

 * The ASA 5506-X and ASA 5506W-X do not support time-based licenses

show version | grep Serial

Serial Number: ??????????

show version | grep Activation

Running Permanent Activation Key: 0x? 0x? 0x? 0x? 0x?

不同 license 的分別

# 它們會有不同的功能, 跟機來是 "Base license"

show activation-key

Serial Number:  ?
Running Permanent Activation Key: ? ? ? ? ?

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

The flash permanent activation key is the SAME as the running permanent key.

Base License

  • Firewall Conns (Concurrent): 20,000
  • VPN Licenses: 10
  • Failover: No support
  • VLANs, Maximum: 5

Security Plus License (代號: ASA5506-SEC-PL) // 要買的, HK$3000@20180917

  • ...

Input ASA 5506-X Sec. Plus Lic.

 * The activation key is not stored in your configuration file

 * The key is tied to the serial number of the device.

# Enter four-or-five-tuple activation-key

activation-key X X X X

# You must reboot it for the change to take effect in the running image.

reload

# Checking

show activation-key

...
This platform has an ASA 5506 Security Plus license.

The flash permanent activation key is the SAME as the running permanent key.

 


LED

 

Status - System operating status:

    Green – Normal system function.

    Amber – Critical alarm indicating one or more of the following:
        Major failure of a hardware or software component.
        Over-temperature condition.
        Power voltage outside the tolerance range.

Active - Status of the failover pair:

    Solid green – Failover pair operating normally. The LED is green always unless the ASA in an HA pair.
    Amber – When the ASA is in an HA pair, the LED is amber for the Standby unit.
    Unlit – Failover is not operational.

Link status (L):

    Unlit – No link, or port is not in use.
    Solid green – Link established.
    Flashing green – Link activity.

Connection-speed status (S):

    One blink every three seconds – 10 Mbps.
    Two rapid blinks – 100 Mbps.
    Three rapid blinks – 1000 Mbps.

 


USB Console Port

 

Two serial ports, a mini USB Type B, and a standard RJ-45 (8P8C),
are provided for management access via an external system.

Only one console port can be active at a time.

For Linux and Macintosh systems, no special driver is required.

For Windows systems, you must download and install a USB driver

(Cisco_usbconsole_driver_X_X_zip)

Windows

安裝 driver 後, 插 USB Cable 後出現 Cisco Serial (COM5)

9600 baud
8 data bits
no parity
1 stop bit
no flow control

Linux

screen /dev/ttyACM0 9600

 


Reset button

 

A small recessed button that if pressed for longer than "three" seconds resets the ASA to its default “as-shipped” state following the next reboot.

However, the flash is not erased and no files are removed.

You can use the service sw-reset-button to disable the reset button. The default is enabled.

console output

Cryptochecksum: ? ? ? ?

4754 bytes copied in 0.260 secs



***
*** --- START GRACEFUL SHUTDOWN ---
***
*** Message to all terminals:
***
***   SW Reset Button Pressed
Shutting down isakmp
Shutting down webvpn
Shutting down sw-module
Shutting down License Controller
Shutting down File system



***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:
***
***   SW Reset Button Pressed
Process shutdown finished
Rebooting... (status 0x9)

 


First Time Deploy

 

outside GigabitEthernet 1/1 interface, IP address from DHCP

inside bridge group with GigabitEthernet 1/2 through 1/8 member interfaces

Management 1/1 interface

No ASA IP
FirePOWER IP: 192.168.1.2 (must set in FirePOWER)

Belongs to the ASA FirePOWER module;
The interface is Up, but otherwise unconfigured on the ASA.

Do not configure an IP address for this interface in the ASA configuration.
Only configure an IP address in the FirePOWER configuration.
You should consider this interface as completely separate from the ASA in terms of routing.

 * assumes you want to use ASDM to manage the ASA FirePOWER Module. I

Default Login Info.

IP: IP: 192.168.1.1

Panel: https://192.168.1.1/admin

Default Login: NULL / NULL

Enable pass: NULL

 


Upgrade a Standalone Unit Using the CLI

 

# 每個 Version 的 ASA 都有對應 version 的 ASDM (Compatibility)

ASA 9.9 -> ASDM 7.9
ASA 9.8 -> ASDM 7.8
....

Download

Interim releases

They contain bug fixes which address specific issues found since the last Feature or Maintenance release.

