Cisco & Cisco Network Hardware News and Technology

How to Configure SNMP V3 on Cisco ASA and IOS?

April 28 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Here we will focus on SNMP V3 configuration on Cisco ASAs with a brief overview of an IOS configuration. This article assumes a basic understanding of SNMP and its operation.

 

The most common and sought-after reason for upgrading to SNMP V3 is security. SNMP versions 1 and 2(c) transmit data between the SNMP server and the SNMP agent “in the clear”.

This makes your infrastructure and its devices far more vulnerable to attack and/or misuse. Weak SNMP hands attackers the low-hanging fruit they often need to extend an attack further into the network.

 

SNMP V3’s focus was to improve this security flaw. SNMP V3 adds authentication and privacy options to secure its communication between SNMP servers and SNMP agents.

 

SNMP V3 Security Models

The authentication (auth) and privacy (priv) options are grouped into security models.

  • NoAuthPriv – no authentication and no privacy
  • AuthNoPriv – authentication and no privacy
  • AuthPriv – you guessed it – authentication and privacy

 

SNMP Groups

SNMP groups provide an access control policy to which users are added. The user will inherit the security model of the group. If the SNMP group “SEC3” has the AuthPriv security model, users assigned to it will inherit the AuthPriv security model.

 

SNMP Users

SNMP users are assigned a username, a group to which they belong, authentication password, encryption password, and associated algorithms to use.

Authentication algorithms are MD5 and SHA
Encryption algorithms are DES, 3DES, and AES (128,192,256)

 

SNMP Host

An SNMP host is the server to which SNMP notifications and traps are sent. SNMP V3 hosts require the SNMP server IP address and SNMP username. Each SNMP host can only have one username associated with it. The user credentials on the NMS (CiscoWorks, Solarwinds, etc.) must match the SNMP username credentials.

Configuring SNMP V3:

Note – the brackets <> are used to indicate a variable you assign a name to. I used these brackets to emphasize these important variables.

  1. Enable SNMP
    snmp-server enable
  2. Enable the SNMP traps (this will change depending on environment and business requirements). The following example enables all traps, but this could be limited to a subset.
    snmp-server enable traps all
  3. Create the SNMP group
    Note the following meanings:
    auth indicates authentication only
    noauth indicates no authentication or encryption
    priv indicates encryption and authentication
    snmp-server group <GROUPNAME> v3 {auth | noauth | priv}
  4. Create the SNMP user
    snmp-server user <USERNAME> <GROUPNAME> v3 auth md5 <AUTHENTICATION-PASSWORD> priv aes 128 <ENCRYPTION-KEY>
    (The encrypted keyword that show run prints before auth tells the ASA that the passwords which follow are already in encrypted hexadecimal form; leave it out when typing cleartext passwords.)
  5. Create the SNMP server host
    snmp-server host <INTERFACE-NAME> <HOSTNAME> version 3 <USERNAME>

 

Full Configuration Example for the Cisco ASA (Version 8.4)

snmp-server group SEC3GROUP v3 priv
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server host mgmt 10.20.30.10 version 3 SNMPUSER3
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps ipsec start stop
snmp-server enable traps remote-access session-threshold-exceeded

(The group name on the user line must match the group created on the line before it, and the passwords are entered in cleartext, so the encrypted keyword is not used.)

 

Full Configuration Example for the Cisco IOS

snmp-server view SNMPMGR iso included
snmp-server group SEC3GROUP v3 priv read SNMPMGR write SNMPMGR notify SNMPMGR
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server enable traps config

 

Note – in IOS you won’t see the following line in the running configuration:
snmp-server user SNMPUSER3 SEC3GROUP v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey

IOS hides the authentication password and encryption key from “show run” and “show startup”.
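As an added example (not part of the original post), the script below reads snmp-server lines in the ASA/IOS syntax shown above and flags the weak points the article warns about: v1/v2c community strings, NoAuthNoPriv or AuthNoPriv groups, users whose group does not exist, MD5 or DES, and trap hosts not using version 3. The config it reads is a constructed sample; the function names are my own.

```python
import re

# Constructed sample running-config fragment (not from a real device). It deliberately
# contains a v2c community, a NoAuthNoPriv group, a user whose group does not exist,
# an MD5-authenticated user and a trap host still using version 2c.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server group LEGACY v3 noauth
snmp-server group SEC3GROUP v3 priv read SNMPMGR write SNMPMGR notify SNMPMGR
snmp-server user SNMPUSER3 SEC3 v3 auth md5 thisshouldbeastrongpassword priv aes 128 thisshouldbeastrongencryptionkey
snmp-server user SNMPUSER4 SEC3GROUP v3 auth sha thisshouldbeastrongpassword priv AES 256 thisshouldbeastrongencryptionkey
snmp-server host mgmt 10.20.30.10 version 3 SNMPUSER4
snmp-server host mgmt 10.20.30.11 community public version 2c
"""

AUTH_RE = re.compile(r"\bauth\s+(md5|sha)\b", re.IGNORECASE)
PRIV_RE = re.compile(r"\bpriv\s+(des|3des|aes)(?:\s+(128|192|256))?\b", re.IGNORECASE)
V3_HOST_RE = re.compile(r"\bversion\s+3\b")


def parse_snmp(config_text):
    """Pull communities, groups, users and trap hosts out of snmp-server lines."""
    communities, groups, users, hosts = [], {}, {}, []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        kind = tokens[1]
        if kind == "community":            # snmp-server community <string> [RO|RW]
            communities.append(tokens[2])
        elif kind == "group":              # snmp-server group <NAME> v3 {auth|noauth|priv} ...
            is_v3 = len(tokens) > 4 and tokens[3] == "v3"
            groups[tokens[2]] = tokens[4].lower() if is_v3 else "v1/v2c"
        elif kind == "user":               # snmp-server user <NAME> <GROUP> v3 auth ... priv ...
            auth, priv = AUTH_RE.search(line), PRIV_RE.search(line)
            users[tokens[2]] = {
                "group": tokens[3],
                "auth": auth.group(1).lower() if auth else None,
                "priv": priv.group(1).lower() if priv else None,
                "bits": int(priv.group(2)) if priv and priv.group(2) else None,
            }
        elif kind == "host":               # snmp-server host <if> <ip> ... version {1|2c|3 <user>}
            hosts.append(line)
    return communities, groups, users, hosts


def audit_snmp(config_text):
    """Return (severity, message) findings for the weak spots discussed in the article."""
    communities, groups, users, hosts = parse_snmp(config_text)
    findings = []
    for c in communities:
        findings.append(("high", f"v1/v2c community '{c}' is configured: unauthenticated and sent in the clear"))
    for name, model in groups.items():
        if model == "noauth":
            findings.append(("high", f"group {name} uses NoAuthNoPriv"))
        elif model == "auth":
            findings.append(("medium", f"group {name} uses AuthNoPriv: authenticated but not encrypted"))
        elif model == "v1/v2c":
            findings.append(("high", f"group {name} is not a v3 group"))
    for name, u in users.items():
        if u["group"] not in groups:   # the user inherits nothing if the group does not exist
            findings.append(("high", f"user {name} references undefined group {u['group']}"))
        if u["auth"] is None:
            findings.append(("high", f"user {name} has no authentication"))
        elif u["auth"] == "md5":
            findings.append(("low", f"user {name} authenticates with MD5; prefer SHA"))
        if u["priv"] is None:
            findings.append(("medium", f"user {name} has no privacy (encryption)"))
        elif u["priv"] == "des":
            findings.append(("medium", f"user {name} encrypts with single DES"))
    for h in hosts:
        if not V3_HOST_RE.search(h):
            findings.append(("high", f"trap host not using version 3: {h}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```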

 

More Information

Cisco Configuration Guide for ASA 8.4 and 8.6

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.html#wp1239780

Cisco Configuration Guide for ASA 8.4 and 8.6 PDF

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.pdf

---Reference from

http://www.gomiocon.com/2012/04/29/configuring-snmp-v3-on-cisco-asa-and-ios/

 


Startup Aims SDN Technology at Cisco WANs

April 25 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Networking

Glue Networks developing automation tools for managing WAN operations

SDNs aren't just for data center networks, despite the best-use-case-scenario arguments for network virtualization and flow management pervading the industry.

 

SDNs can automate and manage WAN operations as well. Google is using OpenFlow to interconnect data centers over a WAN.

 

And startup Glue Networks is targeting Cisco's installed base of WAN routers as a sweet spot for its SDN WAN offerings.

 

Major IT trends such as SaaS, private clouds, BYOD, mobility and voice/data convergence are stressing the quality of links in an enterprise WAN, as analyst Lee Doyle notes here. WAN links now require improved security, lower latency, higher reliability and support for any device in any location to accommodate these trends.

 

SDN can help enterprise IT accomplish this without the expense of upgrading individual WAN links, Doyle notes. The technology can allow for prioritization of key applications and traffic types, ease provisioning for new sites, new applications, and changed traffic priorities, enhance security and more tightly link WAN service to specific applications.

 

That's what Glue Networks is after. Glue's gluware software runs in the cloud and provides a cloud-based service for turning up remote sites and teleworkers worldwide. It is designed to lower the cost of private WAN networking by automating those operations and handling ongoing maintenance, monitoring, life-cycle management and feature extension.

 

Some of those features might include Cisco's WAAS Express, ScanSafe, ISE, MediaNet and TrustSec services.

 

The software automates the provisioning of voice, video, wireless, LAN networking, IP addressing, PKI security, firewalls, VLANs and ACLs, and allows users to configure a meshed, spoke-to-spoke, low-latency infrastructure that is QoS-enabled, the company says.

 

The company's gluware Teleworker software resides in the cloud and acts as a control plane to create a secure data plane for teleworkers to connect to the corporate network. Teleworkers can self-provision their equipment with a single click and no IT support, Glue claims.

 

Glue's products are essentially a software-defined dynamic multipoint VPN offered as a monthly software-as-a-service subscription. It includes a central policy-based controller, applications with "CCIE intelligence," and an API to configure the OS using the applications.

 

Glue's gluware also includes tools for alert notification based on thresholds; hardware ordering logistics and router provisioning workflows; end-user and administrator monitoring portals; repository of network configurations, end-user data, and reporting and monitoring data; agents to proactively monitor the health of the network and deploy large-scale configurations; and an orchestrator to generate hardware configurations, check for errors and conduct "self-healing" operations.

 

Glue says its addressable market is the $12 billion worth of 16 million Cisco WAN routers installed globally. Glue expects Cisco to have 23 million WAN routers installed by 2017.

 

Glue was founded in 2007. It has about $6.2 million in funding from a $4.5 million Series A round in 2011, and $1.7 million in convertible notes in 2012. The company's investors include Keiretsu Forum, San Joaquin Angels, Sierra Angels, Sacramento Angels, Sand Hill Angels, Harvard Angels, Halo Fund and Angel Forum.

 

Glue is headquartered in San Francisco and the company's executive team is comprised of officials from Yelofin Networks, Cisco, Agilent, Intel, INX and MTV Networks.

 

---News from http://www.networkworld.com/news/2013/041213-glue-networks-268664.html

 


Which Cisco Exam of CCENT and CCNA Certification Should You Take 2013?

April 22 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Certification - CCNA - CCNP - CCIE

If you are considering taking the exams to become certified as a Cisco Certified Entry Networking Technician (CCENT) or Cisco Certified Network Associate (CCNA), this article by Cisco expert Michelle Plumb will help you decide which exams you should take. These exams are not for the faint of heart. They are meant to weed out those who are committed from those who are easily dissuaded.

 

For more information on the new Cisco CCENT/CCNA exams, including special offers and study guides, visit our Cisco Press "About CCNA" page.

 

This article reviews the options you have when preparing for the Cisco Certified Entry Networking Technician (CCENT) certification and Cisco Certified Network Associate (CCNA) certification.

 

CCENT

First, let’s start with the CCENT certification. This certification is geared toward an entry-level network technician. This certification proves you have foundational knowledge for a small- to medium-sized network. Passing this exam is the first step to enter into a network engineering job using Cisco routers and switches. The course that you should take for the CCENT exam is ICND1v2.0. This is an updated course and exam due this spring. The new exam number is 100-101. Once you have passed this exam, you become a CCENT.

 

Note:

The ICND (Interconnecting Cisco Network Devices) exams are very challenging. You need to make sure you know all the material extremely well. The exam is timed, and these exams could run close on time. Know these tips before taking the test:

  • I would know subnetting extremely well. You cannot afford to spend too much time solving the troubleshooting questions on IPv4 subnetting.
  • You do not have access to a calculator.
  • You may also run into simulations that require knowledge to configure routing protocols and the appropriate IPv4 addresses. New to this course is IPv6 configuration, and you will need to be able to use IPv6 addresses appropriately as well as configuration options with routing protocols.
  • The exams could include multiple choice, drag and drop, as well as simulations.

 

Cisco’s website does have practice questions so you are familiar with the exam interface.

 

CCNA

If you have taken the ICND1 course and exam, strongly consider taking the ICND2 course and exam 200-101 as well. By taking this second exam and passing it, you will achieve the CCNA certification. The CCNA credentials show your abilities to install, configure, operate, and troubleshoot medium-sized routed and switched networks.

 

This exam is also challenging. Again, as with the CCENT exam, make sure you feel extremely comfortable with all the material covered in the ICND courses. You can expect the same type of questions using simulators, drag and drop, as well as multiple choices.

 

A Combination

You do have another option for exams. If you are a very skilled individual who has in-depth knowledge and experience configuring routers and switches in a medium- to large-sized network, then the combination exam might be for you. Cisco has an exam that covers knowledge from both ICND1 and ICND2: exam 200-120.

 

I highly caution anybody who is considering taking the all-in-one exam. This is a very tough exam. You need to make sure you know subnetting like the back of your hand and can do it very quickly. You also may see several simulations where you need to configure the various routing protocols, including figuring out what subnet information needs to be entered. With the new ICNDv2.0 classes and exams, you also have to be very proficient with IPv6. You will need to be capable of configuring and routing IPv4 and IPv6 at the same time. You may also see drag and drop type questions.

 

Scheduling

You will schedule these exams on the Pearson Vue website. You will need to bring a picture ID, and a photo will be taken of you at the testing center. You will also need to sign some paperwork about the exams, and sign in and out of the exam center.

 

Study Tips

If this is the first exam you have taken in a while, I have some study tips that have helped me:

  • Make sure to attend the appropriate course and/or purchase the official Cisco press books for the exam.
  • Review the material at least three times. Then use practice questions to see how I am doing with the material. For these exams, as stated earlier in this article, you have to know subnetting. So when I was just learning how to subnet, I made sure every day I ran through a subnetting problem, just to keep it fresh in my mind.
  • Do not wait longer than one month from finishing the class until taking the exam. We start to lose some of the information that is fresh in our minds.
  • Get a good night’s sleep the night before the exam. A good solid breakfast or lunch before the exam is a good idea as well.
  • Stop studying the day before. If you don’t know it by then, you might want to think about rescheduling the exam. You only have 24 hours before your scheduled time to make any changes. But make sure you double-check the cancelation policy.
  • Make sure to know exactly how long it will take to reach the exam center, and arrive 15 minutes early. Sometimes if no one is in the seat you are scheduled for, the test center might let you get started a little early if it is available.
  • Be prepared to store your accessories or valuables. You will be required to lock your valuables in a locker. You are not allowed to take purses, cell phones, etc. into the room where the exam is administered. You might also be asked to leave your watch in a locked locker.
  • When you get into the testing room, you will be given something to write with either a dry erase type board or paper. You will have to return these materials when you are done with the exam.

 

The Exam Process

Once you sit down and start into the exam process, you will see examples of the type of questions and how to navigate them. This does not take away from your timed exam. If you are not familiar with the types of questions and how to navigate the simulations, the examples will walk you through how to navigate them. You may also receive a brief questionnaire about your training before starting the official exam.

 

Once you are finished with this portion of the exam, the real exam begins. Try to take a deep breath and stay calm. I still get nervous to this day after taking many of these exams every year. Make sure you read each question thoroughly. This is one of the biggest reasons people miss questions. Read the entire question and all the answers before you start to formulate an answer. For simulations, double-check your work before you submit and move on. With Cisco exams, you cannot go back to a question once you have clicked Next to move to the next question.

 

When you have finished, you will see your score, and a printout of the exam information will be given to you by the exam proctor.

 

Final Thoughts

If something happens and you don’t pass on the first attempt, please don’t give up. These exams are very difficult, and I don’t want to see anyone get discouraged from trying again.

 

---Article resource from http://www.pearsonitcertification.com/articles/article.aspx?p=2036575

 


Cisco Ports Nexus 1000V Virtual Switch to Microsoft's Hyper-V

April 19 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco News

Hooks UCS servers into Systems Center, fast-tracks Windows infrastructure clouds

Upstart server-maker Cisco is bounding around the Microsoft Management Summit this week in Las Vegas to talk about how it is plugging its technologies into Redmond's cloud stack.

 

First up, as it promised it would do back in the summer of 2011, Cisco has ported its Nexus 1000V virtual switch to run atop Microsoft's Hyper-V server virtualization hypervisor.

 

While Microsoft has its own virtual switch, called Hyper-V Extensible Switch, there are others that run in conjunction with Windows, such as the vNetwork switch buried inside of VMware's ESXi hypervisor. The Open vSwitch created by Nicira is popular on Linux-based virtualization platforms and is now controlled by VMware. NEC in January launched its own freebie Programmable Flow 1000 Virtual Switch for Hyper-V.

 

Still, support for the Nexus 1000V is important for the Windows stack because Cisco is still, by far, the dominant supplier of physical switches in the data center. And a Nexus 1000V virtual switch, which is used to link virtual machines to each other, can manage their networks as the VMs migrate around a server cluster; it looks and smells like other physical switches that run the NX-OS operating system.

 

Satinder Sethi, vice-president of data center solutions at Cisco, tells El Reg that Cisco has watched the adoption rate for Hyper-V growing on its UCS B-Series blade and C-Series rack servers, and moreover, that Cisco expects many enterprises to have two hypervisors running across their clusters for various political and technical reasons.

 

The important thing for Cisco is that its Nexus 1000V virtual switch is the common element across whatever hypervisors enterprises choose. This is why Cisco already has the Nexus 1000V plugged into Red Hat's KVM hypervisor and is working on integrating it with Citrix Systems' Xen hypervisor–which has fallen into fourth place in the server virtualization beauty pageant unless you count all of the public clouds that use either XenServer (like Rackspace Hosting does) or a tweaked homegrown Xen (as Amazon Web Services does).


 

Cisco is making its Nexus 1000V virtual switch and fabric extenders work with Hyper-V

The Nexus 1000V support for Hyper-V 3.0, which is based on and which works with Windows Server 2012, was expected to be delivered in late 2012. So it took a few months longer to get it together than expected. (That's IT for you.)

 

By the way, you don't have to run the Nexus 1000V on Cisco's servers. It works on any x86 machines using a supported hypervisor, and many of the 6,000 customers who bought it through October last year run it on non-Cisco server gear.

 

The Nexus 1000V comes in a freebie Essential Edition with the basic switch. The Advanced Edition costs $695 and has a plug-in for VMware's vCenter Server management console as well as extending Cisco's TrustSec security policies for physical switches down to virtual switches. The Advanced Edition, which started shipping at the end of last year, also adds high-availability clustering across data centers for virtual switches and has a rolling upgrade process for Nexus 1000V virtual switches so you don't have to take hypervisors offline to patch the virtual switch.

The Nexus 1000V support for Hyper-V 3.0 will be available later this month.

 

From the get-go, VMware's ESXi hypervisor has been tightly integrated with the extended fabric at the heart of the UCS system, called the Virtual Machine Fabric Extender or VM-FEX. This takes the interfaces between the integrated UCS switch and the server nodes and virtualizes and extends them down into the server nodes with virtual network interfaces that can be set up programmatically and have its bandwidth or VM assignment changed on the fly.

 

Now this capability is also being extended to Hyper-V, which makes Microsoft's hypervisor a peer to ESXi at this point.

 

VM-FEX support for Hyper-V is available now, but Sethi says improved configuration tools are coming in the June-July timeframe to make it easier for VM-FEX and Hyper-V to work together.


 

Microsoft and Cisco have integrated their respective control freaks

Cisco and Microsoft have also been working together to mash up their respective systems and systems-software management tools so they work together to make Windows and Hyper-V play nice on top of Cisco UCS systems. Specifically, the APIs in UCS Manager, the control freak that runs in the embedded switch in the UCS machines, and its UCS PowerTool are exposed to Microsoft's Systems Center 2012 SP1 and its PowerShell utility.

 

Cisco has created a UCS Management Pack for Systems Center Operations Manager so customers can monitor UCS hardware and Windows software from the same System Center console. There is also a UI Extension add-in for Virtual Machine Manager that can talk through UCS Manager and the Nexus 1000V switch to the virtual machines on the UCS iron.

 

Cisco is also talking up the fact that its UCS reference architectures are now certified to be part of the Microsoft Fast Track 3.0 reference architecture, which allows partners to use the recipes cooked up by Cisco and approved by Microsoft to build private infrastructure clouds quickly and consistently.

 

There is a Fast Track setup that mixes UCS systems with NetApp storage, known as FlexPod. This includes B-Series blade servers using the UCS 5108 chassis and the 6248 fabric interconnects plus Nexus 5548UP switches for the access layer linking multiple blade enclosures together. The storage systems feeding the blades are NetApp FAS3240 arrays. And of course the nodes are running the Hyper-V 3.0 hypervisor and the Windows Server 2012 operating system with all the control freakage above tossed in.

 

The VSPEX private cloud stacks that Cisco has built with EMC to run the Microsoft server stack can run either Windows Server 2008 R2 or Windows Server 2012 with the appropriate Systems Center management tools and Hyper-V hypervisor. This particular Fast Track setup is based on the UCS C220 M3 rack servers linked together by Nexus 5548UP switches and also talking to EMC VNXe 3300 arrays using iSCSI over 10 Gigabit Ethernet links.

 

---From http://www.theregister.co.uk/2013/04/11/cisco_nexus_ucs_microsoft_hyperv_sc2012/ 


Configuring NAT on Cisco ASA

April 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Network address translation (NAT) allows you to translate private addresses to public addresses.
With the Cisco ASA firewall, you can configure two types of NAT:
- Dynamic NAT (including PAT - port address translation)
- Static NAT

NAT example (the web server must send its responses to the client on the public/mapped address):

Dynamic NAT allows you to translate internal addresses to a predefined set or pool of public addresses that you define. The "nat" command defines which internal hosts are translated, and the "global" command defines the public address range into which they are translated. The number "1" in the nat command is the NAT ID (the number of the NAT rule) and must match on the "nat" and "global" commands:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113-193.222.168.116 255.255.255.240

PAT translates a range of internal addresses to one public address by mapping them to different ports:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113

Instead of an IP address in the global command, it is possible to use the keyword "interface". That way, the internal addresses are automatically PAT-ed to the address of the outside interface:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 interface

 

Static NAT allows you to permanently map a public IP address and port to an inside one (port forwarding). Cisco also allows 1:1 NAT, or "mirroring", which translates all ports of a private address to the same ports on a public address (bi-directional). Of course, to enable traffic flow from the "outside" to the "inside" interface, the traffic must also be permitted by an access control list.

Port forwarding:

Port forwarding maps publicly available ports to internal addresses. After configuring NAT, to enable traffic flow from outside to inside hosts, you must apply access lists that permit the traffic. Finally, to activate the ACL, bind it to the "outside" interface with the "access-group" command:

ASA1(config)#static (inside,outside) tcp 209.165.201.3 http 10.2.2.28 http netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 ftp 10.2.2.27 ftp netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 smtp 10.2.2.29 smtp netmask 255.255.255.255

ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq http
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq ftp
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq smtp

ASA1(config)#access-group outside_in_acl in interface outside

Static 1:1 NAT (every public port mapped to the same internal port):

ASA1(config)#static (inside,outside) 209.165.201.4 10.2.2.45 netmask 255.255.255.255

To allow traffic to flow from the lower-security interface "outside" to the higher-security interface "inside", an access control list must be applied.
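Because a static translation only becomes reachable once the inbound ACL permits it, the two halves drift apart easily. The added script below (my own example, not from the original post) parses the pre-8.3 static / access-list / access-group syntax used above and reports forwards with no matching permit, permits with no translation behind them, and 1:1 statics together with exactly what the ACL lets through to them. The config it reads is constructed; the function names are my own.

```python
import re

# Constructed ASA fragment (pre-8.3 syntax, modelled on the commands above; not from a real
# firewall). It deliberately forwards SMTP without an ACL permit, permits RDP that nothing
# translates, and adds a 1:1 static with no ACL entry for it.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 209.165.201.3 http 10.2.2.28 http netmask 255.255.255.255
static (inside,outside) tcp 209.165.201.3 ftp 10.2.2.27 ftp netmask 255.255.255.255
static (inside,outside) tcp 209.165.201.3 smtp 10.2.2.29 smtp netmask 255.255.255.255
static (inside,outside) 209.165.201.4 10.2.2.45 netmask 255.255.255.255
access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq http
access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq ftp
access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq 3389
access-group outside_in_acl in interface outside
"""

# ASA port keywords used in the examples, resolved to numbers so "eq http" matches "http".
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "http": 80, "https": 443}

STATIC_PORT_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_1TO1_RE = re.compile(r"^static \((\w+),(\w+)\) (\d+(?:\.\d+){3}) (\S+) netmask")
ACE_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) (\S+) host (\S+) eq (\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def port_number(token):
    """Translate an ASA port keyword (http, smtp, ...) or a numeric port to an int."""
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)


def parse_nat(config_text):
    """Return (port forwards, 1:1 statics, ACL entries, {interface: inbound ACL})."""
    forwards, one_to_one, aces, bound = [], [], [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := STATIC_PORT_RE.match(line):
            _, mapped_if, proto, pub_ip, pub_port, priv_ip, priv_port = m.groups()
            forwards.append((mapped_if, proto, pub_ip, port_number(pub_port),
                             priv_ip, port_number(priv_port)))
        elif m := STATIC_1TO1_RE.match(line):
            _, mapped_if, pub_ip, priv_ip = m.groups()
            one_to_one.append((mapped_if, pub_ip, priv_ip))
        elif m := ACE_RE.match(line):
            name, proto, src, dst, port = m.groups()
            aces.append((name, proto, src, dst, port_number(port)))
        elif m := ACCESS_GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)          # interface -> ACL applied inbound
    return forwards, one_to_one, aces, bound


def audit_nat(config_text):
    """Cross-check static translations against the ACL bound inbound on the mapped interface."""
    forwards, one_to_one, aces, bound = parse_nat(config_text)
    findings = []
    permitted = {(name, proto, dst, port) for name, proto, _, dst, port in aces}
    # 1. every port forward needs a matching permit, otherwise the service is silently unreachable
    for mapped_if, proto, pub_ip, pub_port, priv_ip, _ in forwards:
        acl = bound.get(mapped_if)
        if acl is None:
            findings.append(("warn", f"no inbound ACL bound on {mapped_if}; "
                                     f"forward of {proto}/{pub_port} on {pub_ip} is unreachable"))
        elif (acl, proto, pub_ip, pub_port) not in permitted:
            findings.append(("warn", f"{proto}/{pub_port} on {pub_ip} is forwarded to {priv_ip} "
                                     f"but {acl} has no permit for it"))
    # 2. a permit with no translation behind it is stale, or opens more than intended
    forwarded = {(proto, pub_ip, pub_port) for _, proto, pub_ip, pub_port, _, _ in forwards}
    mirrored = {pub_ip for _, pub_ip, _ in one_to_one}
    for name, proto, _, dst, port in aces:
        if (proto, dst, port) not in forwarded and dst not in mirrored:
            findings.append(("warn", f"{name} permits {proto}/{port} to {dst} but nothing is "
                                     f"translated there (stale or over-permissive)"))
    # 3. 1:1 statics expose every port of the host, so list exactly what the ACL lets in
    for mapped_if, pub_ip, priv_ip in one_to_one:
        acl = bound.get(mapped_if)
        ports = sorted(p for n, _, _, d, p in aces if n == acl and d == pub_ip)
        findings.append(("info", f"1:1 static {pub_ip} -> {priv_ip} exposes every port; "
                                 f"{acl} permits {ports} to it"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_nat(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```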

 


Basic Interface Configuration of Cisco ASA 5520

April 10 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

The Cisco ASA 5520 is one of the mid-range ASAs. It has 4 Gigabit Ethernet ports and a maximum of 450 Mbps throughput under ideal conditions, which makes it good for mid-sized offices. It has an expansion slot where you can install an add-on card that does content filtering (e.g. email and web) or intrusion prevention, or an expansion card that gives your ASA more physical ports.

 

The lowest-end ASA is the Cisco ASA 5505 model, which is more like a switch with VLANs. On the 5510 models and up, interface configuration is akin to that of a router.

 

Factory Default Settings on the ASA 5520

Out of the box, or with the configure factory-default command, the ASA 5520 is configured thusly:

Interface                                Name         Security Level      IP Address      State
GigabitEthernet0/0 - GigabitEthernet0/3  no nameif    no security-level   no ip address   Shutdown
Management0/0                            management   100                 192.168.1.1     Management-only

 

Configuration Example

On a Cisco ASA 5520 with a factory default config, a show run interface coughs up this information:

interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

 

With nothing configured on the interfaces, the routing table on a factory default ASA shows only the internal control-plane (loopback) route:

ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    127.0.0.0 255.255.0.0 is directly connected, cplane

 

To make an interface operational, it needs a name, an IP address, a security level and it needs to be administratively brought up with the no shutdown command.

 

So let’s give the GigabitEthernet0/0 interface a name and an IP address.

ciscoasa# con t
ciscoasa(config)# interface gigabitEthernet 0/0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 5.5.5.1

 

When an interface is named “outside”, the ASA automatically assigns the interface a security level of 0. If an interface is named “inside”, it is automatically given a security level of 100.

To view the config on all interfaces, use the show run interface command. To view just one interface, use the show run interface command and specify the interface:

ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.0.0.0

 

Because I did not specify a subnet mask when I configured the IP address, the interface was automatically assigned a classful subnet mask. I can specify the subnet mask in the ip address command.

ciscoasa(config-if)# ip address 5.5.5.1 255.255.255.0
ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0

 

When I am ready to bring the interface up, I use the no shutdown command.

ciscoasa(config-if)# no shut
ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0

 

The show run ip address command shows all interfaces that have IP addresses.

ciscoasa(config-if)# sh ru ip
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

The show ip address command also displays all IP addresses, along with the method used to configure the IP address. (“System IP Addresses” refer to the primary IP addresses used for failover. “Current IP Addresses” are the currently-used IP addresses on the interface(s). So, in an active/standby ASA pair, the active ASA would have the same “System” and “Current” IP addresses. The standby ASA would have different “System” and “Current” IP addresses.)

ciscoasa(config-if)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual

 

After a write memory and a reload, when you do show ip address, the “Method” on these manually-configured interfaces changes to CONFIG, signifying that they were loaded from the startup config:

ciscoasa# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
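An added example, not code from the original post: a small Python parser for show ip address that applies the two rules just described. Comparing the System and Current tables tells you whether the unit you are logged into holds the pair's primary addresses (the active unit, or a unit with no failover) or is the standby, and filtering on the Method column lists the interfaces whose addresses were entered at the CLI in the running session (manual) rather than loaded from the startup config (CONFIG). Both sample outputs are constructed to match the page's format; the standby sample assumes .2 standby addresses that the page does not show.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not captured from a real device): what "show ip address"
# would look like on the standby unit of an active/standby pair, where the
# Current addresses differ from the System (primary) ones. The .2 addresses
# are an assumption for illustration.
SHOW_IP_ADDRESS_STANDBY = """\
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.2         255.255.255.0   CONFIG
Management0/0            management             192.168.1.2     255.255.255.0   CONFIG
"""

# Constructed sample in the shape of the page's first "show ip address" output,
# taken before write memory and reload: Method still reads "manual".
SHOW_IP_ADDRESS_UNSAVED = """\
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Interface, Name, IP address, Subnet mask, Method. The header line has no
# dotted-quad fields, so it never matches.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(" + IPV4 + r")\s+(" + IPV4 + r")\s+(\S+)$")

Row = Tuple[str, str, str, str]  # (nameif, ip, mask, method)


def parse_show_ip_address(text: str) -> Dict[str, Dict[str, Row]]:
    """Return {"System": {iface: row}, "Current": {iface: row}}."""
    tables: Dict[str, Dict[str, Row]] = {"System": {}, "Current": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("System IP Addresses"):
            section = "System"
        elif line.startswith("Current IP Addresses"):
            section = "Current"
        elif section is not None:
            m = ROW.match(line.strip())
            if m:
                iface, nameif, ip, mask, method = m.groups()
                tables[section][iface] = (nameif, ip, mask, method)
    return tables


def system_current_mismatches(text: str) -> List[Tuple[str, str, str]]:
    """Interfaces whose Current address differs from the System (primary) one."""
    tables = parse_show_ip_address(text)
    out: List[Tuple[str, str, str]] = []
    for iface, (_, sys_ip, _, _) in tables["System"].items():
        cur = tables["Current"].get(iface)
        cur_ip = cur[1] if cur else "missing"
        if cur_ip != sys_ip:
            out.append((iface, sys_ip, cur_ip))
    return out


def holds_system_addresses(text: str) -> bool:
    """True when System == Current on every interface, i.e. this unit is the
    active one (or has no failover configured); False on the standby unit."""
    return not system_current_mismatches(text)


def interfaces_with_method(text: str, method: str) -> List[str]:
    """Interfaces whose Current address was set by the given Method, e.g.
    "manual" (entered in the running session, not yet saved and reloaded),
    "CONFIG" (loaded from startup config) or "DHCP"."""
    tables = parse_show_ip_address(text)
    return [iface for iface, row in tables["Current"].items() if row[3] == method]
```

Running interfaces_with_method(output, "manual") on a unit that should only carry saved configuration is a quick way to spot interface addressing that was changed interactively and not yet committed to the startup config.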

 

Now a show route command displays the directly-connected route to the 5.5.5.0 subnet.

ciscoasa(config-if)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    5.5.5.0 255.255.255.0 is directly connected, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

From the show run interface command, we can see that there is nothing configured on the g 0/1 interface. Let’s set it as a DHCP client and bring it up.

ciscoasa(config-if)# sh ru int g 0/1
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip add dhcp
ciscoasa(config-if)# no shut

The show run interface command will show that g 0/1 is a DHCP client, but it will not display the dynamically-assigned IP address on the interface. To view the DHCP IP address, use the show ip address command.

ciscoasa(config-if)# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG

Note that the “Method” for g 0/1 is “DHCP”.

You can also display all IP addresses on all interfaces with the show interface ip brief command.

ciscoasa(config-if)# sh int ip b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         5.5.5.1         YES CONFIG up                    up
GigabitEthernet0/1         10.30.1.101     YES DHCP   up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              192.168.1.1     YES CONFIG down                  down
Virtual254                 unassigned      YES unset  up                    up
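As an added example, not code from the original post, here is a Python audit that parses the two outputs covered above, show run interface and show interface ip brief, and cross-checks them. It flags an interface named outside whose security-level is not the default 0 the ASA assigns, an interface that was never shut down but has no nameif, and, because show run only shows "ip address dhcp", reports the live address of each DHCP-client interface from the brief table. The sample outputs are constructed to match the page's format and are not captured from a device; GigabitEthernet0/2 is deliberately left up without a nameif so that the check has something to report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the page's "show run interface" output
# (not captured from a real ASA). GigabitEthernet0/2 is deliberately left
# up (no "shutdown" line) with no nameif, the state the audit should flag.
SHOW_RUN_INTERFACE = """\
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address dhcp
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
"""

# Constructed sample in the shape of "show interface ip brief".
SHOW_INTERFACE_IP_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         5.5.5.1         YES CONFIG up                    up
GigabitEthernet0/1         10.30.1.101     YES DHCP   up                    up
GigabitEthernet0/2         unassigned      YES unset  up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Management0/0              192.168.1.1     YES CONFIG down                  down
"""


@dataclass
class AsaInterface:
    name: str                           # physical name, e.g. GigabitEthernet0/0
    nameif: Optional[str] = None        # logical name: outside, inside, ...
    security_level: Optional[int] = None
    ip_address: Optional[str] = None    # "A.B.C.D MASK" or "dhcp"
    shutdown: bool = False


def parse_show_run_interface(text: str) -> Dict[str, AsaInterface]:
    """Turn 'show run interface' output into one record per physical interface."""
    interfaces: Dict[str, AsaInterface] = {}
    current: Optional[AsaInterface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = AsaInterface(name=line.split(None, 1)[1])
            interfaces[current.name] = current
        elif current is None:
            continue
        elif line == "shutdown":
            current.shutdown = True
        elif line.startswith("nameif "):
            current.nameif = line.split(None, 1)[1]
        elif line.startswith("security-level "):
            current.security_level = int(line.split()[1])
        elif line == "ip address dhcp":
            current.ip_address = "dhcp"
        elif line.startswith("ip address "):
            current.ip_address = " ".join(line.split()[2:4])
        # "no nameif", "no security-level", "no ip address" keep the None defaults
    return interfaces


# Interface, IP-Address, OK?, Method, Status, Protocol. Status is matched
# lazily so that "administratively down" stays one value.
BRIEF_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<proto>up|down)$"
)


def parse_show_interface_ip_brief(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the brief table; the header row never matches (OK? is not YES/NO)."""
    rows: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = BRIEF_ROW.match(line.strip())
        if m:
            rows[m["iface"]] = {k: m[k] for k in ("ip", "method", "status", "proto")}
    return rows


def audit_interfaces(run_text: str, brief_text: str) -> List[str]:
    """Cross-check running config against live state and return findings."""
    interfaces = parse_show_run_interface(run_text)
    brief = parse_show_interface_ip_brief(brief_text)
    findings: List[str] = []
    for phys, intf in interfaces.items():
        live = brief.get(phys, {})
        # The ASA gives "outside" security-level 0 by default; anything else was set by hand.
        if intf.nameif == "outside" and intf.security_level != 0:
            findings.append(f"{phys}: 'outside' has security-level {intf.security_level}, expected 0")
        # An interface left up with no nameif is an unused port that was never shut down.
        if not intf.shutdown and intf.nameif is None:
            findings.append(f"{phys}: not shut down but has no nameif; shut it down if unused")
        # show run shows only "ip address dhcp"; the real address is in the brief table.
        if intf.ip_address == "dhcp":
            findings.append(f"{phys} ({intf.nameif}): DHCP address {live.get('ip', 'unassigned')}")
    return findings
```

Calling audit_interfaces(SHOW_RUN_INTERFACE, SHOW_INTERFACE_IP_BRIEF) on the constructed samples returns two findings: the DHCP address on GigabitEthernet0/1 and the unnamed, un-shut GigabitEthernet0/2. Feeding it the two commands' real output (for example captured over SSH) gives the same report for a live unit.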

 

More Related Cisco ASA Tips:

Cisco ASA 5520 Basic Configuration Guide

Site-to-Site IPSEC VPN between Two Cisco ASA 5520

How to Configure Dual ISP on Cisco ASA 5505?

Cisco ASA 8.4 vs. Typical NAT/PAT Configuration

Eight Commands on a Cisco ASA Security Appliance You Should Know

VLAN Sub-Interfaces on Cisco ASA 5500 Firewall Configuration

How to Configure Cisco ASA 5505 Firewall?


Cisco ASA Pre-8.3 to 8.3 NAT Configuration Examples

April 5 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Static NAT/PAT

pre-8.3NAT.jpg

Pre-8.3NAT02.jpg

Detailed Reference:

ASA Pre-8.3 to 8.3 NAT Configuration Examples

https://supportforums.cisco.com/docs/DOC-9129

More Related Topics:

Cisco ASA 8.3, 8.4 Hairpinning NAT Configuration


Cisco Branch Router Series Platform

April 2 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

Small Branch Office Cisco ISR 1941W Platform

Small-Branch-Office-Cisco-ISR-1941W-Platform.jpg

 

To simulate a small branch office, the Cisco ISR 1941W was configured as a branch router serving a dozen employees. Primary network connectivity was established via a public internet connection with a DMVPN (Dynamic Multipoint Virtual Private Network) encrypted link to corporate headquarters. A 3G wireless data connection was set up for branch redundancy in the event of a primary WAN link failure. The Cisco ISR 1941W was also configured to support wireless using an 802.11n radio, extending the corporate wireless network into the branch office and providing guest network connectivity for visitors to the office. Security features (Zone Based Firewall, Cisco IOS IPS and content filtering) were activated. Voice services were provided by a headquarters-based CUCM (Cisco Unified Communications Manager).

 

Medium Branch Office Cisco ISR 2911 Platform

Medium-Branch-Office-Cisco-ISR-2911-Platform.jpg

A medium branch office deployment was simulated using a Cisco ISR 2911. This branch scenario supports about 25 users. Primary and backup network connections were provided by two separate Ethernet WAN links: an IP WAN provided primary network connectivity, with a DMVPN secure connection to corporate headquarters serving as backup. Security features (Zone Based Firewall and Cisco IOS IPS) were activated. Voice services were provided by a headquarters-based CUCM, with local POTS (Plain Old Telephone Service) access from the Cisco ISR 2911. Cisco Unified SRST (Survivable Remote Site Telephony) was supported to provide redundant local call control in the branch office in the event the central CUCM is unreachable. Telepresence and video are also supported and enabled for this deployment.

 

Large Branch Office Cisco ISR 2951 Platform

Large-Branch-Office-Cisco-ISR-2951-Platform.jpg

A large branch with 40 to 60 users was created using a Cisco ISR 2951. In this scenario, the 2951 was configured to provide both primary and backup corporate access: an IP WAN connection served as the primary connection to headquarters, with a public Internet connection carrying a DMVPN secure connection as backup. The Cisco 2951 was also configured to support all voice functions, including Cisco Unified Communications Manager Express (CUCME) for call control and voice mail with Cisco Unity Express. Local PSTN access is provided by a SIP trunk from the 2951 to the local phone network. Zone Based Firewall, Cisco IOS IPS and Cisco WAAS were also activated in the router.

 

Regional Branch Office Cisco ISR 3945 Platform

Regional-Branch-Office-Cisco-ISR-3945-Platform.jpg

A large regional office with 150 or more employees was simulated with a Cisco 3945. Primary and backup connectivity to headquarters was provided by redundant IP WAN connections. The Cisco 3945 was configured to support CUBE (Cisco Unified Border Element) functionality for call control in conjunction with a CUCM at corporate headquarters. SRST functionality was also enabled on the Cisco 3945 in the event that connectivity with the central CUCM is lost. Local PSTN access was provided by a SIP trunk to the local telephone network. Zone Based Firewall, Cisco IOS IPS and Cisco WAAS were also activated in the router.

 

More Cisco Branch Router Tips:

Cisco ISR-AX: Cheaper Branch Router with Bundled Layer 4-7 Services

Buyer’s Guide: How to Select Cisco Branch Routers

Cisco Branch Routers, Accelerate Your WAN Performance
