Transcript of: Adaptive Security Appliance CCNA Security Lab 5505 vs 5506-X
1/72
Adaptive Security Appliance CCNA Security Lab 5505 vs 5506-X
Nico [email protected] 20, 2018, Diegem, Belgium
2/72
Agenda: What will happen in this session?
ASA Overview
Basic Interface/Firewall Config
ASA Firewall Rules
ASA 8.3+ NAT
Modular Policy Framework
CLI config lab
This session focuses on the ASA 5505/5506-X ONLY (!)
3/72
Agenda: What won’t happen in this session?
ASDM Configuration
IPsec site-to-site or remote access VPN
SSL remote access VPN (requires ASDM)
ASDM config session
Dynamic Routing with ASA
Linking ASA with AD
4/72
ASA Overview
5/72
ASA (Adaptive Security Appliance)
Proven Firewall technology
Intrusion Prevention capabilities
VPN Solution
Failover
Virtualization
ASA 5505 / 5506-X
New bundles have a 5506-X
Next Generation Firewall
Next Generation IPS
Advanced Malware Protection
“FirePower”
6/72
ASA Security Contexts
Virtualisation
Separate Policy
Separate Interfaces
Separate admin
7/72
ASA High Availability (failover)
Active/Standby
Active/Active
depends on model
8/72
ASA Identity Firewall
9/72
ASA Threat Containment
Advanced Intrusion Prevention
AIP-SSM for rack-based models
AIP-SSC-5 for ASA-5505
software module on ASA-5506-X
10/72
Routed vs Transparent Mode
Routed mode
– “Router” with filtering
– Different networks
Transparent mode
– “Switch” with filtering
– Single network
– 1 IP address for management
11/72
ASA 5505 Licensing
12/72
ASA 5506-X Licensing
more power
more possibilities (VLANs, connections, VPN Sessions, …)
...
13/72
ASA 5505/5506-X Licensing
5505 VLANs with Base License
– 3 VLANs are supported
– 1 restricted VLAN that can ONLY initiate traffic to one other VLAN (return traffic is allowed)
5506-X with Base License
– 5 VLANs are supported (on trunks)
NO support for Security Contexts
Stateless Active/Passive failover ONLY in Security Plus License
Not an HQ firewall, but SOHO, Small Branch, ...
14/72
Any questions so far???
15/72
Basic Interface / Firewall Config
16/72
Permitted Traffic
Security level (aka Trust-Level)
Defaults
– Inside: 100
– Outside: 0
Typical
– DMZ: 50
5505 Base License
– 1 VLAN can only initiate traffic to one other VLAN
– DMZ does not initiate traffic to inside
17/72
Denied Traffic
return traffic is allowed (inspection)
no lower to higher security level traffic
exception: ACLs
18/72
Security Levels
Measure of trustworthiness
0 (not trusted) to 100 (trusted)
Traffic can flow freely from higher valued to lower valued interfaces
Return Traffic is automatically allowed
ACLs are needed to allow flow from low to high
19/72
“Return traffic is automatically allowed”
Requires “inspection”
CONN & XLATE internal tables
to “allow” return traffic
depending on protocol up to layer 7
20/72
ASA 5505 vs 5506-X
ASA 5505
– max ASA OS 9.2
– 8 layer 2 ports, 0-7
– Interface names do not include speed (Ethernet0/1)
– to be divided over 3 (Base License) VLANs
– 1 VLAN cannot initiate traffic to both of the others (only to one of them)
– VLAN interfaces get the layer 3 configuration
ASA 5506-X
– ASA OS 9.7+
– 8 layer 3 ports, 1-8
– Interface names include speed (GigabitEthernet1/1)
– 1 management port
– Bridging between interfaces must be configured – similar to IOS Bridge-Group Virtual Interfaces (BVI)
– BVI interface gets the layer 3 configuration
21/72
IOS vs ASA commands
| IOS | ASA |
|-----|-----|
| enable secret password | enable password password |
| line vty 0 4 / password password / login | passwd password |
| ip route | route intname |
| show ip interfaces brief | show interfaces ip brief |
| show ip route | show route |
| show vlan | show switch vlan |
| show ip nat translations | show xlate |
| copy running-config startup-config | write [memory] |
| erase startup-config | write erase |
22/72
IOS vs ASA commands
Privileged EXEC commands can be given in any mode (no need for do)
The help command can HELP
To interrupt the “more” output, press Q, not Ctrl-C
There is a “setup” wizard…
some things can only be configured from within ASDM...
23/72
ASA Default Configuration
HTTP Access for ASDM (ASA Device Manager) is configured for access from 192.168.1.0/24 via “inside” VLAN/BVI
A DHCP-server is configured for the “inside” VLAN/BVI, with addresses 192.168.1.5-192.168.1.36 (5505) or 192.168.1.5-192.168.1.254 (5506-X)
Default DNS information (domain name and DNS server) comes from the “outside” DHCP server
Default: empty passwords
The ASA works “out of the box”
To reset an ASA:
– (config)# configure factory-default
24/72
ASA 5505 Defaults
hostname is “ciscoasa”
E0/0 is configured in VLAN 2 (outside)
Other interfaces are in VLAN 1 (inside)
VLAN 1 is configured as “inside”, with security-level 100 and IP 192.168.1.1/24
VLAN 2 is configured as “outside”, with security-level 0, and IP and default gateway via DHCP
PAT is automatically configured
25/72
ASA 5506-X Defaults
hostname is “ciscoasa”
GigE1/1 is configured as outside interface
Other interfaces are in bridge-group 1
BVI1 is configured as “inside”, with security-level 100 and IP 192.168.1.1/24
GigE1/1 is configured as “outside”, with security-level 0, and IP and default gateway via DHCP
PAT is automatically configured
Dedicated management Ethernet interface
26/72
ASA 9.7+ Default Configuration (ASDM/NAT/MGMT)
Management 1/1 interface up but unconfigured, used for ASA FirePower module
ASDM Access
– from inside hosts
– from wifi hosts
NAT, interface PAT configured for
– wifi > outside
– inside > outside
– management > outside
27/72
Let’s take a (more or less) deep dive in the ASA CLI
28/72
ASA 5505 Default Configuration
```cisco
ASA Version 9.1(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
```
29/72
ASA 5505 Default Configuration
```cisco
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d5da6714509c82bc97629f33075459a2
: end
```
30/72
ASA 5506-X Default Configuration
```cisco
ASA Version 9.8(1)
!
hostname ciscoasa
enable password $sha512$5000$9JNFlM2inkuNUhQjKQHfnA==$wT70e2xMZSZjwgKJVQAu0Q== pbkdf2
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
```
31/72
ASA 5506-X Default Configuration
```cisco
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
```
32/72
ASA 5506-X Default Configuration
```cisco
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d59032ee5b05b5a1791caaa0aa416df8
: end
```
33/72
ASA Commands
hostname hostname
domain-name name
banner motd message (multiple lines = multiple banner motd commands, NO delimiter)
enable password password
key config-key password-encryption newpassword [ oldpassword ]
password encryption aes
show password encryption
34/72
ASA Interface Commands
interface Ethernet0 (PIX/ASA)
interface vlan 1 (ASA5505)
nameif if_name
– Not case sensitive
– “no”-form removes ALL references
– For names “inside” and “outside”, security-levels 100 or 0 are automatically used
security-level value
ASA 5505: LIMITED 3rd VLAN: can only initiate traffic to one (of 2) other VLANs
– no forward interface vlan 1
35/72
ASA Interface Commands
ip address IP SNM
ip address dhcp
ip address dhcp setroute
– (also ask external DHCP-server for default gateway)
ip address pppoe
ip address pppoe setroute
36/72
ASA 5505 Interface Commands
interface ethernet0/0
switchport access vlan 2
no shutdown
show switch vlan (ports to VLAN/ifname mapping)
show interface
show interface ip brief (physical/logical interfaces and status)
show ip address
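As an added example (not part of the slides), the following is a complete ASA 5505 Base License interface configuration that puts the security-level rules from the earlier slides into practice: inside (100), outside (0) and a third, restricted DMZ VLAN (50) that uses `no forward interface` so it can initiate traffic only towards outside. The hostname, all addresses (192.168.1.0/24, 172.16.1.0/24, 203.0.113.0/24) and the ACL name are constructed for this example.

```cisco
! Added example, not from the slides: ASA 5505, Base License, three VLANs.
! All addresses and names are constructed placeholders.
hostname ASA5505-LAB
!
! Physical ports: E0/0 to the ISP (VLAN 2), E0/1 to the DMZ server (VLAN 3),
! the remaining ports stay in VLAN 1 (inside).
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
interface Ethernet0/1
 switchport access vlan 3
 no shutdown
!
! The names "inside" and "outside" set security-level 100 and 0 automatically.
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.0
!
! Third VLAN with the Base License: it may initiate traffic to only ONE other VLAN.
! "no forward interface" must be entered before nameif; here the DMZ may reach
! outside but can never initiate traffic to inside.
interface Vlan3
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Default route towards the ISP (slide syntax: route int_name NWA SNM Next-Hop-IP).
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Resulting flows without any ACL:
!   inside (100) -> dmz (50)      permitted, return traffic allowed via the conn table
!   inside (100) -> outside (0)   permitted
!   dmz (50)     -> outside (0)   permitted
!   dmz (50)     -> inside (100)  denied (lower to higher, and blocked by no forward interface)
!   outside (0)  -> dmz (50)      denied until an ACL applied inbound on outside permits it:
access-list OUTSIDE_IN extended permit tcp any host 172.16.1.10 eq 80
access-group OUTSIDE_IN in interface outside
```

The ACL only lifts the low-to-high restriction for TCP/80 to the single DMZ host; with ASA 8.3+ the ACL references the real address, and a static NAT (the deck's "ASA 8.3+ NAT" part) is still needed before Internet hosts can reach 172.16.1.10 at all. Everything else from outside keeps hitting the implicit deny, which is what `show access-list OUTSIDE_IN` hit counts will confirm.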
37/72
ASA BVI-interface configuration
Bridge-group Virtual Interface
connected with bridge-group-command on physical interface
nameif and security-level are required on every member interface (!)
Layer 3 configuration on BVI
```cisco
interface GigabitEthernet1/2
 bridge-group 1
 nameif Private_1
 security-level 100
interface GigabitEthernet1/3
 bridge-group 1
 nameif Private_2
 security-level 100
interface BVI1
 nameif Private
 security-level 100
 ip address 10.0.0.1 255.255.255.0
```
38/72
Configure a (Default) Static Route
Syntax: route int_name NWA SNM Next-Hop-IP
Example: route outside 0.0.0.0 0.0.0.0 192.0.2.1
dynamic routing is not within the scope of this session
39/72
Configure Telnet Access
passwd password
Define subnet and interface for telnet clients:
– telnet NWA SNM if_name (IPv4)
– telnet PF/PFL if_name (IPv6)
– (multiple statements are allowed)
telnet timeout minutes
aaa authentication telnet console LOCAL (LOCAL is predefined and case sensitive)
clear configure telnet (remove all telnet config from running-config)
show run telnet (shows only telnet configuration)
40/72
Configure SSH Access
Create user DB:
– username name password password
aaa authentication ssh console LOCAL (LOCAL is predefined and case sensitive)
crypto key generate rsa modulus modulus (2048 recommended)
ssh version { 1 | 2 }
ssh timeout minutes
Define subnet and interface for SSH clients:
– ssh NWA SNM if_name (IPv4)
– ssh PF/PFL if_name (IPv6)
– (multiple statements are allowed)
clear configure ssh (remove all SSH config from running-config)
41/72
Configure Clock
Manual: clock set ?
ntp server IP-address [ key keyid ]
ntp authenticate
ntp trusted-key keyid
ntp authentication-key keyid md5 key
clock timezone zone-name {+ | -}hours [ minutes ]
clock summer-time CEST last sunday March 02:00 last sunday October 03:00
42/72
Configure DHCP Server
Only 1 “pool” is possible:
– dhcpd address IP_from[-IP_to] if_name
Default lease length is 1 hour (3600 seconds):
– dhcpd lease-length seconds
Optionally give DNS info:
– dhcpd dns dnsIP1 [ dnsIP2 ]
– dhcpd domain domainname
dhcpd enable if_name
Depending on license a number of DHCP-clients are supported:
– ASA Base License: 32 (for 10 concurrent users)
– with 50 concurrent users: 128 DHCP clients
– with “unlimited” users: 256 DHCP clients
43/72
Configure DHCP Server
To give information that was learned through external DHCP (outside interface) to internal DHCP clients:
– dhcpd auto_config outside
show dhcpd state (state for inside/outside/... interfaces)
show dhcpd binding
show dhcpd statistics
clear dhcpd binding
clear dhcpd statistics
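As an added example (not part of the slides) covering the Configure Clock and Configure DHCP Server slides together, this is a time and DHCP configuration for the "inside" interface. Time zone, server addresses, key id, key value, pool range and domain are constructed placeholders; the NTP key string must be replaced with a real shared secret.

```cisco
! Added example, not from the slides. Addresses, key id/value and domain are constructed.
!
! Local time zone and Central European summer time, as on the clock slide.
clock timezone CET 1
clock summer-time CEST last sunday March 02:00 last sunday October 03:00
!
! Authenticated NTP: only a server that knows key 1 may set the clock, so log and
! certificate timestamps cannot be shifted by an unauthenticated NTP source.
ntp authentication-key 1 md5 NTP_SHARED_KEY_PLACEHOLDER
ntp trusted-key 1
ntp authenticate
ntp server 192.168.1.250 key 1
!
! One DHCP pool on inside: 32 addresses (the Base License client limit from the
! slides), excluding the ASA's own address 192.168.1.1 and the servers at .250/.251.
dhcpd address 192.168.1.100-192.168.1.131 inside
! Lease of 8 hours instead of the 3600-second default.
dhcpd lease-length 28800
dhcpd dns 192.168.1.250 192.168.1.251
dhcpd domain lab.example
! Alternative to the two lines above: hand out what the outside DHCP server gave us
!   dhcpd auto_config outside
dhcpd enable inside
```

After applying it, `show dhcpd binding` and `show dhcpd statistics` from the slide verify the pool, and `show ntp associations` shows whether the authenticated peer was accepted.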
44/72
Local User Database
username admin1 password class
username admin2 password class privilege 15
The local userdatabase is known as “LOCAL” (case sensitive) in AAA method lists
45/72
Define AAA Servers
aaa-server SRVLIST protocol { radius | tacacs+ | ...}
aaa-server SRVLIST (inside) host 10.1.1.2 shared-secret
The shared secret is not shown in the running-config (!)
There are more authentication protocols available than RADIUS/TACACS+
Define a method-list:
– aaa authentication { enable | serial | telnet | ssh | http } console SRVLIST LOCAL
– Only two methods can be used.
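As an added example (not part of the slides) tying together the Telnet/SSH access, Local User Database and AAA Servers slides, this configures SSH-only management with a RADIUS server group and the local database as fallback. The server address, shared secret, username and password are constructed placeholders.

```cisco
! Added example, not from the slides. Server address, secret and credentials are constructed.
!
! Local fallback account; privilege 15 so it can enter enable mode once authenticated.
username admin2 password S3cureLabPassw0rd-PLACEHOLDER privilege 15
!
! RADIUS server group reachable via inside; the shared secret is not shown in show run.
aaa-server RADGRP protocol radius
aaa-server RADGRP (inside) host 192.168.1.250 RadiusSecret-PLACEHOLDER
!
! Method lists: at most two methods. LOCAL (case sensitive) is the fallback that is
! consulted only when the whole RADIUS group is unreachable, not on a rejected login.
aaa authentication ssh console RADGRP LOCAL
aaa authentication enable console RADGRP LOCAL
!
! SSH: 2048-bit host key, version 2 only, clients restricted to the inside management subnet.
crypto key generate rsa modulus 2048
ssh version 2
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
!
! No cleartext management at all: remove every telnet statement from the running-config.
clear configure telnet
```

Check the result with `show run ssh` and `show run telnet` (the latter should now be empty) and `show run aaa`; because the method list has only two slots, putting the server group first and LOCAL second is the only ordering that still gives an emergency login when the RADIUS server is down.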
46/72
No questions yet?
47/72
ASA Firewall Rules
48/72
Access Control Lists
Standard or extended, but only named ACLs
No wildcard masks (WCM), but subnet masks (SNM)
Also possible to specify source/destination interface
Multiple access-list statements make one ACL
```cisco
ASA(config)# access-list ACL1 extended permit ?
configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ip
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  tcp
  udp
<output omitted>
```
(config)# access-group access-list {in|out} interface if_name [ control-plane ]
49/72
Filtering
Automatic filtering with system of security-levels
What with interfaces on the same level?
```cisco
(config)# same-security-traffic permit ?
configure mode commands/options:
  inter-interface  Permit communication between different interfaces with the same security level
  intra-interface  Permit communication between peers connected to the same interface
```
ASA-5505: intra-interface for members of same VLAN
ASA-5506-X: inter-interface for members of same bridge-group
Objects and Object Groups
ACLs
50/72
Objects / Object-Groups
One namespace shared by objects and object-groups
Objects
– Network objects: hosts, subnets, range
– Service objects: L4 protocols with source or destination port numbers
Object-Groups
– Network: hosts, subnets, range or other network objects/object-groups
– Service: L4 protocols with source or destination port numbers or other service objects/object-groups
– ICMP-type object-groups
– Protocol object-groups: protocols carried by IP
– User object-groups (no CCNA Security topic)
– Security object-groups (no CCNA Security topic)
51/72
Network Object-Groups
(config)# object-group network NWG
(config-network)# ?
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for network object-group configuration commands
  network-object  Configure a network object
  no              Remove an object or description from object-group

(config-network)# network-object ?
network-object-group mode commands/options:
  Hostname or A.B.C.D  Enter an IPv4 network address
  X:X:X:X::X/<0-128>   Enter an IPv6 prefix
  host                 Enter this keyword to specify a single host
  object
52/72
Service Object-Groups
(config)# object-group service SRV
(config-service)# ?
  description     Specify description text
  group-object    Configure an object group as an object
  help            Help for service object-group configuration commands
  no              Remove an object or description from object-group
  service-object  Configure a service object

(config-service)# service-object ?
dual-service-object-group mode commands/options:
  <0-255>  Enter protocol number (0 - 255)
  icmp
  icmp6
  ip
  tcp
  tcp-udp  Both TCP & UDP
  udp
<output omitted>
53/72
Service Object-Groups
service-object tcp [ operator ] <dstport or name>
service-object tcp source [ operator ] <srcport or name>
operator:
eq
neq
gt
lt
range
54/72
Other Object-Groups / Objects
ICMP-type object groups
Protocol object groups (allows for protocol selection: 6, 17, 47, 50, 51, 88, 89, …)
There are also Network Objects / Service Objects (NOT GROUPS)
– to define addresses in some way (subnet, ...)
– to define services in some way (port number, ...)
55/72
Objects & Object Groups: When?
NAT-definition (on 8.3+) is only possible with “Network Objects”
Since the same namespace is used, you can choose
Network Object-Groups have no “range” or “subnet”-statement
IPv6 Object-Groups can NOT be nested
Perhaps it is easier to use
– objects only for NAT
– object groups for Access Control Lists
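Because objects and object-groups share one namespace but accept different statements, generating the CLI from a small, validated data model is a practical way to avoid the mismatches named above. The generator below is an added example, not code from the slides or from Cisco: it emits the `object network`, `object-group network`, `object-group service`, `access-list` and `access-group` syntax shown on the previous slides and enforces the caveats in code: `object network` takes host / subnet / range (the forms used for 8.3+ NAT), a network object-group only takes `network-object host|A.B.C.D MASK|object NAME` lines plus `group-object` nesting (no range or subnet keyword), and a service object-group takes one of eq/neq/gt/lt/range on the destination or, with `source`, the source port. All names and addresses in `sample_config()` are constructed.

```python
"""Emit ASA object, object-group and access-list CLI from Python data (constructed example)."""
from ipaddress import ip_network

OPERATOR_ARITY = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}   # operands per operator
L4_PROTOCOLS = ("tcp", "udp", "tcp-udp")


def _mask_form(cidr):
    """'192.168.0.0/16' -> '192.168.0.0 255.255.0.0': the ASA wants a subnet mask, never a wildcard."""
    net = ip_network(cidr, strict=True)       # strict: host bits set is treated as a configuration error
    return f"{net.network_address} {net.netmask}"


def object_network(name, kind, *args):
    """object network NAME / host A | subnet A MASK | range A B."""
    if kind == "host" and len(args) == 1:
        body = f" host {args[0]}"
    elif kind == "subnet" and len(args) == 1:
        body = f" subnet {_mask_form(args[0])}"
    elif kind == "range" and len(args) == 2:
        body = f" range {args[0]} {args[1]}"
    else:
        raise ValueError(f"object network {name}: unknown form {kind} {args}")
    return [f"object network {name}", body]


def object_group_network(name, members):
    """object-group network NAME; members are (kind, value) with kind in host/network/object/group."""
    forms = {"host": lambda v: f" network-object host {v}",
             "network": lambda v: f" network-object {_mask_form(v)}",
             "object": lambda v: f" network-object object {v}",
             "group": lambda v: f" group-object {v}"}
    lines = [f"object-group network {name}"]
    for kind, value in members:
        if kind not in forms:     # 'range' and 'subnet' do not exist inside a network object-group
            raise ValueError(f"{kind!r} is not a valid network object-group member")
        lines.append(forms[kind](value))
    return lines


def service_object(proto, operator, ports, source=False):
    """service-object tcp|udp|tcp-udp [source] eq|neq|gt|lt|range PORT [PORT]."""
    if proto not in L4_PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r} for a port operator")
    if operator not in OPERATOR_ARITY or len(ports) != OPERATOR_ARITY[operator]:
        raise ValueError(f"operator {operator!r} takes {OPERATOR_ARITY.get(operator)} port(s)")
    for p in ports:                       # ports may be numbers or ASA service names such as 'www'
        if isinstance(p, int) and not 0 <= p <= 65535:
            raise ValueError(f"port {p} out of range")
    side = " source" if source else ""
    return f" service-object {proto}{side} {operator} {' '.join(str(p) for p in ports)}"


def object_group_service(name, entries):
    """entries: (proto, operator, [ports]) or (proto, operator, [ports], 'source')."""
    lines = [f"object-group service {name}"]
    for entry in entries:
        proto, operator, ports = entry[:3]
        lines.append(service_object(proto, operator, ports, source=len(entry) > 3))
    return lines


def access_list(name, rules, interface, direction="in"):
    """Named extended ACL from (action, service_group, src_group, dst_group) rows, plus its access-group."""
    lines = [f"access-list {name} extended {act} object-group {svc} object-group {src} object-group {dst}"
             for act, svc, src, dst in rules]
    lines.append(f"access-group {name} {direction} interface {interface}")
    return lines


def sample_config():
    """Constructed sample: publish HTTP/HTTPS to a DMZ group and SSH only from an admin network."""
    lines = []
    lines += object_network("WEB1", "host", "192.168.0.17")
    lines += object_group_network("DMZ_SERVERS", [("object", "WEB1"), ("network", "192.168.1.0/24")])
    lines += object_group_network("ADMIN_NET", [("host", "198.51.100.7")])
    lines += object_group_network("ANY4", [("network", "0.0.0.0/0")])
    lines += object_group_service("WEB_PORTS", [("tcp", "eq", [80]), ("tcp", "eq", [443])])
    lines += object_group_service("SSH", [("tcp", "eq", [22])])
    lines += access_list("OUTSIDE_IN", [("permit", "WEB_PORTS", "ANY4", "DMZ_SERVERS"),
                                        ("permit", "SSH", "ADMIN_NET", "DMZ_SERVERS")], "outside")
    return lines


if __name__ == "__main__":
    print("\n".join(sample_config()))
```

Keeping the validation in the generator rather than discovering it at the CLI prompt is the point: a `range` inside a network object-group or an `eq` with two ports fails here, before anything is pasted onto the appliance.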
56/72
Still no questions?
57/72
ASA 8.3+ NAT
58/72
Network Address Translation
Inside NAT: addresses from higher security level have to be changed when transmitted through lower level interface (SNAT)
Outside NAT: addresses from a lower security level have to be changed before being transmitted through a higher level interface (DNAT)
Bidirectional NAT: all of the above
59/72
Network Address Translation
Dynamic NAT: many-to-many
Dynamic PAT: many-to-one
Static NAT: one-to-one (mostly outside to inside)
Policy NAT: Not all traffic has to be NAT-ted the same way.
Twice NAT: used with Remote-Access VPNs (not CCNA Security)
60/72
Dynamic NAT
First, create a network object defining the outside address range:
(config)# object network NOUTSIDE
(config-network-object)# range 192.0.2.1 192.0.2.6
Then, create a network object defining the inside addresses:
(config)# object network NINSIDE
(config-network-object)# subnet 192.168.0.1 255.255.0.0
Within this object, define the NAT rule:
(config-network-object)# nat (inside,outside) dynamic NOUTSIDE
61/72
Dynamic PAT
First, create a network object defining the inside addresses:
(config)# object network NINSIDE
(config-network-object)# subnet 192.168.0.1 255.255.0.0
Within this object, define the NAT rule, translating to the interface IP:
(config-network-object)# nat (inside,outside) dynamic interface
62/72
Static NAT
Mostly used to “publish” an internal server to the internet
Create a network object defining the inside server address:
(config)# object network SERVER
(config-network-object)# host 192.168.0.17
(config-network-object)# nat (inside,outside) static 192.0.2.85
The NAT-statement mentions the outside IP-address of the server.
You still have to make an ACL to allow the traffic IN from a lower to a higher security level!
63/72
Static PAT
If you want to add a port number (to allow for one external IP address and multiple internal servers), the nat syntax is as follows:
(config)# nat (in_if,out_if) static ext_ip service { tcp | udp } out_port in_port
Example:
(config)# nat (inside,outside) static 100.200.100.100 service tcp 2222 22
64/72
NAT Troubleshooting
Actual NAT definition:
# show nat
# show nat detail
Translations:
# show xlate
65/72
Are you guys still with me?
66/72
Modular Policy Framework
67/72
Modular Policy Framework
Class Maps are used to identify the traffic
– Default class map: inspection_default
Policy Maps are used to specify what to do with the traffic:
– Inspect
– Police/shape
– Prepare for RADIUS accounting
– Prepare for NetFlow export
– …
– Default policy-map: global_policy
Service-Policy: connects the Policy to an interface
– If no other policies are defined, the default policy map is used for all traffic on all interfaces
– default: service-policy global_policy global
Related to IOS MQC and C3PL
68/72
Class-Maps
Default Class-Map:
(config)# class-map inspection_default
(config-cmap)# match default-inspection-traffic
– Default inspection traffic: DNS, FTP, HTTP, ICMP, SMTP, TFTP (incomplete list) and TCP/UDP
Within a self-defined Class Map you can match on
– Access-list
– Any packet
– DSCP/precedence value
– TCP/UDP port (destination by default)
– RTP port numbers
– …
show running-config class-map
class-map HTTPTRAFFIC
 match port tcp eq 80
class-map SPECIALTRAFFIC
 match access-list MYACL
69/72
Policy-Map
Default Policy Map
TCP and UDP are automatically inspected
Note the default Policy Map has no inspection for ICMP!!!
Create Policy Map:
(config)# policy-map MYPOLICY
(config-pmap)# class MYCLASS
(config-pmap-c)# inspect protocol
Connect Policy Map to interface:
(config)# service-policy MYPOLICY { global | interface if_name }
The default is:
(config)# service-policy global_policy global

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
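The way class-maps, policy-maps and service-policies combine for the `inspect` action, including the two surprises on the previous slides (HTTP on port 80 is matched by `inspection_default` but not inspected because the default policy has no `inspect http`, and ICMP is not inspected at all until `inspect icmp` is added), is shown by the added model below. It is not code from the slides or from Cisco. `DEFAULT_PORTS` is a constructed subset of the engines' default ports (the slide itself calls its list incomplete), so `global_policy` here lists only the engines the model knows; the class-maps HTTPTRAFFIC and SPECIALTRAFFIC are the slide's, while MYACL's contents, the MYPOLICY policy bound to the outside interface and the sample flows are constructed.

```python
"""Model of ASA Modular Policy Framework matching for the `inspect` action (constructed example)."""

# Engine -> (protocol, low port, high port) that `match default-inspection-traffic` matches for it.
# Constructed subset of the real table.
DEFAULT_PORTS = {
    "dns": ("udp", 53, 53), "ftp": ("tcp", 21, 21), "http": ("tcp", 80, 80),
    "esmtp": ("tcp", 25, 25), "tftp": ("udp", 69, 69), "icmp": ("icmp", 0, 0),
    "rsh": ("tcp", 514, 514), "rtsp": ("tcp", 554, 554), "sqlnet": ("tcp", 1521, 1521),
    "skinny": ("tcp", 2000, 2000), "netbios": ("udp", 137, 138), "xdmcp": ("udp", 177, 177),
}


def engine_on_default_port(engine, flow):
    proto, lo, hi = DEFAULT_PORTS[engine]
    return proto == flow["proto"] and (proto == "icmp" or lo <= flow["dport"] <= hi)


def acl_matches(acl, flow):
    """Minimal access-list: (proto, dport) pairs; 'ip' or None act as wildcards."""
    return any((p == "ip" or p == flow["proto"]) and (d is None or d == flow["dport"]) for p, d in acl)


def class_matches(match, flow, acls):
    """Evaluate one class-map `match` statement against a flow {'proto', 'dport'}."""
    kind = match[0]
    if kind == "any":
        return True
    if kind == "default-inspection-traffic":
        return any(engine_on_default_port(e, flow) for e in DEFAULT_PORTS)
    if kind == "port":                    # ("port", proto, "eq"|"range", p1[, p2]); destination port
        _, proto, op, *ports = match
        if proto != flow["proto"]:
            return False
        return flow["dport"] == ports[0] if op == "eq" else ports[0] <= flow["dport"] <= ports[1]
    if kind == "access-list":
        return acl_matches(acls[match[1]], flow)
    raise ValueError(f"unsupported match {match}")


def inspections(policy, class_maps, flow, acls):
    """Inspect actions from one policy-map: the first matching class decides (one inspection class per packet)."""
    for class_name, actions in policy:
        match = class_maps[class_name]
        if not class_matches(match, flow, acls):
            continue
        if match[0] == "default-inspection-traffic":
            # Inside inspection_default, `inspect X` only fires for traffic on X's own default port.
            return {x for x in actions if engine_on_default_port(x, flow)}
        return set(actions)
    return set()


def applied(flow, ingress, service_policies, policies, class_maps, acls):
    """service_policies: {'global': name, '<interface>': name}. Interface policy first, then global."""
    result = set()
    for scope in (ingress, "global"):
        if scope in service_policies:
            result |= inspections(policies[service_policies[scope]], class_maps, flow, acls)
    return result


def add_inspection(policies, policy_name, class_name, engine):
    """Equivalent of: policy-map NAME / class CLASS / inspect ENGINE."""
    for name, actions in policies[policy_name]:
        if name == class_name:
            actions.append(engine)
            return
    policies[policy_name].append((class_name, [engine]))


CLASS_MAPS = {"inspection_default": ("default-inspection-traffic",),
              "HTTPTRAFFIC": ("port", "tcp", "eq", 80),          # class-map HTTPTRAFFIC / match port tcp eq 80
              "SPECIALTRAFFIC": ("access-list", "MYACL")}        # class-map SPECIALTRAFFIC / match access-list MYACL
ACLS = {"MYACL": [("tcp", 8080)]}                                 # constructed contents
POLICIES = {
    # global_policy with the engines this toy model has default ports for
    "global_policy": [("inspection_default",
                       ["dns", "ftp", "netbios", "rsh", "rtsp", "skinny", "esmtp", "sqlnet", "tftp", "xdmcp"])],
    "MYPOLICY": [("HTTPTRAFFIC", ["http"]), ("SPECIALTRAFFIC", ["http"])],   # constructed
}
SERVICE_POLICIES = {"global": "global_policy", "outside": "MYPOLICY"}   # service-policy MYPOLICY interface outside


def what_is_inspected(proto, dport, ingress="inside"):
    return applied({"proto": proto, "dport": dport}, ingress, SERVICE_POLICIES, POLICIES, CLASS_MAPS, ACLS)


if __name__ == "__main__":
    for proto, dport, ingress in [("udp", 53, "inside"), ("tcp", 80, "inside"), ("tcp", 80, "outside"),
                                  ("icmp", None, "inside")]:
        print(proto, dport, ingress, sorted(what_is_inspected(proto, dport, ingress)))
```

The practical consequence for the lab: pings through the ASA only get stateful return traffic after `inspect icmp` is added to the default class, or after an ACL on the lower-security interface permits the echo replies.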
70/72
Q&A: shoot!
71/72
Friendly neighbourhood competition!
Let’s Play!
72/72