# FileName
# size 103.62 MB
asa982-38-lfbff-k8.SPA # 14-JUN-2018
asa982-35-lfbff-k8.SPA # 23-MAY-2018

# asdm
asdm-782-151.bin       # 12-OCT-2017

 

Step

1. Upgrade the ASA Appliance

In privileged EXEC mode, copy the ASA software to flash memory.

i.e.

ciscoasa# copy http://192.168.1.177/asa982-38-lfbff-k8.SPA disk0:/
ciscoasa# copy ftp://cisco:pass@10.1.1.1/asa991-smp-k8.bin disk0:/

2. Copy the ASDM image to flash memory.

i.e.

ciscoasa# copy http://192.168.1.177/asdm-782-151.bin disk0:/
ciscoasa# copy ftp://cisco:pass@10.1.1.1/asdm-771791.bin disk0:/

3. Show current image

# IOS

show version | grep image

System image file is "disk0:/asa982-lfbff-k8.SPA"

# asdm image

show asdm image

Device Manager image file, disk0:/asdm-782.bin

4. Remove any existing boot image configurations

The ASA uses the images in the order listed;
if the first image is unavailable, the next image is used, and so on.
You cannot insert a new image URL at the top of the list; to specify the new image to be first,
you must remove any existing entries, and enter the image URLs in the order desired, according to the next steps.

ciscoasa# show running-config boot system

# 沒有 output

ciscoasa# configure terminal

ciscoasa(config)# no boot system disk0:/asa982-OLD-lfbff-k8.SPA

ciscoasa(config)# boot system disk0:/asa982-38-lfbff-k8.SPA

ciscoasa(config)# asdm image disk0:/asdm-782-151.bin

ciscoasa(config)# show bootvar

BOOT variable = disk0:/asa982-38-lfbff-k8.SPA
Current BOOT variable = disk0:/asa982-38-lfbff-k8.SPA
CONFIG_FILE variable =
Current CONFIG_FILE variable =

ciscoasa# write memory

ciscoasa# reload
 

 


ASDM

 

Cisco ASDM can run as

  • a local application (Java)
  • a Java Web Start application (IE)
  • start ASDM from command-line

 * Default Lan IP: 192.168.1.1

start ASDM from command-line

1. fw allow jp2launcher.exe outgoing

2. C:\Program Files\Java\jre1.8.0_181\bin      # asdm-782 need Java8

3. javaws.exe https://(ip or hostname to ASA)/admin/public/asdm.jnlp

Enable asdm on management interface

http server enable

http 192.168.8.0 255.255.255.0 management
 


Disable A ACL

 

To make an ACE inactive, use the inactive keyword.

To reenable it, enter the entire ACE without the inactive keyword.

This feature enables you to keep a record of an inactive ACE in your configuration to make reenabling easier.

i.e.

access-list outside_acl extended permit icmp any any time-exceeded inactive

 


Enable SSH By Console

 

ciscoasa(config)# crypto key generate rsa general-keys modulus 2048
ciscoasa(config)# username testuser password testpass
ciscoasa(config)# aaa authentication ssh console LOCAL

ciscoasa(config)# ssh timeout 30

ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh key-exchange group dh-group14-sha1
ciscoasa(config)# ssh cipher integrity high
ciscoasa(config)# ssh cipher encryption high

ciscoasa(config)# ssh 192.168.1.177 255.255.255.255 inside_1
...
ciscoasa(config)# ssh 192.168.1.177 255.255.255.255 inside_7

ciscoasa(config)# write memory

timeout unit => minutes

 


Set "enable" Password

 

Get into the command line.

Type 'enable' to enter enable mode.

Type 'config t' .

Type 'enable password PaSsWoRd

 


ASA 5505 質 5506-X 分別

 

 

[1] 在 5506-X 上 vlan 被 bridge-group 取代了

bridge-group vs vlan

A bridge group is used on routers to join two (or more) router interfaces to a single broadcast domain.

A VLAN is used on switches to group switch ports into a single broadcast domain.

 


VNI Interface

 

Virtual Extensible LAN (VXLAN)

 - VXLAN is a technology which allows overlaying a Layer 2 (L2) network over a Layer 3 (L3) underlay with use of any IP routing protocol.
 - It uses MAC-in-UDP Encapsulation.

 


Virtual Tunnel Interface (VTI)

 

IP security (IPsec) virtual tunnel interfaces (VTIs) provide a routable interface type for terminating IPsec tunnels and an easy way to define protection between sites to form an overlay network.

IPsec VTIs simplify configuration of IPsec for protection of remote links, support multicast, and simplify network management and load balancing.

