Cisco ASA Initial Configuration

Clarence Subia
3 min read · Oct 10, 2021


Bootstrapping a Cisco Adaptive Security Virtual Appliance (ASAv) in EVE-NG Community Edition using the CLI.

1. Setting up the topology.

2. Configure the Cisco ASA hostname.

ciscoasa(config)# hostname ASA-FW
ASA-FW(config)#

3. Configure the inside and outside interfaces.

ASA-FW(config)# interface g0/0
ASA-FW(config-if)# no shut
ASA-FW(config-if)# ip address 10.10.10.1 255.255.255.0
ASA-FW(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA-FW(config-if)# exit

ASA-FW(config)# interface g0/1
ASA-FW(config-if)# no shut
ASA-FW(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA-FW(config-if)# ip address 172.10.0.1 255.255.255.0
ASA-FW(config-if)# exit

4. Enable AAA authentication and create a local user.

ASA-FW(config)# username clarence password cisco123 priv 15
ASA-FW(config)# aaa authentication ssh console LOCAL
ASA-FW(config)# crypto key generate rsa modulus 1024

5. Enable SSH version 2 access from the inside interface.

ASA-FW(config)# ssh version 2
ASA-FW(config)# ssh 192.168.203.0 255.255.255.0 inside

Verify SSH login from the inside network:

Verify from the ASA:

ASA-FW(config)# show ssh sessions

SID Client IP       Version Mode Encryption Hmac State          Username
0   10.10.10.101    2.0     IN   aes128-ctr sha1 SessionStarted admin
                            OUT  aes128-ctr sha1 SessionStarted admin

6. Configure a default route via the outside interface.

ASA-FW(config)# route outside 0.0.0.0 0.0.0.0 172.10.0.100

7. Configure PAT for internet access.

a. Create an object-group for the inside network:

ASA-FW(config)# object-group network INSIDE
ASA-FW(config-network-object-group)# network-object 10.10.10.0 255.255.255.0

b. Configure PAT to the outside interface.

ASA-FW(config)# nat (inside,outside) source dynamic INSIDE interface

8. Enable ICMP inspection.

ASA-FW(config)# policy-map global_policy
ASA-FW(config-pmap)# class inspection_default
ASA-FW(config-pmap-c)# inspect icmp

Without ICMP inspection:

VPCS> ping 172.10.0.100

172.10.0.100 icmp_seq=1 timeout
172.10.0.100 icmp_seq=2 timeout
172.10.0.100 icmp_seq=3 timeout
172.10.0.100 icmp_seq=4 timeout
172.10.0.100 icmp_seq=5 timeout

With ICMP inspection:

VPCS> ping 172.10.0.100

84 bytes from 172.10.0.100 icmp_seq=1 ttl=255 time=14.205 ms
84 bytes from 172.10.0.100 icmp_seq=2 ttl=255 time=17.622 ms
84 bytes from 172.10.0.100 icmp_seq=3 ttl=255 time=22.790 ms
84 bytes from 172.10.0.100 icmp_seq=4 ttl=255 time=23.118 ms
84 bytes from 172.10.0.100 icmp_seq=5 ttl=255 time=16.457 ms

9. Verify IP translation.

ASA-FW# show xlate
5 in use, 6 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:06:17 timeout 0:00:00
ICMP PAT from inside:10.10.10.100/43185 to outside:172.10.0.1/43185 flags ri idle 0:00:00 timeout 0:00:30

10. Save the configuration.

ASA-FW# wr mem
Building configuration…
Cryptochecksum: c454754f f4ab8d80 a41ce4c4 bf1390d5

7514 bytes copied in 0.500 secs
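Once the box is bootstrapped, it is worth checking the management-access settings as a whole rather than command by command. The script below is an added example, not part of the original post: it audits a constructed running-config built from the commands above (the `rsa_modulus` parameter is an assumption, because the host key size does not appear in `show running-config`) and flags SSH exposure on the outside interface, open source ranges, missing SSHv2/AAA lines, and an RSA modulus below 2048 bits.

```python
import re

# Constructed sample: running-config lines that the commands in this
# walkthrough produce (not captured from the author's lab).
SAMPLE_CONFIG = """\
hostname ASA-FW
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 172.10.0.1 255.255.255.0
username clarence password cisco123 privilege 15
aaa authentication ssh console LOCAL
ssh 192.168.203.0 255.255.255.0 inside
ssh version 2
route outside 0.0.0.0 0.0.0.0 172.10.0.100
"""

# Matches "ssh <network> <mask> <interface>" access lines only.
SSH_ACCESS = re.compile(r"ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit_ssh_config(config: str, rsa_modulus: int) -> list[str]:
    """Return findings for the SSH management-access settings of an ASA config.

    rsa_modulus is the bit length given to 'crypto key generate rsa modulus'
    (assumed input; it is not part of the running-config text).
    """
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if "ssh version 2" not in lines:
        findings.append("SSHv2 not enforced ('ssh version 2' missing)")
    if "aaa authentication ssh console LOCAL" not in lines:
        findings.append("SSH logins not tied to the AAA/local user database")
    if rsa_modulus < 2048:
        findings.append(f"RSA host key modulus {rsa_modulus} is below 2048 bits")
    for ln in lines:
        m = SSH_ACCESS.match(ln)
        if not m:
            continue
        net, mask, ifname = m.groups()
        if ifname == "outside":
            findings.append(f"SSH permitted on outside interface from {net}/{mask}")
        if net == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"SSH permitted from any source on {ifname}")
    return findings
```

Run against the sample with the 1024-bit modulus used in step 4, the only finding is the key size; the ssh access line and the AAA/SSHv2 settings pass.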
