SMB Security - ASA v1.0 Lab Guide L5698C-001-1 November 2008 by Global Knowledge
Copyright Information
Copyright © 2008 by Global Knowledge Network (S) Pte Ltd. The following publication, SNAF v1.0 Lab Guide, was developed by Global Knowledge Network. All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission of the copyright holder.
This courseware may contain images from Cisco Systems. All Cisco images are copyright Cisco Systems, Inc. Products and company names are the trademarks, registered trademarks, and service marks of their respective owners. Throughout this manual, Global Knowledge has used its best efforts to distinguish proprietary trademarks from descriptive names by following the capitalization styles used by the manufacturer.
Global Knowledge Project Team
Sunny Chan, Project Coordinator
Khor Hee Soo, Product Manager
Lee Kee Piao, Development Manager
190 Middle Road, Fortune Centre, #20-02, Singapore
Phone: +65 6332 2330
Email: [email protected]
www.globalknowledge.com.sg
Printed in Singapore
Table of Contents
Lab 0: Introduction to the Remote Lab System   L0-1
Lab 1: Preparing the ASA for Administration   L1-1
Lab 2: Initial ASA Configuration   L2-1
Lab 3: Translations and Connections   L3-1
Lab 4: ACLs and Object Groups   L4-1
SNAF v1.0 Lab Guide © Global Knowledge
[Figure: SNAF 1.0 Topology. Numbers in parentheses indicate VLAN #. Devices and addressing shown on the diagram:
- GKL-ASA, Perimeter Router and L3-Switch; Inside Perimeter 10.10.0.0/24; Outside Perimeter 200.200.1.0/24; 100.100.1.0/30 (10)
- End User Subnet 10.10.10.0/24 (7): Admin-PC 10.10.10.10 (XP), User-PC 10.10.10.20 (XP)
- Data Center Subnet 10.10.1.0/24 (5): Data-Srv 10.10.1.10 (2K3)
- Management Subnet 10.10.2.0/24 (6): Security-Srv 10.10.2.10 (2K3)
- DMZ Subnet 172.16.1.0/24: DMZ-Srv (3) 172.16.1.15, NAT 200.200.1.15, www.gkl.com (2K)
- Internet side: time.nist.gov 192.43.244.18; Services-R-Us www.sru.com (16) 50.50.50.50 on 50.50.50.0/24 (2K3); Outside-PC 150.150.1.20 pc.outside.net on 150.150.1.0/24 (2K); Site1-PC 10.20.10.10 (XP) on 10.20.10.0/24 (13); 200.200.20.2 (11); BT2 BackTrack2 (location & IP varies)
- VLAN labels (2) and (4) also appear on the perimeter links.]
L0 Introduction to the Remote Lab System
L0-1 © Global Knowledge Training LLC
Lab Overview
The purpose of this lab is to introduce you to the features of the Global Knowledge Remote Labs system. A quick familiarization with the system will prepare you for the labs presented in this course.
Estimated Completion Time: 20 minutes
Lab Procedures
1. Logging In
2. Controlling Your Pod
3. Using the Virtual Machines
4. Pseudo-Physical Device Access
Logging In
Initial access to the Global Knowledge Remote Labs System is performed with a web browser connection to www.remotelabs.com.
1. On your local PC, open a web browser and connect to www.remotelabs.com.
2. Enter your credentials and click Log In.
3. The main remotelabs.com page displays several things:
- The title and topology display for the lab that is currently set up.
- The current date and time, and how much time is left on your reservation.
- Various control and help links, which will be highlighted in this lab.
Controlling Your Pod
One feature of the Global Knowledge Remote Labs System is the ability to reset your pod to the initial starting point for any of the labs for which your user id has privileges. You will be shown how to do this in this section of the lab.
4. To control your pod, expand the pod link, so the underlying options are displayed.
5. First, select the Information link.
5.1. The Pod Information window opens.
5.2. If there are any problems with your pod, this information must be provided to the Global Knowledge Helpdesk to identify the pod which is malfunctioning.
5.3. Close the Pod Information window.
6. Next, select the Setup Results link.
6.1. The Setup Results window will open.
6.2. It is expected that you will see the message “All setup activity for this reservation has been successful” highlighted in green. If you instead see a failure message highlighted in red, you should inform your instructor.
6.3. Close the Setup Results window.
7. Now, select the Reset To… link.
7.1. The Reset To… window opens.
7.2. Expand the Lab Document drop down menu. A list of all the labs for which your user id has privileges is displayed.
7.3. Don’t perform the operation now. Your pod should currently be prepared for either Lab 0 or Lab 1 of this class. Lab 0 and Lab 1 have identical reset settings, and are hence equivalent from a reset perspective. But understand that resetting to the starting point of any particular lab is as simple as selecting the lab from the Lab Document list and clicking the Reset button. When you do this, the reset operation will start and a progress indicator window will open. You must wait for the progress indicator to complete before accessing your pod. At the setup completion, a new Setup Results window will be displayed.
7.4. Click Cancel to close the Reset To… window.
Using the Virtual Machines
While control of the pod is performed from the remotelabs.com web page, the labs are performed from a VMware console. As in most real-world environments, administrators and users don’t usually interact directly with network devices. They use PCs and workstations to access network devices and network services. You will use several virtual machine instances, placed strategically around the lab network topology, to complete the administration and testing of the lab scenarios.
8. Select a Graphical Firewall Method:
8.1. Expand the Graphical Firewall drop down list.
8.2. Select the appropriate option. In an instructor-led class, unless your instructor provides other direction, RDP is the appropriate option. A description of the 3 options available:
- RDP: This will use the native Remote Desktop Protocol. It will provide the optimal user experience, but in some cases is blocked by firewalls between your location and the internet.
- RDP 443: This will still use the Remote Desktop Protocol, but it will connect to TCP port 443 instead of the RDP standard TCP 3389. This will also provide an optimal user experience and may work where standard RDP does not. It will work when a stateful firewall permits TCP connections for HTTPS (TCP port 443). Note that it may not work if the firewall performs deep packet inspection or if a proxy server is in the network path; both of these systems will recognize that it is not standard HTTPS.
- Tarantella: This option will work in most firewalled environments, even when proxy servers are used. Tarantella will encapsulate the RDP connection within a standard HTTPS connection. If the other options fail, you should use this option. Tarantella is functional, but it is not as responsive as the two RDP methods above, hence the user experience is diminished.
9. Connect to the VMware Server Console:
9.1. Click the PC-Console link. Depending on whether you are using Firefox or Internet Explorer, the behavior will be different.
- Internet Explorer: Internet Explorer will display the contents of an “rdp” file, which is a configuration file for the Remote Desktop Client. To launch the Remote Desktop Client, use File > Edit with Remote Desktop Connection.
- Firefox: Firefox will ask whether you would like to open the file with the default application or save it to disk. Firefox does not have a default application registered, so it will use whatever the base OS provides. With Firefox, choose to Open with RDP.File (default).
9.2. Log in to the Remote Desktop. The credentials are the same as the www.remotelabs.com credentials.
10. Set up the VMware Server Console:
10.1. If the Inventory window is displayed, close it. It is not required when working with the remote labs.
10.2. The VMware Console will be running in the Remote Desktop Connection. However, none of the VMs will be open. Click the Open Existing Virtual Machine button.
10.3. A list of all the running virtual machines will be displayed. Select all of the VMs by clicking the top VM in the list, then Shift-clicking the last VM in the list. With all of the VMs selected, click OK. The VMs should open one after the other, displaying a tab per VM at the top of the window.
10.4. From the VMware Server Console menus, select View > Quick Switch.
10.5. The Remote Desktop Client window should now be optimized for use with the remote labs system:
- The VMware server’s menus should be hidden from view.
- Across the top of the window are a set of tabs from which the VMs can be selected.
- The current VM’s tab is highlighted.
- The full desktop of the current VM is displayed (there should not be any scrollbars to move around within the VM desktop).
The display should look similar to the following diagram:
10.6. The VMware Console’s menus are hidden, but can still be accessed by hovering the mouse pointer in the window’s title bar. Access the VMware Console menu and verify that the options Quick Switch, Autofit Guest and Tabs are all selected, and that no other features under View are selected:
Warning
One last note to be aware of: even though Autofit Guest is selected, sometimes the VMware console does not properly update the desktop of the VM to fit the console window. If this ever happens, select View > Fit Guest Now from the VMware console menu.
11. Familiarize yourself with the VM desktops:
Note
There are several ways to recognize which VM you are currently using. The highlighted tab at the top of the window is the most obvious. Also, the background color for each VM is unique. Most VMs have identity information displayed in the center of their desktops. And the Windows-based VMs have their “My Computer” icon renamed with the identity of the VM.
11.1. Select the Admin PC’s tab. The Admin PC’s desktop should be displayed. The majority of the lab work will be done from the Admin PC. Think of it as the PC the network administrator has in their office. For efficiency, the most commonly used applications are included on the Windows quick launch bar. They are similar between VMs. The Admin PC’s quick launch bar is illustrated as an example:
11.2. From left to right, the icons on the quick launch bar are for:
- Show Desktop
- Outlook Express (Email Client)
- Windows Command Prompt
- Windows Explorer
- WordPad
- PuTTY (SSH Client)
- Internet Explorer
- Firefox
11.3. One other common item worth pointing out is the 3C Daemon. Many of the VMs use the 3C Daemon as a Syslog Server, FTP Server and TFTP Server. When the 3C Daemon is operational, its icon shows up in the Windows status tray.
A common mistake in the lab environment, after using the 3C Daemon, is to close the 3C Daemon window. If you close the 3C Daemon window, you terminate the application, and future steps which require the 3C Daemon’s services will fail. The correct operation is to minimize the 3C Daemon window, which minimizes it to the Windows status tray. If it is accidentally terminated, it can be restarted from the Windows start bar.
Pseudo-Physical Device Access
While it is most common for network administrators to use protocols like SSH and HTTPS to administer devices remotely, there are times when physical access is necessary. When a device is unconfigured, it doesn’t have any IP addresses to accept connections. When a device has a problem with flash, it can’t load its operating system. When passwords are lost, password recovery requires power cycling the device. When you need direct access to a device’s console port or when you need to power cycle a device, you must use the Access PC.
12. Go to the desktop of the Access PC.
13. If necessary, launch Internet Explorer. If necessary, log in using your remotelabs.com credentials.
14. A different version of the remotelabs.com interface is displayed.
14.1. This time, instead of offering Graphical Firewall settings, it offers Character Firewall settings. From the Access PC, this should always be set to Standard. Do not change it.
14.2. The Pod link is still available, but it does not offer the Reset To… option. This is only available on the external remotelabs.com interface.
14.3. Below the Pod link, there are a series of links associated with different devices such as the L3-Switch, Perim-Rtr and Internet-Rtr. The list of devices varies between classes.
15. For a demonstration, expand the Internet-Rtr link:
15.1. Five options are available for each device. They are:
- HyperTerminal – this will open a HyperTerminal window, connecting to the device’s console port using a remotelabs.com access server.
- Default Telnet – this will open a Tera Term Pro window, connecting to the device’s console port using a remotelabs.com access server.
- Power Off – this will power off the associated device.
- Power On – this will power on the associated device.
- Clear Line – if the Default Telnet and HyperTerminal options are not working, it is likely that the remotelabs.com access server believes the line to the console port is already in use. Use Clear Line to reset the line and make it available for use.
15.2. Connect to the console port of the Internet Router:
15.2.1. Click the Default Telnet link. A Tera Term window opens.
15.2.2. You are challenged for a password. At this point, you are not yet authenticating to the Internet Router’s console port. You are authenticating to the remotelabs.com access server. Enter your remotelabs.com password (the user ID is not required).
15.2.3. If the password was accepted, you are now connected to the Internet Router’s console port. Hit Enter to stimulate the console line.
15.2.4. To log in to the Internet router, use admin for the username and admin$Pwd for the password.
15.3. Demonstrate that you are connected to the console port of the Internet Router.
15.3.1. Enter the command show users.

    InternetRouter>show users
        Line       User       Host(s)              Idle       Location
    *  0 con 0     admin      idle                 00:00:00

      Interface    User               Mode         Idle     Peer Address

Note
The line to which you are connected is con 0.
15.3.2. From the remotelabs.com interface, under Internet-Rtr, select Power Off, and click OK to confirm you wish to power off the device.
15.3.3. Return to the Tera Term window. Try hitting Enter a few times. You will get no response. The Internet Router has been powered off.
15.3.4. From the remotelabs.com interface, under Internet-Rtr, select Power On. No confirmation is necessary.
15.3.5. Return to the Tera Term window. You will be able to watch the Power On Self Test messages as the Internet Router boots.
16. You do not have to wait for the Internet Router to fully boot. Close the Tera Term window, and move on to Lab 1. The Internet Router should be rebooted before it is required in Lab 1.
Lab Complete
L1 Preparing the ASA for Administration
Lab Overview
The goal of this lab is to prepare the ASA for remote administration, by both SSH and HTTPS/ASDM. You will find the ASA currently has an unusable configuration. You will have to access it via its physical console port and reset the configuration back to factory defaults. You will then use the setup dialog to configure the inside interface and enable ASDM access via HTTP. You will also enable SSH from the CLI. You will then test SSH access from the Admin PC. You will also install and configure ASDM on the Admin PC and test initial access with ASDM.
Estimated Completion Time: 30 minutes
Lab Procedures
1. Access the ASA Console Port
2. Clearing an Existing Configuration
3. Taking Inventory of the ASA
4. The Setup Dialog
5. Enable SSH
6. Setup ASDM
7. Verify the ASA Configuration
Access the ASA Console Port
Currently the ASA has a tiny, dysfunctional configuration. There is no way to manage it across the network. Much of this lab will need to be completed from the ASA’s physical console port. Use the Access PC and the remotelabs.com interface to connect to the ASA’s console port.
1. Use the Access-PC to reach the remotelabs.com interface for access to the ASA’s console port:
1.1. Go to the desktop of the Access-PC.
1.2. If necessary, launch Internet Explorer, connect to www.remotelabs.com and log in using your remotelabs.com credentials.
1.3. In the remotelabs.com interface, expand the ASA link and select Default Telnet. A Tera Term Pro window opens. (If you prefer HyperTerminal over Tera Term Pro, you could instead select HyperTerminal.)
1.4. The password challenge will be from the remotelabs.com access server, not the ASA. Enter your remotelabs.com password to access the ASA console port.
1.5. After authenticating to the access server, hit Enter to stimulate the console port. You should see TempConfig> as the prompt.
Clearing an Existing Configuration
At this point in the lab, the ASA is almost in a default configuration. Only two things are configured: a hostname (TempConfig) and an enable password (san-fran). In this section of the lab you will experiment with two ways of setting an ASA configuration back to factory default. The first is to use the clear configure all command. You will see that this clears most of the configuration, but leaves the enable password intact. The second method is to erase the startup configuration (write erase) and reboot the ASA (reload). This takes a little longer, but it guarantees that the configuration is truly factory default.
2. Establish yourself in privileged mode with the enable command, using the password san-fran. Then move on to configuration mode with the configure terminal command (abbreviated here as conf t):

    TempConfig> enable
    Password: san-fran
    TempConfig# conf t
    TempConfig(config)#

3. Use the clear configure all command to reset the configuration almost to factory default.

    TempConfig(config)# clear config all
    ciscoasa(config)#

Note
The hostname has returned to the default of ciscoasa, as evidenced by the new command prompt.
4. Demonstrate that the enable password was not reset by the clear configure all command. Leave configuration mode and privileged mode, and then attempt re-entry. It will require the old enable password to reach privileged mode:

    ciscoasa(config)# exit
    ciscoasa# disable
    ciscoasa> enable
    Password:
    Invalid password
    Password: san-fran
    ciscoasa#

5. Use the write erase command to clear the startup configuration from flash:

    ciscoasa# write erase
    Erase configuration in flash memory? [confirm]
    [OK]

6. Reboot the ASA with the reload command. DO NOT save the modified configuration (the whole point is to boot with a blank configuration)!

    ciscoasa# reload
    System config has been modified. Save? [Y]es/[N]o: n
    Proceed with reload? [confirm]

7. After the reload finishes, there is no startup configuration, so the ASA offers to run the setup configuration dialog. You will run the setup dialog later; for now you should answer no. If you accidentally hit Enter and the setup dialog has started, you can use to terminate the dialog.

    Pre-configure Firewall now through interactive prompts [yes]? no
    Type help or '?' for a list of available commands.
    ciscoasa>
Taking Inventory of the ASA
In this section of the lab you will use some simple show commands to determine the characteristics of the ASA that you are using.
8. The show version command shows much more than the OS version. Use the show version command and answer the questions that follow the example:

    ciscoasa> show version

    Cisco Adaptive Security Appliance Software Version 8.0(2)
    Device Manager Version 6.0(2)

    Compiled on Fri 15-Jun-07 19:29 by builders
    System image file is "disk0:/asa802-k8.bin"
    Config file at boot was "startup-config"

    ciscoasa up 2 mins 9 secs

    Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLmPLUS-2.01
                                 IPSec microcode  : CNlite-MC-IPSECmMAIN-2.04
     0: Ext: GigabitEthernet0/0  : address is 0018.195b.d7dc, irq 9
     1: Ext: GigabitEthernet0/1  : address is 0018.195b.d7dd, irq 9
     2: Ext: GigabitEthernet0/2  : address is 0018.195b.d7de, irq 9
     3: Ext: GigabitEthernet0/3  : address is 0018.195b.d7df, irq 9
     4: Ext: Management0/0       : address is 0018.195b.d7e0, irq 11
     5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
     6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    VPN Peers                    : 750
    WebVPN Peers                 : 2
    Advanced Endpoint Assessment : Disabled

    This platform has an ASA 5520 VPN Plus license.

    Serial Number: JMX1032K00G
    Running Activation Key: 0xb10f664d 0x445025ed 0x8c61e184 0x823c68b0 0x093a9a82
    Configuration register is 0x1
    Configuration has not been modified since last system restart.
- What software version is running on the ASA? ______________________
- Which version of ASDM is running? ______________________________
- How long has the ASA been up and running? ______________________
- What is the ASA Model Number? ________________________________
- How much RAM is installed? ___________________________________
- How much flash is installed? ____________________________________
- What type of Failover license is available? _________________________
- Do you have DES, 3DES and AES encryption available? _______________
- How many security contexts are available? ___________________________
- How many (IPsec) VPN peers are licensed? __________________________
- How many WebVPN peers are licensed? _____________________________
9. Go to privileged mode so you can run some privileged show commands. Note that the enable password is now blank:

    ciscoasa> enable
    Password:
    ciscoasa#

10. Verify how much memory is in use with the show memory command:

    ciscoasa# show memory
    Free memory:       433418720 bytes (81%)
    Used memory:       103452192 bytes (19%)
    -------------     ----------------
    Total memory:      536870912 bytes (100%)

11. View the files in flash and determine how much free flash is available:

    ciscoasa# show flash
    --#--  --length--  -----date/time------  path
       65  14524416    Feb 26 2008 15:31:04  asa803-k8.bin
       66  6889764     Feb 26 2008 15:32:58  asdm-603.bin
        2  8192        Jun 07 2003 22:36:18  log
        6  8192        Jun 07 2003 22:36:30  crypto_archive

    255426560 bytes total (231358464 bytes free)
12. View the running configuration with the show running-config command. Note that the configuration is currently defaulted – all of the interfaces are shut down with no IP addresses configured. But there are still many firewall configuration settings in place by default, including connection timers and inspection settings.

    ciscoasa# show running-config
    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface GigabitEthernet0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/1
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    pager lines 24
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end
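The point of this step is that a "defaulted" ASA is not an empty one: interfaces are down, but timers and management-plane settings are already in place. As an added example (not from the lab guide), the following Python snippet parses a constructed excerpt of the running-config above, with the one-space indentation ASA uses for interface sub-commands restored, and reports what a reviewer checks before opening up management access: interfaces still shut down, idle timeouts of 0, and whether any ssh or telnet access lines exist yet.

```python
import re

# Constructed sample: management-plane and interface lines from the defaulted
# running-config shown in this lab (not the full config). ASA indents
# sub-commands by one space; the extracted text above had lost that.
RUNNING_CONFIG = """\
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
no failover
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
!
service-policy global_policy global
: end
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from ASA running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any non-indented line closes the interface block
    return interfaces


def audit_management_plane(config):
    """List the settings a reviewer checks before management access is enabled."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds or "no ip address" in cmds:
            findings.append(f"{name}: shut down / unaddressed (expected on a defaulted ASA)")
    # '<path> timeout 0' means an idle session on that path never expires.
    for proto in ("telnet", "ssh", "console"):
        m = re.search(rf"^{proto} timeout (\d+)$", config, re.M)
        if m and int(m.group(1)) == 0:
            findings.append(f"{proto} timeout 0: idle {proto} sessions never expire")
    # Access lines have the form 'ssh <addr> <mask> <ifname>' / 'telnet <addr> <mask> <ifname>'.
    if not re.search(r"^ssh \d", config, re.M):
        findings.append("no ssh access line: SSH management not yet permitted from anywhere")
    if re.search(r"^telnet \d", config, re.M):
        findings.append("telnet access line present: cleartext management protocol enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(RUNNING_CONFIG):
        print(finding)
```

The same audit run after the SSH step later in this lab should drop the "no ssh access line" finding and show no telnet line.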
The Setup Dialog
Like IOS routers, ASAs offer a setup dialog when they are booted without a startup configuration. Also like IOS routers, you can run the setup dialog at any time. However, the purpose of the setup dialog is quite different. On an IOS router, the setup dialog asks many questions, and when done the router is ready to act as a router (with a very simple configuration). On the ASA, the setup dialog only sets up one interface, so the ASA won’t be configured to be a firewall after setup is complete. What it will be ready to do, however, is support ASDM.
13. Use the configure terminal command to reach global configuration mode.

    ciscoasa# conf t
    ciscoasa(config)#

14. Setup requires the inside interface to be assigned before it is executed from the CLI. Assign the interface Gi0/1 the name inside:

    ciscoasa(config)# int g0/1
    ciscoasa(config-if)# nameif inside
    INFO: Security level for "inside" set to 100 by default.

15. Now run the setup dialog, responding as shown in this example:

    ciscoasa(config-if)# setup
    Pre-configure Firewall now through interactive prompts [yes]?
    Firewall Mode [Routed]:
    Enable password [