 


Object

 

show run object

object network apps1_lan_ip
 host 192.168.3.151
object network apps_network
 subnet 192.168.3.0 255.255.255.0

show run object in-line

object network apps1_lan_ip host 192.168.3.151
object network apps_network subnet 192.168.3.0 255.255.255.0

 


NAT

 

Version 9.8 一共有兩種 Nat 模式, 分別是

 - network object NAT
    All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules.
    (You cannot create these rules for a group object)

 -  twice NAT.
    Twice NAT lets you identify both the source and destination address in a single rule.

Outgoing NAT (Share Single IP)

inside hosts to share a single public address for translation

Use: Port Address Translation (PAT)

GUI

Equivalent CLI

wan:outside_1

lan:inside_1

i.e.

nat (inside_1,outside_1) source dynamic apps_network interface

解說

# nat (real_ifc ,mapped_ifc ) source dynamic {real_obj | any }{mapped_obj [interface]} [description desc] [inactive]

real_ifc,mapped_ifc

Required for bridge group member interfaces.

interface

    The interface keyword enables interface PAT fallback.
    After the mapped IP addresses are used up,
    then the IP address of the mapped interface is used.
    you must configure a specific interface for the mapped_ifc
    (You cannot specify interface when the mapped interface is a bridge group member)

Static NAT

static NAT allows bidirectional connection initiation, both to and from the host (if an access rule exists that allows it)

wan --- 88.243(outside_1,inside_1) --- 3.178

i.e.

object network tim_lan_ip host 192.168.3.178
object network tim_wan_ip host 192.168.88.243
nat (outside_1,inside_1) source static any any destination static tim_wan_ip tim_lan_ip net-to-net description for 1to1 nat testing
  • source static
  • destination static
  • net-to-net                         # For a one-to-one translation

GUI 會有兩條 Rule

access rule 要用 Lan IP

access-list outside_1_access_in_1 extended permit tcp any object tim_lan_ip eq www

 

 


Troubleshoot

 

  • show conn addr IP
  • syslog
  • packet-tracer
  • Capture Package

----------------

show conn

# connection in the firewall connection table (stateful firewall)

show conn address 198.168.3.178

TCP outside_1  192.168.88.177:64503 inside_1  192.168.3.178:80, idle 0:00:02, bytes 3021, flags UIOB
TCP outside_1  192.168.88.177:64502 inside_1  192.168.3.178:80, idle 0:00:02, bytes 8220, flags UIOB
TCP outside_1  192.168.88.177:64501 inside_1  192.168.3.178:80, idle 0:00:02, bytes 29084, flags UIOB
TCP outside_1  192.168.88.177:64500 inside_1  192.168.3.178:80, idle 0:00:02, bytes 7645, flags UIOB
TCP outside_1  192.168.88.177:64499 inside_1  192.168.3.178:80, idle 0:00:02, bytes 0, flags SaAB

# flag 的意思

show conn detail

# Inbound Connection

B - initial SYN from outside

...

# shows the state of all TCP connections through the ASA

show conn protocol tcp

 

Syslog

 

ASA(config)# show log | in 198.168.3.178

 

packet-tracer

# allows you to specify a simulated packet and see all of the various steps,
# checks, and functions that the firewall goes through when it processes traffic.

client(outside_1)     ASA        server(inside_1)
.88.177:1234  -> .88.234 -> 198.168.3.178

i.e. 1

packet-tracer input outside_1 tcp 192.168.88.177 1234 192.168.88.243 http

Result:
input-interface: outside_1
input-status: up
input-line-status: up
output-interface: inside_1
output-status: up
output-line-status: up
Action: allow

i.e. 2

packet-tracer input outside_1 tcp 192.168.88.177 1234 192.168.88.243 https

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside_1,inside_1) source static any any destination static tim_wan_ip tim_lan_ip net-to-net description for 1to1 nat testing
Additional Information:
NAT divert to egress interface inside_1
Untranslate 192.168.88.243/443 to 192.168.3.178/443

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.88.177 using egress ifc  outside_1

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside_1
input-status: up
input-line-status: up
output-interface: inside_1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

i.e. 3

packet-tracer input outside_1 tcp 192.168.88.177 1234 192.168.3.178 http

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside_1,inside_1) source static any any destination static tim_wan_ip tim_lan_ip net-to-net description for 1to1 nat testing
Additional Information:

Result:
input-interface: outside_1
input-status: up
input-line-status: up
output-interface: inside_1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Capture Package

ASA# capture capin interface inside match tcp host 172.16.11.5 host 198.51.100.100

ASA# capture capout interface outside match tcp any host 198.51.100.100

ASA#show capture capin

ASA#show capture capout